The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Prior to the introduction of SR/MPLS Handoff, there were two ways to extend a Tenant VPN located in a Cisco ACI fabric to an MPLS network:
● Using IP Handoff, the border leaf is connected to a Provider Edge (PE) router using VRF-lite. The main drawback is that each VPN that must be extended requires a physical or logical interface and a routing protocol session, which leads to scalability and automation challenges.
IP Handoff Connectivity to WAN
The following link provides more information on IP Handoff and L3outs.
● Using GOLF, the spine is running EVPN VxLAN to a PE router and the PE router performs the interworking function between EVPNoVxLAN and L3VPNoMPLS. While this option brings advantages in terms of scaling compared to IP Handoff (as there is a single EVPN session between the border leaf and DC-PE), it requires VxLAN to be enabled on the DC-PE, and some service provider platforms may have a limited support of VxLAN.
GOLF Connectivity to WAN
The following link provides more information on GOLF.
SR/MPLS Handoff is a new interconnection option that enables you to connect a border leaf or remote leaf to a DC-PE using Segment Routing (SR) MPLS. SR/MPLS is a better solution than others as it is much more common for an SP core. The solution brings the following benefits:
● Unified transport and policies between DC and SP
● Single Control Plane session for multiple VRFs
● Traffic engineering in the SP core controlled from the DC
SR/MPLS Connectivity to WAN
Note: Although the solution is named SR/MPLS Handoff, it is fully compatible with any existing MPLS LDP or RSVP-TE network deployment. However, to get the full benefit, especially the traffic-engineering control feature, a Segment Routing network is required.
See the SR/MPLS handoff white paper (https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-744107.html) for additional details.
Sample Use Cases
This section provides sample use cases where SR/MPLS handoff can be used.
Private Cloud for Enterprise
In this use case, an operator provides a Layer 3 VPN to multiple enterprises but also provides private cloud services by hosting customer-dedicated applications in its datacenter. End-to-end VPN extension from the SP to the DC can easily be achieved by using the SR/MPLS Handoff or MPLS Handoff.
A similar use case is an enterprise having its own datacenter and private WAN network. The enterprise has several applications that must be reachable only from a particular group of users. Segmentation in the DC can easily be extended across the WAN using SR/MPLS handoff.
In addition, based on the application constraints, traffic can be steered over a specific path in the core based on the application requirements.
5G Network Slicing
SR/MPLS handoff adds automation to 5G network slicing. Each slice may use a different VPN, and the traffic within a slice may use one or more classes of service. SR/MPLS handoff automates both the VPN extension between DC and WAN and the mapping of the classes of service to a specific transport path in the WAN.
In the use case described above, two mobile slices are created. One slice is dedicated to end users reaching the Internet and generic services and the other slice is dedicated to an enterprise customer.
As displayed in the example of Figure 5, traffic from an enterprise terminal can be steered seamlessly to the dedicated UPF using a premium routing path, and from the UPF to the enterprise headquarters site, also using a premium routing path. On the other hand, the end-user traffic is steered to another dedicated UPF and then to some Gi services before going to the Internet. Best-effort routing is used in the underlay for the end-user traffic.
ACI as Transit
There are a couple of use cases where the Cisco ACI fabric can be used as transit with SR/MPLS handoff. This means that the traffic comes into the fabric, then exits the fabric and finally reaches its destination.
Cisco ACI Fabric as Transit with Service Chaining
Figure 6 describes a typical GiLAN use case, where the mobile traffic from a user is steered to a service chain within the fabric. The traffic crosses all the necessary services before leaving the fabric and reaching its Internet destination.
Transit Without Any Services
Figure 7 describes two use cases where a Cisco ACI fabric is used purely as transport between two networks.
The figure on the left describes a user accessing a mainframe. The mainframe is connected using a regular L3out to a border leaf. Traffic comes from an external network using SR/MPLS handoff and is carried through the Cisco ACI fabric to the L3out where the mainframe is attached.
On the right hand side, a residential user is accessing some content located in a main DC. While the regional DC could be used to host mobile core functions for instance, it is used purely as transit for the traffic related to the residential users.
Audience
The audience for this document includes, but is not limited to Datacenter IT, Telco cloud, and Enterprise DCs.
Purpose of the Document
This document consists of validated designs and configurations to ease and to speed up customer deployments or testing.
The detailed configurations provided (especially those related to ACI) make the document quite long. However, this enables the reader to copy/paste the configurations and easily reproduce the validated designs.
Validated Hardware and Software Versions
The version numbers provided below are the ones that have been tested and are provided for information. A customer may use any later versions without any issues.
Service Provider Network
NCS5500 acting as DC-PE and running XR 7.0.2
ASR9K Typhoon and Tomahawk line cards acting as DC-PE and running XR 7.0.2
Datacenter Network
ACI APIC Controller version: 5.0(1k)
ACI Switch version: 15.0(1k)
ACI switch hardware tested:
Leaf switch: N9K-C93360YC-FX2, N9K-C9336C-FX2, N9K-C93240YC-FX2, N9K-C93180YC-FX, N9K-C9348GC-FXP
Spine switch: N9K-C9364C
The complete list of the supported hardware is available here:
The configuration will be the same regardless of the hardware combination used.
Segment Routing Considerations
As this document is focused on the SR/MPLS Handoff between ACI and an MPLS core, the segment routing base configuration of the MPLS core will not be detailed. This base configuration is related to IGP Segment Routing configuration (SRGB definition, Prefix-SID configuration).
From a design point of view, the core SR domain may extend to Cisco ACI fabrics when implementing the SR/MPLS Handoff. When this is the case, the Segment Identifier (Node-SID) used for ACI leafs must be unique across the SR domain, including the SR core.
It is recommended that you use the same Segment Routing Global Block (SRGB) value across the SR domain to ease operations. The SRGB considered in this document is [16000, 32000] across the whole network.
Table 1. Loopback Addresses
Node | Loopback IP Address
LEAF3 | 20.204.103.1/32
LEAF4 | 20.204.104.1/32
LEAF5 | 20.204.105.1/32
LEAF6 | 20.204.106.1/32
LEAF7 | 20.204.107.1/23
LEAF8 | 20.204.108.1/32
LEAF11 | 20.204.111.1/32
LEAF12 | 20.204.112.1/32
LEAF13 | 20.204.113.1/32
LEAF14 | 20.204.114.1/32
PE1 | 201.201.201.1/32
PE2 | 201.201.201.2/32
PE3 | 201.201.201.3/32
PE6 | 201.201.201.6/32
PE7 | 201.201.201.7/32
AGG2-PE1 | 201.221.201.1/32
AGG2-PE2 | 201.221.201.2/32
AGG2-RR1-EVPN | 201.221.202.3/32
AGG2-RR2-EVPN | 201.221.202.4/32
AGG3-PE1 | 201.231.201.1/32
AGG3-PE2 | 201.231.201.2/32
Design
Basic Communication Between the ACI Main DC and Remote Leaf
In Figure 8, two workloads, A and B, connected respectively to the ACI main DC and to a remote leaf, need to communicate. There is no transport requirement for the traffic flow.
SR/MPLS handoff is implemented between the border leafs and the DC-PEs. The central Cisco ACI fabric uses Leaf3 as a border leaf directly connected to PE2 acting as a DC-PE. The remote leaf Leaf5 is directly connected to PE6 acting as a DC-PE.
ACI and SP network are using different AS numbers.
Note: Using iBGP between ACI border leaf and SP core is NOT supported yet.
The design assumes that the same loopback is used for the dataplane and controlplane which is the simplest solution even if ACI supports having a separate loopback for controlplane and dataplane.
From a tenant configuration standpoint, VRFs are not stretched across sites. Each ACI site must use a different VRF with a different set of route targets (RT). In our example, the Cisco ACI fabric has a VRF called TENANT_BASIC_21 which uses the RT 1:2110005 while the remote leaf site has a VRF called TENANT_BASIC_2121 which uses the RT 1:2110006. The SP core will use the RT 1:2110000 in the VPN unicast address-family domain.
Note: When the VRF is stretched, a VxLAN tunnel is automatically created, and the VxLAN path will be used instead of the SR/MPLS path. More details can be found in the following section.
While the setup is presented as a fabric site communicating with a remote leaf site, other combinations have been tested and are fully supported as detailed below:
Various Validated Traffic Combinations
The configuration remains the same in all the listed cases.
Infrastructure Configuration
The infrastructure configuration consists of setting up the SR/MPLS handoff between the DC-PEs and the ACI border leafs. In this simple use case, we assume that there is no multihoming of the border leaf to the DC-PEs and there is no tuning related to fast-convergence. The next section will cover multihoming.
PE2 DC-PE Configuration
Interface to BL Configuration
interface TenGigE0/0/0/0/4
 description connected to ifav204-leaf3:1/1 used for SR/MPLS
 ipv4 address 120.1.53.2 255.255.255.0
 load-interval 30
!
BGP Labeled Unicast Configuration
The BGP LU (Labeled Unicast) configuration requires several configuration blocks:
1. First, the BGP LU address-family must be configured, as well as redistribution of the local loopback address into BGP LU. The loopback address is filtered by the route-policy CONNECTED-TO-BGP-LU, which uses the prefix-set PFXSET-OWN-LO0 that defines the local loopback address. The route-policy takes the node-SID value associated with the loopback as an input parameter, so the node-SID can be attached as a BGP Prefix-SID attribute to the BGP-LU route. In our configuration, the node-SID “2” is used as a parameter of the route-policy.
router bgp 1
 bgp router-id 201.201.201.2
 address-family ipv4 unicast
  redistribute connected route-policy CONNECTED-TO-BGP-LU(2)
  allocate-label all
 !
!
prefix-set PFXSET-OWN-LO0
  201.201.201.2/32
end-set
!
route-policy CONNECTED-TO-BGP-LU($node_sid)
  if destination in PFXSET-OWN-LO0 then
    set label-index $node_sid
    pass
  endif
end-policy
!
2. Then, the BGP-LU session with the ACI Border Leaf must be configured:
The proposed configuration of the BGP-LU uses a neighbor-group. The neighbor-group can be reused and applied to multiple BGP-LU peers if necessary. In our example, there is a single peer configured. By default, XR requires some explicit policies to be configured on eBGP peers, otherwise all routes are dropped.
As the DC-PE is directly connected to the ACI border leaf, there is no need to propagate the border leaf loopback addresses received by the DC-PE over the BGP-LU session into the SP network. The inbound policy SET-CT-NO-ADVERTISE ensures that the BGP-LU prefixes will not be propagated to any other BGP peer (if any) by setting the well-known “no-advertise” BGP community.
The outbound policy ADVERTISE-LO0-ONLY ensures that the DC-PE only propagates its local loopback address to the ACI-Leaf (this is again because the leaf and the DC-PE are directly connected).
router bgp 1
 neighbor-group ACI-site-LU
  remote-as 987654321
  address-family ipv4 labeled-unicast
   route-policy SET-CT-NO-ADVERTISE in
   maximum-prefix 10 80 warning-only
   route-policy ADVERTISE-LO0-ONLY out
  !
 !
 neighbor 120.1.53.1
  use neighbor-group ACI-site-LU
 !
!
community-set COMSET-NO-ADVERTISE
  no-advertise
end-set
!
route-policy SET-CT-NO-ADVERTISE
  set community COMSET-NO-ADVERTISE
end-policy
!
route-policy ADVERTISE-LO0-ONLY
  if destination in PFXSET-OWN-LO0 then
    pass
  else
    drop
  endif
end-policy
!
3. The last step is to activate MPLS forwarding on the interface towards the leaf.
router bgp 1
 mpls activate
  interface TenGigE0/0/0/0/4
!
router static
 address-family ipv4 unicast
  120.1.53.1/32 TenGigE0/0/0/0/4
BGP Overlay Configuration
The BGP overlay configuration consists of activating the BGP service overlay address families on the DC-PE.
On the SP core side, the DC-PE must run the VPNv4/VPNv6 address families while EVPN address family runs towards the ACI leaf.
Note: Although the ACI border leaf and the DC-PE are directly connected, the EVPN session runs between loopback addresses. Therefore, eBGP multihop must be configured on the EVPN session.
In our configurations, constrained route distribution is also activated on the VPNv4/v6 peers but it is not required to be activated.
As for the BGP-LU session, the provided configurations are for a single-homing use case without fast-convergence.
router bgp 1
 address-family vpnv4 unicast
 !
 address-family vpnv6 unicast
 !
 address-family ipv4 rt-filter
 !
 address-family l2vpn evpn
 !
 neighbor-group ACI-site-EVPN
  remote-as 987654321
  ebgp-multihop 255
  update-source Loopback0
  address-family l2vpn evpn
  !
 !
 neighbor-group RR-VPNunicast
  remote-as 1
  update-source Loopback0
  address-family vpnv4 unicast
  !
  address-family vpnv6 unicast
  !
  address-family ipv4 rt-filter
  !
 neighbor 20.204.103.1
  use neighbor-group ACI-site-EVPN
  address-family l2vpn evpn
   route-policy PASS in
   route-policy PASS out
  !
 neighbor 202.202.202.102
  use neighbor-group RR-VPNunicast
 !
 neighbor 202.202.202.103
  use neighbor-group RR-VPNunicast
!
route-policy PASS
  pass
end-policy
!
The last step is to enable the EVPN/VPNvX stitching functionality.
On the ACI neighbor-group, the EVPN address-family must enable stitching to VPNvX address-family by using the following commands:
router bgp 1
 neighbor-group ACI-site-EVPN
  address-family l2vpn evpn
   import stitching-rt re-originate
   advertise vpnv4 unicast re-originated stitching-rt
   advertise vpnv6 unicast re-originated stitching-rt
  !
 !
The EVPN/VPNvX stitching is based on the concept of stitching and non-stitching RTs. For instance, when the DC-PE learns an EVPN route carrying an RT that is configured as a stitching RT, the route is imported into a local VRF and re-originated into VPNvX using a non-stitching RT value. The reverse processing happens when a VPNvX route is received with a non-stitching RT: the route is imported into the VRF and re-originated into EVPN using a stitching RT.
On the VPN RR neighbor-group, stitching also must be activated using the following configuration.
router bgp 1
 neighbor-group RR-VPNunicast
  address-family vpnv4 unicast
   import re-originate stitching-rt
   advertise vpnv4 unicast re-originated
  !
  address-family vpnv6 unicast
   import re-originate stitching-rt
   advertise vpnv6 unicast re-originated
PE6 DC-PE configuration
PE6 configuration is similar to the PE2 configuration.
interface TenGigE0/0/0/12
 description connected to ifav204-leaf5:1/1 used for SR/MPLS
 ipv4 address 120.1.62.2 255.255.255.0
 load-interval 30
!
router static
 address-family ipv4 unicast
  120.1.62.1/32 TenGigE0/0/0/12
!
router bgp 1
 bgp router-id 201.201.201.6
 mpls activate
  interface TenGigE0/0/0/12
 !
 address-family ipv4 unicast
  redistribute connected route-policy CONNECTED-TO-BGP-LU(6)
  allocate-label all
 !
 address-family vpnv4 unicast
 !
 address-family vpnv6 unicast
 !
 address-family ipv4 rt-filter
 !
 address-family l2vpn evpn
 !
 neighbor-group ACI-site-EVPN
  remote-as 987654321
  ebgp-multihop 255
  update-source Loopback0
  address-family l2vpn evpn
   import stitching-rt re-originate
   advertise vpnv4 unicast re-originated stitching-rt
   advertise vpnv6 unicast re-originated stitching-rt
  !
 !
 neighbor-group RR-VPNunicast
  remote-as 1
  update-source Loopback0
  address-family vpnv4 unicast
   import re-originate stitching-rt
   advertise vpnv4 unicast re-originated
  !
  address-family vpnv6 unicast
   import re-originate stitching-rt
   advertise vpnv6 unicast re-originated
  !
  address-family ipv4 rt-filter
  !
 !
 ! neighbor-group ACI-site-LU is not shown in this listing; it is assumed to be defined as on PE2
 neighbor 120.1.62.1
  use neighbor-group ACI-site-LU
  address-family ipv4 labeled-unicast
   route-policy SET-CT-NO-ADVERTISE in
   maximum-prefix 10 80 warning-only
   route-policy ADVERTISE-LO0-ONLY out
  !
 !
 neighbor 20.204.105.1
  use neighbor-group ACI-site-EVPN
  address-family l2vpn evpn
   route-policy PASS in
   route-policy PASS out
  !
 !
!
prefix-set PFXSET-OWN-LO0
  201.201.201.6/32
end-set
!
route-policy ADVERTISE-LO0-ONLY
  if destination in PFXSET-OWN-LO0 then
    pass
  else
    drop
  endif
end-policy
!
community-set COMSET-NO-ADVERTISE
  no-advertise
end-set
!
route-policy SET-CT-NO-ADVERTISE
  set community COMSET-NO-ADVERTISE
end-policy
!
route-policy PASS
  pass
end-policy
!
route-policy CONNECTED-TO-BGP-LU($node_sid)
  if destination in PFXSET-OWN-LO0 then
    set label-index $node_sid
    pass
  endif
end-policy
ACI Configuration
The SR/MPLS Infra L3out is configured in the “INFRA” tenant on the border leaf.
The configuration contains underlay BGP-LU and overlay BGP EVPN sessions for SR/MPLS Handoff.
Tenant VRFs must then be selectively attached to ACI Infra-L3out(s) to advertise Tenant prefixes to DC-PE routers and import MPLS VPN prefixes from DC-PE.
As the ACI configuration is provided as XML that can easily be imported in Cisco APIC, each block of configuration is associated with a tag comment in the XML. The explanation of the block associated with each tag comment is provided below.
<?xml version="1.0" encoding="utf-8"?>
<imdata totalCount="1">
<fvTenant
dn="uni/tn-infra"
name="infra"
>
<!-- Tag_1 Default Label Range config in Infra Tenant -->
<mplsLabelPol
maxDynamicLabel="525286"
maxStaticLabel="0"
minDynamicLabel="16"
minStaticLabel="0"
name="default"
>
<mplsSrgbLabelPol
localId="1"
maxSrgbLabel="32000"
minSrgbLabel="16000"
/>
</mplsLabelPol>
<!-- Tag_2 Default interface config in Infra Tenant -->
<mplsIfPol
name="default"
/>
<!-- Tag_3 MPLS Infra L3out towards DC PE Location 2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="2-1"
targetDscp="unspecified"
>
<mplsExtP
>
<mplsRsLabelPol
tDn="uni/tn-infra/mplslabelpol-default"
/>
</mplsExtP>
<l3extRsL3DomAtt
tDn="uni/l3dom-L3Dom"
/>
<l3extRsEctx
tnFvCtxName="overlay-1"
/>
<l3extProvLbl
name="2-1"
tag="yellow-green"
/>
<l3extLNodeP
name="2-1_nodeProfile"
tag="yellow-green"
targetDscp="unspecified"
>
<l3extRsNodeL3OutAtt
rtrId="30.204.103.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-103"
>
<l3extLoopBackIfP addr="20.204.103.1"
>
<mplsNodeSidP
loopbackAddr="20.204.103.1"
sidoffset="45"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsLNodePMplsCustQosPol
tDn="uni/tn-infra/qosmplscustom-"
/>
<l3extLIfP
name="2-1_interfaceProfile"
prio="unspecified"
tag="yellow-green"
>
<l3extRsPathL3OutAtt addr="120.1.53.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-103/pathep-[eth1/1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.53.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<mplsIfP
>
<mplsRsIfPol
tnMplsIfPolName="default"
/>
</mplsIfP>
</l3extLIfP>
<bgpInfraPeerP addr="201.201.201.2"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
</l3extLNodeP>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="2-1_mplsInstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsCustQosPol
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_4 MPLS Infra L3out towards DC PE Location 2-1-2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="2-1-2-1"
targetDscp="unspecified"
>
<mplsExtP
>
<mplsRsLabelPol
tDn="uni/tn-infra/mplslabelpol-default"
/>
</mplsExtP>
<l3extRsL3DomAtt
tDn="uni/l3dom-L3Dom"
/>
<l3extRsEctx
tnFvCtxName="overlay-1"
/>
<l3extProvLbl
name="2-1-2-1"
tag="yellow-green"
/>
<l3extLNodeP
name="2-1-2-1_nodeProfile"
tag="yellow-green"
targetDscp="unspecified"
>
<l3extRsNodeL3OutAtt
rtrId="30.204.105.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-105"
>
<l3extLoopBackIfP addr="20.204.105.1"
>
<mplsNodeSidP
loopbackAddr="20.204.105.1"
sidoffset="47"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsLNodePMplsCustQosPol
tDn="uni/tn-infra/qosmplscustom-"
/>
<l3extLIfP
name="2-1-2-1_interfaceProfile"
prio="unspecified"
tag="yellow-green"
>
<l3extRsPathL3OutAtt addr="120.1.62.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-105/pathep-[eth1/1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.62.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<mplsIfP
>
<mplsRsIfPol
tnMplsIfPolName="default"
/>
</mplsIfP>
</l3extLIfP>
<bgpInfraPeerP addr="201.201.201.6"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
</l3extLNodeP>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="2-1-2-1_mplsInstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsCustQosPol
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
</fvTenant>
</imdata>
Tag_1 Default Label Range config in INFRA Tenant:
This block creates an MPLS Label policy.
ACI supports the same Segment Routing Global Block (SRGB) across all fabrics. The default SRGB range in ACI is from 16000 to 23999. The SRGB range is user-configurable, with a minimum of 16000 and a maximum of 471804.
Note: ACI always advertises implicit-null for underlay label (Transport loopback). VRF Aggregate label is advertised from a different range (948576 to 1068576) than the SRGB range.
In our example, we use an SRGB starting from 16000 to 32000.
Tag_2 Default interface Profile config in INFRA Tenant:
This block creates an MPLS Interface profile policy. We have a default policy and have attached it to the interface connected to DC-PE.
Tag_3 and Tag_4 MPLS Infra L3out towards DC PE:
This block handles the configuration of the SR/MPLS INFRA L3 out.
The container “mplsExtP” attaches the created MPLS Label policy to the SR/MPLS INFRA L3out.
The container “l3extLNodeP” is a NodeProfile where we reference the leaf which is connected to DC-PE.
Note: In our example, the node already has a Router-id. For instance leaf3 has a router-id of 30.204.103.1.
SR/MPLS is supported on L3 port, L3 Sub-interface, Port-channel, Port-channel sub-interface. SR/MPLS is not supported for vPC and SVI.
The BGP EVPN peer type must be set to SR MPLS. As the EVPN BGP session is based on loopback addresses, the TTL for the session must be at least 2 (eBGP multihop). In the provided configuration, we have configured the PE02 EVPN loopback as the peer address (201.201.201.2) in location 2-1.
It is important to set the allow-as-in (allow-self-as) attribute in EVPN peer so that the ACI site can receive BGP routes from a remote site with the same AS number.
Example:
<bgpInfraPeerP addr="201.201.201.2" addrTCtrl="af-ucast" adminSt="enabled" allowedSelfAsCnt="3" annotation="" ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
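The checks described for Tag_1, Tag_3 and Tag_4 can be run against an exported infra tenant before it is pushed to APIC. The following is an added example, not Cisco tooling or part of the validated configuration: it derives each leaf's Node-SID label from the SRGB and flags SID indexes that collide inside the SR domain, EVPN peers with a TTL below 2, and peers without allow-self-as. The function name audit_infra, the "bad-example" L3Out and its addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. L3Out "2-1" is trimmed from the configuration above to the
# attributes the checks read; L3Out "bad-example" is invented to trigger each check.
SAMPLE = """<imdata><fvTenant name="infra">
  <mplsLabelPol name="default">
    <mplsSrgbLabelPol localId="1" minSrgbLabel="16000" maxSrgbLabel="32000"/>
  </mplsLabelPol>
  <l3extOut name="2-1" mplsEnabled="yes">
    <l3extLNodeP name="2-1_nodeProfile">
      <l3extRsNodeL3OutAtt rtrId="30.204.103.1" tDn="topology/pod-1/node-103">
        <l3extLoopBackIfP addr="20.204.103.1">
          <mplsNodeSidP loopbackAddr="20.204.103.1" sidoffset="45"/>
        </l3extLoopBackIfP>
      </l3extRsNodeL3OutAtt>
      <bgpInfraPeerP addr="201.201.201.2" peerT="SR/MPLS" ttl="16"
        ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"/>
    </l3extLNodeP>
  </l3extOut>
  <l3extOut name="bad-example" mplsEnabled="yes">
    <l3extLNodeP name="bad_nodeProfile">
      <l3extRsNodeL3OutAtt rtrId="30.204.199.1" tDn="topology/pod-1/node-199">
        <l3extLoopBackIfP addr="20.204.199.1">
          <mplsNodeSidP loopbackAddr="20.204.199.1" sidoffset="2"/>
        </l3extLoopBackIfP>
      </l3extRsNodeL3OutAtt>
      <bgpInfraPeerP addr="201.201.201.9" peerT="SR/MPLS" ttl="1"
        ctrl="send-com,send-ext-com"/>
    </l3extLNodeP>
  </l3extOut>
</fvTenant></imdata>"""

# Node-SID indexes already used in the SP core: the route-policy parameters
# CONNECTED-TO-BGP-LU(2) on PE2 and CONNECTED-TO-BGP-LU(6) on PE6.
CORE_SID_INDEXES = {"PE2": 2, "PE6": 6}


def audit_infra(xml_text, core_indexes=CORE_SID_INDEXES):
    """Return ({loopback: label}, [(l3out_name, finding), ...])."""
    root = ET.fromstring(xml_text)
    srgb = root.find(".//mplsSrgbLabelPol")
    if srgb is None:
        raise ValueError("no mplsSrgbLabelPol found; labels cannot be derived")
    lo, hi = int(srgb.get("minSrgbLabel")), int(srgb.get("maxSrgbLabel"))

    labels, findings = {}, []
    # Track who owns each SID index across the whole SR domain (core + fabric).
    owner = {idx: f"core node {node}" for node, idx in core_indexes.items()}

    for out in root.iter("l3extOut"):
        name = out.get("name")

        for sid in out.iter("mplsNodeSidP"):
            idx = int(sid.get("sidoffset"))
            label = lo + idx  # label = SRGB base + index
            labels[sid.get("loopbackAddr")] = label
            if not lo <= label <= hi:
                findings.append((name, f"label {label} outside SRGB [{lo}, {hi}]"))
            if idx in owner:
                findings.append((name, f"SID index {idx} already used by {owner[idx]}"))
            else:
                owner[idx] = f"L3Out {name}"

        for peer in out.iter("bgpInfraPeerP"):
            addr = peer.get("addr")
            flags = set(peer.get("ctrl", "").split(","))
            if peer.get("peerT") != "SR/MPLS":
                findings.append((name, f"peer {addr}: peerT is not SR/MPLS"))
            # A missing ttl attribute is treated as failing the check.
            if int(peer.get("ttl") or 0) < 2:
                findings.append((name, f"peer {addr}: ttl below 2 on a loopback session"))
            if "allow-self-as" not in flags:
                findings.append((name, f"peer {addr}: allow-self-as not set"))

    return labels, findings


if __name__ == "__main__":
    computed, problems = audit_infra(SAMPLE)
    for loopback, label in computed.items():
        print(f"{loopback}: label {label}")
    for l3out, text in problems:
        print(f"[{l3out}] {text}")
```

For leaf3 the derived label matches the Local Label that the DC-PE reports for 20.204.103.1/32 in the verification output.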
Verifications
XR BGP-LU
The BGP session state can be displayed using the following command. In the output below, the PE02 has received one prefix from the leaf.
RP/0/RSP0/CPU0:PE02#show bgp ipv4 labeled-unicast summary
Mon Aug 31 13:13:29.718 UTC
BGP router identifier 201.201.201.2, local AS number 1
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0000000 RD version: 273
BGP main routing table version 273
BGP NSR Initial initsync version 42 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs
BGP is operating in STANDALONE mode.
Process RcvTblVer bRIB/RIB LabelVer ImportVer SendTblVer StandbyVer
Speaker 273 273 273 273 273 0
Neighbor Spk AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down St/PfxRcd
120.1.53.1 0 987654321 1352 1351 273 0 0 22:27:28 1
The received prefixes can be verified using the following command. The DC-PE correctly receives the leaf loopback address 20.204.103.1/32 over the BGP-LU session.
RP/0/RSP0/CPU0:PE02#show bgp ipv4 labeled-unicast neighbors 120.1.53.1 routes
Mon Aug 31 13:14:34.270 UTC
BGP router identifier 201.201.201.2, local AS number 1
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0000000 RD version: 273
BGP main routing table version 273
BGP NSR Initial initsync version 42 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 20.204.103.1/32 120.1.53.1 0 987654321 i
When displaying the details of prefix 20.204.103.1/32, we can see the implicit-null MPLS label, as well as the Node-SID value (45) that has been advertised by the leaf.
RP/0/RSP0/CPU0:PE02#show bgp ipv4 unicast 20.204.103.1/32
Thu Sep 3 02:51:28.796 UTC
BGP routing table entry for 20.204.103.1/32
Versions:
Process bRIB/RIB SendTblVer
Speaker 1867 1867
Local Label: 16045
Last Modified: Sep 2 16:29:40.144 for 10:21:49
Paths: (1 available, best #1, not advertised to any peer)
Not advertised to any peer
Path #1: Received by speaker 0
Not advertised to any peer
987654321
120.1.53.1 from 120.1.53.1 (30.204.103.1)
Received Label 3
Origin IGP, localpref 100, valid, external, best, group-best, labeled-unicast
Received Path ID 0, Local Path ID 1, version 1867
Community: no-advertise
Origin-AS validity: (disabled)
Label-Index: 45
RP/0/RSP0/CPU0:PE02#
The local MPLS label value is computed as expected by using:
base SRGB + Index = 16000 + 45 = 16045.
ACI BGP-LU:
The default route-maps attached to the BGP-LU session can be displayed by using the following command.
ifav204-leaf3# show bgp ipv4 labeled-unicast neighbors 120.1.53.2 vrf overlay-1
BGP neighbor is 120.1.53.2, remote AS 1, ebgp link, Peer index 5
For address family: IPv4 Unicast
BGP table version 7, neighbor version 0
0 accepted paths consume 0 bytes of memory
0 sent paths
0 denied paths
Maximum prefixes allowed 20000 (action is reject)
Threshold for warning messages 75%
Inbound route-map configured is permit-all, handle obtained
Outbound route-map configured is permit-mpls-cp-loopback, handle obtained
For address family: IPv4 Label Unicast
BGP table version 10, neighbor version 10
1 accepted paths consume 112 bytes of memory
1 sent paths
0 denied paths
Inbound route-map configured is permit-all, handle obtained
Outbound route-map configured is permit-mpls-dp-loopback, handle obtained
ifav204-leaf3#
----
ifav204-leaf3# show route-map permit-all
route-map permit-all, permit, sequence 2
Match clauses:
Set clauses:
ifav204-leaf3# show route-map permit-mpls-cp-loopback
route-map permit-mpls-cp-loopback, permit, sequence 1
Match clauses:
ip address prefix-lists: infra_mpls_cp_tep
Set clauses:
ifav204-leaf3# show route-map permit-mpls-dp-loopback
route-map permit-mpls-dp-loopback, permit, sequence 1
Match clauses:
ip address prefix-lists: infra_mpls_dp_tep
Set clauses:
ifav204-leaf3# show ip prefix-list infra_mpls_dp_tep
ip prefix-list infra_mpls_dp_tep: 1 entries
seq 1 permit 20.204.103.1/32
ifav204-leaf3# show ip prefix-list infra_mpls_cp_tep
ip prefix-list infra_mpls_cp_tep: 1 entries
seq 1 permit 20.204.103.1/32
ifav204-leaf3#
The default route-maps have the following purpose:
● permit-all allows inbound prefixes of ipv4 labeled unicast and ipv4 unicast address family
● permit-mpls-cp-loopback advertises EVPN control plane loopback
● permit-mpls-dp-loopback advertises MPLS transport loopback
On LEAF3, the loopback from PE02 is correctly received using BGP-LU. As the DC-PE and the BL are directly connected, the received label is 3 (implicit-null). The BGP Prefix SID attribute (Label index 2) is also correctly received.
ifav204-leaf3# show bgp ipv4 labeled-unicast 201.201.201.2/32 vrf overlay-1
BGP routing table information for VRF overlay-1, address family IPv4 Label Unicast
BGP routing table entry for 201.201.201.2/32, version 20 dest ptr 0xa4977ed8
Paths: (1 available, best #1)
Flags: (0x08001a 00000000) on xmit-list, is in urib, is best urib route, is in HW
label af: version 29, (0x100002) on xmit-list
Advertised path-id 1, Label AF advertised path-id 1
Path type: external 0x40000028 0x0 ref 0 adv path ref 2, path is valid, is best path
AS-Path: 1 , path sourced external to AS
120.1.53.2 (metric 0) from 120.1.53.2 (201.201.201.2)
Origin incomplete, MED 0, localpref 100, weight 0 tag 0, propagate 0
Received label 3
Prefix-SID Attribute: Length: 10
Label Index TLV: Length 7, Flags 0x0 Label Index 2
Path-id 1 not advertised to any peer
Label AF advertisement
Path-id 1 not advertised to any peer
ifav204-leaf3#
XR BGP EVPN Session State
RP/0/RSP0/CPU0:PE02#show bgp l2vpn evpn summary
Mon Aug 31 13:15:43.258 UTC
BGP router identifier 201.201.201.2, local AS number 1
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0x0 RD version: 0
BGP main routing table version 147
BGP NSR Initial initsync version 147 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs
BGP is operating in STANDALONE mode.
Process RcvTblVer bRIB/RIB LabelVer ImportVer SendTblVer StandbyVer
Speaker 147 147 147 147 147 0
Neighbor Spk AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down St/PfxRcd
20.204.103.1 0 987654321 1429 1556 147 0 0 22:29:19 0
ACI BGP EVPN Session State
ifav204-leaf3# show bgp l2vpn evpn summary vrf overlay-1
BGP summary information for VRF overlay-1, address family L2VPN EVPN
BGP router identifier 30.204.103.1, local AS number 987654321
BGP table version is 2004, L2VPN EVPN config peers 2, capable peers 2
401 network entries and 520 paths using 65452 bytes of memory
BGP attribute entries [81/12960], BGP AS path entries [0/0]
BGP community entries [5/160], BGP clusterlist entries [2/8]
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
201.201.201.2 4 1 1203 642 2004 0 0 10:07:21 0
ifav204-leaf3#
At this stage, no routes are exchanged with the ACI border leaf (both summaries show 0 prefixes received). Tenant configuration is required to exchange VPN routes.
Tenant Configuration
PE2 DC-PE
Each DC-PE requires a VRF to be configured to perform the EVPN/VPNvX stitching function.
The VRF is configured with a stitching RT value (in our design, this is the RT used in the EVPN domain with the ACI DC) and a non-stitching RT value (the RT used in the VPNvX domain of the SP core).
Each DC-PE must use a different route-distinguisher value for the stitching VRF.
Also, the user must ensure that the DC-PE is not configured with the same RD value as the VRF located in the connected ACI site. Using different RDs is required to enable the route re-origination between EVPN and VPNvX. Reorigination cannot happen if a learned route has the same RD as the stitching VRF.
vrf TENANT_BASIC
 address-family ipv4 unicast
  import route-target
   1:2110000
   1:2110005 stitching
  !
  export route-target
   1:2110000
   1:2110005 stitching
  !
 !
 address-family ipv6 unicast
  import route-target
   1:2110000
   1:2110005 stitching
  !
  export route-target
   1:2110000
   1:2110005 stitching
  !
 !
!
router bgp 1
 vrf TENANT_BASIC
  rd 1:2110002
  address-family ipv4 unicast
  !
  address-family ipv6 unicast
  !
PE6 DC-PE
vrf TENANT_BASIC
 address-family ipv4 unicast
  import route-target
   1:2110000
   1:2110006 stitching
  !
  export route-target
   1:2110000
   1:2110006 stitching
  !
 !
 address-family ipv6 unicast
  import route-target
   1:2110000
   1:2110006 stitching
  !
  export route-target
   1:2110000
   1:2110006 stitching
  !
 !
!
router bgp 1
 vrf TENANT_BASIC
  rd 1:2110006
  address-family ipv4 unicast
  !
  address-family ipv6 unicast
  !
ACI Configuration
<?xml version="1.0" encoding="utf-8"?>
<imdata totalCount="1">
<!-- Specify Name of Tenant as Required -->
<fvTenant descr="Tenant with Basic SR MPLS Handoff between 2-1 and 2-1-2-1"
dn="uni/tn-TENANT-BASIC"
name="TENANT-BASIC"
>
<!-- Tag_1 User L3out Route Control Config -->
<rtctrlSubjP
name="all"
>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="100.0.0.0/8"
toPfxLen="0"
/>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="::/0"
toPfxLen="0"
/>
</rtctrlSubjP>
<rtctrlProfile
name="Export-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<!-- Tag_2 User L3out Config towards DC PE Location 2-1-2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_2121"
/>
<rtctrlProfile
name="Export-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1-2-1"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToProfile
direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToInstP tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106/instP-LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="::/0"
name="ipv6All"
scope="import-security"
/>
<l3extSubnet
ip="0.0.0.0/0"
name="ipv4All"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_3 User L3out Config towards DC PE Location 2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-MPLS-TENANT-L3OUT-2105"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_21"
/>
<rtctrlProfile
name="Import-pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Export-pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToProfile direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToInstP tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-MPLS-TENANT-L3OUT-2105/instP-LOCATION-2-1-MPLS-TENANT-L3OUT-2105-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-MPLS-TENANT-L3OUT-2105-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="::/0"
name="ipv6All"
scope="import-security"
/>
<l3extSubnet
ip="0.0.0.0/0"
name="ipv4All"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_4 User VRF Config towards DC PE Location 2-1-2-1 -->
<fvCtx bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_2121"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="export"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="export"
/>
</bgpRtTargetP>
</fvCtx>
<!-- Tag_5 User VRF Config towards DC PE Location 2-1 -->
<fvCtx bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_21"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="export"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="import"
/>
</bgpRtTargetP>
</fvCtx>
<!-- Tag_6 User BD Config towards DC PE Location 2-1 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2105"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet ctrl="nd"
ip="2001:100:21:5::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="100.21.5.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_21"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-MPLS-TENANT-L3OUT-2105"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- Tag_7 User BD Config towards DC PE Location 2-1-2-1 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2106"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet ctrl="nd"
ip="2001:100:21:6::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="100.21.6.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_2121"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- Tag_8 Application Profile Config towards DC PE Location 2-1-2-1 -->
<fvAp
name="LOCATION-2-1-2-1-AP2106"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG106"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="lazy"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-105/pathep-[eth1/10]"
/>
<fvRsDomAtt bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="lazy"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2106"
/>
</fvAEPg>
</fvAp>
<!-- Tag_9 Application Profile Config towards DC PE Location 2-1 -->
<fvAp
name="LOCATION-2-1-AP2105"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG105"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="immediate"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-101/pathep-[eth1/10]"
/>
<fvRsDomAtt bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="immediate"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2105"
/>
</fvAEPg>
</fvAp>
</fvTenant>
</imdata>
Tag_1 User L3out Route Control Configuration:
Outbound Route Policy:
An outbound route policy is required to advertise any prefix, including BD subnets. The default outbound route policy is to not advertise any prefix. An explicit outbound route-map can be configured to provide functions including, but not limited to, the following:
● Match prefixes to advertise to SR/MPLS network
● Match prefixes and community to advertise prefixes to SR/MPLS network
● Set community including color community based on prefix and/or community match
Inbound Route Policy:
By default, the inbound route policy is to accept all prefixes. An explicit inbound route-map can be configured to match prefixes and selectively deny them in the fabric if required.
Tag_2 and Tag_3 User L3out Configuration towards DC PE
This specifies the SR MPLS Tenant L3out for each site.
Each VRF that needs to be advertised towards SR MPLS core must be associated to an SR/MPLS-Infra L3out. Import and export route-maps can be optionally configured to apply route-policies based on prefixes and/or communities to advertise prefixes into SR network or receive prefixes from SR network.
Detailed explanation of above XML configuration:
● “rtctrlProfile”: Route Control Profile in the above configuration is used to apply the inbound and outbound route-policies.
● “l3extConsLbl”: Layer 3 Consumer Label in the above configuration is used to map SR MPLS Infra Location to User Tenant SR MPLS location from where the route needs to be leaked.
● “l3extInstP”: External EPG is defined on SR/MPLS Tenant L3out.
● The user can define subnets, and those subnets are used to apply ACI security policies (contracts).
● The external EPG subnet is used to leak prefixes into another VRF using flags. If the route-leak and security flags are enabled on an external EPG subnet, the subnet can be leaked to another VRF.
● The user can also configure an external EPG subnet with the aggregated flag to leak prefixes to another VRF. A contract must be defined to leak prefixes and allow communication across VRFs.
● External EPG on SR/MPLS is not used for routing policies such as applying route-map to advertise/deny prefix advertisement.
Tag_4 and Tag_5 User VRF Config towards DC
Specify the VRF and the corresponding EVPN RTs. In our case, the RT 1:2110006 is used both for importing and exporting routes for the VRF in site 2-1-2-1 and the RT 1:2110005 is used for the VRF in site 2-1.
Tag_6 and Tag_7 User BD Config towards DC PE
Specify the Bridge Domain (BD) subnet where the host is attached. Make sure you make the scope of the BD subnet public so that the route can be advertised externally. This can be achieved by setting the tag “scope = public” as displayed in the example configuration.
<fvSubnet ctrl="nd" descr="" ip="100.21.6.254/24" scope="public" virtual="no"/>
Subnets used in the above example:
● 100.21.5.0/24 is the subnet in Location 2-1, with a gateway being 100.21.5.254.
● 100.21.6.0/24 is the subnet in Location 2-1-2-1, with a gateway being 100.21.6.254.
● These subnets will be exchanged via SR MPLS across these two locations.
Tag_8 and Tag_9 Application Profile Config towards DC PE
Specify the end point group and the static port information where your host is attached. There is no change with respect to Application profile and EPG configuration when it comes to SR MPLS. It is configured like any regular tenant configuration.
Verifications
End to End Tenant VPN Route Propagation
This section provides the operational commands needed to verify the control plane and data plane for inter-site communications.
It will focus on how site 2-1 can reach the destination subnet 100.21.6.0/24 located in site 2-1-2-1.
XR: EVPN Route Received from BL
Although the route that is received from the BL is an EVPN route, the route reception should be checked using VPN unicast commands. This is related to how the stitching between EVPN and VPN unicast works. The route is received as EVPN but is automatically translated to a VPN unicast route.
The route 100.21.6.0 is correctly received by PE6 from the BL as displayed below. The route is received with an MPLS EVPN label of 948594. One of the important points to note in the command is that the displayed received route-target is not actually the one which is received. Again, the EVPN to VPN unicast stitching performs some action on the RTs, and the matching stitching RT (1:2110006 received from the BL) is replaced by the non-stitching RT (1:2110000) during the translation to VPN unicast.
The route is installed in the routing and forwarding table.
RP/0/RP0/CPU0:PE06#show bgp vpnv4 unicast vrf TENANT_BASIC 100.21.6.0
Fri Sep 4 08:44:42.653 UTC
BGP routing table entry for 100.21.6.0/24, Route Distinguisher: 1:2110006
Versions:
Process bRIB/RIB SendTblVer
Speaker 164147 164147
Local Label: 32074
Last Modified: Sep 3 15:59:43.382 for 16:44:59
Paths: (3 available, best #1)
Advertised to update-groups (with more than one peer):
0.5
Path #1: Received by speaker 0
Advertised to update-groups (with more than one peer):
0.5
987654321
20.204.105.1 from 20.204.105.1 (30.204.105.1)
Received Label 948594
Origin incomplete, metric 0, localpref 100, valid, external, best, group-best, import-candidate, imported, reoriginated
Received Path ID 0, Local Path ID 1, version 164147
Extended community: RT:1:2110000
EVPN Gateway Address : 0.0.0.0
Source AFI: L2VPN EVPN, Source VRF: default, Source Route Distinguisher: 105:3014666
RP/0/RP0/CPU0:PE06#show route vrf TENANT_BASIC 100.21.6.0
Fri Sep 4 12:08:16.932 UTC
Routing entry for 100.21.6.0/24
Known via "bgp 1", distance 20, metric 0
Tag 987654321, type external
Installed Sep 3 15:59:42.931 for 20:08:34
Routing Descriptor Blocks
20.204.105.1, from 20.204.105.1, BGP external
Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe0000000
Route metric is 0
No advertising protos.
RP/0/RP0/CPU0:PE06#show cef vrf TENANT_BASIC 100.21.6.0
Fri Sep 4 12:07:57.268 UTC
100.21.6.0/24, version 232, internal 0x1000001 0x30 (ptr 0xa9a60978) [1], 0x0 (0x0), 0x208 (0x8aeb5318)
Updated Sep 3 15:59:42.934
Prefix Len 24, traffic index 0, precedence n/a, priority 3
via 20.204.105.1/32, 5 dependencies, recursive, bgp-ext [flags 0x6020]
path-idx 0 NHID 0x0 [0xa9d1f830 0x0]
recursion-via-/32
next hop VRF - 'default', table - 0xe0000000
next hop 20.204.105.1/32 via 16047/0/21
next hop 120.1.62.1/32 Te0/0/0/12 labels imposed {ImplNull ImplNull 948594}
XR: VPN Unicast Route Received from Remote PE
PE6 has advertised the route 100.21.6.0 using VPNv4 to the SP core and this route is received and imported by PE2 in the VRF TENANT_BASIC.
Similarly, when PE2 imports the VPN unicast route using the non-stitching RT 1:2110000, it automatically translates it to the stitching RT value 1:2110005.
RP/0/RSP0/CPU0:PE02#show bgp vpnv4 unicast vrf TENANT_BASIC 100.21.6.0
Fri Sep 4 08:37:21.850 UTC
BGP routing table entry for 100.21.6.0/24, Route Distinguisher: 1:2110002
Versions:
Process bRIB/RIB SendTblVer
Speaker 287129 287129
Local Label: 32068
Last Modified: Sep 3 16:01:33.144 for 16:35:49
Paths: (2 available, best #1)
Advertised to update-groups (with more than one peer):
0.2
Path #1: Received by speaker 0
Advertised to update-groups (with more than one peer):
0.2
987654321
201.201.201.6 (metric 20150) from 202.202.202.102 (201.201.201.6)
Received Label 32074
Origin incomplete, metric 0, localpref 100, valid, internal, best, group-best, import-candidate, imported, reoriginated with stitching-rt
Received Path ID 1, Local Path ID 1, version 287128
Extended community: RT:1:2110005
Originator: 201.201.201.6, Cluster list: 0.0.0.2
Source AFI: VPNv4 Unicast, Source VRF: default, Source Route Distinguisher: 1:2110006
RP/0/RSP0/CPU0:PE02#show route vrf TENANT_BASIC 100.21.6.0
Fri Sep 4 12:12:20.875 UTC
Routing entry for 100.21.6.0/24
Known via "bgp 1", distance 200, metric 0
Tag 987654321, type internal
Installed Sep 3 16:01:32.983 for 20:10:48
Routing Descriptor Blocks
201.201.201.6, from 202.202.202.102
Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe0000000
Route metric is 0
No advertising protos.
In the VRF forwarding table, the route uses the BGP VPN received label (32074), as well as the MPLS label associated with the Node-SID to reach PE6 (16006).
RP/0/RSP0/CPU0:PE02#show cef vrf TENANT_BASIC 100.21.6.0
Fri Sep 4 12:12:14.667 UTC
100.21.6.0/24, version 202, internal 0x1000001 0x0 (ptr 0x78f29bbc) [1], 0x0 (0x0), 0x208 (0x8a652e28)
Updated Sep 3 16:01:32.984
Prefix Len 24, traffic index 0, precedence n/a, priority 3
via 201.201.201.6/32, 6 dependencies, recursive [flags 0x6000]
path-idx 0 NHID 0x0 [0x89a98a78 0x0]
recursion-via-/32
next hop VRF - 'default', table - 0xe0000000
next hop 201.201.201.6/32 via 16006/0/21
next hop 200.200.200.2/32 BE1 labels imposed {16006 32074}
XR: VPN Unicast Route Advertised to BL
When checking the routes advertised to the border leaf, VPN unicast commands have to be used. Again, this is because the translation of the route to EVPN happens late in the BGP update processing.
RP/0/RSP0/CPU0:PE02#show bgp vpnv4 unicast advertised neighbor 20.204.103.1 | be 1:2110002
Fri Sep 4 12:18:59.518 UTC
Route Distinguisher: 1:2110002
100.21.6.0/24 is advertised to 20.204.103.1
Path info:
neighbor: 202.202.202.102 neighbor router id: 201.201.201.6
valid internal best import-candidate imported reoriginated with stitching-rt
Received Path ID 1, Local Path ID 1, version 287128
Attributes after inbound policy was applied:
next hop: 201.201.201.6
MET ORG AS LOCAL EXTCOMM
origin: incomplete neighbor as: 987654321 metric: 0 local pref: 100
aspath: 987654321
extended community: RT:1:2110005
originator: 201.201.201.6 cluster list: 0.0.0.2
Attributes after outbound policy was applied:
next hop: 201.201.201.2
ORG AS LOCAL EXTCOMM
origin: incomplete neighbor as: 987654321 local pref: 100
aspath: 1 987654321
extended community: RT:1:2110005
RP/0/RSP0/CPU0:PE02#show bgp l2vpn evpn neighbors 20.204.103.1 advertised-routes
Fri Sep 4 12:23:51.024 UTC
RP/0/RSP0/CPU0:PE02#
It is expected that EVPN commands do not display anything, as the routes are still considered VPN unicast routes.
ACI: EVPN Route Received from PE
The subnet 100.21.6.0/24, coming from the remote leaf site 2-1-2-1, is correctly received by the border leaf located in site 2-1. Although there is a loop in the ASPATH, the route is accepted because of the allowas-in parameter.
ifav204-leaf3# show bgp l2vpn evpn 100.21.6.0 vrf overlay-1
Route Distinguisher: 1:2110002
BGP routing table entry for [5]:[0]:[0]:[24]:[100.21.6.0]:[0.0.0.0]/224, version 507 dest ptr 0xacfd07fa
Paths: (1 available, best #1)
Flags: (0x000002 00000000) on xmit-list, is not in rib/evpn, is not in HW, is locked
Multipath: eBGP iBGP
Advertised path-id 1
Path type: external 0x40000028 0x0 ref 2 adv path ref 1, path is valid, is best path
Imported to 2 destination(s)
AS-Path: 1 987654321 , path sourced external to AS
201.201.201.2 (metric 0) from 201.201.201.2 (201.201.201.2)
Origin incomplete, MED not set, localpref 100, weight 0 tag 4294966257, propagate 0
Received label 32068
Extcommunity:
RT:1:2110005
Path-id 1 not advertised to any peer
Route Distinguisher: 103:2392067 (L3VNI 2392067)
BGP routing table entry for [5]:[0]:[0]:[24]:[100.21.6.0]:[0.0.0.0]/224, version 2182 dest ptr 0xacfd21e6
Paths: (1 available, best #1)
Flags: (0x000002 00000000) on xmit-list, is not in rib/evpn, is not in HW
Multipath: eBGP iBGP
Advertised path-id 1
Path type: external 0xc0000028 0x0 ref 0 adv path ref 1, path is valid, is best path
Imported from 1:2110002:[5]:[0]:[0]:[24]:[100.21.6.0]:[0.0.0.0]/120
AS-Path: 1 987654321 , path sourced external to AS
201.201.201.2 (metric 0) from 201.201.201.2 (201.201.201.2)
Origin incomplete, MED not set, localpref 100, weight 0 tag 4294966257, propagate 0
Received label 32068
Extcommunity:
RT:1:2110005
Path-id 1 not advertised to any peer
ifav204-leaf3#
The received route is correctly installed in the tenant routing table.
The route uses a recursive nexthop (PE2 loopback) and an outgoing MPLS label value of 32068 which corresponds to the label received from BGP EVPN.
ifav204-leaf3# show ip route 100.21.6.0/24 vrf TENANT-BASIC:TENANT_BASIC_21
IP Route Table for VRF "TENANT-BASIC:TENANT_BASIC_21"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
100.21.6.0/24, ubest/mbest: 1/0
*via 201.201.201.2%overlay-1, [20/0], 10:26:14, bgp-987654321, external, tag 1, Mpls Label 32068
recursive next hop: 201.201.201.2/32%overlay-1
ifav204-leaf3#
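The RD and RT changes visible in the outputs above can be replayed with a small model of the stitching step. This is an added example, not Cisco code: the `StitchingVrf` and `Route` types and the function names are hypothetical, the re-origination logic is a simplified model of the behaviour the text describes, and every RD and RT value is taken from the configurations and outputs on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StitchingVrf:
    """A DC-PE stitching VRF, reduced to the values configured on this page."""
    pe: str
    rd: str            # 'rd' under 'router bgp 1 / vrf TENANT_BASIC'
    core_rt: str       # non-stitching RT, used in the VPNv4/VPNv6 SP core
    stitching_rt: str  # RT flagged 'stitching', used in the EVPN domain


@dataclass(frozen=True)
class Route:
    prefix: str
    rd: str
    rts: frozenset
    domain: str        # "evpn" (towards ACI) or "vpn" (towards the SP core)


class NotReoriginated(Exception):
    """The stitching VRF cannot re-originate the learned route."""


def reoriginate(vrf, route):
    """Import a route from one domain and re-originate it into the other.

    Simplified model: the route must carry the import RT of its own domain,
    must not carry the RD of the stitching VRF, and leaves with the VRF's RD
    and the RT of the other domain.
    """
    if route.domain == "evpn":
        import_rt, export_rt, out_domain = vrf.stitching_rt, vrf.core_rt, "vpn"
    else:
        import_rt, export_rt, out_domain = vrf.core_rt, vrf.stitching_rt, "evpn"
    if import_rt not in route.rts:
        raise NotReoriginated(f"{vrf.pe}: import RT {import_rt} not on route")
    if route.rd == vrf.rd:
        raise NotReoriginated(f"{vrf.pe}: learned RD {route.rd} equals VRF RD")
    return Route(route.prefix, vrf.rd, frozenset({export_rt}), out_domain)


def can_reoriginate(vrf, route):
    """True when reoriginate() would succeed for this VRF and route."""
    try:
        reoriginate(vrf, route)
        return True
    except NotReoriginated:
        return False


# Values from the PE6 and PE2 'vrf TENANT_BASIC' configurations on this page.
PE6 = StitchingVrf("PE6", rd="1:2110006", core_rt="1:2110000",
                   stitching_rt="1:2110006")
PE2 = StitchingVrf("PE2", rd="1:2110002", core_rt="1:2110000",
                   stitching_rt="1:2110005")

# Import RTs of the two ACI VRFs (bgpRtTarget entries in the tenant XML).
ACI_VRF_RT = {"TENANT_BASIC_21": "1:2110005", "TENANT_BASIC_2121": "1:2110006"}


def aci_imports(vrf_name, route):
    """True when the border leaf imports the EVPN route into the named VRF."""
    return route.domain == "evpn" and ACI_VRF_RT[vrf_name] in route.rts


def trace_100_21_6_0():
    """Follow 100.21.6.0/24 from the site 2-1-2-1 border leaf to PE2."""
    from_bl = Route("100.21.6.0/24", "105:3014666",
                    frozenset({"1:2110006"}), "evpn")
    on_pe6 = reoriginate(PE6, from_bl)   # EVPN -> VPNv4, RT becomes 1:2110000
    on_pe2 = reoriginate(PE2, on_pe6)    # VPNv4 -> EVPN, RT becomes 1:2110005
    return from_bl, on_pe6, on_pe2


if __name__ == "__main__":
    for hop, r in zip(("from BL", "on PE6", "on PE2"), trace_100_21_6_0()):
        print(f"{hop:8} RD {r.rd:12} RT {sorted(r.rts)} ({r.domain})")
    on_pe2 = trace_100_21_6_0()[2]
    for name in ACI_VRF_RT:
        print(f"imported into {name}: {aci_imports(name, on_pe2)}")
```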
ACI: Tenant Connectivity Check
In order to check the connectivity between the sites, a ping can be issued from a leaf in the fabric 2-1 where the Bridge Domain is deployed towards the remote leaf site. In our case, LEAF1 connects the tenant in the fabric.
ifav204-leaf1# iping 100.21.6.254 -V TENANT-BASIC:TENANT_BASIC_21
PING 100.21.6.254 (100.21.6.254): 56 data bytes
64 bytes from 100.21.6.254: icmp_seq=0 ttl=61 time=0.46 ms
64 bytes from 100.21.6.254: icmp_seq=1 ttl=61 time=0.281 ms
64 bytes from 100.21.6.254: icmp_seq=2 ttl=61 time=0.273 ms
64 bytes from 100.21.6.254: icmp_seq=3 ttl=61 time=0.296 ms
^C
--- 100.21.6.254 ping statistics ---
4 packets transmitted, 4 packets received, +1 duplicates, 0.00% packet loss
round-trip min/avg/max = 0.273/0.405/0.72 ms
ifav204-leaf1#
Basic SR-Handoff with Multihoming
Design
Basic Communication between ACI Fabric and Remote Leaf with Multihoming
The use case is similar to the previous one where two workloads located respectively in the Cisco ACI fabric and a remote leaf site are required to communicate. However, from an infrastructure perspective, the network is fully redundant, and a pair of remote leaf switches is connected to a pair of DC-PEs on each ACI site.
To get the best convergence, it is recommended that you connect each border leaf to two DC-PEs. In the provided configurations, BFD will be implemented both on the BGP-LU session and the EVPN session to speed up the failure detection between the DC-PE and the ACI border leaf.
When multihoming is implemented, some routes learned from a site may be reinjected into the same site. Some loop prevention mechanisms will be configured to prevent such loops from occurring. For instance, when PE2 learns a route from the Cisco ACI fabric, it propagates the route to the SP CORE and PE1 will receive it and may propagate the route back to the Cisco ACI fabric.
Configuration
PE1 DC-PE configuration
The configuration below is very similar to the previous one. The differences are as follows:
● BFD is activated using the “bfd fast-detect” keyword on the LU session as well as on the EVPN session. The globally configured timers (50ms x 3) are used. However, the multihop EVPN BFD session will not be using these values as ACI Border Leaf minimum values are 250ms x 3.
● Loop prevention policies are configured on the EVPN BGP sessions using the route-policies MARK-ACI-ROUTES (inbound) and DROP-ACI-ROUTES (outbound). Loops may happen in both directions: an ACI route may be learned by the SP core and injected back into the original ACI site, and an SP route may be learned by an ACI site and injected back into the SP core. Because multiple ACI sites may use the same AS number (in our case the remote leaf uses the same AS number as the fabric), the ASPATH loop check has been disabled and can no longer be used to prevent loops. Site of Origin (SOO) is used in both directions, with one SOO value per direction. The MARK-ACI-ROUTES route-policy marks routes with an SOO associated to the pair of border leaf switches and drops routes with an SOO value associated to the pair of DC-PEs connected to the ACI site. DROP-ACI-ROUTES drops routes with an SOO associated to the pair of border leaf switches and marks routes with an SOO associated to the pair of DC-PEs connected to the ACI site. To make the policies reusable, they take the ACI site number as a variable.
● The stitching VRF is configured to perform iBGP and eBGP multipath to get the benefit of load balancing (maximum-paths ebgp 16 / maximum-paths ibgp 16).
Loop Prevention using Site of Origin in Multihoming Scenario
vrf TENANT_BASIC
 address-family ipv4 unicast
  import route-target
   1:2110000
   1:2110005 stitching
  !
  export route-target
   1:2110000
   1:2110005 stitching
  !
 !
 address-family ipv6 unicast
  import route-target
   1:2110000
   1:2110005 stitching
  !
  export route-target
   1:2110000
   1:2110005 stitching
  !
 !
!
interface TenGigE0/0/0/9
 description connected to ifav204-leaf3:1/18 used for SR/MPLS
 ipv4 address 120.1.51.2 255.255.255.0
 load-interval 30
!
interface TenGigE0/0/0/11
 description connected to ifav204-leaf4:1/14 used for SR/MPLS
 ipv4 address 120.1.52.2 255.255.255.0
 load-interval 30
!
router static
 address-family ipv4 unicast
  120.1.51.1/32 TenGigE0/0/0/9
  120.1.52.1/32 TenGigE0/0/0/11
 !
!
router bgp 1
 bfd minimum-interval 50
 bfd multiplier 3
 bgp router-id 201.201.201.1
 mpls activate
  interface TenGigE0/0/0/9
  interface TenGigE0/0/0/11
 !
 address-family ipv4 unicast
  redistribute connected route-policy CONNECTED-TO-BGP-LU(1)
  allocate-label all
 !
 address-family vpnv4 unicast
 !
 address-family vpnv6 unicast
 !
 address-family ipv4 rt-filter
 !
 address-family l2vpn evpn
 !
 neighbor-group ACI-site-LU
  remote-as 987654321
  bfd fast-detect
  address-family ipv4 labeled-unicast
   route-policy SET-CT-NO-ADVERTISE in
   maximum-prefix 10 80 warning-only
   route-policy ADVERTISE-LO0-ONLY out
  !
 !
 neighbor-group ACI-site-EVPN
  remote-as 987654321
  bfd fast-detect
  ebgp-multihop 255
  update-source Loopback0
  address-family l2vpn evpn
   import stitching-rt re-originate
   allowas-in 5
   advertise vpnv4 unicast re-originated stitching-rt
   advertise vpnv6 unicast re-originated stitching-rt
  !
 !
 neighbor-group RR-VPNunicast
  remote-as 1
  update-source Loopback0
  address-family vpnv4 unicast
   import re-originate stitching-rt
   advertise vpnv4 unicast re-originated
  !
  address-family vpnv6 unicast
   import re-originate stitching-rt
   advertise vpnv6 unicast re-originated
  !
  address-family ipv4 rt-filter
  !
 !
 neighbor 120.1.51.1
  use neighbor-group ACI-site-LU
 !
 neighbor 120.1.52.1
  use neighbor-group ACI-site-LU
 !
 neighbor 20.204.103.1
  use neighbor-group ACI-site-EVPN
  address-family l2vpn evpn
   route-policy MARK-ACI-ROUTES(5) in
   route-policy DROP-ACI-ROUTES(5) out
  !
 !
 neighbor 20.204.104.1
  use neighbor-group ACI-site-EVPN
  address-family l2vpn evpn
   route-policy MARK-ACI-ROUTES(5) in
   route-policy DROP-ACI-ROUTES(5) out
  !
 !
 neighbor 202.202.202.100
  use neighbor-group RR-VPNunicast
 !
 neighbor 202.202.202.101
  use neighbor-group RR-VPNunicast
 !
 vrf TENANT_BASIC
  rd 1:2110005
  address-family ipv4 unicast
   maximum-paths ebgp 16
   maximum-paths ibgp 16
  !
  address-family ipv6 unicast
   maximum-paths ebgp 16
   maximum-paths ibgp 16
  !
 !
route-policy MARK-ACI-ROUTES($site)
  if extcommunity soo matches-any (987654321:$site) then
    drop
  else
    set extcommunity soo (1:$site)
  endif
end-policy
!
route-policy DROP-ACI-ROUTES($site)
  if extcommunity soo matches-any (1:$site) then
    drop
  else
    set extcommunity soo (987654321:$site)
  endif
end-policy
!
prefix-set PFXSET-OWN-LO0
  201.201.201.1/32
end-set
!
route-policy ADVERTISE-LO0-ONLY
  if destination in PFXSET-OWN-LO0 then
    pass
  else
    drop
  endif
end-policy
!
community-set COMSET-NO-ADVERTISE
  no-advertise
end-set
!
route-policy SET-CT-NO-ADVERTISE
  set community COMSET-NO-ADVERTISE
end-policy
!
route-policy CONNECTED-TO-BGP-LU($node_sid)
  if destination in PFXSET-OWN-LO0 then
    set label-index $node_sid
    pass
  endif
end-policy
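The effect of MARK-ACI-ROUTES and DROP-ACI-ROUTES on a route that tries to return to its origin can be walked through hop by hop. This is an added example, not part of the original configuration: the function and scenario names are hypothetical, PE2 is assumed to apply the same two policies with site number 5 as PE1, `set extcommunity soo` is modelled as replacing any existing SoO, and the remote site number 6 is constructed.

```python
ACI_AS = 987654321  # AS of the ACI fabric and the remote leaf (from the page)
SP_AS = 1           # AS of the SP core and the DC-PEs (from the page)


def mark_aci_routes(soo, site):
    """MARK-ACI-ROUTES($site), inbound on the EVPN session from a border leaf.

    Returns the new SoO set, or None when the policy drops the route.
    """
    if f"{ACI_AS}:{site}" in soo:             # already sent to this site by a DC-PE
        return None
    return frozenset({f"{SP_AS}:{site}"})     # set extcommunity soo (1:$site)


def drop_aci_routes(soo, site):
    """DROP-ACI-ROUTES($site), outbound on the EVPN session to a border leaf."""
    if f"{SP_AS}:{site}" in soo:              # learned from this site's border leafs
        return None
    return frozenset({f"{ACI_AS}:{site}"})    # set extcommunity soo (987654321:$site)


def walk(path, soo=frozenset()):
    """Apply each (label, policy, site) hop in order.

    Returns (delivered, soo, log): whether the route survived every hop, the
    SoO it carried when it stopped, and one log line per evaluated hop.
    """
    log = []
    for label, policy, site in path:
        result = policy(soo, site)
        if result is None:
            log.append(f"{label}: drop, route carries SoO {sorted(soo)}")
            return False, soo, log
        soo = result
        log.append(f"{label}: pass, SoO set to {sorted(soo)}")
    return True, soo, log


# ACI route learned by PE2, carried across the SP core, offered back by PE1.
ACI_ROUTE_LOOP = [
    ("PE2 in  MARK-ACI-ROUTES(5)", mark_aci_routes, 5),
    ("PE1 out DROP-ACI-ROUTES(5)", drop_aci_routes, 5),
]

# SP route sent to the fabric by PE1, then offered back to the core via PE2.
SP_ROUTE_LOOP = [
    ("PE1 out DROP-ACI-ROUTES(5)", drop_aci_routes, 5),
    ("PE2 in  MARK-ACI-ROUTES(5)", mark_aci_routes, 5),
]

# Route from another ACI site (constructed site number 6) reaching site 5.
REMOTE_SITE_ROUTE = [
    ("PE6 in  MARK-ACI-ROUTES(6)", mark_aci_routes, 6),
    ("PE1 out DROP-ACI-ROUTES(5)", drop_aci_routes, 5),
]


if __name__ == "__main__":
    scenarios = {
        "ACI route returning to its own site": ACI_ROUTE_LOOP,
        "SP route returning to the SP core": SP_ROUTE_LOOP,
        "Route from a different ACI site": REMOTE_SITE_ROUTE,
    }
    for name, path in scenarios.items():
        delivered, _, log = walk(path)
        print(f"{name}: {'delivered' if delivered else 'loop blocked'}")
        for line in log:
            print(f"  {line}")
```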
ACI Configuration
INFRA Tenant Configuration
<?xml version="1.0" encoding="utf-8"?>
<imdata totalCount="1">
<fvTenant
dn="uni/tn-infra"
name="infra"
>
<!-- Tag_1 Default Label Range config in Infra Tenant -->
<mplsLabelPol
maxDynamicLabel="525286"
maxStaticLabel="0"
minDynamicLabel="16"
minStaticLabel="0"
name="default"
>
<mplsSrgbLabelPol
localId="1"
maxSrgbLabel="32000"
minSrgbLabel="16000"
/>
</mplsLabelPol>
<!-- Tag_2 Default interface config in Infra Tenant -->
<mplsIfPol
name="default"
/>
<!-- Tag_3 MPLS Infra L3out towards DC PE Location 2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="2-1"
targetDscp="unspecified"
>
<mplsExtP
>
<mplsRsLabelPol
tDn="uni/tn-infra/mplslabelpol-default"
/>
</mplsExtP>
<l3extRsL3DomAtt
tDn="uni/l3dom-L3Dom"
/>
<l3extRsEctx
tnFvCtxName="overlay-1"
/>
<l3extProvLbl
name="2-1"
tag="yellow-green"
/>
<l3extLNodeP
name="2-1_nodeProfile"
tag="yellow-green"
targetDscp="unspecified"
>
<l3extRsNodeL3OutAtt
rtrId="30.204.103.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-103"
>
<l3extLoopBackIfP addr="20.204.103.1"
>
<mplsNodeSidP
loopbackAddr="20.204.103.1"
sidoffset="45"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsNodeL3OutAtt
rtrId="30.204.104.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-104"
>
<l3extLoopBackIfP addr="20.204.104.1"
>
<mplsNodeSidP
loopbackAddr="20.204.104.1"
sidoffset="46"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsLNodePMplsCustQosPol
tDn="uni/tn-infra/qosmplscustom-"
/>
<l3extLIfP
name="2-1_interfaceProfile"
prio="unspecified"
tag="yellow-green"
>
<l3extRsPathL3OutAtt addr="120.1.51.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-103/pathep-[eth1/18]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.51.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.53.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-103/pathep-[eth1/1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.53.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.52.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-104/pathep-[eth1/14]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.52.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.54.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-104/pathep-[eth1/2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.54.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<mplsIfP
>
<mplsRsIfPol
tnMplsIfPolName="default"
/>
</mplsIfP>
<bfdIfP
keyId="1"
type="none"
>
<bfdRsIfPol
tnBfdIfPolName="BFD_Pol"
/>
</bfdIfP>
</l3extLIfP>
<bgpInfraPeerP addr="201.201.201.2"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
<bgpInfraPeerP addr="201.201.201.1"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
</l3extLNodeP>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="2-1_mplsInstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsCustQosPol
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_4 MPLS Infra L3out towards DC PE Location 2-1-2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="2-1-2-1"
targetDscp="unspecified"
>
<mplsExtP
>
<mplsRsLabelPol
tDn="uni/tn-infra/mplslabelpol-default"
/>
</mplsExtP>
<l3extRsL3DomAtt
tDn="uni/l3dom-L3Dom"
/>
<l3extRsEctx
tnFvCtxName="overlay-1"
/>
<l3extProvLbl
name="2-1-2-1"
tag="yellow-green"
/>
<l3extLNodeP
name="2-1-2-1_nodeProfile"
tag="yellow-green"
targetDscp="unspecified"
>
<l3extRsNodeL3OutAtt
rtrId="30.204.105.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-105"
>
<l3extLoopBackIfP addr="20.204.105.1"
>
<mplsNodeSidP
loopbackAddr="20.204.105.1"
sidoffset="47"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsNodeL3OutAtt
rtrId="30.204.106.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-106"
>
<l3extLoopBackIfP addr="20.204.106.1"
>
<mplsNodeSidP
loopbackAddr="20.204.106.1"
sidoffset="48"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsLNodePMplsCustQosPol
tDn="uni/tn-infra/qosmplscustom-"
/>
<l3extLIfP
name="2-1-2-1_interfaceProfile"
prio="unspecified"
tag="yellow-green"
>
<l3extRsPathL3OutAtt addr="120.1.63.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-106/pathep-[eth1/2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.63.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.62.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-105/pathep-[eth1/1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.62.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.64.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-106/pathep-[eth1/3]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.64.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.61.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-105/pathep-[eth1/3]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.61.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<mplsIfP
>
<mplsRsIfPol
tnMplsIfPolName="default"
/>
</mplsIfP>
<bfdIfP
keyId="1"
type="none"
>
<bfdRsIfPol
tnBfdIfPolName="BFD_Pol"
/>
</bfdIfP>
</l3extLIfP>
<bgpInfraPeerP addr="201.201.201.7"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
<bgpInfraPeerP addr="201.201.201.6"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
</l3extLNodeP>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="2-1-2-1_mplsInstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsCustQosPol
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
</fvTenant>
</imdata>
User Tenant Configuration
There is no change in the user tenant configuration for multihoming, because the additional links are added to the INFRA tenant in the same location.
<?xml version="1.0" encoding="utf-8"?>
<imdata totalCount="1">
<!-- Specify Name of Tenant as Required -->
<fvTenant descr="Tenant with Basic SR MPLS Handoff between 2-1 and 2-1-2-1"
dn="uni/tn-TENANT-BASIC"
name="TENANT-BASIC"
>
<!-- Tag_1 User L3out Route Control Config -->
<rtctrlSubjP
name="all"
>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="100.0.0.0/8"
toPfxLen="0"
/>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="::/0"
toPfxLen="0"
/>
</rtctrlSubjP>
<rtctrlProfile
name="Export-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<!-- Tag_2 User L3out Config towards DC PE Location 2-1-2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_2121"
/>
<rtctrlProfile
name="Export-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1-2-1"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToProfile
direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToInstP tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106/instP-LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="::/0"
name="ipv6All"
scope="import-security"
/>
<l3extSubnet
ip="0.0.0.0/0"
name="ipv4All"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_3 User L3out Config towards DC PE Location 2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-MPLS-TENANT-L3OUT-2105"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_21"
/>
<rtctrlProfile
name="Import-pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Export-pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToProfile direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToInstP tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-MPLS-TENANT-L3OUT-2105/instP-LOCATION-2-1-MPLS-TENANT-L3OUT-2105-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-MPLS-TENANT-L3OUT-2105-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="::/0"
name="ipv6All"
scope="import-security"
/>
<l3extSubnet
ip="0.0.0.0/0"
name="ipv4All"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_4 User VRF Config towards DC PE Location 2-1-2-1 -->
<fvCtx bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_2121"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="import"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="import"
/>
</bgpRtTargetP>
</fvCtx>
<!-- Tag_5 User VRF Config towards DC PE Location 2-1 -->
<fvCtx bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_21"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="export"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="import"
/>
</bgpRtTargetP>
</fvCtx>
<!-- Tag_6 User BD Config towards DC PE Location 2-1 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2105"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet ctrl="nd"
ip="2001:100:21:5::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="100.21.5.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_21"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-MPLS-TENANT-L3OUT-2105"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- Tag_7 User BD Config towards DC PE Location 2-1-2-1 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2106"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet ctrl="nd"
ip="2001:100:21:6::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="100.21.6.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_2121"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- Tag_8 Application Profile Config towards DC PE Location 2-1-2-1 -->
<fvAp
name="LOCATION-2-1-2-1-AP2106"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG106"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="lazy"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-105/pathep-[eth1/10]"
/>
<fvRsDomAtt bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="lazy"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2106"
/>
</fvAEPg>
</fvAp>
<!-- Tag_9 Application Profile Config towards DC PE Location 2-1 -->
<fvAp
name="LOCATION-2-1-AP2105"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG105"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="immediate"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-101/pathep-[eth1/10]"
/>
<fvRsDomAtt bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="immediate"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2105"
/>
</fvAEPg>
</fvAp>
</fvTenant>
</imdata>
Verifications
XR: Site of Origin setting
On PE2, when receiving the VPN unicast route from PE6 and PE7, the path contains the SoO that has been set by the remote PEs (1:6). As the site connected to PE1/PE2 uses a different SoO, PE2 advertises the route to the BL by setting the new SoO value 987654321:5.
RP/0/RSP0/CPU0:PE02#show bgp vpnv4 uni vrf TENANT_BASIC 100.21.6.0
Fri Sep 4 12:33:17.060 UTC
BGP routing table entry for 100.21.6.0/24, Route Distinguisher: 1:2110002
Versions:
Process bRIB/RIB SendTblVer
Speaker 287129 287129
Local Label: 32068
Last Modified: Sep 3 16:01:33.144 for 20:31:44
Paths: (2 available, best #1)
Advertised to update-groups (with more than one peer):
0.2
Path #1: Received by speaker 0
Advertised to update-groups (with more than one peer):
0.2
987654321
201.201.201.6 (metric 20150) from 202.202.202.102 (201.201.201.6)
Received Label 32074
Origin incomplete, metric 0, localpref 100, valid, internal, best, group-best, import-candidate, imported, reoriginated with stitching-rt
Received Path ID 1, Local Path ID 1, version 287128
Extended community: SoO:1:6 RT:1:2110005
Originator: 201.201.201.6, Cluster list: 0.0.0.2
Source AFI: VPNv4 Unicast, Source VRF: default, Source Route Distinguisher: 1:2110006
Path #2: Received by speaker 0
Not advertised to any peer
987654321
201.201.201.7 (metric 20150) from 202.202.202.102 (201.201.201.7)
Received Label 32109
Origin incomplete, metric 0, localpref 100, valid, internal, add-path, import-candidate, imported, reoriginated with stitching-rt
Received Path ID 1, Local Path ID 2, version 287129
Extended community: SoO:1:6 RT:1:2110005
Originator: 201.201.201.7, Cluster list: 0.0.0.2, 0.0.0.1
Source AFI: VPNv4 Unicast, Source VRF: default, Source Route Distinguisher: 1:2110007
RP/0/RSP0/CPU0:PE02#show bgp vpnv4 unicast advertised neighbor 20.204.103.1 | be 1:2110002
Fri Sep 4 12:31:39.918 UTC
Route Distinguisher: 1:2110002
100.21.6.0/24 is advertised to 20.204.103.1
Path info:
neighbor: 202.202.202.102 neighbor router id: 201.201.201.6
valid internal best import-candidate imported reoriginated with stitching-rt
Received Path ID 1, Local Path ID 1, version 287128
Attributes after inbound policy was applied:
next hop: 201.201.201.6
MET ORG AS LOCAL EXTCOMM
origin: incomplete neighbor as: 987654321 metric: 0 local pref: 100
aspath: 987654321
extended community: SoO:1:6 RT:1:2110005
originator: 201.201.201.6 cluster list: 0.0.0.2
Attributes after outbound policy was applied:
next hop: 201.201.201.2
ORG AS LOCAL EXTCOMM
origin: incomplete neighbor as: 987654321 local pref: 100
aspath: 1 987654321
extended community: RT:1:2110005 SoO:987654321:5
On PE2, the route 100.21.5.0/24 received from the locally connected ACI site is also tagged with an SoO value of 1:5. The second path associated with this prefix is received from PE1 and also has the SoO value 1:5, which prevents PE2 from advertising the path from PE1 to the BL if it becomes the best path.
RP/0/RSP0/CPU0:PE02#show bgp vpnv4 uni vrf TENANT_BASIC 100.21.5.0
Fri Sep 4 12:36:21.805 UTC
BGP routing table entry for 100.21.5.0/24, Route Distinguisher: 1:2110002
Versions:
Process bRIB/RIB SendTblVer
Speaker 292940 292940
Local Label: 32068
Last Modified: Sep 4 07:58:54.144 for 04:37:28
Paths: (3 available, best #1)
Advertised to update-groups (with more than one peer):
0.3
Path #1: Received by speaker 0
Advertised to update-groups (with more than one peer):
0.3
987654321
20.204.103.1 from 20.204.103.1 (30.204.103.1)
Received Label 949935
Origin incomplete, metric 0, localpref 100, valid, external, best, group-best, import-candidate, imported, reoriginated
Received Path ID 0, Local Path ID 1, version 292940
Extended community: SoO:1:5 Color:500 RT:1:2110000
EVPN Gateway Address : 0.0.0.0
Source AFI: L2VPN EVPN, Source VRF: default, Source Route Distinguisher: 103:2392067
Path #2: Received by speaker 0
Advertised to update-groups (with more than one peer):
0.3
987654321
20.204.104.1 from 20.204.104.1 (30.204.104.1)
Received Label 949935
Origin incomplete, metric 0, localpref 100, valid, external, add-path, import-candidate, imported, reoriginated
Received Path ID 0, Local Path ID 5, version 292940
Extended community: SoO:1:5 RT:1:2110000
EVPN Gateway Address : 0.0.0.0
Source AFI: L2VPN EVPN, Source VRF: default, Source Route Distinguisher: 104:2392067
Path #3: Received by speaker 0
Not advertised to any peer
987654321
201.201.201.1 (metric 1000) from 202.202.202.102 (201.201.201.1)
Received Label 32062
Origin incomplete, metric 0, localpref 100, valid, internal, add-path, import-candidate, imported, reoriginated with stitching-rt
Received Path ID 1, Local Path ID 4, version 292895
Extended community: SoO:1:5 RT:1:2110005
Originator: 201.201.201.1, Cluster list: 0.0.0.2, 0.0.0.1
Source AFI: VPNv4 Unicast, Source VRF: default, Source Route Distinguisher: 1:2110001
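The SoO check described above can be automated against captured PE output. The following Python sketch is an added example, not part of the original document or of any Cisco tooling: it parses trimmed excerpts of the two `show bgp vpnv4 unicast vrf` outputs shown above and classifies each path by whether its SoO matches the local site. The function names and the use of 1:5 as the local site SoO in the VRF table are assumptions taken from the text above.

```python
import re

# Excerpts of the PE2 output shown above, trimmed to the lines the parser reads.
SHOW_100_21_5 = """\
Path #1: Received by speaker 0
987654321
20.204.103.1 from 20.204.103.1 (30.204.103.1)
Origin incomplete, metric 0, localpref 100, valid, external, best, group-best, import-candidate, imported, reoriginated
Extended community: SoO:1:5 Color:500 RT:1:2110000
Path #2: Received by speaker 0
987654321
20.204.104.1 from 20.204.104.1 (30.204.104.1)
Origin incomplete, metric 0, localpref 100, valid, external, add-path, import-candidate, imported, reoriginated
Extended community: SoO:1:5 RT:1:2110000
Path #3: Received by speaker 0
987654321
201.201.201.1 (metric 1000) from 202.202.202.102 (201.201.201.1)
Origin incomplete, metric 0, localpref 100, valid, internal, add-path, import-candidate, imported, reoriginated with stitching-rt
Extended community: SoO:1:5 RT:1:2110005
"""

SHOW_100_21_6 = """\
Path #1: Received by speaker 0
987654321
201.201.201.6 (metric 20150) from 202.202.202.102 (201.201.201.6)
Origin incomplete, metric 0, localpref 100, valid, internal, best, group-best, import-candidate, imported, reoriginated with stitching-rt
Extended community: SoO:1:6 RT:1:2110005
Path #2: Received by speaker 0
987654321
201.201.201.7 (metric 20150) from 202.202.202.102 (201.201.201.7)
Origin incomplete, metric 0, localpref 100, valid, internal, add-path, import-candidate, imported, reoriginated with stitching-rt
Extended community: SoO:1:6 RT:1:2110005
"""

PATH_SPLIT = re.compile(r"^\s*Path #(\d+):", re.M)
NEXT_HOP = re.compile(
    r"^\s*(\d+(?:\.\d+){3}) (?:\(metric \d+\) )?from (\d+(?:\.\d+){3})", re.M
)
SOO = re.compile(r"\bSoO:(\d+:\d+)")


def parse_paths(output):
    """Return one record per 'Path #N' block: next hop, iBGP/eBGP, SoO."""
    parts = PATH_SPLIT.split(output)  # [preamble, id1, body1, id2, body2, ...]
    paths = []
    for num, body in zip(parts[1::2], parts[2::2]):
        hop = NEXT_HOP.search(body)
        soo = SOO.search(body)
        paths.append({
            "path": int(num),
            "next_hop": hop.group(1) if hop else None,
            "learned": "internal" if re.search(r",\s*internal\b", body) else "external",
            "soo": soo.group(1) if soo else None,
        })
    return paths


def classify(output, site_soo):
    """Split next hops by whether the path may be sent to the site tagged site_soo."""
    result = {"advertise": [], "suppress": [], "untagged": []}
    for p in parse_paths(output):
        if p["soo"] is None:
            result["untagged"].append(p["next_hop"])  # no SoO: loop check cannot apply
        elif p["soo"] == site_soo:
            result["suppress"].append(p["next_hop"])  # would return to its own site
        else:
            result["advertise"].append(p["next_hop"])
    return result


def looped_via_core(output, site_soo):
    """Paths carrying the site's own SoO that arrived over iBGP (from the peer PE)."""
    return [p["next_hop"] for p in parse_paths(output)
            if p["soo"] == site_soo and p["learned"] == "internal"]


if __name__ == "__main__":
    print(classify(SHOW_100_21_5, "1:5"))
    print(classify(SHOW_100_21_6, "1:5"))
    print(looped_via_core(SHOW_100_21_5, "1:5"))
```

An entry in the `untagged` list means a path reached the VRF without any SoO, so the loop check has nothing to match on and the inbound tagging on that session should be reviewed.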
ACI Routes Received and Advertised
As displayed below, leaf3 has two BGP-LU sessions and two EVPN sessions over which it receives prefixes.
ifav204-leaf3# show bgp ipv4 labeled-unicast summary vrf overlay-1
BGP summary information for VRF overlay-1, address family IPv4 Label Unicast
BGP router identifier 30.204.103.1, local AS number 987654321
BGP table version is 13, IPv4 Label Unicast config peers 2, capable peers 2
3 network entries and 3 paths using 612 bytes of memory
BGP attribute entries [1/160], BGP AS path entries [0/0]
BGP community entries [5/160], BGP clusterlist entries [2/8]
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
120.1.51.2 4 1 652 656 13 0 0 00:17:36 1
120.1.53.2 4 1 686 687 13 0 0 11:22:21 1
ifav204-leaf3# show bgp l2vpn evpn summary vrf overlay-1
BGP summary information for VRF overlay-1, address family L2VPN EVPN
BGP router identifier 30.204.103.1, local AS number 987654321
BGP table version is 2777, L2VPN EVPN config peers 2, capable peers 2
401 network entries and 520 paths using 65452 bytes of memory
BGP attribute entries [82/13120], BGP AS path entries [0/0]
BGP community entries [5/160], BGP clusterlist entries [2/8]
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
201.201.201.1 4 1 1467 722 2777 0 0 00:17:31 119
201.201.201.2 4 1 1302 744 2777 0 0 11:22:23 119
ifav204-leaf3#
Note that the BD subnet is now advertised to both EVPN peers (PE01 and PE02): the prefix 100.21.5.0/24 is advertised to both 201.201.201.1 (PE01) and 201.201.201.2 (PE02).
ifav204-leaf3# show bgp l2vpn evpn 100.21.5.0 vrf overlay-1
Route Distinguisher: 103:2392067 (L3VNI 2392067)
BGP routing table entry for [5]:[0]:[0]:[24]:[100.21.5.0]:[0.0.0.0]/224, version 2786 dest ptr 0xacfdf810
Paths: (1 available, best #1)
Flags: (0x00000a 00000000) on xmit-list, is not in rib/evpn
Multipath: eBGP iBGP
Advertised path-id 1
Path type: local 0x4000008c 0x0 ref 0 adv path ref 1, path is valid, is best path
AS-Path: NONE, path locally originated
0.0.0.0 (metric 0) from 0.0.0.0 (30.204.103.1)
Origin incomplete, MED 0, localpref 100, weight 32768 tag 4294966001, propagate 0
Received label 949935
Extcommunity:
RT:1:2110005
VNID:2392067
Path-id 1 advertised to peers:
201.201.201.1 201.201.201.2
The leaf receives the subnet 100.21.6.0/24 (located in site 2-1-2-1) from the two DC-PEs.
ifav204-leaf3# show bgp l2vpn evpn 100.21.6.0 vrf overlay-1
Route Distinguisher: 1:2110001
BGP routing table entry for [5]:[0]:[0]:[24]:[100.21.6.0]:[0.0.0.0]/224, version 2782 dest ptr 0xacfd41fe
Paths: (1 available, best #1)
Flags: (0x000002 00000000) on xmit-list, is not in rib/evpn, is not in HW, is locked
Multipath: eBGP iBGP
Advertised path-id 1
Path type: external 0x40000028 0x0 ref 2 adv path ref 1, path is valid, is best path
Imported to 2 destination(s)
AS-Path: 1 987654321 , path sourced external to AS
201.201.201.1 (metric 0) from 201.201.201.1 (201.201.201.1)
Origin incomplete, MED not set, localpref 100, weight 0 tag 4294966257, propagate 0
Received label 32065
Extcommunity:
RT:1:2110005
SOO:987654321:5
Path-id 1 not advertised to any peer
Route Distinguisher: 1:2110002
BGP routing table entry for [5]:[0]:[0]:[24]:[100.21.6.0]:[0.0.0.0]/224, version 2778 dest ptr 0xacfd07fa
Paths: (1 available, best #1)
Flags: (0x000002 00000000) on xmit-list, is not in rib/evpn, is not in HW, is locked
Multipath: eBGP iBGP
Advertised path-id 1
Path type: external 0x40000028 0x0 ref 2 adv path ref 1, path is valid, is best path
Imported to 2 destination(s)
AS-Path: 1 987654321 , path sourced external to AS
201.201.201.2 (metric 0) from 201.201.201.2 (201.201.201.2)
Origin incomplete, MED not set, localpref 100, weight 0 tag 4294966257, propagate 0
Received label 32068
Extcommunity:
RT:1:2110005
SOO:987654321:5
Path-id 1 not advertised to any peer
Route Distinguisher: 103:2392067 (L3VNI 2392067)
BGP routing table entry for [5]:[0]:[0]:[24]:[100.21.6.0]:[0.0.0.0]/224, version 2784 dest ptr 0xacfd21e6
Paths: (2 available, best #2)
Flags: (0x000002 00000000) on xmit-list, is not in rib/evpn, is not in HW
Multipath: eBGP iBGP
Path type: external 0xc0020028 0x0 ref 0 adv path ref 0, path is valid, not best reason: newer EBGP path, multipath
Imported from 1:2110001:[5]:[0]:[0]:[24]:[100.21.6.0]:[0.0.0.0]/120
AS-Path: 1 987654321 , path sourced external to AS
201.201.201.1 (metric 0) from 201.201.201.1 (201.201.201.1)
Origin incomplete, MED not set, localpref 100, weight 0 tag 4294966257, propagate 0
Received label 32065
Extcommunity:
RT:1:2110005
SOO:987654321:5
Advertised path-id 1
Path type: external 0xc0000028 0x0 ref 0 adv path ref 1, path is valid, is best path
Imported from 1:2110002:[5]:[0]:[0]:[24]:[100.21.6.0]:[0.0.0.0]/120
AS-Path: 1 987654321 , path sourced external to AS
201.201.201.2 (metric 0) from 201.201.201.2 (201.201.201.2)
Origin incomplete, MED not set, localpref 100, weight 0 tag 4294966257, propagate 0
Received label 32068
Extcommunity:
RT:1:2110005
SOO:987654321:5
Path-id 1 not advertised to any peer
Load Balancing Between DC-PE and BL/RL
As described earlier, enabling BGP multipath allows traffic to be load balanced across multiple BGP paths.
In the described example, there is one path per DC-PE. However, it is also perfectly fine to have multiple parallel IP links between an RL/BL and a DC-PE and then create BGP multipath. When using multiple parallel IP links, a mix of interface types can be used for each link (physical interface, sub-interface, port-channel). There will be one BGP-LU session per IP link.
To simplify, it is also possible to use bundles (port-channels) between a DC-PE and a BL/RL. In this case, there is a single BGP-LU session per bundle interface.
Load Balancing
SR-Handoff with Multihoming and Multiple ACI Sites Connected to the Same DC-PEs
Design
Basic Communication Between ACI Fabric and Multiple Remote Leafs Connected to the Same DC-PE
The design above is the same as the previous one, except that there are two remote leaf sites connected to the same pair of DC-PEs. To use SR/MPLS handoff between the two remote leaf sites, each site must use a different VRF. If the VRF is stretched across the two remote leaf sites, the VXLAN path will be used.
This design requires a special feature to be activated on the DC-PE to enable the propagation of EVPN routes from one ACI site to another one.
While this example uses two remote leaf switches connected to the same DC-PE, a similar design and configuration has been tested with two PODs of a Cisco ACI fabric connecting to the same pair of DC-PEs, and it also applies to multiple Cisco ACI fabrics connecting to the same pair of DC-PEs (as displayed in Figure 14).
Multiple PODs and Multiple Fabrics Connected to the Same DC-PEs
Configuration
PE7 DC-PE Configuration
As a reminder, the EVPN neighbor-group “ACI-site-EVPN” is used to configure the EVPN session parameters. When multiple sites/pods are connected to the same PE, the “next-hop-unchanged” knob must be configured. When an EVPN route comes from site 6 on PE6 or PE7, it is propagated to site 7 without changing the BGP next hop (and vice versa). Having the XR DC-PE change the EVPN next hop and MPLS label (ASBR option B behavior) is currently not supported.
router bgp 1
 neighbor-group ACI-site-EVPN
  remote-as 987654321
  bfd fast-detect
  bfd multiplier 3
  bfd minimum-interval 50
  ebgp-multihop 255
  update-source Loopback0
  address-family l2vpn evpn
   import stitching-rt re-originate
   allowas-in 5
   advertise vpnv4 unicast re-originated stitching-rt
   advertise vpnv6 unicast re-originated stitching-rt
   next-hop-unchanged
  !
 !
Consequently, the remote leaf in site 7 must have reachability to the loopback address of the remote leaf located in site 6. This is achieved by allowing the propagation of the BGP LU prefixes from Site 6 to Site 7 and vice versa. BGP communities (1:52121 and 1:52122) are used to mark LU routes coming from each ACI site and for proper filtering and loop prevention.
The route-policies SET-CT-FROM-ACI-2-1-2-1 and SET-CT-FROM-ACI-2-1-2-2 are used as inbound policies on the BGP LU sessions to site 6 and site 7 respectively, and they set the community 1:52121 and 1:52122 respectively.
The route-policies ADVERTISE-LU-TO-ACI-2-1-2-1 and ADVERTISE-LU-TO-ACI-2-1-2-2 are used as outbound policies on the BGP LU sessions to site 6 and site 7 respectively, and they have the following behavior:
● For ADVERTISE-LU-TO-ACI-2-1-2-1 (used to site 6): authorize the local loopback and the routes with community 1:52122 (routes from site 7) and drop everything else.
● For ADVERTISE-LU-TO-ACI-2-1-2-2 (used to site 7): authorize the local loopback and the routes with community 1:52121 (routes from site 6) and drop everything else.
Finally, the “as-override” keyword is also required on the BGP-LU session as we must exchange LU routes coming from different ACI sites that may use the same AS number. In our example, the two remote leaf sites are part of the same fabric and consequently are using the same AS number.
router bgp 1
 neighbor-group ACI-site-LU
  remote-as 987654321
  bfd fast-detect
  bfd multiplier 3
  bfd minimum-interval 50
  address-family ipv4 labeled-unicast
   maximum-prefix 10 80 warning-only
   as-override
  !
 !
 neighbor 120.1.61.1
  use neighbor-group ACI-site-LU
  address-family ipv4 labeled-unicast
   route-policy SET-CT-FROM-ACI-2-1-2-1 in
   route-policy ADVERTISE-LU-TO-ACI-2-1-2-1 out
  !
 !
 neighbor 120.1.64.1
  use neighbor-group ACI-site-LU
  address-family ipv4 labeled-unicast
   route-policy SET-CT-FROM-ACI-2-1-2-1 in
   route-policy ADVERTISE-LU-TO-ACI-2-1-2-1 out
  !
 !
 neighbor 120.1.73.1
  use neighbor-group ACI-site-LU
  address-family ipv4 labeled-unicast
   route-policy SET-CT-FROM-ACI-2-1-2-2 in
   route-policy ADVERTISE-LU-TO-ACI-2-1-2-2 out
  !
 !
 neighbor 120.1.74.1
  use neighbor-group ACI-site-LU
  address-family ipv4 labeled-unicast
   route-policy SET-CT-FROM-ACI-2-1-2-2 in
   route-policy ADVERTISE-LU-TO-ACI-2-1-2-2 out
  !
 !
!
route-policy SET-CT-FROM-ACI-2-1-2-1
  set community (1:52121)
end-policy
!
route-policy ADVERTISE-LU-TO-ACI-2-1-2-1
  if destination in PFXSET-OWN-LO0 then
    pass
  elseif community matches-any (1:52122) then
    pass
  else
    drop
  endif
end-policy
!
route-policy SET-CT-FROM-ACI-2-1-2-2
  set community (1:52122)
end-policy
!
route-policy ADVERTISE-LU-TO-ACI-2-1-2-2
  if destination in PFXSET-OWN-LO0 then
    pass
  elseif community matches-any (1:52121) then
    pass
  else
    drop
  endif
end-policy
!
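Because the loop prevention between the two sites depends entirely on each BGP-LU neighbor pairing the right inbound tag with the right outbound filter, the pairing is worth checking before a change is committed. The following Python sketch is an added example, not part of the original document or of any Cisco tooling: it parses the neighbor and route-policy stanzas shown above and reports any neighbor whose outbound policy would pass the community its own inbound policy sets, or that lacks a final drop. The function names and the BROKEN_CONFIG variant are constructed for illustration.

```python
import re

# Constructed input: neighbor and route-policy stanzas taken from the PE7
# configuration on this page, trimmed to one neighbor per site.
XR_CONFIG = """\
router bgp 1
 neighbor 120.1.61.1
  use neighbor-group ACI-site-LU
  address-family ipv4 labeled-unicast
   route-policy SET-CT-FROM-ACI-2-1-2-1 in
   route-policy ADVERTISE-LU-TO-ACI-2-1-2-1 out
 neighbor 120.1.73.1
  use neighbor-group ACI-site-LU
  address-family ipv4 labeled-unicast
   route-policy SET-CT-FROM-ACI-2-1-2-2 in
   route-policy ADVERTISE-LU-TO-ACI-2-1-2-2 out
!
route-policy SET-CT-FROM-ACI-2-1-2-1
  set community (1:52121)
end-policy
!
route-policy ADVERTISE-LU-TO-ACI-2-1-2-1
  if destination in PFXSET-OWN-LO0 then
    pass
  elseif community matches-any (1:52122) then
    pass
  else
    drop
  endif
end-policy
!
route-policy SET-CT-FROM-ACI-2-1-2-2
  set community (1:52122)
end-policy
!
route-policy ADVERTISE-LU-TO-ACI-2-1-2-2
  if destination in PFXSET-OWN-LO0 then
    pass
  elseif community matches-any (1:52121) then
    pass
  else
    drop
  endif
end-policy
"""

# Constructed misconfiguration: the site 6 outbound policy matches site 6's
# own community instead of site 7's.
BROKEN_CONFIG = XR_CONFIG.replace(
    "elseif community matches-any (1:52122) then",
    "elseif community matches-any (1:52121) then",
)


def parse_policies(text):
    """Map policy name -> communities it sets, communities it passes, default drop."""
    policies = {}
    for m in re.finditer(r"^route-policy (\S+)\n(.*?)^end-policy", text, re.M | re.S):
        lines = [l.strip() for l in m.group(2).splitlines() if l.strip()]
        passes = set()
        for cond, action in zip(lines, lines[1:]):
            cm = re.search(r"community matches-any \(([\d:]+)\) then", cond)
            if cm and action == "pass":
                passes.add(cm.group(1))
        policies[m.group(1)] = {
            "sets": set(re.findall(r"set community \(([\d:]+)\)", m.group(2))),
            "passes": passes,
            "default_drop": any(a == "else" and b == "drop"
                                for a, b in zip(lines, lines[1:])),
        }
    return policies


def parse_neighbors(text):
    """Map neighbor address -> {'in': policy name, 'out': policy name}."""
    neighbors, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"neighbor (\d+(?:\.\d+){3})", line)
        if m:
            current = neighbors.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r"route-policy (\S+) (in|out)", line)
        if m and current is not None:
            current[m.group(2)] = m.group(1)
    return neighbors


def audit(text):
    """Return (neighbor, finding) tuples; an empty list means the pairing is sound."""
    policies, findings = parse_policies(text), []
    for ip, attached in sorted(parse_neighbors(text).items()):
        inbound = policies.get(attached.get("in"))
        outbound = policies.get(attached.get("out"))
        if inbound is None or outbound is None:
            findings.append((ip, "missing in/out route-policy"))
            continue
        if not inbound["sets"]:
            findings.append((ip, "inbound policy sets no site community"))
        reflected = sorted(inbound["sets"] & outbound["passes"])
        if reflected:
            findings.append((ip, "outbound policy passes its own site community "
                             + ",".join(reflected)))
        if not outbound["default_drop"]:
            findings.append((ip, "outbound policy has no final else/drop"))
    return findings


if __name__ == "__main__":
    print(audit(XR_CONFIG))
    print(audit(BROKEN_CONFIG))
```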
ACI Configuration
INFRA Tenant Configuration
The configuration is the same as the previous multihoming case, except that the site 2-1-2-2 configuration is added.
<?xml version="1.0" encoding="utf-8"?>
<imdata totalCount="1">
<fvTenant
dn="uni/tn-infra"
name="infra"
>
<!-- Tag_1 Default Label Range config in Infra Tenant -->
<mplsLabelPol
maxDynamicLabel="525286"
maxStaticLabel="0"
minDynamicLabel="16"
minStaticLabel="0"
name="default"
>
<mplsSrgbLabelPol
localId="1"
maxSrgbLabel="32000"
minSrgbLabel="16000"
/>
</mplsLabelPol>
<!-- Tag_2 Default interface config in Infra Tenant -->
<mplsIfPol
name="default"
/>
<!-- Tag_3 MPLS Infra L3out towards DC PE Location 2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="2-1"
targetDscp="unspecified"
>
<mplsExtP
>
<mplsRsLabelPol
tDn="uni/tn-infra/mplslabelpol-default"
/>
</mplsExtP>
<l3extRsL3DomAtt
tDn="uni/l3dom-L3Dom"
/>
<l3extRsEctx
tnFvCtxName="overlay-1"
/>
<l3extProvLbl
name="2-1"
tag="yellow-green"
/>
<l3extLNodeP
name="2-1_nodeProfile"
tag="yellow-green"
targetDscp="unspecified"
>
<l3extRsNodeL3OutAtt
rtrId="30.204.103.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-103"
>
<l3extLoopBackIfP addr="20.204.103.1"
>
<mplsNodeSidP
loopbackAddr="20.204.103.1"
sidoffset="45"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsNodeL3OutAtt
rtrId="30.204.104.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-104"
>
<l3extLoopBackIfP addr="20.204.104.1"
>
<mplsNodeSidP
loopbackAddr="20.204.104.1"
sidoffset="46"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsLNodePMplsCustQosPol
tDn="uni/tn-infra/qosmplscustom-"
/>
<l3extLIfP
name="2-1_interfaceProfile"
prio="unspecified"
tag="yellow-green"
>
<l3extRsPathL3OutAtt addr="120.1.51.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-103/pathep-[eth1/18]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.51.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.53.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-103/pathep-[eth1/1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.53.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.52.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-104/pathep-[eth1/14]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.52.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.54.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-104/pathep-[eth1/2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.54.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<mplsIfP
>
<mplsRsIfPol
tnMplsIfPolName="default"
/>
</mplsIfP>
<bfdIfP
keyId="1"
type="none"
>
<bfdRsIfPol
tnBfdIfPolName="BFD_Pol"
/>
</bfdIfP>
</l3extLIfP>
<bgpInfraPeerP addr="201.201.201.2"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
<bgpInfraPeerP addr="201.201.201.1"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
</l3extLNodeP>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="2-1_mplsInstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsCustQosPol
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_4 MPLS Infra L3out towards DC PE Location 2-1-2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="2-1-2-1"
targetDscp="unspecified"
>
<mplsExtP
>
<mplsRsLabelPol
tDn="uni/tn-infra/mplslabelpol-default"
/>
</mplsExtP>
<l3extRsL3DomAtt
tDn="uni/l3dom-L3Dom"
/>
<l3extRsEctx
tnFvCtxName="overlay-1"
/>
<l3extProvLbl
name="2-1-2-1"
tag="yellow-green"
/>
<l3extLNodeP
name="2-1-2-1_nodeProfile"
tag="yellow-green"
targetDscp="unspecified"
>
<l3extRsNodeL3OutAtt
rtrId="30.204.105.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-105"
>
<l3extLoopBackIfP addr="20.204.105.1"
>
<mplsNodeSidP
loopbackAddr="20.204.105.1"
sidoffset="47"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsNodeL3OutAtt
rtrId="30.204.106.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-106"
>
<l3extLoopBackIfP addr="20.204.106.1"
>
<mplsNodeSidP
loopbackAddr="20.204.106.1"
sidoffset="48"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsLNodePMplsCustQosPol
tDn="uni/tn-infra/qosmplscustom-"
/>
<l3extLIfP
name="2-1-2-1_interfaceProfile"
prio="unspecified"
tag="yellow-green"
>
<l3extRsPathL3OutAtt addr="120.1.63.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-106/pathep-[eth1/2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.63.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.62.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-105/pathep-[eth1/1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.62.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.64.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-106/pathep-[eth1/3]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.64.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.61.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-105/pathep-[eth1/3]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.61.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<mplsIfP
>
<mplsRsIfPol
tnMplsIfPolName="default"
/>
</mplsIfP>
<bfdIfP
keyId="1"
type="none"
>
<bfdRsIfPol
tnBfdIfPolName="BFD_Pol"
/>
</bfdIfP>
</l3extLIfP>
<bgpInfraPeerP addr="201.201.201.7"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
<bgpInfraPeerP addr="201.201.201.6"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
</l3extLNodeP>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="2-1-2-1_mplsInstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsCustQosPol
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_5 MPLS Infra L3out towards DC PE Location 2-1-2-2 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="2-1-2-2"
targetDscp="unspecified"
>
<mplsExtP
>
<mplsRsLabelPol
tDn="uni/tn-infra/mplslabelpol-default"
/>
</mplsExtP>
<l3extRsL3DomAtt
tDn="uni/l3dom-L3Dom"
/>
<l3extRsEctx
tnFvCtxName="overlay-1"
/>
<l3extProvLbl
name="2-1-2-2"
tag="yellow-green"
/>
<l3extLNodeP
name="2-1-2-2_nodeProfile"
tag="yellow-green"
targetDscp="unspecified"
>
<l3extRsNodeL3OutAtt
rtrId="30.204.107.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-107"
>
<l3extLoopBackIfP addr="20.204.107.1"
>
<mplsNodeSidP
loopbackAddr="20.204.107.1"
sidoffset="49"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsNodeL3OutAtt
rtrId="30.204.108.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-108"
>
<l3extLoopBackIfP addr="20.204.108.1"
>
<mplsNodeSidP
loopbackAddr="20.204.108.1"
sidoffset="50"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsLNodePMplsCustQosPol
tDn="uni/tn-infra/qosmplscustom-"
/>
<l3extLIfP
name="2-1-2-2_interfaceProfile"
prio="unspecified"
tag="yellow-green"
>
<l3extRsPathL3OutAtt addr="120.1.73.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-107/pathep-[PC2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.73.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="send-com,send-ext-com"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.71.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-107/pathep-[PC1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.71.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.72.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-108/pathep-[PC1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.72.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.74.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-108/pathep-[PC2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.74.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="send-com,send-ext-com"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<mplsIfP
>
<mplsRsIfPol
tnMplsIfPolName="default"
/>
</mplsIfP>
<bfdIfP
keyId="1"
type="none"
>
<bfdRsIfPol
tnBfdIfPolName="BFD_Pol"
/>
</bfdIfP>
</l3extLIfP>
<bgpInfraPeerP addr="201.201.201.7"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
<bgpInfraPeerP addr="201.201.201.6"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
</l3extLNodeP>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="2-1-2-2_mplsInstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsCustQosPol
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
</fvTenant>
</imdata>
User Tenant Configuration
The user tenant configuration below includes the new site 2-1-2-2. There is no change in how the tenant configuration is set up as compared to the previous use cases.
<?xml version="1.0" encoding="utf-8"?>
<imdata totalCount="1">
<!-- Specify Name of Tenant as Required -->
<fvTenant descr="Tenant with Basic SR MPLS Handoff between 2-1 and 2-1-2-1"
dn="uni/tn-TENANT-BASIC"
name="TENANT-BASIC"
>
<!-- Tag_1 User L3out Route Control Config -->
<rtctrlSubjP
name="all"
>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="100.0.0.0/8"
toPfxLen="0"
/>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="::/0"
toPfxLen="0"
/>
</rtctrlSubjP>
<rtctrlProfile
name="Export-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<!-- Tag_2 User L3out Config towards DC PE Location 2-1-2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_2121"
/>
<rtctrlProfile
name="Export-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1-2-1"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToProfile
direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToInstP tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106/instP-LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="::/0"
name="ipv6All"
scope="import-security"
/>
<l3extSubnet
ip="0.0.0.0/0"
name="ipv4All"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_3 User L3out Config towards DC PE Location 2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-MPLS-TENANT-L3OUT-2105"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_21"
/>
<rtctrlProfile
name="Import-pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Export-pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToProfile direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToInstP tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-MPLS-TENANT-L3OUT-2105/instP-LOCATION-2-1-MPLS-TENANT-L3OUT-2105-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-MPLS-TENANT-L3OUT-2105-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="::/0"
name="ipv6All"
scope="import-security"
/>
<l3extSubnet
ip="0.0.0.0/0"
name="ipv4All"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag User L3out Config towards DC PE Location 2-1-2-2 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_2122"
/>
<rtctrlProfile
name="Export-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1-2-2"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToProfile direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToInstP tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107/instP-LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="::/0"
name="ipv6All"
scope="import-security"
/>
<l3extSubnet
ip="0.0.0.0/0"
name="ipv4All"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_4 User VRF Config towards DC PE Location 2-1-2-1 -->
<fvCtx bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_2121"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="import"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="import"
/>
</bgpRtTargetP>
</fvCtx>
<!-- Tag_5 User VRF Config towards DC PE Location 2-1 -->
<fvCtx bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_21"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="export"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="import"
/>
</bgpRtTargetP>
</fvCtx>
<fvCtx bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_2122"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="import"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
</bgpRtTargetP>
</fvCtx>
<!-- Tag_6 User BD Config towards DC PE Location 2-1 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2105"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet ctrl="nd"
ip="2001:100:21:5::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="100.21.5.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_21"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-MPLS-TENANT-L3OUT-2105"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- Tag_7 User BD Config towards DC PE Location 2-1-2-1 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2106"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet ctrl="nd"
ip="2001:100:21:6::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="100.21.6.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_2121"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- Tag User BD Config towards DC PE Location 2-1-2-2 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2107"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet ctrl="nd"
ip="100.21.7.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="2001:100:21:7::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_2122"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- Tag_8 Application Profile Config towards DC PE Location 2-1-2-1 -->
<fvAp
name="LOCATION-2-1-2-1-AP2106"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG106"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="lazy"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-105/pathep-[eth1/10]"
/>
<fvRsDomAtt bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="lazy"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2106"
/>
</fvAEPg>
</fvAp>
<!-- Tag_9 Application Profile Config towards DC PE Location 2-1 -->
<fvAp
name="LOCATION-2-1-AP2105"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG105"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="immediate"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-101/pathep-[eth1/10]"
/>
<fvRsDomAtt bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="immediate"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2105"
/>
</fvAEPg>
</fvAp>
<!-- Tag Application Profile Config towards DC PE Location 2-1-2-2 -->
<fvAp
name="LOCATION-2-1-2-2-AP2107"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG107"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="lazy"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-107/pathep-[eth1/10]"
/>
<fvRsDomAtt bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="lazy"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2107"
/>
</fvAEPg>
</fvAp>
</fvTenant>
</imdata>
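A route-target audit of the three user VRFs above, as an added example that is not part of the original guide: it derives, from the route targets alone, which VRF imports routes exported by which other VRF, and flags any VRF whose IPv4 and IPv6 route-target sets differ. The embedded XML is a trimmed excerpt of the payload (only fvCtx and its route targets, values as on the page); the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Trimmed excerpt of the user tenant payload above (route targets only).
TENANT_XML = """
<fvTenant name="TENANT-BASIC">
 <fvCtx name="TENANT_BASIC_2121">
  <bgpRtTargetP af="ipv4-ucast">
   <bgpRtTarget rt="route-target:as2-nn4:1:2110006" type="import"/>
   <bgpRtTarget rt="route-target:as2-nn4:1:2110006" type="export"/>
   <bgpRtTarget rt="route-target:as2-nn4:1:2110007" type="import"/>
  </bgpRtTargetP>
  <bgpRtTargetP af="ipv6-ucast">
   <bgpRtTarget rt="route-target:as2-nn4:1:2110006" type="import"/>
   <bgpRtTarget rt="route-target:as2-nn4:1:2110006" type="export"/>
   <bgpRtTarget rt="route-target:as2-nn4:1:2110007" type="import"/>
  </bgpRtTargetP>
 </fvCtx>
 <fvCtx name="TENANT_BASIC_21">
  <bgpRtTargetP af="ipv4-ucast">
   <bgpRtTarget rt="route-target:as2-nn4:1:2110005" type="import"/>
   <bgpRtTarget rt="route-target:as2-nn4:1:2110005" type="export"/>
  </bgpRtTargetP>
  <bgpRtTargetP af="ipv6-ucast">
   <bgpRtTarget rt="route-target:as2-nn4:1:2110005" type="export"/>
   <bgpRtTarget rt="route-target:as2-nn4:1:2110005" type="import"/>
  </bgpRtTargetP>
 </fvCtx>
 <fvCtx name="TENANT_BASIC_2122">
  <bgpRtTargetP af="ipv4-ucast">
   <bgpRtTarget rt="route-target:as2-nn4:1:2110007" type="export"/>
   <bgpRtTarget rt="route-target:as2-nn4:1:2110006" type="import"/>
   <bgpRtTarget rt="route-target:as2-nn4:1:2110007" type="import"/>
  </bgpRtTargetP>
  <bgpRtTargetP af="ipv6-ucast">
   <bgpRtTarget rt="route-target:as2-nn4:1:2110007" type="import"/>
   <bgpRtTarget rt="route-target:as2-nn4:1:2110007" type="export"/>
   <bgpRtTarget rt="route-target:as2-nn4:1:2110006" type="import"/>
  </bgpRtTargetP>
 </fvCtx>
</fvTenant>
"""

def rt_sets(xml_text):
    """Return {vrf: {address family: {"import": set, "export": set}}}."""
    vrfs = {}
    for ctx in ET.fromstring(xml_text.strip()).iter("fvCtx"):
        per_af = {}
        for rtp in ctx.findall("bgpRtTargetP"):
            sets = per_af.setdefault(rtp.get("af"),
                                     {"import": set(), "export": set()})
            for rt in rtp.findall("bgpRtTarget"):
                sets[rt.get("type")].add(rt.get("rt"))
        vrfs[ctx.get("name")] = per_af
    return vrfs

def import_matrix(vrfs, af):
    """For each VRF, list the other VRFs whose exported RTs it imports."""
    empty = {"import": set(), "export": set()}
    matrix = {}
    for dst, dst_afs in vrfs.items():
        wanted = dst_afs.get(af, empty)["import"]
        matrix[dst] = sorted(
            src for src, src_afs in vrfs.items()
            if src != dst and src_afs.get(af, empty)["export"] & wanted)
    return matrix

def af_mismatches(vrfs):
    """VRFs whose IPv4 and IPv6 route-target sets are not identical."""
    return sorted(name for name, afs in vrfs.items()
                  if afs.get("ipv4-ucast") != afs.get("ipv6-ucast"))

if __name__ == "__main__":
    vrfs = rt_sets(TENANT_XML)
    for af in ("ipv4-ucast", "ipv6-ucast"):
        for vrf, sources in import_matrix(vrfs, af).items():
            print(f"{af}: {vrf} imports from {sources or 'no other VRF'}")
    print("IPv4/IPv6 mismatches:", af_mismatches(vrfs) or "none")
```

For this payload the matrix shows TENANT_BASIC_2121 and TENANT_BASIC_2122 importing from each other while TENANT_BASIC_21 imports from neither, so an unexpected entry after a change points to a route target that leaks routes between VRFs.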
Verifications
We can check on leaf7 (located in site 2-1-2-2) that it correctly receives the routes from the site 2-1-2-1 connected on the same DC-PEs.
ifav204-leaf7# show bgp l2vpn evpn 100.21.6.0 vrf overlay-1
Route Distinguisher: 105:2686985
BGP routing table entry for [5]:[0]:[0]:[24]:[100.21.6.0]:[0.0.0.0]/224, version 42358 dest ptr 0xac8755ba
Paths: (2 available, best #2)
Flags: (0x000002 00000000) on xmit-list, is not in rib/evpn, is not in HW, is locked
Multipath: eBGP iBGP
Path type: external 0x40000028 0x0 ref 0 adv path ref 0, path is valid, not best reason: newer EBGP path
AS-Path: 1 987654321 , path sourced external to AS
20.204.105.1 (metric 0) from 201.201.201.6 (201.201.201.6)
Origin incomplete, MED not set, localpref 100, weight 0 tag 4294966257, propagate 0
Received label 948579
Extcommunity:
RT:1:2110006
SOO:987654321:7
COLOR:500
Advertised path-id 1
Path type: external 0x40000028 0x0 ref 2 adv path ref 1, path is valid, is best path
Imported to 2 destination(s)
AS-Path: 1 987654321 , path sourced external to AS
20.204.105.1 (metric 0) from 201.201.201.7 (201.201.201.7)
Origin incomplete, MED not set, localpref 100, weight 0 tag 4294966257, propagate 0
Received label 948579
Extcommunity:
RT:1:2110006
SOO:987654321:7
COLOR:500
Path-id 1 not advertised to any peer
Route Distinguisher: 106:2686985
BGP routing table entry for [5]:[0]:[0]:[24]:[100.21.6.0]:[0.0.0.0]/224, version 42372 dest ptr 0xac84b460
Paths: (2 available, best #2)
Flags: (0x000002 00000000) on xmit-list, is not in rib/evpn, is not in HW, is locked
Multipath: eBGP iBGP
Path type: external 0x40000028 0x0 ref 0 adv path ref 0, path is valid, not best reason: Router Id
AS-Path: 1 987654321 , path sourced external to AS
20.204.106.1 (metric 0) from 201.201.201.7 (201.201.201.7)
Origin incomplete, MED not set, localpref 100, weight 0 tag 4294966257, propagate 0
Received label 948579
Extcommunity:
RT:1:2110006
SOO:987654321:7
COLOR:500
Advertised path-id 1
Path type: external 0x40000028 0x0 ref 2 adv path ref 1, path is valid, is best path
Imported to 2 destination(s)
AS-Path: 1 987654321 , path sourced external to AS
20.204.106.1 (metric 0) from 201.201.201.6 (201.201.201.6)
Origin incomplete, MED not set, localpref 100, weight 0 tag 4294966257, propagate 0
Received label 948579
Extcommunity:
RT:1:2110006
SOO:987654321:7
COLOR:500
Path-id 1 not advertised to any peer
Route Distinguisher: 107:2392069 (L3VNI 2392069)
BGP routing table entry for [5]:[0]:[0]:[24]:[100.21.6.0]:[0.0.0.0]/224, version 42375 dest ptr 0xac875794
Paths: (2 available, best #2)
Flags: (0x000002 00000000) on xmit-list, is not in rib/evpn, is not in HW
Multipath: eBGP iBGP
Path type: external 0xc0020028 0x0 ref 0 adv path ref 0, path is valid, not best reason: newer EBGP path, multipath
Imported from 106:2686985:[5]:[0]:[0]:[24]:[100.21.6.0]:[0.0.0.0]/120
AS-Path: 1 987654321 , path sourced external to AS
20.204.106.1 (metric 0) from 201.201.201.6 (201.201.201.6)
Origin incomplete, MED not set, localpref 100, weight 0 tag 4294966257, propagate 0
Received label 948579
Extcommunity:
RT:1:2110006
SOO:987654321:7
COLOR:500
Advertised path-id 1
Path type: external 0xc0000028 0x0 ref 0 adv path ref 1, path is valid, is best path
Imported from 105:2686985:[5]:[0]:[0]:[24]:[100.21.6.0]:[0.0.0.0]/120
AS-Path: 1 987654321 , path sourced external to AS
20.204.105.1 (metric 0) from 201.201.201.7 (201.201.201.7)
Origin incomplete, MED not set, localpref 100, weight 0 tag 4294966257, propagate 0
Received label 948579
Extcommunity:
RT:1:2110006
SOO:987654321:7
COLOR:500
Path-id 1 not advertised to any peer
The prefix 100.21.6.0/24 is correctly received by the leaf with two paths: one from leaf5 and one from leaf6 (both are located in site 2-1-2-1). As expected, the DC-PE does not change the next hop of the EVPN routes when multiple sites are connected.
The leaf has a BGP-LU route to reach leaf5 and leaf6 loopbacks.
ifav204-leaf7# show bgp ipv4 labeled-unicast 20.204.105.1/32 vrf overlay-1
BGP routing table information for VRF overlay-1, address family IPv4 Label Unicast
BGP routing table entry for 20.204.105.1/32, version 55 dest ptr 0xa41fc40c
Paths: (2 available, best #2)
Flags: (0x08001a 00000000) on xmit-list, is in urib, is best urib route, is in HW
label af: version 62, (0x100002) on xmit-list
Path type: external 0x40020028 0x0 ref 0 adv path ref 0, path is valid, not best reason: newer EBGP path, multipath
AS-Path: 1 1 , path sourced external to AS
120.1.73.2 (metric 0) from 120.1.73.2 (201.201.201.7)
Origin IGP, MED not set, localpref 100, weight 0 tag 0, propagate 0
Received label 16047
Prefix-SID Attribute: Length: 10
Label Index TLV: Length 7, Flags 0x0 Label Index 47
Advertised path-id 1, Label AF advertised path-id 1
Path type: external 0x40000028 0x0 ref 0 adv path ref 2, path is valid, is best path
AS-Path: 1 1 , path sourced external to AS
120.1.71.2 (metric 0) from 120.1.71.2 (201.201.201.6)
Origin IGP, MED not set, localpref 100, weight 0 tag 0, propagate 0
Received label 16047
Prefix-SID Attribute: Length: 10
Label Index TLV: Length 7, Flags 0x0 Label Index 47
Path-id 1 not advertised to any peer
Label AF advertisement
Path-id 1 not advertised to any peer
ifav204-leaf7# show bgp ipv4 labeled-unicast 20.204.106.1
BGP routing table information for VRF overlay-1, address family IPv4 Label Unicast
BGP routing table entry for 20.204.106.1/32, version 57 dest ptr 0xa41fc490
Paths: (2 available, best #2)
Flags: (0x08001a 00000000) on xmit-list, is in urib, is best urib route, is in HW
label af: version 64, (0x100002) on xmit-list
Path type: external 0x40020028 0x0 ref 0 adv path ref 0, path is valid, not best reason: newer EBGP path, multipath
AS-Path: 1 1 , path sourced external to AS
120.1.73.2 (metric 0) from 120.1.73.2 (201.201.201.7)
Origin IGP, MED not set, localpref 100, weight 0 tag 0, propagate 0
Received label 16048
Prefix-SID Attribute: Length: 10
Label Index TLV: Length 7, Flags 0x0 Label Index 48
Advertised path-id 1, Label AF advertised path-id 1
Path type: external 0x40000028 0x0 ref 0 adv path ref 2, path is valid, is best path
AS-Path: 1 1 , path sourced external to AS
120.1.71.2 (metric 0) from 120.1.71.2 (201.201.201.6)
Origin IGP, MED not set, localpref 100, weight 0 tag 0, propagate 0
Received label 16048
Prefix-SID Attribute: Length: 10
Label Index TLV: Length 7, Flags 0x0 Label Index 48
Path-id 1 not advertised to any peer
Label AF advertisement
Path-id 1 not advertised to any peer
SR/MPLS Handoff Using Different Transport Constraints Per Destination
Design
SR/MPLS Handoff with Per Destination Traffic Steering
In Figure 16, the Cisco ACI fabric hosts two services, A and D, which require a best-effort transport service and a low-latency transport service respectively. In this design, the Cisco ACI fabric signals the level of service associated with each destination (on a per-IP-prefix basis) to the SP core, so that each ingress PE in the SP core selects the appropriate transport path within the core. Using the signaling from ACI allows the data center to control the transport slice used within the core network.
Each level of service is associated with a BGP color community. In our design, color 500 is associated with the best-effort transport service, while color 200 is associated with a low-latency transport service.
The Cisco ACI fabric advertises the prefix 10.1.5.0/24, associated with service A, with the BGP color 500, while the prefix 20.1.5.0/24, associated with service D, is advertised with the BGP color 200.
The BGP color is carried transparently by the connected DC-PE into the SP core. When a remote PE (such as PE6 or PE3) receives the route with the color, it uses the Automated Steering (AS) or On-Demand Nexthop (ODN) feature to automatically steer the traffic to the destination onto the appropriate transport path.
Configuration
BGP Route Coloring on ACI
The VRF export policy of site 2-1 is modified to set the BGP color community as follows:
● Set color 200 to prefix 101.21.5.254/24
● Set color 500 otherwise
ACI color community configuration snippet:
<!-- color 500 policy -->
<rtctrlAttrP annotation=""
descr=""
name="color-500"
nameAlias=""
userdom=":all:">
<rtctrlSetComm annotation=""
community="extended:color:500"
descr=""
name=""
nameAlias=""
setCriteria="append"
type="community"
userdom=":all:"/>
</rtctrlAttrP>
ACI user tenant configuration including the route coloring:
<?xml version="1.0" encoding="utf-8"?>
<imdata totalCount="1">
<!-- Specify Name of Tenant as Required -->
<fvTenant descr="Tenant with Basic SR MPLS Handoff between 2-1 and 2-1-2-1"
dn="uni/tn-TENANT-BASIC"
name="TENANT-BASIC"
>
<!-- Tag_1 User L3out Route Control Config -->
<rtctrlSubjP
name="all"
>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="100.0.0.0/8"
toPfxLen="0"
/>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="101.0.0.0/8"
toPfxLen="0"
userdom=":all:"/>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="::/0"
toPfxLen="0"
/>
</rtctrlSubjP>
<!-- Color configuration per prefix subnet -->
<rtctrlSubjP
name="Granular-Rule"
>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="101.21.5.254/24"
toPfxLen="0"
/>
</rtctrlSubjP>
<!-- export policy for site21 -->
<rtctrlProfile
name="export-21"
type="combinable"
userdom=":all:">
<!-- Color 500 for all routes from site2-1 -->
<rtctrlCtxP action="permit"
name="export-500"
order="0"
userdom=":all:">
<rtctrlScope
userdom=":all:">
<rtctrlRsScopeToAttrP
tnRtctrlAttrPName="color-500"
userdom="all"/>
</rtctrlScope>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
userdom=":all:"/>
</rtctrlCtxP>
<!-- Color 200 for specific subnet routes from site2-1 -->
<rtctrlCtxP action="permit"
name="export-200"
order="0"
userdom=":all:">
<rtctrlScope
userdom=":all:">
<rtctrlRsScopeToAttrP
tnRtctrlAttrPName="color-200"
userdom="all"/>
</rtctrlScope>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="Granular-Rule"
userdom=":all:"/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Export-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<!-- color 200 policy -->
<rtctrlAttrP
name="color-200"
userdom=":all:">
<rtctrlSetComm
community="extended:color:200"
setCriteria="append"
type="community"
userdom=":all:"/>
</rtctrlAttrP>
<!-- color 500 policy -->
<rtctrlAttrP
name="color-500"
userdom=":all:">
<rtctrlSetComm
community="extended:color:500"
setCriteria="append"
type="community"
userdom=":all:"/>
</rtctrlAttrP>
<!-- Tag_2 User L3out Config towards DC PE Location 2-1-2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_2121"
/>
<rtctrlProfile
name="Export-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1-2-1"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToProfile
direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToInstP tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106/instP-LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="::/0"
name="ipv6All"
scope="import-security"
/>
<l3extSubnet
ip="0.0.0.0/0"
name="ipv4All"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_3 User L3out Config towards DC PE Location 2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-MPLS-TENANT-L3OUT-2105"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_21"
/>
<!-- Optional import policy -->
<rtctrlProfile
name="Import-pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="export-21"
type="combinable"
userdom=":all:">
<rtctrlCtxP action="permit"
name="export-500"
order="0"
userdom=":all:">
<rtctrlScope
userdom=":all:">
<rtctrlRsScopeToAttrP
tnRtctrlAttrPName="color-500"
userdom="all"/>
</rtctrlScope>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
userdom=":all:"/>
</rtctrlCtxP>
<rtctrlCtxP action="permit"
name="export-200"
order="1"
userdom=":all:">
<rtctrlScope
userdom=":all:">
<rtctrlRsScopeToAttrP
tnRtctrlAttrPName="color-200"
userdom="all"/>
</rtctrlScope>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="Granular-Rule"
userdom=":all:"/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile
direction="export"
tDn="uni/tn-TENANT-BASIC/prof-export-21"
userdom=":all:"/>
<l3extRsLblToProfile
direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToInstP
tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-MPLS-TENANT-L3OUT-2105/instP-LOCATION-2-1-MPLS-TENANT-L3OUT-2105-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-MPLS-TENANT-L3OUT-2105-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="::/0"
name="ipv6All"
scope="import-security"
/>
<l3extSubnet
ip="0.0.0.0/0"
name="ipv4All"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag User L3out Config towards DC PE Location 2-1-2-2 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_2122"
/>
<rtctrlProfile
name="Export-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1-2-2"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToProfile direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToInstP tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107/instP-LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="::/0"
name="ipv6All"
scope="import-security"
/>
<l3extSubnet
ip="0.0.0.0/0"
name="ipv4All"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_4 User VRF Config towards DC PE Location 2-1-2-1 -->
<fvCtx bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_2121"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="export"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="export"
/>
</bgpRtTargetP>
</fvCtx>
<!-- Tag_5 User VRF Config towards DC PE Location 2-1 -->
<fvCtx bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_21"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="export"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="import"
/>
</bgpRtTargetP>
</fvCtx>
<fvCtx bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_2122"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="import"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
</bgpRtTargetP>
</fvCtx>
<!-- Tag_6 User BD Config towards DC PE Location 2-1 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2105"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet ctrl="nd"
ip="2001:100:21:5::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="100.21.5.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="101.21.5.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_21"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-MPLS-TENANT-L3OUT-2105"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- Tag_7 User BD Config towards DC PE Location 2-1-2-1 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2106"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet ctrl="nd"
ip="2001:100:21:6::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="100.21.6.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="101.21.6.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_2121"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- Tag User BD Config towards DC PE Location 2-1-2-2 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2107"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet ctrl="nd"
ip="100.21.7.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="101.21.7.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="2001:100:21:7::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_2122"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- Tag_8 Application Profile Config towards DC PE Location 2-1-2-1 -->
<fvAp
name="LOCATION-2-1-2-1-AP2106"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG106"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="lazy"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-105/pathep-[eth1/10]"
/>
<fvRsDomAtt bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="lazy"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2106"
/>
</fvAEPg>
</fvAp>
<!-- Tag_9 Application Profile Config towards DC PE Location 2-1 -->
<fvAp
name="LOCATION-2-1-AP2105"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG105"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="immediate"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-101/pathep-[eth1/10]"
/>
<fvRsDomAtt bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="immediate"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2105"
/>
</fvAEPg>
</fvAp>
<!-- Tag Application Profile Config towards DC PE Location 2-1-2-2 -->
<fvAp
name="LOCATION-2-1-2-2-AP2107"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG107"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="lazy"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-107/pathep-[eth1/10]"
/>
<fvRsDomAtt bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="lazy"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2107"
/>
</fvAEPg>
</fvAp>
</fvTenant>
</imdata>
ODN Template on XR (PE6 Sample Configuration)
Segment Routing must be implemented before using Autosteering or ODN. The following configuration does not provide the segment routing base configuration templates but only the ODN policies to be used for steering traffic to the ACI sites.
segment-routing
traffic-eng
on-demand color 200
dynamic
pcep
!
metric
type latency
!
!
!
on-demand color 500
dynamic
pcep
!
metric
type igp
!
!
!
pcc
source-address ipv4 201.201.201.6
pce address ipv4 202.202.202.104
precedence 100
!
pce address ipv4 202.202.202.105
precedence 200
!
!
!
The configuration is split in two parts:
● ODN policies. The two ODN policies used in the design rely on PCE computation.
● PCE servers configuration. In the configuration, PE2 is using a primary and backup PCE.
For each service type, there is an associated BGP color community value. In our case, we use color 200 for low-latency and 500 for best-effort.
Using a PCE-based computation is not mandatory; however, in multi-domain scenarios it often becomes mandatory.
In our design, color 200 is associated with a path computation based on the latency metric advertised in the IGP. Color 500 is associated with a path computation based on the regular IGP metric, which maps to best-effort routing. While we use color 500 for best-effort traffic using the regular IGP metric, this is not mandatory. VPN routes could be advertised without a color and will de facto use the regular IGP path. However, such a case requires the ingress PE to have reachability to the egress PE (using IGP or BGP-LU).
The constraints that can be defined in an ODN policy are not limited to the ones used in this configuration. See the IOS XR SR-TE configuration guideline for more information. For instance, another validated example is to have a color associated with a low-latency secured path for some critical application flows. In such a scenario, the IGP links in the SP core are tagged with a particular affinity bit indicating that the link is NON SECURE (this could be a core MPLS link which is carried over a non-trusted carrier, for instance). The ODN policy, associated with BGP color 600, is configured to use the latency metric AND exclude all NON SECURE links from the path computation.
Low Latency Secured Routing
on-demand color 600
dynamic
metric
type latency
!
affinity exclude-any
name NON_SECURE
!
!
!
affinity-map
name NON_SECURE bit-position 3
!
Verifications
ACI Color Attachment to Local Route
We can check that the BGP color is correctly attached to the EVPN route associated with the local route of the tenant.
ifav204-leaf3# show bgp l2vpn evpn 101.21.5.0 vrf TENANT-BASIC:TENANT_BASIC_21
Route Distinguisher: 103:2785286 (L3VNI 2785286)
BGP routing table entry for [5]:[0]:[0]:[24]:[101.21.5.0]:[0.0.0.0]/224, version 86140 dest ptr 0xa4cfba10
Paths: (1 available, best #1)
Flags: (0x00000a 00000000) on xmit-list, is not in rib/evpn
Multipath: eBGP iBGP
Advertised path-id 1
Path type: local 0x4000008c 0x0 ref 0 adv path ref 1, path is valid, is best path
AS-Path: NONE, path locally originated
0.0.0.0 (metric 0) from 0.0.0.0 (30.204.103.1)
Origin incomplete, MED 0, localpref 100, weight 32768 tag 4294966001, propagate 0
Received label 949926
Extcommunity:
RT:1:2110005
COLOR:200
VNID:2785286
Path-id 1 advertised to peers:
201.201.201.1 201.201.201.2
ifav204-leaf3# show bgp l2vpn evpn 100.21.5.0 vrf TENANT-BASIC:TENANT_BASIC_21
Route Distinguisher: 103:2785286 (L3VNI 2785286)
BGP routing table entry for [5]:[0]:[0]:[24]:[100.21.5.0]:[0.0.0.0]/224, version 86141 dest ptr 0xa4cec0b8
Paths: (1 available, best #1)
Flags: (0x00000a 00000000) on xmit-list, is not in rib/evpn
Multipath: eBGP iBGP
Advertised path-id 1
Path type: local 0x4000008c 0x0 ref 0 adv path ref 1, path is valid, is best path
AS-Path: NONE, path locally originated
0.0.0.0 (metric 0) from 0.0.0.0 (30.204.103.1)
Origin incomplete, MED 0, localpref 100, weight 32768 tag 4294966001, propagate 0
Received label 949926
Extcommunity:
RT:1:2110005
COLOR:500
VNID:2785286
Path-id 1 advertised to peers:
201.201.201.1 201.201.201.2
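The check above can be scripted. The following Python is an added example, not part of the original guide: it parses `show bgp l2vpn evpn` output in the format shown above and compares the COLOR extended community of every path with the intended export policy (color 200 for 101.21.5.0/24, color 500 otherwise). The sample text is constructed from the leaf3 output on this page plus one invented uncolored route; the function names and the policy table are assumptions of the example.

```python
import ipaddress
import re

# Intended export policy for site 2-1, as stated on this page: color 200 for
# 101.21.5.0/24, color 500 for everything else. Names are this example's own.
SPECIFIC_COLORS = {ipaddress.ip_network("101.21.5.0/24"): 200}
DEFAULT_COLOR = 500

# Constructed sample: the first two entries are trimmed from the leaf3 output on
# this page; the third (100.21.9.0/24) is invented and carries no COLOR at all.
SAMPLE_OUTPUT = """\
BGP routing table entry for [5]:[0]:[0]:[24]:[101.21.5.0]:[0.0.0.0]/224, version 86140
  Path type: local 0x4000008c 0x0 ref 0 adv path ref 1, path is valid, is best path
  Extcommunity:
      RT:1:2110005
      COLOR:200
      VNID:2785286
BGP routing table entry for [5]:[0]:[0]:[24]:[100.21.5.0]:[0.0.0.0]/224, version 86141
  Path type: local 0x4000008c 0x0 ref 0 adv path ref 1, path is valid, is best path
  Extcommunity:
      RT:1:2110005
      COLOR:500
      VNID:2785286
BGP routing table entry for [5]:[0]:[0]:[24]:[100.21.9.0]:[0.0.0.0]/224, version 1
  Path type: local 0x4000008c 0x0 ref 0 adv path ref 1, path is valid, is best path
  Extcommunity:
      RT:1:2110005
      VNID:2785286
"""

# EVPN type-5 entry header: [5]:[..]:[..]:[prefix length]:[prefix]:[gateway]
ENTRY_RE = re.compile(
    r"BGP routing table entry for \[5\]:\[\d+\]:\[\d+\]:\[(\d+)\]:\[([0-9a-fA-F.:]+)\]")
PATH_RE = re.compile(r"^\s*Path type:")
COLOR_RE = re.compile(r"^\s*COLOR:(\d+)\s*$")


def parse_evpn_routes(text):
    """Return [(prefix, [color or None for each path])] for every type-5 entry."""
    routes = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            prefix = ipaddress.ip_network(f"{m.group(2)}/{m.group(1)}", strict=False)
            routes.append((prefix, []))
            continue
        if not routes:
            continue  # ignore anything before the first entry header
        colors = routes[-1][1]
        if PATH_RE.match(line):
            colors.append(None)  # new path; color stays None unless a COLOR line follows
            continue
        m = COLOR_RE.match(line)
        if m and colors:
            colors[-1] = int(m.group(1))
    return routes


def expected_color(prefix):
    """Longest-match lookup of the color the policy intends for this prefix."""
    best = None
    for net, color in SPECIFIC_COLORS.items():
        if prefix.version == net.version and prefix.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, color)
    return best[1] if best else DEFAULT_COLOR


def audit(text):
    """Return (prefix, problem, expected color, observed color) for every bad path."""
    findings = []
    for prefix, colors in parse_evpn_routes(text):
        want = expected_color(prefix)
        if not colors:
            findings.append((str(prefix), "no-path", want, None))
        for got in colors:
            if got is None:
                findings.append((str(prefix), "missing-color", want, None))
            elif got != want:
                findings.append((str(prefix), "wrong-color", want, got))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(finding)
```

A missing color is reported as well as a wrong one because an uncolored VPN route is not dropped: it follows the regular IGP path, so the loss of the intended transport constraint is otherwise silent.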
Remote DC-PE Handling Received Color
PE6 receives the BGP color and applies the associated ODN template.
As a result, for the prefix 100.21.5.0/24, PE6 has instantiated two SR policies, to PE2 and PE1 respectively, associated with regular IGP routing (best effort). The binding-sid value can be used to check the details of the SR policy in use.
RP/0/RP0/CPU0:PE06#show bgp vpnv4 un vrf TENANT_BASIC 100.21.5.0
Mon Sep 28 10:05:10.293 UTC
BGP routing table entry for 100.21.5.0/24, Route Distinguisher: 1:2110006
Versions:
Process bRIB/RIB SendTblVer
Speaker 112165 112165
Local Label: 32266
Last Modified: Sep 22 14:11:06.642 for 5d19h
Paths: (2 available, best #1)
Advertised to update-groups (with more than one peer):
0.1 0.6
Path #1: Received by speaker 0
Advertised to update-groups (with more than one peer):
0.1 0.6
987654321
201.201.201.1 C:500 (bsid:32171) (metric 20100) from 202.202.202.102 (201.201.201.1)
Received Label 32211
Origin incomplete, metric 0, localpref 100, valid, internal, best, group-best, import-candidate, imported, reoriginated with stitching-rt
Received Path ID 1, Local Path ID 1, version 111836
Extended community: SoO:1:5 Color:500 RT:1:2110006 RT:1:2110007
Originator: 201.201.201.1, Cluster list: 0.0.0.2, 0.0.0.1
SR policy color 500, up, registered, bsid 32171, if-handle 0x200040e4
Source AFI: VPNv4 Unicast, Source VRF: default, Source Route Distinguisher: 1:2110001
Path #2: Received by speaker 0
Not advertised to any peer
987654321
201.201.201.2 C:500 (bsid:32110) (metric 10020149) from 202.202.202.102 (201.201.201.2)
Received Label 32639
Origin incomplete, metric 0, localpref 100, valid, internal, add-path, import-candidate, imported, reoriginated with stitching-rt
Received Path ID 1, Local Path ID 2, version 111836
Extended community: SoO:1:5 Color:500 RT:1:2110006 RT:1:2110007
Originator: 201.201.201.2, Cluster list: 0.0.0.2
SR policy color 500, up, registered, bsid 32110, if-handle 0x200040ec
Source AFI: VPNv4 Unicast, Source VRF: default, Source Route Distinguisher: 1:2110002
RP/0/RP0/CPU0:PE06#show segment-routing traffic-eng policy binding-sid 32171
Mon Sep 28 10:08:27.035 UTC
SR-TE policy database
---------------------
Color: 500, End-point: 201.201.201.1
Name: srte_c_500_ep_201.201.201.1
Status:
Admin: up Operational: up for 5d19h (since Sep 22 14:11:06.761)
Candidate-paths:
Preference: 200 (BGP ODN) (shutdown)
Requested BSID: dynamic
Maximum SID Depth: 12
Dynamic (invalid)
Metric Type: IGP, Path Accumulated Metric: 0
Preference: 100 (BGP ODN) (active)
Requested BSID: dynamic
PCC info:
Symbolic name: bgp_c_500_ep_201.201.201.1_discr_100
PLSP-ID: 16
Maximum SID Depth: 12
Dynamic (pce 202.202.202.104) (valid)
Metric Type: IGP, Path Accumulated Metric: 20100
16001 [Prefix-SID, 201.201.201.1]
Attributes:
Binding SID: 32171
Forward Class: Not Configured
Steering labeled-services disabled: no
Steering BGP disabled: no
IPv6 caps enable: yes
RP/0/RP0/CPU0:PE06#show segment-routing traffic-eng policy binding-sid 32110
Mon Sep 28 10:09:10.104 UTC
SR-TE policy database
---------------------
Color: 500, End-point: 201.201.201.2
Name: srte_c_500_ep_201.201.201.2
Status:
Admin: up Operational: up for 3w0d (since Sep 6 17:56:47.905)
Candidate-paths:
Preference: 200 (BGP ODN) (shutdown)
Requested BSID: dynamic
Maximum SID Depth: 12
Dynamic (invalid)
Metric Type: IGP, Path Accumulated Metric: 0
Preference: 100 (BGP ODN) (active)
Requested BSID: dynamic
PCC info:
Symbolic name: bgp_c_500_ep_201.201.201.2_discr_100
PLSP-ID: 17
Maximum SID Depth: 12
Dynamic (pce 202.202.202.104) (valid)
Metric Type: IGP, Path Accumulated Metric: 20150
16002 [Prefix-SID, 201.201.201.2]
Attributes:
Binding SID: 32110
Forward Class: Not Configured
Steering labeled-services disabled: no
Steering BGP disabled: no
IPv6 caps enable: yes
For the prefix 101.21.5.0/24, PE6 has instantiated two SR policies associated with low latency routing.
RP/0/RP0/CPU0:PE06#show bgp vpnv4 un vrf TENANT_BASIC 101.21.5.0
Mon Sep 28 10:05:15.314 UTC
BGP routing table entry for 101.21.5.0/24, Route Distinguisher: 1:2110006
Versions:
Process bRIB/RIB SendTblVer
Speaker 112166 112166
Local Label: 32266
Last Modified: Sep 22 14:11:06.642 for 5d19h
Paths: (2 available, best #1)
Advertised to update-groups (with more than one peer):
0.1 0.6
Path #1: Received by speaker 0
Advertised to update-groups (with more than one peer):
0.1 0.6
987654321
201.201.201.1 C:200 (bsid:32174) (metric 20100) from 202.202.202.102 (201.201.201.1)
Received Label 32211
Origin incomplete, metric 0, localpref 100, valid, internal, best, group-best, import-candidate, imported, reoriginated with stitching-rt
Received Path ID 1, Local Path ID 1, version 111837
Extended community: SoO:1:5 Color:200 RT:1:2110006 RT:1:2110007
Originator: 201.201.201.1, Cluster list: 0.0.0.2, 0.0.0.1
SR policy color 200, up, registered, bsid 32174, if-handle 0x200041a4
Source AFI: VPNv4 Unicast, Source VRF: default, Source Route Distinguisher: 1:2110001
Path #2: Received by speaker 0
Not advertised to any peer
987654321
201.201.201.2 C:200 (bsid:32125) (metric 10020149) from 202.202.202.102 (201.201.201.2)
Received Label 32639
Origin incomplete, metric 0, localpref 100, valid, internal, add-path, import-candidate, imported, reoriginated with stitching-rt
Received Path ID 1, Local Path ID 2, version 111837
Extended community: SoO:1:5 Color:200 RT:1:2110006 RT:1:2110007
Originator: 201.201.201.2, Cluster list: 0.0.0.2
SR policy color 200, up, registered, bsid 32125, if-handle 0x200041ac
Source AFI: VPNv4 Unicast, Source VRF: default, Source Route Distinguisher: 1:2110002
RP/0/RP0/CPU0:PE06#show segment-routing traffic-eng policy binding-sid 32174
Mon Sep 28 10:11:08.109 UTC
SR-TE policy database
---------------------
Color: 200, End-point: 201.201.201.1
Name: srte_c_200_ep_201.201.201.1
Status:
Admin: up Operational: up for 5d20h (since Sep 22 14:11:06.762)
Candidate-paths:
Preference: 200 (BGP ODN) (shutdown)
Requested BSID: dynamic
Maximum SID Depth: 12
Dynamic (invalid)
Metric Type: LATENCY, Path Accumulated Metric: 0
Preference: 100 (BGP ODN) (active)
Requested BSID: dynamic
PCC info:
Symbolic name: bgp_c_200_ep_201.201.201.1_discr_100
PLSP-ID: 40
Maximum SID Depth: 12
Dynamic (pce 202.202.202.104) (valid)
Metric Type: LATENCY, Path Accumulated Metric: 34000
32005 [Adjacency-SID, 200.200.200.74 - 200.200.200.73]
32020 [Adjacency-SID, 200.200.200.26 - 200.200.200.25]
32005 [Adjacency-SID, 200.200.200.62 - 200.200.200.61]
32014 [Adjacency-SID, 200.200.200.13 - 200.200.200.14]
32010 [Adjacency-SID, 200.200.200.9 - 200.200.200.10]
Attributes:
Binding SID: 32174
Forward Class: Not Configured
Steering labeled-services disabled: no
Steering BGP disabled: no
IPv6 caps enable: yes
RP/0/RP0/CPU0:PE06#show segment-routing traffic-eng policy binding-sid 32125
Mon Sep 28 10:11:12.976 UTC
SR-TE policy database
---------------------
Color: 200, End-point: 201.201.201.2
Name: srte_c_200_ep_201.201.201.2
Status:
Admin: up Operational: up for 3w0d (since Sep 6 17:56:47.906)
Candidate-paths:
Preference: 200 (BGP ODN) (shutdown)
Requested BSID: dynamic
Maximum SID Depth: 12
Dynamic (invalid)
Metric Type: LATENCY, Path Accumulated Metric: 0
Preference: 100 (BGP ODN) (active)
Requested BSID: dynamic
PCC info:
Symbolic name: bgp_c_200_ep_201.201.201.2_discr_100
PLSP-ID: 41
Maximum SID Depth: 12
Dynamic (pce 202.202.202.104) (valid)
Metric Type: LATENCY, Path Accumulated Metric: 35000
32005 [Adjacency-SID, 200.200.200.74 - 200.200.200.73]
32020 [Adjacency-SID, 200.200.200.26 - 200.200.200.25]
32005 [Adjacency-SID, 200.200.200.62 - 200.200.200.61]
32014 [Adjacency-SID, 200.200.200.13 - 200.200.200.14]
32010 [Adjacency-SID, 200.200.200.9 - 200.200.200.10]
32004 [Adjacency-SID, 200.200.200.6 - 200.200.200.5]
Attributes:
Binding SID: 32125
Forward Class: Not Configured
Steering labeled-services disabled: no
Steering BGP disabled: no
IPv6 caps enable: yes
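The same verification can be done in bulk on the remote PE. The following Python is an added example, not part of the original guide: it parses `show segment-routing traffic-eng policy` output in the format shown above and checks that each ODN-instantiated policy is up, has a valid active candidate path, and computes on the metric its color is meant to use (200 on latency, 500 on IGP). The first two policies in the sample are trimmed from the PE6 output on this page; the third policy, the function names and the expectation table are assumptions of the example.

```python
import re

# Metric each ODN color is expected to compute on, per the templates on this page
# (color 200 -> latency, color 500 -> igp). The table itself is this example's own.
EXPECTED_METRIC = {200: "LATENCY", 500: "IGP"}

# Constructed sample: the first two policies are trimmed from the PE6 output on this
# page; the third (end-point 201.201.201.9, BSID 32999) is invented to show a mismatch.
SAMPLE_OUTPUT = """\
Color: 500, End-point: 201.201.201.1
  Name: srte_c_500_ep_201.201.201.1
  Status:
    Admin: up Operational: up for 5d19h (since Sep 22 14:11:06.761)
  Candidate-paths:
    Preference: 200 (BGP ODN) (shutdown)
      Dynamic (invalid)
        Metric Type: IGP, Path Accumulated Metric: 0
    Preference: 100 (BGP ODN) (active)
      Dynamic (pce 202.202.202.104) (valid)
        Metric Type: IGP, Path Accumulated Metric: 20100
  Attributes:
    Binding SID: 32171
Color: 200, End-point: 201.201.201.1
  Name: srte_c_200_ep_201.201.201.1
  Status:
    Admin: up Operational: up for 5d20h (since Sep 22 14:11:06.762)
  Candidate-paths:
    Preference: 200 (BGP ODN) (shutdown)
      Dynamic (invalid)
        Metric Type: LATENCY, Path Accumulated Metric: 0
    Preference: 100 (BGP ODN) (active)
      Dynamic (pce 202.202.202.104) (valid)
        Metric Type: LATENCY, Path Accumulated Metric: 34000
  Attributes:
    Binding SID: 32174
Color: 200, End-point: 201.201.201.9
  Status:
    Admin: up Operational: up for 1d00h
  Candidate-paths:
    Preference: 100 (BGP ODN) (active)
      Dynamic (pce 202.202.202.104) (valid)
        Metric Type: IGP, Path Accumulated Metric: 20100
  Attributes:
    Binding SID: 32999
"""

POLICY_RE = re.compile(r"Color:\s*(\d+),\s*End-point:\s*(\S+)")
OPER_RE = re.compile(r"Operational:\s*(\w+)")
DYNAMIC_RE = re.compile(r"Dynamic\b.*\((valid|invalid)\)\s*$")
METRIC_RE = re.compile(r"Metric Type:\s*(\w+)")
BSID_RE = re.compile(r"Binding SID:\s*(\d+)")


def parse_policies(text):
    """Return one dict per SR policy; only the (active) candidate path is recorded."""
    policies, cur, in_active = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            cur = {"color": int(m.group(1)), "endpoint": m.group(2),
                   "oper": None, "bsid": None, "active": None}
            policies.append(cur)
            in_active = False
            continue
        if cur is None:
            continue
        if line.startswith("Preference:"):
            # Each "Preference:" line opens a candidate path; track only the active one.
            in_active = line.endswith("(active)")
            if in_active:
                cur["active"] = {"valid": None, "metric": None}
        elif line.startswith("Attributes:"):
            in_active = False
        elif in_active and (m := DYNAMIC_RE.match(line)):
            cur["active"]["valid"] = m.group(1) == "valid"
        elif in_active and (m := METRIC_RE.match(line)):
            cur["active"]["metric"] = m.group(1).upper()
        elif (m := OPER_RE.search(line)):
            cur["oper"] = m.group(1)
        elif (m := BSID_RE.match(line)):
            cur["bsid"] = int(m.group(1))
    return policies


def check_policies(text, expected=EXPECTED_METRIC):
    """Return (color, end-point, problem) for every policy that breaks the intent."""
    findings = []
    for p in parse_policies(text):
        who = (p["color"], p["endpoint"])
        want, act = expected.get(p["color"]), p["active"]
        if want is None:
            findings.append(who + ("unexpected-color",))
        elif p["oper"] != "up":
            findings.append(who + ("policy-not-up",))
        elif act is None or not act["valid"]:
            findings.append(who + ("no-valid-active-path",))
        elif act["metric"] != want:
            findings.append(who + ("metric-mismatch",))
    return findings


if __name__ == "__main__":
    for finding in check_policies(SAMPLE_OUTPUT):
        print(finding)
```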
You can also check the forwarding table to verify that the SR-policy is actually used for forwarding traffic. The forwarding table uses the binding SID allocated for the SR-policy.
RP/0/RP0/CPU0:PE06#show cef vrf TENANT_BASIC 100.21.5.0
Mon Sep 28 10:12:57.827 UTC
100.21.5.0/24, version 305, internal 0x1000001 0x30 (ptr 0xa9a33130) [1], 0x0 (0x0), 0x208 (0x8aea7608)
Updated Sep 22 14:11:06.788
Prefix Len 24, traffic index 0, precedence n/a, priority 3
via local-label 32171, 5 dependencies, recursive [flags 0x6000]
path-idx 0 NHID 0x0 [0x89692700 0x0]
recursion-via-label
next hop VRF - 'default', table - 0xe0000000
next hop via 32171/0/21
labels imposed {32211}
RP/0/RP0/CPU0:PE06#show mpls forwarding labels 32171 detail
Mon Sep 28 10:14:22.848 UTC
Local Outgoing Prefix Outgoing Next Hop Bytes
Label Label or ID Interface Switched
------ ----------- ------------------ ------------ --------------- ------------
32171 Pop No ID srte_c_500_e point2point 0
Updated: Sep 22 14:11:06.760
Version: 210864, Priority: 2
Label Stack (Top -> Bottom): { Unlabelled Imp-Null }
NHID: 0x0, Encap-ID: 0x13e1a00000002, Path idx: 0, Backup path idx: 0, Weight: 0
MAC/Encaps: 0/0, MTU: 0
Outgoing Interface: srte_c_500_ep_201.201.201.1 (ifhandle 0x200040e4)
Packets Switched: 0
RP/0/RP0/CPU0:PE06#show cef vrf TENANT_BASIC 101.21.5.0
Mon Sep 28 10:13:02.119 UTC
101.21.5.0/24, version 307, internal 0x1000001 0x30 (ptr 0xa9a32fa8) [1], 0x0 (0x0), 0x208 (0x8aea8580)
Updated Sep 22 14:11:06.788
Prefix Len 24, traffic index 0, precedence n/a, priority 3
via local-label 32174, 5 dependencies, recursive [flags 0x6000]
path-idx 0 NHID 0x0 [0x89692628 0x0]
recursion-via-label
next hop VRF - 'default', table - 0xe0000000
next hop via 32174/0/21
labels imposed {32211}
RP/0/RP0/CPU0:PE06#show mpls forwarding labels 32174 detail
Mon Sep 28 10:14:39.568 UTC
Local Outgoing Prefix Outgoing Next Hop Bytes
Label Label or ID Interface Switched
------ ----------- ------------------ ------------ --------------- ------------
32174 Pop No ID srte_c_200_e point2point 0
Updated: Sep 22 14:11:06.761
Version: 210865, Priority: 2
Label Stack (Top -> Bottom): { Unlabelled Imp-Null }
NHID: 0x0, Encap-ID: 0x13e1c00000002, Path idx: 0, Backup path idx: 0, Weight: 0
MAC/Encaps: 0/0, MTU: 0
Outgoing Interface: srte_c_200_ep_201.201.201.1 (ifhandle 0x200041a4)
Packets Switched: 0
Cisco ACI Fabric as VPN Transit
Design
In the ACI version used for this CVD, three scenarios are supported when using Cisco ACI fabric as VPN transit.
Inter-VRF Transit Routing Between Different Border Leafs
Inter-VRF Transit Routing Within the Same Border Leaf
Intra-VRF Transit Routing Between Different Border Leafs
Note: Intra-VRF transit routing within the same border leaf is NOT supported.
Configuration
Note:
● We assume that the tenant name for XML POST is “sr-transit”.
● Some configuration steps are redundant as the configuration is re-used in multiple scenarios.
Inter-VRF Transit Using Different VRFs and Different BLs
ACI
Create VRF ‘1’ with import/export RT 100:2001 in the user tenant:
<?xml version="1.0" encoding="utf-8"?>
<fvCtx annotation=""
bdEnforcedEnable="no"
descr=""
dn="uni/tn-sr-transit/ctx-1"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="1"
nameAlias=""
ownerKey=""
ownerTag=""
pcEnfDir="ingress"
pcEnfPref="enforced"
userdom=":all:">
<fvRsVrfValidationPol annotation=""
tnL3extVrfValidationPolName=""
userdom="all"/>
<vzAny annotation=""
descr=""
matchT="AtleastOne"
name=""
nameAlias=""
prefGrMemb="disabled"
userdom="all"/>
<fvRsOspfCtxPol annotation=""
tnOspfCtxPolName=""
userdom="all"/>
<fvRsCtxToEpRet annotation=""
tnFvEpRetPolName=""
userdom="all"/>
<fvRsCtxToBgpCtxAfPol af="ipv4-ucast"
annotation=""
tnBgpCtxAfPolName="default"
userdom=":all:"/>
<fvRsCtxToExtRouteTagPol annotation=""
tnL3extRouteTagPolName=""
userdom="all"/>
<fvRsBgpCtxPol annotation=""
tnBgpCtxPolName=""
userdom="all"/>
<bgpRtTargetP af="ipv4-ucast"
annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
userdom=":all:">
<bgpRtTarget annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
rt="route-target:as4-nn2:100:2001"
type="export"
userdom=":all:"/>
<bgpRtTarget annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
rt="route-target:as4-nn2:100:2001"
type="import"
userdom=":all:"/>
</bgpRtTargetP>
</fvCtx>
Create VRF ‘3’ with import/export RT 100:2003 in the user tenant:
<?xml version="1.0" encoding="utf-8"?>
<fvCtx annotation=""
bdEnforcedEnable="no"
descr=""
dn="uni/tn-sr-transit/ctx-3"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="3"
nameAlias=""
ownerKey=""
ownerTag=""
pcEnfDir="ingress"
pcEnfPref="enforced"
userdom=":all:">
<fvRsVrfValidationPol annotation=""
tnL3extVrfValidationPolName=""
userdom="all"/>
<vzAny annotation=""
descr=""
matchT="AtleastOne"
name=""
nameAlias=""
prefGrMemb="disabled"
userdom="all"/>
<fvRsOspfCtxPol annotation=""
tnOspfCtxPolName=""
userdom="all"/>
<fvRsCtxToEpRet annotation=""
tnFvEpRetPolName=""
userdom="all"/>
<fvRsCtxToBgpCtxAfPol af="ipv4-ucast"
annotation=""
tnBgpCtxAfPolName="default"
userdom=":all:"/>
<fvRsCtxToExtRouteTagPol annotation=""
tnL3extRouteTagPolName=""
userdom="all"/>
<fvRsBgpCtxPol annotation=""
tnBgpCtxPolName=""
userdom="all"/>
<bgpRtTargetP af="ipv4-ucast"
annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
userdom=":all:">
<bgpRtTarget annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
rt="route-target:as4-nn2:100:2003"
type="import"
userdom=":all:"/>
<bgpRtTarget annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
rt="route-target:as4-nn2:100:2003"
type="export"
userdom=":all:"/>
</bgpRtTargetP>
</fvCtx>
In the user tenant, define contracts and policies:
<vzBrCP annotation=""
descr=""
dn="uni/tn-sr-transit/brc-VRF1-to-VRF3"
intent="install"
name="VRF1-to-VRF3"
nameAlias=""
ownerKey=""
ownerTag=""
prio="unspecified"
scope="global"
targetDscp="unspecified"
userdom=":all:">
<vzSubj annotation=""
consMatchT="AtleastOne"
descr=""
name="any"
nameAlias=""
prio="unspecified"
provMatchT="AtleastOne"
revFltPorts="yes"
targetDscp="unspecified"
userdom=":all:">
<vzRsSubjFiltAtt action="permit"
annotation=""
directives=""
priorityOverride="default"
tnVzFilterName="default"
userdom=":all:"/>
</vzSubj>
</vzBrCP>
<rtctrlSubjP annotation=""
descr=""
dn="uni/tn-sr-transit/subj-quad-zero-prefix"
name="quad-zero-prefix"
nameAlias=""
userdom=":all:">
<rtctrlMatchRtDest aggregate="yes"
annotation=""
descr=""
fromPfxLen="0"
ip="0.0.0.0/0"
name=""
nameAlias=""
toPfxLen="0"
userdom=":all:"/>
</rtctrlSubjP>
<rtctrlProfile annotation=""
descr=""
dn="uni/tn-sr-transit/prof-rm-permit-any"
name="rm-permit-any"
nameAlias=""
ownerKey=""
ownerTag=""
type="global"
userdom=":all:">
<rtctrlCtxP action="permit"
annotation=""
descr=""
name="any"
nameAlias=""
order="1"
userdom=":all:">
<rtctrlRsCtxPToSubjP annotation=""
tnRtctrlSubjPName="quad-zero-prefix"
userdom=":all:"/>
</rtctrlCtxP>
</rtctrlProfile>
In the user tenant, configure an SR/MPLS L3out for VRF-1 using the following parameters:
*Name: SR/MPLS-VRF-1
*VRF: 1
*SR/MPLS Infra L3Out (Location): BL1-PE1
*External EPG: VRF-1-ExtEPG-1
*IP Prefix: 10.10.10.0/24
*Inter VRF Policy: Route Leaking, Security
*Provided Contract: VRF1-to-VRF3
*Consumed Contract: VRF1-to-VRF3
*Outbound Route-map: rm-permit-any
*1 Permit Context with the following match rule: 0.0.0.0/0 with Aggregate true
*Inbound Route-map: None (permit any by default) or rm-permit-any
---
<l3extOut annotation=""
descr=""
dn="uni/tn-sr-transit/out-SR/MPLS_VRF_1"
enforceRtctrl="export"
mplsEnabled="yes"
name="SR/MPLS_VRF_1"
nameAlias=""
ownerKey=""
ownerTag=""
targetDscp="unspecified"
userdom=":all:">
<l3extRsEctx annotation=""
tnFvCtxName="1"
userdom="all"/>
<l3extInstP annotation=""
descr=""
exceptionTag=""
floodOnEncap="disabled"
matchT="AtleastOne"
name="ExtEPG1"
nameAlias=""
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
userdom=":all:">
<fvRsProv annotation=""
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="VRF1-to-VRF3"
userdom=":all:"/>
<fvRsProv annotation=""
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="EPG-to-SR/MPLS_VRF_1-L3Out"
userdom=":all:"/>
<fvRsProv annotation=""
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="VRF1"
userdom=":all:"/>
<l3extSubnet aggregate=""
annotation=""
descr=""
ip="10.10.9.10/24"
name=""
nameAlias=""
scope="import-security,shared-rtctrl,shared-security"
userdom=":all:"/>
<l3extSubnet aggregate=""
annotation=""
descr=""
ip="10.10.10.0/24"
name=""
nameAlias=""
scope="import-security,shared-rtctrl,shared-security"
userdom=":all:"/>
<fvRsCustQosPol annotation=""
tnQosCustomPolName=""
userdom="all"/>
<fvRsCons annotation=""
intent="install"
prio="unspecified"
tnVzBrCPName="VRF1"
userdom=":all:"/>
<fvRsCons annotation=""
intent="install"
prio="unspecified"
tnVzBrCPName="VRF1-to-VRF3"
userdom=":all:"/>
</l3extInstP>
<l3extConsLbl annotation=""
descr=""
name="BL1-PE1-infra"
nameAlias=""
owner="infra"
ownerKey=""
ownerTag=""
tag="yellow-green"
userdom=":all:">
<l3extRsLblToProfile annotation=""
direction="export"
tDn="uni/tn-sr-transit/prof-rm-permit-any"
userdom=":all:"/>
<l3extRsLblToInstP annotation=""
tDn="uni/tn-sr-transit/out-SR/MPLS_VRF_1/instP-ExtEPG1"
userdom=":all:"/>
</l3extConsLbl>
</l3extOut>
In the user tenant, configure an SR/MPLS L3out for VRF-3 using the following parameters:
*Name: SR/MPLS-VRF-3
*VRF: 3
*SR/MPLS Infra L3Out (Location): BL6-PE2
*External EPG: VRF-3-ExtEPG-1
*IP Prefix: 30.30.30.0/24
*Inter VRF Policy: Route Leaking, Security
*Provided Contract: VRF1-to-VRF3
*Consumed Contract: VRF1-to-VRF3
*Outbound Route-map: rm-permit-any
*1 Permit Context with the following match rule: 0.0.0.0/0 with Aggregate true
*Inbound Route-map: None (permit any by default) or rm-permit-any
---
<l3extOut annotation=""
descr=""
dn="uni/tn-sr-transit/out-SR/MPLS_VRF_3"
enforceRtctrl="export"
mplsEnabled="yes"
name="SR/MPLS_VRF_3"
nameAlias=""
ownerKey=""
ownerTag=""
targetDscp="unspecified"
userdom=":all:">
<l3extRsEctx annotation=""
tnFvCtxName="3"
userdom="all"/>
<l3extInstP annotation=""
descr=""
exceptionTag=""
floodOnEncap="disabled"
matchT="AtleastOne"
name="ExtEPG1"
nameAlias=""
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
userdom=":all:">
<fvRsProv annotation=""
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="EPG-to-SR/MPLS_VRF_3-L3Out"
userdom=":all:"/>
<fvRsProv annotation=""
intent="install"
matchT="AtleastOne"
prio="level1"
tnVzBrCPName="VRF2-to-VRF3"
userdom=":all:"/>
<fvRsProv annotation=""
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="VRF1-to-VRF3"
userdom=":all:"/>
<l3extSubnet aggregate=""
annotation=""
descr=""
ip="30.30.30.0/24"
name=""
nameAlias=""
scope="import-security,shared-rtctrl,shared-security"
userdom=":all:"/>
<fvRsCustQosPol annotation=""
tnQosCustomPolName=""
userdom="all"/>
<fvRsCons annotation=""
intent="install"
prio="unspecified"
tnVzBrCPName="VRF1-to-VRF3"
userdom=":all:"/>
<fvRsCons annotation=""
intent="install"
prio="level1"
tnVzBrCPName="VRF2-to-VRF3"
userdom=":all:"/>
</l3extInstP>
<l3extConsLbl annotation=""
descr=""
name="BL6-PE2-infra"
nameAlias=""
owner="infra"
ownerKey=""
ownerTag=""
tag="yellow-green"
userdom=":all:">
<l3extRsLblToProfile annotation=""
direction="export"
tDn="uni/tn-sr-transit/prof-rm-permit-any"
userdom=":all:"/>
<l3extRsLblToInstP annotation=""
tDn="uni/tn-sr-transit/out-SR/MPLS_VRF_3/instP-ExtEPG1"
userdom=":all:"/>
</l3extConsLbl>
</l3extOut>
XR DC-PE
VRF configuration on PE1:
vrf sr-transit-1
address-family ipv4 unicast
import route-target
100:2001
100:2001 stitching
!
export route-target
100:2001
100:2001 stitching
!
router bgp 1
vrf sr-transit-1
rd auto
address-family ipv4 unicast
label mode per-vrf
redistribute connected
!
address-family ipv6 unicast
label mode per-vrf
redistribute connected
VRF configuration on PE2:
vrf sr-transit-3
address-family ipv4 unicast
import route-target
100:2003
100:2003 stitching
!
export route-target
100:2003
100:2003 stitching
!
router bgp 1
vrf sr-transit-3
rd auto
address-family ipv4 unicast
label mode per-vrf
redistribute connected
!
address-family ipv6 unicast
label mode per-vrf
redistribute connected
Inter-VRF Transit Using Different VRFs and a Single BL
ACI
Create VRF ‘2’ with import/export RT 100:2002 in the user tenant:
<fvCtx annotation=""
bdEnforcedEnable="no"
descr=""
dn="uni/tn-sr-transit/ctx-2"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="2"
nameAlias=""
ownerKey=""
ownerTag=""
pcEnfDir="ingress"
pcEnfPref="enforced"
userdom=":all:">
<fvRsVrfValidationPol annotation=""
tnL3extVrfValidationPolName=""
userdom="all"/>
<vzAny annotation=""
descr=""
matchT="AtleastOne"
name=""
nameAlias=""
prefGrMemb="disabled"
userdom="all"/>
<fvRsOspfCtxPol annotation=""
tnOspfCtxPolName=""
userdom="all"/>
<fvRsCtxToEpRet annotation=""
tnFvEpRetPolName=""
userdom="all"/>
<fvRsCtxToBgpCtxAfPol af="ipv4-ucast"
annotation=""
tnBgpCtxAfPolName="default"
userdom=":all:"/>
<fvRsCtxToExtRouteTagPol annotation=""
tnL3extRouteTagPolName=""
userdom="all"/>
<fvRsBgpCtxPol annotation=""
tnBgpCtxPolName=""
userdom="all"/>
<bgpRtTargetP af="ipv4-ucast"
annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
userdom=":all:">
<bgpRtTarget annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
rt="route-target:as4-nn2:100:2002"
type="import"
userdom=":all:"/>
<bgpRtTarget annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
rt="route-target:as4-nn2:100:2002"
type="export"
userdom=":all:"/>
</bgpRtTargetP>
</fvCtx>
Create VRF ‘3’ with import/export RT 100:2003 in the user tenant:
<fvCtx annotation=""
bdEnforcedEnable="no"
descr=""
dn="uni/tn-sr-transit/ctx-3"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="3"
nameAlias=""
ownerKey=""
ownerTag=""
pcEnfDir="ingress"
pcEnfPref="enforced"
userdom=":all:">
<fvRsVrfValidationPol annotation=""
tnL3extVrfValidationPolName=""
userdom="all"/>
<vzAny annotation=""
descr=""
matchT="AtleastOne"
name=""
nameAlias=""
prefGrMemb="disabled"
userdom="all"/>
<fvRsOspfCtxPol annotation=""
tnOspfCtxPolName=""
userdom="all"/>
<fvRsCtxToEpRet annotation=""
tnFvEpRetPolName=""
userdom="all"/>
<fvRsCtxToBgpCtxAfPol af="ipv4-ucast"
annotation=""
tnBgpCtxAfPolName="default"
userdom=":all:"/>
<fvRsCtxToExtRouteTagPol annotation=""
tnL3extRouteTagPolName=""
userdom="all"/>
<fvRsBgpCtxPol annotation=""
tnBgpCtxPolName=""
userdom="all"/>
<bgpRtTargetP af="ipv4-ucast"
annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
userdom=":all:">
<bgpRtTarget annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
rt="route-target:as4-nn2:100:2003"
type="import"
userdom=":all:"/>
<bgpRtTarget annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
rt="route-target:as4-nn2:100:2003"
type="export"
userdom=":all:"/>
</bgpRtTargetP>
</fvCtx>
In the user tenant, define contracts and policies:
<vzBrCP annotation=""
descr=""
dn="uni/tn-sr-transit/brc-VRF2-to-VRF3"
intent="install"
name="VRF2-to-VRF3"
nameAlias=""
ownerKey=""
ownerTag=""
prio="unspecified"
scope="tenant"
targetDscp="unspecified"
userdom=":all:">
<vzSubj annotation=""
consMatchT="AtleastOne"
descr=""
name="any"
nameAlias=""
prio="unspecified"
provMatchT="AtleastOne"
revFltPorts="yes"
targetDscp="unspecified"
userdom=":all:">
<vzRsSubjFiltAtt action="permit"
annotation=""
directives=""
priorityOverride="default"
tnVzFilterName="default"
userdom=":all:"/>
</vzSubj>
</vzBrCP>
--------------------------------------------------------------------------------------------
<rtctrlSubjP annotation=""
descr=""
dn="uni/tn-sr-transit/subj-quad-zero-prefix"
name="quad-zero-prefix"
nameAlias=""
userdom=":all:">
<rtctrlMatchRtDest aggregate="yes"
annotation=""
descr=""
fromPfxLen="0"
ip="0.0.0.0/0"
name=""
nameAlias=""
toPfxLen="0"
userdom=":all:"/>
</rtctrlSubjP>
--------------------------------------------------------------------------------------------
<rtctrlProfile annotation=""
descr=""
dn="uni/tn-sr-transit/prof-rm-permit-any"
name="rm-permit-any"
nameAlias=""
ownerKey=""
ownerTag=""
type="global"
userdom=":all:">
<rtctrlCtxP action="permit"
annotation=""
descr=""
name="any"
nameAlias=""
order="1"
userdom=":all:">
<rtctrlRsCtxPToSubjP annotation=""
tnRtctrlSubjPName="quad-zero-prefix"
userdom=":all:"/>
</rtctrlCtxP>
</rtctrlProfile>
In the user tenant, configure an SR/MPLS L3out for VRF-2 using the following parameters:
*Name: SR/MPLS-VRF-2
*VRF: 2
*SR/MPLS Infra L3Out (Location): BL6-PE1
*External EPG: VRF-2-ExtEPG-1
*IP Prefix: 20.20.20.0/24
*Inter VRF Policy: Route Leaking, Security
*Provided Contract: VRF2-to-VRF3
*Consumed Contract: VRF2-to-VRF3
*Outbound Route-map: rm-permit-any
*1 Permit Context with the following match rule: 0.0.0.0/0 with Aggregate true
*Inbound Route-map: None (permit any by default) or rm-permit-any
<l3extOut annotation=""
descr=""
dn="uni/tn-sr-transit/out-SR/MPLS_VRF_2"
enforceRtctrl="export"
mplsEnabled="yes"
name="SR/MPLS_VRF_2"
nameAlias=""
ownerKey=""
ownerTag=""
targetDscp="unspecified"
userdom=":all:">
<l3extRsEctx annotation=""
tnFvCtxName="2"
userdom="all"/>
<l3extInstP annotation=""
descr=""
exceptionTag=""
floodOnEncap="disabled"
matchT="AtleastOne"
name="ExtEPG1"
nameAlias=""
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
userdom=":all:">
<fvRsProv annotation=""
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="EPG-to-SR/MPLS_VRF_2-L3Out"
userdom=":all:"/>
<fvRsProv annotation=""
intent="install"
matchT="AtleastOne"
prio="level1"
tnVzBrCPName="VRF2-to-VRF3"
userdom=":all:"/>
<fvRsProv annotation=""
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="VRF2_MPLS-to-L3Out"
userdom=":all:"/>
<l3extSubnet aggregate=""
annotation=""
descr=""
ip="20.20.20.0/24"
name=""
nameAlias=""
scope="import-security,shared-rtctrl,shared-security"
userdom=":all:"/>
<fvRsCustQosPol annotation=""
tnQosCustomPolName=""
userdom="all"/>
<fvRsCons annotation=""
intent="install"
prio="unspecified"
tnVzBrCPName="VRF2_MPLS-to-L3Out"
userdom=":all:"/>
<fvRsCons annotation=""
intent="install"
prio="level1"
tnVzBrCPName="VRF2-to-VRF3"
userdom=":all:"/>
</l3extInstP>
<l3extInstP annotation=""
descr=""
exceptionTag=""
floodOnEncap="disabled"
matchT="AtleastOne"
name="ExtEPG4"
nameAlias=""
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
userdom=":all:">
<l3extSubnet aggregate=""
annotation=""
descr=""
ip="22.22.22.0/24"
name=""
nameAlias=""
scope="import-security,shared-rtctrl,shared-security"
userdom=":all:"/>
<l3extSubnet aggregate=""
annotation=""
descr=""
ip="21.21.21.0/24"
name=""
nameAlias=""
scope="import-security,shared-rtctrl,shared-security"
userdom=":all:"/>
<fvRsCustQosPol annotation=""
tnQosCustomPolName=""
userdom="all"/>
</l3extInstP>
<l3extConsLbl annotation=""
descr=""
name="BL6-PE2-infra"
nameAlias=""
owner="infra"
ownerKey=""
ownerTag=""
tag="yellow-green"
userdom=":all:">
<l3extRsLblToProfile annotation=""
direction="export"
tDn="uni/tn-sr-transit/prof-rm-permit-any"
userdom=":all:"/>
<l3extRsLblToInstP annotation=""
tDn="uni/tn-sr-transit/out-SR/MPLS_VRF_2/instP-ExtEPG1"
userdom=":all:"/>
<l3extRsLblToInstP annotation=""
tDn="uni/tn-sr-transit/out-SR/MPLS_VRF_2/instP-ExtEPG4"
userdom=":all:"/>
</l3extConsLbl>
<l3extConsLbl annotation=""
descr=""
name="BL6-PE1-infra"
nameAlias=""
owner="infra"
ownerKey=""
ownerTag=""
tag="yellow-green"
userdom=":all:">
<l3extRsLblToProfile annotation=""
direction="export"
tDn="uni/tn-sr-transit/prof-rm-permit-any"
userdom=":all:"/>
<l3extRsLblToInstP annotation=""
tDn="uni/tn-sr-transit/out-SR/MPLS_VRF_2/instP-ExtEPG1"
userdom=":all:"/>
<l3extRsLblToInstP annotation=""
tDn="uni/tn-sr-transit/out-SR/MPLS_VRF_2/instP-ExtEPG4"
userdom=":all:"/>
</l3extConsLbl>
</l3extOut>
In the user tenant, configure an SR/MPLS L3out for VRF-3 using the following parameters:
*Name: SR/MPLS-VRF-3
*VRF: 3
*SR/MPLS Infra L3Out (Location): BL6-PE2
*External EPG: VRF-3-ExtEPG-1
*IP Prefix: 30.30.30.0/24
*Inter VRF Policy: Route Leaking, Security
*Provided Contract: VRF2-to-VRF3
*Consumed Contract: VRF2-to-VRF3
*Outbound Route-map: rm-permit-any
*1 Permit Context with the following match rule: 0.0.0.0/0 with Aggregate true
*Inbound Route-map: None (permit any by default) or rm-permit-any
<l3extOut annotation=""
descr=""
dn="uni/tn-sr-transit/out-SR/MPLS_VRF_3"
enforceRtctrl="export"
mplsEnabled="yes"
name="SR/MPLS_VRF_3"
nameAlias=""
ownerKey=""
ownerTag=""
targetDscp="unspecified"
userdom=":all:">
<l3extRsEctx annotation=""
tnFvCtxName="3"
userdom="all"/>
<l3extInstP annotation=""
descr=""
exceptionTag=""
floodOnEncap="disabled"
matchT="AtleastOne"
name="ExtEPG1"
nameAlias=""
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
userdom=":all:">
<fvRsProv annotation=""
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="EPG-to-SR/MPLS_VRF_3-L3Out"
userdom=":all:"/>
<fvRsProv annotation=""
intent="install"
matchT="AtleastOne"
prio="level1"
tnVzBrCPName="VRF2-to-VRF3"
userdom=":all:"/>
<fvRsProv annotation=""
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="VRF1-to-VRF3"
userdom=":all:"/>
<l3extSubnet aggregate=""
annotation=""
descr=""
ip="30.30.30.0/24"
name=""
nameAlias=""
scope="import-security,shared-rtctrl,shared-security"
userdom=":all:"/>
<fvRsCustQosPol annotation=""
tnQosCustomPolName=""
userdom="all"/>
<fvRsCons annotation=""
intent="install"
prio="unspecified"
tnVzBrCPName="VRF1-to-VRF3"
userdom=":all:"/>
<fvRsCons annotation=""
intent="install"
prio="level1"
tnVzBrCPName="VRF2-to-VRF3"
userdom=":all:"/>
</l3extInstP>
<l3extConsLbl annotation=""
descr=""
name="BL6-PE2-infra"
nameAlias=""
owner="infra"
ownerKey=""
ownerTag=""
tag="yellow-green"
userdom=":all:">
<l3extRsLblToProfile annotation=""
direction="export"
tDn="uni/tn-sr-transit/prof-rm-permit-any"
userdom=":all:"/>
<l3extRsLblToInstP annotation=""
tDn="uni/tn-sr-transit/out-SR/MPLS_VRF_3/instP-ExtEPG1"
userdom=":all:"/>
</l3extConsLbl>
</l3extOut>
XR DC-PE
VRF configuration on PE1:
vrf sr-transit-2
address-family ipv4 unicast
import route-target
100:2002
100:2002 stitching
!
export route-target
100:2002
100:2002 stitching
!
router bgp 1
vrf sr-transit-2
rd auto
address-family ipv4 unicast
label mode per-vrf
redistribute connected
!
address-family ipv6 unicast
label mode per-vrf
redistribute connected
VRF configuration on PE2:
vrf sr-transit-3
address-family ipv4 unicast
import route-target
100:2003
100:2003 stitching
!
export route-target
100:2003
100:2003 stitching
!
router bgp 1
vrf sr-transit-3
rd auto
address-family ipv4 unicast
label mode per-vrf
redistribute connected
!
address-family ipv6 unicast
label mode per-vrf
redistribute connected
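The two inter-VRF scenarios above can be reviewed offline before the XML is POSTed. The following Python sketch is an added example, not Cisco's code: it parses a constructed, attribute-trimmed copy of the page's contracts and SR/MPLS L3Outs (wrapped in an `fvTenant` element added here) and reports which VRF pairs a contract joins, which contract names are referenced but never defined, and which external EPGs flag prefixes `shared-rtctrl` without any contract. Function names are hypothetical, and treating the filter named `default` as match-all is an assumption.

```python
import xml.etree.ElementTree as ET
from itertools import combinations

# Constructed sample: the page's objects with empty/default attributes dropped,
# wrapped in one fvTenant element (wrapper added here) so they parse together.
SAMPLE = """<fvTenant name="sr-transit">
 <vzBrCP name="VRF1-to-VRF3" scope="global"><vzSubj name="any">
  <vzRsSubjFiltAtt action="permit" tnVzFilterName="default"/></vzSubj></vzBrCP>
 <vzBrCP name="VRF2-to-VRF3" scope="tenant"><vzSubj name="any">
  <vzRsSubjFiltAtt action="permit" tnVzFilterName="default"/></vzSubj></vzBrCP>
 <l3extOut name="SR/MPLS_VRF_1"><l3extRsEctx tnFvCtxName="1"/>
  <l3extInstP name="ExtEPG1">
   <fvRsProv tnVzBrCPName="VRF1-to-VRF3"/><fvRsProv tnVzBrCPName="VRF1"/>
   <fvRsCons tnVzBrCPName="VRF1-to-VRF3"/><fvRsCons tnVzBrCPName="VRF1"/>
   <l3extSubnet ip="10.10.10.0/24" scope="import-security,shared-rtctrl,shared-security"/>
  </l3extInstP></l3extOut>
 <l3extOut name="SR/MPLS_VRF_2"><l3extRsEctx tnFvCtxName="2"/>
  <l3extInstP name="ExtEPG1">
   <fvRsProv tnVzBrCPName="VRF2-to-VRF3"/><fvRsCons tnVzBrCPName="VRF2-to-VRF3"/>
   <l3extSubnet ip="20.20.20.0/24" scope="import-security,shared-rtctrl,shared-security"/>
  </l3extInstP>
  <l3extInstP name="ExtEPG4">
   <l3extSubnet ip="21.21.21.0/24" scope="import-security,shared-rtctrl,shared-security"/>
  </l3extInstP></l3extOut>
 <l3extOut name="SR/MPLS_VRF_3"><l3extRsEctx tnFvCtxName="3"/>
  <l3extInstP name="ExtEPG1">
   <fvRsProv tnVzBrCPName="VRF1-to-VRF3"/><fvRsProv tnVzBrCPName="VRF2-to-VRF3"/>
   <fvRsCons tnVzBrCPName="VRF1-to-VRF3"/><fvRsCons tnVzBrCPName="VRF2-to-VRF3"/>
   <l3extSubnet ip="30.30.30.0/24" scope="import-security,shared-rtctrl,shared-security"/>
  </l3extInstP></l3extOut>
</fvTenant>"""


def parse_policy(xml_text):
    """Parse an exported tenant policy into an element tree root."""
    return ET.fromstring(xml_text)


def contracts(root):
    """Map contract name -> (scope, permit_any).

    permit_any is True when a subject attaches the filter named 'default' with
    action permit (assumed here to be the unmodified match-all filter).
    """
    out = {}
    for c in root.iter("vzBrCP"):
        permit_any = any(f.get("tnVzFilterName") == "default" and f.get("action") == "permit"
                         for f in c.iter("vzRsSubjFiltAtt"))
        out[c.get("name")] = (c.get("scope"), permit_any)
    return out


def ext_epgs(root):
    """One record per external EPG: its VRF, contracts, and shared-rtctrl prefixes."""
    rows = []
    for l3out in root.iter("l3extOut"):
        vrf = l3out.find("l3extRsEctx").get("tnFvCtxName")
        for epg in l3out.iter("l3extInstP"):
            rows.append({
                "l3out": l3out.get("name"), "epg": epg.get("name"), "vrf": vrf,
                "prov": {r.get("tnVzBrCPName") for r in epg.iter("fvRsProv")},
                "cons": {r.get("tnVzBrCPName") for r in epg.iter("fvRsCons")},
                "leaked": sorted(s.get("ip") for s in epg.iter("l3extSubnet")
                                 if "shared-rtctrl" in s.get("scope", "").split(",")),
            })
    return rows


def transit_paths(root):
    """Inter-VRF paths: an EPG provides a defined contract that an EPG in another VRF consumes."""
    defined, paths = contracts(root), []
    for a, b in combinations(ext_epgs(root), 2):
        if a["vrf"] == b["vrf"]:
            continue
        shared = (a["prov"] & b["cons"]) | (b["prov"] & a["cons"])
        for name in sorted(shared & set(defined)):
            scope, permit_any = defined[name]
            paths.append({"vrfs": (a["vrf"], b["vrf"]), "contract": name, "scope": scope,
                          "permit_any": permit_any, "prefixes": a["leaked"] + b["leaked"]})
    return paths


def findings(root):
    """Human-readable review notes for the policy."""
    defined, notes = contracts(root), []
    for e in ext_epgs(root):
        where = f'{e["l3out"]}/{e["epg"]}'
        for name in sorted((e["prov"] | e["cons"]) - set(defined)):
            notes.append(f"{where}: contract {name} is referenced but not defined here")
        if e["leaked"] and not (e["prov"] or e["cons"]):
            notes.append(f"{where}: {e['leaked']} flagged shared-rtctrl, no contract attached")
    for p in transit_paths(root):
        if p["permit_any"]:
            notes.append(f"VRF {p['vrfs'][0]} <-> VRF {p['vrfs'][1]}: {p['contract']} "
                         f"(scope {p['scope']}) permits all traffic for {p['prefixes']}")
    return notes


if __name__ == "__main__":
    for note in findings(parse_policy(SAMPLE)):
        print(note)
```

On this sample the only inter-VRF paths are VRF 1 to VRF 3 and VRF 2 to VRF 3; no contract joins VRF 1 and VRF 2 directly.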
Intra-VRF Transit Using Different VRFs and Different BLs
ACI
Create VRF ‘4’ with import/export RT 100:2004 in the user tenant:
<fvCtx annotation=""
bdEnforcedEnable="no"
descr=""
dn="uni/tn-sr-transit/ctx-4"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="4"
nameAlias=""
ownerKey=""
ownerTag=""
pcEnfDir="ingress"
pcEnfPref="enforced"
userdom=":all:">
<fvRsVrfValidationPol annotation=""
tnL3extVrfValidationPolName=""
userdom="all"/>
<vzAny annotation=""
descr=""
matchT="AtleastOne"
name=""
nameAlias=""
prefGrMemb="disabled"
userdom="all"/>
<fvRsOspfCtxPol annotation=""
tnOspfCtxPolName=""
userdom="all"/>
<fvRsCtxToEpRet annotation=""
tnFvEpRetPolName=""
userdom="all"/>
<fvRsCtxToBgpCtxAfPol af="ipv4-ucast"
annotation=""
tnBgpCtxAfPolName="default"
userdom=":all:"/>
<fvRsCtxToExtRouteTagPol annotation=""
tnL3extRouteTagPolName=""
userdom="all"/>
<fvRsBgpCtxPol annotation=""
tnBgpCtxPolName=""
userdom="all"/>
<bgpRtTargetP af="ipv4-ucast"
annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
userdom=":all:">
<bgpRtTarget annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
rt="route-target:as4-nn2:100:2004"
type="import"
userdom=":all:"/>
<bgpRtTarget annotation=""
descr=""
name=""
nameAlias=""
ownerKey=""
ownerTag=""
rt="route-target:as4-nn2:100:2004"
type="export"
userdom=":all:"/>
</bgpRtTargetP>
</fvCtx>
In the user tenant, define contracts and policies:
<vzBrCP annotation=""
descr=""
dn="uni/tn-sr-transit/brc-VRF4"
intent="install"
name="VRF4"
nameAlias=""
ownerKey=""
ownerTag=""
prio="unspecified"
scope="global"
targetDscp="unspecified"
userdom=":all:">
<vzSubj annotation=""
consMatchT="AtleastOne"
descr=""
name="any"
nameAlias=""
prio="unspecified"
provMatchT="AtleastOne"
revFltPorts="yes"
targetDscp="unspecified"
userdom=":all:">
<vzRsSubjFiltAtt action="permit"
annotation=""
directives=""
priorityOverride="default"
tnVzFilterName="default"
userdom=":all:"/>
</vzSubj>
</vzBrCP>
-------------------------------------------------------------------------------
<rtctrlSubjP annotation=""
descr=""
dn="uni/tn-sr-transit/subj-quad-zero-prefix"
name="quad-zero-prefix"
nameAlias=""
userdom=":all:">
<rtctrlMatchRtDest aggregate="yes"
annotation=""
descr=""
fromPfxLen="0"
ip="0.0.0.0/0"
name=""
nameAlias=""
toPfxLen="0"
userdom=":all:"/>
</rtctrlSubjP>
-------------------------------------------------------------
<rtctrlProfile annotation=""
descr=""
dn="uni/tn-sr-transit/prof-rm-permit-any"
name="rm-permit-any"
nameAlias=""
ownerKey=""
ownerTag=""
type="global"
userdom=":all:">
<rtctrlCtxP action="permit"
annotation=""
descr=""
name="any"
nameAlias=""
order="1"
userdom=":all:">
<rtctrlRsCtxPToSubjP annotation=""
tnRtctrlSubjPName="quad-zero-prefix"
userdom=":all:"/>
</rtctrlCtxP>
</rtctrlProfile>
In the user tenant, configure an SR/MPLS L3out for VRF-4 using the following parameters:
*Name: SR/MPLS-VRF-4
*VRF: 4
*SR/MPLS Infra L3Out (Location): BL1-PE1
*External EPG: VRF-4-ExtEPG-1
*IP Prefix: 40.40.40.0/24
*Inter VRF Policy: Route Leaking, Security
*IP Prefix: 42.42.42.0/24
*Inter VRF Policy: Route Leaking, Security
*Provided Contract: VRF4 (not needed for transit, for consumption by any internal EPGs)
*Outbound Route-map: rm-permit-any
*1 Permit Context with the following match rule: 0.0.0.0/0 with Aggregate true
*Inbound Route-map: None (permit any by default) or rm-permit-any
*SR/MPLS Infra L3Out (Location): BL6-PE2
*External EPG: VRF-4-ExtEPG-1
*Outbound Route-map: rm-permit-any
*1 Permit Context with the following match rule: 0.0.0.0/0 with Aggregate true
*Inbound Route-map: None (permit any by default) or rm-permit-any
---
<l3extOut annotation=""
descr=""
dn="uni/tn-sr-transit/out-SR/MPLS_VRF_4"
enforceRtctrl="export"
mplsEnabled="yes"
name="SR/MPLS_VRF_4"
nameAlias=""
ownerKey=""
ownerTag=""
targetDscp="unspecified"
userdom=":all:">
<l3extRsEctx annotation=""
tnFvCtxName="4"
userdom="all"/>
<l3extInstP annotation=""
descr=""
exceptionTag=""
floodOnEncap="disabled"
matchT="AtleastOne"
name="ExtEPG1"
nameAlias=""
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
userdom=":all:">
<fvRsProv annotation=""
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="EPG-to-SR/MPLS_VRF_4-L3Out"
userdom=":all:"/>
<l3extSubnet aggregate=""
annotation=""
descr=""
ip="40.40.40.0/24"
name=""
nameAlias=""
scope="import-security,shared-rtctrl,shared-security"
userdom=":all:"/>
<l3extSubnet aggregate=""
annotation=""
descr=""
ip="42.42.42.0/24"
name=""
nameAlias=""
scope="import-security,shared-rtctrl,shared-security"
userdom=":all:"/>
<fvRsCustQosPol annotation=""
tnQosCustomPolName=""
userdom="all"/>
</l3extInstP>
<l3extConsLbl annotation=""
descr=""
name="BL6-PE2-infra"
nameAlias=""
owner="infra"
ownerKey=""
ownerTag=""
tag="yellow-green"
userdom=":all:">
<l3extRsLblToProfile annotation=""
direction="export"
tDn="uni/tn-sr-transit/prof-rm-permit-any"
userdom=":all:"/>
<l3extRsLblToInstP annotation=""
tDn="uni/tn-sr-transit/out-SR/MPLS_VRF_4/instP-ExtEPG1"
userdom=":all:"/>
</l3extConsLbl>
<l3extConsLbl annotation=""
descr=""
name="BL1-PE1-infra"
nameAlias=""
owner="infra"
ownerKey=""
ownerTag=""
tag="yellow-green"
userdom=":all:">
<l3extRsLblToProfile annotation=""
direction="export"
tDn="uni/tn-sr-transit/prof-rm-permit-any"
userdom=":all:"/>
<l3extRsLblToInstP annotation=""
tDn="uni/tn-sr-transit/out-SR/MPLS_VRF_4/instP-ExtEPG1"
userdom=":all:"/>
</l3extConsLbl>
</l3extOut>
XR DC-PE
VRF configuration on PE1 and PE2:
vrf sr-transit-4
address-family ipv4 unicast
import route-target
100:2004
100:2004 stitching
!
export route-target
100:2004
100:2004 stitching
!
router bgp 1
vrf sr-transit-4
rd auto
address-family ipv4 unicast
label mode per-vrf
redistribute connected
!
address-family ipv6 unicast
label mode per-vrf
redistribute connected
Note: In the design presented, it is assumed that PE1 and PE2 are part of two different SR/MPLS networks that use two different L3VPN control planes. Consequently, there is no way for 40.40.40.40/24 and 42.42.42.42/24 to communicate directly, and the only available path uses the Cisco ACI fabric.
SR/MPLS Handoff with Remote DC-PE
Design
ACI sites may be connected to access networks to provide value-added services in that part of the network. In such a case, the access PE cannot perform the EVPN/L3VPN stitching function, which must be hosted on a remote DC-PE.
ACI Remote Leaf Switches Using Remote DC-PEs
There are two main architectures that can be used in this scenario:
1. Access routers stitch BGP-LU from ACI Border leaf to an SR IGP based LSP.
Access Routers Stitch BGP-LU from ACI Border Leaf to an SR IGP-Based LSP
In this model, the access router will perform stitching between the BGP-LU and SR IGP by redistributing loopbacks from BGP-LU to IGP and vice versa. There is a single transport label (SR-IGP label) carried in the access network.
2. Access routers tunnel BGP-LU over SR IGP based LSP.
Access Routers Tunnel BGP-LU over SR IGP-Based LSP
In this model, there is a BGP-LU control plane in the access network. For instance, the DC-PE may provide an inline RR function for BGP-LU, or there could also be some BGP-LU dedicated RRs in the access network.
In this architecture, the loopbacks of the RL/BL are carried through BGP-LU to the DC-PEs using the access router loopback as the BGP next hop. The DC-PE must then tunnel the traffic using SR to reach the access router. Consequently, there are two transport labels in the access network: a BGP-LU label associated with the loopback of the RL/BL and an SR-IGP label associated with the loopback of the access router.
In the following figure, the ACI remote leaf site 2-1-3-3 is physically connected to access routers (ACC2-1-R2 and ACC2-1-R3). However, the BGP services are provided by the aggregation routers (AGG2-PE1 and AGG2-PE2). In our test setup, the access routers are ASR903/ASR920 XE routers and the aggregation routers are XR routers.
Remote DC-PE Validated Scenario
In this design, the border leaf runs the BGP-LU session with the access routers while the BGP-EVPN session is established with EVPN Route Reflectors or with the remote PEs that are providing the EVPN/L3VPN stitching function.
While this tested setup uses EVPN Route Reflectors, it is perfectly fine to have the EVPN sessions from the border leaf to the remote DC-PE as mentioned previously.
The access network uses IS-IS with segment routing as the IGP. There is no BGP-LU control plane in the access network, so the BGP-LU routes received from the border leaf are redistributed into the IGP, and some of the IGP loopbacks are redistributed from IS-IS into BGP-LU. The following loopbacks must be advertised from the IGP to BGP-LU:
● Loopbacks of remote DC-PEs performing the EVPN/L3VPN stitching.
● Loopbacks of the EVPN Route Reflectors (as the remote leaf switches must have a BGP session with the RRs).
● Loopbacks of any other ACI sites connected to the same access network (this will be discussed later).
Bi-Directional Redistribution of Transport Routes Between BGP LU and IGP on Access Router
When there is a BGP-LU control plane in the access network, there is no need to perform full route redistribution as displayed in the following figure.
Single-Side Redistribution of Transport Routes Between BGP LU and IGP on Access Router
In this architecture, BGP-LU routes from the ACI site can be carried to the aggregation routers using the BGP-LU control plane. Each aggregation router will receive the loopbacks of the border leafs from the BGP-LU Route Reflectors with a next hop as the access routers.
Configuration
XE access router (ACC2-1-R3):
interface GigabitEthernet0/0/6
description connected to ifav204-leaf12
mtu 9150
no ip address
load-interval 30
negotiation auto
service instance 1011 ethernet
encapsulation dot1q 101
rewrite ingress tag pop 1 symmetric
bridge-domain 1011
!
!
interface GigabitEthernet0/0/7
description connected to ifav204-leaf11
mtu 9150
no ip address
load-interval 30
negotiation auto
service instance 1012 ethernet
encapsulation dot1q 101
rewrite ingress tag pop 1 symmetric
bridge-domain 1012
!
!
interface BDI1011
ip address 120.1.94.2 255.255.255.0
no ip redirects
no ip proxy-arp
mpls bgp forwarding
bfd interval 50 min_rx 50 multiplier 3
!
interface BDI1012
ip address 120.1.93.2 255.255.255.0
no ip redirects
no ip proxy-arp
mpls bgp forwarding
bfd interval 50 min_rx 50 multiplier 3
!
router isis AGG2
net 49.0002.0000.0002.0012.00
is-type level-2-only
router-id Loopback0
metric-style wide
fast-flood 15
max-lsp-lifetime 65500
lsp-refresh-interval 64000
spf-interval 1 50 150
prc-interval 1 50 150
log-adjacency-changes
metric 9999999 level-1
metric 9999999 level-2
segment-routing mpls
segment-routing prefix-sid-map advertise-local
fast-reroute per-prefix level-1 all
fast-reroute per-prefix level-2 all
fast-reroute use-candidate-only level-1
fast-reroute use-candidate-only level-2
fast-reroute tie-break level-1 node-protecting 1
fast-reroute tie-break level-2 node-protecting 1
fast-reroute ti-lfa level-1
fast-reroute ti-lfa level-2
microloop avoidance segment-routing
microloop avoidance rib-update-delay 2000
redistribute bgp 1 route-map BGP-LU-TO-ISIS
passive-interface Loopback0
maximum-paths 32
bfd all-interfaces
mpls traffic-eng router-id Loopback0
mpls traffic-eng level-2
!
router bgp 1
bgp router-id 201.221.211.3
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor RR-EVPN peer-group
neighbor RR-EVPN remote-as 1
neighbor RR-EVPN update-source Loopback0
neighbor ACI-site-LU peer-group
neighbor ACI-site-LU remote-as 987654321
neighbor ACI-site-LU fall-over bfd
neighbor ACI-site-LU update in labeled-unicast unique
neighbor ACI-site-LU update out labeled-unicast unique
neighbor 120.1.93.1 peer-group ACI-site-LU
neighbor 120.1.94.1 peer-group ACI-site-LU
neighbor 201.221.202.3 peer-group RR-EVPN
neighbor 201.221.202.4 peer-group RR-EVPN
!
address-family ipv4
redistribute isis AGG2 level-2 route-map ISIS-TO-BGP-LU
segment-routing mpls
neighbor ACI-site-LU route-map SET-CT in
neighbor ACI-site-LU route-map ADVERTISE-LOOPBACKS-TO-LU out
neighbor ACI-site-LU send-label
neighbor ACI-site-LU maximum-prefix 10 80 warning-only
neighbor 120.1.93.1 activate
neighbor 120.1.94.1 activate
maximum-paths 32
exit-address-family
!
address-family l2vpn evpn
neighbor RR-EVPN send-community both
neighbor 201.221.202.3 activate
neighbor 201.221.202.4 activate
exit-address-family
!
address-family rtfilter unicast
neighbor RR-EVPN send-community both
neighbor 201.221.202.3 activate
neighbor 201.221.202.4 activate
exit-address-family
!
!
ip community-list 1 permit 1:50002
!
ip prefix-list EVPN_DCI seq 5 permit 201.221.201.1/32
ip prefix-list EVPN_DCI seq 10 permit 201.221.201.2/32
!
ip prefix-list EVPN_RR_LOOPBACKS seq 5 permit 201.221.202.3/32
ip prefix-list EVPN_RR_LOOPBACKS seq 10 permit 201.221.202.4/32
!
route-map ADVERTISE-LOOPBACKS-TO-LU permit 10
match community 1
set mpls-label
!
route-map ADVERTISE-LOOPBACKS-TO-LU permit 30
match ip address prefix-list EVPN_RR_LOOPBACKS
!
route-map ADVERTISE-LOOPBACKS-TO-LU permit 40
match ip address prefix-list EVPN_DCI
set mpls-label
!
route-map SET-CT permit 10
set community 1:50002 no-advertise
!
route-map BGP-LU-TO-ISIS permit 10
match community 1
set tag 102133
!
route-map ISIS-TO-BGP-LU permit 10
match ip address prefix-list EVPN_RR_LOOPBACKS
!
route-map ISIS-TO-BGP-LU permit 20
match ip address prefix-list EVPN_DCI
!
When the access router receives routes in BGP-LU, the routes are tagged with the community 1:50002, which means that the route is an LU route belonging to access network #2. This community is mapped to the IS-IS tag 102133 when the routes are redistributed from BGP-LU to IS-IS, so IS-IS knows that the routes come from ACI site 2-1-3-3. This helps prevent loops caused by mutual redistribution between the protocols.
When the access router redistributes IGP routes to BGP-LU, the redistribution is filtered using the route-map ISIS-TO-BGP-LU to allow EVPN RR loopbacks and remote DC-PE loopbacks.
In case there are multiple ACI sites in the access network, there may be multiple ACI leaf loopbacks in IS-IS belonging to different sites. Thanks to the tagging of routes, the site of origin for each loopback is known. To enable communication between the ACI sites within the same access network, new terms must be added to the ISIS-TO-BGP-LU route-map.
In the following figure, there is another ACI site 2-1-4-4 connected to the same access network. Loopbacks of the leafs are carried with the tag 102144 in IS-IS. For the ACC2-1-R3 router to advertise the loopbacks of site 2-1-4-4 to site 2-1-3-3, a new term is added as follows:
route-map ISIS-TO-BGP-LU permit 30
match tag 102144
set community 1:50002
!
This new term matches the routes from site 2-1-4-4 and sets the community 1:50002, so that the routes are sent to the ACI leafs of site 2-1-3-3.
Multiple ACI Sites in the Same Access Network Using Remote DC-PEs
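The following Python model is an added example, not part of the original configuration guide. It evaluates the four route-maps of ACC2-1-R3 with first-match semantics to show why a site 2-1-3-3 loopback cannot re-enter BGP-LU from IS-IS, while a site 2-1-4-4 loopback passes the new term 30. The function names, the `Route` class and the 10.0.0.1/32 test prefix are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Values copied from the ACC2-1-R3 configuration on this page.
PREFIX_LISTS = {
    "EVPN_DCI": {"201.221.201.1/32", "201.221.201.2/32"},
    "EVPN_RR_LOOPBACKS": {"201.221.202.3/32", "201.221.202.4/32"},
}
LU_COMMUNITY = "1:50002"   # ip community-list 1
LOCAL_SITE_TAG = 102133    # IS-IS tag for site 2-1-3-3
REMOTE_SITE_TAG = 102144   # IS-IS tag for site 2-1-4-4


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset = frozenset()
    tag: Optional[int] = None
    labeled: bool = False  # True once "set mpls-label" has been applied


def in_plist(name):
    # The prefix-lists on the page hold exact /32 entries (no le/ge).
    return lambda r: r.prefix in PREFIX_LISTS[name]


def has_lu_community(r):
    return LU_COMMUNITY in r.communities


def keep(r):
    return r


def set_label(r):
    return replace(r, labeled=True)


# Each route-map is an ordered list of (match, set) terms.
ROUTE_MAPS = {
    "SET-CT": [
        (lambda r: True,
         lambda r: replace(r, communities=frozenset({LU_COMMUNITY, "no-advertise"}))),
    ],
    "BGP-LU-TO-ISIS": [
        (has_lu_community, lambda r: replace(r, tag=LOCAL_SITE_TAG)),
    ],
    "ISIS-TO-BGP-LU": [
        (in_plist("EVPN_RR_LOOPBACKS"), keep),                       # permit 10
        (in_plist("EVPN_DCI"), keep),                                # permit 20
        (lambda r: r.tag == REMOTE_SITE_TAG,                         # permit 30
         lambda r: replace(r, communities=frozenset({LU_COMMUNITY}))),
    ],
    "ADVERTISE-LOOPBACKS-TO-LU": [
        (has_lu_community, set_label),                               # permit 10
        (in_plist("EVPN_RR_LOOPBACKS"), keep),                       # permit 30
        (in_plist("EVPN_DCI"), set_label),                           # permit 40
    ],
}


def apply_route_map(name, route):
    """First matching term wins; no match is the implicit deny (None)."""
    for match, action in ROUTE_MAPS[name]:
        if match(route):
            return action(route)
    return None


def bgp_lu_to_isis(prefix):
    """A loopback received from a local border leaf, redistributed into IS-IS."""
    received = apply_route_map("SET-CT", Route(prefix))
    isis = apply_route_map("BGP-LU-TO-ISIS", received)
    # IS-IS carries the tag but not the BGP communities.
    return None if isis is None else Route(isis.prefix, tag=isis.tag)


def isis_to_aci_leaf(isis_route):
    """An IS-IS route redistributed into BGP-LU, then sent to the ACI leafs."""
    bgp = apply_route_map("ISIS-TO-BGP-LU", isis_route)
    if bgp is None or "no-advertise" in bgp.communities:
        return None
    return apply_route_map("ADVERTISE-LOOPBACKS-TO-LU", bgp)


if __name__ == "__main__":
    local = bgp_lu_to_isis("20.204.111.1/32")   # leaf loopback, site 2-1-3-3
    cases = {
        "site 2-1-3-3 loopback back from IS-IS": local,
        "site 2-1-4-4 loopback": Route("20.204.113.1/32", tag=REMOTE_SITE_TAG),
        "EVPN RR loopback": Route("201.221.202.3/32"),
        "remote DC-PE loopback": Route("201.221.201.1/32"),
        "unrelated IGP prefix (constructed)": Route("10.0.0.1/32"),
    }
    for name, route in cases.items():
        print(f"{name}: {isis_to_aci_leaf(route)}")
```

A result of `None` means the route is filtered. Removing the third ISIS-TO-BGP-LU term makes the site 2-1-4-4 loopback fall through to the implicit deny as well.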
Note: XE and NX-OS handle BGP-LU updates slightly differently. XR and NX-OS are fully compatible by default. It is recommended to enable the following knobs on the BGP-LU session of the XE device facing NX-OS:
router bgp 1
neighbor ACI-site-LU update in labeled-unicast unique
neighbor ACI-site-LU update out labeled-unicast unique
XR EVPN RR:
router bgp 1
bgp router-id 201.221.202.3
bgp cluster-id 2.0.3.1
address-family ipv4 rt-filter
!
address-family l2vpn evpn
!
neighbor-group ACI-site-EVPN
remote-as 987654321
bfd fast-detect
bfd multiplier 3
bfd minimum-interval 50
ebgp-multihop 255
update-source Loopback0
address-family l2vpn evpn
allowas-in 5
next-hop-unchanged
!
!
neighbor-group RR-client-EVPN
remote-as 1
update-source Loopback0
address-family l2vpn evpn
route-reflector-client
!
!
neighbor 20.204.111.1
use neighbor-group ACI-site-EVPN
address-family l2vpn evpn
route-policy MARK-ACI-ROUTES(9) in
route-policy DROP-ACI-ROUTES(9) out
!
!
neighbor 20.204.112.1
use neighbor-group ACI-site-EVPN
address-family l2vpn evpn
route-policy MARK-ACI-ROUTES(9) in
route-policy DROP-ACI-ROUTES(9) out
!
!
neighbor 201.221.201.1
use neighbor-group RR-client-EVPN
!
neighbor 201.221.201.2
use neighbor-group RR-client-EVPN
!
!
route-policy MARK-ACI-ROUTES($site)
if extcommunity soo matches-any (987654321:$site) then
drop
else
set extcommunity soo (1:$site)
endif
end-policy
!
route-policy DROP-ACI-ROUTES($site)
if extcommunity soo matches-any (1:$site) then
drop
else
set extcommunity soo (987654321:$site)
endif
end-policy
!
The route-reflector has a BGP configuration that is similar to a regular DC-PE.
The eBGP EVPN session with the border leaf must be configured with the “ebgp-multihop” option, and the TTL must be set to a higher value than usual as the RR could be many hops away from the border leafs.
It is also important to have the “next-hop-unchanged” keyword on the neighbor-group “ACI-site-EVPN” used for the border leafs because, from a transport standpoint, the next hop is the DC-PE (AGG2-PE1 or AGG2-PE2) and not the RR.
The route-reflector implements loop prevention using SOO on the EVPN session to the border leaf as the DC-PE does in a regular use case. See the section “Basic SR-Handoff with multihoming” for more information.
DC-PE configuration (AGG2-PE1):
vrf TENANT_BASIC
address-family ipv4 unicast
import route-target
1:2110000
1:2110009 stitching
!
export route-target
1:2110000
1:2110009 stitching
!
!
address-family ipv6 unicast
import route-target
1:2110000
1:2110009 stitching
!
export route-target
1:2110000
1:2110009 stitching
!
!
!
router bgp 1
bgp router-id 201.221.201.1
ibgp policy out enforce-modifications
address-family vpnv4 unicast
!
address-family vpnv6 unicast
!
address-family ipv4 rt-filter
!
address-family l2vpn evpn
!
neighbor-group RR-EVPN
remote-as 1
update-source Loopback0
address-family ipv4 rt-filter
route-reflector-client
!
address-family l2vpn evpn
import stitching-rt re-originate
route-policy MARK_EVPN_DROP_L3VPN_ROUTES in
route-reflector-client
advertise vpnv4 unicast re-originated stitching-rt
advertise vpnv6 unicast re-originated stitching-rt
!
!
neighbor-group RR-VPNunicast
remote-as 1
update-source Loopback0
address-family vpnv4 unicast
import re-originate stitching-rt
route-policy MARK_L3VPN_DROP_EVPN_ROUTES in
advertise vpnv4 unicast re-originated
!
address-family vpnv6 unicast
import re-originate stitching-rt
route-policy MARK_L3VPN_DROP_EVPN_ROUTES in
advertise vpnv6 unicast re-originated
!
address-family ipv4 rt-filter
!
!
neighbor 201.221.202.1
use neighbor-group RR-VPNunicast
!
neighbor 201.221.202.2
use neighbor-group RR-VPNunicast
!
neighbor 201.221.202.3
use neighbor-group RR-EVPN
!
neighbor 201.221.202.4
use neighbor-group RR-EVPN
!
vrf TENANT_BASIC
rd 1:2110022
address-family ipv4 unicast
!
address-family ipv6 unicast
!
!
route-policy MARK_EVPN_DROP_L3VPN_ROUTES
if community matches-any (1:2102) then
drop
else
set community (1:2202)
endif
end-policy
!
route-policy MARK_L3VPN_DROP_EVPN_ROUTES
if community matches-any (1:2202) then
drop
else
set community (1:2102)
endif
end-policy
While most of the configuration is similar to a regular DC-PE, there are two main changes:
● As the site loop prevention is performed on the RR, there is no need to perform per-site filtering on the DC-PE for the remote sites.
● As there is an EVPN RR involved, there could be BGP update loops between the EVPN and L3VPN domains, and new filtering is required to prevent these loops.
Per-domain filtering is achieved by setting communities and filtering inbound on the EVPN and VPN unicast sessions.
Routes received on the VPN unicast session that carry the EVPN domain community (1:2202) are dropped; otherwise, the routes are tagged with the VPN unicast domain community (1:2102).
Similarly, routes received on the EVPN session that carry the VPN unicast domain community (1:2102) are dropped; otherwise, the routes are tagged with the EVPN domain community (1:2202).
Per-Domain Route-Filtering
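The following Python sketch is an added example, not part of the original configuration guide. It models the MARK_EVPN_DROP_L3VPN_ROUTES and MARK_L3VPN_DROP_EVPN_ROUTES inbound policies on two stitching DC-PEs and counts how often one update is re-originated with and without the per-domain filtering. The reflector behaviour is deliberately simplified (each domain's RR reflects an update to every DC-PE except its sender), and the function names and round limit are assumptions.

```python
EVPN, L3VPN = "evpn", "l3vpn"

# Domain communities from the DC-PE route-policies on this page.
DOMAIN_COMMUNITY = {EVPN: "1:2202", L3VPN: "1:2102"}
DC_PES = ["AGG2-PE1", "AGG2-PE2"]


def other_domain(domain):
    return L3VPN if domain == EVPN else EVPN


def inbound_policy(session, communities, filtering=True):
    """Inbound policy of a DC-PE on the given session.

    EVPN session:        MARK_EVPN_DROP_L3VPN_ROUTES
    VPN unicast session: MARK_L3VPN_DROP_EVPN_ROUTES
    Returns the communities after the policy, or None when the route is dropped.
    """
    if not filtering:
        return communities
    if DOMAIN_COMMUNITY[other_domain(session)] in communities:
        return None  # the route already crossed from the other domain: drop
    # "set community (...)" without "additive" replaces the community set.
    return frozenset({DOMAIN_COMMUNITY[session]})


def propagate(origin_domain, filtering=True, max_rounds=8):
    """Follow one update that enters the DC-PEs from origin_domain.

    An update in flight is (domain, sender, communities); sender is None for
    the original update, which comes from outside the DC-PEs.
    """
    in_flight = [(origin_domain, None, frozenset())]
    reoriginations = 0
    for rnd in range(1, max_rounds + 1):
        next_round = []
        for domain, sender, communities in in_flight:
            for pe in DC_PES:
                if pe == sender:
                    continue  # the RR does not reflect an update back to its sender
                accepted = inbound_policy(domain, communities, filtering)
                if accepted is None:
                    continue
                # Import with the stitching RT and re-originate into the other domain.
                reoriginations += 1
                next_round.append((other_domain(domain), pe, accepted))
        in_flight = next_round
        if not in_flight:
            return {"rounds": rnd, "reoriginations": reoriginations, "looping": False}
    return {"rounds": max_rounds, "reoriginations": reoriginations, "looping": True}


if __name__ == "__main__":
    print("with filtering   :", propagate(EVPN, filtering=True))
    print("without filtering:", propagate(EVPN, filtering=False))
```

With the policies in place, each DC-PE re-originates the update once and the copy reflected to the other DC-PE is dropped on arrival. Without them, the two DC-PEs keep handing the same update back and forth between the domains until the round limit stops the model.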
ACI Configuration
INFRA Tenant Configuration
Add two additional SR/MPLS INFRA L3outs (2-1-3-3 and 2-1-4-4) as part of the tenant INFRA configuration.
<?xml version="1.0" encoding="utf-8"?>
<imdata totalCount="1">
<fvTenant
dn="uni/tn-infra"
name="infra"
>
<!-- Tag_1 Default Label Range config in Infra Tenant -->
<mplsLabelPol
maxDynamicLabel="525286"
maxStaticLabel="0"
minDynamicLabel="16"
minStaticLabel="0"
name="default"
>
<mplsSrgbLabelPol
localId="1"
maxSrgbLabel="32000"
minSrgbLabel="16000"
/>
</mplsLabelPol>
<!-- Tag_2 Default interface config in Infra Tenant -->
<mplsIfPol
name="default"
/>
<!-- Tag_3 MPLS Infra L3out towards DC PE Location 2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="2-1"
targetDscp="unspecified"
>
<mplsExtP
>
<mplsRsLabelPol
tDn="uni/tn-infra/mplslabelpol-default"
/>
</mplsExtP>
<l3extRsL3DomAtt
tDn="uni/l3dom-L3Dom"
/>
<l3extRsEctx
tnFvCtxName="overlay-1"
/>
<l3extProvLbl
name="2-1"
tag="yellow-green"
/>
<l3extLNodeP
name="2-1_nodeProfile"
tag="yellow-green"
targetDscp="unspecified"
>
<l3extRsNodeL3OutAtt
rtrId="30.204.103.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-103"
>
<l3extLoopBackIfP addr="20.204.103.1"
>
<mplsNodeSidP
loopbackAddr="20.204.103.1"
sidoffset="45"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsNodeL3OutAtt
rtrId="30.204.104.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-104"
>
<l3extLoopBackIfP addr="20.204.104.1"
>
<mplsNodeSidP
loopbackAddr="20.204.104.1"
sidoffset="46"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsLNodePMplsCustQosPol
tDn="uni/tn-infra/qosmplscustom-"
/>
<l3extLIfP
name="2-1_interfaceProfile"
prio="unspecified"
tag="yellow-green"
>
<l3extRsPathL3OutAtt addr="120.1.51.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-103/pathep-[eth1/18]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.51.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.53.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-103/pathep-[eth1/1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.53.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.52.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-104/pathep-[eth1/14]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.52.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.54.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-104/pathep-[eth1/2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.54.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<mplsIfP
>
<mplsRsIfPol
tnMplsIfPolName="default"
/>
</mplsIfP>
<bfdIfP
keyId="1"
type="none"
>
<bfdRsIfPol
tnBfdIfPolName="BFD_Pol"
/>
</bfdIfP>
</l3extLIfP>
<bgpInfraPeerP addr="201.201.201.2"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
<bgpInfraPeerP addr="201.201.201.1"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
</l3extLNodeP>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="2-1_mplsInstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsCustQosPol
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_4 MPLS Infra L3out towards DC PE Location 2-1-2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="2-1-2-1"
targetDscp="unspecified"
>
<mplsExtP
>
<mplsRsLabelPol
tDn="uni/tn-infra/mplslabelpol-default"
/>
</mplsExtP>
<l3extRsL3DomAtt
tDn="uni/l3dom-L3Dom"
/>
<l3extRsEctx
tnFvCtxName="overlay-1"
/>
<l3extProvLbl
name="2-1-2-1"
tag="yellow-green"
/>
<l3extLNodeP
name="2-1-2-1_nodeProfile"
tag="yellow-green"
targetDscp="unspecified"
>
<l3extRsNodeL3OutAtt
rtrId="30.204.105.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-105"
>
<l3extLoopBackIfP addr="20.204.105.1"
>
<mplsNodeSidP
loopbackAddr="20.204.105.1"
sidoffset="47"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsNodeL3OutAtt
rtrId="30.204.106.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-106"
>
<l3extLoopBackIfP addr="20.204.106.1"
>
<mplsNodeSidP
loopbackAddr="20.204.106.1"
sidoffset="48"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsLNodePMplsCustQosPol
tDn="uni/tn-infra/qosmplscustom-"
/>
<l3extLIfP
name="2-1-2-1_interfaceProfile"
prio="unspecified"
tag="yellow-green"
>
<l3extRsPathL3OutAtt addr="120.1.63.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-106/pathep-[eth1/2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.63.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.62.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-105/pathep-[eth1/1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.62.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.64.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-106/pathep-[eth1/3]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.64.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.61.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-105/pathep-[eth1/3]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.61.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<mplsIfP
>
<mplsRsIfPol
tnMplsIfPolName="default"
/>
</mplsIfP>
<bfdIfP
keyId="1"
type="none"
>
<bfdRsIfPol
tnBfdIfPolName="BFD_Pol"
/>
</bfdIfP>
</l3extLIfP>
<bgpInfraPeerP addr="201.201.201.7"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
<bgpInfraPeerP addr="201.201.201.6"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
</l3extLNodeP>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="2-1-2-1_mplsInstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsCustQosPol
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_5 MPLS Infra L3out towards DC PE Location 2-1-2-2 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="2-1-2-2"
targetDscp="unspecified"
>
<mplsExtP
>
<mplsRsLabelPol
tDn="uni/tn-infra/mplslabelpol-default"
/>
</mplsExtP>
<l3extRsL3DomAtt
tDn="uni/l3dom-L3Dom"
/>
<l3extRsEctx
tnFvCtxName="overlay-1"
/>
<l3extProvLbl
name="2-1-2-2"
tag="yellow-green"
/>
<l3extLNodeP
name="2-1-2-2_nodeProfile"
tag="yellow-green"
targetDscp="unspecified"
>
<l3extRsNodeL3OutAtt
rtrId="30.204.107.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-107"
>
<l3extLoopBackIfP addr="20.204.107.1"
>
<mplsNodeSidP
loopbackAddr="20.204.107.1"
sidoffset="49"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsNodeL3OutAtt
rtrId="30.204.108.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-108"
>
<l3extLoopBackIfP addr="20.204.108.1"
>
<mplsNodeSidP
loopbackAddr="20.204.108.1"
sidoffset="50"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsLNodePMplsCustQosPol
tDn="uni/tn-infra/qosmplscustom-"
/>
<l3extLIfP
name="2-1-2-2_interfaceProfile"
prio="unspecified"
tag="yellow-green"
>
<l3extRsPathL3OutAtt addr="120.1.73.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-107/pathep-[PC2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.73.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="send-com,send-ext-com"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.71.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-107/pathep-[PC1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.71.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.72.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-108/pathep-[PC1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.72.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.74.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-108/pathep-[PC2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.74.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="send-com,send-ext-com"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<mplsIfP
>
<mplsRsIfPol
tnMplsIfPolName="default"
/>
</mplsIfP>
<bfdIfP
keyId="1"
type="none"
>
<bfdRsIfPol
tnBfdIfPolName="BFD_Pol"
/>
</bfdIfP>
</l3extLIfP>
<bgpInfraPeerP addr="201.201.201.7"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
<bgpInfraPeerP addr="201.201.201.6"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
</l3extLNodeP>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="2-1-2-2_mplsInstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsCustQosPol
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- TAG Remote DC behind access network in location 2-1-3-3 and 2-1-4-4 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="2-1-3-3"
targetDscp="unspecified"
>
<mplsExtP
>
<mplsRsLabelPol
tDn="uni/tn-infra/mplslabelpol-default"
/>
</mplsExtP>
<l3extRsL3DomAtt
tDn="uni/l3dom-L3Dom"
/>
<l3extRsEctx
tnFvCtxName="overlay-1"
/>
<l3extProvLbl
name="2-1-3-3"
tag="yellow-green"
/>
<l3extLNodeP
name="2-1-3-3_nodeProfile"
tag="yellow-green"
targetDscp="unspecified"
>
<l3extRsNodeL3OutAtt
rtrId="30.204.111.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-111"
>
<l3extLoopBackIfP addr="20.204.111.1"
>
<mplsNodeSidP
loopbackAddr="20.204.111.1"
sidoffset="11043"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsNodeL3OutAtt
rtrId="30.204.112.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-112"
>
<l3extLoopBackIfP addr="20.204.112.1"
>
<mplsNodeSidP
loopbackAddr="20.204.112.1"
sidoffset="11044"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsLNodePMplsCustQosPol
tDn="uni/tn-infra/qosmplscustom-"
/>
<l3extLIfP
name="2-1-3-3_interfaceProfile"
prio="unspecified"
tag="yellow-green"
>
<l3extRsPathL3OutAtt addr="120.1.92.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-112/pathep-[eth1/1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.92.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.93.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-111/pathep-[eth1/2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.93.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.91.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-111/pathep-[eth1/1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.91.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.94.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="inherit"
tDn="topology/pod-1/paths-112/pathep-[eth1/2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.94.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsNdIfPol
/>
<l3extRsLIfPCustQosPol
/>
<l3extRsIngressQosDppPol
/>
<l3extRsEgressQosDppPol
/>
<l3extRsArpIfPol
/>
<bfdMhIfP
keyId="1"
type="none"
userdom=":all:">
<bfdRsMhIfPol
tnBfdMhIfPolName="MH-BFD"
userdom="all"/>
</bfdMhIfP>
<mplsIfP
>
<mplsRsIfPol
tnMplsIfPolName="default"
/>
</mplsIfP>
<bfdIfP
keyId="1"
type="none"
>
<bfdRsIfPol
tnBfdIfPolName="BFD_Pol"
/>
</bfdIfP>
</l3extLIfP>
<bgpInfraPeerP addr="201.221.202.3"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
<bgpInfraPeerP addr="201.221.202.4"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
</l3extLNodeP>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="2-1-3-3_mplsInstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsCustQosPol
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="2-1-4-4"
targetDscp="unspecified"
>
<mplsExtP
>
<mplsRsLabelPol
tDn="uni/tn-infra/mplslabelpol-default"
/>
</mplsExtP>
<l3extRsL3DomAtt
tDn="uni/l3dom-L3Dom"
/>
<l3extRsEctx
tnFvCtxName="overlay-1"
/>
<l3extProvLbl
name="2-1-4-4"
tag="yellow-green"
/>
<l3extLNodeP
name="2-1-4-4_nodeProfile"
tag="yellow-green"
targetDscp="unspecified"
>
<l3extRsNodeL3OutAtt
rtrId="30.204.113.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-113"
>
<l3extLoopBackIfP addr="20.204.113.1"
>
<mplsNodeSidP
loopbackAddr="20.204.113.1"
sidoffset="11041"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsNodeL3OutAtt
rtrId="30.204.114.1"
rtrIdLoopBack="no"
tDn="topology/pod-1/node-114"
>
<l3extLoopBackIfP addr="20.204.114.1"
>
<mplsNodeSidP
loopbackAddr="20.204.114.1"
sidoffset="11042"
/>
</l3extLoopBackIfP>
</l3extRsNodeL3OutAtt>
<l3extRsLNodePMplsCustQosPol
tDn="uni/tn-infra/qosmplscustom-"
/>
<l3extLIfP
name="2-1-4-4_interfaceProfile"
prio="unspecified"
tag="yellow-green"
>
<l3extRsPathL3OutAtt addr="120.1.105.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="9000"
tDn="topology/pod-1/paths-113/pathep-[eth1/16]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.105.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.108.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="9000"
tDn="topology/pod-1/paths-114/pathep-[eth1/17]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.108.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.109.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="9000"
tDn="topology/pod-1/paths-113/pathep-[eth1/19]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.109.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.104.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="9000"
tDn="topology/pod-1/paths-114/pathep-[eth1/1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.104.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.106.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="9000"
tDn="topology/pod-1/paths-114/pathep-[eth1/16]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.106.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.111.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="9000"
tDn="topology/pod-1/paths-113/pathep-[eth1/20]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.111.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.110.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="9000"
tDn="topology/pod-1/paths-114/pathep-[eth1/19]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.110.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.102.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="9000"
tDn="topology/pod-1/paths-114/pathep-[eth1/2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.102.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.103.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="9000"
tDn="topology/pod-1/paths-113/pathep-[eth1/2]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.103.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.107.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="9000"
tDn="topology/pod-1/paths-113/pathep-[eth1/17]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.107.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.112.1/24"
autostate="disabled"
encap="vlan-101"
encapScope="local"
ifInstT="sub-interface"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="9000"
tDn="topology/pod-1/paths-114/pathep-[eth1/20]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.112.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsPathL3OutAtt addr="120.1.101.1/24"
autostate="disabled"
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="9000"
tDn="topology/pod-1/paths-113/pathep-[eth1/1]"
targetDscp="unspecified"
>
<bgpPeerP addr="120.1.101.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
peerCtrl="bfd"
ttl="1"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
<l3extRsNdIfPol
/>
<l3extRsLIfPCustQosPol
/>
<l3extRsIngressQosDppPol
/>
<l3extRsEgressQosDppPol
/>
<l3extRsArpIfPol
/>
<mplsIfP
>
<mplsRsIfPol
tnMplsIfPolName="default"
/>
</mplsIfP>
<bfdIfP
keyId="1"
type="none"
>
<bfdRsIfPol
tnBfdIfPolName="BFD_Pol"
/>
</bfdIfP>
</l3extLIfP>
<bgpInfraPeerP addr="201.221.202.3"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
<bgpInfraPeerP addr="201.221.202.4"
addrTCtrl="af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
dataPlaneAddr="0.0.0.0"
peerCtrl="bfd"
peerT="SR/MPLS"
remoteIntersiteRR="no"
srcIfT="l3out-loopback"
trustCtrl="untrusted"
ttl="16"
weight="0">
<bgpRsPeerPfxPol
/>
<bgpAsP
asn="1"
/>
</bgpInfraPeerP>
</l3extLNodeP>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="2-1-4-4_mplsInstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsCustQosPol
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
</fvTenant>
</imdata>
User Tenant Configuration
Two additional SR MPLS VRF L3Outs, for the SR MPLS Infra L3Out locations 2-1-3-3 and 2-1-4-4, are also added to the existing user tenant.
<?xml version="1.0" encoding="utf-8"?>
<imdata totalCount="1">
<!-- Specify Name of Tenant as Required -->
<fvTenant descr="Tenant with Basic SR MPLS Handoff"
dn="uni/tn-TENANT-BASIC"
name="TENANT-BASIC"
>
<!-- Tag_1 User L3out Route Control Config -->
<rtctrlSubjP
name="all"
>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="100.0.0.0/8"
toPfxLen="0"
/>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="101.0.0.0/8"
toPfxLen="0"
userdom=":all:"/>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="::/0"
toPfxLen="0"
/>
</rtctrlSubjP>
<!-- Color configuration per prefix subnet -->
<rtctrlSubjP
name="Granular-Rule"
>
<rtctrlMatchRtDest aggregate="yes"
fromPfxLen="0"
ip="101.21.5.254/24"
toPfxLen="0"
/>
</rtctrlSubjP>
<rtctrlProfile
name="Export-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-Pol"
order="1"
>
<rtctrlScope
>
<rtctrlRsScopeToAttrP
tnRtctrlAttrPName="color"
/>
</rtctrlScope>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
<rtctrlCtxP action="permit"
name="Granular-Export"
order="1"
>
<rtctrlScope
>
<rtctrlRsScopeToAttrP
tnRtctrlAttrPName="Granular-color"
/>
</rtctrlScope>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="Granular-Rule"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-Pol"
order="1"
>
<rtctrlScope
>
<rtctrlRsScopeToAttrP
tnRtctrlAttrPName="color"
/>
</rtctrlScope>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlAttrP
name="color"
>
<rtctrlSetComm
community="extended:color:500"
setCriteria="append"
type="community"
/>
</rtctrlAttrP>
<rtctrlAttrP
name="Granular-color"
>
<rtctrlSetComm
community="extended:color:200"
setCriteria="append"
type="community"
/>
</rtctrlAttrP>
<!-- Tag_2 User L3out Config towards DC PE Location 2-1-2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_2121"
/>
<rtctrlProfile
name="Export-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1-2-1"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToProfile
direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToInstP tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106/instP-LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="::/0"
name="ipv6All"
scope="import-security"
/>
<l3extSubnet
ip="0.0.0.0/0"
name="ipv4All"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_3 User L3out Config towards DC PE Location 2-1 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-MPLS-TENANT-L3OUT-2105"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_21"
/>
<rtctrlProfile
name="Import-pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Export-pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToProfile direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToInstP tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-MPLS-TENANT-L3OUT-2105/instP-LOCATION-2-1-MPLS-TENANT-L3OUT-2105-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-MPLS-TENANT-L3OUT-2105-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="::/0"
name="ipv6All"
scope="import-security"
/>
<l3extSubnet
ip="0.0.0.0/0"
name="ipv4All"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag User L3out Config towards DC PE Location 2-1-2-2 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_2122"
/>
<rtctrlProfile
name="Export-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-Pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-Pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1-2-2"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToProfile direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToInstP tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107/instP-LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2107-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="::/0"
name="ipv6All"
scope="import-security"
/>
<l3extSubnet
ip="0.0.0.0/0"
name="ipv4All"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag User L3out configuration towards Remote DC PE 2-1-3-3 and 2-1-4-4 -->
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-3-3-MPLS-TENANT-L3OUT-2109"
targetDscp="unspecified"
>
<l3extRsEctx tnFvCtxName="TENANT_BASIC_2133"
/>
<rtctrlProfile
name="Import-pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Export-pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1-3-3"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile
direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToProfile
direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToInstP
tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-3-3-MPLS-TENANT-L3OUT-2109/instP-LOCATION-2-1-3-3-MPLS-TENANT-L3OUT-2109-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-3-3-MPLS-TENANT-L3OUT-2109-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="0.0.0.0/0"
scope="import-security"
/>
<l3extSubnet
ip="::/0"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvSiteAssociated
name="msc-local"
siteId="2"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<l3extOut
enforceRtctrl="export"
mplsEnabled="yes"
name="LOCATION-2-1-4-4-MPLS-TENANT-L3OUT-2110"
targetDscp="unspecified"
>
<l3extRsEctx
tnFvCtxName="TENANT_BASIC_2144"
/>
<rtctrlProfile
name="Export-pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Export-pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<rtctrlProfile
name="Import-pol"
type="combinable"
>
<rtctrlCtxP action="permit"
name="Import-pol"
order="1"
>
<rtctrlRsCtxPToSubjP
tnRtctrlSubjPName="all"
/>
</rtctrlCtxP>
</rtctrlProfile>
<l3extConsLbl
name="2-1-4-4"
owner="infra"
tag="yellow-green"
>
<l3extRsLblToProfile
direction="export"
tDn="uni/tn-TENANT-BASIC/prof-Export-Pol"
/>
<l3extRsLblToProfile
direction="import"
tDn="uni/tn-TENANT-BASIC/prof-Import-Pol"
/>
<l3extRsLblToInstP
tDn="uni/tn-TENANT-BASIC/out-LOCATION-2-1-4-4-MPLS-TENANT-L3OUT-2110/instP-LOCATION-2-1-4-4-MPLS-TENANT-L3OUT-2110-InstP"
/>
</l3extConsLbl>
<l3extInstP
floodOnEncap="disabled"
matchT="AtleastOne"
name="LOCATION-2-1-4-4-MPLS-TENANT-L3OUT-2110-InstP"
prefGrMemb="exclude"
prio="unspecified"
targetDscp="unspecified"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<l3extSubnet
ip="0.0.0.0/0"
scope="import-security"
/>
<l3extSubnet
ip="::/0"
scope="import-security"
/>
<fvRsCustQosPol
/>
<fvSiteAssociated
name="msc-local"
siteId="2"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
</l3extInstP>
<bgpExtP
/>
</l3extOut>
<!-- Tag_4 User VRF Config towards DC PE Location 2-1-2-1 -->
<fvCtx bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_2121"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="export"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="export"
/>
</bgpRtTargetP>
</fvCtx>
<!-- Tag_5 User VRF Config towards DC PE Location 2-1 -->
<fvCtx bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_21"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="export"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110005"
type="import"
/>
</bgpRtTargetP>
</fvCtx>
<fvCtx bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_2122"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="import"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110007"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110006"
type="import"
/>
</bgpRtTargetP>
</fvCtx>
<!-- Tag User VRF towards 2-1-3-3 and 2-1-4-4 -->
<fvCtx
bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_2133"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110009"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110010"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110009"
type="import"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110009"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110010"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110009"
type="export"
/>
</bgpRtTargetP>
</fvCtx>
<fvCtx
bdEnforcedEnable="no"
ipDataPlaneLearning="enabled"
knwMcastAct="permit"
name="TENANT_BASIC_2144"
pcEnfDir="ingress"
pcEnfPref="enforced"
>
<fvRsVrfValidationPol
tnL3
/>
<vzAny
matchT="AtleastOne"
prefGrMemb="disabled"
/>
<fvRsOspfCtxPol
/>
<fvRsCtxToEpRet
/>
<fvRsCtxToExtRouteTagPol
tnL3
/>
<fvRsBgpCtxPol
/>
<bgpRtTargetP af="ipv6-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110010"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110009"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110010"
type="export"
/>
</bgpRtTargetP>
<bgpRtTargetP af="ipv4-ucast"
>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110010"
type="import"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110010"
type="export"
/>
<bgpRtTarget
rt="route-target:as2-nn4:1:2110009"
type="import"
/>
</bgpRtTargetP>
</fvCtx>
<!-- Tag_6 User BD Config towards DC PE Location 2-1 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2105"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet ctrl="nd"
ip="2001:100:21:5::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="100.21.5.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="101.21.5.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_21"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-MPLS-TENANT-L3OUT-2105"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- Tag_7 User BD Config towards DC PE Location 2-1-2-1 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2106"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet ctrl="nd"
ip="2001:100:21:6::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="100.21.6.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="101.21.6.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_2121"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-2-1-MPLS-TENANT-L3OUT-2106"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- TAG USER BD CONFIG TOWARDS DC PE LOCATION 2-1-2-2 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2107"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet ctrl="nd"
ip="100.21.7.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="101.21.7.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet ctrl="nd"
ip="2001:100:21:7::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_2122"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-2-2-MPLS-TENANT-L3OUT-2107"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- Tag BD towards DC PE location 2-1-3-3 and 2-1-4-4 -->
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2109"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet
ctrl="nd"
ip="2001:100:21:9::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet
ctrl="nd"
ip="100.21.9.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_2133"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-3-3-MPLS-TENANT-L3OUT-2109"
/>
<fvRsBDToNdP
/>
</fvBD>
<fvBD OptimizeWanBandwidth="no"
arpFlood="no"
epClear="no"
hostBasedRouting="no"
intersiteBumTrafficAllow="no"
intersiteL2Stretch="no"
ipLearning="yes"
ipv6McastAllow="no"
limitIpLearnToSubnets="yes"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mcastAllow="no"
multiDstPktAct="bd-flood"
name="BD2110"
type="regular"
unicastRoute="yes"
unkMacUcastAct="proxy"
unkMcastAct="flood"
v6unkMcastAct="flood"
vmac="not-applicable">
<fvSubnet
ctrl="nd"
ip="100.21.10.254/24"
preferred="no"
scope="public"
virtual="no"/>
<fvSubnet
ctrl="nd"
ip="2001:100:21:10::254/64"
preferred="no"
scope="public"
virtual="no"/>
<fvRsMldsn
/>
<fvRsIgmpsn
/>
<fvRsCtx
tnFvCtxName="TENANT_BASIC_2144"
/>
<fvRsBdToEpRet
resolveAct="resolve"
/>
<fvRsBDToOut
tnL3extOutName="LOCATION-2-1-4-4-MPLS-TENANT-L3OUT-2110"
/>
<fvRsBDToNdP
/>
</fvBD>
<!-- Tag_8 Application Profile Config towards DC PE Location 2-1-2-1 -->
<fvAp
name="LOCATION-2-1-2-1-AP2106"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG106"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="lazy"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-105/pathep-[eth1/10]"
/>
<fvRsDomAtt bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="lazy"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2106"
/>
</fvAEPg>
</fvAp>
<!-- Tag_9 Application Profile Config towards DC PE Location 2-1 -->
<fvAp
name="LOCATION-2-1-AP2105"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG105"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="immediate"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-101/pathep-[eth1/10]"
/>
<fvRsDomAtt bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="immediate"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2105"
/>
</fvAEPg>
</fvAp>
<!-- Tag Application Profile Config towards DC PE Location 2-1-2-2 -->
<fvAp
name="LOCATION-2-1-2-2-AP2107"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG107"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="lazy"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-107/pathep-[eth1/10]"
/>
<fvRsDomAtt bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="lazy"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2107"
/>
</fvAEPg>
</fvAp>
<!-- Application profile configuration towards DC PE location 2-1-3-3 and 2-1-4-4 -->
<fvAp
name="LOCATION-2-1-3-3-AP2109"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG109"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="lazy"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-111/pathep-[eth1/10]"
/>
<fvRsDomAtt
bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="lazy"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2109"
/>
</fvAEPg>
</fvAp>
<fvAp
name="LOCATION-2-1-4-4-AP2110"
prio="unspecified"
>
<fvAEPg
floodOnEncap="disabled"
hasMcastSource="no"
isAttrBasedEPg="no"
matchT="AtleastOne"
name="EPG110"
pcEnfPref="unenforced"
prefGrMemb="exclude"
prio="unspecified"
shutdown="no"
>
<fvRsProv
intent="install"
matchT="AtleastOne"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsPathAtt
encap="vlan-2101"
instrImedcy="lazy"
mode="regular"
primaryEncap="unknown"
tDn="topology/pod-1/paths-113/pathep-[eth1/10]"
/>
<fvRsDomAtt
bindingType="none"
classPref="encap"
encap="unknown"
encapMode="auto"
epgCos="Cos0"
epgCosPref="disabled"
instrImedcy="lazy"
netflowDir="both"
netflowPref="disabled"
numPorts="0"
portAllocation="none"
primaryEncap="unknown"
primaryEncapInner="unknown"
resImedcy="lazy"
secondaryEncapInner="unknown"
switchingMode="native"
tDn="uni/phys-phys"
untagged="no"
/>
<fvRsCons
intent="install"
prio="unspecified"
tnVzBrCPName="default"
/>
<fvRsCustQosPol
/>
<fvRsBd
tnFvBDName="BD2110"
/>
</fvAEPg>
</fvAp>
</fvTenant>
</imdata>
Design
It is perfectly fine to use the MPLS Handoff with a non-SR network.
Both the directly connected and the remote DC-PE architectures work in this model. The following figure describes a remote DC-PE architecture with an access network running LDPoRSVP.
Remote DC-PE with LDPoRSVP Access Network
There is a single change compared to the SR-based architecture. When using BGP-LU, the BL/RL and the access routers do not advertise the BGP Prefix-SID attribute. The BGP-LU updates only carry the regular MPLS label value.
The two outputs that follow highlight the difference in BGP-LU between SR/MPLS Handoff and regular MPLS handoff.
SR/MPLS Handoff:
ifav204-leaf13# show bgp ipv4 labeled-unicast 201.221.201.1
BGP routing table information for VRF overlay-1, address family IPv4 Label Unicast
BGP routing table entry for 201.221.201.1/32, version 35 dest ptr 0xa4a01374
Paths: (6 available, best #4)
Flags: (0x08001a 00000000) on xmit-list, is in urib, is best urib route, is in HW
label af: version 42, (0x100002) on xmit-list
Path type: external 0x40000028 0x0 ref 0 adv path ref 0, path is valid, not best reason: MED
AS-Path: 1 , path sourced external to AS
120.1.111.2 (metric 0) from 120.1.111.2 (201.221.211.4)
Origin incomplete, MED 30000, localpref 100, weight 0 tag 0, propagate 0
Received label 42
Prefix-SID Attribute: Length: 10
Label Index TLV: Length 7, Flags 0x0 Label Index 9001
ACC2-1-R4#show bgp ipv4 unicast 20.204.113.1
BGP routing table entry for 20.204.113.1/32, version 272
Paths: (3 available, best #2, table default, not advertised to any peer)
Multipath: eBGP
Net local label from SRGB
Not advertised to any peer
Refresh Epoch 1
987654321
120.1.111.1 from 120.1.111.1 (30.204.113.1)
Origin IGP, localpref 100, valid, external, multipath
sr-labelindex 0x2B21
Community: 1:50002 no-advertise
mpls labels in/out 27041/imp-null
rx pathid: 0, tx pathid: 0
Updated on Sep 2 2020 16:28:06 UTC
Regular MPLS Handoff:
ifav203-leaf12# show bgp ipv4 labeled-unicast 201.231.201.1
BGP routing table information for VRF overlay-1, address family IPv4 Label Unicast
BGP routing table entry for 201.231.201.1/32, version 7 dest ptr 0xa4b23920
Paths: (2 available, best #2)
Flags: (0x08001a 00000000) on xmit-list, is in urib, is best urib route, is in HW
label af: version 10, (0x100002) on xmit-list
Path type: external 0x40020028 0x0 ref 0 adv path ref 0, path is valid, not best reason: newer EBGP path, multipath
AS-Path: 103001 , path sourced external to AS
120.1.82.2 (metric 0) from 120.1.82.2 (201.231.211.1)
Origin incomplete, MED not set, localpref 100, weight 0 tag 0, propagate 0
Received label 29
ACC3-1-R2#show bgp ipv4 unicast 20.203.112.1
BGP routing table entry for 20.203.112.1/32, version 133962685
Paths: (1 available, best #1, table default)
Path advertised to update-groups:
6
Refresh Epoch 1
100
120.1.84.1 from 120.1.84.1 (30.203.112.1)
Origin IGP, localpref 100, valid, external, best
mpls labels in/out 58/imp-null
rx pathid: 0, tx pathid: 0x0
Updated on Aug 22 2020 02:40:02 UTC
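The difference shown in the two leaf outputs above can be checked mechanically. The following Python sketch is an added example, not part of the original document or of any Cisco tooling: it parses `show bgp ipv4 labeled-unicast` text from a leaf and classifies each path by whether a Prefix-SID Label Index accompanies the received label. The names `LuPath`, `parse_lu_paths` and `unexpected_paths` are hypothetical, and the sample text is the first path of each output above, re-indented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# First path of each leaf output shown above (indentation is cosmetic).
SR_HANDOFF_OUTPUT = """\
BGP routing table information for VRF overlay-1, address family IPv4 Label Unicast
BGP routing table entry for 201.221.201.1/32, version 35 dest ptr 0xa4a01374
Paths: (6 available, best #4)
  Path type: external 0x40000028 0x0 ref 0 adv path ref 0, path is valid, not best reason: MED
  AS-Path: 1 , path sourced external to AS
    120.1.111.2 (metric 0) from 120.1.111.2 (201.221.211.4)
      Origin incomplete, MED 30000, localpref 100, weight 0 tag 0, propagate 0
      Received label 42
      Prefix-SID Attribute: Length: 10
        Label Index TLV: Length 7, Flags 0x0 Label Index 9001
"""

MPLS_HANDOFF_OUTPUT = """\
BGP routing table information for VRF overlay-1, address family IPv4 Label Unicast
BGP routing table entry for 201.231.201.1/32, version 7 dest ptr 0xa4b23920
Paths: (2 available, best #2)
  Path type: external 0x40020028 0x0 ref 0 adv path ref 0, path is valid, not best reason: newer EBGP path, multipath
  AS-Path: 103001 , path sourced external to AS
    120.1.82.2 (metric 0) from 120.1.82.2 (201.231.211.1)
      Origin incomplete, MED not set, localpref 100, weight 0 tag 0, propagate 0
      Received label 29
"""


@dataclass
class LuPath:
    prefix: str
    neighbor: str = "?"
    router_id: str = "?"
    received_label: Optional[int] = None
    label_index: Optional[int] = None  # set only when a Prefix-SID attribute was received

    @property
    def handoff(self) -> str:
        if self.label_index is not None:
            return "SR/MPLS"
        if self.received_label is not None:
            return "regular MPLS"
        return "unlabeled"


_ENTRY = re.compile(r"BGP routing table entry for (\S+?),")
_NEIGH = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}) \(metric \d+\) from \S+ \((\S+)\)")
_LABEL = re.compile(r"Received label (\d+)")
_INDEX = re.compile(r"Label Index TLV:.*Label Index (\d+)")


def parse_lu_paths(text: str) -> List[LuPath]:
    """Return one LuPath per 'Path type:' block found in the show output."""
    paths: List[LuPath] = []
    prefix = "?"
    current: Optional[LuPath] = None
    for line in text.splitlines():
        entry = _ENTRY.search(line)
        if entry:                       # a new prefix starts; no path is open yet
            prefix, current = entry.group(1), None
            continue
        if line.strip().startswith("Path type:"):
            current = LuPath(prefix=prefix)
            paths.append(current)
            continue
        if current is None:
            continue
        neigh = _NEIGH.match(line)
        if neigh:
            current.neighbor, current.router_id = neigh.group(1), neigh.group(2)
            continue
        label = _LABEL.search(line)
        if label:
            current.received_label = int(label.group(1))
            continue
        index = _INDEX.search(line)
        if index:
            current.label_index = int(index.group(1))
    return paths


def unexpected_paths(paths: List[LuPath], expected: str) -> List[LuPath]:
    """Paths whose handoff type differs from what the design calls for."""
    return [p for p in paths if p.handoff != expected]


if __name__ == "__main__":
    for p in parse_lu_paths(SR_HANDOFF_OUTPUT) + parse_lu_paths(MPLS_HANDOFF_OUTPUT):
        print(p.prefix, "via", p.neighbor, "label", p.received_label,
              "label-index", p.label_index, "->", p.handoff)
```
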
Configuration
Access Router
The “segment-routing mpls” keyword must not be activated in the BGP configuration:
router bgp 103001
bgp router-id 201.231.211.2
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor ACI-site-LU peer-group
neighbor ACI-site-LU remote-as 100
neighbor ACI-site-LU fall-over bfd
neighbor 120.1.83.1 peer-group ACI-site-LU
neighbor 120.1.84.1 peer-group ACI-site-LU
!
address-family ipv4
bgp nexthop trigger delay 0
! segment-routing mpls   <- leave this line out: it must not be configured for regular MPLS handoff
neighbor ACI-site-LU route-map ADVERTISE-LOOPBACKS-TO-LU out
neighbor ACI-site-LU send-label
neighbor 120.1.83.1 activate
neighbor 120.1.84.1 activate
exit-address-family
!
On an IOS XR device, do not set a label-index when redistributing the loopback of the DC-PE into BGP-LU.
router bgp 1
bgp router-id 201.201.201.2
address-family ipv4 unicast
redistribute connected route-policy CONNECTED-TO-BGP-LU(2)
allocate-label all
!
!
prefix-set PFXSET-OWN-LO0
201.201.201.2/32
end-set
!
route-policy CONNECTED-TO-BGP-LU($node_sid)
if destination in PFXSET-OWN-LO0 then
# set label-index $node_sid   <- leave this statement out: no label-index for regular MPLS handoff
pass
endif
end-policy
!
ACI Infra Tenant Configuration Sample to Disable Segment Routing
Similar to the preceding PE configuration, disable segment-routing in the BGP LU peer configuration.
<bgpPeerP addr="120.1.81.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
annotation=""
ctrl="segment-routing-disable"
descr=""
name=""
nameAlias=""
peerCtrl="bfd"
privateASctrl=""
ttl="1"
userdom=""
weight="0">
Here is a sample Leaf Interface profile configuration where SR has been disabled.
<!-- Tag - Disable Segment Routing for the Peer towards DC PE , This configuration goes in leaf interface profile under Node Profile in SR MPLS Infra L3out -->
<l3extLIfP annotation=""
descr=""
name="1-2-1-1_interfaceProfile"
nameAlias=""
ownerKey=""
ownerTag=""
prio="unspecified"
tag="yellow-green"
userdom="">
<l3extRsPathL3OutAtt addr="120.1.81.1/24"
annotation=""
autostate="disabled"
descr=""
encap="unknown"
encapScope="local"
ifInstT="l3-port"
ipv6Dad="enabled"
llAddr="::"
mac="00:22:BD:F8:19:FF"
mode="regular"
mtu="9000"
tDn="topology/pod-2/paths-111/pathep-[eth1/1]"
targetDscp="unspecified"
userdom="">
<bgpPeerP addr="120.1.81.2"
addrTCtrl="af-label-ucast,af-ucast"
adminSt="enabled"
allowedSelfAsCnt="3"
annotation=""
ctrl="segment-routing-disable"
descr=""
name=""
nameAlias=""
peerCtrl="bfd"
privateASctrl=""
ttl="1"
userdom=""
weight="0">
<bgpRsPeerPfxPol annotation=""
tnBgpPeerPfxPolName=""
userdom=""/>
<bgpAsP annotation=""
asn="103001"
descr=""
name=""
nameAlias=""
userdom=""/>
</bgpPeerP>
</l3extRsPathL3OutAtt>
</l3extLIfP>
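Before an infra L3Out is pointed at a non-SR access network, the exported XML can be checked for BGP-LU peers that still lack the `segment-routing-disable` flag. The following Python sketch is an added example, not Cisco's code: it treats an absent or empty `ctrl` attribute as SR enabled, which is how the SR/MPLS peers appear in the XML earlier on this page. The function name `audit_lu_peers` is hypothetical, and the sample XML is constructed: only the first peer and the `bgpInfraPeerP` are taken from the page, while the 192.0.2.x peers are made up.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample modelled on the interface profile above.
SAMPLE_XML = """\
<l3extLNodeP name="constructed-nodeProfile">
  <l3extLIfP name="1-2-1-1_interfaceProfile">
    <l3extRsPathL3OutAtt addr="120.1.81.1/24" ifInstT="l3-port"
        tDn="topology/pod-2/paths-111/pathep-[eth1/1]">
      <bgpPeerP addr="120.1.81.2" addrTCtrl="af-label-ucast,af-ucast"
          ctrl="segment-routing-disable" peerCtrl="bfd" ttl="1">
        <bgpAsP asn="103001"/>
      </bgpPeerP>
    </l3extRsPathL3OutAtt>
    <l3extRsPathL3OutAtt addr="192.0.2.1/30" ifInstT="l3-port"
        tDn="topology/pod-2/paths-111/pathep-[eth1/2]">
      <bgpPeerP addr="192.0.2.2" addrTCtrl="af-label-ucast,af-ucast"
          ctrl="" peerCtrl="bfd" ttl="1">
        <bgpAsP asn="103001"/>
      </bgpPeerP>
    </l3extRsPathL3OutAtt>
    <l3extRsPathL3OutAtt addr="192.0.2.5/30" ifInstT="l3-port"
        tDn="topology/pod-2/paths-111/pathep-[eth1/3]">
      <bgpPeerP addr="192.0.2.6" addrTCtrl="af-label-ucast,af-ucast"
          peerCtrl="bfd" ttl="1">
        <bgpAsP asn="103001"/>
      </bgpPeerP>
    </l3extRsPathL3OutAtt>
  </l3extLIfP>
  <bgpInfraPeerP addr="201.221.202.3" addrTCtrl="af-ucast"
      ctrl="allow-self-as,dis-peer-as-check,send-com,send-ext-com"
      peerT="SR/MPLS" ttl="16">
    <bgpAsP asn="1"/>
  </bgpInfraPeerP>
</l3extLNodeP>
"""


def _flags(value: str) -> set:
    """Split a comma-separated APIC flag attribute into a set, ignoring blanks."""
    return {item.strip() for item in value.split(",") if item.strip()}


def audit_lu_peers(xml_text: str) -> List[Dict[str, str]]:
    """List BGP-LU peers (bgpPeerP with af-label-ucast) that do not disable SR."""
    root = ET.fromstring(xml_text)
    # ElementTree keeps no parent pointers, so build the child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings: List[Dict[str, str]] = []
    for peer in root.iter("bgpPeerP"):      # bgpInfraPeerP (EVPN) is a different class
        if "af-label-ucast" not in _flags(peer.get("addrTCtrl", "")):
            continue
        if "segment-routing-disable" in _flags(peer.get("ctrl", "")):
            continue
        path = parent_of.get(peer)
        asn = peer.find("bgpAsP")
        findings.append({
            "peer": peer.get("addr", "?"),
            "path": path.get("tDn", "?") if path is not None else "?",
            "remote_as": asn.get("asn", "?") if asn is not None else "?",
            "ctrl": peer.get("ctrl", "(absent)"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_lu_peers(SAMPLE_XML):
        print("SR still enabled towards", f["peer"], "AS", f["remote_as"], "on", f["path"])
```
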
This section provides a list of tests that have been validated in the framework of this CVD.
Table 2. Topology and Design

| Test Type | Test Detail |
|---|---|
| RL/BL to PE physical/logical connection | Direct 10GE link between BL/RL and PE |
| | VLAN over 10GE link between BL/RL and PE |
| | Port-channel of 10GE links between BL/RL and PE |
| | VLAN over Port-channel of 10GE links between BL/RL and PE |
| | Multiple parallel IP links between BL/RL and PE. Each IP link being a mix of Port-channel, sub-interface, physical interface. |
| RL/BL to PE underlay type | Only IPv4 underlay has been evaluated for this CVD. |
| EVPN session | EVPN session using the same loopback address for dataplane and controlplane |
| | EVPN session using a different loopback address for dataplane and controlplane |
| | EVPN session using multihop BFD |
| L3 Outs | Single MPLS infra L3out on a BL/RL |
| | Multiple MPLS infra L3out on a BL/RL |
| | Mix of regular L3outs and MPLS infra L3outs on a BL/RL using separate interfaces |
| DC-PE type | NCS5500 |
| | ASR9000 (Typhoon and Tomahawk linecards) |
| Multihoming | Each BL/RL is attached to two DC-PEs |
| Load Balancing | Multiple IP links between the RL/BL and the DC-PE |
| | Port-channels between RL/BL and the DC-PE |
| | BGP multipath at BGP LU level |
| | BGP multipath at EVPN level |
| Remote DC-PE | BGP-LU routes are redistributed in IGP by DC-PE |
| | BGP-LU is tunneled over SR or LDP by DC-PE |
| LDP support | Directly connected DC-PE and RL/BL without SR activated |
| | RL/BL using a remote DC-PE without SR activated |
| Service chaining | Traffic comes in a Cisco ACI fabric using SR/MPLS L3out then traffic is steered to a service-graph and finally exits the fabric using SR/MPLS L3out. |
| ACI as transit | Different BL Different VRF Transit |
| | Different BL Same VRF Transit |
| | Same BL Different VRF Transit |
| Mode of Testing | APIC UI configuration |
| | XML Post configuration |

Table 3. Failures

| Test Type | Test Detail |
|---|---|
| Link failures | RL/BL to DC-PE single link failure, RL/BL directly connected to DC-PE |
| | RL/BL to DC-PE Port-channel member link failure, RL/BL directly connected to DC-PE |
| | DC-PE to CORE link failure |
| | RL/BL to access PE single link failure, RL/BL uses a remote DC-PE |
| Node failures | RL/BL reload |
| | RL/BL crash |
| | BL/RL clean reload |
| | DC-PE reload |
| | DC-PE crash |

Table 4. Configuration Triggers

| Test Type | Test Detail |
|---|---|
| ACI Config triggers | Modify CP/DP TEP |
| | Increase/Decrease SRGB range |
| | Modify contract/Security policy to allow/Drop traffic |
| | Modify Export/Import policies to allow/Deny routes |
| | Modify EVPN RT |
| | Add/Delete VRF |
| | Modify BD Subnet |
| | Add/Delete Leaf Node Profile |
| | Add/Delete Leaf Interface profile |
| | Modify BGP ASN (4 Byte to 2 Byte) |
| | Add/Delete BGP Router ID |
| | Modify BGP Color |
| DC PE Config Triggers | Modify BGP VPN/EVPN RT |
| | Modify Remote ASN |
| | Modify SRGB range |
| | Shut/no shut BGP peers |

Table 5. Traffic Steering

| Test Type | Test Detail |
|---|---|
| BGP color | Modifying the BGP color associated to a tenant subnet on the BL/RL and verifying that the remote DC-PEs are steering the traffic with the appropriate policy. |
| | Having different prefixes using different colors in the same VRF on the BL/RL |

1. Stitching VRF on XR must use a Route Distinguisher that is different from the received route that must be reoriginated.
2. iBGP is not supported between DC-PE and border/remote leaf.
ACI to SR/MPLS Architecture Whitepaper
SR/MPLS Handoff Configuration Guideline
XR SR-TE Configuration Guideline