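VXLAN BGP-EVPN Distributed Gateway Lab on ENSP
The lab topology is shown below:
The interconnect and peering between the Spines are ignored.
The underlay network uses OSPF.
The VTEP addresses are planned as follows:
Because every device in this scenario is a single node and no tunnel load balancing is involved, the VTEP address and the BGP peering address can be the same address.
For nodes with M-LAG, or other scenarios that need tunnel load balancing, the VTEP address and the BGP peering address cannot be the same address.
The detailed service plan is as follows:
Assume there are two tenants (services), service A and service B, planned as follows:
The configuration is as follows: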
<Spine1>dis current-configuration
sysname Spine1
#
evpn-overlay enable
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.1.13.1 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 10.1.14.1 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
 undo portswitch
 undo shutdown
 ip address 10.1.15.1 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/3
 undo portswitch
 undo shutdown
 ip address 10.1.16.1 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/4
 undo portswitch
 undo shutdown
 ip address 10.1.12.1 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
bgp 100
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack0
 peer 4.4.4.4 as-number 100
 peer 4.4.4.4 connect-interface LoopBack0
 peer 5.5.5.5 as-number 100
 peer 5.5.5.5 connect-interface LoopBack0
 peer 6.6.6.6 as-number 100
 peer 6.6.6.6 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 3.3.3.3 enable
  undo peer 4.4.4.4 enable
  undo peer 5.5.5.5 enable
  undo peer 6.6.6.6 enable
  undo peer 2.2.2.2 enable
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 2.2.2.2 enable
  peer 2.2.2.2 advertise irb
  peer 2.2.2.2 reflect-client
  peer 3.3.3.3 enable
  peer 3.3.3.3 advertise irb
  peer 3.3.3.3 reflect-client
  peer 4.4.4.4 enable
  peer 4.4.4.4 advertise irb
  peer 4.4.4.4 reflect-client
  peer 5.5.5.5 enable
  peer 5.5.5.5 advertise irb
  peer 5.5.5.5 reflect-client
  peer 6.6.6.6 enable
  peer 6.6.6.6 advertise irb
  peer 6.6.6.6 reflect-client
#
ospf 1
 area 0.0.0.0
#
<Spine2>dis current-configuration
sysname Spine2
#
evpn-overlay enable
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.1.23.2 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 10.1.24.2 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
 undo portswitch
 undo shutdown
 ip address 10.1.25.2 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/3
 undo portswitch
 undo shutdown
 ip address 10.1.26.2 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/4
 undo portswitch
 undo shutdown
 ip address 10.1.12.2 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack0
 peer 4.4.4.4 as-number 100
 peer 4.4.4.4 connect-interface LoopBack0
 peer 5.5.5.5 as-number 100
 peer 5.5.5.5 connect-interface LoopBack0
 peer 6.6.6.6 as-number 100
 peer 6.6.6.6 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.1 enable
  undo peer 3.3.3.3 enable
  undo peer 4.4.4.4 enable
  undo peer 5.5.5.5 enable
  undo peer 6.6.6.6 enable
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
  peer 1.1.1.1 reflect-client
  peer 3.3.3.3 enable
  peer 3.3.3.3 advertise irb
  peer 3.3.3.3 reflect-client
  peer 4.4.4.4 enable
  peer 4.4.4.4 advertise irb
  peer 4.4.4.4 reflect-client
  peer 5.5.5.5 enable
  peer 5.5.5.5 advertise irb
  peer 5.5.5.5 reflect-client
  peer 6.6.6.6 enable
  peer 6.6.6.6 advertise irb
  peer 6.6.6.6 reflect-client
#
ospf 1
 area 0.0.0.0
#
[~Leaf1]dis current-configuration
#
sysname Leaf1
#
evpn-overlay enable
#
ip vpn-instance vpnA
 ipv4-family
  route-distinguisher 1111:1111
  vpn-target 1111:1111 export-extcommunity evpn
  vpn-target 1111:1111 import-extcommunity evpn
 vxlan vni 5010
#
bridge-domain 10
 vxlan vni 10
 evpn
  route-distinguisher 10:10
  vpn-target 10:10 export-extcommunity
  vpn-target 1111:1111 export-extcommunity
  vpn-target 10:10 import-extcommunity
 arp broadcast-suppress mismatch-discard enable
#
interface Vbdif10
 ip binding vpn-instance vpnA
 ip address 10.1.1.1 255.255.255.0
 mac-address 00e0-1010-0001
 vxlan anycast-gateway enable
 arp collect host enable
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.1.13.3 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 10.1.23.3 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
 undo shutdown
#
interface GE1/0/2.10 mode l2
 encapsulation dot1q vid 10
 bridge-domain 10
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface Nve1
 source 3.3.3.3
 vni 10 head-end peer-list protocol bgp
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.1 enable
  undo peer 2.2.2.2 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
  peer 2.2.2.2 enable
  peer 2.2.2.2 advertise irb
#
ospf 1
 area 0.0.0.0
#
<Leaf2>dis current-configuration
#
sysname Leaf2
#
evpn-overlay enable
#
ip vpn-instance vpnA
 ipv4-family
  route-distinguisher 1111:1111
  vpn-target 1111:1111 export-extcommunity evpn
  vpn-target 1111:1111 import-extcommunity evpn
 vxlan vni 5010
#
bridge-domain 20
 vxlan vni 20
 evpn
  route-distinguisher 20:20
  vpn-target 20:20 export-extcommunity
  vpn-target 1111:1111 export-extcommunity
  vpn-target 20:20 import-extcommunity
 arp broadcast-suppress mismatch-discard enable
#
bridge-domain 30
 vxlan vni 30
 evpn
  route-distinguisher 30:30
  vpn-target 30:30 export-extcommunity
  vpn-target 1111:1111 export-extcommunity
  vpn-target 30:30 import-extcommunity
 arp broadcast-suppress mismatch-discard enable
#
interface Vbdif20
 ip binding vpn-instance vpnA
 ip address 20.1.1.1 255.255.255.0
 mac-address 00e0-2020-0001
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif30
 ip binding vpn-instance vpnA
 ip address 30.1.1.1 255.255.255.0
 mac-address 00e0-3030-0001
 vxlan anycast-gateway enable
 arp collect host enable
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.1.14.4 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 10.1.24.4 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
 undo shutdown
#
interface GE1/0/2.20 mode l2
 encapsulation dot1q vid 20
 bridge-domain 20
#
interface GE1/0/2.30 mode l2
 encapsulation dot1q vid 30
 bridge-domain 30
#
interface LoopBack0
 ip address 4.4.4.4 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface Nve1
 source 4.4.4.4
 vni 20 head-end peer-list protocol bgp
 vni 30 head-end peer-list protocol bgp
#
interface NULL0
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.1 enable
  undo peer 2.2.2.2 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
  peer 2.2.2.2 enable
  peer 2.2.2.2 advertise irb
#
ospf 1
 area 0.0.0.0
#
<Leaf3>dis current-configuration
#
sysname Leaf3
#
evpn-overlay enable
#
ip vpn-instance vpnA
 ipv4-family
  route-distinguisher 1111:1111
  vpn-target 1111:1111 export-extcommunity evpn
  vpn-target 1111:1111 import-extcommunity evpn
 vxlan vni 5010
#
ip vpn-instance vpnB
 ipv4-family
  route-distinguisher 2222:2222
  vpn-target 2222:2222 export-extcommunity evpn
  vpn-target 2222:2222 import-extcommunity evpn
 vxlan vni 5020
#
bridge-domain 20
 vxlan vni 20
 evpn
  route-distinguisher 20:20
  vpn-target 20:20 export-extcommunity
  vpn-target 1111:1111 export-extcommunity
  vpn-target 20:20 import-extcommunity
 arp broadcast-suppress mismatch-discard enable
#
bridge-domain 40
 vxlan vni 40
 evpn
  route-distinguisher 40:40
  vpn-target 40:40 export-extcommunity
  vpn-target 2222:2222 export-extcommunity
  vpn-target 40:40 import-extcommunity
 arp broadcast-suppress mismatch-discard enable
#
interface Vbdif20
 ip binding vpn-instance vpnA
 ip address 20.1.1.1 255.255.255.0
 mac-address 00e0-2020-0001
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif40
 ip binding vpn-instance vpnB
 ip address 40.1.1.1 255.255.255.0
 mac-address 00e0-4040-0001
 vxlan anycast-gateway enable
 arp collect host enable
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.1.15.5 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 10.1.25.5 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
 undo shutdown
#
interface GE1/0/2.20 mode l2
 encapsulation dot1q vid 20
 bridge-domain 20
#
interface GE1/0/2.40 mode l2
 encapsulation dot1q vid 40
 bridge-domain 40
#
interface LoopBack0
 ip address 5.5.5.5 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface Nve1
 source 5.5.5.5
 vni 20 head-end peer-list protocol bgp
 vni 40 head-end peer-list protocol bgp
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.1 enable
  undo peer 2.2.2.2 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
  peer 2.2.2.2 enable
  peer 2.2.2.2 advertise irb
#
ospf 1
 area 0.0.0.0
#
<Leaf4>dis current-configuration
#
sysname Leaf4
#
evpn-overlay enable
#
ip vpn-instance vpnA
 ipv4-family
  route-distinguisher 1111:1111
  vpn-target 1111:1111 export-extcommunity evpn
  vpn-target 1111:1111 import-extcommunity evpn
 vxlan vni 5010
#
ip vpn-instance vpnB
 ipv4-family
  route-distinguisher 2222:2222
  vpn-target 2222:2222 export-extcommunity evpn
  vpn-target 2222:2222 import-extcommunity evpn
 vxlan vni 5020
#
bridge-domain 30
 vxlan vni 30
 evpn
  route-distinguisher 30:30
  vpn-target 30:30 export-extcommunity
  vpn-target 1111:1111 export-extcommunity
  vpn-target 30:30 import-extcommunity
 arp broadcast-suppress mismatch-discard enable
#
bridge-domain 40
 vxlan vni 40
 evpn
  route-distinguisher 40:40
  vpn-target 40:40 export-extcommunity
  vpn-target 2222:2222 export-extcommunity
  vpn-target 40:40 import-extcommunity
 arp broadcast-suppress mismatch-discard enable
#
bridge-domain 50
 vxlan vni 50
 evpn
  route-distinguisher 50:50
  vpn-target 50:50 export-extcommunity
  vpn-target 2222:2222 export-extcommunity
  vpn-target 50:50 import-extcommunity
 arp broadcast-suppress mismatch-discard enable
#
interface Vbdif30
 ip binding vpn-instance vpnA
 ip address 30.1.1.1 255.255.255.0
 mac-address 00e0-3030-0001
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif40
 ip binding vpn-instance vpnB
 ip address 40.1.1.1 255.255.255.0
 mac-address 00e0-4040-0001
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif50
 ip binding vpn-instance vpnB
 ip address 50.1.1.1 255.255.255.0
 mac-address 00e0-5050-0001
 vxlan anycast-gateway enable
 arp collect host enable
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.1.16.6 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 10.1.26.6 255.255.255.0
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
 undo shutdown
#
interface GE1/0/2.30 mode l2
 encapsulation dot1q vid 30
 bridge-domain 30
#
interface GE1/0/2.40 mode l2
 encapsulation dot1q vid 40
 bridge-domain 40
#
interface GE1/0/2.50 mode l2
 encapsulation dot1q vid 50
 bridge-domain 50
#
interface LoopBack0
 ip address 6.6.6.6 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface Nve1
 source 6.6.6.6
 vni 30 head-end peer-list protocol bgp
 vni 40 head-end peer-list protocol bgp
 vni 50 head-end peer-list protocol bgp
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.1 enable
  undo peer 2.2.2.2 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
  peer 2.2.2.2 enable
  peer 2.2.2.2 advertise irb
#
ospf 1
 area 0.0.0.0
#
sysname Vswitch1
#
vlan batch 10
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sysname Vswitch2
#
vlan batch 20 30
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sysname Vswitch3
#
vlan batch 20 40
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sysname Vswitch4
#
vlan batch 30 40 50
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 40
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 50
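Check the EVPN peer relationships on the Spine devices:
Check the VXLAN tunnels on each leaf:
Ping the gateway address from every PC. PC1 is shown as an example; the other devices are the same:
The purpose is to let all leaves learn the ARP entries:
Check the ARP entries on all leaves, as follows:
leaf1 has 2 hosts under BD10
leaf2 has one host each under BD20 and BD30
leaf3 has one host each under BD20 and BD40
leaf4 has one host each under BD30, BD40 and BD50
Ping between hosts that are in the same BD on different leaves, in order to observe the MAC address table.
Taking PC5 pinging PC3 as an example:
First look at PC5's MAC address, as follows:
Then check the BD20 MAC address table on leaf2 to see whether it contains PC5's MAC address:
leaf2 has already recorded PC5's MAC address, as follows:
Check the ARP broadcast suppression table, using leaf2 as an example:
If every BUM frame of same-subnet traffic were head-end replicated on the leaf and flooded to all peers in the same VNI, it would inevitably consume a large amount of resources. With ARP broadcast suppression enabled, when a leaf receives a BUM frame it first looks up its own ARP suppression table, and on a match the broadcast is converted to unicast, as shown below:
Check the VPN instance routing table on each leaf to see whether the routes have been learned:
All 4 leaves have learned all ARP routes of the same tenant, as follows:
With the routes in place, verify that cross-leaf access within the same subnet and across subnets works:
PC1 accessing PC7 is cross-subnet access, and the ping succeeds, as shown below:
The ICMP capture of PC1 accessing PC7 is shown below:
For cross-subnet access, the VXLAN encapsulation carries the Layer 3 VNI.
PC8 accessing PC6 is same-subnet access, and the ping succeeds, as shown below:
The ICMP capture of PC8 accessing PC6 is shown below:
For same-subnet access, the VXLAN encapsulation carries the Layer 2 VNI.
Next, let's see what the EVPN routes look like, using leaf1 as an example, as shown below:
Look at the details of a route entry:
A capture of the route update process, taking a BGP Update message sent by leaf1 as an example (Type 2 route):
Field breakdown of the Type 2 route:
Next, let's see how Type 5 routes are propagated.
Type 5 routes are generated from external routes. Configure a LoopBack100 interface on leaf1 and then import direct routes.
The following configuration needs to be added on leaf1: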
interface LoopBack100
 ip binding vpn-instance vpnA
 ip address 100.1.1.1 255.255.255.255
bgp 100
 ipv4-family vpn-instance vpnA
  import-route direct
  advertise l2vpn evpn
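Check the EVPN routing table on leaf1, as follows:
Look at the Update message sent by leaf1 (Type 5 route):
Field breakdown of the Type 5 route:
Next, look at the Type 3 Update route, using leaf1 as an example, as shown below (Type 3 route):
The Type 3 route capture is as follows:
Field breakdown of the Type 3 route:
About RT values:
Same-subnet access uses the RTs under the BD for import and export (Layer 2 access).
Cross-subnet access uses the RTs under the VPN instance for import and export (Layer 3 access).
As shown above: the export/import RT (eiRT) under the BD is 10:10, and the eiRT under the VPN instance is 1111:1111.
By default, Update routes carry the RT value 10:10.
To have RT 1111:1111 also added to the extended community attribute of the BGP route, configure an additional export RT (1111:1111) in the BD's EVPN view.
The BGP route then carries RT (10:10) and RT (1111:1111).
Once RT attributes have been attached to a route, no distinction is made between the RT under the BD and the RT under the VPN instance. See the packet below:
In the packet, apart from the RT values being different, there is no other distinguishing marker.
So when the route reaches the remote device, the remote end can import it using either RT value.
For example, leaf2 needs to accept routes from leaf1 (for a different subnet).
The VPN instance on leaf2 then has to import an RT value that matches the BGP route. As mentioned above, the route carries two RTs, RT (10:10) and RT (1111:1111),
and the two RT values carry no distinguishing marker.
So leaf2 can accept the route by importing iRT (1111:1111) under the instance, and it can equally accept the route by importing iRT (10:10).
As follows:
Although any of the RT values can be imported under the instance, in practice it is best to have the BD RTs import and export against each other, and the instance RTs import and export against each other.
As shown below: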
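The RT matching described above, as an added example that is not part of the original post: a short Python audit that parses vpn-target lines in the syntax used on this page and reports which VPN instances would import each BD's routes. The sample config is constructed: vpnA and BD 10 follow Leaf1, vpnB importing 10:10 is a hypothetical mistake that lets tenant A's routes into tenant B, and the function names are this example's own.

```python
import re

# Constructed sample in the page's Huawei CE syntax. vpnA and BD 10 follow Leaf1;
# vpnB importing 10:10 is a hypothetical misconfiguration added for illustration.
SAMPLE = """\
ip vpn-instance vpnA
 ipv4-family
  vpn-target 1111:1111 export-extcommunity evpn
  vpn-target 1111:1111 import-extcommunity evpn
#
ip vpn-instance vpnB
 ipv4-family
  vpn-target 2222:2222 export-extcommunity evpn
  vpn-target 10:10 import-extcommunity evpn
#
bridge-domain 10
 evpn
  vpn-target 10:10 export-extcommunity
  vpn-target 1111:1111 export-extcommunity
  vpn-target 10:10 import-extcommunity
"""
RT_LINE = re.compile(r"vpn-target (.+?) (export|import)-extcommunity")

def parse(cfg):
    """Map each 'ip vpn-instance'/'bridge-domain' header to its export/import RT sets."""
    sections, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith(("ip vpn-instance ", "bridge-domain ")):
            cur = sections.setdefault(line.strip(), {"export": set(), "import": set()})
        elif not line[:1].isspace():  # '#' or any other top-level line ends the section
            cur = None
        elif cur is not None and (m := RT_LINE.search(line)):
            cur[m.group(2)].update(m.group(1).split())
    return sections

def importers(cfg):
    """For each BD, list the VPN instances whose import RTs match an RT the BD exports."""
    secs = parse(cfg)
    vpns = {k: v for k, v in secs.items() if k.startswith("ip vpn-instance ")}
    return {bd: [(name, sorted(s["export"] & v["import"]))
                 for name, v in vpns.items() if s["export"] & v["import"]]
            for bd, s in secs.items() if bd.startswith("bridge-domain ")}

def leaks(cfg):
    """BDs whose routes are imported by more than one VPN instance (tenant crossing)."""
    return {bd: hits for bd, hits in importers(cfg).items() if len(hits) > 1}

if __name__ == "__main__":
    print(leaks(SAMPLE))
```

Because the route itself does not say which RT came from the BD and which from the instance, the only place to catch this is the configuration, which is why the audit compares BD export sets against instance import sets.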
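Problems encountered when doing the VXLAN lab on ENSP:
In summary: four conclusions
ENSP, the CE image and the packet capture software can be downloaded from Baidu Cloud:
Extraction code: v2t6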