配置VXLAN over IPSec双活场景示例

NE20E-S V800R012C00SPC300 配置指南 - 局域网与城域网接入 04

评分并提供意见反馈 :

华为采用机器翻译与人工审校相结合的方式将此文档翻译成不同语言，希望能帮助您更容易理解此文档的内容。请注意：即使是最好的机器翻译，其准确度也不及专业翻译人员的水平。华为对于翻译的准确性不承担任何责任，并建议您参考英文文档（已提供链接）。

在数据中心与企业Site对接的场景中，CE双归接入VXLAN网络，增强VXLAN的接入可靠性，遇到故障可以更快速的收敛。通过IPSec封装，可以实现加密传输，保证传输安全。

组网需求

如图16-27所示，CE1双归接入PE1和PE2，PE1和PE2对外使用一个虚地址作为NVE源的VTEP地址。这样从CPE侧只感知到一个远端NVE，CPE与Anycast VTEP地址之间建立静态的VXLAN隧道实现CPE与PE设备之间的互通。VXLAN是明文报文在网络传输不安全，通过IPSec封装，可以实现加密传输，保证传输安全。

图16-27 配置VXLAN over IPSec双活场景组网图

本示例中interface1，interface2，interface3分别代表GigabitEthernet0/1/1，GigabitEthernet0/2/0，GigabitEthernet0/3/0。

表16-10 接口的IP地址

设备	接口	IP地址
PE1	GigabitEthernet 0/1/1	10.1.20.1/24
	GigabitEthernet 0/1/2	192.168.1.1/24
	GigabitEthernet 0/1/3	10.1.1.1/24
	LoopBack0	1.1.1.1/32
	LoopBack1	3.3.3.3/32
	LoopBack2	5.5.5.5/32
PE2	GigabitEthernet 0/1/1	10.1.20.2/24
	GigabitEthernet 0/1/2	192.168.2.1/24
	GigabitEthernet 0/1/3	10.1.2.1/24
	LoopBack0	2.2.2.2/32
	LoopBack1	3.3.3.3/32
	LoopBack2	5.5.5.5/32
CE1	GigabitEthernet 0/1/1	192.168.1.2/24
CE1	GigabitEthernet 0/1/2	192.168.2.2/24
CPE	GigabitEthernet0/1/1	10.1.1.2/24
	LoopBack0	4.4.4.4/32
	LoopBack1	6.6.6.6/32

配置思路

采用如下的思路配置：

在CE、PE和CPE设备上配置路由协议，保证网络二层互通。
在PE1和PE2上配置业务接入点，实现CE1双归接入PE1和PE2。
在PE设备与CPE之间创建静态VXLAN隧道，实现PE设备与EPC设备之间的互通。
在PE1与PE2之间创建Bypass VXLAN隧道，实现PE1与PE2之间的互通。
（可选）在PE1和PE2上配置使能UDP端口，防止回切多包。
在PE设备和CPE设备上配置IPSec功能，创建IPSec Tunnel。

数据准备

为完成此配置例，需准备如下的数据：

接口与IP地址。
EVPN实例的名称。
EVPN实例的收发路由属性VPN-Target。
预共享密钥。
IPSec安全提议中采用的安全协议，加密算法，认证算法。
IKE安全提议采用的认证算法和加密算法。

操作步骤

配置各节点接口的IP地址及Loopback接口的地址。
具体配置过程请参考配置文件。
配置IGP协议，本示例使用ISIS。
具体配置过程请参考配置文件。

使能EVPN相关能力

# 配置PE1。

<PE1> system-view
[~PE1] evpn

[*PE1-evpn] vlan-extend private enable

[*PE1-evpn] vlan-extend redirect enable

[*PE1-evpn] local-remote frr enable

[*PE1-evpn] bypass-vxlan enable

[*PE1-evpn] quit

[*PE1] commit

在PE2上的配置与PE1类似，具体配置过程请参考配置文件。

配置PE1与PE2之间的BGP对等体和EVPN IBGP邻居，收发VXLAN路由。

# 配置PE1。

[~PE1] bgp 100

[*PE1-bgp] peer 2.2.2.2 as-number 100

[*PE1-bgp] peer 2.2.2.2 connect-interface LoopBack 0

[*PE1-bgp] ipv4-family unicast

[*PE1-bgp-af-ipv4] undo synchronization

[*PE1-bgp-af-ipv4] peer 2.2.2.2 enable

[*PE1-bgp-af-ipv4] quit

[*PE1-bgp] l2vpn-family evpn

[*PE1-bgp-af-evpn] undo policy vpn-target

[*PE1-bgp-af-evpn] peer 2.2.2.2 enable

[*PE1-bgp-af-evpn] peer 2.2.2.2 advertise encap-type vxlan

[*PE1-bgp-af-evpn] quit

[*PE1-bgp] quit

[*PE1] commit

在PE2上的配置与PE1类似，具体配置过程请参考配置文件。

创建VXLAN隧道。

在PE上配置EVPN实例，并绑定BD。

# 配置PE1。

[~PE1] evpn vpn-instance evpn1 bd-mode

[*PE1-evpn-instance-evpn1] route-distinguisher 11:11

[*PE1-evpn-instance-evpn1] vpn-target 1:1 export-extcommunity

[*PE1-evpn-instance-evpn1] vpn-target 1:1 import-extcommunity

[*PE1-evpn-instance-evpn1] quit

[*PE1] bridge-domain 10

[*PE1-bd10] vxlan vni 10 split-horizon-mode

[*PE1-bd10] evpn binding vpn-instance evpn1

[*PE1-bd10] quit

[*PE1] commit

在PE2的配置与PE1类似，具体配置过程请参考配置文件。

在PE上使能头端复制功能

# 配置CPE。

[~CPE] interface nve 1

[*CPE-Nve1] source 4.4.4.4

[*CPE-Nve1] vni 10 head-end peer-list 3.3.3.3

[*CPE-Nve1] quit

[*CPE] commit

# 配置PE1。

[~PE1] interface nve 1

[*PE1-Nve1] source 3.3.3.3

[*PE1-Nve1] bypass source 1.1.1.1

[*PE1-Nve1] mac-address 00e0-fc12-7890

[*PE1-Nve1] vni 10 head-end peer-list protocol bgp

[*PE1-Nve1] vni 10 head-end peer-list 4.4.4.4

[*PE1-Nve1] quit

[*PE1] commit

在PE2上配置与PE1类似，具体配置过程请参考配置文件。

配置CE接入PE

在PE1上配置

[*PE1] e-trunk 1

[*PE1-e-trunk-1] priority 10

[*PE1-e-trunk-1] peer-address 2.2.2.2 source-address 1.1.1.1

[*PE1-e-trunk-1] quit

[*PE1] interface eth-trunk 1

[*PE1-Eth-Trunk1] mac-address 00e0-fc12-3456

[*PE1-Eth-Trunk1] mode lacp-static

[*PE1-Eth-Trunk1] e-trunk 1

[*PE1-Eth-Trunk1] e-trunk mode force-master

[*PE1-Eth-Trunk1] es track evpn-peer 2.2.2.2

[*PE1-Eth-Trunk1] esi 0000.0001.0001.0001.0001

[*PE1-Eth-Trunk1] quit

[*PE1] interface eth-trunk1.1 mode l2

[*PE1-Eth-Trunk1.1] encapsulation dot1q vid 1

[*PE1-Eth-Trunk1.1] rewrite pop single

[*PE1-Eth-Trunk1.1] bridge-domain 10

[*PE1-Eth-Trunk1.1] quit

[~PE1] commit

在PE2上配置与PE1类似，具体配置过程请参考配置文件。

(可选) 配置UDP端口号。
# 配置PE1.
```
[~PE1] evpn enhancement port 1345
```
```
[*PE1] commit
```
处于双活场景下的两台PE设备上配置的UDP端口号port-id必须一样。

在PE2上配置与PE1类似，具体配置过程请参考配置文件。

配置PE1的IPSec功能。

配置高级ACL 3000。

[~PE1] acl 3000
[*PE1-acl-adv-3000] rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
[*PE1acl-adv-3000] quit
[*PE1] commit

配置名称为tran1的IPSec安全提议。

[~PE1] ipsec proposal tran1
[*PE1-ipsec-proposal-tran1] encapsulation-mode tunnel
[*PE1-ipsec-proposal-tran1] transform esp
[*PE1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[*PE1-ipsec-proposal-tran1] esp encryption-algorithm aes 256
[*PE1-ipsec-proposal-tran1] quit
[*PE1] commit

配置序号为10的IKE安全提议。

[~PE1] ike proposal 10
[*PE1-ike-proposal-10] authentication-method pre-share
[*PE1-ike-proposal-10] authentication-algorithm sha2-256
[*PE1-ike-proposal-10] integrity-algorithm hmac-sha2-256
[*PE1-ike-proposal-10] dh group14
[*PE1-ike-proposal-10] quit
[*PE1] commit

配置名称为b的IKE peer。
```
[~PE1] ike peer b
[*PE1-ike-peer-b] ike-proposal 10
[*PE1-ike-peer-b] remote-address 4.4.4.4
[*PE1-ike-peer-b] pre-shared-key abcde
[*PE1-ike-peer-b] quit
[*PE1] commit
```
NE20E同时开启IKEv1和IKEv2，缺省情况下采用IKEv2进行协商，若对端不支持IKEv2，请禁用IKEv2，采用IKEv1进行协商。

预共享密钥的配置需要与对端设备相同。

配置名称为map1序号为10的IPSec安全策略。

[~PE1] ipsec policy map1 10 isakmp
[*PE1-ipsec-policy-isakmp-map1-10] security acl 3000
[*PE1-ipsec-policy-isakmp-map1-10] proposal tran1
[*PE1-ipsec-policy-isakmp-map1-10] ike-peer b
[~PE1-ipsec-policy-isakmp-map1-10] local-address 3.3.3.3
[*PE1-ipsec-policy-isakmp-map1-10] quit
[*PE1] commit

配置IPsec服务实例组group1。

当NE20E属于NSP 1:1保护模式时请参照如下配置：

[*PE1]service-location 1

[*PE1-service-location-1] location follow-forwarding-mode

[*PE1-service-location-1] commit

[*PE1-service-location-1] quit

当NE20E不属于NSP 1:1保护模式时，请参照如下配置：

[~PE1] service-location 1

[*PE1-service-location-1] location slot 10

[*PE1-service-location-1] commit

[~PE1-service-location-1] quit

[~PE1] service-instance-group group1

[*PE1-service-instance-group-group1] service-location 1

[*PE1-service-instance-group-group1] quit

[*PE1] commit

创建并配置IPSec Tunnel。

[~PE1] interface Tunnel 1
[*PE1-Tunnel1] ip address 10.11.1.1 255.255.255.255
[*PE1-Tunnel1] tunnel-protocol ipsec
[*PE1-Tunnel1] ipsec policy map1 service-instance-group group1
[*PE1-Tunnel1] quit
[*PE1] commit

配置引流入隧道的静态路由。

[~PE1] ip route-static 6.6.6.6 255.255.255.255 GigabitEthernet0/1/3 10.1.1.2
[*PE1] ip route-static 4.4.4.4 255.255.255.255 Tunnel1 6.6.6.6
[*PE1] commit

在PE2上配置与PE1类似，具体配置过程请参考配置文件。

配置CPE的IPSec功能。

配置高级ACL 3000。

[~CPE] acl 3000
[*CPE-acl-adv-3000] rule 5 permit ip
[*CPE-acl-adv-3000] quit
[*CPE] commit

配置名称为tran1的IPSec安全提议。

[~CPE] ipsec proposal tran1
[*CPE-ipsec-proposal-tran1] encapsulation-mode tunnel
[*CPE-ipsec-proposal-tran1] transform esp
[*CPE-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[*CPE-ipsec-proposal-tran1] esp encryption-algorithm aes 256
[*CPE-ipsec-proposal-tran1] quit
[*CPE] commit

配置序号为10的IKE安全提议。

[~CPE] ike proposal 10
[*CPE-ike-proposal-10] authentication-method pre-share
[*CPE-ike-proposal-10] authentication-algorithm sha2-256
[*CPE-ike-proposal-10] integrity-algorithm hmac-sha2-256
[*CPE-ike-proposal-10] dh group14
[*CPE-ike-proposal-10] quit
[*CPE] commit

配置名称为1的IKE peer。
```
[~CPE] ike peer 1
[*CPE-ike-peer-1] ike-proposal 10
[*CPE-ike-peer-1] remote-address 5.5.5.5
[*CPE-ike-peer-1] pre-shared-key abcde
[*CPE-ike-peer-1] quit
[*CPE] commit
```
NE20E同时开启IKEv1和IKEv2，缺省情况下采用IKEv2进行协商，若对端不支持IKEv2，请禁用IKEv2，采用IKEv1进行协商。

预共享密钥的配置需要与对端设备相同。

配置名称为temp1序号为1的IPSec安全策略模板。

[~CPE] ipsec policy-template temp1 1
[*CPE-ipsec-policy-templet-temp1-1] security acl 3000
[*CPE-ipsec-policy-templet-temp1-1] proposal tran1
[*CPE-ipsec-policy-templet-temp1-1] ike-peer 1
[*CPE-ipsec-policy-templet-temp1-1] local-address 6.6.6.6
[*CPE-ipsec-policy-templet-temp1-1] quit
[*CPE] commit

根据安全模板创建安全策略。

[~CPE] ipsec policy 1 1 isakmp template temp1
[*CPE] commit

配置IPSec服务实例组group1。

当NE20E属于NSP 1:1保护模式时请参照如下配置：

[~CPE] service-location 1

[*CPE-service-location-1] location follow-forwarding-mode

[*CPE-service-location-1] commit

[~CPE-service-location-1] quit

当NE20E不属于NSP 1:1保护模式时，请参照如下配置：

[~CPE] service-location 1

[*CPE-service-location-1] location slot 10

[*CPE-service-location-1] commit

[~CPE-service-location-1] quit

[~CPE] service-instance-group group1

[*CPE-service-instance-group-group1] service-location 1

[*CPE-service-instance-group-group1] quit

[*CPE] commit

创建并配置IPSec Tunnel。

[~CPE] interface Tunnel 1
[*CPE-Tunnel1] ip address 10.22.2.2 255.255.255.255
[*CPE-Tunnel1] tunnel-protocol ipsec
[*CPE-Tunnel1] ipsec policy 1 service-instance-group group1
[*CPE-Tunnel1] quit
[*CPE] commit

配置引流入隧道的静态路由。

[~CPE] ip route-static 5.5.5.5 255.255.255.255 GigabitEthernet0/1/1 192.168.1.1
[*CPE] commit

配置文件

PE1的配置文件

#
sysname PE1
#
evpn enhancement port 1345
#
evpn
 vlan-extend private enable
 vlan-extend redirect enable
 local-remote frr enable
 bypass-vxlan enable
#
evpn vpn-instance evpn1 bd-mode
 route-distinguisher 11:11
 vpn-target 1:1 export-extcommunity
 vpn-target 1:1 import-extcommunity
#
bridge-domain 10
 vxlan vni 10 split-horizon-mode
 evpn binding vpn-instance evpn1
#  
acl number 3000
  rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
#
e-trunk 1
 priority 10
 peer-address 2.2.2.2 source-address 1.1.1.1
#
isis 1
 network-entity 10.0000.0000.0001.00
 frr
#

#
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256 
 integrity-algorithm hmac-sha2-256
#
ike peer b
 pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
 ike-proposal 10
 remote-address 6.6.6.6
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256  
 esp encryption-algorithm aes 256
#                                         
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 proposal tran1
 local-address 5.5.5.5
# 
interface Eth-Trunk1
 mac-address 00e0-fc12-3456
 mode lacp-static
 e-trunk 1
 e-trunk mode force-master
 es track evpn-peer 2.2.2.2
 esi 0000.0001.0001.0001.0001
#
interface Eth-Trunk1.1 mode l2
 encapsulation dot1q vid 1
 rewrite pop single
 bridge-domain 10
#
interface GigabitEthernet 0/1/1
 undo shutdown
 ip address 10.1.20.1 255.255.255.0
#
interface GigabitEthernet 0/1/2
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet 0/1/3
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 isis enable 1
#
interface LoopBack1
 ip address 3.3.3.3 255.255.255.255
 isis enable 1
#
interface LoopBack2
 ip address 5.5.5.5 255.255.255.255
 isis enable 1
#
interface Nve1
 source 3.3.3.3
 bypass source 1.1.1.1
 mac-address 00e0-fc12-7890
 vni 10 head-end peer-list protocol bgp
 vni 10 head-end peer-list 4.4.4.4
#
bgp 100
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.2 enable
#
 l2vpn-family evpn
  undo policy vpn-target
  peer 2.2.2.2 enable
  peer 2.2.2.2 advertise encap-type vxlan
#
interface Tunnel1 
 ip address 10.11.1.1 255.255.255.0
 tunnel-protocol ipsec
 ipsec policy map1 service-instance-group group1
#
ip route-static 6.6.6.6 255.255.255.255 GigabitEthernet0/1/3 10.1.1.2        
ip route-static 4.4.4.4 255.255.255.255 Tunnel1 6.6.6.6   
#
return

PE2的配置文件

#
sysname PE2
# evpn enhancement port 1345
#
evpn
 vlan-extend redirect enable
 vlan-extend private enable
 local-remote frr enable
 bypass-vxlan enable
#
evpn vpn-instance evpn1 bd-mode
 route-distinguisher 22:22
 vpn-target 1:1 export-extcommunity
 vpn-target 1:1 import-extcommunity
#
bridge-domain 10
 vxlan vni 10 split-horizon-mode
 evpn binding vpn-instance evpn1
#
acl number 3000
  rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0

#
service-location 1
 location follow-forwarding-mode//NSP 1:1保护模式
 location slot 11//非NSP 1:1保护模式
#
service-instance-group group1
 service-location 1
#
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256 
 integrity-algorithm hmac-sha2-256
#
ike peer b
 pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
 ike-proposal 10
 remote-address 2.2.2.2
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256  
 esp encryption-algorithm aes 256
#                                         
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 proposal tran1
 local-address 5.5.5.5

#
e-trunk 1
 priority 10
 peer-address 1.1.1.1 source-address 2.2.2.2
#
isis 1
 network-entity 10.0000.0000.0002.00
 frr
#
interface Eth-Trunk1
 mac-address 00e0-fc12-3456
 mode lacp-static
 e-trunk 1
 e-trunk mode force-master
 es track evpn-peer 1.1.1.1
 esi 0000.0001.0001.0001.0001
#
interface Eth-Trunk1.1 mode l2
 encapsulation dot1q vid 1
 rewrite pop single
 bridge-domain 10
#
interface GigabitEthernet 0/1/1
 undo shutdown
  ip address 10.1.20.2 255.255.255.0
#
interface GigabitEthernet 0/1/2
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet 0/1/3
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
 isis enable 1
#
interface LoopBack1
 ip address 3.3.3.3 255.255.255.255
 isis enable 1
#
interface LoopBack2
 ip address 5.5.5.5 255.255.255.255
 isis enable 1
#
interface Nve1
 source 3.3.3.3
 bypass source 2.2.2.2
 mac-address 00e0-fc12-7890
 vni 10 head-end peer-list protocol bgp
 vni 10 head-end peer-list 4.4.4.4
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.1 enable
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise encap-type vxlan
 #

interface Tunnel1 
 ip address 10.11.1.1 255.255.255.0
 tunnel-protocol ipsec
 ipsec policy map1 service-instance-group group1
#
ip route-static 6.6.6.6 255.255.255.255 GigabitEthernet0/1/3 10.1.2.2        
ip route-static 4.4.4.4 255.255.255.255 Tunnel1 6.6.6.6   
#
return

CE的配置文件

#
sysname CE
#
vlan batch 1 to 4094
#
interface Eth-Trunk1
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 1
#
interface GigabitEthernet 0/1/1
  undo shutdown
 eth-trunk 1
#
interface GigabitEthernet 0/1/2
 undo shutdown
 eth-trunk 1
#
return

CPE的配置文件

#
sysname CPE
#
bridge-domain 10
 vxlan vni 10 split-horizon-mode
#
acl number 3000
  rule 5 permit ip

#
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256 
 integrity-algorithm hmac-sha2-256
#
ike peer 1
 pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
 ike-proposal 10
 remote-address 5.5.5.5
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256  
 esp encryption-algorithm aes 256
#                                         
ipsec policy-template temp1 1
#
 security acl 3000
 ike-peer 1
 proposal tran1
 local-address 6.6.6.6
#
ipsec policy 1 1 isakmp template temp1

#
isis 1
 network-entity 20.0000.0000.0001.00
 frr
#
interface GigabitEthernet 0/1/1
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
 isis enable 1
#
interface GigabitEthernet 0/1/1.1 mode l2
 encapsulation dot1q vid 10
 rewrite pop single
 bridge-domain 10
#
interface LoopBack0
 ip address 4.4.4.4 255.255.255.255
 isis enable 1
#
interface LoopBack1
 ip address 6.6.6.6 255.255.255.255
 isis enable 1
#
interface Nve1
 source 4.4.4.4
 vni 10 head-end peer-list 3.3.3.3
#

interface Tunnel1 
 ip address 10.22.2.2 255.255.255.255                                             
 tunnel-protocol ipsec 
 ipsec policy 1 service-instance-group group1                                                                         
#
 ip route-static 5.5.5.5 255.255.255.255 GigabitEthernet0/1/1 192.168.1.1
#
return

翻译

English

下载文档

更新时间：2020-07-02

文档编号：EDOC1100147136

浏览量：1850

下载量：33

平均得分:

本文档适用于这些产品

提示

组网需求

配置思路

数据准备

操作步骤

配置文件

相关版本

相关文档

关于华为

如何购买

合作伙伴

资源

快速链接

企业业务App

提示

企业用户

集团网站

个人用户

运营商用户

AFRICA

LATIN AMERICA

MIDDLE EAST

ASIA PACIFIC

NORTH AMERICA

EUROPE

配置VXLAN over IPSec双活场景示例

组网需求

配置思路

数据准备

操作步骤

配置文件

相关版本

相关文档

关于华为

如何购买

合作伙伴

资源

快速链接

企业业务App