求Vxlan+EBGP EVPN的配置案例

如上图所示，leaf_01和leaf_02作为VxLAN的VTEP设备，下挂VM1、VM2、VM3虚机或物理机。构建OVERLAY网络使各个主机间可以二三层互通。

同时Spine_01和Spine_02作为Border连接外部网络，同时作为OVERlAY的RR角色负责转发EVPN的路由信息。

Spine采用S6800H1设备，R2509P02版本。

Leaf 采用S6800H1设备，R2509P02版本。

UnderLay 地址规划：

Spine_01:

Spine_02:

Leaf_01:

Leaf_02:

Router_外网:

UnderLay 地址配置：

按上述表格配置IP地址，配置loopback口及连接leaf_01和leaf_02互联接口的ip地址，下面以Spine_01为例,其他设备配置类似。

[Spine_01]interface LoopBack 0

[Spine_01-LoopBack0] ip address 1.1.1.1 32

[Spine_01]interface Ten-GigabitEthernet1/0/1

[Spine_01-Ten-GigabitEthernet1/0/1]port link-mode route

[Spine_01-Ten-GigabitEthernet1/0/1]ip address 10.1.1.1 30

[Spine_01]interface Ten-GigabitEthernet1/0/2

[Spine_01-Ten-GigabitEthernet1/0/1]port link-mode route

[Spine_01-Ten-GigabitEthernet1/0/1]ip address 10.1.2.1 30

UnderLay 路由配置：

通过OSPF打通underlay的路由，配置OSPF使能loopback口及连接leaf_01和leaf_02端口的OSPF协议，下面以Spine_01为例,其他设备配置类似。

ospf 1 router-id 1.1.1.1    //router-id使用loopback地址

 silent-interface all

 undo silent-interface Ten-GigabitEthernet1/0/1

 undo silent-interface Ten-GigabitEthernet1/0/2

area 0.0.0.0

  network 10.1.1.1 0.0.0.0

  network 10.1.2.1 0.0.0.0

  network 1.1.1.1  0.0.0.0

EVPN 初始配置：

Spine_01:配置MP-IBGP的邻居，Spine_01 Spine_02作为BGP的RR。Spine_02的配置相同。

#

bgp 100

 graceful-restart

 group evpn internal

 peer evpn connect-interface LoopBack0

 peer 3.3.3.3 group evpn

 peer 4.4.4.4 group evpn

#

 address-family l2vpn evpn

  undo policy vpn-target

  peer evpn enable

  peer evpn reflect-client

leaf_01：配置MP-IBGP的邻居，leaf_01 leaf_02作为BGP的client。leaf_02的配置相同。

bgp 100

 graceful-restart

 peer 1.1.1.1 as-number 100

 peer 1.1.1.1 connect-interface LoopBack0

 peer 2.2.2.2 as-number 100

 peer 2.2.2.2 connect-interface LoopBack0

 #

 address-family l2vpn evpn

  peer 1.1.1.1 enable

  peer 2.2.2.2 enable

设备Overlay预配置：

Spine_01/Spine_02：配置如下的两条命令，然后保存配置重启设备。

[Spine_01]hardware-resource switch-mode 4

Do you want to change the specified hardware resource working mode? [Y/N]:y

The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.

[Spine_01]hardware-resource vxlan border24k

Do you want to change the specified hardware resource working mode? [Y/N]:y

The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.

<Spine_01>reboot

Start to check configuration with next startup configuration file, please wait.........DONE!

This command will reboot the device. Continue? [Y/N]:Y

注意：仅仅S68H1作为SPINE的时候才需要上述配置。

使能Vtep功能，配置l2vpn及禁止tunnel接口自动学习arp及mac地址。

[Spine_01]vtep enable

[Spine_01]l2vpn enable

[Spine_01]vxlan tunnel arp-learning disable

[Spine_01]vxlan tunnel mac-learning disable

Leaf_01/leaf_02：配置如下的两条命令，然后保存配置重启设备。

[leaf_01]hardware-resource switch-mode 4

Do you want to change the specified hardware resource working mode? [Y/N]:y

The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.

[leaf_01]hardware-resource vxlan border24k

Do you want to change the specified hardware resource working mode? [Y/N]:y

The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.

<leaf_01>reboot

Start to check configuration with next startup configuration file, please wait.........DONE!

This command will reboot the device. Continue? [Y/N]:Y

配置l2vpn及禁止tunnel接口自动学习arp及mac地址。

[leaf_01]l2vpn enable

[leaf_01]vxlan tunnel arp-learning disable

[leaf_01]vxlan tunnel mac-learning disable

使能vtep功能，并配置接入服务器的接口，如1/0/5端口为trunk，且使能vtep access port功能。

[leaf_01]vtep enable

[leaf_01]interface Ten-GigabitEthernet1/0/5

[LA1-Ten-GigabitEthernet1/0/5]vtep access port

Overlay网络的部署：

完整的环境中VCFC可以对OVERLAY的配置自动下发，本次实验室环境不涉及VCFC，因此这些配置需手工配置。

Leaf1的配置：创建租户所在的VPN实例，并配置RD，RT。RD采用1:l3vni，RT采用的是0:l3vni。

#

ip vpn-instance vpn1

 route-distinguisher 1:24001

 description SDN_VRF_vpn1

 #

 address-family ipv4

  vpn-target 0:24001 import-extcommunity

  vpn-target 0:24001 export-extcommunity

 #

 address-family evpn

  vpn-target 0:24001 import-extcommunity

  vpn-target 0:24001 export-extcommunity

创建VLAN

#

vlan 601 to 602

#

配置VSI实例，分别指定l2vni为601、602，开启arp抑制功能，关闭广播泛洪，配置Vxlan RD RT自动生成。

vsi SDN_VSI_601

 statistics enable

 arp suppression enable

 flooding disable all

 vxlan 601

 evpn encapsulation vxlan

  route-distinguisher auto

  vpn-target auto export-extcommunity

  vpn-target auto import-extcommunity

vsi SDN_VSI_602

statistics enable

 arp suppression enable

 flooding disable all

 vxlan 602

 evpn encapsulation vxlan

  route-distinguisher auto

  vpn-target auto export-extcommunity

  vpn-target auto import-extcommunity

配置连接VM1的接口，将VM1划入vxlan 601的网络。注意端口pvid设置为601，并且vxlan的接入模式为ethernet。

#

interface Ten-GigabitEthernet1/0/5

 port link-mode bridge

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 601

port trunk pvid vlan 601

 vtep access port

 service-instance 601

  encapsulation s-vid 601

  xconnect vsi SDN_VSI_601 access-mode ethernet

#

配置连接VM2的接口，将VM2划入vxlan 602的网络。

#

interface Ten-GigabitEthernet1/0/6

 port link-mode bridge

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 602

port trunk pvid vlan 602

 vtep access port

 service-instance 602

  encapsulation s-vid 602

  xconnect vsi SDN_VSI_602 access-mode ethernet

#

创建VSI接口作为VM的网关。

interface Vsi-interface601

 description SDN_VSI_Interface_601

 ip binding vpn-instance vpn1

 ip address 10.1.2.1 255.255.255.0 sub

 mac-address 6805-ca21-d6e5

 distributed-gateway local

#

interface Vsi-interface602

 description SDN_VSI_Interface_602

 ip binding vpn-instance vpn1

 ip address 10.1.3.1 255.255.255.0 sub

 mac-address 6805-ca21-d6e5

 distributed-gateway local

#

将网关和对应的VSI实例绑定

vsi SDN_VSI_601

 gateway vsi-interface 601

#

vsi SDN_VSI_602

 gateway vsi-interface 602

创建L3VIN的三层接口，并绑定L3VNI

interface Vsi-interface24001

 description SDN_VRF_VSI_Interface_24001

 ip binding vpn-instance vpn1

 l3-vni 24001

#

配置BGP将OVERLAY的路由发布出去

#

bgp 100

 ip vpn-instance vpn1

  address-family ipv4 unicast

   balance 4

   network 10.1.2.0 255.255.255.0

   network 10.1.2.1 255.255.255.255

   network 10.1.3.0 255.255.255.0

   network 10.1.3.1 255.255.255.255

#

此时leaf的配置配置结束，可以验证跨网段同leaf两个VM直接的互访了。

Leaf2的配置：

创建租户所在的VPN实例，并配置RD，RT。RD采用1:l3vni，RT采用的是0:l3vni。

#

ip vpn-instance vpn1

 route-distinguisher 1:24001

 description SDN_VRF_vpn1

 #

 address-family ipv4

  vpn-target 0:24001 import-extcommunity

  vpn-target 0:24001 export-extcommunity

 #

 address-family evpn

  vpn-target 0:24001 import-extcommunity

  vpn-target 0:24001 export-extcommunity

创建VLAN

#

vlan 601

#

配置VSI实例，分别指定l2vni为601，开启arp抑制功能，关闭广播泛洪，配置Vxlan RD RT自动生成。

vsi SDN_VSI_601

 statistics enable

 arp suppression enable

 flooding disable all

 vxlan 601

 evpn encapsulation vxlan

  route-distinguisher auto

  vpn-target auto export-extcommunity

  vpn-target auto import-extcommunity

配置连接VM3的接口，将VM3划入vxlan 601的网络。注意端口pvid设置为601，并且vxlan的接入模式为ethernet。

#

interface Ten-GigabitEthernet1/0/5

 port link-mode bridge

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 601

port trunk pvid vlan 601

 vtep access port

 service-instance 601

  encapsulation s-vid 601

  xconnect vsi SDN_VSI_601 access-mode ethernet

#

创建VSI接口作为VM的网关。

interface Vsi-interface601

 description SDN_VSI_Interface_601

 ip binding vpn-instance vpn1

 ip address 10.1.2.1 255.255.255.0 sub

 mac-address 6805-ca21-d6e5

 distributed-gateway local

#

将网关和对应的VSI实例绑定

vsi SDN_VSI_601

 gateway vsi-interface 601

创建L3VIN的三层接口，并绑定L3VNI

interface Vsi-interface24001

 description SDN_VRF_VSI_Interface_24001

 ip binding vpn-instance vpn1

 l3-vni 24001

#

配置BGP将OVERLAY的路由发布出去

#

bgp 100

 ip vpn-instance vpn1

  address-family ipv4 unicast

   balance 4

   network 10.1.2.0 255.255.255.0

   network 10.1.2.1 255.255.255.255

#

至此leaf2的配置完毕，配置VM1、VM2、VM3的IP地址验证三个VM直接的互通性。

OVERLAY网络VM间主机互访验证

按照上述表格配置VM的地址，测试VM间互通性，并查看设备上学习的本端及远端主机的表项信息（具体命令见后文）。

部署Spine（Border）Overlay与外部网络互通

Spine_01&Spine_02：在两个核心设备上创建vpn实例，配置RD属性:1000：24001（Spine_01），1001：24001（Spine_02），RT属性：0:24001,并配置L3VNI接口。

ip vpn-instance vpn1

 route-distinguisher 1000:24001

 #

 address-family ipv4

  vpn-target 0:24001 import-extcommunity

  vpn-target 0:24001 export-extcommunity

 #

 address-family evpn

  vpn-target 0:24001 import-extcommunity

  vpn-target 0:24001 export-extcommunity

创建L3VIN的三层接口，并绑定L3VNI

interface Vsi-interface24001

 description SDN_VRF_VSI_Interface_24001

 ip binding vpn-instance vpn1

 l3-vni 24001

#

配置Spine_01& Spine_02连接Router_外网的互联接口：

[Spine_01]interface Ten-GigabitEthernet1/0/3

[Spine_01-Ten-GigabitEthernet1/0/1]port link-mode route

[Spine_01-Ten-GigabitEthernet1/0/1]ip binding vpn-instance vpn1

[Spine_01-Ten-GigabitEthernet1/0/1]ip address 10.1.3.1 30

[Spine_02]interface Ten-GigabitEthernet1/0/2

[Spine_02-Ten-GigabitEthernet1/0/1]port link-mode route

[Spine_02-Ten-GigabitEthernet1/0/1]ip binding vpn-instance vpn1

[Spine_02-Ten-GigabitEthernet1/0/1]ip address 10.1.6.1 30

配置基于vpn实例的OSPF进程，与Router_外网建立邻居关系，接收Router_外网发布外部路由，并且引入BGP的路由。

Spine_01:

ospf 3 vpn-instance vpn1

 import-route bgp 100 allow-ibgp

 area 0.0.0.0

  network 10.1.3.1 0.0.0.0

#

Spine_02:

ospf 3 vpn-instance vpn1

 import-route bgp 100 allow-ibgp

 area 0.0.0.0

  network 10.1.6.1 0.0.0.0

#

配置Spine_01&Spine_02上的BGP，引入OSPF路由。

bgp 65205 instance SDN_INSTANCE_BGP

 ip vpn-instance vpn1

  address-family ipv4 unicast

   import-route ospf 3

至此与外网互通的工作配置完毕。

测试overlay与传统网络的互通

配置Router_外网连接Spine_01& Spine_02的互联接口：

[Router_外网]interface Ten-GigabitEthernet1/0/1

[Router_外网-Ten-GigabitEthernet1/0/1]port link-mode route

[Router_外网-Ten-GigabitEthernet1/0/1]ip address 10.1.3.2 30

[Router_外网]interface Ten-GigabitEthernet1/0/2

[Router_外网-Ten-GigabitEthernet1/0/1]port link-mode route

[Router_外网-Ten-GigabitEthernet1/0/1]ip address 10.1.6.2 30

配置Loopback，并发布在OSPF中

interface LoopBack0

 ip address 220.1.1.1 255.255.255.255

#

ospf 1

area 0.0.0.0

  network 10.1.3.2 0.0.0.0

  network 10.1.6.2 0.0.0.0

  network 220.1.1.1 0.0.0.0

至此Router_外网设备的配置完毕，可以测试VM 与220.1.1.1的互通性。

实验中涉及到的一些查看命令

查看设备的路由表：

<leaf_01>display ip routing-table vpn-instance vpn1

Destinations : 21       Routes : 21

Destination/Mask   Proto   Pre Cost        NextHop         Interface

220.1.1.1/32       BGP     255 2           2.2.2.1         Vsi24001

查看邻居信息：

<LA1>display bgp peer l2vpn evpn 

 BGP local router ID: 2.2.2.6

 Local AS number: 65205

 Total number of peers: 2                 Peers in established state: 2

  * - Dynamically created peer

  Peer                    AS  MsgRcvd  MsgSent OutQ PrefRcv Up/Down  State

  2.2.2.4              65205     2184     1901    0      13 0030h02m Established

  2.2.2.5              65205     2109     1844    0      13 0030h02m Established

查看EVPN的路由表

<LA1>display  bgp  l2vpn evpn 

 BGP local router ID is 2.2.2.6

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external

               Origin: i - IGP, e - EGP, ? - incomplete

 Total number of routes from all PEs: 27

 Route distinguisher: 1:601

 Total number of routes: 1

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

* >  [3][0][32][2.2.2.6]/80

                        0.0.0.0         0          100        32768   i

 Route distinguisher: 1:24001(vpn1)

 Total number of routes: 26

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

* >i [5][0][32][220.1.1.1]/80

                        2.2.2.1         2          100        0       ?

*  i                     2.2.2.1         2          100        0       ?