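1. Network topology
The network topology is shown in the figure below: a standard spine-leaf architecture. Because the H3C vSwitch S9850 is particularly unstable, all non-essential network elements are replaced with Huawei devices; for example, PE01, SP01, SP02, DC-FW01 and DC-FW02 are all Huawei devices.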

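2. Notes
(1) There is no conclusion yet. I am currently using 2 CPUs and 2 GB of memory and have been testing whether the device reboots; so far, 2 hours and 10 minutes of testing has been OK.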


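(2) If an interface does not come up, you can enable it with undo shutdown. The case I hit most often is that after saving the configuration, some ports are inexplicably down at the next boot.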

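(3) Another problem is that the BGP EVPN neighbor does not come up. There is a fix for this too: delete the BGP neighbor and configure it again. The Huawei CE12800 does not have this problem; usually it is enough to delete it on the S9850 and configure it again.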
undo bgp xx
bgp xx
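(4) Finally, if the interface still does not come up after undo shutdown, there is only one last resort: wipe the node, reload it, and apply the configuration again.
3. Device configuration. To make testing easier for everyone, the scripts I prepared here have all been adjusted and can be applied directly.
(1) DC-PE01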
#
sysname PE1
#
interface GigabitEthernet0/0/0
ip address 172.16.1.1 255.255.255.252
ospf network-type p2p
#
interface GigabitEthernet0/0/1
ip address 172.16.2.1 255.255.255.252
ospf network-type p2p
#
interface LoopBack0
ip address 88.1.1.1 255.255.255.255
#
ospf 10 router-id 88.1.1.1
silent-interface LoopBack0
area 0.0.0.0
network 88.1.1.1 0.0.0.0
network 172.16.1.1 0.0.0.0
network 172.16.2.1 0.0.0.0
(2) DC-BL01
#
sysname Border-1
#
ip unreachables enable
ip ttl-expires enable
#
lldp global enable
#
vxlan tunnel mac-learning disable
#
l2vpn enable
vxlan tunnel arp-learning disable
#
vlan 11 to 12
#
m-lag mad exclude interface HundredGigE1/0/2
m-lag mad exclude interface HundredGigE1/0/20
m-lag system-mac 0000-0000-0001
y
m-lag system-number 1
y
m-lag system-priority 100
y
m-lag keepalive ip destination 192.168.1.2 source 192.168.1.1
#
ip vpn-instance vpna
route-distinguisher 1:1
#
address-family ipv4
vpn-target 1:2 import-extcommunity
vpn-target 1:2 export-extcommunity
#
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
ip vpn-instance gw_vpna
route-distinguisher 11:1
#
address-family ipv4
vpn-target 11:2 import-extcommunity
vpn-target 11:2 export-extcommunity
#
address-family evpn
vpn-target 11:1 import-extcommunity
vpn-target 11:1 export-extcommunity
#
interface Vsi-interface11
ip binding vpn-instance vpna
ip address 172.17.11.1 255.255.255.252
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 101
#
interface Vsi-interface12
ip binding vpn-instance gw_vpna
ip address 172.17.12.1 255.255.255.252
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 201
#
vsi bd11
gateway vsi-interface 11
vxlan 11
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
vsi bd12
gateway vsi-interface 12
vxlan 12
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
link-aggregation mode dynamic
port m-lag group 1
#
service-instance 1
encapsulation s-vid 11
xconnect vsi bd11
#
service-instance 2
encapsulation s-vid 12
xconnect vsi bd12
#
interface Bridge-Aggregation2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
link-aggregation mode dynamic
port m-lag group 2
#
service-instance 1
encapsulation s-vid 11
xconnect vsi bd11
#
service-instance 2
encapsulation s-vid 12
xconnect vsi bd12
#
interface Bridge-Aggregation100
description for peer-link
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
port m-lag peer-link 1
#
interface LoopBack0
ip address 21.1.1.1 255.255.255.255
#
interface LoopBack1
ip address 20.1.1.1 255.255.255.255
#
interface HundredGigE1/0/1
port link-mode route
ip binding vpn-instance gw_vpna
ip address 172.16.1.2 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/2
port link-mode route
description for escape
ip binding vpn-instance gw_vpna
ip address 172.16.3.1 255.255.255.252
ospf cost 100
ospf network-type p2p
#
interface HundredGigE1/0/3
port link-mode route
ip address 172.17.1.1 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/4
port link-mode route
ip address 172.17.2.1 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/20
port link-mode route
description for keepalive
ip address 192.168.1.1 255.255.255.252
#
interface HundredGigE1/0/5
port link-mode bridge
y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
port link-aggregation group 1
#
interface HundredGigE1/0/6
port link-mode bridge
y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
port link-aggregation group 2
#
interface HundredGigE1/0/19
port link-mode bridge
y
port link-type trunk
port trunk permit vlan all
port link-aggregation group 100
#
evpn m-lag group 20.1.1.1
evpn global-mac 0000-5e00-110a
#
bgp 100
peer 11.1.1.1 as-number 100
peer 11.1.1.1 description to SP1
peer 11.1.1.1 connect-interface LoopBack0
peer 11.1.1.2 as-number 100
peer 11.1.1.2 description to SP2
peer 11.1.1.2 connect-interface LoopBack0
#
address-family l2vpn evpn
nexthop evpn-m-lag group-address
peer 11.1.1.1 enable
peer 11.1.1.2 enable
#
ip vpn-instance vpna
#
address-family ipv4 unicast
default-route imported
import-route static
#
ip prefix-list vpna index 10 permit 10.18.11.0 24
ip prefix-list vpna index 20 permit 10.18.12.0 24
#
route-policy vpna permit node 10
if-match ip address prefix-list vpna
#
ospf 1 router-id 21.1.1.1
area 0.0.0.0
network 20.1.1.1 0.0.0.0
network 21.1.1.1 0.0.0.0
network 172.17.1.1 0.0.0.0
network 172.17.2.1 0.0.0.0
#
ospf 10 router-id 21.1.1.1 vpn-instance gw_vpna
import-route static type 1 route-policy vpna
vpn-instance-capability simple
area 0.0.0.0
network 172.16.1.2 0.0.0.0
network 172.16.3.1 0.0.0.0
#
ip route-static vpn-instance vpna 0.0.0.0 0 172.17.11.2
ip route-static vpn-instance gw_vpna 10.18.11.0 24 172.17.12.2
ip route-static vpn-instance gw_vpna 10.18.12.0 24 172.17.12.2
(3) DC-BL02
sysname Border-2
#
ip unreachables enable
ip ttl-expires enable
#
lldp global enable
#
vxlan tunnel mac-learning disable
#
l2vpn enable
vxlan tunnel arp-learning disable
#
vlan 11 to 12
#
m-lag mad exclude interface HundredGigE1/0/2
m-lag mad exclude interface HundredGigE1/0/20
m-lag system-mac 0000-0000-0001
y
m-lag system-number 2
y
m-lag system-priority 100
y
m-lag keepalive ip destination 192.168.1.1 source 192.168.1.2
#
ip vpn-instance vpna
route-distinguisher 1:1
#
address-family ipv4
vpn-target 1:2 import-extcommunity
vpn-target 1:2 export-extcommunity
#
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
ip vpn-instance gw_vpna
route-distinguisher 11:1
#
address-family ipv4
vpn-target 11:2 import-extcommunity
vpn-target 11:2 export-extcommunity
#
address-family evpn
vpn-target 11:1 import-extcommunity
vpn-target 11:1 export-extcommunity
#
interface Vsi-interface11
ip binding vpn-instance vpna
ip address 172.17.11.1 255.255.255.252
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 101
#
interface Vsi-interface12
ip binding vpn-instance gw_vpna
ip address 172.17.12.1 255.255.255.252
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 201
#
vsi bd11
gateway vsi-interface 11
vxlan 11
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
vsi bd12
gateway vsi-interface 12
vxlan 12
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
link-aggregation mode dynamic
port m-lag group 1
#
service-instance 1
encapsulation s-vid 11
xconnect vsi bd11
#
service-instance 2
encapsulation s-vid 12
xconnect vsi bd12
#
interface Bridge-Aggregation2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
link-aggregation mode dynamic
port m-lag group 2
#
service-instance 1
encapsulation s-vid 11
xconnect vsi bd11
#
service-instance 2
encapsulation s-vid 12
xconnect vsi bd12
#
interface Bridge-Aggregation100
description for peer-link
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
port m-lag peer-link 1
#
interface LoopBack0
ip address 21.1.1.2 255.255.255.255
#
interface LoopBack1
ip address 20.1.1.1 255.255.255.255
#
interface HundredGigE1/0/1
port link-mode route
ip binding vpn-instance gw_vpna
ip address 172.16.2.2 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/2
port link-mode route
description for escape
ip binding vpn-instance gw_vpna
ip address 172.16.3.2 255.255.255.252
ospf cost 100
ospf network-type p2p
#
interface HundredGigE1/0/3
port link-mode route
ip address 172.17.3.1 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/4
port link-mode route
ip address 172.17.4.1 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/20
port link-mode route
description for keepalive
ip address 192.168.1.2 255.255.255.252
#
interface HundredGigE1/0/5
port link-mode bridge
y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
port link-aggregation group 1
#
interface HundredGigE1/0/6
port link-mode bridge
y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11 to 12
port link-aggregation group 2
#
interface HundredGigE1/0/19
port link-mode bridge
y
port link-type trunk
port trunk permit vlan all
port link-aggregation group 100
#
evpn m-lag group 20.1.1.1
evpn global-mac 0000-5e00-110a
#
bgp 100
peer 11.1.1.1 as-number 100
peer 11.1.1.1 description to SP1
peer 11.1.1.1 connect-interface LoopBack0
peer 11.1.1.2 as-number 100
peer 11.1.1.2 description to SP2
peer 11.1.1.2 connect-interface LoopBack0
#
address-family l2vpn evpn
nexthop evpn-m-lag group-address
peer 11.1.1.1 enable
peer 11.1.1.2 enable
#
ip vpn-instance vpna
#
address-family ipv4 unicast
default-route imported
import-route static
#
ip prefix-list vpna index 10 permit 10.18.11.0 24
ip prefix-list vpna index 20 permit 10.18.12.0 24
#
route-policy vpna permit node 10
if-match ip address prefix-list vpna
#
ospf 1 router-id 21.1.1.2
area 0.0.0.0
network 20.1.1.1 0.0.0.0
network 21.1.1.2 0.0.0.0
network 172.17.3.1 0.0.0.0
network 172.17.4.1 0.0.0.0
#
ospf 10 router-id 21.1.1.2 vpn-instance gw_vpna
import-route static type 1 route-policy vpna
vpn-instance-capability simple
area 0.0.0.0
network 172.16.2.2 0.0.0.0
network 172.16.3.2 0.0.0.0
#
ip route-static vpn-instance vpna 0.0.0.0 0 172.17.11.2
ip route-static vpn-instance gw_vpna 10.18.11.0 24 172.17.12.2
ip route-static vpn-instance gw_vpna 10.18.12.0 24 172.17.12.2
(4) DC-FW01
#
sysname fw01
#
icmp host-unreachable send
icmp ttl-exceeded send
#
lldp enable
#
hrp mirror config enable
hrp interface GigabitEthernet1/0/2 remote 192.168.1.2
hrp base config enable
hrp mirror session enable
hrp auto-sync config static-route
undo hrp preempt
undo hrp track trunk-member enable
hrp enable
#
interface Eth-Trunk1
description hrp
mode lacp-static
#
interface Eth-Trunk1.11
vlan-type dot1q 11
ip address 172.17.11.2 255.255.255.252
service-manage ping permit
#
interface Eth-Trunk1.12
vlan-type dot1q 12
ip address 172.17.12.2 255.255.255.252
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.1.1 255.255.255.252
service-manage ping permit
#
hrp track interface Eth-Trunk1
#
firewall zone trust
add interface Eth-Trunk1.11
#
firewall zone untrust
add interface Eth-Trunk1.12
#
firewall zone dmz
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 172.17.12.1
ip route-static 10.18.11.0 255.255.255.0 172.17.11.1
ip route-static 10.18.12.0 255.255.255.0 172.17.11.1
#
security-policy
default action permit
y
(5) DC-FW02
#
sysname fw02
#
icmp host-unreachable send
icmp ttl-exceeded send
#
lldp enable
#
hrp mirror config enable
hrp standby-device
hrp interface GigabitEthernet1/0/2 remote 192.168.1.1
hrp base config enable
hrp mirror session enable
hrp auto-sync config static-route
undo hrp preempt
undo hrp track trunk-member enable
hrp enable
#
interface Eth-Trunk1
description hrp
mode lacp-static
#
interface Eth-Trunk1.11
vlan-type dot1q 11
ip address 172.17.11.2 255.255.255.252
service-manage ping permit
#
interface Eth-Trunk1.12
vlan-type dot1q 12
ip address 172.17.12.2 255.255.255.252
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.1.2 255.255.255.252
service-manage ping permit
#
hrp track interface Eth-Trunk1
#
firewall zone trust
add interface Eth-Trunk1.11
#
firewall zone untrust
add interface Eth-Trunk1.12
#
firewall zone dmz
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 172.17.12.1
ip route-static 10.18.11.0 255.255.255.0 172.17.11.1
ip route-static 10.18.12.0 255.255.255.0 172.17.11.1
#
security-policy
default action permit
y
(6) DC-SP01
#
sysname Spine-1
#
evpn-overlay enable
#
lldp enable
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 172.17.1.2 255.255.255.252
ospf network-type p2p
#
interface GE1/0/2
undo portswitch
undo shutdown
ip address 172.17.3.2 255.255.255.252
ospf network-type p2p
#
interface GE1/0/3
undo portswitch
undo shutdown
ip address 172.17.5.1 255.255.255.252
ospf network-type p2p
#
interface GE1/0/4
undo portswitch
undo shutdown
ip address 172.17.7.1 255.255.255.252
ospf network-type p2p
#
interface LoopBack0
ip address 11.1.1.1 255.255.255.255
#
bgp 100
undo default ipv4-unicast
group leaf internal
peer 1.1.1.1 group leaf
peer 1.1.1.1 description to SL1_A
peer 1.1.1.2 group leaf
peer 1.1.1.2 description to SL1_B
peer 21.1.1.1 group leaf
peer 21.1.1.1 description to BL1
peer 21.1.1.2 group leaf
peer 21.1.1.2 description to BL2
l2vpn-family evpn
undo policy vpn-target
peer leaf enable
peer leaf advertise irb
peer leaf reflect-client
peer 1.1.1.1 group leaf
y
peer 1.1.1.2 group leaf
y
peer 21.1.1.1 group leaf
y
peer 21.1.1.2 group leaf
y
#
ospf 1 router-id 11.1.1.1
area 0.0.0.0
network 11.1.1.1 0.0.0.0
network 172.17.1.2 0.0.0.0
network 172.17.3.2 0.0.0.0
network 172.17.5.1 0.0.0.0
network 172.17.7.1 0.0.0.0
(7) DC-SP02
#
sysname Spine-2
#
evpn-overlay enable
#
lldp enable
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 172.17.2.2 255.255.255.252
ospf network-type p2p
#
interface GE1/0/2
undo portswitch
undo shutdown
ip address 172.17.4.2 255.255.255.252
ospf network-type p2p
#
interface GE1/0/3
undo portswitch
undo shutdown
ip address 172.17.6.1 255.255.255.252
ospf network-type p2p
#
interface GE1/0/4
undo portswitch
undo shutdown
ip address 172.17.8.1 255.255.255.252
ospf network-type p2p
#
interface LoopBack0
ip address 11.1.1.2 255.255.255.255
#
bgp 100
undo default ipv4-unicast
group leaf internal
peer 1.1.1.1 group leaf
peer 1.1.1.1 description to SL1_A
peer 1.1.1.2 group leaf
peer 1.1.1.2 description to SL1_B
peer 21.1.1.1 group leaf
peer 21.1.1.1 description to BL1
peer 21.1.1.2 group leaf
peer 21.1.1.2 description to BL2
l2vpn-family evpn
undo policy vpn-target
peer leaf enable
peer leaf advertise irb
peer leaf reflect-client
peer 1.1.1.1 group leaf
y
peer 1.1.1.2 group leaf
y
peer 21.1.1.1 group leaf
y
peer 21.1.1.2 group leaf
y
#
ospf 1 router-id 11.1.1.2
area 0.0.0.0
network 11.1.1.2 0.0.0.0
network 172.17.2.2 0.0.0.0
network 172.17.4.2 0.0.0.0
network 172.17.6.1 0.0.0.0
network 172.17.8.1 0.0.0.0
(8) DC-SL01
#
sysname Leaf-1
#
ip unreachables enable
ip ttl-expires enable
#
lldp global enable
#
vxlan tunnel mac-learning disable
#
l2vpn enable
vxlan tunnel arp-learning disable
#
vlan 11 to 12
#
m-lag mad exclude interface HundredGigE1/0/20
m-lag system-mac 0000-0000-0001
y
m-lag system-number 1
y
m-lag system-priority 100
y
m-lag keepalive ip destination 192.168.1.2 source 192.168.1.1
#
ip vpn-instance vpna
route-distinguisher 1:1
#
address-family ipv4
vpn-target 1:2 import-extcommunity
vpn-target 1:2 export-extcommunity
#
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
interface Vsi-interface1
ip binding vpn-instance vpna
ip address 10.18.11.254 255.255.255.0
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 101
#
interface Vsi-interface2
ip binding vpn-instance vpna
ip address 10.18.12.254 255.255.255.0
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 102
#
vsi bd11
gateway vsi-interface 1
vxlan 11
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
vsi bd12
gateway vsi-interface 2
vxlan 12
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11
link-aggregation mode dynamic
port m-lag group 1
#
service-instance 1
encapsulation s-vid 11
xconnect vsi bd11
#
interface Bridge-Aggregation2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 12
link-aggregation mode dynamic
port m-lag group 2
#
service-instance 1
encapsulation s-vid 12
xconnect vsi bd12
#
interface Bridge-Aggregation100
description for peer-link
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
port m-lag peer-link 1
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack1
ip address 10.1.1.1 255.255.255.255
#
interface HundredGigE1/0/1
port link-mode route
ip address 172.17.5.2 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/2
port link-mode route
ip address 172.17.6.2 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/20
port link-mode route
description for keepalive
ip address 192.168.1.1 255.255.255.252
#
interface HundredGigE1/0/3
port link-mode bridge
y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11
port link-aggregation group 1
#
interface HundredGigE1/0/4
port link-mode bridge
y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 12
port link-aggregation group 2
#
interface HundredGigE1/0/19
port link-mode bridge
y
port link-type trunk
port trunk permit vlan all
port link-aggregation group 100
#
evpn m-lag group 10.1.1.1
evpn global-mac 0000-5e00-1101
#
bgp 100
peer 11.1.1.1 as-number 100
peer 11.1.1.1 description to SP1
peer 11.1.1.1 connect-interface LoopBack0
peer 11.1.1.2 as-number 100
peer 11.1.1.2 description to SP2
peer 11.1.1.2 connect-interface LoopBack0
#
address-family l2vpn evpn
peer 11.1.1.1 enable
peer 11.1.1.2 enable
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.1 0.0.0.0
network 172.17.5.2 0.0.0.0
network 172.17.6.2 0.0.0.0
(9) DC-SL02
#
sysname Leaf-2
#
ip unreachables enable
ip ttl-expires enable
#
lldp global enable
#
vxlan tunnel mac-learning disable
#
l2vpn enable
vxlan tunnel arp-learning disable
#
vlan 11 to 12
#
m-lag mad exclude interface HundredGigE1/0/20
m-lag system-mac 0000-0000-0001
y
m-lag system-number 2
y
m-lag system-priority 100
y
m-lag keepalive ip destination 192.168.1.1 source 192.168.1.2
#
ip vpn-instance vpna
route-distinguisher 1:1
#
address-family ipv4
vpn-target 1:2 import-extcommunity
vpn-target 1:2 export-extcommunity
#
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
interface Vsi-interface1
ip binding vpn-instance vpna
ip address 10.18.11.254 255.255.255.0
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 101
#
interface Vsi-interface2
ip binding vpn-instance vpna
ip address 10.18.12.254 255.255.255.0
mac-address 0000-5e00-0102
local-proxy-arp enable
distributed-gateway local
l3-vni 102
#
vsi bd11
gateway vsi-interface 1
vxlan 11
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
vsi bd12
gateway vsi-interface 2
vxlan 12
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11
link-aggregation mode dynamic
port m-lag group 1
#
service-instance 1
encapsulation s-vid 11
xconnect vsi bd11
#
interface Bridge-Aggregation2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 12
link-aggregation mode dynamic
port m-lag group 2
#
service-instance 1
encapsulation s-vid 12
xconnect vsi bd12
#
interface Bridge-Aggregation100
description for peer-link
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
port m-lag peer-link 1
#
interface LoopBack0
ip address 1.1.1.2 255.255.255.255
#
interface LoopBack1
ip address 10.1.1.1 255.255.255.255
#
interface HundredGigE1/0/1
port link-mode route
ip address 172.17.7.2 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/2
port link-mode route
ip address 172.17.8.2 255.255.255.252
ospf network-type p2p
#
interface HundredGigE1/0/20
port link-mode route
description for keepalive
ip address 192.168.1.2 255.255.255.252
#
interface HundredGigE1/0/3
port link-mode bridge
y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 11
port link-aggregation group 1
#
interface HundredGigE1/0/4
port link-mode bridge
y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 12
port link-aggregation group 2
#
interface HundredGigE1/0/19
port link-mode bridge
y
port link-type trunk
port trunk permit vlan all
port link-aggregation group 100
#
evpn m-lag group 10.1.1.1
evpn global-mac 0000-5e00-1101
#
bgp 100
peer 11.1.1.1 as-number 100
peer 11.1.1.1 description to SP1
peer 11.1.1.1 connect-interface LoopBack0
peer 11.1.1.2 as-number 100
peer 11.1.1.2 description to SP2
peer 11.1.1.2 connect-interface LoopBack0
#
address-family l2vpn evpn
peer 11.1.1.1 enable
peer 11.1.1.2 enable
#
ospf 1 router-id 1.1.1.2
area 0.0.0.0
network 1.1.1.2 0.0.0.0
network 10.1.1.1 0.0.0.0
network 172.17.7.2 0.0.0.0
network 172.17.8.2 0.0.0.0
(10) DC-PC01
#
sysname PC01
#
vlan batch 11
#
interface Vlanif11
ip address 10.18.11.10 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11
mode lacp-static
#
interface GE1/0/0
undo shutdown
eth-trunk 1
#
interface GE1/0/1
undo shutdown
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 10.18.11.254
(11) DC-PC02
#
sysname PC02
#
vlan batch 12
#
interface Vlanif12
ip address 10.18.12.10 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 12
mode lacp-static
#
interface GE1/0/0
undo shutdown
eth-trunk 1
#
interface GE1/0/1
undo shutdown
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 10.18.12.254
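4. Lab results
(1) Check the BGP EVPN neighbors on the SPs. If any of them is in the Active state, it is recommended to delete BGP on the peer and configure it again.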


(2) Check M-LAG on the BLs and SLs. If anything is down, it can be recovered by entering the port and running undo shutdown.


(3) Both PC01 and PC02 can ping the external network, and the session logs can be seen on the FW.
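
A pre-flight check for the paired scripts above, as an added example that is not part of the original post: it compares the M-LAG and EVPN pairing parameters of two members using the relationships the BL01/BL02 scripts on this page follow (same system-mac, system-priority, group address and global-mac; different system-number; mirrored keepalive addresses). The function names and the trimmed config excerpts are constructed for illustration.

```python
import re

# Constructed excerpts: only the pairing-related lines of the DC-BL01 and
# DC-BL02 scripts on this page (the full scripts parse the same way).
BL01 = """
m-lag system-mac 0000-0000-0001
m-lag system-number 1
m-lag system-priority 100
m-lag keepalive ip destination 192.168.1.2 source 192.168.1.1
interface LoopBack1
ip address 20.1.1.1 255.255.255.255
interface HundredGigE1/0/20
ip address 192.168.1.1 255.255.255.252
evpn m-lag group 20.1.1.1
evpn global-mac 0000-5e00-110a
"""
BL02 = """
m-lag system-mac 0000-0000-0001
m-lag system-number 2
m-lag system-priority 100
m-lag keepalive ip destination 192.168.1.1 source 192.168.1.2
interface LoopBack1
ip address 20.1.1.1 255.255.255.255
interface HundredGigE1/0/20
ip address 192.168.1.2 255.255.255.252
evpn m-lag group 20.1.1.1
evpn global-mac 0000-5e00-110a
"""

PATTERNS = {
    "system_mac": r"^m-lag system-mac (\S+)$",
    "system_number": r"^m-lag system-number (\d+)$",
    "system_priority": r"^m-lag system-priority (\d+)$",
    "keepalive": r"^m-lag keepalive ip destination (\S+) source (\S+)$",
    "vtep_group": r"^evpn m-lag group (\S+)$",
    "global_mac": r"^evpn global-mac (\S+)$",
}

def extract(config):
    """Collect the pairing parameters and all interface addresses of one script."""
    found = {}
    for line in config.splitlines():
        for key, pattern in PATTERNS.items():
            m = re.match(pattern, line.strip())
            if m:
                found[key] = m.groups()  # always a tuple of captured fields
    found["addresses"] = set(re.findall(r"^\s*ip address (\S+) \S+$", config, re.M))
    return found

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches between two M-LAG members (empty if consistent)."""
    a, b = extract(cfg_a), extract(cfg_b)
    problems = [f"{n}: missing {k}" for n, d in (("A", a), ("B", b))
                for k in PATTERNS if k not in d]
    if problems:
        return problems
    for key in ("system_mac", "system_priority", "vtep_group", "global_mac"):
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key][0]} vs {b[key][0]}")
    if a["system_number"] == b["system_number"]:
        problems.append(f"system_number must differ, both are {a['system_number'][0]}")
    # keepalive is captured as (destination, source); the peer must mirror it
    if a["keepalive"] != b["keepalive"][::-1]:
        problems.append("keepalive destination/source are not mirrored")
    for name, dev in (("A", a), ("B", b)):
        if dev["keepalive"][1] not in dev["addresses"]:
            problems.append(f"{name}: keepalive source is not a local address")
        if dev["vtep_group"][0] not in dev["addresses"]:
            problems.append(f"{name}: evpn m-lag group address is not on any interface")
    return problems

if __name__ == "__main__":
    print(check_pair(BL01, BL02) or "pair is consistent")
```
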



5. Open issue: after replacing the USG6000V with the H3C vFW, traffic does not pass; the cause is still to be investigated.

(1) The configuration changes on BL01 and BL02 are as follows: keep only one aggregate interface and add all member ports to it.
==================BL01
undo int Bridge-Aggregation 2
int HundredGigE1/0/6
port link-aggregation group 1
==================BL02
undo int Bridge-Aggregation 2
int HundredGigE1/0/6
port link-aggregation group 1
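(2) The DC-FW01 configuration is as follows. One small regret: the H3C vFW does not seem to support configuring dual-active direct-link detection.
====================Stacking configuration: it is recommended to configure chassis convert mode irf on both the primary and the standby first, then restart FW01 first, and then do FW02
① Primary firewall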
#
sysname DC-FW01
#
irf topo-domain 100
#
irf-port
port group interface gigabitethernet 3/0
#
chassis convert mode irf
y
y
y
② Standby firewall
#
irf member 2
irf topo-domain 100
#
irf-port
port group interface gigabitethernet 3/0
#
chassis convert mode irf
y
y
y

#
sysname DC-FW01
#
interface Reth1
member interface GigabitEthernet1/4/0 priority 100
member interface GigabitEthernet2/4/0 priority 80
#
interface Route-Aggregation1
link-aggregation mode dynamic
#
interface Route-Aggregation1.11
ip address 172.17.11.2 255.255.255.252
vlan-type dot1q vid 11
#
interface Route-Aggregation1.12
ip address 172.17.12.2 255.255.255.252
vlan-type dot1q vid 12
#
interface GigabitEthernet1/1/0
port link-aggregation group 1
#
interface GigabitEthernet1/2/0
port link-aggregation group 1
#
interface GigabitEthernet2/1/0
port link-aggregation group 1
#
interface GigabitEthernet2/2/0
port link-aggregation group 1
#
security-zone name Trust
import interface Route-Aggregation1.11
#
security-zone name Untrust
import interface Route-Aggregation1.12
#
ip route-static 0.0.0.0 0 172.17.12.1
ip route-static 10.18.11.0 24 172.17.11.1
ip route-static 10.18.12.0 24 172.17.11.1
#
rule 0 name out
action pass
source-zone Trust
destination-zone Untrust
source-ip-subnet 10.18.11.0 255.255.255.0
source-ip-subnet 10.18.12.0 255.255.255.0
destination-ip-host 88.1.1.1
(3) Check the M-LAG status on the BLs



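(4) PC01 and PC02 ping test. Strangely, session table entries are created on the FW, but the packet counts in both the forward and return directions are 0; I do not know whether this is a simulator bug. Capturing further on HGE1/0/1 of BL01, the ICMP Request and ICMP Reply packets can be seen. My initial suspicion is that vFW data forwarding has a problem; there is no conclusion yet.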



