华为VXLAN分布式网关DCI端到端互联实验

场景说明:左边为AS100、右边为AS200。同一个租户A分别在AS100、AS200存在相应的虚机,现需要互相访问,需要打通VXLAN网络。通过DCI-Leaf互联,DCI-Leaf之间邻居关系为eBGP ipv4/EVPN邻居关系,同时将本端的AS中的VTEP路由通过BGP ipv4协议栈通告至对端AS。Spine作为本AS内路由反射器,VXLAN采用分布式网关部署,underlay层均采用IS-IS协议作为IGP协议打通AS内VTEP互联。

DCI-Leaf-1配置:

#
sysname DCI-Leaf-1
#
evpn-overlay enable
#
isis 1
 is-level level-2
 network-entity 86.0471.0000.0000.0001.00
 import-route bgp //引入BGP ipv4路由打通数据中心间VTEP;此处未加过滤,从对端AS学到的BGP ipv4路由都会被引入本AS的IS-IS,建议采用route-policy方式只接收对端Server-Leaf的VTEP
 prefix-priority level-2 critical tag 100 //优先收敛IS-IS tag为100的路由,也就是VTEP路由
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.0.11.1 255.255.255.252
 isis enable 1
#
interface GE1/0/9
 undo portswitch
 undo shutdown
 ip address 100.0.12.1 255.255.255.252
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 isis enable 1
 isis tag-value 100 //指定IS-IS tag为100
#
bgp 100
 peer 1.1.1.2 as-number 100
 peer 1.1.1.2 connect-interface LoopBack0
 peer 100.0.12.2 as-number 200
 #
 ipv4-family unicast
  import-route isis 1 //将IGP路由引入bgp,打通AS间VTEP路由;此处未配置route-policy,互联链路网段等全部IS-IS路由也会通告给对端AS,可按tag 100过滤只发布VTEP(LoopBack0)路由
  undo peer 1.1.1.2 enable
  peer 100.0.12.2 enable
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 1.1.1.2 enable
  peer 1.1.1.2 advertise irb
  peer 1.1.1.2 next-hop-invariable //保证EVPN路由下一跳不变
  peer 100.0.12.2 enable
  peer 100.0.12.2 advertise irb
  peer 100.0.12.2 next-hop-invariable //保证EVPN路由下一跳不变
#
return

DC1-Spine配置:

#
sysname DC1-Spine
#
evpn-overlay enable
#
isis 1
 is-level level-2
 network-entity 86.0471.0000.0000.0002.00
 prefix-priority level-2 critical tag 100
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.0.11.5 255.255.255.252
 isis enable 1
#
interface GE1/0/9
 undo portswitch
 undo shutdown
 ip address 10.0.11.2 255.255.255.252
 isis enable 1
#
interface LoopBack0
 ip address 1.1.1.2 255.255.255.255
 isis enable 1
 isis tag-value 100
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 peer 1.1.1.3 as-number 100
 peer 1.1.1.3 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.1 enable
  undo peer 1.1.1.3 enable
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
  peer 1.1.1.1 reflect-client  //作为AS100的RR
  peer 1.1.1.3 enable
  peer 1.1.1.3 advertise irb
  peer 1.1.1.3 reflect-client //作为AS100的RR
#
return

DC1-Leaf配置:

#
sysname DC1-Leaf
#
evpn-overlay enable
#
ip vpn-instance A
 ipv4-family
  route-distinguisher 10:10000
  vpn-target 10:10000 export-extcommunity evpn
  vpn-target 10:10000 import-extcommunity evpn
 vxlan vni 5000
#
bridge-domain 10010
 vxlan vni 10010
 evpn
  route-distinguisher 1:10010
  vpn-target 1:10010 export-extcommunity
  vpn-target 10:10000 export-extcommunity
  vpn-target 1:10010 import-extcommunity
#
isis 1
 is-level level-2
 network-entity 86.0471.0000.0000.0003.00
 prefix-priority level-1 critical tag 100
 prefix-priority level-2 critical tag 100
#
interface Vbdif10010
 ip binding vpn-instance A
 ip address 192.168.10.254 255.255.255.0
 mac-address 0000-005e-0110
 vxlan anycast-gateway enable
 arp collect host enable
#
interface GE1/0/0
 undo shutdown
#
interface GE1/0/0.10 mode l2
 encapsulation dot1q vid 10
 bridge-domain 10010
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 10.0.11.6 255.255.255.252
 isis enable 1
#
interface LoopBack0
 ip address 1.1.1.3 255.255.255.255
 isis enable 1
 isis tag-value 100
#
interface Nve1
 source 1.1.1.3
 vni 10010 head-end peer-list protocol bgp
#
interface NULL0
#
bgp 100
 peer 1.1.1.2 as-number 100
 peer 1.1.1.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.2 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 1.1.1.2 enable
  peer 1.1.1.2 advertise irb  //通告IRB路由,因为分布式网关Leaf同时作为L2、L3 GW因此要通告IRB路由
#
return

DC2的配置与DC1类似,除了地址不一样几乎一致。另外,以上给出的配置属于实验环境的最简配置:DCI-Leaf之间跨AS的eBGP会话以及AS内的IS-IS、iBGP邻居均未配置认证,用于生产环境时应补充邻居认证和路由过滤。

实验结果:

PC1访问PC2正常,然后查看DC1-Leaf的租户路由表。

可以看见192.168.20.1的主机路由,并且下一跳为DC2的Leaf。

然后ping同一VXLAN网段内的192.168.10.2却ping不通,考虑可能是BUG导致:可以正常学习到对端的路由,DC2的Leaf上也存在192.168.10.1的路由,两端也正常建立了头端复制通道,但是通讯的时候192.168.10.1访问192.168.10.2却无任何报文发出,并且Leaf上没有对端的ARP表项,因此怀疑是BUG,具体原因尚不清楚。
