Configuring Layer 2 DCI
Configuring Spine Nodes
This section describes only the interconnection configuration between spine nodes and DCI leaf nodes. Other configurations are the same as those in Configuring Spine Nodes.
| Spine Node | Description |
|---|---|
| vlan 2000 | Create a service VLAN. |
| # | - |
| interface Eth-Trunk1<br>description "to DCI Leaf"<br>port link-type trunk<br>undo port trunk allow-pass vlan 1<br>port trunk allow-pass vlan 2000<br>trunkport 10GE 3/0/1 to 3/0/2<br>mode lacp-static<br>dfs-group 1 m-lag 1<br>lacp timeout fast<br># | Create an Eth-Trunk and configure physical interfaces. Delete VLAN 1 from the Eth-Trunk interface. Configure the interface to allow packets from the service VLAN to pass through. |
| interface 10GE3/0/1<br>storm suppression unknown-unicast 5<br>storm suppression multicast 2<br>storm suppression broadcast 2<br>#<br>interface 10GE3/0/2<br>storm suppression unknown-unicast 5<br>storm suppression multicast 2<br>storm suppression broadcast 2<br># | Configure an interface for interconnecting with DCI Leaf1_1. Configure unknown unicast traffic suppression. The recommended value is 5%. Configure multicast traffic suppression. The recommended value is 2%. Do not configure multicast traffic suppression when multicast services are deployed across DCs. Configure broadcast traffic suppression. The recommended value is 2%. Configure an interface for interconnecting with DCI Leaf1_2. |
Configuring DCI Leaf Nodes
Configuration Summary
| No. | Configuration Task | No. | Configuration Task |
|---|---|---|---|
| Step 1 | | Step 8 | |
| Step 2 | Configure the user name and password for device maintenance and management. | Step 9 | Configure EBGP EVPN peer relationships on the overlay network. |
| Step 3 | | Step 10 | Configure interconnection links between the DCI leaf nodes and spine nodes. |
| Step 4 | | Step 11 | |
| Step 5 | | Step 12 | |
| Step 6 | | Step 13 | (Optional) Configure an ACL on the DCI leaf nodes to filter PVST BPDUs. |
| Step 7 | Configure interconnection interfaces between the DCI leaf nodes. | Step 14 | |
Procedure
- Configure basic device information and VPNs for device management.
DCI Leaf-01-01
DCI Leaf-01-02
Description
system-view immediately
system-view immediately
Enter the system view and set the immediate validation mode.
sysname DCI Leaf-01-01
sysname DCI Leaf-01-02
Name the DCI leaf nodes.
#
#
-
ip vpn-instance Management_out
ip vpn-instance Management_out
Create a dedicated out-of-band management VPN instance named Management_out.
ipv4-family
ipv4-family
route-distinguisher 15:40
route-distinguisher 16:40
ipv6-family
ipv6-family
route-distinguisher 15:40
route-distinguisher 15:40
#
#
-
interface MEth0/0/0
interface MEth0/0/0
Add MEth0/0/0 to the dedicated out-of-band management VPN instance.
ip binding vpn-instance Management_out
ip binding vpn-instance Management_out
ip address 192.168.21.20 24
ip address 192.168.21.21 24
Configure unique IP addresses for management interfaces on the devices.
ipv6 enable
ipv6 address 2001:db8:21::20/64
ipv6 enable
ipv6 address 2001:db8:21::21/64
#
#
-
ip route-static vpn-instance Management_out 10.0.0.0 255.0.0.0 192.168.21.1
ip route-static vpn-instance Management_out 10.0.0.0 255.0.0.0 192.168.21.1
Configure a static route for remote management. Do not use a default route.
ipv6 route-static vpn-instance Management_out fc00:: 64 2001:db8:21::1
ipv6 route-static vpn-instance Management_out fc00:: 64 2001:db8:21::1
#
#
-
DCI Leaf-02-01
DCI Leaf-02-02
Description
system-view immediately
system-view immediately
Enter the system view and set the immediate validation mode.
sysname DCI Leaf-02-01
sysname DCI Leaf-02-02
Name the DCI leaf nodes.
#
#
-
ip vpn-instance Management_out
ip vpn-instance Management_out
Create a dedicated out-of-band management VPN instance named Management_out.
ipv4-family
ipv4-family
route-distinguisher 17:40
route-distinguisher 18:40
ipv6-family
ipv6-family
route-distinguisher 17:40
route-distinguisher 17:40
#
#
-
interface MEth0/0/0
interface MEth0/0/0
Add MEth0/0/0 to the dedicated out-of-band management VPN instance.
ip binding vpn-instance Management_out
ip binding vpn-instance Management_out
ip address 192.168.21.22 24
ip address 192.168.21.23 24
Configure unique IP addresses for management interfaces on the devices.
ipv6 enable
ipv6 address 2001:db8:21::22/64
ipv6 enable
ipv6 address 2001:db8:21::23/64
#
#
-
ip route-static vpn-instance Management_out 10.0.0.0 255.0.0.0 192.168.21.1
ip route-static vpn-instance Management_out 10.0.0.0 255.0.0.0 192.168.21.1
Configure a static route for remote management. Do not use a default route.
ipv6 route-static vpn-instance Management_out fc00:: 64 2001:db8:21::1
ipv6 route-static vpn-instance Management_out fc00:: 64 2001:db8:21::1
#
#
-
- Configure the user name and password for device maintenance and management.
DCI Leaf Node
Description
user-interface console 0
Configure a console port login password to improve security. This configuration is mandatory.
authentication-mode password
set authentication password cipher Myrhgl@131
#
-
user-interface maximum-vty 21
Set the maximum number of VTY user interfaces to 21.
user-interface vty 0 20
-
authentication-mode aaa
Set the authentication mode to AAA.
user privilege level 3
Set the user level to 3.
protocol inbound ssh
Specify the SSH protocol to improve security.
#
-
stelnet server enable
Enable the STelnet service on an SSH server.
#
-
aaa
Enter the AAA view.
local-user huawei password irreversible-cipher Myrhgl@520
Set the local user name to huawei and password to Myrhgl@520 for an administrator to log in to and maintain the device.
local-user huawei service-type ssh
Specify the SSH protocol.
CE device running a V2 version:
local-user huawei level 3
CE device running a V3 version:
local-user huawei privilege level 3
Set the user level of the huawei user.
#
-
ssh user huawei
Create an SSH user.
ssh user huawei authentication-type password
-
ssh user huawei service-type stelnet
-
ssh server-source -i Meth0/0/0
Specify the source interface of the SSH server (for example, use the MEth interface for out-of-band management) to restrict logins and improve security.
If in-band management is used, you need to configure an in-band management interface, for example, VLANIF 4010 of a CE device running a V2 version or Loopback0 of a CE device running a V3 version.
If the device is upgraded from V200R005C20 to V200R019C10, this configuration is not required. If the device running V200R019C10 or a later version is deployed, perform this configuration.
ssh ipv6 server-source -a 2001:db8:21::22 -vpn-instance Management_out
Specify the source IP address of the SSH server to restrict logins and improve security. For out-of-band management, enter the MEth interface address and VPN instance. For in-band management, enter the IPv6 address of the in-band management interface (VLANIF 4010).
- Configure the DCI leaf nodes to connect to the NMS.
DCI Leaf Node
Description
snmp-agent
Enable the SNMP agent.
snmp-agent sys-info version v3
Set the SNMP version to SNMPv3, which must be the same as the SNMP version used by the NMS.
snmp-agent mib-view included myview iso
Configure the MIB view that can be accessed by the NMS. To ensure that the NMS can manage devices normally (for example, discovering device links based on LLDP), the MIB view must contain the iso node.
snmp-agent group v3 uhmroot privacy write-view myview notify-view myview
-
snmp-agent usm-user v3 uhmroot group dc-admin
Set the SNMPv3 user name to uhmroot, which must be the same as the security name on the NMS.
snmp-agent usm-user v3 uhmroot authentication-mode sha
Configure the authentication mode and password for the uhmroot user, which must correspond to the authentication protocol and password on the NMS.
Myrhgl12#$
-
Myrhgl12#$
-
snmp-agent usm-user v3 uhmroot privacy-mode aes128
Set the encryption mode and password of the uhmroot user, which must correspond to the privacy protocol and encryption password on the NMS.
Myrhgl12#$
-
Myrhgl12#$
-
#
-
snmp-agent trap enable
Enable the trap function for all modules. By default, the trap function of some modules is disabled.
snmp-agent trap source MEth0/0/0
Set the source interface for sending traps to MEth0/0/0.
#
-
rsa local-key-pair create
Generate a local key pair.
#
-
user-interface vty 0 4
-
authentication-mode aaa
-
protocol inbound ssh
Set the protocol type supported by VTY user interfaces to SSH.
#
-
stelnet server enable
Enable the STelnet service on an SSH server.
#
-
aaa
-
local-user client password irreversible-cipher Myrhgl@131
Create a user named client and set a password for the user, which must be the same as the STelnet user name and password used by the NMS.
CE device running a V2 version:
local-user client level 3
CE device running a V3 version:
local-user client privilege level 3
-
local-user client service-type ssh
Set the access type of the client user to SSH, which must be the same as the login protocol on the NMS.
#
-
ssh user client
Create an SSH user.
ssh user client authentication-type password
Set the authentication mode of the client user to password authentication, which must be the same as that on the NMS.
ssh user client service-type stelnet
Set the service type of the SSH user client to STelnet.
set net-manager vpn-instance Management_out
Set Management_out as the default VPN instance for the NMS to manage devices.
#
-
lldp enable
Enable LLDP.
#
-
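The management-plane rules from the steps above (MEth0/0/0 bound to the Management_out VPN instance, no default route in that VPN, SSH-only VTY lines with AAA, a pinned SSH server source, SNMPv3 with authentication and privacy) can be checked against a saved configuration. The following Python audit is an added example, not Huawei's code; it assumes the indented layout of a saved configuration, and the function names, finding codes and both sample configurations are constructed for illustration.

```python
import re

# Constructed sample in the indented layout of a saved configuration;
# values mirror the page's hardened management-plane settings.
HARDENED = """\
interface MEth0/0/0
 ip binding vpn-instance Management_out
 ip address 192.168.21.20 24
#
ip route-static vpn-instance Management_out 10.0.0.0 255.0.0.0 192.168.21.1
snmp-agent sys-info version v3
snmp-agent usm-user v3 uhmroot authentication-mode sha
snmp-agent usm-user v3 uhmroot privacy-mode aes128
ssh server-source -i MEth0/0/0
#
user-interface maximum-vty 21
user-interface vty 0 20
 authentication-mode aaa
 protocol inbound ssh
"""

# Constructed counter-example with each of those settings weakened or missing.
WEAK = """\
interface MEth0/0/0
 ip address 192.168.21.20 24
#
ip route-static vpn-instance Management_out 0.0.0.0 0.0.0.0 192.168.21.1
snmp-agent sys-info version all
snmp-agent usm-user v3 uhmroot authentication-mode sha
#
user-interface vty 0 4
 authentication-mode password
 protocol inbound all
"""


def sections(config):
    """Yield (header, children): an unindented line opens a context and the
    indented lines after it belong to that context; '#' lines are separators."""
    header, children = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0].isspace():
            children.append(line)
            continue
        if header is not None:
            yield header, children
        header, children = line, []
    if header is not None:
        yield header, children


def audit(config, mgmt_vpn="Management_out", mgmt_if="MEth0/0/0"):
    """Return sorted (code, detail) findings for the management-plane rules."""
    findings = set()
    secs = list(sections(config))
    top = [h for h, _ in secs]

    bound = False
    for header, kids in secs:
        if re.match(r"user-interface vty\b", header):
            if "authentication-mode aaa" not in kids:
                findings.add(("VTY-AUTH", header))
            if "protocol inbound ssh" not in kids:
                findings.add(("VTY-PROTO", header))
        if header.lower() == f"interface {mgmt_if}".lower():
            bound = f"ip binding vpn-instance {mgmt_vpn}" in kids
    if not bound:
        findings.add(("MGMT-VRF", mgmt_if))

    # "Do not use a default route" in the management VPN (IPv4 or IPv6).
    default = re.compile(
        rf"ip(v6)? route-static vpn-instance {re.escape(mgmt_vpn)} "
        r"(0\.0\.0\.0 (0\.0\.0\.0|0)|:: 0)\s")
    findings.update(("MGMT-DEFAULT-ROUTE", h) for h in top if default.match(h))

    # SSH server must be pinned to a source interface (-i) or address (-a).
    # The page exempts devices upgraded from V200R005C20 to V200R019C10.
    if not any(re.match(r"ssh (ipv6 )?server-source -[ia] ", h) for h in top):
        findings.add(("SSH-SOURCE", "ssh server-source not set"))

    # SNMPv3 only, and every USM user needs both authentication and privacy.
    users = {}
    for h in top:
        m = re.match(r"snmp-agent sys-info version (.+)", h)
        if m and m.group(1).split() != ["v3"]:
            findings.add(("SNMP-VERSION", h))
        m = re.match(r"snmp-agent usm-user v3 (\S+) (\S+)", h)
        if m:
            users.setdefault(m.group(1), set()).add(m.group(2))
    for user, attrs in users.items():
        if not {"authentication-mode", "privacy-mode"} <= attrs:
            findings.add(("SNMP-NOAUTHPRIV", user))
    return sorted(findings)
```

`audit(HARDENED)` returns an empty list, while `audit(WEAK)` returns one finding per weakened setting, each carrying the offending line or user name.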
- Configure VXLAN optimization commands.
Before configuring VXLAN on a CE device, configure VXLAN optimization commands, service loopback, and a reserved VLAN for a Layer 3 interface based on the device model to ensure stable service running.
- For the CE16800 (with P series cards), CE6866, CE6866K, CE8851, and CE8851K running a V3 version:
DCI Leaf Node
Description
vxlan tunnel-status track exact-route
Enable subscription to the status of the exact route to the VXLAN tunnel destination to optimize network convergence performance.
- For the CE16800 (with G series cards), CE6881, CE6881E, CE6881K, CE6863, CE6863E, and CE6863K running a V2 version:
DCI Leaf Node
Description
Remarks
system resource large-route
Set the system resource mode to the large-route mode. This configuration takes effect after the device is restarted.
-
vxlan tunnel-status track exact-route
Enable subscription to the status of the exact route to the VXLAN tunnel destination to optimize network convergence performance.
-
port high-performance mode { mode1 | mode2 | mode3 | mode4 | mode5 }
(Optional) When the CE6863, CE6863E, or CE6863K is used, configure the high-performance mode of the device to adjust the bandwidth of internal interconnection interfaces.
Configuration suggestion: When four or more 100GE uplink interfaces (two for each chip) are deployed, configure mode2 to adjust the bandwidth of internal interconnection interfaces to 400 Gbit/s. In this case, interfaces 21 to 28 are unavailable.
If the 400 Gbit/s bandwidth does not meet requirements, you can configure mode3/4/5 to adjust the bandwidth of internal interconnection interfaces to 450 Gbit/s to 600 Gbit/s. In this case, more physical interfaces are unavailable.
This configuration is required only on the CE6863, CE6863E, and CE6863K.
- For the CE12800 and CE16800 (with A series cards) running a V2 version:
DCI Leaf Node
Description
Remarks
assign forward nvo3 acl extend enable
Enable the NVO3 ACL extension function to optimize ACL resources in VXLAN scenarios. This configuration takes effect after the device is restarted.
-
set forward capability enhanced
Set the card interoperability mode to enhanced mode. This configuration takes effect after the device is restarted.
This configuration is required only on the CE12800.
set serdes capability enhanced
Set the SerDes rate mode to enhanced mode. This configuration takes effect after the device is restarted.
This configuration is required only on the CE12800.
assign forward nvo3 anycast-gateway extend enable
Enable the distributed gateway extension function on the device that does not need to learn network-side ARP or ND entries.
-
assign forward nvo3 evpn mac-address move disable
Disable static MAC address migration in EVPN. After this configuration is performed, the device cannot connect to compute servers.
-
assign forward nvo3 eth-trunk hash enable
Enable the LAG hash mode when the device is connected to the M-LAG of spine nodes.
This configuration is required when IPv6 is used.
vxlan tunnel-status track exact-route
Enable subscription to the status of the exact route to the VXLAN tunnel destination to optimize network convergence performance.
-
- For the CE6857EI, CE6857E, CE6857F, CE6865EI, CE6865E, CE8861, and CE8868 running a V2 version:
DCI Leaf Node
Description
system resource standard
Set the system resource mode to the standard mode, which is the default mode.
This configuration takes effect after the device is restarted.
BorderLeaf + ServiceLeaf + ServerLeaf
assign forward layer-3 resource large-overlay
Set the Layer 3 resource allocation mode to the large-overlay mode so that the device supports a larger number of VXLAN overlay entries.
This configuration takes effect after the device is restarted.
BorderLeaf + ServiceLeaf + ServerLeaf
assign forward ipv6 longer-mask resource share-mode
Set the resource allocation mode of IPv6 addresses or IPv6 routes with the prefix length greater than 64 bits and less than 128 bits to the shared mode. In this mode, IPv4 addresses/IPv4 routes and IPv6 addresses/IPv6 routes share chip resources.
This configuration takes effect after the device is restarted.
BorderLeaf + ServiceLeaf + ServerLeaf
vxlan tunnel-status track exact-route
Enable subscription to the status of the exact route to the VXLAN tunnel destination to optimize network convergence performance.
BorderLeaf + ServiceLeaf + ServerLeaf
vlan reserved for main-interface 4047 to 4062
Configure reserved VLANs for Layer 3 main interfaces. For leaf devices, 16 VLANs are planned, for example, VLANs 4047 to 4062. For spine devices, 63 VLANs are planned, for example, VLANs 4000 to 4062.
All
- Configure an IP address of an NVE node and a DFS group.
- For a CE device running a V2 version:
DCI Leaf-01-01
DCI Leaf-01-02
Description
interface LoopBack0
description VTEP
ip address 10.88.21.43 255.255.255.255
#
interface LoopBack0
description VTEP
ip address 10.88.21.43 255.255.255.255
#
Configure the IP address of Loopback0 as the VTEP IP address. The IP addresses of the two devices that establish an M-LAG must be the same.
interface Nve1
source 10.88.21.43
mac-address 0000-5e00-0101
#
interface Nve1
source 10.88.21.43
mac-address 0000-5e00-0101
#
Configure NVE interfaces on the devices. The IP addresses and MAC addresses of NVE interfaces on the two devices that establish an M-LAG must be the same. In a distributed gateway scenario, when active-active VXLAN gateways are deployed and work in loopback mode, NVE interfaces in different M-LAGs on the network must be configured with different MAC addresses.
The MAC address range configured for NVE interfaces varies depending on the device model, which will be described later in this section.
interface LoopBack1
description DFS-GROUP/ROUTER-ID
ip address 10.88.21.41 255.255.255.255
#
interface LoopBack1
description DFS-GROUP/ROUTER-ID
ip address 10.88.21.42 255.255.255.255
#
Configure an IP address for Loopback1. The IP address is used as the router ID and DFS group address, and Loopback1 is used as the source interface for establishing a BGP EVPN peer relationship.
dfs-group 1
priority 150
source ip 10.88.21.41
#
dfs-group 1
priority 100
source ip 10.88.21.42
#
Configure a DFS group.
Set the priority of the DFS group. The default value is 100.
Configure the IP address of the DFS group.
DCI Leaf-02-01
DCI Leaf-02-02
Description
interface LoopBack0
description VTEP
ip address 10.88.21.46 255.255.255.255
#
interface LoopBack0
description VTEP
ip address 10.88.21.46 255.255.255.255
#
Configure the IP address of Loopback0 as the VTEP IP address. The IP addresses of the two devices that establish an M-LAG must be the same.
interface Nve1
source 10.88.21.46
mac-address 0000-5e00-0102
#
interface Nve1
source 10.88.21.46
mac-address 0000-5e00-0102
#
Configure NVE interfaces on the devices. The IP addresses and MAC addresses of NVE interfaces on the two devices that establish an M-LAG must be the same. In a distributed gateway scenario, when active-active VXLAN gateways are deployed and work in loopback mode, NVE interfaces in different M-LAGs on the network must be configured with different MAC addresses.
The MAC address range configured for NVE interfaces varies depending on the device model, which will be described later in this section.
interface LoopBack1
description DFS-GROUP/ROUTER-ID
ip address 10.88.21.44 255.255.255.255
#
interface LoopBack1
description DFS-GROUP/ROUTER-ID
ip address 10.88.21.45 255.255.255.255
#
Configure an IP address for Loopback1. The IP address is used as the router ID and DFS group address, and Loopback1 is used as the source interface for establishing a BGP EVPN peer relationship.
dfs-group 1
priority 150
source ip 10.88.21.44
consistency-check enable mode loose
#
dfs-group 1
priority 100
source ip 10.88.21.45
consistency-check enable mode loose
#
Configure a DFS group.
Set the priority of the DFS group. The default value is 100.
Configure the IP address of the DFS group.
Enable M-LAG configuration consistency check in loose mode.
- For a CE device running a V3 version (compared with a CE device running a V2 version, the bypass VXLAN and DFS group pairing authentication configurations are added):
DCI Leaf-01-01
DCI Leaf-01-02
Description
interface LoopBack0
description VTEP
ip address 10.88.21.43 255.255.255.255
#
interface LoopBack0
description VTEP
ip address 10.88.21.43 255.255.255.255
#
Configure the IP address of Loopback0 as the VTEP IP address. The IP addresses of the two devices that establish an M-LAG must be the same.
interface Nve1
source 10.88.21.43
mac-address 0000-5e00-0101
#
interface Nve1
source 10.88.21.43
mac-address 0000-5e00-0101
#
Configure NVE interfaces on the devices. The IP addresses and MAC addresses of NVE interfaces on the two devices that establish an M-LAG must be the same. In a distributed gateway scenario, when active-active VXLAN gateways are deployed and work in loopback mode, NVE interfaces in different M-LAGs on the network must be configured with different MAC addresses.
The MAC address range configured for NVE interfaces varies depending on the device model, which will be described later in this section.
interface LoopBack1
description DFS-GROUP/ROUTER-ID
ip address 10.88.21.41 255.255.255.255
#
interface LoopBack1
description DFS-GROUP/ROUTER-ID
ip address 10.88.21.42 255.255.255.255
#
Configure an IP address for Loopback1. The IP address is used as the router ID and DFS group address, and Loopback1 is used as the source interface for establishing a BGP EVPN peer relationship.
interface LoopBack2
description bypass-vxlan-tunnel
ip address 10.125.97.1 255.255.255.255
#
interface LoopBack2
description bypass-vxlan-tunnel
ip address 10.125.97.2 255.255.255.255
#
Configure the IP address of Loopback2 as the source IPv4 address of the static bypass VXLAN tunnel.
dfs-group 1
priority 150
dual-active detection source ip 10.88.21.41 peer 10.88.21.42
authentication-mode hmac-sha256 password Myrhgl@1314
consistency-check enable mode loose
#
dfs-group 1
priority 100
dual-active detection source ip 10.88.21.42 peer 10.88.21.41
authentication-mode hmac-sha256 password Myrhgl@1314
consistency-check enable mode loose
#
Configure a DFS group.
Set the priority of the DFS group. The default value is 100.
Configure the IP address of the DFS group.
Configure the authentication mode and password for DFS group synchronization packets.
Enable M-LAG configuration consistency check in loose mode.
vlan 100
m-lag peer-link reserved
#
vlan 100
m-lag peer-link reserved
#
Configure a VLAN for the static bypass VXLAN tunnel. This VLAN cannot be allocated to other services.
Only peer-link interfaces can be added to the VLAN to prevent loops.
interface vlanif 100
reserved for vxlan bypass
ip address 10.10.10.9 30
#
interface vlanif 100
reserved for vxlan bypass
ip address 10.10.10.10 30
#
Configure the IPv4 address of the VLANIF interface corresponding to the peer-link interface to be used only by the bypass VXLAN tunnel.
Configure the interconnection address for devices in the M-LAG.
ip route-static 10.125.97.2 32 10.10.10.10 preference 1
ip route-static 10.125.97.1 32 10.10.10.9 preference 1
Configure a static route to enable connectivity of the bypass VXLAN tunnel. The outbound interface of the next hop in the static route must be a peer-link interface.
interface nve 1
pip-source 10.125.97.1 peer 10.125.97.2 bypass
#
interface nve 1
pip-source 10.125.97.2 peer 10.125.97.1 bypass
#
Create a static bypass VXLAN tunnel and specify the source and peer IP addresses.
DCI Leaf-02-01
DCI Leaf-02-02
Description
interface LoopBack0
description VTEP
ip address 10.88.21.46 255.255.255.255
#
interface LoopBack0
description VTEP
ip address 10.88.21.46 255.255.255.255
#
Configure the IP address of Loopback0 as the VTEP IP address. The IP addresses of the two devices that establish an M-LAG must be the same.
interface Nve1
source 10.88.21.46
mac-address 0000-5e00-0102
#
interface Nve1
source 10.88.21.46
mac-address 0000-5e00-0102
#
Configure NVE interfaces on the devices. The IP addresses and MAC addresses of NVE interfaces on the two devices that establish an M-LAG must be the same. In a distributed gateway scenario, when active-active VXLAN gateways are deployed and work in loopback mode, NVE interfaces in different M-LAGs on the network must be configured with different MAC addresses.
The MAC address range configured for NVE interfaces varies depending on the device model, which will be described later in this section.
interface LoopBack1
description DFS-GROUP/ROUTER-ID
ip address 10.88.21.44 255.255.255.255
#
interface LoopBack1
description DFS-GROUP/ROUTER-ID
ip address 10.88.21.45 255.255.255.255
#
Configure an IP address for Loopback1. The IP address is used as the router ID and DFS group address, and Loopback1 is used as the source interface for establishing a BGP EVPN peer relationship.
interface LoopBack2
description bypass-vxlan-tunnel
ip address 10.125.98.1 255.255.255.255
#
interface LoopBack2
description bypass-vxlan-tunnel
ip address 10.125.98.2 255.255.255.255
#
Configure the IP address of Loopback2 as the source IPv4 address of the static bypass VXLAN tunnel.
dfs-group 1
priority 150
dual-active detection source ip 10.88.21.44 peer 10.88.21.45
authentication-mode hmac-sha256 password Myrhgl@1314
#
dfs-group 1
priority 100
dual-active detection source ip 10.88.21.45 peer 10.88.21.44
authentication-mode hmac-sha256 password Myrhgl@1314
#
Configure a DFS group.
Set the priority of the DFS group. The default value is 100.
Configure the IP address of the DFS group.
Configure the authentication mode and password for DFS group synchronization packets.
vlan 100
m-lag peer-link reserved
#
vlan 100
m-lag peer-link reserved
#
Configure a VLAN for the static bypass VXLAN tunnel. This VLAN cannot be allocated to other services.
Only peer-link interfaces can be added to the VLAN to prevent loops.
interface vlanif 100
reserved for vxlan bypass
ip address 10.10.9.9 30
#
interface vlanif 100
reserved for vxlan bypass
ip address 10.10.9.10 30
#
Configure the IPv4 address of the VLANIF interface corresponding to the peer-link interface to be used only by the bypass VXLAN tunnel.
Configure the interconnection address for devices in the M-LAG.
ip route-static 10.125.98.2 32 10.10.9.10 preference 1
ip route-static 10.125.98.1 32 10.10.9.9 preference 1
Configure a static route to enable connectivity of the bypass VXLAN tunnel. The outbound interface of the next hop in the static route must be a peer-link interface.
interface nve 1
pip-source 10.125.98.1 peer 10.125.98.2 bypass
#
interface nve 1
pip-source 10.125.98.2 peer 10.125.98.1 bypass
#
Create a static bypass VXLAN tunnel and specify the source and peer IP addresses.
The MAC address range configured for NVE interfaces varies depending on the device model.
- For a fixed switch running a V2 version, see mac-address (NVE interface view) in the product documentation.
- For a CE12800 series switch running a V2 version, see mac-address (NVE interface view) in the product documentation.
- For a CE16800 series switch running a V2 version, see mac-address (NVE interface view) in the product documentation.
- For a fixed switch running a V3 version, see mac-address (NVE interface view) in the product documentation.
- For a CE16800 series switch running a V3 version, see mac-address (NVE interface view) in the product documentation.
- Configure M-LAG globally.
DCI Leaf Node
Description
stp tc-protection
Enable TC BPDU attack defense.
stp mode rstp
Configure the working mode as RSTP. RSTP should be configured before the V-STP mode is configured.
stp v-stp enable
Configure the M-LAG in V-STP mode on the DCI leaf nodes.
#
-
interface Eth-Trunk0
Create an Eth-Trunk for the peer-link.
trunkport 40GE 1/0/1 to 1/0/2
Deploy the peer-link on multiple links. If multiple cards are installed on the switch, the peer-link must be deployed on different cards. When the interfaces on a card are of different types, configure port speed decrease or bundle interfaces at different rates. (To bundle interfaces, run the lacp mixed-rate link enable command to forward packets after the interfaces are added to an Eth-Trunk interface in LACP mode, and run the distribute-weight command to configure the weight of load sharing for a member interface.)
mode lacp-static
-
peer-link 1
-
port vlan exclude 1
Perform this step only on a device running a V3 version.
Configure the peer-link interface not to allow packets from VLAN 1 to pass through.
#
-
- Configure interconnection interfaces between the DCI leaf nodes.
DCI Leaf-01-01
DCI Leaf-01-02
Description
interface 40GE1/0/3
description "to DCI Leaf2_1"
undo portswitch
ip address 10.125.2.1 255.255.255.252
#
interface 40GE1/0/3
description "to DCI Leaf2_1"
undo portswitch
ip address 10.125.2.9 255.255.255.252
#
Configure an interface for interconnecting with DCI Leaf2_1.
interface 40GE1/0/4
description "to DCI Leaf2_2"
undo portswitch
ip address 10.125.2.5 255.255.255.252
#
interface 40GE1/0/4
description "to DCI Leaf2_2"
undo portswitch
ip address 10.125.2.13 255.255.255.252
#
Configure an interface for interconnecting with DCI Leaf2_2.
interface Eth-Trunk2
trunkport 40GE 1/0/5 to 1/0/6
undo portswitch
ip address 10.125.2.17 255.255.255.252
mode lacp-static
#
interface Eth-Trunk2
trunkport 40GE 1/0/5 to 1/0/6
undo portswitch
ip address 10.125.2.18 255.255.255.252
mode lacp-static
#
Configure interconnection interfaces between DCI Leaf1 nodes.
DCI Leaf-02-01
DCI Leaf-02-02
Description
interface 40GE1/0/3
description "to DCI Leaf1_1"
undo portswitch
ip address 10.125.2.2 255.255.255.252
#
interface 40GE1/0/3
description "to DCI Leaf1_1"
undo portswitch
ip address 10.125.2.6 255.255.255.252
#
Configure an interface for interconnecting with DCI Leaf1_1.
interface 40GE1/0/4
description "to DCI Leaf1_2"
undo portswitch
ip address 10.125.2.10 255.255.255.252
#
interface 40GE1/0/4
description "to DCI Leaf1_2"
undo portswitch
ip address 10.125.2.14 255.255.255.252
#
Configure an interface for interconnecting with DCI Leaf1_2.
interface Eth-Trunk2
trunkport 40GE 1/0/5 to 1/0/6
undo portswitch
ip address 10.125.2.21 255.255.255.252
mode lacp-static
#
interface Eth-Trunk2
trunkport 40GE 1/0/5 to 1/0/6
undo portswitch
ip address 10.125.2.22 255.255.255.252
mode lacp-static
#
Configure interconnection interfaces between DCI Leaf2 nodes.
- Configure EBGP routes on the underlay network.
DCI Leaf-01-01
DCI Leaf-01-02
Description
bfd
#
bfd
#
Enable BFD globally.
bgp 65001
router-id 10.88.21.41
bgp 65001
router-id 10.88.21.42
-
advertise lowest-priority all-address-family peer-up delay 360
advertise lowest-priority all-address-family peer-up delay 360
When the peer status changes from Down to Up, the priority of BGP routes is changed to be the lowest. Route advertisement is delayed to prevent packet loss during traffic switchback.
peer 10.125.2.2 as-number 65002
peer 10.125.2.2 bfd min-tx-interval 300 min-rx-interval 300 detect-multiplier 6
peer 10.125.2.2 bfd enable
peer 10.125.2.6 as-number 65002
peer 10.125.2.6 bfd min-tx-interval 300 min-rx-interval 300 detect-multiplier 6
peer 10.125.2.6 bfd enable
peer 10.125.2.10 as-number 65002
peer 10.125.2.10 bfd min-tx-interval 300 min-rx-interval 300 detect-multiplier 6
peer 10.125.2.10 bfd enable
peer 10.125.2.14 as-number 65002
peer 10.125.2.14 bfd min-tx-interval 300 min-rx-interval 300 detect-multiplier 6
peer 10.125.2.14 bfd enable
Establish an EBGP peer relationship with DCI Leaf2_1.
Configure BFD. Set the interval for receiving or sending BFD packets to 300 ms and the detection multiplier to 6 only when all devices in the networking support hardware-based BFD. In other scenarios, retain default values of BFD parameters. That is, the interval for receiving or sending BFD packets is 1000 ms and the detection multiplier is 3.
Establish an EBGP peer relationship with DCI Leaf2_2.
peer 10.125.2.18 as-number 65001
peer 10.125.2.18 bfd min-tx-interval 300 min-rx-interval 300 detect-multiplier 6
peer 10.125.2.18 bfd enable
#
peer 10.125.2.17 as-number 65001
peer 10.125.2.17 bfd min-tx-interval 300 min-rx-interval 300 detect-multiplier 6
peer 10.125.2.17 bfd enable
#
Establish an IBGP peer relationship between DCI Leaf1_1 and DCI Leaf1_2.
ipv4-family unicast
network 10.88.21.41 255.255.255.255
network 10.88.21.43 255.255.255.255
maximum load-balancing 2
peer 10.125.2.2 enable
peer 10.125.2.6 enable
peer 10.125.2.18 enable
#
ipv4-family unicast
network 10.88.21.42 255.255.255.255
network 10.88.21.43 255.255.255.255
maximum load-balancing 2
peer 10.125.2.10 enable
peer 10.125.2.14 enable
peer 10.125.2.17 enable
#
Advertise the DFS group address and address of the interface for establishing an EVPN peer relationship.
Advertise the VTEP IP address. (For a CE device running a V3 version, the loopback address used to establish a bypass tunnel is not advertised.)
DCI Leaf-02-01
DCI Leaf-02-02
Description
bfd
#
bfd
#
Enable BFD globally.
bgp 65002
router-id 10.88.21.44
bgp 65002
router-id 10.88.21.45
-
advertise lowest-priority all-address-family peer-up delay 360
advertise lowest-priority all-address-family peer-up delay 360
When the peer status changes from Down to Up, the priority of BGP routes is changed to be the lowest. Route advertisement is delayed to prevent packet loss during traffic switchback.
peer 10.125.2.1 as-number 65001
peer 10.125.2.1 bfd min-tx-interval 300 min-rx-interval 300 detect-multiplier 6
peer 10.125.2.1 bfd enable
peer 10.125.2.9 as-number 65001
peer 10.125.2.9 bfd min-tx-interval 300 min-rx-interval 300 detect-multiplier 6
peer 10.125.2.9 bfd enable
peer 10.125.2.5 as-number 65001
peer 10.125.2.5 bfd min-tx-interval 300 min-rx-interval 300 detect-multiplier 6
peer 10.125.2.5 bfd enable
peer 10.125.2.13 as-number 65001
peer 10.125.2.13 bfd min-tx-interval 300 min-rx-interval 300 detect-multiplier 6
peer 10.125.2.13 bfd enable
Establish an EBGP peer relationship with DCI Leaf1_1.
Configure BFD. Set the interval for receiving or sending BFD packets to 300 ms and the detection multiplier to 6 only when all devices in the networking support hardware-based BFD. In other scenarios, retain default values of BFD parameters. That is, the interval for receiving or sending BFD packets is 1000 ms and the detection multiplier is 3.
Establish an EBGP peer relationship with DCI Leaf1_2.
peer 10.125.2.22 as-number 65002
peer 10.125.2.22 bfd min-tx-interval 300 min-rx-interval 300 detect-multiplier 6
peer 10.125.2.22 bfd enable
#
peer 10.125.2.21 as-number 65002
peer 10.125.2.21 bfd min-tx-interval 300 min-rx-interval 300 detect-multiplier 6
peer 10.125.2.21 bfd enable
#
Establish an IBGP peer relationship between DCI Leaf2_1 and DCI Leaf2_2.
ipv4-family unicast
network 10.88.21.44 255.255.255.255
network 10.88.21.46 255.255.255.255
maximum load-balancing 2
peer 10.125.2.1 enable
peer 10.125.2.9 enable
peer 10.125.2.22 enable
#
ipv4-family unicast
network 10.88.21.45 255.255.255.255
network 10.88.21.46 255.255.255.255
maximum load-balancing 2
peer 10.125.2.5 enable
peer 10.125.2.13 enable
peer 10.125.2.21 enable
#
Advertise the DFS group address and address of the interface for establishing an EVPN peer relationship.
Advertise the VTEP IP address. (For a device running a V3 version, the loopback address used to establish a bypass tunnel is not advertised.)
- Configure EBGP EVPN peer relationships on the overlay network.
DCI Leaf-01-01
DCI Leaf-01-02
Description
evpn-overlay enable
evpn-overlay enable
Enable EVPN as the VXLAN control plane.
bgp 1001 instance overlay
router-id 10.88.21.41
peer 10.88.21.44 as-number 1002
peer 10.88.21.44 ebgp-max-hop 2
peer 10.88.21.44 connect-interface LoopBack1
peer 10.88.21.45 as-number 1002
peer 10.88.21.45 ebgp-max-hop 2
peer 10.88.21.45 connect-interface LoopBack1
#
bgp 1001 instance overlay
router-id 10.88.21.42
peer 10.88.21.44 as-number 1002
peer 10.88.21.44 ebgp-max-hop 2
peer 10.88.21.44 connect-interface LoopBack1
peer 10.88.21.45 as-number 1002
peer 10.88.21.45 ebgp-max-hop 2
peer 10.88.21.45 connect-interface LoopBack1
#
Establish an EVPN EBGP peer relationship with DCI Leaf2_1.
When loopback interfaces are used to establish an EBGP EVPN peer relationship, the maximum number of hops must be greater than or equal to 2. If DCI leaf nodes are not directly connected, adjust the parameter settings based on site requirements.
Establish an EVPN EBGP peer relationship with DCI Leaf2_2.
l2vpn-family evpn
policy vpn-target
peer 10.88.21.44 enable
peer 10.88.21.44 advertise irb
peer 10.88.21.45 enable
peer 10.88.21.45 advertise irb
#
l2vpn-family evpn
policy vpn-target
peer 10.88.21.44 enable
peer 10.88.21.44 advertise irb
peer 10.88.21.45 enable
peer 10.88.21.45 advertise irb
#
Configure IRB route advertisement to BGP EVPN peers.
DCI Leaf-02-01
DCI Leaf-02-02
Description
evpn-overlay enable
evpn-overlay enable
Enable EVPN as the VXLAN control plane.
bgp 1002 instance overlay
router-id 10.88.21.44
peer 10.88.21.41 as-number 1001
peer 10.88.21.41 ebgp-max-hop 2
peer 10.88.21.41 connect-interface LoopBack1
peer 10.88.21.42 as-number 1001
peer 10.88.21.42 ebgp-max-hop 2
peer 10.88.21.42 connect-interface LoopBack1
#
bgp 1002 instance overlay
router-id 10.88.21.45
peer 10.88.21.41 as-number 1001
peer 10.88.21.41 ebgp-max-hop 2
peer 10.88.21.41 connect-interface LoopBack1
peer 10.88.21.42 as-number 1001
peer 10.88.21.42 ebgp-max-hop 2
peer 10.88.21.42 connect-interface LoopBack1
#
Establish an EVPN EBGP peer relationship with DCI Leaf1_1.
When loopback interfaces are used to establish an EBGP EVPN peer relationship, the maximum number of hops must be greater than or equal to 2. If DCI leaf nodes are not directly connected, adjust the parameter settings based on site requirements.
Establish an EVPN EBGP peer relationship with DCI Leaf1_2.
l2vpn-family evpn
policy vpn-target
peer 10.88.21.41 enable
peer 10.88.21.41 advertise irb
peer 10.88.21.42 enable
peer 10.88.21.42 advertise irb
#
l2vpn-family evpn
policy vpn-target
peer 10.88.21.41 enable
peer 10.88.21.41 advertise irb
peer 10.88.21.42 enable
peer 10.88.21.42 advertise irb
#
Configure IRB route advertisement to BGP EVPN peers.
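The overlay peer settings in the two tables above can be checked mechanically before a change window. The following audit is an added example, not part of the original guide or vendor tooling; the function name `audit_overlay`, the finding strings and the sample text (built from the DCI Leaf-02-01 column with two lines deliberately removed) are assumptions of this example.

```python
import re

# Constructed sample: the page's DCI Leaf-02-01 overlay config with two deliberate
# omissions for peer 10.88.21.42 (no ebgp-max-hop, no advertise irb).
SAMPLE = """\
bgp 1002 instance overlay
 router-id 10.88.21.44
 peer 10.88.21.41 as-number 1001
 peer 10.88.21.41 ebgp-max-hop 2
 peer 10.88.21.41 connect-interface LoopBack1
 peer 10.88.21.42 as-number 1001
 peer 10.88.21.42 connect-interface LoopBack1
 #
 l2vpn-family evpn
  policy vpn-target
  peer 10.88.21.41 enable
  peer 10.88.21.41 advertise irb
  peer 10.88.21.42 enable
#
"""
PEER = re.compile(r"peer (\S+) (as-number|ebgp-max-hop|connect-interface|enable|advertise) ?(\S*)")

def audit_overlay(config):
    """Return sorted (peer, finding) tuples for the 'bgp <as> instance <name>' section."""
    local_as, in_evpn, peers = None, False, {}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"bgp (\d+)(?: instance \S+)?$", line):
            # Only the overlay instance is audited; a plain "bgp <as>" (underlay) is skipped.
            local_as, in_evpn = (m[1] if "instance" in line else None), False
        elif re.match(r"\S+-family\b", line):
            in_evpn = line == "l2vpn-family evpn"
        elif local_as and (m := PEER.match(line)):
            ip, key, val = m.groups()
            # Assumption: a bare "ebgp-max-hop" means the VRP default of 255 hops.
            val = val or ("255" if key == "ebgp-max-hop" else "yes")
            peers.setdefault(ip, {})[("evpn-" if in_evpn else "") + key] = val
    findings = []
    for ip, p in peers.items():
        ebgp = p.get("as-number") != local_as
        loopback = p.get("connect-interface", "").lower().startswith("loopback")
        if ebgp and loopback and int(p.get("ebgp-max-hop", 1)) < 2:
            findings.append((ip, "ebgp-max-hop below 2 on a loopback EBGP session"))
        if "evpn-enable" not in p:
            findings.append((ip, "not enabled in l2vpn-family evpn"))
        if p.get("evpn-advertise") != "irb":
            findings.append((ip, "advertise irb missing"))
    return sorted(findings)
```

`audit_overlay(SAMPLE)` returns two findings for peer 10.88.21.42 and an empty list once both missing lines are restored.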
- Configure interconnection links between the DCI leaf nodes and spine nodes.
DCI Leaf Node
Description
interface Eth-Trunk1
description "to Spine"
port link-type trunk
undo port trunk allow-pass vlan 1
trunkport 10GE 1/0/1 to 1/0/2
mode lacp-static
dfs-group 1 m-lag 1
lacp timeout fast
#
Create an Eth-Trunk and configure physical interfaces.
Delete VLAN 1 from the Eth-Trunk.
interface 10GE1/0/1
storm suppression unknown-unicast 5
storm suppression multicast 2
storm suppression broadcast 2
#
interface 10GE1/0/2
storm suppression unknown-unicast 5
storm suppression multicast 2
storm suppression broadcast 2
#
Create an interface for interconnecting with Spine1.
Configure unknown unicast traffic suppression. The recommended value is 5%.
Configure multicast traffic suppression. The recommended value is 2%. Do not configure multicast traffic suppression when multicast services are deployed across DCs.
Configure broadcast traffic suppression. The recommended value is 2%.
Create an interface for interconnecting with Spine2.
Configure unknown unicast traffic suppression. The recommended value is 5%.
Configure multicast traffic suppression. The recommended value is 2%. Do not configure multicast traffic suppression when multicast services are deployed across DCs.
Configure broadcast traffic suppression. The recommended value is 2%.
- Configure VXLAN access at Layer 2.
DCI Leaf Node
Description
bridge-domain 5001
vxlan vni 1000
evpn
route-distinguisher 10:1000
vpn-target 0:1000 export-extcommunity
vpn-target 0:1000 import-extcommunity
#
Configure a BD.
interface Eth-Trunk1.2000 mode l2
encapsulation dot1q vid 2000
bridge-domain 5001
#
Configure a Layer 2 sub-interface.
Configure the same service VLAN as that of the spine nodes.
interface Nve1
vni 1000 head-end peer-list protocol bgp
#
Configure an ingress replication list.
- Set the aging time of MAC address entries to 30 minutes.
DCI Leaf Node
Description
mac-address aging-time 1800
#
Set the aging time of MAC address entries to 30 minutes to prevent a large number of routes on the VXLAN network from being repeatedly withdrawn and learned (which affects network processing performance) due to entry flapping on other networks.
- Configure an ACL on the DCI leaf nodes to filter PVST BPDUs. When a DC configured with PVST+ or other non-STP spanning tree protocols is connected, perform this configuration to prevent BPDUs from being flooded to the remote DC.
DCI Leaf Node
Description
acl number 4000
rule 5 deny destination-mac 0100-0ccc-cccd
rule 10 permit
#
Reject PVST BPDUs.
interface Eth-Trunk1
traffic-filter acl 4000 inbound
#
Configure packet filtering on the access interface.
- Configure CRC and disable unused interfaces.
DCI Leaf-01-01
DCI Leaf-01-02
Description
port-group group-member 10ge 1/0/3 to 10ge 1/0/48
port-group group-member 10ge 1/0/3 to 10ge 1/0/48
Create a temporary port group and add the unused physical interfaces to the port group.
shutdown
shutdown
Shut down the interfaces.
stp instance 0 cost 10000
stp instance 0 cost 10000
Increase the STP cost.
port link-type trunk
port link-type trunk
-
undo port trunk allow-pass vlan 1
undo port trunk allow-pass vlan 1
Delete VLAN 1 from the Eth-Trunk interface.
#
#
-
port-group group-member 40ge 1/0/1 to 40ge 1/0/6
port-group group-member 40ge 1/0/1 to 40ge 1/0/6
Create a temporary port group. CRC error detection needs to be configured for all interfaces.
trap-threshold crc-statistics 100 interval 10
trap-threshold crc-statistics 100 interval 10
Set the alarm threshold of CRC error packets to 100 and the alarm interval to 10s.
port crc-statistics trigger error-down
port crc-statistics trigger error-down
Configure the interface to enter the Error-Down state when the number of received CRC error packets exceeds the threshold. In this way, services can be switched to the backup link in a timely manner, ensuring reliable data transmission.
#
#
-
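The Layer 2 containment settings from the interconnection and ACL steps (VLAN 1 removed from the spine-facing Eth-Trunk, storm suppression on each member interface, and the PVST BPDU filter applied inbound) are easy to lose on one member port or to define without applying. The following check is an added example, not part of the original guide; `audit_interconnect`, `stanzas`, the finding strings and the sample config (assembled from this page's snippets with two deliberate gaps) are assumptions of this example.

```python
import re

# Constructed sample assembled from this page's DCI leaf snippets. Two gaps are
# deliberate: ACL 4000 is never applied, and 10GE1/0/2 lacks broadcast suppression.
SAMPLE = """\
acl number 4000
 rule 5 deny destination-mac 0100-0ccc-cccd
 rule 10 permit
#
interface Eth-Trunk1
 undo port trunk allow-pass vlan 1
 trunkport 10GE 1/0/1 to 1/0/2
#
interface 10GE1/0/1
 storm suppression unknown-unicast 5
 storm suppression multicast 2
 storm suppression broadcast 2
#
interface 10GE1/0/2
 storm suppression unknown-unicast 5
 storm suppression multicast 2
#
"""
RECOMMENDED = {"unknown-unicast": 5, "multicast": 2, "broadcast": 2}  # percent, per the page

def stanzas(config):
    """Split the config on '#' lines into {first line: [remaining lines]}."""
    blocks = ([l.strip() for l in b.splitlines() if l.strip()] for b in re.split(r"(?m)^#\s*$", config))
    return {b[0]: b[1:] for b in blocks if b}

def audit_interconnect(config, trunk="Eth-Trunk1", multicast_across_dcs=False):
    """Return findings; flagging values above the recommendation is this example's assumption."""
    cfg, findings = stanzas(config), []
    body = cfg.get(f"interface {trunk}", [])
    if "undo port trunk allow-pass vlan 1" not in body:
        findings.append(f"{trunk}: VLAN 1 not removed")
    acls = [h.split()[-1] for h, rules in cfg.items() if h.startswith("acl number ")
            and any("0100-0ccc-cccd" in r and " deny " in r for r in rules)]  # PVST BPDU MAC
    if not any(f"traffic-filter acl {n} inbound" in body for n in acls):
        findings.append(f"{trunk}: no inbound ACL denying PVST BPDUs")
    members = re.search(r"trunkport (\S+) (\d+/\d+/)(\d+) to \d+/\d+/(\d+)", "\n".join(body))
    for n in (range(int(members[3]), int(members[4]) + 1) if members else ()):
        name = f"{members[1]}{members[2]}{n}"
        have = dict(re.findall(r"storm suppression (\S+) (\d+)", "\n".join(cfg.get(f"interface {name}", []))))
        for kind, limit in RECOMMENDED.items():
            skip = kind == "multicast" and multicast_across_dcs  # page: no multicast limit then
            if not skip and int(have.get(kind, 101)) > limit:
                findings.append(f"{name}: storm suppression {kind} missing or above {limit}%")
    return findings
```

Pass `multicast_across_dcs=True` for sites that carry multicast services between DCs, where the page says multicast suppression should not be configured.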