VxLAN Fabric. Part 1

Hello, Habr. I am currently the leader of the Network Engineer course at OTUS.
In anticipation of the start of a new enrollment for the "Network Engineer" course, I have prepared a series of articles on VxLAN EVPN technology.

There is a lot of material on how VxLAN EVPN works, so I want to collect different tasks and approaches to solving problems in a modern data center.

[Figure: VxLAN Fabric. Part 1]

In the first part of the series on VxLAN EVPN technology, I want to look at how to organize L2 connectivity between hosts over a network fabric.

All examples will be done on Cisco Nexus 9000v switches assembled in a Spine-Leaf topology. We will not dwell on setting up the Underlay network in this article.

  1. Underlay network
  2. BGP peering for the l2vpn evpn address family
  3. Setting up NVE
  4. Suppress-arp

Underlay network

The topology used is as follows:

[Figure: VxLAN Fabric. Part 1]

Let's configure addressing on all devices:

Spine-1 - 10.255.1.101
Spine-2 - 10.255.1.102

Leaf-11 - 10.255.1.11
Leaf-12 - 10.255.1.12
Leaf-21 - 10.255.1.21

Host-1 - 192.168.10.10
Host-2 - 192.168.10.20

Let's check that there is IP connectivity between all devices:

Leaf21# sh ip route
<........>
10.255.1.11/32, ubest/mbest: 2/0                      ! Leaf-11 is reachable via two Spines
    *via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
    *via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 2/0                      ! Leaf-12 is reachable via two Spines
    *via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
    *via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.21/32, ubest/mbest: 2/0, attached
    *via 10.255.1.22, Lo0, [0/0], 00:02:20, local
    *via 10.255.1.22, Lo0, [0/0], 00:02:20, direct
10.255.1.101/32, ubest/mbest: 1/0
    *via 10.255.1.101, Eth1/4, [110/41], 00:00:06, ospf-UNDERLAY, intra
10.255.1.102/32, ubest/mbest: 1/0
    *via 10.255.1.102, Eth1/3, [110/41], 00:00:03, ospf-UNDERLAY, intra

Let's check that the vPC domain has been created, that both switches passed the consistency check, and that the settings on both nodes are identical:

Leaf11# show vpc 

vPC domain id                     : 1
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : primary
Number of vPCs configured         : 0
Peer Gateway                      : Disabled
Dual-active excluded VLANs        : -
Graceful Consistency Check        : Enabled
Auto-recovery status              : Disabled
Delay-restore status              : Timer is off.(timeout = 30s)
Delay-restore SVI status          : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router    : Disabled

vPC status
----------------------------------------------------------------------------
Id    Port          Status Consistency Reason                Active vlans
--    ------------  ------ ----------- ------                ---------------
5     Po5           up     success     success               1

BGP peering

Finally, we can proceed to setting up the Overlay network.

Within this article, we need to organize a network between the hosts as shown in the diagram below:

[Figure: VxLAN Fabric. Part 1]

To set up the Overlay network, you need to enable BGP on the Spine and Leaf switches with support for the l2vpn evpn address family:

feature bgp
nv overlay evpn

After that, you need to configure BGP peering between the Leaf and Spine switches. To simplify the setup and improve the distribution of routing information, we configure the Spine as a Route-Reflector server. We will describe all Leafs in the configuration using templates to keep the configuration compact.

So the Spine configuration looks like this:

router bgp 65001
  template peer LEAF 
    remote-as 65001
    update-source loopback0
    address-family l2vpn evpn
      send-community
      send-community extended
      route-reflector-client
  neighbor 10.255.1.11
    inherit peer LEAF
  neighbor 10.255.1.12
    inherit peer LEAF
  neighbor 10.255.1.21
    inherit peer LEAF

On the Leaf switch the configuration looks like this:

router bgp 65001
  template peer SPINE
    remote-as 65001
    update-source loopback0
    address-family l2vpn evpn
      send-community
      send-community extended
  neighbor 10.255.1.101
    inherit peer SPINE
  neighbor 10.255.1.102
    inherit peer SPINE

On the Spine, let's check the peering with all Leaf switches:

Spine1# sh bgp l2vpn evpn summary
<.....>
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.255.1.11     4 65001       7       8        6    0    0 00:01:45 0
10.255.1.12     4 65001       7       7        6    0    0 00:01:16 0
10.255.1.21     4 65001       7       7        6    0    0 00:01:01 0

As you can see, there were no problems with BGP. Let's move on to setting up VxLAN. All further configuration will be done only on the Leaf switches. The Spine acts only as the core of the network and is involved only in transit of traffic. All encapsulation and path-determination work happens only on the Leaf switches.
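Before moving on, it is worth having a repeatable check that every expected Leaf really is peered with the route reflector, and that nothing unexpected is peered. The following Python snippet is an added example, not code from the article or from Cisco: it parses the `sh bgp l2vpn evpn summary` output shape shown above. The sample outputs are constructed here (the second one deliberately contains an Idle session and a stray neighbor), and the list of expected Leaf loopbacks and the AS number are taken from the addressing plan in this article.

```python
"""Verify l2vpn evpn peering on a Spine route reflector by parsing
'show bgp l2vpn evpn summary' (NX-OS output shape). Added example."""
import re

# Constructed sample: the healthy state shown in the article.
SAMPLE_OK = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.255.1.11     4 65001       7       8        6    0    0 00:01:45 0
10.255.1.12     4 65001       7       7        6    0    0 00:01:16 0
10.255.1.21     4 65001       7       7        6    0    0 00:01:01 0
"""

# Constructed sample: one Leaf stuck in Idle and a neighbor nobody planned for.
SAMPLE_BAD = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.255.1.11     4 65001       7       8        6    0    0 00:01:45 0
10.255.1.12     4 65001       7       7        6    0    0 00:01:16 0
10.255.1.21     4 65001       0       0        0    0    0 00:01:01 Idle
10.255.1.99     4 65001       7       7        6    0    0 00:00:30 0
"""

# Expected Leaf loopbacks and AS, from the article's addressing plan.
EXPECTED_LEAFS = {"10.255.1.11", "10.255.1.12", "10.255.1.21"}
EXPECTED_AS = 65001

# Columns: Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
NEIGHBOR_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)"
    r"(?:\s+\d+){5}\s+(?P<updown>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_summary(text):
    """Return {neighbor_ip: {"as": int, "state": str, "prefixes": int | None}}."""
    peers = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue  # header, banner or blank line
        state = m.group("state")
        # NX-OS prints the received-prefix count once the session is Established,
        # and the FSM state name (Idle, Active, Connect, ...) otherwise.
        established = state.isdigit()
        peers[m.group("ip")] = {
            "as": int(m.group("asn")),
            "state": "Established" if established else state,
            "prefixes": int(state) if established else None,
        }
    return peers


def check_peering(text, expected=EXPECTED_LEAFS, asn=EXPECTED_AS):
    """Return a list of problems; an empty list means every expected Leaf
    is Established in the right AS and no unplanned neighbor is present."""
    peers = parse_summary(text)
    problems = []
    for ip in sorted(expected):
        peer = peers.get(ip)
        if peer is None:
            problems.append(f"{ip}: no session configured")
        elif peer["as"] != asn:
            problems.append(f"{ip}: unexpected AS {peer['as']}")
        elif peer["state"] != "Established":
            problems.append(f"{ip}: session state {peer['state']}")
    for ip in sorted(set(peers) - set(expected)):
        problems.append(f"{ip}: unexpected neighbor")
    return problems


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_peering(sample) or "all Leafs peered")
```

The unexpected-neighbor check matters as much as the Established check: a VTEP that nobody planned for but that the reflector accepts would receive every type-2 route in the fabric.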

Setting up NVE

NVE - Network Virtual Interface

Before we start the configuration, let's introduce some terminology:

VTEP - Virtual Tunnel End Point, the device on which a VxLAN tunnel starts or ends. A VTEP is not necessarily a network device: a server that supports VxLAN technology can also act as one. In our topology, all Leaf switches are VTEPs.

VNI - Virtual Network Index - a network identifier within VxLAN. An analogy can be drawn with a VLAN. However, there is a difference. When a fabric is used, VLANs become unique only within a single Leaf device and are not carried across the network. But each VLAN can have an associated VNI number, and that is what is carried over the network. What this looks like and how it can be used will be discussed below.

Let's enable the VxLAN feature along with the ability to map VLAN numbers to VNI numbers:

feature nv overlay
feature vn-segment-vlan-based

Let's configure the NVE interface, which is responsible for VxLAN operation. This interface encapsulates frames in VxLAN headers. An analogy can be drawn with the Tunnel interface for GRE:

interface nve1
  no shutdown
  host-reachability protocol bgp ! use BGP to distribute host reachability information
  source-interface loopback0    ! interface from which we send packets: loopback0

On the Leaf-21 switch everything works without problems. However, if we check the output of the show nve peers command, it will be empty. Here we need to go back to the vPC configuration. We see that Leaf-11 and Leaf-12 work as a pair and are joined by a vPC domain. This gives us the following situation:

Host-2 sends a frame to Leaf-21 so that it is forwarded across the network to Host-1. However, Leaf-21 sees that the MAC address of Host-1 is reachable through two VTEPs at once. What should Leaf-21 do in this case? Moreover, this means a loop could appear in the network.

To resolve this situation, we need Leaf-11 and Leaf-12 to act as a single device within the fabric. The solution is very simple. On the Loopback interface from which we build the tunnel, add a secondary address. The secondary address must be the same on both VTEPs.

interface loopback0
 ip add 10.255.1.10/32 secondary

Thus, from the point of view of the other VTEPs, we get the following topology:

[Figure: VxLAN Fabric. Part 1]

That is, the tunnel will now be built between the IP address of Leaf-21 and the virtual IP shared by Leaf-11 and Leaf-12. There are no longer problems with learning a MAC address from two devices, and traffic can flow from one VTEP to the other. Which of the two VTEPs will handle the traffic is decided by the routing table on the Spine:

Spine1# sh ip route
<.....>
10.255.1.10/32, ubest/mbest: 2/0
    *via 10.255.1.11, Eth1/1, [110/41], 1d01h, ospf-UNDERLAY, intra
    *via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra
10.255.1.11/32, ubest/mbest: 1/0
    *via 10.255.1.11, Eth1/1, [110/41], 1d22h, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 1/0
    *via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra

As you can see above, the address 10.255.1.10 is reachable through two next-hops at once.
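The behaviour described above (the shared secondary address having an equal-cost path via each vPC member) is something a practitioner will want to re-check after every change to the pair, because a missing or unequal path means all overlay traffic for that pair silently collapses onto one member. The following Python snippet is an added example, not code from the article or from Cisco: it parses the `sh ip route` output shape shown above and reports what is wrong with the path set for the virtual VTEP address. Both samples are constructed; the addresses follow this article's plan (10.255.1.10 shared by Leaf-11 and Leaf-12).

```python
"""Confirm that a vPC pair's shared VTEP address is reachable through both
members with equal cost, by parsing NX-OS 'show ip route'. Added example."""
import re

# Constructed sample: the healthy state from the Spine1 output above.
SAMPLE_ROUTES_OK = """\
10.255.1.10/32, ubest/mbest: 2/0
    *via 10.255.1.11, Eth1/1, [110/41], 1d01h, ospf-UNDERLAY, intra
    *via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra
10.255.1.11/32, ubest/mbest: 1/0
    *via 10.255.1.11, Eth1/1, [110/41], 1d22h, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 1/0
    *via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra
"""

# Constructed sample: Leaf-12 no longer advertises the secondary address.
SAMPLE_ROUTES_DEGRADED = """\
10.255.1.10/32, ubest/mbest: 1/0
    *via 10.255.1.11, Eth1/1, [110/41], 1d01h, ospf-UNDERLAY, intra
10.255.1.11/32, ubest/mbest: 1/0
    *via 10.255.1.11, Eth1/1, [110/41], 1d22h, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 1/0
    *via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra
"""

PREFIX_RE = re.compile(
    r"^(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+), ubest/mbest: (?P<ubest>\d+)/(?P<mbest>\d+)"
)
VIA_RE = re.compile(
    r"^\s+\*?via (?P<nh>\d+\.\d+\.\d+\.\d+), (?P<intf>\S+), "
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\], \S+, (?P<proto>[^,]+), (?P<kind>\S+)"
)


def parse_routes(text):
    """Return {prefix: {"ubest": int, "paths": [{nh, intf, ad, metric, proto}]}}."""
    routes, current = {}, None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = routes.setdefault(
                m.group("prefix"), {"ubest": int(m.group("ubest")), "paths": []}
            )
            continue
        m = VIA_RE.match(line)
        if m and current is not None:
            current["paths"].append({
                "nh": m.group("nh"), "intf": m.group("intf"),
                "ad": int(m.group("ad")), "metric": int(m.group("metric")),
                "proto": m.group("proto"),
            })
    return routes


def check_anycast_vtep(text, vip, members):
    """Return problems for the shared VTEP address `vip`; [] means every vPC
    member is a next-hop and all paths are equal-cost (real ECMP)."""
    entry = parse_routes(text).get(f"{vip}/32")
    if entry is None:
        return [f"{vip}/32 missing from routing table"]
    problems = []
    next_hops = {p["nh"] for p in entry["paths"]}
    for member in sorted(members):
        if member not in next_hops:
            problems.append(f"{vip}: no path via vPC member {member}")
    metrics = {p["metric"] for p in entry["paths"]}
    if len(metrics) > 1:
        problems.append(f"{vip}: unequal metrics {sorted(metrics)}, no load sharing")
    if entry["ubest"] != len(members):
        problems.append(f"{vip}: ubest is {entry['ubest']}, expected {len(members)}")
    return problems


if __name__ == "__main__":
    pair = {"10.255.1.11", "10.255.1.12"}
    print(check_anycast_vtep(SAMPLE_ROUTES_OK, "10.255.1.10", pair) or "ECMP ok")
    print(check_anycast_vtep(SAMPLE_ROUTES_DEGRADED, "10.255.1.10", pair))
```

Run it against the output of `sh ip route` from each Spine, since a path set that is healthy on one Spine can still be broken on the other.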

At this stage we have dealt with basic connectivity. Let's move on to configuring the NVE interface. We enable Vlan 10 right away and associate it with VNI 10000 on each Leaf that serves the hosts, building an L2 tunnel between the hosts:

vlan 10                 ! Enable the VLAN on all VTEPs connected to the required hosts
  vn-segment 10000      ! Associate the VLAN with the VNI number

interface nve1
  member vni 10000      ! Add VNI 10000 to the NVE interface for encapsulation in VxLAN
    ingress-replication protocol bgp    ! specify that BGP is used to distribute host information

Now let's check the nve peers and the BGP EVPN table:

Leaf21# sh nve peers
Interface Peer-IP          State LearnType Uptime   Router-Mac
--------- ---------------  ----- --------- -------- -----------------
nve1      10.255.1.10      Up    CP        00:00:41 n/a                 ! We see that the peer is reachable via the secondary address

Leaf11# sh bgp l2vpn evpn

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)        ! Who exactly this L2VNI came from
*>l[3]:[0]:[32]:[10.255.1.10]/88                                   ! EVPN route-type 3 - shows our neighbor, which also knows about L2VNI 10000
                      10.255.1.10                       100      32768 i
*>i[3]:[0]:[32]:[10.255.1.20]/88
                      10.255.1.20                       100          0 i
* i                   10.255.1.20                       100          0 i

Route Distinguisher: 10.255.1.21:32777
* i[3]:[0]:[32]:[10.255.1.20]/88
                      10.255.1.20                       100          0 i
*>i                   10.255.1.20                       100          0 i

Above we only see EVPN route-type 3. This route type describes the peers (the Leafs), but where are our hosts?
The point is that information about host MAC addresses is carried by EVPN route-type 2.

To see our hosts, you need to configure EVPN route-type 2:

evpn
  vni 10000 l2
    route-target import auto   ! within this article we use an automatically generated route-target
    route-target export auto

Let's ping from Host-2 to Host-1:

Firewall2# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
36 bytes from 192.168.10.2: Destination Host Unreachable
Request 0 timed out
64 bytes from 192.168.10.1: icmp_seq=1 ttl=254 time=215.555 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=254 time=38.756 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=254 time=42.484 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=254 time=40.983 ms

And below we can see that route-type 2 entries carrying the hosts' MAC addresses have appeared in the BGP table - 5001.0007.0007 and 5001.0008.0007

Leaf11# sh bgp l2vpn evpn
<......>

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216                      ! evpn route-type 2 and the MAC address of Host-1
                      10.255.1.10                       100      32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216                      ! evpn route-type 2 and the MAC address of Host-2
* i                   10.255.1.20                       100          0 i
*>l[3]:[0]:[32]:[10.255.1.10]/88
                      10.255.1.10                       100      32768 i
Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.20                       100          0 i
*>i                   10.255.1.20                       100          0 i

After that, you can look at the details of the Update in which the information about the host MAC was received. Below is only part of the command output.

Leaf21# sh bgp l2vpn evpn 5001.0007.0007

BGP routing table information for VRF default, address family L2VPN EVPN
Route Distinguisher: 10.255.1.11:32777        ! who sent the Update with the host MAC: the Leaf's own address, not the virtual vPC address
BGP routing table entry for [2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216,
 version 1507
Paths: (2 available, best #2)
Flags: (0x000202) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not i
n HW

  Path type: internal, path is valid, not best reason: Neighbor Address, no labe
led nexthop
  AS-Path: NONE, path sourced internal to AS
    10.255.1.10 (metric 81) from 10.255.1.102 (10.255.1.102)    ! who exactly we build the VxLAN tunnel with
      Origin IGP, MED not set, localpref 100, weight 0
      Received label 10000         ! The VNI number associated with the VLAN the host is in
      Extcommunity: RT:65001:10000 SOO:10.255.1.10:0 ENCAP:8        ! Here you can see that the RT was generated automatically from the AS number and the VNI
      Originator: 10.255.1.11 Cluster list: 10.255.1.102
<........>

Let's see what the frames look like as they are carried through the fabric:

[Figure: VxLAN Fabric. Part 1]

Suppress-ARP

Great, now we have L2 communication between the hosts and we could stop here. However, not everything is so simple. As long as we have few hosts there will be no problems. But let's think about a situation where we have hundreds or thousands of hosts. What problem might we face?

That problem is BUM (Broadcast, Unknown Unicast, Multicast) traffic. In this article we will consider one option for dealing with broadcast traffic.
The biggest generator of broadcast in Ethernet networks is the hosts themselves, through the ARP protocol.

Nexus uses the following mechanism to limit ARP requests - suppress-arp.
This feature works as follows:

  1. Host-1 sends an ARP request to the broadcast address of its network.
  2. The request reaches the Leaf switch, and instead of forwarding it further through the fabric to Host-2, the Leaf answers it itself, supplying the requested IP and MAC.

Thus, the broadcast request never enters the fabric. But how can this work if the Leaf only knows the MAC address?

It is very simple: EVPN route-type 2 can carry not only a MAC address but a MAC/IP pair. To make that happen, you need to configure an IP address on the VLAN on the Leaf. The question arises: which IP should be set? On Nexus it is possible to configure a distributed (identical) address on all switches:

feature interface-vlan

fabric forwarding anycast-gateway-mac 0001.0001.0001    ! set the virtual MAC used to build a distributed gateway across all switches

interface Vlan10
  no shutdown
  ip address 192.168.10.254/24          ! set the same IP on all Leafs
  fabric forwarding mode anycast-gateway    ! tell the switch to use the virtual MAC

So, from the hosts' point of view, the network will look like this:

[Figure: VxLAN Fabric. Part 1]

Let's check the BGP l2vpn evpn table:

Leaf11# sh bgp l2vpn evpn
<......>

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216
                      10.255.1.21                       100      32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.10                       100          0 i
* i                   10.255.1.10                       100          0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
                      10.255.1.10                       100          0 i
*>i                   10.255.1.10                       100          0 i

<......>

Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.20                       100          0 i
*>i                   10.255.1.20                       100          0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
*>i                   10.255.1.20                       100          0 i

<......>

From the command output you can see that in EVPN route-type 2, in addition to the MAC, we now also see the host's IP address.
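The NLRI strings in these tables pack the fields that suppress-arp relies on: route-type 2 carries [ESI]:[Ethernet tag]:[MAC length]:[MAC]:[IP length]:[IP], and route-type 3 carries the originating VTEP address. The following Python snippet is an added example, not code from the article or from Cisco: it decodes both route types from the `sh bgp l2vpn evpn` output shape shown above and in the route-type 2 section, builds the IP-to-MAC bindings that a Leaf learns from the MAC/IP routes, and emulates the suppress-arp decision described in the numbered steps above (answer locally when the binding is known, otherwise the request has to be flooded as BUM traffic). The table excerpt is constructed; the MACs and addresses follow this article.

```python
"""Decode NX-OS EVPN NLRI (route types 2 and 3) from 'show bgp l2vpn evpn'
and emulate the suppress-arp decision a Leaf makes. Added example."""
import re

# Constructed excerpt in the shape of the output above (not live data).
SAMPLE_BGP = """\
   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216
                      10.255.1.10                       100      32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.20                       100          0 i
* i                   10.255.1.20                       100          0 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
                      10.255.1.20                       100          0 i
*>l[3]:[0]:[32]:[10.255.1.10]/88
                      10.255.1.10                       100      32768 i
"""

RD_RE = re.compile(r"^Route Distinguisher: (\S+)")
NLRI_RE = re.compile(r"\[(\d+)\](?::\[[^\]]*\])+/\d+")
NH_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\s")


def parse_nlri(nlri):
    """Split one NLRI string into its fields by route type."""
    body, _, plen = nlri.partition("/")
    f = body[1:-1].split("]:[")  # drop outer brackets, split on "]:["
    route = {"type": int(f[0]), "prefix_len": int(plen)}
    if route["type"] == 2:
        # [2]:[ESI]:[EthTag]:[MAC len]:[MAC]:[IP len]:[IP]; IP len 0 means MAC-only
        route.update(esi=f[1], eth_tag=int(f[2]), mac=f[4],
                     ip=f[6] if int(f[5]) else None)
    elif route["type"] == 3:
        # [3]:[EthTag]:[IP len]:[originating VTEP]
        route.update(eth_tag=int(f[1]), vtep=f[3])
    return route


def parse_table(text):
    """Return the routes in table order, each with its RD, next hop and best flag."""
    routes, rd, pending = [], None, None
    for line in text.splitlines():
        m = RD_RE.match(line)
        if m:
            rd = m.group(1)
            continue
        m = NLRI_RE.search(line)
        if m:
            pending = parse_nlri(m.group(0))
            pending.update(rd=rd, best=line.startswith("*>"), next_hop=None)
            routes.append(pending)
            continue
        m = NH_RE.match(line)  # next hop is printed on the following line
        if m and pending is not None and pending["next_hop"] is None:
            pending["next_hop"] = m.group(1)
    return routes


def mac_ip_bindings(routes):
    """IP -> MAC from best type-2 routes that carry an IP (what suppress-arp consults)."""
    return {r["ip"]: r["mac"] for r in routes
            if r["type"] == 2 and r["ip"] and r["best"]}


def handle_arp_request(bindings, target_ip):
    """Emulate suppress-arp on a Leaf: ('reply', mac) when the EVPN-learned
    binding exists, otherwise ('flood', None): the request goes out as BUM."""
    mac = bindings.get(target_ip)
    return ("reply", mac) if mac else ("flood", None)


if __name__ == "__main__":
    routes = parse_table(SAMPLE_BGP)
    for r in routes:
        print(r["type"], r.get("mac") or r.get("vtep"), r.get("ip"), r["next_hop"])
    bindings = mac_ip_bindings(routes)
    print(handle_arp_request(bindings, "192.168.10.20"))  # known via type-2 MAC/IP
    print(handle_arp_request(bindings, "192.168.10.10"))  # MAC-only route: must flood
```

Note that Host-1 (5001.0007.0007) is present only as a MAC-only route in this excerpt, so an ARP request for its IP is still flooded: suppress-arp can only answer for hosts whose MAC/IP route has actually been received, which is why the anycast gateway and the IP-carrying type-2 routes have to be in place before the feature reduces broadcast load.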

Let's get back to setting up suppress-arp. This setting is enabled per VNI, separately for each one:

interface nve1
  member vni 10000   
    suppress-arp

Now some problems arise:

  • For this feature to work, space in TCAM memory is required. Here is an example of the suppress-arp TCAM setting:

hardware access-list tcam region arp-ether 256

This setting requires double width. That is, if you set 256, you need to free up 512 in TCAM. TCAM configuration is beyond the scope of this article, since it depends entirely on the task you are given and can differ from one network to another.

  • Enabling suppress-arp must be done on all Leaf switches. However, complications can arise when configuring Leaf pairs that sit in a vPC domain. If TCAM is changed, consistency between the pair will break and one node may be taken out of service. In addition, the device may need to be rebooted for the TCAM change to take effect.

As a result, you need to consider carefully whether, in your situation, it is worth introducing this feature into a running fabric.

This concludes the first part of the series. In the next part we will look at how to route a VxLAN fabric and separate networks into different VRFs.

And now I invite everyone to a free webinar, where I will tell you about the course in detail. The first 20 participants to register for this webinar will receive a discount certificate by email within 1-2 days after the broadcast.

Source: www.habr.com
