No relevant resource is found in the selected language.
Enterprise
Worldwide
Huawei Global - English
Search
Support Documentation
Configuration Guide - VXLAN
S9300 and S9300X V200R019C10

This document describes the configurations of VXLAN.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring VXLAN in Distributed Gateway Mode Using BGP EVPN

Configuring VXLAN in Distributed Gateway Mode Using BGP EVPN

Pre-configuration Tasks

Before configuring user communication over VXLAN tunnels, ensure route reachability.

Configuration Process

Figure 1-55 shows the flowchart of configuring VXLAN in distributed gateway mode.

Figure 1-55 Flowchart of configuring VXLAN in distributed gateway mode
The following table lists the differences in support for the optional configurations in the distributed gateway scenario between IPv4 overlay and IPv6 overlay networks.

Configuration Task

IPv4 Overlay Network

IPv6 Overlay Network

(Optional) Configuring Three-Segment VXLAN to Implement Layer 3 Interworking

Supported

Not supported

(Optional) Configuring ARP Broadcast Suppression

Supported

Not supported

(Optional) Configuring NS Multicast Suppression

Not supported

Supported

(Optional) Configuring Isolation on the Access Side

Supported

Supported

(Optional) Configuring Unidirectional Isolation from the Access Side to the Tunnel Side

Supported

Supported

(Optional) Configuring the Local Proxy ARP Function

Supported

Not supported

(Optional) Configuring the Routed Proxy ND Function

Not supported

Supported

(Optional) Configuring the Local Proxy ND Function

Not supported

Supported

(Optional) Configuring Traffic Suppression in a BD

Supported

Supported

(Optional) Configuring a Static MAC Address Entry

Supported

Supported

(Optional) Configuring a Static ARP Entry

Supported

Not supported

(Optional) Configuring a Static IPv6 Neighbor Entry

Not supported

Supported

Configuring Deployment Mode for VXLAN Access Service

Context

When configuring VXLAN on a device, you need to select a deployment mode for the VXLAN access service on the downlink interface.

At the access side, two methods are available for deploying VXLAN services:

  • Based on VLAN: You can associate one or more VLANs with a BD to add users in these VLANs to the BD. This VLAN-based mode implements larger-granularity control, but is easy to configure. It applies to VXLAN deployment on a live network.

  • Based on encapsulation mode: The device sends packets of different encapsulation modes to different Layer 2 sub-interfaces based on the VLAN tags contained in the packets. You can bind a Layer 2 sub-interface to a BD to add specified users to the BD. This mode implements refined and flexible control but requires more complex configuration. It applies to VXLAN deployment on a new network.

When NAC authentication is configured on the access-side main interface, VXLAN Layer 2 sub-interfaces cannot be created on the main interface to connect to the VXLAN.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run set vxlan resource super-mode

    The super VXLAN resource mode is set.

    By default, the device supports 4094 BDs. The device supports 16000 BDs after the super VXLAN resource mode is set.

    • After setting the super VXLAN resource mode, save the configuration and then restart the device to make the configuration take effect.

    • When the super VXLAN resource mode is configured, the forwarding performance of some services may degrade, such as the IP multicast, VPLS, VLAN mapping, Layer 3 traffic forwarding of sub-interfaces, and VLAN stacking services.

  3. Run bridge-domain bd-id

    A BD is created and the BD view is displayed.

    By default, no BD is created.

  4. (Optional) Run description description

    The description is configured for the BD.

    By default, no description is configured for a BD.

  5. Run quit

    Exit from the BD view and return to the system view.

  6. (Optional) Specify an interface as a VXLAN access-side interface.

    1. Run interface interface-type interface-number

      The interface view is displayed.

    2. Run port nvo3 mode access

      The interface is specified as a VXLAN access-side interface.

      By default, a device's interface cannot perform VXLAN encapsulation for common IP packets that carry VXLAN packets and have the destination UDP port number 4789 when the tunnel-side is LE2D2X48SEC0.

    3. Run quit

      Return to the system view.

  7. Configure a service access point.

    • Based on VLAN:

      1. Run vlan vlan-id

        A VLAN is created and the VLAN view is displayed.

      2. Run quit

        Exit from the VLAN view and return to the system view.

      3. Run bridge-domain bd-id

        The view of an existing BD is displayed.

      4. Run l2 binding vlan vlan-id

        A VLAN is associated with the BD so that data packets can be forwarded in the BD.

        By default, a VLAN is not associated with a BD.

        • One VLAN can be associated with only one BD, but one BD can be associated with multiple VLANs.

        • After a global VLAN is associated with a BD, you need to add corresponding interfaces to the VLAN.

        • If member interfaces of a voice VLAN are located on cards except the LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and X series cards, the voice VLAN cannot be associated with a BD.
        • In NAC authentication scenarios, if there are online users in a VLAN, running the undo l2 binding vlan command to unbind the VLAN from a BD makes the users go offline.
        • If a VLAN is an ISP VLAN authorized to users and users exist in the VLAN on the device, the VLAN cannot be associated with a BD.
        • If a VLAN is used as the management VLAN of a Fit AP, it is not recommended that the VLAN be associated with a BD.
    • Based on encapsulation mode:

      1. Run interface interface-type interface-number.subnum mode l2

        A Layer 2 sub-interface is created, and the sub-interface view is displayed.

      2. Run rewrite pop { single | double | none }

        The device is configured to remove VLAN tags from packets received by the Layer 2 sub-interface.

        By default, the device removes two VLAN tags from packets received by Layer 2 sub-interfaces that use QinQ encapsulation, removes one VLAN tag from packets received by Layer 2 sub-interfaces that use Dot1q encapsulation.

        • You can only configure the rewrite pop single command on Layer 2 sub-interfaces that use Dot1q encapsulation and no VLAN segment can be configured for Layer 2 sub-interfaces.
        • You can only configure the rewrite pop double command on Layer 2 sub-interfaces that use QinQ encapsulation and no VLAN segment can be configured for Layer 2 sub-interfaces.
        • You can only configure the rewrite pop none command on Layer 2 sub-interfaces that use Dot1q or QinQ encapsulation.

      3. Run encapsulation { dot1q vid low-pe-vid [ to high-pe-vid ] | default | untag | qinq vid low-vlan-vid [ to high-vlan-vid ] ce-vid low-ce-vid [ to high-ce-vid ] }

        An encapsulation mode is configured for a Layer 2 sub-interface to specify the type of packets that can pass through the sub-interface.

        By default, the encapsulation mode of packets allowed to pass a Layer 2 sub-interface is not configured.

        When configuring an encapsulation mode on a Layer 2 sub-interface, pay attention to the following points:

        • The VLAN ID in dot1q mode or outer VLAN ID in qinq mode cannot be the same as the allowed VLAN of the corresponding main interface or the global VLAN.

        • On the same main interface, the VLAN ID in dot1q mode and the outer VLAN ID in qinq mode must be different.

        • After NAC authentication is configured on the main interface, the traffic encapsulation type on a Layer 2 sub-interface cannot be set to default.

        • When the encapsulation mode of a Layer 2 sub-interface is default, the corresponding main interface cannot be added to any VLAN, including VLAN 1.

        • Before the encapsulation mode of a Layer 2 sub-interface is set to default, the main interface has only one sub-interface.

        • After the encapsulation mode of a Layer 2 sub-interface is set to default, no other sub-interface can be created on the main interface.

        • When the encapsulation mode of a Layer 2 sub-interface is set to untag, the corresponding main interface cannot be added to VLAN 1, and other sub-interfaces of the main interface cannot be set to untag.

        • You can configure only one encapsulation mode for each Layer 2 sub-interface. If an encapsulation mode has been configured for a Layer 2 sub-interface, run the undo encapsulation command to delete the original mode before you configure another mode.

        • Before configuring a VLAN segment on a Dot1q or QinQ Layer 2 sub-interface, you must run the rewrite pop none command.

      4. Run bridge-domain bd-id

        A specified Layer 2 sub-interface is associated with a BD so that data packets can be forwarded in the BD.

        By default, a Layer 2 sub-interface is not associated with a BD.

Configuring a VXLAN Tunnel

Context

To allow VXLAN tunnel establishment using EVPN, configure an EVPN instance, establish a BGP EVPN peer relationship, and configure ingress replication.

VXLAN packets are transmitted through VXLAN tunnels. In distributed VXLAN gateway scenarios, perform the following steps on a VXLAN gateway to use EVPN for establishing VXLAN tunnels:

  1. Configure a BGP EVPN peer relationship. Configure VXLAN gateways to establish BGP EVPN peer relationships so that they can exchange EVPN routes. If an RR has been deployed, each VXLAN gateway only needs to establish a BGP EVPN peer relationship with the RR.

  2. (Optional) Configure an RR. If you configure an RR, each VXLAN gateway only needs to establish a BGP EVPN peer relationship with the RR. The deployment of RRs reduces the number of BGP EVPN peer relationships to be established, simplifying configuration. A live-network device can be used as an RR, or a standalone RR can be deployed.

  3. Configure an EVPN instance. EVPN instances are used to receive and advertise EVPN routes.

  4. Configure ingress replication. After ingress replication is configured for a VNI, the system uses BGP EVPN to construct a list of remote VTEPs. After a VXLAN gateway receives BUM packets, its sends a copy of the BUM packets to every VXLAN gateway in the list.

  5. (Optional) Configure subscription to the status of the exact route to a VXLAN tunnel destination. After this function is configured, a VXLAN tunnel is considered Up only if its source IP address and the destination IP address are reachable.

Procedure

  1. Configure a BGP EVPN peer relationship.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      BGP is enabled, and the BGP view is displayed.

      By default, the BGP is disabled.

    3. (Optional) Run router-id ipv4-address

      A router ID is set.

      By default, no BGP Router ID is configured.

    4. Run peer ipv4-address as-number as-number

      The peer device is configured as a BGP peer.

      By default, no BGP peer is configured, and no AS number is specified for a peer.

    5. (Optional) Run peer ipv4-address connect-interface interface-type interface-number [ ipv4-source-address ]

      A source interface and a source address are specified to set up a TCP connection with the BGP peer.

      By default, the outbound interface of a BGP packet serves as the source interface of a BGP packet.

      When loopback interfaces are used to establish a BGP connection, running the peer connect-interface command on both ends is recommended to ensure the connectivity. If this command is run on only one end, the BGP connection may fail to be established.

    6. (Optional) Run peer ipv4-address ebgp-max-hop [ hop-count ]

      The maximum number of hops is set for an EBGP EVPN connection.

      The default value of hop-count is 255.

      In most cases, a directly connected physical link must be available between EBGP EVPN peers. If you want to establish EBGP EVPN peer relationships between indirectly connected peers, run the peer ebgp-max-hop command. The command also can configure the maximum number of hops for an EBGP EVPN connection.

      When the IP address of loopback interface to establish an EBGP EVPN peer relationship, run the peer ebgp-max-hop (of which the value of hop-count is not less than 2) command. Otherwise, the peer relationship fails to be established.

    7. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

      By default, the BGP-EVPN address family view is disabled.

    8. Run peer ipv4-address enable

      The device is enabled to exchange EVPN routes with a specified peer.

      By default, only the peer in the BGP IPv4 unicast address family view is automatically enabled.

    9. (Optional) Run peer ipv4-address route-policy route-policy-name { import | export }

      A routing policy is specified for routes received from or to be advertised to a BGP EVPN peer.

      After the routing policy is applied, the routes received from or to be advertised to a specified BGP EVPN peer will be filtered, ensuring that only desired routes are imported or advertised. This configuration helps manage routes and reduce required routing entries and system resources.

    10. (Optional) Run peer ipv4-address next-hop-invariable

      The device is configured to advertise routes to EBGP EVPN peers without changing the next hops.

      If a VTEP node has established an EBGP EVPN peer relationship with a gateway, run the peer next-hop-invariable command on the VTEP node and ensure that the route's next hop received by the gateway is pointing to another gateway.

      By default, a BGP EVPN speaker changes the next hops of routes to the interface that it uses to establish EBGP EVPN peer relationships before advertising these routes to EBGP EVPN peers.

    11. (Optional) Run peer ipv4-address mac-limit number [ idle-forever | idle-timeout times ]

      The maximum number of MAC advertisement routes that can be received from each peer is configured.

      If an EVPN instance may import many invalid MAC advertisement routes from peers and these routes occupy a large proportion of the total MAC advertisement routes. If the received MAC advertisement routes exceed the specified maximum number, the system displays an alarm, instructing users to check the validity of the MAC advertisement routes received in the EVPN instance.

    12. Run quit

      Exit from the BGP-EVPN address family view.

    13. Run quit

      Exit from the BGP view.

  2. (Optional) Configure an RR. If an RR is configured, each VXLAN gateway only needs to establish a BGP EVPN peer relationship with the RR, reducing the number of BGP EVPN peer relationships to be established and simplifying configuration.
    1. (Optional) Run bgp optimized-send enable\

      The rapid BGP packet sending function is enabled.

      By default, the rapid BGP packet sending function is disabled.

      The S9303 does not support this configuration.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

    4. Run peer ipv4-address enable

      The device is enabled to exchange EVPN routes with a specified peer.

      By default, only the peer in the BGP IPv4 unicast address family view is automatically enabled.

    5. (Optional) Run peer ipv4-address next-hop-invariable

      The device is prevented from changing the next hop address of a route when advertising the route to an EBGP peer.

      By default, a BGP EVPN speaker changes the next hops of routes to the interface that it uses to establish EBGP EVPN peer relationships before advertising these routes to EBGP EVPN peers.

    6. Run peer ipv4-address reflect-client

      The device is configured as an RR and an RR client is specified.

      By default, the route reflector and its client are not configured.

    7. (Optional) Run undo policy vpn-target

      The function to filter received EVPN routes based on VPN targets is disabled.

    8. Run quit

      Exit from the BGP-EVPN address family view.

    9. Run quit

      Exit from the BGP view.

  3. Configure an EVPN instance.
    1. (Optional) Run evpn mac-route enable

      The MAC route function for BGP EVPN is enabled.

      By default, the MAC route function for BGP EVPN is disabled.

    2. Run evpn vpn-instance vpn-instance bd-mode

      An EVPN instance is created and the EVPN instance view is displayed.

      By default, no EVPN instance is configured.

    3. Run route-distinguisher route-distinguisher

      An RD is configured for the EVPN instance.

      By default, no RD is configured for EVPN instances.

    4. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

      VPN targets are configured for the EVPN instance. The export VPN target of the local end must be the same as the import VPN target of the remote end, and the import VPN target of the local end must be the same as the export VPN target of the remote end.

      By default, no VPN target is configured for EVPN instances.

      It is not recommended that one IRT be contained by more than 32 EVPN instances.

    5. (Optional) Run mac-route no-advertise

      The device is configured not to advertise local MAC routes.

      By default, a device advertises local MAC routes.

    6. (Optional) Run mac rib-only

      The device is not triggered by remote MAC routes to deliver MAC address entries.

      By default, a device is triggered by remote MAC routes to deliver MAC address entries.

    7. Run quit

      The EVPN instance view is exited.

  4. Create a bridge domain (BD) and bind it to an EVPN instance.
    1. Run bridge-domain bd-id

      The BD view is displayed.

      By default, no bridge domain is created.

    2. Run vxlan vni vni-id

      A VNI is created and mapped to the BD.

      By default, no VNI is created.

    3. Run evpn binding vpn-instance vpn-instance

      A BD is configured and bound to an EVPN instance.

      By default, no BD is bound to the EVPN instance.

    4. Run quit

      The BD view is exited.

  5. Configure an ingress replication list.
    1. Run interface nve nve-number

      An NVE interface is created, and the NVE interface view is displayed.

    2. Run source ip-address

      An IP address is configured for the source VTEP.

      By default, no IP address is configured for any source VTEP.

    3. Run vni vni-id head-end peer-list protocol bgp

      An ingress replication list is configured.

      By default, no ingress replication list is configured for any VNI.

      After the ingress of a VXLAN tunnel receives broadcast, unknown unicast, and multicast (BUM) packets, it replicates these packets and sends a copy to each VTEP in the ingress replication list. The ingress replication list is a collection of remote VTEP IP addresses to which the ingress of a VXLAN tunnel should send replicated BUM packets to.

      BUM packet forwarding is implemented only using ingress replication. To establish a VXLAN tunnel between a Huawei device and a non-Huawei device, ensure that the non-Huawei device also has ingress replication configured. Otherwise, communication fails.

    4. Run quit

      Return to the system view.

  6. (Optional) Run vxlan tunnel-status track exact-route

    Subscription to the status of the exact route to a VXLAN tunnel destination is enabled.

    By default, subscription to the status of the exact route to a VXLAN tunnel destination is disabled.

    By default, if the source IP address of a VXLAN tunnel is reachable using an exact route and the network segment where the destination IP address belongs is reachable using a route, this VXLAN tunnel is considered Up. In real-world networking, there may be multiple destination addresses on the same network segment. If the network segment is considered reachable because one of the destination addresses is reachable, the tunnel status is reported incorrectly when an IP address on this network segment becomes unreachable. As a result, network faults cannot be discovered in a timely manner. To address this issue, run the vxlan tunnel-status track exact-route command to enable subscription to the status of the exact route to a VXLAN tunnel destination. Subsequently, the VXLAN tunnel is considered Up only when the destination VTEP is reachable using an exact route.

Follow-up Procedure

Because of card differences, when the LE1D2S04SEC0 card, LE1D2X32SEC0 card, LE1D2H02QEC0 card, and X series cards function as access-side cards and the switch encapsulates received packets, VXLAN packets in the same tunnel have the same source IP address, source MAC address, destination IP address, and destination MAC address, and only their transport-layer source port numbers are changed. To prevent a Higig-Trunk on an MPU or SFU from unevenly load balancing inter-card VXLAN traffic, you need to configure the transport-layer source port number as a load balancing factor for the Higig-Trunk on the MPU or SFU to perform load balancing.

Run the load-distribution enhanced ip-field l4-sport command in the system view to configure a Higig-Trunk on an MPU or SFU to use the transport-layer source port number as a load balancing factor when performing load balancing.

By default, a Higig-Trunk on an MPU or SFU uses the transport-layer source port number as a load balancing factor when performing load balancing.

  • This configuration takes effect for MPUs, SFUs, and the LE1D2S04SEC0 card, LE1D2X32SEC0 card, LE1D2H02QEC0 card, and X series cards on which the load balancing mode of a Higig-Trunk is enhanced mode. For details on how to configure enhanced load balancing mode for a Higig-Trunk on the LE1D2S04SEC0 card, LE1D2X32SEC0 card, LE1D2H02QEC0 card, and X series cards, see the load-distribution mode command.

  • You are advised to perform the preceding configuration on forwarding devices along the VXLAN tunnel. If VXLAN packets pass through an Eth-Trunk on a forwarding device, you are advised to run the load-balance command to set the load balancing mode of the Eth-Trunk to enhanced mode, and run the ipv4 field command to configure the transport-layer source port number of packets as a load balancing factor in the load balancing profile.

Configuring a Layer 3 VXLAN Gateway

Context

When distributed VXLAN gateways are deployed using BGP EVPN, Layer 3 VXLAN gateways must be configured to implement inter-subnet communication.

In distributed VXLAN gateway scenarios, inter-subnet communication between hosts requires Layer 3 forwarding. To allow this, Layer 3 VXLAN gateways must learn host routes. Perform the following operations on VXLAN gateways:

  • Configure a VPN instance whose routes can be installed into the routing table of the EVPN instance. This VPN instance is used to store host routes or network segment routes, differentiating tenants.

  • Bind the VPN instance to a Layer 3 VXLAN gateway, enable distributed gateway, and configure host route advertisement.

  • Configure the type of route to be advertised between VXLAN gateways. VXLAN gateways can send different routing information through different types of routes. If an RR is deployed on the network, only the type of route to be advertised between the RR and VXLAN gateways needs to be configured.

Figure 1-56 Layer 3 VXLAN gateway networking

When configuring a VXLAN Layer 3 gateway, choose configuration steps according to the Overlay network IP layer protocol.

Procedure

  • Configuration of VXLAN Layer 3 Gateway for an IPv4 overlay network:
    1. Configure a VPN instance whose routes can be installed into the routing table of the EVPN instance.

      1. Run system-view

        The system view is displayed.

      2. Run ip vpn-instance vpn-instance-name

        A VPN instance is created and the VPN instance view is displayed.

        By default, no VPN instance is created.

      3. Run vxlan vni vni-id

        A VNI is created and mapped to the VPN instance.

        By default, a VNI is not bound to any VPN instance.

      4. Run ipv4-family

        The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4 address family view is displayed.

        By default, the IPv4 address family is not enabled for any VPN instance.

      5. Run route-distinguisher route-distinguisher

        An RD is configured for the VPN instance IPv4 address family.

        By default, no RD is configured for the VPN instance IPv4 address family.

      6. (Optional) Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

        VPN targets are configured for the VPN instance IPv4 address family.

        By default, no VPN target is configured for the VPN instance IPv4 address family.

        A VPN target is the extended community attribute of BGP. It controls reception and advertisement of VPN routes. A maximum of eight VPN targets can be configured each time the vpn-target command is run. To configure more VPN targets for the VPN instance IPv4 address family, run the vpn-target command several times.

      7. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ] evpn

        VPN targets are configured for the VPN instance IPv4 address family for exchanging routes with the EVPN instance. vpn-target specified must be the same as the RT of the EVPN instance.

        The routes advertised by the VPN instance IPv4 address family to an EVPN instance do not carry the export VPN targets of the VPN instance IPv4 address family. Instead, the routes carry all VPN targets in the export VPN target list configured for the EVPN instance in the BD.

        The routes advertised by an EVPN instance can be added to the routing table of the VPN instance IPv4 address family only when the VPN targets of the routes are carried in the import VPN target list of the VPN instance IPv4 address family.

      8. (Optional) Run import route-policy policy-name evpn

        The VPN instance IPv4 address family is associated with an import route-policy that is used to filter routes imported from the EVPN instance to the VPN instance IPv4 address family.

        By default, an EVPN instance matches the export VPN targets of received routes against the import VPN targets of the VPN instance IPv4 address family to determine whether to import these routes. To precisely import routes advertised by an EVPN instance to the VPN instance IPv4 address family, perform this step to associate the VPN instance IPv4 address family with an import route-policy and set attributes for eligible routes.

      9. (Optional) Run export route-policy policy-name evpn

        The VPN instance IPv4 address family is associated with an export route-policy that is used to filter routes advertised from the VPN instance IPv4 address family to the EVPN instance.

        By default, the routes advertised by the VPN instance IPv4 address family to an EVPN instance carry all export VPN targets of the VPN instance IPv4 address family. To precisely import routes advertised by the VPN instance IPv4 address family to an EVPN instance, perform this step to associate the VPN instance IPv4 address family with an export route-policy and set attributes for eligible routes.

      10. Run quit

        Exit from the VPN instance IPv4 address family view.

      11. Run quit

        Exit from the VPN instance view.

    2. Bind the VPN instance to a Layer 3 VXLAN gateway, enable distributed gateway, and configure host route advertisement.

      1. Run interface vbdif bd-id

        A VBDIF interface is created, and the VBDIF interface view is displayed.

        By default, no VBDIF interface is created.

        • The number of the VBDIF interface must match an existing BD ID.

        • If the assign resource-mode command is run to set the resource mode to enhanced-arp, a tunnel-side interface of the LE2D2X48SEC0 card cannot forward VXLAN packets at Layer 3.

      2. Run ip binding vpn-instance vpn-instance-name

        A VPN instance is bound to the VBDIF interface.

        By default, no VPN instance is bound to a VBDIF interface.

      3. Run ip address ip-address { mask | mask-length } [ sub ]

        An IPv4 address is configured for the VBDIF interface.

        By default, no IP address is configured for a VBDIF interface.

      4. (Optional) Run mac-address mac-address

        A MAC address is configured for the VBDIF interface.

        By default, the MAC address of a VBDIF interface is the system MAC address.

        On a network with distributed VXLAN gateways that need to be simulated into one, you need to run the mac-address command to configure the same MAC address for the VBDIF interfaces of VXLAN Layer 3 gateways.

      5. Run arp distribute-gateway enable

        Distributed gateway is enabled.

        By default, distributed gateway is disabled.

        After distributed gateway is enabled on a Layer 3 gateway, the Layer 3 gateway discards network-side ARP packets and learns only user-side ARP packets.

      6. Run arp collect host enable

        Host route advertisement is configured for the VBDIF interface.

      7. Run quit

        Exit from the VBDIF interface view.

    3. Configure the type of route to be advertised between VXLAN gateways. If an RR has been deployed, configure the type of route to be advertised between VXLAN gateways and the RR.

      • Configure IRB route advertisement.

        1. Run bgp as-number

          The BGP view is displayed.

        2. Run l2vpn-family evpn

          The BGP-EVPN address family view.

        3. Run peer ipv4-address advertise irb

          IRB route advertisement is configured.

        4. Run quit

          Exit from the BGP-EVPN address family.

        5. Run quit

          Exit from the BGP view.

        IRB routes are Type 2 BGP EVPN routes that carry hosts' MAC and IP addresses as well as Layer 2 and Layer 3 VNIs. IRB routes can be used to advertise host IP routes as well as ARP entries. After IRB route advertisement is configured, running the arp broadcast-suppress [ mismatch-discard ] enable command in BD view implements ARP broadcast suppression. In addition, host ARP entry advertisement allows VM migration in distributed gateway scenarios. As such, configuring IRB route advertisement is recommended.

      • Configure IP prefix route advertisement.

        1. Run bgp as-number

          The BGP is displayed.

        2. Run ipv4-family vpn-instance vpn-instance-name

          The BGP-VPN instance IPv4 address family view is displayed.

        3. Run import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] *

          A type of route is imported to the BGP-VPN instance IPv4 address family view.

          If host IP route advertisement is required, configure direct in the command. If network segment route advertisement is required, use a dynamic routing protocol, such as OSPF. Then, configure the BGP-VPN instance IPv4 address family to import the routes of the dynamic routing protocol.

        4. Run advertise l2vpn evpn

          IP prefix route advertisement is configured.

        5. Run quit

          Exit from the BGP-VPN instance IPv4 address family view.

        6. Run quit

          Exit from the BGP view.

        IP prefix routes are Type 5 BGP EVPN routes that carry host IP addresses or network segment addresses as well as Layer 3 VNIs. IP prefix routes are used to advertise host IP routes as well as network segment routes to which the host IP routes belong. If a large number of specific host routes are available, configure IP prefix route advertisement so that the network segment routes can be imported to the BGP-VPN instance IPv4 address family, sparing the VXLAN gateways from storing all specific host routes.

        A VXLAN gateway can advertise network segment routes only if the network segments attached to the gateway are unique network-wide.

  • Configuration of VXLAN Layer 3 Gateway for an IPv6 overlay network:
    1. Configure a VPN instance whose routes can be installed into the routing table of the EVPN instance.

      1. Run system-view

        The system view is displayed.

      2. Run ip vpn-instance vpn-instance-name

        A VPN instance is created and the VPN instance view is displayed.

        By default, no VPN instance is created.

      3. Run vxlan vni vni-id

        A VNI is created and mapped to the VPN instance.

        By default, a VNI is not bound to any VPN instance.

      4. Run ipv6-family

        The IPv6 address family is enabled for the VPN instance, and the VPN instance IPv6 address family view is displayed.

        By default, the IPv6 address family is not enabled for any VPN instance.

      5. Run route-distinguisher route-distinguisher

        An RD is configured for the VPN instance IPv6 address family.

        By default, no RD is configured for the VPN instance IPv6 address family.

      6. (Optional) Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

        VPN targets are configured for the VPN instance IPv6 address family.

        By default, no VPN target is configured for the VPN instance IPv6 address family.

        A VPN target is the extended community attribute of BGP. It controls reception and advertisement of VPN routes. A maximum of eight VPN targets can be configured each time the vpn-target command is run. To configure more VPN targets for the VPN instance IPv6 address family, run the vpn-target command several times.

      7. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ] evpn

        VPN targets are configured for the VPN instance IPv6 address family for exchanging routes with the EVPN instance. vpn-target specified must be the same as the RT of the EVPN instance.

        The routes advertised by the VPN instance IPv6 address family to an EVPN instance do not carry the export VPN targets of the VPN instance IPv6 address family. Instead, the routes carry all VPN targets in the export VPN target list configured for the EVPN instance in the BD.

        The routes advertised by an EVPN instance can be added to the routing table of the VPN instance IPv6 address family only when the VPN targets of the routes are carried in the import VPN target list of the VPN instance IPv6 address family.

      8. (Optional) Run import route-policy policy-name evpn

        The VPN instance IPv6 address family is associated with an import route-policy that is used to filter routes imported from the EVPN instance to the VPN instance IPv6 address family.

        By default, an EVPN instance matches the export VPN targets of received routes against the import VPN targets of the VPN instance IPv6 address family to determine whether to import these routes. To precisely import routes advertised by an EVPN instance to the VPN instance IPv4 address family, perform this step to associate the VPN instance IPv6 address family with an import route-policy and set attributes for eligible routes.

      9. (Optional) Run export route-policy policy-name evpn

        The VPN instance IPv4 address family is associated with an export route-policy that is used to filter routes advertised from the VPN instance IPv6 address family to the EVPN instance.

        By default, the routes advertised by the VPN instance IPv6 address family to an EVPN instance carry all export VPN targets of the VPN instance IPv6 address family. To precisely import routes advertised by the VPN instance IPv4 address family to an EVPN instance, perform this step to associate the VPN instance IPv6 address family with an export route-policy and set attributes for eligible routes.

      10. Run quit

        Exit from the VPN instance IPv6 address family view.

      11. Run quit

        Exit from the VPN instance view.

    2. Bind the VPN instance to a Layer 3 VXLAN gateway, enable distributed gateway, and configure host route advertisement.

      1. Run ipv6

        IPv6 packet forwarding is enabled.

      2. Run interface vbdif bd-id

        A VBDIF interface is created, and the VBDIF interface view is displayed.

        By default, no VBDIF interface is created.

      3. Run ip binding vpn-instance vpn-instance-name

        A VPN instance is bound to the VBDIF interface.

        By default, no VPN instance is bound to a VBDIF interface.

      4. Run ipv6 enable

        The IPv6 function is enabled on the interface.

        By default, the IPv6 function is disabled on an interface.

      5. Run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

        An IPv6 global unicast address is manually configured.

        Alternatively, run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

        An IPv6 global unicast address is generated in EUI-64 format.

        By default, no IPv6 address is configured for a VBDIF interface.

      6. (Optional) Run mac-address mac-address

        A MAC address is configured for the VBDIF interface.

        By default, the MAC address of a VBDIF interface is the system MAC address.

        On a network with distributed VXLAN gateways that need to be simulated into one, you need to run the mac-address command to configure the same MAC address for the VBDIF interfaces of VXLAN Layer 3 gateways.

      7. Run ipv6 nd distribute-gateway enable

        Distributed gateway is enabled.

        By default, distributed gateway is disabled.

        After distributed gateway is enabled on a Layer 3 gateway, the Layer 3 gateway discards network-side NS packets and learns only user-side NS packets.

      8. Run ipv6 nd collect host enable

        Host IPv6 route advertisement is configured for the VBDIF interface.

      9. Run quit

        Exit from the VBDIF interface view.

    3. Configure the type of route to be advertised between VXLAN gateways. If an RR has been deployed, configure the type of route to be advertised between VXLAN gateways and the RR.

      • Configure IRB route advertisement.

        1. Run bgp as-number

          The BGP view is displayed.

        2. Run l2vpn-family evpn

          The BGP-EVPN address family view.

        3. Run peer ipv4-address advertise irbv6

          IRBv6 route advertisement is configured.

        4. Run quit

          Exit from the BGP-EVPN address family.

        5. Run quit

          Exit from the BGP view.

        IRB routes are Type 2 BGP EVPN routes that carry hosts' MAC and IP addresses as well as Layer 2 and Layer 3 VNIs. IRB routes can be used to advertise host IP routes as well as ARP entries. After IRB route advertisement is configured, running the ipv6 nd multicast-suppress [ mismatch-discard ] enable command in BD view implements ARP broadcast suppression. In addition, host ARP entry advertisement allows VM migration in distributed gateway scenarios. As such, configuring IRB route advertisement is recommended.

      • Configure IP prefix route advertisement.

        1. Run bgp as-number

          The BGP is displayed.

        2. Run ipv6-family vpn-instance vpn-instance-name

          The BGP-VPN instance IPv6 address family view is displayed.

        3. Run import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] *

          A type of route is imported to the BGP-VPN instance IPv6 address family view.

          If host IP route advertisement is required, configure direct in the command. If network segment route advertisement is required, use a dynamic routing protocol, such as OSPF. Then, configure the BGP-VPN instance IPv6 address family to import the routes of the dynamic routing protocol.

        4. Run advertise l2vpn evpn

          IPv6 prefix route advertisement is configured.

        5. Run quit

          Exit from the BGP-VPN instance IPv4 address family view.

        6. Run quit

          Exit from the BGP view.

        IP prefix routes are Type 5 BGP EVPN routes that carry host IP addresses or network segment addresses as well as Layer 3 VNIs. IP prefix routes are used to advertise host IP routes as well as network segment routes to which the host IP routes belong. If a large number of specific host routes are available, configure IP prefix route advertisement so that the network segment routes can be imported to the BGP-VPN instance IPv4 address family, sparing the VXLAN gateways from storing all specific host routes.

        A VXLAN gateway can advertise network segment routes only if the network segments attached to the gateway are unique network-wide.

Follow-up Procedure

If a device uses an interface on the LE2D2X48SEC0 card as the tunnel-side interface, the device can decapsulate received VXLAN packets and forward them at Layer 3 only after a VXLAN loopback interface is configured. As a result, you need to configure an Eth-Trunk interface as the VXLAN loopback interface when the device functions as the Layer 3 VXLAN gateway. Perform the configuration as follows:

  1. Run interface eth-trunk trunk-id

    The Eth-Trunk interface view is displayed.

  2. Run service type vxlan-tunnel

    The Eth-Trunk interface is configured as a VXLAN loopback interface.

    By default, an Eth-Trunk interface is not a VXLAN loopback interface.

  3. Run trunkport interface-type interface-number

    A physical interface is added to the Eth-Trunk interface.

    • After an Eth-Trunk is configured as a VXLAN loopback interface, STP is automatically disabled on the Eth-Trunk. The Eth-Trunk then does not support STP configuration commands. After the configuration is canceled, STP is automatically enabled on the Eth-Trunk.

    • Only one Eth-Trunk on a switch can be configured as the VXLAN loopback interface. VXLAN packets from all VBDIF interfaces are encapsulated and decapsulated by this loopback interface.

    • An Eth-Trunk containing member interfaces cannot be configured as a VXLAN loopback interface.

    • The configurations allowed on an Eth-Trunk to be configured as a loopback interface include description, enable snmp trap updown, jumboframe enable, mixed-rate link enable, qos car inbound, qos phb marking enable, set flow-stat interval, shutdown, local-preference enable, traffic-policy (interface view), and trust. If other configurations exist on the Eth-Trunk, the Eth-Trunk cannot be configured as a loopback interface.

    • After an Eth-Trunk is configured as a loopback interface, the Eth-Trunk supports only the following configurations: authentication open ucl-policy enable, description, enable snmp trap updown, jumboframe enable, mixed-rate link enable, qos car inbound, qos phb marking enable, set flow-stat interval, shutdown, local-preference enable, statistic enable (interface view), traffic-policy (interface view), vcmp disable, and trust.

    • Before running the undo service type vxlan-tunnel command, delete all the member interfaces of the Eth-Trunk interface and all VBDIF interfaces on the device.

    • Only interfaces on the X series, LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and LE2D2X48SEC0 cards can be added to a VXLAN loopback interface.

(Optional) Configuring Three-Segment VXLAN to Implement Layer 3 Interworking

Context

As shown in Figure 1-57, BGP EVPN must be configured to create VXLAN tunnels between distributed gateways in each campus and to create VXLAN tunnels between VTEP nodes so that the inter-subnet hosts in campus A and campus B can communicate with each other.

If a three-segment VXLAN is deployed, both devices that establish a BGP peer relationship between two campuses must regenerate the EVPN routes received within their local campus before advertising the EVPN routes to each other.

Figure 1-57 Configuring Three-Segment VXLAN

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bgp as-number

    The BGP view is displayed.

  3. Run l2vpn-family evpn

    The BGP-EVPN address family view is displayed.

  4. Run peer ipv4-address import reoriginate

    The function to re-originate routes received from BGP EVPN peers is enabled.

  5. Run peer ipv4-address advertise route-reoriginated evpn ip

    The function to advertise re-originated EVPN routes to BGP EVPN peers is enabled.

    After route re-origination is enabled, VTEP 2 or VTEP 3 changes the next hop of a received EVPN route to itself, replaces the router MAC address in the gateway MAC address attribute with its own router MAC address, and replaces the Layer 3 VNI with the VPN instance Layer 3 VNI.

(Optional) Configuring ARP Broadcast Suppression

Context

After you enable ARP broadcast suppression on a Layer 2 VXLAN gateway, configure Border Gateway Protocol Ethernet Virtual Private Network (BGP EVPN) on Layer 2 and Layer 3 VXLAN gateways to allow ARP broadcast suppression to take effect. BGP EVPN can then generate host information based on learned ARP entries and advertise the host information to Layer 2 VXLAN gateways. After the Layer 2 VXLAN gateways receive ARP broadcast packets, they convert the ARP broadcast packets into unicast packets based on the learned host information before forwarding the packets out. This decreases the number of broadcast packets in a BD, improving network performance.

Procedure

  1. Configure BGP EVPN on Layer 2 and Layer 3 VXLAN gateways to advertise host information.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

      By default, the BGP-EVPN address family view is disabled.

    4. By default, a device does not advertise ARP or IRB routes to a BGP EVPN peer. Configure advertisement of ARP or IRB routes to implement ARP broadcast suppression. The following two configurations cannot coexist.

      • Run peer ipv4-address advertise arp

        ARB route advertisement is configured.

      • Run peer ipv4-address advertise irb

        IRB route advertisement is configured.

  2. Enable BGP EVPN on a Layer 3 VXLAN gateway to collect host information.

    1. Run system-view

      The system view is displayed.

    2. Run interface vbdif bd-id

      The VBDIF interface view is displayed.

    3. Run arp collect host enable

      BGP EVPN is enabled to collect host information.

      By default, BGP EVPN is disabled from collecting host information.

  3. Enable ARP broadcast suppression on a Layer 2 VXLAN gateway.

    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run arp broadcast-suppress [ mismatch-discard ] enable

      ARP broadcast suppression is enabled.

      By default, ARP broadcast suppression is disabled.

(Optional) Configuring NS Multicast Suppression

Context

On an IPv6 overlay network, IPv6 host neighbor discovery is implemented through NS multicast. When a gateway receives an NS message for IPv6 address resolution, it forwards the message in a multicast way in its BD. If the number of received NS messages within a period is large and all of them need to be forwarded, too many VXLAN network resources will be consumed, affecting proper service running. To address this issue, NS multicast suppression needs to be implemented. After this function is enabled, when receiving an NS message, the gateway checks whether it can obtain the destination user information in the NS message. If the gateway can obtain the destination user information, it performs multicast-to-unicast processing to reduce or suppress NS message flooding.

Procedure

  1. Configure BGP EVPN on Layer 2 and Layer 3 VXLAN gateways to advertise host information.

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

      By default, the BGP-EVPN address family view is disabled.

    4. By default, a device does not advertise ND or IRBv6 routes to a BGP EVPN peer. Configure advertisement of ND or IRBv6 routes to implement NS multicast suppression. The following two configurations cannot coexist.

      • Run peer ipv4-address advertise nd

        ND route advertisement is configured.

      • Run peer ipv4-address advertise irbv6

        IRBv6 route advertisement is configured.

  2. Enable BGP EVPN on a Layer 3 VXLAN gateway to collect host IPv6 information.

    1. Run system-view

      The system view is displayed.

    2. Run interface vbdif bd-id

      The VBDIF interface view is displayed.

    3. Run ipv6 nd collect host enable

      BGP EVPN is enabled to collect host IPv6 information.

      By default, BGP EVPN is disabled from collecting host IPv6 information.

  3. Enable NS multicast suppression on a Layer 2 VXLAN gateway.

    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run ipv6 nd multicast-suppress [ mismatch-discard ] enable

      NS multicast suppression is enabled.

      By default, NS multicast suppression is disabled.

(Optional) Configuring Isolation on the Access Side

Context

In a virtual extensible LAN (VXLAN), users connected to the same bridge domain (BD) can directly communicate with each other. To isolate users in a BD on the access side, configure the isolation function on the access side.

This configuration only applies to the VXLAN access-side interfaces on LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and X series cards.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    The BD view is displayed.

  3. Run isolate enable

    The isolation function in a BD on the access side is enabled.

    By default, the isolation function in a BD on the access side is not configured.

  4. Run quit

    Return to the system view.

  5. (Optional) When the user connected to a BD through a VLAN or a Layer 2 sub-interface needs to communicate with other users on the access side in the BD, configure the access-side mode of this VLAN or Layer 2 sub-interface to Hub.

    • Configure the access-side mode of VLAN access to Hub.

      1. Run vlan vlan-id

        The VLAN view is displayed.

      2. Run hub-mode enable

        The access-side mode of the VLAN is set to hub.

    • Configure the access-side mode of Layer 2 sub-interface access to Hub.

      1. Run interface interface-type interface-number.subinterface-number mode l2

        The Layer 2 sub-interface view is displayed.

      2. Run hub-mode enable

        The access-side mode of the Layer 2 sub-interface is set to hub.

(Optional) Configuring Unidirectional Isolation from the Access Side to the Tunnel Side

Context

On a VXLAN network, users in the same BD can directly communicate with each other. To isolate unidirectional traffic from the access side to the tunnel side in a BD, you can configure unidirectional isolation from the access side to the tunnel side.

This configuration only applies to the VXLAN access-side interfaces on LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and X series cards.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    The view of a created BD is displayed.

  3. Run isolate remote enable

    Unidirectional isolation from the access side to the tunnel side is enabled in the BD.

    By default, unidirectional isolation from the access side to the tunnel side is disabled in a BD.

(Optional) Configuring the Local Proxy ARP Function

Context

In a virtual extensible LAN (VXLAN), BD refers to bridge domain. After receiving packets, BD member interfaces broadcast these packets within the domain. To reduce broadcast, network administrators usually run the isolate enable command to enable the isolation function on the access side. This function isolates access users in the BD, so they cannot communicate with each other at Layer 2. However, as user services develop rapidly, users have more and more communication demands. To meet their demands, network administrators can enable the local proxy ARP function on the VBDIF, allowing users having the isolation function enabled on the access side in the BD to communicate with each other.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vbdif bd-id

    The VBDIF view is displayed.

  3. Run arp-proxy local enable

    The local proxy ARP function is enabled.

    By default, the local proxy ARP function is disabled.

(Optional) Configuring the Routed Proxy ND Function

Context

On an IPv6 overlay network, if two hosts physically belong to different network segments and no gateway is configured, configure the routed proxy ND function on the VBDIF interface of the device that connects the two hosts, so as to ensure the communication between the two hosts.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vbdif bd-id

    The VBDIF view is displayed.

  3. Run ipv6 enable

    The IPv6 function is enabled on the interface.

    By default, the IPv6 function is disabled on an interface.

  4. Run ipv6 nd proxy enable

    The routed proxy ND function is enabled.

    By default, the routed proxy ND function is disabled.

(Optional) Configuring the Local Proxy ND Function

Context

On an IPv6 overlay network, if two hosts belong to the same BD but they are isolated, to enable the hosts to communicate with each other, enable the local proxy ND function on VBDIF interfaces to implement interconnection.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vbdif bd-id

    The VBDIF view is displayed.

  3. Run ipv6 enable

    The IPv6 function is enabled on the interface.

    By default, the IPv6 function is disabled on an interface.

  4. Run ipv6 nd proxy enable

    The local proxy ND function is enabled.

    By default, the local proxy ND function is disabled.

(Optional) Configuring Traffic Suppression in a BD

Context

To limit the rate of broadcast, multicast, or unknown unicast packets in a BD and prevent broadcast storm, configure traffic suppression for the packets as required.

It is recommended that you configure traffic suppression in a BD in VXLAN scenarios.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    A BD is created and the BD view is displayed.

  3. Configure traffic suppression in a BD. Run one or more of the following commands as required.

    • Run broadcast-suppression cir cir-value [ cbs cbs-value ]

      Broadcast traffic suppression is enabled in a BD.

      By default, broadcast traffic suppression is disabled in a BD.

    • Run multicast-suppression cir cir-value [ cbs cbs-value ]

      Multicast traffic suppression is enabled in a BD.

      By default, multicast traffic suppression is disabled in a BD.

    • Run unknown-unicast-suppression cir cir-value [ cbs cbs-value ]

      Unknown unicast traffic suppression is enabled in a BD.

      By default, unknown unicast traffic suppression is disabled in a BD.

    The EA, EC, and ED series cards (except LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and LE2D2X48SEC0) do not support traffic suppression in a BD.

(Optional) Configuring a Static MAC Address Entry

Context

When the device creates a MAC address table by learning source MAC addresses, the device cannot distinguish packets from authorized and unauthorized users. This threatens network security. If an unauthorized user uses the MAC address of an authorized user as the source MAC address of attack packets and connects to another interface of the device, the device learns an incorrect MAC address entry. The device incorrectly forwards the packets to the unauthorized user. Actually, the packets should be forwarded to the authorized user. You can manually add a static MAC address entry to the MAC address tables on the VXLAN access side and tunnel side. The static MAC address entry binds the MAC address to a specified interface, which prevents unauthorized users from intercepting data of authorized users. In addition, a manually configured static MAC address entry improves the unicast packet forwarding efficiency and saves bandwidth.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mac-address static mac-address interface-type interface-number.subnum bridge-domain bd-id { default | untag | vid vlan-id1 [ ce-vid vlan-id2 ] }

    A static MAC address entry is configured on a Layer 2 sub-interface on a VXLAN access-side interface.

    Alternatively, run mac-address static mac-address interface-type interface-number bridge-domain bd-id vid vlan-id3

    A VLAN-based static MAC address entry is configured on a VXLAN access-side interface.

    Before you configure a static MAC address entry on a VXLAN access-side interface, the interface must be connected to the VXLAN network first. Parameters here must be the same as those configured to connect to the interface to the VXLAN network.

(Optional) Configuring a Static ARP Entry

Context

Static ARP entries are manually configured and maintained. They will not be aged out or overridden by dynamic ARP entries. You can configure static ARP entries on a Layer 3 VXLAN gateway to improve communication security. Static ARP entries enable the local device and a specified device to communicate with each other using only specified MAC addresses. Attackers cannot modify mappings between IP addresses and MAC addresses in static ARP entries.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run arp static ip-address mac-address bridge-domain bd-id [ vid vlan-id1 [ cevid vlan-id2 ] ] interface interface-type interface-number.subnumer

    A static VXLAN ARP entry is configured on a Layer 2 sub-interface on a VXLAN access-side interface.

    Alternatively, run arp static ip-address mac-address bridge-domain bd-id [ vid vlan-id3 ] interface interface-type interface-number

    A VLAN-based static VXLAN ARP entry is configured on a VXLAN access-side interface.

    • If a static ARP entry already exists, the new configuration cannot be delivered.

    • The specified ip-address must be in the same network segment as the outbound interface address in the ARP entry.

    • To specify the vid vlan-id and cevid vlan-id parameters, set the same encapsulation type as that on the interface first.

    • When you configure a static ARP entry on an interface of the card except the LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, SA, and X series card, you must configure a static MAC address entry for the MAC address in the ARP entry. Otherwise, the switch will broadcast traffic from this MAC address.

(Optional) Configuring a Static IPv6 Neighbor Entry

Context

On a VXLAN, if a Layer 3 gateway on a VXLAN is not enabled to send ND protocol packets, run the ipv6 neighbor command to configure a static IPv6 neighbor entry. To filter out invalid ND protocol packets, you can also run this command to bind the destination IPv6 addresses of these packets to nonexistent MAC addresses.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vbdif bd-id

    A VBDIF interface is created, and the VBDIF interface view is displayed.

    By default, no VBDIF interface is created.

  3. Run ipv6 enable

    The IPv6 function is enabled on the interface.

    By default, the IPv6 function is disabled on an interface.

  4. Run ipv6 neighbor ipv6-address mac-address { vid vlan-id1 [ cevid vlan-id2 ] } interface interface-type interface-num.subnum

    A static IPv6 neighbor entry is configured on a Layer 2 sub-interface on a VXLAN access-side interface.

    Alternatively, run ipv6 neighbor ipv6-address mac-address vid vlan-id3 interface interface-type interface-num

    A VLAN-based static IPv6 neighbor entry is configured on a VXLAN access-side interface.

(Optional) Enabling User Host Information Update Triggered by a MAC Address Entry Change

Context

If user hosts migrate between different gateways in a distributed VXLAN gateway scenario and do not send gratuitous ARP or NA packets after the migration, you can configure user host information update triggered by a MAC address entry change to ensure that user hosts can successfully go online after the migration. After this function is configured, the switch can be triggered to send ARP or NS requests to update user host information by changes in the user hosts' MAC address entries on the switch before and after the migration.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vbdif bd-id

    The VBDIF interface view is displayed.

  3. Run mac-address update host enable

    User host information update triggered by a MAC address entry change is enabled.

    By default, user host information update triggered by a MAC address entry change is disabled.

Verifying the VXLAN Configuration in Distributed Gateway Mode Using BGP EVPN

Prerequisites

All configurations related to VXLAN in distributed gateway mode (BGP EVPN) are completed.

If directly connected users exist in a centralized gateway deployment scenario, the VTEP address carried in Type 2 routes (MAC/IP routes) is the device's VTEP address, causing a route recursion failure. Therefore, check on route recursion results is not performed for Type 2 routes (MAC/IP routes), and the routes are marked as valid routes.

Procedure

  • Run the display bridge-domain [ bd-id [ brief | verbose ] ] command to query the configuration of the bridge domain (BD).
  • Run the display interface nve [ nve-number | main ] to query the status of the NVE interface.
  • Run the display vxlan tunnel [ tunnel-id ] [ verbose ] command to query the information about the VXLAN tunnel.
  • Run the display vxlan vni [ vni-id [ verbose ] ] command to query the VXLAN configuration of the VNI.
  • Run the display vxlan peer [ vni vni-id ] command to query the IP address of the destination VTEP of the VNI.
  • Run the display vxlan encapsulation interface interface-type interface-number [ bridge-domain bd-id | default | dot1q [ vid pe-vid ] | qinq [ vid vlan-vid [ ce-vid ce-vid ] ] | untag ] command to query the VXLAN encapsulation information about the Layer 2 sub-interface of the primary interface.
  • Run the display evpn vpn-instance [ verbose ] [ evpn-instance-name ] command to query the information about the EVPN instance.
  • Run the display bgp evpn peer [ ipv4-address verbose | verbose ] command to query the information about the BGP EVPN peer.
  • Run the display interface vbdif [ bd-id ] command to query the status, configurations, and statistics about the VBDIF.
  • Run the display arp broadcast-suppress user bridge-domain bd-id command to query the ARP broadcast suppression table of a specified BD.
  • Run the display arp static command to query the static ARP entry that has been configured.
  • Run the display mac-address static [ verbose ] command to query the static MAC address entry that has been configured.
  • Run the display bgp evpn all routing-table [ inclusive-route [ inclusive-route ] | mac-route [ mac-route ] | prefix-route [ prefix-route ] ] command or the display bgp evpn route-distinguisher route-distinguisher routing-table { inclusive-route [ inclusive-route ] | mac-route [ mac-route ] | prefix-route [ prefix-route ] } command to query the information about the EVPN route.
  • Run the display bgp evpn all routing-table statistics command to query the statistics about the EVPN route.
Translation
简体中文
Download
Updated: 2022-05-20

Document ID: EDOC1100126837

Views: 18778

Downloads: 20

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :