DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN nfabric) - PC on remote VTEP cant ping anything

[MSLAV]

Hello all,

can anyone help me to resolve a problem I faced playing with VXLAN EVPN?

My topology is in the attachment.
The problem in that Moved_Server1 can ping everything except Moved_Server2 and 3 behind VTEP Leaf 2 and 3.
These two servers can't ping anything.

Did anyone face the same problem or can point to guide where this explained?

Cisco has a doc talking about firewall implementations with VXLAn fabric- https://www.cisco.com/c/dam/en/us/produ ... 736585.pdf
And it seems that my scenario is valid ...but doesn't work

[paulno1]

Hi, please come onto rocket chat technical discussion chat and i can help you with this, i'm just in the process of fitting my firewalls into a evpn fabric, this comes under cisco programmable fabric and you can have both L2 and L3 firewall modes

your issue has to be down to ACLs, do you not get any hits at all?

my design is different in that im using multiple tenants and vrfs @ the l3 vni level

[Uldis (UD)]

Paul meant:

http://www.eve-ng.net/live-helpdesk
Use your google account or create new for chat.

It is Tech room.

UD

[sanjeevlsg]

Can you guys attach the unl file ,so we can test it out too and If you have exported cfg. Thanks

[MSLAV]

UPDATE:
Ok, I created a new lab ( in attachments).
The scenario is the following:
Customer A has old infra with Servers connected to the CORE switch, Gateways are on the CORE.
Now they are building VXLAN fabric.
New servers will be connected directly to Leafs with Anycast Gateways on them.
Old servers will be transitioned to Leafs with the step-by-step approach, so keeping GW on a Core is mandatory until all servers are migrated.

I was able to make it work with some limitations:

1. "hardware access-list TCAM region arp-ether 256 double-wide" - added double-wide
2. it seems that I have to have Old-Servers on both Leafs. If Old_Servers are connected to a Leaf which does not have direct L2 Trunk to a CORE - it doesn't work. I guess there is something wrong with Control Plane/ARP/ or something. SO, Servers in "Green" can ping everything, Server in "Red" behind Leaf2 can't even get out.

The general technical solution is described in this doc - ttps://www.cisco.com/c/dam/en/us/produ ... 736585.pdf

Next step is to try it on real hardware and involve Cisco TAC.
Maybe it's not supported design at all, or I am missing something.

[MSLAV]

Update:
moved all gateways to VXLAN Fabric - works OK, all can ping all.
Migration strategy will be to move old servers within an old VLAN to VXLANs Fabric with its Gateways.

Still, do not understand why NVE do not forward arp request for vlan 805 GW from SRV2-1-805 to CORE though.

[Uldis (UD)]

Dear MSLAV,

you can export your lab and upload here.
Upload is in zip, just use EVE GUI export lab

[MSLAV]

Sure.
Problem is that this lab doesn't look like as it was posted here, I was playing with it trying different staff.

I'm adding a lab which was in the beginning of the post.
Problem is that servers with GWs on a Core switch and connected to Leaf2 become isolated.
With GWs on VTEPs ( anycast gw), everything is working good.

I hope someone can figure it out.

BTW, there is another article about this kind of implementation; https://nwktimes.blogspot.com/2018/10/v ... ation.html

[MSLAV]

UPDATE:

Tried on real hardware, all is working as expected: PCs on remote Leaf are able to ping its GW on an external L3 device (a Core).
It seems that the issue relates to EVE_NG, whether its an IOL on a CORE switch ( I use 15.2a) or Nexuses itself. I also tried L3 IOL - same results, not working solution.
I guess EVE just do not support "Routed East-West Firewall" design.

UPDATE:

Finally made it work with vIOS L2 image.
And I was missing ip pim rp-address [anycast-rp] on Spines
Problem solved

This solution: https://www.cisco.com/c/dam/en/us/produ ... 736585.pdf is 100% working in EVE_NG and EVE-NG does its job perfectly.

[rumshot]

Hi MsLav,

Im passing thru a similar situation where i need to integrate an old topology to a new fabric.
Do you have documented the latest lab version ? im using a nexus as bridge following cisco advise, but its getting difficult day by day...

best regards,