Static VXLAN Tunnels with MLAG
http://m.getsatisfaction.com/topics/7739661
Posted 2018-05-23T14:39:35Z, last updated 2018-05-24T08:50:23Z

Serhii Shmalko (serhii_shmalko) asked:

Hi all. I didn't find any manual about how to configure Static VXLAN Tunnels with MLAG, but I want to test such a topology:

[Image: topology diagram]

Links DC1-1 - DC2-2, DC1-2 - DC3-1, DC2-1 - DC3-2 are L3
Links DC1-1 - DC1-2, DC2-2 - DC2-1, DC3-1 - DC3-2 are MLAG peer-links with bonds to S-1, S-2 and S-3 respectively
OSPF for full IP connectivity

To make MLAG work with static VXLAN I have clagd-vxlan-anycast-ip under loopback (you can see it in the picture as anycast)

Below full config of DC3-1:

root@DC3-1:~# net sh configuration int

interface lo
  # The primary network interface
  address 172.26.1.31/32
  clagd-vxlan-anycast-ip 172.26.9.9

interface eth0
  address dhcp

interface swp1

interface swp2
  address 172.26.0.6/30

interface swp3

interface swp6

interface bond-leaf-3
  bond-slaves swp6
  bridge-access 100
  clag-id 1
  mtu 9216

interface bridge
  bridge-ports bond-leaf-3 peerlink vni-100
  bridge-vids 1 100 666
  bridge-vlan-aware yes

interface peerlink
  bond-slaves swp1 swp3
  mtu 9216

interface peerlink.4094
  address 169.254.1.9/30
  clagd-backup-ip 1.1.0.32
  clagd-peer-ip 169.254.1.10
  clagd-priority 1000
  clagd-sys-mac 44:38:39:FF:00:03

interface vlan100
  address 1.1.0.31/22
  vlan-id 100
  vlan-raw-device bridge

interface vlan666
  address 172.26.0.33/30
  vlan-id 666
  vlan-raw-device bridge

interface vni-100
  bridge-access 100
  mstpctl-bpduguard yes
  mstpctl-portbpdufilter yes
  vxlan-id 100
  vxlan-local-tunnelip 172.26.1.31
  vxlan-remoteip 172.26.7.7
  vxlan-remoteip 172.26.8.8

--------------------

Below full config of DC3-1

root@DC3-2:~# net sh conf int

interface lo
  # The primary network interface
  address 172.26.1.32/32
  clagd-vxlan-anycast-ip 172.26.9.9

interface eth0
  address dhcp

interface swp1

interface swp2
  address 172.26.0.10/30

interface swp3

interface swp6

interface bond-leaf-3
  bond-slaves swp6
  bridge-access 100
  clag-id 1
  mtu 9216

interface bridge
  bridge-ports bond-leaf-3 peerlink vni-100
  bridge-vids 1 100 666
  bridge-vlan-aware yes

interface peerlink
  bond-slaves swp1 swp3
  mtu 9216

interface peerlink.4094
  address 169.254.1.10/30
  clagd-backup-ip 1.1.0.31
  clagd-peer-ip 169.254.1.9
  clagd-priority 2000
  clagd-sys-mac 44:38:39:FF:00:03

interface vlan100
  address 1.1.0.32/22
  vlan-id 100
  vlan-raw-device bridge

interface vlan666
  address 172.26.0.34/30
  vlan-id 666
  vlan-raw-device bridge

interface vni-100
  bridge-access 100
  mstpctl-bpduguard yes
  mstpctl-portbpdufilter yes
  vxlan-id 100
  vxlan-local-tunnelip 172.26.1.32
  vxlan-remoteip 172.26.7.7
  vxlan-remoteip 172.26.8.8

-------------------------

When traffic goes via the VXLAN tunnel, the routers always set the source IP from clagd-vxlan-anycast-ip and ignore vxlan-local-tunnelip.

For example, an IP packet is created at DC3-1 with source IP 172.26.9.9 and destination IP 172.26.8.8. According to the routing table it should go via DC3-2 and then reach destination 172.26.8.8.
But in this case DC3-2 drops such packets, because they have the same source IP as the router has on its loopback.
I found a workaround: set "1" in /proc/sys/net/ipv4/conf/all/accept_local.

I wonder if it is a reliable workaround and if it is a robust topology at all, because there is no such schema in the official docs.

Jason Guy (jason_guy) responded, 2018-05-23T16:54:38Z:

I see a few potential issues with this.
- First, think of the MLAG pair as a single switch. It is not a good idea to peer a routing protocol across the peerlink. If you must, be sure that the prefixes learned from an MLAG peer switch are less preferred. Generally if there is an uplink failure, you really do not want the traffic routing laterally. The better way to do this is to dual-connect each MLAG router to the core switches, and remove the peering between the MLAG switches. Anyhow, this should correct the routing plane, and you would not need the kernel hack.
- Secondly, it is best to create a VTEP per remote anycast pair. I have never statically configured multiple remote-ip's on a VTEP, and I am not entirely sure how that would work.
- Finally, after all of these things are corrected, hopefully things will work. With your configurations, I think the VXLAN tunnel should source from the configured local-ip, and be destined to the remote anycast-ip.

Serhii Shmalko (serhii_shmalko) responded, 2018-05-24T08:50:23Z:

Hi Jason,
Many thanks for the answer.
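The checks discussed in this thread, as an added example that is not code from either participant: it parses output in the format the question shows, flags a VTEP with several `vxlan-remoteip` entries and a `vxlan-local-tunnelip` that differs from the MLAG anycast address, and lists interfaces where `accept_local` is set to 1, the setting that makes the kernel accept packets whose source is one of its own addresses. The function names and the `SAMPLE` excerpt (constructed from the DC3-1 config above) are assumptions of this example.

```python
import pathlib

# Constructed excerpt of the DC3-1 output quoted in the question.
SAMPLE = """\
interface lo
  clagd-vxlan-anycast-ip 172.26.9.9

interface vni-100
  vxlan-local-tunnelip 172.26.1.31
  vxlan-remoteip 172.26.7.7
  vxlan-remoteip 172.26.8.8
"""

def parse_interfaces(text):
    """Map each 'interface NAME' stanza to its list of (key, value) attributes."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-")):
            continue  # skip blanks, comments and the '-----' separators
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif current is not None:
            key, _, value = line.partition(" ")
            current.append((key, value.strip()))
    return stanzas

def audit_vxlan(text):
    """Return (interface, finding, values) tuples for the points raised in the thread."""
    stanzas = parse_interfaces(text)
    anycast = [v for a in stanzas.values() for k, v in a if k == "clagd-vxlan-anycast-ip"]
    findings = []
    for name, attrs in stanzas.items():
        remotes = [v for k, v in attrs if k == "vxlan-remoteip"]
        local = [v for k, v in attrs if k == "vxlan-local-tunnelip"]
        if len(remotes) > 1:  # the reply advises one VTEP per remote anycast pair
            findings.append((name, "multiple-remoteip", remotes))
        if anycast and local and local[0] != anycast[0]:
            # the question reports the anycast IP, not local-tunnelip, as tunnel source
            findings.append((name, "source-is-anycast", [local[0], anycast[0]]))
    return findings

def accept_local_enabled(root="/proc/sys/net/ipv4/conf"):
    """List interfaces whose accept_local sysctl is 1 (the workaround from the question)."""
    files = pathlib.Path(root).glob("*/accept_local")
    return sorted(p.parent.name for p in files if p.read_text().strip() == "1")

if __name__ == "__main__":
    print(audit_vxlan(SAMPLE), accept_local_enabled())
```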