© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 67
CSG
Cisco Validated Profile Series
Enterprise Routing
BGP EVPN and Segment Routing with IPsec/GRE
on Cisco ASR 1000 Routers
CVP
Contents
1. Profile introduction
2. Network profile
  a. Topology diagram
  b. Hardware and feature specifications
    i. Key vertical features
    ii. Hardware profile
  c. Test environment
3. Use case scenarios
  1. Test methodology
  2. Use cases
  3.2 BGP EVPN – SR with IPsec/GRE on ASR1000
    3.2.1 Routing
    3.2.2 Security
    3.2.3 Simplified management
    3.2.4 System health monitoring
    3.2.5 System and network resiliency, robustness
4. Notes
5. Best practices and recommendations
6. Convergence data
7. Throughput data
8. Appendix
  a. Configuration on ASR1K PE1:
  b. Configuration on ASR1K TR1:
  c. Configuration on ASR 1000 PE 2
  d. Configuration on ASR1K TR 2:
  e. Configuration on ASR1K CE in the DC:
  f. Configuration on N9K Leaf 1:
  g. Configuration on N9K spine 1
  h. Configuration on N9K leaf 2
  i. Configuration on N9K spine 2
  j. NETCONF/YANG Remote Procedural Call (RPC) messages to configure on the ASR 1000 PE
  k. Verifications on an ASR1K PE
10. Acronyms
1. Profile introduction
This Cisco® Validated Profile covers the segregation of a campus network from a data center through a WAN
interconnect.
Cisco Nexus® 9000 Series devices form the campus network. Cisco ASR 1000 Series Aggregation Services
Routers (ASR 1000) are in the WAN interconnect and data center. The WAN interconnect is through an IPsec
Generic Routing Encapsulation (GRE) tunnel.
Border Gateway Protocol Ethernet VPN over Multiprotocol Label Switching (BGP EVPNoMPLS) RT5 with next-hop
unchanged is used to advertise the site prefixes across the overlay network.
A single BGP session is used to carry both Segment Routing (SR) and EVPN prefixes.
BGP Labelled Unicast with Segment Routing is used as underlay and BGP MPLSoEVPN is used for overlay.
BGP Segment Routing PrefixSID is used to advertise the NodeSID of the provider edge (PE) device.
Table 1. BGP EVPN-SR with IPsec/GRE on ASR 1000 routers profile feature summary
Deployment areas | Features
Security | IPsec/GRE
Management and monitoring | Simple Network Management Protocol (SNMP), syslog server
System resiliency | Interface flaps, RP, ESP, SIP, SPA failovers
Network services | BGP LU, Segment Routing, BGP MPLSoEVPN, Bidirectional Forwarding Detection (BFD)
Network resiliency | BFD, equal-cost multipath (ECMP) routing
2. Network profile
Based on the research, customer feedback, and configuration samples, the BGP EVPN-Segment Routing with
IPsec/GRE with a Cisco ASR 1000 router profile is designed with a deployment topology that is generic and can
easily be modified to fit any specific deployment scenario.
a. Topology diagram
Disclaimer: The links between the different network layers in the topology are mainly to facilitate this profile
validation across different platform combinations. The actual deployment could vary based on specific
requirements.
BGP EVPN-Segment Routing with IPsec/GRE with a Cisco ASR1000 router profile covers N9K in a campus
connected to the data center via the WAN. We have IPsec/GRE in the WAN using a Cisco ASR 1001-HX Router
and an ASR 1006-X Router.
Figure 1. Deployment diagram of BGP EVPN Segment Routing with IPsec/GRE
The left portion of the topology represents the campus, consisting of the N9k leaf and spine nodes working in the
standalone mode.
The right portion of the topology represents the DC and WAN, consisting of ASR1Ks running an IPsec/GRE tunnel
between them.
b. Hardware and feature specifications
This section details the 3D feature matrix, where the hardware platforms are listed along with their place in the
network (PIN) and the relevant deployment.
Table 2. Network device and platform
Network device | Platform
ASR 1K PE 1 | ASR 1006-X (RP3/ESP100/EPA10x10G)
ASR 1K PE 2 | ASR 1006-X (RP2/ESP100/EPA10x10G)
N9K PE1 (Leaf 1) | N9K-C9396PX
N9K PE2 (Leaf 2) | N9K-C9396PX
ASR1K Transit Routers | ASR1001-HX
N9K Spine 1 | N9K-C9396PX
N9K Spine 2 | N9K-93180YC-EX
CE in DC | ASR 1002-HX
Transit Router (TR) to Spirent PE | ASR 1002-HX
Spirent Test Center | 4.85 (BGP SR and EVPN license)
Table 3. Features and functionalities tested
Features and functionalities
● Campus has N9K TORs and Spines in the standalone mode
● N9K Leafs are the PEs and Spines are Transit devices
● Spines connect to ASR 1K Transit Routers
● IPsec/GRE tunnel between ASR1K Transit Routers and ASR1K PEs
● One BGP session to carry both EVPN and SR labels
● BGP LU with SR as underlay
● Equal-Cost Paths
● BFD with BGP for all interfaces and neighbors
● Segment Routing Global Block (SRGB) range of 16000-25000
● Transit routers advertise the EVPN prefixes as next hop unchanged
Table 4. Scales tested
Scales tested
● 7 N9K Spines simulated using Spirent Test Center
● 20 N9K Leaf PEs behind each Spine simulated using Spirent Test Center (Total 140 N9K PEs)
● 10 VRFs on each N9K PE (Same 10 VRFs on each PE)
● Total 100,000 prefixes; 72 prefixes per VRF on each Nexus 9000 leaf (total is calculated as 72 x 10 VRF x 140 PE = 100,800)
● 1 IPsec/GRE tunnel between ASR 1000 transit router and ASR1K PE
i. Key vertical features
Table 5 defines the 3D hardware, place in network (PIN), and the features deployed. The scale of these configured
features, the test environment, list of endpoints, and hardware software versions of the network topology will be
defined in subsequent sections of this guide.
Table 5. Key vertical features
Deployment layer | Platforms | Critical vertical features
ASR1K PE | ASR 1006-X Router (RP3/ESP100/ASR1000-MIP100/10X10G EPA) / ASR 1006-X Router (RP2/ESP100/ASR1000-MIP100/10X10G EPA) | One BGP session to carry both EVPN and SR labels; BGP Labelled Unicast; BGP Segment Routing; BGP MPLSoEVPN with next hop unchanged (RT5); IPv4 underlay, dual-stack overlay; Segment Routing Global Block (SRGB) 16000 – 25000; Bidirectional Forwarding Detection (BFD); IPsec/GRE; Configuration using NETCONF YANG
ASR1K TR | ASR 1001-HX | One BGP session to carry both EVPN and SR labels; BGP Labelled Unicast; BGP Segment Routing; BGP MPLSoEVPN with next hop unchanged (RT5); SRGB 16000 – 25000; BFD; IPsec/GRE
N9K Leaf PE | N9K-C9396PX | One BGP session to carry both EVPN and SR labels; BGP Labelled Unicast; BGP Segment Routing; BGP MPLSoEVPN with next hop unchanged (RT5); IPv4 underlay, dual-stack overlay; SRGB 16000 – 25000; BFD; HSRP between N9K Leaf PEs
N9K Spine | N9K-C9396PX / N9K-93180YC-EX | One BGP session to carry both EVPN and SR labels; BGP Labelled Unicast; BGP Segment Routing; BGP MPLSoEVPN with next hop unchanged (RT5); SRGB 16000 – 25000; BFD
ii. Hardware profile
Table 6 defines the set of relevant hardware, servers, test equipment, and endpoints that are used to complete the
end-to-end retail vertical profile deployment. A list of hardware, along with the relevant software versions and the
role of these devices, complement the actual physical topology that is defined in Figure 1 of the previous section.
Table 6. Hardware profile of servers and endpoints
VM and hardware | Software versions | Description
Spirent | Windows 7 | N9K PE and spine (4.85 version)
Netconf/Yang | | Provisioning the configs on the ASR1K PE
c. Test environment
This section contains a description of the features and relevant scales at which the features are deployed across
the physical topology. Table 7 lists the scale for each respective feature.
Disclaimer: Table 7 captures a sample set of scale values used in one of the use cases. Refer to appropriate
Cisco documentation and data sheets for comprehensive scale data.
Table 7. Sample set of scale values
Feature | Scale
N9K Spine | 7
N9K Leaf | 140
VRF on each PE | 10
IPsec/GRE tunnels | 1
RT5 prefixes | 100,000 (72 per PE x 10 VRF x 140 PE)
3. Use case scenarios
1. Test methodology
The use cases listed in Table 8 will be executed using the topology defined in Figure 1, along with the test
environment (Table 7) already explained in this document.
Images are loaded on the devices under test via the TFTP server using the management interface.
To validate a new release, the network topology is upgraded with the new software image with an existing
configuration that comprises the use cases and relevant traffic profiles. The addition of new use cases acquired
from the field or from customer deployments is added on top of the existing configuration.
During each use-case execution, syslog would be monitored closely across the devices for any relevant system
events, errors, or alarms. With respect to longevity for this profile setup, CPU and memory usage or leaks would be
monitored during the validation phase. Furthermore, to test the robustness of the software release and platform
under test, typical network events would be triggered during the use-case execution process.
2. Use cases
Table 8 describes the use cases that were executed on BGP EVPN-SR with IPsec/GRE on a Cisco ASR 1000
router profile. These use cases are divided into buckets of technology areas to outline the complete coverage of
the deployment scenarios. Use cases continuously evolve based on feedback from the field.
These technology buckets comprise security, network services, monitoring and troubleshooting, simplified
management, system health monitoring, and system resiliency.
3.2 BGP EVPN – SR with IPsec/GRE on ASR1000
Table 8. Use cases for BGP EVPN - SR
Number. Focus area, followed by its use cases

3.2.1 Routing
1. BGP LU with SR as underlay and BGP MPLSoEVPN as overlay
● Campus with N9K Leaf and spine
● N9K Leaf is the PE and the spine is the transit router
● Hot Standby Router Protocol (HSRP) between the N9K Leafs
● eBGP Labelled Unicast with SR as underlay
● BGP EVPN as overlay
● Spine peers with leaf and ASR 1000 transit router
● ASR 1000 PE is in the data center
● BGP EVPN with next hop unchanged is between the PEs, that is, between the Nexus 9000 leaf and ASR 1006-X data center
2. Best and backup paths
● Traffic through best path
● Shut tunnel interface on ASR 1000 PE (best path), verify traffic takes backup tunnel path

3.2.2 Security
1. IPsec/GRE
● IPsec/GRE tunnel between ASR 1000 transit router and PE
● Transform set with esp-aes esp-sha-hmac
● “mpls bgp forwarding” on the IPsec/GRE tunnel

3.2.3 Simplified management
1. Provisioning
● NETCONF/YANG to provision ASR 1000 PE

3.2.4 System health monitoring
1. System health: Monitor system health for CPU usage, memory consumption, and memory leaks during longevity
2. SNMP Mibwalk: Monitor system health for CPU usage, memory consumption, and memory leaks during snmp mibwalk

3.2.5 System and network resiliency, robustness
1. System resiliency: Verify system-level resiliency during the following events:
● Active RP/standby RP failure
● Active/standby ESP failure
● WAN/LAN interface flaps
● IPsec tunnel flaps
● Session Initiation Protocol (SIP) / shared port adapter (SPA) reload and online insertion and removal (OIR)
● Link failures
● Node failures (leaf 1/leaf 2/spine 1/spine 2/TR1/TR2/PE1/PE2/CE)
● In-Service Software Upgrade (ISSU)
2. Negative events, triggers: Verify that the system holds good and recovers to working condition after the following negative events are triggered:
● Config changes – add/remove config snippets, config replace
● Routing protocol interface flaps
● EVPN events
● BGP events
● SR events
● MPLS events
● IPsec events
4. Notes
● There are behavior differences in the ASR 1000 routers and Nexus 9000 switches when Segment Routing
is shut down. ASR 1000 routers still use the labels from the dynamic pool instead of SRGB and traffic
resumes. But on Nexus 9000 switches, BGP will not use the labels from a dynamic pool and hence, the
traffic doesn’t resume.
● The Prefix SID can be configured on Nexus 9000 switches using a route-map or using the SR APP. The ASR
1000 Series supports it only through the SR APP.
● Even when removing “neighbor encapsulation mpls” from “address-family l2vpn evpn” on the ASR 1000 PE,
traffic still uses MPLS encapsulation and not virtual extensible LAN (VXLAN) encapsulation if there are no
VNI, bridge domain interface (BDI), or network virtual interface (NVE) configured. Though VXLAN
encapsulation is the default, it will not use VXLAN unless the VNI, BDI, and NVE configurations are present
on the ASR 1000 router.
● When both ESPs are reloaded on the ASR 1000 PE, IPsec SAs no longer have the last sequence number
and need to restart from 0. However, peer transit router 1 expects the sequence number to continue, and
will drop any packet with a smaller sequence number due to an ANTI_REPLAY error. So the PE cannot
reach the transit router (TR) which results in the BGP session not coming up. We will have to do a shut/no
shut on the GRE tunnel or wait for the rekey to complete for the BGP session to come up on the ASR 1000
PE.
● IPsec/Crypto throughput with Cisco Internet Mix (IMIX) for the ASR 1001-HX Router and the ASR 1006-X
Router (RP3/ESP100) is less with a single tunnel when compared to throughput with multiple tunnels.
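The anti-replay behaviour in the note on reloading both ESPs, shown as an added example (not from the Cisco profile and not IOS XE code): a Python model of the receiver-side sliding window described in RFC 4303, sized to the configured replay window of 1024. The class and function names, the packet counts, and the convention that the first packet on an SA carries sequence number 1 are assumptions of this sketch.

```python
# Added example: ESP anti-replay window and a sender-side sequence reset.
# Models the RFC 4303 sliding-window check; names and packet counts are
# illustrative assumptions, not taken from the router software.
from collections import Counter


class AntiReplayWindow:
    """Receiver-side replay state for one inbound IPsec SA."""

    def __init__(self, size=1024):      # 1024 matches "replay window-size 1024"
        self.size = size
        self.top = 0                    # highest sequence number accepted so far
        self.bitmap = 0                 # bit i set => (top - i) already received

    def check(self, seq):
        """Classify an authenticated packet; update the window if accepted."""
        if seq < 1:
            return "drop_invalid"       # first packet on an SA carries 1, never 0
        if seq > self.top:              # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "drop_too_old"       # left of the window
        if (self.bitmap >> offset) & 1:
            return "drop_replay"        # duplicate inside the window
        self.bitmap |= 1 << offset      # late but not yet seen: accept once
        return "accept"

    def drops_before_resync(self):
        """Upper bound on packets a sender restarting at 1 loses on this SA.

        Exact when every number still inside the window was already received.
        """
        return self.top


def simulate_esp_reload(window_size=1024, before=50_000, after=2_000):
    """Constructed scenario: PE loses its outbound counter, TR keeps its SA."""
    tr_inbound = AntiReplayWindow(window_size)
    for seq in range(1, before + 1):    # steady state before the reload
        assert tr_inbound.check(seq) == "accept"

    # PE restarts its counter; TR still expects numbers above `before`.
    stale_sa = Counter(tr_inbound.check(seq) for seq in range(1, after + 1))
    needed = tr_inbound.drops_before_resync()

    # A rekey (or tunnel shut/no shut) sets up a new SA: fresh window on the TR.
    tr_inbound = AntiReplayWindow(window_size)
    new_sa = Counter(tr_inbound.check(seq) for seq in range(1, after + 1))
    return dict(stale_sa), needed, dict(new_sa)


if __name__ == "__main__":
    stale, needed, fresh = simulate_esp_reload()
    print("same SA after counter reset:", stale)
    print("packets lost before resync without a rekey:", needed)
    print("new SA after rekey:", fresh)
```

On the stale SA every packet from the restarted sender falls left of the window, so low-rate control traffic such as BGP cannot get through until a new SA exists.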
5. Best practices and recommendations
● It is a best practice to configure all nodes in the network to use the same SRGB (16000 – 23999).
● By default, volume-based rekey is enabled on the ASR 1000 routers and the default value is approximately
35 Gbps, which is too low. It is recommended to disable the volume-based rekey or set the rekey value to a
higher number.
6. Convergence data
Table 9. Convergence data
Event (link/node failure) | Traffic switches from --> to | Traffic from DC to campus (Nexus 9000) - IPv4 | Traffic from DC to campus (Nexus 9000) - IPv6 | Traffic from campus to DC (Nexus 9000) - IPv4 | Traffic from campus to DC (Nexus 9000) - IPv6 | Traffic from DC to campus (Spirent PEs)
DC2 tunnel shutdown | DC2 --> DC1 | 6.7 | 10.1 | 134 msec | 176 msec | 9
DC1 tunnel shutdown | DC1 --> DC2 | 6.4 | 9.4 | 186 msec | 123 msec | 8
DC1 - CE interface shut | DC2 --> DC1 | 266 msec | 3.2 | 49 msec | 10 msec | 260 msec
DC2 - CE interface shut | DC2 --> DC1 | 272 msec | 1.3 | 33 msec | 20 msec | 270 msec
DC2 - TR2 interface shut | DC2 --> DC1 | 7 | 12 | 116 msec | 148 msec | 9
DC1 - TR1 interface shut | DC1 --> DC2 | 6 | 9 | 107 msec | 48 msec | 8
CE - DC2 interface shut | DC2 --> DC1 | 28 msec | 23 msec | 184 msec | 72 msec | 28 msec
CE - DC1 interface shut | DC1 --> DC2 | 33 msec | 27 msec | 155 msec | 74 msec | 33 msec
TR2 - DC2 interface shut | DC2 --> DC1 | 7 | 14 | 127 msec | 185 msec | 9
TR1 - DC1 interface shut | DC1 --> DC2 | 6 | 9 | 97 msec | 48 msec | 8
TR2 – spine 1 interface 1 shut | DC2 --> DC2 | 180 msec | 180 msec | 0.5 | 0.5 | 0
TR2 – spine 2 interface 1 and 2 shut | DC2 --> DC1 | 172 msec | 172 msec | 484 msec | 451 msec | 0
TR1 - spine 1 interface 1 shut | DC1 --> DC1 | 28 msec | 28 msec | 1.2 | 1.3 | 0
TR1 – spine 2 interface 1 and 2 shut | DC1 --> DC2 | 220 msec | 222 msec | 1.9 | 2.1 | 0
Spine 1 – leaf 1 interface shut | Spine 1 --> Spine 2 | 32 msec | 32 msec | 1.9 | 1.9 | 0
Spine 2 - leaf 2 interface shut | Spine 2 --> Spine 1 | 160 msec | 160 msec | 1.3 | 1.3 | 0
Leaf 1 – spine 1 interface shut | Leaf 1-Spine 1 --> Leaf 1-Spine 2 | 1.4 | 1.4 | 0.9 | 0.9 | 0
Leaf 1 - Spirent interface shut | Leaf 1 --> Leaf 2 | 30 | 33 | 8 | 8.5 | 0
DC1 reload | DC1 --> DC2 | 46 msec | 46 msec | 44 msec | 44 msec | 45 msec
DC2 reload | DC2 --> DC1 | 37 msec | 36 msec | 37 msec | 37 msec | 35 msec
TR1 reload | DC1 --> DC2 | 23 msec | 23 msec | 10 msec | 40 msec | 7
TR2 reload | DC2 --> DC1 | 16 msec | 18 msec | 33 msec | 33 msec | 8
Spine 1 reload | Spine1 --> Spine 2 | 257 msec | 257 msec | 1.2 | 1.7 | 0
Spine 2 reload | Spine 2 --> Spine 1 | 272 msec | 272 msec | 1.3 | 1.2 | 0
Leaf 1 reload | Leaf1 --> Leaf2 | 5 | 5 | 7 | 7 | 0
Leaf 2 reload | Leaf2 --> Leaf1 | 5 | 8 | 7 | 7 | 0
DC2 RP switchover | DC2 --> DC1 | 4.8 | 6 | 127 msec | 183 msec | 8
DC1 RP switchover | DC1 --> DC2 | 6 | 5 | 33 msec | 25 msec | 8
DC2 ESP switchover | DC2 --> DC1 | 18 msec | 18 msec | 8 msec | 8 msec | 17 msec
DC1 ESP switchover | DC1 --> DC2 | 5 msec | 5 msec | 1 msec | 1 msec | 5 msec
DC1 both ESPs reload at same time | DC1 --> DC2 | 4 | 4 | 211 msec | 227 msec | 11
DC2 both ESPs reload at same time | DC2 --> DC1 | 1 | 2 | 283 msec | 294 msec | 107
DC1 MIP reload | DC1 --> DC2 | 0.6 | 2 | 0.3 | 0.7 | 2
DC2 MIP reload | DC2 --> DC1 | 2 | 8 | 2 | 2 | 2
Note that convergence times are noted with the following in place:
● BFD enabled on all Nexus 9000 and ASR 1000 devices
● Multihop BFD between the ASR 1000 transit router and the ASR 1000 PE
● Equal-cost multipathing (ECMP) on all devices (Nexus 9000 and ASR 1000) for both underlay SR Node
SIDs and overlay EVPN campus and data center prefixes
Refer to the appendix for the show commands.
7. Throughput data
Table 10. ASR1006X PE
Throughput and memory:
ASR 1K PE | Packet Size | Throughput (in Gbps) | Throughput (in frames/second) | RP Memory (Active) | RP Memory (Standby) | IOS Memory (Active) | IOS Memory (Standby) | ESP Memory (Active) | ESP Memory (Standby) | QFP Memory (Active) | QFP Memory (Standby) | MIP Memory
ASR1006X (RP3/ESP100) | 1400 | 17.4 | 15531862 | 3607 MB (11%) | 3457 MB (45%) | 793 Mb | 557 Mb | 1112 MB (6%) | 1109 MB (6%) | 349452 KB (8%) | 324448 KB (7%) | 557 MB (28%)
ASR1006X (RP3/ESP100) | 1024 | 16.4 | 1959246 | 3608 MB (11%) | 3457 MB (45%) | 793 Mb | 557 Mb | 1112 MB (6%) | 1109 MB (6%) | 349452 KB (8%) | 324448 KB (7%) | 557 MB (28%)
ASR1006X (RP3/ESP100) | 512 | 13.4 | 3140702 | 3609 MB (11%) | 3459 MB (45%) | 793 Mb | 557 Mb | 1113 MB (6%) | 1109 MB (6%) | 349452 KB (8%) | 324448 KB (7%) | 557 MB (28%)
ASR1006X (RP3/ESP100) | 128 | 5.2 | 4370628 | 3609 MB (11%) | 3459 MB (45%) | 793 Mb | 557 Mb | 1113 MB (6%) | 1109 MB (6%) | 349452 KB (8%) | 324448 KB (7%) | 557 MB (28%)
ASR1006X (RP3/ESP100) | 82 | 3.4 | 4166666 | 3609 MB (11%) | 3459 MB (45%) | 793 Mb | 557 Mb | 1113 MB (6%) | 1109 MB (6%) | 349452 KB (8%) | 324448 KB (7%) | 557 MB (28%)
ASR1006X (RP3/ESP100) | IMIX (64-7, 594-4, 1518-1) | 7.8 | 2240142 | 3609 MB (11%) | 3459 MB (45%) | 793 Mb | 557 Mb | 1113 MB (6%) | 1109 MB (6%) | 349452 KB (8%) | 324448 KB (7%) | 557 MB (28%)

CPU:
ASR 1K PE | Packet Size | RP CPU (Active) | RP CPU (Standby) | IOS CPU (Active) | IOS CPU (Standby) | FP CPU (Active) | FP CPU (Standby) | QFP CPU (Active) | QFP CPU (Standby) | MIP CPU
ASR1006X (RP3/ESP100) | 1400 | 1.00% | 1% | 1% | 0% | 2% | 2% | 98% | 0% | 8%
ASR1006X (RP3/ESP100) | 1024 | 1.00% | 1% | 1% | 0% | 2% | 2% | 98% | 0% | 8%
ASR1006X (RP3/ESP100) | 512 | 1% | 1% | 1% | 0% | 1% | 1% | 99% | 0% | 7%
ASR1006X (RP3/ESP100) | 128 | 1% | 1% | 1% | 0% | 1% | 1% | 99% | 0% | 8%
ASR1006X (RP3/ESP100) | 82 | 1% | 1% | 1% | 0% | 1% | 1% | 99% | 0% | 8%
ASR1006X (RP3/ESP100) | IMIX (64-7, 594-4, 1518-1) | 1% | 1% | 1% | 0% | 1% | 1% | 99% | 0% | 8%
Table 11. ASR1001-HX Transit router
Transit Router | Packet Size | Throughput (in Gbps) | Throughput (in frames/second) | RP Memory | IOS Memory | QFP Memory | RP CPU | QFP CPU | IOS CPU
ASR1001-HX | 1400 | 17.4 | 15531862 | 2748MB (34%) | 494MB | 215990KB (10%) | 2% | 98% | 1%
ASR1001-HX | 1024 | 16.4 | 1959246 | 2746MB (34%) | 494MB | 215990KB (10%) | 2% | 99% | 1%
ASR1001-HX | 512 | 13.4 | 3140702 | 2749MB (34%) | 494MB | 215990KB (10%) | 2% | 99% | 1%
ASR1001-HX | 128 | 5.2 | 4370628 | 2749MB (34%) | 494MB | 215990KB (10%) | 2% | 99% | 1%
ASR1001-HX | 82 | 3.4 | 4166666 | 2749MB (34%) | 494MB | 215990KB (10%) | 2% | 99% | 1%
ASR1001-HX | IMIX (64-7, 594-4, 1518-1) | 7.8 | 2240142 | 2749MB (34%) | 494MB | 215990KB (10%) | 2% | 99% | 1%
8. Appendix
Disclaimer
Following are some sample configuration snippets to give readers a general idea about the configuration used in
some of the use-cases. They would require further customization for actual deployments. For detailed configuration
options and best practices, refer to documentation on cisco.com.
a. Configuration on ASR1K PE1:
vrf definition CU1_101
rd 1:101
!
address-family ipv4
route-target export 1:101
route-target import 1:101
route-target export 1:101 stitching
route-target import 1:101 stitching
exit-address-family
!
address-family ipv6
route-target export 1:101
route-target import 1:101
route-target export 1:101 stitching
route-target import 1:101 stitching
exit-address-family
!
segment-routing mpls
global-block 16000 25000
!
connected-prefix-sid-map
address-family ipv4
1.1.1.1/32 index 5001 range 1
exit-address-family
!
!
interface TenGigabitEthernet0/0/6
description "Connected to CE2"
no ip address
bfd interval 50 min_rx 50 multiplier 5
!
interface TenGigabitEthernet0/0/6.101
encapsulation dot1Q 100
vrf forwarding CU1_101
ip address 13.1.1.1 255.255.255.0
ipv6 address 2001:13:1:1::1/64
bfd interval 50 min_rx 50 multiplier 5
!
interface TenGigabitEthernet0/0/7
description "Connected to TR1"
ip address 11.1.1.2 255.255.255.0
ip mtu 1468
bfd interval 50 min_rx 50 multiplier 5
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 11.1.1.1
crypto isakmp keepalive 100
crypto ipsec security-association lifetime kilobytes disable
crypto ipsec security-association replay window-size 1024
!
!
crypto ipsec transform-set my_set esp-aes esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile profile1
set security-association lifetime kilobytes disable
set security-association lifetime days 1
set transform-set my_set
!
bfd map ipv4 192.168.1.0/24 192.168.1.2/32 BFD
bfd-template multi-hop BFD
interval min-tx 50 min-rx 50 multiplier 3
!
interface Tunnel1
ip address 192.168.1.2 255.255.255.0
mpls bgp forwarding
tunnel source 11.1.1.2
tunnel destination 11.1.1.1
tunnel protection ipsec profile profile1
!
route-map NH_UNCHG permit 10
set ip next-hop 1.1.1.1
set ipv6 next-hop ::FFFF:1.1.1.1
!
router bgp 5001
bgp router-id interface Loopback0
bgp log-neighbor-changes
bgp graceful-restart
no bgp default route-target filter
neighbor 192.168.1.1 remote-as 4001
neighbor 192.168.1.1 fall-over bfd
!
address-family ipv4
network 1.1.1.1 mask 255.255.255.255
segment-routing mpls
neighbor 192.168.1.1 activate
neighbor 192.168.1.1 send-community both
neighbor 192.168.1.1 send-label
maximum-paths 4
exit-address-family
!
address-family l2vpn evpn
neighbor 192.168.1.1 activate
neighbor 192.168.1.1 send-community both
neighbor 192.168.1.1 route-map NH_UNCHG out
neighbor 192.168.1.1 encap mpls
maximum-paths 4
exit-address-family
!
address-family ipv4 vrf CU1_101
advertise l2vpn evpn
bgp additional-paths install
neighbor 13.1.1.2 remote-as 201
neighbor 13.1.1.2 fall-over bfd
neighbor 13.1.1.2 activate
maximum-paths 4
exit-address-family
!
address-family ipv6 vrf CU1_101
advertise l2vpn evpn
bgp additional-paths install
neighbor 2001:13:1:1::2 remote-as 201
neighbor 2001:13:1:1::2 fall-over bfd
neighbor 2001:13:1:1::2 activate
maximum-paths 4
exit-address-family
!
b. Configuration on ASR1K TR1:
segment-routing mpls
global-block 16000 25000
!
connected-prefix-sid-map
address-family ipv4
3.3.3.3/32 index 4001 range 1
exit-address-family
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 11.1.1.2
crypto isakmp keepalive 100
crypto ipsec security-association lifetime kilobytes disable
crypto ipsec security-association replay window-size 1024
!
!
crypto ipsec transform-set my_set esp-aes esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile profile1
set security-association lifetime kilobytes disable
set security-association lifetime days 1
set transform-set my_set
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface TenGigabitEthernet0/1/3
description "Connected to Spine1"
ip address 16.1.1.1 255.255.255.0
mpls bgp forwarding
bfd interval 50 min_rx 50 multiplier 5
!
interface TenGigabitEthernet0/1/5
description "Connected to Spine2"
ip address 27.1.1.1 255.255.255.0
mpls bgp forwarding
bfd interval 50 min_rx 50 multiplier 5
!
interface TenGigabitEthernet0/1/7
description "Connected to DC1"
ip address 11.1.1.1 255.255.255.0
ip mtu 1468
bfd interval 50 min_rx 50 multiplier 5
!
bfd map ipv4 192.168.1.0/24 192.168.1.1/32 BFD
bfd-template multi-hop BFD
interval min-tx 50 min-rx 50 multiplier 3
!
interface Tunnel1
ip address 192.168.1.1 255.255.255.0
mpls bgp forwarding
tunnel source 11.1.1.1
tunnel destination 11.1.1.2
tunnel protection ipsec profile profile1
!
route-map NH_UNCHG permit 10
set ip next-hop unchanged
!
router bgp 4001
bgp router-id interface Loopback0
bgp log-neighbor-changes
no bgp default route-target filter
neighbor 16.1.1.2 remote-as 2101
neighbor 16.1.1.2 disable-connected-check
neighbor 16.1.1.2 fall-over bfd
neighbor 27.1.1.2 remote-as 2201
neighbor 27.1.1.2 disable-connected-check
neighbor 27.1.1.2 fall-over bfd
neighbor 33.1.1.2 remote-as 2000
neighbor 33.1.1.2 disable-connected-check
neighbor 33.1.1.2 fall-over bfd
neighbor 192.168.1.2 remote-as 5001
neighbor 192.168.1.2 ebgp-multihop 2
neighbor 192.168.1.2 fall-over bfd multi-hop
!
address-family ipv4
bgp additional-paths install
network 3.3.3.3
network 3.3.3.3 mask 255.255.255.255
segment-routing mpls
neighbor 16.1.1.2 activate
neighbor 16.1.1.2 send-community both
neighbor 16.1.1.2 send-label
neighbor 27.1.1.2 activate
neighbor 27.1.1.2 send-community both
neighbor 27.1.1.2 send-label
neighbor 33.1.1.2 activate
neighbor 33.1.1.2 send-community both
neighbor 33.1.1.2 send-label
neighbor 192.168.1.2 activate
neighbor 192.168.1.2 send-community both
neighbor 192.168.1.2 send-label
maximum-paths 4
exit-address-family
!
address-family l2vpn evpn
neighbor 16.1.1.2 activate
neighbor 16.1.1.2 send-community both
neighbor 16.1.1.2 route-map NH_UNCHG out
neighbor 27.1.1.2 activate
neighbor 27.1.1.2 send-community both
neighbor 27.1.1.2 route-map NH_UNCHG out
neighbor 33.1.1.2 activate
neighbor 33.1.1.2 send-community both
neighbor 33.1.1.2 route-map NH_UNCHG out
neighbor 192.168.1.2 activate
neighbor 192.168.1.2 send-community both
neighbor 192.168.1.2 route-map NH_UNCHG out
maximum-paths 4
exit-address-family
!
c. Configuration on ASR 1000 PE 2
vrf definition CU1_101
rd 2:101
!
address-family ipv4
route-target export 1:101
route-target import 1:101
route-target export 1:101 stitching
route-target import 1:101 stitching
exit-address-family
!
address-family ipv6
route-target export 1:101
route-target import 1:101
route-target export 1:101 stitching
route-target import 1:101 stitching
exit-address-family
!
segment-routing mpls
global-block 16000 25000
!
connected-prefix-sid-map
address-family ipv4
2.2.2.2/32 index 5002 range 1
exit-address-family
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 12.1.1.1
crypto isakmp keepalive 100
crypto ipsec security-association lifetime kilobytes disable
crypto ipsec security-association replay window-size 1024
!
!
crypto ipsec transform-set my_set esp-aes esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile profile1
set security-association lifetime kilobytes disable
set security-association lifetime days 1
set transform-set my_set
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface TenGigabitEthernet0/0/6
description "Connected to CE1"
no ip address
bfd interval 50 min_rx 50 multiplier 5
!
interface TenGigabitEthernet0/0/6.101
encapsulation dot1Q 100
vrf forwarding CU1_101
ip address 14.1.1.1 255.255.255.0
ipv6 address 2001:14:1:1::1/64
bfd interval 50 min_rx 50 multiplier 5
!
interface TenGigabitEthernet0/0/7
description "Connected to TR2"
ip address 12.1.1.2 255.255.255.0
bfd interval 50 min_rx 50 multiplier 5
!
bfd map ipv4 192.168.2.0/24 192.168.2.2/32 BFD
bfd-template multi-hop BFD
interval min-tx 50 min-rx 50 multiplier 3
!
interface Tunnel1
ip address 192.168.2.2 255.255.255.0
mpls bgp forwarding
tunnel source 12.1.1.2
tunnel destination 12.1.1.1
tunnel protection ipsec profile profile1
!
route-map NH_UNCHG permit 10
set ip next-hop 2.2.2.2
set ipv6 next-hop ::FFFF:2.2.2.2
!
router bgp 5002
bgp router-id interface Loopback0
bgp log-neighbor-changes
bgp graceful-restart
no bgp default route-target filter
neighbor 192.168.2.1 remote-as 4002
neighbor 192.168.2.1 ebgp-multihop 2
neighbor 192.168.2.1 update-source Tunnel1
neighbor 192.168.2.1 fall-over bfd multi-hop
!
address-family ipv4
network 2.2.2.2 mask 255.255.255.255
segment-routing mpls
neighbor 192.168.2.1 activate
neighbor 192.168.2.1 send-community both
neighbor 192.168.2.1 send-label
maximum-paths 4
exit-address-family
!
address-family l2vpn evpn
neighbor 192.168.2.1 activate
neighbor 192.168.2.1 send-community both
neighbor 192.168.2.1 route-map NH_UNCHG out
neighbor 192.168.2.1 encap mpls
maximum-paths 4
exit-address-family
!
address-family ipv4 vrf CU1_101
advertise l2vpn evpn
bgp additional-paths install
neighbor 14.1.1.2 remote-as 201
neighbor 14.1.1.2 fall-over bfd
neighbor 14.1.1.2 activate
maximum-paths 4
exit-address-family
!
address-family ipv6 vrf CU1_101
advertise l2vpn evpn
bgp additional-paths install
neighbor 2001:14:1:1::2 remote-as 201
neighbor 2001:14:1:1::2 fall-over bfd
neighbor 2001:14:1:1::2 activate
maximum-paths 4
exit-address-family
!
d. Configuration on ASR1K TR 2:
segment-routing mpls
global-block 16000 25000
!
connected-prefix-sid-map
address-family ipv4
4.4.4.4/32 index 4002 range 1
exit-address-family
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 12.1.1.2
crypto isakmp keepalive 100
crypto ipsec security-association lifetime kilobytes disable
crypto ipsec security-association replay window-size 1024
!
!
crypto ipsec transform-set my_set esp-aes esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile profile1
set security-association lifetime kilobytes disable
set security-association lifetime days 1
set transform-set my_set
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface TenGigabitEthernet0/1/2
description "Connected to Spine2"
ip address 17.1.1.1 255.255.255.0
mpls bgp forwarding
bfd interval 50 min_rx 50 multiplier 5
!
interface TenGigabitEthernet0/1/5
description "Connected to Spine1"
ip address 26.1.1.1 255.255.255.0
mpls bgp forwarding
bfd interval 50 min_rx 50 multiplier 5
!
interface TenGigabitEthernet0/1/7
description "Connected to DC2"
ip address 12.1.1.1 255.255.255.0
bfd interval 50 min_rx 50 multiplier 5
!
bfd map ipv4 192.168.2.0/24 192.168.2.1/32 BFD
bfd-template multi-hop BFD
interval min-tx 50 min-rx 50 multiplier 3
!
interface Tunnel1
ip address 192.168.2.1 255.255.255.0
mpls bgp forwarding
tunnel source 12.1.1.1
tunnel destination 12.1.1.2
tunnel protection ipsec profile profile1
!
route-map NH_UNCHG permit 10
set ip next-hop unchanged
!
router bgp 4002
bgp router-id interface Loopback0
bgp log-neighbor-changes
no bgp default route-target filter
neighbor 17.1.1.2 remote-as 2201
neighbor 17.1.1.2 disable-connected-check
neighbor 17.1.1.2 fall-over bfd
neighbor 26.1.1.2 remote-as 2101
neighbor 26.1.1.2 disable-connected-check
neighbor 26.1.1.2 fall-over bfd
neighbor 34.1.1.2 remote-as 2000
neighbor 34.1.1.2 disable-connected-check
neighbor 34.1.1.2 fall-over bfd
neighbor 192.168.2.2 remote-as 5002
neighbor 192.168.2.2 ebgp-multihop 2
neighbor 192.168.2.2 fall-over bfd multi-hop
!
address-family ipv4
bgp additional-paths install
network 4.4.4.4
network 4.4.4.4 mask 255.255.255.255
segment-routing mpls
neighbor 17.1.1.2 activate
neighbor 17.1.1.2 send-community both
neighbor 17.1.1.2 send-label
neighbor 26.1.1.2 activate
neighbor 26.1.1.2 send-community both
neighbor 26.1.1.2 send-label
neighbor 34.1.1.2 activate
neighbor 34.1.1.2 send-community both
neighbor 34.1.1.2 send-label
neighbor 192.168.2.2 activate
neighbor 192.168.2.2 send-community both
neighbor 192.168.2.2 send-label
maximum-paths 4
exit-address-family
!
address-family l2vpn evpn
neighbor 17.1.1.2 activate
neighbor 17.1.1.2 send-community both
neighbor 17.1.1.2 route-map NH_UNCHG out
neighbor 17.1.1.2 encap mpls
neighbor 26.1.1.2 activate
neighbor 26.1.1.2 send-community both
neighbor 26.1.1.2 route-map NH_UNCHG out
neighbor 26.1.1.2 encap mpls
neighbor 34.1.1.2 activate
neighbor 34.1.1.2 send-community both
neighbor 34.1.1.2 route-map NH_UNCHG out
neighbor 34.1.1.2 encap mpls
neighbor 192.168.2.2 activate
neighbor 192.168.2.2 send-community both
neighbor 192.168.2.2 route-map NH_UNCHG out
maximum-paths 4
exit-address-family
!
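An added example, not part of the Cisco profile: a short Python audit that reads the IPsec/ISAKMP stanza used in the PE 2 and TR 2 listings above and reports the settings a hardening review would question. The rule names, the `MIN_PSK_LEN` threshold and the baseline choices (SHA-2 HMAC preferred, explicit AES key size, type-6 key storage) are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the crypto stanza from the PE 2 listing, flattened the
# way the transcript shows it (IOS indentation lost).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 12.1.1.1
crypto isakmp keepalive 100
crypto ipsec security-association lifetime kilobytes disable
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set my_set esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile profile1
set security-association lifetime kilobytes disable
set security-association lifetime days 1
set transform-set my_set
!
"""

MIN_PSK_LEN = 20  # assumption: local policy threshold, not a Cisco default


def stanzas(text):
    """Yield (header, [sub-commands]) for each 'crypto ...' stanza.

    A stanza ends at '!' or at the next 'crypto ' line, so this works on
    indented device output and on the flattened listing above. It expects
    '!' separators between crypto and non-crypto sections.
    """
    header, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("crypto ") or line == "!":
            if header:
                yield header, body
            header, body = (None if line == "!" else line), []
        elif header and line:
            body.append(line)
    if header:
        yield header, body


def audit(text):
    """Return a list of (rule_id, detail) findings; key material is never echoed."""
    findings = []
    for header, body in stanzas(text):
        m = re.match(r"crypto isakmp policy (\d+)$", header)
        if m:
            present = {b.split()[0] for b in body}
            for kw in ("encryption", "hash", "group"):
                if kw not in present:
                    findings.append(("IKE-DEFAULT",
                                     f"policy {m.group(1)}: '{kw}' not set, platform default applies"))
            continue
        m = re.match(r"crypto isakmp key (?:(0|6) )?(\S+) address (\S+)", header)
        if m:
            enc_type, key, peer = m.groups()
            if enc_type != "6":  # no type-6 marker: key is readable in the config
                findings.append(("PSK-CLEARTEXT", f"peer {peer}: key readable in config"))
                if len(key) < MIN_PSK_LEN:
                    findings.append(("PSK-SHORT", f"peer {peer}: {len(key)} characters"))
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", header)
        if m:
            name, t = m.group(1), m.group(2).split()
            if "esp-sha-hmac" in t:
                findings.append(("ESP-HMAC-SHA1", f"{name}: integrity is HMAC-SHA-1"))
            if "esp-aes" in t:
                i = t.index("esp-aes")
                nxt = t[i + 1:i + 2]
                if not (nxt and nxt[0].isdigit()):
                    findings.append(("ESP-AES-IMPLICIT", f"{name}: no key size, 128-bit is used"))
            continue
        # Volume-based rekey can be switched off globally or per IPsec profile.
        scope = [header] + body
        if any(l.endswith("security-association lifetime kilobytes disable") for l in scope):
            findings.append(("VOLUME-REKEY-OFF", header))
    return findings


def rule_counts(text):
    """Number of findings per rule id."""
    return dict(Counter(rule for rule, _ in audit(text)))


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_CONFIG):
        print(f"{rule:18} {detail}")
```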
e. Configuration on ASR1K CE in the DC:
vrf definition CU1_101
rd 1:101
!
address-family ipv4
route-target export 1:101
route-target import 1:101
exit-address-family
!
address-family ipv6
route-target export 1:101
route-target import 1:101
exit-address-family
!
interface Loopback0
ip address 10.10.10.10 255.255.255.255
!
interface TenGigabitEthernet0/1/2
description "Connected to DC1"
no ip address
!
interface TenGigabitEthernet0/1/2.101
encapsulation dot1Q 100
vrf forwarding CU1_101
ip address 13.1.1.2 255.255.255.0
ipv6 address 2001:13:1:1::2/64
bfd interval 50 min_rx 50 multiplier 5
!
interface TenGigabitEthernet0/1/3
description "Connected to DC2"
no ip address
!
interface TenGigabitEthernet0/1/3.101
encapsulation dot1Q 100
vrf forwarding CU1_101
ip address 14.1.1.2 255.255.255.0
ipv6 address 2001:14:1:1::2/64
bfd interval 50 min_rx 50 multiplier 5
!
interface TenGigabitEthernet0/1/4
description "Connected to TGEN"
no ip address
!
interface TenGigabitEthernet0/1/4.101
encapsulation dot1Q 100
vrf forwarding CU1_101
ip address 15.1.1.1 255.255.255.0
ipv6 address 2001:15:1:1::1/64
bfd interval 50 min_rx 50 multiplier 5
!
router bgp 201
bgp router-id 10.10.10.10
bgp log-neighbor-changes
!
address-family ipv4 vrf CU1_101
bgp additional-paths install
redistribute connected
neighbor 13.1.1.1 remote-as 5001
neighbor 13.1.1.1 fall-over bfd
neighbor 13.1.1.1 activate
neighbor 13.1.1.1 route-map CE2_DC1 out
neighbor 14.1.1.1 remote-as 5002
neighbor 14.1.1.1 fall-over bfd
neighbor 14.1.1.1 activate
neighbor 14.1.1.1 route-map CE2_DC2 out
maximum-paths 4
exit-address-family
!
address-family ipv6 vrf CU1_101
redistribute connected
neighbor 2001:13:1:1::1 remote-as 5001
neighbor 2001:13:1:1::1 fall-over bfd
neighbor 2001:13:1:1::1 activate
neighbor 2001:14:1:1::1 remote-as 5002
neighbor 2001:14:1:1::1 fall-over bfd
neighbor 2001:14:1:1::1 activate
maximum-paths 4
exit-address-family
!
f. Configuration on N9K Leaf 1:
segment-routing mpls
global-block 16000 25000
connected-prefix-sid-map
address-family ipv4
7.7.7.7/32 index 3101
route-map SET_NH permit 10
set ip next-hop 7.7.7.7
ip prefix-list cu1_101 seq 10 permit 23.1.1.0/24
ipv6 prefix-list cu1_101_v6 seq 10 permit 2001:23:1:1::/64
route-map cu1_101 permit 10
match ip address prefix-list cu1_101
route-map cu1_101_v6 permit 10
match ipv6 address prefix-list cu1_101_v6
route-map label-index-Leaf-1 permit 10
set label-index 3101
vrf context CU1_101
rd auto
address-family ipv4 unicast
route-target import 1:101
route-target import 1:101 evpn
route-target export 1:101
route-target export 1:101 evpn
address-family ipv6 unicast
route-target import 1:101
route-target import 1:101 evpn
route-target export 1:101
route-target export 1:101 evpn
interface Ethernet1/20
description "Connected to Spine1"
no switchport
bfd interval 50 min_rx 50 multiplier 5
ip address 18.1.1.1/24
ipv6 address 2001:18:1:1::1/64
mpls ip forwarding
no shutdown
interface Ethernet1/28
description "Connected to Spine2"
no switchport
bfd interval 50 min_rx 50 multiplier 5
ip address 21.1.1.1/24
ipv6 address 2001:21:1:1::1/64
mpls ip forwarding
no shutdown
interface Ethernet1/24
description "Connected to Switch/TGEN"
no switchport
no shutdown
interface Ethernet1/24.101
encapsulation dot1q 100
vrf member CU1_101
bfd interval 50 min_rx 50 multiplier 5
ip address 23.1.1.1/24
ipv6 address 2001:23:1:1::1/64
no shutdown
hsrp version 2
hsrp 100
ip 23.1.1.100
track 100 decrement 20
hsrp 100 ipv6
ip 2001:23:1:1::100
track 100 decrement 20
interface loopback0
ip address 7.7.7.7/32
interface loopback101
vrf member CU1_101
ip address 31.1.1.1/32
router bgp 3101
router-id 7.7.7.7
address-family ipv4 unicast
network 7.7.7.7/32
allocate-label all
maximum-paths 4
address-family ipv6 unicast
address-family ipv4 labeled-unicast
address-family l2vpn evpn
maximum-paths 4
template peer CU1_IPv4
address-family ipv4 unicast
as-override
send-community
soft-reconfiguration inbound always
template peer CU1_IPv6
address-family ipv6 unicast
as-override
send-community
soft-reconfiguration inbound always
template peer EVPN-LU_AS-2101
remote-as 2101
address-family ipv4 labeled-unicast
send-community extended
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map SET_NH out
encapsulation mpls
template peer EVPN-LU_AS-2201
bfd
remote-as 2201
address-family ipv4 labeled-unicast
send-community extended
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map SET_NH out
encapsulation mpls
template peer EVPN-LU_AS-3101
bfd
remote-as 3101
address-family ipv4 labeled-unicast
send-community extended
next-hop-self
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map SET_NH out
encapsulation mpls
neighbor 18.1.1.2
inherit peer EVPN-LU_AS-2101
neighbor 21.1.1.2
inherit peer EVPN-LU_AS-2201
vrf CU1_101
router-id 31.1.1.1
bestpath as-path multipath-relax
address-family ipv4 unicast
advertise l2vpn evpn
redistribute direct route-map cu1_101
maximum-paths 4
address-family ipv6 unicast
advertise l2vpn evpn
redistribute direct route-map cu1_101_v6
maximum-paths 4
g. Configuration on N9K spine 1
segment-routing mpls
global-block 16000 25000
connected-prefix-sid-map
address-family ipv4
5.5.5.5/32 index 2101
route-map NH_UNCHG permit 10
set ip next-hop unchanged
route-map label-index-Spine-1 permit 10
set label-index 2101
interface Ethernet1/20
description "Connected to Leaf1"
no switchport
bfd interval 50 min_rx 50 multiplier 5
ip address 18.1.1.2/24
ipv6 address 2001:18:1:1::2/64
mpls ip forwarding
no shutdown
interface Ethernet1/22
description "Connected to Leaf2"
no switchport
bfd interval 50 min_rx 50 multiplier 5
ip address 20.1.1.2/24
ipv6 address 2001:20:1:1::2/64
mpls ip forwarding
no shutdown
interface Ethernet1/26
description "Connected to Spine1"
no switchport
bfd interval 50 min_rx 50 multiplier 5
ip address 16.1.1.2/24
mpls ip forwarding
no shutdown
interface Ethernet1/28
description "Connected to Spine2"
no switchport
bfd interval 50 min_rx 50 multiplier 5
ip address 26.1.1.2/24
mpls ip forwarding
no shutdown
interface loopback0
ip address 5.5.5.5/32
router bgp 2101
router-id 5.5.5.5
address-family ipv4 unicast
network 5.5.5.5/32
allocate-label all
maximum-paths 4
address-family ipv6 unicast
address-family ipv4 labeled-unicast
address-family l2vpn evpn
retain route-target all
maximum-paths 4
template peer EVPN-LU_AS-3101
bfd
remote-as 3101
disable-connected-check
address-family ipv4 labeled-unicast
send-community
send-community extended
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map NH_UNCHG out
encapsulation mpls
template peer EVPN-LU_AS-3201
bfd
remote-as 3201
disable-connected-check
address-family ipv4 labeled-unicast
send-community extended
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map NH_UNCHG out
encapsulation mpls
template peer EVPN-LU_TR1_AS-4001
bfd
remote-as 4001
disable-connected-check
address-family ipv4 labeled-unicast
send-community
send-community extended
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map NH_UNCHG out
encapsulation mpls
template peer EVPN-LU_TR2_AS-4002
bfd
remote-as 4002
disable-connected-check
address-family ipv4 labeled-unicast
send-community extended
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map NH_UNCHG out
encapsulation mpls
neighbor 16.1.1.1
inherit peer EVPN-LU_TR1_AS-4001
description TR-1_E1/26
neighbor 18.1.1.1
inherit peer EVPN-LU_AS-3101
description Leaf-1_E1/20
neighbor 20.1.1.1
inherit peer EVPN-LU_AS-3101
description Leaf-2_E1/22
neighbor 26.1.1.1
inherit peer EVPN-LU_TR2_AS-4002
description TR-2_E1/28
h. Configuration on N9K leaf 2
segment-routing mpls
global-block 16000 25000
connected-prefix-sid-map
address-family ipv4
8.8.8.8/32 index 3201
ip prefix-list cu1_101 seq 10 permit 23.1.1.0/24
ipv6 prefix-list cu1_101_v6 seq 10 permit 2001:23:1:1::/64
route-map SET_NH permit 10
set ip next-hop 8.8.8.8
route-map cu1_101 permit 10
match ip address prefix-list cu1_101
route-map cu1_101_v6 permit 10
match ipv6 address prefix-list cu1_101_v6
route-map label-index-Leaf-2 permit 10
set label-index 3201
vrf context CU1_101
rd auto
address-family ipv4 unicast
route-target import 1:101
route-target import 1:101 evpn
route-target export 1:101
route-target export 1:101 evpn
address-family ipv6 unicast
route-target import 1:101
route-target import 1:101 evpn
route-target export 1:101
route-target export 1:101 evpn
interface Ethernet1/22
description "Connected to Spine1"
no switchport
bfd interval 50 min_rx 50 multiplier 5
ip address 20.1.1.1/24
ipv6 address 2001:20:1:1::1/64
mpls ip forwarding
no shutdown
interface Ethernet1/26
description "Connected to Spine2"
no switchport
bfd interval 50 min_rx 50 multiplier 5
ip address 19.1.1.1/24
ipv6 address 2001:19:1:1::1/64
mpls ip forwarding
no shutdown
interface Ethernet1/24
description "Connected to TGEN/Switch"
no switchport
bfd interval 50 min_rx 50 multiplier 5
ip address 26.1.1.2/24
no shutdown
interface Ethernet1/24.101
encapsulation dot1q 100
vrf member CU1_101
bfd interval 50 min_rx 50 multiplier 5
ip address 23.1.1.2/24
ipv6 address 2001:23:1:1::2/64
no shutdown
hsrp version 2
hsrp 100
priority 200
ip 23.1.1.100
track 100 decrement 20
hsrp 100 ipv6
priority 200
ip 2001:23:1:1::100
track 100 decrement 20
interface loopback0
ip address 8.8.8.8/32
interface loopback101
vrf member CU1_101
ip address 32.1.1.1/32
router bgp 3101
router-id 8.8.8.8
address-family ipv4 unicast
network 8.8.8.8/32
allocate-label all
maximum-paths 4
address-family ipv6 unicast
address-family ipv4 labeled-unicast
address-family l2vpn evpn
maximum-paths 4
template peer CU1_IPv4
bfd
address-family ipv4 unicast
as-override
send-community
soft-reconfiguration inbound always
template peer CU1_IPv6
bfd
address-family ipv6 unicast
as-override
send-community
soft-reconfiguration inbound always
template peer EVPN-LU_AS-2101
bfd
remote-as 2101
address-family ipv4 labeled-unicast
send-community extended
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map SET_NH out
encapsulation mpls
template peer EVPN-LU_AS-2201
bfd
remote-as 2201
address-family ipv4 labeled-unicast
send-community extended
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map SET_NH out
encapsulation mpls
template peer EVPN-LU_AS-3101
bfd
remote-as 3101
address-family ipv4 labeled-unicast
send-community extended
next-hop-self
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map SET_NH out
encapsulation mpls
neighbor 19.1.1.2
inherit peer EVPN-LU_AS-2201
neighbor 20.1.1.2
inherit peer EVPN-LU_AS-2101
vrf CU1_101
router-id 32.1.1.1
bestpath as-path multipath-relax
address-family ipv4 unicast
advertise l2vpn evpn
redistribute direct route-map cu1_101
maximum-paths 4
address-family ipv6 unicast
advertise l2vpn evpn
redistribute direct route-map cu1_101_v6
maximum-paths 4
i. Configuration on N9K spine 2
segment-routing mpls
global-block 16000 25000
connected-prefix-sid-map
address-family ipv4
6.6.6.6/32 index 2201
route-map NH_UNCHG permit 10
set ip next-hop unchanged
route-map label-index-Spine-2 permit 10
set label-index 2201
interface Ethernet1/26
description "Connected to Leaf2"
no switchport
bfd interval 50 min_rx 50 multiplier 5
ip address 19.1.1.2/24
ipv6 address 2001:19:1:1::2/64
mpls ip forwarding
no shutdown
interface Ethernet1/28
description "Connected to Leaf1"
no switchport
bfd interval 50 min_rx 50 multiplier 5
ip address 21.1.1.2/24
ipv6 address 2001:21:1:1::2/64
mpls ip forwarding
no shutdown
interface Ethernet1/30
description "Connected to ASR1K TR2"
no switchport
bfd interval 50 min_rx 50 multiplier 5
ip address 17.1.1.2/24
mpls ip forwarding
no shutdown
interface Ethernet1/32
description "Connected to ASR1K TR1"
no switchport
bfd interval 50 min_rx 50 multiplier 5
ip address 27.1.1.2/24
mpls ip forwarding
no shutdown
router bgp 2201
router-id 6.6.6.6
address-family ipv4 unicast
network 6.6.6.6/32
allocate-label all
maximum-paths 4
address-family ipv6 unicast
address-family ipv4 labeled-unicast
address-family l2vpn evpn
retain route-target all
maximum-paths 4
template peer EVPN-LU_AS-3101
bfd
remote-as 3101
ebgp-multihop 2
address-family ipv4 labeled-unicast
send-community
send-community extended
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map NH_UNCHG out
encapsulation mpls
template peer EVPN-LU_AS-3201
bfd
remote-as 3201
disable-connected-check
address-family ipv4 labeled-unicast
send-community extended
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map NH_UNCHG out
encapsulation mpls
template peer EVPN-LU_TR1_AS-4001
bfd
remote-as 4001
disable-connected-check
address-family ipv4 labeled-unicast
send-community
send-community extended
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map NH_UNCHG out
encapsulation mpls
template peer EVPN-LU_TR2_AS-4002
bfd
remote-as 4002
disable-connected-check
address-family ipv4 labeled-unicast
send-community extended
soft-reconfiguration inbound always
address-family l2vpn evpn
send-community extended
route-map NH_UNCHG out
encapsulation mpls
neighbor 17.1.1.1
inherit peer EVPN-LU_TR2_AS-4002
description TR-2_E1/30
neighbor 19.1.1.1
inherit peer EVPN-LU_AS-3101
description Leaf-2_E1/26
neighbor 21.1.1.1
inherit peer EVPN-LU_AS-3101
description Leaf-1_E1/28
neighbor 27.1.1.1
inherit peer EVPN-LU_TR1_AS-4001
description TR-1_E1/32
j. NETCONF/YANG Remote Procedure Call (RPC) messages to configure the ASR 1000 PE
# 1 VRF and other basic configuration
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
<version>16.9</version>
<boot-start-marker/>
<boot>
<system>
<bootfile>
<filename-list>
<filename>harddisk:asr1000rpx86-universalk9. SSA.bin</filename>
</filename-list>
</bootfile>
</system>
</boot>
<hostname>DC1_RP3</hostname>
<enable>
<password>
<secret>lab</secret>
</password>
</enable>
<vrf>
<definition>
<name>CU1_101</name>
<rd>1:101</rd>
<address-family>
<ipv4>
<route-target>
<export>
<asn-ip>1:101</asn-ip>
<stitching/>
</export>
<import>
<asn-ip>1:101</asn-ip>
<stitching/>
</import>
</route-target>
</ipv4>
<ipv6>
<route-target>
<export>
<asn-ip>1:101</asn-ip>
<stitching/>
</export>
<import>
<asn-ip>1:101</asn-ip>
<stitching/>
</import>
</route-target>
</ipv6>
</address-family>
</definition>
</vrf>
<ip>
<admission>
<watch-list>
<expiry-time>0</expiry-time>
</watch-list>
</admission>
<forward-protocol>
<protocol>nd</protocol>
</forward-protocol>
<sla xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-sla">
<entry>
<number>1</number>
<udp-echo>
<dest-addr>11.1.1.2</dest-addr>
<dest-port>200</dest-port>
<source-ip>11.1.1.1</source-ip>
<source-port>2002</source-port>
</udp-echo>
</entry>
<schedule>
<entry-number>1</entry-number>
<life>forever</life>
<start-time>
<now/>
</start-time>
</schedule>
</sla>
</ip>
<ipv6>
<unicast-routing/>
</ipv6>
<redundancy>
<main-cpu>
<standby>
<console>
<enable/>
</console>
</standby>
</main-cpu>
<mode>sso</mode>
</redundancy>
</native>
</config>
</edit-config>
</rpc>
# 2 crypto and route-map configuration
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
<crypto>
<ipsec xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-crypto">
<profile>
<name>profile1</name>
<set>
<transform-set>my_set</transform-set>
<security-association>
<lifetime>
<kilobytes>disable</kilobytes>
</lifetime>
</security-association>
</set>
</profile>
<security-association>
<lifetime>
<kilobytes>disable</kilobytes>
</lifetime>
<replay>
<window-size>1024</window-size>
</replay>
</security-association>
<transform-set>
<tag>my_set</tag>
<esp>esp-aes</esp>
<esp-hmac>esp-sha-hmac</esp-hmac>
<mode>
<tunnel/>
</mode>
</transform-set>
</ipsec>
<isakmp xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-crypto">
<keepalive>
<number>100</number>
</keepalive>
<key>
<key-address>
<key>cisco123</key>
<addr4-container>
<address>11.1.1.1</address>
</addr4-container>
</key-address>
</key>
<policy>
<number>10</number>
<authentication>pre-share</authentication>
</policy>
</isakmp>
<pki xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-crypto">
<certificate>
<chain>
<name>TP-self-signed-3319783595</name>
<certificate>
<serial>01</serial>
<certtype>self-signed</certtype>
</certificate>
</chain>
</certificate>
<trustpoint>
<id>TP-self-signed-3319783595</id>
<enrollment>
<selfsigned/>
</enrollment>
<revocation-check>none</revocation-check>
<rsakeypair>
<key-label>TP-self-signed-3319783595</key-label>
</rsakeypair>
<subject-name>cn=IOS-Self-Signed-Certificate-3319783595</subject-name>
</trustpoint>
</pki>
</crypto>
<route-map>
<name>NH_UNCHG</name>
<route-map-without-order-seq xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-route-map">
<seq_no>10</seq_no>
<operation>permit</operation>
<set>
<ip>
<next-hop>
<address>1.1.1.1</address>
</next-hop>
</ip>
<ipv6>
<next-hop>
<nha-ipv6>
<nha-ipv6>::ffff:101:101</nha-ipv6>
</nha-ipv6>
</next-hop>
</ipv6>
</set>
</route-map-without-order-seq>
</route-map>
<route-map>
<name>label-PE1</name>
<route-map-without-order-seq xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-route-map">
<seq_no>10</seq_no>
<operation>permit</operation>
</route-map-without-order-seq>
</route-map>
<control-plane/>
</native>
</config>
</edit-config>
</rpc>
# 3 Interface configuration
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
<interface>
<TenGigabitEthernet>
<name>0/0/6</name>
<description>Connected to CE2</description>
<bfd>
<interval xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-bfd">
<msecs>50</msecs>
<min_rx>50</min_rx>
<multiplier>5</multiplier>
</interval>
</bfd>
<ip>
<no-address>
<address>false</address>
</no-address>
</ip>
<ipv6>
<address>
<prefix-list>
<prefix>2001:13:1:1::1/64</prefix>
</prefix-list>
</address>
</ipv6>
</TenGigabitEthernet>
<TenGigabitEthernet>
<name>0/0/6.1</name>
<encapsulation>
<dot1Q>
<vlan-id>2</vlan-id>
</dot1Q>
</encapsulation>
<bfd>
<interval xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-bfd">
<msecs>900</msecs>
<min_rx>900</min_rx>
<multiplier>3</multiplier>
</interval>
</bfd>
<ip>
<address>
<primary>
<address>100.100.1.1</address>
<mask>255.255.255.0</mask>
</primary>
</address>
</ip>
</TenGigabitEthernet>
<TenGigabitEthernet>
<name>0/0/6.101</name>
<encapsulation>
<dot1Q>
<vlan-id>100</vlan-id>
</dot1Q>
</encapsulation>
<bfd>
<interval xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-bfd">
<msecs>50</msecs>
<min_rx>50</min_rx>
<multiplier>3</multiplier>
</interval>
</bfd>
<vrf>
<forwarding>CU1_101</forwarding>
</vrf>
<ip>
<address>
<primary>
<address>13.1.1.1</address>
<mask>255.255.255.0</mask>
</primary>
</address>
</ip>
<ipv6>
<address>
<prefix-list>
<prefix>2001:13:1:1::1/64</prefix>
</prefix-list>
</address>
</ipv6>
</TenGigabitEthernet>
<TenGigabitEthernet>
<name>0/0/7</name>
<description>Connected to TR1</description>
<bfd>
<interval xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-bfd">
<msecs>50</msecs>
<min_rx>50</min_rx>
<multiplier>5</multiplier>
</interval>
</bfd>
<ip>
<address>
<primary>
<address>11.1.1.2</address>
<mask>255.255.255.0</mask>
</primary>
</address>
</ip>
</TenGigabitEthernet>
<TenGigabitEthernet>
<name>0/0/8</name>
<shutdown/>
<ip>
<no-address>
<address>false</address>
</no-address>
</ip>
</TenGigabitEthernet>
<TenGigabitEthernet>
<name>0/0/9</name>
<shutdown/>
<ip>
<no-address>
<address>false</address>
</no-address>
</ip>
</TenGigabitEthernet>
<Loopback>
<name>0</name>
<ip>
<address>
<primary>
<address>1.1.1.1</address>
<mask>255.255.255.255</mask>
</primary>
</address>
</ip>
</Loopback>
<Tunnel>
<name>1</name>
<mpls>
<bgp xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-mpls">
<forwarding/>
</bgp>
</mpls>
<ip>
<address>
<primary>
<address>192.168.1.2</address>
<mask>255.255.255.0</mask>
</primary>
</address>
</ip>
<tunnel xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-tunnel">
<source>11.1.1.2</source>
<destination>
<ipaddress-or-host>11.1.1.1</ipaddress-or-host>
</destination>
<protection>
<ipsec xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-crypto">
<profile>profile1</profile>
</ipsec>
</protection>
</tunnel>
</Tunnel>
</interface>
</native>
</config>
</edit-config>
</rpc>
# 4 segment routing configuration
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
<segment-routing>
<mpls xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-segment-routing">
<connected-prefix-sid-map>
<address-family>
<ipv4>
<prefixes>
<ipprefix>1.1.1.1/32</ipprefix>
<index>
<range-start>5001</range-start>
<range>1</range>
</index>
</prefixes>
</ipv4>
</address-family>
</connected-prefix-sid-map>
<global-block>
<range-start>16000</range-start>
<range-end>25000</range-end>
</global-block>
</mpls>
</segment-routing>
</native>
</config>
</edit-config>
</rpc>
# 5 BFD and NTP configuration
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
<bfd>
<map xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-bfd">
<ipv4>
<no-vrf>
<dest-ip>192.168.1.0/24</dest-ip>
<src-ip>192.168.1.2/32</src-ip>
<template-name>BFD</template-name>
</no-vrf>
</ipv4>
</map>
</bfd>
<ntp>
<master xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-ntp"/>
</ntp>
<diagnostic xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-diagnostics">
<bootup>
<level>minimal</level>
</bootup>
</diagnostic>
</native>
</config>
</edit-config>
</rpc>
# 6 BGP configuration
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
<router>
<bgp xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-bgp">
<id>5001</id>
<bgp>
<graceful-restart/>
</bgp>
<neighbor>
<id>192.168.1.1</id>
<remote-as>4001</remote-as>
<ebgp-multihop>
<max-hop>2</max-hop>
</ebgp-multihop>
<fall-over>
<bfd>
<multi-hop/>
</bfd>
</fall-over>
<update-source>
<Tunnel>1</Tunnel>
</update-source>
</neighbor>
<address-family>
<with-vrf>
<ipv4>
<af-name>unicast</af-name>
<vrf>
<name>CU1_101</name>
<advertise>
<l2vpn>
<evpn/>
</l2vpn>
</advertise>
<bgp>
<additional-paths>
<install/>
</additional-paths>
</bgp>
<maximum-paths>
<ebgp>4</ebgp>
</maximum-paths>
<neighbor>
<id>13.1.1.2</id>
<remote-as>201</remote-as>
<activate/>
<fall-over>
<bfd/>
</fall-over>
</neighbor>
</vrf>
</ipv4>
</with-vrf>
<no-vrf>
<ipv4>
<af-name>unicast</af-name>
<network>
<with-mask>
<number>1.1.1.1</number>
<mask>255.255.255.255</mask>
</with-mask>
</network>
<maximum-paths>
<ebgp>4</ebgp>
</maximum-paths>
<neighbor>
<id>192.168.1.1</id>
<activate/>
<send-community>
<send-community-where>both</send-community-where>
</send-community>
<send-label/>
</neighbor>
<segment-routing>
<mpls/>
</segment-routing>
</ipv4>
<l2vpn>
<af-name>evpn</af-name>
<maximum-paths>
<ebgp>4</ebgp>
</maximum-paths>
<neighbor>
<id>192.168.1.1</id>
<activate/>
<encap>
<mpls/>
</encap>
<route-map>
<inout>out</inout>
<route-map-name>NH_UNCHG</route-map-name>
</route-map>
<send-community>
<send-community-where>both</send-community-where>
</send-community>
</neighbor>
</l2vpn>
</no-vrf>
</address-family>
</bgp>
</router>
</native>
</config>
</edit-config>
</rpc>
k. Verifications on an ASR1K PE
DC1_RP3#sh ip bgp all sum
For address family: IPv4 Unicast
BGP router identifier 1.1.1.1, local AS number 5001
BGP table version is 3631, main routing table version 3631
156 network entries using 38688 bytes of memory
156 path entries using 21216 bytes of memory
156/156 BGP path/bestpath attribute entries using 43680 bytes of memory
155 BGP AS-PATH entries using 6168 bytes of memory
10 BGP extended community entries using 240 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 109992 total bytes of memory
BGP activity 3360838/3158941 prefixes, 5433488/5231572 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.1.1 4 4001 1602 25 3631 0 0 00:08:04 155
For address family: VPNv4 Unicast
BGP router identifier 1.1.1.1, local AS number 5001
BGP table version is 2163267, main routing table version 2163267
100821 network entries using 25810176 bytes of memory
100831 path entries using 13713016 bytes of memory
1421/1420 BGP path/bestpath attribute entries using 420616 bytes of memory
155 BGP AS-PATH entries using 6168 bytes of memory
10 BGP extended community entries using 240 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 39950216 total bytes of memory
BGP activity 3360838/3158941 prefixes, 5433488/5231572 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
13.1.1.2 4 201 83 382 2163267 0 0 01:10:31 2
13.1.2.2 4 201 82 525 2163267 0 0 01:10:31 1
13.1.3.2 4 201 83 452 2163267 0 0 01:10:31 1
13.1.4.2 4 201 82 382 2163267 0 0 01:10:31 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
13.1.5.2 4 201 83 381 2163267 0 0 01:10:31 1
13.1.6.2 4 201 82 384 2163267 0 0 01:10:32 1
13.1.7.2 4 201 82 383 2163267 0 0 01:10:33 1
13.1.8.2 4 201 81 380 2163267 0 0 01:10:32 1
13.1.9.2 4 201 82 382 2163267 0 0 01:10:33 1
13.1.10.2 4 201 83 382 2163267 0 0 01:10:32 1
For address family: VPNv6 Unicast
BGP router identifier 1.1.1.1, local AS number 5001
BGP table version is 789, main routing table version 789
40 network entries using 11200 bytes of memory
49 path entries using 7644 bytes of memory
21/20 BGP path/bestpath attribute entries using 6216 bytes of memory
155 BGP AS-PATH entries using 6168 bytes of memory
10 BGP extended community entries using 240 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 31468 total bytes of memory
BGP activity 3360838/3158941 prefixes, 5433488/5231572 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2001:13:1:1::2 4 201 84 81 789 0 0 01:10:26 3
2001:13:1:2::2 4 201 84 81 789 0 0 01:10:31 3
2001:13:1:3::2 4 201 85 82 789 0 0 01:10:33 3
2001:13:1:4::2 4 201 85 80 789 0 0 01:10:25 3
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2001:13:1:5::2 4 201 85 81 789 0 0 01:10:31 3
2001:13:1:6::2 4 201 84 82 789 0 0 01:10:33 3
2001:13:1:7::2 4 201 83 81 789 0 0 01:10:32 3
2001:13:1:8::2 4 201 84 82 789 0 0 01:10:29 3
2001:13:1:9::2 4 201 85 82 789 0 0 01:10:33 3
2001:13:1:10::2 4 201 85 80 789 0 0 01:10:33 3
For address family: L2VPN E-VPN
BGP router identifier 1.1.1.1, local AS number 5001
BGP table version is 1513181, main routing table version 1513181
100880 network entries using 34702720 bytes of memory
100880 path entries using 20983040 bytes of memory
1421/1421 BGP path/bestpath attribute entries using 397880 bytes of memory
155 BGP AS-PATH entries using 6168 bytes of memory
10 BGP extended community entries using 240 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 56090048 total bytes of memory
BGP activity 3360838/3158941 prefixes, 5433488/5231572 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.1.1 4 4001 1602 25 1513181 0 0 00:08:06 100839
DC1_RP3#
DC1_RP3#sh ip route vrf CU1_101
Routing Table: CU1_101
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.1.1.0/24 is directly connected, TenGigabitEthernet0/0/6.101
L 13.1.1.1/32 is directly connected, TenGigabitEthernet0/0/6.101
15.0.0.0/24 is subnetted, 1 subnets
B 15.1.1.0 [20/0] via 13.1.1.2, 03:28:20
16.0.0.0/32 is subnetted, 1 subnets
B 16.16.1.1 [20/0] via 13.1.1.2, 03:28:20
23.0.0.0/24 is subnetted, 1 subnets
B 23.1.1.0 [20/0] via 8.8.8.8, 00:07:04 <-- Campus Prefix (2 ECMP)
[20/0] via 7.7.7.7, 00:07:04
35.0.0.0/32 is subnetted, 10080 subnets
B 35.35.1.1 [20/0] via 28.1.1.2, 00:19:40 <snipped>
DC1_RP3#sh bfd neighbors
IPv4 Sessions
NeighAddr LD/RD RH/RS State Int
13.1.1.2 4138/4288 Up Up Te0/0/6.101
13.1.2.2 4133/4283 Up Up Te0/0/6.102
13.1.3.2 4135/4285 Up Up Te0/0/6.103
13.1.4.2 4132/4282 Up Up Te0/0/6.104
13.1.5.2 4139/4289 Up Up Te0/0/6.105
13.1.6.2 4134/4284 Up Up Te0/0/6.106
13.1.7.2 4130/4280 Up Up Te0/0/6.107
13.1.8.2 4136/4286 Up Up Te0/0/6.108
13.1.9.2 4131/4281 Up Up Te0/0/6.109
13.1.10.2 4137/4287 Up Up Te0/0/6.110
IPv4 Sessions
NeighAddr LD/RD RH/RS State Int
IPv6 Sessions
NeighAddr LD/RD RH/RS State Int
2001:13:1:1::2 4/189 Up Up Te0/0/6.101
2001:13:1:2::2 7/186 Up Up Te0/0/6.102
2001:13:1:3::2 5/181 Up Up Te0/0/6.103
2001:13:1:4::2 9/190 Up Up Te0/0/6.104
2001:13:1:5::2 1/187 Up Up Te0/0/6.105
2001:13:1:6::2 6/184 Up Up Te0/0/6.106
2001:13:1:7::2 2/185 Up Up Te0/0/6.107
2001:13:1:8::2 3/188 Up Up Te0/0/6.108
2001:13:1:9::2 10/183 Up Up Te0/0/6.109
2001:13:1:10::2 8/182 Up Up Te0/0/6.110
IPv6 Sessions
NeighAddr LD/RD RH/RS State Int
IPv4 Multihop Sessions
NeighAddr[vrf] LD/RD RH/RS State
192.168.1.1 4141/4097 Up Up Tunnel
DC1_RP3#
TR1#sh bfd neighbors
IPv4 Sessions
NeighAddr LD/RD RH/RS State Int
16.1.1.2 4102/1090519043 Up Up Te0/1/3
27.1.1.2 4097/1090519047 Up Up Te0/1/5
IPv4 Multihop Sessions
NeighAddr[vrf] LD/RD RH/RS State
192.168.1.2 4101/4110 Up Up
TR1#
DC1_RP3#sh ip bgp l2vpn evpn det | b 23.1.1.0
BGP routing table entry for [5][7.7.7.7:3][0][24][23.1.1.0]/17, version 94
Paths: (1 available, best #1, table EVPN-BGP-Table)
Not advertised to any peer
Refresh Epoch 1
4001 2101 3101
7.7.7.7 (via default) from 192.168.1.1 (3.3.3.3)
Origin incomplete, localpref 100, valid, external, best
EVPN ESI: 00000000000000000000, Gateway Address: 0.0.0.0, VNI Label 0, MPLS VPN Label 492287
Extended Community: RT:1:101
rx pathid: 0, tx pathid: 0x0
BGP routing table entry for [5][8.8.8.8:3][0][24][23.1.1.0]/17, version 114
Paths: (1 available, best #1, table EVPN-BGP-Table)
Not advertised to any peer
Refresh Epoch 1
4001 2101 3101
8.8.8.8 (via default) from 192.168.1.1 (3.3.3.3)
Origin incomplete, localpref 100, valid, external, best
EVPN ESI: 00000000000000000000, Gateway Address: 0.0.0.0, VNI Label 0, MPLS VPN Label 492288
Extended Community: RT:1:101
rx pathid: 0, tx pathid: 0x0
Leaf1# sh bgp l2vpn evpn 15.1.1.0
BGP routing table information for VRF default, address family L2VPN EVPN
Route Distinguisher: 1:101
BGP routing table entry for [5]:[0]:[0]:[24]:[15.1.1.0]:[0.0.0.0]/224, version 16260734
Paths: (2 available, best #1)
Flags: (0x000002) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not in HW
Advertised path-id 1
Path type: external, path is valid, is best path
Imported to 2 destination(s)
AS-Path: 2201 4001 5001 201 , path sourced external to AS
1.1.1.1 (metric 0) from 21.1.1.2 (6.6.6.6)
Origin incomplete, MED not set, localpref 100, weight 0
Received label 16
Extcommunity: RT:1:101
Path type: external, path is valid, not best reason: newer EBGP path
AS-Path: 2101 4001 5001 201 , path sourced external to AS
1.1.1.1 (metric 0) from 18.1.1.2 (5.5.5.5)
Origin incomplete, MED not set, localpref 100, weight 0
Received label 16
Extcommunity: RT:1:101
Path-id 1 advertised to peers:
18.1.1.2
Route Distinguisher: 2:101
BGP routing table entry for [5]:[0]:[0]:[24]:[15.1.1.0]:[0.0.0.0]/224, version 16260611
Paths: (2 available, best #1)
Flags: (0x000002) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not in HW
Advertised path-id 1
Path type: external, path is valid, is best path
Imported to 2 destination(s)
AS-Path: 2101 4002 5002 201 , path sourced external to AS
2.2.2.2 (metric 0) from 18.1.1.2 (5.5.5.5)
Origin incomplete, MED not set, localpref 100, weight 0
Received label 40
Extcommunity: RT:1:101
Path type: external, path is valid, not best reason: newer EBGP path
AS-Path: 2201 4002 5002 201 , path sourced external to AS
2.2.2.2 (metric 0) from 21.1.1.2 (6.6.6.6)
Origin incomplete, MED not set, localpref 100, weight 0
Received label 40
Extcommunity: RT:1:101
Path-id 1 advertised to peers:
21.1.1.2
Route Distinguisher: 7.7.7.7:3
BGP routing table entry for [5]:[0]:[0]:[24]:[15.1.1.0]:[0.0.0.0]/224, version 16260693
Paths: (2 available, best #1)
Flags: (0x000002) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not in HW
Advertised path-id 1
Path type: external, path is valid, is best path
Imported from 2:101:[5]:[0]:[0]:[24]:[15.1.1.0]:[0.0.0.0]/224
AS-Path: 2101 4002 5002 201 , path sourced external to AS
2.2.2.2 (metric 0) from 18.1.1.2 (5.5.5.5)
Origin incomplete, MED not set, localpref 100, weight 0
Received label 40
Extcommunity: RT:1:101
Path type: external, path is valid, not best reason: newer EBGP path
Imported from 1:101:[5]:[0]:[0]:[24]:[15.1.1.0]:[0.0.0.0]/224
AS-Path: 2201 4001 5001 201 , path sourced external to AS
1.1.1.1 (metric 0) from 21.1.1.2 (6.6.6.6)
Origin incomplete, MED not set, localpref 100, weight 0
Received label 16
Extcommunity: RT:1:101
Path-id 1 not advertised to any peer
Leaf1# sh ip route vrf CU1_101
IP Route Table for VRF "CU1_101"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
15.1.1.0/24, ubest/mbest: 2/0 <-- DC Prefix (2 ECMP)
*via 1.1.1.1%default, [20/0], 00:03:28, bgp-3101, external, tag 2201 (mpls-vpn)
*via 2.2.2.2%default, [20/0], 00:04:00, bgp-3101, external, tag 2101 (mpls-vpn)
16.16.1.1/32, ubest/mbest: 2/0
*via 1.1.1.1%default, [20/0], 00:03:28, bgp-3101, external, tag 2201 (mpls-vpn)
*via 2.2.2.2%default, [20/0], 00:04:00, bgp-3101, external, tag 2101 (mpls-vpn)
23.1.1.0/24, ubest/mbest: 1/0, attached
*via 23.1.1.1, Eth1/24.101, [0/0], 04:44:30, direct
23.1.1.1/32, ubest/mbest: 1/0, attached
*via 23.1.1.1, Eth1/24.101, [0/0], 04:44:30, local
23.1.1.100/32, ubest/mbest: 1/0, attached
*via 23.1.1.100, Eth1/24.101, [0/0], 04:43:47, hsrp
31.1.1.1/32, ubest/mbest: 2/0, attached
*via 31.1.1.1, Lo101, [0/0], 4w1d, local
*via 31.1.1.1, Lo101, [0/0], 4w1d, direct
Leaf1# sh ip route
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
1.1.1.1/32, ubest/mbest: 2/0 <-- ASR1K PE1 Node SID (2 ECMP)
*via 18.1.1.2, [20/0], 01:26:37, bgp-3101, external, tag 2101 (mpls)
*via 21.1.1.2, [20/0], 01:26:38, bgp-3101, external, tag 2201 (mpls)
2.2.2.2/32, ubest/mbest: 2/0 <-- ASR1K PE2 Node SID (2 ECMP)
*via 18.1.1.2, [20/0], 01:27:15, bgp-3101, external, tag 2101 (mpls)
*via 21.1.1.2, [20/0], 01:27:15, bgp-3101, external, tag 2201 (mpls)
DC1_RP3#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 11.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (11.1.1.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (11.1.1.1/255.255.255.255/47/0)
current_peer 11.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3291696656, #pkts encrypt: 3291696656, #pkts digest: 3291696656
#pkts decaps: 2564054003, #pkts decrypt: 2564054003, #pkts verify: 2564054003
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.1.1.2, remote crypto endpt.: 11.1.1.1
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb TenGigabitEthernet0/0/7
current outbound spi: 0xB5D43C74(3050585204)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xCA7FA606(3397363206)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2255, flow_id: HW:255, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (sec): 2981
Kilobyte Volume Rekey has been disabled
IV size: 8 bytes
replay detection support: Y replay window size: 1024
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB5D43C74(3050585204)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2256, flow_id: HW:256, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (sec): 2981
Kilobyte Volume Rekey has been disabled
IV size: 8 bytes
replay detection support: Y replay window size: 1024
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
DC1_RP3#
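The fields an operator reads off the `sh crypto ipsec sa` output above (PFS, error counters, SA status, replay detection, transform set) can be checked by script. The Python below is an added example, not part of the Cisco profile; the function names, the embedded sample (trimmed from the output above) and the audit rules are assumptions of this example.

```python
import re

# Constructed sample: fields trimmed from the `sh crypto ipsec sa` output above.
SAMPLE = """\
#send errors 0, #recv errors 0
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xCA7FA606(3397363206)
transform: esp-aes esp-sha-hmac ,
replay detection support: Y replay window size: 1024
Status: ACTIVE(ACTIVE)
inbound ah sas:
outbound esp sas:
spi: 0xB5D43C74(3050585204)
transform: esp-aes esp-sha-hmac ,
replay detection support: Y replay window size: 1024
Status: ACTIVE(ACTIVE)
"""

# One "<direction> esp sas:" header plus everything up to the next "... sas:" header.
SECTION = re.compile(
    r"(inbound|outbound) esp sas:\n(.*?)(?=\n\s*(?:inbound|outbound) \w+ sas:|\Z)", re.S)

def parse_ipsec_sa(text):
    """Extract the fields of one interface's SA listing that matter for tunnel health."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    sa = {"pfs": grab(r"PFS \(Y/N\): (\w)"), "dh_group": grab(r"DH group: (\S+)"),
          "errors": sum(int(n) for n in re.findall(r"#(?:send|recv) errors (\d+)", text)),
          "esp": {}}
    for direction, body in SECTION.findall(text):
        spi = re.search(r"spi: (0x[0-9A-Fa-f]+)", body)
        if spi:  # a header with no spi line means no SA is installed in that direction
            sa["esp"][direction] = {
                "spi": spi.group(1),
                "transform": re.search(r"transform: ([^,\n]+)", body).group(1).split(),
                "replay": re.search(r"replay detection support: (\w)", body).group(1),
                "status": re.search(r"Status: (\w+)", body).group(1)}
    return sa

def audit(sa):
    # The rules below are this example's assumptions, not Cisco guidance.
    findings = []
    if sa["pfs"] != "Y":
        findings.append("PFS disabled (DH group: %s)" % sa["dh_group"])
    if sa["errors"]:
        findings.append("crypto send/recv errors present")
    for direction in ("inbound", "outbound"):
        esp = sa["esp"].get(direction)
        if esp is None:
            findings.append("no %s ESP SA" % direction)
            continue
        if esp["status"] != "ACTIVE":
            findings.append("%s ESP SA status is %s" % (direction, esp["status"]))
        if esp["replay"] != "Y":
            findings.append("%s ESP SA has replay detection off" % direction)
        # Heuristic on IOS transform names: HMAC or GCM/GMAC transforms give integrity.
        if not any(t.endswith("-hmac") or "gcm" in t or "gmac" in t for t in esp["transform"]):
            findings.append("%s ESP SA has no integrity transform" % direction)
    return findings
```

Run against the captured output, `audit(parse_ipsec_sa(SAMPLE))` reports only the disabled PFS setting; both ESP SAs are active with replay detection on.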
10. Acronyms
Following is a list of acronyms used in this Cisco Validated Profile:
● EVPN – Ethernet VPN
● MPLS – Multiprotocol Label Switching
● SR – Segment Routing
● BGP – Border Gateway Protocol
● BGP LU – BGP Labelled Unicast
● IPsec – Internet Protocol Security
● GRE – Generic Routing Encapsulation
● SNMP – Simple Network Management Protocol
For any feedback/questions, please send an email to: [email protected]
Printed in USA C17-741511-00 12/18