EVPN hub-and-spoke L3VPN

nathanbycroft · Sep 15, 2024 · b501519 · b501519
1 parent 7b6c46c
commit b501519
Show file tree

Hide file tree

Showing 15 changed files with 1,049 additions and 0 deletions.
diff --git a/EVPN/l3vpn-hub-spoke/README.md b/EVPN/l3vpn-hub-spoke/README.md
@@ -0,0 +1,5 @@
+# Hub-and-Spoke Layer-3 VPN with EVPN Control Plane
+
+This directory contains the lab topology used in the [EVPN Hub-and-Spoke Layer-3 VPN](https://blog.ipspace.net/2024/09/hub-spoke-evpn/) blog post.
+
+![Lab topology](topology.png)
diff --git a/EVPN/l3vpn-hub-spoke/config/ce_hub-daemons b/EVPN/l3vpn-hub-spoke/config/ce_hub-daemons
@@ -0,0 +1,91 @@
+# Generated by frr_daemons.j2, based on standard frr config template
+
+# This file tells the frr package which daemons to start.
+#
+# Sample configurations for these daemons can be found in
+# /usr/share/doc/frr/examples/.
+#
+# ATTENTION:
+#
+# When activating a daemon for the first time, a config file, even if it is
+# empty, has to be present *and* be owned by the user and group "frr", else
+# the daemon will not be started by /etc/init.d/frr. The permissions should
+# be u=rw,g=r,o=.
+# When using "vtysh" such a config file is also needed. It should be owned by
+# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
+#
+# The watchfrr, zebra and staticd daemons are always started.
+#
+bgpd=no
+ospfd=no
+ospf6d=no
+ripd=no
+ripngd=no
+isisd=no
+pimd=no
+ldpd=no
+nhrpd=no
+eigrpd=no
+babeld=no
+sharpd=no
+pbrd=no
+bfdd=no
+fabricd=no
+vrrpd=no
+pathd=no
+
+#
+# If this option is set the /etc/init.d/frr script automatically loads
+# the config via "vtysh -b" when the servers are started.
+# Check /etc/pam.d/frr if you intend to use "vtysh"!
+#
+vtysh_enable=yes
+zebra_options="  -A 127.0.0.1 -s 90000000"
+bgpd_options="   -A 127.0.0.1"
+ospfd_options="  -A 127.0.0.1"
+ospf6d_options=" -A ::1"
+ripd_options="   -A 127.0.0.1"
+ripngd_options=" -A ::1"
+isisd_options="  -A 127.0.0.1"
+pimd_options="   -A 127.0.0.1"
+ldpd_options="   -A 127.0.0.1"
+nhrpd_options="  -A 127.0.0.1"
+eigrpd_options=" -A 127.0.0.1"
+babeld_options=" -A 127.0.0.1"
+sharpd_options=" -A 127.0.0.1"
+pbrd_options="   -A 127.0.0.1"
+staticd_options="-A 127.0.0.1"
+bfdd_options="   -A 127.0.0.1"
+fabricd_options="-A 127.0.0.1"
+vrrpd_options="  -A 127.0.0.1"
+pathd_options="  -A 127.0.0.1"
+
+# configuration profile
+#
+#frr_profile="traditional"
+frr_profile="datacenter"
+
+#
+# This is the maximum number of FD's that will be available.
+# Upon startup this is read by the control files and ulimit
+# is called.  Uncomment and use a reasonable value for your
+# setup if you are expecting a large number of peers in
+# say BGP.
+#MAX_FDS=1024
+
+# The list of daemons to watch is automatically generated by the init script.
+#watchfrr_options=""
+
+# To make watchfrr create/join the specified netns, use the following option:
+#watchfrr_options="--netns"
+# This only has an effect in /etc/frr/<somename>/daemons, and you need to
+# start FRR with "/usr/lib/frr/frrinit.sh start <somename>".
+
+# for debugging purposes, you can specify a "wrap" command to start instead
+# of starting the daemon directly, e.g. to use valgrind on ospfd:
+#   ospfd_wrap="/usr/bin/valgrind"
+# or you can use "all_wrap" for all daemons, e.g. to use perf record:
+#   all_wrap="/usr/bin/perf record --call-graph -"
+# the normal daemon command is added to this at the end.
+
+bgpd=yes
diff --git a/EVPN/l3vpn-hub-spoke/config/ce_hub.cfg b/EVPN/l3vpn-hub-spoke/config/ce_hub.cfg
@@ -0,0 +1,42 @@
+frr version 10.0.1_git
+frr defaults datacenter
+hostname ce_hub
+no ipv6 forwarding
+service integrated-vtysh-config
+!
+vrf mgmt
+exit-vrf
+!
+interface eth1
+ description ce_hub -> pe_h [external]
+ ip address 10.1.0.21/30
+exit
+!
+interface eth2
+ description ce_hub -> pe_h [external]
+ ip address 10.1.0.25/30
+exit
+!
+interface lo
+ ip address 10.0.0.5/32
+exit
+!
+router bgp 65100
+ bgp router-id 10.0.0.5
+ no bgp default ipv4-unicast
+ bgp bestpath as-path multipath-relax
+ neighbor 10.1.0.22 remote-as 65000
+ neighbor 10.1.0.22 description pe_h
+ neighbor 10.1.0.26 remote-as 65000
+ neighbor 10.1.0.26 description pe_h
+ !
+ address-family ipv4 unicast
+  network 10.0.0.5/32
+  neighbor 10.1.0.22 activate
+  neighbor 10.1.0.22 as-override
+  no neighbor 10.1.0.22 send-community extended
+  neighbor 10.1.0.26 activate
+  no neighbor 10.1.0.26 send-community extended
+ exit-address-family
+exit
+!
diff --git a/EVPN/l3vpn-hub-spoke/config/ce_s1-daemons b/EVPN/l3vpn-hub-spoke/config/ce_s1-daemons
@@ -0,0 +1,91 @@
+# Generated by frr_daemons.j2, based on standard frr config template
+
+# This file tells the frr package which daemons to start.
+#
+# Sample configurations for these daemons can be found in
+# /usr/share/doc/frr/examples/.
+#
+# ATTENTION:
+#
+# When activating a daemon for the first time, a config file, even if it is
+# empty, has to be present *and* be owned by the user and group "frr", else
+# the daemon will not be started by /etc/init.d/frr. The permissions should
+# be u=rw,g=r,o=.
+# When using "vtysh" such a config file is also needed. It should be owned by
+# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
+#
+# The watchfrr, zebra and staticd daemons are always started.
+#
+bgpd=no
+ospfd=no
+ospf6d=no
+ripd=no
+ripngd=no
+isisd=no
+pimd=no
+ldpd=no
+nhrpd=no
+eigrpd=no
+babeld=no
+sharpd=no
+pbrd=no
+bfdd=no
+fabricd=no
+vrrpd=no
+pathd=no
+
+#
+# If this option is set the /etc/init.d/frr script automatically loads
+# the config via "vtysh -b" when the servers are started.
+# Check /etc/pam.d/frr if you intend to use "vtysh"!
+#
+vtysh_enable=yes
+zebra_options="  -A 127.0.0.1 -s 90000000"
+bgpd_options="   -A 127.0.0.1"
+ospfd_options="  -A 127.0.0.1"
+ospf6d_options=" -A ::1"
+ripd_options="   -A 127.0.0.1"
+ripngd_options=" -A ::1"
+isisd_options="  -A 127.0.0.1"
+pimd_options="   -A 127.0.0.1"
+ldpd_options="   -A 127.0.0.1"
+nhrpd_options="  -A 127.0.0.1"
+eigrpd_options=" -A 127.0.0.1"
+babeld_options=" -A 127.0.0.1"
+sharpd_options=" -A 127.0.0.1"
+pbrd_options="   -A 127.0.0.1"
+staticd_options="-A 127.0.0.1"
+bfdd_options="   -A 127.0.0.1"
+fabricd_options="-A 127.0.0.1"
+vrrpd_options="  -A 127.0.0.1"
+pathd_options="  -A 127.0.0.1"
+
+# configuration profile
+#
+#frr_profile="traditional"
+frr_profile="datacenter"
+
+#
+# This is the maximum number of FD's that will be available.
+# Upon startup this is read by the control files and ulimit
+# is called.  Uncomment and use a reasonable value for your
+# setup if you are expecting a large number of peers in
+# say BGP.
+#MAX_FDS=1024
+
+# The list of daemons to watch is automatically generated by the init script.
+#watchfrr_options=""
+
+# To make watchfrr create/join the specified netns, use the following option:
+#watchfrr_options="--netns"
+# This only has an effect in /etc/frr/<somename>/daemons, and you need to
+# start FRR with "/usr/lib/frr/frrinit.sh start <somename>".
+
+# for debugging purposes, you can specify a "wrap" command to start instead
+# of starting the daemon directly, e.g. to use valgrind on ospfd:
+#   ospfd_wrap="/usr/bin/valgrind"
+# or you can use "all_wrap" for all daemons, e.g. to use perf record:
+#   all_wrap="/usr/bin/perf record --call-graph -"
+# the normal daemon command is added to this at the end.
+
+bgpd=yes
diff --git a/EVPN/l3vpn-hub-spoke/config/ce_s1.cfg b/EVPN/l3vpn-hub-spoke/config/ce_s1.cfg
@@ -0,0 +1,32 @@
+frr version 10.0.1_git
+frr defaults datacenter
+hostname ce_s1
+no ipv6 forwarding
+service integrated-vtysh-config
+!
+vrf mgmt
+exit-vrf
+!
+interface eth1
+ description ce_s1 -> pe_a [external]
+ ip address 10.1.0.13/30
+exit
+!
+interface lo
+ ip address 10.0.0.6/32
+exit
+!
+router bgp 65101
+ bgp router-id 10.0.0.6
+ no bgp default ipv4-unicast
+ bgp bestpath as-path multipath-relax
+ neighbor 10.1.0.14 remote-as 65000
+ neighbor 10.1.0.14 description pe_a
+ !
+ address-family ipv4 unicast
+  network 10.0.0.6/32
+  neighbor 10.1.0.14 activate
+  no neighbor 10.1.0.14 send-community extended
+ exit-address-family
+exit
+!
diff --git a/EVPN/l3vpn-hub-spoke/config/ce_s2-daemons b/EVPN/l3vpn-hub-spoke/config/ce_s2-daemons
@@ -0,0 +1,91 @@
+# Generated by frr_daemons.j2, based on standard frr config template
+
+# This file tells the frr package which daemons to start.
+#
+# Sample configurations for these daemons can be found in
+# /usr/share/doc/frr/examples/.
+#
+# ATTENTION:
+#
+# When activating a daemon for the first time, a config file, even if it is
+# empty, has to be present *and* be owned by the user and group "frr", else
+# the daemon will not be started by /etc/init.d/frr. The permissions should
+# be u=rw,g=r,o=.
+# When using "vtysh" such a config file is also needed. It should be owned by
+# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
+#
+# The watchfrr, zebra and staticd daemons are always started.
+#
+bgpd=no
+ospfd=no
+ospf6d=no
+ripd=no
+ripngd=no
+isisd=no
+pimd=no
+ldpd=no
+nhrpd=no
+eigrpd=no
+babeld=no
+sharpd=no
+pbrd=no
+bfdd=no
+fabricd=no
+vrrpd=no
+pathd=no
+
+#
+# If this option is set the /etc/init.d/frr script automatically loads
+# the config via "vtysh -b" when the servers are started.
+# Check /etc/pam.d/frr if you intend to use "vtysh"!
+#
+vtysh_enable=yes
+zebra_options="  -A 127.0.0.1 -s 90000000"
+bgpd_options="   -A 127.0.0.1"
+ospfd_options="  -A 127.0.0.1"
+ospf6d_options=" -A ::1"
+ripd_options="   -A 127.0.0.1"
+ripngd_options=" -A ::1"
+isisd_options="  -A 127.0.0.1"
+pimd_options="   -A 127.0.0.1"
+ldpd_options="   -A 127.0.0.1"
+nhrpd_options="  -A 127.0.0.1"
+eigrpd_options=" -A 127.0.0.1"
+babeld_options=" -A 127.0.0.1"
+sharpd_options=" -A 127.0.0.1"
+pbrd_options="   -A 127.0.0.1"
+staticd_options="-A 127.0.0.1"
+bfdd_options="   -A 127.0.0.1"
+fabricd_options="-A 127.0.0.1"
+vrrpd_options="  -A 127.0.0.1"
+pathd_options="  -A 127.0.0.1"
+
+# configuration profile
+#
+#frr_profile="traditional"
+frr_profile="datacenter"
+
+#
+# This is the maximum number of FD's that will be available.
+# Upon startup this is read by the control files and ulimit
+# is called.  Uncomment and use a reasonable value for your
+# setup if you are expecting a large number of peers in
+# say BGP.
+#MAX_FDS=1024
+
+# The list of daemons to watch is automatically generated by the init script.
+#watchfrr_options=""
+
+# To make watchfrr create/join the specified netns, use the following option:
+#watchfrr_options="--netns"
+# This only has an effect in /etc/frr/<somename>/daemons, and you need to
+# start FRR with "/usr/lib/frr/frrinit.sh start <somename>".
+
+# for debugging purposes, you can specify a "wrap" command to start instead
+# of starting the daemon directly, e.g. to use valgrind on ospfd:
+#   ospfd_wrap="/usr/bin/valgrind"
+# or you can use "all_wrap" for all daemons, e.g. to use perf record:
+#   all_wrap="/usr/bin/perf record --call-graph -"
+# the normal daemon command is added to this at the end.
+
+bgpd=yes
diff --git a/EVPN/l3vpn-hub-spoke/config/ce_s2.cfg b/EVPN/l3vpn-hub-spoke/config/ce_s2.cfg
@@ -0,0 +1,32 @@
+frr version 10.0.1_git
+frr defaults datacenter
+hostname ce_s2
+no ipv6 forwarding
+service integrated-vtysh-config
+!
+vrf mgmt
+exit-vrf
+!
+interface eth1
+ description ce_s2 -> pe_b [external]
+ ip address 10.1.0.17/30
+exit
+!
+interface lo
+ ip address 10.0.0.7/32
+exit
+!
+router bgp 65102
+ bgp router-id 10.0.0.7
+ no bgp default ipv4-unicast
+ bgp bestpath as-path multipath-relax
+ neighbor 10.1.0.18 remote-as 65000
+ neighbor 10.1.0.18 description pe_b
+ !
+ address-family ipv4 unicast
+  network 10.0.0.7/32
+  neighbor 10.1.0.18 activate
+  no neighbor 10.1.0.18 send-community extended
+ exit-address-family
+exit
+!