Tuesday, October 14, 2014

VXLAN - Unicast

With the release of XE-3.13, VXLAN gets a much-awaited unicast flavor. The configuration doesn't change by much [except for the obvious, that is, there are no multicast configurations].

Apart from the addition of unicast mode support for VXLAN, they have also changed the port number. Initially the port was the same as that used by OTV; however, that has now changed.

Let's look at both of these in the section below:

To start off with, the topology; this remains the same as the one seen in the vxlan-basics [however, I have replaced the ASR1K core router with yet another CSR1000v].



The basic router reachability configurations are shown below:

Router1:

router ospf 11
 router-id 11.11.11.1

interface GigabitEthernet4
 description connected to the CORE
 ip address 100.1.1.2 255.255.255.0
 ip ospf 11 area 11
 no shutdown

interface GigabitEthernet3
 description connected to VM1
 no shutdown
 service instance 11 ethernet
  encapsulation dot1q 11
  rewrite ingress tag pop 1 symmetric

interface Loopback11
 ip address 11.11.11.11 255.255.255.255
 ip ospf 11 area 11


Router2:

router ospf 11
 router-id 11.11.11.3

interface GigabitEthernet4
 description connected to the CORE
 ip address 101.1.1.2 255.255.255.0
 ip ospf 11 area 11
 no shutdown

interface GigabitEthernet3
 description connected to VM2
 no shutdown
 service instance 11 ethernet
  encapsulation dot1q 11
  rewrite ingress tag pop 1 symmetric

interface Loopback11
 ip address 12.12.12.12 255.255.255.255
 ip ospf 11 area 11


CORE [the core router is only here to provide IP connectivity between the two VTEPs]:

router ospf 11
 router-id 11.11.11.2
interface GigabitEthernet2
 description connected to Router1
 ip address 100.1.1.1 255.255.255.0
 ip ospf 11 area 11
 no shutdown

interface GigabitEthernet3
 description connected to Router2
 ip address 101.1.1.1 255.255.255.0
 ip ospf 11 area 11
 no shutdown



Next, we will look at the 'nve' configuration:

On Router1:

interface nve11
 no shutdown
 member vni 5011
  ingress-replication 12.12.12.12 ! this is the new command
 source-interface Loopback11


After the above, we only have to configure the bridge-domain members, so that MAC addresses are learned and forwarded correctly between the local service instance and the VNI.

On Router1:

bridge-domain 11
 member vni 5011
 member GigabitEthernet3 service-instance 11


On Router2:

interface nve11
 no shutdown
 member vni 5011
  ingress-replication 11.11.11.11
 source-interface Loopback11
bridge-domain 11
 member vni 5011
 member GigabitEthernet3 service-instance 11



As seen above, the new command is 'ingress-replication', which is a sub-command under 'member vni' and points at the remote VTEP's loopback address in place of a multicast group.

That concludes the configuration. We will verify it by sending traffic between VM1 and VM2.
NOTE: VM1's IP - 130.1.1.101 and VM2's IP - 130.1.1.100

Before the ping, on Router1:

Router1#show bridge-domain 11
Bridge-domain 11 (2 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 300 second(s)
    GigabitEthernet3 service instance 11
    vni 5011
   AED MAC address    Policy  Tag       Age  Pseudoport
   1   FFFF.FFFF.FFFF flood   static    0    OLIST_PTR:0xe80e3000

Router1#


[root@localhost ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:50:56:B1:3F:71 
          inet addr:130.1.1.101  Bcast:130.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb1:3f71/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:439572 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8225 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:124674203 (118.8 MiB)  TX bytes:804428 (785.5 KiB)
          Base address:0x2000 Memory:fd5c0000-fd5e0000


[root@localhost ~]#

[root@localhost ~]# ping 130.1.1.100 -c 5
PING 130.1.1.100 (130.1.1.100) 56(84) bytes of data.
64 bytes from 130.1.1.100: icmp_seq=1 ttl=64 time=5.57 ms
64 bytes from 130.1.1.100: icmp_seq=2 ttl=64 time=1.76 ms
64 bytes from 130.1.1.100: icmp_seq=3 ttl=64 time=1.85 ms
64 bytes from 130.1.1.100: icmp_seq=4 ttl=64 time=2.36 ms
64 bytes from 130.1.1.100: icmp_seq=5 ttl=64 time=2.03 ms

--- 130.1.1.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 1.763/2.718/5.573/1.443 ms
[root@localhost ~]# 


Post the ping, on Router1:

Router1#show bridge-domain 11
Bridge-domain 11 (2 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 300 second(s)
    GigabitEthernet3 service instance 11
    vni 5011
   AED MAC address    Policy  Tag       Age  Pseudoport
   0   0050.56B1.6619 forward dynamic   265  nve11.VNI5011, VxLAN --> VM2's MAC
                                             src: 11.11.11.11 dst: 12.12.12.12
   0   0050.56B1.3F71 forward dynamic   265  GigabitEthernet3.EFP11 --> VM1's MAC
   1   FFFF.FFFF.FFFF flood   static    0    OLIST_PTR:0xe80e3000

Router1#


Now, let us quickly look at the port which is being used by VXLAN:

Router1#show platform software vxlan F0 udp-port
VXLAN UDP Port: 4789

Router1#



As seen, the port number has changed. Hence, in case you have a firewall in the path between the VTEPs, you need to ensure this port (UDP 4789) is allowed, else you will see drops.
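As an added illustration (not from the original post), here is a small Python decoder that parses the outer IPv4/UDP/VXLAN headers the way a firewall or IDS would, keys on the new UDP port 4789, and flags tunnel traffic between unexpected VTEPs or on a VNI that was never configured. The sample packet is constructed and the policy function is my own; the VNI, VTEP loopbacks and VM MAC addresses are taken from the post above.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789   # value reported by 'show platform software vxlan F0 udp-port'
VXLAN_I_FLAG = 0x08     # RFC 7348 "I" flag: the VNI field is valid

def cisco_mac(raw):
    """Format 6 raw bytes the way 'show bridge-domain' prints them (0050.56B1.6619)."""
    return ".".join(raw.hex().upper()[i:i + 4] for i in range(0, 12, 4))

def build_vxlan_packet(src_ip, dst_ip, vni, inner_frame, src_port=49152):
    """Constructed sample: outer IPv4 + UDP + 8-byte VXLAN header + inner Ethernet frame."""
    vxlan_hdr = bytes([VXLAN_I_FLAG, 0, 0, 0]) + struct.pack("!I", vni << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # checksum left 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_hdr + udp_hdr + vxlan_hdr + inner_frame

def decode_vxlan(pkt):
    """Return (outer src, outer dst, VNI, inner src MAC, inner dst MAC) or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:   # IPv4 carrying UDP only
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 16 + 14:   # UDP (8) + VXLAN (8) + minimal inner Ethernet (14)
        return None
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    vx, inner = pkt[ihl + 8:ihl + 16], pkt[ihl + 16:]
    if dst_port != VXLAN_UDP_PORT or not vx[0] & VXLAN_I_FLAG:
        return None
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            int.from_bytes(vx[4:7], "big"), cisco_mac(inner[6:12]), cisco_mac(inner[0:6]))

def check_vxlan_policy(pkt, allowed_vteps, allowed_vnis):
    """Flag tunnel traffic between unexpected VTEPs or with an unconfigured VNI."""
    decoded = decode_vxlan(pkt)
    if decoded is None:
        return ["not a VXLAN packet on UDP %d" % VXLAN_UDP_PORT]
    src_ip, dst_ip, vni = decoded[:3]
    findings = []
    if src_ip not in allowed_vteps or dst_ip not in allowed_vteps:
        findings.append(f"unexpected VTEP pair {src_ip} -> {dst_ip}")
    if vni not in allowed_vnis:
        findings.append(f"unknown VNI {vni}")
    return findings

# Constructed sample: VM1 (0050.56B1.3F71) -> VM2 (0050.56B1.6619), Router1 -> Router2, VNI 5011
INNER = bytes.fromhex("005056B16619005056B13F710800") + b"\x45" + b"\x00" * 27
SAMPLE = build_vxlan_packet("11.11.11.11", "12.12.12.12", 5011, INNER)
```

Running `check_vxlan_policy(SAMPLE, {"11.11.11.11", "12.12.12.12"}, {5011})` returns an empty list for the expected overlay; the same packet to a destination port other than 4789 is treated as non-VXLAN, which is exactly what an old firewall rule would do to the real traffic.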

This concludes this brief overview of VXLAN - Unicast. Hope this post has been helpful.

The image used for demonstrating the above has been: Cisco IOS XE Software, Version 03.13.00.S - Extended Support Release