Arista VXLan with QinQ

aristaqinqvxlan

I've got a weird situation. Three doctors offices are merging in two cities and we are planning on merging them into one building in each city. Due to politics and crappy software each office will run pseudo-independently, meaning we have three networks with their own (overlapping) VLAN's. I'm in charge of networking and our office has the nicest networking gear that will get re-purposed for each building. We're running Arista 7150's with EOS 4.21.1F (and also have 7124SX EOS-4.13.14M) and I plan on getting a 1G carrier ethernet circuit between the two buildings. I would use QinQ, but for whatever reason I have never got QinQ to work over WAN links (works everytime in the lab). I've asked the carrier for more information or to allow QinQ before and gotten nowhere, so I'm going to assume it's not in play. My next thought is to go to VXLAN.

I plan on the following physical design (if I can):

        ---- Site A (Arista 7150) ---- Site B (Arista 7150) ----
                          |                 |
Office 1 (Arista 7124SX) -|                 |- Office 1 (Arista 7124SX)
Office 2 (Arista 7124SX) -|                 |- Office 2 (Arista 7124SX)
Office 3 (Arista 7124SX) -|                 |- Office 3 (Arista 7124SX)

Can I use QinQ over VXLAN? This would make my life easy as I could assign a SVLAN to each office and be done with it.
Assuming I can't use QinQ over VXLAN, would I in theory have to manually map each vlan to an SVI? If so, to make my life easier, can I map each office to a range? AKA Office 1 [VLAN 1-4096 – VNI 10000-14096], Office 2 [VLAN 1-4096 – VNI 20000-24096], Office 3 [VLAN 1-4096 – VNI 30000-34096]

I've also put together the following basic config between sites, but it doesn't seem to be working.

## Site A
interface Ethernet1
    description Customer Port 1 Site A
    switchport access vlan 500
    switchport mode dot1q-tunnel

interface Ethernet23
   description Site A to Site B link
   switchport mode trunk

interface Loopback0
   description VXLAN VTEP IP address
   ip address 1.1.1.1/32

interface Vxlan1
   vxlan source-interface Loopback0
   vxlan udp-port 4789
   vxlan vlan 500 vni 1500
   vxlan flood vtep 2.2.2.2

## Site B 
interface Ethernet1
    description Customer Port 1 Site B
    switchport access vlan 500
    switchport mode dot1q-tunnel

interface Ethernet23
   description Site B to Site A link
   switchport mode trunk

interface Loopback0
   description VXLAN VTEP IP address
   ip address 2.2.2.2/32

interface Vxlan1
   vxlan source-interface Loopback0
   vxlan udp-port 4789
   vxlan vlan 500 vni 1500
   vxlan flood vtep 1.1.1.1

Best Answer

Can I use QinQ over VXLAN? This would make my life easy as I could assign a SVLAN to each office and be done with it.

Yes. We're doing Q-in-Q on DCS-7150S-24's currently running EOS-4.20.11.1M.

One thing I noticed when comparing our configs with yours is that your Vxlan1 interface does not have a flood VTEP defined for VLAN 500, just a VNI and a generic flood VTEP. I'm not sure if this makes the difference, but it's woth testing. We have an additional statement like this:

interface Vxlan1
   vxlan vlan 500 vni 1500
   vxlan vlan 500 flood vtep 2.2.2.2

7.2) VXLAN without CVX

Configuration on VTEPs:

!
vlan 100
vlan 200
!
interface Ethernet 1
  switchport access vlan 100
!
interface Ethernet 2
  switchport mode trunk
  switchport trunk allowed vlan 100,200
!
interface loopback 1
 ip address 1.1.1.1/32
!
interface Vxlan 1
  vxlan source-interface loopback 1
  vxlan vlan 100 vni 10100
  vxlan vlan 200 vni 10200
  vxlan vlan 100 flood vtep 2.2.2.2 4.4.4.4
  vxlan vlan 200 flood vtep 2.2.2.2 3.3.3.3 4.4.4.4
!

Notice that the VXLAN interface, Vxlan 1 has multiple VNIs, just like a trunk has multiple VLANs with tags. Basically, a VNI on a VXLAN is like a VLAN on a trunk. You shouldn't expect that an access interface allow any frames from tagged VLANs, nor should you expect a trunk interface to allow VLANs other than what it is configured to allow. Neither should a VNI have any traffic other than its corresponding VLAN, nor should a VXLAN interface allow traffic for VLANs for which it is not configured.

You really, really don't want frames with any VLAN tag coming into the access interface Ethernet 1. That could lead to security problems like VLAN hopping. One would hope that frames with VLAN tags coming into an access interface would be dropped as malformed.

Also, on interface Ethernet 2, the switchport trunk allowed vlan 100,200 instructs that all incoming frames except those tagged as VLAN 100 or VLAN 200 be dropped, and no frames except those in the two allowed VLANs be sent. Frames tagged with other VLAN numbers will be dropped.

The interface Vxlan 1 will send and receive traffic for VLANs 100 and 200, just like the trunk interface Ethernet 2.

Regarding VxLAN Encapsulation

Yes - your understanding of encapsulation is correct: a given frame has a VXLAN header applied. This is carried in a UDP packet.

UDP is used as a convenient format in terms of programming and its use of src/dst port provides a ready means to both multiplex connections as well as a means by which intermediary forwarding elements can hash connections over parallel links. In short, UDP is familiar, has low overhead and is already extremely well understood.

OTV can run over MPLS-GRE or UDP, with UDP being the preferred mechanism for the past few years. Again, one of the big drivers was depolarization of traffic (allowing parallel paths to carry determinstically hashed fractions of overall traffic).

Why not TCP? Excessive overhead on the encapsulating device and added latency are big examples. The bigger point, though, is that to get any value out of TCP would require the ability to concatenate the individual packets to be encapsulated into an overall stream to be managed via sliding windows rather than simply maintaining a 1:1 mapping. Add in the amount of state tracking and buffering issues associated with having the capability for retransmission and it becomes truly unruly.

Best Answer

Related Solutions

Vlan – How to encapsulate all VLAN traffic inside VXLAN

7.2) VXLAN without CVX

Regarding VxLAN Encapsulation

Related Topic