Page MenuHomePhabricator
Create Task
Maniphest T420351

Drain ssw1-d8-eqiad and reset BGP EVPN sessions to force new vxlan tunnel establishment
Closed, ResolvedPublic
Actions

Description

Similar to the work done under T420180 this task will focus on draining traffic through ssw1-d8-eqiad (and thus via cr2-eqiad), so we can proceed and reset BGP sessions from Nokia leaf switches in rows C/D which have an invalid vxlan tunnel id to it, triggering the DHCP bug described in the parent task.

Process
  • Set cr1 to be VRRP master for all vlans P89874
    • This will ensure row a/b hosts send traffic to cr1, which will then route to ssw1-d1
    • It will ensure that only ssw1-d1 learns the VRRP GW MAC for the row c/d vlans, so leaf switches will not see route to it from ssw1-d8
  • Disable VRRP for row-wide vlan sub-interfaces of cr2-eqiad et-1/0/5 - P89872
    • This is needed as we don't want to create a VRRP "split brain" scenario (P89795)
  • Increase the OSPF cost on the far-side of all transport links terminating on cr2
    • This will ensure traffic from other sites to row c/d vlans should instead arrive on cr1, and take path out via ssw1-d1
  • Set 'graceful-shutdown' for all server BGP groups on cr2-eqiad, to lower local pref for routes learnt P89873
    • This will make cr2 prefer the routes hosts are announcing to cr1 via the IBGP route
  • Also set 'graceful-shutdown' for internet-facing BGP groups on cr2-eqiad and pre-pend out P89873
    • This will shift incoming traffic for the public1-c-eqiad and public1-d-eqiad ranges to come in on cr1, and use ssw1-d1
  • Disable the EVPN IBGP peering between ssw1-d8 and ssw1-d1:
    • ssw1-d8: set / network-instance default protocols bgp neighbor 10.64.128.17 admin-state disable
    • This ensures that ssw1-d1 does not reflect routes from ssw1-d8 to leafs
    • Which means clearing ssw1-d8 BGP session to leaf will remove all routes using it as next-hop
  • Adjust the ssw1-d8 BGP config to not accept or announce any routes to cr2 or other row e/f spines
    • By changing the import/export policies to 'NONE' - P89816
  • Adjust the cr2 BGP policy for row e/f and cloudsw to not export directly connected routes
    • cr2-eqiad: delete policy-options policy-statement Switch_out term direct
    • This ensures no L3 switches will use cr2 to get to row c/d vlans, instead they will use cr1 uplink

Once complete we should be able to observe there is no traffic on cr2-eqiad et-1/0/5. Provided that is the case we can proceed on the leaf switches in rows C and D and reset the BGP peering to ssw1-d8-eqiad without interrupting traffic flows.

Related Objects
Search...

Event Timeline

cmooney created this task.Mar 17 2026, 1:43 PM
cmooney triaged this task as Medium priority.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 17 2026, 1:43 PM
cmooney added a parent task: T411054: Nokia SR-Linux DHCP Relay Bug.Mar 17 2026, 1:43 PM
Stashbot added a comment.Mar 17 2026, 2:05 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-17T14:05:14Z] <topranks> setting cr1-eqiad as VRRP master for all vlans T420351

Stashbot added a comment.Mar 17 2026, 2:13 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-17T14:13:43Z] <topranks> disable VRRP on cr2-eqiad interfaces facing ssw1-d8-eqiad T420351

Stashbot added a comment.Mar 17 2026, 2:27 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-17T14:27:29Z] <topranks> de-pref internet circuits landing on cr2-eqiad to shift traffic to cr1 T420351

Stashbot added a comment.Mar 17 2026, 2:40 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-17T14:40:44Z] <topranks> disabling EVPN IBGP peering from ssw1-d8-eqiad to ssw1-d1-eqiad to stop them reflecting routes T420351

Stashbot added a comment.Mar 17 2026, 2:44 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-17T14:44:20Z] <topranks> stop announcing "direct" routes to ssw1-d8-eqiad from cr2-eqiad T420351

Stashbot added a comment.Mar 17 2026, 2:49 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-17T14:49:58Z] <topranks> stop announcing routes from ssw1-d8-eqiad to external peers (cr2-eqiad, other spines) T420351

Stashbot added a comment.Mar 17 2026, 2:51 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-17T14:51:54Z] <topranks> stop accepting routes on ssw1-d8-eqiad from external peers (cr2-eqiad, other spines) T420351

cmooney closed this task as Resolved.Mar 17 2026, 3:13 PM

Ok this work is now complete. Only had to reset the tunnel on lsw1-d4-eqiad it was the only one with an ID of '1' going to ssw1-d8.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits