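Scenario: AS100 is on the left and AS200 is on the right. Tenant A has virtual machines in both AS100 and AS200 that need to reach each other, so the VXLAN networks of the two sites must be connected. The sites are interconnected through DCI-Leafs. The DCI-Leafs are eBGP IPv4/EVPN peers of each other, and each one advertises the VTEP routes of its own AS to the remote AS through the BGP IPv4 address family. The Spine acts as the route reflector inside its AS, VXLAN is deployed with distributed gateways, and the underlay uses IS-IS as the IGP to provide VTEP reachability inside each AS.
DCI-Leaf-1 configuration: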
#
sysname DCI-Leaf-1
#
evpn-overlay enable
#
isis 1
 is-level level-2
 network-entity 86.0471.0000.0000.0001.00
 import-route bgp  //Import BGP IPv4 routes to connect the VTEPs between data centers; a route-policy can be used here to accept only the remote Server-Leaf VTEPs
 prefix-priority level-2 critical tag 100  //Prioritize IS-IS routes with tag 100, that is, the VTEP routes
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.0.11.1 255.255.255.252
 isis enable 1
#
interface GE1/0/9
 undo portswitch
 undo shutdown
 ip address 100.0.12.1 255.255.255.252
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 isis enable 1
 isis tag-value 100  //Set the IS-IS tag to 100
#
bgp 100
 peer 1.1.1.2 as-number 100
 peer 1.1.1.2 connect-interface LoopBack0
 peer 100.0.12.2 as-number 200
 #
 ipv4-family unicast
  import-route isis 1  //Import IGP routes into BGP to exchange VTEP routes between the ASes
  undo peer 1.1.1.2 enable
  peer 100.0.12.2 enable
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 1.1.1.2 enable
  peer 1.1.1.2 advertise irb
  peer 1.1.1.2 next-hop-invariable  //Keep the next hop of EVPN routes unchanged
  peer 100.0.12.2 enable
  peer 100.0.12.2 advertise irb
  peer 100.0.12.2 next-hop-invariable  //Keep the next hop of EVPN routes unchanged
#
return
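The comment on import-route bgp above notes that a route-policy can limit what is accepted from the remote AS. One way to write that filter on DCI-Leaf-1 follows as an added example, not part of the original configuration; it also restricts the IS-IS to BGP direction to tag-100 routes. Assumptions: 2.2.2.3/32 is a placeholder for the DC2 Server-Leaf loopback (the page does not give DC2 addresses), the names DC2-VTEP, BGP-TO-ISIS and ISIS-TO-BGP are hypothetical, and the // annotations are notes in the page's style rather than CLI input.

```text
//Added example for DCI-Leaf-1; 2.2.2.3/32 and all policy names are assumptions
#
ip ip-prefix DC2-VTEP index 10 permit 2.2.2.3 32  //Exact /32 match on the remote Server-Leaf VTEP
#
route-policy BGP-TO-ISIS permit node 10
 if-match ip-prefix DC2-VTEP  //Other prefixes learned from AS200 match no node and are not imported into IS-IS
#
route-policy ISIS-TO-BGP permit node 10
 if-match tag 100  //Only routes carrying the tag set by "isis tag-value 100" are advertised to AS200
#
isis 1
 import-route bgp route-policy BGP-TO-ISIS  //Replaces the unfiltered "import-route bgp"
#
bgp 100
 #
 ipv4-family unicast
  import-route isis 1 route-policy ISIS-TO-BGP  //Replaces the unfiltered "import-route isis 1"
#
```

The tag match only works if IS-IS actually carries the tag, which requires a wide cost style; the configuration on this page does not show the cost-style setting.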
DC1-Spine configuration:
#
sysname DC1-Spine
#
evpn-overlay enable
#
isis 1
 is-level level-2
 network-entity 86.0471.0000.0000.0002.00
 prefix-priority level-2 critical tag 100
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.0.11.5 255.255.255.252
 isis enable 1
#
interface GE1/0/9
 undo portswitch
 undo shutdown
 ip address 10.0.11.2 255.255.255.252
 isis enable 1
#
interface LoopBack0
 ip address 1.1.1.2 255.255.255.255
 isis enable 1
 isis tag-value 100
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 peer 1.1.1.3 as-number 100
 peer 1.1.1.3 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.1 enable
  undo peer 1.1.1.3 enable
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
  peer 1.1.1.1 reflect-client  //Acts as the RR for AS100
  peer 1.1.1.3 enable
  peer 1.1.1.3 advertise irb
  peer 1.1.1.3 reflect-client  //Acts as the RR for AS100
#
return
DC1-Leaf configuration:
#
sysname DC1-Leaf
#
evpn-overlay enable
#
ip vpn-instance A
 ipv4-family
  route-distinguisher 10:10000
  vpn-target 10:10000 export-extcommunity evpn
  vpn-target 10:10000 import-extcommunity evpn
 vxlan vni 5000
#
bridge-domain 10010
 vxlan vni 10010
 evpn
  route-distinguisher 1:10010
  vpn-target 1:10010 export-extcommunity
  vpn-target 10:10000 export-extcommunity
  vpn-target 1:10010 import-extcommunity
#
isis 1
 is-level level-2
 network-entity 86.0471.0000.0000.0003.00
 prefix-priority level-1 critical tag 100
 prefix-priority level-2 critical tag 100
#
interface Vbdif10010
 ip binding vpn-instance A
 ip address 192.168.10.254 255.255.255.0
 mac-address 0000-005e-0110
 vxlan anycast-gateway enable
 arp collect host enable
#
interface GE1/0/0
 undo shutdown
#
interface GE1/0/0.10 mode l2
 encapsulation dot1q vid 10
 bridge-domain 10010
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 10.0.11.6 255.255.255.252
 isis enable 1
#
interface LoopBack0
 ip address 1.1.1.3 255.255.255.255
 isis enable 1
 isis tag-value 100
#
interface Nve1
 source 1.1.1.3
 vni 10010 head-end peer-list protocol bgp
#
interface NULL0
#
bgp 100
 peer 1.1.1.2 as-number 100
 peer 1.1.1.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.2 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 1.1.1.2 enable
  peer 1.1.1.2 advertise irb  //Advertise IRB routes; with distributed gateways the Leaf is both the L2 and the L3 gateway, so it must advertise IRB routes
#
return
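The DC2 configuration is similar to DC1's; apart from the addresses it is almost identical.
Lab results:
PC1 can reach PC2 normally. Next, look at the tenant routing table on DC1-Leaf.
The host route for 192.168.20.1 is visible, and its next hop is DC2's Leaf.
Pinging 192.168.10.2 over the VXLAN, however, fails. I suspect a bug may be the cause: the remote routes are learned normally, DC2's Leaf also has the route for 192.168.10.1, and both ends set up their head-end replication tunnels normally, yet when 192.168.10.1 tries to reach 192.168.10.2 no packets are sent at all, hence the suspicion of a bug. The Leaf also has no ARP entry for the remote host, and I do not know what causes this.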