Configuration Guide - VXLAN

CloudEngine 12800 and 12800E V200R003C00

This document describes the configurations of VXLAN.
Licensing Requirements and Limitations for VXLANs

Involved Network Elements

You can configure VXLAN on an Agile Controller-DCN or in single-node mode. Different network elements (NEs) are required for the configuration modes. During the configuration, select a proper controller version.

| Configuration Mode        | Product          | Description |
|---------------------------|------------------|-------------|
| Agile Controller-DCN mode | Agile Controller | Uses the NETCONF protocol to control VXLAN tunnel setup between devices and uses the OpenFlow protocol to control packet forwarding over the tunnels. |
| Single-node mode          | -                | No other NEs are required. |

Licensing Requirements

VXLAN is a basic feature of the switch and is not under license control.

Version Requirements

Table 7-1 Products and minimum version supporting VXLAN

| Product                         | Minimum Version Required in Agile Controller-DCN Mode | Minimum Version Required in Single-Node Mode |
|---------------------------------|-------------------------------------------------------|----------------------------------------------|
| CE12804/CE12808/CE12812/CE12816 | V100R006C00                                           | V100R005C00                                  |
| CE12804S/CE12808S               | V100R006C00                                           | V100R005C00                                  |
| CE12800E                        | V200R002C50                                           | V200R002C50                                  |

Configuration Mode Description

This feature can be configured on the command-line interface (CLI) or the Agile Controller-DCN. This document only describes the CLI configuration mode. For details about the Agile Controller-DCN configuration mode, see the deployment guide of the Cloud Fabric DCN solution in the appropriate version.

Feature Limitations

The VXLAN-related feature dependencies and limitations are as follows:

VXLAN Specifications and Performance

Table 7-2 lists VXLAN specifications.
NOTE:

The values in the following table indicate the maximum values when the network transmits only the VXLAN service. If the service configurations of the real network differ from those of the test network, the values may be different from those provided here.

Table 7-2 VXLAN specifications

Number of BDs:

  • CE12800:
    • When a card is not working in enhanced mode: 4000
    • When a card is working in enhanced mode and a CE-FWA/CE-IPSA interface card is also installed: 4000
    • When a card is working in enhanced mode and the large Layer 3 interface mode is not configured: 8000
    • When a card is working in enhanced mode, the large Layer 3 interface mode is configured, and ARP resource allocation is in non-extended mode: 32,000
    • When a card is working in enhanced mode, the large Layer 3 interface mode is configured, and ARP resource allocation is in extended mode: 8000
  • CE12800E (configured with ED-E, EG-E, and EGA-E series cards): 32,000
  • CE12800E (configured with FD-X series cards): 8000

Number of MAC addresses supported on VBDIF interfaces:

  • The CE12800E (configured with ED-E, EG-E, and EGA-E series cards) supports 500 any unicast MAC addresses.
  • The CE12800E (configured with FD-X series cards) supports 1000 any unicast MAC addresses.
  • When the CE12800 works in non-enhanced mode:
    • If the switch is configured with the EA series cards, CE-L48GT-EC card, or CE-L48GS-EC card, the MAC address supported by the switch is in the range of 0000-5e00-0100 to 0000-5e00-0107, and a maximum of eight MAC addresses are allowed.
    • If the switch is configured with other cards, the MAC address supported by the switch is in the range of 0000-5e00-0100 to 0000-5e00-01ff, and a maximum of eight MAC addresses can be configured.
  • When the CE12800 works in enhanced mode, the MAC address supported by the switch is in the range of 0000-5e00-0100 to 0000-5e00-01ff, and a maximum of 16 MAC addresses can be configured.

VXLAN Feature Constraints

  • In versions earlier than V200R002C50, VXLAN overlay networks can only be IPv4 networks. In V200R002C50 and later versions, overlay networks can be IPv6 networks.
  • In versions earlier than V200R003C00, underlay networks of VXLAN networks can only be IPv4 networks. In V200R003C00 and later versions, underlay networks can be IPv6 networks. When a VXLAN tunnel is established based on an IPv6 network:
    • The CE12800E configured with the ED-E, EG-E, and EGA-E series cards supports the IPv6 VXLAN function. The CE12800E configured with the FD-X series cards does not support the IPv6 VXLAN function.

    • Only the CE12800E (configured with ED-E, EG-E, and EGA-E series cards) supports the IPv6 VXLAN Layer 3 gateway, and the CE12800 only supports the IPv6 VXLAN Layer 2 gateway.

    • On the CE12800, only the CE-L48XS-FG, CE-L36CQ-FG, CE-L36CQ-FD1, CE-L36CQ-SD, CE-L48XS-FD1, CE-L08CF-FG1, and CE-L16CQ-FD cards support the IPv6 VXLAN function, and the other cards do not support this function.

    • An IPv6 VXLAN tunnel can be deployed only in static mode.

    • Only the IPv6 VXLAN centralized gateway can be deployed, and distributed gateways cannot be deployed.

  • You cannot configure the enhanced mode for the CE12800E when it works as an NVO3 gateway. The CE12800E works in non-loopback mode by default.
  • After you run the port default vlan command on an interface of the dot1q-tunnel type to configure a default VLAN, this VLAN cannot be bound to a BD. Similarly, after you bind a VLAN to a BD, you cannot run the port default vlan command on the interface of the dot1q-tunnel type to configure a default VLAN.
  • On the CE12800E (configured with ED-E, EG-E, and EGA-E series cards), when the VLAN is used or a Layer 2 sub-interface connects to the VXLAN, a traffic policy cannot match the original VLAN ID of packets and a traffic policy cannot be applied to the VLAN. You can configure the traffic classifier to match fields except for the VLAN ID and apply the traffic policy in a BD corresponding to the VLAN.
  • A VBDIF interface cannot function as an outbound interface on the VXLAN underlay network side.
  • When a standalone switch or stack functions as the VXLAN access device, you do not need to configure MAC addresses for NVE interfaces. When an M-LAG functions as the VXLAN access device in a distributed gateway scenario, you need to configure the same MAC address for NVE interfaces on the M-LAG master and backup devices.
  • When VXLAN dual-active access is configured and the gateways work in loopback mode in a distributed gateway scenario, the NVE interfaces of different M-LAG systems on the network must be configured with different MAC addresses. For example, if devices A and B establish M-LAG system 1 and devices C and D establish M-LAG system 2, the NVE interfaces of M-LAG systems 1 and 2 must be configured with different MAC addresses.

  • For the CE12800E configured with ED-E, EG-E, and EGA-E series cards, the IPv6 VXLAN function and M-LAG function are mutually exclusive and cannot be deployed on the same switch.
  • For CE12800 switches, if a VXLAN tunnel is established over an IPv6 network and an M-LAG is connected to the VXLAN network, configure peer-link interfaces on the CE-L48XS-FG, CE-L36CQ-FG, CE-L36CQ-FD1, CE-L36CQ-SD, CE-L48XS-FD1, CE-L08CF-FG1, or CE-L16CQ-FD card.

  • For CE12800 switches, if a VXLAN tunnel is established over an IPv6 network, the egress node of the tunnel cannot perform Eth-Trunk load balancing based on the IPv6 address or Layer 4 port number of inner IPv6 packets or the Layer 4 port number of inner IPv4 packets. This problem also exists when ECMP/Eth-Trunk load balancing is performed on the intermediate transit node with the VXLAN tunnel configuration.
  • In V200R003C00 and later versions, the device functions as a PE node in an IPv6 VXLAN network. When the device also functions as a transit or an egress node in an MPLS network, traffic cannot be load balanced based on the inner IP header.

    In V200R003C00 and later versions, the device functions as a PE node in an IPv6 VXLAN network. When the device also functions as a transit or an egress node in a VPLS network, traffic cannot be load balanced based on the inner Ethernet header.

  • To forward common IP packets carrying VXLAN-encapsulated destination UDP port (4789 by default) over a VXLAN network, you need to run the port nvo3 mode access command on the access port of a CE12800E (configured with FD-X series cards).
  • After VXLAN packets are forwarded at Layer 3 to a loopback interface on a CE12800 in loopback or Layer 2 non-loopback mode, the CE12800 unicasts the packets only after finding the MAC address of the next hop. Otherwise, the packets are broadcast in the BD. You are advised to set the aging time of MAC address entries to be longer than the aging time of ARP entries.

  • In versions earlier than V200R001C00, STP cannot be configured on a user-side interface of a VXLAN tunnel. Starting from V200R001C00, STP can be configured on a user-side interface of a VXLAN tunnel that accesses the VXLAN as a VLAN. In V200R002C50 and later versions, STP can be configured on a user-side interface of a VXLAN tunnel when the device is deployed to provide VXLAN access through a Layer 2 sub-interface or to provide VLAN access.
  • It is recommended that the controller mode and single-node mode not be used simultaneously for networking. The controller mode applies to large-scale networks, and the single-node mode applies to small- and medium-scale networks.
  • Only the CE12800E switches (configured with ED-E, EG-E, and EGA-E series cards) support fragmentation or reassembly of VXLAN packets. On a VXLAN network where both CE and non-CE devices are deployed, when packets are fragmented on a non-CE device, the packets cannot be reassembled by a CE device. In this case, packet forwarding fails. To prevent this problem, set the maximum frame length to 1400 bytes on the server.
  • For CE12800 switches, on the device at the VXLAN tunnel egress, all VXLAN packets cannot be redirected to interfaces.

  • After all-active gateways are configured, you need to specify the non-gateway IP address as the source IP address for sending ICMP Echo Request packets when pinging the host address from a gateway.
  • There is a high probability that packet loss occurs if the volume of Layer 2 VXLAN-encapsulated traffic or Layer 3 VXLAN-encapsulated or VXLAN-decapsulated traffic exceeds 50% of line cards' total forwarding performance. There is a higher probability of packet loss if the switch functions as a Layer 3 VXLAN gateway.
  • The uplink interfaces on the CE12800E (configured with FD-X series cards) at both ends of a VXLAN tunnel only support Ethernet packets.
  • For the CE12800E (configured with ED-E, EG-E, and EGA-E series cards), only the IP address of a loopback interface can be configured as the source VTEP IP address of an NVE interface.
  • For the CE12800E (configured with FD-X series cards) in large ARP table mode, only the IP address of a loopback interface can be configured as the source VTEP IP address of an NVE interface.
  • When you upgrade a device running a version earlier than V100R006C00, delete the VXLAN configuration before the upgrade if the configuration exists and the corresponding VXLAN tunnel is Down. Otherwise, functions using ACLs may not take effect after the upgrade.
  • On a VXLAN network in EVPN mode for the CE12800, MAC address entries of migrated VMs are updated through gratuitous ARP packets or RARP packets sent by the VMs after they are migrated.
  • If an Eth-Trunk works in dynamic LACP mode, it cannot connect to the VXLAN using Layer 2 sub-interfaces.
  • During the upgrade from V200R001C00SPC100 to a later version, if a static route's next hop is iterated to a remote VPN cross route and the next hop is a VXLAN tunnel, the static route is inactive in the source version but will become active in the target version. This modification will cause inconsistent traffic transmission paths before and after the upgrade. To prevent this, check whether a static route's next hop is iterated to a remote VPN cross route and the next hop is a VXLAN tunnel. If yes, delete this static route.
  • In V100R005C00, you cannot create a VBDIF interface for the BD after a Layer 2 sub-interface is added to a BD.

    From V100R005C10, after a Layer 2 sub-interface with the flow encapsulation type set to default is added to a BD, you cannot create a VBDIF interface for the BD.

  • In V100R005C10 and earlier versions, switches can only connect to the VXLAN through Layer 2 sub-interfaces. Starting from V100R006C00, switches can also connect to the VXLAN through VLANs. When connecting switches to the VXLAN network through VLANs, pay attention to the following restrictions:

    • After a VLAN is bound to a BD, you cannot create a VBDIF interface for the BD and cannot create a VLANIF interface for the VLAN.

    • ARP broadcast suppression is not supported when VLANs are connected to the VXLAN.

  • Starting from V200R002C50, use the encapsulation qinq vid low-pe-vid [ to high-pe-vid ] ce-vid low-ce-vid [ to high-ce-vid ] command to configure inner and outer VLAN IDs for a Layer 2 QinQ sub-interface. When a Layer 2 QinQ sub-interface without VLAN IDs configured is used to connect to the VXLAN, it has the following constraints:
    • Layer 2 sub-interfaces that use the QinQ traffic encapsulation type cannot be configured in VXLAN active-active access scenarios. In V200R003C00 and later versions, for CE12800 switches, termination QinQ Layer 2 sub-interfaces can be configured and transparent transmission QinQ Layer 2 sub-interfaces cannot be configured in VXLAN active-active access scenarios.

      NOTE:

      QinQ Layer 2 sub-interfaces that are configured with the rewrite pop double command are of the QinQ termination type. QinQ Layer 2 sub-interfaces that do not have the rewrite pop double command configured are of the QinQ transparent transmission type.

    • In versions earlier than V200R002C50, static MAC addresses cannot be configured for Layer 2 sub-interfaces where the encapsulation mode is QinQ.
    • When a Layer 2 sub-interface in the QinQ encapsulation mode is bound to a BD, the corresponding VBDIF interface cannot be created for the BD. Additionally, neither DHCP snooping nor ARP broadcast suppression can be configured. Starting from V200R002C50, when a Layer 2 sub-interface in the QinQ encapsulation mode is bound to a BD and the rewrite pop double command is configured, the corresponding VBDIF interface can be created for the BD. In addition, DHCP Snooping and ARP broadcast suppression can be configured.
    • The rewrite pop double command must be configured for either all or none of the Layer 2 sub-interfaces in the QinQ encapsulation mode in the same BD.
  • When a Layer 2 QinQ sub-interface with VLAN IDs configured is used to connect to the VXLAN, it has the following constraints:
    • In a dual-active VXLAN access scenario, the QinQ encapsulation mode cannot be used on Layer 2 sub-interfaces.
    • When a Layer 2 sub-interface in the QinQ encapsulation mode is bound to a BD, the corresponding VBDIF interface cannot be created for the BD. Additionally, neither DHCP snooping nor ARP broadcast suppression can be configured.
    • If a QinQ Layer 2 sub-interface has an outer or inner VLAN ID range, the rewrite pop double command cannot be configured on the sub-interface.
  • The following tables describe the compatibility of binding Layer 2 sub-interfaces to the same BD in V200R002C50 and later versions. In these tables, N indicates that the two Layer 2 sub-interfaces cannot be bound to the same BD; while Y indicates that the two Layer 2 sub-interfaces can be bound to the same BD.
    • Binding compatibility to the same BD of two Layer 2 sub-interfaces from the same port

      | Layer 2 sub-interface type    | Default | Untag | Dot1q | QinQ termination | QinQ transparent transmission |
      |-------------------------------|---------|-------|-------|------------------|-------------------------------|
      | Default                       | N       | N     | N     | N                | N                             |
      | Untag                         | N       | N     | Y     | Y*               | N                             |
      | Dot1q                         | N       | Y     | Y     | Y*               | N                             |
      | QinQ termination              | N       | Y*    | Y*    | Y                | N                             |
      | QinQ transparent transmission | N       | N     | N     | N                | Y                             |

      NOTE:

      * N in V200R002C50 and earlier versions.

    • Binding compatibility to the same BD of two Layer 2 sub-interfaces from different ports

      | Layer 2 sub-interface type    | Default | Untag | Dot1q | QinQ termination | QinQ transparent transmission |
      |-------------------------------|---------|-------|-------|------------------|-------------------------------|
      | Default                       | Y       | Y*    | Y*    | N                | N                             |
      | Untag                         | Y*      | Y     | Y     | Y*               | N                             |
      | Dot1q                         | Y*      | Y     | Y     | Y*               | N                             |
      | QinQ termination              | N       | Y*    | Y*    | Y                | N                             |
      | QinQ transparent transmission | N       | N     | N     | N                | Y                             |

      NOTE:

      * N in V200R002C50 and earlier versions.

  • In MP-BGP scenarios, if the NVE interfaces of Layer 2 and Layer 3 modes are simultaneously configured on the device, you must specify different source VTEP IP addresses for each of them.
  • After centralized all-active VXLAN gateways are created, do not immediately delete or shut down the VBDIF interfaces on all these gateways. Use proper route planning to ensure that traffic is directed to another gateway before deleting or shutting down a VBDIF interface on a gateway. Otherwise, some traffic may be lost.
  • After a distributed gateway is configured, the gateway discards received network-side ARP packets and learns only user-side ARP packets.
  • When distributed gateways work in non-loopback mode, the number of MAC address entries in the hardware table may be larger than that in the software table when Layer 3 traffic is forwarded across subnets.
  • In VXLAN dual-active access scenarios, when traffic enters the peer-link interface, the switch uses only the DSCP priority to map IP packets and uses only the priority by the port priority command to map non-IP packets.
  • When one server is connected to two active access devices on the VXLAN network, you cannot run the encapsulation command to change the encapsulation type of the Layer 2 sub-interfaces that are configured on the dual-homed interfaces to default.
  • In V200R003C00 versions, when a switch with the CE-L48XS-FG, CE-L36CQ-FG, CE-L36CQ-FD1, CE-L36CQ-SD, CE-L48XS-FD1, CE-L08CF-FG1, or CE-L16CQ-FD card is configured as a Layer 3 VXLAN gateway and performs VXLAN encapsulation, the DSCP priority in the outer IP header of a VXLAN packet is incorrectly mapped and differs from the DSCP priority in the inner IP header. It is recommended that you do not configure a switch with such cards as a Layer 3 VXLAN gateway.

  • After a MAC address is configured for a VBDIF interface on the CE12800 or CE12800E (configured with ED-E, EG-E, and EGA-E series cards), the MAC address encapsulated in packets forwarded by the gateway is the system MAC address and is not the configured MAC address.
  • When you use the ping command to test the connectivity of an IPv6 VXLAN tunnel and only a link-local address is configured for the outbound interface of the tunnel, you must specify a source IPv6 address that is not of the link-local type to ensure that the ping succeeds.
  • After the VXLAN ping/tracert function is enabled using the nqa vxlanecho enable command, packets with the destination MAC address 00:00:5E:90:00:01 are identified as VXLAN ping/tracert packets and cannot be forwarded normally.
  • By default, the VXLAN ping/tracert function uses the source IP address of the underlay network. If the route from the peer end to the local end cannot be assured, you are advised to specify the IP address of the tunnel as source IP address by setting the -a parameter.
  • After a Layer 2 sub-interface that uses Dot1q encapsulation receives ARP packets that contain more than two VLAN tags, the ARP packets are discarded, and broadcast suppression cannot be performed for the packets.
  • The following describes the default path load balancing situation on the CE12800. Specific cards in the following are CE-L48XS-FG, CE-L36CQ-FG, CE-L36CQ-FD1, CE-L36CQ-SD, CE-L48XS-FD1, CE-L08CF-FG1, and CE-L16CQ-FD cards.

    • Eth-Trunk hash can be performed on IPv4 and IPv6 packets that are forwarded at Layer 2 to the IPv4 VXLAN tunnel based on dst-mac, src-mac, src-ip, dst-ip, l4-src-port, and l4-dst-port; ECMP hash can be performed on the packets based on dst-mac, src-mac, src-ip, dst-ip, l4-src-port (on the specific cards), and l4-dst-port (on the specific cards).
    • Eth-Trunk or ECMP hash can be performed on IPv4 and IPv6 packets that are forwarded at Layer 3 to the IPv4 VXLAN tunnel based on src-ip, dst-ip, l4-src-port, and l4-dst-port.
    • Eth-Trunk hash can be performed on IPv4 packets that are forwarded at Layer 2 from the IPv4 VXLAN tunnel based on dst-mac, src-mac, src-ip, and dst-ip. Eth-Trunk hash can be performed on IPv6 packets that are forwarded at Layer 2 from the IPv4 VXLAN tunnel based on dst-mac, src-mac, and dst-ip (32 to 95 bits).
    • Eth-Trunk or ECMP hash can be performed on IPv4 packets that are forwarded at Layer 3 from the IPv4 VXLAN tunnel based on src-ip and dst-ip. Eth-Trunk or ECMP hash can be performed on IPv6 packets that are forwarded at Layer 3 from the IPv4 VXLAN tunnel based on src-ip (32 to 95 bits).
    • Eth-Trunk or ECMP hash can be performed on IPv4 and IPv6 packets that are encapsulated in an IPv4 VXLAN tunnel based on dst-mac, src-mac, src-ip, dst-ip, l4-src-port, and l4-dst-port on a VXLAN-disabled intermediate forwarding node.
    • Eth-Trunk hash can be performed on IPv4 packets that are encapsulated in an IPv4 VXLAN tunnel based on dst-mac, src-mac, src-ip, and dst-ip on a VXLAN-enabled intermediate forwarding node; ECMP hash can be performed on packets based on dst-mac, src-mac, src-ip (on the specific cards), and dst-ip (on the specific cards).
    • Eth-Trunk or ECMP hash can be performed on IPv6 packets that are encapsulated in an IPv4 VXLAN tunnel based on dst-mac, src-mac, and dst-ip (32 to 95 bits) on a VXLAN-enabled intermediate forwarding node.

    For CE12800 switches on which the card interoperability mode is enhanced mode, Eth-Trunk or ECMP hash can be performed based on l4-src-port in the outer packet after the assign forward nvo3 eth-trunk/ecmp hash enable command is configured.

  • For the CE12800E configured with the ED-E, EG-E, and EGA-E series cards, after the ip fragment enable command is executed to enable IPv4 packet fragmentation and a Layer 3 main interface is created on the physical interface or Eth-Trunk of the Layer 2 sub-interface in the BD, the MTU of the Layer 3 main interface takes effect and the MTU of the corresponding VBDIF interface does not take effect.

  • On a CE12800E switch configured with FD-X series cards, when double-tagged packets enter a Dot1q Layer 2 sub-interface, are forwarded across chips, and sent from another Dot1q Layer 2 sub-interface, the inner tag of the packets is lost.

  • Packet loss occurs when a CE12800E switch configured with FD-X series cards functions as a leaf node on a VXLAN network and forwards VXLAN packets whose length ranges from 108 bytes to 128 bytes at full bandwidth.

  • Packets on the VXLAN overlay network do not support the function of calculating the Eth-Trunk or ECMP outbound interface based on specified packet characteristics (including 5-tuple, source MAC address, and destination MAC address).

  • For the CE12800E (configured with FD-X series cards), ECMP hash cannot be performed after VXLAN-encapsulated packets with double-tagged inner packets are decapsulated on the VXLAN tunnel side for Layer 2 and Layer 3 forwarding. In enhanced mode, Eth-Trunk hash cannot be performed. In non-enhanced mode, Eth-Trunk hash can be performed based only on MAC addresses.

  • When forwarding VXLAN packets, the switch does not check the mapping between a tunnel and a VNI. If both the tunnel and VNI exist, VXLAN packets can be forwarded.
  • When a VXLAN tunnel has multiple paths, excess BUM packets may exist or some BUM packets may be discarded for a short period of time during link failure recovery.
  • When the CE12800 (in non-loopback mode) functions as a Layer 3 VXLAN gateway, the gateway cannot terminate VXLAN packets in which the TTL value is 1. The gateway forwards the VXLAN packets and reduces the TTL value to 0.
  • When the CE12800 (in non-loopback mode) running V200R003C00 or an earlier version functions as the egress node of a VXLAN tunnel, the switch cannot send tracert packets in which the inner TTL value is 1 to the CPU, and forwards the packets. As a result, two consecutive hops are the same when tracert is performed.
  • In a VXLAN EVPN scenario, if a device or server is connected to a CE12800E switch in active/standby mode, dynamic MAC address entries that do not match traffic on a card are aged out and EVPN MAC address entries are triggered to be revoked on the remote device. When dynamic MAC address entries on the card are updated, EVPN MAC address entries are advertised and ARP probe is triggered. To prevent ARP probe caused by multiple times of MAC address entry aging in this scenario, you are advised to set the aging time of dynamic MAC address entries to a value greater than 1200s.
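As an added illustration (not code from this Huawei guide), the following Python decoder reads a constructed VXLAN frame and flags the wire-visible conditions the constraints above call out: the default UDP destination port 4789, a mismatch between the outer and inner DSCP values (the mapping issue noted for certain CE12800 cards acting as Layer 3 gateways), an inner TTL of 1 (which a non-loopback Layer 3 gateway cannot terminate), and the VXLAN ping/tracert destination MAC 00:00:5E:90:00:01. It assumes an IPv4 underlay, does not validate checksums, and the header overhead used by the MTU helper is the standard Ethernet/IP/UDP/VXLAN sizes rather than a figure from this page.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

VXLAN_UDP_PORT = 4789                   # default VXLAN destination UDP port named on the page
VXLAN_ECHO_MAC = "00:00:5e:90:00:01"    # destination MAC of VXLAN ping/tracert packets (page)
UNDERLAY_OVERHEAD_V4 = 14 + 20 + 8 + 8  # outer Ethernet + IPv4 + UDP + VXLAN headers (standard sizes)
UNDERLAY_OVERHEAD_V6 = 14 + 40 + 8 + 8  # outer Ethernet + IPv6 + UDP + VXLAN headers (standard sizes)


@dataclass
class VxlanView:
    outer_dscp: int
    vni: int
    inner_dst_mac: str
    inner_dscp: Optional[int]  # None when the inner frame is not IPv4
    inner_ttl: Optional[int]


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_vxlan_frame(frame: bytes) -> VxlanView:
    """Decode outer Ethernet/IPv4/UDP/VXLAN and inner Ethernet/IPv4 headers.

    Assumes an IPv4 underlay; IP and UDP checksums are not validated.
    """
    if len(frame) < 14 + 20 + 8 + 8 + 14:
        raise ValueError("frame too short for VXLAN encapsulation")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only an IPv4 underlay is handled here")
    ihl = (frame[14] & 0x0F) * 4
    outer_dscp = frame[15] >> 2            # DSCP is the upper 6 bits of the TOS byte
    if frame[23] != 17:
        raise ValueError("outer transport is not UDP")
    udp = 14 + ihl
    dst_port = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dst_port} is not VXLAN")
    vx = udp + 8
    if not frame[vx] & 0x08:               # I flag: the VNI field is valid
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(frame[vx + 4:vx + 7], "big")
    inner = vx + 8
    inner_dst = _mac(frame[inner:inner + 6])
    inner_dscp = inner_ttl = None
    if struct.unpack("!H", frame[inner + 12:inner + 14])[0] == 0x0800:
        ip = inner + 14
        inner_dscp = frame[ip + 1] >> 2
        inner_ttl = frame[ip + 8]
    return VxlanView(outer_dscp, vni, inner_dst, inner_dscp, inner_ttl)


def check_constraints(view: VxlanView) -> List[str]:
    """Flag the wire-visible conditions the constraints above call out."""
    findings = []
    if view.inner_dscp is not None and view.inner_dscp != view.outer_dscp:
        findings.append("outer DSCP differs from inner DSCP")
    if view.inner_ttl == 1:
        findings.append("inner TTL is 1")
    if view.inner_dst_mac == VXLAN_ECHO_MAC:
        findings.append("VXLAN ping/tracert packet")
    return findings


def encapsulated_length(inner_frame_len: int, ipv6_underlay: bool = False) -> int:
    """Frame size after VXLAN encapsulation (no 802.1Q tag on the outer frame)."""
    return inner_frame_len + (UNDERLAY_OVERHEAD_V6 if ipv6_underlay else UNDERLAY_OVERHEAD_V4)


def build_frame(vni: int, outer_dscp: int, inner_dscp: int, inner_ttl: int,
                inner_dst_mac: str) -> bytes:
    """Constructed sample frame (not captured traffic): 20-byte inner IPv4 header, no payload."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, inner_dscp << 2, 20, 0, 0,
                           inner_ttl, 1, 0, bytes([10, 1, 1, 10]), bytes([10, 1, 2, 10]))
    inner_eth = (bytes.fromhex(inner_dst_mac.replace(":", ""))
                 + bytes.fromhex("0200000000aa") + b"\x08\x00")
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    payload = vxlan + inner_eth + inner_ip
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(payload), 0)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, outer_dscp << 2, 20 + 8 + len(payload), 0,
                           0x4000, 64, 17, 0, bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2]))
    outer_eth = bytes.fromhex("0200000000bb") + bytes.fromhex("0200000000cc") + b"\x08\x00"
    return outer_eth + outer_ip + udp + payload


if __name__ == "__main__":
    good = parse_vxlan_frame(build_frame(5000, 46, 46, 64, "02:00:00:00:00:01"))
    print(good, check_constraints(good))     # no findings
    bad = parse_vxlan_frame(build_frame(5000, 0, 46, 1, VXLAN_ECHO_MAC))
    print(bad, check_constraints(bad))       # three findings
    print(encapsulated_length(1400), encapsulated_length(1500, ipv6_underlay=True))
```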

Constraints on VXLAN Traffic Statistics Collection

The following constraints on VXLAN traffic statistics collection apply to all switches:

  • During traffic statistics collection for a VXLAN tunnel, statistics on traffic received from the specified source VTEP are collected. When unicast and multicast tunnels coexist, statistics on traffic of the multicast tunnel are collected as the statistics on traffic of the unicast tunnel.
  • Traffic statistics collection for VPN instances is not supported on VBDIF interfaces.
  • If an active/standby switchover is performed or an interface card is removed, VXLAN traffic statistics may be less than the actual values.

For CE12800 switches:

  • In BD-based traffic statistics, the statistics in the outbound direction for packets forwarded from the Ethernet to VXLAN network do not include the number of bytes added during VXLAN encapsulation. The statistics in the inbound direction for packets forwarded from the VXLAN to Ethernet network include the number of bytes added during VXLAN encapsulation.
  • BD-based traffic statistics in the outbound direction do not include packets that are forwarded at Layer 3.
  • Traffic statistics collection on a Layer 2 sub-interface is mutually exclusive with BD traffic statistics collection and VLAN traffic statistics collection.
  • In versions earlier than V100R005C10, there is a slight difference in the outgoing traffic statistics on a device enabled with BD-based traffic statistics. The maximum difference for each packet is 16 bytes. This issue has been fixed in V100R005C10 and later versions.
  • When the card interoperability mode is non-enhanced mode, the function of collecting traffic statistics in the outbound direction of a VXLAN tunnel can collect statistics only on known unicast traffic.

  • When the card interoperability mode is non-enhanced mode, traffic statistics collected in the outbound direction of a VXLAN tunnel are inaccurate and statistics on BUM packets that are transmitted from other tunnels and forwarded at Layer 2 are collected by mistake. (BUM packets are discarded but statistics on these packets are collected by mistake.)

  • Among 5-tuple, BD, MQC, and VXLAN tunnel traffic statistics collection, the first has the highest priority and the last has the lowest priority. If two or all of them are configured, only the one with the highest priority takes effect.
  • When the enhanced mode for the NVO3 gateway is configured, VXLAN tunnel traffic statistics contain only the number of bytes of incoming packets transmitted between VXLAN networks.
  • After the enhanced mode for the NVO3 gateway is configured, BD traffic statistics in the outbound direction are inaccurate.
  • When the device collects packet statistics based on the VXLAN tunnel and VNI, it can only collect statistics on packets forwarded at Layer 2 in the outbound direction.
  • If a card works in non-enhanced mode, VXLAN tunnel-based statistics collection cannot collect IPv6 packet statistics in the outgoing direction.
  • For the CE12800 configured with FD (except the CE-L16CQ-FD) and FDA series cards, if the next hop of an IP route is an ECMP group that consists of VXLAN tunnels and the outbound interfaces of the VXLAN tunnels are also ECMP groups, traffic cannot be evenly load balanced.

For CE12800E switches:

  • If traffic statistics collection is enabled in a VXLAN tunnel, traffic statistics in the inbound direction of the VXLAN tunnel differ from the actual number of packets when packets are reassembled, and 18 bytes are added to each packet.

  • A CE12800E (configured with FD-X series cards) switch that functions as a decapsulation device on a VXLAN tunnel cannot collect BD-based traffic statistics on decapsulated ARP unicast packets. To query ARP packet statistics, run the display arp packet statistics [ interface [ interface-type interface-number ] ] command.
  • For the CE12800E configured with the FD-X series card, when traffic statistics are collected based on the VXLAN tunnel and VNI on a device (transit leaf) configured with segment VXLAN for Layer 2 DCI, traffic after VNI mapping is collected as traffic before VNI mapping.

Constraints on Segment VXLAN for Layer 2 DCI

  • In V200R005C00 and earlier versions, the CE12800E (configured with ED-E, EG-E, and EGA-E series cards) does not support segment VXLAN for Layer 2 DCI.

  • For the CE12800, segment VXLAN for Layer 2 DCI is supported only when the card interoperability mode of a switch is enhanced mode. When the card interoperability mode is non-enhanced mode, segment VXLAN for Layer 2 DCI is not supported.
  • In V200R003C00, you cannot configure segment VXLAN for Layer 2 DCI on a switch configured with M-LAG or as one of the all-active gateways. In V200R005C00 and later versions, you cannot configure segment VXLAN for Layer 2 DCI on a switch configured with M-LAG, and can configure the function on a switch configured as one of the all-active gateways. In this case, a VXLAN tunnel can be established using only BGP EVPN. In addition, Layer 2 local access traffic on the switch configured with segment VXLAN for Layer 2 DCI can be forwarded only in the data center.

  • When segment VXLAN for Layer 2 DCI is configured on the CE12800 or CE12800E (configured with FD-X series cards), the mapping VNIs configured for transit leaf nodes of two DCs must be the same. Otherwise, Layer 2 interworking cannot be implemented between the DCs.

  • When configuring segment VXLAN for Layer 2 DCI, if a VXLAN tunnel is established between two devices in static mode and the function of importing MAC routes learned by a VXLAN tunnel in static mode to BGP is enabled (using the vxlan tunnel-mac import enable command), a BGP EVPN peer relationship cannot be established between the two devices; otherwise, the MAC address flapping occurs and traffic fails to be properly forwarded.

  • When VXLAN ping/tracert detection is triggered on a device configured with segment VXLAN for Layer 2 DCI, only nodes in the same DC can be pinged or traced; the ping/tracert operation cannot be performed between DCs.
  • The following functions cannot be used together with the segment VXLAN for Layer 2 DCI service:
    • IGMP Snooping Over VXLAN
    • Multicast replication for BUM packets
  • For the CE12800E (configured with ED-E, EG-E, and EGA-E series cards), if segment VXLAN is used to implement Layer 2 communication and a traffic policy containing a matching rule based on inner information in VXLAN packets is applied to the outbound direction of a BD, the traffic policy does not take effect.

Constraints Between VXLAN and Other Features

  • In versions earlier than V200R002C50, when distributed VXLAN gateways are used and cards are working in enhanced mode, you are not advised to configure ARP extended mode. If you configure ARP extended mode, different Layer 2 sub-interfaces in the same BD must be bound to different VLANs.
  • In a dual-active VXLAN access scenario where QinQ termination sub-interfaces are configured, you cannot configure 2:1 VLAN mapping.

  • A QinQ sub-interface of transparent transmission type on a CE12800 or CE12800E switch configured with FD-X series cards will remove the outer VLAN tag if the outer VLAN tag in the packets to be sent is the same as that configured by using the port default vlan or port hybrid untagged vlan command.
  • After VXLAN is configured on the CE12800E (configured with FD-X series cards), Layer 3 sub-interfaces do not support Layer 3 transparent transmission of VXLAN packets.

  • When a CE12800 switch functions as the decapsulation device on a VXLAN tunnel and performs mapping between the DSCP priority and per-hop behavior (PHB) for packets to be forwarded at Layer 3, the switch uses the inner DSCP field in VXLAN packets and the mapping template on the VBDIF interface to map the PHB to the internal DSCP priority. To modify the outer DSCP field in the VXLAN packet, configure a traffic policy that defines a traffic behavior of re-marking the DSCP priority in the inbound direction.
  • In V200R001C00, the bpdu bridge enable command is not supported on the VXLAN network. If this command is configured in a version earlier than V200R001C00, it will be deleted from the device configurations after an upgrade to V200R001C00. To enable BPDU packets to traverse the VXLAN network, run the undo mac-address bpdu [ mac-address [ mac-address-mask ] ] command in the system view. In this command, mac-address specifies the MAC address of BPDU packets that need to traverse the VXLAN network.
  • VBST cannot be deployed on the user-side network of the VXLAN tunnel.

  • If both VXLAN and other services are configured, delivery of other services may fail due to insufficient ACL resources. Only some services can be deployed when VXLAN is configured. For details, see section "Using VXLAN/EVPN with Other Services" in CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches ACL Technical Topics.
  • VXLAN cannot be configured simultaneously with GRE, TRILL, FCoE, MPLS, and multicast VPN. Starting from V100R005C00, you can configure TRILL or FCoE after the VXLAN configuration is deleted. However, the modification takes effect only after the device restarts.
  • In V100R003C10 and V100R005C00, VXLAN takes effect only in the admin-VS.
  • Starting from V100R005C10, only the admin-VS in port mode supports VXLAN; all VSs in group mode support VXLAN.
  • Starting from V100R005C10, the admin-VS shares the BD specification with all the VSs in group mode. That is, if the number of BDs created in one VS reaches the upper limit, no BD can be created in any other VS.
  • After a QoS group containing VLANs or VLANIF member interfaces is configured on a VXLAN network, ARP broadcast suppression cannot be configured. Similarly, after ARP broadcast suppression is configured on a VXLAN network, a QoS group containing VLANs or VLANIF member interfaces cannot be configured.
  • When a traffic policy is applied to a VLANIF interface in the inbound direction on the VXLAN decapsulation device, VXLAN packets cannot be matched.

    When a traffic policy is applied to a Layer 3 sub-interface in the inbound direction on the VXLAN decapsulation device, VXLAN packets cannot be matched.

  • When applying a traffic policy to the outbound direction of a BD on the CE12800, pay attention to the following points:
    • If the matching rule in the traffic classifier is if-match any or based on Layer 2 fields (such as the source MAC address, destination MAC address, Ethernet type, and VLAN ID), the traffic policy takes effect only for Layer 2 traffic.
    • If the matching rule in the traffic classifier is based on Layer 3 fields (such as the source IPv4 address, destination IPv4 address, and protocol type) or Layer 4 fields (such as the source port number and destination port number), the traffic policy takes effect only for Layer 3 traffic.
  • After the device has VXLAN configured, the external TCAM cannot be configured to increase the multicast entry space.
  • The EA series LPUs and EC LPUs at the GE rate remove the first 16 bytes from captured or mirrored packets forwarded through VXLAN.
  • The device does not support MPLS encapsulation after VXLAN encapsulation, or VXLAN decapsulation after MPLS decapsulation.
  • sFlow cannot collect inner information about VXLAN packets.
  • In versions earlier than V200R001C00, NetStream cannot collect inner information about VXLAN packets. Starting from V200R001C00, NetStream can collect inner information about VXLAN packets.

    On the device that decapsulates VXLAN packets, inbound NetStream cannot sample VXLAN packets on Layer 3 sub-interfaces.

  • In versions earlier than V200R001C00, Layer 2 port isolation does not take effect for Layer 2 packets that are encapsulated through VXLAN tunnels. In V200R001C00 and later versions, for the CE12800, Layer 2 port isolation takes effect for Layer 2 packets that are encapsulated at the VXLAN service access side.
  • Port security does not take effect on interfaces connected to the VXLAN.
  • DHCP snooping can only be configured on a VXLAN network-side interface, and cannot be configured simultaneously with DHCP relay.
  • DHCP snooping cannot be configured on the IPv6 VXLAN tunnel.
  • Do not configure the EVN function when VNI IDs ranging from 1 to 4096 exist on the switch. Similarly, do not configure VNI IDs ranging from 1 to 4096 when the EVN function is configured.
  • Starting from V100R005C10, use either of the following methods on the NVO3-enabled device to prevent service overlay failures:
    • On the CE12800, run the assign forward nvo3 acl extend enable command to enable the ACL extension function and then restart the device.
    • On the CE12800, if the network-side interface of the VXLAN tunnel or the EVN tunnel is not an Eth-Trunk interface, run the assign forward nvo3 eth-trunk hash disable command to disable the Eth-Trunk interface from load balancing NVO3 packets in optimized mode.
  • On the CE12800, if you roll back the switch from V200R001C00 or a later version to V100R006C00 or an earlier version, run the assign forward nvo3 acl extend enable command, save the configuration, and restart the switch before upgrading it to V200R001C00 or a later version. All cards on the switch will restart after the switch starts.
  • The VLAN, VXLAN, carrier VLAN, main interface, and Eth-Trunk where card interoperability mode is set to enhanced share system resources. If system resources are insufficient, the configuration may fail.

  • In a VXLAN scenario, IPsec authentication and encryption cannot be configured on a DHCPv6 relay agent.
  • PFC does not backpressure for traffic on the loopback interface of VXLAN services.
  • The original VLAN specified in the port vlan-stacking command cannot be the same as the outer VLAN configured on a QinQ Layer 2 sub-interface.

  • Only the CE12800 (on which the card interoperability mode is enhanced mode) and the CE12800E (configured with FD-X series cards) support traffic diversion for VXLAN services through policy-based routing (PBR), and you are advised to run the redirect remote command to configure PBR.
  • After the Layer 3 resource allocation mode is set to large-underlay using the assign forward layer-3 resource command, the Layer 3 VXLAN function is unavailable.
  • For the CE12800E (configured with FD-X series cards), if the number of learned MAC addresses in a BD reaches the upper limit or the MAC address learning function is disabled in the BD, the packet discarding action configured using the mac-address limit action discard command on the Layer 2 sub-interfaces added to the BD becomes invalid.
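The DSCP constraint above states that a decapsulating CE12800 derives the PHB from the inner DSCP field of the VXLAN packet and that the outer DSCP is changed only by an inbound traffic policy that re-marks it. To make the two fields concrete, the following Python example (added here; not Huawei code and not part of this guide) builds a VXLAN frame whose outer and inner IPv4 DSCP values differ, parses both values back out together with the VNI, and applies a constructed DSCP-to-PHB template to the inner value. The template, MAC and IP addresses, VNI, and the BE fallback for unmapped code points are assumptions of the example.

```python
import struct

# Constants from the VXLAN and IPv4 specifications
VXLAN_UDP_PORT = 4789          # IANA-assigned UDP port for VXLAN
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
ETH_HDR_LEN = 14
VXLAN_HDR_LEN = 8

# Constructed DSCP-to-PHB template standing in for the template bound to the
# VBDIF interface; the values follow the common CS/AF/EF code points.
DSCP_TO_PHB = {0: "BE", 10: "AF1", 18: "AF2", 26: "AF3", 34: "AF4", 46: "EF",
               48: "CS6", 56: "CS7"}


def _ipv4_header(tos, proto, payload_len, src, dst):
    """Minimal IPv4 header; the checksum is left at 0 (parsing only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                       0, 0, 64, proto, 0, src, dst)


def build_vxlan_frame(vni, outer_dscp, inner_dscp, payload=b"\x00" * 8):
    """Construct a VXLAN frame whose outer and inner IPv4 DSCP values differ.

    MAC and IP addresses are constructed sample values."""
    inner_ip = _ipv4_header(inner_dscp << 2, 1, len(payload),
                            b"\x0a\x00\x01\x01", b"\x0a\x00\x01\x02") + payload
    inner_eth = (b"\x00\x00\x5e\x00\x01\x01" + b"\x00\x00\x5e\x00\x01\x02"
                 + struct.pack("!H", ETHERTYPE_IPV4) + inner_ip)
    # VXLAN header: flags (I bit set), 3 reserved bytes, 24-bit VNI, reserved
    vxlan = struct.pack("!B3s3sB", 0x08, b"\x00\x00\x00", vni.to_bytes(3, "big"), 0)
    udp_payload = vxlan + inner_eth
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(udp_payload), 0) + udp_payload
    outer_ip = _ipv4_header(outer_dscp << 2, IPPROTO_UDP, len(udp),
                            b"\xc0\xa8\x01\x01", b"\xc0\xa8\x02\x01") + udp
    return (b"\x00\x00\x5e\x00\x02\x01" + b"\x00\x00\x5e\x00\x02\x02"
            + struct.pack("!H", ETHERTYPE_IPV4) + outer_ip)


def parse_vxlan(frame):
    """Return VNI, outer DSCP and inner DSCP of an Ethernet/IPv4/UDP/VXLAN frame.

    Raises ValueError for anything that is not a well-formed VXLAN frame."""
    if len(frame) < ETH_HDR_LEN + 20 + 8 + VXLAN_HDR_LEN + ETH_HDR_LEN:
        raise ValueError("frame too short for VXLAN encapsulation")
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip_off = ETH_HDR_LEN
    ihl = (frame[ip_off] & 0x0F) * 4
    outer_dscp = frame[ip_off + 1] >> 2          # DSCP is the top 6 bits of ToS
    if frame[ip_off + 9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp_off = ip_off + ihl
    dst_port = struct.unpack_from("!H", frame, udp_off + 2)[0]
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port %d is not VXLAN" % dst_port)
    vx_off = udp_off + 8
    if not frame[vx_off] & 0x08:
        raise ValueError("VXLAN I flag clear: VNI is not valid")
    vni = int.from_bytes(frame[vx_off + 4:vx_off + 7], "big")
    in_eth = vx_off + VXLAN_HDR_LEN
    inner_dscp = None
    if (struct.unpack_from("!H", frame, in_eth + 12)[0] == ETHERTYPE_IPV4
            and len(frame) > in_eth + ETH_HDR_LEN + 1):
        inner_dscp = frame[in_eth + ETH_HDR_LEN + 1] >> 2
    return {"vni": vni, "outer_dscp": outer_dscp, "inner_dscp": inner_dscp}


def phb_after_decapsulation(fields, template=DSCP_TO_PHB):
    """PHB the decapsulating switch derives for Layer 3 forwarding.

    The lookup key is the inner DSCP, not the outer one. Unmapped code points
    fall back to BE and a non-IPv4 inner frame yields None; both fallbacks are
    assumptions of this example, not documented switch behaviour."""
    if fields["inner_dscp"] is None:
        return None
    return template.get(fields["inner_dscp"], "BE")


if __name__ == "__main__":
    frame = build_vxlan_frame(vni=5010, outer_dscp=0, inner_dscp=46)
    fields = parse_vxlan(frame)
    print(fields, "->", phb_after_decapsulation(fields))
```

Running the block shows that a frame carried with outer DSCP 0 but inner DSCP 46 is classified as EF after decapsulation; the outer value plays no role in the PHB lookup, which is why an inbound re-marking policy is the only way to influence it on the transit path.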

Card-related Constraints

  • After the FD, FD1, FDA, FG, SD or FG1 series card encapsulates packets and sends them to a VXLAN tunnel, the packets are not evenly load balanced if an intermediate device in the tunnel has 128 ECMP routes.
  • When the enhanced mode of the NVO3 gateway is loopback, the FD, FD1, FDA, FG, SD, and FG1 series cards do not support fast ICMP reply to VXLAN-encapsulated ICMP packets.
  • For the CE-L48GT-ED, CE-L48GS-ED, CE-L12XS-ED, CE-L24XS-EC, CE-L24XS-ED, CE-L48XT-EC, CE-L48XS-EC, CE-L48XS-ED, CE-L48XS-EF, CE-L02LQ-EC, CE-L06LQ-EC, CE-L12LQ-EF, CE-L24LQ-EC, CE-L24LQ-EC1, CE-L36LQ-EG, CE-L04CF-EC, CE-L04CF-EF, CE-L08CC-EC, and CE-L12CF-EG cards in Layer 3 non-loopback mode, or the FD, FD1, FDA, FG, SD, and FG1 series cards, if there are multiple uplink interfaces on the switch at the VXLAN network side, MAC address flapping may occur. You can configure a VXLAN BD whitelist that does not require MAC address flapping detection or disable MAC address flapping detection.
  • If the switch has the FD, FD1, FDA, FG, SD, or FG1 series card installed, two Layer 2 sub-interfaces on a port cannot be bound to the same BD. The switch running V200R002C50 or a later version does not have this restriction if it does not serve as the Layer 3 gateway.

  • For FD, FD1, FDA, FG, SD, or FG1 series cards, VXLAN tunnel-based statistics collection cannot collect IPv4 packet statistics in the outgoing direction in Layer 3 non-loopback mode.
  • The assign forward nvo3 service extend enable command for enabling the NVO3 service extension function does not take effect on the CE-L48GT-EA, CE-L48GT-EC, CE-L48GS-EA, CE-L48GS-EC, CE-L24XS-BA, CE-L24XS-EA, CE-L48XS-BA, CE-L48XS-EA, and CE-L24LQ-EA cards.
  • You can run the assign forward nvo3-gateway enhanced command to configure the enhanced mode of the NVO3 gateway. When this function is configured, there are the following card-related constraints:
    • You cannot configure the enhanced mode for the CE12800E when it works as an NVO3 gateway. The CE12800E works in non-loopback mode by default.
    • GE interface cards do not support the Layer 2 non-loopback mode. Among non-GE interface cards, EA series cards support only the Layer 2 non-loopback mode, and other series cards support Layer 2 and Layer 3 non-loopback modes. Therefore, do not use GE interface cards at the network side of a VXLAN tunnel after the enhanced mode of the NVO3 gateway is configured.

    • When the enhanced mode of the NVO3 gateway is set to Layer 3 non-loopback, pay attention to the following constraints:

      • You also need to run the assign forward nvo3 service extend enable command to enable the NVO3 service extension function. Ensure that the switch does not contain the CE-L48GT-EA, CE-L48GT-EC, CE-L48GS-EA, CE-L48GS-EC, CE-L24XS-BA, CE-L24XS-EA, CE-L48XS-BA, CE-L48XS-EA, or CE-L24LQ-EA card, or VXLAN-related services are not configured on the card.
      • The switch cannot function as a VXLAN Layer 2 gateway.
      • If the CE-L24XS-EC, CE-L48XS-EC, CE-L24LQ-EC, CE-L48XT-EC, CE-L24LQ-EC1, CE-L08CC-EC, CE-L02LQ-EC or CE-L06LQ-EC card is used to transmit the VXLAN service, VXLAN tunnel encapsulation can be implemented by querying the hosts' ARP entries only but not the longest match routing entries.

  • For the CE12800, if VXLAN traffic is forwarded between cards when the card interoperability mode is non-enhanced mode, the VXLAN traffic may fail to be forwarded. To use the VXLAN function, you must configure the assign forward nvo3 f-linecard compatibility enable command when the card interoperability mode is non-enhanced mode.

Specific Constraints in Agile Controller-DCN Mode

  • When VMs are online, do not run commands on the device to modify configurations delivered by the Agile Controller-DCN; otherwise, the VXLAN service will not be able to run properly. For example, do not run commands to delete the BD, cancel the mapping between the VNI and BD, modify the VTEP IP address, delete the VBDIF interface of a Layer 3 gateway, or modify the IP address of the VBDIF interface when VMs are online.
Updated: 2019-05-05

Document ID: EDOC1100004207