Determine IRB Interface State Changes from Local L2 Interface or Remote Connectivity Status in EVPN Fabrics
To provide BGP-enabled services in a reliable way, the provider edge (PE) devices in an EVPN network need to detect when they experience network isolation conditions, and update interface statuses accordingly.
You can ensure that provider edge (PE) devices in an EVPN fabric consider both of the following factors when determining the state of a Layer 3 (L3) integrated routing and bridging (IRB) interface:
- The associated local L2 interface states
- The remote PE device reachability
Factors to Determine the State of an IRB Interface
In an integrated routing and bridging environment, when you allocate L3 interfaces, those interfaces encompass an L2 domain (also called a bridging domain or bridge domain). The L2 domain might span multiple physical or logical ports in your configuration. The device usually determines an L3 interface's state (up or down) based on the state of the corresponding L2 domain. The device sets the L2 domain state based on the status of the ports in the L2 domain, as follows:
- The L2 domain is up if the device detects that at least one of the associated ports is up.
- The L2 domain is down if the device detects that all of the associated ports are down.
When the L2 domain state changes, the device needs to update the operational state of the L3 interface too so the device can reflect the state of the upper layer protocols accordingly.
The EVPN protocol provides an integrated control plane with different data plane options (such as VXLAN or MPLS). In an EVPN environment:
- L2 domains can span multiple PEs in a data center and span across data centers.
- A device can support both L2 and L3 services over the same interfaces.
- A bridge domain or VLAN might include a combination of local physical interfaces and, in the case of EVPN-VXLAN fabrics, remote VXLAN tunnel endpoints (VTEPs).
As a result, PE devices in an EVPN fabric should consider the following factors when determining the state of IRB interfaces that are associated with a bridge domain or a VLAN in an EVPN instance (EVI):
- The states of the underlying local L2 ports or interfaces.
- Remote provider edge (PE) device reachability, based on the availability of routes to remote VTEPs and the network isolation state of the bridge domain or the EVI.
A network isolation condition in an EVPN network is similar to a core isolation condition (isolation from the EVPN core network). When a device detects a core isolation condition, it implements default actions to bring down the L2 member interfaces in affected Ethernet Segment Identifier (ESI) link aggregation groups (LAGs).
In contrast, with network isolation conditions, you can configure a network isolation profile and attach that profile to a bridge domain, VLAN, or routing instance. The profile defines the parameters you want the device to use to detect network isolation condition changes that affect the associated IRB interfaces. A core isolation action can affect the network isolation state of the IRB interfaces if the action brings the underlying L2 interfaces up or down.
For more information on default core isolation behavior, see Understanding When to Disable EVPN-VXLAN Core Isolation.
Another factor that indicates a bridge domain, VLAN, or EVI is isolated in an EVPN-VXLAN network is when the device doesn't have a route to a remote VTEP. When the device sends traffic on a bridge domain or VLAN, it also needs to send the traffic on the VXLAN tunnels to the remote VTEPs in the bridge domain or VLAN.
The next sections describe the parameters you can customize so the device uses these factors to determine the state of an IRB interface with EVPN-VXLAN.
Set Local L2 Interface and Remote Device Reachability Status Used to Determine the IRB Interface State
PE devices can use the status of associated local L2 interfaces or remote provider edge (PE) device reachability as factors to determine the state of an IRB interface for a bridge domain or an EVPN instance (EVI). We use the network isolation status of the bridge domain or EVI to determine remote device reachability.
To specify the L2 interface and remote reachability factors the device uses to compute the IRB interface state, configure the interface-state statement at the [edit interfaces irb unit n] hierarchy.
Specify one of the following options:
- local—Use the status of the associated local L2 interfaces:
  - The interface is up if at least one local L2 interface is up.
  - The interface is down if none of the local L2 interfaces are up.
- remote—Use remote device reachability (network isolation) status of the bridge domain or EVI:
  - The interface is up if the bridge domain or EVI is not in a network isolation state.
  - The interface is down if the bridge domain or EVI is in a network isolation state.
- local-remote—Use a combination of the status of the local L2 interfaces and remote reachability status:
  - The interface is up if at least one local L2 interface is up or the bridge domain is not in a network isolation state.
  - The interface is down if no local L2 interfaces are up and the bridge domain is in a network isolation state.
You can also customize the minimum number of associated links that need to be up when the device computes whether the L3 interface is up:
- local-count—Minimum number of local L2 links that must be up
- vtep-count—Minimum number of remote VTEP links that must be up
The next sections show a simple example configuration and how to verify those settings:
Sample Configuration—Interface State Parameters
In the following sample configuration, the device uses both local and remote factors to determine the interface state of the IRB interface irb.100 in bridge domain (VLAN) v100:
set interfaces irb unit 100 virtual-gateway-accept-data
set interfaces irb unit 100 family inet address 10.0.1.11/24 virtual-gateway-address 10.0.1.254
set interfaces irb unit 100 family inet6 address 2001:db8:192:100:1:11/112 virtual-gateway-address 2001:db8:192:100:1:254
set interfaces irb unit 100 interface-state local-remote
set interfaces irb unit 100 virtual-gateway-v4-mac 40:00:10:11:11:00
set interfaces irb unit 100 virtual-gateway-v6-mac 50:00:10:11:11:00
Verify IRB Interface State
To verify the state of the IRB interface irb.100 from the sample configuration in Sample Configuration—Interface State Parameters, enter the following CLI commands:
- These commands show that the device determines the IRB interface state for bridge domain (VLAN) v100 using both local and remote factors (Flags = LR). The device detected a network isolation condition, so the IRB interface Link state is down.

    user@leaf01> show bridge domain v100
    Routing instance        Bridge domain            VLAN ID     Interfaces
    evpnA                   v100                     100
                                                                 ae0.0

    user@leaf01> show interfaces irb.100 terse
    Interface               Admin Link Proto    Local                 Remote
    irb.100                 up    down inet     10.0.1.11/24
                                                10.0.1.254/24
                                       inet6    2001:db8:192:100:1:11/112
                                                2001:db8:192:100:1:254/112
                                                fe80::2e6b:f500:644f:3ef0/64
                                       multiservice

    user@leaf01> show l2-learning interface-state bridge-domain v100
    Information for IRB interface state:
    Flags ( L - Local, R - Remote, LR - Local-Remote, LI - Local-interface)

    Interface   Bridging   Network     Flags   Hold-time   Hold-time   Loopback
                Domain     Isolation           Up          Down        Interface
    irb.100     v100       None        LR      0           0

    user@leaf01> show l2-learning interface-state bridge-domain v100 extensive
    Information for IRB interface state:
    Name: irb.100
    IRB state: Down
    IRB Down Reason: local and vtep interface below count
    Routing Instance: evpnA
    Bridge Domain: v100
    Network Isolation state: isolated
    Number of local Interface in UP state : 0
    Number of local Interface in DOWN state : 0
    Number of VTEP Interface in UP state : 0
    Number of VTEP Interface in DOWN state : 0

  Note: The Network Isolation field in the show l2-learning interface-state bridge-domain command output shows the names of any network isolation groups you have assigned to the IRB interfaces associated with the bridge domain (VLAN). The field displays None for an interface if you haven't applied any network isolation group to the corresponding bridge domain (VLAN). Don't mistake the value None in that field to mean the device didn't detect a network isolation condition.

  See Verify Interface State with Network Isolation Link Tracking for sample output from the show l2-learning interface-state bridge-domain command that displays a network isolation group in that field instead of None.

- These commands show that the device's VTEP interfaces for bridge domain (VLAN) v100 are up and the device is not in a network isolation state, so the IRB interface Link state is up.

    user@leaf01> show bridge domain
    Routing instance        Bridge domain            VLAN ID     Interfaces
    evpnA                   v100                     100
                                                                 ae0.0
                                                                 esi.903
                                                                 vtep.32769
                                                                 vtep.32770
                                                                 vtep.32771
                                                                 vtep.32772
                                                                 vtep.32773
                                                                 vtep.32774
                                                                 vtep.32775
                                                                 vtep.32776
                                                                 vtep.32777
    . . .

    user@leaf01> show l2-learning interface-state bridge-domain v100 extensive
    Information for IRB interface state:
    Name: irb.100
    IRB state: Up
    IRB Down Reason: none
    Routing Instance: evpnA
    Bridge Domain: v100
    Network Isolation state: not-isolated
    Number of local Interface in UP state : 1
    Number of local Interface in DOWN state : 0
    Number of VTEP Interface in UP state : 9
    Number of VTEP Interface in DOWN state : 0

    user@leaf01> show interfaces irb.100 terse
    Interface               Admin Link Proto    Local                 Remote
    irb.100                 up    up   inet     10.0.1.11/24
                                                10.0.1.254/24
                                       inet6    2001:db8:192:100:1:11/112
                                                2001:db8:192:100:1:254/112
                                                fe80::2e6b:f500:644f:3ef0/64
                                       multiservice
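The following is an added example, not part of the original page or of any vendor tooling: a small parser that a monitoring job could run over the show l2-learning interface-state ... extensive output above to flag IRB interfaces reported down. It reads the Network Isolation state field rather than the summary table's Network Isolation column, which holds a group name or None. The sample text is constructed from the two outputs on this page, and the function names parse_irb_states and triage are hypothetical.

```python
# Constructed sample: the two "extensive" outputs shown above, concatenated.
SAMPLE = """\
Information for IRB interface state:
Name: irb.100
IRB state: Down
IRB Down Reason: local and vtep interface below count
Routing Instance: evpnA
Bridge Domain: v100
Network Isolation state: isolated
Number of local Interface in UP state : 0
Number of local Interface in DOWN state : 0
Number of VTEP Interface in UP state : 0
Number of VTEP Interface in DOWN state : 0
Information for IRB interface state:
Name: irb.100
IRB state: Up
IRB Down Reason: none
Routing Instance: evpnA
Bridge Domain: v100
Network Isolation state: not-isolated
Number of local Interface in UP state : 1
Number of local Interface in DOWN state : 0
Number of VTEP Interface in UP state : 9
Number of VTEP Interface in DOWN state : 0
"""

def parse_irb_states(text):
    """Return one dict per IRB interface found in 'extensive' output."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or key.startswith("Information"):
            continue
        if key == "Name":          # each record starts at its Name line
            records.append({})
        if records:
            records[-1][key] = int(value) if value.isdigit() else value
    return records

def triage(rec):
    """Describe a down IRB, or return None when it is up."""
    if rec["IRB state"] == "Up":
        return None
    return (f'{rec["Name"]} ({rec["Bridge Domain"]}) down: '
            f'{rec["IRB Down Reason"]}; '
            f'isolation={rec["Network Isolation state"]}, '
            f'local up={rec["Number of local Interface in UP state"]}, '
            f'vtep up={rec["Number of VTEP Interface in UP state"]}')
```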
Set Network Isolation Status Parameters Used to Determine the IRB Interface State
PE devices in an EVPN fabric can consider the network isolation status of a bridge domain or an EVI to decide whether the remote provider edge (PE) devices are currently reachable.
To customize the parameters that determine when a bridge domain or an EVI is in a network isolation state:
- Define a network isolation profile. To do this, configure the network-isolation group group-name statement at the [edit protocols] hierarchy level.

  When you create a network isolation group, you can customize parameters such as the following:

  - Set hold times for network isolation condition changes (up or down):

    After detecting that the network isolation status has changed, the device delays for the hold time before acting on the change.

  - Track the status of specified logical L3 uplink interfaces to detect a network isolation status change.

    To do this, configure the detection link-tracking stanza at the [edit protocols network-isolation group group-name] hierarchy level. Include the name of an L3 interface you want to track. You can customize the minimum number of those links that must be up for the device to record that the IRB interface state is up.

    Note: The network isolation group configuration detection stanza also has a service-tracking stanza. The service-tracking options enable the device to track L2 interface status and perform a configured service-tracking-action for L2 interfaces upon detecting a core isolation condition. You can only configure either the link-tracking options or the service-tracking options in a particular network isolation group and assign that as a network isolation profile. You can't configure both options in the same network isolation group.

- Assign the network isolation group as a network isolation profile to an EVI, a bridge domain, or a VLAN using the network-isolation-profile group group-name statement at one of these hierarchy levels:
  - [edit routing-instances instance-name switch-options]
  - [edit routing-instances name bridge-domains name bridge-options]
  - [edit routing-instances name vlans name switch-options]
  - [edit switch-options]
  - [edit bridge-domains name bridge-options]
  - [edit vlans name switch-options]
The next sections show a simple example configuration and how to verify those settings:
- Sample Configuration—Network Isolation Group Parameters
- Verify Interface State with Network Isolation Link Tracking
Sample Configuration—Network Isolation Group Parameters
The following sample configuration defines a network isolation group grp-v100 with the link-tracking option, and applies that group as a network isolation profile to bridge domain (VLAN) v100. As a result, the device tracks the state of interface ge-0/0/0.0 as a factor to determine the network isolation status of bridge domain (VLAN) v100:
set interfaces ge-0/0/0 unit 0 family inet address 192.168.23.34
set protocols network-isolation group grp-v100 detection link-tracking interface ge-0/0/0.0
set routing-instances evpnA bridge-domains v100 bridge-options network-isolation-profile group grp-v100
Verify Interface State with Network Isolation Link Tracking
To verify the state of the IRB interface irb.100 from the sample configuration in Sample Configuration—Network Isolation Group Parameters, enter the following CLI commands:
- Use the show l2-learning interface-state command to view the network isolation detection parameters assigned to the IRB interfaces on the device. The output here shows the device determines the IRB interface state for bridge domain (VLAN) v100 using both local and remote factors (Flags = LR). The Network Isolation field shows that you applied the network isolation group grp-v100 to bridge domain (VLAN) v100. As a result, the device uses the parameters from grp-v100 to determine the network isolation status of v100 and the state of irb.100.

    user@leaf01> show l2-learning interface-state
    Information for IRB interface state:
    Flags ( L - Local, R - Remote, LR - Local-Remote, LI - Local-interface)

    Interface   Bridging   Network     Flags   Hold-time   Hold-time   Loopback
                Domain     Isolation           Up          Down        Interface
    irb.100     v100       grp-v100    LR      0           0

- View the status of the dependent link (ge-0/0/0.0) from the link-tracking stanza in the isolation group grp-v100, and the resulting status of the IRB interface. Both are up in this case.

    user@leaf01> show interfaces ge-0/0/0.0 terse
    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0.0              up    up   inet     192.168.23.34       --> 0/0
                                       multiservice

    user@leaf01> show interfaces irb.100 terse
    Interface               Admin Link Proto    Local                 Remote
    irb.100                 up    up   inet     10.0.1.11/24
                                                10.0.1.254/24
                                       inet6    2001:db8:192:100:1:11/112
                                                2001:db8:192:100:1:254/112
                                                fe80::2e6b:f500:644f:3ef0/64
                                       multiservice