Sawubona, habr. Njengamanje ngingumholi wesifundo se-Network Engineer e-OTUS.
Ngokulindele ukuqala kokubhaliswa okusha kwalesi sifundo , Ngilungiselele uchungechunge lwezihloko nge-VxLAN EVPN ubuchwepheshe.
Kukhona inani elikhulu lempahla yokuthi i-VxLAN EVPN isebenza kanjani, ngakho-ke ngifuna ukuqoqa imisebenzi ehlukahlukene kanye nemikhuba yokuxazulula izinkinga esikhungweni sedatha yesimanje.
Engxenyeni yokuqala yochungechunge kubuchwepheshe be-VxLAN EVPN, ngifuna ukubheka indlela yokuhlela ukuxhumana kwe-L2 phakathi kwababungazi phezu kwendwangu yenethiwekhi.
Zonke izibonelo zizokwenziwa ku-Cisco Nexus 9000v, ehlanganiswe ku-Spine-Leaf topology. Ngeke sihlale ekusetheni inethiwekhi ye-Underlay kulesi sihloko.
- Inethiwekhi engaphansi
- I-BGP ibheka ikheli-umndeni we-l2vpn evpn
- Isetha i-NVE
- Cindezela-arp
Inethiwekhi engaphansi
I-topology esetshenzisiwe imi kanje:
Masisethe amakheli kuwo wonke amadivayisi:
Spine-1 - 10.255.1.101
Spine-2 - 10.255.1.102
Leaf-11 - 10.255.1.11
Leaf-12 - 10.255.1.12
Leaf-21 - 10.255.1.21
Host-1 - 192.168.10.10
Host-2 - 192.168.10.20Ake sihlole ukuthi kukhona ukuxhumana kwe-IP phakathi kwawo wonke amadivayisi:
Leaf21# sh ip route
<........>
10.255.1.11/32, ubest/mbest: 2/0 ! Leaf-11 доступен чеерз два Spine
*via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
*via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 2/0 ! Leaf-12 доступен чеерз два Spine
*via 10.255.1.101, Eth1/4, [110/81], 00:00:03, ospf-UNDERLAY, intra
*via 10.255.1.102, Eth1/3, [110/81], 00:00:03, ospf-UNDERLAY, intra
10.255.1.21/32, ubest/mbest: 2/0, attached
*via 10.255.1.22, Lo0, [0/0], 00:02:20, local
*via 10.255.1.22, Lo0, [0/0], 00:02:20, direct
10.255.1.101/32, ubest/mbest: 1/0
*via 10.255.1.101, Eth1/4, [110/41], 00:00:06, ospf-UNDERLAY, intra
10.255.1.102/32, ubest/mbest: 1/0
*via 10.255.1.102, Eth1/3, [110/41], 00:00:03, ospf-UNDERLAY, intraAke sihlole ukuthi ingabe isizinda se-VPC senziwe futhi kokubili ukushintsha kudlule ukuhlola ukungaguquguquki futhi izilungiselelo kuwo womabili ama-node ziyefana:
Leaf11# show vpc
vPC domain id : 1
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 0
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
Delay-restore status : Timer is off.(timeout = 30s)
Delay-restore SVI status : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router : Disabled
vPC status
----------------------------------------------------------------------------
Id Port Status Consistency Reason Active vlans
-- ------------ ------ ----------- ------ ---------------
5 Po5 up success success 1BGP ukubuka
Ekugcineni, ungadlulela ekusetheni inethiwekhi ye-Overlay.
Njengengxenye ye-athikili, kuyadingeka ukuhlela inethiwekhi phakathi kwabasingathi, njengoba kukhonjisiwe kumdwebo ongezansi:
Ukuze ulungiselele inethiwekhi ye-Overlay, udinga ukunika amandla i-BGP ekushintsheni komgogodla kanye neLeaf ngosekelo lomndeni we-l2vpn evpn:
feature bgp
nv overlay evpnOkulandelayo, udinga ukulungisa ukubuka kwe-BGP phakathi kweLeaf ne-Spine. Ukwenza lula ukusetha nokuthuthukisa ukusatshalaliswa kolwazi lomzila, silungiselela i-Spine njengeseva ye-Route-Reflector. Sizobhala wonke Iqabunga ekucushweni sisebenzisa izifanekiso ukuze silungiselele ukusetha.
Ngakho-ke izilungiselelo ku-Spine zibukeka kanjena:
router bgp 65001
template peer LEAF
remote-as 65001
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
route-reflector-client
neighbor 10.255.1.11
inherit peer LEAF
neighbor 10.255.1.12
inherit peer LEAF
neighbor 10.255.1.21
inherit peer LEAFUkusetha ku-Leaf switch kubukeka kufana:
router bgp 65001
template peer SPINE
remote-as 65001
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
neighbor 10.255.1.101
inherit peer SPINE
neighbor 10.255.1.102
inherit peer SPINEKu-Spine, ake sihlole ukubuka ngawo wonke ama-Leaf switch:
Spine1# sh bgp l2vpn evpn summary
<.....>
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.255.1.11 4 65001 7 8 6 0 0 00:01:45 0
10.255.1.12 4 65001 7 7 6 0 0 00:01:16 0
10.255.1.21 4 65001 7 7 6 0 0 00:01:01 0Njengoba ubona, azikho izinkinga nge-BGP. Masiqhubekele ekusetheni i-VxLAN. Ukucushwa okwengeziwe kuzokwenziwa kuphela ohlangothini Lweqabunga lamaswishi. Umgogodla usebenza kuphela njengomnyombo wenethiwekhi futhi uhileleke kuphela ekudluliseni ithrafikhi. Wonke umsebenzi we-encapsulation kanye nokunqunywa kwendlela kwenzeka kuphela ekushintsheni kweLeaf.
Isetha i-NVE
I-NVE - isixhumi esibonakalayo senethiwekhi
Ngaphambi kokuqala ukusetha, ake sethule amagama athile:
I-VTEP - I-Vitual Tunnel End Point, idivayisi lapho umhubhe we-VxLAN uqala noma uphela khona. I-VTEP akuyona neze idivayisi yenethiwekhi. Iseva esekela ubuchwepheshe be-VxLAN nayo ingasebenza njengeseva. Ku-topology yethu, zonke izinguquko zeLeaf ziyi-VTEP.
I-VNI - I-Virtual Network Index - isihlonzi senethiwekhi ngaphakathi kwe-VxLAN. Isifaniso singadwetshwa nge-VLAN. Nokho, kukhona umehluko. Uma usebenzisa indwangu, ama-VLAN ahluka kuphela ngaphakathi kweswishi yeLeaf eyodwa futhi awadluliswa kunethiwekhi yonkana. Kodwa i-VLAN ngayinye ingaba nenombolo ye-VNI ehlotshaniswa nayo, esivele idluliselwe kunethiwekhi. Ukuthi ibukeka kanjani nokuthi ingasetshenziswa kanjani kuzoxoxwa ngayo ngokuqhubekayo.
Ake sivumele isici sobuchwepheshe be-VxLAN ukuthi sisebenze kanye nekhono lokuhlobanisa izinombolo ze-VLAN nenombolo ye-VNI:
feature nv overlay
feature vn-segment-vlan-basedAke silungiselele i-interface ye-NVE, enesibopho sokusebenza kwe-VxLAN. Lesi sikhombimsebenzisi sinesibopho sokuhlanganisa amafreyimu kumaheda e-VxLAN. Ungadweba isifaniso ne-Tunnel interface ye-GRE:
interface nve1
no shutdown
host-reachability protocol bgp ! используем BGP для передачи маршрутной информации
source-interface loopback0 ! интерфейс с которого отправляем пакеты loopback0Ku-Leaf-21 switch yonke into idalwe ngaphandle kwezinkinga. Nokho, uma sibheka okukhipha umyalo show nve peers, khona-ke izobe ingenalutho. Lapha udinga ukubuyela ekucushweni kwe-VPC. Siyabona ukuthi iLeaf-11 kanye neLeaf-12 basebenza ngababili futhi bahlanganiswe yisizinda se-VPC. Lokhu kusinika isimo esilandelayo:
I-Host-2 ithumela uhlaka olulodwa ngaseLeaf-21 ukuze iludlulisele kunethiwekhi lubhekise ku-Host-1. Nokho, iLeaf-21 ibona ukuthi ikheli le-MAC le-Host-1 lifinyeleleka ngama-VTEP amabili ngesikhathi esisodwa. Yini okufanele yenziwe iLeaf-21 kulesi simo? Phela, lokhu kusho ukuthi iluphu ingavela kunethiwekhi.
Ukuze sixazulule lesi simo, sidinga iLeaf-11 neLeaf-12 ukuze nazo zisebenze njengedivayisi eyodwa ngaphakathi kwefekthri. Isixazululo silula. Ku-Loopback interface esakha kuyo umhubhe, engeza ikheli lesibili. Ikheli Lesibili kufanele lifane kuwo womabili ama-VTEP.
interface loopback0
ip add 10.255.1.10/32 secondaryNgakho-ke, ngokombono wamanye ama-VTEP, sithola i-topology elandelayo:
Okusho ukuthi, manje umhubhe uzokwakhiwa phakathi kwekheli le-IP leLeaf-21 kanye ne-IP ebonakalayo phakathi kwamaLeaf-11 amabili kanye neLeaf-12. Manje ngeke kube nezinkinga zokufunda ikheli le-MAC kusuka kumadivayisi amabili futhi ithrafikhi ingasuka ku-VTEP eyodwa iye kwenye. Iyiphi kulawa ma-VTEP amabili azocubungula ithrafikhi inqunywa kusetshenziswa ithebula lomzila ku-Spine:
Spine1# sh ip route
<.....>
10.255.1.10/32, ubest/mbest: 2/0
*via 10.255.1.11, Eth1/1, [110/41], 1d01h, ospf-UNDERLAY, intra
*via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intra
10.255.1.11/32, ubest/mbest: 1/0
*via 10.255.1.11, Eth1/1, [110/41], 1d22h, ospf-UNDERLAY, intra
10.255.1.12/32, ubest/mbest: 1/0
*via 10.255.1.12, Eth1/2, [110/41], 1d01h, ospf-UNDERLAY, intraNjengoba ubona ngenhla, ikheli 10.255.1.10 litholakala ngokushesha ngama-Next-hops amabili.
Kulesi sigaba, sibhekane nokuxhumana okuyisisekelo. Masiqhubekele phambili ekusetheni isixhumi esibonakalayo se-NVE:
Masivumele ngokushesha i-Vlan 10 futhi siyihlanganise ne-VNI 10000 eqabungeni ngalinye labasingathi. Masimise umhubhe we-L2 phakathi kwabasingathi
vlan 10 ! Включаем VLAN на всех VTEP подключенных к необходимым хостам
vn-segment 10000 ! Ассоциируем VLAN с номер VNI
interface nve1
member vni 10000 ! Добавляем VNI 10000 для работы через интерфейс NVE. для инкапсуляции в VxLAN
ingress-replication protocol bgp ! указываем, что для распространения информации о хосте используем BGPManje ake sihlole ontanga kanye netafula le-BGP EVPN:
Leaf21# sh nve peers
Interface Peer-IP State LearnType Uptime Router-Mac
--------- --------------- ----- --------- -------- -----------------
nve1 10.255.1.10 Up CP 00:00:41 n/a ! Видим что peer доступен с secondary адреса
Leaf11# sh bgp l2vpn evpn
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10.255.1.11:32777 (L2VNI 10000) ! От кого именно пришел этот l2VNI
*>l[3]:[0]:[32]:[10.255.1.10]/88 ! EVPN route-type 3 - показывает нашего соседа, который так же знает об l2VNI10000
10.255.1.10 100 32768 i
*>i[3]:[0]:[32]:[10.255.1.20]/88
10.255.1.20 100 0 i
* i 10.255.1.20 100 0 i
Route Distinguisher: 10.255.1.21:32777
* i[3]:[0]:[32]:[10.255.1.20]/88
10.255.1.20 100 0 i
*>i 10.255.1.20 100 0 iNgenhla sibona imizila engu-3 yohlobo lwe-EVPN kuphela. Lolu hlobo lomzila lukhuluma ngontanga(Leaf), kodwa baphi ababungazi bethu?
Into ukuthi imininingwane mayelana nabasingathi be-MAC idluliselwa nge-EVPN yohlobo 2 lomzila
Ukuze ubone abasingathi bethu, udinga ukulungisa uhlobo 2 lwe-EVPN:
evpn
vni 10000 l2
route-target import auto ! в рамках данной статьи используем автоматический номер для route-target
route-target export autoMasikhala sisuka ku-Host-2 siye ku-Host-1:
Firewall2# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
36 bytes from 192.168.10.2: Destination Host Unreachable
Request 0 timed out
64 bytes from 192.168.10.1: icmp_seq=1 ttl=254 time=215.555 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=254 time=38.756 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=254 time=42.484 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=254 time=40.983 msFuthi ngezansi singabona ukuthi uhlobo 2 lomzila onekheli le-MAC lokusingatha livele kuthebula le-BGP - 5001.0007.0007 kanye no-5001.0008.0007
Leaf11# sh bgp l2vpn evpn
<......>
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10.255.1.11:32777 (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216 ! evpn route-type 2 и mac адрес хоста 1
10.255.1.10 100 32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216 ! evpn route-type 2 и mac адрес хоста 2
* i 10.255.1.20 100 0 i
*>l[3]:[0]:[32]:[10.255.1.10]/88
10.255.1.10 100 32768 i
Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
10.255.1.20 100 0 i
*>i 10.255.1.20 100 0 iOkulandelayo, ungabona imininingwane enemininingwane ku-Update, lapho uthole khona ulwazi mayelana ne-MAC Host. Ngezansi akukhona konke ukuphuma komyalo.
Leaf21# sh bgp l2vpn evpn 5001.0007.0007
BGP routing table information for VRF default, address family L2VPN EVPN
Route Distinguisher: 10.255.1.11:32777 ! отправил Update с MAC Host. Не виртуальный адрес VPC, а адрес Leaf
BGP routing table entry for [2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216,
version 1507
Paths: (2 available, best #2)
Flags: (0x000202) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not i
n HW
Path type: internal, path is valid, not best reason: Neighbor Address, no labe
led nexthop
AS-Path: NONE, path sourced internal to AS
10.255.1.10 (metric 81) from 10.255.1.102 (10.255.1.102) ! с кем именно строим VxLAN тоннель
Origin IGP, MED not set, localpref 100, weight 0
Received label 10000 ! Номер VNI, который ассоциирован с VLAN, в котором находится Host
Extcommunity: RT:65001:10000 SOO:10.255.1.10:0 ENCAP:8 ! Тут видно, что RT сформировался автоматически на основе номеров AS и VNI
Originator: 10.255.1.11 Cluster list: 10.255.1.102
<........>Ake sibone ukuthi amafreyimu abukeka kanjani uma edlula efekthri:
Cindezela-ARP
Kuhle, manje sesinokuxhumana kwe-L2 phakathi kwababungazi futhi singaqeda lapho. Nokho, akuwona wonke elula kangaka. Inqobo nje uma sinabasingathi abambalwa ngeke kube nezinkinga. Kodwa ake sicabange ngesimo lapho sinamakhulu nezinkulungwane zababungazi. Iyiphi inkinga esingase sibhekane nayo?
Le nkinga yithrafikhi ye-BUM(Broadcast, Unknown Unicast, Multicast). Kulesi sihloko, sizocubungula inketho yokubhekana nethrafikhi yokusakaza.
Ijeneretha eyinhloko yokusakaza kumanethiwekhi e-Ethernet abasingathi ngokwabo ngephrothokholi ye-ARP.
I-Nexus isebenzisa indlela elandelayo yokulwa nezicelo ze-ARP - cindezela-arp.
Lesi sici sisebenza kanje:
- I-Host-1 ithumela isicelo se-APR ekhelini Lokusakaza lenethiwekhi yayo.
- Isicelo sifinyelela ekushintsheni kweLeaf futhi esikhundleni sokudlulisa lesi sicelo endwangu ebheke ku-Host-2, uLeaf uyaziphendula futhi ubonisa i-IP ne-MAC edingekayo.
Ngakho, isicelo Sokusakaza asizange siye efekthri. Kodwa lokhu kungasebenza kanjani uma uLeaf azi kuphela ikheli le-MAC?
Yonke into ilula, uhlobo 2 lwe-EVPN, ngaphezu kwekheli le-MAC, lungadlulisela inhlanganisela ye-MAC/IP. Ukuze wenze lokhu, udinga ukumisa ikheli le-IP ku-VLAN kuLeaf. Umbuzo uphakama, iyiphi i-IP okufanele ngiyibeke? Ku-nexus kungenzeka ukudala ikheli elisabalalisiwe (elifanayo) kuwo wonke amaswishi:
feature interface-vlan
fabric forwarding anycast-gateway-mac 0001.0001.0001 ! задаем virtual mac для создания распределенного шлюза между всеми коммутаторами
interface Vlan10
no shutdown
ip address 192.168.10.254/24 ! на всех Leaf задаем одинаковый IP
fabric forwarding mode anycast-gateway ! говорим использовать Virtual macNgakho, ngokombono wababungazi, inethiwekhi izobukeka kanje:
Ake sihlole i-BGP l2route evpn
Leaf11# sh bgp l2vpn evpn
<......>
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 10.255.1.11:32777 (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[5001.0007.0007]:[0]:[0.0.0.0]/216
10.255.1.21 100 32768 i
*>i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
10.255.1.10 100 0 i
* i 10.255.1.10 100 0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
10.255.1.10 100 0 i
*>i 10.255.1.10 100 0 i
<......>
Route Distinguisher: 10.255.1.21:32777
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[0]:[0.0.0.0]/216
10.255.1.20 100 0 i
*>i 10.255.1.20 100 0 i
* i[2]:[0]:[0]:[48]:[5001.0008.0007]:[32]:[192.168.10.20]/248
*>i 10.255.1.20 100 0 i
<......>Kusukela ekuphumeni komyalo ungabona ukuthi kuhlobo 2 lwe-EVPN, ngaphezu kwe-MAC, manje sesibona nekheli le-IP lomsingathi.
Masibuyele ekusetheni i-sppress-arp. Lesi silungiselelo sinikwe amandla ku-VNI ngayinye ngokwehlukana:
interface nve1
member vni 10000
suppress-arpBese kuvela ubunkimbinkimbi obuthile:
- Ukuze lesi sici sisebenze, isikhala kumemori ye-TCAM siyadingeka. Nasi isibonelo sezilungiselelo ze-sppress-arp:
hardware access-list tcam region arp-ether 256Lesi silungiselelo sizodinga ububanzi obukabili. Okusho ukuthi, uma usetha i-256, khona-ke udinga ukukhulula i-512 ku-TCAM. Ukusetha i-TCAM kungaphezu kobubanzi balesi sihloko, njengoba ukusetha i-TCAM kuncike kuphela emsebenzini owabelwe wona futhi kungase kuhluke kusuka kunethiwekhi eyodwa kuya kwenye.
- Ukusebenzisa i-sppress-arp kumele kwenziwe kuwo wonke ama-Leaf switch. Nokho, ubunkimbinkimbi bungase buvele lapho kulungiswa kumapheya Amaqabunga ahlala esizindeni se-VPC. Uma i-TCAM ishintshiwe, ukuvumelana phakathi kwamapheya kuzophulwa futhi inodi eyodwa ingase ikhishwe ekusebenzeni. Ukwengeza, ukuqalisa kabusha idivayisi kungase kudingeke ukuze usebenzise ukulungiselelwa koshintsho lwe-TCAM.
Ngenxa yalokho, udinga ukucabangela ngokucophelela ukuthi, esimweni sakho, kufanelekile ukusebenzisa lesi silungiselelo embonini esebenzayo.
Lokhu kuphetha ingxenye yokuqala yochungechunge. Engxenyeni elandelayo sizobheka umzila ngendwangu ye-VxLAN ngokuhlukaniswa kwamanethiwekhi abe ama-VRF ahlukene.
Futhi manje ngimema wonke umuntu , lapho ngizokutshela khona ngokuningiliziwe mayelana nesifundo. Abahlanganyeli bokuqala abangu-20 abazobhalisela le webinar bazothola Isitifiketi Sesaphulelo nge-imeyili zingakapheli izinsuku ezingu-1-2 ngemva kokusakaza.
Source: www.habr.com