MLAG and Vxlan mixing.

I've been trying to figure out what makes MLAG implementation in a vxlan environment different from other more 'regular vlan' implementations. The user guide suggests that the isc link gets turned into an ospf routed link, but it doesn't go into detail on how this impacts the rest of the mlag setup.

I've gotten this far with my configuration. It's working for traffic to and from vmware-hosts, however when connecting to other existing l2 environments strange things seem to happen with broadcast packets, and a switch-loop like scenario seems to appear.

I'm at wit's end on what the correct implementation of mlag and vxlan is supposed to be. I'm attaching the configuration I've done so far in hopes more experienced minds can figure out what I'm missing.

The configuration example omits ospf information, since I have done no such configuration in regards to mlag.

[code]
# Setting the same IP on both switches ensures both identify as the same
# vxlan endpoint

# Mlag peer creation:
# Both:
enable sharing 1 grouping 1 algorithm address-based L2 lacp

# Left:
create vlan "ISC"
configure vlan ISC tag 4000
configure vlan ISC add ports 117 untagged
configure vlan ISC ipaddress
configure mlag ports convergence-control fast
create mlag peer "right"
configure mlag peer "right" ipaddress vr VR-Default
enable mlag port 1 peer "right" id 1

# Right:
create vlan "ISC"
configure vlan ISC tag 4000
configure vlan ISC add ports 117 untagged
configure vlan ISC ipaddress
configure mlag ports convergence-control fast
create mlag peer "left"
configure mlag peer "left" ipaddress vr VR-Default
enable mlag port 1 peer "left" id 1

# vxlan related config:
create vlan loopback
enable loopback-mode loopback
configure vlan loopback ipaddress
create vlan mlag-test
disable igmp snooping vlan "mlag-test"
configure vlan mlag-test tag 1000
configure vlan mlag-test add ports 1,117 tagged
create virtual-network "vni10001" flooding standard
configure virtual-network "vni10001" vxlan vni 10001
configure virtual-network "vni10001" add vlan mlag-test
configure virtual-network local-endpoint
[/code]
OSPF router-ID and local address are configured as a secondary-IP on the vlan loopback. This is to keep the number of OSPF interfaces down so we can still keep under the limit imposed on the Advanced Edge licence.

9 replies

Userlevel 7
For the OSPF underlay part you miss:

[code]
create vlan routed-isc tag 11
config routed-isc add port 117 tagged
config routed-isc ipaddress
config ospf add routed-isc area link-type point-to-point
[/code]
For VXLAN I recommend using a dedicated virtual LTEP:

[code]
create vlan vltep
enable loopback-mode vltep
config vltep ipaddress
enable ipforwarding vltep
config ospf add vltep area passive
config virtual-network local-endpoint ipaddress
[/code]
Userlevel 5
Hello Linus

There is one configuration example that shows how to configure MLAG with VXLAN.

Best regards,
Unfortunately the suggested configuration would push me over the 4-ospf device limit imposed on the Advanced Edge license. I already have two OSPF links to the l3 layer on each switch, and one loopback-vlan for local routerID configuration.

Adding a routed-isc vlan would set me at 4 total OSPF devices, but a dedicated vltep vlan makes 5. Can I combine the vltep vlan with an ospf routerid as a secondary-IP, or will things break horribly?

I'm also a bit curious as to how this changes the underlying configuration of the mlag tenant VLANs: do these still need to be added to the isc port in a tagged manner? And what does the route-isc link provide?
Userlevel 7
I'd add the loopback as a passive interface.
Userlevel 7
Sorry, I missed the question at the end. You still have to configure a proper MLAG for the tenant VLANs, no change on that. What you are adding is a second loopback that will be common between the two peers and used as the Local VTEP address (so same address on both peers), plus a routed link between the two (a vlan on the same physical path as the ISC), in OSPF as well. I personally prefer to use p2p links everywhere (and loopback as passive). OSPF router-id is different on each MLAG peer, using another loopback interface (also a passive interface in OSPF). You'll see traffic on that routed-isc link, and depending on the design you may have to configure a higher metric for that link (that's more a backup link than something else). You have to configure that routed-isc link.

- do not use MLAG alternate IP
- do not use the W MLAG (2 ISC feature)
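
A pre-deployment check for the design rules in the reply above, as an added example that is not part of the thread and not Extreme's tooling: it parses both peers' configs and reports a shared VTEP address that differs, a duplicated router-id, a missing OSPF-routed VLAN on the ISC port, too many non-passive OSPF interfaces, and a configured MLAG alternate IP. The sample config, the VLAN names `uplink1`/`uplink2`, area `0.0.0.0` and all addresses are constructed placeholders; port 117 and the limit of 4 are taken from the thread.

```python
import re
OSPF_LIMIT = 4  # Advanced Edge limit quoted in the thread; passive interfaces are not counted
# Constructed sample peer config: hypothetical VLAN names, documentation-range addresses.
BASE = """configure ospf routerid {rid}
configure ospf add vlan uplink1 area 0.0.0.0 link-type point-to-point
configure ospf add vlan uplink2 area 0.0.0.0 link-type point-to-point
configure vlan ISC add ports 117 untagged
configure vlan routed-isc add ports 117 tagged
configure ospf add vlan vltep area 0.0.0.0 passive
configure virtual-network local-endpoint ipaddress {vtep}
"""
ROUTED_ISC = "configure ospf add vlan routed-isc area 0.0.0.0 link-type point-to-point\n"

def parse(cfg):
    """Pull the OSPF, VTEP and MLAG facts the checks need out of one peer's config."""
    p = {"rid": None, "vtep": None, "ospf": {}, "ports": {}, "alt": False}
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"conf\w*\s+ospf\s+routerid\s+(\S+)", line):
            p["rid"] = m[1]
        elif m := re.match(r"conf\w*\s+ospf\s+add\s+(?:vlan\s+)?(\S+)\s+area\b(.*)", line):
            p["ospf"][m[1]] = "passive" if "passive" in m[2].split() else "active"
        elif m := re.match(r"conf\w*\s+virtual-network\s+local-endpoint\s+ipaddress\s+(\S+)", line):
            p["vtep"] = m[1]
        elif m := re.match(r"conf\w*\s+(?:vlan\s+)?(\S+)\s+add\s+ports?\s+(\S+)", line):
            p["ports"].setdefault(m[1], set()).update(m[2].split(","))  # ranges not expanded
        elif re.match(r"conf\w*\s+mlag\s+peer\s+\S+\s+alternate\s+ipaddress\s+(?!none)", line):
            p["alt"] = True
    return p

def check_pair(left, right, isc_port="117"):
    """Return a list of findings; an empty list means the pair follows the advice."""
    a, b, out = parse(left), parse(right), []
    if not a["vtep"] or a["vtep"] != b["vtep"]:
        out.append("local-endpoint (VTEP) address must be set and identical on both peers")
    if not a["rid"] or not b["rid"] or a["rid"] == b["rid"]:
        out.append("OSPF router-id must be set and different on each peer")
    for name, p in (("left", a), ("right", b)):
        active = [v for v, state in p["ospf"].items() if state == "active"]
        if not any(isc_port in p["ports"].get(v, ()) for v in active):
            out.append(f"{name}: no OSPF-routed VLAN on ISC port {isc_port}")
        if len(active) > OSPF_LIMIT:
            out.append(f"{name}: {len(active)} non-passive OSPF interfaces, limit is {OSPF_LIMIT}")
        if p["alt"]:
            out.append(f"{name}: MLAG alternate IP is configured")
    return out

if __name__ == "__main__":
    l, r = (BASE.format(rid=i, vtep="198.51.100.10") for i in ("192.0.2.1", "192.0.2.2"))
    print(check_pair(l, r))  # routed-isc is not in OSPF here, so both peers are flagged
```

The parser also accepts the abbreviated forms used in the thread (`config`, no `vlan` keyword), so it can be pointed at the saved configuration text of each switch.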
I missed that adding passive interfaces doesn't count against the 4 ospf link limit. Thanks!

What I'm more curious about is the routed vlan over the ISC link, I'm not quite sure what that adds to the mlag configuration as a whole, and in my specific design I already have two uplinks on each switch to the L3 layer, so more redundancy might just complicate things.

Basically from how I figure it, the routed-isc link would be used if none of the other ospf links are available?
Userlevel 7
I believe it's in the event you lose your local link to the end-system (MLAG side) as well.
Userlevel 7
If one switch of the MLAG pair loses all uplinks, the transfer network across the ISC still connects it to the rest of the network via the other MLAG switch. This is important if only one uplink per MLAG switch is used (I would not recommend using only one uplink per switch).
Ah, so it's just more redundancy. The route-isc link in this example would just provide alternative paths to the L3 environment in case of a fault, and has nothing to do with the actual mlag synchronization?