[j-nsp] EVPN with IRB and static routing

Alex D. listensammler at gmx.de
Wed Apr 18 17:50:45 EDT 2018 

Hello,
in our core network, we have an EVPN with IRB setup on 2 MX480. JUNOS is 
17.3R1-S1.6.
Here are the relevant parts of my configuration:

routing-instance:
EVPN_TEST {
     instance-type virtual-switch;
     route-distinguisher x.x.x.x:1002;
     vrf-target target:1002:10;
     protocols {
         evpn {
             extended-vlan-list 10;
             default-gateway do-not-advertise;
         }
     }
     bridge-domains {
         VLAN-10 {
             vlan-id 10;
             interface ae10.10;
             routing-interface irb.1002;
         }
     }
}

interfaces:
irb {
     unit 1002 {
         family inet {
             address a.b.c.d/29;
         }
         mac 84:b5:9c:af:fe:02;
     }
}
ae10 {
     flexible-vlan-tagging;
     encapsulation flexible-ethernet-services;
     aggregated-ether-options {
         ~ snip ~
     }
     unit 10 {
         encapsulation vlan-bridge;
         vlan-id 10;
         family bridge;
     }
}

Both routers PE1 and PE2 have identical setup (apart from the 
route-distinguisher). The irb interfaces act as default-gateway for a 
firewall cluster connected to ae10 on both PE routers. The firewall 
cluster has VRRP configured on it's external interfaces, which is 
running fine over EVPN. Connectivity to/from the VRRP IP is given 
regardless of whether first or second cluster member is VRRP master. So 
far everything is going as expected...
Let's come to my problem now...
On both PE routers, I have static routes for DMZ networks (which resides 
behind the firewall) towards the VRRP IP. These DMZ networks are only 
reacheable, when the packet arrives over the PE router which has the 
VRRP master attached.
Here's an example: VRRP master is attached at PE1. PE2 learns this VRRP 
IP via an EVPN type-2 route from PE1. Now, an IP packet for a DMZ host 
arrives at PE2 which has a static route pointing to the VRRP IP. PE2 
doesn't label-switch the IP ipacket to PE1 (where the next-hop is 
connected), but tries to use the local irb as outgoing interface. I hope 
my problem description is reasonably understandable.

Based on the observations, the following questions arise for me:
- could my setup work at all, or do I have a basic understanding problem 
here ? Most EVPN with IRB examples i found focuses on hosts (and not 
firewalls/routers) and therefore doesn't use static routes.
- if my setup should work as described, is there a known bug with EVPN 
with IRB and static routing ?
- does someone have a similar, but working setup
If you need more informations, a more detailed and non-anonymized 
configurations or some output of show commands, feel free to ask. I will 
provide them accordingly.

Thanks in advance.
Regards,
Alex

More information about the juniper-nsp mailing list