I. Lab topology
II. Lab requirements
1. Configure a routing protocol on CE1, CE2 and CE3 to provide Layer 3 reachability between them.
2. Configure service access points on CE1 and CE3 to distinguish the service traffic.
3. Use EVPN as the VXLAN control plane.
4. PC1 and PC2 belong to VLAN 10 and VLAN 20 respectively.
III. Configuration steps
1. Configure the CE interface addresses and start OSPF (only the CE1 configuration is shown below; CE2 and CE3 are similar).
2. Configure the service access points on CE1 and CE3 (the configurations are similar; only CE1 is shown).
3. Enable EVPN as the VXLAN control plane on CE1, CE2 and CE3.
4. Configure the BGP EVPN peer relationships.
CE1:
CE2:
CE3:
5. Configure the EVPN instances.
6. Configure head-end replication (only the CE3 configuration is shown; CE1 is identical).
7. Configure SW1 and SW2.
SW1: uplink port trunk, downlink port access VLAN 10.
SW2: uplink port trunk, downlink port access VLAN 20.
8. Check the configuration results.
9. Ping test.
IV. How it works (packet captures)
Capture on the CE1 downlink interface.
Click the ARP packet to inspect it: at the start PC1 does not know PC2's MAC address, so it has to send an ARP request.
Capture on the CE1 uplink interface.
CE1 does not interpret the ARP message itself; even though it has already learned the MAC address through EVPN, that is of no help here, so it still forwards the ARP request, and at this point the packet is already VXLAN-encapsulated.
Verification:
Next, capture on the CE3 uplink interface.
Check that the outer MAC addresses are the MAC of CE2's egress interface and the MAC of CE3's ingress interface.
The packet then reaches SW2 and is converted back to a plain VLAN encapsulation.
At this point the ARP request has been forwarded to PC2. The ARP reply follows the same path. Once PC1 receives the ARP reply, it encapsulates a normal ICMP packet and sends it. When the data reaches CE1, the remote MAC address table entry shows that this MAC address is reached via 3.3.3.3, i.e. CE3, so CE1 forwards the data there. This resembles the earlier ARP forwarding, but now it is pure unicast: earlier, although CE1 also only forwarded to CE3, that was in fact head-end replication, and if there were a CE4 with a service access point configured, the packet would have been sent to CE4 as well.
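To make the two forwarding cases in this section concrete, here is an added Python example (not part of the original write-up): it decodes a VXLAN-encapsulated frame such as the ARP request captured on the CE1 uplink, and then shows which VTEPs CE1 would send the inner frame to. The outer and PC MAC addresses, the PC IP addresses and the hypothetical CE4 peer 4.4.4.4 are constructed; the VTEP addresses 1.1.1.1 and 3.3.3.3 and VNI 10010 come from the configurations in section V.

```python
"""Decode a VXLAN frame from a leaf uplink and decide where the ingress VTEP
sends the inner frame: head-end replication to every peer for BUM traffic
(the broadcast ARP), one remote VTEP for known unicast (the ICMP that follows).
Added example, not the page's own code; PC/outer MACs and PC IPs are constructed."""
import socket
import struct

VXLAN_UDP_PORT = 4789
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
VXLAN_I_FLAG = 0x08            # "VNI valid" bit in the VXLAN flags byte

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def parse_ethernet(buf):
    dst, src, etype = struct.unpack("!6s6sH", buf[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": etype}, buf[14:]

def parse_ipv4(buf):
    fields = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl, total_len, proto = (fields[0] & 0x0F) * 4, fields[2], fields[6]
    hdr = {"proto": proto, "src": socket.inet_ntoa(fields[8]), "dst": socket.inet_ntoa(fields[9])}
    return hdr, buf[ihl:total_len]

def parse_udp(buf):
    sport, dport, length, _csum = struct.unpack("!HHHH", buf[:8])
    return {"sport": sport, "dport": dport}, buf[8:length]

def parse_vxlan(buf):
    # 8-byte header: flags(1) reserved(3) VNI(3) reserved(1)
    if not buf[0] & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag not set")
    return int.from_bytes(buf[4:7], "big"), buf[8:]

def parse_arp(buf):
    _ht, _pt, _hl, _pl, oper = struct.unpack("!HHBBH", buf[:8])
    return {"oper": oper, "sha": mac_str(buf[8:14]), "spa": socket.inet_ntoa(buf[14:18]),
            "tha": mac_str(buf[18:24]), "tpa": socket.inet_ntoa(buf[24:28])}

def decode_vxlan_frame(frame):
    """Outer Ethernet/IPv4/UDP/VXLAN, then the inner Ethernet frame (ARP decoded if present)."""
    outer_eth, rest = parse_ethernet(frame)
    if outer_eth["type"] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    outer_ip, rest = parse_ipv4(rest)
    if outer_ip["proto"] != 17:
        raise ValueError("outer packet is not UDP")
    udp, rest = parse_udp(rest)
    if udp["dport"] != VXLAN_UDP_PORT:
        raise ValueError(f"not VXLAN (UDP dport {udp['dport']})")
    vni, inner = parse_vxlan(rest)
    inner_eth, payload = parse_ethernet(inner)
    out = {"outer_eth": outer_eth, "outer_ip": outer_ip, "vni": vni, "inner_eth": inner_eth}
    if inner_eth["type"] == ETHERTYPE_ARP:
        out["arp"] = parse_arp(payload)
    return out

def is_bum(mac):
    return int(mac.split(":")[0], 16) & 0x01 == 1   # group bit set = broadcast/multicast

def vtep_targets(inner_dst_mac, mac_table, head_end_peers):
    """BUM and unknown unicast: replicate to every head-end peer (learned from
    Type 3 routes). Known unicast: the VTEP in the EVPN MAC table (Type 2)."""
    if is_bum(inner_dst_mac) or inner_dst_mac not in mac_table:
        return sorted(head_end_peers)
    return [mac_table[inner_dst_mac]]

def build_vxlan_frame(outer_src_mac, outer_dst_mac, src_vtep, dst_vtep, vni, inner):
    """Constructed sample builder (outer headers around an inner Ethernet frame)."""
    vxlan = bytes([VXLAN_I_FLAG, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_vtep), socket.inet_aton(dst_vtep))
    eth = mac_bytes(outer_dst_mac) + mac_bytes(outer_src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + vxlan + inner

def build_arp_request(sender_mac, sender_ip, target_ip):
    arp = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + mac_bytes(sender_mac)
           + socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip))
    return mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp

PC1_MAC, PC2_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"                  # constructed
PC1_IP, PC2_IP = "192.0.2.1", "192.0.2.2"                                    # constructed
CE1_UPLINK_MAC, CE2_INGRESS_MAC = "02:ce:01:00:00:00", "02:ce:02:00:00:00"  # constructed
SAMPLE_ARP_FRAME = build_vxlan_frame(CE1_UPLINK_MAC, CE2_INGRESS_MAC, "1.1.1.1", "3.3.3.3", 10010,
                                     build_arp_request(PC1_MAC, PC1_IP, PC2_IP))
MAC_TABLE = {PC2_MAC: "3.3.3.3"}               # remote MAC entry CE1 learned via EVPN
HEAD_END_PEERS = {"3.3.3.3", "4.4.4.4"}        # 4.4.4.4 = the hypothetical CE4 from the text

if __name__ == "__main__":
    d = decode_vxlan_frame(SAMPLE_ARP_FRAME)
    print(f"VNI {d['vni']}: {d['outer_ip']['src']} -> {d['outer_ip']['dst']}, arp {d.get('arp')}")
    print("ARP broadcast goes to:", vtep_targets(d["inner_eth"]["dst"], MAC_TABLE, HEAD_END_PEERS))
    print("ICMP to PC2 goes to:  ", vtep_targets(PC2_MAC, MAC_TABLE, HEAD_END_PEERS))
```

Run it as-is to see the broadcast ARP replicated to both peers while the unicast ICMP only goes to 3.3.3.3; to use it on a real capture, feed `decode_vxlan_frame` the raw bytes of one frame from the uplink capture and replace `MAC_TABLE` and `HEAD_END_PEERS` with the entries the leaf actually holds.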
V. Full configurations
CE1 configuration:
sysname leaf1
#
device board 17 board-type CE-MPUB
device board 1 board-type CE-LPUE
#
evpn-overlay enable
#
bridge-domain 10
 vxlan vni 10010
 evpn
  route-distinguisher 10:1
  vpn-target 100:10010 export-extcommunity
  vpn-target 100:10010 import-extcommunity
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
interface MEth0/0/0
 undo shutdown
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 12.1.1.1 255.255.255.0
#
interface GE1/0/1
 shutdown
#
interface GE1/0/2
 undo shutdown
#
interface GE1/0/2.10 mode l2
 encapsulation dot1q vid 10
 bridge-domain 10
#
interface GE1/0/3
 shutdown
#
interface GE1/0/4
 shutdown
#
interface GE1/0/5
 shutdown
#
interface GE1/0/6
 shutdown
#
interface GE1/0/7
 shutdown
#
interface GE1/0/8
 shutdown
#
interface GE1/0/9
 shutdown
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
interface Nve1
 source 1.1.1.1
 vni 10010 head-end peer-list protocol bgp
#
interface NULL0
#
bgp 100
 router-id 1.1.1.1
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  peer 2.2.2.2 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 2.2.2.2 enable
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 12.1.1.1 0.0.0.0
#
ssh authorization-type default aaa
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
#
ssh server dh-exchange min-len 1024
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
#
user-interface con 0
#
vm-manager
#
CE2 configuration:
sysname spine
#
device board 17 board-type CE-MPUB
device board 1 board-type CE-LPUE
#
evpn-overlay enable
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
interface MEth0/0/0
 undo shutdown
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 12.1.1.2 255.255.255.0
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 23.1.1.1 255.255.255.0
#
interface GE1/0/2
 shutdown
#
interface GE1/0/3
 shutdown
#
interface GE1/0/4
 shutdown
#
interface GE1/0/5
 shutdown
#
interface GE1/0/6
 shutdown
#
interface GE1/0/7
 shutdown
#
interface GE1/0/8
 shutdown
#
interface GE1/0/9
 shutdown
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
interface NULL0
#
bgp 100
 router-id 2.2.2.2
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack0
 #
 ipv4-family unicast
  peer 1.1.1.1 enable
  peer 3.3.3.3 enable
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 reflect-client
  peer 3.3.3.3 enable
  peer 3.3.3.3 reflect-client
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 12.1.1.2 0.0.0.0
  network 23.1.1.1 0.0.0.0
#
ssh authorization-type default aaa
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
#
ssh server dh-exchange min-len 1024
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
#
user-interface con 0
#
vm-manager
#
CE3 configuration:
#
sysname leaf2
#
device board 17 board-type CE-MPUB
device board 1 board-type CE-LPUE
#
evpn-overlay enable
#
bridge-domain 20
 vxlan vni 10010
 evpn
  route-distinguisher 10:1
  vpn-target 100:10010 export-extcommunity
  vpn-target 100:10010 import-extcommunity
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
interface MEth0/0/0
 undo shutdown
#
interface GE1/0/0
 shutdown
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 23.1.1.2 255.255.255.0
#
interface GE1/0/2
 undo shutdown
#
interface GE1/0/2.20 mode l2
 encapsulation dot1q vid 20
 bridge-domain 20
#
interface GE1/0/3
 shutdown
#
interface GE1/0/4
 shutdown
#
interface GE1/0/5
 shutdown
#
interface GE1/0/6
 shutdown
#
interface GE1/0/7
 shutdown
#
interface GE1/0/8
 shutdown
#
interface GE1/0/9
 shutdown
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
interface Nve1
 source 3.3.3.3
 vni 10010 head-end peer-list protocol bgp
#
interface NULL0
#
bgp 100
 router-id 3.3.3.3
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  peer 2.2.2.2 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 2.2.2.2 enable
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 23.1.1.2 0.0.0.0
#
ssh authorization-type default aaa
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
#
ssh server dh-exchange min-len 1024
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
#
user-interface con 0
#
vm-manager
#
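Before the ping test in step 9, it pays to cross-check the settings that must agree between the two leaves (step 8). The following Python script is an added example, not part of this write-up and not CE software; CONFIGS holds the relevant stanzas copied from the CE1 and CE3 configurations above. It checks that every bridge-domain VNI has its BGP-built head-end peer list, that the leaves share the same VNIs and that each imports a route target the other exports, and it also flags the SSH cipher and DH settings present in those configurations, which are management-plane hygiene rather than VXLAN issues.

```python
"""Cross-check the VXLAN/EVPN settings of the two leaves and flag the SSH
settings before the ping test. Added example, not part of the write-up or
the CE software; CONFIGS holds stanzas copied from the CE1 and CE3 configs
above (bridge-domain ids are locally significant and may differ; the VNI and
the route targets must agree)."""
CONFIGS = {
    "CE1": """\
bridge-domain 10
 vxlan vni 10010
 evpn
  route-distinguisher 10:1
  vpn-target 100:10010 export-extcommunity
  vpn-target 100:10010 import-extcommunity
interface Nve1
 vni 10010 head-end peer-list protocol bgp
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
ssh server dh-exchange min-len 1024
""",
    "CE3": """\
bridge-domain 20
 vxlan vni 10010
 evpn
  route-distinguisher 10:1
  vpn-target 100:10010 export-extcommunity
  vpn-target 100:10010 import-extcommunity
interface Nve1
 vni 10010 head-end peer-list protocol bgp
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
ssh server dh-exchange min-len 1024
""",
}
WEAK_SSH_CIPHERS = {"3des_cbc", "aes128_cbc", "aes192_cbc", "aes256_cbc"}   # 3DES and CBC modes

def parse_config(text):
    """Pull the checked fields out of VRP-style config text (1-space indent = sub-command)."""
    cfg = {"bd_vni": {}, "export_rt": set(), "import_rt": set(),
           "nve_bgp_vnis": set(), "ssh_ciphers": [], "dh_min_len": None}
    section = ""
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "#":
            continue
        if not raw.startswith(" "):
            section = raw.strip()          # top-level stanza this line belongs to
        if section.startswith("bridge-domain") and parts[:2] == ["vxlan", "vni"]:
            cfg["bd_vni"][section.split()[1]] = int(parts[2])
        elif parts[0] == "vpn-target":
            cfg["export_rt" if parts[2].startswith("export") else "import_rt"].add(parts[1])
        elif section == "interface Nve1" and parts[0] == "vni" and "bgp" in parts:
            cfg["nve_bgp_vnis"].add(int(parts[1]))
        elif parts[:3] == ["ssh", "server", "cipher"]:
            cfg["ssh_ciphers"] = parts[3:]
        elif parts[:4] == ["ssh", "server", "dh-exchange", "min-len"]:
            cfg["dh_min_len"] = int(parts[4])
    return cfg

def check_leaf(name, cfg):
    """Every VNI bound to a bridge domain needs its BGP-built head-end peer list (step 6)."""
    return [f"{name}: VNI {vni} (bridge-domain {bd}) has no BGP head-end peer list on Nve1"
            for bd, vni in cfg["bd_vni"].items() if vni not in cfg["nve_bgp_vnis"]]

def check_pair(a_name, a, b_name, b):
    """Leaves must share VNIs, and each must import a target the other exports."""
    issues = []
    if set(a["bd_vni"].values()) != set(b["bd_vni"].values()):
        issues.append(f"VNI sets differ: {a_name}={sorted(a['bd_vni'].values())} "
                      f"{b_name}={sorted(b['bd_vni'].values())}")
    for x_name, x, y_name, y in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        if not x["import_rt"] & y["export_rt"]:
            issues.append(f"{x_name} imports none of the route targets {y_name} exports")
    return issues

def check_ssh(name, cfg):
    """Management-plane hygiene: 3DES/CBC ciphers and DH groups below 2048 bits."""
    warnings = []
    weak = [c for c in cfg["ssh_ciphers"] if c in WEAK_SSH_CIPHERS]
    if weak:
        warnings.append(f"{name}: weak SSH server ciphers enabled: {' '.join(weak)}")
    if cfg["dh_min_len"] is not None and cfg["dh_min_len"] < 2048:
        warnings.append(f"{name}: SSH DH group exchange allows {cfg['dh_min_len']}-bit groups")
    return warnings

def audit(configs):
    """Returns (issues that break VXLAN forwarding, management-plane warnings)."""
    parsed = {n: parse_config(t) for n, t in configs.items()}
    issues, warnings = [], []
    for n, c in parsed.items():
        issues += check_leaf(n, c)
        warnings += check_ssh(n, c)
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            issues += check_pair(a, parsed[a], b, parsed[b])
    return issues, warnings
```

On the configurations as shown, `audit(CONFIGS)` returns no VXLAN issues and four SSH warnings (the CBC/3DES ciphers and the 1024-bit DH minimum on each leaf); change one leaf's `vxlan vni` or export `vpn-target` and the corresponding mismatch is reported. Paste the full `display current-configuration` output into CONFIGS to run it on a real device, since the parser ignores stanzas it does not know.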
VI. BGP EVPN packet capture
The Type 3 routes are advertised in BGP UPDATE messages.
Note: different scenarios use the EVPN fields differently, so there is no need to dwell on them too much.
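As an added example (not from the original write-up), the following Python code decodes the fields of a Type 3 (Inclusive Multicast Ethernet Tag) route that matter for head-end replication and rebuilds the peer list that `vni 10010 head-end peer-list protocol bgp` derives from BGP. The byte strings are constructed from the values in the configurations above (RD 10:1, RT 100:10010, VNI 10010, VTEPs 1.1.1.1 and 3.3.3.3); 4.4.4.4 stands for the hypothetical CE4 mentioned in section IV, and the decoder assumes, following RFC 8365, that the PMSI Tunnel attribute's label field carries the VNI directly.

```python
"""Decode the parts of a BGP EVPN Type 3 (Inclusive Multicast Ethernet Tag)
update that matter for VXLAN head-end replication, then rebuild a leaf's
peer list from a set of such updates. Added example, not the page's own
code; the byte strings are constructed from the values in the configs
above (RD 10:1, RT 100:10010, VNI 10010, VTEPs 1.1.1.1 and 3.3.3.3)."""
import socket
import struct

EVPN_ROUTE_TYPE_IMET = 3        # RFC 7432 section 7.3
PMSI_TUNNEL_INGRESS_REPL = 6    # RFC 6514 tunnel type "Ingress Replication"
EXTCOMM_RT_2BYTE_AS = (0x00, 0x02)

def decode_rd(b):
    """Type 0 RD: type(2) ASN(2) assigned(4) -> 'ASN:assigned' as the CE prints it."""
    rd_type, admin, assigned = struct.unpack("!HHI", b)
    if rd_type != 0:
        raise ValueError(f"unsupported RD type {rd_type}")
    return f"{admin}:{assigned}"

def decode_type3_nlri(buf):
    """NLRI: route type(1) length(1) RD(8) EthTag(4) IPlen(1) originator IP(4|16)."""
    route_type, length = buf[0], buf[1]
    if route_type != EVPN_ROUTE_TYPE_IMET:
        raise ValueError(f"not a Type 3 route (type {route_type})")
    body = buf[2:2 + length]
    if body[12] != 32:
        raise ValueError("only IPv4 originator addresses handled here")
    return {"rd": decode_rd(body[:8]), "eth_tag": struct.unpack("!I", body[8:12])[0],
            "orig_ip": socket.inet_ntoa(body[13:17])}

def decode_pmsi_tunnel(buf):
    """PMSI Tunnel attribute value: flags(1) type(1) label(3) tunnel id(var).
    Assumption (RFC 8365): for EVPN over VXLAN the 3-byte label field holds the
    24-bit VNI; some captures show it shifted like an MPLS label, so verify."""
    tunnel_type = buf[1]
    if tunnel_type != PMSI_TUNNEL_INGRESS_REPL:
        raise ValueError(f"unexpected PMSI tunnel type {tunnel_type}")
    return {"tunnel_type": "ingress-replication", "vni": int.from_bytes(buf[2:5], "big"),
            "endpoint": socket.inet_ntoa(buf[5:9])}   # tunnel id = remote VTEP address

def decode_route_targets(buf):
    """Extended Communities: 8-byte entries; return 2-byte-AS route targets as 'AS:num'."""
    rts = []
    for off in range(0, len(buf), 8):
        t, sub, asn, num = struct.unpack("!BBHI", buf[off:off + 8])
        if (t, sub) == EXTCOMM_RT_2BYTE_AS:
            rts.append(f"{asn}:{num}")
    return rts

def head_end_peer_list(updates, local_vtep, local_vni, import_rts):
    """What 'vni X head-end peer-list protocol bgp' builds: one entry per remote
    VTEP that advertised a Type 3 route for this VNI with a route target we import."""
    peers = set()
    for nlri, pmsi, extcomm in updates:
        if not set(decode_route_targets(extcomm)) & set(import_rts):
            continue                      # dropped by the leaf's 'policy vpn-target'
        route = decode_type3_nlri(nlri)
        tunnel = decode_pmsi_tunnel(pmsi)
        if tunnel["vni"] != local_vni or route["orig_ip"] == local_vtep:
            continue                      # other VNI, or our own route reflected back
        peers.add(tunnel["endpoint"])
    return sorted(peers)

def make_type3_update(rd_asn, rd_num, vtep_ip, vni, rt_asn, rt_num):
    """Constructed (nlri, pmsi, extcomm) triple for one Type 3 route."""
    nlri = (bytes([EVPN_ROUTE_TYPE_IMET, 17]) + struct.pack("!HHI", 0, rd_asn, rd_num)
            + struct.pack("!I", 0) + bytes([32]) + socket.inet_aton(vtep_ip))
    pmsi = bytes([0, PMSI_TUNNEL_INGRESS_REPL]) + vni.to_bytes(3, "big") + socket.inet_aton(vtep_ip)
    extcomm = struct.pack("!BBHI", *EXTCOMM_RT_2BYTE_AS, rt_asn, rt_num)
    return nlri, pmsi, extcomm

# Constructed: what CE1 (1.1.1.1) receives from the route reflector CE2
UPDATES = [
    make_type3_update(10, 1, "1.1.1.1", 10010, 100, 10010),   # CE1's own route, reflected back
    make_type3_update(10, 1, "3.3.3.3", 10010, 100, 10010),   # CE3
    make_type3_update(10, 1, "4.4.4.4", 10010, 100, 10020),   # hypothetical CE4 with a non-matching RT
]

if __name__ == "__main__":
    print(decode_type3_nlri(UPDATES[1][0]), decode_pmsi_tunnel(UPDATES[1][1]))
    print("CE1 head-end peers for VNI 10010:", head_end_peer_list(UPDATES, "1.1.1.1", 10010, ["100:10010"]))
```

The route-target filter is where the leaves and the route reflector differ: CE1 and CE3 keep `policy vpn-target`, so a route whose RT they do not import never reaches the peer list, while CE2 uses `undo policy vpn-target` because a reflector has to reflect routes for every RT. To decode a real capture, pass the NLRI bytes from the MP_REACH_NLRI attribute, the PMSI Tunnel attribute value (type code 22) and the Extended Communities attribute value of one UPDATE.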