Configuration Guide - VPN 01

NE05E and NE08E V300R003C10SPC500

This is NE05E and NE08E V300R003C10SPC500 Configuration Guide - VPN
Configuring Common EVPN Functions

Configuring common EVPN functions involves configuring EVPN instances, BGP EVPN peer relationships, BGP EVPN RRs, and ESIs.

Usage Scenario

EVPN is used for Layer 2 internetworking.

On the network shown in Figure 11-1, to allow Layer 2 networks at different sites to communicate, configure EVPN. Specifically:
  • Configure an EVPN instance on each PE and bind the EVPN instance on each PE to the interface that connects the PE to a site.

  • Configure EVPN source IP addresses to identify PEs in the EVPN networking.

  • Configure ESIs for PE interfaces connecting to CEs. PE interfaces connecting to the same CE have the same ESI.

  • Configure BGP EVPN peer relationships between PEs on the backbone network to allow MAC addresses to be advertised over routes.

  • Configure RRs to decrease the number of BGP EVPN peer relationships required.

Figure 11-1 EVPN networking

Pre-configuration Tasks

Before configuring common EVPN, complete the following tasks:

  • Configure an IGP on the backbone network to ensure IP connectivity.

  • Configure MPLS LDP or TE tunnels on the backbone network.

  • Configure Layer 2 connections between CEs and PEs.

Configuration Procedures

Figure 11-2 Flowchart for configuring EVPN

Configuring an EVPN Instance

Configure EVPN instances on PEs to manage EVPN routes.

Context

EVPN instances isolate EVPN routes from public network routes, and the routes of EVPN instances from each other. EVPN instances are required in all EVPN networking solutions.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run evpn vpn-instance vpn-instance-name

    An EVPN instance is created, and its view is displayed.

  3. (Optional) Run description description-information

    A description is configured for the EVPN instance.

    Like a host name or an interface description, an EVPN instance description helps you identify the EVPN instance.

  4. Run route-distinguisher route-distinguisher

    An RD is configured for the EVPN instance.

    An EVPN instance takes effect only after the RD is configured. The RDs of different EVPN instances on a PE must be different.

    NOTE:

    After being configured, an RD cannot be modified, but can be deleted. After you delete the RD of an EVPN instance, the VPN targets of the EVPN instance will also be deleted.

  5. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

    VPN targets are configured for the EVPN instance.

    A VPN target is a BGP extended community attribute. It is used to control the receiving and advertisement of EVPN routes. A maximum of eight VPN targets can be configured using a vpn-target command. To configure more VPN targets for an EVPN instance address family, run the vpn-target command several times.

    NOTE:

    The RT used by an Ethernet segment route is generated based on the middle six bytes of the ESI. For example, if the ESI is 0011.1001.1001.1001.1002, then the Ethernet segment route uses 11.1001.1001.10 as its RT.

  6. (Optional) Run filter-policy { acl-number | acl-name acl-name } export

    The EVPN instance is configured to filter MAC advertisement routes to be sent.

    An export routing policy must be configured for precise EVPN route control. An export routing policy filters routes before they are sent to other PEs.

  7. (Optional) Run filter-policy { acl-number | acl-name acl-name } import

    The EVPN instance is configured to filter MAC advertisement routes received.

    An import routing policy must also be configured for precise EVPN route control. An import routing policy filters routes that are received from other PEs.

  8. (Optional) Run mac limit number [ simply-alert | mac-unchanged ]

    The maximum number of MAC addresses allowed by an EVPN instance is configured.

    After a device learns a large number of MAC addresses, system performance may deteriorate when the device is busy processing services. This is because MAC addresses consume system resources. To improve system security and reliability, run the mac limit command to configure the maximum number of MAC addresses allowed by an EVPN instance. If the number of MAC addresses learned by an EVPN instance exceeds the maximum number, the system displays an alarm message, instructing you to check the validity of MAC addresses in the EVPN instance.

    After you configure the maximum number of MAC addresses allowed by an EVPN instance, you can run the mac threshold-alarm upper-limit upper-limit-value lower-limit lower-limit-value command to configure the upper and lower thresholds for triggering MAC address alarms. This command enables you to learn MAC address usage based on MAC address alarm reporting and clearing.

  9. (Optional) Run tnl-policy policy-name

    The EVPN instance is associated with a tunnel policy.

    This configuration enables PEs to use TE tunnels to transmit data packets.

  10. (Optional) Run isolate spoken

    Forwarding isolation is enabled in the EVPN instance.

    When users who use the same service are bound to the same EVPN instance, configuring forwarding isolation in the EVPN instance prevents the users from accessing each other.

  11. Run commit

    The configuration is committed.
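
A check of the rules in this procedure (an RD is required, RDs must differ between EVPN instances on a PE, VPN targets control import and export, and a MAC limit is available), written as an added Python example that is not part of the Huawei guide. The sample configuration, the function names and the finding labels are constructed for illustration; treating a vpn-target line with no keyword as applying in both directions is an assumption.

```python
DIRECTIONS = ("both", "export-extcommunity", "import-extcommunity")

# Constructed sample: the procedure's commands as typed on one PE (not from a real device).
SAMPLE_CONFIG = """\
evpn vpn-instance evpn1
 route-distinguisher 1:1
 vpn-target 1:1 both
 mac limit 1000 simply-alert
#
evpn vpn-instance evpn2
 route-distinguisher 1:1
 vpn-target 2:2 export-extcommunity
#
evpn vpn-instance evpn3
 description staging instance
#
"""


def parse_instances(config):
    """Collect RD, VPN targets and MAC limit for each 'evpn vpn-instance' view."""
    instances, cur = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or not raw[0].isspace():
            # A top-level line either opens an EVPN instance view or ends the current one.
            cur = None
            if words[:2] == ["evpn", "vpn-instance"] and len(words) == 3:
                cur = instances.setdefault(
                    words[2],
                    {"rd": None, "import": set(), "export": set(), "mac_limit": None},
                )
            continue
        if cur is None:
            continue
        if words[0] == "route-distinguisher" and len(words) == 2:
            cur["rd"] = words[1]
        elif words[0] == "vpn-target" and len(words) >= 2:
            # Assumption: a vpn-target line without a keyword applies in both directions.
            direction = words[-1] if words[-1] in DIRECTIONS else "both"
            targets = [w for w in words[1:] if w not in DIRECTIONS]
            if direction != "export-extcommunity":
                cur["import"].update(targets)
            if direction != "import-extcommunity":
                cur["export"].update(targets)
        elif words[:2] == ["mac", "limit"] and len(words) >= 3 and words[2].isdigit():
            cur["mac_limit"] = int(words[2])
    return instances


def audit_instances(instances):
    """Return (instance, finding) pairs, ordered by instance name."""
    rd_users = {}
    for name, inst in instances.items():
        if inst["rd"]:
            rd_users.setdefault(inst["rd"], []).append(name)

    findings = []
    for name in sorted(instances):
        inst = instances[name]
        if inst["rd"] is None:
            # Without an RD the instance does not take effect, so nothing else is checked.
            findings.append((name, "no-rd"))
            continue
        if len(rd_users[inst["rd"]]) > 1:
            findings.append((name, "duplicate-rd"))
        if not inst["import"]:
            findings.append((name, "no-import-target"))
        if not inst["export"]:
            findings.append((name, "no-export-target"))
        if inst["mac_limit"] is None:
            # Advisory only: mac limit is an optional step in the procedure.
            findings.append((name, "no-mac-limit"))
    return findings


if __name__ == "__main__":
    for instance, finding in audit_instances(parse_instances(SAMPLE_CONFIG)):
        print(f"{instance}: {finding}")
```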

Configuring an EVPN Source Address

An EVPN source address uniquely identifies a PE in EVPN networking.

Context

The EVPN source address, which can be used to identify a PE on an EVPN, is part of EVPN route information. Configuring EVPN source addresses is a mandatory task for EVPN configuration.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run evpn source-address ip-address

    An EVPN source address is configured.

  3. Run commit

    The configuration is committed.

Binding an Interface to an EVPN Instance

After an interface is bound to an EVPN instance, the interface becomes a part of the EVPN. Packets entering the interface will then be forwarded based on EVPN instance traffic forwarding entries.

Context

After an EVPN instance is configured on a PE, an interface that belongs to the EVPN must be bound to the EVPN instance. Otherwise, the interface functions as a public network interface and cannot forward EVPN traffic.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run evpn binding vpn-instance vpn-instance-name

    The interface is bound to an EVPN instance.

  4. Run commit

    The configuration is committed.

Configuring an ESI

Configure the same ESI for PE interfaces connecting to the same CE.

Context

PEs connecting to the same CE must have the same ESI configured. PEs exchange routes that carry ESIs, so that a PE can discover other PEs connecting to the same CE as itself. This helps implement load balancing.

Before configuring an ESI on an interface, ensure that:
  • The interface has been bound to an EVPN instance using the evpn binding vpn-instance command.

  • To generate Ethernet segment routes, an interface that has an ESI configured must be in the Up state. In scenarios where a CE is dual-homed to two PEs over an Eth-Trunk, E-Trunk must be configured to ensure that the two PE interfaces connecting to the CE are both Up.

An ESI can be either statically configured or dynamically generated on an interface.

Static configuration is recommended. Compared with dynamic ESI generation, static configuration allows EVPN to implement faster traffic switching during a DF election in a dual-homing scenario with active-active PEs.

NOTE:

Functions such as rapid convergence, split horizon, and DF election, which are required in the EVPN dual-homing scenario, do not take effect in a single-homing scenario. In such a scenario, configuring the ESI is optional on a dual-homing PE.

Procedure

  • (Optional) Configure E-Trunk.
    1. Run system-view

      The system view is displayed.

    2. Run e-trunk e-trunk-id

      E-Trunk is configured, and the E-Trunk view is displayed.

    3. Run priority priority

      A priority is configured for the E-Trunk.

    4. Run peer-address peer-ip-address source-address source-ip-address

      IP addresses are configured for the local and peer ends of the E-Trunk.

    5. Run quit

      The system view is displayed.

    6. Run interface eth-trunk trunk-id

      The Eth-Trunk interface view is displayed.

    7. Run e-trunk e-trunk-id

      The Eth-Trunk interface is added to the E-Trunk.

      One Eth-Trunk interface can be added only to one E-Trunk mechanism.

    8. (Optional) Run e-trunk mode force-master

      The working mode of the E-Trunk member interface is set to master. After this configuration, the dual-homed PEs are both master devices, implementing load balancing.

    9. Run quit

      The system view is displayed.

    10. Run lacp e-trunk system-id mac-address

      An E-Trunk LACP system ID is configured.

      The LACP system IDs in one E-Trunk mechanism must be the same.

    11. (Optional) Run lacp e-trunk priority priority

      An E-Trunk LACP system priority is configured.

      The LACP system priorities in one E-Trunk mechanism must be the same.

    12. Run commit

      The configuration is committed.

  • Statically configure an ESI on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run esi esi

      An ESI is configured.

    4. Run commit

      The configuration is committed.

  • Configure an interface to dynamically generate an ESI.
    1. Run system-view

      The system view is displayed.

    2. Run interface eth-trunk trunk-id

      The Eth-Trunk interface view is displayed.

    3. Run mode lacp-static

      The working mode of the Eth-Trunk interface is configured as static LACP.

    4. Run commit

      The configuration is committed.
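
The ESI rules in this section (PE interfaces connecting to the same CE share one ESI) together with the earlier NOTE that the Ethernet segment route's RT comes from the middle six bytes of the ESI, as an added Python example that is not part of the Huawei guide. The inventory rows, PE/CE names and function names are constructed for illustration; the first ESI and its expected RT are the ones quoted in the NOTE.

```python
from collections import defaultdict


def parse_esi(text):
    """Parse an ESI written as xxxx.xxxx.xxxx.xxxx.xxxx into its 10 bytes."""
    groups = text.strip().split(".")
    if len(groups) != 5 or any(len(g) != 4 for g in groups):
        raise ValueError(f"malformed ESI: {text!r}")
    return bytes.fromhex("".join(groups))  # ValueError on non-hex digits


def es_route_rt(esi_text):
    """Middle six bytes of the ESI (bytes 1..6), formatted as in the NOTE."""
    h = parse_esi(esi_text)[1:7].hex()
    return f"{h[0:2]}.{h[2:6]}.{h[6:10]}.{h[10:12]}"


def audit_esi_plan(rows):
    """rows: (pe, interface, ce, esi). Returns a list of findings."""
    by_ce, by_esi, by_rt = defaultdict(set), defaultdict(set), defaultdict(set)
    for _pe, _ifname, ce, esi in rows:
        esi = esi.lower()
        by_ce[ce].add(esi)
        by_esi[esi].add(ce)
        by_rt[es_route_rt(esi)].add(esi)

    findings = []
    # PE interfaces connecting to the same CE must carry the same ESI.
    for ce, esis in sorted(by_ce.items()):
        if len(esis) > 1:
            findings.append(("ce-esi-mismatch", ce, sorted(esis)))
    # One ESI attached to different CEs makes unrelated segments look like one.
    for esi, ces in sorted(by_esi.items()):
        if len(ces) > 1:
            findings.append(("esi-reused", esi, sorted(ces)))
    # Distinct ESIs that differ only outside bytes 1..6 derive the same RT,
    # so that RT no longer tells the segments apart.
    for rt, esis in sorted(by_rt.items()):
        if len(esis) > 1:
            findings.append(("shared-es-rt", rt, sorted(esis)))
    return findings


# Constructed inventory for illustration (not from a real network).
INVENTORY = [
    ("PE1", "Eth-Trunk10", "CE1", "0011.1001.1001.1001.1002"),
    ("PE2", "Eth-Trunk10", "CE1", "0011.1001.1001.1001.1002"),
    ("PE1", "Eth-Trunk20", "CE2", "0011.1001.1001.1001.2002"),
    ("PE2", "Eth-Trunk20", "CE2", "0011.1001.1001.1002.2002"),
    ("PE3", "GigabitEthernet0/1/0", "CE3", "0010.1010.1010.1010.1010"),
]

if __name__ == "__main__":
    for finding in audit_esi_plan(INVENTORY):
        print(finding)
```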

Configuring a BGP EVPN Peer Relationship

After two PEs establish a BGP EVPN peer relationship, they can exchange EVPN routes.

Context

In EVPN networking, PEs need to have BGP EVPN peer relationships established before they can exchange EVPN route information and implement communication between EVPN instances.

Perform the following steps on each PE.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bgp as-number

    The BGP view is displayed.

  3. Run peer ipv4-address as-number as-number

    A BGP EVPN peer IP address is specified.

  4. Run peer ipv4-address connect-interface loopback interface-number

    The interface on which a TCP connection to the specified peer is to be established is specified.

    NOTE:

    A PE must use a loopback interface address with a 32-bit mask to set up an MP-IBGP peer relationship with the peer PE, so that VPN routes can be relayed to tunnels. The routes to the local loopback interface are advertised to the peer PE using an IGP on the MPLS backbone network.

  5. Run l2vpn-family evpn

    The BGP-EVPN address family view is displayed.

  6. Run peer { ipv4-address | group-name } enable

    The capability to exchange EVPN routes with the specified peer is enabled.

  7. (Optional) Run peer ipv4-address group group-name

    The BGP EVPN peer is added to a peer group.

    Adding BGP EVPN peers to peer groups simplifies BGP network configuration and management.

  8. (Optional) Run timer df-delay delay-value

    A DF election delay is configured.

    If the network is unstable, the PE interfaces connecting to a CE will frequently alternate between Up and Down, resulting in frequent DF elections. As a result, the network performance deteriorates. To prevent frequent DF elections, run the timer df-delay command to set a greater DF election delay. This ensures that the network remains stable.

    In an EVPN dual-homing scenario where interface-based DF election is enabled, you need to run this command to set the DF election delay to 0s. This prevents the prolonged existence of dual backup devices during switchback from causing a traffic interruption.

  9. (Optional) Run peer { group-name | ipv4-address } mac-limit number [ percentage ] [ alert-only | idle-forever | idle-timeout times ]

    The maximum number of MAC advertisement routes that can be received from each peer is configured.

    An EVPN instance may import many invalid MAC advertisement routes from peers, and these routes may occupy a large proportion of the total MAC advertisement routes. If the number of received MAC advertisement routes exceeds the specified maximum, the system displays an alarm, instructing users to check the validity of the MAC advertisement routes received in the EVPN instance.

  10. Run commit

    The configuration is committed.

(Optional) Configuring a PE's Redundancy Mode

A PE's redundancy mode determines whether the PE can work with other PEs in load-balancing mode.

Context

By default, EVPN PEs work in All-Active mode. If a CE is multi-homed to several EVPN PEs, these PEs will load-balance traffic. If you do not want an EVPN PE to work with other EVPN PEs in load-balancing mode, change its redundancy mode to Single-Active.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run evpn redundancy-mode single-active

    The Single-Active redundancy mode is configured.

  3. Run commit

    The configuration is committed.

(Optional) Configuring a BGP EVPN RR

Configuring a BGP EVPN RR helps reduce the number of required BGP EVPN peer relationships, and therefore saves network resources.

Context

In an AS where one NE serves as an RR, other NEs can serve as RR clients. The clients establish BGP EVPN peer relationships with the RR. The RR and its clients form a cluster. The RR reflects routes among the clients, and therefore the clients do not need to establish IBGP connections with each other.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bgp as-number

    The BGP view is displayed.

  3. Run l2vpn-family evpn

    The BGP-EVPN address family view is displayed.

  4. Run peer { ipv4-address | group-name } reflect-client

    An RR and its clients are configured.

    The device where the peer reflect-client command is run serves as the RR and the specified peers or peer groups serve as clients.

  5. (Optional) Run undo reflect between-clients

    Route reflection between clients through the RR is disabled.

    By default, route reflection between the clients through the RR is enabled.

    If the clients of an RR have established full-mesh connections with each other, you can run the undo reflect between-clients command to disable route reflection between clients through the RR to reduce the link cost. The undo reflect between-clients command can only be run on an RR.

  6. (Optional) Run reflector cluster-id cluster-id

    A cluster ID is configured for the RR.

    If a cluster has multiple RRs, you can use this command to set the same cluster ID for these RRs to prevent routing loops.

    The reflector cluster-id command can only be run on an RR.

  7. Run commit

    The configuration is committed.

(Optional) Associating DF with BFD

When a CE is dual-homed to PEs, you can associate DF with BFD. If an access link fails, this configuration accelerates the primary/backup DF switchover.

Context

In a CE dual-homing scenario, to speed up primary/backup DF switching if an access link fails, you can create a BFD session between the two PEs, specify an access-side Eth-Trunk or PW-VE interface as the interface to be monitored by the BFD session, and then associate the interface with the BFD session. After the configuration is complete, if the access link connected to the PE on which the primary DF resides fails, BFD rapidly detects the fault and notifies the other PE through the BFD session. This allows the backup DF to quickly become the primary DF.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bfd

    BFD is enabled globally, and the global BFD view is displayed.

  3. Run quit

    Return to the previous view.

  4. Run bfd bfd-session-name bind peer-ip pe-ip-address track-interface interface interface-type interface-number

    The binding between a BFD session and a peer IP address is created, and the BFD session view is displayed. pe-ip-address indicates the IP address of the remote PE, and interface-type interface-number indicates the type and number of the Eth-Trunk or PW-VE interface on the access side.

  5. Run the following commands to configure BFD session discriminators:

    • To set the local discriminator, run the discriminator local discr-value command.

    • To set the remote discriminator, run the discriminator remote discr-value command.

    The local discriminator at one end must be the remote discriminator at the other end.

  6. Run quit

    Return to the previous view.

  7. Run interface { eth-trunk trunk-id | PW-VE interface-number }

    The Eth-Trunk interface view or PW-VE interface view is displayed.

  8. Run es track bfd bfd-session-name

    The interface is associated with the BFD session.

  9. Run commit

    The configuration is committed.

Verifying the EVPN Configuration

After configuring EVPN, check the operating status and information about EVPN functions.

Prerequisites

EVPN has been configured.

Procedure

  • Run the display default-parameter evpn command to check default EVPN configurations during EVPN initialization.
  • Run the display evpn vpn-instance [ name vpn-instance-name ] command to check EVPN instance information.
  • Run the display evpn vpn-instance name vpn-instance-name df result [ esi esi ] command to check the DF election result of an EVPN instance.
  • Run the display evpn vpn-instance name vpn-instance-name df-timer state command to check the DF timer status of an EVPN instance.
  • Run the display bgp evpn { all | vpn-instance vpn-instance-name } esi [ esi ] command to check information about the ESIs of a specified or all EVPN instances.
  • Run the display bgp evpn { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } routing-table [ { ad-route | es-route | inclusive-route | mac-route | prefix-route } prefix ] command to check information about EVPN routes.
  • Run the display bgp evpn all routing-table statistics command to check statistics about EVPN routes.
  • Run the display evpn mac routing-table command to check MAC route information about EVPN instances.
  • Run the display evpn mac routing-table limit command to check MAC address limits of EVPN instances.
  • Run the display evpn mac routing-table statistics command to check MAC route statistics of EVPN instances.
  • Run the display arp broadcast-suppress user bridge-domain bd-id command to check the ARP broadcast suppression table of a specified BD.
  • Run the display arp packet statistics bridge-domain bd-id command to check statistics about the ARP packets in a specified BD.

Example

Run the display default-parameter evpn command. The command output shows default EVPN configurations during EVPN initialization.

<HUAWEI> display default-parameter evpn
 EVPN Access Mode           : Port Access
 EVPN Interface Service Mode: Vlan Unaware
 Apply Label Mode           : Label Per Instance

Run the display evpn vpn-instance command on PEs. The command output shows EVPN instance information.

# Display information about the EVPN instance evpn1.

<HUAWEI> display evpn vpn-instance name evpn1
  EVPN-Instance Name              RD                    Address-family
  evpn1                           1:1                   evpn

Run the display evpn vpn-instance name vpn-instance-name df result [ esi esi ] command on PEs. The command output shows the DF election result of an EVPN instance.

# Display the DF election result of EVPN instance evpn1.

<HUAWEI> display evpn vpn-instance name evpn1 df result
ESI Count: 1

ESI: 0010.1010.1010.1010.1010

 GigabitEthernet0/1/0:
  Current State: IFSTATE_UP
  DF Result    : Primary

Run the display evpn vpn-instance name vpn-instance-name df-timer state command on PEs. The command output shows the DF timer status of an EVPN instance.

# Display the DF timer status of EVPN instance evpn1.

<HUAWEI> display evpn vpn-instance name evpn1 df-timer state
Ifindex                       Type                     Mode        TimerLeft(s)      
GigabitEthernet0/1/0          BRM_EVRF_IF_DF_TIMER     IDLE        -----            

Esi                           Type                     Mode        TimerLeft(s)      
0010.1010.1010.1010.1010      BRM_EVRF_ESI_DF_TIMER    IDLE        ----- 

Run the display bgp evpn peer [ ipv4-address ] command on PEs. The command output shows information about EVPN BGP peers.

# Display information about EVPN BGP peers.

<HUAWEI> display bgp evpn peer
 
 BGP local router ID : 0.0.0.0
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 0

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  1.1.1.1         4          100    4456     3196     0 0045h29m Established        5

Run the display bgp evpn { all | vpn-instance vpn-instance-name } esi [ esi ] command. The command output shows information about the ESIs of all EVPN instances.

<HUAWEI> display bgp evpn all esi
Number of ESI for EVPN address family: 1

 ESI                                 IFName     
 0010.1010.1010.1010.1010            GigabitEthernet0/1/0

Number of ESI for evpn-instance c1: 1

 ESI                                 IFName     
 0010.1010.1010.1010.1010            GigabitEthernet0/2/0

Run the display bgp evpn all routing-table command on PEs. The command output shows information about EVPN routes.

<HUAWEI> display bgp evpn all routing-table
 Local AS number : 100

 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete


 EVPN address family:
 Number of A-D Routes: 1

 Route Distinguisher: 1:1
       Network(ESI/EthTagId)                                  NextHop
 *>    0010.1010.1010.1010.1010:0                             127.0.0.1       
   

 EVPN-Instance c1:
 Number of A-D Routes: 1
       Network(ESI/EthTagId)                                  NextHop
 *>    0010.1010.1010.1010.1010:0                             127.0.0.1      

 EVPN address family:
 Number of Inclusive Multicast Routes: 1

 Route Distinguisher: 1:1
       Network(EthTagId/IpAddrLen/OriginalIp)                 NextHop
 *>    0:32:1.1.1.1                                           127.0.0.1       
   

 EVPN-Instance c1:
 Number of Inclusive Multicast Routes: 1
       Network(EthTagId/IpAddrLen/OriginalIp)                 NextHop
 *>    0:32:1.1.1.1                                           127.0.0.1      

 EVPN address family:
 Number of ES Routes: 1

 Route Distinguisher: 1.1.1.1:0
       Network(ESI)                                           NextHop
 *>    0010.1010.1010.1010.1010                               127.0.0.1       
   

 EVPN-Instance c1:
 Number of ES Routes: 1
       Network(ESI)                                           NextHop
 *>    0010.1010.1010.1010.1010                               127.0.0.1      

Run the display bgp evpn all routing-table statistics command on PEs. The command output shows statistics about EVPN routes.

<HUAWEI> display bgp evpn all routing-table statistics
 Total number of routes from all PE: 6
 Number of A-D Routes: 2
 Number of Mac Routes: 0
 Number of Inclusive Multicast Routes: 2
 Number of ES Routes: 2

Run the display evpn mac routing-table command on a PE. The command output shows MAC route information about EVPN instances.

<HUAWEI> display evpn mac routing-table all-evpn-instance
 EVPN name: aaa
 MACs: 5        Entries: 5        

 MAC-Address           VLAN  PeerIP         Type      Interface           
 0601-0002-1111           0  2.2.2.2        Dynamic   --
 0601-0002-1112           0  2.2.2.2        Dynamic   --
 0601-0002-1113           0  2.2.2.2        Dynamic   --
 0601-0002-1114           0  2.2.2.2        Dynamic   --
 0601-0002-1115           0  2.2.2.2        Dynamic   --
------------------------------------------------------------------------------
 EVPN name: bbb
 MACs: 0         Entries: 0          

 MAC-Address           VLAN  PeerIP         Type      Interface
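
A per-peer tally of the display evpn mac routing-table output above, useful when choosing or reviewing a peer mac-limit value; this is an added Python example, not part of the Huawei guide. The sample text reproduces the output shown on this page, while the function names and the budget parameter are hypothetical.

```python
import re
from collections import Counter

# Output of 'display evpn mac routing-table all-evpn-instance' as shown on this page.
SAMPLE_OUTPUT = """\
 EVPN name: aaa
 MACs: 5        Entries: 5

 MAC-Address           VLAN  PeerIP         Type      Interface
 0601-0002-1111           0  2.2.2.2        Dynamic   --
 0601-0002-1112           0  2.2.2.2        Dynamic   --
 0601-0002-1113           0  2.2.2.2        Dynamic   --
 0601-0002-1114           0  2.2.2.2        Dynamic   --
 0601-0002-1115           0  2.2.2.2        Dynamic   --
------------------------------------------------------------------------------
 EVPN name: bbb
 MACs: 0         Entries: 0

 MAC-Address           VLAN  PeerIP         Type      Interface
"""

NAME_RE = re.compile(r"^\s*EVPN name:\s*(\S+)")
COUNT_RE = re.compile(r"^\s*MACs:\s*(\d+)")
ROW_RE = re.compile(r"^\s*((?:[0-9a-fA-F]{4}-){2}[0-9a-fA-F]{4})\s+(\d+)\s+(\S+)\s+(\S+)")


def parse_mac_table(output):
    """Return {evpn_name: {"declared": MACs header value, "peers": Counter(PeerIP)}}."""
    tables, cur = {}, None
    for line in output.splitlines():
        name = NAME_RE.match(line)
        if name:
            cur = tables.setdefault(name.group(1), {"declared": None, "peers": Counter()})
            continue
        if cur is None:
            continue
        count = COUNT_RE.match(line)
        if count:
            cur["declared"] = int(count.group(1))
            continue
        row = ROW_RE.match(line)
        if row:
            cur["peers"][row.group(3)] += 1  # third column is PeerIP
    return tables


def peers_over_budget(tables, budget):
    """List (evpn, peer, count) where one peer contributes more than `budget` MACs."""
    return sorted(
        (name, peer, n)
        for name, table in tables.items()
        for peer, n in table["peers"].items()
        if n > budget
    )


def incomplete_tables(tables):
    """EVPN instances whose parsed row count disagrees with the 'MACs:' header,
    which indicates a truncated or paged capture that should not be trusted."""
    return sorted(
        name for name, table in tables.items()
        if table["declared"] != sum(table["peers"].values())
    )


if __name__ == "__main__":
    parsed = parse_mac_table(SAMPLE_OUTPUT)
    print(peers_over_budget(parsed, budget=4))
    print(incomplete_tables(parsed))
```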

Run the display evpn mac routing-table limit command on a PE. The command output shows MAC address limits of an EVPN instance.

<HUAWEI> display evpn mac routing-table limit evpn-instance vpn1
 EVPN Instance Name: vpn1
 Limit-Type     Max-Limit    Upper-Limit  Lower-Limit  Current      
 Default        100          80           70           0            

Run the display evpn mac routing-table statistics command on a PE. The command output shows MAC route statistics of EVPN instances.

<HUAWEI> display evpn mac routing-table all-evpn-instance statistics
Summary Prefixes : 133
Protocol   route       active      added       deleted     freed
Local      0           0           0           0           0           
BGP        133         133         48659       48526       48526       
Total      133         133         48659       48526       48526

Run the display arp broadcast-suppress user bridge-domain bd-id command. The command output displays information about the ARP broadcast suppression table of a specified BD.

<HUAWEI> display arp broadcast-suppress user bridge-domain 10
Flags: S - Static, D - Dynamic, C - Conflict
Total:4
------------------------------------------------------------------------------------
IP Address      MAC Address      Vtep IP         Flags       Aging(M)      Interface
------------------------------------------------------------------------------------
10.1.1.5        0005-0005-0005   0.0.0.0         S           --            --              
10.1.1.1        3853-d121-0110   0.0.0.0         D           15            GigabitEthernet0/1/1.1
10.1.1.2        0002-0002-0002   0.0.0.0         D           15            GigabitEthernet0/1/1.2 
10.1.1.3        0001-0c01-0101   0.0.0.0         C           --            --              

Run the display arp packet statistics bridge-domain bd-id command. The command output displays statistics about the ARP packets in a specified BD.

<HUAWEI> display arp packet statistics bridge-domain 10
ARP Packets Received
  Total:                                        0
  ARP Pkt Revceive Request:                     0
  ARP Pkt Revceive Reply:                       0
  ARP Pkt Revceive Gratuitous:                  0
  Discard For Other:                            0
ARP Packets Sent
  Total:                                        0
  ARP Pkt Send Unicast:                         0
  ARP Pkt Send Broadcast:                       0
  ARP Pkt Send Gratuitous:                      0
  ARP Pkt Send L2 Proxy:                        0
Updated: 2019-01-14

Document ID: EDOC1100058925
