
EVE-NG嵌套eNSP-Pro数据中心标准组网测试案例


1、网络拓扑

图片.png

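2、设备配置(云杉USG的配置大家可以参考,实际用的是USG6000v的脚本)

说明:脚本中的口令和HRP认证密钥(Huawei@123)、防火墙的 default action permit 都是实验环境取值;用于非实验环境时应更换口令和密钥,并保持缺省动作为deny、按需配置放行规则。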

特别注意:

①PC双网卡终端,mode 4有问题,mode 1测试ok

图片.png

②云杉防火墙在镜像模式下数据转发有问题;改为桥接到2台USG6000v后,数据转发ok。另外,由于该版本限制,一个cloud对应一个eth0,不能一个cloud对应多个eth,否则会造成端口起不来。

图片.png

=====基线配置

#
# Baseline AAA: defines the local account "admin", limited to the SSH
# service type, at privilege level 3 (the management level on VRP's
# 0-3 scale).
# - "Huawei@123" is a literal value published on this page, i.e. a lab
#   credential. The same string is reused as the HRP authentication-key
#   in the DC-FW01/DC-FW02 (云杉) listings; use distinct secrets outside
#   a lab.
# - The user-name complexity check is switched off for local AAA users.
# - The bare "y" lines presumably answer the CLI confirmation prompts
#   when the script is pasted -- confirm on the target version.
aaa
 local-aaa-user password policy administrator
 local-aaa-user user-name complexity-check disable
 local-user admin password irreversible-cipher Huawei@123
 local-user admin privilege level 3
 y
 local-user admin service-type ssh
 y
#
interface MEth0/0/0
 ip binding vpn-instance _management_vpn_
 ip address 192.168.11.1 255.255.255.0
#       
lldp enable
#
# Enables the STelnet (SSH) server and lets it accept connections on
# every interface ("all-interface"), not only the management port
# MEth0/0/0 configured above. Binding the SSH server to the management
# interface alone would narrow where the login service is reachable.
stelnet server enable
ssh server-source all-interface
#
# Console idle timeout of 1440 minutes 0 seconds (24 hours): an
# unattended console session stays logged in for a full day. Convenient
# in a lab; a short timeout is the usual choice elsewhere.
user-interface con 0
 idle-timeout 1440 0

(1)DC-PE01


#
sysname DC-PE01
#
interface GE0/0/0
 ip address 172.16.1.1 255.255.255.252
 ospf network-type p2p
 ospf enable 100 area 0.0.0.0
#
interface GE0/0/1
 ip address 172.16.2.1 255.255.255.252
 ospf network-type p2p
 ospf enable 100 area 0.0.0.0
#
interface LoopBack0
 ip address 88.1.1.1 255.255.255.255
 ospf enable 100 area 0.0.0.0
#
ospf 100 router-id 88.1.1.1
 area 0.0.0.0

(2)DC-BL01

#
sysname DC-BL01
#
dfs-group 1
 consistency-check enable mode loose
 dual-active detection source ip 172.16.0.1 peer 172.16.0.2  
 priority 150
 dual-active detection delay 0
#
stp mode rstp
stp v-stp enable
#
evpn-overlay enable
#
ip vpn-instance gw_vpna
 ipv4-family
  route-distinguisher 1:100
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 1:10
  vpn-target 1:10 export-extcommunity evpn
  vpn-target 1:10 import-extcommunity evpn
 vxlan vni 100
#
bridge-domain 100
 vxlan vni 101
#
bridge-domain 200
 vxlan vni 201
#
interface Vbdif100
 ip binding vpn-instance vpna
 ip address 172.17.1.1 255.255.255.0
 arp broadcast-detect enable
 mac-address 0000-5e00-0102
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif200
 ip binding vpn-instance gw_vpna
 ip address 172.17.2.1 255.255.255.0
 arp broadcast-detect enable
 mac-address 0000-5e00-0102
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
# 
interface Eth-Trunk5
 stp edged-port enable
 mode lacp-static
 dfs-group 1 m-lag 5
#
interface Eth-Trunk5.100 mode l2
 encapsulation dot1q vid 100
 bridge-domain 100
#
interface Eth-Trunk5.200 mode l2
 encapsulation dot1q vid 200
 bridge-domain 200
#
interface Eth-Trunk6
 stp edged-port enable
 mode lacp-static
 dfs-group 1 m-lag 6
#
interface Eth-Trunk6.100 mode l2
 encapsulation dot1q vid 100
 bridge-domain 100
#
interface Eth-Trunk6.200 mode l2
 encapsulation dot1q vid 200
 bridge-domain 200
#
interface GE1/0/1
 undo portswitch
 ip binding vpn-instance gw_vpna
 ip address 172.16.1.2 255.255.255.252
 ospf network-type p2p
 ospf enable 100 area 0.0.0.0
#
interface GE1/0/2
 undo portswitch
 ip binding vpn-instance gw_vpna
 ip address 172.16.3.1 255.255.255.252
 ospf cost 100
 ospf network-type p2p
 ospf enable 100 area 0.0.0.0
#
interface GE1/0/3
 undo portswitch
 ip address 172.16.11.1 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/4
 undo portswitch
 ip address 172.16.21.1 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/5
 eth-trunk 5
#
interface GE1/0/6
 eth-trunk 6 
#
interface GE1/0/9
 eth-trunk 0
#
interface GE1/0/10
 undo portswitch
 ip address 172.16.0.1 255.255.255.252
  m-lag unpaired-port reserved
#
interface LoopBack0
 ip address 11.1.1.1 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface LoopBack1
 ip address 10.1.1.1 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface Nve1
 source 10.1.1.1
 pip-source 11.1.1.1 peer 11.1.1.2 bypass
 y
 vni 101 head-end peer-list protocol bgp
 vni 201 head-end peer-list protocol bgp
 mac-address 0000-5e00-0121
#
bgp 100
 undo default ipv4-unicast
 group spine internal
 peer spine connect-interface LoopBack0
 peer 21.1.1.1 group spine
 peer 21.1.1.2 group spine
 ipv4-family vpn-instance vpna
  default-route imported
  import-route static
  advertise l2vpn evpn
 l2vpn-family evpn
  policy vpn-target
  peer spine enable
  peer spine advertise irb
  peer 21.1.1.1 group spine
  y
  peer 21.1.1.2 group spine
  y
#
ospf 1 router-id 11.1.1.1
 area 0.0.0.0
#
ospf 100 router-id 11.1.1.1 vpn-instance gw_vpna
 import-route static
 vpn-instance-capability simple
 area 0.0.0.0
#
ip route-static vpn-instance gw_vpna 192.168.1.0 255.255.255.0 172.17.2.2
ip route-static vpn-instance gw_vpna 192.168.2.0 255.255.255.0 172.17.2.2
ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 172.17.1.2

(3)DC-BL02

#
sysname DC-BL02
#
dfs-group 1
 consistency-check enable mode loose
 dual-active detection source ip 172.16.0.2 peer 172.16.0.1  
 priority 120
 dual-active detection delay 0
#
stp mode rstp
stp v-stp enable
#
evpn-overlay enable
#
ip vpn-instance gw_vpna
 ipv4-family
  route-distinguisher 1:100
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 1:10
  vpn-target 1:10 export-extcommunity evpn
  vpn-target 1:10 import-extcommunity evpn
 vxlan vni 100
#
bridge-domain 100
 vxlan vni 101
#
bridge-domain 200
 vxlan vni 201
#
interface Vbdif100
 ip binding vpn-instance vpna
 ip address 172.17.1.1 255.255.255.0
 arp broadcast-detect enable
 mac-address 0000-5e00-0102
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif200
 ip binding vpn-instance gw_vpna
 ip address 172.17.2.1 255.255.255.0
 arp broadcast-detect enable
 mac-address 0000-5e00-0102
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
# 
interface Eth-Trunk5
 stp edged-port enable
 mode lacp-static
 dfs-group 1 m-lag 5
#
interface Eth-Trunk5.100 mode l2
 encapsulation dot1q vid 100
 bridge-domain 100
#
interface Eth-Trunk5.200 mode l2
 encapsulation dot1q vid 200
 bridge-domain 200
#
interface Eth-Trunk6
 stp edged-port enable
 mode lacp-static
 dfs-group 1 m-lag 6
#
interface Eth-Trunk6.100 mode l2
 encapsulation dot1q vid 100
 bridge-domain 100
#
interface Eth-Trunk6.200 mode l2
 encapsulation dot1q vid 200
 bridge-domain 200
#
interface GE1/0/1
 undo portswitch
 ip binding vpn-instance gw_vpna
 ip address 172.16.2.2 255.255.255.252
 ospf network-type p2p
 ospf enable 100 area 0.0.0.0
#
interface GE1/0/2
 undo portswitch
 ip binding vpn-instance gw_vpna
 ip address 172.16.3.2 255.255.255.252
 ospf cost 100
 ospf network-type p2p
 ospf enable 100 area 0.0.0.0
#
interface GE1/0/3
 undo portswitch
 ip address 172.16.12.1 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/4
 undo portswitch
 ip address 172.16.22.1 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/5
 eth-trunk 5
#
interface GE1/0/6
 eth-trunk 6
#
interface GE1/0/9
 eth-trunk 0
#
interface GE1/0/10
 undo portswitch
 ip address 172.16.0.2 255.255.255.252
  m-lag unpaired-port reserved
#
interface LoopBack0
 ip address 11.1.1.2 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface LoopBack1
 ip address 10.1.1.1 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface Nve1
 source 10.1.1.1
 pip-source 11.1.1.2 peer 11.1.1.1 bypass
 y
 vni 101 head-end peer-list protocol bgp
 vni 201 head-end peer-list protocol bgp
 mac-address 0000-5e00-0121
#
bgp 100
 undo default ipv4-unicast
 group spine internal
 peer spine connect-interface LoopBack0
 peer 21.1.1.1 group spine
 peer 21.1.1.2 group spine
 ipv4-family vpn-instance vpna
  default-route imported
  import-route static
  advertise l2vpn evpn
 l2vpn-family evpn
  policy vpn-target
  peer spine enable
  peer spine advertise irb
  peer 21.1.1.1 group spine
  y
  peer 21.1.1.2 group spine
  y

#
ospf 1 router-id 11.1.1.2
 area 0.0.0.0
#
ospf 100 router-id 11.1.1.2 vpn-instance gw_vpna
 import-route static
 vpn-instance-capability simple
 area 0.0.0.0
#
ip route-static vpn-instance gw_vpna 192.168.1.0 255.255.255.0 172.17.2.2
ip route-static vpn-instance gw_vpna 192.168.2.0 255.255.255.0 172.17.2.2
ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 172.17.1.2

(4)DC-FW01(云杉)

#
sysname DC-FW01
#
# HRP hot-standby settings for the active unit: the heartbeat runs over
# GE0/0/2 to the peer at 172.16.0.2, Eth-Trunk1 is the tracked interface,
# and configuration/session mirroring are enabled.
# The authentication-key is the literal "Huawei@123", the same string as
# the admin password in the baseline section -- a lab value. Both
# firewalls must carry the same key; outside a lab use a dedicated secret
# that is not shared with any login credential.
undo hrp preempt enable
hrp preempt delay 300
hrp device active
hrp standby config enable
hrp auto-sync config static-route
hrp mirror config enable
hrp mirror session enable
hrp interface GE0/0/2 remote 172.16.0.2
hrp track interface Eth-Trunk1
hrp authentication-key Huawei@123
hrp escape enable
undo hrp track trunk-member enable
hrp enable
#
interface Eth-Trunk1
 mode lacp-static
#
interface Eth-Trunk1.100
 ip address 172.17.1.2 255.255.255.252
 dot1q termination vid 100
 service-manage ping permit
#
interface Eth-Trunk1.200
 ip address 172.17.2.2 255.255.255.252
 dot1q termination vid 200
 service-manage ping permit
#
interface GE0/0/0
 eth-trunk 1
#
interface GE0/0/1
 eth-trunk 1
#
interface GE0/0/2
 ip address 172.16.0.1 255.255.255.252
#
ip route-static 0.0.0.0 0.0.0.0 172.17.2.1
ip route-static 192.168.1.0 255.255.255.0 172.17.1.1
ip route-static 192.168.2.0 255.255.255.0 172.17.1.1
#
firewall zone trust
 add interface Eth-Trunk1.100
#
firewall zone untrust
 add interface Eth-Trunk1.200
#
firewall zone dmz
 add interface GE0/0/2
#
# The default action is set to permit and no rule is defined in this
# listing, so traffic between the trust, untrust and dmz zones is
# forwarded without filtering. This is a lab shortcut to get forwarding
# working; outside a lab keep the default action at deny and add explicit
# rules for the flows that are required.
# The trailing "y" presumably answers the CLI confirmation prompt.
security-policy
 default action permit
 y

(5)DC-FW02(云杉)

#
sysname DC-FW02
#
# HRP hot-standby settings for the standby unit: the heartbeat runs over
# GE0/0/2 to the peer at 172.16.0.1, Eth-Trunk1 is the tracked interface,
# and configuration/session mirroring are enabled.
# The authentication-key is the literal "Huawei@123", the same string as
# the admin password in the baseline section -- a lab value. It must
# match the key on DC-FW01; outside a lab use a dedicated secret that is
# not shared with any login credential.
undo hrp preempt enable
hrp preempt delay 300
hrp device standby
hrp standby config enable
hrp auto-sync config static-route
hrp mirror config enable
hrp mirror session enable
hrp interface GE0/0/2 remote 172.16.0.1
hrp track interface Eth-Trunk1
hrp authentication-key Huawei@123
hrp escape enable
undo hrp track trunk-member enable
hrp enable
#
interface Eth-Trunk1
 mode lacp-static
#
interface Eth-Trunk1.100
 ip address 172.17.1.2 255.255.255.252
 dot1q termination vid 100
 service-manage ping permit
#
interface Eth-Trunk1.200
 ip address 172.17.2.2 255.255.255.252
 dot1q termination vid 200
 service-manage ping permit
#
interface GE0/0/0
 eth-trunk 1
#
interface GE0/0/1
 eth-trunk 1
#
interface GE0/0/2
 ip address 172.16.0.2 255.255.255.252
#         
ip route-static 0.0.0.0 0.0.0.0 172.17.2.1
ip route-static 192.168.1.0 255.255.255.0 172.17.1.1
ip route-static 192.168.2.0 255.255.255.0 172.17.1.1
#
firewall zone trust
 add interface Eth-Trunk1.100
#
firewall zone untrust
 add interface Eth-Trunk1.200
#
firewall zone dmz
 add interface GE0/0/2
#
# The default action is set to permit and no rule is defined in this
# listing, so traffic between the trust, untrust and dmz zones is
# forwarded without filtering. This is a lab shortcut to get forwarding
# working; outside a lab keep the default action at deny and add explicit
# rules for the flows that are required.
# The trailing "y" presumably answers the CLI confirmation prompt.
security-policy
 default action permit
 y

(6)DC-SP01

#
sysname DC-SP01
#
evpn-overlay enable
# 
interface GE1/0/1
 undo portswitch
 ip address 172.16.11.2 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
 undo portswitch
 ip address 172.16.12.2 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/3
 undo portswitch
 ip address 172.16.13.1 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/4
 undo portswitch
 ip address 172.16.14.1 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/5
 undo portswitch
 ip address 172.16.15.1 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/6
 undo portswitch
 ip address 172.16.16.1 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface LoopBack0
 ip address 21.1.1.1 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
# Spine iBGP for the EVPN overlay: the six peers are the LoopBack0
# addresses of the border leaves (11.1.1.x) and server leaves (31.1.1.x,
# 41.1.1.x) shown elsewhere on this page. "reflect-client" makes this
# spine a route reflector for the l2vpn-family evpn routes.
# "undo policy vpn-target" presumably stops the reflector from dropping
# EVPN routes whose VPN targets it does not import itself -- confirm
# against the VRP documentation for the version in use.
# NOTE(review): no peer authentication is configured on these sessions in
# this listing; acceptable in an isolated lab, worth adding where the
# underlay is shared.
# The bare "y" lines presumably answer CLI confirmation prompts.
bgp 100
 undo default ipv4-unicast
 group leaf internal
 peer leaf connect-interface LoopBack0
 peer 11.1.1.1 group leaf
 peer 11.1.1.2 group leaf
 peer 31.1.1.1 group leaf
 peer 31.1.1.2 group leaf
 peer 41.1.1.1 group leaf
 peer 41.1.1.2 group leaf
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer leaf enable
  peer leaf advertise irb
  peer leaf reflect-client
  peer 11.1.1.1 group leaf
  y
  peer 11.1.1.2 group leaf
  y
  peer 31.1.1.1 group leaf
  y
  peer 31.1.1.2 group leaf
  y
  peer 41.1.1.1 group leaf
  y
  peer 41.1.1.2 group leaf
  y
#
ospf 1 router-id 21.1.1.1
 area 0.0.0.0
y

(7)DC-SP02

#
sysname DC-SP02
#
evpn-overlay enable
# 
interface GE1/0/1
 undo portswitch
 ip address 172.16.21.2 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
 undo portswitch
 ip address 172.16.22.2 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/3
 undo portswitch
 ip address 172.16.23.1 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/4
 undo portswitch
 ip address 172.16.24.1 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/5
 undo portswitch
 ip address 172.16.25.1 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/6
 undo portswitch
 ip address 172.16.26.1 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface LoopBack0
 ip address 21.1.1.2 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
# Spine iBGP for the EVPN overlay: the six peers are the LoopBack0
# addresses of the border leaves (11.1.1.x) and server leaves (31.1.1.x,
# 41.1.1.x) shown elsewhere on this page. "reflect-client" makes this
# spine a route reflector for the l2vpn-family evpn routes.
# "undo policy vpn-target" presumably stops the reflector from dropping
# EVPN routes whose VPN targets it does not import itself -- confirm
# against the VRP documentation for the version in use.
# NOTE(review): no peer authentication is configured on these sessions in
# this listing; acceptable in an isolated lab, worth adding where the
# underlay is shared.
# The bare "y" lines presumably answer CLI confirmation prompts.
bgp 100
 undo default ipv4-unicast
 group leaf internal
 peer leaf connect-interface LoopBack0
 peer 11.1.1.1 group leaf
 peer 11.1.1.2 group leaf
 peer 31.1.1.1 group leaf
 peer 31.1.1.2 group leaf
 peer 41.1.1.1 group leaf
 peer 41.1.1.2 group leaf
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer leaf enable
  peer leaf advertise irb
  peer leaf reflect-client
  peer 11.1.1.1 group leaf
  y
  peer 11.1.1.2 group leaf
  y
  peer 31.1.1.1 group leaf
  y
  peer 31.1.1.2 group leaf
  y
  peer 41.1.1.1 group leaf
  y
  peer 41.1.1.2 group leaf
  y

#
ospf 1 router-id 21.1.1.2
 area 0.0.0.0

(8)DC-SL01-M

#
sysname DC-SL01-M
#
dfs-group 1
 consistency-check enable mode loose
 dual-active detection source ip 172.16.0.1 peer 172.16.0.2  
 priority 150
 dual-active detection delay 0
#
stp mode rstp
stp v-stp enable
#
evpn-overlay enable
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 1:10
  vpn-target 1:10 export-extcommunity evpn
  vpn-target 1:10 import-extcommunity evpn
 vxlan vni 100
#
bridge-domain 10
 vxlan vni 10
 #
 evpn
  route-distinguisher 1:1
  vpn-target 1:1 export-extcommunity
  vpn-target 1:10 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
bridge-domain 20
 vxlan vni 20
 #          
 evpn
  route-distinguisher 1:2
  vpn-target 1:2 export-extcommunity
  vpn-target 1:10 export-extcommunity
  vpn-target 1:2 import-extcommunity
#
interface Vbdif10
 ip binding vpn-instance vpna
 ip address 192.168.1.1 255.255.255.0
 arp broadcast-detect enable
 mac-address 0000-5e00-0102
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif20
 ip binding vpn-instance vpna
 ip address 192.168.2.1 255.255.255.0
 arp broadcast-detect enable
 mac-address 0000-5e00-0102
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
#
interface GE1/0/1
 undo portswitch
 ip address 172.16.13.2 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
 undo portswitch
 ip address 172.16.23.2 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/3.1 mode l2
 encapsulation untag
 bridge-domain 10
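#
# GE1/0/4.1: untagged Layer 2 sub-interface mapped to bridge-domain 20.
# The section separator "#" sits on its own line so that the
# bridge-domain command is not pasted as "bridge-domain 20#".
interface GE1/0/4.1 mode l2
 encapsulation untag
 bridge-domain 20
#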
interface GE1/0/9
 eth-trunk 0
#
interface GE1/0/10
 undo portswitch
 ip address 172.16.0.1 255.255.255.252
 m-lag unpaired-port reserved
#
interface LoopBack0
 ip address 31.1.1.1 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface LoopBack1
 ip address 30.1.1.1 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface Nve1
 source 30.1.1.1
 pip-source 31.1.1.1 peer 31.1.1.2 bypass
 y
 vni 10 head-end peer-list protocol bgp
 vni 20 head-end peer-list protocol bgp
 mac-address 0000-5e00-0111
#
bgp 100
 undo default ipv4-unicast
 group spine internal
 peer spine connect-interface LoopBack0
 peer 21.1.1.1 group spine
 peer 21.1.1.2 group spine
 
 l2vpn-family evpn
  policy vpn-target
  peer spine enable
  peer spine advertise irb
  peer 21.1.1.1 group spine
  y
  peer 21.1.1.2 group spine
  y
#
ospf 1 router-id 31.1.1.1
 area 0.0.0.0

(9)DC-SL01-S

#
sysname DC-SL01-S
#
dfs-group 1
 consistency-check enable mode loose
 dual-active detection source ip 172.16.0.2 peer 172.16.0.1  
 priority 120
 dual-active detection delay 0
#
stp mode rstp
stp v-stp enable
#
evpn-overlay enable
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 1:10
  vpn-target 1:10 export-extcommunity evpn
  vpn-target 1:10 import-extcommunity evpn
 vxlan vni 100
#
bridge-domain 10
 vxlan vni 10
 #
 evpn
  route-distinguisher 1:1
  vpn-target 1:1 export-extcommunity
  vpn-target 1:10 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
bridge-domain 20
 vxlan vni 20
 #          
 evpn
  route-distinguisher 1:2
  vpn-target 1:2 export-extcommunity
  vpn-target 1:10 export-extcommunity
  vpn-target 1:2 import-extcommunity
#
interface Vbdif10
 ip binding vpn-instance vpna
 ip address 192.168.1.1 255.255.255.0
 arp broadcast-detect enable
 mac-address 0000-5e00-0102
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif20
 ip binding vpn-instance vpna
 ip address 192.168.2.1 255.255.255.0
 arp broadcast-detect enable
 mac-address 0000-5e00-0102
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
#
interface GE1/0/1
 undo portswitch
 ip address 172.16.14.2 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
 undo portswitch
 ip address 172.16.24.2 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/3.1 mode l2
 encapsulation untag
 bridge-domain 10
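#
# GE1/0/4.1: untagged Layer 2 sub-interface mapped to bridge-domain 20.
# The section separator "#" sits on its own line so that the
# bridge-domain command is not pasted as "bridge-domain 20#".
interface GE1/0/4.1 mode l2
 encapsulation untag
 bridge-domain 20
#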
interface GE1/0/9
 eth-trunk 0
#
interface GE1/0/10
 undo portswitch
 ip address 172.16.0.2 255.255.255.252
 m-lag unpaired-port reserved
#
interface LoopBack0
 ip address 31.1.1.2 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface LoopBack1
 ip address 30.1.1.1 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface Nve1
 source 30.1.1.1
 pip-source 31.1.1.2 peer 31.1.1.1 bypass
 y
 vni 10 head-end peer-list protocol bgp
 vni 20 head-end peer-list protocol bgp
 mac-address 0000-5e00-0111
#
bgp 100
 undo default ipv4-unicast
 group spine internal
 peer spine connect-interface LoopBack0
 peer 21.1.1.1 group spine
 peer 21.1.1.2 group spine
 
 l2vpn-family evpn
  policy vpn-target
  peer spine enable
  peer spine advertise irb
  peer 21.1.1.1 group spine
  y
  peer 21.1.1.2 group spine
  y
#
ospf 1 router-id 31.1.1.2
 area 0.0.0.0

(10)DC-SL02-M

#
sysname DC-SL02-M
#
dfs-group 1
 consistency-check enable mode loose
 dual-active detection source ip 172.16.0.1 peer 172.16.0.2  
 priority 150
 dual-active detection delay 0
#
stp mode rstp
stp v-stp enable
#
evpn-overlay enable
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 1:10
  vpn-target 1:10 export-extcommunity evpn
  vpn-target 1:10 import-extcommunity evpn
 vxlan vni 100
#
bridge-domain 10
 vxlan vni 10
 #
 evpn
  route-distinguisher 1:1
  vpn-target 1:1 export-extcommunity
  vpn-target 1:10 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
bridge-domain 20
 vxlan vni 20
 #          
 evpn
  route-distinguisher 1:2
  vpn-target 1:2 export-extcommunity
  vpn-target 1:10 export-extcommunity
  vpn-target 1:2 import-extcommunity
#
interface Vbdif10
 ip binding vpn-instance vpna
 ip address 192.168.1.1 255.255.255.0
 arp broadcast-detect enable
 mac-address 0000-5e00-0102
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Vbdif20
 ip binding vpn-instance vpna
 ip address 192.168.2.1 255.255.255.0
 arp broadcast-detect enable
 mac-address 0000-5e00-0102
 vxlan anycast-gateway enable
 arp collect host enable
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
#
interface Eth-Trunk3
 stp edged-port enable
 mode lacp-static
 dfs-group 1 m-lag 3
#
interface Eth-Trunk3.1 mode l2
 encapsulation untag
 bridge-domain 10
#
interface Eth-Trunk4
 stp edged-port enable
 mode lacp-static
 dfs-group 1 m-lag 4
#
interface Eth-Trunk4.1 mode l2
 encapsulation untag
 bridge-domain 20
#
interface GE1/0/1
 undo portswitch
 ip address 172.16.15.2 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
 undo portswitch
 ip address 172.16.25.2 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/3
 eth-trunk 3
#
interface GE1/0/4
 eth-trunk 4
#
interface GE1/0/9
 eth-trunk 0
#
interface GE1/0/10
 undo portswitch
 ip address 172.16.0.1 255.255.255.252
 m-lag unpaired-port reserved
#
interface LoopBack0
 ip address 41.1.1.1 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface LoopBack1
 ip address 40.1.1.1 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface Nve1
 source 40.1.1.1
 pip-source 41.1.1.1 peer 41.1.1.2 bypass
 y
 vni 10 head-end peer-list protocol bgp
 vni 20 head-end peer-list protocol bgp
 mac-address 0000-5e00-0111
#
bgp 100
 undo default ipv4-unicast
 group spine internal
 peer spine connect-interface LoopBack0
 peer 21.1.1.1 group spine
 peer 21.1.1.2 group spine
 
 l2vpn-family evpn
  policy vpn-target
  peer spine enable
  peer spine advertise irb
  peer 21.1.1.1 group spine
  y
  peer 21.1.1.2 group spine
  y
#
ospf 1 router-id 41.1.1.1
 area 0.0.0.0

(11)DC-SL02-S

#
sysname DC-SL02-S
#
dfs-group 1
 consistency-check enable mode loose
 dual-active detection source ip 172.16.0.2 peer 172.16.0.1  
 priority 120
 dual-active detection delay 0
#
stp mode rstp
stp v-stp enable
#
evpn-overlay enable
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 1:10
  vpn-target 1:10 export-extcommunity evpn
  vpn-target 1:10 import-extcommunity evpn
 vxlan vni 100
#
bridge-domain 10
 vxlan vni 10
 #
 evpn
  route-distinguisher 1:1
  vpn-target 1:1 export-extcommunity
  vpn-target 1:10 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
bridge-domain 20
 vxlan vni 20
 #          
 evpn
  route-distinguisher 1:2
  vpn-target 1:2 export-extcommunity
  vpn-target 1:10 export-extcommunity
  vpn-target 1:2 import-extcommunity
#           
interface MEth0/0/0
 ip binding vpn-instance _management_vpn_
 ip address 192.168.11.9 255.255.255.0
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
#
interface Eth-Trunk3
 stp edged-port enable
 mode lacp-static
 dfs-group 1 m-lag 3
#
interface Eth-Trunk3.1 mode l2
 encapsulation untag
 bridge-domain 10
#
interface Eth-Trunk4
 stp edged-port enable
 mode lacp-static
 dfs-group 1 m-lag 4
#
interface Eth-Trunk4.1 mode l2
 encapsulation untag
 bridge-domain 20
#
interface GE1/0/1
 undo portswitch
 ip address 172.16.16.2 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/2
 undo portswitch
 ip address 172.16.26.2 255.255.255.252
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/3
 eth-trunk 3
#
interface GE1/0/4
 eth-trunk 4
#
interface GE1/0/9
 eth-trunk 0
#
interface GE1/0/10
 undo portswitch
 ip address 172.16.0.2 255.255.255.252
 m-lag unpaired-port reserved
#
interface LoopBack0
 ip address 41.1.1.2 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface LoopBack1
 ip address 40.1.1.1 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
interface Nve1
 source 40.1.1.1
 pip-source 41.1.1.2 peer 41.1.1.1 bypass
 y
 vni 10 head-end peer-list protocol bgp
 vni 20 head-end peer-list protocol bgp
 mac-address 0000-5e00-0111
#
bgp 100
 undo default ipv4-unicast
 group spine internal
 peer spine connect-interface LoopBack0
 peer 21.1.1.1 group spine
 peer 21.1.1.2 group spine
 
 l2vpn-family evpn
  policy vpn-target
  peer spine enable
  peer spine advertise irb
  peer 21.1.1.1 group spine
  y
  peer 21.1.1.2 group spine
  y
#
ospf 1 router-id 41.1.1.2
 area 0.0.0.0


(13)DC-FW01(USG6000v)

#
sysname fw01
#
info-center source default channel 0 trap state off
#
 
 hrp mirror config enable
 hrp interface GigabitEthernet1/0/2 remote 172.16.0.2
 hrp base config enable
 hrp mirror session enable
 hrp auto-sync config static-route
 undo hrp preempt
 undo hrp track trunk-member enable
#
interface Eth-Trunk1
 description to DC-BL01&BL02 eth-trunk 5
 mode lacp-static
#
interface Eth-Trunk1.100
 vlan-type dot1q 100
 ip address 172.17.1.2 255.255.255.252  
 service-manage ping permit
#
interface Eth-Trunk1.200
 vlan-type dot1q 200
 ip address 172.17.2.2 255.255.255.252
 service-manage ping permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 1
# 
hrp track interface Eth-Trunk1
hrp enable
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.16.0.1 255.255.255.252
 service-manage ping permit
#
firewall zone trust
 add interface Eth-Trunk1.100
#                                     
firewall zone untrust
 add interface Eth-Trunk1.200
#
firewall zone dmz
 add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 172.17.2.1
ip route-static 192.168.1.0 255.255.255.0 172.17.1.1
ip route-static 192.168.2.0 255.255.255.0 172.17.1.1
#
# The default action is set to permit and no rule is defined in this
# listing, so traffic between the trust, untrust and dmz zones is
# forwarded without filtering. This is a lab shortcut to get forwarding
# working; outside a lab keep the default action at deny and add explicit
# rules for the flows that are required.
# The trailing "y" presumably answers the CLI confirmation prompt.
security-policy
 default action permit
 y

(14)DC-FW02(USG6000v)

#
sysname fw02
#
info-center source default channel 0 trap state off
#
 hrp mirror config enable
 hrp standby-device
 hrp interface GigabitEthernet1/0/2 remote 172.16.0.1
 hrp base config enable
 hrp mirror session enable
 hrp auto-sync config static-route
 undo hrp preempt
 undo hrp track trunk-member enable
#
interface Eth-Trunk1
 description to DC-BL01&BL02 eth-trunk 5
 mode lacp-static
#
interface Eth-Trunk1.100
 vlan-type dot1q 100
 ip address 172.17.1.2 255.255.255.252
 service-manage ping permit
#
interface Eth-Trunk1.200
 vlan-type dot1q 200
 ip address 172.17.2.2 255.255.255.252
 service-manage ping permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 undo shutdown 
 eth-trunk 1
#
hrp track interface Eth-Trunk1   
hrp enable
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.16.0.2 255.255.255.252
 service-manage ping permit
#
firewall zone trust
 add interface Eth-Trunk1.100 
#
firewall zone untrust
 add interface Eth-Trunk1.200
#
firewall zone dmz
 add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 172.17.2.1
ip route-static 192.168.1.0 255.255.255.0 172.17.1.1
ip route-static 192.168.2.0 255.255.255.0 172.17.1.1
#
# The default action is set to permit and no rule is defined in this
# listing, so traffic between the trust, untrust and dmz zones is
# forwarded without filtering. This is a lab shortcut to get forwarding
# working; outside a lab keep the default action at deny and add explicit
# rules for the flows that are required.
# The trailing "y" presumably answers the CLI confirmation prompt.
security-policy
 default action permit
 y

3、实验结果

(1)SP01和SP02的ospf邻居,bgp evpn邻居正常

图片.png

图片.png

(2)BL的M-LAG,这里要说明一下,由于SL和PC的mode 4数据转发有问题,这里做了一点调整,SL01-M和SL01-S采用mode 1对接,SL02-M和SL02-S采用mode 4对接

图片.png

图片.png

(3)路由学习,SL能学习到BL的缺省路由,BL能学习到SL的主机路由,路由层面学习ok

图片.png

图片.png

(4)EVPN的二层和三层测试
PC1-1 ping PC1-2,并进行抓包

图片.png

图片.png

PC1-1到外网PE测试

图片.png

图片.png

图片.png

发表于 2025-4-8 13:06:00 | 显示全部楼层
大佬有试过ensp-pro里设备能被nce控制器纳管吗?
发表于 2025-4-9 13:01:31 | 显示全部楼层

神仙大佬,这技术功底扎实啊

 楼主| 发表于 前天 11:42 | 显示全部楼层
xy249125 发表于 2025-4-8 13:06
大佬有试过ensp-pro里设备能被nce控制器纳管吗?

没有控制器,而且公有云控制器也不支持NCE呢。