[j-nsp] EVPN

Amos Rosenboim amos at oasis-tech.net
Sun Aug 9 03:43:06 EDT 2015


Hi,

We are in the final stages of testing EVPN for DCI as well as corporate customers' access into a small IaaS provider cloud.

So far the testing was really good.
A few points we encountered:

1. On single-active multihoming, when the CE is an L2 switch: when failing the active link, the switch will learn the remote destination MAC through the standby link very quickly.
However, when the active link recovers and becomes active once again, the CE MAC table does not flush and the CE keeps sending traffic to the backup port, which is now blocking.
Obviously this is only applicable to unidirectional traffic scenarios. In bidirectional scenarios MAC learning works like a charm.

2. We couldn't find an elegant way to associate the inner VLAN in a QinQ stack directly into an EVI. We had to use an ingress bridge domain and the infamous loop cable to do this.
Still searching for a more elegant way.

3. Loop testing: we tested what happens when a customer creates a loop.
We looped several VLANs; most were L2, but one was L3 running OSPF with the MX.
With the default configuration the results were the expected disaster.
After applying interface-specific ARP policers, and using flow detection for DDoS protection (thanks to Saku Ytti for the pointers on this list), things look much better now.

This deployment is planned to go into production in a few weeks once we are all back from our various vacations.

Any feedback from other deployments will be much appreciated.

Cheers,

Amos


On 9 Aug 2015, at 00:03, Chuck Anderson <cra at WPI.EDU> wrote:

On Wed, May 06, 2015 at 12:13:41PM +0100, Matt Bernstein via juniper-nsp wrote:
On 05/05/2015 15:48, Chuck Anderson wrote:
On Fri, May 01, 2015 at 05:53:54PM -0400, Chuck Anderson wrote:
Is anyone doing EVPN in production yet?
I take it from the deafening silence that either no one is doing EVPN
in production, or no one is willing to admit it.
You could ask me again in a few months :)

I'm looking at a 10Gb/s L2 DCI over the Internet. EVPN (I think
MPLSoGRE pseudowires), then over IPsec, using active/active MX240
routers in each location. Looks elegant on paper, although if our
PoC turns up any gremlins we can fall back to boring (but obviously
less elegant) VPLSoGREoIPsec.

I can report back here, hopefully before August, if people find it
interesting. _I_ will be particularly interested in the encryption
latency tax, given that without dedicated circuits latency is
already potentially an issue.

I will also be interested to see if anything cheap can do
low-bandwidth encrypted EVPN; this might help those few corner-cases
where people insist on a VLAN over our L3 campus fabric. The SRX100
can do VPLSoGREoIPsec, but again EVPN strikes me as more elegant.

Hi Matt,

Do you have any news to report on your EVPN deployment?  Did you have
to fall back to VPLS?

Thanks,
Chuck
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

