Hello habr. A halin yanzu ni ne jagoran kwas na "Network Engineer" a OTUS.
A cikin tsammanin fara sabon rajista don kwas , Na shirya jerin labarai akan fasahar VxLAN EVPN.
Akwai adadi mai yawa akan yadda VxLAN EVPN ke aiki, don haka ina so in tattara ayyuka da ayyuka daban-daban don magance matsaloli a cibiyar bayanan zamani.
A cikin ɓangaren farko na jerin akan fasahar VxLAN EVPN, Ina so in duba hanyar da za a tsara haɗin L2 tsakanin runduna a saman masana'anta na cibiyar sadarwa.
Duk misalan za a yi su akan Cisco Nexus 9000v, wanda aka taru a cikin Topology na Spine-Leaf. Ba za mu tsaya kan kafa cibiyar sadarwar Underlay ba a cikin wannan labarin.
- cibiyar sadarwa karkashin kasa
- BGP peering don adireshin-iyali l2vpn evpn
- Saitin NVE
- Suppress-arp
cibiyar sadarwa karkashin kasa
Ana amfani da topology kamar haka:
Bari mu saita adireshin akan duk na'urori:
Spine-1 - 10.255.1.101
Spine-2 - 10.255.1.102
Leaf-11 - 10.255.1.11
Leaf-12 - 10.255.1.12
Leaf-21 - 10.255.1.21
Host-1 - 192.168.10.10
Host-2 - 192.168.10.20Bari mu duba cewa akwai haɗin IP tsakanin duk na'urori:
Leaf21# sh ip route
<........>
10.255.1.11/32, ubest/mbest: 2/0 ! Leaf-11 доступен чеерз два Spine
*via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
*via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 2/0 ! Leaf-12 доступен чеерз два Spine
*via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
*via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.21/32, ubest/mbest: 2/0, attached
*via 10.255.1.22, Lo0, [0/0], 00:02:20, local
*via 10.255.1.22, Lo0, [0/0], 00:02:20, direct
10.255.1.101/32, ubest/mbest: 1/0
*via 10.255.1.101, Eth1/4, [110/41], 00:00:06, ospf-UNDERLAY, intra
10.255.1.102/32, ubest/mbest: 1/0
*via 10.255.1.102, Eth1/3, [110/41], 00:00:03, ospf-UNDERLAY, intraBari mu bincika cewa an ƙirƙiri yankin VPC kuma duka masu sauyawa biyu sun wuce rajistan daidaito kuma saitunan a kan nodes biyu iri ɗaya ne:
Leaf11# show vpc
vPC domain id : 1
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 0
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
Delay-restore status : Timer is off.(timeout = 30s)
Delay-restore SVI status : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router : Disabled
vPC status
----------------------------------------------------------------------------
Id Port Status Consistency Reason Active vlans
-- ------------ ------ ----------- ------ ---------------
5 Po5 up success success 1Farashin BGP
A ƙarshe, za mu iya ci gaba zuwa daidaita hanyar sadarwar Overlay.
A matsayin wani ɓangare na labarin, wajibi ne a tsara hanyar sadarwa tsakanin runduna, kamar yadda aka nuna a cikin zanen da ke ƙasa:
Don saita hanyar sadarwa mai rufewa, kuna buƙatar kunna BGP akan Canjin Spine da Leaf tare da goyan bayan dangin l2vpn evpn:
feature bgp
nv overlay evpnNa gaba, kuna buƙatar saita peering BGP tsakanin Leaf da Spine. Don sauƙaƙe saitin da haɓaka rarraba bayanan kwatance, muna saita Spine azaman uwar garken Route-Reflector. Za mu rubuta duk Leaf a cikin saitin ta hanyar samfuri don inganta saitin.
Don haka saitin kan Spine yayi kama da haka:
router bgp 65001
template peer LEAF
remote-as 65001
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
route-reflector-client
neighbor 10.255.1.11
inherit peer LEAF
neighbor 10.255.1.12
inherit peer LEAF
neighbor 10.255.1.21
inherit peer LEAFSaitin akan Canjin Leaf yayi kama da haka:
router bgp 65001
template peer SPINE
remote-as 65001
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
neighbor 10.255.1.101
inherit peer SPINE
neighbor 10.255.1.102
inherit peer SPINEA kan Spine, bari mu bincika peering tare da duk Canjin Leaf:
Spine1# sh bgp l2vpn evpn summary
<.....>
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.255.1.11 4 65001 7 8 6 0 0 00:01:45 0
10.255.1.12 4 65001 7 7 6 0 0 00:01:16 0
10.255.1.21 4 65001 7 7 6 0 0 00:01:01 0Kamar yadda kuke gani, babu matsaloli tare da BGP. Bari mu ci gaba don saita VxLAN. Za a yi ƙarin daidaitawa ne kawai a gefen maɓallan Leaf. Spine yana aiki ne kawai azaman tushen cibiyar sadarwa kuma yana shiga cikin watsa zirga-zirga kawai. Duk aiki akan encapsulation da ma'anar hanya yana faruwa ne kawai akan maɓallan leaf.
Saitin NVE
NVE - cibiyar sadarwa kama-da-wane
Kafin fara saitin, bari mu gabatar da wasu kalmomi:
VTEP - Vitual Tunnel End Point, na'urar da ramin VxLAN ke farawa ko ƙare. VTEP ba dole ba ne kowace na'ura ta hanyar sadarwa ba. Sabar da ke goyan bayan fasahar VxLAN kuma na iya aiki. A cikin ilimin kimiyyar mu, duk masu canza Leaf sune VTEPs.
VNI - Virtual Network Index - mai gano hanyar sadarwa tsakanin VxLAN. Kuna iya zana kwatance tare da VLAN. Duk da haka, akwai wasu bambance-bambance. Lokacin amfani da masana'anta, VLANs sun zama na musamman kawai a cikin canjin ganye guda ɗaya kuma ba a yaɗa su a cikin hanyar sadarwa. Amma kowane VLAN yana iya samun lambar VNI mai alaƙa da ita, wanda aka rigaya yaɗa shi ta hanyar sadarwar. Abin da yake kama da kuma yadda za a iya amfani da shi za a tattauna a kasa.
Bari mu ba da damar fasalin don fasahar VxLAN ta yi aiki da ikon haɗa lambobin VLAN tare da lambar VNI:
feature nv overlay
feature vn-segment-vlan-basedBari mu saita ƙirar NVE, wanda ke da alhakin aikin VxLAN. Wannan keɓancewa yana da alhakin ɗaukar hotuna a cikin masu kai VxLAN. Kuna iya zana misalin tare da Tunnel interface don GRE:
interface nve1
no shutdown
host-reachability protocol bgp ! используем BGP для передачи маршрутной информации
source-interface loopback0 ! интерфейс с которого отправляем пакеты loopback0A kan Leaf-21 canzawa, an halicce duk abin da ba tare da matsala ba. Koyaya, idan muka duba fitar da umarnin show nve peers, to zai zama fanko. Anan kuna buƙatar komawa zuwa saitin VPC. Mun ga cewa Leaf-11 da Leaf-12 an haɗa su kuma an haɗa su ta hanyar yankin VPC. Wannan yana haifar da yanayi mai zuwa:
Mai watsa shiri-2 yana aika firam ɗaya zuwa Leaf-21 don ya watsa shi akan hanyar sadarwa zuwa Mai watsa shiri-1. Koyaya, Leaf-21 yana ganin cewa adireshin MAC na Mai watsa shiri-1 yana samun damar ta hanyar VTEP guda biyu a lokaci ɗaya. Menene Leaf-21 ya kamata yayi a wannan yanayin? Bayan haka, wannan yana nufin cewa madauki zai iya bayyana a cikin hanyar sadarwa.
Don magance wannan yanayin, muna buƙatar Leaf-11 da Leaf-12 don yin aiki azaman na'ura ɗaya a cikin masana'anta. Ana warware shi a sauƙaƙe. A kan Maɓallin Loopback wanda muke gina rami, ƙara adireshin na biyu. Adireshin sakandare dole ne ya zama iri ɗaya akan duka VTEPs.
interface loopback0
ip add 10.255.1.10/32 secondaryDon haka, daga ra'ayi na sauran VTEPs, muna samun topology mai zuwa:
Wato, yanzu za a gina rami tsakanin adireshin IP na Leaf-21 da IP mai kama da juna tsakanin Leaf-11 guda biyu da Leaf-12. Yanzu ba za a sami matsala koyan adireshin MAC daga na'urori biyu ba kuma zirga-zirga na iya motsawa daga wannan VTEP zuwa wani. Wanne daga cikin VTEPs guda biyu zai aiwatar da zirga-zirgar zirga-zirgar an yanke shawarar ta amfani da tebur mai tuƙi akan Spine:
Spine1# sh ip route
<.....>
10.255.1.10/32, ubest/mbest: 2/0
*via 10.255.1.11, Eth1/1, [110/41], 1d01h, ospf-UNDERLAY, intra
*via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra
10.255.1.11/32, ubest/mbest: 1/0
*via 10.255.1.11, Eth1/1, [110/41], 1d22h, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 1/0
*via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intraKamar yadda kake gani a sama, adireshin 10.255.1.10 yana samuwa nan da nan ta hanyar biyu Next-hops.
A wannan mataki, mun magance ainihin haɗin kai. Bari mu ci gaba don saita ƙirar NVE:
Nan da nan za mu kunna Vlan 10 kuma mu haɗa shi da VNI 10000 akan kowane Leaf don runduna. Saita rami L2 tsakanin runduna
vlan 10 ! Включаем VLAN на всех VTEP подключенных к необходимым хостам
vn-segment 10000 ! Ассоциируем VLAN с номер VNI
interface nve1
member vni 10000 ! Добавляем VNI 10000 для работы через интерфейс NVE. для инкапсуляции в VxLAN
ingress-replication protocol bgp ! указываем, что для распространения информации о хосте используем BGPYanzu bari mu bincika nve takwarorina da tebur don BGP EVPN:
Leaf21# sh nve peers
Interface Peer-IP State LearnType Uptime Router-Mac
--------- --------------- ----- --------- -------- -----------------
nve1 10.255.1.10 Up CP 00:00:41 n/a ! Видим что peer доступен с secondary адреса
Leaf11# sh bgp l2vpn evpn
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10.255.1.11:32777 (L2VNI 10000) ! От кого именно пришел этот l2VNI
*>l[3]:[0]:[32]:[10.255.1.10]/88 ! EVPN route-type 3 - показывает нашего соседа, который так же знает об l2VNI10000
10.255.1.10 100 32768 i
*>i[3]:[0]:[32]:[10.255.1.20]/88
10.255.1.20 100 0 i
* i 10.255.1.20 100 0 i
Route Distinguisher: 10.255.1.21:32777
* i[3]:[0]:[32]:[10.255.1.20]/88
10.255.1.20 100 0 i
*>i 10.255.1.20 100 0 iA sama muna ganin hanyoyin EVPN kawai-nau'in 3. Wannan nau'in hanyar yana magana game da peer (Leaf), amma ina masu masaukin mu suke?
Abun shine cewa ana watsa bayanai game da rundunonin MAC ta hanyar hanyar EVPN-nau'in 2
Domin ganin rundunoninmu, kuna buƙatar saita hanyar EVPN-nau'in 2:
evpn
vni 10000 l2
route-target import auto ! в рамках данной статьи используем автоматический номер для route-target
route-target export autoBari mu yi amfani da Mai watsa shiri-2 zuwa Mai watsa shiri-1:
Firewall2# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
36 bytes from 192.168.10.2: Destination Host Unreachable
Request 0 timed out
64 bytes from 192.168.10.1: icmp_seq=1 ttl=254 time=215.555 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=254 time=38.756 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=254 time=42.484 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=254 time=40.983 msKuma a ƙasa za mu iya ganin cewa nau'in hanya-2 tare da adireshin MAC mai watsa shiri ya bayyana a cikin tebur BGP - 5001.0007.0007 da 5001.0008.0007
Leaf11# sh bgp l2vpn evpn
<......>
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10.255.1.11:32777 (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216 ! evpn route-type 2 и mac адрес хоста 1
10.255.1.10 100 32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216 ! evpn route-type 2 и mac адрес хоста 2
* i 10.255.1.20 100 0 i
*>l[3]:[0]:[32]:[10.255.1.10]/88
10.255.1.10 100 32768 i
Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
10.255.1.20 100 0 i
*>i 10.255.1.20 100 0 iNa gaba, zaku iya ganin cikakken bayani akan Sabuntawa, wanda kuka karɓi bayanai game da Mai watsa shiri na MAC. A ƙasa ba duk fitarwar umarni bane.
Leaf21# sh bgp l2vpn evpn 5001.0007.0007
BGP routing table information for VRF default, address family L2VPN EVPN
Route Distinguisher: 10.255.1.11:32777 ! отправил Update с MAC Host. Не виртуальный адрес VPC, а адрес Leaf
BGP routing table entry for [2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216,
version 1507
Paths: (2 available, best #2)
Flags: (0x000202) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not i
n HW
Path type: internal, path is valid, not best reason: Neighbor Address, no labe
led nexthop
AS-Path: NONE, path sourced internal to AS
10.255.1.10 (metric 81) from 10.255.1.102 (10.255.1.102) ! с кем именно строим VxLAN тоннель
Origin IGP, MED not set, localpref 100, weight 0
Received label 10000 ! Номер VNI, который ассоциирован с VLAN, в котором находится Host
Extcommunity: RT:65001:10000 SOO:10.255.1.10:0 ENCAP:8 ! Тут видно, что RT сформировался автоматически на основе номеров AS и VNI
Originator: 10.255.1.11 Cluster list: 10.255.1.102
<........>Bari mu ga yadda firam ɗin ke kama da lokacin da aka ratsa su cikin masana'anta:
Ƙaddamarwa-ARP
Mai girma, yanzu muna da sadarwar L2 tsakanin runduna kuma zamu iya gamawa a can. Duk da haka, ba duka ba ne mai sauƙi. Muddin muna da 'yan kaɗan ba za a sami matsala ba. Amma bari mu yi tunanin yanayin da muke da ɗaruruwa da dubban runduna. Wace matsala za mu iya fuskanta?
Wannan matsalar ita ce zirga-zirgar BUM(Broadcast, Unknown Unicast, Multicast). A cikin tsarin wannan labarin, za mu yi la'akari da zaɓi na magance zirga-zirgar watsa shirye-shirye.
Babban janareta na Watsa shirye-shiryen a cikin hanyoyin sadarwar Ethernet shine runduna da kansu ta hanyar ka'idar ARP.
Nexus yana aiwatar da tsarin da ke gaba don magance buƙatun ARP - suppress-arp.
Wannan fasalin yana aiki kamar haka:
- Mai watsa shiri-1 yana aika buƙatar APR zuwa adireshin Watsa shirye-shiryen cibiyar sadarwar sa.
- Buƙatar ta kai ga Canjin Leaf kuma maimakon wuce wannan buƙatar ta gaba zuwa masana'anta zuwa Mai watsa shiri-2, Leaf yana amsa kanta kuma yana nuna IP da MAC da ake buƙata.
Don haka, buƙatar Watsa shirye-shiryen ba ta je masana'anta ba. Amma ta yaya wannan zai iya aiki idan Leaf kawai ya san adireshin MAC?
Komai abu ne mai sauƙi, nau'in hanyar EVPN-nau'in 2, ban da adireshin MAC, na iya watsa haɗin MAC/IP. Don yin wannan, kuna buƙatar saita adireshin IP a cikin VLAN akan Leaf. Tambayar ta taso, menene IP zan saita? A kan nexus yana yiwuwa a ƙirƙiri adireshi da aka rarraba (daya) akan duk masu sauyawa:
feature interface-vlan
fabric forwarding anycast-gateway-mac 0001.0001.0001 ! задаем virtual mac для создания распределенного шлюза между всеми коммутаторами
interface Vlan10
no shutdown
ip address 192.168.10.254/24 ! на всех Leaf задаем одинаковый IP
fabric forwarding mode anycast-gateway ! говорим использовать Virtual macDon haka, daga mahangar runduna, hanyar sadarwar za ta kasance kamar haka:
Duba BGP l2routeevpn
Leaf11# sh bgp l2vpn evpn
<......>
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10.255.1.11:32777 (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216
10.255.1.21 100 32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
10.255.1.10 100 0 i
* i 10.255.1.10 100 0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
10.255.1.10 100 0 i
*>i 10.255.1.10 100 0 i
<......>
Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
10.255.1.20 100 0 i
*>i 10.255.1.20 100 0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
*>i 10.255.1.20 100 0 i
<......>Daga fitowar umarni zaku iya ganin cewa a cikin nau'in hanyar EVPN-nau'in 2, ban da MAC, yanzu muna kuma ga adireshin IP ɗin mai watsa shiri.
Bari mu koma zuwa saitin suppress-arp. An kunna wannan saitin don kowane VNI daban:
interface nve1
member vni 10000
suppress-arpSa'an nan wasu rikitarwa sun taso:
- Don wannan fasalin yayi aiki, ana buƙatar sarari a cikin ƙwaƙwalwar TCAM. Ga misalin saituna don suppress-arp:
hardware access-list tcam region arp-ether 256Wannan saitin zai buƙaci fa'ida biyu. Wato idan kun saita 256, to kuna buƙatar 'yantar da 512 a cikin TCAM. Kafa TCAM ya wuce iyakar wannan labarin, tunda kafa TCAM ya dogara ne kawai akan aikin da aka ba ku kuma yana iya bambanta daga wannan hanyar sadarwa zuwa waccan.
- Dole ne a aiwatar da aiwatar da suppress-arp akan duk maɓallan Leaf. Koyaya, rikitarwa na iya tasowa lokacin daidaitawa akan nau'ikan Leaf waɗanda ke zaune a cikin yankin VPC. Idan an canza TCAM, daidaito tsakanin nau'i-nau'i zai karye kuma za'a iya cire kumburi ɗaya daga aiki. Bugu da ƙari, ana iya buƙatar sake kunna na'urar don amfani da saitin canjin TCAM.
A sakamakon haka, kuna buƙatar yin la'akari da hankali ko, a cikin halin ku, yana da daraja aiwatar da wannan saitin a cikin masana'anta mai gudana.
Wannan ya ƙare ɓangaren farko na jerin. A kashi na gaba za mu kalli yadda za a bi ta hanyar masana'anta ta VxLAN tare da rabuwar hanyoyin sadarwa zuwa VRF daban-daban.
Kuma yanzu ina gayyatar kowa da kowa zuwa , a cikin abin da zan gaya muku dalla-dalla game da kwas. Mahalarta 20 na farko don yin rajista don wannan gidan yanar gizon za su sami Takaddun Rangwame ta imel a cikin kwanaki 1-2 bayan watsa shirye-shiryen.
source: www.habr.com