Слегка модифицировал схему , теперь у нас есть две подсети в двух влан , допустим нам надо чтоб хосты в этих подсетях могли общаться друг с другом, то есть настроить роутинг между этими подсетями. Так как в нашей сети используется EVPN VXLAN, то нам надо развернуть Integrated Routing and Bridging ( IRB). Cуществует два типа IRB
- Asymmetric IRB
- Symmetric IRB
Более предпочтительной является Symmteric IRB поэтому будем использовать этот тип конфигурации .
Symmetric IRB
Настройки на SPINE такие же как и в прошлой статье, их не привожу (точнее приведу в конце ) .
Leaf-1
Включаем базовый функционал
nv overlay evpn
feature ospf
feature bgp
feature pim
feature interface-vlan
feature vn-segment-vlan-based
feature nv overlayнастраиваем базовую коммутацию и маршрутизацию(и базовый мультикаст ) :
ip pim rp-address 10.10.10.10 group-list 224.0.0.0/4 bidirvlan 1,110
vlan 110interface Ethernet1/1
description Linux-1
switchport access vlan 110interface Ethernet1/2
no switchport
ip address 10.0.1.1/24
ip pim sparse-mode
no shutdowninterface Ethernet1/3
no switchport
ip address 10.0.11.1/24
ip pim sparse-mode
interface loopback0
ip address 62.0.0.1/32
ip pim sparse-moderouter ospf 1
network 10.0.0.0/16 area 0.0.0.0
network 62.0.0.1/32 area 0.0.0.0
Настраиваем VXLAN EVPN (подробнее в моей прошлой статье )
vlan 110
vn-segment 160110interface nve1
no shutdown
host-reachability protocol bgp
source-interface loopback0
member vni 160110 mcast-group 224.2.2.10evpn
vni 160100 l2
rd auto
route-target import auto
route-target export autorouter bgp 65000
neighbor 65.0.0.10
remote-as 65000
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
neighbor 65.0.0.11
remote-as 65000
log-neighbor-changes
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
Аналогичные настройки проделываем на Leaf-4
nv overlay evpn
feature ospf
feature bgp
feature pim
feature interface-vlan
feature vn-segment-vlan-based
feature lldp
feature nv overlayip pim rp-address 10.10.10.10 group-list 224.0.0.0/4 bidirvlan 1,110
vlan 110
vn-segment 160110interface nve1
no shutdown
host-reachability protocol bgp
source-interface loopback0
member vni 160110 mcast-group 224.2.2.10interface Ethernet1/1
description Linux-4
switchport access vlan 110interface Ethernet1/2
description Server-4| LS-3
no switchport
ip address 10.0.4.1/24
ip pim sparse-mode
no shutdowninterface Ethernet1/3
no switchport
ip address 10.0.14.1/24
ip pim sparse-mode
no shutdowninterface loopback0
ip address 62.0.0.4/32
ip pim sparse-moderouter ospf 1
network 10.0.0.0/16 area 0.0.0.0
network 62.0.0.4/32 area 0.0.0.0router bgp 65000
neighbor 65.0.0.10
remote-as 65000
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
neighbor 65.0.0.11
remote-as 65000
update-source loopback0
address-family l2vpn evpn
send-community
send-community extendedevpn
vni 160110 l2
rd auto
route-target import auto
route-target export auto
Сейчас у нас есть L2 связанность между хостами Linux-1 и Linux-4 , В такой же логике настроены Leaf -2 и Leaf -3, мы имеем следующую логическую схему :
Для настройки маршрутизации между подсетями будем использовать Symmetric IRB, логически схема будет выглядеть так :
Leaf коммутатроы будут L3 шлюзами для хостов подключенных к ним, для этого настраиваем SVI интерфейсы , для примера снова настраиваем Leaf-1 :
interface Vlan110
no shutdown
vrf member VRF_333
ip address 192.168.110.1/24_________________________________________________________________
EVPN VXLAN Distributed Anycast Gateway
у нас может быть ситуация когда хост с Linux-1 переедет на Linux-4 (vMotion), чтоб он продолжил работать бес перебоев , необходимо чтоб на Leaf-4 и Leaf-1 у SVI интерфейсов был один IP адрес и один мак адрес, такая схема когда на всех Leaf настроен SVI с одинаков мак и ip адресом называется EVPN VXLAN Distributed Anycast Gateway .
Конфигурируем мак адрес :
fabric forwarding anycast-gateway-mac 1234.1234.1234присваиваем выставленный выше мак адрес SVI интерфейсу :
interface Vlan110
no shutdown
vrf member VRF_333
ip address 192.168.110.1/24
fabric forwarding mode anycast-gateway_________________________________________________________________
создаем отельный служебный VLAN и VXLAN
vlan 333
vn-segment 160333Создаем отдельный VRF :
vrf context VRF_333
vni 160333
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpnСоздаем служебный SVI без ip адреса, и сажаем его в ранее созданный vrf :
interface Vlan333
no shutdown
vrf member VRF_333
ip forwardВ настройках nve1 дописываем :
interface nve1
no shutdown
host-reachability protocol bgp
source-interface loopback0
member vni 160110 mcast-group 224.2.2.10
member vni 160333 associate-vrfВ настройках BGP добавляем :
router bgp 65000
vrf VRF_333
address-family ipv4 unicast
advertise l2vpn evpn
redistribute direct route-map PERMITНу и создаем роут-мап PERMIT :
route-map PERMINT permit 10так как мы используем Distributed Anycast Gateway настройки на Leaf-4 будут абсолютно аналогичны, нет смысла их приводить .
После этого появится доступ из подсети 192.168.100.0/24 в сеть 192.168.110.0/24 и наоборот :
для диагностики используем команды :
show bgp l2vpn evpn
show ip route vrf VRF_333Конфиги !
Spine -1 :
hostname SPINE-1nv overlay evpn
feature ospf
feature bgp
feature pim
feature vn-segment-vlan-based
feature lldp
feature nv overlayip pim rp-address 10.10.10.10 group-list 224.0.0.0/4 bidir
ip pim ssm range 232.0.0.0/8interface Ethernet1/1
no switchport
ip address 10.0.1.2/24
ip pim sparse-mode
no shutdowninterface Ethernet1/2
no switchport
ip address 10.0.2.2/24
ip pim sparse-mode
no shutdowninterface Ethernet1/3
no switchport
ip address 10.0.3.2/24
ip pim sparse-mode
no shutdowninterface Ethernet1/4
no switchport
ip address 10.0.4.2/24
ip pim sparse-mode
no shutdowninterface loopback0
ip address 65.0.0.10/32interface loopback10
ip address 10.10.10.9/30
ip ospf network point-to-point
ip router ospf 1 area 0.0.0.0
ip pim sparse-moderouter ospf 1
network 10.0.0.0/16 area 0.0.0.0
network 65.0.0.10/32 area 0.0.0.0
router bgp 65000
neighbor 62.0.0.0/24
remote-as 65000
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
route-reflector-client
Spine-2 :
hostname SPINE-2nv overlay evpn
feature ospf
feature bgp
feature pim
feature vn-segment-vlan-based
feature lldp
feature nv overlayip pim rp-address 10.10.10.10 group-list 224.0.0.0/4 bidir
ip pim ssm range 232.0.0.0/8interface Ethernet1/1
no switchport
ip address 10.0.14.2/24
ip pim sparse-mode
no shutdowninterface Ethernet1/2
no switchport
ip address 10.0.13.2/24
ip pim sparse-mode
no shutdowninterface Ethernet1/3
no switchport
ip address 10.0.12.2/24
ip pim sparse-mode
no shutdowninterface Ethernet1/4
no switchport
ip address 10.0.11.2/24
ip pim sparse-mode
no shutdown
interface loopback0
ip address 65.0.0.11/32interface loopback10
ip address 10.10.10.9/29
ip ospf network point-to-point
ip router ospf 1 area 0.0.0.0
ip pim sparse-moderouter ospf 1
network 10.0.0.0/16 area 0.0.0.0
network 62.0.0.11/32 area 0.0.0.0
network 65.0.0.11/32 area 0.0.0.0
router bgp 65000
neighbor 62.0.0.0/24
remote-as 65000
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
route-reflector-client
Leaf-1 :
hostname LEAF-1nv overlay evpn
feature ospf
feature bgp
feature pim
feature interface-vlan
feature vn-segment-vlan-based
feature lldp
feature nv overlayfabric forwarding anycast-gateway-mac 1234.1234.1234
ip pim rp-address 10.10.10.10 group-list 224.0.0.0/4 bidirvlan 110,333
vlan 110
vn-segment 160110
vlan 333
vn-segment 160333route-map PERMINT permit 10
vrf context VRF_333
vni 160333
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
vrf context management
ip route 0.0.0.0/0 10.101.101.3interface Vlan110
no shutdown
vrf member VRF_333
ip address 192.168.110.1/24
fabric forwarding mode anycast-gatewayinterface Vlan333
no shutdown
vrf member VRF_333
ip forwardinterface nve1
no shutdown
host-reachability protocol bgp
source-interface loopback0
member vni 160110 mcast-group 224.2.2.10
member vni 160333 associate-vrfinterface Ethernet1/1
description Linux-1
switchport access vlan 110interface Ethernet1/2
no switchport
ip address 10.0.1.1/24
ip pim sparse-mode
no shutdowninterface Ethernet1/3
no switchport
ip address 10.0.11.1/24
ip pim sparse-mode
no shutdowninterface loopback0
ip address 62.0.0.1/32
ip pim sparse-moderouter ospf 1
network 10.0.0.0/16 area 0.0.0.0
network 62.0.0.1/32 area 0.0.0.0router bgp 65000
neighbor 65.0.0.10
remote-as 65000
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
neighbor 65.0.0.11
remote-as 65000
log-neighbor-changes
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
vrf VRF_333
address-family ipv4 unicast
advertise l2vpn evpn
redistribute direct route-map PERMINTevpn
vni 160110 l2
rd auto
route-target import auto
route-target export auto
Leaf -4 :
hostname LEAF4
nv overlay evpn
feature ospf
feature bgp
feature pim
feature interface-vlan
feature vn-segment-vlan-based
feature lldp
feature nv overlayfabric forwarding anycast-gateway-mac 1234.1234.1234
ip pim rp-address 10.10.10.10 group-list 224.0.0.0/4 bidirvlan 110,333
vlan 110
vn-segment 160110
vlan 333
vn-segment 160333route-map PERMINT permit 10
vrf context VRF_333
vni 160333
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
vrf context managementinterface Vlan110
no shutdown
vrf member VRF_333
ip address 192.168.110.1/24
fabric forwarding mode anycast-gatewayinterface Vlan333
no shutdown
vrf member VRF_333
ip forwardinterface nve1
no shutdown
host-reachability protocol bgp
source-interface loopback0
member vni 160110 mcast-group 224.2.2.10
member vni 160333 associate-vrfinterface Ethernet1/1
description Linux-4
switchport access vlan 110interface Ethernet1/2
no switchport
ip address 10.0.4.1/24
ip pim sparse-mode
no shutdowninterface Ethernet1/3
no switchport
ip address 10.0.14.1/24
ip pim sparse-mode
no shutdowninterface loopback0
ip address 62.0.0.4/32
ip pim sparse-moderouter ospf 1
network 10.0.0.0/16 area 0.0.0.0
network 62.0.0.4/32 area 0.0.0.0
router bgp 65000
neighbor 65.0.0.10
remote-as 65000
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
neighbor 65.0.0.11
remote-as 65000
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
vrf VRF_333
address-family ipv4 unicast
advertise l2vpn evpn
redistribute direct route-map PERMINTevpn
vni 160110 l2
rd auto
route-target import auto
route-target export auto
Leaf-2 :
hostname SPINE-2nv overlay evpn
feature ospf
feature bgp
feature pim
feature vn-segment-vlan-based
feature lldp
feature nv overlayfabric forwarding anycast-gateway-mac 1234.1234.1234
ip pim rp-address 10.10.10.10 group-list 224.0.0.0/4 bidirvlan 100,333
vlan 100
vn-segment 160100
vlan 333
vn-segment 160333route-map PERMINT permit 10vrf context VRF_333
vni 160333
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
vrf context management
ip route 0.0.0.0/0 10.101.101.3interface Vlan100
no shutdown
vrf member VRF_333
ip address 192.168.100.1/24
fabric forwarding mode anycast-gatewayinterface Vlan333
no shutdown
vrf member VRF_333
ip forwardinterface nve1
no shutdown
host-reachability protocol bgp
source-interface loopback0
member vni 160100 mcast-group 224.2.2.10
member vni 160333 associate-vrfinterface Ethernet1/1
switchport access vlan 100interface Ethernet1/2
no switchport
ip address 10.0.2.1/24
ip pim sparse-mode
no shutdowninterface Ethernet1/3
no switchport
ip address 10.0.12.1/24
ip pim sparse-mode
no shutdowninterface loopback0
ip address 62.0.0.2/32
ip pim sparse-moderouter ospf 1
network 10.0.0.0/16 area 0.0.0.0
network 62.0.0.2/32 area 0.0.0.0router bgp 65000
neighbor 65.0.0.10
remote-as 65000
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
neighbor 65.0.0.11
remote-as 65000
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
vrf VRF_333
address-family ipv4 unicast
advertise l2vpn evpn
redistribute direct route-map PERMINT
evpn
vni 160100 l2
rd auto
route-target import auto
route-target export auto
Leaf-3:
hostname LEAF-3nv overlay evpn
feature ospf
feature bgp
feature pim
feature interface-vlan
feature vn-segment-vlan-based
feature lldp
feature nv overlayfabric forwarding anycast-gateway-mac 1234.1234.1234
ip pim rp-address 10.10.10.10 group-list 224.0.0.0/4 bidirvlan 100,333
vlan 100
vn-segment 160100
vlan 333
vn-segment 160333route-map PERMINT permit 10
vrf context VRF_333
vni 160333
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpninterface Vlan100
no shutdown
vrf member VRF_333
ip address 192.168.100.1/24
fabric forwarding mode anycast-gatewayinterface Vlan333
no shutdown
vrf member VRF_333
ip forwardinterface nve1
no shutdown
host-reachability protocol bgp
source-interface loopback0
member vni 160100 mcast-group 224.2.2.10
member vni 160333 associate-vrfinterface Ethernet1/1
description Linux-3
switchport access vlan 100interface Ethernet1/2
no switchport
ip address 10.0.3.1/24
ip pim sparse-mode
no shutdowninterface Ethernet1/3
no switchport
ip address 10.0.13.1/24
ip pim sparse-mode
no shutdowninterface loopback0
ip address 62.0.0.3/32
ip pim sparse-moderouter ospf 1
network 10.0.0.0/16 area 0.0.0.0
network 62.0.0.3/32 area 0.0.0.0
router bgp 65000
neighbor 65.0.0.10
remote-as 65000
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
neighbor 65.0.0.11
remote-as 65000
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
vrf VRF_333
address-family ipv4 unicast
advertise l2vpn evpn
redistribute direct route-map PERMINT
evpn
vni 160100 l2
rd auto
route-target import auto
route-target export auto
