Virtual Ethernet Segments
This chapter provides information about Virtual Ethernet Segments.
Topics in this chapter include:
Applicability
This chapter was initially written based on SR OS Release 15.0.R3, but the MD-CLI in the current edition is based on SR OS Release 21.2.R2. Virtual Ethernet segments are supported in SR OS Release 15.0.R1, and later.
Overview
RFC 7432 describes the use and procedures for Ethernet segments (ESs) that can be associated with physical Ethernet ports and LAGs. The SR OS implementation also allows an ES to be associated with SDPs. ESs meet the redundancy requirements of directly connected CEs. However, ESs will not work when an aggregation network exists between CEs and ES PEs, which requires different ESs to be defined for the port, LAG, or SDP. Draft-ietf-bess-evpn-virtual-eth-segment describes how virtual ESs (vESs) can be defined with an Attachment Circuit (AC) level granularity. vESs for PWs shows an example where vES definition at the pseudowire (PW) granularity level is required:
When a Layer 2 aggregation network is used to get access to EVPN, the association of ACs that belong to the same ES and physical ports or SDPs can be arbitrary. For example, the SDP between MTU-1 and PE-3 (vESs for PWs) cannot be associated with only one ES, because it is being used by two different CEs that require different ESs. The association must be at spoke-SDP level. The RFC 7432 port/lag-based ES definition is not sufficient, so vESs need to be defined. Virtual ESs can be configured with up to eight ranges of one or more:
-
VC-IDs (spoke-SDPs)
-
Q-tags (dot1q)
-
S-tags (qinq)
-
C-tags for a fixed S-tag (qinq)
Mesh-SDPs are not allowed for an SDP used by a vES.
Virtual ESs are configured as Ethernet segments of type virtual:
*[ex:/configure service system bgp evpn ethernet-segment "ESI-1"]
A:admin@PE-2# type ?
type <keyword>
<keyword> - (none|virtual)
Default - none
'type' is: immutable
Type of the ethernet segment.
Warning: Modifying this element recreates
'configure service system bgp evpn ethernet-segment "ESI-1"' automatically for the
new value to take effect.
Virtual ES "vESI-23_600" is associated with LAG 1 and one service-delimiting VLAN range is defined for the S-tag, as follows:
# on PE-2, PE-3:
configure {
service {
system {
bgp {
evpn {
ethernet-segment "vESI-23_600" {
admin-state enable
type virtual
esi 01:00:00:00:00:23:06:00:00:01
multi-homing-mode all-active
df-election {
es-activation-timer 3
service-carving-mode manual
manual {
evi 2 {
end 2
}
}
}
association {
lag "lag-1" {
virtual-ranges {
qinq {
s-tag 600 {
end 602
}
}
}
}
}
}
}
The configured ES will match all the SAPs for which the top (outer) service-delimiting tag is within the 600 to 602 range.
When the ES is created as virtual, a port, LAG, or SDP needs to be created before any VLAN or VC-ID can be associated.
-
For VC-ID, only spoke-SDPs are allowed, no mesh-SDPs. Manual spoke-SDP VC-IDs and BGP-AD VC-IDs can be included in the range.
-
For dot1q, only those SAPs that match the service-delimiting VLAN range will be associated with the vES
-
For qinq, the following two commands can be configured, with a mutually exclusive S-tag:
-
s-tag <qtag1> end <qtag1> - associates all qinq SAPs with outer tag between the configured qtags.
-
s-tag-c-tag <qtag1> c-tag-start <qtag2> c-tag-end <qtag2> - associates all qinq SAPs with outer qtag1 and inner qtag between the configured qtag2 values to the vES
A mutually exclusive S-tag means that a value for the S-tag can be configured in either of the two commands, but not in both.
-
Supported examples for Q-tag values between 1 and 4094 shows the supported examples for qtag values between 1 and 4094; Supported examples for Q-tag values 0, *, and null shows the supported examples for qtag values 0, *, and null:
|
vES configuration for port 1/1/1 |
SAP association |
|---|---|
|
dot1q qtag 100 |
1/1/1:100 |
|
dot1q qtag-range 100 to 102 |
1/1/1:100, 1/1/1:101, 1/1/1:102 |
|
qinq s-tag 100 c-tag 200 |
1/1/1:100.200 |
|
qinq s-tag 100 c-tag-range 200 to 202 |
1/1/1:100.200, 1/1/1:100.201, 1/1/1:100.202 |
|
qinq s-tag 100 |
All SAPs 1/1/1:100.x (x being 1 to 4094, 0, or *) |
|
qinq s-tag-range 100 to 102 |
All SAPs 1/1/1:100.x, 1/1/1:101.x, 1/1/1:102.x (x being 1 to 4094, 0, or *) |
|
vES configuration for port 1/1/1 |
SAP association |
|---|---|
|
dot1q qtag 0 |
1/1/1:0 |
|
dot1q qtag * |
1/1/1:* |
|
qinq s-tag 0 c-tag * |
1/1/1:0.* |
|
qinq s-tag * c-tag * |
1/1/1:*.* |
|
qinq s-tag * c-tag null |
1/1/1:*.null |
Considerations:
-
The ranges can be modified on the fly for qtag, s-tag/c-tag, or vc-id.
-
For port-based vESs, PXC sub-ports are supported. For more information about PXC, see the "Port Cross-Connect (PCX)" chapter in the Interface Configuration volume in the 7450 ESS, 7750 SR, and 7950 XRS MD-CLI Advanced Configuration Guide - Part I.
-
Virtual ESs are supported in EVPN-MPLS, PBB-EVPN, and EVPN-VPWS
-
Virtual ESs are supported in single-active and all-active EVPN multi-homing
-
Two all-active vESs must use different ES-BMAC addresses, even if they are defined in the same LAG.
-
-
Virtual ESs implement CMAC flush procedures described in RFC 7623. Optionally, ISID-based CMAC-flush can be used where the single-active vES does not use ES-BMAC allocation. See chapter PBB-EVPN ISID-based CMAC Flush.
-
Connection-profile-vlan SAPs (CP-SAPs) cannot be associated with a vES and cannot be configured on ports where vESs are defined. For more information about CP-SAPs, see chapter VLAN Range SAPs for VPLS and Epipe Services.
Configuration
Example topology shows the example topology with four core PEs in an EVPN-MPLS network and two MTUs. VPLS 1 is configured in all the nodes. EVPN is configured on the core PEs, not on the MTUs. LAG 1 is configured on MTU-1, PE-2, and PE-3 and associated with an all-active vES "ESI-23_1" on PE-2 and PE-3. A single-active vES "ESI-45_1" is configured on PE-4 and PE-5, associated with SDPs.
The configuration is similar to the one in chapter EVPN for MPLS Tunnels, where the parameters are described in detail.
The initial configuration on the nodes includes the following:
-
Cards, MDAs, ports
-
Router interfaces
-
IS-IS (alternatively, OSPF can be configured)
-
LDP in the IP/MPLS core and IP/MPLS access network
LAG 1 is configured with qinq encapsulation. The LAG configuration on MTU-1 is as follows:
# on MTU-1:
configure {
lag "lag-1" {
admin-state enable
encap-type qinq
mode access
max-ports 64
lacp {
mode active
administrative-key 32768
}
port 1/1/1 {
}
port 1/1/2 {
}
}
BGP is configured on all PEs for address family EVPN. PE-2 is the Route Reflector (RR) and is configured as follows.
# on RR PE-2:
configure {
router "Base" {
autonomous-system 64500
bgp {
vpn-apply-export true
vpn-apply-import true
rapid-withdrawal true
peer-ip-tracking true
split-horizon true
rapid-update {
evpn true
}
group "internal" {
peer-as 64500
family {
evpn true
}
cluster {
cluster-id 1.1.1.1
}
}
neighbor "192.0.2.3" {
group "internal"
}
neighbor "192.0.2.4" {
group "internal"
}
neighbor "192.0.2.5" {
group "internal"
}
}
VPLS 1 is configured on all nodes. On the PEs, BGP-EVPN is enabled for MPLS. The following is configured on PE-2:
# on PE-2:
configure {
service {
vpls "VPLS 1" {
admin-state enable
service-id 1
customer "1"
bgp 1 {
}
bgp-evpn {
evi 1
mpls 1 {
admin-state enable
ingress-replication-bum-label true
ecmp 2
auto-bind-tunnel {
resolution any
}
}
}
sap lag-1:1.1 {
}
}
The configuration on the other PEs is similar, but on PE-4 and PE-5, a spoke-SDP is configured instead of a SAP. The service configuration on PE-4 is as follows:
# on PE-4:
configure {
service {
sdp 46 {
admin-state enable
delivery-type mpls
ldp true
far-end {
ip-address 192.0.2.6
}
}
vpls "VPLS 1" {
admin-state enable
service-id 1
customer "1"
bgp 1 {
}
bgp-evpn {
evi 1
mpls 1 {
admin-state enable
ingress-replication-bum-label true
ecmp 2
auto-bind-tunnel {
resolution any
}
}
}
spoke-sdp 46:1 {
}
}
Virtual ESs must be configured with type virtual; if not, the following error is raised after an attempt to define virtual ranges:
*[ex:/configure service system bgp evpn ethernet-segment "ESI-3" association lag "lag-1"]
A:admin@PE-2# virtual-ranges {
MINOR: MGMT_CORE #2203: configure service system bgp evpn ethernet-segment "ESI-3" association lag "lag-1" virtual-ranges - Invalid element - virtual-ranges allowed only on virtual ethernet-segments
On PE-2 and PE-3, the two following two all-active multi-homing vESs are created, each with a unique ESI:
# on PE-2, PE-3:
configure {
service {
system {
bgp {
evpn {
ethernet-segment "vESI-23_1" {
admin-state enable
type virtual
esi 01:00:00:00:00:23:01:00:00:01
multi-homing-mode all-active
df-election {
es-activation-timer 3
}
association {
lag "lag-1" {
virtual-ranges {
qinq {
s-tag-c-tag 495 c-tag-start 100 {
c-tag-end 102
}
s-tag 1 {
end 1
}
s-tag 500 {
end 501
}
}
}
}
}
}
ethernet-segment "vESI-23_600" {
admin-state enable
type virtual
esi 01:00:00:00:00:23:06:00:00:01
multi-homing-mode all-active
df-election {
es-activation-timer 3
service-carving-mode manual
manual {
evi 2 {
end 2
}
}
}
association {
lag "lag-1" {
virtual-ranges {
qinq {
s-tag 600 {
end 602
}
}
}
}
}
}
}
When attempting to configure another vES with the ESI of an existing ES/vES, the following error is raised:
*[ex:/configure service system bgp evpn ethernet-segment "vESI-23_610"]
A:admin@PE-2# esi 01:00:00:00:00:23:06:00:00:01
*[ex:/configure service system bgp evpn ethernet-segment "vESI-23_610"]
A:admin@PE-2# commit
MINOR: SVCMGR #1003: configure service system bgp evpn ethernet-segment "vESI-23_610" - Inconsistent value - esi 01:00:00:00:00:23:06:00:00:01 in use by ethernet segment vESI-23_600
Multiple vESs can be defined on the same LAG. However, the ranges should not overlap. The following error is raised after attempting to configure an additional range in vES "ESI-23_600" that uses S-tag 600 in combination with a range of C-tags. S-tag 600 is already included in the first range: s-tag 600 end 602. The error message points out that this range is of a different type: the existing range defines only S-tags, whereas the new range defines a range of C-tags for S-tag 600.
*[ex:/configure service system bgp evpn ethernet-segment "vESI-23_600" association lag "lag-1" virtual-ranges qinq s-tag-c-tag 600 c-tag-start 100]
A:admin@PE-2# commit
MINOR: SVCMGR #1003: configure service system bgp evpn ethernet-segment "vESI-23_600" association lag "lag-1" virtual-ranges qinq s-tag-c-tag 600 c-tag-start 100 - Inconsistent value - range overlaps with range of a different type in this ethernet-segment
When attempting to define s-tag 1 in "vESI-23_2", when S-tag 1 is already defined in "vESI-23_1", the following error is raised:
*[ex:/configure service system bgp evpn ethernet-segment "vESI-23_600" association lag "lag-1" virtual-ranges qinq s-tag 1]
A:admin@PE-2# commit
MINOR: SVCMGR #1003: configure service system bgp evpn ethernet-segment "vESI-23_600" association lag "lag-1" virtual-ranges qinq s-tag 1 - Inconsistent value - range overlaps with range in ethernet-segment vESI-23_1
On PE-4, the following single-active multi-homing vESs are configured. The configuration on PE-5 contains a different SDP.
# on PE-4:
configure {
service {
system {
bgp {
evpn {
ethernet-segment "vESI-45_1" {
admin-state enable
type virtual
esi 01:00:00:00:00:45:01:00:00:01
multi-homing-mode single-active
df-election {
es-activation-timer 3
}
association {
sdp 46 {
virtual-ranges {
vc-id 1 {
end 1
}
vc-id 500 {
end 501
}
}
}
}
}
ethernet-segment "vESI-45_2" {
admin-state enable
type virtual
esi 01:00:00:00:00:45:02:00:00:01
multi-homing-mode single-active
df-election {
es-activation-timer 3
service-carving-mode manual
manual {
evi 2 {
end 2
}
}
}
association {
sdp 46 {
virtual-ranges {
vc-id 2 {
end 2
}
}
}
}
}
}
}
The configured ESs and vESs can be retrieved as follows:
[/]
A:admin@PE-2# show service system bgp-evpn ethernet-segment
===============================================================================
Service Ethernet Segment
===============================================================================
Name ESI Admin Oper
-------------------------------------------------------------------------------
vESI-23_1 01:00:00:00:00:23:01:00:00:01 Enabled Up
vESI-23_600 01:00:00:00:00:23:06:00:00:01 Enabled Up
-------------------------------------------------------------------------------
Entries found: 2
===============================================================================
The following information for the first entry in the list shows that it is a virtual ES.
[/]
A:admin@PE-2# show service system bgp-evpn ethernet-segment name "vESI-23_1"
===============================================================================
Service Ethernet Segment
===============================================================================
Name : vESI-23_1
Eth Seg Type : Virtual
Admin State : Enabled Oper State : Up
ESI : 01:00:00:00:00:23:01:00:00:01
Multi-homing : allActive Oper Multi-homing : allActive
ES SHG Label : 524280
Source BMAC LSB : <none>
Lag : lag-1
ES Activation Timer : 3 secs
Oper Group : (Not Specified)
Svc Carving : auto Oper Svc Carving : auto
Cfg Range Type : primary
===============================================================================
Virtual ES "vESI-23_1" on PE-2 has the following S-tag ranges and S/C-tag ranges:
[/]
A:admin@PE-2# show service system bgp-evpn ethernet-segment name "vESI-23_1" virtual-ranges
===============================================================================
Q-Tag Ranges
===============================================================================
Q-Tag Start Q-Tag End Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================
===============================================================================
VC-Id Ranges
===============================================================================
VC-Id Start VC-Id End Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================
===============================================================================
S-Tag Ranges
===============================================================================
S-Tag Start S-Tag End Last Changed
-------------------------------------------------------------------------------
1 1 04/20/2021 16:14:55
500 501 04/20/2021 16:14:55
-------------------------------------------------------------------------------
Number of Entries: 2
===============================================================================
===============================================================================
S-Tag C-Tag Ranges
===============================================================================
S-Tag Start C-Tag Start C-Tag End Last Changed
-------------------------------------------------------------------------------
495 100 102 04/20/2021 16:14:55
-------------------------------------------------------------------------------
Number of Entries: 1
===============================================================================
===============================================================================
Vxlan Instance Service Ranges
===============================================================================
Svc Range Start Svc Range End Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================
The ranges in the vES can be modified while the vES is operationally up, for example, an S-tag range can be added as follows:
# on PE-2:
configure {
service {
system {
bgp {
evpn
ethernet-segment "vESI-23_1" {
association {
lag "lag-1" {
virtual-ranges {
qinq {
s-tag 10 {
end 10
}
}
}
The S-tag ranges can be verified with the following command. Compared with the preceding output, the S-tag 10 has been added:
[/]
A:admin@PE-2# show service system bgp-evpn ethernet-segment name "vESI-23_1" virtual-ranges | match S-Tag post-lines 8
S-Tag Ranges
===============================================================================
S-Tag Start S-Tag End Last Changed
-------------------------------------------------------------------------------
1 1 04/20/2021 16:14:55
10 10 04/20/2021 16:17:23
500 501 04/20/2021 16:14:55
-------------------------------------------------------------------------------
Number of Entries: 3
===============================================================================
===============================================================================
S-Tag C-Tag Ranges
===============================================================================
S-Tag Start C-Tag Start C-Tag End Last Changed
-------------------------------------------------------------------------------
495 100 102 04/20/2021 16:14:55
-------------------------------------------------------------------------------
Number of Entries: 1
===============================================================================
===============================================================================
Vxlan Instance Service Ranges
===============================================================================
On PE-4, the same show command shows the range of VC-IDs, as follows:
[/]
A:admin@PE-4# show service system bgp-evpn ethernet-segment name "vESI-45_1" virtual-ranges
===============================================================================
Q-Tag Ranges
===============================================================================
Q-Tag Start Q-Tag End Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================
===============================================================================
VC-Id Ranges
===============================================================================
VC-Id Start VC-Id End Last Changed
-------------------------------------------------------------------------------
1 1 04/20/2021 16:15:58
500 501 04/20/2021 16:15:58
-------------------------------------------------------------------------------
Number of Entries: 2
===============================================================================
===============================================================================
S-Tag Ranges
===============================================================================
S-Tag Start S-Tag End Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================
===============================================================================
S-Tag C-Tag Ranges
===============================================================================
S-Tag Start C-Tag Start C-Tag End Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================
===============================================================================
Vxlan Instance Service Ranges
===============================================================================
Svc Range Start Svc Range End Last Changed
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No entries found
===============================================================================
Connection-profile-vlan SAPs (CP-SAPs) cannot be associated with a vES and cannot be configured on ports where vESs are defined. CP-SAP 10 is created on PE-3, as follows:
# on PE-3:
configure {
connection-profile vlan 10 {
qtag-range 5 {
end 100
}
qtag-range 495 {
end 495
}
The following vES is configured on PE-3:
# on PE-3:
configure {
service {
system {
bgp {
evpn {
ethernet-segment "vESI-23_10" {
admin-state enable
type virtual
esi 01:00:00:00:00:23:10:00:00:01
multi-homing-mode single-active
df-election {
es-activation-timer 3
}
association {
port 1/2/3 {
virtual-ranges {
qinq {
s-tag 100 {
end 100
}
}
}
}
}
}
This vES can only be configured when no CP-SAPs are defined on port 1/2/3. The following error message is raised when a CP-SAP is configured on port 1/2/3 already and the vES is configured afterward:
*[ex:/configure service system bgp evpn ethernet-segment "vESI-23_10" association port 1/2/3 virtual-ranges qinq s-tag 100]
A:admin@PE-3# commit
MINOR: MGMT_CORE #4001: configure service vpls "VPLS 1" sap 1/2/3:100.cp-10 - connection profile saps not allowed on port/lags associated with evpn ethernet-segments - configure service system bgp evpn ethernet-segment "vESI-23_10" association
When attempting to configure CP-SAP 1/2/3:cp-10 in VPLS 1 with port 1/2/3 associated with a vES, the following error message is raised.
*[ex:/configure service vpls "VPLS 1" sap 1/2/3:100.cp-10]
A:admin@PE-3# commit
MINOR: MGMT_CORE #4001: configure service vpls "VPLS 1" sap 1/2/3:100.cp-10 - connection profile saps not allowed on port/lags associated with evpn ethernet-segments - configure service system bgp evpn ethernet-segment "vESI-23_10" association
Conclusion
Regular ESs and vESs can be associated with ports, LAGs, and SDPs; in case of vES, ranges of Q-tags, S-tags, C-tags, or VC-IDs can be defined. The granularity for vES is per AC. Multiple vESs with different ESIs can be defined on the same port, LAG, or SDP.