Alex D.
2018-04-18 21:50:45 UTC
Hello,
in our core network, we have an EVPN with IRB setup on 2 MX480. JUNOS is
17.3R1-S1.6.
Here are the relevant parts of my configuration:
routing-instance:
EVPN_TEST {
instance-type virtual-switch;
route-distinguisher x.x.x.x:1002;
vrf-target target:1002:10;
protocols {
evpn {
extended-vlan-list 10;
default-gateway do-not-advertise;
}
}
bridge-domains {
VLAN-10 {
vlan-id 10;
interface ae10.10;
routing-interface irb.1002;
}
}
}
interfaces:
irb {
unit 1002 {
family inet {
address a.b.c.d/29;
}
mac 84:b5:9c:af:fe:02;
}
}
ae10 {
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
aggregated-ether-options {
~ snip ~
}
unit 10 {
encapsulation vlan-bridge;
vlan-id 10;
family bridge;
}
}
Both routers PE1 and PE2 have identical setup (apart from the
route-distinguisher). The irb interfaces act as default-gateway for a
firewall cluster connected to ae10 on both PE routers. The firewall
cluster has VRRP configured on it's external interfaces, which is
running fine over EVPN. Connectivity to/from the VRRP IP is given
regardless of whether first or second cluster member is VRRP master. So
far everything is going as expected...
Let's come to my problem now...
On both PE routers, I have static routes for DMZ networks (which resides
behind the firewall) towards the VRRP IP. These DMZ networks are only
reacheable, when the packet arrives over the PE router which has the
VRRP master attached.
Here's an example: VRRP master is attached at PE1. PE2 learns this VRRP
IP via an EVPN type-2 route from PE1. Now, an IP packet for a DMZ host
arrives at PE2 which has a static route pointing to the VRRP IP. PE2
doesn't label-switch the IP ipacket to PE1 (where the next-hop is
connected), but tries to use the local irb as outgoing interface. I hope
my problem description is reasonably understandable.
Based on the observations, the following questions arise for me:
- could my setup work at all, or do I have a basic understanding problem
here ? Most EVPN with IRB examples i found focuses on hosts (and not
firewalls/routers) and therefore doesn't use static routes.
- if my setup should work as described, is there a known bug with EVPN
with IRB and static routing ?
- does someone have a similar, but working setup
If you need more informations, a more detailed and non-anonymized
configurations or some output of show commands, feel free to ask. I will
provide them accordingly.
Thanks in advance.
Regards,
Alex
_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
in our core network, we have an EVPN with IRB setup on 2 MX480. JUNOS is
17.3R1-S1.6.
Here are the relevant parts of my configuration:
routing-instance:
EVPN_TEST {
instance-type virtual-switch;
route-distinguisher x.x.x.x:1002;
vrf-target target:1002:10;
protocols {
evpn {
extended-vlan-list 10;
default-gateway do-not-advertise;
}
}
bridge-domains {
VLAN-10 {
vlan-id 10;
interface ae10.10;
routing-interface irb.1002;
}
}
}
interfaces:
irb {
unit 1002 {
family inet {
address a.b.c.d/29;
}
mac 84:b5:9c:af:fe:02;
}
}
ae10 {
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
aggregated-ether-options {
~ snip ~
}
unit 10 {
encapsulation vlan-bridge;
vlan-id 10;
family bridge;
}
}
Both routers PE1 and PE2 have identical setup (apart from the
route-distinguisher). The irb interfaces act as default-gateway for a
firewall cluster connected to ae10 on both PE routers. The firewall
cluster has VRRP configured on it's external interfaces, which is
running fine over EVPN. Connectivity to/from the VRRP IP is given
regardless of whether first or second cluster member is VRRP master. So
far everything is going as expected...
Let's come to my problem now...
On both PE routers, I have static routes for DMZ networks (which resides
behind the firewall) towards the VRRP IP. These DMZ networks are only
reacheable, when the packet arrives over the PE router which has the
VRRP master attached.
Here's an example: VRRP master is attached at PE1. PE2 learns this VRRP
IP via an EVPN type-2 route from PE1. Now, an IP packet for a DMZ host
arrives at PE2 which has a static route pointing to the VRRP IP. PE2
doesn't label-switch the IP ipacket to PE1 (where the next-hop is
connected), but tries to use the local irb as outgoing interface. I hope
my problem description is reasonably understandable.
Based on the observations, the following questions arise for me:
- could my setup work at all, or do I have a basic understanding problem
here ? Most EVPN with IRB examples i found focuses on hosts (and not
firewalls/routers) and therefore doesn't use static routes.
- if my setup should work as described, is there a known bug with EVPN
with IRB and static routing ?
- does someone have a similar, but working setup
If you need more informations, a more detailed and non-anonymized
configurations or some output of show commands, feel free to ask. I will
provide them accordingly.
Thanks in advance.
Regards,
Alex
_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp