Using eNSP to interconnect different subnets/VLANs of the same tenant with distributed-gateway VXLAN + EVPN

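Note: Huawei eNSP has a data-plane bug. If your configuration matches this one but the hosts still cannot ping each other, try rebooting the CE switches.
The underlay in this lab uses OSPF + iBGP, with the loopback interfaces advertised in OSPF. The main configuration steps are:
1. Get the underlay OSPF working, so that leaf1's loopback 1.1.1.1 can ping leaf2's loopback 2.2.2.2.
2. Establish the BGP peering; use dis bgp peer br to confirm the state is Established.
3. Enable EVPN first. Then build, in order: the VLAN sub-interfaces -- bridge domain / L2 VNI (under evpn, configure the Layer 2 RT in both directions; each BD uses its own RT pair, different BDs use different pairs, and the export side also carries the Layer 3 RT) -- L3 VNI in the ip vpn-instance (note that the import that takes in the L2 VNI routes carries the evpn keyword) -- bind the Vbdif interface to the VPN instance and configure arp collect host enable, which turns on host information collection for EVN BGP or BGP EVPN and produces Type 2 routes -- vxlan anycast-gateway enable, which turns on the distributed gateway.
4. Create the VTEP, bind the Layer 2 VNIs to it and enable BGP dynamic head-end replication, which generates Type 3 routes: int nve1 / source x.x.x.x / vni 10010 head-end peer-list protocol bgp
5. Under the BGP l2vpn-family, establish the peering with the spine and advertise IRB routes. Note two points on the spine: as the RR it needs undo policy vpn-target, and it must designate the leaves as reflect clients / advertise irb.
6. On the two LSWs, configure the uplink interface as a trunk and assign the VLANs.
7. Ping between the hosts to verify connectivity.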
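Route targets decide which EVPN routes each bridge domain and VRF accepts, so the RT rules in step 3 are worth checking mechanically. The following is an added example, not part of the original post: a Python check over the RT lines of the leaf1 configuration shown on this page, where `parse` and `audit` are hypothetical helper names.

```python
import re
from collections import defaultdict
# RT lines excerpted from the leaf1 configuration on this page.
LEAF1 = """\
ip vpn-instance VRF1
 ipv4-family
  vpn-target 11:11 export-extcommunity evpn
  vpn-target 11:11 import-extcommunity evpn
#
bridge-domain 10010
 evpn
  vpn-target 10:10 export-extcommunity
  vpn-target 11:11 export-extcommunity
  vpn-target 10:10 import-extcommunity
#
bridge-domain 10020
 evpn
  vpn-target 20:20 export-extcommunity
  vpn-target 11:11 export-extcommunity
  vpn-target 20:20 import-extcommunity
"""
RT = re.compile(r"vpn-target (\S+) (import|export)-extcommunity( evpn)?\s*$")

def parse(cfg):  # section header -> {(direction, has_evpn_keyword): set of RTs}
    out, cur = {}, None
    for line in cfg.splitlines():
        if line and line[0] not in " #":      # an unindented line opens a section
            cur = out.setdefault(line.strip(), defaultdict(set))
        m = RT.search(line)
        if m and cur is not None:
            cur[m[2], bool(m[3])].add(m[1])
    return out

def audit(cfg):  # returns a list of findings; an empty list means the RT plan is consistent
    secs = parse(cfg)
    l3 = {rt for h, s in secs.items() if h.startswith("ip vpn-instance") for rt in s["import", True]}
    findings, owner = [], {}
    for h, s in secs.items():
        if not h.startswith("bridge-domain"):
            continue
        l2 = (s["import", False] & s["export", False]) - l3   # this BD's own L2 RT pair
        if not l2:
            findings.append(f"{h}: no L2 RT is both imported and exported")
        for rt in sorted(l2):
            if owner.setdefault(rt, h) != h:
                findings.append(f"{h}: L2 RT {rt} is shared with {owner[rt]}")
        if not s["export", False] & l3:
            findings.append(f"{h}: exports no RT that the VRF imports with 'evpn'")
    return findings
```

Calling `audit(LEAF1)` returns an empty list for the configuration as posted; reusing one L2 RT pair in two bridge domains, or dropping the evpn keyword from the VRF import, produces findings.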
The verification steps are: dis vxlan tunnel / dis bgp evpn all ro / dis arp vpn-instance VRF1 / dis ip routing-table vpn-ins VRF1
```
[~leaf1]dis vxlan tunnel
Number of vxlan tunnel : 1
Tunnel ID   Source      Destination   State  Type     Uptime
-----------------------------------------------------------------------------------
4026531841  1.1.1.1     2.2.2.2       up     dynamic  06:26
```
```
[~leaf1]dis bgp evpn all routing-table
 Local AS number : 65001

 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

 EVPN address family:
 Number of Mac Routes: 6
 Route Distinguisher: 10:10
       Network(EthTagId/MacAddrLen/MacAddr/IpAddrLen/IpAddr)  NextHop
 *>    0:48:5489-98d9-4477:32:192.168.10.1                    0.0.0.0
 *>    0:48:707b-e888-5e34:0:0.0.0.0                          0.0.0.0
 Route Distinguisher: 20:20
       Network(EthTagId/MacAddrLen/MacAddr/IpAddrLen/IpAddr)  NextHop
 *>    0:48:5489-9822-5e81:32:192.168.20.1                    0.0.0.0
 *>i   0:48:5489-988d-4330:32:192.168.20.2                    2.2.2.2
 *>i   0:48:707b-e86d-5840:0:0.0.0.0                          2.2.2.2
 *>    0:48:707b-e888-5e34:0:0.0.0.0                          0.0.0.0

 EVPN-Instance 10010:
 Number of Mac Routes: 2
       Network(EthTagId/MacAddrLen/MacAddr/IpAddrLen/IpAddr)  NextHop
 *>    0:48:5489-98d9-4477:32:192.168.10.1                    0.0.0.0
 *>    0:48:707b-e888-5e34:0:0.0.0.0                          0.0.0.0

 EVPN-Instance 10020:
 Number of Mac Routes: 4
       Network(EthTagId/MacAddrLen/MacAddr/IpAddrLen/IpAddr)  NextHop
 *>    0:48:5489-9822-5e81:32:192.168.20.1                    0.0.0.0
 *>i   0:48:5489-988d-4330:32:192.168.20.2                    2.2.2.2
 *>i   0:48:707b-e86d-5840:0:0.0.0.0                          2.2.2.2
 *>    0:48:707b-e888-5e34:0:0.0.0.0                          0.0.0.0

 EVPN-Instance __RD_1_1_1__:
 Number of Mac Routes: 1
       Network(EthTagId/MacAddrLen/MacAddr/IpAddrLen/IpAddr)  NextHop
 *>i   0:48:5489-988d-4330:32:192.168.20.2                    2.2.2.2

 EVPN address family:
 Number of Inclusive Multicast Routes: 3
 Route Distinguisher: 10:10
       Network(EthTagId/IpAddrLen/OriginalIp)                 NextHop
 *>    0:32:1.1.1.1                                           0.0.0.0
 Route Distinguisher: 20:20
       Network(EthTagId/IpAddrLen/OriginalIp)                 NextHop
 *>    0:32:1.1.1.1                                           0.0.0.0
 *>i   0:32:2.2.2.2                                           2.2.2.2

 EVPN-Instance 10010:
 Number of Inclusive Multicast Routes: 1
       Network(EthTagId/IpAddrLen/OriginalIp)                 NextHop
 *>    0:32:1.1.1.1                                           0.0.0.0

 EVPN-Instance 10020:
 Number of Inclusive Multicast Routes: 2
       Network(EthTagId/IpAddrLen/OriginalIp)                 NextHop
 *>    0:32:1.1.1.1                                           0.0.0.0
 *>i   0:32:2.2.2.2                                           2.2.2.2
```
```
[~leaf1] dis arp vpn-instance VRF1
ARP Entry Types: D - Dynamic, S - Static, I - Interface, O - OpenFlow, RD - Redirect
EXP: Expire-time  VLAN:VLAN or Bridge Domain

IP ADDRESS      MAC ADDRESS     EXP(M)  TYPE/VLAN  INTERFACE    VPN-INSTANCE
----------------------------------------------------------------------------------------
192.168.10.254  707b-e888-5e34          I          Vbdif10010   VRF1
192.168.10.1    5489-98d9-4477  2       D/BD10010  GE1/0/1.10   VRF1
192.168.20.254  707b-e888-5e34          I          Vbdif10020   VRF1
192.168.20.1    5489-9822-5e81  20      D/BD10020  GE1/0/1.20   VRF1
----------------------------------------------------------------------------------------
Total:4  Dynamic:2  Static:0  Interface:2  OpenFlow:0
```
The configuration of each device follows.
spine
```
<spine1>dis cu
!Software Version V200R005C10SPC607B607
!Last configuration was updated at 2022-04-21 12:45:10+00:00
!Last configuration was saved at 2022-04-21 13:31:22+00:00
#
sysname spine1
#
device board 17 board-type CE-MPUB
device board 1 board-type CE-LPUE
#
evpn-overlay enable
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
interface MEth0/0/0
 undo shutdown
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.0.13.3 255.255.255.0
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 10.0.23.3 255.255.255.0
#
interface GE1/0/2
 shutdown
#
interface GE1/0/3
 shutdown
#
interface GE1/0/4
 shutdown
#
interface GE1/0/5
 shutdown
#
interface GE1/0/6
 shutdown
#
interface GE1/0/7
 shutdown
#
interface GE1/0/8
 shutdown
#
interface GE1/0/9
 shutdown
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
interface NULL0
#
bgp 65001
 router-id 3.3.3.3
 peer 1.1.1.1 as-number 65001
 peer 1.1.1.1 connect-interface LoopBack0
 peer 2.2.2.2 as-number 65001
 peer 2.2.2.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.1 enable
  undo peer 2.2.2.2 enable
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
  peer 1.1.1.1 reflect-client
  peer 2.2.2.2 enable
  peer 2.2.2.2 advertise irb
  peer 2.2.2.2 reflect-client
#
ospf 10 router-id 3.3.3.3
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 10.0.13.3 0.0.0.0
  network 10.0.23.3 0.0.0.0
#
ssh authorization-type default aaa
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
#
ssh server dh-exchange min-len 1024
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
#
user-interface con 0
#
vm-manager
#
return
```
leaf1
```
<leaf1>dis cu
!Software Version V200R005C10SPC607B607
!Last configuration was updated at 2022-04-21 19:41:38+00:00
!Last configuration was saved at 2022-04-21 20:03:38+00:00
#
sysname leaf1
#
device board 17 board-type CE-MPUB
device board 1 board-type CE-LPUE
#
evpn-overlay enable
#
ip vpn-instance VRF1
 ipv4-family
  route-distinguisher 1:1
  vpn-target 11:11 export-extcommunity evpn
  vpn-target 11:11 import-extcommunity evpn
 vxlan vni 1000
#
bridge-domain 10010
 vxlan vni 10010
 evpn
  route-distinguisher 10:10
  vpn-target 10:10 export-extcommunity
  vpn-target 11:11 export-extcommunity
  vpn-target 10:10 import-extcommunity
#
bridge-domain 10020
 vxlan vni 10020
 evpn
  route-distinguisher 20:20
  vpn-target 20:20 export-extcommunity
  vpn-target 11:11 export-extcommunity
  vpn-target 20:20 import-extcommunity
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
interface Vbdif10010
 ip binding vpn-instance VRF1
 ip address 192.168.10.254 255.255.255.0
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif10020
 ip binding vpn-instance VRF1
 ip address 192.168.20.254 255.255.255.0
 vxlan anycast-gateway enable
 arp collect host enable
#
interface MEth0/0/0
 undo shutdown
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.0.13.1 255.255.255.0
#
interface GE1/0/1
 undo shutdown
#
interface GE1/0/1.10 mode l2
 encapsulation dot1q vid 10
 bridge-domain 10010
#
interface GE1/0/1.20 mode l2
 encapsulation dot1q vid 20
 bridge-domain 10020
#
interface GE1/0/2
 shutdown
#
interface GE1/0/3
 shutdown
#
interface GE1/0/4
 shutdown
#
interface GE1/0/5
 shutdown
#
interface GE1/0/6
 shutdown
#
interface GE1/0/7
 shutdown
#
interface GE1/0/8
 shutdown
#
interface GE1/0/9
 shutdown
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
interface Nve1
 source 1.1.1.1
 vni 10010 head-end peer-list protocol bgp
 vni 10020 head-end peer-list protocol bgp
#
interface NULL0
#
bgp 65001
 router-id 1.1.1.1
 peer 3.3.3.3 as-number 65001
 peer 3.3.3.3 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 3.3.3.3 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 3.3.3.3 enable
  peer 3.3.3.3 advertise irb
#
ospf 10 router-id 1.1.1.1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 10.0.13.1 0.0.0.0
#
ssh authorization-type default aaa
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
#
ssh server dh-exchange min-len 1024
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
#
user-interface con 0
#
vm-manager
#
return
```
Leaf2
```
[~leaf2-bgp]dis cu
!Software Version V200R005C10SPC607B607
!Last configuration was updated at 2022-04-21 12:52:48+00:00
!Last configuration was saved at 2022-04-21 13:31:18+00:00
#
sysname leaf2
#
device board 17 board-type CE-MPUB
device board 1 board-type CE-LPUE
#
evpn-overlay enable
#
evpn
#
ip vpn-instance VRF1
 ipv4-family
  route-distinguisher 2:2
  vpn-target 11:11 export-extcommunity evpn
  vpn-target 11:11 import-extcommunity evpn
 vxlan vni 1000
#
bridge-domain 10020
 vxlan vni 10020
 evpn
  route-distinguisher 20:20
  vpn-target 20:20 export-extcommunity
  vpn-target 11:11 export-extcommunity
  vpn-target 20:20 import-extcommunity
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
interface Vbdif10020
 ip binding vpn-instance VRF1
 ip address 192.168.20.254 255.255.255.0
 vxlan anycast-gateway enable
 arp collect host enable
#
interface MEth0/0/0
 undo shutdown
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.0.23.2 255.255.255.0
#
interface GE1/0/1
 undo shutdown
#
interface GE1/0/1.20 mode l2
 encapsulation dot1q vid 20
 bridge-domain 10020
#
interface GE1/0/2
 shutdown
#
interface GE1/0/3
 shutdown
#
interface GE1/0/4
 shutdown
#
interface GE1/0/5
 shutdown
#
interface GE1/0/6
 shutdown
#
interface GE1/0/7
 shutdown
#
interface GE1/0/8
 shutdown
#
interface GE1/0/9
 shutdown
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
interface Nve1
 source 2.2.2.2
 vni 10020 head-end peer-list protocol bgp
#
interface NULL0
#
bgp 65001
 router-id 2.2.2.2
 peer 3.3.3.3 as-number 65001
 peer 3.3.3.3 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 3.3.3.3 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 3.3.3.3 enable
  peer 3.3.3.3 advertise irb
#
ospf 10 router-id 2.2.2.2
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 10.0.23.2 0.0.0.0
#
ssh authorization-type default aaa
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
#
ssh server dh-exchange min-len 1024
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
#
user-interface con 0
#
vm-manager
#
return
```
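The results of the pings between hosts are as follows:
PC1 10.1 pings PC2 20.1 / PC3 20.2: both succeed.
PC2 20.1 pings PC3 20.2 and PC1 10.1: both succeed.
Connectivity is confirmed. The lab is complete.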