Hello, Habr. I am currently the head of the "Network Engineer" course at OTUS.
While waiting for the start of a new enrollment for the course, I have prepared a series of articles on VxLAN EVPN technology.
There is a lot of material on how VxLAN EVPN operates, so I want to collect various tasks and practices for solving problems in a modern data center.

In the first part of the series on VxLAN EVPN technology, I want to look at a way to organize L2 connectivity between hosts over a network fabric.
All examples will be carried out on Cisco Nexus 9000v switches assembled in a Spine-Leaf topology. Setting up the Underlay network is outside the scope of this article.
- Underlay network
- BGP peering for address-family l2vpn evpn
- Setting up NVE
- ARP suppression
Underlay network
The topology used is as follows:

Let's set up addressing on all devices:
Spine-1 - 10.255.1.101
Spine-2 - 10.255.1.102
Leaf-11 - 10.255.1.11
Leaf-12 - 10.255.1.12
Leaf-21 - 10.255.1.21
Host-1 - 192.168.10.10
Host-2 - 192.168.10.20

Let's check that there is IP connectivity between all devices:
Leaf21# sh ip route
<........>
10.255.1.11/32, ubest/mbest: 2/0 ! Leaf-11 is reachable via both Spines
*via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
*via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 2/0 ! Leaf-12 is reachable via both Spines
*via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
*via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.21/32, ubest/mbest: 2/0, attached
*via 10.255.1.22, Lo0, [0/0], 00:02:20, local
*via 10.255.1.22, Lo0, [0/0], 00:02:20, direct
10.255.1.101/32, ubest/mbest: 1/0
*via 10.255.1.101, Eth1/4, [110/41], 00:00:06, ospf-UNDERLAY, intra
10.255.1.102/32, ubest/mbest: 1/0
*via 10.255.1.102, Eth1/3, [110/41], 00:00:03, ospf-UNDERLAY, intra

Let's check that the VPC domain has been created, that both switches have passed the consistency check, and that the settings on both nodes are identical:
Leaf11# show vpc
vPC domain id : 1
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 0
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
Delay-restore status : Timer is off.(timeout = 30s)
Delay-restore SVI status : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router : Disabled
vPC status
----------------------------------------------------------------------------
Id Port Status Consistency Reason Active vlans
-- ------------ ------ ----------- ------ ---------------
5 Po5 up success success 1

BGP peering
Finally, we can move on to setting up the Overlay network.
Within this article we need to organize connectivity between the hosts, as shown in the diagram below:

To organize the Overlay network, BGP with support for the l2vpn evpn address family must be enabled on the Spine and Leaf switches:
feature bgp
nv overlay evpn

Next, we need to configure BGP peering between the Leafs and the Spines. To simplify the setup and optimize the distribution of routing information, we configure the Spines as Route-Reflector servers. We will describe all Leafs in the configuration through a peer template to keep the setup compact.
So the configuration on the Spine looks like this:
router bgp 65001
template peer LEAF
remote-as 65001
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
route-reflector-client
neighbor 10.255.1.11
inherit peer LEAF
neighbor 10.255.1.12
inherit peer LEAF
neighbor 10.255.1.21
inherit peer LEAF

The configuration on the Leaf switches looks similar:
router bgp 65001
template peer SPINE
remote-as 65001
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
neighbor 10.255.1.101
inherit peer SPINE
neighbor 10.255.1.102
inherit peer SPINE

On the Spine, let's check the peering with all Leaf switches:
Spine1# sh bgp l2vpn evpn summary
<.....>
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.255.1.11 4 65001 7 8 6 0 0 00:01:45 0
10.255.1.12 4 65001 7 7 6 0 0 00:01:16 0
10.255.1.21 4 65001 7 7 6 0 0 00:01:01 0

As we can see, there are no problems with BGP. Let's move on to the VxLAN configuration. All further configuration is done only on the Leaf switches. The Spines act purely as the network core and only forward traffic; all the work of encapsulation and path selection is done on the Leaf switches.
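A practitioner normally scripts the peering check above instead of reading it by eye. The following is an added example (not code from the article or from Cisco): it parses the `show bgp l2vpn evpn summary` table and reports any expected Leaf that is missing, in the wrong AS, or not Established. NX-OS prints the received-prefix count in the State/PfxRcd column only once the session is Established and a state name (Idle, Active, ...) otherwise, which is what the check relies on. The sample output is constructed after the article's fabric, with the Leaf-21 session deliberately stuck in Active to exercise the failure path; the expected-neighbor set is an assumption.

```python
"""Check 'show bgp l2vpn evpn summary' output for healthy Route-Reflector peerings.

Added example: the sample output below is constructed (modelled on the article's
Spine-1 output) and the expected neighbor list is an assumption."""

import re

# Constructed sample, not captured from the article's lab: the third session is
# deliberately stuck in Active so the failure path is visible.
SAMPLE_SUMMARY = """\
Spine1# sh bgp l2vpn evpn summary
BGP summary information for VRF default, address family L2VPN EVPN
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.255.1.11     4 65001       7       8        6    0    0 00:01:45 0
10.255.1.12     4 65001       7       7        6    0    0 00:01:16 0
10.255.1.21     4 65001       0       0        0    0    0 00:03:10 Active
"""

EXPECTED_LEAFS = {"10.255.1.11", "10.255.1.12", "10.255.1.21"}  # assumption: all Leaf loopbacks

# Neighbor, V, AS, then six columns (MsgRcvd MsgSent TblVer InQ OutQ Up/Down), then State/PfxRcd
NEIGHBOR_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)"
    r"(?:\s+\S+){6}\s+(?P<state>\S+)\s*$"
)


def parse_summary(text):
    """Return {neighbor_ip: {'as': int, 'state': str}} for every neighbor row."""
    peers = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            peers[m.group("ip")] = {"as": int(m.group("asn")), "state": m.group("state")}
    return peers


def is_established(state):
    """NX-OS shows a prefix count (digits) in State/PfxRcd once the session is Established."""
    return state.isdigit()


def check_peering(text, expected, local_as=65001):
    """Return a list of problem strings; an empty list means every expected peer is healthy."""
    peers = parse_summary(text)
    problems = []
    for ip in sorted(expected - set(peers)):
        problems.append(f"{ip}: not configured as a neighbor")
    for ip, info in sorted(peers.items()):
        if ip not in expected:
            problems.append(f"{ip}: unexpected neighbor")
        if info["as"] != local_as:
            problems.append(f"{ip}: remote AS {info['as']} is not iBGP AS {local_as}")
        if not is_established(info["state"]):
            problems.append(f"{ip}: session state {info['state']}, not Established")
    return problems


if __name__ == "__main__":
    for problem in check_peering(SAMPLE_SUMMARY, EXPECTED_LEAFS):
        print(problem)
```

Run against real output, the script only needs the text of the command; feeding it the output of every Spine catches a Leaf that peers with one Route-Reflector but not the other, which is exactly the half-working state that is hard to notice by hand.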
Setting up NVE
NVE - Network Virtual Interface
Before starting the setup, let's introduce some terminology:
VTEP - Virtual Tunnel End Point, the device on which a VxLAN tunnel starts or ends. A VTEP does not have to be a network device; it can also be a server with VxLAN support. In our topology, all Leaf switches are VTEPs.
VNI - Virtual Network Index - the network identifier in VxLAN. It can be compared to a VLAN, with some differences. When a fabric is used, a VLAN is unique only within a single Leaf switch and is not carried across the network. Each VLAN, however, can be associated with a VNI number, which is carried across the network. What this looks like and how it can be used is discussed below.
Let's enable the VxLAN feature and the ability to associate a VLAN number with a VNI number:
feature nv overlay
feature vn-segment-vlan-based

Now let's configure the NVE interface, which is responsible for VxLAN operation. This interface encapsulates frames in the VxLAN header; an analogy can be drawn with the Tunnel interface used for GRE:
interface nve1
no shutdown
host-reachability protocol bgp ! use BGP to carry host reachability information
source-interface loopback0 ! the interface we send packets from: loopback0

On the Leaf-21 switch everything comes up without problems. However, if we check the output of the show nve peers command, it will be empty. Here we need to go back to the VPC configuration. Leaf-11 and Leaf-12 work as a pair and are joined into a VPC domain, which gives us the following situation:
Host-2 sends a frame to Leaf-21 so that it can be delivered across the network to Host-1. Leaf-21, however, sees that the MAC address of Host-1 is reachable through two VTEPs at once. What should Leaf-21 do in this case? After all, this means a loop may appear in the network.
To resolve this, Leaf-11 and Leaf-12 must act as a single device within the fabric. This is solved quite simply: on the Loopback interface from which the tunnel is built, add a secondary address. The secondary address must be the same on both VTEPs.
interface loopback0
ip add 10.255.1.10/32 secondary

So, from the point of view of the other VTEPs, we get the following topology:

That is, the tunnel is now built between the IP address of Leaf-21 and the virtual IP shared by Leaf-11 and Leaf-12. There is no longer a problem with learning the MAC address from two devices, and traffic can move from one VTEP to the other. Which of the two VTEPs processes the traffic is decided by the routing table on the Spine:
Spine1# sh ip route
<.....>
10.255.1.10/32, ubest/mbest: 2/0
*via 10.255.1.11, Eth1/1, [110/41], 1d01h, ospf-UNDERLAY, intra
*via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra
10.255.1.11/32, ubest/mbest: 1/0
*via 10.255.1.11, Eth1/1, [110/41], 1d22h, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 1/0
*via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra

As you can see above, the address 10.255.1.10 is reachable through both next-hops at once.
At this stage we have basic connectivity sorted out. Let's move on to the NVE interface configuration.
Let's immediately enable VLAN 10 and associate it with VNI 10000 on every Leaf that serves the hosts, setting up an L2 tunnel between the hosts:
vlan 10 ! enable the VLAN on all VTEPs connected to the hosts in question
vn-segment 10000 ! associate the VLAN with the VNI number
interface nve1
member vni 10000 ! add VNI 10000 to the NVE interface for encapsulation in VxLAN
ingress-replication protocol bgp ! specify that BGP is used to distribute host information

Now let's check the peers and the BGP EVPN table:
Leaf21# sh nve peers
Interface Peer-IP State LearnType Uptime Router-Mac
--------- --------------- ----- --------- -------- -----------------
nve1 10.255.1.10 Up CP 00:00:41 n/a ! the peer is reachable via the secondary address
Leaf11# sh bgp l2vpn evpn
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10.255.1.11:32777 (L2VNI 10000) ! who exactly this L2VNI came from
*>l[3]:[0]:[32]:[10.255.1.10]/88 ! EVPN route-type 3 - shows our neighbor, which also knows about L2VNI 10000
10.255.1.10 100 32768 i
*>i[3]:[0]:[32]:[10.255.1.20]/88
10.255.1.20 100 0 i
* i 10.255.1.20 100 0 i
Route Distinguisher: 10.255.1.21:32777
* i[3]:[0]:[32]:[10.255.1.20]/88
10.255.1.20 100 0 i
*>i 10.255.1.20 100 0 i

Above we see only EVPN route-type 3 routes. This route type describes the peer (the Leaf), but where is our host?
The point is that host MAC information is carried in EVPN route-type 2.
To see our host, we need to configure EVPN route-type 2:
evpn
vni 10000 l2
route-target import auto ! within this article we use an automatically generated route-target
route-target export auto

Let's ping from Host-2 to Host-1:
Firewall2# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
36 bytes from 192.168.10.2: Destination Host Unreachable
Request 0 timed out
64 bytes from 192.168.10.1: icmp_seq=1 ttl=254 time=215.555 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=254 time=38.756 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=254 time=42.484 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=254 time=40.983 ms

And below we can see that route-type 2 entries with the host MAC addresses 5001.0007.0007 and 5001.0008.0007 have appeared in the BGP table.
Leaf11# sh bgp l2vpn evpn
<......>
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10.255.1.11:32777 (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216 ! EVPN route-type 2 and the MAC address of Host-1
10.255.1.10 100 32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216 ! EVPN route-type 2 and the MAC address of Host-2
* i 10.255.1.20 100 0 i
*>l[3]:[0]:[32]:[10.255.1.10]/88
10.255.1.10 100 32768 i
Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
10.255.1.20 100 0 i
*>i 10.255.1.20 100 0 i

Next, we can look at the detailed information about the Update in which the Host MAC was received. Below is only part of the command output:
Leaf21# sh bgp l2vpn evpn 5001.0007.0007
BGP routing table information for VRF default, address family L2VPN EVPN
Route Distinguisher: 10.255.1.11:32777 ! who sent the Update with the Host MAC: the Leaf's own address, not the virtual VPC address
BGP routing table entry for [2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216,
version 1507
Paths: (2 available, best #2)
Flags: (0x000202) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not in HW
Path type: internal, path is valid, not best reason: Neighbor Address, no labeled nexthop
AS-Path: NONE, path sourced internal to AS
10.255.1.10 (metric 81) from 10.255.1.102 (10.255.1.102) ! who exactly we build the VxLAN tunnel with
Origin IGP, MED not set, localpref 100, weight 0
Received label 10000 ! the VNI associated with the VLAN the Host is in
Extcommunity: RT:65001:10000 SOO:10.255.1.10:0 ENCAP:8 ! the RT was generated automatically from the AS and VNI numbers
Originator: 10.255.1.11 Cluster list: 10.255.1.102
<........>

Let's think about what the frame looks like as it passes through the fabric:

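To make the encapsulation concrete, here is an added example (not code from the article or from Cisco) that does in Python what the NVE interface does in hardware: it wraps a host frame in the 8-byte VxLAN header from RFC 7348, a UDP header to port 4789 and an outer IPv4 header addressed from the local VTEP to the remote VTEP, then decapsulates and validates the result at the far end. The VTEP and host addresses are the article's lab values (Host-2 behind Leaf-21 sending to Host-1 behind the vPC pair at 10.255.1.10); the payload, the TTL and the source-port hash are constructed.

```python
"""Encapsulate a host Ethernet frame the way a VTEP does (RFC 7348) and decapsulate it again.

Added example, not the article's code. Outer Ethernet is omitted; the outer IP
header is the VTEP-to-VTEP header the Spines route on."""

import ipaddress
import struct
import zlib

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08          # "VNI present" flag, the only flag RFC 7348 defines


def mac_to_bytes(mac):
    """'5001.0007.0007' (Cisco dotted form) -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_inner_frame(dst_mac, src_mac, ethertype, payload):
    """The original host Ethernet frame (FCS omitted, as a VTEP strips it)."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_vxlan_header(vni):
    """flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def ipv4_checksum(header):
    """Ones'-complement sum over 16-bit words; evaluates to 0 for a correct header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src_ip, dst_ip, payload):
    """Minimal 20-byte IPv4 header, protocol 17 (UDP), TTL 64 (constructed), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def entropy_source_port(inner_frame):
    """VTEPs derive the outer UDP source port from the inner headers so the Spines'
    ECMP spreads flows across links; this CRC-based hash is a constructed stand-in."""
    return 49152 + (zlib.crc32(inner_frame[:14]) & 0x3FFF)


def encapsulate(src_vtep, dst_vtep, vni, inner_frame):
    """Ingress VTEP: host frame -> outer IP/UDP/VxLAN packet for the underlay."""
    udp_payload = build_vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", entropy_source_port(inner_frame), VXLAN_UDP_PORT,
                      8 + len(udp_payload), 0) + udp_payload   # UDP checksum 0 is permitted on IPv4
    return build_ipv4(src_vtep, dst_vtep, udp)


def decapsulate(packet):
    """Egress VTEP: validate the outer headers, return (src_vtep, dst_vtep, vni, inner_frame)."""
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src_ip = str(ipaddress.ip_address(packet[12:16]))
    dst_ip = str(ipaddress.ip_address(packet[16:20]))
    udp = packet[ihl:]
    _, dst_port, length, _ = struct.unpack("!HHHH", udp[:8])
    if dst_port != VXLAN_UDP_PORT or length != len(udp):
        raise ValueError("not a well-formed VxLAN datagram")
    vxlan = udp[8:16]
    if not vxlan[0] & VXLAN_FLAG_I:
        raise ValueError("VxLAN I flag clear, VNI is not valid")
    vni = struct.unpack("!I", vxlan[4:8])[0] >> 8
    return src_ip, dst_ip, vni, udp[16:]


if __name__ == "__main__":
    # Host-2 (5001.0008.0007) behind Leaf-21 sends to Host-1 (5001.0007.0007) behind the
    # Leaf-11/Leaf-12 pair, which is reachable at the vPC secondary address 10.255.1.10.
    frame = build_inner_frame("5001.0007.0007", "5001.0008.0007", 0x0800, b"constructed payload")
    pkt = encapsulate("10.255.1.21", "10.255.1.10", 10000, frame)
    print(decapsulate(pkt)[:3], len(pkt), "bytes on the wire")
```

The 50 bytes of overhead (20 IP + 8 UDP + 8 VxLAN, plus 14 of outer Ethernet not shown here) are why the underlay MTU must be raised above the host MTU; the checks in decapsulate mirror what a VTEP drops silently, which is worth remembering when traffic disappears inside the fabric.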
ARP suppression
Great, we have L2 communication between the hosts and could stop here. However, it is not that simple. As long as we have a handful of hosts there will be no problems, but imagine a situation with hundreds or thousands of hosts. What problems might we run into?
The problem is BUM traffic (Broadcast, Unknown Unicast, Multicast). In this article we will look at one option for combating broadcast traffic.
The main generator of Broadcast in an Ethernet network is the hosts themselves, via the ARP protocol.
Nexus has the following mechanism for combating ARP requests: suppress-arp.
This feature works as follows:
- Host-1 sends an ARP request to the network Broadcast address.
- The request reaches the Leaf switch, and instead of forwarding it into the fabric towards Host-2, the Leaf answers it itself, supplying the required IP and MAC.
Thus the Broadcast request does not enter the fabric. But how can this work if the Leaf knows only the MAC address?
It is quite simple: EVPN route-type 2 can carry a MAC/IP binding in addition to the MAC address. For this, an IP address must be configured on the VLAN on the Leaf. The question is, which IP should be set? On Nexus you can create a distributed (identical) address on all switches:
feature interface-vlan
fabric forwarding anycast-gateway-mac 0001.0001.0001 ! set the virtual MAC used to create a distributed gateway across all switches
interface Vlan10
no shutdown
ip address 192.168.10.254/24 ! set the same IP on all Leafs
fabric forwarding mode anycast-gateway ! tell the SVI to use the virtual MAC

So from the host's point of view the network will look like this:
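Two things in this article must be identical across switches or the fabric misbehaves: the loopback0 secondary address on a vPC pair, and the anycast-gateway MAC and SVI address on every Leaf. The following is an added example (not the article's or Cisco's code) that audits NX-OS-style running-config text for exactly those invariants. The three config fragments are constructed from the article's values, with a deliberate typo in Leaf-12's secondary address so the report has something to find; the VPC_PAIRS list and the function names are assumptions.

```python
"""Audit Leaf running-configs for the addresses the fabric requires to be identical.

Added example, not the article's code. The configs below are constructed from the
article's values; Leaf-12 carries a deliberate typo in its secondary address."""

LEAF_CONFIGS = {  # constructed running-config fragments
    "Leaf-11": """\
fabric forwarding anycast-gateway-mac 0001.0001.0001
interface loopback0
  ip address 10.255.1.11/32
  ip address 10.255.1.10/32 secondary
interface Vlan10
  no shutdown
  ip address 192.168.10.254/24
  fabric forwarding mode anycast-gateway
""",
    "Leaf-12": """\
fabric forwarding anycast-gateway-mac 0001.0001.0001
interface loopback0
  ip address 10.255.1.12/32
  ip address 10.255.1.100/32 secondary
interface Vlan10
  no shutdown
  ip address 192.168.10.254/24
  fabric forwarding mode anycast-gateway
""",
    "Leaf-21": """\
fabric forwarding anycast-gateway-mac 0001.0001.0001
interface loopback0
  ip address 10.255.1.21/32
interface Vlan10
  no shutdown
  ip address 192.168.10.254/24
  fabric forwarding mode anycast-gateway
""",
}

VPC_PAIRS = [("Leaf-11", "Leaf-12")]   # assumption: which Leafs form a vPC domain


def parse_leaf_config(text):
    """Return {'anycast_mac': str|None, 'interfaces': {name: {'ips', 'secondary', 'anycast'}}}."""
    cfg = {"anycast_mac": None, "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # an unindented command ends any interface block
            current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg["interfaces"][current] = {"ips": [], "secondary": [], "anycast": False}
        elif line.startswith("fabric forwarding anycast-gateway-mac "):
            cfg["anycast_mac"] = line.split()[-1]
        elif current and line.startswith("ip add"):   # accepts 'ip add' and 'ip address'
            parts = line.split()
            key = "secondary" if "secondary" in parts else "ips"
            cfg["interfaces"][current][key].append(parts[2])
        elif current and line == "fabric forwarding mode anycast-gateway":
            cfg["interfaces"][current]["anycast"] = True
    return cfg


def check_consistency(configs, vpc_pairs, svi="Vlan10"):
    """Return a list of problem strings; empty means the fabric-wide invariants hold."""
    problems = []
    macs = {n: c["anycast_mac"] for n, c in configs.items()}
    if len(set(macs.values())) != 1:
        problems.append(f"anycast-gateway-mac differs across Leafs: {macs}")
    gateways = {n: tuple(c["interfaces"].get(svi, {}).get("ips", ())) for n, c in configs.items()}
    if len(set(gateways.values())) != 1:
        problems.append(f"{svi} address differs across Leafs: {gateways}")
    for n, c in configs.items():
        if not c["interfaces"].get(svi, {}).get("anycast"):
            problems.append(f"{n}: {svi} lacks 'fabric forwarding mode anycast-gateway'")
    for a, b in vpc_pairs:
        sec_a = configs[a]["interfaces"].get("loopback0", {}).get("secondary", [])
        sec_b = configs[b]["interfaces"].get("loopback0", {}).get("secondary", [])
        if sec_a != sec_b:
            problems.append(f"vPC pair {a}/{b}: loopback0 secondary differs ({sec_a} vs {sec_b})")
    return problems


def audit(configs=LEAF_CONFIGS, vpc_pairs=VPC_PAIRS):
    return check_consistency({n: parse_leaf_config(t) for n, t in configs.items()}, vpc_pairs)


if __name__ == "__main__":
    for problem in audit():
        print(problem)
```

A mismatched secondary address is worth catching before anything else: the remote VTEPs would see two different tunnel endpoints for the pair again, which is precisely the duplicate-MAC situation the secondary address was added to avoid.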

Let's check the BGP l2vpn evpn table:
Leaf11# sh bgp l2vpn evpn
<......>
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10.255.1.11:32777 (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216
10.255.1.21 100 32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
10.255.1.10 100 0 i
* i 10.255.1.10 100 0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
10.255.1.10 100 0 i
*>i 10.255.1.10 100 0 i
<......>
Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
10.255.1.20 100 0 i
*>i 10.255.1.20 100 0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
*>i 10.255.1.20 100 0 i
<......>

From the command output it is clear that in EVPN route-type 2 we now see the IP address of the host alongside the MAC.
Let's return to the suppress-arp setting. It is enabled for each VNI separately:
interface nve1
member vni 10000
suppress-arp

This, however, brings some complications:
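The decision suppress-arp makes on each incoming ARP request is small enough to model exactly, which is what the following added example does (not code from the article or from Cisco). A Leaf object holds the IP-to-MAC bindings learned from EVPN route-type 2; an ARP request for a bound IP is answered by the Leaf itself with a unicast reply, while a request for an unknown IP is recorded as flooded into the fabric, and a Leaf with the feature off floods everything. The ARP packets are built and parsed in the RFC 826 Ethernet/IPv4 layout; host addresses are the article's, the binding table and the class are constructed.

```python
"""Model of the suppress-arp decision a Leaf makes per ARP request.

Added example, not the article's code. Host MACs and IPs are the article's lab values;
the Leaf class, its binding table and the packets are constructed for illustration."""

import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def bytes_to_mac(b):
    h = b.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte Ethernet/IPv4 ARP body (RFC 826): htype 1, ptype 0x0800, hlen 6, plen 4."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_to_bytes(sender_mac) + ipaddress.ip_address(sender_ip).packed
            + mac_to_bytes(target_mac) + ipaddress.ip_address(target_ip).packed)


def parse_arp(pkt):
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": op,
        "sender_mac": bytes_to_mac(pkt[8:14]),
        "sender_ip": str(ipaddress.ip_address(pkt[14:18])),
        "target_mac": bytes_to_mac(pkt[18:24]),
        "target_ip": str(ipaddress.ip_address(pkt[24:28])),
    }


class Leaf:
    """A VTEP's view of ARP suppression for one VNI."""

    def __init__(self, name, suppress_arp=True):
        self.name = name
        self.suppress_arp = suppress_arp
        self.bindings = {}   # ip -> mac, learned from EVPN route-type 2 MAC/IP routes
        self.flooded = []    # target IPs whose requests had to enter the fabric as BUM

    def learn_type2(self, mac, ip):
        """Install a MAC/IP binding received in an EVPN route-type 2 advertisement."""
        self.bindings[ip] = mac

    def handle_arp(self, pkt):
        """Return a locally generated ARP reply (bytes), or None when the request is flooded."""
        arp = parse_arp(pkt)
        if arp["op"] != ARP_REQUEST:
            return None                      # replies are unicast and not subject to suppression
        target_ip = arp["target_ip"]
        if self.suppress_arp and target_ip in self.bindings:
            # Answer on behalf of the target, unicast back to the requester; nothing enters the fabric.
            return build_arp(ARP_REPLY, self.bindings[target_ip], target_ip,
                             arp["sender_mac"], arp["sender_ip"])
        self.flooded.append(target_ip)
        return None


if __name__ == "__main__":
    leaf21 = Leaf("Leaf-21")
    leaf21.learn_type2("5001.0007.0007", "192.168.10.10")        # Host-1, learned via EVPN
    request = build_arp(ARP_REQUEST, "5001.0008.0007", "192.168.10.20",
                        "0000.0000.0000", "192.168.10.10")       # Host-2 asks for Host-1
    reply = leaf21.handle_arp(request)
    print("answered locally:", parse_arp(reply)["sender_mac"] if reply else None,
          "flooded:", leaf21.flooded)
```

The model also shows the limit of the feature: a binding only exists once the remote Leaf has advertised the MAC/IP pair, so the very first request for a silent host still floods, and a stale binding after a host moves is answered with the old MAC until the type-2 route is withdrawn.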
- The feature requires space in TCAM memory. Here is an example of the setting for suppress-arp:
hardware access-list tcam region arp-ether 256

This setting requires double the size: if you specify 256, you need to free 512 entries in TCAM. TCAM carving is beyond the scope of this article, since it depends entirely on the task in front of you and may differ from one network to another.
- suppress-arp must be deployed on all Leaf switches. Complications may arise, however, when configuring a pair of Leafs that are in a VPC domain: when the TCAM layout is changed, consistency between the pair is broken and one node may be taken out of service. In addition, a device reboot may be required to apply the TCAM change.
As a result, you need to think carefully about whether it is worth deploying this setting in a running fabric in your situation.
This concludes the first part of the series. In the next part we will look at routing across the VxLAN fabric with the network divided into different VRFs.
And now I invite everyone to the webinar, where I will talk about the course in detail. The first 20 participants who register for this webinar will receive a discount certificate by email within 1-2 days after the broadcast.
Source: www.habr.com
