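AD-DC 7.1 Underlay Network Configuration Guide
Configuration Guide
Document version: 5W101-20240930
Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced, or distributed in any form without the prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., the trademarks, product logos, and product names of other companies that appear in this manual are the property of their respective owners.
The information in this document is subject to change without notice.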
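The data center underlay network is the physical network that carries overlay services and consists of switches such as Spine and Leaf devices. To deploy overlay services, you must first bring the underlay network devices under the management of the data center controller. This document describes the configuration steps for onboarding underlay network devices on the controller.
The controller can take underlay network devices under management in two ways:
· Manual underlay configuration: The devices are preconfigured manually. After preconfiguration, the controller takes the underlay network devices under management.
· Automated underlay deployment: Templates are configured on the controller and no preconfiguration is needed on the underlay devices. A device that starts with an empty configuration is taken under management automatically.
The AD-DC solution recommends deploying the underlay network with M-LAG.
(1) The addresses in this document are for reference only. Plan the addresses used in an actual deployment in advance.
(2) To simplify later fabric expansion, a Layer 3 management network is recommended.
(3) When deploying with M-LAG, note the following:
○ All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. The bridge MAC of either M-LAG device is recommended as the system-mac.
○ The two M-LAG devices must use different system-number values, for example 1 on one device and 2 on the other.
○ The two M-LAG devices must use the same priority.
(4) Automated onboarding in M-LAG scenarios requires the whitelist to be enabled and a device list to be configured. Only devices on the device list can be onboarded automatically and taken under management by the controller.
(5) If the live network has high-reliability requirements for a double failure of the M-LAG keepalive link and the peer-link, configure the matching M-LAG MAD DOWN mode as follows. Otherwise, an M-LAG dual-active condition occurs.
○ For aggregation access scenarios, standalone mode is recommended. It handles the double-failure case. Configure it as follows: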
<Sysname> system-view
[Sysname] m-lag standalone enable
○ For active/standby access scenarios, persistent mode must be configured. Configure it as follows:
<Sysname> system-view
[Sysname] m-lag mad persistent
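○ With m-lag mad persistent configured, an M-LAG dual-active condition still occurs if the keepalive link goes down first and the peer-link goes down afterwards. In that case, contact a technical support engineer to confirm manual intervention.
(6) When an S12500X acts as a Border or Leaf, configure the ip load-sharing mode per-flow tunnel all global command so that the device load-shares forwarding based on both the inner and outer packet headers.
In a data center network, a dedicated switch usually connects the management networks of the devices and of the SeerEngine-DC controller. This switch is called the management switch. The management switch must be configured manually and is not managed by the SeerEngine-DC controller.
The data center management network can use Layer 2 or Layer 3 networking mode. In Layer 2 mode, the physical device management network and the SeerEngine-DC management network are on the same subnet. In Layer 3 mode, they are on different subnets.
Layer 2 mode can be used for single-fabric networks. The management network of a multi-fabric network must use Layer 3 mode. In Layer 3 mode, VLANs must be assigned to the fabrics on the management switch, and the gateway and DHCP relay commands must be configured manually.
To simplify later fabric expansion, Layer 3 mode is also recommended for single-fabric networks. This chapter uses a Layer 3 management network in a multi-fabric deployment as the example. The typical topology is shown in the following figures.
Figure 1 Management network diagram (standard networking)
Figure 2 Management network diagram (four-layer networking)
If you configure ACL policies on a device, make sure that they permit the controller's IP addresses and the relevant ports.
In a multi-fabric environment, the management switch interfaces that connect to the devices of different fabrics must belong to different VLANs. As shown in the networking description, the interface connecting to the controller management network belongs to VLAN 10, the interface connecting to the Fabric 1 device management network belongs to VLAN 20, and the interface connecting to the Fabric 2 device management network belongs to VLAN 30. Configure the gateway address of each fabric's physical management network on the corresponding VLAN interface.
Configure the management switch as follows:
(1) Create the VLANs for the controller management network, the Fabric 1 device management network, and the Fabric 2 device management network. VLAN 10, VLAN 20, and VLAN 30 are used in this example.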
[device] vlan 10
[device-vlan10] quit
[device] vlan 20
[device-vlan20] quit
[device] vlan 30
[device-vlan30] quit
(2) Add the management switch interface that connects to the Fabric 1 devices to VLAN 20. Ten-GigabitEthernet1/0/33 is used in this example.
[device] interface Ten-GigabitEthernet1/0/33
[device-Ten-GigabitEthernet1/0/33] port link-mode bridge
[device-Ten-GigabitEthernet1/0/33] port access vlan 20
[device-Ten-GigabitEthernet1/0/33] quit
(3) Add the management switch interface that connects to the Fabric 2 devices to VLAN 30. Ten-GigabitEthernet1/0/26 is used in this example.
[device] interface Ten-GigabitEthernet1/0/26
[device-Ten-GigabitEthernet1/0/26] port link-mode bridge
[device-Ten-GigabitEthernet1/0/26] port access vlan 30
[device-Ten-GigabitEthernet1/0/26] quit
(4) Configure the VLAN interface for the controller management network.
[device] interface Vlan-interface10
[device-Vlan-interface10] ip address 192.168.10.1 255.255.255.0
[device-Vlan-interface10] ip address 192.168.12.1 255.255.255.0 sub
[device-Vlan-interface10] quit
(5) Configure the VLAN interface for the Fabric 1 management network.
[device] interface Vlan-interface20
[device-Vlan-interface20] ip address 192.168.11.1 255.255.255.0
[device-Vlan-interface20] quit
(6) Enable the DHCP service. The DHCP service is required only when automated onboarding is used.
[device] dhcp enable
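(7) Configure DHCP relay, specifying the controller cluster IP as the relay server address and the device gateway IP as the relay source address. DHCP relay is required only when automated onboarding is used.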
[device] interface Vlan-interface20
[device-Vlan-interface20] dhcp select relay
[device-Vlan-interface20] dhcp relay server-address 192.168.12.101
[device-Vlan-interface20] dhcp relay source-address 192.168.11.1
[device-Vlan-interface20] quit
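If the management switch uses VRRP, the IP address specified in the dhcp relay source-address command must be the VRRP virtual IP address.
(8) Configure the VLAN interface for the Fabric 2 management network.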
[device] interface Vlan-interface30
[device-Vlan-interface30] ip address 192.168.21.1 255.255.255.0
[device-Vlan-interface30] quit
(9) Enable the DHCP service. The DHCP service is required only when automated onboarding is used.
[device] dhcp enable
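(10) Configure DHCP relay for the Fabric 2 management network, specifying the controller cluster IP as the relay server address. DHCP relay is required only when automated onboarding is used.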
[device] interface Vlan-interface30
[device-Vlan-interface30] dhcp select relay
[device-Vlan-interface30] dhcp relay server-address 192.168.12.101
[device-Vlan-interface30] dhcp relay source-address 192.168.21.1
[device-Vlan-interface30] quit
If the management switch uses VRRP, the IP address specified in the dhcp relay source-address command must be the VRRP virtual IP address.
In this scenario, the Spine and Border roles share one device, and M-LAG is configured between the two devices, as shown in the following figure.
Figure 3 Underlay network topology for the converged Spine Border scenario
Table 1 IP addresses and interfaces in the converged Spine Border scenario

| Device | Address plan | Interface information |
|---|---|---|
| Spine Border 1 | Management address: 192.168.11.2/24, gateway 192.168.11.1; VTEP address: 10.1.1.2/32; M-LAG virtual address: 10.20.1.2/32; M-LAG system MAC address: 0002-0003-0001 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.1/30; M-LAG peer-link escape address: 10.30.1.1/30 | HGE4/0/1 (to Spine Border2 HGE4/0/1); HGE4/0/2 (to Spine Border2 HGE4/0/2); XGE6/0/48 (to Spine Border2 XGE6/0/48); XGE6/0/1 (to FW1 XGE1/2/0); XGE6/0/2 (to FW2 XGE1/2/0); XGE6/0/3 (to LB1 XGE1/2/0); XGE6/0/4 (to LB2 XGE1/2/0); XGE6/0/5 (to the external network device); HGE1/0/5 (to Server Leaf1 HGE1/0/25); HGE1/0/6 (to Server Leaf2 HGE1/0/25); HGE1/0/7 (to Service Leaf1 HGE1/0/27); HGE1/0/8 (to Service Leaf2 HGE1/0/27) |
| Spine Border 2 | Management address: 192.168.11.3/24, gateway 192.168.11.1; VTEP address: 10.1.1.3/32; M-LAG virtual address: 10.20.1.2/32; M-LAG system MAC address: 0002-0003-0001 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.2/30; M-LAG peer-link escape address: 10.30.1.2/30 | HGE4/0/1 (to Spine Border1 HGE4/0/1); HGE4/0/2 (to Spine Border1 HGE4/0/2); XGE6/0/48 (to Spine Border1 XGE6/0/48); XGE6/0/1 (to FW1 XGE1/2/1); XGE6/0/2 (to FW2 XGE1/2/1); XGE6/0/3 (to LB1 XGE1/2/1); XGE6/0/4 (to LB2 XGE1/2/1); XGE6/0/5 (to the external network device); HGE1/0/5 (to Server Leaf1 HGE1/0/27); HGE1/0/6 (to Server Leaf2 HGE1/0/27); HGE1/0/7 (to Service Leaf1 HGE1/0/25); HGE1/0/8 (to Service Leaf2 HGE1/0/25) |
| Server Leaf 1 | Management address: 192.168.11.4/24, gateway 192.168.11.1; VTEP address: 10.1.1.4/32; M-LAG virtual address: 10.20.1.4/32; M-LAG system MAC address: 0002-0003-0002 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.5/30; M-LAG peer-link escape address: 10.30.1.5/30 | XGE1/0/9 (to Server Leaf2 XGE1/0/9); XGE1/0/10 (to Server Leaf2 XGE1/0/10); XGE1/0/11 (to Server 1); XGE1/0/12 (to Server 2); HGE1/0/30 (to Server Leaf2 HGE1/0/30); HGE1/0/25 (to Spine Border1 HGE1/0/5); HGE1/0/27 (to Spine Border2 HGE1/0/5) |
| Server Leaf 2 | Management address: 192.168.11.5/24, gateway 192.168.11.1; VTEP address: 10.1.1.5/32; M-LAG virtual address: 10.20.1.4/32; M-LAG system MAC address: 0002-0003-0002 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.6/30; M-LAG peer-link escape address: 10.30.1.6/30 | XGE1/0/9 (to Server Leaf1 XGE1/0/9); XGE1/0/10 (to Server Leaf1 XGE1/0/10); XGE1/0/11 (to Server 1); XGE1/0/12 (to Server 2); HGE1/0/30 (to Server Leaf1 HGE1/0/30); HGE1/0/25 (to Spine Border1 HGE1/0/6); HGE1/0/27 (to Spine Border2 HGE1/0/6) |
| Service Leaf 1 | Management address: 192.168.11.6/24, gateway 192.168.11.1; VTEP address: 10.1.1.6/32; M-LAG virtual address: 10.20.1.6/32; M-LAG system MAC address: 0002-0003-0003 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.9/30; M-LAG peer-link escape address: 10.30.1.9/30 | XGE1/0/9 (to Service Leaf2 XGE1/0/9); XGE1/0/10 (to Service Leaf2 XGE1/0/10); XGE1/0/11 (to FW3 XGE1/2/0); XGE1/0/12 (to FW4 XGE1/2/0); HGE1/0/30 (to Service Leaf2 HGE1/0/30); HGE1/0/25 (to Spine Border1 HGE1/0/7); HGE1/0/27 (to Spine Border2 HGE1/0/7) |
| Service Leaf 2 | Management address: 192.168.11.7/24, gateway 192.168.11.1; VTEP address: 10.1.1.7/32; M-LAG virtual address: 10.20.1.6/32; M-LAG system MAC address: 0002-0003-0003 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.10/30; M-LAG peer-link escape address: 10.30.1.10/30 | XGE1/0/9 (to Service Leaf1 XGE1/0/9); XGE1/0/10 (to Service Leaf1 XGE1/0/10); XGE1/0/11 (to FW3 XGE1/2/1); XGE1/0/12 (to FW4 XGE1/2/1); HGE1/0/30 (to Service Leaf1 HGE1/0/30); HGE1/0/25 (to Spine Border1 HGE1/0/8); HGE1/0/27 (to Spine Border2 HGE1/0/8) |

Figure 4 Underlay network topology for the separate Spine and Border scenario
Table 2 IP addresses and interfaces in the separate Spine and Border scenario

| Device | Address plan | Interface information |
|---|---|---|
| Border 1 | Management address: 192.168.11.8/24, gateway 192.168.11.1; VTEP address: 10.1.1.8/32; M-LAG virtual address: 10.20.1.8/32; M-LAG system MAC address: 0002-0003-0004 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.13/30; M-LAG peer-link escape address: 10.30.1.13/30 | HGE4/0/1 (to Border2 HGE4/0/1); HGE4/0/2 (to Border2 HGE4/0/2); XGE6/0/48 (to Border2 XGE6/0/48); HGE4/0/3 (to Spine1 HGE1/0/3); HGE4/0/4 (to Spine2 HGE1/0/3); XGE6/0/1 (to FW1 XGE1/2/0); XGE6/0/2 (to FW2 XGE1/2/0); XGE6/0/3 (to LB1 XGE1/2/0); XGE6/0/4 (to LB2 XGE1/2/0); XGE6/0/5 (to the external network device) |
| Border 2 | Management address: 192.168.11.9/24, gateway 192.168.11.1; VTEP address: 10.1.1.9/32; M-LAG virtual address: 10.20.1.8/32; M-LAG system MAC address: 0002-0003-0004 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.14/30; M-LAG peer-link escape address: 10.30.1.14/30 | HGE4/0/1 (to Border1 HGE4/0/1); HGE4/0/2 (to Border1 HGE4/0/2); XGE6/0/48 (to Border1 XGE6/0/48); HGE4/0/3 (to Spine1 HGE1/0/4); HGE4/0/4 (to Spine2 HGE1/0/4); XGE6/0/1 (to FW1 XGE1/2/1); XGE6/0/2 (to FW2 XGE1/2/1); XGE6/0/3 (to LB1 XGE1/2/1); XGE6/0/4 (to LB2 XGE1/2/1); XGE6/0/5 (to the external network device) |
| Spine1 | Management address: 192.168.11.2/24, gateway 192.168.11.1; VTEP address: 10.1.1.2/32 | HGE1/0/3 (to Border1 HGE4/0/3); HGE1/0/4 (to Border2 HGE4/0/3); HGE1/0/5 (to Leaf1 HGE1/0/25); HGE1/0/6 (to Leaf2 HGE1/0/25); HGE1/0/7 (to Leaf3 HGE1/0/27); HGE1/0/8 (to Leaf4 HGE1/0/27) |
| Spine2 | Management address: 192.168.11.3/24, gateway 192.168.11.1; VTEP address: 10.1.1.3/32 | HGE1/0/3 (to Border1 HGE4/0/4); HGE1/0/4 (to Border2 HGE4/0/4); HGE1/0/5 (to Leaf1 HGE1/0/27); HGE1/0/6 (to Leaf2 HGE1/0/27); HGE1/0/7 (to Leaf3 HGE1/0/25); HGE1/0/8 (to Leaf4 HGE1/0/25) |
| Server Leaf 1 | Management address: 192.168.11.4/24, gateway 192.168.11.1; VTEP address: 10.1.1.4/32; M-LAG virtual address: 10.20.1.4/32; M-LAG system MAC address: 0002-0003-0002 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.5/30; M-LAG peer-link escape address: 10.30.1.5/30 | XGE1/0/9 (to Server Leaf2 XGE1/0/9); XGE1/0/10 (to Server Leaf2 XGE1/0/10); XGE1/0/11 (to Server 1); XGE1/0/12 (to Server 2); HGE1/0/30 (to Server Leaf2 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/5); HGE1/0/27 (to Spine2 HGE1/0/5) |
| Server Leaf 2 | Management address: 192.168.11.5/24, gateway 192.168.11.1; VTEP address: 10.1.1.5/32; M-LAG virtual address: 10.20.1.4/32; M-LAG system MAC address: 0002-0003-0002 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.6/30; M-LAG peer-link escape address: 10.30.1.6/30 | XGE1/0/9 (to Server Leaf1 XGE1/0/9); XGE1/0/10 (to Server Leaf1 XGE1/0/10); XGE1/0/11 (to Server 1); XGE1/0/12 (to Server 2); HGE1/0/30 (to Server Leaf1 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/6); HGE1/0/27 (to Spine2 HGE1/0/6) |
| Service Leaf 1 | Management address: 192.168.11.6/24, gateway 192.168.11.1; VTEP address: 10.1.1.6/32; M-LAG virtual address: 10.20.1.6/32; M-LAG system MAC address: 0002-0003-0003 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.9/30; M-LAG peer-link escape address: 10.30.1.9/30 | XGE1/0/9 (to Service Leaf2 XGE1/0/9); XGE1/0/10 (to Service Leaf2 XGE1/0/10); XGE1/0/11 (to FW3 XGE1/2/1); XGE1/0/12 (to FW4 XGE1/2/1); HGE1/0/30 (to Service Leaf2 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/7); HGE1/0/27 (to Spine2 HGE1/0/7) |
| Service Leaf 2 | Management address: 192.168.11.7/24, gateway 192.168.11.1; VTEP address: 10.1.1.7/32; M-LAG virtual address: 10.20.1.6/32; M-LAG system MAC address: 0002-0003-0003 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.10/30; M-LAG peer-link escape address: 10.30.1.10/30 | XGE1/0/9 (to Service Leaf1 XGE1/0/9); XGE1/0/10 (to Service Leaf1 XGE1/0/10); XGE1/0/11 (to FW3 XGE1/2/1); XGE1/0/12 (to FW4 XGE1/2/1); HGE1/0/30 (to Service Leaf1 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/8); HGE1/0/27 (to Spine2 HGE1/0/8) |

The Service-Leaf secure egress service attaches the firewalls to the Service-Leaf devices, which decouples the Border from the firewalls. Traffic bound for the external network passes through the firewalls attached to the Service-Leaf and then through the Border. The firewalls connect to the Service-Leaf. The Border serves only as the egress device and does not connect to the firewalls.
Figure 5 Underlay network topology for the Service-Leaf secure egress scenario
Table 3 IP addresses and interfaces in the Service-Leaf secure egress scenario

| Device | Address plan | Interface information |
|---|---|---|
| Border 1 | Management address: 192.168.11.8/24, gateway 192.168.11.1; VTEP address: 10.1.1.8/32; M-LAG virtual address: 10.20.1.8/32; M-LAG system MAC address: 0002-0003-0004 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.13/30; M-LAG peer-link escape address: 10.30.1.13/30 | HGE4/0/1 (to Border2 HGE4/0/1); HGE4/0/2 (to Border2 HGE4/0/2); XGE6/0/48 (to Border2 XGE6/0/48); HGE4/0/3 (to Spine1 HGE1/0/3); HGE4/0/4 (to Spine2 HGE1/0/3); XGE6/0/5 (to the external network device) |
| Border 2 | Management address: 192.168.11.9/24, gateway 192.168.11.1; VTEP address: 10.1.1.9/32; M-LAG virtual address: 10.20.1.8/32; M-LAG system MAC address: 0002-0003-0004 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.14/30; M-LAG peer-link escape address: 10.30.1.14/30 | HGE4/0/1 (to Border1 HGE4/0/1); HGE4/0/2 (to Border1 HGE4/0/2); XGE6/0/48 (to Border1 XGE6/0/48); HGE4/0/3 (to Spine1 HGE1/0/4); HGE4/0/4 (to Spine2 HGE1/0/4); XGE6/0/5 (to the external network device) |
| Spine1 | Management address: 192.168.11.2/24, gateway 192.168.11.1; VTEP address: 10.1.1.2/32 | HGE1/0/3 (to Border1 HGE4/0/3); HGE1/0/4 (to Border2 HGE4/0/3); HGE1/0/5 (to Leaf1 HGE1/0/25); HGE1/0/6 (to Leaf2 HGE1/0/25); HGE1/0/7 (to Leaf3 HGE1/0/27); HGE1/0/8 (to Leaf4 HGE1/0/27) |
| Spine2 | Management address: 192.168.11.3/24, gateway 192.168.11.1; VTEP address: 10.1.1.3/32 | HGE1/0/3 (to Border1 HGE4/0/4); HGE1/0/4 (to Border2 HGE4/0/4); HGE1/0/5 (to Leaf1 HGE1/0/27); HGE1/0/6 (to Leaf2 HGE1/0/27); HGE1/0/7 (to Leaf3 HGE1/0/25); HGE1/0/8 (to Leaf4 HGE1/0/25) |
| Server Leaf 1 | Management address: 192.168.11.4/24, gateway 192.168.11.1; VTEP address: 10.1.1.4/32; M-LAG virtual address: 10.20.1.4/32; M-LAG system MAC address: 0002-0003-0002 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.5/30; M-LAG peer-link escape address: 10.30.1.5/30 | XGE1/0/9 (to Server Leaf2 XGE1/0/9); XGE1/0/10 (to Server Leaf2 XGE1/0/10); XGE1/0/11 (to Server 1); XGE1/0/12 (to Server 2); HGE1/0/30 (to Server Leaf2 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/5); HGE1/0/27 (to Spine2 HGE1/0/5) |
| Server Leaf 2 | Management address: 192.168.11.5/24, gateway 192.168.11.1; VTEP address: 10.1.1.5/32; M-LAG virtual address: 10.20.1.4/32; M-LAG system MAC address: 0002-0003-0002 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.6/30; M-LAG peer-link escape address: 10.30.1.6/30 | XGE1/0/9 (to Server Leaf1 XGE1/0/9); XGE1/0/10 (to Server Leaf1 XGE1/0/10); XGE1/0/11 (to Server 1); XGE1/0/12 (to Server 2); HGE1/0/30 (to Server Leaf1 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/6); HGE1/0/27 (to Spine2 HGE1/0/6) |
| Service Leaf 1 | Management address: 192.168.11.6/24, gateway 192.168.11.1; VTEP address: 10.1.1.6/32; M-LAG virtual address: 10.20.1.6/32; M-LAG system MAC address: 0002-0003-0003 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.9/30; M-LAG peer-link escape address: 10.30.1.9/30 | XGE1/0/9 (to Service Leaf2 XGE1/0/9); XGE1/0/10 (to Service Leaf2 XGE1/0/10); XGE1/0/11 (to FW1 XGE1/2/1); XGE1/0/12 (to FW2 XGE1/2/1); HGE1/0/30 (to Service Leaf2 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/7); HGE1/0/27 (to Spine2 HGE1/0/7) |
| Service Leaf 2 | Management address: 192.168.11.7/24, gateway 192.168.11.1; VTEP address: 10.1.1.7/32; M-LAG virtual address: 10.20.1.6/32; M-LAG system MAC address: 0002-0003-0003 (or use this device's bridge MAC); M-LAG MAD address: 10.10.1.10/30; M-LAG peer-link escape address: 10.30.1.10/30 | XGE1/0/9 (to Service Leaf1 XGE1/0/9); XGE1/0/10 (to Service Leaf1 XGE1/0/10); XGE1/0/11 (to FW1 XGE1/2/1); XGE1/0/12 (to FW2 XGE1/2/1); HGE1/0/30 (to Service Leaf1 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/8); HGE1/0/27 (to Spine2 HGE1/0/8) |

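Figure 6 Spine Border deployment flow
Figure 7 Server Leaf deployment flow
Figure 8 Service Leaf deployment flow
Figure 9 Spine deployment flow
Figure 10 Server Leaf deployment flow
Figure 11 Service Leaf deployment flow
Figure 12 Border deployment flow
Figure 13 Spine deployment flow
Figure 14 Server Leaf deployment flow
Figure 15 Service Leaf deployment flow
Figure 16 Border deployment flow
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.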
<spine-border1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<spine-border1> reboot force
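After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G-AF T series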
[spine-border1] hardware-resource tcam normal
[spine-border1] hardware-resource routing-mode ipv6-128
[spine-border1] hardware-resource vxlan l3gw
S12500X
[spine-border1] hardware-resource tcam routing
[spine-border1] hardware-resource vxlan normal
[spine-border1] hardware-resource mcast normal
[spine-border1] hardware-resource scale-rt-prefix none
[spine-border1] hardware-resource mpls normal
[spine-border1] hardware-resource parser normal
S6800
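When an S6800 acts as a Leaf or Border, configure its hardware resources according to the services in use. For the configuration method, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".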
[spine-border1] hardware-resource switch-mode 4
[spine-border1] hardware-resource routing-mode ipv6-128
[spine-border1] hardware-resource vxlan Border40k
S6860
[spine-border1] hardware-resource switch-mode 4
[spine-border1] hardware-resource routing-mode ipv6-128
[spine-border1] hardware-resource vxlan Border24k
S6850/S9850/S6825/S6805
[spine-border1] hardware-resource switch-mode DUAL-STACK
[spine-border1] hardware-resource routing-mode ipv6-128
[spine-border1] hardware-resource vxlan l3gw
S10500X
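On the S10500X, the switch-mode hardware resource parameter must use the default values. The default switch-mode is mix-bridging-routing for interface cards and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If the switch-mode value is not the default, use the switch-mode command to change it to the default. The change takes effect after a reboot.
(1) Change the interface card parameter. Slot 0 is used in this example.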
[spine-border1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter. Slot 6 is used in this example.
[spine-border1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
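On the S7500X, the switch-mode hardware resource parameter must use the default value. The default switch-mode for interface cards is mix-bridging-routing, and the MPU does not need a switch-mode setting. Use the display switch-mode status command to view the configured value. If the switch-mode value is not the default, use the switch-mode command to change it to the default. The change takes effect after a reboot.
Change the interface card parameter. Slot 2 is used in this example.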
[spine-border1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
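S12500G-AF S series
On the S12500G-AF S series, the switch-mode hardware resource parameter must be normal, which you can check with the display switch-mode status command. The system-working-mode must be expert, which you can check with the display system-working-mode command. Use the following commands to change switch-mode and system-working-mode. The changes take effect after a reboot.
Slot 3 is used in this example.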
[spine-border1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[spine-border1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
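S12500R series
On the S12500R series, hardware-resource mdb must be routing, which you can check with the display hardware-resource mdb command. hardware-resource interface must be bridge, which you can check with the display hardware-resource interface command. Use the following commands to change hardware-resource mdb and hardware-resource interface. The changes take effect after a reboot.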
[spine-border1] hardware-resource mdb routing
[spine-border1] hardware-resource interface bridge
S10506X-G
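On the S10506X-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If the switch-mode value is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used in this example.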
[spine-border1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
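On the S6850-56HF-G/S9850-32H-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If the switch-mode value is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used in this example.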
[spine-border1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
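S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the switch-mode hardware resource parameter must be normal, which you can check with the display switch-mode status command. The system-working-mode must be expert, which you can check with the display system-working-mode command. Use the following commands to change switch-mode and system-working-mode. The changes take effect after a reboot.
Slot 3 is used in this example.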
[spine-border1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[spine-border1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
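On the S10500XG/12500G-EF, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If the switch-mode value is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used in this example.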
[spine-border1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
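On the S6805G/S6850G/9850G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If the switch-mode value is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used in this example.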
[spine-border1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
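On the S9825/S9855, hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in scale specifications and have no functional impact. Keeping the default value is recommended, and the mode should be the same on both ends. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128, which you can check with the display hardware-resource routing-mode command. Set hardware-resource vxlan to L3GW, which you can check with the display hardware-resource vxlan command. Use the following commands to change the values. The changes take effect after a reboot.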
[spine-border1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine-border1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine-border1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
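On the S9827, set hardware-resource switch-mode to ROUTING, which you can check with the display hardware-resource switch-mode command. Set hardware-resource routing-mode to ipv6-128, which you can check with the display hardware-resource routing-mode command. Set hardware-resource vxlan to L3GW, which you can check with the display hardware-resource vxlan command. Use the following commands to change the values. The changes take effect after a reboot.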
[spine-border1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine-border1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine-border1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN. The VPN instance name mgmt is used in this example.
[spine-border1] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[spine-border1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[spine-border1] interface M-GigabitEthernet0/0/0
[spine-border1-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[spine-border1-M-GigabitEthernet0/0/0] ip address 192.168.11.2 255.255.255.0
[spine-border1-M-GigabitEthernet0/0/0] quit
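(4) Configure the management user. The username admin and the password Qwert@1234 are used in this example. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections and require the service-type https command. Without it, those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".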
[spine-border1] local-user admin class manage
[spine-border1-luser-manage-admin] password simple Qwert@1234
[spine-border1-luser-manage-admin] service-type https ssh
[spine-border1-luser-manage-admin] authorization-attribute user-role network-admin
[spine-border1-luser-manage-admin] authorization-attribute user-role network-operator
[spine-border1-luser-manage-admin] quit
(5) Configure the VTY lines.
[spine-border1] line vty 0 63
[spine-border1-line-vty0-63] authentication-mode scheme
[spine-border1-line-vty0-63] user-role network-admin
[spine-border1-line-vty0-63] user-role network-operator
[spine-border1-line-vty0-63] quit
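(6) Configure NETCONF. Some features use HTTPS short connections and require the netconf soap https enable command. Without it, those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".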
[spine-border1] netconf soap https enable
[spine-border1] netconf ssh server enable
(7) Enable the SSH service.
[spine-border1] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. The NTP server IP 192.168.10.101 is used in this example.
[spine-border1] ntp-service enable
[spine-border1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[spine-border1] snmp-agent
[spine-border1] snmp-agent community write private
[spine-border1] snmp-agent community read public
[spine-border1] snmp-agent sys-info version all
[spine-border1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[spine-border1] lldp global enable
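The management steps above use sample values (the password Qwert@1234 and the SNMP communities public and private) and enable every SNMP version. The following audit is an added example, not H3C code: it scans a saved configuration or CLI transcript for those sample values, for passwords that fail the two-character-class rule from step (4), and for VTY lines that do not use scheme authentication. The rule names and both sample inputs are constructed for illustration.

```python
import re

DOC_EXAMPLE_PASSWORDS = {"Qwert@1234"}       # sample password printed in step (4)
DEFAULT_COMMUNITIES = {"public", "private"}  # community strings used in step (9)
# Strips a leading CLI prompt such as "[spine-border1-luser-manage-admin] ".
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")


def char_classes(password):
    """Count how many of digit/upper/lower/special classes the password uses."""
    return sum((
        any(c.isdigit() for c in password),
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(not c.isalnum() for c in password),
    ))


def audit(config_text):
    """Return (line_number, rule, detail) findings for a config or transcript."""
    findings, in_vty = [], False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = PROMPT.sub("", raw).strip()
        if line.startswith("line "):
            in_vty = line.startswith("line vty")

        m = re.match(r"password simple (\S+)$", line)
        if m:
            pw = m.group(1)
            if pw in DOC_EXAMPLE_PASSWORDS:
                findings.append((lineno, "doc-example-password",
                                 "password copied from the guide"))
            elif char_classes(pw) < 2:
                findings.append((lineno, "weak-password",
                                 "fewer than two character classes"))

        m = re.match(r"snmp-agent community (read|write) (\S+)", line)
        if m and m.group(2) in DEFAULT_COMMUNITIES:
            findings.append((lineno, "default-snmp-community",
                             f"{m.group(1)} community {m.group(2)!r}"))

        m = re.match(r"snmp-agent sys-info version (.+)$", line)
        if m and {"all", "v1", "v2c"} & set(m.group(1).split()):
            # SNMPv1/v2c send the community string in cleartext.
            findings.append((lineno, "snmp-v1-v2c-enabled", m.group(1)))

        m = re.match(r"authentication-mode (\S+)", line)
        if m and in_vty and m.group(1) != "scheme":
            findings.append((lineno, "vty-auth-not-scheme", m.group(1)))
    return findings


# Constructed input: the commands of steps (4), (5) and (9) as printed above.
PAGE_SAMPLE = """\
[spine-border1] local-user admin class manage
[spine-border1-luser-manage-admin] password simple Qwert@1234
[spine-border1-luser-manage-admin] service-type https ssh
[spine-border1] line vty 0 63
[spine-border1-line-vty0-63] authentication-mode scheme
[spine-border1] snmp-agent community write private
[spine-border1] snmp-agent community read public
[spine-border1] snmp-agent sys-info version all
"""

# Constructed input: same structure with site-specific values and SNMPv3 only.
HARDENED_SAMPLE = """\
local-user admin class manage
 password simple Constructed-Example-9!
 service-type https ssh
line vty 0 63
 authentication-mode scheme
snmp-agent sys-info version v3
"""

if __name__ == "__main__":
    for name, text in (("page sample", PAGE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name)
        for finding in audit(text) or ["  no findings"]:
            print("  ", finding)
```
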
(1) Enable L2VPN on the device.
[spine-border1] l2vpn enable
(2) Disable MAC, ARP, and ND learning from VXLAN tunnels.
[spine-border1] vxlan tunnel mac-learning disable
[spine-border1] vxlan tunnel arp-learning disable
[spine-border1] vxlan tunnel nd-learning disable
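To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameters] page. If IPv6 is not enabled and the command is configured manually, a configuration audit difference is reported.
Choose one routing protocol to configure:
Configure OSPF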
[spine-border1] ospf 1 router-id 192.168.11.2
[spine-border1-ospf-1] non-stop-routing
[spine-border1-ospf-1] area 0.0.0.0
[spine-border1-ospf-1] quit
Configure IS-IS
The network entity 86.4713.0021.0100.0400.1002.00 is used in this example. Configure it according to the actual device.
[spine-border1] isis 1
[spine-border1-isis-1] non-stop-routing
[spine-border1-isis-1] is-level level-2
[spine-border1-isis-1] is-name user1
[spine-border1-isis-1] network-entity 86.4713.0021.0100.0400.1002.00
[spine-border1-isis-1] address-family ipv4 unicast
[spine-border1-isis-1-ipv4] maximum load-balancing 4
[spine-border1-isis-1-ipv4] quit
[spine-border1-isis-1] quit
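Configure EBGP
The two Spine Border devices use AS number 500, and the four Leaf devices use AS number 501. EBGP peering is established between the Spine Border devices and the Leaf devices.
Underlay EBGP uses the LoopBack1 address as the source address.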
[spine-border1] interface LoopBack1
[spine-border1-LoopBack1] ip address 4.1.1.1 255.255.255.255
[spine-border1-LoopBack1] quit
[spine-border1] bgp 500 instance Underlay
[spine-border1-bgp-Underlay] non-stop-routing
[spine-border1-bgp-Underlay] router-id 4.1.1.1
[spine-border1-bgp-Underlay] group Leaf external
[spine-border1-bgp-Underlay] peer Leaf as-number 501
[spine-border1-bgp-Underlay] peer Leaf ebgp-max-hop 2
[spine-border1-bgp-Underlay] peer Leaf connect-interface Loopback1
[spine-border1-bgp-Underlay] peer 4.1.1.3 group Leaf
[spine-border1-bgp-Underlay] peer 4.1.1.4 group Leaf
[spine-border1-bgp-Underlay] peer 4.1.1.5 group Leaf
[spine-border1-bgp-Underlay] peer 4.1.1.6 group Leaf
[spine-border1-bgp-Underlay] address-family ipv4 unicast
[spine-border1-bgp-Underlay-ipv4] balance 4
[spine-border1-bgp-Underlay-ipv4] peer Leaf enable
[spine-border1-bgp-Underlay-ipv4] peer Leaf allow-as-loop 2
[spine-border1-bgp-Underlay-ipv4] quit
[spine-border1-bgp-Underlay] quit
[spine-border1] interface LoopBack0
[spine-border1-LoopBack0] ip address 10.1.1.2 255.255.255.255
[spine-border1-LoopBack0] quit
Choose one routing protocol to configure:
Configure OSPF
[spine-border1] interface LoopBack0
[spine-border1-LoopBack0] ospf 1 area 0.0.0.0
[spine-border1-LoopBack0] quit
Configure IS-IS
[spine-border1] interface LoopBack0
[spine-border1-LoopBack0] isis enable 1
[spine-border1-LoopBack0] quit
Configure EBGP
[spine-border1] bgp 500 instance Underlay
[spine-border1-bgp-Underlay] address-family ipv4 unicast
[spine-border1-bgp-Underlay-ipv4] network 10.1.1.2 255.255.255.255
[spine-border1-bgp-Underlay-ipv4] quit
[spine-border1-bgp-Underlay] quit
Configure the IBGP RR
[spine-border1] bgp 100
[spine-border1-bgp-default] non-stop-routing
[spine-border1-bgp-default] router-id 10.1.1.2
[spine-border1-bgp-default] group evpn internal
[spine-border1-bgp-default] peer evpn source-address 10.1.1.2
[spine-border1-bgp-default] peer 10.1.1.4 group evpn
[spine-border1-bgp-default] peer 10.1.1.5 group evpn
[spine-border1-bgp-default] peer 10.1.1.6 group evpn
[spine-border1-bgp-default] peer 10.1.1.7 group evpn
[spine-border1-bgp-default] address-family l2vpn evpn
[spine-border1-bgp-default-evpn] undo policy vpn-target
[spine-border1-bgp-default-evpn] peer evpn enable
[spine-border1-bgp-default-evpn] peer evpn reflect-client
[spine-border1-bgp-default-evpn] quit
[spine-border1-bgp-default] quit
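The interface that connects to Server Leaf 1 is used as the example. Configure the interfaces that connect to the other Leaf devices in the same way.
Choose one routing protocol to configure:
Configure OSPF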
[spine-border1] interface HundredGigE1/0/5
[spine-border1-HundredGigE1/0/5] port link-mode route
[spine-border1-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[spine-border1-HundredGigE1/0/5] ospf network-type p2p
[spine-border1-HundredGigE1/0/5] ospf 1 area 0.0.0.0
[spine-border1-HundredGigE1/0/5] lldp management-address arp-learning
[spine-border1-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[spine-border1-HundredGigE1/0/5] quit
Configure IS-IS
[spine-border1] interface HundredGigE1/0/5
[spine-border1-HundredGigE1/0/5] port link-mode route
[spine-border1-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[spine-border1-HundredGigE1/0/5] isis enable 1
[spine-border1-HundredGigE1/0/5] isis circuit-level level-2
[spine-border1-HundredGigE1/0/5] isis circuit-type p2p
[spine-border1-HundredGigE1/0/5] isis authentication-mode md5 simple 123456
[spine-border1-HundredGigE1/0/5] lldp management-address arp-learning
[spine-border1-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[spine-border1-HundredGigE1/0/5] quit
Configure EBGP
[spine-border1] interface HundredGigE1/0/5
[spine-border1-HundredGigE1/0/5] port link-mode route
[spine-border1-HundredGigE1/0/5] ip address unnumbered interface LoopBack1
[spine-border1-HundredGigE1/0/5] lldp management-address arp-learning
[spine-border1-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[spine-border1-HundredGigE1/0/5] arp route-direct advertise
[spine-border1-HundredGigE1/0/5] quit
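The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE. Alternatively, select one from the Available Global MAC values of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. In multi-fabric and data center interconnect scenarios, the Global MAC address must also be unique across the entire network.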
[spine-border1] evpn global-mac 0001-0001-0001
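On the Border, the M-LAG real address command is not required, that is, the evpn m-lag local remote command does not need to be configured.
(1) Configure the M-LAG virtual address.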
[spine-border1] interface LoopBack2
[spine-border1-LoopBack2] ip address 10.20.1.2 255.255.255.255
[spine-border1-LoopBack2] quit
Choose one routing protocol to configure:
Configure OSPF
[spine-border1] interface LoopBack2
[spine-border1-LoopBack2] ospf 1 area 0.0.0.0
[spine-border1-LoopBack2] quit
Configure IS-IS
[spine-border1] interface LoopBack2
[spine-border1-LoopBack2] isis enable 1
[spine-border1-LoopBack2] quit
Configure EBGP
[spine-border1] bgp 500 instance Underlay
[spine-border1-bgp-Underlay] address-family ipv4 unicast
[spine-border1-bgp-Underlay-ipv4] network 10.20.1.2 255.255.255.255
[spine-border1-bgp-Underlay-ipv4] quit
[spine-border1-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[spine-border1] evpn m-lag group 10.20.1.2
(3) Use the M-LAG virtual address as the BGP route next hop.
[spine-border1] bgp 100
[spine-border1-bgp-default] address-family l2vpn evpn
[spine-border1-bgp-default-evpn] nexthop evpn-m-lag group-address
[spine-border1-bgp-default-evpn] quit
[spine-border1-bgp-default] quit
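(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. The bridge MAC of either M-LAG device is recommended as the system-mac. To view a device's bridge MAC, run the display lacp system-id command on the device.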
[spine-border1] m-lag system-mac 0002-0003-0001
(2) Configure the M-LAG system-number. Note: The two M-LAG devices must use different system-number values, for example 1 on one device and 2 on the other.
[spine-border1] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[spine-border1] m-lag system-priority 10
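The pairing rules in steps (1) to (3) and the shared virtual address requirement can be checked against an address plan before any device is configured. The following validator is an added example, not H3C code. The `Member` structure, the pair labels, and the system-number values of every device other than spine-border1 are assumptions, the MAD subnet check is derived from the /30 addressing in Table 1 rather than from an explicit rule, and uniqueness is checked only within the supplied plan.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Member:
    name: str
    pair: str             # label of the M-LAG system this device belongs to
    system_mac: str       # m-lag system-mac
    system_number: int    # m-lag system-number
    system_priority: int  # m-lag system-priority
    virtual_ip: str       # M-LAG virtual address (evpn m-lag group)
    mad_ip: str           # MAD/keepalive interface address with prefix length


def norm_mac(mac):
    """Reduce xxxx-xxxx-xxxx (or colon/dot) notation to 12 lowercase hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def validate(members):
    """Return the rule violations found in the plan, one string per violation."""
    pairs = defaultdict(list)
    for m in members:
        pairs[m.pair].append(m)

    errors, mac_owner = [], {}
    for pair, devs in sorted(pairs.items()):
        if len(devs) != 2:
            errors.append(f"{pair}: expected 2 member devices, found {len(devs)}")
            continue
        a, b = devs
        macs = {norm_mac(a.system_mac), norm_mac(b.system_mac)}
        if len(macs) != 1:
            errors.append(f"{pair}: system-mac differs between {a.name} and {b.name}")
        if a.system_number == b.system_number:
            errors.append(f"{pair}: system-number must differ, both are {a.system_number}")
        if a.system_priority != b.system_priority:
            errors.append(f"{pair}: system-priority must match")
        if ipaddress.ip_address(a.virtual_ip) != ipaddress.ip_address(b.virtual_ip):
            errors.append(f"{pair}: M-LAG virtual address must match")
        # Derived from the /30 plan in Table 1, not an explicit rule in the guide.
        mad_a = ipaddress.ip_interface(a.mad_ip)
        mad_b = ipaddress.ip_interface(b.mad_ip)
        if mad_a.network != mad_b.network or mad_a.ip == mad_b.ip:
            errors.append(f"{pair}: MAD addresses must be two hosts in one subnet")
        for mac in sorted(macs):
            owner = mac_owner.setdefault(mac, pair)
            if owner != pair:
                errors.append(f"{pair}: system-mac {mac} is already used by {owner}")
    return errors


# Addresses from Table 1. system-number 2 and priority 10 for Spine Border 1
# come from the commands above; the other system-number values are assumed.
PLAN = [
    Member("Spine Border 1", "spine-border", "0002-0003-0001", 2, 10,
           "10.20.1.2", "10.10.1.1/30"),
    Member("Spine Border 2", "spine-border", "0002-0003-0001", 1, 10,
           "10.20.1.2", "10.10.1.2/30"),
    Member("Server Leaf 1", "server-leaf", "0002-0003-0002", 1, 10,
           "10.20.1.4", "10.10.1.5/30"),
    Member("Server Leaf 2", "server-leaf", "0002-0003-0002", 2, 10,
           "10.20.1.4", "10.10.1.6/30"),
]

# Constructed faulty plan: Server Leaf 2 reuses the Spine Border system-mac,
# repeats its peer's system-number, and has a mismatched priority and MAD subnet.
BROKEN = PLAN[:3] + [replace(PLAN[3], system_mac="0002-0003-0001",
                             system_number=1, system_priority=20,
                             mad_ip="10.10.1.9/30")]

if __name__ == "__main__":
    for label, plan in (("plan", PLAN), ("broken", BROKEN)):
        print(label, validate(plan) or "OK")
```
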
(1) Create the VLANs.
[spine-border1] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[spine-border1] interface Bridge-Aggregation1
[spine-border1-Bridge-Aggregation1] port link-type trunk
[spine-border1-Bridge-Aggregation1] port trunk permit vlan all
[spine-border1-Bridge-Aggregation1] port trunk pvid vlan 4094
[spine-border1-Bridge-Aggregation1] link-aggregation mode dynamic
[spine-border1-Bridge-Aggregation1] port m-lag peer-link 1
[spine-border1-Bridge-Aggregation1] undo mac-address static source-check enable
[spine-border1-Bridge-Aggregation1] quit
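On S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: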
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[spine-border1] interface HundredGigE4/0/1
[spine-border1-HundredGigE4/0/1] port link-mode bridge
[spine-border1-HundredGigE4/0/1] port link-type trunk
[spine-border1-HundredGigE4/0/1] port trunk permit vlan all
[spine-border1-HundredGigE4/0/1] port trunk pvid vlan 4094
[spine-border1-HundredGigE4/0/1] port link-aggregation group 1
[spine-border1-HundredGigE4/0/1] quit
(4) Configure peer-link physical interface 2.
[spine-border1] interface HundredGigE4/0/2
[spine-border1-HundredGigE4/0/2] port link-mode bridge
[spine-border1-HundredGigE4/0/2] port link-type trunk
[spine-border1-HundredGigE4/0/2] port trunk permit vlan all
[spine-border1-HundredGigE4/0/2] port trunk pvid vlan 4094
[spine-border1-HundredGigE4/0/2] port link-aggregation group 1
[spine-border1-HundredGigE4/0/2] quit
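(1) Configure the restore delay. Until the timer expires, the service interfaces stay in M-LAG MAD DOWN state. After the timer expires, the service interfaces come up.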
[spine-border1] m-lag restore-delay 180
(2) Configure the VPN instance.
[spine-border1] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[spine-border1] interface Ten-GigabitEthernet6/0/48
[spine-border1-Ten-GigabitEthernet6/0/48] port link-mode route
[spine-border1-Ten-GigabitEthernet6/0/48] ip binding vpn-instance auto-online-mlag
[spine-border1-Ten-GigabitEthernet6/0/48] ip address 10.10.1.1 255.255.255.252
[spine-border1-Ten-GigabitEthernet6/0/48] quit
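(4) Configure the M-LAG MAD whitelist.
All physical interfaces must be added to the whitelist except the M-LAG peer-link interfaces, the MAD interface, and interfaces that will join a service loopback group.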
[spine-border1] m-lag mad default-action none
[spine-border1] m-lag keepalive ip destination 10.10.1.2 source 10.10.1.1 vpn-instance auto-online-mlag
[spine-border1] m-lag mad include interface FortyGigE4/0/1
…(omitted)…
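The whitelist rule in step (4) can be checked mechanically against a device configuration. The following is an added example, not part of the original guide or H3C tooling: it lists physical interfaces that the rule requires in `m-lag mad include interface` but that are missing. It assumes the MAD interface is the one holding the keepalive source address, and that the interface types in `LOGICAL` are out of scope; the sample configuration is constructed from the guide's values.

```python
import re

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")   # Comware prompt prefix, if present
# Interface types treated as non-physical or out of scope (assumption of this example).
LOGICAL = ("Bridge-Aggregation", "Route-Aggregation", "Vlan-interface", "Vsi-interface",
           "LoopBack", "Tunnel", "NULL", "M-GigabitEthernet")


def whitelist_gaps(text):
    """Return physical interfaces the rule requires in the MAD list but that are absent."""
    ifaces, included, keepalive_src, current = {}, set(), None, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            current = ifaces.setdefault(m.group(1), [])
        elif m := re.fullmatch(r"m-lag mad include interface (\S+)", line):
            included.add(m.group(1))
        elif m := re.match(r"m-lag keepalive ip destination \S+ source (\S+)", line):
            keepalive_src = m.group(1)
        elif line in ("quit", "#"):
            current = None
        elif current is not None:
            current.append(line)

    # Aggregation group numbers whose aggregate interface is the peer-link.
    peer_groups = {name[len("Bridge-Aggregation"):] for name, cmds in ifaces.items()
                   if name.startswith("Bridge-Aggregation")
                   and any(c.startswith("port m-lag peer-link") for c in cmds)}
    peer_member_cmds = {f"port link-aggregation group {g}" for g in peer_groups}

    def exempt(cmds):
        return any(
            c in peer_member_cmds                                   # peer-link member port
            or c.startswith("port service-loopback group")          # service loopback member
            or (keepalive_src is not None
                and c.split()[:3] == ["ip", "address", keepalive_src])  # MAD interface
            for c in cmds)

    return sorted(name for name, cmds in ifaces.items()
                  if not name.startswith(LOGICAL)
                  and not exempt(cmds) and name not in included)


# Constructed sample in saved-configuration layout, using the guide's example values.
SAMPLE_CONFIG = """\
interface Bridge-Aggregation1
 port m-lag peer-link 1
#
interface HundredGigE4/0/1
 port link-aggregation group 1
#
interface HundredGigE4/0/2
 port link-aggregation group 1
#
interface Ten-GigabitEthernet6/0/48
 ip binding vpn-instance auto-online-mlag
 ip address 10.10.1.1 255.255.255.252
#
interface FortyGigE4/0/1
 port link-mode route
#
interface Ten-GigabitEthernet6/0/1
 port link-aggregation group 3
#
interface M-GigabitEthernet0/0/0
 ip address 192.168.11.2 255.255.255.0
#
m-lag mad default-action none
m-lag keepalive ip destination 10.10.1.2 source 10.10.1.1 vpn-instance auto-online-mlag
m-lag mad include interface FortyGigE4/0/1
"""

if __name__ == "__main__":
    for name in whitelist_gaps(SAMPLE_CONFIG):
        print("not in MAD whitelist:", name)
```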
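When the uplink interfaces of device 1 and the downlink interfaces of device 2 are DOWN at the same time, traffic from the downlink interfaces of device 1 reaches the uplink interfaces of device 2 over the escape path on the peer-link, so connectivity with other devices is maintained. Using the PVID VLAN of the peer-link interface as the escape VLAN is recommended.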
[spine-border1] interface Vlan-interface4094
[spine-border1-Vlan-interface4094] ip address 10.30.1.1 255.255.255.252
[spine-border1-Vlan-interface4094] quit
Choose one routing protocol to configure:
Configure OSPF
[spine-border1] interface Vlan-interface4094
[spine-border1-Vlan-interface4094] ospf 1 area 0.0.0.0
[spine-border1-Vlan-interface4094] quit
Configure IS-IS
[spine-border1] interface Vlan-interface4094
[spine-border1-Vlan-interface4094] isis enable 1
[spine-border1-Vlan-interface4094] quit
Configure EBGP
[spine-border1] route-policy ibgpsurvive permit node 100
[spine-border1-route-policy-ibgpsurvive-100] apply local-preference 0
[spine-border1-route-policy-ibgpsurvive-100] quit
[spine-border1] bgp 500 instance Underlay
[spine-border1-bgp-Underlay] peer 10.30.1.2 as-number 500
[spine-border1-bgp-Underlay] address-family ipv4 unicast
[spine-border1-bgp-Underlay-ipv4] network 10.30.1.1 255.255.255.252
[spine-border1-bgp-Underlay-ipv4] peer 10.30.1.2 route-policy ibgpsurvive export
[spine-border1-bgp-Underlay-ipv4] peer 10.30.1.2 next-hop-local
[spine-border1-bgp-Underlay-ipv4] quit
[spine-border1-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· For devices other than S12500X, configure the following command:
[spine-border1] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
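· For S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: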
[spine-border1] l2vpn m-lag peer-link tunnel source 10.1.1.2 destination 10.1.1.3
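So that packets from single-homed VMs forwarded by the M-LAG Leaf to the M-LAG Border can be decapsulated correctly by the M-LAG Border, configure the default decapsulation address on the M-LAG Border as the M-LAG Border virtual address.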
[spine-border1] vxlan default-decapsulation source interface LoopBack2
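The auto-recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. The reference value is 600 seconds for chassis devices such as S12500G/S12500X/S10500X/S7500X, and 300 seconds for box devices such as S68XX. Configure it as follows: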
[spine-border1] m-lag auto-recovery reload-delay 600
(1) Configure the interface connected to FW device 1.
For the port m-lag group command, the group number must be the same on both M-LAG devices.
[spine-border1] interface Bridge-Aggregation3
[spine-border1-Bridge-Aggregation3] port link-type trunk
[spine-border1-Bridge-Aggregation3] undo port trunk permit vlan 1
[spine-border1-Bridge-Aggregation3] link-aggregation mode dynamic
[spine-border1-Bridge-Aggregation3] port m-lag group 2
[spine-border1-Bridge-Aggregation3] stp edged-port
[spine-border1-Bridge-Aggregation3] quit
[spine-border1] interface Ten-GigabitEthernet6/0/1
[spine-border1-Ten-GigabitEthernet6/0/1] port link-mode bridge
[spine-border1-Ten-GigabitEthernet6/0/1] port link-type trunk
[spine-border1-Ten-GigabitEthernet6/0/1] undo port trunk permit vlan 1
[spine-border1-Ten-GigabitEthernet6/0/1] port link-aggregation group 3
[spine-border1-Ten-GigabitEthernet6/0/1] quit
(2) Configure the interface connected to FW device 2.
[spine-border1] interface Bridge-Aggregation4
[spine-border1-Bridge-Aggregation4] port link-type trunk
[spine-border1-Bridge-Aggregation4] undo port trunk permit vlan 1
[spine-border1-Bridge-Aggregation4] link-aggregation mode dynamic
[spine-border1-Bridge-Aggregation4] port m-lag group 3
[spine-border1-Bridge-Aggregation4] stp edged-port
[spine-border1-Bridge-Aggregation4] quit
[spine-border1] interface Ten-GigabitEthernet6/0/2
[spine-border1-Ten-GigabitEthernet6/0/2] port link-mode bridge
[spine-border1-Ten-GigabitEthernet6/0/2] port link-type trunk
[spine-border1-Ten-GigabitEthernet6/0/2] undo port trunk permit vlan 1
[spine-border1-Ten-GigabitEthernet6/0/2] port link-aggregation group 4
[spine-border1-Ten-GigabitEthernet6/0/2] quit
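Service VLANs must be permitted on the aggregate interfaces connected to the FW. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.
(1) Configure the interface connected to LB device 1.
For the port m-lag group command, the group number must be the same on both M-LAG devices.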
[spine-border1] interface Bridge-Aggregation5
[spine-border1-Bridge-Aggregation5] port link-type trunk
[spine-border1-Bridge-Aggregation5] undo port trunk permit vlan 1
[spine-border1-Bridge-Aggregation5] link-aggregation mode dynamic
[spine-border1-Bridge-Aggregation5] port m-lag group 4
[spine-border1-Bridge-Aggregation5] stp edged-port
[spine-border1-Bridge-Aggregation5] quit
[spine-border1] interface Ten-GigabitEthernet6/0/3
[spine-border1-Ten-GigabitEthernet6/0/3] port link-mode bridge
[spine-border1-Ten-GigabitEthernet6/0/3] port link-type trunk
[spine-border1-Ten-GigabitEthernet6/0/3] undo port trunk permit vlan 1
[spine-border1-Ten-GigabitEthernet6/0/3] port link-aggregation group 5
[spine-border1-Ten-GigabitEthernet6/0/3] quit
(2) Configure the interface connected to LB device 2.
[spine-border1] interface Bridge-Aggregation6
[spine-border1-Bridge-Aggregation6] port link-type trunk
[spine-border1-Bridge-Aggregation6] undo port trunk permit vlan 1
[spine-border1-Bridge-Aggregation6] link-aggregation mode dynamic
[spine-border1-Bridge-Aggregation6] port m-lag group 5
[spine-border1-Bridge-Aggregation6] stp edged-port
[spine-border1-Bridge-Aggregation6] quit
[spine-border1] interface Ten-GigabitEthernet6/0/4
[spine-border1-Ten-GigabitEthernet6/0/4] port link-mode bridge
[spine-border1-Ten-GigabitEthernet6/0/4] port link-type trunk
[spine-border1-Ten-GigabitEthernet6/0/4] undo port trunk permit vlan 1
[spine-border1-Ten-GigabitEthernet6/0/4] port link-aggregation group 6
[spine-border1-Ten-GigabitEthernet6/0/4] quit
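Service VLANs must be permitted on the aggregate interfaces connected to the LB. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.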
[spine-border1] interface Bridge-Aggregation2
[spine-border1-Bridge-Aggregation2] port link-type trunk
[spine-border1-Bridge-Aggregation2] undo port trunk permit vlan 1
[spine-border1-Bridge-Aggregation2] link-aggregation mode dynamic
[spine-border1-Bridge-Aggregation2] port m-lag group 1
[spine-border1-Bridge-Aggregation2] quit
[spine-border1] interface Ten-GigabitEthernet6/0/5
[spine-border1-Ten-GigabitEthernet6/0/5] port link-mode bridge
[spine-border1-Ten-GigabitEthernet6/0/5] port link-type trunk
[spine-border1-Ten-GigabitEthernet6/0/5] undo port trunk permit vlan 1
[spine-border1-Ten-GigabitEthernet6/0/5] port link-aggregation group 2
[spine-border1-Ten-GigabitEthernet6/0/5] quit
[spine-border1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
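(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the operation area of fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
○ Device name: spine-border1.
○ Basic information:
- Fabric: fabric1. Do not use the control component's default Fabric, DEFAULTFABRIC.
- Device type: Border device.
- Management IP: 192.168.11.2.
- VTEP IP: 10.1.1.2.
- Preferred Region: region1.
- Device role: Spine.
- Configure other parameters according to networking requirements. The default settings are used in this example.
Figure 17 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
○ NETCONF user name: admin.
○ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
○ Confirm NETCONF password: Qwert@1234.
○ Configure other parameters according to networking requirements. The default settings are used in this example.
Figure 18 Adding a switching device

(4) Click the "VXLAN" tab and configure the VXLAN parameters according to networking requirements. The default settings are used in this example.
Figure 19 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
○ VRF name: the name of the VPN that the management interface of the switching device belongs to. mgmt is used as an example.
○ Configure other parameters according to networking requirements. The default settings are used in this example.
Figure 20 Configuring OpenFlow
(6) Click the "Advanced" tab and configure advanced parameters according to networking requirements. The default settings are used in this example.
Figure 21 Advanced settings

(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.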
<spine-border2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<spine-border2> reboot force
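After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ between switch models, as follows:
S12500G-AF T series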
[spine-border2] hardware-resource tcam normal
[spine-border2] hardware-resource routing-mode ipv6-128
[spine-border2] hardware-resource vxlan l3gw
S12500X
[spine-border2] hardware-resource tcam routing
[spine-border2] hardware-resource vxlan normal
[spine-border2] hardware-resource mcast normal
[spine-border2] hardware-resource scale-rt-prefix none
[spine-border2] hardware-resource mpls normal
[spine-border2] hardware-resource parser normal
S6800
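When the S6800 acts as a Leaf or Border, configure hardware resources according to the services in use. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".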
[spine-border2] hardware-resource switch-mode 4
[spine-border2] hardware-resource routing-mode ipv6-128
[spine-border2] hardware-resource vxlan Border40k
S6860
[spine-border2] hardware-resource switch-mode 4
[spine-border2] hardware-resource routing-mode ipv6-128
[spine-border2] hardware-resource vxlan Border24k
[spine-border2] hardware-resource switch-mode DUAL-STACK
[spine-border2] hardware-resource routing-mode ipv6-128
[spine-border2] hardware-resource vxlan l3gw
S10500X
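On the S10500X, the hardware resource parameter switch-mode must use its default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
(1) Modify the interface module parameter, using slot 0 as an example.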
[spine-border2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Modify the MPU parameter, using slot 6 as an example.
[spine-border2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
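On the S7500X, the hardware resource parameter switch-mode must use its default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set for MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
Modify the interface module parameter, using slot 2 as an example.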
[spine-border2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
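S12500G-AF S series
On the S12500G-AF S series, the hardware resource parameter switch-mode must be normal; use the display switch-mode status command to view the configured value. system-working-mode must be expert; use the display system-working-mode command to view the configured value. switch-mode and system-working-mode can be changed with the following commands. The changes take effect after a reboot.
Slot 3 is used as an example.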
[spine-border2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[spine-border2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
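S12500R series
On the S12500R series, the hardware resource parameter hardware-resource mdb must be routing; use the display hardware-resource mdb command to view the configured value. hardware-resource interface must be bridge; use the display hardware-resource interface command to view the configured value. hardware-resource mdb and hardware-resource interface can be changed with the following commands. The changes take effect after a reboot.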
[spine-border2] hardware-resource mdb routing
[spine-border2] hardware-resource interface bridge
S10506X-G
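On the S10506X-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.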
[spine-border2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
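On the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.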
[spine-border2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
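S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be normal; use the display switch-mode status command to view the configured value. system-working-mode must be expert; use the display system-working-mode command to view the configured value. switch-mode and system-working-mode can be changed with the following commands. The changes take effect after a reboot.
Slot 3 is used as an example.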
[spine-border2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[spine-border2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
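On the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.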
[spine-border2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
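On the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.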
[spine-border2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
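On the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications and have no functional impact. Keeping the default value is recommended, and using the same mode on both ends is recommended. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. These parameters can be changed with the following commands. The changes take effect after a reboot.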
[spine-border2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine-border2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine-border2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
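On the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING; use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. These parameters can be changed with the following commands. The changes take effect after a reboot.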
[spine-border2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine-border2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine-border2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN instance.
[spine-border2] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[spine-border2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[spine-border2] interface M-GigabitEthernet0/0/0
[spine-border2-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[spine-border2-M-GigabitEthernet0/0/0] ip address 192.168.11.3 255.255.255.0
[spine-border2-M-GigabitEthernet0/0/0] quit
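(4) Configure the management user. The user name admin and the password Qwert@1234 are used as an example. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some functions use HTTPS short connections, so the service-type https command must be configured; otherwise those functions do not work properly. For the functions that use HTTPS short connections, see "Which functions use HTTPS short connections?".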
[spine-border2] local-user admin class manage
[spine-border2-luser-manage-admin] password simple Qwert@1234
[spine-border2-luser-manage-admin] service-type https ssh
[spine-border2-luser-manage-admin] authorization-attribute user-role network-admin
[spine-border2-luser-manage-admin] authorization-attribute user-role network-operator
[spine-border2-luser-manage-admin] quit
(5) Configure the VTY lines.
[spine-border2] line vty 0 63
[spine-border2-line-vty0-63] authentication-mode scheme
[spine-border2-line-vty0-63] user-role network-admin
[spine-border2-line-vty0-63] user-role network-operator
[spine-border2-line-vty0-63] quit
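(6) Configure NETCONF. Some functions use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those functions do not work properly. For the functions that use HTTPS short connections, see "Which functions use HTTPS short connections?".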
[spine-border2] netconf soap https enable
[spine-border2] netconf ssh server enable
(7) Enable the SSH service.
[spine-border2] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. NTP server IP 192.168.10.101 is used as an example.
[spine-border2] ntp-service enable
[spine-border2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[spine-border2] snmp-agent
[spine-border2] snmp-agent community write private
[spine-border2] snmp-agent community read public
[spine-border2] snmp-agent sys-info version all
[spine-border2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[spine-border2] lldp global enable
(1) Enable L2VPN on the device.
[spine-border2] l2vpn enable
(2) Disable learning of MAC, ARP, and ND entries from VXLAN tunnels.
[spine-border2] vxlan tunnel mac-learning disable
[spine-border2] vxlan tunnel arp-learning disable
[spine-border2] vxlan tunnel nd-learning disable
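To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
Choose one routing protocol to configure:
Configure OSPF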
[spine-border2] ospf 1 router-id 192.168.11.3
[spine-border2-ospf-1] non-stop-routing
[spine-border2-ospf-1] area 0.0.0.0
[spine-border2-ospf-1] quit
Configure IS-IS
[spine-border2] isis 1
[spine-border2-isis-1] non-stop-routing
[spine-border2-isis-1] isis enable 1
[spine-border2-isis-1] is-level level-2
[spine-border2-isis-1] is-name user1
[spine-border2-isis-1] network-entity 86.4713.0021.0100.0400.1003.00
[spine-border2-isis-1] address-family ipv4 unicast
[spine-border2-isis-1-ipv4] maximum load-balancing 4
[spine-border2-isis-1-ipv4] quit
[spine-border2-isis-1] quit
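Configure EBGP
The two Spine Border devices use AS number 500 and the four devices in the Leaf role use AS number 501. EBGP peering is established between the Spine Border devices and the Leaf devices.
Underlay EBGP uses the LoopBack1 address as the source address.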
[spine-border2] interface LoopBack1
[spine-border2-LoopBack1] ip address 4.1.1.2 255.255.255.255
[spine-border2-LoopBack1] quit
[spine-border2] bgp 500 instance Underlay
[spine-border2-bgp-Underlay] non-stop-routing
[spine-border2-bgp-Underlay] router-id 4.1.1.2
[spine-border2-bgp-Underlay] group Leaf external
[spine-border2-bgp-Underlay] peer Leaf as-number 501
[spine-border2-bgp-Underlay] peer Leaf ebgp-max-hop 2
[spine-border2-bgp-Underlay] peer Leaf connect-interface Loopback1
[spine-border2-bgp-Underlay] peer 4.1.1.3 group Leaf
[spine-border2-bgp-Underlay] peer 4.1.1.4 group Leaf
[spine-border2-bgp-Underlay] peer 4.1.1.5 group Leaf
[spine-border2-bgp-Underlay] peer 4.1.1.6 group Leaf
[spine-border2-bgp-Underlay] address-family ipv4 unicast
[spine-border2-bgp-Underlay-ipv4] balance 4
[spine-border2-bgp-Underlay-ipv4] peer Leaf enable
[spine-border2-bgp-Underlay-ipv4] peer Leaf allow-as-loop 2
[spine-border2-bgp-Underlay-ipv4] quit
[spine-border2-bgp-Underlay] quit
[spine-border2] interface LoopBack0
[spine-border2-LoopBack0] ip address 10.1.1.3 255.255.255.255
[spine-border2-LoopBack0] quit
Choose one routing protocol to configure:
Configure OSPF
[spine-border2] interface LoopBack0
[spine-border2-LoopBack0] ospf 1 area 0.0.0.0
[spine-border2-LoopBack0] quit
Configure IS-IS
[spine-border2] interface LoopBack0
[spine-border2-LoopBack0] isis enable 1
[spine-border2-LoopBack0] quit
Configure EBGP
[spine-border2] bgp 500 instance Underlay
[spine-border2-bgp-Underlay] address-family ipv4 unicast
[spine-border2-bgp-Underlay-ipv4] network 10.1.1.3 255.255.255.255
[spine-border2-bgp-Underlay-ipv4] quit
[spine-border2-bgp-Underlay] quit
Configure the IBGP RR
[spine-border2] bgp 100
[spine-border2-bgp-default] non-stop-routing
[spine-border2-bgp-default] router-id 10.1.1.3
[spine-border2-bgp-default] group evpn internal
[spine-border2-bgp-default] peer evpn source-address 10.1.1.3
[spine-border2-bgp-default] peer 10.1.1.4 group evpn
[spine-border2-bgp-default] peer 10.1.1.5 group evpn
[spine-border2-bgp-default] peer 10.1.1.6 group evpn
[spine-border2-bgp-default] peer 10.1.1.7 group evpn
[spine-border2-bgp-default] address-family l2vpn evpn
[spine-border2-bgp-default-evpn] undo policy vpn-target
[spine-border2-bgp-default-evpn] peer evpn enable
[spine-border2-bgp-default-evpn] peer evpn reflect-client
[spine-border2-bgp-default-evpn] quit
[spine-border2-bgp-default] quit
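The configuration of the interface connected to Server Leaf 1 is used as an example. For the interfaces connected to other Leaf devices, refer to this configuration.
Because the Underlay routing protocols differ, the configuration of the interface connected to the Leaf also differs. Choose one of OSPF, IS-IS, or EBGP to configure.
Configure OSPF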
[spine-border2] interface HundredGigE1/0/5
[spine-border2-HundredGigE1/0/5] port link-mode route
[spine-border2-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[spine-border2-HundredGigE1/0/5] ospf network-type p2p
[spine-border2-HundredGigE1/0/5] ospf 1 area 0.0.0.0
[spine-border2-HundredGigE1/0/5] lldp management-address arp-learning
[spine-border2-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[spine-border2-HundredGigE1/0/5] quit
Configure IS-IS
[spine-border2] interface HundredGigE1/0/5
[spine-border2-HundredGigE1/0/5] port link-mode route
[spine-border2-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[spine-border2-HundredGigE1/0/5] isis enable 1
[spine-border2-HundredGigE1/0/5] isis circuit-level level-2
[spine-border2-HundredGigE1/0/5] isis circuit-type p2p
[spine-border2-HundredGigE1/0/5] isis authentication-mode md5 simple 123456
[spine-border2-HundredGigE1/0/5] lldp management-address arp-learning
[spine-border2-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[spine-border2-HundredGigE1/0/5] quit
Configure EBGP
[spine-border2] interface HundredGigE1/0/5
[spine-border2-HundredGigE1/0/5] port link-mode route
[spine-border2-HundredGigE1/0/5] ip address unnumbered interface LoopBack1
[spine-border2-HundredGigE1/0/5] lldp management-address arp-learning
[spine-border2-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[spine-border2-HundredGigE1/0/5] arp route-direct advertise
[spine-border2-HundredGigE1/0/5] quit
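The Global MAC is the Router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, select one from the Available Global MACs of the two devices.
On S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.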
[spine-border2] evpn global-mac 0001-0001-0001
The M-LAG real address command, that is, the evpn m-lag local remote command, does not need to be configured on the Border.
(1) Configure the M-LAG virtual address.
[spine-border2] interface LoopBack2
[spine-border2-LoopBack2] ip address 10.20.1.2 255.255.255.255
[spine-border2-LoopBack2] quit
Choose one routing protocol to configure:
Configure OSPF
[spine-border2] interface LoopBack2
[spine-border2-LoopBack2] ospf 1 area 0.0.0.0
[spine-border2-LoopBack2] quit
Configure IS-IS
[spine-border2] interface LoopBack2
[spine-border2-LoopBack2] isis enable 1
[spine-border2-LoopBack2] quit
Configure EBGP
[spine-border2] bgp 500 instance Underlay
[spine-border2-bgp-Underlay] address-family ipv4 unicast
[spine-border2-bgp-Underlay-ipv4] network 10.20.1.2 255.255.255.255
[spine-border2-bgp-Underlay-ipv4] quit
[spine-border2-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system must use the same virtual address.
[spine-border2] evpn m-lag group 10.20.1.2
(3) Use the M-LAG virtual address as the next hop of BGP routes.
[spine-border2] bgp 100
[spine-border2-bgp-default] address-family l2vpn evpn
[spine-border2-bgp-default-evpn] nexthop evpn-m-lag group-address
[spine-border2-bgp-default-evpn] quit
[spine-border2-bgp-default] quit
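(1) The system-mac of all M-LAG devices in an M-LAG system must be the same and must be unique across the entire network. Using the bridge MAC of either M-LAG device as the system-mac is recommended; run the display lacp system-id command on the device to view its bridge MAC.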
[spine-border2] m-lag system-mac 0002-0003-0001
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must have different system-numbers, for example 1 on one M-LAG device and 2 on the other.
[spine-border2] m-lag system-number 1
(3) Configure the M-LAG system-priority. The two M-LAG devices must have the same priority.
[spine-border2] m-lag system-priority 10
(1) Create VLANs.
[spine-border2] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[spine-border2] interface Bridge-Aggregation1
[spine-border2-Bridge-Aggregation1] port link-type trunk
[spine-border2-Bridge-Aggregation1] port trunk permit vlan all
[spine-border2-Bridge-Aggregation1] port trunk pvid vlan 4094
[spine-border2-Bridge-Aggregation1] link-aggregation mode dynamic
[spine-border2-Bridge-Aggregation1] port m-lag peer-link 1
[spine-border2-Bridge-Aggregation1] undo mac-address static source-check enable
[spine-border2-Bridge-Aggregation1] quit
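For S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
For S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: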
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[spine-border2] interface HundredGigE4/0/1
[spine-border2-HundredGigE4/0/1] port link-mode bridge
[spine-border2-HundredGigE4/0/1] port link-type trunk
[spine-border2-HundredGigE4/0/1] port trunk permit vlan all
[spine-border2-HundredGigE4/0/1] port trunk pvid vlan 4094
[spine-border2-HundredGigE4/0/1] port link-aggregation group 1
[spine-border2-HundredGigE4/0/1] quit
(4) Configure peer-link physical interface 2.
[spine-border2] interface HundredGigE4/0/2
[spine-border2-HundredGigE4/0/2] port link-mode bridge
[spine-border2-HundredGigE4/0/2] port link-type trunk
[spine-border2-HundredGigE4/0/2] port trunk permit vlan all
[spine-border2-HundredGigE4/0/2] port trunk pvid vlan 4094
[spine-border2-HundredGigE4/0/2] port link-aggregation group 1
[spine-border2-HundredGigE4/0/2] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the link becomes MAD UP only after the specified delay.
[spine-border2] m-lag restore-delay 180
(2) Configure the VPN instance.
[spine-border2] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[spine-border2] interface Ten-GigabitEthernet6/0/48
[spine-border2-Ten-GigabitEthernet6/0/48] port link-mode route
[spine-border2-Ten-GigabitEthernet6/0/48] ip binding vpn-instance auto-online-mlag
[spine-border2-Ten-GigabitEthernet6/0/48] ip address 10.10.1.2 255.255.255.252
[spine-border2-Ten-GigabitEthernet6/0/48] quit
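(4) Configure the M-LAG MAD whitelist.
All physical interfaces must be added to the whitelist except the M-LAG peer-link interfaces, the MAD interface, and interfaces that will join a service loopback group.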
[spine-border2] m-lag mad default-action none
[spine-border2] m-lag keepalive ip destination 10.10.1.1 source 10.10.1.2 vpn-instance auto-online-mlag
[spine-border2] m-lag mad include interface FortyGigE4/0/1
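…(omitted)…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 are DOWN at the same time, traffic from the downlink interfaces of device 1 reaches the uplink interfaces of device 2 over the escape path on the peer-link, so connectivity with other devices is maintained.
Using the PVID VLAN of the peer-link interface as the escape VLAN is recommended, and using an IP address with a 30-bit mask that is advertised across the entire network is recommended.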
[spine-border2] interface Vlan-interface4094
[spine-border2-Vlan-interface4094] ip address 10.30.1.2 255.255.255.252
[spine-border2-Vlan-interface4094] quit
Choose one routing protocol to configure:
Configure OSPF
[spine-border2] interface Vlan-interface4094
[spine-border2-Vlan-interface4094] ospf 1 area 0.0.0.0
[spine-border2-Vlan-interface4094] quit
Configure IS-IS
[spine-border2] interface Vlan-interface4094
[spine-border2-Vlan-interface4094] isis enable 1
[spine-border2-Vlan-interface4094] quit
Configure EBGP
[spine-border2] route-policy ibgpsurvive permit node 100
[spine-border2-route-policy-ibgpsurvive-100] apply local-preference 0
[spine-border2-route-policy-ibgpsurvive-100] quit
[spine-border2] bgp 500 instance Underlay
[spine-border2-bgp-Underlay] peer 10.30.1.1 as-number 500
[spine-border2-bgp-Underlay] address-family ipv4 unicast
[spine-border2-bgp-Underlay-ipv4] network 10.30.1.2 255.255.255.252
[spine-border2-bgp-Underlay-ipv4] peer 10.30.1.1 route-policy ibgpsurvive export
[spine-border2-bgp-Underlay-ipv4] peer 10.30.1.1 next-hop-local
[spine-border2-bgp-Underlay-ipv4] quit
[spine-border2-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· For devices other than S12500X, configure the following command:
[spine-border2] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
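· For S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: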
[spine-border2] l2vpn m-lag peer-link tunnel source 10.1.1.3 destination 10.1.1.2
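So that packets from single-homed VMs forwarded by the M-LAG Leaf to the M-LAG Border can be decapsulated correctly by the M-LAG Border, configure the default decapsulation address on the M-LAG Border as the M-LAG Border virtual address.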
[spine-border2] vxlan default-decapsulation source interface LoopBack2
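The auto-recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. The reference value is 600 seconds for chassis devices such as S12500G/S12500X/S10500X/S7500X, and 300 seconds for box devices such as S68XX. Configure it as follows: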
[spine-border2] m-lag auto-recovery reload-delay 600
(1) Configure the interface connected to FW device 1.
[spine-border2] interface Bridge-Aggregation3
[spine-border2-Bridge-Aggregation3] port link-type trunk
[spine-border2-Bridge-Aggregation3] undo port trunk permit vlan 1
[spine-border2-Bridge-Aggregation3] link-aggregation mode dynamic
[spine-border2-Bridge-Aggregation3] port m-lag group 2
[spine-border2-Bridge-Aggregation3] stp edged-port
[spine-border2-Bridge-Aggregation3] quit
[spine-border2] interface Ten-GigabitEthernet6/0/1
[spine-border2-Ten-GigabitEthernet6/0/1] port link-mode bridge
[spine-border2-Ten-GigabitEthernet6/0/1] port link-type trunk
[spine-border2-Ten-GigabitEthernet6/0/1] undo port trunk permit vlan 1
[spine-border2-Ten-GigabitEthernet6/0/1] port link-aggregation group 3
[spine-border2-Ten-GigabitEthernet6/0/1] quit
(2) Configure the interface connected to FW device 2.
[spine-border2] interface Bridge-Aggregation4
[spine-border2-Bridge-Aggregation4] port link-type trunk
[spine-border2-Bridge-Aggregation4] undo port trunk permit vlan 1
[spine-border2-Bridge-Aggregation4] link-aggregation mode dynamic
[spine-border2-Bridge-Aggregation4] port m-lag group 3
[spine-border2-Bridge-Aggregation4] stp edged-port
[spine-border2-Bridge-Aggregation4] quit
[spine-border2] interface Ten-GigabitEthernet6/0/2
[spine-border2-Ten-GigabitEthernet6/0/2] port link-mode bridge
[spine-border2-Ten-GigabitEthernet6/0/2] port link-type trunk
[spine-border2-Ten-GigabitEthernet6/0/2] undo port trunk permit vlan 1
[spine-border2-Ten-GigabitEthernet6/0/2] port link-aggregation group 4
[spine-border2-Ten-GigabitEthernet6/0/2] quit
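Service VLANs must be permitted on the aggregate interfaces connected to the FW. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.
(1) Configure the interface connected to LB device 1.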
[spine-border2] interface Bridge-Aggregation5
[spine-border2-Bridge-Aggregation5] port link-type trunk
[spine-border2-Bridge-Aggregation5] undo port trunk permit vlan 1
[spine-border2-Bridge-Aggregation5] link-aggregation mode dynamic
[spine-border2-Bridge-Aggregation5] port m-lag group 4
[spine-border2-Bridge-Aggregation5] stp edged-port
[spine-border2-Bridge-Aggregation5] quit
[spine-border2] interface Ten-GigabitEthernet6/0/3
[spine-border2-Ten-GigabitEthernet6/0/3] port link-mode bridge
[spine-border2-Ten-GigabitEthernet6/0/3] port link-type trunk
[spine-border2-Ten-GigabitEthernet6/0/3] undo port trunk permit vlan 1
[spine-border2-Ten-GigabitEthernet6/0/3] port link-aggregation group 5
[spine-border2-Ten-GigabitEthernet6/0/3] quit
(2) Configure the interface connected to LB device 2.
[spine-border2] interface Bridge-Aggregation6
[spine-border2-Bridge-Aggregation6] port link-type trunk
[spine-border2-Bridge-Aggregation6] undo port trunk permit vlan 1
[spine-border2-Bridge-Aggregation6] link-aggregation mode dynamic
[spine-border2-Bridge-Aggregation6] port m-lag group 5
[spine-border2-Bridge-Aggregation6] stp edged-port
[spine-border2-Bridge-Aggregation6] quit
[spine-border2] interface Ten-GigabitEthernet6/0/4
[spine-border2-Ten-GigabitEthernet6/0/4] port link-mode bridge
[spine-border2-Ten-GigabitEthernet6/0/4] port link-type trunk
[spine-border2-Ten-GigabitEthernet6/0/4] undo port trunk permit vlan 1
[spine-border2-Ten-GigabitEthernet6/0/4] port link-aggregation group 6
[spine-border2-Ten-GigabitEthernet6/0/4] quit
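Service VLANs must be permitted on the aggregate interfaces connected to the LB. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.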
[spine-border2] interface Bridge-Aggregation2
[spine-border2-Bridge-Aggregation2] port link-type trunk
[spine-border2-Bridge-Aggregation2] undo port trunk permit vlan 1
[spine-border2-Bridge-Aggregation2] link-aggregation mode dynamic
[spine-border2-Bridge-Aggregation2] port m-lag group 1
[spine-border2-Bridge-Aggregation2] quit
[spine-border2] interface Ten-GigabitEthernet6/0/5
[spine-border2-Ten-GigabitEthernet6/0/5] port link-mode bridge
[spine-border2-Ten-GigabitEthernet6/0/5] port link-type trunk
[spine-border2-Ten-GigabitEthernet6/0/5] undo port trunk permit vlan 1
[spine-border2-Ten-GigabitEthernet6/0/5] port link-aggregation group 2
[spine-border2-Ten-GigabitEthernet6/0/5] quit
[spine-border2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
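(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions area for fabric1, then click the "Switching Devices" tab to open the switching device configuration page for fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
¡ Device name: spine-border2.
¡ Basic information:
- Fabric: fabric1. Do not use the controller's default fabric, DEFAULTFABRIC.
- Device type: Border device.
- Management IP: 192.168.11.3.
- VTEP IP: 10.1.1.3.
- Preferred region: region1.
- Device role: Spine.
- Configure the other parameters as required by the network. This example uses the default settings.
Figure 22 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. The password must be complex and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure the other parameters as required by the network. This example uses the default settings.
Figure 23 Adding a switching device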

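(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 24 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN that the management interface of the switching device belongs to. This example uses mgmt.
¡ Configure the other parameters as required by the network. This example uses the default settings.
Figure 25 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as required by the network. This example uses the default settings.
Figure 26 Advanced settings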

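(7) Click <OK> to finish adding the device.
(8) Go to the [Automation > Data Center Networks > Resource Pools > Device Resources > Device Groups] page, click <Add> to open the Add Device Group page, and configure the following parameters in the basic information area:
¡ Device group name: bdgroup1.
¡ MAC address: 3C:8C:40:4E:DD:46. For how to configure the MAC address for S12500X devices, see "When an S12500X acts as a border device, how do I configure the MAC address of the device group?".
¡ Remote device group: select Yes for a Remote leaf and No for a non-Remote leaf. This parameter cannot be modified after it is configured, so plan it in advance.
¡ Network position: four options that can be selected together: border gateway, inter-Fabric connectivity, DC interconnect, and Service Leaf. Plan this in advance.
¡ HA deployment mode: M-LAG.
(9) In the border gateway settings area of the Add Device Group page, configure the following parameters:
¡ Connection mode: select "VLAN cross-subnet". This parameter cannot be modified after it is configured, so plan it in advance.
¡ Address pool list and VLAN pool list:
- Direct egress: select the default address pool and the default VLAN pool.
- Security egress: select "Custom address pool" and "Custom VLAN pool". Before creating the device group, create the virtual device management network address pool, the tenant carrier firewall internal network address pool, the tenant carrier load balancing internal network address pool, the tenant carrier network VLAN pool and so on, then select them from the available address pool list and the available VLAN pool list. For how to configure custom address pools and custom VLAN pools, see the AD-DC 7.1 Security Service Resource Configuration Guide.
Figure 27 Adding a device group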

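(10) In the device group members area of the Add Device Group page, add the border devices spine-border1 and spine-border2 that were added earlier.
(11) Click <OK> to finish adding the device group.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.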
<server-leaf1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<server-leaf1> reboot force
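After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ between switch models, as follows:
S12500G-AF T series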
[server-leaf1] hardware-resource tcam normal
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw
S12500X
[server-leaf1] hardware-resource tcam routing
[server-leaf1] hardware-resource vxlan normal
[server-leaf1] hardware-resource mcast normal
[server-leaf1] hardware-resource scale-rt-prefix none
[server-leaf1] hardware-resource mpls normal
[server-leaf1] hardware-resource parser normal
S6800
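When an S6800 acts as a Leaf or Border, configure its hardware resources according to the services it carries. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".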
[server-leaf1] hardware-resource switch-mode 4
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw40k
S6860
[server-leaf1] hardware-resource switch-mode 4
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw24k
S6850/S9850/S6825/S6805
[server-leaf1] hardware-resource switch-mode DUAL-STACK
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw
S10500X
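On the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
(1) Modify the interface module parameter, using slot 0 as an example.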
[server-leaf1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Modify the MPU parameter, using slot 6 as an example.
[server-leaf1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
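On the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
Modify the interface module parameter, using slot 2 as an example.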
[server-leaf1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S6520X/S5560X/S6812/S6813/S6880
[server-leaf1] switch-mode 1
Reboot device to make the configuration take effect.
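S12500G-AF S series
On the S12500G-AF S series, the hardware resource parameter switch-mode must be normal (view the configured value with the display switch-mode status command), and system-working-mode must be expert (view the configured value with the display system-working-mode command). Both switch-mode and system-working-mode can be changed with the following commands, and the change takes effect after a reboot.
Slot 3 is used as an example.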
[server-leaf1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
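On the S10506X-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.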
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
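On the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.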
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9820-8M
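On the S9820-8M, the hardware resource parameter switch-mode must be vxlan. Use the display switch-mode status command to view the configured value. If switch-mode is not vxlan, use the switch-mode command to change it to vxlan. The change takes effect after a reboot.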
[server-leaf1] switch-mode 1
Reboot device to make the configuration take effect.
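S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be normal (view the configured value with the display switch-mode status command), and system-working-mode must be expert (view the configured value with the display system-working-mode command). Both switch-mode and system-working-mode can be changed with the following commands, and the change takes effect after a reboot.
Slot 3 is used as an example.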
[server-leaf1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
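On the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.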
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
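On the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.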
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
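On the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications, not in functionality. It is recommended to keep the default value and to use the same mode on both ends. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view the configured value with the display hardware-resource routing-mode command) and hardware-resource vxlan to L3GW (view the configured value with the display hardware-resource vxlan command). These parameters can be changed with the following commands, and the change takes effect after a reboot.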
[server-leaf1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
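On the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING (view the configured value with the display hardware-resource switch-mode command), hardware-resource routing-mode to ipv6-128 (view the configured value with the display hardware-resource routing-mode command), and hardware-resource vxlan to L3GW (view the configured value with the display hardware-resource vxlan command). These parameters can be changed with the following commands, and the change takes effect after a reboot.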
[server-leaf1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[server-leaf1] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[server-leaf1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[server-leaf1] interface M-GigabitEthernet1/0/0/2
[server-leaf1-M-GigabitEthernet1/0/0/2] ip binding vpn-instance mgmt
[server-leaf1-M-GigabitEthernet1/0/0/2] ip address 192.168.11.4 255.255.255.0
[server-leaf1-M-GigabitEthernet1/0/0/2] quit
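(4) Configure the management user. This example uses admin as the username and Qwert@1234 as the password. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured. Otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".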
[server-leaf1] local-user admin class manage
[server-leaf1-luser-manage-admin] password simple Qwert@1234
[server-leaf1-luser-manage-admin] service-type https ssh
[server-leaf1-luser-manage-admin] authorization-attribute user-role network-admin
[server-leaf1-luser-manage-admin] authorization-attribute user-role network-operator
[server-leaf1-luser-manage-admin] quit
(5) Configure the VTY lines.
[server-leaf1] line vty 0 63
[server-leaf1-line-vty0-63] authentication-mode scheme
[server-leaf1-line-vty0-63] user-role network-admin
[server-leaf1-line-vty0-63] user-role network-operator
[server-leaf1-line-vty0-63] quit
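(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured. Otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".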
[server-leaf1] netconf soap https enable
[server-leaf1] netconf ssh server enable
(7) Enable the SSH service.
[server-leaf1] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses 192.168.10.101 as the NTP server IP address.
[server-leaf1] ntp-service enable
[server-leaf1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[server-leaf1] snmp-agent
[server-leaf1] snmp-agent community write private
[server-leaf1] snmp-agent community read public
[server-leaf1] snmp-agent sys-info version all
[server-leaf1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[server-leaf1] lldp global enable
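The management-plane steps above use sample values (Qwert@1234, 123456, and the SNMP communities public and private) that are printed in this guide. The following check is an added example, not part of the original guide or of any H3C tool: it scans a prepared pre-configuration command list for those sample values, applies the two-character-type password rule from step (4), and reports where SNMPv1/v2c is enabled. The function names, rule names and the sample script are assumptions made for illustration.

```python
import re

# Strips CLI prompts such as "[server-leaf1] " or "<server-leaf1> ".
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")
# Sample secrets printed in this guide; they should not reach production.
DOC_SAMPLE_SECRETS = {"Qwert@1234", "123456"}
# Well-known default SNMP community strings.
DEFAULT_COMMUNITIES = {"public", "private"}
# Character types named in step (4): digits, uppercase, lowercase, special.
CHAR_CLASSES = (r"[0-9]", r"[A-Z]", r"[a-z]", r"[^0-9A-Za-z]")


def char_classes(secret):
    """Count how many of the four character types the secret contains."""
    return sum(1 for pattern in CHAR_CLASSES if re.search(pattern, secret))


def audit(script):
    """Return (line number, rule, detail) for each command worth reviewing."""
    findings = []
    for number, raw in enumerate(script.splitlines(), start=1):
        cmd = PROMPT.sub("", raw).strip()

        m = re.match(r"password simple (\S+)$", cmd)
        if m:
            if m.group(1) in DOC_SAMPLE_SECRETS:
                findings.append((number, "sample-secret",
                                 "local-user password is the guide's sample value"))
            elif char_classes(m.group(1)) < 2:
                findings.append((number, "weak-password",
                                 "password has fewer than two character types"))

        m = re.match(r"isis authentication-mode \S+ simple (\S+)$", cmd)
        if m and m.group(1) in DOC_SAMPLE_SECRETS:
            findings.append((number, "sample-secret",
                             "IS-IS authentication key is the guide's sample value"))

        m = re.match(r"snmp-agent community (read|write) (?:(?:simple|cipher) )?(\S+)", cmd)
        if m and m.group(2) in DEFAULT_COMMUNITIES:
            findings.append((number, "default-community",
                             f"{m.group(1)} community is a well-known default"))

        # "all" turns on SNMPv1 and SNMPv2c, which authenticate with the
        # community string alone.
        m = re.match(r"snmp-agent sys-info version (.+)$", cmd)
        if m and {"all", "v1", "v2c"} & set(m.group(1).split()):
            findings.append((number, "snmp-v1-v2c", "SNMPv1/v2c is enabled"))
    return findings


# Constructed input: commands copied from the steps on this page.
SAMPLE_SCRIPT = """\
[server-leaf1] local-user admin class manage
[server-leaf1-luser-manage-admin] password simple Qwert@1234
[server-leaf1] snmp-agent community write private
[server-leaf1] snmp-agent community read public
[server-leaf1] snmp-agent sys-info version all
[server-leaf1-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
"""

if __name__ == "__main__":
    for number, rule, detail in audit(SAMPLE_SCRIPT):
        print(f"line {number}: {rule}: {detail}")
```

Any value that replaces a flagged one has to be changed on both sides: the NETCONF credentials entered on the controller must match the device, as the device-onboarding steps state.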
(1) Enable L2VPN on the device.
[server-leaf1] l2vpn enable
(2) Disable MAC, ARP and ND learning from VXLAN tunnels.
[server-leaf1] vxlan tunnel mac-learning disable
[server-leaf1] vxlan tunnel arp-learning disable
[server-leaf1] vxlan tunnel nd-learning disable
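To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and the command is configured manually, a configuration audit discrepancy occurs.
The Underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF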
[server-leaf1] ospf 1 router-id 192.168.11.4
[server-leaf1-ospf-1] non-stop-routing
[server-leaf1-ospf-1] area 0.0.0.0
[server-leaf1-ospf-1] quit
Configure IS-IS
[server-leaf1] isis 1
[server-leaf1-isis-1] non-stop-routing
[server-leaf1-isis-1] is-level level-2
[server-leaf1-isis-1] is-name user1
[server-leaf1-isis-1] network-entity 86.4713.0021.0100.0400.1004.00
[server-leaf1-isis-1] address-family ipv4 unicast
[server-leaf1-isis-1-ipv4] maximum load-balancing 4
[server-leaf1-isis-1-ipv4] quit
[server-leaf1-isis-1] quit
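Configure EBGP
The two Spine Border or Spine devices use AS number 500, and the four Leaf-role devices use AS number 501. EBGP neighbors are established between the Spine Border or Spine devices and the Leaf-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.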
[server-leaf1] interface LoopBack1
[server-leaf1-LoopBack1] ip address 4.1.1.3 255.255.255.255
[server-leaf1-LoopBack1] quit
[server-leaf1] bgp 501 instance Underlay
[server-leaf1-bgp-Underlay] non-stop-routing
[server-leaf1-bgp-Underlay] router-id 4.1.1.3
[server-leaf1-bgp-Underlay] group Spine external
[server-leaf1-bgp-Underlay] peer Spine as-number 500
[server-leaf1-bgp-Underlay] peer Spine ebgp-max-hop 2
[server-leaf1-bgp-Underlay] peer Spine connect-interface Loopback1
[server-leaf1-bgp-Underlay] peer 4.1.1.1 group Spine
[server-leaf1-bgp-Underlay] peer 4.1.1.2 group Spine
[server-leaf1-bgp-Underlay] address-family ipv4 unicast
[server-leaf1-bgp-Underlay-ipv4] balance 4
[server-leaf1-bgp-Underlay-ipv4] peer Spine enable
[server-leaf1-bgp-Underlay-ipv4] peer Spine allow-as-loop 2
[server-leaf1-bgp-Underlay-ipv4] quit
[server-leaf1-bgp-Underlay] quit
[server-leaf1] interface LoopBack0
[server-leaf1-LoopBack0] ip address 10.1.1.4 255.255.255.255
[server-leaf1-LoopBack0] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf1] interface LoopBack0
[server-leaf1-LoopBack0] ospf 1 area 0.0.0.0
[server-leaf1-LoopBack0] quit
Configure IS-IS
[server-leaf1] interface LoopBack0
[server-leaf1-LoopBack0] isis enable 1
[server-leaf1-LoopBack0] quit
Configure EBGP
[server-leaf1] bgp 501 instance Underlay
[server-leaf1-bgp-Underlay] address-family ipv4 unicast
[server-leaf1-bgp-Underlay-ipv4] network 10.1.1.4 255.255.255.255
[server-leaf1-bgp-Underlay-ipv4] quit
[server-leaf1-bgp-Underlay] quit
Configure IBGP
[server-leaf1] bgp 100
[server-leaf1-bgp-default] non-stop-routing
[server-leaf1-bgp-default] router-id 10.1.1.4
[server-leaf1-bgp-default] group evpn internal
[server-leaf1-bgp-default] peer evpn connect-interface Loopback0
[server-leaf1-bgp-default] peer 10.1.1.2 group evpn
[server-leaf1-bgp-default] peer 10.1.1.3 group evpn
[server-leaf1-bgp-default] address-family l2vpn evpn
[server-leaf1-bgp-default-evpn] peer evpn enable
[server-leaf1-bgp-default-evpn] quit
[server-leaf1-bgp-default] quit
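The configuration of the interface connected to Spine Border 1 is used as an example. Configure the interface connected to Spine Border 2 in the same way.
The configuration of the interface connected to the Spine depends on the Underlay routing protocol. Select one of OSPF, IS-IS, or EBGP to configure.
Configure OSPF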
[server-leaf1] interface HundredGigE1/0/25
[server-leaf1-HundredGigE1/0/25] port link-mode route
[server-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf1-HundredGigE1/0/25] ospf network-type p2p
[server-leaf1-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[server-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf1-HundredGigE1/0/25] quit
Configure IS-IS
[server-leaf1] interface HundredGigE1/0/25
[server-leaf1-HundredGigE1/0/25] port link-mode route
[server-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf1-HundredGigE1/0/25] isis enable 1
[server-leaf1-HundredGigE1/0/25] isis circuit-level level-2
[server-leaf1-HundredGigE1/0/25] isis circuit-type p2p
[server-leaf1-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
[server-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf1-HundredGigE1/0/25] quit
Configure EBGP
[server-leaf1] interface HundredGigE1/0/25
[server-leaf1-HundredGigE1/0/25] port link-mode route
[server-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack1
[server-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[server-leaf1-HundredGigE1/0/25] arp route-direct advertise
[server-leaf1-HundredGigE1/0/25] quit
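The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. It is recommended that the Global MAC address be in the range 0001-0001-0001 to 0001-0001-FFFE, or be chosen from the Available Global MAC of the two devices.
On S12500G/S12500X/S7500X/S10500X devices, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must have the same Global MAC address, and the Global MAC address must be unique across the entire network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.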
[server-leaf1] evpn global-mac 0001-0001-0002
Use the LoopBack0 interface address as the M-LAG real address. M-LAG single-homed access, M-LAG single-sided access, Type-5 routes and so on use this address.
[server-leaf1] evpn m-lag local 10.1.1.4 remote 10.1.1.5
(1) Configure the M-LAG virtual address.
[server-leaf1] interface LoopBack2
[server-leaf1-LoopBack2] ip address 10.20.1.4 255.255.255.255
[server-leaf1-LoopBack2] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf1] interface LoopBack2
[server-leaf1-LoopBack2] ospf 1 area 0.0.0.0
[server-leaf1-LoopBack2] quit
Configure IS-IS
[server-leaf1] interface LoopBack2
[server-leaf1-LoopBack2] isis enable 1
[server-leaf1-LoopBack2] isis circuit-level level-2
[server-leaf1-LoopBack2] quit
Configure EBGP
[server-leaf1] bgp 501 instance Underlay
[server-leaf1-bgp-Underlay] address-family ipv4 unicast
[server-leaf1-bgp-Underlay-ipv4] network 10.20.1.4 255.255.255.255
[server-leaf1-bgp-Underlay-ipv4] quit
[server-leaf1-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[server-leaf1] evpn m-lag group 10.20.1.4
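(1) All M-LAG devices in an M-LAG system must have the same system-mac, and it must be unique across the entire network. It is recommended to use the bridge MAC of either M-LAG device as the system-mac. Run the display lacp system-id command on the device to view its bridge MAC.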
[server-leaf1] m-lag system-mac 0002-0003-0002
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must have different system-numbers, for example 1 on one M-LAG device and 2 on the other.
[server-leaf1] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must have the same priority.
[server-leaf1] m-lag system-priority 10
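The M-LAG identity rules stated in this section (same Global MAC, system-mac, system-priority and virtual address on both members, different system-number, and network-wide uniqueness of the Global MAC and system-mac) can be checked before onboarding. The following is an added example, not part of the original guide or of any H3C tool: it compares the command lists of two members and looks for reuse across M-LAG systems. It goes slightly beyond the text by also checking that the evpn m-lag local/remote addresses of the two members mirror each other. The server-leaf1 values come from this page; the server-leaf2 lists, the second M-LAG system and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Strips CLI prompts such as "[server-leaf1] " or "<server-leaf1> ".
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")
PATTERNS = {
    "evpn global-mac": r"evpn global-mac (\S+)$",
    "evpn m-lag group": r"evpn m-lag group (\S+)$",
    "evpn m-lag local": r"evpn m-lag local (\S+) remote (\S+)$",
    "m-lag system-mac": r"m-lag system-mac (\S+)$",
    "m-lag system-number": r"m-lag system-number (\d+)$",
    "m-lag system-priority": r"m-lag system-priority (\d+)$",
}
# Must be identical on both members of one M-LAG system.
MUST_MATCH = ("evpn global-mac", "evpn m-lag group",
              "m-lag system-mac", "m-lag system-priority")
# Must not be shared between different M-LAG systems.
NETWORK_UNIQUE = ("evpn global-mac", "m-lag system-mac")


def parse_mlag(config_text):
    """Return the M-LAG identity settings found in one device's command list."""
    found = {}
    for raw in config_text.splitlines():
        cmd = PROMPT.sub("", raw).strip()
        for key, pattern in PATTERNS.items():
            m = re.match(pattern, cmd)
            if m:
                values = tuple(v.lower() for v in m.groups())
                found[key] = values[0] if len(values) == 1 else values
    return found


def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Compare the two members of one M-LAG system; return a list of problems."""
    a, b = parse_mlag(cfg_a), parse_mlag(cfg_b)
    issues = []
    for name, cfg in ((name_a, a), (name_b, b)):
        issues += [f"{name}: '{key}' is missing" for key in PATTERNS if key not in cfg]
    for key in MUST_MATCH:
        if key in a and key in b and a[key] != b[key]:
            issues.append(f"'{key}' must be identical: {name_a}={a[key]}, {name_b}={b[key]}")
    key = "m-lag system-number"
    if key in a and key in b and a[key] == b[key]:
        issues.append(f"'{key}' must differ: both devices use {a[key]}")
    key = "evpn m-lag local"
    if key in a and key in b and a[key] != b[key][::-1]:
        issues.append(f"'{key}' is not mirrored: {name_a}={a[key]}, {name_b}={b[key]}")
    return issues


def check_network_unique(systems):
    """systems maps an M-LAG system name to the command list of one member."""
    issues = []
    for key in NETWORK_UNIQUE:
        owners = defaultdict(list)
        for system, cfg in systems.items():
            value = parse_mlag(cfg).get(key)
            if value:
                owners[value].append(system)
        issues += [f"'{key}' {value} is reused by {', '.join(names)}"
                   for value, names in owners.items() if len(names) > 1]
    return issues


# server-leaf1 uses the values shown on this page.
LEAF1 = """\
[server-leaf1] evpn global-mac 0001-0001-0002
[server-leaf1] evpn m-lag local 10.1.1.4 remote 10.1.1.5
[server-leaf1] evpn m-lag group 10.20.1.4
[server-leaf1] m-lag system-mac 0002-0003-0002
[server-leaf1] m-lag system-number 2
[server-leaf1] m-lag system-priority 10
"""
# Constructed peer that follows the rules.
LEAF2_OK = (LEAF1.replace("server-leaf1", "server-leaf2")
            .replace("local 10.1.1.4 remote 10.1.1.5", "local 10.1.1.5 remote 10.1.1.4")
            .replace("system-number 2", "system-number 1"))
# Constructed peer with two mistakes: duplicate system-number, different priority.
LEAF2_BAD = (LEAF2_OK.replace("system-number 1", "system-number 2")
             .replace("system-priority 10", "system-priority 20"))
# Constructed second M-LAG system that wrongly reuses the Global MAC.
OTHER_SYSTEM = LEAF1.replace("0002-0003-0002", "0002-0003-0009")

if __name__ == "__main__":
    for issue in check_pair("server-leaf1", LEAF1, "server-leaf2", LEAF2_BAD):
        print(issue)
    for issue in check_network_unique({"leaf-pair-1": LEAF1, "leaf-pair-2": OTHER_SYSTEM}):
        print(issue)
```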
(1) Create VLANs.
[server-leaf1] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[server-leaf1] interface Bridge-Aggregation1
[server-leaf1-Bridge-Aggregation1] port link-type trunk
[server-leaf1-Bridge-Aggregation1] port trunk permit vlan all
[server-leaf1-Bridge-Aggregation1] port trunk pvid vlan 4094
[server-leaf1-Bridge-Aggregation1] link-aggregation mode dynamic
[server-leaf1-Bridge-Aggregation1] port m-lag peer-link 1
[server-leaf1-Bridge-Aggregation1] undo mac-address static source-check enable
[server-leaf1-Bridge-Aggregation1] quit
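On S12500X devices, the undo mac-address static source-check enable command does not need to be configured on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: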
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[server-leaf1] interface Ten-GigabitEthernet1/0/9
[server-leaf1-Ten-GigabitEthernet1/0/9] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/9] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/9] port trunk permit vlan all
[server-leaf1-Ten-GigabitEthernet1/0/9] port trunk pvid vlan 4094
[server-leaf1-Ten-GigabitEthernet1/0/9] port link-aggregation group 1
[server-leaf1-Ten-GigabitEthernet1/0/9] quit
(4) Configure peer-link physical interface 2.
[server-leaf1] interface Ten-GigabitEthernet1/0/30
[server-leaf1-Ten-GigabitEthernet1/0/30] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/30] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/30] port trunk permit vlan all
[server-leaf1-Ten-GigabitEthernet1/0/30] port trunk pvid vlan 4094
[server-leaf1-Ten-GigabitEthernet1/0/30] port link-aggregation group 1
[server-leaf1-Ten-GigabitEthernet1/0/30] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the link goes MAD UP only after the specified delay.
[server-leaf1] m-lag restore-delay 180
(2) Configure the VPN.
[server-leaf1] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[server-leaf1] interface HundredGigE1/0/30
[server-leaf1-HundredGigE1/0/30] port link-mode route
[server-leaf1-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[server-leaf1-HundredGigE1/0/30] ip address 10.10.1.5 255.255.255.252
[server-leaf1-HundredGigE1/0/30] quit
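(4) Configure the M-LAG MAD whitelist.
Except for the M-LAG peer-link interface, the MAD interface, and interfaces that are to be added to a service loopback group, all other physical interfaces must be added to the whitelist.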
[server-leaf1] m-lag mad default-action none
[server-leaf1] m-lag keepalive ip destination 10.10.1.6 source 10.10.1.5 vpn-instance auto-online-mlag
[server-leaf1] m-lag mad include interface FortyGigE1/3/0/2
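…omitted…
When the uplink interface of device 1 and the downlink interface of device 2 go DOWN at the same time, traffic from the downlink interface of device 1 reaches the uplink interface of device 2 through the escape path over the peer-link, so connectivity with other devices is maintained.
It is recommended to use the PVID VLAN of the peer-link interface as the escape VLAN.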
[server-leaf1] interface Vlan-interface4094
[server-leaf1-Vlan-interface4094] ip address 10.30.1.5 255.255.255.252
[server-leaf1-Vlan-interface4094] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf1] interface Vlan-interface4094
[server-leaf1-Vlan-interface4094] ospf 1 area 0.0.0.0
[server-leaf1-Vlan-interface4094] quit
Configure IS-IS
[server-leaf1] interface Vlan-interface4094
[server-leaf1-Vlan-interface4094] isis enable 1
[server-leaf1-Vlan-interface4094] quit
Configure EBGP
[server-leaf1] route-policy ibgpsurvive permit node 100
[server-leaf1-route-policy-ibgpsurvive-100] apply local-preference 0
[server-leaf1-route-policy-ibgpsurvive-100] quit
[server-leaf1] bgp 501 instance Underlay
[server-leaf1-bgp-Underlay] peer 10.30.1.6 as-number 501
[server-leaf1-bgp-Underlay] address-family ipv4 unicast
[server-leaf1-bgp-Underlay-ipv4] network 10.30.1.5 255.255.255.252
[server-leaf1-bgp-Underlay-ipv4] peer 10.30.1.6 route-policy ibgpsurvive export
[server-leaf1-bgp-Underlay-ipv4] peer 10.30.1.6 next-hop-local
[server-leaf1-bgp-Underlay-ipv4] quit
[server-leaf1-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On non-S12500X devices, configure the following command:
[server-leaf1] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
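· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: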
[server-leaf1] l2vpn m-lag peer-link tunnel source 10.1.1.4 destination 10.1.1.5
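To forward VXLAN packets correctly in single-homed access networking, where the tunnel source address is the M-LAG real address, default decapsulation must be configured.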
[server-leaf1] vxlan default-decapsulation source interface LoopBack0
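The automatic recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. For chassis devices such as the S12500G/S12500X/S10500X/S7500X, the reference value is 600 seconds. For box devices such as the S68XX, the reference value is 300 seconds. Configure it as follows: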
[server-leaf1] m-lag auto-recovery reload-delay 600
[server-leaf1] interface Bridge-Aggregation256
[server-leaf1-Bridge-Aggregation256] port link-type trunk
[server-leaf1-Bridge-Aggregation256] undo port trunk permit vlan 1
[server-leaf1-Bridge-Aggregation256] link-aggregation mode dynamic
[server-leaf1-Bridge-Aggregation256] port m-lag group 3
[server-leaf1-Bridge-Aggregation256] quit
[server-leaf1] interface Ten-GigabitEthernet1/0/11
[server-leaf1-Ten-GigabitEthernet1/0/11] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/11] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/11] undo port trunk permit vlan 1
[server-leaf1-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[server-leaf1-Ten-GigabitEthernet1/0/11] quit
(1) Configure the physical interface connected to the active/standby links of Server 2.
[server-leaf1] interface Ten-GigabitEthernet1/0/12
[server-leaf1-Ten-GigabitEthernet1/0/12] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/12] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/12] undo port trunk permit vlan 1
[server-leaf1-Ten-GigabitEthernet1/0/12] quit
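(2) Configure evpn m-lag local. Because the Server Leaf connects to Server 2 over active/standby links, the two devices in the M-LAG system have different single-homed ACs, that is, a given AC exists only on device 1 or only on device 2. Routes learned from a single-homed AC use the M-LAG real address as the next hop.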
[server-leaf1] evpn m-lag local 10.1.1.4 remote 10.1.1.5
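· When M-LAG active/standby links are used, enable "Automatically deploy active/standby AC link configuration" on the [Automation > Data Center Networks > Fabrics > Parameter Settings > Controller Global Settings] page of the controller. Only then does the controller deploy the configuration to both M-LAG devices at the same time.
· When M-LAG active/standby links are used, configure the controller so that LLDP packets are sent to it: go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, open the settings page of the specified Fabric, click the [Settings] tab, and select "Send LLDP to controller" under the LLDP parameters.
· When M-LAG active/standby links are used, enable LLDP on the server. If LLDP cannot be enabled on the server, configure the link information on the controller: after the controller has taken over management of the Server-Leaf, go to the [Automation > Data Center Networks > Fabrics > Link Management] page, click the [Server Links] tab, and add the primary link and backup link information. The primary and backup link information must use the same system name, and the system name must be globally unique.
On M-LAG devices with single-homed access, set the MAC address aging time to 26 minutes.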
[server-leaf1] mac-address timer aging 1560
[server-leaf1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
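(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions area for fabric1, then click the "Switching Devices" tab to open the switching device configuration page for fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
¡ Device name: server-leaf1.
¡ Basic information:
- Fabric: fabric1. Do not use the controller's default fabric, DEFAULTFABRIC.
- Device type: Access device.
- Management IP: 192.168.11.4.
- VTEP IP: 10.1.1.4.
- Preferred region: region1.
- Device role: Leaf.
- Configure the other parameters as required by the network. This example uses the default settings.
Figure 28 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. The password must be complex and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure the other parameters as required by the network. This example uses the default settings.
Figure 29 Adding a switching device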

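(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 30 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN that the management interface of the switching device belongs to. This example uses mgmt.
¡ Configure the other parameters as required by the network. This example uses the default settings.
Figure 31 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as required by the network. This example uses the default settings.
Figure 32 Advanced settings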

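(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.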
<server-leaf2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<server-leaf2> reboot force
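After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ between switch models, as follows:
S12500G-AF T series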
[server-leaf2] hardware-resource tcam normal
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw
S12500X
[server-leaf2] hardware-resource tcam routing
[server-leaf2] hardware-resource vxlan normal
[server-leaf2] hardware-resource mcast normal
[server-leaf2] hardware-resource scale-rt-prefix none
[server-leaf2] hardware-resource mpls normal
[server-leaf2] hardware-resource parser normal
S6800
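When an S6800 acts as a Leaf or Border, configure its hardware resources according to the services it carries. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".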
[server-leaf2] hardware-resource switch-mode 4
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw40k
S6860
[server-leaf2] hardware-resource switch-mode 4
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw24k
S6850/S9850/S6825/S6805
[server-leaf2] hardware-resource switch-mode DUAL-STACK
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw
S10500X
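On the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
(1) Modify the interface module parameter, using slot 0 as an example.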
[server-leaf2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Modify the MPU parameter, using slot 6 as an example.
[server-leaf2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
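On the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
Modify the interface module parameter, using slot 2 as an example.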
[server-leaf2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S6520X/S5560X/S6812/S6813/S6880
[server-leaf2] switch-mode 1
Reboot device to make the configuration take effect.
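S12500G-AF S series
On the S12500G-AF S series, the hardware resource parameter switch-mode must be normal (view the configured value with the display switch-mode status command), and system-working-mode must be expert (view the configured value with the display system-working-mode command). Both switch-mode and system-working-mode can be changed with the following commands, and the change takes effect after a reboot.
Slot 3 is used as an example.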
[server-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
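On the S10506X-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.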
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
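On the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.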
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9820-8M
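On the S9820-8M, the hardware resource parameter switch-mode must be vxlan. Use the display switch-mode status command to view the configured value. If switch-mode is not vxlan, use the switch-mode command to change it to vxlan. The change takes effect after a reboot.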
[server-leaf2] switch-mode 1
Reboot device to make the configuration take effect.
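S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be normal (view the configured value with the display switch-mode status command), and system-working-mode must be expert (view the configured value with the display system-working-mode command). Both switch-mode and system-working-mode can be changed with the following commands, and the change takes effect after a reboot.
Slot 3 is used as an example.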
[server-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
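On the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.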
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
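On the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.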
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
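On the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications, not in functionality. It is recommended to keep the default value and to use the same mode on both ends. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view the configured value with the display hardware-resource routing-mode command) and hardware-resource vxlan to L3GW (view the configured value with the display hardware-resource vxlan command). These parameters can be changed with the following commands, and the change takes effect after a reboot.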
[server-leaf2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
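On the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING (view the configured value with the display hardware-resource switch-mode command), hardware-resource routing-mode to ipv6-128 (view the configured value with the display hardware-resource routing-mode command), and hardware-resource vxlan to L3GW (view the configured value with the display hardware-resource vxlan command). These parameters can be changed with the following commands, and the change takes effect after a reboot.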
[server-leaf2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[server-leaf2] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[server-leaf2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[server-leaf2] interface M-GigabitEthernet1/0/0/2
[server-leaf2-M-GigabitEthernet1/0/0/2] ip binding vpn-instance mgmt
[server-leaf2-M-GigabitEthernet1/0/0/2] ip address 192.168.11.5 255.255.255.0
[server-leaf2-M-GigabitEthernet1/0/0/2] quit
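(4) Configure the management user. This example uses admin as the username and Qwert@1234 as the password. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured. Otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".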
[server-leaf2] local-user admin class manage
[server-leaf2-luser-manage-admin] password simple Qwert@1234
[server-leaf2-luser-manage-admin] service-type https ssh
[server-leaf2-luser-manage-admin] authorization-attribute user-role network-admin
[server-leaf2-luser-manage-admin] authorization-attribute user-role network-operator
[server-leaf2-luser-manage-admin] quit
(5) Configure the VTY lines.
[server-leaf2] line vty 0 63
[server-leaf2-line-vty0-63] authentication-mode scheme
[server-leaf2-line-vty0-63] user-role network-admin
[server-leaf2-line-vty0-63] user-role network-operator
[server-leaf2-line-vty0-63] quit
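(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".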
[server-leaf2] netconf soap https enable
[server-leaf2] netconf ssh server enable
(7) Enable the SSH service.
[server-leaf2] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses the NTP server IP address 192.168.10.101.
[server-leaf2] ntp-service enable
[server-leaf2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[server-leaf2] snmp-agent
[server-leaf2] snmp-agent community write private
[server-leaf2] snmp-agent community read public
[server-leaf2] snmp-agent sys-info version all
[server-leaf2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[server-leaf2] lldp global enable
(1) Enable L2VPN on the device.
[server-leaf2] l2vpn enable
(2) Disable learning of MAC, ARP, and ND entries from VXLAN tunnels.
[server-leaf2] vxlan tunnel mac-learning disable
[server-leaf2] vxlan tunnel arp-learning disable
[server-leaf2] vxlan tunnel nd-learning disable
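To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF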
[server-leaf2] ospf 1 router-id 192.168.11.5
[server-leaf2-ospf-1] non-stop-routing
[server-leaf2-ospf-1] area 0.0.0.0
[server-leaf2-ospf-1] quit
Configure IS-IS
[server-leaf2] isis 1
[server-leaf2-isis-1] non-stop-routing
[server-leaf2-isis-1] is-level level-2
[server-leaf2-isis-1] is-name user1
[server-leaf2-isis-1] network-entity 86.4713.0021.0100.0400.1005.00
[server-leaf2-isis-1] address-family ipv4 unicast
[server-leaf2-isis-1-ipv4] maximum load-balancing 4
[server-leaf2-isis-1-ipv4] quit
[server-leaf2-isis-1] quit
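Configure EBGP
The two Spine Border or Spine devices use AS number 500, and the four devices in the Leaf role use AS number 501. EBGP peer relationships are established between the Spine Border or Spine devices and the Leaf devices.
Underlay EBGP uses the address of interface LoopBack1 as the source address.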
[server-leaf2] interface LoopBack1
[server-leaf2-LoopBack1] ip address 4.1.1.4 255.255.255.255
[server-leaf2-LoopBack1] quit
[server-leaf2] bgp 501 instance Underlay
[server-leaf2-bgp-Underlay] non-stop-routing
[server-leaf2-bgp-Underlay] router-id 4.1.1.4
[server-leaf2-bgp-Underlay] group Spine external
[server-leaf2-bgp-Underlay] peer Spine as-number 500
[server-leaf2-bgp-Underlay] peer Spine ebgp-max-hop 2
[server-leaf2-bgp-Underlay] peer Spine connect-interface Loopback1
[server-leaf2-bgp-Underlay] peer 4.1.1.1 group Spine
[server-leaf2-bgp-Underlay] peer 4.1.1.2 group Spine
[server-leaf2-bgp-Underlay] address-family ipv4 unicast
[server-leaf2-bgp-Underlay-ipv4] balance 4
[server-leaf2-bgp-Underlay-ipv4] peer Spine enable
[server-leaf2-bgp-Underlay-ipv4] peer spine allow-as-loop 2
[server-leaf2-bgp-Underlay-ipv4] quit
[server-leaf2-bgp-Underlay] quit
Configure the VTEP address
[server-leaf2] interface LoopBack0
[server-leaf2-LoopBack0] ip address 10.1.1.5 255.255.255.255
[server-leaf2-LoopBack0] quit
Choose one routing protocol to configure:
Configure OSPF
[server-leaf2] interface LoopBack0
[server-leaf2-LoopBack0] ospf 1 area 0.0.0.0
[server-leaf2-LoopBack0] quit
Configure IS-IS
[server-leaf2] interface LoopBack0
[server-leaf2-LoopBack0] isis enable 1
[server-leaf2-LoopBack0] quit
Configure EBGP
[server-leaf2] bgp 501 instance Underlay
[server-leaf2-bgp-Underlay] address-family ipv4 unicast
[server-leaf2-bgp-Underlay-ipv4] network 10.1.1.5 255.255.255.255
[server-leaf2-bgp-Underlay-ipv4] quit
[server-leaf2-bgp-Underlay] quit
Configure IBGP
[server-leaf2] bgp 100
[server-leaf2-bgp-default] non-stop-routing
[server-leaf2-bgp-default] router-id 10.1.1.5
[server-leaf2-bgp-default] group evpn internal
[server-leaf2-bgp-default] peer evpn connect-interface Loopback0
[server-leaf2-bgp-default] peer 10.1.1.2 group evpn
[server-leaf2-bgp-default] peer 10.1.1.3 group evpn
[server-leaf2-bgp-default] address-family l2vpn evpn
[server-leaf2-bgp-default-evpn] peer evpn enable
[server-leaf2-bgp-default-evpn] quit
[server-leaf2-bgp-default] quit
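The following uses the interface connected to Spine Border 1 as an example. Configure the interface connected to Spine Border 2 in the same way.
Choose one of OSPF, IS-IS, or EBGP to configure.
Configure OSPF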
[server-leaf2] interface HundredGigE1/0/25
[server-leaf2-HundredGigE1/0/25] port link-mode route
[server-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf2-HundredGigE1/0/25] ospf network-type p2p
[server-leaf2-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[server-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf2-HundredGigE1/0/25] quit
Configure IS-IS
[server-leaf2] interface HundredGigE1/0/25
[server-leaf2-HundredGigE1/0/25] port link-mode route
[server-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf2-HundredGigE1/0/25] isis enable 1
[server-leaf2-HundredGigE1/0/25] isis circuit-level level-2
[server-leaf2-HundredGigE1/0/25] isis circuit-type p2p
[server-leaf2-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
[server-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf2-HundredGigE1/0/25] quit
Configure EBGP
[server-leaf2] interface HundredGigE1/0/25
[server-leaf2-HundredGigE1/0/25] port link-mode route
[server-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack1
[server-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[server-leaf2-HundredGigE1/0/25] arp route-direct advertise
[server-leaf2-HundredGigE1/0/25] quit
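The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, select one from the Available Global MAC addresses of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe view to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.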
[server-leaf2] evpn global-mac 0001-0001-0002
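Use the address of interface LoopBack0 as the M-LAG real address. M-LAG single-homed access, M-LAG single-sided access, Type 5 routes, and so on use this address.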
[server-leaf2] evpn m-lag local 10.1.1.5 remote 10.1.1.4
(1) Configure the M-LAG virtual address.
[server-leaf2] interface LoopBack2
[server-leaf2-LoopBack2] ip address 10.20.1.4 255.255.255.255
[server-leaf2-LoopBack2] quit
Choose one routing protocol to configure:
Configure OSPF
[server-leaf2] interface LoopBack2
[server-leaf2-LoopBack2] ospf 1 area 0.0.0.0
[server-leaf2-LoopBack2] quit
Configure IS-IS
[server-leaf2] interface LoopBack2
[server-leaf2-LoopBack2] isis enable 1
[server-leaf2-LoopBack2] isis circuit-level level-2
[server-leaf2-LoopBack2] quit
Configure EBGP
[server-leaf2] bgp 501 instance Underlay
[server-leaf2-bgp-Underlay] address-family ipv4 unicast
[server-leaf2-bgp-Underlay-ipv4] network 10.20.1.4 255.255.255.255
[server-leaf2-bgp-Underlay-ipv4] quit
[server-leaf2-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[server-leaf2] evpn m-lag group 10.20.1.4
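(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. It is recommended to use the bridge MAC of either M-LAG device as the system-mac; run the display lacp system-id command on the device to view its bridge MAC.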
[server-leaf2] m-lag system-mac 0002-0003-0002
(2) Configure the M-LAG system-number. Note: The two M-LAG devices must use different system-number values. For example, one M-LAG device uses system-number 1 and the other uses system-number 2.
[server-leaf2] m-lag system-number 1
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[server-leaf2] m-lag system-priority 10
(1) Create VLANs.
[server-leaf2] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[server-leaf2] interface Bridge-Aggregation1
[server-leaf2-Bridge-Aggregation1] port link-type trunk
[server-leaf2-Bridge-Aggregation1] port trunk permit vlan all
[server-leaf2-Bridge-Aggregation1] port trunk pvid vlan 4094
[server-leaf2-Bridge-Aggregation1] link-aggregation mode dynamic
[server-leaf2-Bridge-Aggregation1] port m-lag peer-link 1
[server-leaf2-Bridge-Aggregation1] undo mac-address static source-check enable
[server-leaf2-Bridge-Aggregation1] quit
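On the S12500X, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On the S6800, a port isolation group must be configured on the peer-link aggregate interface, as follows: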
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[server-leaf2] interface Ten-GigabitEthernet1/0/9
[server-leaf2-Ten-GigabitEthernet1/0/9] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/9] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/9] port trunk permit vlan all
[server-leaf2-Ten-GigabitEthernet1/0/9] port trunk pvid vlan 4094
[server-leaf2-Ten-GigabitEthernet1/0/9] port link-aggregation group 1
[server-leaf2-Ten-GigabitEthernet1/0/9] quit
(4) Configure peer-link physical interface 2.
[server-leaf2] interface Ten-GigabitEthernet1/0/10
[server-leaf2-Ten-GigabitEthernet1/0/10] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/10] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/10] port trunk permit vlan all
[server-leaf2-Ten-GigabitEthernet1/0/10] port trunk pvid vlan 4094
[server-leaf2-Ten-GigabitEthernet1/0/10] port link-aggregation group 1
[server-leaf2-Ten-GigabitEthernet1/0/10] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the links go MAD UP only after the specified delay.
[server-leaf2] m-lag restore-delay 180
(2) Configure the VPN.
[server-leaf2] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[server-leaf2] interface HundredGigE1/0/30
[server-leaf2-HundredGigE1/0/30] port link-mode route
[server-leaf2-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[server-leaf2-HundredGigE1/0/30] ip address 10.10.1.6 255.255.255.252
[server-leaf2-HundredGigE1/0/30] quit
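(4) Configure the M-LAG MAD whitelist.
All physical interfaces must be added to the whitelist, except the M-LAG peer-link interfaces, the MAD interface, and interfaces that will be added to a service loopback group.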
[server-leaf2] m-lag mad default-action none
[server-leaf2] m-lag keepalive ip destination 10.10.1.5 source 10.10.1.6 vpn-instance auto-online-mlag
[server-leaf2] m-lag mad include interface FortyGigE1/3/0/2
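…(omitted)…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 are DOWN at the same time, traffic from the downlink interfaces of device 1 reaches the uplink interfaces of device 2 through the escape path over the peer-link, so connectivity with other devices is maintained.
It is recommended to use the PVID VLAN of the peer-link interface as the escape VLAN.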
[server-leaf2] interface Vlan-interface4094
[server-leaf2-Vlan-interface4094] ip address 10.30.1.6 255.255.255.252
[server-leaf2-Vlan-interface4094] quit
Choose one routing protocol to configure:
Configure OSPF
[server-leaf2] interface Vlan-interface4094
[server-leaf2-Vlan-interface4094] ospf 1 area 0.0.0.0
[server-leaf2-Vlan-interface4094] quit
Configure IS-IS
[server-leaf2] interface Vlan-interface4094
[server-leaf2-Vlan-interface4094] isis enable 1
[server-leaf2-Vlan-interface4094] quit
Configure EBGP
[server-leaf2] route-policy ibgpsurvive permit node 100
[server-leaf2-route-policy-ibgpsurvive-100] apply local-preference 0
[server-leaf2-route-policy-ibgpsurvive-100] quit
[server-leaf2] bgp 501 instance Underlay
[server-leaf2-bgp-Underlay] peer 10.30.1.5 as-number 501
[server-leaf2-bgp-Underlay] address-family ipv4 unicast
[server-leaf2-bgp-Underlay-ipv4] network 10.30.1.6 255.255.255.252
[server-leaf2-bgp-Underlay-ipv4] peer 10.30.1.5 route-policy ibgpsurvive export
[server-leaf2-bgp-Underlay-ipv4] peer 10.30.1.5 next-hop-local
[server-leaf2-bgp-Underlay-ipv4] quit
[server-leaf2-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[server-leaf2] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
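· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: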
[server-leaf2] l2vpn m-lag peer-link tunnel source 10.1.1.5 destination 10.1.1.4
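VXLAN packets in single-homed access networking use the M-LAG real address as the tunnel source address. For these packets to be forwarded properly, default decapsulation must be configured.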
[server-leaf2] vxlan default-decapsulation source interface LoopBack0
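The auto-recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. The reference value is 600 seconds for chassis-based devices such as the S12500G/S12500X/S10500X/S7500X, and 300 seconds for box-type devices such as the S68XX. Configure it as follows: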
[server-leaf2] m-lag auto-recovery reload-delay 600
[server-leaf2] interface Bridge-Aggregation256
[server-leaf2-Bridge-Aggregation256] port link-type trunk
[server-leaf2-Bridge-Aggregation256] undo port trunk permit vlan 1
[server-leaf2-Bridge-Aggregation256] link-aggregation mode dynamic
[server-leaf2-Bridge-Aggregation256] port m-lag group 3
[server-leaf2-Bridge-Aggregation256] quit
[server-leaf2] interface Ten-GigabitEthernet1/0/11
[server-leaf2-Ten-GigabitEthernet1/0/11] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/11] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/11] undo port trunk permit vlan 1
[server-leaf2-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[server-leaf2-Ten-GigabitEthernet1/0/11] quit
(1) Configure the physical interface connected to the active/standby links of Server 2.
[server-leaf2] interface Ten-GigabitEthernet1/0/12
[server-leaf2-Ten-GigabitEthernet1/0/12] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/12] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/12] undo port trunk permit vlan 1
[server-leaf2-Ten-GigabitEthernet1/0/12] quit
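(2) Configure evpn m-lag local. Because the Server Leaf connects to the active/standby links of Server 2, the two devices in the M-LAG system have different single-homed ACs, that is, a given AC exists only on device 1 or only on device 2. Routes learned from single-homed ACs use the M-LAG real address as the next hop.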
[server-leaf2] evpn m-lag local 10.1.1.5 remote 10.1.1.4
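· When M-LAG active/standby links are used, enable "Automatically deploy active/standby AC link configuration" on the [Automation > Data Center Networks > Fabrics > Parameter Settings > Controller Global Settings] page of the controller. Only then does the controller deploy configuration to both M-LAG devices at the same time.
· When M-LAG active/standby links are used, configure the controller so that LLDP packets are sent to it: go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, open the settings page of the specified Fabric, click the [Settings] tab, and select "Send LLDP to controller" under the LLDP parameters.
· When M-LAG active/standby links are used, LLDP must be enabled on the server. If LLDP cannot be enabled on the server, configure the link information on the controller: after the controller has taken the Server-Leaf under management, go to the [Automation > Data Center Networks > Fabrics > Link Management] page, click the [Server Links] tab, and add the primary link information and the backup link information. The primary and backup link entries must have the same system name, and that name must be globally unique.
On M-LAG devices with single-homed access, set the MAC address aging time to 26 minutes.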
[server-leaf2] mac-address timer aging 1560
[server-leaf2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
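(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions area for fabric1, and then click the "Switching Devices" tab to open the switching device configuration page for fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Information" tab:
¡ Device name: server-leaf2.
¡ Basic information:
- Fabric: fabric1. Do not use the controller's default Fabric, DEFAULTFABRIC.
- Device type: access device.
- Management IP: 192.168.11.5.
- VTEP IP: 10.1.1.5.
- Preferred region: region1.
- Device role: Leaf.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 33 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 34 Adding a switching device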

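(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 35 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN to which the management interface of the switching device belongs. This example uses mgmt.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 36 Configuring OpenFlow
(6) Click the "Advanced" tab and configure advanced parameters as required by the network. This example uses the default settings.
Figure 37 Advanced settings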

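(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.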
<service-leaf1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<service-leaf1> reboot force
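After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G-AF T series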
[service-leaf1] hardware-resource tcam normal
[service-leaf1] hardware-resource routing-mode ipv6-128
[service-leaf1] hardware-resource vxlan l3gw
S12500X
[service-leaf1] hardware-resource tcam routing
[service-leaf1] hardware-resource vxlan normal
[service-leaf1] hardware-resource mcast normal
[service-leaf1] hardware-resource scale-rt-prefix none
[service-leaf1] hardware-resource mpls normal
[service-leaf1] hardware-resource parser normal
S6800
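When the S6800 works as a Leaf or Border, configure the hardware resources according to the services in use. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".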
[service-leaf1] hardware-resource switch-mode 4
[service-leaf1] hardware-resource routing-mode ipv6-128
[service-leaf1] hardware-resource vxlan l3gw40k
S6860
[service-leaf1] hardware-resource switch-mode 4
[service-leaf1] hardware-resource routing-mode ipv6-128
[service-leaf1] hardware-resource vxlan l3gw24k
[service-leaf1] hardware-resource switch-mode DUAL-STACK
[service-leaf1] hardware-resource routing-mode ipv6-128
[service-leaf1] hardware-resource vxlan l3gw
S10500X
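For the S10500X, the hardware resource parameter switch-mode must use its default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to check the configured value. If switch-mode is not at its default value, use the switch-mode command to restore the default; the change takes effect after a reboot.
(1) Change the interface module setting. This example uses slot 0.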
[service-leaf1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU setting. This example uses slot 6.
[service-leaf1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
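For the S7500X, the hardware resource parameter switch-mode must use its default value. The default switch-mode for interface modules is mix-bridging-routing; switch-mode does not need to be set on MPUs. Use the display switch-mode status command to check the configured value. If switch-mode is not at its default value, use the switch-mode command to restore the default; the change takes effect after a reboot.
Change the interface module setting. This example uses slot 2.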
[service-leaf1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
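S12500G-AF S series
For the S12500G-AF S series, the hardware resource parameter switch-mode must be set to normal (check the configured value with the display switch-mode status command), and system-working-mode must be set to expert (check with the display system-working-mode command). Use the following commands to change switch-mode and system-working-mode; the changes take effect after a reboot.
This example uses slot 3.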
[service-leaf1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[service-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
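For the S10506X-G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status command to check the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.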
[service-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
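For the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status slot command to check the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.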
[service-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
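S12500G S series/S9820-4C-G/S12500CR
For the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be set to normal (check the configured value with the display switch-mode status command), and system-working-mode must be set to expert (check with the display system-working-mode command). Use the following commands to change switch-mode and system-working-mode; the changes take effect after a reboot.
This example uses slot 3.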
[service-leaf1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[service-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
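For the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status command to check the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.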
[service-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
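For the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status slot command to check the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.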
[service-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
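For the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications and have no functional impact. It is recommended to keep the default value and to use the same mode on both ends. Check the configured value with the display hardware-resource switch-mode command. Set hardware-resource routing-mode to ipv6-128 (check with the display hardware-resource routing-mode command), and set hardware-resource vxlan to L3GW (check with the display hardware-resource vxlan command). Use the following commands to change the values; the changes take effect after a reboot.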
[service-leaf1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
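For the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING (check the configured value with the display hardware-resource switch-mode command), set hardware-resource routing-mode to ipv6-128 (check with the display hardware-resource routing-mode command), and set hardware-resource vxlan to L3GW (check with the display hardware-resource vxlan command). Use the following commands to change the values; the changes take effect after a reboot.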
[service-leaf1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[service-leaf1] ip vpn-instance mgmt
(2) Configure the default route for the management network, with the gateway address of the management switch as the next hop.
[service-leaf1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[service-leaf1] interface M-GigabitEthernet0/0/0
[service-leaf1-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[service-leaf1-M-GigabitEthernet0/0/0] ip address 192.168.11.6 255.255.255.0
[service-leaf1-M-GigabitEthernet0/0/0] quit
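(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".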
[service-leaf1] local-user admin class manage
[service-leaf1-luser-manage-admin] password simple Qwert@1234
[service-leaf1-luser-manage-admin] service-type https ssh
[service-leaf1-luser-manage-admin] authorization-attribute user-role network-admin
[service-leaf1-luser-manage-admin] authorization-attribute user-role network-operator
[service-leaf1-luser-manage-admin] quit
(5) Configure the VTY lines.
[service-leaf1] line vty 0 63
[service-leaf1-line-vty0-63] authentication-mode scheme
[service-leaf1-line-vty0-63] user-role network-admin
[service-leaf1-line-vty0-63] user-role network-operator
[service-leaf1-line-vty0-63] quit
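(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".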
[service-leaf1] netconf soap https enable
[service-leaf1] netconf ssh server enable
(7) Enable the SSH service.
[service-leaf1] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses the NTP server IP address 192.168.10.101.
[service-leaf1] ntp-service enable
[service-leaf1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[service-leaf1] snmp-agent
[service-leaf1] snmp-agent community write private
[service-leaf1] snmp-agent community read public
[service-leaf1] snmp-agent sys-info version all
[service-leaf1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[service-leaf1] lldp global enable
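The management-user, SNMP, and IS-IS interface authentication steps in this guide use example credentials (Qwert@1234, public/private, 123456) and enable every SNMP version. The following added example, which is not part of the original manual, audits a pre-configuration command list before it is applied to a device. It assumes the input is the commands as typed (with or without prompts), not a saved configuration; the rule names and sample lines are constructed for illustration.

```python
import re

# Example secrets printed in this guide; anyone can read them in the manual.
DOCUMENTED_SECRETS = {"Qwert@1234", "123456"}
# Community strings used in the guide, which are also the well-known defaults.
DEFAULT_COMMUNITIES = {"public", "private"}
# Strips a leading "[Sysname-view]" or "<Sysname>" prompt from a pasted session.
PROMPT = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")


def char_classes(secret):
    """Count the character types the guide lists for complex passwords."""
    patterns = (r"\d", r"[A-Z]", r"[a-z]", r"[^0-9A-Za-z]")
    return sum(bool(re.search(p, secret)) for p in patterns)


def audit(text):
    """Return (line_number, rule_id, message) tuples; secrets are never echoed."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = PROMPT.sub("", raw).strip()

        m = re.match(r"snmp-agent community (read|write) (\S+)", line)
        if m and m.group(2) in DEFAULT_COMMUNITIES:
            findings.append((no, "snmp-default-community",
                             f"{m.group(1)} community is a well-known default"))

        m = re.match(r"snmp-agent sys-info version (.+)", line)
        if m and {"all", "v1", "v2c"} & set(m.group(1).split()):
            findings.append((no, "snmp-cleartext-version",
                             "SNMPv1/v2c enabled; community strings are sent in cleartext"))

        m = re.match(r"password simple (\S+)", line)
        if m:
            if m.group(1) in DOCUMENTED_SECRETS:
                findings.append((no, "documented-password",
                                 "password is the example value from the guide"))
            elif char_classes(m.group(1)) < 2:
                findings.append((no, "weak-password",
                                 "password has fewer than two character types"))

        m = re.match(r"isis authentication-mode md5 simple (\S+)", line)
        if m and m.group(1) in DOCUMENTED_SECRETS:
            findings.append((no, "documented-isis-key",
                             "IS-IS key is the example value from the guide"))
    return findings


# Commands copied from the service-leaf1 steps in this guide.
GUIDE_SAMPLE = """\
[service-leaf1-luser-manage-admin] password simple Qwert@1234
[service-leaf1] snmp-agent
[service-leaf1] snmp-agent community write private
[service-leaf1] snmp-agent community read public
[service-leaf1] snmp-agent sys-info version all
[service-leaf1-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
"""

# Constructed sample: site-specific secrets and SNMPv3 only.
HARDENED_SAMPLE = """\
[leaf-luser-manage-netops] password simple t7#Vq2!mZx9$Lp
[leaf] snmp-agent community read Rd-9f3c1a7e52
[leaf] snmp-agent sys-info version v3
"""

if __name__ == "__main__":
    for no, rule, msg in audit(GUIDE_SAMPLE):
        print(f"line {no}: {rule}: {msg}")
```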
(1) Enable L2VPN on the device.
[service-leaf1] l2vpn enable
(2) Disable learning of MAC, ARP, and ND entries from VXLAN tunnels.
[service-leaf1] vxlan tunnel mac-learning disable
[service-leaf1] vxlan tunnel arp-learning disable
[service-leaf1] vxlan tunnel nd-learning disable
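To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF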
[service-leaf1] ospf 1 router-id 192.168.11.6
[service-leaf1-ospf-1] non-stop-routing
[service-leaf1-ospf-1] area 0.0.0.0
[service-leaf1-ospf-1] quit
Configure IS-IS
[service-leaf1] isis 1
[service-leaf1-isis-1] non-stop-routing
[service-leaf1-isis-1] is-level level-2
[service-leaf1-isis-1] is-name user1
[service-leaf1-isis-1] network-entity 86.4713.0021.0100.0400.1006.00
[service-leaf1-isis-1] address-family ipv4 unicast
[service-leaf1-isis-1-ipv4] maximum load-balancing 4
[service-leaf1-isis-1-ipv4] quit
[service-leaf1-isis-1] quit
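Configure EBGP
The two Spine Border or Spine devices use AS number 500, and the four devices in the Leaf role use AS number 501. EBGP peer relationships are established between the Spine Border or Spine devices and the Leaf devices.
Underlay EBGP uses the address of interface LoopBack1 as the source address.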
[service-leaf1] interface LoopBack1
[service-leaf1-LoopBack1] ip address 4.1.1.5 255.255.255.255
[service-leaf1-LoopBack1] quit
[service-leaf1] bgp 501 instance Underlay
[service-leaf1-bgp-Underlay] non-stop-routing
[service-leaf1-bgp-Underlay] router-id 4.1.1.5
[service-leaf1-bgp-Underlay] group Spine external
[service-leaf1-bgp-Underlay] peer Spine as-number 500
[service-leaf1-bgp-Underlay] peer Spine ebgp-max-hop 2
[service-leaf1-bgp-Underlay] peer Spine connect-interface Loopback1
[service-leaf1-bgp-Underlay] peer 4.1.1.1 group Spine
[service-leaf1-bgp-Underlay] peer 4.1.1.2 group Spine
[service-leaf1-bgp-Underlay] address-family ipv4 unicast
[service-leaf1-bgp-Underlay-ipv4] balance 4
[service-leaf1-bgp-Underlay-ipv4] peer Spine enable
[service-leaf1-bgp-Underlay-ipv4] peer spine allow-as-loop 2
[service-leaf1-bgp-Underlay-ipv4] quit
[service-leaf1-bgp-Underlay] quit
[service-leaf1] interface LoopBack0
[service-leaf1-LoopBack0] ip address 10.1.1.6 255.255.255.255
[service-leaf1-LoopBack0] quit
Choose one routing protocol to configure:
Configure OSPF
[service-leaf1] interface LoopBack0
[service-leaf1-LoopBack0] ospf 1 area 0.0.0.0
[service-leaf1-LoopBack0] quit
Configure IS-IS
[service-leaf1] interface LoopBack0
[service-leaf1-LoopBack0] isis enable 1
[service-leaf1-LoopBack0] quit
Configure EBGP
[service-leaf1] bgp 501 instance Underlay
[service-leaf1-bgp-Underlay] address-family ipv4 unicast
[service-leaf1-bgp-Underlay-ipv4] network 10.1.1.6 255.255.255.255
[service-leaf1-bgp-Underlay-ipv4] quit
[service-leaf1-bgp-Underlay] quit
Configure IBGP
[service-leaf1] bgp 100
[service-leaf1-bgp-default] non-stop-routing
[service-leaf1-bgp-default] router-id 10.1.1.6
[service-leaf1-bgp-default] group evpn internal
[service-leaf1-bgp-default] peer evpn connect-interface Loopback0
[service-leaf1-bgp-default] peer 10.1.1.2 group evpn
[service-leaf1-bgp-default] peer 10.1.1.3 group evpn
[service-leaf1-bgp-default] address-family l2vpn evpn
[service-leaf1-bgp-default-evpn] peer evpn enable
[service-leaf1-bgp-default-evpn] quit
[service-leaf1-bgp-default] quit
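The following uses the interface connected to Spine Border 1 as an example. Configure the interface connected to Spine Border 2 in the same way.
Choose one of OSPF, IS-IS, or EBGP to configure.
Configure OSPF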
[service-leaf1] interface HundredGigE1/0/25
[service-leaf1-HundredGigE1/0/25] port link-mode route
[service-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[service-leaf1-HundredGigE1/0/25] ospf network-type p2p
[service-leaf1-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[service-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[service-leaf1-HundredGigE1/0/25] quit
Configure IS-IS
[service-leaf1] interface HundredGigE1/0/25
[service-leaf1-HundredGigE1/0/25] port link-mode route
[service-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[service-leaf1-HundredGigE1/0/25] isis enable 1
[service-leaf1-HundredGigE1/0/25] isis circuit-level level-2
[service-leaf1-HundredGigE1/0/25] isis circuit-type p2p
[service-leaf1-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
[service-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[service-leaf1-HundredGigE1/0/25] quit
Configure EBGP
[service-leaf1] interface HundredGigE1/0/25
[service-leaf1-HundredGigE1/0/25] port link-mode route
[service-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack1
[service-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[service-leaf1-HundredGigE1/0/25] arp route-direct advertise
[service-leaf1-HundredGigE1/0/25] quit
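The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, select one from the Available Global MAC addresses of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe view to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.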
[service-leaf1] evpn global-mac 0001-0001-0003
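Use the address of interface LoopBack0 as the M-LAG real address. M-LAG single-homed access, M-LAG single-sided access, Type 5 routes, and so on use this address.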
[service-leaf1] evpn m-lag local 10.1.1.6 remote 10.1.1.7
(1) Configure the M-LAG virtual address.
[service-leaf1] interface LoopBack2
[service-leaf1-LoopBack2] ip address 10.20.1.6 255.255.255.255
[service-leaf1-LoopBack2] quit
Choose one routing protocol to configure:
Configure OSPF
[service-leaf1] interface LoopBack2
[service-leaf1-LoopBack2] ospf 1 area 0.0.0.0
[service-leaf1-LoopBack2] quit
Configure IS-IS
[service-leaf1] interface LoopBack2
[service-leaf1-LoopBack2] isis enable 1
[service-leaf1-LoopBack2] isis circuit-level level-2
[service-leaf1-LoopBack2] quit
Configure EBGP
[service-leaf1] bgp 501 instance Underlay
[service-leaf1-bgp-Underlay] address-family ipv4 unicast
[service-leaf1-bgp-Underlay-ipv4] network 10.20.1.6 255.255.255.255
[service-leaf1-bgp-Underlay-ipv4] quit
[service-leaf1-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[service-leaf1] evpn m-lag group 10.20.1.6
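(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. It is recommended to use the bridge MAC of either M-LAG device as the system-mac; run the display lacp system-id command on the device to view its bridge MAC.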
[service-leaf1] m-lag system-mac 0002-0003-0003
(2) Configure the M-LAG system-number. Note: The two M-LAG devices must use different system-number values. For example, one M-LAG device uses system-number 1 and the other uses system-number 2.
[service-leaf1] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[service-leaf1] m-lag system-priority 10
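The Global MAC, M-LAG virtual address, system-mac, system-number, and system-priority rules stated in this guide (same on both members, system-number different, MACs unique across the network) can be checked before the devices are brought online. The following added example is not part of the original manual; it compares the command lists of two M-LAG members and checks uniqueness across M-LAG systems. The server-leaf2 and service-leaf1 values are taken from this guide; both peer samples are constructed.

```python
import re

# Settings the guide requires to be identical on both members of an M-LAG system.
MUST_MATCH = {
    "global_mac": re.compile(r"evpn global-mac (\S+)"),
    "system_mac": re.compile(r"m-lag system-mac (\S+)"),
    "system_priority": re.compile(r"m-lag system-priority (\d+)"),
    "virtual_ip": re.compile(r"evpn m-lag group (\S+)"),
}
SYSTEM_NUMBER = re.compile(r"m-lag system-number (\d+)")
REAL_ADDRS = re.compile(r"evpn m-lag local (\S+) remote (\S+)")
# Strips a leading "[Sysname-view]" or "<Sysname>" prompt from a pasted session.
PROMPT = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")


def parse_mlag(text):
    """Return the M-LAG settings found in a command list or pasted CLI session."""
    found = {}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        for key, rx in MUST_MATCH.items():
            m = rx.match(line)
            if m:
                found[key] = m.group(1).lower()
        m = SYSTEM_NUMBER.match(line)
        if m:
            found["system_number"] = m.group(1)
        m = REAL_ADDRS.match(line)
        if m:
            found["local"], found["remote"] = m.groups()
    return found


def check_pair(a, b):
    """Compare two parsed members; return findings (empty list if consistent)."""
    findings = []
    for key in MUST_MATCH:
        if a.get(key) is None or b.get(key) is None:
            findings.append(f"{key}: missing on at least one member")
        elif a[key] != b[key]:
            findings.append(f"{key}: {a[key]} != {b[key]} (must be identical)")
    if a.get("system_number") is None or b.get("system_number") is None:
        findings.append("system_number: missing on at least one member")
    elif a["system_number"] == b["system_number"]:
        findings.append(f"system_number: both members use {a['system_number']} (must differ)")
    # One member's "local" real address must be the other member's "remote".
    if (a.get("local"), a.get("remote")) != (b.get("remote"), b.get("local")):
        findings.append("evpn m-lag local/remote: addresses are not mirrored")
    return findings


def check_unique(systems):
    """systems maps an M-LAG system name to one member's parsed settings.
    Global MAC and system-mac must not be reused by a different M-LAG system."""
    findings = []
    for key in ("global_mac", "system_mac"):
        owner = {}
        for name, cfg in systems.items():
            value = cfg.get(key)
            if value is None:
                continue
            if value in owner:
                findings.append(f"{key} {value} reused by {owner[value]} and {name}")
            else:
                owner[value] = name
    return findings


SERVER_LEAF2 = """\
[server-leaf2] evpn global-mac 0001-0001-0002
[server-leaf2] evpn m-lag local 10.1.1.5 remote 10.1.1.4
[server-leaf2] evpn m-lag group 10.20.1.4
[server-leaf2] m-lag system-mac 0002-0003-0002
[server-leaf2] m-lag system-number 1
[server-leaf2] m-lag system-priority 10
"""
# Constructed peer that satisfies every rule.
PEER_OK = SERVER_LEAF2.replace("server-leaf2", "server-leaf1") \
    .replace("local 10.1.1.5 remote 10.1.1.4", "local 10.1.1.4 remote 10.1.1.5") \
    .replace("system-number 1", "system-number 2")
# Constructed peer with two mistakes: same system-number, different priority.
PEER_BAD = PEER_OK.replace("system-number 2", "system-number 1") \
    .replace("system-priority 10", "system-priority 20")
SERVICE_LEAF1 = """\
[service-leaf1] evpn global-mac 0001-0001-0003
[service-leaf1] evpn m-lag local 10.1.1.6 remote 10.1.1.7
[service-leaf1] evpn m-lag group 10.20.1.6
[service-leaf1] m-lag system-mac 0002-0003-0003
[service-leaf1] m-lag system-number 2
[service-leaf1] m-lag system-priority 10
"""

if __name__ == "__main__":
    for finding in check_pair(parse_mlag(SERVER_LEAF2), parse_mlag(PEER_BAD)):
        print(finding)
```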
(1) Create VLANs.
[service-leaf1] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[service-leaf1] interface Bridge-Aggregation1
[service-leaf1-Bridge-Aggregation1] port link-type trunk
[service-leaf1-Bridge-Aggregation1] port trunk permit vlan all
[service-leaf1-Bridge-Aggregation1] port trunk pvid vlan 4094
[service-leaf1-Bridge-Aggregation1] link-aggregation mode dynamic
[service-leaf1-Bridge-Aggregation1] port m-lag peer-link 1
[service-leaf1-Bridge-Aggregation1] undo mac-address static source-check enable
[service-leaf1-Bridge-Aggregation1] quit
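On the S12500X, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On the S6800, a port isolation group must be configured on the peer-link aggregate interface, as follows: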
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[service-leaf1] interface HundredGigE1/0/9
[service-leaf1-HundredGigE1/0/9] port link-mode bridge
[service-leaf1-HundredGigE1/0/9] port link-type trunk
[service-leaf1-HundredGigE1/0/9] port trunk permit vlan all
[service-leaf1-HundredGigE1/0/9] port trunk pvid vlan 4094
[service-leaf1-HundredGigE1/0/9] port link-aggregation group 1
[service-leaf1-HundredGigE1/0/9] quit
(4) Configure peer-link physical interface 2.
[service-leaf1] interface HundredGigE1/0/10
[service-leaf1-HundredGigE1/0/10] port link-mode bridge
[service-leaf1-HundredGigE1/0/10] port link-type trunk
[service-leaf1-HundredGigE1/0/10] port trunk permit vlan all
[service-leaf1-HundredGigE1/0/10] port trunk pvid vlan 4094
[service-leaf1-HundredGigE1/0/10] port link-aggregation group 1
[service-leaf1-HundredGigE1/0/10] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the links go MAD UP only after the specified delay.
[service-leaf1] m-lag restore-delay 180
(2) Configure the VPN.
[service-leaf1] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[service-leaf1] interface HundredGigE1/0/30
[service-leaf1-HundredGigE1/0/30] port link-mode route
[service-leaf1-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[service-leaf1-HundredGigE1/0/30] ip address 10.10.1.9 255.255.255.252
[service-leaf1-HundredGigE1/0/30] quit
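(4) Configure the M-LAG MAD whitelist.
All physical interfaces must be added to the whitelist, except the M-LAG peer-link interfaces, the MAD interface, and interfaces that will be added to a service loopback group.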
[service-leaf1] m-lag mad default-action none
[service-leaf1] m-lag keepalive ip destination 10.10.1.10 source 10.10.1.9 vpn-instance auto-online-mlag
[service-leaf1] m-lag mad include interface HundredGigE1/0/25
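…omitted…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 go DOWN at the same time, traffic from the downlink interfaces of device 1 reaches the uplink interfaces of device 2 through the escape path over the peer-link, so that communication with other devices is maintained.
Using the PVID VLAN of the peer-link interface as the escape VLAN is recommended.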
[service-leaf1] interface Vlan-interface4094
[service-leaf1-Vlan-interface4094] ip address 10.30.1.9 255.255.255.252
[service-leaf1-Vlan-interface4094] quit
Select one routing protocol to configure:
Configure OSPF
[service-leaf1] interface Vlan-interface4094
[service-leaf1-Vlan-interface4094] ospf 1 area 0.0.0.0
[service-leaf1-Vlan-interface4094] quit
Configure IS-IS
[service-leaf1] interface Vlan-interface4094
[service-leaf1-Vlan-interface4094] isis enable 1
[service-leaf1-Vlan-interface4094] quit
Configure EBGP
[service-leaf1] route-policy ibgpsurvive permit node 100
[service-leaf1] apply local-preference 0
[service-leaf1] quit
[service-leaf1] bgp 501 instance Underlay
[service-leaf1] peer 10.30.1.10 as-number 501
[service-leaf1-bgp-Underlay] address-family ipv4 unicast
[service-leaf1-bgp-Underlay-ipv4] network 10.30.1.9 255.255.255.252
[service-leaf1-bgp-Underlay-ipv4] peer 10.30.1.10 route-policy ibgpsurvive export
[service-leaf1-bgp-Underlay-ipv4] peer 10.30.1.10 next-hop-local
[service-leaf1-bgp-Underlay-ipv4] quit
[service-leaf1-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[service-leaf1] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
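· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: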
[service-leaf1] l2vpn m-lag peer-link tunnel source 10.1.1.6 destination 10.1.1.7
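To forward VXLAN packets correctly in single-homed access networking, where the tunnel source address is the M-LAG real address, default decapsulation must be configured.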
[service-leaf1] vxlan default-decapsulation source interface LoopBack0
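The automatic recovery time after an M-LAG device starts must be greater than the reboot time of the peer device. The reference value is 600 seconds for chassis devices such as the S12500G/S12500X/S10500X/S7500X, and 300 seconds for fixed-port devices such as the S68XX. Configure it as follows: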
[service-leaf1] m-lag auto-recovery reload-delay 600
[service-leaf1] interface Bridge-Aggregation256
[service-leaf1-Bridge-Aggregation7] link-aggregation mode dynamic
[service-leaf1-Bridge-Aggregation7] port m-lag group 6
[service-leaf1-Bridge-Aggregation7] stp edged-port
[service-leaf1-Bridge-Aggregation7] quit
[service-leaf1] interface Ten-GigabitEthernet1/0/11
[service-leaf1-Ten-GigabitEthernet1/0/11] port link-mode bridge
[service-leaf1-Ten-GigabitEthernet1/0/11] port link-type trunk
[service-leaf1-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[service-leaf1-Ten-GigabitEthernet1/0/11] quit
[service-leaf1] interface Bridge-Aggregation257
[service-leaf1-Bridge-Aggregation8] link-aggregation mode dynamic
[service-leaf1-Bridge-Aggregation8] port m-lag group 7
[service-leaf1-Bridge-Aggregation8] stp edged-port
[service-leaf1-Bridge-Aggregation8] quit
[service-leaf1] interface Ten-GigabitEthernet1/0/12
[service-leaf1-Ten-GigabitEthernet1/0/12] port link-mode bridge
[service-leaf1-Ten-GigabitEthernet1/0/12] port link-aggregation group 257
[service-leaf1-Ten-GigabitEthernet1/0/12] quit
[service-leaf1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
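(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the operation column for fabric1, click the “Switching Devices” tab, and enter the switching device configuration page for fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the “Basic Information” tab:
¡ Device name: Service-leaf1.
¡ Basic information:
- Fabric: fabric1. Do not use the control component's default fabric, DEFAULTFABRIC.
- Device type: Access device.
- Management IP: 192.168.11.6.
- VTEP IP: 10.1.1.6.
- Preferred region: region1.
- Device role: Leaf.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 38 Adding a switching device
(3) Click the “Device Control Protocol” tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 39 Adding a switching device

(4) Click the “VXLAN” tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 40 Configuring VXLAN
(5) Click the “OpenFlow” tab and configure the following parameters:
¡ VRF name: Name of the VPN instance to which the management interface of the switching device belongs. This example uses mgmt.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 41 Configuring OpenFlow
(6) Click the “Advanced” tab and configure the advanced parameters as required by the network. This example uses the default settings.
Figure 42 Advanced settings

(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.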
<service-leaf2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<service-leaf2> reboot force
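After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G-AF T series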
[service-leaf2] hardware-resource tcam normal
[service-leaf2] hardware-resource routing-mode ipv6-128
[service-leaf2] hardware-resource vxlan l3gw
S12500X
[service-leaf2] hardware-resource tcam routing
[service-leaf2] hardware-resource vxlan normal
[service-leaf2] hardware-resource mcast normal
[service-leaf2] hardware-resource scale-rt-prefix none
[service-leaf2] hardware-resource mpls normal
[service-leaf2] hardware-resource parser normal
S6800
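When the S6800 acts as a Leaf or Border, hardware resources must be configured according to the services in use. For details, see “How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?”.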
[service-leaf2] hardware-resource switch-mode 4
[service-leaf2] hardware-resource routing-mode ipv6-128
[service-leaf2] hardware-resource vxlan l3gw40k
S6860
[service-leaf2] hardware-resource switch-mode 4
[service-leaf2] hardware-resource routing-mode ipv6-128
[service-leaf2] hardware-resource vxlan l3gw24k
S6850/S9850/S6805/S6825
[service-leaf2] hardware-resource switch-mode DUAL-STACK
[service-leaf2] hardware-resource routing-mode ipv6-128
[service-leaf2] hardware-resource vxlan l3gw
S10500X
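For the S10500X, the switch-mode hardware resource parameter must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
(1) Change the interface module parameter, using slot 0 as an example.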
[service-leaf2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter, using slot 6 as an example.
[service-leaf2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
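For the S7500X, the switch-mode hardware resource parameter must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
Change the interface module parameter, using slot 2 as an example.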
[service-leaf2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
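S12500G-AF S series
For the S12500G-AF S series, the switch-mode hardware resource parameter must be normal (view it with the display switch-mode status command), and system-working-mode must be expert (view it with the display system-working-mode command). Both can be changed with the following commands. The changes take effect after a reboot.
Slot 3 is used as an example.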
[service-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[service-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
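For the S10506X-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.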
[service-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
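For the S6850-56HF-G/S9850-32H-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.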
[service-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
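S12500G S series/S9820-4C-G/S12500CR
For the S12500G S series/S9820-4C-G/S12500CR, the switch-mode hardware resource parameter must be normal (view it with the display switch-mode status command), and system-working-mode must be expert (view it with the display system-working-mode command). Both can be changed with the following commands. The changes take effect after a reboot.
Slot 3 is used as an example.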
[service-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[service-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
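For the S10500XG/12500G-EF, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.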
[service-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
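For the S6805G/S6850G/9850G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.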
[service-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
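For the S9825/S9855, hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications, not in functionality. Keeping the default value is recommended, and both ends should use the same mode. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command) and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). These parameters can be changed with the following commands. The changes take effect after a reboot.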
[service-leaf2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
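For the S9827, set hardware-resource switch-mode to ROUTING (view it with the display hardware-resource switch-mode command), hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command), and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). These parameters can be changed with the following commands. The changes take effect after a reboot.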
[service-leaf2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN instance.
[service-leaf2] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[service-leaf2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[service-leaf2] interface M-GigabitEthernet0/0/0
[service-leaf2-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[service-leaf2-M-GigabitEthernet0/0/0] ip address 192.168.11.7 255.255.255.0
[service-leaf2-M-GigabitEthernet0/0/0] quit
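(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured. Otherwise those features do not work correctly. For the features that use HTTPS short connections, see “Which features use HTTPS short connections?”.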
[service-leaf2] local-user admin class manage
[service-leaf2-luser-manage-admin] password simple Qwert@1234
[service-leaf2-luser-manage-admin] service-type https ssh
[service-leaf2-luser-manage-admin] authorization-attribute user-role network-admin
[service-leaf2-luser-manage-admin] authorization-attribute user-role network-operator
[service-leaf2-luser-manage-admin] quit
(5) Configure the VTY lines.
[service-leaf2] line vty 0 63
[service-leaf2-line-vty0-63] authentication-mode scheme
[service-leaf2-line-vty0-63] user-role network-admin
[service-leaf2-line-vty0-63] user-role network-operator
[service-leaf2-line-vty0-63] quit
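(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured. Otherwise those features do not work correctly. For the features that use HTTPS short connections, see “Which features use HTTPS short connections?”.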
[service-leaf2] netconf soap https enable
[service-leaf2] netconf ssh server enable
(7) Enable the SSH service.
[service-leaf2] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses the NTP server IP address 192.168.10.101.
[service-leaf2] ntp-service enable
[service-leaf2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[service-leaf2] snmp-agent
[service-leaf2] snmp-agent community write private
[service-leaf2] snmp-agent community read public
[service-leaf2] snmp-agent sys-info version all
[service-leaf2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[service-leaf2] lldp global enable
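A check that can be run over the management-plane steps above before the device is handed to the control component. It is an added example, not part of the vendor guide: it verifies the two settings the guide marks as mandatory (service-type https, netconf soap https enable), applies the password rule from step (4), and flags the guide's sample password, the well-known SNMP community strings public and private, and SNMPv1/v2c being enabled by version all. The function names, severity labels and the VARIANT sample are assumptions made for this illustration.

```python
import re

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")   # strips "[service-leaf2] " style prompts
GUIDE_SAMPLE_PASSWORD = "Qwert@1234"                # sample value printed in this guide
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def char_classes(pw):
    """Count how many of the four character types named in step (4) occur in pw."""
    tests = (str.isdigit, str.isupper, str.islower, lambda ch: not ch.isalnum())
    return sum(any(test(ch) for ch in pw) for test in tests)


def audit_mgmt(session):
    """Return (severity, message) findings for a pasted CLI session or saved config."""
    cmds = [PROMPT.sub("", line).strip() for line in session.splitlines() if line.strip()]
    findings = []

    # Settings the guide states must be present for features using HTTPS short connections.
    if not any(re.match(r"netconf soap https enable$", c) for c in cmds):
        findings.append(("REQUIRED", "netconf soap https enable is missing"))
    services = [c.split()[1:] for c in cmds if c.startswith("service-type ")]
    if not any("https" in s for s in services):
        findings.append(("REQUIRED", "local user lacks service-type https"))

    for c in cmds:
        m = re.match(r"password simple (\S+)", c)
        if m:
            pw = m.group(1)
            if pw == GUIDE_SAMPLE_PASSWORD:
                findings.append(("SECRET", "local-user password is the guide's sample value"))
            elif char_classes(pw) < 2:
                findings.append(("SECRET", "password has fewer than two character types"))
        m = re.match(r"snmp-agent community (read|write) (?:(?:simple|cipher) )?(\S+)", c)
        if m and m.group(2).lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("SECRET", f"SNMP {m.group(1)} community is the well-known "
                                       f"string '{m.group(2)}'"))
        if re.match(r"snmp-agent sys-info version all$", c):
            findings.append(("EXPOSURE", "SNMPv1/v2c enabled: community strings travel in cleartext"))
    return findings


# Session assembled from the commands shown in steps (4) to (9) above.
GUIDE_SESSION = """\
[service-leaf2] local-user admin class manage
[service-leaf2-luser-manage-admin] password simple Qwert@1234
[service-leaf2-luser-manage-admin] service-type https ssh
[service-leaf2] line vty 0 63
[service-leaf2-line-vty0-63] authentication-mode scheme
[service-leaf2] netconf soap https enable
[service-leaf2] netconf ssh server enable
[service-leaf2] ssh server enable
[service-leaf2] snmp-agent community write private
[service-leaf2] snmp-agent community read public
[service-leaf2] snmp-agent sys-info version all
"""

# Constructed variant: secrets replaced with made-up values, one mandatory line dropped.
VARIANT = (GUIDE_SESSION
           .replace("Qwert@1234", "c0nstructed-Sample!")
           .replace("write private", "write rw-constructed")
           .replace("read public", "read ro-constructed")
           .replace("[service-leaf2] netconf soap https enable\n", ""))

if __name__ == "__main__":
    for name, text in (("guide session", GUIDE_SESSION), ("variant", VARIANT)):
        print(name)
        for severity, message in audit_mgmt(text):
            print(f"  {severity:9} {message}")
```

Any password or community string changed on the device must be changed to the same value in the control component's device settings, as the guide notes for the NETCONF password.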
(1) Enable L2VPN on the device.
[service-leaf2] l2vpn enable
(2) Disable MAC, ARP, and ND learning from VXLAN tunnels.
[service-leaf2] vxlan tunnel mac-learning disable
[service-leaf2] vxlan tunnel arp-learning disable
[service-leaf2] vxlan tunnel nd-learning disable
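To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure one of them.
Configure OSPF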
[service-leaf2] ospf 1 router-id 192.168.11.7
[service-leaf2-ospf-1] non-stop-routing
[service-leaf2-ospf-1] area 0.0.0.0
Configure IS-IS
[service-leaf2] isis 1
[service-leaf2-isis-1] non-stop-routing
[service-leaf2-isis-1] is-level level-2
[service-leaf2-isis-1] is-name user1
[service-leaf2-isis-1] network-entity 86.4713.0021.0100.0400.1007.00 //each device has a different network-entity
[service-leaf2-isis-1] address-family ipv4 unicast
[service-leaf2-isis-1-ipv4] maximum load-balancing 4
[service-leaf2-isis-1-ipv4] quit
[service-leaf2-isis-1] quit
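Configure EBGP
The two Spine Border or Spine devices use AS number 500, and the four Leaf-role devices use AS number 501. EBGP neighbor relationships are established between the Spine Border or Spine devices and the Leaf-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.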
[service-leaf2] interface LoopBack1
[service-leaf2-LoopBack1] ip address 4.1.1.6 255.255.255.255
[service-leaf2-LoopBack1] quit
[service-leaf2] bgp 501 instance Underlay
[service-leaf2-bgp-Underlay] non-stop-routing
[service-leaf2-bgp-Underlay] router-id 4.1.1.6
[service-leaf2-bgp-Underlay] group Spine external
[service-leaf2-bgp-Underlay] peer Spine as-number 500
[service-leaf2-bgp-Underlay] peer Spine ebgp-max-hop 2
[service-leaf2-bgp-Underlay] peer Spine connect-interface Loopback1
[service-leaf2-bgp-Underlay] peer 4.1.1.1 group Spine
[service-leaf2-bgp-Underlay] peer 4.1.1.2 group Spine
[service-leaf2-bgp-Underlay] address-family ipv4 unicast
[service-leaf2-bgp-Underlay-ipv4] balance 4
[service-leaf2-bgp-Underlay-ipv4] network 10.1.1.7 255.255.255.255
[service-leaf2-bgp-Underlay-ipv4] peer Spine enable
[service-leaf2-bgp-Underlay-ipv4] peer spine allow-as-loop 2
[service-leaf2-bgp-Underlay-ipv4] quit
[service-leaf2-bgp-Underlay] quit
[service-leaf2] interface LoopBack0
[service-leaf2-LoopBack0] ip address 10.1.1.7 255.255.255.255
[service-leaf2-LoopBack0] quit
Select one routing protocol to configure:
Configure OSPF
[service-leaf2] interface LoopBack0
[service-leaf2-LoopBack0] ospf 1 area 0.0.0.0
[service-leaf2-LoopBack0] quit
Configure IS-IS
[service-leaf2] interface LoopBack0
[service-leaf2-LoopBack0] isis enable 1
[service-leaf2-LoopBack0] quit
Configure EBGP
[service-leaf2] bgp 501 instance Underlay
[service-leaf2-bgp-Underlay] address-family ipv4 unicast
[service-leaf2-bgp-Underlay-ipv4] network 10.1.1.7 255.255.255.255
[service-leaf2-bgp-Underlay-ipv4] quit
[service-leaf2-bgp-Underlay] quit
Configure IBGP
[service-leaf2] bgp 100
[service-leaf2-bgp-default] non-stop-routing
[service-leaf2-bgp-default] router-id 10.1.1.7
[service-leaf2-bgp-default] group evpn internal
[service-leaf2-bgp-default] peer evpn connect-interface Loopback0
[service-leaf2-bgp-default] peer 10.1.1.2 group evpn
[service-leaf2-bgp-default] peer 10.1.1.3 group evpn
[service-leaf2-bgp-default] address-family l2vpn evpn
[service-leaf2-bgp-default-evpn] peer evpn enable
[service-leaf2-bgp-default-evpn] quit
[service-leaf2-bgp-default] quit
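The interface connected to Spine Border 1 is used as an example. Configure the interface connected to Spine Border 2 in the same way.
The configuration of the interface connected to the Spine differs by underlay routing protocol. Select one of OSPF, IS-IS, or EBGP to configure.
Configure OSPF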
[service-leaf2] interface HundredGigE1/0/25
[service-leaf2-HundredGigE1/0/25] port link-mode route
[service-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[service-leaf2-HundredGigE1/0/25] ospf network-type p2p
[service-leaf2-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[service-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[service-leaf2-HundredGigE1/0/25] quit
Configure IS-IS
[service-leaf2] interface HundredGigE1/0/25
[service-leaf2-HundredGigE1/0/25] port link-mode route
[service-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[service-leaf2-HundredGigE1/0/25] isis enable 1
[service-leaf2-HundredGigE1/0/25] isis circuit-level level-2
[service-leaf2-HundredGigE1/0/25] isis circuit-type p2p
[service-leaf2-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
[service-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[service-leaf2-HundredGigE1/0/25] quit
Configure EBGP
[service-leaf2] interface HundredGigE1/0/25
[service-leaf2-HundredGigE1/0/25] port link-mode route
[service-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack1
[service-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[service-leaf2-HundredGigE1/0/25] arp route-direct advertise
[service-leaf2-HundredGigE1/0/25] quit
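The Global MAC is the Router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE. Alternatively, choose one from the Available Global MACs of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe view to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. This also applies in multi-fabric and data center interconnect scenarios.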
[service-leaf2] evpn global-mac 0001-0001-0003
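Use the LoopBack0 interface address as the M-LAG real address. M-LAG single-homed access, M-LAG single-sided access, Type 5 routes, and similar features use this address.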
[service-leaf2] evpn m-lag local 10.1.1.7 remote 10.1.1.6
(1) Configure the M-LAG virtual address.
[service-leaf2] interface LoopBack2
[service-leaf2-LoopBack2] ip address 10.20.1.6 255.255.255.255
[service-leaf2-LoopBack2] quit
Select one routing protocol to configure:
Configure OSPF
[service-leaf2] interface LoopBack2
[service-leaf2-LoopBack2] ospf 1 area 0.0.0.0
[service-leaf2-LoopBack2] quit
Configure IS-IS
[service-leaf2] interface LoopBack2
[service-leaf2-LoopBack2] isis enable 1
[service-leaf2-LoopBack2] isis circuit-level level-2
[service-leaf2-LoopBack2] quit
Configure EBGP
[service-leaf2] bgp 500 instance Underlay
[service-leaf2-bgp-Underlay] address-family ipv4 unicast
[service-leaf2-bgp-Underlay-ipv4] network 10.20.1.6 255.255.255.255
[service-leaf2-bgp-Underlay-ipv4] quit
[service-leaf2-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[service-leaf2] evpn m-lag group 10.20.1.6
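(1) All M-LAG devices in an M-LAG system must have the same system-mac, and it must be unique across the entire network. Using the bridge MAC of either M-LAG device as the system-mac is recommended. Run the display lacp system-id command on a device to view its bridge MAC.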
[service-leaf2] m-lag system-mac 0002-0003-0003
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must have different system-numbers, for example 1 on one M-LAG device and 2 on the other.
[service-leaf2] m-lag system-number 1
(3) Configure the M-LAG system-priority. The two M-LAG devices must have the same priority.
[service-leaf2] m-lag system-priority 10
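The pairing rules stated above (same Global MAC, system-mac, system-priority and M-LAG virtual address, different system-number, and local/remote and keepalive addresses that mirror each other) can be checked mechanically across the two members before they are onboarded. The following is an added example, not part of the vendor guide. The service-leaf2 lines are the values shown in this guide, while the service-leaf1 lines and the function names are constructed for the illustration.

```python
import re

# Settings that must be identical on both M-LAG members.
MUST_MATCH = {
    "system-mac": r"^m-lag system-mac (\S+)",
    "system-priority": r"^m-lag system-priority (\d+)",
    "global-mac": r"^evpn global-mac (\S+)",
    "m-lag group (virtual IP)": r"^evpn m-lag group (\S+)",
}
SYSTEM_NUMBER = r"^m-lag system-number (\d+)"
# Address pairs that must be mirrored between the two members.
MIRRORED = {
    "evpn m-lag local/remote": r"^evpn m-lag local (\S+) remote (\S+)",
    "keepalive destination/source": r"^m-lag keepalive ip destination (\S+) source (\S+)",
}
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # "[service-leaf2] " or "<service-leaf2> "


def commands(session):
    """Strip CLI prompts so pasted sessions and saved configs parse the same way."""
    return [PROMPT.sub("", line).strip() for line in session.splitlines() if line.strip()]


def find(cmds, pattern):
    """Return the capture groups of the last matching command, or None."""
    hit = None
    for cmd in cmds:
        m = re.match(pattern, cmd)
        if m:
            hit = tuple(g.lower() for g in m.groups())
    return hit


def check_pair(a, b):
    """Compare two M-LAG members and return a list of findings (empty = consistent)."""
    ca, cb = commands(a), commands(b)
    findings = []
    for name, pat in MUST_MATCH.items():
        va, vb = find(ca, pat), find(cb, pat)
        if va is None or vb is None:
            findings.append(f"{name}: missing on at least one member")
        elif va != vb:
            findings.append(f"{name}: differs ({va[0]} vs {vb[0]})")
    na, nb = find(ca, SYSTEM_NUMBER), find(cb, SYSTEM_NUMBER)
    if na is None or nb is None:
        findings.append("system-number: missing on at least one member")
    elif na == nb:
        findings.append(f"system-number: both members use {na[0]}")
    for name, pat in MIRRORED.items():
        va, vb = find(ca, pat), find(cb, pat)
        if va is None or vb is None:
            findings.append(f"{name}: missing on at least one member")
        elif va != vb[::-1]:  # one side's first address must be the other side's second
            findings.append(f"{name}: not mirrored ({va} vs {vb})")
    return findings


# service-leaf2 values as shown in this guide.
LEAF2 = """\
[service-leaf2] evpn global-mac 0001-0001-0003
[service-leaf2] evpn m-lag local 10.1.1.7 remote 10.1.1.6
[service-leaf2] evpn m-lag group 10.20.1.6
[service-leaf2] m-lag system-mac 0002-0003-0003
[service-leaf2] m-lag system-number 1
[service-leaf2] m-lag system-priority 10
[service-leaf2] m-lag keepalive ip destination 10.10.1.9 source 10.10.1.10 vpn-instance auto-online-mlag
"""
# Constructed peer that satisfies every rule.
LEAF1_GOOD = """\
[service-leaf1] evpn global-mac 0001-0001-0003
[service-leaf1] evpn m-lag local 10.1.1.6 remote 10.1.1.7
[service-leaf1] evpn m-lag group 10.20.1.6
[service-leaf1] m-lag system-mac 0002-0003-0003
[service-leaf1] m-lag system-number 2
[service-leaf1] m-lag system-priority 10
[service-leaf1] m-lag keepalive ip destination 10.10.1.10 source 10.10.1.9 vpn-instance auto-online-mlag
"""
# Constructed peer with a duplicated system-number and a different priority.
LEAF1_BAD = (LEAF1_GOOD.replace("system-number 2", "system-number 1")
                       .replace("system-priority 10", "system-priority 20"))

if __name__ == "__main__":
    for label, peer in (("good peer", LEAF1_GOOD), ("bad peer", LEAF1_BAD)):
        print(label, check_pair(LEAF2, peer) or "consistent")
```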
(1) Create the VLANs.
[service-leaf2] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[service-leaf2] interface Bridge-Aggregation1
[service-leaf2-Bridge-Aggregation1] port link-type trunk
[service-leaf2-Bridge-Aggregation1] port trunk permit vlan all
[service-leaf2-Bridge-Aggregation1] port trunk pvid vlan 4094
[service-leaf2-Bridge-Aggregation1] link-aggregation mode dynamic
[service-leaf2-Bridge-Aggregation1] port m-lag peer-link 1
[service-leaf2-Bridge-Aggregation1] undo mac-address static source-check enable
[service-leaf2-Bridge-Aggregation1] quit
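For S12500X devices, the undo mac-address static source-check enable command does not need to be configured on the peer-link aggregate interface.
For S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: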
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[service-leaf2] interface HundredGigE1/0/9
[service-leaf2-HundredGigE1/0/9] port link-mode bridge
[service-leaf2-HundredGigE1/0/9] port link-type trunk
[service-leaf2-HundredGigE1/0/9] port trunk permit vlan all
[service-leaf2-HundredGigE1/0/9] port trunk pvid vlan 4094
[service-leaf2-HundredGigE1/0/9] port link-aggregation group 1
[service-leaf2-HundredGigE1/0/9] quit
(4) Configure peer-link physical interface 2.
[service-leaf2] interface HundredGigE1/0/10
[service-leaf2-HundredGigE1/0/10] port link-mode bridge
[service-leaf2-HundredGigE1/0/10] port link-type trunk
[service-leaf2-HundredGigE1/0/10] port trunk permit vlan all
[service-leaf2-HundredGigE1/0/10] port trunk pvid vlan 4094
[service-leaf2-HundredGigE1/0/10] port link-aggregation group 1
[service-leaf2-HundredGigE1/0/10] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the links go MAD UP only after the specified delay.
[service-leaf2] m-lag restore-delay 180
(2) Configure the VPN instance.
[service-leaf2] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[service-leaf2] interface HundredGigE1/0/30
[service-leaf2-HundredGigE1/0/30] port link-mode route
[service-leaf2-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[service-leaf2-HundredGigE1/0/30] ip address 10.10.1.10 255.255.255.252
[service-leaf2-HundredGigE1/0/30] quit
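(4) Configure the M-LAG MAD whitelist.
Except for the M-LAG peer-link interfaces, the MAD interface, and interfaces to be added to the service loopback group, all other physical interfaces must be added to the whitelist.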
[service-leaf2] m-lag mad default-action none
[service-leaf2] m-lag keepalive ip destination 10.10.1.9 source 10.10.1.10 vpn-instance auto-online-mlag
[service-leaf2] m-lag mad include interface HundredGigE1/0/25
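…omitted…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 go DOWN at the same time, traffic from the downlink interfaces of device 1 reaches the uplink interfaces of device 2 through the escape path over the peer-link, so that communication with other devices is maintained.
Using the PVID VLAN of the peer-link interface as the escape VLAN is recommended.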
[service-leaf2] interface Vlan-interface4094
[service-leaf2-Vlan-interface4094] ip address 10.30.1.10 255.255.255.252
[service-leaf2-Vlan-interface4094] quit
Select one routing protocol to configure:
Configure OSPF
[service-leaf2] interface Vlan-interface4094
[service-leaf2-Vlan-interface4094] ospf 1 area 0.0.0.0
[service-leaf2-Vlan-interface4094] quit
Configure IS-IS
[service-leaf2] interface Vlan-interface4094
[service-leaf2-Vlan-interface4094] isis enable 1
[service-leaf2-Vlan-interface4094] quit
Configure EBGP
[service-leaf2] route-policy ibgpsurvive permit node 100
[service-leaf2] apply local-preference 0
[service-leaf2] quit
[service-leaf2] bgp 501 instance Underlay
[service-leaf2] peer 10.30.1.9 as-number 501
[service-leaf2-bgp-Underlay] address-family ipv4 unicast
[service-leaf2-bgp-Underlay-ipv4] network 10.30.1.10 255.255.255.252
[service-leaf2-bgp-Underlay-ipv4] peer 10.30.1.9 route-policy ibgpsurvive export
[service-leaf2-bgp-Underlay-ipv4] peer 10.30.1.9 next-hop-local
[service-leaf2-bgp-Underlay-ipv4] quit
[service-leaf2-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[service-leaf2] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
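· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: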
[service-leaf2] l2vpn m-lag peer-link tunnel source 10.1.1.7 destination 10.1.1.6
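To forward VXLAN packets correctly in single-homed access networking, where the tunnel source address is the M-LAG real address, default decapsulation must be configured.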
[service-leaf2] vxlan default-decapsulation source interface LoopBack0
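The automatic recovery time after an M-LAG device starts must be greater than the reboot time of the peer device. The reference value is 600 seconds for chassis devices such as the S12500G/S12500X/S10500X/S7500X, and 300 seconds for fixed-port devices such as the S68XX. Configure it as follows: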
[service-leaf2] m-lag auto-recovery reload-delay 600
[service-leaf2] interface Bridge-Aggregation256
[service-leaf2-Bridge-Aggregation7] link-aggregation mode dynamic
[service-leaf2-Bridge-Aggregation7] port m-lag group 6
[service-leaf2-Bridge-Aggregation7] stp edged-port
[service-leaf2-Bridge-Aggregation7] quit
[service-leaf2] interface Ten-GigabitEthernet1/0/11
[service-leaf2-Ten-GigabitEthernet1/0/11] port link-mode bridge
[service-leaf2-Ten-GigabitEthernet1/0/11] port link-type trunk
[service-leaf2-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[service-leaf2-Ten-GigabitEthernet1/0/11] quit
[service-leaf2] interface Bridge-Aggregation257
[service-leaf2-Bridge-Aggregation8] link-aggregation mode dynamic
[service-leaf2-Bridge-Aggregation8] port m-lag group 7
[service-leaf2-Bridge-Aggregation8] stp edged-port
[service-leaf2-Bridge-Aggregation8] quit
[service-leaf2] interface Ten-GigabitEthernet1/0/12
[service-leaf2-Ten-GigabitEthernet1/0/12] port link-mode bridge
[service-leaf2-Ten-GigabitEthernet1/0/12] port link-aggregation group 257
[service-leaf2-Ten-GigabitEthernet1/0/12] quit
[service-leaf2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
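(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the operation column for fabric1, click the “Switching Devices” tab, and enter the switching device configuration page for fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the “Basic Information” tab:
¡ Device name: service-leaf2.
¡ Basic information:
- Fabric: fabric1. Do not use the control component's default fabric, DEFAULTFABRIC.
- Device type: Access device.
- Management IP: 192.168.11.7.
- VTEP IP: 10.1.1.7.
- Preferred region: region1.
- Device role: Leaf.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 43 Adding a switching device
(3) Click the “Device Control Protocol” tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 44 Adding a switching device

(4) Click the “VXLAN” tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 45 Configuring VXLAN
(5) Click the “OpenFlow” tab and configure the following parameters:
¡ VRF name: Name of the VPN instance to which the management interface of the switching device belongs. This example uses mgmt.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 46 Configuring OpenFlow
(6) Click the “Advanced” tab and configure the advanced parameters as required by the network. This example uses the default settings.
Figure 47 Advanced settings

(7) Click <OK> to finish adding the device.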
<spine1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<spine1> reboot force
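After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G-AF T series
[spine1] hardware-resource tcam normal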
[spine1] hardware-resource routing-mode ipv6-128
[spine1] hardware-resource vxlan l3gw
S12500X
[spine1] hardware-resource tcam routing
[spine1] hardware-resource vxlan normal
[spine1] hardware-resource mcast normal
[spine1] hardware-resource scale-rt-prefix none
[spine1] hardware-resource mpls normal
[spine1] hardware-resource parser normal
S6800
[spine1] hardware-resource switch-mode 4
[spine1] hardware-resource routing-mode ipv6-128
[spine1] hardware-resource vxlan l3gw40k
S6860
[spine1] hardware-resource switch-mode 4
[spine1] hardware-resource routing-mode ipv6-128
[spine1] hardware-resource vxlan l3gw24k
S6850/S9850/S6805/S6825
[spine1] hardware-resource switch-mode DUAL-STACK
[spine1] hardware-resource routing-mode ipv6-128
[spine1] hardware-resource vxlan l3gw
S10500X
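For the S10500X, the switch-mode hardware resource parameter must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
(1) Change the interface module parameter, using slot 0 as an example.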
[spine1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter, using slot 6 as an example.
[spine1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
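For the S7500X, the switch-mode hardware resource parameter must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
Change the interface module parameter, using slot 2 as an example.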
[spine1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
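S12500G-AF S series
For the S12500G-AF S series, the switch-mode hardware resource parameter must be normal (view it with the display switch-mode status command), and system-working-mode must be expert (view it with the display system-working-mode command). Both can be changed with the following commands. The changes take effect after a reboot.
Slot 3 is used as an example.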
[spine1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[spine1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S12500R series
For the S12500R series, hardware-resource mdb must be routing (view it with the display hardware-resource mdb command), and hardware-resource interface must be bridge (view it with the display hardware-resource interface command). Both can be changed with the following commands. The changes take effect after a reboot.
[spine1] hardware-resource mdb routing
[spine1] hardware-resource interface bridge
S10506X-G
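For the S10506X-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.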
[spine1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
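For the S6850-56HF-G/S9850-32H-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.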
[spine1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9820-8M
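For the S9820-8M, the switch-mode hardware resource parameter must be vxlan. Use the display switch-mode status command to view the configured value. If switch-mode is not vxlan, use the switch-mode command to change it to vxlan. The change takes effect after a reboot.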
[spine1] switch-mode 1
Reboot device to make the configuration take effect.
S12500G S series/S9820-4C-G/S12500CR
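For the S12500G S series/S9820-4C-G/S12500CR, the switch-mode hardware resource parameter must be normal (view it with the display switch-mode status command), and system-working-mode must be expert (view it with the display system-working-mode command). Both can be changed with the following commands. The changes take effect after a reboot.
Slot 3 is used as an example.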
[spine1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[spine1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
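For the S10500XG/12500G-EF, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.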
[spine1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
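For the S6805G/S6850G/9850G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.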
[spine1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
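For the S9825/S9855, hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications, not in functionality. Keeping the default value is recommended, and both ends should use the same mode. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command) and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). These parameters can be changed with the following commands. The changes take effect after a reboot.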
[spine1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
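For the S9827, set hardware-resource switch-mode to ROUTING (view it with the display hardware-resource switch-mode command), hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command), and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). These parameters can be changed with the following commands. The changes take effect after a reboot.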
[spine1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[spine1] ip vpn-instance mgmt
(2) Configure the default route for the management network, with the gateway address of the management switch as the next hop.
[spine1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[spine1] interface M-GigabitEthernet0/0/0
[spine1-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[spine1-M-GigabitEthernet0/0/0] ip address 192.168.11.2 255.255.255.0
[spine1-M-GigabitEthernet0/0/0] quit
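(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".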
[spine1] local-user admin class manage
[spine1-luser-manage-admin] password simple Qwert@1234
[spine1-luser-manage-admin] service-type https ssh
[spine1-luser-manage-admin] authorization-attribute user-role network-admin
[spine1-luser-manage-admin] authorization-attribute user-role network-operator
[spine1-luser-manage-admin] quit
(5) Configure the VTY lines.
[spine1] line vty 0 63
[spine1-line-vty0-63] authentication-mode scheme
[spine1-line-vty0-63] user-role network-admin
[spine1-line-vty0-63] user-role network-operator
[spine1-line-vty0-63] quit
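(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".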
[spine1] netconf soap https enable
[spine1] netconf ssh server enable
(7) Enable the SSH service.
[spine1] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses the NTP server IP address 192.168.10.101.
[spine1] ntp-service enable
[spine1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[spine1] snmp-agent
[spine1] snmp-agent community write private
[spine1] snmp-agent community read public
[spine1] snmp-agent sys-info version all
[spine1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[spine1] lldp global enable
(1) Disable MAC, ARP, and ND learning from VXLAN tunnels.
[spine1] vxlan tunnel mac-learning disable
[spine1] vxlan tunnel arp-learning disable
[spine1] vxlan tunnel nd-learning disable
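To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF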
[spine1] ospf 1 router-id 192.168.11.2
[spine1-ospf-1] non-stop-routing
[spine1-ospf-1] area 0.0.0.0
Configure IS-IS
[spine1] isis 1
[spine1-isis-1] non-stop-routing
[spine1-isis-1] is-level level-2
[spine1-isis-1] is-name user1
[spine1-isis-1] network-entity 86.4713.0021.0100.0400.1002.00
[spine1-isis-1] address-family ipv4 unicast
[spine1-isis-1-ipv4] maximum load-balancing 4
[spine1-isis-1-ipv4] quit
[spine1-isis-1] quit
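Configure EBGP
The two Spine devices use AS number 500, and the four Leaf-role devices and two Border-role devices use AS number 501. EBGP peering is established between the Spine devices and the Leaf-role and Border-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.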
[spine1] interface LoopBack1
[spine1-LoopBack1] ip address 4.1.1.1 255.255.255.255
[spine1-LoopBack1] quit
[spine1] bgp 500 instance Underlay
[spine1-bgp-Underlay] non-stop-routing
[spine1-bgp-Underlay] router-id 4.1.1.1
[spine1-bgp-Underlay] group Leaf external
[spine1-bgp-Underlay] peer Leaf as-number 501
[spine1-bgp-Underlay] peer Leaf ebgp-max-hop 2
[spine1-bgp-Underlay] peer Leaf connect-interface Loopback1
[spine1-bgp-Underlay] peer 4.1.1.3 group Leaf
[spine1-bgp-Underlay] peer 4.1.1.4 group Leaf
[spine1-bgp-Underlay] peer 4.1.1.5 group Leaf
[spine1-bgp-Underlay] peer 4.1.1.6 group Leaf
[spine1-bgp-Underlay] peer 4.1.1.7 group Leaf
[spine1-bgp-Underlay] peer 4.1.1.8 group Leaf
[spine1-bgp-Underlay] address-family ipv4 unicast
[spine1-bgp-Underlay-ipv4] balance 4
[spine1-bgp-Underlay-ipv4] peer Leaf enable
[spine1-bgp-Underlay-ipv4] quit
[spine1-bgp-Underlay] quit
[spine1] interface LoopBack0
[spine1-LoopBack0] ip address 10.1.1.2 255.255.255.255
[spine1-LoopBack0] quit
Select one routing protocol to configure:
Configure OSPF
[spine1] interface LoopBack0
[spine1-LoopBack0] ospf 1 area 0.0.0.0
[spine1-LoopBack0] quit
Configure IS-IS
[spine1] interface LoopBack0
[spine1-LoopBack0] isis enable 1
[spine1-LoopBack0] quit
Configure EBGP
[spine1] bgp 500 instance Underlay
[spine1-bgp-Underlay] address-family ipv4 unicast
[spine1-bgp-Underlay-ipv4] network 10.1.1.2 255.255.255.255
[spine1-bgp-Underlay-ipv4] quit
[spine1-bgp-Underlay] quit
Configure the IBGP RR
[spine1] bgp 100
[spine1-bgp-default] non-stop-routing
[spine1-bgp-default] router-id 10.1.1.2
[spine1-bgp-default] group evpn internal
[spine1-bgp-default] peer evpn source-address 10.1.1.2
[spine1-bgp-default] peer 10.1.1.4 group evpn
[spine1-bgp-default] peer 10.1.1.5 group evpn
[spine1-bgp-default] peer 10.1.1.6 group evpn
[spine1-bgp-default] peer 10.1.1.7 group evpn
[spine1-bgp-default] peer 10.1.1.8 group evpn
[spine1-bgp-default] peer 10.1.1.9 group evpn
[spine1-bgp-default] address-family l2vpn evpn
[spine1-bgp-default-evpn] undo policy vpn-target
[spine1-bgp-default-evpn] peer evpn enable
[spine1-bgp-default-evpn] peer evpn reflect-client
[spine1-bgp-default-evpn] quit
[spine1-bgp-default] quit
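The following uses the interface that connects to Server Leaf 1 as an example. Configure the interfaces that connect to the other Leaf and Border devices in the same way.
Select one of OSPF, IS-IS, or EBGP to configure.
Configure OSPF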
[spine1] interface HundredGigE1/0/5
[spine1-HundredGigE1/0/5] port link-mode route
[spine1-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[spine1-HundredGigE1/0/5] ospf network-type p2p
[spine1-HundredGigE1/0/5] ospf 1 area 0.0.0.0
[spine1-HundredGigE1/0/5] lldp management-address arp-learning
[spine1-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[spine1-HundredGigE1/0/5] quit
Configure IS-IS
[spine1] interface HundredGigE1/0/5
[spine1-HundredGigE1/0/5] port link-mode route
[spine1-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[spine1-HundredGigE1/0/5] isis enable 1
[spine1-HundredGigE1/0/5] isis circuit-level level-2
[spine1-HundredGigE1/0/5] isis circuit-type p2p
[spine1-HundredGigE1/0/5] isis authentication-mode md5 simple 123456
[spine1-HundredGigE1/0/5] lldp management-address arp-learning
[spine1-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[spine1-HundredGigE1/0/5] quit
Configure EBGP
[spine1] interface HundredGigE1/0/5
[spine1-HundredGigE1/0/5] port link-mode route
[spine1-HundredGigE1/0/5] ip address unnumbered interface LoopBack1
[spine1-HundredGigE1/0/5] lldp management-address arp-learning
[spine1-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[spine1-HundredGigE1/0/5] arp route-direct advertise
[spine1-HundredGigE1/0/5] quit
[spine1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
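The check below is an added example, not part of the H3C manual or any H3C tool: a small Python auditor that scans a Comware transcript or saved configuration for the example secrets and management-plane settings used in the spine1 steps above (password Qwert@1234, SNMP communities public/private, snmp-agent sys-info version all, IS-IS MD5 key 123456) so they can be replaced before the device carries production traffic. The rule names and the sample input are constructed for illustration.

```python
import re

# Constructed sample: command lines copied from the spine1 procedure on this page.
SAMPLE_CONFIG = """\
[spine1] local-user admin class manage
[spine1-luser-manage-admin] password simple Qwert@1234
[spine1-luser-manage-admin] service-type https ssh
[spine1] snmp-agent community write private
[spine1] snmp-agent community read public
[spine1] snmp-agent sys-info version all
[spine1-HundredGigE1/0/5] isis authentication-mode md5 simple 123456
"""

# Secrets printed in this guide as examples. A value published in a vendor
# manual has to be treated as known to everyone.
DOCUMENTED_SECRETS = {"Qwert@1234", "123456"}
DEFAULT_COMMUNITIES = {"public", "private"}

# Matches a leading CLI prompt such as "[spine1-isis-1]" or "<spine2>".
PROMPT = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")


def strip_prompt(line):
    """Return the command without its prompt, so transcripts and .cfg files both parse."""
    return PROMPT.sub("", line, count=1).strip()


def char_classes(secret):
    """Count the character types present: digit, uppercase, lowercase, special."""
    checks = (str.isdigit, str.isupper, str.islower, lambda c: not c.isalnum())
    return sum(any(check(c) for c in secret) for check in checks)


def check_secret(value, what):
    """Findings common to any secret: published example value, or fewer than
    the two character types this guide requires for passwords."""
    out = []
    if value in DOCUMENTED_SECRETS:
        out.append(("DOC_EXAMPLE_SECRET", f"{what} is the example value printed in the guide"))
    if char_classes(value) < 2:
        out.append(("WEAK_SECRET", f"{what} uses fewer than two character types"))
    return out


def audit(config_text):
    """Return a list of (line_number, rule_id, message) findings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tok = strip_prompt(raw).split()
        hits = []
        if tok[:2] == ["password", "simple"] and len(tok) >= 3:
            hits += check_secret(tok[2], "local-user password")
        elif tok[:2] == ["snmp-agent", "community"] and len(tok) >= 4:
            # An optional "simple" keyword may precede a plaintext community name.
            name = tok[4] if tok[3] == "simple" and len(tok) >= 5 else tok[3]
            if name in DEFAULT_COMMUNITIES:
                hits.append(("SNMP_DEFAULT_COMMUNITY",
                             f"{tok[2]} community '{name}' is a well-known default"))
        elif tok[:4] == ["snmp-agent", "sys-info", "version", "all"]:
            hits.append(("SNMP_LEGACY_VERSION",
                         "SNMPv1/v2c enabled; community strings travel in clear text"))
        elif tok[:4] == ["isis", "authentication-mode", "md5", "simple"] and len(tok) >= 5:
            hits.append(("ISIS_MD5_AUTH", "IS-IS adjacency authentication relies on MD5"))
            hits += check_secret(tok[4], "IS-IS authentication key")
        findings += [(lineno, rule, msg) for rule, msg in hits]
    return findings


if __name__ == "__main__":
    for lineno, rule, msg in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}: {msg}")
```

Run it against the output of a configuration export for each Spine, Leaf and Border device; an empty result means none of the guide's example values or default communities remain.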
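(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions section of fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
○ Device name: spine1.
○ Basic info:
- Device type: Underlay physical device.
- Management IP: 192.168.11.2.
- VTEP IP: 10.1.1.2.
- Preferred region: region1.
- Device role: Spine.
- Configure the other parameters as required by the network. This example uses the default settings.
Figure 48 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
○ NETCONF username: admin.
○ NETCONF password: Qwert@1234. The password must be complex and must match the one configured on the device.
○ Confirm NETCONF password: Qwert@1234.
○ Configure the other parameters as required by the network. This example uses the default settings.
Figure 49 Adding a switching device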

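(4) Click the "OpenFlow" tab and configure the following parameters:
○ VRF name: the name of the VPN to which the switching device's management interface belongs. This example uses mgmt.
○ Configure the other parameters as required by the network. This example uses the default settings.
Figure 50 Configuring OpenFlow
(5) Click <OK> to finish adding the device.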
<spine2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<spine2> reboot force
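After configuring the hardware resource parameters, reboot the device for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows: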
[spine2] hardware-resource tcam normal
[spine2] hardware-resource routing-mode ipv6-128
[spine2] hardware-resource vxlan l3gw
S12500X
[spine2] hardware-resource tcam routing
[spine2] hardware-resource vxlan normal
[spine2] hardware-resource mcast normal
[spine2] hardware-resource scale-rt-prefix none
[spine2] hardware-resource mpls normal
[spine2] hardware-resource parser normal
S6800
[spine2] hardware-resource switch-mode 4
[spine2] hardware-resource routing-mode ipv6-128
[spine2] hardware-resource vxlan l3gw40k
S6860
[spine2] hardware-resource switch-mode 4
[spine2] hardware-resource routing-mode ipv6-128
[spine2] hardware-resource vxlan l3gw24k
S6850/S9850/S6805/S6825
[spine2] hardware-resource switch-mode DUAL-STACK
[spine2] hardware-resource routing-mode ipv6-128
[spine2] hardware-resource vxlan l3gw
S10500X
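On the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
(1) Change the interface module parameter. This example uses slot 0.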
[spine2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter. This example uses slot 6.
[spine2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
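On the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
Change the interface module parameter. This example uses slot 2.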
[spine2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
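S12500G-AF S series
On the S12500G-AF S series, the hardware resource parameter switch-mode must be set to normal; use the display switch-mode status command to view the configured value. system-working-mode must be set to expert; use the display system-working-mode command to view the configured value. Use the following commands to change switch-mode and system-working-mode; the changes take effect after a reboot.
The following uses slot 3 as an example.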
[spine2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[spine2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
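S12500R series
On the S12500R series, the hardware resource parameter hardware-resource mdb must be set to routing; use the display hardware-resource mdb command to view the configured value. hardware-resource interface must be set to bridge; use the display hardware-resource interface command to view the configured value. Use the following commands to change hardware-resource mdb and hardware-resource interface; the changes take effect after a reboot.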
[spine2] hardware-resource mdb routing
[spine2] hardware-resource interface bridge
S10506X-G
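On the S10506X-G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
The following uses slot 1 as an example.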
[spine2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
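On the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
The following uses slot 1 as an example.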
[spine2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9820-8M
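On the S9820-8M, the hardware resource parameter switch-mode must be set to vxlan. Use the display switch-mode status command to view the configured value. If switch-mode is not vxlan, use the switch-mode command to change it to vxlan; the change takes effect after a reboot.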
[spine2] switch-mode 1
Reboot device to make the configuration take effect.
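S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be set to normal; use the display switch-mode status command to view the configured value. system-working-mode must be set to expert; use the display system-working-mode command to view the configured value. Use the following commands to change switch-mode and system-working-mode; the changes take effect after a reboot.
The following uses slot 3 as an example.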
[spine2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[spine2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
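On the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
The following uses slot 1 as an example.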
[spine2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
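On the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
The following uses slot 1 as an example.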
[spine2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
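On the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC and defaults to ROUTING. The two modes differ only in specifications, not in functionality. Keeping the default value is recommended, and so is using the same mode on both ends. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. Use the following commands to change the values; the changes take effect after a reboot.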
[spine2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
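On the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING; use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. Use the following commands to change the values; the changes take effect after a reboot.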
[spine2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[spine2] ip vpn-instance mgmt
(2) Configure the default route for the management network, with the gateway address of the management switch as the next hop.
[spine2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[spine2] interface M-GigabitEthernet0/0/0
[spine2-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[spine2-M-GigabitEthernet0/0/0] ip address 192.168.11.3 255.255.255.0
[spine2-M-GigabitEthernet0/0/0] quit
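(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".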
[spine2] local-user admin class manage
[spine2-luser-manage-admin] password simple Qwert@1234
[spine2-luser-manage-admin] service-type https ssh
[spine2-luser-manage-admin] authorization-attribute user-role network-admin
[spine2-luser-manage-admin] authorization-attribute user-role network-operator
[spine2-luser-manage-admin] quit
(5) Configure the VTY lines.
[spine2] line vty 0 63
[spine2-line-vty0-63] authentication-mode scheme
[spine2-line-vty0-63] user-role network-admin
[spine2-line-vty0-63] user-role network-operator
[spine2-line-vty0-63] quit
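(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".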
[spine2] netconf soap https enable
[spine2] netconf ssh server enable
(7) Enable the SSH service.
[spine2] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses the NTP server IP address 192.168.10.101.
[spine2] ntp-service enable
[spine2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[spine2] snmp-agent
[spine2] snmp-agent community write private
[spine2] snmp-agent community read public
[spine2] snmp-agent sys-info version all
[spine2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[spine2] lldp global enable
(1) Disable MAC, ARP, and ND learning from VXLAN tunnels.
[spine2] vxlan tunnel mac-learning disable
[spine2] vxlan tunnel arp-learning disable
[spine2] vxlan tunnel nd-learning disable
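To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF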
[spine2] ospf 1 router-id 192.168.11.3
[spine2-ospf-1] non-stop-routing
[spine2-ospf-1] area 0.0.0.0
[spine2-ospf-1] quit
Configure IS-IS
[spine2] isis 1
[spine2-isis-1] non-stop-routing
[spine2-isis-1] is-level level-2
[spine2-isis-1] is-name user1
[spine2-isis-1] network-entity 86.4713.0021.0100.0400.1003.00
[spine2-isis-1] address-family ipv4 unicast
[spine2-isis-1-ipv4] maximum load-balancing 4
[spine2-isis-1-ipv4] quit
[spine2-isis-1] quit
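Configure EBGP
The two Spine devices use AS number 500, and the four Leaf-role devices and two Border-role devices use AS number 501. EBGP peering is established between the Spine devices and the Leaf-role and Border-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.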
[spine2] interface LoopBack1
[spine2-LoopBack1] ip address 4.1.1.2 255.255.255.255
[spine2-LoopBack1] quit
[spine2] bgp 500 instance Underlay
[spine2-bgp-Underlay] non-stop-routing
[spine2-bgp-Underlay] router-id 4.1.1.2
[spine2-bgp-Underlay] group Leaf external
[spine2-bgp-Underlay] peer Leaf as-number 501
[spine2-bgp-Underlay] peer Leaf ebgp-max-hop 2
[spine2-bgp-Underlay] peer Leaf connect-interface Loopback1
[spine2-bgp-Underlay] peer 4.1.1.3 group Leaf
[spine2-bgp-Underlay] peer 4.1.1.4 group Leaf
[spine2-bgp-Underlay] peer 4.1.1.5 group Leaf
[spine2-bgp-Underlay] peer 4.1.1.6 group Leaf
[spine2-bgp-Underlay] peer 4.1.1.7 group Leaf
[spine2-bgp-Underlay] peer 4.1.1.8 group Leaf
[spine2-bgp-Underlay] address-family ipv4 unicast
[spine2-bgp-Underlay-ipv4] balance 4
[spine2-bgp-Underlay-ipv4] peer Leaf enable
[spine2-bgp-Underlay-ipv4] quit
[spine2-bgp-Underlay] quit
[spine2] interface LoopBack0
[spine2-LoopBack0] ip address 10.1.1.3 255.255.255.255
[spine2-LoopBack0] quit
Select one routing protocol to configure:
Configure OSPF
[spine2] interface LoopBack0
[spine2-LoopBack0] ospf 1 area 0.0.0.0
[spine2-LoopBack0] quit
Configure IS-IS
[spine2] interface LoopBack0
[spine2-LoopBack0] isis enable 1
[spine2-LoopBack0] quit
Configure EBGP
[spine2] bgp 500 instance Underlay
[spine2-bgp-Underlay] address-family ipv4 unicast
[spine2-bgp-Underlay-ipv4] network 10.1.1.3 255.255.255.255
[spine2-bgp-Underlay-ipv4] quit
[spine2-bgp-Underlay] quit
Configure the IBGP RR
[spine2] bgp 100
[spine2-bgp-default] non-stop-routing
[spine2-bgp-default] router-id 10.1.1.3
[spine2-bgp-default] group evpn internal
[spine2-bgp-default] peer evpn source-address 10.1.1.3
[spine2-bgp-default] peer 10.1.1.4 group evpn
[spine2-bgp-default] peer 10.1.1.5 group evpn
[spine2-bgp-default] peer 10.1.1.6 group evpn
[spine2-bgp-default] peer 10.1.1.7 group evpn
[spine2-bgp-default] peer 10.1.1.8 group evpn
[spine2-bgp-default] peer 10.1.1.9 group evpn
[spine2-bgp-default] address-family l2vpn evpn
[spine2-bgp-default-evpn] undo policy vpn-target
[spine2-bgp-default-evpn] peer evpn enable
[spine2-bgp-default-evpn] peer evpn reflect-client
[spine2-bgp-default-evpn] quit
[spine2-bgp-default] quit
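The following uses the interface that connects to Server Leaf 1 as an example. Configure the interfaces that connect to the other Leaf and Border devices in the same way.
The configuration of the interface that connects to a Leaf depends on the underlay routing protocol. Select one of OSPF, IS-IS, or EBGP to configure.
Configure OSPF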
[spine2] interface HundredGigE1/0/5
[spine2-HundredGigE1/0/5] port link-mode route
[spine2-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[spine2-HundredGigE1/0/5] ospf network-type p2p
[spine2-HundredGigE1/0/5] ospf 1 area 0.0.0.0
[spine2-HundredGigE1/0/5] lldp management-address arp-learning
[spine2-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[spine2-HundredGigE1/0/5] quit
Configure IS-IS
[spine2] interface HundredGigE1/0/5
[spine2-HundredGigE1/0/5] port link-mode route
[spine2-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[spine2-HundredGigE1/0/5] isis enable 1
[spine2-HundredGigE1/0/5] isis circuit-level level-2
[spine2-HundredGigE1/0/5] isis circuit-type p2p
[spine2-HundredGigE1/0/5] isis authentication-mode md5 simple 123456
[spine2-HundredGigE1/0/5] lldp management-address arp-learning
[spine2-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[spine2-HundredGigE1/0/5] quit
Configure EBGP
[spine2] interface HundredGigE1/0/5
[spine2-HundredGigE1/0/5] port link-mode route
[spine2-HundredGigE1/0/5] ip address unnumbered interface LoopBack1
[spine2-HundredGigE1/0/5] lldp management-address arp-learning
[spine2-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[spine2-HundredGigE1/0/5] arp route-direct advertise
[spine2-HundredGigE1/0/5] quit
[spine2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
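(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions section of fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
○ Device name: spine2.
○ Basic info:
- Device type: Underlay physical device.
- Management IP: 192.168.11.3.
- VTEP IP: 10.1.1.3.
- Preferred region: region1.
- Device role: Spine.
- Configure the other parameters as required by the network. This example uses the default settings.
Figure 51 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
○ NETCONF username: admin.
○ NETCONF password: Qwert@1234. The password must be complex and must match the one configured on the device.
○ Confirm NETCONF password: Qwert@1234.
○ Configure the other parameters as required by the network. This example uses the default settings.
Figure 52 Configuring the device control protocol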

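(4) Click the "OpenFlow" tab and configure the following parameters:
○ VRF name: the name of the VPN to which the switching device's management interface belongs. This example uses mgmt.
○ Configure the other parameters as required by the network. This example uses the default settings.
Figure 53 Configuring OpenFlow
(5) Click <OK> to finish adding the device.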
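The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.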
<server-leaf1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<server-leaf1> reboot force
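After configuring the hardware resource parameters, reboot the device for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G-AF T series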
[server-leaf1] hardware-resource tcam normal
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw
S12500X
[server-leaf1] hardware-resource tcam routing
[server-leaf1] hardware-resource vxlan normal
[server-leaf1] hardware-resource mcast normal
[server-leaf1] hardware-resource scale-rt-prefix none
[server-leaf1] hardware-resource mpls normal
[server-leaf1] hardware-resource parser normal
S6800
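When the S6800 acts as a Leaf or Border, configure its hardware resources according to service requirements. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".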
[server-leaf1] hardware-resource switch-mode 4
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw40k
S6860
[server-leaf1] hardware-resource switch-mode 4
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw24k
S6850/S9850/S6805/S6825
[server-leaf1] hardware-resource switch-mode DUAL-STACK
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw
S10500X
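On the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
(1) Change the interface module parameter. This example uses slot 0.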
[server-leaf1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter. This example uses slot 6.
[server-leaf1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
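On the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
Change the interface module parameter. This example uses slot 2.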
[server-leaf1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S6520X/S5560X/S6812/S6813/S6880
[server-leaf1] switch-mode 1
Reboot device to make the configuration take effect.
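S12500G-AF S series
On the S12500G-AF S series, the hardware resource parameter switch-mode must be set to normal; use the display switch-mode status command to view the configured value. system-working-mode must be set to expert; use the display system-working-mode command to view the configured value. Use the following commands to change switch-mode and system-working-mode; the changes take effect after a reboot.
The following uses slot 3 as an example.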
[server-leaf1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
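On the S10506X-G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
The following uses slot 1 as an example.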
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
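On the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
The following uses slot 1 as an example.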
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9820-8M
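On the S9820-8M, the hardware resource parameter switch-mode must be set to vxlan. Use the display switch-mode status command to view the configured value. If switch-mode is not vxlan, use the switch-mode command to change it to vxlan; the change takes effect after a reboot.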
[server-leaf1] switch-mode 1
Reboot device to make the configuration take effect.
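S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be set to normal; use the display switch-mode status command to view the configured value. system-working-mode must be set to expert; use the display system-working-mode command to view the configured value. Use the following commands to change switch-mode and system-working-mode; the changes take effect after a reboot.
The following uses slot 3 as an example.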
[server-leaf1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
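On the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
The following uses slot 1 as an example.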
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
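On the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
The following uses slot 1 as an example.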
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
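On the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC and defaults to ROUTING. The two modes differ only in specifications, not in functionality. Keeping the default value is recommended, and so is using the same mode on both ends. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. Use the following commands to change the values; the changes take effect after a reboot.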
[server-leaf1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
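On the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING; use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. Use the following commands to change the values; the changes take effect after a reboot.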
[server-leaf1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[server-leaf1] ip vpn-instance mgmt
(2) Configure the default route for the management network, with the gateway address of the management switch as the next hop.
[server-leaf1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[server-leaf1] interface M-GigabitEthernet1/0/0/2
[server-leaf1-M-GigabitEthernet1/0/0/2] ip binding vpn-instance mgmt
[server-leaf1-M-GigabitEthernet1/0/0/2] ip address 192.168.11.4 255.255.255.0
[server-leaf1-M-GigabitEthernet1/0/0/2] quit
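(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".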
[server-leaf1] local-user admin class manage
[server-leaf1-luser-manage-admin] password simple Qwert@1234
[server-leaf1-luser-manage-admin] service-type https ssh
[server-leaf1-luser-manage-admin] authorization-attribute user-role network-admin
[server-leaf1-luser-manage-admin] authorization-attribute user-role network-operator
[server-leaf1-luser-manage-admin] quit
(5) Configure the VTY lines.
[server-leaf1] line vty 0 63
[server-leaf1-line-vty0-63] authentication-mode scheme
[server-leaf1-line-vty0-63] user-role network-admin
[server-leaf1-line-vty0-63] user-role network-operator
[server-leaf1-line-vty0-63] quit
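(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".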
[server-leaf1] netconf soap https enable
[server-leaf1] netconf ssh server enable
(7) Enable the SSH service.
[server-leaf1] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses the NTP server IP address 192.168.10.101.
[server-leaf1] ntp-service enable
[server-leaf1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[server-leaf1] snmp-agent
[server-leaf1] snmp-agent community write private
[server-leaf1] snmp-agent community read public
[server-leaf1] snmp-agent sys-info version all
[server-leaf1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[server-leaf1] lldp global enable
(1) Enable L2VPN on the device.
[server-leaf1] l2vpn enable
(2) Disable MAC, ARP, and ND learning from VXLAN tunnels.
[server-leaf1] vxlan tunnel mac-learning disable
[server-leaf1] vxlan tunnel arp-learning disable
[server-leaf1] vxlan tunnel nd-learning disable
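To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF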
[server-leaf1] ospf 1 router-id 192.168.11.4
[server-leaf1-ospf-1] non-stop-routing
[server-leaf1-ospf-1] area 0.0.0.0
[server-leaf1-ospf-1] quit
Configure IS-IS
[server-leaf1] isis 1
[server-leaf1-isis-1] non-stop-routing
[server-leaf1-isis-1] is-level level-2
[server-leaf1-isis-1] is-name user1
[server-leaf1-isis-1] network-entity 86.4713.0021.0100.0400.1004.00
[server-leaf1-isis-1] address-family ipv4 unicast
[server-leaf1-isis-1-ipv4] maximum load-balancing 4
[server-leaf1-isis-1-ipv4] quit
[server-leaf1-isis-1] quit
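Configure EBGP
The two Spine Border or Spine devices use AS number 500, and the four devices in the Leaf role use AS number 501. EBGP peer relationships are established between the Spine Border or Spine devices and the Leaf-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.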
[server-leaf1] interface LoopBack1
[server-leaf1-LoopBack1] ip address 4.1.1.3 255.255.255.255
[server-leaf1-LoopBack1] quit
[server-leaf1] bgp 501 instance Underlay
[server-leaf1-bgp-Underlay] non-stop-routing
[server-leaf1-bgp-Underlay] router-id 4.1.1.3
[server-leaf1-bgp-Underlay] group Spine external
[server-leaf1-bgp-Underlay] peer Spine as-number 500
[server-leaf1-bgp-Underlay] peer Spine ebgp-max-hop 2
[server-leaf1-bgp-Underlay] peer Spine connect-interface Loopback1
[server-leaf1-bgp-Underlay] peer 4.1.1.1 group Spine
[server-leaf1-bgp-Underlay] peer 4.1.1.2 group Spine
[server-leaf1-bgp-Underlay] address-family ipv4 unicast
[server-leaf1-bgp-Underlay-ipv4] balance 4
[server-leaf1-bgp-Underlay-ipv4] peer Spine enable
[server-leaf1-bgp-Underlay-ipv4] peer Spine allow-as-loop 2
[server-leaf1-bgp-Underlay-ipv4] quit
[server-leaf1-bgp-Underlay] quit
[server-leaf1] interface LoopBack0
[server-leaf1-LoopBack0] ip address 10.1.1.4 255.255.255.255
[server-leaf1-LoopBack0] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf1] interface LoopBack0
[server-leaf1-LoopBack0] ospf 1 area 0.0.0.0
[server-leaf1-LoopBack0] quit
Configure IS-IS
[server-leaf1] interface LoopBack0
[server-leaf1-LoopBack0] isis enable 1
[server-leaf1-LoopBack0] quit
Configure EBGP
[server-leaf1] bgp 501 instance Underlay
[server-leaf1-bgp-Underlay] address-family ipv4 unicast
[server-leaf1-bgp-Underlay-ipv4] network 10.1.1.4 255.255.255.255
[server-leaf1-bgp-Underlay-ipv4] quit
[server-leaf1-bgp-Underlay] quit
Configure IBGP
[server-leaf1] bgp 100
[server-leaf1-bgp-default] non-stop-routing
[server-leaf1-bgp-default] router-id 10.1.1.4
[server-leaf1-bgp-default] group evpn internal
[server-leaf1-bgp-default] peer evpn connect-interface Loopback0
[server-leaf1-bgp-default] peer 10.1.1.2 group evpn
[server-leaf1-bgp-default] peer 10.1.1.3 group evpn
[server-leaf1-bgp-default] address-family l2vpn evpn
[server-leaf1-bgp-default-evpn] peer evpn enable
[server-leaf1-bgp-default-evpn] quit
[server-leaf1-bgp-default] quit
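The following uses the interface connected to Spine 1 as an example. Configure the interface connected to Spine 2 in the same way.
The configuration of the interface connected to the Spine differs depending on the underlay routing protocol. Select one of OSPF, IS-IS, and EBGP to configure.
Configure OSPF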
[server-leaf1] interface HundredGigE1/0/25
[server-leaf1-HundredGigE1/0/25] port link-mode route
[server-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf1-HundredGigE1/0/25] ospf network-type p2p
[server-leaf1-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[server-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf1-HundredGigE1/0/25] quit
Configure IS-IS
[server-leaf1] interface HundredGigE1/0/25
[server-leaf1-HundredGigE1/0/25] port link-mode route
[server-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf1-HundredGigE1/0/25] isis enable 1
[server-leaf1-HundredGigE1/0/25] isis circuit-level level-2
[server-leaf1-HundredGigE1/0/25] isis circuit-type p2p
[server-leaf1-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
[server-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf1-HundredGigE1/0/25] quit
Configure EBGP
[server-leaf1] interface HundredGigE1/0/25
[server-leaf1-HundredGigE1/0/25] port link-mode route
[server-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack1
[server-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[server-leaf1-HundredGigE1/0/25] arp route-direct advertise
[server-leaf1-HundredGigE1/0/25] quit
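The Global MAC is the Router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE, or select one from the Available Global MAC values of the two devices.
On the S12500G/S12500X/S7500X/S10500X/S5900x-EI, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.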
[server-leaf1] evpn global-mac 0001-0001-0002
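Use the LoopBack0 interface address as the M-LAG real address. M-LAG single-homed access, M-LAG single-sided access, Type 5 routes, and so on use this address.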
[server-leaf1] evpn m-lag local 10.1.1.4 remote 10.1.1.5
(1) Configure the M-LAG virtual address.
[server-leaf1] interface LoopBack2
[server-leaf1-LoopBack2] ip address 10.20.1.4 255.255.255.255
[server-leaf1-LoopBack2] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf1] interface LoopBack2
[server-leaf1-LoopBack2] ospf 1 area 0.0.0.0
[server-leaf1-LoopBack2] quit
Configure IS-IS
[server-leaf1] interface LoopBack2
[server-leaf1-LoopBack2] isis enable 1
[server-leaf1-LoopBack2] isis circuit-level level-2
[server-leaf1-LoopBack2] quit
Configure EBGP
[server-leaf1] bgp 501 instance Underlay
[server-leaf1-bgp-Underlay] address-family ipv4 unicast
[server-leaf1-bgp-Underlay-ipv4] network 10.20.1.4 255.255.255.255
[server-leaf1-bgp-Underlay-ipv4] quit
[server-leaf1-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[server-leaf1] evpn m-lag group 10.20.1.4
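(1) All M-LAG devices in an M-LAG system must use the same system-mac, which must be unique across the entire network. It is recommended to use the bridge MAC of either M-LAG device as the system-mac. To view the bridge MAC of a device, run the display lacp system-id command on the device.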
[server-leaf1] m-lag system-mac 0002-0003-0002
(2) Configure the M-LAG system-number. Note: The two M-LAG devices must use different system-numbers. For example, one M-LAG device uses system-number 1 and the other M-LAG device uses system-number 2.
[server-leaf1] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[server-leaf1] m-lag system-priority 10
(1) Create VLANs.
[server-leaf1] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[server-leaf1] interface Bridge-Aggregation1
[server-leaf1-Bridge-Aggregation1] port link-type trunk
[server-leaf1-Bridge-Aggregation1] port trunk permit vlan all
[server-leaf1-Bridge-Aggregation1] port trunk pvid vlan 4094
[server-leaf1-Bridge-Aggregation1] link-aggregation mode dynamic
[server-leaf1-Bridge-Aggregation1] port m-lag peer-link 1
[server-leaf1-Bridge-Aggregation1] undo mac-address static source-check enable
[server-leaf1-Bridge-Aggregation1] quit
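On S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: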
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[server-leaf1] interface Ten-GigabitEthernet1/0/9
[server-leaf1-Ten-GigabitEthernet1/0/9] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/9] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/9] port trunk permit vlan all
[server-leaf1-Ten-GigabitEthernet1/0/9] port trunk pvid vlan 4094
[server-leaf1-Ten-GigabitEthernet1/0/9] port link-aggregation group 1
[server-leaf1-Ten-GigabitEthernet1/0/9] quit
(4) Configure peer-link physical interface 2.
[server-leaf1] interface Ten-GigabitEthernet1/0/10
[server-leaf1-Ten-GigabitEthernet1/0/10] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/10] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/10] port trunk permit vlan all
[server-leaf1-Ten-GigabitEthernet1/0/10] port trunk pvid vlan 4094
[server-leaf1-Ten-GigabitEthernet1/0/10] port link-aggregation group 1
[server-leaf1-Ten-GigabitEthernet1/0/10] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the link goes MAD UP only after the specified delay has elapsed.
[server-leaf1] m-lag restore-delay 180
(2) Configure the VPN.
[server-leaf1] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[server-leaf1] interface HundredGigE1/0/30
[server-leaf1-HundredGigE1/0/30] port link-mode route
[server-leaf1-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[server-leaf1-HundredGigE1/0/30] ip address 10.10.1.5 255.255.255.252
[server-leaf1-HundredGigE1/0/30] quit
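(4) Configure the M-LAG MAD whitelist.
All physical interfaces except the M-LAG peer-link interfaces, the MAD interface, and interfaces to be added to a service loopback group must be added to the whitelist.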
[server-leaf1] m-lag mad default-action none
[server-leaf1] m-lag keepalive ip destination 10.10.1.6 source 10.10.1.5 vpn-instance auto-online-mlag
[server-leaf1] m-lag mad include interface FortyGigE1/3/0/2
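…omitted…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 go DOWN at the same time, traffic from the downlink interfaces of device 1 reaches the uplink interfaces of device 2 through the escape path over the peer-link, so that connectivity with other devices is maintained.
It is recommended to use the PVID VLAN of the peer-link interface as the escape VLAN.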
[server-leaf1] interface Vlan-interface4094
[server-leaf1-Vlan-interface4094] ip address 10.30.1.5 255.255.255.252
[server-leaf1-Vlan-interface4094] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf1] interface Vlan-interface4094
[server-leaf1-Vlan-interface4094] ospf 1 area 0.0.0.0
[server-leaf1-Vlan-interface4094] quit
Configure IS-IS
[server-leaf1] interface Vlan-interface4094
[server-leaf1-Vlan-interface4094] isis enable 1
[server-leaf1-Vlan-interface4094] quit
Configure EBGP
[server-leaf1] route-policy ibgpsurvive permit node 100
[server-leaf1-route-policy-ibgpsurvive-100] apply local-preference 0
[server-leaf1-route-policy-ibgpsurvive-100] quit
[server-leaf1] bgp 501 instance Underlay
[server-leaf1-bgp-Underlay] peer 10.30.1.6 as-number 501
[server-leaf1-bgp-Underlay] address-family ipv4 unicast
[server-leaf1-bgp-Underlay-ipv4] network 10.30.1.5 255.255.255.252
[server-leaf1-bgp-Underlay-ipv4] peer 10.30.1.6 route-policy ibgpsurvive export
[server-leaf1-bgp-Underlay-ipv4] peer 10.30.1.6 next-hop-local
[server-leaf1-bgp-Underlay-ipv4] quit
[server-leaf1-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[server-leaf1] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
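· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: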
[server-leaf1] l2vpn m-lag peer-link tunnel source 10.1.1.4 destination 10.1.1.5
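To forward VXLAN packets properly in single-homed access networks, where the tunnel source address is the M-LAG real address, default decapsulation must be configured.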
[server-leaf1] vxlan default-decapsulation source interface LoopBack0
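The auto-recovery time after an M-LAG device starts must be longer than the restart time of the peer device. For chassis devices such as the S12500G/S12500X/S10500X/S7500X, the reference value is 600 seconds. For fixed-port devices such as the S68XX, the reference value is 300 seconds. Configure it as follows: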
[server-leaf1] m-lag auto-recovery reload-delay 600
M-LAG interface configuration for the LACP aggregate link connected to Server 1
[server-leaf1] interface Bridge-Aggregation256
[server-leaf1-Bridge-Aggregation256] port link-type trunk
[server-leaf1-Bridge-Aggregation256] undo port trunk permit vlan 1
[server-leaf1-Bridge-Aggregation256] link-aggregation mode dynamic
[server-leaf1-Bridge-Aggregation256] port m-lag group 3
[server-leaf1-Bridge-Aggregation256] quit
[server-leaf1] interface Ten-GigabitEthernet1/0/11
[server-leaf1-Ten-GigabitEthernet1/0/11] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/11] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/11] undo port trunk permit vlan 1
[server-leaf1-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[server-leaf1-Ten-GigabitEthernet1/0/11] quit
(1) Configure the physical interface for the active/standby link connected to Server 2.
[server-leaf1] interface Ten-GigabitEthernet1/0/12
[server-leaf1-Ten-GigabitEthernet1/0/12] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/12] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/12] undo port trunk permit vlan 1
[server-leaf1-Ten-GigabitEthernet1/0/12] quit
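(2) Configure evpn m-lag local. Because the Server Leaf connects to the active/standby links of Server 2, the two devices in the M-LAG system have different single-homed ACs, that is, a given AC exists only on device 1 or only on device 2. Routes learned from single-homed ACs use the M-LAG real address as the next hop.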
[server-leaf1] evpn m-lag local 10.1.1.4 remote 10.1.1.5
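· When M-LAG active/standby links are used, enable "Automatically deploy active/standby AC link configuration" on the [Automation > Data Center Networks > Fabrics > Parameter Settings > Controller Global Settings] page of the controller. Only then does the controller deploy the configuration to both M-LAG devices at the same time.
· When M-LAG active/standby links are used, configure the controller so that LLDP packets are sent to it. To do this, go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, open the settings page of the specified Fabric, click the [Settings] tab, and select "Send LLDP to controller" in the LLDP parameters.
· When M-LAG active/standby links are used, LLDP must be enabled on the server. If LLDP cannot be enabled on the server, configure the link information on the controller. To do this, after the controller has incorporated the Server-Leaf, go to the [Automation > Data Center Networks > Fabrics > Link Management] page, click the [Server Links] tab, and add the primary link information and the backup link information. The system name in the primary and backup link information must be the same and globally unique.
On M-LAG devices with single-homed access, set the MAC address aging time to 26 minutes.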
[server-leaf1] mac-address timer aging 1560
[server-leaf1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
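(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the operation column for fabric1, and then click the "Switching Devices" tab to open the switching device configuration page for fabric1.
(2) Click <Add> to open the Add Switching Device page. On the "Basic Information" tab of that page, configure the following parameters:
¡ Device name: server-leaf1.
¡ Basic information:
- Fabric: fabric1. Do not use the controller's default Fabric, DEFAULTFABRIC.
- Device type: Access device.
- Management IP: 192.168.11.4.
- VTEP IP: 10.1.1.4.
- Preferred Region: region1.
- Device role: Leaf.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 54 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 55 Adding a switching device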

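(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 56 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: Name of the VPN to which the management interface of the switching device belongs. This example uses mgmt.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 57 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as required by the network. This example uses the default settings.
Figure 58 Advanced settings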

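(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.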
<server-leaf2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<server-leaf2> reboot force
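After the hardware resource parameters are configured, the device must be restarted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G-AF T series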
[server-leaf2] hardware-resource tcam normal
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw
S12500X
[server-leaf2] hardware-resource tcam routing
[server-leaf2] hardware-resource vxlan normal
[server-leaf2] hardware-resource mcast normal
[server-leaf2] hardware-resource scale-rt-prefix none
[server-leaf2] hardware-resource mpls normal
[server-leaf2] hardware-resource parser normal
S6800
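When an S6800 acts as a Leaf or Border, configure the hardware resources according to the services in use. For the configuration method, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".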
[server-leaf2] hardware-resource switch-mode 4
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw40k
S6860
[server-leaf2] hardware-resource switch-mode 4
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw24k
S6850/S9850/S6805/S6825
[server-leaf2] hardware-resource switch-mode DUAL-STACK
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw
S10500X
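On the S10500X, the switch-mode hardware resource parameter must use the default value. The default switch-mode of interface cards is mix-bridging-routing, and the default switch-mode of MPUs and switching fabric modules is enhance-ipv6-route. Use the display switch-mode status command to view the configured value. If the switch-mode value is not the default, use the switch-mode command to change it to the default. The change takes effect after a reboot.
(1) Change the interface card parameter. This example uses slot 0.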
[server-leaf2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter. This example uses slot 6.
[server-leaf2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
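On the S7500X, the switch-mode hardware resource parameter must use the default value. The default switch-mode of interface cards is mix-bridging-routing, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If the switch-mode value is not the default, use the switch-mode command to change it to the default. The change takes effect after a reboot.
Change the interface card parameter. This example uses slot 2.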
[server-leaf2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S6520X/S5560X/S6812/S6813/S6880
[server-leaf2] switch-mode 1
Reboot device to make the configuration take effect.
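S12500G-AF S series
On the S12500G-AF S series, the switch-mode hardware resource parameter must be normal; use the display switch-mode status command to view the configured value. system-working-mode must be expert; use the display system-working-mode command to view the configured value. switch-mode and system-working-mode can be changed with the following commands. The changes take effect after a reboot.
This example uses slot 3.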
[server-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
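On the S10506X-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If the switch-mode value is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
This example uses slot 1.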
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
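On the S6850-56HF-G/S9850-32H-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If the switch-mode value is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
This example uses slot 1.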
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9820-8M
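On the S9820-8M, the switch-mode hardware resource parameter must be vxlan. Use the display switch-mode status command to view the configured value. If the switch-mode value is not vxlan, use the switch-mode command to change it to vxlan. The change takes effect after a reboot.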
[server-leaf2] switch-mode 1
Reboot device to make the configuration take effect.
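S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the switch-mode hardware resource parameter must be normal; use the display switch-mode status command to view the configured value. system-working-mode must be expert; use the display system-working-mode command to view the configured value. switch-mode and system-working-mode can be changed with the following commands. The changes take effect after a reboot.
This example uses slot 3.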
[server-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
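On the S10500XG/12500G-EF, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If the switch-mode value is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
This example uses slot 1.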
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
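On the S6805G/S6850G/9850G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If the switch-mode value is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
This example uses slot 1.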
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
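On the S9825/S9855, the hardware-resource switch-mode hardware resource parameter can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications and have no functional impact. It is recommended to keep the default value and to use the same mode on both ends. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. The values can be changed with the following commands. The changes take effect after a reboot.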
[server-leaf2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
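On the S9827, set the hardware-resource switch-mode hardware resource parameter to ROUTING; use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. The values can be changed with the following commands. The changes take effect after a reboot.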
[server-leaf2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[server-leaf2] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[server-leaf2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[server-leaf2] interface M-GigabitEthernet1/0/0/2
[server-leaf2-M-GigabitEthernet1/0/0/2] ip binding vpn-instance mgmt
[server-leaf2-M-GigabitEthernet1/0/0/2] ip address 192.168.11.5 255.255.255.0
[server-leaf2-M-GigabitEthernet1/0/0/2] quit
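(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".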
[server-leaf2] local-user admin class manage
[server-leaf2-luser-manage-admin] password simple Qwert@1234
[server-leaf2-luser-manage-admin] service-type https ssh
[server-leaf2-luser-manage-admin] authorization-attribute user-role network-admin
[server-leaf2-luser-manage-admin] authorization-attribute user-role network-operator
[server-leaf2-luser-manage-admin] quit
(5) Configure the VTY lines.
[server-leaf2] line vty 0 63
[server-leaf2-line-vty0-63] authentication-mode scheme
[server-leaf2-line-vty0-63] user-role network-admin
[server-leaf2-line-vty0-63] user-role network-operator
[server-leaf2-line-vty0-63] quit
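(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".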
[server-leaf2] netconf soap https enable
[server-leaf2] netconf ssh server enable
(7) Enable the SSH service.
[server-leaf2] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses the NTP server IP address 192.168.10.101.
[server-leaf2] ntp-service enable
[server-leaf2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[server-leaf2] snmp-agent
[server-leaf2] snmp-agent community write private
[server-leaf2] snmp-agent community read public
[server-leaf2] snmp-agent sys-info version all
[server-leaf2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[server-leaf2] lldp global enable
(1) Enable L2VPN on the device.
[server-leaf2] l2vpn enable
(2) Disable learning of MAC, ARP, and ND entries from VXLAN tunnels.
[server-leaf2] vxlan tunnel mac-learning disable
[server-leaf2] vxlan tunnel arp-learning disable
[server-leaf2] vxlan tunnel nd-learning disable
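To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference occurs.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF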
[server-leaf2] ospf 1 router-id 192.168.11.5
[server-leaf2-ospf-1] non-stop-routing
[server-leaf2-ospf-1] area 0.0.0.0
[server-leaf2-ospf-1] quit
Configure IS-IS
[server-leaf2] isis 1
[server-leaf2-isis-1] non-stop-routing
[server-leaf2-isis-1] is-level level-2
[server-leaf2-isis-1] is-name user1
[server-leaf2-isis-1] network-entity 86.4713.0021.0100.0400.1005.00 //Each device has a different network-entity
[server-leaf2-isis-1] address-family ipv4 unicast
[server-leaf2-isis-1-ipv4] maximum load-balancing 4
[server-leaf2-isis-1-ipv4] quit
[server-leaf2-isis-1] quit
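Configure EBGP
The two Spine Border or Spine devices use AS number 500, and the four devices in the Leaf role use AS number 501. EBGP peer relationships are established between the Spine Border or Spine devices and the Leaf-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.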
[server-leaf2] interface LoopBack1
[server-leaf2-LoopBack1] ip address 4.1.1.4 255.255.255.255
[server-leaf2-LoopBack1] quit
[server-leaf2] bgp 501 instance Underlay
[server-leaf2-bgp-Underlay] non-stop-routing
[server-leaf2-bgp-Underlay] router-id 4.1.1.4
[server-leaf2-bgp-Underlay] group Spine external
[server-leaf2-bgp-Underlay] peer Spine as-number 500
[server-leaf2-bgp-Underlay] peer Spine ebgp-max-hop 2
[server-leaf2-bgp-Underlay] peer Spine connect-interface Loopback1
[server-leaf2-bgp-Underlay] peer 4.1.1.1 group Spine
[server-leaf2-bgp-Underlay] peer 4.1.1.2 group Spine
[server-leaf2-bgp-Underlay] address-family ipv4 unicast
[server-leaf2-bgp-Underlay-ipv4] balance 4
[server-leaf2-bgp-Underlay-ipv4] peer Spine enable
[server-leaf2-bgp-Underlay-ipv4] peer Spine allow-as-loop 2
[server-leaf2-bgp-Underlay-ipv4] quit
[server-leaf2-bgp-Underlay] quit
VTEP address configuration
[server-leaf2] interface LoopBack0
[server-leaf2-LoopBack0] ip address 10.1.1.5 255.255.255.255
[server-leaf2-LoopBack0] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf2] interface LoopBack0
[server-leaf2-LoopBack0] ospf 1 area 0.0.0.0
[server-leaf2-LoopBack0] quit
Configure IS-IS
[server-leaf2] interface LoopBack0
[server-leaf2-LoopBack0] isis enable 1
[server-leaf2-LoopBack0] quit
Configure EBGP
[server-leaf2] bgp 501 instance Underlay
[server-leaf2-bgp-Underlay] address-family ipv4 unicast
[server-leaf2-bgp-Underlay-ipv4] network 10.1.1.5 255.255.255.255
[server-leaf2-bgp-Underlay-ipv4] quit
[server-leaf2-bgp-Underlay] quit
Configure IBGP
[server-leaf2] bgp 100
[server-leaf2-bgp-default] non-stop-routing
[server-leaf2-bgp-default] router-id 10.1.1.5
[server-leaf2-bgp-default] group evpn internal
[server-leaf2-bgp-default] peer evpn connect-interface Loopback0
[server-leaf2-bgp-default] peer 10.1.1.2 group evpn
[server-leaf2-bgp-default] peer 10.1.1.3 group evpn
[server-leaf2-bgp-default] address-family l2vpn evpn
[server-leaf2-bgp-default-evpn] peer evpn enable
[server-leaf2-bgp-default-evpn] quit
[server-leaf2-bgp-default] quit
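The following uses the interface connected to Spine 1 as an example. Configure the interface connected to Spine 2 in the same way.
The configuration of the interface connected to the Spine differs depending on the underlay routing protocol. Select one of OSPF, IS-IS, and EBGP to configure.
Configure OSPF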
[server-leaf2] interface HundredGigE1/0/25
[server-leaf2-HundredGigE1/0/25] port link-mode route
[server-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf2-HundredGigE1/0/25] ospf network-type p2p
[server-leaf2-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[server-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf2-HundredGigE1/0/25] quit
Configure IS-IS
[server-leaf2] interface HundredGigE1/0/25
[server-leaf2-HundredGigE1/0/25] port link-mode route
[server-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf2-HundredGigE1/0/25] isis enable 1
[server-leaf2-HundredGigE1/0/25] isis circuit-level level-2
[server-leaf2-HundredGigE1/0/25] isis circuit-type p2p
[server-leaf2-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
[server-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf2-HundredGigE1/0/25] quit
Configure EBGP
[server-leaf2] interface HundredGigE1/0/25
[server-leaf2-HundredGigE1/0/25] port link-mode route
[server-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack1
[server-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[server-leaf2-HundredGigE1/0/25] arp route-direct advertise
[server-leaf2-HundredGigE1/0/25] quit
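The Global MAC is the Router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE, or select one from the Available Global MAC values of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.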
[server-leaf2] evpn global-mac 0001-0001-0002
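Use the LoopBack0 interface address as the M-LAG real address. M-LAG single-homed access, M-LAG single-sided access, Type 5 routes, and so on use this address.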
[server-leaf2] evpn m-lag local 10.1.1.5 remote 10.1.1.4
(1) Configure the M-LAG virtual address.
[server-leaf2] interface LoopBack2
[server-leaf2-LoopBack2] ip address 10.20.1.4 255.255.255.255
[server-leaf2-LoopBack2] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf2] interface LoopBack2
[server-leaf2-LoopBack2] ospf 1 area 0.0.0.0
[server-leaf2-LoopBack2] quit
Configure IS-IS
[server-leaf2] interface LoopBack2
[server-leaf2-LoopBack2] isis enable 1
[server-leaf2-LoopBack2] isis circuit-level level-2
[server-leaf2-LoopBack2] quit
Configure EBGP
[server-leaf2] bgp 501 instance Underlay
[server-leaf2-bgp-Underlay] address-family ipv4 unicast
[server-leaf2-bgp-Underlay-ipv4] network 10.20.1.4 255.255.255.255
[server-leaf2-bgp-Underlay-ipv4] quit
[server-leaf2-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[server-leaf2] evpn m-lag group 10.20.1.4
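(1) All M-LAG devices in an M-LAG system must use the same system-mac, which must be unique across the entire network. It is recommended to use the bridge MAC of either M-LAG device as the system-mac. To view the bridge MAC of a device, run the display lacp system-id command on the device.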
[server-leaf2] m-lag system-mac 0002-0003-0002
(2) Configure the M-LAG system-number. Note: The two M-LAG devices must use different system-numbers. For example, one M-LAG device uses system-number 1 and the other M-LAG device uses system-number 2.
[server-leaf2] m-lag system-number 1
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[server-leaf2] m-lag system-priority 10
(1) Create VLANs.
[server-leaf2] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[server-leaf2] interface Bridge-Aggregation1
[server-leaf2-Bridge-Aggregation1] port link-type trunk
[server-leaf2-Bridge-Aggregation1] port trunk permit vlan all
[server-leaf2-Bridge-Aggregation1] port trunk pvid vlan 4094
[server-leaf2-Bridge-Aggregation1] link-aggregation mode dynamic
[server-leaf2-Bridge-Aggregation1] port m-lag peer-link 1
[server-leaf2-Bridge-Aggregation1] undo mac-address static source-check enable
[server-leaf2-Bridge-Aggregation1] quit
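On S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: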
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[server-leaf2] interface Ten-GigabitEthernet1/0/9
[server-leaf2-Ten-GigabitEthernet1/0/9] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/9] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/9] port trunk permit vlan all
[server-leaf2-Ten-GigabitEthernet1/0/9] port trunk pvid vlan 4094
[server-leaf2-Ten-GigabitEthernet1/0/9] port link-aggregation group 1
[server-leaf2-Ten-GigabitEthernet1/0/9] quit
(4) Configure peer-link physical interface 2.
[server-leaf2] interface Ten-GigabitEthernet1/0/10
[server-leaf2-Ten-GigabitEthernet1/0/10] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/10] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/10] port trunk permit vlan all
[server-leaf2-Ten-GigabitEthernet1/0/10] port trunk pvid vlan 4094
[server-leaf2-Ten-GigabitEthernet1/0/10] port link-aggregation group 1
[server-leaf2-Ten-GigabitEthernet1/0/10] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the link goes MAD UP only after the specified delay has elapsed.
[server-leaf2] m-lag restore-delay 180
(2) Configure the VPN.
[server-leaf2] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[server-leaf2] interface HundredGigE1/0/30
[server-leaf2-HundredGigE1/0/30] port link-mode route
[server-leaf2-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[server-leaf2-HundredGigE1/0/30] ip address 10.10.1.6 255.255.255.252
[server-leaf2-HundredGigE1/0/30] quit
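(4) Configure the M-LAG MAD whitelist.
All physical interfaces except the M-LAG peer-link interfaces, the MAD interface, and interfaces to be added to a service loopback group must be added to the whitelist.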
[server-leaf2] m-lag mad default-action none
[server-leaf2] m-lag keepalive ip destination 10.10.1.5 source 10.10.1.6 vpn-instance auto-online-mlag
[server-leaf2] m-lag mad include interface FortyGigE1/3/0/2
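…omitted…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 go DOWN at the same time, traffic from the downlink interfaces of device 1 reaches the uplink interfaces of device 2 through the escape path over the peer-link, so that connectivity with other devices is maintained.
It is recommended to use the PVID VLAN of the peer-link interface as the escape VLAN.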
[server-leaf2] interface Vlan-interface4094
[server-leaf2-Vlan-interface4094] ip address 10.30.1.6 255.255.255.252
[server-leaf2-Vlan-interface4094] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf2] interface Vlan-interface4094
[server-leaf2-Vlan-interface4094] ospf 1 area 0.0.0.0
[server-leaf2-Vlan-interface4094] quit
Configure IS-IS
[server-leaf2] interface Vlan-interface4094
[server-leaf2-Vlan-interface4094] isis enable 1
[server-leaf2-Vlan-interface4094] quit
Configure EBGP
[server-leaf2] route-policy ibgpsurvive permit node 100
[server-leaf2-route-policy-ibgpsurvive-100] apply local-preference 0
[server-leaf2-route-policy-ibgpsurvive-100] quit
[server-leaf2] bgp 501 instance Underlay
[server-leaf2-bgp-Underlay] peer 10.30.1.5 as-number 501
[server-leaf2-bgp-Underlay] address-family ipv4 unicast
[server-leaf2-bgp-Underlay-ipv4] network 10.30.1.6 255.255.255.252
[server-leaf2-bgp-Underlay-ipv4] peer 10.30.1.5 route-policy ibgpsurvive export
[server-leaf2-bgp-Underlay-ipv4] peer 10.30.1.5 next-hop-local
[server-leaf2-bgp-Underlay-ipv4] quit
[server-leaf2-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[server-leaf2] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
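· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: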
[server-leaf2] l2vpn m-lag peer-link tunnel source 10.1.1.5 destination 10.1.1.4
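To forward VXLAN packets correctly for single-homed access, whose tunnel source address is the M-LAG real address, default decapsulation must be configured.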
[server-leaf2] vxlan default-decapsulation source interface LoopBack0
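The auto-recovery time after an M-LAG device starts must be longer than the time the peer device takes to reboot. The reference value is 600 seconds for chassis devices such as the S12500G/S12500X/S10500X/S7500X, and 300 seconds for fixed-form devices such as the S68XX. Configure it as follows: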
[server-leaf2] m-lag auto-recovery reload-delay 600
Configure the M-LAG interface for the LACP aggregate link to Server 1
[server-leaf2] interface Bridge-Aggregation256
[server-leaf2-Bridge-Aggregation256] port link-type trunk
[server-leaf2-Bridge-Aggregation256] undo port trunk permit vlan 1
[server-leaf2-Bridge-Aggregation256] link-aggregation mode dynamic
[server-leaf2-Bridge-Aggregation256] port m-lag group 3
[server-leaf2-Bridge-Aggregation256] quit
[server-leaf2] interface Ten-GigabitEthernet1/0/11
[server-leaf2-Ten-GigabitEthernet1/0/11] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/11] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/11] undo port trunk permit vlan 1
[server-leaf2-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[server-leaf2-Ten-GigabitEthernet1/0/11] quit
(1) Configure the physical interface for the primary/backup link to Server 2.
[server-leaf2] interface Ten-GigabitEthernet1/0/12
[server-leaf2-Ten-GigabitEthernet1/0/12] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/12] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/12] undo port trunk permit vlan 1
[server-leaf2-Ten-GigabitEthernet1/0/12] quit
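(2) Configure evpn m-lag local. Because the Server Leaf connects to Server 2 over primary/backup links, the two devices in the M-LAG system have different single-homed ACs, that is, a given AC exists only on device 1 or only on device 2. Routes learned from a single-homed AC use the M-LAG real address as the next hop.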
[server-leaf2] evpn m-lag local 10.1.1.5 remote 10.1.1.4
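· When M-LAG primary/backup links are used, enable "Automatically deploy primary/backup AC link configuration" on the controller's [Automation > Data Center Networks > Fabrics > Parameters > Controller Global Settings] page. Only then does the controller deploy the configuration symmetrically to both M-LAG devices at the same time.
· When M-LAG primary/backup links are used, configure the controller so that LLDP packets are reported to it: go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, open the settings page of the target fabric, click the [Settings] tab, and select "Report LLDP to controller" under the LLDP parameters.
· When M-LAG primary/backup links are used, LLDP must be enabled on the server. If LLDP cannot be enabled on the server, configure the link information on the controller: after the controller has onboarded the Server-Leaf, go to the [Automation > Data Center Networks > Fabrics > Link Management] page, click the [Server Links] tab, and add the primary link and backup link information. The primary and backup link entries must use the same system name, and the name must be globally unique.
On M-LAG devices with single-homed access, set the MAC address aging time to 26 minutes.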
[server-leaf2] mac-address timer aging 1560
[server-leaf2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
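(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions column of fabric1, and click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on its "Basic Info" tab:
¡ Device name: server-leaf2.
¡ Basic info:
- Fabric: fabric1. Do not use the controller's default fabric, DEFAULTFABRIC.
- Device type: Access device.
- Management IP: 192.168.11.5.
- VTEP IP: 10.1.1.5.
- Preferred region: region1.
- Device role: Leaf.
- Configure other parameters as the network requires. This example uses the defaults.
Figure 59 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as the network requires. This example uses the defaults.
Figure 60 Adding a switching device

(4) Click the "VXLAN" tab and configure the VXLAN parameters as the network requires. This example uses the defaults.
Figure 61 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN instance to which the switching device's management interface belongs. This example uses mgmt.
¡ Configure other parameters as the network requires. This example uses the defaults.
Figure 62 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as the network requires. This example uses the defaults.
Figure 63 Advanced settings

(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.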
<service-leaf1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<service-leaf1> reboot force
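After the hardware resource parameters are configured, the device must be rebooted for them to take effect.
The hardware resource commands differ by switch model, as follows:
S12500G-AF T series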
[service-leaf1] hardware-resource tcam normal
[service-leaf1] hardware-resource routing-mode ipv6-128
[service-leaf1] hardware-resource vxlan l3gw
S12500X
[service-leaf1] hardware-resource tcam routing
[service-leaf1] hardware-resource vxlan normal
[service-leaf1] hardware-resource mcast normal
[service-leaf1] hardware-resource scale-rt-prefix none
[service-leaf1] hardware-resource mpls normal
[service-leaf1] hardware-resource parser normal
S6800
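When the S6800 acts as a Leaf or Border, configure the hardware resources according to the services carried. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".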
[service-leaf1] hardware-resource switch-mode 4
[service-leaf1] hardware-resource routing-mode ipv6-128
[service-leaf1] hardware-resource vxlan l3gw40k
S6860
[service-leaf1] hardware-resource switch-mode 4
[service-leaf1] hardware-resource routing-mode ipv6-128
[service-leaf1] hardware-resource vxlan l3gw24k
S6850/S9850/S6805/S6825
[service-leaf1] hardware-resource switch-mode DUAL-STACK
[service-leaf1] hardware-resource routing-mode ipv6-128
[service-leaf1] hardware-resource vxlan l3gw
S10500X
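On the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to set it back to the default; the change takes effect after a reboot.
(1) Change the interface module parameter. This example uses slot 0.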
[service-leaf1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter. This example uses slot 6.
[service-leaf1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
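On the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to set it back to the default; the change takes effect after a reboot.
Change the interface module parameter. This example uses slot 2.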
[service-leaf1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
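S12500G-AF S series
On the S12500G-AF S series, the hardware resource parameter switch-mode must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). Both can be changed with the following commands; the changes take effect after a reboot.
This example uses slot 3.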
[service-leaf1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[service-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
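On the S10506X-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.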
[service-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
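On the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.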
[service-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
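S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). Both can be changed with the following commands; the changes take effect after a reboot.
This example uses slot 3.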
[service-leaf1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[service-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
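On the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.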
[service-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
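On the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.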
[service-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
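On the S9825/S9855, hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications, not in functionality. Keeping the default is recommended, as is using the same mode on both ends. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command) and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change the values; the changes take effect after a reboot.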
[service-leaf1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
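On the S9827, set hardware-resource switch-mode to ROUTING (view it with the display hardware-resource switch-mode command), hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command), and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change the values; the changes take effect after a reboot.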
[service-leaf1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN instance.
[service-leaf1] ip vpn-instance mgmt
(2) Configure the default route of the management network. The next hop is the gateway address on the management switch.
[service-leaf1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[service-leaf1] interface M-GigabitEthernet0/0/0
[service-leaf1-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[service-leaf1-M-GigabitEthernet0/0/0] ip address 192.168.11.6 255.255.255.0
[service-leaf1-M-GigabitEthernet0/0/0] quit
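(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".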
[service-leaf1] local-user admin class manage
[service-leaf1-luser-manage-admin] password simple Qwert@1234
[service-leaf1-luser-manage-admin] service-type https ssh
[service-leaf1-luser-manage-admin] authorization-attribute user-role network-admin
[service-leaf1-luser-manage-admin] authorization-attribute user-role network-operator
[service-leaf1-luser-manage-admin] quit
(5) Configure the VTY lines.
[service-leaf1] line vty 0 63
[service-leaf1-line-vty0-63] authentication-mode scheme
[service-leaf1-line-vty0-63] user-role network-admin
[service-leaf1-line-vty0-63] user-role network-operator
[service-leaf1-line-vty0-63] quit
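(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".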
[service-leaf1] netconf soap https enable
[service-leaf1] netconf ssh server enable
(7) Enable the SSH service.
[service-leaf1] ssh server enable
(8) Configure NTP. Perform this step when the network has an NTP server. This example uses the NTP server IP 192.168.10.101.
[service-leaf1] ntp-service enable
[service-leaf1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[service-leaf1] snmp-agent
[service-leaf1] snmp-agent community write private
[service-leaf1] snmp-agent community read public
[service-leaf1] snmp-agent sys-info version all
[service-leaf1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[service-leaf1] lldp global enable
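The management-plane steps above leave a few settings that deserve a review before production: the sample password printed in this guide, the `public`/`private` SNMP communities, and `snmp-agent sys-info version all`, which also enables SNMPv1/v2c. The following audit script is an added example, not part of the original guide or of any H3C tool; the rule names, the `audit` function and the second sample configuration are assumptions made for illustration.

```python
import re

# Strips a CLI prompt such as "[service-leaf1-line-vty0-63] " or "<service-leaf1> ".
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")
# Passwords printed in this guide; anyone who has read it knows them.
GUIDE_PASSWORDS = {"Qwert@1234"}


def char_classes(password):
    """Count how many of digit/upper/lower/special occur (the guide requires two)."""
    tests = (str.isdigit, str.isupper, str.islower, lambda c: not c.isalnum())
    return sum(any(test(c) for c in password) for test in tests)


def audit(text):
    """Return (rule, severity, evidence) tuples for a pasted CLI session or command list."""
    findings = []
    vty_header, vty_scheme = None, False
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        m = re.match(r"snmp-agent community (read|write) (\S+)$", line)
        if m and m.group(2).lower() in ("public", "private"):
            severity = "high" if m.group(1) == "write" else "medium"
            findings.append(("SNMP-DEFAULT-COMMUNITY", severity, line))
        m = re.match(r"snmp-agent sys-info version (.+)$", line)
        if m and {"all", "v1", "v2c"} & set(m.group(1).split()):
            # SNMPv1/v2c send the community string unencrypted.
            findings.append(("SNMP-CLEARTEXT-VERSION", "medium", line))
        m = re.match(r"password simple (\S+)$", line)
        if m:  # evidence is redacted so the report does not repeat the secret
            if m.group(1) in GUIDE_PASSWORDS:
                findings.append(("PASSWORD-FROM-GUIDE", "high", "password simple <redacted>"))
            elif char_classes(m.group(1)) < 2:
                findings.append(("PASSWORD-TOO-SIMPLE", "high", "password simple <redacted>"))
        # Follow the "line vty" view until its "quit" and require step (5)'s scheme mode.
        if line.startswith("line vty"):
            vty_header, vty_scheme = line, False
        elif vty_header and line == "authentication-mode scheme":
            vty_scheme = True
        elif vty_header and line == "quit":
            if not vty_scheme:
                findings.append(("VTY-NOT-SCHEME-AUTH", "high", vty_header))
            vty_header = None
    if vty_header and not vty_scheme:  # view was never closed in the input
        findings.append(("VTY-NOT-SCHEME-AUTH", "high", vty_header))
    return findings


# Steps (4), (5) and (9) as printed in this guide for service-leaf1.
AS_PRINTED = """\
[service-leaf1] local-user admin class manage
[service-leaf1-luser-manage-admin] password simple Qwert@1234
[service-leaf1-luser-manage-admin] service-type https ssh
[service-leaf1-luser-manage-admin] quit
[service-leaf1] line vty 0 63
[service-leaf1-line-vty0-63] authentication-mode scheme
[service-leaf1-line-vty0-63] quit
[service-leaf1] snmp-agent
[service-leaf1] snmp-agent community write private
[service-leaf1] snmp-agent community read public
[service-leaf1] snmp-agent sys-info version all
"""

# Constructed variant: made-up site password, SNMPv3 only, no community lines.
# Assumption: the controller's SNMP settings are changed to match.
SITE_SPECIFIC = """\
[service-leaf1] local-user admin class manage
[service-leaf1-luser-manage-admin] password simple Xk7#constructed-Site9
[service-leaf1-luser-manage-admin] quit
[service-leaf1] line vty 0 63
[service-leaf1-line-vty0-63] authentication-mode scheme
[service-leaf1-line-vty0-63] quit
[service-leaf1] snmp-agent
[service-leaf1] snmp-agent sys-info version v3
"""

# Constructed failure case: VTY view without scheme authentication, digits-only password.
BROKEN = "password simple 123456\nline vty 0 63\nuser-role network-admin\nquit\n"

if __name__ == "__main__":
    for rule, severity, evidence in audit(AS_PRINTED):
        print(f"{severity:6} {rule:24} {evidence}")
```
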
(1) Enable L2VPN on the device.
[service-leaf1] l2vpn enable
(2) Disable learning of MAC, ARP, and ND entries from VXLAN tunnels.
[service-leaf1] vxlan tunnel mac-learning disable
[service-leaf1] vxlan tunnel arp-learning disable
[service-leaf1] vxlan tunnel nd-learning disable
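To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameters] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The Underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF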
[service-leaf1] ospf 1 router-id 192.168.11.6
[service-leaf1-ospf-1] non-stop-routing
[service-leaf1-ospf-1] area 0.0.0.0
[service-leaf1-ospf-1] quit
Configure IS-IS
[service-leaf1] isis 1
[service-leaf1-isis-1] non-stop-routing
[service-leaf1-isis-1] is-level level-2
[service-leaf1-isis-1] is-name user1
[service-leaf1-isis-1] network-entity 86.4713.0021.0100.0400.1006.00
[service-leaf1-isis-1] address-family ipv4 unicast
[service-leaf1-isis-1-ipv4] maximum load-balancing 4
[service-leaf1-isis-1-ipv4] quit
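Configure EBGP
The two Spine Border or Spine devices use AS number 500, and the four devices with the Leaf role use AS number 501. EBGP peering is established between the Spine Border or Spine devices and the Leaf-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.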
[service-leaf1] interface LoopBack1
[service-leaf1-LoopBack1] ip address 4.1.1.5 255.255.255.255
[service-leaf1-LoopBack1] quit
[service-leaf1] bgp 501 instance Underlay
[service-leaf1-bgp-Underlay] non-stop-routing
[service-leaf1-bgp-Underlay] router-id 4.1.1.5
[service-leaf1-bgp-Underlay] group Spine external
[service-leaf1-bgp-Underlay] peer Spine as-number 500
[service-leaf1-bgp-Underlay] peer Spine ebgp-max-hop 2
[service-leaf1-bgp-Underlay] peer Spine connect-interface Loopback1
[service-leaf1-bgp-Underlay] peer 4.1.1.1 group Spine
[service-leaf1-bgp-Underlay] peer 4.1.1.2 group Spine
[service-leaf1-bgp-Underlay] address-family ipv4 unicast
[service-leaf1-bgp-Underlay-ipv4] balance 4
[service-leaf1-bgp-Underlay-ipv4] peer Spine enable
[service-leaf1-bgp-Underlay-ipv4] peer Spine allow-as-loop 2
[service-leaf1-bgp-Underlay-ipv4] quit
[service-leaf1-bgp-Underlay] quit
[service-leaf1] interface LoopBack0
[service-leaf1-LoopBack0] ip address 10.1.1.6 255.255.255.255
[service-leaf1-LoopBack0] quit
Choose one routing protocol and configure it:
Configure OSPF
[service-leaf1] interface LoopBack0
[service-leaf1-LoopBack0] ospf 1 area 0.0.0.0
[service-leaf1-LoopBack0] quit
Configure IS-IS
[service-leaf1] interface LoopBack0
[service-leaf1-LoopBack0] isis enable 1
[service-leaf1-LoopBack0] quit
Configure EBGP
[service-leaf1] bgp 501 instance Underlay
[service-leaf1-bgp-Underlay] address-family ipv4 unicast
[service-leaf1-bgp-Underlay-ipv4] network 10.1.1.6 255.255.255.255
[service-leaf1-bgp-Underlay-ipv4] quit
[service-leaf1-bgp-Underlay] quit
Configure IBGP
[service-leaf1] bgp 100
[service-leaf1-bgp-default] non-stop-routing
[service-leaf1-bgp-default] router-id 10.1.1.6
[service-leaf1-bgp-default] group evpn internal
[service-leaf1-bgp-default] peer evpn connect-interface Loopback0
[service-leaf1-bgp-default] peer 10.1.1.2 group evpn
[service-leaf1-bgp-default] peer 10.1.1.3 group evpn
[service-leaf1-bgp-default] address-family l2vpn evpn
[service-leaf1-bgp-default-evpn] peer evpn enable
[service-leaf1-bgp-default-evpn] quit
[service-leaf1-bgp-default] quit
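The following uses the interface connected to Spine 1 as an example. Configure the interface connected to Spine 2 in the same way.
The configuration of the interfaces connected to the Spines depends on the Underlay routing protocol. Choose one of OSPF, IS-IS, or EBGP and configure it.
Configure OSPF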
[service-leaf1] interface HundredGigE1/0/25
[service-leaf1-HundredGigE1/0/25] port link-mode route
[service-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[service-leaf1-HundredGigE1/0/25] ospf network-type p2p
[service-leaf1-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[service-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[service-leaf1-HundredGigE1/0/25] quit
Configure IS-IS
[service-leaf1] interface HundredGigE1/0/25
[service-leaf1-HundredGigE1/0/25] port link-mode route
[service-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[service-leaf1-HundredGigE1/0/25] isis circuit-level level-2
[service-leaf1-HundredGigE1/0/25] isis circuit-type p2p
[service-leaf1-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
[service-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[service-leaf1-HundredGigE1/0/25] quit
Configure EBGP
[service-leaf1] interface HundredGigE1/0/25
[service-leaf1-HundredGigE1/0/25] port link-mode route
[service-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack1
[service-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[service-leaf1-HundredGigE1/0/25] arp route-direct advertise
[service-leaf1-HundredGigE1/0/25] quit
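The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, pick one from the Available Global MAC values of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe view to view the Available Global MAC.
All M-LAG devices in an M-LAG system must have the same Global MAC address, and that address must be unique across the entire network, including in multi-fabric and data center interconnect scenarios.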
[service-leaf1] evpn global-mac 0001-0001-0003
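Use the LoopBack0 interface address as the M-LAG real address. M-LAG single-homed access, M-LAG single-sided access, Type 5 routes, and similar features use this address.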
[service-leaf1] evpn m-lag local 10.1.1.6 remote 10.1.1.7
(1) Configure the M-LAG virtual address.
[service-leaf1] interface LoopBack2
[service-leaf1-LoopBack2] ip address 10.20.1.6 255.255.255.255
[service-leaf1-LoopBack2] quit
Choose one routing protocol and configure it:
Configure OSPF
[service-leaf1] interface LoopBack2
[service-leaf1-LoopBack2] ospf 1 area 0.0.0.0
[service-leaf1-LoopBack2] quit
Configure IS-IS
[service-leaf1] interface LoopBack2
[service-leaf1-LoopBack2] isis enable 1
[service-leaf1-LoopBack2] isis circuit-level level-2
[service-leaf1-LoopBack2] quit
Configure EBGP
[service-leaf1] bgp 501 instance Underlay
[service-leaf1-bgp-Underlay] address-family ipv4 unicast
[service-leaf1-bgp-Underlay-ipv4] network 10.20.1.6 255.255.255.255
[service-leaf1-bgp-Underlay-ipv4] quit
[service-leaf1-bgp-Underlay] quit
(2) All M-LAG devices in the M-LAG system use the same virtual address.
[service-leaf1] evpn m-lag group 10.20.1.6
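(1) All M-LAG devices in an M-LAG system must have the same system-mac, and it must be unique across the entire network. Using the bridge MAC of either M-LAG device as the system-mac is recommended; run the display lacp system-id command on the device to view its bridge MAC.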
[service-leaf1] m-lag system-mac 0002-0003-0003
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must have different system-number values, for example 1 on one M-LAG device and 2 on the other.
[service-leaf1] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must have the same priority.
[service-leaf1] m-lag system-priority 10
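The consistency rules stated above for an M-LAG pair (same Global MAC, system-mac, system-priority and virtual address, different system-number, MACs unique across the network) can be checked before the devices are onboarded. The script below is an added example, not part of the original guide; the function names and every configuration other than service-leaf1's are constructed for illustration, and the mirrored local/remote check is inferred from the meaning of the `evpn m-lag local ... remote ...` arguments.

```python
import re

# Strips a CLI prompt such as "[service-leaf1] " so pasted sessions can be parsed.
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")

# One pattern per M-LAG parameter that the guide constrains across the two members.
PATTERNS = {
    "global-mac": re.compile(r"^evpn global-mac (\S+)$"),
    "system-mac": re.compile(r"^m-lag system-mac (\S+)$"),
    "system-number": re.compile(r"^m-lag system-number (\d+)$"),
    "system-priority": re.compile(r"^m-lag system-priority (\d+)$"),
    "virtual-ip": re.compile(r"^evpn m-lag group (\S+)$"),
    "real-ip": re.compile(r"^evpn m-lag local (\S+) remote (\S+)$"),
}
MUST_MATCH = ("global-mac", "system-mac", "system-priority", "virtual-ip")


def parse(text):
    """Return {parameter: value} for the M-LAG parameters found in the text."""
    found = {}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        for key, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                values = tuple(v.lower() for v in match.groups())
                found[key] = values if len(values) > 1 else values[0]
    return found


def check_pair(cfg_a, cfg_b):
    """Compare the two members of one M-LAG system; return a list of problems."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = [f"{k}: not configured on both devices"
                for k in PATTERNS if k not in a or k not in b]
    for key in MUST_MATCH:
        if key in a and key in b and a[key] != b[key]:
            problems.append(f"{key}: must be identical, got {a[key]} and {b[key]}")
    if "system-number" in a and a.get("system-number") == b.get("system-number"):
        problems.append(f"system-number: must differ, both are {a['system-number']}")
    if "real-ip" in a and "real-ip" in b and a["real-ip"] != b["real-ip"][::-1]:
        problems.append("real-ip: local/remote addresses are not mirrored")
    return problems


def check_unique(pairs):
    """pairs: {name: (cfg_a, cfg_b)}. Report MACs reused by different M-LAG systems."""
    seen, problems = {}, []
    for name, (cfg_a, _cfg_b) in pairs.items():
        params = parse(cfg_a)
        for key in ("global-mac", "system-mac"):
            mac = params.get(key)
            if mac is None:
                continue
            owner = seen.setdefault((key, mac), name)
            if owner != name:
                problems.append(f"{key} {mac} is used by both {owner} and {name}")
    return problems


# service-leaf1 values as printed in this guide.
SERVICE_LEAF1 = """\
[service-leaf1] evpn global-mac 0001-0001-0003
[service-leaf1] evpn m-lag local 10.1.1.6 remote 10.1.1.7
[service-leaf1] evpn m-lag group 10.20.1.6
[service-leaf1] m-lag system-mac 0002-0003-0003
[service-leaf1] m-lag system-number 2
[service-leaf1] m-lag system-priority 10
"""
# Constructed peer that satisfies the rules.
SERVICE_LEAF2_OK = """\
evpn global-mac 0001-0001-0003
evpn m-lag local 10.1.1.7 remote 10.1.1.6
evpn m-lag group 10.20.1.6
m-lag system-mac 0002-0003-0003
m-lag system-number 1
m-lag system-priority 10
"""
# Constructed peer copied from leaf1 without adapting the per-device values.
SERVICE_LEAF2_BAD = SERVICE_LEAF1.replace("[service-leaf1]", "[service-leaf2]") \
    .replace("system-priority 10", "system-priority 20")
# Constructed second M-LAG system that reuses the first system's Global MAC.
OTHER_PAIR = "evpn global-mac 0001-0001-0003\nm-lag system-mac 0002-0003-0009\n"

if __name__ == "__main__":
    print(check_pair(SERVICE_LEAF1, SERVICE_LEAF2_BAD))
```
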
(1) Create the VLANs.
[service-leaf1] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[service-leaf1] interface Bridge-Aggregation1
[service-leaf1-Bridge-Aggregation1] port link-type trunk
[service-leaf1-Bridge-Aggregation1] port trunk permit vlan all
[service-leaf1-Bridge-Aggregation1] port trunk pvid vlan 4094
[service-leaf1-Bridge-Aggregation1] link-aggregation mode dynamic
[service-leaf1-Bridge-Aggregation1] port m-lag peer-link 1
[service-leaf1-Bridge-Aggregation1] undo mac-address static source-check enable
[service-leaf1-Bridge-Aggregation1] quit
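On S12500X devices, the undo mac-address static source-check enable command is not needed on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: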
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[service-leaf1] interface HundredGigE1/0/9
[service-leaf1-HundredGigE1/0/9] port link-mode bridge
[service-leaf1-HundredGigE1/0/9] port link-type trunk
[service-leaf1-HundredGigE1/0/9] port trunk permit vlan all
[service-leaf1-HundredGigE1/0/9] port trunk pvid vlan 4094
[service-leaf1-HundredGigE1/0/9] port link-aggregation group 1
[service-leaf1-HundredGigE1/0/9] quit
(4) Configure peer-link physical interface 2.
[service-leaf1] interface HundredGigE1/0/10
[service-leaf1-HundredGigE1/0/10] port link-mode bridge
[service-leaf1-HundredGigE1/0/10] port link-type trunk
[service-leaf1-HundredGigE1/0/10] port trunk permit vlan all
[service-leaf1-HundredGigE1/0/10] port trunk pvid vlan 4094
[service-leaf1-HundredGigE1/0/10] port link-aggregation group 1
[service-leaf1-HundredGigE1/0/10] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the links are set to MAD UP only after the specified delay has elapsed.
[service-leaf1] m-lag restore-delay 180
(2) Configure the VPN instance.
[service-leaf1] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[service-leaf1] interface HundredGigE1/0/30
[service-leaf1-HundredGigE1/0/30] port link-mode route
[service-leaf1-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[service-leaf1-HundredGigE1/0/30] ip address 10.10.1.9 255.255.255.252
[service-leaf1-HundredGigE1/0/30] quit
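(4) Configure the M-LAG MAD whitelist.
All physical interfaces must be added to the whitelist, except the M-LAG peer-link interfaces, the MAD interface, and the interfaces that will join a service loopback group.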
[service-leaf1] m-lag mad default-action none
[service-leaf1] m-lag keepalive ip destination 10.10.1.10 source 10.10.1.9 vpn-instance auto-online-mlag
[service-leaf1] m-lag mad include interface HundredGigE1/0/25
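…omitted…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 go DOWN at the same time, traffic from the downlink interfaces of device 1 takes the escape path over the peer-link to the uplink interfaces of device 2, so connectivity with other devices is preserved.
Using the PVID VLAN of the peer-link interface as the escape VLAN is recommended.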
[service-leaf1] interface Vlan-interface4094
[service-leaf1-Vlan-interface4094] ip address 10.30.1.9 255.255.255.252
[service-leaf1-Vlan-interface4094] quit
Choose one routing protocol and configure it:
Configure OSPF
[service-leaf1] interface Vlan-interface4094
[service-leaf1-Vlan-interface4094] ospf 1 area 0.0.0.0
[service-leaf1-Vlan-interface4094] quit
Configure IS-IS
[service-leaf1] interface Vlan-interface4094
[service-leaf1-Vlan-interface4094] isis enable 1
[service-leaf1-Vlan-interface4094] quit
Configure EBGP
[service-leaf1] route-policy ibgpsurvive permit node 100
[service-leaf1-route-policy-ibgpsurvive-100] apply local-preference 0
[service-leaf1-route-policy-ibgpsurvive-100] quit
[service-leaf1] bgp 501 instance Underlay
[service-leaf1-bgp-Underlay] peer 10.30.1.10 as-number 501
[service-leaf1-bgp-Underlay] address-family ipv4 unicast
[service-leaf1-bgp-Underlay-ipv4] network 10.30.1.9 255.255.255.252
[service-leaf1-bgp-Underlay-ipv4] peer 10.30.1.10 route-policy ibgpsurvive export
[service-leaf1-bgp-Underlay-ipv4] peer 10.30.1.10 next-hop-local
[service-leaf1-bgp-Underlay-ipv4] quit
[service-leaf1-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[service-leaf1] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
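· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: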
[service-leaf1] l2vpn m-lag peer-link tunnel source 10.1.1.6 destination 10.1.1.7
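To forward VXLAN packets correctly for single-homed access, whose tunnel source address is the M-LAG real address, default decapsulation must be configured.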
[service-leaf1] vxlan default-decapsulation source interface LoopBack0
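The auto-recovery time after an M-LAG device starts must be longer than the time the peer device takes to reboot. The reference value is 600 seconds for chassis devices such as the S12500G/S12500X/S10500X/S7500X, and 300 seconds for fixed-form devices such as the S68XX. Configure it as follows: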
[service-leaf1] m-lag auto-recovery reload-delay 600
Configure the M-LAG interface for the LACP aggregate link to FW device 3.
[service-leaf1] interface Bridge-Aggregation256
[service-leaf1-Bridge-Aggregation256] link-aggregation mode dynamic
[service-leaf1-Bridge-Aggregation256] port m-lag group 6
[service-leaf1-Bridge-Aggregation256] stp edged-port
[service-leaf1-Bridge-Aggregation256] quit
[service-leaf1] interface Ten-GigabitEthernet1/0/11
[service-leaf1-Ten-GigabitEthernet1/0/11] port link-mode bridge
[service-leaf1-Ten-GigabitEthernet1/0/11] port link-type trunk
[service-leaf1-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[service-leaf1-Ten-GigabitEthernet1/0/11] quit
Configure the M-LAG interface for the LACP aggregate link to FW device 4.
[service-leaf1] interface Bridge-Aggregation257
[service-leaf1-Bridge-Aggregation257] link-aggregation mode dynamic
[service-leaf1-Bridge-Aggregation257] port m-lag group 7
[service-leaf1-Bridge-Aggregation257] stp edged-port
[service-leaf1-Bridge-Aggregation257] quit
[service-leaf1] interface Ten-GigabitEthernet1/0/12
[service-leaf1-Ten-GigabitEthernet1/0/12] port link-mode bridge
[service-leaf1-Ten-GigabitEthernet1/0/12] port link-aggregation group 257
[service-leaf1-Ten-GigabitEthernet1/0/12] quit
[service-leaf1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
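(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions column of fabric1, and click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on its "Basic Info" tab:
¡ Device name: Service-leaf1.
¡ Basic info:
- Fabric: fabric1. Do not use the controller's default fabric, DEFAULTFABRIC.
- Device type: Access device.
- Management IP: 192.168.11.6.
- VTEP IP: 10.1.1.6.
- Preferred region: region1.
- Device role: Leaf.
- Configure other parameters as the network requires. This example uses the defaults.
Figure 64 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as the network requires. This example uses the defaults.
Figure 65 Adding a switching device

(4) Click the "VXLAN" tab and configure the VXLAN parameters as the network requires. This example uses the defaults.
Figure 66 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN instance to which the switching device's management interface belongs. This example uses mgmt.
¡ Configure other parameters as the network requires. This example uses the defaults.
Figure 67 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as the network requires. This example uses the defaults.
Figure 68 Advanced settings

(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.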
<service-leaf2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<service-leaf2> reboot force
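After the hardware resource parameters are configured, the device must be rebooted for them to take effect.
The hardware resource commands differ by switch model, as follows:
S12500G-AF T series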
[service-leaf2] hardware-resource tcam normal
[service-leaf2] hardware-resource routing-mode ipv6-128
[service-leaf2] hardware-resource vxlan l3gw
S12500X
[service-leaf2] hardware-resource tcam routing
[service-leaf2] hardware-resource vxlan normal
[service-leaf2] hardware-resource mcast normal
[service-leaf2] hardware-resource scale-rt-prefix none
[service-leaf2] hardware-resource mpls normal
[service-leaf2] hardware-resource parser normal
S6800
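When the S6800 acts as a Leaf or Border, configure the hardware resources according to the services carried. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".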
[service-leaf2] hardware-resource switch-mode 4
[service-leaf2] hardware-resource routing-mode ipv6-128
[service-leaf2] hardware-resource vxlan l3gw40k
S6860
[service-leaf2] hardware-resource switch-mode 4
[service-leaf2] hardware-resource routing-mode ipv6-128
[service-leaf2] hardware-resource vxlan l3gw24k
S6850/S9850/S6805/S6825
[service-leaf2] hardware-resource switch-mode DUAL-STACK
[service-leaf2] hardware-resource routing-mode ipv6-128
[service-leaf2] hardware-resource vxlan l3gw
S10500X
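On the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to set it back to the default; the change takes effect after a reboot.
(1) Change the interface module parameter. This example uses slot 0.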
[service-leaf2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter. This example uses slot 6.
[service-leaf2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
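On the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to set it back to the default; the change takes effect after a reboot.
Change the interface module parameter. This example uses slot 2.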
[service-leaf2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
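S12500G-AF S series
On the S12500G-AF S series, the hardware resource parameter switch-mode must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). Both can be changed with the following commands; the changes take effect after a reboot.
This example uses slot 3.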
[service-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[service-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
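On the S10506X-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.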
[service-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
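On the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.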
[service-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
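S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). Both can be changed with the following commands; the changes take effect after a reboot.
This example uses slot 3.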
[service-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[service-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
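On the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.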
[service-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
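On the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.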
[service-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
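On the S9825/S9855, hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications, not in functionality. Keeping the default is recommended, as is using the same mode on both ends. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command) and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change the values; the changes take effect after a reboot.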
[service-leaf2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
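On the S9827, set hardware-resource switch-mode to ROUTING (view it with the display hardware-resource switch-mode command), hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command), and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change the values; the changes take effect after a reboot.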
[service-leaf2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[service-leaf2] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[service-leaf2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[service-leaf2] interface M-GigabitEthernet0/0/0
[service-leaf2-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[service-leaf2-M-GigabitEthernet0/0/0] ip address 192.168.11.7 255.255.255.0
[service-leaf2-M-GigabitEthernet0/0/0] quit
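(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured; otherwise those features do not work correctly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".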
[service-leaf2] local-user admin class manage
[service-leaf2-luser-manage-admin] password simple Qwert@1234
[service-leaf2-luser-manage-admin] service-type https ssh
[service-leaf2-luser-manage-admin] authorization-attribute user-role network-admin
[service-leaf2-luser-manage-admin] authorization-attribute user-role network-operator
[service-leaf2-luser-manage-admin] quit
(5) Configure VTY.
[service-leaf2] line vty 0 63
[service-leaf2-line-vty0-63] authentication-mode scheme
[service-leaf2-line-vty0-63] user-role network-admin
[service-leaf2-line-vty0-63] user-role network-operator
[service-leaf2-line-vty0-63] quit
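(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work correctly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".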
[service-leaf2] netconf soap https enable
[service-leaf2] netconf ssh server enable
(7) Enable the SSH service.
[service-leaf2] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses the NTP server IP address 192.168.10.101.
[service-leaf2] ntp-service enable
[service-leaf2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[service-leaf2] snmp-agent
[service-leaf2] snmp-agent community write private
[service-leaf2] snmp-agent community read public
[service-leaf2] snmp-agent sys-info version all
[service-leaf2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[service-leaf2] lldp global enable
(1) Enable L2VPN on the device.
[service-leaf2] l2vpn enable
(2) Disable learning of MAC, ARP, and ND entries from VXLAN tunnels.
[service-leaf2] vxlan tunnel mac-learning disable
[service-leaf2] vxlan tunnel arp-learning disable
[service-leaf2] vxlan tunnel nd-learning disable
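To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF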
[service-leaf2] ospf 1 router-id 192.168.11.7
[service-leaf2-ospf-1] non-stop-routing
[service-leaf2-ospf-1] area 0.0.0.0
[service-leaf2-ospf-1] quit
Configure IS-IS
[service-leaf2] isis 1
[service-leaf2-isis-1] non-stop-routing
[service-leaf2-isis-1] is-level level-2
[service-leaf2-isis-1] is-name user1
[service-leaf2-isis-1] network-entity 86.4713.0021.0100.0400.1007.00
[service-leaf2-isis-1] address-family ipv4 unicast
[service-leaf2-isis-1-ipv4] maximum load-balancing 4
[service-leaf2-isis-1-ipv4] quit
[service-leaf2-isis-1] quit
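Configure EBGP
The two Spine Border or Spine devices use AS number 500, and the four devices in the Leaf role use AS number 501. EBGP peer relationships are established between the Spine Border or Spine devices and the Leaf-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.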
[service-leaf2] interface LoopBack1
[service-leaf2-LoopBack1] ip address 4.1.1.6 255.255.255.255
[service-leaf2-LoopBack1] quit
[service-leaf2] bgp 501 instance Underlay
[service-leaf2-bgp-Underlay] non-stop-routing
[service-leaf2-bgp-Underlay] router-id 4.1.1.6
[service-leaf2-bgp-Underlay] group Spine external
[service-leaf2-bgp-Underlay] peer Spine as-number 500
[service-leaf2-bgp-Underlay] peer Spine ebgp-max-hop 2
[service-leaf2-bgp-Underlay] peer Spine connect-interface Loopback1
[service-leaf2-bgp-Underlay] peer 4.1.1.1 group Spine
[service-leaf2-bgp-Underlay] peer 4.1.1.2 group Spine
[service-leaf2-bgp-Underlay] address-family ipv4 unicast
[service-leaf2-bgp-Underlay-ipv4] balance 4
[service-leaf2-bgp-Underlay-ipv4] peer Spine enable
[service-leaf2-bgp-Underlay-ipv4] peer Spine allow-as-loop 2
[service-leaf2-bgp-Underlay-ipv4] quit
[service-leaf2-bgp-Underlay] quit
[service-leaf2] interface LoopBack0
[service-leaf2-LoopBack0] ip address 10.1.1.7 255.255.255.255
[service-leaf2-LoopBack0] quit
Select one routing protocol to configure:
Configure OSPF
[service-leaf2] interface LoopBack0
[service-leaf2-LoopBack0] ospf 1 area 0.0.0.0
[service-leaf2-LoopBack0] quit
Configure IS-IS
[service-leaf2] interface LoopBack0
[service-leaf2-LoopBack0] isis enable 1
[service-leaf2-LoopBack0] quit
Configure EBGP
[service-leaf2] bgp 501 instance Underlay
[service-leaf2-bgp-Underlay] address-family ipv4 unicast
[service-leaf2-bgp-Underlay-ipv4] network 10.1.1.7 255.255.255.255
[service-leaf2-bgp-Underlay-ipv4] quit
[service-leaf2-bgp-Underlay] quit
Configure IBGP
[service-leaf2] bgp 100
[service-leaf2-bgp-default] non-stop-routing
[service-leaf2-bgp-default] router-id 10.1.1.7
[service-leaf2-bgp-default] group evpn internal
[service-leaf2-bgp-default] peer evpn connect-interface Loopback0
[service-leaf2-bgp-default] peer 10.1.1.2 group evpn
[service-leaf2-bgp-default] peer 10.1.1.3 group evpn
[service-leaf2-bgp-default] address-family l2vpn evpn
[service-leaf2-bgp-default-evpn] peer evpn enable
[service-leaf2-bgp-default-evpn] quit
[service-leaf2-bgp-default] quit
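The following uses the interface connected to Spine 1 as an example. Configure the interface connected to Spine 2 in the same way.
The configuration of the interface connected to the Spine differs with the underlay routing protocol. Select one of OSPF, IS-IS, or EBGP to configure.
Configure OSPF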
[service-leaf2] interface HundredGigE1/0/25
[service-leaf2-HundredGigE1/0/25] port link-mode route
[service-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[service-leaf2-HundredGigE1/0/25] ospf network-type p2p
[service-leaf2-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[service-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[service-leaf2-HundredGigE1/0/25] quit
Configure IS-IS
[service-leaf2] interface HundredGigE1/0/25
[service-leaf2-HundredGigE1/0/25] port link-mode route
[service-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[service-leaf2-HundredGigE1/0/25] isis circuit-level level-2
[service-leaf2-HundredGigE1/0/25] isis circuit-type p2p
[service-leaf2-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
[service-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[service-leaf2-HundredGigE1/0/25] quit
Configure EBGP
[service-leaf2] interface HundredGigE1/0/25
[service-leaf2-HundredGigE1/0/25] port link-mode route
[service-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack1
[service-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[service-leaf2-HundredGigE1/0/25] arp route-direct advertise
[service-leaf2-HundredGigE1/0/25] quit
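The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, select one from the Available Global MAC values of the two devices.
On S12500G/S12500X/S75X/S105X devices, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.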
[service-leaf2] evpn global-mac 0001-0001-0003
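Use the LoopBack0 interface address as the M-LAG real address. M-LAG single-homed access, M-LAG one-sided access, Type 5 routes, and similar functions use this address.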
[service-leaf2] evpn m-lag local 10.1.1.7 remote 10.1.1.6
(1) Configure the M-LAG virtual address.
[service-leaf2] interface LoopBack2
[service-leaf2-LoopBack2] ip address 10.20.1.6 255.255.255.255
[service-leaf2-LoopBack2] quit
Select one routing protocol to configure:
Configure OSPF
[service-leaf2] interface LoopBack2
[service-leaf2-LoopBack2] ospf 1 area 0.0.0.0
[service-leaf2-LoopBack2] quit
Configure IS-IS
[service-leaf2] interface LoopBack2
[service-leaf2-LoopBack2] isis enable 1
[service-leaf2-LoopBack2] isis circuit-level level-2
[service-leaf2-LoopBack2] quit
Configure EBGP
[service-leaf2] bgp 501 instance Underlay
[service-leaf2-bgp-Underlay] address-family ipv4 unicast
[service-leaf2-bgp-Underlay-ipv4] network 10.20.1.6 255.255.255.255
[service-leaf2-bgp-Underlay-ipv4] quit
[service-leaf2-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[service-leaf2] evpn m-lag group 10.20.1.6
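(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. Using the bridge MAC of either M-LAG device as the system-mac is recommended. Run the display lacp system-id command on a device to view its bridge MAC.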
[service-leaf2] m-lag system-mac 0002-0003-0003
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must use different system-number values, for example 1 on one M-LAG device and 2 on the other.
[service-leaf2] m-lag system-number 1
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[service-leaf2] m-lag system-priority 10
(1) Create VLANs.
[service-leaf2] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[service-leaf2] interface Bridge-Aggregation1
[service-leaf2-Bridge-Aggregation1] port link-type trunk
[service-leaf2-Bridge-Aggregation1] port trunk permit vlan all
[service-leaf2-Bridge-Aggregation1] port trunk pvid vlan 4094
[service-leaf2-Bridge-Aggregation1] link-aggregation mode dynamic
[service-leaf2-Bridge-Aggregation1] port m-lag peer-link 1
[service-leaf2-Bridge-Aggregation1] undo mac-address static source-check enable
[service-leaf2-Bridge-Aggregation1] quit
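On S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: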
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[service-leaf2] interface HundredGigE1/0/9
[service-leaf2-HundredGigE1/0/9] port link-mode bridge
[service-leaf2-HundredGigE1/0/9] port link-type trunk
[service-leaf2-HundredGigE1/0/9] port trunk permit vlan all
[service-leaf2-HundredGigE1/0/9] port trunk pvid vlan 4094
[service-leaf2-HundredGigE1/0/9] port link-aggregation group 1
[service-leaf2-HundredGigE1/0/9] quit
(4) Configure peer-link physical interface 2.
[service-leaf2] interface HundredGigE1/0/10
[service-leaf2-HundredGigE1/0/10] port link-mode bridge
[service-leaf2-HundredGigE1/0/10] port link-type trunk
[service-leaf2-HundredGigE1/0/10] port trunk permit vlan all
[service-leaf2-HundredGigE1/0/10] port trunk pvid vlan 4094
[service-leaf2-HundredGigE1/0/10] port link-aggregation group 1
[service-leaf2-HundredGigE1/0/10] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the links come MAD UP only after the specified delay.
[service-leaf2] m-lag restore-delay 180
(2) Configure the VPN.
[service-leaf2] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[service-leaf2] interface HundredGigE1/0/30
[service-leaf2-HundredGigE1/0/30] port link-mode route
[service-leaf2-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[service-leaf2-HundredGigE1/0/30] ip address 10.10.1.10 255.255.255.252
[service-leaf2-HundredGigE1/0/30] quit
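(4) Configure the M-LAG MAD whitelist.
All physical interfaces must be added to the whitelist, except the M-LAG peer-link interfaces, the MAD interface, and the interfaces to be added to the service loopback group.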
[service-leaf2] m-lag mad default-action none
[service-leaf2] m-lag keepalive ip destination 10.10.1.9 source 10.10.1.10 vpn-instance auto-online-mlag
[service-leaf2] m-lag mad include interface HundredGigE1/0/25
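…omitted…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 go DOWN at the same time, traffic from the downlink interfaces of device 1 reaches the uplink interfaces of device 2 over the peer-link escape path, so that connectivity with other devices is maintained.
Using the PVID VLAN of the peer-link interface as the escape VLAN is recommended.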
[service-leaf2] interface Vlan-interface4094
[service-leaf2-Vlan-interface4094] ip address 10.30.1.10 255.255.255.252
[service-leaf2-Vlan-interface4094] quit
Select one routing protocol to configure:
Configure OSPF
[service-leaf2] interface Vlan-interface4094
[service-leaf2-Vlan-interface4094] ospf 1 area 0.0.0.0
[service-leaf2-Vlan-interface4094] quit
Configure IS-IS
[service-leaf2] interface Vlan-interface4094
[service-leaf2-Vlan-interface4094] isis enable 1
[service-leaf2-Vlan-interface4094] quit
Configure EBGP
[service-leaf2] route-policy ibgpsurvive permit node 100
[service-leaf2-route-policy-ibgpsurvive-100] apply local-preference 0
[service-leaf2-route-policy-ibgpsurvive-100] quit
[service-leaf2] bgp 501 instance Underlay
[service-leaf2-bgp-Underlay] peer 10.30.1.9 as-number 501
[service-leaf2-bgp-Underlay] address-family ipv4 unicast
[service-leaf2-bgp-Underlay-ipv4] network 10.30.1.10 255.255.255.252
[service-leaf2-bgp-Underlay-ipv4] peer 10.30.1.9 route-policy ibgpsurvive export
[service-leaf2-bgp-Underlay-ipv4] peer 10.30.1.9 next-hop-local
[service-leaf2-bgp-Underlay-ipv4] quit
[service-leaf2-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[service-leaf2] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
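· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: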
[service-leaf2] l2vpn m-lag peer-link tunnel source 10.1.1.7 destination 10.1.1.6
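In single-homed access networking, VXLAN packets use the M-LAG real address as the tunnel source address. For these packets to be forwarded correctly, default decapsulation must be configured.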
[service-leaf2] vxlan default-decapsulation source interface LoopBack0
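The auto-recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. The reference value is 600 seconds for chassis devices such as S12500G/S12500X/S10500X/S7500X and 300 seconds for fixed-form devices such as S68XX. Configure it as follows: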
[service-leaf2] m-lag auto-recovery reload-delay 600
Configure the M-LAG interface for the LACP aggregate link connected to FW device 3
[service-leaf2] interface Bridge-Aggregation256
[service-leaf2-Bridge-Aggregation256] link-aggregation mode dynamic
[service-leaf2-Bridge-Aggregation256] port m-lag group 6
[service-leaf2-Bridge-Aggregation256] stp edged-port
[service-leaf2-Bridge-Aggregation256] quit
[service-leaf2] interface Ten-GigabitEthernet1/0/11
[service-leaf2-Ten-GigabitEthernet1/0/11] port link-mode bridge
[service-leaf2-Ten-GigabitEthernet1/0/11] port link-type trunk
[service-leaf2-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[service-leaf2-Ten-GigabitEthernet1/0/11] quit
Configure the M-LAG interface for the LACP aggregate link connected to FW device 4
[service-leaf2] interface Bridge-Aggregation257
[service-leaf2-Bridge-Aggregation257] link-aggregation mode dynamic
[service-leaf2-Bridge-Aggregation257] port m-lag group 7
[service-leaf2-Bridge-Aggregation257] stp edged-port
[service-leaf2-Bridge-Aggregation257] quit
[service-leaf2] interface Ten-GigabitEthernet1/0/12
[service-leaf2-Ten-GigabitEthernet1/0/12] port link-mode bridge
[service-leaf2-Ten-GigabitEthernet1/0/12] port link-aggregation group 257
[service-leaf2-Ten-GigabitEthernet1/0/12] quit
[service-leaf2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
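(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions area for fabric1, and then click the "Switching Devices" tab to open the switching device configuration page for fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
¡ Device name: service-leaf2.
¡ Basic info:
- Fabric: fabric1. Do not use the controller component's default Fabric, DEFAULTFABRIC.
- Device type: access device.
- Management IP: 192.168.11.7.
- VTEP IP: 10.1.1.7.
- Preferred Region: region1.
- Device role: Leaf.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 69 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 70 Adding a switching device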

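(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 71 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN to which the switching device's management interface belongs. This example uses mgmt.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 72 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as required by the network. This example uses the default settings.
Figure 73 Advanced configuration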

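(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.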
<border1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<border1> reboot force
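After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G-AF T series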
[border1] hardware-resource tcam normal
[border1] hardware-resource routing-mode ipv6-128
[border1] hardware-resource vxlan l3gw
S12500X
[border1] hardware-resource tcam routing
[border1] hardware-resource vxlan normal
[border1] hardware-resource mcast normal
[border1] hardware-resource scale-rt-prefix none
[border1] hardware-resource mpls normal
[border1] hardware-resource parser normal
S6800
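When the S6800 acts as a Leaf or Border, configure its hardware resources according to the services deployed. For the configuration method, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".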
[border1] hardware-resource switch-mode 4
[border1] hardware-resource routing-mode ipv6-128
[border1] hardware-resource vxlan Border40k
S6860
[border1] hardware-resource switch-mode 4
[border1] hardware-resource routing-mode ipv6-128
[border1] hardware-resource vxlan Border24k
S6850/S9850/S6805/S6825
[border1] hardware-resource switch-mode DUAL-STACK
[border1] hardware-resource routing-mode ipv6-128
[border1] hardware-resource vxlan l3gw
S10500X
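On the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not set to the default, use the switch-mode command to restore the default; the change takes effect after a reboot.
(1) Change the interface module setting. This example uses slot 0.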
[border1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU setting. This example uses slot 6.
[border1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
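On the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not set to the default, use the switch-mode command to restore the default; the change takes effect after a reboot.
Change the interface module setting. This example uses slot 2.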
[border1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
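S12500G-AF S series
On the S12500G-AF S series, the hardware resource parameter switch-mode must be set to normal (view it with the display switch-mode status command), and system-working-mode must be set to expert (view it with the display system-working-mode command). Use the following commands to change switch-mode and system-working-mode; the change takes effect after a reboot.
This example uses slot 3.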
[border1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[border1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
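S12500R series
On the S12500R series, the hardware resource parameter hardware-resource mdb must be set to routing (view it with the display hardware-resource mdb command), and hardware-resource interface must be set to bridge (view it with the display hardware-resource interface command). Use the following commands to change hardware-resource mdb and hardware-resource interface; the change takes effect after a reboot.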
[border1] hardware-resource mdb routing
[border1] hardware-resource interface bridge
S10506X-G
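On the S10506X-G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.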
[border1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
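On the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.
[border1] switch-mode slot 1 normal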
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
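S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be set to normal (view it with the display switch-mode status command), and system-working-mode must be set to expert (view it with the display system-working-mode command). Use the following commands to change switch-mode and system-working-mode; the change takes effect after a reboot.
This example uses slot 3.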
[border1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[border1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
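On the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.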
[border1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
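On the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.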
[border1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
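On the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC; the default is ROUTING. The two modes differ only in specifications, not in functionality. Keeping the default is recommended, and both ends should use the same mode. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command), and set hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change the values; the change takes effect after a reboot.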
[border1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
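On the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING (view it with the display hardware-resource switch-mode command), set hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command), and set hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change the values; the change takes effect after a reboot.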
[border1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[border1] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[border1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[border1] interface M-GigabitEthernet1/0/0/2
[border1-M-GigabitEthernet1/0/0/2] ip binding vpn-instance mgmt
[border1-M-GigabitEthernet1/0/0/2] ip address 192.168.11.8 255.255.255.0
[border1-M-GigabitEthernet1/0/0/2] quit
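(4) Configure the management user. This example uses the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters.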
[border1] local-user admin class manage
[border1-luser-manage-admin] password simple Qwert@1234
[border1-luser-manage-admin] service-type https ssh
[border1-luser-manage-admin] authorization-attribute user-role network-admin
[border1-luser-manage-admin] authorization-attribute user-role network-operator
[border1-luser-manage-admin] quit
(5) Configure VTY.
[border1] line vty 0 63
[border1-line-vty0-63] authentication-mode scheme
[border1-line-vty0-63] user-role network-admin
[border1-line-vty0-63] user-role network-operator
[border1-line-vty0-63] quit
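(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work correctly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".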
[border1] netconf soap https enable
[border1] netconf ssh server enable
(7) Enable the SSH service.
[border1] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses the NTP server IP address 192.168.10.101.
[border1] ntp-service enable
[border1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[border1] snmp-agent
[border1] snmp-agent community write private
[border1] snmp-agent community read public
[border1] snmp-agent sys-info version all
[border1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[border1] lldp global enable
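The management-plane steps above, for service-leaf2 and for border1, print sample values (the Qwert@1234 password, the public and private SNMP communities, `snmp-agent sys-info version all`, the IS-IS key 123456) that are easy to carry into a live device unchanged. The following lint is an added example, not part of the H3C guide: the rule names and the `lint` function are hypothetical, the first transcript is assembled from commands on this page, and the second is constructed.

```python
import re

# Strip a Comware prompt such as "[border1-luser-manage-admin] " or "<border1> ".
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")

# Secrets printed in this guide as examples; anyone with the manual knows them.
GUIDE_SAMPLE_SECRETS = {"Qwert@1234", "123456"}
# Community strings used in the guide's SNMP step; both are widely known defaults.
DEFAULT_COMMUNITIES = {"public", "private"}


def char_classes(secret):
    """Count how many of the four character types named in the guide are present."""
    return sum([
        any(c.isdigit() for c in secret),
        any(c.isupper() for c in secret),
        any(c.islower() for c in secret),
        any(not c.isalnum() for c in secret),
    ])


def lint(config_text):
    """Return (line_number, rule, command) for each risky management-plane line."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        cmd = PROMPT.sub("", raw).strip()

        # Local-user passwords and IS-IS keys entered in plaintext form.
        secret = re.match(r"(?:password|isis authentication-mode \S+) simple (\S+)$", cmd)
        if secret:
            value = secret.group(1)
            if value in GUIDE_SAMPLE_SECRETS:
                findings.append((number, "sample-secret", cmd))
            elif cmd.startswith("password") and char_classes(value) < 2:
                # The guide requires at least two character types.
                findings.append((number, "weak-password", cmd))

        community = re.match(r"snmp-agent community (?:read|write) (\S+)", cmd)
        if community and community.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append((number, "default-community", cmd))

        # "version all" turns on SNMPv1 and v2c (community-based) as well as v3.
        version = re.match(r"snmp-agent sys-info version (.+)$", cmd)
        if version and {"all", "v1", "v2c"} & set(version.group(1).split()):
            findings.append((number, "snmp-v1-v2c", cmd))
    return findings


# Commands copied from the border1 steps on this page.
GUIDE_SAMPLE = """
[border1] local-user admin class manage
[border1-luser-manage-admin] password simple Qwert@1234
[border1-luser-manage-admin] service-type https ssh
[border1] snmp-agent
[border1] snmp-agent community write private
[border1] snmp-agent community read public
[border1] snmp-agent sys-info version all
[border1-HundredGigE4/0/3] isis authentication-mode md5 simple 123456
""".strip()

# Constructed transcript: site-specific password, SNMPv3 only, no communities.
HARDENED = """
[border1-luser-manage-admin] password simple Constructed#Pass-7
[border1] snmp-agent sys-info version v3
""".strip()

if __name__ == "__main__":
    for number, rule, cmd in lint(GUIDE_SAMPLE):
        print(f"line {number}: {rule}: {cmd}")
```

Whatever replaces the sample password must also be entered as the NETCONF password when the device is added on the controller, since the guide requires the two to match.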
(1) Enable L2VPN.
[border1] l2vpn enable
(2) Disable learning of MAC, ARP, and ND entries from VXLAN tunnels.
[border1] vxlan tunnel mac-learning disable
[border1] vxlan tunnel arp-learning disable
[border1] vxlan tunnel nd-learning disable
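To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF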
[border1] ospf 1 router-id 192.168.11.8
[border1-ospf-1] non-stop-routing
[border1-ospf-1] area 0.0.0.0
[border1-ospf-1] quit
Configure IS-IS
[border1] isis 1
[border1-isis-1] non-stop-routing
[border1-isis-1] is-level level-2
[border1-isis-1] is-name user1
[border1-isis-1] network-entity 86.4713.0021.0100.0400.1008.00
[border1-isis-1] address-family ipv4 unicast
[border1-isis-1-ipv4] maximum load-balancing 4
[border1-isis-1-ipv4] quit
[border1-isis-1] quit
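Configure EBGP
The two Spine devices use AS number 500, and the four Leaf-role devices and two Border-role devices use AS number 501. EBGP peer relationships are established between the Spine devices and the Leaf-role and Border-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.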
[border1] interface LoopBack1
[border1-LoopBack1] ip address 4.1.1.7 255.255.255.255
[border1-LoopBack1] quit
[border1] bgp 501 instance Underlay
[border1-bgp-Underlay] non-stop-routing
[border1-bgp-Underlay] router-id 4.1.1.7
[border1-bgp-Underlay] group Spine external
[border1-bgp-Underlay] peer Spine as-number 500
[border1-bgp-Underlay] peer Spine ebgp-max-hop 2
[border1-bgp-Underlay] peer Spine connect-interface Loopback1
[border1-bgp-Underlay] peer 4.1.1.1 group Spine
[border1-bgp-Underlay] peer 4.1.1.2 group Spine
[border1-bgp-Underlay] address-family ipv4 unicast
[border1-bgp-Underlay-ipv4] balance 4
[border1-bgp-Underlay-ipv4] peer Spine enable
[border1-bgp-Underlay-ipv4] peer Spine allow-as-loop 2
[border1-bgp-Underlay-ipv4] quit
[border1-bgp-Underlay] quit
[border1] interface LoopBack0
[border1-LoopBack0] ip address 10.1.1.8 255.255.255.255
[border1-LoopBack0] quit
Select one routing protocol to configure:
Configure OSPF
[border1] interface LoopBack0
[border1-LoopBack0] ospf 1 area 0.0.0.0
[border1-LoopBack0] quit
Configure IS-IS
[border1] interface LoopBack0
[border1-LoopBack0] isis enable 1
[border1-LoopBack0] quit
Configure EBGP
[border1] bgp 501 instance Underlay
[border1-bgp-Underlay] address-family ipv4 unicast
[border1-bgp-Underlay-ipv4] network 10.1.1.8 255.255.255.255
[border1-bgp-Underlay-ipv4] quit
[border1-bgp-Underlay] quit
Configure IBGP
[border1] bgp 100
[border1-bgp-default] non-stop-routing
[border1-bgp-default] router-id 10.1.1.8
[border1-bgp-default] group evpn internal
[border1-bgp-default] peer evpn connect-interface Loopback0
[border1-bgp-default] peer 10.1.1.2 group evpn
[border1-bgp-default] peer 10.1.1.3 group evpn
[border1-bgp-default] address-family l2vpn evpn
[border1-bgp-default-evpn] peer evpn enable
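[border1-bgp-default-evpn] quit
[border1-bgp-default] quit
The following uses the interface connected to Spine 1 as an example. Configure the interface connected to Spine 2 in the same way.
The configuration of the interface connected to the Spine differs with the underlay routing protocol. Select one of OSPF, IS-IS, or EBGP to configure.
Configure OSPF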
[border1] interface HundredGigE4/0/3
[border1-HundredGigE4/0/3] port link-mode route
[border1-HundredGigE4/0/3] ip address unnumbered interface LoopBack0
[border1-HundredGigE4/0/3] ospf network-type p2p
[border1-HundredGigE4/0/3] ospf 1 area 0.0.0.0
[border1-HundredGigE4/0/3] lldp management-address arp-learning
[border1-HundredGigE4/0/3] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[border1-HundredGigE4/0/3] quit
Configure IS-IS
[border1] interface HundredGigE4/0/3
[border1-HundredGigE4/0/3] port link-mode route
[border1-HundredGigE4/0/3] ip address unnumbered interface LoopBack0
[border1-HundredGigE4/0/3] isis enable 1
[border1-HundredGigE4/0/3] isis circuit-level level-2
[border1-HundredGigE4/0/3] isis circuit-type p2p
[border1-HundredGigE4/0/3] isis authentication-mode md5 simple 123456
[border1-HundredGigE4/0/3] lldp management-address arp-learning
[border1-HundredGigE4/0/3] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[border1-HundredGigE4/0/3] quit
Configure EBGP
[border1] interface HundredGigE4/0/3
[border1-HundredGigE4/0/3] port link-mode route
[border1-HundredGigE4/0/3] ip address unnumbered interface LoopBack1
[border1-HundredGigE4/0/3] lldp management-address arp-learning
[border1-HundredGigE4/0/3] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[border1-HundredGigE4/0/3] arp route-direct advertise
[border1-HundredGigE4/0/3] quit
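The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, select one from the Available Global MAC values of the two devices.
On S12500G/S12500X/S7500X/S10500X devices, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.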
[border1] evpn global-mac 0001-0001-0004
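On a Border, the M-LAG real address command does not need to be configured; that is, the evpn m-lag local remote command is not required.
(1) Configure the M-LAG virtual address.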
[border1] interface LoopBack2
[border1-LoopBack2] ip address 10.20.1.8 255.255.255.255
[border1-LoopBack2] quit
Select one routing protocol to configure:
Configure OSPF
[border1] interface LoopBack2
[border1-LoopBack2] ospf 1 area 0.0.0.0
[border1-LoopBack2] quit
Configure IS-IS
[border1] interface LoopBack2
[border1-LoopBack2] isis enable 1
[border1-LoopBack2] isis circuit-level level-2
[border1-LoopBack2] quit
Configure EBGP
[border1] bgp 501 instance Underlay
[border1-bgp-Underlay] address-family ipv4 unicast
[border1-bgp-Underlay-ipv4] network 10.20.1.8 255.255.255.255
[border1-bgp-Underlay-ipv4] quit
[border1-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[border1] evpn m-lag group 10.20.1.8
(3) Use the M-LAG virtual address as the next hop of BGP routes.
[border1] bgp 100
[border1-bgp-default] address-family l2vpn evpn
[border1-bgp-default-evpn] nexthop evpn-m-lag group-address
[border1-bgp-default-evpn] quit
[border1-bgp-default] quit
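(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. Using the bridge MAC of either M-LAG device as the system-mac is recommended. Run the display lacp system-id command on a device to view its bridge MAC.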
[border1] m-lag system-mac 0002-0003-0004
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must use different system-number values, for example 1 on one M-LAG device and 2 on the other.
[border1] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[border1] m-lag system-priority 10
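The M-LAG rules stated above for service-leaf2 and border1 (same Global MAC, system-mac, system-priority and virtual address on both members, different system-number, Global MAC and system-mac unique across the network) can be checked offline against the planned configuration before the devices are onboarded. This checker is an added example, not H3C tooling: the function names are hypothetical, the border1 and service-leaf2 values are the ones on this page, and the border2 transcript is constructed with two deliberate mistakes.

```python
import re

# Strip a Comware prompt such as "[border1-bgp-default] " or "<border1> ".
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")

# Values that must be identical on both members of one M-LAG system.
MUST_MATCH = {
    "evpn global-mac": r"evpn global-mac (\S+)$",
    "evpn m-lag group": r"evpn m-lag group (\S+)$",
    "m-lag system-mac": r"m-lag system-mac (\S+)$",
    "m-lag system-priority": r"m-lag system-priority (\d+)$",
}
# Values that must differ between the two members.
MUST_DIFFER = {"m-lag system-number": r"m-lag system-number (\d+)$"}
# Values that no other M-LAG system in the network may reuse.
NETWORK_UNIQUE = ("evpn global-mac", "m-lag system-mac")


def extract(config_text):
    """Return {setting: value} for the M-LAG settings found in a CLI transcript."""
    found = {}
    for raw in config_text.splitlines():
        cmd = PROMPT.sub("", raw).strip()
        for name, pattern in {**MUST_MATCH, **MUST_DIFFER}.items():
            m = re.match(pattern, cmd, re.IGNORECASE)
            if m:
                found[name] = m.group(1).lower()  # MAC case is not significant
    return found


def check_pair(cfg_a, cfg_b):
    """Compare the two members of one M-LAG system; return a list of findings."""
    a, b = extract(cfg_a), extract(cfg_b)
    findings = []
    for name in list(MUST_MATCH) + list(MUST_DIFFER):
        if name not in a or name not in b:
            findings.append(f"{name}: not configured on both members")
        elif name in MUST_MATCH and a[name] != b[name]:
            findings.append(f"{name}: differs ({a[name]} vs {b[name]})")
        elif name in MUST_DIFFER and a[name] == b[name]:
            findings.append(f"{name}: same value {a[name]} on both members")
    return findings


def check_network_unique(systems):
    """systems maps an M-LAG system name to the transcript of one of its members."""
    findings, seen = [], {}
    for system, cfg in systems.items():
        values = extract(cfg)
        for name in NETWORK_UNIQUE:
            if name not in values:
                continue
            key = (name, values[name])
            if key in seen:
                findings.append(f"{name} {values[name]} reused by {seen[key]} and {system}")
            else:
                seen[key] = system
    return findings


# Values shown on this page for border1 and service-leaf2.
BORDER1 = """
[border1] evpn global-mac 0001-0001-0004
[border1] evpn m-lag group 10.20.1.8
[border1] m-lag system-mac 0002-0003-0004
[border1] m-lag system-number 2
[border1] m-lag system-priority 10
"""
SERVICE_LEAF2 = """
[service-leaf2] evpn global-mac 0001-0001-0003
[service-leaf2] evpn m-lag group 10.20.1.6
[service-leaf2] m-lag system-mac 0002-0003-0003
[service-leaf2] m-lag system-number 1
[service-leaf2] m-lag system-priority 10
"""
# Constructed peer: system-number duplicates border1, system-priority differs.
BORDER2_BAD = """
[border2] evpn global-mac 0001-0001-0004
[border2] evpn m-lag group 10.20.1.8
[border2] m-lag system-mac 0002-0003-0004
[border2] m-lag system-number 2
[border2] m-lag system-priority 20
"""

if __name__ == "__main__":
    for finding in check_pair(BORDER1, BORDER2_BAD):
        print("pair:", finding)
    for finding in check_network_unique({"service-leaf": SERVICE_LEAF2, "border": BORDER1}):
        print("network:", finding)
```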
(1) Create VLANs.
[border1] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[border1] interface Bridge-Aggregation1
[border1-Bridge-Aggregation1] port link-type trunk
[border1-Bridge-Aggregation1] port trunk permit vlan all
[border1-Bridge-Aggregation1] port trunk pvid vlan 4094
[border1-Bridge-Aggregation1] link-aggregation mode dynamic
[border1-Bridge-Aggregation1] port m-lag peer-link 1
[border1-Bridge-Aggregation1] undo mac-address static source-check enable
[border1-Bridge-Aggregation1] quit
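On S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: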
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[border1] interface HundredGigE4/0/1
[border1-HundredGigE4/0/1] port link-mode bridge
[border1-HundredGigE4/0/1] port link-type trunk
[border1-HundredGigE4/0/1] port trunk permit vlan all
[border1-HundredGigE4/0/1] port trunk pvid vlan 4094
[border1-HundredGigE4/0/1] port link-aggregation group 1
[border1-HundredGigE4/0/1] quit
(4) Configure peer-link physical interface 2.
[border1] interface HundredGigE4/0/2
[border1-HundredGigE4/0/2] port link-mode bridge
[border1-HundredGigE4/0/2] port link-type trunk
[border1-HundredGigE4/0/2] port trunk permit vlan all
[border1-HundredGigE4/0/2] port trunk pvid vlan 4094
[border1-HundredGigE4/0/2] port link-aggregation group 1
[border1-HundredGigE4/0/2] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the links come MAD UP only after the specified delay.
[border1] m-lag restore-delay 180
(2) Configure the VPN.
[border1] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[border1] interface Ten-GigabitEthernet6/0/48
[border1-Ten-GigabitEthernet6/0/48] port link-mode route
[border1-Ten-GigabitEthernet6/0/48] ip binding vpn-instance auto-online-mlag
[border1-Ten-GigabitEthernet6/0/48] ip address 10.10.1.13 255.255.255.252
[border1-Ten-GigabitEthernet6/0/48] quit
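(4) Configure the M-LAG MAD whitelist.
All physical interfaces must be added to the whitelist, except the M-LAG peer-link interfaces, the MAD interface, and the interfaces to be added to the service loopback group.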
[border1] m-lag mad default-action none
[border1] m-lag keepalive ip destination 10.10.1.14 source 10.10.1.13 vpn-instance auto-online-mlag
[border1] m-lag mad include interface FortyGigE1/3/0/2
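…omitted…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 go DOWN at the same time, traffic from the downlink interfaces of device 1 reaches the uplink interfaces of device 2 over the peer-link escape path, so that connectivity with other devices is maintained. Using the PVID VLAN of the peer-link interface as the escape VLAN is recommended.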
[border1] interface Vlan-interface4094
[border1-Vlan-interface4094] ip address 10.30.1.13 255.255.255.252
[border1-Vlan-interface4094] quit
Select one routing protocol to configure:
Configure OSPF
[border1] interface Vlan-interface4094
[border1-Vlan-interface4094] ospf 1 area 0.0.0.0
[border1-Vlan-interface4094] quit
Configure IS-IS
[border1] interface Vlan-interface4094
[border1-Vlan-interface4094] isis enable 1
[border1-Vlan-interface4094] quit
Configure EBGP
[border1] route-policy ibgpsurvive permit node 100
[border1-route-policy-ibgpsurvive-100] apply local-preference 0
[border1-route-policy-ibgpsurvive-100] quit
[border1] bgp 501 instance Underlay
[border1-bgp-Underlay] peer 10.30.1.14 as-number 501
[border1-bgp-Underlay] address-family ipv4 unicast
[border1-bgp-Underlay-ipv4] network 10.30.1.13 255.255.255.252
[border1-bgp-Underlay-ipv4] peer 10.30.1.14 route-policy ibgpsurvive export
[border1-bgp-Underlay-ipv4] peer 10.30.1.14 next-hop-local
[border1-bgp-Underlay-ipv4] quit
[border1-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[border1] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
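· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: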
[border1] l2vpn m-lag peer-link tunnel source 10.1.1.8 destination 10.1.1.9
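So that the M-LAG Border can correctly decapsulate packets that an M-LAG Leaf forwards to it for single-homed VMs, configure the default decapsulation address on the M-LAG Border as the M-LAG Border virtual address.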
[border1] vxlan default-decapsulation source interface LoopBack2
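The auto-recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. The reference value is 600 seconds for chassis devices such as the S12500G/S12500X/S10500X/S7500X, and 300 seconds for fixed-port devices such as the S68XX. Configure it as follows: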
[border1] m-lag auto-recovery reload-delay 600
(1) Configure the interfaces connected to FW device 1.
[border1] interface Bridge-Aggregation3
[border1-Bridge-Aggregation3] port link-type trunk
[border1-Bridge-Aggregation3] undo port trunk permit vlan 1
[border1-Bridge-Aggregation3] link-aggregation mode dynamic
[border1-Bridge-Aggregation3] port m-lag group 2
[border1-Bridge-Aggregation3] stp edged-port
[border1-Bridge-Aggregation3] quit
[border1] interface Ten-GigabitEthernet6/0/1
[border1-Ten-GigabitEthernet6/0/1] port link-mode bridge
[border1-Ten-GigabitEthernet6/0/1] port link-type trunk
[border1-Ten-GigabitEthernet6/0/1] undo port trunk permit vlan 1
[border1-Ten-GigabitEthernet6/0/1] port link-aggregation group 3
[border1-Ten-GigabitEthernet6/0/1] quit
(2) Configure the interfaces connected to FW device 2.
[border1] interface Bridge-Aggregation4
[border1-Bridge-Aggregation4] port link-type trunk
[border1-Bridge-Aggregation4] undo port trunk permit vlan 1
[border1-Bridge-Aggregation4] link-aggregation mode dynamic
[border1-Bridge-Aggregation4] port m-lag group 3
[border1-Bridge-Aggregation4] stp edged-port
[border1-Bridge-Aggregation4] quit
[border1] interface Ten-GigabitEthernet6/0/2
[border1-Ten-GigabitEthernet6/0/2] port link-mode bridge
[border1-Ten-GigabitEthernet6/0/2] port link-type trunk
[border1-Ten-GigabitEthernet6/0/2] undo port trunk permit vlan 1
[border1-Ten-GigabitEthernet6/0/2] port link-aggregation group 4
[border1-Ten-GigabitEthernet6/0/2] quit
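The service VLANs must be permitted on the aggregate interfaces connected to the FWs. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.
(1) Configure the interfaces connected to LB device 1.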
[border1] interface Bridge-Aggregation5
[border1-Bridge-Aggregation5] port link-type trunk
[border1-Bridge-Aggregation5] undo port trunk permit vlan 1
[border1-Bridge-Aggregation5] link-aggregation mode dynamic
[border1-Bridge-Aggregation5] port m-lag group 4
[border1-Bridge-Aggregation5] stp edged-port
[border1-Bridge-Aggregation5] quit
[border1] interface Ten-GigabitEthernet6/0/3
[border1-Ten-GigabitEthernet6/0/3] port link-mode bridge
[border1-Ten-GigabitEthernet6/0/3] port link-type trunk
[border1-Ten-GigabitEthernet6/0/3] undo port trunk permit vlan 1
[border1-Ten-GigabitEthernet6/0/3] port link-aggregation group 5
[border1-Ten-GigabitEthernet6/0/3] quit
(2) Configure the interfaces connected to LB device 2.
[border1] interface Bridge-Aggregation6
[border1-Bridge-Aggregation6] port link-type trunk
[border1-Bridge-Aggregation6] undo port trunk permit vlan 1
[border1-Bridge-Aggregation6] link-aggregation mode dynamic
[border1-Bridge-Aggregation6] port m-lag group 5
[border1-Bridge-Aggregation6] stp edged-port
[border1-Bridge-Aggregation6] quit
[border1] interface Ten-GigabitEthernet6/0/4
[border1-Ten-GigabitEthernet6/0/4] port link-mode bridge
[border1-Ten-GigabitEthernet6/0/4] port link-type trunk
[border1-Ten-GigabitEthernet6/0/4] undo port trunk permit vlan 1
[border1-Ten-GigabitEthernet6/0/4] port link-aggregation group 6
[border1-Ten-GigabitEthernet6/0/4] quit
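The service VLANs must be permitted on the aggregate interfaces connected to the LBs. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.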
[border1] interface Bridge-Aggregation2
[border1-Bridge-Aggregation2] port link-type trunk
[border1-Bridge-Aggregation2] undo port trunk permit vlan 1
[border1-Bridge-Aggregation2] link-aggregation mode dynamic
[border1-Bridge-Aggregation2] port m-lag group 1
[border1-Bridge-Aggregation2] quit
[border1] interface Ten-GigabitEthernet6/0/5
[border1-Ten-GigabitEthernet6/0/5] port link-mode bridge
[border1-Ten-GigabitEthernet6/0/5] port link-type trunk
[border1-Ten-GigabitEthernet6/0/5] undo port trunk permit vlan 1
[border1-Ten-GigabitEthernet6/0/5] port link-aggregation group 2
[border1-Ten-GigabitEthernet6/0/5] quit
[border1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
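(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions column for fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
○ Device name: border1.
○ Basic info:
- Fabric: fabric1. Do not use the controller's default Fabric, DEFAULTFABRIC.
- Device type: Border device.
- Management IP: 192.168.11.8.
- VTEP IP: 10.1.1.8.
- Preferred region: region1.
- Device role: Leaf.
- Configure other parameters as needed. The default settings are used in this example.
Figure 74 Adding a switching device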
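(3) Click the "Device Control Protocol" tab and configure the following parameters:
○ NETCONF username: admin.
○ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
○ Confirm NETCONF password: Qwert@1234.
○ Configure other parameters as needed. The default settings are used in this example.
Figure 75 Adding a switching device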

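(4) Click the "VXLAN" tab and configure the VXLAN parameters as needed. The default settings are used in this example.
Figure 76 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
○ VRF name: name of the VPN to which the management interface of the switching device belongs. mgmt is used in this example.
○ Configure other parameters as needed. The default settings are used in this example.
Figure 77 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as needed. The default settings are used in this example.
Figure 78 Advanced configuration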

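(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the network.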
<border2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<border2> reboot force
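After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G-AF T series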
[border2] hardware-resource tcam normal
[border2] hardware-resource routing-mode ipv6-128
[border2] hardware-resource vxlan l3gw
S12500X
[border2] hardware-resource tcam routing
[border2] hardware-resource vxlan normal
[border2] hardware-resource mcast normal
[border2] hardware-resource scale-rt-prefix none
[border2] hardware-resource mpls normal
[border2] hardware-resource parser normal
S6800
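When the S6800 acts as a Leaf or Border, configure the hardware resources according to the services in use. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".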
[border2] hardware-resource switch-mode 4
[border2] hardware-resource routing-mode ipv6-128
[border2] hardware-resource vxlan Border40k
S6860
[border2] hardware-resource switch-mode 4
[border2] hardware-resource routing-mode ipv6-128
[border2] hardware-resource vxlan Border24k
S6850/S9850/S6805/S6825
[border2] hardware-resource switch-mode DUAL-STACK
[border2] hardware-resource routing-mode ipv6-128
[border2] hardware-resource vxlan l3gw
S10500X
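On the S10500X, the hardware resource parameter switch-mode must use its default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
(1) Modify the interface module parameter. Slot 0 is used as an example.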
[border2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Modify the MPU parameter. Slot 6 is used as an example.
[border2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
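S7500X
On the S7500X, the hardware resource parameter switch-mode must use its default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set on the MPU. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
Modify the interface module parameter. Slot 2 is used as an example.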
[border2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
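S12500G-AF S series
On the S12500G-AF S series, the hardware resource parameter switch-mode must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). switch-mode and system-working-mode can be changed with the following commands. The changes take effect after a reboot.
Slot 3 is used as an example.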
[border2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[border2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
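S12500R series
On the S12500R series, the hardware resource parameter hardware-resource mdb must be routing (use the display hardware-resource mdb command to view the configured value), and hardware-resource interface must be bridge (use the display hardware-resource interface command to view the configured value). hardware-resource mdb and hardware-resource interface can be changed with the following commands. The changes take effect after a reboot.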
[border2] hardware-resource mdb routing
[border2] hardware-resource interface bridge
S10506X-G
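On the S10506X-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.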
[border2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
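On the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.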
[border2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
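S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). switch-mode and system-working-mode can be changed with the following commands. The changes take effect after a reboot.
Slot 3 is used as an example.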
[border2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[border2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
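On the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.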
[border2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
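On the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.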
[border2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
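On the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in capacity and have no functional impact. Keeping the default value is recommended, and both ends should use the same mode. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (use the display hardware-resource routing-mode command to view the configured value) and hardware-resource vxlan to L3GW (use the display hardware-resource vxlan command to view the configured value). These can be changed with the following commands. The changes take effect after a reboot.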
[border2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
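On the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING (use the display hardware-resource switch-mode command to view the configured value), hardware-resource routing-mode to ipv6-128 (use the display hardware-resource routing-mode command to view the configured value), and hardware-resource vxlan to L3GW (use the display hardware-resource vxlan command to view the configured value). These can be changed with the following commands. The changes take effect after a reboot.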
[border2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN instance.
[border2] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[border2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[border2] interface M-GigabitEthernet1/0/0/2
[border2-M-GigabitEthernet1/0/0/2] ip binding vpn-instance mgmt
[border2-M-GigabitEthernet1/0/0/2] ip address 192.168.11.9 255.255.255.0
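(4) Configure the management user. The username admin and the password Qwert@1234 are used as an example. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured. Otherwise, those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".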
[border2] local-user admin class manage
[border2-luser-manage-admin] password simple Qwert@1234
[border2-luser-manage-admin] service-type https ssh
[border2-luser-manage-admin] authorization-attribute user-role network-admin
[border2-luser-manage-admin] authorization-attribute user-role network-operator
[border2-luser-manage-admin] quit
(5) Configure the VTY lines.
[border2] line vty 0 63
[border2-line-vty0-63] authentication-mode scheme
[border2-line-vty0-63] user-role network-admin
[border2-line-vty0-63] user-role network-operator
[border2-line-vty0-63] quit
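(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured. Otherwise, those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".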
[border2] netconf soap https enable
[border2] netconf ssh server enable
(7) Enable the SSH service.
[border2] ssh server enable
(8) Configure NTP. Perform this step when the network has an NTP server. The NTP server IP 192.168.10.101 is used as an example.
[border2] ntp-service enable
[border2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[border2] snmp-agent
[border2] snmp-agent community write private
[border2] snmp-agent community read public
[border2] snmp-agent sys-info version all
[border2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[border2] lldp global enable
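The management-plane steps above can be checked before a command script is pushed to a device. The following is an added example, not part of the original guide or of any H3C tool: it checks the requirements the guide states (password with at least two character types, service-type https, netconf soap https enable, scheme authentication on the VTY lines) and, as this example's own policy, flags credentials that are still the sample values printed in the guide. The function names and the second sample script are constructed for illustration.

```python
import re

# Sample credentials printed in this guide; used here as a deny-list.
DOC_SAMPLE_SECRETS = {"Qwert@1234", "public", "private", "123456"}

# Strips CLI prompts such as "[border2-luser-manage-admin] ".
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")

SECRET_RULES = [
    ("local-user password", r"password simple (\S+)"),
    ("SNMP community",
     r"snmp-agent community (?:read|write) (?:(?:simple|cipher) )?(\S+)"),
    ("IS-IS authentication key", r"isis authentication-mode \S+ simple (\S+)"),
]


def char_classes(secret):
    """Count how many of the four character types named in the guide appear."""
    tests = (r"[0-9]", r"[A-Z]", r"[a-z]", r"[^0-9A-Za-z]")
    return sum(1 for t in tests if re.search(t, secret))


def audit_management_plane(script):
    """Return a list of findings for a pre-provisioning command script."""
    lines = [PROMPT.sub("", raw).strip() for raw in script.splitlines()]
    findings = []
    for line in lines:
        for label, pattern in SECRET_RULES:
            m = re.match(pattern, line)
            if not m:
                continue
            secret = m.group(1)
            if secret in DOC_SAMPLE_SECRETS:
                findings.append(f"{label}: still the sample value from the guide")
            elif label == "local-user password" and char_classes(secret) < 2:
                findings.append(f"{label}: fewer than two character types")
    service = [l.split() for l in lines if l.startswith("service-type ")]
    if not any("https" in tokens for tokens in service):
        findings.append("local user is missing service-type https")
    if "netconf soap https enable" not in lines:
        findings.append("netconf soap https enable is not configured")
    if "authentication-mode scheme" not in lines:
        findings.append("VTY lines do not use authentication-mode scheme")
    return findings


# Constructed input 1: the commands exactly as printed in the guide.
GUIDE_SCRIPT = """\
[border2] local-user admin class manage
[border2-luser-manage-admin] password simple Qwert@1234
[border2-luser-manage-admin] service-type https ssh
[border2] line vty 0 63
[border2-line-vty0-63] authentication-mode scheme
[border2] netconf soap https enable
[border2] snmp-agent community write private
[border2] snmp-agent community read public
"""

# Constructed input 2: site-specific secrets, but service-type https was dropped.
REVISED_SCRIPT = """\
local-user admin class manage
password simple xK7#pd02Lq
service-type ssh
line vty 0 63
authentication-mode scheme
netconf soap https enable
snmp-agent community read fab1-ro-7Hq2
"""

if __name__ == "__main__":
    for name, text in (("guide", GUIDE_SCRIPT), ("revised", REVISED_SCRIPT)):
        print(name, audit_management_plane(text))
```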
(1) Enable L2VPN.
[border2] l2vpn enable
(2) Disable MAC, ARP, and ND learning from VXLAN tunnels.
[border2] vxlan tunnel mac-learning disable
[border2] vxlan tunnel arp-learning disable
[border2] vxlan tunnel nd-learning disable
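To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameters] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The Underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF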
[border2] ospf 1 router-id 192.168.11.9
[border2-ospf-1] non-stop-routing
[border2-ospf-1] area 0.0.0.0
[border2-ospf-1] quit
Configure IS-IS
[border2] isis 1
[border2-isis-1] non-stop-routing
[border2-isis-1] is-level level-2
[border2-isis-1] is-name user1
[border2-isis-1] network-entity 86.4713.0021.0100.0400.1009.00
[border2-isis-1] address-family ipv4 unicast
[border2-isis-1-ipv4] maximum load-balancing 4
[border2-isis-1-ipv4] quit
[border2-isis-1] quit
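Configure EBGP
The two Spine devices use AS number 500, and the four Leaf-role devices and two Border-role devices use AS number 501. EBGP peering is established between the Spine devices and the Leaf-role and Border-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.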
[border2] interface LoopBack1
[border2-LoopBack1] ip address 4.1.1.8 255.255.255.255
[border2-LoopBack1] quit
[border2] bgp 501 instance Underlay
[border2-bgp-Underlay] non-stop-routing
[border2-bgp-Underlay] router-id 4.1.1.8
[border2-bgp-Underlay] group Spine external
[border2-bgp-Underlay] peer Spine as-number 500
[border2-bgp-Underlay] peer Spine ebgp-max-hop 2
[border2-bgp-Underlay] peer Spine connect-interface Loopback1
[border2-bgp-Underlay] peer 4.1.1.1 group Spine
[border2-bgp-Underlay] peer 4.1.1.2 group Spine
[border2-bgp-Underlay] address-family ipv4 unicast
[border2-bgp-Underlay-ipv4] balance 4
[border2-bgp-Underlay-ipv4] peer Spine enable
[border2-bgp-Underlay-ipv4] peer Spine allow-as-loop 2
[border2-bgp-Underlay-ipv4] quit
[border2-bgp-Underlay] quit
[border2] interface LoopBack0
[border2-LoopBack0] ip address 10.1.1.9 255.255.255.255
[border2-LoopBack0] quit
Configure one of the following routing protocols:
Configure OSPF
[border2] interface LoopBack0
[border2-LoopBack0] ospf 1 area 0.0.0.0
[border2-LoopBack0] quit
Configure IS-IS
[border2] interface LoopBack0
[border2-LoopBack0] isis enable 1
[border2-LoopBack0] quit
Configure EBGP
[border2] bgp 501 instance Underlay
[border2-bgp-Underlay] address-family ipv4 unicast
[border2-bgp-Underlay-ipv4] network 10.1.1.9 255.255.255.255
[border2-bgp-Underlay-ipv4] quit
[border2-bgp-Underlay] quit
Configure IBGP
[border2] bgp 100
[border2-bgp-default] non-stop-routing
[border2-bgp-default] router-id 10.1.1.9
[border2-bgp-default] group evpn internal
[border2-bgp-default] peer evpn connect-interface Loopback0
[border2-bgp-default] peer 10.1.1.2 group evpn
[border2-bgp-default] peer 10.1.1.3 group evpn
[border2-bgp-default] address-family l2vpn evpn
[border2-bgp-default-evpn] peer evpn enable
[border2-bgp-default-evpn] quit
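The configuration of the interface connected to Spine 1 is used as an example. Configure the interface connected to Spine 2 in the same way.
The configuration of the interfaces connected to the Spines depends on the Underlay routing protocol. Choose one of OSPF, IS-IS, or EBGP.
Configure OSPF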
[border2] interface HundredGigE4/0/3
[border2-HundredGigE4/0/3] port link-mode route
[border2-HundredGigE4/0/3] ip address unnumbered interface LoopBack0
[border2-HundredGigE4/0/3] ospf network-type p2p
[border2-HundredGigE4/0/3] ospf 1 area 0.0.0.0
[border2-HundredGigE4/0/3] lldp management-address arp-learning
[border2-HundredGigE4/0/3] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[border2-HundredGigE4/0/3] quit
Configure IS-IS
[border2] interface HundredGigE4/0/3
[border2-HundredGigE4/0/3] port link-mode route
[border2-HundredGigE4/0/3] ip address unnumbered interface LoopBack0
[border2-HundredGigE4/0/3] isis circuit-level level-2
[border2-HundredGigE4/0/3] isis circuit-type p2p
[border2-HundredGigE4/0/3] isis authentication-mode md5 simple 123456
[border2-HundredGigE4/0/3] lldp management-address arp-learning
[border2-HundredGigE4/0/3] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[border2-HundredGigE4/0/3] quit
Configure EBGP
[border2] interface HundredGigE4/0/3
[border2-HundredGigE4/0/3] port link-mode route
[border2-HundredGigE4/0/3] ip address unnumbered interface LoopBack1
[border2-HundredGigE4/0/3] lldp management-address arp-learning
[border2-HundredGigE4/0/3] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[border2-HundredGigE4/0/3] arp route-direct advertise
[border2-HundredGigE4/0/3] quit
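The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE. Alternatively, choose one from the Available Global MAC values of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe view to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the network.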
[border2] evpn global-mac 0001-0001-0004
On a Border, the M-LAG real address command (evpn m-lag local remote) does not need to be configured.
(1) Configure the M-LAG virtual address.
[border2] interface LoopBack2
[border2-LoopBack2] ip address 10.20.1.8 255.255.255.255
[border2-LoopBack2] quit
Configure one of the following routing protocols:
Configure OSPF
[border2] interface LoopBack2
[border2-LoopBack2] ospf 1 area 0.0.0.0
[border2-LoopBack2] quit
Configure IS-IS
[border2] interface LoopBack2
[border2-LoopBack2] isis enable 1
[border2-LoopBack2] isis circuit-level level-2
[border2-LoopBack2] quit
Configure EBGP
[border2] bgp 501 instance Underlay
[border2-bgp-Underlay] address-family ipv4 unicast
[border2-bgp-Underlay-ipv4] network 10.20.1.8 255.255.255.255
[border2-bgp-Underlay-ipv4] quit
[border2-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[border2] evpn m-lag group 10.20.1.8
(3) Use the M-LAG virtual address as the next hop of BGP routes.
[border2] bgp 100
[border2-bgp-default] address-family l2vpn evpn
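[border2-bgp-default-evpn] nexthop evpn-m-lag group-address
[border2-bgp-default-evpn] quit
(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the network. Using the bridge MAC of either M-LAG device as the system-mac is recommended. Run the display lacp system-id command on the device to view its bridge MAC.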
[border2] m-lag system-mac 0002-0003-0004
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must use different system-numbers, for example 1 on one M-LAG device and 2 on the other.
[border2] m-lag system-number 1
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[border2] m-lag system-priority 10
(1) Create VLANs.
[border2] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[border2] interface Bridge-Aggregation1
[border2-Bridge-Aggregation1] port link-type trunk
[border2-Bridge-Aggregation1] port trunk permit vlan all
[border2-Bridge-Aggregation1] port trunk pvid vlan 4094
[border2-Bridge-Aggregation1] link-aggregation mode dynamic
[border2-Bridge-Aggregation1] port m-lag peer-link 1
[border2-Bridge-Aggregation1] undo mac-address static source-check enable
[border2-Bridge-Aggregation1] quit
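On S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: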
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[border2] interface HundredGigE4/0/1
[border2-HundredGigE4/0/1] port link-mode bridge
[border2-HundredGigE4/0/1] port link-type trunk
[border2-HundredGigE4/0/1] port trunk permit vlan all
[border2-HundredGigE4/0/1] port trunk pvid vlan 4094
[border2-HundredGigE4/0/1] port link-aggregation group 1
[border2-HundredGigE4/0/1] quit
(4) Configure peer-link physical interface 2.
[border2] interface HundredGigE4/0/2
[border2-HundredGigE4/0/2] port link-mode bridge
[border2-HundredGigE4/0/2] port link-type trunk
[border2-HundredGigE4/0/2] port trunk permit vlan all
[border2-HundredGigE4/0/2] port trunk pvid vlan 4094
[border2-HundredGigE4/0/2] port link-aggregation group 1
[border2-HundredGigE4/0/2] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the link becomes MAD UP only after the specified delay has elapsed.
[border2] m-lag restore-delay 180
(2) Configure the VPN instance.
[border2] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[border2] interface Ten-GigabitEthernet6/0/48
[border2-Ten-GigabitEthernet6/0/48] port link-mode route
[border2-Ten-GigabitEthernet6/0/48] ip binding vpn-instance auto-online-mlag
[border2-Ten-GigabitEthernet6/0/48] ip address 10.10.1.14 255.255.255.252
[border2-Ten-GigabitEthernet6/0/48] quit
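(4) Configure the M-LAG MAD whitelist.
Except for the M-LAG peer-link interfaces, the MAD interface, and interfaces that will join a service loopback group, all other physical interfaces must be added to the whitelist.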
[border2] m-lag mad default-action none
[border2] m-lag keepalive ip destination 10.10.1.13 source 10.10.1.14 vpn-instance auto-online-mlag
[border2] m-lag mad include interface FortyGigE1/3/0/2
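... (omitted) ...
When the uplink interfaces of device 1 and the downlink interfaces of device 2 go DOWN at the same time, traffic from the downlink interfaces of device 1 reaches the uplink interfaces of device 2 through the escape path over the peer-link, so connectivity with other devices is maintained.
Using the PVID VLAN of the peer-link interface as the escape VLAN is recommended, with an IP address that uses a 30-bit mask and is advertised across the whole network.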
[border2] interface Vlan-interface4094
[border2-Vlan-interface4094] ip address 10.30.1.14 255.255.255.252
[border2-Vlan-interface4094] quit
Configure one of the following routing protocols:
Configure OSPF
[border2] interface Vlan-interface4094
[border2-Vlan-interface4094] ospf 1 area 0.0.0.0
[border2-Vlan-interface4094] quit
Configure IS-IS
[border2] interface Vlan-interface4094
[border2-Vlan-interface4094] isis enable 1
[border2-Vlan-interface4094] quit
Configure EBGP
[border2] route-policy ibgpsurvive permit node 100
[border2-route-policy-ibgpsurvive-100] apply local-preference 0
[border2-route-policy-ibgpsurvive-100] quit
[border2] bgp 501 instance Underlay
[border2-bgp-Underlay] peer 10.30.1.13 as-number 501
[border2-bgp-Underlay] address-family ipv4 unicast
[border2-bgp-Underlay-ipv4] network 10.30.1.14 255.255.255.252
[border2-bgp-Underlay-ipv4] peer 10.30.1.13 route-policy ibgpsurvive export
[border2-bgp-Underlay-ipv4] peer 10.30.1.13 next-hop-local
[border2-bgp-Underlay-ipv4] quit
[border2-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[border2] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
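· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: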
[border2] l2vpn m-lag peer-link tunnel source 10.1.1.9 destination 10.1.1.8
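So that the M-LAG Border can correctly decapsulate packets that an M-LAG Leaf forwards to it for single-homed VMs, configure the default decapsulation address on the M-LAG Border as the M-LAG Border virtual address.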
[border2] vxlan default-decapsulation source interface LoopBack2
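The auto-recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. The reference value is 600 seconds for chassis devices such as the S12500G/S12500X/S10500X/S7500X, and 300 seconds for fixed-port devices such as the S68XX. Configure it as follows: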
[border2] m-lag auto-recovery reload-delay 600
(1) Configure the interfaces connected to FW device 1.
[border2] interface Bridge-Aggregation3
[border2-Bridge-Aggregation3] port link-type trunk
[border2-Bridge-Aggregation3] undo port trunk permit vlan 1
[border2-Bridge-Aggregation3] link-aggregation mode dynamic
[border2-Bridge-Aggregation3] port m-lag group 2
[border2-Bridge-Aggregation3] stp edged-port
[border2-Bridge-Aggregation3] quit
[border2] interface Ten-GigabitEthernet6/0/1
[border2-Ten-GigabitEthernet6/0/1] port link-mode bridge
[border2-Ten-GigabitEthernet6/0/1] port link-type trunk
[border2-Ten-GigabitEthernet6/0/1] undo port trunk permit vlan 1
[border2-Ten-GigabitEthernet6/0/1] port link-aggregation group 3
[border2-Ten-GigabitEthernet6/0/1] quit
(2) Configure the interfaces connected to FW device 2.
[border2] interface Bridge-Aggregation4
[border2-Bridge-Aggregation4] port link-type trunk
[border2-Bridge-Aggregation4] undo port trunk permit vlan 1
[border2-Bridge-Aggregation4] link-aggregation mode dynamic
[border2-Bridge-Aggregation4] port m-lag group 3
[border2-Bridge-Aggregation4] stp edged-port
[border2-Bridge-Aggregation4] quit
[border2] interface Ten-GigabitEthernet6/0/2
[border2-Ten-GigabitEthernet6/0/2] port link-mode bridge
[border2-Ten-GigabitEthernet6/0/2] port link-type trunk
[border2-Ten-GigabitEthernet6/0/2] undo port trunk permit vlan 1
[border2-Ten-GigabitEthernet6/0/2] port link-aggregation group 4
[border2-Ten-GigabitEthernet6/0/2] quit
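The service VLANs must be permitted on the aggregate interfaces connected to the FWs. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.
(1) Configure the interfaces connected to LB device 1.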
[border2] interface Bridge-Aggregation5
[border2-Bridge-Aggregation5] port link-type trunk
[border2-Bridge-Aggregation5] undo port trunk permit vlan 1
[border2-Bridge-Aggregation5] link-aggregation mode dynamic
[border2-Bridge-Aggregation5] port m-lag group 4
[border2-Bridge-Aggregation5] stp edged-port
[border2-Bridge-Aggregation5] quit
[border2] interface Ten-GigabitEthernet6/0/3
[border2-Ten-GigabitEthernet6/0/3] port link-mode bridge
[border2-Ten-GigabitEthernet6/0/3] port link-type trunk
[border2-Ten-GigabitEthernet6/0/3] undo port trunk permit vlan 1
[border2-Ten-GigabitEthernet6/0/3] port link-aggregation group 5
[border2-Ten-GigabitEthernet6/0/3] quit
(2) Configure the interfaces connected to LB device 2.
[border2] interface Bridge-Aggregation6
[border2-Bridge-Aggregation6] port link-type trunk
[border2-Bridge-Aggregation6] undo port trunk permit vlan 1
[border2-Bridge-Aggregation6] link-aggregation mode dynamic
[border2-Bridge-Aggregation6] port m-lag group 5
[border2-Bridge-Aggregation6] stp edged-port
[border2-Bridge-Aggregation6] quit
[border2] interface Ten-GigabitEthernet6/0/4
[border2-Ten-GigabitEthernet6/0/4] port link-mode bridge
[border2-Ten-GigabitEthernet6/0/4] port link-type trunk
[border2-Ten-GigabitEthernet6/0/4] undo port trunk permit vlan 1
[border2-Ten-GigabitEthernet6/0/4] port link-aggregation group 6
[border2-Ten-GigabitEthernet6/0/4] quit
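Note: The service VLANs must be permitted on the aggregate interfaces connected to the LBs. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.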
[border2] interface Bridge-Aggregation2
[border2-Bridge-Aggregation2] port link-type trunk
[border2-Bridge-Aggregation2] undo port trunk permit vlan 1
[border2-Bridge-Aggregation2] link-aggregation mode dynamic
[border2-Bridge-Aggregation2] port m-lag group 1
[border2-Bridge-Aggregation2] quit
[border2] interface Ten-GigabitEthernet6/0/5
[border2-Ten-GigabitEthernet6/0/5] port link-mode bridge
[border2-Ten-GigabitEthernet6/0/5] port link-type trunk
[border2-Ten-GigabitEthernet6/0/5] undo port trunk permit vlan 1
[border2-Ten-GigabitEthernet6/0/5] port link-aggregation group 2
[border2-Ten-GigabitEthernet6/0/5] quit
[border2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
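The guide requires the two M-LAG members to share the Global MAC, system-mac, system-priority, and M-LAG virtual address while using different system-numbers, and its keepalive commands are mirror images of each other. The following is an added example, not part of the original guide or of any H3C tool, that compares two members' command listings against those rules. The function names are constructed, the mirrored-keepalive rule is inferred from the values the guide shows, and the border1 excerpt is a constructed sample in which system-number 2 is an assumed value.

```python
import re

# Strips CLI prompts such as "[border2] " so pasted sessions can be compared.
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")

# Settings the guide says must be identical on both members.
MUST_MATCH = {
    "global-mac": r"evpn global-mac (\S+)",
    "m-lag virtual address": r"evpn m-lag group (\S+)",
    "system-mac": r"m-lag system-mac (\S+)",
    "system-priority": r"m-lag system-priority (\d+)",
}
SYSTEM_NUMBER = r"m-lag system-number (\d+)"
KEEPALIVE = r"m-lag keepalive ip destination (\S+) source (\S+)"


def normalize(text):
    """Return the command lines with prompts and padding removed."""
    return [PROMPT.sub("", raw).strip() for raw in text.splitlines()]


def find(lines, pattern):
    """Return the capture groups of the last matching line, or None."""
    hit = None
    for line in lines:
        m = re.match(pattern, line)
        if m:
            hit = m.groups()
    return hit


def check_pair(cfg_a, cfg_b):
    """Compare two M-LAG members; an empty list means no rule is violated."""
    a, b = normalize(cfg_a), normalize(cfg_b)
    findings = []
    for name, pattern in MUST_MATCH.items():
        va, vb = find(a, pattern), find(b, pattern)
        if va is None or vb is None:
            findings.append(f"{name}: missing on at least one member")
        elif va[0].lower() != vb[0].lower():
            findings.append(f"{name}: {va[0]} != {vb[0]} (must be identical)")
    na, nb = find(a, SYSTEM_NUMBER), find(b, SYSTEM_NUMBER)
    if na is None or nb is None:
        findings.append("system-number: missing on at least one member")
    elif na[0] == nb[0]:
        findings.append(f"system-number: both members use {na[0]} (must differ)")
    ka, kb = find(a, KEEPALIVE), find(b, KEEPALIVE)
    if ka is None or kb is None:
        findings.append("keepalive: missing on at least one member")
    elif (ka[0], ka[1]) != (kb[1], kb[0]):
        findings.append("keepalive: source/destination are not mirrored")
    return findings


# Constructed sample for border1 (system-number 2 is an assumed value).
BORDER1 = """\
evpn global-mac 0001-0001-0004
evpn m-lag group 10.20.1.8
m-lag system-mac 0002-0003-0004
m-lag system-number 2
m-lag system-priority 10
m-lag keepalive ip destination 10.10.1.14 source 10.10.1.13 vpn-instance auto-online-mlag
"""

# Constructed sample for border2, using the values shown in this section.
BORDER2 = """\
[border2] evpn global-mac 0001-0001-0004
[border2] evpn m-lag group 10.20.1.8
[border2] m-lag system-mac 0002-0003-0004
[border2] m-lag system-number 1
[border2] m-lag system-priority 10
[border2] m-lag keepalive ip destination 10.10.1.13 source 10.10.1.14 vpn-instance auto-online-mlag
"""

if __name__ == "__main__":
    print(check_pair(BORDER1, BORDER2) or "pair is consistent")
```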
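(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions column for fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
○ Device name: border2.
○ Basic info:
- Fabric: fabric1. Do not use the controller's default Fabric, DEFAULTFABRIC.
- Device type: Border device.
- Management IP: 192.168.11.9.
- VTEP IP: 10.1.1.9.
- Preferred region: region1.
- Device role: Leaf.
- Configure other parameters as needed. The default settings are used in this example.
Figure 79 Adding a switching device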
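(3) Click the "Device Control Protocol" tab and configure the following parameters:
○ NETCONF username: admin.
○ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
○ Confirm NETCONF password: Qwert@1234.
○ Configure other parameters as needed. The default settings are used in this example.
Figure 80 Adding a switching device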

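(4) Click the "VXLAN" tab and configure the VXLAN parameters as needed. The default settings are used in this example.
Figure 81 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
○ VRF name: name of the VPN to which the management interface of the switching device belongs. mgmt is used in this example.
○ Configure other parameters as needed. The default settings are used in this example.
Figure 82 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as needed. The default settings are used in this example.
Figure 83 Advanced configuration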

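(7) Click <OK> to finish adding the device.
(8) Go to the [Automation > Data Center Networks > Resource Pools > Device Resources > Device Groups] page and click <Add> to open the Add Device Group page. In the Basic Info area of the page, configure the following parameters:
○ Device group name: bdgroup1.
○ MAC address: 3C:8C:40:4E:DD:46. For how to configure the MAC address for S12500X devices, see "How do I configure the device group MAC address when the S12500X acts as a border device?".
○ Remote device group: Select Yes for a Remote leaf and No for a non-Remote leaf. This parameter cannot be changed after it is configured, so plan it in advance.
○ Network position: Four multi-select options are available: Egress Gateway, Inter-Fabric Interconnect, DC Interconnect, and Service Leaf. Plan this in advance.
○ HA deployment mode: M-LAG.
(9) In the Egress Gateway Settings area of the device group, configure the following parameters:
○ Connection mode: Select "VLAN Cross-Subnet". This parameter cannot be changed after it is configured, so plan it in advance.
○ Address pool list and VLAN pool list:
- Passthrough egress: Select the default address pool and the default VLAN pool.
- Security egress: Select "Custom address pool" and "Custom VLAN pool". Before creating the device group, create the virtual device management network address pool, the tenant carrier firewall internal network address pool, the tenant carrier load balancing internal network address pool, the tenant carrier network VLAN pool, and so on, and then select them from the available address pool list and the available VLAN pool list. For how to configure custom address pools and custom VLAN pools, see the AD-DC 7.1 Security Service Resource Configuration Guide.
Figure 84 Adding a device group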

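(10) In the Device Group Members area of the Add Device Group page, add the border devices border1 and border2 that were added earlier.
(11) Click <OK> to finish adding the device group.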
<spine1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<spine1> reboot force
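After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G-AF T series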
[spine1] hardware-resource tcam normal
[spine1] hardware-resource routing-mode ipv6-128
[spine1] hardware-resource vxlan l3gw
S12500X
[spine1] hardware-resource tcam routing
[spine1] hardware-resource vxlan normal
[spine1] hardware-resource mcast normal
[spine1] hardware-resource scale-rt-prefix none
[spine1] hardware-resource mpls normal
[spine1] hardware-resource parser normal
S6800
[spine1] hardware-resource switch-mode 4
[spine1] hardware-resource routing-mode ipv6-128
[spine1] hardware-resource vxlan l3gw40k
S6860
[spine1] hardware-resource switch-mode 4
[spine1] hardware-resource routing-mode ipv6-128
[spine1] hardware-resource vxlan l3gw24k
S6850/S9850/S6805/S6825
[spine1] hardware-resource switch-mode DUAL-STACK
[spine1] hardware-resource routing-mode ipv6-128
[spine1] hardware-resource vxlan l3gw
S10500X
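On the S10500X, the hardware resource parameter switch-mode must use its default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
(1) Modify the interface module parameter. Slot 0 is used as an example.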
[spine1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Modify the MPU parameter. Slot 6 is used as an example.
[spine1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
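On the S7500X, the hardware resource parameter switch-mode must use its default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set on the MPU. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default. The change takes effect after a reboot.
Modify the interface module parameter. Slot 2 is used as an example.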
[spine1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
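S12500G-AF S series
On the S12500G-AF S series, the hardware resource parameter switch-mode must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). switch-mode and system-working-mode can be changed with the following commands. The changes take effect after a reboot.
Slot 3 is used as an example.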
[spine1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[spine1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
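S12500R series
For the S12500R series, the hardware resource parameter hardware-resource mdb must be routing (use the display hardware-resource mdb command to view the configured value), and hardware-resource interface must be bridge (use the display hardware-resource interface command to view the configured value). hardware-resource mdb and hardware-resource interface can be changed with the following commands; the changes take effect after a reboot.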
[spine1] hardware-resource mdb routing
[spine1] hardware-resource interface bridge
S10506X-G
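For the S10506X-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.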
[spine1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
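For the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.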
[spine1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9820-8M
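For the S9820-8M, the hardware resource parameter switch-mode must be vxlan. Use the display switch-mode status command to view the configured value. If switch-mode is not vxlan, use the switch-mode command to change it to vxlan; the change takes effect after a reboot.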
[spine1] switch-mode 1
Reboot device to make the configuration take effect.
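S12500G S series/S9820-4C-G/S12500CR
For the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). switch-mode and system-working-mode can be changed with the following commands; the changes take effect after a reboot.
Slot 3 is used as an example.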
[spine1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[spine1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
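For the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.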
[spine1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
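For the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot. Slot 1 is used as an example.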
[spine1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
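For the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC; the default is ROUTING. The two modes differ only in specifications and do not affect functionality. Keeping the default value is recommended, and the mode on both ends should be kept consistent. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command) and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). The values can be changed with the following commands; the changes take effect after a reboot.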
[spine1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
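For the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING (view it with the display hardware-resource switch-mode command), hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command), and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). The values can be changed with the following commands; the changes take effect after a reboot.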
[spine1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[spine1] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[spine1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[spine1] interface M-GigabitEthernet0/0/0
[spine1-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[spine1-M-GigabitEthernet0/0/0] ip address 192.168.11.2 255.255.255.0
[spine1-M-GigabitEthernet0/0/0] quit
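(4) Configure the management user. The username admin and the password Qwert@1234 are used as an example. The password must be a complex password that contains at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".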
[spine1] local-user admin class manage
[spine1-luser-manage-admin] password simple Qwert@1234
[spine1-luser-manage-admin] service-type https ssh
[spine1-luser-manage-admin] authorization-attribute user-role network-admin
[spine1-luser-manage-admin] authorization-attribute user-role network-operator
[spine1-luser-manage-admin] quit
(5) Configure VTY.
[spine1] line vty 0 63
[spine1-line-vty0-63] authentication-mode scheme
[spine1-line-vty0-63] user-role network-admin
[spine1-line-vty0-63] user-role network-operator
[spine1-line-vty0-63] quit
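(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".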
[spine1] netconf soap https enable
[spine1] netconf ssh server enable
(7) Enable the SSH service.
[spine1] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. The NTP server IP address 192.168.10.101 is used as an example.
[spine1] ntp-service enable
[spine1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[spine1] snmp-agent
[spine1] snmp-agent community write private
[spine1] snmp-agent community read public
[spine1] snmp-agent sys-info version all
[spine1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[spine1] lldp global enable
(1) Disable learning of MAC, ARP, and ND entries from VXLAN tunnels.
[spine1] vxlan tunnel mac-learning disable
[spine1] vxlan tunnel arp-learning disable
[spine1] vxlan tunnel nd-learning disable
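To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameters] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF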
[spine1] ospf 1 router-id 192.168.11.2
[spine1-ospf-1] non-stop-routing
[spine1-ospf-1] area 0.0.0.0
Configure IS-IS
[spine1] isis 1
[spine1-isis-1] non-stop-routing
[spine1-isis-1] is-level level-2
[spine1-isis-1] is-name user1
[spine1-isis-1] network-entity 86.4713.0021.0100.0400.1002.00
[spine1-isis-1] address-family ipv4 unicast
[spine1-isis-1-ipv4] maximum load-balancing 4
[spine1-isis-1-ipv4] quit
[spine1-isis-1] quit
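Configure EBGP
The two spine devices use AS number 500, and the four leaf-role devices and two border-role devices use AS number 501. EBGP neighbor relationships are established between the spine devices and the leaf-role and border-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.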
[spine1] interface LoopBack1
[spine1-LoopBack1] ip address 4.1.1.1 255.255.255.255
[spine1-LoopBack1] quit
[spine1] bgp 500 instance Underlay
[spine1-bgp-Underlay] non-stop-routing
[spine1-bgp-Underlay] router-id 4.1.1.1
[spine1-bgp-Underlay] group Leaf external
[spine1-bgp-Underlay] peer Leaf as-number 501
[spine1-bgp-Underlay] peer Leaf ebgp-max-hop 2
[spine1-bgp-Underlay] peer Leaf connect-interface Loopback1
[spine1-bgp-Underlay] peer 4.1.1.3 group Leaf
[spine1-bgp-Underlay] peer 4.1.1.4 group Leaf
[spine1-bgp-Underlay] peer 4.1.1.5 group Leaf
[spine1-bgp-Underlay] peer 4.1.1.6 group Leaf
[spine1-bgp-Underlay] peer 4.1.1.7 group Leaf
[spine1-bgp-Underlay] peer 4.1.1.8 group Leaf
[spine1-bgp-Underlay] address-family ipv4 unicast
[spine1-bgp-Underlay-ipv4] balance 4
[spine1-bgp-Underlay-ipv4] peer Leaf enable
[spine1-bgp-Underlay-ipv4] quit
[spine1-bgp-Underlay] quit
[spine1] interface LoopBack0
[spine1-LoopBack0] ip address 10.1.1.2 255.255.255.255
[spine1-LoopBack0] quit
Configure one of the routing protocols:
Configure OSPF
[spine1] interface LoopBack0
[spine1-LoopBack0] ospf 1 area 0.0.0.0
[spine1-LoopBack0] quit
Configure IS-IS
[spine1] interface LoopBack0
[spine1-LoopBack0] isis enable 1
[spine1-LoopBack0] quit
Configure EBGP
[spine1] bgp 500 instance Underlay
[spine1-bgp-Underlay] address-family ipv4 unicast
[spine1-bgp-Underlay-ipv4] network 10.1.1.2 255.255.255.255
[spine1-bgp-Underlay-ipv4] quit
[spine1-bgp-Underlay] quit
Configure the IBGP RR
[spine1] bgp 100
[spine1-bgp-default] non-stop-routing
[spine1-bgp-default] router-id 10.1.1.2
[spine1-bgp-default] group evpn internal
[spine1-bgp-default] peer evpn source-address 10.1.1.2
[spine1-bgp-default] peer 10.1.1.4 group evpn
[spine1-bgp-default] peer 10.1.1.5 group evpn
[spine1-bgp-default] peer 10.1.1.6 group evpn
[spine1-bgp-default] peer 10.1.1.7 group evpn
[spine1-bgp-default] peer 10.1.1.8 group evpn
[spine1-bgp-default] peer 10.1.1.9 group evpn
[spine1-bgp-default] address-family l2vpn evpn
[spine1-bgp-default-evpn] undo policy vpn-target
[spine1-bgp-default-evpn] peer evpn enable
[spine1-bgp-default-evpn] peer evpn reflect-client
[spine1-bgp-default-evpn] quit
[spine1-bgp-default] quit
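The interface connecting to Server Leaf 1 is used as an example. Configure the interfaces connecting to the other leaf and border devices in the same way.
Configure one of OSPF, IS-IS, or EBGP.
Configure OSPF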
[spine1] interface HundredGigE1/0/5
[spine1-HundredGigE1/0/5] port link-mode route
[spine1-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[spine1-HundredGigE1/0/5] ospf network-type p2p
[spine1-HundredGigE1/0/5] ospf 1 area 0.0.0.0
[spine1-HundredGigE1/0/5] lldp management-address arp-learning
[spine1-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[spine1-HundredGigE1/0/5] quit
Configure IS-IS
[spine1] interface HundredGigE1/0/5
[spine1-HundredGigE1/0/5] port link-mode route
[spine1-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[spine1-HundredGigE1/0/5] isis enable 1
[spine1-HundredGigE1/0/5] isis circuit-level level-2
[spine1-HundredGigE1/0/5] isis circuit-type p2p
[spine1-HundredGigE1/0/5] isis authentication-mode md5 simple 123456
[spine1-HundredGigE1/0/5] lldp management-address arp-learning
[spine1-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[spine1-HundredGigE1/0/5] quit
Configure EBGP
[spine1] interface HundredGigE1/0/5
[spine1-HundredGigE1/0/5] port link-mode route
[spine1-HundredGigE1/0/5] ip address unnumbered interface LoopBack1
[spine1-HundredGigE1/0/5] lldp management-address arp-learning
[spine1-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[spine1-HundredGigE1/0/5] arp route-direct advertise
[spine1-HundredGigE1/0/5] quit
[spine1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
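The pre-configuration above uses values printed in this guide: the admin password, the SNMP communities public and private, `snmp-agent sys-info version all`, and the IS-IS interface key. The following Python check is an added example, not part of the H3C manual or of any H3C tool; it scans a saved command list for those values so they can be replaced before the device goes into service. The rule names and the `HARDENED_CONFIG` values are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Values printed in this guide. Anything published in a vendor manual has to
# be treated as known to everyone, so it must not survive into production.
DOCUMENTED_SECRETS = {"Qwert@1234", "123456"}
WELL_KNOWN_COMMUNITIES = {"public", "private"}

# Comware prompts such as "[spine1-luser-manage-admin] " or "<spine1> ".
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")

# Constructed sample: commands copied from the steps in this section.
SAMPLE_CONFIG = """\
[spine1] local-user admin class manage
[spine1-luser-manage-admin] password simple Qwert@1234
[spine1-luser-manage-admin] service-type https ssh
[spine1] snmp-agent community write private
[spine1] snmp-agent community read public
[spine1] snmp-agent sys-info version all
[spine1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
[spine1-HundredGigE1/0/5] isis authentication-mode md5 simple 123456
"""

# Constructed sample with site-specific placeholder values (assumptions).
HARDENED_CONFIG = """\
[spine1-luser-manage-admin] password simple Constructed#Pw-2024
[spine1] snmp-agent sys-info version v3
[spine1-HundredGigE1/0/5] isis authentication-mode md5 simple Constructed-Key-77
"""


class Finding(NamedTuple):
    line_no: int
    rule: str
    detail: str


def char_classes(secret: str) -> int:
    """Count the character types present: digit, upper, lower, special."""
    tests = (str.isdigit, str.isupper, str.islower, lambda c: not c.isalnum())
    return sum(any(t(c) for c in secret) for t in tests)


def audit(config_text: str) -> List[Finding]:
    """Return one Finding per command that still carries a documented value."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), start=1):
        cmd = PROMPT.sub("", raw).strip()

        m = re.fullmatch(r"password simple (\S+)", cmd)
        if m:
            if m.group(1) in DOCUMENTED_SECRETS:
                findings.append(Finding(no, "documented-password",
                                        "password is the example value from the guide"))
            elif char_classes(m.group(1)) < 2:
                # The guide requires at least two character types.
                findings.append(Finding(no, "weak-password",
                                        "fewer than two character types"))
            continue

        m = re.fullmatch(r"snmp-agent community (read|write) (\S+)", cmd)
        if m:
            if m.group(2) in WELL_KNOWN_COMMUNITIES:
                findings.append(Finding(no, f"default-community-{m.group(1)}",
                                        f"community '{m.group(2)}' is a well-known default"))
            continue

        m = re.fullmatch(r"snmp-agent sys-info version (.+)", cmd)
        if m:
            if {"all", "v1", "v2c"} & set(m.group(1).split()):
                findings.append(Finding(no, "snmp-v1-v2c-enabled",
                                        "SNMPv1/v2c send the community string in cleartext"))
            continue

        m = re.fullmatch(r"isis authentication-mode \S+ simple (\S+)", cmd)
        if m and m.group(1) in DOCUMENTED_SECRETS:
            findings.append(Finding(no, "documented-routing-key",
                                    "IS-IS key is the example value from the guide"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

The NETCONF password entered on the controller must match the device, so a password changed on the switch has to be changed in the controller's device entry as well.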
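(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions column for fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
○ Device name: spine1.
○ Basic information:
- Device type: Underlay physical device.
- Management IP: 192.168.11.2.
- VTEP IP: 10.1.1.2.
- Preferred region: region1.
- Device role: Spine.
- Configure other parameters according to network requirements. The default settings are used in this example.
Figure 85 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
○ NETCONF username: admin.
○ NETCONF password: Qwert@1234. It must be a complex password and must match the password configured on the device.
○ Confirm NETCONF password: Qwert@1234.
○ Configure other parameters according to network requirements. The default settings are used in this example.
Figure 86 Adding a switching device

(4) Click the "OpenFlow" tab and configure the following parameters:
○ VRF name: the name of the VPN to which the management interface of the switching device belongs. mgmt is used as an example.
○ Configure other parameters according to network requirements. The default settings are used in this example.
Figure 87 Configuring OpenFlow
(5) Click <OK> to finish adding the device.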
<spine2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<spine2> reboot force
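After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G-AF T series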
[spine2] hardware-resource tcam normal
[spine2] hardware-resource routing-mode ipv6-128
[spine2] hardware-resource vxlan l3gw
S12500X
[spine2] hardware-resource tcam routing
[spine2] hardware-resource vxlan normal
[spine2] hardware-resource mcast normal
[spine2] hardware-resource scale-rt-prefix none
[spine2] hardware-resource mpls normal
[spine2] hardware-resource parser normal
S6800
[spine2] hardware-resource switch-mode 4
[spine2] hardware-resource routing-mode ipv6-128
[spine2] hardware-resource vxlan l3gw40k
S6860
[spine2] hardware-resource switch-mode 4
[spine2] hardware-resource routing-mode ipv6-128
[spine2] hardware-resource vxlan l3gw24k
S6850/S9850/S6805/S6825
[spine2] hardware-resource switch-mode DUAL-STACK
[spine2] hardware-resource routing-mode ipv6-128
[spine2] hardware-resource vxlan l3gw
S10500X
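For the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
(1) Change the interface module parameter. Slot 0 is used as an example.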
[spine2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter. Slot 6 is used as an example.
[spine2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
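For the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set on the MPU. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
Change the interface module parameter. Slot 2 is used as an example.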
[spine2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
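S12500G-AF S series
For the S12500G-AF S series, the hardware resource parameter switch-mode must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). switch-mode and system-working-mode can be changed with the following commands; the changes take effect after a reboot.
Slot 3 is used as an example.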
[spine2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[spine2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
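S12500R series
For the S12500R series, the hardware resource parameter hardware-resource mdb must be routing (use the display hardware-resource mdb command to view the configured value), and hardware-resource interface must be bridge (use the display hardware-resource interface command to view the configured value). hardware-resource mdb and hardware-resource interface can be changed with the following commands; the changes take effect after a reboot.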
[spine2] hardware-resource mdb routing
[spine2] hardware-resource interface bridge
S10506X-G
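For the S10506X-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.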
[spine2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
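For the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.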
[spine2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9820-8M
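For the S9820-8M, the hardware resource parameter switch-mode must be vxlan. Use the display switch-mode status command to view the configured value. If switch-mode is not vxlan, use the switch-mode command to change it to vxlan; the change takes effect after a reboot.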
[spine2] switch-mode 1
Reboot device to make the configuration take effect.
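S12500G S series/S9820-4C-G/S12500CR
For the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). switch-mode and system-working-mode can be changed with the following commands; the changes take effect after a reboot.
Slot 3 is used as an example.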
[spine2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[spine2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
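For the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.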
[spine2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
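For the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.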
[spine2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
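For the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC; the default is ROUTING. The two modes differ only in specifications and do not affect functionality. Keeping the default value is recommended, and the mode on both ends should be kept consistent. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command) and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). The values can be changed with the following commands; the changes take effect after a reboot.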
[spine2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
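For the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING (view it with the display hardware-resource switch-mode command), hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command), and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). The values can be changed with the following commands; the changes take effect after a reboot.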
[spine2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[spine2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[spine2] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[spine2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[spine2] interface M-GigabitEthernet0/0/0
[spine2-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[spine2-M-GigabitEthernet0/0/0] ip address 192.168.11.3 255.255.255.0
[spine2-M-GigabitEthernet0/0/0] quit
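(4) Configure the management user. The username admin and the password Qwert@1234 are used as an example. The password must be a complex password that contains at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".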
[spine2] local-user admin class manage
[spine2-luser-manage-admin] password simple Qwert@1234
[spine2-luser-manage-admin] service-type https ssh
[spine2-luser-manage-admin] authorization-attribute user-role network-admin
[spine2-luser-manage-admin] authorization-attribute user-role network-operator
[spine2-luser-manage-admin] quit
(5) Configure VTY.
[spine2] line vty 0 63
[spine2-line-vty0-63] authentication-mode scheme
[spine2-line-vty0-63] user-role network-admin
[spine2-line-vty0-63] user-role network-operator
[spine2-line-vty0-63] quit
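(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".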
[spine2] netconf soap https enable
[spine2] netconf ssh server enable
(7) Enable the SSH service.
[spine2] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. The NTP server IP address 192.168.10.101 is used as an example.
[spine2] ntp-service enable
[spine2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[spine2] snmp-agent
[spine2] snmp-agent community write private
[spine2] snmp-agent community read public
[spine2] snmp-agent sys-info version all
[spine2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[spine2] lldp global enable
(1) Disable learning of MAC, ARP, and ND entries from VXLAN tunnels.
[spine2] vxlan tunnel mac-learning disable
[spine2] vxlan tunnel arp-learning disable
[spine2] vxlan tunnel nd-learning disable
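To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameters] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF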
[spine2] ospf 1 router-id 192.168.11.3
[spine2-ospf-1] non-stop-routing
[spine2-ospf-1] area 0.0.0.0
[spine2-ospf-1] quit
Configure IS-IS
[spine2] isis 1
[spine2-isis-1] non-stop-routing
[spine2-isis-1] is-level level-2
[spine2-isis-1] is-name user1
[spine2-isis-1] network-entity 86.4713.0021.0100.0400.1003.00
[spine2-isis-1] address-family ipv4 unicast
[spine2-isis-1-ipv4] maximum load-balancing 4
[spine2-isis-1-ipv4] quit
[spine2-isis-1] quit
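Configure EBGP
The two spine devices use AS number 500, and the four leaf-role devices and two border-role devices use AS number 501. EBGP neighbor relationships are established between the spine devices and the leaf-role and border-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.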
[spine2] interface LoopBack1
[spine2-LoopBack1] ip address 4.1.1.2 255.255.255.255
[spine2-LoopBack1] quit
[spine2] bgp 500 instance Underlay
[spine2-bgp-Underlay] non-stop-routing
[spine2-bgp-Underlay] router-id 4.1.1.2
[spine2-bgp-Underlay] group Leaf external
[spine2-bgp-Underlay] peer Leaf as-number 501
[spine2-bgp-Underlay] peer Leaf ebgp-max-hop 2
[spine2-bgp-Underlay] peer Leaf connect-interface Loopback1
[spine2-bgp-Underlay] peer 4.1.1.3 group Leaf
[spine2-bgp-Underlay] peer 4.1.1.4 group Leaf
[spine2-bgp-Underlay] peer 4.1.1.5 group Leaf
[spine2-bgp-Underlay] peer 4.1.1.6 group Leaf
[spine2-bgp-Underlay] peer 4.1.1.7 group Leaf
[spine2-bgp-Underlay] peer 4.1.1.8 group Leaf
[spine2-bgp-Underlay] address-family ipv4 unicast
[spine2-bgp-Underlay-ipv4] balance 4
[spine2-bgp-Underlay-ipv4] peer Leaf enable
[spine2-bgp-Underlay-ipv4] quit
[spine2-bgp-Underlay] quit
[spine2] interface LoopBack0
[spine2-LoopBack0] ip address 10.1.1.3 255.255.255.255
[spine2-LoopBack0] quit
Configure one of the routing protocols:
Configure OSPF
[spine2] interface LoopBack0
[spine2-LoopBack0] ospf 1 area 0.0.0.0
[spine2-LoopBack0] quit
Configure IS-IS
[spine2] interface LoopBack0
[spine2-LoopBack0] isis enable 1
[spine2-LoopBack0] quit
Configure EBGP
[spine2] bgp 500 instance Underlay
[spine2-bgp-Underlay] address-family ipv4 unicast
[spine2-bgp-Underlay-ipv4] network 10.1.1.3 255.255.255.255
[spine2-bgp-Underlay-ipv4] quit
[spine2-bgp-Underlay] quit
Configure the IBGP RR
[spine2] bgp 100
[spine2-bgp-default] non-stop-routing
[spine2-bgp-default] router-id 10.1.1.3
[spine2-bgp-default] group evpn internal
[spine2-bgp-default] peer evpn source-address 10.1.1.3
[spine2-bgp-default] peer 10.1.1.4 group evpn
[spine2-bgp-default] peer 10.1.1.5 group evpn
[spine2-bgp-default] peer 10.1.1.6 group evpn
[spine2-bgp-default] peer 10.1.1.7 group evpn
[spine2-bgp-default] peer 10.1.1.8 group evpn
[spine2-bgp-default] peer 10.1.1.9 group evpn
[spine2-bgp-default] address-family l2vpn evpn
[spine2-bgp-default-evpn] undo policy vpn-target
[spine2-bgp-default-evpn] peer evpn enable
[spine2-bgp-default-evpn] peer evpn reflect-client
[spine2-bgp-default-evpn] quit
[spine2-bgp-default] quit
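The interface connecting to Server Leaf 1 is used as an example. Configure the interfaces connecting to the other leaf and border devices in the same way.
Because the configuration of the interface connecting to a leaf differs with the underlay routing protocol, configure one of OSPF, IS-IS, or EBGP.
Configure OSPF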
[spine2] interface HundredGigE1/0/5
[spine2-HundredGigE1/0/5] port link-mode route
[spine2-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[spine2-HundredGigE1/0/5] ospf network-type p2p
[spine2-HundredGigE1/0/5] ospf 1 area 0.0.0.0
[spine2-HundredGigE1/0/5] lldp management-address arp-learning
[spine2-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[spine2-HundredGigE1/0/5] quit
Configure IS-IS
[spine2] interface HundredGigE1/0/5
[spine2-HundredGigE1/0/5] port link-mode route
[spine2-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[spine2-HundredGigE1/0/5] isis enable 1
[spine2-HundredGigE1/0/5] isis circuit-level level-2
[spine2-HundredGigE1/0/5] isis circuit-type p2p
[spine2-HundredGigE1/0/5] isis authentication-mode md5 simple 123456
[spine2-HundredGigE1/0/5] lldp management-address arp-learning
[spine2-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[spine2-HundredGigE1/0/5] quit
Configure EBGP
[spine2] interface HundredGigE1/0/5
[spine2-HundredGigE1/0/5] port link-mode route
[spine2-HundredGigE1/0/5] ip address unnumbered interface LoopBack1
[spine2-HundredGigE1/0/5] lldp management-address arp-learning
[spine2-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[spine2-HundredGigE1/0/5] arp route-direct advertise
[spine2-HundredGigE1/0/5] quit
[spine2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
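(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions column for fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
○ Device name: spine2.
○ Basic information:
- Device type: Underlay physical device.
- Management IP: 192.168.11.3.
- VTEP IP: 10.1.1.3.
- Preferred region: region1.
- Device role: Spine.
- Configure other parameters according to network requirements. The default settings are used in this example.
Figure 88 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
○ NETCONF username: admin.
○ NETCONF password: Qwert@1234. It must be a complex password and must match the password configured on the device.
○ Confirm NETCONF password: Qwert@1234.
○ Configure other parameters according to network requirements. The default settings are used in this example.
Figure 89 Configuring the device control protocol

(4) Click the "OpenFlow" tab and configure the following parameters:
○ VRF name: the name of the VPN to which the management interface of the switching device belongs. mgmt is used as an example.
○ Configure other parameters according to network requirements. The default settings are used in this example.
Figure 90 Configuring OpenFlow
(5) Click <OK> to finish adding the device.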
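The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.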
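The M-LAG consistency rule above, together with the requirement from the notes at the start of this guide that the two members use different system-number values, can be checked against an address plan before any device is configured. The following Python validator is an added example, not part of the H3C manual or of the controller; the dictionary keys, system names, and all MAC and IP values are constructed, and the two-members-per-system check is an assumption taken from the guide's "two M-LAG devices" wording.

```python
import ipaddress
import re
from collections import defaultdict

# Fields that must be identical on both members of one M-LAG system.
SHARED = ("system_mac", "global_mac", "system_priority", "virtual_ip")
# Fields that must not be reused by any other M-LAG system in the network.
UNIQUE = ("system_mac", "global_mac")

# Constructed plan: leaf-12 is consistent (its System MAC is written in two
# notations), leaf-34 breaks three rules.
SAMPLE_PLAN = [
    {"device": "server-leaf1", "mlag_system": "leaf-12", "system_number": 1,
     "system_mac": "0001-0001-0001", "global_mac": "0002-0002-0001",
     "system_priority": 10, "virtual_ip": "10.1.1.12"},
    {"device": "server-leaf2", "mlag_system": "leaf-12", "system_number": 2,
     "system_mac": "00:01:00:01:00:01", "global_mac": "0002-0002-0001",
     "system_priority": 10, "virtual_ip": "10.1.1.12"},
    {"device": "server-leaf3", "mlag_system": "leaf-34", "system_number": 1,
     "system_mac": "0001-0001-0001", "global_mac": "0002-0002-0003",
     "system_priority": 10, "virtual_ip": "10.1.1.34"},
    {"device": "server-leaf4", "mlag_system": "leaf-34", "system_number": 1,
     "system_mac": "0001-0001-0001", "global_mac": "0002-0002-0004",
     "system_priority": 10, "virtual_ip": "10.1.1.34"},
]


def normalize_mac(mac):
    """Reduce xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx, or xxxx.xxxx.xxxx to 12 hex digits."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def canonical(field, value):
    """Bring a planned value into a form that can be compared for equality."""
    if field in UNIQUE:
        return normalize_mac(value)
    if field == "virtual_ip":
        return str(ipaddress.ip_address(value))
    return int(value)


def validate_mlag_plan(devices):
    """Return a list of (mlag_system, problem) tuples; empty means consistent."""
    systems = defaultdict(list)
    for dev in devices:
        systems[dev["mlag_system"]].append(dev)

    problems = []
    owner = {}  # (field, mac) -> first M-LAG system that uses it
    for name in sorted(systems):
        members = systems[name]
        if len(members) != 2:
            problems.append((name, "member-count"))
        for field in SHARED:
            if len({canonical(field, m[field]) for m in members}) > 1:
                problems.append((name, f"{field}-mismatch"))
        numbers = [int(m["system_number"]) for m in members]
        if len(set(numbers)) < len(numbers):
            problems.append((name, "system_number-duplicate"))
        for field in UNIQUE:
            for mac in sorted({normalize_mac(m[field]) for m in members}):
                if owner.setdefault((field, mac), name) != name:
                    problems.append((name, f"{field}-not-unique"))
    return problems


if __name__ == "__main__":
    for system, problem in validate_mlag_plan(SAMPLE_PLAN):
        print(f"{system}: {problem}")
```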
<server-leaf1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<server-leaf1> reboot force
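After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G-AF T series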
[server-leaf1] hardware-resource tcam normal
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw
S12500X
[server-leaf1] hardware-resource tcam routing
[server-leaf1] hardware-resource vxlan normal
[server-leaf1] hardware-resource mcast normal
[server-leaf1] hardware-resource scale-rt-prefix none
[server-leaf1] hardware-resource mpls normal
[server-leaf1] hardware-resource parser normal
S6800
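When the S6800 acts as a leaf or border device, configure the hardware resources according to the service requirements. For the configuration method, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".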
[server-leaf1] hardware-resource switch-mode 4
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw40k
S6860
[server-leaf1] hardware-resource switch-mode 4
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw24k
S6850/S9850/S6805/S6825
[server-leaf1] hardware-resource switch-mode DUAL-STACK
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw
S10500X
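For the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
(1) Change the interface module parameter. Slot 0 is used as an example.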
[server-leaf1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter. Slot 6 is used as an example.
[server-leaf1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
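For the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set on the MPU. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
Change the interface module parameter. Slot 2 is used as an example.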
[server-leaf1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S6520X/S5560X/S6812/S6813/S6880
[server-leaf1] switch-mode 1
Reboot device to make the configuration take effect.
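S12500G-AF S series
For the S12500G-AF S series, the hardware resource parameter switch-mode must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). switch-mode and system-working-mode can be changed with the following commands; the changes take effect after a reboot.
Slot 3 is used as an example.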
[server-leaf1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
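For the S10506X-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.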
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
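For the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.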
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9820-8M
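For the S9820-8M, the hardware resource parameter switch-mode must be vxlan. Use the display switch-mode status command to view the configured value. If switch-mode is not vxlan, use the switch-mode command to change it to vxlan; the change takes effect after a reboot.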
[server-leaf1] switch-mode 1
Reboot device to make the configuration take effect.
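S12500G S series/S9820-4C-G/S12500CR
For the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). switch-mode and system-working-mode can be changed with the following commands; the changes take effect after a reboot.
Slot 3 is used as an example.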
[server-leaf1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
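For the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.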
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
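For the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.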
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
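For the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC; the default is ROUTING. The two modes differ only in specifications and do not affect functionality. Keeping the default value is recommended, and the mode on both ends should be kept consistent. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command) and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). The values can be changed with the following commands; the changes take effect after a reboot.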
[server-leaf1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
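For the S9827, set the hardware-resource switch-mode parameter to ROUTING; use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. The values can be changed with the following commands, and the change takes effect after a reboot.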
[server-leaf1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[server-leaf1] ip vpn-instance mgmt
(2) Configure the default route for the management network, with the gateway address of the management switch as the next hop.
[server-leaf1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[server-leaf1] interface M-GigabitEthernet1/0/0/2
[server-leaf1-M-GigabitEthernet1/0/0/2] ip binding vpn-instance mgmt
[server-leaf1-M-GigabitEthernet1/0/0/2] ip address 192.168.11.4 255.255.255.0
[server-leaf1-M-GigabitEthernet1/0/0/2] quit
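(4) Configure the management user. The username admin and the password Qwert@1234 are used as examples. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use short-lived HTTPS connections and require the service-type https command; without it, those features do not work properly. For the features that use short-lived HTTPS connections, see "Which features use short-lived HTTPS connections?".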
[server-leaf1] local-user admin class manage
[server-leaf1-luser-manage-admin] password simple Qwert@1234
[server-leaf1-luser-manage-admin] service-type https ssh
[server-leaf1-luser-manage-admin] authorization-attribute user-role network-admin
[server-leaf1-luser-manage-admin] authorization-attribute user-role network-operator
[server-leaf1-luser-manage-admin] quit
(5) Configure VTY.
[server-leaf1] line vty 0 63
[server-leaf1-line-vty0-63] authentication-mode scheme
[server-leaf1-line-vty0-63] user-role network-admin
[server-leaf1-line-vty0-63] user-role network-operator
[server-leaf1-line-vty0-63] quit
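(6) Configure NETCONF. Some features use short-lived HTTPS connections and require the netconf soap https enable command; without it, those features do not work properly. For the features that use short-lived HTTPS connections, see "Which features use short-lived HTTPS connections?".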
[server-leaf1] netconf soap https enable
[server-leaf1] netconf ssh server enable
(7) Enable the SSH service.
[server-leaf1] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. The NTP server IP 192.168.10.101 is used as an example.
[server-leaf1] ntp-service enable
[server-leaf1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[server-leaf1] snmp-agent
[server-leaf1] snmp-agent community write private
[server-leaf1] snmp-agent community read public
[server-leaf1] snmp-agent sys-info version all
[server-leaf1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[server-leaf1] lldp global enable
(1) Enable L2VPN on the device.
[server-leaf1] l2vpn enable
(2) Disable MAC, ARP, and ND learning from VXLAN tunnels.
[server-leaf1] vxlan tunnel mac-learning disable
[server-leaf1] vxlan tunnel arp-learning disable
[server-leaf1] vxlan tunnel nd-learning disable
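To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure one of them.
Configure OSPF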
[server-leaf1] ospf 1 router-id 192.168.11.4
[server-leaf1-ospf-1] non-stop-routing
[server-leaf1-ospf-1] area 0.0.0.0
[server-leaf1-ospf-1] quit
Configure IS-IS
[server-leaf1] isis 1
[server-leaf1-isis-1] non-stop-routing
[server-leaf1-isis-1] is-level level-2
[server-leaf1-isis-1] is-name user1
[server-leaf1-isis-1] network-entity 86.4713.0021.0100.0400.1004.00
[server-leaf1-isis-1] address-family ipv4 unicast
[server-leaf1-isis-1-ipv4] maximum load-balancing 4
[server-leaf1-isis-1-ipv4] quit
[server-leaf1-isis-1] quit
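Configure EBGP
The two Spine Border or Spine devices use AS number 500, and the four Leaf-role devices use AS number 501. EBGP peer relationships are established between the Spine Border or Spine devices and the Leaf-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.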
[server-leaf1] interface LoopBack1
[server-leaf1-LoopBack1] ip address 4.1.1.3 255.255.255.255
[server-leaf1-LoopBack1] quit
[server-leaf1] bgp 501 instance Underlay
[server-leaf1-bgp-Underlay] non-stop-routing
[server-leaf1-bgp-Underlay] router-id 4.1.1.3
[server-leaf1-bgp-Underlay] group Spine external
[server-leaf1-bgp-Underlay] peer Spine as-number 500
[server-leaf1-bgp-Underlay] peer Spine ebgp-max-hop 2
[server-leaf1-bgp-Underlay] peer Spine connect-interface Loopback1
[server-leaf1-bgp-Underlay] peer 4.1.1.1 group Spine
[server-leaf1-bgp-Underlay] peer 4.1.1.2 group Spine
[server-leaf1-bgp-Underlay] address-family ipv4 unicast
[server-leaf1-bgp-Underlay-ipv4] balance 4
[server-leaf1-bgp-Underlay-ipv4] peer Spine enable
[server-leaf1-bgp-Underlay-ipv4] peer Spine allow-as-loop 2
[server-leaf1-bgp-Underlay-ipv4] quit
[server-leaf1-bgp-Underlay] quit
[server-leaf1] interface LoopBack0
[server-leaf1-LoopBack0] ip address 10.1.1.4 255.255.255.255
[server-leaf1-LoopBack0] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf1] interface LoopBack0
[server-leaf1-LoopBack0] ospf 1 area 0.0.0.0
[server-leaf1-LoopBack0] quit
Configure IS-IS
[server-leaf1] interface LoopBack0
[server-leaf1-LoopBack0] isis enable 1
[server-leaf1-LoopBack0] quit
Configure EBGP
[server-leaf1] bgp 501 instance Underlay
[server-leaf1-bgp-Underlay] address-family ipv4 unicast
[server-leaf1-bgp-Underlay-ipv4] network 10.1.1.4 255.255.255.255
[server-leaf1-bgp-Underlay-ipv4] quit
[server-leaf1-bgp-Underlay] quit
Configure IBGP
[server-leaf1] bgp 100
[server-leaf1-bgp-default] non-stop-routing
[server-leaf1-bgp-default] router-id 10.1.1.4
[server-leaf1-bgp-default] group evpn internal
[server-leaf1-bgp-default] peer evpn connect-interface Loopback0
[server-leaf1-bgp-default] peer 10.1.1.2 group evpn
[server-leaf1-bgp-default] peer 10.1.1.3 group evpn
[server-leaf1-bgp-default] address-family l2vpn evpn
[server-leaf1-bgp-default-evpn] peer evpn enable
[server-leaf1-bgp-default-evpn] quit
[server-leaf1-bgp-default] quit
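The interface connected to Spine 1 is used as an example. Configure the interface connected to Spine 2 in the same way.
The configuration of the interface connected to the Spine differs by underlay routing protocol. Select one of OSPF, IS-IS, and EBGP to configure.
Configure OSPF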
[server-leaf1] interface HundredGigE1/0/25
[server-leaf1-HundredGigE1/0/25] port link-mode route
[server-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf1-HundredGigE1/0/25] ospf network-type p2p
[server-leaf1-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[server-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf1-HundredGigE1/0/25] quit
Configure IS-IS
[server-leaf1] interface HundredGigE1/0/25
[server-leaf1-HundredGigE1/0/25] port link-mode route
[server-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf1-HundredGigE1/0/25] isis enable 1
[server-leaf1-HundredGigE1/0/25] isis circuit-level level-2
[server-leaf1-HundredGigE1/0/25] isis circuit-type p2p
[server-leaf1-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
[server-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf1-HundredGigE1/0/25] quit
Configure EBGP
[server-leaf1] interface HundredGigE1/0/25
[server-leaf1-HundredGigE1/0/25] port link-mode route
[server-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack1
[server-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[server-leaf1-HundredGigE1/0/25] arp route-direct advertise
[server-leaf1-HundredGigE1/0/25] quit
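The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, select one from the Available Global MAC values of the two devices.
On the S12500G/S12500X/S7500X/S10500X/S5900x-EI, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.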
[server-leaf1] evpn global-mac 0001-0001-0002
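Use the LoopBack0 interface address as the M-LAG real address. M-LAG single-homed access, M-LAG single-sided access, Type 5 routes, and so on use this address.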
[server-leaf1] evpn m-lag local 10.1.1.4 remote 10.1.1.5
(1) Configure the M-LAG virtual address.
[server-leaf1] interface LoopBack2
[server-leaf1-LoopBack2] ip address 10.20.1.4 255.255.255.255
[server-leaf1-LoopBack2] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf1] interface LoopBack2
[server-leaf1-LoopBack2] ospf 1 area 0.0.0.0
[server-leaf1-LoopBack2] quit
Configure IS-IS
[server-leaf1] interface LoopBack2
[server-leaf1-LoopBack2] isis enable 1
[server-leaf1-LoopBack2] isis circuit-level level-2
[server-leaf1-LoopBack2] quit
Configure EBGP
[server-leaf1] bgp 501 instance Underlay
[server-leaf1-bgp-Underlay] address-family ipv4 unicast
[server-leaf1-bgp-Underlay-ipv4] network 10.20.1.4 255.255.255.255
[server-leaf1-bgp-Underlay-ipv4] quit
[server-leaf1-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[server-leaf1] evpn m-lag group 10.20.1.4
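(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. Using the bridge MAC of either M-LAG device as the system-mac is recommended; run the display lacp system-id command on the device to view its bridge MAC.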
[server-leaf1] m-lag system-mac 0002-0003-0002
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must use different system-number values, for example, 1 on one M-LAG device and 2 on the other.
[server-leaf1] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[server-leaf1] m-lag system-priority 10
(1) Configure the peer-link aggregate interface.
[server-leaf1] interface Bridge-Aggregation1
[server-leaf1-Bridge-Aggregation1] port link-type trunk
[server-leaf1-Bridge-Aggregation1] port trunk permit vlan all
[server-leaf1-Bridge-Aggregation1] port trunk pvid vlan 4094
[server-leaf1-Bridge-Aggregation1] link-aggregation mode dynamic
[server-leaf1-Bridge-Aggregation1] port m-lag peer-link 1
[server-leaf1-Bridge-Aggregation1] undo mac-address static source-check enable
[server-leaf1-Bridge-Aggregation1] quit
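On S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: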
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(2) Configure peer-link physical interface 1.
[server-leaf1] interface Ten-GigabitEthernet1/0/9
[server-leaf1-Ten-GigabitEthernet1/0/9] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/9] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/9] port trunk permit vlan all
[server-leaf1-Ten-GigabitEthernet1/0/9] port trunk pvid vlan 4094
[server-leaf1-Ten-GigabitEthernet1/0/9] port link-aggregation group 1
[server-leaf1-Ten-GigabitEthernet1/0/9] quit
(3) Configure peer-link physical interface 2.
[server-leaf1] interface Ten-GigabitEthernet1/0/10
[server-leaf1-Ten-GigabitEthernet1/0/10] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/10] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/10] port trunk permit vlan all
[server-leaf1-Ten-GigabitEthernet1/0/10] port trunk pvid vlan 4094
[server-leaf1-Ten-GigabitEthernet1/0/10] port link-aggregation group 1
[server-leaf1-Ten-GigabitEthernet1/0/10] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the link goes MAD UP only after the specified delay.
[server-leaf1] m-lag restore-delay 180
(2) Configure the VPN.
[server-leaf1] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[server-leaf1] interface HundredGigE1/0/30
[server-leaf1-HundredGigE1/0/30] port link-mode route
[server-leaf1-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[server-leaf1-HundredGigE1/0/30] ip address 10.10.1.5 255.255.255.252
[server-leaf1-HundredGigE1/0/30] quit
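(4) Configure the M-LAG MAD whitelist.
All physical interfaces except the M-LAG peer-link interfaces, the MAD interface, and interfaces to be added to a service loopback group must be added to the whitelist.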
[server-leaf1] m-lag mad default-action none
[server-leaf1] m-lag keepalive ip destination 10.10.1.6 source 10.10.1.5 vpn-instance auto-online-mlag
[server-leaf1] m-lag mad include interface FortyGigE1/3/0/2
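…omitted…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 go DOWN at the same time, traffic from the downlink interfaces of device 1 reaches the uplink interfaces of device 2 through the escape path over the peer-link, so that connectivity with other devices is maintained.
Using the PVID VLAN of the peer-link interface as the escape VLAN is recommended.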
[server-leaf1] interface Vlan-interface4094
[server-leaf1-Vlan-interface4094] ip address 10.30.1.5 255.255.255.252
[server-leaf1-Vlan-interface4094] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf1] interface Vlan-interface4094
[server-leaf1-Vlan-interface4094] ospf 1 area 0.0.0.0
[server-leaf1-Vlan-interface4094] quit
Configure IS-IS
[server-leaf1] interface Vlan-interface4094
[server-leaf1-Vlan-interface4094] isis enable 1
[server-leaf1-Vlan-interface4094] quit
Configure EBGP
[server-leaf1] route-policy ibgpsurvive permit node 100
[server-leaf1-route-policy-ibgpsurvive-100] apply local-preference 0
[server-leaf1-route-policy-ibgpsurvive-100] quit
[server-leaf1] bgp 501 instance Underlay
[server-leaf1-bgp-Underlay] peer 10.30.1.6 as-number 501
[server-leaf1-bgp-Underlay] address-family ipv4 unicast
[server-leaf1-bgp-Underlay-ipv4] network 10.30.1.5 255.255.255.252
[server-leaf1-bgp-Underlay-ipv4] peer 10.30.1.6 route-policy ibgpsurvive export
[server-leaf1-bgp-Underlay-ipv4] peer 10.30.1.6 next-hop-local
[server-leaf1-bgp-Underlay-ipv4] quit
[server-leaf1-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[server-leaf1] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
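· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: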
[server-leaf1] l2vpn m-lag peer-link tunnel source 10.1.1.4 destination 10.1.1.5
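VXLAN packets in single-homed access networks use the M-LAG real address as the tunnel source address. To forward these packets correctly, configure default decapsulation.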
[server-leaf1] vxlan default-decapsulation source interface LoopBack0
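The auto-recovery delay after an M-LAG device starts must be longer than the reboot time of the peer device. The reference value is 600 seconds for chassis devices such as the S12500G/S12500X/S10500X/S7500X, and 300 seconds for fixed-form-factor devices such as the S68XX. Configure it as follows: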
[server-leaf1] m-lag auto-recovery reload-delay 600
M-LAG interface configuration for the LACP aggregate link connected to Server 1
[server-leaf1] interface Bridge-Aggregation256
[server-leaf1-Bridge-Aggregation256] port link-type trunk
[server-leaf1-Bridge-Aggregation256] undo port trunk permit vlan 1
[server-leaf1-Bridge-Aggregation256] link-aggregation mode dynamic
[server-leaf1-Bridge-Aggregation256] port m-lag group 3
[server-leaf1-Bridge-Aggregation256] quit
[server-leaf1] interface Ten-GigabitEthernet1/0/11
[server-leaf1-Ten-GigabitEthernet1/0/11] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/11] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/11] undo port trunk permit vlan 1
[server-leaf1-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[server-leaf1-Ten-GigabitEthernet1/0/11] quit
(1) Configure the physical interface for the active/standby links connected to Server 2.
[server-leaf1] interface Ten-GigabitEthernet1/0/12
[server-leaf1-Ten-GigabitEthernet1/0/12] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/12] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/12] undo port trunk permit vlan 1
[server-leaf1-Ten-GigabitEthernet1/0/12] quit
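(2) Configure evpn m-lag local. Because the Server Leaf connects to the active/standby links of Server 2, the two devices in the M-LAG system have different single-homed ACs, that is, a given AC exists only on device 1 or only on device 2. Routes learned from a single-homed AC use the M-LAG real address as the next hop.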
[server-leaf1] evpn m-lag local 10.1.1.4 remote 10.1.1.5
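· When M-LAG active/standby links are used, enable "Automatically deploy active/standby AC link configuration" on the [Automation > Data Center Networks > Fabrics > Parameter Settings > Controller Global Settings] page of the controller. Only then does the controller deploy configuration to both M-LAG devices at the same time.
· When M-LAG active/standby links are used, configure LLDP packets to be sent to the controller, as follows: go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, open the settings page of the specified Fabric, click the [Settings] tab, and select "Send LLDP to controller" under the LLDP parameters.
· When M-LAG active/standby links are used, LLDP must be enabled on the server. If LLDP cannot be enabled on the server, configure the link information on the controller, as follows: after the controller has onboarded the Server-Leaf, go to the [Automation > Data Center Networks > Fabrics > Link Management] page, click the [Server Links] tab, and add the primary link and backup link information. The primary and backup link entries must have the same system name, and the system name must be globally unique.
On M-LAG devices with single-homed access, set the MAC address aging time to 26 minutes.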
[server-leaf1] mac-address timer aging 1560
[server-leaf1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
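(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions area of fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
¡ Device name: server-leaf1.
¡ Basic information:
- Fabric: fabric1. Do not use the controller's default Fabric, DEFAULTFABRIC.
- Device type: access device.
- Management IP: 192.168.11.4.
- VTEP IP: 10.1.1.4.
- Preferred Region: region1.
- Device role: Leaf.
- Configure other parameters as required by the network. The default settings are used in this example.
Figure 91 Adding a switching device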
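(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. The default settings are used in this example.
Figure 92 Adding a switching device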

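(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. The default settings are used in this example.
Figure 93 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN to which the management interface of the switching device belongs. mgmt is used in this example.
¡ Configure other parameters as required by the network. The default settings are used in this example.
Figure 94 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as required by the network. The default settings are used in this example.
Figure 95 Advanced configuration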

(7) Click <OK> to finish adding the device.
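The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.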
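The pairing rules above can be checked before the second member goes live. The following is an added example, not code from this guide or from the vendor: a small auditor that reads the configuration text of both members and reports violations of the must-match, must-differ, and network-wide uniqueness rules. The sample excerpts are constructed from the values this guide configures on server-leaf1 and server-leaf2; the function names and the mirrored local/remote check (inferred from the two configurations in this guide) are assumptions.

```python
import re
from collections import defaultdict

# Accept saved-configuration lines as well as transcript lines that carry a
# CLI prompt, such as "[server-leaf1] m-lag system-number 2".
_PREFIX = r"^[ \t]*(?:\[[^\]]*\][ \t]*)?"
PATTERNS = {
    "global-mac": re.compile(_PREFIX + r"evpn global-mac (\S+)", re.M),
    "system-mac": re.compile(_PREFIX + r"m-lag system-mac (\S+)", re.M),
    "system-number": re.compile(_PREFIX + r"m-lag system-number (\d+)", re.M),
    "system-priority": re.compile(_PREFIX + r"m-lag system-priority (\d+)", re.M),
    "virtual-ip": re.compile(_PREFIX + r"evpn m-lag group (\S+)", re.M),
    "local-remote": re.compile(_PREFIX + r"evpn m-lag local (\S+) remote (\S+)", re.M),
}
# Settings that must be identical on both members of one M-LAG system.
MUST_MATCH = ("global-mac", "system-mac", "system-priority", "virtual-ip")

# Constructed excerpts using the values this guide configures on the two leaves.
LEAF1_CFG = """\
evpn global-mac 0001-0001-0002
evpn m-lag local 10.1.1.4 remote 10.1.1.5
evpn m-lag group 10.20.1.4
m-lag system-mac 0002-0003-0002
m-lag system-number 2
m-lag system-priority 10
"""
LEAF2_CFG = """\
evpn global-mac 0001-0001-0002
evpn m-lag local 10.1.1.5 remote 10.1.1.4
evpn m-lag group 10.20.1.4
m-lag system-mac 0002-0003-0002
m-lag system-number 1
m-lag system-priority 10
"""


def parse_mlag(cfg):
    """Extract the M-LAG pairing settings from configuration text."""
    out = {}
    for key, rx in PATTERNS.items():
        m = rx.search(cfg)
        if m is None:
            out[key] = None
        elif key == "local-remote":
            out[key] = (m.group(1), m.group(2))
        else:
            out[key] = m.group(1).lower()  # MAC case is not significant
    return out


def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Return a list of rule violations for the two members of one M-LAG system."""
    a, b = parse_mlag(cfg_a), parse_mlag(cfg_b)
    findings = []
    for name, dev in ((name_a, a), (name_b, b)):
        findings += [f"{name}: {k} is not configured" for k in PATTERNS if dev[k] is None]
    for key in MUST_MATCH:
        if a[key] and b[key] and a[key] != b[key]:
            findings.append(f"{key} must match: {name_a}={a[key]} {name_b}={b[key]}")
    if a["system-number"] and a["system-number"] == b["system-number"]:
        findings.append(f"system-number must differ: both are {a['system-number']}")
    la, lb = a["local-remote"], b["local-remote"]
    if la and lb and la != lb[::-1]:
        findings.append(f"evpn m-lag local/remote not mirrored: {la} vs {lb}")
    return findings


def check_uniqueness(pairs):
    """pairs maps an M-LAG system name to the configs of its members.
    Flag any Global MAC or system-mac shared by different M-LAG systems."""
    seen = defaultdict(set)
    for pair_name, cfgs in pairs.items():
        for cfg in cfgs:
            parsed = parse_mlag(cfg)
            for key in ("global-mac", "system-mac"):
                if parsed[key]:
                    seen[(key, parsed[key])].add(pair_name)
    return [
        f"{key} {mac} is used by more than one M-LAG system: {', '.join(sorted(p))}"
        for (key, mac), p in sorted(seen.items()) if len(p) > 1
    ]


if __name__ == "__main__":
    for line in check_pair("server-leaf1", LEAF1_CFG, "server-leaf2", LEAF2_CFG) or ["pair OK"]:
        print(line)
```

Feed it the saved configuration of every M-LAG system in the fabric so that the uniqueness check covers the whole network rather than a single pair.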
<server-leaf2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<server-leaf2> reboot force
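After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
Hardware resource configuration commands differ by switch model, as follows:
S12500G T series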
[server-leaf2] hardware-resource tcam normal
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw
S12500X
[server-leaf2] hardware-resource tcam routing
[server-leaf2] hardware-resource vxlan normal
[server-leaf2] hardware-resource mcast normal
[server-leaf2] hardware-resource scale-rt-prefix none
[server-leaf2] hardware-resource mpls normal
[server-leaf2] hardware-resource parser normal
S6800
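When the S6800 acts as a Leaf or Border, configure its hardware resources according to service requirements. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".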
[server-leaf2] hardware-resource switch-mode 4
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw40k
S6860
[server-leaf2] hardware-resource switch-mode 4
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw24k
S6850/S9850/S6805/S6825
[server-leaf2] hardware-resource switch-mode DUAL-STACK
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw
S10500X
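The switch-mode hardware resource parameter of the S10500X must use the default values: mix-bridging-routing for interface modules, and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value; if switch-mode is not the default value, use the switch-mode command to change it to the default value. The change takes effect after a reboot.
(1) Modify the interface module parameter. Slot 0 is used as an example.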
[server-leaf2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Modify the MPU parameter. Slot 6 is used as an example.
[server-leaf2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
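The switch-mode hardware resource parameter of the S7500X must use the default value: mix-bridging-routing for interface modules. switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value; if switch-mode is not the default value, use the switch-mode command to change it to the default value. The change takes effect after a reboot.
Modify the interface module parameter. Slot 2 is used as an example.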
[server-leaf2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S6520X/S5560X/S6812/S6813/S6880
[server-leaf2] switch-mode 1
Reboot device to make the configuration take effect.
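S12500G S series
The switch-mode hardware resource parameter of the S12500G S series must be set to normal; use the display switch-mode status command to view the configured value. system-working-mode must be set to expert; use the display system-working-mode command to view the configured value. switch-mode and system-working-mode can be changed with the following commands, and the change takes effect after a reboot.
Slot 3 is used as an example.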
[server-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
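The switch-mode hardware resource parameter of the S10506X-G must be set to normal. Use the display switch-mode status command to view the configured value; if switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.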
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
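The switch-mode hardware resource parameter of the S6850-56HF-G/S9850-32H-G must be set to normal. Use the display switch-mode status slot command to view the configured value; if switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.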
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9820-8M
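The switch-mode hardware resource parameter of the S9820-8M must be set to vxlan. Use the display switch-mode status command to view the configured value; if switch-mode is not vxlan, use the switch-mode command to change it to vxlan. The change takes effect after a reboot.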
[server-leaf2] switch-mode 1
Reboot device to make the configuration take effect.
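S12500G S series/S9820-4C-G/S12500CR
The switch-mode hardware resource parameter of the S12500G S series/S9820-4C-G/S12500CR must be set to normal; use the display switch-mode status command to view the configured value. system-working-mode must be set to expert; use the display system-working-mode command to view the configured value. switch-mode and system-working-mode can be changed with the following commands, and the change takes effect after a reboot.
Slot 3 is used as an example.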
[server-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
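The switch-mode hardware resource parameter of the S10500XG/12500G-EF must be set to normal. Use the display switch-mode status command to view the configured value; if switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.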
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
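The switch-mode hardware resource parameter of the S6805G/S6850G/9850G must be set to normal. Use the display switch-mode status slot command to view the configured value; if switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as an example.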
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
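For the S9825/S9855, the hardware-resource switch-mode parameter can be set to ROUTING or MAC and defaults to ROUTING. The two modes differ only in specifications, not in functionality; keeping the default value is recommended, and the same mode should be used on both ends. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. The values can be changed with the following commands, and the change takes effect after a reboot.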
[server-leaf2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
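For the S9827, set the hardware-resource switch-mode parameter to ROUTING; use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. The values can be changed with the following commands, and the change takes effect after a reboot.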
[server-leaf2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[server-leaf2] ip vpn-instance mgmt
(2) Configure the default route for the management network, with the gateway address of the management switch as the next hop.
[server-leaf2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[server-leaf2] interface M-GigabitEthernet1/0/0/2
[server-leaf2-M-GigabitEthernet1/0/0/2] ip binding vpn-instance mgmt
[server-leaf2-M-GigabitEthernet1/0/0/2] ip address 192.168.11.5 255.255.255.0
[server-leaf2-M-GigabitEthernet1/0/0/2] quit
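(4) Configure the management user. The username admin and the password Qwert@1234 are used as examples. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use short-lived HTTPS connections and require the service-type https command; without it, those features do not work properly. For the features that use short-lived HTTPS connections, see "Which features use short-lived HTTPS connections?".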
[server-leaf2] local-user admin class manage
[server-leaf2-luser-manage-admin] password simple Qwert@1234
[server-leaf2-luser-manage-admin] service-type https ssh
[server-leaf2-luser-manage-admin] authorization-attribute user-role network-admin
[server-leaf2-luser-manage-admin] authorization-attribute user-role network-operator
[server-leaf2-luser-manage-admin] quit
(5) Configure VTY.
[server-leaf2] line vty 0 63
[server-leaf2-line-vty0-63] authentication-mode scheme
[server-leaf2-line-vty0-63] user-role network-admin
[server-leaf2-line-vty0-63] user-role network-operator
[server-leaf2-line-vty0-63] quit
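(6) Configure NETCONF. Some features use short-lived HTTPS connections and require the netconf soap https enable command; without it, those features do not work properly. For the features that use short-lived HTTPS connections, see "Which features use short-lived HTTPS connections?".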
[server-leaf2] netconf soap https enable
[server-leaf2] netconf ssh server enable
(7) Enable the SSH service.
[server-leaf2] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. The NTP server IP 192.168.10.101 is used as an example.
[server-leaf2] ntp-service enable
[server-leaf2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[server-leaf2] snmp-agent
[server-leaf2] snmp-agent community write private
[server-leaf2] snmp-agent community read public
[server-leaf2] snmp-agent sys-info version all
[server-leaf2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[server-leaf2] lldp global enable
(1) Enable L2VPN on the device.
[server-leaf2] l2vpn enable
(2) Disable MAC, ARP, and ND learning from VXLAN tunnels.
[server-leaf2] vxlan tunnel mac-learning disable
[server-leaf2] vxlan tunnel arp-learning disable
[server-leaf2] vxlan tunnel nd-learning disable
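To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure one of them.
Configure OSPF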
[server-leaf2] ospf 1 router-id 192.168.11.5
[server-leaf2-ospf-1] non-stop-routing
[server-leaf2-ospf-1] area 0.0.0.0
[server-leaf2-ospf-1] quit
Configure IS-IS
[server-leaf2] isis 1
[server-leaf2-isis-1] non-stop-routing
[server-leaf2-isis-1] is-level level-2
[server-leaf2-isis-1] is-name user1
[server-leaf2-isis-1] network-entity 86.4713.0021.0100.0400.1005.00 // Each device has a different network-entity
[server-leaf2-isis-1] address-family ipv4 unicast
[server-leaf2-isis-1-ipv4] maximum load-balancing 4
[server-leaf2-isis-1-ipv4] quit
[server-leaf2-isis-1] quit
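Configure EBGP
The two Spine Border or Spine devices use AS number 500, and the four Leaf-role devices use AS number 501. EBGP peer relationships are established between the Spine Border or Spine devices and the Leaf-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.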
[server-leaf2] interface LoopBack1
[server-leaf2-LoopBack1] ip address 4.1.1.4 255.255.255.255
[server-leaf2-LoopBack1] quit
[server-leaf2] bgp 501 instance Underlay
[server-leaf2-bgp-Underlay] non-stop-routing
[server-leaf2-bgp-Underlay] router-id 4.1.1.4
[server-leaf2-bgp-Underlay] group Spine external
[server-leaf2-bgp-Underlay] peer Spine as-number 500
[server-leaf2-bgp-Underlay] peer Spine ebgp-max-hop 2
[server-leaf2-bgp-Underlay] peer Spine connect-interface Loopback1
[server-leaf2-bgp-Underlay] peer 4.1.1.1 group Spine
[server-leaf2-bgp-Underlay] peer 4.1.1.2 group Spine
[server-leaf2-bgp-Underlay] address-family ipv4 unicast
[server-leaf2-bgp-Underlay-ipv4] balance 4
[server-leaf2-bgp-Underlay-ipv4] peer Spine enable
[server-leaf2-bgp-Underlay-ipv4] peer Spine allow-as-loop 2
[server-leaf2-bgp-Underlay-ipv4] quit
[server-leaf2-bgp-Underlay] quit
VTEP address configuration
[server-leaf2] interface LoopBack0
[server-leaf2-LoopBack0] ip address 10.1.1.5 255.255.255.255
[server-leaf2-LoopBack0] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf2] interface LoopBack0
[server-leaf2-LoopBack0] ospf 1 area 0.0.0.0
[server-leaf2-LoopBack0] quit
Configure IS-IS
[server-leaf2] interface LoopBack0
[server-leaf2-LoopBack0] isis enable 1
[server-leaf2-LoopBack0] quit
Configure EBGP
[server-leaf2] bgp 501 instance Underlay
[server-leaf2-bgp-Underlay] address-family ipv4 unicast
[server-leaf2-bgp-Underlay-ipv4] network 10.1.1.5 255.255.255.255
[server-leaf2-bgp-Underlay-ipv4] quit
[server-leaf2-bgp-Underlay] quit
Configure IBGP
[server-leaf2] bgp 100
[server-leaf2-bgp-default] non-stop-routing
[server-leaf2-bgp-default] router-id 10.1.1.5
[server-leaf2-bgp-default] group evpn internal
[server-leaf2-bgp-default] peer evpn connect-interface Loopback0
[server-leaf2-bgp-default] peer 10.1.1.2 group evpn
[server-leaf2-bgp-default] peer 10.1.1.3 group evpn
[server-leaf2-bgp-default] address-family l2vpn evpn
[server-leaf2-bgp-default-evpn] peer evpn enable
[server-leaf2-bgp-default-evpn] quit
[server-leaf2-bgp-default] quit
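The interface connected to Spine 1 is used as an example. Configure the interface connected to Spine 2 in the same way.
The configuration of the interface connected to the Spine differs by underlay routing protocol. Select one of OSPF, IS-IS, and EBGP to configure.
Configure OSPF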
[server-leaf2] interface HundredGigE1/0/25
[server-leaf2-HundredGigE1/0/25] port link-mode route
[server-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf2-HundredGigE1/0/25] ospf network-type p2p
[server-leaf2-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[server-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf2-HundredGigE1/0/25] quit
Configure IS-IS
[server-leaf2] interface HundredGigE1/0/25
[server-leaf2-HundredGigE1/0/25] port link-mode route
[server-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf2-HundredGigE1/0/25] isis enable 1
[server-leaf2-HundredGigE1/0/25] isis circuit-level level-2
[server-leaf2-HundredGigE1/0/25] isis circuit-type p2p
[server-leaf2-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
[server-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf2-HundredGigE1/0/25] quit
Configure EBGP
[server-leaf2] interface HundredGigE1/0/25
[server-leaf2-HundredGigE1/0/25] port link-mode route
[server-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack1
[server-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[server-leaf2-HundredGigE1/0/25] arp route-direct advertise
[server-leaf2-HundredGigE1/0/25] quit
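The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, select one from the Available Global MAC values of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.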
[server-leaf2] evpn global-mac 0001-0001-0002
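Use the LoopBack0 interface address as the M-LAG real address. M-LAG single-homed access, M-LAG single-sided access, Type 5 routes, and so on use this address.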
[server-leaf2] evpn m-lag local 10.1.1.5 remote 10.1.1.4
(1) Configure the M-LAG virtual address.
[server-leaf2] interface LoopBack2
[server-leaf2-LoopBack2] ip address 10.20.1.4 255.255.255.255
[server-leaf2-LoopBack2] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf2] interface LoopBack2
[server-leaf2-LoopBack2] ospf 1 area 0.0.0.0
[server-leaf2-LoopBack2] quit
Configure IS-IS
[server-leaf2] interface LoopBack2
[server-leaf2-LoopBack2] isis enable 1
[server-leaf2-LoopBack2] isis circuit-level level-2
[server-leaf2-LoopBack2] quit
Configure EBGP
[server-leaf2] bgp 501 instance Underlay
[server-leaf2-bgp-Underlay] address-family ipv4 unicast
[server-leaf2-bgp-Underlay-ipv4] network 10.20.1.4 255.255.255.255
[server-leaf2-bgp-Underlay-ipv4] quit
[server-leaf2-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[server-leaf2] evpn m-lag group 10.20.1.4
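(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. Using the bridge MAC of either M-LAG device as the system-mac is recommended; run the display lacp system-id command on the device to view its bridge MAC.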
[server-leaf2] m-lag system-mac 0002-0003-0002
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must use different system-number values, for example 1 on one M-LAG device and 2 on the other.
[server-leaf2] m-lag system-number 1
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[server-leaf2] m-lag system-priority 10
(1) Configure the peer-link aggregate interface.
[server-leaf2] interface Bridge-Aggregation1
[server-leaf2-Bridge-Aggregation1] port link-type trunk
[server-leaf2-Bridge-Aggregation1] port trunk permit vlan all
[server-leaf2-Bridge-Aggregation1] port trunk pvid vlan 4094
[server-leaf2-Bridge-Aggregation1] link-aggregation mode dynamic
[server-leaf2-Bridge-Aggregation1] port m-lag peer-link 1
[server-leaf2-Bridge-Aggregation1] undo mac-address static source-check enable
[server-leaf2-Bridge-Aggregation1] quit
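On S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: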
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(2) Configure peer-link physical interface 1.
[server-leaf2] interface Ten-GigabitEthernet1/0/9
[server-leaf2-Ten-GigabitEthernet1/0/9] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/9] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/9] port trunk permit vlan all
[server-leaf2-Ten-GigabitEthernet1/0/9] port trunk pvid vlan 4094
[server-leaf2-Ten-GigabitEthernet1/0/9] port link-aggregation group 1
[server-leaf2-Ten-GigabitEthernet1/0/9] quit
(3) Configure peer-link physical interface 2.
[server-leaf2] interface Ten-GigabitEthernet1/0/10
[server-leaf2-Ten-GigabitEthernet1/0/10] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/10] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/10] port trunk permit vlan all
[server-leaf2-Ten-GigabitEthernet1/0/10] port trunk pvid vlan 4094
[server-leaf2-Ten-GigabitEthernet1/0/10] port link-aggregation group 1
[server-leaf2-Ten-GigabitEthernet1/0/10] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the link goes MAD UP only after the specified delay.
[server-leaf2] m-lag restore-delay 180
(2) Configure the VPN.
[server-leaf2] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[server-leaf2] interface HundredGigE1/0/30
[server-leaf2-HundredGigE1/0/30] port link-mode route
[server-leaf2-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[server-leaf2-HundredGigE1/0/30] ip address 10.10.1.6 255.255.255.252
[server-leaf2-HundredGigE1/0/30] quit
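(4) Configure the M-LAG MAD whitelist.
All physical interfaces except the M-LAG peer-link interfaces, the MAD interface, and interfaces to be added to a service loopback group must be added to the whitelist.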
[server-leaf2] m-lag mad default-action none
[server-leaf2] m-lag keepalive ip destination 10.10.1.5 source 10.10.1.6 vpn-instance auto-online-mlag
[server-leaf2] m-lag mad include interface FortyGigE1/3/0/2
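…omitted…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 are DOWN at the same time, traffic from the downlink interfaces of device 1 travels over the peer-link escape path to the uplink interfaces of device 2, so connectivity with other devices is maintained.
It is recommended to use the PVID VLAN of the peer-link interface as the escape VLAN.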
[server-leaf2] interface Vlan-interface4094
[server-leaf2-Vlan-interface4094] ip address 10.30.1.6 255.255.255.252
[server-leaf2-Vlan-interface4094] quit
Select one routing protocol to configure:
Configure OSPF
[server-leaf2] interface Vlan-interface4094
[server-leaf2-Vlan-interface4094] ospf 1 area 0.0.0.0
[server-leaf2-Vlan-interface4094] quit
Configure IS-IS
[server-leaf2] interface Vlan-interface4094
[server-leaf2-Vlan-interface4094] isis enable 1
[server-leaf2-Vlan-interface4094] quit
Configure EBGP
[server-leaf2] route-policy ibgpsurvive permit node 100
[server-leaf2-route-policy-ibgpsurvive-100] apply local-preference 0
[server-leaf2-route-policy-ibgpsurvive-100] quit
[server-leaf2] bgp 501 instance Underlay
[server-leaf2-bgp-Underlay] peer 10.30.1.5 as-number 501
[server-leaf2-bgp-Underlay] address-family ipv4 unicast
[server-leaf2-bgp-Underlay-ipv4] network 10.30.1.6 255.255.255.252
[server-leaf2-bgp-Underlay-ipv4] peer 10.30.1.5 route-policy ibgpsurvive export
[server-leaf2-bgp-Underlay-ipv4] peer 10.30.1.5 next-hop-local
[server-leaf2-bgp-Underlay-ipv4] quit
[server-leaf2-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On non-S12500X devices, configure the following command:
[server-leaf2] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
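· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: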
[server-leaf2] l2vpn m-lag peer-link tunnel source 10.1.1.5 destination 10.1.1.4
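VXLAN packets in single-homed access networks use the M-LAG real address as the tunnel source address, so default decapsulation must be configured for them to be forwarded correctly.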
[server-leaf2] vxlan default-decapsulation source interface LoopBack0
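The automatic recovery time after an M-LAG device starts must be longer than the restart time of the peer device. The reference value is 600 seconds for chassis devices such as S12500G/S12500X/S10500X/S7500X, and 300 seconds for fixed-form devices such as S68XX. Configure it as follows: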
[server-leaf2] m-lag auto-recovery reload-delay 600
Configure the M-LAG interface for the LACP aggregate link to Server 1
[server-leaf2] interface Bridge-Aggregation256
[server-leaf2-Bridge-Aggregation256] port link-type trunk
[server-leaf2-Bridge-Aggregation256] undo port trunk permit vlan 1
[server-leaf2-Bridge-Aggregation256] link-aggregation mode dynamic
[server-leaf2-Bridge-Aggregation256] port m-lag group 3
[server-leaf2-Bridge-Aggregation256] quit
[server-leaf2] interface Ten-GigabitEthernet1/0/11
[server-leaf2-Ten-GigabitEthernet1/0/11] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/11] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/11] undo port trunk permit vlan 1
[server-leaf2-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[server-leaf2-Ten-GigabitEthernet1/0/11] quit
(1) Configure the physical interface for the active/standby link to Server 2.
[server-leaf2] interface Ten-GigabitEthernet1/0/12
[server-leaf2-Ten-GigabitEthernet1/0/12] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/12] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/12] undo port trunk permit vlan 1
[server-leaf2-Ten-GigabitEthernet1/0/12] quit
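(2) Configure evpn M-LAG local. Because the Server Leaf connects to Server 2 over active/standby links, the two devices in the M-LAG system have different single-homed ACs, that is, a given AC exists only on device 1 or only on device 2. Routes learned from single-homed ACs use the M-LAG real address as the next hop.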
[server-leaf2] evpn m-lag local 10.1.1.5 remote 10.1.1.4
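· When M-LAG active/standby links are used, enable "Automatically deploy active/standby AC link configuration" on the [Automation > Data Center Networks > Fabrics > Parameters > Control Component Global Settings] page of the control component. Only then does the control component deploy the configuration symmetrically to both M-LAG devices at the same time.
· When M-LAG active/standby links are used, configure the control component so that LLDP packets are sent to it: go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, open the settings page of the target Fabric, click the [Settings] tab, and select "Send LLDP to control component" in the LLDP parameters.
· When M-LAG active/standby links are used, LLDP must be enabled on the server. If LLDP cannot be enabled on the server, configure the link information on the control component: after the control component has onboarded the Server-Leaf, go to the [Automation > Data Center Networks > Fabrics > Link Management] page, click the [Server Links] tab, and add the primary link and backup link information. The primary and backup link entries must use the same system name, and the name must be globally unique.
On M-LAG devices with single-homed access, set the MAC address aging time to 26 minutes.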
[server-leaf2] mac-address timer aging 1560
[server-leaf2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
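(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the operation column of fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Information" tab:
¡ Device name: server-leaf2.
¡ Basic information:
- Fabric: fabric1. Do not use the control component's default Fabric, DEFAULTFABRIC.
- Device type: access device.
- Management IP: 192.168.11.5.
- VTEP IP: 10.1.1.5.
- Preferred Region: region1.
- Device role: Leaf.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 96 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 97 Adding a switching device

(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 98 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN to which the management interface of the switching device belongs. This example uses mgmt.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 99 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as required by the network. This example uses the default settings.
Figure 100 Advanced settings

(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique network-wide.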
<service-leaf1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<service-leaf1> reboot force
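After the hardware resource parameters are configured, the device must be restarted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G T series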
[service-leaf1] hardware-resource tcam normal
[service-leaf1] hardware-resource routing-mode ipv6-128
[service-leaf1] hardware-resource vxlan l3gw
S12500X
[service-leaf1] hardware-resource tcam routing
[service-leaf1] hardware-resource vxlan normal
[service-leaf1] hardware-resource mcast normal
[service-leaf1] hardware-resource scale-rt-prefix none
[service-leaf1] hardware-resource mpls normal
[service-leaf1] hardware-resource parser normal
S6800
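When an S6800 acts as a Leaf or Border, configure the hardware resources according to the services in use. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".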
[service-leaf1] hardware-resource switch-mode 4
[service-leaf1] hardware-resource routing-mode ipv6-128
[service-leaf1] hardware-resource vxlan Border40k
S6860
[service-leaf1] hardware-resource switch-mode 4
[service-leaf1] hardware-resource routing-mode ipv6-128
[service-leaf1] hardware-resource vxlan Border24k
S6850/S9850/S6805/S6825
[service-leaf1] hardware-resource switch-mode DUAL-STACK
[service-leaf1] hardware-resource routing-mode ipv6-128
[service-leaf1] hardware-resource vxlan l3gw
S10500X
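On the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a restart.
(1) Change the interface module parameter, using slot 0 as an example.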
[service-leaf1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter, using slot 6 as an example.
[service-leaf1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
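On the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a restart.
Change the interface module parameter, using slot 2 as an example.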
[service-leaf1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
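S12500G S series
On the S12500G S series, the hardware resource parameter switch-mode must be normal; use the display switch-mode status command to view the configured value. system-working-mode must be expert; use the display system-working-mode command to view the configured value. switch-mode and system-working-mode can be changed with the following commands; the changes take effect after a restart.
This example uses slot 3.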
[service-leaf1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[service-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
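On the S10506X-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a restart.
This example uses slot 1.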
[service-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
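On the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a restart.
This example uses slot 1.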
[service-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
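S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be normal; use the display switch-mode status command to view the configured value. system-working-mode must be expert; use the display system-working-mode command to view the configured value. switch-mode and system-working-mode can be changed with the following commands; the changes take effect after a restart.
This example uses slot 3.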
[service-leaf1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[service-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
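On the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a restart.
This example uses slot 1.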
[service-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
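On the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a restart.
This example uses slot 1.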
[service-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
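On the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications, not in functionality. It is recommended to keep the default value and to use the same mode on both ends. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. These parameters can be changed with the following commands; the changes take effect after a restart.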
[service-leaf1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
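On the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING; use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. These parameters can be changed with the following commands; the changes take effect after a restart.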
[service-leaf1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[service-leaf1] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[service-leaf1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[service-leaf1] interface M-GigabitEthernet0/0/0
[service-leaf1-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[service-leaf1-M-GigabitEthernet0/0/0] ip address 192.168.11.6 255.255.255.0
[service-leaf1-M-GigabitEthernet0/0/0] quit
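(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured; otherwise those features do not work correctly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".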
[service-leaf1] local-user admin class manage
[service-leaf1-luser-manage-admin] password simple Qwert@1234
[service-leaf1-luser-manage-admin] service-type https ssh
[service-leaf1-luser-manage-admin] authorization-attribute user-role network-admin
[service-leaf1-luser-manage-admin] authorization-attribute user-role network-operator
[service-leaf1-luser-manage-admin] quit
(5) Configure the VTY lines.
[service-leaf1] line vty 0 63
[service-leaf1-line-vty0-63] authentication-mode scheme
[service-leaf1-line-vty0-63] user-role network-admin
[service-leaf1-line-vty0-63] user-role network-operator
[service-leaf1-line-vty0-63] quit
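(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work correctly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".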
[service-leaf1] netconf soap https enable
[service-leaf1] netconf ssh server enable
(7) Enable the SSH service.
[service-leaf1] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses the NTP server IP 192.168.10.101.
[service-leaf1] ntp-service enable
[service-leaf1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[service-leaf1] snmp-agent
[service-leaf1] snmp-agent community write private
[service-leaf1] snmp-agent community read public
[service-leaf1] snmp-agent sys-info version all
[service-leaf1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[service-leaf1] lldp global enable
(1) Enable L2VPN on the device.
[service-leaf1] l2vpn enable
(2) Disable MAC, ARP, and ND learning from VXLAN tunnels.
[service-leaf1] vxlan tunnel mac-learning disable
[service-leaf1] vxlan tunnel arp-learning disable
[service-leaf1] vxlan tunnel nd-learning disable
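To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameters] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure one of them.
Configure OSPF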
[service-leaf1] ospf 1 router-id 192.168.11.6
[service-leaf1-ospf-1] non-stop-routing
[service-leaf1-ospf-1] area 0.0.0.0
[service-leaf1-ospf-1] quit
Configure IS-IS
[service-leaf1] isis 1
[service-leaf1-isis-1] non-stop-routing
[service-leaf1-isis-1] is-level level-2
[service-leaf1-isis-1] is-name user1
[service-leaf1-isis-1] network-entity 86.4713.0021.0100.0400.1006.00
[service-leaf1-isis-1] address-family ipv4 unicast
[service-leaf1-isis-1-ipv4] maximum load-balancing 4
[service-leaf1-isis-1-ipv4] quit
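Configure EBGP
The two Spine Border or Spine devices use AS number 500, and the four Leaf-role devices use AS number 501. EBGP peering is established between the Spine Border or Spine devices and the Leaf-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.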
[service-leaf1] interface LoopBack1
[service-leaf1-LoopBack1] ip address 4.1.1.5 255.255.255.255
[service-leaf1-LoopBack1] quit
[service-leaf1] bgp 501 instance Underlay
[service-leaf1-bgp-Underlay] non-stop-routing
[service-leaf1-bgp-Underlay] router-id 4.1.1.5
[service-leaf1-bgp-Underlay] group Spine external
[service-leaf1-bgp-Underlay] peer Spine as-number 500
[service-leaf1-bgp-Underlay] peer Spine ebgp-max-hop 2
[service-leaf1-bgp-Underlay] peer Spine connect-interface Loopback1
[service-leaf1-bgp-Underlay] peer 4.1.1.1 group Spine
[service-leaf1-bgp-Underlay] peer 4.1.1.2 group Spine
[service-leaf1-bgp-Underlay] address-family ipv4 unicast
[service-leaf1-bgp-Underlay-ipv4] balance 4
[service-leaf1-bgp-Underlay-ipv4] peer Spine enable
[service-leaf1-bgp-Underlay-ipv4] peer Spine allow-as-loop 2
[service-leaf1-bgp-Underlay-ipv4] quit
[service-leaf1-bgp-Underlay] quit
[service-leaf1] interface LoopBack0
[service-leaf1-LoopBack0] ip address 10.1.1.6 255.255.255.255
[service-leaf1-LoopBack0] quit
Select one routing protocol to configure:
Configure OSPF
[service-leaf1] interface LoopBack0
[service-leaf1-LoopBack0] ospf 1 area 0.0.0.0
[service-leaf1-LoopBack0] quit
Configure IS-IS
[service-leaf1] interface LoopBack0
[service-leaf1-LoopBack0] isis enable 1
[service-leaf1-LoopBack0] quit
Configure EBGP
[service-leaf1] bgp 501 instance Underlay
[service-leaf1-bgp-Underlay] address-family ipv4 unicast
[service-leaf1-bgp-Underlay-ipv4] network 10.1.1.6 255.255.255.255
[service-leaf1-bgp-Underlay-ipv4] quit
[service-leaf1-bgp-Underlay] quit
Configure IBGP
[service-leaf1] bgp 100
[service-leaf1-bgp-default] non-stop-routing
[service-leaf1-bgp-default] router-id 10.1.1.6
[service-leaf1-bgp-default] group evpn internal
[service-leaf1-bgp-default] peer evpn connect-interface Loopback0
[service-leaf1-bgp-default] peer 10.1.1.2 group evpn
[service-leaf1-bgp-default] peer 10.1.1.3 group evpn
[service-leaf1-bgp-default] address-family l2vpn evpn
[service-leaf1-bgp-default-evpn] peer evpn enable
[service-leaf1-bgp-default-evpn] quit
[service-leaf1-bgp-default] quit
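The following uses the interface connected to Spine 1 as an example. Configure the interface connected to Spine 2 in the same way.
The configuration of the interface connected to the Spine differs by underlay routing protocol. Select one of OSPF, IS-IS, and EBGP to configure.
Configure OSPF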
[service-leaf1] interface HundredGigE1/0/25
[service-leaf1-HundredGigE1/0/25] port link-mode route
[service-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[service-leaf1-HundredGigE1/0/25] ospf network-type p2p
[service-leaf1-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[service-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[service-leaf1-HundredGigE1/0/25] quit
Configure IS-IS
[service-leaf1] interface HundredGigE1/0/25
[service-leaf1-HundredGigE1/0/25] port link-mode route
[service-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[service-leaf1-HundredGigE1/0/25] isis circuit-level level-2
[service-leaf1-HundredGigE1/0/25] isis circuit-type p2p
[service-leaf1-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
[service-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[service-leaf1-HundredGigE1/0/25] quit
Configure EBGP
[service-leaf1] interface HundredGigE1/0/25
[service-leaf1-HundredGigE1/0/25] port link-mode route
[service-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack1
[service-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[service-leaf1-HundredGigE1/0/25] arp route-direct advertise
[service-leaf1-HundredGigE1/0/25] quit
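The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, select one from the Available Global MAC values of the two devices.
On S12500G/S12500X/S7500X/S10500X devices, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique network-wide. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique network-wide.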
[service-leaf1] evpn global-mac 0001-0001-0003
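Use the LoopBack0 interface address as the M-LAG real address. M-LAG single-homed access, M-LAG single-sided access, Type 5 routes, and so on use this address.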
[service-leaf1] evpn m-lag local 10.1.1.6 remote 10.1.1.7
(1) Configure the M-LAG virtual address.
[service-leaf1] interface LoopBack2
[service-leaf1-LoopBack2] ip address 10.20.1.6 255.255.255.255
[service-leaf1-LoopBack2] quit
Select one routing protocol to configure:
Configure OSPF
[service-leaf1] interface LoopBack2
[service-leaf1-LoopBack2] ospf 1 area 0.0.0.0
[service-leaf1-LoopBack2] quit
Configure IS-IS
[service-leaf1] interface LoopBack2
[service-leaf1-LoopBack2] isis enable 1
[service-leaf1-LoopBack2] isis circuit-level level-2
[service-leaf1-LoopBack2] quit
Configure EBGP
[service-leaf1] bgp 501 instance Underlay
[service-leaf1-bgp-Underlay] address-family ipv4 unicast
[service-leaf1-bgp-Underlay-ipv4] network 10.20.1.6 255.255.255.255
[service-leaf1-bgp-Underlay-ipv4] quit
[service-leaf1-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[service-leaf1] evpn m-lag group 10.20.1.6
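(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique network-wide. It is recommended to use the bridge MAC of either M-LAG device as the system-mac; run the display lacp system-id command on the device to view its bridge MAC.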
[service-leaf1] m-lag system-mac 0002-0003-0003
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must use different system-number values, for example 1 on one M-LAG device and 2 on the other.
[service-leaf1] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[service-leaf1] m-lag system-priority 10
(1) Configure the peer-link aggregate interface.
[service-leaf1] interface Bridge-Aggregation1
[service-leaf1-Bridge-Aggregation1] port link-type trunk
[service-leaf1-Bridge-Aggregation1] port trunk permit vlan all
[service-leaf1-Bridge-Aggregation1] port trunk pvid vlan 4094
[service-leaf1-Bridge-Aggregation1] link-aggregation mode dynamic
[service-leaf1-Bridge-Aggregation1] port m-lag peer-link 1
[service-leaf1-Bridge-Aggregation1] undo mac-address static source-check enable
[service-leaf1-Bridge-Aggregation1] quit
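On S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: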
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(2) Configure peer-link physical interface 1.
[service-leaf1] interface HundredGigE1/0/9
[service-leaf1-HundredGigE1/0/9] port link-mode bridge
[service-leaf1-HundredGigE1/0/9] port link-type trunk
[service-leaf1-HundredGigE1/0/9] port trunk permit vlan all
[service-leaf1-HundredGigE1/0/9] port trunk pvid vlan 4094
[service-leaf1-HundredGigE1/0/9] port link-aggregation group 1
[service-leaf1-HundredGigE1/0/9] quit
(3) Configure peer-link physical interface 2.
[service-leaf1] interface HundredGigE1/0/10
[service-leaf1-HundredGigE1/0/10] port link-mode bridge
[service-leaf1-HundredGigE1/0/10] port link-type trunk
[service-leaf1-HundredGigE1/0/10] port trunk permit vlan all
[service-leaf1-HundredGigE1/0/10] port trunk pvid vlan 4094
[service-leaf1-HundredGigE1/0/10] port link-aggregation group 1
[service-leaf1-HundredGigE1/0/10] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the link goes MAD UP only after the specified delay.
[service-leaf1] m-lag restore-delay 180
(2) Configure the VPN.
[service-leaf1] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[service-leaf1] interface HundredGigE1/0/30
[service-leaf1-HundredGigE1/0/30] port link-mode route
[service-leaf1-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[service-leaf1-HundredGigE1/0/30] ip address 10.10.1.9 255.255.255.252
[service-leaf1-HundredGigE1/0/30] quit
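(4) Configure the M-LAG MAD whitelist.
All physical interfaces except the M-LAG peer-link interfaces, the MAD interface, and interfaces to be added to a service loopback group must be added to the whitelist.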
[service-leaf1] m-lag mad default-action none
[service-leaf1] m-lag keepalive ip destination 10.10.1.10 source 10.10.1.9 vpn-instance auto-online-mlag
[service-leaf1] m-lag mad include interface HundredGigE1/0/25
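…omitted…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 are DOWN at the same time, traffic from the downlink interfaces of device 1 travels over the peer-link escape path to the uplink interfaces of device 2, so connectivity with other devices is maintained.
It is recommended to use the PVID VLAN of the peer-link interface as the escape VLAN.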
[service-leaf1] interface Vlan-interface4094
[service-leaf1-Vlan-interface4094] ip address 10.30.1.9 255.255.255.252
[service-leaf1-Vlan-interface4094] quit
Select one routing protocol to configure:
Configure OSPF
[service-leaf1] interface Vlan-interface4094
[service-leaf1-Vlan-interface4094] ospf 1 area 0.0.0.0
[service-leaf1-Vlan-interface4094] quit
Configure IS-IS
[service-leaf1] interface Vlan-interface4094
[service-leaf1-Vlan-interface4094] isis enable 1
[service-leaf1-Vlan-interface4094] quit
Configure EBGP
[service-leaf1] route-policy ibgpsurvive permit node 100
[service-leaf1-route-policy-ibgpsurvive-100] apply local-preference 0
[service-leaf1-route-policy-ibgpsurvive-100] quit
[service-leaf1] bgp 501 instance Underlay
[service-leaf1-bgp-Underlay] peer 10.30.1.10 as-number 501
[service-leaf1-bgp-Underlay] address-family ipv4 unicast
[service-leaf1-bgp-Underlay-ipv4] network 10.30.1.9 255.255.255.252
[service-leaf1-bgp-Underlay-ipv4] peer 10.30.1.10 route-policy ibgpsurvive export
[service-leaf1-bgp-Underlay-ipv4] peer 10.30.1.10 next-hop-local
[service-leaf1-bgp-Underlay-ipv4] quit
[service-leaf1-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On non-S12500X devices, configure the following command:
[service-leaf1] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
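· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: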
[service-leaf1] l2vpn m-lag peer-link tunnel source 10.1.1.6 destination 10.1.1.7
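VXLAN packets in single-homed access networks use the M-LAG real address as the tunnel source address, so default decapsulation must be configured for them to be forwarded correctly.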
[service-leaf1] vxlan default-decapsulation source interface LoopBack0
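The automatic recovery time after an M-LAG device starts must be longer than the restart time of the peer device. The reference value is 600 seconds for chassis devices such as S12500G/S12500X/S10500X/S7500X, and 300 seconds for fixed-form devices such as S68XX. Configure it as follows: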
[service-leaf1] m-lag auto-recovery reload-delay 600
Configure the M-LAG interface for the LACP aggregate link to FW device 1.
[service-leaf1] interface Bridge-Aggregation256
[service-leaf1-Bridge-Aggregation256] link-aggregation mode dynamic
[service-leaf1-Bridge-Aggregation256] port m-lag group 6
[service-leaf1-Bridge-Aggregation256] stp edged-port
[service-leaf1-Bridge-Aggregation256] quit
[service-leaf1] interface Ten-GigabitEthernet1/0/11
[service-leaf1-Ten-GigabitEthernet1/0/11] port link-mode bridge
[service-leaf1-Ten-GigabitEthernet1/0/11] port link-type trunk
[service-leaf1-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[service-leaf1-Ten-GigabitEthernet1/0/11] quit
Configure the M-LAG interface for the LACP aggregate link to FW device 2.
[service-leaf1] interface Bridge-Aggregation257
[service-leaf1-Bridge-Aggregation257] link-aggregation mode dynamic
[service-leaf1-Bridge-Aggregation257] port m-lag group 7
[service-leaf1-Bridge-Aggregation257] stp edged-port
[service-leaf1-Bridge-Aggregation257] quit
[service-leaf1] interface Ten-GigabitEthernet1/0/12
[service-leaf1-Ten-GigabitEthernet1/0/12] port link-mode bridge
[service-leaf1-Ten-GigabitEthernet1/0/12] port link-aggregation group 257
[service-leaf1-Ten-GigabitEthernet1/0/12] quit
[service-leaf1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
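(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the operation column of fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Information" tab:
¡ Device name: Service-leaf1.
¡ Basic information:
- Fabric: fabric1. Do not use the control component's default Fabric, DEFAULTFABRIC.
- Device type: border device.
- Management IP: 192.168.11.6.
- VTEP IP: 10.1.1.6.
- Preferred Region: region1.
- Device role: Leaf.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 101 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 102 Adding a switching device

(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 103 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN to which the management interface of the switching device belongs. This example uses mgmt.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 104 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as required by the network. This example uses the default settings.
Figure 105 Advanced settings

(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique network-wide.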
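The consistency rules above can be checked offline before the devices are onboarded. The following is an added example, not part of the original manual or of any H3C tool: it parses configuration excerpts and verifies the per-pair rules (same Global MAC, system-mac, system-priority and virtual IP, different system-number, mirrored real addresses and keepalive addresses) plus network-wide uniqueness of Global MAC and system-mac. The server-leaf2 and service-leaf1 values are taken from this guide; the server-leaf1 and service-leaf2 excerpts, and all function names, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed running-config excerpts. server-leaf2 and service-leaf1 carry the
# values shown in this guide; server-leaf1 and service-leaf2 are constructed
# peers, and service-leaf2 is deliberately misconfigured.
CONFIGS = {
    "server-leaf1": """\
evpn global-mac 0001-0001-0002
evpn m-lag local 10.1.1.4 remote 10.1.1.5
evpn m-lag group 10.20.1.4
m-lag system-mac 0002-0003-0002
m-lag system-number 2
m-lag system-priority 10
m-lag keepalive ip destination 10.10.1.6 source 10.10.1.5 vpn-instance auto-online-mlag
""",
    "server-leaf2": """\
evpn global-mac 0001-0001-0002
evpn m-lag local 10.1.1.5 remote 10.1.1.4
evpn m-lag group 10.20.1.4
m-lag system-mac 0002-0003-0002
m-lag system-number 1
m-lag system-priority 10
m-lag keepalive ip destination 10.10.1.5 source 10.10.1.6 vpn-instance auto-online-mlag
""",
    "service-leaf1": """\
evpn global-mac 0001-0001-0003
evpn m-lag local 10.1.1.6 remote 10.1.1.7
evpn m-lag group 10.20.1.6
m-lag system-mac 0002-0003-0003
m-lag system-number 2
m-lag system-priority 10
m-lag keepalive ip destination 10.10.1.10 source 10.10.1.9 vpn-instance auto-online-mlag
""",
    "service-leaf2": """\
evpn global-mac 0001-0001-0002
evpn m-lag local 10.1.1.7 remote 10.1.1.6
evpn m-lag group 10.20.1.6
m-lag system-mac 0002-0003-0003
m-lag system-number 2
m-lag system-priority 20
m-lag keepalive ip destination 10.10.1.9 source 10.10.1.10 vpn-instance auto-online-mlag
""",
}
PAIRS = [("server-leaf1", "server-leaf2"), ("service-leaf1", "service-leaf2")]

PATTERNS = {
    "global_mac": r"^\s*evpn global-mac (\S+)",
    "virtual_ip": r"^\s*evpn m-lag group (\S+)",
    "real_ips": r"^\s*evpn m-lag local (\S+) remote (\S+)",
    "system_mac": r"^\s*m-lag system-mac (\S+)",
    "system_number": r"^\s*m-lag system-number (\d+)",
    "system_priority": r"^\s*m-lag system-priority (\d+)",
    "keepalive": r"^\s*m-lag keepalive ip destination (\S+) source (\S+)",
}
SAME = ("global_mac", "system_mac", "system_priority", "virtual_ip")
MIRRORED = ("real_ips", "keepalive")  # local/remote and source/destination swap

def parse(cfg):
    """Extract the M-LAG settings from one device's configuration text."""
    found = {}
    for key, pattern in PATTERNS.items():
        m = re.search(pattern, cfg, re.MULTILINE)
        if m:
            found[key] = tuple(g.lower() for g in m.groups())
    return found

def check_pair(a, b, parsed):
    """Return (setting, problem) findings for one M-LAG pair."""
    pa, pb, findings = parsed[a], parsed[b], []
    for key in SAME + ("system_number",) + MIRRORED:
        if key not in pa or key not in pb:
            findings.append((key, "missing"))
        elif key in SAME and pa[key] != pb[key]:
            findings.append((key, "mismatch"))
        elif key == "system_number" and pa[key] == pb[key]:
            findings.append((key, "duplicate"))
        elif key in MIRRORED and pa[key] != pb[key][::-1]:
            findings.append((key, "not mirrored"))
    return findings

def check_unique(pairs, parsed):
    """Global MAC and system MAC may belong to only one M-LAG system."""
    owners = defaultdict(set)
    for pair in pairs:
        for dev in pair:
            for key in ("global_mac", "system_mac"):
                if key in parsed[dev]:
                    owners[(key, parsed[dev][key][0])].add(pair)
    return sorted(k for k, systems in owners.items() if len(systems) > 1)

def audit(configs=CONFIGS, pairs=PAIRS):
    """Return (findings per pair, values reused by more than one system)."""
    parsed = {name: parse(text) for name, text in configs.items()}
    return {p: check_pair(*p, parsed) for p in pairs}, check_unique(pairs, parsed)

if __name__ == "__main__":
    print(audit())
```

In practice the excerpts would come from each device's saved configuration file; the pair list has to be maintained by hand because the configuration alone does not say which devices form one M-LAG system.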
<service-leaf2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<service-leaf2> reboot force
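After the hardware resource parameters are configured, the device must be restarted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G T series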
[service-leaf2] hardware-resource tcam normal
[service-leaf2] hardware-resource routing-mode ipv6-128
[service-leaf2] hardware-resource vxlan l3gw
S12500X
[service-leaf2] hardware-resource tcam routing
[service-leaf2] hardware-resource vxlan normal
[service-leaf2] hardware-resource mcast normal
[service-leaf2] hardware-resource scale-rt-prefix none
[service-leaf2] hardware-resource mpls normal
[service-leaf2] hardware-resource parser normal
S6800
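When an S6800 acts as a Leaf or Border, configure the hardware resources according to the services in use. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".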
[service-leaf2] hardware-resource switch-mode 4
[service-leaf2] hardware-resource routing-mode ipv6-128
[service-leaf2] hardware-resource vxlan Border40k
S6860
[service-leaf2] hardware-resource switch-mode 4
[service-leaf2] hardware-resource routing-mode ipv6-128
[service-leaf2] hardware-resource vxlan Border24k
S6850/S9850/S6805/S6825
[service-leaf2] hardware-resource switch-mode DUAL-STACK
[service-leaf2] hardware-resource routing-mode ipv6-128
[service-leaf2] hardware-resource vxlan l3gw
S10500X
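On the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a restart.
(1) Change the interface module parameter, using slot 0 as an example.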
[service-leaf2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter, using slot 6 as an example.
[service-leaf2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
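On the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a restart.
Change the interface module parameter, using slot 2 as an example.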
[service-leaf2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
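S12500G S series
On the S12500G S series, the hardware resource parameter switch-mode must be normal; use the display switch-mode status command to view the configured value. system-working-mode must be expert; use the display system-working-mode command to view the configured value. switch-mode and system-working-mode can be changed with the following commands; the changes take effect after a restart.
This example uses slot 3.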
[service-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[service-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
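On the S10506X-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a restart.
This example uses slot 1.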
[service-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
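For the S6850-56HF-G/S9850-32H-G, the switch-mode hardware resource parameter must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.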
[service-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
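S12500G S series/S9820-4C-G/S12500CR
For the S12500G S series/S9820-4C-G/S12500CR, the switch-mode hardware resource parameter must be set to normal (use the display switch-mode status command to view the configured value), and system-working-mode must be set to expert (use the display system-working-mode command to view the configured value). Use the following commands to change switch-mode and system-working-mode; the changes take effect after a reboot.
Slot 3 is used as an example.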
[service-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[service-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
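For the S10500XG/12500G-EF, the switch-mode hardware resource parameter must be set to normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.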
[service-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
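For the S6805G/S6850G/9850G, the switch-mode hardware resource parameter must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.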
[service-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
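For the S9825/S9855, hardware-resource switch-mode can be set to ROUTING or MAC and defaults to ROUTING. The two modes differ only in specifications, not in functionality. Keeping the default value is recommended, as is using the same mode on both ends. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command) and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change these settings; the changes take effect after a reboot.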
[service-leaf2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
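For the S9827, set hardware-resource switch-mode to ROUTING (view it with the display hardware-resource switch-mode command), hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command), and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change these settings; the changes take effect after a reboot.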
[service-leaf2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[service-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[service-leaf2] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[service-leaf2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[service-leaf2] interface M-GigabitEthernet0/0/0
[service-leaf2-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[service-leaf2-M-GigabitEthernet0/0/0] ip address 192.168.11.7 255.255.255.0
[service-leaf2-M-GigabitEthernet0/0/0] quit
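(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some functions use HTTPS short connections, so the service-type https command must be configured; otherwise those functions do not work properly. For the functions that use HTTPS short connections, see "Which functions use HTTPS short connections?".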
[service-leaf2] local-user admin class manage
[service-leaf2-luser-manage-admin] password simple Qwert@1234
[service-leaf2-luser-manage-admin] service-type https ssh
[service-leaf2-luser-manage-admin] authorization-attribute user-role network-admin
[service-leaf2-luser-manage-admin] authorization-attribute user-role network-operator
[service-leaf2-luser-manage-admin] quit
(5) Configure the VTY lines.
[service-leaf2] line vty 0 63
[service-leaf2-line-vty0-63] authentication-mode scheme
[service-leaf2-line-vty0-63] user-role network-admin
[service-leaf2-line-vty0-63] user-role network-operator
[service-leaf2-line-vty0-63] quit
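(6) Configure NETCONF. Some functions use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those functions do not work properly. For the functions that use HTTPS short connections, see "Which functions use HTTPS short connections?".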
[service-leaf2] netconf soap https enable
[service-leaf2] netconf ssh server enable
(7) Enable the SSH service.
[service-leaf2] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. The NTP server IP address 192.168.10.101 is used as an example.
[service-leaf2] ntp-service enable
[service-leaf2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[service-leaf2] snmp-agent
[service-leaf2] snmp-agent community write private
[service-leaf2] snmp-agent community read public
[service-leaf2] snmp-agent sys-info version all
[service-leaf2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[service-leaf2] lldp global enable
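Steps (4) and (9) above, and the IS-IS interface step later in this section, print example secrets (Qwert@1234, public/private, 123456). The following check is an added example, not part of the H3C manual: it scans a command script prepared from these steps, before it is entered on a device, and reports where the printed values were left in place. The function names, finding codes and the replacement values in the second sample are assumptions made for this illustration.

```python
import re

# Example values printed in this guide's steps; treat them as placeholders.
DOCUMENTED_EXAMPLES = {"Qwert@1234", "123456"}
# Well-known SNMP community strings, which are also the ones used in step (9).
DEFAULT_COMMUNITIES = {"public", "private"}

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # "[service-leaf2-...] " or "<Sysname> "
PASSWORD = re.compile(r"^password simple (\S+)")
ISIS_KEY = re.compile(r"^isis authentication-mode \S+ simple (\S+)")
COMMUNITY = re.compile(r"^snmp-agent community (?:read|write) (\S+)")
SNMP_ALL = re.compile(r"^snmp-agent sys-info version all\b")


def char_classes(secret):
    """Count how many of the four character types named in step (4) are present."""
    return sum((
        any(c.isdigit() for c in secret),
        any(c.isupper() for c in secret),
        any(c.islower() for c in secret),
        any(not c.isalnum() for c in secret),
    ))


def audit(script_text):
    """Return (line_number, finding_code) pairs for a prepared command script."""
    findings = []
    for lineno, raw in enumerate(script_text.splitlines(), start=1):
        cmd = PROMPT.sub("", raw).strip()
        m = PASSWORD.match(cmd)
        if m:
            if m.group(1) in DOCUMENTED_EXAMPLES:
                findings.append((lineno, "EXAMPLE_SECRET"))
            elif char_classes(m.group(1)) < 2:  # rule stated in step (4)
                findings.append((lineno, "WEAK_PASSWORD"))
        m = ISIS_KEY.match(cmd)
        if m and m.group(1) in DOCUMENTED_EXAMPLES:
            findings.append((lineno, "EXAMPLE_SECRET"))
        m = COMMUNITY.match(cmd)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "DEFAULT_COMMUNITY"))
        if SNMP_ALL.match(cmd):
            # "version all" enables SNMPv1 and SNMPv2c in addition to SNMPv3.
            findings.append((lineno, "SNMP_V1_V2C_ENABLED"))
    return findings


# Commands exactly as printed in this section.
AS_PRINTED = "\n".join([
    "[service-leaf2] local-user admin class manage",
    "[service-leaf2-luser-manage-admin] password simple Qwert@1234",
    "[service-leaf2-luser-manage-admin] service-type https ssh",
    "[service-leaf2] snmp-agent community write private",
    "[service-leaf2] snmp-agent community read public",
    "[service-leaf2] snmp-agent sys-info version all",
    "[service-leaf2-HundredGigE1/0/25] isis authentication-mode md5 simple 123456",
])

# Same commands with constructed replacement values (illustrative only).
REPLACED = "\n".join([
    "[service-leaf2] local-user admin class manage",
    "[service-leaf2-luser-manage-admin] password simple Vx7#sample-Only",
    "[service-leaf2-luser-manage-admin] service-type https ssh",
    "[service-leaf2] snmp-agent community write rw-constructed-01",
    "[service-leaf2] snmp-agent community read ro-constructed-01",
    "[service-leaf2] snmp-agent sys-info version all",
    "[service-leaf2-HundredGigE1/0/25] isis authentication-mode md5 simple k3y-constructed",
])

if __name__ == "__main__":
    for name, script in (("as printed", AS_PRINTED), ("replaced", REPLACED)):
        print(name, audit(script))
```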
(1) Enable L2VPN on the device.
[service-leaf2] l2vpn enable
(2) Disable learning of MAC, ARP, and ND entries from VXLAN tunnels.
[service-leaf2] vxlan tunnel mac-learning disable
[service-leaf2] vxlan tunnel arp-learning disable
[service-leaf2] vxlan tunnel nd-learning disable
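To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled there and the command is configured manually, the configuration audit reports a difference.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF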
[service-leaf2] ospf 1 router-id 192.168.11.7
[service-leaf2-ospf-1] non-stop-routing
[service-leaf2-ospf-1] area 0.0.0.0
[service-leaf2-ospf-1] quit
Configure IS-IS
[service-leaf2] isis 1
[service-leaf2-isis-1] non-stop-routing
[service-leaf2-isis-1] is-level level-2
[service-leaf2-isis-1] is-name user1
[service-leaf2-isis-1] network-entity 86.4713.0021.0100.0400.1007.00
[service-leaf2-isis-1] address-family ipv4 unicast
[service-leaf2-isis-1-ipv4] maximum load-balancing 4
[service-leaf2-isis-1-ipv4] quit
[service-leaf2-isis-1] quit
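Configure EBGP
The two Spine Border or Spine devices use AS number 500, and the four devices with the Leaf role use AS number 501. EBGP peer relationships are established between the Spine Border or Spine devices and the Leaf-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.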
[service-leaf2] interface LoopBack1
[service-leaf2-LoopBack1] ip address 4.1.1.6 255.255.255.255
[service-leaf2-LoopBack1] quit
[service-leaf2] bgp 501 instance Underlay
[service-leaf2-bgp-Underlay] non-stop-routing
[service-leaf2-bgp-Underlay] router-id 4.1.1.6
[service-leaf2-bgp-Underlay] group Spine external
[service-leaf2-bgp-Underlay] peer Spine as-number 500
[service-leaf2-bgp-Underlay] peer Spine ebgp-max-hop 2
[service-leaf2-bgp-Underlay] peer Spine connect-interface Loopback1
[service-leaf2-bgp-Underlay] peer 4.1.1.1 group Spine
[service-leaf2-bgp-Underlay] peer 4.1.1.2 group Spine
[service-leaf2-bgp-Underlay] address-family ipv4 unicast
[service-leaf2-bgp-Underlay-ipv4] balance 4
[service-leaf2-bgp-Underlay-ipv4] peer Spine enable
[service-leaf2-bgp-Underlay-ipv4] peer Spine allow-as-loop 2
[service-leaf2-bgp-Underlay-ipv4] quit
[service-leaf2-bgp-Underlay] quit
[service-leaf2] interface LoopBack0
[service-leaf2-LoopBack0] ip address 10.1.1.7 255.255.255.255
[service-leaf2-LoopBack0] quit
Choose one routing protocol to configure:
Configure OSPF
[service-leaf2] interface LoopBack0
[service-leaf2-LoopBack0] ospf 1 area 0.0.0.0
[service-leaf2-LoopBack0] quit
Configure IS-IS
[service-leaf2] interface LoopBack0
[service-leaf2-LoopBack0] isis enable 1
[service-leaf2-LoopBack0] quit
Configure EBGP
[service-leaf2] bgp 501 instance Underlay
[service-leaf2-bgp-Underlay] address-family ipv4 unicast
[service-leaf2-bgp-Underlay-ipv4] network 10.1.1.7 255.255.255.255
[service-leaf2-bgp-Underlay-ipv4] quit
[service-leaf2-bgp-Underlay] quit
Configure IBGP
[service-leaf2] bgp 100
[service-leaf2-bgp-default] non-stop-routing
[service-leaf2-bgp-default] router-id 10.1.1.7
[service-leaf2-bgp-default] group evpn internal
[service-leaf2-bgp-default] peer evpn connect-interface Loopback0
[service-leaf2-bgp-default] peer 10.1.1.2 group evpn
[service-leaf2-bgp-default] peer 10.1.1.3 group evpn
[service-leaf2-bgp-default] address-family l2vpn evpn
[service-leaf2-bgp-default-evpn] peer evpn enable
[service-leaf2-bgp-default-evpn] quit
[service-leaf2-bgp-default] quit
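The interface connecting to Spine 1 is used as an example. Configure the interface connecting to Spine 2 in the same way.
The configuration of the interface connecting to the Spine differs by underlay routing protocol. Choose one of OSPF, IS-IS, or EBGP to configure.
Configure OSPF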
[service-leaf2] interface HundredGigE1/0/25
[service-leaf2-HundredGigE1/0/25] port link-mode route
[service-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[service-leaf2-HundredGigE1/0/25] ospf network-type p2p
[service-leaf2-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[service-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[service-leaf2-HundredGigE1/0/25] quit
Configure IS-IS
[service-leaf2] interface HundredGigE1/0/25
[service-leaf2-HundredGigE1/0/25] port link-mode route
[service-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[service-leaf2-HundredGigE1/0/25] isis circuit-level level-2
[service-leaf2-HundredGigE1/0/25] isis circuit-type p2p
[service-leaf2-HundredGigE1/0/25] isis authentication-mode md5 simple 123456
[service-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[service-leaf2-HundredGigE1/0/25] quit
Configure EBGP
[service-leaf2] interface HundredGigE1/0/25
[service-leaf2-HundredGigE1/0/25] port link-mode route
[service-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack1
[service-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[service-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[service-leaf2-HundredGigE1/0/25] arp route-direct advertise
[service-leaf2-HundredGigE1/0/25] quit
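The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE. Alternatively, select one from the Available Global MAC addresses of the two devices.
On S12500G/S12500X/S75X/S105X devices, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network, including in multi-Fabric and data center interconnect scenarios.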
[service-leaf2] evpn global-mac 0001-0001-0003
Use the LoopBack0 interface address as the M-LAG real address. It is used by M-LAG single-homed access, M-LAG single-sided access, type-5 routes, and so on.
[service-leaf2] evpn m-lag local 10.1.1.7 remote 10.1.1.6
(1) Configure the M-LAG virtual address.
[service-leaf2] interface LoopBack2
[service-leaf2-LoopBack2] ip address 10.20.1.6 255.255.255.255
[service-leaf2-LoopBack2] quit
Choose one routing protocol to configure:
Configure OSPF
[service-leaf2] interface LoopBack2
[service-leaf2-LoopBack2] ospf 1 area 0.0.0.0
[service-leaf2-LoopBack2] quit
Configure IS-IS
[service-leaf2] interface LoopBack2
[service-leaf2-LoopBack2] isis enable 1
[service-leaf2-LoopBack2] isis circuit-level level-2
[service-leaf2-LoopBack2] quit
Configure EBGP
[service-leaf2] bgp 501 instance Underlay
[service-leaf2-bgp-Underlay] address-family ipv4 unicast
[service-leaf2-bgp-Underlay-ipv4] network 10.20.1.6 255.255.255.255
[service-leaf2-bgp-Underlay-ipv4] quit
[service-leaf2-bgp-Underlay] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[service-leaf2] evpn m-lag group 10.20.1.6
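(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. It is recommended to use the bridge MAC of either M-LAG device as the system-mac. Run the display lacp system-id command on the device to view its bridge MAC.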
[service-leaf2] m-lag system-mac 0002-0003-0003
(2) Configure the M-LAG system-number. Note: The two M-LAG devices must use different system-number values, for example 1 on one M-LAG device and 2 on the other.
[service-leaf2] m-lag system-number 1
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[service-leaf2] m-lag system-priority 10
(1) Configure the peer-link aggregate interface.
[service-leaf2] interface Bridge-Aggregation1
[service-leaf2-Bridge-Aggregation1] port link-type trunk
[service-leaf2-Bridge-Aggregation1] port trunk permit vlan all
[service-leaf2-Bridge-Aggregation1] port trunk pvid vlan 4094
[service-leaf2-Bridge-Aggregation1] link-aggregation mode dynamic
[service-leaf2-Bridge-Aggregation1] port m-lag peer-link 1
[service-leaf2-Bridge-Aggregation1] undo mac-address static source-check enable
[service-leaf2-Bridge-Aggregation1] quit
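On S12500X devices, the undo mac-address static source-check enable command does not need to be configured on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: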
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(2) Configure peer-link physical interface 1.
[service-leaf2] interface HundredGigE1/0/9
[service-leaf2-HundredGigE1/0/9] port link-mode bridge
[service-leaf2-HundredGigE1/0/9] port link-type trunk
[service-leaf2-HundredGigE1/0/9] port trunk permit vlan all
[service-leaf2-HundredGigE1/0/9] port trunk pvid vlan 4094
[service-leaf2-HundredGigE1/0/9] port link-aggregation group 1
[service-leaf2-HundredGigE1/0/9] quit
(3) Configure peer-link physical interface 2.
[service-leaf2] interface HundredGigE1/0/10
[service-leaf2-HundredGigE1/0/10] port link-mode bridge
[service-leaf2-HundredGigE1/0/10] port link-type trunk
[service-leaf2-HundredGigE1/0/10] port trunk permit vlan all
[service-leaf2-HundredGigE1/0/10] port trunk pvid vlan 4094
[service-leaf2-HundredGigE1/0/10] port link-aggregation group 1
[service-leaf2-HundredGigE1/0/10] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the links become MAD UP only after the specified delay.
[service-leaf2] m-lag restore-delay 180
(2) Configure the VPN.
[service-leaf2] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[service-leaf2] interface HundredGigE1/0/30
[service-leaf2-HundredGigE1/0/30] port link-mode route
[service-leaf2-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[service-leaf2-HundredGigE1/0/30] ip address 10.10.1.10 255.255.255.252
[service-leaf2-HundredGigE1/0/30] quit
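(4) Configure the M-LAG MAD whitelist.
All physical interfaces must be added to the whitelist except the M-LAG peer-link interfaces, the MAD interface, and interfaces to be added to a service loopback group.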
[service-leaf2] m-lag mad default-action none
[service-leaf2] m-lag keepalive ip destination 10.10.1.9 source 10.10.1.10 vpn-instance auto-online-mlag
[service-leaf2] m-lag mad include interface HundredGigE1/0/25
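…(omitted)…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 go DOWN at the same time, traffic from the downlink interfaces of device 1 reaches the uplink interfaces of device 2 through the escape path over the peer-link, so that connectivity with other devices is maintained.
It is recommended to use the PVID VLAN of the peer-link interface as the escape VLAN.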
[service-leaf2] interface Vlan-interface4094
[service-leaf2-Vlan-interface4094] ip address 10.30.1.10 255.255.255.252
[service-leaf2-Vlan-interface4094] quit
Choose one routing protocol to configure:
Configure OSPF
[service-leaf2] interface Vlan-interface4094
[service-leaf2-Vlan-interface4094] ospf 1 area 0.0.0.0
[service-leaf2-Vlan-interface4094] quit
Configure IS-IS
[service-leaf2] interface Vlan-interface4094
[service-leaf2-Vlan-interface4094] isis enable 1
[service-leaf2-Vlan-interface4094] quit
Configure EBGP
[service-leaf2] route-policy ibgpsurvive permit node 100
[service-leaf2-route-policy-ibgpsurvive-100] apply local-preference 0
[service-leaf2-route-policy-ibgpsurvive-100] quit
[service-leaf2] bgp 501 instance Underlay
[service-leaf2-bgp-Underlay] peer 10.30.1.9 as-number 501
[service-leaf2-bgp-Underlay] address-family ipv4 unicast
[service-leaf2-bgp-Underlay-ipv4] network 10.30.1.10 255.255.255.252
[service-leaf2-bgp-Underlay-ipv4] peer 10.30.1.9 route-policy ibgpsurvive export
[service-leaf2-bgp-Underlay-ipv4] peer 10.30.1.9 next-hop-local
[service-leaf2-bgp-Underlay-ipv4] quit
[service-leaf2-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[service-leaf2] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
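· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: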
[service-leaf2] l2vpn m-lag peer-link tunnel source 10.1.1.7 destination 10.1.1.6
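VXLAN packets in single-homed access networking use the M-LAG real address as the tunnel source address. To forward them correctly, default decapsulation must be configured.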
[service-leaf2] vxlan default-decapsulation source interface LoopBack0
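The automatic recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. The reference value is 600 seconds for modular devices such as the S12500G/S12500X/S10500X/S7500X and 300 seconds for fixed-port devices such as the S68XX. Configure it as follows: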
[service-leaf2] m-lag auto-recovery reload-delay 600
M-LAG interface configuration for the LACP aggregate link connecting to FW device 1
[service-leaf2] interface Bridge-Aggregation256
[service-leaf2-Bridge-Aggregation256] link-aggregation mode dynamic
[service-leaf2-Bridge-Aggregation256] port m-lag group 6
[service-leaf2-Bridge-Aggregation256] stp edged-port
[service-leaf2-Bridge-Aggregation256] quit
[service-leaf2] interface Ten-GigabitEthernet1/0/11
[service-leaf2-Ten-GigabitEthernet1/0/11] port link-mode bridge
[service-leaf2-Ten-GigabitEthernet1/0/11] port link-type trunk
[service-leaf2-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[service-leaf2-Ten-GigabitEthernet1/0/11] quit
M-LAG interface configuration for the LACP aggregate link connecting to FW device 2
[service-leaf2] interface Bridge-Aggregation257
[service-leaf2-Bridge-Aggregation257] link-aggregation mode dynamic
[service-leaf2-Bridge-Aggregation257] port m-lag group 7
[service-leaf2-Bridge-Aggregation257] stp edged-port
[service-leaf2-Bridge-Aggregation257] quit
[service-leaf2] interface Ten-GigabitEthernet1/0/12
[service-leaf2-Ten-GigabitEthernet1/0/12] port link-mode bridge
[service-leaf2-Ten-GigabitEthernet1/0/12] port link-aggregation group 257
[service-leaf2-Ten-GigabitEthernet1/0/12] quit
[service-leaf2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
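(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions column for fabric1, and then click the "Switching Devices" tab to open the switching device configuration page for fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
¡ Device name: Service-leaf1.
¡ Basic information:
- Fabric: fabric1. Do not use the controller's default Fabric, DEFAULTFABRIC.
- Device type: Border device.
- Management IP: 192.168.11.7.
- VTEP IP: 10.1.1.7.
- Preferred Region: region1.
- Device role: Leaf.
- Configure other parameters as required by the network. The default settings are used in this example.
Figure 106 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. The default settings are used in this example.
Figure 107 Adding a switching device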

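(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. The default settings are used in this example.
Figure 108 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN to which the management interface of the switching device belongs. mgmt is used as an example.
¡ Configure other parameters as required by the network. The default settings are used in this example.
Figure 109 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as required by the network. The default settings are used in this example.
Figure 110 Advanced configuration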

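(7) Click <OK> to finish adding the device.
(8) Go to the [Automation > Data Center Networks > Resource Pools > Device Resources > Device Groups] page, click <Add> to open the Add Device Group page, and configure the following parameters in the basic information area:
¡ Device group name: slgroup1.
¡ MAC address: 3C:8C:40:4E:DD:46.
¡ Remote device group: No
¡ Network position: Service Leaf
¡ HA deployment mode: M-LAG.
Figure 111 Adding a device group
(9) In the device group member area of the Add Device Group page, add the border devices service-leaf1 and service-leaf2 that were added earlier.
(10) Click <OK> to finish adding the device group.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.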
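The M-LAG consistency rules stated here and in the system-mac, system-number and system-priority steps can be checked mechanically before devices are onboarded. The following is an added example, not part of the H3C manual: the function names are hypothetical, the service-leaf2 and border1 values are the ones printed on this page, and the service-leaf1 peer configuration is constructed for the illustration.

```python
import re
from itertools import combinations

PREFIX = r"^\s*(?:\[[^\]]*\]\s*)?"  # optional "[device] " prompt before the command
PATTERNS = {
    "system_mac": re.compile(PREFIX + r"m-lag system-mac (\S+)", re.M),
    "system_number": re.compile(PREFIX + r"m-lag system-number (\d+)", re.M),
    "system_priority": re.compile(PREFIX + r"m-lag system-priority (\d+)", re.M),
    "global_mac": re.compile(PREFIX + r"evpn global-mac (\S+)", re.M),
    "virtual_ip": re.compile(PREFIX + r"evpn m-lag group (\S+)", re.M),
}
REAL_ADDR = re.compile(PREFIX + r"evpn m-lag local (\S+) remote (\S+)", re.M)
MUST_MATCH = ("system_mac", "system_priority", "global_mac", "virtual_ip")


def parse_member(config_text):
    """Extract the M-LAG parameters from one device's command text."""
    params = {}
    for key, pattern in PATTERNS.items():
        m = pattern.search(config_text)
        params[key] = m.group(1).lower() if m else None  # normalise MAC case
    m = REAL_ADDR.search(config_text)
    params["real_addr"] = (m.group(1), m.group(2)) if m else None
    return params


def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Compare the two members of one M-LAG system; return a list of findings."""
    a, b = parse_member(cfg_a), parse_member(cfg_b)
    findings = []
    for key in MUST_MATCH:
        if a[key] is None or b[key] is None:
            missing = name_a if a[key] is None else name_b
            findings.append(f"{key}: not configured on {missing}")
        elif a[key] != b[key]:
            findings.append(f"{key}: {name_a}={a[key]} differs from {name_b}={b[key]}")
    if a["system_number"] is None or b["system_number"] is None:
        findings.append("system_number: not configured on both members")
    elif a["system_number"] == b["system_number"]:
        findings.append(f"system_number: both members use {a['system_number']}")
    # Real addresses (not configured on Border devices) should mirror each other.
    if a["real_addr"] and b["real_addr"] and a["real_addr"] != b["real_addr"][::-1]:
        findings.append("real_addr: local/remote addresses are not mirrored")
    return findings


def check_uniqueness(systems):
    """systems maps an M-LAG system name to one member's parsed parameters."""
    findings = []
    for (n1, p1), (n2, p2) in combinations(systems.items(), 2):
        for key in ("system_mac", "global_mac"):
            if p1[key] and p1[key] == p2[key]:
                findings.append(f"{key} {p1[key]} reused by {n1} and {n2}")
    return findings


SERVICE_LEAF2 = """\
m-lag system-mac 0002-0003-0003
m-lag system-number 1
m-lag system-priority 10
evpn global-mac 0001-0001-0003
evpn m-lag group 10.20.1.6
evpn m-lag local 10.1.1.7 remote 10.1.1.6
"""
# Constructed peer: same shared values, different system-number, mirrored addresses.
SERVICE_LEAF1 = (SERVICE_LEAF2
                 .replace("system-number 1", "system-number 2")
                 .replace("local 10.1.1.7 remote 10.1.1.6", "local 10.1.1.6 remote 10.1.1.7"))
BORDER1 = """\
m-lag system-mac 0002-0003-0004
m-lag system-number 2
m-lag system-priority 10
evpn global-mac 0001-0001-0004
evpn m-lag group 10.20.1.8
"""

if __name__ == "__main__":
    print(check_pair("service-leaf1", SERVICE_LEAF1, "service-leaf2", SERVICE_LEAF2))
    print(check_uniqueness({"service-leaf": parse_member(SERVICE_LEAF2),
                            "border": parse_member(BORDER1)}))
```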
<border1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<border1> reboot force
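After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G T series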
[border1] hardware-resource tcam normal
[border1] hardware-resource routing-mode ipv6-128
[border1] hardware-resource vxlan l3gw
S12500X
[border1] hardware-resource tcam routing
[border1] hardware-resource vxlan normal
[border1] hardware-resource mcast normal
[border1] hardware-resource scale-rt-prefix none
[border1] hardware-resource mpls normal
[border1] hardware-resource parser normal
S6800
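When the S6800 acts as a Leaf or Border, hardware resources must be configured according to the services. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".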
[border1] hardware-resource switch-mode 4
[border1] hardware-resource routing-mode ipv6-128
[border1] hardware-resource vxlan Border40k
S6860
[border1] hardware-resource switch-mode 4
[border1] hardware-resource routing-mode ipv6-128
[border1] hardware-resource vxlan Border24k
S6850/S9850/S6805/S6825
[border1] hardware-resource switch-mode DUAL-STACK
[border1] hardware-resource routing-mode ipv6-128
[border1] hardware-resource vxlan l3gw
S10500X
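For the S10500X, the switch-mode hardware resource parameter must use its default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to restore the default; the change takes effect after a reboot.
(1) Modify the interface module parameter, using slot 0 as an example.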
[border1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Modify the MPU parameter, using slot 6 as an example.
[border1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
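For the S7500X, the switch-mode hardware resource parameter must use its default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to restore the default; the change takes effect after a reboot.
Modify the interface module parameter, using slot 2 as an example.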
[border1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
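S12500G S series
For the S12500G S series, the switch-mode hardware resource parameter must be set to normal (use the display switch-mode status command to view the configured value), and system-working-mode must be set to expert (use the display system-working-mode command to view the configured value). Use the following commands to change switch-mode and system-working-mode; the changes take effect after a reboot.
Slot 3 is used as an example.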
[border1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[border1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
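S12500R series
For the S12500R series, hardware-resource mdb must be set to routing (use the display hardware-resource mdb command to view the configured value), and hardware-resource interface must be set to bridge (use the display hardware-resource interface command to view the configured value). Use the following commands to change hardware-resource mdb and hardware-resource interface; the changes take effect after a reboot.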
[border1] hardware-resource mdb routing
[border1] hardware-resource interface bridge
S10506X-G
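For the S10506X-G, the switch-mode hardware resource parameter must be set to normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.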
[border1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
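For the S6850-56HF-G/S9850-32H-G, the switch-mode hardware resource parameter must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.
[border1] switch-mode slot 1 normal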
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
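S12500G S series/S9820-4C-G/S12500CR
For the S12500G S series/S9820-4C-G/S12500CR, the switch-mode hardware resource parameter must be set to normal (use the display switch-mode status command to view the configured value), and system-working-mode must be set to expert (use the display system-working-mode command to view the configured value). Use the following commands to change switch-mode and system-working-mode; the changes take effect after a reboot.
Slot 3 is used as an example.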
[border1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[border1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
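For the S10500XG/12500G-EF, the switch-mode hardware resource parameter must be set to normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.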
[border1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
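For the S6805G/S6850G/9850G, the switch-mode hardware resource parameter must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.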
[border1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
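For the S9825/S9855, hardware-resource switch-mode can be set to ROUTING or MAC and defaults to ROUTING. The two modes differ only in specifications, not in functionality. Keeping the default value is recommended, as is using the same mode on both ends. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command) and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change these settings; the changes take effect after a reboot.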
[border1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
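For the S9827, set hardware-resource switch-mode to ROUTING (view it with the display hardware-resource switch-mode command), hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command), and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change these settings; the changes take effect after a reboot.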
[border1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[border1] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[border1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[border1] interface M-GigabitEthernet1/0/0/2
[border1-M-GigabitEthernet1/0/0/2] ip binding vpn-instance mgmt
[border1-M-GigabitEthernet1/0/0/2] ip address 192.168.11.8 255.255.255.0
[border1-M-GigabitEthernet1/0/0/2] quit
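(4) Configure the management user. The password Qwert@1234 is used as an example. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters.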
[border1] local-user admin class manage
[border1-luser-manage-admin] password simple Qwert@1234
[border1-luser-manage-admin] service-type https ssh
[border1-luser-manage-admin] authorization-attribute user-role network-admin
[border1-luser-manage-admin] authorization-attribute user-role network-operator
(5) Configure the VTY lines.
[border1] line vty 0 63
[border1-line-vty0-63] authentication-mode scheme
[border1-line-vty0-63] user-role network-admin
[border1-line-vty0-63] user-role network-operator
[border1-line-vty0-63] quit
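(6) Configure NETCONF. Some functions use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those functions do not work properly. For the functions that use HTTPS short connections, see "Which functions use HTTPS short connections?".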
[border1] netconf soap https enable
[border1] netconf ssh server enable
(7) Enable the SSH service.
[border1] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. The NTP server IP address 192.168.10.101 is used as an example.
[border1] ntp-service enable
[border1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[border1] snmp-agent
[border1] snmp-agent community write private
[border1] snmp-agent community read public
[border1] snmp-agent sys-info version all
[border1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[border1] lldp global enable
(1) Enable L2VPN.
[border1] l2vpn enable
(2) Disable learning of MAC, ARP, and ND entries from VXLAN tunnels.
[border1] vxlan tunnel mac-learning disable
[border1] vxlan tunnel arp-learning disable
[border1] vxlan tunnel nd-learning disable
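To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled there and the command is configured manually, the configuration audit reports a difference.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure only one of them.
Configure OSPF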
[border1] ospf 1 router-id 192.168.11.8
[border1-ospf-1] non-stop-routing
[border1-ospf-1] area 0.0.0.0
[border1-ospf-1] quit
Configure IS-IS
[border1] isis 1
[border1-isis-1] non-stop-routing
[border1-isis-1] is-level level-2
[border1-isis-1] is-name user1
[border1-isis-1] network-entity 86.4713.0021.0100.0400.1008.00
[border1-isis-1] address-family ipv4 unicast
[border1-isis-1-ipv4] maximum load-balancing 4
[border1-isis-1-ipv4] quit
[border1-isis-1] quit
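Configure EBGP
The two Spine devices use AS number 500, and the four Leaf-role devices and two Border-role devices use AS number 501. EBGP peer relationships are established between the Spine devices and the Leaf-role and Border-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.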
[border1] interface LoopBack1
[border1-LoopBack1] ip address 4.1.1.7 255.255.255.255
[border1-LoopBack1] quit
[border1] bgp 501 instance Underlay
[border1-bgp-Underlay] non-stop-routing
[border1-bgp-Underlay] router-id 4.1.1.7
[border1-bgp-Underlay] group Spine external
[border1-bgp-Underlay] peer Spine as-number 500
[border1-bgp-Underlay] peer Spine ebgp-max-hop 2
[border1-bgp-Underlay] peer Spine connect-interface Loopback1
[border1-bgp-Underlay] peer 4.1.1.1 group Spine
[border1-bgp-Underlay] peer 4.1.1.2 group Spine
[border1-bgp-Underlay] address-family ipv4 unicast
[border1-bgp-Underlay-ipv4] balance 4
[border1-bgp-Underlay-ipv4] peer Spine enable
[border1-bgp-Underlay-ipv4] peer Spine allow-as-loop 2
[border1-bgp-Underlay-ipv4] quit
[border1-bgp-Underlay] quit
[border1] interface LoopBack0
[border1-LoopBack0] ip address 10.1.1.8 255.255.255.255
[border1-LoopBack0] quit
Choose one routing protocol to configure:
Configure OSPF
[border1] interface LoopBack0
[border1-LoopBack0] ospf 1 area 0.0.0.0
[border1-LoopBack0] quit
Configure IS-IS
[border1] interface LoopBack0
[border1-LoopBack0] isis enable 1
[border1-LoopBack0] quit
Configure EBGP
[border1] bgp 501 instance Underlay
[border1-bgp-Underlay] address-family ipv4 unicast
[border1-bgp-Underlay-ipv4] network 10.1.1.8 255.255.255.255
[border1-bgp-Underlay-ipv4] quit
[border1-bgp-Underlay] quit
Configure IBGP
[border1] bgp 100
[border1-bgp-default] non-stop-routing
[border1-bgp-default] router-id 10.1.1.8
[border1-bgp-default] group evpn internal
[border1-bgp-default] peer evpn connect-interface Loopback0
[border1-bgp-default] peer 10.1.1.2 group evpn
[border1-bgp-default] peer 10.1.1.3 group evpn
[border1-bgp-default] address-family l2vpn evpn
[border1-bgp-default-evpn] peer evpn enable
[border1-bgp-default-evpn] quit
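The interface connecting to Spine 1 is used as an example. Configure the interface connecting to Spine 2 in the same way.
The configuration of the interface connecting to the Spine differs by underlay routing protocol. Choose one of OSPF, IS-IS, or EBGP to configure.
Configure OSPF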
[border1] interface HundredGigE4/0/3
[border1-HundredGigE4/0/3] port link-mode route
[border1-HundredGigE4/0/3] ip address unnumbered interface LoopBack0
[border1-HundredGigE4/0/3] ospf network-type p2p
[border1-HundredGigE4/0/3] ospf 1 area 0.0.0.0
[border1-HundredGigE4/0/3] lldp management-address arp-learning
[border1-HundredGigE4/0/3] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[border1-HundredGigE4/0/3] quit
Configure IS-IS
[border1] interface HundredGigE4/0/3
[border1-HundredGigE4/0/3] port link-mode route
[border1-HundredGigE4/0/3] ip address unnumbered interface LoopBack0
[border1-HundredGigE4/0/3] isis enable 1
[border1-HundredGigE4/0/3] isis circuit-level level-2
[border1-HundredGigE4/0/3] isis circuit-type p2p
[border1-HundredGigE4/0/3] isis authentication-mode md5 simple 123456
[border1-HundredGigE4/0/3] lldp management-address arp-learning
[border1-HundredGigE4/0/3] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[border1-HundredGigE4/0/3] quit
Configure EBGP
[border1] interface HundredGigE4/0/3
[border1-HundredGigE4/0/3] port link-mode route
[border1-HundredGigE4/0/3] ip address unnumbered interface LoopBack1
[border1-HundredGigE4/0/3] lldp management-address arp-learning
[border1-HundredGigE4/0/3] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[border1-HundredGigE4/0/3] arp route-direct advertise
[border1-HundredGigE4/0/3] quit
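The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE. Alternatively, select one from the Available Global MAC addresses of the two devices.
On S12500G/S12500X/S7500X/S10500X devices, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network, including in multi-Fabric and data center interconnect scenarios.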
[border1] evpn global-mac 0001-0001-0004
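The M-LAG real address command does not need to be configured on the Border, that is, the evpn m-lag local remote command is not required.
(1) Configure the M-LAG virtual address.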
[border1] interface LoopBack2
[border1-LoopBack2] ip address 10.20.1.8 255.255.255.255
[border1-LoopBack2] quit
Choose one routing protocol to configure:
Configure OSPF
[border1] interface LoopBack2
[border1-LoopBack2] ospf 1 area 0.0.0.0
[border1-LoopBack2] quit
Configure IS-IS
[border1] interface LoopBack2
[border1-LoopBack2] isis enable 1
[border1-LoopBack2] isis circuit-level level-2
[border1-LoopBack2] quit
Configure EBGP
[border1] bgp 501 instance Underlay
[border1-bgp-Underlay] address-family ipv4 unicast
[border1-bgp-Underlay-ipv4] network 10.20.1.8 255.255.255.255
[border1-bgp-Underlay-ipv4] quit
[border1-bgp-Underlay] quit
(2) All M-LAG devices in the M-LAG system use the same virtual address.
[border1] evpn m-lag group 10.20.1.8
(3) Use the M-LAG virtual address as the next hop of BGP routes.
[border1] bgp 100
[border1-bgp-default] address-family l2vpn evpn
[border1-bgp-default-evpn] nexthop evpn-m-lag group-address
[border1-bgp-default-evpn] quit
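(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. It is recommended to use the bridge MAC of either M-LAG device as the system-mac. Run the display lacp system-id command on a device to view its bridge MAC.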
[border1] m-lag system-mac 0002-0003-0004
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must use different system-number values, for example 1 on one M-LAG device and 2 on the other.
[border1] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[border1] m-lag system-priority 10
(1) Configure the peer-link aggregate interface.
[border1] interface Bridge-Aggregation1
[border1-Bridge-Aggregation1] port link-type trunk
[border1-Bridge-Aggregation1] port trunk permit vlan all
[border1-Bridge-Aggregation1] port trunk pvid vlan 4094
[border1-Bridge-Aggregation1] link-aggregation mode dynamic
[border1-Bridge-Aggregation1] port m-lag peer-link 1
[border1-Bridge-Aggregation1] undo mac-address static source-check enable
[border1-Bridge-Aggregation1] quit
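On S12500X devices, you do not need to configure the undo mac-address static source-check enable command on the peer-link aggregate interface.
On S6800 devices, you must configure a port isolation group on the peer-link aggregate interface, as follows: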
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(2) Configure peer-link physical interface 1.
[border1] interface HundredGigE4/0/1
[border1-HundredGigE4/0/1] port link-mode bridge
[border1-HundredGigE4/0/1] port link-type trunk
[border1-HundredGigE4/0/1] port trunk permit vlan all
[border1-HundredGigE4/0/1] port trunk pvid vlan 4094
[border1-HundredGigE4/0/1] port link-aggregation group 1
[border1-HundredGigE4/0/1] quit
(3) Configure peer-link physical interface 2.
[border1] interface HundredGigE4/0/2
[border1-HundredGigE4/0/2] port link-mode bridge
[border1-HundredGigE4/0/2] port link-type trunk
[border1-HundredGigE4/0/2] port trunk permit vlan all
[border1-HundredGigE4/0/2] port trunk pvid vlan 4094
[border1-HundredGigE4/0/2] port link-aggregation group 1
[border1-HundredGigE4/0/2] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the link goes MAD UP only after the specified delay.
[border1] m-lag restore-delay 180
(2) Configure the VPN instance.
[border1] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[border1] interface Ten-GigabitEthernet6/0/48
[border1-Ten-GigabitEthernet6/0/48] port link-mode route
[border1-Ten-GigabitEthernet6/0/48] ip binding vpn-instance auto-online-mlag
[border1-Ten-GigabitEthernet6/0/48] ip address 10.10.1.13 255.255.255.252
[border1-Ten-GigabitEthernet6/0/48] quit
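(4) Configure the M-LAG MAD whitelist.
All physical interfaces must be added to the whitelist, except the M-LAG peer-link interfaces, the MAD interface, and interfaces that will join a service loopback group.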
[border1] m-lag mad default-action none
[border1] m-lag keepalive ip destination 10.10.1.14 source 10.10.1.13 vpn-instance auto-online-mlag
[border1] m-lag mad include interface FortyGigE1/3/0/2
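…(omitted)…
When the uplink of device 1 and the downlink of device 2 go DOWN at the same time, traffic from the downlink of device 1 reaches the uplink of device 2 through the escape path over the peer-link, so that connectivity with other devices is preserved. It is recommended to use the PVID VLAN of the peer-link interface as the escape VLAN.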
[border1] interface Vlan-interface4094
[border1-Vlan-interface4094] ip address 10.30.1.13 255.255.255.252
[border1-Vlan-interface4094] quit
Choose one routing protocol to configure:
Configure OSPF
[border1] interface Vlan-interface4094
[border1-Vlan-interface4094] ospf 1 area 0.0.0.0
[border1-Vlan-interface4094] quit
Configure IS-IS
[border1] interface Vlan-interface4094
[border1-Vlan-interface4094] isis enable 1
[border1-Vlan-interface4094] quit
Configure EBGP
[border1] route-policy ibgpsurvive permit node 100
[border1-route-policy-ibgpsurvive-100] apply local-preference 0
[border1-route-policy-ibgpsurvive-100] quit
[border1] bgp 501 instance Underlay
[border1-bgp-Underlay] peer 10.30.1.14 as-number 501
[border1-bgp-Underlay] address-family ipv4 unicast
[border1-bgp-Underlay-ipv4] network 10.30.1.13 255.255.255.252
[border1-bgp-Underlay-ipv4] peer 10.30.1.14 route-policy ibgpsurvive export
[border1-bgp-Underlay-ipv4] peer 10.30.1.14 next-hop-local
[border1-bgp-Underlay-ipv4] quit
[border1-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[border1] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
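· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: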
[border1] l2vpn m-lag peer-link tunnel source 10.1.1.8 destination 10.1.1.9
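So that packets of single-homed VMs forwarded from the M-LAG Leaf to the M-LAG Border can be decapsulated correctly by the M-LAG Border, configure the default decapsulation address on the M-LAG Border as the M-LAG Border virtual address.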
[border1] vxlan default-decapsulation source interface LoopBack2
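The auto-recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. The reference value is 600 seconds for chassis devices such as the S12500G/S12500X/S10500X/S7500X, and 300 seconds for fixed-form devices such as the S68XX. Configure it as follows: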
[border1] m-lag auto-recovery reload-delay 600
[border1] interface Bridge-Aggregation2
[border1-Bridge-Aggregation2] port link-type trunk
[border1-Bridge-Aggregation2] undo port trunk permit vlan 1
[border1-Bridge-Aggregation2] link-aggregation mode dynamic
[border1-Bridge-Aggregation2] port m-lag group 1
[border1-Bridge-Aggregation2] quit
[border1] interface Ten-GigabitEthernet6/0/5
[border1-Ten-GigabitEthernet6/0/5] port link-mode bridge
[border1-Ten-GigabitEthernet6/0/5] port link-type trunk
[border1-Ten-GigabitEthernet6/0/5] undo port trunk permit vlan 1
[border1-Ten-GigabitEthernet6/0/5] port link-aggregation group 2
[border1-Ten-GigabitEthernet6/0/5] quit
[border1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
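(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the operation section of fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
¡ Device name: border1.
¡ Basic info:
- Fabric: fabric1. Do not use the controller's default fabric, DEFAULTFABRIC.
- Device type: Border device.
- Management IP: 192.168.11.8.
- VTEP IP: 10.1.1.8.
- Preferred region: region1.
- Device role: Leaf.
- Configure the other parameters as required by the network. This example uses the default settings.
Figure 112 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure the other parameters as required by the network. This example uses the default settings.
Figure 113 Adding a switching device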

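(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 114 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN instance to which the management interface of the switching device belongs. This example uses mgmt.
¡ Configure the other parameters as required by the network. This example uses the default settings.
Figure 115 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as required by the network. This example uses the default settings.
Figure 116 Advanced configuration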

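(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.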
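The consistency rules above can be checked offline before the pair goes into service. The following is an added example, not part of the H3C manual: it compares the M-LAG commands of two members and reports violations. The function names and issue labels are this example's own, the sample input is constructed from the border1 and border2 commands in this guide, and the keepalive mirror check is inferred from the values the guide uses.

```python
import re

# Constructed sample input: the M-LAG related commands this guide lists for
# border1 and border2, with their CLI prompts.
BORDER1 = """\
[border1] evpn global-mac 0001-0001-0004
[border1] evpn m-lag group 10.20.1.8
[border1] m-lag system-mac 0002-0003-0004
[border1] m-lag system-number 2
[border1] m-lag system-priority 10
[border1] m-lag keepalive ip destination 10.10.1.14 source 10.10.1.13 vpn-instance auto-online-mlag
"""
BORDER2 = """\
[border2] evpn global-mac 0001-0001-0004
[border2] evpn m-lag group 10.20.1.8
[border2] m-lag system-mac 0002-0003-0004
[border2] m-lag system-number 1
[border2] m-lag system-priority 10
[border2] m-lag keepalive ip destination 10.10.1.13 source 10.10.1.14 vpn-instance auto-online-mlag
"""

# Strips a leading "[view]" or "<view>" CLI prompt from a line.
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")

# Hypothetical field names mapped to the commands that carry each value.
FIELDS = {
    "global_mac": re.compile(r"^evpn global-mac (\S+)$"),
    "virtual_ip": re.compile(r"^evpn m-lag group (\S+)$"),
    "system_mac": re.compile(r"^m-lag system-mac (\S+)$"),
    "system_number": re.compile(r"^m-lag system-number (\d+)$"),
    "system_priority": re.compile(r"^m-lag system-priority (\d+)$"),
    "keepalive": re.compile(r"^m-lag keepalive ip destination (\S+) source (\S+)"),
}
MUST_MATCH = ("global_mac", "system_mac", "system_priority", "virtual_ip")


def norm_mac(value):
    """Reduce 0002-0003-0004 or 00:02:00:03:00:04 to twelve lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def parse(config_text):
    """Extract the M-LAG identity values from a configuration listing."""
    found = {}
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw).strip()
        for name, pattern in FIELDS.items():
            m = pattern.match(line)
            if not m:
                continue
            if name == "keepalive":
                found[name] = m.groups()          # (destination, source)
            elif name.endswith("_mac"):
                found[name] = norm_mac(m.group(1))
            else:
                found[name] = m.group(1)
    return found


def check_pair(cfg_a, cfg_b, macs_in_use=()):
    """Return a list of rule violations for one M-LAG pair.

    macs_in_use: MAC addresses already taken by other M-LAG systems in the
    network (any common notation), for the network-wide uniqueness rule.
    """
    a, b = parse(cfg_a), parse(cfg_b)
    issues = [f"missing:{n}" for n in FIELDS if n not in a or n not in b]
    for name in MUST_MATCH:
        if name in a and name in b and a[name] != b[name]:
            issues.append(f"mismatch:{name}")
    if "system_number" in a and a["system_number"] == b.get("system_number"):
        issues.append("duplicate:system_number")
    # Assumption: each member's keepalive destination is its peer's source.
    if "keepalive" in a and "keepalive" in b and a["keepalive"] != b["keepalive"][::-1]:
        issues.append("keepalive:not-mirrored")
    taken = {norm_mac(m) for m in macs_in_use}
    for name in ("global_mac", "system_mac"):
        if {a.get(name), b.get(name)} & taken:
            issues.append(f"not-unique:{name}")
    return issues


if __name__ == "__main__":
    print(check_pair(BORDER1, BORDER2) or "pair is consistent")
```

Feed it the relevant lines of both members' saved configurations, and pass the MAC addresses of every other M-LAG system as `macs_in_use`.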
<border2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<border2> reboot force
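After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G T series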
[border2] hardware-resource tcam normal
[border2] hardware-resource routing-mode ipv6-128
[border2] hardware-resource vxlan l3gw
S12500X
[border2] hardware-resource tcam routing
[border2] hardware-resource vxlan normal
[border2] hardware-resource mcast normal
[border2] hardware-resource scale-rt-prefix none
[border2] hardware-resource mpls normal
[border2] hardware-resource parser normal
S6800
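When an S6800 acts as a Leaf or Border, configure the hardware resources according to the services in use. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".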
[border2] hardware-resource switch-mode 4
[border2] hardware-resource routing-mode ipv6-128
[border2] hardware-resource vxlan Border40k
S6860
[border2] hardware-resource switch-mode 4
[border2] hardware-resource routing-mode ipv6-128
[border2] hardware-resource vxlan Border24k
S6850/S9850/S6805/S6825
[border2] hardware-resource switch-mode DUAL-STACK
[border2] hardware-resource routing-mode ipv6-128
[border2] hardware-resource vxlan l3gw
S10500X
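On the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
(1) Change the interface module parameter. This example uses slot 0.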
[border2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter. This example uses slot 6.
[border2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
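On the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode for interface modules is mix-bridging-routing; switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
Change the interface module parameter. This example uses slot 2.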
[border2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
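S12500G S series
On the S12500G S series, the hardware resource parameter switch-mode must be normal; use the display switch-mode status command to view the configured value. system-working-mode must be expert; use the display system-working-mode command to view the configured value. Change switch-mode and system-working-mode with the following commands; the changes take effect after a reboot.
This example uses slot 3.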
[border2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[border2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
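S12500R series
On the S12500R series, the hardware resource parameter hardware-resource mdb must be routing; use the display hardware-resource mdb command to view the configured value. hardware-resource interface must be bridge; use the display hardware-resource interface command to view the configured value. Change hardware-resource mdb and hardware-resource interface with the following commands; the changes take effect after a reboot.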
[border2] hardware-resource mdb routing
[border2] hardware-resource interface bridge
S10506X-G
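On the S10506X-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.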
[border2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
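On the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.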
[border2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
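S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be normal; use the display switch-mode status command to view the configured value. system-working-mode must be expert; use the display system-working-mode command to view the configured value. Change switch-mode and system-working-mode with the following commands; the changes take effect after a reboot.
This example uses slot 3.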
[border2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[border2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
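On the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.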
[border2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
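On the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.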
[border2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
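On the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in table capacities and have no functional impact. It is recommended to keep the default value and to use the same mode on both ends. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. Change these settings with the following commands; the changes take effect after a reboot.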
[border2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
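On the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING; use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. Change these settings with the following commands; the changes take effect after a reboot.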
[border2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[border2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN instance.
[border2] ip vpn-instance mgmt
(2) Configure the default route of the management network. The next hop is the gateway address on the management switch.
[border2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[border2] interface M-GigabitEthernet1/0/0/2
[border2-M-GigabitEthernet1/0/0/2] ip binding vpn-instance mgmt
[border2-M-GigabitEthernet1/0/0/2] ip address 192.168.11.9 255.255.255.0
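(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short-lived connections, so the service-type https command must be configured; otherwise those features do not work properly. For the features that use HTTPS short-lived connections, see "Which features use HTTPS short-lived connections?".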
[border2] local-user admin class manage
[border2-luser-manage-admin] password simple Qwert@1234
[border2-luser-manage-admin] service-type https ssh
[border2-luser-manage-admin] authorization-attribute user-role network-admin
[border2-luser-manage-admin] authorization-attribute user-role network-operator
[border2-luser-manage-admin] quit
(5) Configure the VTY lines.
[border2] line vty 0 63
[border2-line-vty0-63] authentication-mode scheme
[border2-line-vty0-63] user-role network-admin
[border2-line-vty0-63] user-role network-operator
[border2-line-vty0-63] quit
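(6) Configure NETCONF. Some features use HTTPS short-lived connections, so the netconf soap https enable command must be configured; otherwise those features do not work properly. For the features that use HTTPS short-lived connections, see "Which features use HTTPS short-lived connections?".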
[border2] netconf soap https enable
[border2] netconf ssh server enable
(7) Enable the SSH service.
[border2] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses the NTP server IP address 192.168.10.101.
[border2] ntp-service enable
[border2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[border2] snmp-agent
[border2] snmp-agent community write private
[border2] snmp-agent community read public
[border2] snmp-agent sys-info version all
[border2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[border2] lldp global enable
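The secrets shown in these steps (the password Qwert@1234, the communities public and private, and the IS-IS key 123456) are printed in a public manual, so a production configuration should not still contain them. The following added example, which is not part of the H3C manual, scans a configuration listing for those values, for SNMP versions that send the community string in cleartext, and for passwords that miss the complexity rule in step (4). The rule names and both sample listings are constructed for this example.

```python
import re
import string

# Values printed in this guide as examples. Anything published in a manual
# has to be treated as known to everyone.
DOC_EXAMPLE_SECRETS = {"Qwert@1234", "123456"}
DEFAULT_COMMUNITIES = {"public", "private"}

# Strips a leading "[view]" or "<view>" CLI prompt from a line.
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")

# Constructed sample: commands copied from the border2 steps in this guide.
AS_DOCUMENTED = """\
[border2] local-user admin class manage
[border2-luser-manage-admin] password simple Qwert@1234
[border2-luser-manage-admin] service-type https ssh
[border2] snmp-agent
[border2] snmp-agent community write private
[border2] snmp-agent community read public
[border2] snmp-agent sys-info version all
[border2-HundredGigE4/0/3] isis authentication-mode md5 simple 123456
"""

# Constructed sample: the same commands with site-specific values.
SITE_SPECIFIC = """\
[border2-luser-manage-admin] password simple Constructed#Value-77
[border2] snmp-agent sys-info version v3
[border2-HundredGigE4/0/3] isis authentication-mode md5 simple constructed-key-0x51
"""


def char_classes(secret):
    """Count how many of the four character types from step (4) appear."""
    tests = (str.isdigit, str.isupper, str.islower,
             lambda c: c in string.punctuation)
    return sum(any(t(c) for c in secret) for t in tests)


def audit(config_text):
    """Return (line number, rule, detail) tuples for risky management settings."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = PROMPT.sub("", raw).strip()

        m = re.match(r"password simple (\S+)$", line)
        if m:
            if m.group(1) in DOC_EXAMPLE_SECRETS:
                findings.append((no, "secret-from-manual", "local-user password"))
            elif char_classes(m.group(1)) < 2:
                findings.append((no, "password-too-simple", "local-user password"))

        m = re.match(r"snmp-agent community (read|write) (\S+)$", line)
        if m and m.group(2).lower() in DEFAULT_COMMUNITIES:
            findings.append((no, "snmp-default-community", m.group(1)))

        # SNMPv1 and SNMPv2c authenticate with the community string only and
        # carry it unencrypted; "all" enables both of them alongside v3.
        m = re.match(r"snmp-agent sys-info version (.+)$", line)
        if m and set(m.group(1).split()) & {"all", "v1", "v2c"}:
            findings.append((no, "snmp-v1-v2c-enabled", m.group(1)))

        m = re.match(r"isis authentication-mode \S+ simple (\S+)$", line)
        if m and m.group(1) in DOC_EXAMPLE_SECRETS:
            findings.append((no, "secret-from-manual", "isis key"))
    return findings


if __name__ == "__main__":
    for finding in audit(AS_DOCUMENTED):
        print(finding)
```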
(1) Enable L2VPN.
[border2] l2vpn enable
(2) Disable learning of MAC, ARP, and ND entries from VXLAN tunnels.
[border2] vxlan tunnel mac-learning disable
[border2] vxlan tunnel arp-learning disable
[border2] vxlan tunnel nd-learning disable
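To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameters] page. If IPv6 is not enabled there and you configure this command manually, a configuration audit difference is reported.
The underlay routing protocol can be OSPF, IS-IS, or EBGP. Configure one of them.
Configure OSPF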
[border2] ospf 1 router-id 192.168.11.9
[border2-ospf-1] non-stop-routing
[border2-ospf-1] area 0.0.0.0
[border2-ospf-1] quit
Configure IS-IS
[border2] isis 1
[border2-isis-1] non-stop-routing
[border2-isis-1] is-level level-2
[border2-isis-1] is-name user1
[border2-isis-1] network-entity 86.4713.0021.0100.0400.1009.00
[border2-isis-1] address-family ipv4 unicast
[border2-isis-1-ipv4] maximum load-balancing 4
[border2-isis-1-ipv4] quit
[border2-isis-1] quit
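Configure EBGP
The two Spine devices use AS number 500, and the four Leaf-role devices and two Border-role devices use AS number 501. EBGP peer relationships are established between the Spine devices and the Leaf-role and Border-role devices.
Underlay EBGP uses the LoopBack1 interface address as the source address.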
[border2] interface LoopBack1
[border2-LoopBack1] ip address 4.1.1.8 255.255.255.255
[border2-LoopBack1] quit
[border2] bgp 501 instance Underlay
[border2-bgp-Underlay] non-stop-routing
[border2-bgp-Underlay] router-id 4.1.1.8
[border2-bgp-Underlay] group Spine external
[border2-bgp-Underlay] peer Spine as-number 500
[border2-bgp-Underlay] peer Spine ebgp-max-hop 2
[border2-bgp-Underlay] peer Spine connect-interface Loopback1
[border2-bgp-Underlay] peer 4.1.1.1 group Spine
[border2-bgp-Underlay] peer 4.1.1.2 group Spine
[border2-bgp-Underlay] address-family ipv4 unicast
[border2-bgp-Underlay-ipv4] balance 4
[border2-bgp-Underlay-ipv4] peer Spine enable
[border2-bgp-Underlay-ipv4] peer Spine allow-as-loop 2
[border2-bgp-Underlay-ipv4] quit
[border2-bgp-Underlay] quit
[border2] interface LoopBack0
[border2-LoopBack0] ip address 10.1.1.9 255.255.255.255
[border2-LoopBack0] quit
Choose one routing protocol to configure:
Configure OSPF
[border2] interface LoopBack0
[border2-LoopBack0] ospf 1 area 0.0.0.0
[border2-LoopBack0] quit
Configure IS-IS
[border2] interface LoopBack0
[border2-LoopBack0] isis enable 1
[border2-LoopBack0] quit
Configure EBGP
[border2] bgp 501 instance Underlay
[border2-bgp-Underlay] address-family ipv4 unicast
[border2-bgp-Underlay-ipv4] network 10.1.1.9 255.255.255.255
[border2-bgp-Underlay-ipv4] quit
[border2-bgp-Underlay] quit
Configure IBGP
[border2] bgp 100
[border2-bgp-default] non-stop-routing
[border2-bgp-default] router-id 10.1.1.9
[border2-bgp-default] group evpn internal
[border2-bgp-default] peer evpn connect-interface Loopback0
[border2-bgp-default] peer 10.1.1.2 group evpn
[border2-bgp-default] peer 10.1.1.3 group evpn
[border2-bgp-default] address-family l2vpn evpn
[border2-bgp-default-evpn] peer evpn enable
[border2-bgp-default-evpn] quit
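The following uses the interface connected to Spine 1 as an example. Configure the interface connected to Spine 2 in the same way.
The configuration of the Spine-facing interface depends on the underlay routing protocol. Choose one of OSPF, IS-IS, or EBGP.
Configure OSPF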
[border2] interface HundredGigE4/0/3
[border2-HundredGigE4/0/3] port link-mode route
[border2-HundredGigE4/0/3] ip address unnumbered interface LoopBack0
[border2-HundredGigE4/0/3] ospf network-type p2p
[border2-HundredGigE4/0/3] ospf 1 area 0.0.0.0
[border2-HundredGigE4/0/3] lldp management-address arp-learning
[border2-HundredGigE4/0/3] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[border2-HundredGigE4/0/3] quit
Configure IS-IS
[border2] interface HundredGigE4/0/3
[border2-HundredGigE4/0/3] port link-mode route
[border2-HundredGigE4/0/3] ip address unnumbered interface LoopBack0
[border2-HundredGigE4/0/3] isis enable 1
[border2-HundredGigE4/0/3] isis circuit-level level-2
[border2-HundredGigE4/0/3] isis circuit-type p2p
[border2-HundredGigE4/0/3] isis authentication-mode md5 simple 123456
[border2-HundredGigE4/0/3] lldp management-address arp-learning
[border2-HundredGigE4/0/3] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[border2-HundredGigE4/0/3] quit
Configure EBGP
[border2] interface HundredGigE4/0/3
[border2-HundredGigE4/0/3] port link-mode route
[border2-HundredGigE4/0/3] ip address unnumbered interface LoopBack1
[border2-HundredGigE4/0/3] lldp management-address arp-learning
[border2-HundredGigE4/0/3] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack1
[border2-HundredGigE4/0/3] arp route-direct advertise
[border2-HundredGigE4/0/3] quit
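The Global MAC is the Router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, pick one from the Available Global MAC values of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. This also applies in multi-Fabric and data center interconnect scenarios.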
[border2] evpn global-mac 0001-0001-0004
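On the Border, you do not need to configure the M-LAG real addresses, that is, you do not need to configure the evpn m-lag local remote command.
(1) Configure the M-LAG virtual address.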
[border2] interface LoopBack2
[border2-LoopBack2] ip address 10.20.1.8 255.255.255.255
[border2-LoopBack2] quit
Choose one routing protocol to configure:
Configure OSPF
[border2] interface LoopBack2
[border2-LoopBack2] ospf 1 area 0.0.0.0
[border2-LoopBack2] quit
Configure IS-IS
[border2] interface LoopBack2
[border2-LoopBack2] isis enable 1
[border2-LoopBack2] isis circuit-level level-2
[border2-LoopBack2] quit
Configure EBGP
[border2] bgp 501 instance Underlay
[border2-bgp-Underlay] address-family ipv4 unicast
[border2-bgp-Underlay-ipv4] network 10.20.1.8 255.255.255.255
[border2-bgp-Underlay-ipv4] quit
[border2-bgp-Underlay] quit
(2) All M-LAG devices in the M-LAG system use the same virtual address.
[border2] evpn m-lag group 10.20.1.8
(3) Use the M-LAG virtual address as the next hop of BGP routes.
[border2] bgp 100
[border2-bgp-default] address-family l2vpn evpn
[border2-bgp-default-evpn] nexthop evpn-m-lag group-address
[border2-bgp-default-evpn] quit
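(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. It is recommended to use the bridge MAC of either M-LAG device as the system-mac. Run the display lacp system-id command on a device to view its bridge MAC.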
[border2] m-lag system-mac 0002-0003-0004
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must use different system-number values, for example 1 on one M-LAG device and 2 on the other.
[border2] m-lag system-number 1
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[border2] m-lag system-priority 10
(1) Configure the peer-link aggregate interface.
[border2] interface Bridge-Aggregation1
[border2-Bridge-Aggregation1] port link-type trunk
[border2-Bridge-Aggregation1] port trunk permit vlan all
[border2-Bridge-Aggregation1] port trunk pvid vlan 4094
[border2-Bridge-Aggregation1] link-aggregation mode dynamic
[border2-Bridge-Aggregation1] port m-lag peer-link 1
[border2-Bridge-Aggregation1] undo mac-address static source-check enable
[border2-Bridge-Aggregation1] quit
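On S12500X devices, you do not need to configure the undo mac-address static source-check enable command on the peer-link aggregate interface.
On S6800 devices, you must configure a port isolation group on the peer-link aggregate interface, as follows: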
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(2) Configure peer-link physical interface 1.
[border2] interface HundredGigE4/0/1
[border2-HundredGigE4/0/1] port link-mode bridge
[border2-HundredGigE4/0/1] port link-type trunk
[border2-HundredGigE4/0/1] port trunk permit vlan all
[border2-HundredGigE4/0/1] port trunk pvid vlan 4094
[border2-HundredGigE4/0/1] port link-aggregation group 1
[border2-HundredGigE4/0/1] quit
(3) Configure peer-link physical interface 2.
[border2] interface HundredGigE4/0/2
[border2-HundredGigE4/0/2] port link-mode bridge
[border2-HundredGigE4/0/2] port link-type trunk
[border2-HundredGigE4/0/2] port trunk permit vlan all
[border2-HundredGigE4/0/2] port trunk pvid vlan 4094
[border2-HundredGigE4/0/2] port link-aggregation group 1
[border2-HundredGigE4/0/2] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the link goes MAD UP only after the specified delay.
[border2] m-lag restore-delay 180
(2) Configure the VPN instance.
[border2] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[border2] interface Ten-GigabitEthernet6/0/48
[border2-Ten-GigabitEthernet6/0/48] port link-mode route
[border2-Ten-GigabitEthernet6/0/48] ip binding vpn-instance auto-online-mlag
[border2-Ten-GigabitEthernet6/0/48] ip address 10.10.1.14 255.255.255.252
[border2-Ten-GigabitEthernet6/0/48] quit
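(4) Configure the M-LAG MAD whitelist.
All physical interfaces must be added to the whitelist, except the M-LAG peer-link interfaces, the MAD interface, and interfaces that will join a service loopback group.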
[border2] m-lag mad default-action none
[border2] m-lag keepalive ip destination 10.10.1.13 source 10.10.1.14 vpn-instance auto-online-mlag
[border2] m-lag mad include interface FortyGigE1/3/0/2
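…(omitted)…
When the uplink of device 1 and the downlink of device 2 go DOWN at the same time, traffic from the downlink of device 1 reaches the uplink of device 2 through the escape path over the peer-link, so that connectivity with other devices is preserved.
It is recommended to use the PVID VLAN of the peer-link interface as the escape VLAN, to use IP addresses with a 30-bit mask, and to advertise them across the entire network.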
[border2] interface Vlan-interface4094
[border2-Vlan-interface4094] ip address 10.30.1.14 255.255.255.252
[border2-Vlan-interface4094] quit
Choose one routing protocol to configure:
Configure OSPF
[border2] interface Vlan-interface4094
[border2-Vlan-interface4094] ospf 1 area 0.0.0.0
[border2-Vlan-interface4094] quit
Configure IS-IS
[border2] interface Vlan-interface4094
[border2-Vlan-interface4094] isis enable 1
[border2-Vlan-interface4094] quit
Configure EBGP
[border2] route-policy ibgpsurvive permit node 100
[border2-route-policy-ibgpsurvive-100] apply local-preference 0
[border2-route-policy-ibgpsurvive-100] quit
[border2] bgp 501 instance Underlay
[border2-bgp-Underlay] peer 10.30.1.13 as-number 501
[border2-bgp-Underlay] address-family ipv4 unicast
[border2-bgp-Underlay-ipv4] network 10.30.1.14 255.255.255.252
[border2-bgp-Underlay-ipv4] peer 10.30.1.13 route-policy ibgpsurvive export
[border2-bgp-Underlay-ipv4] peer 10.30.1.13 next-hop-local
[border2-bgp-Underlay-ipv4] quit
[border2-bgp-Underlay] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[border2] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
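· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: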
[border2] l2vpn m-lag peer-link tunnel source 10.1.1.9 destination 10.1.1.8
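So that packets of single-homed VMs forwarded from the M-LAG Leaf to the M-LAG Border can be decapsulated correctly by the M-LAG Border, configure the default decapsulation address on the M-LAG Border as the M-LAG Border virtual address.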
[border2] vxlan default-decapsulation source interface LoopBack2
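The auto-recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. The reference value is 600 seconds for chassis devices such as the S12500G/S12500X/S10500X/S7500X, and 300 seconds for fixed-form devices such as the S68XX. Configure it as follows: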
[border2] m-lag auto-recovery reload-delay 600
[border2] interface Bridge-Aggregation2
[border2-Bridge-Aggregation2] port link-type trunk
[border2-Bridge-Aggregation2] undo port trunk permit vlan 1
[border2-Bridge-Aggregation2] link-aggregation mode dynamic
[border2-Bridge-Aggregation2] port m-lag group 1
[border2-Bridge-Aggregation2] quit
[border2] interface Ten-GigabitEthernet6/0/5
[border2-Ten-GigabitEthernet6/0/5] port link-mode bridge
[border2-Ten-GigabitEthernet6/0/5] port link-type trunk
[border2-Ten-GigabitEthernet6/0/5] undo port trunk permit vlan 1
[border2-Ten-GigabitEthernet6/0/5] port link-aggregation group 2
[border2-Ten-GigabitEthernet6/0/5] quit
[border2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
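(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the operation section of fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
¡ Device name: border2.
¡ Basic info:
- Fabric: fabric1. Do not use the controller's default fabric, DEFAULTFABRIC.
- Device type: Border device.
- Management IP: 192.168.11.9.
- VTEP IP: 10.1.1.9.
- Preferred region: region1.
- Device role: Leaf.
- Configure the other parameters as required by the network. This example uses the default settings.
Figure 117 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure the other parameters as required by the network. This example uses the default settings.
Figure 118 Adding a switching device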

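(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 119 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN instance to which the management interface of the switching device belongs. This example uses mgmt.
¡ Configure the other parameters as required by the network. This example uses the default settings.
Figure 120 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as required by the network. This example uses the default settings.
Figure 121 Advanced configuration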

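(7) Click <OK> to finish adding the device.
(8) Go to the [Automation > Data Center Networks > Resource Pools > Device Resources > Device Groups] page, click <Add> to open the Add Device Group page, and configure the following parameters in the basic information area:
¡ Device group name: bdgroup1.
¡ MAC address: 3C:8C:40:4E:DD:46.
¡ Remote device group: select Yes for a Remote leaf and No otherwise. This parameter cannot be changed after it is configured, so plan it in advance.
¡ Network position: four options that can be combined: egress gateway, inter-Fabric connectivity, DC interconnect, and Service Leaf. Plan this in advance.
¡ HA deployment mode: M-LAG.
(9) In the egress gateway settings area of the Add Device Group page, configure the following parameter:
¡ Firewall access mode: Off.
Figure 122 Adding a device group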

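(10) In the device group member area of the Add Device Group page, add the border devices border1 and border2 that were added earlier.
(11) Click <OK> to finish adding the device group.
In this network, the SeerEngine-DC cluster has a built-in DHCP server. During automated underlay deployment, devices request the IP address of their management interface from the DHCP server.
In this network, the management network uses the Layer 3 networking mode. Devices communicate with the DHCP server through a DHCP relay.
There are two automated deployment methods: traditional automated deployment and wizard-based automated deployment. Traditional automated deployment carries over the method used in versions earlier than AD-DC 6.0. Wizard-based automated deployment uses visual guidance to help first-time users of the controller quickly configure the network and manage its deployment.
Figure 123 Network diagram for automated underlay deployment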
Table 4 IP and interface description for the scenario with separate Spine and Border devices

| Device | Interface information |
|---|---|
| Border 1 | HGE4/0/1 (to Border2 HGE4/0/1); HGE4/0/2 (to Border2 HGE4/0/2); XGE6/0/48 (to Border2 XGE6/0/48); HGE4/0/3 (to Spine1 HGE1/0/3); HGE4/0/4 (to Spine2 HGE1/0/3); XGE6/0/1 (to FW1 XGE1/2/0); XGE6/0/2 (to FW2 XGE1/2/0); XGE6/0/3 (to LB1 XGE1/2/0); XGE6/0/4 (to LB2 XGE1/2/0); XGE6/0/5 (to the external network device) |
| Border 2 | HGE4/0/1 (to Border1 HGE4/0/1); HGE4/0/2 (to Border1 HGE4/0/2); XGE6/0/48 (to Border1 XGE6/0/48); HGE4/0/3 (to Spine1 HGE1/0/4); HGE4/0/4 (to Spine2 HGE1/0/4); XGE6/0/1 (to FW1 XGE1/2/1); XGE6/0/2 (to FW2 XGE1/2/1); XGE6/0/3 (to LB1 XGE1/2/1); XGE6/0/4 (to LB2 XGE1/2/1); XGE6/0/5 (to the external network device) |
| Spine1 | HGE1/0/3 (to Border1 HGE4/0/3); HGE1/0/4 (to Border2 HGE4/0/3); HGE1/0/5 (to Leaf1 HGE1/0/25); HGE1/0/6 (to Leaf2 HGE1/0/25); HGE1/0/7 (to Leaf3 HGE1/0/27); HGE1/0/8 (to Leaf4 HGE1/0/27) |
| Spine2 | HGE1/0/3 (to Border1 HGE4/0/4); HGE1/0/4 (to Border2 HGE4/0/4); HGE1/0/5 (to Leaf1 HGE1/0/27); HGE1/0/6 (to Leaf2 HGE1/0/27); HGE1/0/7 (to Leaf3 HGE1/0/25); HGE1/0/8 (to Leaf4 HGE1/0/25) |
| Server Leaf 1 | XGE1/0/9 (to Server Leaf2 XGE1/0/9); XGE1/0/10 (to Server Leaf2 XGE1/0/10); XGE1/0/11 (to Server 1); XGE1/0/12 (to Server 2); HGE1/0/30 (to Server Leaf2 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/5); HGE1/0/27 (to Spine2 HGE1/0/5) |
| Server Leaf 2 | XGE1/0/9 (to Server Leaf1 XGE1/0/9); XGE1/0/10 (to Server Leaf1 XGE1/0/10); XGE1/0/11 (to Server 1); XGE1/0/12 (to Server 2); HGE1/0/30 (to Server Leaf1 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/6); HGE1/0/27 (to Spine2 HGE1/0/6) |
| Service Leaf 1 | XGE1/0/9 (to Service Leaf2 XGE1/0/9); XGE1/0/10 (to Service Leaf2 XGE1/0/10); XGE1/0/11 (to FW3 XGE1/2/1); XGE1/0/12 (to FW4 XGE1/2/1); HGE1/0/30 (to Service Leaf2 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/7); HGE1/0/27 (to Spine2 HGE1/0/7) |
| Service Leaf 2 | XGE1/0/9 (to Service Leaf1 XGE1/0/9); XGE1/0/10 (to Service Leaf1 XGE1/0/10); XGE1/0/11 (to FW3 XGE1/2/1); XGE1/0/12 (to FW4 XGE1/2/1); HGE1/0/30 (to Service Leaf1 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/8); HGE1/0/27 (to Spine2 HGE1/0/8) |
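Table 5 Address pool planning

| Planning item | Configuration example | Description |
|---|---|---|
| TFTP and Syslog service IP address | 192.168.12.101 | Use the cluster IP address of the controller |
| IP address pool: physical management network | Name: pymg-pool; address range: 192.168.11.2-192.168.11.100; gateway address: 192.168.11.1 | Each switch uses one management address |
| IP address pool: physical VTEP network | Name: vtep-pool; address range: 10.1.1.2-10.1.1.100 | The two switches of one M-LAG group occupy 5 VTEP addresses in total: 2 M-LAG real addresses, 1 M-LAG virtual address, and 2 peer-link escape addresses. All M-LAG groups together occupy 2 keepalive addresses |
| IP address pool: physical management network | Name: auto-pool; address range: 192.168.11.101-120; gateway address: 192.168.11.1 | A switching device temporarily occupies 1 address while it comes online automatically and releases it once onboarding is complete |
| IP address pool: underlay interconnect network (optional) | Name: underlay-pool1; address range: 10.90.1.2-10.90.1.254 | This pool assigns the interface IP addresses at both ends of the physical links between devices. Each link needs 2 addresses |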
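The configuration workflow for traditional automated deployment is shown in the following figure.
Figure 124 Traditional automated deployment workflow
The configuration workflow for wizard-based automated deployment is shown in the following figure.
Figure 125 Wizard-based automated deployment workflow
(1) Log in to the controller and go to the [System > System Maintenance > Data Center Controller] page to view the cluster IP address.
Figure 126 Viewing the cluster IP address
(2) Go to the [Automation > Data Center Networks > Fabrics > Parameters] page, and configure the following parameters on the controller global configuration page:
¡ Enable TFTP and Syslog service: set to On.
¡ Service IP address: set to the cluster IP address obtained above, 192.168.12.101.
Figure 127 Enabling the TFTP and Syslog service and setting the service IP address
The DHCP service is provided by the DHCP server built into SeerEngine-DC. The DHCP server IP address is the same as the "TFTP and Syslog service" IP address, which is the controller cluster IP address. The built-in DHCP service runs on the primary node of SeerEngine-DC. When the primary node fails, the Master role switches to another node and the built-in DHCP service moves with it.
Add the IP address pools listed in the following table. The steps below use the physical management network address pool named pymg-pool as an example.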
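Table 6 IP address pools

| Planning item | Configuration example | Description |
|---|---|---|
| IP address pool: physical management network | Name: pymg-pool1; address range: 192.168.11.2-192.168.11.100; gateway address: 192.168.11.1 | This pool assigns the management IP addresses of devices. Each switch uses 1 management address |
| IP address pool: physical VTEP network | Name: vtep-pool1; address range: 10.1.1.2-10.1.1.100 | The two switches of one M-LAG group occupy 5 VTEP addresses in total: 2 M-LAG real addresses, 1 M-LAG virtual address, and 2 peer-link escape addresses. All M-LAG groups together occupy 2 keepalive addresses |
| IP address pool: physical management network | Name: auto-pool1; address range: 192.168.11.101-120; gateway address: 192.168.11.1 | This pool is used temporarily during automated onboarding. It must contain more addresses than the number of devices to be brought online. The address is released after onboarding is complete |
| IP address pool: underlay interconnect network (optional) | Name: underlay-pool1; address range: 10.90.1.2-10.90.1.254 | This pool assigns the interface IP addresses at both ends of the physical links between devices. Each link needs 2 addresses |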
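· It is recommended to plan pymg-pool and auto-pool in the same subnet.
· If pymg-pool and auto-pool are not in the same subnet, the gateway IP addresses of both subnets must be configured on the same VLAN interface, and on the management switch the gateway address of the auto-pool range must be configured as the primary address.
(2) Go to the [Automation > Data Center Networks > Resource Pools > IP Address Pools] page and click <Add> to open the Add IP Address Pool page.
(3) Configure the following parameters on this page:
¡ Name: pymg-pool1.
¡ Type: physical management network.
¡ Gateway address: 192.168.11.1.
¡ Click <Add Address Range> and configure the following parameters in the dialog box that opens:
- Start IP: 192.168.11.2.
- End IP: 192.168.11.100.
Figure 128 Adding an IP address pool of the physical management network type
· After address ranges are added to an IP address pool of a given type, the pool assigns IP addresses from those ranges. When multiple IP address ranges are added, the ranges must not overlap.
· On the IP address pool configuration page, an IP address pool of a given type can be selected as the default pool. Only one default pool can be configured for each type of IP address pool.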
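The pool rules from Table 6 and the notes above (no overlapping ranges, more auto-onboarding addresses than devices, 5 VTEP addresses per M-LAG group plus 2 keepalive addresses, 2 addresses per underlay link) can be validated before the pools are entered in the controller. This is an added example, not part of the H3C manual. The role keys, function names, the /24 management prefix and the device, group and link counts are assumptions of this example, and the VTEP check counts only the M-LAG usage that Table 6 states.

```python
import ipaddress
from itertools import combinations

# Constructed from Table 6 of this guide, keyed by role (the role names are
# this example's own); "192.168.11.101-120" is written out in full.
POOLS = {
    "mgmt": ("pymg-pool1", "192.168.11.2", "192.168.11.100"),
    "auto": ("auto-pool1", "192.168.11.101", "192.168.11.120"),
    "vtep": ("vtep-pool1", "10.1.1.2", "10.1.1.100"),
    "underlay": ("underlay-pool1", "10.90.1.2", "10.90.1.254"),
}


def bounds(pool):
    """Return the pool's first and last address as integers."""
    name, start, end = pool
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    if lo > hi:
        raise ValueError(f"{name}: start address is above end address")
    return lo, hi


def size(pool):
    lo, hi = bounds(pool)
    return hi - lo + 1


def overlapping(pools):
    """Return every pair of pool names whose address ranges intersect."""
    hits = []
    for a, b in combinations(sorted(pools.values()), 2):
        (alo, ahi), (blo, bhi) = bounds(a), bounds(b)
        if alo <= bhi and blo <= ahi:
            hits.append((a[0], b[0]))
    return hits


def same_subnet(pool_a, pool_b, prefix_len):
    """True when all four range endpoints fall into one subnet."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            for pool in (pool_a, pool_b) for ip in pool[1:]}
    return len(nets) == 1


def plan_issues(pools, devices, mlag_groups, links, mgmt_prefix_len=24):
    """Check a pool plan against the sizing rules stated in Table 6."""
    issues = [f"overlap:{a}:{b}" for a, b in overlapping(pools)]
    if size(pools["mgmt"]) < devices:            # one address per switch
        issues.append("mgmt-pool-too-small")
    if size(pools["auto"]) <= devices:           # must exceed the device count
        issues.append("auto-pool-too-small")
    if size(pools["vtep"]) < 5 * mlag_groups + 2:
        issues.append("vtep-pool-too-small")
    if "underlay" in pools and size(pools["underlay"]) < 2 * links:
        issues.append("underlay-pool-too-small")
    # Not an error by itself: it means the extra gateway configuration on the
    # management switch described in the note above is required.
    if not same_subnet(pools["mgmt"], pools["auto"], mgmt_prefix_len):
        issues.append("mgmt-and-auto-in-different-subnets")
    return issues


if __name__ == "__main__":
    # Constructed counts: 8 switches, 3 M-LAG groups, 12 inter-device links.
    print(plan_issues(POOLS, devices=8, mlag_groups=3, links=12) or "plan is consistent")
```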
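(1) Open the [Automation > Data Center Network > Fabrics > Fabrics] page and click <Add> to open the Fabric configuration page.
(2) Configure the following parameters on this page:
○ Name: fabric1
○ Overlay routing protocol BGP AS number: 100
○ Configure other parameters as required by the network. This example uses the default settings.
(3) Click <OK> to finish creating the Fabric.
Figure 129 Fabric configuration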
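(1) Open the [Automation > Data Center Network > Fabrics > Automated Deployment] page and click the <Automation Templates> tab to open the automation template configuration page.
(2) Click the <Underlay Basic Configuration> tab and configure the following parameters on this page:
○ Fabric list: fabric1.
○ Underlay routing protocol: select OSPF, ISIS, or BGP as required. The rest of this section uses OSPF as the Underlay protocol.
Figure 130 Underlay basic configuration
(3) Click <OK>. A message indicates that the operation succeeded. Click the <Address Pool Sets> tab to open that page. Select the corresponding fabric in the Fabric list, click <Add> to open the Add Address Pool Set page, and configure the following parameters:
○ Name: pool-group1
○ Interconnect interface address mode: With Borrowed address, device interconnect interfaces borrow the Loopback0 IP address when the Underlay routing protocol is OSPF or ISIS, and borrow the Loopback1 IP address when the Underlay routing protocol is EBGP. With Independent address, device interconnect interfaces are assigned IP addresses from the Underlay interworking address pool. This section uses Independent address as an example.
○ Address pool type: Local address pool.
○ Management IP address pool: pymg-pool1.
○ VTEP IP address pool: vtep-pool1.
○ Automated onboarding address pool: auto-pool1.
○ Underlay interworking address pool: underlay-pool1. (This parameter is required when the interconnect interface address mode is Independent address.)
○ Configure other parameters as required by the network. This example uses the default settings.
Figure 131 Address pool set configuration - independent address
(4) After configuring the parameters, click <OK>. A new record appears on the address pool set page.
Figure 132 Address pool set page
(5) Click the <Control Protocol Templates> tab to open that page, click <Add>, select the corresponding fabric to open the Add Control Protocol Template page, and configure the following parameters:
○ Fabric: fabric1. Do not use the controller's default Fabric, DEFAULTFABRIC.
○ Name: template.
○ Username: admin.
○ Password: Qwert@1234.
○ Confirm password: Qwert@1234.
○ Configure other parameters as required by the network. This example uses the default settings.
Figure 133 Control protocol template configuration
(6) After configuring the parameters, click <OK>. A new record appears on the control protocol template page.
Figure 134 Control protocol template page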
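(7) Click the <Device Onboarding Templates> tab to open that page and click <Add>. Creating a new template is selected by default. If configuration templates created for other Fabrics exist, use "Select existing template" to copy the information of an existing template to the current configuration page. Select the corresponding Fabric to open the Add Device Onboarding Template page.
Figure 135 Advanced configuration
When a new template is created, the following parameters can be configured:
○ Template name: template (user-defined).
○ Networking form:
- Enable IRF stacking: select "No".
- Enable cross-device aggregation: select "Yes".
- M-LAG group creation mode: Automatic. With "Automatic", after automated onboarding the device aggregates M-LAG interfaces automatically through LLDP discovery. With "Manual", after the M-LAG system is created automatically, the intra-device aggregate interfaces and M-LAG groups must be created manually. When servers connect with active/standby NICs (Bond1 mode), "Manual" must be selected, but intra-device aggregate interfaces must not be created. When the M-LAG group creation mode is Automatic, devices must be onboarded in role order: Spine, then Aggregation, then Leaf.
- Interface aggregation mode: Dynamic. With "Dynamic", cross-device aggregation uses dynamic aggregation mode. With "Static", it uses static aggregation mode.
- keepalive link: With Direct link, the direct link between the M-LAG members serves as the Keepalive link. With Management network link, the management network formed by the management ports of the M-LAG member devices serves as the Keepalive link. M-LAG devices use the Keepalive link to detect neighbor state, that is, they exchange Keepalive packets to perform dual-active detection when the peer-link fails. This parameter takes effect only when the devices use a direct peer-link.
- Escape VLAN ID: 4094. Used for the cross-device aggregation escape configuration on a direct peer-link. Make sure that this value does not conflict with other services.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 136 Networking form configuration in the device onboarding template
The MAC address on the label attached to the housing of a fixed-port device is the bridge MAC address of that device, and the MAC address on the label attached to the chassis of a modular device is the bridge MAC address of that device. After logging in to the device, use the "display lacp system-id" command to view the bridge MAC of the local system.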
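○ Advanced configuration:
- NTP server: configures the IP address of the network time server.
- Border MAC: configures the bridge MAC of the Border device in an M-LAG scenario. This parameter must be specified when an S6800 device is used as the Border.
- OSPF process ID: configures the OSPF process number. If it is not configured, the system uses the default value "1".
- OSPF Area ID: configures the OSPF area number. If it is not configured, the system uses the default value "0.0.0.0".
- Overlay protocol BGP AS number: inherited automatically from the AS number set when the Fabric was created. No configuration is needed here.
- BGP MD5 password: configures the BGP MD5 password.
- Access device VXLAN forwarding pre-configuration: No by default.
- Reserved Layer 2 aggregate interface number range: the Layer 2 aggregate interface numbers reserved on the physical device. If Layer 2 aggregate interfaces need to be configured manually on the device, add the range of manually configured aggregate interface numbers to the reserved range. This setting cannot be modified after the device is onboarded, so plan it in advance.
Figure 137 Advanced configuration in the device onboarding template
(8) Expand the template of each selected role (Spine/Leaf) and configure the following parameters:
○ Software version & software patch: the version files must first be uploaded on the [Automation > Configuration Deployment > Device Maintenance > Version Library] page. After a version is selected, the controller pushes the version to the device at the start of automated onboarding and performs the upgrade, so the device is upgraded to the version configured in the template. Currently only device versions in ipe format and software patches in bin format are supported.
○ Enable whitelist: keep the default setting, "Yes". Automated onboarding in an M-LAG scenario requires the whitelist to be enabled and a device list to be configured. Only devices in the device list can be onboarded automatically and brought under controller management.
○ Device control protocol template: select the device control protocol template "template" created in step (7), or create a new device control protocol template. The device control protocol template configures the username and password used to log in to the device, whether SSH is enabled, and so on. The admin password in the default control protocol template is Admin@123456.
○ Command snippet: in the command snippet input box, enter the custom commands to be deployed. Add commands as needed. The last line must be #. The current version does not support automatic deployment of the ssh server enable and telnet server enable commands. If they are needed, deploy them through a command snippet.
Figure 138 Spine/Leaf template
(9) The options in the Aggregation and Access templates partly overlap with those in the Spine and Leaf templates. Keep them consistent with the template options above. If an Access template is configured, set "Enable automatic aggregation of M-LAG connection interfaces" to No. This networking example does not involve these templates.
Figure 139 Aggregation/Access template
(10) After configuring the parameters, click <OK>. The created device automated onboarding template can be viewed on the device onboarding template page. The contents of each role template can be viewed there and the configuration template can be modified.
Figure 140 Device onboarding template page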
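· The SN on the label attached to the device housing is the device serial number. After logging in to the device, the serial number can also be obtained with commands such as display device manuinfo. The serial number of a fixed-port device is the SN of the fixed-port device.
· When adding a modular switch to the device list, use the chassis serial number where possible. If there is no chassis serial number, add multiple device list entries using the serial number of each MPU. For S105 and S125 modular devices, the serial number is the SN of the modular device. For S75X/S75EXS modular devices, the serial numbers are the SNs of the active MPU and the standby MPU.
· If a device is deleted from the device list and then onboarded automatically again, it keeps its original role. To change the default role, modify it manually.
· In a combined Spine/Border scenario, select the device role and device type in the device list according to the following table.
| Device type | Device role selection | Device type selection |
| Combined Spine and Border device | Spine | Border device |
| Combined Spine, Border, and ED device | Spine | Border device |
| Combined Spine, Border, ED, and Service-Leaf device | Spine | Border device |
| Leaf device | Leaf | Access device |
· In a separate Spine/Border scenario, select the device role and device type in the device list according to the following table.
| Device type | Device role selection | Device type selection |
| Spine device | Spine | Underlay physical device |
| Border device | Leaf | Border device |
| Leaf device | Leaf | Access device |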
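After the whitelist is enabled in the automation template, a device list must be configured. Only devices in the device list can be onboarded automatically and brought under controller management.
Add device list entries for the Spine, Border, and Leaf devices. The following adds the entry for Border1 as an example.
(1) Open the [Automation > Data Center Network > Fabrics > Automated Deployment] page and click the "Topology Planning" tab to open the topology planning page. On the "Device Information" tab of the device list, click <Add> to add device information.
(2) The following parameters can be configured on this page:
○ Device index: optional. Used to identify the device in the display. Add it as needed.
○ Device serial number: enter the device SN. This example uses 210235A1U6H169000004.
○ Fabric: fabric1.
○ Device name: border1.
○ Device role: Leaf. Select Leaf for Border and Leaf devices, Spine for Spine devices, and Spine for combined Spine-Border devices.
○ Device type: Border device. Select Access device for Leaf devices, Underlay physical device for Spine devices, and Border device for Border and combined Spine-Border devices.
○ Management IP: the management IP of the device. If left empty, the device management IP is obtained from the address pool.
○ VTEP IP (Loopback IP): the VTEP IP address of the device. If left empty, the VTEP IP is obtained from the address pool.
○ Device label: this value is deployed to the device as its user-defined system name. It takes priority over the name in "role-IP address" format that the system configures automatically.
○ Network entity name: supported only when the Underlay protocol is ISIS, in which case it must be configured. This example uses OSPF, so this parameter is not configured.
○ Enable DCI: No. Only border devices support this parameter. Select "Yes" when the device acts as DCI. This example does not involve DCI, so this parameter is not configured.
○ DCI VTEP IP address: the VTEP IP address for data center interconnection. This example does not involve DCI, so this parameter is not configured.
Figure 141 Adding a device list entry
(3) After configuration, click <OK> to finish creating the device list entry.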
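(1) For Access devices to form an M-LAG system automatically, the steps in this section must be performed to add either an M-LAG group plan or an M-LAG system plan. Configuring one of the two is sufficient.
(2) Open the [Automation > Data Center Network > Fabrics > Automated Deployment] page and click the "Topology Planning" tab to open the topology planning page. On the "M-LAG Group Planning" tab of the device list, click <Add> and fill in the following parameters in the dialog box that opens:
○ Device A serial number: enter the device SN. This example uses 210235A1U6H166000009.
○ Device B serial number: enter the device SN. This example uses 210235A1AYRH197000027.
○ Device A port: enter the interface that connects the device to the peer VM. This example uses Ten-GigabitEthernet1/0/35.
○ Device B port: enter the interface that connects the device to the peer VM. This example uses Ten-GigabitEthernet1/0/35.
○ Device A aggregate interface number: enter a user-defined aggregate interface number. This example uses 35.
○ Device B aggregate interface number: enter a user-defined aggregate interface number. This example uses 35.
○ MLAG group number: enter a user-defined MLAG group number. This example uses 35.
○ Access function: Off.
Figure 142 Adding an MLAG group plan
(3) Click <OK> to complete the configuration.
(4) Open the [Automation > Data Center Network > Fabrics > Automated Deployment] page and click the "Topology Planning" tab to open the topology planning page. On the "M-LAG System Planning" tab of the device list, click <Add> and fill in the following parameters in the dialog box that opens:
○ Fabric: select the current fabric. This example uses fabric1.
○ Device A serial number: enter the device SN. This example uses 210235A1U6H166000009.
○ Device B serial number: enter the device SN. This example uses 210235A1AYRH197000027.
○ Scenario: select according to the actual plan. This example uses direct peer-link.
○ Keepalive link: select according to the actual plan. This example uses direct link.
○ Virtual VTEP IP: enter a user-defined VTEP IP. This example uses 10.1.1.10.
○ Advanced configuration: configure as needed.
Figure 143 Adding an MLAG system plan
(5) Click <OK> to complete the configuration.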
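· The device system name is determined in the following order of priority: the "Device label" field configured in the device information has the highest priority; next, if the device MAC matches Border_mac in the configuration template, the device system name is "border"; last is the ROLE-X.X.X.X format added in the template, which the device uses as its name automatically after onboarding.
· The configuration in the device list takes effect whether or not "Enable whitelist" is turned on. When "Enable whitelist" is "Yes" in the template, only devices in the device list can be onboarded, and they are onboarded with the information configured in the device list. When "Enable whitelist" is "No", all devices can be onboarded. A device that exists in the device list is onboarded with the configuration in the device list; otherwise it is onboarded in the default way.
· To verify link information, configure it on the "Batch import link information template" sheet of the device list template and import the link information, or add it manually on the "Link Information" tab. The topology planning page of the automated onboarding progress compares the planned links with the links that actually came online. Links onboarded as planned are shown as Online, links that are planned but not online are shown as Offline, and links that are outside the plan or inconsistent with the plan are shown as Unplanned. If automated onboarding is used for a Remote Leaf, link information must be planned. See the online help for the configuration method.
· To plan the cross-device aggregation information of automatically onboarded devices in advance, configure it on the "Batch import cross-device aggregation information" sheet of the device list template and import it, or add it manually on the "Cross-Device Aggregation Information" tab. Once this is configured, automated onboarding creates cross-device aggregate interfaces only as planned and no longer responds to LLDP information from peer devices. When the device type is Border device, aggregate interfaces that connect to FW/LB/the external network are not created automatically, and they can be planned in advance on this page. See the online help for the configuration method.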
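When the M-LAG group creation mode in the device onboarding template is Automatic, devices must be onboarded automatically in role order: Spine, then Aggregation, then Leaf.
(1) Connect to the physical devices through the Console port and restart each device with an empty configuration.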
<device> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
(2) Restart the device.
<device> reboot force
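(3) After the restart, the device enters the automated deployment phase. The management port obtains a management IP address automatically through DHCP, and the device obtains the device tag file, reads the device role, downloads the configuration template file for that role, and configures itself automatically.
The console output for a successful automatic configuration looks like the following: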
Automatic configuration attempt: 2.
Interface used: M-GigabitEthernet0/0/0.
Enable DHCP client on M-GigabitEthernet0/0/0.
Set DHCP client identifier: 00e0fc026820
Obtained an IP address for M-GigabitEthernet0/0/0: 192.168.11.2.
Obtained configuration file name ospf.template and TFTP server name 192.168.12.101.
Resolved the TFTP server name to 192.168.12.101.
INFO: Get device tag file device_tag.csv success.
INFO: Read role Leaf from tag file.
Successfully downloaded file ospf_Leaf.template.
Executing the configuration file. Please wait...
Automatic configuration successfully completed.
Line aux0 is available.
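(4) After automatic configuration completes, the device is brought under controller management in the corresponding Fabric with the device state active (except border devices). Automated deployment and onboarding are then successful.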
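During this phase the device accepts its management address, TFTP server, role, and template from whatever answers on the management network, so the console output is worth comparing against the plan. The following Python check is an added example, not part of the original manual or of any H3C tool. The function names and finding labels are assumptions of this example, and the expected service IP, address ranges, and role are the values from this page's example plan.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the console output shown above, embedded so the check runs offline.
SAMPLE_LOG = """\
Automatic configuration attempt: 2.
Interface used: M-GigabitEthernet0/0/0.
Enable DHCP client on M-GigabitEthernet0/0/0.
Set DHCP client identifier: 00e0fc026820
Obtained an IP address for M-GigabitEthernet0/0/0: 192.168.11.2.
Obtained configuration file name ospf.template and TFTP server name 192.168.12.101.
Resolved the TFTP server name to 192.168.12.101.
INFO: Get device tag file device_tag.csv success.
INFO: Read role Leaf from tag file.
Successfully downloaded file ospf_Leaf.template.
Executing the configuration file. Please wait...
Automatic configuration successfully completed.
Line aux0 is available.
"""

# Planned values from this page's example; replace with the real plan.
SERVICE_IP = "192.168.12.101"                          # TFTP and Syslog service IP
MGMT_RANGES = [("192.168.11.2", "192.168.11.100"),     # pymg-pool1
               ("192.168.11.101", "192.168.11.120")]   # auto-pool1

PATTERNS = {
    "mgmt_ip": r"Obtained an IP address for \S+: (\S+)\.\s*$",
    "config_file": r"Obtained configuration file name (\S+) and TFTP server name",
    "tftp_name": r"TFTP server name (\S+)\.\s*$",
    "tftp_resolved": r"Resolved the TFTP server name to (\S+)\.\s*$",
    "role": r"Read role (\S+) from tag file",
    "downloaded": r"Successfully downloaded file (\S+)\.\s*$",
}


def parse_autoconfig(log_text):
    """Extract the fields of interest; a field that is absent is None."""
    fields = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, log_text, re.MULTILINE)
        fields[key] = match.group(1) if match else None
    fields["completed"] = "Automatic configuration successfully completed" in log_text
    return fields


def audit_autoconfig(log_text, service_ip, mgmt_ranges, expected_role):
    """Compare one device's console output with the plan; return findings."""
    fields = parse_autoconfig(log_text)
    findings = [f"missing:{key}" for key in PATTERNS if fields[key] is None]
    if not findings:
        # The TFTP server must be the controller's service IP.
        for key in ("tftp_name", "tftp_resolved"):
            if fields[key] != service_ip:
                findings.append(f"{key}-mismatch:{fields[key]}")
        # The leased address must come from a planned management range.
        try:
            ip = IPv4Address(fields["mgmt_ip"])
            if not any(IPv4Address(lo) <= ip <= IPv4Address(hi) for lo, hi in mgmt_ranges):
                findings.append(f"mgmt-ip-outside-pools:{ip}")
        except ValueError:
            findings.append(f"mgmt-ip-invalid:{fields['mgmt_ip']}")
        # The role read from the tag file must match the device list entry.
        if fields["role"].lower() != expected_role.lower():
            findings.append(f"role-mismatch:{fields['role']}")
        # The template must be named <template name>_<role>.template.
        stem = fields["config_file"].rsplit(".", 1)[0]
        if fields["downloaded"] != f"{stem}_{fields['role']}.template":
            findings.append(f"template-mismatch:{fields['downloaded']}")
    if not fields["completed"]:
        findings.append("not-completed")
    return findings


if __name__ == "__main__":
    print(audit_autoconfig(SAMPLE_LOG, SERVICE_IP, MGMT_RANGES, "Leaf"))
```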
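A switch whose type is Border device is in the inactive state after automated deployment. It must be added to a device group before its state changes to active.
(1) Open the [Automation > Data Center Network > Resource Pools > Device Resources > Device Groups] page and click <Add> to add a device group.
(2) The following parameters can be configured on this page:
○ Basic information
- Device group name: bdgroup1.
- MAC address: 3C:8C:40:4E:DD:46. For how to configure the MAC address for S12500X devices, see "When the S12500X acts as a border device, how is the MAC address of the device group configured?".
- Remote device group: select Yes for a Remote leaf and No for a device that is not a Remote leaf. This parameter cannot be modified after it is configured, so plan it in advance.
- Network position: four options that can be selected together: Egress gateway, Inter-Fabric interworking, Inter-DC interconnection, and Service-Leaf. Plan this in advance.
- HA deployment mode: M-LAG.
- Configure other parameters as required by the network. This example uses the default settings.
○ Egress gateway settings
- Firewall access mode: Off-path.
- Connection mode: select VLAN cross-subnet.
○ Address pool list and VLAN pool list
- Pass-through egress: select the default address pool and the default VLAN pool.
- Secure egress: select "Custom address pool" and "Custom VLAN pool". Before creating the device group, create the virtual device management network address pool, the tenant bearer firewall internal network address pool, the tenant bearer load balancer internal network address pool, the tenant bearer network VLAN pool, and so on, and then select them from the available address pool list and the available VLAN pool list. For how to configure custom address pools and custom VLAN pools, see the AD-DC 7.1 Security Service Resource Configuration Guide.
Figure 144 Adding a device group
(3) Click <Add Device> to add the border devices to the device group.
Figure 145 Adding devices
(4) Click <OK> to finish configuring the device group.
(5) Open the "Switching Devices" page of the Fabric to view the device list and click <Refresh>. The state of the border devices changes to active, which indicates that the devices are managed by the controller successfully.
(6) After the device group is added, the controller deploys cross-device aggregation automatically. Open the [Automation > Data Center Network > Fabrics > Cross-Device Aggregation] page and click the "M-LAG System" tab. The M-LAG group numbers are shown in the M-LAG group number range area, and the M-LAG system information is shown in the M-LAG system area. Click the "Intra-Device Aggregate Interfaces" tab to view the peer-link aggregate interfaces on the intra-device aggregate interface page. For access devices, the aggregate interfaces that connect to FW/LB can be viewed. For border devices, the aggregate interfaces that connect to FW/LB cannot be viewed.
(7) On the intra-device aggregate interface page, add the aggregate interface that connects border1 to FW/LB/the external network and the aggregate interface that connects border2 to FW/LB/the external network. On the M-LAG group page, add the M-LAG group that connects to FW/LB/the external network.
(8) In the pass-through egress scenario, permit the external network VLAN on the aggregate interfaces that connect border1 and border2 to the external network. In the secure egress scenario, permit the related service VLANs on the aggregate interfaces that connect border1 and border2 to the external network. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.
(9) So that the M-LAG Border can correctly decapsulate packets from single-homed VMs that the M-LAG Leaf forwards to it, manually change the default decapsulation address on the M-LAG Border to the M-LAG Border virtual address. Configure this on both Border1 and Border2.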
[border1] vxlan default-decapsulation source interface LoopBack2
[border2] vxlan default-decapsulation source interface LoopBack2
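The auto-recovery time after an M-LAG device starts should be longer than the restart time of the peer device. The reference value is 600 seconds for modular devices such as the S12500G/S12500X/S10500X/S7500X and 300 seconds for fixed-port devices such as the S68XX. Configure it as follows: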
[server-leaf1] m-lag auto-recovery reload-delay 600
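(1) If the Border needs to connect to FW/LB devices, manually configure the aggregate interfaces that connect to the FW/LB devices on the Border. The following uses Border1 connecting to FW1 and FW2 as an example.
○ Configure the interface that connects to FW device 1.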
[border1] interface Bridge-Aggregation257
[border1-Bridge-Aggregation257] port link-type trunk
[border1-Bridge-Aggregation257] undo port trunk permit vlan 1
[border1-Bridge-Aggregation257] link-aggregation mode dynamic
[border1-Bridge-Aggregation257] port m-lag group 2
[border1-Bridge-Aggregation257] stp edged-port
[border1-Bridge-Aggregation257] quit
[border1] interface Ten-GigabitEthernet6/0/1
[border1-Ten-GigabitEthernet6/0/1] port link-mode bridge
[border1-Ten-GigabitEthernet6/0/1] port link-type trunk
[border1-Ten-GigabitEthernet6/0/1] undo port trunk permit vlan 1
[border1-Ten-GigabitEthernet6/0/1] port link-aggregation group 3
[border1-Ten-GigabitEthernet6/0/1] quit
○ Configure the interface that connects to FW device 2.
[border1] interface Bridge-Aggregation258
[border1-Bridge-Aggregation258] port link-type trunk
[border1-Bridge-Aggregation258] undo port trunk permit vlan 1
[border1-Bridge-Aggregation258] link-aggregation mode dynamic
[border1-Bridge-Aggregation258] port m-lag group 3
[border1-Bridge-Aggregation258] stp edged-port
[border1-Bridge-Aggregation258] quit
[border1] interface Ten-GigabitEthernet6/0/2
[border1-Ten-GigabitEthernet6/0/2] port link-mode bridge
[border1-Ten-GigabitEthernet6/0/2] port link-type trunk
[border1-Ten-GigabitEthernet6/0/2] undo port trunk permit vlan 1
[border1-Ten-GigabitEthernet6/0/2] port link-aggregation group 4
[border1-Ten-GigabitEthernet6/0/2] quit
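The service VLANs must be permitted on the aggregate interfaces that connect to the FW. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.
(2) If the Leaf needs to connect to FW/LB devices, configure the STP-related commands on the Leaf aggregate interfaces that connect to the FW/LB devices. The following uses service-leaf1 connecting to FW3 and FW4 as an example.
○ Configure the interface that connects to FW device 3.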
[service-leaf1] interface Bridge-Aggregation257
[service-leaf1-Bridge-Aggregation257] stp edged-port
[service-leaf1-Bridge-Aggregation257] quit
○ Configure the interface that connects to FW device 4.
[service-leaf1] interface Bridge-Aggregation258
[service-leaf1-Bridge-Aggregation258] stp edged-port
[service-leaf1-Bridge-Aggregation258] quit
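(1) Confirm that the template files were delivered correctly.
After a restart with an empty configuration, the management port of the device automatically obtains a management IP address and the TFTP server address. The device downloads the device tag file and the configuration template file for its role (template name_device role.template) from the controller and then loads the configuration automatically.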
<Spine1> dir *.template
Directory of flash:
0 -rw- 5984 Jun 11 2021 09:20:56 f1auto_spine.template
1 -rw- 5716 Jul 15 2021 15:42:28 fabric1_template_spine.template
(2) Check that the device role is correct.
<Spine1> display vcf-fabric role
Default role: spine
Current role: spine
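(3) Verify that routes between the devices are reachable.
Automated deployment delivers the routing configuration automatically so that all devices in the Fabric can reach each other. Use the display bgp peer l2vpn evpn command to check that the neighbor state is normal.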
<Spine1> system-view
[Spine1] display bgp peer l2vpn evpn
BGP local router ID: 10.1.1.2
Local AS number: 100
Total number of peers: 4 Peers in established state: 4
* - Dynamically created peer
^ - Peer created through link-local address
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
10.1.1.4 100 15937 24138 0 13 0236h38m Established
10.1.1.5 100 23221 46763 0 15 0288h26m Established
10.1.1.6 100 31753 27503 0 34 0334h14m Established
10.1.1.7 100 31573 30227 0 34 0334h14m Established
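a. Open the [Automation > Data Center Network > Fabrics > Cross-Device Aggregation > M-LAG System] page and view the automatically created M-LAG group numbers in the M-LAG group number range area.
b. Open the [Automation > Data Center Network > Fabrics > Cross-Device Aggregation > M-LAG System] page and view the automatically created M-LAG system in the M-LAG system area.
c. On the device, run the display m-lag summary command manually to view the created M-LAG system.
<Spine1> system-view
[Spine1] display m-lag summary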
Flags: A -- Aggregate interface down, B -- No peer M-LAG interface configured
C -- Configuration consistency check failed
Peer-link interface: BAGG256
Peer-link interface state (cause): UP
Keepalive link state (cause): UP
M-LAG interface information
M-LAG IF M-LAG group Local state (cause) Peer state Remaining down time(s)
BAGG11 11 UP UP -
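The BGP EVPN neighbor check in step (3) of the verification above can be scripted so that a peer that is down, missing, or not in the plan stands out. The following Python check is an added example, not part of the original manual or of any H3C tool. The function name, the finding labels, and the expected peer set (taken here from the peers in the sample output) are assumptions of this example.

```python
import re

# Constructed sample: the command output shown in step (3) above.
SAMPLE_OUTPUT = """\
BGP local router ID: 10.1.1.2
Local AS number: 100
Total number of peers: 4 Peers in established state: 4
* - Dynamically created peer
^ - Peer created through link-local address
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
10.1.1.4 100 15937 24138 0 13 0236h38m Established
10.1.1.5 100 23221 46763 0 15 0288h26m Established
10.1.1.6 100 31753 27503 0 34 0334h14m Established
10.1.1.7 100 31573 30227 0 34 0334h14m Established
"""

# One peer row: Peer, AS, MsgRcvd, MsgSent, OutQ, PrefRcv, Up/Down, State.
ROW = re.compile(
    r"^[ \t]*[*^]?[ \t]*(\d+(?:\.\d+){3})[ \t]+(\d+)"
    r"(?:[ \t]+\d+){4}[ \t]+\S+[ \t]+(\S+)[ \t]*$",
    re.MULTILINE,
)


def check_evpn_peers(output, fabric_as, expected_peers):
    """Return findings for one device's 'display bgp peer l2vpn evpn' output."""
    findings = []
    local_as = re.search(r"Local AS number:\s*(\d+)", output)
    if local_as is None or int(local_as.group(1)) != fabric_as:
        findings.append("local-as-mismatch")
    rows = ROW.findall(output)
    seen = set()
    for peer, peer_as, state in rows:
        seen.add(peer)
        if peer not in expected_peers:
            findings.append(f"unexpected-peer:{peer}")
        if int(peer_as) != fabric_as:
            findings.append(f"peer-as:{peer}:{peer_as}")
        if state != "Established":
            findings.append(f"not-established:{peer}:{state}")
    for peer in sorted(set(expected_peers) - seen):
        findings.append(f"missing-peer:{peer}")
    total = re.search(r"Total number of peers:\s*(\d+)", output)
    if total is None or int(total.group(1)) != len(rows):
        findings.append("count-mismatch")
    return findings


if __name__ == "__main__":
    planned = {"10.1.1.4", "10.1.1.5", "10.1.1.6", "10.1.1.7"}
    print(check_evpn_peers(SAMPLE_OUTPUT, fabric_as=100, expected_peers=planned))
```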
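(1) Log in to the controller and open the [System > System Maintenance > Data Center Controller] page to view the cluster IP address.
Figure 146 Viewing the cluster IP address
(2) Open the [Automation > Data Center Network > Fabrics > Parameters] page and configure the following parameters on the controller global configuration page:
○ Enable TFTP and Syslog services: set to On.
○ Service IP address: set to the cluster IP address found in the previous step, 192.168.12.101.
Figure 147 Enabling the TFTP and Syslog services and setting the service IP address
The DHCP service is provided by the DHCP server built into SeerEngine-DC. The DHCP server IP address is the same as the "TFTP and Syslog services" IP address, that is, the controller cluster IP address. The built-in DHCP service runs on the SeerEngine-DC master node. When the master node fails, the Master role switches to another node and the built-in DHCP service moves with it.
Add the IP address pools listed in the following table. The steps below add the physical management network address pool named pymg-pool as an example.
Table 7 IP address pools
| Planning item | | Configuration example | Description |
| IP address pool | Physical management network | Name: pymg-pool1; address range: 192.168.11.2-192.168.11.100; gateway address: 192.168.11.1 | This pool assigns device management IP addresses. Each switch uses one management address |
| | Physical VTEP network | Name: vtep-pool1; address range: 10.1.1.2-10.1.1.100 | The two switches of one M-LAG group use five VTEP addresses in total: two M-LAG real addresses, one M-LAG virtual address, and two peer-link escape addresses. All M-LAG groups together use two keepalive addresses |
| | Physical management network | Name: auto-pool1; address range: 192.168.11.101-120; gateway address: 192.168.11.1 | This pool is used temporarily during automated onboarding. It must contain more addresses than the number of devices to be onboarded. The address is released when onboarding completes |
| | Underlay interworking network (optional) | Name: underlay-pool1; address range: 10.90.1.2-10.90.1.254 | This pool assigns the interface IP addresses at both ends of the physical links between devices. Each link needs two addresses |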
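· It is recommended to plan pymg-pool and auto-pool in the same subnet.
· If pymg-pool and auto-pool are not in the same subnet, configure the gateway address of the auto-pool range as the primary address on the management switch.
(2) Open the [Automation > Data Center Network > Resource Pools > IP Address Pools] page and click <Add> to open the Add IP Address Pool page.
(3) Configure the following parameters on this page:
○ Name: pymg-pool1.
○ Type: Physical management network.
○ Gateway address: 192.168.11.1.
○ Click <Add Address Range> and configure the following parameters in the dialog box that opens:
- Start IP: 192.168.11.2.
- End IP: 192.168.11.100.
Figure 148 Adding an IP address pool of the physical management network type
· After address ranges are added to an IP address pool of a given type, the pool assigns IP addresses from those ranges. When multiple address ranges are added, they must not overlap.
· On the IP address pool configuration page, an IP address pool of a given type can be selected as the default pool. Only one default pool can be configured for each pool type.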
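(1) Open the [Wizard > Data Center Wizard > Network Planning and Build Wizard] page and click <New Deployment> to open the topology planning page.
Figure 149 Device automation wizard page
(2) Click <New Deployment> and configure the following parameters on this page:
○ Fabric information
- Select "New" to create a new Fabric, or select "Existing" to choose a Fabric that has already been created. This example selects "New".
- Name: fabric1. When "New" is selected, the page fills in a name in the form "fabric" plus a number according to the fabric sequence. Change it as needed.
- Overlay routing protocol BGP AS number: 100.
- Underlay routing protocol: OSPF.
○ Topology planning
- Select "By device list".
- Configure other parameters as required by the network. This example uses the default settings.
(3) Click <Next> to finish the topology planning configuration.
Figure 150 Topology planning configuration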
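(1) After the topology planning configuration is complete, click <Next> to open the automation template page, where the following parameters are configured:
(2) Click the <Underlay Basic Configuration> tab and configure the address pool information, template information, template roles, and other parameters on this page.
(3) Configure the address pool information with the following parameters:
○ Address pool set name: pool-group1
○ Interconnect interface address mode: With Borrowed address, device interconnect interfaces borrow the Loopback0 IP address when the Underlay routing protocol is OSPF or ISIS, and borrow the Loopback1 IP address when the Underlay routing protocol is EBGP. With Independent address, device interconnect interfaces are assigned IP addresses from the Underlay interworking address pool. This section uses Independent address as an example.
○ Automated onboarding address pool: auto-pool1.
○ Management IP address pool: pymg-pool1.
○ VTEP IP address pool: vtep-pool1.
○ Underlay interworking address pool: underlay-pool1. (This parameter is required when the interconnect interface address mode is Independent address.)
Figure 151 Address pool information
(4) Configure the template information with the following parameters:
○ Template name: template (user-defined).
○ Networking form
- Networking mode: select "M-LAG".
- M-LAG group creation mode: Automatic. With "Automatic", after automated onboarding the device aggregates M-LAG interfaces automatically through LLDP discovery. With "Manual", after the M-LAG system is created automatically, the intra-device aggregate interfaces and M-LAG groups must be created manually. When the M-LAG group creation mode is Automatic, devices must be onboarded in role order: Spine, then Aggregation, then Leaf.
Selecting automatic M-LAG creation has no effect for Access devices. An M-LAG group plan or system plan must be configured manually for them.
- Interface aggregation mode: Dynamic. With "Dynamic", cross-device aggregation uses dynamic aggregation mode. With "Static", it uses static aggregation mode.
- keepalive link: With Direct link, the direct link between the M-LAG members serves as the Keepalive link, and there must be two physical links between the M-LAG members. With Management network link, the management network formed by the management ports of the M-LAG member devices serves as the Keepalive link. M-LAG devices use the Keepalive link to detect neighbor state, that is, they exchange Keepalive packets to perform dual-active detection when the peer-link fails. This parameter takes effect only when the devices use a direct peer-link.
- Escape VLAN ID: 4094. Used for the cross-device aggregation escape configuration on a direct peer-link. Make sure that this value does not conflict with other services.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 152 Networking form configuration in the automation template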
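○ Advanced configuration
- NTP server: configures the IP address of the network time server.
- Border MAC: configures the bridge MAC of the Border device in an M-LAG scenario. This parameter must be specified when an S6800 device is used as the Border.
- OSPF process ID: configures the OSPF process number. If it is not configured, the system uses the default value "1".
- OSPF Area ID: configures the OSPF area number. If it is not configured, the system uses the default value "0.0.0.0".
- Overlay protocol BGP AS number: inherited automatically from the AS number set when the Fabric was created. No configuration is needed here.
- BGP MD5 password: configures the BGP MD5 password.
- Access device VXLAN forwarding pre-configuration: Yes by default.
- Enable automatic deployment of interconnect interface configuration: Yes by default.
- Reserved Layer 2 aggregate interface number range: the Layer 2 aggregate interface numbers reserved on the physical device. If Layer 2 aggregate interfaces need to be configured manually on the device, add the range of manually configured aggregate interface numbers to the reserved range. This setting cannot be modified after the device is onboarded, so plan it in advance.
Figure 153 Advanced settings in the automation template
The MAC address on the label attached to the housing of a fixed-port device is the bridge MAC address of that device, and the MAC address on the label attached to the chassis of a modular device is the bridge MAC address of that device. After logging in to the device, use the "display lacp system-id" command to view the bridge MAC of the local system.
(5) Configure the device roles with the following parameters:
○ Expand the template of each selected role (Spine/Leaf).
○ Software version & software patch: the version files must first be uploaded on the [Automation > Configuration Deployment > Device Maintenance > Version Library] page. After a version is selected, the controller pushes the version to the device at the start of automated onboarding and performs the upgrade, so the device is upgraded to the version configured in the template. Currently only device versions in ipe format and software patches in bin format are supported.
○ Enable whitelist: keep the default setting, "Yes". Automated onboarding in an M-LAG scenario requires the whitelist to be enabled and a device list to be configured. Only devices in the device list can be onboarded automatically and brought under controller management.
○ Device control protocol template: choose to create a new device control protocol template, which opens the Add Control Protocol Template page. The device control protocol template configures the username and password used to log in to the device, whether SSH is enabled, and so on. Configure the following parameters and click <OK> when finished:
- Name: template.
- Username: admin.
- Password: Qwert@1234.
- Confirm password: Qwert@1234.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 154 Control protocol template configuration
○ Command snippet: in the command snippet input box, enter the custom commands to be deployed. Add commands as needed. The last line must be #. The current version does not support automatic deployment of the ssh server enable and telnet server enable commands. If they are needed, deploy them through a command snippet.
Figure 155 Spine/Leaf template
○ The options in the Aggregation and Access templates partly overlap with those in the Spine and Leaf templates. Keep them consistent with the template options above. If an Access template is configured, set "Enable automatic aggregation of M-LAG connection interfaces" to No. This networking example does not involve these templates.
Figure 156 Aggregation/Access template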
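· The SN on the label attached to the device housing is the device serial number. After logging in to the device, the serial number can also be obtained with commands such as display device manuinfo. The serial number of a fixed-port device is the SN of the fixed-port device.
· When adding a modular switch to the device list, use the chassis serial number where possible. If there is no chassis serial number, add multiple device list entries using the serial number of each MPU. For S7500X/S75EXS modular devices, the serial numbers are the SNs of the active MPU and the standby MPU. For S10500 and S12500 modular devices, the serial number is the SN of the modular device.
· If a device is deleted from the device list and then onboarded automatically again, it keeps its original role. To change the default role, modify it manually.
· In a combined Spine/Border scenario, select the device role and device type in the device list according to the following table.
| Device type | Device role selection | Device type selection |
| Combined Spine and Border device | Spine | Border device |
| Combined Spine, Border, and ED device | Spine | Border device |
| Combined Spine, Border, ED, and Service-Leaf device | Spine | Border device |
| Leaf device | Leaf | Access device |
· In a separate Spine/Border scenario, select the device role and device type in the device list according to the following table.
| Device type | Device role selection | Device type selection |
| Spine device | Spine | Underlay physical device |
| Border device | Leaf | Border device |
| Leaf device | Leaf | Access device |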
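After the whitelist is enabled in the automation template, a device list must be configured. Only devices in the device list can be onboarded automatically and brought under controller management.
Add device list entries for the Spine, Border, and Leaf devices. The following adds the entry for Border1 as an example.
(1) Open the plan preview page. Click the Device List button to open the device information page.
(2) On the device information page, click <Add> to add device information.
(3) The following parameters can be configured on this page:
○ Device index: optional. Used to identify the device in the display. Add it as needed.
○ Device serial number: enter the device SN. This example uses 210235A2BBH175000257.
○ Fabric: fabric1. This is the corresponding Fabric and cannot be selected.
○ Device name: border1.
○ Device role: Leaf. Select Leaf for Border and Leaf devices, Spine for Spine devices, and Spine for combined Spine-Border devices.
○ Device type: Border device. Select Access device for Leaf devices, Underlay physical device for Spine devices, and Border device for Border and combined Spine-Border devices.
○ Management IP: the management IP of the device. If left empty, the device management IP is obtained from the address pool.
○ VTEP IP (Loopback IP): the VTEP IP address of the device. If left empty, the device management IP is obtained from the address pool.
○ Device label: this value is deployed to the device as its user-defined system name. It takes priority over the name in "role-IP address" format that the system configures automatically.
○ Network entity name: supported only when the Underlay protocol is ISIS, in which case it must be configured. This example uses OSPF, so this parameter is not configured.
○ Enable DCI: No. Only border devices support this parameter. Select "Yes" when the device acts as DCI. This example does not involve DCI, so this parameter is not configured.
○ DCI VTEP IP address: the VTEP IP address for data center interconnection. This example does not involve DCI, so this parameter is not configured.
Figure 157 Adding a device list entry
(4) After configuration, click <OK> to finish creating the device list entry.
(5) Click <Start Onboarding> to start automated device onboarding.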
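(6) For Access devices to form an M-LAG system automatically, the steps in this section must be performed to add either an M-LAG group plan or an M-LAG system plan. Configuring one of the two is sufficient.
M-LAG group planning method
a. On the "M-LAG Group Planning" tab of the device list, click <Add> and fill in the following parameters in the dialog box that opens:
- Device A serial number: enter the device SN. This example uses 210235A1U6H166000009.
- Device B serial number: enter the device SN. This example uses 210235A1AYRH197000027.
- Device A port: enter the interface that connects the device to the peer VM. This example uses Ten-GigabitEthernet1/0/35.
- Device B port: enter the interface that connects the device to the peer VM. This example uses Ten-GigabitEthernet1/0/35.
- Device A aggregate interface number: enter a user-defined aggregate interface number. This example uses 35.
- Device B aggregate interface number: enter a user-defined aggregate interface number. This example uses 35.
- MLAG group number: enter a user-defined MLAG group number. This example uses 35.
- Access function: Off.
Figure 158 Adding an MLAG group plan
b. Click <OK> to complete the configuration.
M-LAG system planning method
c. On the "M-LAG System Planning" tab of the device list, click <Add> and fill in the following parameters in the dialog box that opens:
- Fabric: select the current fabric. This example uses fabric1.
- Device A serial number: enter the device SN. This example uses 210235A1U6H166000009.
- Device B serial number: enter the device SN. This example uses 210235A1AYRH197000027.
- Scenario: select according to the actual plan. This example uses direct peer-link.
- Keepalive link: select according to the actual plan. This example uses direct link.
- Virtual VTEP IP: enter a user-defined VTEP IP. This example uses 10.1.1.10.
- Advanced configuration: configure as needed.
Figure 159 Adding an MLAG system plan
d. Click <OK> to complete the configuration.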
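· The device system name is determined in the following order of priority: the "Device label" field configured in the device information has the highest priority; next, if the device MAC matches Border_mac in the configuration template, the device system name is "border"; last is the ROLE-X.X.X.X format added in the template, which the device uses as its name automatically after onboarding.
· The configuration in the device list takes effect whether or not "Enable whitelist" is turned on. When "Enable whitelist" is "Yes" in the template, only devices in the device list can be onboarded, and they are onboarded with the information configured in the device list. When "Enable whitelist" is "No", all devices can be onboarded. A device that exists in the device list is onboarded with the configuration in the device list; otherwise it is onboarded in the default way.
· To verify link information, configure it on the "Batch import link information template" sheet of the device list template and import the link information, or add it manually on the "Link Information" tab. The topology planning page of the automated onboarding progress compares the planned links with the links that actually came online. Links onboarded as planned are shown as Online, links that are planned but not online are shown as Offline, and links that are outside the plan or inconsistent with the plan are shown as Unplanned. If automated onboarding is used for a Remote Leaf, link information must be planned. See the online help for the configuration method.
· To plan the cross-device aggregation information of automatically onboarded devices in advance, configure it on the "Batch import cross-device aggregation information" sheet of the device list template and import it, or add it manually on the "Cross-Device Aggregation Information" tab. Once this is configured, automated onboarding creates cross-device aggregate interfaces only as planned and no longer responds to LLDP information from peer devices. When the device type is Border device, aggregate interfaces that connect to FW/LB/the external network are not created automatically, and they can be planned in advance on this page. See the online help for the configuration method.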
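(1) Open the device onboarding page to view the topology progress and the onboarding progress.
(2) Click the Detailed Progress button to view the onboarding progress.
Figure 160 Topology progress page
When the M-LAG group creation mode in the device onboarding template is Automatic, devices must be onboarded automatically in role order: Spine, then Aggregation, then Leaf.
(1) Connect to the physical devices through the Console port and restart each device with an empty configuration.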
<device> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
(2) Restart the device.
<device> reboot force
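(3) After the restart, the device enters the automated deployment phase. The management port obtains a management IP address automatically through DHCP, and the device obtains the device tag file, reads the device role, downloads the configuration template file for that role, and configures itself automatically.
The console output for a successful automatic configuration looks like the following: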
Automatic configuration attempt: 2.
Interface used: M-GigabitEthernet0/0/0.
Enable DHCP client on M-GigabitEthernet0/0/0.
Set DHCP client identifier: 00e0fc026820
Obtained an IP address for M-GigabitEthernet0/0/0: 192.168.11.8.
Obtained configuration file name ospf.template and TFTP server name 192.168.12.108.
Resolved the TFTP server name to 192.168.12.108.
INFO: Get device tag file device_tag.csv success.
INFO: Read role Leaf from tag file.
Successfully downloaded file ospf_Leaf.template.
Executing the configuration file. Please wait...
Automatic configuration successfully completed.
Line aux0 is available.
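(4) After automatic configuration completes, the device is brought under controller management in the corresponding Fabric with the device state active (except border devices). Automated deployment and onboarding are then successful.
(1) After automated device onboarding completes, open the [Wizard > Data Center Wizard > Network Planning and Build Wizard > Device Onboarding] page to view the topology progress and the onboarding progress.
(2) Click the Detailed Progress button to view the onboarding progress.
Figure 161 Onboarding progress information
A switch whose type is Border device is in the inactive state after automated deployment. It must be added to a device group before its state changes to active.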
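(1) Open the [Automation > Data Center Network > Resource Pools > Device Resources > Device Groups] page and click <Add> to add a device group.
(2) The following parameters can be configured on this page:
○ Basic information
- Device group name: bdgroup1.
- MAC address: 3C:8C:40:4E:DD:46.
- Remote device group: select Yes for a Remote leaf and No for a device that is not a Remote leaf. This parameter cannot be modified after it is configured, so plan it in advance.
- Network position: select Egress gateway.
- HA deployment mode: M-LAG.
- Configure other parameters as required by the network. This example uses the default settings.
○ Egress gateway settings
- Firewall access mode: Off-path.
- Connection mode: select VLAN cross-subnet.
- Pass-through egress: select the default address pool and the default VLAN pool.
- Secure egress: select "Custom address pool" and "Custom VLAN pool". Before creating the device group, create the virtual device management network address pool, the tenant bearer firewall internal network address pool, the tenant bearer load balancer internal network address pool, the tenant bearer network VLAN pool, and so on, and then select them from the available address pool list and the available VLAN pool list. For how to configure custom address pools and custom VLAN pools, see the AD-DC 7.1 Security Service Resource Configuration Guide.
Figure 162 Adding a device group
(3) Click <Add Device> to add the border devices to the device group.
Figure 163 Adding devices
(4) Click <OK> to finish configuring the device group.
(5) Open the "Switching Devices" page of the Fabric to view the device list and click <Refresh>. The state of the border devices changes to active, which indicates that the devices are managed by the controller successfully.
(6) After the device group is added, the controller deploys cross-device aggregation automatically. Open the [Automation > Data Center Network > Fabrics > Cross-Device Aggregation] page and click the "M-LAG System" tab. The M-LAG group numbers are shown in the M-LAG group number range area, and the M-LAG system information is shown in the M-LAG system area. Click the "Intra-Device Aggregate Interfaces" tab to view the peer-link aggregate interfaces on the intra-device aggregate interface page. For access devices, the aggregate interfaces that connect to FW/LB can be viewed. For border devices, the aggregate interfaces that connect to FW/LB cannot be viewed.
Figure 164 Cross-device aggregation
(7) On the intra-device aggregate interface page, add the aggregate interface that connects border1 to FW/LB/the external network and the aggregate interface that connects border2 to FW/LB/the external network. On the M-LAG group page, add the M-LAG group that connects to FW/LB/the external network.
(8) In the pass-through egress scenario, permit the external network VLAN on the aggregate interfaces that connect border1 and border2 to the external network. In the secure egress scenario, permit the related service VLANs on the aggregate interfaces that connect border1 and border2 to the external network. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.
(9) So that the M-LAG Border can correctly decapsulate packets from single-homed VMs that the M-LAG Leaf forwards to it, manually change the default decapsulation address on the M-LAG Border to the M-LAG Border virtual address. Configure this on both Border1 and Border2.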
[border1] vxlan default-decapsulation source interface LoopBack2
[border2] vxlan default-decapsulation source interface LoopBack2
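The auto-recovery time after an M-LAG device starts should be longer than the restart time of the peer device. The reference value is 600 seconds for modular devices such as the S12500G/S10500X/S7500X and 300 seconds for fixed-port devices such as the S68XX. Configure it as follows: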
[server-leaf1] m-lag auto-recovery reload-delay 600
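(1) If the Border needs to connect to FW/LB devices, manually configure the aggregate interfaces that connect to the FW/LB devices on the Border. The following uses Border1 connecting to FW1 and FW2 as an example.
○ Configure the interface that connects to FW device 1.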
[border1] interface Bridge-Aggregation257
[border1-Bridge-Aggregation257] port link-type trunk
[border1-Bridge-Aggregation257] undo port trunk permit vlan 1
[border1-Bridge-Aggregation257] link-aggregation mode dynamic
[border1-Bridge-Aggregation257] port m-lag group 2
[border1-Bridge-Aggregation257] stp edged-port
[border1-Bridge-Aggregation257] quit
[border1] interface Ten-GigabitEthernet6/0/1
[border1-Ten-GigabitEthernet6/0/1] port link-mode bridge
[border1-Ten-GigabitEthernet6/0/1] port link-type trunk
[border1-Ten-GigabitEthernet6/0/1] undo port trunk permit vlan 1
[border1-Ten-GigabitEthernet6/0/1] port link-aggregation group 3
[border1-Ten-GigabitEthernet6/0/1] quit
○ Configure the interface that connects to FW device 2.
[border1] interface Bridge-Aggregation258
[border1-Bridge-Aggregation258] port link-type trunk
[border1-Bridge-Aggregation258] undo port trunk permit vlan 1
[border1-Bridge-Aggregation258] link-aggregation mode dynamic
[border1-Bridge-Aggregation258] port m-lag group 3
[border1-Bridge-Aggregation258] stp edged-port
[border1-Bridge-Aggregation258] quit
[border1] interface Ten-GigabitEthernet6/0/2
[border1-Ten-GigabitEthernet6/0/2] port link-mode bridge
[border1-Ten-GigabitEthernet6/0/2] port link-type trunk
[border1-Ten-GigabitEthernet6/0/2] undo port trunk permit vlan 1
[border1-Ten-GigabitEthernet6/0/2] port link-aggregation group 4
[border1-Ten-GigabitEthernet6/0/2] quit
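The service VLANs must be permitted on the aggregate interfaces that connect to the FW. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.
(2) If the Leaf needs to connect to FW/LB devices, configure the STP-related commands on the Leaf aggregate interfaces that connect to the FW/LB devices. The following uses service-leaf1 connecting to FW3 and FW4 as an example.
○ Configure the interface that connects to FW device 3.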
[service-leaf1] interface Bridge-Aggregation257
[service-leaf1-Bridge-Aggregation257] stp edged-port
[service-leaf1-Bridge-Aggregation257] quit
○ Configure the interface that connects to FW device 4.
[service-leaf1] interface Bridge-Aggregation258
[service-leaf1-Bridge-Aggregation258] stp edged-port
[service-leaf1-Bridge-Aggregation258] quit
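(1) Confirm that the template files were delivered correctly.
After a restart with an empty configuration, the management port of the device automatically obtains a management IP address and the TFTP server address. The device downloads the device tag file and the configuration template file for its role (template name_device role.template) from the controller and then loads the configuration automatically.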
<Spine1> dir *.template
Directory of flash:
0 -rw- 5984 Jun 11 2021 09:20:56 f1auto_spine.template
1 -rw- 5716 Jul 15 2021 15:42:28 fabric1_template_spine.template
(2) Check that the device role is correct.
<Spine1> display vcf-fabric role
Default role: spine
Current role: spine
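(3) Verify that routes between the devices are reachable.
Automated deployment delivers the routing configuration automatically so that all devices in the Fabric can reach each other. Use the display bgp peer l2vpn evpn command to check that the neighbor state is normal.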
<Spine1> system-view
[Spine1] display bgp peer l2vpn evpn
BGP local router ID: 10.1.1.2
Local AS number: 100
Total number of peers: 4 Peers in established state: 4
* - Dynamically created peer
^ - Peer created through link-local address
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
10.1.1.4 100 15937 24138 0 13 0236h38m Established
10.1.1.5 100 23221 46763 0 15 0288h26m Established
10.1.1.6 100 31753 27503 0 34 0334h14m Established
10.1.1.7 100 31573 30227 0 34 0334h14m Established
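(4) Check that the M-LAG system state is normal.
a. Open the [Automation > Data Center Network > Fabrics > Cross-Device Aggregation > M-LAG System] page and view the automatically created M-LAG group numbers in the M-LAG group number range area.
b. Open the [Automation > Data Center Network > Fabrics > Cross-Device Aggregation > M-LAG System] page and view the automatically created M-LAG system in the M-LAG system area.
c. On the device, run the display m-lag summary command manually to view the created M-LAG system.
<Spine1> system-view
[Spine1] display m-lag summary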
Flags: A -- Aggregate interface down, B -- No peer M-LAG interface configured
C -- Configuration consistency check failed
Peer-link interface: BAGG256
Peer-link interface state (cause): UP
Keepalive link state (cause): UP
M-LAG interface information
M-LAG IF M-LAG group Local state (cause) Peer state Remaining down time(s)
BAGG11 11 UP UP -
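The first step of network expansion is to select the Fabric to be expanded. The following uses adding one Border device as the configuration example.
(1) Open the [Wizard > Data Center Wizard > Network Planning and Build Wizard > Classic Wizard] page and click <Device Expansion> to open the Select Fabric page.
(2) Select the Fabric to be expanded on this page and click <Next>.
○ Fabric list: fabric1.
Figure 165 Device automation network expansion wizard page
This page is used to plan the network expansion. Based on the Fabric selected in the previous step, add or import the devices and link information to be added, according to the expansion requirements.
The following uses adding one Border device as the configuration example.
(1) On the expansion planning information page, click <Add> and add the following device information in the dialog box that opens.
○ Device serial number: 210235A2BBH175000257.
○ Device name: border1.
○ Device role: Leaf.
○ Device type: Border device.
(2) Click <OK> to finish adding the device information.
Figure 166 Adding device information
(3) After configuration, click <Next> to open the address pool expansion page.
This page is used to expand the address pool space that was planned at initial deployment. At initial deployment, only part of the address space may have been planned. When the network needs to be expanded and the address space is insufficient, this page shows the usage of each address pool, the remaining address space, the number of devices that can still be added, and other information. If the existing address space cannot meet the expansion requirements, edit the corresponding address pool and add new address ranges as needed to change the address space of each pool.
The following uses adding one Border device as the configuration example.
(1) Select the address pools to be used by the devices being added.
○ Automated onboarding address pool: auto-pool1.
○ Management IP address pool: pymg-pool1.
○ VTEP IP address pool: vtep-pool1.
Figure 167 Address pools used by the devices being added
(2) After configuration, click <Start Expansion> to start expanding the address pools.
This page shows the comparison between the planned and the actual network expansion, the expansion progress, and other information. Compare the expansion progress in the topology, and use the progress statistics to view the number of devices that are pending, onboarding, onboarded, and failed.
After network expansion completes, click <Finish>. This stops the automation process on the device side in this Fabric.
The following uses adding one Border device as the configuration example.
(1) Clear the configuration file of the Border and restart the device.
(2) Wait for the Border device to be onboarded automatically. After onboarding completes, click <Finish>. This stops the automation process on the device side in this Fabric.
Figure 168 Network expansion summary
(3) After the added device is online, perform the following checks.
a. Confirm that the template files were delivered correctly.
After a restart with an empty configuration, the management port of the device automatically obtains a management IP address and the TFTP server address. The device downloads the device tag file and the configuration template file for its role (template name_device role.template) from the controller and then loads the configuration automatically.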
<Border1> dir *.template
Directory of flash:
0 -rw- 5984 Jun 11 2021 09:20:56 f1auto_spine.template
1 -rw- 5716 Jul 15 2021 15:42:28 fabric1_template_spine.template
b. Check that the device role is correct.
<Border1> display vcf-fabric role
Default role: leaf
Current role: leaf
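c. Verify that routes between the devices are reachable.
Automated deployment delivers the routing configuration automatically so that all devices in the Fabric can reach each other. Use the display bgp peer l2vpn evpn command to check that the neighbor state is normal.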
<Border1> system-view
[Border1] display bgp peer l2vpn evpn
BGP local router ID: 10.1.1.2
Local AS number: 100
Total number of peers: 4 Peers in established state: 4
* - Dynamically created peer
^ - Peer created through link-local address
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
10.1.1.4 100 15937 24138 0 13 0236h38m Established
10.1.1.5 100 23221 46763 0 15 0288h26m Established
10.1.1.6 100 31753 27503 0 34 0334h14m Established
10.1.1.7 100 31573 30227 0 34 0334h14m Established
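d. Check that the M-LAG system state is normal.
- Open the [Automation > Data Center Network > Fabrics > Cross-Device Aggregation > M-LAG System] page and view the automatically created M-LAG group numbers in the M-LAG group number range area.
- Open the [Automation > Data Center Network > Fabrics > Cross-Device Aggregation > M-LAG System] page and view the automatically created M-LAG system in the M-LAG system area.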
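(1) The first step of link expansion is to select the Fabric, the local device, the peer device, and the interfaces of the link to be added. The following uses adding one link between a Spine device and a Leaf device as the configuration example. Before expanding a Spine-Leaf link, configure the underlay interconnect network address pool in advance, and make sure that the pool can allocate 2 IP address pools with a 30-bit mask and that they do not conflict with IP addresses already on the devices.
Table 8 IP address pool
| Planning item | | Configuration example | Description |
| IP address pool | Underlay interconnect network | Name: underlay互联网络1; address range: 10.90.1.1-10.90.1.254 | This pool assigns addresses to the interfaces at both ends of a link. Each link needs two addresses |
(2) Open the [Automation > Data Center Network > Resource Pools > IP Address Pools] page, click <Add> to open the Add IP Address Pool page, configure the following parameters, and click <OK> to finish creating the address pool.
○ Name: underlay互联网络1.
○ Type: Underlay interconnect network.
○ Click <Add Address Range> and configure the following parameters in the dialog box that opens:
○ Start IP: 10.90.1.1.
○ End IP: 10.90.1.254.
Figure 169 Adding an IP address pool
(3) Open the [Wizard > Data Center Wizard > Network Planning and Build Wizard > Classic Wizard] page and click <Link Expansion> to open the link expansion planning page.
(4) On this page, select the Fabric and the devices of the link to be added.
○ Fabric list: fabric1.
○ Local device: spine1 (192.168.11.2).
○ Local device interface: FGE4/0/1.
○ Peer device: leaf1(192.168.11.5).
○ Peer device interface: XGE1/0/1.
Figure 170 Link expansion planning
(5) After configuration, click <Next>.
The following uses adding one link between a Spine device and a Leaf device as the configuration example.
(1) Review the configuration that the controller will deploy on the corresponding device interfaces, and then click <Finish>.
Figure 171 Link expansion configuration information
(2) On the corresponding interfaces of the devices, check that the configuration was deployed correctly.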
[spine1-FortyGigE4/0/1] dis this
#
interface FortyGigE4/0/1
port link-mode route
speed 10000
ip address 10.90.1.1 255.255.255.252
ospf 10 area 0.0.0.0
#
Return
[leaf1-Ten-GigabitEthernet1/0/1] dis this
#
interface Ten-GigabitEthernet1/0/1
port link-mode route
ip address 10.90.1.2 255.255.255.252
ospf 10 area 0.0.0.0
#
return
In this network, the SeerEngine-DC cluster has a built-in DHCP server. During Underlay automated deployment, the devices request the IP address of the management port from the DHCP server.
In this network, the management network uses Layer 3 networking mode. The devices communicate with the DHCP server through a DHCP relay.
There are two automated deployment methods: traditional automated deployment and wizard-based automated deployment. The traditional method inherits the automated deployment method of versions before AD-DC 6.0. The wizard-based method uses visual guidance so that users who are new to the controller can quickly configure, deploy, and manage the network. This chapter uses the traditional automated deployment method for the configuration example.
Figure 172 Underlay network automated deployment network diagram
Table 9 IP addresses and interfaces in the Service-leaf secure egress scenario
| Device | Interface information |
| Border 1 | HGE4/0/1 (to Border2 HGE4/0/1); HGE4/0/2 (to Border2 HGE4/0/2); XGE6/0/48 (to Border2 XGE6/0/48); HGE4/0/3 (to Spine1 HGE1/0/3); HGE4/0/4 (to Spine2 HGE1/0/3); XGE6/0/5 (to the external network device) |
| Border 2 | HGE4/0/1 (to Border1 HGE4/0/1); HGE4/0/2 (to Border1 HGE4/0/2); XGE6/0/48 (to Border1 XGE6/0/48); HGE4/0/3 (to Spine1 HGE1/0/4); HGE4/0/4 (to Spine2 HGE1/0/4); XGE6/0/5 (to the external network device) |
| Spine1 | HGE1/0/3 (to Border1 HGE4/0/3); HGE1/0/4 (to Border2 HGE4/0/3); HGE1/0/5 (to Leaf1 HGE1/0/25); HGE1/0/6 (to Leaf2 HGE1/0/25); HGE1/0/7 (to Leaf3 HGE1/0/27); HGE1/0/8 (to Leaf4 HGE1/0/27) |
| Spine2 | HGE1/0/3 (to Border1 HGE4/0/4); HGE1/0/4 (to Border2 HGE4/0/4); HGE1/0/5 (to Leaf1 HGE1/0/27); HGE1/0/6 (to Leaf2 HGE1/0/27); HGE1/0/7 (to Leaf3 HGE1/0/25); HGE1/0/8 (to Leaf4 HGE1/0/25) |
| Server Leaf 1 | XGE1/0/9 (to Server Leaf2 XGE1/0/9); XGE1/0/10 (to Server Leaf2 XGE1/0/10); XGE1/0/11 (to Server 1); XGE1/0/12 (to Server 2); HGE1/0/30 (to Server Leaf2 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/5); HGE1/0/27 (to Spine2 HGE1/0/5) |
| Server Leaf 2 | XGE1/0/9 (to Server Leaf1 XGE1/0/9); XGE1/0/10 (to Server Leaf1 XGE1/0/10); XGE1/0/11 (to Server 1); XGE1/0/12 (to Server 2); HGE1/0/30 (to Server Leaf1 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/6); HGE1/0/27 (to Spine2 HGE1/0/6) |
| Service Leaf 1 | XGE1/0/9 (to Service Leaf2 XGE1/0/9); XGE1/0/10 (to Service Leaf2 XGE1/0/10); XGE1/0/11 (to FW1 XGE1/2/1); XGE1/0/12 (to FW2 XGE1/2/1); HGE1/0/30 (to Service Leaf2 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/7); HGE1/0/27 (to Spine2 HGE1/0/7) |
| Service Leaf 2 | XGE1/0/9 (to Service Leaf1 XGE1/0/9); XGE1/0/10 (to Service Leaf1 XGE1/0/10); XGE1/0/11 (to FW1 XGE1/2/1); XGE1/0/12 (to FW2 XGE1/2/1); HGE1/0/30 (to Service Leaf1 HGE1/0/30); HGE1/0/25 (to Spine1 HGE1/0/8); HGE1/0/27 (to Spine2 HGE1/0/8) |
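Table 10 Address pool planning
| Planning item | | Configuration example | Description |
| TFTP and Syslog service IP address | | 192.168.12.101 | Uses the cluster IP address of the controller |
| IP address pool | Physical management network | Name: pymg-pool; address range: 192.168.11.2-192.168.11.100; gateway address: 192.168.11.1 | One management address per switch |
| | Physical VTEP network | Name: vtep-pool; address range: 10.1.1.2-10.1.1.100 | The two switches of one M-LAG group use five VTEP addresses in total: two M-LAG real addresses, one M-LAG virtual address, and two peer-link escape addresses. All M-LAG groups together use two keepalive addresses |
| | Physical management network | Name: auto-pool; address range: 192.168.11.101-120; gateway address: 192.168.11.1 | Each switch temporarily uses one address during automated onboarding and releases it when onboarding completes |
| | Underlay interworking network (optional) | Name: underlay-pool1; address range: 10.90.1.2-10.90.1.254 | This pool assigns the interface IP addresses at both ends of the physical links between devices. Each link needs two addresses |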
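Figure 173 Automated deployment flow
(1) Log in to the controller and open the [System > System Maintenance > Controller Information] page to view the cluster IP address.
Figure 174 Viewing the cluster IP address
(2) Open the [Automation > Data Center Network > Fabrics > Parameters] page and configure the following parameters on the controller global configuration page:
○ Enable TFTP and Syslog services: set to On.
○ Service IP address: set to the cluster IP address found in the previous step, 192.168.12.101.
Figure 175 Enabling the TFTP and Syslog services and setting the service IP address
The DHCP service is provided by the DHCP server built into SeerEngine-DC. The DHCP server IP address is the same as the "TFTP and Syslog services" IP address, that is, the controller cluster IP address. The built-in DHCP service runs on the SeerEngine-DC master node. When the master node fails, the Master role switches to another node and the built-in DHCP service moves with it.
Add the IP address pools listed in the following table. The steps below add the physical management network address pool named pymg-pool as an example.
Table 11 IP address pools
| Planning item | | Configuration example | Description |
| IP address pool | Physical management network | Name: pymg-pool1; address range: 192.168.11.2-192.168.11.100; gateway address: 192.168.11.1 | This pool assigns device management IP addresses. Each switch uses one management address |
| | Physical VTEP network | Name: vtep-pool1; address range: 10.1.1.2-10.1.1.100 | The two switches of one M-LAG group use five VTEP addresses in total: two M-LAG real addresses, one M-LAG virtual address, and two peer-link escape addresses. All M-LAG groups together use two keepalive addresses |
| | Physical management network | Name: auto-pool1; address range: 192.168.11.101-120; gateway address: 192.168.11.1 | This pool is used temporarily during automated onboarding. It must contain more addresses than the number of devices to be onboarded. The address is released when onboarding completes |
| | Underlay interworking network (optional) | Name: underlay-pool1; address range: 10.90.1.2-10.90.1.254 | This pool assigns the interface IP addresses at both ends of the physical links between devices. Each link needs two addresses |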
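· Plan pymg-pool and auto-pool in the same network segment where possible.
· If pymg-pool and auto-pool are in different network segments, the gateway IPs of the two segments must be configured on the same VLAN interface, and the gateway address of the auto-pool segment must be configured as the primary address on the management switch.
(2) Open the [Automation > Data Center Networks > Resource Pools > IP Address Pools] page and click <Add> to open the Add IP Address Pool page.
(3) Configure the following parameters on this page:
¡ Name: pymg-pool1.
¡ Type: Physical management network.
¡ Gateway address: 192.168.11.1.
¡ Click <Add Address Range> and configure the following parameters in the dialog box:
- Start IP: 192.168.11.2.
- End IP: 192.168.11.100.
Figure 176 Adding an IP address pool of the physical management network type
· After address ranges are added to an IP address pool of a given type, the pool allocates IP addresses from the added ranges. When multiple address ranges are added, they must not overlap.
· On the IP address pool configuration page, an IP address pool of a given type can be selected as the default pool. Only one default pool can be configured for each pool type.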
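The sizing rules in Table 11 can be checked before the pools are created. The following is an added example, not part of the H3C guide: it parses the ranges from Table 11 (including the `192.168.11.101-120` shorthand) and checks them against the per-switch, per-M-LAG-group and per-link requirements stated there. The function names, the `kind` labels, the device counts, the rule of one VTEP address per switch outside an M-LAG group, and the overlap check across different pools are assumptions of this example.

```python
import ipaddress

# Pools from Table 11 of this page. The "kind" labels are names chosen for this example.
PLAN = {
    "pymg-pool1": {"kind": "management", "range": "192.168.11.2-192.168.11.100"},
    "vtep-pool1": {"kind": "vtep", "range": "10.1.1.2-10.1.1.100"},
    "auto-pool1": {"kind": "onboarding", "range": "192.168.11.101-120"},
    "underlay-pool1": {"kind": "underlay", "range": "10.90.1.2-10.90.1.254"},
}


def parse_range(text):
    """Parse 'a.b.c.d-a.b.c.e' or the shorthand 'a.b.c.d-e' used in the table."""
    start_s, end_s = (part.strip() for part in text.split("-", 1))
    if "." not in end_s:  # shorthand: only the last octet of the end address is given
        end_s = start_s.rsplit(".", 1)[0] + "." + end_s
    start, end = ipaddress.IPv4Address(start_s), ipaddress.IPv4Address(end_s)
    if end < start:
        raise ValueError(f"range ends before it starts: {text}")
    return start, end


def size(rng):
    """Number of addresses in an inclusive (start, end) range."""
    return int(rng[1]) - int(rng[0]) + 1


def check_plan(pools, mlag_groups, standalone, links):
    """Return a list of problems; an empty list means the plan fits.

    mlag_groups: M-LAG systems of two switches each
    standalone:  switches outside any M-LAG system (assumed: 1 VTEP address each)
    links:       physical inter-switch links that take underlay addresses
    """
    switches = 2 * mlag_groups + standalone
    required = {
        "management": switches,                    # 1 management address per switch
        "vtep": 5 * mlag_groups + 2 + standalone,  # 5 per group, plus 2 keepalive in total
        "underlay": 2 * links,                     # 2 addresses per link
    }
    ranges = {name: parse_range(pool["range"]) for name, pool in pools.items()}
    problems = []
    for name, pool in pools.items():
        have = size(ranges[name])
        if pool["kind"] == "onboarding":
            # The onboarding pool must hold MORE addresses than devices being onboarded.
            if have <= switches:
                problems.append(f"{name}: {have} addresses, need more than {switches}")
        elif have < required[pool["kind"]]:
            problems.append(f"{name}: {have} addresses, need {required[pool['kind']]}")
    # Overlap check over every pair of ranges (across pools: an assumption of this example).
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed counts: 3 M-LAG groups, 2 standalone spines, 12 inter-switch links.
    for problem in check_plan(PLAN, mlag_groups=3, standalone=2, links=12) or ["plan fits"]:
        print(problem)
```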
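(1) Open the [Automation > Data Center Networks > Fabrics > Fabrics] page and click <Add> to open the fabric configuration page.
(2) Configure the following parameters on this page:
¡ Name: fabric1
¡ Overlay routing protocol BGP AS number: 100
¡ Configure other parameters as the network requires. This example keeps the defaults.
(3) Click <OK> to finish creating the fabric.
Figure 177 Fabric configuration
(1) Open the [Automation > Data Center Networks > Fabrics > Automated Deployment] page and click the <Automation Templates> tab to open the automation template configuration page.
(2) Click the <Underlay Basic Settings> tab and configure the following parameters:
¡ Fabric list: fabric1.
¡ Underlay routing protocol: select OSPF, ISIS, or BGP as required. The rest of this section uses OSPF as the underlay protocol.
Figure 178 Underlay basic settings
(3) Click <OK>. A success message is displayed. Click the <Address Pool Sets> tab. Select the fabric in the Fabric list and click <Add> to open the Add Address Pool Set page, then configure the following parameters:
¡ Name: pool-group1
¡ Interconnect interface addressing mode: when "Borrowed address" is selected, device interconnect interfaces borrow the Loopback0 IP address if the underlay routing protocol is OSPF or ISIS, and the Loopback1 IP address if the underlay routing protocol is EBGP. When "Independent address" is selected, device interconnect interfaces are assigned IP addresses from the underlay interconnect address pool. This section uses "Independent address".
¡ Address pool type: Local address pool.
¡ Management IP address pool: pymg-pool1.
¡ VTEP IP address pool: vtep-pool1.
¡ Automated onboarding address pool: auto-pool1.
¡ Underlay interconnect address pool: underlay-pool1. (Required when the interconnect interface addressing mode is "Independent address".)
¡ Configure other parameters as the network requires. This example keeps the defaults.
Figure 179 Address pool set configuration, independent address
(4) After the parameters are configured, click <OK>. A new record appears on the address pool set page.
Figure 180 Address pool set page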
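(5) Click the <Control Protocol Templates> tab, click <Add>, and select the fabric to open the Add Control Protocol Template page. Configure the following parameters:
¡ Fabric: fabric1. Do not use the controller's default fabric, DEFAULTFABRIC.
¡ Name: template.
¡ User name: admin.
¡ Password: Qwert@1234.
¡ Confirm password: Qwert@1234.
¡ Configure other parameters as the network requires. This example keeps the defaults.
Figure 181 Control protocol template configuration
(6) After the parameters are configured, click <OK>. A new record appears on the control protocol template page.
Figure 182 Control protocol template page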
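(7) Click the <Device Onboarding Templates> tab and click <Add>. "New template" is selected by default. If another fabric already has a configuration template, use "Select existing template" to copy its settings into the current page. Select the fabric to open the Add Device Onboarding Template page.
Figure 183 Advanced settings
When "New template" is selected, the following parameters can be configured:
¡ Template name: template (user-defined).
¡ Network form:
- Enable IRF stacking: select "No".
- Enable cross-device aggregation: select "Yes".
- M-LAG group creation mode: Automatic. With "Automatic", devices aggregate M-LAG interfaces automatically through LLDP discovery after automated onboarding. With "Manual", the intra-device aggregate interfaces and M-LAG groups must be created manually after the M-LAG system has been created automatically. Select "Manual" when servers attach with active/standby NICs (Bond1 mode), but do not create intra-device aggregate interfaces in that case. When the M-LAG group creation mode is Automatic, devices must be onboarded in role order: Spine, Aggregation, then Leaf.
- Interface aggregation mode: Dynamic. With "Dynamic", cross-device aggregation uses dynamic aggregation mode. With "Static", it uses static aggregation mode.
- Keepalive link: "Direct link" uses the direct link between the M-LAG members as the keepalive link. "Management network link" uses the management network formed by the management ports of the M-LAG member devices as the keepalive link. M-LAG devices detect neighbor state over the keepalive link, that is, they exchange keepalive packets to perform dual-active detection when the peer-link fails. This parameter takes effect only when the devices use a directly connected peer-link.
- Escape VLAN ID: 4094. Used for the cross-device aggregation escape configuration of a directly connected peer-link. Make sure this value does not conflict with other services.
- Configure other parameters as the network requires. This example keeps the defaults.
Figure 184 Network form settings of the device onboarding template
The MAC address on the label attached to the housing of a fixed-port device is that device's bridge MAC address. For a chassis device, it is the MAC address on the label attached to the chassis. After logging in to the device, use the "display lacp system-id" command to view the bridge MAC of the local system.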
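¡ Advanced settings:
- NTP server: the IP address of the network time server.
- Border MAC: the bridge MAC of the Border device in the M-LAG scenario. This parameter is mandatory when an S6800 is used as Border.
- OSPF process ID: the OSPF process number. If not configured, the system uses the default value "1".
- OSPF Area ID: the OSPF area number. If not configured, the system uses the default value "0.0.0.0".
- Overlay protocol BGP AS number: inherited automatically from the AS number set when the fabric was created. No configuration is needed here.
- BGP MD5 password: the password for BGP MD5 authentication.
- VXLAN forwarding preconfiguration on access devices: No by default.
- Reserved Layer 2 aggregate interface number range: the Layer 2 aggregate interface numbers reserved on the physical device. If Layer 2 aggregate interfaces need to be configured manually on the device, add the range of manually configured aggregate interface numbers to the reserved range. This cannot be changed after the device is onboarded, so plan it in advance.
Figure 185 Advanced settings of the device onboarding template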
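(8) Expand the template of each selected role (Spine/Leaf) and configure the following parameters:
¡ Software version and software patch: upload the version files first on the [Automation > Configuration Deployment > Device Maintenance > Version Library] page. Once a version is selected, the controller pushes it to the device at the start of automated onboarding and performs the upgrade, so that the device is upgraded to the version configured in the template. Only device versions in ipe format and software patches in bin format are currently supported.
¡ Enable whitelist: keep the default, "Yes". Automated onboarding in the M-LAG scenario requires the whitelist to be enabled and a device list to be configured. Only devices in the device list can be onboarded automatically and incorporated by the controller.
¡ Device control protocol template: select the device control protocol template "template" created in step (7), or create a new one. The device control protocol template sets the user name and password used to log in to the device, whether SSH is enabled, and so on. The admin password of the default control protocol template is Admin@123456.
¡ Command snippet: enter any custom commands to be deployed in the command snippet box. Add them as actually required. The last line must be #. The current version does not automatically deploy the ssh server enable and telnet server enable commands. Deploy them through a command snippet if needed.
Figure 186 Spine/Leaf templates
(9) Some options in the Aggregation and Access templates are the same as in the Spine and Leaf templates. Keep them consistent with the templates above. If an Access template is configured, "Enable automatic aggregation of M-LAG interconnect ports" must be set to No. This example network does not use these templates.
Figure 187 Aggregation/Access templates
(10) After the parameters are configured, click <OK>. The created device onboarding template can be viewed on the device onboarding template page. The content of each role template can be viewed and modified there.
Figure 188 Device onboarding template page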
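· The SN on the label attached to the device housing is the device serial number. After logging in to the device, the serial number can also be obtained with commands such as display device manuinfo. The serial number of a fixed-port device is the SN of the device.
· When adding a chassis switch to the device list, use the serial number of the chassis where possible. If there is no chassis serial number, add multiple device list entries using the serial number of each MPU. The serial number of S105 and S125 chassis devices is the SN of the chassis. The serial number of S75X/S75EXS chassis devices is the SN of the active MPU and the SN of the standby MPU.
· A device that is deleted from the device list and then onboarded automatically again keeps its original role. To change the default role, modify it manually.
· In the combined Spine/Border scenario, select the device role and device type in the device list according to the following table.
| Device | Device role to select | Device type to select |
| Combined Spine/Border device | Spine | Border device |
| Spine/Border/ED three-in-one device | Spine | Border device |
| Spine/Border/ED/Service-Leaf four-in-one device | Spine | Border device |
| Leaf device | Leaf | Access device |
| Service-Leaf device | Leaf | Border device |
· In the separate Spine/Border scenario, select the device role and device type in the device list according to the following table.
| Device | Device role to select | Device type to select |
| Spine device | Spine | Underlay physical device |
| Border device | Leaf | Border device |
| Leaf device | Leaf | Access device |
| Service-Leaf device | Leaf | Border device |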
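Once the whitelist is enabled in the automation template, a device list must be configured. Only devices in the device list can be onboarded automatically and incorporated by the controller.
Add device list entries for the Spine, Border, Service-Leaf, and Leaf devices. The steps below add the entry for Border1 as the example.
(1) Open the [Automation > Data Center Networks > Fabrics > Automated Deployment] page and click the "Topology Planning" tab. On the "Device Information" tab of the device list, click <Add> to add device information.
(2) The following parameters can be configured on this page:
¡ Device index: optional. Used as a display identifier for the device. Add it as needed.
¡ Device serial number: enter the device SN, for example 210235A1U6H169000004.
¡ Fabric: fabric1.
¡ Device name: border1.
¡ Device role: Leaf. Select Leaf for Border and Leaf devices, Spine for Spine devices, and Spine for combined Spine/Border devices.
¡ Device type: Border device. Select Access device for Leaf devices, Underlay physical device for Spine devices, and Border device for Border and combined Spine/Border devices. Select Border device for Service-Leaf devices.
¡ Management IP: the management IP of the device. If left empty, the management IP is obtained from the address pool.
¡ VTEP IP (Loopback IP): the VTEP IP address of the device. If left empty, the VTEP IP is obtained from the address pool.
¡ Device label: this value is deployed to the device as its custom system name and takes precedence over the name in "role-IP address" format that the system configures automatically.
¡ Network entity title: supported, and mandatory, only when the underlay protocol is ISIS. This example uses OSPF, so the parameter is not configured.
¡ Enable DCI: No. Only border devices support this parameter. Select "Yes" when the device acts as DCI. This example does not involve DCI, so the parameter is not configured.
¡ DCI VTEP IP address: the VTEP IP address for data center interconnect. This example does not involve DCI, so the parameter is not configured.
Figure 189 Adding a device list entry
(3) After configuration, click <OK> to finish creating the device list entry.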
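(1) For Access devices to form an M-LAG system automatically, the steps in this section are mandatory. Add either an M-LAG group plan or an M-LAG system plan. Only one of the two is needed.
(2) Open the [Automation > Data Center Networks > Fabrics > Automated Deployment] page and click the "Topology Planning" tab. On the "M-LAG Group Planning" tab of the device list, click <Add> and enter the following parameters in the dialog box:
¡ Device A serial number: enter the device SN, for example 210235A1U6H166000009.
¡ Device B serial number: enter the device SN, for example 210235A1AYRH197000027.
¡ Device A port: enter the port that connects the device to the peer VM, for example Ten-GigabitEthernet1/0/35.
¡ Device B port: enter the port that connects the device to the peer VM, for example Ten-GigabitEthernet1/0/35.
¡ Device A aggregate interface number: enter a user-defined aggregate interface number, for example 35.
¡ Device B aggregate interface number: enter a user-defined aggregate interface number, for example 35.
¡ M-LAG group number: enter a user-defined M-LAG group number, for example 35.
¡ Access function: Off.
Figure 190 Adding an M-LAG group plan
(3) Click <OK> to complete the configuration.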
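(4) Open the [Automation > Data Center Networks > Fabrics > Automated Deployment] page and click the "Topology Planning" tab. On the "M-LAG System Planning" tab of the device list, click <Add> and enter the following parameters in the dialog box:
¡ Fabric: select the current fabric, for example fabric1.
¡ Device A serial number: enter the device SN, for example 210235A1U6H166000009.
¡ Device B serial number: enter the device SN, for example 210235A1AYRH197000027.
¡ Scenario: select according to the actual plan, for example directly connected peer-link.
¡ Keepalive link: select according to the actual plan, for example direct link.
¡ Virtual VTEP IP: enter a user-defined VTEP IP, for example 10.1.1.10.
¡ Advanced settings: configure as actually required.
Figure 191 Adding an M-LAG system plan
(5) Click <OK> to complete the configuration.
· The device system name is chosen in the following order of precedence: the "Device label" field configured in the device information has the highest priority. Next, if the device MAC matches Border_mac in the configuration template, the system name is "border". Last is the ROLE-X.X.X.X format added in the template, which the device uses automatically after it comes online.
· The information configured in the device list takes effect whether or not "Enable whitelist" is on. When "Enable whitelist" is "Yes" in the template, only devices in the device list can come online, and they come online with the information configured in the device list. When "Enable whitelist" is "No", all devices can come online. A device that exists in the device list comes online with the configuration in the list, otherwise it comes online in the default way.
· To verify link information, configure the "Batch import link information template" sheet of the device list template and import the link information, or add it manually on the "Link Information" tab. The topology planning page of the automated onboarding progress compares the planned links with the links that actually came online. Links that came online as planned are shown as online, links that are planned but not online are shown as offline, and links that are outside the plan or came online differently from the plan are shown as unplanned. Link information must be planned if automated onboarding is used for Remote Leaf. See the online help for the detailed configuration.
· To plan the cross-device aggregation information of automatically onboarded devices in advance, configure the "Batch import cross-device aggregation information" sheet of the device list template and import the information, or add it manually on the "Cross-Device Aggregation Information" tab. Devices onboarded after this is configured create cross-device aggregate interfaces only as planned and no longer respond to LLDP information from peer devices. When the device type is Border device, aggregate interfaces that connect to FW/LB/external networks are not created automatically and can be planned in advance on this page. See the online help for the detailed configuration.
When the M-LAG group creation mode in the device onboarding template is Automatic, devices must be onboarded in role order: Spine, Aggregation, then Leaf.
(1) Connect to each physical device through the console port and restart it with an empty configuration.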
<device> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
(2) Reboot the device.
<device> reboot force
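(3) After rebooting, the device enters the automated deployment phase. The management port obtains a management IP address automatically through DHCP, the device obtains the device tag file, reads its role, downloads the configuration template file for that role, and configures itself automatically.
The console output for a successful automatic configuration looks like the following: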
Automatic configuration attempt: 2.
Interface used: M-GigabitEthernet0/0/0.
Enable DHCP client on M-GigabitEthernet0/0/0.
Set DHCP client identifier: 00e0fc026820
Obtained an IP address for M-GigabitEthernet0/0/0: 192.168.11.2.
Obtained configuration file name ospf.template and TFTP server name 192.168.12.101.
Resolved the TFTP server name to 192.168.12.101.
INFO: Get device tag file device_tag.csv success.
INFO: Read role Leaf from tag file.
Successfully downloaded file ospf_Leaf.template.
Executing the configuration file. Please wait...
Automatic configuration successfully completed.
Line aux0 is available.
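(4) After automatic configuration completes, the device is incorporated by the controller into the corresponding fabric and its state is active (except for border devices). Automated deployment and incorporation have succeeded.
Switches of the Border device type are in the inactive state after automated deployment. Their state changes to active only after they are added to a device group.
(1) Open the [Automation > Data Center Networks > Resource Pools > Device Resources > Device Groups] page and click <Add> to add a device group.
(2) The following parameters can be configured on this page:
¡ Basic information
- Device group name: bdgroup1.
- MAC address: 3C:8C:40:4E:DD:46. For how to configure the MAC address for S12500X devices, see "When an S12500X acts as a border device, how do I configure the MAC address of the device group?".
- Remote device group: select Yes for Remote leaf and No otherwise. This parameter cannot be changed after it is configured, so plan it in advance.
- Network position: four options that can be combined: egress gateway, inter-fabric interconnect, inter-DC interconnect, and Service-Leaf.
- HA deployment mode: M-LAG.
- Configure other parameters as the network requires. This example keeps the defaults.
¡ Egress gateway settings
- Firewall access mode: Off.
Figure 192 Adding a device group
(3) Click <Add Device> to add the border devices to the device group.
Figure 193 Adding devices

(4) Click <OK> to complete the device group configuration.
(5) Open the "Switching Devices" page of the fabric to view the device list and click <Refresh>. The state of the border devices changes to active, which indicates that the devices have been incorporated by the controller.
(6) After the device group is added, the controller deploys cross-device aggregation automatically. Open the [Automation > Data Center Networks > Fabrics > Cross-Device Aggregation] page and click the "M-LAG System" tab. The M-LAG group number range area shows the M-LAG group numbers and the M-LAG system area shows the M-LAG system information. Click the "Intra-Device Aggregate Interfaces" tab to view the peer-link aggregate interface. For access devices, the aggregate interfaces that connect to FW/LB can be viewed. For border devices, they cannot.
(7) On the intra-device aggregate interface page, add the aggregate interface that connects border1 to FW/LB/external networks and the aggregate interface that connects border2 to FW/LB/external networks. On the M-LAG group page, add the M-LAG group that connects to FW/LB/external networks.
(8) In the direct egress scenario, permit the external network VLAN on the aggregate interfaces that connect border1 and border2 to the external network. In the secure egress scenario, permit the relevant service VLANs on the aggregate interfaces that connect border1 and border2 to the external network. See "AD-DC 7.1 Security Service Resource Configuration Guide" for details.
(9) So that packets of single-homed VMs forwarded from the M-LAG Leaf to the M-LAG Border can be decapsulated correctly by the M-LAG Border, manually change the default decapsulation address on the M-LAG Border to the M-LAG Border virtual address. This must be configured on both Border1 and Border2.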
[border1] vxlan default-decapsulation source interface LoopBack2
[border2] vxlan default-decapsulation source interface LoopBack2
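Switches of the Border device type are in the inactive state after automated deployment. Their state changes to active only after they are added to a device group.
(1) Open the [Automation > Data Center Networks > Resource Pools > Device Resources > Device Groups] page and click <Add> to add a device group.
(2) The following parameters can be configured on this page:
¡ Basic information
- Device group name: slgroup1.
- MAC address: 3C:8C:40:4E:DD:46. For how to configure the MAC address for S12500X devices, see "When an S12500X acts as a border device, how do I configure the MAC address of the device group?".
- Remote device group: select Yes for Remote leaf and No otherwise. This parameter cannot be changed after it is configured, so plan it in advance.
- Network position: four options that can be combined: egress gateway, inter-fabric interconnect, inter-DC interconnect, and Service Leaf. Plan this in advance.
- Service Leaf.
- HA deployment mode: M-LAG.
- Configure other parameters as the network requires. This example keeps the defaults.
Figure 194 Adding a Service-Leaf device group
(3) Click <Add Device> to add the Service-Leaf devices to the device group.
Figure 195 Adding devices

(4) Click <OK> to complete the device group configuration.
(5) Open the "Switching Devices" page of the fabric to view the device list and click <Refresh>. The state of the border devices changes to active, which indicates that the devices have been incorporated by the controller.
(6) After the device group is added, the controller deploys cross-device aggregation automatically. Open the [Automation > Data Center Networks > Fabrics > Cross-Device Aggregation] page and click the "M-LAG System" tab. The M-LAG group number range area shows the M-LAG group numbers and the M-LAG system area shows the M-LAG system information. Click the "Intra-Device Aggregate Interfaces" tab to view the peer-link aggregate interface. For access devices, the aggregate interfaces that connect to FW/LB can be viewed. For border devices, they cannot.
(7) On the intra-device aggregate interface page, add the aggregate interface that connects Service-Leaf1 to FW/LB/external networks and the aggregate interface that connects Service-Leaf2 to FW/LB/external networks. On the M-LAG group page, add the M-LAG group that connects to FW/LB/external networks.
The auto-recovery time after an M-LAG device starts must be longer than the time the peer device takes to reboot. The reference value is 600 seconds for chassis devices such as S12500G/S12500X/S10500X/S7500X and 300 seconds for fixed-port devices such as S68XX. Configure it as follows: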
[server-leaf1] m-lag auto-recovery reload-delay 600
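(1) If the Border needs to connect to FW/LB devices, manually configure the aggregate interfaces that connect to the FW/LB devices on the Border. The example connects Border1 to FW1 and FW2.
¡ Configure the interface that connects to FW device 1.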
[border1] interface Bridge-Aggregation257
[border1-Bridge-Aggregation257] port link-type trunk
[border1-Bridge-Aggregation257] undo port trunk permit vlan 1
[border1-Bridge-Aggregation257] link-aggregation mode dynamic
[border1-Bridge-Aggregation257] port m-lag group 2
[border1-Bridge-Aggregation257] stp edged-port
[border1-Bridge-Aggregation257] quit
[border1] interface Ten-GigabitEthernet6/0/1
[border1-Ten-GigabitEthernet6/0/1] port link-mode bridge
[border1-Ten-GigabitEthernet6/0/1] port link-type trunk
[border1-Ten-GigabitEthernet6/0/1] undo port trunk permit vlan 1
[border1-Ten-GigabitEthernet6/0/1] port link-aggregation group 257
[border1-Ten-GigabitEthernet6/0/1] quit
¡ Configure the interface that connects to FW device 2.
[border1] interface Bridge-Aggregation258
[border1-Bridge-Aggregation258] port link-type trunk
[border1-Bridge-Aggregation258] undo port trunk permit vlan 1
[border1-Bridge-Aggregation258] link-aggregation mode dynamic
[border1-Bridge-Aggregation258] port m-lag group 3
[border1-Bridge-Aggregation258] stp edged-port
[border1-Bridge-Aggregation258] quit
[border1] interface Ten-GigabitEthernet6/0/2
[border1-Ten-GigabitEthernet6/0/2] port link-mode bridge
[border1-Ten-GigabitEthernet6/0/2] port link-type trunk
[border1-Ten-GigabitEthernet6/0/2] undo port trunk permit vlan 1
[border1-Ten-GigabitEthernet6/0/2] port link-aggregation group 258
[border1-Ten-GigabitEthernet6/0/2] quit
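Service VLANs must be permitted on the aggregate interfaces that connect to the FW. See "AD-DC 7.1 Security Service Resource Configuration Guide" for details.
(2) If a Leaf needs to connect to FW/LB devices, configure the STP commands on the Leaf aggregate interfaces that connect to the FW/LB devices. The example connects service-leaf1 to FW3 and FW4.
¡ Configure the interface that connects to FW device 3.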
[service-leaf1] interface Bridge-Aggregation257
[service-leaf1-Bridge-Aggregation257] stp edged-port
[service-leaf1-Bridge-Aggregation257] quit
¡ Configure the interface that connects to FW device 4.
[service-leaf1] interface Bridge-Aggregation258
[service-leaf1-Bridge-Aggregation258] stp edged-port
[service-leaf1-Bridge-Aggregation258] quit
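(1) Check that the template files were delivered correctly.
After restarting with an empty configuration, the device management port automatically obtains a management IP address and the TFTP server address. The device downloads the device tag file and the configuration template file for its role (template name_device role.template) from the controller and then loads the configuration automatically.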
<Spine1> dir *.template
Directory of flash:
0 -rw- 5984 Jun 11 2021 09:20:56 f1auto_spine.template
1 -rw- 5716 Jul 15 2021 15:42:28 fabric1_template_spine.template
(2) Check that the device role is correct.
<Spine1> display vcf-fabric role
Default role: spine
Current role: spine
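(3) Verify that routes between the devices are reachable.
Automated deployment delivers the routing configuration automatically so that all devices in the fabric can reach each other. Use the display bgp peer l2vpn evpn command to check that the neighbor state is normal.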
<Spine1> system-view
[Spine1] display bgp peer l2vpn evpn
BGP local router ID: 10.1.1.2
Local AS number: 100
Total number of peers: 4 Peers in established state: 4
* - Dynamically created peer
^ - Peer created through link-local address
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
10.1.1.4 100 15937 24138 0 13 0236h38m Established
10.1.1.5 100 23221 46763 0 15 0288h26m Established
10.1.1.6 100 31753 27503 0 34 0334h14m Established
10.1.1.7 100 31573 30227 0 34 0334h14m Established
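(4) Check that the M-LAG system state is normal.
a. Open the [Automation > Data Center Networks > Fabrics > Cross-Device Aggregation > M-LAG System] page. The M-LAG group number range area shows the automatically created M-LAG group numbers.
b. Open the [Automation > Data Center Networks > Fabrics > Cross-Device Aggregation > M-LAG System] page. The M-LAG system area shows the automatically created M-LAG system.
c. On the device, run the display m-lag summary command manually to view the created M-LAG system.
<Spine1> system-view
[Spine1] display m-lag summary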
Flags: A -- Aggregate interface down, B -- No peer M-LAG interface configured
C -- Configuration consistency check failed
Peer-link interface: BAGG256
Peer-link interface state (cause): UP
Keepalive link state (cause): UP
M-LAG interface information
M-LAG IF M-LAG group Local state (cause) Peer state Remaining down time(s)
BAGG11 11 UP UP -
In the four-in-one network scenario, the four-in-one switches act as Spine, Border, DCI ED, and Service-Leaf at the same time and use Peer-Link M-LAG for high availability. The Server-Leaf role uses 2 separate switches in an M-LAG network.
For automated underlay configuration in the four-in-one scenario, see the section "Automated Underlay network deployment". In the automation template, set the device role to "Spine" and the device type to "Border device".
Figure 196 Four-in-one underlay network diagram
Table 12 IP addresses and interfaces in the four-in-one scenario
| Device | Address plan | Interfaces |
| Four-in-one 1 | Management address: 192.168.11.2/24, gateway 192.168.11.1; VTEP address: 10.1.1.2/32; M-LAG virtual address: 10.20.1.2/32; M-LAG system MAC address: 0002-0003-0001 (or the bridge MAC of this device); M-LAG MAD address: 10.10.1.1/30; M-LAG peer-link escape address: 10.30.1.1/30 | HGE4/0/1 (connects to Four-in-one 2 HGE4/0/1); HGE4/0/2 (connects to Four-in-one 2 HGE4/0/2); XGE6/0/48 (connects to Four-in-one 2 XGE6/0/48); XGE6/0/1 (connects to FW1 XGE1/2/0); XGE6/0/2 (connects to FW2 XGE1/2/0); XGE6/0/3 (connects to FW3 XGE1/2/0); XGE6/0/4 (connects to FW4 XGE1/2/0); XGE6/0/5 (connects to LB1 XGE1/2/0); XGE6/0/6 (connects to LB2 XGE1/2/0); XGE6/0/7 (connects to the external network device); HGE1/0/5 (connects to Server Leaf1 HGE1/0/25); HGE1/0/6 (connects to Server Leaf2 HGE1/0/25) |
| Four-in-one 2 | Management address: 192.168.11.3/24, gateway 192.168.11.1; VTEP address: 10.1.1.3/32; M-LAG virtual address: 10.20.1.2/32; M-LAG system MAC address: 0002-0003-0001 (or the bridge MAC of this device); M-LAG MAD address: 10.10.1.2/30; M-LAG peer-link escape address: 10.30.1.2/30 | HGE4/0/1 (connects to Four-in-one 1 HGE4/0/1); HGE4/0/2 (connects to Four-in-one 1 HGE4/0/2); XGE6/0/48 (connects to Four-in-one 1 XGE6/0/48); XGE6/0/1 (connects to FW1 XGE1/2/1); XGE6/0/2 (connects to FW2 XGE1/2/1); XGE6/0/3 (connects to FW3 XGE1/2/1); XGE6/0/4 (connects to FW4 XGE1/2/1); XGE6/0/5 (connects to LB1 XGE1/2/1); XGE6/0/6 (connects to LB2 XGE1/2/1); HGE1/0/5 (connects to Server Leaf1 HGE1/0/27); HGE1/0/6 (connects to Server Leaf2 HGE1/0/27) |
| Server Leaf 1 | Management address: 192.168.11.4/24, gateway 192.168.11.1; VTEP address: 10.1.1.4/32; M-LAG virtual address: 10.20.1.4/32; M-LAG system MAC address: 0002-0003-0002 (or the bridge MAC of this device); M-LAG MAD address: 10.10.1.5/30; M-LAG peer-link escape address: 10.30.1.5/30 | XGE1/0/9 (connects to Server Leaf2 XGE1/0/9); XGE1/0/10 (connects to Server Leaf2 XGE1/0/10); HGE1/0/30 (connects to Server Leaf2 HGE1/0/30); XGE1/0/11 (connects to Server 1); XGE1/0/12 (connects to Server 2); HGE1/0/25 (connects to Four-in-one 1 HGE1/0/5); HGE1/0/27 (connects to Four-in-one 2 HGE1/0/5) |
| Server Leaf 2 | Management address: 192.168.11.5/24, gateway 192.168.11.1; VTEP address: 10.1.1.5/32; M-LAG virtual address: 10.20.1.4/32; M-LAG system MAC address: 0002-0003-0002 (or the bridge MAC of this device); M-LAG MAD address: 10.10.1.6/30; M-LAG peer-link escape address: 10.30.1.6/30 | XGE1/0/9 (connects to Server Leaf1 XGE1/0/9); XGE1/0/10 (connects to Server Leaf1 XGE1/0/10); HGE1/0/30 (connects to Server Leaf1 HGE1/0/30); XGE1/0/11 (connects to Server 1); XGE1/0/12 (connects to Server 2); HGE1/0/25 (connects to Four-in-one 1 HGE1/0/6); HGE1/0/27 (connects to Four-in-one 2 HGE1/0/6) |
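In the four-in-one network scenario, the four-in-one switches act as Spine, Border, DCI ED, and Service-Leaf at the same time and use Peer-Link M-LAG for high availability. The Server-Leaf role uses 2 separate switches in an M-LAG network.
· four-in-one1 and four-in-one2 form one M-LAG system and connect through M-LAG interfaces to the north-south FW devices, the service-chain FW devices, and the external network device.
· Server Leaf 1 and Server Leaf 2 form one M-LAG system. Their M-LAG interfaces connect to Server 1 over an LACP aggregate link, and their physical ports connect to Server 2 over active/standby links.
Routing protocol support:
· The underlay routing protocol can be OSPF, IS-IS, or EBGP.
· The overlay routing protocol can only be BGP.
The manual deployment flow for the four-in-one underlay network is shown in the following figure.
Figure 198 Server Leaf device deployment flow
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the whole network.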
<four-in-one1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<four-in-one1> reboot force
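After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource commands differ by switch model, as follows:
S12500G T series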
[four-in-one1] hardware-resource tcam normal
[four-in-one1] hardware-resource routing-mode ipv6-128
[four-in-one1] hardware-resource vxlan l3gw
S12500X
[four-in-one1] hardware-resource tcam routing
[four-in-one1] hardware-resource vxlan normal
[four-in-one1] hardware-resource mcast normal
[four-in-one1] hardware-resource scale-rt-prefix none
[four-in-one1] hardware-resource mpls normal
[four-in-one1] hardware-resource parser normal
S6800
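When an S6800 acts as Leaf or Border, configure the hardware resources according to the services in use. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the size of the live network?".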
[four-in-one1] hardware-resource switch-mode 4
[four-in-one1] hardware-resource routing-mode ipv6-128
[four-in-one1] hardware-resource vxlan Border40k
S6860
[four-in-one1] hardware-resource switch-mode 4
[four-in-one1] hardware-resource routing-mode ipv6-128
[four-in-one1] hardware-resource vxlan Border24k
S6850/S9850/S6805/S6825
[four-in-one1] hardware-resource switch-mode DUAL-STACK
[four-in-one1] hardware-resource routing-mode ipv6-128
[four-in-one1] hardware-resource vxlan l3gw
S10500X
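On the S10500X, the switch-mode hardware resource parameter must keep its default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not the default, use the switch-mode command to set it back to the default. The change takes effect after a reboot.
(1) Change the interface module parameter, using slot 0 as the example.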
[four-in-one1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter, using slot 6 as the example.
[four-in-one1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
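On the S7500X, the switch-mode hardware resource parameter must keep its default value. The default switch-mode is mix-bridging-routing for interface modules, and switch-mode does not need to be set on the MPU. Use the display switch-mode status command to view the configured value. If switch-mode is not the default, use the switch-mode command to set it back to the default. The change takes effect after a reboot.
Change the interface module parameter, using slot 2 as the example.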
[four-in-one1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
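S12500G S series
On the S12500G S series, the switch-mode hardware resource parameter must be normal, which can be checked with the display switch-mode status command. system-working-mode must be expert, which can be checked with the display system-working-mode command. switch-mode and system-working-mode can be changed with the following commands. The change takes effect after a reboot.
Slot 3 is used as the example.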
[four-in-one1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[four-in-one1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
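S12500R series
On the S12500R series, the hardware-resource mdb parameter must be routing, which can be checked with the display hardware-resource mdb command. hardware-resource interface must be bridge, which can be checked with the display hardware-resource interface command. hardware-resource mdb and hardware-resource interface can be changed with the following commands. The change takes effect after a reboot.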
[four-in-one1] hardware-resource mdb routing
[four-in-one1] hardware-resource interface bridge
S10506X-G
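On the S10506X-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as the example.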
[four-in-one1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
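On the S6850-56HF-G/S9850-32H-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as the example.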
[four-in-one1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
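S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the switch-mode hardware resource parameter must be normal, which can be checked with the display switch-mode status command. system-working-mode must be expert, which can be checked with the display system-working-mode command. switch-mode and system-working-mode can be changed with the following commands. The change takes effect after a reboot.
Slot 3 is used as the example.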
[four-in-one1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[four-in-one1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
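On the S10500XG/12500G-EF, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as the example.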
[four-in-one1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
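On the S6805G/S6850G/9850G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
Slot 1 is used as the example.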
[four-in-one1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
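On the S9825/S9855, hardware-resource switch-mode can be set to ROUTING or MAC and defaults to ROUTING. The two modes differ only in scale, not in function. Keeping the default is recommended, and both ends should use the same mode. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128, which can be checked with the display hardware-resource routing-mode command. Set hardware-resource vxlan to L3GW, which can be checked with the display hardware-resource vxlan command. The values can be changed with the following commands. The change takes effect after a reboot.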
[four-in-one1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[four-in-one1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[four-in-one1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
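On the S9827, set hardware-resource switch-mode to ROUTING, which can be checked with the display hardware-resource switch-mode command. Set hardware-resource routing-mode to ipv6-128, which can be checked with the display hardware-resource routing-mode command. Set hardware-resource vxlan to L3GW, which can be checked with the display hardware-resource vxlan command. The values can be changed with the following commands. The change takes effect after a reboot.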
[four-in-one1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[four-in-one1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[four-in-one1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
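(1) Configure the management VPN.
[four-in-one1] ip vpn-instance mgmt
(2) Configure the default route of the management network. The next hop is the gateway address on the management switch.
[four-in-one1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management port.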
[four-in-one1] interface M-GigabitEthernet0/0/0
[four-in-one1-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[four-in-one1-M-GigabitEthernet0/0/0] ip address 192.168.11.2 255.255.255.0
[four-in-one1-M-GigabitEthernet0/0/0] quit
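(4) Configure the management user. The example uses the user name admin and the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some functions use HTTPS short connections, so the service-type https command must be configured. Otherwise those functions do not work properly. For the functions that use HTTPS short connections, see "Which functions use HTTPS short connections?".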
[four-in-one1] local-user admin class manage
[four-in-one1-luser-manage-admin] password simple Qwert@1234
[four-in-one1-luser-manage-admin] service-type https ssh
[four-in-one1-luser-manage-admin] authorization-attribute user-role network-admin
[four-in-one1-luser-manage-admin] authorization-attribute user-role network-operator
[four-in-one1-luser-manage-admin] quit
(5) Configure the VTY lines.
[four-in-one1] line vty 0 63
[four-in-one1-line-vty0-63] authentication-mode scheme
[four-in-one1-line-vty0-63] user-role network-admin
[four-in-one1-line-vty0-63] user-role network-operator
[four-in-one1-line-vty0-63] quit
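(6) Configure NETCONF. Some functions use HTTPS short connections, so the netconf soap https enable command must be configured. Otherwise those functions do not work properly. For the functions that use HTTPS short connections, see "Which functions use HTTPS short connections?".
[four-in-one1] netconf soap https enable
[four-in-one1] netconf ssh server enable
(7) Enable the SSH service.
[four-in-one1] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. The example uses the NTP server IP 192.168.10.101.
[four-in-one1] ntp-service enable
[four-in-one1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.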
[four-in-one1] snmp-agent
[four-in-one1] snmp-agent community write private
[four-in-one1] snmp-agent community read public
[four-in-one1] snmp-agent sys-info version all
[four-in-one1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[four-in-one1] lldp global enable
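The management-plane steps above use an example password printed in this guide, the SNMP community strings public and private, and `snmp-agent sys-info version all`, which enables SNMPv1 and v2c alongside v3. The following is an added example, not part of the H3C guide: a small audit that flags exactly those settings in pasted device configuration so they can be replaced with site-specific values before the device goes into production. Both sample configurations are constructed, and `SITE-SECRET` and the rule names are placeholders chosen for this example.

```python
import re

# Example passwords printed in this guide; a published password must not reach production.
DOCUMENTED_PASSWORDS = {"Qwert@1234", "Admin@123456"}
PROMPT = re.compile(r"^\s*(?:\[[^\]]+\]|<[^>]+>)\s*")  # "[four-in-one1] " or "<Sysname> "

# Constructed sample: commands from the steps above, as typed on the device.
AS_DOCUMENTED = """\
[four-in-one1] local-user admin class manage
[four-in-one1-luser-manage-admin] password simple Qwert@1234
[four-in-one1-luser-manage-admin] service-type https ssh
[four-in-one1] line vty 0 63
[four-in-one1-line-vty0-63] authentication-mode scheme
[four-in-one1] ssh server enable
[four-in-one1] snmp-agent
[four-in-one1] snmp-agent community write private
[four-in-one1] snmp-agent community read public
[four-in-one1] snmp-agent sys-info version all
"""

# Constructed sample after review; SITE-SECRET stands in for a site-specific password.
REVIEWED = """\
local-user admin class manage
 password simple SITE-SECRET
 service-type https ssh
line vty 0 63
 authentication-mode scheme
ssh server enable
snmp-agent
snmp-agent sys-info version v3
"""


def audit(config_text):
    """Return (line_number, rule_id, detail) for each setting to change before production."""
    findings = []
    user = None
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = PROMPT.sub("", raw).strip()
        m = re.match(r"local-user (\S+)", line)
        if m:
            user = m.group(1)  # remember whose password the following lines set
            continue
        m = re.match(r"password simple (\S+)", line)
        if m and m.group(1) in DOCUMENTED_PASSWORDS:
            findings.append((number, "documented-password",
                             f"local-user {user} uses an example password from the guide"))
            continue
        m = re.match(r"snmp-agent community (read|write) (\S+)", line)
        if m:
            access, name = m.groups()
            if name in ("public", "private"):
                findings.append((number, "snmp-default-community",
                                 f"well-known community string '{name}'"))
            if access == "write":
                findings.append((number, "snmp-write-community",
                                 "a community string grants write access to the device"))
            continue
        m = re.match(r"snmp-agent sys-info version (.+)", line)
        if m and {"all", "v1", "v2c"} & set(m.group(1).split()):
            findings.append((number, "snmp-cleartext-version",
                             "SNMPv1/v2c enabled; community strings cross the network in cleartext"))
        elif line == "telnet server enable":
            findings.append((number, "telnet-enabled",
                             "Telnet carries credentials in cleartext; use SSH"))
        elif line == "authentication-mode none":
            findings.append((number, "vty-no-authentication",
                             "user line accepts logins without authentication"))
    return findings


if __name__ == "__main__":
    for number, rule, detail in audit(AS_DOCUMENTED):
        print(f"line {number}: {rule}: {detail}")
```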
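(1) Enable L2VPN.
[four-in-one1] l2vpn enable
(2) Disable MAC, ARP, and ND learning from VXLAN tunnels.
[four-in-one1] vxlan tunnel mac-learning disable
[four-in-one1] vxlan tunnel arp-learning disable
[four-in-one1] vxlan tunnel nd-learning disable
To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameters] page. If IPv6 is not enabled there and this command is configured manually, a configuration audit difference is reported.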
[four-in-one1] ospf 1 router-id 192.168.11.2
[four-in-one1-ospf-1] non-stop-routing
[four-in-one1-ospf-1] area 0.0.0.0
[four-in-one1-ospf-1] quit
[four-in-one1] interface LoopBack0
[four-in-one1-LoopBack0] ip address 10.1.1.2 255.255.255.255
[four-in-one1-LoopBack0] ospf 1 area 0.0.0.0
[four-in-one1-LoopBack0] quit
Configure the IBGP RR.
[four-in-one1] bgp 100
[four-in-one1-bgp-default] non-stop-routing
[four-in-one1-bgp-default] router-id 10.1.1.2
[four-in-one1-bgp-default] group evpn internal
[four-in-one1-bgp-default] peer evpn source-address 10.1.1.2
[four-in-one1-bgp-default] peer 10.1.1.4 group evpn //IBGP peer Server Leaf 1
[four-in-one1-bgp-default] peer 10.1.1.5 group evpn //IBGP peer Server Leaf 2
[four-in-one1-bgp-default] address-family l2vpn evpn
[four-in-one1-bgp-default-evpn] undo policy vpn-target
[four-in-one1-bgp-default-evpn] peer evpn enable
[four-in-one1-bgp-default-evpn] peer evpn reflect-client
[four-in-one1-bgp-default-evpn] quit
[four-in-one1-bgp-default] quit
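The following uses the interface that connects to Server Leaf 1 as the example. Configure the interfaces that connect to the other Leaf devices in the same way.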
[four-in-one1] interface HundredGigE1/0/5
[four-in-one1-HundredGigE1/0/5] port link-mode route
[four-in-one1-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[four-in-one1-HundredGigE1/0/5] ospf network-type p2p
[four-in-one1-HundredGigE1/0/5] ospf 1 area 0.0.0.0
[four-in-one1-HundredGigE1/0/5] lldp management-address arp-learning
[four-in-one1-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[four-in-one1-HundredGigE1/0/5] quit
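The Global MAC is the Router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE. Alternatively, pick one of the Available Global MAC addresses of the two devices.
On S12500G/S12500X/S7500X/S10500X devices, use the display interface vlan-interface command to view the Available Global MAC.
On S6805/S6850/S9850/S6825/S6800/S6860 and similar devices, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the whole network. This also applies in multi-fabric and data center interconnect scenarios.
[four-in-one1] evpn global-mac 0001-0001-0001
The M-LAG real address command, evpn m-lag local remote, does not need to be configured on the Border.
(1) Configure the M-LAG virtual address.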
[four-in-one1] interface LoopBack2
[four-in-one1-LoopBack2] ip address 10.20.1.2 255.255.255.255
[four-in-one1-LoopBack2] ospf 1 area 0.0.0.0
[four-in-one1-LoopBack2] quit
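(2) All M-LAG devices in an M-LAG system use the same virtual address.
[four-in-one1] evpn m-lag group 10.20.1.2
(3) Use the M-LAG virtual address as the next hop of BGP routes.
[four-in-one1] bgp 100
[four-in-one1-bgp-default] address-family l2vpn evpn
[four-in-one1-bgp-default-evpn] nexthop evpn-m-lag group-address
[four-in-one1-bgp-default-evpn] quit
[four-in-one1-bgp-default] quit
(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the whole network. Using the bridge MAC of either M-LAG device as the system-mac is recommended. Run the display lacp system-id command on the device to view its bridge MAC.
[four-in-one1] m-lag system-mac 0002-0003-0001
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must use different system-number values, for example 1 on one M-LAG device and 2 on the other.
[four-in-one1] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[four-in-one1] m-lag system-priority 10
(1) Create the VLANs.
[four-in-one1] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.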
[four-in-one1] interface Bridge-Aggregation1
[four-in-one1-Bridge-Aggregation1] port link-type trunk
[four-in-one1-Bridge-Aggregation1] port trunk permit vlan all
[four-in-one1-Bridge-Aggregation1] port trunk pvid vlan 4094
[four-in-one1-Bridge-Aggregation1] link-aggregation mode dynamic
[four-in-one1-Bridge-Aggregation1] port m-lag peer-link 1
[four-in-one1-Bridge-Aggregation1] undo mac-address static source-check enable
[four-in-one1-Bridge-Aggregation1] quit
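On S12500X devices, the undo mac-address static source-check enable command does not need to be configured on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: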
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical port 1.
[four-in-one1] interface HundredGigE4/0/1
[four-in-one1-HundredGigE4/0/1] port link-mode bridge
[four-in-one1-HundredGigE4/0/1] port link-type trunk
[four-in-one1-HundredGigE4/0/1] port trunk permit vlan all
[four-in-one1-HundredGigE4/0/1] port trunk pvid vlan 4094
[four-in-one1-HundredGigE4/0/1] port link-aggregation group 1
[four-in-one1-HundredGigE4/0/1] quit
(4) Configure peer-link physical port 2.
[four-in-one1] interface HundredGigE4/0/2
[four-in-one1-HundredGigE4/0/2] port link-mode bridge
[four-in-one1-HundredGigE4/0/2] port link-type trunk
[four-in-one1-HundredGigE4/0/2] port trunk permit vlan all
[four-in-one1-HundredGigE4/0/2] port trunk pvid vlan 4094
[four-in-one1-HundredGigE4/0/2] port link-aggregation group 1
[four-in-one1-HundredGigE4/0/2] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the links go MAD UP only after the specified delay.
[four-in-one1] m-lag restore-delay 180
(2) Configure the VPN.
[four-in-one1] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[four-in-one1] interface Ten-GigabitEthernet6/0/48
[four-in-one1-Ten-GigabitEthernet6/0/48] port link-mode route
[four-in-one1-Ten-GigabitEthernet6/0/48] ip binding vpn-instance auto-online-mlag
[four-in-one1-Ten-GigabitEthernet6/0/48] ip address 10.10.1.1 255.255.255.252
[four-in-one1-Ten-GigabitEthernet6/0/48] quit
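(4) Configure the M-LAG MAD whitelist.
Except for the M-LAG peer-link interfaces, the MAD interface, and interfaces to be added to a service loopback group, all other physical interfaces must be added to the whitelist.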
[four-in-one1] m-lag mad default-action none
[four-in-one1] m-lag keepalive ip destination 10.10.1.2 source 10.10.1.1 vpn-instance auto-online-mlag
[four-in-one1] m-lag mad include interface FortyGigE4/0/1
... (remaining interfaces omitted) ...
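This section requires the two members of an M-LAG system to share the Global MAC, system-mac, system-priority and M-LAG virtual address, to use different system-number values, and the keepalive command above pairs each member's source address with the peer's destination. The following is an added example, not part of the H3C guide: it extracts those values from the configuration of both members and reports every rule that is broken. MEMBER_1 uses the four-in-one1 commands from this page. The two peer configurations are constructed, and the function and field names are chosen for this example.

```python
import re

PROMPT = re.compile(r"^\s*(?:\[[^\]]+\]|<[^>]+>)\s*")
MUST_MATCH = {  # values that must be identical on both members
    "system_mac": r"m-lag system-mac (\S+)",
    "system_priority": r"m-lag system-priority (\S+)",
    "global_mac": r"evpn global-mac (\S+)",
    "virtual_ip": r"evpn m-lag group (\S+)",
}
OTHER = {
    "system_number": r"m-lag system-number (\S+)",
    "keepalive": r"m-lag keepalive ip destination (\S+) source (\S+)",
}

# four-in-one1, commands as shown on this page.
MEMBER_1 = """\
[four-in-one1] evpn global-mac 0001-0001-0001
[four-in-one1] evpn m-lag group 10.20.1.2
[four-in-one1] m-lag system-mac 0002-0003-0001
[four-in-one1] m-lag system-number 2
[four-in-one1] m-lag system-priority 10
[four-in-one1] m-lag keepalive ip destination 10.10.1.2 source 10.10.1.1 vpn-instance auto-online-mlag
"""
# Constructed peer that follows the rules (addresses from Table 12).
MEMBER_2_OK = """\
[four-in-one2] evpn global-mac 0001-0001-0001
[four-in-one2] evpn m-lag group 10.20.1.2
[four-in-one2] m-lag system-mac 0002-0003-0001
[four-in-one2] m-lag system-number 1
[four-in-one2] m-lag system-priority 10
[four-in-one2] m-lag keepalive ip destination 10.10.1.1 source 10.10.1.2 vpn-instance auto-online-mlag
"""
# Constructed peer with four mistakes: no Global MAC, wrong system-mac,
# duplicate system-number, keepalive source that is not this member's MAD address.
MEMBER_2_BAD = """\
[four-in-one2] evpn m-lag group 10.20.1.2
[four-in-one2] m-lag system-mac 0002-0003-00A1
[four-in-one2] m-lag system-number 2
[four-in-one2] m-lag system-priority 10
[four-in-one2] m-lag keepalive ip destination 10.10.1.1 source 10.10.1.6 vpn-instance auto-online-mlag
"""


def extract(config_text):
    """Collect the M-LAG values from pasted configuration, with or without prompts."""
    values = {}
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw).strip().lower()  # MAC case is not significant
        for field, pattern in {**MUST_MATCH, **OTHER}.items():
            m = re.match(pattern, line)
            if m:
                values[field] = m.groups() if len(m.groups()) > 1 else m.group(1)
    return values


def compare(config_a, config_b):
    """Return (field, detail) for every consistency rule the pair breaks."""
    a, b = extract(config_a), extract(config_b)
    problems = []
    for field in list(MUST_MATCH) + list(OTHER):
        if field not in a or field not in b:
            problems.append((field, "missing on one or both members"))
    for field in MUST_MATCH:
        if field in a and field in b and a[field] != b[field]:
            problems.append((field, f"differs: {a[field]} vs {b[field]}"))
    if "system_number" in a and a["system_number"] == b.get("system_number"):
        problems.append(("system_number", "must differ between the two members"))
    if "keepalive" in a and "keepalive" in b and a["keepalive"] != b["keepalive"][::-1]:
        # keepalive is (destination, source); the peer must use the mirrored pair
        problems.append(("keepalive", "destination/source are not mirrored"))
    return problems


if __name__ == "__main__":
    for field, detail in compare(MEMBER_1, MEMBER_2_BAD):
        print(f"{field}: {detail}")
```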
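When the uplink ports of device 1 and the downlink ports of device 2 go DOWN at the same time, traffic from the downlink ports of device 1 reaches the uplink ports of device 2 through the peer-link escape path, so that connectivity with other devices is maintained. Using the PVID VLAN of the peer-link port as the escape VLAN is recommended.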
[four-in-one1] interface Vlan-interface4094
[four-in-one1-Vlan-interface4094] ip address 10.30.1.1 255.255.255.252
[four-in-one1-Vlan-interface4094] ospf 1 area 0.0.0.0
[four-in-one1-Vlan-interface4094] quit
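Create dynamic ACs automatically on the peer-link.
· On devices other than the S12500X, configure the following command:
[four-in-one1] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device:
[four-in-one1] l2vpn m-lag peer-link tunnel source 10.1.1.2 destination 10.1.1.3
So that packets of single-homed VMs forwarded from the M-LAG Leaf to the M-LAG Border can be decapsulated correctly by the M-LAG Border, configure the default decapsulation address on the M-LAG Border as the M-LAG Border virtual address.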
[four-in-one1] vxlan default-decapsulation source interface LoopBack2
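The auto-recovery time after an M-LAG device starts must be longer than the time the peer device takes to reboot. The reference value is 600 seconds for chassis devices such as S12500G/S12500X/S10500X/S7500X and 300 seconds for fixed-port devices such as S68XX. Configure it as follows: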
[four-in-one1] m-lag auto-recovery reload-delay 600
(1) Configure the interfaces that connect to FW device 1.
[four-in-one1] interface Bridge-Aggregation3
[four-in-one1-Bridge-Aggregation3] port link-type trunk
[four-in-one1-Bridge-Aggregation3] undo port trunk permit vlan 1
[four-in-one1-Bridge-Aggregation3] link-aggregation mode dynamic
[four-in-one1-Bridge-Aggregation3] port m-lag group 2
[four-in-one1-Bridge-Aggregation3] quit
[four-in-one1] interface Ten-GigabitEthernet6/0/1
[four-in-one1-Ten-GigabitEthernet6/0/1] port link-mode bridge
[four-in-one1-Ten-GigabitEthernet6/0/1] port link-type trunk
[four-in-one1-Ten-GigabitEthernet6/0/1] undo port trunk permit vlan 1
[four-in-one1-Ten-GigabitEthernet6/0/1] port link-aggregation group 3
[four-in-one1-Ten-GigabitEthernet6/0/1] quit
(2) Configure the interfaces that connect to FW device 2.
[four-in-one1] interface Bridge-Aggregation4
[four-in-one1-Bridge-Aggregation4] port link-type trunk
[four-in-one1-Bridge-Aggregation4] undo port trunk permit vlan 1
[four-in-one1-Bridge-Aggregation4] link-aggregation mode dynamic
[four-in-one1-Bridge-Aggregation4] port m-lag group 3
[four-in-one1-Bridge-Aggregation4] quit
[four-in-one1] interface Ten-GigabitEthernet6/0/2
[four-in-one1-Ten-GigabitEthernet6/0/2] port link-mode bridge
[four-in-one1-Ten-GigabitEthernet6/0/2] port link-type trunk
[four-in-one1-Ten-GigabitEthernet6/0/2] undo port trunk permit vlan 1
[four-in-one1-Ten-GigabitEthernet6/0/2] port link-aggregation group 4
[four-in-one1-Ten-GigabitEthernet6/0/2] quit
(3) Configure the interfaces that connect to FW device 3.
[four-in-one1] interface Bridge-Aggregation256
[four-in-one1-Bridge-Aggregation256] port link-type trunk
[four-in-one1-Bridge-Aggregation256] undo port trunk permit vlan 1
[four-in-one1-Bridge-Aggregation256] link-aggregation mode dynamic
[four-in-one1-Bridge-Aggregation256] port m-lag group 4
[four-in-one1-Bridge-Aggregation256] quit
[four-in-one1] interface Ten-GigabitEthernet6/0/3
[four-in-one1-Ten-GigabitEthernet6/0/3] port link-mode bridge
[four-in-one1-Ten-GigabitEthernet6/0/3] port link-type trunk
[four-in-one1-Ten-GigabitEthernet6/0/3] undo port trunk permit vlan 1
[four-in-one1-Ten-GigabitEthernet6/0/3] port link-aggregation group 256
[four-in-one1-Ten-GigabitEthernet6/0/3] quit
(4) Configure the interfaces that connect to FW device 4.
[four-in-one1] interface Bridge-Aggregation257
[four-in-one1-Bridge-Aggregation257] port link-type trunk
[four-in-one1-Bridge-Aggregation257] undo port trunk permit vlan 1
[four-in-one1-Bridge-Aggregation257] link-aggregation mode dynamic
[four-in-one1-Bridge-Aggregation257] port m-lag group 5
[four-in-one1-Bridge-Aggregation257] quit
[four-in-one1] interface Ten-GigabitEthernet6/0/4
[four-in-one1-Ten-GigabitEthernet6/0/4] port link-mode bridge
[four-in-one1-Ten-GigabitEthernet6/0/4] port link-type trunk
[four-in-one1-Ten-GigabitEthernet6/0/4] undo port trunk permit vlan 1
[four-in-one1-Ten-GigabitEthernet6/0/4] port link-aggregation group 257
[four-in-one1-Ten-GigabitEthernet6/0/4] quit
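The service VLANs must be permitted on the aggregate interfaces that connect to the FWs. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.
(1) Configure the interfaces that connect to LB device 1.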
[four-in-one1] interface Bridge-Aggregation7
[four-in-one1-Bridge-Aggregation7] port link-type trunk
[four-in-one1-Bridge-Aggregation7] undo port trunk permit vlan 1
[four-in-one1-Bridge-Aggregation7] link-aggregation mode dynamic
[four-in-one1-Bridge-Aggregation7] port m-lag group 6
[four-in-one1-Bridge-Aggregation7] quit
[four-in-one1] interface Ten-GigabitEthernet6/0/5
[four-in-one1-Ten-GigabitEthernet6/0/5] port link-mode bridge
[four-in-one1-Ten-GigabitEthernet6/0/5] port link-type trunk
[four-in-one1-Ten-GigabitEthernet6/0/5] undo port trunk permit vlan 1
[four-in-one1-Ten-GigabitEthernet6/0/5] port link-aggregation group 7
[four-in-one1-Ten-GigabitEthernet6/0/5] quit
(2) Configure the interfaces that connect to LB device 2.
[four-in-one1] interface Bridge-Aggregation8
[four-in-one1-Bridge-Aggregation8] port link-type trunk
[four-in-one1-Bridge-Aggregation8] undo port trunk permit vlan 1
[four-in-one1-Bridge-Aggregation8] link-aggregation mode dynamic
[four-in-one1-Bridge-Aggregation8] port m-lag group 7
[four-in-one1-Bridge-Aggregation8] quit
[four-in-one1] interface Ten-GigabitEthernet6/0/6
[four-in-one1-Ten-GigabitEthernet6/0/6] port link-mode bridge
[four-in-one1-Ten-GigabitEthernet6/0/6] port link-type trunk
[four-in-one1-Ten-GigabitEthernet6/0/6] undo port trunk permit vlan 1
[four-in-one1-Ten-GigabitEthernet6/0/6] port link-aggregation group 8
[four-in-one1-Ten-GigabitEthernet6/0/6] quit
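The service VLANs must be permitted on the aggregate interfaces that connect to the LBs. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.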
[four-in-one1] interface Bridge-Aggregation2
[four-in-one1-Bridge-Aggregation2] port link-type trunk
[four-in-one1-Bridge-Aggregation2] undo port trunk permit vlan 1
[four-in-one1-Bridge-Aggregation2] link-aggregation mode dynamic
[four-in-one1-Bridge-Aggregation2] port m-lag group 1
[four-in-one1-Bridge-Aggregation2] quit
[four-in-one1] interface Ten-GigabitEthernet6/0/7
[four-in-one1-Ten-GigabitEthernet6/0/7] port link-mode bridge
[four-in-one1-Ten-GigabitEthernet6/0/7] port link-type trunk
[four-in-one1-Ten-GigabitEthernet6/0/7] undo port trunk permit vlan 1
[four-in-one1-Ten-GigabitEthernet6/0/7] port link-aggregation group 2
[four-in-one1-Ten-GigabitEthernet6/0/7] quit
[four-in-one1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
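(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions column of fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
¡ Device name: four-in-one1.
¡ Basic information:
- Fabric: fabric1. Do not use the control component's default fabric, DEFAULTFABRIC.
- Device type: border device.
- Management IP: 192.168.11.2.
- VTEP IP: 10.1.1.2.
- Preferred region: region1.
- Device role: Spine.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 199 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the password configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 200 Adding a switching device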

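(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 201 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN instance to which the management interface of the switching device belongs. This example uses mgmt.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 202 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as required by the network. This example uses the default settings.
Figure 203 Advanced settings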

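(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.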
<four-in-one2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<four-in-one2> reboot force
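After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G T series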
[four-in-one2] hardware-resource tcam normal
[four-in-one2] hardware-resource routing-mode ipv6-128
[four-in-one2] hardware-resource vxlan l3gw
S12500X
[four-in-one2] hardware-resource tcam routing
[four-in-one2] hardware-resource vxlan normal
[four-in-one2] hardware-resource mcast normal
[four-in-one2] hardware-resource scale-rt-prefix none
[four-in-one2] hardware-resource mpls normal
[four-in-one2] hardware-resource parser normal
S6800
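When the S6800 acts as a Leaf or Border, configure the hardware resources according to service requirements. For the configuration method, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".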
[four-in-one2] hardware-resource switch-mode 4
[four-in-one2] hardware-resource routing-mode ipv6-128
[four-in-one2] hardware-resource vxlan Border40k
S6860
[four-in-one2] hardware-resource switch-mode 4
[four-in-one2] hardware-resource routing-mode ipv6-128
[four-in-one2] hardware-resource vxlan Border24k
S6850/S9850/S6805/S6825
[four-in-one2] hardware-resource switch-mode DUAL-STACK
[four-in-one2] hardware-resource routing-mode ipv6-128
[four-in-one2] hardware-resource vxlan l3gw
S10500X
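On the S10500X, the switch-mode hardware resource parameter must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If the switch-mode value is not the default, use the switch-mode command to change it to the default. The change takes effect after a reboot.
(1) Change the interface module parameter. This example uses slot 0.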
[four-in-one2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter. This example uses slot 6.
[four-in-one2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
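On the S7500X, the switch-mode hardware resource parameter must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and MPUs do not require a switch-mode setting. Use the display switch-mode status command to view the configured value. If the switch-mode value is not the default, use the switch-mode command to change it to the default. The change takes effect after a reboot.
Change the interface module parameter. This example uses slot 2.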
[four-in-one2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
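S12500G S series
On the S12500G S series, the switch-mode hardware resource parameter must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). Both switch-mode and system-working-mode can be changed with the following commands. The change takes effect after a reboot.
This example uses slot 3.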
[four-in-one2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[four-in-one2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
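S12500R series
On the S12500R series, the hardware-resource mdb parameter must be routing (use the display hardware-resource mdb command to view the configured value), and hardware-resource interface must be bridge (use the display hardware-resource interface command to view the configured value). Both hardware-resource mdb and hardware-resource interface can be changed with the following commands. The change takes effect after a reboot.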
[four-in-one2] hardware-resource mdb routing
[four-in-one2] hardware-resource interface bridge
S10506X-G
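On the S10506X-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If the switch-mode value is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
This example uses slot 1.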
[four-in-one2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
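On the S6850-56HF-G/S9850-32H-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If the switch-mode value is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
This example uses slot 1.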
[four-in-one2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
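S12500G S series/S9820-4C-G/S12500CR
On the S12500G S series/S9820-4C-G/S12500CR, the switch-mode hardware resource parameter must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). Both switch-mode and system-working-mode can be changed with the following commands. The change takes effect after a reboot.
This example uses slot 3.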
[four-in-one2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[four-in-one2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
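On the S10500XG/12500G-EF, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If the switch-mode value is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
This example uses slot 1.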
[four-in-one2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
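On the S6805G/S6850G/9850G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If the switch-mode value is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
This example uses slot 1.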
[four-in-one2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
S9825/S9855
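On the S9825/S9855, the hardware-resource switch-mode parameter can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications, with no functional impact. Keeping the default is recommended, and both ends should use the same mode. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (use the display hardware-resource routing-mode command to view the configured value) and hardware-resource vxlan to L3GW (use the display hardware-resource vxlan command to view the configured value). The settings can be changed with the following commands and take effect after a reboot.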
[four-in-one2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[four-in-one2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[four-in-one2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
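On the S9827, set hardware-resource switch-mode to ROUTING (use the display hardware-resource switch-mode command to view the configured value), hardware-resource routing-mode to ipv6-128 (use the display hardware-resource routing-mode command to view the configured value), and hardware-resource vxlan to L3GW (use the display hardware-resource vxlan command to view the configured value). The settings can be changed with the following commands and take effect after a reboot.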
[four-in-one2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[four-in-one2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[four-in-one2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN instance.
[four-in-one2] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[four-in-one2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[four-in-one2] interface M-GigabitEthernet0/0/0
[four-in-one2-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[four-in-one2-M-GigabitEthernet0/0/0] ip address 192.168.11.3 255.255.255.0
[four-in-one2-M-GigabitEthernet0/0/0] quit
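(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex and contain at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".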
[four-in-one2] local-user admin class manage
[four-in-one2-luser-manage-admin] password simple Qwert@1234
[four-in-one2-luser-manage-admin] service-type https ssh
[four-in-one2-luser-manage-admin] authorization-attribute user-role network-admin
[four-in-one2-luser-manage-admin] authorization-attribute user-role network-operator
[four-in-one2-luser-manage-admin] quit
(5) Configure the VTY lines.
[four-in-one2] line vty 0 63
[four-in-one2-line-vty0-63] authentication-mode scheme
[four-in-one2-line-vty0-63] user-role network-admin
[four-in-one2-line-vty0-63] user-role network-operator
[four-in-one2-line-vty0-63] quit
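(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".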
[four-in-one2] netconf soap https enable
[four-in-one2] netconf ssh server enable
(7) Enable the SSH service.
[four-in-one2] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses the NTP server IP 192.168.10.101.
[four-in-one2] ntp-service enable
[four-in-one2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[four-in-one2] snmp-agent
[four-in-one2] snmp-agent community write private
[four-in-one2] snmp-agent community read public
[four-in-one2] snmp-agent sys-info version all
[four-in-one2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[four-in-one2] lldp global enable
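A pre-deployment check for the management-plane steps above, as an added example (not part of the original guide and not H3C tooling). It assumes the commands are reviewed as typed, before the device stores them in encrypted form. The function names and the constructed sample input are hypothetical.

```python
import re

# Constructed input: management-plane commands as typed in steps (4) and (9).
SAMPLE = """\
local-user admin class manage
password simple Qwert@1234
service-type https ssh
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
"""

GUIDE_EXAMPLE_PASSWORDS = {"Qwert@1234"}   # printed in this guide, so not a secret
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def char_classes(password):
    """Count the character types named in step (4): digit, upper, lower, special."""
    tests = (str.isdigit, str.isupper, str.islower, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)


def audit(commands):
    """Return (line number, finding) tuples for risky management-plane settings."""
    findings = []
    for lineno, raw in enumerate(commands.splitlines(), 1):
        line = raw.strip()
        m = re.fullmatch(r"password simple (\S+)", line)
        if m:
            pw = m.group(1)
            if pw in GUIDE_EXAMPLE_PASSWORDS:
                findings.append((lineno, "password is the guide's published example"))
            if char_classes(pw) < 2:
                findings.append((lineno, "password has fewer than two character types"))
        m = re.fullmatch(r"snmp-agent community (read|write) (\S+)", line)
        if m and m.group(2).lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(
                (lineno, f"well-known SNMP {m.group(1)} community '{m.group(2)}'"))
        if line == "snmp-agent sys-info version all":
            findings.append((lineno, "SNMPv1/v2c enabled, community sent in cleartext"))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Whatever NETCONF password replaces the example value on the device must also be entered on the control component's "Device Control Protocol" tab, because the guide requires the two to match.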
(1) Enable L2VPN.
[four-in-one2] l2vpn enable
(2) Disable learning of MAC, ARP, and ND entries from VXLAN tunnels.
[four-in-one2] vxlan tunnel mac-learning disable
[four-in-one2] vxlan tunnel arp-learning disable
[four-in-one2] vxlan tunnel nd-learning disable
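To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameter Settings] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.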
[four-in-one2] ospf 1 router-id 192.168.11.3
[four-in-one2-ospf-1] non-stop-routing
[four-in-one2-ospf-1] area 0.0.0.0
[four-in-one2-ospf-1] quit
[four-in-one2] interface LoopBack0
[four-in-one2-LoopBack0] ip address 10.1.1.3 255.255.255.255
[four-in-one2-LoopBack0] ospf 1 area 0.0.0.0
[four-in-one2-LoopBack0] quit
Configure the IBGP RR.
[four-in-one2] bgp 100
[four-in-one2-bgp-default] non-stop-routing
[four-in-one2-bgp-default] router-id 10.1.1.3
[four-in-one2-bgp-default] group evpn internal
[four-in-one2-bgp-default] peer evpn source-address 10.1.1.3
[four-in-one2-bgp-default] peer 10.1.1.4 group evpn
[four-in-one2-bgp-default] peer 10.1.1.5 group evpn
[four-in-one2-bgp-default] address-family l2vpn evpn
[four-in-one2-bgp-default-evpn] undo policy vpn-target
[four-in-one2-bgp-default-evpn] peer evpn enable
[four-in-one2-bgp-default-evpn] peer evpn reflect-client
[four-in-one2-bgp-default-evpn] quit
[four-in-one2-bgp-default] quit
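The following uses the interface that connects to Server Leaf 1 as an example. Configure the interfaces that connect to other Leafs in the same way.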
[four-in-one2] interface HundredGigE1/0/5
[four-in-one2-HundredGigE1/0/5] port link-mode route
[four-in-one2-HundredGigE1/0/5] ip address unnumbered interface LoopBack0
[four-in-one2-HundredGigE1/0/5] ospf network-type p2p
[four-in-one2-HundredGigE1/0/5] ospf 1 area 0.0.0.0
[four-in-one2-HundredGigE1/0/5] lldp management-address arp-learning
[four-in-one2-HundredGigE1/0/5] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[four-in-one2-HundredGigE1/0/5] quit
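The Global MAC is the Router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE, or choose one from the Available Global MAC values of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.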
[four-in-one2] evpn global-mac 0001-0001-0001
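On the Border, the M-LAG real address command is not required, that is, the evpn m-lag local remote command does not need to be configured.
(1) Configure the M-LAG virtual address.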
[four-in-one2] interface LoopBack2
[four-in-one2-LoopBack2] ip address 10.20.1.2 255.255.255.255
[four-in-one2-LoopBack2] ospf 1 area 0.0.0.0
[four-in-one2-LoopBack2] quit
(2) All M-LAG devices in the M-LAG system use the same virtual address.
[four-in-one2] evpn m-lag group 10.20.1.2
(3) Use the M-LAG virtual address as the next hop of BGP routes.
[four-in-one2] bgp 100
[four-in-one2-bgp-default] address-family l2vpn evpn
[four-in-one2-bgp-default-evpn] nexthop evpn-m-lag group-address
[four-in-one2-bgp-default-evpn] quit
[four-in-one2-bgp-default] quit
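(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. Using the bridge MAC of either M-LAG device as the system-mac is recommended. Run the display lacp system-id command on the device to view its bridge MAC.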
[four-in-one2] m-lag system-mac 0002-0003-0001
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must use different system-number values, for example 1 on one M-LAG device and 2 on the other.
[four-in-one2] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[four-in-one2] m-lag system-priority 10
(1) Create the VLANs.
[four-in-one2] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[four-in-one2] interface Bridge-Aggregation1
[four-in-one2-Bridge-Aggregation1] port link-type trunk
[four-in-one2-Bridge-Aggregation1] port trunk permit vlan all
[four-in-one2-Bridge-Aggregation1] port trunk pvid vlan 4094
[four-in-one2-Bridge-Aggregation1] link-aggregation mode dynamic
[four-in-one2-Bridge-Aggregation1] port m-lag peer-link 1
[four-in-one2-Bridge-Aggregation1] undo mac-address static source-check enable
[four-in-one2-Bridge-Aggregation1] quit
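On S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: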
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[four-in-one2] interface HundredGigE4/0/1
[four-in-one2-HundredGigE4/0/1] port link-mode bridge
[four-in-one2-HundredGigE4/0/1] port link-type trunk
[four-in-one2-HundredGigE4/0/1] port trunk permit vlan all
[four-in-one2-HundredGigE4/0/1] port trunk pvid vlan 4094
[four-in-one2-HundredGigE4/0/1] port link-aggregation group 1
[four-in-one2-HundredGigE4/0/1] quit
(4) Configure peer-link physical interface 2.
[four-in-one2] interface HundredGigE4/0/2
[four-in-one2-HundredGigE4/0/2] port link-mode bridge
[four-in-one2-HundredGigE4/0/2] port link-type trunk
[four-in-one2-HundredGigE4/0/2] port trunk permit vlan all
[four-in-one2-HundredGigE4/0/2] port trunk pvid vlan 4094
[four-in-one2-HundredGigE4/0/2] port link-aggregation group 1
[four-in-one2-HundredGigE4/0/2] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the link goes MAD UP only after the specified delay has elapsed.
[four-in-one2] m-lag restore-delay 180
(2) Configure the VPN instance.
[four-in-one2] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[four-in-one2] interface Ten-GigabitEthernet6/0/48
[four-in-one2-Ten-GigabitEthernet6/0/48] port link-mode route
[four-in-one2-Ten-GigabitEthernet6/0/48] ip binding vpn-instance auto-online-mlag
[four-in-one2-Ten-GigabitEthernet6/0/48] ip address 10.10.1.2 255.255.255.252
[four-in-one2-Ten-GigabitEthernet6/0/48] quit
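(4) Configure the M-LAG MAD whitelist.
Except for the M-LAG peer-link interface, the MAD interface, and interfaces that are to join the service loopback group, all other physical interfaces must be added to the whitelist.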
[four-in-one2] m-lag mad default-action none
[four-in-one2] m-lag keepalive ip destination 10.10.1.1 source 10.10.1.2 vpn-instance auto-online-mlag
[four-in-one2] m-lag mad include interface FortyGigE4/0/1
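…(omitted)…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 go DOWN at the same time, traffic from the downlink interfaces of device 1 reaches the uplink interfaces of device 2 over the peer-link escape path, which maintains connectivity with other devices. Using the PVID VLAN of the peer-link interface as the escape VLAN is recommended.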
[four-in-one2] interface Vlan-interface4094
[four-in-one2-Vlan-interface4094] ip address 10.30.1.2 255.255.255.252
[four-in-one2-Vlan-interface4094] ospf 1 area 0.0.0.0
[four-in-one2-Vlan-interface4094] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[four-in-one2] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
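· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: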
[four-in-one2] l2vpn m-lag peer-link tunnel source 10.1.1.3 destination 10.1.1.2
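So that packets from single-homed VMs forwarded by the M-LAG Leaf to the M-LAG Border can be decapsulated correctly by the M-LAG Border, configure the default decapsulation address on the M-LAG Border as the M-LAG Border virtual address.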
[four-in-one2] vxlan default-decapsulation source interface LoopBack2
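The auto-recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. For chassis devices such as the S12500G/S12500X/S10500X/S7500X, the reference value is 600 seconds; for box devices such as the S68XX, the reference value is 300 seconds. Configure it as follows:
[four-in-one2] m-lag auto-recovery reload-delay 600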
(1) Configure the interfaces that connect to FW device 1.
[four-in-one2] interface Bridge-Aggregation3
[four-in-one2-Bridge-Aggregation3] port link-type trunk
[four-in-one2-Bridge-Aggregation3] undo port trunk permit vlan 1
[four-in-one2-Bridge-Aggregation3] link-aggregation mode dynamic
[four-in-one2-Bridge-Aggregation3] port m-lag group 2
[four-in-one2-Bridge-Aggregation3] quit
[four-in-one2] interface Ten-GigabitEthernet6/0/1
[four-in-one2-Ten-GigabitEthernet6/0/1] port link-mode bridge
[four-in-one2-Ten-GigabitEthernet6/0/1] port link-type trunk
[four-in-one2-Ten-GigabitEthernet6/0/1] undo port trunk permit vlan 1
[four-in-one2-Ten-GigabitEthernet6/0/1] port link-aggregation group 3
[four-in-one2-Ten-GigabitEthernet6/0/1] quit
(2) Configure the interfaces that connect to FW device 2.
[four-in-one2] interface Bridge-Aggregation4
[four-in-one2-Bridge-Aggregation4] port link-type trunk
[four-in-one2-Bridge-Aggregation4] undo port trunk permit vlan 1
[four-in-one2-Bridge-Aggregation4] link-aggregation mode dynamic
[four-in-one2-Bridge-Aggregation4] port m-lag group 3
[four-in-one2-Bridge-Aggregation4] quit
[four-in-one2] interface Ten-GigabitEthernet6/0/2
[four-in-one2-Ten-GigabitEthernet6/0/2] port link-mode bridge
[four-in-one2-Ten-GigabitEthernet6/0/2] port link-type trunk
[four-in-one2-Ten-GigabitEthernet6/0/2] undo port trunk permit vlan 1
[four-in-one2-Ten-GigabitEthernet6/0/2] port link-aggregation group 4
[four-in-one2-Ten-GigabitEthernet6/0/2] quit
(3) Configure the interfaces that connect to FW device 3.
[four-in-one2] interface Bridge-Aggregation256
[four-in-one2-Bridge-Aggregation256] port link-type trunk
[four-in-one2-Bridge-Aggregation256] undo port trunk permit vlan 1
[four-in-one2-Bridge-Aggregation256] link-aggregation mode dynamic
[four-in-one2-Bridge-Aggregation256] port m-lag group 4
[four-in-one2-Bridge-Aggregation256] quit
[four-in-one2] interface Ten-GigabitEthernet6/0/3
[four-in-one2-Ten-GigabitEthernet6/0/3] port link-mode bridge
[four-in-one2-Ten-GigabitEthernet6/0/3] port link-type trunk
[four-in-one2-Ten-GigabitEthernet6/0/3] undo port trunk permit vlan 1
[four-in-one2-Ten-GigabitEthernet6/0/3] port link-aggregation group 256
[four-in-one2-Ten-GigabitEthernet6/0/3] quit
(4) Configure the interfaces that connect to FW device 4.
[four-in-one2] interface Bridge-Aggregation257
[four-in-one2-Bridge-Aggregation257] port link-type trunk
[four-in-one2-Bridge-Aggregation257] undo port trunk permit vlan 1
[four-in-one2-Bridge-Aggregation257] link-aggregation mode dynamic
[four-in-one2-Bridge-Aggregation257] port m-lag group 5
[four-in-one2-Bridge-Aggregation257] quit
[four-in-one2] interface Ten-GigabitEthernet6/0/4
[four-in-one2-Ten-GigabitEthernet6/0/4] port link-mode bridge
[four-in-one2-Ten-GigabitEthernet6/0/4] port link-type trunk
[four-in-one2-Ten-GigabitEthernet6/0/4] undo port trunk permit vlan 1
[four-in-one2-Ten-GigabitEthernet6/0/4] port link-aggregation group 257
[four-in-one2-Ten-GigabitEthernet6/0/4] quit
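The service VLANs must be permitted on the aggregate interfaces that connect to the FWs. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.
(1) Configure the interfaces that connect to LB device 1.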
[four-in-one2] interface Bridge-Aggregation7
[four-in-one2-Bridge-Aggregation7] port link-type trunk
[four-in-one2-Bridge-Aggregation7] undo port trunk permit vlan 1
[four-in-one2-Bridge-Aggregation7] link-aggregation mode dynamic
[four-in-one2-Bridge-Aggregation7] port m-lag group 6
[four-in-one2-Bridge-Aggregation7] quit
[four-in-one2] interface Ten-GigabitEthernet6/0/5
[four-in-one2-Ten-GigabitEthernet6/0/5] port link-mode bridge
[four-in-one2-Ten-GigabitEthernet6/0/5] port link-type trunk
[four-in-one2-Ten-GigabitEthernet6/0/5] undo port trunk permit vlan 1
[four-in-one2-Ten-GigabitEthernet6/0/5] port link-aggregation group 7
[four-in-one2-Ten-GigabitEthernet6/0/5] quit
(2) Configure the interfaces that connect to LB device 2.
[four-in-one2] interface Bridge-Aggregation8
[four-in-one2-Bridge-Aggregation8] port link-type trunk
[four-in-one2-Bridge-Aggregation8] undo port trunk permit vlan 1
[four-in-one2-Bridge-Aggregation8] link-aggregation mode dynamic
[four-in-one2-Bridge-Aggregation8] port m-lag group 7
[four-in-one2-Bridge-Aggregation8] quit
[four-in-one2] interface Ten-GigabitEthernet6/0/6
[four-in-one2-Ten-GigabitEthernet6/0/6] port link-mode bridge
[four-in-one2-Ten-GigabitEthernet6/0/6] port link-type trunk
[four-in-one2-Ten-GigabitEthernet6/0/6] undo port trunk permit vlan 1
[four-in-one2-Ten-GigabitEthernet6/0/6] port link-aggregation group 8
[four-in-one2-Ten-GigabitEthernet6/0/6] quit
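The service VLANs must be permitted on the aggregate interfaces that connect to the FWs. For details, see the AD-DC 7.1 Security Service Resource Configuration Guide.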
[four-in-one2] interface Bridge-Aggregation2
[four-in-one2-Bridge-Aggregation2] port link-type trunk
[four-in-one2-Bridge-Aggregation2] undo port trunk permit vlan 1
[four-in-one2-Bridge-Aggregation2] link-aggregation mode dynamic
[four-in-one2-Bridge-Aggregation2] port m-lag group 1
[four-in-one2-Bridge-Aggregation2] quit
[four-in-one2] interface Ten-GigabitEthernet6/0/7
[four-in-one2-Ten-GigabitEthernet6/0/7] port link-mode bridge
[four-in-one2-Ten-GigabitEthernet6/0/7] port link-type trunk
[four-in-one2-Ten-GigabitEthernet6/0/7] undo port trunk permit vlan 1
[four-in-one2-Ten-GigabitEthernet6/0/7] port link-aggregation group 2
[four-in-one2-Ten-GigabitEthernet6/0/7] quit
[four-in-one2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
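The M-LAG pairing rules stated in this chapter (identical Global MAC, system-mac, system-priority and virtual address; different system-number; mirrored keepalive addresses; member ports joining an aggregation group that exists) can be checked before the devices are added to the control component. The following is an added example, not part of the original guide and not H3C tooling. The function names are hypothetical, and the sample configurations are constructed in the layout of display current-configuration output.

```python
import re

# Constructed sample configs, condensed from the commands in this guide
# (not captured from a real device).
DEV1 = """\
evpn global-mac 0001-0001-0001
evpn m-lag group 10.20.1.2
m-lag system-mac 0002-0003-0001
m-lag system-number 1
m-lag system-priority 10
m-lag keepalive ip destination 10.10.1.2 source 10.10.1.1 vpn-instance auto-online-mlag
#
interface Bridge-Aggregation7
 port m-lag group 6
#
interface Ten-GigabitEthernet6/0/5
 port link-aggregation group 7
"""
DEV2 = (DEV1.replace("system-number 1", "system-number 2")
            .replace("destination 10.10.1.2 source 10.10.1.1",
                     "destination 10.10.1.1 source 10.10.1.2"))
# Constructed faulty peer: same system-number, keepalive not mirrored, and a
# member port that joins group 5 although Bridge-Aggregation5 is not defined.
DEV2_BAD = DEV1.replace("link-aggregation group 7", "link-aggregation group 5")

GLOBALS = {
    "global-mac": r"evpn global-mac (\S+)",
    "virtual-ip": r"evpn m-lag group (\S+)",
    "system-mac": r"m-lag system-mac (\S+)",
    "system-number": r"m-lag system-number (\d+)",
    "system-priority": r"m-lag system-priority (\d+)",
}
KEEPALIVE = re.compile(
    r"m-lag keepalive ip destination (\S+) source (\S+)(?: vpn-instance (\S+))?")
AGG = "Bridge-Aggregation"


def parse_config(text):
    """Extract M-LAG globals, keepalive, aggregate interfaces and member ports."""
    cfg = {"globals": {}, "keepalive": None, "aggs": {}, "members": {}}
    iface = None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "#":
            iface = None
            continue
        if not line.startswith(" "):                 # top-level command
            m = re.match(r"interface (\S+)", line)
            iface = m.group(1) if m else None
            if iface and iface.startswith(AGG):
                cfg["aggs"].setdefault(iface[len(AGG):], None)
            for key, pattern in GLOBALS.items():
                m = re.match(pattern, line)
                if m:
                    cfg["globals"][key] = m.group(1)
            m = KEEPALIVE.match(line)
            if m:
                cfg["keepalive"] = m.groups()        # (destination, source, vpn)
            continue
        if iface is None:
            continue
        cmd = line.strip()                           # command in interface view
        m = re.match(r"port m-lag group (\d+)", cmd)
        if m and iface.startswith(AGG):
            cfg["aggs"][iface[len(AGG):]] = m.group(1)
        m = re.match(r"port link-aggregation group (\d+)", cmd)
        if m:
            cfg["members"][iface] = m.group(1)
    return cfg


def check_pair(a, b, names=("A", "B")):
    """Return a list of findings for two parsed M-LAG member configurations."""
    findings = []
    for key in ("global-mac", "virtual-ip", "system-mac", "system-priority"):
        va, vb = a["globals"].get(key), b["globals"].get(key)
        if va is None or vb is None:
            findings.append(f"{key}: missing on at least one member")
        elif va.lower() != vb.lower():
            findings.append(f"{key}: {va} != {vb}")
    na, nb = a["globals"].get("system-number"), b["globals"].get("system-number")
    if na is None or nb is None:
        findings.append("system-number: missing on at least one member")
    elif na == nb:
        findings.append(f"system-number: both members use {na}")
    ka, kb = a["keepalive"], b["keepalive"]
    if not ka or not kb:
        findings.append("keepalive: missing on at least one member")
    elif (ka[0], ka[1], ka[2]) != (kb[1], kb[0], kb[2]):
        findings.append("keepalive: source/destination/vpn-instance not mirrored")
    for name, cfg in zip(names, (a, b)):
        for port, group in sorted(cfg["members"].items()):
            if group not in cfg["aggs"]:
                findings.append(f"{name}: {port} joins undefined {AGG}{group}")
    ga = {g for g in a["aggs"].values() if g}
    gb = {g for g in b["aggs"].values() if g}
    if ga != gb:
        findings.append(f"m-lag groups present on one member only: {sorted(ga ^ gb)}")
    return findings


if __name__ == "__main__":
    pair = (parse_config(DEV1), parse_config(DEV2_BAD))
    for finding in check_pair(*pair, names=("four-in-one1", "four-in-one2")):
        print(finding)
```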
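(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the Actions column of fabric1, and then click the "Switching Devices" tab to open the switching device configuration page of fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
¡ Device name: four-in-one2.
¡ Basic information:
- Fabric: fabric1. Do not use the control component's default fabric, DEFAULTFABRIC.
- Device type: border device.
- Management IP: 192.168.11.3.
- VTEP IP: 10.1.1.3.
- Preferred region: region1.
- Device role: Spine.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 204 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the password configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 205 Adding a switching device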

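(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 206 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN instance to which the management interface of the switching device belongs. This example uses mgmt.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 207 Configuring OpenFlow
(6) Click the "Advanced" tab and configure the advanced parameters as required by the network. This example uses the default settings.
Figure 208 Advanced settings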

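(7) Click <OK> to finish adding the device.
(8) Go to the [Automation > Data Center Networks > Resource Pools > Device Resources > Device Groups] page and click <Add> to open the Add Device Group page. Configure the following parameters in the basic information area:
¡ Device group name: bdgroup1.
¡ MAC address: 3C:8C:40:4E:DD:46. For how to configure the MAC address for S12500X devices, see "How do I configure the device group MAC address when the S12500X acts as a border device?".
¡ Remote device group: select Yes for a Remote leaf and No for a non-Remote leaf. This parameter cannot be changed after it is configured, so plan it in advance.
¡ Network position: four multi-select options are available: egress gateway, inter-Fabric interconnect, inter-DC interconnect, and Service Leaf. Plan this in advance.
¡ HA deployment mode: M-LAG.
(9) Configure the following parameters in the egress gateway settings area of the Add Device Group page:
¡ Connection mode: select "VLAN cross-subnet". This parameter cannot be changed after it is configured, so plan it in advance.
¡ Address pool list and VLAN pool list:
- Direct egress: select the default address pool and the default VLAN pool.
- Secure egress: select "Custom address pool" and "Custom VLAN pool". Before creating the device group, create the virtual device management network address pool, the tenant carrier firewall internal network address pool, the tenant carrier load balancer internal network address pool, the tenant carrier network VLAN pool, and so on, and then select them from the available address pool list and the available VLAN pool list. For how to configure custom address pools and custom VLAN pools, see the AD-DC 7.1 Security Service Resource Configuration Guide.
Figure 209 Adding a device group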

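(10) In the device group members area of the Add Device Group page, add the border devices four-in-one1 and four-in-one2 that were added earlier.
(11) Click <OK> to finish adding the device group.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.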
<server-leaf1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<server-leaf1> reboot force
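After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G T series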
[server-leaf1] hardware-resource tcam normal
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw
S12500X
[server-leaf1] hardware-resource tcam routing
[server-leaf1] hardware-resource vxlan normal
[server-leaf1] hardware-resource mcast normal
[server-leaf1] hardware-resource scale-rt-prefix none
[server-leaf1] hardware-resource mpls normal
[server-leaf1] hardware-resource parser normal
S6800
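When the S6800 acts as a Leaf or Border, configure the hardware resources according to service requirements. For the configuration method, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".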
[server-leaf1] hardware-resource switch-mode 4
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw40k
S6860
[server-leaf1] hardware-resource switch-mode 4
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw24k
S6850/S9850/S6805/S6825
[server-leaf1] hardware-resource switch-mode DUAL-STACK
[server-leaf1] hardware-resource routing-mode ipv6-128
[server-leaf1] hardware-resource vxlan l3gw
S10500X
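On the S10500X, the switch-mode hardware resource parameter must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If the switch-mode value is not the default, use the switch-mode command to change it to the default. The change takes effect after a reboot.
(1) Change the interface module parameter. This example uses slot 0.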
[server-leaf1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter. This example uses slot 6.
[server-leaf1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
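On the S7500X, the switch-mode hardware resource parameter must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and MPUs do not require a switch-mode setting. Use the display switch-mode status command to view the configured value. If the switch-mode value is not the default, use the switch-mode command to change it to the default. The change takes effect after a reboot.
Change the interface module parameter. This example uses slot 2.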
[server-leaf1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S6520X/S5560X/S6812/S6813/S6880
[server-leaf1] switch-mode 1
Reboot device to make the configuration take effect.
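S12500G S series
On the S12500G S series, the switch-mode hardware resource parameter must be normal (use the display switch-mode status command to view the configured value), and system-working-mode must be expert (use the display system-working-mode command to view the configured value). Both switch-mode and system-working-mode can be changed with the following commands. The change takes effect after a reboot.
This example uses slot 3.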
[server-leaf1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
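On the S10506X-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If the switch-mode value is not normal, use the switch-mode command to change it to normal. The change takes effect after a reboot.
This example uses slot 1.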
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
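For the S6850-56HF-G/S9850-32H-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.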
[server-leaf1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9820-8M
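For the S9820-8M, the switch-mode hardware resource parameter must be vxlan. Use the display switch-mode status command to view the configured value. If switch-mode is not vxlan, use the switch-mode command to change it to vxlan; the change takes effect after a reboot.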
[server-leaf1] switch-mode 1
Reboot device to make the configuration take effect.
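S12500G S series/S9820-4C-G/S12500CR
For the S12500G S series/S9820-4C-G/S12500CR, the switch-mode hardware resource parameter must be normal; use the display switch-mode status command to view the configured value. system-working-mode must be expert; use the display system-working-mode command to view the configured value. Both switch-mode and system-working-mode can be changed with the following commands; the changes take effect after a reboot.
Slot 3 is used as an example.
[server-leaf1] switch-mode slot 3 normal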
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
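S10500XG/12500G-EF
For the S10500XG/12500G-EF, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.
[server-leaf1] switch-mode slot 1 normal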
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
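S6805G/S6850G/9850G
For the S6805G/S6850G/9850G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.
[server-leaf1] switch-mode slot 1 normal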
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
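S9825/S9855
For the S9825/S9855, hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications, not in functionality. Keeping the default is recommended, and both ends should use the same mode. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. These parameters can be changed with the following commands; the changes take effect after a reboot.
[server-leaf1] hardware-resource switch-mode ROUTING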
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
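S9827
For the S9827, set hardware-resource switch-mode to ROUTING; use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. These parameters can be changed with the following commands; the changes take effect after a reboot.
[server-leaf1] hardware-resource switch-mode ROUTING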
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN instance.
[server-leaf1] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[server-leaf1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[server-leaf1] interface M-GigabitEthernet1/0/0/2
[server-leaf1-M-GigabitEthernet1/0/0/2] ip binding vpn-instance mgmt
[server-leaf1-M-GigabitEthernet1/0/0/2] ip address 192.168.11.4 255.255.255.0
[server-leaf1-M-GigabitEthernet1/0/0/2] quit
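(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex, containing at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use short-lived HTTPS connections, so the service-type https command is required; without it, those features do not work correctly. For the features that use short-lived HTTPS connections, see "Which features use short-lived HTTPS connections?".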
[server-leaf1] local-user admin class manage
[server-leaf1-luser-manage-admin] password simple Qwert@1234
[server-leaf1-luser-manage-admin] service-type https ssh
[server-leaf1-luser-manage-admin] authorization-attribute user-role network-admin
[server-leaf1-luser-manage-admin] authorization-attribute user-role network-operator
[server-leaf1-luser-manage-admin] quit
(5) Configure the VTY lines.
[server-leaf1] line vty 0 63
[server-leaf1-line-vty0-63] authentication-mode scheme
[server-leaf1-line-vty0-63] user-role network-admin
[server-leaf1-line-vty0-63] user-role network-operator
[server-leaf1-line-vty0-63] quit
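(6) Configure NETCONF. Some features use short-lived HTTPS connections, so the netconf soap https enable command is required; without it, those features do not work correctly. For the features that use short-lived HTTPS connections, see "Which features use short-lived HTTPS connections?".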
[server-leaf1] netconf soap https enable
[server-leaf1] netconf ssh server enable
(7) Enable the SSH service.
[server-leaf1] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. The NTP server IP address 192.168.10.101 is used as an example.
[server-leaf1] ntp-service enable
[server-leaf1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[server-leaf1] snmp-agent
[server-leaf1] snmp-agent community write private
[server-leaf1] snmp-agent community read public
[server-leaf1] snmp-agent sys-info version all
[server-leaf1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[server-leaf1] lldp global enable
(1) Enable L2VPN on the device.
[server-leaf1] l2vpn enable
(2) Disable MAC, ARP, and ND learning from VXLAN tunnels.
[server-leaf1] vxlan tunnel mac-learning disable
[server-leaf1] vxlan tunnel arp-learning disable
[server-leaf1] vxlan tunnel nd-learning disable
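To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameters] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.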
[server-leaf1] ospf 1 router-id 192.168.11.4
[server-leaf1-ospf-1] non-stop-routing
[server-leaf1-ospf-1] area 0.0.0.0
[server-leaf1-ospf-1] quit
[server-leaf1] interface LoopBack0
[server-leaf1-LoopBack0] ip address 10.1.1.4 255.255.255.255
[server-leaf1-LoopBack0] ospf 1 area 0.0.0.0
[server-leaf1-LoopBack0] quit
Configure IBGP
[server-leaf1] bgp 100
[server-leaf1-bgp-default] non-stop-routing
[server-leaf1-bgp-default] router-id 10.1.1.4
[server-leaf1-bgp-default] group evpn internal
[server-leaf1-bgp-default] peer evpn connect-interface Loopback0
[server-leaf1-bgp-default] peer 10.1.1.2 group evpn
[server-leaf1-bgp-default] peer 10.1.1.3 group evpn
[server-leaf1-bgp-default] address-family l2vpn evpn
[server-leaf1-bgp-default-evpn] peer evpn enable
[server-leaf1-bgp-default-evpn] quit
[server-leaf1-bgp-default] quit
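The following uses the interface connected to Spine Border 1 or the Spine as an example. Configure the interface connected to Spine Border 2 or the Spine in the same way.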
[server-leaf1] interface HundredGigE1/0/25
[server-leaf1-HundredGigE1/0/25] port link-mode route
[server-leaf1-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf1-HundredGigE1/0/25] ospf network-type p2p
[server-leaf1-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[server-leaf1-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf1-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf1-HundredGigE1/0/25] quit
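The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, choose one from the Available Global MAC addresses of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and that address must be unique across the entire network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.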
[server-leaf1] evpn global-mac 0001-0001-0002
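Use the LoopBack0 interface address as the M-LAG real address. Single-homed M-LAG access, single-sided M-LAG access, Type 5 routes, and so on use this address.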
[server-leaf1] evpn m-lag local 10.1.1.4 remote 10.1.1.5
(1) Configure the M-LAG virtual address.
[server-leaf1] interface LoopBack2
[server-leaf1-LoopBack2] ip address 10.20.1.4 255.255.255.255
[server-leaf1-LoopBack2] ospf 1 area 0.0.0.0
[server-leaf1-LoopBack2] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[server-leaf1] evpn m-lag group 10.20.1.4
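(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. The bridge MAC of either M-LAG device is recommended as the system-mac; run the display lacp system-id command on a device to view its bridge MAC.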
[server-leaf1] m-lag system-mac 0002-0003-0002
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must use different system-number values, for example, 1 on one M-LAG device and 2 on the other.
[server-leaf1] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[server-leaf1] m-lag system-priority 10
(1) Create VLANs.
[server-leaf1] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[server-leaf1] interface Bridge-Aggregation1
[server-leaf1-Bridge-Aggregation1] port link-type trunk
[server-leaf1-Bridge-Aggregation1] port trunk permit vlan all
[server-leaf1-Bridge-Aggregation1] port trunk pvid vlan 4094
[server-leaf1-Bridge-Aggregation1] link-aggregation mode dynamic
[server-leaf1-Bridge-Aggregation1] port m-lag peer-link 1
[server-leaf1-Bridge-Aggregation1] undo mac-address static source-check enable
[server-leaf1-Bridge-Aggregation1] quit
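On S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: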
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[server-leaf1] interface Ten-GigabitEthernet1/0/9
[server-leaf1-Ten-GigabitEthernet1/0/9] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/9] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/9] port trunk permit vlan all
[server-leaf1-Ten-GigabitEthernet1/0/9] port trunk pvid vlan 4094
[server-leaf1-Ten-GigabitEthernet1/0/9] port link-aggregation group 1
[server-leaf1-Ten-GigabitEthernet1/0/9] quit
(4) Configure peer-link physical interface 2.
[server-leaf1] interface Ten-GigabitEthernet1/0/30
[server-leaf1-Ten-GigabitEthernet1/0/30] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/30] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/30] port trunk permit vlan all
[server-leaf1-Ten-GigabitEthernet1/0/30] port trunk pvid vlan 4094
[server-leaf1-Ten-GigabitEthernet1/0/30] port link-aggregation group 1
[server-leaf1-Ten-GigabitEthernet1/0/30] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the links go MAD UP only after the specified delay.
[server-leaf1] m-lag restore-delay 180
(2) Configure the VPN instance.
[server-leaf1] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[server-leaf1] interface HundredGigE1/0/30
[server-leaf1-HundredGigE1/0/30] port link-mode route
[server-leaf1-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[server-leaf1-HundredGigE1/0/30] ip address 10.10.1.5 255.255.255.252
[server-leaf1-HundredGigE1/0/30] quit
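(4) Configure the M-LAG MAD whitelist.
All physical interfaces other than the M-LAG peer-link interfaces, the MAD interface, and interfaces to be added to the service loopback group must be added to the whitelist.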
[server-leaf1] m-lag mad default-action none
[server-leaf1] m-lag keepalive ip destination 10.10.1.6 source 10.10.1.5 vpn-instance auto-online-mlag
[server-leaf1] m-lag mad include interface FortyGigE1/3/0/2
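…(omitted)…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 go DOWN at the same time, traffic arriving on the downlink interfaces of device 1 reaches the uplink interfaces of device 2 through the escape path over the peer-link, so connectivity with other devices is maintained.
Using the PVID VLAN of the peer-link interface as the escape VLAN is recommended.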
[server-leaf1] interface Vlan-interface4094
[server-leaf1-Vlan-interface4094] ip address 10.30.1.5 255.255.255.252
[server-leaf1-Vlan-interface4094] ospf 1 area 0.0.0.0
[server-leaf1-Vlan-interface4094] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[server-leaf1] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
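· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: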
[server-leaf1] l2vpn m-lag peer-link tunnel source 10.1.1.4 destination 10.1.1.5
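VXLAN packets in single-homed access networks use the M-LAG real address as the tunnel source address. To forward them correctly, configure default decapsulation.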
[server-leaf1] vxlan default-decapsulation source interface LoopBack0
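The automatic recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. The reference value is 600 seconds for chassis devices such as the S12500G/S12500X/S10500X/S7500X and 300 seconds for fixed-port devices such as the S68XX. Configure it as follows: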
[server-leaf1] m-lag auto-recovery reload-delay 600
M-LAG interface configuration for the LACP aggregate link to Server 1
[server-leaf1] interface Bridge-Aggregation256
[server-leaf1-Bridge-Aggregation256] port link-type trunk
[server-leaf1-Bridge-Aggregation256] undo port trunk permit vlan 1
[server-leaf1-Bridge-Aggregation256] link-aggregation mode dynamic
[server-leaf1-Bridge-Aggregation256] port m-lag group 3
[server-leaf1-Bridge-Aggregation256] quit
[server-leaf1] interface Ten-GigabitEthernet1/0/11
[server-leaf1-Ten-GigabitEthernet1/0/11] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/11] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/11] undo port trunk permit vlan 1
[server-leaf1-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[server-leaf1-Ten-GigabitEthernet1/0/11] quit
(1) Configure the physical interface for the primary/backup link to Server 2.
[server-leaf1] interface Ten-GigabitEthernet1/0/12
[server-leaf1-Ten-GigabitEthernet1/0/12] port link-mode bridge
[server-leaf1-Ten-GigabitEthernet1/0/12] port link-type trunk
[server-leaf1-Ten-GigabitEthernet1/0/12] undo port trunk permit vlan 1
[server-leaf1-Ten-GigabitEthernet1/0/12] quit
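(2) Configure evpn m-lag local. Because the Server Leaf connects to Server 2 over primary/backup links, the two devices in the M-LAG system have different single-homed ACs, that is, a given AC exists only on device 1 or only on device 2. Routes learned from single-homed ACs use the M-LAG real address as the next hop.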
[server-leaf1] evpn m-lag local 10.1.1.4 remote 10.1.1.5
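· When M-LAG primary/backup links are used, enable "Automatically deploy primary/backup AC link configuration" on the controller's [Automation > Data Center Networks > Fabrics > Parameters > Controller Global Settings] page. Only then does the controller deploy configuration to both M-LAG devices symmetrically and simultaneously.
· When M-LAG primary/backup links are used, configure the controller so that LLDP packets are sent to it: go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, open the settings page of the target Fabric, click the [Settings] tab, and select "Send LLDP packets to the controller" under the LLDP parameters.
· When M-LAG primary/backup links are used, enable LLDP on the servers. If LLDP cannot be enabled on a server, configure the link information on the controller: after the controller has onboarded the Server-Leaf, go to the [Automation > Data Center Networks > Fabrics > Link Management] page, click the [Server Links] tab, and add the primary and backup link information. The system name in the primary and backup link information must be the same and globally unique.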
[server-leaf1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
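(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the operation area for fabric1, and then click the "Switching Devices" tab to open the switching device configuration page for fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on its "Basic Info" tab:
¡ Device name: server-leaf1.
¡ Basic info:
- Fabric: fabric1. Do not use the controller's default Fabric, DEFAULTFABRIC.
- Device type: access device.
- Management IP: 192.168.11.4.
- VTEP IP: 10.1.1.4.
- Preferred region: region1.
- Device role: Leaf.
- Configure other parameters as required by the network. The defaults are used in this example.
Figure 210 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. The defaults are used in this example.
Figure 211 Adding a switching device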

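(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. The defaults are used in this example.
Figure 212 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN instance to which the switching device's management interface belongs. mgmt is used in this example.
¡ Configure other parameters as required by the network. The defaults are used in this example.
Figure 213 Configuring OpenFlow
(6) Click the "Advanced" tab and configure advanced parameters as required by the network. The defaults are used in this example.
Figure 214 Advanced configuration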

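(7) Click <OK> to finish adding the device.
The member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority, and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.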
<server-leaf2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<server-leaf2> reboot force
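After the hardware resource parameters are configured, reboot the device for the configuration to take effect.
The hardware resource configuration commands differ by switch model, as follows:
S12500G T series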
[server-leaf2] hardware-resource tcam normal
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw
S12500X
[server-leaf2] hardware-resource tcam routing
[server-leaf2] hardware-resource vxlan normal
[server-leaf2] hardware-resource mcast normal
[server-leaf2] hardware-resource scale-rt-prefix none
[server-leaf2] hardware-resource mpls normal
[server-leaf2] hardware-resource parser normal
S6800
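When the S6800 acts as a Leaf or Border, configure hardware resources according to the service requirements. For the configuration method, see "How do I set the VXLAN hardware resource mode of the S6800 based on the live network scale?".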
[server-leaf2] hardware-resource switch-mode 4
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw40k
S6860
[server-leaf2] hardware-resource switch-mode 4
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw24k
S6850/S9850/S6805/S6825
[server-leaf2] hardware-resource switch-mode DUAL-STACK
[server-leaf2] hardware-resource routing-mode ipv6-128
[server-leaf2] hardware-resource vxlan l3gw
S10500X
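For the S10500X, the switch-mode hardware resource parameter must use the default value. The default switch-mode is mix-bridging-routing for interface modules and enhance-ipv6-route for MPUs and switching fabric modules. Use the display switch-mode status command to view the configured value. If switch-mode is not set to the default, use the switch-mode command to restore the default; the change takes effect after a reboot.
(1) Change the interface module parameter, using slot 0 as an example.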
[server-leaf2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter, using slot 6 as an example.
[server-leaf2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S7500X
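For the S7500X, the switch-mode hardware resource parameter must use the default value. The default switch-mode for interface modules is mix-bridging-routing; MPUs do not require a switch-mode setting. Use the display switch-mode status command to view the configured value. If switch-mode is not set to the default, use the switch-mode command to restore the default; the change takes effect after a reboot.
Change the interface module parameter, using slot 2 as an example.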
[server-leaf2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
S6520X/S5560X/S6812/S6813/S6880
[server-leaf2] switch-mode 1
Reboot device to make the configuration take effect.
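S12500G S series
For the S12500G S series, the switch-mode hardware resource parameter must be normal; use the display switch-mode status command to view the configured value. system-working-mode must be expert; use the display system-working-mode command to view the configured value. Both switch-mode and system-working-mode can be changed with the following commands; the changes take effect after a reboot.
Slot 3 is used as an example.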
[server-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10506X-G
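For the S10506X-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.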
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
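For the S6850-56HF-G/S9850-32H-G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.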
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9820-8M
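For the S9820-8M, the switch-mode hardware resource parameter must be vxlan. Use the display switch-mode status command to view the configured value. If switch-mode is not vxlan, use the switch-mode command to change it to vxlan; the change takes effect after a reboot.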
[server-leaf2] switch-mode 1
Reboot device to make the configuration take effect.
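S12500G S series/S9820-4C-G/S12500CR
For the S12500G S series/S9820-4C-G/S12500CR, the switch-mode hardware resource parameter must be normal; use the display switch-mode status command to view the configured value. system-working-mode must be expert; use the display system-working-mode command to view the configured value. Both switch-mode and system-working-mode can be changed with the following commands; the changes take effect after a reboot.
Slot 3 is used as an example.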
[server-leaf2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[server-leaf2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
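For the S10500XG/12500G-EF, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.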
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
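For the S6805G/S6850G/9850G, the switch-mode hardware resource parameter must be normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
Slot 1 is used as an example.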
[server-leaf2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
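S9825/S9855
For the S9825/S9855, hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications, not in functionality. Keeping the default is recommended, and both ends should use the same mode. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. These parameters can be changed with the following commands; the changes take effect after a reboot.
[server-leaf2] hardware-resource switch-mode ROUTING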
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
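S9827
For the S9827, set hardware-resource switch-mode to ROUTING; use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128; use the display hardware-resource routing-mode command to view the configured value. Set hardware-resource vxlan to L3GW; use the display hardware-resource vxlan command to view the configured value. These parameters can be changed with the following commands; the changes take effect after a reboot.
[server-leaf2] hardware-resource switch-mode ROUTING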
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[server-leaf2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN instance.
[server-leaf2] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[server-leaf2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[server-leaf2] interface M-GigabitEthernet1/0/0/2
[server-leaf2-M-GigabitEthernet1/0/0/2] ip binding vpn-instance mgmt
[server-leaf2-M-GigabitEthernet1/0/0/2] ip address 192.168.11.5 255.255.255.0
[server-leaf2-M-GigabitEthernet1/0/0/2] quit
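(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex, containing at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use short-lived HTTPS connections, so the service-type https command is required; without it, those features do not work correctly. For the features that use short-lived HTTPS connections, see "Which features use short-lived HTTPS connections?".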
[server-leaf2] local-user admin class manage
[server-leaf2-luser-manage-admin] password simple Qwert@1234
[server-leaf2-luser-manage-admin] service-type https ssh
[server-leaf2-luser-manage-admin] authorization-attribute user-role network-admin
[server-leaf2-luser-manage-admin] authorization-attribute user-role network-operator
[server-leaf2-luser-manage-admin] quit
(5) Configure the VTY lines.
[server-leaf2] line vty 0 63
[server-leaf2-line-vty0-63] authentication-mode scheme
[server-leaf2-line-vty0-63] user-role network-admin
[server-leaf2-line-vty0-63] user-role network-operator
[server-leaf2-line-vty0-63] quit
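(6) Configure NETCONF. Some features use short-lived HTTPS connections, so the netconf soap https enable command is required; without it, those features do not work correctly. For the features that use short-lived HTTPS connections, see "Which features use short-lived HTTPS connections?".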
[server-leaf2] netconf soap https enable
[server-leaf2] netconf ssh server enable
(7) Enable the SSH service.
[server-leaf2] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. The NTP server IP address 192.168.10.101 is used as an example.
[server-leaf2] ntp-service enable
[server-leaf2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[server-leaf2] snmp-agent
[server-leaf2] snmp-agent community write private
[server-leaf2] snmp-agent community read public
[server-leaf2] snmp-agent sys-info version all
[server-leaf2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[server-leaf2] lldp global enable
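A pre-deployment check for management steps (4), (6) and (9) as configured on server-leaf1 and server-leaf2 above. This is an added example, not part of the H3C manual: it verifies the two requirements the manual states (password complexity, HTTPS enabled for the user and for NETCONF) and flags the manual's example password, the SNMP community names public/private, and community-based SNMP versions. Treating those last three as findings is this example's policy, and the finding names and the SITE_SPECIFIC values are hypothetical.

```python
import re

# Constructed sample: steps (4), (6) and (9) as typed in this manual.
AS_DOCUMENTED = """
[server-leaf1] local-user admin class manage
[server-leaf1-luser-manage-admin] password simple Qwert@1234
[server-leaf1-luser-manage-admin] service-type https ssh
[server-leaf1] netconf soap https enable
[server-leaf1] netconf ssh server enable
[server-leaf1] snmp-agent community write private
[server-leaf1] snmp-agent community read public
[server-leaf1] snmp-agent sys-info version all
"""

# Constructed counter-example with site-specific values (all hypothetical).
SITE_SPECIFIC = """
local-user dc-ops class manage
password simple Vq7#mlag-Underlay
service-type https ssh
netconf soap https enable
netconf ssh server enable
snmp-agent sys-info version v3
"""

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")   # "[server-leaf1] " or "<Sysname> "
EXAMPLE_PASSWORDS = {"Qwert@1234"}                  # the password this manual uses as its example
WELL_KNOWN_COMMUNITIES = {"public", "private"}      # community names used in step (9)


def char_classes(password):
    """Count how many of the four character classes named in step (4) are present."""
    classes = (r"[0-9]", r"[A-Z]", r"[a-z]", r"[^0-9A-Za-z]")
    return sum(1 for c in classes if re.search(c, password))


def audit(session):
    """Return (finding, detail) tuples for a pasted command session or template."""
    lines = [PROMPT.sub("", raw).strip() for raw in session.splitlines()]
    lines = [line for line in lines if line]
    findings = []
    for line in lines:
        m = re.match(r"password simple (\S+)$", line)
        if m:
            if char_classes(m.group(1)) < 2:        # rule stated in step (4)
                findings.append(("password-complexity", "fewer than two character classes"))
            if m.group(1) in EXAMPLE_PASSWORDS:     # policy of this example
                findings.append(("example-password", "documentation password still in use"))
        m = re.match(r"snmp-agent community (read|write) (\S+)", line)
        if m and m.group(2).lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("snmp-community",
                             f"{m.group(1)} community '{m.group(2)}' is a well-known name"))
        m = re.match(r"snmp-agent sys-info version (.+)$", line)
        if m and set(m.group(1).split()) & {"all", "v1", "v2c"}:
            findings.append(("snmp-version", "community-based SNMP version enabled"))
    # Functional requirements from steps (4) and (6): HTTPS must be enabled.
    service_types = [line.split()[1:] for line in lines if line.startswith("service-type ")]
    if not any("https" in types for types in service_types):
        findings.append(("service-type-https", "no management user allows https"))
    if "netconf soap https enable" not in lines:
        findings.append(("netconf-https", "netconf soap https enable is missing"))
    return findings


if __name__ == "__main__":
    for name, text in (("as documented", AS_DOCUMENTED), ("site specific", SITE_SPECIFIC)):
        print(name)
        for finding, detail in audit(text) or [("ok", "no findings")]:
            print(f"  {finding}: {detail}")
```

The input is the command list as typed or templated, since that is where `password simple` appears.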
(1) Enable L2VPN on the device.
[server-leaf2] l2vpn enable
(2) Disable MAC, ARP, and ND learning from VXLAN tunnels.
[server-leaf2] vxlan tunnel mac-learning disable
[server-leaf2] vxlan tunnel arp-learning disable
[server-leaf2] vxlan tunnel nd-learning disable
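To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameters] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.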
[server-leaf2] ospf 1 router-id 192.168.11.5
[server-leaf2-ospf-1] non-stop-routing
[server-leaf2-ospf-1] area 0.0.0.0
[server-leaf2-ospf-1] quit
VTEP address configuration
[server-leaf2] interface LoopBack0
[server-leaf2-LoopBack0] ip address 10.1.1.5 255.255.255.255
[server-leaf2-LoopBack0] ospf 1 area 0.0.0.0
[server-leaf2-LoopBack0] quit
Configure IBGP
[server-leaf2] bgp 100
[server-leaf2-bgp-default] non-stop-routing
[server-leaf2-bgp-default] router-id 10.1.1.5
[server-leaf2-bgp-default] group evpn internal
[server-leaf2-bgp-default] peer evpn connect-interface Loopback0
[server-leaf2-bgp-default] peer 10.1.1.2 group evpn
[server-leaf2-bgp-default] peer 10.1.1.3 group evpn
[server-leaf2-bgp-default] address-family l2vpn evpn
[server-leaf2-bgp-default-evpn] peer evpn enable
[server-leaf2-bgp-default-evpn] quit
[server-leaf2-bgp-default] quit
The following uses the interface connected to Spine Border 1 as an example. Configure the interface connected to Spine Border 2 in the same way.
[server-leaf2] interface HundredGigE1/0/25
[server-leaf2-HundredGigE1/0/25] port link-mode route
[server-leaf2-HundredGigE1/0/25] ip address unnumbered interface LoopBack0
[server-leaf2-HundredGigE1/0/25] ospf network-type p2p
[server-leaf2-HundredGigE1/0/25] ospf 1 area 0.0.0.0
[server-leaf2-HundredGigE1/0/25] lldp management-address arp-learning
[server-leaf2-HundredGigE1/0/25] lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0
[server-leaf2-HundredGigE1/0/25] quit
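The Global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC address range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, choose one from the Available Global MAC addresses of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and that address must be unique across the entire network. In multi-Fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.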
[server-leaf2] evpn global-mac 0001-0001-0002
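Use the LoopBack0 interface address as the M-LAG real address. Single-homed M-LAG access, single-sided M-LAG access, Type 5 routes, and so on use this address.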
[server-leaf2] evpn m-lag local 10.1.1.5 remote 10.1.1.4
(1) Configure the M-LAG virtual address.
[server-leaf2] interface LoopBack2
[server-leaf2-LoopBack2] ip address 10.20.1.4 255.255.255.255
[server-leaf2-LoopBack2] ospf 1 area 0.0.0.0
[server-leaf2-LoopBack2] quit
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[server-leaf2] evpn m-lag group 10.20.1.4
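(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique across the entire network. The bridge MAC of either M-LAG device is recommended as the system-mac; run the display lacp system-id command on a device to view its bridge MAC.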
[server-leaf2] m-lag system-mac 0002-0003-0002
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must use different system-number values, for example, 1 on one M-LAG device and 2 on the other.
[server-leaf2] m-lag system-number 1
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[server-leaf2] m-lag system-priority 10
(1) Create VLANs.
[server-leaf2] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[server-leaf2] interface Bridge-Aggregation1
[server-leaf2-Bridge-Aggregation1] port link-type trunk
[server-leaf2-Bridge-Aggregation1] port trunk permit vlan all
[server-leaf2-Bridge-Aggregation1] port trunk pvid vlan 4094
[server-leaf2-Bridge-Aggregation1] link-aggregation mode dynamic
[server-leaf2-Bridge-Aggregation1] port m-lag peer-link 1
[server-leaf2-Bridge-Aggregation1] undo mac-address static source-check enable
[server-leaf2-Bridge-Aggregation1] quit
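On S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: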
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[server-leaf2] interface Ten-GigabitEthernet1/0/9
[server-leaf2-Ten-GigabitEthernet1/0/9] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/9] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/9] port trunk permit vlan all
[server-leaf2-Ten-GigabitEthernet1/0/9] port trunk pvid vlan 4094
[server-leaf2-Ten-GigabitEthernet1/0/9] port link-aggregation group 1
[server-leaf2-Ten-GigabitEthernet1/0/9] quit
(4) Configure peer-link physical interface 2.
[server-leaf2] interface Ten-GigabitEthernet1/0/10
[server-leaf2-Ten-GigabitEthernet1/0/10] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/10] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/10] port trunk permit vlan all
[server-leaf2-Ten-GigabitEthernet1/0/10] port trunk pvid vlan 4094
[server-leaf2-Ten-GigabitEthernet1/0/10] port link-aggregation group 1
[server-leaf2-Ten-GigabitEthernet1/0/10] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the links go MAD UP only after the specified delay.
[server-leaf2] m-lag restore-delay 180
(2) Configure the VPN instance.
[server-leaf2] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[server-leaf2] interface HundredGigE1/0/30
[server-leaf2-HundredGigE1/0/30] port link-mode route
[server-leaf2-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[server-leaf2-HundredGigE1/0/30] ip address 10.10.1.6 255.255.255.252
[server-leaf2-HundredGigE1/0/30] quit
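(4) Configure the M-LAG MAD whitelist.
All physical interfaces other than the M-LAG peer-link interfaces, the MAD interface, and interfaces to be added to the service loopback group must be added to the whitelist.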
[server-leaf2] m-lag mad default-action none
[server-leaf2] m-lag keepalive ip destination 10.10.1.5 source 10.10.1.6 vpn-instance auto-online-mlag
[server-leaf2] m-lag mad include interface FortyGigE1/3/0/2
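…(omitted)…
When the uplink interfaces of device 1 and the downlink interfaces of device 2 go DOWN at the same time, traffic arriving on the downlink interfaces of device 1 reaches the uplink interfaces of device 2 through the escape path over the peer-link, so connectivity with other devices is maintained.
Using the PVID VLAN of the peer-link interface as the escape VLAN is recommended.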
[server-leaf2] interface Vlan-interface4094
[server-leaf2-Vlan-interface4094] ip address 10.30.1.6 255.255.255.252
[server-leaf2-Vlan-interface4094] ospf 1 area 0.0.0.0
[server-leaf2-Vlan-interface4094] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[server-leaf2] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
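· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: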
[server-leaf2] l2vpn m-lag peer-link tunnel source 10.1.1.5 destination 10.1.1.4
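VXLAN packets in single-homed access networks use the M-LAG real address as the tunnel source address. To forward them correctly, configure default decapsulation.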
[server-leaf2] vxlan default-decapsulation source interface LoopBack0
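The automatic recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. The reference value is 600 seconds for chassis devices such as the S12500G/S12500X/S10500X/S7500X and 300 seconds for fixed-port devices such as the S68XX. Configure it as follows:
[server-leaf2] m-lag auto-recovery reload-delay 600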
M-LAG interface configuration for the LACP aggregate link to Server 1
[server-leaf2] interface Bridge-Aggregation256
[server-leaf2-Bridge-Aggregation256] port link-type trunk
[server-leaf2-Bridge-Aggregation256] undo port trunk permit vlan 1
[server-leaf2-Bridge-Aggregation256] link-aggregation mode dynamic
[server-leaf2-Bridge-Aggregation256] port m-lag group 3
[server-leaf2-Bridge-Aggregation256] quit
[server-leaf2] interface Ten-GigabitEthernet1/0/11
[server-leaf2-Ten-GigabitEthernet1/0/11] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/11] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/11] undo port trunk permit vlan 1
[server-leaf2-Ten-GigabitEthernet1/0/11] port link-aggregation group 256
[server-leaf2-Ten-GigabitEthernet1/0/11] quit
(1) Configure the physical interface for the primary/backup link to Server 2.
[server-leaf2] interface Ten-GigabitEthernet1/0/12
[server-leaf2-Ten-GigabitEthernet1/0/12] port link-mode bridge
[server-leaf2-Ten-GigabitEthernet1/0/12] port link-type trunk
[server-leaf2-Ten-GigabitEthernet1/0/12] undo port trunk permit vlan 1
[server-leaf2-Ten-GigabitEthernet1/0/12] quit
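(2) Configure evpn m-lag local. Because the Server Leaf connects to Server 2 over primary/backup links, the two devices in the M-LAG system have different single-homed ACs, that is, a given AC exists only on device 1 or only on device 2. Routes learned from single-homed ACs use the M-LAG real address as the next hop.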
[server-leaf2] evpn m-lag local 10.1.1.5 remote 10.1.1.4
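· When M-LAG primary/backup links are used, enable "Automatically deploy primary/backup AC link configuration" on the controller's [Automation > Data Center Networks > Fabrics > Parameters > Controller Global Settings] page. Only then does the controller deploy configuration to both M-LAG devices symmetrically and simultaneously.
· When M-LAG primary/backup links are used, configure the controller so that LLDP packets are sent to it: go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, open the settings page of the target Fabric, click the [Settings] tab, and select "Send LLDP packets to the controller" under the LLDP parameters.
· When M-LAG primary/backup links are used, enable LLDP on the servers. If LLDP cannot be enabled on a server, configure the link information on the controller: after the controller has onboarded the Server-Leaf, go to the [Automation > Data Center Networks > Fabrics > Link Management] page, click the [Server Links] tab, and add the primary and backup link information. The system name in the primary and backup link information must be the same and globally unique.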
[server-leaf2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
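(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the operation area for fabric1, and then click the "Switching Devices" tab to open the switching device configuration page for fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
¡ Device name: server-leaf2.
¡ Basic information:
- Fabric: fabric1. Do not use the controller's default fabric, DEFAULTFABRIC.
- Device type: Access device.
- Management IP: 192.168.11.5.
- VTEP IP: 10.1.1.5.
- Preferred region: region1.
- Device role: Leaf.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 215 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 216 Adding a switching device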

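(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 217 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN to which the management interface of the switching device belongs. This example uses mgmt.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 218 Configuring OpenFlow
(6) Click the "Advanced" tab and configure advanced parameters as required by the network. This example uses the default settings.
Figure 219 Advanced settings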

(7) Click <OK> to finish adding the device.
Figure 220 Five-in-one scenario network diagram
Table 13 IP addresses and interfaces in the five-in-one scenario
| Device | Address plan | Interface information |
|---|---|---|
| Five-in-one 1 | Management address: 192.168.11.2/24, gateway 192.168.11.1 | XGE1/0/1 (to Five-in-one 2 XGE1/0/1), XGE1/0/2 (to Five-in-one 2 XGE1/0/2), HGE1/0/30 (to Five-in-one 2 HGE1/0/30), XGE1/0/3 (to FW1 XGE1/2/0), XGE1/0/4 (to FW2 XGE1/2/0), XGE1/0/5 (to FW3 XGE1/2/0), XGE1/0/6 (to FW4 XGE1/2/0), XGE1/0/7 (to LB1 XGE1/2/0), XGE1/0/8 (to LB2 XGE1/2/0), XGE1/0/9 (to the external network device), XGE1/0/10 (to Server1), XGE1/0/11 (to Server2) |
| | VTEP address: 10.1.1.2/32 | |
| | M-LAG virtual address: 10.20.1.2/32 | |
| | M-LAG System MAC address: 0002-0003-0001 (or use the bridge MAC of this device) | |
| | M-LAG MAD address: 10.10.1.1/30 | |
| | M-LAG peer-link escape address: 10.30.1.1/30 | |
| Five-in-one 2 | Management address: 192.168.11.3/24, gateway 192.168.11.1 | XGE1/0/1 (to Five-in-one 1 XGE1/0/1), XGE1/0/2 (to Five-in-one 1 XGE1/0/2), HGE1/0/30 (to Five-in-one 1 HGE1/0/30), XGE1/0/3 (to FW1 XGE1/2/1), XGE1/0/4 (to FW2 XGE1/2/1), XGE1/0/5 (to FW3 XGE1/2/1), XGE1/0/6 (to FW4 XGE1/2/1), XGE1/0/7 (to LB1 XGE1/2/0), XGE1/0/8 (to LB2 XGE1/2/0), XGE1/0/9 (to the external network device), XGE1/0/10 (to Server1), XGE1/0/11 (to Server2) |
| | VTEP address: 10.1.1.3/32 | |
| | M-LAG virtual address: 10.20.1.2/32 | |
| | M-LAG System MAC address: 0002-0003-0001 (or use the bridge MAC of this device) | |
| | M-LAG MAD address: 10.10.1.2/30 | |
| | M-LAG peer-link escape address: 10.30.1.2/30 | |
| | VTEP address: 10.1.1.5/32 | |
| | M-LAG virtual address: 10.20.1.4/32 | |
| | M-LAG System MAC address: 0002-0003-0002 (or use the bridge MAC of this device) | |
| | M-LAG MAD address: 10.10.1.6/30 | |
| | M-LAG peer-link escape address: 10.30.1.6/30 | |
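In the five-in-one networking scenario, the five-in-one switch serves as Spine, Border, DCI ED, Service-Leaf and Server-Leaf at the same time, and uses peer-link M-LAG for high availability. The underlay network must be configured manually; after the controller takes over the devices, it deploys the corresponding overlay configuration.
· Five-in-one 1 and Five-in-one 2 form an M-LAG system and connect to the north-south FW devices, the service-chain FW devices and the external network device through M-LAG interfaces. They connect to Server 1 through M-LAG interfaces over an LACP aggregate link, and to Server 2 through physical interfaces over active/standby links.
Routing protocol support
· Underlay routing protocols: OSPF, IS-IS and EBGP are supported.
· Overlay routing protocol: only BGP is supported.
The manual underlay deployment flow is shown in the following figure.
Member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.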
<five-in-one1> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<five-in-one1> reboot force
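After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource commands differ between switch models, as follows:
S12500G T series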
[five-in-one1] hardware-resource tcam normal
[five-in-one1] hardware-resource routing-mode ipv6-128
[five-in-one1] hardware-resource vxlan l3gw
S12500X
[five-in-one1] hardware-resource tcam routing
[five-in-one1] hardware-resource vxlan normal
[five-in-one1] hardware-resource mcast normal
[five-in-one1] hardware-resource scale-rt-prefix none
[five-in-one1] hardware-resource mpls normal
[five-in-one1] hardware-resource parser normal
S6800
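When the S6800 serves as a Leaf or Border, configure the hardware resources according to service requirements. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".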
[five-in-one1] hardware-resource switch-mode 4
[five-in-one1] hardware-resource routing-mode ipv6-128
[five-in-one1] hardware-resource vxlan Border40k
S6860
[five-in-one1] hardware-resource switch-mode 4
[five-in-one1] hardware-resource routing-mode ipv6-128
[five-in-one1] hardware-resource vxlan Border24k
S6850/S9850/S6805/S6825
[five-in-one1] hardware-resource switch-mode DUAL-STACK
[five-in-one1] hardware-resource routing-mode ipv6-128
[five-in-one1] hardware-resource vxlan l3gw
S10500X
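For the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and the default for MPUs and switching fabric modules is enhance-ipv6-route. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
(1) Change the interface module parameter. This example uses slot 0.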
[five-in-one1] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter. This example uses slot 6.
[five-in-one1] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
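For the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
Change the interface module parameter. This example uses slot 2.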
[five-in-one1] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
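S12500G S series
For the S12500G S series, the hardware resource parameter switch-mode must be set to normal (view it with the display switch-mode status command), and system-working-mode must be set to expert (view it with the display system-working-mode command). Use the following commands to change switch-mode and system-working-mode; the changes take effect after a reboot.
This example uses slot 3.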
[five-in-one1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[five-in-one1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
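S12500R series
For the S12500R series, the hardware resource parameter hardware-resource mdb must be set to routing (view it with the display hardware-resource mdb command), and hardware-resource interface must be set to bridge (view it with the display hardware-resource interface command). Use the following commands to change hardware-resource mdb and hardware-resource interface; the changes take effect after a reboot.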
[five-in-one1] hardware-resource mdb routing
[five-in-one1] hardware-resource interface bridge
S10506X-G
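For the S10506X-G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.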
[five-in-one1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
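For the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.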
[five-in-one1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
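S12500G S series/S9820-4C-G/S12500CR
For the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be set to normal (view it with the display switch-mode status command), and system-working-mode must be set to expert (view it with the display system-working-mode command). Use the following commands to change switch-mode and system-working-mode; the changes take effect after a reboot.
This example uses slot 3.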
[five-in-one1] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[five-in-one1] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
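For the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.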
[five-in-one1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
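For the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.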
[five-in-one1] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
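For the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications and have no functional impact; keeping the default value is recommended, and both ends should use the same mode. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command) and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change the values; the changes take effect after a reboot.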
[five-in-one1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[five-in-one1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[five-in-one1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
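For the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING (view it with the display hardware-resource switch-mode command), hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command), and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change the values; the changes take effect after a reboot.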
[five-in-one1] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[five-in-one1] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[five-in-one1] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[five-in-one1] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[five-in-one1] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[five-in-one1] interface M-GigabitEthernet0/0/0
[five-in-one1-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[five-in-one1-M-GigabitEthernet0/0/0] ip address 192.168.11.2 255.255.255.0
[five-in-one1-M-GigabitEthernet0/0/0] quit
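(4) Configure the management user. This example uses the username admin and the password Qwert@1234. The password must be complex, containing at least two of the following character types: digits, uppercase letters, lowercase letters and special characters. Some features use HTTPS short connections, so the service-type https command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".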
[five-in-one1] local-user admin class manage
[five-in-one1-luser-manage-admin] password simple Qwert@1234
[five-in-one1-luser-manage-admin] service-type https ssh
[five-in-one1-luser-manage-admin] authorization-attribute user-role network-admin
[five-in-one1-luser-manage-admin] authorization-attribute user-role network-operator
[five-in-one1-luser-manage-admin] quit
(5) Configure the VTY lines.
[five-in-one1] line vty 0 63
[five-in-one1-line-vty0-63] authentication-mode scheme
[five-in-one1-line-vty0-63] user-role network-admin
[five-in-one1-line-vty0-63] user-role network-operator
[five-in-one1-line-vty0-63] quit
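(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work properly. For the features that use HTTPS short connections, see "Which features use HTTPS short connections?".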
[five-in-one1] netconf soap https enable
[five-in-one1] netconf ssh server enable
(7) Enable the SSH service.
[five-in-one1] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. This example uses the NTP server IP address 192.168.10.101.
[five-in-one1] ntp-service enable
[five-in-one1] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[five-in-one1] snmp-agent
[five-in-one1] snmp-agent community write private
[five-in-one1] snmp-agent community read public
[five-in-one1] snmp-agent sys-info version all
[five-in-one1] snmp-agent packet max-size 4096
(10) Enable LLDP.
[five-in-one1] lldp global enable
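The management-plane steps above use a documented example password, the community strings public and private, and all SNMP versions. The following audit script is an added example, not part of the original guide or of any H3C tool; it flags those settings when they are carried unchanged into a real deployment. The hardened sample and the finding names are constructed for illustration.

```python
import re

# Constructed sample: management-plane commands as shown in the steps above.
GUIDE_SAMPLE = """\
[five-in-one1] local-user admin class manage
[five-in-one1-luser-manage-admin] password simple Qwert@1234
[five-in-one1-luser-manage-admin] service-type https ssh
[five-in-one1-luser-manage-admin] quit
[five-in-one1] line vty 0 63
[five-in-one1-line-vty0-63] authentication-mode scheme
[five-in-one1-line-vty0-63] quit
[five-in-one1] snmp-agent community write private
[five-in-one1] snmp-agent community read public
[five-in-one1] snmp-agent sys-info version all
"""

# Constructed sample: same steps with a site-specific secret and SNMPv3 only.
HARDENED_SAMPLE = """\
[five-in-one1] local-user admin class manage
[five-in-one1-luser-manage-admin] password simple <site-specific-secret>
[five-in-one1-luser-manage-admin] service-type https ssh
[five-in-one1-luser-manage-admin] quit
[five-in-one1] line vty 0 63
[five-in-one1-line-vty0-63] authentication-mode scheme
[five-in-one1-line-vty0-63] quit
[five-in-one1] snmp-agent sys-info version v3
"""

PROMPT = re.compile(r"^\[[^\]]+\]\s*(.+)$")   # "[view] command"
DOCUMENTED_PASSWORDS = {"Qwert@1234"}          # printed in this guide
WELL_KNOWN_COMMUNITIES = {"public", "private"}
REQUIRED_SERVICES = {"https", "ssh"}           # what the guide asks for


def commands(session):
    """Yield each command of a CLI transcript as a token list."""
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            yield m.group(1).split()


def audit(session):
    """Return (severity, finding, detail) tuples in transcript order."""
    findings, in_vty = [], False
    for tok in commands(session):
        if tok[:2] == ["line", "vty"]:
            in_vty = True
        elif tok[0] == "quit":
            in_vty = False
        elif tok[:2] == ["snmp-agent", "community"] and len(tok) >= 4:
            access, name = tok[2], tok[3]
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                sev = "high" if access == "write" else "medium"
                findings.append((sev, "snmp-default-community",
                                 f"{access} community {name!r} is a well-known default"))
        elif tok[:3] == ["snmp-agent", "sys-info", "version"]:
            legacy = sorted({"all", "v1", "v2c"} & set(tok[3:]))
            if legacy:
                findings.append(("medium", "snmp-community-versions",
                                 "SNMPv1/v2c enabled: community strings are sent in cleartext"))
        elif tok[:2] == ["password", "simple"] and len(tok) >= 3:
            if tok[2] in DOCUMENTED_PASSWORDS:
                findings.append(("high", "documented-password",
                                 "password is the example value printed in the guide"))
        elif tok[0] == "service-type":
            extra = sorted(set(tok[1:]) - REQUIRED_SERVICES)
            if extra:
                findings.append(("medium", "extra-service-type",
                                 "services beyond https/ssh: " + ", ".join(extra)))
        elif in_vty and tok[0] == "authentication-mode" and tok[1:] != ["scheme"]:
            findings.append(("high", "vty-auth-not-scheme",
                             "VTY lines do not use scheme (AAA) authentication"))
    return findings


if __name__ == "__main__":
    for severity, finding, detail in audit(GUIDE_SAMPLE):
        print(f"{severity:6} {finding:26} {detail}")
```

Because the controller's NETCONF credentials must match the device, rotate the password on both sides together.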
(1) Enable L2VPN.
[five-in-one1] l2vpn enable
(2) Disable MAC, ARP and ND learning from VXLAN tunnels.
[five-in-one1] vxlan tunnel mac-learning disable
[five-in-one1] vxlan tunnel arp-learning disable
[five-in-one1] vxlan tunnel nd-learning disable
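To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameters] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.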
[five-in-one1] ospf 1 router-id 192.168.11.2
[five-in-one1-ospf-1] non-stop-routing
[five-in-one1-ospf-1] area 0.0.0.0
[five-in-one1-ospf-1] quit
[five-in-one1] interface LoopBack0
[five-in-one1-LoopBack0] ip address 10.1.1.2 255.255.255.255
[five-in-one1-LoopBack0] ospf 1 area 0.0.0.0
[five-in-one1-LoopBack0] quit
Configure the IBGP RR
[five-in-one1] bgp 100 instance default
[five-in-one1-bgp-default] non-stop-routing
[five-in-one1-bgp-default] address-family l2vpn evpn
[five-in-one1-bgp-default-evpn] undo policy vpn-target
[five-in-one1-bgp-default-evpn] peer evpn enable
[five-in-one1-bgp-default-evpn] quit
[five-in-one1-bgp-default] quit
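The Global MAC is the Router MAC used for VXLAN Layer 3 forwarding. The recommended Global MAC range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, select one from the Available Global MAC addresses of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On devices such as the S6805/S6850/S9850/S6825/S6800/S6860, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe view to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same Global MAC address, and the Global MAC address must be unique across the entire network. In multi-fabric or data center interconnect scenarios, the Global MAC address must also be unique across the entire network.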
[five-in-one1] evpn global-mac 0001-0001-0001
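On a Border, the M-LAG real address does not need to be configured, that is, the evpn m-lag local remote command is not required.
(1) Configure the M-LAG virtual address.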
[five-in-one1] interface LoopBack2
[five-in-one1-LoopBack2] ip address 10.20.1.2 255.255.255.255
[five-in-one1-LoopBack2] ospf 1 area 0.0.0.0
(2) All M-LAG devices in an M-LAG system use the same virtual address.
[five-in-one1] evpn m-lag group 10.20.1.2
(3) Use the M-LAG virtual address as the next hop of BGP routes.
[five-in-one1] bgp 100
[five-in-one1-bgp-default] address-family l2vpn evpn
[five-in-one1-bgp-default-evpn] nexthop evpn-m-lag group-address
[five-in-one1-bgp-default-evpn] quit
[five-in-one1-bgp-default] quit
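(1) All M-LAG devices in an M-LAG system must use the same system-mac, which must be unique across the entire network. The bridge MAC of either M-LAG device is recommended as the system-mac; run the display lacp system-id command on the device to view its bridge MAC.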
[five-in-one1] m-lag system-mac 0002-0003-0001
(2) Configure the M-LAG system-number. Note: the two M-LAG devices must use different system-number values, for example 1 on one M-LAG device and 2 on the other.
[five-in-one1] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[five-in-one1] m-lag system-priority 10
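The pairing rules stated in this chapter (same Global MAC, system-mac, system-priority and M-LAG virtual address; different system-number) are easy to break when two devices are configured by hand. The following checker is an added example, not part of the original guide or of any H3C tool. The Five-in-one 2 transcript is constructed from the Table 13 addresses, and the check that keepalive and evpn m-lag local/remote addresses mirror each other goes slightly beyond the rules listed in these steps.

```python
import re

PROMPT = re.compile(r"^\[[^\]]+\]\s*(.+)$")   # "[view] command"

# Settings that must be identical on both M-LAG members.
MUST_MATCH = {
    "system-mac": r"^m-lag system-mac (\S+)",
    "system-priority": r"^m-lag system-priority (\d+)",
    "global-mac": r"^evpn global-mac (\S+)",
    "virtual-ip": r"^evpn m-lag group (\S+)",
}
# Settings that must be different on the two members.
MUST_DIFFER = {"system-number": r"^m-lag system-number (\d+)"}
# Address pairs where one side's first value is the other side's second.
MIRRORED = {
    "keepalive": r"^m-lag keepalive ip destination (\S+) source (\S+)",
    "real-address": r"^evpn m-lag local (\S+) remote (\S+)",
}

# Commands for Five-in-one 1 as they appear in this chapter.
DEVICE1 = """\
[five-in-one1] evpn global-mac 0001-0001-0001
[five-in-one1] evpn m-lag group 10.20.1.2
[five-in-one1] m-lag system-mac 0002-0003-0001
[five-in-one1] m-lag system-number 2
[five-in-one1] m-lag system-priority 10
[five-in-one1] m-lag keepalive ip destination 10.10.1.2 source 10.10.1.1 vpn-instance auto-online-mlag
[five-in-one1] evpn m-lag local 10.1.1.2 remote 10.1.1.3
"""

# Constructed peer transcript using the Five-in-one 2 addresses from Table 13.
DEVICE2 = """\
[five-in-one2] evpn global-mac 0001-0001-0001
[five-in-one2] evpn m-lag group 10.20.1.2
[five-in-one2] m-lag system-mac 0002-0003-0001
[five-in-one2] m-lag system-number 1
[five-in-one2] m-lag system-priority 10
[five-in-one2] m-lag keepalive ip destination 10.10.1.1 source 10.10.1.2 vpn-instance auto-online-mlag
[five-in-one2] evpn m-lag local 10.1.1.3 remote 10.1.1.2
"""


def extract(session):
    """Return {setting: tuple of values} for the first match of each rule."""
    cmds = [m.group(1).strip()
            for m in (PROMPT.match(l.strip()) for l in session.splitlines()) if m]
    found = {}
    for name, pattern in {**MUST_MATCH, **MUST_DIFFER, **MIRRORED}.items():
        for cmd in cmds:
            m = re.match(pattern, cmd, re.I)
            if m:
                found[name] = tuple(g.lower() for g in m.groups())
                break
    return found


def check_pair(session_a, session_b):
    """Compare two M-LAG member transcripts; return a list of problems."""
    a, b = extract(session_a), extract(session_b)
    problems = []
    for name in MUST_MATCH:
        if name not in a or name not in b:
            problems.append(f"{name}: missing on one or both devices")
        elif a[name] != b[name]:
            problems.append(f"{name}: must be identical, got {a[name][0]} vs {b[name][0]}")
    for name in MUST_DIFFER:
        if name not in a or name not in b:
            problems.append(f"{name}: missing on one or both devices")
        elif a[name] == b[name]:
            problems.append(f"{name}: must differ, both are {a[name][0]}")
    for name in MIRRORED:
        if name not in a and name not in b:
            continue                      # optional, for example on a Border
        if name not in a or name not in b:
            problems.append(f"{name}: configured on only one device")
        elif a[name] != b[name][::-1]:
            problems.append(f"{name}: addresses are not mirrored")
    return problems


if __name__ == "__main__":
    print(check_pair(DEVICE1, DEVICE2) or "pair is consistent")
```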
(1) Create the VLANs.
[five-in-one1] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[five-in-one1] interface Bridge-Aggregation1
[five-in-one1-Bridge-Aggregation1] port link-type trunk
[five-in-one1-Bridge-Aggregation1] port trunk permit vlan all
[five-in-one1-Bridge-Aggregation1] port trunk pvid vlan 4094
[five-in-one1-Bridge-Aggregation1] link-aggregation mode dynamic
[five-in-one1-Bridge-Aggregation1] port m-lag peer-link 1
[five-in-one1-Bridge-Aggregation1] undo mac-address static source-check enable
[five-in-one1-Bridge-Aggregation1] quit
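On the S12500X, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On the S6800, a port isolation group must be configured on the peer-link aggregate interface, as follows: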
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[five-in-one1] interface Ten-GigabitEthernet1/0/1
[five-in-one1-Ten-GigabitEthernet1/0/1] port link-mode bridge
[five-in-one1-Ten-GigabitEthernet1/0/1] port link-type trunk
[five-in-one1-Ten-GigabitEthernet1/0/1] port trunk permit vlan all
[five-in-one1-Ten-GigabitEthernet1/0/1] port trunk pvid vlan 4094
[five-in-one1-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[five-in-one1-Ten-GigabitEthernet1/0/1] quit
(4) Configure peer-link physical interface 2.
[five-in-one1] interface Ten-GigabitEthernet1/0/2
[five-in-one1-Ten-GigabitEthernet1/0/2] port link-mode bridge
[five-in-one1-Ten-GigabitEthernet1/0/2] port link-type trunk
[five-in-one1-Ten-GigabitEthernet1/0/2] port trunk permit vlan all
[five-in-one1-Ten-GigabitEthernet1/0/2] port trunk pvid vlan 4094
[five-in-one1-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[five-in-one1-Ten-GigabitEthernet1/0/2] quit
(1) Configure the M-LAG MAD restore delay. After the peer-link recovers, the links are set to MAD UP only after the specified delay.
[five-in-one1] m-lag restore-delay 180
(2) Configure the VPN.
[five-in-one1] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[five-in-one1] interface HundredGigE1/0/30
[five-in-one1-HundredGigE1/0/30] port link-mode route
[five-in-one1-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[five-in-one1-HundredGigE1/0/30] ip address 10.10.1.1 255.255.255.252
[five-in-one1-HundredGigE1/0/30] quit
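(4) Configure the M-LAG MAD whitelist.
All physical interfaces except the M-LAG peer-link interfaces, the MAD interface and interfaces to be added to a service loopback group must be added to the whitelist.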
[five-in-one1] m-lag mad default-action none
[five-in-one1] m-lag keepalive ip destination 10.10.1.2 source 10.10.1.1 vpn-instance auto-online-mlag
[five-in-one1] m-lag mad include interface FortyGigE4/0/1
…(omitted)…
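When the uplink of device 1 and the downlink of device 2 go DOWN at the same time, traffic from the downlink of device 1 reaches the uplink of device 2 through the peer-link escape path, so connectivity with other devices is maintained. The PVID VLAN of the peer-link interface is recommended as the escape VLAN.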
[five-in-one1] interface Vlan-interface4094
[five-in-one1-Vlan-interface4094] ip address 10.30.1.1 255.255.255.252
[five-in-one1-Vlan-interface4094] ospf 1 area 0.0.0.0
[five-in-one1-Vlan-interface4094] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[five-in-one1] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
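· On the S12500X/S5560X/S6520X, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: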
[five-in-one1] l2vpn m-lag peer-link tunnel source 10.1.1.2 destination 10.1.1.3
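So that packets from single-homed VMs forwarded by an M-LAG Leaf to the M-LAG Border can be decapsulated correctly by the M-LAG Border, configure the default decapsulation address on the M-LAG Border as the M-LAG Border virtual address.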
[five-in-one1] vxlan default-decapsulation source interface LoopBack2
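After an M-LAG device starts, its auto-recovery time should be longer than the reboot time of the peer device. For chassis devices such as the S12500G/S12500X/S10500X/S7500X, the reference value is 600 seconds; for fixed-port devices such as the S68XX, the reference value is 300 seconds. Configure it as follows:
[five-in-one1] m-lag auto-recovery reload-delay 600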
(1) Configure the interfaces connected to FW device 1.
[five-in-one1] interface Bridge-Aggregation3
[five-in-one1-Bridge-Aggregation3] port link-type trunk
[five-in-one1-Bridge-Aggregation3] undo port trunk permit vlan 1
[five-in-one1-Bridge-Aggregation3] link-aggregation mode dynamic
[five-in-one1-Bridge-Aggregation3] port m-lag group 2
[five-in-one1-Bridge-Aggregation3] quit
[five-in-one1] interface Ten-GigabitEthernet1/0/3
[five-in-one1-Ten-GigabitEthernet1/0/3] port link-mode bridge
[five-in-one1-Ten-GigabitEthernet1/0/3] port link-type trunk
[five-in-one1-Ten-GigabitEthernet1/0/3] undo port trunk permit vlan 1
[five-in-one1-Ten-GigabitEthernet1/0/3] port link-aggregation group 3
[five-in-one1-Ten-GigabitEthernet1/0/3] quit
(2) Configure the interfaces connected to FW device 2.
[five-in-one1] interface Bridge-Aggregation4
[five-in-one1-Bridge-Aggregation4] port link-type trunk
[five-in-one1-Bridge-Aggregation4] undo port trunk permit vlan 1
[five-in-one1-Bridge-Aggregation4] link-aggregation mode dynamic
[five-in-one1-Bridge-Aggregation4] port m-lag group 3
[five-in-one1-Bridge-Aggregation4] quit
[five-in-one1] interface Ten-GigabitEthernet1/0/4
[five-in-one1-Ten-GigabitEthernet1/0/4] port link-mode bridge
[five-in-one1-Ten-GigabitEthernet1/0/4] port link-type trunk
[five-in-one1-Ten-GigabitEthernet1/0/4] undo port trunk permit vlan 1
[five-in-one1-Ten-GigabitEthernet1/0/4] port link-aggregation group 4
[five-in-one1-Ten-GigabitEthernet1/0/4] quit
(3) Configure the interfaces connected to FW device 3.
[five-in-one1] interface Bridge-Aggregation5
[five-in-one1-Bridge-Aggregation5] port link-type trunk
[five-in-one1-Bridge-Aggregation5] undo port trunk permit vlan 1
[five-in-one1-Bridge-Aggregation5] link-aggregation mode dynamic
[five-in-one1-Bridge-Aggregation5] port m-lag group 4
[five-in-one1-Bridge-Aggregation5] quit
[five-in-one1] interface Ten-GigabitEthernet1/0/5
[five-in-one1-Ten-GigabitEthernet1/0/5] port link-mode bridge
[five-in-one1-Ten-GigabitEthernet1/0/5] port link-type trunk
[five-in-one1-Ten-GigabitEthernet1/0/5] undo port trunk permit vlan 1
[five-in-one1-Ten-GigabitEthernet1/0/5] port link-aggregation group 5
[five-in-one1-Ten-GigabitEthernet1/0/5] quit
(4) Configure the interfaces connected to FW device 4.
[five-in-one1] interface Bridge-Aggregation6
[five-in-one1-Bridge-Aggregation6] port link-type trunk
[five-in-one1-Bridge-Aggregation6] undo port trunk permit vlan 1
[five-in-one1-Bridge-Aggregation6] link-aggregation mode dynamic
[five-in-one1-Bridge-Aggregation6] port m-lag group 5
[five-in-one1-Bridge-Aggregation6] quit
[five-in-one1] interface Ten-GigabitEthernet1/0/6
[five-in-one1-Ten-GigabitEthernet1/0/6] port link-mode bridge
[five-in-one1-Ten-GigabitEthernet1/0/6] port link-type trunk
[five-in-one1-Ten-GigabitEthernet1/0/6] undo port trunk permit vlan 1
[five-in-one1-Ten-GigabitEthernet1/0/6] port link-aggregation group 6
[five-in-one1-Ten-GigabitEthernet1/0/6] quit
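Service VLANs must be permitted on the aggregate interfaces connected to the FWs. For details, see "AD-DC 7.1 Security Service Resource Configuration Guide".
(1) Configure the interfaces connected to LB device 1.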
[five-in-one1] interface Bridge-Aggregation7
[five-in-one1-Bridge-Aggregation7] port link-type trunk
[five-in-one1-Bridge-Aggregation7] undo port trunk permit vlan 1
[five-in-one1-Bridge-Aggregation7] link-aggregation mode dynamic
[five-in-one1-Bridge-Aggregation7] port m-lag group 6
[five-in-one1-Bridge-Aggregation7] quit
[five-in-one1] interface Ten-GigabitEthernet1/0/7
[five-in-one1-Ten-GigabitEthernet1/0/7] port link-mode bridge
[five-in-one1-Ten-GigabitEthernet1/0/7] port link-type trunk
[five-in-one1-Ten-GigabitEthernet1/0/7] undo port trunk permit vlan 1
[five-in-one1-Ten-GigabitEthernet1/0/7] port link-aggregation group 7
[five-in-one1-Ten-GigabitEthernet1/0/7] quit
(2) Configure the interfaces connected to LB device 2.
[five-in-one1] interface Bridge-Aggregation8
[five-in-one1-Bridge-Aggregation8] port link-type trunk
[five-in-one1-Bridge-Aggregation8] undo port trunk permit vlan 1
[five-in-one1-Bridge-Aggregation8] link-aggregation mode dynamic
[five-in-one1-Bridge-Aggregation8] port m-lag group 7
[five-in-one1-Bridge-Aggregation8] quit
[five-in-one1] interface Ten-GigabitEthernet1/0/8
[five-in-one1-Ten-GigabitEthernet1/0/8] port link-mode bridge
[five-in-one1-Ten-GigabitEthernet1/0/8] port link-type trunk
[five-in-one1-Ten-GigabitEthernet1/0/8] undo port trunk permit vlan 1
[five-in-one1-Ten-GigabitEthernet1/0/8] port link-aggregation group 8
[five-in-one1-Ten-GigabitEthernet1/0/8] quit
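Service VLANs must be permitted on the aggregate interfaces connected to the LBs. For details, see "AD-DC 7.1 Security Service Resource Configuration Guide".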
[five-in-one1] interface Bridge-Aggregation2
[five-in-one1-Bridge-Aggregation2] port link-type trunk
[five-in-one1-Bridge-Aggregation2] undo port trunk permit vlan 1
[five-in-one1-Bridge-Aggregation2] link-aggregation mode dynamic
[five-in-one1-Bridge-Aggregation2] port m-lag group 1
[five-in-one1-Bridge-Aggregation2] quit
[five-in-one1] interface Ten-GigabitEthernet1/0/9
[five-in-one1-Ten-GigabitEthernet1/0/9] port link-mode bridge
[five-in-one1-Ten-GigabitEthernet1/0/9] port link-type trunk
[five-in-one1-Ten-GigabitEthernet1/0/9] undo port trunk permit vlan 1
[five-in-one1-Ten-GigabitEthernet1/0/9] port link-aggregation group 2
[five-in-one1-Ten-GigabitEthernet1/0/9] quit
Configure the M-LAG interface for the LACP aggregate link to Server 1
[five-in-one1] interface Bridge-Aggregation256
[five-in-one1-Bridge-Aggregation256] port link-type trunk
[five-in-one1-Bridge-Aggregation256] undo port trunk permit vlan 1
[five-in-one1-Bridge-Aggregation256] link-aggregation mode dynamic
[five-in-one1-Bridge-Aggregation256] port m-lag group 8
[five-in-one1-Bridge-Aggregation256] quit
[five-in-one1] interface Ten-GigabitEthernet1/0/10
[five-in-one1-Ten-GigabitEthernet1/0/10] port link-mode bridge
[five-in-one1-Ten-GigabitEthernet1/0/10] port link-type trunk
[five-in-one1-Ten-GigabitEthernet1/0/10] undo port trunk permit vlan 1
[five-in-one1-Ten-GigabitEthernet1/0/10] port link-aggregation group 256
[five-in-one1-Ten-GigabitEthernet1/0/10] quit
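Each M-LAG interface above is built from a Bridge-Aggregation interface and a physical port that joins it with port link-aggregation group, and a wrong group number silently puts the port into another device's aggregate. The following lint is an added example, not part of the original guide or of any H3C tool. The transcript is constructed in the style of the FW- and LB-facing interfaces and contains two deliberate mistakes: a member port with the wrong group number and a reused m-lag group ID.

```python
import re
from collections import defaultdict

PROMPT = re.compile(r"^\[[^\]]+\]\s*(.+)$")        # "[view] command"
BAGG = re.compile(r"^Bridge-Aggregation(\d+)$")

# Constructed transcript (only the commands the lint looks at).
SAMPLE = """\
[five-in-one1] interface Bridge-Aggregation5
[five-in-one1-Bridge-Aggregation5] port m-lag group 4
[five-in-one1-Bridge-Aggregation5] quit
[five-in-one1] interface Ten-GigabitEthernet1/0/5
[five-in-one1-Ten-GigabitEthernet1/0/5] port link-aggregation group 5
[five-in-one1-Ten-GigabitEthernet1/0/5] quit
[five-in-one1] interface Bridge-Aggregation7
[five-in-one1-Bridge-Aggregation7] port m-lag group 6
[five-in-one1-Bridge-Aggregation7] quit
[five-in-one1] interface Ten-GigabitEthernet1/0/7
[five-in-one1-Ten-GigabitEthernet1/0/7] port link-aggregation group 5
[five-in-one1-Ten-GigabitEthernet1/0/7] quit
[five-in-one1] interface Bridge-Aggregation8
[five-in-one1-Bridge-Aggregation8] port m-lag group 6
[five-in-one1-Bridge-Aggregation8] quit
[five-in-one1] interface Ten-GigabitEthernet1/0/8
[five-in-one1-Ten-GigabitEthernet1/0/8] port link-aggregation group 8
[five-in-one1-Ten-GigabitEthernet1/0/8] quit
"""


def parse(session):
    """Return (aggregates, members) collected from a CLI transcript."""
    aggs = {}                     # aggregate ID -> m-lag group ID (None if unset)
    members = defaultdict(list)   # aggregate ID -> physical member ports
    current = None                # interface whose view we are in
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        tok = m.group(1).split()
        if tok[0] == "interface" and len(tok) == 2:
            current = tok[1]
            b = BAGG.match(current)
            if b:
                aggs.setdefault(int(b.group(1)), None)
        elif tok[0] == "quit":
            current = None
        elif current and len(tok) == 4 and tok[:3] == ["port", "m-lag", "group"]:
            b = BAGG.match(current)
            if b:
                aggs[int(b.group(1))] = int(tok[3])
        elif current and len(tok) == 4 and tok[:3] == ["port", "link-aggregation", "group"]:
            members[int(tok[3])].append(current)
    return aggs, members


def lint(session):
    """Return (finding, subject) tuples for aggregation wiring mistakes."""
    aggs, members = parse(session)
    findings = []
    for agg_id in sorted(members):            # ports joining a missing aggregate
        if agg_id not in aggs:
            for port in members[agg_id]:
                findings.append(("undefined-aggregate",
                                 f"{port} -> Bridge-Aggregation{agg_id}"))
    for agg_id in sorted(aggs):               # aggregates nobody joined
        if not members.get(agg_id):
            findings.append(("no-member-port", f"Bridge-Aggregation{agg_id}"))
    by_group = defaultdict(list)              # m-lag group ID reuse
    for agg_id, group in aggs.items():
        if group is not None:
            by_group[group].append(agg_id)
    for group in sorted(by_group):
        if len(by_group[group]) > 1:
            names = ", ".join(f"Bridge-Aggregation{a}" for a in sorted(by_group[group]))
            findings.append(("duplicate-m-lag-group", f"group {group}: {names}"))
    return findings


if __name__ == "__main__":
    for finding, subject in lint(SAMPLE):
        print(f"{finding:22} {subject}")
```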
(1) Configure the physical interface for the active/standby link to Server 2.
[five-in-one1] interface Ten-GigabitEthernet1/0/11
[five-in-one1-Ten-GigabitEthernet1/0/11] port link-mode bridge
[five-in-one1-Ten-GigabitEthernet1/0/11] port link-type trunk
[five-in-one1-Ten-GigabitEthernet1/0/11] undo port trunk permit vlan 1
[five-in-one1-Ten-GigabitEthernet1/0/11] quit
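(2) Configure evpn m-lag local. Because the Server Leaf connects to Server 2 over active/standby links, the two devices in the M-LAG system have different single-homed ACs, that is, a given AC exists only on device 1 or only on device 2. Routes learned from a single-homed AC use the M-LAG real address as the next hop.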
[five-in-one1] evpn m-lag local 10.1.1.2 remote 10.1.1.3
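· When M-LAG active/standby links are used, enable "Automatically deploy active/standby AC link configuration" on the controller's [Automation > Data Center Networks > Fabrics > Parameters > Controller Global Settings] page. Only then does the controller deploy the configuration symmetrically to both M-LAG devices at the same time.
· When M-LAG active/standby links are used, configure the controller to receive LLDP packets: go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, open the settings page of the target fabric, click the [Settings] tab, and select "Send LLDP packets to the controller" in the LLDP parameters.
· When M-LAG active/standby links are used, enable LLDP on the server. If LLDP cannot be enabled on the server, configure the link information on the controller: after the controller takes over the Server-Leaf, go to the [Automation > Data Center Networks > Fabrics > Link Management] page, click the [Server Links] tab, and add the active link and standby link information. The active and standby link entries must use the same system name, and that name must be globally unique.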
[five-in-one1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
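(1) Go to the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the operation area for fabric1, and then click the "Switching Devices" tab to open the switching device configuration page for fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the "Basic Info" tab:
¡ Device name: five-in-one1.
¡ Basic information:
- Fabric: fabric1. Do not use the controller's default fabric, DEFAULTFABRIC.
- Device type: Border device.
- Management IP: 192.168.11.2.
- VTEP IP: 10.1.1.2.
- Preferred region: region1.
- Device role: Leaf.
- Configure other parameters as required by the network. This example uses the default settings.
Figure 222 Adding a switching device
(3) Click the "Device Control Protocol" tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the one configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 223 Adding a switching device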

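(4) Click the "VXLAN" tab and configure the VXLAN parameters as required by the network. This example uses the default settings.
Figure 224 Configuring VXLAN
(5) Click the "OpenFlow" tab and configure the following parameters:
¡ VRF name: the name of the VPN to which the management interface of the switching device belongs. This example uses mgmt.
¡ Configure other parameters as required by the network. This example uses the default settings.
Figure 225 Configuring OpenFlow
(6) Click the "Advanced" tab and configure advanced parameters as required by the network. This example uses the default settings.
Figure 226 Advanced settings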

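(7) Click <OK> to finish adding the device.
Member devices of an M-LAG system must be configured with the same Global MAC, System MAC, System Priority and M-LAG virtual IP address, and the Global MAC and System MAC must be unique across the entire network.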
<five-in-one2> reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]: y
Configuration file in flash: is being cleared.
Please wait…
Mainboard:
Configuration file is cleared.
<five-in-one2> reboot force
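After the hardware resource parameters are configured, the device must be rebooted for the configuration to take effect.
The hardware resource commands differ between switch models, as follows:
S12500G T series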
[five-in-one2] hardware-resource tcam normal
[five-in-one2] hardware-resource routing-mode ipv6-128
[five-in-one2] hardware-resource vxlan l3gw
S6800
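When the S6800 serves as a Leaf or Border, configure the hardware resources according to service requirements. For details, see "How do I set the VXLAN hardware resource mode of the S6800 according to the scale of the live network?".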
[five-in-one2] hardware-resource switch-mode 4
[five-in-one2] hardware-resource routing-mode ipv6-128
[five-in-one2] hardware-resource vxlan Border40k
S6860
[five-in-one2] hardware-resource switch-mode 4
[five-in-one2] hardware-resource routing-mode ipv6-128
[five-in-one2] hardware-resource vxlan Border24k
S6850/S9850/S6805/S6825
[five-in-one2] hardware-resource switch-mode DUAL-STACK
[five-in-one2] hardware-resource routing-mode ipv6-128
[five-in-one2] hardware-resource vxlan l3gw
S10500X
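For the S10500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and the default for MPUs and switching fabric modules is enhance-ipv6-route. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
(1) Change the interface module parameter. This example uses slot 0.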
[five-in-one2] switch-mode mix-bridging-routing slot 0
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
(2) Change the MPU parameter. This example uses slot 6.
[five-in-one2] switch-mode enhance-ipv6-route slot 6
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
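For the S7500X, the hardware resource parameter switch-mode must use the default value. The default switch-mode for interface modules is mix-bridging-routing, and switch-mode does not need to be set on MPUs. Use the display switch-mode status command to view the configured value. If switch-mode is not the default value, use the switch-mode command to change it to the default; the change takes effect after a reboot.
Change the interface module parameter. This example uses slot 2.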
[five-in-one2] switch-mode mix-bridging-routing slot 2
This command may need reboot the specified slot. Continue? [Y/N]:Y
Process OK.
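S12500G S series
For the S12500G S series, the hardware resource parameter switch-mode must be set to normal (view it with the display switch-mode status command), and system-working-mode must be set to expert (view it with the display system-working-mode command). Use the following commands to change switch-mode and system-working-mode; the changes take effect after a reboot.
This example uses slot 3.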
[five-in-one2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[five-in-one2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
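S12500R series
For the S12500R series, the hardware resource parameter hardware-resource mdb must be set to routing (view it with the display hardware-resource mdb command), and hardware-resource interface must be set to bridge (view it with the display hardware-resource interface command). Use the following commands to change hardware-resource mdb and hardware-resource interface; the changes take effect after a reboot.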
[five-in-one2] hardware-resource mdb routing
[five-in-one2] hardware-resource interface bridge
S10506X-G
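For the S10506X-G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.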
[five-in-one2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S6850-56HF-G/S9850-32H-G
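For the S6850-56HF-G/S9850-32H-G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.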
[five-in-one2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
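S12500G S series/S9820-4C-G/S12500CR
For the S12500G S series/S9820-4C-G/S12500CR, the hardware resource parameter switch-mode must be set to normal (view it with the display switch-mode status command), and system-working-mode must be set to expert (view it with the display system-working-mode command). Use the following commands to change switch-mode and system-working-mode; the changes take effect after a reboot.
This example uses slot 3.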
[five-in-one2] switch-mode slot 3 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
[five-in-one2] system-working-mode expert
Do you want to change the system working mode? [Y/N]:y
System working mode changed. For the change to take effect, save the running configuration and reboot the device.
S10500XG/12500G-EF
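For the S10500XG/12500G-EF, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.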
[five-in-one2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK.
S6805G/S6850G/9850G
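For the S6805G/S6850G/9850G, the hardware resource parameter switch-mode must be set to normal. Use the display switch-mode status slot command to view the configured value. If switch-mode is not normal, use the switch-mode command to change it to normal; the change takes effect after a reboot.
This example uses slot 1.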
[five-in-one2] switch-mode slot 1 normal
This command may need reboot the specified slot. Continue? [Y/N]:y
Process OK
S9825/S9855
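For the S9825/S9855, the hardware resource parameter hardware-resource switch-mode can be set to ROUTING or MAC, and the default is ROUTING. The two modes differ only in specifications and have no functional impact; keeping the default value is recommended, and both ends should use the same mode. Use the display hardware-resource switch-mode command to view the configured value. Set hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command) and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change the values; the changes take effect after a reboot.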
[five-in-one2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[five-in-one2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[five-in-one2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
S9827
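For the S9827, set the hardware resource parameter hardware-resource switch-mode to ROUTING (view it with the display hardware-resource switch-mode command), hardware-resource routing-mode to ipv6-128 (view it with the display hardware-resource routing-mode command), and hardware-resource vxlan to L3GW (view it with the display hardware-resource vxlan command). Use the following commands to change the values; the changes take effect after a reboot.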
[five-in-one2] hardware-resource switch-mode ROUTING
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[five-in-one2] hardware-resource routing-mode ipv6-128
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
[five-in-one2] hardware-resource vxlan L3GW
Do you want to change the specified hardware resource working mode? [Y/N]:y
The hardware resource working mode is changed, please save the configuration and reboot the system to make it effective.
(1) Configure the management VPN.
[five-in-one2] ip vpn-instance mgmt
(2) Configure the default route for the management network. The next hop is the gateway address on the management switch.
[five-in-one2] ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.11.1
(3) Configure the management interface.
[five-in-one2] interface M-GigabitEthernet0/0/0
[five-in-one2-M-GigabitEthernet0/0/0] ip binding vpn-instance mgmt
[five-in-one2-M-GigabitEthernet0/0/0] ip address 192.168.11.3 255.255.255.0
[five-in-one2-M-GigabitEthernet0/0/0] quit
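(4) Configure the management user. The username admin and the password Qwert@1234 are used as examples. The password must be a complex password that contains at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters. Some features use HTTPS short connections, so the service-type https command must be configured; otherwise those features do not work correctly. For the features that use HTTPS short connections, see “Which features use HTTPS short connections?”.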
[five-in-one2] local-user admin class manage
[five-in-one2-luser-manage-admin] password simple Qwert@1234
[five-in-one2-luser-manage-admin] service-type https ssh
[five-in-one2-luser-manage-admin] authorization-attribute user-role network-admin
[five-in-one2-luser-manage-admin] authorization-attribute user-role network-operator
[five-in-one2-luser-manage-admin] quit
(5) Configure VTY.
[five-in-one2] line vty 0 63
[five-in-one2-line-vty0-63] authentication-mode scheme
[five-in-one2-line-vty0-63] user-role network-admin
[five-in-one2-line-vty0-63] user-role network-operator
[five-in-one2-line-vty0-63] quit
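(6) Configure NETCONF. Some features use HTTPS short connections, so the netconf soap https enable command must be configured; otherwise those features do not work correctly. For the features that use HTTPS short connections, see “Which features use HTTPS short connections?”.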
[five-in-one2] netconf soap https enable
[five-in-one2] netconf ssh server enable
(7) Enable the SSH service.
[five-in-one2] ssh server enable
(8) Configure NTP. This step is required when the network has an NTP server. The NTP server IP 192.168.10.101 is used as an example.
[five-in-one2] ntp-service enable
[five-in-one2] ntp-service unicast-server 192.168.10.101 vpn-instance mgmt
(9) Configure SNMP.
[five-in-one2] snmp-agent
[five-in-one2] snmp-agent community write private
[five-in-one2] snmp-agent community read public
[five-in-one2] snmp-agent sys-info version all
[five-in-one2] snmp-agent packet max-size 4096
(10) Enable LLDP.
[five-in-one2] lldp global enable
(1) Enable L2VPN.
[five-in-one2] l2vpn enable
(2) Disable MAC, ARP, and ND learning from VXLAN tunnels.
[five-in-one2] vxlan tunnel mac-learning disable
[five-in-one2] vxlan tunnel arp-learning disable
[five-in-one2] vxlan tunnel nd-learning disable
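To use IPv6, configure the vxlan tunnel nd-learning disable command and enable IPv6 on the [Automation > Data Center Networks > Fabrics > Parameters] page. If IPv6 is not enabled and this command is configured manually, a configuration audit difference is reported.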
[five-in-one2] ospf 1 router-id 192.168.11.3
[five-in-one2-ospf-1] non-stop-routing
[five-in-one2-ospf-1] area 0.0.0.0
[five-in-one2-ospf-1] quit
[five-in-one2] interface LoopBack0
[five-in-one2-LoopBack0] ip address 10.1.1.3 255.255.255.255
[five-in-one2-LoopBack0] ospf 1 area 0.0.0.0
[five-in-one2-LoopBack0] quit
Configure the IBGP RR.
[five-in-one2] bgp 100 instance default
[five-in-one2-bgp-default] non-stop-routing
[five-in-one2-bgp-default] address-family l2vpn evpn
[five-in-one2-bgp-default-evpn] undo policy vpn-target
[five-in-one2-bgp-default-evpn] peer evpn enable
[five-in-one2-bgp-default-evpn] quit
[five-in-one2-bgp-default] quit
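The global MAC is the router MAC used for VXLAN Layer 3 forwarding. The recommended global MAC address range is 0001-0001-0001 to 0001-0001-FFFE; alternatively, select one from the Available Global MAC values of the two devices.
On the S12500G/S12500X/S7500X/S10500X, use the display interface vlan-interface command to view the Available Global MAC.
On the S6805/S6850/S9850/S6825/S6800/S6860 and similar devices, use the bcm s 1 c 0 l2/show/vlan=4095 command in probe mode to view the Available Global MAC.
All M-LAG devices in an M-LAG system must use the same global MAC address, and the global MAC address must be unique network-wide. In multi-Fabric or data center interconnect scenarios, the global MAC address must also be unique network-wide.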
[five-in-one2] evpn global-mac 0001-0001-0001
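On a Border, the M-LAG real address command is not required, that is, the evpn m-lag local remote command does not need to be configured.
(1) Configure the M-LAG virtual address.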
[five-in-one2] interface LoopBack2
[five-in-one2-LoopBack2] ip address 10.20.1.2 255.255.255.255
[five-in-one2-LoopBack2] ospf 1 area 0.0.0.0
[five-in-one2-LoopBack2] quit
(2) The virtual address is the same on all M-LAG devices in the M-LAG system.
[five-in-one2] evpn m-lag group 10.20.1.2
(3) Use the M-LAG virtual address as the next hop of BGP routes.
[five-in-one2] bgp 100
[five-in-one2-bgp-default] address-family l2vpn evpn
[five-in-one2-bgp-default-evpn] nexthop evpn-m-lag group-address
[five-in-one2-bgp-default-evpn] quit
[five-in-one2-bgp-default] quit
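(1) All M-LAG devices in an M-LAG system must use the same system-mac, and it must be unique network-wide. Using the bridge MAC of either M-LAG device as the system-mac is recommended; run the display lacp system-id command on a device to view its bridge MAC.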
[five-in-one2] m-lag system-mac 0002-0003-0001
(2) Configure the M-LAG system-number. Note: The two M-LAG devices must use different system-number values, for example 1 on one M-LAG device and 2 on the other.
[five-in-one2] m-lag system-number 2
(3) Configure the M-LAG system-priority. The two M-LAG devices must use the same priority.
[five-in-one2] m-lag system-priority 10
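The constraints in the three steps above, together with the shared evpn global-mac and evpn m-lag group address from the earlier steps, can be checked across both members before the peer-link is brought up. The following Python check is an added example, not part of the H3C manual; the function names are hypothetical, and the five-in-one1 command list is constructed as the mirror of the five-in-one2 values shown in this guide.

```python
import re

# Per this guide, these settings must be IDENTICAL on both M-LAG members ...
MUST_MATCH = {
    "m-lag system-mac": r"^m-lag system-mac (\S+)",
    "m-lag system-priority": r"^m-lag system-priority (\d+)",
    "evpn global-mac": r"^evpn global-mac (\S+)",
    "evpn m-lag group": r"^evpn m-lag group (\S+)",
}
# ... and this one must DIFFER between the two members.
MUST_DIFFER = {"m-lag system-number": r"^m-lag system-number (\d+)"}


def strip_prompt(line):
    """Drop a leading '[device-view]' or '<device>' CLI prompt, if present."""
    return re.sub(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*", "", line).strip()


def extract(config_text):
    """Return {setting: value} for the M-LAG settings found in the text."""
    found = {}
    for raw in config_text.splitlines():
        line = strip_prompt(raw)
        for name, pattern in {**MUST_MATCH, **MUST_DIFFER}.items():
            m = re.match(pattern, line)
            if m:
                found[name] = m.group(1).lower()  # MACs compare case-insensitively
    return found


def check_pair(config_a, config_b):
    """Compare two members (A, B); return a list of human-readable problems.

    Network-wide uniqueness of system-mac and global-mac is NOT checked here;
    that needs the configurations of every other M-LAG system as well.
    """
    a, b = extract(config_a), extract(config_b)
    problems = []
    for name in list(MUST_MATCH) + list(MUST_DIFFER):
        va, vb = a.get(name), b.get(name)
        missing = [side for side, v in (("A", va), ("B", vb)) if v is None]
        if missing:
            problems.append(f"{name}: not configured on {'/'.join(missing)}")
        elif name in MUST_MATCH and va != vb:
            problems.append(f"{name}: must match, got {va} vs {vb}")
        elif name in MUST_DIFFER and va == vb:
            problems.append(f"{name}: must differ, both are {va}")
    return problems


# Constructed sample: five-in-one1 mirrors the five-in-one2 values from this guide.
FIVE_IN_ONE1 = """\
[five-in-one1] evpn global-mac 0001-0001-0001
[five-in-one1] evpn m-lag group 10.20.1.2
[five-in-one1] m-lag system-mac 0002-0003-0001
[five-in-one1] m-lag system-number 1
[five-in-one1] m-lag system-priority 10
"""
FIVE_IN_ONE2 = FIVE_IN_ONE1.replace("five-in-one1", "five-in-one2").replace(
    "system-number 1", "system-number 2")
# Constructed faulty peer: same system-number, different priority.
BROKEN_PEER = FIVE_IN_ONE1.replace("system-priority 10", "system-priority 20")

if __name__ == "__main__":
    for problem in check_pair(FIVE_IN_ONE1, BROKEN_PEER):
        print(problem)
```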
(1) Create VLANs.
[five-in-one2] vlan 2 to 4094
(2) Configure the peer-link aggregate interface.
[five-in-one2] interface Bridge-Aggregation1
[five-in-one2-Bridge-Aggregation1] port link-type trunk
[five-in-one2-Bridge-Aggregation1] port trunk permit vlan all
[five-in-one2-Bridge-Aggregation1] port trunk pvid vlan 4094
[five-in-one2-Bridge-Aggregation1] link-aggregation mode dynamic
[five-in-one2-Bridge-Aggregation1] port m-lag peer-link 1
[five-in-one2-Bridge-Aggregation1] undo mac-address static source-check enable
[five-in-one2-Bridge-Aggregation1] quit
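On S12500X devices, the undo mac-address static source-check enable command is not required on the peer-link aggregate interface.
On S6800 devices, a port isolation group must be configured on the peer-link aggregate interface, as follows: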
[S6800] port-isolate group 1
[S6800-port-isolate-group1] interface Bridge-Aggregation1
[S6800-Bridge-Aggregation1] port-isolate enable group 1
(3) Configure peer-link physical interface 1.
[five-in-one2] interface Ten-GigabitEthernet1/0/1
[five-in-one2-Ten-GigabitEthernet1/0/1] port link-mode bridge
[five-in-one2-Ten-GigabitEthernet1/0/1] port link-type trunk
[five-in-one2-Ten-GigabitEthernet1/0/1] port trunk permit vlan all
[five-in-one2-Ten-GigabitEthernet1/0/1] port trunk pvid vlan 4094
[five-in-one2-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[five-in-one2-Ten-GigabitEthernet1/0/1] quit
(4) Configure peer-link physical interface 2.
[five-in-one2] interface Ten-GigabitEthernet1/0/2
[five-in-one2-Ten-GigabitEthernet1/0/2] port link-mode bridge
[five-in-one2-Ten-GigabitEthernet1/0/2] port link-type trunk
[five-in-one2-Ten-GigabitEthernet1/0/2] port trunk permit vlan all
[five-in-one2-Ten-GigabitEthernet1/0/2] port trunk pvid vlan 4094
[five-in-one2-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[five-in-one2-Ten-GigabitEthernet1/0/2] quit
(1) Configure the M-LAG MAD recovery delay. After the peer-link recovers, the links go MAD UP only after the specified delay.
[five-in-one2] m-lag restore-delay 180
(2) Configure the VPN.
[five-in-one2] ip vpn-instance auto-online-mlag
(3) Configure the MAD interface.
[five-in-one2] interface HundredGigE1/0/30
[five-in-one2-HundredGigE1/0/30] port link-mode route
[five-in-one2-HundredGigE1/0/30] ip binding vpn-instance auto-online-mlag
[five-in-one2-HundredGigE1/0/30] ip address 10.10.1.2 255.255.255.252
[five-in-one2-HundredGigE1/0/30] quit
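(4) Configure the M-LAG MAD whitelist.
All physical interfaces must be added to the whitelist, except the M-LAG peer-link interfaces, the MAD interface, and interfaces that will be added to a service loopback group.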
[five-in-one2] m-lag mad default-action none
[five-in-one2] m-lag keepalive ip destination 10.10.1.1 source 10.10.1.2 vpn-instance auto-online-mlag
[five-in-one2] m-lag mad include interface FortyGigE4/0/1
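…omitted…
When the uplink ports of device 1 and the downlink ports of device 2 go DOWN at the same time, traffic from the downlink ports of device 1 reaches the uplink ports of device 2 through the escape path over the peer-link, so that connectivity with other devices is maintained. Using the PVID VLAN of the peer-link interface as the escape VLAN is recommended.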
[five-in-one2] interface Vlan-interface4094
[five-in-one2-Vlan-interface4094] ip address 10.30.1.2 255.255.255.252
[five-in-one2-Vlan-interface4094] ospf 1 area 0.0.0.0
[five-in-one2-Vlan-interface4094] quit
Automatically create dynamic ACs on the peer-link.
· On devices other than the S12500X, configure the following command:
[five-in-one2] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
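· On S12500X/S5560X/S6520X devices, configure the following command, where the source address is the Loopback0 address of the local device and the destination address is the Loopback0 address of the M-LAG peer device: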
[five-in-one2] l2vpn m-lag peer-link tunnel source 10.1.1.3 destination 10.1.1.2
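For an M-LAG Border to correctly decapsulate packets of single-homed VMs forwarded to it by an M-LAG Leaf, configure the default decapsulation address on the M-LAG Border as the M-LAG Border virtual address.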
[five-in-one2] vxlan default-decapsulation source interface LoopBack2
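The automatic recovery time after an M-LAG device starts must be longer than the reboot time of the peer device. The reference value is 600 seconds for chassis devices such as the S12500G/S12500X/S10500X/S7500X, and 300 seconds for box devices such as the S68XX. Configure it as follows: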
[server-leaf1] m-lag auto-recovery reload-delay 600
(1) Configure the interface connected to FW device 1.
[five-in-one2] interface Bridge-Aggregation3
[five-in-one2-Bridge-Aggregation3] port link-type trunk
[five-in-one2-Bridge-Aggregation3] undo port trunk permit vlan 1
[five-in-one2-Bridge-Aggregation3] link-aggregation mode dynamic
[five-in-one2-Bridge-Aggregation3] port m-lag group 2
[five-in-one2-Bridge-Aggregation3] quit
[five-in-one2] interface Ten-GigabitEthernet1/0/3
[five-in-one2-Ten-GigabitEthernet1/0/3] port link-mode bridge
[five-in-one2-Ten-GigabitEthernet1/0/3] port link-type trunk
[five-in-one2-Ten-GigabitEthernet1/0/3] undo port trunk permit vlan 1
[five-in-one2-Ten-GigabitEthernet1/0/3] port link-aggregation group 3
[five-in-one2-Ten-GigabitEthernet1/0/3] quit
(2) Configure the interface connected to FW device 2.
[five-in-one2] interface Bridge-Aggregation4
[five-in-one2-Bridge-Aggregation4] port link-type trunk
[five-in-one2-Bridge-Aggregation4] undo port trunk permit vlan 1
[five-in-one2-Bridge-Aggregation4] link-aggregation mode dynamic
[five-in-one2-Bridge-Aggregation4] port m-lag group 3
[five-in-one2-Bridge-Aggregation4] quit
[five-in-one2] interface Ten-GigabitEthernet1/0/4
[five-in-one2-Ten-GigabitEthernet1/0/4] port link-mode bridge
[five-in-one2-Ten-GigabitEthernet1/0/4] port link-type trunk
[five-in-one2-Ten-GigabitEthernet1/0/4] undo port trunk permit vlan 1
[five-in-one2-Ten-GigabitEthernet1/0/4] port link-aggregation group 4
[five-in-one2-Ten-GigabitEthernet1/0/4] quit
(3) Configure the interface connected to FW device 3.
[five-in-one2] interface Bridge-Aggregation5
[five-in-one2-Bridge-Aggregation5] port link-type trunk
[five-in-one2-Bridge-Aggregation5] undo port trunk permit vlan 1
[five-in-one2-Bridge-Aggregation5] link-aggregation mode dynamic
[five-in-one2-Bridge-Aggregation5] port m-lag group 4
[five-in-one2-Bridge-Aggregation5] quit
[five-in-one2] interface Ten-GigabitEthernet1/0/5
[five-in-one2-Ten-GigabitEthernet1/0/5] port link-mode bridge
[five-in-one2-Ten-GigabitEthernet1/0/5] port link-type trunk
[five-in-one2-Ten-GigabitEthernet1/0/5] undo port trunk permit vlan 1
[five-in-one2-Ten-GigabitEthernet1/0/5] port link-aggregation group 5
[five-in-one2-Ten-GigabitEthernet1/0/5] quit
(4) Configure the interface connected to FW device 4.
[five-in-one2] interface Bridge-Aggregation6
[five-in-one2-Bridge-Aggregation6] port link-type trunk
[five-in-one2-Bridge-Aggregation6] undo port trunk permit vlan 1
[five-in-one2-Bridge-Aggregation6] link-aggregation mode dynamic
[five-in-one2-Bridge-Aggregation6] port m-lag group 5
[five-in-one2-Bridge-Aggregation6] quit
[five-in-one2] interface Ten-GigabitEthernet1/0/6
[five-in-one2-Ten-GigabitEthernet1/0/6] port link-mode bridge
[five-in-one2-Ten-GigabitEthernet1/0/6] port link-type trunk
[five-in-one2-Ten-GigabitEthernet1/0/6] undo port trunk permit vlan 1
[five-in-one2-Ten-GigabitEthernet1/0/6] port link-aggregation group 6
[five-in-one2-Ten-GigabitEthernet1/0/6] quit
(1) Configure the interface connected to LB device 1.
[five-in-one2] interface Bridge-Aggregation7
[five-in-one2-Bridge-Aggregation7] port link-type trunk
[five-in-one2-Bridge-Aggregation7] undo port trunk permit vlan 1
[five-in-one2-Bridge-Aggregation7] link-aggregation mode dynamic
[five-in-one2-Bridge-Aggregation7] port m-lag group 6
[five-in-one2-Bridge-Aggregation7] quit
[five-in-one2] interface Ten-GigabitEthernet1/0/7
[five-in-one2-Ten-GigabitEthernet1/0/7] port link-mode bridge
[five-in-one2-Ten-GigabitEthernet1/0/7] port link-type trunk
[five-in-one2-Ten-GigabitEthernet1/0/7] undo port trunk permit vlan 1
[five-in-one2-Ten-GigabitEthernet1/0/7] port link-aggregation group 7
[five-in-one2-Ten-GigabitEthernet1/0/7] quit
(2) Configure the interface connected to LB device 2.
[five-in-one2] interface Bridge-Aggregation8
[five-in-one2-Bridge-Aggregation8] port link-type trunk
[five-in-one2-Bridge-Aggregation8] undo port trunk permit vlan 1
[five-in-one2-Bridge-Aggregation8] link-aggregation mode dynamic
[five-in-one2-Bridge-Aggregation8] port m-lag group 7
[five-in-one2-Bridge-Aggregation8] quit
[five-in-one2] interface Ten-GigabitEthernet1/0/8
[five-in-one2-Ten-GigabitEthernet1/0/8] port link-mode bridge
[five-in-one2-Ten-GigabitEthernet1/0/8] port link-type trunk
[five-in-one2-Ten-GigabitEthernet1/0/8] undo port trunk permit vlan 1
[five-in-one2-Ten-GigabitEthernet1/0/8] port link-aggregation group 8
[five-in-one2-Ten-GigabitEthernet1/0/8] quit
[five-in-one2] interface Bridge-Aggregation2
[five-in-one2-Bridge-Aggregation2] port link-type trunk
[five-in-one2-Bridge-Aggregation2] undo port trunk permit vlan 1
[five-in-one2-Bridge-Aggregation2] link-aggregation mode dynamic
[five-in-one2-Bridge-Aggregation2] port m-lag group 1
[five-in-one2-Bridge-Aggregation2] quit
[five-in-one2] interface Ten-GigabitEthernet1/0/9
[five-in-one2-Ten-GigabitEthernet1/0/9] port link-mode bridge
[five-in-one2-Ten-GigabitEthernet1/0/9] port link-type trunk
[five-in-one2-Ten-GigabitEthernet1/0/9] undo port trunk permit vlan 1
[five-in-one2-Ten-GigabitEthernet1/0/9] port link-aggregation group 2
[five-in-one2-Ten-GigabitEthernet1/0/9] quit
M-LAG interface configuration for the LACP aggregate link to Server 1
[five-in-one2] interface Bridge-Aggregation256
[five-in-one2-Bridge-Aggregation256] port link-type trunk
[five-in-one2-Bridge-Aggregation256] undo port trunk permit vlan 1
[five-in-one2-Bridge-Aggregation256] link-aggregation mode dynamic
[five-in-one2-Bridge-Aggregation256] port m-lag group 8
[five-in-one2-Bridge-Aggregation256] quit
[five-in-one2] interface Ten-GigabitEthernet1/0/10
[five-in-one2-Ten-GigabitEthernet1/0/10] port link-mode bridge
[five-in-one2-Ten-GigabitEthernet1/0/10] port link-type trunk
[five-in-one2-Ten-GigabitEthernet1/0/10] undo port trunk permit vlan 1
[five-in-one2-Ten-GigabitEthernet1/0/10] port link-aggregation group 256
[five-in-one2-Ten-GigabitEthernet1/0/10] quit
(1) Configure the physical interface for the active/standby link to Server 2.
[five-in-one2] interface Ten-GigabitEthernet1/0/11
[five-in-one2-Ten-GigabitEthernet1/0/11] port link-mode bridge
[five-in-one2-Ten-GigabitEthernet1/0/11] port link-type trunk
[five-in-one2-Ten-GigabitEthernet1/0/11] undo port trunk permit vlan 1
[five-in-one2-Ten-GigabitEthernet1/0/11] quit
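(2) Configure evpn m-lag local. Because the Server Leaf connects to Server 2 over an active/standby link, the two devices in the M-LAG system have different single-homed ACs, that is, a given AC exists only on device 1 or only on device 2. Routes learned from single-homed ACs use the M-LAG real address as the next hop.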
[five-in-one2] evpn m-lag local 10.1.1.3 remote 10.1.1.2
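· When M-LAG active/standby links are used, enable “Automatically deploy active/standby AC link configuration” on the [Automation > Data Center Networks > Fabrics > Parameters > Controller Global Settings] page of the controller. Only then does the controller deploy the configuration symmetrically to both M-LAG devices at the same time.
· When M-LAG active/standby links are used, configure LLDP packets to be reported to the controller. To do so, open the [Automation > Data Center Networks > Fabrics > Fabrics] page, open the settings page of the specified Fabric, click the [Settings] tab, and select “Report LLDP to controller” in the LLDP parameters.
· When M-LAG active/standby links are used, enable LLDP on the server. If LLDP cannot be enabled on the server, configure the link information on the controller: after the controller has taken over the Server-Leaf, open the [Automation > Data Center Networks > Fabrics > Link Management] page, click the [Server Links] tab, and add the primary link information and the backup link information. The primary and backup link entries must use the same system name, and the name must be globally unique.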
[five-in-one2] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
The startup.cfg file already exists.
Compared with the startup.cfg file, The current configuration adds 0 commands and deletes 0 commands.
If you want to see the configuration differences, please cancel this operation, and then use the display diff command to show the details.
If you continue the save operation, the file will be overwritten.
Are you sure you want to continue the save operation? [Y/N]:y
Saving the current configuration to the file. Please wait...
Saved the current configuration to mainboard device successfully.
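(1) Open the [Automation > Data Center Networks > Fabrics > Fabrics] page, click the button in the operation column for fabric1, and then click the “Switching Devices” tab to open the switching device configuration page for fabric1.
(2) Click <Add> to open the Add Switching Device page, and configure the following parameters on the “Basic Info” tab:
¡ Device name: five-in-one2.
¡ Basic info:
- Fabric: fabric1. Do not use the controller's default Fabric, DEFAULTFABRIC.
- Device type: Border device.
- Management IP: 192.168.11.3.
- VTEP IP: 10.1.1.3.
- Preferred Region: region1.
- Device role: Leaf.
- Configure the other parameters as required by the network. The default settings are used in this example.
Figure 227 Adding a switching device
(3) Click the “Device Control Protocol” tab and configure the following parameters:
¡ NETCONF username: admin.
¡ NETCONF password: Qwert@1234. It must be a complex password and must match the password configured on the device.
¡ Confirm NETCONF password: Qwert@1234.
¡ Configure the other parameters as required by the network. The default settings are used in this example.
Figure 228 Adding a switching device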

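(4) Click the “VXLAN” tab and configure the VXLAN parameters as required by the network. The default settings are used in this example.
Figure 229 Configuring VXLAN
(5) Click the “OpenFlow” tab and configure the following parameters:
¡ VRF name: the name of the VPN to which the management interface of the switching device belongs. mgmt is used as an example.
¡ Configure the other parameters as required by the network. The default settings are used in this example.
Figure 230 Configuring OpenFlow
(6) Click the “Advanced” tab and configure the advanced parameters as required by the network. The default settings are used in this example.
Figure 231 Advanced settings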

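(7) Click <OK> to finish adding the device.
(1) Open the [Automation > Data Center Networks > Resource Pools > Device Resources > Device Groups] page, click <Add> to open the Add Device Group page, and configure the following parameters in the basic info area:
¡ Device group name: bdgroup1.
¡ MAC address: 3C:8C:40:4E:DD:46. For how to configure the MAC address on S12500X devices, see “When an S12500X acts as a border device, how do I configure the device group MAC address?”.
¡ Remote device group: select Yes for a Remote leaf and No for a non-Remote leaf. This parameter cannot be modified after it is configured, so plan it in advance.
¡ Network position: four options are available and more than one can be selected: Egress Gateway, Inter-Fabric Connectivity, DC Interconnect, and Service Leaf. Plan it in advance.
¡ HA deployment mode: M-LAG.
(2) Configure the following parameters in the egress gateway settings area of the Add Device Group page:
¡ Connection mode: select “VLAN across network segments”. This parameter cannot be modified after it is configured, so plan it in advance.
¡ Address pool list and VLAN pool list:
- Direct egress: select the default address pool and the default VLAN pool.
- Security egress: select “Custom address pool” and “Custom VLAN pool”. Before creating the device group, create the virtual device management network address pool, the tenant carrier firewall internal network address pool, the tenant carrier load balancer internal network address pool, the tenant carrier network VLAN pool, and so on, and then select them from the available address pool list and the available VLAN pool list. For how to configure custom address pools and custom VLAN pools, see the AD-DC 7.1 Security Service Resource Configuration Guide.
Figure 232 Adding a device group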

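(3) In the device group members area of the Add Device Group page, add the border devices five-in-one1 and five-in-one2 that were added earlier.
(4) Click <OK> to finish adding the device group.
If the live network requires packet suppression on ports, configure it on the port as follows.
The recommended settings for broadcast and multicast suppression are as follows: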
broadcast-suppression pps 1000
multicast-suppression pps 1000
The unicast suppression setting depends on the interface speed.
Recommended setting for 1GE/10GE/25GE:
unicast-suppression pps 1000000
Recommended setting for 40GE/100G/200G/400G:
unicast-suppression pps 4000000
Configuration example:
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] broadcast-suppression pps 1000
[Sysname-GigabitEthernet1/0/1] multicast-suppression pps 1000
[Sysname-GigabitEthernet1/0/1] unicast-suppression pps 1000000
If the live network requires ARP attack protection, enable packet rate limiting on the port and set the ARP packet rate limit as follows.
arp rate-limit 1000
Configuration example. Allowing each interface to process ARP packets at 1000 pps is recommended.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] arp rate-limit 1000
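If the live network requires BPDU protection, enable the BPDU protection feature as follows. After this command is executed, if an edge port on the device receives a BPDU, the system shuts down that port and notifies the NMS that the port has been shut down by the spanning tree protocol.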
stp bpdu-protection
Taking an H3C switch as an example, the configuration is as follows:
<Sysname> system-view
[Sysname] stp bpdu-protection
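To confirm that the suppression, ARP rate-limit, and BPDU protection recommendations above are actually present on a device, a saved configuration can be audited offline. The following Python audit is an added example, not part of the H3C manual; the function names, the `skip` parameter, and the sample configuration are constructed, and the input is assumed to use the usual saved-configuration layout in which `#` separates views. Which ports are in scope is the operator's decision, so ports can be excluded with `skip`.

```python
import re

# Recommended unicast-suppression rate by interface type. Only type names that
# appear in this guide are listed; 25GE/200G/400G type names are not assumed.
UNICAST_PPS = {
    "gigabitethernet": 1000000,
    "ten-gigabitethernet": 1000000,
    "fortygige": 4000000,
    "hundredgige": 4000000,
}


def parse_config(config_text):
    """Split a saved configuration into ({interface: [commands]}, [global commands])."""
    interfaces, global_cmds, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":           # "#" closes the current view
            current = None
        elif line.lower().startswith("interface "):
            current = line.split(None, 1)[1].replace(" ", "")
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_cmds.append(line)
    return interfaces, global_cmds


def expected_commands(if_name):
    """Recommended per-port commands, or [] for interface types not audited."""
    m = re.match(r"([A-Za-z-]+)\d", if_name)
    pps = UNICAST_PPS.get(m.group(1).lower()) if m else None
    if pps is None:                            # aggregate, loopback, VLAN, management
        return []
    return ["broadcast-suppression pps 1000", "multicast-suppression pps 1000",
            f"unicast-suppression pps {pps}", "arp rate-limit 1000"]


def audit(config_text, skip=()):
    """Return (scope, expected command, command found or None) for each deviation."""
    interfaces, global_cmds = parse_config(config_text)
    findings = []
    if "stp bpdu-protection" not in global_cmds:
        findings.append(("global", "stp bpdu-protection", None))
    for name, cmds in interfaces.items():
        if name in skip:
            continue
        for want in expected_commands(name):
            keyword = want.rsplit(" ", 1)[0]   # the command without its rate value
            have = next((c for c in cmds if c.startswith(keyword)), None)
            if have != want:
                findings.append((name, want, have))
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
 stp bpdu-protection
#
interface Bridge-Aggregation256
 port link-type trunk
#
interface Ten-GigabitEthernet1/0/10
 broadcast-suppression pps 1000
 multicast-suppression pps 1000
 unicast-suppression pps 1000000
 arp rate-limit 1000
#
interface HundredGigE1/0/25
 broadcast-suppression pps 1000
 multicast-suppression pps 1000
 unicast-suppression pps 1000000
#
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```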
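The operations in this section harden device passwords. Configure the password hardening policies as required.
(1) Enable the global password management feature.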
[border1] password-control enable
(2) Disable the requirement to change the password at first login.
[border1] undo password-control change-password first-login enable
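(3) Configure the minimum password length. A minimum of 8 is used as an example. With the change-password-at-first-login requirement disabled and this command configured, other devices can log in to this device without changing the password while password-control is enabled.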
[border1] password-control length enable
[border1] password-control length 8
(4) Disable password aging. After this command is configured, passwords never expire.
[border1] undo password-control aging enable
(5) Set the password update interval to unlimited.
[border1] password-control update-interval 0
(6) Disable the password history feature. When a password is changed, a previously used password can be set again.
[border1] undo password-control history enable
(7) Configure the maximum number of login attempts, and do not prohibit the user from logging in again after login failures.
[border1] password-control login-attempt 10 exceed unlock
(8) Disable the account idle time check.
[border1] password-control login idle-time 0
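(9) Configure the password composition policy. 2 is used as an example, which means a password must contain at least 2 types of elements.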
[border1] password-control composition enable
[border1] password-control composition type-number 2
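For operations and monitoring information about the networking scenarios in this guide, see the AD-DC 7.1 O&M Monitoring Configuration Guide.
When an S12500X acts as a border device, the device group MAC address cannot be the controller default 3c:8c:40:4e:dd:46. Configure it as follows:
(1) Obtain the bridge MACs of the two S12500X devices.
¡ Border1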
[Border1] display lacp system-id
Actor System ID: 0x8000, 5098-b8d7-1600
¡ Border2
[Border2] display lacp system-id
Actor System ID: 0x8000, 542b-de0a-b200
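(2) Configure the global base MAC.
The bridge MAC obtained for Border1 is 5098-b8d7-1600, and the bridge MAC obtained for Border2 is 542b-de0a-b200.
Select the smaller of the two MACs, which is that of Border1: 5098-b8d7-1600. Add 0X64 to this MAC address: 5098-b8d7-1600+0X64=5098-b8d7-1664. Then, in global mode, configure the MACs of Border1 and Border2 as 5098-b8d7-1600 and 5098-b8d7-1664.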
[border1] routing-interface base-mac 5098-b8d7-1600
[border2] routing-interface base-mac 5098-b8d7-1664
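When the routing-interface base-mac command is configured, the evpn global-mac command must not already be configured on the switch; otherwise the switch reports an error. Configure the routing-interface base-mac command first, and then configure the evpn global-mac command.
(3) Calculate the device group MAC address.
Select the smaller of the two MACs, which is that of Border1: 5098-b8d7-1600. Add 0XC8 to this MAC address: 5098-b8d7-1600+0XC8=5098-b8d7-16C8. The MAC address 5098-b8d7-16C8 is the device group MAC address.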
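The three steps above can be carried out mechanically from the display lacp system-id output of both devices. The following Python helper is an added example, not part of the H3C manual; the function names are hypothetical, the two outputs are the ones shown in step (1), and the result is printed in lowercase H-H-H notation (MAC addresses compare case-insensitively).

```python
import re

SYSTEM_ID_RE = re.compile(
    r"Actor System ID:\s*0x[0-9a-fA-F]+,\s*"
    r"([0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})")


def bridge_mac(display_output):
    """Extract the bridge MAC as an integer from 'display lacp system-id' output."""
    m = SYSTEM_ID_RE.search(display_output)
    if not m:
        raise ValueError("no 'Actor System ID' line found")
    return int(m.group(1).replace("-", ""), 16)


def fmt(mac):
    """Format a 48-bit integer in the H-H-H notation used by the CLI."""
    if not 0 <= mac < 1 << 48:
        raise ValueError("result does not fit in 48 bits")
    digits = f"{mac:012x}"
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def derive_macs(output_border1, output_border2):
    """Apply steps (2) and (3): smaller bridge MAC, then +0x64 and +0xC8."""
    low = min(bridge_mac(output_border1), bridge_mac(output_border2))
    return {
        "border1_base_mac": fmt(low),          # routing-interface base-mac on Border1
        "border2_base_mac": fmt(low + 0x64),   # routing-interface base-mac on Border2
        "device_group_mac": fmt(low + 0xC8),   # MAC address of the device group
    }


def base_mac_allowed(current_config):
    """False if evpn global-mac is already configured (base-mac would be rejected)."""
    return not any(line.strip().startswith("evpn global-mac")
                   for line in current_config.splitlines())


# Outputs as shown in step (1) of this section.
BORDER1_OUTPUT = "Actor System ID: 0x8000, 5098-b8d7-1600"
BORDER2_OUTPUT = "Actor System ID: 0x8000, 542b-de0a-b200"

if __name__ == "__main__":
    for name, value in derive_macs(BORDER1_OUTPUT, BORDER2_OUTPUT).items():
        print(name, value)
```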
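The S6800 supports the following modes:
· l3gw8k: underlay/overlay 40K/8K
· l3gw16k: underlay/overlay 32K/16K
· l3gw24k: underlay/overlay 24K/24K
· l3gw32k: underlay/overlay 16K/32K
· l3gw40k: underlay/overlay 8K/40K
The modes differ in their Underlay and Overlay resource specifications. Calculate the Underlay resources of the live network to determine which resource mode to configure.
The formula is a+b+6*c+2, where a is the total number of VLAN-VXLAN mappings configured on all interfaces of the device, b is the number of VXLAN tunnels on the device, and c is the number of M-LAG Leaf groups in the network.
After the Underlay resources are calculated, set the VXLAN hardware resource mode according to the ranges in the following table.
Table 14 VXLAN hardware resource modes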
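| Calculation result range | hardware-resource vxlan |
| --- | --- |
| Less than 8000 | l3gw40K |
| Greater than 8000 and less than 16000 | l3gw32K |
| Greater than 16000 and less than 24000 | l3gw24K |
| Greater than 24000 | Confirm the appropriate hardware resource mode with a technical support engineer |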
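Note that Underlay and Overlay resources are shared. Increasing the Underlay resources reduces the Overlay resources, so when adjusting the mode, also check whether the requirements are still met.
Also note that the calculation must take future expansion into account. Otherwise, if expansion later requires the hardware resource mode to be changed, the switch must be rebooted for the change to take effect.
For a Leaf device, or a Border device that provides access functions, expand the M-LAG AC ports after onboarding as follows.
In this example, the two devices that form the M-LAG are device1 and device2, and the interface to be added on both devices is Ten-GigabitEthernet1/0/12.
· Devices onboarded manually
a. Configure the M-LAG interface on device1.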
[server-device1] interface Bridge-Aggregation259
[server-device1-Bridge-Aggregation259] port link-type trunk
[server-device1-Bridge-Aggregation259] undo port trunk permit vlan 1
[server-device1-Bridge-Aggregation259] link-aggregation mode dynamic
[server-device1-Bridge-Aggregation259] port m-lag group 9
[server-device1-Bridge-Aggregation259] quit
[server-device1] interface Ten-GigabitEthernet1/0/12
[server-device1-Ten-GigabitEthernet1/0/12] port link-mode bridge
[server-device1-Ten-GigabitEthernet1/0/12] port link-type trunk
[server-device1-Ten-GigabitEthernet1/0/12] undo port trunk permit vlan 1
[server-device1-Ten-GigabitEthernet1/0/12] port link-aggregation group 259
[server-device1-Ten-GigabitEthernet1/0/12] quit
b. Configure the M-LAG interface on device2.
[server-device2] interface Bridge-Aggregation259
[server-device2-Bridge-Aggregation259] port link-type trunk
[server-device2-Bridge-Aggregation259] undo port trunk permit vlan 1
[server-device2-Bridge-Aggregation259] link-aggregation mode dynamic
[server-device2-Bridge-Aggregation259] port m-lag group 9
[server-device2-Bridge-Aggregation259] quit
[server-device2] interface Ten-GigabitEthernet1/0/12
[server-device2-Ten-GigabitEthernet1/0/12] port link-mode bridge
[server-device2-Ten-GigabitEthernet1/0/12] port link-type trunk
[server-device2-Ten-GigabitEthernet1/0/12] undo port trunk permit vlan 1
[server-device2-Ten-GigabitEthernet1/0/12] port link-aggregation group 259
[server-device2-Ten-GigabitEthernet1/0/12] quit
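c. Open the [Automation > Data Center Networks > Resource Pools > Device Resources > Physical Devices] page, click <More>, and select Configure Downlink Ports. In the “Downlink Ports” column of the table on that page, click the “Downlink Ports (num)” link in the row of the device to open the batch downlink port configuration page.
d. In the table on the left, select the AC interfaces to be added on the access device, add them to the table on the right, and click <OK> to save the configuration.
Figure 233 Selecting the interfaces
· Devices onboarded automatically
e. Open the [Automation > Data Center Networks > Fabrics > Cross-Device Aggregation > Intra-Device Aggregate Interfaces] page, and click <Add> to open the Add Intra-Device Aggregate Interface page.
f. Configure the following parameters in the basic info area:
- M-LAG system: select the M-LAG system of the access device.
- Device name: select an access device in the M-LAG system. device1 is used as an example.
- Name: configure the name of the intra-device aggregate interface. port1 is used as an example.
- Interface aggregation mode: Dynamic.
When a Border device acts as an access device, set “Access function” to enabled.
g. In the device interface area, select the physical interfaces to be added on the access device.
Figure 234 Adding an intra-device aggregate interface
h. Click Apply to finish configuring the intra-device aggregate interface.
i. Repeat the preceding steps to configure the intra-device aggregate interface on the other access device in the M-LAG system. For the device name, select the other access device, for example device2. The name port2 is used as an example; the other parameters are the same as for device1.
j. Open the [Automation > Data Center Networks > Fabrics > Cross-Device Aggregation > M-LAG Groups] page, and click <Add> to open the Add M-LAG Group page.
k. Configure the following parameters on that page:
- M-LAG system: select the M-LAG system of the access device.
- Device A aggregate interface: select the aggregate interface of one of the access devices. port1 is used as an example.
- Device B aggregate interface: select the aggregate interface of the other access device. port2 is used as an example.
Figure 235 Adding an M-LAG group
l. Click <OK> to finish adding the M-LAG group.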
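Some features use HTTPS short connections. The service-type https and netconf soap https enable commands must be configured on the device; otherwise those features do not work correctly.
The following features use HTTPS short connections:
· Link expansion
· Loop detection
· Resource statistics (OSPF details, VNI traffic statistics, tunnel information)
· Device maintenance (backup/replacement/restoration/upgrade, one-click inspection, one-click network-wide restoration, device port on/off)
· SSH login to devices
· VLAN access (RoCE)
· Automated onboarding
· M-LAG system
· Closed-loop fault handling
· Obtaining downlink ports
· Bare metal onboarding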
