Migrate from your existing network to VXLAN EVPN
Yianni Thallas, CXPM Architect
BRKDCN-2951
#CiscoLive
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Questions? Use the Cisco Webex App to chat with the speaker after the session. Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Introduction
- Out with the old
- In with the new
- Old to New
- Migration Walkthrough
- External Connectivity Migration

Introduction
- As application requirements change, the network needs to change with it.
- With technologies such as virtualization, edge computing, hybrid clouds, 5G networks, artificial intelligence (AI), and the need for automation, the data center needs to change.
- Legacy data center designs running classic Ethernet/vPC and FabricPath no longer meet the requirements.
- VXLAN EVPN is the de facto technology for NextGen Data Centers.
- Migrating from legacy DCs running Spanning Tree or FabricPath can be challenging.
- This session will cover how to migrate from the old to the new.

Out with the old
[Figure: Classic Spanning-Tree. Labels: Access, Agg*, Core; STP Root / FHRP Active; STP 2nd Root / FHRP Standby.]
[Figure: vPC and Spanning-Tree. Labels: Access, Agg*, Core; STP Root / FHRP Active on both Agg*; vPC.]
[Figure: FabricPath (MAC-in-MAC). Labels: Leaf, "Spine", Core; Anycast HSRP; vPC. "Spine" = Not Really a Spine.]
Agg* = Aggregation

Data Center Network Challenges
- Hierarchical Topology
- Scale-Up with Big Centralized Chassis (Agg*)
- STP limits full bandwidth utilization
- Hairpinning
- Suboptimal performance, traffic forwarding constrained by spanning-tree rules
- Rigid Network Service Placement (L4-L7)
- Limited Endpoint Mobility
- Flood & Learn
- Convergence dependent on Single Tree and MAC Flush (TCN)
- Exposed to Large Broadcast Domains (All Access and Agg*)
Agg* = Aggregation

In with the new

What is VXLAN?
- Standards based Encapsulation
- RFC 7348
- MAC-in-IP
- Transport Independent
- Layer-3 Transport (Underlay)
- Uses UDP-Encapsulation
- Multipath Capable
- Uses Per-Flow Entropy
- Flexible Namespace
- Allows Segmentations

Overlay Taxonomy
[Figure: Overlay Taxonomy. Labels: Hosts (Endpoints), Edge Devices (NVEs), Underlay Transport Network, Underlay Control-Plane, Tunnel Encapsulation, Overlay Control-Plane.]
- Service = Virtual Network
- Identifier = VN Identifier (VNI)

MAC-in-IP Encapsulation
VXLAN Encapsulation (50/54 Bytes), placed in front of the Original Ethernet Frame:
    Outer MAC SA/DA          14 Bytes
    Optional Outer 802.1q     4 Bytes
    Outer IP SA, Outer IP DA 20 Bytes
    Outer UDP                 8 Bytes
    VXLAN                     8 Bytes
Original Ethernet Frame: Inner MAC SA, Inner MAC DA, Optional Inner 802.1q, Original Ethernet Payload, CRC

Transport Independence
[Figure: edge devices (V) around the Underlay Transport Network.]
- We Want To Bridge
- But Underlay is Routed

Multipath Capable
- Outer IP: Source VTEP IP, Destination VTEP IP
- Outer UDP: UDP Dest. Port: 4789, UDP Src. Port: Per-Flow
- Inner frame fields labelled on the figure: MAC SA/DA, IP SA/DA, Protocol, Port
- Underlay is ECMP Routed

Extended Namespace
VXLAN header (8 Bytes) inside the IP/UDP/VXLAN encapsulation:
    Flags (R R R R I R R R)           1 Byte (8 bits)
    Reserved                          3 Bytes (24 bits)
    VXLAN Network Identifier (VNI)    3 Bytes (24 bits)
    Reserved                          1 Byte (8 bits)
- Flags Field: I-flag (set to 1) for valid VNI. Other flags remain as R (set to 0)
- VNI Field: Allows VNI 1-16,777,215 (some implementations only 4096-16,777,215)
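
The header layout and per-flow source port from the Multipath Capable and Extended Namespace slides, as an added example that is not part of the original deck: a validator that checks the I flag, the reserved bits and the VNI range before a VNI is trusted. The function names, the CRC32 stand-in for the switch hash and the sample flow are assumptions made for illustration; VNI 31234 is the vn-segment used in the deck's vlan 15 example.

```python
import struct
import zlib

VXLAN_UDP_PORT = 4789   # UDP destination port shown on the slide
VXLAN_HDR_LEN = 8       # Flags (1) + Reserved (3) + VNI (3) + Reserved (1)
I_FLAG = 0x08           # flags byte "R R R R I R R R"


class VxlanError(ValueError):
    """The bytes do not form a header a VTEP should accept."""


def build_vxlan_header(vni: int) -> bytes:
    """Encode a header with only the I flag set and all reserved bits zero."""
    if not 1 <= vni <= 0xFFFFFF:
        raise VxlanError(f"VNI {vni} is outside 1-16,777,215")
    # Word 1: flags byte + 24 reserved bits. Word 2: 24-bit VNI + 8 reserved bits.
    return struct.pack("!II", I_FLAG << 24, vni << 8)


def parse_vxlan_header(udp_payload: bytes, strict: bool = True) -> int:
    """Validate the 8-byte header at the start of a UDP payload, return the VNI."""
    if len(udp_payload) < VXLAN_HDR_LEN:
        raise VxlanError("truncated VXLAN header")
    word1, word2 = struct.unpack("!II", udp_payload[:VXLAN_HDR_LEN])
    flags = word1 >> 24
    if not flags & I_FLAG:
        raise VxlanError("I flag is 0, so the VNI field is not valid")
    reserved_set = (flags & ~I_FLAG & 0xFF) or (word1 & 0xFFFFFF) or (word2 & 0xFF)
    if strict and reserved_set:
        raise VxlanError("reserved bits are not 0")
    vni = word2 >> 8
    if vni == 0:
        raise VxlanError("VNI 0 is outside 1-16,777,215")
    return vni


def flow_source_port(inner_flow: tuple) -> int:
    """Derive the outer UDP source port from the inner flow (per-flow entropy).

    CRC32 stands in for the hardware hash (an assumption); 49152-65535 is the
    source port range RFC 7348 recommends.
    """
    key = "|".join(str(field) for field in inner_flow).encode()
    return 49152 + zlib.crc32(key) % 16384


def encapsulation_overhead(outer_dot1q: bool = False) -> int:
    """Outer MAC 14 + optional 802.1q 4 + IP 20 + UDP 8 + VXLAN 8 bytes."""
    return 14 + (4 if outer_dot1q else 0) + 20 + 8 + VXLAN_HDR_LEN


if __name__ == "__main__":
    header = build_vxlan_header(31234)
    print(header.hex(), parse_vxlan_header(header))
    # Constructed inner flow: MAC SA/DA, IP SA/DA, protocol, ports.
    flow = ("0003.0000.1001", "0003.0000.1002",
            "192.168.10.1", "192.168.10.2", 6, 49200, 443)
    print(flow_source_port(flow), encapsulation_overhead(), encapsulation_overhead(True))
```
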

Extended Namespace
Configuration shown with the header figure:
    vlan 15
      vn-segment 31234

What is EVPN?
- Standards based Control-Plane
- RFC 8365 (and RFC 7432)
- Uses Multiprotocol BGP
- Uses Various Data-Planes: VXLAN (EVPN-Overlay), MPLS, Provider Backbone (PBB)
- Many Use-Cases Covered: Bridging, MAC Mobility, First-Hop & Prefix Routing, Multi-Tenancy (VPN)

EVPN Route-Types
BGP EVPN Address-Family

Route-Type 2: MAC/IP Advertisement Route
- Mandatory: MAC Address (/48), MPLS Label1 (L2VNI), Route Target for MAC-VRF
- Optional: IP Address (/32 or /128), MPLS Label2 (L3VNI*), Route Target for IP-VRF, Router MAC
- IP Attributes are learned through ARP/ND

Route-Type 5: IP Prefix Advertisement
- Mandatory: IP Prefix (Variable Subnet Mask), MPLS Label (L3VNI), Route Target for IP-VRF, Router MAC
- Optional: Gateway-IP
- IP Attributes are learned through Redistribution or Routing Protocols

Data Center Network Challenges: Solving the Legacy Methods Challenges
- Hierarchical Topology
- Scale-Out
- Adding Spine for Bandwidth and Redundancy
- Adding Leaf for Port Capacity
- All Links are used (IP ECMP)
- No More Hairpinning
- Default Gateway at Every Leaf
- Distributed Anycast Gateway
- Flexible Network Service Placement (L4-L7)
- Pervasive Subnet and Endpoint Mobility
- Control-Plane Learned
- Active Learning and Distribution with BGP EVPN
- Reduces the Broadcast Domain by configuring VLANs where Needed
Agg* = Aggregation

Migrating from Old to New

Old to New: Migration steps
1. Deploy VXLAN EVPN environment
2. Integrate legacy data network infrastructure and the new VXLAN fabric. L2 and L3 integration is needed for workload migration.
3. Migrate workloads between legacy networks and new fabric. During workload migration, communication between migrated and non-migrated devices uses the Layer 2 and Layer 3 connections that were established in step 2.

Old to New: FHRP placement
- The default gateway for newly deployed VLANs and IP subnets should be placed in the new VXLAN EVPN fabric.
- For VLANs that need to be migrated to the new fabric, the FHRP migration can be chosen based on the following criteria:
  - *Default Gateway Coexistence of HSRP and Anycast Gateway
  - When most of the workloads are migrated
  - Premigration of the first workload
  - Premigration of the last workload
* NX-OS 10.2(3)

Old to New: Layer 2 Connection
[Figure: Layer 2 interconnect between the VXLAN fabric and the CE/FP network. Labels: VXLAN, vPC, vPC+, CE/FP.]
- Double-sided vPC should be used on a pair of nodes between the FP/CE and VXLAN network. This allows for a loop free topology.
- In the VXLAN fabric any pair of vPC devices with a VTEP (Virtual Tunnel Endpoint) can provide the connectivity.
- In the FP/CE network the interconnection should be connected at the Layer 2/Layer 3 demarcation point

Old to New: Layer 2 Connection, STP considerations
- VXLAN does not forward BPDUs, nor does it block traffic on a tunnel.
- An L2 loop is possible if proper L2 design considerations are not taken.
- On both classic Ethernet and FabricPath the root should be on the L2 interconnect switches.
- The VXLAN border VTEPs should have their root ports towards the FP/CE network.
- It is recommended to have a single logical link (for efficient bandwidth utilization) or physical L2 connection between the two networks
- A single active connection in both use-cases can be achieved using vPC or vPC+ for FabricPath networks, or manual VLAN distribution
[Figure: STP loop-free topology, marked "Cisco Recommended".]

Old to New: Layer 2 Connection, VLAN Mapping 1:1
- VLAN in FP/CE and in VXLAN is consistent
- VLAN 10 is used up to ingress border, which is mapped to a VNI.
- Egress VTEP is mapped to same original VLAN

VLAN mapping, Ingress Classic Ethernet node*:
    vlan 10
VLAN mapping, Egress Classic Ethernet node*:
    vlan 10
VLAN mapping, Ingress VXLAN node:
    vlan 10
      vn-segment 30001
VLAN mapping, Egress VXLAN node:
    vlan 10
      vn-segment 30001
* mode fabricpath for FP

Packet walk (Server 1: 192.168.10.1, Server 2: 192.168.10.2; nodes B1 and L1):
    Ethernet frame: SMAC 0003.0000.1001, DMAC 0003.0000.1002, VLAN 10, SIP 192.168.10.1, DIP 192.168.10.2
    VXLAN frame:    outer SIP B1-IP, outer DIP L1-IP, VNI 30001, inner SMAC 0003.0000.1001, inner DMAC 0003.0000.1002, SIP 192.168.10.1, DIP 192.168.10.2
    Ethernet frame: SMAC 0003.0000.1001, DMAC 0003.0000.1002, VLAN 10, SIP 192.168.10.1, DIP 192.168.10.2

Old to New: Layer 2 Connection, Mapping between different VLANs
- VLAN in FP/CE and in VXLAN is consistent
- VLAN 10 is used up to ingress border, which is mapped to a VNI.
- Egress VTEP is mapped to different VLAN

VLAN mapping, Ingress Classic Ethernet node*:
    vlan 10
VLAN mapping, Egress Classic Ethernet node*:
    vlan 10
VLAN mapping, Ingress VXLAN node:
    vlan 10
      vn-segment 30001
VLAN mapping, Egress VXLAN node:
    vlan 55
      vn-segment 30001
* mode fabricpath for FP

Packet walk (Server 1: 192.168.10.1, Server 2: 192.168.10.2; nodes B1 and L1):
    Ethernet frame: SMAC 0003.0000.1001, DMAC 0003.0000.1002, VLAN 10, SIP 192.168.10.1, DIP 192.168.10.2
    VXLAN frame:    outer SIP B1-IP, outer DIP L1-IP, VNI 30001, inner SMAC 0003.0000.1001, inner DMAC 0003.0000.1002, SIP 192.168.10.1, DIP 192.168.10.2
    Ethernet frame: SMAC 0003.0000.1001, DMAC 0003.0000.1002, VLAN 55, SIP 192.168.10.1, DIP 192.168.10.2

Old to New: Layer 2 Connection, Flexible VLAN mapping with port-VLAN translation
- Allows VLAN translation from FP/CE
- VLAN 10 is used up to ingress border, which is mapped to different VLAN then transported through VXLAN with VNI
- Egress VTEP is mapped to different VLAN
- Mapping of VLANs at various stages can be operationally complex

VLAN mapping, Ingress Classic Ethernet node*:
    vlan 10
VLAN mapping, Egress Classic Ethernet node*:
    vlan 10
VLAN mapping, Ingress VXLAN node:
    vlan 23
      vn-segment 30001
    interface port-channel 10
      switchport vlan mapping enable
      switchport vlan mapping 10 23
      switchport trunk allowed vlan 23
VLAN mapping, Egress VXLAN node:
    vlan 55
      vn-segment 30001
* mode fabricpath for FP

Packet walk (Server 1: 192.168.10.1, Server 2: 192.168.10.2; nodes B1 and L1):
    Ethernet frame: SMAC 0003.0000.1001, DMAC 0003.0000.1002, VLAN 10, SIP 192.168.10.1, DIP 192.168.10.2
    VXLAN frame:    outer SIP B1-IP, outer DIP L1-IP, VNI 30001, inner SMAC 0003.0000.1001, inner DMAC 0003.0000.1002, SIP 192.168.10.1, DIP 192.168.10.2
    Ethernet frame: SMAC 0003.0000.1001, DMAC 0003.0000.1002, VLAN 55, SIP 192.168.10.1, DIP 192.168.10.2
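
Because the three Layer 2 mapping modes above differ only in which VLAN is bound to VNI 30001 at each stage, a small tracer makes the "operationally complex" part checkable before cutover. This is an added example, not code from the deck: it parses the config lines shown on the slides and follows a CE/FP VLAN tag through ingress translation, the VNI and the egress VLAN. The function names and the broken ingress config are constructed; it assumes one interconnect interface per node and comma-separated allowed-VLAN lists.

```python
import re


def parse_node(config: str) -> dict:
    """Collect VLAN-to-VNI bindings and port-VLAN translations for one node."""
    node = {"vlan_to_vni": {}, "translate": {}, "allowed": set()}
    vlan = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m.group(1))
        elif m := re.fullmatch(r"vn-segment (\d+)", line):
            if vlan is None:
                raise ValueError("vn-segment outside a vlan block")
            node["vlan_to_vni"][vlan] = int(m.group(1))
        elif line.startswith("interface "):
            vlan = None
        elif m := re.fullmatch(r"switchport vlan mapping (\d+) (\d+)", line):
            node["translate"][int(m.group(1))] = int(m.group(2))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,]+)", line):
            node["allowed"] = {int(v) for v in m.group(1).split(",")}
    return node


def trace_vlan(ce_vlan: int, ingress: dict, egress: dict) -> dict:
    """Follow a CE/FP tag to the egress VLAN; raise if the chain is broken."""
    local = ingress["translate"].get(ce_vlan, ce_vlan)
    if ingress["allowed"] and local not in ingress["allowed"]:
        raise LookupError(f"VLAN {local} is not allowed on the ingress trunk")
    vni = ingress["vlan_to_vni"].get(local)
    if vni is None:
        raise LookupError(f"ingress VLAN {local} has no vn-segment")
    egress_vlans = [v for v, n in egress["vlan_to_vni"].items() if n == vni]
    if len(egress_vlans) != 1:
        raise LookupError(f"VNI {vni} maps to {len(egress_vlans)} egress VLANs")
    return {"ce_vlan": ce_vlan, "ingress_vlan": local,
            "vni": vni, "egress_vlan": egress_vlans[0]}


# Configs as shown on the slides.
VLAN10 = "vlan 10\n  vn-segment 30001"
VLAN55 = "vlan 55\n  vn-segment 30001"
TRANSLATED = """vlan 23
  vn-segment 30001
interface port-channel 10
  switchport vlan mapping enable
  switchport vlan mapping 10 23
  switchport trunk allowed vlan 23"""
# Constructed failure case: the "10 23" translation line was left out.
BROKEN = """vlan 23
  vn-segment 30001
interface port-channel 10
  switchport vlan mapping enable
  switchport trunk allowed vlan 23"""

if __name__ == "__main__":
    for name, ing, egr in (("1:1", VLAN10, VLAN10),
                           ("different VLANs", VLAN10, VLAN55),
                           ("port-VLAN translation", TRANSLATED, VLAN55)):
        print(name, trace_vlan(10, parse_node(ing), parse_node(egr)))
    try:
        trace_vlan(10, parse_node(BROKEN), parse_node(VLAN55))
    except LookupError as err:
        print("broken ingress:", err)
```
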

Old to New: Layer 3 Connection, Classic Ethernet
- Layer 3 connectivity between old and new is needed
- Allows communication between endpoints at various migration stages
- Allows communication of migrated endpoints to old external core
- In CE network this should be done at the aggregation layer where the L2/L3 demarcation exists
- In the VXLAN network this could be any switch that provides a VTEP

Old to New: Layer 3 Connection, FabricPath
- Access-Aggregation using vPC active/active with HSRP
- Leaf-and-Spine with active/active HSRP at a leaf pair using vPC
- Leaf-and-Spine with anycast HSRP at spine

Old to New: Layer 3 Connection, FabricPath: Access-Aggregation using vPC
- Similar to vPC aggregation with active/active HSRP, difference is FP encapsulation
- L2/L3 interconnect will be placed at the aggregation layer

Old to New: Layer 3 Connection, FabricPath: Leaf-and-Spine with First-Hop Gateway at Leaf
- Similar to access-aggregation with active/active HSRP
- FHRP is at the leaf layer
- External connectivity is also hosted at leaf (border leaf)
- Spine layer is free of endpoints and external connectivity
- L2/L3 interconnect will be placed at the leaf layer

Old to New: Layer 3 Connection, FabricPath: Leaf-and-Spine with First-Hop Gateway at Leaf
- Anycast HSRP at the spine layer
- In FabricPath up to four all-active nodes can exist
- L3 interconnect must be at the spine where the FHRP is
- L2 interconnect can be anywhere with vPC+

Old to New: Layer 3 Connection, Routing Protocol Considerations
- VXLAN fabric already runs BGP
- Routing domain separation
- Routing policy capability
- VRF awareness
- Scalability
- Other protocols such as IGPs introduce complexity needing mutual redistribution
- Policy enforcement is lacking
- No scalability

Old to New: Layer 3 Connection, VRF Mapping 1:1
- VRFs from CE/FP are mapped to same VRF in the VXLAN fabric
- VRF-lite used between the fabrics
- Per-VRF eBGP peering using subinterfaces
- Peering is done between CE/FP L2/L3 demarcation and VXLAN border device

Packet walk (Server 1: 192.168.10.2, Server 2: 192.168.20.2; nodes B1 and L1):
    Ethernet frame: SMAC 0003.0000.1001, DMAC HSRP VIP, VLAN 20, SIP 192.168.20.2, DIP 192.168.10.2
    Ethernet frame: SMAC P2P MAC, DMAC P2P MAC, VLAN 20, SIP 192.168.20.2, DIP 192.168.10.2
    VXLAN frame:    outer SIP B1-IP, outer DIP L1-IP, VNI 50001, inner SMAC B1 RMAC, inner DMAC L1 RMAC, SIP 192.168.20.2, DIP 192.168.10.2
    Ethernet frame: SMAC DAG MAC, DMAC 0003.0000.1002, VLAN 10, SIP 192.168.20.2, DIP 192.168.10.2

Old to New: Layer 3 Connection, Mapping from default VRF
- Default VRF from CE/FP is mapped to different VRF in the VXLAN fabric
- VRF-lite used between the fabrics
- Per-VRF eBGP peering on VXLAN network and default VRF on CE/FP network using physical or subinterfaces
- Peering is done between CE/FP L2/L3 demarcation and VXLAN border device

[Figure: packet walk between Server 2 (192.168.20.2) and Server 1 (192.168.10.2) across B1 and L1. Ethernet frames show SMAC, DMAC, VLAN, SIP, DIP (HSRP VIP, P2P MAC, DAG MAC); the VXLAN frame shows outer SIP B1-IP, outer DIP L1-IP, VNI 50001, inner SMAC B1 RMAC, inner DMAC L1 RMAC.]

Old to New: Layer 3 Connection, VXLAN EVPN underlay to CE/FP
- If VXLAN underlay network needs to be reachable from CE network, extra eBGP peering is needed
- Per-VRF and global VRF eBGP peering using subinterfaces or physical interfaces
- Peering is done between CE/FP L2/L3 demarcation and VXLAN border device

Old to New: Default Gateway Placement Considerations
- Prior to NX-OS 10.2(3) FHRP and Distributed Anycast Gateway (DAG) cannot co-exist
- FHRP and DAG run in different modes. CE/FP uses HSRP/VRRP while VXLAN uses anycast gateway
- They cannot be active simultaneously
- Two options: keep default gateway in the CE/FP network until migration is finished, or migrate gateways to the VXLAN EVPN fabric prior to workload migration
- MAC alignment needs to be done in either mode

Old to New: First Hop Gateway Premigration Steps
- Endpoints typically learn the gateway MAC dynamically using ARP
- With HSRP the MAC is derived from the HSRP version and the group.
- In VXLAN EVPN the DAG virtual MAC is configured globally, which means all VLANs have the same MAC for the default gateway
- Endpoints in CE/FP store the HSRP IP-to-MAC binding in their ARP cache
- Eventually the MAC needs to be aligned to use the global DAG MAC to help make migration as seamless as possible

Old to New: First Hop Gateway Premigration Steps - MAC alignment
- Manually updating ARP cache isn't feasible
- Prior to any migration HSRP VMAC needs to be changed to the DAG MAC
- Hosts need to be updated by changing the standby HSRP member to active to force a GARP*
* There's a possibility that not all hosts' ARP cache gets updated
* All pre-migration steps should be performed during a maintenance window

HSRP VMAC configuration on Aggregation:
    interface vlan 20
      vrf member Tenant-A
      ip address 192.168.20.201/24
      hsrp 10
        ip 192.168.20.1
        mac-address 2020.0000.00aa

HSRP VMAC configuration on Aggregation:
    interface vlan 20
      vrf member Tenant-A
      ip address 192.168.20.201/24
      hsrp 10
        ip 192.168.20.1
        mac-address 2020.0000.00aa
        priority 120
        preempt
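
A pre-migration check for the MAC alignment step above, as an added example that is not part of the original deck: it reads aggregation SVI configuration in the form shown on the slide and reports, per HSRP group, whether the virtual MAC hosts will cache already equals the DAG MAC. The derived defaults are the standard HSRP IPv4 virtual MACs (0000.0c07.acXX for version 1, 0000.0c9f.fXXX for version 2); the VLAN 30 and VLAN 40 stanzas, the function names and passing the DAG MAC as a parameter are assumptions for illustration.

```python
import re


def normalize_mac(mac: str) -> str:
    """Return a MAC in lower-case dotted form (xxxx.xxxx.xxxx)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def default_hsrp_vmac(group: int, version: int = 1) -> str:
    """Virtual MAC HSRP derives from version and group when none is configured."""
    if version == 1 and 0 <= group <= 255:
        return f"0000.0c07.ac{group:02x}"
    if version == 2 and 0 <= group <= 4095:
        return f"0000.0c9f.f{group:03x}"
    raise ValueError(f"group {group} is not valid for HSRP version {version}")


def audit_hsrp(config: str, dag_mac: str) -> list:
    """List every HSRP group with its effective VMAC and alignment to the DAG MAC."""
    dag = normalize_mac(dag_mac)
    versions, groups = {}, []
    svi = current = None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if m := re.fullmatch(r"interface vlan\s*(\d+)", line):
            svi, current = int(m.group(1)), None
            versions.setdefault(svi, 1)          # HSRP defaults to version 1
        elif line.startswith("interface "):
            svi = current = None                  # not an SVI, ignore its lines
        elif svi is None:
            continue
        elif m := re.fullmatch(r"hsrp version ([12])", line):
            versions[svi] = int(m.group(1))
        elif m := re.fullmatch(r"hsrp (\d+)", line):
            current = {"svi": svi, "group": int(m.group(1)), "configured": None}
            groups.append(current)
        elif current and (m := re.fullmatch(r"mac-address (\S+)", line)):
            current["configured"] = normalize_mac(m.group(1))
    findings = []
    for g in groups:
        vmac = g["configured"] or default_hsrp_vmac(g["group"], versions[g["svi"]])
        findings.append({"svi": g["svi"], "group": g["group"], "vmac": vmac,
                         "source": "configured" if g["configured"] else "derived",
                         "aligned": vmac == dag})
    return findings


# VLAN 20 is the slide's config; VLAN 30 and VLAN 40 are constructed.
AGG_CONFIG = """
interface vlan 20
  vrf member Tenant-A
  ip address 192.168.20.201/24
  hsrp 10
    ip 192.168.20.1
    mac-address 2020.0000.00aa
interface vlan 30
  vrf member Tenant-A
  ip address 192.168.30.201/24
  hsrp 30
    ip 192.168.30.1
interface vlan 40
  vrf member Tenant-A
  ip address 192.168.40.201/24
  hsrp version 2
  hsrp 40
    ip 192.168.40.1
"""

if __name__ == "__main__":
    for finding in audit_hsrp(AGG_CONFIG, "2020.0000.00aa"):
        print(finding)
```

Any group reported with `aligned` false still answers ARP with a MAC that differs from the DAG MAC, so hosts in that VLAN would keep a stale gateway binding after the gateway moves.
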

Old to New: Default Gateway Coexistence of HSRP and Anycast Gateway - 10.2(3)
What's the problem without it?
- IP packet sent to EP2 hits SVI10 DAG. Routed locally to EP2 SVI20.
- SVI20 initiates ARP request to retrieve EP2 MAC
- ARP reply from EP2 to DAG MAC
- Traffic stops at agg layer SVI
- SVI MAC = DAG MAC
- EP2 MAC is not learned by EVPN fabric
Frames shown on the figure (nodes V1 and V2):
    Ethernet frame: SMAC EP1, DMAC DAG, VLAN 10, SIP EP1, DIP EP2
    VXLAN frame:    outer SIP V1, outer DIP MC, L2 VNI 30001, inner SMAC DAG, inner DMAC FFF
    Ethernet frame: SMAC DAG, DMAC FFF, VLAN 20
    Ethernet frame: SMAC EP2, DMAC VMAC
Note: DAG = SVI/HSRP = VMAC

Old to New: Default Gateway Coexistence of HSRP and Anycast Gateway - 10.2(3)
How to resolve the problem
1. EP1 sends a data packet to EP2, which hits the SVI 10 DAG.
2. The local leaf routes the packet and, assuming EP2 MAC/IP is not in the fabric control plane, the leaf sends an ARP request for EP2.
3. A "Proxy-ARP" function is now performed on the border leaf node, which changes the payload of the ARP request before forwarding it toward the Classic Ethernet network. The border leaf system MAC replaces the DAG VMAC as Sender MAC, whereas a border leaf specific IP address (secondary IP) replaces the DAG IP as Sender IP.
4. EP2 replies to the ARP request with a destination of the border node system MAC; the reply bridges through the aggregation switches using the L2 interconnect. The border node consumes the ARP reply. EP2 is shown as an endpoint.
5. The border node generates a Type-2 EVPN route. Now the local leaf where EP1 is will have the MAC and IP information of EP2.
Figure captions:
- IP packet sent to EP2 hits SVI10 DAG. Routed locally to EP2 SVI20.
- SVI20 initiates ARP request to retrieve EP2 MAC
- ARP request for EP2 is sourced from V2 BIA MAC
- EP2 ARP reply to V2 BIA MAC
- V2 sends RT-2 EVPN route to fabric
Frames shown on the figures (nodes V1 and V2):
    Ethernet frame: SMAC EP1, DMAC DAG, VLAN 10, SIP EP1, DIP EP2
    VXLAN frame:    outer SIP V1, outer DIP MC, L2 VNI 30001, inner SMAC DAG, inner DMAC FFF
    Ethernet frame: SMAC V2 MAC, DMAC FFF, VLAN 20
    Ethernet frame: SMAC EP2, DMAC V2 BIA MAC, VLAN 20
    EVPN RT-2:      MAC & IP EP2, NH V2
Note: DAG = SVI/HSRP = VMAC

Old to New: Default Gateway Coexistence of HSRP and Anycast Gateway - 10.2(3)
Configuration Steps
    interface vlan 10
      vrf member Tenant-A
      ip address 192.168.10.1/24
      ip address 192.168.10.10 secondary use-bia
      fabric forwarding mode anycast-gateway
    interface vlan 20
      vrf member Tenant-A
      ip address 192.168.20.1/24
      ip address 192.168.20.10 secondary use-bia
      fabric forwarding mode anycast-gateway
    interface port-channel1
      description vPC to CE network
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 10,20
      port-type external
      vpc 1
- Configure secondary IP addresses on border node SVIs and use the system MAC. IPv6 can also be configured
- Identify the vPC port-channel for the L2 interconnect and configure it to perform the "proxy-arp" function

Old to New: Default Gateway in CE/FP network
- Since migration starts from CE/FP network, FHRP can remain there during migration
- VXLAN network initially provides L2 bridging
- Migrated hosts go out the fabric using the L2 interconnect to be routed
- After all workloads have been migrated in a subnet the gateway can be moved to the VXLAN EVPN fabric
- Migration is done by configuring the DAG on the leafs and decommissioning the SVI in the CE/FP network
- Border nodes do not need the DAG unless there are hosts connected to them
- Routing between the two is done via the L3 interconnect

Old to New: Anycast Gateway in VXLAN
- The gateway is immediately migrated from old to new
- This eliminates the need for post migration gateway movement
- DAG is configured on border nodes, which serve as the gateway for the CE/FP network
- As workloads are migrated, the directly attached leaf becomes the gateway

Migration Walkthrough
Migration Walkthrough

Let's put everything together:
1. Locate CE/FP switches performing the L2/L3 demarcation
2. Build the Layer 3 interconnect
3. Build the Layer 2 interconnect
4. Define FHRP approach
5. Align gateway MAC address
6. Perform workload migration
7. Decommission L2/L3 interconnect and FHRP if needed

Migration Walkthrough: Locate CE/FP switches performing the L2/L3 demarcation
- Locate where the L2/L3 demarcation exists in the CE/FP network
- In the VXLAN EVPN fabric, any pair of border devices that can meet the bridging and routing requirements can be used

Migration Walkthrough: Build the Layer 3 and Layer 2 interconnect
- Recommended to use eBGP
- Make sure to advertise subnets local to each network
- Eliminate STP
- Back-to-back vPC. vPC best practices apply

Migration Walkthrough: Define FHRP approach
- Decide if the CE/FP network provides the FHRP during migration or if the VXLAN network takes over prior to migrating
- Before 10.2(3), HSRP and DAG could not coexist
- From 10.2(3) and later, HSRP and DAG can coexist for the same subnet

Migration Walkthrough: Align gateway MAC address
- Align the gateway MAC of the FHRP to facilitate seamless migration
- A state change of the gateways is needed in the CE/FP network
- This MAC will be the distributed anycast gateway

HSRP VMAC configuration on Aggregation

    interface vlan 20
      vrf member Tenant-A
      ip address 192.168.20.201/24
      hsrp 10
        ip 192.168.20.1
        mac-address 2020.0000.00aa

HSRP VMAC configuration on Aggregation

    interface vlan 20
      vrf member Tenant-A
      ip address 192.168.20.201/24
      hsrp 10
        ip 192.168.20.1
        mac-address 2020.0000.00aa
        priority 120
        preempt

Migration Walkthrough: Perform workload migration
- After the L2/L3 interconnect has been established and the FHRP aligned, workloads can be migrated
- This can be performed using virtual machine mobility or by recabling servers physically to the VXLAN network
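One way to verify the "Align gateway MAC address" step before any workload is moved, as an added example that is not part of the Cisco session: the script compares the HSRP virtual MAC and virtual IP on the aggregation switch with the anycast gateway MAC and SVI address on a VXLAN leaf. The leaf configuration and all function names are assumptions; the aggregation snippet mirrors the slide.

```python
import re
# Constructed sample configs. AGG_CFG mirrors the HSRP snippet on the slide;
# LEAF_CFG is an assumed NX-OS distributed anycast gateway (DAG) config.
AGG_CFG = """interface vlan 20
  vrf member Tenant-A
  ip address 192.168.20.201/24
  hsrp 10
    ip 192.168.20.1
    mac-address 2020.0000.00aa
"""
LEAF_CFG = """fabric forwarding anycast-gateway-mac 2020.0000.00aa
interface Vlan20
  ip address 192.168.20.1/24
  fabric forwarding mode anycast-gateway
"""

def norm_mac(mac):
    """Reduce dotted, colon or dash MAC notation to bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def svi_lines(cfg, vlan):
    """Return the stripped lines configured under 'interface vlan <vlan>'."""
    out, inside = [], False
    for line in cfg.splitlines():
        if line[:1].isspace():
            if inside:
                out.append(line.strip())
        else:  # any unindented line starts a new top-level section
            m = re.match(r"interface\s+vlan\s*(\d+)\s*$", line, re.I)
            inside = bool(m) and int(m.group(1)) == vlan
    return out

def first(pattern, lines):
    return next((m.group(1) for l in lines if (m := re.match(pattern, l))), None)

def check_alignment(agg_cfg, leaf_cfg, vlan):
    """List mismatches between the HSRP gateway and the DAG for one VLAN."""
    agg, leaf = svi_lines(agg_cfg, vlan), svi_lines(leaf_cfg, vlan)
    vmac = first(r"mac-address\s+(\S+)", agg)
    gmac = first(r"fabric forwarding anycast-gateway-mac\s+(\S+)", leaf_cfg.splitlines())
    vip, dag_ip = first(r"ip\s+(\d[\d.]*)$", agg), first(r"ip address\s+([\d.]+)/", leaf)
    problems = []
    if vmac is None or gmac is None:
        problems.append("gateway MAC missing on one side")
    elif norm_mac(vmac) != norm_mac(gmac):
        problems.append(f"MAC mismatch: HSRP {vmac} vs DAG {gmac}")
    if vip is None or vip != dag_ip:
        problems.append(f"gateway IP mismatch: HSRP {vip} vs DAG {dag_ip}")
    if "fabric forwarding mode anycast-gateway" not in leaf:
        problems.append(f"Vlan{vlan} is not in anycast-gateway mode on the leaf")
    return problems
```

An empty list means hosts keep the same gateway IP and MAC on both sides of the interconnect, so their ARP entries stay valid as they move.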
Migration Walkthrough: Decommissioning First-Hop Gateway
- After workloads have been migrated to VXLAN the CE/FP FHRP can be migrated to the Distributed Anycast Gateway
- If using HSRP and DAG coexistence FHRP in CE/FP can be kept enabled
- If FHRP was migrated to DAG first, this step is unnecessary or optionally decommissioned from border device

Migration Walkthrough: Decommissioning L2/L3 interconnect
- Once workload migration and FHRP decommission is complete the L2 interconnect can be removed.
- Layer 3 interconnect may still be needed for external connectivity if it has not been migrated to VXLAN

External Connectivity Migration

L3 External Migration: Default Gateway in CE/FP
- Traffic flows to core in CE/FP network to external
- VXLAN networks bridge to CE/FP network then route using core
- After migration connection can be moved to VXLAN network border devices
[Diagram: Classic Ethernet and VXLAN networks. Labels: Layer 2, VLAN 10, VLAN 20, VNI 30001, SVI (VRF-A) 192.168.10.1/24, SVI (VRF-A) 192.168.20.1/24, servers 192.168.10.2 and 192.168.20.2, 65501, 65502, 65503, 100.100.100.100.]

L3 External Migration: Default Gateway in CE/FP
- As workloads and gateways move to VXLAN, subnets use the L3 interconnect to route out
- VXLAN networks bridge to CE/FP network then route using core
- After migration connection can be moved to VXLAN network border devices
[Diagram: Classic Ethernet and VXLAN networks. Labels: Layer 2, Layer 3, VLAN 20, VRF-A (VNI 50001), SVI (VRF-A) 192.168.20.1/24, SVI DAG (VRF-A) 192.168.10.1/24, servers 192.168.10.2 and 192.168.20.2, 65501, 65502, 65503, 100.100.100.100.]
L3 External Migration: Default Gateway in CE/FP
- As workloads and gateways move to VXLAN, subnets use the L3 interconnect to route out
- Core device can connect to VXLAN border used for interconnect
- Longer AS path through L3 interconnect and can be used for backup
[Diagram: Classic Ethernet and VXLAN networks. Labels: Layer 2, Layer 3, VLAN 20, VRF-A (VNI 50001), SVI (VRF-A) 192.168.20.1/24, SVI DAG (VRF-A) 192.168.10.1/24, servers 192.168.10.2 and 192.168.20.2, 65501, 65502, 65503, 100.100.100.100.]
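L3 External Migration: Default Gateway in CE/FP
- As workloads and gateways move to VXLAN, subnets use the L3 interconnect to route out
- Core device can connect to dedicated VXLAN border devices
- L3 interconnect will have longer AS path and can be used for backup
[Diagram: Classic Ethernet and VXLAN networks. Labels: Layer 2, Layer 3, VLAN 20, VRF-A (VNI 50001), SVI (VRF-A) 192.168.20.1/24, SVI DAG (VRF-A) 192.168.10.1/24, servers 192.168.10.2 and 192.168.20.2, 65501, 65502, 65503, 100.100.100.100.]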
118、 backupLayer 2Server 2Server 2ClassicEthernetVXLANSVI 2020(VRF-A)192.168.20.1/24192.168.20.2192.168.10.2Server 2Server 2VLAN 20Layer 3VRF-ASVI 1010 DAG(VRF-A)192.168.10.1/24Layer 3Layer 3VRF-A6550165502VRF-A(VNI 50001)100.100.100.10065503 2023 Cisco and/or its affiliates.All rights reserved.Cisco Pu
119、blic#CiscoLiveL3 External MigrationDefault Gateway in CE/FPBRKDCN-2951100Once all subnets have been migrated,decommission L3 interconnect and peering to coreAll traffic now flows through VXLANLayer 2Server 2Server 2ClassicEthernetVXLAN192.168.20.2192.168.10.2Server 1Server 1SVI 1010 DAG(VRF-A)192.16
120、8.10.1/24SVI 2020 DAG(VRF-A)192.168.20.1/24Layer 3Layer 3VRF-A6550165502X XX XVRF-A(VNI 50001)100.100.100.10065503 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveL3 External MigrationDefault Gateway in VXLANTraffic flows to core in CE/FP network to externalCE/FP networks
121、bridge to VXLAN network then route through L3 interconnectMigrated subnets use L3 VNI to route to VXLAN border across L3 interconnectBRKDCN-2951101Layer 2Server 2Server 2ClassicEthernetVXLAN192.168.20.2192.168.10.2Server 1Server 1VLAN 20VLAN 206550165502SVI 1010 DAG(VRF-A)192.168.10.1/24SVI 2020 DAG
122、(VRF-A)192.168.20.1/24Layer 3VRF-AVRF-A(VNI 50001)100.100.100.10065503 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveL3 External MigrationDefault Gateway in VXLANBRKDCN-2951102Core device can connect to VXLAN border used for interconnect*No L3 interconnect neededLayer 2S
123、erver 2ClassicEthernetVXLAN192.168.20.2192.168.10.2Server 1VLAN 20VLAN 2065501SVI 1010 DAG(VRF-A)192.168.10.1/24SVI 2020 DAG(VRF-A)192.168.20.1/24Layer 3VRF-AVRF-A(VNI 50001)100.100.100.10065503*Assuming all DG have moved to VXLAN 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#Cis
124、coLiveL3 External MigrationDefault Gateway in VXLANBRKDCN-2951103Layer 2Server 2Server 2ClassicEthernetVXLAN192.168.20.2192.168.10.2Server 1Server 1VLAN 20VLAN 2065501SVI 1010 DAG(VRF-A)192.168.10.1/24SVI 2020 DAG(VRF-A)192.168.20.1/24Layer 3VRF-AVRF-A(VNI 50001)Core device can connect to VXLAN dedi
125、cated border*No L3 interconnect needed*Assuming all DG have moved to VXLAN100.100.100.10065503 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveL3 External MigrationDefault Gateway in VXLANBRKDCN-2951104Once all subnets have been migrated,decommission L2 interconnect All tr
126、affic now flows through VXLANLayer 2Server 2Server 2ClassicEthernetVXLAN192.168.20.2192.168.10.2Server 1Server 1SVI 1010 DAG(VRF-A)192.168.10.1/24SVI 2020 DAG(VRF-A)192.168.20.1/24Layer 3VRF-A65501VRF-A(VNI 50001)X X100.100.100.10065503References 2023 Cisco and/or its affiliates.All rights reserved.
References
- Migrating Cisco FabricPath Environments to VXLAN BGP EVPN
- Migrating Classic Ethernet Environments to VXLAN BGP EVPN