Hello, Habr. I am the lead of the Network Engineer course at OTUS.
In anticipation of the start of a new enrollment for the course:
There is a lot of material out there on how VxLAN EVPN works, so I want to collect various tasks and examples of solving problems in a modern data center.
In the first part of the series on VxLAN EVPN technology, I want to look at a way to organize L2 connectivity between hosts on top of a network fabric.
All examples will be performed on Cisco Nexus 9000v switches assembled in a Spine-Leaf topology. We will not dwell on setting up the Underlay network in this article.
- Underlay network
- BGP peering for address-family l2vpn evpn
- Configuring the NVE
- Suppress-arp
Underlay network
The topology used is as follows:
Let's set the addresses on all devices:
Spine-1 - 10.255.1.101
Spine-2 - 10.255.1.102
Leaf-11 - 10.255.1.11
Leaf-12 - 10.255.1.12
Leaf-21 - 10.255.1.21
Host-1 - 192.168.10.10
Host-2 - 192.168.10.20
Let's verify that there is IP connectivity between all devices:
Leaf21# sh ip route
<........>
10.255.1.11/32, ubest/mbest: 2/0 ! Leaf-11 is reachable via both Spines
    *via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
    *via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 2/0 ! Leaf-12 is reachable via both Spines
    *via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
    *via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.21/32, ubest/mbest: 2/0, attached
    *via 10.255.1.22, Lo0, [0/0], 00:02:20, local
    *via 10.255.1.22, Lo0, [0/0], 00:02:20, direct
10.255.1.101/32, ubest/mbest: 1/0
    *via 10.255.1.101, Eth1/4, [110/41], 00:00:06, ospf-UNDERLAY, intra
10.255.1.102/32, ubest/mbest: 1/0
    *via 10.255.1.102, Eth1/3, [110/41], 00:00:03, ospf-UNDERLAY, intra
Let's verify that the vPC domain has been created, that both switches have passed the consistency check, and that the state on both nodes is identical:
Leaf11# show vpc
vPC domain id : 1
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 0
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
Delay-restore status : Timer is off.(timeout = 30s)
Delay-restore SVI status : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router : Disabled
vPC status
----------------------------------------------------------------------------
Id Port Status Consistency Reason Active vlans
-- ------------ ------ ----------- ------ ---------------
5 Po5 up success success 1
BGP peering
Finally, we can move on to setting up the Overlay network.
As part of this article, we need to organize a network between the hosts, as shown in the diagram below:
To set up the Overlay network, you need to enable BGP on the Spine and Leaf switches together with support for the l2vpn evpn address family:
feature bgp
nv overlay evpn
Next, you need to set up BGP peering between the Leaf and Spine switches. To simplify the configuration and optimize the distribution of routing information, we configure the Spines as Route-Reflector servers. We will define all Leafs in the config through templates to keep the setup compact.
So the configuration on the Spine looks like this:
router bgp 65001
  template peer LEAF
    remote-as 65001
    update-source loopback0
    address-family l2vpn evpn
      send-community
      send-community extended
      route-reflector-client
  neighbor 10.255.1.11
    inherit peer LEAF
  neighbor 10.255.1.12
    inherit peer LEAF
  neighbor 10.255.1.21
    inherit peer LEAF
The configuration on the Leaf looks similar:
router bgp 65001
  template peer SPINE
    remote-as 65001
    update-source loopback0
    address-family l2vpn evpn
      send-community
      send-community extended
  neighbor 10.255.1.101
    inherit peer SPINE
  neighbor 10.255.1.102
    inherit peer SPINE
On the Spine, let's check the peering with all Leafs:
Spine1# sh bgp l2vpn evpn summary
<.....>
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.255.1.11 4 65001 7 8 6 0 0 00:01:45 0
10.255.1.12 4 65001 7 7 6 0 0 00:01:16 0
10.255.1.21 4 65001 7 7 6 0 0 00:01:01 0
As you can see, there are no problems with BGP. Let's move on to the VxLAN setup. All further configuration is done only on the Leaf side. The Spine is only the core of the network and is involved only in transit of traffic. All the work of encapsulation and path selection happens only on the Leaf switches.
Configuring the NVE
NVE - Network Virtualization Edge interface
Before starting the setup, let's define a few terms:
VTEP - Virtual Tunnel End Point, the device on which a VxLAN tunnel starts or ends. A VTEP is not necessarily a network device. A server that supports VxLAN technology can also act as one. In our topology, all Leaf switches are VTEPs.
VNI - Virtual Network Identifier - the network identifier inside VxLAN. An analogy can be drawn with a VLAN. However, there are differences. When a fabric is used, a VLAN is unique only within a single Leaf switch and is not carried across the network. But each VLAN can have a VNI number associated with it, and that is what is carried over the network. What this looks like and how it can be used is discussed further below.
Let's enable the feature for VxLAN technology to work and the ability to associate a VLAN number with a VNI number:
feature nv overlay
feature vn-segment-vlan-based
Let's configure the NVE interface, which is responsible for VxLAN operation. This interface encapsulates frames into VxLAN headers. You can draw an analogy with a tunnel interface for GRE:
interface nve1
  no shutdown
  host-reachability protocol bgp ! use BGP to carry routing information
  source-interface loopback0 ! the interface from which we send packets, loopback0
On the Leaf-21 switch everything comes up without problems. However, if we check the output of the show nve peers command, it is empty. Here we need to return to the VPC configuration. We saw that Leaf-11 and Leaf-12 work as a pair and are joined by a VPC. This produces the following situation:
Host-2 sends a single frame toward Leaf-21 so that it is forwarded over the network toward Host-1. However, Leaf-21 sees that the MAC address of Host-1 is reachable via two VTEPs at the same time. What should Leaf-21 do in this situation? After all, this means a loop may appear in the network.
To resolve this situation, we need Leaf-11 and Leaf-12 to also act as a single device within the fabric. The solution is quite simple. On the Loopback interface from which we build the tunnel, add a secondary address. The secondary address must be the same on both VTEPs.
interface loopback0
  ip add 10.255.1.10/32 secondary
Thus, from the point of view of the other VTEPs, we get the following topology:
That is, the tunnel will now be built between the IP address of Leaf-21 and the virtual IP shared between Leaf-11 and Leaf-12. Now there is no problem learning the MAC address from two devices, and traffic can go from one VTEP to the other. Which of the two VTEPs will handle the traffic is decided by the routing table on the Spine:
Spine1# sh ip route
<.....>
10.255.1.10/32, ubest/mbest: 2/0
*via 10.255.1.11, Eth1/1, [110/41], 1d01h, ospf-UNDERLAY, intra
*via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra
10.255.1.11/32, ubest/mbest: 1/0
*via 10.255.1.11, Eth1/1, [110/41], 1d22h, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 1/0
*via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra
As you can see above, the address 10.255.1.10 is reachable equally via two Next-hops.
At this stage, we have dealt with the basic connectivity. Let's move on to setting up the NVE interface:
Let's enable VLAN 10 and associate it with VNI 10000 on each Leaf that has hosts attached. Let's build an L2 tunnel between the hosts:
vlan 10 ! enable the VLAN on all VTEPs connected to the required hosts
  vn-segment 10000 ! associate the VLAN with the VNI number
interface nve1
  member vni 10000 ! add VNI 10000 to operate through the NVE interface, for encapsulation in VxLAN
    ingress-replication protocol bgp ! specify that BGP is used to distribute host information
Let's check the peers and the BGP EVPN table:
Leaf21# sh nve peers
Interface Peer-IP State LearnType Uptime Router-Mac
--------- --------------- ----- --------- -------- -----------------
nve1 10.255.1.10 Up CP 00:00:41 n/a ! we see that the peer is reachable via the secondary address
Leaf11# sh bgp l2vpn evpn
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10.255.1.11:32777 (L2VNI 10000) ! from whom exactly this L2VNI came
*>l[3]:[0]:[32]:[10.255.1.10]/88 ! EVPN route-type 3 - shows our neighbor, which also knows about L2VNI 10000
10.255.1.10 100 32768 i
*>i[3]:[0]:[32]:[10.255.1.20]/88
10.255.1.20 100 0 i
* i 10.255.1.20 100 0 i
Route Distinguisher: 10.255.1.21:32777
* i[3]:[0]:[32]:[10.255.1.20]/88
10.255.1.20 100 0 i
*>i 10.255.1.20 100 0 i
Above we see only EVPN route-type 3 routes. This route type describes the peers (Leafs), but where are our hosts?
The thing is that information about host MACs is carried by EVPN route-type 2.
To see our hosts, you need to configure EVPN route-type 2:
evpn
  vni 10000 l2
    route-target import auto ! within this article we use an automatically generated route-target
    route-target export auto
Let's ping from Host-2 to Host-1:
Firewall2# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
36 bytes from 192.168.10.2: Destination Host Unreachable
Request 0 timed out
64 bytes from 192.168.10.1: icmp_seq=1 ttl=254 time=215.555 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=254 time=38.756 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=254 time=42.484 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=254 time=40.983 ms
And below we can see that route-type 2 entries with the host MAC addresses have appeared in the BGP table - 5001.0007.0007 and 5001.0008.0007
Leaf11# sh bgp l2vpn evpn
<......>
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10.255.1.11:32777 (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216 ! EVPN route-type 2 and the MAC address of host 1
10.255.1.10 100 32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216 ! EVPN route-type 2 and the MAC address of host 2
* i 10.255.1.20 100 0 i
*>l[3]:[0]:[32]:[10.255.1.10]/88
10.255.1.10 100 32768 i
Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
10.255.1.20 100 0 i
*>i 10.255.1.20 100 0 i
Next, you can look at the details of the Update from which the information about the host MAC was received. The output below is not complete.
Leaf21# sh bgp l2vpn evpn 5001.0007.0007
BGP routing table information for VRF default, address family L2VPN EVPN
Route Distinguisher: 10.255.1.11:32777 ! who sent the Update with the host MAC: not the VPC virtual address but the Leaf's own address
BGP routing table entry for [2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216,
version 1507
Paths: (2 available, best #2)
Flags: (0x000202) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not in HW
Path type: internal, path is valid, not best reason: Neighbor Address, no labeled nexthop
AS-Path: NONE, path sourced internal to AS
10.255.1.10 (metric 81) from 10.255.1.102 (10.255.1.102) ! with whom exactly we build the VxLAN tunnel
Origin IGP, MED not set, localpref 100, weight 0
Received label 10000 ! the VNI number associated with the VLAN in which the host resides
Extcommunity: RT:65001:10000 SOO:10.255.1.10:0 ENCAP:8 ! here you can see that the RT was generated automatically from the AS and VNI numbers
Originator: 10.255.1.11 Cluster list: 10.255.1.102
<........>
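To make the two observations above concrete (a MAC that is reachable through two VTEPs before the shared secondary loopback is configured, and the route-target that "route-target auto" derives from the AS and VNI numbers), here is an added Python example. It is not part of the original article and not NX-OS code: it parses EVPN NLRI strings in the shape printed by "show bgp l2vpn evpn", groups route-type 2 entries by next-hop VTEP, and flags any MAC advertised from more than one VTEP. The sample route lists are constructed to mirror the lab, and the AS:VNI derivation is assumed for a 2-byte AS, which is what the RT:65001:10000 line in the output shows.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# EVPN route-type 2 (MAC/IP): [2]:[ESI]:[EthTag]:[MAClen]:[MAC]:[IPlen]:[IP]/prefixlen
_MACIP_RE = re.compile(
    r"^\[2\]:\[(?P<esi>\d+)\]:\[(?P<tag>\d+)\]:\[(?P<maclen>\d+)\]:\[(?P<mac>[0-9a-f.]+)\]"
    r":\[(?P<iplen>\d+)\]:\[(?P<ip>[0-9.]+)\]/(?P<plen>\d+)$"
)
# EVPN route-type 3 (Inclusive Multicast): [3]:[EthTag]:[IPlen]:[OriginatorIP]/prefixlen
_IMET_RE = re.compile(r"^\[3\]:\[(?P<tag>\d+)\]:\[(?P<iplen>\d+)\]:\[(?P<ip>[0-9.]+)\]/(?P<plen>\d+)$")


@dataclass(frozen=True)
class EvpnRoute:
    route_type: int
    next_hop: str
    mac: Optional[str] = None   # type-2 only
    ip: Optional[str] = None    # type-2 host IP (when IPlen > 0) or type-3 originator


def parse_nlri(nlri: str, next_hop: str) -> EvpnRoute:
    """Parse one NLRI string together with the next-hop printed beside it."""
    m = _MACIP_RE.match(nlri)
    if m:
        ip = m.group("ip") if int(m.group("iplen")) > 0 else None
        return EvpnRoute(2, next_hop, mac=m.group("mac"), ip=ip)
    m = _IMET_RE.match(nlri)
    if m:
        return EvpnRoute(3, next_hop, ip=m.group("ip"))
    raise ValueError(f"unsupported EVPN NLRI: {nlri}")


def mac_next_hops(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """MAC -> sorted list of VTEP next-hops that advertise it (type-2 routes only)."""
    table = defaultdict(set)
    for nlri, nh in entries:
        route = parse_nlri(nlri, nh)
        if route.route_type == 2:
            table[route.mac].add(route.next_hop)
    return {mac: sorted(nhs) for mac, nhs in table.items()}


def ambiguous_macs(entries: List[Tuple[str, str]]) -> List[str]:
    """MACs reachable through more than one VTEP: the situation the article
    describes for a vPC pair before the shared secondary loopback is added."""
    return sorted(mac for mac, nhs in mac_next_hops(entries).items() if len(nhs) > 1)


def auto_route_target(asn: int, vni: int) -> str:
    """'route-target import/export auto' yields <AS>:<VNI> for a 2-byte AS
    (assumption matching the Extcommunity line RT:65001:10000 in the article)."""
    return f"{asn}:{vni}"


# Constructed sample data (not captured from the article's lab).
# Before the secondary address: each vPC member advertises Host-1's MAC from its own loopback.
SAMPLE_ROUTES_NO_ANYCAST = [
    ("[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216", "10.255.1.11"),
    ("[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216", "10.255.1.12"),
    ("[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248", "10.255.1.20"),
    ("[3]:[0]:[32]:[10.255.1.11]/88", "10.255.1.11"),
]
# After the secondary address: both members advertise with the shared VTEP IP 10.255.1.10.
SAMPLE_ROUTES_ANYCAST = [
    ("[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216", "10.255.1.10"),
    ("[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216", "10.255.1.10"),
    ("[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248", "10.255.1.20"),
    ("[3]:[0]:[32]:[10.255.1.10]/88", "10.255.1.10"),
]

if __name__ == "__main__":
    print("without anycast VTEP:", ambiguous_macs(SAMPLE_ROUTES_NO_ANYCAST))
    print("with anycast VTEP:   ", ambiguous_macs(SAMPLE_ROUTES_ANYCAST))
    print("auto RT:", auto_route_target(65001, 10000))
```

Running the script reports 5001.0007.0007 as ambiguous in the first list and nothing in the second, which is exactly the effect of the shared secondary loopback: the same MAC still arrives from two physical switches, but with a single next-hop, so the remote VTEP has one tunnel endpoint and the underlay ECMP on the Spine picks the physical path.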
Let's see what frames look like as they pass through the fabric:
Suppress-ARP
Great, we now have L2 connectivity between the hosts and could finish here. However, not everything is so simple. As long as we have few hosts, there is no problem. But imagine a situation where we have hundreds or thousands of hosts. What problem might we face?
The problem is BUM (Broadcast, Unknown Unicast, Multicast) traffic. In this article, we will look at an option for dealing with broadcast traffic.
The main generator of broadcast traffic in Ethernet networks is the hosts themselves, via the ARP protocol.
Nexus implements the following mechanism for dealing with ARP requests - suppress-arp.
This feature works as follows:
- Host-1 sends an ARP request to the Broadcast address of its network.
- The request reaches the Leaf switch and, instead of passing it into the fabric toward Host-2, the Leaf itself replies and provides the required IP and MAC.
Thus, the Broadcast request never enters the fabric. But how can this work when only the Leaf knows the MAC address?
Everything is quite simple: EVPN route-type 2, in addition to the MAC address, can carry a MAC/IP combination. For that, you need to set an IP address in the VLAN on the Leaf. The question arises: which IP should be set? On Nexus you can create a distributed (identical) address on all switches:
feature interface-vlan
fabric forwarding anycast-gateway-mac 0001.0001.0001 ! set the virtual MAC used to create a distributed gateway across all switches
interface Vlan10
  no shutdown
  ip address 192.168.10.254/24 ! set the same IP on all Leafs
  fabric forwarding mode anycast-gateway ! tell the SVI to use the Virtual MAC
Thus, from the host's point of view, the network will look like this:
Let's check the BGP l2vpn evpn table:
Leaf11# sh bgp l2vpn evpn
<......>
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10.255.1.11:32777 (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216
10.255.1.21 100 32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
10.255.1.10 100 0 i
* i 10.255.1.10 100 0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
10.255.1.10 100 0 i
*>i 10.255.1.10 100 0 i
<......>
Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
10.255.1.20 100 0 i
*>i 10.255.1.20 100 0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
*>i 10.255.1.20 100 0 i
<......>
From the output above you can see that in EVPN route-type 2, in addition to the MAC, we now also see the host's IP address.
Let's return to the suppress-arp setup. This setting is enabled for each VNI separately:
interface nve1
  member vni 10000
    suppress-arp
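The following is an added Python model of the decision described in the two steps above and in the anycast-gateway section; it is not part of the original article and not NX-OS code. A Leaf learns MAC/IP bindings from route-type 2 advertisements that carry an IP (the /248 entries in the table above), and when a host ARPs it either answers locally (the anycast gateway address, or a known binding on a VNI with suppress-arp) or replicates the broadcast into the fabric as BUM. The host MAC/IP values are taken from the article's address plan and outputs; the Vtep class, its method names and the scenario are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Values from the article's anycast-gateway configuration
ANYCAST_GW_MAC = "0001.0001.0001"
ANYCAST_GW_IP = "192.168.10.254"


@dataclass
class ArpRequest:
    sender_mac: str
    sender_ip: str
    target_ip: str


@dataclass
class ArpReply:
    target_mac: str
    answered_by: str  # "gateway" for the SVI address, "leaf-proxy" for a suppressed ARP


@dataclass
class Vtep:
    """Simplified model of one Leaf/VTEP (hypothetical, not NX-OS code)."""
    name: str
    suppress_arp_vnis: Set[int] = field(default_factory=set)
    # MAC/IP bindings learned from EVPN route-type 2 advertisements that carry
    # an IP, keyed by VNI and then by host IP (in-memory stand-in for the L2RIB)
    bindings: Dict[int, Dict[str, str]] = field(default_factory=dict)
    # every ARP request this VTEP had to replicate into the fabric as BUM
    flooded: List[Tuple[int, str]] = field(default_factory=list)

    def learn_type2(self, vni: int, mac: str, ip: Optional[str]) -> None:
        # A MAC-only route (IP length 0) gives the Leaf nothing to answer ARP with
        if ip is not None:
            self.bindings.setdefault(vni, {})[ip] = mac

    def handle_arp(self, vni: int, req: ArpRequest) -> Optional[ArpReply]:
        # The distributed anycast gateway answers for its own SVI address on every Leaf
        if req.target_ip == ANYCAST_GW_IP:
            return ArpReply(ANYCAST_GW_MAC, "gateway")
        # With suppress-arp on this VNI, a known MAC/IP binding is answered locally
        if vni in self.suppress_arp_vnis:
            mac = self.bindings.get(vni, {}).get(req.target_ip)
            if mac is not None:
                return ArpReply(mac, "leaf-proxy")
        # Otherwise the broadcast is replicated to every VTEP in the VNI
        self.flooded.append((vni, req.target_ip))
        return None


def demo() -> dict:
    """Constructed scenario: Leaf-21 has learned Host-1's binding via EVPN
    (Host-1 IP 192.168.10.10 from the address plan, MAC 5001.0007.0007 from the output)."""
    leaf21 = Vtep("Leaf-21", suppress_arp_vnis={10000})
    leaf21.learn_type2(10000, "5001.0007.0007", "192.168.10.10")
    leaf21.learn_type2(10000, "5001.0007.0007", None)  # MAC-only route, ignored

    host2 = ("5001.0008.0007", "192.168.10.20")
    known = leaf21.handle_arp(10000, ArpRequest(*host2, "192.168.10.10"))
    gateway = leaf21.handle_arp(10000, ArpRequest(*host2, ANYCAST_GW_IP))
    unknown = leaf21.handle_arp(10000, ArpRequest(*host2, "192.168.10.99"))

    # The same request on a Leaf without suppress-arp for the VNI is always flooded
    plain = Vtep("Leaf-21-no-suppress")
    plain.learn_type2(10000, "5001.0007.0007", "192.168.10.10")
    no_suppress = plain.handle_arp(10000, ArpRequest(*host2, "192.168.10.10"))

    return {
        "known": known,
        "gateway": gateway,
        "unknown": unknown,
        "no_suppress": no_suppress,
        "flooded_with_suppress": leaf21.flooded,
        "flooded_without_suppress": plain.flooded,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model makes the dependency explicit: suppression only helps for targets whose MAC/IP binding the fabric has already advertised, so a request for an address no VTEP has learned still floods, which is why the article pairs suppress-arp with the anycast SVI that causes the IP to be carried in route-type 2.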
Then a few caveats arise:
- For this feature to work, space in TCAM memory is required. Here is an example configuration for suppress-arp:
hardware access-list tcam region arp-ether 256
This setting requires double width. That is, if you set 256, you need to free up 512 in the TCAM. TCAM tuning is beyond the scope of this article, since the TCAM layout depends entirely on the task in front of you and may differ from one network to another.
- suppress-arp must be enabled on all Leaf switches. However, complications may arise when configuring it on Leaf pairs that are in a VPC. If the TCAM is changed, consistency between the pair members is broken and one node may be taken out of service. In addition, a reboot of the device may be required to apply the TCAM change.
As a result, you need to think carefully about whether, in your case, it is worth deploying this setting in a production fabric.
This concludes the first part of the series. In the next part we will look at routing over a VxLAN fabric and separating networks into different VRFs.
And now I invite everyone to
Source: www.habr.com