Example for Configuring IP Address-based Microsegmentation
Networking Requirements
- VM1, VM2, and the physical server can access the database server.
- VM1 and the physical server cannot communicate with each other, and neither can VM2 and the physical server.
- VM1 and VM2 can communicate with each other.
Device | Interface | IP address
---|---|---
SwitchA | 10GE1/0/1 | 192.168.2.1/24
SwitchA | LoopBack0 | 2.2.2.2/32
SwitchB | 10GE1/0/1 | 192.168.3.1/24
SwitchB | LoopBack0 | 1.1.1.1/32
SwitchC | 10GE1/0/1 | 192.168.2.2/24
SwitchC | 10GE1/0/2 | 192.168.3.2/24
SwitchC | LoopBack0 | 3.3.3.3/32
Procedure
- Configure VXLAN. For details, see the configuration files.
- Enable microsegmentation.
# Configure SwitchA. The configuration of SwitchB is similar to that of SwitchA; see the configuration file for details.
```
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] traffic-segment enable
[*SwitchA] commit
```
- Configure the default microsegmentation policies.
# Configure SwitchA. The configuration of SwitchB is similar to that of SwitchA; see the configuration file for details.
```
[~SwitchA] traffic-segment unknown-segment permit //Default access control policy for hosts that belong to no EPG; the default is permit
[~SwitchA] traffic-segment default-policy deny //Default access control policy between EPG members; the default is deny
[~SwitchA] traffic-segment same-segment permit //Default access control policy between members of the same EPG; the default is none
[*SwitchA] commit
```
- Configure EPGs and specify the GBP policy.
# On SwitchA, add VM1 and VM2 to the group EPG1. The configuration of SwitchB is similar to that of SwitchA; see the configuration file for details.
```
[~SwitchA] traffic-segment segment-id 32768 segment-name EPG1
[*SwitchA-traffic-segment-32768] segment-member ip 192.168.10.1 32 vpn-instance vpn1
[*SwitchA-traffic-segment-32768] segment-member ip 192.168.20.1 32 vpn-instance vpn1
[*SwitchA-traffic-segment-32768] quit
[*SwitchA] commit
```
# On SwitchA, specify the GBP policy. The configuration of SwitchB is similar to that of SwitchA; see the configuration file for details.
```
[~SwitchA] segment classifier EPG1-EPG3 //Match rules for traffic between EPG1 and EPG3
[*SwitchA-segmentclassifier-EPG1-EPG3] rule permit source-segment 32768 destination-segment 32770
[*SwitchA-segmentclassifier-EPG1-EPG3] rule permit source-segment 32770 destination-segment 32768
[*SwitchA-segmentclassifier-EPG1-EPG3] quit
[*SwitchA] commit
[~SwitchA] segment classifier EPG2-EPG3 //Match rules for traffic between EPG2 and EPG3
[*SwitchA-segmentclassifier-EPG2-EPG3] rule permit source-segment 32769 destination-segment 32770
[*SwitchA-segmentclassifier-EPG2-EPG3] rule permit source-segment 32770 destination-segment 32769
[*SwitchA-segmentclassifier-EPG2-EPG3] quit
[*SwitchA] commit
[~SwitchA] segment behavior EPG1-EPG3 //Behavior for traffic between EPG1 and EPG3
[*SwitchA-segmentbehavior-EPG1-EPG3] quit
[*SwitchA] commit
[~SwitchA] segment behavior EPG2-EPG3 //Behavior for traffic between EPG2 and EPG3
[*SwitchA-segmentbehavior-EPG2-EPG3] quit
[*SwitchA] commit
[~SwitchA] segment policy GBP //Configure and apply the policy for traffic between EPGs
[*SwitchA-segmentpolicy-GBP] classifier EPG1-EPG3 behavior EPG1-EPG3
[*SwitchA-segmentpolicy-GBP] classifier EPG2-EPG3 behavior EPG2-EPG3
[*SwitchA-segmentpolicy-GBP] quit
[*SwitchA] commit
```
- Verify the configuration.
# After the preceding configuration succeeds, run the display traffic-segment configured-information command on SwitchA to view the EPG configuration.
```
[~SwitchA] display traffic-segment configured-information
------------------------------------------------------------------------------
Segment-Id      Segment-Name    Segment-Type    MemberNum
------------------------------------------------------------------------------
32768           EPG1            IPv4            2
------------------------------------------------------------------------------
Total:1 Segment,2 Member.
------------------------------------------------------------------------------
```
After the configuration is complete, the following access control takes effect:
- VM1, VM2, and the physical server can access the database server.
- VM1 and the physical server cannot communicate with each other, and neither can VM2 and the physical server.
- VM1 and VM2 can communicate with each other.
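The following Python model is an added example, not Huawei code and not part of this configuration guide. It re-implements the access decision that the traffic-segment and GBP configuration above expresses (EPG membership, the three default policies, and the classifier/behavior pairs in policy GBP) so that the listed requirements can be checked offline. The evaluation order (unknown-segment, then same-segment, then classifier rules, then default-policy), the treatment of a matched "rule permit" with an empty behavior as a permit, and the mapping of EPG2 to the physical server and EPG3 to the database server are assumptions made for this model; the page only gives the member IP addresses.

```python
"""Decision model for the IP-based microsegmentation policy in this example.

Added example (not Huawei's code): it re-implements the access decision that
the traffic-segment / GBP configuration on SwitchA and SwitchB expresses, so
the stated access requirements can be checked offline.  The evaluation order
(unknown-segment -> same-segment -> classifier rule -> default-policy) and the
mapping of EPG2/EPG3 to the physical server and database server are assumptions
made for this model.
"""
from ipaddress import ip_address, ip_network

# EPG membership from the configuration files (host routes, /32).
SEGMENTS = {
    32768: ("EPG1", ["192.168.10.1/32", "192.168.20.1/32"]),  # VM1, VM2
    32769: ("EPG2", ["192.168.30.1/32"]),                     # physical server (assumed)
    32770: ("EPG3", ["192.168.40.1/32"]),                     # database server (assumed)
}

# Default policies as configured in the "default policy" step.
UNKNOWN_SEGMENT = "permit"  # traffic-segment unknown-segment permit
DEFAULT_POLICY = "deny"     # traffic-segment default-policy deny
SAME_SEGMENT = "permit"     # traffic-segment same-segment permit

# "segment policy GBP": (precedence, classifier name, match rules).  Every
# classifier rule on the page is "rule permit" and both behaviors are empty,
# so a match is modelled as a permit (assumption).
GBP_POLICY = [
    (3, "EPG1-EPG3", [(32768, 32770), (32770, 32768)]),
    (6, "EPG2-EPG3", [(32769, 32770), (32770, 32769)]),
]

# Constructed host roles for the checks below (VM1/VM2 follow the page; the
# other two are inferred from the requirements).
HOSTS = {
    "VM1": "192.168.10.1",
    "VM2": "192.168.20.1",
    "PhysicalServer": "192.168.30.1",
    "DatabaseServer": "192.168.40.1",
}


def segment_of(ip: str):
    """Return the segment ID whose member list contains ip, or None."""
    addr = ip_address(ip)
    for seg_id, (_name, members) in SEGMENTS.items():
        if any(addr in ip_network(member) for member in members):
            return seg_id
    return None


def policy_action(src_seg: int, dst_seg: int):
    """Action of the first classifier (by precedence) matching the pair, or None."""
    for _precedence, _name, rules in sorted(GBP_POLICY, key=lambda e: e[0]):
        if (src_seg, dst_seg) in rules:
            return "permit"
    return None


def evaluate(src_ip: str, dst_ip: str) -> str:
    """Return 'permit' or 'deny' for a flow from src_ip to dst_ip."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    # 1. An endpoint that belongs to no EPG is governed by unknown-segment.
    if src_seg is None or dst_seg is None:
        return UNKNOWN_SEGMENT
    # 2. Both endpoints in one EPG: same-segment applies unless it is "none".
    if src_seg == dst_seg and SAME_SEGMENT != "none":
        return SAME_SEGMENT
    # 3. An explicit classifier/behavior pair in the applied policy.
    action = policy_action(src_seg, dst_seg)
    if action is not None:
        return action
    # 4. Otherwise the default policy between EPG members decides.
    return DEFAULT_POLICY


def check_requirements() -> dict:
    """Map each requirement from the page to the decision the model returns."""
    h = HOSTS
    return {
        "VM1->DatabaseServer": evaluate(h["VM1"], h["DatabaseServer"]),
        "VM2->DatabaseServer": evaluate(h["VM2"], h["DatabaseServer"]),
        "PhysicalServer->DatabaseServer": evaluate(h["PhysicalServer"], h["DatabaseServer"]),
        "VM1->PhysicalServer": evaluate(h["VM1"], h["PhysicalServer"]),
        "VM2->PhysicalServer": evaluate(h["VM2"], h["PhysicalServer"]),
        "VM1->VM2": evaluate(h["VM1"], h["VM2"]),
    }


if __name__ == "__main__":
    for flow, decision in check_requirements().items():
        print(f"{flow:32s} {decision}")
    # Effect of "unknown-segment permit": a host outside every EPG is not filtered.
    print("192.168.50.9 (no EPG) -> DatabaseServer:",
          evaluate("192.168.50.9", HOSTS["DatabaseServer"]))
```

Running the script lists the six flows from the requirements with the decision each receives. The last line of output illustrates the consequence of the unknown-segment permit setting shown in the default-policy step: a host whose address is in no EPG (the constructed 192.168.50.9) is not subject to the GBP policy at all, so keeping every host inside an EPG is what makes the deny default effective.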
Configuration Files
Configuration file of SwitchA
```
#
sysname SwitchA
#
evpn-overlay enable
#
traffic-segment same-segment permit
#
traffic-segment segment-id 32768 segment-name EPG1
 segment-member ip 192.168.10.1 255.255.255.255 vpn-instance vpn1
 segment-member ip 192.168.20.1 255.255.255.255 vpn-instance vpn1
#
segment classifier EPG1-EPG3
 rule permit source-segment 32768 destination-segment 32770
 rule permit source-segment 32770 destination-segment 32768
#
segment classifier EPG2-EPG3
 rule permit source-segment 32769 destination-segment 32770
 rule permit source-segment 32770 destination-segment 32769
#
segment behavior EPG1-EPG3
#
segment behavior EPG2-EPG3
#
segment policy GBP
 classifier EPG1-EPG3 behavior EPG1-EPG3 precedence 3
 classifier EPG2-EPG3 behavior EPG2-EPG3 precedence 6
#
traffic-segment enable
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 11:11
  vpn-target 1:1 export-extcommunity
  vpn-target 11:1 export-extcommunity evpn
  vpn-target 1:1 import-extcommunity
  vpn-target 11:1 import-extcommunity evpn
  vxlan vni 5010
#
bridge-domain 10
 vxlan vni 10
 evpn
  route-distinguisher 10:1
  vpn-target 10:1 export-extcommunity
  vpn-target 11:1 export-extcommunity
  vpn-target 10:1 import-extcommunity
#
bridge-domain 20
 vxlan vni 20
 evpn
  route-distinguisher 20:1
  vpn-target 20:1 export-extcommunity
  vpn-target 11:1 export-extcommunity
  vpn-target 20:1 import-extcommunity
#
interface Vbdif10
 ip binding vpn-instance vpn1
 ip address 192.168.10.2 255.255.255.0
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif20
 ip binding vpn-instance vpn1
 ip address 192.168.20.2 255.255.255.0
 vxlan anycast-gateway enable
 arp collect host enable
#
interface 10GE1/0/1
 undo portswitch
 ip address 192.168.2.1 255.255.255.0
#
interface 10GE1/0/2.1 mode l2
 encapsulation dot1q vid 10
 bridge-domain 10
#
interface 10GE1/0/3.1 mode l2
 encapsulation dot1q vid 20
 bridge-domain 20
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
interface Nve1
 source 2.2.2.2
 vni 10 head-end peer-list protocol bgp
 vni 20 head-end peer-list protocol bgp
#
bgp 200
 peer 192.168.2.2 as-number 100
 #
 ipv4-family unicast
  network 2.2.2.2 255.255.255.255
  peer 192.168.2.2 enable
#
bgp 100 instance evpn1
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack0
 #
 l2vpn-family evpn
  policy vpn-target
  peer 3.3.3.3 enable
  peer 3.3.3.3 advertise irb
#
return
```
Configuration file of SwitchB
```
#
sysname SwitchB
#
evpn-overlay enable
#
traffic-segment same-segment permit
#
traffic-segment segment-id 32769 segment-name EPG2
 segment-member ip 192.168.30.1 255.255.255.255 vpn-instance vpn1
#
traffic-segment segment-id 32770 segment-name EPG3
 segment-member ip 192.168.40.1 255.255.255.255 vpn-instance vpn1
#
segment classifier EPG1-EPG3
 rule permit source-segment 32768 destination-segment 32770
 rule permit source-segment 32770 destination-segment 32768
#
segment classifier EPG2-EPG3
 rule permit source-segment 32769 destination-segment 32770
 rule permit source-segment 32770 destination-segment 32769
#
segment behavior EPG1-EPG3
#
segment behavior EPG2-EPG3
#
segment policy GBP
 classifier EPG1-EPG3 behavior EPG1-EPG3 precedence 3
 classifier EPG2-EPG3 behavior EPG2-EPG3 precedence 6
#
traffic-segment enable
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 22:22
  vpn-target 2:2 export-extcommunity
  vpn-target 11:1 export-extcommunity evpn
  vpn-target 2:2 import-extcommunity
  vpn-target 11:1 import-extcommunity evpn
  vxlan vni 5010
#
bridge-domain 30
 vxlan vni 30
 evpn
  route-distinguisher 30:1
  vpn-target 30:1 export-extcommunity
  vpn-target 11:1 export-extcommunity
  vpn-target 30:1 import-extcommunity
#
bridge-domain 40
 vxlan vni 40
 evpn
  route-distinguisher 40:1
  vpn-target 40:1 export-extcommunity
  vpn-target 11:1 export-extcommunity
  vpn-target 40:1 import-extcommunity
#
interface Vbdif30
 ip binding vpn-instance vpn1
 ip address 192.168.30.2 255.255.255.0
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif40
 ip binding vpn-instance vpn1
 ip address 192.168.40.2 255.255.255.0
 vxlan anycast-gateway enable
 arp collect host enable
#
interface 10GE1/0/1
 undo portswitch
 ip address 192.168.3.1 255.255.255.0
#
interface 10GE1/0/2.1 mode l2
 encapsulation dot1q vid 30
 bridge-domain 30
#
interface 10GE1/0/3.1 mode l2
 encapsulation dot1q vid 40
 bridge-domain 40
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
interface Nve1
 source 1.1.1.1
 vni 30 head-end peer-list protocol bgp
 vni 40 head-end peer-list protocol bgp
#
bgp 300
 peer 192.168.3.2 as-number 100
 #
 ipv4-family unicast
  network 1.1.1.1 255.255.255.255
  peer 192.168.3.2 enable
#
bgp 100 instance evpn1
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack0
 #
 l2vpn-family evpn
  policy vpn-target
  peer 3.3.3.3 enable
  peer 3.3.3.3 advertise irb
#
return
```
Configuration file of SwitchC
```
#
sysname SwitchC
#
evpn-overlay enable
#
interface 10GE1/0/1
 undo portswitch
 ip address 192.168.2.2 255.255.255.0
#
interface 10GE1/0/2
 undo portswitch
 ip address 192.168.3.2 255.255.255.0
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
bgp 100
 peer 192.168.2.1 as-number 200
 peer 192.168.3.1 as-number 300
 #
 ipv4-family unicast
  network 3.3.3.3 255.255.255.255
  peer 192.168.2.1 enable
  peer 192.168.3.1 enable
#
bgp 100 instance evpn1
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 2.2.2.2 enable
  peer 2.2.2.2 advertise irb
  peer 2.2.2.2 reflect-client
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
  peer 1.1.1.1 reflect-client
#
return
```