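VXLAN BGP-EVPN Distributed Gateway Lab on eNSP

The lab topology is as follows:

Ignore the interconnection and peering between the Spines.

The underlay network uses OSPF.

VTEP address plan:

Because every device in this scenario is a single node and no tunnel load balancing is involved, the VTEP address and the address used to establish BGP sessions can be the same address.

For nodes with M-LAG, or for other scenarios that need tunnel load balancing, the VTEP address and the address used to establish BGP sessions must not be the same.

Detailed service plan:

Assume there are two tenants (services), service A and service B, planned as follows:

The configuration is as follows: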

<Spine1>dis current-configuration
sysname Spine1
#
evpn-overlay enable
#
interface GE1/0/0
undo portswitch
undo shutdown
ip address 10.1.13.1 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 10.1.14.1 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
undo portswitch
undo shutdown
ip address 10.1.15.1 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/3
undo portswitch
undo shutdown
ip address 10.1.16.1 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/4
undo portswitch
undo shutdown
ip address 10.1.12.1 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
ospf enable 1 area 0.0.0.0
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack0
peer 5.5.5.5 as-number 100
peer 5.5.5.5 connect-interface LoopBack0
peer 6.6.6.6 as-number 100
peer 6.6.6.6 connect-interface LoopBack0
#
ipv4-family unicast
 undo peer 3.3.3.3 enable
 undo peer 4.4.4.4 enable
 undo peer 5.5.5.5 enable
 undo peer 6.6.6.6 enable
 undo peer 2.2.2.2 enable
#
l2vpn-family evpn
 undo policy vpn-target
 peer 2.2.2.2 enable
 peer 2.2.2.2 advertise irb
 peer 2.2.2.2 reflect-client
 peer 3.3.3.3 enable
 peer 3.3.3.3 advertise irb
 peer 3.3.3.3 reflect-client
 peer 4.4.4.4 enable
 peer 4.4.4.4 advertise irb
 peer 4.4.4.4 reflect-client
 peer 5.5.5.5 enable
 peer 5.5.5.5 advertise irb
 peer 5.5.5.5 reflect-client
 peer 6.6.6.6 enable
 peer 6.6.6.6 advertise irb
 peer 6.6.6.6 reflect-client
#
ospf 1
area 0.0.0.0
#

<Spine2>dis current-configuration
sysname Spine2
#
evpn-overlay enable
#
interface GE1/0/0
undo portswitch
undo shutdown
ip address 10.1.23.2 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 10.1.24.2 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
undo portswitch
undo shutdown
ip address 10.1.25.2 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/3
undo portswitch
undo shutdown
ip address 10.1.26.2 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/4
undo portswitch
undo shutdown
ip address 10.1.12.2 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
ospf enable 1 area 0.0.0.0
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack0
peer 5.5.5.5 as-number 100
peer 5.5.5.5 connect-interface LoopBack0
peer 6.6.6.6 as-number 100
peer 6.6.6.6 connect-interface LoopBack0
#
ipv4-family unicast
 undo peer 1.1.1.1 enable
 undo peer 3.3.3.3 enable
 undo peer 4.4.4.4 enable
 undo peer 5.5.5.5 enable
 undo peer 6.6.6.6 enable
#
l2vpn-family evpn
 undo policy vpn-target
 peer 1.1.1.1 enable
 peer 1.1.1.1 advertise irb
 peer 1.1.1.1 reflect-client
 peer 3.3.3.3 enable
 peer 3.3.3.3 advertise irb
 peer 3.3.3.3 reflect-client
 peer 4.4.4.4 enable
 peer 4.4.4.4 advertise irb
 peer 4.4.4.4 reflect-client
 peer 5.5.5.5 enable
 peer 5.5.5.5 advertise irb
 peer 5.5.5.5 reflect-client
 peer 6.6.6.6 enable
 peer 6.6.6.6 advertise irb
 peer 6.6.6.6 reflect-client
#
ospf 1
area 0.0.0.0
#
[~Leaf1]dis current-configuration
#
sysname Leaf1
#
evpn-overlay enable
#
ip vpn-instance vpnA
ipv4-family
 route-distinguisher 1111:1111
 vpn-target 1111:1111 export-extcommunity evpn
 vpn-target 1111:1111 import-extcommunity evpn
vxlan vni 5010
#
bridge-domain 10
vxlan vni 10
evpn
 route-distinguisher 10:10
 vpn-target 10:10 export-extcommunity
 vpn-target 1111:1111 export-extcommunity
 vpn-target 10:10 import-extcommunity
arp broadcast-suppress mismatch-discard enable
#
interface Vbdif10
ip binding vpn-instance vpnA
ip address 10.1.1.1 255.255.255.0
mac-address 00e0-1010-0001
vxlan anycast-gateway enable
arp collect host enable
#
interface GE1/0/0
undo portswitch
undo shutdown
ip address 10.1.13.3 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 10.1.23.3 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
undo shutdown
#
interface GE1/0/2.10 mode l2
encapsulation dot1q vid 10
bridge-domain 10
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
ospf enable 1 area 0.0.0.0
#
interface Nve1
source 3.3.3.3
vni 10 head-end peer-list protocol bgp
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
 undo peer 1.1.1.1 enable
 undo peer 2.2.2.2 enable
#
l2vpn-family evpn
 policy vpn-target
 peer 1.1.1.1 enable
 peer 1.1.1.1 advertise irb
 peer 2.2.2.2 enable
 peer 2.2.2.2 advertise irb
#
ospf 1
area 0.0.0.0
#
<Leaf2>dis current-configuration
#
sysname Leaf2
#
evpn-overlay enable
#
ip vpn-instance vpnA
ipv4-family
 route-distinguisher 1111:1111
 vpn-target 1111:1111 export-extcommunity evpn
 vpn-target 1111:1111 import-extcommunity evpn
vxlan vni 5010
#
bridge-domain 20
vxlan vni 20
evpn
 route-distinguisher 20:20
 vpn-target 20:20 export-extcommunity
 vpn-target 1111:1111 export-extcommunity
 vpn-target 20:20 import-extcommunity
arp broadcast-suppress mismatch-discard enable
#
bridge-domain 30
vxlan vni 30
evpn
 route-distinguisher 30:30
 vpn-target 30:30 export-extcommunity
 vpn-target 1111:1111 export-extcommunity
 vpn-target 30:30 import-extcommunity
arp broadcast-suppress mismatch-discard enable
#
interface Vbdif20
ip binding vpn-instance vpnA
ip address 20.1.1.1 255.255.255.0
mac-address 00e0-2020-0001
vxlan anycast-gateway enable
arp collect host enable
#
interface Vbdif30
ip binding vpn-instance vpnA
ip address 30.1.1.1 255.255.255.0
mac-address 00e0-3030-0001
vxlan anycast-gateway enable
arp collect host enable
#
interface GE1/0/0
undo portswitch
undo shutdown
ip address 10.1.14.4 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 10.1.24.4 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
undo shutdown
#
interface GE1/0/2.20 mode l2
encapsulation dot1q vid 20
bridge-domain 20
#
interface GE1/0/2.30 mode l2
encapsulation dot1q vid 30
bridge-domain 30
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
ospf enable 1 area 0.0.0.0
#
interface Nve1
source 4.4.4.4
vni 20 head-end peer-list protocol bgp
vni 30 head-end peer-list protocol bgp
#
interface NULL0
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
 undo peer 1.1.1.1 enable
 undo peer 2.2.2.2 enable
#
l2vpn-family evpn
 policy vpn-target
 peer 1.1.1.1 enable
 peer 1.1.1.1 advertise irb
 peer 2.2.2.2 enable
 peer 2.2.2.2 advertise irb
#
ospf 1
area 0.0.0.0
#
<Leaf3>dis current-configuration
#
sysname Leaf3
#
evpn-overlay enable
#
ip vpn-instance vpnA
ipv4-family
  route-distinguisher 1111:1111
  vpn-target 1111:1111 export-extcommunity evpn
  vpn-target 1111:1111 import-extcommunity evpn
vxlan vni 5010
#
ip vpn-instance vpnB
ipv4-family
  route-distinguisher 2222:2222
  vpn-target 2222:2222 export-extcommunity evpn
  vpn-target 2222:2222 import-extcommunity evpn
vxlan vni 5020
#
bridge-domain 20
vxlan vni 20
evpn
  route-distinguisher 20:20
  vpn-target 20:20 export-extcommunity
  vpn-target 1111:1111 export-extcommunity
  vpn-target 20:20 import-extcommunity
arp broadcast-suppress mismatch-discard enable
#
bridge-domain 40
vxlan vni 40
evpn
  route-distinguisher 40:40
  vpn-target 40:40 export-extcommunity
  vpn-target 2222:2222 export-extcommunity
  vpn-target 40:40 import-extcommunity
arp broadcast-suppress mismatch-discard enable
#
interface Vbdif20
ip binding vpn-instance vpnA
ip address 20.1.1.1 255.255.255.0
mac-address 00e0-2020-0001
vxlan anycast-gateway enable
arp collect host enable
#
interface Vbdif40
ip binding vpn-instance vpnB
ip address 40.1.1.1 255.255.255.0
mac-address 00e0-4040-0001
vxlan anycast-gateway enable
arp collect host enable
#
interface GE1/0/0
undo portswitch
undo shutdown
ip address 10.1.15.5 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 10.1.25.5 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
undo shutdown
#
interface GE1/0/2.20 mode l2
encapsulation dot1q vid 20
bridge-domain 20
#
interface GE1/0/2.40 mode l2
encapsulation dot1q vid 40
bridge-domain 40
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
ospf enable 1 area 0.0.0.0
#
interface Nve1
source 5.5.5.5
vni 20 head-end peer-list protocol bgp
vni 40 head-end peer-list protocol bgp
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
  undo peer 1.1.1.1 enable
  undo peer 2.2.2.2 enable
#
l2vpn-family evpn
  policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
  peer 2.2.2.2 enable
  peer 2.2.2.2 advertise irb
#
ospf 1
area 0.0.0.0
#
<Leaf4>dis current-configuration
#
sysname Leaf4
#
evpn-overlay enable
#
ip vpn-instance vpnA
ipv4-family
  route-distinguisher 1111:1111
  vpn-target 1111:1111 export-extcommunity evpn
  vpn-target 1111:1111 import-extcommunity evpn
vxlan vni 5010
#
ip vpn-instance vpnB
ipv4-family
  route-distinguisher 2222:2222
  vpn-target 2222:2222 export-extcommunity evpn
  vpn-target 2222:2222 import-extcommunity evpn
vxlan vni 5020
#
bridge-domain 30
vxlan vni 30
evpn
  route-distinguisher 30:30
  vpn-target 30:30 export-extcommunity
  vpn-target 1111:1111 export-extcommunity
  vpn-target 30:30 import-extcommunity
arp broadcast-suppress mismatch-discard enable
#
bridge-domain 40
vxlan vni 40
evpn
  route-distinguisher 40:40
  vpn-target 40:40 export-extcommunity
  vpn-target 2222:2222 export-extcommunity
  vpn-target 40:40 import-extcommunity
arp broadcast-suppress mismatch-discard enable
#
bridge-domain 50
vxlan vni 50
evpn
  route-distinguisher 50:50
  vpn-target 50:50 export-extcommunity
  vpn-target 2222:2222 export-extcommunity
  vpn-target 50:50 import-extcommunity
arp broadcast-suppress mismatch-discard enable
#
interface Vbdif30
ip binding vpn-instance vpnA
ip address 30.1.1.1 255.255.255.0
mac-address 00e0-3030-0001
vxlan anycast-gateway enable
arp collect host enable
#
interface Vbdif40
ip binding vpn-instance vpnB
ip address 40.1.1.1 255.255.255.0
mac-address 00e0-4040-0001
vxlan anycast-gateway enable
arp collect host enable
#
interface Vbdif50
ip binding vpn-instance vpnB
ip address 50.1.1.1 255.255.255.0
mac-address 00e0-5050-0001
vxlan anycast-gateway enable
arp collect host enable
#
interface GE1/0/0
undo portswitch
undo shutdown
ip address 10.1.16.6 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 10.1.26.6 255.255.255.0
ospf network-type p2p
ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
undo shutdown
#
interface GE1/0/2.30 mode l2
encapsulation dot1q vid 30
bridge-domain 30
#
interface GE1/0/2.40 mode l2
encapsulation dot1q vid 40
bridge-domain 40
#
interface GE1/0/2.50 mode l2
encapsulation dot1q vid 50
bridge-domain 50
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
ospf enable 1 area 0.0.0.0
#
interface Nve1
source 6.6.6.6
vni 30 head-end peer-list protocol bgp
vni 40 head-end peer-list protocol bgp
vni 50 head-end peer-list protocol bgp
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
  undo peer 1.1.1.1 enable
  undo peer 2.2.2.2 enable
#
l2vpn-family evpn
  policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
  peer 2.2.2.2 enable
  peer 2.2.2.2 advertise irb
#
ospf 1
area 0.0.0.0
#
sysname Vswitch1
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sysname Vswitch2
#
vlan batch 20 30
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sysname Vswitch3
#
vlan batch 20 40
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sysname Vswitch4
#
vlan batch 30 40 50
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 50

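Check the EVPN peer relationships on the Spine devices:

Check the VXLAN tunnels on each leaf:

Ping the gateway address from every PC. PC1 is shown as an example; the other devices are the same:

The purpose is to let every leaf learn the ARP information:

Check the ARP information on all leaves, as follows:

leaf1 has 2 hosts under BD10

leaf2 has one host each under BD20 and BD30

leaf3 has one host each under BD20 and BD40

leaf4 has one host each under BD30, BD40 and BD50

Ping between hosts that are in the same BD on different leaves, in order to observe the MAC address table.

Taking PC5 pinging PC3 as an example:

First look at PC5's MAC address:

Then check the MAC address table of BD20 on leaf2 to see whether it contains PC5's MAC address:

leaf2 has already recorded PC5's MAC address, as follows:

Check the ARP broadcast suppression table, taking leaf2 as an example:

If every BUM frame of same-subnet traffic were head-end replicated on the leaf and flooded to all peers in the same VNI, it would inevitably consume a large amount of resources. With ARP broadcast suppression enabled, a leaf that receives a BUM frame first looks up its own ARP suppression table, and on a match the broadcast is converted to unicast. It looks like this:

Check the VPN instance routing table on each leaf to see whether the routes have been learned:

All 4 leaves have learned all the ARP routes of the same tenant, as follows: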

 

 

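Once the routes are present, verify that cross-leaf access within the same subnet and between different subnets works:

PC1 accessing PC7 is inter-subnet access, and the ping succeeds, as shown below:

The ICMP packet capture for PC1 accessing PC7 is shown below:

For inter-subnet access, the VXLAN encapsulation carries the Layer 3 VNI.

PC8 accessing PC6 is same-subnet access, and the ping succeeds, as shown below:

The ICMP packet capture for PC8 accessing PC6 is shown below:

For same-subnet access, the VXLAN encapsulation carries the Layer 2 VNI.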

 

 

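Next, look at what the EVPN routes look like, taking leaf1 as an example:

Look at the details of a route entry:

Packet capture of the route update process, taking a BGP Update message sent by leaf1 as an example (Type 2 route):

Reading the fields of the Type 2 route:

Next, look at how Type 5 routes are propagated.

Type 5 routes are generated from external routes. Configure a LoopBack100 interface on leaf1 and then import the direct routes.

The following configuration needs to be added on leaf1: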

interface LoopBack100
 ip binding vpn-instance vpnA
 ip address 100.1.1.1 255.255.255.255
bgp 100
 ipv4-family vpn-instance vpnA
  import-route direct
  advertise l2vpn evpn

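Check the EVPN routing table on leaf1:

Look at the Update message sent by leaf1 (Type 5 route):

Reading the fields of the Type 5 route:

Next, look at the Type 3 Update route, taking leaf1 as an example (Type 3 route):

The packet capture of the Type 3 route is as follows:

Reading the fields of the Type 3 route: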

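About RT values:

Same-subnet access uses the RTs under the BD for import and export (Layer 2 access).

Inter-subnet access uses the RTs under the VPN instance for import and export (Layer 3 access).

As in the figure above: the export/import RT (eiRT) under the BD is 10:10, and the eiRT under the VPN instance is 1111:1111.

By default, Update routes carry the RT value 10:10.

To have the RT value 1111:1111 added to the extended community attribute of the BGP route as well, configure the export RT (1111:1111) again in the EVPN view of the BD.

The BGP route then carries RT (10:10) and RT (1111:1111).

Once RTs have been attached to a route, no distinction is made between the RT from the BD and the RT from the VPN instance. See the packet below:

In the packet, apart from the RT values being different, there is no other distinguishing marker.

So when the route reaches the remote device, the remote end can import it using either RT value.

For example, leaf2 needs to accept leaf1's routes (for a different subnet).

leaf2 then has to import, under its VPN instance, an RT value that the BGP route carries. As mentioned above, the route carries two RTs: RT (10:10) and RT (1111:1111).

The two RT values carry no distinguishing marker.

So leaf2 accepts the route if its instance imports iRT (1111:1111), and it also accepts the route if its instance imports iRT (10:10).

As follows:

Although either RT value can be imported under the instance, in practice it is best to keep BD RTs importing and exporting against each other, and instance RTs importing and exporting against each other.

As shown below: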

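Problems encountered while doing the VXLAN lab on eNSP:

1. A restart may lose the configuration. After configuring, export a copy so the configuration is not lost (export often, or you may end up in tears...).

2. After a restart, same-subnet connectivity may break. Run undo bridge-domain under the leaf's sub-interface and then configure it again to fix it.

3. In VBox, give the CE virtual machines as much memory as possible, otherwise you may sometimes not see the expected behaviour or the VM may simply freeze. My physical host has 380G of memory, so I gave each CE128 40G of memory.
4. Be sure to use the latest version of Wireshark; older versions cannot show the EVPN route information in captures.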

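In summary, four conclusions:

1. It does not matter if the export value under the local VPN instance is not configured, as long as the corresponding export is configured under the BD's EVPN.
2. When I want to import routes sent by the remote end, I can import the eRT value under the remote instance, or the eRT value under the remote EVPN.
3. For ease of maintenance and inspection, it is still best to match VPN with VPN and EVPN with EVPN.
4. Because the peers are EVPN neighbours and what they exchange is EVPN routes, only the eRTs configured under the local EVPN are added to the EVPN routes.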
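
The RT matching rule from the RT section and the four conclusions above, as an added example that is not part of the original post: a Python sketch that parses constructed excerpts of the Leaf1 and Leaf3 configurations on this page and lists which sections on Leaf3 import a Type 2 route exported from Leaf1's BD10. The function names (`parse_rts`, `importers`, `demo`) are hypothetical, and the extra `10:10` import under vpnB is a constructed misconfiguration showing why BD RTs and instance RTs are best kept apart per tenant.

```python
import re
# Constructed excerpts: only the RT lines of the Leaf1 and Leaf3 configs shown on this page.
LEAF1 = """bridge-domain 10
 vpn-target 10:10 export-extcommunity
 vpn-target 1111:1111 export-extcommunity
 vpn-target 10:10 import-extcommunity
#"""
LEAF3 = """ip vpn-instance vpnA
 vpn-target 1111:1111 export-extcommunity evpn
 vpn-target 1111:1111 import-extcommunity evpn
#
ip vpn-instance vpnB
 vpn-target 2222:2222 export-extcommunity evpn
 vpn-target 2222:2222 import-extcommunity evpn
#
bridge-domain 40
 vpn-target 40:40 export-extcommunity
 vpn-target 2222:2222 export-extcommunity
 vpn-target 40:40 import-extcommunity
#"""

def parse_rts(config):
    """Map each 'bridge-domain N' / 'ip vpn-instance NAME' section to its RT sets."""
    tables, current = {}, None
    for line in map(str.strip, config.splitlines()):
        head = re.match(r"(ip vpn-instance|bridge-domain) (\S+)$", line)
        rt = re.match(r"vpn-target (\S+) (export|import)-extcommunity", line)
        if head:
            current = head.group(0)
            # setdefault: a later 'bridge-domain N' under a sub-interface must not reset it
            tables.setdefault(current, {"export": set(), "import": set()})
        elif line == "#":
            current = None
        elif rt and current:
            tables[current][rt.group(2)].add(rt.group(1))
    return tables

def importers(route_rts, tables):
    """A section accepts the route if any carried RT equals one of its import RTs."""
    return sorted(name for name, t in tables.items() if route_rts & t["import"])

def demo():
    leaf3 = parse_rts(LEAF3)
    route_rts = parse_rts(LEAF1)["bridge-domain 10"]["export"]  # RTs on the Type 2 route
    before = importers(route_rts, leaf3)          # only tenant A's VPN instance matches
    leaf3["ip vpn-instance vpnB"]["import"].add("10:10")  # constructed misconfiguration
    return before, importers(route_rts, leaf3)    # tenant B now imports tenant A's route

print(demo())
```

Running the same check over the full configuration of every leaf gives a quick audit of which tenant instances can receive which bridge domain's routes.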
 

eNSP, the CE image and the packet capture software can be downloaded from Baidu Cloud:

Link: https://pan.baidu.com/s/1F8NwUZnzqzvTanM69jd5Tg
Extraction code: v2t6

 

posted @ 2020-06-23 12:03  YangYongming