Damien Arnodo 1b918a4cbc feat: Add Infrahub Jinja2 transform for BGP configuration (#23) (#27)
## Summary

Closes #23. Implements a single unified `bgp_yang_transform` covering the complete BGP router stanza for all 10 fabric devices.

**Design decision:** One transform (one query + one template) rather than 4 separate transforms, because all BGP components (process config, peer groups, neighbors, AFs) live under a single `router bgp <ASN>` stanza and must be consistent. This avoids multiple API calls per device and keeps the data model coherent.

| File | Description |
|------|-------------|
| `infrahub/transforms/queries/bgp_intent.gql` | Unified GraphQL query — `InfraBGPRouterConfig` (with peer_groups, sessions) + `InfraBGPAddressFamily` (with active_peer_groups, active_sessions, networks, optional vrf) |
| `infrahub/transforms/templates/bgp_yang.j2` | Jinja2 template — renders `bgp.global`, `bgp.peer_groups`, `bgp.neighbors`, `bgp.address_families`, `bgp.vrf_neighbors`, `bgp.vrf_address_families`; returns `[]` for devices with no BGP config |
| `infrahub/transforms/tests/bgp_yang/test.yml` | Smoke check + unit render tests for leaf1, spine1, leaf7 |
| `infrahub/transforms/tests/bgp_yang/leaf1/` | 3 peer-groups, 5 global neighbors, 2 global AFs |
| `infrahub/transforms/tests/bgp_yang/spine1/` | 1 peer-group (evpn/next-hop-unchanged), 16 neighbors (8 direct underlay + 8 EVPN), IPv4 AF activates individual sessions |
| `infrahub/transforms/tests/bgp_yang/leaf7/` | leaf1 pattern + VRF gold border session (AS 64999) + VRF-scoped IPv4 unicast AF |
| `.infrahub.yml` | Registers `bgp_intent` query and `bgp_yang_transform` |

## Validation

| Device | Expected output |
|--------|----------------|
| `leaf1` | 3 peer-groups, 5 global neighbors (underlay×2, iBGP×1, EVPN×2), 2 AFs, empty VRF sections |
| `spine1` | 1 peer-group (evpn, next-hop-unchanged), 16 neighbors (8 direct with `remote_asn`, 8 EVPN via peer-group), IPv4 AF activates individual sessions |
| `leaf7` | Same as leaf1 (AS 65004) + `vrf_neighbors: [{10.90.90.1, AS 64999, VRF gold}]` + `vrf_address_families: [{ipv4, VRF gold, active_sessions: [10.90.90.1]}]` |

```bash
infrahubctl render bgp_yang_transform device_name=leaf1
infrahubctl render bgp_yang_transform device_name=spine1
infrahubctl render bgp_yang_transform device_name=leaf7
```

## Design notes

- Follows identical conventions to existing transforms (#20–#22)
- All optional relationships (`remote_asn`, `peer_group`, `vrf`, `peer_device`, `update_source`, etc.) wrapped in `is defined and is not none` guards
- `send_community` value `"none"` (schema default) is normalised to `null` in the output — keeps the rendered JSON clean for downstream consumers
- VRF-scoped sessions and AFs are separated into `vrf_neighbors` / `vrf_address_families` arrays, each entry carrying a `"vrf"` key, so the template consumer can trivially iterate per-VRF without filtering

Arista EVPN-VXLAN ContainerLab

A production-ready Arista BGP EVPN-VXLAN data center fabric topology using ContainerLab and cEOS.

🎯 Overview

This lab demonstrates a complete EVPN-VXLAN data center fabric with:

  • 2 Spine switches (BGP Route Reflectors)
  • 8 Leaf switches forming 4 VTEPs (MLAG pairs)
  • BGP EVPN overlay with L2/L3 VXLAN
  • MLAG configuration for high availability
  • Test hosts for validation

📐 Topology

🚀 Quick Start

Prerequisites

  • ContainerLab installed
  • Docker installed
  • Arista cEOS image: ceos:4.35.0

Deploy the Lab

```bash
# Clone the repository
git clone https://gitea.arnodo.fr/Damien/arista-evpn-vxlan-clab.git
cd arista-evpn-vxlan-clab

# Deploy the topology
sudo containerlab deploy -t evpn-lab.clab.yml

# Check status
sudo containerlab inspect -t evpn-lab.clab.yml
```

Access Devices

```bash
# SSH to any device (password: admin)
ssh admin@clab-arista-evpn-fabric-leaf1

# Or use docker exec
docker exec -it clab-arista-evpn-fabric-leaf1 Cli
```

📋 Configuration Details

AS Numbers

  • Spine: AS 65000
  • VTEP1 (Leaf1/2): AS 65001
  • VTEP2 (Leaf3/4): AS 65002
  • VTEP3 (Leaf5/6): AS 65003
  • VTEP4 (Leaf7/8): AS 65004

IP Addressing

Management Network

  • Subnet: 172.16.0.0/24
  • Spine1: 172.16.0.1
  • Spine2: 172.16.0.2
  • Leaf1-8: 172.16.0.25-32

Loopback Interfaces

  • Router-ID Loopbacks (Lo0): 10.0.250.0/24

    • Spine1: 10.0.250.1/32
    • Spine2: 10.0.250.2/32
    • Leaf1-8: 10.0.250.11-18/32
  • VTEP Loopbacks (Lo1): 10.0.255.0/24

    • VTEP1: 10.0.255.11/32
    • VTEP2: 10.0.255.12/32
    • VTEP3: 10.0.255.13/32
    • VTEP4: 10.0.255.14/32
  • Spine1 to Leafs: 10.0.1.0/31, 10.0.1.2/31, ... 10.0.1.14/31
  • Spine2 to Leafs: 10.0.2.0/31, 10.0.2.2/31, ... 10.0.2.14/31
  • MLAG iBGP peering: 10.0.3.0/31, 10.0.3.2/31, 10.0.3.4/31, 10.0.3.6/31

Host Network Addressing

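| Host | VLAN | VRF | IP Address | Gateway | Type |
|------|------|-----|------------|---------|------|
| host1 | 40 | default | 10.40.40.101/24 | - | L2 VXLAN |
| host2 | 34 | gold | 10.34.34.102/24 | 10.34.34.1 | L3 VXLAN |
| host3 | 40 | default | 10.40.40.103/24 | - | L2 VXLAN |
| host4 | 78 | gold | 10.78.78.104/24 | 10.78.78.1 | L3 VXLAN |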

Notes:

  • Host1 and Host3 are in VLAN 40 (L2 VXLAN only) and can communicate at Layer 2
  • Host2 and Host4 are in VRF "gold" with different subnets, communicating via EVPN Type-5 routes (L3 VXLAN)
  • All hosts use LACP bonding (802.3ad) with dual-homing to MLAG leaf pairs

VXLAN Network Identifiers (VNI)

L2 VNI (VLAN to VNI Mapping)

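| VLAN | Description | VNI | VTEPs | Route Target | Route Distinguisher |
|------|-------------|-----|-------|--------------|---------------------|
| 40 | test-l2-vxlan | 110040 | VTEP1, VTEP3 (Leaf1/2, Leaf5/6) | 40:110040 | 65001:110040, 65003:110040 |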

L2 VNI Details:

  • VLAN 40 is stretched across VTEP1 (Leaf1/2) and VTEP3 (Leaf5/6) for pure Layer 2 connectivity
  • Hosts in VLAN 40 (host1 and host3) communicate at Layer 2 across the EVPN fabric
  • EVPN Type-2 (MAC/IP) routes are used for MAC address learning and distribution

L3 VNI (VRF to VNI Mapping)

| VRF | Description | VNI | VTEPs | Route Target | VLANs |
|-----|-------------|-----|-------|--------------|-------|
| gold | L3 VRF for inter-subnet routing | 100001 | VTEP2, VTEP4 (Leaf3/4, Leaf7/8) | 1:100001 | 34, 78 |

L3 VNI Details:

  • VRF "gold" uses VNI 100001 for Layer 3 VXLAN routing between different subnets
  • VLAN 34 (10.34.34.0/24) on VTEP2 and VLAN 78 (10.78.78.0/24) on VTEP4 are both in VRF gold
  • EVPN Type-5 (IP Prefix) routes are used for inter-subnet routing
  • Each VTEP advertises its local subnets via EVPN, enabling routed connectivity between host2 and host4

VNI Summary

| VNI Type | VNI | Purpose | EVPN Route Type |
|----------|-----|---------|-----------------|
| L2 VNI | 110040 | Layer 2 extension for VLAN 40 | Type-2 (MAC/IP) |
| L3 VNI | 100001 | Layer 3 routing for VRF gold | Type-5 (IP Prefix) |

Features Implemented

Underlay

  • BGP IPv4 Unicast
  • ECMP with 4 paths
  • eBGP between Spine-Leaf
  • iBGP between MLAG pairs

Overlay

  • BGP EVPN address family
  • VXLAN data plane
  • EVPN Type-2 (MAC/IP routes)
  • EVPN Type-5 (IP Prefix routes)

High Availability

  • MLAG dual-homing
  • Dual-active detection
  • Anycast VTEP gateway

🧪 Testing & Validation

Verify BGP EVPN Neighbors

```
# On any spine
show bgp evpn summary

# On any leaf
show bgp evpn summary
```

Verify VXLAN

```
# Check VXLAN interface
show interface vxlan1

# Check remote VTEPs
show vxlan vtep

# Check VXLAN address table
show vxlan address-table
```

Verify MLAG

```
# Check MLAG status
show mlag

# Check MLAG interfaces
show mlag interfaces
```

Test Connectivity

L2 VXLAN Testing (VLAN 40)

Test Layer 2 connectivity between host1 and host3 across the EVPN fabric:

```bash
# From host1 to host3 (same VLAN 40, different VTEPs)
docker exec -it clab-arista-evpn-fabric-host1 ping -c 4 10.40.40.103

# Check host1 interface
docker exec -it clab-arista-evpn-fabric-host1 ip addr show bond0

# From host3 to host1
docker exec -it clab-arista-evpn-fabric-host3 ping -c 4 10.40.40.101
```

L3 VXLAN Testing (VRF gold)

Test Layer 3 connectivity between host2 and host4 in VRF "gold":

```bash
# From host2 to host4 (different subnets via EVPN Type-5)
docker exec -it clab-arista-evpn-fabric-host2 ping -c 4 10.78.78.104

# From host4 to host2
docker exec -it clab-arista-evpn-fabric-host4 ping -c 4 10.34.34.102

# Check routing table on hosts
docker exec -it clab-arista-evpn-fabric-host2 ip route
docker exec -it clab-arista-evpn-fabric-host4 ip route
```
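
The connectivity checks above can be run as one pass/fail matrix that also asserts which paths should stay closed between VLAN 40 and VRF gold. This is an added example, not part of the repository; container names and addresses come from this README, the two `deny` rows are an assumption drawn from the host table (host1 and host3 have no gateway and sit outside VRF gold), and `docker exec` is called without `-it` because a script has no TTY.

```shell
#!/bin/sh
# Added example: expected-reachability matrix for the four lab hosts.
# "allow" rows mirror the README's ping tests. "deny" rows are an ASSUMPTION
# derived from the host table, not a result documented by the project.

PREFIX="clab-arista-evpn-fabric"

# source-host  destination-ip  expected-result
MATRIX="
host1 10.40.40.103 allow
host3 10.40.40.101 allow
host2 10.78.78.104 allow
host4 10.34.34.102 allow
host1 10.34.34.102 deny
host3 10.78.78.104 deny
"

# probe SRC DST: prints "allow" if DST answers a ping sent from SRC, else "deny"
probe() {
  if docker exec "${PREFIX}-$1" ping -c 2 -W 2 "$2" >/dev/null 2>&1; then
    echo allow
  else
    echo deny
  fi
}

# run_matrix: prints one PASS/FAIL line per row, returns the mismatch count
run_matrix() {
  local failures=0 src dst want got
  while read -r src dst want; do
    [ -z "$src" ] && continue          # skip the blank first and last lines
    got=$(probe "$src" "$dst")
    if [ "$got" = "$want" ]; then
      echo "PASS $src -> $dst ($got)"
    else
      echo "FAIL $src -> $dst (expected $want, got $got)"
      failures=$((failures + 1))
    fi
  done <<EOF
$MATRIX
EOF
  return "$failures"
}

# Probes run only when the script is called with the argument "run".
if [ "${1:-}" = "run" ]; then run_matrix; fi
```

Call the script with the argument `run` after the lab is deployed; its exit status is the number of rows that did not match, so a non-zero status on a `deny` row means traffic crossed between VLAN 40 and VRF gold.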

Verify EVPN Routes on Switches

```
# Check EVPN Type-2 routes (MAC/IP) - for VLAN 40
ssh admin@clab-arista-evpn-fabric-leaf1
show bgp evpn route-type mac-ip

# Check EVPN Type-5 routes (IP Prefix) - for VRF gold
ssh admin@clab-arista-evpn-fabric-leaf3
show bgp evpn route-type ip-prefix ipv4

# Verify VXLAN learned MACs
show vxlan address-table

# Check MAC addresses learned via EVPN
show mac address-table
```

📁 Repository Structure

```
arista-evpn-vxlan-clab/
├── README.md                    # This file
├── TROUBLESHOOTING.md           # Troubleshooting guide
├── END_TO_END_TESTING.md        # Testing procedures
├── evpn-lab.clab.yml            # ContainerLab topology
├── configs/                     # Device configurations
│   ├── spine1.cfg
│   ├── spine2.cfg
│   ├── leaf1.cfg
│   ├── leaf2.cfg
│   ├── leaf3.cfg
│   ├── leaf4.cfg
│   ├── leaf5.cfg
│   ├── leaf6.cfg
│   ├── leaf7.cfg
│   └── leaf8.cfg
└── hosts/                       # Host interface configurations
    ├── README.md
    ├── host1_interfaces
    ├── host2_interfaces
    ├── host3_interfaces
    └── host4_interfaces
```

🗑️ Cleanup

```bash
# Destroy the lab
sudo containerlab destroy -t evpn-lab.clab.yml

# Destroy the lab and also delete the lab directory that containerlab generated
sudo containerlab destroy -t evpn-lab.clab.yml --cleanup
```

Description
ContainerLab topology for Arista EVPN-VXLAN data center fabric with BGP underlay/overlay, MLAG, and L2/L3 VXLAN examples