VxLAN fabric. Part 1

Hello, Habr. I lead the Network Engineer course at OTUS.
Ahead of the start of a new enrollment for the "Network Engineer" course, I have prepared a series of articles on VxLAN EVPN technology.

There is a lot of material on how VxLAN EVPN works, so I want to collect the various tasks and practices for solving problems in a modern data center.


In the first part of the series on VxLAN EVPN technology, I want to look at a way to organize L2 connectivity between hosts on top of a network fabric.

All examples are done on Cisco Nexus 9000v switches assembled in a Spine-Leaf topology. We will not dwell on setting up the Underlay network in this article.

  1. Underlay network
  2. BGP peering for the l2vpn evpn address family
  3. Configuring NVE
  4. Suppress-arp

Underlay network

The topology used is as follows:


Let's set up addressing on all devices:

Spine-1 - 10.255.1.101
Spine-2 - 10.255.1.102

Leaf-11 - 10.255.1.11
Leaf-12 - 10.255.1.12
Leaf-21 - 10.255.1.21

Host-1 - 192.168.10.10
Host-2 - 192.168.10.20

Let's check that there is IP connectivity between all devices:

Leaf21# sh ip route
<........>
10.255.1.11/32, ubest/mbest: 2/0                      ! Leaf-11 is reachable via two Spines
    *via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
    *via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 2/0                      ! Leaf-12 is reachable via two Spines
    *via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
    *via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.21/32, ubest/mbest: 2/0, attached
    *via 10.255.1.22, Lo0, [0/0], 00:02:20, local
    *via 10.255.1.22, Lo0, [0/0], 00:02:20, direct
10.255.1.101/32, ubest/mbest: 1/0
    *via 10.255.1.101, Eth1/4, [110/41], 00:00:06, ospf-UNDERLAY, intra
10.255.1.102/32, ubest/mbest: 1/0
    *via 10.255.1.102, Eth1/3, [110/41], 00:00:03, ospf-UNDERLAY, intra

Let's check that the VPC domain has been created, that both switches have passed the consistency check, and that the settings on both nodes are identical:

Leaf11# show vpc 

vPC domain id                     : 1
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : primary
Number of vPCs configured         : 0
Peer Gateway                      : Disabled
Dual-active excluded VLANs        : -
Graceful Consistency Check        : Enabled
Auto-recovery status              : Disabled
Delay-restore status              : Timer is off.(timeout = 30s)
Delay-restore SVI status          : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router    : Disabled

vPC status
----------------------------------------------------------------------------
Id    Port          Status Consistency Reason                Active vlans
--    ------------  ------ ----------- ------                ---------------
5     Po5           up     success     success               1

BGP peering

Finally, you can move on to configuring the Overlay network.

For this article, we need to set up a network between the hosts, as shown in the diagram below:


To configure the Overlay network, you need to enable BGP on the Spine and Leaf switches with support for the l2vpn evpn family:

feature bgp
nv overlay evpn

Next, you need to configure BGP peering between Leaf and Spine. To simplify configuration and optimize the distribution of routing information, we configure the Spines as Route-Reflector servers. We will write all the Leafs into the config using templates to streamline the configuration.

So the configuration on Spine looks like this:

router bgp 65001
  template peer LEAF 
    remote-as 65001
    update-source loopback0
    address-family l2vpn evpn
      send-community
      send-community extended
      route-reflector-client
  neighbor 10.255.1.11
    inherit peer LEAF
  neighbor 10.255.1.12
    inherit peer LEAF
  neighbor 10.255.1.21
    inherit peer LEAF

The configuration on the Leaf switch looks similar:

router bgp 65001
  template peer SPINE
    remote-as 65001
    update-source loopback0
    address-family l2vpn evpn
      send-community
      send-community extended
  neighbor 10.255.1.101
    inherit peer SPINE
  neighbor 10.255.1.102
    inherit peer SPINE

On the Spine, check peering with all Leaf switches:

Spine1# sh bgp l2vpn evpn summary
<.....>
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.255.1.11     4 65001       7       8        6    0    0 00:01:45 0
10.255.1.12     4 65001       7       7        6    0    0 00:01:16 0
10.255.1.21     4 65001       7       7        6    0    0 00:01:01 0

As you can see, there are no problems with BGP. Let's move on to configuring VxLAN. Further configuration is done only on the Leaf switches. The Spine acts only as the core of the network and is involved only in forwarding traffic. All encapsulation and path determination happens only on the Leaf switches.

Configuring NVE

NVE - network virtual interface

Before starting the configuration, let's introduce some terminology:

VTEP - Virtual Tunnel End Point, the device on which a VxLAN tunnel starts or ends. A VTEP is not necessarily a network device. A server that supports VxLAN technology can also act as one. In our topology, all Leaf switches are VTEPs.

VNI - Virtual Network Index - the network identifier within VxLAN. An analogy can be drawn with a VLAN. However, there are some differences. When using a fabric, VLANs become unique only within a single Leaf switch and are not carried across the network. But each VLAN can have a VNI number associated with it, which is carried across the network. What this looks like and how it can be used will be discussed further.

Let's enable the features needed for VxLAN to work and for associating VLAN numbers with VNI numbers:

feature nv overlay
feature vn-segment-vlan-based

Let's configure the NVE interface, which is responsible for VxLAN operation. This interface is responsible for encapsulating frames in VxLAN headers. You can draw an analogy with the Tunnel interface for GRE:

interface nve1
  no shutdown
  host-reachability protocol bgp ! use BGP to carry routing information
  source-interface loopback0    ! interface from which packets are sent: loopback0

On the Leaf-21 switch everything is created without problems. However, if we check the output of the show nve peers command, it will be empty. Here we need to return to the VPC configuration. We see that Leaf-11 and Leaf-12 work as a pair and are joined by a VPC domain. This gives us the following situation:

Host-2 sends a frame to Leaf-21 to be carried across the network to Host-1. However, Leaf-21 sees that the MAC address of Host-1 is reachable through two VTEPs at once. What should Leaf-21 do in this case? After all, this means a loop could appear in the network.

To resolve this situation, Leaf-11 and Leaf-12 must also act as a single device within the fabric. The solution is quite simple. On the Loopback interface from which we build the tunnel, add a secondary address. The Secondary address must be the same on both VTEPs.

interface loopback0
 ip add 10.255.1.10/32 secondary

Thus, from the point of view of the other VTEPs, we get the following topology:


That is, the tunnel will now be built between the IP address of Leaf-21 and the virtual IP shared by the two switches Leaf-11 and Leaf-12. Now there will be no problems learning the MAC address from the two devices, and traffic can move from one VTEP to the other. Which of the two VTEPs handles the traffic is decided by the routing table on the Spine:

Spine1# sh ip route
<.....>
10.255.1.10/32, ubest/mbest: 2/0
    *via 10.255.1.11, Eth1/1, [110/41], 1d01h, ospf-UNDERLAY, intra
    *via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra
10.255.1.11/32, ubest/mbest: 1/0
    *via 10.255.1.11, Eth1/1, [110/41], 1d22h, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 1/0
    *via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra

As you can see above, the address 10.255.1.10 is reachable via two next hops at once.

At this stage, we have covered the basic connectivity. Let's move on to configuring the NVE interface:
Let's enable Vlan 10 right away and associate it with VNI 10000 on each Leaf for the hosts. This sets up an L2 tunnel between the hosts.

vlan 10                 ! enable the VLAN on all VTEPs connected to the relevant hosts
  vn-segment 10000      ! associate the VLAN with the VNI number

interface nve1
  member vni 10000      ! add VNI 10000 to the NVE interface for VxLAN encapsulation
    ingress-replication protocol bgp    ! use BGP to distribute host information

Now let's check the nve peers and the BGP EVPN table:

Leaf21# sh nve peers
Interface Peer-IP          State LearnType Uptime   Router-Mac
--------- ---------------  ----- --------- -------- -----------------
nve1      10.255.1.10      Up    CP        00:00:41 n/a                 ! the peer is reachable via the secondary address

Leaf11# sh bgp l2vpn evpn

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)        ! who exactly this L2VNI came from
*>l[3]:[0]:[32]:[10.255.1.10]/88                                   ! EVPN route-type 3 - shows our neighbor, which also knows about L2VNI 10000
                      10.255.1.10                       100      32768 i
*>i[3]:[0]:[32]:[10.255.1.20]/88
                      10.255.1.20                       100          0 i
* i                   10.255.1.20                       100          0 i

Route Distinguisher: 10.255.1.21:32777
* i[3]:[0]:[32]:[10.255.1.20]/88
                      10.255.1.20                       100          0 i
*>i                   10.255.1.20                       100          0 i

Above we see only EVPN route-type 3 routes. This route type describes the peer (Leaf), but where are our hosts?
The thing is that information about host MACs is carried by EVPN route-type 2.

To see our hosts, you need to configure EVPN route-type 2:

evpn
  vni 10000 l2
    route-target import auto   ! within this article we use the automatic number for the route-target
    route-target export auto

Let's ping from Host-2 to Host-1:

Firewall2# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
36 bytes from 192.168.10.2: Destination Host Unreachable
Request 0 timed out
64 bytes from 192.168.10.1: icmp_seq=1 ttl=254 time=215.555 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=254 time=38.756 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=254 time=42.484 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=254 time=40.983 ms

And below we can see that route-type 2 entries with the host MAC addresses have appeared in the BGP table - 5001.0007.0007 and 5001.0008.0007

Leaf11# sh bgp l2vpn evpn
<......>

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216                      ! evpn route-type 2 and the MAC address of host 1
                      10.255.1.10                       100      32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216                      ! evpn route-type 2 and the MAC address of host 2
* i                   10.255.1.20                       100          0 i
*>l[3]:[0]:[32]:[10.255.1.10]/88
                      10.255.1.10                       100      32768 i
Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.20                       100          0 i
*>i                   10.255.1.20                       100          0 i

Next, you can see detailed information from the Update in which the information about the host MAC was received. The command output is shown below.

Leaf21# sh bgp l2vpn evpn 5001.0007.0007

BGP routing table information for VRF default, address family L2VPN EVPN
Route Distinguisher: 10.255.1.11:32777        ! sent the Update with the host MAC. Not the virtual VPC address, but the address of the Leaf
BGP routing table entry for [2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216,
 version 1507
Paths: (2 available, best #2)
Flags: (0x000202) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not in HW

  Path type: internal, path is valid, not best reason: Neighbor Address, no labeled nexthop
  AS-Path: NONE, path sourced internal to AS
    10.255.1.10 (metric 81) from 10.255.1.102 (10.255.1.102)    ! who exactly we build the VxLAN tunnel with
      Origin IGP, MED not set, localpref 100, weight 0
      Received label 10000         ! the VNI number associated with the VLAN the host is in
      Extcommunity: RT:65001:10000 SOO:10.255.1.10:0 ENCAP:8        ! here you can see that the RT was generated automatically from the AS and VNI numbers
      Originator: 10.255.1.11 Cluster list: 10.255.1.102
<........>

Let's see what frames look like when they are carried across the fabric:


Suppress-ARP

Great, we have L2 connectivity between the hosts and could stop there. However, it is not that simple. While we have few hosts, there will be no problems. But let's imagine a situation where we have hundreds or thousands of hosts. What problem might we face?

That problem is BUM (Broadcast, Unknown Unicast, Multicast) traffic. In this article, we will consider an option for dealing with broadcast traffic.
The main generator of Broadcast in Ethernet networks is the hosts themselves, through the ARP protocol.

Nexus implements the following mechanism for dealing with ARP requests - suppress-arp.
This feature works as follows:

  1. Host-1 sends an ARP request to the Broadcast address of its network.
  2. The request reaches the Leaf switch, and instead of passing the request further into the fabric towards Host-2, the Leaf answers itself, specifying the required IP and MAC.

Thus, the Broadcast request did not go into the fabric. But how can this work if the Leaf only knows the MAC address?

It's quite simple: EVPN route-type 2, in addition to the MAC address, can carry a MAC/IP pair. To do this, you need to configure an IP address in the VLAN on the Leaf. The question arises: which IP should be set? On Nexus it is possible to create a distributed (identical) address on all switches:

feature interface-vlan

fabric forwarding anycast-gateway-mac 0001.0001.0001    ! set the virtual MAC for the distributed gateway across all switches

interface Vlan10
  no shutdown
  ip address 192.168.10.254/24          ! set the same IP on all Leafs
  fabric forwarding mode anycast-gateway    ! use the virtual MAC

Thus, from the hosts' point of view, the network will look like this:


Let's check BGP l2route evpn

Leaf11# sh bgp l2vpn evpn
<......>

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216
                      10.255.1.21                       100      32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.10                       100          0 i
* i                   10.255.1.10                       100          0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
                      10.255.1.10                       100          0 i
*>i                   10.255.1.10                       100          0 i

<......>

Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.20                       100          0 i
*>i                   10.255.1.20                       100          0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
*>i                   10.255.1.20                       100          0 i

<......>

From the command output you can see that in EVPN route-type 2, in addition to the MAC, we now also see the host IP address.
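
The lookup that suppress-arp depends on, as an added example (not from the original article and not Cisco's implementation): it parses route keys in the format `sh bgp l2vpn evpn` prints, builds an IP-to-MAC table from the MAC/IP route-type 2 entries, and decides whether a Leaf could answer an ARP request locally. The function names and the flood-on-miss model are assumptions of this example.

```python
import re

# Constructed sample: route keys as printed by "sh bgp l2vpn evpn" on this page.
SAMPLE = """\
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216
                      10.255.1.10                       100      32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
*>l[3]:[0]:[32]:[10.255.1.10]/88
"""

FIELD = re.compile(r"\[([^\]]*)\]")

def parse_routes(text):
    """Return one dict per EVPN route key; next-hop lines have no [..] and are skipped."""
    routes = []
    for line in text.splitlines():
        fields = FIELD.findall(line)
        if len(fields) == 7 and fields[0] == "2":
            # [2]:[ESI]:[eth-tag]:[MAC len]:[MAC]:[IP len]:[IP]
            ip = fields[6] if fields[5] != "0" else None  # IP len 0 = MAC-only route
            routes.append({"type": 2, "mac": fields[4], "ip": ip})
        elif len(fields) == 4 and fields[0] == "3":
            # [3]:[eth-tag]:[IP len]:[originating VTEP IP]
            routes.append({"type": 3, "vtep": fields[3]})
    return routes

def build_arp_cache(routes):
    """IP -> MAC, built only from type-2 routes that carry a MAC/IP pair."""
    return {r["ip"]: r["mac"] for r in routes if r["type"] == 2 and r["ip"]}

def handle_arp_request(cache, target_ip):
    """Answer locally when the binding is known; otherwise the request is flooded."""
    mac = cache.get(target_ip)
    return ("reply", mac) if mac else ("flood", None)

def mac_only_hosts(routes):
    """MACs advertised without any IP binding: ARP for them cannot be suppressed."""
    bound = {r["mac"] for r in routes if r["type"] == 2 and r["ip"]}
    return sorted({r["mac"] for r in routes if r["type"] == 2} - bound)

if __name__ == "__main__":
    parsed = parse_routes(SAMPLE)
    table = build_arp_cache(parsed)
    print(handle_arp_request(table, "192.168.10.20"))
    print(handle_arp_request(table, "192.168.10.10"))
    print(mac_only_hosts(parsed))
```

Hosts listed by `mac_only_hosts` still generate broadcast ARP in the fabric until a MAC/IP route for them appears.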

Let's return to configuring suppress-arp. This setting is enabled for each VNI separately:

interface nve1
  member vni 10000   
    suppress-arp

And here some difficulties arise:

  • For this feature to work, space is needed in TCAM memory. Here is an example of the setting for suppress-arp:

hardware access-list tcam region arp-ether 256

This setting requires double-wide. That is, if you set 256, you need to free up 512 in TCAM. TCAM configuration is beyond the scope of this article, since it depends only on the task you have been given and may differ from one network to another.

  • suppress-arp must be implemented on all Leaf switches. However, a difficulty may arise when configuring Leaf pairs located in a VPC domain. If the TCAM is changed, consistency between the pair will be broken and one node may be taken out of service. In addition, a device reboot may be required to apply the TCAM change.

In conclusion, you need to consider carefully whether, in your situation, it is worth introducing this setting into a production fabric.

This concludes the first part of the series. In the next part we will look at routing through the VxLAN fabric with networks separated into different VRFs.
