ME60 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access 01
Configuring VXLAN in Centralized Gateway Mode for Static Tunnel Establishment

When VXLAN in centralized gateway mode for static tunnel establishment is deployed, traffic across network segments is forwarded through Layer 3 VXLAN gateways to implement centralized traffic management.

Usage Scenario

An enterprise has allocated VMs in different locations to a tenant. Some of the VMs reside on the same network segment, and the others reside on different network segments. To allow communication between VMs, deploy Layer 2 and Layer 3 VXLAN gateways and establish VXLAN tunnels.

On the network shown in Figure 17-5, Server 2 and Server 3 belong to the same network segment and access the VXLAN through Device 1 and Device 2, respectively; Server 1 and Server 2 belong to different network segments and both access the VXLAN through Device 1.
  • To allow VM 1 on Server 2 and VM 1 on Server 3 to communicate, deploy Layer 2 VXLAN gateways on Device 1 and Device 2 and establish a VXLAN tunnel between Device 1 and Device 2 so that tenants on the same network segment can communicate.
  • To allow VM 1 on Server 1 and VM 1 on Server 3 to communicate, deploy a Layer 3 VXLAN gateway on Device 3 and establish a VXLAN tunnel between Device 1 and Device 3 and between Device 2 and Device 3 so that tenants on different network segments can communicate.
Figure 17-5 VXLAN in centralized gateway mode

Pre-configuration Tasks

Before configuring VXLAN in centralized gateway mode for static tunnel establishment, ensure that the network is reachable at Layer 3.

Configuration Procedures

Figure 17-6 Flowchart for configuring centralized VXLAN gateways

NOTE:

If only VMs on the same network segment need to communicate with each other, Layer 3 VXLAN gateways do not need to be deployed. If VMs on different network segments need to communicate with each other or VMs on the same network segment need to communicate with external networks, Layer 3 VXLAN gateways must be deployed.

Configuring a VXLAN Service Access Point

Layer 2 sub-interfaces are used for service access on VXLANs. These Layer 2 sub-interfaces can have different encapsulation types configured to transmit various types of data packets. A bridge domain (BD) is a broadcast domain. After a Layer 2 sub-interface is associated with a BD, the sub-interface can transmit data packets through this BD.

Context

As shown in Table 17-2, Layer 2 sub-interfaces can have different encapsulation types configured to transmit various types of data packets.
Table 17-2 Traffic encapsulation types (columns: Traffic Encapsulation Type, Description)

dot1q

This type of sub-interface accepts only packets with a specified tag.

When encapsulating an original packet into a VXLAN packet, this type of sub-interface removes all VLAN tags from the original packet. When decapsulating a VXLAN packet, if the packet carries an inner VLAN tag, the sub-interface replaces the tag with the specified tag before forwarding the packet to the destination. If the packet does not carry any inner VLAN tag, the sub-interface adds the specified VLAN tag before forwarding.

The dot1q traffic encapsulation type has the following restrictions:
  • The VLAN ID encapsulated by a Layer 2 sub-interface cannot be the same as that allowed to pass by the Layer 2 interface where the sub-interface resides.
  • The VLAN IDs encapsulated by a Layer 2 sub-interface and a Layer 3 sub-interface cannot be the same.

untag

This type of sub-interface accepts only untagged packets.

When encapsulating an original packet into a VXLAN packet, this type of sub-interface does not add any VLAN tag. When decapsulating a VXLAN packet, if the packet carries an inner VLAN tag, the sub-interface removes the VLAN tag before forwarding. For a QinQ packet, the sub-interface removes only the outer VLAN tag.

The untag traffic encapsulation type has the following restrictions:
  • The physical interface where the sub-interface resides must have only default configurations.
  • Only Layer 2 physical interfaces and Layer 2 Eth-Trunk interfaces can have untag Layer 2 sub-interfaces created.
  • Only one untag Layer 2 sub-interface can be created on a main interface.

default

This type of sub-interface accepts all packets, irrespective of whether the packets carry VLAN tags.

For VXLAN packet encapsulation or decapsulation, this type of sub-interface does not perform any VLAN tag-related action on the original packets, be it addition, replacement, or removal.

The default traffic encapsulation type has the following restrictions:
  • The interface where the sub-interface resides must not be added to any VLAN.
  • Only Layer 2 physical interfaces and Layer 2 Eth-Trunk interfaces can have default Layer 2 sub-interfaces created.
  • If default is configured for a Layer 2 sub-interface on a main interface, the main interface cannot have other types of Layer 2 sub-interfaces configured.

qinq

Packets received by this type of sub-interface carry two or more VLAN tags. The sub-interface determines whether to accept the packets based on the innermost two VLAN tags.

Configure a service access point on a Layer 2 gateway:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    A BD is created, and the BD view is displayed.

  3. (Optional) Run description description

    A description is configured for the BD.

  4. Run quit

    Return to the system view.

  5. Run interface interface-type interface-number.subnum mode l2

    A Layer 2 sub-interface is created, and the sub-interface view is displayed.

    NOTE:

    Before running this command, ensure that the port link-type dot1q-tunnel command is not configured on the Layer 2 main interface. If it is configured, run the undo port link-type command to delete it.

  6. Run encapsulation { dot1q [ vid vid ] | default | untag | qinq [ vid pe-vid ce-vid { low-ce-vid [ to high-ce-vid ] } ] }

    A traffic encapsulation type is specified for the Layer 2 sub-interface.

  7. Run rewrite pop { single | double }

    The sub-interface is enabled to remove single or double VLAN tags from received packets.

    If the received packets each carry a single VLAN tag, specify single.

    If the traffic encapsulation type is specified as qinq in the preceding step using the encapsulation qinq vid pe-vid ce-vid { low-ce-vid [ to high-ce-vid ] | default } command, specify double.

  8. Run bridge-domain bd-id

    The Layer 2 sub-interface is added to the BD so that the sub-interface can transmit data packets through this BD.

    NOTE:

    If a default Layer 2 sub-interface is added to a BD, no BDIF interface can be created for the BD.

  9. Run commit

    The configuration is committed.
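The restrictions in Table 17-2 are easy to violate when several sub-interfaces share one main interface. The following added example (not Huawei's code) checks those restrictions for a planned set of Layer 2 sub-interfaces and renders the CLI lines of the procedure above; interface names, VLAN IDs and BD IDs are constructed samples, and the rewrite pop step is emitted only for the tagged types, which is this example's own choice.

```python
# Added example, not Huawei's code: validates the Table 17-2 restrictions for the Layer 2
# sub-interfaces on one main interface and renders the procedure's CLI lines.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class SubIf:
    num: int                                  # interface X.num mode l2
    encap: str                                # dot1q | untag | default | qinq
    bd: int                                   # bridge domain to join (step 8)
    vid: Optional[int] = None                 # dot1q vid
    pe_vid: Optional[int] = None              # qinq outer tag
    ce_vids: Optional[Tuple[int, int]] = None # qinq inner tag range (low, high)

@dataclass
class MainIf:
    name: str                                             # constructed sample name
    allowed_vlans: Set[int] = field(default_factory=set)  # VLANs the main interface passes
    l3_subif_vids: Set[int] = field(default_factory=set)  # VIDs of Layer 3 sub-interfaces

def check_restrictions(main: MainIf, subifs: List[SubIf]) -> List[str]:
    """Return the Table 17-2 restriction violations (empty list means the plan is valid)."""
    errors, kinds = [], [s.encap for s in subifs]
    if kinds.count("untag") > 1:
        errors.append("only one untag sub-interface is allowed per main interface")
    if "untag" in kinds and (main.allowed_vlans or main.l3_subif_vids):
        errors.append("untag requires a main interface with default configuration only")
    if "default" in kinds and (len(set(kinds)) > 1 or main.allowed_vlans):
        errors.append("default needs a main interface in no VLAN and no other sub-interface types")
    for s in subifs:
        if s.encap == "dot1q" and s.vid in main.allowed_vlans:
            errors.append(f"dot1q vid {s.vid} is also allowed on {main.name}")
        if s.encap == "dot1q" and s.vid in main.l3_subif_vids:
            errors.append(f"dot1q vid {s.vid} clashes with a Layer 3 sub-interface")
    return errors

def render(main: MainIf, s: SubIf) -> List[str]:
    """Steps 1-9 for one sub-interface; rewrite pop is emitted only for tagged types."""
    lines = ["system-view", f"bridge-domain {s.bd}", "quit",
             f"interface {main.name}.{s.num} mode l2"]
    if s.encap == "dot1q":
        lines += [f"encapsulation dot1q vid {s.vid}", "rewrite pop single"]
    elif s.encap == "qinq":
        lo, hi = s.ce_vids
        lines += [f"encapsulation qinq vid {s.pe_vid} ce-vid {lo} to {hi}", "rewrite pop double"]
    else:
        lines.append(f"encapsulation {s.encap}")   # untag / default: no tag to pop
    lines += [f"bridge-domain {s.bd}", "commit"]
    return lines
```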

Configuring a VXLAN Tunnel

VXLAN uses MAC-in-UDP encapsulation to extend Layer 2 networks, allowing a large number of tenant accesses to virtual networks.

Context

To ensure VXLAN packet forwarding, VXLAN tunnels must be configured on VXLAN gateways.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    The BD view is displayed.

    The bd-id specified here must be the same as that of the BD created in Step 2 of Configuring a VXLAN Service Access Point.

  3. Run vxlan vni vni-id

    A VNI is created and mapped to the BD.

    When a VXLAN network and a VPLS network intersect, run the vxlan vni vni-id split-horizon-mode command on the edge devices at the intersection of the two networks to create a VNI and bind it to a BD, and configure split horizon for packet forwarding.

  4. Run quit

    Return to the system view.

  5. Run interface nve nve-number

    An NVE interface is created, and the NVE interface view is displayed.

  6. Run source ip-address

    An IP address is configured for the source VTEP.

    Either a physical interface's IP address or a loopback interface's IP address can be specified for the source VTEP. Using a loopback interface address as the source VTEP's IP address is recommended.

  7. Run vni vni-id head-end peer-list ip-address &<1-10>

    An ingress replication list is configured.

    After the ingress of a VXLAN tunnel receives broadcast, unknown unicast, and multicast (BUM) packets, it replicates these packets and sends a copy to each VTEP in the ingress replication list. The ingress replication list is the collection of remote VTEP IP addresses to which the ingress of a VXLAN tunnel sends replicated BUM packets.

    NOTE:

    BUM packet forwarding is implemented only using ingress replication. To establish a VXLAN tunnel between a Huawei device and a non-Huawei device, ensure that the non-Huawei device also has ingress replication configured. Otherwise, communication fails.

  8. (Optional) Run vxlan central-reassemble enable

    Centralized inter-board reassembly is enabled on VXLAN tunnels.

  9. Run commit

    The configuration is committed.
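To make the MAC-in-UDP encapsulation and the head-end replication behaviour of steps 3 and 7 concrete, here is an added example that is not Huawei's code: it builds and parses the VXLAN header for a VNI and decides which peers a source VTEP sends a frame to. The VNI, VTEP addresses and Ethernet frames are constructed samples; the UDP port 4789 and header layout are those of RFC 7348.

```python
# Added example, not Huawei's code: models the MAC-in-UDP encapsulation and the head-end
# (ingress) replication list from the procedure above. VNI, VTEP addresses and frames
# are constructed samples.
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field is valid

def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1); the VNI is 24 bits."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\0\0\0", vni << 8)

def parse_vxlan(udp_payload: bytes) -> Tuple[int, bytes]:
    """Return (vni, inner Ethernet frame); reject a header whose VNI flag is clear."""
    flags, _, vni_word = struct.unpack("!B3sI", udp_payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI flag not set")
    return vni_word >> 8, udp_payload[8:]

def is_bum(frame: bytes) -> bool:
    """Broadcast or multicast when the I/G bit of the destination MAC is set."""
    return bool(frame[0] & 0x01)

def encapsulate(frame: bytes, vni: int, src_vtep: str, peer_list: List[str],
                mac_table: Dict[bytes, str]) -> List[Tuple[str, str, int, bytes]]:
    """Return the (src_vtep, dst_vtep, udp_dport, udp_payload) tuples a source VTEP emits.
    Known unicast goes only to the VTEP behind the destination MAC; BUM and unknown
    unicast are replicated once per address in the head-end peer list."""
    dst_mac = frame[0:6]
    payload = vxlan_header(vni) + frame
    if not is_bum(frame) and dst_mac in mac_table:
        targets = [mac_table[dst_mac]]
    else:
        targets = peer_list                # ingress replication of BUM traffic
    return [(src_vtep, str(IPv4Address(t)), VXLAN_UDP_PORT, payload) for t in targets]
```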

Configuring a Layer 3 VXLAN Gateway

This section describes how to configure a Layer 3 VXLAN gateway. To allow VMs on different network segments to communicate, a Layer 3 VXLAN gateway must be deployed, and the default gateway address of the VMs must be the IP address of the BDIF interface of the Layer 3 gateway.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vbdif bd-id

    A BDIF interface is created, and the BDIF interface view is displayed.

    The BD ID specified must exist.

  3. Run ip address ip-address { mask | mask-length } [ sub ]

    An IP address is configured for the VBDIF interface to implement Layer 3 interworking.

  4. (Optional) Run mac-address mac-address

    A MAC address is configured for the BDIF interface.

  5. Run commit

    The configuration is committed.

(Optional) Configuring Static MAC Address Entries and MAC Address Limiting

Static MAC address entries can be configured for traffic forwarding, and MAC address limiting can be configured to improve VXLAN security.

Context

After the source NVE on a VXLAN tunnel receives broadcast, unknown unicast, and multicast (BUM) packets, the local VTEP sends a copy of the BUM packets to every VTEP in the ingress replication list. Configuring static MAC address entries helps reduce broadcast traffic and prevent unauthorized data access from bogus users.

The maximum number of MAC addresses that a device can learn can be configured to limit the number of access users and defend against attacks on MAC address tables. If the device has learned the maximum number of MAC addresses allowed, no more addresses can be learned. The device can also be configured to discard packets after learning the maximum allowed number of MAC addresses, improving network security.

If a Layer 3 VXLAN gateway does not need to learn the MAC addresses of packets in a BD, MAC address learning can be disabled in the BD to conserve MAC address entry resources. If the network topology of a VXLAN has become stable and MAC address entry learning is complete, MAC address learning can also be disabled.

Configuring static MAC address entries and MAC address limiting applies to Layer 2 VXLAN gateways; disabling MAC address learning applies to both Layer 2 and Layer 3 VXLAN gateways.

Procedure

  • Configure a static MAC address entry.

    1. Run system-view

      The system view is displayed.

    2. Run mac-address static mac-address bridge-domain bd-id source source-ip-address peer peer-ip vni vni-id

      A static MAC address entry is configured.

    3. Run commit

      The configuration is committed.

  • Configure MAC address limiting.

    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run mac-limit { action { discard | forward } | maximum max [ rate interval ] } *

      MAC address limiting is configured.

    4. Run commit

      The configuration is committed.

  • Disable MAC address learning.

    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run mac-address learning disable

      MAC address learning is disabled.

    4. Run commit

      The configuration is committed.
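The three controls in this section interact at the BD MAC table. The following added example (not Huawei's code) is a small model of that table: static entries, mac-limit maximum with action discard or forward, and learning disable. It traces what happens to frames from new source MACs once the limit is reached. MAC addresses and ports are constructed, and the choice to discard a frame whose static MAC arrives from a different port than the entry binds it to is this model's assumption, not a statement from the page.

```python
# Added example, not Huawei's code: a model of the BD MAC-table controls in this section.
# MACs and ports are constructed samples; only dynamic entries count against the limit
# and static-MAC port mismatches are discarded, both assumptions of this model.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class BridgeDomain:
    bd_id: int
    mac_limit: Optional[int] = None    # mac-limit maximum max (None = no limit)
    limit_action: str = "forward"      # mac-limit action { discard | forward }
    learning: bool = True              # False after "mac-address learning disable"
    static: Dict[str, str] = field(default_factory=dict)   # MAC -> peer VTEP / port
    dynamic: Dict[str, str] = field(default_factory=dict)  # MAC -> learned port

    def add_static(self, mac: str, peer: str) -> None:
        """mac-address static ... bridge-domain bd-id ... peer peer-ip: never ages out."""
        self.static[mac] = peer
        self.dynamic.pop(mac, None)

    def ingress(self, src_mac: str, src_port: str) -> str:
        """Process a frame's source MAC and return what the BD did with it:
        'static', 'discard-spoofed', 'known', 'learned', 'forward-unlearned' or 'discard'."""
        if src_mac in self.static:
            # a static MAC seen from another port is a spoofing attempt (model assumption)
            return "static" if self.static[src_mac] == src_port else "discard-spoofed"
        if src_mac in self.dynamic:
            return "known"
        if not self.learning:
            return "forward-unlearned"     # no entry is created; the frame is still switched
        if self.mac_limit is not None and len(self.dynamic) >= self.mac_limit:
            # limit reached: the new MAC is not learned; the action decides the frame's fate
            return "discard" if self.limit_action == "discard" else "forward-unlearned"
        self.dynamic[src_mac] = src_port
        return "learned"

def run_trace(bd: BridgeDomain, frames: List[Tuple[str, str]]) -> List[str]:
    """Feed (src_mac, src_port) frames through the BD and collect the decisions."""
    return [bd.ingress(mac, port) for mac, port in frames]
```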

Verifying the Configuration of VXLAN in Centralized Gateway Mode

After configuring VXLAN in centralized gateway mode for static tunnel establishment, check VXLAN tunnel, VNI, and VBDIF interface information.

Prerequisites

VXLAN in centralized gateway mode has been configured for static tunnel establishment.

Procedure

  • Run the display bridge-domain [ bd-id [ brief | verbose ] ] command to check BD configurations.
  • Run the display interface nve [ nve-number | main ] command to check NVE interface information.
  • Run the display vxlan tunnel [ tunnel-id ] [ verbose ] command to check VXLAN tunnel information.
  • Run the display vxlan vni [ vni-id [ verbose ] ] command to check VNI information.
  • Run the display mac-address static bridge-domain bd-id command to check static MAC address entries in a BD.
  • Run the display mac-limit bridge-domain bd-id command to check MAC address limiting configurations of a BD.
Updated: 2019-01-04

Document ID: EDOC1100059440