VXLAN distributed gateway scenario
https://support.huawei.com/hedex/hdx.do?docid=EDOC1100101225&lang=zh&idPath=24030814%7C21782165%7C21782236%7C22318638%7C7542409
Lab topology
Lab plan
Interconnect address plan
- CE interconnect links use the 10.1.XY.0/24 range, with the lower device number first, e.g. CE1-CE3 uses 10.1.13.0/24;
- The three interconnect segments between the Gateway Leafs and the firewall are as shown in the figure; the firewall takes the lower address;
- CE1 and CE2 are the RRs and only need a LoopBack0 address (100.1.1.0/32 pattern) for building the EVPN peering;
- CE3-CE6 are Leafs; besides LoopBack0 they also need a LoopBack1 address (10.1.1.0/32 pattern) as the VTEP source address;
- The firewalls are deployed in active/standby mode; the active/standby negotiation (HRP) link uses 1.1.1.0/30;
- The Gateway Leaf to ISP interconnect addresses are 211.1.1.0/30 and 212.1.1.0/30 respectively;
- The ISP creates LoopBack8 with address 8.8.8.8/32 to simulate the Internet.
Service address plan
- Tenant A has vlan10 and vlan20, with addresses 10.0.10.0/24 and 10.0.20.0/24;
- Tenant B has vlan30 and vlan40, with addresses 10.0.30.0/24 and 10.0.40.0/24;
- AR2 is the telnet server, address 10.0.10.10/24;
- AR3 is the FTP server, address 10.0.40.10/24.
BD/VNI/RD/RT plan
- vlan10→BD10→VNI10→RD10:1→RT10:1→eRT10:100
- vlan20→BD20→VNI20→RD10:2→RT10:2→eRT10:100
- vlan30→BD30→VNI30→RD10:3→RT10:3→eRT10:200
- vlan40→BD40→VNI40→RD10:4→RT10:4→eRT10:200
- vpnA→RD10:100→eVPN RT10:100→VNI15
- vpnB→RD10:200→eVPN RT10:200→VNI25
Lab requirements
- The underlay uses OSPF to exchange routes;
- iBGP EVPN peerings are built using 100.1.1.0/32 as the source address;
- VXLAN tunnels use 10.1.1.0/32 as the VTEP source address;
- VPN instances, bridge domains, addresses and related parameters are configured according to the plan;
- All tenant service addresses may reach the Internet address 8.8.8.8;
- The Internet server 8.8.8.8 may access AR2 via telnet;
- The Internet server 8.8.8.8 may log in to AR3 via FTP;
- AR2 may log in to AR3 via FTP;
- AR3 may access AR2 via telnet.
Lab steps
Routers
ISP
interface GigabitEthernet0/0/0
ip address 211.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 212.1.1.1 255.255.255.0
#
interface LoopBack8
ip address 8.8.8.8 255.255.255.255
#
ip route-static 202.1.1.0 255.255.255.240 211.1.1.2
ip route-static 202.1.1.0 255.255.255.240 212.1.1.2
#
AR2
interface GigabitEthernet0/0/0
ip address 10.0.10.10 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.10.254
#
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher Admin@123
AR3
ftp server enable
#
aaa
local-user ftp password cipher Admin@123
local-user ftp privilege level 15
local-user ftp ftp-directory flash:
local-user ftp service-type ftp
interface GigabitEthernet0/0/0
ip address 10.0.40.10 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.40.253
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
#
Address configuration
Omitted.
OSPF configuration
Omitted; the OSPF network type on the interconnect interfaces is changed to P2P.
Verifying neighbors and routes
[CE1]display ospf peer brief
OSPF Process 1 with Router ID 11.1.1.1
Peer Statistic Information
Total number of peer(s): 4
Peer(s) in full state: 4
-----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GE1/0/0 33.1.1.1 Full
0.0.0.0 GE1/0/1 44.1.1.1 Full
0.0.0.0 GE1/0/2 55.1.1.1 Full
0.0.0.0 GE1/0/3 66.1.1.1 Full
-----------------------------------------------------------------------------
[CE2]display ospf peer brief
OSPF Process 1 with Router ID 22.1.1.1
Peer Statistic Information
Total number of peer(s): 4
Peer(s) in full state: 4
-----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GE1/0/0 33.1.1.1 Full
0.0.0.0 GE1/0/1 44.1.1.1 Full
0.0.0.0 GE1/0/2 55.1.1.1 Full
0.0.0.0 GE1/0/3 66.1.1.1 Full
-----------------------------------------------------------------------------
[CE3]display ospf routing
OSPF Process 1 with Router ID 33.1.1.1
Routing for Network
------------------------------------------------------------------------------
Destination Cost Type Next-Hop AdvRouter Area
10.1.1.3/32 0 Direct 10.1.1.3 33.1.1.1 0.0.0.0
10.1.1.4/32 2 Stub 10.1.23.2 44.1.1.1 0.0.0.0
10.1.1.4/32 2 Stub 10.1.13.1 44.1.1.1 0.0.0.0
10.1.1.5/32 2 Stub 10.1.23.2 55.1.1.1 0.0.0.0
10.1.1.5/32 2 Stub 10.1.13.1 55.1.1.1 0.0.0.0
10.1.1.6/32 2 Stub 10.1.23.2 66.1.1.1 0.0.0.0
10.1.1.6/32 2 Stub 10.1.13.1 66.1.1.1 0.0.0.0
10.1.13.0/24 1 Direct 10.1.13.3 33.1.1.1 0.0.0.0
10.1.14.0/24 2 Stub 10.1.13.1 11.1.1.1 0.0.0.0
10.1.15.0/24 2 Stub 10.1.13.1 11.1.1.1 0.0.0.0
10.1.16.0/24 2 Stub 10.1.13.1 11.1.1.1 0.0.0.0
10.1.23.0/24 1 Direct 10.1.23.3 33.1.1.1 0.0.0.0
10.1.24.0/24 2 Stub 10.1.23.2 22.1.1.1 0.0.0.0
10.1.25.0/24 2 Stub 10.1.23.2 22.1.1.1 0.0.0.0
10.1.26.0/24 2 Stub 10.1.23.2 22.1.1.1 0.0.0.0
100.1.1.1/32 1 Stub 10.1.13.1 11.1.1.1 0.0.0.0
100.1.1.2/32 1 Stub 10.1.23.2 22.1.1.1 0.0.0.0
100.1.1.3/32 0 Direct 100.1.1.3 33.1.1.1 0.0.0.0
100.1.1.4/32 2 Stub 10.1.23.2 44.1.1.1 0.0.0.0
100.1.1.4/32 2 Stub 10.1.13.1 44.1.1.1 0.0.0.0
100.1.1.5/32 2 Stub 10.1.23.2 55.1.1.1 0.0.0.0
100.1.1.5/32 2 Stub 10.1.13.1 55.1.1.1 0.0.0.0
100.1.1.6/32 2 Stub 10.1.23.2 66.1.1.1 0.0.0.0
100.1.1.6/32 2 Stub 10.1.13.1 66.1.1.1 0.0.0.0
Total Nets: 18
Intra Area: 18 Inter Area: 0 ASE: 0 NSSA: 0
[CE6]display ospf routing
OSPF Process 1 with Router ID 66.1.1.1
Routing for Network
------------------------------------------------------------------------------
Destination Cost Type Next-Hop AdvRouter Area
10.1.1.3/32 2 Stub 10.1.26.2 33.1.1.1 0.0.0.0
10.1.1.3/32 2 Stub 10.1.16.1 33.1.1.1 0.0.0.0
10.1.1.4/32 2 Stub 10.1.26.2 44.1.1.1 0.0.0.0
10.1.1.4/32 2 Stub 10.1.16.1 44.1.1.1 0.0.0.0
10.1.1.5/32 2 Stub 10.1.26.2 55.1.1.1 0.0.0.0
10.1.1.5/32 2 Stub 10.1.16.1 55.1.1.1 0.0.0.0
10.1.1.6/32 0 Direct 10.1.1.6 66.1.1.1 0.0.0.0
10.1.13.0/24 2 Stub 10.1.16.1 11.1.1.1 0.0.0.0
10.1.14.0/24 2 Stub 10.1.16.1 11.1.1.1 0.0.0.0
10.1.15.0/24 2 Stub 10.1.16.1 11.1.1.1 0.0.0.0
10.1.16.0/24 1 Direct 10.1.16.6 66.1.1.1 0.0.0.0
10.1.23.0/24 2 Stub 10.1.26.2 22.1.1.1 0.0.0.0
10.1.24.0/24 2 Stub 10.1.26.2 22.1.1.1 0.0.0.0
10.1.25.0/24 2 Stub 10.1.26.2 22.1.1.1 0.0.0.0
10.1.26.0/24 1 Direct 10.1.26.6 66.1.1.1 0.0.0.0
100.1.1.1/32 1 Stub 10.1.16.1 11.1.1.1 0.0.0.0
100.1.1.2/32 1 Stub 10.1.26.2 22.1.1.1 0.0.0.0
100.1.1.3/32 2 Stub 10.1.26.2 33.1.1.1 0.0.0.0
100.1.1.3/32 2 Stub 10.1.16.1 33.1.1.1 0.0.0.0
100.1.1.4/32 2 Stub 10.1.26.2 44.1.1.1 0.0.0.0
100.1.1.4/32 2 Stub 10.1.16.1 44.1.1.1 0.0.0.0
100.1.1.5/32 2 Stub 10.1.26.2 55.1.1.1 0.0.0.0
100.1.1.5/32 2 Stub 10.1.16.1 55.1.1.1 0.0.0.0
100.1.1.6/32 0 Direct 100.1.1.6 66.1.1.1 0.0.0.0
Total Nets: 18
Intra Area: 18 Inter Area: 0 ASE: 0 NSSA: 0
iBGP EVPN configuration
CE1-CE6
evpn-overlay enable //globally enable EVPN as the VXLAN control plane
CE1
bgp 1
router-id 11.1.1.1
peer 100.1.1.3 as-number 1
peer 100.1.1.3 connect-interface LoopBack0
peer 100.1.1.4 as-number 1
peer 100.1.1.4 connect-interface LoopBack0
peer 100.1.1.5 as-number 1
peer 100.1.1.5 connect-interface LoopBack0
peer 100.1.1.6 as-number 1
peer 100.1.1.6 connect-interface LoopBack0
#
ipv4-family unicast
peer 100.1.1.3 enable
peer 100.1.1.3 reflect-client
peer 100.1.1.4 enable
peer 100.1.1.4 reflect-client
peer 100.1.1.5 enable
peer 100.1.1.5 reflect-client
peer 100.1.1.6 enable
peer 100.1.1.6 reflect-client
#
l2vpn-family evpn
undo policy vpn-target //on both RRs, remember to disable RT filtering of received VPN routes and labels
peer 100.1.1.3 enable
peer 100.1.1.3 advertise irb
peer 100.1.1.3 reflect-client
peer 100.1.1.4 enable
peer 100.1.1.4 advertise irb
peer 100.1.1.4 reflect-client
peer 100.1.1.5 enable
peer 100.1.1.5 advertise irb
peer 100.1.1.5 reflect-client
peer 100.1.1.6 enable
peer 100.1.1.6 advertise irb
peer 100.1.1.6 reflect-client
#
CE2
bgp 1
router-id 22.1.1.1
peer 100.1.1.3 as-number 1
peer 100.1.1.3 connect-interface LoopBack0
peer 100.1.1.4 as-number 1
peer 100.1.1.4 connect-interface LoopBack0
peer 100.1.1.5 as-number 1
peer 100.1.1.5 connect-interface LoopBack0
peer 100.1.1.6 as-number 1
peer 100.1.1.6 connect-interface LoopBack0
#
ipv4-family unicast
peer 100.1.1.3 enable
peer 100.1.1.3 reflect-client
peer 100.1.1.4 enable
peer 100.1.1.4 reflect-client
peer 100.1.1.5 enable
peer 100.1.1.5 reflect-client
peer 100.1.1.6 enable
peer 100.1.1.6 reflect-client
#
l2vpn-family evpn
undo policy vpn-target
peer 100.1.1.3 enable
peer 100.1.1.3 advertise irb
peer 100.1.1.3 reflect-client
peer 100.1.1.4 enable
peer 100.1.1.4 advertise irb
peer 100.1.1.4 reflect-client
peer 100.1.1.5 enable
peer 100.1.1.5 advertise irb
peer 100.1.1.5 reflect-client
peer 100.1.1.6 enable
peer 100.1.1.6 advertise irb
peer 100.1.1.6 reflect-client
#
CE3
bgp 1
router-id 33.1.1.1
peer 100.1.1.1 as-number 1
peer 100.1.1.1 connect-interface LoopBack0
peer 100.1.1.2 as-number 1
peer 100.1.1.2 connect-interface LoopBack0
#
ipv4-family unicast
peer 100.1.1.1 enable
peer 100.1.1.2 enable
#
l2vpn-family evpn
policy vpn-target
peer 100.1.1.1 enable
peer 100.1.1.1 advertise irb
peer 100.1.1.2 enable
peer 100.1.1.2 advertise irb
#
CE4
bgp 1
router-id 44.1.1.1
peer 100.1.1.1 as-number 1
peer 100.1.1.1 connect-interface LoopBack0
peer 100.1.1.2 as-number 1
peer 100.1.1.2 connect-interface LoopBack0
#
ipv4-family unicast
peer 100.1.1.1 enable
peer 100.1.1.2 enable
#
l2vpn-family evpn
policy vpn-target
peer 100.1.1.1 enable
peer 100.1.1.1 advertise irb
peer 100.1.1.2 enable
peer 100.1.1.2 advertise irb
#
CE5
bgp 1
router-id 55.1.1.1
peer 100.1.1.1 as-number 1
peer 100.1.1.1 connect-interface LoopBack0
peer 100.1.1.2 as-number 1
peer 100.1.1.2 connect-interface LoopBack0
#
ipv4-family unicast
peer 100.1.1.1 enable
peer 100.1.1.2 enable
#
l2vpn-family evpn
policy vpn-target
peer 100.1.1.1 enable
peer 100.1.1.1 advertise irb
peer 100.1.1.2 enable
peer 100.1.1.2 advertise irb
#
CE6
bgp 1
router-id 66.1.1.1
peer 100.1.1.1 as-number 1
peer 100.1.1.1 connect-interface LoopBack0
peer 100.1.1.2 as-number 1
peer 100.1.1.2 connect-interface LoopBack0
#
ipv4-family unicast
peer 100.1.1.1 enable
peer 100.1.1.2 enable
#
l2vpn-family evpn
policy vpn-target
peer 100.1.1.1 enable
peer 100.1.1.1 advertise irb
peer 100.1.1.2 enable
peer 100.1.1.2 advertise irb
#
Checking EVPN peer relationships
[CE1]display bgp evpn peer
BGP local router ID : 11.1.1.1
Local AS number : 1
Total number of peers : 4
Peers in established state : 4
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
100.1.1.3 4 1 4 5 0 00:00:31 Established 0
100.1.1.4 4 1 4 4 0 00:00:20 Established 0
100.1.1.5 4 1 4 4 0 00:00:09 Established 0
100.1.1.6 4 1 4 5 0 00:00:01 Established 0
[CE2]display bgp evpn peer
BGP local router ID : 22.1.1.1
Local AS number : 1
Total number of peers : 4
Peers in established state : 4
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
100.1.1.3 4 1 4 5 0 00:00:46 Established 0
100.1.1.4 4 1 4 4 0 00:00:33 Established 0
100.1.1.5 4 1 4 4 0 00:00:23 Established 0
100.1.1.6 4 1 4 5 0 00:00:15 Established 0
Configuring bridge domains
CE3-CE6
bridge-domain 10
vxlan vni 10
evpn
route-distinguisher 10:1
vpn-target 10:1 export-extcommunity
vpn-target 10:100 export-extcommunity //used to carry the VXLAN host routes via EVPN
vpn-target 10:1 import-extcommunity
#
bridge-domain 20
vxlan vni 20
evpn
route-distinguisher 10:2
vpn-target 10:2 export-extcommunity
vpn-target 10:100 export-extcommunity
vpn-target 10:2 import-extcommunity
#
bridge-domain 30
vxlan vni 30
evpn
route-distinguisher 10:3
vpn-target 10:3 export-extcommunity
vpn-target 10:200 export-extcommunity
vpn-target 10:3 import-extcommunity
#
bridge-domain 40
vxlan vni 40
evpn
route-distinguisher 10:4
vpn-target 10:4 export-extcommunity
vpn-target 10:200 export-extcommunity
vpn-target 10:4 import-extcommunity
#
Configuring VPN instances
CE3-CE6
ip vpn-instance A
ipv4-family
route-distinguisher 10:100
vpn-target 10:100 export-extcommunity evpn
vpn-target 10:100 import-extcommunity evpn
vxlan vni 15
#
ip vpn-instance B
ipv4-family
route-distinguisher 10:200
vpn-target 10:200 export-extcommunity evpn
vpn-target 10:200 import-extcommunity evpn
vxlan vni 25
#
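The BD/VNI/RD/RT plan and the bridge-domain and VPN-instance configuration above decide, purely through route-target matching, which host routes each tenant's VPN instance imports: a BD exports its own RT plus the tenant RT (10:100 or 10:200), and the VPN instance imports that tenant RT with "import-extcommunity evpn". The Python script below is an added example, not code from the page or from Huawei; it parses a constructed copy of the CE3-CE6 fragment (the function names, the `bd:`/`vpn:` keys and the tenant ownership map `PLAN` are this example's own) and reports any BD whose export RT would pull its host routes into the other tenant's VPN instance, which is what a single mistyped RT does.

```python
"""Route-target (RT) isolation check for the BD / VPN-instance plan.

Added example, not part of the original lab page. It parses a VRP-style
configuration fragment (bridge-domain EVPN instances and IP VPN instances
as configured on CE3-CE6) and works out, from RT matching alone, which
VPN instance would import host routes from which bridge domain. A BD whose
export RT appears in the other tenant's "import-extcommunity evpn" list
leaks host routes across tenants.
"""
import re

HEAD_RE = re.compile(r"(bridge-domain (\d+)|ip vpn-instance (\S+))$")
RT_RE = re.compile(r"vpn-target (\S+) (export|import|both)-extcommunity( evpn)?$")


def parse_rts(text):
    """Map 'bd:<id>' / 'vpn:<name>' -> {"export": set(RT), "import": set(RT)}."""
    blocks, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                       # VRP closes every block with '#'
            key = None
        elif key is None:
            m = HEAD_RE.match(line)
            if m:
                key = f"bd:{m.group(2)}" if m.group(2) else f"vpn:{m.group(3)}"
                blocks.setdefault(key, {"export": set(), "import": set()})
            elif line:
                key = "skip"                  # interface, bgp, ... blocks: ignore
        elif key != "skip":
            m = RT_RE.match(line)
            if not m:
                continue
            rt, direction, evpn_flag = m.groups()
            if key.startswith("vpn:") and not evpn_flag:
                continue                      # plain L3VPN RTs carry no VXLAN host routes
            if direction != "import":
                blocks[key]["export"].add(rt)
            if direction != "export":
                blocks[key]["import"].add(rt)
    return blocks


def imported_bds(blocks):
    """For each VPN instance, the sorted BD ids whose host routes it would import."""
    return {key[4:]: sorted(int(k[3:]) for k, b in blocks.items()
                            if k.startswith("bd:") and b["export"] & rts["import"])
            for key, rts in blocks.items() if key.startswith("vpn:")}


def cross_tenant_leaks(blocks, plan):
    """plan maps VPN name -> BD ids owned by that tenant; returns foreign (vpn, bd) pairs."""
    return [(vpn, bd) for vpn, got in imported_bds(blocks).items()
            for bd in got if bd not in plan.get(vpn, set())]


def bd_block(bd, tenant_rt):
    """Constructed BD config in the page's layout: BD n -> RD/RT 10:(n/10) plus the tenant RT."""
    n = bd // 10
    return (f"bridge-domain {bd}\n vxlan vni {bd}\n evpn\n  route-distinguisher 10:{n}\n"
            f"  vpn-target 10:{n} export-extcommunity\n"
            f"  vpn-target {tenant_rt} export-extcommunity\n"
            f"  vpn-target 10:{n} import-extcommunity\n#\n")


def vpn_block(name, rt, l3vni):
    """Constructed VPN-instance config in the page's layout."""
    return (f"ip vpn-instance {name}\n ipv4-family\n  route-distinguisher {rt}\n"
            f"  vpn-target {rt} export-extcommunity evpn\n"
            f"  vpn-target {rt} import-extcommunity evpn\n  vxlan vni {l3vni}\n#\n")


VPNS = vpn_block("A", "10:100", 15) + vpn_block("B", "10:200", 25)
LAB_CONFIG = (bd_block(10, "10:100") + bd_block(20, "10:100")
              + bd_block(30, "10:200") + bd_block(40, "10:200") + VPNS)
# Same plan with one mistyped tenant RT on BD30 (10:100 instead of 10:200).
TYPO_CONFIG = (bd_block(10, "10:100") + bd_block(20, "10:100")
               + bd_block(30, "10:100") + bd_block(40, "10:200") + VPNS)
PLAN = {"A": {10, 20}, "B": {30, 40}}       # vlan10/20 -> tenant A, vlan30/40 -> tenant B


def check(config=LAB_CONFIG, plan=PLAN):
    """Return (BDs imported per VPN instance, list of cross-tenant leaks)."""
    blocks = parse_rts(config)
    return imported_bds(blocks), cross_tenant_leaks(blocks, plan)


if __name__ == "__main__":
    print("planned :", check())               # tenants isolated, no leaks
    print("mistyped:", check(TYPO_CONFIG))    # vlan30 host routes land in tenant A
```

Run it against the real `display current-configuration` text of a leaf instead of the constructed fragment to confirm the plan before enabling `advertise irb`: the leak list is empty for the configuration shown on the page and reports `("A", 30)` for the mistyped variant, i.e. tenant A's VPN instance would start receiving vlan30 host routes.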
Configuring service access
CE3/CE4
interface GE1/0/2
undo shutdown
#
interface GE1/0/2.10 mode l2
encapsulation dot1q vid 10
bridge-domain 10
#
interface GE1/0/2.20 mode l2
encapsulation dot1q vid 20
bridge-domain 20
#
interface GE1/0/2.30 mode l2
encapsulation dot1q vid 30
bridge-domain 30
#
interface GE1/0/2.40 mode l2
encapsulation dot1q vid 40
bridge-domain 40
#
Configuring service gateways
CE3
interface Vbdif10
ip binding vpn-instance A
ip address 10.0.10.254 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
interface Vbdif20
ip binding vpn-instance A
ip address 10.0.20.254 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
interface Vbdif30
ip binding vpn-instance B
ip address 10.0.30.254 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
interface Vbdif40
ip binding vpn-instance B
ip address 10.0.40.254 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
CE4
interface Vbdif10
ip binding vpn-instance A
ip address 10.0.10.253 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
interface Vbdif20
ip binding vpn-instance A
ip address 10.0.20.253 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
interface Vbdif30
ip binding vpn-instance B
ip address 10.0.30.253 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
interface Vbdif40
ip binding vpn-instance B
ip address 10.0.40.253 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
Configuring VXLAN tunnels
CE3
interface Nve1
source 10.1.1.3
vni 10 head-end peer-list protocol bgp
vni 20 head-end peer-list protocol bgp
vni 30 head-end peer-list protocol bgp
vni 40 head-end peer-list protocol bgp
#
CE4
interface Nve1
source 10.1.1.4
vni 10 head-end peer-list protocol bgp
vni 20 head-end peer-list protocol bgp
vni 30 head-end peer-list protocol bgp
vni 40 head-end peer-list protocol bgp
#
CE5
interface Nve1
source 10.1.1.5
vni 10 head-end peer-list protocol bgp
vni 20 head-end peer-list protocol bgp
vni 30 head-end peer-list protocol bgp
vni 40 head-end peer-list protocol bgp
#
CE6
interface Nve1
source 10.1.1.6
vni 10 head-end peer-list protocol bgp
vni 20 head-end peer-list protocol bgp
vni 30 head-end peer-list protocol bgp
vni 40 head-end peer-list protocol bgp
#
Checking VXLAN tunnels
[CE4]display vxlan peer
Number of peers : 12
Vni ID Source Destination Type Out Vni ID
-------------------------------------------------------------------------------
10 10.1.1.4 10.1.1.3 dynamic 10
10 10.1.1.4 10.1.1.5 dynamic 10
10 10.1.1.4 10.1.1.6 dynamic 10
20 10.1.1.4 10.1.1.3 dynamic 20
20 10.1.1.4 10.1.1.5 dynamic 20
20 10.1.1.4 10.1.1.6 dynamic 20
30 10.1.1.4 10.1.1.3 dynamic 30
30 10.1.1.4 10.1.1.5 dynamic 30
30 10.1.1.4 10.1.1.6 dynamic 30
40 10.1.1.4 10.1.1.3 dynamic 40
40 10.1.1.4 10.1.1.5 dynamic 40
40 10.1.1.4 10.1.1.6 dynamic 40
[CE4]display vxlan tunnel
Number of vxlan tunnel : 3
Tunnel ID Source Destination State Type Uptime
-----------------------------------------------------------------------------------
4026531841 10.1.1.4 10.1.1.3 up dynamic 00:02:18
4026531842 10.1.1.4 10.1.1.5 up dynamic 00:02:06
4026531843 10.1.1.4 10.1.1.6 up dynamic 00:01:59
[CE5]display vxlan peer
Number of peers : 12
Vni ID Source Destination Type Out Vni ID
-------------------------------------------------------------------------------
10 10.1.1.5 10.1.1.3 dynamic 10
10 10.1.1.5 10.1.1.4 dynamic 10
10 10.1.1.5 10.1.1.6 dynamic 10
20 10.1.1.5 10.1.1.3 dynamic 20
20 10.1.1.5 10.1.1.4 dynamic 20
20 10.1.1.5 10.1.1.6 dynamic 20
30 10.1.1.5 10.1.1.3 dynamic 30
30 10.1.1.5 10.1.1.4 dynamic 30
30 10.1.1.5 10.1.1.6 dynamic 30
40 10.1.1.5 10.1.1.3 dynamic 40
40 10.1.1.5 10.1.1.4 dynamic 40
40 10.1.1.5 10.1.1.6 dynamic 40
[CE5]display vxlan tunnel
Number of vxlan tunnel : 3
Tunnel ID Source Destination State Type Uptime
-----------------------------------------------------------------------------------
4026531841 10.1.1.5 10.1.1.3 up dynamic 00:02:50
4026531842 10.1.1.5 10.1.1.4 up dynamic 00:02:42
4026531843 10.1.1.5 10.1.1.6 up dynamic 00:02:31
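With `head-end peer-list protocol bgp`, every leaf should learn one dynamic peer per (VNI, remote VTEP) pair and one tunnel per remote VTEP, so the tables above are the place to spot a VTEP that never appeared or one that was never planned. The Python script below is an added example, not code from the page or from Huawei; it parses constructed copies of the CE4 `display vxlan peer` and `display vxlan tunnel` output and compares them with the lab's planned VTEP list and tenant VNIs (the function names and the `audit` result keys are this example's own).

```python
"""Audit `display vxlan peer` / `display vxlan tunnel` output against the plan.

Added example, not part of the original lab page. It parses the two command
outputs (constructed copies of CE4's tables) and checks that every planned
(VNI, remote VTEP) pair is present, that no peer outside the planned VTEP
set has appeared, that the in/out VNIs agree, and that every tunnel is up.
The VTEP list and VNI list come from the lab plan, not from discovery.
"""
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PEER_ROW = re.compile(rf"^(\d+)\s+{IP}\s+{IP}\s+(\S+)\s+(\d+)$")
TUNNEL_ROW = re.compile(rf"^(\d+)\s+{IP}\s+{IP}\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_vxlan_peers(output):
    """Rows of (vni, source, destination, type, out_vni) from `display vxlan peer`."""
    rows = []
    for line in output.splitlines():
        m = PEER_ROW.match(line.strip())
        if m:
            vni, src, dst, typ, out_vni = m.groups()
            rows.append((int(vni), src, dst, typ, int(out_vni)))
    return rows


def parse_vxlan_tunnels(output):
    """Rows of (tunnel_id, source, destination, state) from `display vxlan tunnel`."""
    rows = []
    for line in output.splitlines():
        m = TUNNEL_ROW.match(line.strip())
        if m:
            tid, src, dst, state, _typ, _uptime = m.groups()
            rows.append((int(tid), src, dst, state))
    return rows


def audit(peer_output, tunnel_output, local_vtep, planned_vteps, planned_vnis):
    """Compare the peer/tunnel tables of one leaf with the planned full mesh."""
    peers = parse_vxlan_peers(peer_output)
    expected = {(vni, dst) for vni in planned_vnis
                for dst in planned_vteps if dst != local_vtep}
    seen = {(vni, dst) for vni, src, dst, _, _ in peers if src == local_vtep}
    return {
        "missing": sorted(expected - seen),           # planned peer not learned
        "unexpected": sorted(seen - expected),        # VTEP/VNI not in the plan
        "vni_mismatch": [(vni, dst) for vni, _, dst, _, out in peers if vni != out],
        "tunnels_down": [(src, dst) for _, src, dst, state
                         in parse_vxlan_tunnels(tunnel_output) if state != "up"],
    }


# Constructed copies of the CE4 outputs shown on the page.
CE4_PEERS = """\
[CE4]display vxlan peer
Number of peers : 12
Vni ID    Source          Destination     Type      Out Vni ID
-------------------------------------------------------------------------------
10        10.1.1.4        10.1.1.3        dynamic   10
10        10.1.1.4        10.1.1.5        dynamic   10
10        10.1.1.4        10.1.1.6        dynamic   10
20        10.1.1.4        10.1.1.3        dynamic   20
20        10.1.1.4        10.1.1.5        dynamic   20
20        10.1.1.4        10.1.1.6        dynamic   20
30        10.1.1.4        10.1.1.3        dynamic   30
30        10.1.1.4        10.1.1.5        dynamic   30
30        10.1.1.4        10.1.1.6        dynamic   30
40        10.1.1.4        10.1.1.3        dynamic   40
40        10.1.1.4        10.1.1.5        dynamic   40
40        10.1.1.4        10.1.1.6        dynamic   40
"""
CE4_TUNNELS = """\
[CE4]display vxlan tunnel
Number of vxlan tunnel : 3
Tunnel ID   Source          Destination     State  Type     Uptime
-----------------------------------------------------------------------------------
4026531841  10.1.1.4        10.1.1.3        up     dynamic  00:02:18
4026531842  10.1.1.4        10.1.1.5        up     dynamic  00:02:06
4026531843  10.1.1.4        10.1.1.6        up     dynamic  00:01:59
"""
LEAF_VTEPS = ["10.1.1.3", "10.1.1.4", "10.1.1.5", "10.1.1.6"]   # LoopBack1 of CE3-CE6
TENANT_VNIS = [10, 20, 30, 40]


def audit_ce4():
    """Audit of the page's CE4 tables: every list is empty when the mesh is complete."""
    return audit(CE4_PEERS, CE4_TUNNELS, "10.1.1.4", LEAF_VTEPS, TENANT_VNIS)


def degraded_example():
    """Constructed failure case: one planned peer gone, one unplanned VTEP, one tunnel down."""
    rows = [l for l in CE4_PEERS.splitlines() if not (l.startswith("40") and "10.1.1.6" in l)]
    rows.append("10        10.1.1.4        10.1.1.9        dynamic   10")
    tunnels = re.sub(r"(10\.1\.1\.6\s+)up", r"\1down", CE4_TUNNELS)
    return audit("\n".join(rows), tunnels, "10.1.1.4", LEAF_VTEPS, TENANT_VNIS)


if __name__ == "__main__":
    print(audit_ce4())
    print(degraded_example())
```

An entry in `unexpected` deserves attention: a peer for a tenant VNI whose VTEP is not one of the planned leaf LoopBack1 addresses means that either the plan is out of date or an unplanned device is advertising EVPN routes for that VNI.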
Checking EVPN routes
[CE5]display ip routing-table vpn-instance A protocol bgp
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
A Routing Table : BGP
Destinations : 4 Routes : 4
BGP routing table status : <Active>
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.10.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.10.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
10.0.20.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.20.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
BGP routing table status : <Inactive>
Destinations : 0 Routes : 0
[CE5]display ip routing-table vpn-instance B protocol bgp
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
B Routing Table : BGP
Destinations : 4 Routes : 4
BGP routing table status : <Active>
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.30.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.30.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
10.0.40.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.40.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
BGP routing table status : <Inactive>
Destinations : 0 Routes : 0
[CE6]display ip routing-table vpn-instance A protocol bgp
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
A Routing Table : BGP
Destinations : 4 Routes : 4
BGP routing table status : <Active>
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.10.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.10.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
10.0.20.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.20.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
BGP routing table status : <Inactive>
Destinations : 0 Routes : 0
[CE6]display ip routing-table vpn-instance B protocol bgp
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
B Routing Table : BGP
Destinations : 4 Routes : 4
BGP routing table status : <Active>
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.30.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.30.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
10.0.40.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.40.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
BGP routing table status : <Inactive>
Destinations : 0 Routes : 0
Configuring the firewall and gateway leaf interfaces
fw1
vlan batch 100 200 110
#
interface Eth-Trunk1
trunkport GigabitEthernet 1/0/0
trunkport GigabitEthernet 1/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 100 110 200
#
fw2
vlan batch 100 200 110
#
interface Eth-Trunk1
trunkport GigabitEthernet 1/0/0
trunkport GigabitEthernet 1/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 100 110 200
#
CE5
vlan batch 100 200 110
#
interface GE1/0/2
undo shutdown
#
interface GE1/0/3
undo shutdown
#
interface Eth-Trunk1
trunkport GE 1/0/2
trunkport GE 1/0/3
port link-type trunk
port trunk allow-pass vlan 100 110 200
#
CE6
vlan batch 100 200 110
#
interface GE1/0/2
undo shutdown
#
interface GE1/0/3
undo shutdown
#
interface Eth-Trunk1
trunkport GE 1/0/2
trunkport GE 1/0/3
port link-type trunk
port trunk allow-pass vlan 100 110 200
#
Configuring the active/standby firewalls
FW1
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.1 255.255.255.252
#
firewall zone dmz
add interface GigabitEthernet1/0/2
#
hrp mirror config enable
hrp interface GigabitEthernet1/0/2 remote 1.1.1.2
hrp base config enable
hrp mirror session enable
hrp nat resource primary-group
hrp standby config enable
undo hrp preempt
hrp track interface Eth-Trunk1
hrp enable
FW2
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.2 255.255.255.252
#
firewall zone dmz
add interface GigabitEthernet1/0/2
#
hrp mirror config enable
hrp standby-device
hrp interface GigabitEthernet1/0/2 remote 1.1.1.1 //remote is the peer firewall FW1
hrp base config enable
hrp mirror session enable
hrp nat resource primary-group
hrp standby config enable
undo hrp preempt
hrp track interface Eth-Trunk1
hrp enable
Configuring the firewall to gateway leaf interconnect
CE5
interface Vlanif100
ip binding vpn-instance A
ip address 10.1.100.2 255.255.255.252
#
interface Vlanif110
ip address 10.1.110.2 255.255.255.252
#
interface Vlanif200
ip binding vpn-instance B
ip address 10.1.200.2 255.255.255.252
#
CE6
interface Vlanif100
ip binding vpn-instance A
ip address 10.1.100.2 255.255.255.252
#
interface Vlanif110
ip address 10.1.110.2 255.255.255.252
#
interface Vlanif200
ip binding vpn-instance B
ip address 10.1.200.2 255.255.255.252
#
FW
vsys enable
#
vsys name A
assign vlan 100
#
vsys name B
assign vlan 200
#
interface Vlanif100
ip binding vpn-instance A
ip address 10.1.100.1 255.255.255.252
#
interface Vlanif110
ip address 10.1.110.1 255.255.255.252
service-manage ping permit
#
interface Vlanif200
ip binding vpn-instance B
ip address 10.1.200.1 255.255.255.252
#
switch vsys A
#
interface Vlanif 100
service-manage ping permit
#
switch vsys B
#
interface Vlanif 200
service-manage ping permit
#
Configuring routes between the firewall and the gateway leafs
CE5
ip route-static 0.0.0.0 0 211.1.1.1
ip route-static vpn-instance A 0.0.0.0 0 10.1.100.1
ip route-static vpn-instance B 0.0.0.0 0 10.1.200.1
#
bgp 1
#
ipv4-family vpn-instance A
import-route static
advertise l2vpn evpn //advertise the VPN instance's IP routes into the EVPN instance
#
ipv4-family vpn-instance B
import-route static
advertise l2vpn evpn
#
CE6
ip route-static 0.0.0.0 0.0.0.0 212.1.1.1
ip route-static vpn-instance A 0.0.0.0 0.0.0.0 10.1.100.1
ip route-static vpn-instance B 0.0.0.0 0.0.0.0 10.1.200.1
#
bgp 1
#
ipv4-family vpn-instance A
import-route static
advertise l2vpn evpn
#
ipv4-family vpn-instance B
import-route static
advertise l2vpn evpn
#
FW
ip route-static 0.0.0.0 0 10.1.110.2
Configuring the firewall so tenants can reach the Internet
Root firewall (root vsys)
firewall zone trust
add interface Virtual-if0
#
firewall zone untrust
add interface Vlanif110
#
security-policy
rule name trust-untrust
source-zone trust
destination-zone untrust
action permit
rule name untrust-trust
source-zone untrust
destination-zone trust
action permit
#
//assign public addresses to the different virtual firewalls
vsys name A
assign global-ip 202.1.1.1 202.1.1.6 free
#
vsys name B 2
assign global-ip 202.1.1.9 202.1.1.14 free
#
//the root firewall acts as a router and steers traffic for the NAT public addresses to the corresponding virtual firewall
firewall import-flow public 202.1.1.0 202.1.1.7 vpn-instance A
firewall import-flow public 202.1.1.8 202.1.1.15 vpn-instance B
#
Virtual firewall A (vsys A)
ip route-static 0.0.0.0 0.0.0.0 public
ip route-static 10.0.10.0 255.255.255.0 10.1.100.2
ip route-static 10.0.20.0 255.255.255.0 10.1.100.2
#
firewall zone trust
add interface Vlanif100
#
firewall zone untrust
add interface Virtual-if1
#
nat address-group net1 0
mode pat
section 0 202.1.1.1 202.1.1.2
#
nat address-group net2 1
mode pat
section 0 202.1.1.3 202.1.1.4
#
nat-policy
rule name net1
source-zone trust
destination-zone untrust
source-address range 10.0.10.1 10.0.10.5
destination-address 8.8.8.8 mask 255.255.255.255
action source-nat address-group net1
rule name net2
source-zone trust
destination-zone untrust
source-address range 10.0.20.1 10.0.20.5
destination-address 8.8.8.8 mask 255.255.255.255
action source-nat address-group net2
#
security-policy
rule name internet
source-zone trust
destination-zone untrust
source-address range 10.0.10.1 10.0.10.5
source-address range 10.0.20.1 10.0.20.5
destination-address 8.8.8.8 mask 255.255.255.255
action permit
#
Virtual firewall B (vsys B)
ip route-static 0.0.0.0 0.0.0.0 public
ip route-static 10.0.30.0 255.255.255.0 10.1.200.2
ip route-static 10.0.40.0 255.255.255.0 10.1.200.2
#
firewall zone trust
add interface Vlanif200
#
firewall zone untrust
add interface Virtual-if2
#
nat address-group net3 2
mode pat
section 0 202.1.1.9 202.1.1.10
#
nat address-group net4 3
mode pat
section 0 202.1.1.11 202.1.1.12
#
nat-policy
rule name net3
source-zone trust
destination-zone untrust
source-address range 10.0.30.1 10.0.30.5
action source-nat address-group net3
rule name net4
source-zone trust
destination-zone untrust
source-address range 10.0.40.1 10.0.40.5
action source-nat address-group net4
#
security-policy
rule name internet
source-zone trust
destination-zone untrust
source-address range 10.0.30.1 10.0.30.5
source-address range 10.0.40.1 10.0.40.5
destination-address 8.8.8.8 mask 255.255.255.255
action permit
#
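The security-policy and nat-policy of each virtual firewall are evaluated top-down with first match, and a flow that matches no security-policy rule is dropped by the default deny. The Python script below is an added example, not code from the page or from Huawei and not the firewall's own matching engine; it models the vsys A rules exactly as listed above (the `Rule` class, the helper names and the "no-nat" marker are this example's own, and the zone of each flow is supplied directly, trust being the Vlanif100 side and untrust the Virtual-if1 side) and evaluates a few constructed flows against them.

```python
"""First-match model of the vsys A security-policy and nat-policy shown above.

Added example, not part of the original lab page and a simplified model,
not the USG's matching engine. Zones are given per flow, rules are tried
top-down, the first match wins, and a flow matching no security-policy
rule is denied (the firewall's default).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                                     # "permit" or "source-nat <group>"
    src_ranges: list = field(default_factory=list)  # inclusive (first, last) pairs
    dst_nets: list = field(default_factory=list)    # ip_network objects
    # An empty src_ranges / dst_nets list means "any", as on the firewall.

    def matches(self, src_zone, dst_zone, src, dst):
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return False
        if self.src_ranges and not any(lo <= src <= hi for lo, hi in self.src_ranges):
            return False
        if self.dst_nets and not any(dst in net for net in self.dst_nets):
            return False
        return True


def ip(text):
    return ipaddress.ip_address(text)


def ip_range(first, last):
    return (ip(first), ip(last))


def ip_net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


INTERNET_HOST = [ip_net("8.8.8.8", "255.255.255.255")]   # the ISP's LoopBack8

# vsys A rules as listed on the page (constructed model of that configuration).
SECURITY_POLICY_A = [
    Rule("internet", "trust", "untrust", "permit",
         src_ranges=[ip_range("10.0.10.1", "10.0.10.5"),
                     ip_range("10.0.20.1", "10.0.20.5")],
         dst_nets=INTERNET_HOST),
]
NAT_POLICY_A = [
    Rule("net1", "trust", "untrust", "source-nat net1",
         src_ranges=[ip_range("10.0.10.1", "10.0.10.5")], dst_nets=INTERNET_HOST),
    Rule("net2", "trust", "untrust", "source-nat net2",
         src_ranges=[ip_range("10.0.20.1", "10.0.20.5")], dst_nets=INTERNET_HOST),
]


def first_match(rules, src_zone, dst_zone, src, dst, default):
    """(rule name, action) of the first matching rule, or (None, default)."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src, dst):
            return rule.name, rule.action
    return None, default


def evaluate(src_zone, dst_zone, src, dst):
    """Return (security rule, security action, nat rule, nat action) for one flow."""
    src, dst = ip(src), ip(dst)
    sec = first_match(SECURITY_POLICY_A, src_zone, dst_zone, src, dst, "deny")
    nat = first_match(NAT_POLICY_A, src_zone, dst_zone, src, dst, "no-nat")
    return sec + nat


if __name__ == "__main__":
    # Constructed flows: a vlan10 host, a vlan20 host, the telnet server AR2, and
    # an inbound connection from the Internet host.
    for flow in [("trust", "untrust", "10.0.10.3", "8.8.8.8"),
                 ("trust", "untrust", "10.0.20.5", "8.8.8.8"),
                 ("trust", "untrust", "10.0.10.10", "8.8.8.8"),
                 ("untrust", "trust", "8.8.8.8", "10.0.10.10")]:
        print(flow, "->", evaluate(*flow))
```

As written, vsys A permits and translates only 10.0.10.1-10.0.10.5 and 10.0.20.1-10.0.20.5 towards 8.8.8.8; AR2 at 10.0.10.10 lies outside those ranges, and the inbound telnet and FTP items from the requirements list have no matching rule in the vsys A policy shown, so the evaluator reports deny for them. Comparing the written requirements with the rule set this way is a quick check before concluding that the lab meets them.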