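Introduction
This post records how I worked through the NETCON (JANOG57) Level3-1 problem.
I am very grateful that the problems were still made available on the weekend after the JANOG period ended!!
1. Checking reachability to the Loopbacks
- Ping from the Leaf's Lo to the Spine's Lo does not get through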
RT-L-01#ping 10.1.254.11 source 10.1.254.21
PING 10.1.254.11 (10.1.254.11) from 10.1.254.21 : 72(100) bytes of data.
^C
--- 10.1.254.11 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 40ms
RT-L-01#
RT-L-01#ping 10.1.254.22 source 10.1.254.21
PING 10.1.254.22 (10.1.254.22) from 10.1.254.21 : 72(100) bytes of data.
80 bytes from 10.1.254.22: icmp_seq=1 ttl=64 time=2.22 ms
80 bytes from 10.1.254.22: icmp_seq=2 ttl=64 time=1.68 ms
80 bytes from 10.1.254.22: icmp_seq=3 ttl=64 time=1.69 ms
80 bytes from 10.1.254.22: icmp_seq=4 ttl=64 time=1.20 ms
80 bytes from 10.1.254.22: icmp_seq=5 ttl=64 time=1.29 ms
--- 10.1.254.22 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 8ms
rtt min/avg/max/mdev = 1.201/1.613/2.218/0.361 ms, ipg/ewma 2.078/1.894 ms
RT-L-01#
2. Checking the routing table
- There is no route to the Spine's Lo
RT-L-01#show ip route
Gateway of last resort is not set
C 10.1.254.21/32 [0/0]
via Loopback0, directly connected
B E 10.1.254.22/32 [200/0]
via fe80::a8c1:abff:fe30:8b16, Ethernet1
RT-L-01#
3. Checking the BGP state on the Spine
- It is not advertising its own Lo address
Network Next Hop Metric AIGP LocPref Weight Path
* > 10.1.254.21/32 fe80::a8c1:abff:fe86:58b%Et1 0 - 100 0 65201 i
* > 10.1.254.22/32 fe80::a8c1:abff:fecd:b2d%Et2 0 - 100 0 65202 i
RT-S-01#
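4. Checking the BGP configuration on the Spine
- It is configured to advertise with the network command
- I thought the route-map looked suspicious, but it was not wrong
- When I asked Claude, I realized that the prefix specified in the network command was wrong
- I fixed it, but Ping from SV-01 still did not get through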
RT-S-01#show run | sec bgp
router bgp 65100
router-id 10.1.254.11
no bgp default ipv4-unicast
bgp default ipv4-unicast transport ipv6
bgp listen range 10.1.254.0/24 peer-group EVPN peer-filter ALLOW-ASN
neighbor EVPN peer group
neighbor EVPN update-source Loopback0
neighbor EVPN ebgp-multihop
neighbor LEAF peer group
neighbor LEAF bfd
neighbor interface Et1-2 peer-group LEAF peer-filter ALLOW-ASN
!
address-family evpn
neighbor EVPN activate
!
address-family ipv4
neighbor LEAF activate
neighbor LEAF route-map ACCEPT_PREFIX_LOOPBACK in
neighbor LEAF route-map ACCEPT_PREFIX_LOOPBACK out
neighbor LEAF next-hop address-family ipv6 originate
network 10.1.255.11/32
RT-S-01#
5. Checking the EVPN state on the Leaf
- mac-ip routes appear to be learned
- The EVPN neighbor is not Established, so this looks like the cause
RT-L-01#show bgp evpn
BGP routing table information for VRF default
Router identifier 10.1.254.21, local AS number 65201
Route status codes: * - valid, > - active, S - Stale, E - ECMP head, e - ECMP
c - Contributing to ECMP, % - Pending best path selection
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > RD: 10.1.254.21:1010 mac-ip aabb.cc10.1001
- - - 0 i
* > RD: 10.1.254.21:1010 imet 10.1.254.21
- - - 0 i
RT-L-01#
RT-L-01#show bgp evpn summary
BGP summary information for VRF default
Router identifier 10.1.254.21, local AS number 65201
Neighbor Status Codes: m - Under maintenance
Neighbor V AS MsgRcvd MsgSent InQ OutQ Up/Down State PfxRcd PfxAcc PfxAdv
10.1.254.11 4 65100 0 0 0 0 23:19:29 Idle(NoIf)
RT-L-01#
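6. Rechecking the BGP configuration on the Leaf
- Comparing it with the Spine's config, the ebgp-multihop setting is missing
- The overlay BGP session is an eBGP session between Loopbacks, so the multihop setting is mandatory
- After adding the setting, the neighbor became Established!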
RT-L-01#show run | sec bgp
router bgp 65201
router-id 10.1.254.21
no bgp default ipv4-unicast
bgp default ipv4-unicast transport ipv6
neighbor EVPN peer group
neighbor EVPN remote-as 65100
neighbor EVPN update-source Loopback0
neighbor EVPN ebgp-multihop
neighbor EVPN send-community extended
neighbor SPINE peer group
neighbor SPINE remote-as 65100
neighbor SPINE bfd
neighbor 10.1.254.11 peer group EVPN
neighbor interface Et1 peer-group SPINE
!
vlan 10
rd 10.1.254.21:1010
route-target both 10:1010
redistribute learned
!
address-family evpn
neighbor EVPN activate
!
address-family ipv4
neighbor SPINE activate
neighbor SPINE route-map ACCEPT_PREFIX_LOOPBACK in
neighbor SPINE route-map ACCEPT_PREFIX_LOOPBACK out
neighbor SPINE next-hop address-family ipv6 originate
network 10.1.254.21/32
RT-L-01#
RT-L-01#show bgp evpn summary
BGP summary information for VRF default
Router identifier 10.1.254.21, local AS number 65201
Neighbor Status Codes: m - Under maintenance
Neighbor V AS MsgRcvd MsgSent InQ OutQ Up/Down State PfxRcd PfxAcc PfxAdv
10.1.254.11 4 65100 15 15 0 0 00:03:16 Estab 1 1 1
RT-L-01#
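7. Trying traffic from SV-01 to SV-02
- I thought this solved it, but Ping still did not get through...
8. Checking the Leaf's state once more
- mac-ip routes appear to be learned via EVPN
- But no MAC addresses show up in the VXLAN table...
- I was stuck, so I asked Claude, and it turned out that the Spine was not forwarding the Extended Community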
RT-L-01#show bgp evpn
BGP routing table information for VRF default
Router identifier 10.1.254.21, local AS number 65201
Route status codes: * - valid, > - active, S - Stale, E - ECMP head, e - ECMP
c - Contributing to ECMP, % - Pending best path selection
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > RD: 10.1.254.21:1010 mac-ip aabb.cc10.1001
- - - 0 i
* > RD: 10.1.254.22:1010 mac-ip aabb.cc10.1002
10.1.254.22 - 100 0 65100 65202 i
* > RD: 10.1.254.21:1010 imet 10.1.254.21
- - - 0 i
* > RD: 10.1.254.22:1010 imet 10.1.254.22
10.1.254.22 - 100 0 65100 65202 i
RT-L-01#
RT-L-01#show vxlan address-table
Vxlan Mac Address Table
----------------------------------------------------------------------
VLAN Mac Address Type Prt VTEP Moves Last Move
---- ----------- ---- --- ---- ----- ---------
Total Remote Mac Addresses for this criterion: 0
RT-L-01#
9. Changing the Spine's configuration
- Added the setting to forward the Extended Community on the Spine
- With that, SV-01 was finally able to communicate with SV-02!
SV-01:~# ping 192.168.10.2
PING 192.168.10.2 (192.168.10.2) 56(84) bytes of data.
64 bytes from 192.168.10.2: icmp_seq=1 ttl=64 time=9.56 ms
64 bytes from 192.168.10.2: icmp_seq=2 ttl=64 time=4.06 ms
64 bytes from 192.168.10.2: icmp_seq=3 ttl=64 time=4.31 ms
^C
--- 192.168.10.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 4.060/5.979/9.564/2.536 ms
SV-01:~#
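The three configuration problems found in steps 4, 6 and 9 can be checked mechanically from the `show run | sec bgp` text. The following is an added example, not part of the original write-up: `audit_bgp` is a hypothetical helper, the sample is trimmed from the Spine configuration shown in step 4, and it assumes the router-id equals the Loopback0 address and that the EVPN sessions are eBGP, as in this lab.

```python
import re

# Constructed sample: the Spine's BGP section from step 4, trimmed, before any fix.
SPINE_CFG = """\
router bgp 65100
router-id 10.1.254.11
neighbor EVPN peer group
neighbor EVPN update-source Loopback0
neighbor EVPN ebgp-multihop
neighbor LEAF peer group
!
address-family evpn
neighbor EVPN activate
!
address-family ipv4
neighbor LEAF activate
network 10.1.255.11/32
"""

def audit_bgp(cfg):
    """Return findings for one 'router bgp' section (hypothetical helper)."""
    opts, evpn_groups, networks = {}, [], []
    router_id = af = None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("address-family "):
            af = line.split()[1]
        elif line.startswith("router-id "):
            router_id = line.split()[1]
        elif line.startswith("network "):
            networks.append(line.split()[1])
        elif m := re.match(r"neighbor (\S+) (.+)", line):
            if m[2] == "activate" and af == "evpn":
                evpn_groups.append(m[1])      # peer group carries EVPN routes
            else:
                opts.setdefault(m[1], set()).add(m[2])
    findings = []
    for group in evpn_groups:
        o = opts.get(group, set())
        # Assumption: a bare "send-community" also sends extended communities.
        if not any(x == "send-community" or
                   (x.startswith("send-community ") and "extended" in x) for x in o):
            findings.append(f"{group}: extended communities are not sent (send-community extended missing)")
        if any(x.startswith("update-source Loopback") for x in o) and \
                not any(x.startswith("ebgp-multihop") for x in o):
            findings.append(f"{group}: Loopback-sourced eBGP session without ebgp-multihop")
    # Assumption: router-id equals the Loopback0 address, as on this page.
    if router_id and networks and f"{router_id}/32" not in networks:
        findings.append(f"network statements {networks} do not cover {router_id}/32")
    return findings
```

Run against the sample, it reports the missing `send-community extended` on the EVPN peer group and the mistyped `network` prefix.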
10. Recap
- When the Extended Community setting is not configured on the Spine
- Routes advertised from the Leaf carry Extended Community: Route-Target-AS:10:1010 TunnelEncap:tunnelTypeVxlan, but routes advertised via the Spine carry no Extended Community
RT-L-01#show bgp evpn detail
BGP routing table information for VRF default
Router identifier 10.1.254.21, local AS number 65201
BGP routing table entry for mac-ip aabb.cc10.1001, Route Distinguisher: 10.1.254.21:1010
Paths: 1 available
Local
- from - (0.0.0.0)
Origin IGP, metric -, localpref -, weight 0, tag 0, valid, local, best
Extended Community: Route-Target-AS:10:1010 TunnelEncap:tunnelTypeVxlan
VNI: 1010 ESI: 0000:0000:0000:0000:0000
BGP routing table entry for mac-ip aabb.cc10.1002, Route Distinguisher: 10.1.254.22:1010
Paths: 1 available
65100 65202
10.1.254.22 from 10.1.254.11 (10.1.254.11)
Origin IGP, metric -, localpref 100, weight 0, tag 0, valid, external, best
VNI: 1010 ESI: 0000:0000:0000:0000:0000
BGP routing table entry for imet 10.1.254.21, Route Distinguisher: 10.1.254.21:1010
Paths: 1 available
Local
- from - (0.0.0.0)
Origin IGP, metric -, localpref -, weight 0, tag 0, valid, local, best
Extended Community: Route-Target-AS:10:1010 TunnelEncap:tunnelTypeVxlan
VNI: 1010
PMSI Tunnel: Ingress Replication, MPLS Label: 1010, Leaf Information Required: false, Tunnel ID: 10.1.254.21
BGP routing table entry for imet 10.1.254.22, Route Distinguisher: 10.1.254.22:1010
Paths: 1 available
65100 65202
10.1.254.22 from 10.1.254.11 (10.1.254.11)
Origin IGP, metric -, localpref 100, weight 0, tag 0, valid, external, best
VNI: 1010
PMSI Tunnel: Ingress Replication, MPLS Label: 1010, Leaf Information Required: false, Tunnel ID: 10.1.254.22
RT-L-01#
- When the Extended Community setting is configured on the Spine
- Routes advertised via the Spine also carry the Extended Community
RT-L-01#show bgp evpn detail
BGP routing table information for VRF default
Router identifier 10.1.254.21, local AS number 65201
BGP routing table entry for mac-ip aabb.cc10.1001, Route Distinguisher: 10.1.254.21:1010
Paths: 1 available
Local
- from - (0.0.0.0)
Origin IGP, metric -, localpref -, weight 0, tag 0, valid, local, best
Extended Community: Route-Target-AS:10:1010 TunnelEncap:tunnelTypeVxlan
VNI: 1010 ESI: 0000:0000:0000:0000:0000
BGP routing table entry for mac-ip aabb.cc10.1002, Route Distinguisher: 10.1.254.22:1010
Paths: 1 available
65100 65202
10.1.254.22 from 10.1.254.11 (10.1.254.11)
Origin IGP, metric -, localpref 100, weight 0, tag 0, valid, external, best
Extended Community: Route-Target-AS:10:1010 TunnelEncap:tunnelTypeVxlan
VNI: 1010 ESI: 0000:0000:0000:0000:0000
BGP routing table entry for imet 10.1.254.21, Route Distinguisher: 10.1.254.21:1010
Paths: 1 available
Local
- from - (0.0.0.0)
Origin IGP, metric -, localpref -, weight 0, tag 0, valid, local, best
Extended Community: Route-Target-AS:10:1010 TunnelEncap:tunnelTypeVxlan
VNI: 1010
PMSI Tunnel: Ingress Replication, MPLS Label: 1010, Leaf Information Required: false, Tunnel ID: 10.1.254.21
BGP routing table entry for imet 10.1.254.22, Route Distinguisher: 10.1.254.22:1010
Paths: 1 available
65100 65202
10.1.254.22 from 10.1.254.11 (10.1.254.11)
Origin IGP, metric -, localpref 100, weight 0, tag 0, valid, external, best
Extended Community: Route-Target-AS:10:1010 TunnelEncap:tunnelTypeVxlan
VNI: 1010
PMSI Tunnel: Ingress Replication, MPLS Label: 1010, Leaf Information Required: false, Tunnel ID: 10.1.254.22
RT-L-01#
- VXLAN is also able to learn the MAC address through the VTEP
RT-L-01#show vxlan address-table
Vxlan Mac Address Table
----------------------------------------------------------------------
VLAN Mac Address Type Prt VTEP Moves Last Move
---- ----------- ---- --- ---- ----- ---------
10 aabb.cc10.1002 EVPN Vx1 10.1.254.22 1 0:00:55 ago
Total Remote Mac Addresses for this criterion: 1
RT-L-01#
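The difference between the two `show bgp evpn detail` outputs in the recap can be detected automatically: a route received from a peer that has no Route-Target is present in the BGP table but never reaches the VXLAN address table. The following is an added example, not part of the original write-up; `parse_entries` and `missing_route_target` are hypothetical helpers, the sample is trimmed from the first output above, and one path per entry is assumed.

```python
import re

# Constructed sample: trimmed from the output taken without the Spine setting.
DETAIL = """\
BGP routing table entry for mac-ip aabb.cc10.1001, Route Distinguisher: 10.1.254.21:1010
Paths: 1 available
Local
- from - (0.0.0.0)
Origin IGP, metric -, localpref -, weight 0, tag 0, valid, local, best
Extended Community: Route-Target-AS:10:1010 TunnelEncap:tunnelTypeVxlan
VNI: 1010 ESI: 0000:0000:0000:0000:0000
BGP routing table entry for mac-ip aabb.cc10.1002, Route Distinguisher: 10.1.254.22:1010
Paths: 1 available
65100 65202
10.1.254.22 from 10.1.254.11 (10.1.254.11)
Origin IGP, metric -, localpref 100, weight 0, tag 0, valid, external, best
VNI: 1010 ESI: 0000:0000:0000:0000:0000
"""

ENTRY = re.compile(r"BGP routing table entry for (\S+) (\S+), Route Distinguisher: (\S+)")

def parse_entries(text):
    """Split the output into entries; assumes one path per entry."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if m := ENTRY.match(line):
            entries.append({"type": m[1], "key": m[2], "rd": m[3],
                            "local": False, "peer": None, "rts": []})
        elif not entries:
            continue                       # header lines before the first entry
        elif line == "Local":
            entries[-1]["local"] = True    # locally originated route
        elif m := re.match(r"\S+ from (\S+) \(", line):
            if m[1] != "-":
                entries[-1]["peer"] = m[1]
        elif line.startswith("Extended Community:"):
            entries[-1]["rts"] = re.findall(r"Route-Target-AS:(\S+)", line)
    return entries

def missing_route_target(text):
    """Received (non-local) routes that carry no Route-Target."""
    return [(e["type"], e["key"], e["peer"])
            for e in parse_entries(text) if not e["local"] and not e["rts"]]
```

The peer address in each result points at the router that advertised the route without its extended communities, here the Spine.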
References
I used the following article to check my answers. Thank you.
JANOG57 NETCON Level3-1 問題解説 (Problem Walkthrough) - Zenn