RT5-only L3 EVPN Tutorial#

While EVPN originally emerged as a Layer 2 VPN technology to overcome VPLS limitations, it has since evolved to become a unified control plane for many services, Layer 3 VPN included. Founded upon the BGP protocol, EVPN has lots of flexibility and features to become a one-stop-shop for all VPN services in various network deployments, but especially fit for the IP fabrics.

In the Layer 2 EVPN Basics Tutorial we discussed how to configure EVPN to provide a layer 2 service across an IP fabric. Today' focus will be on deploying a Layer 3 Ethernet VPN (EVPN) in the SR Linux-powered DC fabric. We will be working with an interface-less² flavor of an L3 EVPN service that does not require the use of Integrated Routing and Bridging (IRB) interfaces, and as such has no need MAC VRF instances, ARP/ND entries synchronization, MAC/IP (RT2) and IMET routes.

As you might expect, the Layer 3 EVPN is designed to provide Layer 3 services across the fabric. As such, there are no stretched broadcast domains across the fabric and the customer equipment is directly connected via L3 interfaces to the leafs and often runs a PE-CE routing protocol to exchange IP prefixes.

To explain the Layer 3 EVPN configuration and concepts we will use a lab representing a tiny fabric built with two leafs, one spine and two pairs of clients devices connected to the leafs; one pair per each tenant. The first pair of clients will represent L3 servers connected to leaf ports directly, while the second pair will be represented by an FRRouting routers that act a CE router and announce routes.

As part of this tutorial we will go over two L3 EVPN scenarios. First, we will demonstrate how we can provide connectivity for directly attached L3 clients of Tenant 1. These are the clients that are addressed with L3 interfaces and connected to the leaf devices directly.

The second scenario will demonstrate how to connect CE devices of Tenant 2 that establish a BGP session with the leaf devices to exchange IP prefixes. The BGP EVPN will make sure that the client prefixes are distributed to the participants of the same L3 EVPN service of this tenant.

From the data plane perspective we will be using VXLAN tunnels to transport the encapsulated tenant packets through the IP fabric.

As part of this tutorial we will configure the SR Linux-based DC fabric underlay with BGP Unnumbered. Then we will setup the overlay routing using iBGP with EVPN address family and proceed with the creation of an L3 EVPN service for the two tenants of our fabric.

Lab deployment#

To let you follow along the configuration steps of this tutorial we created a lab that you can deploy on any Linux VM with containerlab or run in the cloud with Codespaces:

sudo containerlab deploy -c -t srl-labs/srl-l3evpn-basics-lab

The lab comes up online with the FRR nodes configured, and no configuration is present on the SR Linux nodes besides the basic setup. During the course of this tutorial we will configure the SR Linux nodes and explain the FRR config bits.

If you want to deploy the lab with all configs already applied, just uncomment the startup-config knobs in the topology file.

Once the deployment process is finished you'll see a table with the deployed nodes.
Using the names provided in the table you can SSH into the nodes to start the configuration process. For example, to connect to the l3evpn-leaf1 node you can use the following command:

ssh l3evpn-leaf1 #(1)!

1. If you happen to have an SSH key the login will be passwordless. If not, admin:NokiaSrl1! is the default username and password.

With the lab deployed we are ready to embark on our learn-by-doing EVPN configuration journey!

Comments