Configuration Guide - SFC

CloudEngine 12800E V200R003C00

This document describes the configurations of Service function chain (SFC).
Example for Configuring SFC in the Distributed VXLAN Gateway Networking

Networking Requirements

SFC technology allows traffic to pass through specified SFs as required. On the distributed VXLAN gateway network (BGP EVPN) shown in Figure 8-2, SwitchA and SwitchB are leaf nodes, and there are reachable routes between the spine node and the egress gateway. The tenant server and the NSH-aware FW connect to the VXLAN network through VLANs.

The customer requires that traffic from the tenant server be processed by the FW before it is forwarded to the external network, to ensure service forwarding security. SFC meets this requirement.
NOTE:

In the following figure, interface1 and interface2 represent 10GE1/0/1 and 10GE1/0/2, respectively.

Figure 8-2  SFC configuration networking in a distributed VXLAN gateway scenario

Table 8-2  Interface IP addresses

| Device  | Interface | IP Address     |
|---------|-----------|----------------|
| SwitchA | 10GE1/0/1 | 192.168.2.1/24 |
| SwitchA | LoopBack0 | 2.2.2.2/32     |
| SwitchB | 10GE1/0/1 | 192.168.3.1/24 |
| SwitchB | LoopBack0 | 1.1.1.1/32     |
| SwitchC | 10GE1/0/1 | 192.168.2.2/24 |
| SwitchC | 10GE1/0/2 | 192.168.3.2/24 |
| SwitchC | LoopBack0 | 3.3.3.3/32     |

Configuration Roadmap

The configuration roadmap is as follows:
  • Enable SFC on leaf nodes of the distributed gateway.

  • Configure SwitchA as the SC to direct traffic matching rules to the SFP.

  • Configure SwitchB as an SFF to define the IP address of the next hop.

Procedure

  1. Configure the VXLAN. For details, see configuration files.
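  2. Configure the SC. Enable SFC on SwitchA, configure the traffic classifier nsh to match packets whose source IP address is 10.1.1.2 and destination IP address is 30.1.1.1, redirect the matching traffic to SFP 100, and set the SI to 5. The ACL rule is entered with a 24-bit mask, so it is saved as 10.1.1.0 0.0.0.255 to 30.1.1.0 0.0.0.255 (see the SwitchA configuration file) and steers the whole source subnet into the SFP, not only host 10.1.1.2.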

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA
    [*HUAWEI] commit
    [~SwitchA] service-chain enable
    [*SwitchA] commit
    [~SwitchA] service-chain service-path 100
    [*SwitchA-service-chain-100] service-index 5 next-hop sff vtep 1.1.1.1 vni 5010
    [*SwitchA-service-chain-100] commit
    [~SwitchA-service-chain-100] quit
    [~SwitchA] acl 3001
    [*SwitchA-acl4-advance-3001] rule permit ip source 10.1.1.2 24 destination 30.1.1.1 24
    [*SwitchA-acl4-advance-3001] commit
    [~SwitchA-acl4-advance-3001] quit
    [~SwitchA] traffic classifier nsh type and
    [*SwitchA-classifier-nsh] if-match acl 3001
    [*SwitchA-classifier-nsh] commit
    [~SwitchA-classifier-nsh] quit
    [~SwitchA] traffic behavior nsh_1
    [*SwitchA-behavior-nsh_1] redirect service-path 100 service-index 5
    [*SwitchA-behavior-nsh_1] commit
    [~SwitchA-behavior-nsh_1] quit
    [~SwitchA] traffic policy nsh_2
    [*SwitchA-trafficpolicy-nsh_2] classifier nsh behavior nsh_1
    [*SwitchA-trafficpolicy-nsh_2] commit
    [~SwitchA-trafficpolicy-nsh_2] quit
    [~SwitchA] interface vbdif 10
    [~SwitchA-Vbdif10] traffic-policy nsh_2 inbound
    [*SwitchA-Vbdif10] commit
    

  3. Configure the SFF. Enable SFC on SwitchB and configure the SF as its next hop. Note that the SFP ID must be the same as the ID of the redirected SFP.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchB
    [*HUAWEI] commit
    [~SwitchB] service-chain enable
    [*SwitchB] commit
    [~SwitchB] service-chain service-path 100
    [*SwitchB-service-chain-100] service-index 5 next-hop sf remote-ip 20.1.1.2
    [*SwitchB-service-chain-100] service-index 4 path-terminal
    [*SwitchB-service-chain-100] commit

  4. Verify the configuration.

    Run the display service-chain service-path [ path-id ] command on SwitchB to view the SFP configuration.

    <SwitchB> display service-chain service-path 100
    SPI: ServicePathIndex    SI: ServiceIndex
    ServiceType: NA - NSH-aware, NUA - NSH-unaware
    NodeType: SF - Service Function, SFF - Service Function Forward, PS - Post Service
    Detailed ServicePath Information:
    ---------------------------------------------------------------------------------------------------------------------
    
         SPI     SI     RouteStatus     ServiceType     NodeType     NextHop              Vni     VpnInstance
    ---------------------------------------------------------------------------------------------------------------------
         100      5     Reachable       NA              SF           20.1.1.2            5010     --
         100      4     --              NUA             PS           --                     0     --

    Traffic can be forwarded to the external network after being processed by the FW.

Configuration Files

  • SwitchA configuration file

    #
    sysname SwitchA
    #
    evpn-overlay enable
    #
    service-chain enable
    #
    ip vpn-instance nsh
     ipv4-family
      route-distinguisher 11:11
      vpn-target 1:1 export-extcommunity
      vpn-target 11:1 export-extcommunity evpn
      vpn-target 1:1 import-extcommunity
      vpn-target 11:1 import-extcommunity evpn
     vxlan vni 5010
    #
    service-chain service-path 100
     service-index 5 next-hop sff vtep 1.1.1.1 vni 5010
    #
    bridge-domain 10
     vxlan vni 10
     evpn 
      route-distinguisher 10:1
      vpn-target 10:1 export-extcommunity
      vpn-target 11:1 export-extcommunity
      vpn-target 10:1 import-extcommunity
    #
    acl number 3001
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 30.1.1.0 0.0.0.255
    #
    traffic classifier nsh type and
     if-match acl 3001
    #
    traffic behavior nsh_1
     redirect service-path 100 service-index 5 
    #
    traffic policy nsh_2
     classifier nsh behavior nsh_1 precedence 5
    #
    interface 10GE1/0/1
     undo portswitch
     ip address 192.168.2.1 255.255.255.0
    #
    interface 10GE1/0/2.1 mode l2
     encapsulation dot1q vid 10
     bridge-domain 10
    #
    interface Vbdif10
     ip binding vpn-instance nsh
     ip address 10.1.1.1 255.255.255.0
     vxlan anycast-gateway enable
     arp collect host enable
     traffic-policy nsh_2 inbound 
    #
    interface LoopBack0
     ip address 2.2.2.2 255.255.255.255
    #
    interface Nve1
     source 2.2.2.2
     vni 10 head-end peer-list protocol bgp
    #
    bgp 200
     peer 192.168.2.2 as-number 100
     #
     ipv4-family unicast
      network 2.2.2.2 255.255.255.255
      peer 192.168.2.2 enable
    #
    bgp 100 instance evpn1
     peer 3.3.3.3 as-number 100
     peer 3.3.3.3 connect-interface LoopBack0
     #
     l2vpn-family evpn
      policy vpn-target
      peer 3.3.3.3 enable
      peer 3.3.3.3 advertise irb
    #
    return

  • SwitchB configuration file

    #
    sysname SwitchB
    #
    evpn-overlay enable
    #
    service-chain enable
    #
    ip vpn-instance nsh
     ipv4-family
      route-distinguisher 22:22
      vpn-target 2:2 export-extcommunity
      vpn-target 11:1 export-extcommunity evpn
      vpn-target 2:2 import-extcommunity
      vpn-target 11:1 import-extcommunity evpn
     vxlan vni 5010
    #
    service-chain service-path 100
     service-index 5 next-hop sf remote-ip 20.1.1.2
     service-index 4 path-terminal
    #
    bridge-domain 20
     vxlan vni 20
     evpn 
      route-distinguisher 20:1
      vpn-target 20:1 export-extcommunity
      vpn-target 11:1 export-extcommunity
      vpn-target 20:1 import-extcommunity
    #
    interface 10GE1/0/1
     undo portswitch
     ip address 192.168.3.1 255.255.255.0
    #
    interface 10GE1/0/2.1 mode l2
     encapsulation dot1q vid 10
     bridge-domain 20
    #
    interface Vbdif20
     ip binding vpn-instance nsh
     ip address 20.1.1.1 255.255.255.0
     vxlan anycast-gateway enable
     arp collect host enable
    #
    interface LoopBack0
     ip address 1.1.1.1 255.255.255.255
    #
    interface Nve1
     source 1.1.1.1
     vni 20 head-end peer-list protocol bgp
    #
    bgp 300
     peer 192.168.3.2 as-number 100
     #
     ipv4-family unicast
      network 1.1.1.1 255.255.255.255
      peer 192.168.3.2 enable
    #
    bgp 100 instance evpn1
     peer 3.3.3.3 as-number 100
     peer 3.3.3.3 connect-interface LoopBack0
     #
     l2vpn-family evpn
      policy vpn-target
      peer 3.3.3.3 enable
      peer 3.3.3.3 advertise irb
    #
    return

  • SwitchC configuration file

    #
    sysname SwitchC
    #
    evpn-overlay enable
    #
    interface 10GE1/0/1
     undo portswitch
     ip address 192.168.2.2 255.255.255.0
    #
    interface 10GE1/0/2
     undo portswitch
     ip address 192.168.3.2 255.255.255.0
    #
    interface LoopBack0
     ip address 3.3.3.3 255.255.255.255
    #
    bgp 100
     peer 192.168.2.1 as-number 200
     peer 192.168.3.1 as-number 300
     #
     ipv4-family unicast
      network 3.3.3.3 255.255.255.255
      peer 192.168.2.1 enable
      peer 192.168.3.1 enable
    #
    bgp 100 instance evpn1
     peer 2.2.2.2 as-number 100
     peer 2.2.2.2 connect-interface LoopBack0
     peer 1.1.1.1 as-number 100
     peer 1.1.1.1 connect-interface LoopBack0
     #
     l2vpn-family evpn
      undo policy vpn-target
      peer 2.2.2.2 enable
      peer 2.2.2.2 advertise irb
      peer 2.2.2.2 reflect-client
      peer 1.1.1.1 enable
      peer 1.1.1.1 advertise irb
      peer 1.1.1.1 reflect-client
    #
    return
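
The SFP ID and SI configured on the SC must line up with the entries on the SFF, otherwise redirected traffic never reaches the FW. The following check is an added example, not part of the original guide or of Huawei's tooling: it parses the SFC lines of the SwitchA and SwitchB configuration files above and reports any break in the chain. The function names `hops` and `audit` are hypothetical, and the check assumes one SC and one SFF as in this networking, with each SF returning the packet with the SI decremented by 1.

```python
import re

# Constructed input: SFC lines trimmed from this page's SwitchA/SwitchB files.
SWITCH_A = """\
service-chain service-path 100
 service-index 5 next-hop sff vtep 1.1.1.1 vni 5010
traffic behavior nsh_1
 redirect service-path 100 service-index 5
interface Vbdif10
 traffic-policy nsh_2 inbound
"""
SWITCH_B = """\
service-chain service-path 100
 service-index 5 next-hop sf remote-ip 20.1.1.2
 service-index 4 path-terminal
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
"""

def hops(cfg):
    """Map (SPI, SI) -> hop action from 'service-chain service-path' blocks."""
    out, spi = {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):  # a top-level line opens a new block
            m = re.fullmatch(r"service-chain service-path (\d+)", line.strip())
            spi = int(m.group(1)) if m else None
        elif spi is not None and (m := re.match(r" service-index (\d+) (.+)", line)):
            out[(spi, int(m.group(1)))] = m.group(2).strip()
    return out

def audit(sc, sff):
    """Return findings for one SC/SFF pair; an empty list means consistent."""
    issues, sc_hops, sff_hops = [], hops(sc), hops(sff)
    m = re.search(r"redirect service-path (\d+) service-index (\d+)", sc)
    if not m or not re.search(r"^ traffic-policy \S+ inbound", sc, re.M):
        return ["SC: no inbound traffic policy redirects into an SFP"]
    spi, start = int(m.group(1)), int(m.group(2))
    vtep = re.match(r"next-hop sff vtep (\S+)", sc_hops.get((spi, start), ""))
    if not vtep:
        issues.append(f"SC: SFP {spi} SI {start} has no SFF next hop")
    elif f" ip address {vtep.group(1)} 255.255.255.255" not in sff:
        issues.append(f"SFF: VTEP {vtep.group(1)} is not a local /32 address")
    si = start  # assumption: each SF returns the packet with SI decremented by 1
    while sff_hops.get((spi, si), "").startswith("next-hop sf "):
        si -= 1
    if si == start:
        issues.append(f"SFF: SFP {spi} SI {start} does not point to an SF")
    elif sff_hops.get((spi, si)) != "path-terminal":
        issues.append(f"SFF: SFP {spi} has no terminal hop at SI {si}")
    return issues
```

`audit(SWITCH_A, SWITCH_B)` returns an empty list for the configuration on this page; changing the SFP ID on either switch, or removing the path-terminal entry, produces a finding.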
Updated: 2019-05-05

Document ID: EDOC1100004204
