Configuration Guide - VXLAN

CloudEngine 12800 and 12800E V200R003C00

This document describes the configurations of VXLAN.
(Optional) Configuring Static ARP/IPv6 Neighbor/MAC Address Entries and MAC Address Limiting

Static ARP entries, IPv6 neighbor entries, or MAC address entries can be configured for traffic forwarding, and MAC address limiting can be configured to improve VXLAN security.

Context

VXLAN network security can be improved through the following methods:

  • Static ARP entries are manually configured and maintained. They can be neither aged nor overwritten by dynamic ARP entries. Therefore, configuring static ARP entries on VXLAN Layer 3 gateways enhances communication security. If a static ARP entry is configured on a device, the device can communicate with a peer device with a specified IP address using only the specified MAC address. Network attackers cannot modify the mapping between the IP and MAC addresses, which ensures communication between the two devices.
  • If a Layer 3 gateway is not enabled to send neighbor discovery (ND) PDUs, static IPv6 neighbor entries can be manually configured to specify the mapping between IPv6 and MAC addresses and prevent attacks from invalid ND packets.
  • After the source Network Virtualization Edge (NVE) on a VXLAN tunnel receives broadcast, unknown unicast, and multicast (BUM) packets, the local virtual tunnel end point (VTEP) sends a copy of the BUM packets to every VTEP in the ingress replication list. Configuring static MAC address entries helps reduce the volume of broadcast traffic and also prevents unauthorized data access.
  • The maximum number of MAC addresses that a device can learn can be configured to limit the number of access users and prevent attacks on the MAC address table. Once the device has learned the maximum number of MAC addresses allowed, no more addresses are learned. The device can also be configured to discard packets after learning the maximum allowed number of MAC addresses, improving network security.
  • If a VXLAN Layer 3 gateway does not need to learn MAC addresses of packets in a BD, MAC address learning can be disabled in the BD to conserve MAC address entry resources. If a VXLAN topology becomes stable and MAC address entry learning is complete, MAC address learning can also be disabled.

The following configurations apply to a Layer 2 gateway:

  • Configuring static MAC address entries

  • Configuring MAC address limiting

  • Disabling MAC address learning

The following configurations apply to a Layer 3 gateway:

  • Configuring static ARP entries

  • Configuring static IPv6 neighbor entries for the VXLAN tunnel side

  • Configuring static IPv6 neighbor entries for Layer 2 sub-interfaces

  • Disabling MAC address learning

NOTE:
  • Static ARP entries can be configured only on IPv4 overlay networks.

  • Static IPv6 neighbor entries can be configured only on IPv6 overlay networks.

Procedure

  • Configure a static ARP entry.

    1. Run system-view

      The system view is displayed.

    2. Run arp static ip-address mac-address vni vni-id source-ip source-ip peer-ip peer-ip

      A static ARP entry is configured for a VXLAN tunnel.

      By default, no static ARP entry is configured for a VXLAN tunnel.
      NOTE:
      • ip-address must reside on the same network segment as the Layer 3 gateway's IP address.

      • A static ARP entry is only configured for a static VXLAN tunnel.

    3. If the service access point on the VXLAN is a Layer 2 sub-interface, an IP-to-MAC address mapping can be configured on the user access side, with interface interface-type interface-number specified as that Layer 2 sub-interface. Inner and outer VLAN IDs can also be specified; they must match the traffic encapsulation type configured on the sub-interface. Run one of the following commands according to that encapsulation type:
      • For dot1q traffic encapsulation, run the arp static ip-address mac-address { vlan vlan-id [ interface interface-type interface-number ] | interface interface-type interface-number } command. The vlan vlan-id value must be the same as the value specified in encapsulation dot1q [ vid vid ].
      • For QinQ traffic encapsulation, run the arp static ip-address mac-address vlan pevlan-id cevlan cevlan-id interface interface-type interface-number command. The pevlan-id and cevlan-id values must be the same as the values specified in encapsulation qinq [ vid pe-vid ce-vid ce-vid ].
      By default, no static ARP entry is configured.
    4. Run commit

      The configuration is committed.
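
The static ARP procedure above, assembled into one configuration session for a VXLAN Layer 3 gateway on an IPv4 overlay. This is an added example, not part of the original document, and every value in it is constructed: bridge domain 10 with VNI 5010 bound to a static VXLAN tunnel between local VTEP 192.168.1.1 and peer VTEP 192.168.2.1, VBDIF 10 on 10.1.1.0/24, a dot1q Layer 2 sub-interface 10GE1/0/1.1 (VLAN 100) and a QinQ Layer 2 sub-interface 10GE1/0/2.1 (PE VLAN 200, CE VLAN 300) on the access side, and example MAC addresses in Huawei H-H-H notation. The BD, VNI, tunnel and sub-interfaces are assumed to exist already, so only the entries this section adds appear. Lines beginning with # are explanatory comments, not commands.

```text
# Constructed example: static ARP entries on a VXLAN Layer 3 gateway (IPv4 overlay)
system-view
# Host 10.1.1.10 is reached over the static VXLAN tunnel (VNI 5010,
# local VTEP 192.168.1.1, peer VTEP 192.168.2.1).
# ip-address must lie in the VBDIF 10 subnet, 10.1.1.0/24.
arp static 10.1.1.10 00e0-fc12-3456 vni 5010 source-ip 192.168.1.1 peer-ip 192.168.2.1
# Host 10.1.1.20 sits behind dot1q sub-interface 10GE1/0/1.1;
# 'vlan 100' must equal the vid in 'encapsulation dot1q vid 100'.
arp static 10.1.1.20 00e0-fc12-3457 vlan 100 interface 10GE1/0/1.1
# Host 10.1.1.30 sits behind QinQ sub-interface 10GE1/0/2.1;
# 200/300 must equal the vid and ce-vid in 'encapsulation qinq vid 200 ce-vid 300'.
arp static 10.1.1.30 00e0-fc12-3458 vlan 200 cevlan 300 interface 10GE1/0/2.1
commit
```

Because static entries are neither aged nor overwritten by dynamic ARP, a host whose NIC is replaced or that migrates to another VTEP keeps resolving to the old, now wrong, MAC until the entry is changed here; traffic to that IP is then silently dropped rather than repaired by ARP. Treat these entries as part of the change record for the hosts they protect and re-check them after any host move.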

  • Configure a static IPv6 neighbor entry for the VXLAN tunnel side.

    1. Run system-view

      The system view is displayed.

    2. Run interface vbdif bd-id

      The VBDIF interface view is displayed.

    3. Run ipv6 neighbor ipv6-address mac-address vni vni-id source-ip source-ip peer-ip peer-ip-address

      A static IPv6 neighbor entry is configured.

      NOTE:

      A static IPv6 neighbor entry is only configured for a static VXLAN tunnel.

    4. Run commit

      The configuration is committed.

  • Configure a static IPv6 neighbor entry for a Layer 2 sub-interface.

    If a Layer 2 sub-interface functions as a service access point on the Layer 3 gateway, a static IPv6 neighbor entry can be configured for the Layer 2 sub-interface. interface-type interface-number must be specified as the Layer 2 sub-interface.

    1. Run system-view

      The system view is displayed.

    2. Run interface vbdif bd-id

      The VBDIF interface view is displayed.

    3. Run one of the following commands according to the traffic encapsulation type of the Layer 2 sub-interface:

      • For untagged traffic encapsulation, run the ipv6 neighbor ipv6-address mac-address interface-type interface-number command.

      • For dot1q traffic encapsulation, run the ipv6 neighbor ipv6-address mac-address vlan vlan-id interface-type interface-number command.

        The vlan vlan-id value must be the same as the value specified in encapsulation dot1q [ vid vid ].

      • For QinQ traffic encapsulation, run the ipv6 neighbor ipv6-address mac-address vlan vlan-id cevlan ce-vid interface-type interface-number command.

        The vlan-id and ce-vid values must be the same as the values specified in encapsulation qinq [ vid pe-vid ce-vid ce-vid ].

    4. Run commit

      The configuration is committed.

  • Configure a static MAC address entry.

    1. Run system-view

      The system view is displayed.

    2. Run mac-address static mac-address bridge-domain bd-id source source-ip-address peer peer-ip vni vni-id

      A static MAC address entry is configured.

      By default, no static MAC address entry is configured.

    3. Run commit

      The configuration is committed.

  • Configure MAC address limiting.

    MAC address limiting can be implemented in the following ways:

    • Set the maximum number of MAC addresses that can be learned in a BD.
      1. Run system-view

        The system view is displayed.

      2. Run bridge-domain bd-id

        The BD view is displayed.

      3. Run mac-address limit { action { discard | forward } | maximum max | alarm { disable | enable } } *

        MAC address limiting is configured.

        By default, a device can learn MAC addresses without limit.

      4. Run commit

        The configuration is committed.

    • Set the maximum number of MAC addresses that can be learned on a Layer 2 sub-interface.
      1. Run system-view

        The system view is displayed.

      2. Run interface interface-type interface-number.subnum mode l2

        A Layer 2 sub-interface is created, and the sub-interface view is displayed.

        By default, no Layer 2 sub-interface is created.

        NOTE:

        Before running this command, ensure that the Layer 2 interface on which a Layer 2 sub-interface is to be created does not have the port link-type dot1q-tunnel command configuration. If this configuration exists, run the undo port link-type command to delete the configuration.

      3. Run mac-address limit { alarm { disable | enable } | maximum max } *

        MAC address limiting is configured.

        By default, a device can learn MAC addresses without limit.

      4. Run commit

        The configuration is committed.

  • Disable MAC address learning.

    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run mac-address learning disable

      MAC address learning is disabled.

      By default, MAC address learning is enabled in a BD.

    4. Run commit

      The configuration is committed.
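
The Layer 2 gateway procedures from this section (static MAC entry, MAC address limiting in a BD and on a Layer 2 sub-interface, and disabling MAC address learning) assembled into one session. This is an added example, not part of the original document, and its values are constructed: BD 10 with VNI 5010 on a static tunnel between local VTEP 192.168.1.1 and peer VTEP 192.168.2.1, a dot1q Layer 2 sub-interface 10GE1/0/1.1 already created and bound to BD 10 (the interface command below only enters its view), and a second, already stable BD 20 whose table is frozen. Lines beginning with # are comments.

```text
# Constructed example: MAC address hardening on a VXLAN Layer 2 gateway
system-view
# Pin the remote host's MAC to the static VXLAN tunnel so it is neither learned
# from arriving frames nor overwritten (BD 10, VNI 5010, local VTEP 192.168.1.1,
# peer VTEP 192.168.2.1).
mac-address static 00e0-fc12-3456 bridge-domain 10 source 192.168.1.1 peer 192.168.2.1 vni 5010
# Per-BD limit: learn at most 100 MAC addresses, discard packets received after the
# limit is reached, and raise an alarm so the event is visible to operations.
bridge-domain 10
 mac-address limit maximum 100 action discard alarm enable
 quit
# Per-access-port limit on the Layer 2 sub-interface. Only maximum and alarm are
# available here; there is no action keyword at this level.
interface 10GE1/0/1.1 mode l2
 mac-address limit maximum 20 alarm enable
 quit
commit
# BD 20 has a complete, stable MAC table: stop learning so unexpected sources can
# neither add entries nor displace existing ones.
bridge-domain 20
 mac-address learning disable
 quit
commit
```

Set the per-port maximum to the number of hosts actually expected behind that sub-interface; a limit sized at the BD's total gives an individual port room to fill the whole table. Keep alarms enabled on every limit so that hitting a maximum is logged rather than silently reached, and before disabling learning in a BD confirm that every host that must be reachable already has a learned or static entry, since nothing new is learned after the change.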

Updated: 2019-05-05

Document ID: EDOC1100004207