NE20E-S2 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access 01

Configuring VXLAN in Centralized Gateway Mode Using BGP EVPN

When VXLAN in centralized gateway mode using BGP EVPN is deployed, traffic across network segments is forwarded through Layer 3 VXLAN gateways to implement centralized traffic management.

Usage Scenario

An enterprise has allocated VMs in different locations to a tenant. Some of the VMs reside on the same network segment, and the others reside on different network segments. To allow communication between VMs, deploy Layer 2 and Layer 3 VXLAN gateways and establish VXLAN tunnels.

On the network shown in Figure 17-7, Server 2 and Server 3 belong to the same network segment and access the VXLAN through Device 1 and Device 2, respectively; Server 1 and Server 2 belong to different network segments and both access the VXLAN through Device 1.
  • To allow VM 1 on Server 2 and VM 1 on Server 3 to communicate, deploy Layer 2 VXLAN gateways on Device 1 and Device 2 and establish a VXLAN tunnel between Device 1 and Device 2 so that tenants on the same network segment can communicate.
  • To allow VM 1 on Server 1 and VM 1 on Server 3 to communicate, deploy a Layer 3 VXLAN gateway on Device 3 and establish a VXLAN tunnel between Device 1 and Device 3 and between Device 2 and Device 3 so that tenants on different network segments can communicate.
Figure 17-7 VXLAN in centralized gateway mode

Pre-configuration Tasks

Before configuring VXLAN in centralized gateway mode for static tunnel establishment, ensure that the network is reachable at Layer 3.

Configuration Procedures

Figure 17-8 Flowchart for configuring centralized VXLAN gateways

NOTE:

If only VMs on the same network segment need to communicate with each other, Layer 3 VXLAN gateways do not need to be deployed. If VMs on different network segments need to communicate with each other or VMs on the same network segment need to communicate with external networks, Layer 3 VXLAN gateways must be deployed.

Configuring a Service Access Point

Layer 2 sub-interfaces are used for service access on VXLANs. These Layer 2 sub-interfaces can have different encapsulation types configured to transmit various types of data packets. A bridge domain (BD) is a broadcast domain. After a Layer 2 sub-interface is associated with a BD, the sub-interface can transmit data packets through this BD.

Context

As shown in Table 17-3, Layer 2 sub-interfaces can have different encapsulation types configured to transmit various types of data packets.
Table 17-3 Traffic encapsulation types

Traffic Encapsulation Type

Description

dot1q

This type of sub-interface accepts only packets with a specified tag.

When encapsulating an original packet into a VXLAN packet, this type of sub-interface removes all VLAN tags from the original packet. When decapsulating a VXLAN packet, if the inner packet carries a VLAN tag, the sub-interface replaces that tag with the specified tag before forwarding the packet to the destination. If the inner packet does not carry any VLAN tag, the sub-interface adds the specified VLAN tag before forwarding.

The dot1q traffic encapsulation type has the following restrictions:
  • The VLAN ID encapsulated by a Layer 2 sub-interface cannot be the same as that allowed to pass by the Layer 2 interface where the sub-interface resides.
  • The VLAN IDs encapsulated by a Layer 2 sub-interface and a Layer 3 sub-interface cannot be the same.

untag

This type of sub-interface accepts only untagged packets.

When encapsulating an original packet into a VXLAN packet, this type of sub-interface does not add any VLAN tag. When decapsulating a VXLAN packet, if the inner packet carries a VLAN tag, the sub-interface removes the VLAN tag before forwarding. For a QinQ packet, the sub-interface removes only the outer VLAN tag.

The untag traffic encapsulation type has the following restrictions:
  • The physical interface where the sub-interface resides must have only default configurations.
  • Only Layer 2 physical interfaces and Layer 2 Eth-Trunk interfaces can have untag Layer 2 sub-interfaces created.
  • Only one untag Layer 2 sub-interface can be created on a main interface.

default

This type of sub-interface accepts all packets, irrespective of whether the packets carry VLAN tags.

For VXLAN packet encapsulation or decapsulation, this type of sub-interface does not perform any VLAN tag-related action on the original packets, be it addition, replacement, or removal.

The default traffic encapsulation type has the following restrictions:
  • The interface where the sub-interface resides must not be added to any VLAN.
  • Only Layer 2 physical interfaces and Layer 2 Eth-Trunk interfaces can have default Layer 2 sub-interfaces created.
  • If default is configured for a Layer 2 sub-interface on a main interface, the main interface cannot have other types of Layer 2 sub-interfaces configured.

qinq

Packets received by this type of sub-interface carry two or more VLAN tags. The sub-interface determines whether to accept the packets based on the innermost two VLAN tags.

Configure a service access point on a Layer 2 gateway:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    A BD is created, and the BD view is displayed.

  3. (Optional) Run description description

    A description is configured for the BD.

  4. Run quit

    Return to the system view.

  5. Run interface interface-type interface-number.subnum mode l2

    A Layer 2 sub-interface is created, and the sub-interface view is displayed.

    NOTE:

    Before running this command, ensure that the Layer 2 main interface does not have the port link-type dot1q-tunnel command configuration. If the configuration has existed, run the undo port link-type command to delete it.

  6. Run encapsulation { dot1q [ vid vid ] | default | untag | qinq [ vid pe-vid ce-vid { low-ce-vid [ to high-ce-vid ] } ] }

    A traffic encapsulation type is specified for the Layer 2 sub-interface.

  7. Run rewrite pop { single | double }

    The sub-interface is enabled to remove single or double VLAN tags from received packets.

    If the received packets each carry a single VLAN tag, specify single.

    If the traffic encapsulation type is specified as qinq in the preceding step using the encapsulation qinq vid pe-vid ce-vid { low-ce-vid [ to high-ce-vid ] | default } command, specify double.

  8. Run bridge-domain bd-id

    The Layer 2 sub-interface is added to the BD so that the sub-interface can transmit data packets through this BD.

    NOTE:

    If a default Layer 2 sub-interface is added to a BD, no BDIF interface can be created for the BD.

  9. Run commit

    The configuration is committed.

Configuring a VXLAN Tunnel

To allow VXLAN tunnel establishment using EVPN, establish a BGP EVPN peer relationship, configure an EVPN instance, and configure ingress replication.

Context

In centralized VXLAN gateway scenarios, perform the following steps on the Layer 2 and Layer 3 VXLAN gateways to use EVPN for establishing VXLAN tunnels:
  1. Configure a BGP EVPN peer relationship. Configure VXLAN gateways to establish BGP EVPN peer relationships so that they can exchange EVPN routes. If an RR has been deployed, each VXLAN gateway only needs to establish a BGP EVPN peer relationship with the RR.

  2. (Optional) Configure an RR. The deployment of RRs reduces the number of BGP EVPN peer relationships to be established, simplifying configuration. A live-network device can be used as an RR, or a standalone RR can be deployed. Layer 3 VXLAN gateways are generally used as RRs, and Layer 2 VXLAN gateways as RR clients.

  3. Configure an EVPN instance. EVPN instances are used to receive and advertise EVPN routes.

  4. Configure ingress replication. After ingress replication is configured for a VNI, the system uses BGP EVPN to construct a list of remote VTEPs. After a VXLAN gateway receives BUM packets, it sends a copy of the BUM packets to every VXLAN gateway in the list.

NOTE:

BUM packet forwarding is implemented only using ingress replication. To establish a VXLAN tunnel between a Huawei device and a non-Huawei device, ensure that the non-Huawei device also has ingress replication configured. Otherwise, communication fails.

Procedure

  1. Configure a BGP EVPN peer relationship.
    1. Run bgp as-number

      BGP is enabled, and the BGP view is displayed.

    2. (Optional) Run router-id ipv4-address

      A router ID is set.

    3. Run peer ipv4-address as-number as-number

      The peer device is configured as a BGP peer.

    4. (Optional) Run peer ipv4-address connect-interface interface-type interface-number [ ipv4-source-address ]

      A source interface and a source address are specified to set up a TCP connection with the BGP peer.

      NOTE:

      When loopback interfaces are used to establish a BGP connection, running the peer connect-interface command on both ends is recommended to ensure connectivity. If this command is run on only one end, the BGP connection may fail to be established.

    5. (Optional) Run peer ipv4-address ebgp-max-hop [ hop-count ]

      The maximum number of hops is set for an EBGP EVPN connection.

      In most cases, a directly connected physical link must be available between EBGP EVPN peers. To establish EBGP EVPN peer relationships between indirectly connected peers, run the peer ebgp-max-hop command, which also sets the maximum number of hops for the EBGP EVPN connection.

      NOTE:

      When the IP address of a loopback interface is used to establish an EBGP EVPN peer relationship, run the peer ebgp-max-hop command with hop-count set to a value not less than 2. Otherwise, the peer relationship fails to be established.

    6. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

    7. Run peer { group-name | ipv4-address } enable

      The device is enabled to exchange EVPN routes with a specified peer or peer group.

    8. Run peer { group-name | ipv4-address } advertise encap-type vxlan

      The device is enabled to advertise VXLAN-encapsulated EVPN routes to its peers.

    9. (Optional) Run peer { group-name | ipv4-address } route-policy route-policy-name { import | export }

      A routing policy is specified for routes received from or to be advertised to a BGP EVPN peer or peer group.

      After the routing policy is applied, the routes received from or to be advertised to a specified BGP EVPN peer or peer group will be filtered, ensuring that only desired routes are imported or advertised. This configuration helps manage routes and reduce required routing entries and system resources.

    10. (Optional) Run peer { group-name | ipv4-address } mac-limit number [ percentage ] [ alert-only | idle-forever | idle-timeout times ]

      The maximum number of MAC advertisement routes that can be received from each peer is configured.

      An EVPN instance may import many invalid MAC advertisement routes from peers, and these routes may occupy a large proportion of the total MAC advertisement routes. If the number of received MAC advertisement routes exceeds the specified maximum, the system displays an alarm, instructing users to check the validity of the MAC advertisement routes received in the EVPN instance.

    11. Run quit

      Exit from the BGP-EVPN address family view.

    12. Run quit

      Exit from the BGP view.

  2. (Optional) Configure a Layer 3 VXLAN gateway as an RR. If an RR is configured, each VXLAN gateway only needs to establish a BGP EVPN peer relationship with the RR, reducing the number of BGP EVPN peer relationships to be established and simplifying configuration.
    1. Run bgp as-number

      The BGP view is displayed.

    2. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

    3. Run peer { ipv4-address | group-name } enable

      The device is enabled to exchange EVPN routes with a specified peer or peer group.

    4. (Optional) Run peer { ipv4-address | group-name } next-hop-invariable

      The device is prevented from changing the next hop address of a route when advertising the route to an EBGP peer.

    5. Run peer { ipv4-address | group-name } reflect-client

      The device is configured as an RR and an RR client is specified.

    6. Run undo policy vpn-target

      The function to filter received EVPN routes based on VPN targets is disabled. If you do not perform this step, the RR will fail to receive and reflect the routes sent by clients.

    7. Run quit

      Exit from the BGP-EVPN address family view.

    8. Run quit

      Exit from the BGP view.

  3. Configure an EVPN instance.
    1. Run evpn vpn-instance vpn-instance-name bd-mode

      A BD EVPN instance is created, and the EVPN instance view is displayed.

    2. Run route-distinguisher route-distinguisher

      An RD is configured for the EVPN instance.

    3. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

      VPN targets are configured for the EVPN instance. The export VPN target of the local end must be the same as the import VPN target of the remote end, and the import VPN target of the local end must be the same as the export VPN target of the remote end.

    4. (Optional) Run import route-policy policy-name

      The current EVPN instance is associated with an import routing policy.

    5. (Optional) Run export route-policy policy-name

      The current EVPN instance is associated with an export routing policy.

    6. (Optional) Run tnl-policy policy-name

      The EVPN instance is associated with a tunnel policy.

    7. (Optional) Run mac limit number { simply-alert | mac-unchanged }

      The maximum number of MAC addresses allowed by an EVPN instance is configured.

      After a device learns a large number of MAC addresses, system performance may deteriorate when the device is busy processing services. This is because MAC addresses consume system resources. To improve system security and reliability, run the mac limit command to configure the maximum number of MAC addresses allowed by an EVPN instance. If the number of MAC addresses learned by an EVPN instance exceeds the maximum number, the system displays an alarm message, instructing you to check the validity of MAC addresses in the EVPN instance.

    8. Run quit

      Exit from the EVPN instance view.

    9. Run bridge-domain bd-id

      The BD view is displayed.

    10. Run vxlan vni vni-id split-horizon-mode

      A VNI is created and associated with the BD, and split horizon is applied to the BD.

    11. Run evpn binding vpn-instance vpn-instance-name [ bd-tag bd-tag ]

      A specified EVPN instance is bound to the BD. By specifying different bd-tag values, you can bind multiple BDs with different VLANs to the same EVPN instance and isolate services in the BDs.

    12. Run quit

      Return to the system view.

  4. Configure an ingress replication list.
    1. Run interface nve nve-number

      An NVE interface is created, and the NVE interface view is displayed.

    2. Run source ip-address

      An IP address is configured for the source VTEP.

    3. Run vni vni-id head-end peer-list protocol bgp

      An ingress replication list is configured.

      After the ingress of a VXLAN tunnel receives broadcast, unknown unicast, and multicast (BUM) packets, it replicates these packets and sends a copy to each VTEP in the ingress replication list. The ingress replication list is the collection of remote VTEP IP addresses to which the ingress of a VXLAN tunnel sends replicated BUM packets.

    4. Run quit

      Return to the system view.

  5. Run commit

    The configuration is committed.
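The following listing puts the two procedures above (Configuring a Service Access Point and Configuring a VXLAN Tunnel) together for Device 1, the Layer 2 VXLAN gateway in Figure 17-7 that connects Server 1 and Server 2. It is an added worked example, not configuration taken from the guide or from a Huawei reference network. Every concrete value is an assumption chosen for illustration: interface names GigabitEthernet0/1/1 and GigabitEthernet0/1/2, VLAN IDs 10 and 20, BDs 10 and 20 with VNIs 5010 and 5020, AS 100, loopback/VTEP address 1.1.1.1 for Device 1, 3.3.3.3 for Device 3 acting as RR, and EVPN instance evrf1 with RD 100:1 and route target 100:1. Lines beginning with # are comments.

```text
# Device 1 - Layer 2 VXLAN gateway (added example; all names and numbers are assumed)
#
# 1. Service access points: one BD per tenant segment, one dot1q sub-interface per server port.
#    rewrite pop single strips the single VLAN tag before the frame enters the BD.
bridge-domain 10
 description Server1-segment
 quit
bridge-domain 20
 description Server2-and-Server3-segment
 quit
interface GigabitEthernet0/1/1.1 mode l2
 encapsulation dot1q vid 10
 rewrite pop single
 bridge-domain 10
 quit
interface GigabitEthernet0/1/2.1 mode l2
 encapsulation dot1q vid 20
 rewrite pop single
 bridge-domain 20
 quit
#
# 2. BGP EVPN peer relationship: only with the RR (Device 3), not with Device 2.
#    The per-peer mac-limit caps the MAC advertisement routes accepted from the RR
#    (alert-only raises an alarm instead of tearing the session down).
bgp 100
 router-id 1.1.1.1
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack0
 l2vpn-family evpn
  peer 3.3.3.3 enable
  peer 3.3.3.3 advertise encap-type vxlan
  peer 3.3.3.3 mac-limit 1000 alert-only
  quit
 quit
#
# 3. EVPN instance shared by both BDs; distinct bd-tag values keep the two segments apart.
#    The export RT here (100:1) must equal the import RT on Device 2 and Device 3.
evpn vpn-instance evrf1 bd-mode
 route-distinguisher 100:1
 vpn-target 100:1 both
 quit
bridge-domain 10
 vxlan vni 5010 split-horizon-mode
 evpn binding vpn-instance evrf1 bd-tag 10
 quit
bridge-domain 20
 vxlan vni 5020 split-horizon-mode
 evpn binding vpn-instance evrf1 bd-tag 20
 quit
#
# 4. Ingress replication list built from the EVPN routes learned over BGP.
interface nve 1
 source 1.1.1.1
 vni 5010 head-end peer-list protocol bgp
 vni 5020 head-end peer-list protocol bgp
 quit
commit
```

Device 2 is configured the same way with its own VTEP address and router ID (2.2.2.2 in this example), the sub-interface for Server 3 bound to BD 20, and the same RD/RT and bd-tag values, so that its routes for VNI 5020 are imported by Device 1 and Device 3. After the commit, display vxlan peer vni 5020 should list the other two VTEPs, and display bgp evpn peer should show the session to 3.3.3.3 in the Established state.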

Configuring a Layer 3 VXLAN Gateway

To allow users on different network segments to communicate, a Layer 3 VXLAN gateway must be deployed, and the default gateway address of the users must be the IP address of the VBDIF interface of the Layer 3 gateway.

Context

A tenant is identified by a VNI. VNIs can be mapped to BDs in 1:1 mode so that a BD can function as a VXLAN network entity to transmit VXLAN data packets. A VBDIF interface is a Layer 3 logical interface created for a BD. After an IP address is configured for a VBDIF interface of a BD, the VBDIF interface can function as the gateway for tenants in the BD for Layer 3 forwarding. VBDIF interfaces allow Layer 3 communication between VXLANs on different network segments and between VXLANs and non-VXLANs, and implement Layer 2 network access to a Layer 3 network.

VBDIF interfaces are configured on Layer 3 VXLAN gateways for inter-segment communication, and are not needed in the case of intra-segment communication.

NOTE:

The DHCP relay function can be configured on the VBDIF interface so that hosts can request IP addresses from the external DHCP server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vbdif bd-id

    A VBDIF interface is created, and the VBDIF interface view is displayed.

  3. Run ip address ip-address { mask | mask-length } [ sub ]

    An IP address is configured for the VBDIF interface to implement Layer 3 interworking.

  4. (Optional) Run mac-address mac-address

    A MAC address is configured for the VBDIF interface.

  5. Run commit

    The configuration is committed.
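The counterpart listing for Device 3, which acts both as the Layer 3 VXLAN gateway and as the BGP EVPN RR in Figure 17-7, is given below. It is an added example, not configuration from the guide; it continues the assumed values used for Device 1 above (AS 100, VTEP addresses 1.1.1.1, 2.2.2.2 and 3.3.3.3, BDs 10 and 20 with VNIs 5010 and 5020, EVPN instance evrf1 with route target 100:1) and adds assumed gateway addresses 10.1.1.1/24 and 10.1.2.1/24 and assumed VBDIF MAC addresses. Lines beginning with # are comments.

```text
# Device 3 - Layer 3 VXLAN gateway and BGP EVPN RR (added example; all values are assumed)
#
# 1. BGP EVPN peer relationships with both Layer 2 gateways, reflecting routes between them.
#    undo policy vpn-target is required on the RR: without it, routes whose RTs do not
#    match a local EVPN instance would be dropped instead of reflected.
bgp 100
 router-id 3.3.3.3
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 l2vpn-family evpn
  undo policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise encap-type vxlan
  peer 1.1.1.1 reflect-client
  peer 2.2.2.2 enable
  peer 2.2.2.2 advertise encap-type vxlan
  peer 2.2.2.2 reflect-client
  quit
 quit
#
# 2. The Layer 3 gateway also terminates VXLAN tunnels, so it needs the same EVPN instance,
#    BD-to-VNI mappings and bd-tag values as the Layer 2 gateways. RD 100:3 is unique per device.
evpn vpn-instance evrf1 bd-mode
 route-distinguisher 100:3
 vpn-target 100:1 both
 quit
bridge-domain 10
 vxlan vni 5010 split-horizon-mode
 evpn binding vpn-instance evrf1 bd-tag 10
 quit
bridge-domain 20
 vxlan vni 5020 split-horizon-mode
 evpn binding vpn-instance evrf1 bd-tag 20
 quit
interface nve 1
 source 3.3.3.3
 vni 5010 head-end peer-list protocol bgp
 vni 5020 head-end peer-list protocol bgp
 quit
#
# 3. VBDIF interfaces: the default gateways that VMs in BD 10 and BD 20 are configured to use.
#    Inter-segment traffic (Server 1 to Server 3) is routed here between the two VBDIFs.
interface vbdif 10
 ip address 10.1.1.1 255.255.255.0
 mac-address 00e0-fc00-0001
 quit
interface vbdif 20
 ip address 10.1.2.1 255.255.255.0
 mac-address 00e0-fc00-0002
 quit
commit
```

Fixing the VBDIF MAC addresses (the optional mac-address step) is useful when a second centralized gateway may later take over the same BD, because hosts keep the gateway MAC in their ARP caches. Once committed, display interface vbdif 10 and display vxlan vni 5010 verbose can be used to confirm that the gateway interface is up and that the VNI is bound to BD 10.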

(Optional) Configuring Static MAC Address Entries and MAC Address Limiting

Static MAC address entries can be configured for traffic forwarding, and MAC address limiting can be configured to improve VXLAN security.

Context

After the source NVE on a VXLAN tunnel receives broadcast, unknown unicast, and multicast (BUM) packets, the local VTEP sends a copy of the BUM packets to every VTEP in the ingress replication list. Configuring static MAC address entries helps reduce broadcast traffic and prevent unauthorized data access from bogus users.

The maximum number of MAC addresses that a device can learn can be configured to limit the number of access users and protect against attacks on MAC address tables. If the device has learned the maximum number of MAC addresses allowed, no more addresses can be learned. The device can also be configured to discard packets after learning the maximum allowed number of MAC addresses, improving network security.

If a Layer 3 VXLAN gateway does not need to learn the MAC addresses of packets in a BD, MAC address learning can be disabled for the BD to conserve MAC address entry resources. If the network topology of a VXLAN has become stable and MAC address entry learning is complete, MAC address learning can also be disabled.

Configuring static MAC address entries and MAC address limiting applies to Layer 2 VXLAN gateways; disabling MAC address limiting applies to both Layer 2 and Layer 3 VXLAN gateways.

Procedure

  • Configure a static MAC address entry.

    1. Run system-view

      The system view is displayed.

    2. Run mac-address static mac-address bridge-domain bd-id source source-ip-address peer peer-ip vni vni-id

      A static MAC address entry is configured.

    3. Run commit

      The configuration is committed.

  • Configure MAC address limiting.

    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run mac-limit { action { discard | forward } | maximum max [ rate interval ] } *

      MAC address limiting is configured.

    4. Run commit

      The configuration is committed.

  • Disable MAC address learning.

    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run mac-address learning disable

      MAC address learning is disabled.

    4. Run commit

      The configuration is committed.

Verifying the Configuration of VXLAN in Centralized Gateway Mode Using BGP EVPN

After configuring VXLAN in centralized gateway mode for dynamic tunnel establishment, check VXLAN tunnel, VNI, and VBDIF interface information.

Prerequisites

VXLAN in centralized gateway mode has been configured for dynamic tunnel establishment.

Procedure

  • Run the display bridge-domain [ bd-id [ brief | verbose ] ] command to check BD configurations.
  • Run the display interface nve [ nve-number | main ] command to check NVE interface information.
  • Run the display evpn vpn-instance [ name vpn-instance-name ] command to check EVPN instance information.
  • Run the display bgp evpn peer [ [ ipv4-address ] verbose ] command to check BGP EVPN peer information.
  • Run the display vxlan peer [ vni vni-id ] command to check ingress replication lists of a VNI or all VNIs.
  • Run the display vxlan tunnel [ tunnel-id ] [ verbose ] command to check VXLAN tunnel information.
  • Run the display vxlan vni [ vni-id [ verbose ] ] command to check VNI information.
  • Run the display interface vbdif [ bd-id ] command to check VBDIF interface information and statistics.
  • Run the display mac-address limit bridge-domain bd-id command to check the MAC address limiting configuration for dynamically learned MAC addresses in a BD.
  • Run the display bgp evpn all routing-table command to check EVPN route information.
Updated: 2019-01-02

Document ID: EDOC1100055378
