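BGP EVPN Distributed Gateway Lab
Distributed gateway EVPN lab
Configuration steps:
1. Configure network-wide connectivity and serial link interconnection.
2. Enable EVPN, configure BGP, configure the EVPN peers, configure the RR, and disable RT policy filtering.
3. Configure the BDs, EVPN RTs and VNIs, then add the Layer 3 RT export, configure the VLAN sub-interfaces and bind them to the BDs.
4. Configure the VRF, the Layer 3 VNI and the Layer 3 RT.
5. Configure the VBDIF interfaces: bind the VRF, configure the IP and MAC addresses, enable host ARP collection, and enable the VXLAN gateway function.
6. Configure the NVE interface and the head-end list.
Detailed steps:
1. CE1, AR1, CE2 and CE3 are interconnected at Layer 3 with loopback reachability; the switches below them are interconnected by VLAN.
2. Enable EVPN on CE1, CE2 and CE3 and configure BGP. CE2 acts as the EVPN RR and not as a VXLAN gateway.
CE1 and CE3 only need to establish a BGP neighbor relationship with CE2 and advertise IRB routes. CE2 must disable RT policy filtering.
[CE1-bgp]dis this (CE3 is the same as CE1; both establish an EVPN peer with CE2)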
#
bgp 100
peer 10.1.2.2 as-number 100
peer 10.1.2.2 connect-interface LoopBack0
#
ipv4-family unicast
peer 10.1.2.2 enable
#
l2vpn-family evpn
policy vpn-target
peer 10.1.2.2 enable
peer 10.1.2.2 advertise irb
[CE2-bgp]dis this
#
bgp 100
peer 10.1.1.1 as-number 100
peer 10.1.1.1 connect-interface LoopBack0
peer 10.1.3.3 as-number 100
peer 10.1.3.3 connect-interface LoopBack0
#
ipv4-family unicast
peer 10.1.1.1 enable
peer 10.1.2.2 enable
peer 10.1.3.3 enable
#
l2vpn-family evpn
undo policy vpn-target
peer 10.1.1.1 enable
peer 10.1.1.1 advertise irb
peer 10.1.1.1 reflect-client
peer 10.1.3.3 enable
peer 10.1.3.3 advertise irb
peer 10.1.3.3 reflect-client
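3. On CE1 and CE3, configure BDs 100 and 200, configure the VNIs, enable EVPN, configure the RD and RT values, create the sub-interfaces, and place the sub-interfaces in different BDs (CE3 omitted; same as CE1)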
[CE1-bd100]dis this
#
bridge-domain 100
vxlan vni 100
evpn
route-distinguisher 100:10
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
vpn-target 100:200 export-extcommunity //add the Layer 3 RT value so that routes are cross-generated
#
bridge-domain 200
vxlan vni 200
evpn
route-distinguisher 200:20
vpn-target 200:200 export-extcommunity
vpn-target 200:200 import-extcommunity
vpn-target 100:200 export-extcommunity //add the Layer 3 RT value so that routes are cross-generated
[CE1-bgp]int g 1/0/1
[CE1-GE1/0/1]undo shut
interface GE1/0/1.100 mode l2
encapsulation dot1q vid 10
bridge-domain 100
interface GE1/0/1.200 mode l2
encapsulation dot1q vid 20
bridge-domain 200
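4. On CE1 and CE3, configure the Layer 3 VPN instance and the Layer 3 VNI, and configure the distributed gateway:
configure the IP and MAC addresses of the VBDIF interfaces, enable the VXLAN distributed gateway, bind the VRF, and enable host ARP collection (can be copied directly to CE3)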
[CE1-vpn-instance-yeslab]dis this
#
ip vpn-instance yeslab
ipv4-family
route-distinguisher 100:200
vpn-target 100:200 export-extcommunity
vpn-target 100:200 export-extcommunity evpn
vpn-target 100:200 import-extcommunity
vpn-target 100:200 import-extcommunity evpn
vxlan vni 1000 //configure the Layer 3 VNI
interface Vbdif100 //configure the VBDIF interface and bind it to the VRF
ip binding vpn-instance yeslab
ip address 10.1.10.254 255.255.255.0
mac-address 0000-005e-0001 //CE3 can be configured with the same MAC
vxlan anycast-gateway enable
arp collect host enable
interface Vbdif200
ip binding vpn-instance yeslab
ip address 10.1.20.254 255.255.255.0
mac-address 0000-005e-0002
vxlan anycast-gateway enable
arp collect host enable
5. Configure the head-end list on CE1 and CE3 (CE3 omitted)
interface Nve1
source 10.1.1.1
vni 100 head-end peer-list protocol bgp
vni 200 head-end peer-list protocol bgp
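6. Verification commands
BGP EVPN external route import (external routes advertised as Type 5 routes)
Configuration tasks:
1. CE1, CE2 and CE3 form the VXLAN network and AR2 is the egress device. PC1-4 can reach AR2 through BGP EVPN.
2. CE2 must import the external routes through BGP EVPN and advertise them into the EVPN network (external routes advertised as Type 5 routes).
(This lab builds on the BGP EVPN sessions already established in the topology.)
- Configuration steps
Create the VPN instance and configure the RD, RT and VXLAN VNI. (There are as many RTs as there are tenants, but that arrangement suits multiple tenants sharing the same network. If PC1 needs to reach the egress but PC2 should not, create multiple VPN instances, give PC2 its own RT, and import routes separately in each BGP EVPN VPN instance.) Below, multiple RTs are configured in one VPN instance: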
[CE2-vpn-instance-yeslab]dis this
#
ip vpn-instance yeslab
ipv4-family
route-distinguisher 1:1
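vpn-target 100:200 export-extcommunity (Layer 3 RT value)
vpn-target 100:200 export-extcommunity evpn (without the evpn keyword, host IP routes from the instances on other devices cannot be received)
vpn-target 100:200 import-extcommunity (Layer 3 RT value)
vpn-target 100:200 import-extcommunity evpn (without the evpn keyword, host IP routes from the instances on other devices cannot be received)
vxlan vni 5000 (because the routes in the instance are imported into BGP EVPN, the VNI does not need to match; this Layer 3 VNI is used for encapsulation)
- Put the interfaces to be imported into the VPN instance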
interface LoopBack1
ip binding vpn-instance yeslab
ip address 22.22.22.22 255.255.255.255
interface GE1/0/1
undo portswitch
undo shutdown
ip binding vpn-instance yeslab
ip address 192.168.1.1 255.255.255.252
- The egress device must have return routes
[AR2]ip route-static 10.1.10.0 24 192.168.1.1
[AR2]ip route-static 10.1.20.0 24 192.168.1.1
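[CE2]ip route-static 0.0.0.0 0 vpn-instance yeslab 192.168.1.2 (this one is wrong: the route must not be installed in the global routing table, it has to be installed in the VPN instance routing table)
[CE2]ip route-static vpn-instance yeslab 0.0.0.0 0 vpn-instance yeslab 192.168.1.2
- Import the direct and static routes of the VPN instance into BGP and advertise them into EVPN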
[CE2-bgp]dis this
#
bgp 100
peer 10.1.1.1 as-number 100
peer 10.1.1.1 connect-interface LoopBack0
peer 10.1.3.3 as-number 100
peer 10.1.3.3 connect-interface LoopBack0
#
ipv4-family unicast
peer 10.1.1.1 enable
peer 10.1.3.3 enable
#
ipv4-family vpn-instance yeslab
import-route direct
import-route static
advertise l2vpn evpn
#
l2vpn-family evpn
undo policy vpn-target
peer 10.1.1.1 enable
peer 10.1.1.1 advertise irb
peer 10.1.1.1 reflect-client
peer 10.1.3.3 enable
peer 10.1.3.3 advertise irb
peer 10.1.3.3 reflect-client
- Configure the NVE interface; otherwise BGP will not send the Type 5 routes to the other EVPN devices
[CE2-Nve1]dis this
#
interface Nve1
source 10.1.2.2
vni 100 head-end peer-list protocol bgp
vni 200 head-end peer-list protocol bgp
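- Check the BGP EVPN Type 5 routes
Then check whether the other CEs have received the Type 5 routes
- Check that the PCs can ping the egress route
- In the packet capture, the outbound packets use VNI 5000 and the return packets use VNI 1000.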
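
The RT matching that step 3 and step 4 of the first lab and the tenant note in the second lab depend on, as an added example (not part of the original lab): it parses `vpn-target` lines and reports which sections import the EVPN routes a given section exports, a quick way to audit tenant isolation. It assumes the peer device carries the same sections (as the lab states for CE3) and, following the note in the CE2 configuration, counts only `evpn`-tagged RTs inside a vpn-instance; `tenant2` and RT `300:300` are hypothetical.

```python
import re

# Constructed sample: the RT lines from the lab's CE1 bridge-domain and
# vpn-instance sections, plus a hypothetical isolated tenant "tenant2".
CONFIG = """\
bridge-domain 100
 vpn-target 100:100 export-extcommunity
 vpn-target 100:100 import-extcommunity
 vpn-target 100:200 export-extcommunity
bridge-domain 200
 vpn-target 200:200 export-extcommunity
 vpn-target 200:200 import-extcommunity
 vpn-target 100:200 export-extcommunity
ip vpn-instance yeslab
 vpn-target 100:200 export-extcommunity
 vpn-target 100:200 export-extcommunity evpn
 vpn-target 100:200 import-extcommunity
 vpn-target 100:200 import-extcommunity evpn
ip vpn-instance tenant2
 vpn-target 300:300 export-extcommunity evpn
 vpn-target 300:300 import-extcommunity evpn
"""

RT_LINE = re.compile(r"vpn-target (\S+) (export|import)-extcommunity( evpn)?$")

def parse_evpn_rts(text):
    """Return {section: {"export": set, "import": set}} of RTs applied to EVPN routes."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("bridge-domain ", "ip vpn-instance ")):
            current = line
            tables[current] = {"export": set(), "import": set()}
            continue
        m = RT_LINE.match(line)
        # Assumption from the lab's note: in a vpn-instance only "evpn" RTs count.
        if m and current and (m[3] or current.startswith("bridge-domain")):
            tables[current][m[2]].add(m[1])
    return tables

def importers(tables, source):
    """Sections (on a peer with the same config) that import routes exported by source."""
    exported = tables[source]["export"]
    return sorted(s for s, t in tables.items() if t["import"] & exported)

if __name__ == "__main__":
    t = parse_evpn_rts(CONFIG)
    for name in t:
        print(f"{name} routes are imported by {importers(t, name)}")
```
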