Introduction to EVPN
EVPN Control Plane
- Characteristics of the EVPN control plane
- Tunnel establishment and VXLAN association: EVPN is used for neighbor discovery, automatically discovering the VTEPs in the VXLAN network, automatically creating VXLAN tunnels between VTEPs that share the same VXLAN ID, and automatically associating the VXLAN tunnels with their VXLANs;
- Address synchronization: the MP-BGP routing protocol used by EVPN performs two functions, MAC address synchronization and host route synchronization;
- VXLAN tunnels are established automatically through Type 3 routes advertised between EVPN peers.
- When tunnels are established through Type 3 routes, the VXLAN must be configured on both peers and the VXLAN IDs must match for the tunnel to come up. To establish a tunnel through Type 3 routes, you only need to configure the same VXLAN under the VSI on each peer, create the EVPN instance, and configure the RD and RT of that EVPN instance.
- EVPN control plane device roles:
- Spine devices act as the EVPN BGP RR (Route Reflector);
- Leaf devices act as EVPN RR clients;
- Border devices serve as the network exit between the EVPN network and external networks, interconnecting traditional networks with the VXLAN network.
MAC/IP Route Synchronization
The MAC/IP route synchronization process when VM1 comes online behind VTEP A is as follows:
- Step 1: VM1 comes online; VTEP A synchronizes the learned VM1 MAC address and host route to the RR (Route Reflector) in an EVPN Type 2 route message.
- Step 2: The RR reflects the received route update to all of its neighbors (VTEP B and VTEP C).
- Step 3: On receiving the Type 2 route message, each VTEP installs the learned VM MAC address into the L2 MAC address table of the same VXLAN and installs the learned host route into its L3 routing table.
RT and RD Population Rules
- The RT value can be configured manually or set to auto. auto means the RT is generated automatically; the generated RT value is BGP AS:VXLAN ID.
- The RD value can be configured manually or set to auto. auto means the RD is generated automatically; the generated RD value is N:VXLAN ID, where N is an integer starting from 1. If N:VXLAN ID is already in use, the RD becomes (N+1):VXLAN ID, and so on until an unused RD value is found.
In an EVPN network there are three places where an RT value can be configured:
- In the VSI view: used for Layer 2 forwarding;
- In the IPv4 address family under the VPN instance view: used for communication with traditional IPv4 networks (Type 5 EVPN routes);
- In the EVPN address family under the VPN instance view: used for cross-subnet Layer 3 forwarding (IRB routes).
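The following is an added example, not code from the original page or from any vendor, that models the two passages above in Python: the auto RT/RD rules (BGP AS:VXLAN ID and N:VXLAN ID with collision avoidance), and the RR reflecting a Type 2 MAC/IP route to two leaf VTEPs, each of which imports the MAC into the VSI only if the VSI RT matches and the host route into the VRF only if the EVPN address-family RT matches. All addresses, MACs and RT values are constructed; the AS number 100 follows the example configuration later on the page.

```python
from dataclasses import dataclass, field

BGP_AS = 100          # BGP AS of the fabric (constructed; matches "bgp 100" in the example config)

def auto_rt(vni: int, asn: int = BGP_AS) -> str:
    """Auto RT = BGP AS:VXLAN ID."""
    return f"{asn}:{vni}"

def auto_rd(vni: int, used: set) -> str:
    """Auto RD = N:VXLAN ID, N from 1 upwards, skipping values already in use."""
    n = 1
    while f"{n}:{vni}" in used:
        n += 1
    rd = f"{n}:{vni}"
    used.add(rd)
    return rd

@dataclass(frozen=True)
class Type2Route:
    """EVPN MAC/IP route as reflected by the RR (fields constructed for the example)."""
    rd: str
    vni: int            # L2 VNI the MAC belongs to
    mac: str
    ip: str
    next_hop: str       # VTEP that originated the route
    rts: frozenset      # export RTs carried as extended communities

@dataclass
class LeafVtep:
    name: str
    vsi_import_rt: dict            # L2 VNI -> import RT configured in that VSI view
    vrf_evpn_import_rt: str        # import RT in the VPN instance EVPN address family
    mac_table: dict = field(default_factory=dict)    # (vni, mac) -> next hop
    host_routes: dict = field(default_factory=dict)  # "ip/32" -> next hop

    def receive(self, r: Type2Route) -> None:
        # Layer 2: the MAC enters the MAC table of the same VXLAN only if the VSI RT matches
        if self.vsi_import_rt.get(r.vni) in r.rts:
            self.mac_table[(r.vni, r.mac)] = r.next_hop
        # Layer 3: the host route enters the VRF only if the EVPN address-family RT matches
        if self.vrf_evpn_import_rt in r.rts:
            self.host_routes[f"{r.ip}/32"] = r.next_hop

def reflect(route: Type2Route, clients: list) -> None:
    """Step 2: the RR passes the update on to all of its RR clients."""
    for c in clients:
        c.receive(route)
```

A leaf that has no VSI for VNI 10 still learns the /32 host route through the VRF RT, which is exactly what symmetric IRB relies on.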
EVPN Type 2 Routes
- MAC route: Layer 2 MAC; the leaf's MAC table entry points to the next hop
- ARP route: centralized forwarding; the gateway queries the leaf for MAC table entries
- IRB route: distributed forwarding
L3VNI / L2VNI
- L2 VNI: represents a Layer 2 broadcast domain (the traditional VXLAN VNI concept); BUM traffic is flooded within it, and every member reachable over the same tunnel receives the flooded BUM traffic
- L3 VNI:
- When gateways forward traffic to each other over VXLAN tunnels, traffic that belongs to the same routing domain (the same VPN instance routing table) and can be routed at Layer 3 is identified by the L3 VNI
- An L3 VNI is uniquely associated with one VPN instance (one L3 VNI (VRF) can be associated with multiple L2 VNIs)
- A Layer 3 VSI is used to locate the IPv4 instance
- A Layer 2 VSI is used to locate the EVPN instance
Distributed Gateway: Symmetric IRB Layer 3 Forwarding
Distributed gateway, symmetric IRB Layer 3 forwarding:
- Forwarding path: with symmetric IRB the forward and return paths are identical; outbound traffic uses the tunnel corresponding to VNI 1000, and return traffic also uses the tunnel corresponding to VNI 1000;
- VTEP configuration: in addition to the VSI of the local VNI, a new type of VNI, the L3 VNI, must be configured on the VTEP. The L3 VNI holds the routes of one VRF, and Layer 3 traffic is forwarded within the L3 VNI;
- Table entries: each VTEP only needs to maintain MAC entries for the VNIs of its locally attached hosts and only needs to know the Router MAC of the remote VTEPs, so fewer table entries are consumed;
- Forwarding process: when VTEP A receives a packet that requires Layer 3 forwarding, it moves the packet from the source VNI to the L3 VNI and rewrites the inner destination MAC to the destination VTEP's RMAC-C. After decapsulation, VTEP C finds that the inner destination MAC is its own and forwards the inner packet at Layer 3 in the VRF corresponding to the L3 VNI.
- Advantages of symmetric IRB:
- Simple configuration: each VTEP only needs the VSI configuration for the VNIs of its attached hosts and the L3 VNI VSI of the VRF they belong to; this simplicity favors automated deployment;
- Fewer table entries: each VTEP only needs to maintain MAC entries for the VNIs of its locally attached hosts and only needs to know the Router MAC of the remote VTEPs, so fewer table entries are consumed;
- Consistent forward and return paths: symmetric IRB traffic follows the same path in both directions; in this example, outbound traffic uses the tunnel corresponding to VNI 1000 and return traffic also uses the tunnel corresponding to VNI 1000.
Forwarding Process
Distributed gateway, symmetric IRB Layer 3 forwarding, with the gateway located on the access device. In this scenario the Layer 3 forwarding process is as follows:
- VM1 belongs to VXLAN 10 and VM2 belongs to VXLAN 20; the two VMs are in different subnets. VM1 has IP address IP1 and MAC address MAC1, and its packets carry VLAN tag 10; VM2 has IP address IP2 and MAC address MAC2, and its packets carry VLAN tag 20. On the downlink ports of the VTEP devices, VLAN 10 is mapped to VXLAN 10 and VLAN 20 to VXLAN 20, so that the VLAN-tagged packets sent by the VMs are mapped into the corresponding VXLAN.
- VM1 sends an ARP request for the gateway's MAC address, and VTEP A replies with the gateway MAC address GMAC-A. VM1 then sends a packet to VM2 with source MAC MAC1, destination MAC GMAC-A (the gateway MAC) and VLAN tag 10. [This is cross-subnet communication: the data is sent to the gateway]
- The gateway receives the packet and performs a lookup in L3 VNI 1000: based on the destination IP it searches the routing table and ARP table and finds the outgoing interface Tunnel 1. It encapsulates the packet in VXLAN with destination IP = the IP of VTEP C, destination MAC = the MAC of the underlay next hop and VXLAN ID 1000, and forwards the packet to VTEP C. [Look up the VPN instance routing table (VNI 1000), encapsulate and forward the packet]
- VTEP C receives the packet, strips the VXLAN encapsulation and recovers the original frame. It performs a lookup in L3 VNI 1000, finds the outgoing port GE2/0/1 based on the destination IP, rewrites the destination MAC to MAC 3 and the source MAC to the gateway MAC GMAC C. VTEP C then sends the frame out of interface GE2/0/1 with VLAN tag 20 to VM2. [Look up the VPN instance routing table, decapsulate and forward the packet]
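The following is an added example, not code from the original page or from any vendor, that models the symmetric IRB forwarding steps above in Python: VTEP A routes the frame addressed to the gateway MAC in L3 VNI 1000, encapsulates it towards VTEP C with the inner destination MAC set to RMAC-C, and VTEP C decapsulates, checks the inner destination MAC against its own Router MAC, routes in the VRF and rewrites the MACs and VLAN tag for VM2. The return direction uses the same L3 VNI, which is the symmetry the page describes. Table contents, IPs and MAC names are constructed; the VM2 MAC is assumed to be MAC2 as in step 1.

```python
L3_VNI = 1000                       # L3 VNI of the VRF, as in the steps above
VLAN_TO_VNI = {10: 10, 20: 20}      # downlink VLAN-to-VXLAN mapping from step 1

class Vtep:
    """Distributed gateway VTEP (constructed model; not vendor code)."""
    def __init__(self, name, ip, rmac, gw_macs, vrf_routes, underlay_nh_mac):
        self.name, self.ip, self.rmac = name, ip, rmac
        self.gw_macs = gw_macs            # L2 VNI -> gateway MAC of that VSI-interface
        # VRF routing table (the VPN instance behind L3 VNI 1000), keyed by host IP:
        #   ("tunnel", remote VTEP IP, remote Router MAC)  for hosts behind other VTEPs
        #   ("port", egress port, host MAC, VLAN tag)       for locally attached hosts
        self.vrf_routes = vrf_routes
        self.underlay_nh_mac = underlay_nh_mac   # MAC of the underlay next hop

    def route_from_host(self, frame):
        """Steps 2-3: a frame sent to the gateway MAC is routed in the L3 VNI and
        VXLAN-encapsulated to the remote VTEP with inner DMAC = its Router MAC."""
        vni = VLAN_TO_VNI[frame["vlan"]]
        if frame["dmac"] != self.gw_macs[vni]:
            return None                   # not for the gateway: would be bridged in the L2 VNI
        entry = self.vrf_routes[frame["dst_ip"]]
        assert entry[0] == "tunnel", "destination is local; no encapsulation needed"
        _, remote_ip, remote_rmac = entry
        inner = dict(frame, smac=self.rmac, dmac=remote_rmac, vlan=None)
        return {"outer_dst_ip": remote_ip, "outer_dmac": self.underlay_nh_mac,
                "vni": L3_VNI, "inner": inner}

    def route_from_tunnel(self, pkt):
        """Step 4: decapsulate, check the inner DMAC is our Router MAC, then route
        in the VRF of L3 VNI 1000 and rewrite MACs and VLAN tag for the local host."""
        if pkt["outer_dst_ip"] != self.ip or pkt["vni"] != L3_VNI:
            return None                   # not our tunnel endpoint or not the L3 VNI
        inner = pkt["inner"]
        if inner["dmac"] != self.rmac:
            return None                   # inner DMAC is not this VTEP's Router MAC: drop
        entry = self.vrf_routes[inner["dst_ip"]]
        assert entry[0] == "port", "destination is behind another VTEP"
        _, port, host_mac, vlan = entry
        out = dict(inner, smac=self.gw_macs[VLAN_TO_VNI[vlan]], dmac=host_mac, vlan=vlan)
        return port, out
```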
Common EVPN Network Commands
- ARP entries: age out after 20 minutes by default.
- ARP suppression entries: fixed 25-minute aging.
- L2VPN MAC entries: age out after 5 minutes by default.
Configuration Example
Key leaf configuration [S1/S11/S2 configuration]
#
ip vpn-instance a
route-distinguisher 1000:1000
#
address-family evpn
vpn-target 1000:1000 import-extcommunity
vpn-target 1000:1000 export-extcommunity
#
interface Vsi-interface10
ip binding vpn-instance a // bind the VPN instance
ip address 192.168.10.254 255.255.255.0 // distributed gateway address, identical on every leaf
mac-address 0001-0001-0001 // configure the MAC address; the gateway MAC is identical on every leaf
distributed-gateway local // enable the distributed gateway function
#
interface Vsi-interface20
ip binding vpn-instance a
ip address 192.168.20.254 255.255.255.0
mac-address 0002-0002-0002
distributed-gateway local
#
vsi vpna
gateway vsi-interface 10 // associate the gateway; once associated, the Layer 3 VSI interface comes up
#
vsi vpnb
gateway vsi-interface 20
#
interface Vsi-interface8191
ip binding vpn-instance a
l3-vni 1000 // once bound, the Layer 3 VNI is enabled
Configuration Verification
Complete Configuration
S1
#
vxlan tunnel mac-learning disable
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
#
vlan 1
#
vlan 10
#
vlan 20
#
stp instance 0 priority 4096
stp global enable
#
l2vpn enable
vxlan tunnel arp-learning disable
evpn m-lag group 1.2.3.4
#
vsi vpna
vxlan 10
evpn encapsulation vxlan
route-distinguisher 10:10
vpn-target 10:10 export-extcommunity
vpn-target 10:10 import-extcommunity
#
vsi vpnb
vxlan 20
evpn encapsulation vxlan
route-distinguisher 20:20
vpn-target 20:20 export-extcommunity
vpn-target 20:20 import-extcommunity
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
port m-lag group 2
vtep access port
#
service-instance 10
encapsulation s-vid 10
xconnect vsi vpna
#
service-instance 20
encapsulation s-vid 20
xconnect vsi vpnb
#
interface Bridge-Aggregation2
description peerlink
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
port m-lag peer-link 1
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
ospf 1 area 0.0.0.0
#
interface LoopBack1
ip address 1.2.3.4 255.255.255.255
ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable fiber
ip address 13.1.1.1 255.255.255.0
ospf network-type p2p
ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable fiber
ip address 14.1.1.1 255.255.255.0
ospf network-type p2p
ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/6
port link-mode route
description keeplive
combo enable fiber
ip address 192.168.99.1 255.255.255.252
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
port link-aggregation group 1
#
interface GigabitEthernet1/0/4
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
port link-aggregation group 2
#
interface GigabitEthernet1/0/5
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
port link-aggregation group 2
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack0
#
address-family l2vpn evpn
peer 3.3.3.3 enable
peer 4.4.4.4 enable
#
m-lag mad exclude interface GigabitEthernet1/0/6
m-lag restore-delay 10
m-lag role priority 120
m-lag system-mac 40a3-cfe4-0300
m-lag system-number 1
m-lag system-priority 0
m-lag consistency-check disable
m-lag keepalive ip destination 192.168.99.2
S11
#
vxlan tunnel mac-learning disable
#
ospf 1 router-id 11.11.11.11
area 0.0.0.0
#
vlan 1
#
vlan 10
#
vlan 20
#
stp instance 0 priority 4096
stp global enable
#
l2vpn enable
l2vpn m-lag peer-link ac-match-rule vxlan-mapping
vxlan tunnel arp-learning disable
evpn m-lag group 1.2.3.4
#
vsi vpna
vxlan 10
evpn encapsulation vxlan
route-distinguisher 10:10
vpn-target 10:10 export-extcommunity
vpn-target 10:10 import-extcommunity
#
vsi vpnb
vxlan 20
evpn encapsulation vxlan
route-distinguisher 20:20
vpn-target 20:20 export-extcommunity
vpn-target 20:20 import-extcommunity
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
port m-lag group 2
vtep access port
#
service-instance 10
encapsulation s-vid 10
xconnect vsi vpna
#
service-instance 20
encapsulation s-vid 20
xconnect vsi vpnb
#
interface Bridge-Aggregation2
description peerlink
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
port m-lag peer-link 1
#
interface LoopBack0
ip address 11.11.11.11 255.255.255.255
ospf 1 area 0.0.0.0
#
interface LoopBack1
ip address 1.2.3.4 255.255.255.255
ospf 1 area 0.0.0.0
#
interface FortyGigE1/0/53
port link-mode bridge
#
interface FortyGigE1/0/54
port link-mode bridge
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable fiber
ip address 113.1.1.11 255.255.255.0
ospf network-type p2p
ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable fiber
ip address 114.1.1.11 255.255.255.0
ospf network-type p2p
ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/6
port link-mode route
description keeplive
combo enable fiber
ip address 192.168.99.2 255.255.255.252
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
port link-aggregation group 1
#
interface GigabitEthernet1/0/4
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
port link-aggregation group 2
#
interface GigabitEthernet1/0/5
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
port link-aggregation group 2
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack0
#
address-family l2vpn evpn
peer 3.3.3.3 enable
peer 4.4.4.4 enable
#
m-lag mad exclude interface GigabitEthernet1/0/6
m-lag restore-delay 10
m-lag system-mac 40a3-cfe4-0300
m-lag system-number 2
m-lag system-priority 0
m-lag consistency-check disable
m-lag keepalive ip destination 192.168.99.1
S2
#
vxlan tunnel mac-learning disable
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
#
vlan 1
#
vlan 10
#
vlan 20
#
stp global enable
#
l2vpn enable
vxlan tunnel arp-learning disable
#
vsi vpna
vxlan 10
evpn encapsulation vxlan
route-distinguisher 10:10
vpn-target 10:10 export-extcommunity
vpn-target 10:10 import-extcommunity
#
vsi vpnb
vxlan 20
evpn encapsulation vxlan
route-distinguisher 20:20
vpn-target 20:20 export-extcommunity
vpn-target 20:20 import-extcommunity
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
ip address 23.1.1.2 255.255.255.0
ospf network-type p2p
ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable fiber
ip address 24.1.1.2 255.255.255.0
ospf network-type p2p
ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
vtep access port
#
service-instance 10
encapsulation s-vid 10
xconnect vsi vpna
#
service-instance 20
encapsulation s-vid 20
xconnect vsi vpnb
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack0
#
address-family l2vpn evpn
peer 3.3.3.3 enable
peer 4.4.4.4 enable
S3
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
#
vlan 1
#
stp global enable
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
ip address 13.1.1.3 255.255.255.0
ospf network-type p2p
ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable fiber
ip address 23.1.1.3 255.255.255.0
ospf network-type p2p
ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable fiber
ip address 113.1.1.3 255.255.255.0
ospf network-type p2p
ospf 1 area 0.0.0.0
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0
peer 11.11.11.11 as-number 100
peer 11.11.11.11 connect-interface LoopBack0
#
address-family l2vpn evpn
undo policy vpn-target
peer 1.1.1.1 enable
peer 1.1.1.1 reflect-client
peer 2.2.2.2 enable
peer 2.2.2.2 reflect-client
peer 11.11.11.11 enable
peer 11.11.11.11 reflect-client
S5
#
vlan 1
#
vlan 10
#
vlan 20
#
stp global enable
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 10
combo enable fiber
stp edged-port
#
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
port link-aggregation group 1
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 20
combo enable fiber
stp edged-port
#
interface GigabitEthernet1/0/4
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
port link-aggregation group 1