01-Basic VXLAN configuration
VXLAN overview
Virtual eXtensible LAN (VXLAN) is a MAC-in-UDP technology that provides Layer 2 connectivity between distant network sites across an IP network. VXLAN is typically used in data centers and the access layer of campus networks for multitenant services.
The device supports only IPv4-based VXLAN. IPv6-based VXLAN is not supported.
VXLAN benefits
VXLAN provides the following benefits:
· Support for more virtual switched domains than VLANs—Each VXLAN is uniquely identified by a 24-bit VXLAN ID. The total number of VXLANs can reach 16777216 (2^24). This specification makes VXLAN a better choice than 802.1Q VLAN to isolate traffic for user terminals.
· Easy deployment and maintenance—VXLAN requires deployment only on the edge devices of the transport network. Devices in the transport network perform typical Layer 3 forwarding.
VXLAN network model
As shown in Figure 1, a VXLAN is a virtual Layer 2 network (known as the overlay network) built on top of an existing physical Layer 3 network (known as the underlay network). The overlay network encapsulates inter-site Layer 2 frames into VXLAN packets and forwards the packets to the destination along the Layer 3 forwarding paths provided by the underlay network. The underlay network is transparent to tenants, and geographically dispersed sites of a tenant are merged into a Layer 2 network.
The transport edge devices assign user terminals to different VXLANs, and then forward traffic between sites for user terminals by using VXLAN tunnels. Supported user terminals include PCs, wireless terminals, and VMs on servers.
NOTE: This document uses VMs as examples to describe the mechanisms of VXLAN. The mechanisms do not differ between different kinds of user terminals.
The transport edge devices are VXLAN tunnel endpoints (VTEP). The VTEP implementation of the device uses ACs, VSIs, and VXLAN tunnels to provide VXLAN services.
· VSI—A virtual switch instance is a virtual Layer 2 switched domain. Each VSI provides switching services only for one VXLAN. VSIs learn MAC addresses and forward frames independently of one another. VMs in different sites have Layer 2 connectivity if they are in the same VXLAN.
· Attachment circuit (AC)—An AC is a physical or virtual link that connects a VTEP to a local site. Typically, ACs are site-facing Layer 3 interfaces that are associated with the VSI of a VXLAN. Traffic received from an AC is assigned to the VSI associated with the AC.
· VXLAN tunnel—Logical point-to-point tunnels between VTEPs over the transport network. Each VXLAN tunnel can trunk multiple VXLANs.
VTEPs encapsulate VXLAN traffic in the VXLAN, outer UDP, and outer IP headers. The devices in the transport network forward VXLAN traffic only based on the outer IP header.
Figure 1 VXLAN network model
VXLAN packet format
As shown in Figure 2, a VTEP encapsulates a frame in the following headers:
· 8-byte VXLAN header—VXLAN information for the frame.
○ Flags—If the I bit is 1, the VXLAN ID is valid. If the I bit is 0, the VXLAN ID is invalid. All other bits are reserved and set to 0.
○ 24-bit VXLAN ID—Identifies the VXLAN of the frame. It is also called the virtual network identifier (VNI).
· 8-byte outer UDP header for VXLAN—The default VXLAN destination UDP port number is 4789.
· 20-byte outer IP header—Valid addresses of VTEPs or VXLAN multicast groups on the transport network. Devices in the transport network forward VXLAN packets based on the outer IP header.
Figure 2 VXLAN packet format
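The header rules above (I bit, reserved bits, 24-bit VXLAN ID) can be checked on receipt as in the following added example, which is not part of the original document or of the device software. The I bit position (0x08) comes from RFC 7348; the function names, the inner-frame length check, and the VNI-to-VSI table (VXLAN 10 on VSI vpna, as in the configuration example) are assumptions made for illustration.

```python
import struct

VXLAN_HEADER_LEN = 8
VXLAN_FLAG_I = 0x08        # position of the I bit in the flags byte (RFC 7348)
MAX_VNI = (1 << 24) - 1    # largest 24-bit VXLAN ID
MIN_ETHERNET_HEADER = 14   # destination MAC + source MAC + EtherType


class VxlanHeaderError(ValueError):
    """The 8-byte VXLAN header failed validation."""


def build_vxlan_header(vni):
    """Return the header: flags (1 byte), reserved (3), VXLAN ID (3), reserved (1)."""
    if not 0 <= vni <= MAX_VNI:
        raise VxlanHeaderError(f"VXLAN ID {vni} does not fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def parse_vxlan_header(udp_payload, strict=True):
    """Validate the header and return (vni, inner_ethernet_frame)."""
    if len(udp_payload) < VXLAN_HEADER_LEN:
        raise VxlanHeaderError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", udp_payload[:VXLAN_HEADER_LEN])
    flags, reserved_a = word0 >> 24, word0 & 0xFFFFFF
    vni, reserved_b = word1 >> 8, word1 & 0xFF
    if not flags & VXLAN_FLAG_I:
        raise VxlanHeaderError("I bit is 0, so the VXLAN ID is not valid")
    # strict mode also rejects packets whose reserved bits are not all 0
    if strict and (flags & ~VXLAN_FLAG_I & 0xFF or reserved_a or reserved_b):
        raise VxlanHeaderError("reserved bits are not 0")
    return vni, udp_payload[VXLAN_HEADER_LEN:]


def classify(udp_payload, vni_to_vsi):
    """Return the VSI name for a received VXLAN payload, or None to discard it."""
    try:
        vni, inner = parse_vxlan_header(udp_payload)
    except VxlanHeaderError:
        return None
    if len(inner) < MIN_ETHERNET_HEADER:
        return None                      # no complete inner Ethernet header
    return vni_to_vsi.get(vni)           # unknown VXLAN ID: no VSI, discard


# Constructed sample data: VXLAN 10 on VSI vpna and a minimal inner frame.
VSI_BY_VNI = {10: "vpna"}
INNER_FRAME = bytes.fromhex("00005e005304" "00005e005301" "0800") + b"payload"

if __name__ == "__main__":
    good = build_vxlan_header(10) + INNER_FRAME
    print(classify(good, VSI_BY_VNI))                       # known VXLAN ID
    print(classify(build_vxlan_header(11) + INNER_FRAME, VSI_BY_VNI))
    print(classify(b"\x00" + good[1:], VSI_BY_VNI))         # I bit cleared
```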
VXLAN working mechanisms
Generic VXLAN network establishment and forwarding process
The VTEP uses the following process to establish the VXLAN network and forward an inter-site frame:
1. Discovers remote VTEPs, establishes VXLAN tunnels, and assigns the VXLAN tunnels to VXLANs.
2. Assigns the frame to its matching VXLAN if the frame is sent between sites.
3. Performs MAC learning on the VXLAN's VSI.
4. Forwards the frame through VXLAN tunnels.
This section describes this process in detail. For intra-site frames in a VSI, the system performs typical Layer 2 forwarding, and it processes 802.1Q VLAN tags as described in "Access modes of VSIs."
VXLAN tunnel establishment and assignment
To provide Layer 2 connectivity for a VXLAN between two sites, you must create a VXLAN tunnel between the sites and assign the tunnel to the VXLAN.
VXLAN tunnel establishment
VXLAN supports manual and automatic VXLAN tunnel establishment.
· Manual creation—Manually create a VXLAN tunnel interface, and specify the tunnel source and destination IP addresses on the peer VTEPs.
· Automatic creation—Configure Ethernet Virtual Private Network (EVPN) to automatically discover VTEPs and set up VXLAN tunnels. For more information about EVPN, see EVPN Configuration Guide.
VXLAN tunnel assignment
VXLAN supports manual and automatic VXLAN tunnel assignment.
· Manual assignment—Manually assign VXLAN tunnels to VXLANs.
· Automatic assignment—Run EVPN to automatically assign VXLAN tunnels to VXLANs. For more information about EVPN, see EVPN Configuration Guide.
Assignment of traffic to VXLANs
Traffic from the local site to a remote site
The VTEP uses the following methods to assign customer frames to a VXLAN:
· Layer 3 interface-to-VSI mapping—This method maps a site-facing Layer 3 interface to a VSI. The VTEP assigns all frames received from the interface to the VXLAN of the VSI.
· Ethernet service instance-to-VSI mapping—This method uses the frame match criterion of an Ethernet service instance to match a list of VLANs on a site-facing Layer 2 interface. The frame match criterion specifies the characteristics of traffic from the VLANs, such as tagging status and VLAN IDs. The VTEP assigns customer traffic to a VXLAN by mapping the Ethernet service instance to a VSI.
As shown in Figure 3, Ethernet service instance 1 matches VLAN 2 and is mapped to VSI A (VXLAN 10). When a frame from VLAN 2 arrives, the VTEP assigns the frame to VXLAN 10, and looks up VSI A's MAC address table for the outgoing interface.
Figure 3 Identifying traffic from the local site
Traffic from a remote site to the local site
When a frame arrives at a VXLAN tunnel, the VTEP uses the VXLAN ID in the frame to identify its VXLAN.
MAC learning
The VTEP performs source MAC learning on the VSI as a Layer 2 switch.
· For traffic from the local site to the remote site, the VTEP learns the source MAC address before VXLAN encapsulation.
· For traffic from the remote site to the local site, the VTEP learns the source MAC address after removing the VXLAN header.
A VSI's MAC address table includes the following types of MAC address entries:
· Local MAC—MAC entries learned from the local site. The outgoing interfaces for the MAC address entries are site-facing interfaces.
○ Static—Manually added MAC entries.
○ Dynamic—Dynamically learned MAC entries.
· Remote MAC—MAC entries learned from a remote site, including static and dynamic MAC entries. The outgoing interfaces for the MAC addresses are VXLAN tunnel interfaces.
○ Static—Manually added MAC entries.
○ Dynamic—MAC entries learned in the data plane from incoming traffic on VXLAN tunnels. The learned MAC addresses are contained in the inner Ethernet header.
○ BGP EVPN—MAC entries advertised through BGP EVPN. For more information, see EVPN Configuration Guide.
○ OpenFlow—MAC entries issued by a remote controller through OpenFlow. For more information, see OpenFlow Configuration Guide.
The following shows the priority order of different types of remote MAC address entries:
a. Static MAC address entries and MAC address entries issued by a remote controller through OpenFlow. These types of entries have the same priority and overwrite each other.
b. MAC address entries advertised through BGP EVPN.
c. Dynamic MAC address entries.
Unicast forwarding
Intra-site unicast forwarding
The VTEP uses the following process to forward a known unicast frame within a site:
1. Identifies the VSI of the frame.
2. Looks up the destination MAC address in the VSI's MAC address table for the outgoing interface.
3. Sends the frame out of the matching outgoing interface.
As shown in Figure 4, VTEP 1 forwards a frame from VM 1 to VM 4 within the local site in VLAN 10 as follows:
1. Identifies that the frame belongs to VSI A when the frame arrives at Interface A.
2. Looks up the destination MAC address (MAC 4) in the MAC address table of VSI A for the outgoing interface.
3. Sends the frame out of the matching outgoing interface (Interface B) to VM 4 in VLAN 10.
Inter-site unicast forwarding
The following process (see Figure 5) applies to a known unicast frame between sites:
1. The source VTEP encapsulates the Ethernet frame in the VXLAN/UDP/IP header.
In the outer IP header, the source IP address is the source VTEP's VXLAN tunnel source IP address. The destination IP address is the VXLAN tunnel destination IP address.
2. The source VTEP forwards the encapsulated packet out of the outgoing VXLAN tunnel interface found in the VSI's MAC address table.
3. The intermediate transport devices (P devices) forward the frame to the destination VTEP by using the outer IP header.
4. The destination VTEP removes the headers on top of the inner Ethernet frame. It then performs MAC address table lookup in the VXLAN's VSI to forward the frame out of the matching outgoing interface.
Flood
The source VTEP floods a broadcast, multicast, or unknown unicast frame to all site-facing interfaces and VXLAN tunnels in the VXLAN, except for the incoming interface. Each destination VTEP floods the inner Ethernet frame to all site-facing interfaces in the VXLAN. To avoid loops, the destination VTEPs do not flood the frame back to VXLAN tunnels.
VXLAN supports unicast mode (also called head-end replication) and flood proxy mode for flood traffic.
Unicast mode (head-end replication)
As shown in Figure 6, the source VTEP replicates the flood frame, and then sends one replica to the destination IP address of each VXLAN tunnel in the VXLAN.
Flood proxy mode (proxy server replication)
As shown in Figure 7, the source VTEP sends the flood frame in a VXLAN packet over a VXLAN tunnel to a flood proxy server. The flood proxy server replicates and forwards the packet to each remote VTEP through its VXLAN tunnels.
The flood proxy mode applies to VXLANs that have many sites. This mode reduces flood traffic in the transport network without using a multicast protocol. To use a flood proxy server, you must set up a VXLAN tunnel to the server on each VTEP.
The flood proxy mode is typically used in SDN transport networks that have a flood proxy server. For VTEPs to forward packets based on the MAC address table issued by an SDN controller, you must disable remote-MAC address learning by using the vxlan tunnel mac-learning disable command.
Access modes of VSIs
The access mode of a VSI determines how the VTEP processes the 802.1Q VLAN tags in the Ethernet frames.
VLAN access mode
In this mode, Ethernet frames received from or sent to the local site must contain 802.1Q VLAN tags.
· For an Ethernet frame received from the local site, the VTEP removes all its 802.1Q VLAN tags before forwarding the frame.
· For an Ethernet frame destined for the local site, the VTEP adds 802.1Q VLAN tags to the frame before forwarding the frame.
In VLAN access mode, VXLAN packets sent between sites do not contain 802.1Q VLAN tags. You can use different 802.1Q VLANs to provide the same service in different sites.
Ethernet access mode
The VTEP does not process the 802.1Q VLAN tags of Ethernet frames received from or sent to the local site.
· For an Ethernet frame received from the local site, the VTEP forwards the frame with the 802.1Q VLAN tags intact.
· For an Ethernet frame destined for the local site, the VTEP forwards the frame without adding 802.1Q VLAN tags.
In Ethernet access mode, VXLAN packets sent between VXLAN sites contain 802.1Q VLAN tags. You must use the same VLAN to provide the same service between sites.
ARP flood suppression
ARP flood suppression reduces ARP request broadcasts by enabling the VTEP to reply to ARP requests on behalf of VMs.
As shown in Figure 8, this feature snoops ARP packets to populate the ARP flood suppression table with local and remote MAC addresses. If an ARP request has a matching entry, the VTEP replies to the request on behalf of the VM. If no match is found, the VTEP floods the request to both local and remote sites.
Figure 8 ARP and ND flood suppression
The following uses ARP flood suppression as an example to explain the flood suppression workflow:
1. VM 1 sends an ARP request to obtain the MAC address of VM 7.
2. VTEP 1 creates a suppression entry for VM 1, and floods the ARP request in the VXLAN.
3. VTEP 2 and VTEP 3 de-encapsulate the ARP request. The VTEPs create a suppression entry for VM 1, and broadcast the request in the local site.
4. VM 7 sends an ARP reply.
5. VTEP 2 creates a suppression entry for VM 7 and forwards the ARP reply to VTEP 1.
6. VTEP 1 de-encapsulates the ARP reply, creates a suppression entry for VM 7, and forwards the ARP reply to VM 1.
7. VM 4 sends an ARP request to obtain the MAC address of VM 1 or VM 7.
8. VTEP 1 creates a suppression entry for VM 4 and replies to the ARP request.
9. VM 10 sends an ARP request to obtain the MAC address of VM 1.
10. VTEP 3 creates a suppression entry for VM 10 and replies to the ARP request.
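The workflow above can be traced with the following added simulation, which is not part of the original document or of the device software. The IP and MAC addresses are constructed, the placement of VM 1 and VM 4 behind VTEP 1, VM 7 behind VTEP 2, and VM 10 behind VTEP 3 is inferred from the steps, and the class and method names are hypothetical.

```python
# Constructed addresses for the VMs named in the workflow (not from the document).
VM1, VM4, VM7, VM10 = "10.1.1.1", "10.1.1.4", "10.1.1.7", "10.1.1.10"
MACS = {VM1: "00:00:5e:00:53:01", VM4: "00:00:5e:00:53:04",
        VM7: "00:00:5e:00:53:07", VM10: "00:00:5e:00:53:0a"}


class Vtep:
    def __init__(self, name, local_ips):
        self.name = name
        self.local_vms = {ip: MACS[ip] for ip in local_ips}  # VMs in the local site
        self.suppression = {}   # ARP flood suppression table: IP -> MAC
        self.peers = []         # remote VTEPs reachable through VXLAN tunnels
        self.floods_sent = 0    # ARP requests this VTEP had to flood

    def local_arp_request(self, sender_ip, target_ip):
        """ARP request from a local VM. Returns (target MAC or None, flooded)."""
        # The VTEP snoops the request and records the sender.
        self.suppression[sender_ip] = self.local_vms[sender_ip]
        if target_ip in self.suppression:
            # Matching entry: reply on behalf of the target, nothing is flooded.
            return self.suppression[target_ip], False
        # No match: flood to the local site and to every VXLAN tunnel.
        self.floods_sent += 1
        answer = self.local_vms.get(target_ip)
        for peer in self.peers:
            answer = peer.flooded_arp_request(
                sender_ip, self.suppression[sender_ip], target_ip) or answer
        if answer is not None:
            # The ARP reply passes through this VTEP, which snoops it.
            self.suppression[target_ip] = answer
        return answer, True

    def flooded_arp_request(self, sender_ip, sender_mac, target_ip):
        """Flooded ARP request received on a VXLAN tunnel."""
        self.suppression[sender_ip] = sender_mac      # learn the remote sender
        mac = self.local_vms.get(target_ip)           # broadcast in the local site
        if mac is not None:
            self.suppression[target_ip] = mac         # snoop the local VM's reply
        return mac


def build_fabric():
    """Three VTEPs with a VXLAN tunnel between each pair."""
    vteps = [Vtep("VTEP 1", [VM1, VM4]), Vtep("VTEP 2", [VM7]),
             Vtep("VTEP 3", [VM10])]
    for vtep in vteps:
        vtep.peers = [p for p in vteps if p is not vtep]
    return vteps


if __name__ == "__main__":
    vtep1, vtep2, vtep3 = build_fabric()
    print(vtep1.local_arp_request(VM1, VM7))    # steps 1-6: flooded
    print(vtep1.local_arp_request(VM4, VM7))    # steps 7-8: VTEP 1 replies
    print(vtep3.local_arp_request(VM10, VM1))   # steps 9-10: VTEP 3 replies
```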
VXLAN IP gateways
A VXLAN IP gateway provides Layer 3 forwarding services for VMs in VXLANs. A VXLAN IP gateway can be an independent device or be collocated with a VTEP. For more information about VXLAN IP gateway placement, see "Configuring VXLAN IP gateways."
Protocols and standards
RFC 7348, Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks
Configuring basic VXLAN features
VXLAN tasks at a glance
To configure basic VXLAN settings, perform the following tasks on VTEPs:
1. Creating a VXLAN on a VSI
2. Configuring a VXLAN tunnel
3. Manually assigning VXLAN tunnels to a VXLAN
4. Assigning customer frames to a VSI
5. (Optional.) Managing MAC address entries
○ Configuring static MAC address entries
○ Disabling remote-MAC address learning
6. (Optional.) Configuring VXLAN packet parameters
○ Setting the destination UDP port number of VXLAN packets
○ Configuring VXLAN packet check
7. (Optional.) Reducing flood traffic in the transport network
○ Disabling flooding for a VSI
○ Enabling ARP flood suppression
Prerequisites for VXLAN
Configure a routing protocol on the devices in the transport network to make sure the VTEPs can reach one another.
Creating a VXLAN on a VSI
1. Enter system view.
system-view
2. Enable L2VPN.
l2vpn enable
By default, L2VPN is disabled.
3. Create a VSI and enter VSI view.
vsi vsi-name
4. Configure a description for the VSI.
description text
By default, a VSI does not have a description.
5. Enable the VSI.
undo shutdown
By default, a VSI is enabled.
6. Create a VXLAN and enter VXLAN view.
vxlan vxlan-id
You can create only one VXLAN on a VSI.
The VXLAN ID must be unique for each VSI.
7. (Optional.) Configure VSI parameters:
a. Return to VSI view.
quit
b. Configure a VSI description.
description text
By default, a VSI does not have a description.
c. Set the MTU for the VSI.
mtu mtu
The default MTU for a VSI is 1500 bytes.
d. Set the maximum bandwidth for known unicast traffic of the VSI.
bandwidth bandwidth
By default, the maximum bandwidth is not limited for known unicast traffic of a VSI.
e. Enable MAC address learning for the VSI.
mac-learning enable
By default, MAC address learning is enabled for a VSI.
f. Set a limit for the VSI's MAC address table.
mac-table limit mac-limit
By default, no limit is set for a VSI's MAC address table.
g. Enable the VSI to drop source-unknown unicast frames if the MAC address table is full.
mac-table limit drop-unknown
By default, the VSI forwards source-unknown unicast frames without learning the source MAC address if the MAC address table is full.
Configuring a VXLAN tunnel
Manually creating a VXLAN tunnel
About this task
When you manually create a VXLAN tunnel, specify addresses on the local VTEP and the remote VTEP as the tunnel source and destination addresses, respectively.
Restrictions and guidelines
As a best practice, do not configure multiple VXLAN tunnels to use the same source and destination IP addresses.
Make sure the following VXLAN tunnels are not associated with the same VXLAN when they have the same tunnel destination IP address:
· A VXLAN tunnel automatically created by EVPN.
· A manually created VXLAN tunnel.
For more information about EVPN, see EVPN Configuration Guide.
This task provides basic VXLAN tunnel configuration. For more information about tunnel interface configuration and commands, see Interface Configuration Guide and Interface Command Reference.
Procedure
1. Enter system view.
system-view
2. (Optional.) Specify a global source IP address for VXLAN tunnels.
tunnel global source-address ip-address
By default, no global source IP address is specified for VXLAN tunnels.
A VXLAN tunnel uses the global source address if you do not specify a source interface or source address for the tunnel.
3. Create a VXLAN tunnel interface and enter tunnel interface view.
interface tunnel tunnel-number mode vxlan
The endpoints of a tunnel must use the same tunnel mode.
4. Specify a source address for the tunnel. Choose one of the following methods:
○ Specify a source IP address for the tunnel.
source ipv4-address
The specified IP address is used in the outer IP header of tunneled VXLAN packets.
○ Specify a source interface for the tunnel.
source interface-type interface-number
The primary IP address of the specified interface is used in the outer IP header of tunneled VXLAN packets.
By default, no source IP address or source interface is specified for a tunnel.
5. Specify a destination IP address for the tunnel.
destination ipv4-address
By default, no destination IP address is specified for a tunnel.
Specify the remote VTEP's IP address. This IP address will be the destination IP address in the outer IP header of tunneled VXLAN packets.
Enabling BFD on a VXLAN tunnel
About this task
Enable BFD on both ends of a VXLAN tunnel for quick link connectivity detection. The VTEPs periodically send BFD single-hop control packets to each other through the VXLAN tunnel. A VTEP sets the tunnel state to Defect if it has not received control packets from the remote end for 5 seconds. In this situation, the tunnel interface state is still Up. The tunnel state will change from Defect to Up if the VTEP can receive BFD control packets again.
Restrictions and guidelines
You must enable BFD on both ends of a VXLAN tunnel.
Procedure
1. Enter system view.
system-view
2. Specify the reserved VXLAN.
reserved vxlan vxlan-id
By default, no VXLAN has been reserved.
For BFD sessions to come up, you must reserve a VXLAN.
You can specify only one reserved VXLAN on the VTEP. The reserved VXLAN cannot be the VXLAN created on any VSI.
The reserved VXLAN ID cannot be the same as the remote VXLAN ID specified by using the mapping vni command. For more information about the mapping vni command, see EVPN Command Reference.
3. Enter VXLAN tunnel interface view.
interface tunnel tunnel-number
4. Enable BFD on the tunnel.
tunnel bfd enable destination-mac mac-address
By default, BFD is disabled on a tunnel.
Manually assigning VXLAN tunnels to a VXLAN
About this task
To provide Layer 2 connectivity for a VXLAN between two sites, you must assign the VXLAN tunnel between the sites to the VXLAN.
You can assign multiple VXLAN tunnels to a VXLAN, and configure a VXLAN tunnel to trunk multiple VXLANs. For a unicast-mode VXLAN, the system floods unknown unicast, multicast, and broadcast traffic to each tunnel associated with the VXLAN. If a flood proxy server is used, the VTEP sends flood traffic to the server through the flood proxy tunnel. The flood proxy server replicates and forwards flood traffic to remote VTEPs.
Restrictions and guidelines
For full Layer 2 connectivity in the VXLAN, make sure the VXLAN contains the VXLAN tunnel between each pair of sites in the VXLAN.
Procedure
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Enter VXLAN view.
vxlan vxlan-id
4. Assign VXLAN tunnels to the VXLAN.
tunnel { tunnel-number [ flooding-proxy ] }
By default, a VXLAN does not contain any VXLAN tunnels.
Parameter | Description |
---|---|
flooding-proxy | Enables flood proxy on a tunnel for it to send flood traffic to the flood proxy server. The flood proxy server replicates and forwards flood traffic to remote VTEPs. |
Assigning customer frames to a VSI
Mapping a Layer 3 interface to a VSI
About this task
To assign the customer traffic on a Layer 3 interface to a VXLAN, map the interface to the VXLAN's VSI. The VSI uses its MAC address table to forward the customer traffic.
Restrictions and guidelines
Link aggregation group membership is mutually exclusive with VSI mappings on a Layer 3 interface. Do not map a VSI to a Layer 3 interface that is in a Layer 3 aggregation group.
Procedure
1. Enter system view.
system-view
2. Enter Layer 3 interface view.
interface interface-type interface-number
3. Map the Layer 3 interface to a VSI.
xconnect vsi vsi-name [ track track-entry-number&<1-3> ]
By default, a Layer 3 interface is not mapped to any VSI.
Managing MAC address entries
About MAC address entry management
Local-MAC address entries can be manually added or dynamically learned. You can log local MAC addresses and local-MAC changes.
Remote-MAC address entries have a variety of types, including manually added entries and dynamically learned entries.
Configuring static MAC address entries
Restrictions and guidelines
Do not configure static remote-MAC entries for VXLAN tunnels that are automatically established by using EVPN.
· EVPN re-establishes VXLAN tunnels if the transport-facing interface goes down and then comes up. If you have configured static remote-MAC entries, the entries are deleted when the tunnels are re-established.
· EVPN re-establishes VXLAN tunnels if you perform configuration rollback. If the tunnel IDs change during tunnel re-establishment, configuration rollback fails, and static remote-MAC entries on the tunnels cannot be restored.
For more information about EVPN, see EVPN Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Add a static remote-MAC address entry.
mac-address static mac-address interface tunnel tunnel-number vsi vsi-name
For the setting to take effect, make sure the VSI's VXLAN has been specified on the VXLAN tunnel.
Disabling remote-MAC address learning
About this task
When network attacks occur, disable remote-MAC address learning to prevent the device from learning incorrect remote MAC addresses. You can manually add static remote-MAC address entries.
Procedure
1. Enter system view.
system-view
2. Disable remote-MAC address learning.
vxlan tunnel mac-learning disable
By default, remote-MAC address learning is enabled.
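The following added model, which is not part of the original document or of the device software, shows how the remote-MAC priority order described under "MAC learning" and the learning switch in this task decide which tunnel a remote MAC address points to. The class and method names and the MAC address are constructed for illustration. The document states that static and OpenFlow entries overwrite each other; the model assumes the same replacement behavior between two entries of any other equal-priority type.

```python
from dataclasses import dataclass

# Priority order from the document: static and OpenFlow entries share the
# highest priority, then BGP EVPN entries, then dynamic entries.
PRIORITY = {"static": 3, "openflow": 3, "evpn": 2, "dynamic": 1}


@dataclass(frozen=True)
class RemoteMac:
    mac: str
    tunnel: int      # outgoing VXLAN tunnel interface number
    origin: str      # one of the keys of PRIORITY


class RemoteMacTable:
    """Remote-MAC entries of one VSI (hypothetical model)."""

    def __init__(self, remote_learning=True):
        # remote_learning=False models "vxlan tunnel mac-learning disable".
        self.remote_learning = remote_learning
        self.entries = {}
        self.rejected = []   # (candidate, reason) pairs kept for review

    def offer(self, mac, tunnel, origin):
        """Try to install an entry. Returns True if the table changed."""
        candidate = RemoteMac(mac.lower(), tunnel, origin)
        if origin == "dynamic" and not self.remote_learning:
            return self._reject(candidate, "remote-MAC learning disabled")
        current = self.entries.get(candidate.mac)
        if current and PRIORITY[origin] < PRIORITY[current.origin]:
            return self._reject(candidate, f"lower priority than {current.origin}")
        # Assumption: an equal-priority entry replaces the existing one.
        self.entries[candidate.mac] = candidate
        return True

    def _reject(self, candidate, reason):
        self.rejected.append((candidate, reason))
        return False

    def outgoing_tunnel(self, mac):
        entry = self.entries.get(mac.lower())
        return entry.tunnel if entry else None


VM_MAC = "00:00:5e:00:53:07"   # constructed MAC address of a remote VM


def learned_only():
    """Default behavior: the newest data-plane observation decides the tunnel."""
    table = RemoteMacTable()
    table.offer(VM_MAC, 1, "dynamic")   # source MAC seen on Tunnel 1
    table.offer(VM_MAC, 2, "dynamic")   # same source MAC later seen on Tunnel 2
    return table.outgoing_tunnel(VM_MAC)


def evpn_advertised():
    """A BGP EVPN entry is not displaced by data-plane learning."""
    table = RemoteMacTable()
    table.offer(VM_MAC, 1, "evpn")
    changed = table.offer(VM_MAC, 2, "dynamic")
    return table.outgoing_tunnel(VM_MAC), changed


def static_with_learning_disabled():
    """Learning disabled and the entry added manually, as this task describes."""
    table = RemoteMacTable(remote_learning=False)
    table.offer(VM_MAC, 1, "static")
    table.offer(VM_MAC, 2, "dynamic")
    table.offer("00:00:5e:00:53:99", 2, "dynamic")   # unknown MAC is not learned
    return table.outgoing_tunnel(VM_MAC), [reason for _, reason in table.rejected]


if __name__ == "__main__":
    print(learned_only())
    print(evpn_advertised())
    print(static_with_learning_disabled())
```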
Enabling local-MAC logging
About this task
When the local-MAC logging feature is enabled, the VXLAN module immediately sends a log message with its local MAC addresses to the information center. When a local MAC address is added or removed, a log message is also sent to the information center to notify the local-MAC change.
With the information center, you can set log message filtering and output rules, including output destinations. For more information about configuring the information center, see System Management Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable local-MAC logging.
vxlan local-mac report
By default, local-MAC logging is disabled.
Setting the destination UDP port number of VXLAN packets
1. Enter system view.
system-view
2. Set a destination UDP port for VXLAN packets.
vxlan udp-port port-number
By default, the destination UDP port number is 4789 for VXLAN packets.
You must configure the same destination UDP port number on all VTEPs in a VXLAN.
Configuring VXLAN packet check
About this task
The device can check the UDP checksum of each received VXLAN packet. The device always sets the UDP checksum of VXLAN packets to zero. For compatibility with third-party devices, a VXLAN packet can pass the check if its UDP checksum is zero or correct. If its UDP checksum is incorrect, the VXLAN packet fails the check and is dropped.
Procedure
1. Enter system view.
system-view
2. Enable the VTEP to drop VXLAN packets that fail UDP checksum check.
vxlan invalid-udp-checksum discard
By default, the VTEP does not check the UDP checksum of VXLAN packets.
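The pass and drop rule described in this task (a zero or correct UDP checksum passes, an incorrect one is dropped) is worked through in the following added example, which is not part of the original document or of the device software. The function names and the sample packet are constructed; the addresses 1.1.1.1 and 2.2.2.2 are the tunnel endpoints from the configuration example, and the checksum is the standard IPv4 UDP checksum over the pseudo-header and the UDP segment.

```python
import socket
import struct

IPPROTO_UDP = 17
UDP_HEADER_LEN = 8


def ones_complement_sum16(data):
    """16-bit one's complement sum used by the UDP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip, dst_ip, udp_len):
    """IPv4 pseudo-header: source, destination, zero, protocol, UDP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len))


def udp_checksum(src_ip, dst_ip, udp_segment):
    """Checksum the sender would place in the header (field treated as zero)."""
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    total = ones_complement_sum16(
        pseudo_header(src_ip, dst_ip, len(zeroed)) + zeroed)
    # A computed value of 0 is transmitted as 0xFFFF; 0 means "no checksum".
    return (~total & 0xFFFF) or 0xFFFF


def checksum_verdict(src_ip, dst_ip, udp_segment, discard_invalid=True):
    """Return "pass" or "drop" for a received VXLAN packet's UDP segment.

    discard_invalid=False models the default, where the checksum is not
    checked; True models "vxlan invalid-udp-checksum discard".
    """
    if not discard_invalid:
        return "pass"
    if len(udp_segment) < UDP_HEADER_LEN:
        return "drop"                       # assumption: truncated header
    (received,) = struct.unpack("!H", udp_segment[6:8])
    if received == 0:
        return "pass"                       # zero checksum is accepted
    if received == udp_checksum(src_ip, dst_ip, udp_segment):
        return "pass"                       # correct checksum is accepted
    return "drop"                           # incorrect checksum


def make_udp(src_port, dst_port, payload, checksum=0):
    """Build a UDP segment with the given checksum field."""
    length = UDP_HEADER_LEN + len(payload)
    return struct.pack("!HHHH", src_port, dst_port, length, checksum) + payload


# Constructed sample: VXLAN header for VXLAN 10 plus a 14-byte inner header.
SRC, DST = "1.1.1.1", "2.2.2.2"
PAYLOAD = bytes.fromhex("0800000000000a00") + bytes(14)
ZERO_SUM = make_udp(49152, 4789, PAYLOAD)
GOOD_SUM = make_udp(49152, 4789, PAYLOAD, udp_checksum(SRC, DST, ZERO_SUM))
BAD_SUM = GOOD_SUM[:-1] + bytes([GOOD_SUM[-1] ^ 0x01])   # payload bit flipped

if __name__ == "__main__":
    for name, segment in (("zero", ZERO_SUM), ("correct", GOOD_SUM),
                          ("incorrect", BAD_SUM)):
        print(name, checksum_verdict(SRC, DST, segment))
```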
Disabling flooding for a VSI
About this task
By default, the VTEP floods broadcast, unknown unicast, and unknown multicast frames received from the local site to the following interfaces in the frame's VXLAN:
· All site-facing interfaces except for the incoming interface.
· All VXLAN tunnel interfaces.
When receiving broadcast, unknown unicast, and unknown multicast frames on VXLAN tunnel interfaces, the device floods the frames to all site-facing interfaces in the frames' VXLAN.
To confine a kind of flood traffic, disable flooding for that kind of flood traffic on the VSI bound to the VXLAN.
To exclude a remote MAC address from the remote flood suppression done by using this feature, enable selective flood for the MAC address. The VTEP will flood the frames destined for the MAC address to remote sites.
Procedure
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Disable flooding for the VSI.
flooding disable { all | { broadcast | unknown-multicast | unknown-unicast } * }
By default, flooding is enabled for a VSI.
4. (Optional.) Enable selective flood for a MAC address.
selective-flooding mac-address mac-address
Enabling ARP flood suppression
Restrictions and guidelines
The aging timer is fixed at 25 minutes for ARP flood suppression entries. If the suppression table is full, the VTEP stops learning new entries. For the VTEP to learn new entries, you must wait for old entries to age out, or use the reset arp suppression vsi command to clear the table.
If the flooding disable command is configured, set the MAC aging timer to a higher value than the aging timer for ARP flood suppression entries on all VTEPs. This setting prevents the traffic blackhole that occurs when a MAC address entry ages out before its ARP flood suppression entry ages out. To set the MAC aging timer, use the mac-address timer command.
When remote ARP learning is disabled for VXLANs, the device does not use ARP flood suppression entries to respond to ARP requests received on VXLAN tunnels.
Procedure
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Enable ARP flood suppression.
arp suppression enable
By default, ARP flood suppression is disabled.
Enabling VXLAN packet statistics
Enabling packet statistics for a VSI
Restrictions and guidelines
To display the packet statistics for a VSI, use the display l2vpn vsi verbose command in any view.
To clear the packet statistics for a VSI, use the reset l2vpn statistics vsi command in user view.
Procedure
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Enable packet statistics for the VSI.
statistics enable
By default, the packet statistics feature is disabled for all VSIs.
Enabling packet statistics for all VXLAN tunnels of a VSI
About this task
If you enable packet statistics in VSI view, follow these guidelines:
· To display the packet statistics for VXLAN tunnels, use the display vxlan tunnel command in any view.
· To clear the packet statistics for VXLAN tunnels, use the reset counters interface tunnel command in user view.
Procedure
1. Enter system view.
system-view
2. Enter VSI view.
vsi vsi-name
3. Enable packet statistics for all VXLAN tunnels associated with the VSI.
tunnel statistics enable
By default, the packet statistics feature is disabled for the VXLAN tunnels associated with a VSI.
This command enables packet statistics only for VXLAN tunnels. It does not take effect on VXLAN-DCI tunnels.
Setting the VXLAN statistics collection interval
About this task
Perform this task to set the interval for collecting VSI, AC, and VXLAN tunnel statistics.
Procedure
1. Enter system view.
system-view
2. Set the VXLAN statistics collection interval.
l2vpn statistics interval interval
By default, the VXLAN statistics collection interval is 15 minutes.
Verifying and maintaining VXLANs
Verifying VXLAN tunnel configuration and running status
Perform display tasks in any view.
· Display information about tunnel interfaces.
display interface [ tunnel [ number ] ] [ brief [ description | down ] ]
For more information about this command, see tunnel interface commands in Interface Command Reference.
· Display VXLAN tunnel information for VXLANs.
display vxlan tunnel [ vxlan vxlan-id ]
Verifying and maintaining VSIs
Verifying VSI configuration
Perform display tasks in any view.
· Display information about VSIs.
display l2vpn vsi [ name vsi-name ] [ verbose ]
· Display L2VPN information for Layer 3 interfaces that are mapped to VSIs.
display l2vpn interface [ vsi vsi-name | interface-type interface-number ] [ verbose ]
Displaying and clearing MAC address entries on VSIs
To display MAC address entries for VSIs, execute the following command in any view:
display l2vpn mac-address [ vsi vsi-name ] [ dynamic ] [ count | verbose ]
To clear dynamic MAC address entries on VSIs, execute the following command in user view:
reset l2vpn mac-address [ vsi vsi-name ]
Displaying and clearing ARP flood suppression entries on VSIs
To display ARP flood suppression entries on VSIs, execute the following command in any view:
display arp suppression vsi [ name vsi-name ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
To clear ARP flood suppression entries on VSIs, execute the following command in user view:
reset arp suppression vsi [ name vsi-name ]
VXLAN configuration examples
Example: Configuring a unicast-mode VXLAN
Network configuration
As shown in Figure 9:
· Configure VXLAN 10 as a unicast-mode VXLAN on Router A, Router B, and Router C to provide Layer 2 connectivity for the VMs across the network sites.
· Manually establish VXLAN tunnels and assign the tunnels to VXLAN 10.
· Enable remote-MAC address learning.
Procedure
1. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 9. (Details not shown.)
# Configure OSPF on all transport network routers (Routers A through D). (Details not shown.)
2. Configure Router A:
# Enable L2VPN.
<RouterA> system-view
[RouterA] l2vpn enable
# Create VSI vpna and VXLAN 10.
[RouterA] vsi vpna
[RouterA-vsi-vpna] vxlan 10
[RouterA-vsi-vpna-vxlan-10] quit
[RouterA-vsi-vpna] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of the VXLAN tunnels to Router B and Router C.
[RouterA] interface loopback 0
[RouterA-Loopback0] ip address 1.1.1.1 255.255.255.255
[RouterA-Loopback0] quit
# Create a VXLAN tunnel to Router B. The tunnel interface name is Tunnel 1.
[RouterA] interface tunnel 1 mode vxlan
[RouterA-Tunnel1] source 1.1.1.1
[RouterA-Tunnel1] destination 2.2.2.2
[RouterA-Tunnel1] quit
# Create a VXLAN tunnel to Router C. The tunnel interface name is Tunnel 2.
[RouterA] interface tunnel 2 mode vxlan
[RouterA-Tunnel2] source 1.1.1.1
[RouterA-Tunnel2] destination 3.3.3.3
[RouterA-Tunnel2] quit
# Assign Tunnel 1 and Tunnel 2 to VXLAN 10.
[RouterA] vsi vpna
[RouterA-vsi-vpna] vxlan 10
[RouterA-vsi-vpna-vxlan-10] tunnel 1
[RouterA-vsi-vpna-vxlan-10] tunnel 2
[RouterA-vsi-vpna-vxlan-10] quit
[RouterA-vsi-vpna] quit
# Map Ten-GigabitEthernet 0/0/6 to VSI vpna.
[RouterA] interface ten-gigabitethernet 0/0/6
[RouterA-Ten-GigabitEthernet0/0/6] xconnect vsi vpna
[RouterA-Ten-GigabitEthernet0/0/6] quit
3. Configure Router B:
# Enable L2VPN.
<RouterB> system-view
[RouterB] l2vpn enable
# Create VSI vpna and VXLAN 10.
[RouterB] vsi vpna
[RouterB-vsi-vpna] vxlan 10
[RouterB-vsi-vpna-vxlan-10] quit
[RouterB-vsi-vpna] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of the VXLAN tunnels to Router A and Router C.
[RouterB] interface loopback 0
[RouterB-Loopback0] ip address 2.2.2.2 255.255.255.255
[RouterB-Loopback0] quit
# Create a VXLAN tunnel to Router A. The tunnel interface name is Tunnel 2.
[RouterB] interface tunnel 2 mode vxlan
[RouterB-Tunnel2] source 2.2.2.2
[RouterB-Tunnel2] destination 1.1.1.1
[RouterB-Tunnel2] quit
# Create a VXLAN tunnel to Router C. The tunnel interface name is Tunnel 3.
[RouterB] interface tunnel 3 mode vxlan
[RouterB-Tunnel3] source 2.2.2.2
[RouterB-Tunnel3] destination 3.3.3.3
[RouterB-Tunnel3] quit
# Assign Tunnel 2 and Tunnel 3 to VXLAN 10.
[RouterB] vsi vpna
[RouterB-vsi-vpna] vxlan 10
[RouterB-vsi-vpna-vxlan-10] tunnel 2
[RouterB-vsi-vpna-vxlan-10] tunnel 3
[RouterB-vsi-vpna-vxlan-10] quit
[RouterB-vsi-vpna] quit
# Map Ten-GigabitEthernet 0/0/6 to VSI vpna.
[RouterB] interface ten-gigabitethernet 0/0/6
[RouterB-Ten-GigabitEthernet0/0/6] xconnect vsi vpna
[RouterB-Ten-GigabitEthernet0/0/6] quit
4. Configure Router C:
# Enable L2VPN.
<RouterC> system-view
[RouterC] l2vpn enable
# Create VSI vpna and VXLAN 10.
[RouterC] vsi vpna
[RouterC-vsi-vpna] vxlan 10
[RouterC-vsi-vpna-vxlan-10] quit
[RouterC-vsi-vpna] quit
# Assign an IP address to Loopback 0. The IP address will be used as the source IP address of the VXLAN tunnels to Router A and Router B.
[RouterC] interface loopback 0
[RouterC-Loopback0] ip address 3.3.3.3 255.255.255.255
[RouterC-Loopback0] quit
# Create a VXLAN tunnel to Router A. The tunnel interface name is Tunnel 1.
[RouterC] interface tunnel 1 mode vxlan
[RouterC-Tunnel1] source 3.3.3.3
[RouterC-Tunnel1] destination 1.1.1.1
[RouterC-Tunnel1] quit
# Create a VXLAN tunnel to Router B. The tunnel interface name is Tunnel 3.
[RouterC] interface tunnel 3 mode vxlan
[RouterC-Tunnel3] source 3.3.3.3
[RouterC-Tunnel3] destination 2.2.2.2
[RouterC-Tunnel3] quit
# Assign Tunnel 1 and Tunnel 3 to VXLAN 10.
[RouterC] vsi vpna
[RouterC-vsi-vpna] vxlan 10
[RouterC-vsi-vpna-vxlan-10] tunnel 1
[RouterC-vsi-vpna-vxlan-10] tunnel 3
[RouterC-vsi-vpna-vxlan-10] quit
[RouterC-vsi-vpna] quit
# Map Ten-GigabitEthernet 0/0/6 to VSI vpna.
[RouterC] interface ten-gigabitethernet 0/0/6
[RouterC-Ten-GigabitEthernet0/0/6] xconnect vsi vpna
[RouterC-Ten-GigabitEthernet0/0/6] quit
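The procedure builds the tunnel mesh by hand on three VTEPs, so a mistyped source or destination, or a tunnel that was never assigned to VXLAN 10, leaves the mesh incomplete. The following Python check is an added example, not part of the vendor documentation. It parses the commands as typed above and reports tunnels that are asymmetric, point at an unknown peer, or are unassigned. The `CONFIGS` sample is constructed from the page's commands, and `parse` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample: each router's commands, prompts stripped, joined with ';'.
TEMPLATE = ("interface loopback 0; ip address {lo} 255.255.255.255; "
            "interface tunnel {t1} mode vxlan; source {lo}; destination {p1}; "
            "interface tunnel {t2} mode vxlan; source {lo}; destination {p2}; "
            "vsi vpna; vxlan 10; tunnel {t1}; tunnel {t2}")
CONFIGS = {
    "RouterA": TEMPLATE.format(lo="1.1.1.1", t1=1, p1="2.2.2.2", t2=2, p2="3.3.3.3"),
    "RouterB": TEMPLATE.format(lo="2.2.2.2", t1=2, p1="1.1.1.1", t2=3, p2="3.3.3.3"),
    "RouterC": TEMPLATE.format(lo="3.3.3.3", t1=1, p1="1.1.1.1", t2=3, p2="2.2.2.2"),
}

def parse(cfg):
    """Return (loopback_ip, {tunnel_id: {source, destination}}, {vxlan_id: tunnel_ids})."""
    loopback, tunnels, vxlans, tun, vx = None, {}, {}, None, None
    for cmd in (c.strip() for c in cfg.split(";")):
        if cmd.startswith("interface "):
            m = re.fullmatch(r"interface tunnel (\d+) mode vxlan", cmd)
            tun, vx = (m[1] if m else None), None  # entering a new interface view
        elif m := re.fullmatch(r"ip address (\S+) 255\.255\.255\.255", cmd):
            loopback = m[1]  # assumption: a /32 address is the Loopback 0 address
        elif (m := re.fullmatch(r"(source|destination) (\S+)", cmd)) and tun:
            tunnels.setdefault(tun, {})[m[1]] = m[2]
        elif m := re.fullmatch(r"vxlan (\d+)", cmd):
            vx = m[1]
        elif (m := re.fullmatch(r"tunnel (\d+)", cmd)) and vx:
            vxlans.setdefault(vx, set()).add(m[1])
    return loopback, tunnels, vxlans

def audit(configs, vxlan_id="10"):
    """Return findings for one VXLAN's tunnel mesh; an empty list means consistent."""
    parsed = {name: parse(cfg) for name, cfg in configs.items()}
    owner = {lo: name for name, (lo, _, _) in parsed.items()}
    pairs = {(t.get("source"), t.get("destination"))
             for _, tunnels, _ in parsed.values() for t in tunnels.values()}
    findings = []
    for name, (lo, tunnels, vxlans) in parsed.items():
        for tid, t in tunnels.items():
            src, dst = t.get("source"), t.get("destination")
            if src != lo:
                findings.append(f"{name} Tunnel{tid}: source {src} is not the local loopback {lo}")
            if dst not in owner:
                findings.append(f"{name} Tunnel{tid}: destination {dst} is not a known VTEP")
            elif (dst, src) not in pairs:
                findings.append(f"{name} Tunnel{tid}: {owner[dst]} has no tunnel back to {src}")
            if tid not in vxlans.get(vxlan_id, set()):
                findings.append(f"{name} Tunnel{tid}: not assigned to VXLAN {vxlan_id}")
    return findings
```

`audit(CONFIGS)` returns an empty list for the configuration in this example; any string in the result names the router and tunnel to recheck.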
Verifying the configuration
1. Verify the VXLAN settings on the VTEPs. This example uses Router A.
# Verify that the VXLAN tunnel interfaces on the VTEP are up.
[RouterA] display interface tunnel 1
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 64000
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 1.1.1.1, destination 2.2.2.2
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the VXLAN tunnels have been assigned to the VXLAN.
[RouterA] display l2vpn vsi verbose
VSI Name: vpna
VSI Index : 0
VSI State : Up
MTU : -
Bandwidth : -
Broadcast Restrain : -
Multicast Restrain : -
Unknown Unicast Restrain: -
MAC Learning : -
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
VXLAN ID : 10
Tunnels:
Tunnel Name  Link ID    State  Type    Flood proxy
Tunnel1      0x5000001  Up     Manual  Disabled
Tunnel2      0x5000002  Up     Manual  Disabled
ACs:
AC        Link ID  State  Type
XGE1/0/1  0        Up     Manual
# Verify that the VTEP has learned the MAC addresses of remote VMs.
<RouterA> display l2vpn mac-address
MAC Address     State    VSI Name  Link ID/Name  Aging
cc3e-5f9c-6cdb  Dynamic  vpna      Tunnel1       Aging
cc3e-5f9c-23dc  Dynamic  vpna      Tunnel2       Aging
--- 2 mac address(es) found ---
2. Verify that VM 1, VM 2, and VM 3 can ping each other. (Details not shown.)
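With remote-MAC address learning enabled, the entries in `display l2vpn mac-address` are learned from received traffic, so a dynamic entry that moves from one tunnel to another is worth reviewing (VM migration, a loop, or a spoofed source MAC). The following Python sketch is an added example, not part of the vendor documentation. It compares two snapshots of that output and lists the moved entries. `BEFORE` is the output shown above, `AFTER` is constructed for illustration, and the function names are hypothetical.

```python
import re

ROW = re.compile(r"^((?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)
FOOTER = re.compile(r"^--- (\d+) mac address\(es\) found ---$")

# First snapshot: the output shown on this page.
BEFORE = """\
MAC Address State VSI Name Link ID/Name Aging
cc3e-5f9c-6cdb Dynamic vpna Tunnel1 Aging
cc3e-5f9c-23dc Dynamic vpna Tunnel2 Aging
--- 2 mac address(es) found ---"""
# Second snapshot: constructed, the first MAC now appears behind Tunnel2.
AFTER = BEFORE.replace("cc3e-5f9c-6cdb Dynamic vpna Tunnel1",
                       "cc3e-5f9c-6cdb Dynamic vpna Tunnel2")

def parse_mac_table(text):
    """Return {(vsi, mac): (state, link)}; raise if the footer count disagrees."""
    rows, declared = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ROW.match(line):
            mac, state, vsi, link, _aging = m.groups()
            rows[(vsi, mac.lower())] = (state, link)
        elif m := FOOTER.match(line):
            declared = int(m[1])
    # A mismatch means the capture was truncated or a row did not parse.
    if declared is not None and declared != len(rows):
        raise ValueError(f"parsed {len(rows)} rows, footer says {declared}")
    return rows

def moved_macs(before, after):
    """Dynamic entries whose link changed between two snapshots of one VTEP."""
    old, new = parse_mac_table(before), parse_mac_table(after)
    return sorted(
        (vsi, mac, old[(vsi, mac)][1], link)
        for (vsi, mac), (state, link) in new.items()
        if state == "Dynamic" and (vsi, mac) in old and old[(vsi, mac)][1] != link
    )
```

Each result tuple is (VSI, MAC, previous link, current link).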