华为VXLAN分布式网关DCI端到端互联实验

场景说明:左侧为AS100,右侧为AS200。同一租户A在AS100和AS200中各有虚机,需要互相访问,因此要打通两端的VXLAN网络。两个数据中心通过DCI-Leaf互联,DCI-Leaf之间建立eBGP IPv4/EVPN邻居关系,并通过BGP IPv4地址族把本端AS内的VTEP路由通告给对端AS。Spine作为本AS内的路由反射器,VXLAN采用分布式网关部署,underlay统一使用IS-IS作为IGP,打通AS内各VTEP之间的互联。

DCI-Leaf-1配置:

#
sysname DCI-Leaf-1
#
evpn-overlay enable
#
isis 1
 is-level level-2
 network-entity 86.0471.0000.0000.0001.00
 import-route bgp //引入BGP IPv4路由,打通数据中心间的VTEP可达性;这里未做过滤,会把从对端AS学到的全部BGP路由引入IS-IS,可以配合route-policy只引入对端Server-Leaf的VTEP地址
 prefix-priority level-2 critical tag 100 //优先收敛IS-IS tag为100的路由,也就是VTEP路由
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.0.11.1 255.255.255.252
 isis enable 1
#
interface GE1/0/9
 undo portswitch
 undo shutdown
 ip address 100.0.12.1 255.255.255.252
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 isis enable 1
 isis tag-value 100 //指定IS-IS tag为100
#
bgp 100
 peer 1.1.1.2 as-number 100
 peer 1.1.1.2 connect-interface LoopBack0
 peer 100.0.12.2 as-number 200
 #
 ipv4-family unicast
  import-route isis 1 //将IGP路由引入BGP,打通AS间的VTEP路由;这里未做过滤,互联网段等全部IS-IS路由都会通告给对端AS,可以配合route-policy按tag 100只引入VTEP路由
  undo peer 1.1.1.2 enable
  peer 100.0.12.2 enable
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 1.1.1.2 enable
  peer 1.1.1.2 advertise irb
  peer 1.1.1.2 next-hop-invariable //保证EVPN路由下一跳不变
  peer 100.0.12.2 enable
  peer 100.0.12.2 advertise irb
  peer 100.0.12.2 next-hop-invariable //保证EVPN路由下一跳不变
#
return

DC1-Spine配置:

#
sysname DC1-Spine
#
evpn-overlay enable
#
isis 1
 is-level level-2
 network-entity 86.0471.0000.0000.0002.00
 prefix-priority level-2 critical tag 100
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.0.11.5 255.255.255.252
 isis enable 1
#
interface GE1/0/9
 undo portswitch
 undo shutdown
 ip address 10.0.11.2 255.255.255.252
 isis enable 1
#
interface LoopBack0
 ip address 1.1.1.2 255.255.255.255
 isis enable 1
 isis tag-value 100
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 peer 1.1.1.3 as-number 100
 peer 1.1.1.3 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.1 enable
  undo peer 1.1.1.3 enable
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
  peer 1.1.1.1 reflect-client  //将该邻居设为反射客户端,本机作为AS100的RR
  peer 1.1.1.3 enable
  peer 1.1.1.3 advertise irb
  peer 1.1.1.3 reflect-client //将该邻居设为反射客户端,本机作为AS100的RR
#
return

DC1-Leaf配置:

#
sysname DC1-Leaf
#
evpn-overlay enable
#
ip vpn-instance A
 ipv4-family
  route-distinguisher 10:10000
  vpn-target 10:10000 export-extcommunity evpn
  vpn-target 10:10000 import-extcommunity evpn
 vxlan vni 5000
#
bridge-domain 10010
 vxlan vni 10010
 evpn
  route-distinguisher 1:10010
  vpn-target 1:10010 export-extcommunity
  vpn-target 10:10000 export-extcommunity
  vpn-target 1:10010 import-extcommunity
#
isis 1
 is-level level-2
 network-entity 86.0471.0000.0000.0003.00
 prefix-priority level-1 critical tag 100
 prefix-priority level-2 critical tag 100
#
interface Vbdif10010
 ip binding vpn-instance A
 ip address 192.168.10.254 255.255.255.0
 mac-address 0000-005e-0110
 vxlan anycast-gateway enable
 arp collect host enable
#
interface GE1/0/0
 undo shutdown
#
interface GE1/0/0.10 mode l2
 encapsulation dot1q vid 10
 bridge-domain 10010
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 10.0.11.6 255.255.255.252
 isis enable 1
#
interface LoopBack0
 ip address 1.1.1.3 255.255.255.255
 isis enable 1
 isis tag-value 100
#
interface Nve1
 source 1.1.1.3
 vni 10010 head-end peer-list protocol bgp
#
interface NULL0
#
bgp 100
 peer 1.1.1.2 as-number 100
 peer 1.1.1.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.2 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 1.1.1.2 enable
  peer 1.1.1.2 advertise irb  //通告IRB路由:分布式网关场景下Leaf同时作为L2和L3网关,因此需要通告IRB路由
#
return

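DC2的配置与DC1类似,除地址不同外几乎一致。需要注意,以上是实验环境配置:BGP邻居(包括跨数据中心的eBGP邻居100.0.12.2)和IS-IS都没有配置认证,DCI-Leaf和Spine上的undo policy vpn-target也会让设备不按RT过滤、接收全部EVPN路由;用于生产环境时,应为BGP和IS-IS启用认证,并在DCI边界用路由策略限制收发的路由。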

实验结果:

PC1访问PC2正常,然后查看DC1-Leaf的租户路由表。

可以看见192.168.20.1的主机路由,并且下一跳为DC2的Leaf。

然后ping同一VXLAN内的192.168.10.2却ping不通,考虑可能是BUG导致:本端可以正常学习到对端的路由,DC2的Leaf上也存在192.168.10.1的路由,两端也正常建立了头端复制通道,但192.168.10.1访问192.168.10.2时却没有任何报文发出,因此怀疑是BUG。另外Leaf上没有对端的ARP表项,不知道是什么原因导致。
