Example for Configuring IP Address-based Microsegmentation
Networking Requirements
- The physical server, VM1, and VM2 can access the database server.
- VM1 and VM2 cannot communicate with the physical server.
- VM1 and VM2 can communicate with each other.
Device | Interface | IP Address
---|---|---
SwitchA | 10GE1/0/1 | 192.168.2.1/24
SwitchA | LoopBack0 | 2.2.2.2/32
SwitchB | 10GE1/0/1 | 192.168.3.1/24
SwitchB | LoopBack0 | 1.1.1.1/32
SwitchC | 10GE1/0/1 | 192.168.2.2/24
SwitchC | 10GE1/0/2 | 192.168.3.2/24
SwitchC | LoopBack0 | 3.3.3.3/32
Configuration Roadmap
- Enable microsegmentation.
- Configure a default microsegmentation policy.
- Configure EPGs and specify GBPs.
Procedure
- Configure VXLAN. For details, see the configuration files.
- Enable microsegmentation.
# Configure SwitchA. The configuration of SwitchB is similar to that of SwitchA and is not shown here.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] traffic-segment enable
[*SwitchA] commit
- Configure a default microsegmentation policy.
# Configure SwitchA. The configuration of SwitchB is similar to that of SwitchA and is not shown here.
[~SwitchA] traffic-segment unknown-segment permit //Configure the default access control policy for unknown EPG members. By default, the permit policy is used.
[~SwitchA] traffic-segment default-policy deny //Configure the default access control policy for EPG members. By default, the deny policy is used.
[~SwitchA] traffic-segment same-segment permit //Configure the default access control policy for members in an EPG. By default, the none policy is used.
[*SwitchA] commit
- Configure EPGs and specify GBPs.
# On SwitchA, add VM1 and VM2 to EPG1. The configuration of SwitchB is similar to that of SwitchA and is not shown here.
[~SwitchA] traffic-segment segment-id 32768 segment-name EPG1
[*SwitchA-traffic-segment-32768] segment-member ip 192.168.10.1 32 vpn-instance vpn1
[*SwitchA-traffic-segment-32768] segment-member ip 192.168.20.1 32 vpn-instance vpn1
[*SwitchA-traffic-segment-32768] quit
[*SwitchA] commit
# On SwitchA, specify GBPs. The configuration of SwitchB is similar to that of SwitchA and is not shown here.
[~SwitchA] segment classifier EPG1-EPG3 //Configure matching rules for traffic transmitted between EPG1 and EPG3.
[*SwitchA-segmentclassifier-EPG1-EPG3] rule permit source-segment 32768 destination-segment 32770
[*SwitchA-segmentclassifier-EPG1-EPG3] rule permit source-segment 32770 destination-segment 32768
[*SwitchA-segmentclassifier-EPG1-EPG3] quit
[*SwitchA] commit
[~SwitchA] segment classifier EPG2-EPG3 //Configure matching rules for traffic transmitted between EPG2 and EPG3.
[*SwitchA-segmentclassifier-EPG2-EPG3] rule permit source-segment 32769 destination-segment 32770
[*SwitchA-segmentclassifier-EPG2-EPG3] rule permit source-segment 32770 destination-segment 32769
[*SwitchA-segmentclassifier-EPG2-EPG3] quit
[*SwitchA] commit
[~SwitchA] segment behavior EPG1-EPG3 //Configure behaviors for traffic transmitted between EPG1 and EPG3.
[*SwitchA-segmentbehavior-EPG1-EPG3] quit
[*SwitchA] commit
[~SwitchA] segment behavior EPG2-EPG3 //Configure behaviors for traffic transmitted between EPG2 and EPG3.
[*SwitchA-segmentbehavior-EPG2-EPG3] quit
[*SwitchA] commit
[~SwitchA] segment policy GBP //Configure and apply a policy for traffic between EPGs.
[*SwitchA-segmentpolicy-GBP] classifier EPG1-EPG3 behavior EPG1-EPG3
[*SwitchA-segmentpolicy-GBP] classifier EPG2-EPG3 behavior EPG2-EPG3
[*SwitchA-segmentpolicy-GBP] quit
[*SwitchA] commit
- Verify the configuration.
# Run the display traffic-segment configured-information command on SwitchA to check the EPG configuration.
[~SwitchA] display traffic-segment configured-information
------------------------------------------------------------------------------
Segment-Id    Segment-Name    Segment-Type    MemberNum
------------------------------------------------------------------------------
32768         EPG1            IPv4            2
------------------------------------------------------------------------------
Total:1 Segment,2 Member.
------------------------------------------------------------------------------
After the configuration, the following functions are implemented:
- The physical server, VM1, and VM2 can access the database server.
- VM1 and VM2 cannot communicate with the physical server.
- VM1 and VM2 can communicate with each other.
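The following script, added here as an example and not part of the Huawei documentation, models the EPG membership, the three default policies, and the GBP classifier rules from the procedure above, then checks whether the three networking requirements actually hold. It assumes that 192.168.30.1 (EPG2) is the physical server and 192.168.40.1 (EPG3) is the database server, and that the switch evaluates unknown-segment, then same-segment, then explicit rules, then the default policy.

```python
import ipaddress

# EPG membership from the page: host IP -> segment ID (SwitchA holds EPG1,
# SwitchB holds EPG2 and EPG3). Which host sits in EPG2/EPG3 is an assumption.
EPG_MEMBERS = {
    "192.168.10.1": 32768,  # VM1, EPG1
    "192.168.20.1": 32768,  # VM2, EPG1
    "192.168.30.1": 32769,  # EPG2, assumed to be the physical server
    "192.168.40.1": 32770,  # EPG3, assumed to be the database server
}

# GBP classifier rules: (source-segment, destination-segment) -> action.
# The page's classifiers only carry permit rules and the behavior blocks are
# empty, so a matched rule lets the flow through.
GBP_RULES = {
    (32768, 32770): "permit", (32770, 32768): "permit",  # EPG1 <-> EPG3
    (32769, 32770): "permit", (32770, 32769): "permit",  # EPG2 <-> EPG3
}

# Global defaults exactly as set in the procedure.
UNKNOWN_SEGMENT = "permit"  # traffic-segment unknown-segment permit
DEFAULT_POLICY = "deny"     # traffic-segment default-policy deny
SAME_SEGMENT = "permit"     # traffic-segment same-segment permit


def decide(src_ip: str, dst_ip: str) -> str:
    """Return 'permit' or 'deny' for one flow (assumed evaluation order)."""
    src = EPG_MEMBERS.get(str(ipaddress.ip_address(src_ip)))
    dst = EPG_MEMBERS.get(str(ipaddress.ip_address(dst_ip)))
    if src is None or dst is None:      # either endpoint is not an EPG member
        return UNKNOWN_SEGMENT
    if src == dst:                      # both endpoints in the same EPG
        return SAME_SEGMENT
    return GBP_RULES.get((src, dst), DEFAULT_POLICY)


def check_requirements() -> dict:
    """Evaluate the page's three networking requirements against the model."""
    db, phys, vm1, vm2 = "192.168.40.1", "192.168.30.1", "192.168.10.1", "192.168.20.1"
    return {
        "all hosts reach database": all(decide(h, db) == "permit" for h in (phys, vm1, vm2)),
        "VMs isolated from physical server": all(
            decide(v, phys) == "deny" and decide(phys, v) == "deny" for v in (vm1, vm2)),
        "VM1 and VM2 communicate": decide(vm1, vm2) == "permit" and decide(vm2, vm1) == "permit",
    }


if __name__ == "__main__":
    for name, ok in check_requirements().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

Because unknown-segment is left at permit, a host whose IP is in no EPG is not filtered at all; the model makes that visible, which is why a complete EPG inventory matters as much as the GBP rules.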
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
evpn-overlay enable
#
traffic-segment same-segment permit
#
traffic-segment segment-id 32768 segment-name EPG1
 segment-member ip 192.168.10.1 255.255.255.255 vpn-instance vpn1
 segment-member ip 192.168.20.1 255.255.255.255 vpn-instance vpn1
#
segment classifier EPG1-EPG3
 rule permit source-segment 32768 destination-segment 32770
 rule permit source-segment 32770 destination-segment 32768
#
segment classifier EPG2-EPG3
 rule permit source-segment 32769 destination-segment 32770
 rule permit source-segment 32770 destination-segment 32769
#
segment behavior EPG1-EPG3
#
segment behavior EPG2-EPG3
#
segment policy GBP
 classifier EPG1-EPG3 behavior EPG1-EPG3 precedence 3
 classifier EPG2-EPG3 behavior EPG2-EPG3 precedence 6
#
traffic-segment enable
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 11:11
  vpn-target 1:1 export-extcommunity
  vpn-target 11:1 export-extcommunity evpn
  vpn-target 1:1 import-extcommunity
  vpn-target 11:1 import-extcommunity evpn
  vxlan vni 5010
#
bridge-domain 10
 vxlan vni 10
 evpn
  route-distinguisher 10:1
  vpn-target 10:1 export-extcommunity
  vpn-target 11:1 export-extcommunity
  vpn-target 10:1 import-extcommunity
#
bridge-domain 20
 vxlan vni 20
 evpn
  route-distinguisher 20:1
  vpn-target 20:1 export-extcommunity
  vpn-target 11:1 export-extcommunity
  vpn-target 20:1 import-extcommunity
#
interface Vbdif10
 ip binding vpn-instance vpn1
 ip address 192.168.10.2 255.255.255.0
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif20
 ip binding vpn-instance vpn1
 ip address 192.168.20.2 255.255.255.0
 vxlan anycast-gateway enable
 arp collect host enable
#
interface 10GE1/0/1
 undo portswitch
 ip address 192.168.2.1 255.255.255.0
#
interface 10GE1/0/2.1 mode l2
 encapsulation dot1q vid 10
 bridge-domain 10
#
interface 10GE1/0/3.1 mode l2
 encapsulation dot1q vid 20
 bridge-domain 20
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
interface Nve1
 source 2.2.2.2
 vni 10 head-end peer-list protocol bgp
 vni 20 head-end peer-list protocol bgp
#
bgp 200
 peer 192.168.2.2 as-number 100
 #
 ipv4-family unicast
  network 2.2.2.2 255.255.255.255
  peer 192.168.2.2 enable
#
bgp 100 instance evpn1
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack0
 #
 l2vpn-family evpn
  policy vpn-target
  peer 3.3.3.3 enable
  peer 3.3.3.3 advertise irb
#
return
- SwitchB configuration file
#
sysname SwitchB
#
evpn-overlay enable
#
traffic-segment same-segment permit
#
traffic-segment segment-id 32769 segment-name EPG2
 segment-member ip 192.168.30.1 255.255.255.255 vpn-instance vpn1
#
traffic-segment segment-id 32770 segment-name EPG3
 segment-member ip 192.168.40.1 255.255.255.255 vpn-instance vpn1
#
segment classifier EPG1-EPG3
 rule permit source-segment 32768 destination-segment 32770
 rule permit source-segment 32770 destination-segment 32768
#
segment classifier EPG2-EPG3
 rule permit source-segment 32769 destination-segment 32770
 rule permit source-segment 32770 destination-segment 32769
#
segment behavior EPG1-EPG3
#
segment behavior EPG2-EPG3
#
segment policy GBP
 classifier EPG1-EPG3 behavior EPG1-EPG3 precedence 3
 classifier EPG2-EPG3 behavior EPG2-EPG3 precedence 6
#
traffic-segment enable
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 22:22
  vpn-target 2:2 export-extcommunity
  vpn-target 11:1 export-extcommunity evpn
  vpn-target 2:2 import-extcommunity
  vpn-target 11:1 import-extcommunity evpn
  vxlan vni 5010
#
bridge-domain 30
 vxlan vni 30
 evpn
  route-distinguisher 30:1
  vpn-target 30:1 export-extcommunity
  vpn-target 11:1 export-extcommunity
  vpn-target 30:1 import-extcommunity
#
bridge-domain 40
 vxlan vni 40
 evpn
  route-distinguisher 40:1
  vpn-target 40:1 export-extcommunity
  vpn-target 11:1 export-extcommunity
  vpn-target 40:1 import-extcommunity
#
interface Vbdif30
 ip binding vpn-instance vpn1
 ip address 192.168.30.2 255.255.255.0
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif40
 ip binding vpn-instance vpn1
 ip address 192.168.40.2 255.255.255.0
 vxlan anycast-gateway enable
 arp collect host enable
#
interface 10GE1/0/1
 undo portswitch
 ip address 192.168.3.1 255.255.255.0
#
interface 10GE1/0/2.1 mode l2
 encapsulation dot1q vid 30
 bridge-domain 30
#
interface 10GE1/0/3.1 mode l2
 encapsulation dot1q vid 40
 bridge-domain 40
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
interface Nve1
 source 1.1.1.1
 vni 30 head-end peer-list protocol bgp
 vni 40 head-end peer-list protocol bgp
#
bgp 300
 peer 192.168.3.2 as-number 100
 #
 ipv4-family unicast
  network 1.1.1.1 255.255.255.255
  peer 192.168.3.2 enable
#
bgp 100 instance evpn1
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack0
 #
 l2vpn-family evpn
  policy vpn-target
  peer 3.3.3.3 enable
  peer 3.3.3.3 advertise irb
#
return
- SwitchC configuration file
#
sysname SwitchC
#
evpn-overlay enable
#
interface 10GE1/0/1
 undo portswitch
 ip address 192.168.2.2 255.255.255.0
#
interface 10GE1/0/2
 undo portswitch
 ip address 192.168.3.2 255.255.255.0
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
bgp 100
 peer 192.168.2.1 as-number 200
 peer 192.168.3.1 as-number 300
 #
 ipv4-family unicast
  network 3.3.3.3 255.255.255.255
  peer 192.168.2.1 enable
  peer 192.168.3.1 enable
#
bgp 100 instance evpn1
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 2.2.2.2 enable
  peer 2.2.2.2 advertise irb
  peer 2.2.2.2 reflect-client
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
  peer 1.1.1.1 reflect-client
#
return