Virtual Ethernet Segments

This chapter provides information about Virtual Ethernet Segments.

Applicability

This chapter was initially written based on SR OS Release 15.0.R3, but the CLI in the current edition is based on SR OS Release 21.2.R2. Virtual Ethernet segments are supported in SR OS Release 15.0.R1 and later.

Overview

RFC 7432 describes the use and procedures for Ethernet segments (ESs) that can be associated with physical Ethernet ports and LAGs. The SR OS implementation also allows an ES to be associated with SDPs. ESs meet the redundancy requirements of directly connected CEs. However, ESs will not work when an aggregation network exists between CEs and ES PEs, which requires different ESs to be defined for the port, LAG, or SDP. Draft-ietf-bess-evpn-virtual-eth-segment describes how virtual ESs (vESs) can be defined with an Attachment Circuit (AC) level granularity. Figure 1 shows an example where vES definition at the pseudowire (PW) granularity level is required:

Figure 1. vESs for PWs

When a Layer 2 aggregation network is used to get access to EVPN, the association of ACs that belong to the same ES and physical ports or SDPs can be arbitrary. For example, the SDP between MTU-1 and PE-3 (Figure 1) cannot be associated with only one ES, because it is being used by two different CEs that require different ESs. The association must be at spoke-SDP level. The RFC 7432 port/lag-based ES definition is not sufficient, so vESs need to be defined. Virtual ESs can be configured with up to eight ranges of one or more:

  • VC-IDs (spoke-SDPs)

  • Q-tags (dot1q)

  • S-tags (qinq)

  • C-tags for a fixed S-tag (qinq)

Mesh-SDPs are not allowed for an SDP used by a vES.

Virtual ESs are configured as Ethernet segments with the creation-time keyword virtual:

*A:PE-2>config>service>system>bgp-evpn# ethernet-segment ? 
  - ethernet-segment <name> [create] [virtual]
  - no ethernet-segment <name>

 <name>               : [32 chars max]
 <virtual>            : keyword

      dot1q           + Configure dot1q port or lag information
 [no] es-activation-* - Configure ethernet segment activation timer
 [no] es-orig-ip      - Configure ES route's originating IP address.
 [no] esi             - Configure ethernet segment identifier
 [no] lag             - Configure lag for service BGP EVPN ethernet segment
 [no] multi-homing    - Configure multi-homing for service BGP EVPN ethernet segment
 [no] network-interc* - Configure network interconnect vxlan information
 [no] oper-group      - Configure operational-group for the ethernet-segment
 [no] port            - Configure port for service BGP EVPN ethernet segment
 [no] pw-port         - Configure pw-port for service BGP EVPN ethernet segment
      qinq            + Configure qinq port or lag information
 [no] route-next-hop  - Configure next hop IP for ES and AD per-ES routes.
 [no] sdp             - Configure sdp for service BGP EVPN ethernet segment
      service-carving + Configure service carving mode for BGP EVPN ethernet segment
      service-id      + Configure service id vxlan information under ethernet segment
 [no] shutdown        - Enable/disable administrative state of the ethernet segment
 [no] source-bmac-lsb - Configure source  BMAC address LSB information
 [no] vc-id-range     - Configure VC ID range   

Virtual ES "vESI-23_600" is associated with LAG 1 and one service-delimiting VLAN range is defined for the S-tag, as follows:

# on PE-2, PE-3:
configure
    service
        system
            bgp-evpn
                ethernet-segment "vESI-23_600" virtual create
                    esi 01:00:00:00:00:23:06:00:00:01
                    es-activation-timer 3
                    service-carving
                        mode manual
                        manual
                            evi 2
                        exit
                    exit
                    multi-homing all-active
                    lag 1
                    qinq
                        s-tag-range 600 to 602
                    exit
                    no shutdown
                exit

The configured ES will match all the SAPs for which the top (outer) service-delimiting tag is within the 600 to 602 range.

When the ES is created as virtual, a port, LAG, or SDP needs to be created before any VLAN or VC-ID can be associated.

  • For VC-ID, only spoke-SDPs are allowed, no mesh-SDPs. Manual spoke-SDP VC-IDs and BGP-AD VC-IDs can be included in the range.

  • For dot1q, only those SAPs that match the service-delimiting VLAN range will be associated with the vES.

  • For qinq, the following two commands can be configured, with a mutually exclusive S-tag:

    • s-tag-range <qtag1> to <qtag1> - associates all qinq SAPs with outer tag between the configured qtags.

    • s-tag <qtag1> c-tag-range <qtag2> to <qtag2> - associates all qinq SAPs with outer qtag1 and inner qtag between the configured qtag2 values to the vES.

    A mutually exclusive S-tag means that a value for the S-tag can be configured in either of the two commands, but not in both.

Table 1 shows the supported examples for qtag values between 1 and 4094; Table 2 shows the supported examples for qtag values 0, *, and null:

Table 1. Supported examples for Q-tag values between 1 and 4094

vES configuration for port 1/1/1          SAP association
----------------------------------------  ------------------------------------------------------------------------------
dot1q qtag-range 100                      1/1/1:100
dot1q qtag-range 100 to 102               1/1/1:100, 1/1/1:101, 1/1/1:102
qinq s-tag 100 c-tag-range 200            1/1/1:100.200
qinq s-tag 100 c-tag-range 200 to 202     1/1/1:100.200, 1/1/1:100.201, 1/1/1:100.202
qinq s-tag-range 100                      All SAPs 1/1/1:100.x (x being 1 to 4094, 0, or *)
qinq s-tag-range 100 to 102               All SAPs 1/1/1:100.x, 1/1/1:101.x, 1/1/1:102.x (x being 1 to 4094, 0, or *)

Table 2. Supported examples for Q-tag values 0, *, and null

vES configuration for port 1/1/1          SAP association
----------------------------------------  ----------------
dot1q qtag-range 0                        1/1/1:0
dot1q qtag-range *                        1/1/1:*
qinq s-tag 0 c-tag-range *                1/1/1:0.*
qinq s-tag * c-tag-range *                1/1/1:*.*
qinq s-tag * c-tag-range null             1/1/1:*.null

Considerations:

  • The ranges can be modified on the fly: qtag-range, s-tag/c-tag-range, vc-id-range.

  • For port-based vESs, PXC sub-ports are supported. For more information about PXC, see chapter Port Cross-Connect (PXC) in the Interface Configuration volume of the 7450 ESS, 7750 SR, and 7950 XRS Advanced Configuration Guide - Part I.

  • Virtual ESs are supported in EVPN-MPLS, PBB-EVPN, and EVPN-VPWS.

  • Virtual ESs are supported in single-active and all-active EVPN multi-homing.

    • Two all-active vESs must use different ES-BMAC addresses, even if they are defined in the same LAG.

  • Virtual ESs implement CMAC flush procedures described in RFC 7623. Optionally, ISID-based CMAC-flush can be used where the single-active vES does not use ES-BMAC allocation. See chapter PBB-EVPN ISID-based CMAC Flush.

  • Connection-profile-vlan SAPs (CP-SAPs) cannot be associated with a vES and cannot be configured on ports where vESs are defined. For more information about CP-SAPs, see chapter VLAN Range SAPs for VPLS and Epipe Services.

Configuration

Figure 2 shows the example topology with four core PEs in an EVPN-MPLS network and two MTUs. VPLS 1 is configured in all the nodes. EVPN is configured on the core PEs, not on the MTUs. LAG 1 is configured on MTU-1, PE-2, and PE-3 and associated with an all-active vES "vESI-23_1" on PE-2 and PE-3. A single-active vES "vESI-45_1" is configured on PE-4 and PE-5, associated with SDPs.

Figure 2. Example topology

The configuration is similar to the one in chapter EVPN for MPLS Tunnels, where the parameters are described in detail.

The initial configuration on the nodes includes the following:

  • Cards, MDAs, ports

  • Router interfaces

  • IS-IS (alternatively, OSPF can be configured)

  • LDP in the IP/MPLS core and IP/MPLS access network

LAG 1 is configured with qinq encapsulation. The LAG configuration on MTU-1 is as follows:

# on MTU-1:
configure
    lag 1 name "lag-1"
        mode access
        encap-type qinq
        port 1/1/1
        port 1/1/2
        lacp active administrative-key 32768
        no shutdown

BGP is configured on all PEs for address family EVPN. PE-2 is the Route Reflector (RR) and is configured as follows.

# on RR PE-2:
configure
    router Base
        autonomous-system 64500
        bgp
            vpn-apply-import
            vpn-apply-export
            enable-peer-tracking
            rapid-withdrawal
            split-horizon
            rapid-update evpn
            group "internal"
                family evpn
                cluster 1.1.1.1
                peer-as 64500
                neighbor 192.0.2.3
                exit
                neighbor 192.0.2.4
                exit
                neighbor 192.0.2.5
                exit
            exit

VPLS 1 is configured on all nodes. On the PEs, BGP-EVPN is enabled for MPLS. The following is configured on PE-2:

# on PE-2:
configure
    service
        vpls 1 name "VPLS 1" customer 1 create
            bgp
            exit
            bgp-evpn
                evi 1
                mpls bgp 1
                    ingress-replication-bum-label
                    ecmp 2
                    auto-bind-tunnel
                        resolution any
                    exit
                    no shutdown
                exit
            exit
            stp
                shutdown
            exit
            sap lag-1:1.1 create
                no shutdown
            exit
            no shutdown
        exit

The configuration on the other PEs is similar, but on PE-4 and PE-5, a spoke-SDP is configured instead of a SAP. The service configuration on PE-4 is as follows:

# on PE-4:
configure
    service
        sdp 46 mpls create
            far-end 192.0.2.6
            ldp
            keep-alive
                shutdown
            exit
            no shutdown
        exit
        vpls 1 name "VPLS 1" customer 1 create
            bgp
            exit
            bgp-evpn
                evi 1
                mpls bgp 1
                    ingress-replication-bum-label
                    ecmp 2
                    auto-bind-tunnel
                        resolution any
                    exit
                    no shutdown
                exit
            exit
            stp
                shutdown
            exit
            spoke-sdp 46:1 create
                no shutdown
            exit
            no shutdown
        exit

Virtual ESs must be created with the virtual keyword; if not, the following error is raised after an attempt to define a range:

*A:PE-2>config>service>system>bgp-evpn>eth-seg>qinq# s-tag-range 1
MINOR: SVCMGR #8070 Cannot create range - ethernet-segment is not virtual

On PE-2 and PE-3, the following two all-active multi-homing vESs are created, each with a unique ESI:

# on PE-2, PE-3:
configure
    service
        system
            bgp-evpn
                ethernet-segment "vESI-23_1" virtual create
                    esi 01:00:00:00:00:23:01:00:00:01
                    es-activation-timer 3
                    service-carving
                        mode auto
                    exit
                    multi-homing all-active
                    lag 1
                    qinq
                        s-tag-range 1
                        s-tag-range 500 to 501
                        s-tag 495 c-tag-range 100 to 102
                    exit
                    no shutdown
                exit
                ethernet-segment "vESI-23_600" virtual create
                    esi 01:00:00:00:00:23:06:00:00:01
                    es-activation-timer 3
                    service-carving
                        mode manual
                        manual
                            evi 2
                        exit
                    exit
                    multi-homing all-active
                    lag 1
                    qinq
                        s-tag-range 600 to 602
                    exit
                    no shutdown
                exit

When attempting to configure another vES with the ESI of an existing ES/vES, the following error is raised:

*A:PE-2>config>service>system>bgp-evpn# ethernet-segment "vESI-23_610" virtual create
*A:PE-2>config>service>system>bgp-evpn>eth-seg# esi 01:00:00:00:00:23:06:00:00:01
MINOR: SVCMGR #8047 Ethernet segment id is not valid - ESI already in use by another ethernet segment

Multiple vESs can be defined on the same LAG. However, the ranges should not overlap. The following error is raised after attempting to configure an additional range in vES "vESI-23_600" that uses S-tag 600 in combination with a range of C-tags. S-tag 600 is already included in the first range: s-tag-range 600 to 602. The error message points out that this range is of a different type: the existing range defines only S-tags, whereas the new range defines a range of C-tags for S-tag 600.

*A:PE-2>config>service>system>bgp-evpn>eth-seg>qinq# s-tag 600 c-tag-range 100 to 111
MINOR: SVCMGR #8070 Cannot create range - range overlaps with existing range of a different type

When attempting to define s-tag-range 1 in "vESI-23_2", when S-tag 1 is already defined in "vESI-23_1", the following error is raised:

*A:PE-2>config>service>system>bgp-evpn>eth-seg>qinq# s-tag-range 1
MINOR: SVCMGR #8070 Cannot create range - range overlaps with existing range in ethernet-segment vESI-23_1
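
The overlap rules above and the qinq SAP association of Table 1 can be checked offline before a change is pushed to a node. The following Python sketch is an added example, not SR OS code and not the validation logic of the node itself: the names QinqRange, find_conflict, and ves_for_sap are hypothetical, the access key "lag-1" follows the SAP notation used in VPLS 1, and the ranges are constructed from the PE-2/PE-3 configuration on this page. The special tag values of Table 2 for the outer tag are not modelled.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class QinqRange:
    ves: str                     # vES name
    access: str                  # port or LAG of the vES (assumed key, SAP-style "lag-1")
    s_lo: int                    # first outer (S) tag
    s_hi: int                    # last outer (S) tag
    c_lo: Optional[int] = None   # None: s-tag-range form, any inner tag matches
    c_hi: Optional[int] = None

    @property
    def s_only(self) -> bool:
        return self.c_lo is None


# Constructed from the vESI-23_1 and vESI-23_600 configuration on this page.
RANGES = [
    QinqRange("vESI-23_1", "lag-1", 1, 1),
    QinqRange("vESI-23_1", "lag-1", 500, 501),
    QinqRange("vESI-23_1", "lag-1", 495, 495, 100, 102),
    QinqRange("vESI-23_600", "lag-1", 600, 602),
]


def find_conflict(existing, new):
    """Return (kind, vES name) for the first range that clashes with `new`, else None."""
    for old in existing:
        if old.access != new.access:
            continue  # ranges only compete on the same port or LAG
        if old.s_hi < new.s_lo or new.s_hi < old.s_lo:
            continue  # outer tags are disjoint
        if old.s_only != new.s_only:
            # The same S-tag in an s-tag-range and in an s-tag/c-tag-range.
            return ("different-type", old.ves)
        if old.s_only or not (old.c_hi < new.c_lo or new.c_hi < old.c_lo):
            return ("same-type", old.ves)
    return None


def ves_for_sap(ranges, sap):
    """Map a qinq SAP such as 'lag-1:495.101' to its vES name, or None."""
    access, _, tags = sap.partition(":")
    outer, _, inner = tags.partition(".")
    if not outer.isdigit():
        return None  # outer '*' belongs to the Table 2 forms, not modelled here
    for r in ranges:
        if r.access != access or not (r.s_lo <= int(outer) <= r.s_hi):
            continue
        if r.s_only:
            return r.ves  # inner tag may be 1 to 4094, 0, or *
        if inner.isdigit() and r.c_lo <= int(inner) <= r.c_hi:
            return r.ves
    return None


if __name__ == "__main__":
    for sap in ("lag-1:1.1", "lag-1:495.101", "lag-1:495.200", "lag-1:601.*"):
        print(sap, "->", ves_for_sap(RANGES, sap))
    candidates = [
        QinqRange("vESI-23_600", "lag-1", 600, 600, 100, 111),  # rejected on this page
        QinqRange("vESI-23_2", "lag-1", 1, 1),                  # rejected on this page
        QinqRange("vESI-23_1", "lag-1", 10, 10),                # accepted on this page
    ]
    for cand in candidates:
        print(cand, "->", find_conflict(RANGES, cand))
```
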

On PE-4, the following single-active multi-homing vESs are configured. The configuration on PE-5 contains a different SDP.

# on PE-4:
configure
    service
        system
            bgp-evpn
                ethernet-segment "vESI-45_1" virtual create
                    esi 01:00:00:00:00:45:01:00:00:01
                    es-activation-timer 3
                    service-carving
                        mode auto
                    exit
                    multi-homing single-active
                    sdp 46
                    vc-id-range 1
                    vc-id-range 500 to 501
                    no shutdown
                exit
                ethernet-segment "vESI-45_2" virtual create
                    esi 01:00:00:00:00:45:02:00:00:01
                    es-activation-timer 3
                    service-carving
                        mode manual
                        manual
                            evi 2
                        exit
                    exit
                    multi-homing single-active
                    sdp 46
                    vc-id-range 2
                    no shutdown
                exit

The configured ESs and vESs can be retrieved as follows:

*A:PE-2# show service system bgp-evpn ethernet-segment
 
===============================================================================
Service Ethernet Segment
===============================================================================
Name                             ESI                           Admin     Oper
-------------------------------------------------------------------------------
vESI-23_1                        01:00:00:00:00:23:01:00:00:01 Enabled   Up
vESI-23_600                      01:00:00:00:00:23:06:00:00:01 Enabled   Up
-------------------------------------------------------------------------------
Entries found: 2
===============================================================================

The following information for the first entry in the list shows that it is a virtual ES.

*A:PE-2# show service system bgp-evpn ethernet-segment name "vESI-23_1" 

===============================================================================
Service Ethernet Segment
===============================================================================
Name                    : vESI-23_1
Eth Seg Type            : Virtual            
Admin State             : Enabled            Oper State         : Up
ESI                     : 01:00:00:00:00:23:01:00:00:01
Multi-homing            : allActive          Oper Multi-homing  : allActive
ES SHG Label            : 524280             
Source BMAC LSB         : <none>             
Lag Id                  : 1                  
ES Activation Timer     : 3 secs             
Oper Group              : (Not Specified)
Svc Carving             : auto               Oper Svc Carving   : auto
Cfg Range Type          : primary            
===============================================================================

Virtual ES "vESI-23_1" on PE-2 has the following S-tag ranges and S/C-tag ranges:

*A:PE-2# show service system bgp-evpn ethernet-segment name "vESI-23_1" virtual-ranges
 
===============================================================================
Q-Tag Ranges
===============================================================================
Q-Tag Start         Q-Tag End           Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================
 
===============================================================================
VC-Id Ranges
===============================================================================
VC-Id Start         VC-Id End           Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================
 
===============================================================================
S-Tag Ranges
===============================================================================
S-Tag Start         S-Tag End           Last Changed
-------------------------------------------------------------------------------
1                   1                   04/19/2021 12:21:18
500                 501                 04/19/2021 12:21:18
-------------------------------------------------------------------------------
Number of Entries: 2
===============================================================================
 
===============================================================================
S-Tag C-Tag Ranges
===============================================================================
S-Tag Start         C-Tag Start         C-Tag End       Last Changed
-------------------------------------------------------------------------------
495                 100                 102             04/19/2021 12:21:18
-------------------------------------------------------------------------------
Number of Entries: 1
===============================================================================
 
===============================================================================
Vxlan Instance Service Ranges
===============================================================================
Svc Range Start          Svc Range End            Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================

The ranges in the vES can be modified while the vES is operationally up, for example, an S-tag range can be added as follows:

# on PE-2:
configure 
    service 
        system 
            bgp-evpn 
                ethernet-segment "vESI-23_1" 
                    qinq 
                        s-tag-range 10 

The S-tag ranges can be verified with the following command. Compared with the preceding output, the S-tag 10 has been added:

*A:PE-2# show service system bgp-evpn ethernet-segment name "vESI-23_1" virtual-ranges | match S-Tag post-lines 9
S-Tag Ranges
===============================================================================
S-Tag Start         S-Tag End           Last Changed
-------------------------------------------------------------------------------
1                   1                   04/19/2021 12:21:18
10                  10                  04/19/2021 12:27:11
500                 501                 04/19/2021 12:21:18
-------------------------------------------------------------------------------
Number of Entries: 3
===============================================================================
 
===============================================================================
S-Tag C-Tag Ranges
===============================================================================
S-Tag Start         C-Tag Start         C-Tag End       Last Changed
-------------------------------------------------------------------------------
495                 100                 102             04/19/2021 12:21:18
-------------------------------------------------------------------------------
Number of Entries: 1
===============================================================================
 
===============================================================================
Vxlan Instance Service Ranges
===============================================================================

On PE-4, the same show command shows the range of VC-IDs, as follows:

*A:PE-4# show service system bgp-evpn ethernet-segment name "vESI-45_1" virtual-ranges
 
===============================================================================
Q-Tag Ranges
===============================================================================
Q-Tag Start         Q-Tag End           Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================
 
===============================================================================
VC-Id Ranges
===============================================================================
VC-Id Start         VC-Id End           Last Changed
-------------------------------------------------------------------------------
1                   1                   04/19/2021 12:24:50
500                 501                 04/19/2021 12:24:50
-------------------------------------------------------------------------------
Number of Entries: 2
===============================================================================
 
===============================================================================
S-Tag Ranges
===============================================================================
S-Tag Start         S-Tag End           Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================
 
===============================================================================
S-Tag C-Tag Ranges
===============================================================================
S-Tag Start         C-Tag Start         C-Tag End       Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================
 
===============================================================================
Vxlan Instance Service Ranges
===============================================================================
Svc Range Start          Svc Range End            Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================

Connection-profile-vlan SAPs (CP-SAPs) cannot be associated with a vES and cannot be configured on ports where vESs are defined. CP-SAP 10 is created on PE-3, as follows:

# on PE-3:
configure
    connection-profile-vlan 10 create
        vlan-range 5 to 100
        vlan-range 495
    exit

The following vES is configured on PE-3:

# on PE-3:
configure
    service
        system
            bgp-evpn
                ethernet-segment "vESI-23_10" virtual create
                    esi 01:00:00:00:00:23:10:00:00:01
                    es-activation-timer 3
                    service-carving
                        mode auto
                    exit
                    multi-homing single-active
                    port 1/2/3
                    qinq
                        s-tag-range 100
                    exit
                    no shutdown
                exit

This vES can only be configured when no CP-SAPs are defined on port 1/2/3. The following error message is raised when a CP-SAP is configured on port 1/2/3 already and the vES is configured afterward:

*A:PE-3>config>service>system>bgp-evpn>eth-seg# port 1/2/3
MINOR: SVCMGR #8048 Ethernet segment access port/lag/sdp/vxlan-instance/pw-port is not valid - not allowed when connection profile saps configured on port/lag

When attempting to configure CP-SAP 1/2/3:cp-10 in VPLS 1 with port 1/2/3 associated with a vES, the following error message is raised.

*A:PE-3>config>service>vpls# sap 1/2/3:100.cp-10 create
MINOR: SVCMGR #6044 Cannot create sap - sap type not allowed when port is associated with virtual ethernet-segment

Conclusion

Regular ESs and vESs can be associated with ports, LAGs, and SDPs; in case of vES, ranges of Q-tags, S-tags, C-tags, or VC-IDs can be defined. The granularity for vES is per AC. Multiple vESs with different ESIs can be defined on the same port, LAG, or SDP.