
May 24, 2022

Page 1: CSG Cisco Validated Profile Series

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 67

CSG

Cisco Validated Profile Series

Enterprise Routing

BGP EVPN and Segment Routing with IPsec/GRE

on Cisco ASR 1000 Routers

CVP


Contents

1. Profile introduction
2. Network profile
   a. Topology diagram
   b. Hardware and feature specifications
      i. Key vertical features
      ii. Hardware profile
   c. Test environment
3. Use case scenarios
   1. Test methodology
   2. Use cases
      3.2 BGP EVPN – SR with IPsec/GRE on ASR1000
         3.2.1 Routing
         3.2.2 Security
         3.2.3 Simplified management
         3.2.4 System health monitoring
         3.2.5 System and network resiliency, robustness
4. Notes
5. Best practices and recommendations
6. Convergence data
7. Throughput data
8. Appendix
   a. Configuration on ASR1K PE1:
   b. Configuration on ASR1K TR1:
   c. Configuration on ASR 1000 PE 2
   d. Configuration on ASR1K TR 2:
   e. Configuration on ASR1K CE in the DC:
   f. Configuration on N9K Leaf 1:
   g. Configuration on N9K spine 1
   h. Configuration on N9K leaf 2
   i. Configuration on N9K spine 2
   j. NETCONF/YANG Remote Procedural Call (RPC) messages to configure on the ASR 1000 PE
   k. Verifications on an ASR1K PE
10. Acronyms


1. Profile introduction

This Cisco® Validated Profile covers the segregation of a campus network from a data center through a WAN interconnect.

Cisco Nexus® 9000 Series devices form the campus network. Cisco ASR 1000 Series Aggregation Services Routers (ASR 1000) are in the WAN interconnect and data center. The WAN interconnect is through an IPsec Generic Routing Encapsulation (GRE) tunnel.

Border Gateway Protocol Ethernet VPN over Multiprotocol Label Switching (BGP EVPNoMPLS) RT5 with next-hop unchanged is used to advertise the site prefixes across the overlay network.

A single BGP session is used to carry both Segment Routing (SR) and EVPN prefixes.

BGP Labelled Unicast with Segment Routing is used as underlay and BGP MPLSoEVPN is used for overlay.

BGP Segment Routing PrefixSID is used to advertise the NodeSID of the provider edge (PE) device.

Table 1. BGP EVPN-SR with IPsec/GRE on ASR 1000 routers profile feature summary

| Deployment areas | Features |
|---|---|
| Security | IPsec/GRE |
| Management and monitoring | Simple Network Management Protocol (SNMP), syslog server |
| System resiliency | Interface flaps, RP, ESP, SIP, SPA failovers |
| Network services | BGP LU, Segment Routing, BGP MPLSoEVPN, Bidirectional Forwarding Detection (BFD) |
| Network resiliency | BFD, equal-cost multipath (ECMP) routing |

2. Network profile

Based on the research, customer feedback, and configuration samples, the BGP EVPN-Segment Routing with IPsec/GRE with a Cisco ASR 1000 router profile is designed with a deployment topology that is generic and can easily be modified to fit any specific deployment scenario.

a. Topology diagram

Disclaimer: The links between the different network layers in the topology are mainly to facilitate this profile validation across different platform combinations. The actual deployment could vary based on specific requirements.

BGP EVPN-Segment Routing with IPsec/GRE with a Cisco ASR1000 router profile covers N9K in a campus connected to the data center via the WAN. We have IPsec/GRE in the WAN using a Cisco ASR 1001-HX Router and an ASR 1006-X Router.


Figure 1. Deployment diagram of BGP EVPN Segment Routing with IPsec/GRE

The left portion of the topology represents the campus, consisting of the N9k leaf and spine nodes working in the standalone mode.

The right portion of the topology represents the DC and WAN, consisting of ASR1Ks running an IPsec/GRE tunnel between them.

b. Hardware and feature specifications

This section details the 3D feature matrix, where the hardware platforms are listed along with their place in the network (PIN) and the relevant deployment.

Table 2. Network device and platform

| Network device | Platform |
|---|---|
| ASR 1K PE 1 | ASR 1006-X (RP3/ESP100/EPA10x10G) |
| ASR 1K PE 2 | ASR 1006-X (RP2/ESP100/EPA10x10G) |
| N9K PE1 (Leaf 1) | N9K-C9396PX |
| N9K PE2 (Leaf 2) | N9K-C9396PX |
| ASR1K Transit Routers | ASR1001-HX |
| N9K Spine 1 | N9K-C9396PX |
| N9K Spine 2 | N9K-93180YC-EX |
| CE in DC | ASR 1002-HX |
| Transit Router (TR) to Spirent PE | ASR 1002-HX |
| Spirent Test Center | 4.85 (BGP SR and EVPN license) |


Table 3. Features and functionalities tested

Features and functionalities

● Campus has N9K TORs and Spines in the standalone mode
● N9K Leafs are the PEs and Spines are Transit devices
● Spines connect to ASR 1K Transit Routers
● IPsec/GRE tunnel between ASR1K Transit Routers and ASR1K PEs
● One BGP session to carry both EVPN and SR labels
● BGP LU with SR as underlay
● Equal-Cost Paths
● BFD with BGP for all interfaces and neighbors
● Segment Routing Global Block (SRGB) range of 16000-25000
● Transit routers advertise the EVPN prefixes as next hop unchanged

Table 4. Scales tested

Scales tested

● 7 N9K Spines simulated using Spirent Test Center
● 20 N9K Leaf PEs behind each Spine simulated using Spirent Test Center (Total 140 N9K PEs)
● 10 VRFs on each N9K PE (Same 10 VRFs on each PE)
● Total 100,000 prefixes; 72 prefixes per VRF on each Nexus 9000 leaf (total is calculated as 72 x 10 VRF x 140 PE = 100,800)
● 1 IPsec/GRE tunnel between ASR 1000 transit router and ASR1K PE

i. Key vertical features

Table 5 defines the 3D hardware, place in network (PIN), and the features deployed. The scale of these configured features, the test environment, list of endpoints, and hardware software versions of the network topology will be defined in subsequent sections of this guide.

Table 5. Key vertical features

| Deployment layer | Platforms | Critical vertical features |
|---|---|---|
| ASR1K PE | ASR 1006-X Router (RP3/ESP100/ASR1000-MIP100/10X10G EPA) / ASR 1006-X Router (RP2/ESP100/ASR1000-MIP100/10X10G EPA) | One BGP session to carry both EVPN and SR labels; BGP Labelled Unicast; BGP Segment Routing; BGP MPLSoEVPN with next hop unchanged (RT5); IPv4 underlay, dual-stack overlay; Segment Routing Global Block (SRGB) 16000 – 25000; Bidirectional Forwarding Detection (BFD); IPsec/GRE; Configuration using NETCONF YANG |
| ASR1K TR | ASR 1001-HX | One BGP session to carry both EVPN and SR labels; BGP Labelled Unicast; BGP Segment Routing; BGP MPLSoEVPN with next hop unchanged (RT5); SRGB 16000 – 25000; BFD; IPsec/GRE |
| N9K Leaf PE | N9K-C9396PX | One BGP session to carry both EVPN and SR labels; BGP Labelled Unicast; BGP Segment Routing; BGP MPLSoEVPN with next hop unchanged (RT5); IPv4 underlay, dual-stack overlay; SRGB 16000 – 25000; BFD; HSRP between N9K Leaf PEs |
| N9K Spine | N9K-C9396PX / N9K-93180YC-EX | One BGP session to carry both EVPN and SR labels; BGP Labelled Unicast; BGP Segment Routing; BGP MPLSoEVPN with next hop unchanged (RT5); SRGB 16000 – 25000; BFD |

ii. Hardware profile

Table 6 defines the set of relevant hardware, servers, test equipment, and endpoints that are used to complete the end-to-end retail vertical profile deployment. A list of hardware, along with the relevant software versions and the role of these devices, complement the actual physical topology that is defined in Figure 1 of the previous section.

Table 6. Hardware profile of servers and endpoints

| VM and hardware | Software versions | Description |
|---|---|---|
| Spirent | Windows 7 | N9K PE and spine (4.85 version) |
| Netconf/Yang | | Provisioning the configs on the ASR1K PE |

c. Test environment

This section contains a description of the features and relevant scales at which the features are deployed across the physical topology. Table 7 lists the scale for each respective feature.

Disclaimer: Table 7 captures a sample set of scale values used in one of the use cases. Refer to appropriate Cisco documentation and data sheets for comprehensive scale data.

Table 7. Sample set of scale values

| Feature | Scale |
|---|---|
| N9K Spine | 7 |
| N9K Leaf | 140 |
| VRF on each PE | 10 |
| IPsec/GRE tunnels | 1 |
| RT5 prefixes | 100,000 (72 per PE x 10 VRF x 140 PE) |

3. Use case scenarios

1. Test methodology

The use cases listed in Table 8 will be executed using the topology defined in Figure 1, along with the test environment (Table 7) already explained in this document.

Images are loaded on the devices under test via the TFTP server using the management interface.


To validate a new release, the network topology is upgraded with the new software image with an existing configuration that comprises the use cases and relevant traffic profiles. The addition of new use cases acquired from the field or from customer deployments is added on top of the existing configuration.

During each use-case execution, syslog would be monitored closely across the devices for any relevant system events, errors, or alarms. With respect to longevity for this profile setup, CPU and memory usage or leaks would be monitored during the validation phase. Furthermore, to test the robustness of the software release and platform under test, typical network events would be triggered during the use-case execution process.

2. Use cases

Table 8 describes the use cases that were executed on BGP EVPN-SR with IPsec/GRE on a Cisco ASR 1000 router profile. These use cases are divided into buckets of technology areas to outline the complete coverage of the deployment scenarios. Use cases continuously evolve based on feedback from the field.

These technology buckets comprise security, network services, monitoring and troubleshooting, simplified management, system health monitoring, and system resiliency.

3.2 BGP EVPN – SR with IPsec/GRE on ASR1000

Table 8. Use cases for BGP EVPN - SR

| Number | Focus area | Use cases |
|---|---|---|
| 3.2.1 Routing | | |
| 1 | BGP LU with SR as underlay and BGP MPLSoEVPN as overlay | Campus with N9K Leaf and spine; N9K Leaf is the PE and the spine is the transit router; Hot Standby Router Protocol (HSRP) between the N9K Leafs; eBGP Labelled Unicast with SR as underlay; BGP EVPN as overlay; Spine peers with leaf and ASR 1000 transit router; ASR 1000 PE is in the data center; BGP EVPN with next hop unchanged is between the PEs, that is, between the Nexus 9000 leaf and ASR 1006-X data center |
| 2 | Best and backup paths | Traffic through best path; Shut tunnel interface on ASR 1000 PE (best path), verify traffic takes backup tunnel path |
| 3.2.2 Security | | |
| 1 | IPsec/GRE | IPsec/GRE tunnel between ASR 1000 transit router and PE; Transform set with esp-aes esp-sha-hmac; “mpls bgp forwarding” on the IPsec/GRE tunnel |
| 3.2.3 Simplified management | | |
| 1 | Provisioning | NETCONF/YANG to provision ASR 1000 PE |
| 3.2.4 System health monitoring | | |
| 1 | System health | Monitor system health for CPU usage, memory consumption, and memory leaks during longevity |
| 2 | SNMP Mibwalk | Monitor system health for CPU usage, memory consumption, and memory leaks during snmp mibwalk |
| 3.2.5 System and network resiliency, robustness | | |
| 1 | System resiliency | Verify system-level resiliency during the following events: Active RP/standby RP failure; Active/standby ESP failure; WAN/LAN interface flaps; IPsec tunnel flaps; Session Initiation Protocol (SIP) / shared port adapter (SPA) reload and online insertion and removal (OIR); Link failures; Node failures (leaf 1/leaf 2/spine 1/spine 2/TR1/TR2/PE1/PE2/CE); In-Service Software Upgrade (ISSU) |
| 2 | Negative events, triggers | Verify that the system holds good and recovers to working condition after the following negative events are triggered: Config changes – add/remove config snippets, config replace; Routing protocol interface flaps; EVPN events; BGP events; SR events; MPLS events; IPsec events |

4. Notes

● There are behavior differences in the ASR 1000 routers and Nexus 9000 switches when Segment Routing is shut down. ASR 1000 routers still use the labels from the dynamic pool instead of SRGB and traffic resumes. But on Nexus 9000 switches, BGP will not use the labels from a dynamic pool and hence, the traffic doesn’t resume.

● The Prefix SID can be configured on Nexus 9000 switches using route-map or using the SR APP. The ASR 1000 Series supports this only through the SR APP.

● Even when removing “neighbor encapsulation mpls” from “address-family l2vpn evpn” on the ASR 1000 PE, traffic still uses MPLS encapsulation and not virtual extensible LAN (VXLAN) encapsulation if there are no VNI, bridge domain interface (BDI), or network virtual interface (NVE) configured. Though VXLAN encapsulation is the default, it will not use VXLAN unless the VNI, BDI, and NVE configurations are present on the ASR 1000 router.

● When both ESPs are reloaded on the ASR 1000 PE, IPsec SAs no longer have the last sequence number and need to restart from 0. However, peer transit router 1 expects the sequence number to continue, and will drop any packet with a smaller sequence number due to an ANTI_REPLAY error. So the PE cannot reach the transit router (TR), which results in the BGP session not coming up. We will have to do a shut/no shut on the GRE tunnel or wait for the rekey to complete for the BGP session to come up on the ASR 1000 PE.

● IPsec/Crypto throughput with Cisco Internet Mix (IMIX) for the ASR 1001-HX Router and the ASR 1006-X Router (RP3/ESP100) is less with a single tunnel when compared to throughput with multiple tunnels.
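
The ESP-reload behavior in the fourth note follows from how an IPsec receiver checks sequence numbers. The Python below is an added example, not part of the Cisco profile: it implements an RFC 4303-style sliding anti-replay window (size 1024, as in the appendix configuration) and runs the reload scenario against it. The class and function names and the sequence numbers are constructed for illustration.

```python
"""Added example: RFC 4303-style anti-replay window and the ESP-reload case from the note."""
from collections import Counter


class ReplayWindow:
    """Receiver-side anti-replay state for one inbound IPsec SA."""

    def __init__(self, size=1024):      # 1024 matches 'replay window-size 1024' in the appendix
        self.size = size
        self.top = 0                    # highest sequence number accepted so far
        self.bitmap = 0                 # bit i set => sequence (top - i) already seen

    def fast_forward(self, seq):
        """Model an SA that has already received every packet up to seq."""
        self.top = seq
        self.bitmap = (1 << min(seq, self.size)) - 1

    def check(self, seq):
        """Classify one authenticated packet and update the window."""
        if seq == 0:
            return "invalid"            # ESP never sends sequence number 0
        if seq > self.top:              # new right edge: slide the window
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "too_old"            # left of the window: dropped
        if (self.bitmap >> offset) & 1:
            return "replay"             # already seen: dropped
        self.bitmap |= 1 << offset
        return "accept"                 # late, but still inside the window


def simulate_esp_reload(seq_before_reload, sent_after_reload, window=1024):
    """Sender loses its counter (both ESPs reload); the peer keeps the old SA state.

    Returns (verdicts before rekey, verdicts after rekey) as dicts of counts.
    """
    receiver = ReplayWindow(window)
    receiver.fast_forward(seq_before_reload)
    # The sender's counter restarts from 0, so the first packet on the wire carries 1.
    before = Counter(receiver.check(s) for s in range(1, sent_after_reload + 1))
    # A rekey (or tunnel shut/no shut) negotiates a new SA: both sides start fresh.
    receiver = ReplayWindow(window)
    after = Counter(receiver.check(s) for s in range(1, sent_after_reload + 1))
    return dict(before), dict(after)


if __name__ == "__main__":
    # Constructed numbers: a long-lived SA at sequence 5,000,000, then 2,000 packets after reload.
    print(simulate_esp_reload(5_000_000, 2000))
    # A young SA (sequence 500) recovers by itself once the new counter passes the old value.
    print(simulate_esp_reload(500, 600))
```

On a long-lived SA every packet sent after the reload lands far to the left of the peer's window, so nothing gets through until a new SA exists, which is why the note calls for a tunnel shut/no shut or waiting for the rekey.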


5. Best practices and recommendations

● It is a best practice to configure all nodes in the network to use the same SRGB (16000 – 23999).

● By default, volume-based rekey is enabled on the ASR 1000 routers and the default value is approximately 35 Gbps, which is too low. It is recommended to disable the volume-based rekey or set the rekey value to a higher number.

6. Convergence data

Table 9. Convergence data

| Event (link/node failure) | Traffic switches from --> to | Traffic from DC to campus (Nexus 9000) - IPv4 | Traffic from DC to campus (Nexus 9000) - IPv6 | Traffic from campus to DC (Nexus 9000) - IPv4 | Traffic from campus to DC (Nexus 9000) - IPv6 | Traffic from DC to campus (Spirent PEs) |
|---|---|---|---|---|---|---|
| DC2 tunnel shutdown | DC2 --> DC1 | 6.7 | 10.1 | 134 msec | 176 msec | 9 |
| DC1 tunnel shutdown | DC1 --> DC2 | 6.4 | 9.4 | 186 msec | 123 msec | 8 |
| DC1 - CE interface shut | DC2 --> DC1 | 266 msec | 3.2 | 49 msec | 10 msec | 260 msec |
| DC2 - CE interface shut | DC2 --> DC1 | 272 msec | 1.3 | 33 msec | 20 msec | 270 msec |
| DC2 - TR2 interface shut | DC2 --> DC1 | 7 | 12 | 116 msec | 148 msec | 9 |
| DC1 - TR1 interface shut | DC1 --> DC2 | 6 | 9 | 107 msec | 48 msec | 8 |
| CE - DC2 interface shut | DC2 --> DC1 | 28 msec | 23 msec | 184 msec | 72 msec | 28 msec |
| CE - DC1 interface shut | DC1 --> DC2 | 33 msec | 27 msec | 155 msec | 74 msec | 33 msec |
| TR2 - DC2 interface shut | DC2 --> DC1 | 7 | 14 | 127 msec | 185 msec | 9 |
| TR1 - DC1 interface shut | DC1 --> DC2 | 6 | 9 | 97 msec | 48 msec | 8 |
| TR2 – spine 1 interface 1 shut | DC2 --> DC2 | 180 msec | 180 msec | 0.5 | 0.5 | 0 |
| TR2 – spine 2 interface 1 and 2 shut | DC2 --> DC1 | 172 msec | 172 msec | 484 msec | 451 msec | 0 |
| TR1 - spine 1 interface 1 shut | DC1 --> DC1 | 28 msec | 28 msec | 1.2 | 1.3 | 0 |
| TR1 – spine 2 interface 1 and 2 shut | DC1 --> DC2 | 220 msec | 222 msec | 1.9 | 2.1 | 0 |
| Spine 1 – leaf 1 interface shut | Spine 1 --> Spine 2 | 32 msec | 32 msec | 1.9 | 1.9 | 0 |
| Spine 2 - leaf 2 interface shut | Spine 2 --> Spine 1 | 160 msec | 160 msec | 1.3 | 1.3 | 0 |
| Leaf 1 – spine 1 interface shut | Leaf 1-Spine 1 --> Leaf 1-Spine 2 | 1.4 | 1.4 | 0.9 | 0.9 | 0 |
| Leaf 1 - Spirent interface shut | Leaf 1 --> Leaf 2 | 30 | 33 | 8 | 8.5 | 0 |
| DC1 reload | DC1 --> DC2 | 46 msec | 46 msec | 44 msec | 44 msec | 45 msec |
| DC2 reload | DC2 --> DC1 | 37 msec | 36 msec | 37 msec | 37 msec | 35 msec |
| TR1 reload | DC1 --> DC2 | 23 msec | 23 msec | 10 msec | 40 msec | 7 |
| TR2 reload | DC2 --> DC1 | 16 msec | 18 msec | 33 msec | 33 msec | 8 |
| Spine 1 reload | Spine1 --> Spine 2 | 257 msec | 257 msec | 1.2 | 1.7 | 0 |
| Spine 2 reload | Spine 2 --> Spine 1 | 272 msec | 272 msec | 1.3 | 1.2 | 0 |
| Leaf 1 reload | Leaf1 --> Leaf2 | 5 | 5 | 7 | 7 | 0 |
| Leaf 2 reload | Leaf2 --> Leaf1 | 5 | 8 | 7 | 7 | 0 |
| DC2 RP switchover | DC2 --> DC1 | 4.8 | 6 | 127 msec | 183 msec | 8 |
| DC1 RP switchover | DC1 --> DC2 | 6 | 5 | 33 msec | 25 msec | 8 |
| DC2 ESP switchover | DC2 --> DC1 | 18 msec | 18 msec | 8 msec | 8 msec | 17 msec |
| DC1 ESP switchover | DC1 --> DC2 | 5 msec | 5 msec | 1 msec | 1 msec | 5 msec |
| DC1 both ESPs reload at same time | DC1 --> DC2 | 4 | 4 | 211 msec | 227 msec | 11 |
| DC2 both ESPs reload at same time | DC2 --> DC1 | 1 | 2 | 283 msec | 294 msec | 107 |
| DC1 MIP reload | DC1 --> DC2 | 0.6 | 2 | 0.3 | 0.7 | 2 |
| DC2 MIP reload | DC2 --> DC1 | 2 | 8 | 2 | 2 | 2 |

Note that convergence times are noted with the following in place:

● BFD enabled on all Nexus 9000 and ASR 1000 devices

● Multihop BFD between the ASR 1000 transit router and the ASR 1000 PE

● Equal-cost multipathing (ECMP) on all devices (Nexus 9000 and ASR 1000) for both underlay SR Node SIDs and overlay EVPN campus and data center prefixes

Refer to the appendix for the show commands.

7. Throughput data

Table 10. ASR1006X PE

| ASR 1K PE | Packet Size | Throughput (in Gbps) | Throughput (in frames/second) | RP Memory (Active / Standby) | IOS Memory (Active / Standby) | ESP Memory (Active / Standby) | QFP Memory (Active / Standby) | MIP Memory | RP CPU (Active / Standby) | IOS CPU (Active / Standby) | FP CPU (Active / Standby) | QFP CPU (Active / Standby) | MIP CPU |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ASR1006X (RP3/ESP100) | 1400 | 17.4 | 15531862 | 3607 MB (11%) / 3457 MB (45%) | 793 Mb / 557 Mb | 1112 MB (6%) / 1109 MB (6%) | 349452 KB (8%) / 324448 KB (7%) | 557 MB (28%) | 1.00% / 1% | 1% / 0% | 2% / 2% | 98% / 0% | 8% |
| ASR1006X (RP3/ESP100) | 1024 | 16.4 | 1959246 | 3608 MB (11%) / 3457 MB (45%) | 793 Mb / 557 Mb | 1112 MB (6%) / 1109 MB (6%) | 349452 KB (8%) / 324448 KB (7%) | 557 MB (28%) | 1.00% / 1% | 1% / 0% | 2% / 2% | 98% / 0% | 8% |
| ASR1006X (RP3/ESP100) | 512 | 13.4 | 3140702 | 3609 MB (11%) / 3459 MB (45%) | 793 Mb / 557 Mb | 1113 MB (6%) / 1109 MB (6%) | 349452 KB (8%) / 324448 KB (7%) | 557 MB (28%) | 1% / 1% | 1% / 0% | 1% / 1% | 99% / 0% | 7% |
| ASR1006X (RP3/ESP100) | 128 | 5.2 | 4370628 | 3609 MB (11%) / 3459 MB (45%) | 793 Mb / 557 Mb | 1113 MB (6%) / 1109 MB (6%) | 349452 KB (8%) / 324448 KB (7%) | 557 MB (28%) | 1% / 1% | 1% / 0% | 1% / 1% | 99% / 0% | 8% |
| ASR1006X (RP3/ESP100) | 82 | 3.4 | 4166666 | 3609 MB (11%) / 3459 MB (45%) | 793 Mb / 557 Mb | 1113 MB (6%) / 1109 MB (6%) | 349452 KB (8%) / 324448 KB (7%) | 557 MB (28%) | 1% / 1% | 1% / 0% | 1% / 1% | 99% / 0% | 8% |
| ASR1006X (RP3/ESP100) | IMIX (64-7, 594-4, 1518-1) | 7.8 | 2240142 | 3609 MB (11%) / 3459 MB (45%) | 793 Mb / 557 Mb | 1113 MB (6%) / 1109 MB (6%) | 349452 KB (8%) / 324448 KB (7%) | 557 MB (28%) | 1% / 1% | 1% / 0% | 1% / 1% | 99% / 0% | 8% |

Table 11. ASR1001-HX Transit router

| Transit Router | Packet Size | Throughput (in Gbps) | Throughput (in frames/second) | RP Memory | IOS Memory | QFP Memory | RP CPU | QFP CPU | IOS CPU |
|---|---|---|---|---|---|---|---|---|---|
| ASR1001-HX | 1400 | 17.4 | 15531862 | 2748MB (34%) | 494MB | 215990KB (10%) | 2% | 98% | 1% |
| ASR1001-HX | 1024 | 16.4 | 1959246 | 2746MB (34%) | 494MB | 215990KB (10%) | 2% | 99% | 1% |
| ASR1001-HX | 512 | 13.4 | 3140702 | 2749MB (34%) | 494MB | 215990KB (10%) | 2% | 99% | 1% |
| ASR1001-HX | 128 | 5.2 | 4370628 | 2749MB (34%) | 494MB | 215990KB (10%) | 2% | 99% | 1% |
| ASR1001-HX | 82 | 3.4 | 4166666 | 2749MB (34%) | 494MB | 215990KB (10%) | 2% | 99% | 1% |
| ASR1001-HX | IMIX (64-7, 594-4, 1518-1) | 7.8 | 2240142 | 2749MB (34%) | 494MB | 215990KB (10%) | 2% | 99% | 1% |

8. Appendix

Disclaimer

Following are some sample configuration snippets to give readers a general idea about the configuration used in some of the use-cases. They would require further customization for actual deployments. For detailed configuration options and best practices, refer to documentation on cisco.com.

a. Configuration on ASR1K PE1:

vrf definition CU1_101
 rd 1:101
 !
 address-family ipv4
  route-target export 1:101
  route-target import 1:101
  route-target export 1:101 stitching
  route-target import 1:101 stitching
 exit-address-family
 !
 address-family ipv6
  route-target export 1:101
  route-target import 1:101
  route-target export 1:101 stitching
  route-target import 1:101 stitching
 exit-address-family
!
segment-routing mpls
 global-block 16000 25000
 !
 connected-prefix-sid-map
  address-family ipv4
   1.1.1.1/32 index 5001 range 1
  exit-address-family
 !
!
interface TenGigabitEthernet0/0/6
 description "Connected to CE2"
 no ip address
 bfd interval 50 min_rx 50 multiplier 5
!
interface TenGigabitEthernet0/0/6.101
 encapsulation dot1Q 100
 vrf forwarding CU1_101
 ip address 13.1.1.1 255.255.255.0
 ipv6 address 2001:13:1:1::1/64
 bfd interval 50 min_rx 50 multiplier 5
!
interface TenGigabitEthernet0/0/7
 description "Connected to TR1"
 ip address 11.1.1.2 255.255.255.0
 ip mtu 1468
 bfd interval 50 min_rx 50 multiplier 5
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 11.1.1.1
crypto isakmp keepalive 100
crypto ipsec security-association lifetime kilobytes disable
crypto ipsec security-association replay window-size 1024
!
!
crypto ipsec transform-set my_set esp-aes esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile profile1
 set security-association lifetime kilobytes disable
 set security-association lifetime days 1
 set transform-set my_set
!
bfd map ipv4 192.168.1.0/24 192.168.1.2/32 BFD
bfd-template multi-hop BFD
 interval min-tx 50 min-rx 50 multiplier 3
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 mpls bgp forwarding
 tunnel source 11.1.1.2
 tunnel destination 11.1.1.1
 tunnel protection ipsec profile profile1
!
route-map NH_UNCHG permit 10
 set ip next-hop 1.1.1.1
 set ipv6 next-hop ::FFFF:1.1.1.1
!
router bgp 5001
 bgp router-id interface Loopback0
 bgp log-neighbor-changes
 bgp graceful-restart
 no bgp default route-target filter
 neighbor 192.168.1.1 remote-as 4001
 neighbor 192.168.1.1 fall-over bfd
 !
 address-family ipv4
  network 1.1.1.1 mask 255.255.255.255
  segment-routing mpls
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 send-community both
  neighbor 192.168.1.1 send-label
  maximum-paths 4
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 send-community both
  neighbor 192.168.1.1 route-map NH_UNCHG out
  neighbor 192.168.1.1 encap mpls
  maximum-paths 4
 exit-address-family
 !
 address-family ipv4 vrf CU1_101
  advertise l2vpn evpn
  bgp additional-paths install
  neighbor 13.1.1.2 remote-as 201
  neighbor 13.1.1.2 fall-over bfd
  neighbor 13.1.1.2 activate
  maximum-paths 4
 exit-address-family
 !
 address-family ipv6 vrf CU1_101
  advertise l2vpn evpn
  bgp additional-paths install
  neighbor 2001:13:1:1::2 remote-as 201
  neighbor 2001:13:1:1::2 fall-over bfd
  neighbor 2001:13:1:1::2 activate
  maximum-paths 4
 exit-address-family
!

b. Configuration on ASR1K TR1:

segment-routing mpls

Page 15: CSG Cisco Validated Profile Series

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 15 of 67

global-block 16000 25000

!

connected-prefix-sid-map

address-family ipv4

3.3.3.3/32 index 4001 range 1

exit-address-family

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key cisco123 address 11.1.1.2

crypto isakmp keepalive 100

crypto ipsec security-association lifetime kilobytes disable

crypto ipsec security-association replay window-size 1024

!

!

crypto ipsec transform-set my_set esp-aes esp-sha-hmac

mode tunnel

!

!

crypto ipsec profile profile1

set security-association lifetime kilobytes disable

set security-association lifetime days 1

set transform-set my_set

!

!

interface Loopback0

ip address 3.3.3.3 255.255.255.255

!

interface TenGigabitEthernet0/1/3

description "Connected to Spine1"

ip address 16.1.1.1 255.255.255.0

mpls bgp forwarding

bfd interval 50 min_rx 50 multiplier 5

!

interface TenGigabitEthernet0/1/5

description "Connected to Spine2"

ip address 27.1.1.1 255.255.255.0

mpls bgp forwarding

Page 16: CSG Cisco Validated Profile Series

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 16 of 67

bfd interval 50 min_rx 50 multiplier 5

!

interface TenGigabitEthernet0/1/7

description "Connected to DC1"

ip address 11.1.1.1 255.255.255.0

ip mtu 1468

bfd interval 50 min_rx 50 multiplier 5

!

bfd map ipv4 192.168.1.0/24 192.168.1.1/32 BFD

bfd-template multi-hop BFD

interval min-tx 50 min-rx 50 multiplier 3

!

interface Tunnel1

ip address 192.168.1.1 255.255.255.0

mpls bgp forwarding

tunnel source 11.1.1.1

tunnel destination 11.1.1.2

tunnel protection ipsec profile profile1

!

route-map NH_UNCHG permit 10

set ip next-hop unchanged

!

router bgp 4001

bgp router-id interface Loopback0

bgp log-neighbor-changes

no bgp default route-target filter

neighbor 16.1.1.2 remote-as 2101

neighbor 16.1.1.2 disable-connected-check

neighbor 16.1.1.2 fall-over bfd

neighbor 27.1.1.2 remote-as 2201

neighbor 27.1.1.2 disable-connected-check

neighbor 27.1.1.2 fall-over bfd

neighbor 33.1.1.2 remote-as 2000

neighbor 33.1.1.2 disable-connected-check

neighbor 33.1.1.2 fall-over bfd

neighbor 192.168.1.2 remote-as 5001

neighbor 192.168.1.2 ebgp-multihop 2

neighbor 192.168.1.2 fall-over bfd multi-hop

!

address-family ipv4

bgp additional-paths install

network 3.3.3.3

network 3.3.3.3 mask 255.255.255.255

segment-routing mpls

neighbor 16.1.1.2 activate

neighbor 16.1.1.2 send-community both

neighbor 16.1.1.2 send-label

neighbor 27.1.1.2 activate

neighbor 27.1.1.2 send-community both

neighbor 27.1.1.2 send-label

neighbor 33.1.1.2 activate

neighbor 33.1.1.2 send-community both

neighbor 33.1.1.2 send-label

neighbor 192.168.1.2 activate

neighbor 192.168.1.2 send-community both

neighbor 192.168.1.2 send-label

maximum-paths 4

exit-address-family

!

address-family l2vpn evpn

neighbor 16.1.1.2 activate

neighbor 16.1.1.2 send-community both

neighbor 16.1.1.2 route-map NH_UNCHG out

neighbor 27.1.1.2 activate

neighbor 27.1.1.2 send-community both

neighbor 27.1.1.2 route-map NH_UNCHG out

neighbor 33.1.1.2 activate

neighbor 33.1.1.2 send-community both

neighbor 33.1.1.2 route-map NH_UNCHG out

neighbor 192.168.1.2 activate

neighbor 192.168.1.2 send-community both

neighbor 192.168.1.2 route-map NH_UNCHG out

maximum-paths 4

exit-address-family

!

c. Configuration on ASR 1000 PE 2

vrf definition CU1_101

rd 2:101

!

address-family ipv4

route-target export 1:101

route-target import 1:101

route-target export 1:101 stitching

route-target import 1:101 stitching

exit-address-family

!

address-family ipv6

route-target export 1:101

route-target import 1:101

route-target export 1:101 stitching

route-target import 1:101 stitching

exit-address-family

!

segment-routing mpls

global-block 16000 25000

!

connected-prefix-sid-map

address-family ipv4

2.2.2.2/32 index 5002 range 1

exit-address-family

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key cisco123 address 12.1.1.1

crypto isakmp keepalive 100

crypto ipsec security-association lifetime kilobytes disable

crypto ipsec security-association replay window-size 1024

!

!

crypto ipsec transform-set my_set esp-aes esp-sha-hmac

mode tunnel

!

!

crypto ipsec profile profile1

set security-association lifetime kilobytes disable

set security-association lifetime days 1

set transform-set my_set

!

interface Loopback0

ip address 2.2.2.2 255.255.255.255

!

interface TenGigabitEthernet0/0/6

description "Connected to CE1"

no ip address

bfd interval 50 min_rx 50 multiplier 5

!

interface TenGigabitEthernet0/0/6.101

encapsulation dot1Q 100

vrf forwarding CU1_101

ip address 14.1.1.1 255.255.255.0

ipv6 address 2001:14:1:1::1/64

bfd interval 50 min_rx 50 multiplier 5

!

interface TenGigabitEthernet0/0/7

description "Connected to TR2"

ip address 12.1.1.2 255.255.255.0

bfd interval 50 min_rx 50 multiplier 5

!

bfd map ipv4 192.168.2.0/24 192.168.2.2/32 BFD

bfd-template multi-hop BFD

interval min-tx 50 min-rx 50 multiplier 3

!

interface Tunnel1

ip address 192.168.2.2 255.255.255.0

mpls bgp forwarding

tunnel source 12.1.1.2

tunnel destination 12.1.1.1

tunnel protection ipsec profile profile1

!

route-map NH_UNCHG permit 10

set ip next-hop 2.2.2.2

set ipv6 next-hop ::FFFF:2.2.2.2

!

router bgp 5002

bgp router-id interface Loopback0

bgp log-neighbor-changes

bgp graceful-restart

no bgp default route-target filter

neighbor 192.168.2.1 remote-as 4002

neighbor 192.168.2.1 ebgp-multihop 2

neighbor 192.168.2.1 update-source Tunnel1

neighbor 192.168.2.1 fall-over bfd multi-hop

!

address-family ipv4

network 2.2.2.2 mask 255.255.255.255

segment-routing mpls

neighbor 192.168.2.1 activate

neighbor 192.168.2.1 send-community both

neighbor 192.168.2.1 send-label

maximum-paths 4

exit-address-family

!

address-family l2vpn evpn

neighbor 192.168.2.1 activate

neighbor 192.168.2.1 send-community both

neighbor 192.168.2.1 route-map NH_UNCHG out

neighbor 192.168.2.1 encap mpls

maximum-paths 4

exit-address-family

!

address-family ipv4 vrf CU1_101

advertise l2vpn evpn

bgp additional-paths install

neighbor 14.1.1.2 remote-as 201

neighbor 14.1.1.2 fall-over bfd

neighbor 14.1.1.2 activate

maximum-paths 4

exit-address-family

!

address-family ipv6 vrf CU1_101

advertise l2vpn evpn

bgp additional-paths install

neighbor 2001:14:1:1::2 remote-as 201

neighbor 2001:14:1:1::2 fall-over bfd

neighbor 2001:14:1:1::2 activate

maximum-paths 4

exit-address-family

!

d. Configuration on ASR1K TR 2:

segment-routing mpls

global-block 16000 25000

!

connected-prefix-sid-map

address-family ipv4

4.4.4.4/32 index 4002 range 1

exit-address-family

!

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key cisco123 address 12.1.1.2

crypto isakmp keepalive 100

crypto ipsec security-association lifetime kilobytes disable

crypto ipsec security-association replay window-size 1024

!

!

crypto ipsec transform-set my_set esp-aes esp-sha-hmac

mode tunnel

!

!

crypto ipsec profile profile1

set security-association lifetime kilobytes disable

set security-association lifetime days 1

set transform-set my_set

!

interface Loopback0

ip address 4.4.4.4 255.255.255.255

!

interface TenGigabitEthernet0/1/2

description "Connected to Spine2"

ip address 17.1.1.1 255.255.255.0

mpls bgp forwarding

bfd interval 50 min_rx 50 multiplier 5

!

interface TenGigabitEthernet0/1/5

description "Connected to Spine1"

ip address 26.1.1.1 255.255.255.0

mpls bgp forwarding

bfd interval 50 min_rx 50 multiplier 5

!

interface TenGigabitEthernet0/1/7

description "Connected to DC2"

ip address 12.1.1.1 255.255.255.0

bfd interval 50 min_rx 50 multiplier 5

!

bfd map ipv4 192.168.2.0/24 192.168.2.1/32 BFD

bfd-template multi-hop BFD

interval min-tx 50 min-rx 50 multiplier 3

!

interface Tunnel1

ip address 192.168.2.1 255.255.255.0

mpls bgp forwarding

tunnel source 12.1.1.1

tunnel destination 12.1.1.2

tunnel protection ipsec profile profile1

!

route-map NH_UNCHG permit 10

set ip next-hop unchanged

!

router bgp 4002

bgp router-id interface Loopback0

bgp log-neighbor-changes

no bgp default route-target filter

neighbor 17.1.1.2 remote-as 2201

neighbor 17.1.1.2 disable-connected-check

neighbor 17.1.1.2 fall-over bfd

neighbor 26.1.1.2 remote-as 2101

neighbor 26.1.1.2 disable-connected-check

neighbor 26.1.1.2 fall-over bfd

neighbor 34.1.1.2 remote-as 2000

neighbor 34.1.1.2 disable-connected-check

neighbor 34.1.1.2 fall-over bfd

neighbor 192.168.2.2 remote-as 5002

neighbor 192.168.2.2 ebgp-multihop 2

neighbor 192.168.2.2 fall-over bfd multi-hop

!

address-family ipv4

bgp additional-paths install

network 4.4.4.4

network 4.4.4.4 mask 255.255.255.255

segment-routing mpls

neighbor 17.1.1.2 activate

neighbor 17.1.1.2 send-community both

neighbor 17.1.1.2 send-label

neighbor 26.1.1.2 activate

neighbor 26.1.1.2 send-community both

neighbor 26.1.1.2 send-label

neighbor 34.1.1.2 activate

neighbor 34.1.1.2 send-community both

neighbor 34.1.1.2 send-label

neighbor 192.168.2.2 activate

neighbor 192.168.2.2 send-community both

neighbor 192.168.2.2 send-label

maximum-paths 4

exit-address-family

!

address-family l2vpn evpn

neighbor 17.1.1.2 activate

neighbor 17.1.1.2 send-community both

neighbor 17.1.1.2 route-map NH_UNCHG out

neighbor 17.1.1.2 encap mpls

neighbor 26.1.1.2 activate

neighbor 26.1.1.2 send-community both

neighbor 26.1.1.2 route-map NH_UNCHG out

neighbor 26.1.1.2 encap mpls

neighbor 34.1.1.2 activate

neighbor 34.1.1.2 send-community both

neighbor 34.1.1.2 route-map NH_UNCHG out

neighbor 34.1.1.2 encap mpls

neighbor 192.168.2.2 activate

neighbor 192.168.2.2 send-community both

neighbor 192.168.2.2 route-map NH_UNCHG out

maximum-paths 4

exit-address-family

!
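The ASR 1000 listings above (TR 1, PE 2 and TR 2) carry the same ISAKMP/IPsec stanza, so one check covers all three. The Python below is an added example, not part of the Cisco profile: it audits those lines for a pre-shared key stored unencrypted, an IKE policy that leaves cipher, hash and DH group unset, an HMAC-SHA-1 transform-set, and one key present on more than two routers. The finding codes, function names, the counter-example stanza and the "more than two devices" reuse heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: crypto lines taken from the TR 1, PE 2 and TR 2 listings
# on this page, flat and unindented as the page shows them.
_PAGE_STANZA = """\
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address {peer}
!
crypto ipsec transform-set my_set esp-aes esp-sha-hmac
mode tunnel
"""
CONFIGS = {
    "TR1": _PAGE_STANZA.format(peer="11.1.1.2"),
    "PE2": _PAGE_STANZA.format(peer="12.1.1.1"),
    "TR2": _PAGE_STANZA.format(peer="12.1.1.2"),
}

# Constructed counter-example (not from the page): explicit IKE parameters, a
# type-6 key whose ciphertext is a placeholder, and an HMAC-SHA-256 transform.
COUNTER_EXAMPLE = """\
crypto isakmp policy 10
encryption aes 256
hash sha256
group 14
authentication pre-share
crypto isakmp key 6 PLACEHOLDER_CIPHERTEXT address 11.1.1.2
crypto ipsec transform-set my_set esp-aes 256 esp-sha256-hmac
mode tunnel
"""

POLICY_SUBCMDS = {"encryption", "hash", "group", "authentication", "lifetime"}
PSK_RE = re.compile(r"^crypto isakmp key (?:([06])\s+)?(\S+) address (\S+)")
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")


def audit_device(name, text):
    """Return (findings, cleartext_keys) for one device's configuration text."""
    findings, keys = [], []
    policy, seen = None, set()

    def close_policy():
        # Report an IKE policy that relies on release defaults.
        nonlocal policy
        if policy is not None:
            missing = sorted({"encryption", "hash", "group"} - seen)
            if missing:
                findings.append((name, "IKE_POLICY_DEFAULTS",
                                 f"policy {policy}: {', '.join(missing)} not set explicitly"))
        policy = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        # Sub-commands are recognised by keyword, not indentation, so the
        # flattened listings on this page parse the same as a device export.
        if policy is not None and words[0] in POLICY_SUBCMDS:
            seen.add(words[0])
            continue
        close_policy()
        if line.startswith("crypto isakmp policy "):
            policy, seen = words[3], set()
            continue
        m = PSK_RE.match(line)
        if m:
            enc_type, key, peer = m.groups()
            if enc_type != "6":  # "6" marks a type-6 encrypted key string
                findings.append((name, "PSK_CLEARTEXT",
                                 f"key for peer {peer} is stored unencrypted"))
                keys.append(key)
            continue
        m = TSET_RE.match(line)
        if m and "esp-sha-hmac" in m.group(2).split():
            findings.append((name, "ESP_HMAC_SHA1",
                             f"transform-set {m.group(1)} uses HMAC-SHA-1"))
    close_policy()
    return findings, keys


def audit_fleet(configs):
    """Audit every device, then look for one key shared across tunnels."""
    findings, holders = [], defaultdict(set)
    for name, text in configs.items():
        device_findings, keys = audit_device(name, text)
        findings.extend(device_findings)
        for key in keys:
            holders[key].add(name)
    # Heuristic: a point-to-point key belongs on two routers only. The key
    # itself is never echoed into the finding text.
    for devices in holders.values():
        if len(devices) > 2:
            findings.append(("*", "PSK_REUSED",
                             f"one pre-shared key is configured on {len(devices)} "
                             f"devices ({', '.join(sorted(devices))})"))
    return findings


if __name__ == "__main__":
    for device, code, detail in audit_fleet(CONFIGS):
        print(f"{device:4} {code:20} {detail}")
    print("counter-example findings:", audit_device("X", COUNTER_EXAMPLE)[0])
```
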

e. Configuration on ASR1K CE in the DC:

vrf definition CU1_101

rd 1:101

!

address-family ipv4

route-target export 1:101

route-target import 1:101

exit-address-family

!

address-family ipv6

route-target export 1:101

route-target import 1:101

exit-address-family

!

interface Loopback0

ip address 10.10.10.10 255.255.255.255

!

interface TenGigabitEthernet0/1/2

description "Connected to DC1"

no ip address

!

interface TenGigabitEthernet0/1/2.101

encapsulation dot1Q 100

vrf forwarding CU1_101

ip address 13.1.1.2 255.255.255.0

ipv6 address 2001:13:1:1::2/64

bfd interval 50 min_rx 50 multiplier 5

!

interface TenGigabitEthernet0/1/3

description "Connected to DC2"

no ip address

!

interface TenGigabitEthernet0/1/3.101

encapsulation dot1Q 100

vrf forwarding CU1_101

ip address 14.1.1.2 255.255.255.0

ipv6 address 2001:14:1:1::2/64

bfd interval 50 min_rx 50 multiplier 5

!

interface TenGigabitEthernet0/1/4

description "Connected to TGEN"

no ip address

!

interface TenGigabitEthernet0/1/4.101

encapsulation dot1Q 100

vrf forwarding CU1_101

ip address 15.1.1.1 255.255.255.0

ipv6 address 2001:15:1:1::1/64

bfd interval 50 min_rx 50 multiplier 5

!

router bgp 201

bgp router-id 10.10.10.10

bgp log-neighbor-changes

!

address-family ipv4 vrf CU1_101

bgp additional-paths install

redistribute connected

neighbor 13.1.1.1 remote-as 5001

neighbor 13.1.1.1 fall-over bfd

neighbor 13.1.1.1 activate

neighbor 13.1.1.1 route-map CE2_DC1 out

neighbor 14.1.1.1 remote-as 5002

neighbor 14.1.1.1 fall-over bfd

neighbor 14.1.1.1 activate

neighbor 14.1.1.1 route-map CE2_DC2 out

maximum-paths 4

exit-address-family

!

address-family ipv6 vrf CU1_101

redistribute connected

neighbor 2001:13:1:1::1 remote-as 5001

neighbor 2001:13:1:1::1 fall-over bfd

neighbor 2001:13:1:1::1 activate

neighbor 2001:14:1:1::1 remote-as 5002

neighbor 2001:14:1:1::1 fall-over bfd

neighbor 2001:14:1:1::1 activate

maximum-paths 4

exit-address-family

!

f. Configuration on N9K Leaf 1:

segment-routing mpls

global-block 16000 25000

connected-prefix-sid-map

address-family ipv4

7.7.7.7/32 index 3101

route-map SET_NH permit 10

set ip next-hop 7.7.7.7

ip prefix-list cu1_101 seq 10 permit 23.1.1.0/24

ipv6 prefix-list cu1_101_v6 seq 10 permit 2001:23:1:1::/64

route-map cu1_101 permit 10

match ip address prefix-list cu1_101

route-map cu1_101_v6 permit 10

match ipv6 address prefix-list cu1_101_v6

route-map label-index-Leaf-1 permit 10

set label-index 3101

vrf context CU1_101

rd auto

address-family ipv4 unicast

route-target import 1:101

route-target import 1:101 evpn

route-target export 1:101

route-target export 1:101 evpn

address-family ipv6 unicast

route-target import 1:101

route-target import 1:101 evpn

route-target export 1:101

route-target export 1:101 evpn

interface Ethernet1/20

description "Connected to Spine1"

no switchport

bfd interval 50 min_rx 50 multiplier 5

ip address 18.1.1.1/24

ipv6 address 2001:18:1:1::1/64

mpls ip forwarding

no shutdown

interface Ethernet1/28

description "Connected to Spine2"

no switchport

bfd interval 50 min_rx 50 multiplier 5

ip address 21.1.1.1/24

ipv6 address 2001:21:1:1::1/64

mpls ip forwarding

no shutdown

interface Ethernet1/24

description "Connected to Switch/TGEN"

no switchport

no shutdown

interface Ethernet1/24.101

encapsulation dot1q 100

vrf member CU1_101

bfd interval 50 min_rx 50 multiplier 5

ip address 23.1.1.1/24

ipv6 address 2001:23:1:1::1/64

no shutdown

hsrp version 2

hsrp 100

ip 23.1.1.100

track 100 decrement 20

hsrp 100 ipv6

ip 2001:23:1:1::100

track 100 decrement 20

interface loopback0

ip address 7.7.7.7/32

interface loopback101

vrf member CU1_101

ip address 31.1.1.1/32

router bgp 3101

router-id 7.7.7.7

address-family ipv4 unicast

network 7.7.7.7/32

allocate-label all

maximum-paths 4

address-family ipv6 unicast

address-family ipv4 labeled-unicast

address-family l2vpn evpn

maximum-paths 4

template peer CU1_IPv4

address-family ipv4 unicast

as-override

send-community

soft-reconfiguration inbound always

template peer CU1_IPv6

address-family ipv6 unicast

as-override

send-community

soft-reconfiguration inbound always

template peer EVPN-LU_AS-2101

remote-as 2101

address-family ipv4 labeled-unicast

send-community extended

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map SET_NH out

encapsulation mpls

template peer EVPN-LU_AS-2201

bfd

remote-as 2201

address-family ipv4 labeled-unicast

send-community extended

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map SET_NH out

encapsulation mpls

template peer EVPN-LU_AS-3101

bfd

remote-as 3101

address-family ipv4 labeled-unicast

send-community extended

next-hop-self

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map SET_NH out

encapsulation mpls

neighbor 18.1.1.2

inherit peer EVPN-LU_AS-2101

neighbor 21.1.1.2

inherit peer EVPN-LU_AS-2201

vrf CU1_101

router-id 31.1.1.1

bestpath as-path multipath-relax

address-family ipv4 unicast

advertise l2vpn evpn

redistribute direct route-map cu1_101

maximum-paths 4

address-family ipv6 unicast

advertise l2vpn evpn

redistribute direct route-map cu1_101_v6

maximum-paths 4

g. Configuration on N9K spine 1

segment-routing mpls

global-block 16000 25000

connected-prefix-sid-map

address-family ipv4

5.5.5.5/32 index 2101

route-map NH_UNCHG permit 10

set ip next-hop unchanged

route-map label-index-Spine-1 permit 10

set label-index 2101

interface Ethernet1/20

description "Connected to Leaf1"

no switchport

bfd interval 50 min_rx 50 multiplier 5

ip address 18.1.1.2/24

ipv6 address 2001:18:1:1::2/64

mpls ip forwarding

no shutdown

interface Ethernet1/22

description "Connected to Leaf2"

no switchport

bfd interval 50 min_rx 50 multiplier 5

ip address 20.1.1.2/24

ipv6 address 2001:20:1:1::2/64

mpls ip forwarding

no shutdown

interface Ethernet1/26

description "Connected to Spine1"

no switchport

bfd interval 50 min_rx 50 multiplier 5

ip address 16.1.1.2/24

mpls ip forwarding

no shutdown

interface Ethernet1/28

description "Connected to Spine2"

no switchport

bfd interval 50 min_rx 50 multiplier 5

ip address 26.1.1.2/24

mpls ip forwarding

no shutdown

interface loopback0

ip address 5.5.5.5/32

router bgp 2101

router-id 5.5.5.5

address-family ipv4 unicast

network 5.5.5.5/32

allocate-label all

maximum-paths 4

address-family ipv6 unicast

address-family ipv4 labeled-unicast

address-family l2vpn evpn

retain route-target all

maximum-paths 4

template peer EVPN-LU_AS-3101

bfd

remote-as 3101

disable-connected-check

address-family ipv4 labeled-unicast

send-community

send-community extended

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map NH_UNCHG out

encapsulation mpls

template peer EVPN-LU_AS-3201

bfd

remote-as 3201

disable-connected-check

address-family ipv4 labeled-unicast

send-community extended

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map NH_UNCHG out

encapsulation mpls

template peer EVPN-LU_TR1_AS-4001

bfd

remote-as 4001

disable-connected-check

address-family ipv4 labeled-unicast

send-community

send-community extended

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map NH_UNCHG out

encapsulation mpls

template peer EVPN-LU_TR2_AS-4002

bfd

remote-as 4002

disable-connected-check

address-family ipv4 labeled-unicast

send-community extended

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map NH_UNCHG out

encapsulation mpls

neighbor 16.1.1.1

inherit peer EVPN-LU_TR1_AS-4001

description TR-1_E1/26

neighbor 18.1.1.1

inherit peer EVPN-LU_AS-3101

description Leaf-1_E1/20

neighbor 20.1.1.1

inherit peer EVPN-LU_AS-3101

description Leaf-2_E1/22

neighbor 26.1.1.1

inherit peer EVPN-LU_TR2_AS-4002

description TR-2_E1/28

h. Configuration on N9K leaf 2

segment-routing mpls

global-block 16000 25000

connected-prefix-sid-map

address-family ipv4

8.8.8.8/32 index 3201

ip prefix-list cu1_101 seq 10 permit 23.1.1.0/24

ipv6 prefix-list cu1_101_v6 seq 10 permit 2001:23:1:1::/64

route-map SET_NH permit 10

set ip next-hop 8.8.8.8

route-map cu1_101 permit 10

match ip address prefix-list cu1_101

route-map cu1_101_v6 permit 10

match ipv6 address prefix-list cu1_101_v6

route-map label-index-Leaf-2 permit 10

set label-index 3201

vrf context CU1_101

rd auto

address-family ipv4 unicast

route-target import 1:101

route-target import 1:101 evpn

route-target export 1:101

route-target export 1:101 evpn

address-family ipv6 unicast

route-target import 1:101

route-target import 1:101 evpn

route-target export 1:101

route-target export 1:101 evpn

interface Ethernet1/22

description "Connected to Spine1"

no switchport

bfd interval 50 min_rx 50 multiplier 5

ip address 20.1.1.1/24

ipv6 address 2001:20:1:1::1/64

mpls ip forwarding

no shutdown

interface Ethernet1/26

description "Connected to Spine2"

no switchport

bfd interval 50 min_rx 50 multiplier 5

ip address 19.1.1.1/24

ipv6 address 2001:19:1:1::1/64

mpls ip forwarding

no shutdown

interface Ethernet1/24

description "Connected to TGEN/Switch"

no switchport

bfd interval 50 min_rx 50 multiplier 5

ip address 26.1.1.2/24

no shutdown

interface Ethernet1/24.101

encapsulation dot1q 100

vrf member CU1_101

bfd interval 50 min_rx 50 multiplier 5

ip address 23.1.1.2/24

ipv6 address 2001:23:1:1::2/64

no shutdown

hsrp version 2

hsrp 100

priority 200

ip 23.1.1.100

track 100 decrement 20

hsrp 100 ipv6

priority 200

ip 2001:23:1:1::100

track 100 decrement 20

interface loopback0

ip address 8.8.8.8/32

interface loopback101

vrf member CU1_101

ip address 32.1.1.1/32

router bgp 3101

router-id 8.8.8.8

address-family ipv4 unicast

network 8.8.8.8/32

allocate-label all

maximum-paths 4

address-family ipv6 unicast

address-family ipv4 labeled-unicast

address-family l2vpn evpn

maximum-paths 4

template peer CU1_IPv4

bfd

address-family ipv4 unicast

as-override

send-community

soft-reconfiguration inbound always

template peer CU1_IPv6

bfd

address-family ipv6 unicast

as-override

send-community

soft-reconfiguration inbound always

template peer EVPN-LU_AS-2101

bfd

remote-as 2101

address-family ipv4 labeled-unicast

send-community extended

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map SET_NH out

encapsulation mpls

template peer EVPN-LU_AS-2201

bfd

remote-as 2201

address-family ipv4 labeled-unicast

send-community extended

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map SET_NH out

encapsulation mpls

template peer EVPN-LU_AS-3101

bfd

remote-as 3101

address-family ipv4 labeled-unicast

send-community extended

next-hop-self

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map SET_NH out

encapsulation mpls

neighbor 19.1.1.2

inherit peer EVPN-LU_AS-2201

neighbor 20.1.1.2

inherit peer EVPN-LU_AS-2101

vrf CU1_101

router-id 32.1.1.1

bestpath as-path multipath-relax

address-family ipv4 unicast

advertise l2vpn evpn

redistribute direct route-map cu1_101

maximum-paths 4

address-family ipv6 unicast

advertise l2vpn evpn

redistribute direct route-map cu1_101_v6

maximum-paths 4

i. Configuration on N9K spine 2

segment-routing mpls

global-block 16000 25000

connected-prefix-sid-map

address-family ipv4

6.6.6.6/32 index 2201

route-map NH_UNCHG permit 10

set ip next-hop unchanged

route-map label-index-Spine-2 permit 10

set label-index 2201

interface Ethernet1/26

description "Connected to Leaf2"

no switchport

bfd interval 50 min_rx 50 multiplier 5

ip address 19.1.1.2/24

ipv6 address 2001:19:1:1::2/64

mpls ip forwarding

no shutdown

interface Ethernet1/28

description "Connected to Leaf1"

no switchport

bfd interval 50 min_rx 50 multiplier 5

ip address 21.1.1.2/24

ipv6 address 2001:21:1:1::2/64

mpls ip forwarding

no shutdown

interface Ethernet1/30

description "Connected to ASR1K TR2"

no switchport

bfd interval 50 min_rx 50 multiplier 5

ip address 17.1.1.2/24

mpls ip forwarding

no shutdown

interface Ethernet1/32

description "Connected to ASR1K TR1"

no switchport

bfd interval 50 min_rx 50 multiplier 5

ip address 27.1.1.2/24

mpls ip forwarding

no shutdown

router bgp 2201

router-id 6.6.6.6

address-family ipv4 unicast

network 6.6.6.6/32

allocate-label all

maximum-paths 4

address-family ipv6 unicast

address-family ipv4 labeled-unicast

address-family l2vpn evpn

retain route-target all

maximum-paths 4

template peer EVPN-LU_AS-3101

bfd

remote-as 3101

ebgp-multihop 2

address-family ipv4 labeled-unicast

send-community

send-community extended

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map NH_UNCHG out

encapsulation mpls

template peer EVPN-LU_AS-3201

bfd

remote-as 3201

disable-connected-check

address-family ipv4 labeled-unicast

send-community extended

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map NH_UNCHG out

encapsulation mpls

template peer EVPN-LU_TR1_AS-4001

bfd

remote-as 4001

disable-connected-check

address-family ipv4 labeled-unicast

send-community

send-community extended

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map NH_UNCHG out

encapsulation mpls

template peer EVPN-LU_TR2_AS-4002

bfd

remote-as 4002

disable-connected-check

address-family ipv4 labeled-unicast

send-community extended

soft-reconfiguration inbound always

address-family l2vpn evpn

send-community extended

route-map NH_UNCHG out

encapsulation mpls

neighbor 17.1.1.1

inherit peer EVPN-LU_TR2_AS-4002

description TR-2_E1/30

neighbor 19.1.1.1

inherit peer EVPN-LU_AS-3101

description Leaf-2_E1/26

neighbor 21.1.1.1

inherit peer EVPN-LU_AS-3101

description Leaf-1_E1/28

neighbor 27.1.1.1

inherit peer EVPN-LU_TR1_AS-4001

description TR-1_E1/32

j. NETCONF/YANG Remote Procedure Call (RPC) messages to configure on the ASR 1000 PE

#1 VRF and other Basic Configurations

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">

<edit-config>

<target>

<running/>

</target>

<config>

<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">

<version>16.9</version>

<boot-start-marker/>

<boot>

<system>

<bootfile>

<filename-list>

<filename>harddisk:asr1000rpx86-universalk9. SSA.bin</filename>

</filename-list>

</bootfile>

</system>

</boot>

<hostname>DC1_RP3</hostname>

<enable>

<password>

<secret>lab</secret>

</password>

</enable>

<vrf>

<definition>

<name>CU1_101</name>

<rd>1:101</rd>

<address-family>

<ipv4>

<route-target>

<export>

<asn-ip>1:101</asn-ip>

<stitching/>

</export>

<import>

<asn-ip>1:101</asn-ip>

<stitching/>

</import>

</route-target>

</ipv4>

<ipv6>

<route-target>

<export>

<asn-ip>1:101</asn-ip>

<stitching/>

</export>

<import>

<asn-ip>1:101</asn-ip>

<stitching/>

</import>

</route-target>

</ipv6>

</address-family>

</definition>

</vrf>

<ip>

<admission>

<watch-list>

<expiry-time>0</expiry-time>

</watch-list>

</admission>

<forward-protocol>

<protocol>nd</protocol>

</forward-protocol>

<sla xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-sla">

<entry>

<number>1</number>

<udp-echo>

<dest-addr>11.1.1.2</dest-addr>

<dest-port>200</dest-port>

<source-ip>11.1.1.1</source-ip>

<source-port>2002</source-port>

</udp-echo>

</entry>

<schedule>

<entry-number>1</entry-number>

<life>forever</life>

<start-time>

<now/>

</start-time>

</schedule>

</sla>

</ip>

<ipv6>

<unicast-routing/>

</ipv6>

<redundancy>

<main-cpu>

<standby>

<console>

<enable/>

</console>

</standby>

</main-cpu>

<mode>sso</mode>

</redundancy>

</native>

</config>

</edit-config>

</rpc>

# 2 crypto and route-map configuration

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">

<edit-config>

<target>

<running/>

</target>

<config>

<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">

<crypto>

<ipsec xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-crypto">

<profile>

<name>profile1</name>

<set>

<transform-set>my_set</transform-set>

<security-association>

<lifetime>

<kilobytes>disable</kilobytes>

</lifetime>

</security-association>

</set>

</profile>

<security-association>

<lifetime>

<kilobytes>disable</kilobytes>

</lifetime>

<replay>

<window-size>1024</window-size>

</replay>

</security-association>

<transform-set>

<tag>my_set</tag>

<esp>esp-aes</esp>

<esp-hmac>esp-sha-hmac</esp-hmac>

<mode>

<tunnel/>

</mode>

</transform-set>

</ipsec>

<isakmp xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-crypto">

<keepalive>

<number>100</number>

</keepalive>

<key>

<key-address>

<key>cisco123</key>

<addr4-container>

<address>11.1.1.1</address>

</addr4-container>

</key-address>

</key>

<policy>

<number>10</number>

<authentication>pre-share</authentication>

</policy>

</isakmp>

<pki xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-crypto">

<certificate>

<chain>

<name>TP-self-signed-3319783595</name>

<certificate>

<serial>01</serial>

<certtype>self-signed</certtype>

</certificate>

</chain>

</certificate>

<trustpoint>

<id>TP-self-signed-3319783595</id>

<enrollment>

<selfsigned/>

</enrollment>

<revocation-check>none</revocation-check>

<rsakeypair>

<key-label>TP-self-signed-3319783595</key-label>

</rsakeypair>

<subject-name>cn=IOS-Self-Signed-Certificate-3319783595</subject-name>

</trustpoint>

</pki>

</crypto>

<route-map>

<name>NH_UNCHG</name>

<route-map-without-order-seq xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-route-map">

<seq_no>10</seq_no>

<operation>permit</operation>

<set>

<ip>

<next-hop>

<address>1.1.1.1</address>

</next-hop>

</ip>

<ipv6>

<next-hop>

<nha-ipv6>

<nha-ipv6>::ffff:101:101</nha-ipv6>

</nha-ipv6>

</next-hop>

</ipv6>

</set>

</route-map-without-order-seq>

</route-map>

<route-map>

<name>label-PE1</name>

<route-map-without-order-seq xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-route-map">

<seq_no>10</seq_no>

<operation>permit</operation>

</route-map-without-order-seq>

</route-map>

<control-plane/>

</native>

</config>

</edit-config>

</rpc>

# 3 Interface configuration

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">

<edit-config>

<target>

<running/>

</target>

<config>

<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">

<TenGigabitEthernet>

<name>0/0/6</name>

<description>Connected to CE2</description>

<bfd>

<interval xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-bfd">

<msecs>50</msecs>

<min_rx>50</min_rx>

<multiplier>5</multiplier>

</interval>

</bfd>

<ip>

<no-address>

<address>false</address>

</no-address>

</ip>

<ipv6>

<address>

<prefix-list>

<prefix>2001:13:1:1::1/64</prefix>

</prefix-list>

</address>

</ipv6>

</TenGigabitEthernet>

<TenGigabitEthernet>

<name>0/0/6.1</name>

<encapsulation>

<dot1Q>

<vlan-id>2</vlan-id>

</dot1Q>

</encapsulation>

<bfd>

<interval xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-bfd">

<msecs>900</msecs>

<min_rx>900</min_rx>

<multiplier>3</multiplier>

</interval>

</bfd>

<ip>

<address>

<primary>

<address>100.100.1.1</address>

<mask>255.255.255.0</mask>

</primary>

</address>

</ip>

</TenGigabitEthernet>

<TenGigabitEthernet>

<name>0/0/6.101</name>

<encapsulation>

<dot1Q>

<vlan-id>100</vlan-id>

</dot1Q>

</encapsulation>

<bfd>

<interval xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-bfd">

<msecs>50</msecs>

<min_rx>50</min_rx>

<multiplier>3</multiplier>

</interval>

</bfd>

<vrf>

<forwarding>CU1_101</forwarding>

</vrf>

<ip>

<address>

<primary>

<address>13.1.1.1</address>

<mask>255.255.255.0</mask>

</primary>

</address>

</ip>

<ipv6>

<address>

<prefix-list>

<prefix>2001:13:1:1::1/64</prefix>

</prefix-list>

</address>

</ipv6>

</TenGigabitEthernet>

<TenGigabitEthernet>

<name>0/0/7</name>

<description>Connected to TR1</description>

<bfd>

<interval xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-bfd">

<msecs>50</msecs>

<min_rx>50</min_rx>

<multiplier>5</multiplier>

</interval>

</bfd>

<ip>

<address>

<primary>

<address>11.1.1.2</address>

<mask>255.255.255.0</mask>

</primary>

</address>

</ip>

</TenGigabitEthernet>

<TenGigabitEthernet>

<name>0/0/8</name>

<shutdown/>

<ip>

<no-address>

<address>false</address>

</no-address>

</ip>

</TenGigabitEthernet>

<TenGigabitEthernet>

<name>0/0/9</name>

<shutdown/>

<ip>

<no-address>

<address>false</address>

</no-address>

</ip>

</TenGigabitEthernet>

<Loopback>

<name>0</name>

<ip>

<address>

<primary>

<address>1.1.1.1</address>

<mask>255.255.255.255</mask>

</primary>

</address>

</ip>

</Loopback>

<Tunnel>

<name>1</name>

<mpls>

<bgp xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-mpls">

<forwarding/>

</bgp>

</mpls>

<ip>

<address>

<primary>

<address>192.168.1.2</address>

<mask>255.255.255.0</mask>

</primary>

</address>

</ip>

<tunnel xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-tunnel">

<source>11.1.1.2</source>

<destination>

<ipaddress-or-host>11.1.1.1</ipaddress-or-host>

</destination>

<protection>

<ipsec xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-crypto">

<profile>profile1</profile>

</ipsec>

</protection>

</tunnel>

</Tunnel>

</interface>

</native>

</config>

</edit-config>

</rpc>

# 4 Segment routing configuration

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">

<edit-config>

<target>

<running/>

</target>

<config>

<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">

<segment-routing>

<mpls xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-segment-routing">

<connected-prefix-sid-map>

<address-family>

<ipv4>

<prefixes>

<ipprefix>1.1.1.1/32</ipprefix>

<index>

<range-start>5001</range-start>

<range>1</range>

</index>

</prefixes>

</ipv4>

</address-family>

</connected-prefix-sid-map>

<global-block>

<range-start>16000</range-start>

<range-end>25000</range-end>

</global-block>

</mpls>

</segment-routing>

</native>

</config>

</edit-config>

</rpc>

# 5 BFD and NTP configuration

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">

<edit-config>

<target>

<running/>

</target>

<config>

<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">

<bfd>

<map xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-bfd">

<ipv4>

<no-vrf>

<dest-ip>192.168.1.0/24</dest-ip>

<src-ip>192.168.1.2/32</src-ip>

<template-name>BFD</template-name>

</no-vrf>

</ipv4>

</map>

</bfd>

<ntp>

<master xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-ntp"/>

</ntp>

<diagnostic xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-diagnostics">

<bootup>

<level>minimal</level>

</bootup>

</diagnostic>

</native>

</config>

</edit-config>

</rpc>

# 6 BGP configuration

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">

<edit-config>

<target>

<running/>

</target>

<config>

<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">

<router>

<bgp xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-bgp">

<id>5001</id>

<bgp>

<graceful-restart/>

</bgp>

<neighbor>

<id>192.168.1.1</id>

<remote-as>4001</remote-as>

<ebgp-multihop>

<max-hop>2</max-hop>

</ebgp-multihop>

<fall-over>

<bfd>

<multi-hop/>

</bfd>

</fall-over>

<update-source>

<Tunnel>1</Tunnel>

</update-source>

</neighbor>

<address-family>

<with-vrf>

<ipv4>

<af-name>unicast</af-name>

<vrf>

<name>CU1_101</name>

<advertise>

<l2vpn>

<evpn/>

</l2vpn>

</advertise>

<bgp>

<additional-paths>

<install/>

</additional-paths>

</bgp>

<maximum-paths>

<ebgp>4</ebgp>

</maximum-paths>

<neighbor>

<id>13.1.1.2</id>

<remote-as>201</remote-as>

<activate/>

<fall-over>

<bfd/>

</fall-over>

</neighbor>

</vrf>

</ipv4>

</with-vrf>

<no-vrf>

<ipv4>

<af-name>unicast</af-name>

<network>

<with-mask>

<number>1.1.1.1</number>

<mask>255.255.255.255</mask>

</with-mask>

</network>

<maximum-paths>

<ebgp>4</ebgp>

</maximum-paths>

<neighbor>

<id>192.168.1.1</id>

<activate/>

<send-community>

<send-community-where>both</send-community-where>

</send-community>

<send-label/>

</neighbor>

<segment-routing>

<mpls/>

</segment-routing>

</ipv4>

<l2vpn>

<af-name>evpn</af-name>

<maximum-paths>

<ebgp>4</ebgp>

</maximum-paths>

<neighbor>

<id>192.168.1.1</id>

<activate/>

<encap>

<mpls/>

</encap>

<route-map>

<inout>out</inout>

<route-map-name>NH_UNCHG</route-map-name>

</route-map>

<send-community>

<send-community-where>both</send-community-where>

</send-community>

</neighbor>

</l2vpn>

</no-vrf>

</address-family>

</bgp>

</router>

</native>

</config>

</edit-config>

</rpc>

k. Verifications on an ASR1K PE

DC1_RP3#sh ip bgp all sum

For address family: IPv4 Unicast

BGP router identifier 1.1.1.1, local AS number 5001

BGP table version is 3631, main routing table version 3631

156 network entries using 38688 bytes of memory

156 path entries using 21216 bytes of memory

156/156 BGP path/bestpath attribute entries using 43680 bytes of memory

155 BGP AS-PATH entries using 6168 bytes of memory

10 BGP extended community entries using 240 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

BGP using 109992 total bytes of memory

BGP activity 3360838/3158941 prefixes, 5433488/5231572 paths, scan interval 60 secs

Neighbor        V     AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down   State/PfxRcd
192.168.1.1     4   4001    1602      25     3631    0    0 00:08:04  155

For address family: VPNv4 Unicast

BGP router identifier 1.1.1.1, local AS number 5001

BGP table version is 2163267, main routing table version 2163267

100821 network entries using 25810176 bytes of memory

100831 path entries using 13713016 bytes of memory

1421/1420 BGP path/bestpath attribute entries using 420616 bytes of memory

155 BGP AS-PATH entries using 6168 bytes of memory

10 BGP extended community entries using 240 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

BGP using 39950216 total bytes of memory

BGP activity 3360838/3158941 prefixes, 5433488/5231572 paths, scan interval 60 secs

Neighbor        V     AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down   State/PfxRcd
13.1.1.2        4    201      83     382  2163267    0    0 01:10:31  2
13.1.2.2        4    201      82     525  2163267    0    0 01:10:31  1
13.1.3.2        4    201      83     452  2163267    0    0 01:10:31  1
13.1.4.2        4    201      82     382  2163267    0    0 01:10:31  1
Neighbor        V     AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down   State/PfxRcd
13.1.5.2        4    201      83     381  2163267    0    0 01:10:31  1
13.1.6.2        4    201      82     384  2163267    0    0 01:10:32  1
13.1.7.2        4    201      82     383  2163267    0    0 01:10:33  1
13.1.8.2        4    201      81     380  2163267    0    0 01:10:32  1
13.1.9.2        4    201      82     382  2163267    0    0 01:10:33  1
13.1.10.2       4    201      83     382  2163267    0    0 01:10:32  1

For address family: VPNv6 Unicast

BGP router identifier 1.1.1.1, local AS number 5001

BGP table version is 789, main routing table version 789

40 network entries using 11200 bytes of memory

49 path entries using 7644 bytes of memory

21/20 BGP path/bestpath attribute entries using 6216 bytes of memory

155 BGP AS-PATH entries using 6168 bytes of memory

10 BGP extended community entries using 240 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

BGP using 31468 total bytes of memory

BGP activity 3360838/3158941 prefixes, 5433488/5231572 paths, scan interval 60 secs

Neighbor        V     AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down   State/PfxRcd
2001:13:1:1::2  4    201      84      81      789    0    0 01:10:26  3
2001:13:1:2::2  4    201      84      81      789    0    0 01:10:31  3
2001:13:1:3::2  4    201      85      82      789    0    0 01:10:33  3
2001:13:1:4::2  4    201      85      80      789    0    0 01:10:25  3
Neighbor        V     AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down   State/PfxRcd
2001:13:1:5::2  4    201      85      81      789    0    0 01:10:31  3
2001:13:1:6::2  4    201      84      82      789    0    0 01:10:33  3
2001:13:1:7::2  4    201      83      81      789    0    0 01:10:32  3
2001:13:1:8::2  4    201      84      82      789    0    0 01:10:29  3
2001:13:1:9::2  4    201      85      82      789    0    0 01:10:33  3
2001:13:1:10::2 4    201      85      80      789    0    0 01:10:33  3

For address family: L2VPN E-VPN

BGP router identifier 1.1.1.1, local AS number 5001

BGP table version is 1513181, main routing table version 1513181

100880 network entries using 34702720 bytes of memory

100880 path entries using 20983040 bytes of memory

1421/1421 BGP path/bestpath attribute entries using 397880 bytes of memory

155 BGP AS-PATH entries using 6168 bytes of memory

10 BGP extended community entries using 240 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

BGP using 56090048 total bytes of memory

BGP activity 3360838/3158941 prefixes, 5433488/5231572 paths, scan interval 60 secs

Neighbor        V     AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down   State/PfxRcd
192.168.1.1     4   4001    1602      25  1513181    0    0 00:08:06  100839

DC1_RP3#

DC1_RP3#sh ip route vrf CU1_101

Routing Table: CU1_101

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

a - application route

+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 13.1.1.0/24 is directly connected, TenGigabitEthernet0/0/6.101

L 13.1.1.1/32 is directly connected, TenGigabitEthernet0/0/6.101

15.0.0.0/24 is subnetted, 1 subnets

B 15.1.1.0 [20/0] via 13.1.1.2, 03:28:20

16.0.0.0/32 is subnetted, 1 subnets

B 16.16.1.1 [20/0] via 13.1.1.2, 03:28:20

23.0.0.0/24 is subnetted, 1 subnets

B 23.1.1.0 [20/0] via 8.8.8.8, 00:07:04 Campus Prefix (2 ECMP)

[20/0] via 7.7.7.7, 00:07:04

35.0.0.0/32 is subnetted, 10080 subnets

B 35.35.1.1 [20/0] via 28.1.1.2, 00:19:40 <snipped>

DC1_RP3#sh bfd neighbors

IPv4 Sessions

NeighAddr        LD/RD       RH/RS  State  Int
13.1.1.2         4138/4288   Up     Up     Te0/0/6.101
13.1.2.2         4133/4283   Up     Up     Te0/0/6.102
13.1.3.2         4135/4285   Up     Up     Te0/0/6.103
13.1.4.2         4132/4282   Up     Up     Te0/0/6.104
13.1.5.2         4139/4289   Up     Up     Te0/0/6.105
13.1.6.2         4134/4284   Up     Up     Te0/0/6.106
13.1.7.2         4130/4280   Up     Up     Te0/0/6.107
13.1.8.2         4136/4286   Up     Up     Te0/0/6.108
13.1.9.2         4131/4281   Up     Up     Te0/0/6.109
13.1.10.2        4137/4287   Up     Up     Te0/0/6.110

IPv4 Sessions

NeighAddr LD/RD RH/RS State Int

IPv6 Sessions

NeighAddr        LD/RD       RH/RS  State  Int
2001:13:1:1::2   4/189       Up     Up     Te0/0/6.101
2001:13:1:2::2   7/186       Up     Up     Te0/0/6.102
2001:13:1:3::2   5/181       Up     Up     Te0/0/6.103
2001:13:1:4::2   9/190       Up     Up     Te0/0/6.104
2001:13:1:5::2   1/187       Up     Up     Te0/0/6.105
2001:13:1:6::2   6/184       Up     Up     Te0/0/6.106
2001:13:1:7::2   2/185       Up     Up     Te0/0/6.107
2001:13:1:8::2   3/188       Up     Up     Te0/0/6.108
2001:13:1:9::2   10/183      Up     Up     Te0/0/6.109
2001:13:1:10::2  8/182       Up     Up     Te0/0/6.110

IPv6 Sessions

NeighAddr LD/RD RH/RS State Int

IPv4 Multihop Sessions

NeighAddr[vrf] LD/RD RH/RS State

192.168.1.1 4141/4097 Up Up Tunnel

DC1_RP3#

TR1#sh bfd neighbors

IPv4 Sessions

NeighAddr LD/RD RH/RS State Int

16.1.1.2 4102/1090519043 Up Up Te0/1/3

27.1.1.2 4097/1090519047 Up Up Te0/1/5

IPv4 Multihop Sessions

NeighAddr[vrf] LD/RD RH/RS State

192.168.1.2 4101/4110 Up Up

TR1#

DC1_RP3#sh ip bgp l2vpn evpn det | b 23.1.1.0

BGP routing table entry for [5][7.7.7.7:3][0][24][23.1.1.0]/17, version 94

Paths: (1 available, best #1, table EVPN-BGP-Table)

Not advertised to any peer

Refresh Epoch 1

4001 2101 3101

7.7.7.7 (via default) from 192.168.1.1 (3.3.3.3)

Origin incomplete, localpref 100, valid, external, best

EVPN ESI: 00000000000000000000, Gateway Address: 0.0.0.0, VNI Label 0, MPLS VPN Label 492287

Extended Community: RT:1:101

rx pathid: 0, tx pathid: 0x0

BGP routing table entry for [5][8.8.8.8:3][0][24][23.1.1.0]/17, version 114

Paths: (1 available, best #1, table EVPN-BGP-Table)

Not advertised to any peer

Refresh Epoch 1

4001 2101 3101

8.8.8.8 (via default) from 192.168.1.1 (3.3.3.3)

Origin incomplete, localpref 100, valid, external, best

EVPN ESI: 00000000000000000000, Gateway Address: 0.0.0.0, VNI Label 0, MPLS VPN Label 492288

Extended Community: RT:1:101

rx pathid: 0, tx pathid: 0x0

Leaf1# sh bgp l2vpn evpn 15.1.1.0

BGP routing table information for VRF default, address family L2VPN EVPN

Route Distinguisher: 1:101

BGP routing table entry for [5]:[0]:[0]:[24]:[15.1.1.0]:[0.0.0.0]/224, version 16260734

Paths: (2 available, best #1)

Flags: (0x000002) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not in HW

Advertised path-id 1

Path type: external, path is valid, is best path

Imported to 2 destination(s)

AS-Path: 2201 4001 5001 201 , path sourced external to AS

1.1.1.1 (metric 0) from 21.1.1.2 (6.6.6.6)

Origin incomplete, MED not set, localpref 100, weight 0

Received label 16

Extcommunity: RT:1:101

Path type: external, path is valid, not best reason: newer EBGP path

AS-Path: 2101 4001 5001 201 , path sourced external to AS

1.1.1.1 (metric 0) from 18.1.1.2 (5.5.5.5)

Origin incomplete, MED not set, localpref 100, weight 0

Received label 16

Extcommunity: RT:1:101

Path-id 1 advertised to peers:

18.1.1.2

Route Distinguisher: 2:101

BGP routing table entry for [5]:[0]:[0]:[24]:[15.1.1.0]:[0.0.0.0]/224, version 16260611

Paths: (2 available, best #1)

Flags: (0x000002) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not in HW

Advertised path-id 1

Path type: external, path is valid, is best path

Imported to 2 destination(s)

AS-Path: 2101 4002 5002 201 , path sourced external to AS

2.2.2.2 (metric 0) from 18.1.1.2 (5.5.5.5)

Origin incomplete, MED not set, localpref 100, weight 0

Received label 40

Extcommunity: RT:1:101

Path type: external, path is valid, not best reason: newer EBGP path

AS-Path: 2201 4002 5002 201 , path sourced external to AS

2.2.2.2 (metric 0) from 21.1.1.2 (6.6.6.6)

Origin incomplete, MED not set, localpref 100, weight 0

Received label 40

Extcommunity: RT:1:101

Path-id 1 advertised to peers:

21.1.1.2

Route Distinguisher: 7.7.7.7:3

BGP routing table entry for [5]:[0]:[0]:[24]:[15.1.1.0]:[0.0.0.0]/224, version 16260693

Paths: (2 available, best #1)

Flags: (0x000002) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not in HW

Advertised path-id 1

Path type: external, path is valid, is best path

Imported from 2:101:[5]:[0]:[0]:[24]:[15.1.1.0]:[0.0.0.0]/224

AS-Path: 2101 4002 5002 201 , path sourced external to AS

2.2.2.2 (metric 0) from 18.1.1.2 (5.5.5.5)

Origin incomplete, MED not set, localpref 100, weight 0

Received label 40

Extcommunity: RT:1:101

Path type: external, path is valid, not best reason: newer EBGP path

Imported from 1:101:[5]:[0]:[0]:[24]:[15.1.1.0]:[0.0.0.0]/224

AS-Path: 2201 4001 5001 201 , path sourced external to AS

1.1.1.1 (metric 0) from 21.1.1.2 (6.6.6.6)

Origin incomplete, MED not set, localpref 100, weight 0

Received label 16

Extcommunity: RT:1:101

Path-id 1 not advertised to any peer

Leaf1# sh ip route vrf CU1_101

IP Route Table for VRF "CU1_101"

'*' denotes best ucast next-hop

'**' denotes best mcast next-hop

'[x/y]' denotes [preference/metric]

'%<string>' in via output denotes VRF <string>

15.1.1.0/24, ubest/mbest: 2/0 DC Prefix (2 ECMP)

*via 1.1.1.1%default, [20/0], 00:03:28, bgp-3101, external, tag 2201 (mpls-vpn)

*via 2.2.2.2%default, [20/0], 00:04:00, bgp-3101, external, tag 2101 (mpls-vpn)

16.16.1.1/32, ubest/mbest: 2/0

*via 1.1.1.1%default, [20/0], 00:03:28, bgp-3101, external, tag 2201 (mpls-vpn)

*via 2.2.2.2%default, [20/0], 00:04:00, bgp-3101, external, tag 2101 (mpls-vpn)

23.1.1.0/24, ubest/mbest: 1/0, attached

*via 23.1.1.1, Eth1/24.101, [0/0], 04:44:30, direct

23.1.1.1/32, ubest/mbest: 1/0, attached

*via 23.1.1.1, Eth1/24.101, [0/0], 04:44:30, local

23.1.1.100/32, ubest/mbest: 1/0, attached

*via 23.1.1.100, Eth1/24.101, [0/0], 04:43:47, hsrp

31.1.1.1/32, ubest/mbest: 2/0, attached

*via 31.1.1.1, Lo101, [0/0], 4w1d, local

*via 31.1.1.1, Lo101, [0/0], 4w1d, direct

Leaf1# sh ip route

IP Route Table for VRF "default"

'*' denotes best ucast next-hop

'**' denotes best mcast next-hop

'[x/y]' denotes [preference/metric]

'%<string>' in via output denotes VRF <string>

1.1.1.1/32, ubest/mbest: 2/0 ASR1K PE1 Node SID (2 ECMP)

*via 18.1.1.2, [20/0], 01:26:37, bgp-3101, external, tag 2101 (mpls)

*via 21.1.1.2, [20/0], 01:26:38, bgp-3101, external, tag 2201 (mpls)

2.2.2.2/32, ubest/mbest: 2/0 ASR1K PE2 Node SID (2 ECMP)

*via 18.1.1.2, [20/0], 01:27:15, bgp-3101, external, tag 2101 (mpls)

*via 21.1.1.2, [20/0], 01:27:15, bgp-3101, external, tag 2201 (mpls)

DC1_RP3#sh crypto ipsec sa

interface: Tunnel1

Crypto map tag: Tunnel1-head-0, local addr 11.1.1.2

protected vrf: (none)

local ident (addr/mask/prot/port): (11.1.1.2/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (11.1.1.1/255.255.255.255/47/0)

current_peer 11.1.1.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 3291696656, #pkts encrypt: 3291696656, #pkts digest: 3291696656

#pkts decaps: 2564054003, #pkts decrypt: 2564054003, #pkts verify: 2564054003

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 11.1.1.2, remote crypto endpt.: 11.1.1.1

plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb TenGigabitEthernet0/0/7

current outbound spi: 0xB5D43C74(3050585204)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0xCA7FA606(3397363206)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2255, flow_id: HW:255, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0

sa timing: remaining key lifetime (sec): 2981

Kilobyte Volume Rekey has been disabled

IV size: 8 bytes

replay detection support: Y replay window size: 1024

Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xB5D43C74(3050585204)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2256, flow_id: HW:256, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0

sa timing: remaining key lifetime (sec): 2981

Kilobyte Volume Rekey has been disabled

IV size: 8 bytes

replay detection support: Y replay window size: 1024

Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

DC1_RP3#
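The checks an operator makes by eye on the `sh crypto ipsec sa` output above can be scripted. The Python below is an added example, not part of the Cisco profile: it parses one interface block and reports which protections are missing. The finding codes and pass criteria are assumptions of this example, and the sample text is abbreviated from the output on this page.

```python
import re

# Constructed sample: abbreviated from the "sh crypto ipsec sa" output on this
# page (same values, wrapped lines joined).
SAMPLE = """\
local ident (addr/mask/prot/port): (11.1.1.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (11.1.1.1/255.255.255.255/47/0)
#pkts encaps: 3291696656, #pkts encrypt: 3291696656, #pkts digest: 3291696656
#pkts decaps: 2564054003, #pkts decrypt: 2564054003, #pkts verify: 2564054003
#send errors 0, #recv errors 0
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xCA7FA606(3397363206)
transform: esp-aes esp-sha-hmac ,
replay detection support: Y replay window size: 1024
Status: ACTIVE(ACTIVE)
inbound ah sas:
outbound esp sas:
spi: 0xB5D43C74(3050585204)
transform: esp-aes esp-sha-hmac ,
replay detection support: Y replay window size: 1024
Status: ACTIVE(ACTIVE)
"""


def parse_ipsec_sa(text):
    """Parse one interface block of 'show crypto ipsec sa' into a dict."""
    sa = {"counters": {}, "protos": [], "pfs": None, "esp": {"inbound": [], "outbound": []}}
    direction, cur = None, None  # current ESP list ("inbound"/"outbound") and SA
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            direction = m.group(1) if m.group(2) == "esp" else None
            cur = None
        elif m := re.match(r"(?:local|remote)\s+ident .*/(\d+)/\d+\)$", line):
            sa["protos"].append(int(m.group(1)))  # IP protocol of the proxy identity
        elif line.startswith("#"):
            for name, val in re.findall(r"#([a-z. ]+?):? (\d+)", line):
                sa["counters"][name] = int(val)
        elif m := re.match(r"PFS \(Y/N\): ([YN])", line):
            sa["pfs"] = m.group(1)
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            cur = {"spi": m.group(1), "transform": [], "replay": None, "status": None}
            sa["esp"][direction].append(cur)
        elif cur is not None and line.startswith("transform:"):
            cur["transform"] = line[len("transform:"):].replace(",", " ").split()
        elif cur is not None and (m := re.match(r"replay detection support: ([YN])", line)):
            cur["replay"] = m.group(1)
        elif cur is not None and (m := re.match(r"Status: (\w+)", line)):
            cur["status"] = m.group(1)
    return sa


def audit(sa):
    """Return sorted finding codes (names assumed here); [] means all checks pass."""
    c, out = sa["counters"], set()
    def same(*keys):  # all named counters present and equal
        vals = [c.get(k) for k in keys]
        return None not in vals and len(set(vals)) == 1
    if sa["protos"] != [47, 47]:
        out.add("SCOPE")      # both proxy identities should be GRE (protocol 47)
    if not (same("pkts encaps", "pkts encrypt", "pkts digest")
            and same("pkts decaps", "pkts decrypt", "pkts verify")):
        out.add("COUNTERS")   # some packets were not encrypted or authenticated
    if c.get("send errors") or c.get("recv errors"):
        out.add("ERRORS")
    if sa["pfs"] != "Y":
        out.add("NO_PFS")     # rekeys run no fresh Diffie-Hellman exchange
    for sas in sa["esp"].values():
        if not sas:
            out.add("NO_ESP_SA")
        for s in sas:
            if not any(t.endswith("-hmac") or "gcm" in t for t in s["transform"]):
                out.add("NO_INTEGRITY")
            if s["replay"] != "Y":
                out.add("NO_REPLAY")
            if s["status"] != "ACTIVE":
                out.add("INACTIVE")
    return sorted(out)
```

Run against the output on this page, `audit(parse_ipsec_sa(SAMPLE))` returns only `NO_PFS`, matching the `PFS (Y/N): N, DH group: none` line.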

10. Acronyms

Following is a list of acronyms used in this Cisco Validated Profile:

● EVPN – Ethernet VPN

● MPLS – Multi-protocol Label Switching

● SR – Segment Routing

● BGP – Border Gateway Protocol

● BGP LU – BGP Labelled Unicast

● IPsec – Internet Protocol Security

● GRE – Generic Routing Encapsulation

● SNMP – Simple Network Management Protocol

For any feedback/questions, please send an email to: [email protected]

Printed in USA C17-741511-00 12/18