Configuration Guide - VPN 01

NE05E and NE08E V300R003C10SPC500

This is NE05E and NE08E V300R003C10SPC500 Configuration Guide - VPN
Configuring DCI Functions

This section describes how to configure Data Center Interconnect (DCI) functions, which helps you understand basic DCI information.

Background

To meet the requirements of cross-region operation, user access, and inter-city disaster recovery that arise during enterprise development, an increasing number of enterprises have deployed data centers in multiple regions and across carrier networks. Currently, leased fibers or leased lines are commonly used to interconnect cross-region data centers, causing the following disadvantages:
  • For enterprises, leased fibers or leased lines are costly.
  • For carriers, service exploration is difficult, and resource utilization is low.

To cope with these disadvantages, a DCI network that is characterized by high security and reliability and flexible scheduling needs to be constructed and operated. Data Center Interconnection (DCI) provides solutions to interconnect data centers. Using Virtual eXtensible Local Area Network (VXLAN), Ethernet Virtual Private Network (EVPN), and BGP/MPLS IP VPN technologies, DCI solutions allow packets that are exchanged between data centers to be transmitted securely and reliably over carrier networks, allowing VMs in different data centers to communicate with each other.

Figure 11-17 Configuring DCI functions

Pre-configuration Tasks

Before configuring DCI functions, configure MPLS tunnels over the DCI backbone network.

Configuration Procedures

Perform one or more of the following configurations as required.

Configuring a DCI Scenario with an E2E VXLAN EVPN Deployed on a Gateway

An end-to-end VXLAN EVPN uses one service platform, which helps implement unified VXLAN VNI resource management.

Context

GWs and DCI-PEs are separately deployed. DCI-PEs function as edge devices on the underlay network and ensure VTEPs in data centers are reachable through routes, without saving data center tenant and host information.

In Figure 11-18, data center gateways GW1 and GW2 are connected to the backbone network. BGP/MPLS IP VPN functions are deployed on the DCI backbone network to transmit VTEP IP information between GW1 and GW2. A VXLAN tunnel is established between GW1 and GW2 for inter-data center E2E VXLAN packet encapsulation and VM communication.

Figure 11-18 Configuring a DCI Scenario with an E2E VXLAN EVPN Deployed on a Gateway

Procedure

  1. Configure basic L3VPN functions on the DCI backbone network. For configuration details, see Configuring a Basic BGP/MPLS IP VPN.
  2. Establish a VXLAN tunnel to GW1 on GW2. For configuration details, see Configuring Device-specific VXLAN.

Configuring a DCI Scenario with a VLAN Layer 3 Sub-interface Accessing a Common L3VPN

The DCI scenario with a VLAN Layer 3 sub-interface accessing a common L3VPN uses different cloud management platforms, and a Layer 3 Ethernet sub-interface is associated with a VLAN to access an L3VPN.

Context

An underlay VLAN can access a DCI network through a Layer 3 gateway when traditional DCs are connected through the DCI network.

GWs and DCI-PEs are separately deployed. Each DCI-PE considers the GW of a data center as a CE, uses a Layer 3 VPN routing protocol to receive VM host routes from the data center, and saves and maintains the routes.

If VXLAN is deployed in the data center, the solution of Underlay VLAN Layer 3 access to DCI can be used. In Figure 11-19, VXLAN tunnels are established within data centers to allow intra-DC VM communication. To allow inter-data center VM communication, BGP/MPLS IP VPN functions are deployed on the DCI backbone network, and a Layer 3 Ethernet sub-interface is configured on each DCI-PE, added to the same VLAN, and bound to the VPN instance of each DCI-PE.

Figure 11-19 Configuring a DCI Scenario with a VLAN Layer 3 Sub-interface Accessing a Common L3VPN

Procedure

  1. Configure basic L3VPN functions on the DCI backbone network. For configuration details, see Configuring a Basic BGP/MPLS IP VPN.
  2. Configure a dot1q VLAN tag termination sub-interface and bind the sub-interface to a VPN instance.
    1. Run interface interface-type interface-number.subinterface-number

      An Ethernet sub-interface is created, and its view is displayed.

    2. Run vlan-type dot1q vlan-id

      A VLAN is bound to the sub-interface, and a VLAN encapsulation mode is specified.

    3. Run ip binding vpn-instance vpn-instance-name

      The sub-interface is bound to a VPN instance.

    4. Run ip address ip-address { mask | mask-length }

      An IP address is configured for the sub-interface.

  3. Run commit

    The configuration is committed.

Configuring a DCI Scenario with a VXLAN EVPN L3VPN Accessing a Common L3VPN

The DCI scenario with a VXLAN EVPN L3VPN accessing a common L3VPN uses different cloud management platforms, and a VXLAN tunnel is used to access the DCI backbone network.

Context

GWs and DCI-PEs are separately deployed. EVPN is used as a control plane protocol to dynamically establish VXLAN tunnels. VPNv4 is used to send received host IP routes to the peer DCI-PE, and packets of VM hosts can be forwarded at Layer 3.

In Figure 11-20, data center gateway devices GW1 and GW2 are connected to the DCI backbone network. To allow inter-data center VM communication, BGP/MPLS IP VPN functions are deployed on the DCI backbone network. In addition, EVPN and a VXLAN tunnel are deployed between the GW and DCI-PE to transmit VM host routes so that VMs in different data centers can communicate with each other.

Figure 11-20 Configuring a DCI Scenario with a VXLAN EVPN L3VPN Accessing a Common L3VPN

Procedure

  1. Configure a VXLAN tunnel between each DCI PE and the corresponding GW. For configuration details, see Configuring VXLAN.
  2. Configure basic L3VPN functions on the DCI backbone network. For configuration details, see Configuring a Basic BGP/MPLS IP VPN.
  3. Configure the DCI-PE to send the routes that are regenerated in the EVPN address family to a VPNv4 peer.
    1. Run bgp as-number

      The BGP view is displayed.

    2. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

    3. Run peer { ipv4-address | group-name } import reoriginate

      The DCI-PE is configured to add the regeneration flag to the routes to be received from a BGP EVPN peer.

    4. Run quit

      The BGP view is displayed.

    5. Run ipv4-family vpnv4

      The BGP-VPNv4 address family view is displayed.

    6. Run peer { ipv4-address | group-name } advertise route-reoriginated evpn { mac-ip | ip }

      The DCI-PE is configured to send the routes that are regenerated in the EVPN address family to a VPNv4 peer.

      After the command is run, the DCI-PE uses MPLS to re-encapsulate the VXLAN-encapsulated EVPN routes received from the data center into VPNv4 routes and then sends the VPNv4 routes to the VPNv4 peer on the DCI backbone network.

  4. Configure the DCI-PE to send the routes that are regenerated in the VPNv4 address family to a BGP EVPN peer.
    1. Run bgp as-number

      The BGP view is displayed.

    2. Run ipv4-family vpnv4

      The BGP-VPNv4 address family view is displayed.

    3. Run peer { ipv4-address | group-name } import reoriginate

      The DCI-PE is configured to add the regeneration flag to the routes received from a VPNv4 peer.

    4. Run quit

      The BGP view is displayed.

    5. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

    6. Run peer { ipv4-address | group-name } advertise route-reoriginated vpnv4

      The DCI-PE is configured to send the routes that are regenerated in the VPNv4 address family to a BGP EVPN peer.

      After the command is run, the DCI-PE uses VXLAN to re-encapsulate MPLS-encapsulated VPNv4 routes received from the DCI backbone network into EVPN routes and sends the EVPN routes to the BGP EVPN peer in the data center.

    7. Run peer { ipv4-address | group-name } advertise encap-type vxlan

      VXLAN-encapsulated EVPN routes are sent to the BGP EVPN peer on the data center side.

  5. Run commit

    The configuration is committed.
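
Steps 3 and 4 each need a command in both BGP address families, and a half-configured direction gives one-way reachability between the data centers. The following Python check is an added example, not Huawei code: it assumes saved-configuration style text (one space of indentation per view, `#` separators), and the AS numbers and peer addresses in the sample are constructed.

```python
import re

# Constructed sample of a DCI-PE BGP section. The EVPN -> VPNv4 direction is
# complete; the VPNv4 -> EVPN direction is missing two commands from step 4.
DCI_PE_CFG = """\
bgp 100
 peer 10.0.0.2 as-number 100
 peer 192.0.2.1 as-number 65001
 #
 ipv4-family vpnv4
  peer 10.0.0.2 enable
  peer 10.0.0.2 advertise route-reoriginated evpn ip
 #
 l2vpn-family evpn
  peer 192.0.2.1 enable
  peer 192.0.2.1 import reoriginate
  peer 192.0.2.1 advertise route-reoriginated vpnv4
#
"""

COMMANDS = (
    "import reoriginate",
    "advertise route-reoriginated evpn",
    "advertise route-reoriginated vpnv4",
    "advertise encap-type vxlan",
)
PEER_RE = re.compile(r"peer (\S+) (%s)\b" % "|".join(re.escape(c) for c in COMMANDS))
FAMILY_VIEWS = {"ipv4-family vpnv4": "vpnv4", "l2vpn-family evpn": "evpn"}

# (direction, address family, command) tuples taken from steps 3 and 4.
REQUIRED = [
    ("evpn->vpnv4", "evpn", "import reoriginate"),
    ("evpn->vpnv4", "vpnv4", "advertise route-reoriginated evpn"),
    ("vpnv4->evpn", "vpnv4", "import reoriginate"),
    ("vpnv4->evpn", "evpn", "advertise route-reoriginated vpnv4"),
]


def parse_bgp_families(cfg):
    """Return {family: {command: set(peers)}} for the two families of interest."""
    fam = {f: {c: set() for c in COMMANDS} for f in ("evpn", "vpnv4")}
    in_bgp, current = False, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):        # top-level line: enter or leave "bgp <as>"
            in_bgp = re.match(r"bgp \S+$", line) is not None
            current = None
        elif not in_bgp:
            continue
        elif not raw.startswith("  "):     # BGP-view line: may open a family view
            current = FAMILY_VIEWS.get(line)
        elif current:                      # line inside a tracked family view
            m = PEER_RE.match(line)
            if m:
                fam[current][m.group(2)].add(m.group(1))
    return fam


def check_reorigination(fam):
    """List (direction, family, missing command) for incomplete re-origination."""
    missing = [(d, f, c) for d, f, c in REQUIRED if not fam[f][c]]
    # Step 4.7: every EVPN peer that receives re-originated VPNv4 routes
    # also needs VXLAN encapsulation advertised to it.
    ev = fam["evpn"]
    for peer in sorted(ev["advertise route-reoriginated vpnv4"]
                       - ev["advertise encap-type vxlan"]):
        missing.append(("vpnv4->evpn", "evpn",
                        "peer %s advertise encap-type vxlan" % peer))
    return missing


if __name__ == "__main__":
    for finding in check_reorigination(parse_bgp_families(DCI_PE_CFG)):
        print(finding)
```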

Configuring a DCI Scenario with a VLAN Base Accessing an MPLS EVPN IRB

To enable a DCI backbone network to carry Layer 2 or Layer 3 services, you can associate an Ethernet interface with a VLAN to access the DCI backbone network and deploy MPLS EVPN over the DCI backbone network.

Context

DC-GWs and DCI-PEs are separately deployed. The DCI-PEs consider the connected DC-GWs as CEs, receive VM IP routes from the DCs through a routing protocol, and save and maintain the received routes.

On the network shown in Figure 11-21, a VXLAN tunnel is established in each DC to implement intra-DC VM communication. L3VPN and EVPN instances are created on DCI-PEs over the DCI backbone network. Ethernet sub-interfaces are associated with a VLAN to access the DC-GWs. BGP EVPN is configured between DCI-PEs to enable them to exchange IRB routes. These configurations implement inter-DC VM communication.

Figure 11-21 Configuring a DCI scenario with a VLAN base accessing an MPLS EVPN IRB

Pre-configuration Tasks

Before configuring a DCI scenario with a VLAN base accessing an MPLS EVPN IRB, ensure that routes on the IPv4 network are reachable.

Procedure

  1. Configure an L3VPN instance to store and manage received VM routes.
    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name

      A VPN instance is created, and the VPN instance view is displayed.

    3. Run ipv4-family

      The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4 address family view is displayed.

    4. Run route-distinguisher route-distinguisher

      An RD is configured for the VPN instance IPv4 address family.

    5. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

      VPN targets are configured for the VPN instance IPv4 address family to mutually import routes with the remote PE's L3VPN instance.

    6. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ] evpn

      VPN targets are configured for the VPN instance IPv4 address family to mutually import routes with the local EVPN instance.

    7. Run evpn mpls routing-enable

      EVPN is enabled to generate and advertise IP prefix routes and IRB routes.

    8. (Optional) Run tnl-policy policy-name evpn

      EVPN routes that can be imported into the VPN instance IPv4 address family are associated with a tunnel policy.

      This configuration allows Layer 3 service traffic between VMs in different DCs to be transmitted through a TE tunnel between the DCI-PEs.

    9. Run quit

      Exit from the VPN instance IPv4 address family view.

    10. Run quit

      Exit from the VPN instance view.

    11. Run interface interface-type interface-number.subinterface-number

      An Ethernet sub-interface is created, and the Ethernet sub-interface view is displayed.

    12. (Optional) Run vlan-type dot1q vlan-id

      A VLAN to be associated with the Ethernet sub-interface is specified, and the VLAN encapsulation type is set.

    13. Run ip binding vpn-instance vpn-instance-name

      The Ethernet sub-interface is bound to the VPN instance.

    14. Run ip address ip-address { mask | mask-length }

      An IP address is configured for the Ethernet sub-interface.

    15. Run quit

      Exit from the Ethernet sub-interface view.

    16. Run commit

      The configuration is committed.

  2. Configure an EVPN instance in BD mode.
    1. Run evpn vpn-instance vpn-instance-name bd-mode

      An EVPN instance in BD mode is created, and the EVPN instance view is displayed.

    2. Run route-distinguisher route-distinguisher

      An RD is configured for the EVPN instance.

    3. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

      VPN targets are configured for the EVPN instance. The export RT of the local EVPN instance must be the same as the import RT of the remote EVPN instance. Similarly, the import RT of the local EVPN instance must be the same as the export RT of the remote EVPN instance.

    4. (Optional) Run import route-policy policy-name

      The EVPN instance is associated with an import route-policy.

      To strictly control the import of routes into the EVPN instance, specify an import route policy to filter routes and set route attributes for routes that meet the filter criteria.

    5. (Optional) Run export route-policy policy-name

      The EVPN instance is associated with an export route-policy.

      To strictly control the advertisement of EVPN routes, specify an export route policy and set route attributes for routes that meet the filter criteria.

    6. (Optional) Run mac limit number { simply-alert | mac-unchanged }

      The maximum number of MAC addresses allowable is set for the EVPN instance.

      If a device imports a large number of MAC addresses, which consumes a lot of system resources, device operation may be affected when the system processes many services concurrently. To improve system security and reliability, run the mac limit command to limit the number of MAC addresses to be imported into the EVPN instance. After this configuration, if the number of MAC addresses exceeds the preset value, an alarm is triggered to prompt you to check the validity of existing MAC addresses.

    7. Run quit

      Exit from the EVPN instance view.

  3. Configure BGP EVPN peers.

    NOTE:

    If a BGP RR needs to be configured on the network, establish BGP EVPN peer relationships between all the PEs and the RR.

    1. Run bgp { as-number-plain | as-number-dot }

      BGP is enabled, and the BGP view is displayed.

    2. Run peer ipv4-address as-number { as-number-plain | as-number-dot }

      The remote DCI-PE is specified as the BGP peer.

    3. (Optional) Run peer ipv4-address connect-interface interface-type interface-number [ ipv4-source-address ]

      A source interface and a source IP address are specified to set up a TCP connection between the BGP peers.

      NOTE:

      When loopback interfaces are used to establish a BGP connection, it is recommended that the peer connect-interface command be run on both ends to ensure correct connection. If this command is run on only one end, the BGP connection may fail to be established.

    4. Run ipv4-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv4 address family view is displayed.

    5. Run import-route { direct | isis process-id | ospf process-id | rip process-id | static } [ med med | route-policy route-policy-name ] *

      The device is enabled to import non-BGP routing protocol routes into the BGP-VPN instance IPv4 address family. To advertise host IP routes, only enable the device to import direct routes. To advertise the routes of the network segment where a host resides, configure a dynamic routing protocol (such as OSPF) to advertise the network segment routes. Then enable the device to import routes of the configured routing protocol.

    6. Run advertise l2vpn evpn

      The BGP device is enabled to advertise IP prefix routes to the BGP peer. This configuration allows the BGP device to advertise both host IP routes and routes of the network segment where the host resides.

    7. Run quit

      Exit from the BGP-VPN instance IPv4 address family view.

    8. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

    9. Run peer { ipv4-address | group-name } enable

      The local BGP device is enabled to exchange EVPN routes with a peer or peer group.

    10. Run peer { ipv4-address | group-name } advertise irb

      The BGP device is enabled to advertise IRB routes to the BGP EVPN peer.

    11. Run quit

      Exit from the BGP-EVPN address family view.

    12. Run quit

      Exit from the BGP view.

  4. (Optional) Configure an RR. To minimize the number of BGP EVPN peers on the network, deploy an RR so that the PEs establish BGP EVPN peer relationships only with the RR.
    1. Run bgp { as-number-plain | as-number-dot }

      BGP is enabled, and the BGP view is displayed.

    2. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

    3. Run peer { ipv4-address | group-name } reflect-client

      The local device is configured as an RR, and a peer or peer group is specified as the RR client.

      The NE where the peer reflect-client command is run functions as the RR, and the specified peer or peer group functions as a client.

    4. (Optional) Run undo reflect between-clients

      Route reflection between clients through the RR is disabled.

      By default, route reflection between clients through an RR is enabled.

      If the clients of an RR have established full-mesh connections with each other, run the undo reflect between-clients command to disable route reflection between clients through the RR to reduce the link cost. The undo reflect between-clients command applies only to RRs.

    5. (Optional) Run reflector cluster-id cluster-id

      A cluster ID is configured for the RR.

      If a cluster has multiple RRs, run this command to set the same cluster ID for these RRs to prevent routing loops.

      The reflector cluster-id command applies only to RRs.

    6. Run quit

      Exit from the BGP-EVPN address family view.

    7. Run quit

      Exit from the BGP view.

  5. Run commit

    The configuration is committed.
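
The RT matching rule and the mac limit recommendation from the EVPN instance step can be checked offline across a pair of DCI-PEs. The following Python check is an added example, not Huawei code: it assumes saved-configuration style text (indented sub-commands, `#` separators), that instances are meant to pair by name on both PEs, and that a vpn-target line without a keyword means both; the device names, RDs and RTs are constructed.

```python
import re

RT_KEYWORDS = {"both", "export-extcommunity", "import-extcommunity"}

# Constructed samples: EVPN instance sections from two DCI-PEs.
PE1_CFG = """\
evpn vpn-instance evrf1 bd-mode
 route-distinguisher 100:1
 vpn-target 1:1 export-extcommunity
 vpn-target 2:2 import-extcommunity
 mac limit 2000 simply-alert
#
evpn vpn-instance evrf2 bd-mode
 route-distinguisher 100:2
 vpn-target 3:3
 mac limit 2000 simply-alert
#
"""

PE2_CFG = """\
evpn vpn-instance evrf1 bd-mode
 route-distinguisher 200:1
 vpn-target 2:2 export-extcommunity
 vpn-target 1:10 3:3 import-extcommunity
#
evpn vpn-instance evrf2 bd-mode
 route-distinguisher 200:2
 vpn-target 3:3 both
 mac limit 2000 simply-alert
#
"""


def parse_evpn_instances(cfg):
    """Return {name: {"export": set, "import": set, "mac_limit": int|None}}."""
    instances, cur = {}, None
    for raw in cfg.splitlines():
        if not raw.startswith(" "):            # top-level line closes the open view
            m = re.match(r"evpn vpn-instance (\S+) bd-mode\s*$", raw)
            cur = None
            if m:
                cur = instances.setdefault(
                    m.group(1),
                    {"export": set(), "import": set(), "mac_limit": None})
            continue
        tok = raw.split()
        if cur is None or not tok:
            continue
        if tok[0] == "vpn-target":
            # Assumption: no trailing keyword is treated the same as "both".
            direction = tok[-1] if tok[-1] in RT_KEYWORDS else "both"
            rts = [t for t in tok[1:] if t not in RT_KEYWORDS]
            if direction in ("both", "export-extcommunity"):
                cur["export"].update(rts)
            if direction in ("both", "import-extcommunity"):
                cur["import"].update(rts)
        elif tok[:2] == ["mac", "limit"] and len(tok) >= 3 and tok[2].isdigit():
            cur["mac_limit"] = int(tok[2])
    return instances


def audit(pe_a, inst_a, pe_b, inst_b):
    """Compare two PEs and return a list of (code, location) findings."""
    findings = []
    sides = ((pe_a, inst_a), (pe_b, inst_b))
    for (src_pe, src), (dst_pe, dst) in (sides, sides[::-1]):
        for s_name, s in sorted(src.items()):
            for d_name, d in sorted(dst.items()):
                shared = s["export"] & d["import"]
                where = "%s:%s->%s:%s" % (src_pe, s_name, dst_pe, d_name)
                if s_name == d_name and not shared:
                    # Export RT of one side is not in the import list of the other.
                    findings.append(("RT_MISMATCH", where))
                elif s_name != d_name and shared:
                    # A different instance imports these routes: review for isolation.
                    findings.append(("CROSS_IMPORT", where))
    for pe, insts in sides:
        for name, inst in sorted(insts.items()):
            if inst["mac_limit"] is None:
                findings.append(("NO_MAC_LIMIT", "%s:%s" % (pe, name)))
    return findings


if __name__ == "__main__":
    pe1, pe2 = parse_evpn_instances(PE1_CFG), parse_evpn_instances(PE2_CFG)
    for finding in audit("PE1", pe1, "PE2", pe2):
        print(finding)
```

A CROSS_IMPORT finding is not necessarily a fault, since shared-service designs import another instance's RT on purpose, but each one should be traceable to a design decision.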

Configuring a DCI Scenario with a VLAN Base Accessing an MPLS EVPN IRB (A PE Functions as a Gateway)

In a DCI scenario where a PE on the DCI backbone network serves as a data center gateway, you can enable the DCI network to carry Layer 2 or Layer 3 services by deploying gateway access (associating an Ethernet interface with a VLAN) and configuring EVPN IRB.

Context

On the network shown in Figure 11-22, a VXLAN tunnel is established in each DC to implement intra-DC VM communication. A data center gateway and a DCI backbone network PE are the same device (DCI-PE-GW). After an L3VPN instance is configured on the DCI-PE-GW of the DCI backbone network or an EVPN instance and EVPN IRB are configured on the DCI-PE-GW, Layer 2 or Layer 3 services can be transmitted between VMs in different data centers.

Figure 11-22 Configuring a DCI scenario with a VLAN base accessing an MPLS EVPN IRB (a PE functions as a gateway)

Pre-configuration Tasks

Before configuring a DCI scenario with a VLAN base accessing an MPLS EVPN IRB, ensure that routes on the IPv4 network are reachable.

Procedure

  1. Configure BGP EVPN peers.

    NOTE:

    If a BGP RR needs to be configured on the network, establish BGP EVPN peer relationships between all the PEs and the RR.

    1. Run bgp { as-number-plain | as-number-dot }

      BGP is enabled, and the BGP view is displayed.

    2. Run peer ipv4-address as-number { as-number-plain | as-number-dot }

      The remote PE is specified as the BGP peer.

    3. (Optional) Run peer ipv4-address connect-interface interface-type interface-number [ ipv4-source-address ]

      A source interface and a source IP address are specified to set up a TCP connection between the BGP peers.

      NOTE:

      When loopback interfaces are used to establish a BGP connection, it is recommended that the peer connect-interface command be run on both ends to ensure correct connection. If this command is run on only one end, the BGP connection may fail to be established.

    4. Run ipv4-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv4 address family view is displayed.

    5. Run import-route { direct | isis process-id | ospf process-id | rip process-id | static } [ med med | route-policy route-policy-name ] *

      The device is enabled to import non-BGP routing protocol routes into the BGP-VPN instance IPv4 address family. To advertise host IP routes, only enable the device to import direct routes. To advertise the routes of the network segment where a host resides, configure a dynamic routing protocol (such as OSPF) to advertise the network segment routes. Then enable the device to import routes of the configured routing protocol.

    6. Run advertise l2vpn evpn

      The BGP device is enabled to advertise IP prefix routes to the BGP peer. This configuration allows the BGP device to advertise both host IP routes and routes of the network segment where the host resides.

    7. Run quit

      Exit from the BGP-VPN instance IPv4 address family view.

    8. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

    9. Run peer { ipv4-address | group-name } enable

      The local BGP device is enabled to exchange EVPN routes with a peer or peer group.

    10. Run peer { ipv4-address | group-name } advertise irb

      The BGP device is enabled to advertise IRB routes to the BGP EVPN peer.

    11. Run quit

      Exit from the BGP-EVPN address family view.

    12. Run quit

      Exit from the BGP view.

  2. (Optional) Configure an L3VPN instance to store and manage received VM routes. You must perform this step if you want the network to carry Layer 3 services.
    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name

      A VPN instance is created, and the VPN instance view is displayed.

    3. Run ipv4-family

      The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4 address family view is displayed.

    4. Run route-distinguisher route-distinguisher

      An RD is configured for the VPN instance IPv4 address family.

    5. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ] evpn

      VPN targets are configured for the VPN instance IPv4 address family to mutually import routes with the remote PE's L3VPN instance.

      When the local PE advertises EVPN routes to the remote PE, the EVPN routes carry the export VPN target configured using this command. When the local PE receives an EVPN route from the remote end, the route can be imported into the routing table of the VPN instance IPv4 address family only if the VPN target carried in the EVPN route is included in the import VPN target list of the VPN instance IPv4 address family.

    6. Run evpn mpls routing-enable

      EVPN is enabled to generate and advertise IP prefix routes and IRB routes.

    7. (Optional) Run tnl-policy policy-name evpn

      EVPN routes that can be imported into the VPN instance IPv4 address family are associated with a tunnel policy.

      This configuration allows data packets between PEs to be forwarded through a TE tunnel.

    8. Run quit

      Exit from the VPN instance IPv4 address family view.

    9. Run quit

      Exit from the VPN instance view.

  3. Configure access-side interfaces.

    • If you want the network to carry both Layer 2 and Layer 3 services, perform the following configurations:

      1. Run the bridge-domain bd-id command to enter the BD view.
      2. Run the vxlan vni vni-id split-horizon-mode command to create a VNI, associate it with the BD, and apply split horizon to the BD.
      3. Run the evpn binding vpn-instance vpn-instance-name [ bd-tag bd-tag ] command to bind a specified EVPN instance to the BD. By specifying different bd-tag values, you can bind multiple BDs with different VLANs to the same EVPN instance and isolate services in the BDs.
      4. Run the quit command to exit from the BD view.
      5. Run the interface interface-type interface-number.subnum mode l2 command to create a Layer 2 sub-interface and enter the Layer 2 sub-interface view.

      6. Run the encapsulation { dot1q [ vid low-pe-vid [ to high-pe-vid ] ] | untag | qinq [ vid pe-vid ce-vid { low-ce-vid [ to high-ce-vid ] | default } ] } command to configure a flow encapsulation type so that different interfaces can access different data packets.

      7. Run the rewrite pop { single | double } command to remove VLAN tags of received packets.

      8. Run the bridge-domain bd-id command to add the Layer 2 sub-interface to the BD so that the sub-interface can transmit data packets through this BD.

      9. Run the quit command to exit from the sub-interface view and return to the system view.

      10. Run the interface vbdif bd-id command to create a VBDIF interface and enter the VBDIF interface view.

      11. Run the ip binding vpn-instance vpn-instance-name command to bind the VBDIF interface to the VPN instance.

      12. Run the ip address ip-address { mask | mask-length } [ sub ] command to configure an IP address for the VBDIF interface to implement Layer 3 communication.

      13. (Optional) Run the mac-address mac-address command to specify a MAC address for the VBDIF interface.

      14. Run the arp distribute-gateway enable command to enable the distributed gateway function.

        After distributed gateway is enabled, the device discards the ARP packets received from the network side, learns only ARP packets from hosts on the user side, and generates host routes.

      15. Run the arp collect host enable command to collect host information.

      16. Run the quit command to exit from the interface view and return to the system view.

    • If you want the network to carry only Layer 2 services, perform the following configurations:

      1. Run the bridge-domain bd-id command to enter the BD view.
      2. Run the vxlan vni vni-id split-horizon-mode command to create a VNI, associate it with the BD, and apply split horizon to the BD.
      3. Run the evpn binding vpn-instance vpn-instance-name [ bd-tag bd-tag ] command to bind a specified EVPN instance to the BD. By specifying different bd-tag values, you can bind multiple BDs with different VLANs to the same EVPN instance and isolate services in the BDs.
      4. Run the quit command to exit from the BD view.
      5. Run the interface interface-type interface-number.subnum mode l2 command to create a Layer 2 sub-interface and enter the Layer 2 sub-interface view.

      6. Run the encapsulation { dot1q [ vid low-pe-vid [ to high-pe-vid ] ] | untag | qinq [ vid pe-vid ce-vid { low-ce-vid [ to high-ce-vid ] | default } ] } command to configure a flow encapsulation type so that different interfaces can access different data packets.

      7. Run the rewrite pop { single | double } command to remove VLAN tags of received packets.

      8. Run the bridge-domain bd-id command to add the Layer 2 sub-interface to the BD so that the sub-interface can transmit data packets through this BD.

      9. Run the quit command to exit from the interface view and return to the system view.

    • If you want the network to carry only Layer 3 services, see Binding Interfaces to a VPN Instance.

  4. Configure a VBDIF interface.
    1. Run bridge-domain bd-id

      A BD is created, and the BD view is displayed.

    2. Run quit

      Return to the system view.

    3. Run interface interface-type interface-number.subinterface-number

      An Ethernet sub-interface is created, and the Ethernet sub-interface view is displayed.

    4. Run encapsulation { dot1q [ vid vid ] | default | untag | qinq }

      An encapsulation type of packets allowed to pass through the Layer 2 sub-interface is specified.

      By default, an encapsulation type of packets allowed to pass through a Layer 2 sub-interface is not specified.

    5. Run rewrite pop { single | double }

      The traffic behavior is set to pop so that the Ethernet sub-interface removes VLAN tags from received packets.

      For single-tagged packets that a Layer 2 sub-interface receives, specify single to remove the tags from these packets.

      If the encapsulation type of packets has been set to QinQ using the encapsulation qinq vid pe-vid ce-vid { low-ce-vid [ to high-ce-vid ] | default } command, specify double in this step to remove double VLAN tags from the received packets.

    6. Run quit

      Exit from the Ethernet sub-interface view.

    7. Run interface vbdif bd-id

      A VBDIF interface is created, and the VBDIF interface view is displayed.

    8. Run ip binding vpn-instance vpn-instance-name

      The VBDIF interface is bound to the VPN instance.

    9. Run ip address ip-address { mask | mask-length } [ sub ]

      An IP address is configured for the VBDIF interface to implement Layer 3 interworking.

      By default, no IP address is configured for a VBDIF interface.

    10. Run arp collect host enable

      The local device is enabled to advertise IRB routes to the peer device.

    11. (Optional) Run mac-address mac-address

      A MAC address is configured for the VBDIF interface.

      By default, the MAC address of a VBDIF interface is the system MAC address.

    12. Run quit

      Exit from the VBDIF interface view.

    13. Run commit

      The configuration is committed.

  5. Configure an EVPN instance in BD mode.
    1. Run evpn vpn-instance vpn-instance-name bd-mode

      An EVPN instance in BD mode is created, and the EVPN instance view is displayed.

    2. Run route-distinguisher route-distinguisher

      An RD is configured for the EVPN instance.

    3. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

      VPN targets are configured for the EVPN instance. The export RT of the local EVPN instance must be the same as the import RT of the remote EVPN instance. Similarly, the import RT of the local EVPN instance must be the same as the export RT of the remote EVPN instance.

    4. (Optional) Run import route-policy policy-name

      The EVPN instance is associated with an import route-policy.

      To strictly control the import of routes into the EVPN instance, specify an import route policy to filter routes and set route attributes for routes that meet the filter criteria.

    5. (Optional) Run export route-policy policy-name

      The EVPN instance is associated with an export route-policy.

      To strictly control the advertisement of EVPN routes, specify an export route policy and set route attributes for routes that meet the filter criteria.

    6. (Optional) Run tnl-policy policy-name

      EVPN routes that can be imported into the VPN instance IPv4 address family are associated with a tunnel policy.

      This configuration allows data packets between PEs to be forwarded through a TE tunnel.

    7. (Optional) Run mac limit number { simply-alert | mac-unchanged }

      The maximum number of MAC addresses allowable is set for the EVPN instance.

      If a device imports a large number of MAC addresses, which consumes a lot of system resources, device operation may be affected when the system processes many services concurrently. To improve system security and reliability, run the mac limit command to limit the number of MAC addresses to be imported into the EVPN instance. After this configuration, if the number of MAC addresses exceeds the preset value, an alarm is triggered to prompt you to check the validity of existing MAC addresses.

    8. Run quit

      Exit from the EVPN instance view.

  6. (Optional) Configure an RR. To minimize the number of BGP EVPN peers on the network, deploy an RR so that the PEs establish BGP EVPN peer relationships only with the RR.
    1. Run bgp { as-number-plain | as-number-dot }

      BGP is enabled, and the BGP view is displayed.

    2. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

    3. Run peer { ipv4-address | group-name } reflect-client

      The local device is configured as an RR, and a peer or peer group is specified as the RR client.

      The NE where the peer reflect-client command is run functions as the RR, and the specified peer or peer group functions as a client.

    4. (Optional) Run undo reflect between-clients

      Route reflection between clients through the RR is disabled.

      By default, route reflection between clients through an RR is enabled.

      If the clients of an RR have established full-mesh connections with each other, run the undo reflect between-clients command to disable route reflection between clients through the RR to reduce the link cost. The undo reflect between-clients command applies only to RRs.

    5. (Optional) Run reflector cluster-id cluster-id

      A cluster ID is configured for the RR.

      If a cluster has multiple RRs, run this command to set the same cluster ID for these RRs to prevent routing loops.

      The reflector cluster-id command applies only to RRs.

    6. Run quit

      Exit from the BGP-EVPN address family view.

    7. Run quit

      Exit from the BGP view.

  7. Run commit

    The configuration is committed.

Configuring a DCI Scenario with a VXLAN EVPN Accessing an MPLS EVPN IRB

In underlay VXLAN Layer 3 access to DCI, different cloud management platforms are used, and VXLAN tunnels are established to access the DCI backbone network, which uses EVPN-MPLS to carry Layer 3 services.

Context

DC-GWs and DCI-PEs are separately deployed, and EVPN is used as the control plane protocol to establish VXLAN tunnels. A DCI-PE runs EVPN to learn a VM's IP route from a DC and sends the learned host IP route to the peer DCI-PE through a BGP EVPN peer relationship to implement Layer 3 service forwarding between VMs.

On the network shown in Figure 11-23, the DC-GWs GW1 and GW2 are connected to the DCI backbone network with BGP EVPN configured. After BGP EVPN peer relationships and VXLAN tunnels are established between the DC-GWs and the DCI-PEs, host IP routes can be exchanged between different DCs, implementing communication between VMs in different DCs.

Figure 11-23 Configuring a DCI Scenario with a VXLAN EVPN Accessing an MPLS EVPN IRB

Pre-configuration Tasks

Before configuring a DCI scenario with a VXLAN EVPN accessing an MPLS EVPN IRB, ensure Layer 3 route reachability on the IPv4 network.

Procedure

  1. Configure an IGP on the DCI backbone network to ensure IP connectivity.
  2. Configure VXLAN tunnels on the DCI-PEs destined for the DC-GWs. For configuration details, see VXLAN Configuration.
  3. Configure VPN instances to exchange routes with EVPN instances.
    1. Run ip vpn-instance vpn-instance-name

      A VPN instance is created, and the VPN instance view is displayed.

    2. Run ipv4-family

      The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4 address family view is displayed.

    3. Run route-distinguisher route-distinguisher

      An RD is configured for the VPN instance IPv4 address family.

    4. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

      VPN targets are configured for the VPN instance IPv4 address family to mutually import routes with the remote PE's L3VPN instance.

    5. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ] evpn

      VPN targets are configured for the VPN instance IPv4 address family to mutually import routes with the local EVPN instance.

    6. Run evpn mpls routing-enable

      EVPN is enabled to generate and advertise IP prefix routes and IRB routes.

    7. (Optional) Run tnl-policy policy-name evpn

      EVPN routes that can be imported into the VPN instance IPv4 address family are associated with a tunnel policy.

      This configuration allows Layer 3 service traffic between VMs in different DCs to be transmitted through a TE tunnel between the DCI-PEs.

    8. Run quit

      Exit from the VPN instance IPv4 address family view.

    9. Run quit

      Exit from the VPN instance view.

  4. Establish on the local DCI-PE a BGP EVPN peer relationship with the remote DCI-PE, and enable the local DCI-PE to advertise routes regenerated by the EVPN address family to the BGP EVPN peer.
    1. Run system-view

      The system view is displayed.

    2. Run bgp { as-number-plain | as-number-dot }

      BGP is enabled, and the BGP view is displayed.

    3. (Optional) Run router-id ipv4-address

      A BGP router ID is configured.

    4. Run peer ipv4-address as-number { as-number-plain | as-number-dot }

      The remote DCI-PE is specified as the BGP peer.

    5. (Optional) Run peer ipv4-address connect-interface interface-type interface-number [ ipv4-source-address ]

      A source interface and a source IP address are specified to set up a TCP connection between the BGP peers.

      NOTE:

      When loopback interfaces are used to establish a BGP connection, it is recommended that the peer connect-interface command be run on both ends to ensure correct connection. If this command is run on only one end, the BGP connection may fail to be established.

    6. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

    7. Run peer { ipv4-address | group-name } enable

      The local BGP device is enabled to exchange EVPN routes with a peer or peer group.

    8. Run peer { ipv4-address | group-name } import reoriginate

      The BGP device is enabled to add regeneration flags to the routes received from the BGP EVPN peer.

    9. Configure types of routes to be advertised:

      • If you want the network to carry only Layer 2 services, perform the following configurations:
        1. Run the peer { ipv4-address | group-name } advertise route-reoriginated evpn { mac-ip | mac } command to configure the device to regenerate EVPN routes and advertise them to the BGP EVPN peer.

        2. Run the peer { ipv4-address | group-name } advertise { arp | nd } command to configure the device to advertise ARP (ND) routes.

      • If you want the network to carry only Layer 3 services, perform the following configurations:
        1. Run the peer { ipv4-address | group-name } advertise route-reoriginated evpn { mac-ip | ip } command to configure the device to regenerate EVPN routes and advertise them to the BGP EVPN peer.

        2. Run the peer { ipv4-address | group-name } advertise irb command to configure the device to advertise IRB routes.

      • If you want the network to carry both Layer 2 and Layer 3 services, perform the following configurations:
        1. Run the peer { ipv4-address | group-name } advertise route-reoriginated evpn { mac | mac-ip | ip } command to configure the device to regenerate EVPN routes and advertise them to the BGP EVPN peer.

        2. Run the peer { ipv4-address | group-name } advertise irb command to configure the device to advertise IRB routes.

  5. Run commit

    The configuration is committed.
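
Both procedures above require that export and import RTs match between the local and remote instances (the EVPN instance VPN targets, and the VPN instance VPN targets configured with and without the evpn keyword). The following added example, which is not Huawei code, checks that rule offline on two saved configurations; the sample configurations are constructed, and it assumes both DCI-PEs use the same instance names and that a vpn-target line without a direction keyword means both.

```python
KEYWORDS = {"both", "export-extcommunity", "import-extcommunity", "evpn"}
# Constructed sample configurations (instance names and RT values are invented).
PE1 = """\
evpn vpn-instance evrf1 bd-mode
 vpn-target 11:1 export-extcommunity
 vpn-target 11:1 import-extcommunity
ip vpn-instance vpn1
 ipv4-family
  vpn-target 1:1 both
  vpn-target 2:2 export-extcommunity evpn
  vpn-target 2:2 import-extcommunity evpn
"""
PE2 = """\
evpn vpn-instance evrf1 bd-mode
 vpn-target 11:1 12:1 import-extcommunity
 vpn-target 11:1 export-extcommunity
ip vpn-instance vpn1
 ipv4-family
  vpn-target 1:1
  vpn-target 2:2 export-extcommunity evpn
  vpn-target 3:3 import-extcommunity evpn
"""

def parse_rts(config):
    """Map instance scope -> import/export RT sets (no direction keyword is assumed to mean both)."""
    out, inst = {}, None
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[1] == "vpn-instance" and tok[0] in ("ip", "evpn"):
            inst = f"{tok[0]}:{tok[2]}"
        elif inst and tok and tok[0] == "vpn-target":
            # RTs with the trailing evpn keyword are tracked as a separate scope.
            scope = inst + ("/evpn" if tok[-1] == "evpn" else "")
            rts = out.setdefault(scope, {"import": set(), "export": set()})
            values = {t for t in tok[1:] if t not in KEYWORDS}
            if "import-extcommunity" not in tok:
                rts["export"] |= values
            if "export-extcommunity" not in tok:
                rts["import"] |= values
    return out

def rt_mismatches(local, remote):
    """Return (scope, direction, RTs) where an export set differs from the peer's import set."""
    a, b = parse_rts(local), parse_rts(remote)
    empty = {"import": set(), "export": set()}
    findings = []
    for scope in sorted(set(a) | set(b)):
        loc, rem = a.get(scope, empty), b.get(scope, empty)
        for label, diff in (("local export vs remote import", loc["export"] ^ rem["import"]),
                            ("remote export vs local import", rem["export"] ^ loc["import"])):
            if diff:
                findings.append((scope, label, sorted(diff)))
    return findings
```

With the constructed samples, `rt_mismatches(PE1, PE2)` reports the extra import RT 12:1 on the remote EVPN instance and the 2:2/3:3 disagreement on the evpn-tagged VPN targets. An import RT that no intended peer exports is worth reviewing, because it accepts routes from any instance that does export it.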

Verifying the Configuration of DCI Functions

After configuring the DCI solution, check the VPN instance, EVPN instance, and VXLAN tunnel configurations.

Prerequisites

A DCI solution has been configured.

Procedure

  • Run the display ip vpn-instance vpn-instance-name command to check brief information about a specified VPN instance.
  • Run the display ip vpn-instance verbose vpn-instance-name command to check detailed information about a specified VPN instance, including information in the IPv4 address family of the VPN instance.
  • Run the display ip vpn-instance [ vpn-instance-name ] interface command to view information about the interfaces bound to a specified VPN instance.
  • Run the display evpn vpn-instance [ vpn-instance-name ] command to check EVPN instance information.
  • Run the display vxlan tunnel [ tunnel-id ] [ verbose ] command to check VXLAN tunnel information.
  • Run the display evpn mac routing-table { all-evpn-instance | mac-address mac-address } command to check information about MAC routes of a specified EVPN instance.
  • Run the display bgp evpn peer [ [ ipv4-address ] verbose ] command to check information about BGP EVPN peers.
  • Run the display bgp evpn { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } routing-table mac-route command to check MAC route information.
  • Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } routing-table command to check BGP VPNv4 route information.
Updated: 2019-01-14

Document ID: EDOC1100058925
