In the last part, we got a single-tenant VRF working. In this part, we will split vlan 20 off into its own separate tenant to show a multi-tenant setup.

Let's remind ourselves of the topology:

All of the configuration below is for the Leaves in the topology.

Vlan Configuration

Firstly, we need to configure another L3VNI vlan for the routing in this new tenant. This configuration is for the leaves:

vlan 998
  vn-segment 100998

VRF Configuration

We also need another tenant VRF to be configured which will house the overlay routing:

vrf context OVERLAY-TENANT2
  vni 100998
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn

This configuration also brings in the EVPN information.

We should also move the SVI for Vlan 20 over to the new VRF and add the Layer 3 info back in, because changing the VRF membership of an interface removes its Layer 3 configuration:

interface Vlan20
  vrf member OVERLAY-TENANT2
  ip address 10.20.1.254/24
  fabric forwarding mode anycast-gateway

SVI and NVE Configuration

We also need to set up a new L3VNI SVI on the leaves. This duplicates what Vlan999 was used for in the last part. In a multi-tenant setup, each tenant needs its own separate L3VNI:

interface Vlan998
  no shutdown
  vrf member OVERLAY-TENANT2
  ip forward

We also need to add the VNI to the original nve interface:

interface nve1
  member vni 100998 associate-vrf

BGP Configuration

The final part is the BGP configuration. We need to add the new VRF, but also make sure we stop advertising the vlan 20 network in the other VRF:

router bgp 64500
  vrf OVERLAY-TENANT1
    address-family ipv4 unicast
      no network 10.20.1.0/24
  vrf OVERLAY-TENANT2
    log-neighbor-changes
    address-family ipv4 unicast
      network 10.20.1.0/24

Verification

At this point, we need to give BGP some time to converge and then we can see the separate BGP tables:

leaf-1# show bgp ipv4 unicast vrf OVERLAY-TENANT1 | beg Network
   Network            Next Hop            Metric     LocPrf     Weight Path
* i10.10.1.0/24       10.0.0.4                          100          0 i
* i                   10.0.0.5                          100          0 i
*>l                   0.0.0.0                           100      32768 i
*>i10.10.1.2/32       10.0.0.4                          100          0 i

leaf-1# show bgp ipv4 unicast vrf OVERLAY-TENANT2 | beg Network
   Network            Next Hop            Metric     LocPrf     Weight Path
* i10.20.1.0/24       10.0.0.5                          100          0 i
* i                   10.0.0.4                          100          0 i
*>l                   0.0.0.0                           100      32768 i
*>i10.20.1.2/32       10.0.0.4                          100          0 i
*>i10.20.1.3/32       10.0.0.5                          100          0 i

Here we can see that Leaf-1 knows about 10.20.1.0/24 (Vlan20) from leaf-2 and leaf-3, and that it's also being locally originated.
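
The same check can be automated as a tenant-isolation test. The Python below is an added example, not part of the original post: it parses the two leaf-1 tables shown above, including the continuation rows with a blank Network column, and reports any prefix in one tenant that overlaps the other tenant's address space. The function names are assumptions chosen for illustration.

```python
import ipaddress
import re

# leaf-1 output copied from the two tables shown above.
TENANT1 = """\
   Network            Next Hop            Metric     LocPrf     Weight Path
* i10.10.1.0/24       10.0.0.4                          100          0 i
* i                   10.0.0.5                          100          0 i
*>l                   0.0.0.0                           100      32768 i
*>i10.10.1.2/32       10.0.0.4                          100          0 i
"""
TENANT2 = """\
   Network            Next Hop            Metric     LocPrf     Weight Path
* i10.20.1.0/24       10.0.0.5                          100          0 i
* i                   10.0.0.4                          100          0 i
*>l                   0.0.0.0                           100      32768 i
*>i10.20.1.2/32       10.0.0.4                          100          0 i
*>i10.20.1.3/32       10.0.0.5                          100          0 i
"""

# Status flags, one path-type letter (i = internal, l = local), then an
# optional prefix and the next hop.
ROW = re.compile(r"^[*> ]{1,3}([a-z])(\d+\.\d+\.\d+\.\d+/\d+)?\s+(\d+\.\d+\.\d+\.\d+)")


def parse_bgp_table(text):
    """Return {prefix: [(path_type, next_hop), ...]} for one VRF table."""
    routes, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or blank line
        path_type, prefix, next_hop = m.groups()
        if prefix:  # a blank Network column continues the previous prefix
            current = ipaddress.ip_network(prefix)
        if current is not None:
            routes.setdefault(current, []).append((path_type, next_hop))
    return routes


def leaked_prefixes(table_a, table_b):
    """Prefixes in table_a that overlap any prefix held in table_b."""
    return sorted(a for a in table_a if any(a.overlaps(b) for b in table_b))


if __name__ == "__main__":
    t1, t2 = parse_bgp_table(TENANT1), parse_bgp_table(TENANT2)
    print("tenant1 prefixes in tenant2 space:", leaked_prefixes(t1, t2))
    print("tenant2 prefixes in tenant1 space:", leaked_prefixes(t2, t1))
```

An empty list in both directions means neither tenant table carries a route into the other tenant's address space.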

We should still have layer 2 connectivity within the VNIs, but layer 3 connectivity between the two vlans should now be broken because they reside in separate tenants:

server-0-vl10:~$ ping 10.20.1.3
PING 10.20.1.3 (10.20.1.3): 56 data bytes
^C
--- 10.20.1.3 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

This is what we expected: the tenants are now separate. However, there are ways to regain communication between the networks despite them being in different tenants, which may be required in some topologies. We will explore this in the next part.

