With the release of XE-3.13, VXLAN gets a much-awaited unicast flavor. The configuration doesn't change much [except for the obvious: there is no multicast configuration].
For multicast VXLAN, read up: http://stayinginit.blogspot.in/2014/02/vxlan-basics.html
Apart from adding unicast mode support for VXLAN, they have also changed the port number. Initially the port was the same as that used by OTV; now that has changed.
Let's look at these in the section below:
To start off with, the topology; this remains the same as the one seen in the vxlan-basics [however, I have replaced the ASR1K core router with yet another CSR1000v].
The basic router reachability configurations are shown below:
Router1:
router ospf 11
router-id 11.11.11.1
interface GigabitEthernet4
description connected to the CORE
ip address 100.1.1.2 255.255.255.0
ip ospf 11 area 11
no shutdown
interface GigabitEthernet3
description connected to VM1
no shutdown
service instance 11 ethernet
encapsulation dot1q 11
rewrite ingress tag pop 1 symmetric
interface Loopback11
ip address 11.11.11.11 255.255.255.255
ip ospf 11 area 11
Router2:
router ospf 11
router-id 11.11.11.3
interface GigabitEthernet4
description connected to the CORE
ip address 101.1.1.2 255.255.255.0
ip ospf 11 area 11
no shutdown
interface GigabitEthernet3
description connected to VM2
no shutdown
service instance 11 ethernet
encapsulation dot1q 11
rewrite ingress tag pop 1 symmetric
interface Loopback11
ip address 12.12.12.12 255.255.255.255
ip ospf 11 area 11
CORE [here the core router is just placed to bring about IP connectivity]:
router ospf 11
router-id 11.11.11.2
interface GigabitEthernet2
description connected to Router1
ip address 100.1.1.1 255.255.255.0
ip ospf 11 area 11
no shutdown
interface GigabitEthernet3
description connected to Router2
ip address 101.1.1.1 255.255.255.0
ip ospf 11 area 11
no shutdown
Next, we will look at the 'nve' configuration:
On Router1:
interface nve11
no shutdown
member vni 5011
ingress-replication 12.12.12.12 ! this is the new command
source-interface Loopback11
After the above, we finally have to configure the bridge-domain members so that the MAC addresses are learned and used correctly.
On Router1:
bridge-domain 11
member vni 5011
member GigabitEthernet3 service-instance 11
On Router2:
interface nve11
no shutdown
member vni 5011
ingress-replication 11.11.11.11
source-interface Loopback11
bridge-domain 11
member vni 5011
member GigabitEthernet3 service-instance 11
As seen above, the new command is 'ingress-replication', which is a sub-command of 'member vni'.
That concludes the configuration; we will verify it by sending traffic between VM1 and VM2.
NOTE: VM1's IP - 130.1.1.101 and VM2's IP - 130.1.1.100
Before the ping, on Router1:
Router1#show bridge-domain 11
Bridge-domain 11 (2 ports in all)
State: UP Mac learning: Enabled
Aging-Timer: 300 second(s)
GigabitEthernet3 service instance 11
vni 5011
AED MAC address Policy Tag Age Pseudoport
1 FFFF.FFFF.FFFF flood static 0 OLIST_PTR:0xe80e3000
Router1#
[root@localhost ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:50:56:B1:3F:71
inet addr:130.1.1.101 Bcast:130.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:feb1:3f71/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:439572 errors:0 dropped:0 overruns:0 frame:0
TX packets:8225 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:124674203 (118.8 MiB) TX bytes:804428 (785.5 KiB)
Base address:0x2000 Memory:fd5c0000-fd5e0000
[root@localhost ~]#
[root@localhost ~]# ping 130.1.1.100 -c 5
PING 130.1.1.100 (130.1.1.100) 56(84) bytes of data.
64 bytes from 130.1.1.100: icmp_seq=1 ttl=64 time=5.57 ms
64 bytes from 130.1.1.100: icmp_seq=2 ttl=64 time=1.76 ms
64 bytes from 130.1.1.100: icmp_seq=3 ttl=64 time=1.85 ms
64 bytes from 130.1.1.100: icmp_seq=4 ttl=64 time=2.36 ms
64 bytes from 130.1.1.100: icmp_seq=5 ttl=64 time=2.03 ms
--- 130.1.1.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 1.763/2.718/5.573/1.443 ms
[root@localhost ~]#
Post the ping, on Router1:
Router1#show bridge-domain 11
Bridge-domain 11 (2 ports in all)
State: UP Mac learning: Enabled
Aging-Timer: 300 second(s)
GigabitEthernet3 service instance 11
vni 5011
AED MAC address Policy Tag Age Pseudoport
0 0050.56B1.6619 forward dynamic 265 nve11.VNI5011, VxLAN --> VM2's MAC
src: 11.11.11.11 dst: 12.12.12.12
0 0050.56B1.3F71 forward dynamic 265 GigabitEthernet3.EFP11 --> VM1's MAC
1 FFFF.FFFF.FFFF flood static 0 OLIST_PTR:0xe80e3000
Router1#
Now, let us quickly look at the port which is being used by VXLAN:
Router1#show platform software vxlan F0 udp-port
VXLAN UDP Port: 4789
Router1#
As seen, the port number has changed. Hence, in case you have a firewall in the path, you need to ensure this UDP port is allowed; otherwise you will see drops.
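As an added illustration (not code from the original post), the following Python builds and parses a VXLAN packet the way Router1 would carry VM1's ping to VM2: outer IP between the two loopbacks, UDP destination port 4789, VNI 5011, and an inner frame with the MACs from the bridge-domain table above. The parser rejects anything not on port 4789, which is the check a firewall or packet filter between the VTEPs effectively performs; the sample packets are constructed here and no checksums are computed.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789  # the port Router1 reports; a firewall in the core must permit it

def cisco_mac(raw):
    """Render 6 raw bytes as IOS does in 'show bridge-domain', e.g. 0050.56B1.3F71."""
    h = raw.hex().upper()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def build_vxlan_packet(src_vtep, dst_vtep, vni, inner_src_mac, inner_dst_mac,
                       payload=b"", dport=VXLAN_UDP_PORT):
    """Outer IPv4 + UDP + 8-byte VXLAN header + inner Ethernet frame (constructed, no checksums)."""
    inner = (bytes.fromhex(inner_dst_mac.replace(".", ""))
             + bytes.fromhex(inner_src_mac.replace(".", ""))
             + b"\x08\x00" + payload)                      # inner EtherType IPv4
    vxlan = bytes([0x08, 0, 0, 0]) + (vni << 8).to_bytes(4, "big")  # I flag set, VNI in bytes 4-6
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, dport, udp_len, 0)   # UDP checksum 0 = not computed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     IPv4Address(src_vtep).packed, IPv4Address(dst_vtep).packed)
    return ip + udp + vxlan + inner

def parse_vxlan_packet(pkt):
    """Return (outer_src, outer_dst, vni, inner_src_mac, inner_dst_mac); raise ValueError if not VXLAN."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("outer protocol is not UDP")
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    _, dport, _, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP dport {dport} is not the VXLAN port {VXLAN_UDP_PORT}")
    vx = pkt[ihl + 8:ihl + 16]
    if len(vx) < 8 or not vx[0] & 0x08:
        raise ValueError("VXLAN header missing or I flag clear (no valid VNI)")
    vni = int.from_bytes(vx[4:7], "big")
    inner = pkt[ihl + 16:]
    if len(inner) < 14:
        raise ValueError("truncated inner Ethernet frame")
    return src, dst, vni, cisco_mac(inner[6:12]), cisco_mac(inner[0:6])

if __name__ == "__main__":
    # VM1 -> VM2 as Router1 would encapsulate it: outer VTEPs are the loopbacks, VNI 5011
    pkt = build_vxlan_packet("11.11.11.11", "12.12.12.12", 5011,
                             "0050.56B1.3F71", "0050.56B1.6619", b"\x45" + b"\x00" * 19)
    print(parse_vxlan_packet(pkt))
```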
This ends this brief overview of VXLAN - Unicast. Hope this post has been helpful.
The image used for demonstrating the above has been: Cisco IOS XE Software, Version 03.13.00.S - Extended Support Release
Hi,
Thanks for the article. I didn't manage to ping between the hosts. Have you done any special configuration on the hosts, such as tagging eth0 with tag 11 or something?

Hey Lakmal,
If you are doing everything in ESXi like I did, you have to enable 'promiscuous mode' in the vswitch security settings and also ensure that the vswitch VLAN-ID setting is 'All'.

Hi,
Thanks for the article! Do you have a separate vswitch between Router1 and VM1 as well as Router2 and VM2? Thanks

Hi,
Yes, I have separate vswitches between the VMs and the routers.

Delayed response, but, yes, I have separate vswitches between my VMs and routers.

Hi Aries, I have read every single article you wrote. Good work and very helpful. Please keep blogging.

Thank you very much. It's this appreciation which has brought me back to this.