cfplzjc posted on 2025-4-15 13:41:11

[Solved] Leftover issue from the H3C data center standard networking test

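<p>1. Network topology</p>
<p>The network topology is shown in the figure below: a standard spine-leaf architecture. Because the H3C vSwitch S9850 is extremely unstable, every network element where it is not essential is replaced with Huawei gear; for example, PE01, SP01, SP02, DC-FW01 and DC-FW02 are all Huawei devices.</p>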
<p><img src="data/attachment/forum/202504/15/114138vc52clwfmw42ck8f.png" alt="图片.png" title="图片.png" /></p>
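<p>2. Notes</p>
<p>(1) No conclusion yet. I am currently using 2 CPUs and 2 GB of memory and keep testing whether it will reboot; so far 2 hours 10 minutes of testing has been OK.</p>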
<p><img src="data/attachment/forum/202504/15/114350wvawllfrlarfq3lr.png" alt="a1.png" title="a1.png" /></p>
<p><img src="data/attachment/forum/202504/15/134221cokflde8ld2ecxuf.png" alt="图片.png" title="图片.png" /></p>
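<p>(2) If an interface will not come up, you can enable it with undo shutdown. The most common case is that, after saving the configuration, some ports are inexplicably down the next time the device boots.</p>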
<p><img src="data/attachment/forum/202504/15/114457csr3vsvzis6xrh65.png" alt="a2.png" title="a2.png" /></p>
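<p>(3) Another problem is that the BGP EVPN neighbor does not come up. There is a fix for that too: delete the BGP neighbor and reconfigure it. The Huawei CE12800 does not have this problem; usually it is enough to delete it on the S9850 and configure it again.</p>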
<p>undo bgp xx</p>
<p>bgp xx</p>
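<p>(4) The last one: if the interface still does not come up after undo shutdown, there is only one last resort, which is to wipe the node, reload it and re-apply the configuration...</p>
<p>3. Device configuration. To make testing easier for everyone, the scripts I prepared here have all been adjusted and can be pasted in directly.</p>
<p>(1) DC-PE01</p>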
<pre><code>#
sysname PE1
#
interface GigabitEthernet0/0/0
ip address 172.16.1.1 255.255.255.252
ospf network-type p2p
#
interface GigabitEthernet0/0/1
ip address 172.16.2.1 255.255.255.252
ospf network-type p2p
#
interface LoopBack0
ip address 88.1.1.1 255.255.255.255
#
ospf 10 router-id 88.1.1.1
silent-interface LoopBack0
area 0.0.0.0
network 88.1.1.1 0.0.0.0
network 172.16.1.1 0.0.0.0
network 172.16.2.1 0.0.0.0
</code></pre>
<p>(2) DC-BL01</p>
<pre><code>#
sysname Border-1
#
ip unreachables enable
ip ttl-expires enable
#
lldp global enable
#
vxlan tunnel mac-learning disable
#
l2vpn enable
vxlan tunnel arp-learning disable
#
vlan 11 to 12
#
m-lag mad exclude interface HundredGigE1/0/2
m-lag mad exclude interface HundredGigE1/0/20
m-lag system-mac 0000-0000-0001
y
m-lag system-number 1
y
m-lag system-priority 100
y
m-lag keepalive ip destination 192.168.1.2 source 192.168.1.1
#
ip vpn-instance vpna
route-distinguisher 1:1
#
address-family ipv4
vpn-target 1:2 import-extcommunity
vpn-target 1:2 export-extcommunity
#
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
ip vpn-instance gw_vpna
route-distinguisher 11:1
#
address-family ipv4
vpn-target 11:2 import-extcommunity
vpn-target 11:2 export-extcommunity
#
address-family evpn
vpn-target 11:1 import-extcommunity
vpn-target 11:1 export-extcommunity
#
interface Vsi-interface11
ip binding vpn-instance vpna
ip address 172.17.11.1 255.255.255.252
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 101
#
interface Vsi-interface12
ip binding vpn-instance gw_vpna
ip address 172.17.12.1 255.255.255.252
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 201
#
vsi bd11   
gateway vsi-interface 11
vxlan 11
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
vsi bd12
gateway vsi-interface 12
vxlan 12
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
link-aggregation mode dynamic
port m-lag group 1
#
service-instance 1
encapsulation s-vid 11
xconnect vsi bd11
#
service-instance 2
encapsulation s-vid 12
xconnect vsi bd12
#
interface Bridge-Aggregation2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
link-aggregation mode dynamic
port m-lag group 2
#
service-instance 1
encapsulation s-vid 11
xconnect vsi bd11
#
service-instance 2
encapsulation s-vid 12
xconnect vsi bd12
#
interface Bridge-Aggregation100
description for peer-link
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
port m-lag peer-link 1
#
interface LoopBack0
ip address 21.1.1.1 255.255.255.255
#
interface LoopBack1
ip address 20.1.1.1 255.255.255.255
#
interface HundredGigE1/0/1
port link-mode route
ip binding vpn-instance gw_vpna
ip address 172.16.1.2 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/2
port link-mode route
description for escape
ip binding vpn-instance gw_vpna
ip address 172.16.3.1 255.255.255.252
ospf cost 100
ospf network-type p2p
#
interface HundredGigE1/0/3
port link-mode route
ip address 172.17.1.1 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/4
port link-mode route
ip address 172.17.2.1 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/20
port link-mode route
description for keepalive
ip address 192.168.1.1 255.255.255.252
#
interface HundredGigE1/0/5
port link-mode bridge
y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
port link-aggregation group 1
#
interface HundredGigE1/0/6
port link-mode bridge
y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
port link-aggregation group 2
#
interface HundredGigE1/0/19
port link-mode bridge
y
port link-type trunk
port trunk permit vlan all
port link-aggregation group 100
#
evpn m-lag group 20.1.1.1
evpn global-mac 0000-5e00-110a
#
bgp 100
peer 11.1.1.1 as-number 100
peer 11.1.1.1 description to SP1
peer 11.1.1.1 connect-interface LoopBack0
peer 11.1.1.2 as-number 100
peer 11.1.1.2 description to SP2
peer 11.1.1.2 connect-interface LoopBack0
#
address-family l2vpn evpn
nexthop evpn-m-lag group-address
peer 11.1.1.1 enable
peer 11.1.1.2 enable
#
ip vpn-instance vpna
#
address-family ipv4 unicast
   default-route imported
   import-route static
#
ip prefix-list vpna index 10 permit 10.18.11.0 24
ip prefix-list vpna index 20 permit 10.18.12.0 24
#
route-policy vpna permit node 10
if-match ip address prefix-list vpna
#
ospf 1 router-id 21.1.1.1
area 0.0.0.0
network 20.1.1.1 0.0.0.0
network 21.1.1.1 0.0.0.0
network 172.17.1.1 0.0.0.0
network 172.17.2.1 0.0.0.0
#
ospf 10 router-id 21.1.1.1 vpn-instance gw_vpna
import-route static type 1 route-policy vpna
vpn-instance-capability simple
area 0.0.0.0
network 172.16.1.2 0.0.0.0
network 172.16.3.1 0.0.0.0
#
ip route-static vpn-instance vpna 0.0.0.0 0 172.17.11.2
ip route-static vpn-instance gw_vpna 10.18.11.0 24 172.17.12.2
ip route-static vpn-instance gw_vpna 10.18.12.0 24 172.17.12.2
</code></pre>
<p>(3) DC-BL02</p>
<pre><code> sysname Border-2
#
ip unreachables enable
ip ttl-expires enable
#
lldp global enable
#
vxlan tunnel mac-learning disable
#
l2vpn enable
vxlan tunnel arp-learning disable
#
vlan 11 to 12
#
m-lag mad exclude interface HundredGigE1/0/2
m-lag mad exclude interface HundredGigE1/0/20
m-lag system-mac 0000-0000-0001
y
m-lag system-number 2
y
m-lag system-priority 100
y
m-lag keepalive ip destination 192.168.1.1 source 192.168.1.2
#
ip vpn-instance vpna
route-distinguisher 1:1
#
address-family ipv4
vpn-target 1:2 import-extcommunity
vpn-target 1:2 export-extcommunity
#
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
ip vpn-instance gw_vpna
route-distinguisher 11:1
#
address-family ipv4
vpn-target 11:2 import-extcommunity
vpn-target 11:2 export-extcommunity
#
address-family evpn
vpn-target 11:1 import-extcommunity
vpn-target 11:1 export-extcommunity
#
interface Vsi-interface11
ip binding vpn-instance vpna
ip address 172.17.11.1 255.255.255.252
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 101
#
interface Vsi-interface12
ip binding vpn-instance gw_vpna
ip address 172.17.12.1 255.255.255.252
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 201
#
vsi bd11   
gateway vsi-interface 11
vxlan 11
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
vsi bd12
gateway vsi-interface 12
vxlan 12
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
link-aggregation mode dynamic
port m-lag group 1
#
service-instance 1
encapsulation s-vid 11
xconnect vsi bd11
#
service-instance 2
encapsulation s-vid 12
xconnect vsi bd12
#
interface Bridge-Aggregation2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
link-aggregation mode dynamic
port m-lag group 2
#
service-instance 1
encapsulation s-vid 11
xconnect vsi bd11
#
service-instance 2
encapsulation s-vid 12
xconnect vsi bd12
#
interface Bridge-Aggregation100
description for peer-link
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
port m-lag peer-link 1
#
interface LoopBack0
ip address 21.1.1.2 255.255.255.255
#
interface LoopBack1
ip address 20.1.1.1 255.255.255.255
#
interface HundredGigE1/0/1
port link-mode route
ip binding vpn-instance gw_vpna
ip address 172.16.2.2 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/2
port link-mode route
description for escape
ip binding vpn-instance gw_vpna
ip address 172.16.3.2 255.255.255.252
ospf cost 100
ospf network-type p2p
#
interface HundredGigE1/0/3
port link-mode route
ip address 172.17.3.1 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/4
port link-mode route
ip address 172.17.4.1 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/20
port link-mode route
description for keepalive
ip address 192.168.1.2 255.255.255.252
#
interface HundredGigE1/0/5
port link-mode bridge
y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
port link-aggregation group 1
#
interface HundredGigE1/0/6
port link-mode bridge
y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
port link-aggregation group 2
#
interface HundredGigE1/0/19
port link-mode bridge
y
port link-type trunk
port trunk permit vlan all
port link-aggregation group 100
#
evpn m-lag group 20.1.1.1
evpn global-mac 0000-5e00-110a
#
bgp 100
peer 11.1.1.1 as-number 100
peer 11.1.1.1 description to SP1
peer 11.1.1.1 connect-interface LoopBack0
peer 11.1.1.2 as-number 100
peer 11.1.1.2 description to SP2
peer 11.1.1.2 connect-interface LoopBack0
#
address-family l2vpn evpn
nexthop evpn-m-lag group-address
peer 11.1.1.1 enable
peer 11.1.1.2 enable
#
ip vpn-instance vpna
#
address-family ipv4 unicast
   default-route imported
   import-route static
#
ip prefix-list vpna index 10 permit 10.18.11.0 24
ip prefix-list vpna index 20 permit 10.18.12.0 24
#
route-policy vpna permit node 10
if-match ip address prefix-list vpna
#
ospf 1 router-id 21.1.1.2
area 0.0.0.0
network 20.1.1.1 0.0.0.0
network 21.1.1.2 0.0.0.0
network 172.17.3.1 0.0.0.0
network 172.17.4.1 0.0.0.0
#
ospf 10 router-id 21.1.1.2 vpn-instance gw_vpna
import-route static type 1 route-policy vpna
vpn-instance-capability simple
area 0.0.0.0
network 172.16.2.2 0.0.0.0
network 172.16.3.2 0.0.0.0
#
ip route-static vpn-instance vpna 0.0.0.0 0 172.17.11.2
ip route-static vpn-instance gw_vpna 10.18.11.0 24 172.17.12.2
ip route-static vpn-instance gw_vpna 10.18.12.0 24 172.17.12.2
</code></pre>
<p>(4) DC-FW01</p>
<pre><code> #
sysname fw01
#
icmp host-unreachable send
icmp ttl-exceeded send
#
lldp enable
#
hrp mirror config enable
hrp interface GigabitEthernet1/0/2 remote 192.168.1.2

hrp base config enable
hrp mirror session enable
hrp auto-sync config static-route
undo hrp preempt
undo hrp track trunk-member enable
hrp enable
#
interface Eth-Trunk1
description hrp
mode lacp-static
#
interface Eth-Trunk1.11
vlan-type dot1q 11
ip address 172.17.11.2 255.255.255.252
service-manage ping permit
#                           
interface Eth-Trunk1.12
vlan-type dot1q 12
ip address 172.17.12.2 255.255.255.252
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.1.1 255.255.255.252
service-manage ping permit
#
hrp track interface Eth-Trunk1
#
firewall zone trust
add interface Eth-Trunk1.11
#
firewall zone untrust         
add interface Eth-Trunk1.12
#
firewall zone dmz
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 172.17.12.1
ip route-static 10.18.11.0 255.255.255.0 172.17.11.1
ip route-static 10.18.12.0 255.255.255.0 172.17.11.1
#
security-policy
default action permit
y
</code></pre>
<p>(5) DC-FW02</p>
<pre><code> #
sysname fw02
#
icmp host-unreachable send
icmp ttl-exceeded send
#
lldp enable
#
hrp mirror config enable
hrp standby-device
hrp interface GigabitEthernet1/0/2 remote 192.168.1.1
hrp base config enable
hrp mirror session enable
hrp auto-sync config static-route
undo hrp preempt
undo hrp track trunk-member enable
hrp enable
#
interface Eth-Trunk1
description hrp
mode lacp-static
#
interface Eth-Trunk1.11
vlan-type dot1q 11
ip address 172.17.11.2 255.255.255.252
service-manage ping permit
#                        
interface Eth-Trunk1.12
vlan-type dot1q 12
ip address 172.17.12.2 255.255.255.252
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.1.2 255.255.255.252
service-manage ping permit
#
hrp track interface Eth-Trunk1
#
firewall zone trust
add interface Eth-Trunk1.11
#
firewall zone untrust         
add interface Eth-Trunk1.12
#
firewall zone dmz
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 172.17.12.1
ip route-static 10.18.11.0 255.255.255.0 172.17.11.1
ip route-static 10.18.12.0 255.255.255.0 172.17.11.1
#
security-policy
default action permit
y
</code></pre>
<p>(6) DC-SP01</p>
<pre><code>#
sysname Spine-1
#
evpn-overlay enable
#
lldp enable
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 172.17.1.2 255.255.255.252
ospf network-type p2p
#
interface GE1/0/2
undo portswitch
undo shutdown
ip address 172.17.3.2 255.255.255.252
ospf network-type p2p
#
interface GE1/0/3
undo portswitch
undo shutdown
ip address 172.17.5.1 255.255.255.252
ospf network-type p2p
#   
interface GE1/0/4
undo portswitch
undo shutdown
ip address 172.17.7.1 255.255.255.252
ospf network-type p2p
#
interface LoopBack0
ip address 11.1.1.1 255.255.255.255
#
bgp 100
undo default ipv4-unicast
group leaf internal
peer 1.1.1.1 group leaf
peer 1.1.1.1 description to SL1_A
peer 1.1.1.2 group leaf
peer 1.1.1.2 description to SL1_B
peer 21.1.1.1 group leaf
peer 21.1.1.1 description to BL1
peer 21.1.1.2 group leaf
peer 21.1.1.2 description to BL2

l2vpn-family evpn
undo policy vpn-target
peer leaf enable
peer leaf advertise irb
peer leaf reflect-client
peer 1.1.1.1 group leaf
y
peer 1.1.1.2 group leaf
y
peer 21.1.1.1 group leaf
y
peer 21.1.1.2 group leaf
y
#
ospf 1 router-id 11.1.1.1
area 0.0.0.0
network 11.1.1.1 0.0.0.0
network 172.17.1.2 0.0.0.0
network 172.17.3.2 0.0.0.0
network 172.17.5.1 0.0.0.0
network 172.17.7.1 0.0.0.0
</code></pre>
<p>(7) DC-SP02</p>
<pre><code>#
sysname Spine-2
#
evpn-overlay enable
#
lldp enable
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 172.17.2.2 255.255.255.252
ospf network-type p2p
#
interface GE1/0/2
undo portswitch
undo shutdown
ip address 172.17.4.2 255.255.255.252
ospf network-type p2p
#
interface GE1/0/3
undo portswitch
undo shutdown
ip address 172.17.6.1 255.255.255.252
ospf network-type p2p
#   
interface GE1/0/4
undo portswitch
undo shutdown
ip address 172.17.8.1 255.255.255.252
ospf network-type p2p
#
interface LoopBack0
ip address 11.1.1.2 255.255.255.255
#
bgp 100
undo default ipv4-unicast
group leaf internal
peer 1.1.1.1 group leaf
peer 1.1.1.1 description to SL1_A
peer 1.1.1.2 group leaf
peer 1.1.1.2 description to SL1_B
peer 21.1.1.1 group leaf
peer 21.1.1.1 description to BL1
peer 21.1.1.2 group leaf
peer 21.1.1.2 description to BL2

l2vpn-family evpn
undo policy vpn-target
peer leaf enable
peer leaf advertise irb
peer leaf reflect-client
peer 1.1.1.1 group leaf
y
peer 1.1.1.2 group leaf
y
peer 21.1.1.1 group leaf
y
peer 21.1.1.2 group leaf
y
#
ospf 1 router-id 11.1.1.2
area 0.0.0.0
network 11.1.1.2 0.0.0.0
network 172.17.2.2 0.0.0.0
network 172.17.4.2 0.0.0.0
network 172.17.6.1 0.0.0.0
network 172.17.8.1 0.0.0.0
</code></pre>
<p>(8) DC-SL01</p>
<pre><code> #
sysname Leaf-1
#
ip unreachables enable
ip ttl-expires enable
#
lldp global enable
#
vxlan tunnel mac-learning disable
#
l2vpn enable
vxlan tunnel arp-learning disable
#
vlan 11 to 12
#
m-lag mad exclude interface HundredGigE1/0/20
m-lag system-mac 0000-0000-0001
y
m-lag system-number 1
y
m-lag system-priority 100
y
m-lag keepalive ip destination 192.168.1.2 source 192.168.1.1
#
ip vpn-instance vpna
route-distinguisher 1:1
#
address-family ipv4
vpn-target 1:2 import-extcommunity
vpn-target 1:2 export-extcommunity
#
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
interface Vsi-interface1
ip binding vpn-instance vpna
ip address 10.18.11.254 255.255.255.0
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 101
#
interface Vsi-interface2
ip binding vpn-instance vpna
ip address 10.18.12.254 255.255.255.0
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 102
#
vsi bd11
gateway vsi-interface 1
vxlan 11
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
vsi bd12
gateway vsi-interface 2
vxlan 12
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11
link-aggregation mode dynamic
port m-lag group 1
#
service-instance 1
encapsulation s-vid 11
xconnect vsi bd11
#
interface Bridge-Aggregation2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 12
link-aggregation mode dynamic
port m-lag group 2
#
service-instance 1
encapsulation s-vid 12
xconnect vsi bd12
#
interface Bridge-Aggregation100
description for peer-link
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
port m-lag peer-link 1
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack1
ip address 10.1.1.1 255.255.255.255
#
interface HundredGigE1/0/1
port link-mode route
ip address 172.17.5.2 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/2
port link-mode route
ip address 172.17.6.2 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/20
port link-mode route
description for keepalive
ip address 192.168.1.1 255.255.255.252
#
interface HundredGigE1/0/3
port link-mode bridge

y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11
port link-aggregation group 1
#
interface HundredGigE1/0/4
port link-mode bridge

y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 12
port link-aggregation group 2
#
interface HundredGigE1/0/19
port link-mode bridge

y
port link-type trunk
port trunk permit vlan all
port link-aggregation group 100
#
evpn m-lag group 10.1.1.1
evpn global-mac 0000-5e00-1101
#
bgp 100
peer 11.1.1.1 as-number 100
peer 11.1.1.1 description to SP1
peer 11.1.1.1 connect-interface LoopBack0
peer 11.1.1.2 as-number 100
peer 11.1.1.2 description to SP2
peer 11.1.1.2 connect-interface LoopBack0
#
address-family l2vpn evpn
peer 11.1.1.1 enable
peer 11.1.1.2 enable
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.1 0.0.0.0
network 172.17.5.2 0.0.0.0
network 172.17.6.2 0.0.0.0
</code></pre>
<p>(9) DC-SL02</p>
<pre><code>#
sysname Leaf-2
#
ip unreachables enable
ip ttl-expires enable
#
lldp global enable
#
vxlan tunnel mac-learning disable
#
l2vpn enable
vxlan tunnel arp-learning disable
#
vlan 11 to 12
#
m-lag mad exclude interface HundredGigE1/0/20
m-lag system-mac 0000-0000-0001
y
m-lag system-number 2
y
m-lag system-priority 100
y
m-lag keepalive ip destination 192.168.1.1 source 192.168.1.2
#
ip vpn-instance vpna
route-distinguisher 1:1
#
address-family ipv4
vpn-target 1:2 import-extcommunity
vpn-target 1:2 export-extcommunity
#
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
interface Vsi-interface1
ip binding vpn-instance vpna
ip address 10.18.11.254 255.255.255.0
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 101
#
interface Vsi-interface2
ip binding vpn-instance vpna
ip address 10.18.12.254 255.255.255.0
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 102
#
vsi bd11
gateway vsi-interface 1
vxlan 11
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
vsi bd12
gateway vsi-interface 2
vxlan 12
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11
link-aggregation mode dynamic
port m-lag group 1
#
service-instance 1
encapsulation s-vid 11
xconnect vsi bd11
#
interface Bridge-Aggregation2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 12
link-aggregation mode dynamic
port m-lag group 2
#
service-instance 1
encapsulation s-vid 12
xconnect vsi bd12
#
interface Bridge-Aggregation100
description for peer-link
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
port m-lag peer-link 1
#
interface LoopBack0
ip address 1.1.1.2 255.255.255.255
#
interface LoopBack1
ip address 10.1.1.1 255.255.255.255
#
interface HundredGigE1/0/1
port link-mode route
ip address 172.17.7.2 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/2
port link-mode route
ip address 172.17.8.2 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/20
port link-mode route
description for keepalive
ip address 192.168.1.2 255.255.255.252
#
interface HundredGigE1/0/3
port link-mode bridge

y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11
port link-aggregation group 1
#
interface HundredGigE1/0/4
port link-mode bridge

y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 12
port link-aggregation group 2
#
interface HundredGigE1/0/19
port link-mode bridge

y
port link-type trunk
port trunk permit vlan all
port link-aggregation group 100
#
evpn m-lag group 10.1.1.1
evpn global-mac 0000-5e00-1101
#
bgp 100
peer 11.1.1.1 as-number 100
peer 11.1.1.1 description to SP1
peer 11.1.1.1 connect-interface LoopBack0
peer 11.1.1.2 as-number 100
peer 11.1.1.2 description to SP2
peer 11.1.1.2 connect-interface LoopBack0
#
address-family l2vpn evpn
peer 11.1.1.1 enable
peer 11.1.1.2 enable
#
ospf 1 router-id 1.1.1.2
area 0.0.0.0
network 1.1.1.2 0.0.0.0
network 10.1.1.1 0.0.0.0
network 172.17.7.2 0.0.0.0
network 172.17.8.2 0.0.0.0
</code></pre>
<p>(10) DC-PC01</p>
<pre><code> #
sysname PC01
#
vlan batch 11
#
interface Vlanif11
ip address 10.18.11.10 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11
mode lacp-static
#
interface GE1/0/0
undo shutdown
eth-trunk 1
#
interface GE1/0/1
undo shutdown
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 10.18.11.254
</code></pre>
<p>(11) DC-PC02</p>
<pre><code>#
sysname PC02
#
vlan batch 12
#
interface Vlanif12
ip address 10.18.12.10 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 12
mode lacp-static
#
interface GE1/0/0
undo shutdown
eth-trunk 1
#
interface GE1/0/1
undo shutdown
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 10.18.12.254
</code></pre>
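<p>4. Test results</p>
<p>(1) Check the BGP EVPN neighbors on the SPs. If any are in the active state, I recommend deleting BGP on the peer and configuring it again.</p>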
<p><img src="data/attachment/forum/202504/15/131240gexeggytjxzy7eo5.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/15/131250zqrxjyrtj535aaz0.png" alt="图片.png" title="图片.png" /></p>
<p>(2) Check M-LAG on the BLs and SLs. If anything is down, you can recover it by entering the port and running undo shutdown.</p>
<p><img src="data/attachment/forum/202504/15/131509kfff5h88y57t7105.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/15/131547c0pcptp7n0nynnpl.png" alt="图片.png" title="图片.png" /></p>
<p>(3) PC01 and PC02 can both ping the external network, and the session logs are visible on the FW.</p>
<p><img src="data/attachment/forum/202504/15/131636mfmdhliyc553ywdw.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/15/131657vj9ytozosrc9789o.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/15/131843r4slffffshnuthc9.png" alt="图片.png" title="图片.png" /></p>
<p><strong>5. <a style="color: red;">Leftover issue: after replacing the USG6000V with the H3C vFW, traffic does not pass; cause still to be investigated</a></strong></p>
<p><img src="data/attachment/forum/202504/15/132158t6sfj4janhhheh7a.png" alt="图片.png" title="图片.png" /></p>
<p>(1) The configuration changes on BL01 and BL02 are as follows: keep only one aggregate interface and add all member ports to it.</p>
<p>==================BL01</p>
<p>undo int Bridge-Aggregation 2</p>
<p>int HundredGigE1/0/6</p>
<p>port link-aggregation group 1</p>
<p>==================BL02</p>
<p>undo int Bridge-Aggregation 2</p>
<p>int HundredGigE1/0/6</p>
<p>port link-aggregation group 1</p>
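<p>(2) The DC-FW01 configuration is as follows. One small regret: the H3C vFW does not seem to support configuring dual-active detection over a direct link.</p>
<pre><code>==================== Stacking configuration: it is recommended to configure chassis convert mode irf on both the primary and the standby first, then reboot FW01 first, and then do FW02
① Primary firewall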
#
sysname DC-FW01
#
irf topo-domain 100
#
irf-port
port group interface gigabitethernet 3/0
#
chassis convert mode irf
y
y
y


② Standby firewall
#
irf member 2
irf topo-domain 100
#
irf-port
port group interface gigabitethernet 3/0
#
chassis convert mode irf
y
y
y
</code></pre>
<p><img src="data/attachment/forum/202504/15/133048eztpcewek7puq5tq.png" alt="图片.png" title="图片.png" /></p>
<pre><code>#
sysname DC-FW01
#
interface Reth1
member interface GigabitEthernet1/4/0 priority 100
member interface GigabitEthernet2/4/0 priority 80
#
interface Route-Aggregation1
link-aggregation mode dynamic
#
interface Route-Aggregation1.11
ip address 172.17.11.2 255.255.255.252
vlan-type dot1q vid 11
#
interface Route-Aggregation1.12
ip address 172.17.12.2 255.255.255.252
vlan-type dot1q vid 12
#
interface GigabitEthernet1/1/0
port link-aggregation group 1
#
interface GigabitEthernet1/2/0
port link-aggregation group 1
#
interface GigabitEthernet2/1/0
port link-aggregation group 1
#
interface GigabitEthernet2/2/0
port link-aggregation group 1
#
security-zone name Trust
import interface Route-Aggregation1.11
#
security-zone name Untrust
import interface Route-Aggregation1.12
#
ip route-static 0.0.0.0 0 172.17.12.1
ip route-static 10.18.11.0 24 172.17.11.1
ip route-static 10.18.12.0 24 172.17.11.1
#
rule 0 name out
action pass
source-zone Trust
destination-zone Untrust
source-ip-subnet 10.18.11.0 255.255.255.0
source-ip-subnet 10.18.12.0 255.255.255.0
destination-ip-host 88.1.1.1
</code></pre>
<p>(3) Check the M-LAG status on the BLs</p>
<p><img src="data/attachment/forum/202504/15/133431ezz9jyzef0l20yll.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/15/133621ff8pkftfoofed33w.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/15/133647agd2b0cssyhhypzk.png" alt="图片.png" title="图片.png" /></p>
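<p>(4) PC01 and PC02 ping test. Strangely, session table entries are created on the FW, but the packet counts for both the forward and return directions are 0; I don't know whether this is an emulator bug. Capturing further on HGE1/0/1 of BL01 shows both ICMP Request and ICMP Reply packets. My initial suspicion is that vFW data forwarding has a problem; no conclusion yet.</p>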
<p><img src="data/attachment/forum/202504/15/133753kymsn67077mtdspp.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/15/133802aibxdjxuzgi22ivd.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/15/133858lns7zcttgs77drro.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/15/134023etzlfqvfwfvblbbt.png" alt="图片.png" title="图片.png" /></p>

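cfplzjc posted on 2025-4-15 16:25:09

<p>With the help of <strong>炎木之易</strong> from group 5, the problem is solved. A thumbs-up for the boss.</p>
<p>(1) The firewall showing no data: it can be turned on with session statistics enable.</p>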
<p><img src="data/attachment/forum/202504/15/162418yttrfz25s9sbbu99.png" alt="9670b6d4818192ee478eaa66f2a6c657.png" title="9670b6d4818192ee478eaa66f2a6c657.png" /></p>
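<p>(2) The data forwarding problem was that the BLs and SLs were missing the VXLAN encapsulation source interface address. Adding the following command solved it.</p>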
<p>vxlan default-decapsulation source interface LoopBack</p>
<p><img src="data/attachment/forum/202504/15/162506n3j9kkwcu41k2juu.png" alt="b7cbac19382e1902e575f4783003d8aa.png" title="b7cbac19382e1902e575f4783003d8aa.png" /></p>
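<p>Added example, not part of the original posts: a small Python check over device configs for the two fixes in the follow-up post above (the VXLAN default decapsulation source interface and session statistics enable), plus the default action permit left in the Huawei firewall scripts. The finding labels, function names and sample excerpts are constructed for illustration.</p>

```python
import re

# Constructed excerpts modelled on the configs in this thread (not full device configs).
LEAF_BEFORE = """\
#
sysname Leaf-1
#
l2vpn enable
#
vsi bd11
gateway vsi-interface 1
vxlan 11
evpn encapsulation vxlan
#
"""
# The same excerpt plus the command from the follow-up post, written exactly as it is
# quoted there (the thread does not give the LoopBack number).
LEAF_AFTER = LEAF_BEFORE + "vxlan default-decapsulation source interface LoopBack\n#\n"

HUAWEI_FW = """\
#
sysname fw01
#
firewall zone trust
add interface Eth-Trunk1.11
#
security-policy
default action permit
y
"""

H3C_VFW = """\
#
sysname DC-FW01
#
security-zone name Trust
import interface Route-Aggregation1.11
#
rule 0 name out
action pass
"""


def split_sections(config_text):
    """Split a '#'-delimited config into sections; drop blanks and bare 'y' answers."""
    sections, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line and line != "y":  # 'y' lines are paste-script confirmations
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit(config_text):
    """Return finding IDs (labels made up for this example) for one device config."""
    sections = split_sections(config_text)
    lines = [line for section in sections for line in section]
    findings = []
    # VXLAN IDs are defined but no default decapsulation source interface is set.
    uses_vxlan = any(re.fullmatch(r"vxlan \d+", line) for line in lines)
    has_source = any(
        re.match(r"vxlan default-decapsulation source interface \S+", line)
        for line in lines
    )
    if uses_vxlan and not has_source:
        findings.append("missing-vxlan-decap-source")
    # Huawei firewall: anything no rule matches is permitted by the default action.
    for section in sections:
        if section[0] == "security-policy" and "default action permit" in section:
            findings.append("firewall-default-permit")
    # H3C firewall: zones are configured but session packet counters are not enabled.
    if any(line.startswith("security-zone name ") for line in lines) \
            and "session statistics enable" not in lines:
        findings.append("session-statistics-disabled")
    return findings


if __name__ == "__main__":
    for name in ("LEAF_BEFORE", "LEAF_AFTER", "HUAWEI_FW", "H3C_VFW"):
        print(name, audit(globals()[name]))
```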

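wtg1982 posted on 2025-4-15 14:03:55

<p>That's a really big topology. You're an expert.</p>

yyoo posted on 2025-4-15 14:10:34

<p>With more than three devices, my computer starts smoking.</p>

569305227 posted on 2025-4-15 14:27:57

<p>Could you please provide the EVE topology file?</p>

mr.jin posted on 2025-4-15 14:39:38

Try debug and see?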