NE20E-S2 V800R010C10SPC500 Configuration Guide - IP Services 01

This document is the NE20E-S2 V800R010C10SPC500 Configuration Guide - IP Services.
Example for Configuring NS Multicast Suppression on an EVPN MPLS Network


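Configure NS multicast suppression to reduce or suppress excessive NS messages on the network.

Networking Requirements

When users access an EVPN MPLS network through a BD, IPv6 hosts discover their neighbors by multicasting NS messages. When a device receives an NS message for IPv6 address resolution, it multicasts the message within its own BD. If a device receives a large number of NS messages within a period of time and forwards all of them, the EVPN network is flooded with NS messages, which consume excessive network resources and affect normal services.

As shown in Figure 12-9, NS multicast suppression can be configured on the PEs. When a PE receives an NS message, it first checks whether it can obtain information about the destination user of the message. If it can, the PE either answers on the user's behalf (ND proxy reply) or converts the multicast message to unicast, which reduces or suppresses NS message flooding. NS multicast suppression also helps defend against ND spoofing attacks. In an ND spoofing attack, an attacker associates its own MAC address with the IPv6 address of a host, so that all traffic destined for that IPv6 address is sent to the attacker. NS multicast suppression uses conflict detection on the ND proxy-reply table to trigger an IPv6 address conflict alarm, which alerts users to a possible ND spoofing attack.

Figure 12-9 Networking diagram for NS multicast suppression
Note:

In this example, interface1 and interface2 represent GE0/1/0 and GE0/2/0, respectively.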



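Configuration Roadmap

The roadmap for configuring NS multicast suppression on an EVPN MPLS network is as follows:

  1. Configure basic EVPN functions.

  2. Enable NS multicast suppression.

  3. Enable the ND proxy-reply entries generated by the device to be propagated through EVPN.

  4. Configure communication between the CEs and PEs.

Data Preparation

To complete the configuration, you need the following data:

  • EVPN instance name: evpna.

  • RD of the EVPN instance on the PEs: 3:3.

Procedure

  1. Configure basic EVPN functions.

    1. Configure IP addresses for the interfaces.

      # Configure PE1.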

      <HUAWEI> system-view
      [~HUAWEI] sysname PE1
      [*HUAWEI] commit
      [~PE1] interface gigabitethernet 0/1/0
      [~PE1-GigabitEthernet0/1/0] ip address 10.0.0.1 255.255.255.0
      [*PE1-GigabitEthernet0/1/0] commit
      [~PE1-GigabitEthernet0/1/0] quit
      [~PE1] interface loopback 0
      [*PE1-LoopBack0] ip address 1.1.1.1 255.255.255.255
      [*PE1-LoopBack0] commit
      [~PE1-LoopBack0] quit

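      The configuration of PE2 is similar to that of PE1 and is not described here. For details, see the configuration files.

    2. Configure an IGP so that the PEs can communicate with each other. OSPF is used in this example.

      # Configure PE1.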

      [~PE1] ospf 1
      [*PE1-ospf-1] area 0
      [*PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
      [*PE1-ospf-1-area-0.0.0.0] network 10.0.0.0 0.0.0.255
      [*PE1-ospf-1-area-0.0.0.0] commit
      [~PE1-ospf-1-area-0.0.0.0] quit
      [~PE1-ospf-1] quit

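      The configuration of PE2 is similar to that of PE1 and is not described here. For details, see the configuration files.

      After the configuration is complete, PE1 and PE2 should have established an OSPF neighbor relationship. Run the display ospf peer command; the neighbor state is Full. Run the display ip routing-table command; PE1 and PE2 have each learned the route to the other's Loopback0 interface.

      The following uses the output on PE1 as an example: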

      [~PE1] display ospf peer
      (M) Indicates MADJ neighbor
      
      
                OSPF Process 1 with Router ID 1.1.1.1
                      Neighbors
      
       Area 0.0.0.0 interface 10.0.0.1 (GE0/1/0)'s neighbors
       Router ID: 2.2.2.2              Address: 10.0.0.2         
         State: Full           Mode:Nbr is Master     Priority: 1
         DR: 10.0.0.1          BDR: 10.0.0.2          MTU: 0
         Dead timer due in  38  sec
         Retrans timer interval: 5
         Neighbor is up for 01h54m10s
         Authentication Sequence: [ 0 ]
      [~PE1] display ip routing-table
      Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
      ------------------------------------------------------------------------------
      Routing Table : _public_
               Destinations : 9        Routes : 9         
      
      Destination/Mask    Proto   Pre  Cost        Flags NextHop         Interface
      
              1.1.1.1/32  Direct  0    0             D   127.0.0.1       LoopBack0
              2.2.2.2/32  OSPF    10   1             D   10.0.0.2        GigabitEthernet0/1/0
             10.0.0.0/24  Direct  0    0             D   10.0.0.1        GigabitEthernet0/1/0
             10.0.0.1/32  Direct  0    0             D   127.0.0.1       GigabitEthernet0/1/0
           10.0.0.255/32  Direct  0    0             D   127.0.0.1       GigabitEthernet0/1/0
            127.0.0.0/8   Direct  0    0             D   127.0.0.1       InLoopBack0
            127.0.0.1/32  Direct  0    0             D   127.0.0.1       InLoopBack0
      127.255.255.255/32  Direct  0    0             D   127.0.0.1       InLoopBack0
      255.255.255.255/32  Direct  0    0             D   127.0.0.1       InLoopBack0
    3. Configure basic MPLS functions and MPLS LDP, and establish LDP LSPs.

      # Configure PE1.

      [~PE1] mpls lsr-id 1.1.1.1
      [*PE1] mpls
      [*PE1-mpls] mpls ldp
      [*PE1-mpls] commit
      [~PE1-mpls] quit
      [~PE1] interface gigabitethernet 0/1/0
      [~PE1-GigabitEthernet0/1/0] mpls
      [*PE1-GigabitEthernet0/1/0] mpls ldp
      [*PE1-GigabitEthernet0/1/0] commit
      [~PE1-GigabitEthernet0/1/0] quit

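      The configuration of PE2 is similar to that of PE1 and is not described here. For details, see the configuration files.

      After the configuration is complete, PE1 and PE2 should have established an LDP session. Run the display mpls ldp session command; the Status field in the output is "Operational". Run the display mpls ldp lsp command to check the LDP LSPs that have been established.

      The following uses the output on PE1 as an example: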

      [~PE1] display mpls ldp session
      LDP Session(s) in Public Network
       Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
       An asterisk (*) before a session means the session is being deleted.
       --------------------------------------------------------------------------
       PeerID             Status      LAM  SsnRole  SsnAge       KASent/Rcv
       --------------------------------------------------------------------------
       2.2.2.2:0          Operational DU   Passive  0000:02:03   494/494
       --------------------------------------------------------------------------
       TOTAL: 1 Session(s) Found.
      [~PE1] display mpls ldp lsp
       LDP LSP Information
       -------------------------------------------------------------------------------
       Flag after Out IF: (I) - RLFA Iterated LSP, (I*) - Normal and RLFA Iterated LSP
       -------------------------------------------------------------------------------
       DestAddress/Mask   In/OutLabel    UpstreamPeer    NextHop          OutInterface
       -------------------------------------------------------------------------------
       1.1.1.1/32         3/NULL         2.2.2.2         127.0.0.1        Loop0
      *1.1.1.1/32         Liberal/32967                  DS/2.2.2.2       
       2.2.2.2/32         NULL/3         -               10.0.0.2         GE0/1/0
       2.2.2.2/32         32967/3        2.2.2.2         10.0.0.2         GE0/1/0
       -------------------------------------------------------------------------------
       TOTAL: 3 Normal LSP(s) Found.
       TOTAL: 1 Liberal LSP(s) Found.
       TOTAL: 0 FRR LSP(s) Found.
       An asterisk (*) before an LSP means the LSP is not established
       An asterisk (*) before a Label means the USCB or DSCB is stale
       An asterisk (*) before an UpstreamPeer means the session is stale
       An asterisk (*) before a DS means the session is stale
       An asterisk (*) before a NextHop means the LSP is FRR LSP
    4. Configure an EVPN instance.

      # Configure PE1.

      [~PE1] evpn vpn-instance evpna bd-mode
      [*PE1-evpn-instance-evpna] route-distinguisher 3:3
      [*PE1-evpn-instance-evpna] vpn-target 1:1
      [*PE1-evpn-instance-evpna] commit
      [~PE1-evpn-instance-evpna] quit

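      The configuration of PE2 is similar to that of PE1 and is not described here. For details, see the configuration files.

    5. Configure an EVPN source address.

      # Configure PE1.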

      [~PE1] evpn source-address 1.1.1.1
      [*PE1] commit

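      The configuration of PE2 is similar to that of PE1 and is not described here. For details, see the configuration files.

    6. Bind the EVPN instance to a BD.

      # Configure PE1.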

      [~PE1] bridge-domain 10
      [*PE1-bd10] evpn binding vpn-instance evpna
      [*PE1-bd10] commit
      [~PE1-bd10] quit

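      The configuration of PE2 is similar to that of PE1 and is not described here. For details, see the configuration files.

    7. Configure a BGP EVPN peer relationship.

      # Configure PE1.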

      [~PE1] bgp 100
      [*PE1-bgp] peer 2.2.2.2 as-number 100
      [*PE1-bgp] peer 2.2.2.2 connect-interface LoopBack 0
      [*PE1-bgp] l2vpn-family evpn
      [*PE1-bgp-af-evpn] peer 2.2.2.2 enable
      [*PE1-bgp-af-evpn] peer 2.2.2.2 advertise nd
      [*PE1-bgp-af-evpn] commit
      [~PE1-bgp-af-evpn] quit
      [~PE1-bgp] quit

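      The configuration of PE2 is similar to that of PE1 and is not described here. For details, see the configuration files.

  2. Enable NS multicast suppression.

    # Configure PE1.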

    [~PE1] bridge-domain 10
    [~PE1-bd10] ipv6 nd multicast-suppress proxy-reply enable

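    The configuration of PE2 is similar to that of PE1 and is not described here. For details, see the configuration files.

  3. Enable the ND proxy-reply entries generated by the device to be propagated through EVPN.

    # Configure PE1.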

    [*PE1-bd10] ipv6 nd collect host enable
    [*PE1-bd10] commit
    [~PE1-bd10] quit

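    The configuration of PE2 is similar to that of PE1 and is not described here. For details, see the configuration files.

  4. Configure communication between the CEs and PEs.

    # Configure PE1.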

    [~PE1] interface gigabitethernet 0/2/0.1 mode l2
    [*PE1-GigabitEthernet0/2/0.1] encapsulation dot1q vid 1
    [*PE1-GigabitEthernet0/2/0.1] bridge-domain 10
    [*PE1-GigabitEthernet0/2/0.1] commit
    [~PE1-GigabitEthernet0/2/0.1] quit

    The configuration of PE2 is similar to that of PE1 and is not described here. For details, see the configuration files.

    # Configure CE1.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE1
    [*HUAWEI] commit
    [~CE1] interface gigabitethernet 0/2/0.1
    [*CE1-GigabitEthernet0/2/0.1] ipv6 enable
    [*CE1-GigabitEthernet0/2/0.1] ipv6 address 2001:db8::1 64
    [*CE1-GigabitEthernet0/2/0.1] vlan-type dot1q 1
    [*CE1-GigabitEthernet0/2/0.1] commit
    [~CE1-GigabitEthernet0/2/0.1] quit

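    The configuration of CE2 is similar to that of CE1 and is not described here. For details, see the configuration files.

  5. Verify the configuration.

    Run the display bgp evpn all routing-table mac-route command on PE1. The output shows the MAC/IP advertisement routes to PE2.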

    [~PE1] display bgp evpn all routing-table mac-route
     Local AS number : 100
    
     BGP Local router ID is 1.1.1.1
     Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
                   h - history,  i - internal, s - suppressed, S - Stale
                   Origin : i - IGP, e - EGP, ? - incomplete
    
    
     EVPN address family:
     Number of Mac Routes: 6
     Route Distinguisher: 3:3
           Network(EthTagId/MacAddrLen/MacAddr/IpAddrLen/IpAddr)  NextHop
     *>    0:48:3800-1003-0000:0:0.0.0.0                          0.0.0.0
     *>i   0:48:38bd-6c31-0300:0:0.0.0.0                          2.2.2.2
     *>    0:48:3800-1003-0000:128:[FE80::3A00:10FF:FE03:0]       0.0.0.0
     *>    0:48:3800-1003-0000:128:[2001:DB8::1]                  0.0.0.0
     *>i   0:48:38bd-6c31-0300:128:[FE80::3ABD:6CFF:FE31:300]     2.2.2.2
     *>i   0:48:38bd-6c31-0300:128:[2001:DB8::2]                  2.2.2.2
        
    
     EVPN-Instance evpna:
     Number of Mac Routes: 6
           Network(EthTagId/MacAddrLen/MacAddr/IpAddrLen/IpAddr)  NextHop
     *>    0:48:3800-1003-0000:0:0.0.0.0                          0.0.0.0
     *>i   0:48:38bd-6c31-0300:0:0.0.0.0                          2.2.2.2
     *>    0:48:3800-1003-0000:128:[FE80::3A00:10FF:FE03:0]       0.0.0.0
     *>    0:48:3800-1003-0000:128:[2001:DB8::1]                  0.0.0.0
     *>i   0:48:38bd-6c31-0300:128:[FE80::3ABD:6CFF:FE31:300]     2.2.2.2
     *>i   0:48:38bd-6c31-0300:128:[2001:DB8::2]                  2.2.2.2

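    Run the display ipv6 nd multicast-suppress bridge-domain command on PE1. The ND proxy-reply table contains entries for both CE1 and CE2. The entry for 2001:db8::1 is a dynamic ND proxy-reply entry generated by the local device, and the entry for 2001:db8::2 is an ND proxy-reply entry pushed by the remote device.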

    [~PE1] display ipv6 nd multicast-suppress bridge-domain
    ----------------------------------------------------------------------------------
    IPv6 Address
    MAC Address            BD         LifeTime (S)      Type 
    ----------------------------------------------------------------------------------
    2001:DB8::1                                                                     
    3800-1003-0000         10         76                Dynamic   
    
    2001:DB8::2                                                                     
    38bd-6c31-0300         10         -                 Evpn      
    
    FE80::3A00:10FF:FE03:0                                                          
    3800-1003-0000         10         75                Dynamic   
    
    FE80::3ABD:6CFF:FE31:300                                                        
    38bd-6c31-0300         10         -                 Evpn      
    
    ----------------------------------------------------------------------------------
    Total: 4        Dynamic: 2      Evpn: 2        

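    Run the display ipv6 nd multicast-suppress bridge-domain command on PE2. The ND proxy-reply table contains entries for both CE1 and CE2. The entry for 2001:db8::2 is a dynamic ND proxy-reply entry generated by the local device, and the entry for 2001:db8::1 is an ND proxy-reply entry pushed by the remote device.

    [~PE2] display ipv6 nd multicast-suppress bridge-domain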
    ----------------------------------------------------------------------------------
    IPv6 Address
    MAC Address            BD         LifeTime (S)      Type 
    ----------------------------------------------------------------------------------
    2001:DB8::1                                                                     
    3800-1003-0000         10         -                 Evpn      
    
    2001:DB8::2                                                                     
    38bd-6c31-0300         10         21                Dynamic   
    
    FE80::3A00:10FF:FE03:0                                                          
    3800-1003-0000         10         -                 Evpn      
    
    FE80::3ABD:6CFF:FE31:300                                                        
    38bd-6c31-0300         10         21                Dynamic   
    
    ----------------------------------------------------------------------------------
    Total: 4        Dynamic: 2      Evpn: 2  

    Run the ping ipv6 command on CE1. The IPv6 address of GE0/2/0.1 on CE2 is reachable.

    [~CE1] ping ipv6 2001:db8::2
      PING 2001:DB8::2 : 56  data bytes, press CTRL_C to break
        Reply from 2001:DB8::2 
        bytes=56 Sequence=1 hop limit=64 time=5 ms
        Reply from 2001:DB8::2 
        bytes=56 Sequence=2 hop limit=64 time=2 ms
        Reply from 2001:DB8::2 
        bytes=56 Sequence=3 hop limit=64 time=3 ms
        Reply from 2001:DB8::2 
        bytes=56 Sequence=4 hop limit=64 time=3 ms
        Reply from 2001:DB8::2 
        bytes=56 Sequence=5 hop limit=64 time=2 ms
                
      --- 2001:DB8::2 ping statistics---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max=2/3/5 ms

    Run the ping ipv6 command on CE2. The IPv6 address of GE0/2/0.1 on CE1 is reachable.

    [~CE2] ping ipv6 2001:db8::1
      PING 2001:DB8::1 : 56  data bytes, press CTRL_C to break
        Reply from 2001:DB8::1 
        bytes=56 Sequence=1 hop limit=64 time=10 ms
        Reply from 2001:DB8::1 
        bytes=56 Sequence=2 hop limit=64 time=3 ms
        Reply from 2001:DB8::1 
        bytes=56 Sequence=3 hop limit=64 time=3 ms
        Reply from 2001:DB8::1 
        bytes=56 Sequence=4 hop limit=64 time=4 ms
        Reply from 2001:DB8::1 
        bytes=56 Sequence=5 hop limit=64 time=3 ms
                
      --- 2001:DB8::1 ping statistics---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max=3/4/10 ms
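
The ND proxy-reply tables collected in the verification step can also be compared offline. The following Python script is an added example, not part of the Huawei guide: it parses the two-line-per-entry layout of display ipv6 nd multicast-suppress bridge-domain and flags any IPv6 address bound to more than one MAC address, the condition that the ND spoofing described in the networking requirements would produce. The function names and the PE2 sample with the conflicting MAC are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# PE1 rows come from the output above. The PE2 rows are constructed: 2001:DB8::1
# is bound to a different MAC (0000-5e00-5301, a documentation-range value).
PE1_OUTPUT = """\
----------------------------------------------------------------------
2001:DB8::1
3800-1003-0000         10         76                Dynamic
2001:DB8::2
38bd-6c31-0300         10         -                 Evpn

Total: 2        Dynamic: 1      Evpn: 1
"""
PE2_OUTPUT = """\
2001:DB8::1
0000-5e00-5301         10         30                Dynamic
2001:DB8::2
38bd-6c31-0300         10         21                Dynamic
"""
ROW = re.compile(r"^([0-9a-f]{4}(?:-[0-9a-f]{4}){2})\s+(\d+)\s+(\S+)\s+(\w+)$", re.I)

def parse_nd_table(text):
    """Parse the two-line-per-entry table into {(bd, ipv6): (mac, type)}."""
    entries, pending = {}, None
    for line in map(str.strip, text.splitlines()):
        row = ROW.match(line)
        if row and pending is not None:
            mac, bd, _lifetime, kind = row.groups()
            entries[(int(bd), pending)] = (mac.lower(), kind)
            pending = None
            continue
        try:
            pending = ipaddress.IPv6Address(line)  # normalises case and compression
        except ValueError:
            pending = None  # header, separator, blank or summary line
    return entries

def find_conflicts(tables):
    """Return [(bd, ipv6, {mac: [pe, ...]})] for addresses bound to more than one MAC."""
    seen = defaultdict(lambda: defaultdict(list))
    for pe, table in tables.items():
        for key, (mac, _kind) in table.items():
            seen[key][mac].append(pe)
    return [(bd, str(ip), dict(m)) for (bd, ip), m in sorted(seen.items()) if len(m) > 1]

TABLES = {"PE1": parse_nd_table(PE1_OUTPUT), "PE2": parse_nd_table(PE2_OUTPUT)}
print(find_conflicts(TABLES))
```

With the unmodified outputs from this page, every address maps to a single MAC on both PEs and the result is an empty list.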

Configuration Files

  • PE1 configuration file

    #
    sysname PE1
    #
    evpn vpn-instance evpna bd-mode
     route-distinguisher 3:3
     vpn-target 1:1 export-extcommunity
     vpn-target 1:1 import-extcommunity
    #
    mpls lsr-id 1.1.1.1
    #
    mpls
    #
    bridge-domain 10
     evpn binding vpn-instance evpna
     ipv6 nd multicast-suppress proxy-reply enable
     ipv6 nd collect host enable
    #
    mpls ldp
     #
     ipv4-family
    #
    interface GigabitEthernet0/2/0.1 mode l2
     encapsulation dot1q vid 1
     bridge-domain 10
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 10.0.0.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack0
     ip address 1.1.1.1 255.255.255.255
    #
    bgp 100
     peer 2.2.2.2 as-number 100
     peer 2.2.2.2 connect-interface LoopBack0
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.2 enable
     #
     l2vpn-family evpn
      undo policy vpn-target
      peer 2.2.2.2 enable
      peer 2.2.2.2 advertise nd
    #
    ospf 1
     area 0.0.0.0
      network 1.1.1.1 0.0.0.0
      network 10.0.0.0 0.0.0.255
    #
    evpn source-address 1.1.1.1
    #
    return
  • PE2 configuration file

    #
    sysname PE2
    #
    evpn vpn-instance evpna bd-mode
     route-distinguisher 3:3
     vpn-target 1:1 export-extcommunity
     vpn-target 1:1 import-extcommunity
    #
    mpls lsr-id 2.2.2.2
    #
    mpls
    #
    bridge-domain 10
     evpn binding vpn-instance evpna
     ipv6 nd multicast-suppress proxy-reply enable
     ipv6 nd collect host enable
    #
    mpls ldp
     #
     ipv4-family
    #
    interface GigabitEthernet0/2/0.1 mode l2
     encapsulation dot1q vid 1
     bridge-domain 10
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 10.0.0.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack0
     ip address 2.2.2.2 255.255.255.255
    #
    bgp 100
     peer 1.1.1.1 as-number 100
     peer 1.1.1.1 connect-interface LoopBack0
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.1 enable
     #
     l2vpn-family evpn
      undo policy vpn-target
      peer 1.1.1.1 enable
      peer 1.1.1.1 advertise nd
    #
    ospf 1
     area 0.0.0.0
      network 2.2.2.2 0.0.0.0
      network 10.0.0.0 0.0.0.255
    #
    evpn source-address 2.2.2.2
    #
    return
  • CE1 configuration file

    #
    sysname CE1
    #
    interface GigabitEthernet0/2/0.1
     vlan-type dot1q 1
     ipv6 enable
     ipv6 address 2001:DB8::1/64
    #
    return
  • CE2 configuration file

    #
    sysname CE2
    #
    interface GigabitEthernet0/2/0.1
     vlan-type dot1q 1
     ipv6 enable
     ipv6 address 2001:DB8::2/64
    #
    return
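
A saved PE configuration can be checked for the three ND-related commands this example relies on: the two bridge-domain commands and peer ... advertise nd in the BGP EVPN address family. The following Python script is an added example, not part of the Huawei guide; its function names are hypothetical, and it assumes the file uses "#" in column 0 between top-level sections, as in the configuration files above.

```python
import re

# Constructed input: PE1's configuration file from this page, trimmed, with
# "ipv6 nd collect host enable" and "peer 2.2.2.2 advertise nd" removed.
BROKEN_PE1 = """\
#
bridge-domain 10
 evpn binding vpn-instance evpna
 ipv6 nd multicast-suppress proxy-reply enable
#
bgp 100
 peer 2.2.2.2 as-number 100
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 2.2.2.2 enable
#
return
"""
BD_REQUIRED = ("ipv6 nd multicast-suppress proxy-reply enable",
               "ipv6 nd collect host enable")

def sections(text):
    """Split on '#' in column 0; nested ' #' separators stay inside their section."""
    out, cur = [], []
    for line in text.splitlines():
        if line.rstrip() == "#":
            out, cur = out + ([cur] if cur else []), []
        elif line.strip():
            cur.append(line)
    return out + ([cur] if cur else [])

def audit(text):
    """Return findings for EVPN-bound BDs and EVPN peers that lack the ND settings."""
    findings = []
    for head, *body in sections(text):
        lines = [l.strip() for l in body]
        if head.startswith("bridge-domain ") and any(
                l.startswith("evpn binding vpn-instance ") for l in lines):
            findings += [f"{head}: missing '{c}'" for c in BD_REQUIRED if c not in lines]
        if head.startswith("bgp ") and "l2vpn-family evpn" in lines:
            evpn = lines[lines.index("l2vpn-family evpn") + 1:]
            evpn = evpn[:evpn.index("#")] if "#" in evpn else evpn
            on = {l.split()[1] for l in evpn if re.fullmatch(r"peer \S+ enable", l)}
            nd = {l.split()[1] for l in evpn if re.fullmatch(r"peer \S+ advertise nd", l)}
            findings += [f"{head}: EVPN peer {p} lacks 'advertise nd'" for p in sorted(on - nd)]
    return findings

print(audit(BROKEN_PE1))
```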
Updated: 2018-12-29

Document ID: EDOC1100057893
