HPE a00052915en us R650x-HPE FlexFabric 5945 Switch Series VXLAN Configuration Guide

HPE FlexFabric 5945 Switch Series
VXLAN Configuration Guide
Part number: 5200-4787
Software version: Release 6508 and later
Document version: 6W100-20180730
© Copyright 2018 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents
VXLAN overview
  VXLAN benefits
  VXLAN network model
  VXLAN packet format
  VXLAN working mechanisms
    Generic VXLAN network establishment and forwarding process
    VXLAN tunnel establishment and assignment
    Assignment of traffic to VXLANs
    MAC learning
    Unicast forwarding
    Flood
    Access modes of VSIs
  ARP flood suppression
  VXLAN IP gateways
  Protocols and standards
Configuring basic VXLAN features
  VXLAN tasks at a glance
  Prerequisites for VXLAN
  Setting the VXLAN hardware resource mode
  Creating a VXLAN on a VSI
  Configuring a VXLAN tunnel
    Manually creating a VXLAN tunnel
    Enabling BFD on a VXLAN tunnel
  Manually assigning VXLAN tunnels to a VXLAN
  Assigning customer frames to a VSI
    Restrictions and guidelines for configuring different traffic assignment methods
    Mapping a static Ethernet service instance to a VSI
    Configuring VLAN-based VXLAN assignment
  Managing MAC address entries
    About MAC address entry management
    Configuring static MAC address entries
    Disabling remote-MAC address learning
    Enabling local-MAC logging
    Setting the MAC learning priority of an Ethernet service instance
    Setting the VXLAN Layer 2 forwarding mode and the MAC learning mode
  Configuring VXLAN over VXLAN
  Configuring a multicast-mode VXLAN
    About multicast methods for multicast-mode VXLANs
    Prerequisites for multicast-mode VXLANs
    Configuring a multicast-mode VXLAN that uses the PIM method
    Configuring a multicast-mode VXLAN that uses the IGMP host method
  Setting the destination UDP port number of VXLAN packets
  Configuring VXLAN packet check
  Disabling flooding for a VSI
  Enabling ARP flood suppression
  Enabling VXLAN packet statistics
    Enabling packet statistics for a VSI
    Enabling packet statistics for an AC
    Enabling packet statistics for VXLAN tunnels
  Testing the reachability of a remote VM
  Display and maintenance commands for VXLANs
  VXLAN configuration examples
    Example: Configuring a unicast-mode VXLAN
    Example: Configuring a multicast-mode VXLAN
Configuring VXLAN IP gateways
  About VXLAN IP gateways
    VXLAN IP gateways separated from VTEPs
    Centralized VXLAN IP gateway deployment
    Centralized VXLAN gateway group deployment
    Distributed VXLAN IP gateway deployment
  Restrictions and guidelines: VXLAN IP gateway configuration
  VXLAN IP gateway tasks at a glance
  Prerequisites for VXLAN IP gateway configuration
  Configuring a centralized VXLAN IP gateway
    Restrictions and guidelines
    Configuring a gateway interface on a centralized VXLAN IP gateway
    Assigning a subnet to a VSI
  Configuring a centralized VXLAN IP gateway group
    Configuring a VTEP group
    Specifying a VTEP group as the gateway for an access layer VTEP
  Configuring a distributed VXLAN IP gateway
    Restrictions and guidelines for distributed VXLAN IP gateway configuration
    Configuring a gateway interface on a distributed VXLAN IP gateway
    Enabling dynamic ARP or ND entry synchronization for distributed VXLAN IP gateways
    Assigning a subnet to a VSI
  Managing ARP entries and ND entries
    Adding a static ARP entry
    Disabling remote ARP or ND learning for VXLANs
  Configuring a VSI interface
    Configuring optional parameters for a VSI interface
    Restoring the default settings of the VSI interface
    Enabling packet statistics for a VSI interface
  Display and maintenance commands for VXLAN IP gateways
  VXLAN IP gateway configuration examples
    Example: Configuring a centralized VXLAN IP gateway
    Example: Configuring a centralized VXLAN IP gateway group
    Example: Configuring distributed VXLAN IPv4 gateways
    Example: Configuring distributed VXLAN IPv6 gateways
Configuring VXLAN-DCI
  About VXLAN-DCI
    VXLAN-DCI network model
    Working mechanisms
    Intra-VXLAN traffic forwarding between sites
    Inter-VXLAN traffic forwarding between sites
  VXLAN-DCI tasks at a glance
  Configuring a VXLAN-DCI tunnel
  Assigning VXLAN-DCI tunnels to a VXLAN
  Configuring a gateway interface on an ED
  Setting the VXLAN-DCI Layer 2 forwarding mode and the MAC learning mode
  Enabling packet statistics for manually created VXLAN-DCI tunnels
  Display and maintenance commands for VXLAN-DCI
  VXLAN-DCI configuration examples
    Example: Configuring a basic VXLAN-DCI network
Configuring the VTEP as an OVSDB VTEP
  About OVSDB VTEP
    Working mechanisms
  Protocols and standards
  Restrictions and guidelines: OVSDB VTEP configuration
  OVSDB VTEP tasks at a glance
  Prerequisites for OVSDB VTEP configuration
  Setting up an OVSDB connection to a controller
    About OVSDB connection types
    Restrictions and guidelines for OVSDB controller connection setup
    Prerequisites for OVSDB controller connection setup
    Configuring active SSL connection settings
    Configuring passive SSL connection settings
    Configuring active TCP connection settings
    Configuring passive TCP connection settings
  Enabling the OVSDB server
  Enabling the OVSDB VTEP service
  Specifying a global source address for VXLAN tunnels
  Specifying a VTEP access port
  Enabling flood proxy on multicast VXLAN tunnels
  OVSDB VTEP configuration examples
    Example: Configuring a unicast-mode VXLAN
    Example: Configuring flood proxy for a VXLAN
Document conventions and icons
  Conventions
  Network topology icons
Support and other resources
  Accessing Hewlett Packard Enterprise Support
  Accessing updates
    Websites
    Customer self repair
    Remote support
    Documentation feedback
Index
VXLAN overview
Virtual eXtensible LAN (VXLAN) is a MAC-in-UDP technology that provides Layer 2 connectivity
between distant network sites across an IP network. VXLAN is typically used in data centers and the
access layer of campus networks for multitenant services.
The device supports only IPv4-based VXLAN. IPv6-based VXLAN is not supported.
VXLAN benefits
VXLAN provides the following benefits:
• Support for more virtual switched domains than VLANs—Each VXLAN is uniquely
  identified by a 24-bit VXLAN ID. The total number of VXLANs can reach 16777216 (2^24). This
  specification makes VXLAN a better choice than 802.1Q VLAN to isolate traffic for user
  terminals.
• Easy deployment and maintenance—VXLAN requires deployment only on the edge devices
  of the transport network. Devices in the transport network perform typical Layer 3 forwarding.
VXLAN network model
As shown in Figure 1, a VXLAN is a virtual Layer 2 network (known as the overlay network) built on
top of an existing physical Layer 3 network (known as the underlay network). The overlay network
encapsulates inter-site Layer 2 frames into VXLAN packets and forwards the packets to the
destination along the Layer 3 forwarding paths provided by the underlay network. The underlay
network is transparent to tenants, and geographically dispersed sites of a tenant are merged into a
Layer 2 network.
The transport edge devices assign user terminals to different VXLANs, and then forward traffic
between sites for user terminals by using VXLAN tunnels. Supported user terminals include PCs,
wireless terminals, and VMs on servers.
NOTE:
This document uses VMs as examples to describe the mechanisms of VXLAN. The mechanisms do
not differ between different kinds of user terminals.
The transport edge devices are VXLAN tunnel endpoints (VTEP). The VTEP implementation of the
device uses ACs, VSIs, and VXLAN tunnels to provide VXLAN services.
• VSI—A virtual switch instance is a virtual Layer 2 switched domain. Each VSI provides
  switching services only for one VXLAN. VSIs learn MAC addresses and forward frames
  independently of one another. VMs in different sites have Layer 2 connectivity if they are in the
  same VXLAN.
• Attachment circuit (AC)—An AC is a physical or virtual link that connects a VTEP to a local
  site. Typically, ACs are Ethernet service instances that are associated with the VSI of a VXLAN.
  Traffic received from an AC is assigned to the VSI associated with the AC. Ethernet service
  instances are created on site-facing Layer 2 interfaces. An Ethernet service instance matches a
  list of custom VLANs by using a frame match criterion.
• VXLAN tunnel—Logical point-to-point tunnels between VTEPs over the transport network.
  Each VXLAN tunnel can trunk multiple VXLANs.
VTEPs encapsulate VXLAN traffic in the VXLAN, outer UDP, and outer IP headers. The devices in
the transport network forward VXLAN traffic only based on the outer IP header.
Figure 1 VXLAN network model
(Figure labels: overlay network with VSI/VXLAN 10, VSI/VXLAN 20, terminals, and a VXLAN tunnel;
underlay network with Site 1, VTEP 1, transport network with a P device, VTEP 2, and Site 2.)
VXLAN packet format
As shown in Figure 2, a VTEP encapsulates a frame in the following headers:
• 8-byte VXLAN header—VXLAN information for the frame.
  ○ Flags—If the I bit is 1, the VXLAN ID is valid. If the I bit is 0, the VXLAN ID is invalid. All
    other bits are reserved and set to 0.
  ○ 24-bit VXLAN ID—Identifies the VXLAN of the frame. It is also called the virtual network
    identifier (VNI).
• 8-byte outer UDP header for VXLAN—The default VXLAN destination UDP port number is
  4789.
• 20-byte outer IP header—Valid addresses of VTEPs or VXLAN multicast groups on the
  transport network. Devices in the transport network forward VXLAN packets based on the outer
  IP header.
Figure 2 VXLAN packet format
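The header layout above, written as a parser that a monitoring sensor on the transport network could run (an added example, not code from HPE or the device). The strict reserved-bit check, the expected-VNI set, and the sample frame are assumptions of this example; the position of the I bit follows RFC 7348.

```python
import struct

VXLAN_UDP_PORT = 4789     # default destination UDP port given in the guide
VXLAN_HDR_LEN = 8         # 8-byte VXLAN header
FLAG_I = 0x08             # I bit of the flags byte (bit position per RFC 7348)
ETHERTYPE_8021Q = 0x8100


class VxlanError(ValueError):
    """Raised when a payload is not an acceptable VXLAN packet."""


def build_vxlan_header(vni):
    """Return the 8-byte header a VTEP prepends: I bit set, reserved bits 0."""
    if not 0 <= vni < 1 << 24:
        raise VxlanError("VXLAN ID must fit in 24 bits")
    return struct.pack("!II", FLAG_I << 24, vni << 8)


def parse_vxlan_header(payload, strict=True):
    """Split a UDP payload into (vni, inner_frame).

    strict=True also rejects non-zero reserved bits. That is a policy choice
    of this example (assumption); RFC 7348 receivers ignore those bits.
    """
    if len(payload) < VXLAN_HDR_LEN:
        raise VxlanError("truncated VXLAN header")
    word1, word2 = struct.unpack("!II", payload[:VXLAN_HDR_LEN])
    flags, reserved1 = word1 >> 24, word1 & 0xFFFFFF
    vni, reserved2 = word2 >> 8, word2 & 0xFF
    if not flags & FLAG_I:
        raise VxlanError("I bit is 0, VXLAN ID is invalid")
    if strict and (flags & ~FLAG_I & 0xFF or reserved1 or reserved2):
        raise VxlanError("reserved bits are not 0")
    return vni, payload[VXLAN_HDR_LEN:]


def parse_inner_ethernet(frame):
    """Return MACs, VLAN ID (None if untagged) and EtherType of the inner frame.

    Inner frames carry an 802.1Q tag only when the VSI uses Ethernet access
    mode; in VLAN access mode the VTEP removes the tags before encapsulation.
    """
    if len(frame) < 14:
        raise VxlanError("truncated inner Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise VxlanError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "vlan": vlan, "ethertype": ethertype}


def inspect_datagram(dst_port, payload, expected_vnis):
    """Classify one UDP datagram seen on the transport network."""
    if dst_port != VXLAN_UDP_PORT:
        return ("not-vxlan", None)
    try:
        vni, inner = parse_vxlan_header(payload)
        info = parse_inner_ethernet(inner)
    except VxlanError as exc:
        return ("malformed", str(exc))
    info["vni"] = vni
    if vni not in expected_vnis:
        return ("unexpected-vni", info)
    return ("ok", info)


# Constructed sample: ARP frame tagged with VLAN 2, as carried in Ethernet access mode.
INNER = bytes.fromhex("020000000007" "020000000001" "8100" "0002" "0806") + b"\x00" * 28

if __name__ == "__main__":
    for vni in (10, 30):
        print(inspect_datagram(4789, build_vxlan_header(vni) + INNER, {10, 20}))
    print(inspect_datagram(4789, bytes(8) + INNER, {10, 20}))
```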
VXLAN working mechanisms
Generic VXLAN network establishment and forwarding process
The VTEP uses the following process to establish the VXLAN network and forward an inter-site
frame:
1. Discovers remote VTEPs, establishes VXLAN tunnels, and assigns the VXLAN tunnels to
   VXLANs.
2. Assigns the frame to its matching VXLAN if the frame is sent between sites.
3. Performs MAC learning on the VXLAN's VSI.
4. Forwards the frame through VXLAN tunnels.
This section describes this process in detail. For intra-site frames in a VSI, the system performs
typical Layer 2 forwarding, and it processes 802.1Q VLAN tags as described in "Access modes of
VSIs."
VXLAN tunnel establishment and assignment
To provide Layer 2 connectivity for a VXLAN between two sites, you must create a VXLAN tunnel
between the sites and assign the tunnel to the VXLAN.
VXLAN tunnel establishment
VXLAN supports manual and automatic VXLAN tunnel establishment.
• Manual creation—Manually create a VXLAN tunnel interface, and specify the tunnel source
  and destination IP addresses on the peer VTEPs.
• Automatic creation—Configure Ethernet Virtual Private Network (EVPN) to automatically
  discover VTEPs and set up VXLAN tunnels. For more information about EVPN, see EVPN
  Configuration Guide.
VXLAN tunnel assignment
VXLAN supports manual and automatic VXLAN tunnel assignment.
• Manual assignment—Manually assign VXLAN tunnels to VXLANs.
• Automatic assignment—Run EVPN to automatically assign VXLAN tunnels to VXLANs. For
  more information about EVPN, see EVPN Configuration Guide.
Assignment of traffic to VXLANs
Traffic from the local site to a remote site
The VTEP uses the following methods to assign customer frames to a VXLAN:
• Ethernet service instance-to-VSI mapping—This method uses the frame match criterion of
  an Ethernet service instance to match a list of VLANs on a site-facing Layer 2 interface. The
  frame match criterion specifies the characteristics of traffic from the VLANs, such as tagging
  status and VLAN IDs. The VTEP assigns customer traffic to a VXLAN by mapping the Ethernet
  service instance to a VSI.
• VLAN-based VXLAN assignment—This method maps a VLAN to a VXLAN. The VTEP
  assigns all frames of the VLAN to the VXLAN.
As shown in Figure 3, Ethernet service instance 1 matches VLAN 2 and is mapped to VSI A (VXLAN
10). When a frame from VLAN 2 arrives, the VTEP assigns the frame to VXLAN 10, and looks up VSI
A's MAC address table for the outgoing interface.
Figure 3 Identifying traffic from the local site
Traffic from a remote site to the local site
When a frame arrives at a VXLAN tunnel, the VTEP uses the VXLAN ID in the frame to identify its
VXLAN.
MAC learning
The VTEP performs source MAC learning on the VSI as a Layer 2 switch.
• For traffic from the local site to the remote site, the VTEP learns the source MAC address before
  VXLAN encapsulation.
• For traffic from the remote site to the local site, the VTEP learns the source MAC address after
  removing the VXLAN header.
A VSI's MAC address table includes the following types of MAC address entries:
• Local MAC—MAC entries learned from the local site. The outgoing interfaces for the MAC
  address entries are site-facing interfaces.
  ○ Static—Manually added MAC entries.
  ○ Dynamic—Dynamically learned MAC entries.
• Remote MAC—MAC entries learned from a remote site, including static and dynamic MAC
  entries. The outgoing interfaces for the MAC addresses are VXLAN tunnel interfaces.
  ○ Static—Manually added MAC entries.
  ○ Dynamic—MAC entries learned in the data plane from incoming traffic on VXLAN tunnels.
    The learned MAC addresses are contained in the inner Ethernet header.
  ○ BGP EVPN—MAC entries advertised through BGP EVPN. For more information, see
    EVPN Configuration Guide.
  ○ OpenFlow—MAC entries issued by a remote controller through OpenFlow. For more
    information, see OpenFlow Configuration Guide.
  ○ OVSDB—MAC entries issued by a remote controller through OVSDB.
The following shows the priority order of different types of remote MAC address entries:
a. Static MAC address entries, and MAC address entries issued by a remote controller
through OpenFlow or OVSDB. These types of entries have the same priority and overwrite
each other.
b. MAC address entries advertised through BGP EVPN.
c. Dynamic MAC address entries.
Unicast forwarding
Intra-site unicast forwarding
The VTEP uses the following process to forward a known unicast frame within a site:
1. Identifies the VSI of the frame.
2. Looks up the destination MAC address in the VSI's MAC address table for the outgoing
   interface.
3. Sends the frame out of the matching outgoing interface.
As shown in Figure 4, VTEP 1 forwards a frame from VM 1 to VM 4 within the local site in VLAN 10 as
follows:
1. Identifies that the frame belongs to VSI A when the frame arrives at Interface A.
2. Looks up the destination MAC address (MAC 4) in the MAC address table of VSI A for the
   outgoing interface.
3. Sends the frame out of the matching outgoing interface (Interface B) to VM 4 in VLAN 10.
Figure 4 Intra-site unicast
Inter-site unicast forwarding
The following process (see Figure 5) applies to a known unicast frame between sites:
1. The source VTEP encapsulates the Ethernet frame in the VXLAN/UDP/IP header.
   In the outer IP header, the source IP address is the source VTEP's VXLAN tunnel source IP
   address. The destination IP address is the VXLAN tunnel destination IP address.
2. The source VTEP forwards the encapsulated packet out of the outgoing VXLAN tunnel
   interface found in the VSI's MAC address table.
3. The intermediate transport devices (P devices) forward the frame to the destination VTEP by
   using the outer IP header.
4. The destination VTEP removes the headers on top of the inner Ethernet frame. It then performs
   MAC address table lookup in the VXLAN's VSI to forward the frame out of the matching
   outgoing interface.
Figure 5 Inter-site unicast
Flood
The source VTEP floods a broadcast, multicast, or unknown unicast frame to all site-facing
interfaces and VXLAN tunnels in the VXLAN, except for the incoming interface. Each destination
VTEP floods the inner Ethernet frame to all site-facing interfaces in the VXLAN. To avoid loops, the
destination VTEPs do not flood the frame back to VXLAN tunnels.
VXLAN supports unicast mode (also called head-end replication), multicast mode (also called
tandem replication), and flood proxy mode for flood traffic.
Unicast mode (head-end replication)
As shown in Figure 6, the source VTEP replicates the flood frame, and then sends one replica to the
destination IP address of each VXLAN tunnel in the VXLAN.
Figure 6 Unicast mode
Multicast mode (tandem replication)
As shown in Figure 7, the source VTEP sends the flood frame in a multicast VXLAN packet destined
for a multicast group address. Transport network devices replicate and forward the packet to remote
VTEPs based on their multicast forwarding entries.
Figure 7 Multicast mode
Flood proxy mode (proxy server replication)
As shown in Figure 8, the source VTEP sends the flood frame in a VXLAN packet over a VXLAN
tunnel to a flood proxy server. The flood proxy server replicates and forwards the packet to each
remote VTEP through its VXLAN tunnels.
The flood proxy mode applies to VXLANs that have many sites. This mode reduces flood traffic in the
transport network without using a multicast protocol. To use a flood proxy server, you must set up a
VXLAN tunnel to the server on each VTEP.
Figure 8 Flood proxy mode
(Figure annotations: VTEP 1 encapsulates the flood frame with the flood proxy server address. The
flood proxy server replicates and forwards the packet, with the flood proxy server as the source and
each remote VTEP as the destination. The figure shows VTEP 1, VTEP 2, and VTEP 3 connected to the
flood proxy server by VXLAN tunnels across the transport network, with VM 1 through VM 12 on
Server 1 through Server 4.)
The flood proxy mode is typically used in SDN transport networks that have a flood proxy server. For
VTEPs to forward packets based on the MAC address table issued by an SDN controller, you must
perform the following tasks on the VTEPs:
• Disable remote-MAC address learning by using the vxlan tunnel mac-learning disable
  command.
• Disable source MAC check on all transport-facing interfaces by using the
  undo mac-address static source-check enable command. If the VTEP is an IRF fabric,
  you must also disable the feature on all IRF ports.
Access modes of VSIs
The access mode of a VSI determines how the VTEP processes the 802.1Q VLAN tags in the
Ethernet frames.
VLAN access mode
In this mode, Ethernet frames received from or sent to the local site must contain 802.1Q VLAN tags.
• For an Ethernet frame received from the local site, the VTEP removes all its 802.1Q VLAN tags
  before forwarding the frame.
• For an Ethernet frame destined for the local site, the VTEP adds 802.1Q VLAN tags to the
  frame before forwarding the frame.
In VLAN access mode, VXLAN packets sent between sites do not contain 802.1Q VLAN tags. You
can use different 802.1Q VLANs to provide the same service in different sites.
Ethernet access mode
The VTEP does not process the 802.1Q VLAN tags of Ethernet frames received from or sent to the
local site.
• For an Ethernet frame received from the local site, the VTEP forwards the frame with the
  802.1Q VLAN tags intact.
• For an Ethernet frame destined for the local site, the VTEP forwards the frame without adding
  802.1Q VLAN tags.
In Ethernet access mode, VXLAN packets sent between VXLAN sites contain 802.1Q VLAN tags.
You must use the same VLAN to provide the same service between sites.
ARP flood suppression
ARP flood suppression reduces ARP request broadcasts by enabling the VTEP to reply to ARP
requests on behalf of VMs.
As shown in Figure 9, this feature snoops ARP packets to populate the ARP flood suppression table
with local and remote MAC addresses. If an ARP request has a matching entry, the VTEP replies to
the request on behalf of the VM. If no match is found, the VTEP floods the request to both local and
remote sites.
Figure 9 ARP flood suppression
ARP flood suppression uses the following workflow:
1. VM 1 sends an ARP request to obtain the MAC address of VM 7.
2. VTEP 1 creates a suppression entry for VM 1, and floods the ARP request in the VXLAN.
3. VTEP 2 and VTEP 3 de-encapsulate the ARP request. The VTEPs create a suppression entry
   for VM 1, and broadcast the request in the local site.
4. VM 7 sends an ARP reply.
5. VTEP 2 creates a suppression entry for VM 7 and forwards the ARP reply to VTEP 1.
6. VTEP 1 de-encapsulates the ARP reply, creates a suppression entry for VM 7, and forwards the
   ARP reply to VM 1.
7. VM 4 sends an ARP request to obtain the MAC address of VM 1 or VM 7.
8. VTEP 1 creates a suppression entry for VM 4 and replies to the ARP request.
9. VM 10 sends an ARP request to obtain the MAC address of VM 1.
10. VTEP 3 creates a suppression entry for VM 10 and replies to the ARP request.
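The workflow above, replayed as an added Python simulation (not HPE code) so that the contents of each VTEP's suppression table can be inspected after every request. The VM placement follows the workflow (VM 1 and VM 4 behind VTEP 1, VM 7 behind VTEP 2, VM 10 behind VTEP 3); the class, function names, IP addresses and MAC addresses are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Vtep:
    name: str
    local_vms: dict                                   # IP -> MAC of VMs in the local site
    table: dict = field(default_factory=dict)         # ARP flood suppression table
    peers: list = field(default_factory=list, repr=False, compare=False)

    def local_arp_request(self, sender_ip, target_ip):
        """Handle an ARP request sent by a VM in the local site."""
        sender_mac = self.local_vms[sender_ip]
        self.table[sender_ip] = sender_mac            # snoop the sender (steps 2, 8, 10)
        if target_ip in self.table:                   # match: reply on behalf of the VM
            return ("suppressed", self.name, self.table[target_ip])
        # No match: flood the request to the local site and to every remote VTEP.
        mac = self.local_vms.get(target_ip)
        owner = self.name if mac is not None else None
        for peer in self.peers:
            remote_mac = peer.tunnel_arp_request(sender_ip, sender_mac, target_ip)
            if remote_mac is not None:
                owner, mac = peer.name, remote_mac
        if mac is not None:
            self.table[target_ip] = mac               # snoop the ARP reply (step 6)
        return ("flooded", owner, mac)

    def tunnel_arp_request(self, sender_ip, sender_mac, target_ip):
        """Handle a flooded ARP request received over a VXLAN tunnel."""
        self.table[sender_ip] = sender_mac            # step 3
        mac = self.local_vms.get(target_ip)           # broadcast in the local site
        if mac is not None:
            self.table[target_ip] = mac               # step 5: snoop the VM's reply
        return mac


def vm(n):
    """Constructed (IP, MAC) pair for VM n (documentation address ranges)."""
    return f"192.0.2.{n}", f"00:00:5e:00:53:{n:02x}"


def build_topology():
    v1 = Vtep("VTEP 1", dict(vm(n) for n in (1, 4)))
    v2 = Vtep("VTEP 2", dict(vm(n) for n in (7,)))
    v3 = Vtep("VTEP 3", dict(vm(n) for n in (10,)))
    for v in (v1, v2, v3):
        v.peers = [p for p in (v1, v2, v3) if p is not v]
    return v1, v2, v3


def run_workflow():
    """Replay steps 1-10 and return the three outcomes plus the VTEPs."""
    v1, v2, v3 = build_topology()
    results = [
        v1.local_arp_request(vm(1)[0], vm(7)[0]),     # steps 1-6: flooded
        v1.local_arp_request(vm(4)[0], vm(7)[0]),     # steps 7-8: answered by VTEP 1
        v3.local_arp_request(vm(10)[0], vm(1)[0]),    # steps 9-10: answered by VTEP 3
    ]
    return results, (v1, v2, v3)


if __name__ == "__main__":
    outcomes, vteps = run_workflow()
    for outcome in outcomes:
        print(outcome)
    for v in vteps:
        print(v.name, sorted(v.table))
```

Only the first request crosses the transport network. VTEP 3 never learns VM 7 because it saw the flooded request but not the unicast reply.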
VXLAN IP gateways
A VXLAN IP gateway provides Layer 3 forwarding services for VMs in VXLANs. A VXLAN IP gateway
can be an independent device or be collocated with a VTEP. For more information about VXLAN IP
gateway placement, see "Configuring VXLAN IP gateways."
Protocols and standards
RFC 7348, Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized
Layer 2 Networks over Layer 3 Networks
Configuring basic VXLAN features
VXLAN tasks at a glance
To configure basic VXLAN settings, perform the following tasks on VTEPs:
1. (Optional.) Setting the VXLAN hardware resource mode
2. Creating a VXLAN on a VSI
3. Configuring a VXLAN tunnel
4. Manually assigning VXLAN tunnels to a VXLAN
5. Assigning customer frames to a VSI
6. (Optional.) Managing MAC address entries
   ○ Configuring static MAC address entries
   ○ Disabling remote-MAC address learning
   ○ Enabling local-MAC logging
   ○ Setting the MAC learning priority of an Ethernet service instance
   ○ Setting the VXLAN Layer 2 forwarding mode and the MAC learning mode
7. (Optional.) Configuring VXLAN over VXLAN
8. Configuring a multicast-mode VXLAN
   If the network is multicast dense, configure the VTEP to flood VXLAN traffic in multicast mode.
9. (Optional.) Configuring VXLAN packet parameters
   ○ Setting the destination UDP port number of VXLAN packets
   ○ Configuring VXLAN packet check
10. (Optional.) Reducing flood traffic in the transport network
   ○ Disabling flooding for a VSI
   ○ Enabling ARP flood suppression
11. Maintaining VXLAN networks
   ○ Enabling VXLAN packet statistics
   ○ Testing the reachability of a remote VM
Prerequisites for VXLAN
Configure a routing protocol on the devices in the transport network to make sure the VTEPs can
reach one another.
Setting the VXLAN hardware resource mode
About the VXLAN hardware resource mode
The device supports the following VXLAN hardware resource modes:
• l2gw—Layer 2 gateway mode.
• l3gw—Layer 3 gateway mode.
You must set the VXLAN hardware resource mode to l3gw on EDs of a VXLAN-DCI network.
Restrictions and guidelines
For the hardware resource mode to take effect, you must reboot the device.
Procedure
1. Enter system view.
   system-view
2. Set the VXLAN hardware resource mode.
   hardware-resource vxlan { l2gw | l3gw }
   By default, the VXLAN hardware resource mode is l2gw.
   For more information about this command, see VXLAN Command Reference.
Creating a VXLAN on a VSI
Restrictions and guidelines
If you use both the restrain and bandwidth commands on a VSI, the bandwidth command
limits only the bandwidth of the traffic not restrained by the restrain command.
Procedure
1. Enter system view.
   system-view
2. Enable L2VPN.
   l2vpn enable
   By default, L2VPN is disabled.
3. Create a VSI and enter VSI view.
   vsi vsi-name
4. Enable the VSI.
   undo shutdown
   By default, a VSI is enabled.
5. Create a VXLAN and enter VXLAN view.
   vxlan vxlan-id
   You can create only one VXLAN on a VSI.
   The VXLAN ID must be unique for each VSI.
6. (Optional.) Configure VSI parameters:
   a. Return to VSI view.
      quit
   b. Configure a VSI description.
      description text
      By default, a VSI does not have a description.
   c. Set the MTU for the VSI.
      mtu size
      The default MTU for a VSI is 1500 bytes.
   d. Set the maximum bandwidth for the VSI.
      bandwidth bandwidth
      By default, the maximum bandwidth is not limited for a VSI.
   e. Set the broadcast, multicast, or unknown unicast restraint bandwidth for the VSI.
      restrain { broadcast | multicast | unknown-unicast } bandwidth
      By default, a VSI's broadcast restraint bandwidth, multicast restraint bandwidth, and
      unknown unicast restraint bandwidth are not set.
   f. Enable MAC address learning for the VSI.
      mac-learning enable
      By default, MAC address learning is enabled for a VSI.
Configuring a VXLAN tunnel
Manually creating a VXLAN tunnel
About manual VXLAN tunnel creation
When you manually create a VXLAN tunnel, specify addresses on the local VTEP and the remote
VTEP as the tunnel source and destination addresses, respectively.
Restrictions and guidelines
As a best practice, do not configure multiple VXLAN tunnels to use the same source and destination
IP addresses.
Make sure the following VXLAN tunnels are not associated with the same VXLAN when they have
the same tunnel destination IP address:
• A VXLAN tunnel automatically created by EVPN.
• A manually created VXLAN tunnel.
For more information about EVPN, see EVPN Configuration Guide.
This task provides basic VXLAN tunnel configuration. For more information about tunnel
configuration and commands, see Layer 3—IP Services Configuration Guide and Layer 3—IP
Services Command Reference.
Procedure
1. Enter system view.
   system-view
2. (Optional.) Specify a global source IP address for VXLAN tunnels.
   tunnel global source-address ip-address
   By default, no global source IP address is specified for VXLAN tunnels.
   A VXLAN tunnel uses the global source address if you do not specify a source interface or
   source address for the tunnel.
3. Create a VXLAN tunnel interface and enter tunnel interface view.
   interface tunnel tunnel-number mode vxlan
   The endpoints of a tunnel must use the same tunnel mode.
4. Specify a source address for the tunnel. Choose one of the following methods:
   ○ Specify a source IP address for the tunnel.
     source ipv4-address
     The specified IP address is used in the outer IP header of tunneled VXLAN packets.
   ○ Specify a source interface for the tunnel.
     source interface-type interface-number
     The primary IP address of the specified interface is used in the outer IP header of tunneled
     VXLAN packets.
   By default, no source IP address or source interface is specified for a tunnel.
   Do not perform this step if you are using OVSDB for VXLAN tunnel management.
   For a multicast-mode VXLAN, the source IP address cannot be a loopback interface's address,
   and the source interface cannot be a loopback interface.
5. Specify a destination IP address for the tunnel.
   destination ipv4-address
   By default, no destination IP address is specified for a tunnel.
   Specify the remote VTEP's IP address. This IP address will be the destination IP address in the
   outer IP header of tunneled VXLAN packets.
Enabling BFD on a VXLAN tunnel
About BFD on a VXLAN tunnel
Enable BFD on both ends of a VXLAN tunnel for quick link connectivity detection. The VTEPs
periodically send BFD single-hop control packets to each other through the VXLAN tunnel. A VTEP
sets the tunnel state to Defect if it has not received control packets from the remote end for 5
seconds. In this situation, the tunnel interface state is still Up. The tunnel state will change from
Defect to Up if the VTEP can receive BFD control packets again.
Restrictions and guidelines
You must enable BFD on both ends of a VXLAN tunnel.
Procedure
1. Enter system view.
   system-view
2. Specify the reserved VXLAN.
   reserved vxlan vxlan-id
   By default, no VXLAN has been reserved.
   For BFD sessions to come up, you must reserve a VXLAN.
   You can specify only one reserved VXLAN on the VTEP. The reserved VXLAN cannot be the
   VXLAN created on any VSI.
   The reserved VXLAN ID cannot be the same as the remote VXLAN ID specified by using the
   mapping vni command. For more information about the mapping vni command, see
   EVPN Command Reference.
3. Enter VXLAN tunnel interface view.
   interface tunnel tunnel-number
4. Enable BFD on the tunnel.
   tunnel bfd enable destination-mac mac-address
   By default, BFD is disabled on a tunnel.
Manually assigning VXLAN tunnels to a VXLAN
About VXLAN tunnel manual assignment
To provide Layer 2 connectivity for a VXLAN between two sites, you must assign the VXLAN tunnel
between the sites to the VXLAN.
You can assign multiple VXLAN tunnels to a VXLAN, and configure a VXLAN tunnel to trunk multiple
VXLANs. For a unicast-mode VXLAN, the system floods unknown unicast, multicast, and broadcast
traffic to each tunnel associated with the VXLAN. If a flood proxy server is used, the VTEP sends
flood traffic to the server through the flood proxy tunnel. The flood proxy server replicates and
forwards flood traffic to remote VTEPs.
Restrictions and guidelines
For full Layer 2 connectivity in the VXLAN, make sure the VXLAN contains the VXLAN tunnel
between each pair of sites in the VXLAN.
Procedure
1. Enter system view.
   system-view
2. Enter VSI view.
   vsi vsi-name
3. Enter VXLAN view.
   vxlan vxlan-id
4. Assign VXLAN tunnels to the VXLAN.
   tunnel { tunnel-number [ backup-tunnel tunnel-number | flooding-proxy ] | all }
   By default, a VXLAN does not contain any VXLAN tunnels.

   Parameter | Description
   backup-tunnel tunnel-number | Specifies a backup tunnel. When the primary VXLAN tunnel is operating correctly, the backup VXLAN tunnel does not forward traffic. When the primary VXLAN tunnel goes down, traffic is switched to the backup VXLAN tunnel.
   flooding-proxy | Enables flood proxy on a tunnel for it to send flood traffic to the flood proxy server. The flood proxy server replicates and forwards flood traffic to remote VTEPs.
Assigning customer frames to a VSI
Restrictions and guidelines for configuring different traffic
assignment methods
VLAN-based VXLAN assignment is mutually exclusive with the manually created Ethernet service
instances. To manually create Ethernet service instances, you must first disable VLAN-based
VXLAN assignment by using the undo vxlan vlan-based command. To enable VLAN-based
VXLAN assignment, you must first delete all Ethernet service instances.
Mapping a static Ethernet service instance to a VSI
About static Ethernet service instance mappings
A static Ethernet service instance matches a list of VLANs on a site-facing interface. The VTEP
assigns customer traffic from the VLANs to a VXLAN by mapping the Ethernet service instance to a
VSI.
Restrictions and guidelines
You can create static Ethernet service instances on both a Layer 2 aggregate interface and its
member ports and map the Ethernet service instances to VSIs. However, the Ethernet service
instances on the aggregation member ports are down. For the Ethernet service instances to come up,
you must remove the aggregation member ports from the aggregation group.
For information about the frame match criterion configuration restrictions and guidelines of Ethernet
service instances, see VXLAN Command Reference.
Procedure
1. Enter system view.
   system-view
2. Enter interface view.
   ○ Enter Layer 2 Ethernet interface view.
     interface interface-type interface-number
   ○ Enter Layer 2 aggregate interface view.
     interface bridge-aggregation interface-number
3. Create an Ethernet service instance and enter Ethernet service instance view.
   service-instance instance-id
4. Configure a frame match criterion. Choose one of the following options:
   ○ Match frames tagged with the specified outer 802.1Q VLAN IDs.
     encapsulation s-vid vlan-id [ only-tagged ]
     encapsulation s-vid vlan-id-list
   ○ Match frames tagged with the specified outer and inner 802.1Q VLAN IDs.
     encapsulation s-vid vlan-id-list c-vid vlan-id
     encapsulation s-vid vlan-id c-vid { vlan-id | all }
   ○ Match any 802.1Q tagged or untagged frames.
     encapsulation { tagged | untagged }
   ○ Match frames that do not match any other service instance on the interface.
     encapsulation default
     An interface can contain only one Ethernet service instance that uses the
     encapsulation default match criterion.
     An Ethernet service instance that uses the encapsulation default match criterion
     matches any frames if it is the only instance on the interface.
   By default, an Ethernet service instance does not contain a frame match criterion.
5. (Optional.) Configure the VLAN tag processing rule for incoming traffic.
   rewrite inbound tag { remark 1-to-1 s-vid vlan-id | strip s-vid }
   By default, VLAN tags of incoming traffic are not processed.
6. (Optional.) Configure the VLAN tag processing rule for outgoing traffic.
   rewrite outbound tag nest s-vid vlan-id
   By default, VLAN tags of outgoing traffic are not processed.
7. (Optional.) Set the bandwidth limit for the Ethernet service instance.
   bandwidth bandwidth
   By default, no bandwidth limit is set for an Ethernet service instance.
8. Map the Ethernet service instance to a VSI.
   xconnect vsi vsi-name [ access-mode { ethernet | vlan } ] [ track track-entry-number&<1-3> ]
   By default, an Ethernet service instance is not mapped to any VSI.
Configuring VLAN-based VXLAN assignment
About VLAN-based VXLAN assignment
VLAN-based VXLAN assignment enables the device to assign all traffic of a VLAN to a VXLAN. If
you enable this feature and map a VLAN to a VXLAN, the device automatically performs the
following operations:
1. Creates an Ethernet service instance that uses the VLAN ID as its instance ID on each interface
   in the VLAN. The matching outer VLAN ID of the Ethernet service instances is the VLAN ID.
2. Maps the Ethernet service instances to the VSI of the VXLAN.
Restrictions and guidelines
Do not configure this feature together with EVPN distributed relay. For information about EVPN
distributed relay, see EVPN Configuration Guide.
If you map a VLAN to a VXLAN, the VTEP cannot perform non-VXLAN Layer 2 forwarding in the
VLAN. The VLAN interface of the VLAN cannot perform Layer 3 forwarding, either.
The Ethernet service instance creation or deletion time is affected by the number of VLANs mapped
to a VXLAN and the number of trunk ports assigned to the VLANs. The larger the numbers, the
longer the time. During AC creation or deletion, other operations are queued.
Prerequisites
Use the vxlan command to create the VXLAN to which a VLAN is mapped.
Procedure
1. Enter system view.
   system-view
2. Enable VLAN-based VXLAN assignment.
   vxlan vlan-based
   By default, VLAN-based VXLAN assignment is disabled.
3. Create a VLAN and enter VLAN view.
   vlan vlan-id
   Do not specify VLAN 1 for VLAN-based VXLAN assignment.
4. Map the VLAN to a VXLAN.
   vxlan vni vxlan-id
   By default, a VLAN is not mapped to a VXLAN.
   Do not map a VLAN to the L3 VXLAN ID of EVPN.
Managing MAC address entries
About MAC address entry management
Local-MAC address entries can be manually added or dynamically learned. You can log local MAC
addresses and local-MAC changes.
Remote-MAC address entries have a variety of types, including manually added entries and
dynamically learned entries.
Configuring static MAC address entries
Restrictions and guidelines
Do not configure static remote-MAC entries for VXLAN tunnels that are automatically established by
using EVPN.
• EVPN re-establishes VXLAN tunnels if the transport-facing interface goes down and then
  comes up. If you have configured static remote-MAC entries, the entries are deleted when the
  tunnels are re-established.
• EVPN re-establishes VXLAN tunnels if you perform configuration rollback. If the tunnel IDs
  change during tunnel re-establishment, configuration rollback fails, and static remote-MAC
  entries on the tunnels cannot be restored.
For more information about EVPN, see EVPN Configuration Guide.
Procedure
1. Enter system view.
   system-view
2. Add a static local-MAC address entry.
   mac-address static mac-address interface interface-type interface-number service-instance instance-id vsi vsi-name
   For successful configuration, make sure the Ethernet service instance has been mapped to the
   VSI.
3. Add a static remote-MAC address entry.
   mac-address static mac-address interface tunnel tunnel-number vsi vsi-name
   For the setting to take effect, make sure the VSI's VXLAN has been specified on the VXLAN
   tunnel.
Disabling remote-MAC address learning
About disabling remote-MAC address learning
When network attacks occur, disable remote-MAC address learning to prevent the device from
learning incorrect remote MAC addresses. You can manually add static remote-MAC address
entries.
Procedure
1. Enter system view.
   system-view
2. Disable remote-MAC address learning.
   vxlan tunnel mac-learning disable
   By default, remote-MAC address learning is enabled.
Enabling local-MAC logging
About local-MAC logging
When the local-MAC logging feature is enabled, the VXLAN module immediately sends a log
message with its local MAC addresses to the information center. When a local MAC address is
added or removed, a log message is also sent to the information center to notify the local-MAC
change.
With the information center, you can set log message filtering and output rules, including output
destinations. For more information about configuring the information center, see Network
Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
   system-view
2. Enable local-MAC logging.
   vxlan local-mac report
   By default, local-MAC logging is disabled.
Setting the MAC learning priority of an Ethernet service instance
About the MAC learning priority of Ethernet service instances
A VSI uses the MAC learning priority to control MAC address learning of its Ethernet service
instances. An Ethernet service instance with high MAC learning priority takes precedence over an
Ethernet service instance with low MAC learning priority when they learn the same MAC address.
For example:
• A MAC address entry of a high-priority Ethernet service instance can be overwritten only when
  the MAC address is learned on another high-priority Ethernet service instance.
• A MAC address entry of a low-priority Ethernet service instance is overwritten when the MAC
  address is learned on a high-priority Ethernet service instance or another low-priority Ethernet
  service instance.
Procedure
1. Enter system view.
   system-view
2. Enter interface view.
   ○ Enter Layer 2 Ethernet interface view.
     interface interface-type interface-number
   ○ Enter Layer 2 aggregate interface view.
     interface bridge-aggregation interface-number
3. Enter Ethernet service instance view.
   service-instance instance-id
4. Set the MAC learning priority of the Ethernet service instance.
   mac-address mac-learning priority { high | low }
   By default, the MAC learning priority of an Ethernet service instance is low.
   This setting takes effect only after the Ethernet service instance is mapped to a VSI.
Setting the VXLAN Layer 2 forwarding mode and the MAC learning mode
About the VXLAN Layer 2 forwarding mode and the MAC learning mode
By default, a VTEP uses MAC forwarding mode, which means forwarding Layer 2 traffic based on
the destination MAC address. If the network contains a large number of user terminals, use
double-VID or SVID-only forwarding mode to reduce the MAC address table size and avoid
forwarding failure caused by MAC address conflicts. For correct forwarding, make sure the traffic of a
VLAN is forwarded along the same path.
In double-VID or SVID-only forwarding mode, a VTEP forwards the traffic received from an Ethernet
service instance or VXLAN tunnel based on the VLAN information. The VTEP can perform MAC
address table lookup based on the outer VLAN ID or both the inner and outer VLAN IDs. If
double-VID or SVID-only forwarding mode is used, make sure the VSI's MAC address table contains
VLAN-based MAC address entries. The entries can be manually created or dynamically learned.
The device supports the following MAC learning modes for Ethernet service instances and VXLAN
tunnels:
• Source MAC learning mode—The device generates MAC address entries based on the
  source MAC addresses of data frames.
• SVID-only learning mode—The device generates MAC address entries based on the outer
  VLAN IDs (SVLAN tags) of data frames. The MAC address in a MAC address entry uses the
  0-SVLAN tag-0 format.
• Double-VID learning mode—The device generates MAC address entries based on the inner
  and outer VLAN IDs (CVLAN and SVLAN tags) of data frames. The MAC address in a MAC
  address entry uses the 0-SVLAN tag-CVLAN tag format.
In any of the learning modes, the outgoing interface in a MAC address entry is the Ethernet service
instance or VXLAN tunnel interface where the entry is learned.
For correct forwarding, the VXLAN tunnels and Ethernet service instances of a VSI must use
matching MAC learning modes and VXLAN Layer 2 forwarding modes. For example, if a VSI has an
Ethernet service instance and a VXLAN tunnel, the following requirements must be met:
• If the Ethernet service instance uses MAC forwarding mode, the VXLAN tunnel must use
  source MAC learning mode. If the VXLAN tunnel uses MAC forwarding mode, the Ethernet
  service instance must use source MAC learning mode.
• If the Ethernet service instance uses SVID-only forwarding mode, the VXLAN tunnel must use
  SVID-only learning mode. If the VXLAN tunnel uses SVID-only forwarding mode, the Ethernet
  service instance must use SVID-only learning mode.
• If the Ethernet service instance uses double-VID forwarding mode, the VXLAN tunnel must use
  double-VID learning mode. If the VXLAN tunnel uses double-VID forwarding mode, the
  Ethernet service instance must use double-VID learning mode.
Restrictions and guidelines for the VXLAN Layer 2 forwarding mode and the MAC learning mode
As a best practice to avoid forwarding failure, use the following settings:
• Enable MAC forwarding mode and double-VID or SVID-only learning mode on Ethernet service
  instances.
• Enable double-VID or SVID-only forwarding mode and source MAC learning mode on VXLAN
  tunnels.
When VXLAN tunnels use double-VID or SVID-only forwarding mode, Ethernet service instances of
the same VSI must use the Ethernet access mode.
Prerequisites for the VXLAN Layer 2 forwarding mode and the MAC learning mode
Before you set the VXLAN Layer 2 forwarding mode, execute the mac-address mac-learning
ingress command in system view. For more information about the command, see MAC address
table commands in Layer 2—LAN Switching Command Reference.
Setting the VXLAN Layer 2 forwarding mode and the MAC learning mode for an Ethernet service instance
1. Enter system view.
   system-view
2. Enter interface view.
   ○ Enter Layer 2 Ethernet interface view.
     interface interface-type interface-number
   ○ Enter Layer 2 aggregate interface view.
     interface bridge-aggregation interface-number
3. Enter Ethernet service instance view.
   service-instance instance-id
4. Set the VXLAN Layer 2 forwarding mode.
   forwarding mode { double-vid | mac | svid-only }
   By default, MAC forwarding mode is used.
5. Configure static or dynamic MAC address entry settings.
   ○ Configure a static VLAN-based MAC address entry.
     vlan-forwarding static s-vid vlan-id [ c-vid vlan-id ]
     The MAC address in a static VLAN-based MAC address entry uses the 0-SVLAN
     tag-CVLAN tag or 0-SVLAN tag-0 format. The outgoing interface in the entry is the
     Ethernet service instance where the entry is configured.
   ○ Set the MAC learning mode.
     learning mode { disable | double-vid | mac | svid-only }
     By default, source MAC learning mode is enabled.
     If an Ethernet service instance on a Layer 2 Ethernet interface uses source MAC,
     double-VID, or SVID-only learning mode, MAC address learning must be enabled on the
     interface.
Setting the VXLAN Layer 2 forwarding mode and the MAC learning mode for a VXLAN tunnel
1. Enter system view.
   system-view
2. Enter tunnel interface view.
   interface tunnel tunnel-number [ mode vxlan ]
3. Set the VXLAN Layer 2 forwarding mode.
   forwarding mode { double-vid | mac | svid-only }
   By default, MAC forwarding mode is used.
4. Configure static or dynamic MAC address entry settings.
   ○ Execute the following commands in sequence to configure a static VLAN-based MAC
     address entry.
     quit
     mac-address static mac-address interface tunnel tunnel-number vsi vsi-name
     The MAC address in a static VLAN-based MAC address entry uses the 0-SVLAN
     tag-CVLAN tag or 0-SVLAN tag-0 format.
   ○ Set the MAC learning mode.
     learning mode { disable | double-vid | mac | svid-only }
     By default, source MAC learning mode is enabled.
     If a VXLAN tunnel uses source MAC, double-VID, or SVID-only learning mode,
     remote-MAC address learning must be enabled on the tunnel.
Configuring VXLAN over VXLAN
About VXLAN over VXLAN
By default, the device de-encapsulates an incoming VXLAN packet if the packet's destination UDP
port number is the VXLAN destination UDP port number (configured by using vxlan udp-port).
For VXLAN packets received from a non-transport-facing interface on the device to traverse the
VXLAN network through VXLAN tunnels, perform the following tasks on the interface:
• Enable VXLAN over VXLAN.
• Configure Ethernet service instance and VSI settings for matching the VXLAN packets.
When receiving VXLAN packets on the interface, the device adds a second layer of VXLAN
encapsulation to the packets and forwards them over VXLAN tunnels.
Restrictions and guidelines
An interface enabled with VXLAN over VXLAN does not de-encapsulate incoming VXLAN packets.
Do not enable this feature on a transport-facing interface.
For an aggregate interface, you do not need to enable VXLAN over VXLAN on its member ports if
this feature is already enabled on that aggregate interface.
Procedure
1. Enter system view.
   system-view
2. Enter interface view.
   ○ Enter Layer 2 Ethernet interface view.
     interface interface-type interface-number
   ○ Enter Layer 2 aggregate interface view.
     interface bridge-aggregation interface-number
3. Enable VXLAN over VXLAN.
   vxlan-over-vxlan enable
   By default, VXLAN over VXLAN is disabled on an interface.
Configuring a multicast-mode VXLAN
About multicast methods for multicast-mode VXLANs
A multicast-mode VXLAN supports the following multicast methods:
• PIM—VTEPs and transport network devices run PIM to generate multicast forwarding entries.
  To forward multicast traffic correctly, you must use the source IP address of an up VXLAN
  tunnel as the source IP address of multicast VXLAN packets. As a best practice, use the source
  IP address of a VXLAN tunnel that uses the IP address of a loopback interface. If the VTEP has
  multiple transport-facing interfaces, PIM dynamically selects the outgoing interfaces for
  multicast VXLAN packets.
• IGMP host—VTEPs and transport network devices run PIM and IGMP to generate multicast
  forwarding entries.
  ○ Transport-facing interfaces of VTEPs act as IGMP hosts.
  ○ Transport network devices connected to a VTEP run IGMP.
  ○ All transport network devices run PIM.
  On a VTEP, you must use the IP address of the transport-facing interface as the source IP
  address for multicast VXLAN packets. If the VTEP has multiple transport-facing interfaces,
  multicast VXLAN packets are sent to the transport network through the interface that provides
  the source IP address for multicast VXLAN packets.
VTEPs in a multicast-mode VXLAN can use different multicast methods.
Prerequisites for multicast-mode VXLANs
For a multicast-mode VXLAN to flood traffic, you must perform the following tasks in addition to
multicast-mode configuration:
• Enable IP multicast routing on all VTEPs and transport network devices.
• Configure a multicast routing protocol on transport network devices. A VTEP can be both a
  multicast source and multicast group member. As a best practice, use BIDIR-PIM.
• Enable IGMP on transport network devices that are connected to an IGMP host-enabled VTEP.
Configuring a multicast-mode VXLAN that uses the PIM method
1. Enter system view.
   system-view
2. Enter VSI view.
   vsi vsi-name
3. Enter VXLAN view.
   vxlan vxlan-id
4. Assign a multicast group address for flood traffic, and specify a source IP address for multicast
   VXLAN packets.
   group group-address source source-address
   By default, a VXLAN uses unicast mode for flood traffic. No multicast group address or source
   IP address is specified for multicast VXLAN packets.
   You must assign all VTEPs in a multicast-mode VXLAN to the same multicast group.
5. Enter interface view.
   interface interface-type interface-number
   Enable PIM on the loopback interface and all transport-facing interfaces.
6. Enable PIM. Choose one of the following modes:
   ○ Enable PIM-SM.
     pim sm
   ○ Enable PIM-DM.
     pim dm
   By default, PIM is disabled on an interface.
Configuring a multicast-mode VXLAN that uses the IGMP host method
1. Enter system view.
   system-view
2. Enter VSI view.
   vsi vsi-name
3. Enter VXLAN view.
   vxlan vxlan-id
4. Assign a multicast group address for flood traffic, and specify a source IP address for multicast
   VXLAN packets.
   group group-address source source-address
   By default, a VXLAN uses unicast mode for flood traffic. No multicast group address or source
   IP address is specified for multicast VXLAN packets.
   You must assign all VTEPs in a multicast-mode VXLAN to the same multicast group.
5. Enter the view of the transport-facing interface.
   interface interface-type interface-number
6. Enable the IGMP host feature.
   igmp host enable
   By default, the IGMP host feature is disabled on an interface.
   The IGMP host feature enables the interface to send IGMP reports in response to IGMP queries
   before it can receive traffic from the multicast group.
Setting the destination UDP port number of VXLAN packets
1. Enter system view.
   system-view
2. Set a destination UDP port for VXLAN packets.
   vxlan udp-port port-number
   By default, the destination UDP port number is 4789 for VXLAN packets.
   You must configure the same destination UDP port number on all VTEPs in a VXLAN.
Configuring VXLAN packet check
About VXLAN packet check
The device can check the UDP checksum and 802.1Q VLAN tags of each received VXLAN packet.
• UDP checksum check—The device always sets the UDP checksum of VXLAN packets to zero.
  For compatibility with third-party devices, a VXLAN packet can pass the check if its UDP
  checksum is zero or correct. If its UDP checksum is incorrect, the VXLAN packet fails the check
  and is dropped.
• VLAN tag check—The device checks the inner Ethernet header of each VXLAN packet for
  802.1Q VLAN tags. If the header contains 802.1Q VLAN tags, the device drops the packet.
Restrictions and guidelines
If a remote VTEP uses the Ethernet access mode, its VXLAN packets might contain 802.1Q VLAN
tags. To prevent the local VTEP from dropping the VXLAN packets, do not execute the vxlan
invalid-vlan-tag discard command on the local VTEP.
The access mode is configurable by using the xconnect vsi command.
Procedure
1. Enter system view.
   system-view
2. Enable the VTEP to drop VXLAN packets that fail UDP checksum check.
   vxlan invalid-udp-checksum discard
   By default, the VTEP does not check the UDP checksum of VXLAN packets.
3. Enable the VTEP to drop VXLAN packets that have 802.1Q VLAN tags in the inner Ethernet
   header.
   vxlan invalid-vlan-tag discard
   By default, the VTEP does not check the inner Ethernet header for 802.1Q VLAN tags.
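The two checks described in this section, written out as an added Python example (not HPE code) that can be run against captured outer UDP datagrams to predict which packets a VTEP with these commands enabled would drop. It assumes an IPv4 transport network and the RFC 7348 header layout; the function names, the set of TPIDs treated as VLAN tags, the "malformed" sanity checks and the sample frames are assumptions made for the example.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789              # default destination UDP port stated in this guide
VLAN_TPIDS = {0x8100, 0x88A8}      # assumption: TPIDs counted as 802.1Q VLAN tags


def _fold_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the UDP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip, dst_ip, udp_len):
    """IPv4 pseudo header that is covered by the UDP checksum."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 17, udp_len))


def check_vxlan_packet(src_ip, dst_ip, udp, discard_bad_checksum=False,
                       discard_vlan_tag=False, udp_port=VXLAN_UDP_PORT):
    """Return (verdict, vni) for one outer UDP datagram.

    The two flags mirror `vxlan invalid-udp-checksum discard` and
    `vxlan invalid-vlan-tag discard`; both are off by default, as on the device.
    """
    if len(udp) < 8 + 8 + 14:                  # UDP + VXLAN + inner Ethernet headers
        return ("malformed", None)             # sanity check added for the example
    _sport, dport, length, stored = struct.unpack("!HHHH", udp[:8])
    if dport != udp_port:
        return ("ignore:not-vxlan", None)
    if length != len(udp) or not udp[8] & 0x08:    # RFC 7348: I flag must be set
        return ("malformed", None)
    vni = int.from_bytes(udp[12:15], "big")
    # Checksum check: zero passes, a correct value passes, anything else fails.
    if discard_bad_checksum and stored != 0:
        if _fold_sum(_pseudo_header(src_ip, dst_ip, len(udp)) + udp) != 0xFFFF:
            return ("drop:udp-checksum", vni)
    # VLAN tag check: the EtherType of the inner frame follows the two MAC addresses.
    inner_ethertype = struct.unpack("!H", udp[28:30])[0]
    if discard_vlan_tag and inner_ethertype in VLAN_TPIDS:
        return ("drop:inner-vlan-tag", vni)
    return ("pass", vni)


def build_vxlan_udp(src_ip, dst_ip, vni, inner_frame, checksum="zero"):
    """Construct a sample datagram; checksum is 'zero', 'correct' or 'bad'."""
    body = struct.pack("!B3s3sB", 0x08, b"\x00" * 3, vni.to_bytes(3, "big"), 0) + inner_frame
    length = 8 + len(body)
    header = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, length, 0)
    if checksum == "zero":
        return header + body
    summed = _fold_sum(_pseudo_header(src_ip, dst_ip, length) + header + body)
    correct = (~summed) & 0xFFFF or 0xFFFF     # a computed 0 is sent as 0xFFFF
    value = correct if checksum == "correct" else ((correct + 1) & 0xFFFF or 1)
    return struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, length, value) + body


# Constructed inner frames: one untagged, one carrying an 802.1Q tag (VLAN 100),
# as a remote VTEP in Ethernet access mode might send.
_MACS = bytes.fromhex("00005e005307") + bytes.fromhex("00005e005301")
UNTAGGED = _MACS + struct.pack("!H", 0x0800) + b"constructed"
TAGGED = _MACS + struct.pack("!HH", 0x8100, 100) + struct.pack("!H", 0x0800) + b"constructed"

if __name__ == "__main__":
    a, b = "192.0.2.1", "192.0.2.2"
    for label, frame, mode in (("zero", UNTAGGED, "zero"), ("correct", UNTAGGED, "correct"),
                               ("bad", UNTAGGED, "bad"), ("tagged", TAGGED, "zero")):
        pkt = build_vxlan_udp(a, b, 10, frame, mode)
        print(label, check_vxlan_packet(a, b, pkt, True, True))
```

With both flags left at their defaults, every sample passes, which matches the device's default of not performing either check.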
Disabling flooding for a VSI
About VSI flooding
By default, the VTEP floods broadcast, unknown unicast, and unknown multicast frames received
from the local site to the following interfaces in the frame's VXLAN:
• All site-facing interfaces except for the incoming interface.
• All VXLAN tunnel interfaces.
When receiving broadcast, unknown unicast, and unknown multicast frames on VXLAN tunnel
interfaces, the device floods the frames to all site-facing interfaces in the frames' VXLAN.
To confine a kind of flood traffic, disable flooding for that kind of flood traffic on the VSI bound to the
VXLAN.
To exclude a remote MAC address from the remote flood suppression done by using this feature,
enable selective flood for the MAC address. The VTEP will flood the frames destined for the MAC
address to remote sites.
Procedure
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Disable flooding for the VSI.
flooding disable { all | { broadcast | unknown-multicast | unknown-unicast } * } [ all-direction | dci ]
By default, flooding is enabled for a VSI.
If VXLAN-DCI is configured, flood traffic is also sent out of VXLAN-DCI tunnel interfaces. To
confine flood traffic to the site-facing interfaces and VXLAN tunnels within a data center, you
can specify the dci keyword to disable flooding only to VXLAN-DCI tunnel interfaces.
The all-direction keyword disables flooding traffic received from an AC or VXLAN tunnel
interface to any other ACs and VXLAN tunnel interfaces of the same VSI. If VXLAN-DCI is
configured, this keyword also disables flooding between VXLAN tunnel interfaces and
VXLAN-DCI tunnel interfaces.
4. (Optional.) Enable selective flood for a MAC address.
selective-flooding mac-address mac-address
Enabling ARP flood suppression
Restrictions and guidelines
The aging timer is fixed at 25 minutes for ARP flood suppression entries. If the suppression table is
full, the VTEP stops learning new entries. For the VTEP to learn new entries, you must wait for old
entries to age out, or use the reset arp suppression vsi command to clear the table.
If the flooding disable command is configured, set the MAC aging timer to a higher value than
the aging timer for ARP flood suppression entries on all VTEPs. This setting prevents the traffic
blackhole that occurs when a MAC address entry ages out before its ARP flood suppression entry
ages out. To set the MAC aging timer, use the mac-address timer command.
When remote ARP learning is disabled for VXLANs, the device does not use ARP flood suppression
entries to respond to ARP requests received on VXLAN tunnels.
Procedure
1. Enter system view.
system-view
2. (Optional.) Enable the device to generate dynamic IPv4SG bindings based on ARP flood
suppression entries.
arp suppression ip-source-binding record
By default, the device does not generate dynamic IPv4SG bindings based on ARP flood
suppression entries.
After you execute this command, the device notifies the IP source guard module of ARP flood
suppression entries for it to generate dynamic IPv4SG bindings based on these entries. These
bindings are sent to controllers for the controllers to have user online and offline information.
They are not used for packet filtering. For more information about IP source guard, see Security
Configuration Guide.
3. Enter VSI view.
vsi vsi-name
4. Enable ARP flood suppression.
arp suppression enable
By default, ARP flood suppression is disabled.
Enabling VXLAN packet statistics
Enabling packet statistics for a VSI
Restrictions and guidelines
To display the packet statistics for a VSI, use the display l2vpn vsi verbose command in any
view.
To clear the packet statistics for a VSI, use the reset l2vpn statistics vsi command in user
view.
Procedure
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Enable packet statistics for the VSI.
statistics enable
By default, the packet statistics feature is disabled for all VSIs.
Enabling packet statistics for an AC
Restrictions and guidelines
For the statistics enable command to take effect on an Ethernet service instance, you must
configure a frame match criterion for the Ethernet service instance and map it to a VSI. When you
modify the frame match criterion or VSI mapping, the packet statistics of the instance are cleared.
Enabling packet statistics for an Ethernet service instance
1. Enter system view.
system-view
2. Enter interface view.
  ◦ Enter Layer 2 Ethernet interface view.
  interface interface-type interface-number
  ◦ Enter Layer 2 aggregate interface view.
  interface bridge-aggregation interface-number
3. Enter Ethernet service instance view.
service-instance instance-id
4. Enable packet statistics for the Ethernet service instance.
statistics enable
By default, the packet statistics feature is disabled for all Ethernet service instances.
Enabling packet statistics for Ethernet service instances of a VLAN
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Enable packet statistics for Ethernet service instances of the VLAN.
ac statistics enable
By default, packet statistics are disabled for Ethernet service instances of a VLAN.
This feature enables packet statistics for the Ethernet service instances automatically created
for VLAN-based VXLAN assignment. Before you enable this feature, you must use the vxlan
vlan-based command to enable VLAN-based VXLAN assignment.
Enabling packet statistics for VXLAN tunnels
About packet statistics of VXLAN tunnels
VXLAN tunnels can be manually or automatically created. For manually created VXLAN tunnels, you
can enable packet statistics on a per-tunnel interface basis. For automatically created VXLAN
tunnels, you can enable packet statistics globally in system view.
To display the packet statistics for a VXLAN tunnel, use the display interface tunnel
command in any view.
To clear the packet statistics for a VXLAN tunnel, use the reset counters interface tunnel
command in user view.
Enabling packet statistics for a manually created VXLAN tunnel
1. Enter system view.
system-view
2. Enter VXLAN tunnel interface view.
interface tunnel tunnel-number [ mode vxlan ]
3. Enable packet statistics for the tunnel.
statistics enable
By default, the packet statistics feature is disabled for manually created VXLAN tunnels.
Enabling packet statistics for automatically created VXLAN tunnels
1. Enter system view.
system-view
2. Enable packet statistics for automatically created VXLAN tunnels.
tunnel statistics vxlan auto
By default, the packet statistics feature is disabled for automatically created VXLAN tunnels.
This command enables the device to collect packet statistics for all VXLAN tunnels that are
automatically created by EVPN or OVSDB. For more information about EVPN, see EVPN
Configuration Guide. For more information about OVSDB, see "Configuring the VTEP as an
OVSDB VTEP."
Testing the reachability of a remote VM
About testing the reachability of remote VMs
This feature enables the device to test the reachability of a remote VM by simulating a local VM to
send ICMP echo requests. The requests are encapsulated in Layer 2 data frames and then sent to
the remote VM in the specified VXLAN. The device determines the reachability of the remote VM
based on the response time and the number of received ICMP echo replies.
Restrictions and guidelines
An EVPN VTEP does not support this feature when configured with EVPN distributed relay. For more
information about EVPN distributed relay, see EVPN Configuration Guide.
Procedure
Execute the following command in any view to test the reachability of a remote VM:
emulate-ping vxlan [ -c count | -m interval | -s packet-size | -t time-out ] * vxlan-id vxlan-id source-mac mac-address destination-mac mac-address
Display and maintenance commands for VXLANs
Execute display commands in any view and reset commands in user view.
Task: Display ARP flood suppression entries on VSIs.
Command: display arp suppression vsi [ name vsi-name ] [ slot slot-number ] [ count ]

Task: Display the VXLAN hardware resource mode.
Command: display hardware-resource [ vxlan ]

Task: Display information about the multicast groups that contain IGMP host-enabled interfaces.
Command: display igmp host group [ group-address | interface interface-type interface-number ] [ verbose ]

Task: Display information about tunnel interfaces.
Command: display interface [ tunnel [ number ] ] [ brief [ description | down ] ]

Task: Display MAC address entries for VSIs.
Command: display l2vpn mac-address [ vsi vsi-name ] [ dynamic ] [ count | verbose ]

Task: Display information about Ethernet service instances.
Command: display l2vpn service-instance [ interface interface-type interface-number [ service-instance instance-id ] ] [ verbose ]

Task: Display information about VSIs.
Command: display l2vpn vsi [ name vsi-name ] [ verbose ]

Task: Display VXLAN tunnel information for VXLANs.
Command: display vxlan tunnel [ vxlan vxlan-id ]

Task: Clear ARP flood suppression entries on VSIs.
Command: reset arp suppression vsi [ name vsi-name ]

Task: Clear dynamic MAC address entries on VSIs.
Command: reset l2vpn mac-address [ vsi vsi-name ]

Task: Clear packet statistics on ACs.
Command: reset l2vpn statistics ac [ interface interface-type interface-number [ service-instance instance-id ] ]

Task: Clear packet statistics on VSIs.
Command: reset l2vpn statistics vsi [ name vsi-name ]

NOTE:
For more information about the display interface tunnel command, see tunneling
commands in Layer 3—IP Services Command Reference.
VXLAN configuration examples
Example: Configuring a unicast-mode VXLAN
Network configuration
As shown in Figure 10:
• Configure VXLAN 10 as a unicast-mode VXLAN on Switch A, Switch B, and Switch C to provide
Layer 2 connectivity for the VMs across the network sites.
• Manually establish VXLAN tunnels and assign the tunnels to VXLAN 10.
• Enable remote-MAC address learning.
Figure 10 Network diagram
[Figure not reproduced. Labels: Switch A (Loop0 1.1.1.1/32), Switch B (Loop0 2.2.2.2/32), Switch C (Loop0 3.3.3.3/32), and Switch D in the transport network, linked through VLAN-interfaces 11, 12, and 13; Server 1/VM 1, Server 2/VM 2, and Server 3/VM 3 in VLAN 2 on WGE1/0/1.]
Procedure
1. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 10. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D). (Details not shown.)
2. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Create VSI vpna and VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnels to Switch B and Switch C.
[SwitchA] interface loopback 0
[SwitchA-Loopback0] ip address 1.1.1.1 255.255.255.255
[SwitchA-Loopback0] quit
# Create a VXLAN tunnel to Switch B. The tunnel interface name is Tunnel 1.
[SwitchA] interface tunnel 1 mode vxlan
[SwitchA-Tunnel1] source 1.1.1.1
[SwitchA-Tunnel1] destination 2.2.2.2
[SwitchA-Tunnel1] quit
# Create a VXLAN tunnel to Switch C. The tunnel interface name is Tunnel 2.
[SwitchA] interface tunnel 2 mode vxlan
[SwitchA-Tunnel2] source 1.1.1.1
[SwitchA-Tunnel2] destination 3.3.3.3
[SwitchA-Tunnel2] quit
# Assign Tunnel 1 and Tunnel 2 to VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] tunnel 1
[SwitchA-vsi-vpna-vxlan-10] tunnel 2
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchA-Twenty-FiveGigE1/0/1] quit
3. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Create VSI vpna and VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnels to Switch A and Switch C.
[SwitchB] interface loopback 0
[SwitchB-Loopback0] ip address 2.2.2.2 255.255.255.255
[SwitchB-Loopback0] quit
# Create a VXLAN tunnel to Switch A. The tunnel interface name is Tunnel 2.
[SwitchB] interface tunnel 2 mode vxlan
[SwitchB-Tunnel2] source 2.2.2.2
[SwitchB-Tunnel2] destination 1.1.1.1
[SwitchB-Tunnel2] quit
# Create a VXLAN tunnel to Switch C. The tunnel interface name is Tunnel 3.
[SwitchB] interface tunnel 3 mode vxlan
[SwitchB-Tunnel3] source 2.2.2.2
[SwitchB-Tunnel3] destination 3.3.3.3
[SwitchB-Tunnel3] quit
# Assign Tunnel 2 and Tunnel 3 to VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] tunnel 2
[SwitchB-vsi-vpna-vxlan-10] tunnel 3
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchB] interface twenty-fivegige 1/0/1
[SwitchB-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchB-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchB-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpna
[SwitchB-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchB-Twenty-FiveGigE1/0/1] quit
4. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Create VSI vpna and VXLAN 10.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnels to Switch A and Switch B.
[SwitchC] interface loopback 0
[SwitchC-Loopback0] ip address 3.3.3.3 255.255.255.255
[SwitchC-Loopback0] quit
# Create a VXLAN tunnel to Switch A. The tunnel interface name is Tunnel 1.
[SwitchC] interface tunnel 1 mode vxlan
[SwitchC-Tunnel1] source 3.3.3.3
[SwitchC-Tunnel1] destination 1.1.1.1
[SwitchC-Tunnel1] quit
# Create a VXLAN tunnel to Switch B. The tunnel interface name is Tunnel 3.
[SwitchC] interface tunnel 3 mode vxlan
[SwitchC-Tunnel3] source 3.3.3.3
[SwitchC-Tunnel3] destination 2.2.2.2
[SwitchC-Tunnel3] quit
# Assign Tunnel 1 and Tunnel 3 to VXLAN 10.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] tunnel 1
[SwitchC-vsi-vpna-vxlan-10] tunnel 3
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchC] interface twenty-fivegige 1/0/1
[SwitchC-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpna
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchC-Twenty-FiveGigE1/0/1] quit
Verifying the configuration
1. Verify the VXLAN settings on the VTEPs. This example uses Switch A.
# Verify that the VXLAN tunnel interfaces on the VTEP are up.
[SwitchA] display interface tunnel 1
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 1.1.1.1, destination 2.2.2.2
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the VXLAN tunnels have been assigned to the VXLAN.
[SwitchA] display l2vpn vsi verbose
VSI Name: vpna
  VSI Index               : 0
  VSI State               : Up
  MTU                     : 1500
  Bandwidth               : Unlimited
  Broadcast Restrain      : Unlimited
  Multicast Restrain      : Unlimited
  Unknown Unicast Restrain: Unlimited
  MAC Learning            : Enabled
  MAC Table Limit         : -
  MAC Learning rate       : -
  Drop Unknown            : -
  Flooding                : Enabled
  Statistics              : Disabled
  VXLAN ID                : 10
  Tunnels:
    Tunnel Name          Link ID    State    Type        Flood proxy
    Tunnel1              0x5000001  Up       Manual      Disabled
    Tunnel2              0x5000002  Up       Manual      Disabled
  ACs:
    AC                               Link ID  State       Type
    WGE1/0/1 srv1000                 0        Up          Manual
# Verify that the VTEP has learned the MAC addresses of remote VMs.
<SwitchA> display l2vpn mac-address
MAC Address      State    VSI Name                        Link ID/Name  Aging
cc3e-5f9c-6cdb   Dynamic  vpna                            Tunnel1       Aging
cc3e-5f9c-23dc   Dynamic  vpna                            Tunnel2       Aging
--- 2 mac address(es) found  ---
2. Verify that VM 1, VM 2, and VM 3 can ping each other. (Details not shown.)
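An offline consistency check for the manual tunnel configuration in this example, added here and not part of the HPE guide: it confirms that every VTEP uses the same VXLAN UDP port, that each tunnel is assigned to VXLAN 10, and that each tunnel has a return tunnel on its peer. The `parse_vtep` and `audit` helpers and the faulty `BROKEN` variant (including its port value) are hypothetical and constructed for illustration; the input is the example's commands with the prompts removed.

```python
import re

# Constructed input: the commands from the unicast-mode example, without prompts.
GOOD = {
    "SwitchA": """\
interface tunnel 1 mode vxlan
 source 1.1.1.1
 destination 2.2.2.2
interface tunnel 2 mode vxlan
 source 1.1.1.1
 destination 3.3.3.3
vsi vpna
 vxlan 10
  tunnel 1
  tunnel 2
""",
    "SwitchB": """\
interface tunnel 2 mode vxlan
 source 2.2.2.2
 destination 1.1.1.1
interface tunnel 3 mode vxlan
 source 2.2.2.2
 destination 3.3.3.3
vsi vpna
 vxlan 10
  tunnel 2
  tunnel 3
""",
    "SwitchC": """\
interface tunnel 1 mode vxlan
 source 3.3.3.3
 destination 1.1.1.1
interface tunnel 3 mode vxlan
 source 3.3.3.3
 destination 2.2.2.2
vsi vpna
 vxlan 10
  tunnel 1
  tunnel 3
""",
}
# Constructed faulty variant: Switch C sets a different UDP port and never
# assigns Tunnel 3 to VXLAN 10.
BROKEN = dict(GOOD, SwitchC="vxlan udp-port 8472\n"
              + GOOD["SwitchC"].replace("  tunnel 3\n", ""))


def parse_vtep(text):
    """Collect the UDP port, tunnel endpoints and per-VXLAN tunnel assignments."""
    vtep = {"udp_port": 4789, "tunnels": {}, "assigned": {}}  # 4789 is the default
    view = None  # current CLI view: ("tunnel", number) or ("vxlan", id)
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vxlan udp-port (\d+)", line):
            vtep["udp_port"] = int(m[1])
        elif m := re.fullmatch(r"interface tunnel (\d+) mode vxlan", line):
            view = ("tunnel", int(m[1]))
            vtep["tunnels"][view[1]] = {}
        elif m := re.fullmatch(r"vxlan (\d+)", line):
            view = ("vxlan", int(m[1]))
            vtep["assigned"].setdefault(view[1], set())
        elif view and view[0] == "tunnel" and (
                m := re.fullmatch(r"(source|destination) (\S+)", line)):
            vtep["tunnels"][view[1]][m[1]] = m[2]
        elif view and view[0] == "vxlan" and (m := re.fullmatch(r"tunnel (\d+)", line)):
            vtep["assigned"][view[1]].add(int(m[1]))
        elif line == "quit" or line.startswith(("vsi ", "interface ")):
            view = None
    return vtep


def audit(configs, vxlan_id):
    """Return a list of findings; an empty list means the VTEPs are consistent."""
    vteps = {name: parse_vtep(text) for name, text in configs.items()}
    findings = []
    ports = {name: v["udp_port"] for name, v in vteps.items()}
    if len(set(ports.values())) > 1:
        findings.append(f"udp-port mismatch: {ports}")
    pairs = set()  # (source, destination) of tunnels assigned to the VXLAN
    for name, v in vteps.items():
        for num, t in v["tunnels"].items():
            if num not in v["assigned"].get(vxlan_id, set()):
                findings.append(f"{name}: Tunnel{num} not assigned to VXLAN {vxlan_id}")
            else:
                pairs.add((t.get("source", "?"), t.get("destination", "?")))
    for src, dst in sorted(pairs):
        if (dst, src) not in pairs:
            findings.append(f"no return tunnel for {src} -> {dst} in VXLAN {vxlan_id}")
    return findings


if __name__ == "__main__":
    print(audit(GOOD, 10))
    print("\n".join(audit(BROKEN, 10)))
```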
Example: Configuring a multicast-mode VXLAN
Network configuration
As shown in Figure 11:
• Configure VXLAN 10 as a multicast-mode VXLAN on Switch A, Switch B, and Switch C to
provide Layer 2 connectivity for the VMs across the network sites.
• Manually establish VXLAN tunnels and assign the tunnels to VXLAN 10.
• Enable remote-MAC address learning.
NOTE:
You can use this switch series only as Switch A, Switch B, and Switch C. Switches D through G must
be devices that support BIDIR-PIM.
Figure 11 Network diagram
[Figure not reproduced. Labels: Switch A, Switch B, and Switch C, each with a server (Server 1/VM 1, Server 2/VM 2, Server 3/VM 3) in VLAN 2 on WGE1/0/1; Switch D, Switch E, Switch F (with Loop0), and Switch G in the transport network, linked through VLAN-interfaces 11, 12, 13, 21, 22, and 23.]
Table 1 IP address assignment
Device     Interface           IP address
Switch A   VLAN-interface 11   11.1.1.1/24
Switch B   VLAN-interface 12   12.1.1.2/24
Switch C   VLAN-interface 13   13.1.1.3/24
Switch D   VLAN-interface 11   11.1.1.4/24
           VLAN-interface 21   21.1.1.4/24
Switch E   VLAN-interface 13   13.1.1.5/24
           VLAN-interface 23   23.1.1.5/24
Switch F   VLAN-interface 21   21.1.1.6/24
           VLAN-interface 22   22.1.1.6/24
           VLAN-interface 23   23.1.1.6/24
           Loop 0              6.6.6.6/32
Switch G   VLAN-interface 12   12.1.1.7/24
           VLAN-interface 22   22.1.1.7/24
Procedure
1. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 11. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through G). (Details not shown.)
2. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Enable IP multicast routing.
[SwitchA] multicast routing
[SwitchA-mrib] quit
# Create VSI vpna and VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Assign an IP address to VLAN-interface 11, and enable the IGMP host feature on the
interface. This interface's IP address will be the source IP address of VXLAN packets sent by
the VTEP.
[SwitchA] interface vlan-interface 11
[SwitchA-Vlan-interface11] ip address 11.1.1.1 24
[SwitchA-Vlan-interface11] igmp host enable
[SwitchA-Vlan-interface11] quit
# Create a VXLAN tunnel to Switch B. The tunnel interface name is Tunnel 1.
[SwitchA] interface tunnel 1 mode vxlan
[SwitchA-Tunnel1] source 11.1.1.1
[SwitchA-Tunnel1] destination 12.1.1.2
[SwitchA-Tunnel1] quit
# Create a VXLAN tunnel to Switch C. The tunnel interface name is Tunnel 2.
[SwitchA] interface tunnel 2 mode vxlan
[SwitchA-Tunnel2] source 11.1.1.1
[SwitchA-Tunnel2] destination 13.1.1.3
[SwitchA-Tunnel2] quit
# Assign Tunnel 1 and Tunnel 2 to VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] tunnel 1
[SwitchA-vsi-vpna-vxlan-10] tunnel 2
# Configure the multicast group address and source IP address for multicast VXLAN packets.
[SwitchA-vsi-vpna-vxlan-10] group 225.1.1.1 source 11.1.1.1
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchA-Twenty-FiveGigE1/0/1] quit
3. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Enable IP multicast routing.
[SwitchB] multicast routing
[SwitchB-mrib] quit
# Create VSI vpna and VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Assign an IP address to VLAN-interface 12, and enable the IGMP host feature on the
interface. This interface's IP address will be the source IP address of VXLAN packets sent by
the VTEP.
[SwitchB] interface vlan-interface 12
[SwitchB-Vlan-interface12] ip address 12.1.1.2 24
[SwitchB-Vlan-interface12] igmp host enable
[SwitchB-Vlan-interface12] quit
# Create a VXLAN tunnel to Switch A. The tunnel interface name is Tunnel 2.
[SwitchB] interface tunnel 2 mode vxlan
[SwitchB-Tunnel2] source 12.1.1.2
[SwitchB-Tunnel2] destination 11.1.1.1
[SwitchB-Tunnel2] quit
# Create a VXLAN tunnel to Switch C. The tunnel interface name is Tunnel 3.
[SwitchB] interface tunnel 3 mode vxlan
[SwitchB-Tunnel3] source 12.1.1.2
[SwitchB-Tunnel3] destination 13.1.1.3
[SwitchB-Tunnel3] quit
# Assign Tunnel 2 and Tunnel 3 to VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] tunnel 2
[SwitchB-vsi-vpna-vxlan-10] tunnel 3
# Configure the VXLAN multicast group address and the source IP address for VXLAN packets.
[SwitchB-vsi-vpna-vxlan-10] group 225.1.1.1 source 12.1.1.2
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchB] interface twenty-fivegige 1/0/1
[SwitchB-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchB-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchB-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpna
[SwitchB-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchB-Twenty-FiveGigE1/0/1] quit
4. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Enable IP multicast routing.
[SwitchC] multicast routing
[SwitchC-mrib] quit
# Create VSI vpna and VXLAN 10.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# Assign an IP address to VLAN-interface 13, and enable the IGMP host feature on the
interface. This interface's IP address will be the source IP address of VXLAN packets sent by
the VTEP.
[SwitchC] interface vlan-interface 13
[SwitchC-Vlan-interface13] ip address 13.1.1.3 24
[SwitchC-Vlan-interface13] igmp host enable
[SwitchC-Vlan-interface13] quit
# Create a VXLAN tunnel to Switch A. The tunnel interface name is Tunnel 1.
[SwitchC] interface tunnel 1 mode vxlan
[SwitchC-Tunnel1] source 13.1.1.3
[SwitchC-Tunnel1] destination 11.1.1.1
[SwitchC-Tunnel1] quit
# Create a VXLAN tunnel to Switch B. The tunnel interface name is Tunnel 3.
[SwitchC] interface tunnel 3 mode vxlan
[SwitchC-Tunnel3] source 13.1.1.3
[SwitchC-Tunnel3] destination 12.1.1.2
[SwitchC-Tunnel3] quit
# Assign Tunnel 1 and Tunnel 3 to VXLAN 10.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] tunnel 1
[SwitchC-vsi-vpna-vxlan-10] tunnel 3
# Configure the multicast group address and source IP address for VXLAN multicast packets.
[SwitchC-vsi-vpna-vxlan-10] group 225.1.1.1 source 13.1.1.3
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchC] interface twenty-fivegige 1/0/1
[SwitchC-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpna
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchC-Twenty-FiveGigE1/0/1] quit
5. Configure Switch D:
# Enable IP multicast routing.
<SwitchD> system-view
[SwitchD] multicast routing
[SwitchD-mrib] quit
# Enable IGMP and PIM-SM on VLAN-interface 11.
[SwitchD] interface vlan-interface 11
[SwitchD-Vlan-interface11] igmp enable
[SwitchD-Vlan-interface11] pim sm
[SwitchD-Vlan-interface11] quit
# Enable PIM-SM on VLAN-interface 21.
[SwitchD] interface vlan-interface 21
[SwitchD-Vlan-interface21] pim sm
[SwitchD-Vlan-interface21] quit
# Enable BIDIR-PIM.
[SwitchD] pim
[SwitchD-pim] bidir-pim enable
[SwitchD-pim] quit
6. Configure Switch E:
# Enable IP multicast routing.
<SwitchE> system-view
[SwitchE] multicast routing
[SwitchE-mrib] quit
# Enable IGMP and PIM-SM on VLAN-interface 13.
[SwitchE] interface vlan-interface 13
[SwitchE-Vlan-interface13] igmp enable
[SwitchE-Vlan-interface13] pim sm
[SwitchE-Vlan-interface13] quit
# Enable PIM-SM on VLAN-interface 23.
[SwitchE] interface vlan-interface 23
[SwitchE-Vlan-interface23] pim sm
[SwitchE-Vlan-interface23] quit
# Enable BIDIR-PIM.
[SwitchE] pim
[SwitchE-pim] bidir-pim enable
[SwitchE-pim] quit
7. Configure Switch F:
# Enable IP multicast routing.
<SwitchF> system-view
[SwitchF] multicast routing
[SwitchF-mrib] quit
# Enable PIM-SM on VLAN-interface 21, VLAN-interface 22, VLAN-interface 23, and Loopback 0.
[SwitchF] interface vlan-interface 21
[SwitchF-Vlan-interface21] pim sm
[SwitchF-Vlan-interface21] quit
[SwitchF] interface vlan-interface 22
[SwitchF-Vlan-interface22] pim sm
[SwitchF-Vlan-interface22] quit
[SwitchF] interface vlan-interface 23
[SwitchF-Vlan-interface23] pim sm
[SwitchF-Vlan-interface23] quit
[SwitchF] interface loopback 0
[SwitchF-LoopBack0] pim sm
[SwitchF-LoopBack0] quit
# Enable BIDIR-PIM.
[SwitchF] pim
[SwitchF-pim] bidir-pim enable
# Configure VLAN-interface 22 as a candidate-BSR, and configure Loopback 0 as a
candidate-RP for BIDIR-PIM.
[SwitchF-pim] c-bsr 22.1.1.6
[SwitchF-pim] c-rp 6.6.6.6 bidir
[SwitchF-pim] quit
8. Configure Switch G:
# Enable IP multicast routing.
<SwitchG> system-view
[SwitchG] multicast routing
[SwitchG-mrib] quit
# Enable IGMP and PIM-SM on VLAN-interface 12.
[SwitchG] interface vlan-interface 12
[SwitchG-Vlan-interface12] igmp enable
[SwitchG-Vlan-interface12] pim sm
[SwitchG-Vlan-interface12] quit
# Enable PIM-SM on VLAN-interface 22.
[SwitchG] interface vlan-interface 22
[SwitchG-Vlan-interface22] pim sm
[SwitchG-Vlan-interface22] quit
# Enable BIDIR-PIM.
[SwitchG] pim
[SwitchG-pim] bidir-pim enable
[SwitchG-pim] quit
Verifying the configuration
1. Verify the VXLAN settings on the VTEPs. This example uses Switch A.
# Verify that the VXLAN tunnel interfaces on the VTEP are up.
[SwitchA] display interface tunnel 1
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 11.1.1.1, destination 12.1.1.2
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the VXLAN tunnels have been assigned to the VXLAN.
[SwitchA] display l2vpn vsi verbose
VSI Name: vpna
  VSI Index               : 0
  VSI State               : Up
  MTU                     : 1500
  Bandwidth               : Unlimited
  Broadcast Restrain      : Unlimited
  Multicast Restrain      : Unlimited
  Unknown Unicast Restrain: Unlimited
  MAC Learning            : Enabled
  MAC Table Limit         : -
  MAC Learning rate       : -
  Drop Unknown            : -
  Flooding                : Enabled
  Statistics              : Disabled
  VXLAN ID                : 10
  Tunnels:
    Tunnel Name          Link ID    State    Type        Flood proxy
    Tunnel1              0x5000001  Up       Manual      Disabled
    Tunnel2              0x5000002  Up       Manual      Disabled
    MTunnel0             0x6000000  Up       Auto        Disabled
  ACs:
    AC                               Link ID  State       Type
    WGE1/0/1 srv1000                 0        Up          Manual
# Verify that the VTEP has learned the MAC addresses of remote VMs.
<SwitchA> display l2vpn mac-address
MAC Address      State    VSI Name                        Link ID/Name  Aging
cc3e-5f9c-6cdb   Dynamic  vpna                            Tunnel1       Aging
cc3e-5f9c-23dc   Dynamic  vpna                            Tunnel2       Aging
--- 2 mac address(es) found  ---
# Verify that the VTEP has joined the VXLAN multicast group on VLAN-interface 11.
<SwitchA> display igmp host group
IGMP host groups in total: 1
 Vlan-interface11(11.1.1.1):
  IGMP host groups in total: 1
   Group address      Member state      Expires
   225.1.1.1          Idle              Off
2. Verify that VM 1, VM 2, and VM 3 can ping each other. (Details not shown.)
Configuring VXLAN IP gateways
About VXLAN IP gateways
The following are available IP gateway placement designs for VXLANs:
• VXLAN IP gateways separated from VTEPs—Use a VXLAN-unaware device as a gateway to
the external network for VXLANs. On the gateway, you do not need to configure VXLAN
settings.
• VXLAN IP gateways collocated with VTEPs—Include the following placement designs:
  ◦ Centralized VXLAN IP gateway deployment—Use one VTEP to provide Layer 3
  forwarding for VXLANs. Typically, the gateway-collocated VTEP connects to other VTEPs
  and the external network. To use this design, make sure the IP gateway has sufficient
  bandwidth and processing capability. Centralized VXLAN IP gateways provide services only
  for IPv4 networks.
  ◦ Centralized VXLAN gateway group deployment—Use one VTEP group that contains
  redundant centralized VXLAN IP gateways to provide reliable gateway services for
  VXLANs.
  ◦ Distributed VXLAN IP gateway deployment—Deploy one VXLAN IP gateway on each
  VTEP to provide Layer 3 forwarding for VXLANs at their respective sites. This design
  distributes the Layer 3 traffic load across VTEPs. However, its configuration is more
  complex than the centralized VXLAN IP gateway design. Distributed gateways can provide
  services for both IPv4 and IPv6 networks.
In a collocation design, the VTEPs use virtual Layer 3 VSI interfaces as gateway interfaces to
provide services for VXLANs.
VXLAN IP gateways separated from VTEPs
As shown in Figure 12, an independent VXLAN IP gateway connects a Layer 3 network to a VTEP.
VMs send Layer 3 traffic in Layer 2 frames to the gateway through VXLAN tunnels. When the
tunneled VXLAN packets arrive, the VTEP terminates the VXLANs and forwards the inner frames to
the gateway. In this gateway placement design, the VTEP does not perform Layer 3 forwarding for
VXLANs.
Figure 12 VXLAN IP gateway separated from VTEPs
Centralized VXLAN IP gateway deployment
As shown in Figure 13, a VTEP acts as a gateway for VMs in the VXLANs. The VTEP both
terminates the VXLANs and performs Layer 3 forwarding for the VMs.
Figure 13 Centralized VXLAN IP gateway placement design
As shown in Figure 14, the network uses the following process to forward Layer 3 traffic from VM
10.1.1.11 to the Layer 3 network:
1. The VM sends an ARP request to obtain the MAC address of the gateway (VTEP 3) at 10.1.1.1.
2. VTEP 1 floods the ARP request to all remote VTEPs.
3. VTEP 3 de-encapsulates the ARP request, creates an ARP entry for the VM, and sends an
ARP reply to the VM.
4. VTEP 1 forwards the ARP reply to the VM.
5. The VM learns the MAC address of the gateway, and sends the Layer 3 traffic to the gateway.
6. VTEP 3 removes the VXLAN encapsulation and inner Ethernet header for the traffic, and
forwards the traffic to the destination node.
Inter-VXLAN forwarding is the same as this process except for the last step. At the last step of
inter-VXLAN forwarding, the gateway replaces the source-VXLAN encapsulation with the
destination-VXLAN encapsulation, and then forwards the traffic.
Figure 14 Example of centralized VXLAN IP gateway deployment
[Figure not reproduced. Labels: VTEP 1 (Server, Site 1) and VTEP 2 (Server, Site 2) with VSI/VXLAN 10, 20, and 30 and VMs 10.1.1.11, 20.1.1.11, 30.1.1.11, 10.1.1.12, 20.1.1.12, and 30.1.1.12; VXLAN tunnels across the transport network; VTEP 3/Centralized VXLAN IP gateway, connected to the L3 network, with VSI-interface10 10.1.1.1/24 for VSI/VXLAN 10, VSI-interface20 20.1.1.1/24 for VSI/VXLAN 20, and VSI-interface30 30.1.1.1/24 for VSI/VXLAN 30.]
Centralized VXLAN gateway group deployment
As shown in Figure 15, a VTEP group uses redundant centralized VXLAN IP gateways to provide
reliable gateway services for VMs in the VXLANs. All member VTEPs in the group participate in
Layer 3 forwarding and load share traffic between the Layer 3 network and the VXLANs. This design
distributes processing among multiple VTEPs and prevents single points of failure.
Figure 15 Example of centralized VXLAN IP gateway group deployment
L3 network
Centralized VXLAN IP
gateway group
VX
N
LA
tun
VX
LA
N
l
ne
tu n
ne
l
P
Server
Access layer
VTEP
VXLAN tunnel
Transport
network
Access layer
VTEP
Site 1
Server
Site 2
The VTEP group is a virtual gateway that provides services at a group IP address. Access layer
VTEPs set up VXLAN tunnels to the group IP address for data traffic forwarding. Each access layer
VTEP also automatically sets up tunnels to the member IP addresses of VTEPs in the VTEP group.
For all VTEPs in the VTEP group to have consistent forwarding entries, these tunnels are used for
transmitting broadcast, multicast, and unknown unicast floods.
Distributed VXLAN IP gateway deployment
About distributed VXLAN IP gateway deployment
As shown in Figure 16, each site's VTEP acts as a gateway to perform Layer 3 forwarding for the
VXLANs of the local site. A VTEP acts as a border gateway to the Layer 3 network for the VXLANs.
Figure 16 Distributed VXLAN IP gateway placement design
Figure 17 shows an example of distributed VXLAN IP gateway deployment. Create VSI interfaces on
each distributed VXLAN IP gateway and the border gateway as gateway interfaces. Assign the same
IP address to the same VSI interface on the distributed VXLAN IP gateways. Enable one of the
following features on a distributed VXLAN IP gateway:
• ARP flood suppression. The gateway performs Layer 2 forwarding based on MAC address
entries and performs Layer 3 forwarding based on ARP entries.
• Local proxy ARP or local ND proxy. The gateway performs Layer 3 forwarding based on ARP or
ND entries. The following sections use distributed VXLAN IP gateways enabled with the local
proxy ARP or local ND proxy feature to describe the forwarding processes for intra-VXLAN
traffic, inter-VXLAN traffic, and traffic from a VXLAN to an external network.
A distributed VXLAN IP gateway can generate ARP or ND entries by a variety of methods. The
following sections use dynamically learned ARP or ND entries to describe the forwarding processes.
Figure 17 Example of distributed VXLAN IP gateway deployment
[Network diagram. Labels recovered from the figure: VM 1 (10.1.1.11), VM 2 (20.1.1.11), and VM 3
(30.1.1.11) on the server behind GW 1 at Site 1; VM 4 (10.1.1.12), VM 5 (20.1.1.12), and VM 6
(30.1.1.12) on the server behind GW 2 at Site 2. The distributed gateways use VSI-interface10
(10.1.1.1/24), VSI-interface20 (20.1.1.1/24), and VSI-interface30 (30.1.1.1/24) for VSI/VXLAN 10,
20, and 30. VXLAN tunnels cross the transport network. The border gateway to the L3 network uses
VSI-interface10 (10.1.1.2/24), VSI-interface20 (20.1.1.2/24), and VSI-interface30 (30.1.1.2/24).]
Intra-VXLAN traffic forwarding between sites
As shown in Figure 17, the network uses the following process to forward traffic in a VXLAN between
sites (for example, from VM 1 to VM 4 in VXLAN 10):
1. VM 1 sends an ARP request to obtain the MAC address of VM 4.
2. GW 1 performs the following operations:
   a. Creates an ARP entry for VM 1 and replies with the MAC address of VSI-interface 10 (the
   gateway interface for VXLAN 10).
   b. Replaces the sender MAC address of the ARP request with the MAC address of
   VSI-interface 10, and then floods the request to all remote VTEPs.
3. VM 1 creates an ARP entry for VM 4. The MAC address in the entry is the MAC address of
VSI-interface 10 on GW 1.
4. GW 2 (the VTEP for VM 4) performs the following operations:
   a. De-encapsulates the ARP request and creates an ARP entry for VM 1. The entry contains
   VM 1's IP address (10.1.1.11), the MAC address of VSI-interface 10 on GW 1, and the
   incoming tunnel interface.
   b. Replaces the sender MAC address of the request with the MAC address of VSI-interface 10
   on GW 2, and then floods the request to the local site in VXLAN 10.
5. VM 4 creates an ARP entry for VM 1, and then sends a reply to GW 2. The MAC address in the
ARP entry is the MAC address of VSI-interface 10 on GW 2.
6. GW 2 performs the following operations:
   a. Creates an ARP entry for VM 4.
   b. Replaces the sender MAC address of the request with the MAC address of VSI-interface 10
   on GW 2, and sends the reply to GW 1.
7. GW 1 de-encapsulates the ARP request and creates an ARP entry for VM 4. The entry contains
VM 4's IP address (10.1.1.12), the MAC address of VSI-interface 10 on GW 2, and the incoming
tunnel interface.
8. For subsequent traffic between VM 1 and VM 4, GW 1 and GW 2 use their respective ARP
tables to make the forwarding decision.
Inter-VXLAN traffic forwarding between sites
As shown in Figure 17, the network uses the following process to forward traffic between VXLANs
(for example, from VM 1 in VXLAN 10 to VM 5 in VXLAN 20):
1. VM 1 sends an ARP request to obtain the MAC address of the gateway at 10.1.1.1.
2. GW 1 creates an ARP entry for VM 1 and replies with the MAC address of VSI-interface 10 (the
gateway interface for VXLAN 10).
3. VM 1 sends the packet destined for VM 5 to GW 1.
4. GW 1 sends an ARP request to the local site and remote sites to obtain the MAC address of VM
5. In the ARP request, the sender IP address is 20.1.1.1, and the sender MAC address is the
MAC address of VSI-interface 20 on GW 1.
5. GW 2 performs the following operations:
   a. De-encapsulates the ARP request and creates an ARP entry for GW 1. The entry contains
   IP address 20.1.1.1 and MAC address of VSI-interface 20 on GW 1, and the incoming
   tunnel interface.
   b. Replaces the sender MAC address of the request with the MAC address of VSI-interface 20
   on GW 2, and then floods the request to the local site in VXLAN 20.
6. VM 5 creates an ARP entry for GW 2, and then sends a reply to GW 2. The entry contains the IP
address (20.1.1.1) and MAC address of VSI-interface 20 on GW 2.
7. GW 2 performs the following operations:
   a. Creates an ARP entry for VM 5.
   b. Replaces the sender MAC address in the request with the MAC address of VSI-interface 20
   on GW 2, and then sends the reply to GW 1.
8. GW 1 de-encapsulates the ARP request and creates an ARP entry for VM 5. The entry contains
VM 5's IP address 20.1.1.12, the MAC address of VSI-interface 20 on GW 2, and the incoming
tunnel interface.
9. For subsequent traffic between VM 1 and VM 5, GW 1 and GW 2 use their respective ARP
tables to make the forwarding decision.
VXLAN-to-external network traffic forwarding
As shown in Figure 17, the network uses the following process to forward traffic from a VXLAN to the
Layer 3 network (for example, from VM 1 to the host at 50.1.1.1):
1. VM 1 sends an ARP request to obtain the MAC address of the gateway at 10.1.1.1.
2. GW 1 creates an ARP entry for VM 1 and replies with the MAC address of VSI-interface 10 (the
gateway interface for VXLAN 10).
3. VM 1 sends a packet destined for the host to GW 1.
4. GW 1 performs the following operations:
   a. Searches the IP routing policies or routing table for the next hop. In this example, the next
   hop for the packet is 10.1.1.2 (the border gateway).
   b. Floods an ARP request to the local and remote sites in VXLAN 10 to obtain the MAC
   address of 10.1.1.2.
5. The border gateway de-encapsulates the ARP request, creates an ARP entry for GW 1, and
tunnels a reply to GW 1.
6. GW 1 de-encapsulates the ARP reply and creates an ARP entry for 10.1.1.2.
7. GW 1 sends the packet destined for the host to the border gateway.
8. The border gateway de-encapsulates the packet and forwards it to the host.
Restrictions and guidelines: VXLAN IP gateway configuration
Do not configure both centralized VXLAN IP gateway settings and centralized VXLAN IP gateway
group settings on a device.
VXLAN IP gateway tasks at a glance
To configure a VXLAN IP gateway, perform the following tasks:
1. Configure a VXLAN IP gateway
   Choose one of the following tasks:
   ○ Configuring a centralized VXLAN IP gateway
   ○ Configuring a centralized VXLAN IP gateway group
   ○ Configuring a distributed VXLAN IP gateway
2. (Optional.) Managing ARP entries and ND entries
3. (Optional.) Configuring a VSI interface
Prerequisites for VXLAN IP gateway configuration
Before you configure a centralized or distributed VXLAN IP gateway, you must perform the following
tasks on VTEPs:
• Set the VXLAN hardware resource mode to Layer 3 gateway.
• Create VSIs and VXLANs.
• Configure VXLAN tunnels and assign them to VXLANs.
Configuring a centralized VXLAN IP gateway
Restrictions and guidelines
Do not execute the local-proxy-arp enable command on a centralized VXLAN IP gateway.
Configuring a gateway interface on a centralized VXLAN IP gateway
1. Enter system view.
   system-view
2. Create a VSI interface and enter VSI interface view.
   interface vsi-interface vsi-interface-id
3. Assign an IPv4 address to the VSI interface.
   ip address ip-address { mask | mask-length }
   By default, no IPv4 address is assigned to a VSI interface.
4. Return to system view.
   quit
5. Enter VSI view.
   vsi vsi-name
6. Specify a gateway interface for the VSI.
   gateway vsi-interface vsi-interface-id
   By default, no gateway interface is specified for a VSI.
Assigning a subnet to a VSI
About subnet assignment to a VSI
Perform this task on VSIs that share a gateway interface. This task enables the VSI interface to
identify the VSI of a packet.
You can assign a maximum of eight IPv4 and IPv6 subnets to a VSI. Make sure these subnets are on
the same network as one of the IP addresses on the gateway interface.
For VSIs that share a gateway interface, the subnets must be unique.
If you remove the gateway interface from the VSI, the VSI's subnet settings are automatically
deleted.
Procedure
1. Enter system view.
   system-view
2. Enter VSI view.
   vsi vsi-name
3. Assign a subnet to the VSI.
   gateway subnet ipv4-address wildcard-mask
   By default, no subnet exists on a VSI.
Configuring a centralized VXLAN IP gateway group
Configuring a VTEP group
Restrictions and guidelines
Make sure the member VTEPs use the same VXLAN settings.
Procedure
1. Enter system view.
   system-view
2. Create a VSI interface and enter VSI interface view.
   interface vsi-interface vsi-interface-id
   This interface will be used as the gateway interface for the VSI.
3. Assign an IP address to the VSI interface.
   ip address ip-address { mask | mask-length }
   By default, no IP address is assigned to a VSI interface.
   You must assign the same IP address to the VSI interface on each VTEP in the VTEP group.
4. Assign a MAC address to the VSI interface.
   mac-address mac-address
   By default, the MAC address of VSI interfaces is the subsequent higher MAC address of
   VLAN-interface 4094's MAC address.
   You must assign the same MAC address to the VSI interface on each VTEP in the VTEP group.
5. Return to system view.
   quit
6. Enter VSI view.
   vsi vsi-name
7. Specify the VSI interface as the gateway interface for the VSI.
   gateway vsi-interface vsi-interface-id
   By default, no gateway interface is specified for a VSI.
8. Return to system view.
   quit
9. Assign the local VTEP to a VTEP group and specify a member IP address for the VTEP.
   vtep group group-ip member local member-ip
   By default, a VTEP is not assigned to any VTEP group.
   The specified member IP address must already exist on the local VTEP and be unique in the
   VTEP group. You must configure a routing protocol to advertise the IP address to the transport
   network.
10. Specify the member IP address of all the other VTEPs in the VTEP group.
   vtep group group-ip member remote member-ip&<1-8>
   By default, the list of remote VTEPs is not configured.
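The procedure above requires every member of a VTEP group to carry the same VSI interface IP and MAC address, a member IP that exists locally and is unique in the group, and a remote list naming all other members. The following Python script is an added example, not HPE code: it audits per-device command lists for those rules. The function names and the sample command lists are constructed for illustration and use only command forms shown in this guide.

```python
import re
from collections import defaultdict


def norm_mac(mac):
    """Expand the short H-H-H form ("2-2-2") to 0002-0002-0002 for comparison."""
    return "-".join(part.zfill(4) for part in mac.lower().split("-"))


def parse_vtep(config):
    """Pull the VTEP-group-related settings out of one device's command list."""
    dev = {"addrs": set(), "vsi": defaultdict(dict),
           "group": set(), "local": None, "remote": set()}
    iface = None  # (type, number) of the interface view being parsed, if any
    for raw in config.splitlines():
        line = raw.strip().lower()
        if m := re.fullmatch(r"interface (loopback|vsi-interface) ?(\d+)", line):
            iface = (m.group(1), m.group(2))
        elif line.startswith("interface ") or line == "quit":
            iface = None
        elif iface and (m := re.match(r"ip address (\S+) \S+", line)):
            dev["addrs"].add(m.group(1))
            if iface[0] == "vsi-interface":
                dev["vsi"][iface[1]]["ip"] = m.group(1)
        elif iface and iface[0] == "vsi-interface" and (
                m := re.match(r"mac-address (\S+)", line)):
            dev["vsi"][iface[1]]["mac"] = norm_mac(m.group(1))
        elif m := re.match(r"vtep group (\S+) member local (\S+)", line):
            dev["group"].add(m.group(1))
            dev["local"] = m.group(2)
        elif m := re.match(r"vtep group (\S+) member remote (.+)", line):
            dev["group"].add(m.group(1))
            dev["remote"].update(m.group(2).split())
    return dev


def audit_vtep_group(configs):
    """Return a list of findings; an empty list means the members agree."""
    devs = {name: parse_vtep(text) for name, text in configs.items()}
    findings = []

    group_ips = set().union(*(d["group"] for d in devs.values()))
    if len(group_ips) != 1:
        findings.append(f"group IP differs or is missing: {sorted(group_ips)}")

    member_ip = {name: d["local"] for name, d in devs.items()}
    for name, d in sorted(devs.items()):
        if d["local"] is None:
            findings.append(f"{name}: no 'vtep group ... member local' command")
            continue
        if d["local"] not in d["addrs"]:
            findings.append(f"{name}: member IP {d['local']} is not on a local interface")
        expected = {ip for other, ip in member_ip.items() if other != name and ip}
        if d["remote"] != expected:
            findings.append(
                f"{name}: remote members {sorted(d['remote'])} != {sorted(expected)}")

    seen = [ip for ip in member_ip.values() if ip]
    for ip in sorted({ip for ip in seen if seen.count(ip) > 1}):
        findings.append(f"member IP {ip} is used by more than one VTEP")

    # A missing value counts as a mismatch: default VSI interface MACs are per device.
    vsi_ids = set().union(*(d["vsi"].keys() for d in devs.values()))
    for vsi_id in sorted(vsi_ids):
        for field in ("ip", "mac"):
            values = {n: d["vsi"].get(vsi_id, {}).get(field) for n, d in devs.items()}
            if None in values.values() or len(set(values.values())) > 1:
                findings.append(f"Vsi-interface{vsi_id} {field} mismatch: {values}")
    return findings


def member_config(local_ip, remote_ip, vsi_mac):
    """Constructed sample: one group member, in the command forms this guide uses."""
    return f"""
interface loopback 0
 ip address 2.2.2.2 255.255.255.255
 quit
interface loopback 1
 ip address {local_ip} 255.255.255.255
 quit
interface vsi-interface 1
 ip address 10.1.1.1 255.255.255.0
 mac-address {vsi_mac}
 quit
vtep group 2.2.2.2 member local {local_ip}
vtep group 2.2.2.2 member remote {remote_ip}
"""


CONSISTENT = {"SwitchB": member_config("3.3.3.3", "4.4.4.4", "2-2-2"),
              "SwitchC": member_config("4.4.4.4", "3.3.3.3", "0002-0002-0002")}
DRIFTED = {"SwitchB": member_config("3.3.3.3", "4.4.4.4", "2-2-2"),
           "SwitchC": member_config("4.4.4.4", "3.3.3.3", "2-2-3")}

if __name__ == "__main__":
    for label, configs in (("consistent", CONSISTENT), ("drifted", DRIFTED)):
        print(label, audit_vtep_group(configs) or "no findings")
```

A gateway MAC or IP that differs between members makes VMs see the shared gateway address answer from more than one hardware address, so it is worth catching this drift before the group carries traffic.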
Specifying a VTEP group as the gateway for an access layer VTEP
Prerequisites
Before you specify a VTEP group on an access layer VTEP, perform the following tasks on the
VTEP:
• Enable Layer 2 forwarding for VXLANs.
• Configure VSIs and VXLANs.
• Set up VXLAN tunnels to remote sites and the VTEP group, and assign the tunnels to VXLANs.
Procedure
1. Enter system view.
   system-view
2. Specify a VTEP group and all its member VTEPs.
   vtep group group-ip member remote member-ip&<1-8>
   By default, no VTEP group is specified.
   Perform this task to specify all member VTEPs in the VTEP group.
Configuring a distributed VXLAN IP gateway
Restrictions and guidelines for distributed VXLAN IP gateway configuration
For a VXLAN that requires access to the external network, specify the VXLAN's VSI interface on the
border gateway as the next hop by using one of the following methods:
• Configure a static route.
• Configure a routing policy, and apply the policy by using the apply default-next-hop
command. For more information about configuring routing policies, see routing policy
configuration in Layer 3—IP Routing Configuration Guide.
If both ARP flood suppression and local proxy ARP are enabled on a distributed VXLAN IP gateway,
only local proxy ARP takes effect. As a best practice, do not use these features together on
distributed VXLAN IP gateways. For more information about ARP flood suppression, see "Enabling
ARP flood suppression."
Make sure a VSI interface uses the same MAC address to provide service on distributed VXLAN IP
gateways connected to IPv4 sites. Make sure a VSI interface uses different link-local addresses to
provide service on distributed VXLAN IP gateways connected to both IPv4 and IPv6 sites.
Configuring a gateway interface on a distributed VXLAN IP gateway
1. Enter system view.
   system-view
2. Create a VSI interface and enter VSI interface view.
   interface vsi-interface vsi-interface-id
3. Assign an IP address to the VSI interface.
   IPv4:
   ip address ip-address { mask | mask-length } [ sub ]
   IPv6:
   See IPv6 basics in Layer 3—IP Services Configuration Guide.
   By default, no IP address is assigned to a VSI interface.
4. Specify the VSI interface as a distributed gateway.
   distributed-gateway local
   By default, a VSI interface is not a distributed gateway.
5. Enable local proxy ARP or local ND proxy.
   IPv4:
   local-proxy-arp enable [ ip-range startIP to endIP ]
   By default, local proxy ARP is disabled.
   For more information about this command, see proxy ARP commands in Layer 3—IP Services
   Command Reference.
   IPv6:
   local-proxy-nd enable
   By default, local ND proxy is disabled.
   For more information about this command, see IPv6 basics commands in Layer 3—IP Services
   Command Reference.
6. Bring up the VSI interface.
   undo shutdown
   By default, a VSI interface is up.
7. Return to system view.
   quit
8. Enter VSI view.
   vsi vsi-name
9. Specify the VSI interface as the gateway interface for the VSI.
   gateway vsi-interface vsi-interface-id
   By default, no gateway interface is specified for a VSI.
Enabling dynamic ARP or ND entry synchronization for distributed VXLAN IP gateways
About dynamic ARP or ND entry synchronization for distributed VXLAN IP gateways
When local proxy ARP or local ND proxy is enabled on distributed VXLAN IP gateways, enable this
feature for all gateways to have the same ARP or ND entries.
A controller or the EVPN feature can also synchronize ARP or ND entries among distributed VXLAN
IP gateways. When you use a controller or the EVPN feature, do not enable dynamic ARP or ND
entry synchronization.
Enabling dynamic ARP entry synchronization
1. Enter system view.
   system-view
2. Enable dynamic ARP entry synchronization for distributed VXLAN IP gateways.
   arp distributed-gateway dynamic-entry synchronize
   By default, dynamic ARP entry synchronization is disabled for distributed VXLAN IP gateways.
Enabling dynamic ND entry synchronization
1. Enter system view.
   system-view
2. Enable dynamic ND entry synchronization for distributed VXLAN IP gateways.
   ipv6 nd distributed-gateway dynamic-entry synchronize
   By default, dynamic ND entry synchronization is disabled for distributed VXLAN IP gateways.
Assigning a subnet to a VSI
About subnet assignment to a VSI
Perform this task on VSIs that share a gateway interface. This task enables the VSI interface to
identify the VSI of a packet.
You can assign a maximum of eight IPv4 and IPv6 subnets to a VSI. Make sure these subnets are on
the same network as one of the IP addresses on the gateway interface.
For VSIs that share a gateway interface, the subnets must be unique.
If you remove the gateway interface from the VSI, the VSI's subnet settings are automatically
deleted.
Procedure
1. Enter system view.
   system-view
2. Enter VSI view.
   vsi vsi-name
3. Assign a subnet to the VSI.
   gateway subnet { ipv4-address wildcard-mask | ipv6-address prefix-length }
   By default, no subnet exists on a VSI.
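The subnet rules stated for both the centralized and the distributed gateway (at most eight subnets per VSI, each subnet inside one of the gateway interface's networks, and unique subnets among VSIs that share a gateway interface) can be checked against a planned configuration. The following Python script is an added example, not HPE code. It assumes that the limit of eight is a combined IPv4 and IPv6 total, treats overlapping subnets as a uniqueness violation, and checks containment for IPv4 only; the function names and sample command lists are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

MAX_SUBNETS_PER_VSI = 8  # limit stated in this guide (assumed to be a combined total)


def to_network(addr, mask):
    """Network for 'ipv4-address wildcard-mask' or 'ipv6-address prefix-length'.

    Returns None when the pair is malformed, for example a netmask typed
    where a wildcard mask is expected.
    """
    try:
        if ":" in addr:
            return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        w = int(ipaddress.IPv4Address(mask))
        if w & (w + 1):  # wildcard bits must be contiguous low-order ones
            return None
        return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)
    except ValueError:
        return None


def parse(config):
    if_nets = defaultdict(list)      # VSI interface ID -> networks of its IPv4 addresses
    vsi_gw = {}                      # VSI name -> VSI interface ID
    vsi_subnets = defaultdict(list)  # VSI name -> [(text as typed, network or None)]
    view = None                      # ("if", id) or ("vsi", name) while inside a view
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface vsi-interface (\d+)", line):
            view = ("if", m.group(1))
        elif m := re.fullmatch(r"vsi (\S+)", line):
            view = ("vsi", m.group(1))
        elif line == "quit":
            view = None
        elif view is None:
            continue
        elif view[0] == "if" and (
                m := re.fullmatch(r"ip address (\S+) (\S+)( sub)?", line)):
            if_nets[view[1]].append(
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif view[0] == "vsi" and (
                m := re.fullmatch(r"gateway vsi-interface (\d+)", line)):
            vsi_gw[view[1]] = m.group(1)
        elif view[0] == "vsi" and (
                m := re.fullmatch(r"gateway subnet (\S+) (\S+)", line)):
            addr, mask = m.groups()
            vsi_subnets[view[1]].append((f"{addr} {mask}", to_network(addr, mask)))
    return if_nets, vsi_gw, vsi_subnets


def check_gateway_subnets(config):
    """Return a list of findings; an empty list means the plan follows the rules."""
    if_nets, vsi_gw, vsi_subnets = parse(config)
    findings = []
    claimed = defaultdict(list)  # VSI interface ID -> [(VSI name, network)]
    for vsi, subnets in sorted(vsi_subnets.items()):
        gw = vsi_gw.get(vsi)
        if gw is None:
            findings.append(f"{vsi}: gateway subnet configured but no gateway interface")
            continue
        if len(subnets) > MAX_SUBNETS_PER_VSI:
            findings.append(f"{vsi}: {len(subnets)} subnets exceeds the limit of 8")
        for text, net in subnets:
            if net is None:
                findings.append(f"{vsi}: '{text}' is not a valid address/wildcard pair")
            elif net.version == 6:
                continue  # IPv6 interface addresses are outside this example
            elif not any(net.subnet_of(n) for n in if_nets[gw]):
                findings.append(
                    f"{vsi}: {net} is outside every network on Vsi-interface{gw}")
            else:
                claimed[gw].append((vsi, net))
    for gw, items in sorted(claimed.items()):
        for i, (vsi_a, net_a) in enumerate(items):
            for vsi_b, net_b in items[i + 1:]:
                if net_a.overlaps(net_b):
                    findings.append(
                        f"Vsi-interface{gw}: {vsi_a} {net_a} overlaps {vsi_b} {net_b}")
    return findings


# Constructed sample input: two VSIs sharing VSI-interface 1.
GOOD = """interface vsi-interface 1
 ip address 10.1.1.1 255.255.255.0
 ip address 10.1.2.1 255.255.255.0 sub
 quit
vsi vpna
 gateway vsi-interface 1
 gateway subnet 10.1.1.0 0.0.0.255
 quit
vsi vpnb
 gateway vsi-interface 1
 gateway subnet 10.1.2.0 0.0.0.255
 quit
"""
# Constructed faulty variant: an overlap, an outside subnet, and a bad wildcard mask.
BAD = GOOD.replace("10.1.2.0 0.0.0.255", "10.1.1.128 0.0.0.127") + """vsi vpnc
 gateway vsi-interface 1
 gateway subnet 10.1.3.0 0.0.0.255
 quit
vsi vpnd
 gateway vsi-interface 1
 gateway subnet 10.1.2.0 0.0.255.0
 quit
"""

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_gateway_subnets(cfg) or "no findings")
```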
Managing ARP entries and ND entries
Adding a static ARP entry
About static ARP entries
A VXLAN IP gateway can dynamically learn ARP entries and use manually configured static ARP
entries.
Procedure
1. Enter system view.
   system-view
2. Add a static local-ARP entry.
   arp static ip-address mac-address vsi-interface vsi-interface-id interface-type interface-number service-instance instance-id vsi vsi-name [ vpn-instance vpn-instance-name ]
   For more information about this command, see ARP commands in Layer 3—IP Services
   Command Reference.
3. Add a static remote-ARP entry.
   arp static ip-address mac-address vsi-interface vsi-interface-id tunnel number vsi vsi-name [ vpn-instance vpn-instance-name ]
   For more information about this command, see ARP commands in Layer 3—IP Services
   Command Reference.
Disabling remote ARP or ND learning for VXLANs
About remote ARP and ND learning
By default, the device learns ARP or ND information of remote user terminals from packets received
on VXLAN tunnel interfaces. To save resources on VTEPs in an SDN transport network, you can
temporarily disable remote ARP or ND learning when the controller and VTEPs are synchronizing
entries. After the entry synchronization is completed, enable remote ARP or ND learning.
Restrictions and guidelines
As a best practice, disable remote ARP or ND learning for VXLANs only when the controller and
VTEPs are synchronizing entries.
Procedure
1. Enter system view.
   system-view
2. Disable remote ARP learning.
   vxlan tunnel arp-learning disable
   By default, remote ARP learning is enabled for VXLANs.
3. Disable remote ND learning.
   vxlan tunnel nd-learning disable
   By default, remote ND learning is enabled for VXLANs.
Configuring a VSI interface
Configuring optional parameters for a VSI interface
1. Enter system view.
   system-view
2. Enter VSI interface view.
   interface vsi-interface vsi-interface-id
3. Assign a MAC address to the VSI interface.
   mac-address mac-address
   By default, the MAC address of VSI interfaces is the subsequent higher MAC address of
   VLAN-interface 4094's MAC address.
4. Configure the description of the VSI interface.
   description text
   The default description of a VSI interface is interface-name plus Interface (for example,
   Vsi-interface100 Interface).
5. Set the MTU for the VSI interface.
   mtu size
   The default MTU is 1444 bytes.
6. Set the expected bandwidth for the VSI interface.
   bandwidth bandwidth-value
   The default expected bandwidth (in kbps) equals the interface baudrate divided by 1000.
   The expected bandwidth is an informational parameter used only by higher-layer protocols for
   calculation. You cannot adjust the actual bandwidth of an interface by using this command.
7. Set an ARP packet sending rate limit for the VSI interface.
   arp send-rate pps
   By default, the ARP packet sending rate is not limited for a VSI interface.
Restoring the default settings of the VSI interface
Restrictions and guidelines
CAUTION:
This operation might interrupt ongoing network services. Make sure you are fully aware of the impact
of this operation when you perform it on a live network.
This operation might fail to restore the default settings for some commands for reasons such as
command dependencies or system restrictions. Use the display this command in interface view
to identify these commands. Use their undo forms or follow the command reference to restore their
default settings. If your restoration attempt still fails, follow the error message instructions to resolve
the problem.
Procedure
1. Enter system view.
   system-view
2. Enter VSI interface view.
   interface vsi-interface vsi-interface-id
3. Restore the default settings of the VSI interface.
   default
Enabling packet statistics for a VSI interface
About packet statistics for a VSI interface
To enable packet statistics for a VSI and its associated VSI interface, execute the statistics
enable command in VSI view.
Restrictions and guidelines
Packet statistics take effect on a VSI interface only if it is associated with only one VSI.
Procedure
1. Enter system view.
   system-view
2. Enter VSI view.
   vsi vsi-name
3. Enable packet statistics for the VSI.
   statistics enable
   By default, the packet statistics feature is disabled for all VSIs.
Display and maintenance commands for VXLAN IP gateways
Execute display commands in any view and reset commands in user view.
Task: Display information about VSI interfaces.
Command: display interface [ vsi-interface [ vsi-interface-id ] ] [ brief [ description | down ] ]
Task: Clear statistics on VSI interfaces.
Command: reset counters interface [ vsi-interface [ vsi-interface-id ] ]
VXLAN IP gateway configuration examples
Example: Configuring a centralized VXLAN IP gateway
Network configuration
As shown in Figure 18:
• Configure VXLAN 10 as a unicast-mode VXLAN on Switch A, Switch B, and Switch C to provide
connectivity for the VMs across the network sites.
• Configure a centralized VXLAN IP gateway on Switch B to provide gateway services for VXLAN
10.
• Manually establish VXLAN tunnels and assign the tunnels to VXLAN 10.
• Enable remote-MAC address learning.
Figure 18 Network diagram
[Network diagram. Labels recovered from the figure: VM 1 (10.1.1.11) on Server 1 and VM 2
(10.1.1.12) on Server 2, each attached in VLAN 2 to WGE1/0/1 of its switch; Switch A (Loop0
1.1.1.1/32), Switch B (Loop0 2.2.2.2/32, VSI-int1 10.1.1.1/24), and Switch C (Loop0 3.3.3.3/32)
around Switch D in the transport network; transport links Vlan-int11 (11.1.1.1/24 and 11.1.1.4/24),
Vlan-int12 (12.1.1.2/24 and 12.1.1.4/24), and Vlan-int13 (13.1.1.3/24 and 13.1.1.4/24); Vlan-int20
between Switch B (20.1.1.2/24) and Switch E (20.1.1.5/24).]
Procedure
1. On VM 1 and VM 2, specify 10.1.1.1 as the gateway address. (Details not shown.)
2. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 18. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D). (Details not
shown.)
# Configure OSPF to advertise routes to networks 10.1.1.0/24 and 20.1.1.0/24 on Switch B and
Switch E. (Details not shown.)
3. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Create VSI vpna and VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnels to Switch B and Switch C.
[SwitchA] interface loopback 0
[SwitchA-Loopback0] ip address 1.1.1.1 255.255.255.255
[SwitchA-Loopback0] quit
# Create a VXLAN tunnel to Switch B. The tunnel interface name is Tunnel 1.
[SwitchA] interface tunnel 1 mode vxlan
[SwitchA-Tunnel1] source 1.1.1.1
[SwitchA-Tunnel1] destination 2.2.2.2
[SwitchA-Tunnel1] quit
# Create a VXLAN tunnel to Switch C. The tunnel interface name is Tunnel 2.
[SwitchA] interface tunnel 2 mode vxlan
[SwitchA-Tunnel2] source 1.1.1.1
[SwitchA-Tunnel2] destination 3.3.3.3
[SwitchA-Tunnel2] quit
# Assign Tunnel 1 and Tunnel 2 to VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] tunnel 1
[SwitchA-vsi-vpna-vxlan-10] tunnel 2
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchA-Twenty-FiveGigE1/0/1] quit
4. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Set the VXLAN hardware resource mode.
[SwitchB] hardware-resource vxlan l3gw
# Create VSI vpna and VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnels to Switch A and Switch C.
[SwitchB] interface loopback 0
[SwitchB-Loopback0] ip address 2.2.2.2 255.255.255.255
[SwitchB-Loopback0] quit
# Create a VXLAN tunnel to Switch A. The tunnel interface name is Tunnel 2.
[SwitchB] interface tunnel 2 mode vxlan
[SwitchB-Tunnel2] source 2.2.2.2
[SwitchB-Tunnel2] destination 1.1.1.1
[SwitchB-Tunnel2] quit
# Create a VXLAN tunnel to Switch C. The tunnel interface name is Tunnel 3.
[SwitchB] interface tunnel 3 mode vxlan
[SwitchB-Tunnel3] source 2.2.2.2
[SwitchB-Tunnel3] destination 3.3.3.3
[SwitchB-Tunnel3] quit
# Assign Tunnel 2 and Tunnel 3 to VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] tunnel 2
[SwitchB-vsi-vpna-vxlan-10] tunnel 3
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Create VSI-interface 1 and assign the interface an IP address. The IP address will be used as
the gateway address for VXLAN 10.
[SwitchB] interface vsi-interface 1
[SwitchB-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchB-Vsi-interface1] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] gateway vsi-interface 1
[SwitchB-vsi-vpna] quit
5. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Create VSI vpna and VXLAN 10.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnels to Switch A and Switch B.
[SwitchC] interface loopback 0
[SwitchC-Loopback0] ip address 3.3.3.3 255.255.255.255
[SwitchC-Loopback0] quit
# Create a VXLAN tunnel to Switch A. The tunnel interface name is Tunnel 1.
[SwitchC] interface tunnel 1 mode vxlan
[SwitchC-Tunnel1] source 3.3.3.3
[SwitchC-Tunnel1] destination 1.1.1.1
[SwitchC-Tunnel1] quit
# Create a VXLAN tunnel to Switch B. The tunnel interface name is Tunnel 3.
[SwitchC] interface tunnel 3 mode vxlan
[SwitchC-Tunnel3] source 3.3.3.3
[SwitchC-Tunnel3] destination 2.2.2.2
[SwitchC-Tunnel3] quit
# Assign Tunnel 1 and Tunnel 3 to VXLAN 10.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] tunnel 1
[SwitchC-vsi-vpna-vxlan-10] tunnel 3
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchC] interface twenty-fivegige 1/0/1
[SwitchC-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpna
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchC-Twenty-FiveGigE1/0/1] quit
Verifying the configuration
1. Verify the VXLAN IP gateway settings on Switch B:
# Verify that the VXLAN tunnel interfaces are up on Switch B.
[SwitchB] display interface tunnel 2
Tunnel2
Current state: UP
Line protocol state: UP
Description: Tunnel2 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 2.2.2.2, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that VSI-interface 1 is up.
[SwitchB] display interface vsi-interface 1
Vsi-interface1
Current state: UP
Line protocol state: UP
Description: Vsi-interface1 Interface
Bandwidth: 1000000 kbps
Maximum transmission unit: 1444
Internet address: 10.1.1.1/24 (primary)
IP packet frame type: Ethernet II, hardware address: 0011-2200-0102
IPv6 packet frame type: Ethernet II, hardware address: 0011-2200-0102
Physical: Unknown, baudrate: 1000000 kbps
Last clearing of counters: Never
Input (total):
0 packets, 0 bytes
Output (total):
0 packets, 0 bytes
# Verify that the VXLAN tunnels have been assigned to the VXLAN, and VSI-interface 1 is the
gateway interface of VSI vpna.
[SwitchB] display l2vpn vsi verbose
VSI Name: vpna
VSI Index               : 0
VSI State               : Up
MTU                     : 1500
Bandwidth               : Unlimited
Broadcast Restrain      : Unlimited
Multicast Restrain      : Unlimited
Unknown Unicast Restrain: Unlimited
MAC Learning            : Enabled
MAC Table Limit         : -
MAC Learning rate       : -
Drop Unknown            : -
Flooding                : Enabled
Statistics              : Disabled
Gateway interface       : VSI-interface 1
VXLAN ID                : 10
Tunnels:
  Tunnel Name          Link ID    State    Type        Flood proxy
  Tunnel2              0x5000002  Up       Manual      Disabled
  Tunnel3              0x5000003  Up       Manual      Disabled
# Verify that Switch B has created ARP entries for the VMs.
[SwitchB] display arp
Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid
IP address      MAC address    VLAN/VSI   Interface/Link ID        Aging Type
20.1.1.5        000c-29c1-5e46 20         Vlan20                   19    D
10.1.1.11       0000-1234-0001 0          Tunnel2                  20    D
10.1.1.12       0000-1234-0002 0          Tunnel3                  19    D
# Verify that Switch B has created FIB entries for the VMs.
[SwitchB] display fib 10.1.1.11
Destination count: 1 FIB entry count: 1
Flag:
  U:Usable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static
  R:Relay     F:FRR
Destination/Mask   Nexthop         Flag     OutInterface/Token       Label
10.1.1.11/32       10.1.1.11       UH       Vsi1                     Null
2. Verify that the VMs can access the WAN:
# Verify that VM 1 and VM 2 can ping each other. (Details not shown.)
# Verify that VM 1, VM 2, and VLAN-interface 20 (20.1.1.5) on Switch E can ping each other.
(Details not shown.)
Example: Configuring a centralized VXLAN IP gateway group
Network configuration
As shown in Figure 19:
• Configure VXLAN 10 as a unicast-mode VXLAN on Switch A, Switch B, and Switch C.
• Manually establish VXLAN tunnels and assign the tunnels to VXLAN 10.
• Assign Switch B and Switch C to a VTEP group to provide gateway services for VXLAN 10.
Figure 19 Network diagram
Procedure
1. On VM 1, specify 10.1.1.1 as the gateway address. (Details not shown.)
2. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 19. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D). (Details not
shown.)
3. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Create VSI vpna and VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnel to the VTEP group.
[SwitchA] interface loopback 0
[SwitchA-Loopback0] ip address 1.1.1.1 255.255.255.255
[SwitchA-Loopback0] quit
# Create a VXLAN tunnel to the VTEP group. The tunnel interface name is Tunnel 1.
[SwitchA] interface tunnel 1 mode vxlan
[SwitchA-Tunnel1] source 1.1.1.1
[SwitchA-Tunnel1] destination 2.2.2.2
[SwitchA-Tunnel1] quit
# Assign Tunnel 1 to VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] tunnel 1
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchA-Twenty-FiveGigE1/0/1] quit
# Specify VTEP group 2.2.2.2 and its member VTEPs at 3.3.3.3 and 4.4.4.4.
[SwitchA] vtep group 2.2.2.2 member remote 3.3.3.3 4.4.4.4
4. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Set the VXLAN hardware resource mode.
[SwitchB] hardware-resource vxlan l3gw
# Create VSI vpna and VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Assign IP address 2.2.2.2/32 to Loopback 0. The IP address will be used as the IP address of
the VTEP group.
[SwitchB] interface loopback 0
[SwitchB-Loopback0] ip address 2.2.2.2 255.255.255.255
[SwitchB-Loopback0] quit
# Assign an IP address to Loopback 1. The IP address will be used as the member IP address
of the VTEP.
[SwitchB] interface loopback 1
[SwitchB-Loopback1] ip address 3.3.3.3 255.255.255.255
[SwitchB-Loopback1] quit
# Create a VXLAN tunnel to Switch A. The tunnel source IP address is 2.2.2.2, and the tunnel
interface name is Tunnel 2.
[SwitchB] interface tunnel 2 mode vxlan
[SwitchB-Tunnel2] source 2.2.2.2
[SwitchB-Tunnel2] destination 1.1.1.1
[SwitchB-Tunnel2] quit
# Assign Tunnel 2 to VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] tunnel 2
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Create VSI-interface 1 and assign the interface an IP address and a MAC address. The IP
address will be used as the gateway address for VXLAN 10.
[SwitchB] interface vsi-interface 1
[SwitchB-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchB-Vsi-interface1] mac-address 2-2-2
[SwitchB-Vsi-interface1] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] gateway vsi-interface 1
[SwitchB-vsi-vpna] quit
# Assign the local VTEP to VTEP group 2.2.2.2, and specify the member IP address of the local
VTEP.
[SwitchB] vtep group 2.2.2.2 member local 3.3.3.3
# Specify the other member VTEP Switch C.
[SwitchB] vtep group 2.2.2.2 member remote 4.4.4.4
5. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Set the VXLAN hardware resource mode.
[SwitchC] hardware-resource vxlan l3gw
# Create VSI vpna and VXLAN 10.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# Assign IP address 2.2.2.2/32 to Loopback 0. The IP address will be used as the IP address of
the VTEP group.
[SwitchC] interface loopback 0
[SwitchC-Loopback0] ip address 2.2.2.2 255.255.255.255
[SwitchC-Loopback0] quit
# Assign an IP address to Loopback 1. The IP address will be used as the member IP address
of the VTEP.
[SwitchC] interface loopback 1
[SwitchC-Loopback1] ip address 4.4.4.4 255.255.255.255
[SwitchC-Loopback1] quit
# Create a VXLAN tunnel to Switch A. The tunnel source IP address is 2.2.2.2, and the tunnel
interface name is Tunnel 2.
[SwitchC] interface tunnel 2 mode vxlan
[SwitchC-Tunnel2] source 2.2.2.2
[SwitchC-Tunnel2] destination 1.1.1.1
[SwitchC-Tunnel2] quit
# Assign Tunnel 2 to VXLAN 10.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] tunnel 2
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# Create VSI-interface 1 and assign the interface an IP address and a MAC address. The IP
address will be used as the gateway address for VXLAN 10.
[SwitchC] interface vsi-interface 1
[SwitchC-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchC-Vsi-interface1] mac-address 2-2-2
[SwitchC-Vsi-interface1] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] gateway vsi-interface 1
[SwitchC-vsi-vpna] quit
# Assign the local VTEP to VTEP group 2.2.2.2, and specify the member IP address of the local
VTEP.
[SwitchC] vtep group 2.2.2.2 member local 4.4.4.4
# Specify the other member VTEP Switch B.
[SwitchC] vtep group 2.2.2.2 member remote 3.3.3.3
Example: Configuring distributed VXLAN IPv4 gateways
Network configuration
As shown in Figure 20:
• Configure VXLAN 10 and VXLAN 30 as unicast-mode VXLANs on Switch A, Switch B, and
Switch C to provide connectivity for the VMs across the network sites.
• Manually establish VXLAN tunnels and assign the tunnels to the VXLANs.
• Configure distributed VXLAN IP gateways on Switch A and Switch C to forward traffic between
the VXLANs.
• Configure Switch B as a border gateway to forward traffic between the VXLANs and the WAN
connected to Switch E.
Figure 20 Network diagram
Procedure
1. On VM 1 and VM 3, specify 10.1.1.1 and 20.1.1.1 as the gateway address, respectively.
(Details not shown.)
2. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 20. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D). (Details not
shown.)
# Configure OSPF to advertise routes to networks 10.1.1.0/24, 20.1.1.0/24, and 25.1.1.0/24 on
Switch B and Switch E. (Details not shown.)
3. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Set the VXLAN hardware resource mode.
[SwitchA] hardware-resource vxlan l3gw
# Create VSI vpna and VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Create VSI vpnc and VXLAN 30.
[SwitchA] vsi vpnc
[SwitchA-vsi-vpnc] vxlan 30
[SwitchA-vsi-vpnc-vxlan-30] quit
[SwitchA-vsi-vpnc] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnels to Switch B and Switch C.
[SwitchA] interface loopback 0
[SwitchA-Loopback0] ip address 1.1.1.1 255.255.255.255
[SwitchA-Loopback0] quit
# Create a VXLAN tunnel to Switch B. The tunnel interface name is Tunnel 1.
[SwitchA] interface tunnel 1 mode vxlan
[SwitchA-Tunnel1] source 1.1.1.1
[SwitchA-Tunnel1] destination 2.2.2.2
[SwitchA-Tunnel1] quit
# Create a VXLAN tunnel to Switch C. The tunnel interface name is Tunnel 2.
[SwitchA] interface tunnel 2 mode vxlan
[SwitchA-Tunnel2] source 1.1.1.1
[SwitchA-Tunnel2] destination 3.3.3.3
[SwitchA-Tunnel2] quit
# Assign Tunnel 1 and Tunnel 2 to VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] tunnel 1
[SwitchA-vsi-vpna-vxlan-10] tunnel 2
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Assign Tunnel 1 and Tunnel 2 to VXLAN 30.
[SwitchA] vsi vpnc
[SwitchA-vsi-vpnc] vxlan 30
[SwitchA-vsi-vpnc-vxlan-30] tunnel 1
[SwitchA-vsi-vpnc-vxlan-30] tunnel 2
[SwitchA-vsi-vpnc-vxlan-30] quit
[SwitchA-vsi-vpnc] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchA-Twenty-FiveGigE1/0/1] quit
# Create VSI-interface 1 and assign the interface an IP address and a MAC address. The IP
address will be used as the gateway address for VXLAN 10.
[SwitchA] interface vsi-interface 1
[SwitchA-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchA-Vsi-interface1] mac-address 1-1-1
# Specify VSI-interface 1 as a distributed gateway and enable local proxy ARP on the interface.
[SwitchA-Vsi-interface1] distributed-gateway local
[SwitchA-Vsi-interface1] local-proxy-arp enable
[SwitchA-Vsi-interface1] quit
# Create VSI-interface 2 and assign the interface an IP address and a MAC address. The IP
address will be used as the gateway address for VXLAN 30.
[SwitchA] interface vsi-interface 2
[SwitchA-Vsi-interface2] ip address 20.1.1.1 255.255.255.0
[SwitchA-Vsi-interface2] mac-address 2-2-2
# Specify VSI-interface 2 as a distributed gateway and enable local proxy ARP on the interface.
[SwitchA-Vsi-interface2] distributed-gateway local
[SwitchA-Vsi-interface2] local-proxy-arp enable
[SwitchA-Vsi-interface2] quit
# Enable dynamic ARP entry synchronization for distributed VXLAN IP gateways.
[SwitchA] arp distributed-gateway dynamic-entry synchronize
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] gateway vsi-interface 1
[SwitchA-vsi-vpna] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnc.
[SwitchA] vsi vpnc
[SwitchA-vsi-vpnc] gateway vsi-interface 2
[SwitchA-vsi-vpnc] quit
# Configure a PBR policy for VXLAN 10. Set the policy name to vxlan10, and set the next hop
to 10.1.1.2 (VSI-interface 1 on Switch B).
[SwitchA] acl advanced 3000
[SwitchA-acl-ipv4-adv-3000] rule 0 permit ip
[SwitchA-acl-ipv4-adv-3000] quit
[SwitchA] policy-based-route vxlan10 permit node 5
[SwitchA-pbr-vxlan10-5] if-match acl 3000
[SwitchA-pbr-vxlan10-5] apply next-hop 10.1.1.2
[SwitchA-pbr-vxlan10-5] quit
# Configure a PBR policy for VXLAN 30. Set the policy name to vxlan30, and set the next hop
to 20.1.1.2 (VSI-interface 2 on Switch B).
[SwitchA] policy-based-route vxlan30 permit node 5
[SwitchA-pbr-vxlan30-5] if-match acl 3000
[SwitchA-pbr-vxlan30-5] apply next-hop 20.1.1.2
[SwitchA-pbr-vxlan30-5] quit
# Apply policies vxlan10 and vxlan30 to VSI-interface 1 and VSI-interface 2, respectively.
[SwitchA] interface vsi-interface 1
[SwitchA-Vsi-interface1] ip policy-based-route vxlan10
[SwitchA-Vsi-interface1] quit
[SwitchA] interface vsi-interface 2
[SwitchA-Vsi-interface2] ip policy-based-route vxlan30
[SwitchA-Vsi-interface2] quit
# Configure a default route. Set the next hop to 10.1.1.2 (VSI-interface 1 on Switch B).
[SwitchA] ip route-static 0.0.0.0 0 10.1.1.2
4. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Set the VXLAN hardware resource mode.
[SwitchB] hardware-resource vxlan l3gw
# Create VSI vpna and VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Create VSI vpnc and VXLAN 30.
[SwitchB] vsi vpnc
[SwitchB-vsi-vpnc] vxlan 30
[SwitchB-vsi-vpnc-vxlan-30] quit
[SwitchB-vsi-vpnc] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnels to Switch A and Switch C.
[SwitchB] interface loopback 0
[SwitchB-Loopback0] ip address 2.2.2.2 255.255.255.255
[SwitchB-Loopback0] quit
# Create a VXLAN tunnel to Switch A. The tunnel interface name is Tunnel 2.
[SwitchB] interface tunnel 2 mode vxlan
[SwitchB-Tunnel2] source 2.2.2.2
[SwitchB-Tunnel2] destination 1.1.1.1
[SwitchB-Tunnel2] quit
# Create a VXLAN tunnel to Switch C. The tunnel interface name is Tunnel 3.
[SwitchB] interface tunnel 3 mode vxlan
[SwitchB-Tunnel3] source 2.2.2.2
[SwitchB-Tunnel3] destination 3.3.3.3
[SwitchB-Tunnel3] quit
# Assign Tunnel 2 to VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] tunnel 2
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Assign Tunnel 3 to VXLAN 30.
[SwitchB] vsi vpnc
[SwitchB-vsi-vpnc] vxlan 30
[SwitchB-vsi-vpnc-vxlan-30] tunnel 3
[SwitchB-vsi-vpnc-vxlan-30] quit
[SwitchB-vsi-vpnc] quit
# Create VSI-interface 1 and assign the interface an IP address.
[SwitchB] interface vsi-interface 1
[SwitchB-Vsi-interface1] ip address 10.1.1.2 255.255.255.0
[SwitchB-Vsi-interface1] quit
# Create VSI-interface 2 and assign the interface an IP address.
[SwitchB] interface vsi-interface 2
[SwitchB-Vsi-interface2] ip address 20.1.1.2 255.255.255.0
[SwitchB-Vsi-interface2] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] gateway vsi-interface 1
[SwitchB-vsi-vpna] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnc.
[SwitchB] vsi vpnc
[SwitchB-vsi-vpnc] gateway vsi-interface 2
[SwitchB-vsi-vpnc] quit
5. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Set the VXLAN hardware resource mode.
[SwitchC] hardware-resource vxlan l3gw
# Create VSI vpna and VXLAN 10.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# Create VSI vpnb and VXLAN 30.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] vxlan 30
[SwitchC-vsi-vpnb-vxlan-30] quit
[SwitchC-vsi-vpnb] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnels to Switch A and Switch B.
[SwitchC] interface loopback 0
[SwitchC-Loopback0] ip address 3.3.3.3 255.255.255.255
[SwitchC-Loopback0] quit
# Create a VXLAN tunnel to Switch A. The tunnel interface name is Tunnel 1.
[SwitchC] interface tunnel 1 mode vxlan
[SwitchC-Tunnel1] source 3.3.3.3
[SwitchC-Tunnel1] destination 1.1.1.1
[SwitchC-Tunnel1] quit
# Create a VXLAN tunnel to Switch B. The tunnel interface name is Tunnel 3.
[SwitchC] interface tunnel 3 mode vxlan
[SwitchC-Tunnel3] source 3.3.3.3
[SwitchC-Tunnel3] destination 2.2.2.2
[SwitchC-Tunnel3] quit
# Assign Tunnel 1 and Tunnel 3 to VXLAN 10.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] tunnel 1
[SwitchC-vsi-vpna-vxlan-10] tunnel 3
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# Assign Tunnel 1 and Tunnel 3 to VXLAN 30.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] vxlan 30
[SwitchC-vsi-vpnb-vxlan-30] tunnel 1
[SwitchC-vsi-vpnb-vxlan-30] tunnel 3
[SwitchC-vsi-vpnb-vxlan-30] quit
[SwitchC-vsi-vpnb] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 4.
[SwitchC] interface twenty-fivegige 1/0/1
[SwitchC-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 4
# Map Ethernet service instance 1000 to VSI vpnb.
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpnb
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchC-Twenty-FiveGigE1/0/1] quit
# Create VSI-interface 1 and assign the interface an IP address and a MAC address. The IP
address will be used as the gateway address for VXLAN 10.
[SwitchC] interface vsi-interface 1
[SwitchC-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchC-Vsi-interface1] mac-address 1-1-1
# Specify VSI-interface 1 as a distributed gateway and enable local proxy ARP on the interface.
[SwitchC-Vsi-interface1] distributed-gateway local
[SwitchC-Vsi-interface1] local-proxy-arp enable
[SwitchC-Vsi-interface1] quit
# Enable dynamic ARP entry synchronization for distributed VXLAN IP gateways.
[SwitchC] arp distributed-gateway dynamic-entry synchronize
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] gateway vsi-interface 1
[SwitchC-vsi-vpna] quit
# Create VSI-interface 2 and assign the interface an IP address and a MAC address. The IP
address will be used as the gateway address for VXLAN 30.
[SwitchC] interface vsi-interface 2
[SwitchC-Vsi-interface2] ip address 20.1.1.1 255.255.255.0
[SwitchC-Vsi-interface2] mac-address 2-2-2
# Specify VSI-interface 2 as a distributed gateway and enable local proxy ARP on the interface.
[SwitchC-Vsi-interface2] distributed-gateway local
[SwitchC-Vsi-interface2] local-proxy-arp enable
[SwitchC-Vsi-interface2] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] gateway vsi-interface 2
[SwitchC-vsi-vpnb] quit
# Configure a PBR policy for the VXLANs. Set the policy name to vxlan and set the next hop to
20.1.1.2 (VSI-interface 1 on Switch B).
[SwitchC] acl advanced 3000
[SwitchC-acl-ipv4-adv-3000] rule 0 permit ip
[SwitchC-acl-ipv4-adv-3000] quit
[SwitchC] policy-based-route vxlan permit node 5
[SwitchC-pbr-vxlan-5] if-match acl 3000
[SwitchC-pbr-vxlan-5] apply next-hop 20.1.1.2
[SwitchC-pbr-vxlan-5] quit
# Apply policy vxlan to VSI-interface 2.
[SwitchC] interface vsi-interface 2
[SwitchC-Vsi-interface2] ip policy-based-route vxlan
[SwitchC-Vsi-interface2] quit
# Configure a default route. Set the next hop to 20.1.1.2 (VSI-interface 1 on Switch B).
[SwitchC] ip route-static 0.0.0.0 0 20.1.1.2
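The following Python check is an added example, not part of the HPE guide. It reads a session transcript in the prompt format used above and reports VXLAN-to-tunnel assignments that the peer VTEP does not mirror. The transcript is condensed from this procedure's tunnel commands; the function names, and the assumption that each tunnel source address belongs to exactly one switch, are this example's own.

```python
import re
from collections import defaultdict

# Sample input, condensed from the tunnel and VXLAN commands of the procedure above.
TRANSCRIPT = """\
[SwitchA-Tunnel1] source 1.1.1.1
[SwitchA-Tunnel1] destination 2.2.2.2
[SwitchA-Tunnel2] source 1.1.1.1
[SwitchA-Tunnel2] destination 3.3.3.3
[SwitchA-vsi-vpna-vxlan-10] tunnel 1
[SwitchA-vsi-vpna-vxlan-10] tunnel 2
[SwitchA-vsi-vpnc-vxlan-30] tunnel 1
[SwitchA-vsi-vpnc-vxlan-30] tunnel 2
[SwitchB-Tunnel2] source 2.2.2.2
[SwitchB-Tunnel2] destination 1.1.1.1
[SwitchB-Tunnel3] source 2.2.2.2
[SwitchB-Tunnel3] destination 3.3.3.3
[SwitchB-vsi-vpna-vxlan-10] tunnel 2
[SwitchB-vsi-vpnc-vxlan-30] tunnel 3
[SwitchC-Tunnel1] source 3.3.3.3
[SwitchC-Tunnel1] destination 1.1.1.1
[SwitchC-Tunnel3] source 3.3.3.3
[SwitchC-Tunnel3] destination 2.2.2.2
[SwitchC-vsi-vpna-vxlan-10] tunnel 1
[SwitchC-vsi-vpna-vxlan-10] tunnel 3
[SwitchC-vsi-vpnb-vxlan-30] tunnel 1
[SwitchC-vsi-vpnb-vxlan-30] tunnel 3
"""

# "[<sysname>-<view>] <command>"; assumes the sysname itself contains no hyphen.
PROMPT = re.compile(r"^\[(?P<host>[^\]\s-]+)-(?P<view>[^\]]+)\]\s*(?P<cmd>.+)$")
TUNNEL_VIEW = re.compile(r"^Tunnel(\d+)$")
VXLAN_VIEW = re.compile(r"^vsi-.+-vxlan-(\d+)$")


def parse(transcript):
    """Return (tunnels, bindings) read from a session transcript.

    tunnels[host][tunnel_id] -> {"source": ip, "destination": ip}
    bindings[host][vxlan_id] -> set of tunnel ids assigned to that VXLAN
    """
    tunnels = defaultdict(lambda: defaultdict(dict))
    bindings = defaultdict(lambda: defaultdict(set))
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # user view, system view, or command output
        host, view, words = m["host"], m["view"], m["cmd"].split()
        tun, vx = TUNNEL_VIEW.match(view), VXLAN_VIEW.match(view)
        if tun and len(words) == 2 and words[0] in ("source", "destination"):
            tunnels[host][int(tun.group(1))][words[0]] = words[1]
        elif vx and len(words) == 2 and words[0] == "tunnel" and words[1].isdigit():
            bindings[host][int(vx.group(1))].add(int(words[1]))
    return tunnels, bindings


def one_way_bindings(tunnels, bindings):
    """List (host, vxlan_id, tunnel_id, peer_ip, reason) for unmirrored bindings."""
    owner = {}  # tunnel source IP -> switch that uses it (assumed unique)
    for host, tmap in tunnels.items():
        for ends in tmap.values():
            if "source" in ends:
                owner[ends["source"]] = host
    findings = []
    for host in sorted(bindings):
        for vni in sorted(bindings[host]):
            for tid in sorted(bindings[host][vni]):
                ends = tunnels[host].get(tid, {})
                src, dst = ends.get("source"), ends.get("destination")
                if not src or not dst:
                    findings.append((host, vni, tid, dst, "tunnel lacks source or destination"))
                    continue
                peer = owner.get(dst)
                if peer is None:
                    findings.append((host, vni, tid, dst, "no switch in the input owns the destination"))
                    continue
                # The peer must bind, to the same VXLAN, a tunnel pointing back at us.
                mirrored = any(
                    tunnels[peer].get(p, {}).get("source") == dst
                    and tunnels[peer].get(p, {}).get("destination") == src
                    for p in bindings[peer].get(vni, ())
                )
                if not mirrored:
                    findings.append((host, vni, tid, dst, f"{peer} has no tunnel to {src} in VXLAN {vni}"))
    return findings


if __name__ == "__main__":
    for host, vni, tid, dst, why in one_way_bindings(*parse(TRANSCRIPT)):
        print(f"{host}: VXLAN {vni} uses Tunnel{tid} to {dst}, but {why}")
```

On this transcript the check reports Tunnel 1 in VXLAN 30 on Switch A and Tunnel 3 in VXLAN 10 on Switch C, because Switch B assigns only Tunnel 2 to VXLAN 10 and only Tunnel 3 to VXLAN 30. Whether such a one-way assignment is intended is a question to settle during configuration review.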
Verifying the configuration
1. Verify the VXLAN IP gateway settings on Switch A:
# Verify that the VXLAN tunnel interfaces are up on Switch A.
[SwitchA] display interface tunnel 2
Tunnel2
Current state: UP
Line protocol state: UP
Description: Tunnel2 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 1.1.1.1, destination 3.3.3.3
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that VSI-interface 1 is up.
[SwitchA] display interface vsi-interface 1
Vsi-interface1
Current state: UP
Line protocol state: UP
Description: Vsi-interface1 Interface
Bandwidth: 1000000 kbps
Maximum transmission unit: 1444
Internet address: 10.1.1.1/24 (primary)
IP packet frame type: Ethernet II, hardware address: 0001-0001-0001
IPv6 packet frame type: Ethernet II, hardware address: 0001-0001-0001
Physical: Unknown, baudrate: 1000000 kbps
Last clearing of counters: Never
Input (total):
0 packets, 0 bytes
Output (total):
0 packets, 0 bytes
# Verify that the VXLAN tunnels have been assigned to VXLAN 10, and VSI-interface 1 is the
gateway interface for VSI vpna.
[SwitchA] display l2vpn vsi name vpna verbose
VSI Name: vpna
  VSI Index               : 0
  VSI State               : Up
  MTU                     : 1500
  Bandwidth               : Unlimited
  Broadcast Restrain      : Unlimited
  Multicast Restrain      : Unlimited
  Unknown Unicast Restrain: Unlimited
  MAC Learning            : Enabled
  MAC Table Limit         : -
  MAC Learning rate       : -
  Drop Unknown            : -
  Flooding                : Enabled
  Statistics              : Disabled
  Gateway Interface       : VSI-interface 1
  VXLAN ID                : 10
  Tunnels:
    Tunnel Name          Link ID    State    Type      Flood proxy
    Tunnel1              0x5000001  Up       Manual    Disabled
    Tunnel2              0x5000002  Up       Manual    Disabled
  ACs:
    AC                   Link ID    State    Type
    XGE1/0/1 srv1000     0          Up       Manual
# Verify that Switch A has created ARP entries for the VMs.
[SwitchA] display arp
Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport   I-Invalid
IP address      MAC address    VLAN/VSI  Interface/Link ID  Aging  Type
11.1.1.4        000c-29c1-5e46 11        Vlan11             19     D
10.1.1.2        3c8c-400d-867a 0         Tunnel1            20     D
10.1.1.11       0cda-41b5-cf09 0         0                  20     D
20.1.1.12       0001-0001-0001 1         Tunnel2            19     D
2. Verify the configuration on the border gateway Switch B:
# Verify that the VXLAN tunnel interfaces are up on Switch B.
[SwitchB] display interface tunnel 2
Tunnel2
Current state: UP
Line protocol state: UP
Description: Tunnel2 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 2.2.2.2, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that VSI-interface 1 is up.
[SwitchB] display interface vsi-interface 1
Vsi-interface1
Current state: UP
Line protocol state: UP
Description: Vsi-interface1 Interface
Bandwidth: 1000000 kbps
Maximum transmission unit: 1444
Internet address: 10.1.1.2/24 (primary)
IP packet frame type: Ethernet II, hardware address: 0011-2200-0102
IPv6 packet frame type: Ethernet II, hardware address: 0011-2200-0102
Physical: Unknown, baudrate: 1000000 kbps
Last clearing of counters: Never
Input (total):
0 packets, 0 bytes
Output (total):
0 packets, 0 bytes
# Verify that the VXLAN tunnels have been assigned to VXLAN 10, and VSI-interface 1 is the
gateway interface for VSI vpna.
[SwitchB] display l2vpn vsi name vpna verbose
VSI Name: vpna
  VSI Index               : 0
  VSI State               : Up
  MTU                     : 1500
  Bandwidth               : Unlimited
  Broadcast Restrain      : Unlimited
  Multicast Restrain      : Unlimited
  Unknown Unicast Restrain: Unlimited
  MAC Learning            : Enabled
  MAC Table Limit         : -
  MAC Learning rate       : -
  Drop Unknown            : -
  Flooding                : Enabled
  Statistics              : Disabled
  Gateway interface       : VSI-interface 1
  VXLAN ID                : 10
  Tunnels:
    Tunnel Name          Link ID    State    Type      Flood proxy
    Tunnel2              0x5000002  Up       Manual    Disabled
# Verify that Switch B has created ARP entries for the VMs.
[SwitchB] display arp
Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport   I-Invalid
IP address      MAC address    VLAN/VSI  Interface/Link ID  Aging  Type
12.1.1.4        0000-fc00-00ab 12        Vlan12             14     D
25.1.1.5        4431-9234-24bb 20        Vlan20             17     D
10.1.1.1        0001-0001-0001 0         Tunnel2            17     D
10.1.1.11       0001-0001-0001 0         Tunnel2            20     D
20.1.1.1        0002-0002-0002 1         Tunnel3            17     D
20.1.1.12       0002-0002-0002 1         Tunnel3            20     D
# Verify that Switch B has created FIB entries for the VMs.
[SwitchB] display fib 10.1.1.11
Destination count: 1 FIB entry count: 1
Flag:
  U:Usable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static
  R:Relay     F:FRR
Destination/Mask   Nexthop         Flag     OutInterface/Token       Label
10.1.1.11/32       10.1.1.11       UH       Vsi1                     Null
[SwitchB] display fib 20.1.1.12
Destination count: 1 FIB entry count: 1
Flag:
  U:Usable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static
  R:Relay     F:FRR
Destination/Mask   Nexthop         Flag     OutInterface/Token       Label
20.1.1.12/32       20.1.1.12       UH       Vsi3                     Null
3. Verify that the network connectivity for VMs meets the requirements:
# Verify that VM 1 and VM 3 can ping each other. (Details not shown.)
# Verify that VM 1 and VM 3 can ping VLAN-interface 20 (25.1.1.5) on Switch E for WAN access.
(Details not shown.)
Example: Configuring distributed VXLAN IPv6 gateways
Network configuration
As shown in Figure 21:
• Configure VXLAN 10 and VXLAN 20 as unicast-mode VXLANs on Switch A, Switch B, and
Switch C to provide connectivity for the VMs across the network sites.
• Manually establish VXLAN tunnels and assign the tunnels to the VXLANs.
• Configure distributed VXLAN IP gateways on Switch A and Switch C to forward traffic between
the VXLANs.
• Configure Switch B as a border gateway to forward traffic between the VXLANs and the WAN
connected to Switch E.
Figure 21 Network diagram
[Diagram not reproduced. Labels shown in the figure:]
Switch A: Loop0 1.1.1.1/32; Vlan-int11 11.1.1.1/24; VSI-int1 1::1/64 anycast; VSI-int2 4::1/64 anycast; WGE1/0/1 to Server 1 (VM 1, 1::100/64, VLAN 2)
Switch B: Loop0 2.2.2.2/32; Vlan-int12 12.1.1.2/24; VSI-int1 1::2/64; VSI-int2 4::2/64; Vlan-int20 3::200/64
Switch C: Loop0 3.3.3.3/32; Vlan-int13 13.1.1.3/24; VSI-int1 1::1/64 anycast; VSI-int2 4::1/64 anycast; WGE1/0/1 to Server 2 (VM 2, 4::400/64, VLAN 4)
Switch D (transport network): Vlan-int11 11.1.1.4/24; Vlan-int12 12.1.1.4/24; Vlan-int13 13.1.1.4/24
Switch E: Vlan-int20 3::300/64
Procedure
1. On VM 1 and VM 2, specify 1::1 and 4::1 as the gateway address, respectively. (Details not
shown.)
2. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 21. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D). (Details not
shown.)
# Configure OSPFv3 to advertise routes to networks 1::/64, 4::/64, and 3::/64 on Switch B and
Switch E. (Details not shown.)
3. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Set the VXLAN hardware resource mode.
[SwitchA] hardware-resource vxlan l3gw
# Create VSI vpna and VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Create VSI vpnb and VXLAN 20.
[SwitchA] vsi vpnb
[SwitchA-vsi-vpnb] vxlan 20
[SwitchA-vsi-vpnb-vxlan-20] quit
[SwitchA-vsi-vpnb] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnels to Switch B and Switch C.
[SwitchA] interface loopback 0
[SwitchA-Loopback0] ip address 1.1.1.1 255.255.255.255
[SwitchA-Loopback0] quit
# Create a VXLAN tunnel to Switch B. The tunnel interface name is Tunnel 1.
[SwitchA] interface tunnel 1 mode vxlan
[SwitchA-Tunnel1] source 1.1.1.1
[SwitchA-Tunnel1] destination 2.2.2.2
[SwitchA-Tunnel1] quit
# Create a VXLAN tunnel to Switch C. The tunnel interface name is Tunnel 2.
[SwitchA] interface tunnel 2 mode vxlan
[SwitchA-Tunnel2] source 1.1.1.1
[SwitchA-Tunnel2] destination 3.3.3.3
[SwitchA-Tunnel2] quit
# Assign Tunnel 1 and Tunnel 2 to VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] tunnel 1
[SwitchA-vsi-vpna-vxlan-10] tunnel 2
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Assign Tunnel 1 and Tunnel 2 to VXLAN 20.
[SwitchA] vsi vpnb
[SwitchA-vsi-vpnb] vxlan 20
[SwitchA-vsi-vpnb-vxlan-20] tunnel 1
[SwitchA-vsi-vpnb-vxlan-20] tunnel 2
[SwitchA-vsi-vpnb-vxlan-20] quit
[SwitchA-vsi-vpnb] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchA-Twenty-FiveGigE1/0/1] quit
# Enable dynamic ND entry synchronization for distributed VXLAN IP gateways.
[SwitchA] ipv6 nd distributed-gateway dynamic-entry synchronize
# Create VSI-interface 1 and assign the interface an IPv6 anycast address. The IP address will
be used as the gateway address for VXLAN 10.
[SwitchA] interface vsi-interface 1
[SwitchA-Vsi-interface1] ipv6 address 1::1/64 anycast
# Specify VSI-interface 1 as a distributed gateway and enable local ND proxy on the interface.
[SwitchA-Vsi-interface1] distributed-gateway local
[SwitchA-Vsi-interface1] local-proxy-nd enable
[SwitchA-Vsi-interface1] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] gateway vsi-interface 1
[SwitchA-vsi-vpna] quit
# Create VSI-interface 2 and assign the interface an IPv6 anycast address. The IP address will
be used as the gateway address for VXLAN 20.
[SwitchA] interface vsi-interface 2
[SwitchA-Vsi-interface2] ipv6 address 4::1/64 anycast
# Specify VSI-interface 2 as a distributed gateway and enable local ND proxy on the interface.
[SwitchA-Vsi-interface2] distributed-gateway local
[SwitchA-Vsi-interface2] local-proxy-nd enable
[SwitchA-Vsi-interface2] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchA] vsi vpnb
[SwitchA-vsi-vpnb] gateway vsi-interface 2
[SwitchA-vsi-vpnb] quit
# Configure an IPv6 static route. Set the destination address to 3::/64 and the next hop to 1::2.
[SwitchA] ipv6 route-static 3:: 64 1::2
4. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Set the VXLAN hardware resource mode.
[SwitchB] hardware-resource vxlan l3gw
# Create VSI vpna and VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Create VSI vpnb and VXLAN 20.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] vxlan 20
[SwitchB-vsi-vpnb-vxlan-20] quit
[SwitchB-vsi-vpnb] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnels to Switch A and Switch C.
[SwitchB] interface loopback 0
[SwitchB-Loopback0] ip address 2.2.2.2 255.255.255.255
[SwitchB-Loopback0] quit
# Create a VXLAN tunnel to Switch A. The tunnel interface name is Tunnel 2.
[SwitchB] interface tunnel 2 mode vxlan
[SwitchB-Tunnel2] source 2.2.2.2
[SwitchB-Tunnel2] destination 1.1.1.1
[SwitchB-Tunnel2] quit
# Create a VXLAN tunnel to Switch C. The tunnel interface name is Tunnel 3.
[SwitchB] interface tunnel 3 mode vxlan
[SwitchB-Tunnel3] source 2.2.2.2
[SwitchB-Tunnel3] destination 3.3.3.3
[SwitchB-Tunnel3] quit
# Assign Tunnel 2 and Tunnel 3 to VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] tunnel 2
[SwitchB-vsi-vpna-vxlan-10] tunnel 3
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Assign Tunnel 2 and Tunnel 3 to VXLAN 20.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] vxlan 20
[SwitchB-vsi-vpnb-vxlan-20] tunnel 2
[SwitchB-vsi-vpnb-vxlan-20] tunnel 3
[SwitchB-vsi-vpnb-vxlan-20] quit
[SwitchB-vsi-vpnb] quit
# Create VSI-interface 1 and assign the interface an IPv6 address.
[SwitchB] interface vsi-interface 1
[SwitchB-Vsi-interface1] ipv6 address 1::2/64
[SwitchB-Vsi-interface1] quit
# Create VSI-interface 2 and assign the interface an IPv6 address.
[SwitchB] interface vsi-interface 2
[SwitchB-Vsi-interface2] ipv6 address 4::2/64
[SwitchB-Vsi-interface2] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] gateway vsi-interface 1
[SwitchB-vsi-vpna] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] gateway vsi-interface 2
[SwitchB-vsi-vpnb] quit
5. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Set the VXLAN hardware resource mode.
[SwitchC] hardware-resource vxlan l3gw
# Create VSI vpna and VXLAN 10.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# Create VSI vpnb and VXLAN 20.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] vxlan 20
[SwitchC-vsi-vpnb-vxlan-20] quit
[SwitchC-vsi-vpnb] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnels to Switch A and Switch B.
[SwitchC] interface loopback 0
[SwitchC-Loopback0] ip address 3.3.3.3 255.255.255.255
[SwitchC-Loopback0] quit
# Create a VXLAN tunnel to Switch A. The tunnel interface name is Tunnel 1.
[SwitchC] interface tunnel 1 mode vxlan
[SwitchC-Tunnel1] source 3.3.3.3
[SwitchC-Tunnel1] destination 1.1.1.1
[SwitchC-Tunnel1] quit
# Create a VXLAN tunnel to Switch B. The tunnel interface name is Tunnel 3.
[SwitchC] interface tunnel 3 mode vxlan
[SwitchC-Tunnel3] source 3.3.3.3
[SwitchC-Tunnel3] destination 2.2.2.2
[SwitchC-Tunnel3] quit
# Assign Tunnel 1 and Tunnel 3 to VXLAN 10.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] tunnel 1
[SwitchC-vsi-vpna-vxlan-10] tunnel 3
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# Assign Tunnel 1 and Tunnel 3 to VXLAN 20.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] vxlan 20
[SwitchC-vsi-vpnb-vxlan-20] tunnel 1
[SwitchC-vsi-vpnb-vxlan-20] tunnel 3
[SwitchC-vsi-vpnb-vxlan-20] quit
[SwitchC-vsi-vpnb] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 4.
[SwitchC] interface twenty-fivegige 1/0/1
[SwitchC-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 4
# Map Ethernet service instance 1000 to VSI vpnb.
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpnb
[SwitchC-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchC-Twenty-FiveGigE1/0/1] quit
# Enable dynamic ND entry synchronization for distributed VXLAN IP gateways.
[SwitchC] ipv6 nd distributed-gateway dynamic-entry synchronize
# Create VSI-interface 1 and assign the interface an IPv6 anycast address. The IP address will
be used as the gateway address for VXLAN 10.
[SwitchC] interface vsi-interface 1
[SwitchC-Vsi-interface1] ipv6 address 1::1/64 anycast
# Specify VSI-interface 1 as a distributed gateway and enable local ND proxy on the interface.
[SwitchC-Vsi-interface1] distributed-gateway local
[SwitchC-Vsi-interface1] local-proxy-nd enable
[SwitchC-Vsi-interface1] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] gateway vsi-interface 1
[SwitchC-vsi-vpna] quit
# Create VSI-interface 2 and assign the interface an IPv6 anycast address. The IP address will
be used as the gateway address for VXLAN 20.
[SwitchC] interface vsi-interface 2
[SwitchC-Vsi-interface2] ipv6 address 4::1/64 anycast
# Specify VSI-interface 2 as a distributed gateway and enable local ND proxy on the interface.
[SwitchC-Vsi-interface2] distributed-gateway local
[SwitchC-Vsi-interface2] local-proxy-nd enable
[SwitchC-Vsi-interface2] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] gateway vsi-interface 2
[SwitchC-vsi-vpnb] quit
# Configure an IPv6 static route. Set the destination address to 3::/64 and the next hop to 4::2.
[SwitchC] ipv6 route-static 3:: 64 4::2
Verifying the configuration
1. Verify the distributed VXLAN IP gateway settings on Switch A:
# Verify that the VXLAN tunnel interfaces are up on Switch A.
[SwitchA] display interface tunnel 2
Tunnel2
Current state: UP
Line protocol state: UP
Description: Tunnel2 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 1.1.1.1, destination 3.3.3.3
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the VSI interfaces are up.
[SwitchA] display interface vsi-interface 1
Vsi-interface1
Current state: UP
Line protocol state: UP
Description: Vsi-interface1 Interface
Bandwidth: 1000000 kbps
Maximum transmission unit: 1444
Internet protocol processing: Disabled
IP packet frame type: Ethernet II, hardware address: 0011-2200-0102
IPv6 packet frame type: Ethernet II, hardware address: 0011-2200-0102
Physical: Unknown, baudrate: 1000000 kbps
Last clearing of counters: Never
Input (total): 0 packets, 0 bytes
Output (total): 0 packets, 0 bytes
# Verify that the VXLAN tunnels have been assigned to the VXLANs, and the VSI interfaces are
the gateway interfaces for the VSIs.
[SwitchA] display l2vpn vsi verbose
VSI Name: vpna
  VSI Index               : 0
  VSI State               : Up
  MTU                     : 1500
  Bandwidth               : Unlimited
  Broadcast Restrain      : Unlimited
  Multicast Restrain      : Unlimited
  Unknown Unicast Restrain: Unlimited
  MAC Learning            : Enabled
  MAC Table Limit         : -
  MAC Learning rate       : -
  Drop Unknown            : -
  Flooding                : Enabled
  Statistics              : Disabled
  Gateway Interface       : VSI-interface 1
  VXLAN ID                : 10
  Tunnels:
    Tunnel Name          Link ID    State    Type        Flood proxy
    Tunnel1              0x5000001  Up       Manual      Disabled
    Tunnel2              0x5000002  Up       Manual      Disabled
  ACs:
    AC                   Link ID    State    Type
    XGE1/0/1 srv1000     0          Up       Manual
VSI Name: vpnb
  VSI Index               : 0
  VSI State               : Up
  MTU                     : 1500
  Bandwidth               : -
  Broadcast Restrain      : Unlimited
  Multicast Restrain      : Unlimited
  Unknown Unicast Restrain: Unlimited
  MAC Learning            : Enabled
  MAC Table Limit         : -
  MAC Learning rate       : -
  Drop Unknown            : -
  Flooding                : Enabled
  Statistics              : Disabled
  Gateway Interface       : VSI-interface 2
  VXLAN ID                : 20
  Tunnels:
    Tunnel Name          Link ID    State    Type        Flood proxy
    Tunnel1              0x5000001  Up       Manual      Disabled
    Tunnel2              0x5000002  Up       Manual      Disabled
# Verify that Switch A has created neighbor entries for the VMs.
[SwitchA] display ipv6 neighbors all
Type: S-Static    D-Dynamic    O-Openflow    R-Rule    I-Invalid
IPv6 address             Link layer      VID  Interface  State  T  Age
1::2                     3c8c-400d-867a  0    Tunnel1    STALE  D  7
1::100                   0001-0000-0047  0    0          STALE  D  22
4::400                   0002-0000-0047  1    Tunnel2    REACH  D  5
FE80::201:FF:FE00:47     0001-0000-0047  0    Tunnel1    REACH  D  30
FE80::202:FF:FE00:0      0002-0000-0000  1    Tunnel2    REACH  D  27
FE80::202:FF:FE00:47     0002-0000-0047  0    0          DELAY  D  5
# Verify that Switch A has created FIB entries for the VMs.
[SwitchA] display ipv6 fib 4::400
Destination count: 1 FIB entry count: 1
Flag:
  U:Usable   G:Gateway   R:Relay   F:FRR
  H:Host     B:Blackhole D:Dynamic S:Static
Destination: 4::400                     Prefix length: 128
Nexthop    : 4::400                     Flags: UH
Time stamp : 0x2c                       Label: Null
Interface  : Tunnel2                    Token: Invalid
[SwitchA] display ipv6 fib 3::300
Destination count: 1 FIB entry count: 1
Flag:
  U:Usable   G:Gateway   R:Relay   F:FRR
  H:Host     B:Blackhole D:Dynamic S:Static
Destination: 3::                        Prefix length: 40
Nexthop    : 1::2                       Flags: USGR
Time stamp : 0x23                       Label: Null
Interface  : Tunnel1                    Token: Invalid
2. Verify the configuration on the border gateway Switch B:
# Verify that the VXLAN tunnel interfaces are up on Switch B.
[SwitchB] display interface tunnel 2
Tunnel2
Current state: UP
Line protocol state: UP
Description: Tunnel2 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 2.2.2.2, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the VSI interfaces are up.
[SwitchB] display interface Vsi-interface 1
Vsi-interface1
Current state: UP
Line protocol state: UP
Description: Vsi-interface1 Interface
Bandwidth: 1000000 kbps
Maximum transmission unit: 1444
Internet protocol processing: Disabled
IP packet frame type: Ethernet II, hardware address: 0011-2200-0102
IPv6 packet frame type: Ethernet II, hardware address: 0011-2200-0102
Physical: Unknown, baudrate: 1000000 kbps
Last clearing of counters: Never
Input (total): 0 packets, 0 bytes
Output (total): 0 packets, 0 bytes
# Verify that the VXLAN tunnels have been assigned to the VXLANs, and the VSI interfaces are
the gateway interfaces for the VSIs.
[SwitchB] display l2vpn vsi name vpna verbose
VSI Name: vpna
  VSI Index               : 0
  VSI State               : Up
  MTU                     : 1500
  Bandwidth               : Unlimited
  Broadcast Restrain      : Unlimited
  Multicast Restrain      : Unlimited
  Unknown Unicast Restrain: Unlimited
  MAC Learning            : Enabled
  MAC Table Limit         : -
  MAC Learning rate       : -
  Drop Unknown            : -
  Flooding                : Enabled
  Statistics              : Disabled
  Gateway interface       : VSI-interface 1
  VXLAN ID                : 10
  Tunnels:
    Tunnel Name          Link ID    State    Type        Flood proxy
    Tunnel1              0x5000001  Up       Manual      Disabled
    Tunnel2              0x5000002  Up       Manual      Disabled
# Verify that Switch B has created neighbor entries for the VMs.
[SwitchB] display ipv6 neighbors all
Type: S-Static    D-Dynamic    O-Openflow    R-Rule    I-Invalid
IPv6 address             Link layer      VID  Interface  State  T  Age
3::300                   0003-0000-0047  20   Vlan20     DELAY  D  3
FE80::203:FF:FE00:47     0003-0000-0047  20   Vlan20     STALE  D  222
1::100                   0001-0000-0047  0    Tunnel2    STALE  D  232
4::400                   0002-0000-0047  1    Tunnel3    REACH  D  3
FE80::201:FF:FE00:0      0001-0000-0000  0    Tunnel2    STALE  D  237
FE80::201:FF:FE00:47     0001-0000-0047  20   Vlan20     STALE  D  222
FE80::202:FF:FE00:0      0002-0000-0000  1    Tunnel3    STALE  D  345
# Verify that Switch B has created FIB entries for the VMs.
[SwitchB] display ipv6 fib 1::100
Destination count: 1 FIB entry count: 1
Flag:
  U:Usable   G:Gateway   R:Relay   F:FRR
  H:Host     B:Blackhole D:Dynamic S:Static
Destination: 1::100                     Prefix length: 128
Nexthop    : 1::100                     Flags: UH
Time stamp : 0x21                       Label: Null
Interface  : Tunnel2                    Token: Invalid
[SwitchB] display ipv6 fib 4::400
Destination count: 1 FIB entry count: 1
Flag:
  U:Usable   G:Gateway   R:Relay   F:FRR
  H:Host     B:Blackhole D:Dynamic S:Static
Destination: 4::                        Prefix length: 64
Nexthop    : ::                         Flags: U
Time stamp : 0x19                       Label: Null
Interface  : Tunnel3                    Token: Invalid
3. Verify the network connectivity for the VMs:
# Verify that VM 1 and VM 2 can ping each other. (Details not shown.)
# Verify that VM 1, VM 2, and VLAN-interface 20 (3::300) on Switch E can ping each other.
(Details not shown.)
Configuring VXLAN-DCI
About VXLAN-DCI
VXLAN tunnels are used only for intra-data center connection. To provide Layer 2 connectivity
between data centers over an IP transport network, you can use VXLAN data center interconnect
(VXLAN-DCI) tunnels.
VXLAN-DCI network model
As shown in Figure 22, the VXLAN-DCI network contains edge devices (EDs) located at the edge of
the transport network and VTEPs located at the data center sites. VXLAN tunnels are established
between VTEPs and EDs, and VXLAN-DCI tunnels are established between EDs. VXLAN-DCI
tunnels use VXLAN encapsulation. Each ED de-encapsulates received VXLAN packets and then
re-encapsulates them based on the destination before forwarding them through a VXLAN or
VXLAN-DCI tunnel.
Figure 22 VXLAN-DCI network model
Working mechanisms
In a VXLAN-DCI network, VTEPs use MAC address entries to perform Layer 2 forwarding for
VXLANs, and EDs perform Layer 3 forwarding based on ARP or ND entries.
As shown in Figure 23, a VSI interface uses the same IP address to provide gateway services for a
VXLAN on different EDs. Local proxy ARP or local ND proxy is enabled on the EDs.
Figure 23 VXLAN-DCI working mechanisms
Intra-VXLAN traffic forwarding between sites
As shown in Figure 23, the network uses the following process to forward traffic in a VXLAN between
sites (for example, from VM 1 to VM 4 in VXLAN 10):
1. VM 1 sends an ARP request to obtain the MAC address of VM 4.
2. VTEP 1 learns the MAC address of VM 1 and floods the ARP request in VXLAN 10.
3. ED 1 performs the following operations:
   a. Removes the VXLAN encapsulation of the ARP request.
   b. Creates an ARP entry for VM 1 and replies with the MAC address of VSI-interface 10 (the
      gateway interface for VXLAN 10). The ARP reply is sent to VTEP 1.
4. VTEP 1 removes the VXLAN encapsulation of the ARP reply, learns the MAC address of ED 1,
   and forwards the ARP reply to VM 1.
5. VM 1 creates an ARP entry for VM 4. The MAC address in the entry is the MAC address of
   VSI-interface 10 on ED 1.
6. ED 1 replaces the sender MAC address of the request with the MAC address of VSI-interface
   10 on ED 1, and then floods the request to the remote EDs in VXLAN 10.
7. ED 2 performs the following operations:
   a. Removes the VXLAN encapsulation of the ARP request.
   b. Creates an ARP entry for VM 1. The entry contains VM 1's IP address (10.1.1.100), the
      MAC address of VSI-interface 10 on ED 1, and the incoming VXLAN-DCI tunnel interface.
   c. Replaces the sender MAC address of the request with the MAC address of VSI-interface 10
      on ED 2, and then floods the request on all VXLAN tunnels of VXLAN 10.
8. VTEP 2 removes the VXLAN encapsulation of the ARP request, learns the MAC address of ED
   2, and floods the ARP request to the local site.
9. VM 4 creates an ARP entry for VM 1, and then sends a reply to VTEP 2. The MAC address in
   the ARP entry is the MAC address of VSI-interface 10 on ED 2.
10. VTEP 2 looks up the MAC address table and forwards the ARP reply to ED 2.
11. ED 2 performs the following operations:
   a. Removes the VXLAN encapsulation of the ARP reply.
   b. Creates an ARP entry for VM 4.
   c. Replaces the sender MAC address of the ARP reply with the MAC address of VSI-interface
      10 on ED 2, and sends the reply to ED 1.
12. ED 1 performs the following operations:
   a. Removes the VXLAN encapsulation of the ARP reply.
   b. Creates an ARP entry for VM 4. The entry contains VM 4's IP address (10.1.1.200), the
      MAC address of VSI-interface 10 on ED 2, and the incoming VXLAN-DCI tunnel interface.
13. For subsequent traffic between VM 1 and VM 4, the VTEPs and EDs use their respective MAC
   address tables and ARP tables to make the forwarding decision.
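The following Python model is an added example, not part of the HPE guide. It replays steps 1 through 12 above to show which MAC address each device ends up holding, then applies the invariant those steps imply: on an ED, every ARP entry learned on a VXLAN-DCI tunnel carries a peer ED's VSI-interface MAC. The MAC addresses, class names, and function names are constructed for illustration; VTEPs are left out because they only forward at Layer 2, and ED 2's entry for VM 4 is assumed to hold VM 4's own MAC.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Arp:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str

class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac, self.arp = ip, mac, {}   # arp: ip -> mac

    def learn(self, pkt):
        self.arp[pkt.sender_ip] = pkt.sender_mac

class ED:
    """Edge device: gateway for the VXLAN with local proxy ARP enabled."""
    def __init__(self, name, vsi_mac):
        self.name, self.vsi_mac = name, vsi_mac
        self.arp = {}                               # ip -> (mac, learned-on interface)

    def learn(self, pkt, in_if):
        self.arp[pkt.sender_ip] = (pkt.sender_mac, in_if)

    def proxy_reply(self, req):
        # Local proxy ARP: answer for the target with the VSI interface MAC.
        return Arp("reply", req.target_ip, self.vsi_mac, req.sender_ip)

    def rewrite(self, pkt):
        # Before forwarding, the ED substitutes its own VSI MAC as sender MAC.
        return replace(pkt, sender_mac=self.vsi_mac)

def resolve(src, dst, ed_local, ed_remote):
    """Replay the inter-site ARP exchange for src resolving dst."""
    req = Arp("request", src.ip, src.mac, dst.ip)    # step 1
    ed_local.learn(req, "vxlan-tunnel")              # step 3b
    src.learn(ed_local.proxy_reply(req))             # steps 3b to 5
    req = ed_local.rewrite(req)                      # step 6
    ed_remote.learn(req, "vxlan-dci-tunnel")         # step 7b
    req = ed_remote.rewrite(req)                     # step 7c
    dst.learn(req)                                   # step 9
    rep = Arp("reply", dst.ip, dst.mac, src.ip)      # step 9
    ed_remote.learn(rep, "vxlan-tunnel")             # step 11b (assumed: VM's own MAC)
    rep = ed_remote.rewrite(rep)                     # step 11c
    ed_local.learn(rep, "vxlan-dci-tunnel")          # step 12b

def dci_anomalies(ed, peer_vsi_macs):
    """IPs learned on a DCI tunnel whose MAC is not a peer ED's VSI MAC."""
    return sorted(ip for ip, (mac, ifc) in ed.arp.items()
                  if ifc == "vxlan-dci-tunnel" and mac not in peer_vsi_macs)

def demo():
    # IP addresses are the ones used in the steps; MAC addresses are constructed.
    vm1 = Host("10.1.1.100", "0000-0000-0001")
    vm4 = Host("10.1.1.200", "0000-0000-0004")
    ed1 = ED("ED1", "0011-2200-0a01")
    ed2 = ED("ED2", "0011-2200-0a02")
    resolve(vm1, vm4, ed1, ed2)
    return vm1, vm4, ed1, ed2

if __name__ == "__main__":
    vm1, vm4, ed1, ed2 = demo()
    for node in (ed1, ed2):
        print(node.name, node.arp)
    print("VM 1:", vm1.arp, "VM 4:", vm4.arp)
```

Neither VM ever learns the other's real MAC address, so an ARP baseline for this design has to be built per site around the local ED's VSI-interface MAC.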
Inter-VXLAN traffic forwarding between sites
As shown in Figure 23, the network uses the following process to forward traffic between VXLANs
(for example, from VM 1 in VXLAN 10 to VM 5 in VXLAN 20):
1. VM 1 sends an ARP request to obtain the MAC address of the gateway at 10.1.1.1.
2. VTEP 1 learns the MAC address of VM 1 and floods the ARP request in VXLAN 10.
3. ED 1 performs the following operations:
   a. Removes the VXLAN encapsulation of the ARP request.
   b. Creates an ARP entry for VM 1 and replies with the MAC address of VSI-interface 10 (the
      gateway interface for VXLAN 10). The ARP reply is sent to VTEP 1.
4. VTEP 1 removes the VXLAN encapsulation of the ARP reply, learns the MAC address of ED 1,
   and forwards the ARP reply to VM 1.
5. VM 1 creates an ARP entry for the gateway and sends the packet destined for VM 5 to VTEP 1.
6. VTEP 1 looks up the MAC address table and forwards the packet to ED 1.
7. ED 1 performs the following operations:
   a. Removes the VXLAN encapsulation of the packet and looks up the routing table based on
      the destination IP address.
   b. Sends an ARP request to the local VTEP and remote ED of VXLAN 20 to obtain the MAC
      address of VM 5. In the ARP request, the sender IP address is 20.1.1.1, and the sender
      MAC address is the MAC address of VSI-interface 20 on ED 1.
8. ED 2 performs the following operations:
   a. Removes the VXLAN encapsulation of the ARP request.
   b. Replaces the sender MAC address of the request with the MAC address of VSI-interface 20
      on ED 2, and then floods the request on all VXLAN tunnels of VXLAN 20.
9. VTEP 2 removes the VXLAN encapsulation of the ARP request, learns the MAC address of ED
   2, and floods the ARP request to the local site.
10. VM 5 creates an ARP entry for ED 2 and sends a reply to VTEP 2. The MAC address in the ARP
   entry is the MAC address of VSI-interface 20 on ED 2.
11. VTEP 2 looks up the MAC address table and forwards the ARP reply to ED 2.
12. ED 2 performs the following operations:
   a. Removes the VXLAN encapsulation of the ARP reply.
   b. Creates an ARP entry for VM 5.
   c. Sends a gratuitous ARP packet to ED 1. In the packet, the sender and target IP address is
      20.1.1.200, and the sender MAC address is the MAC address of VSI-interface 20 on ED 2.
13. ED 1 performs the following operations:
   a. Removes the VXLAN encapsulation of the packet.
   b. Creates an ARP entry for VM 5. The entry contains VM 5's IP address (20.1.1.200), the
      MAC address of VSI-interface 20 on ED 2, and the incoming VXLAN-DCI tunnel interface.
14. For subsequent traffic between VM 1 and VM 5, the VTEPs and EDs use their respective MAC
   address tables and ARP tables to make the forwarding decision.
VXLAN-DCI tasks at a glance
To configure a VXLAN-DCI network, perform the following tasks:
• Configure routing protocols on the transport network for EDs to reach one another.
• Configure routing protocols on EDs and VTEPs for them to reach one another.
• Configure VXLANs on EDs and VTEPs, and set up VXLAN tunnels between EDs and VTEPs.
• Configure VXLAN-DCI on EDs, and set up VXLAN-DCI tunnels between EDs.
To configure VXLAN-DCI on an ED, perform the following tasks:
1. Configuring the VXLAN hardware resource mode
   For more information, see "Setting the VXLAN hardware resource mode."
2. Creating a VXLAN on a VSI
   For more information, see "Creating a VXLAN on a VSI."
3. Configuring a VXLAN-DCI tunnel
4. Assigning VXLAN-DCI tunnels to a VXLAN
5. Configuring a gateway interface on an ED
6. Configuring optional parameters for a VSI interface
   For more information, see "Configuring a VSI interface."
7. Setting the VXLAN-DCI Layer 2 forwarding mode and the MAC learning mode
8. Configuring VXLAN packet parameters
   ◦ Setting the destination UDP port number of VXLAN packets
     For more information, see "Setting the destination UDP port number of VXLAN packets."
   ◦ Configuring VXLAN packet check
     For more information, see "Configuring VXLAN packet check."
9. Enabling packet statistics for VXLAN-DCI
   ◦ Enabling packet statistics for a VSI
     For more information, see "Enabling packet statistics for a VSI."
   ◦ Enabling packet statistics for manually created VXLAN-DCI tunnels
NOTE:
This chapter covers only the VXLAN-DCI configuration tasks available on an ED. For more
information about basic VXLAN configuration and VXLAN IP gateway configuration, see
"Configuring basic VXLAN features" and "Configuring VXLAN IP gateways."
Configuring a VXLAN-DCI tunnel
Restrictions and guidelines
You must specify the tunnel source and destination IP addresses when you manually set up a
VXLAN-DCI tunnel between EDs. As a best practice, do not configure the same tunnel source and
destination addresses for different VXLAN-DCI tunnels on an ED.
This task provides basic VXLAN-DCI tunnel configuration. For more information about tunnel
configuration and commands, see Layer 3—IP Services Configuration Guide and Layer 3—IP
Services Command Reference.
Procedure
1. Enter system view.
   system-view
2. Create a VXLAN-DCI tunnel interface and enter tunnel interface view.
   interface tunnel tunnel-number mode vxlan-dci
   The endpoints of a tunnel must use the same tunnel mode.
3. Specify a source address for the tunnel. Choose one of the following tasks:
   ◦ Specify a source IP address.
     source ipv4-address
     The specified IP address is used as the source IP address in the outer IP header of tunneled
     VXLAN packets.
   ◦ Specify a source interface.
     source interface-type interface-number
     The primary IP address of the specified interface is used as the source IP address in the
     outer IP header of tunneled VXLAN packets.
   By default, no source address is specified for a tunnel.
4. Specify a destination IP address for the tunnel.
   destination ipv4-address
   By default, no destination IP address is specified for a tunnel.
   Specify the remote ED's IP address. This IP address will be the destination IP address in the
   outer IP header of tunneled VXLAN packets.
Assigning VXLAN-DCI tunnels to a VXLAN
About VXLAN-DCI tunnel assignment
To provide connectivity for a VXLAN between two EDs, you must assign the VXLAN-DCI tunnel
between the EDs to the VXLAN.
You can assign multiple VXLAN-DCI tunnels to a VXLAN, and configure a VXLAN-DCI tunnel to
trunk multiple VXLANs. EDs use the VXLAN ID in VXLAN packets to identify the VXLAN. For a
unicast-mode VXLAN, the system floods unknown unicast, multicast, and broadcast traffic to each
VXLAN-DCI tunnel associated with the VXLAN.
Restrictions and guidelines
For full connectivity in the VXLAN, make sure the VXLAN contains the VXLAN-DCI tunnel between
each pair of EDs in the VXLAN.
Procedure
1. Enter system view.
   system-view
2. Enter VSI view.
   vsi vsi-name
3. Enter VXLAN view.
   vxlan vxlan-id
4. Assign VXLAN-DCI tunnels to the VXLAN.
   tunnel { tunnel-number | all }
   By default, a VXLAN does not contain any VXLAN-DCI tunnels.
Configuring a gateway interface on an ED
1. Enter system view.
   system-view
2. Create a VSI interface and enter VSI interface view.
   interface vsi-interface vsi-interface-id
3. Assign an IP address to the VSI interface.
   IPv4:
   ip address ip-address { mask | mask-length } [ sub ]
   IPv6:
   See IPv6 basics in Layer 3—IP Services Configuration Guide.
   By default, no IP address is assigned to a VSI interface.
4. Specify the VSI interface as a distributed gateway.
   distributed-gateway local
   By default, a VSI interface is not a distributed gateway.
5. Enable local proxy ARP or local ND proxy.
   IPv4:
   local-proxy-arp enable [ ip-range startIP to endIP ]
   By default, local proxy ARP is disabled.
   For more information about this command, see proxy ARP commands in Layer 3—IP Services
   Command Reference.
   IPv6:
   local-proxy-nd enable
   By default, local ND proxy is disabled.
   For more information about this command, see IPv6 basics commands in Layer 3—IP Services
   Command Reference.
6. Bring up the VSI interface.
   undo shutdown
   By default, a VSI interface is up.
7. Return to system view.
   quit
8. Enter VSI view.
   vsi vsi-name
9. Specify the VSI interface as the gateway interface for the VSI.
   gateway vsi-interface vsi-interface-id
   By default, no gateway interface is specified for a VSI.
Setting the VXLAN-DCI Layer 2 forwarding mode and the MAC learning mode
About the VXLAN-DCI Layer 2 forwarding mode and the MAC learning mode
By default, an ED uses MAC forwarding mode, which means forwarding Layer 2 traffic based on the
destination MAC address. If the network contains a large number of user terminals, use double-VID
or SVID-only forwarding mode to reduce the MAC address table size and avoid forwarding failure
caused by MAC address conflicts. For correct forwarding, make sure the traffic of a VLAN is
forwarded along the same path.
In double-VID or SVID-only forwarding mode, an ED forwards the traffic received from a VXLAN
tunnel based on the VLAN information. The ED can perform MAC address table lookup based on the
outer VLAN ID or both the inner and outer VLAN IDs. If double-VID or SVID-only forwarding mode is
used, make sure the VSI's MAC address table contains VLAN-based MAC address entries. The
entries can be manually created or dynamically learned.
An ED supports the following MAC learning modes for VXLAN tunnels:
• Source MAC learning mode—The ED generates MAC address entries based on the
  source MAC addresses of data frames.
• SVID-only learning mode—The ED generates MAC address entries based on the outer
  VLAN IDs (SVLAN tags) of data frames. The MAC address in a MAC address entry uses the
  0-SVLAN tag-0 format.
• Double-VID learning mode—The ED generates MAC address entries based on the inner
  and outer VLAN IDs (CVLAN and SVLAN tags) of data frames. The MAC address in a MAC
  address entry uses the 0-SVLAN tag-CVLAN tag format.
In any of the learning modes, the outgoing interface in a MAC address entry is the VXLAN tunnel
interface where the entry is learned.
Both VXLAN tunnels and VXLAN-DCI tunnels support the Layer 2 forwarding mode and the MAC
learning mode. For information about VXLAN tunnel configuration, see "Setting the VXLAN Layer 2
forwarding mode and the MAC learning mode."
For correct forwarding, the VXLAN tunnels and VXLAN-DCI tunnels of a VSI must use matching
MAC learning modes and Layer 2 forwarding modes. For example, if a VSI has a VXLAN tunnel and
a VXLAN-DCI tunnel, the following requirements must be met:
• If the VXLAN tunnel uses MAC forwarding mode, the VXLAN-DCI tunnel must use source MAC
  learning mode. If the VXLAN-DCI tunnel uses MAC forwarding mode, the VXLAN tunnel must
  use source MAC learning mode.
• If the VXLAN tunnel uses SVID-only forwarding mode, the VXLAN-DCI tunnel must use
  SVID-only learning mode. If the VXLAN-DCI tunnel uses SVID-only forwarding mode, the
  VXLAN tunnel must use SVID-only learning mode.
• If the VXLAN tunnel uses double-VID forwarding mode, the VXLAN-DCI tunnel must use
  double-VID learning mode. If the VXLAN-DCI tunnel uses double-VID forwarding mode, the
  VXLAN tunnel must use double-VID learning mode.
Prerequisites for the VXLAN-DCI Layer 2 forwarding mode and the MAC learning mode configuration
Before you set the VXLAN-DCI Layer 2 forwarding mode, execute the mac-address
mac-learning ingress command in system view. For more information about the command,
see MAC address table commands in Layer 2—LAN Switching Command Reference.
Procedure
1. Enter system view.
   system-view
2. Enter VXLAN-DCI tunnel interface view.
   interface tunnel tunnel-number [ mode vxlan-dci ]
3. Set the VXLAN-DCI Layer 2 forwarding mode.
   forwarding mode { double-vid | mac | svid-only }
   By default, MAC forwarding mode is used.
4. Configure static or dynamic MAC address entry settings.
   ◦ Execute the following commands in sequence to configure a static VLAN-based MAC
     address entry.
     quit
     mac-address static mac-address interface tunnel tunnel-number vsi vsi-name
     The MAC address in a static VLAN-based MAC address entry uses the 0-SVLAN
     tag-CVLAN tag or 0-SVLAN tag-0 format.
   ◦ Set the MAC learning mode.
     learning mode { disable | double-vid | mac | svid-only }
     By default, source MAC learning mode is enabled.
     If a VXLAN-DCI tunnel uses the source MAC, double-VID, or SVID-only learning mode,
     remote-MAC address learning must be enabled on the tunnel.
Enabling packet statistics for manually created VXLAN-DCI tunnels
About packet statistics of VXLAN-DCI tunnels
Perform this task to enable packet statistics for manually created VXLAN-DCI tunnels on a
per-tunnel interface basis. To display the packet statistics for a VXLAN-DCI tunnel, use the
display interface tunnel command in any view. To clear the packet statistics for a
VXLAN-DCI tunnel, use the reset counters interface tunnel command in user view.
Procedure
1. Enter system view.
   system-view
2. Enter VXLAN-DCI tunnel interface view.
   interface tunnel tunnel-number [ mode vxlan-dci ]
3. Enable packet statistics for the tunnel.
   statistics enable
   By default, the packet statistics feature is disabled for manually created VXLAN-DCI tunnels.
Display and maintenance commands for VXLAN-DCI
Execute display commands in any view and reset commands in user view.
Task                                              Command
Display information about VSIs.                   display l2vpn vsi [ name vsi-name ] [ verbose ]
Display information about tunnel interfaces.      display interface [ tunnel [ number ] ] [ brief [ description | down ] ]
Display VXLAN-DCI tunnel information for VXLANs.  display vxlan tunnel [ vxlan-id vxlan-id ]
Clear packet statistics on VSIs.                  reset l2vpn statistics vsi [ name vsi-name ]
NOTE:
For more information about the display interface tunnel command, see tunneling
commands in Layer 3—IP Services Command Reference.
VXLAN-DCI configuration examples
Example: Configuring a basic VXLAN-DCI network
Network configuration
As shown in Figure 24:
• Configure VXLAN 10 and VXLAN 20 as unicast-mode VXLANs on Switch A, Switch B, Switch D,
  and Switch E to provide connectivity for the VMs across the data center sites.
• Configure Switch A and Switch E as VTEPs, and Switch B and Switch D as EDs.
• Manually establish VXLAN tunnels and VXLAN-DCI tunnels, and assign the tunnels to the
  VXLANs.
Figure 24 Network diagram
Procedure
1. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 24. (Details not shown.)
# Configure OSPF on Switches A through E. (Details not shown.)
# Configure OSPF to advertise routes to networks 10.1.1.0/24 and 10.1.2.0/24 on Switch B and
Switch D. (Details not shown.)
2. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Create VSI vpna and VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Create VSI vpnb and VXLAN 20.
[SwitchA] vsi vpnb
[SwitchA-vsi-vpnb] vxlan 20
[SwitchA-vsi-vpnb-vxlan-20] quit
[SwitchA-vsi-vpnb] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnel to Switch B.
[SwitchA] interface loopback 0
[SwitchA-Loopback0] ip address 1.1.1.1 255.255.255.255
[SwitchA-Loopback0] quit
# Create a VXLAN tunnel to Switch B. The tunnel interface name is Tunnel 1.
[SwitchA] interface tunnel 1 mode vxlan
[SwitchA-Tunnel1] source 1.1.1.1
[SwitchA-Tunnel1] destination 2.2.2.2
[SwitchA-Tunnel1] quit
# Assign Tunnel 1 to VXLAN 10.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] tunnel 1
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Assign Tunnel 1 to VXLAN 20.
[SwitchA] vsi vpnb
[SwitchA-vsi-vpnb] vxlan 20
[SwitchA-vsi-vpnb-vxlan-20] tunnel 1
[SwitchA-vsi-vpnb-vxlan-20] quit
[SwitchA-vsi-vpnb] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 100.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 100
# Map Ethernet service instance 1000 on Twenty-FiveGigE 1/0/1 to VSI vpna.
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchA-Twenty-FiveGigE1/0/1] quit
# On Twenty-FiveGigE 1/0/2, create Ethernet service instance 1000 to match VLAN 200.
[SwitchA] interface twenty-fivegige 1/0/2
[SwitchA-Twenty-FiveGigE1/0/2] service-instance 1000
[SwitchA-Twenty-FiveGigE1/0/2-srv1000] encapsulation s-vid 200
# Map Ethernet service instance 1000 on Twenty-FiveGigE 1/0/2 to VSI vpnb.
[SwitchA-Twenty-FiveGigE1/0/2-srv1000] xconnect vsi vpnb
[SwitchA-Twenty-FiveGigE1/0/2-srv1000] quit
[SwitchA-Twenty-FiveGigE1/0/2] quit
3. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Set the VXLAN hardware resource mode.
[SwitchB] hardware-resource vxlan l3gw
# Create VSI vpna and VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Create VSI vpnb and VXLAN 20.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] vxlan 20
[SwitchB-vsi-vpnb-vxlan-20] quit
[SwitchB-vsi-vpnb] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnel to Switch A and the VXLAN-DCI tunnel to Switch D.
[SwitchB] interface loopback 0
[SwitchB-Loopback0] ip address 2.2.2.2 255.255.255.255
[SwitchB-Loopback0] quit
# Create a VXLAN tunnel to Switch A. The tunnel interface name is Tunnel 1.
[SwitchB] interface tunnel 1 mode vxlan
[SwitchB-Tunnel1] source 2.2.2.2
[SwitchB-Tunnel1] destination 1.1.1.1
[SwitchB-Tunnel1] quit
# Create a VXLAN-DCI tunnel to Switch D. The tunnel interface name is Tunnel 2.
[SwitchB] interface tunnel 2 mode vxlan-dci
[SwitchB-Tunnel2] source 2.2.2.2
[SwitchB-Tunnel2] destination 3.3.3.3
[SwitchB-Tunnel2] quit
# Assign Tunnel 1 and Tunnel 2 to VXLAN 10.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] tunnel 1
[SwitchB-vsi-vpna-vxlan-10] tunnel 2
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Assign Tunnel 1 and Tunnel 2 to VXLAN 20.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] vxlan 20
[SwitchB-vsi-vpnb-vxlan-20] tunnel 1
[SwitchB-vsi-vpnb-vxlan-20] tunnel 2
[SwitchB-vsi-vpnb-vxlan-20] quit
[SwitchB-vsi-vpnb] quit
# Create VSI-interface 1 and assign the interface an IP address. The IP address will be used as
the gateway address for VXLAN 10.
[SwitchB] interface vsi-interface 1
[SwitchB-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
# Specify VSI-interface 1 as a distributed gateway and enable local proxy ARP on the interface.
[SwitchB-Vsi-interface1] distributed-gateway local
[SwitchB-Vsi-interface1] local-proxy-arp enable
[SwitchB-Vsi-interface1] quit
# Create VSI-interface 2 and assign the interface an IP address. The IP address will be used as
the gateway address for VXLAN 20.
[SwitchB] interface vsi-interface 2
[SwitchB-Vsi-interface2] ip address 10.1.2.1 255.255.255.0
# Specify VSI-interface 2 as a distributed gateway and enable local proxy ARP on the interface.
[SwitchB-Vsi-interface2] distributed-gateway local
[SwitchB-Vsi-interface2] local-proxy-arp enable
[SwitchB-Vsi-interface2] quit
# Enable dynamic ARP entry synchronization for distributed VXLAN IP gateways.
[SwitchB] arp distributed-gateway dynamic-entry synchronize
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] gateway vsi-interface 1
[SwitchB-vsi-vpna] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] gateway vsi-interface 2
[SwitchB-vsi-vpnb] quit
4. Configure Switch D:
# Enable L2VPN.
<SwitchD> system-view
[SwitchD] l2vpn enable
# Set the VXLAN hardware resource mode.
[SwitchD] hardware-resource vxlan l3gw
# Create VSI vpna and VXLAN 10.
[SwitchD] vsi vpna
[SwitchD-vsi-vpna] vxlan 10
[SwitchD-vsi-vpna-vxlan-10] quit
[SwitchD-vsi-vpna] quit
# Create VSI vpnb and VXLAN 20.
[SwitchD] vsi vpnb
[SwitchD-vsi-vpnb] vxlan 20
[SwitchD-vsi-vpnb-vxlan-20] quit
[SwitchD-vsi-vpnb] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN-DCI tunnel to Switch B and the VXLAN tunnel to Switch E.
[SwitchD] interface loopback 0
[SwitchD-Loopback0] ip address 3.3.3.3 255.255.255.255
[SwitchD-Loopback0] quit
# Create a VXLAN tunnel to Switch E. The tunnel interface name is Tunnel 1.
[SwitchD] interface tunnel 1 mode vxlan
[SwitchD-Tunnel1] source 3.3.3.3
[SwitchD-Tunnel1] destination 4.4.4.4
[SwitchD-Tunnel1] quit
# Create a VXLAN-DCI tunnel to Switch B. The tunnel interface name is Tunnel 2.
[SwitchD] interface tunnel 2 mode vxlan-dci
[SwitchD-Tunnel2] source 3.3.3.3
[SwitchD-Tunnel2] destination 2.2.2.2
[SwitchD-Tunnel2] quit
# Assign Tunnel 1 and Tunnel 2 to VXLAN 10.
[SwitchD] vsi vpna
[SwitchD-vsi-vpna] vxlan 10
[SwitchD-vsi-vpna-vxlan-10] tunnel 1
[SwitchD-vsi-vpna-vxlan-10] tunnel 2
[SwitchD-vsi-vpna-vxlan-10] quit
[SwitchD-vsi-vpna] quit
# Assign Tunnel 2 to VXLAN 20.
[SwitchD] vsi vpnb
[SwitchD-vsi-vpnb] vxlan 20
[SwitchD-vsi-vpnb-vxlan-20] tunnel 2
[SwitchD-vsi-vpnb-vxlan-20] quit
[SwitchD-vsi-vpnb] quit
# Create VSI-interface 1 and assign the interface an IP address. The IP address will be used as
the gateway address for VXLAN 10.
[SwitchD] interface vsi-interface 1
[SwitchD-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
# Specify VSI-interface 1 as a distributed gateway and enable local proxy ARP on the interface.
[SwitchD-Vsi-interface1] distributed-gateway local
[SwitchD-Vsi-interface1] local-proxy-arp enable
[SwitchD-Vsi-interface1] quit
# Create VSI-interface 2 and assign the interface an IP address. The IP address will be used as
the gateway address for VXLAN 20.
[SwitchD] interface vsi-interface 2
[SwitchD-Vsi-interface2] ip address 10.1.2.1 255.255.255.0
# Specify VSI-interface 2 as a distributed gateway and enable local proxy ARP on the interface.
[SwitchD-Vsi-interface2] distributed-gateway local
[SwitchD-Vsi-interface2] local-proxy-arp enable
[SwitchD-Vsi-interface2] quit
# Enable dynamic ARP entry synchronization for distributed VXLAN IP gateways.
[SwitchD] arp distributed-gateway dynamic-entry synchronize
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchD] vsi vpna
[SwitchD-vsi-vpna] gateway vsi-interface 1
[SwitchD-vsi-vpna] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchD] vsi vpnb
[SwitchD-vsi-vpnb] gateway vsi-interface 2
[SwitchD-vsi-vpnb] quit
5. Configure Switch E:
# Enable L2VPN.
<SwitchE> system-view
[SwitchE] l2vpn enable
# Create VSI vpna and VXLAN 10.
[SwitchE] vsi vpna
[SwitchE-vsi-vpna] vxlan 10
[SwitchE-vsi-vpna-vxlan-10] quit
[SwitchE-vsi-vpna] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of
the VXLAN tunnel to Switch D.
[SwitchE] interface loopback 0
[SwitchE-Loopback0] ip address 4.4.4.4 255.255.255.255
[SwitchE-Loopback0] quit
# Create a VXLAN tunnel to Switch D. The tunnel interface name is Tunnel 1.
[SwitchE] interface tunnel 1 mode vxlan
[SwitchE-Tunnel1] source 4.4.4.4
[SwitchE-Tunnel1] destination 3.3.3.3
[SwitchE-Tunnel1] quit
# Assign Tunnel 1 to VXLAN 10.
[SwitchE] vsi vpna
[SwitchE-vsi-vpna] vxlan 10
[SwitchE-vsi-vpna-vxlan-10] tunnel 1
[SwitchE-vsi-vpna-vxlan-10] quit
[SwitchE-vsi-vpna] quit
# On Twenty-FiveGigE 1/0/1, create Ethernet service instance 1000 to match VLAN 100.
[SwitchE] interface twenty-fivegige 1/0/1
[SwitchE-Twenty-FiveGigE1/0/1] service-instance 1000
[SwitchE-Twenty-FiveGigE1/0/1-srv1000] encapsulation s-vid 100
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchE-Twenty-FiveGigE1/0/1-srv1000] xconnect vsi vpna
[SwitchE-Twenty-FiveGigE1/0/1-srv1000] quit
[SwitchE-Twenty-FiveGigE1/0/1] quit
Verifying the configuration
1. Verify the VXLAN-DCI settings on the EDs. This example uses Switch B.
# Verify that the VXLAN and VXLAN-DCI tunnel interfaces are up on Switch B.
[SwitchB] display interface tunnel
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 2.2.2.2, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
Tunnel2
Current state: UP
Line protocol state: UP
Description: Tunnel2 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 2.2.2.2, destination 3.3.3.3
Tunnel protocol/transport UDP_VXLAN_DCI/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that VSI-interface 1 and VSI-interface 2 are up.
[SwitchB] display interface vsi-interface
Vsi-interface1
Current state: UP
Line protocol state: UP
Description: Vsi-interface1 Interface
Bandwidth: 1000000 kbps
Maximum transmission unit: 1444
Internet address: 10.1.1.1/24 (primary)
IP packet frame type:PKTFMT_ETHNT_2, hardware address: 0011-2200-0102
IPv6 packet frame type:PKTFMT_ETHNT_2, hardware address: 0011-2200-0102
Physical: Unknown, baudrate: 1000000 kbps
Last clearing of counters: Never
Input (total): 0 packets, 0 bytes
Output (total): 0 packets, 0 bytes
Vsi-interface2
Current state: UP
Line protocol state: UP
Description: Vsi-interface2 Interface
Bandwidth: 1000000 kbps
Maximum transmission unit: 1444
Internet address: 10.1.2.1/24 (primary)
IP packet frame type:PKTFMT_ETHNT_2, hardware address: 0011-3300-0102
IPv6 packet frame type:PKTFMT_ETHNT_2, hardware address: 0011-3300-0102
Physical: Unknown, baudrate: 1000000 kbps
Last clearing of counters: Never
Input (total): 0 packets, 0 bytes
Output (total): 0 packets, 0 bytes
# Verify that the VXLAN and VXLAN-DCI tunnels have been assigned to VXLAN 10 and VXLAN
20, and the VSI interfaces are the gateway interfaces for their respective VSIs.
[SwitchB] display l2vpn vsi verbose
VSI Name: vpna
  VSI Index               : 0
  VSI State               : Up
  MTU                     : 1500
  Bandwidth               : Unlimited
  Broadcast Restrain      : Unlimited
  Multicast Restrain      : Unlimited
  Unknown Unicast Restrain: Unlimited
  MAC Learning            : Enabled
  MAC Table Limit         : -
  MAC Learning rate       : -
  Drop Unknown            : -
  Flooding                : Enabled
  Statistics              : Disabled
  Gateway interface       : VSI-interface 1
  VXLAN ID                : 10
  Tunnels:
    Tunnel Name          Link ID    State    Type        Flood proxy
    Tunnel1              0x5000001  Up       Manual      Disabled
    Tunnel2              0x5000002  Up       Manual      Disabled
VSI Name: vpnb
  VSI Index               : 0
  VSI State               : Up
  MTU                     : 1500
  Bandwidth               : Unlimited
  Broadcast Restrain      : Unlimited
  Multicast Restrain      : Unlimited
  Unknown Unicast Restrain: Unlimited
  MAC Learning            : Enabled
  MAC Table Limit         : -
  MAC Learning rate       : -
  Drop Unknown            : -
  Flooding                : Enabled
  Statistics              : Disabled
  Gateway interface       : VSI-interface 2
  VXLAN ID                : 20
  Tunnels:
    Tunnel Name          Link ID    State    Type        Flood proxy
    Tunnel1              0x5000001  Up       Manual      Disabled
    Tunnel2              0x5000002  Up       Manual      Disabled
# Verify that Switch B has created ARP entries for the VMs.
[SwitchB] display arp
Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid
IP address      MAC address    VLAN/VSI  Interface/Link ID        Aging Type
11.1.1.4        000c-29c1-5e46 11        Vlan11                   19    D
10.1.1.11       0cda-41b5-cf09 0         Tunnel1                  20    D
10.1.1.12       0011-4400-0102 0         Tunnel2                  20    D
10.1.2.11       0cda-41b5-cf89 1         Tunnel1                  20    D
2. Verify that VM 1, VM 2, and VM 3 can ping each other. (Details not shown.)
Configuring the VTEP as an OVSDB VTEP
About OVSDB VTEP
An HPE network virtualization controller can use the Open vSwitch Database (OVSDB)
management protocol to deploy and manage VXLANs on VTEPs. To work with a controller, you must
configure the VTEP as an OVSDB VTEP.
Working mechanisms
As shown in Figure 25, an OVSDB VTEP stores all of its VXLAN settings in the form of entries in an
OVSDB database. The OVSDB database, OVSDB VTEP service, and the controller interact through
the OVSDB server. The controller communicates with the OVSDB server through the OVSDB
protocol to manage the OVSDB database. The OVSDB VTEP service reads and writes data in the
OVSDB database through the OVSDB server.
The OVSDB VTEP service performs the following operations to manage the VXLAN settings on the
VTEP:
• Converts data in the OVSDB database into VXLAN configuration and deploys the configuration
  to the VTEP. For example, create or remove a VXLAN or VXLAN tunnel.
• Adds site-facing interface information and the global source address of VXLAN tunnels to the
  OVSDB database. The information is reported to the controller by the OVSDB server.
Figure 25 OVSDB network model
Protocols and standards
RFC 7047, The Open vSwitch Database Management Protocol
Restrictions and guidelines: OVSDB VTEP configuration
You can configure a VTEP both at the CLI and through a controller. As a best practice, do not
manually remove the VXLAN configuration issued by the controller.
OVSDB VTEP tasks at a glance
To configure OVSDB VTEPs, perform the following tasks:
1. Setting up an OVSDB connection to a controller
   ◦ Configuring active SSL connection settings
   ◦ Configuring passive SSL connection settings
   ◦ Configuring active TCP connection settings
   ◦ Configuring passive TCP connection settings
2. Enabling the OVSDB server
3. Enabling the OVSDB VTEP service
4. Specifying a global source address for VXLAN tunnels
5. Specifying a VTEP access port
6. Enabling flood proxy on multicast VXLAN tunnels
   If you use a flood proxy server, you must enable flood proxy globally on multicast tunnels.
Prerequisites for OVSDB VTEP configuration
Before you configure the VTEP as an OVSDB VTEP, enable L2VPN by using the l2vpn enable
command.
Before you set up SSL connections to controllers, you must configure SSL as described in Security
Configuration Guide.
Setting up an OVSDB connection to a controller
About OVSDB connection types
The OVSDB server supports the following types of OVSDB connections:
• Active SSL connection—The OVSDB server initiates an SSL connection to the controller.
• Passive SSL connection—The OVSDB server accepts the SSL connection from the controller.
• Active TCP connection—The OVSDB server initiates a TCP connection to the controller.
• Passive TCP connection—The OVSDB server accepts the TCP connection from the controller.
Restrictions and guidelines for OVSDB controller connection setup
When you set up OVSDB connections, follow these restrictions and guidelines:
• You can set up multiple OVSDB connections. For the device to establish the connections, you
  must enable the OVSDB server. You must disable and then re-enable the OVSDB server if it
  has been enabled.
• You must specify the same PKI domain and CA certificate file for all active and passive SSL
  connections.
Prerequisites for OVSDB controller connection setup
Make sure you have configured a PKI domain before specifying it for SSL. For more information
about configuring a PKI domain, see Security Configuration Guide.
Configuring active SSL connection settings
1. Enter system view.
   system-view
2. Specify a PKI domain for SSL.
   ovsdb server pki domain domain-name
   By default, no PKI domain is specified for SSL.
3. (Optional.) Specify a CA certificate file for SSL.
   ovsdb server bootstrap ca-certificate ca-filename
   By default, SSL uses the CA certificate file in the PKI domain.
   If the specified CA certificate file does not exist, the device obtains a self-signed certificate from
   the controller. The obtained file uses the name specified for the ca-filename argument.
4. Set up an active SSL connection.
   ovsdb server ssl ip ip-address port port-number
   By default, the device does not have active OVSDB SSL connections.
   You can set up a maximum of eight OVSDB SSL connections.
Configuring passive SSL connection settings
1. Enter system view.
   system-view
2. Specify a PKI domain for SSL.
   ovsdb server pki domain domain-name
   By default, no PKI domain is specified for SSL.
3. (Optional.) Specify a CA certificate file for SSL.
   ovsdb server bootstrap ca-certificate ca-filename
   By default, SSL uses the CA certificate file in the PKI domain.
   If the specified CA certificate file does not exist, the device obtains a self-signed certificate from
   the controller. The obtained file uses the name specified for the ca-filename argument.
4. Enable the device to listen for SSL connection requests.
   ovsdb server pssl [ port port-number ]
   By default, the device does not listen for SSL connection requests.
   You can specify only one port to listen for OVSDB SSL connection requests.
Configuring active TCP connection settings
1. Enter system view.
   system-view
2. Set up an active TCP connection.
   ovsdb server tcp ip ip-address port port-number
   By default, the device does not have active OVSDB TCP connections.
   You can set up a maximum of eight active OVSDB TCP connections.
Configuring passive TCP connection settings
1. Enter system view.
   system-view
2. Enable the device to listen for TCP connection requests.
   ovsdb server ptcp [ port port-number ]
   By default, the device does not listen for TCP connection requests.
   You can specify only one port to listen for OVSDB TCP connection requests.
Enabling the OVSDB server
Prerequisites
Make sure you have completed OVSDB connection setup before you enable the OVSDB server. If
you change OVSDB connection settings after the OVSDB server is enabled, you must disable and
then re-enable the OVSDB server for the change to take effect.
Procedure
1. Enter system view.
   system-view
2. Enable the OVSDB server.
   ovsdb server enable
   By default, the OVSDB server is disabled.
Enabling the OVSDB VTEP service
1. Enter system view.
   system-view
2. Enable the OVSDB VTEP service.
   vtep enable
   By default, the OVSDB VTEP service is disabled.
Specifying a global source address for VXLAN tunnels
About the global VXLAN tunnel source address
The VTEP reports the global VXLAN tunnel source address to the controller for VXLAN tunnel setup.
Restrictions and guidelines
For correct VXLAN deployment and VTEP management, do not manually specify tunnel-specific
source addresses for VXLAN tunnels if OVSDB is used.
Procedure
1. Enter system view.
   system-view
2. Specify a global source address for VXLAN tunnels.
   tunnel global source-address ip-address
   By default, no global source address is specified for VXLAN tunnels.
Specifying a VTEP access port
About specifying a VTEP access port
For the controller to manage a site-facing interface, you must specify the interface as a VTEP access
port.
Procedure
1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Specify the interface as a VTEP access port.
   vtep access port
   By default, an interface is not a VTEP access port.
Enabling flood proxy on multicast VXLAN tunnels
About flood proxy on multicast VXLAN tunnels
If you use a flood proxy server, you must enable flood proxy globally on multicast tunnels. Then the
multicast tunnels are converted into flood proxy tunnels. The VTEP sends broadcast, multicast, and
unknown unicast traffic for a VXLAN to the flood proxy server through the tunnels. The flood proxy
server then replicates and forwards flood traffic to remote VTEPs.
Restrictions and guidelines
Flood proxy is supported on multicast VXLAN tunnels only when the OVSDB controller is a NSX
controller from VMware.
Procedure
1. Enter system view.
   system-view
2. Enable flood proxy on multicast VXLAN tunnels.
   vxlan tunnel flooding-proxy
   By default, flood proxy is disabled on multicast VXLAN tunnels.
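A configuration check for the OVSDB VTEP rules stated in this chapter, as an added example that is not part of the HPE guide: it flags controller connections that use TCP instead of SSL, SSL connections without a PKI domain, reliance on the bootstrap CA file, and violations of the ordering, limit, and prerequisite rules. The function names, finding codes, the PKI domain name ovsdb-pki, the file name ca.pem, and the undo ovsdb server enable form are assumptions; the Switch A session lines are those of the guide's unicast-mode example.

```python
import re

PROMPT = re.compile(r"^\s*(?:\[[^\]]+\]|<[^>]+>)\s*")  # "[SwitchA-Tunnel1]" or "<SwitchA>"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
CONN = re.compile(
    rf"ovsdb server (?:(ssl|tcp) ip {IPV4} port \d+|(pssl|ptcp)(?: port \d+)?)$")
MAX_ACTIVE = 8  # guide: at most eight active SSL and eight active TCP connections


def lint_ovsdb(config_text):
    """Return (code, detail) findings for one VTEP's configuration or CLI session."""
    conns = {"ssl": set(), "tcp": set(), "pssl": set(), "ptcp": set()}
    flags, findings = set(), []
    server_on = in_tunnel = False
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw).strip().lower()
        if line in ("#", "quit"):              # leaving the current view
            in_tunnel = False
        if not line or line.startswith("#"):   # blank, separator, or comment line
            continue
        if line.startswith("interface "):
            in_tunnel = re.match(r"interface tunnel\s*\d+", line) is not None
        elif in_tunnel and line.startswith("source "):
            flags.add("tunnel-source")
        elif line in ("l2vpn enable", "vtep enable"):
            flags.add(line.split()[0])
        elif line.startswith("tunnel global source-address "):
            flags.add("global-source")
        elif line == "undo ovsdb server enable":   # assumed undo form, not shown in the guide
            server_on = False
        elif line.startswith("ovsdb server "):
            match = CONN.match(line)
            if match:
                conns[match.group(1) or match.group(2)].add(line)
                if server_on:   # takes effect only after disable and re-enable
                    findings.append(("CHANGE_AFTER_ENABLE", line))
            elif line == "ovsdb server enable":
                server_on = True
            elif line.startswith("ovsdb server pki domain "):
                flags.add("pki")
            elif line.startswith("ovsdb server bootstrap ca-certificate "):
                flags.add("bootstrap")
            else:
                findings.append(("UNRECOGNIZED_OVSDB_COMMAND", line))
    vtep = "vtep" in flags
    rules = [
        (conns["tcp"] or conns["ptcp"], "PLAINTEXT_TCP", "controller channel is not SSL"),
        ((conns["ssl"] or conns["pssl"]) and "pki" not in flags,
         "SSL_WITHOUT_PKI_DOMAIN", "no 'ovsdb server pki domain' line"),
        ("bootstrap" in flags, "BOOTSTRAP_CA_FILE", "confirm the CA file is pre-provisioned"),
        (max(len(conns["ssl"]), len(conns["tcp"])) > MAX_ACTIVE, "TOO_MANY_ACTIVE", "limit is 8"),
        (max(len(conns["pssl"]), len(conns["ptcp"])) > 1, "MULTIPLE_LISTEN_PORTS", "limit is 1"),
        (any(conns.values()) and not server_on, "SERVER_NOT_ENABLED", "OVSDB server is off"),
        (vtep and "l2vpn" not in flags, "L2VPN_NOT_ENABLED", "'l2vpn enable' is required"),
        (vtep and "global-source" not in flags, "NO_GLOBAL_SOURCE", "nothing to report"),
        (vtep and "tunnel-source" in flags, "PER_TUNNEL_SOURCE", "conflicts with OVSDB"),
    ]
    return findings + [(code, detail) for cond, code, detail in rules if cond]


def codes(config_text):
    return sorted({code for code, _ in lint_ovsdb(config_text)})


# Switch A from the guide's unicast-mode example (CLI session form).
SWITCH_A_UNICAST = """\
<SwitchA> system-view
[SwitchA] l2vpn enable
[SwitchA] ovsdb server tcp ip 10.0.2.15 port 6632
[SwitchA] ovsdb server enable
[SwitchA] vtep enable
[SwitchA] interface loopback 0
[SwitchA-LoopBack0] ip address 1.1.1.1 255.255.255.255
[SwitchA-LoopBack0] quit
[SwitchA] tunnel global source-address 1.1.1.1
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] vtep access port
[SwitchA-Twenty-FiveGigE1/0/1] quit
"""

# Constructed: the same device using an active SSL connection (domain name is a placeholder).
SWITCH_A_SSL = SWITCH_A_UNICAST.replace(
    "[SwitchA] ovsdb server tcp ip 10.0.2.15 port 6632",
    "[SwitchA] ovsdb server pki domain ovsdb-pki\n"
    "[SwitchA] ovsdb server ssl ip 10.0.2.15 port 6632")

# Constructed: several rule violations, in configuration-file form.
MISCONFIGURED = """\
ovsdb server enable
ovsdb server ssl ip 10.0.2.15 port 6632
ovsdb server bootstrap ca-certificate ca.pem
ovsdb server tcp 10.0.2.15 port 6632
vtep enable
interface tunnel 1 mode vxlan
 source 1.1.1.1
 destination 2.2.2.2
"""
```

Call codes() on a saved configuration or pasted session for a summary, or lint_ovsdb() for the offending lines.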
OVSDB VTEP configuration examples
Example: Configuring a unicast-mode VXLAN
Network configuration
As shown in Figure 26, configure the controller cluster to deploy unicast-mode VXLAN 10 to Switch A,
Switch B, and Switch C to provide Layer 2 connectivity for the VMs across the network sites.
Figure 26 Network diagram
Procedure
1. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 26. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D). (Details not shown.)
2. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Configure active TCP connection settings.
[SwitchA] ovsdb server tcp ip 10.0.2.15 port 6632
# Enable the OVSDB server.
[SwitchA] ovsdb server enable
# Enable the OVSDB VTEP service.
[SwitchA] vtep enable
# Assign an IP address to Loopback 0. Specify the IP address as the global source address for
VXLAN tunnels.
[SwitchA] interface loopback 0
[SwitchA-LoopBack0] ip address 1.1.1.1 255.255.255.255
[SwitchA-LoopBack0] quit
[SwitchA] tunnel global source-address 1.1.1.1
# Specify site-facing interface Twenty-FiveGigE 1/0/1 as a VTEP access port.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] vtep access port
[SwitchA-Twenty-FiveGigE1/0/1] quit
3. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Configure active TCP connection settings.
[SwitchB] ovsdb server tcp ip 10.0.2.15 port 6632
# Enable the OVSDB server.
[SwitchB] ovsdb server enable
# Enable the OVSDB VTEP service.
[SwitchB] vtep enable
# Assign an IP address to Loopback 0. Specify the IP address as the global source address for
VXLAN tunnels.
[SwitchB] interface loopback 0
[SwitchB-LoopBack0] ip address 2.2.2.2 255.255.255.255
[SwitchB-LoopBack0] quit
[SwitchB] tunnel global source-address 2.2.2.2
# Specify site-facing interface Twenty-FiveGigE 1/0/1 as a VTEP access port.
[SwitchB] interface twenty-fivegige 1/0/1
[SwitchB-Twenty-FiveGigE1/0/1] vtep access port
[SwitchB-Twenty-FiveGigE1/0/1] quit
4. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Configure active TCP connection settings.
[SwitchC] ovsdb server tcp ip 10.0.2.15 port 6632
# Enable the OVSDB server.
[SwitchC] ovsdb server enable
# Enable the OVSDB VTEP service.
[SwitchC] vtep enable
# Assign an IP address to Loopback 0. Specify the IP address as the global source address for
VXLAN tunnels.
[SwitchC] interface loopback 0
[SwitchC-LoopBack0] ip address 3.3.3.3 255.255.255.255
[SwitchC-LoopBack0] quit
[SwitchC] tunnel global source-address 3.3.3.3
# Specify site-facing interface Twenty-FiveGigE 1/0/1 as a VTEP access port.
[SwitchC] interface twenty-fivegige 1/0/1
[SwitchC-Twenty-FiveGigE1/0/1] vtep access port
[SwitchC-Twenty-FiveGigE1/0/1] quit
5. Configure VXLAN settings on the controller. (Details not shown.)
Verifying the configuration
1. Verify the VXLAN settings on the VTEPs. This example uses Switch A.
# Verify that the VXLAN tunnel interfaces on the VTEP are up.
[SwitchA] display interface tunnel 1
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 1.1.1.1, destination 2.2.2.2
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the VXLAN tunnels have been assigned to the VXLAN.
[SwitchA] display l2vpn vsi verbose
VSI Name: evpn2014
  VSI Index               : 0
  VSI State               : Up
  MTU                     : 1500
  Bandwidth               : Unlimited
  Broadcast Restrain      : Unlimited
  Multicast Restrain      : Unlimited
  Unknown Unicast Restrain: Unlimited
  MAC Learning            : Enabled
  MAC Table Limit         : -
  MAC Learning rate       : -
  Drop Unknown            : -
  Flooding                : Enabled
  Statistics              : Disabled
  VXLAN ID                : 10
  Tunnels:
    Tunnel Name          Link ID    State    Type        Flood proxy
    Tunnel1              0x5000001  Up       Manual      Disabled
    Tunnel2              0x5000002  Up       Manual      Disabled
  ACs:
    AC                   Link ID    State    Type
    WGE1/0/1 srv2        0          Up       Manual
# Verify that the VTEP has learned the MAC addresses of remote VMs.
<SwitchA> display l2vpn mac-address
MAC Address      State    VSI Name        Link ID/Name  Aging
cc3e-5f9c-6cdb   Dynamic  evpn2014        Tunnel1       Aging
cc3e-5f9c-23dc   Dynamic  evpn2014        Tunnel2       Aging
--- 2 mac address(es) found  ---
2. Verify that VM 1, VM 2, and VM 3 can ping each other. (Details not shown.)
Example: Configuring flood proxy for a VXLAN
Network configuration
As shown in Figure 27:
• Configure the controller cluster to deploy VXLAN 10 to Switch A, Switch B, and Switch C to
  provide Layer 2 connectivity for the VMs across the network sites.
• Enable flood proxy for VXLAN 10.
• Use the MAC address entries issued by the controller to direct traffic forwarding on Switch A,
  Switch B, and Switch C.
Figure 27 Network diagram
Procedure
1. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 27. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D). (Details not shown.)
2. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Configure active TCP connection settings.
[SwitchA] ovsdb server tcp ip 10.0.2.15 port 6632
# Enable the OVSDB server.
[SwitchA] ovsdb server enable
# Enable the OVSDB VTEP service.
[SwitchA] vtep enable
# Assign an IP address to Loopback 0.
[SwitchA] interface loopback 0
[SwitchA-LoopBack0] ip address 1.1.1.1 255.255.255.255
[SwitchA-LoopBack0] quit
# Specify the IP address of Loopback 0 as the global source address for VXLAN tunnels.
[SwitchA] tunnel global source-address 1.1.1.1
# Specify site-facing interface Twenty-FiveGigE 1/0/1 as a VTEP access port.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] vtep access port
[SwitchA-Twenty-FiveGigE1/0/1] quit
# Disable source MAC check on transport-facing interface Twenty-FiveGigE 1/0/2.
[SwitchA] interface twenty-fivegige 1/0/2
[SwitchA-Twenty-FiveGigE1/0/2] undo mac-address static source-check enable
[SwitchA-Twenty-FiveGigE1/0/2] quit
# Disable remote-MAC address learning.
[SwitchA] vxlan tunnel mac-learning disable
# Enable flood proxy on multicast VXLAN tunnels.
[SwitchA] vxlan tunnel flooding-proxy
3. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Configure active TCP connection settings.
[SwitchB] ovsdb server tcp ip 10.0.2.15 port 6632
# Enable the OVSDB server.
[SwitchB] ovsdb server enable
# Enable the OVSDB VTEP service.
[SwitchB] vtep enable
# Assign an IP address to Loopback 0.
[SwitchB] interface loopback 0
[SwitchB-LoopBack0] ip address 2.2.2.2 255.255.255.255
[SwitchB-LoopBack0] quit
# Specify the IP address of Loopback 0 as the global source address for VXLAN tunnels.
[SwitchB] tunnel global source-address 2.2.2.2
# Specify site-facing interface Twenty-FiveGigE 1/0/1 as a VTEP access port.
[SwitchB] interface twenty-fivegige 1/0/1
[SwitchB-Twenty-FiveGigE1/0/1] vtep access port
[SwitchB-Twenty-FiveGigE1/0/1] quit
# Disable source MAC check on transport-facing interface Twenty-FiveGigE 1/0/2.
[SwitchB] interface twenty-fivegige 1/0/2
[SwitchB-Twenty-FiveGigE1/0/2] undo mac-address static source-check enable
[SwitchB-Twenty-FiveGigE1/0/2] quit
# Disable remote-MAC address learning.
[SwitchB] vxlan tunnel mac-learning disable
# Enable flood proxy on multicast VXLAN tunnels.
[SwitchB] vxlan tunnel flooding-proxy
4. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Configure active TCP connection settings.
[SwitchC] ovsdb server tcp ip 10.0.2.15 port 6632
# Enable the OVSDB server.
[SwitchC] ovsdb server enable
# Enable the OVSDB VTEP service.
[SwitchC] vtep enable
# Assign an IP address to Loopback 0.
[SwitchC] interface loopback 0
[SwitchC-LoopBack0] ip address 3.3.3.3 255.255.255.255
[SwitchC-LoopBack0] quit
# Specify the IP address of Loopback 0 as the global source address for VXLAN tunnels.
[SwitchC] tunnel global source-address 3.3.3.3
# Specify site-facing interface Twenty-FiveGigE 1/0/1 as a VTEP access port.
[SwitchC] interface twenty-fivegige 1/0/1
[SwitchC-Twenty-FiveGigE1/0/1] vtep access port
[SwitchC-Twenty-FiveGigE1/0/1] quit
# Disable source MAC check on transport-facing interface Twenty-FiveGigE 1/0/2.
[SwitchC] interface twenty-fivegige 1/0/2
[SwitchC-Twenty-FiveGigE1/0/2] undo mac-address static source-check enable
[SwitchC-Twenty-FiveGigE1/0/2] quit
# Disable remote-MAC address learning.
[SwitchC] vxlan tunnel mac-learning disable
# Enable flood proxy on multicast VXLAN tunnels.
[SwitchC] vxlan tunnel flooding-proxy
5. Configure VXLAN settings on the controller, and configure the flood proxy server. (Details not shown.)
Verifying the configuration
1. Verify the VXLAN settings on the VTEPs. This example uses Switch A.
# Verify that the VXLAN tunnel interfaces on the VTEP are up.
[SwitchA] display interface tunnel
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum Transmission Unit: 1464
Internet protocol processing: disabled
Last clearing of counters: Never
Tunnel source 1.1.1.1, destination 2.2.2.2
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the VXLAN tunnels have been assigned to the VXLAN, and flood proxy has been
enabled on the multicast VXLAN tunnel.
[SwitchA] display l2vpn vsi verbose
VSI Name: evpn2014
  VSI Index               : 0
  VSI State               : Up
  MTU                     : 1500
  Bandwidth               : Unlimited
  Broadcast Restrain      : Unlimited
  Multicast Restrain      : Unlimited
  Unknown Unicast Restrain: Unlimited
  MAC Learning            : Enabled
  MAC Table Limit         : -
  MAC Learning rate       : -
  Drop Unknown            : -
  Flooding                : Enabled
  Statistics              : Disabled
  VXLAN ID                : 10
  Tunnels:
    Tunnel Name          Link ID    State    Type        Flood proxy
    Tunnel1              0x5000001  Up       Manual      Disabled
    Tunnel2              0x5000002  Up       Manual      Disabled
    Tunnel3              0x5000003  Up       Manual      Enabled
  ACs:
    AC                   Link ID    State    Type
    WGE1/0/1 srv2        0          Up       Manual
# Verify that the VTEP has obtained the MAC addresses of remote VMs from the controller.
<SwitchA> display l2vpn mac-address
MAC Address      State    VSI Name        Link ID/Name  Aging
cc3e-5f9c-6cdb   OVSDB    evpn2014        Tunnel1       NotAging
cc3e-5f9c-23dc   OVSDB    evpn2014        Tunnel2       NotAging
--- 2 mac address(es) found  ---
2. Verify that VM 1, VM 2, and VM 3 can ping each other. (Details not shown.)
Document conventions and icons
Conventions
This section describes the conventions used in the documentation.
Command conventions
Convention         Description
Boldface           Bold text represents commands and keywords that you enter literally as shown.
Italic             Italic text represents arguments that you replace with actual values.
[]                 Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }    Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]    Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *  Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *  Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>             The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#                  A line that starts with a pound (#) sign is comments.
GUI conventions
Convention         Description
Boldface           Window names, button names, field names, and menu items are in Boldface. For example, the New User window opens; click OK.
>                  Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention         Description
WARNING!           An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION:           An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT:         An alert that calls attention to essential information.
NOTE:              An alert that contains additional or supplementary information.
TIP:               An alert that provides helpful information.
Network topology icons
Convention         Description
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the access controller engine on a unified wired-WLAN switch.
Represents an access point.
Represents a wireless terminator unit.
Represents a wireless terminator.
Represents a mesh access point.
Represents omnidirectional signals.
Represents directional signals.
Represents a security product, such as a firewall, UTM, multiservice security gateway, or load balancing device.
Represents a security module, such as a firewall, load balancing, NetStream, SSL VPN, IPS, or ACG module.
Examples provided in this document
Examples in this document might use devices that differ from your device in hardware model,
configuration, or software version. It is normal that the port numbers, sample output, screenshots,
and other information in the examples differ from what you have on your device.
Support and other resources
Accessing Hewlett Packard Enterprise Support
• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website:
  www.hpe.com/assistance
• To access documentation and support services, go to the Hewlett Packard Enterprise Support
  Center website:
  www.hpe.com/support/hpesc
Information to collect
• Technical support registration number (if applicable)
• Product name, model or version, and serial number
• Operating system name and version
• Firmware version
• Error messages
• Product-specific reports and logs
• Add-on products or components
• Third-party products or components
Accessing updates
• Some software products provide a mechanism for accessing software updates through the
  product interface. Review your product documentation to identify the recommended software
  update method.
• To download product updates, go to either of the following:
  ◦ Hewlett Packard Enterprise Support Center Get connected with updates page:
    www.hpe.com/support/e-updates
  ◦ Software Depot website:
    www.hpe.com/support/softwaredepot
• To view and update your entitlements, and to link your contracts, Care Packs, and warranties
  with your profile, go to the Hewlett Packard Enterprise Support Center More Information on
  Access to Support Materials page:
  www.hpe.com/support/AccessToSupportMaterials
IMPORTANT:
Access to some updates might require product entitlement when accessed through the Hewlett
Packard Enterprise Support Center. You must have an HP Passport set up with relevant
entitlements.
Websites
Website                                                         Link
Networking websites
Hewlett Packard Enterprise Information Library for Networking   www.hpe.com/networking/resourcefinder
Hewlett Packard Enterprise Networking website                   www.hpe.com/info/networking
Hewlett Packard Enterprise My Networking website                www.hpe.com/networking/support
Hewlett Packard Enterprise My Networking Portal                 www.hpe.com/networking/mynetworking
Hewlett Packard Enterprise Networking Warranty                  www.hpe.com/networking/warranty
General websites
Hewlett Packard Enterprise Information Library                  www.hpe.com/info/enterprise/docs
Hewlett Packard Enterprise Support Center                       www.hpe.com/support/hpesc
Hewlett Packard Enterprise Support Services Central             ssc.hpe.com/portal/site/ssc/
Contact Hewlett Packard Enterprise Worldwide                    www.hpe.com/assistance
Subscription Service/Support Alerts                             www.hpe.com/support/e-updates
Software Depot                                                  www.hpe.com/support/softwaredepot
Customer Self Repair (not applicable to all devices)            www.hpe.com/support/selfrepair
Insight Remote Support (not applicable to all devices)          www.hpe.com/info/insightremotesupport/docs
Customer self repair
Hewlett Packard Enterprise customer self repair (CSR) programs allow you to repair your product. If
a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your
convenience. Some parts do not qualify for CSR. Your Hewlett Packard Enterprise authorized
service provider will determine whether a repair can be accomplished by CSR.
For more information about CSR, contact your local service provider or go to the CSR website:
www.hpe.com/support/selfrepair
Remote support
Remote support is available with supported devices as part of your warranty, Care Pack Service, or
contractual support agreement. It provides intelligent event diagnosis, and automatic, secure
submission of hardware event notifications to Hewlett Packard Enterprise, which will initiate a fast
and accurate resolution based on your product’s service level. Hewlett Packard Enterprise strongly
recommends that you register your device for remote support.
For more information and device support details, go to the following website:
www.hpe.com/info/insightremotesupport/docs
Documentation feedback
Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help
us improve the documentation, send any errors, suggestions, or comments to Documentation
Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,
part number, edition, and publication date located on the front cover of the document. For online help
content, include the product name, product version, help edition, and publication date located on the
legal notices page.
116
Index
A
AC
Layer 2 forwarding mode, 19
MAC learning mode, 19
access port
VXLAN VTEP access port, 104
active
VXLAN OVSDB SSL connection, 102
VXLAN OVSDB TCP connection, 102
address
MAC learning priority of Ethernet service
instance, 19
VXLAN MAC address entry management, 17
ARP
ARP entry management, 53
static ARP entry, 53
VXLAN ARP flood suppression, 9, 26
VXLAN local flood confine, 25
assigning
VXLAN customer frame > VSI, 15
VXLAN traffic assignment, 3
VXLAN tunnel assignment, 3
VXLAN tunnel manual assignment, 14
VXLAN-DCI tunnel, 88
C
changing
VXLAN local MAC logging, 18
checking
VXLAN packet check, 24
configuring
basic VXLAN-DCI, 92
MAC learning priority of Ethernet service
instance, 19
static ARP entry, 53
VLAN-based VXLAN assignment, 17
VXLAN (multicast mode), 22, 34
VXLAN (unicast mode), 29
VXLAN basics, 11, 29
VXLAN IP gateway, 41, 56
VXLAN IP gateway (centralized), 48, 56
VXLAN IP gateway (distributed), 51
VXLAN IP gateway group (centralized), 61
VXLAN IP gateway VTEP group
(centralized), 49
VXLAN IPv4 gateway (distributed), 64
VXLAN IPv6 gateway (distributed), 74
VXLAN OVSDB SSL connection (active), 102
VXLAN OVSDB SSL connection (passive), 102
VXLAN OVSDB TCP connection (active), 102
VXLAN OVSDB TCP connection (passive), 103
VXLAN OVSDB VTEP, 100, 100, 104
VXLAN OVSDB VTEP (flood proxy), 107
VXLAN OVSDB VTEP (unicast mode), 104
VXLAN packet check, 24
VXLAN packet statistics, 26
VXLAN static MAC address entry, 18
VXLAN tunnel, 13
VXLAN VSI interface, 54
VXLAN VSI interface optional parameter, 54
VXLAN VTEP (IGMP host method), 23
VXLAN VTEP (PIM method), 23
VXLAN-DCI, 84, 87, 92
VXLAN-DCI gateway interface, 89
VXLAN-DCI tunnel, 87
confining
VXLAN local flood, 25
connecting
VXLAN OVSDB controller connection, 101
VXLAN OVSDB SSL connection (active), 102
VXLAN OVSDB SSL connection (passive), 102
VXLAN OVSDB TCP connection (active), 102
VXLAN OVSDB TCP connection (passive), 103
creating
VXLAN on VSI, 12
D
disabling
VXLAN remote ARP learning, 53
VXLAN remote ND learning, 53
VXLAN remote-MAC address learning, 18
displaying
VXLAN, 28
VXLAN IP gateway, 55
VXLAN-DCI, 91
E
enabling
multicast VXLAN tunnel flood proxy, 104
VXLAN ARP flood suppression, 26
VXLAN local MAC logging, 18
VXLAN over VXLAN, 22
VXLAN OVSDB service, 103
VXLAN OVSDB VTEP service, 103
VXLAN packet statistics (AC), 27
VXLAN packet statistics (Ethernet service
instance), 27
VXLAN packet statistics (VSI), 26
VXLAN packet statistics (VXLAN tunnel), 27
VXLAN packet statistics (VXLAN-DCI
tunnel), 91
VXLAN VSI interface packet statistics, 55
establishing
VXLAN tunnel, 3
Ethernet
VLAN-based VXLAN assignment, 17
VXLAN network model, 1
VXLAN overview, 1
VXLAN packet statistics (Ethernet service
instance), 27
VXLAN static Ethernet service instance > VSI
mapping, 15
VXLAN VSI access mode, 8
F
flooding
multicast VXLAN tunnel flood proxy, 104
VXLAN ARP flood suppression, 9, 26
VXLAN local flood confine, 25
VXLAN OVSDB VTEP configuration (flood
proxy), 107
VXLAN traffic forwarding flood process, 6
format
VXLAN packet format, 2
forwarding
Layer 2 forwarding mode, 19
VXLAN tunnel manual assignment, 14
VXLAN-DCI Layer 2 forwarding mode, 89
VXLAN-DCI tunnel assignment, 88
frame
VXLAN customer frame > VSI assignment, 15
VXLAN local flood confine, 25, 25
G
gateway
static ARP entry, 53
VXLAN IP gateway, 10
VXLAN IP gateway configuration, 41, 56
VXLAN IP gateway configuration
(centralized), 48, 56
VXLAN IP gateway configuration
(distributed), 51
VXLAN IP gateway group configuration
(centralized), 61
VXLAN IPv4 gateway configuration
(distributed), 64
VXLAN IPv6 gateway configuration
(distributed), 74
VXLAN-DCI gateway interface configuration, 89
global
VXLAN tunnel global source address, 103
I
IGMP
VXLAN multicast mode configuration, 22
VXLAN VTEP configuration (IGMP host
method), 23
IP
basic VXLAN-DCI configuration, 92
VXLAN-DCI configuration, 84, 87, 92
IP addressing
VXLAN data center interconnect (DCI) tunnel
configuration, 87
IP routing
VXLAN ARP flood suppression, 9
VXLAN IP gateway, 10
VXLAN IP gateway (separated from VTEP), 41
VXLAN IP gateway configuration, 41, 56
VXLAN IP gateway configuration
(centralized), 48, 56
VXLAN IP gateway configuration (distributed), 51
VXLAN IP gateway deployment (centralized), 42
VXLAN IP gateway deployment (distributed), 44
VXLAN IP gateway group configuration
(centralized), 61
VXLAN IPv4 gateway configuration
(distributed), 64
VXLAN IPv6 gateway configuration
(distributed), 74
VXLAN VSI interface configuration, 54
VXLAN VSI interface optional parameter
configuration, 54
VXLAN VTEP IP gateway group deployment
(centralized), 43
VXLAN-DCI gateway interface configuration, 89
IPv4
VXLAN IPv4 gateway configuration
(distributed), 64
VXLAN network model, 1
VXLAN overview, 1
IPv6
VXLAN IPv6 gateway configuration
(distributed), 74
L
Layer 2
basic VXLAN-DCI configuration, 92
VXLAN network model, 1
VXLAN overview, 1
VXLAN-DCI configuration, 84, 87, 92
VXLAN-DCI tunnel assignment, 88
Layer 3
ARP entry management, 53
ND entry management, 53
static ARP entry, 53
VXLAN IP gateway (separated from
VTEP), 41
VXLAN IP gateway configuration, 41, 56
VXLAN IP gateway configuration
(centralized), 48, 56
VXLAN IP gateway configuration
(distributed), 51
VXLAN IP gateway deployment
(centralized), 42
VXLAN IP gateway deployment
(distributed), 44
VXLAN IP gateway group configuration
(centralized), 61
VXLAN IPv4 gateway configuration
(distributed), 64
VXLAN IPv6 gateway configuration
(distributed), 74
VXLAN packet statistics (VXLAN tunnel), 27
VXLAN packet statistics (VXLAN-DCI
tunnel), 91
VXLAN VSI interface configuration, 54
VXLAN VSI interface optional parameter
configuration, 54
VXLAN VTEP IP gateway group deployment
(centralized), 43
VXLAN-DCI gateway interface
configuration, 89
learning
MAC learning priority of Ethernet service
instance, 19
VXLAN MAC address learning, 4
VXLAN remote ARP learning, 53
VXLAN remote ND learning, 53
VXLAN remote-MAC address learning, 18
local
VXLAN local MAC logging, 18
VXLAN static MAC address entry, 18
logging
VXLAN local MAC logging, 18
M
MAC
MAC learning mode, 19
MAC learning priority of Ethernet service
instance, 19
VXLAN remote ARP learning, 53
VXLAN remote ND learning, 53
VXLAN-DCI MAC learning mode, 89
MAC addressing
VXLAN local MAC logging, 18
VXLAN MAC address entry management, 17
VXLAN MAC address learning, 4
VXLAN remote-MAC address learning, 18
VXLAN static MAC address entry, 18
MAC-in-UDP
basic VXLAN-DCI configuration, 92
VXLAN ARP flood suppression, 9
VXLAN basic configuration, 11, 29
VXLAN configuration (multicast mode), 34
VXLAN configuration (unicast mode), 29
VXLAN local flood confine, 25
VXLAN network model, 1
VXLAN overview, 1
VXLAN OVSDB VTEP
configuration, 100, 100, 104
VXLAN-DCI configuration, 84, 87, 92
maintaining
VXLAN, 28
VXLAN IP gateway, 55
VXLAN-DCI, 91
managing
VXLAN MAC address entries, 17
VXLAN packet statistics (AC), 27
VXLAN packet statistics (VSI), 26
manual
VXLAN tunnel assignment, 14
VXLAN tunnel configuration, 13
VXLAN-DCI tunnel configuration, 87
mapping
VXLAN static Ethernet service instance > VSI, 15
mode
VXLAN configuration (multicast), 22
VXLAN hardware resource mode, 11
VXLAN OVSDB VTEP configuration (unicast
mode), 104
VXLAN VSI access, 8
model
VXLAN-DCI, 84
multicast
VXLAN configuration (multicast mode), 34
VXLAN mode configuration, 22
VXLAN traffic forwarding flood process, 6
VXLAN tunnel flood proxy, 104
N
ND
ND entry management, 53
network
multicast VXLAN tunnel flood proxy, 104
VLAN-based VXLAN assignment, 17
VXLAN ARP flood suppression, 9, 26
VXLAN basic configuration, 11, 29
VXLAN configuration (multicast mode), 22, 34
VXLAN configuration (unicast mode), 29
VXLAN creation on VSI, 12
VXLAN customer frame > VSI assignment, 15
VXLAN IP gateway, 10
VXLAN IP gateway (separated from
VTEP), 41
VXLAN IP gateway configuration, 56
VXLAN IP gateway configuration
(centralized), 48, 56
VXLAN IP gateway configuration
(distributed), 51
VXLAN IP gateway deployment
(centralized), 42
VXLAN IP gateway deployment
(distributed), 44
VXLAN IP gateway group configuration
(centralized), 61
VXLAN IPv4 gateway configuration
(distributed), 64
VXLAN IPv6 gateway configuration
(distributed), 74
VXLAN local flood confine, 25
VXLAN MAC address entry management, 17
VXLAN model, 1
VXLAN OVSDB server enable, 103
VXLAN OVSDB VTEP
configuration, 100, 100, 104
VXLAN OVSDB VTEP configuration (flood
proxy), 107
VXLAN OVSDB VTEP configuration (unicast
mode), 104
VXLAN packet statistics, 26
VXLAN remote VM reachability test, 28
VXLAN static Ethernet service instance > VSI
mapping, 15
VXLAN tunnel configuration, 13
VXLAN tunnel global source address, 103
VXLAN tunnel manual assignment, 14
VXLAN VSI interface configuration, 54
VXLAN VSI interface optional parameter
configuration, 54
VXLAN VSI interface packet statistics, 55
VXLAN VTEP configuration (IGMP host
method), 23
VXLAN VTEP configuration (PIM method), 23
VXLAN VTEP IP gateway group deployment
(centralized), 43
VXLAN-DCI gateway interface configuration, 89
VXLAN-DCI model, 84
VXLAN-DCI tunnel assignment, 88
VXLAN-DCI tunnel configuration, 87
network management
basic VXLAN-DCI configuration, 92
VXLAN IP gateway configuration, 41
VXLAN overview, 1
VXLAN OVSDB VTEP
configuration, 100, 100, 104
VXLAN-DCI configuration, 84, 87, 92
NMM
VXLAN basic configuration, 11, 29
O
Open vSwitch Database. Use OVSDB
OVSDB
controller connection setup, 101
controller connection setup restrictions, 101
protocols and standards, 100
server enable, 103
SSL connection (active), 102
SSL connection (passive), 102
TCP connection (active), 102
TCP connection (passive), 103
VTEP access port, 104
VTEP configuration, 100, 100, 104
VTEP configuration (flood proxy), 107
VTEP configuration (unicast mode), 104
VTEP service enable, 103
P
packet
VXLAN packet check, 24
VXLAN packet destination UDP port, 24
VXLAN packet format, 2
VXLAN packet statistics, 26
VXLAN packet statistics (AC), 27
VXLAN packet statistics (VSI), 26
VXLAN VSI access mode, 8
VXLAN VSI interface packet statistics, 55
passive
VXLAN OVSDB SSL connection, 102
VXLAN OVSDB TCP connection, 103
PIM
VXLAN multicast mode configuration, 22
VXLAN VTEP configuration (PIM method), 23
port
VXLAN packet destination UDP port, 24
VXLAN VTEP access port, 104
procedure
adding static ARP entry, 53
assigning VXLAN customer frame > VSI, 15
assigning VXLAN-DCI tunnel, 88
configuring basic VXLAN-DCI, 92
configuring VLAN-based VXLAN
assignment, 17
configuring VXLAN (multicast mode), 22, 34
configuring VXLAN (unicast mode), 29
configuring VXLAN basics, 11
configuring VXLAN IP gateway
(centralized), 48, 56
configuring VXLAN IP gateway
(distributed), 51
configuring VXLAN IP gateway group
(centralized), 61
configuring VXLAN IP gateway tasks, 48
configuring VXLAN IP gateway VTEP group
(centralized), 49
configuring VXLAN IPv4 gateway
(distributed), 64
configuring VXLAN IPv6 gateway
(distributed), 74
configuring VXLAN OVSDB SSL connection
(active), 102
configuring VXLAN OVSDB SSL connection
(passive), 102
configuring VXLAN OVSDB TCP connection
(active), 102
configuring VXLAN OVSDB TCP connection
(passive), 103
configuring VXLAN OVSDB
VTEP, 100, 100, 100
configuring VXLAN OVSDB VTEP (flood
proxy), 107
configuring VXLAN OVSDB VTEP (unicast
mode), 104
configuring VXLAN packet check, 24
configuring VXLAN packet statistics, 26
configuring VXLAN static MAC address
entry, 18
configuring VXLAN tunnel, 13
configuring VXLAN VSI interface, 54
configuring VXLAN VSI interface optional
parameter, 54
configuring VXLAN VTEP (IGMP host
method), 23
configuring VXLAN VTEP (PIM method), 23
configuring VXLAN-DCI, 87, 92
configuring VXLAN-DCI gateway interface, 89
configuring VXLAN-DCI tunnel, 87
confining VXLAN local flood, 25
creating VXLAN on VSI, 12
disabling VXLAN remote ARP learning, 53
disabling VXLAN remote ND learning, 53
disabling VXLAN remote-MAC address
learning, 18
displaying VXLAN, 28
displaying VXLAN IP gateway, 55
displaying VXLAN-DCI, 91
enabling multicast VXLAN tunnel flood proxy, 104
enabling VXLAN ARP flood suppression, 26
enabling VXLAN local MAC logging, 18
enabling VXLAN over VXLAN, 22
enabling VXLAN OVSDB service, 103
enabling VXLAN OVSDB VTEP service, 103
enabling VXLAN packet statistics (AC), 27
enabling VXLAN packet statistics (Ethernet
service instance), 27
enabling VXLAN packet statistics (VSI), 26
enabling VXLAN packet statistics (VXLAN
tunnel), 27
enabling VXLAN packet statistics (VXLAN-DCI
tunnel), 91
enabling VXLAN VSI interface packet
statistics, 55
maintaining VXLAN, 28
maintaining VXLAN IP gateway, 55
maintaining VXLAN-DCI, 91
managing VXLAN MAC address entries, 17
manually assigning VXLAN tunnel, 14
mapping VXLAN static Ethernet service instance >
VSI, 15
setting Layer 2 forwarding mode, 19
setting MAC learning mode, 19
setting MAC learning priority of Ethernet service
instance, 19
setting up VXLAN OVSDB controller
connection, 101
setting VXLAN hardware resource mode, 11
setting VXLAN packet destination UDP port, 24
setting VXLAN-DCI Layer 2 forwarding mode, 89
setting VXLAN-DCI MAC learning mode, 89
specifying VXLAN tunnel global source
address, 103
specifying VXLAN VTEP access port, 104
specifying VXLAN VTEP group IP gateway
(centralized), 50
testing VXLAN remote VM reachability, 28
protocols and standards
OVSDB, 100
VXLAN, 10
proxying
multicast VXLAN tunnel flood proxy, 104
VXLAN OVSDB VTEP configuration (flood
proxy), 107
VXLAN traffic forwarding flood proxy mode, 6
R
reachability
VXLAN remote VM reachability test, 28
remote
VXLAN remote-MAC address learning, 18
VXLAN static MAC address entry, 18
restrictions
OVSDB controller connection setup, 101
S
server
VXLAN OVSDB server enable, 103
service instance
MAC learning priority of Ethernet service
instance, 19
VLAN-based VXLAN assignment, 17
VXLAN static Ethernet service instance > VSI
mapping, 15
setting
Layer 2 forwarding mode, 19
MAC learning mode, 19
MAC learning priority of Ethernet service
instance, 19
VXLAN hardware resource mode, 11
VXLAN packet destination UDP port, 24
VXLAN-DCI Layer 2 forwarding mode, 89
VXLAN-DCI MAC learning mode, 89
setting up
VXLAN OVSDB controller connection, 101
specifying
VXLAN tunnel global source address, 103
VXLAN VTEP access port, 104
VXLAN VTEP group IP gateway
(centralized), 50
SSL
VXLAN OVSDB SSL connection (active), 102
VXLAN OVSDB SSL connection
(passive), 102
static
VXLAN static MAC address entry, 18
statistics
VXLAN packet statistics, 26
VXLAN packet statistics (AC), 27
VXLAN packet statistics (VSI), 26
VXLAN VSI interface packet statistics, 55
suppressing
VXLAN ARP flood suppression, 9, 26
T
TCP
VXLAN OVSDB TCP connection (active), 102
VXLAN OVSDB TCP connection (passive), 103
testing
VXLAN remote VM reachability, 28
traffic
VXLAN basic configuration, 11, 29
VXLAN MAC address learning, 4
VXLAN traffic assignment, 3
tunnel
VXLAN-DCI Layer 2 forwarding mode, 89
VXLAN-DCI MAC learning mode, 89
tunneling
basic VXLAN-DCI configuration, 92
VXLAN basic configuration, 11, 29
VXLAN network model, 1
VXLAN tunnel assignment, 3
VXLAN tunnel configuration, 13
VXLAN tunnel establishment, 3
VXLAN tunnel global source address, 103
VXLAN tunnel manual assignment, 14
VXLAN-DCI configuration, 84, 87, 92
VXLAN-DCI network model, 84
VXLAN-DCI tunnel assignment, 88
VXLAN-DCI tunnel configuration, 87
U
UDP
VXLAN packet check, 24
VXLAN packet destination UDP port, 24
unicast
VXLAN configuration (unicast mode), 29
VXLAN OVSDB VTEP configuration (unicast
mode), 104
VXLAN traffic forwarding, 5
VXLAN traffic forwarding flood process, 6
V
virtual
Virtual eXtensible LAN. Use VXLAN
virtual machine (VM)
VXLAN remote VM reachability test, 28
VLAN
VLAN-based VXLAN assignment, 17
VXLAN packet check, 24
VXLAN VSI access mode, 8
VSI
VLAN-based VXLAN assignment, 17
VXLAN creation on VSI, 12
VXLAN customer frame > VSI assignment, 15
VXLAN network model, 1
VXLAN static Ethernet service instance > VSI
mapping, 15
VXLAN VSI access mode, 8
VXLAN VSI interface configuration, 54
VXLAN VSI interface optional parameter
configuration, 54
VXLAN VSI interface packet statistics, 55
VXLAN-DCI gateway interface
configuration, 89
VTEP
access port, 104
VXLAN IP gateway (separated from
VTEP), 41
VXLAN IP gateway configuration, 56
VXLAN IP gateway configuration
(centralized), 48, 56
VXLAN IP gateway configuration
(distributed), 51
VXLAN IP gateway deployment
(centralized), 42
VXLAN IP gateway deployment
(distributed), 44
VXLAN IP gateway group configuration
(centralized), 61
VXLAN IP gateway VTEP group configuration
(centralized), 49
VXLAN IPv4 gateway configuration
(distributed), 64
VXLAN IPv6 gateway configuration
(distributed), 74
VXLAN OVSDB controller connection, 101
VXLAN OVSDB VTEP
configuration, 100, 100, 104
VXLAN OVSDB VTEP service enable, 103
VXLAN VTEP configuration (IGMP host
method), 23
VXLAN VTEP configuration (PIM method), 23
VXLAN VTEP group IP gateway
(centralized), 50
VXLAN VTEP IP gateway group deployment
(centralized), 43
VXLAN-DCI gateway interface
configuration, 89
VXLAN
ARP flood suppression, 9
ARP flood suppression enable, 26
basic configuration, 11, 29
basic data center interconnect (DCI)
configuration, 92
configuration (multicast mode), 22, 34
configuration (unicast mode), 29
creation on VSI, 12
customer frame > VSI assignment, 15
data center interconnect (DCI)
configuration, 84, 87, 92
data center interconnect (DCI) display, 91
data center interconnect (DCI) gateway interface
configuration, 89
data center interconnect (DCI) maintain, 91
data center interconnect (DCI) network model, 84
data center interconnect (DCI) tunnel
assignment, 88
data center interconnect (DCI) tunnel
configuration, 87
display, 28
how data center interconnect (DCI) works, 84
how it works, 3
IP gateway, 10
IP gateway (separated from VTEP), 41
IP gateway configuration, 41, 56
IP gateway configuration (centralized), 48, 56
IP gateway configuration (distributed), 51
IP gateway deployment (centralized), 42
IP gateway deployment (distributed), 44
IP gateway display, 55
IP gateway group configuration (centralized), 61
IP gateway maintain, 55
IP gateway VTEP group configuration
(centralized), 49
IPv4 gateway configuration (distributed), 64
IPv6 gateway configuration (distributed), 74
local flood confine, 25
local MAC logging, 18
MAC address entry management, 17
MAC address learning, 4
maintain, 28
multicast tunnel flood proxy, 104
network model, 1
overview, 1
OVSDB controller connection, 101
OVSDB controller connection setup
restrictions, 101
OVSDB protocols and standards, 100
OVSDB server enable, 103
OVSDB SSL connection (active), 102
OVSDB SSL connection (passive), 102
OVSDB TCP connection (active), 102
OVSDB TCP connection (passive), 103
OVSDB VTEP configuration, 100, 100, 104
OVSDB VTEP configuration (flood proxy), 107
OVSDB VTEP configuration (unicast mode), 104
OVSDB VTEP service enable, 103
packet check configuration, 24
packet destination UDP port, 24
packet format, 2
packet statistics (AC), 27
packet statistics (Ethernet service
instance), 27
packet statistics (VSI), 26
packet statistics (VXLAN tunnel), 27
packet statistics (VXLAN-DCI tunnel), 91
packet statistics configuration, 26
protocols and standards, 10
remote VM reachability test, 28
remote-MAC address learning, 18
static Ethernet service instance > VSI
mapping, 15
static MAC address entry, 18
traffic assignment, 3
tunnel assignment, 3
tunnel configuration, 13
tunnel establishment, 3
tunnel global source address, 103
tunnel manual assignment, 14
VLAN-based VXLAN assignment, 17
VSI access mode, 8
VSI interface configuration, 54
VSI interface optional parameter
configuration, 54
VTEP access port, 104
VTEP configuration (IGMP host method), 23
VTEP configuration (PIM method), 23
VTEP group IP gateway (centralized), 50
VTEP IP gateway group deployment
(centralized), 43
VXLAN over VXLAN, 22
VXLAN IP gateway
ARP entry management, 53
ND entry management, 53
static ARP entry, 53