Configure Fabric Extend Logical Interfaces

Configure a Fabric Extend (FE) logical interface using the procedure that applies to your deployment.

Configure Fabric Extend Logical Interfaces for Native Support

Use this procedure to configure the Fabric Extend logical interface for all VOSS switches except the VSP 4450 Series.

Configuring Fabric Extend (FE) consists of two primary tasks: configuring the tunnel source address and configuring the logical interface. These tasks must be completed on both ends of the tunnel.

Before you begin

Configure the Fabric Extend tunnel with a tunnel source IP address. See Configure Fabric Extend Tunnels.

About this task

VRF is an optional parameter. If you do not configure a VRF, then FE uses the GRT.

For a logical IS-IS interface, Layer 2 and Layer 3 refer to the following use cases:

  • Layer 2 — Fabric Extend VID (FE-VID)

  • Layer 3 — Fabric Extend IP (FE-IP)

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select IS-IS.
  3. Select the Logical Interfaces tab.
  4. Select Insert.
  5. For Id, type the index number that uniquely identifies this logical interface.
  6. For Name, type the name of this logical interface.
  7. For Type, select the type of core network that the tunnel will traverse:
    Note

    Different fields are available depending on the type of core network you select.

    • If it is a Layer 2 Core, select layer2.
    • If it is a Layer 3 Core, select ip.
  8. Optional: For BFDEnable, select enable to enable BFD.
  9. For a Layer 2 Core, configure the following fields:
    Note

    This step does not apply to XA1400 Series.

    1. For DestIfIndex, select the physical port that the logical interface connects to or enter the name of the MLT.
    2. For Vids, type the list of VLANs for this logical interface.
    3. For PrimaryVid, type the primary tunnel VLAN ID.
      Note

      The primary VLAN ID must be one of the VIDs listed in the Vids field.

  10. For a Layer 3 Core, complete the following fields:
    1. For DestIPAddr, type the destination IP address for the logical interface.
    2. For ISIS Mtu, enter the Maximum Transmission Unit value, in bytes.
      Note

      Fabric Extend Tunnel IS-IS MTU configuration is added to the document in advance of Fabric Extend Integration with ExtremeCloud SD-WAN support. Feature support is planned for 8.10.1.

      Note

      This step does not apply to XA1400 Series.

  11. Optional: Configure a parallel tunnel for Fabric Extend:
    Note

    This step only applies to VSP 4900 Series and VSP 7400 Series.

    1. For SrcIPAddr, type the source address for the parallel tunnel.
    2. For NextHopVrf, select the VRF name to reach the logical tunnel destination IP associated with the parallel tunnel.
    3. Select Apply.
  12. For XA1400 Series only, make the following selections:
    1. For Compression, select whether to enable compression for a Fabric Extend over IPsec connection.
    2. For IpsecEnable, select whether to enable a Fabric Extend over IPsec connection for the logical interface.
    3. For IpsecAuthMethod, select the IPsec authentication method.
    4. For a pre-shared key, in AuthenticationKey, type the authentication key to secure the Fabric Extend over IPsec connection for the logical interface.
    5. For ShapingRate, type the value in Mbps of the shaper used for Egress Tunnel Shaping.
    6. For Mtu, type a value to specify the size of the maximum transmission unit (MTU).
    7. For Esp, select the Encapsulating Security Payload (ESP) cipher suite for IPsec.
      Note

      You cannot change the ESP cipher suite when IPsec is enabled on the FE tunnel.

    8. For IpsecTunnelDestAddress, type the destination IP address for the IPsec tunnel.
    9. For TunnelSourceType, select the source type for the IPsec tunnel.
    10. For TunnelSourceAddress, type the source IP address for the IPsec tunnel.
    11. If you are using a VRF, for TunnelVrf, type the VRF name for the source IPsec tunnel.
  13. Select Insert.

What to do next

Configure Fabric Extend on the switch at the other end of the tunnel. Use the procedures that apply to that model of switch.

Configure Fabric Extend Logical Interfaces for ONA Support

Use this procedure to configure the Fabric Extend logical interface on VSP 4450 Series. The VSP 4450 Series source address command differs from that of other platforms. The logical interface commands differ between Layer 2 and Layer 3 networks.

Configuring Fabric Extend consists of two primary tasks: configuring the tunnel source address and configuring the logical interface. These tasks must be completed on both ends of the tunnel.

About this task

Note

The interface VLAN that connects to the ONA network port is always in the GRT, and the member port that the VLAN is part of is always an access port.

VRF is an optional parameter. If you do not configure a VRF, then FE uses the GRT.

For a logical IS-IS interface, Layer 2 and Layer 3 refer to the following use cases:

  • Layer 2 — Fabric Extend VID (FE-VID)

  • Layer 3 — Fabric Extend IP (FE-IP)

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select IS-IS.
  3. Select the Logical Interfaces tab.
  4. Select Insert.
  5. In Id, type the index number that uniquely identifies this logical interface.
  6. For Name, type the name of this logical interface.
  7. For Type, select the type of core network that the tunnel will traverse:
    Note

    Different fields will be available depending on the type of core network you select.

    • If it is a Layer 2 Core, select layer2.
    • If it is a Layer 3 Core, select ip.
  8. For a Layer 2 Core, complete the following fields:
    1. For DestIfIndex, select the physical port that the logical interface connects to or enter the name of the MLT.
    2. In Vids, type the list of VLANs for this logical interface.
    3. In PrimaryVid, type the primary tunnel VLAN ID.
      Note

      The primary VLAN ID must be one of the VIDs listed in the Vids field.

  9. For a Layer 3 Core, configure the following fields:
    1. In DestIPAddr, type the destination IP address for the logical interface.
    2. For ISIS Mtu, enter the Maximum Transmission Unit value, in bytes.
  10. Select Insert.

What to do next

Configure Fabric Extend on the switch at the other end of the tunnel. Use the procedures that apply to that model of switch.

Logical Interfaces Field Descriptions

Use the data in the following table to complete the Logical Interfaces tab and the Insert Logical Interfaces dialog. The available fields in the dialog differ depending on the type of core you select: layer 2 or ip.

Name

Description

Id

Specifies the index number that uniquely identifies this logical interface.

This field displays on the Insert Logical Interfaces dialog only.

IfIndex

Specifies the index number that uniquely identifies this logical interface. This field is read-only.

This field displays on the Logical Interfaces tab only.

Name

Specifies the administratively assigned name of this logical interface, which can be up to 64 characters.

Type

Note:

Exception: Type Layer 2 is not supported on XA1400 Series.

Specifies the type of logical interface to create:

  • Specify layer 2 for a Layer 2 core network that the tunnel will traverse.

  • Specify ip for a Layer 3 core network that the tunnel will traverse.

DestIPAddr

Specifies the destination IP address for the IP-type logical interface.

DestIfIndex

Note:

Exception: Not supported on XA1400 Series.

Specifies the physical port or MultiLink Trunking (MLT) that the Layer 2 logical interface is connected to.

Vids

Note:

Exception: Not supported on XA1400 Series.

Specifies the list of VLANs that are associated with this logical interface.

PrimaryVid

Note:

Exception: Not supported on XA1400 Series.

Specifies the primary tunnel VLAN ID associated with this Layer 2 Intermediate-System-to-Intermediate-System (IS-IS) logical interface.

ISIS MTU

Note:

Fabric Extend Tunnel IS-IS MTU configuration is added to the document in advance of Fabric Extend Integration with ExtremeCloud SD-WAN support. Feature support is planned for 8.10.1.

Specifies the Maximum Transmission Unit (MTU) size in bytes for IS-IS packets that use this logical interface. The default value is 1600.

This field is not supported for XA1400 Series.

CircIndex

Identifies the IS-IS circuit created under the logical interface.

This field displays on the Logical Interfaces tab only.

NextHopVrf

Note:

Exception: Not supported on XA1400 Series.

Displays the next-hop VRF name to reach the logical tunnel destination IP.

This field displays on the Logical Interfaces tab only.

You can use this field to specify the VRF to reach the logical tunnel destination IP associated with a parallel tunnel.

IpsecEnable

Note:

Exception: Only supported on XA1400 Series.

Specifies whether the logical interface should use IPsec.

AuthenticationKey

Note:

Exception: Only supported on XA1400 Series.

Specifies the authentication key of this logical interface, which can be up to 32 characters.

ShapingRate

Note:

Exception: Only supported on XA1400 Series.

Specifies the value, in Mbps, of the Egress Tunnel Shaper applied to the logical interface.

Mtu

Note:

Exception: Only supported on XA1400 Series.

Specifies the Maximum Transmission Unit (MTU) size in bytes for the logical interface. The default MTU value is 1950.

IpsecTunnelDestAddress

Note:

Exception: Only supported on XA1400 Series.

Specifies the destination IP address for the IPsec tunnel.

Note:

When you configure the destination IP address for the IPsec tunnel, IKE protocol uses UDP port 500. However, if IPsec NAT-T is detected, IKE protocol uses UDP port 4500 instead.

BfdEnable

Note:

Exception: Not supported on VSP 8600 Series or XA1400 Series.

Enables or disables BFD on an IS-IS Logical Interface.

IpsecResponderOnly

Note:

Exception: Only supported on XA1400 Series.

Specifies whether the device is a Responder device in an IPsec Network Address Translation Traversal (NAT-T) connection.

IpsecRemoteNatIPAddr

Note:

Exception: Only supported on XA1400 Series.

Specifies the public IP address of the NAT router connected to the Responder device in an IPsec NAT-T connection.

Note:

When you configure the IPsec remote NAT IP address, IKE protocol uses UDP port 4500.

IpsecAuthMethod

Note:

Exception: Only supported on XA1400 Series.

Configures the IPsec authentication method for the tunnel as either a pre-shared key or RSA signature for digital certificates. The default is pre-shared key.

CertSubjectName

Note:

Exception: Only supported on XA1400 Series.

Specifies the digital certificate subject name used as the identity certificate.

Compression

Note:

Exception: Only supported on XA1400 Series.

Reduces the size of the IP datagram to improve the communication performance between hosts connected behind Backbone Edge Bridges (BEB).

Tip:

As a best practice, use IPsec compression only for Fabric Extend tunnels where latency is greater than 70 ms.

FragmentBeforeEncrypt

Note:

Exception: Only supported on XA1400 Series.

Enables or disables the fragmentation of packets before IPsec encryption on the tunnel. By default, fragmentation before encryption is disabled.

TunnelSourceType

Note:

Exception: Only supported on XA1400 Series.

Specifies the type of source IP address for the IPsec tunnel.

  • global specifies the tunnel source address configured in the IpTunnelSourceAddress field of the ISIS Globals tab.
  • static specifies the manually configured source IP address for the IPsec tunnel.
  • dhcp specifies the source IP address automatically obtained from the management IP assigned through DHCP.

The default is global.

TunnelSourceAddress

Note:

Exception: Only supported on XA1400 Series.

Specifies the source IP address for the IPsec tunnel.

TunnelVrf

Note:

Exception: Only supported on XA1400 Series.

Specifies the VRF name associated with the IPsec tunnel.

Esp

Note:

Exception: Only supported on XA1400 Series.

Specifies the Encapsulating Security Payload (ESP) cipher suite for IPsec.

  • aes128gcm16-sha256 specifies the AES cipher with a 128-bit encryption key and GCM block mode.
  • aes256-sha256 specifies the AES cipher with a 256-bit encryption key and CBC block mode (for QAT performance mode).
  • aes256gcm16-sha256 specifies the AES cipher with a 256-bit encryption key and GCM block mode.

The default value is aes128gcm16-sha256.

SrcIPAddr

Note:

Exception: Only supported on VSP 4900 Series and VSP 7400 Series.

Configures an additional source address to use as the parallel tunnel to create a backup adjacency.

Note:

To use an IPsec-encrypted tunnel as the parallel tunnel, ensure that you configure the same source IP address on the logical IS-IS interface and in the Fabric IPsec Gateway virtual machine.

Origin

Specifies the origin of the IS-IS logical interface configuration, either through Zero Touch Fabric Configuration (ZTF) or manual configuration (config) through CLI or EDM.
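
The platform exceptions, length limits, and cipher suite list in the table above can be checked against a planned configuration before it is entered in EDM. The following is an added example, not Extreme Networks code: dictionary keys mirror the EDM field names, while the platform key and its labels, the value types, and the function names are assumptions.

```python
# Added example, not vendor code. Dict keys mirror the EDM field names;
# the "platform" key, its labels and both function names are assumptions.
ESP_SUITES = {"aes128gcm16-sha256", "aes256-sha256", "aes256gcm16-sha256"}
XA_ONLY = {"IpsecEnable", "AuthenticationKey", "ShapingRate", "Mtu", "Esp",
           "IpsecTunnelDestAddress", "IpsecResponderOnly", "Compression",
           "IpsecRemoteNatIPAddr", "IpsecAuthMethod", "CertSubjectName",
           "FragmentBeforeEncrypt", "TunnelSourceType", "TunnelSourceAddress",
           "TunnelVrf"}
NOT_XA = {"DestIfIndex", "Vids", "PrimaryVid", "ISIS Mtu", "NextHopVrf",
          "BfdEnable"}


def check_logical_interface(cfg):
    """Return findings for one planned interface; empty list means clean."""
    out, plat, typ = [], cfg.get("platform"), cfg.get("Type")
    xa = plat == "XA1400"
    if typ not in ("layer2", "ip"):
        out.append("Type must be layer2 or ip")
    elif xa and typ == "layer2":
        out.append("Type layer2 is not supported on XA1400 Series")
    bad = NOT_XA if xa else XA_ONLY
    word = "not supported" if xa else "only supported"
    out += [f"{f} is {word} on XA1400 Series" for f in sorted(bad & set(cfg))]
    if plat == "VSP 8600" and "BfdEnable" in cfg:
        out.append("BfdEnable is not supported on VSP 8600 Series")
    if "SrcIPAddr" in cfg and plat not in ("VSP 4900", "VSP 7400"):
        out.append("SrcIPAddr is only supported on VSP 4900/7400 Series")
    for f, n in (("Name", 64), ("AuthenticationKey", 32)):
        if len(cfg.get(f, "")) > n:
            out.append(f"{f} is longer than {n} characters")
    if typ == "layer2" and cfg.get("PrimaryVid") not in cfg.get("Vids", []):
        out.append("PrimaryVid must be one of the VIDs listed in Vids")
    if "Esp" in cfg and cfg["Esp"] not in ESP_SUITES:
        out.append("Esp is not one of the listed cipher suites")
    return out


def ike_udp_port(cfg):
    """IKE UDP port per the page: 4500 with a remote NAT address, else 500."""
    if not cfg.get("IpsecEnable"):
        return None
    return 4500 if cfg.get("IpsecRemoteNatIPAddr") else 500


# Constructed sample plans (documentation-range address, made-up names).
XA_PLAN = {"platform": "XA1400", "Type": "ip", "Name": "fe-to-hq",
           "DestIPAddr": "192.0.2.1", "IpsecEnable": True,
           "Esp": "aes256gcm16-sha256", "AuthenticationKey": "k" * 33}
L2_PLAN = {"platform": "VSP 7400", "Type": "layer2", "Name": "fe-l2",
           "DestIfIndex": "1/1", "Vids": [100, 101], "PrimaryVid": 200}
```

The port returned for a plan without a remote NAT address is the starting value only; as the IpsecTunnelDestAddress note states, IKE moves to UDP port 4500 if NAT-T is detected, so upstream filtering rules need to account for both.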