VxLAN fabric. Part 2

Hello, Habr. I am currently the course director for the Network Engineer course at OTUS.
Ahead of the start of a new enrolment for the "Network Engineer" course, I have prepared a series of articles on VxLAN EVPN technology.

There is a great deal of material on how VxLAN EVPN works, so I want to collect various tasks and practices for solving problems in a modern data centre.


In the first part of the series on VxLAN EVPN, I want to look at how to set up L2 connectivity between hosts on top of a network fabric.

All examples will be done on Cisco Nexus 9000v switches assembled in a Spine-Leaf topology. We will not dwell on configuring the Underlay network in this article.

  1. Underlay network
  2. BGP peering for the l2vpn evpn address family
  3. NVE setup
  4. Suppress-arp

Underlay network

The topology used is as follows:

[Figure: Spine-Leaf topology used in this article]

Let's set up addressing on all devices:

Spine-1 - 10.255.1.101
Spine-2 - 10.255.1.102

Leaf-11 - 10.255.1.11
Leaf-12 - 10.255.1.12
Leaf-21 - 10.255.1.21

Host-1 - 192.168.10.10
Host-2 - 192.168.10.20

Let's verify that there is IP connectivity between all devices:

Leaf21# sh ip route
<........>
10.255.1.11/32, ubest/mbest: 2/0                      ! Leaf-11 is reachable via both Spines
    *via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
    *via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 2/0                      ! Leaf-12 is reachable via both Spines
    *via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
    *via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.21/32, ubest/mbest: 2/0, attached
    *via 10.255.1.22, Lo0, [0/0], 00:02:20, local
    *via 10.255.1.22, Lo0, [0/0], 00:02:20, direct
10.255.1.101/32, ubest/mbest: 1/0
    *via 10.255.1.101, Eth1/4, [110/41], 00:00:06, ospf-UNDERLAY, intra
10.255.1.102/32, ubest/mbest: 1/0
    *via 10.255.1.102, Eth1/3, [110/41], 00:00:03, ospf-UNDERLAY, intra

Let's check that the vPC domain has been created, that both switches have passed the consistency check, and that the settings on both nodes are identical:

Leaf11# show vpc 

vPC domain id                     : 1
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : primary
Number of vPCs configured         : 0
Peer Gateway                      : Disabled
Dual-active excluded VLANs        : -
Graceful Consistency Check        : Enabled
Auto-recovery status              : Disabled
Delay-restore status              : Timer is off.(timeout = 30s)
Delay-restore SVI status          : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router    : Disabled

vPC status
----------------------------------------------------------------------------
Id    Port          Status Consistency Reason                Active vlans
--    ------------  ------ ----------- ------                ---------------
5     Po5           up     success     success               1

BGP peering for the l2vpn evpn address family

Finally, we can move on to setting up the Overlay network.

Within this article we need to set up a network between the hosts, as shown in the diagram below:

[Figure: target L2 network between Host-1 and Host-2 across the fabric]

To configure the Overlay network, enable BGP on the Spine and Leaf switches with support for the l2vpn evpn address family:

feature bgp
nv overlay evpn

Next we need to configure BGP peering between the Leaf and Spine switches. To simplify the configuration and the distribution of routing information, we configure the Spine as a Route-Reflector. We will write the whole Leaf configuration using templates to keep it compact.

So the settings on the Spine look like this:

router bgp 65001
  template peer LEAF 
    remote-as 65001
    update-source loopback0
    address-family l2vpn evpn
      send-community
      send-community extended
      route-reflector-client
  neighbor 10.255.1.11
    inherit peer LEAF
  neighbor 10.255.1.12
    inherit peer LEAF
  neighbor 10.255.1.21
    inherit peer LEAF

The configuration on a Leaf switch looks like this:

router bgp 65001
  template peer SPINE
    remote-as 65001
    update-source loopback0
    address-family l2vpn evpn
      send-community
      send-community extended
  neighbor 10.255.1.101
    inherit peer SPINE
  neighbor 10.255.1.102
    inherit peer SPINE

On the Spine, let's check peering with all Leaf switches:

Spine1# sh bgp l2vpn evpn summary
<.....>
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.255.1.11     4 65001       7       8        6    0    0 00:01:45 0
10.255.1.12     4 65001       7       7        6    0    0 00:01:16 0
10.255.1.21     4 65001       7       7        6    0    0 00:01:01 0

As you can see, there are no problems with BGP. Let's move on to the VxLAN configuration. All further configuration is done only on the Leaf switches. The Spine acts only as the core of the network and takes part only in forwarding traffic. All encapsulation and path-selection work happens only on the Leaf switches.

NVE setup

NVE - Network Virtual Interface

Before starting the configuration, let's introduce some terminology:

VTEP - Virtual Tunnel End Point, the device on which a VxLAN tunnel starts or ends. A VTEP is not necessarily a network device; a server that supports VxLAN can also act as one. In our topology, all Leaf switches are VTEPs.

VNI - Virtual Network Index - the network identifier within VxLAN. An analogy can be drawn with a VLAN, but there are differences. In a fabric, VLANs are unique only within a single Leaf switch and are not propagated across the network. Each VLAN, however, can have a VNI number associated with it, and it is the VNI that is propagated across the network. What this looks like and how it can be used is discussed below.

Let's enable the feature that makes VxLAN work and the ability to associate VLAN numbers with VNI numbers:

feature nv overlay
feature vn-segment-vlan-based

Let's configure the NVE interface, which is responsible for VxLAN operation. This interface encapsulates frames in VxLAN headers; you can draw an analogy with a Tunnel interface for GRE:

interface nve1
  no shutdown
  host-reachability protocol bgp ! use BGP to distribute reachability information
  source-interface loopback0    ! send encapsulated packets from loopback0

On the Leaf-21 switch everything comes up without problems. However, if we check the output of show nve peers, it is empty. Here we need to go back to the vPC configuration. We saw that Leaf-11 and Leaf-12 operate as a pair and are joined in one vPC domain. This gives us the following situation:

Host-2 sends a frame to Leaf-21 to be forwarded across the network to Host-1. However, Leaf-21 sees that Host-1's MAC address is reachable through two VTEPs at once. What should Leaf-21 do in this case? After all, this means a loop could appear in the network.

To resolve this, we need Leaf-11 and Leaf-12 to act as a single device within the fabric as well. The solution is quite simple: on the Loopback interface from which the tunnel is built, add a second address. The secondary address must be the same on both VTEPs.

interface loopback0
 ip address 10.255.1.10/32 secondary

So, from the point of view of the other VTEPs, we get the following topology:

[Figure: Leaf-11 and Leaf-12 seen by the other VTEPs as one VTEP with address 10.255.1.10]

That is, the tunnel is now built between Leaf-21's IP address and the virtual IP shared by Leaf-11 and Leaf-12. There is no longer any problem with learning the MAC address from two devices, and traffic can flow from one VTEP to the other. Which of the two VTEPs processes the traffic is decided by the routing table on the Spine:

Spine1# sh ip route
<.....>
10.255.1.10/32, ubest/mbest: 2/0
    *via 10.255.1.11, Eth1/1, [110/41], 1d01h, ospf-UNDERLAY, intra
    *via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra
10.255.1.11/32, ubest/mbest: 1/0
    *via 10.255.1.11, Eth1/1, [110/41], 1d22h, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 1/0
    *via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra

As you can see above, address 10.255.1.10 is reachable via two next-hops at once.

At this stage we are done with basic connectivity. Let's move on to configuring the NVE interface. We enable VLAN 10 right away and associate it with VNI 10000 on each Leaf that serves the hosts, which gives us an L2 tunnel between the hosts:

vlan 10                 ! enable the VLAN on every VTEP that has the required hosts attached
  vn-segment 10000      ! associate the VLAN with a VNI number

interface nve1
  member vni 10000      ! add VNI 10000 to the NVE interface for VxLAN encapsulation
    ingress-replication protocol bgp    ! use BGP to distribute host reachability information

Now let's check the nve peers and the BGP EVPN table:

Leaf21# sh nve peers
Interface Peer-IP          State LearnType Uptime   Router-Mac
--------- ---------------  ----- --------- -------- -----------------
nve1      10.255.1.10      Up    CP        00:00:41 n/a                 ! the peer is seen via the secondary address

Leaf11# sh bgp l2vpn evpn

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)        ! which VTEP this L2VNI came from
*>l[3]:[0]:[32]:[10.255.1.10]/88                                   ! EVPN route-type 3: shows our neighbour, which also knows about L2VNI 10000
                      10.255.1.10                       100      32768 i
*>i[3]:[0]:[32]:[10.255.1.20]/88
                      10.255.1.20                       100          0 i
* i                   10.255.1.20                       100          0 i

Route Distinguisher: 10.255.1.21:32777
* i[3]:[0]:[32]:[10.255.1.20]/88
                      10.255.1.20                       100          0 i
*>i                   10.255.1.20                       100          0 i

Above we see only EVPN route-type 3 routes. This route type tells us about a peer (a Leaf), but where are our hosts?
The point is that host MAC information is carried in EVPN route-type 2.

To see our hosts, we need to configure EVPN route-type 2:

evpn
  vni 10000 l2
    route-target import auto   ! within this article we use automatically derived route-target values
    route-target export auto

Let's ping from Host-2 to Host-1:

Firewall2# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
36 bytes from 192.168.10.2: Destination Host Unreachable
Request 0 timed out
64 bytes from 192.168.10.1: icmp_seq=1 ttl=254 time=215.555 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=254 time=38.756 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=254 time=42.484 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=254 time=40.983 ms

And below we can see that route-type 2 routes with the host MAC addresses, 5001.0007.0007 and 5001.0008.0007, have appeared in the BGP table:

Leaf11# sh bgp l2vpn evpn
<......>

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216                      ! EVPN route-type 2 with the MAC address of Host-1
                      10.255.1.10                       100      32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216                      ! EVPN route-type 2 with the MAC address of Host-2
* i                   10.255.1.20                       100          0 i
*>l[3]:[0]:[32]:[10.255.1.10]/88
                      10.255.1.10                       100      32768 i
Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.20                       100          0 i
*>i                   10.255.1.20                       100          0 i

Next, you can look at the details of the Update in which the host MAC information was received. Below is only part of the command output.

Leaf21# sh bgp l2vpn evpn 5001.0007.0007

BGP routing table information for VRF default, address family L2VPN EVPN
Route Distinguisher: 10.255.1.11:32777        ! who sent the Update with the host MAC: the Leaf's own address, not the virtual vPC address
BGP routing table entry for [2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216,
 version 1507
Paths: (2 available, best #2)
Flags: (0x000202) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not in HW

  Path type: internal, path is valid, not best reason: Neighbor Address, no labeled nexthop
  AS-Path: NONE, path sourced internal to AS
    10.255.1.10 (metric 81) from 10.255.1.102 (10.255.1.102)    ! the VTEP the VxLAN tunnel is built to
      Origin IGP, MED not set, localpref 100, weight 0
      Received label 10000         ! the VNI associated with the VLAN the host sits in
      Extcommunity: RT:65001:10000 SOO:10.255.1.10:0 ENCAP:8        ! the RT was derived automatically from the AS number and the VNI
      Originator: 10.255.1.11 Cluster list: 10.255.1.102
<........>

Let's see what the frames look like as they pass through the fabric:

[Figure: a Host-2 to Host-1 frame encapsulated in VxLAN between Leaf-21 and the Leaf-11/Leaf-12 VTEP]
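Since the diagram is not reproduced here, the following Python is an added example (not from the original article) of what the encapsulation looks like on the wire: it wraps a Host-2 to Host-1 frame in IPv4/UDP/VxLAN headers from Leaf-21 (10.255.1.21) to the Leaf-11/Leaf-12 anycast VTEP (10.255.1.10) in VNI 10000, then decapsulates it, rejecting packets that are not on UDP 4789 or lack the VNI-valid flag. The fixed UDP source port and the payload are assumptions; a real VTEP derives the source port from a hash of the inner frame so the Spine can spread flows across its two equal-cost paths.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VxLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid


def mac_bytes(mac):
    """Cisco dotted ('5001.0007.0007') or colon form to 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def ipv4_checksum(hdr):
    """One's-complement sum of 16-bit words; a valid header sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_encap(inner_frame, vni, src_vtep, dst_vtep, src_port=49152):
    """Wrap an Ethernet frame in IPv4 + UDP + VxLAN for the given VNI.
    A real VTEP hashes the inner frame into src_port so the Spine's two
    equal-cost paths share the load; the fixed value here is an assumption."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)     # VNI in the top 24 bits
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum optional
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_vtep), socket.inet_aton(dst_vtep))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + vxlan + inner_frame


def vxlan_decap(packet):
    """Return (src_vtep, dst_vtep, vni, inner_frame); raise ValueError if malformed."""
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src_vtep, dst_vtep = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    _, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VxLAN")
    flags, vni_field = struct.unpack("!B3xI", packet[ihl + 8:ihl + 16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VxLAN I flag not set, VNI is not valid")
    return src_vtep, dst_vtep, vni_field >> 8, packet[ihl + 16:ihl + udp_len]


def example():
    """Host-2 -> Host-1 frame carried from Leaf-21 to the Leaf-11/12 anycast VTEP in VNI 10000."""
    inner = (mac_bytes("5001.0007.0007") + mac_bytes("5001.0008.0007")
             + b"\x08\x00" + b"constructed payload")
    return vxlan_decap(vxlan_encap(inner, 10000, "10.255.1.21", "10.255.1.10"))
```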

Suppress-ARP

Great, we have L2 communication between the hosts and could stop here. However, it is not all that simple. As long as we have few hosts there will be no problems. But let's imagine a situation where we have hundreds or thousands of hosts. What problem might we run into?

That problem is BUM traffic (Broadcast, Unknown Unicast, Multicast). In this article we will look at one way of dealing with broadcast traffic.
The main source of broadcast in Ethernet networks is the hosts themselves, through the ARP protocol.

Nexus implements the following mechanism to deal with ARP requests: suppress-arp.
The feature works as follows:

  1. Host-1 sends an ARP request to the broadcast address of its network.
  2. The request reaches the Leaf switch, and instead of forwarding it into the fabric toward Host-2, the Leaf answers it itself, supplying the required IP and MAC.

Thus, the broadcast request does not enter the fabric. But how can this work if the Leaf only knows the MAC address?

It is quite simple: EVPN route-type 2 can carry not only a MAC address but a MAC/IP combination. For that to happen, an IP address must be configured in the VLAN on the Leaf. The question is, which IP should be set? On Nexus it is possible to create a distributed (identical) address on all switches:

feature interface-vlan

fabric forwarding anycast-gateway-mac 0001.0001.0001    ! set the virtual MAC for the distributed gateway shared by all switches

interface Vlan10
  no shutdown
  ip address 192.168.10.254/24          ! the same IP on every Leaf
  fabric forwarding mode anycast-gateway    ! use the virtual MAC

So, from the hosts' point of view, the network looks like this:

[Figure: hosts see one anycast gateway 192.168.10.254 on every Leaf]

Let's check the BGP l2vpn evpn table:

Leaf11# sh bgp l2vpn evpn
<......>

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216
                      10.255.1.21                       100      32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.10                       100          0 i
* i                   10.255.1.10                       100          0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
                      10.255.1.10                       100          0 i
*>i                   10.255.1.10                       100          0 i

<......>

Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.20                       100          0 i
*>i                   10.255.1.20                       100          0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
*>i                   10.255.1.20                       100          0 i

<......>

From the command output you can see that in EVPN route-type 2, in addition to the MAC, we now also see the host's IP address.
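As an added example (not from the original article), the Python below parses "sh bgp l2vpn evpn" output such as the listing above and reports which host MACs carry a MAC/IP binding in their type-2 routes: a MAC advertised only as [0]:[0.0.0.0] gives the Leaf no IP to answer ARP for, so an ARP request for that host still has to be flooded even once suppress-arp is enabled. The sample text is constructed from the listings on this page.

```python
import re

# Constructed sample: route lines copied from the Leaf11 "sh bgp l2vpn evpn" listings above.
SAMPLE = """\
Route Distinguisher: 10.255.1.11:32777    (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216
                      10.255.1.10                       100      32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
                      10.255.1.20                       100          0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
                      10.255.1.20                       100          0 i
*>i[3]:[0]:[32]:[10.255.1.20]/88
                      10.255.1.20                       100          0 i
"""

RD_RE = re.compile(r"^Route Distinguisher:\s+(\S+)")
NLRI_RE = re.compile(r"(\[\d\](?::\[[^\]]*\])+)/(\d+)")   # e.g. [2]:[0]:...:[0.0.0.0]/216


def parse_evpn_table(text):
    """One dict per NLRI line: rd, rtype, plen, best, mac, ip (None where absent)."""
    routes, rd = [], None
    for line in text.splitlines():
        m = RD_RE.match(line)
        if m:
            rd = m.group(1)          # applies to every route until the next RD header
            continue
        m = NLRI_RE.search(line)
        if not m:
            continue                 # next-hop continuation lines carry no NLRI
        fields = re.findall(r"\[([^\]]*)\]", m.group(1))
        rtype = int(fields[0])
        route = {"rd": rd, "rtype": rtype, "plen": int(m.group(2)),
                 "best": ">" in line[:m.start()], "mac": None, "ip": None}
        if rtype == 2:               # [2]:[ESI]:[EthTag]:[MACLen]:[MAC]:[IPLen]:[IP]
            route["mac"], route["ip"] = fields[4], fields[6]
        elif rtype == 3:             # [3]:[EthTag]:[IPLen]:[OriginatorVTEP]
            route["ip"] = fields[3]
        routes.append(route)
    return routes


def host_bindings(text):
    """Map host MAC -> set of IPs advertised with it; an empty set means MAC-only."""
    bindings = {}
    for r in parse_evpn_table(text):
        if r["rtype"] != 2:
            continue
        ips = bindings.setdefault(r["mac"], set())
        if r["ip"] != "0.0.0.0":     # IPLen 0 is displayed as [0]:[0.0.0.0]
            ips.add(r["ip"])
    return bindings


def arp_suppressible(text):
    """MACs the Leaf holds a MAC/IP binding for, i.e. hosts it can answer ARP for locally."""
    return {mac for mac, ips in host_bindings(text).items() if ips}
```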

Let's return to the suppress-arp setting. It is configured per VNI:

interface nve1
  member vni 10000   
    suppress-arp

Then some complications arise:

  • For this feature to work, space in TCAM memory is needed. Here is an example of the settings for suppress-arp:

hardware access-list tcam region arp-ether 256

This setting requires double the space: if you set 256, you need to free 512 in the TCAM. TCAM carving is beyond the scope of this article, since it depends entirely on the task in front of you and may differ from one network to another.

  • Suppress-arp must be implemented on all Leaf switches. However, a complication may arise when reconfiguring a Leaf pair living in a vPC domain. If the TCAM carving is changed, consistency between the pair is broken and one node may drop out of service. In addition, a device reboot may be required to apply the TCAM change.

As a result, you need to think carefully about whether, in your situation, it is worth introducing this setting into a running fabric.

This concludes the first part of the series. In the next part we will look at routing through a VxLAN fabric with the separation of networks into different VRFs.

And now I invite everyone to a free webinar, in which I will tell you in detail about the course. The first 20 participants to register for this webinar will receive a discount certificate by email within 1-2 days after the broadcast.

Source: www.habr.com
