No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Enterprise
Worldwide
Huawei Global - English
Search
Support Documentation
Configuration Guide - VXLAN
S9300 and S9300X V200R019C10

This document describes the configurations of VXLAN.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring VXLAN in Centralized Gateway Mode Using Static Mode

Configuring VXLAN in Centralized Gateway Mode Using Static Mode

Pre-configuration Tasks

Before configuring user communication over VXLAN tunnels, ensure route reachability.

Configuration Process

Figure 1-58 shows the flowchart of configuring VXLAN in centralized gateway mode.

Figure 1-58 Flowchart of configuring VXLAN in centralized gateway mode
The following table lists the differences in support for the optional configurations in the centralized gateway scenario between IPv4 overlay and IPv6 overlay networks.

Configuration Task

IPv4 Overlay Network

IPv6 Overlay Network

(Optional) Configuring Isolation on the Access Side

Supported

Supported

(Optional) Configuring Unidirectional Isolation from the Access Side to the Tunnel Side

Supported

Supported

(Optional) Configuring the Local Proxy ARP Function

Supported

Not supported

(Optional) Configuring the Routed Proxy ND Function

Not supported

Supported

(Optional) Configuring the Local Proxy ND Function

Not supported

Supported

(Optional) Configuring Traffic Suppression in a BD

Supported

Supported

(Optional) Configuring a Static MAC Address Entry

Supported

Supported

(Optional) Configuring a Static ARP Entry

Supported

Not supported

(Optional) Configuring a Static IPv6 Neighbor Entry

Not supported

Supported

Configuring Deployment Mode for VXLAN Access Service

Context

When configuring VXLAN on a device, you need to select a deployment mode for the VXLAN access service on the downlink interface.

At the access side, two methods are available for deploying VXLAN services:

  • Based on VLAN: You can associate one or more VLANs with a BD to add users in these VLANs to the BD. This VLAN-based mode implements larger-granularity control, but is easy to configure. It applies to VXLAN deployment on a live network.

  • Based on encapsulation mode: The device sends packets of different encapsulation modes to different Layer 2 sub-interfaces based on the VLAN tags contained in the packets. You can bind a Layer 2 sub-interface to a BD to add specified users to the BD. This mode implements refined and flexible control but requires more complex configuration. It applies to VXLAN deployment on a new network.

When NAC authentication is configured on the access-side main interface, VXLAN Layer 2 sub-interfaces cannot be created on the main interface to connect to the VXLAN.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run set vxlan resource super-mode

    The super VXLAN resource mode is set.

    By default, the device supports 4094 BDs. The device supports 16000 BDs after the super VXLAN resource mode is set.

    • After setting the super VXLAN resource mode, save the configuration and then restart the device to make the configuration take effect.

    • When the super VXLAN resource mode is configured, the forwarding performance of some services may degrade, such as the IP multicast, VPLS, VLAN mapping, Layer 3 traffic forwarding of sub-interfaces, and VLAN stacking services.

  3. Run bridge-domain bd-id

    A BD is created and the BD view is displayed.

    By default, no BD is created.

  4. (Optional) Run description description

    The description is configured for the BD.

    By default, no description is configured for a BD.

  5. Run quit

    Exit from the BD view and return to the system view.

  6. (Optional) Specify an interface as a VXLAN access-side interface.

    1. Run interface interface-type interface-number

      The interface view is displayed.

    2. Run port nvo3 mode access

      The interface is specified as a VXLAN access-side interface.

      By default, a device's interface cannot perform VXLAN encapsulation for common IP packets that carry VXLAN packets and have the destination UDP port number 4789 when the tunnel-side is LE2D2X48SEC0.

    3. Run quit

      Return to the system view.

  7. Configure a service access point.

    • Based on VLAN:

      1. Run vlan vlan-id

        A VLAN is created and the VLAN view is displayed.

      2. Run quit

        Exit from the VLAN view and return to the system view.

      3. Run bridge-domain bd-id

        The view of an existing BD is displayed.

      4. Run l2 binding vlan vlan-id

        A VLAN is associated with the BD so that data packets can be forwarded in the BD.

        By default, a VLAN is not associated with a BD.

        • One VLAN can be associated with only one BD, but one BD can be associated with multiple VLANs.

        • After a global VLAN is associated with a BD, you need to add corresponding interfaces to the VLAN.

        • If member interfaces of a voice VLAN are located on cards except the LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and X series cards, the voice VLAN cannot be associated with a BD.
        • In NAC authentication scenarios, if there are online users in a VLAN, running the undo l2 binding vlan command to unbind the VLAN from a BD makes the users go offline.
        • If a VLAN is an ISP VLAN authorized to users and users exist in the VLAN on the device, the VLAN cannot be associated with a BD.
        • If a VLAN is used as the management VLAN of a Fit AP, it is not recommended that the VLAN be associated with a BD.
    • Based on encapsulation mode:

      1. Run interface interface-type interface-number.subnum mode l2

        A Layer 2 sub-interface is created, and the sub-interface view is displayed.

      2. Run rewrite pop { single | double | none }

        The device is configured to remove VLAN tags from packets received by the Layer 2 sub-interface.

        By default, the device removes two VLAN tags from packets received by Layer 2 sub-interfaces that use QinQ encapsulation, removes one VLAN tag from packets received by Layer 2 sub-interfaces that use Dot1q encapsulation.

        • You can only configure the rewrite pop single command on Layer 2 sub-interfaces that use Dot1q encapsulation and no VLAN segment can be configured for Layer 2 sub-interfaces.
        • You can only configure the rewrite pop double command on Layer 2 sub-interfaces that use QinQ encapsulation and no VLAN segment can be configured for Layer 2 sub-interfaces.
        • You can only configure the rewrite pop none command on Layer 2 sub-interfaces that use Dot1q or QinQ encapsulation.

      3. Run encapsulation { dot1q vid low-pe-vid [ to high-pe-vid ] | default | untag | qinq vid low-vlan-vid [ to high-vlan-vid ] ce-vid low-ce-vid [ to high-ce-vid ] }

        An encapsulation mode is configured for a Layer 2 sub-interface to specify the type of packets that can pass through the sub-interface.

        By default, the encapsulation mode of packets allowed to pass a Layer 2 sub-interface is not configured.

        When configuring an encapsulation mode on a Layer 2 sub-interface, pay attention to the following points:

        • The VLAN ID in dot1q mode or outer VLAN ID in qinq mode cannot be the same as the allowed VLAN of the corresponding main interface or the global VLAN.

        • On the same main interface, the VLAN ID in dot1q mode and the outer VLAN ID in qinq mode must be different.

        • After NAC authentication is configured on the main interface, the traffic encapsulation type on a Layer 2 sub-interface cannot be set to default.

        • When the encapsulation mode of a Layer 2 sub-interface is default, the corresponding main interface cannot be added to any VLAN, including VLAN 1.

        • Before the encapsulation mode of a Layer 2 sub-interface is set to default, the main interface has only one sub-interface.

        • After the encapsulation mode of a Layer 2 sub-interface is set to default, no other sub-interface can be created on the main interface.

        • When the encapsulation mode of a Layer 2 sub-interface is set to untag, the corresponding main interface cannot be added to VLAN 1, and other sub-interfaces of the main interface cannot be set to untag.

        • You can configure only one encapsulation mode for each Layer 2 sub-interface. If an encapsulation mode has been configured for a Layer 2 sub-interface, run the undo encapsulation command to delete the original mode before you configure another mode.

        • Before configuring a VLAN segment on a Dot1q or QinQ Layer 2 sub-interface, you must run the rewrite pop none command.

      4. Run bridge-domain bd-id

        A specified Layer 2 sub-interface is associated with a BD so that data packets can be forwarded in the BD.

        By default, a Layer 2 sub-interface is not associated with a BD.

Configuring an IPv6 VXLAN Tunnel

Context

When configuring VXLAN on a device, you need to configure related information for IPv6 VXLAN tunnel establishment on an uplink interface.

An IPv6 VXLAN tunnel is established based on the IPv6 addresses of two VXLAN Tunnel Endpoints (VTEPs). Therefore, you need to configure the source VTEP IPv6 address and destination VTEP IPv6 address on the devices on both ends of a tunnel.

Take VTEP1 in Figure 1-59 as an example. The following describes the configurations required for establishment of an IPv6 VXLAN tunnel:

  • Source VTEP IPv6 address: source IPv6 address in an IPv6 VXLAN packet, that is, IPv6 address of GE1/0/1 on VTEP1
  • Destination VTEP IPv6 address: destination IPv6 address in an IPv6 VXLAN packet, that is, IPv6 address of GE1/0/1 on VTEP2
Figure 1-59 IPv6 VXLAN tunnel establishment

  • You need to run the vni head-end peer-list command to configure the corresponding VTEP address even if the source VTEP matches only one destination VTEP.

  • Run the ping command to check whether a reachable route exists between two ends of the tunnel. If there is a reachable route, the tunnel can be established and packets can be normally forwarded. If the two devices have a route to each other but the route is unreachable, the tunnel can still go Up but packets cannot be forwarded.

  • If a switch uses static routes to forward traffic at the tunnel side, you are advised to configure BFD for static routes. Routes then can be deleted promptly when a link failure occurs. This configuration prevents VXLAN packet loss that occurs because routes are unreachable but the tunnel is still Up.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    The BD view is displayed.

  3. Run vxlan vni vni-id

    A VNI is configured for the BD.

    By default, no VNI is associated with a BD.

  4. Run quit

    Exit from the BD view and return to the system view.

  5. Run interface nve nve-number

    An NVE interface is created, and the NVE interface view is displayed.

  6. Run source ipv6-address

    An IPv6 address is configured for the source VTEP.

    By default, no IPv6 address is configured for a source VTEP.

  7. Run vni vni-id head-end peer-list ipv6-address &<1-10>

    An ingress replication list is configured.

    By default, no ingress replication list is configured for any VNI.

    After the ingress of a VXLAN tunnel receives broadcast, unknown unicast, and multicast (BUM) packets, it replicates these packets and sends a copy to each VTEP in the ingress replication list. The ingress replication list is a collection of remote VTEP IPv6 addresses to which the ingress of a VXLAN tunnel should send replicated BUM packets to.

    BUM packet forwarding is implemented only using ingress replication. To establish a VXLAN tunnel between a Huawei device and a non-Huawei device, ensure that the non-Huawei device also has ingress replication configured. Otherwise, communication fails.

  8. Run quit

    Exit from the NVE interface view and return to the system view.

  9. (Optional) Run vxlan tunnel-status track exact-route

    Subscription to the status of the exact route to a VXLAN tunnel destination is enabled.

    By default, subscription to the status of the exact route to a VXLAN tunnel destination is disabled.

    By default, if the source IPv6 address of a VXLAN tunnel is reachable using a exact and the network segment where the destination IPv6 address belongs is reachable using a route, this VXLAN tunnel is considered Up. In real-world networking, there may be multiple destination addresses on the same network segment. If the network segment is considered reachable because one of the destination addresses is reachable, the tunnel status is reported incorrectly when an IPv6 address on this network segment becomes unreachable. As a result, network faults cannot be discovered in a timely manner. To address this issue, run the vxlan tunnel-status track exact-route command to enable subscription to the status of the exact route to a VXLAN tunnel destination. Subsequently, the VXLAN tunnel is considered Up only when the destination VTEP is reachable using a exact route.

Configuring a Layer 3 VXLAN Gateway

Context

A VBDIF interface is configured on a VXLAN Layer 3 gateway to forward packets across network segments. You do not need to create a VBDIF interface for communication between users in the same network segment.

If end users in a VXLAN site need to access the Internet or communicate with end users in another VXLAN site, a VXLAN Layer 3 gateway needs to be deployed to provide end users with Layer 3 services.

In Figure 1-60, after you create a logical Layer 3 VBDIF interface and configure an IP address for the VBDIF interface, the VBDIF interface functions as the gateway for tenants in the BD to forward packets at Layer 3 based on the IP address. Each BD has only one VBDIF interface.

To ensure that users in different network segments can communicate with each other, ensure that the default gateway address is the IP address of the VBDIF interface on the VXLAN Layer 3 gateway.

Figure 1-60 Layer 3 VXLAN gateway networking

When configuring a VXLAN Layer 3 gateway, choose configuration steps according to the Overlay network IP layer protocol.

Procedure

  • Configuration of VXLAN Layer 3 Gateway for an IPv4 overlay network:
    1. Run system-view

      The system view is displayed.

    2. Run interface vbdif bd-id

      A VBDIF interface is created and the VBDIF interface view is displayed.

      • The number of the VBDIF interface must match an existing BD ID.

      • If the assign resource-mode command is run to set the resource mode to enhanced-arp, a tunnel-side interface of the LE2D2X48SEC0 card cannot forward VXLAN packets at Layer 3.

    3. Run ip address ip-address { mask | mask-length } [ sub ]

      An IP address is configured for the VBDIF interface to implement Layer 3 communication.

      By default, no IP address is configured for a VBDIF interface.

    4. (Optional) Run mac-address mac-address

      A MAC address is configured for the VBDIF interface.

      By default, the MAC address of a VBDIF interface is the system MAC address.

    5. Run quit

      Exit from the VBDIF interface view and return to the system view.

  • Configuration of VXLAN Layer 3 Gateway for an IPv6 overlay network:
    1. Run system-view

      The system view is displayed.

    2. Run ipv6

      IPv6 packet forwarding is enabled.

    3. Run interface vbdif bd-id

      A VBDIF interface is created and the VBDIF interface view is displayed.

      • The number of the VBDIF interface must match an existing BD ID.

      • If the assign resource-mode command is run to set the resource mode to enhanced-arp, a tunnel-side interface of the LE2D2X48SEC0 card cannot forward VXLAN packets at Layer 3.

    4. Run ipv6 enable

      The IPv6 function is enabled on the interface.

      By default, the IPv6 function is disabled on an interface.

    5. Run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

      An IPv6 global unicast address is manually configured.

      Alternatively, run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

      An IPv6 global unicast address is generated in EUI-64 format.

    6. (Optional) Run mac-address mac-address

      A MAC address is configured for the VBDIF interface.

      By default, the MAC address of a VBDIF interface is the system MAC address.

    7. Run quit

      Exit from the VBDIF interface view and return to the system view.

Follow-up Procedure

If a device uses an interface on the LE2D2X48SEC0 card as the tunnel-side interface, the device can decapsulate received VXLAN packets and forward them at Layer 3 only after a VXLAN loopback interface is configured. As a result, you need to configure an Eth-Trunk interface as the VXLAN loopback interface when the device functions as the Layer 3 VXLAN gateway. Perform the configuration as follows:

  1. Run interface eth-trunk trunk-id

    The Eth-Trunk interface view is displayed.

  2. Run service type vxlan-tunnel

    The Eth-Trunk interface is configured as a VXLAN loopback interface.

    By default, an Eth-Trunk interface is not a VXLAN loopback interface.

  3. Run trunkport interface-type interface-number

    A physical interface is added to the Eth-Trunk interface.

    • After an Eth-Trunk is configured as a VXLAN loopback interface, STP is automatically disabled on the Eth-Trunk. The Eth-Trunk then does not support STP configuration commands. After the configuration is canceled, STP is automatically enabled on the Eth-Trunk.

    • Only one Eth-Trunk on a switch can be configured as the VXLAN loopback interface. VXLAN packets from all VBDIF interfaces are encapsulated and decapsulated by this loopback interface.

    • An Eth-Trunk containing member interfaces cannot be configured as a VXLAN loopback interface.

    • The configurations allowed on an Eth-Trunk to be configured as a loopback interface include description, enable snmp trap updown, jumboframe enable, mixed-rate link enable, qos car inbound, qos phb marking enable, set flow-stat interval, shutdown, local-preference enable, traffic-policy (interface view), and trust. If other configurations exist on the Eth-Trunk, the Eth-Trunk cannot be configured as a loopback interface.

    • After an Eth-Trunk is configured as a loopback interface, the Eth-Trunk supports only the following configurations: authentication open ucl-policy enable, description, enable snmp trap updown, jumboframe enable, mixed-rate link enable, qos car inbound, qos phb marking enable, set flow-stat interval, shutdown, local-preference enable, statistic enable (interface view), traffic-policy (interface view), vcmp disable, and trust.

    • Before running the undo service type vxlan-tunnel command, delete all the member interfaces of the Eth-Trunk interface and all VBDIF interfaces on the device.

    • Only interfaces on the X series, LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and LE2D2X48SEC0 cards can be added to a VXLAN loopback interface.

(Optional) Configuring Isolation on the Access Side

Context

In a virtual extensible LAN (VXLAN), users connected to the same bridge domain (BD) can directly communicate with each other. To isolate users in a BD on the access side, configure the isolation function on the access side.

This configuration only applies to the VXLAN access-side interfaces on LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and X series cards.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    The BD view is displayed.

  3. Run isolate enable

    The isolation function in a BD on the access side is enabled.

    By default, the isolation function in a BD on the access side is not configured.

  4. Run quit

    Return to the system view.

  5. (Optional) When the user connected to a BD through a VLAN or a Layer 2 sub-interface needs to communicate with other users on the access side in the BD, configure the access-side mode of this VLAN or Layer 2 sub-interface to Hub.

    • Configure the access-side mode of VLAN access to Hub.

      1. Run vlan vlan-id

        The VLAN view is displayed.

      2. Run hub-mode enable

        The access-side mode of the VLAN is set to hub.

    • Configure the access-side mode of Layer 2 sub-interface access to Hub.

      1. Run interface interface-type interface-number.subinterface-number mode l2

        The Layer 2 sub-interface view is displayed.

      2. Run hub-mode enable

        The access-side mode of the Layer 2 sub-interface is set to hub.

(Optional) Configuring Unidirectional Isolation from the Access Side to the Tunnel Side

Context

On a VXLAN network, users in the same BD can directly communicate with each other. To isolate unidirectional traffic from the access side to the tunnel side in a BD, you can configure unidirectional isolation from the access side to the tunnel side.

This configuration only applies to the VXLAN access-side interfaces on LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and X series cards.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    The view of a created BD is displayed.

  3. Run isolate remote enable

    Unidirectional isolation from the access side to the tunnel side is enabled in the BD.

    By default, unidirectional isolation from the access side to the tunnel side is disabled in a BD.

(Optional) Configuring the Local Proxy ARP Function

Context

In a virtual extensible LAN (VXLAN), BD refers to bridge domain. After receiving packets, BD member interfaces broadcast these packets within the domain. To reduce broadcast, network administrators usually run the isolate enable command to enable the isolation function on the access side. This function isolates access users in the BD, so they cannot communicate with each other at Layer 2. However, as user services develop rapidly, users have more and more communication demands. To meet their demands, network administrators can enable the local proxy ARP function on the VBDIF, allowing users having the isolation function enabled on the access side in the BD to communicate with each other.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vbdif bd-id

    The VBDIF view is displayed.

  3. Run arp-proxy local enable

    The local proxy ARP function is enabled.

    By default, the local proxy ARP function is disabled.

(Optional) Configuring the Routed Proxy ND Function

Context

On an IPv6 overlay network, if two hosts physically belong to different network segments and no gateway is configured, configure the routed proxy ND function on the VBDIF interface of the device that connects the two hosts, so as to ensure the communication between the two hosts.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vbdif bd-id

    The VBDIF view is displayed.

  3. Run ipv6 enable

    The IPv6 function is enabled on the interface.

    By default, the IPv6 function is disabled on an interface.

  4. Run ipv6 nd proxy enable

    The routed proxy ND function is enabled.

    By default, the routed proxy ND function is disabled.

(Optional) Configuring the Local Proxy ND Function

Context

On an IPv6 overlay network, if two hosts belong to the same BD but they are isolated, to enable the hosts to communicate with each other, enable the local proxy ND function on VBDIF interfaces to implement interconnection.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vbdif bd-id

    The VBDIF view is displayed.

  3. Run ipv6 enable

    The IPv6 function is enabled on the interface.

    By default, the IPv6 function is disabled on an interface.

  4. Run ipv6 nd proxy enable

    The local proxy ND function is enabled.

    By default, the local proxy ND function is disabled.

(Optional) Configuring Traffic Suppression in a BD

Context

To limit the rate of broadcast, multicast, or unknown unicast packets in a BD and prevent broadcast storm, configure traffic suppression for the packets as required.

It is recommended that you configure traffic suppression in a BD in VXLAN scenarios.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    A BD is created and the BD view is displayed.

  3. Configure traffic suppression in a BD. Run one or more of the following commands as required.

    • Run broadcast-suppression cir cir-value [ cbs cbs-value ]

      Broadcast traffic suppression is enabled in a BD.

      By default, broadcast traffic suppression is disabled in a BD.

    • Run multicast-suppression cir cir-value [ cbs cbs-value ]

      Multicast traffic suppression is enabled in a BD.

      By default, multicast traffic suppression is disabled in a BD.

    • Run unknown-unicast-suppression cir cir-value [ cbs cbs-value ]

      Unknown unicast traffic suppression is enabled in a BD.

      By default, unknown unicast traffic suppression is disabled in a BD.

    The EA, EC, and ED series cards (except LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and LE2D2X48SEC0) do not support traffic suppression in a BD.

(Optional) Configuring a Static MAC Address Entry

Context

When the device creates a MAC address table by learning source MAC addresses, the device cannot distinguish packets from authorized and unauthorized users. This threatens network security. If an unauthorized user uses the MAC address of an authorized user as the source MAC address of attack packets and connects to another interface of the device, the device learns an incorrect MAC address entry. The device incorrectly forwards the packets to the unauthorized user. Actually, the packets should be forwarded to the authorized user. You can manually add a static MAC address entry to the MAC address tables on the VXLAN access side and tunnel side. The static MAC address entry binds the MAC address to a specified interface, which prevents unauthorized users from intercepting data of authorized users. In addition, a manually configured static MAC address entry improves the unicast packet forwarding efficiency and saves bandwidth.

Procedure

  • Configure a static MAC address entry on a VXLAN access-side interface.
    1. Run system-view

      The system view is displayed.

    2. Run mac-address static mac-address interface-type interface-number.subnum bridge-domain bd-id { default | untag | vid vlan-id1 [ cevid vlan-id2 ] }

      A static MAC address entry is configured on a Layer 2 sub-interface on a VXLAN access-side interface.

      Alternatively, run mac-address static mac-address interface-type interface-number bridge-domain bd-id vid vlan-id3

      A VLAN-based static MAC address entry is configured on a VXLAN access-side interface.

      Before you configure a static MAC address entry on a VXLAN access-side interface, the interface must be connected to the VXLAN network first. Parameters here must be the same as those configured to connect to the interface to the VXLAN network.

  • Configure a static MAC address entry on a VXLAN tunnel-side interface.
    1. Run system-view

      The system view is displayed.

    2. Run mac-address static mac-address bridge-domain bd-id source-ipv6-ipv6-address1 peer-ipv6 ipv6-address2 vni vni-id

      A static MAC address entry is configured on a VXLAN tunnel-side interface.

      Before you configure a static MAC address entry on a VXLAN tunnel-side interface, a VXLAN tunnel must have been created. Parameters here must be the same as those configured to create a VXLAN tunnel.

(Optional) Configuring a Static ARP Entry

Context

Static ARP entries are manually configured and maintained. They will not be aged out or overridden by dynamic ARP entries. You can configure static ARP entries on a Layer 3 VXLAN gateway to improve communication security. Static ARP entries enable the local device and a specified device to communicate with each other using only specified MAC addresses. Attackers cannot modify mappings between IP addresses and MAC addresses in static ARP entries.

Procedure

  • Configure a static VXLAN ARP entry on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run arp static ip-address mac-address bridge-domain bd-id [ vid vlan-id1 [ cevid vlan-id2 ] ] interface interface-type interface-number.subnum

      A static VXLAN ARP entry is configured on a Layer 2 sub-interface on a VXLAN access-side interface.

      Alternatively, run arp static ip-address mac-address bridge-domain bd-id [ vid vlan-id3 ] interface interface-type interface-number

      A VLAN-based static VXLAN ARP entry is configured on a VXLAN access-side interface.

      • If a static ARP entry already exists, the new configuration cannot be delivered.

      • The specified ip-address must be in the same network segment as the outbound interface address in the ARP entry.

      • To specify the vid vlan-id and cevid vlan-id parameters, set the same encapsulation type as that on the interface first.

      • When you configure a static ARP entry on an interface of the card except the LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, SA, and X series card, you must configure a static MAC address entry for the MAC address in the ARP entry. Otherwise, the switch will broadcast traffic from this MAC address.

  • Configure a static ARP entry for a VXLAN tunnel.
    1. Run system-view

      The system view is displayed.

    2. Run arp static ip-address mac-address vni vni-id source-ipv6 ipv6-address peer-ipv6 ipv6-address

      A static ARP entry is configured for a VXLAN tunnel.

      • If a static ARP entry already exists, the new configuration cannot be delivered.

      • The specified IP address must be in the same network segment as the outbound interface address in the ARP entry.

      • Before you configure a static VXLAN ARP entry for a tunnel, a VXLAN tunnel must have been created.

(Optional) Configuring a Static IPv6 Neighbor Entry

Context

On a VXLAN, if a Layer 3 gateway on a VXLAN is not enabled to send ND protocol packets, run the ipv6 neighbor command to configure a static IPv6 neighbor entry. To filter out invalid ND protocol packets, you can also run this command to bind the destination IPv6 addresses of these packets to nonexistent MAC addresses.

Procedure

  • Configure a static IPv6 neighbor entry on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface vbdif bd-id

      A VBDIF interface is created, and the VBDIF interface view is displayed.

      By default, no VBDIF interface is created.

    3. Run ipv6 enable

      The IPv6 function is enabled on the interface.

      By default, the IPv6 function is disabled on an interface.

    4. Run ipv6 neighbor ipv6-address mac-address { vid vlan-id1 [ cevid vlan-id2 ] } interface interface-type interface-num.subnum

      A static IPv6 neighbor entry is configured on a Layer 2 sub-interface on a VXLAN access-side interface.

      Alternatively, run ipv6 neighbor ipv6-address mac-address vid vlan-id3 interface interface-type interface-num

      A VLAN-based static IPv6 neighbor entry is configured on a VXLAN access-side interface.

  • Configure a static IPv6 neighbor entry for a VXLAN tunnel.
    1. Run system-view

      The system view is displayed.

    2. Run interface vbdif bd-id

      A VBDIF interface is created, and the VBDIF interface view is displayed.

      By default, no VBDIF interface is created.

    3. Run ipv6 enable

      The IPv6 function is enabled on the interface.

      By default, the IPv6 function is disabled on an interface.

    4. Run ipv6 neighbor ipv6-address mac-address vni vni-id source-ipv6 ipv6-address1 peer-ipv6 ipv6-address2

      A VLAN-based static IPv6 neighbor entry is configured on a VXLAN access-side interface.

      A static IPv6 neighbor entry is configured for a VXLAN tunnel.

Verifying the VXLAN Configuration in Centralized Gateway Mode Using Static Mode

Context

After you complete configuring VXLAN service access points and VXLAN tunnels, run the following commands to verify the VXLAN configuration.

Procedure

  • Run the display bridge-domain [ bd-id [ brief | verbose ] ] command to view the BD configuration.
  • Run the display vxlan tunnel [ tunnel-id ] [ verbose ] command to view VXLAN tunnel information.
  • Run the display vxlan vni [ vni-id [ verbose ] ] command to view VXLAN configuration of a specified VNI or all VNIs.
  • Run the display vxlan peer [ vni vni-id ] command to view the destination VTEP IP address with a specified VNI.
  • Run the display vxlan encapsulation interface interface-type interface-number [ bridge-domain bd-id | default | dot1q [ vid pe-vid ] | qinq [ vid vlan-vid [ ce-vid ce-vid ] ] | untag ] command to view VXLAN encapsulation information about Layer 2 sub-interfaces of a main interface.
Translation
简体中文
Download
Updated: 2022-05-20

Document ID: EDOC1100126837

Views: 18878

Downloads: 20

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :