VxLAN Fabric. Part 1

Hello, Habr. I am the lead instructor of the Network Engineer course at OTUS.
In anticipation of the start of a new enrollment for the "Network Engineer" course, I have prepared a series of articles on VxLAN EVPN technology.

There is a huge amount of material on how VxLAN EVPN works, so I would like to collect various tasks and techniques for solving problems in a modern data center.


In the first part of the series on VxLAN EVPN technology, I want to look at a way to organize L2 connectivity between hosts over a network fabric.

All examples will be carried out on Cisco Nexus 9000v, assembled in a Spine-Leaf topology. We will not dwell on setting up the Underlay network in this article.

  1. Underlay network
  2. BGP peering for the l2vpn evpn address family
  3. Setting up the NVE
  4. Suppress-arp

Underlay network

The following topology is used:

[Figure: Spine-Leaf topology used in the article]

Let's define the addressing on all devices:

Spine-1 - 10.255.1.101
Spine-2 - 10.255.1.102

Leaf-11 - 10.255.1.11
Leaf-12 - 10.255.1.12
Leaf-21 - 10.255.1.21

Host-1 - 192.168.10.10
Host-2 - 192.168.10.20

Let's check that there is IP connectivity between all devices:

Leaf21# sh ip route
<........>
10.255.1.11/32, ubest/mbest: 2/0                      ! Leaf-11 is reachable via two Spines
    *via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
    *via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 2/0                      ! Leaf-12 is reachable via two Spines
    *via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
    *via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.21/32, ubest/mbest: 2/0, attached
    *via 10.255.1.22, Lo0, [0/0], 00:02:20, local
    *via 10.255.1.22, Lo0, [0/0], 00:02:20, direct
10.255.1.101/32, ubest/mbest: 1/0
    *via 10.255.1.101, Eth1/4, [110/41], 00:00:06, ospf-UNDERLAY, intra
10.255.1.102/32, ubest/mbest: 1/0
    *via 10.255.1.102, Eth1/3, [110/41], 00:00:03, ospf-UNDERLAY, intra

Let's check that the vPC domain is up, that both switches have passed the consistency check, and that the settings on both nodes are identical:

Leaf11# show vpc 

vPC domain id                     : 1
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : primary
Number of vPCs configured         : 0
Peer Gateway                      : Disabled
Dual-active excluded VLANs        : -
Graceful Consistency Check        : Enabled
Auto-recovery status              : Disabled
Delay-restore status              : Timer is off.(timeout = 30s)
Delay-restore SVI status          : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router    : Disabled

vPC status
----------------------------------------------------------------------------
Id    Port          Status Consistency Reason                Active vlans
--    ------------  ------ ----------- ------                ---------------
5     Po5           up     success     success               1

BGP peering

Finally, we can move on to building the overlay network.

Within this article, we need to set up a network between the hosts as shown in the diagram below:

[Figure: target L2 network between Host-1 and Host-2 over the fabric]

To build the overlay network, you need to enable BGP on the Spine and Leaf switches with support for the l2vpn evpn address family:

feature bgp
nv overlay evpn

Next, you need to configure BGP peering between the Leafs and the Spines. To simplify the setup and optimize the distribution of routing information, we configure the Spines as Route-Reflector servers. We will define all Leafs in the configuration through templates to keep the settings compact.

So the configuration on the Spines looks like this:

router bgp 65001
  template peer LEAF 
    remote-as 65001
    update-source loopback0
    address-family l2vpn evpn
      send-community
      send-community extended
      route-reflector-client
  neighbor 10.255.1.11
    inherit peer LEAF
  neighbor 10.255.1.12
    inherit peer LEAF
  neighbor 10.255.1.21
    inherit peer LEAF

The configuration on the Leaf switches looks similar:

router bgp 65001
  template peer SPINE
    remote-as 65001
    update-source loopback0
    address-family l2vpn evpn
      send-community
      send-community extended
  neighbor 10.255.1.101
    inherit peer SPINE
  neighbor 10.255.1.102
    inherit peer SPINE

On the Spine, let's check peering with all the Leaf switches:

Spine1# sh bgp l2vpn evpn summary
<.....>
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.255.1.11     4 65001       7       8        6    0    0 00:01:45 0
10.255.1.12     4 65001       7       7        6    0    0 00:01:16 0
10.255.1.21     4 65001       7       7        6    0    0 00:01:01 0

As you can see, there are no problems with BGP. Let's move on to configuring VxLAN. All further configuration is performed only on the Leaf switches. The Spines act only as the core of the network and are only involved in transporting traffic. All encapsulation and forwarding decisions happen only on the Leaf switches.

Setting up the NVE

NVE - Network Virtual Interface

Before starting the setup, let's introduce some terminology:

VTEP - Virtual Tunnel End Point, the device on which a VxLAN tunnel begins or ends. A VTEP is not necessarily a network device. A server that supports VxLAN technology can also act as a VTEP. In our topology, all Leaf switches are VTEPs.

VNI - Virtual Network Index - a network identifier within VxLAN. It can be thought of as analogous to a VLAN. However, there are some differences. When using a fabric, a VLAN becomes unique only within one Leaf switch and is not carried across the network. But each VLAN can have a VNI number associated with it, and the VNI is what is carried across the network. What this looks like and how it can be used will be discussed further.

Let's enable the VxLAN feature and the ability to associate a VLAN number with a VNI number:

feature nv overlay
feature vn-segment-vlan-based

Let's configure the NVE interface, which is responsible for VxLAN operation. This interface encapsulates frames into VxLAN headers. You can draw an analogy with a Tunnel interface for GRE:

interface nve1
  no shutdown
  host-reachability protocol bgp ! use BGP to distribute host reachability information
  source-interface loopback0    ! the interface whose address is the source of our packets: loopback0

On the Leaf-21 switch everything comes up without problems. However, if we check the output of the show nve peers command, it will be empty. Here we need to return to the vPC configuration. We see that Leaf-11 and Leaf-12 operate as a pair joined by a vPC domain. This gives us the following situation:

Host-2 sends a single frame to Leaf-21 so that it forwards it across the network toward Host-1. However, Leaf-21 sees that the MAC address of Host-1 is reachable through two VTEPs at once. What should Leaf-21 do in this case? After all, this means a loop could appear in the network.

To resolve this situation, we need Leaf-11 and Leaf-12 to act as a single device within the fabric. The solution is quite simple. On the Loopback interface from which we build the tunnel, add a secondary address. The secondary address must be identical on both VTEPs.

interface loopback0
 ip add 10.255.1.10/32 secondary

Thus, from the point of view of the other VTEPs, we get the following topology:

[Figure: topology as seen from the other VTEPs, Leaf-11 and Leaf-12 appearing as one VTEP behind the shared secondary address]

That is, the tunnel will now be built between the IP address of Leaf-21 and the virtual IP shared by Leaf-11 and Leaf-12. Now there will be no problem with learning the MAC address from two devices, and traffic can go from one VTEP to the other. Which of the two VTEPs handles the traffic is decided by the routing table on the Spine:

Spine1# sh ip route
<.....>
10.255.1.10/32, ubest/mbest: 2/0
    *via 10.255.1.11, Eth1/1, [110/41], 1d01h, ospf-UNDERLAY, intra
    *via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra
10.255.1.11/32, ubest/mbest: 1/0
    *via 10.255.1.11, Eth1/1, [110/41], 1d22h, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 1/0
    *via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra

As you can see above, the address 10.255.1.10 is reachable via two next-hops at once.

At this point, we are done with the underlay connectivity. Let's move on to setting up the NVE interface:
Let's immediately create Vlan 10 and associate it with VNI 10000 on every Leaf facing the hosts, and establish an L2 tunnel between the hosts.

vlan 10                 ! Enable the VLAN on all VTEPs connected to the required hosts
  vn-segment 10000      ! Associate the VLAN with the VNI number

interface nve1
  member vni 10000      ! Add VNI 10000 to the NVE interface for encapsulation in VxLAN
    ingress-replication protocol bgp    ! specify that BGP is used to distribute host information

Now let's check the nve peers and the BGP EVPN table:

Leaf21# sh nve peers
Interface Peer-IP          State LearnType Uptime   Router-Mac
--------- ---------------  ----- --------- -------- -----------------
nve1      10.255.1.10      Up    CP        00:00:41 n/a                 ! We see that the peer is reachable via the secondary address

Leaf11# sh bgp l2vpn evpn

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)        ! Who exactly this L2VNI came from
*>l[3]:[0]:[32]:[10.255.1.10]/88                                   ! EVPN route-type 3 - shows our neighbor, which also knows about L2VNI 10000
                      10.255.1.10                       100      32768 i
*>i[3]:[0]:[32]:[10.255.1.20]/88
                      10.255.1.20                       100          0 i
* i                   10.255.1.20                       100          0 i

Route Distinguisher: 10.255.1.21:32777
* i[3]:[0]:[32]:[10.255.1.20]/88
                      10.255.1.20                       100          0 i
*>i                   10.255.1.20                       100          0 i

Above we see only EVPN route-type 3 routes. This route type tells us about the peers (Leafs), but where are our hosts?
The point is that host MAC information is carried by EVPN route-type 2.

To see our hosts, you need to configure EVPN route-type 2:

evpn
  vni 10000 l2
    route-target import auto   ! within this article we use automatic route-target numbering
    route-target export auto

Let's ping Host-1 from Host-2:

Firewall2# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
36 bytes from 192.168.10.2: Destination Host Unreachable
Request 0 timed out
64 bytes from 192.168.10.1: icmp_seq=1 ttl=254 time=215.555 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=254 time=38.756 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=254 time=42.484 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=254 time=40.983 ms

And below we can see that route-type 2 entries with the hosts' MAC addresses have appeared in the BGP table - 5001.0007.0007 and 5001.0008.0007.

Leaf11# sh bgp l2vpn evpn
<......>

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216                      ! EVPN route-type 2 and the MAC address of Host-1
                      10.255.1.10                       100      32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216                      ! EVPN route-type 2 and the MAC address of Host-2
* i                   10.255.1.20                       100          0 i
*>l[3]:[0]:[32]:[10.255.1.10]/88
                      10.255.1.10                       100      32768 i
Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.20                       100          0 i
*>i                   10.255.1.20                       100          0 i

Next, you can see detailed information about the Update in which the host MAC information was received. Below is not the full output of the command.

Leaf21# sh bgp l2vpn evpn 5001.0007.0007

BGP routing table information for VRF default, address family L2VPN EVPN
Route Distinguisher: 10.255.1.11:32777        ! who sent the Update with the host MAC: the Leaf's own address, not the vPC virtual address
BGP routing table entry for [2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216,
 version 1507
Paths: (2 available, best #2)
Flags: (0x000202) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not i
n HW

  Path type: internal, path is valid, not best reason: Neighbor Address, no labe
led nexthop
  AS-Path: NONE, path sourced internal to AS
    10.255.1.10 (metric 81) from 10.255.1.102 (10.255.1.102)    ! with whom exactly we build the VxLAN tunnel
      Origin IGP, MED not set, localpref 100, weight 0
      Received label 10000         ! the VNI number associated with the VLAN the host is in
      Extcommunity: RT:65001:10000 SOO:10.255.1.10:0 ENCAP:8        ! here you can see that the RT was formed automatically from the AS and VNI numbers
      Originator: 10.255.1.11 Cluster list: 10.255.1.102
<........>

Let's see what the frame looks like as it traverses the fabric:

[Figure: frame encapsulation as it crosses the fabric]

Suppress-ARP

Well, now we have L2 connectivity between the hosts and could stop here. However, not everything is so simple. As long as we have only a few hosts, there will be no problems. But let's imagine a situation where we have hundreds or thousands of hosts. What problems might we face?

The problem is BUM (Broadcast, Unknown Unicast, Multicast) traffic. In this article we will look at one option for dealing with broadcast traffic.
The main generator of broadcast in an Ethernet network is the hosts themselves, through the ARP protocol.

To combat ARP requests, Nexus implements the following feature - suppress-arp.
The feature works as follows:

  1. Host-1 sends an ARP request to the broadcast address of its network.
  2. The request reaches the Leaf switch, and instead of forwarding it across the fabric toward Host-2, the Leaf answers it itself, supplying the requested IP and MAC.

Thus, the broadcast request does not enter the fabric. But how can this work if the Leaf knows only MAC addresses?

Everything is quite simple: EVPN route-type 2, in addition to the MAC address, can carry the MAC/IP binding. To do this, you need to configure an IP address in the VLAN on the Leaf. The question arises: which IP should be set? On Nexus, it is possible to create a distributed (single) address on all switches:

feature interface-vlan

fabric forwarding anycast-gateway-mac 0001.0001.0001    ! set the virtual MAC to create a distributed gateway across all switches

interface Vlan10
  no shutdown
  ip address 192.168.10.254/24          ! set the same IP on all Leafs
  fabric forwarding mode anycast-gateway    ! tell it to use the virtual MAC

Thus, from the hosts' point of view, the network will look like this:

[Figure: the fabric as seen by the hosts, a single distributed gateway 192.168.10.254]

Let's check the BGP l2vpn evpn table:
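The article stresses three settings that must be identical across leafs before any of this works: the secondary loopback address within a vPC pair (the anycast VTEP), the anycast-gateway MAC, and the SVI address and VNI mapping of each VLAN on every leaf. The following is an added example, not part of the article or of NX-OS: a small Python pre-change check that parses constructed NX-OS config fragments built from the article's values and reports any disagreement. Leaf-12's SVI address carries a deliberate, constructed typo so the check has something to report; the hostnames, the `VPC_PAIRS` list and the fragment layout are assumptions of this example.

```python
"""Cross-leaf consistency check for fabric-wide VxLAN EVPN settings.

Added example, not from the original article. The configs are constructed
NX-OS fragments mirroring the article's values; Leaf-12 carries a deliberate
typo in its SVI address (192.168.10.245 instead of .254).
"""
import re
from collections import defaultdict

# Constructed running-config fragments, keyed by hostname (assumed names).
CONFIGS = {
    "Leaf-11": """
interface loopback0
  ip address 10.255.1.11/32
  ip address 10.255.1.10/32 secondary
fabric forwarding anycast-gateway-mac 0001.0001.0001
vlan 10
  vn-segment 10000
interface Vlan10
  no shutdown
  ip address 192.168.10.254/24
  fabric forwarding mode anycast-gateway
""",
    "Leaf-12": """
interface loopback0
  ip address 10.255.1.12/32
  ip address 10.255.1.10/32 secondary
fabric forwarding anycast-gateway-mac 0001.0001.0001
vlan 10
  vn-segment 10000
interface Vlan10
  no shutdown
  ip address 192.168.10.245/24
  fabric forwarding mode anycast-gateway
""",
    "Leaf-21": """
interface loopback0
  ip address 10.255.1.21/32
fabric forwarding anycast-gateway-mac 0001.0001.0001
vlan 10
  vn-segment 10000
interface Vlan10
  no shutdown
  ip address 192.168.10.254/24
  fabric forwarding mode anycast-gateway
""",
}

# vPC pairs whose members must share the secondary (anycast VTEP) address.
VPC_PAIRS = [("Leaf-11", "Leaf-12")]


def parse_leaf(config: str) -> dict:
    """Extract the fabric-wide settings from one NX-OS config fragment."""
    facts = {"secondary": None, "agw_mac": None, "svi": {}, "vni": {}}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            section = line  # an unindented command opens a new section
            m = re.match(r"fabric forwarding anycast-gateway-mac (\S+)", line)
            if m:
                facts["agw_mac"] = m.group(1)
            continue
        if section == "interface loopback0":
            m = re.match(r"ip address (\S+) secondary", line)
            if m:
                facts["secondary"] = m.group(1)
        elif section.startswith("vlan "):
            m = re.match(r"vn-segment (\d+)", line)
            if m:
                facts["vni"][section.split()[1]] = int(m.group(1))
        elif section.startswith("interface Vlan"):
            m = re.match(r"ip address (\S+)$", line)
            if m:
                facts["svi"][section.split("Vlan")[1]] = m.group(1)
    return facts


def audit(configs: dict) -> list:
    """Return human-readable findings; an empty list means the leafs agree."""
    facts = {name: parse_leaf(cfg) for name, cfg in configs.items()}
    findings = []
    macs = {f["agw_mac"] for f in facts.values()}
    if len(macs) > 1:  # anycast-gateway MAC must be identical fabric-wide
        findings.append(f"anycast-gateway MAC differs across leafs: {sorted(map(str, macs))}")
    for key, label in (("svi", "SVI address"), ("vni", "VNI mapping")):
        per_vlan = defaultdict(dict)
        for name, f in facts.items():
            for vlan, value in f[key].items():
                per_vlan[vlan][name] = value
        for vlan, by_leaf in per_vlan.items():
            if len(set(by_leaf.values())) > 1:
                findings.append(f"VLAN {vlan}: {label} differs: {by_leaf}")
    for a, b in VPC_PAIRS:  # within a vPC pair the secondary address must match
        sa, sb = facts[a]["secondary"], facts[b]["secondary"]
        if sa is None or sa != sb:
            findings.append(f"vPC pair {a}/{b}: secondary loopback mismatch ({sa} vs {sb})")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIGS) or ["no inconsistencies found"]:
        print(finding)
```

Run against the constructed fragments, the check reports the Leaf-12 SVI mismatch and nothing else; the same hosts would keep exchanging ARP with the fabric's distributed gateway without any visible error, which is why a check like this is worth running before the change rather than after.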

Leaf11# sh bgp l2vpn evpn
<......>

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216
                      10.255.1.21                       100      32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.10                       100          0 i
* i                   10.255.1.10                       100          0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
                      10.255.1.10                       100          0 i
*>i                   10.255.1.10                       100          0 i

<......>

Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.20                       100          0 i
*>i                   10.255.1.20                       100          0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
*>i                   10.255.1.20                       100          0 i

<......>

From the command output you can see that the EVPN route-type 2 routes now carry, in addition to the MAC, the host's IP address.

Let's return to the suppress-arp configuration. This setting is enabled separately for each VNI:
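Two points from this article can be checked directly against the `sh bgp l2vpn evpn` output shown above: whether any host MAC is reachable behind more than one VTEP address (the ambiguity Leaf-21 faces before the shared secondary address is added), and which ARP requests a leaf with suppress-arp can answer from the EVPN MAC/IP bindings instead of flooding into the fabric. The following is an added example, not from the article or from NX-OS: a Python parser for the NX-OS output format shown on this page. The sample output is constructed from the article's values (Host-1 and Host-2 MACs and IPs, the anycast VTEP 10.255.1.10, and Leaf-21 with its own loopback 10.255.1.21 as next hop); a third MAC 5001.0009.0007 is constructed to show what the check reports when one MAC arrives from two distinct VTEP addresses. IPv4-only NLRI is assumed.

```python
"""Parse `show bgp l2vpn evpn` (NX-OS layout) and derive two checks a
leaf operator cares about: MACs behind more than one VTEP, and the
MAC/IP bindings a suppress-arp leaf can answer ARP from.

Added example, not from the original article. SAMPLE is constructed from
the article's values; the 5001.0009.0007 entries are constructed to show
the two-VTEP symptom described in the text.
"""
import re
from collections import defaultdict

SAMPLE = """\
   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)
*>i[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216
                      10.255.1.10                       100          0 i
* i                   10.255.1.10                       100          0 i
*>i[2]:[0]:[0]:[48]:[5001.0007.0007]:[32]:[192.168.10.10]/248
                      10.255.1.10                       100          0 i
*>i[3]:[0]:[32]:[10.255.1.10]/88
                      10.255.1.10                       100          0 i
Route Distinguisher: 10.255.1.21:32777    (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.21                       100      32768 i
*>l[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
                      10.255.1.21                       100      32768 i
*>l[3]:[0]:[32]:[10.255.1.21]/88
                      10.255.1.21                       100      32768 i
Route Distinguisher: 10.255.1.12:32777    (L2VNI 10000)
*>i[2]:[0]:[0]:[48]:[5001.0009.0007]:[0]:[0.0.0.0]/216
                      10.255.1.12                       100          0 i
* i                   10.255.1.11                       100          0 i
"""

RD_RE = re.compile(r"^Route Distinguisher: (\S+)")
# A path line: next-hop IP, LocPrf, Weight, then the 'i' origin code.
PATH_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+\d+\s+i\s*$")


def parse_evpn(text: str) -> list:
    """Return one record per BGP path: type, MAC/IP or VTEP, RD, next hop, best flag."""
    routes, rd, current, best = [], None, None, False
    for line in text.splitlines():
        m = RD_RE.match(line)
        if m:
            rd = m.group(1)
            continue
        fields = re.findall(r"\[([^\]]*)\]", line)
        if fields and fields[0] in ("2", "3") and "/" in line:
            # NLRI line: [2]:[ESI]:[EthTag]:[MACLen]:[MAC]:[IPLen]:[IP] or [3]:[EthTag]:[IPLen]:[VTEP]
            if fields[0] == "2":
                current = {"type": 2, "mac": fields[4],
                           "ip": fields[6] if fields[5] != "0" else None}
            else:
                current = {"type": 3, "vtep": fields[3]}
            best = ">" in line[:3]
        elif line.startswith("*"):
            best = ">" in line[:3]  # additional path for the same NLRI
        pm = PATH_RE.search(line)
        if pm and current:
            routes.append({**current, "rd": rd, "nexthop": pm.group(1), "best": best})
    return routes


def build_tables(routes: list):
    """MAC -> set of VTEP next hops, and IP -> MAC from the MAC/IP type-2 routes."""
    mac_vteps, arp = defaultdict(set), {}
    for r in routes:
        if r["type"] != 2:
            continue
        mac_vteps[r["mac"]].add(r["nexthop"])
        if r["ip"]:
            arp[r["ip"]] = r["mac"]
    return dict(mac_vteps), arp


def multi_vtep_macs(mac_vteps: dict) -> dict:
    """MACs advertised behind more than one VTEP address: the ambiguity the
    article removes by giving the vPC pair one shared secondary loopback."""
    return {mac: sorted(v) for mac, v in mac_vteps.items() if len(v) > 1}


def arp_decision(arp: dict, target_ip: str):
    """What a suppress-arp leaf does with a request for target_ip: reply
    locally from the EVPN binding, or flood it into the fabric as BUM."""
    mac = arp.get(target_ip)
    return ("reply", mac) if mac else ("flood", None)


if __name__ == "__main__":
    routes = parse_evpn(SAMPLE)
    mac_vteps, arp = build_tables(routes)
    print("type-3 peers:", sorted(r["vtep"] for r in routes if r["type"] == 3))
    print("MACs behind several VTEPs:", multi_vtep_macs(mac_vteps))
    for ip in ("192.168.10.10", "192.168.10.99"):
        print(ip, "->", arp_decision(arp, ip))
```

Host-1's MAC resolves to the single anycast next hop 10.255.1.10 even though it is advertised by two paths, so it is not flagged; only the constructed 5001.0009.0007, seen behind 10.255.1.11 and 10.255.1.12, is. The ARP decision shows why the MAC/IP routes matter: without the `[32]:[IP]` type-2 entries the table is empty and every request is flooded.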

interface nve1
  member vni 10000   
    suppress-arp

Then some complications arise:

  • For this feature to work, space in TCAM memory is required. Here is an example setting for suppress-arp:

hardware access-list tcam region arp-ether 256

This setting requires a double allocation. That is, if you set 256, you need to free 512 in TCAM. TCAM configuration is beyond the scope of this article, since it depends entirely on the task you have been given and can differ from one network to another.

  • suppress-arp must be implemented on all Leaf switches. However, complications may arise when configuring it on two Leafs living in a vPC domain. If the TCAM is changed, consistency between the pair is broken and one node may be taken out of service. In addition, a device reboot may be required to apply the TCAM change.

As a result, you should carefully weigh whether, in your situation, it is worth introducing this setting into a running fabric.

This concludes the first part of the series. In the next part, we will look at routing through the VxLAN fabric and segmenting the network into different VRFs.

And now I invite everyone to a free webinar, in which I will tell you in detail about the course. The first 20 participants to register for this webinar will receive a discount certificate by email within 1-2 days after the broadcast.

Source: www.habr.com
