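Configuring Huawei Switches for DCI Interconnection over End-to-End VXLAN

Configure an end-to-end VXLAN tunnel so that VMs in different data centers can communicate with each other.

Applicable Products and Versions

CE12800, CE12800E, CE8800, CE7800, and CE6800 (except CE6850EI, CE6810EI, and CE6810LI) series products running V200R002C50 or a later version.

Networking Requirements

As shown in Figure 1-13, an enterprise has its own VMs in different data centers. VMa1 on Server 1 belongs to VLAN 10, VMb2 on Server 2 belongs to VLAN 20, and the two VMs are on different network segments. Using VXLAN distributed gateways, BGP EVPN must be configured on Leaf1 in data center A and Leaf4 in data center B to create a VXLAN tunnel, so that VMa1 in data center A and VMb2 in data center B can communicate end to end.

Figure 1-13 End-to-end VXLAN networking diagram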

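Configuration Roadmap

The configuration roadmap for end-to-end VXLAN is as follows:

  1. Configure IP addresses for each node.
  2. Configure routing so that the nodes can reach each other.
  3. In data center A and data center B, configure BGP EVPN to create distributed-gateway VXLAN tunnels; create IBGP peers within data center A and within data center B.
  4. Create EBGP peers on Leaf2 and Leaf3.
  5. Configure BGP EVPN on Leaf1 and Leaf4 to create the VXLAN tunnel.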

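Data Preparation

To complete this configuration example, prepare the following data:

  • VLAN IDs to which the VMs belong.
  • Broadcast domain (BD) IDs.
  • VXLAN network identifiers (VNIs) and the VNI IDs of the VPN instances.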

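Procedure

  1. Configure IP addresses for the interfaces and loopback interfaces of each node. Configure the IP address and mask of each interface. For the detailed configuration, see the configuration files.
  2. Configure routing protocols. Configure an IGP within each data center (this example uses OSPF), and configure BGP between the data centers.
  3. For the detailed configuration, see the configuration files.
  4. Configure the VXLAN tunnel mode and enable the VXLAN ACL extension function (this step is required only on CE12800, CE6870EI, and CE6875EI devices).

# Configure Leaf1. The configuration of Leaf4 is similar to that of Leaf1 and is not described here.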

[~Leaf1] ip tunnel mode vxlan

[*Leaf1] assign forward nvo3 acl extend enable

[*Leaf1] commit

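Note:

After the VXLAN tunnel mode is configured and the VXLAN ACL extension function is enabled, you must save the configuration and restart the device for the settings to take effect. You can restart immediately or after all configuration is complete.

Configure BGP peers

Configure IBGP peers within data center A and within data center B

# Configure Leaf1.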

[~Leaf1] bgp 100 instance evpn1

[*Leaf1-bgp-instance-evpn1] peer 6.6.6.6 as-number 100

[*Leaf1-bgp-instance-evpn1] peer 6.6.6.6 connect-interface LoopBack 0

[*Leaf1-bgp-instance-evpn1] commit

[~Leaf1-bgp] quit

# Configure Leaf2.

[~Leaf2] bgp 100 instance evpn1

[*Leaf2-bgp-instance-evpn1] peer 5.5.5.5 as-number 100

[*Leaf2-bgp-instance-evpn1] peer 5.5.5.5 connect-interface LoopBack 0

[*Leaf2-bgp-instance-evpn1] commit

[~Leaf2-bgp] quit

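The configuration of Leaf3 is similar to that of Leaf2, and the configuration of Leaf4 is similar to that of Leaf1; they are not described here. The detailed procedure is omitted; see the configuration files.

Configure EBGP peers on Leaf2 and Leaf3

# Configure Leaf2.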

[~Leaf2] bgp 100 instance evpn1

[~Leaf2-bgp-instance-evpn1] peer 7.7.7.7 as-number 200

[*Leaf2-bgp-instance-evpn1] peer 7.7.7.7 connect-interface LoopBack 0

[*Leaf2-bgp-instance-evpn1] peer 7.7.7.7 ebgp-max-hop 255

[*Leaf2-bgp] commit

[~Leaf2-bgp] quit

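The configuration of Leaf3 is similar to that of Leaf2 and is not described here. The detailed procedure is omitted; see the configuration files.

Enable EVPN on the leaf nodes and configure EVPN peers.

Configure service access points on the leaf nodes

# Configure Leaf1.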

[~Leaf1] bridge-domain 10

[*Leaf1-bd10] quit

[*Leaf1] interface 10ge 1/0/2.1 mode l2

[*Leaf1-10GE1/0/2.1] encapsulation dot1q vid 10

[*Leaf1-10GE1/0/2.1] bridge-domain 10

[*Leaf1-10GE1/0/2.1] quit

[~Leaf1] commit

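The configuration of Leaf4 is similar to that of Leaf1 and is not described here. The detailed procedure is omitted; see the configuration files.

Enable EVPN on Leaf1, Leaf2, Leaf3, and Leaf4

# Configure Leaf1.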

[~Leaf1] evpn-overlay enable

[*Leaf1] commit

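The configurations of Leaf2, Leaf3, and Leaf4 are similar to that of Leaf1 and are not described here. The detailed procedure is omitted; see the configuration files.

Configure IBGP EVPN peer relationships between Leaf1 and Leaf2 and between Leaf3 and Leaf4

# Configure Leaf1.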

[~Leaf1] bgp 100 instance evpn1

[~Leaf1-bgp-instance-evpn1] l2vpn-family evpn

[*Leaf1-bgp-instance-evpn1-af-evpn] peer 6.6.6.6 enable

[*Leaf1-bgp-instance-evpn1-af-evpn] quit

[*Leaf1-bgp-instance-evpn1] quit

[*Leaf1] commit

# Configure Leaf2.

[~Leaf2] bgp 100 instance evpn1

[~Leaf2-bgp-instance-evpn1] l2vpn-family evpn

[*Leaf2-bgp-instance-evpn1-af-evpn] peer 5.5.5.5 enable

[*Leaf2-bgp-instance-evpn1-af-evpn] peer 5.5.5.5 next-hop-invariable

[*Leaf2-bgp-instance-evpn1-af-evpn] quit

[*Leaf2-bgp-instance-evpn1] quit

[*Leaf2] commit

# Configure Leaf3.

[~Leaf3] bgp 200 instance evpn1

[~Leaf3-bgp-instance-evpn1] l2vpn-family evpn

[*Leaf3-bgp-instance-evpn1-af-evpn] peer 8.8.8.8 enable

[*Leaf3-bgp-instance-evpn1-af-evpn] peer 8.8.8.8 next-hop-invariable

[*Leaf3-bgp-instance-evpn1-af-evpn] quit

[*Leaf3-bgp-instance-evpn1] quit

[*Leaf3] commit

# Configure Leaf4.

[~Leaf4] bgp 200 instance evpn1

[~Leaf4-bgp-instance-evpn1] l2vpn-family evpn

[*Leaf4-bgp-instance-evpn1-af-evpn] peer 7.7.7.7 enable

[*Leaf4-bgp-instance-evpn1-af-evpn] quit

[*Leaf4-bgp-instance-evpn1] quit

[*Leaf4] commit

Configure an EBGP EVPN peer relationship between Leaf2 and Leaf3

# Configure Leaf2.

[~Leaf2] bgp 100 instance evpn1

[~Leaf2-bgp-instance-evpn1] l2vpn-family evpn

[*Leaf2-bgp-instance-evpn1-af-evpn] undo policy vpn-target

[*Leaf2-bgp-instance-evpn1-af-evpn] peer 7.7.7.7 enable

[*Leaf2-bgp-instance-evpn1-af-evpn] peer 7.7.7.7 next-hop-invariable

[*Leaf2-bgp-instance-evpn1-af-evpn] quit

[*Leaf2-bgp-instance-evpn1] quit

[*Leaf2] commit

# Configure Leaf3.

[~Leaf3] bgp 200 instance evpn1

[~Leaf3-bgp-instance-evpn1] l2vpn-family evpn

[*Leaf3-bgp-instance-evpn1-af-evpn] undo policy vpn-target

[*Leaf3-bgp-instance-evpn1-af-evpn] peer 6.6.6.6 enable

[*Leaf3-bgp-instance-evpn1-af-evpn] peer 6.6.6.6 next-hop-invariable

[*Leaf3-bgp-instance-evpn1-af-evpn] quit

[*Leaf3-bgp-instance-evpn1] quit

[*Leaf3] commit

Create a VXLAN tunnel between Leaf1 and Leaf4.

Configure VPN instances and EVPN instances on the leaf nodes

# Configure Leaf1.

[~Leaf1] ip vpn-instance vpn1

[*Leaf1-vpn-instance-vpn1] vxlan vni 5010

[*Leaf1-vpn-instance-vpn1] ipv4-family

[*Leaf1-vpn-instance-vpn1-af-ipv4] route-distinguisher 11:11

[*Leaf1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1

[*Leaf1-vpn-instance-vpn1-af-ipv4] vpn-target 11:1 evpn

[*Leaf1-vpn-instance-vpn1-af-ipv4] quit

[*Leaf1-vpn-instance-vpn1] quit

[*Leaf1] bridge-domain 10

[*Leaf1-bd10] vxlan vni 10

[*Leaf1-bd10] evpn

[*Leaf1-bd10-evpn] route-distinguisher 10:1

[*Leaf1-bd10-evpn] vpn-target 10:1

[*Leaf1-bd10-evpn] vpn-target 11:1 export-extcommunity

[*Leaf1-bd10-evpn] quit

[*Leaf1-bd10] quit

[*Leaf1] commit

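The configuration of Leaf4 is similar to that of Leaf1 and is not described here. The detailed procedure is omitted; see the configuration files.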
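Why the bridge domain also exports 11:1, shown as an added example (not part of the original page or of Huawei's documentation): the script reads the vpn-target lines from the Leaf1 and Leaf4 configuration files at the end of this page and reports which instance on the remote leaf imports the EVPN routes a bridge domain exports. The function names and the reduced excerpts are this example's own; it assumes that under a VPN instance only RTs marked evpn apply to EVPN routes.

```python
import re

# vpn-target lines copied from the Leaf1 and Leaf4 configuration files on this
# page, reduced to the section headers and RT statements.
CONFIGS = {
    "Leaf1": """ip vpn-instance vpn1
vpn-target 1:1 export-extcommunity
vpn-target 11:1 export-extcommunity evpn
vpn-target 1:1 import-extcommunity
vpn-target 11:1 import-extcommunity evpn
bridge-domain 10
vpn-target 10:1 export-extcommunity
vpn-target 11:1 export-extcommunity
vpn-target 10:1 import-extcommunity""",
    "Leaf4": """ip vpn-instance vpn1
vpn-target 4:4 export-extcommunity
vpn-target 11:1 export-extcommunity evpn
vpn-target 4:4 import-extcommunity
vpn-target 11:1 import-extcommunity evpn
bridge-domain 20
vpn-target 40:1 export-extcommunity
vpn-target 11:1 export-extcommunity
vpn-target 40:1 import-extcommunity""",
}
RT_LINE = re.compile(r"vpn-target (\S+) (export|import)-extcommunity( evpn)?$")

def evpn_rts(text):
    """Return {section: {"export": set, "import": set}} of RTs that apply to EVPN routes."""
    out, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = RT_LINE.match(line)
        if m is None:
            section = line  # a header such as "bridge-domain 10"
            out[section] = {"export": set(), "import": set()}
        # Assumption: in a VPN instance only RTs flagged "evpn" apply to EVPN
        # routes; in a bridge domain's evpn view every RT does.
        elif section.startswith("bridge-domain") or m.group(3):
            out[section][m.group(2)].add(m.group(1))
    return out

def importers(src, dst):
    """Instances on dst that import the EVPN routes exported by src's bridge domain."""
    s, d = evpn_rts(CONFIGS[src]), evpn_rts(CONFIGS[dst])
    exported = set().union(*(v["export"] for k, v in s.items() if k.startswith("bridge-domain")))
    return sorted(k for k, v in d.items() if v["import"] & exported)

if __name__ == "__main__":
    print("Leaf1 -> Leaf4:", importers("Leaf1", "Leaf4"))
```

Both directions return only ip vpn-instance vpn1: the shared RT 11:1 brings the routes into the Layer 3 VPN instance, while 10:1 and 40:1 keep bridge domains 10 and 20 separate at Layer 2.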

Enable head-end replication on the leaf nodes

# Configure Leaf1.

[~Leaf1] interface nve 1

[*Leaf1-Nve1] source 5.5.5.5

[*Leaf1-Nve1] vni 10 head-end peer-list protocol bgp

[*Leaf1-Nve1] quit

[*Leaf1] commit

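The configuration on Leaf4 is similar to that on Leaf1 and is not described here. The detailed procedure is omitted; see the configuration files.

Configure the distributed gateway and bind the VBDIF interface to the VPN instance

# Configure a service loopback interface on Leaf1. The configuration of Leaf4 is similar to that of Leaf1 and is not described here. (This step is not required on CE12800, CE12800E, CE6855HI, CE6856HI, CE6865EI, CE6870EI, CE6875EI, CE6880EI, and CE7855EI.)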

[~Leaf1] interface eth-trunk 2

[*Leaf1-Eth-Trunk2] service type tunnel

[*Leaf1-Eth-Trunk2] quit

[*Leaf1] interface 10ge 1/0/5

[*Leaf1-10GE1/0/5] eth-trunk 2

[*Leaf1-10GE1/0/5] quit

[*Leaf1] commit

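Note:

Member interfaces must be idle physical interfaces that carry no services. There is no requirement on the state of the physical interfaces.

Ensure that the bandwidth of the service loopback Eth-Trunk interface is at least twice the bandwidth used by VXLAN Layer 3 gateway traffic. For example, if the traffic sent from the user side to the gateway over the VXLAN network is 10 Gbps, add two 10GE interfaces to the service loopback Eth-Trunk interface as its physical member interfaces.

# Configure Leaf1.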

[~Leaf1] interface vbdif 10

[*Leaf1-Vbdif10] ip binding vpn-instance vpn1

[*Leaf1-Vbdif10] ip address 10.1.1.1 24

[*Leaf1-Vbdif10] arp collect host enable

[*Leaf1-Vbdif10] vxlan anycast-gateway enable

[*Leaf1-Vbdif10] quit

[*Leaf1] commit

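The configuration on Leaf4 is similar to that on Leaf1 and is not described here. The detailed procedure is omitted; see the configuration files.

Configure BGP between the leaf nodes to advertise IRB routes to peers

# Configure Leaf1.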

[~Leaf1] bgp 100 instance evpn1

[~Leaf1-bgp-instance-evpn1] l2vpn-family evpn

[*Leaf1-bgp-instance-evpn1-af-evpn] peer 6.6.6.6 advertise irb

[*Leaf1-bgp-instance-evpn1-af-evpn] quit

[*Leaf1-bgp-instance-evpn1] quit

[*Leaf1] commit

# Configure Leaf2.

[~Leaf2] bgp 100 instance evpn1

[~Leaf2-bgp-instance-evpn1] l2vpn-family evpn

[*Leaf2-bgp-instance-evpn1-af-evpn] peer 5.5.5.5 advertise irb

[*Leaf2-bgp-instance-evpn1-af-evpn] peer 7.7.7.7 advertise irb

[*Leaf2-bgp-instance-evpn1-af-evpn] quit

[*Leaf2-bgp-instance-evpn1] quit

[*Leaf2] commit

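The configuration of Leaf4 is similar to that of Leaf1, and the configuration of Leaf3 is similar to that of Leaf2; they are not described here. The detailed procedure is omitted; see the configuration files.

Verify the configuration

After the configuration is complete, run the display vxlan tunnel command on a leaf node to view information about the established VXLAN tunnels. The following uses the output on Leaf1 as an example: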

[~Leaf1] display vxlan tunnel

Number of vxlan tunnel : 1

Tunnel ID Source Destination State Type Uptime

-----------------------------------------------------------------------------------

4026531842 5.5.5.5 8.8.8.8 up dynamic 00:10:16

After the configuration is complete, VMa1 and VMb2 can communicate with each other.
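A check over this output, as an added example that is not part of the original page: it parses the display vxlan tunnel table and compares it with the VTEPs the design expects, which for Leaf1 is a single tunnel from 5.5.5.5 to 8.8.8.8. The function names and the allowlist approach are assumptions of this example; the sample text is the output shown above.

```python
import ipaddress
import re

# Output copied from the Leaf1 example on this page.
SAMPLE = """Number of vxlan tunnel : 1
Tunnel ID Source Destination State Type Uptime
-----------------------------------------------------------------------------------
4026531842 5.5.5.5 8.8.8.8 up dynamic 00:10:16
"""
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_tunnels(output):
    """Parse the tunnel table into dicts; reject output whose row count
    disagrees with the 'Number of vxlan tunnel' header (truncated capture)."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        tid, src, dst, state, kind, uptime = m.groups()
        ipaddress.ip_address(src)  # raises ValueError on a malformed address
        ipaddress.ip_address(dst)
        rows.append({"id": tid, "source": src, "destination": dst,
                     "state": state, "type": kind, "uptime": uptime})
    declared = re.search(r"Number of vxlan tunnel\s*:\s*(\d+)", output)
    if declared and int(declared.group(1)) != len(rows):
        raise ValueError("row count does not match the declared tunnel count")
    return rows

def audit(output, local_vtep, expected_peers):
    """Return a list of findings; an empty list means the table matches the design."""
    findings, up_peers = [], set()
    for t in parse_tunnels(output):
        if t["source"] != local_vtep:
            findings.append(f"tunnel {t['id']}: source {t['source']} is not the local VTEP")
        if t["destination"] not in expected_peers:
            findings.append(f"tunnel {t['id']}: unexpected remote VTEP {t['destination']}")
        elif t["state"] == "up":
            up_peers.add(t["destination"])
    findings += [f"no up tunnel to {p}" for p in sorted(set(expected_peers) - up_peers)]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "5.5.5.5", {"8.8.8.8"}) or "tunnel table matches the design")
```

Because the tunnels are dynamic (built from BGP EVPN routes), a destination other than 8.8.8.8 on Leaf1, such as the transit leaf 6.6.6.6, means the control plane accepted a next hop the design did not intend.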

Configuration Files

The configuration files use CE12800 switches as an example.

Spine1 configuration file

#

sysname Spine1

#

interface 10GE1/0/1

undo portswitch

ip address 192.168.10.1 255.255.255.0

#

interface 10GE1/0/2

undo portswitch

ip address 192.168.20.1 255.255.255.0

#

interface LoopBack0

ip address 3.3.3.3 255.255.255.255

#

ospf 1

area 0.0.0.0

network 3.3.3.3 0.0.0.0

network 192.168.10.0 0.0.0.255

network 192.168.20.0 0.0.0.255

#

return

Leaf1 configuration file

#

sysname Leaf1

#

assign forward nvo3 acl extend enable

#

evpn-overlay enable

#

ip vpn-instance vpn1

ipv4-family

route-distinguisher 11:11

vpn-target 1:1 export-extcommunity

vpn-target 11:1 export-extcommunity evpn

vpn-target 1:1 import-extcommunity

vpn-target 11:1 import-extcommunity evpn

vxlan vni 5010

#

bridge-domain 10

vxlan vni 10

evpn

route-distinguisher 10:1

vpn-target 10:1 export-extcommunity

vpn-target 11:1 export-extcommunity

vpn-target 10:1 import-extcommunity

#

interface Vbdif10

ip binding vpn-instance vpn1

ip address 10.1.1.1 255.255.255.0

vxlan anycast-gateway enable

arp collect host enable

#

interface 10GE1/0/1

undo portswitch

ip address 192.168.10.2 255.255.255.0

#

interface 10GE1/0/2.1 mode l2

encapsulation dot1q vid 10

bridge-domain 10

#

interface LoopBack0

ip address 5.5.5.5 255.255.255.255

#

interface Nve1

source 5.5.5.5

vni 10 head-end peer-list protocol bgp

#

bgp 100 instance evpn1

peer 6.6.6.6 as-number 100

peer 6.6.6.6 connect-interface LoopBack0

#

l2vpn-family evpn

policy vpn-target

peer 6.6.6.6 enable

peer 6.6.6.6 advertise irb

#

ospf 1

area 0.0.0.0

network 5.5.5.5 0.0.0.0

network 192.168.10.0 0.0.0.255

#

return

Leaf2 configuration file

#

sysname Leaf2

#

evpn-overlay enable

#

interface 10GE1/0/1

undo portswitch

ip address 192.168.20.2 255.255.255.0

#

interface 10GE1/0/3

undo portswitch

ip address 192.168.50.2 255.255.255.0

#

interface LoopBack0

ip address 6.6.6.6 255.255.255.255

#

bgp 20

peer 192.168.50.1 as-number 10

#

ipv4-family unicast

network 5.5.5.5 255.255.255.255

network 6.6.6.6 255.255.255.255

peer 192.168.50.1 enable

#

bgp 100 instance evpn1

peer 5.5.5.5 as-number 100

peer 5.5.5.5 connect-interface LoopBack0

peer 7.7.7.7 as-number 200

peer 7.7.7.7 ebgp-max-hop 255

peer 7.7.7.7 connect-interface LoopBack0

#

l2vpn-family evpn

undo policy vpn-target

peer 5.5.5.5 enable

peer 5.5.5.5 advertise irb

peer 5.5.5.5 next-hop-invariable

peer 7.7.7.7 enable

peer 7.7.7.7 advertise irb

peer 7.7.7.7 next-hop-invariable

#

ospf 1

import-route bgp

area 0.0.0.0

network 6.6.6.6 0.0.0.0

network 192.168.20.0 0.0.0.255

network 192.168.50.0 0.0.0.255

#

return

Spine2 configuration file

#

sysname Spine2

#

interface 10GE1/0/1

undo portswitch

ip address 192.168.30.1 255.255.255.0

#

interface 10GE1/0/2

undo portswitch

ip address 192.168.40.1 255.255.255.0

#

interface LoopBack0

ip address 4.4.4.4 255.255.255.255

#

ospf 1

area 0.0.0.0

network 4.4.4.4 0.0.0.0

network 192.168.30.0 0.0.0.255

network 192.168.40.0 0.0.0.255

#

return

Leaf3 configuration file

#

sysname Leaf3

#

evpn-overlay enable

#

interface 10GE1/0/1

undo portswitch

ip address 192.168.30.2 255.255.255.0

#

interface 10GE1/0/2

undo portswitch

ip address 192.168.60.2 255.255.255.0

#

interface LoopBack0

ip address 7.7.7.7 255.255.255.255

#

bgp 30

peer 192.168.60.1 as-number 10

#

ipv4-family unicast

network 7.7.7.7 255.255.255.255

network 8.8.8.8 255.255.255.255

peer 192.168.60.1 enable

#

bgp 200 instance evpn1

peer 6.6.6.6 as-number 100

peer 6.6.6.6 ebgp-max-hop 255

peer 6.6.6.6 connect-interface LoopBack0

peer 8.8.8.8 as-number 200

peer 8.8.8.8 connect-interface LoopBack0

#

l2vpn-family evpn

undo policy vpn-target

peer 6.6.6.6 enable

peer 6.6.6.6 advertise irb

peer 6.6.6.6 next-hop-invariable

peer 8.8.8.8 enable

peer 8.8.8.8 advertise irb

peer 8.8.8.8 next-hop-invariable

#

ospf 1

import-route bgp

area 0.0.0.0

network 7.7.7.7 0.0.0.0

network 192.168.30.0 0.0.0.255

#

return

Leaf4 configuration file

#

sysname Leaf4

#

assign forward nvo3 acl extend enable

#

evpn-overlay enable

#

ip vpn-instance vpn1

ipv4-family

route-distinguisher 11:14

vpn-target 4:4 export-extcommunity

vpn-target 11:1 export-extcommunity evpn

vpn-target 4:4 import-extcommunity

vpn-target 11:1 import-extcommunity evpn

vxlan vni 5020

#

bridge-domain 20

vxlan vni 20

evpn

route-distinguisher 40:1

vpn-target 40:1 export-extcommunity

vpn-target 11:1 export-extcommunity

vpn-target 40:1 import-extcommunity

#

interface Vbdif20

ip binding vpn-instance vpn1

ip address 10.2.1.1 255.255.255.0

vxlan anycast-gateway enable

arp collect host enable

#

interface 10GE1/0/1

undo portswitch

ip address 192.168.40.2 255.255.255.0

#

interface 10GE1/0/2.1 mode l2

encapsulation dot1q vid 20

bridge-domain 20

#

interface LoopBack0

ip address 8.8.8.8 255.255.255.255

#

interface Nve1

source 8.8.8.8

vni 20 head-end peer-list protocol bgp

#

bgp 200 instance evpn1

peer 7.7.7.7 as-number 200

peer 7.7.7.7 connect-interface LoopBack0

#

l2vpn-family evpn

policy vpn-target

peer 7.7.7.7 enable

peer 7.7.7.7 advertise irb

#

ospf 1

area 0.0.0.0

network 8.8.8.8 0.0.0.0

network 192.168.40.0 0.0.0.255

#

return

Device1 configuration file

#

sysname Device1

#

interface 10GE1/0/1

undo portswitch

ip address 192.168.50.1 255.255.255.0

#

interface 10GE1/0/2

undo portswitch

ip address 192.168.1.1 255.255.255.0

#

interface LoopBack0

ip address 1.1.1.1 255.255.255.255

#

bgp 10

peer 192.168.1.2 as-number 10

peer 192.168.50.2 as-number 20

#

ipv4-family unicast

peer 192.168.1.2 enable

peer 192.168.1.2 next-hop-local

peer 192.168.50.2 enable

#

return

Device2 configuration file

#

sysname Device2

#

interface 10GE1/0/1

undo portswitch

ip address 192.168.60.1 255.255.255.0

#

interface 10GE1/0/2

undo portswitch

ip address 192.168.1.2 255.255.255.0

#

interface LoopBack0

ip address 2.2.2.2 255.255.255.255

#

bgp 10

peer 192.168.1.1 as-number 10

peer 192.168.60.2 as-number 30

#

ipv4-family unicast

peer 192.168.1.1 enable

peer 192.168.1.1 next-hop-local

peer 192.168.60.2 enable

#

return

