- Table of Contents
- Related Documents
-
Title | Size | Download |
---|---|---|
02-EVPN VXLAN configuration | 347.48 KB |
Assignment of traffic to VXLANs
Restrictions and guidelines: EVPN VXLAN configuration
Restrictions and guidelines for VXLAN configuration on a VSI
Restrictions and guidelines for EVPN multihoming
Assigning an ESI to an interface
Disabling advertisement of EVPN multihoming routes
Configuring BGP to advertise BGP EVPN routes
Restrictions and guidelines for BGP EVPN route advertisement
Enabling BGP to advertise BGP EVPN routes
Configuring BGP EVPN route settings
Restrictions and guidelines for AC-to-VSI mapping
Mapping a static Ethernet service instance to a VSI
Mapping dynamic Ethernet service instances to VSIs
Managing remote MAC address entries and remote ARP or ND learning
Disabling remote MAC address learning and remote ARP or ND learning
Disabling MAC address advertisement
Enabling MAC mobility event suppression
Disabling learning of MAC addresses from ARP or ND information
Enabling conversational learning for remote MAC address entries
Configuring BGP EVPN route redistribution and advertisement
Redistributing MAC/IP advertisement routes into BGP unicast routing tables
Enabling BGP EVPN route advertisement to the local site
Enabling ARP flood suppression
Enabling packet statistics for VXLAN tunnels
Setting the L2VPN statistics collection interval
Testing the connectivity of a VXLAN tunnel
Software version compatibility with this feature
Pinging a VXLAN tunnel destination
Tracing the path to a VXLAN tunnel destination
Display and maintenance commands for EVPN
Configuring EVPN VXLAN
About EVPN VXLAN
EVPN VXLAN uses EVPN routes for VXLAN tunnel establishment and assignment and MAC reachability information advertisement in the control plane and uses VXLAN for forwarding in the data plane.
Network model
As shown in Figure 1, EVPN uses the VXLAN technology for traffic forwarding in the data plane. The transport edge devices assign user terminals to different VXLANs, and then forward traffic between sites for user terminals by using VXLAN tunnels. The transport edge devices are VXLAN tunnel endpoints (VTEPs).
The EVPN network sites and transport network can be IPv4 or IPv6 networks. Supported user terminals include PCs, wireless terminals, and VMs on servers.
|
NOTE: This document uses VMs as examples to describe the mechanisms of EVPN. The mechanisms do not differ between different kinds of user terminals. |
A VTEP uses ESs, VSIs, and VXLAN tunnels to provide VXLAN services:
· Ethernet segment (ES)—An ES is a link that connects a site to a VTEP. Each ES is uniquely identified by an Ethernet segment identifier (ESI).
· VSI—A virtual switch instance is a virtual Layer 2 switched domain. Each VSI provides switching services only for one VXLAN. VSIs learn MAC addresses and forward frames independently of one another. User terminals in different sites have Layer 2 connectivity if they are in the same VXLAN. A VXLAN is identified by a 24-bit VXLAN ID which is also called the virtual network identifier (VNI). A VXLAN corresponds to an EVPN instance.
· VXLAN tunnel—Logical point-to-point tunnels between VTEPs over the transport network. Each VXLAN tunnel can trunk multiple VXLANs.
All VXLAN processing is performed on VTEPs. The ingress VTEP encapsulates VXLAN traffic in the VXLAN, outer UDP, and outer IP headers, and forwards the traffic through VXLAN tunnels. The egress VTEP removes the VXLAN encapsulation and forwards the traffic to the destination. Transport network devices (for example, the P device in Figure 1) forward VXLAN traffic only based on the outer IP header of VXLAN packets.
Configuration automation
VTEPs advertise the VXLAN IDs they have through IMET routes. If two VTEPs have the same VXLAN ID, they automatically establish a VXLAN tunnel and assign the tunnel to the VXLAN.
Assignment of traffic to VXLANs
Traffic from the local site to a remote site
The VTEP uses an Ethernet service instance to match customer traffic on a site-facing interface. The VTEP assigns customer traffic to a VXLAN by mapping the Ethernet service instance to a VSI.
An Ethernet service instance is identical to an attachment circuit (AC) in L2VPN. An Ethernet service instance matches a list of VLANs on a Layer 2 Ethernet interface by using a frame match criterion. The frame match criterion specifies the characteristics of traffic from the VLANs, such as tagging status and VLAN IDs.
As shown in Figure 2, Ethernet service instance 1 matches VLAN 2 and is mapped to VSI A (VXLAN 10). When a frame from VLAN 2 arrives, the VTEP assigns the frame to VXLAN 10, and looks up VSI A's MAC address table for the outgoing interface.
Figure 2 Identifying traffic from the local site
Traffic from a remote site to the local site
When a VXLAN packet arrives at a VXLAN tunnel interface, the VTEP uses the VXLAN ID in the packet to identify its VXLAN.
Layer 2 forwarding
MAC learning
The VTEP performs Layer 2 forwarding based on a VSI's MAC address table. The VTEP learns MAC addresses by using the following methods:
· Local MAC learning—The VTEP automatically learns the source MAC addresses of frames sent from the local site. The outgoing interfaces of local MAC address entries are site-facing interfaces on which the MAC addresses are learned.
· Remote MAC learning—The VTEP uses MP-BGP to advertise local MAC reachability information to remote sites and learn MAC reachability information from remote sites. The outgoing interfaces of MAC address entries advertised from a remote site are VXLAN tunnel interfaces.
Unicast
As shown in Figure 3, the VTEP performs typical Layer 2 forwarding for known unicast traffic within the local site.
As shown in Figure 4, the following process applies to a known unicast frame between sites:
1. The source VTEP encapsulates the Ethernet frame in the VXLAN/UDP/IP header.
In the outer IP header, the source IP address is the source VTEP's VXLAN tunnel source IP address. The destination IP address is the VXLAN tunnel destination IP address.
2. The source VTEP forwards the encapsulated packet out of the outgoing VXLAN tunnel interface found in the VSI's MAC address table.
3. The intermediate transport devices (P devices) forward the packet to the destination VTEP by using the outer IP header.
4. The destination VTEP removes the headers on top of the inner Ethernet frame. It then performs MAC address table lookup in the VXLAN's VSI to forward the frame out of the matching outgoing interface.
Flood
As shown in Figure 5, a VTEP floods a broadcast, multicast, or unknown unicast frame to all site-facing interfaces and VXLAN tunnels in the VXLAN, except for the incoming interface. The source VTEP replicates the flood frame, and then sends one replica to the destination IP address of each VXLAN tunnel in the VXLAN. Each destination VTEP floods the inner Ethernet frame to all the site-facing interfaces in the VXLAN. To avoid loops, the destination VTEPs do not flood the frame to VXLAN tunnels.
Figure 5 Forwarding of flood traffic
EVPN VXLAN multihoming
IMPORTANT: EVPN multihoming supports only IPv4 underlay networks. |
About EVPN multihoming
As shown in Figure 6, EVPN supports deploying multiple VTEPs at a site for redundancy and high availability. On the redundant VTEPs, Ethernet links connected to the site form an Ethernet segment (ES) that is uniquely identified by an Ethernet segment identifier (ESI).
DF election
To prevent redundant VTEPs from sending duplicate flood traffic to a multihomed site, a designated forwarder (DF) is elected from the VTEPs for each AC to forward flood traffic to the AC. VTEPs that fail the election are assigned the backup designated forwarder (BDF) role. BDFs of an AC do not forward flood traffic to the AC.
A remote VTEP takes part in the DF election of a multihomed site. Redundant VTEPs of the site send Ethernet segment routes to the remote VTEP to advertise ES and VTEP IP mappings. Then, the VTEPs select a DF for each AC based on the ES and VTEP IP mappings by using the following procedure:
2. Divide the lowest VLAN ID permitted on an AC by the number of the redundant VTEPs, and match the reminder to the sequence numbers of IP addresses.
3. Assign the DF role to the VTEP that uses the IP address with the matching sequence number.
The following uses AC 1 in Figure 7 as an example to explain the DF election procedure:
1. VTEP 1 and VTEP 2 send Ethernet segment routes to VTEP 3.
2. Sequence numbers 0 and 1 are assigned to IP addresses 1.1.1.1 and 2.2.2.2 in the Ethernet segment routes, respectively.
3. The VTEPs divide 4 (the lowest VLAN ID permitted by AC 1) by 2 (the number of redundant VTEPs), and match the reminder 0 to the sequence numbers of the IP addresses.
4. The DF role is assigned to VTEP 1 at 1.1.1.1.
Split horizon
In a multihomed site, a VTEP forwards multicast, broadcast, and unknown unicast frames received from ACs out of all site-facing interfaces and VXLAN tunnels in the corresponding VXLAN, except for the incoming interface. As a result, the other VTEPs at the site receive these flood frames and forward them to site-facing interfaces, which causes duplicate floods and loops. EVPN introduces split horizon to resolve this issue. Split horizon disables a VTEP from forwarding flood traffic received from another local VTEP to site-facing interfaces if an ES on that local VTEP has the same ESI as these interfaces. As shown in Figure 8, both VTEP 1 and VTEP 2 have ES 1. When receiving flood traffic from VTEP 1, VTEP 2 does not forward the traffic to interfaces with ESI 1.
Redundancy mode
The device supports the all-active redundancy mode of EVPN multihoming. This mode allows all redundant VTEPs at a multihomed site to forward broadcast, multicast, and unknown unicast traffic.
· For flood frames received from remotes sites, a VTEP forwards them to the ACs of which it is the DF.
· For flood frames received from the local site, a VTEP forwards them out of all site-facing interfaces and VXLAN tunnels in the corresponding VXLAN, except for the incoming interfaces. For flood frames to be sent out of a VXLAN tunnel interface, a VTEP replicates each flood frame and sends one replica to all the other VTEPs in the corresponding VXLAN.
IP aliasing
In all-active redundancy mode, all redundant VTEPs of an ES advertise the ES to remote VTEPs through MP-BGP. IP aliasing allows a remote VTEP to add the IP addresses of all the redundant VTEPs as the next hops for the MAC or ARP information received from one of these VTEPs. This mechanism creates ECMP routes between the remote VTEP and the redundant VTEPs.
ARP flood suppression
ARP flood suppression reduces ARP request broadcasts by enabling the VTEP to reply to ARP requests on behalf of VMs.
As shown in Figure 9, this feature snoops ARP requests, ARP responses, and BGP EVPN routes to populate the ARP flood suppression table with local and remote MAC addresses. If an ARP request has a matching entry, the VTEP replies to the request on behalf of the VM. If no match is found, the VTEP floods the request to both local and remote sites.
Figure 9 ARP flood suppression
The following is the ARP flood suppression workflow:
1. VM 1 sends an ARP request to obtain the MAC address of VM 7.
2. VTEP 1 creates a suppression entry for VM 1, floods the ARP request in the VXLAN, and sends the suppression entry to VTEP 2 and VTEP 3 through BGP EVPN.
3. VTEP 2 and VTEP 3 de-encapsulate the ARP request and broadcast the request in the local site.
4. VM 7 sends an ARP reply.
5. VTEP 2 creates a suppression entry for VM 7, forwards the ARP reply to VTEP 1, and sends the suppression entry to VTEP 1 and VTEP 3 through BGP EVPN.
6. VTEP 1 de-encapsulates the ARP reply and forwards the ARP reply to VM 1.
7. VM 4 sends an ARP request to obtain the MAC address of VM 1.
8. VTEP 1 creates a suppression entry for VM 4 and replies to the ARP request.
9. VM 10 sends an ARP request to obtain the MAC address of VM 1.
10. VTEP 3 creates a suppression entry for VM 10 and replies to the ARP request.
MAC mobility
MAC mobility refers to that a VM or host moves from one ES to another. The source VTEP is unaware of the MAC move event. To notify other VTEPs of the change, the destination VTEP advertises a MAC/IP advertisement route for the MAC address. The source VTEP withdraws the old route for the MAC address after receiving the new route. The MAC/IP advertisement route has a sequence number that increases when the MAC address moves. The sequence number identifies the most recent move if the MAC address moves multiple times.
Restrictions and guidelines: EVPN VXLAN configuration
Make sure the following VXLAN tunnels are not associated with the same VXLAN when they have the same tunnel destination IP address:
· A VXLAN tunnel automatically created by EVPN.
· A manually created VXLAN tunnel.
For more information about manual tunnel configuration, see VXLAN Configuration Guide.
If two tiers of spine devices act as RRs in the transport network, execute the peer route-update-interval command to speed up network convergence after device or link failure occurs. For more information about this command, see BGP commands in Layer 3—IP Routing Command Reference.
EVPN VXLAN tasks at a glance
To configure EVPN VXLAN, perform the following tasks:
1. Configuring a VXLAN on a VSI
b. (Optional.) Configuring VSI parameters
2. Configuring an EVPN instance
3. (Optional.) Configuring EVPN multihoming
a. Assigning an ESI to an interface
b. (Optional.) Setting the DF election delay
c. Disabling advertisement of EVPN multihoming routes
4. Configuring BGP to advertise BGP EVPN routes
6. (Optional.) Managing remote MAC address entries and remote ARP or ND learning
¡ Disabling remote MAC address learning and remote ARP or ND learning
¡ Disabling MAC address advertisement
¡ Enabling MAC mobility event suppression
¡ Disabling learning of MAC addresses from ARP or ND information
7. (Optional.) Enabling conversational learning for remote MAC address entries
To save device hardware resources, remote MAC entries are issued to the hardware only when the entries are required for packet forwarding.
8. (Optional.) Configuring BGP EVPN route redistribution and advertisement
¡ Redistributing MAC/IP advertisement routes into BGP unicast routing tables
¡ Enabling BGP EVPN route advertisement to the local site
9. (Optional.) Maintaining and optimizing an EVPN network
¡ Disabling flooding for a VSI
¡ Enabling ARP flood suppression
¡ Enabling packet statistics for VXLAN tunnels
¡ Setting the L2VPN statistics collection interval
¡ Testing the connectivity of a VXLAN tunnel
Configuring a VXLAN on a VSI
Restrictions and guidelines for VXLAN configuration on a VSI
For more information about the VXLAN commands in this task, see VXLAN Command Reference.
Creating a VXLAN on a VSI
1. Enter system view.
system-view
2. Enable L2VPN.
l2vpn enable
By default, L2VPN is disabled.
3. Create a VSI and enter VSI view.
vsi vsi-name
4. Enable the VSI.
undo shutdown
By default, a VSI is enabled.
5. Create a VXLAN and enter VXLAN view.
vxlan vxlan-id
You can create only one VXLAN on a VSI. The VXLAN ID must be unique for each VSI.
Configuring VSI parameters
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Configure a VSI description.
description text
By default, a VSI does not have a description.
4. Set the MTU for the VSI.
mtu size
The default MTU is 1500 bytes for a VSI.
5. Set the maximum bandwidth for known unicast traffic of the VSI.
bandwidth bandwidth
By default, the maximum bandwidth is not limited for known unicast traffic of a VSI.
6. Set the broadcast, unknown multicast, or unknown unicast restraint bandwidth for the VSI.
restrain { broadcast | multicast | unknown-unicast } bandwidth
By default, a VSI's broadcast restraint bandwidth, unknown multicast restraint bandwidth, and unknown unicast restraint bandwidth are not set.
7. Enable MAC address learning for the VSI.
mac-learning enable
By default, MAC address learning is enabled for a VSI.
Configuring an EVPN instance
About this task
If a VXLAN requires only Layer 2 connectivity, you do not need to associate a VPN instance with it. The BGP EVPN routes advertised by a VTEP carry the RD and route targets configured for the EVPN instance associated with the VXLAN.
Procedure
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Create an EVPN instance and enter EVPN instance view.
evpn encapsulation vxlan
4. Configure an RD for the EVPN instance.
route-distinguisher { route-distinguisher | auto [ router-id ] }
By default, no RD is configured for an EVPN instance.
5. Configure route targets for the EVPN instance.
vpn-target { vpn-target&<1-8> | auto } [ both | export-extcommunity | import-extcommunity ]
By default, an EVPN instance does not have route targets.
Configuring EVPN multihoming
Restrictions and guidelines for EVPN multihoming
In a multihomed site, AC configuration and VXLAN IDs must be consistent on redundant VTEPs of the same ES. For each VXLAN ID, you must configure unique RDs for the EVPN instance of VSIs on the redundant VTEPs.
Assigning an ESI to an interface
About this task
An ESI uniquely identifies an ES. The links on interfaces with the same ESI belong to the same ES. Traffic of the ES can be distributed among the links for load sharing.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
¡ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Assign an ESI to the interface.
esi esi-id
By default, no ESI is assigned to an interface.
Setting the DF election delay
About this task
The DF election can be triggered by site-facing interface status changes, redundant VTEP membership changes, and interface ESI changes. To prevent frequent DF elections from degrading network performance, set the DF election delay. The DF election delay defines the minimum interval allowed between two DF elections.
Procedure
1. Enter system view.
system-view
2. Set the DF election delay.
evpn multihoming timer df-delay delay-value
By default, the DF election delay is 3 seconds.
Disabling advertisement of EVPN multihoming routes
About this task
EVPN multihoming routes include Ethernet auto-discovery routes and Ethernet segment routes.
In a multihomed EVPN network, perform this task on a redundant VTEP before you reboot it. This operation allows other VTEPs to refresh their EVPN routing table to prevent traffic interruption caused by the reboot.
Procedure
1. Enter system view.
system-view
2. Disable advertisement of EVPN multihoming routes and withdraw the EVPN multihoming routes that have been advertised to remote sites.
evpn multihoming advertise disable
By default, the device advertises EVPN multihoming routes.
Configuring BGP to advertise BGP EVPN routes
Restrictions and guidelines for BGP EVPN route advertisement
For more information about BGP commands in this task, see Layer 3—IP Routing Command Reference.
Enabling BGP to advertise BGP EVPN routes
1. Enter system view.
system-view
2. Configure a global router ID.
router id router-id
By default, no global router ID is configured.
3. Enable a BGP instance and enter BGP instance view.
bgp as-number [ instance instance-name ]
By default, BGP is disabled and no BGP instances exist.
4. Specify remote VTEPs as BGP peers.
peer { group-name | ipv4-address [ mask-length ] } as-number as-number
5. Create the BGP EVPN address family and enter BGP EVPN address family view.
address-family l2vpn evpn
6. Enable BGP to exchange BGP EVPN routes with a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } enable
By default, BGP does not exchange BGP EVPN routes with peers.
Configuring BGP EVPN route settings
Configuring BGP EVPN to advertise default routes
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP EVPN address family view.
address-family l2vpn evpn
4. Advertise a default route to a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } default-route-advertise { ipv4 | ipv6 } vpn-instance vpn-instance-name
By default, no default route is advertised to any peers or peer groups.
Configuring attributes of BGP EVPN routes
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP EVPN address family view.
address-family l2vpn evpn
4. Permit the local AS number to appear in routes from a peer or peer group and set the number of appearances.
peer { group-name | ipv4-address [ mask-length ] } allow-as-loop [ number ]
By default, the local AS number is not allowed in routes from peers.
5. Advertise the COMMUNITY attribute to a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } advertise-community
By default, the device does not advertise the COMMUNITY attribute to peers or peer groups.
Configuring optimal BGP EVPN route selection
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP EVPN address family view.
address-family l2vpn evpn
4. Configure BGP to prefer routes with an IPv6 next hop during optimal route selection.
bestroute ipv6-nexthop
By default, BGP prefer routes with an IPv4 next hop during optimal route selection.
5. (Optional.) Set the optimal route selection delay timer.
route-select delay delay-value
By default, the optimal route selection delay timer is 0 seconds, which means optimal route selection is not delayed.
Configuring BGP route reflection
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP EVPN address family view.
address-family l2vpn evpn
4. Configure the device as an RR and specify a peer or peer group as its client.
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } reflect-client
By default, no RR or client is configured.
5. (Optional.) Enable BGP EVPN route reflection between clients.
reflect between-clients
By default, BGP EVPN route reflection between clients is enabled.
6. (Optional.) Configure the cluster ID of the RR.
reflector cluster-id { cluster-id | ipv4-address }
By default, an RR uses its own router ID as the cluster ID.
7. (Optional.) Create a reflection policy for the RR to filter reflected BGP EVPN routes.
rr-filter ext-comm-list-number
By default, an RR does not filter reflected BGP EVPN routes.
8. (Optional.) Enable the RR to change the attributes of routes to be reflected.
reflect change-path-attribute
By default, an RR cannot change the attributes of routes to be reflected.
Filtering BGP EVPN routes
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP EVPN address family view.
address-family l2vpn evpn
4. Apply a routing policy to routes received from or advertised to a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } route-policy route-policy-name { export | import }
By default, no routing policies are applied to routes received from or advertised to peers or peer groups.
5. Enable route target filtering for BGP EVPN routes.
policy vpn-target
By default, route target filtering is enabled for BGP EVPN routes.
Maintaining BGP sessions
Perform the following tasks in user view:
· Reset BGP sessions of the BGP EVPN address family.
reset bgp [ instance instance-name ] { as-number | ipv4-address [ mask-length ] | all | external | group group-name | internal } l2vpn evpn
· Soft-reset BGP sessions of the BGP EVPN address family.
refresh bgp [ instance instance-name ] { ipv4-address [ mask-length ] | all | external | group group-name | internal } { export | import } l2vpn evpn
Mapping ACs to a VSI
Restrictions and guidelines for AC-to-VSI mapping
An Ethernet interface might reflect back the ARP, ND, DHCP, and DHCPv6 packets that do not match the Ethernet service instances on the interface. To resolve this issue, assign the Ethernet interface to a port isolation group to disable it from reflecting packets back.
Mapping a static Ethernet service instance to a VSI
About this task
A static Ethernet service instance matches a list of VLANs on a site-facing interface by using a frame match criterion. The VTEP assigns traffic from the VLANs to a VXLAN by mapping the Ethernet service instance to a VSI. The VSI performs Layer 2 forwarding for the VLANs based on its MAC address table.
For more information about the VXLAN commands in this task, see VXLAN Command Reference.
Restrictions and guidelines
Ethernet service instance bindings of VSIs are mutually exclusive with port security, port bridging, QinQ, and VLAN mapping on a Layer 2 Ethernet interface or Layer 2 aggregate interface. Do not configure these features simultaneously on the same interface. Otherwise, the features cannot take effect.
Do not configure an aggregate interface as an edge aggregate interface if it has Ethernet service instances. If you have to create Ethernet service instances on an edge aggregate interface, also configure the interface and its subinterfaces as ACs.
If an Ethernet service instance matches both inner and outer VLAN IDs on an interface, do not configure other Ethernet service instances to match the same outer VLAN ID on that interface.
Make sure the VLANs that Ethernet service instances match have been created on the device, and the interfaces where the Ethernet service instances are have been assigned to these VLANs.
For information about the frame match criterion configuration restrictions and guidelines of Ethernet service instances, see VXLAN Command Reference.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
¡ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Create an Ethernet service instance and enter Ethernet service instance view.
service-instance instance-id
4. Choose one option to configure a frame match criterion.
¡ Match frames with the specified outer VLAN tags.
encapsulation s-vid vlan-id [ only-tagged ]
encapsulation s-vid vlan-id-list
¡ Match frames with the specified inner and outer VLAN tags.
encapsulation s-vid vlan-id-list c-vid vlan-id
encapsulation s-vid vlan-id c-vid { vlan-id | all }
¡ Match any VLAN tagged or untagged frames.
encapsulation { tagged | untagged }
¡ Match frames that do not match any other service instance on the interface.
encapsulation default
An interface can contain only one Ethernet service instance that uses the encapsulation default criterion.
An Ethernet service instance that uses the encapsulation default criterion matches any frames if it is the only instance on the interface.
By default, an Ethernet service instance does not contain a frame match criterion.
5. Map the Ethernet service instance to a VSI.
xconnect vsi vsi-name [ access-mode { ethernet | vlan } ] [ track track-entry-number&<1-3> ]
By default, an Ethernet service instance is not mapped to any VSI.
Mapping dynamic Ethernet service instances to VSIs
About this task
The 802.1X or MAC authentication feature can use the authorization VSI, the guest VSI, the Auth-Fail VSI, and the critical VSI to control the access of users to network resources. When assigning a user to a VSI, 802.1X or MAC authentication sends the VXLAN feature the VSI information and the user's access information, including access interface, VLAN, and MAC address. Then the VXLAN feature creates a dynamic Ethernet service instance for the user and maps it to the VSI. For more information about 802.1X authentication and MAC authentication, see Security Configuration Guide.
A dynamic Ethernet service instance supports the following traffic match modes:
· VLAN-based mode—Matches frames by VLAN ID.
· MAC-based mode—Matches frames by VLAN ID and source MAC address.
By default, dynamic Ethernet service instances use VLAN-based traffic match mode. To use MAC-based traffic match mode for dynamic Ethernet service instances, you must enable MAC authentication or 802.1X authentication that uses MAC-based access control.
Restrictions and guidelines for dynamic Ethernet service instance mappings
Dynamic Ethernet service instances cannot be created on member ports of a Layer 2 aggregation group.
Configuring the VLAN-based traffic match mode
To use the VLAN-based traffic match mode, configure 802.1X authentication or MAC authentication and perform one of the following tasks:
· Configure the guest VSI, Auth-Fail VSI, or critical VSI on the 802.1X- or MAC authentication-enabled interface.
· Issue an authorization VSI to an 802.1X or MAC authentication user from a remote AAA server.
Then, the device will automatically create a dynamic Ethernet service instance for the 802.1X or MAC authentication user and map the Ethernet service instance to a VSI.
For more information about configuring 802.1X authentication and MAC authentication, see Security Configuration Guide.
Configuring the MAC-based traffic match mode
1. Enter system view.
system-view
2. Enter interface view.
¡ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Enable MAC-based traffic match mode for dynamic Ethernet service instances on the interface.
mac-based ac
By default, VLAN-based traffic match mode is used for dynamic Ethernet service instances.
For more information about this command, see VXLAN Command Reference.
4. Enable MAC authentication or 802.1X authentication that uses MAC-based access control.
To use the MAC-based traffic match mode, configure MAC authentication or 802.1X authentication that uses MAC-based access control and perform one of the following tasks:
¡ Configure the guest VSI, Auth-Fail VSI, or critical VSI on the 802.1X- or MAC authentication-enabled interface.
¡ Issue an authorization VSI to an 802.1X or MAC authentication user from a remote AAA server.
Then, the device will automatically create a dynamic Ethernet service instance for the 802.1X or MAC authentication user and map the Ethernet service instance to a VSI.
For more information about configuring 802.1X authentication and MAC authentication, see Security Configuration Guide.
Managing remote MAC address entries and remote ARP or ND learning
Disabling remote MAC address learning and remote ARP or ND learning
About this task
By default, the device learns MAC information, ARP information, and ND information of remote user terminals from packets received on VXLAN tunnel interfaces. The automatically learned remote MAC, ARP, and ND information might conflict with the remote MAC, ARP, and ND information advertised through BGP. As a best practice to avoid the conflicts, disable remote MAC address learning and remote ARP or ND learning on the device.
For more information about the VXLAN commands in this task, see VXLAN Command Reference.
Procedure
1. Enter system view.
system-view
2. Disable remote MAC address learning.
vxlan tunnel mac-learning disable
By default, remote MAC address learning is enabled.
3. Disable remote ARP learning.
vxlan tunnel arp-learning disable
By default, remote ARP learning is enabled.
4. Disable remote ND learning.
vxlan tunnel nd-learning disable
By default, remote ND learning is enabled.
Disabling MAC address advertisement
About this task
The MAC information and ARP or ND information advertised by the VTEP overlap. To avoid duplication, disable MAC address advertisement and withdraw the MAC addresses advertised to remote VTEPs.
Procedure
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Enter VSI EVPN instance view.
evpn encapsulation vxlan
4. Disable MAC address advertisement and withdraw advertised MAC addresses.
mac-advertising disable
By default, MAC address advertisement is enabled.
Enabling MAC mobility event suppression
About this task
On an EVPN VXLAN network, misconfiguration of MAC addresses might cause two sites to contain the same MAC address. In this condition, VTEPs at the two sites constantly synchronize and update EVPN MAC entries and determine that MAC mobility events occur. As a result, an inter-site loop might occur, and the bandwidth is occupied by MAC entry synchronization traffic. To eliminate loops and suppress those MAC mobility events, enable MAC mobility event suppression on the VTEPs. This feature allows a MAC address to move at most four times from a site within 180 seconds. If a MAC address moves more than four times within 180 seconds, the VTEP at the site will suppress the excess MAC mobility events and will not advertise information about the MAC address.
Restrictions and guidelines
After you execute the undo evpn route mac-mobility suppression command, a VTEP acts as follows:
· Advertises MAC address entries immediately for the suppressed MAC address entries that have not aged out.
· Relearns the MAC addresses for the suppressed MAC address entries that have aged out and advertises the MAC address entries.
Procedure
1. Enter system view.
system-view
2. Enable MAC mobility event suppression.
evpn route mac-mobility suppression
By default, MAC mobility event suppression is disabled.
Disabling learning of MAC addresses from ARP or ND information
About this task
The MAC information and ARP or ND information advertised by a remote VTEP overlap. To avoid duplication, disable the learning of MAC addresses from ARP or ND information. EVPN will learn remote MAC addresses only from the MAC information advertised from remote sites.
Procedure
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Enter VSI EVPN instance view.
evpn encapsulation vxlan
4. Disable the EVPN instance from learning MAC addresses from ARP information.
arp mac-learning disable
By default, an EVPN instance learns MAC addresses from ARP information.
5. Disable the EVPN instance from learning MAC addresses from ND information.
nd mac-learning disable
By default, an EVPN instance learns MAC addresses from ND information.
Enabling conversational learning for remote MAC address entries
About this task
By default, the device issues a remote MAC address entry to the hardware after the remote MAC address is advertised to the local site by BGP EVPN routes. This feature enables the device to issue a remote MAC address entry to the hardware only when the entry is required for packet forwarding. This feature saves hardware resources on the device.
With this feature enabled, the device generates a blackhole MAC address entry for an unknown MAC address if receiving 50 frames destined for that MAC address within the MAC aging time. For more information about the MAC aging time and blackhole MAC address entries, see MAC address table configuration in Layer 2—LAN Switching Configuration Guide.
Restrictions and guidelines
Perform this task only on an EVPN network.
Procedure
1. Enter system view.
system-view
2. Enable conversational learning for remote MAC address entries.
mac-address forwarding-conversational-learning
By default, conversational learning is disabled for remote MAC address entries.
Configuring BGP EVPN route redistribution and advertisement
Redistributing MAC/IP advertisement routes into BGP unicast routing tables
About this task
This task enables the device to redistribute received MAC/IP advertisement routes that contain ARP or ND information into a BGP unicast routing table.
· If you perform this task for the BGP IPv4 or IPv6 unicast address family, the device will redistribute the routes into the BGP IPv4 or IPv6 unicast routing table. In addition, the device will advertise the routes to the local site.
· If you perform this task for the BGP-VPN IPv4 or IPv6 unicast address family, the device will redistribute the routes into the BGP-VPN IPv4 or IPv6 unicast routing table of the corresponding VPN instance. To advertise the routes to the local site, you must configure the advertise l2vpn evpn command.
Procedure (BGP instance view)
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP IPv4 or IPv6 unicast address family view.
address-family { ipv4 | ipv6 }
4. Redistribute MAC/IP advertisement routes that contain ARP or ND information into the BGP IPv4 or IPv6 unicast routing table.
import evpn mac-ip
By default, MAC/IP advertisement routes that contain ARP or ND information are not redistributed into the BGP IPv4 or IPv6 unicast routing table.
Procedure (BGP-VPN instance view)
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
4. Enter BGP-VPN IPv4 or IPv6 unicast address family view.
address-family { ipv4 | ipv6 }
5. Redistribute MAC/IP advertisement routes that contain ARP or ND information into the BGP-VPN IPv4 or IPv6 unicast routing table.
import evpn mac-ip
By default, MAC/IP advertisement routes that contain ARP or ND information are not redistributed into the BGP-VPN IPv4 or IPv6 unicast routing table.
Enabling BGP EVPN route advertisement to the local site
About this task
This feature enables the device to advertise BGP EVPN routes to the local site after the device adds the routes to the routing table of a VPN instance. The BGP EVPN routes here are MAC/IP advertisement routes that contain ARP or ND information.
Procedure (IPv4)
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
4. Enter BGP-VPN IPv4 unicast address family view.
address-family ipv4 [ unicast ]
5. Enable BGP EVPN route advertisement to the local site.
advertise l2vpn evpn
By default, BGP EVPN route advertisement to the local site is enabled.
Procedure (IPv6)
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
4. Enter BGP-VPN IPv6 unicast address family view.
address-family ipv6 [ unicast ]
5. Enable BGP EVPN route advertisement to the local site.
advertise l2vpn evpn
By default, BGP EVPN route advertisement to the local site is enabled.
Disabling flooding for a VSI
About this task
By default, the VTEP floods broadcast, unknown unicast, and unknown multicast frames received from the local site to the following interfaces in the frame's VXLAN:
· All site-facing interfaces except for the incoming interface.
· All VXLAN tunnel interfaces.
When receiving broadcast, unknown unicast, and unknown multicast frames on VXLAN tunnel interfaces, the device floods the frames to all site-facing interfaces in the frames' VXLAN.
To confine a kind of flood traffic, disable flooding for that kind of flood traffic on the VSI bound to the VXLAN.
You can use selective flood to exclude a remote MAC address from the remote flood suppression done by using the flooding disable command. The VTEP will flood the frames destined for the specified MAC address to remote sites when floods are confined to the local site.
For more information about the VXLAN commands in this task, see VXLAN Command Reference.
Procedure
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Disable flooding for the VSI.
flooding disable { all | { broadcast | unknown-multicast | unknown-unicast } * } [ all-direction ]
By default, flooding is enabled for a VSI.
4. (Optional.) Enable selective flood for a MAC address.
selective-flooding mac-address mac-address
Enabling ARP flood suppression
About this task
Use ARP flood suppression to reduce ARP request broadcasts.
The aging timer is fixed at 25 minutes for ARP flood suppression entries. If the flooding disable command is configured, set the MAC aging timer to a higher value than the aging timer for ARP flood suppression entries on all VTEPs. This setting prevents the traffic blackhole that occurs when a MAC address entry ages out before its ARP flood suppression entry ages out. To set the MAC aging timer, use the mac-address timer command.
When remote ARP learning is disabled for VXLANs, the device does not use ARP flood suppression entries to respond to ARP requests received on VXLAN tunnels.
Procedure
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Enable ARP flood suppression.
arp suppression enable
By default, ARP flood suppression is disabled.
For more information about this command, see VXLAN Command Reference.
Enabling packet statistics for VXLAN tunnels
About this task
Perform this task to enable packet statistics globally for automatically created VXLAN tunnels.
To display the packet statistics for a VXLAN tunnel, use the display interface tunnel command in any view.
To clear the packet statistics for a VXLAN tunnel, use the reset counters interface tunnel command in user view.
Procedure
1. Enter system view.
system-view
2. Enable packet statistics for automatically created VXLAN tunnels.
tunnel statistics vxlan auto
By default, the packet statistics feature is disabled for automatically created VXLAN tunnels.
For more information about this command, see VXLAN Command Reference.
Setting the L2VPN statistics collection interval
About this task
Perform this task to set the interval for collecting VSI, AC, and VXLAN tunnel packet statistics.
Software version and feature compatibility
This feature is supported only in Release 6635 and later.
Procedure
1. Enter system view.
system-view
2. Set the L2VPN statistics collection interval
l2vpn statistics interval interval
The default L2VPN statistics collection interval is 15 minutes.
For more information about this command, see VXLAN Command Reference.
Testing the connectivity of a VXLAN tunnel
Software version compatibility with this feature
This feature is supported only in Release 6635 and later.
Enabling overlay OAM
About this task
You must enable overlay OAM on the tunnel destination device for a VXLAN tunnel before you can use the ping vxlan or tracert vxlan command to test reachability of the VXLAN tunnel on the tunnel source device.
Restrictions and guidelines
To specify the -r 3 parameter in the ping vxlan or tracert vxlan command on the tunnel source device, you must also enable overlay OAM on the tunnel source device.
Procedure
1. Enter system view.
system-view
2. Enable overlay OAM.
overlay oam enable
By default, overlay OAM is disabled.
Pinging a VXLAN tunnel destination
About this task
Perform this task to test the connectivity of a VXLAN tunnel in an EVPN VXLAN network when the tunnel has traffic loss or interruption issues. The process of a ping VXLAN operation is as follows:
1. The tunnel source VTEP sends VXLAN-encapsulated VXLAN echo requests to the tunnel destination VTEP.
2. The tunnel destination VTEP responds with VXLAN echo replies.
3. The tunnel source VTEP outputs packet statistics and the test result based on the received VXLAN echo replies.
Restrictions and guidelines
Before you perform this task on the tunnel source device, you must enable overlay OAM on the tunnel destination device by using the overlay oam enable command.
The VTEP can distribute VXLAN echo requests among multiple paths to the destination based on the source UDP port. When a VXLAN tunnel has multiple paths on the transport network, you can configure load sharing parameters to ensure accuracy of the test result. You can use one of the following methods to configure source UDP ports for VXLAN echo requests:
· Specify a source UDP port range. The device will send VXLAN echo requests sourced from each UDP port in the UDP port range. You need to execute the ping vxlan command only once.
· Specify load balancing parameters such as source and destination MAC addresses, source and destination IP addresses, and protocol for the VTEP to calculate a source UDP port number. You need to execute the ping vxlan command multiple times to test connectivity of all paths.
The load balancing parameters change only the source UDP port number of VXLAN echo requests. Other fields of the requests will not be changed.
If you specify the vxlan-source-udpport vxlan-source-udpport [ end-vxlan-src-udpport ] parameters, the number of VXLAN echo requests sourced from each UDP port in the UDP port range is determined by the -c count parameter.
Procedure
Execute the following command in any view:
ping vxlan [ -a inner-src-address | -c count | -m interval | -r reply-mode | -t timeout | -tos tos-value ] * vxlan-id vxlan-id tunnel-source source-address tunnel-destination dest-address [ destination-udpport dest-port ] [ vxlan-source-address vxlan-source-address ] [ load-balance { vxlan-source-udpport vxlan-source-udpport [ end-vxlan-src-udpport ] | source-address lb-src-address destination-address lb-dest-address protocol { udp | lb-protocol-id } source-port lb-src-port destination-port lb-dest-port source-mac lb-source-mac destination-mac lb-destination-mac } ]
Tracing the path to a VXLAN tunnel destination
About this task
Perform this task to locate failed nodes on the path for a VXLAN tunnel that has traffic loss or interruption issues in an EVPN VXLAN network. The process of a tracert VXLAN operation is as follows:
1. The tunnel source VTEP sends VXLAN-encapsulated VXLAN echo requests to the tunnel destination VTEP. The TTL in the IP header of the requests is set to 1.
2. The first hop on the path responds to the tunnel source VTEP with a TTL-expired ICMP error message.
3. The tunnel source VTEP sends VXLAN echo requests with the TTL set to 2.
4. The second hop responds with a TTL-expired ICMP error message.
5. This process continues until a VXLAN echo request reaches the tunnel destination VTEP or the maximum TTL value is reached. If a VXLAN echo request reaches the tunnel destination VTEP, the tunnel destination VTEP sends a VXLAN echo reply to the tunnel source VTEP.
6. The tunnel source VTEP outputs packet statistics and the test result based on the received ICMP error messages and whether a VXLAN echo reply is received.
Restrictions and guidelines
Before you perform this task on the tunnel source device, you must enable overlay OAM on the tunnel destination device by using the overlay oam enable command.
The VTEP can distribute VXLAN echo requests among multiple paths to the destination based on the source UDP port. When a VXLAN tunnel has multiple paths on the transport network, you can configure load sharing parameters to ensure accuracy of the test result. You can use one of the following methods to configure source UDP ports for VXLAN echo requests:
· Specify a source UDP port range. The device will send VXLAN echo requests sourced from each UDP port in the UDP port range. You need to execute the ping vxlan command only once.
· Specify load balancing parameters such as source and destination MAC addresses, source and destination IP addresses, and protocol for the VTEP to calculate a source UDP port number. You need to execute the ping vxlan command multiple times to test connectivity of all paths.
The load balancing parameters change only the source UDP port number of VXLAN echo requests. Other fields of the requests will not be changed.
Procedure
Execute the following command in any view:
tracert vxlan [ -a inner-src-address | -h ttl-value | -r reply-mode | -t timeout ] * vxlan-id vxlan-id tunnel-source source-address tunnel-destination dest-address [ destination-udpport dest-port ] [ vxlan-source-address vxlan-source-address ] [ load-balance { vxlan-source-udpport vxlan-source-udpport | source-address lb-src-address destination-address lb-dest-address protocol { udp | lb-protocol-id } source-port lb-src-port destination-port lb-dest-port source-mac lb-source-mac destination-mac lb-destination-mac } ]
Display and maintenance commands for EVPN
Execute display commands in any view and reset commands in user view.
Task |
Command |
Display BGP peer group information. |
display bgp [ instance instance-name ] group l2vpn evpn [ group-name group-name ] |
Display BGP EVPN routes. |
display bgp [ instance instance-name ] l2vpn evpn [ peer ipv4-address { advertised-routes | received-routes } [ statistics ] | [ route-distinguisher route-distinguisher | route-type { auto-discovery | es | imet | mac-ip } ] * [ { evpn-route route-length | evpn-prefix } [ advertise-info ] | { ipv4-address | ipv6-address | mac-address } [ verbose ] ] | statistics ] |
Display BGP peer or peer group information. |
display bgp [ instance instance-name ] peer l2vpn evpn [ ipv4-address mask-length | { ipv4-address | group-name group-name } log-info | [ ipv4-address ] verbose ] |
Display information about BGP update groups. |
display bgp [ instance instance-name ] update-group l2vpn evpn [ ipv4-address ] |
Display information about IPv4 peers that are automatically discovered through BGP. |
display evpn auto-discovery { { imet | mac-ip } [ peer ip-address ] [ vsi vsi-name ] [ count ] } |
Display EVPN ES information. |
display evpn es { local [ vsi vsi-name ] [ esi esi-id ] [ verbose ] | remote [ vsi vsi-name ] [ esi esi-id ] [ nexthop next-hop ] } |
Display EVPN MAC address entries. |
display evpn route mac [ local | remote ] [ vsi vsi-name ] [ count ] |
Display EVPN MAC mobility information. |
display evpn [ ipv6 ] route mac-mobility [ vsi vsi-name ] [ mac-address mac-address ] |
Display EVPN ND entries. |
display evpn route nd [ local | remote ] [ count ] |
Display the routing table for a VPN instance. |
display evpn routing-table [ ipv6 ] [ count ] |
Display site-facing interfaces excluded from traffic forwarding by split horizon. |
display l2vpn forwarding evpn split-horizon tunnel tunnel-number slot slot-number |
|
NOTE: For more information about the display bgp group, display bgp peer, and display bgp update-group commands, see BGP commands in Layer 3—IP Routing Command Reference. |