¡ Set up one border DR system with two S12500X-AF or S12500G-AF switches. Configure SDN gateways on the border DR system to forward traffic between the data center and external network, and between PODs.

¡ Set up one leaf DR system with two S6800 or S6812 switches. Configure them as SDN ToR switches and distributed EVPN gateways for network overlay.

¡ Set up another leaf DR system with two S6850 switches. Configure them as SDN ToR switches and distributed EVPN gateways for network overlay.

· Configure two S12500X-AF or S12500G-AF switches as spine devices. Configure them as route reflectors to reflect BGP EVPN routes among border and leaf devices.

· Configure the firewalls as follows:

¡ Configure them to operate in primary/secondary mode.

¡ Attach the firewalls to the border DR system by using four aggregation links of DR groups.

¡ Assign the firewalls to the same VLAN as the border DR system.

· Configure static routes on the border DR system to direct the following traffic to the firewall for security policy-based filtering or NAT:

¡ South-to-north traffic sent from the bare metal servers and VMs to the external network.

¡ Inter-VPC east-west traffic sent between the bare metal servers and VMs.

· Configure the C-spine device to provide access to other data centers and forward Layer 3 traffic on the underlay network.

· Configure the public device to provide access to the external network.

NOTE:

This example uses IS-IS as the underlay routing protocol. Alternatively, you can use OSPF or other protocols for routing on the underlay network.

Figure 1 Network diagram

Device	Interface	IP address	Remarks
Leaf 1	XGE1/0/21	N/A	Member port of an underlay DR interface. Connected to a virtualization server.
	XGE1/0/47	N/A	Member port of a DR interface, interface with ACs configured. Connected to a bare metal server.
	FGE1/0/53	N/A	Member port of the IPP. Connected to FGE1/0/53 on Leaf 2.
	FGE1/0/54	N/A	Member port of the IPP. Connected to FGE1/0/54 on Leaf 2.
	FGE1/0/51	6.1.1.1/30	Connected to FGE3/0/16 on Spine 1.
	FGE1/0/49	6.1.1.5/30	Connected to FGE3/0/4 on Spine 2.
	Loopback0	5.1.1.1/32	VTEP IP address.
	Loopback1	5.1.1.101/32	Virtual VTEP IP address.
	Vlan-interface2	10.10.10.3/24 VRRP virtual IP: 10.10.10.254	The VRRP virtual IP address is the gateway address for virtualization servers.
	Vlan-interface10	10.1.1.1/24	Peer link.
Leaf 2	XGE1/0/21	N/A	Member port of an underlay DR interface. Connected to a virtualization server.
	XGE1/0/47	N/A	Member port of a DR interface, interface with ACs configured. Connected to a bare metal server.
	FGE1/0/53	N/A	Member port of the IPP. Connected to FGE1/0/53 on Leaf 1.
	FGE1/0/54	N/A	Member port of the IPP. Connected to FGE1/0/54 on Leaf 1.
	FGE1/0/51	6.1.1.9/30	Connected to FGE3/0/13 on Spine 1.
	FGE1/0/49	6.1.1.13/30	Connected to FGE3/0/1 on Spine 2.
	LoopBack0	5.1.1.2/32	VTEP IP address.
	LoopBack1	5.1.1.101/32	Virtual VTEP IP address.
	Vlan-interface2	10.10.10.4/24 VRRP virtual IP: 10.10.10.254	The VRRP virtual IP address is the gateway address for virtualization servers.
	Vlan-interface10	10.1.1.2/24	Peer link.
Leaf 3	WGE1/0/21	N/A	Member port of an underlay DR interface. Connected to a virtualization server.
	WGE1/0/55	N/A	Member port of a DR interface, interface with ACs configured. Connected to a bare metal server.
	HGE1/0/31	N/A	Member port of the IPP. Connected to HGE1/0/31 on Leaf 4.
	HGE1/0/32	N/A	Member port of the IPP. Connected to HGE1/0/32 on Leaf 4.
	HGE1/0/29	6.1.1.17/30	Connected to HGE2/0/3 on Spine 1.
	HGE1/0/25	6.1.1.29/30	Connected to HGE2/0/12 on Spine 2.
	LoopBack0	5.1.1.3/32	VTEP IP address.
	LoopBack1	5.1.1.102/32	Virtual VTEP IP address.
	Vlan-interface2	50.50.50.2/24 VRRP virtual IP: 50.50.50.254	The VRRP virtual IP address is the gateway address for virtualization servers.
	Vlan-interface10	10.2.1.1/24	Peer link.
Leaf 4	WGE1/0/21	N/A	Member port of an underlay DR interface. Connected to a virtualization server.
	WGE1/0/55	N/A	Member port of a DR interface, interface with ACs configured. Connected to a bare metal server.
	HGE1/0/31	N/A	Member port of the IPP. Connected to HGE1/0/31 on Leaf 3.
	HGE1/0/32	N/A	Member port of the IPP. Connected to HGE1/0/32 on Leaf 3.
	HGE1/0/29	6.1.1.25/30	Connected to HGE2/0/1 on Spine 1.
	HGE1/0/25	6.1.1.21/30	Connected to HGE2/0/11 on Spine 2.
	LoopBack0	5.1.1.4/32	VTEP IP address.
	LoopBack1	5.1.1.102/32	Virtual VTEP IP address.
	Vlan-interface2	50.50.50.3/24 VRRP virtual IP: 50.50.50.254	The VRRP virtual IP address is the gateway address for virtualization servers.
	Vlan-interface10	10.2.1.2/24	Peer link.
Spine 1	FGE3/0/16	6.1.1.2/30	Connected to FGE1/0/51 on Leaf 1.
	FGE3/0/13	6.1.1.10/30	Connected to FGE1/0/51 on Leaf 2.
	HGE2/0/3	6.1.1.18/30	Connected to HGE1/0/29 on Leaf 3.
	HGE2/0/1	6.1.1.26/30	Connected to HGE1/0/29 on Leaf 4.
	HGE2/0/5	6.1.1.33/30	Connected to HGE3/0/16 on Border 1.
	HGE2/0/7	6.1.1.37/30	Connected to HGE2/0/13 on Border 2.
	LoopBack0	5.1.1.6/32	N/A
Spine 2	FGE3/0/4	6.1.1.6/30	Connected to FGE1/0/49 on Leaf 1.
	FGE3/0/1	6.1.1.14/30	Connected to FGE1/0/49 on Leaf 2.
	HGE2/0/12	6.1.1.30/30	Connected to HGE1/0/25 on Leaf 3.
	HGE2/0/11	6.1.1.22/30	Connected to HGE1/0/25 on Leaf 4.
	HGE2/0/9	6.1.1.41/30	Connected to HGE2/0/12 on Border 1.
	HGE2/0/10	6.1.1.45/30	Connected to HGE2/0/1 on Border 2.
	LoopBack0	5.1.1.8/32	N/A
Border 1	HGE1/0/16	6.1.1.34/30	Connected to HGE2/0/5 on Spine 1.
	HGE1/0/12	6.1.1.42/30	Connected to HGE2/0/9 on Spine 2.
	HGE2/0/21	N/A	Member port of the IPP. Connected to HGE2/0/7 on Border 2.
	HGE3/0/36	N/A	Member port of the IPP. Connected to HGE3/0/36 on Border 2.
	HGE2/0/5	5.58.1.1/30	Connected to the C-spine device.
	FGE3/0/24	N/A	Member port of a DR interface. Connected to the public device.
	HGE2/0/27	N/A	Member port of a DR interface. Upstream traffic forwarding to the firewalls.
	HGE2/0/11	N/A	Member port of a DR interface. Downstream traffic forwarding to the firewalls.
	LoopBack0	5.1.1.7/32	ED IP address.
	LoopBack100	100.100.100.100/32	Virtual ED IP address.
	Vlan-interface1000	100.1.1.1/24	Peer link.
Border 2	HGE1/0/13	6.1.1.38/30	Connected to HGE2/0/7 on Spine 1.
	HGE1/0/1	6.1.1.46/30	Connected to HGE2/0/10 on Spine 2.
	HGE2/0/7	N/A	Member port of the IPP. Connected to HGE2/0/21 on Border 1.
	HGE3/0/36	N/A	Member port of the IPP. Connected to HGE3/0/36 on Border 2.
	HGE2/0/5	5.58.1.5/30	Connected to the C-spine device.
	FGE3/0/24	N/A	Member port of a DR interface. Connected to the public device.
	HGE2/0/27	N/A	Member port of a DR interface. Upstream traffic forwarding to the firewalls.
	HGE2/0/29	N/A	Member port of a DR interface. Downstream traffic forwarding to the firewalls.
	LoopBack0	5.1.1.9/32	ED IP address.
	LoopBack100	100.100.100.100/32	Virtual ED IP address.
	Vlan-interface1000	100.1.1.2/24	Peer link.

Traffic forwarding models

A VM is in a host overlay network, and a bare metal host is called a BM in network overlay. The following traffic forwarding models are available:

· Intra-VPC forwarding in the same POD (leaf > spine > leaf):

¡ VM-to-VM and VM-to-BM Layer 2 and Layer 3 communication through the same DR system at the leaf tier.

¡ BM-to-VM and BM-to-BM Layer 2 and Layer 3 communication through the same DR system at the leaf tier.

¡ VM-to-VM and VM-to-BM Layer 2 and Layer 3 communication across DR systems at the leaf tier.

¡ BM-to-VM and BM-to-BM Layer 2 and Layer 3 communication across DR systems at the leaf tier.

· Inter-VPC forwarding in the same POD (leaf > spine > border > firewall > border > spine > leaf):

¡ VM-to-VM and VM-to-BM Layer 3 communication through the same DR system at the leaf tier.

¡ BM-to-VM and BM-to-BM Layer 3 communication through the same DR system at the leaf tier.

¡ VM-to-VM and VM-to-BM Layer 3 communication across DR systems at the leaf tier.

¡ BM-to-VM and BM-to-BM Layer 3 communication across DR systems at the leaf tier.

· Inter-POD forwarding (leaf > spine > border > C-spine > border > spine > leaf):

¡ VM-remote host and BM-remote host Layer 2 communication across PODs.

¡ VM-remote host and BM-remote host Layer 3 communication across PODs.

· Forwarding between the data center and the external network (leaf > spine > border > firewall > border > public device):

¡ Layer 3 communication between BMs and the external network.

¡ Layer 3 communication between VMs and the external network.

¡ SSH, FTP, and fping operations from the external network to the data center (leaf > spine > border > LB > border > public device).

Applicable product matrix

IMPORTANT:

In addition to running an applicable software version, you must also install the most recent patch, if any.

Role	Device	Software version
Border or spine	S12500X-AF S12500X-AF switches are used in this example.	F2809 and higher F28xx versions
Border or spine	S12500G-AF	R7624P12
Leaf	S6800, S6860 S6800 switches are used in this configuration example.	F2715 and higher F27xx versions Do not use F28xx versions.
	S6812, S6813 S6812 switches are used in this configuration example.	Under development. To obtain the latest images, contact Technical Support.
	S6805, S6825, S6850, and S9850 S6850 switches are used in this configuration example.	F6632 and higher F66xx versions
	S6890	F2809 and higher F28xx versions
	S9820-64H (EVPN gateway not supported) S9820-8C	Not supported
SDN controller	N/A	SeerEngine-DC E3610 or higher versions NOTE: Before you use a higher version than E3610, contact H3C support to verify version compatibility.

Configuring S6800 or S6812 switches as leaf devices

Procedure summary

· Configuring the resource mode (only on S6800 switches)

· Creating VRRP groups

· Configuring IS-IS

· Configuring the links towards the spine tier

· Configuring L2VPN

· Configuring DRNI

· Configuring the links towards the virtualization servers

· Configuring the links towards the bare metal servers

· Configuring spanning tree

· Configuring a BGP instance

· Configuring the overlay network

Configuring the resource mode (only on S6800 switches)

Leaf 1	Leaf 2	Configuration method	Description	Purpose	Remarks
hardware-resource switch-mode 4	hardware-resource switch-mode 4	Manual	Set the hardware resource mode for the MAC address table, ARP/ND table, and routing tables.	Adjust the capacities of the MAC address table, ARP/ND table, and routing tables.	Reboot the device for this setting to take effect.
hardware-resource routing-mode ipv6-128	hardware-resource routing-mode ipv6-128	Manual	Enable support for IPv6 routes with prefixes longer than 64 bits.	N/A	Reboot the device for this setting to take effect.
hardware-resource vxlan l3gw40k	hardware-resource vxlan l3gw40k	Manual	Set the VXLAN hardware resource mode to Layer 3 gateway mode that supports 40 K of overlay adjacency table	N/A	Reboot the device for this setting to take effect.
openflow flow-table ipv6-enhanced	openflow flow-table ipv6-enhanced	Manual	Enable support for bidirectional security groups.	N/A	N/A
openflow permit-flag ignore	openflow permit-flag ignore	Manual	Ignore the permit flag added by OpenFlow.	Enable support for bidirectional security groups and port rate limiting.	N/A

Creating VRRP groups

Leaf 1	Leaf 2	Configuration method	Description	Purpose	Remarks
vlan 2	vlan 2	Manual	Configure the VLAN used to communicate with a virtualization server.	The switch is an underlay device to a virtualization server.	N/A
interface Vlan-interface 2	interface Vlan-interface 2	Manual	Create a VLAN interface.	N/A	N/A
ip address 10.10.10.3 255.255.255.0	ip address 10.10.10.4 255.255.255.0	Manual	Assign an IP address to the interface.	N/A	N/A
vrrp vrid 1 virtual-ip 10.10.10.254	vrrp vrid 1 virtual-ip 10.10.10.254	Manual	Configure the virtual IP address of a VRRP group.	N/A	N/A
vrrp vrid 1 priority 100	vrrp vrid 1 priority 101	Manual	Configure the priority of the device in the VRRP group.	VRRP determines the role (master or backup) of each router in a VRRP group by priority. A router with higher priority is more likely to become the master.	The larger the priority value, the higher the priority.
undo vrrp vrid 1 preempt-mode	undo vrrp vrid 1 preempt-mode	Manual	Configure the device to work in non-preemptive mode in the VRRP group.	Ensure consistency between the VRRP role and DR role.	This command is optional. Inconsistency between the VRRP role and DR role does not affect traffic forwarding.
quit	quit	Manual	N/A	N/A	N/A
ip prefix-list 1 index 10 permit 10.10.10.0 24	ip prefix-list 1 index 10 permit 10.10.10.0 24	Manual	Configure an IPv4 prefix list or an item for the list.	Create an IPv4 prefix list for the virtual IP address of the VRRP group.	N/A
route-policy 1 permit node 0	route-policy 1 permit node 0	Manual	Configure a routing policy.	Create the routing policy used in IS-IS IPv4 unicast address family view.	N/A
if-match ip address prefix-list 1	if-match ip address prefix-list 1	Manual	Match IPv4 routes with an IPv4 prefix list.	N/A	N/A
quit	quit	Manual	Exit routing policy view.	N/A	N/A

Configuring IS-IS

Leaf 1	Leaf 2	Configuration method	Description	Purpose	Remarks
router id 5.1.1.1	router id 5.1.1.2	Manual	Configure the IP address of Loopback 0 as the router ID.	Configure the global router ID.	N/A
isis 1	isis 1	Manual	Enter IS-IS view.	N/A	N/A
is-level level-2	is-level level-2	Manual	Specify the IS level.	If the only area is an IP network, configure all the routers as Level-2 for scalability.	N/A
cost-style wide	cost-style wide	Manual	Set the cost style to wide.	Enable the device to receive wide cost style packets.	N/A
timer spf 1 10 10	timer spf 1 10 10	Manual	Set the maximum SPF calculation interval to 1 second, minimum SPF calculation interval to 10 milliseconds, and incremental SPF calculation interval to 10 milliseconds.	Reduce the interval between two SPF calculations and speed up convergence.	N/A
timer lsp-max-age 65535	timer lsp-max-age 65535	Manual	Set the LSP maximum age in the LSDB to 65535 seconds.	A large LSP maximum age reduces LSP floods. Any LSP with an age of 0 is deleted from the LSDB.	N/A
timer lsp-refresh 65000	timer lsp-refresh 65000	Manual	Set the LSP refresh interval to 65000 seconds.	A large refresh interval reduces LSP refreshes and saves bandwidth.	N/A
timer lsp-generation 1 10 10	timer lsp-generation 1 10 10	Manual	Set the maximum interval to 1 second, minimum interval to 10 milliseconds, and incremental interval to 10 milliseconds for LSP generation.	Speed up LSP generation and routing convergence upon network topology changes.	N/A
set-overload on-startup 360	set-overload on-startup 360	Manual	Set the overload bit for 360 seconds upon system startup.	Delay VRRP address advertisement after system startup to reduce traffic loss during fallback.	N/A
network-entity 51.0000.0005.0001.00	network-entity 51.0000.0005.0002.00	Manual	Configure the NET for an IS-IS process.	N/A	N/A
address-family ipv4 unicast	address-family ipv4 unicast	Manual	Enter IS-IS IPv4 address family view.	N/A	N/A
fast-reroute lfa	fast-reroute lfa	Manual	Configure IS-IS FRR.	Enable IS-IS to calculate backup next hops for all Level-2 routes to reduce traffic interruption upon link or device failure.	N/A
import-route direct route-policy 1	import-route direct route-policy 1	Manual	Redistribute direct VRRP routes.	Use this command together with the set-overload command to delay VRRP route advertisement after system startup to optimize route convergence upon fallback.	N/A
quit	quit	Manual	Exit address family view.	N/A	N/A
quit	quit	Manual	Exit IS-IS view.	N/A	N/A
interface LoopBack0	interface LoopBack0	Manual	Create Loopback 0 and enter its view.	N/A	N/A
ip address 5.1.1.1 255.255.255.255	ip address 5.1.1.2 255.255.255.255	Manual	Assign an IP address to the interface.	Configure the VTEP IP address.	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
quit	quit	Manual	Exit the view of Loopback 0.	N/A	N/A
interface LoopBack1	interface LoopBack1	Manual	Create Loopback 1 and enter its view.	N/A	N/A
ip address 5.1.1.101 255.255.255.255	ip address 5.1.1.101 255.255.255.255	Manual	Assign an IP address to the interface.	Configure the virtual VTEP IP address.	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
quit	quit	Manual	Exit the view of Loopback 1.	N/A	N/A
vlan 10	vlan 10	Manual	Create a VLAN.	Create the VLAN for communicating with the DR peer.	N/A
interface Vlan-interface10	interface Vlan-interface10	Manual	Create VLAN-interface 10.	Create the VLAN interface for the VLAN used for communicating with the DR peer. When the uplink interface fails, the device forwards the packets received on the DR interfaces to the DR peer for Layer 3 forwarding.	N/A
ip address 10.1.1.1 255.255.255.0	ip address 10.1.1.2 255.255.255.0	Manual	Assign an IP address to the interface.	N/A	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
isis circuit-type p2p	isis circuit-type p2p	Manual	Set the network type of the interface to P2P.	If only two routers exist on a broadcast network, set the network type of attached interfaces to P2P to avoid DIS election and CSNP flooding. This saves network bandwidth and speeds up network convergence.	N/A
isis peer hold-max-cost duration 20000	isis peer hold-max-cost duration 20000	Manual	Enable IS-IS to advertise the maximum link cost to neighbors within 20000 milliseconds.	N/A	Execute this command at both ends of a link.
quit	quit	Manual	Exit the view of VLAN-interface 10.	N/A	N/A

NOTE:

On an IS-IS network, when a link recovers from failures or the state of an interface changes, IS-IS will re-establish neighbor relationships and perform route convergence. During the route convergence process, routing loops and traffic loss might occur because the convergence speeds of the nodes are different. To address this issue, enable IS-IS to advertise the maximum link cost to neighbors within the specified period, so the traffic forwarding path remains unchanged. After the specified period, IS-IS advertises the original link cost to neighbors and performs optimal route selection again.

Configuring the links towards the spine tier

Leaf 1	Leaf 2	Configuration method	Description	Purpose	Remarks
interface FortyGigE1/0/49	interface FortyGigE 1/0/49	Manual	Configure the interface connected to Spine 2.	N/A	N/A
port link-mode route	port link-mode route	Manual	Configure the Ethernet interface to work in Layer 3 mode.	N/A	N/A
ip address 6.1.1.5 255.255.255.252	ip address 6.1.1.13 255.255.255.252	Manual	Assign an IP address to the interface.	N/A	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
isis circuit-type p2p	isis circuit-type p2p	Manual	Set the network type of the interface to P2P.	If only two routers exist on a broadcast network, set the network type of attached interfaces to P2P to avoid DIS election and CSNP flooding. This saves network bandwidth and speeds up network convergence.	N/A
isis peer hold-max-cost duration 20000	isis peer hold-max-cost duration 20000	Manual	Enable IS-IS to advertise the maximum link cost to neighbors within 20000 milliseconds.	N/A	Execute this command at both ends of a link.
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual	Disable static source check.	To correctly forward traffic sourced from the MAC address of a VLAN interface, you must disable the static source check feature on the Layer 2 interfaces in the VLAN.	N/A
interface FortyGigE1/0/51	interface FortyGigE 1/0/51	Manual	Configure the interface connected to Spine 1.	N/A	N/A
port link-mode route	port link-mode route	Manual	Configure the Ethernet interface to work in Layer 3 mode.	N/A	N/A
ip address 6.1.1.1 255.255.255.252	ip address 6.1.1.9 255.255.255.252	Manual	Assign an IP address to the interface.	N/A	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
isis circuit-type p2p	isis circuit-type p2p	Manual	Set the network type of the interface to P2P.	If only two routers exist on a broadcast network, set the network type of attached interfaces to P2P to avoid DIS election and CSNP flooding. This saves network bandwidth and speeds up network convergence.	N/A
isis peer hold-max-cost duration 20000	isis peer hold-max-cost duration 20000	Manual	Enable IS-IS to advertise the maximum link cost to neighbors within 20000 milliseconds.	N/A	N/A
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual	Disable static source check.	To correctly forward traffic sourced from the MAC address of a VLAN interface, you must disable the static source check feature on the Layer 2 interfaces in the VLAN.	N/A

Configuring L2VPN

Leaf 1	Leaf 2	Configuration method	Description	Purpose	Remarks
l2vpn enable	l2vpn enable	Manual	Enable L2VPN.	N/A	N/A
l2vpn statistics interval 30	l2vpn statistics interval 30	Manual	Set the interval for collecting L2VPN statistics to 30 seconds.	Configure this setting according to the gRPC report interval.	N/A
vxlan default-decapsulation source interface LoopBack0	vxlan default-decapsulation source interface LoopBack0	Manual	Enable default VXLAN decapsulation on the packets destined for the VTEP IP address.	N/A	This command takes effect only when the specified interface has an IP address.
vxlan tunnel mac-learning disable	vxlan tunnel mac-learning disable	Manual	Disable remote-MAC address learning.	Execute this command if a controller issues forwarding entries to the device.	N/A
vxlan tunnel arp-learning disable	vxlan tunnel arp-learning disable	Manual	Disable remote ARP learning.	Execute this command if a controller issues forwarding entries to the device.	N/A
vxlan tunnel nd-learning disable	vxlan tunnel nd-learning disable	Manual	Disable remote ND learning.	Execute this command if a controller issues forwarding entries to the device.	N/A
mac-address timer aging 3600	mac-address timer aging 3600	Manual	Set the aging time to 3600 seconds for dynamic MAC address entries.	Increase this timer to ensure forwarding entry synchronization is finished in time after the DR peer restarts.	This setting must be consistent on the DR member devices in the same DR system.
mac-address mac-move fast-update	mac-address mac-move fast-update	Manual	Enable ARP fast update for MAC address moves.	Use this command together with gRPC.	N/A
arp timer aging 1440	arp timer aging 1440	Manual	Set the aging timer for dynamic ARP entries to 1440 minutes.	Increase this timer to ensure forwarding entry synchronization is finished in time after the DR peer restarts.	This setting must be consistent on the DR member devices in the same DR system.
ipv6 neighbor stale-aging 1440	ipv6 neighbor stale-aging 1440	Manual	Set the aging timer for ND entries in stale state to 1440 minutes.	Increase this timer to ensure forwarding entry synchronization is finished in time after the DR peer restarts.	This setting must be consistent on the DR member devices in the same DR system.

NOTE:

If you use two border devices to set up a DR system and BMs in bond1 mode need to communicate with the external network, unidirectional tunnels exist between the ToR switches and SDN gateway. Typically, unidirectional tunnels are set up when a ToR switch is disconnected from the controller or new BMs come online. In this scenario, an online ToR switch advertises routes that contain its real IP address. The SDN will set up a tunnel to that real IP address, while the ToR switch uses the virtual VTEP IP address for tunnel setup. For the ToR switches to decapsulate the packets sent by the SDN gateway, enable default VXLAN decapsulation on the ToR switches.

Configuring DRNI

Leaf 1	Leaf 2	Configuration method	Description	Purpose	Remarks
ip vpn-instance management	ip vpn-instance management	Manual	Create a VPN for the management Ethernet interface.	N/A	This command is optional.
interface M-GigabitEthernet0/0/0	interface M-GigabitEthernet0/0/0	Manual	Enter the view of the management Ethernet interface.	N/A	N/A
ip binding vpn-instance management	ip binding vpn-instance management	Manual	Assign the management Ethernet interface to the VPN.	N/A	Assign the management Ethernet interface to a VPN as needed.
ip address 192.1.2.66 255.255.255.0	ip address 192.1.2.67 255.255.255.0	Manual	Configure a management IP address.	N/A	N/A
quit	quit	Manual	Exit the view of the management Ethernet interface.	N/A	N/A
l2vpn drni peer-link ac-match-rule vxlan-mapping	l2vpn drni peer-link ac-match-rule vxlan-mapping	Manual	Enable the device to create frame match criteria based on VXLAN IDs for the dynamic ACs on the Ethernet aggregate link IPL.	N/A	N/A
evpn drni group 5.1.1.101	evpn drni group 5.1.1.101	Manual	Enable EVPN distributed relay and specify the virtual VTEP address.	N/A	You must specify the same virtual VTEP address on both VTEPs in the same DR system.
evpn drni local 5.1.1.1 remote 5.1.1.2	evpn drni local 5.1.1.2 remote 5.1.1.1	Manual	Specify the IP addresses of the VTEPs in a DR system.	After you configure this command, each VTEP in a DR system changes the next hop of the routes for single-armed ACs to its local VTEP IP address when advertising the routes. This ensures that the traffic of a single-armed AC is forwarded to its attached VTEP.	When you execute this command, make sure the IP address of the local VTEP belongs to a local interface. Make sure the local VTEP IP address and peer VTEP IP address are reversed on the VTEPs in a DR system.
evpn global-mac 00e0-fc00-580a	evpn global-mac 00e0-fc00-580a	Manual	Configure the EVPN global MAC address.	N/A	You must specify the same EVPN global MAC address on the devices in the same DR system. Do not use a reserved MAC address as the EVPN global MAC address.
drni system-mac 00e0-fc00-5800	drni system-mac 00e0-fc00-5800	Manual	Configure the DR system MAC address.	Configure the settings required for establishing the DR system.	The DR system MAC address uniquely identifies the DR system on the network. For the DR member devices to be identified as one DR system, you must configure the same DR system MAC address on them.
drni system-number 1	drni system-number 2	Manual	Set the DR system number.	Configure the settings required for establishing the DR system.	You must assign different DR system numbers to the DR member devices in a DR system.
drni system-priority 123	drni system-priority 123	Manual	Set the DR system priority.	N/A	This command is optional. You must configure the same DR system priority for the DR member devices in a DR system. The default DR system priority is 32768. The smaller the priority value, the higher the priority.
drni keepalive ip destination 192.1.2.67 source 192.1.2.66 vpn-instance management	drni keepalive ip destination 192.1.2.66 source 192.1.2.67 vpn-instance management	Manual	Configure DR keepalive packet parameters.	Use the management Ethernet interface to set up the keepalive link. This interface is excluded from the DRNI MAD DOWN action.	You do not need to specify a VPN instance if the interface does not belong to any VPN instance. If the interface that owns the source IP address is not excluded from the DRNI MAD DOWN action, exclude it from that action.
drni mad default-action none	drni mad default-action none	Manual	Set the default DRNI MAD action to NONE.	N/A	N/A
drni mad include interface FortyGigE1/0/49	drni mad include interface FortyGigE 1/0/49	Manual	Enable DRNI to shut down an interface when the DR system splits.	Shut down the interface upon a DR system split to reduce the fallback duration after a device restart.	Execute this command on the uplink interface attached to a spine device.
drni mad include interface FortyGigE1/0/51	drni mad include interface FortyGigE 1/0/51	Manual	Enable DRNI to shut down an interface when the DR system splits.	Shut down the interface upon a DR system split to reduce the fallback duration after a device restart.	Execute this command on the uplink interface attached to a spine device.
drni restore-delay 300	drni restore-delay 300	Manual	Set the data restoration interval.	Ensure that entry synchronization is finished before interfaces are brought up.	N/A
interface Bridge-Aggregation1	interface Bridge-Aggregation1	Manual	Create Bridge-Aggregation 1 which will be the IPP.	N/A	N/A
port link-type trunk	port link-type trunk	Manual	Set the link type of the interface to trunk.	N/A	N/A
port trunk permit vlan all	port trunk permit vlan all	Manual	Configure the trunk interface to permit all VLANs.	N/A	N/A
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual	Configure the aggregate interface to operate in dynamic mode and enable LACP.	N/A	N/A
port drni intra-portal-port 1	port drni intra-portal-port 1	Manual	Configure the interface as the IPP.	N/A	N/A
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual	Disable static source check.	To correctly forward traffic sourced from the MAC address of a VLAN interface, you must disable the static source check feature on the Layer 2 interfaces in the VLAN.	You do not need to execute this command on S12500X-AF switches. Disable static source check on the IPP and the uplink interfaces attached to spine devices.
interface FortyGigE1/0/53	interface FortyGigE1/0/53	Manual	Configure the interface as a member port of the IPP.	N/A	N/A
port link-type trunk	port link-type trunk	Manual	Set the link type of the interface to trunk.	N/A	N/A
port trunk permit vlan all	port trunk permit vlan all	Manual	Configure the trunk interface to permit all VLANs.	N/A	N/A
port link-aggregation group 1	port link-aggregation group 1	Manual	Assign the interface to link aggregation group 1.	N/A	N/A
interface FortyGigE1/0/54	interface FortyGigE1/0/54	Manual	Configure the interface as a member port of the IPP.	N/A	N/A
port link-type trunk	port link-type trunk	Manual	Set the link type of the interface to trunk.	N/A	N/A
port trunk permit vlan all	port trunk permit vlan all	Manual	Configure the trunk interface to permit all VLANs.	N/A	N/A
port link-aggregation group 1	port link-aggregation group 1	Manual	Assign the interface to link aggregation group 1.	N/A	N/A
quit	quit	Manual	N/A	N/A	N/A

NOTE:

By default, if a DR system uses an Ethernet aggregate link as the IPL, each DR member device creates a dynamic AC on the IPL when an AC is configured on a site-facing interface. The dynamic AC and the site-facing AC have the same frame match criteria and VSI mapping. If two site-facing ACs on different interfaces have the same frame match criteria but different VSI mappings, the dynamic ACs created for the site-facing ACs will conflict with each other. To prevent this issue, enable the DR member devices to create frame match criteria based on VXLAN IDs for the dynamic ACs on the IPL.

If you use a VXLAN tunnel as the IPL in an EVPN environment, you must retain a large number of logical interfaces (for example, tunnel and loopback interfaces) in up state. To reduce configuration steps, set the default DRNI MAD action to NONE and execute the drni mad include interface command to specify interfaces that must be shut down by DRNI MAD in addition to those already automatically specified by the system.

Configuring the links towards the virtualization servers

Leaf 1	Leaf 2	Configuration method	Description	Purpose	Remarks
interface Bridge-Aggregation101	interface Bridge-Aggregation101	Manual	Create an aggregate interface to be configured as a DR interface.	Create the interface to connect to the host overlay servers.	N/A
port access vlan 2	port access vlan 2	Manual	Configure the interface as an access interface and assign it to VLAN 2.	Assign the interface to the VLAN of the VRRP group.	N/A
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual	Configure the aggregate interface to operate in dynamic mode and enable LACP.	N/A	N/A
port drni group 101	port drni group 101	Manual	Assign the interface to a DR group.	N/A	N/A
interface Ten-GigabitEthernet1/0/21	interface Ten-GigabitEthernet 1/0/21	Manual	Enter the view of a member port to be assigned to the DR interface.	N/A	N/A
port access vlan 2	port access vlan 2	Manual	Configure the interface as an access interface and assign it to VLAN 2.	Assign the interface to the VLAN of the VRRP group.	N/A
port link-aggregation group 101	port link-aggregation group 101	Manual	Assign the interface to the aggregation group of the DR interface.	N/A	N/A
quit	quit	Manual	Exit the current view.	N/A	N/A

Configuring the links towards the bare metal servers

Leaf 1	Leaf 2	Configuration method	Description	Purpose	Remarks
interface Bridge-Aggregation1024	interface Bridge-Aggregation1024	Manual	Create an aggregate interface to be configured as a DR interface.	Create the aggregate interface to connect to the bare metal servers.	N/A
port link-type trunk	port link-type trunk	Manual	Set the link type of the interface to trunk.	N/A	N/A
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual	Configure the aggregate interface to operate in dynamic mode and enable LACP.	N/A	Configure the trunk interface to permit all VLANs.
port drni group 1024	port drni group 1024	Manual	Assign the aggregate interface to a DR group.	N/A	N/A
interface Ten-GigabitEthernet1/0/47	interface Ten-GigabitEthernet 1/0/47	Manual	Enter the view of a member port to be assigned to the DR interface.	N/A	N/A
port link-type trunk	port link-type trunk	Manual	Set the link type of the interface to trunk.	N/A	N/A
port link-aggregation group 1024	port link-aggregation group 1024	Manual	Assign the interface to the aggregation group of the DR interface.	N/A	N/A
quit	quit	Manual	Exit the current view.	N/A	N/A

Configuring spanning tree

Leaf 1	Leaf 2	Configuration method	Description	Purpose
stp global enable	stp global enable	Manual	Enable spanning tree globally.	N/A
interface Bridge-Aggregation101	interface Bridge-Aggregation101	Manual	Enter the view of the DR interface connected to the virtualization servers.	N/A
stp edged-port	stp edged-port	Manual	Configure the interface as an edge port.	Exclude the interface from spanning tree calculation.
interface Bridge-Aggregation 1024	interface Bridge-Aggregation 1024	Manual	Enter the view of the DR interface connected to the bare metal servers.	N/A
stp edged-port	stp edged-port	Manual	Configure the interface as an edge port.	Exclude the interface from spanning tree calculation.

NOTE:

Make sure the DR member devices have the same spanning tree configuration, including:

· Global spanning tree configuration.

· Spanning tree configuration on the IPP.

· Spanning tree configuration on DR interfaces.

Violation of this rule might cause network flapping. IPPs in the DR system do not participate in spanning tree calculation.

The DR member devices still use the DR system MAC address after the DR system splits, which will cause spanning tree calculation issues. To avoid the issues, enable DRNI standalone mode on the DR member devices before the DR system splits.

Configuring a BGP instance

Leaf 1	Leaf 2	Configuration method	Description	Purpose	Remarks
bgp 400	bgp 400	Manual	Enable a BGP instance.	N/A	N/A
bgp update-delay on-startup 40	bgp update-delay on-startup 40	Manual	Configure BGP to delay sending route updates on reboot.	Avoid forwarding issues during fallback after a ToR switch restarts.	N/A
router-id 5.1.1.1	router-id 5.1.1.2	Manual	Configure a router ID for the BGP instance.	To run BGP in a BGP instance, you must configure a router ID for the BGP instance. If you do not configure a router ID for the BGP instance, it uses the global router ID.	N/A
group evpn internal	group evpn internal	Manual	Create an IBGP peer group.	N/A	N/A
peer evpn connect-interface LoopBack0	peer evpn connect-interface LoopBack0	Manual	Specify a source interface for establishing TCP links towards the peer group.	N/A	N/A
peer evpn route-update-interval 0	peer evpn route-update-interval 0	Manual	Specify an interval for sending the same update to the peer group.	Enable the device to fast send update to the peer group upon route changes to speed up route convergence after a DR primary/secondary switchover occurs.	Execute this command only for IBGP peers.
peer 5.1.1.6 group evpn	peer 5.1.1.6 group evpn	Manual	Add a spine device to the peer group.	N/A	N/A
peer 5.1.1.8 group evpn	peer 5.1.1.8 group evpn	Manual	Add a spine device to the peer group.	N/A	N/A
address-family l2vpn evpn	address-family l2vpn evpn	Manual	Enter L2VPN EVPN address family view.	N/A	N/A
peer evpn enable	peer evpn enable	Manual	Enable the device to exchange routes with the peer group.	N/A	N/A
quit	quit	Manual	Exit L2VPN EVPN address family view.	N/A	N/A

Configuring the overlay network

Leaf 1	Leaf 2	Configuration method	Description	Remarks
ip vpn-instance admin_route1_50034	ip vpn-instance admin_route1_50034	Controller-based	Create a VPN instance on the private network.	N/A
route-distinguisher 1:50034	route-distinguisher 1:50034	Controller-based	Configure the RD of the VPN instance.	N/A
address-family ipv4	address-family ipv4	Controller-based	Enter IPv4 address family view of the VPN instance.	N/A
vpn-target 0:50034 1:50034 import-extcommunity	vpn-target 0:50034 1:50034 import-extcommunity	Controller-based	Configure import targets for the VPN instance.	N/A
vpn-target 1:50034 export-extcommunity	vpn-target 1:50034 export-extcommunity	Controller-based	Configure export targets for the VPN instance.	N/A
address-family ipv6	address-family ipv6	Controller-based	Enter IPv6 address family view of the VPN instance.	N/A
vpn-target 0:50034 1:50034 import-extcommunity	vpn-target 0:50034 1:50034 import-extcommunity	Controller-based	Configure import targets for the VPN instance.	N/A
vpn-target 1:50034 export-extcommunity	vpn-target 1:50034 export-extcommunity	Controller-based	Configure export targets for the VPN instance.	N/A
address-family evpn	address-family evpn	Controller-based	Enter EVPN view of the VPN instance.	N/A
vpn-target 0:50034 1:50034 import-extcommunity	vpn-target 0:50034 1:50034 import-extcommunity	Controller-based	Configure import targets for the VPN instance.	N/A
vpn-target 1:50034 export-extcommunity	vpn-target 1:50034 export-extcommunity	Controller-based	Configure export targets for the VPN instance.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
interface Vsi-interface22000	interface Vsi-interface22000	Controller-based	Create a VSI interface and enter its view.	N/A
mtu 1450	mtu 1450	Controller-based	Configure the MTU of the VSI interface.	N/A
ip binding vpn-instance admin_route1_50034	ip binding vpn-instance admin_route1_50034	Controller-based	Associate the VSI interface with the VPN instance.	N/A
ip address 121.1.0.1 255.255.0.0 sub	ip address 121.1.0.1 255.255.0.0 sub	Controller-based	Assign an IPv4 address as a gateway address to the VSI interface.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
mac-address 542b-de0c-02c9	mac-address 542b-de0c-02c9	Controller-based	Assign a MAC address to the VSI interface.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
ipv6 nd ra prefix 121:1::/64 no-advertise	ipv6 nd ra prefix 121:1::/64 no-advertise	Controller-based	Disable the device from advertising the prefix of the IPv6 gateway through RA messages.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
ipv6 address 121:1::1/64	ipv6 address 121:1::1/64	Controller-based	Assign an IPv6 address as a gateway address to the VSI interface.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
distributed-gateway local	distributed-gateway local	Controller-based	Specify the VSI interface as a distributed gateway to provide services for the local site.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
interface Vsi-interface 22001	interface Vsi-interface 22001	Controller-based	Create a VSI interface and enter its view.	N/A
mtu 1450	mtu 1450	Controller-based	Configure the MTU of the VSI interface.	N/A
ip binding vpn-instance admin_route1_50034	ip binding vpn-instance admin_route1_50034	Controller-based	Associate the VSI interface with a VPN instance.	N/A
ip address 121.2.0.1 255.255.0.0 sub	ip address 121.2.0.1 255.255.0.0 sub	Controller-based	Assign an IPv4 address as a gateway address to the VSI interface.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
mac-address 542b-de0c-02c9	mac-address 542b-de0c-02c9	Controller-based	Assign a MAC address to the VSI interface.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
ipv6 nd ra prefix 121:2::/64 no-advertise	ipv6 nd ra prefix 121:2::/64 no-advertise	Controller-based	Disable the device from advertising the prefix of the IPv6 gateway through RA messages.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
ipv6 address 121:2::1/64	ipv6 address 121:2::1/64	Controller-based	Assign an IPv6 address as a gateway address to the VSI interface.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
distributed-gateway local	distributed-gateway local	Controller-based	Specify the VSI interface as a distributed gateway to provide services for the local site.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
interface Vsi-interface50034	interface Vsi-interface50034	Controller-based	Create a VSI interface and enter its view.	N/A
ip binding vpn-instance admin_route1_50034	ip binding vpn-instance admin_route1_50034	Controller-based	Associate the VSI interface with the VPN instance.	N/A
ipv6 address auto link-local	ipv6 address auto link-local	Controller-based	Automatically generate a link-local address for the VSI interface.	N/A
l3-vni 50034	l3-vni 50034	Controller-based	Assign an L3VNI to the VSI interface.	The L3VNI is shared among the VSI interfaces associated with the same VPN instance.
quit	quit	Controller-based	Exit the current view.	N/A
vsi SDN_VSI_22000	vsi SDN_VSI_22000	Controller-based	Create a VSI and enter its view.	N/A
gateway vsi-interface 22000	gateway vsi-interface 22000	Controller-based	Specify a gateway interface for the VSI.	N/A
arp suppression enable	arp suppression enable	Controller-based	Enable ARP flood suppression.	N/A
ipv6 nd suppression enable	ipv6 nd suppression enable	Controller-based	Enable ND flood suppression.	N/A
flooding disable all	flooding disable all	Controller-based	Disable flooding of local broadcast, unknown unicast, and unknown multicast traffic.	N/A
vxlan 22000	vxlan 22000	Controller-based	Create a VXLAN and enter its view.	N/A
evpn encapsulation vxlan	evpn encapsulation vxlan	Controller-based	Create an EVPN instance and enter its view.	N/A
route-distinguisher auto	route-distinguisher auto	Controller-based	Configure the RD of the EVPN instance.	N/A
vpn-target auto	vpn-target auto	Controller-based	Configure import and export targets for EVPN.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
vsi SDN_VSI_22001	vsi SDN_VSI_22001	Controller-based	Create a VSI and enter its view.	N/A
gateway vsi-interface 22001	gateway vsi-interface 22001	Controller-based	Specify a gateway interface for the VSI.	N/A
arp suppression enable	arp suppression enable	Controller-based	Enable ARP flood suppression.	N/A
ipv6 nd suppression enable	ipv6 nd suppression enable	Controller-based	Enable ND flood suppression.	N/A
flooding disable all	flooding disable all	Controller-based	Disable flooding of local broadcast, unknown unicast, and unknown multicast traffic.	N/A
vxlan 22001	vxlan 22001	Controller-based	Create a VXLAN and enter its view.	N/A
evpn encapsulation vxlan	evpn encapsulation vxlan	Controller-based	Create an EVPN instance and enter its view.	N/A
route-distinguisher auto	route-distinguisher auto	Controller-based	Configure the RD of the EVPN instance.	N/A
vpn-target auto	vpn-target auto	Controller-based	Configure export targets for EVPN.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
vlan 21 to 22	vlan 21 to 22	Controller-based	Create VLANs.	N/A
interface Bridge-Aggregation1024	interface Bridge-Aggregation1024	Controller-based	Enter the view of the interface to be configured with ACs.	N/A
port link-type trunk	port link-type trunk	Controller-based	Set the link type of the interface to trunk.	N/A
undo port trunk permit vlan 1	undo port trunk permit vlan 1	Controller-based	Remove the trunk interface from VLAN 1.	N/A
port trunk permit vlan 21 to 22	port trunk permit vlan 21 to 22	Controller-based	Assign the trunk interface to VLAN 21 and VLAN 22.	N/A
link-aggregation mode dynamic	link-aggregation mode dynamic	Controller-based	Configure the aggregate interface to operate in dynamic mode and enable LACP.	N/A
port drni group 1024	port drni group 1024	Controller-based	Assign the interface to a DR group.	N/A
service-instance 21	service-instance 21	Controller-based	Create an Ethernet service instance and enter its view.	N/A
encapsulation s-vid 21	encapsulation s-vid 21	Controller-based	Configure the Ethernet service instance to match traffic by the outer VLAN ID.	N/A
xconnect vsi SDN_VSI_22000	xconnect vsi SDN_VSI_22000	Controller-based	Map the Ethernet service instance to the VSI created previously.	N/A
service-instance 22	service-instance 22	Controller-based	Create an Ethernet service instance and enter its view.	N/A
encapsulation s-vid 22	encapsulation s-vid 22	Controller-based	Configure the Ethernet service instance to match traffic by the outer VLAN ID.	N/A
xconnect vsi SDN_VSI_22001	xconnect vsi SDN_VSI_22001	Controller-based	Map the Ethernet service instance to the VSI created previously.	N/A
quit	quit	Controller-based	Exit the current view.	N/A

Configuring S6850 switches as leaf devices

Procedure summary

· Configuring the resource mode

· Creating VRRP groups

· Configuring IS-IS

· Configuring the links towards the spine tier

· Configuring L2VPN

· Configuring DRNI

· Configuring the links towards the virtualization servers

· Configuring the links towards the bare metal servers

· Configuring spanning tree

· Configuring a BGP instance

· Configuring the overlay network

Configuring the resource mode

Leaf 3	Leaf 4	Configuration method	Description	Purpose	Remarks
hardware-resource switch-mode DUAL-STACK	hardware-resource switch-mode DUAL-STACK	Manual	Set the hardware resource mode to DUAL-STACK for the MAC address table, ARP/ND table, and routing tables	Adjust the capacities of the MAC address table, ARP/ND table, and routing tables.	Reboot the device for this setting to take effect.
hardware-resource routing-mode ipv6-128	hardware-resource routing-mode ipv6-128	Manual	Enable support for IPv6 routes with prefixes longer than 64 bits.	N/A	Reboot the device for this setting to take effect.
hardware-resource vxlan l3gw	hardware-resource vxlan l3gw	Manual	Set the VXLAN hardware resource mode to Layer 3 gateway mode that supports 40 K of overlay adjacency table	N/A	Reboot the device for this setting to take effect.
openflow permit-flag ignore	openflow permit-flag ignore	Manual	Ignore the permit flag added by OpenFlow.	Enable support for bidirectional security groups and port rate limiting.	N/A

Creating VRRP groups

Leaf 3	Leaf 4	Configuration method	Description	Purpose
vlan 2	vlan 2	Manual	Configure the VLAN used to communicate with a virtualization server.	The switch is an underlay device to a virtualization server.
interface Vlan-interface 2	interface Vlan-interface 2	Manual	Create a VLAN interface.	N/A
ip address 50.50.50.2 255.255.255.0	ip address 50.50.50.3 255.255.255.0	Manual	Assign an IP address to the interface.	N/A
vrrp vrid 2 virtual-ip 50.50.50.254	vrrp vrid 2 virtual-ip 50.50.50.254	Manual	Configure the virtual IP address of a VRRP group.	N/A
vrrp vrid 2 priority 100	vrrp vrid 2 priority 101	Manual	Configure the priority of the device in the VRRP group.	VRRP determines the role (master or backup) of each router in a VRRP group by priority. A router with higher priority is more likely to become the master. The larger the priority value, the higher the priority.
undo vrrp vrid 2 preempt-mode	undo vrrp vrid 2 preempt-mode	Manual	Configure the device to work in non-preemptive mode in the VRRP group.	Ensure consistency between the VRRP role and DR role. This command is optional. Inconsistency between the VRRP role and DR role does not affect traffic forwarding.
quit	quit	Manual	Exit the current view.	N/A
ip prefix-list 1 index 10 permit 50.50.50.0 24	ip prefix-list 1 index 10 permit 50.50.50.0 24	Manual	Configure an IPv4 prefix list or an item for the list.	Create an IPv4 prefix list for the virtual IP address of the VRRP group.
route-policy 1 permit node 0	route-policy 1 permit node 0	Manual	Configure a routing policy.	Create the routing policy used in IS-IS IPv4 unicast address family view.
if-match ip address prefix-list 1	if-match ip address prefix-list 1	Manual	Match IPv4 routes with an IPv4 prefix list.	N/A
quit	quit	Manual	Exit routing policy view.	N/A

Configuring IS-IS

Leaf 3	Leaf 4	Configuration method	Description	Purpose	Remarks
router id 5.1.1.3	router id 5.1.1.4	Manual	Configure the IP address of Loopback 0 as the router ID.	Configure the global router ID.	N/A
isis 1	isis 1	Manual	Enter IS-IS view.	-	N/A
is-level level-2	is-level level-2	Manual	Specify the IS level.	If the only area is an IP network, configure all the routers as Level-2 for scalability.	N/A
cost-style wide	cost-style wide	Manual	Set the cost style to wide.	Enable the device to receive wide cost style packets.	N/A
timer spf 1 10 10	timer spf 1 10 10	Manual	Set the maximum SPF calculation interval to 1 second, minimum SPF calculation interval to 10 milliseconds, and incremental SPF calculation interval to 10 milliseconds.	Reduce the interval between two SPF calculations and speed up convergence.	N/A
timer lsp-max-age 65535	timer lsp-max-age 65535	Manual	Set the LSP maximum age in the LSDB to 65535 seconds.	A large LSP maximum age reduces LSP floods. Any LSP with an age of 0 is deleted from the LSDB.	N/A
timer lsp-refresh 65000	timer lsp-refresh 65000	Manual	Set the LSP refresh interval to 65000 seconds.	A large refresh interval reduces LSP refreshes and saves bandwidth.	N/A
timer lsp-generation 1 10 10	timer lsp-generation 1 10 10	Manual	Set the maximum interval to 1 second, minimum interval to 10 milliseconds, and incremental interval to 10 milliseconds for LSP generation.	Speed up LSP generation and routing convergence upon network topology changes.	N/A
set-overload on-startup 360	set-overload on-startup 360	Manual	Set the overload bit for 360 seconds upon system startup.	Delay VRRP address advertisement after system startup to reduce traffic loss during fallback.	N/A
network-entity 51.0000.0005.0003.00	network-entity 51.0000.0005.0004.00	Manual	Configure the NET for an IS-IS process.	N/A	N/A
address-family ipv4 unicast	address-family ipv4 unicast	Manual	Enter IS-IS IPv4 address family view.	N/A	N/A
fast-reroute lfa	fast-reroute lfa	Manual	Configure IS-IS FRR.	Enable IS-IS to calculate backup next hops for all Level-2 routes to reduce traffic interruption upon link or device failure.	N/A
import-route direct route-policy 1	import-route direct route-policy 1	Manual	Redistribute direct VRRP routes.	Use this command together with the set-overload command to delay VRRP route advertisement after system startup to optimize route convergence upon fallback.	N/A
quit	quit	Manual	Exit address family view.	N/A	N/A
quit	quit	Manual	Exit IS-IS view.	N/A	N/A
interface LoopBack0	interface LoopBack0	Manual	Create Loopback 0 and enter its view.	N/A	N/A
ip address 5.1.1.3 255.255.255.255	ip address 5.1.1.4 255.255.255.255	Manual	Assign an IP address to the interface.	Configure the VTEP IP address.	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
quit	quit	Manual	Exit the view of Loopback 0.	N/A	N/A
interface LoopBack1	interface LoopBack1	Manual	Create Loopback 1 and enter its view.	N/A	N/A
ip address 5.1.1.102 255.255.255.255	ip address 5.1.1.102 255.255.255.255	Manual	Assign an IP address to the interface.	Configure the virtual VTEP IP address.	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
quit	quit	Manual	Exit the view of Loopback 1.	N/A	N/A
vlan 10	vlan 10	Manual	Create a VLAN.	Create the VLAN for communicating with the DR peer.	N/A
interface Vlan-interface10	interface Vlan-interface10	Manual	Create VLAN-interface 10.	Create the VLAN interface for the VLAN used for communicating with the DR peer. When the uplink interface fails, the device forwards the packets received on the DR interfaces to the DR peer for Layer 3 forwarding.	N/A
ip address 10.2.1.1 255.255.255.0	ip address 10.2.1.2 255.255.255.0	Manual	Assign an IP address to the interface.	N/A	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
isis circuit-type p2p	isis circuit-type p2p	Manual	Set the network type of the interface to P2P.	If only two routers exist on a broadcast network, set the network type of attached interfaces to P2P to avoid DIS election and CSNP flooding. This saves network bandwidth and speeds up network convergence.	N/A
isis peer hold-max-cost duration 20000	isis peer hold-max-cost duration 20000	Manual	Enable IS-IS to advertise the maximum link cost to neighbors within 20000 milliseconds.	N/A	Execute this command at both ends of a link.
quit	quit	Manual	Exit the current view.	N/A	N/A

NOTE:

Configuring the links towards the spine tier

Leaf 3	Leaf 4	Configuration method	Description	Purpose	Remarks
interface HundredGigE1/0/25	interface HundredGigE1/0/25	Manual	Configure the interface connected to Spine 2.	N/A	N/A
port link-mode route	port link-mode route	Manual	Configure the Ethernet interface to work in Layer 3 mode.	N/A	N/A
ip address 6.1.1.29 255.255.255.252	ip address 6.1.1.21 255.255.255.252	Manual	Assign an IP address to the interface.	N/A	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
isis circuit-type p2p	isis circuit-type p2p	Manual	Set the network type of the interface to P2P.	If only two routers exist on a broadcast network, set the network type of attached interfaces to P2P to avoid DIS election and CSNP flooding. This saves network bandwidth and speeds up network convergence.	N/A
isis peer hold-max-cost duration 20000	isis peer hold-max-cost duration 20000	Manual	Enable IS-IS to advertise the maximum link cost to neighbors within 20000 milliseconds.	N/A	Execute this command at both ends of a link.
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual	Disable static source check.	To correctly forward traffic sourced from the MAC address of a VLAN interface, you must disable the static source check feature on the Layer 2 interfaces in the VLAN.	N/A
interface HundredGigE1/0/29	interface HundredGigE1/0/29	Manual	Configure the interface connected to Spine 1.	N/A	N/A
port link-mode route	port link-mode route	Manual	Configure the Ethernet interface to work in Layer 3 mode.	N/A	N/A
ip address 6.1.1.17 255.255.255.252	ip address 6.1.1.25 255.255.255.252	Manual	Assign an IP address to the interface.	N/A	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
isis circuit-type p2p	isis circuit-type p2p	Manual	Set the network type of the interface to P2P.	If only two routers exist on a broadcast network, set the network type of attached interfaces to P2P to avoid DIS election and CSNP flooding. This saves network bandwidth and speeds up network convergence.	N/A
isis peer hold-max-cost duration 20000	isis peer hold-max-cost duration 20000	Manual	Enable IS-IS to advertise the maximum link cost to neighbors within 20000 milliseconds.	N/A	N/A
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual	Disable static source check on the interface connected to Spine 2.	To correctly forward traffic sourced from the MAC address of a VLAN interface, you must disable the static source check feature on the Layer 2 interfaces in the VLAN.	N/A

Configuring L2VPN

Leaf 3	Leaf 4	Configuration method	Description	Purpose	Remarks
l2vpn enable	l2vpn enable	Manual	Enable L2VPN.	N/A	N/A
l2vpn statistics interval 30	l2vpn statistics interval 30	Manual	Set the interval for collecting L2VPN statistics to 30 seconds.	Configure this setting according to the gRPC report interval.	N/A
vxlan default-decapsulation source interface LoopBack0	vxlan default-decapsulation source interface LoopBack0	Manual	Enable default VXLAN decapsulation on the packets destined for the VTEP IP address.	N/A	This command takes effect only when the specified interface has an IP address.
vxlan tunnel mac-learning disable	vxlan tunnel mac-learning disable	Manual	Disable remote-MAC address learning.	Execute this command if a controller issues forwarding entries to the device.	N/A
vxlan tunnel arp-learning disable	vxlan tunnel arp-learning disable	Manual	Disable remote ARP learning.	Execute this command if a controller issues forwarding entries to the device.	N/A
vxlan tunnel nd-learning disable	vxlan tunnel nd-learning disable	Manual	Disable remote ND learning.	Execute this command if a controller issues forwarding entries to the device.	N/A
mac-address timer aging 3600	mac-address timer aging 3600	Manual	Set the aging time to 3600 seconds for dynamic MAC address entries.	Increase this timer to ensure forwarding entry synchronization is finished in time after the DR peer restarts.	This setting must be consistent on the DR member devices in the same DR system.
mac-address mac-move fast-update	mac-address mac-move fast-update	Manual	Enable ARP fast update for MAC address moves.	Use this command together with gRPC.	N/A
arp timer aging 1440	arp timer aging 1440	Manual	Set the aging timer for dynamic ARP entries to 1440 minutes.	Increase this timer to ensure forwarding entry synchronization is finished in time after the DR peer restarts.	This setting must be consistent on the DR member devices in the same DR system.
ipv6 neighbor stale-aging 1440	ipv6 neighbor stale-aging 1440	Manual	Set the aging timer for ND entries in stale state to 1440 minutes.	Increase this timer to ensure forwarding entry synchronization is finished in time after the DR peer restarts.	This setting must be consistent on the DR member devices in the same DR system.

NOTE:

Configuring DRNI

Leaf 3	Leaf 4	Configuration method	Description	Purpose	Remarks
ip vpn-instance management	ip vpn-instance management	Manual	Create a VPN for the management Ethernet interface.	N/A	This command is optional.
interface M-GigabitEthernet0/0/0	interface M-GigabitEthernet0/0/0	Manual	Enter the view of the management Ethernet interface.	N/A	N/A
ip binding vpn-instance management	ip binding vpn-instance management	Manual	Assign the management Ethernet interface to the VPN.	N/A	Assign the management Ethernet interface to a VPN as needed.
ip address 192.1.2.68 255.255.255.0	ip address 192.1.2.69 255.255.255.0	Manual	Configure a management IP address.	N/A	N/A
quit	quit	Manual	Exit the view of the management Ethernet interface.	N/A	N/A
l2vpn drni peer-link ac-match-rule vxlan-mapping	l2vpn drni peer-link ac-match-rule vxlan-mapping	Manual	Enable the device to create frame match criteria based on VXLAN IDs for the dynamic ACs on the Ethernet aggregate link IPL.	N/A	N/A
evpn drni group 5.1.1.102	evpn drni group 5.1.1.102	Manual	Enable EVPN distributed relay and specify the virtual VTEP address.	N/A	You must specify the same virtual VTEP address on both VTEPs in the same DR system.
evpn drni local 5.1.1.3 remote 5.1.1.4	evpn drni local 5.1.1.4 remote 5.1.1.3	Manual	Specify the IP addresses of the VTEPs in a DR system.	After you configure this command, each VTEP in a DR system changes the next hop of the routes for single-armed ACs to its local VTEP IP address when advertising the routes. This ensures that the traffic of a single-armed AC is forwarded to its attached VTEP.	When you execute this command, make sure the IP address of the local VTEP belongs to a local interface. Make sure the local VTEP IP address and peer VTEP IP address are reversed on the VTEPs in a DR system.
evpn global-mac 90e7-1060-2fe0	evpn global-mac 90e7-1060-2fe0	Manual	Configure the EVPN global MAC address.	N/A	You must specify the same EVPN global MAC address on the devices in the same DR system. Do not use a reserved MAC address as the EVPN global MAC address.
drni system-mac 90e7-1060-2faf	drni system-mac 90e7-1060-2faf	Manual	Configure the DR system MAC address.	Configure the settings required for establishing the DR system.	The DR system MAC address uniquely identifies the DR system on the network. For the DR member devices to be identified as one DR system, you must configure the same DR system MAC address on them.
drni system-number 1	drni system-number 2	Manual	Set the DR system number.	Configure the settings required for establishing the DR system.	You must assign different DR system numbers to the DR member devices in a DR system.
drni system-priority 123	drni system-priority 123	Manual	Set the DR system priority.	N/A	This command is optional. You must configure the same DR system priority for the DR member devices in a DR system. The default DR system priority is 32768. The smaller the priority value, the higher the priority.
drni keepalive ip destination 192.1.2.69 source 192.1.2.68 vpn-instance management	drni keepalive ip destination 192.1.2.68 source 192.1.2.69 vpn-instance management	Manual	Configure DR keepalive packet parameters.	Use the management Ethernet interface to set up the keepalive link. This interface is excluded from the DRNI MAD DOWN action.	You do not need to specify a VPN instance if the interface does not belong to any VPN instance. If the interface that owns the source IP address is not excluded from the DRNI MAD DOWN action, exclude it from that action.
drni mad default-action none	drni mad default-action none	Manual	Set the default DRNI MAD action to NONE.	N/A	N/A
drni mad include interface HundredGigE1/0/25	drni mad include interface HundredGigE1/0/25	Manual	Enable DRNI to shut down an interface when the DR system splits.	Shut down the interface upon a DR system split to reduce the fallback duration after a device restart.	Execute this command on the uplink interface attached to a spine device.
drni mad include interface HundredGigE1/0/29	drni mad include interface HundredGigE1/0/29	Manual	Enable DRNI to shut down an interface when the DR system splits.	Shut down the interface upon a DR system split to reduce the fallback duration after a device restart.	Execute this command on the uplink interface attached to a spine device.
drni restore-delay 300	drni restore-delay 300	Manual	Set the data restoration interval.	Ensure that entry synchronization is finished before interfaces are brought up.	N/A
interface Bridge-Aggregation1	interface Bridge-Aggregation1	Manual	Create Bridge-Aggregation 1 which will be the IPP.	N/A	N/A
quit	quit	Manual	Exit interface view.	N/A	N/A
interface HundredGigE1/0/31	interface HundredGigE1/0/31	Manual	Enter interface view.	N/A	N/A
port link-aggregation group 1	port link-aggregation group 1	Manual	Assign the interface to the aggregation group for the IPP.	N/A	N/A
interface HundredGigE1/0/32	interface HundredGigE1/0/32	Manual	Enter interface view.	N/A	N/A
port link-aggregation group 1	port link-aggregation group 1	Manual	Assign the interface to the aggregation group for the IPP.	N/A	N/A
interface Bridge-Aggregation1	interface Bridge-Aggregation1	Manual	Enter aggregate interface view.	N/A	N/A
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual	Configure the aggregate interface to operate in dynamic mode and enable LACP.	N/A	N/A
port drni intra-portal-port 1	port drni intra-portal-port 1	Manual	Configure the interface as the IPP.	N/A	N/A
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual	Disable static source check.	To correctly forward traffic sourced from the MAC address of a VLAN interface, you must disable the static source check feature on the Layer 2 interfaces in the VLAN.	You do not need to execute this command on S12500X-AF switches. Disable static source check on the IPP and the uplink interfaces attached to spine devices.
quit	quit	Manual	Exit interface view.	N/A	N/A

NOTE:

If you use a VXLAN tunnel as the IPL in an EVPN environment, you must retain a large number of logical interfaces (for example, tunnel and loopback interfaces) in up state. You can set the default DRNI MAD action to NONE and execute the drni mad include interface command to specify interfaces that must be shut down by DRNI MAD in addition to those already automatically specified by the system.

Configuring the links towards the virtualization servers

Leaf 3	Leaf 4	Configuration method	Description	Purpose
interface Bridge-Aggregation101	interface Bridge-Aggregation101	Manual	Create an aggregate interface to be configured as a DR interface.	Create the interface to connect to the host overlay servers.
port access vlan 2	port access vlan 2	Manual	Configure the interface as an access interface and assign it to VLAN 2.	Assign the interface to the VLAN of the VRRP group.
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual	Configure the aggregate interface to operate in dynamic mode and enable LACP.	N/A
port drni group 101	port drni group 101	Manual	Assign the interface to a DR group.	N/A
interface Twenty-FiveGigE 1/0/21	interface Twenty-FiveGigE1/0/21	Manual	Enter interface view.	N/A
port access vlan 2	port access vlan 2	Manual	Configure the interface as an access interface and assign it to VLAN 2.	Assign the interface to the VLAN of the VRRP group.
port link-aggregation group 101	port link-aggregation group 101	Manual	Assign the interface to the aggregation group of the DR interface.	N/A
quit	quit	Manual	Exit the current view.	N/A

Configuring the links towards the bare metal servers

Leaf 3	Leaf 4	Configuration method	Description	Purpose	Remarks
interface Bridge-Aggregation1024	interface Bridge-Aggregation1024	Manual	Create an aggregate interface to be configured as a DR interface.	Connect to the bare metal servers.	N/A
port link-type trunk	port link-type trunk	Manual	Set the link type of the interface to trunk.	N/A	N/A
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual	Configure the aggregate interface to operate in dynamic mode and enable LACP.	N/A	N/A
port drni group 1024	port drni group 1024	Manual	Assign the aggregate interface to a DR group.	N/A	N/A
interface Twenty-FiveGigE1/0/55	interface Twenty-FiveGigE1/0/55	Manual	Enter interface view.	N/A	N/A
port link-type trunk	port link-type trunk	Manual	Set the link type of the interface to trunk.	N/A	N/A
port link-aggregation group 1024	port link-aggregation group 1024	Manual	Assign the interface to the aggregation group of the DR interface.	N/A	N/A
quit	quit	Manual	Exit the current view.	N/A	N/A

Configuring spanning tree

Leaf 3	Leaf 4	Configuration method	Description	Purpose
stp global enable	stp global enable	Manual	Enable spanning tree globally.	N/A
interface Bridge-Aggregation101	interface Bridge-Aggregation101	Manual	Enter the view of the DR interface connected to the virtualization servers.	N/A
stp edged-port	stp edged-port	Manual	Configure the interface as an edge port.	Exclude the interface from spanning tree calculation.
interface Bridge-Aggregation 1024	interface Bridge-Aggregation 1024	Manual	Enter the view of the DR interface connected to the bare metal servers.	N/A
stp edged-port	stp edged-port	Manual	Configure the interface as an edge port.	Exclude the interface from spanning tree calculation.

NOTE:

Make sure the DR member devices have the same spanning tree configuration, including:

· Global spanning tree configuration.

· Spanning tree configuration on the IPP.

· Spanning tree configuration on DR interfaces.

Violation of this rule might cause network flapping. IPPs in the DR system do not participate in spanning tree calculation.

Configuring a BGP instance

Leaf 3	Leaf 4	Configuration method	Description	Purpose
bgp 400	bgp 400	Manual	Enable a BGP instance.	N/A
bgp update-delay on-startup 40	bgp update-delay on-startup 40	Manual	Configure BGP to delay sending route updates on reboot.	Avoid forwarding issues during fallback after a ToR switch restarts.
router-id 5.1.1.3	router-id 5.1.1.4	Manual	Configure a router ID for the BGP instance.	To run BGP in a BGP instance, you must configure a router ID for the BGP instance. If you do not configure a router ID for the BGP instance, it uses the global router ID.
group evpn internal	group evpn internal	Manual	Create an IBGP peer group.	N/A
peer evpn connect-interface LoopBack0	peer evpn connect-interface LoopBack0	Manual	Specify a source interface for establishing TCP links towards the peer group.	N/A
peer evpn route-update-interval 0	peer evpn route-update-interval 0	Manual	Specify an interval for sending the same update to the peer group.	Enable the device to fast send update to the peer group upon route changes to speed up route convergence after a DR primary/secondary switchover occurs.
peer 5.1.1.6 group evpn	peer 5.1.1.6 group evpn	Manual	Add a spine device to the peer group.	N/A
peer 5.1.1.8 group evpn	peer 5.1.1.8 group evpn	Manual	Add a spine device to the peer group.	N/A
address-family l2vpn evpn	address-family l2vpn evpn	Manual	Enter L2VPN EVPN address family view.	N/A
peer evpn enable	peer evpn enable	Manual	Enable the device to exchange routes with the peer group.	N/A
quit	quit	Manual	Exit L2VPN EVPN address family view.	N/A
quit	quit	Manual	Exit BGP instance view.	N/A

Configuring the overlay network

Leaf 3	Leaf 4	Configuration method	Description	Remarks
ip vpn-instance admin_route1_50034	ip vpn-instance admin_route1_50034	Controller-based	Create a VPN instance on the private network.	N/A
route-distinguisher 1:50034	route-distinguisher 1:50034	Controller-based	Configure the RD of the VPN instance.	N/A
address-family ipv4	address-family ipv4	Controller-based	Enter IPv4 address family view of the VPN instance.	N/A
vpn-target 0:50034 1:50034 import-extcommunity	vpn-target 0:50034 1:50034 import-extcommunity	Controller-based	Configure import targets for the VPN instance.	N/A
vpn-target 1:50034 export-extcommunity	vpn-target 1:50034 export-extcommunity	Controller-based	Configure export targets for the VPN instance.	N/A
address-family ipv6	address-family ipv6	Controller-based	Enter IPv6 address family view of the VPN instance.	N/A
vpn-target 0:50034 1:50034 import-extcommunity	vpn-target 0:50034 1:50034 import-extcommunity	Controller-based	Configure import targets for the VPN instance.	N/A
vpn-target 1:50034 export-extcommunity	vpn-target 1:50034 export-extcommunity	Controller-based	Configure export targets for the VPN instance.	N/A
address-family evpn	address-family evpn	Controller-based	Enter EVPN view of the VPN instance.	N/A
vpn-target 0:50034 1:50034 import-extcommunity	vpn-target 0:50034 1:50034 import-extcommunity	Controller-based	Configure import targets for the VPN instance.	N/A
vpn-target 1:50034 export-extcommunity	vpn-target 1:50034 export-extcommunity	Controller-based	Configure export targets for the VPN instance.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
interface Vsi-interface22000	interface Vsi-interface22000	Controller-based	Create a VSI interface and enter its view.	N/A
mtu 1450	mtu 1450	Controller-based	Configure the MTU of the VSI interface.	N/A
ip binding vpn-instance admin_route1_50034	ip binding vpn-instance admin_route1_50034	Controller-based	Associate the VSI interface with the VPN instance.	N/A
ip address 121.1.0.1 255.255.0.0 sub	ip address 121.1.0.1 255.255.0.0 sub	Controller-based	Assign an IPv4 address as a gateway address to the VSI interface.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
mac-address 542b-de0c-02c9	mac-address 542b-de0c-02c9	Controller-based	Assign a MAC address to the VSI interface.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
ipv6 nd ra prefix 121:1::/64 no-advertise	ipv6 nd ra prefix 121:1::/64 no-advertise	Controller-based	Disable the device from advertising the prefix of the IPv6 gateway through RA messages.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
ipv6 address 121:1::1/64	ipv6 address 121:1::1/64	Controller-based	Assign an IPv6 address as a gateway address to the VSI interface.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
distributed-gateway local	distributed-gateway local	Controller-based	Specify the VSI interface as a distributed gateway to provide services for the local site.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
interface Vsi-interface 22001	interface Vsi-interface 22001	Controller-based	Create a VSI interface and enter its view.	N/A
mtu 1450	mtu 1450	Controller-based	Configure the MTU of the VSI interface.	N/A
ip binding vpn-instance admin_route1_50034	ip binding vpn-instance admin_route1_50034	Controller-based	Associate the VSI interface with a VPN instance.	N/A
ip address 121.2.0.1 255.255.0.0 sub	ip address 121.2.0.1 255.255.0.0 sub	Controller-based	Assign an IPv4 address as a gateway address to the VSI interface.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
mac-address 542b-de0c-02c9	mac-address 542b-de0c-02c9	Controller-based	Assign a MAC address to the VSI interface.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
ipv6 nd ra prefix 121:2::/64 no-advertise	ipv6 nd ra prefix 121:2::/64 no-advertise	Controller-based	Disable the device from advertising the prefix of the IPv6 gateway through RA messages.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
ipv6 address 121:2::1/64	ipv6 address 121:2::1/64	Controller-based	Assign an IPv6 address as a gateway address to the VSI interface.	Make sure the VSI interface has the same setting for this command on all distributed gateways.
distributed-gateway local	distributed-gateway local	Controller-based	Specify the VSI interface as a distributed gateway to provide services for the local site.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
interface Vsi-interface50034	interface Vsi-interface50034	Controller-based	Create a VSI interface and enter its view.	N/A
ip binding vpn-instance admin_route1_50034	ip binding vpn-instance admin_route1_50034	Controller-based	Associate the VSI interface with the VPN instance.	N/A
ipv6 address auto link-local	ipv6 address auto link-local	Controller-based	Automatically generate a link-local address for the VSI interface.	N/A
l3-vni 50034	l3-vni 50034	Controller-based	Assign an L3VNI to the VSI interface.	The L3VNI is shared among the VSI interfaces associated with the same VPN instance.
quit	quit	Controller-based	Exit the current view.	N/A
vsi SDN_VSI_22000	vsi SDN_VSI_22000	Controller-based	Create a VSI and enter its view.	N/A
gateway vsi-interface 22000	gateway vsi-interface 22000	Controller-based	Specify a gateway interface for the VSI.	N/A
arp suppression enable	arp suppression enable	Controller-based	Enable ARP flood suppression.	N/A
ipv6 nd suppression enable	ipv6 nd suppression enable	Controller-based	Enable ND flood suppression.	N/A
flooding disable all	flooding disable all	Controller-based	Disable flooding of local broadcast, unknown unicast, and unknown multicast traffic.	N/A
vxlan 22000	vxlan 22000	Controller-based	Create a VXLAN and enter its view.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
evpn encapsulation vxlan	evpn encapsulation vxlan	Controller-based	Create an EVPN instance and enter its view.	N/A
route-distinguisher auto	route-distinguisher auto	Controller-based	Configure the RD of the EVPN instance.	N/A
vpn-target auto	vpn-target auto	Controller-based	Configure import and export targets for EVPN.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
vsi SDN_VSI_22001	vsi SDN_VSI_22001	Controller-based	Create a VSI and enter its view.	N/A
gateway vsi-interface 22001	gateway vsi-interface 22001	Controller-based	Specify a gateway interface for the VSI.	N/A
arp suppression enable	arp suppression enable	Controller-based	Enable ARP flood suppression.	N/A
ipv6 nd suppression enable	ipv6 nd suppression enable	Controller-based	Enable ND flood suppression.	N/A
flooding disable all	flooding disable all	Controller-based	Disable flooding of local broadcast, unknown unicast, and unknown multicast traffic.	N/A
vxlan 22001	vxlan 22001	Controller-based	Create a VXLAN and enter its view.	N/A
evpn encapsulation vxlan	evpn encapsulation vxlan	Controller-based	Create an EVPN instance and enter its view.	N/A
route-distinguisher auto	route-distinguisher auto	Controller-based	Configure the RD of the EVPN instance.	N/A
vpn-target auto	vpn-target auto	Controller-based	Configure export targets for EVPN.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
vlan 21 to 22	vlan 21 to 22	Controller-based	Create VLANs.	N/A
interface Bridge-Aggregation1024	interface Bridge-Aggregation1024	Controller-based	Enter the view of the interface to be configured with ACs.	N/A
port link-type trunk	port link-type trunk	Controller-based	Set the link type of the interface to trunk.	N/A
undo port trunk permit vlan 1	undo port trunk permit vlan 1	Controller-based	Remove the trunk interface from VLAN 1.	N/A
port trunk permit vlan 21 to 22	port trunk permit vlan 21 to 22	Controller-based	Assign the trunk interface to VLAN 21 and VLAN 22.	N/A
link-aggregation mode dynamic	link-aggregation mode dynamic	Controller-based	Configure the aggregate interface to operate in dynamic mode and enable LACP.	N/A
port drni group 1024	port drni group 1024	Controller-based	Assign the interface to a DR group.	N/A
service-instance 21	service-instance 21	Controller-based	Create an Ethernet service instance and enter its view.	N/A
encapsulation s-vid 21	encapsulation s-vid 21	Controller-based	Configure the Ethernet service instance to match traffic by the outer VLAN ID.	N/A
xconnect vsi SDN_VSI_22000	xconnect vsi SDN_VSI_22000	Controller-based	Map the Ethernet service instance to the VSI created previously.	N/A
service-instance 22	service-instance 22	Controller-based	Create an Ethernet service instance and enter its view.	N/A
encapsulation s-vid 22	encapsulation s-vid 22	Controller-based	Configure the Ethernet service instance to match traffic by the outer VLAN ID.	N/A
xconnect vsi SDN_VSI_22001	xconnect vsi SDN_VSI_22001	Controller-based	Map the Ethernet service instance to the VSI created previously.	N/A

Configuring S12508X-AF or S12500G-AF switches as border devices

Procedure summary

· Configuring basic settings

· Configuring IS-IS

· Configuring STP

· Configuring the links towards the spine tier

· Configuring L2VPN

· Configuring DRNI

· Configuring the DR interfaces connected to the external network

· Configuring the DR interfaces connected to the external network firewalls

· Configuring a BGP instance

· Configuring the overlay network

Configuring basic settings

Configuring basic settings on S12500X-AF switches

Border 1	Border 2	Configuration method	Description	Purpose	Remarks
vxlan ip-forwarding tagged	vxlan ip-forwarding tagged	Manual	Enable Layer 3 forwarding for all VXLANs.	Enable VXLAN tunnels to forward VLAN tagged packets.	You must delete all VSIs, VSI interfaces, and VXLAN tunnel interfaces before you can change the forwarding mode.
routing-interface base-mac 542b-de0c-0264	routing-interface base-mac 542b-de0c-0200	Manual	Configure the base MAC address.	Configure the start MAC address of the consecutive MAC addresses that are reserved for system use.	You must configure the base MAC address prior to the subsequent settings.

Configuring basic settings on S12500G-AF switches

Border 1	Border 2	Configuration method	Description	Purpose	Remarks
hardware-resource vxlan L3GW	hardware-resource vxlan L3GW	Manual	Set the VXLAN hardware resource mode to Layer 3 gateway.	Enable the device to perform VXLAN Layer 2 and Layer 3 forwarding.	Save the configuration and reboot the device for this command to take effect.
hardware-resource routing-mode ipv6-128	hardware-resource routing-mode ipv6-128	Manual	Enable support for IPv6 routes with prefixes longer than 64 bits.	N/A	Save the configuration and reboot the device for this command to take effect.

Configuring IS-IS

Border 1	Border 2	Configuration method	Description	Purpose	Remarks
vlan all	vlan all	Manual	Create a VLAN.	N/A	N/A
router id 5.1.1.7	router id 5.1.1.9	Manual	Configure the global router ID.	N/A	N/A
isis 1	isis 1	Manual	Enter IS-IS view.	N/A	N/A
non-stop-routing	non-stop-routing	Manual	Enable IS-IS NSR.	Avoid forwarding interruption on the DR system.	N/A
is-level level-2	is-level level-2	Manual	Specify the IS level.	If the only area is an IP network, configure all the routers as Level-2 for scalability.	N/A
cost-style wide	cost-style wide	Manual	Set the cost style to wide.	Enable the device to receive wide cost style packets.	N/A
timer spf 1 500 10	timer spf 1 500 10	Manual	Set the maximum SPF calculation interval to 1 second, minimum SPF calculation interval to 500 milliseconds, and incremental SPF calculation interval to 10 milliseconds.	Reduce the interval between two SPF calculations and speed up convergence.	N/A
timer lsp-max-age 65535	timer lsp-max-age 65535	Manual	Set the LSP maximum age in the LSDB to 65535 seconds.	A large LSP maximum age reduces LSP floods. Any LSP with an age of 0 is deleted from the LSDB.	N/A
timer lsp-refresh 65000	timer lsp-refresh 65000	Manual	Set the LSP refresh interval to 65000 seconds.	A large refresh interval reduces LSP refreshes and saves bandwidth.	N/A
timer lsp-generation 1 10 10	timer lsp-generation 1 10 10	Manual	Set the maximum interval to 1 second, minimum interval to 10 milliseconds, and incremental interval to 10 milliseconds for LSP generation.	Speed up LSP generation and routing convergence upon network topology changes.	N/A
set-overload on-startup 770	set-overload on-startup 770	Manual	Set the overload bit for 770 seconds upon system startup.	Delay VRRP address advertisement after system startup to reduce traffic loss during fallback.	N/A
network-entity 51.0000.0005.0007.00	network-entity 51.0000.0005.0009.00	Manual	Configure the NET for an IS-IS process.	N/A	N/A
address-family ipv4 unicast	address-family ipv4 unicast	Manual	Enter IS-IS IPv4 address family view.	N/A	N/A
fast-reroute lfa	fast-reroute lfa	Manual	Configure IS-IS FRR.	Enable IS-IS to calculate backup next hops for all Level-2 routes to reduce traffic interruption upon link or device failure.	N/A
import-route direct	import-route direct	Manual	Redistribute direct VRRP routes.	Use this command together with the set-overload command to delay VRRP route advertisement after system startup to optimize route convergence upon fallback.	N/A
quit	quit	Manual	Exit the current view.	N/A	N/A
interface LoopBack0	interface LoopBack0	Manual	Create Loopback 0 and enter its view.	N/A	N/A
ip address 5.1.1.7 255.255.255.255	ip address 5.1.1.9 255.255.255.255	Manual	Assign an IP address to the interface.	Configure the VTEP IP address.	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
quit	quit	Manual	Exit the current view.	N/A	N/A
interface LoopBack100	interface LoopBack100	Manual	Create Loopback 100 and enter its view.	N/A	N/A
ip address 100.100.100.100 255.255.255.255	ip address 100.100.100.100 255.255.255.255	Manual	Assign an IP address to the interface.	Configure the virtual VTEP IP address.	Disable IS-IS on the interface for IS-IS to redistribute direct routes to speed up fallback and convergence after a border device reboots.
quit	quit	Manual	Exit the current view.	N/A	N/A
interface Vlan-interface 1000	interface Vlan-interface 1000	Manual	Create VLAN-interface 1000.	Create the VLAN interface for the VLAN used for communicating with the DR peer. When the uplink interface fails, the device forwards the packets received on the DR interfaces to the DR peer for Layer 3 forwarding.	N/A
ip address 100.1.1.1 255.255.255.0	ip address 100.1.1.2 255.255.255.0	Manual	Assign an IP address to the interface.	N/A	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
isis circuit-type p2p	isis circuit-type p2p	Manual	Set the network type of the interface to P2P.	If only two routers exist on a broadcast network, set the network type of attached interfaces to P2P to avoid DIS election and CSNP flooding. This saves network bandwidth and speeds up network convergence.	N/A
isis peer hold-max-cost duration 20000	isis peer hold-max-cost duration 20000	Manual	Enable IS-IS to advertise the maximum link cost to neighbors within 20000 milliseconds.	N/A	Execute this command at both ends of a link.
quit	quit	Manual	Exit the current view.	N/A	N/A

NOTE:

Configuring STP

Border 1	Border 2	Configuration method	Description
stp global enable	stp global enable	Manual	Enable spanning tree globally.

NOTE:

Make sure the DR member devices have the same spanning tree configuration, including:

· Global spanning tree configuration.

· Spanning tree configuration on the IPP.

· Spanning tree configuration on DR interfaces.

Violation of this rule might cause network flapping. IPPs in the DR system do not participate in spanning tree calculation.

Configuring the links towards the spine tier

Border 1	Border 2	Configuration method	Description	Purpose	Remarks
interface HundredGigE1/0/16	interface HundredGigE1/0/13	Manual	Configure the interface connected to Spine 1.	N/A	N/A
port link-mode route	port link-mode route	Manual	Configure the Ethernet interface to work in Layer 3 mode.	N/A	N/A
ip address 6.1.1.34 255.255.255.252	ip address 6.1.1.38 255.255.255.252	Manual	Assign an IP address to the interface.	N/A	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
isis circuit-type p2p	isis circuit-type p2p	Manual	Set the network type of the interface to P2P.	If only two routers exist on a broadcast network, set the network type of attached interfaces to P2P to avoid DIS election and CSNP flooding. This saves network bandwidth and speeds up network convergence.	N/A
isis peer hold-max-cost duration 20000	isis peer hold-max-cost duration 20000	Manual	Enable IS-IS to advertise the maximum link cost to neighbors within 20000 milliseconds.	N/A	N/A
quit	quit	Manual	Exit the current view.	N/A	N/A
interface HundredGigE1/0/12	interface HundredGigE1/0/1	Manual	Configure the interface connected to Spine 1.	N/A	N/A
port link-mode route	port link-mode route	Manual	Configure the Ethernet interface to work in Layer 3 mode.	N/A	N/A
ip address 6.1.1.42 255.255.255.252	ip address 6.1.1.46 255.255.255.252	Manual	Assign an IP address to the interface.	N/A	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
isis circuit-type p2p	isis circuit-type p2p	Manual	Set the network type of the interface to P2P.	If only two routers exist on a broadcast network, set the network type of attached interfaces to P2P to avoid DIS election and CSNP flooding. This saves network bandwidth and speeds up network convergence.	N/A
isis peer hold-max-cost duration 20000	isis peer hold-max-cost duration 20000	Manual	Enable IS-IS to advertise the maximum link cost to neighbors within 20000 milliseconds.	N/A	N/A
quit	quit	Manual	Exit the current view.	N/A	N/A

Configuring L2VPN

Border 1	Border 2	Configuration method	Description	Purpose	Remarks
l2vpn enable	l2vpn enable	Manual	Enable L2VPN.	N/A	N/A
l2vpn statistics interval 30	l2vpn statistics interval 30	Manual	Set the interval for collecting L2VPN statistics to 30 seconds.	Configure this setting according to the gRPC report interval.	N/A
l2vpn drni peer-link tunnel source 5.1.1.9 destination 5.1.1.7	l2vpn drni peer-link tunnel source 5.1.1.7 destination 5.1.1.9	Manual	Enable the device to automatically set up a VXLAN tunnel with the peer DR member device.	N/A	Execute this command only on S12500X-AF switches.
vxlan tunnel arp-learning disable	vxlan tunnel arp-learning disable	Manual	Disable remote ARP learning.	Execute this command if a controller issues forwarding entries to the device to save resources.	N/A
vxlan tunnel nd-learning disable	vxlan tunnel nd-learning disable	Manual	Disable remote ND learning.	Execute this command if a controller issues forwarding entries to the device to save resources.	N/A
vxlan tunnel mac-learning disable	vxlan tunnel mac-learning disable	Manual	Disable remote-MAC address learning.	Execute this command if a controller issues forwarding entries to the device to save resources.	N/A
vxlan default-decapsulation source interface LoopBack100	vxlan default-decapsulation source interface LoopBack100	Manual	Enable default VXLAN decapsulation on the packets destined for the VTEP IP address.	N/A	N/A
mac-address timer aging 900	mac-address timer aging 900	Manual	Set the aging time to 900 seconds for dynamic MAC address entries.	Increase this timer to ensure forwarding entry synchronization is finished in time after the DR peer restarts.	This setting must be consistent on the DR member devices in the same DR system.
mac-address mac-learning ingress	mac-address mac-learning ingress	Manual	Configure the device to learn MAC addresses at ingress.	N/A	Execute this command only on S12500X-AF switches.
ipv6 neighbor stale-aging 1440	ipv6 neighbor stale-aging 1440	Manual	Set the aging timer for ND entries in stale state to 1440 minutes.	Increase this timer to ensure forwarding entry synchronization is finished in time after the DR peer restarts.	This setting must be consistent on the DR member devices in the same DR system.
arp timer aging 1440	arp timer aging 1440	Manual	Set the aging timer for dynamic ARP entries to 1440 minutes.	Increase this timer to ensure forwarding entry synchronization is finished in time after the DR peer restarts.	This setting must be consistent on the DR member devices in the same DR system.
arp forwarding-conversational-learning	arp forwarding-conversational-learning	Manual	Enable conversational learning for remote ARP entries.	Save forwarding entry resources.	Execute this command only on S12500X-AF switches. Execute this command only when EVPN is configured.
ip forwarding-conversational-learning	ip forwarding-conversational-learning	Manual	Enable conversational learning for IPv4 host route FIB entries.	Save forwarding entry resources.	Execute this command only on S12500G-AF switches. Execute this command only when EVPN is configured.
ipv6 forwarding-conversational-learning	ipv6 forwarding-conversational-learning	Manual	Enable conversational learning for IPv6 host route FIB entries.	Save forwarding entry resources.	Execute this command only on S12500G-AF switches. Execute this command only when EVPN is configured.

NOTE:

An S12500X-AF or S12500G-AF switch learns MAC addresses at egress by default. If you enable the switch to learn MAC addresses at ingress, the DR peer will send the MAC addresses entries for the firewalls to that switch once the local DR interface of the switch comes up. if the member ports of the local DR interface exit DRNI MAD DOWN state, MAC address entry changes will trigger ARP migration, and ARP entries will be moved from the IPP to the DR interface.

Configuring DRNI

Border 1	Border 2	Configuration method	Description	Purpose	Remarks
ip vpn-instance management	ip vpn-instance management	Manual	Create a VPN for the management Ethernet interface.	N/A	This command is optional.
interface M-GigabitEthernet0/0/1	interface M-GigabitEthernet0/0/1	Manual	Enter the view of the management Ethernet interface.	N/A	-
ip binding vpn-instance management	ip binding vpn-instance management	Manual	Assign the management Ethernet interface to the VPN.	N/A	Assign the management Ethernet interface to a VPN as needed.
ip address 192.1.2.74 255.255.255.0	ip address 192.1.2.100 255.255.255.0	Manual	Configure a management IP address.	N/A	N/A
quit	quit	Manual	Exit the view of the management Ethernet interface.	N/A	N/A
drni restore-delay 450	drni restore-delay 450	Manual	Set the data restoration interval.	Ensure that entry synchronization is finished before interfaces are brought up.	N/A
drni role priority 100	drni role priority 101	Manual	Set the DR role priority of the device.	N/A	A DR member device is assigned the primary or secondary role based on its DR role priority. The lower the priority value, the higher the priority.
drni system-mac 542b-de0c-0200	drni system-mac 542b-de0c-0200	Manual	Configure the DR system MAC address.	N/A	The DR system MAC address uniquely identifies the DR system on the network. For the DR member devices to be identified as one DR system, you must configure the same DR system MAC address on them.
drni system-number 2	drni system-number 1	Manual	Set the DR system number.	N/A	You must assign different DR system numbers to the DR member devices in a DR system.
drni system-priority 10000	drni system-priority 10000	Manual	Set the DR system priority.	N/A	This command is optional. You must configure the same DR system priority for the DR member devices in a DR system. The default DR system priority is 32768. The smaller the priority value, the higher the priority.
drni mad default-action none	drni mad default-action none	Manual	Set the default DRNI MAD action to NONE.	N/A	N/A
drni keepalive ip destination 192.1.2.100 source 192.1.2.74 vpn-instance management	drni keepalive ip destination 192.1.2.74 source 192.1.2.100 vpn-instance management	Manual	Configure DR keepalive packet parameters.	Use the management Ethernet interface to set up the keepalive link. This interface is excluded from the DRNI MAD DOWN action.	You do not need to specify a VPN instance if the interface does not belong to any VPN instance. If the interface that owns the source IP address is not excluded from the DRNI MAD DOWN action, exclude it from that action.
drni mad include interface HundredGigE2/0/5	drni mad include interface HundredGigE2/0/5	Manual	Enable DRNI to shut down the interface connected to the C-spine device when the DR system splits.	N/A	N/A
drni mad include interface HundredGigE1/0/12	drni mad include interface HundredGigE1/0/1	Manual	Enable DRNI to shut down the interface connected to a spine device when the DR system splits.	N/A	N/A
drni mad include interface HundredGigE1/0/16	drni mad include interface HundredGigE1/0/13	Manual	Enable DRNI to shut down an interface when the DR system splits.	N/A	N/A
evpn drni group 100.100.100.100	evpn drni group 100.100.100.100	Manual	Enable EVPN distributed relay and specify the virtual VTEP address.	N/A	N/A
evpn global-mac 542b-de0c-0201	evpn global-mac 542b-de0c-0201	Manual	Configure the EVPN global MAC address.	N/A	You must specify the same EVPN global MAC address on the devices in the same DR system. Do not use a reserved MAC address as the EVPN global MAC address.
interface Bridge-Aggregation1	interface Bridge-Aggregation1	Manual	Create Bridge-Aggregation 1 which will be the IPP.	N/A	N/A
quit	quit	Manual	Exit the current view.	N/A	N/A
interface HundredGigE2/0/21	interface HundredGigE2/0/7	Manual	Enter interface view.	N/A	N/A
port link-aggregation group 1	port link-aggregation group 1	Manual	Assign the interface to the aggregation group for the IPP.	N/A	N/A
quit	quit	Manual	Exit the current view.	N/A	N/A
interface HundredGigE3/0/36	interface HundredGigE3/0/36	Manual	Enter interface view.	N/A	N/A
port link-aggregation group 1	port link-aggregation group 1	Manual	Assign the interface to the aggregation group for the IPP.	N/A	N/A
quit	quit	Manual	Exit the current view.	N/A	N/A
interface Bridge-Aggregation1	interface Bridge-Aggregation1	Manual	Enter aggregate interface view.	N/A	N/A
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual	Configure the aggregate interface to operate in dynamic mode and enable LACP.	N/A	N/A
port drni intra-portal-port 1	port drni intra-portal-port 1	Manual	Configure the interface as the IPP.	N/A	N/A
port trunk pvid vlan 4094	port trunk pvid vlan 4094	Manual	Assign the interface as a trunk port to VLAN 4094.	Prevent the IPL from forwarding the VLAN traffic that erroneously matches dynamic ACs.	N/A
l2vpn drni peer-link ac-match-rule vxlan-mapping	l2vpn drni peer-link ac-match-rule vxlan-mapping	Manual	Enable the device to create frame match criteria based on VXLAN IDs for the dynamic ACs on the Ethernet aggregate link IPL.	N/A	Execute this command only on S12500G-AF switches.

NOTE:

Configuring the DR interfaces connected to the external network

Border 1	Border 2	Configuration method	Description
interface Bridge-Aggregation4	interface Bridge-Aggregation4	Manual	Create Bridge-Aggregation 4.
port link-type trunk	port link-type trunk	Manual	Configure link type as trunk.
undo port trunk permit vlan 1	undo port trunk permit vlan 1	Manual	Remove the trunk interface from VLAN 1.
port trunk permit vlan 4089	port trunk permit vlan 4089	Manual	Configure the trunk interface to permit the VLAN of the external network.
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual	Set the aggregation mode to dynamic.
port drni group 4	port drni group 4	Manual	Assign the interface to DR group 4.
interface HundredGigE3/0/24	interface HundredGigE3/0/24	Manual	Enter the view of an aggregation member port.
port link-type trunk	port link-type trunk	Manual	Configure link type as trunk.
undo port trunk permit vlan 1	undo port trunk permit vlan 1	Manual	Remove the trunk interface from VLAN 1.
port trunk permit vlan 4089	port trunk permit vlan 4089	Manual	Configure the trunk interface to permit the VLAN of the external network.
port link-aggregation group 4	port link-aggregation group 4	Manual	Assign the interface to aggregation group 4.
quit	quit	Manual	Exit the current view.

Configuring the DR interfaces connected to the external network firewalls

Border 1	Border 2	Configuration method	Description	Remarks
interface Bridge-Aggregation10	interface Bridge-Aggregation10	Manual	Create the aggregate interface to be assigned to DR group 10.	N/A
port link-type trunk	port link-type trunk	Manual	Configure the interface as a trunk interface.	N/A
undo port trunk permit vlan 1	undo port trunk permit vlan 1	Manual	Remove the interface from VLAN 1.	N/A
port trunk permit vlan 4089	port trunk permit vlan 4089	Manual	Configure the trunk interface to permit the VLAN of the external network.	N/A
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual	Configure the aggregate interface to operate in dynamic mode.	N/A
port drni group 10	port drni group 10	Manual	Assign the aggregate interface to DR group 10.	N/A
interface Bridge-Aggregation20	interface Bridge-Aggregation20	Manual	Create the aggregate interface to be assigned to DR group 20.	N/A
port link-type trunk	port link-type trunk	Manual	Configure the interface as a trunk interface.	N/A
undo port trunk permit vlan 1	undo port trunk permit vlan 1	Manual	Remove the interface from VLAN 1.	N/A
port trunk permit vlan 2000 to 2100	port trunk permit vlan 2000 to 2100	Manual	Configure the trunk interface to permit the VLANs of the tenant network.	Configure VLAN settings according to the planned configuration on the controller.
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual	Configure the aggregate interface to operate in dynamic mode.	N/A
port drni group 20	port drni group 20	Manual	Assign the aggregate interface to DR group 20.	N/A
interface HundredGigE2/0/27	interface HundredGigE2/0/27	Manual	Enter the view of the member port in the DR group 10.	N/A
port link-type trunk	port link-type trunk	Manual	Configure link type as trunk.	N/A
undo port trunk permit vlan 1	undo port trunk permit vlan 1	Manual	Remove the trunk interface from VLAN 1.	N/A
port trunk permit vlan 4089	port trunk permit vlan 4089	Manual	Configure the trunk interface to permit the VLAN of the external network.	N/A
port link-aggregation group 10	port link-aggregation group 10	Manual	Assign the aggregate interface to DR group 10.	N/A
interface HundredGigE2/0/11	interface HundredGigE2/0/29	Manual	Enter the view of the member port in the DR group 20.	N/A
port link-type trunk	port link-type trunk	Manual	Configure link type as trunk.	N/A
port trunk permit vlan 2000 to 2100	port trunk permit vlan 2000 to 2100	Manual	Remove the trunk interface from VLAN 1.	N/A
port link-aggregation group 20	port link-aggregation group 20	Manual	Assign the aggregate interface to DR group 20.	N/A
quit	quit	Manual	Exit the current view.	N/A

Configuring a BGP instance

Border 1	Border 2	Configuration method	Description	Purpose	Remarks
route-policy 1 permit node 1	route-policy 1 permit node 1	Manual	Create a routing policy.	N/A	These settings are used for direct communication with the external network upon border device failure. You can execute these commands as needed.
apply ip-address next-hop 5.1.1.7	apply ip-address next-hop 5.1.1.9	Manual	Set the next hop to the real IP address of the device.	Set up a tunnel used for communication upon border device failure.
apply local-preference 50	apply local-preference 50	Manual	Set the local preference of advertised BGP routes to 50.	Optimize the route pointing to the DR peer upon border device failure.
quit	quit	Manual	Exit the current view.	N/A	N/A
bgp 400	bgp 400	Manual	Enable a BGP instance and enter its view.	N/A	N/A
non-stop-routing	non-stop-routing	Manual	non-stop-routing	non-stop-routing	N/A
router-id 5.1.1.7	router-id 5.1.1.9	Manual	Configure a route ID.	N/A	N/A
group evpn internal	group evpn internal	Manual	Create an IBGP peer group.	N/A	Use evpn as the name of the IBGP peer group.
peer evpn connect-interface LoopBack0	peer evpn connect-interface LoopBack0	Manual	Specify a source interface for establishing TCP links towards the peer group.	N/A	N/A
peer evpn route-update-interval 0	peer evpn route-update-interval 0	Manual	Specify an interval for sending the same update to the peer group.	Enable the device to fast send update to the peer group upon route changes to speed up route convergence after a DR primary/secondary switchover occurs.	Execute this command only for IBGP peers.
group pod1 external	group pod1 external	Manual	Create an EBGP peer group.	N/A	Perform this task on EDs.
peer pod1 as-number 100	peer pod1 as-number 100	Manual	Configure the AS number of the peer group.	N/A	Perform this task on EDs.
peer pod1 connect-interface LoopBack0	peer pod1 connect-interface LoopBack0	Manual	Specify a source interface for establishing TCP links towards the peer group.	N/A	Perform this task on EDs.
peer pod1 ebgp-max-hop 64	peer pod1 ebgp-max-hop 64	Manual	Enable BGP to establish an EBGP session to the indirectly connected peer group and specify the maximum hop count.	N/A	Perform this task on EDs.
group taosheng internal	group taosheng internal	Manual	Configure a peer group used for permitting traffic to the DR peer upon border device failure.	N/A	N/A
peer taosheng connect-interface LoopBack0	peer taosheng connect-interface LoopBack0	Manual	Specify a source interface for establishing TCP connections to the fail-permit peer group.	N/A	N/A
peer 2.1.1.7 group pod1	peer 2.1.1.7 group pod1	Manual	Assign a peer to the peer group.	N/A	Perform this task on EDs.
peer 5.1.1.6 group evpn	peer 5.1.1.6 group evpn	Manual	Assign a peer to the peer group.	N/A	N/A
peer 5.1.1.7 group taosheng	peer 5.1.1.9 group taosheng	Manual	Assign the peer border device to the fail-permit peer group.	N/A	N/A
peer 5.1.1.8 group evpn	peer 5.1.1.8 group evpn	Manual	Assign a peer to the peer group.	N/A	N/A
peer 16.16.16.16 group pod1	peer 16.16.16.16 group pod1	Manual	Assign a peer to the peer group.	N/A	Perform this task on EDs.
address-family l2vpn evpn	address-family l2vpn evpn	Manual	Create BGP EVPN address family and enter its view.	N/A	N/A
nexthop evpn-drni group-address	nexthop evpn-drni group-address	Manual	Set the next hop of advertised EVPN routes to the virtual VTEP address of the DR system.	Enable the device to advertise EVPN routes whose next hop is the virtual VTEP address of the DR system.	N/A
peer evpn enable	peer evpn enable	Manual	Enable the device to exchange routes with the IBGP peer group.	N/A	N/A
peer evpn next-hop-local	peer evpn next-hop-local	Manual	Set the local router as the next hop for routes sent to the IBGP peer group.	Enable the peer group to reach the local router.	N/A
peer evpn re-originated replace-rt	peer evpn re-originated replace-rt	Manual	Replace the route targets of IP prefix advertisement routes received from the IBGP peer group.	N/A	N/A
peer evpn re-originated mac-ip replace-rt	peer evpn re-originated mac-ip replace-rt	Manual	Replace the route targets of MAC/IP advertisement routes received from the IBGP peer group.	N/A	N/A
peer evpn re-originated imet replace-rt	peer evpn re-originated imet replace-rt	Manual	Replace the route targets of IMET routes received from the IBGP peer group.	N/A	N/A
peer pod1 enable	peer pod1 enable	Manual	Enable the device to exchange routes with the EBGP peer group.	N/A	Perform this task on EDs.
peer pod1 router-mac-local dci	peer pod1 router-mac-local dci	Manual	Enable route router MAC replacement for the peer group and set up VXLAN-DCI tunnels with the EBGP peer group..	Set up VXLAN-DCI tunnels with the peer group to speed up route convergence upon public-side link flapping.	You do not need to execute the dci enable command to set up VXLAN-DCI tunnels. Perform this task on EDs.
peer pod1 re-originated replace-rt	peer pod1 re-originated replace-rt	Manual	Replace the route targets of BGP EVPN routes received from the EBGP peer group.	Enable inter-data center route exchange.	Perform this task on EDs.
peer pod1 re-originated mac-ip replace-rt	peer pod1 re-originated mac-ip replace-rt	Manual	Replace the route targets of MAC/IP advertisement routes received from the EBGP peer group.	N/A	Perform this task on EDs.
peer pod1 re-originated imet replace-rt	peer pod1 re-originated imet replace-rt	Manual	Replace the route targets of IMET routes received from the EBGP peer group.	N/A	Perform this task on EDs.
peer taosheng enable	peer taosheng enable	Manual	Enable the device to exchange routes with the fail-permit peer group.	N/A	These settings are used for direct communication with the external network upon border device failure. You can execute these commands as needed.
peer taosheng route-policy 1 export	peer taosheng route-policy 1 export	Manual	Apply the routing policy created previously to the outbound direction.	N/A
peer taosheng advertise evpn-route suppress mac-ip	peer taosheng advertise evpn-route suppress mac-ip	Manual	Disable advertising MAC/IP advertisement routes to the fail-permit peer group.	Prevent inter-data center Layer 2 traffic from being forwarded over the fail-permit tunnel.
peer taosheng advertise vpn-reoriginate ibgp	peer taosheng advertise vpn-reoriginate ibgp	Manual	Enable advertising the EVPN routes reoriginated in VPN instances to IBGP peer.	N/A

Configuring the overlay network

Border 1	Border 2	Configuration method	Description	Purpose	Remarks
ip vpn-instance external_vpn_123	ip vpn-instance external_vpn_123	Controller-based	Create a VPN instance on the private network.	N/A	These settings are used for direct communication with the external network upon border device failure. You can execute these commands as needed.
route-distinguisher 5:50035	route-distinguisher 5:50035	Controller-based	Configure an RD for the VPN instance.	N/A
bgp 400	bgp 400	Controller-based	Start a BGP instance.	N/A
ip vpn-instance external_vpn_123	ip vpn-instance external_vpn_123	Controller-based	Enter the view of the VPN instance on the private network.	N/A
address-family ipv4 unicast	address-family ipv4 unicast	Controller-based	Enter BGP-VPN IPv4 unicast address family view.	N/A
balance 4	balance 4	Controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
advertise route-reoriginate replace-rt	advertise route-reoriginate replace-rt	Controller-based	Reoriginate the BGP unicast routes from other VPN instances and change the route target attribute of reoriginated routes to that of the current VPN instance.	N/A
network 123.0.0.0 255.255.255.0	network 123.0.0.0 255.255.255.0	Controller-based	Configure BGP to advertise a local network.	N/A
network 123.0.0.1 255.255.255.255	network 123.0.0.1 255.255.255.255	Controller-based	Configure BGP to advertise a local network.	N/A
quit	quit	Controller-based	Exit the current view.	N/A
address-family ipv6 unicast	address-family ipv6 unicast	Controller-based	Enter BGP-VPN IPv6 unicast address family view.	N/A
balance 4	balance 4	Controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
advertise route-reoriginate replace-rt	advertise route-reoriginate replace-rt	Controller-based	Reoriginate the BGP unicast routes from other VPN instances and change the route target attribute of reoriginated routes to that of the current VPN instance.	N/A
network 2123:: 64	network 2123:: 64	Controller-based	Configure BGP to advertise a local network.	N/A
network 2123::1 128	network 2123::1 128	Controller-based	Configure BGP to advertise a local network.	N/A
quit	quit	Controller-based	Exit the current view.	N/A	N/A
quit	quit	Controller-based	Exit the current view.	N/A	N/A
quit	quit	Controller-based	Exit the current view.	N/A	N/A
ip vpn-instance admin_route1_50034	ip vpn-instance admin_route1_50034	Controller-based	Create a VPN instance on the private network.	N/A	N/A
route-distinguisher 5:50034	route-distinguisher 5:50034	Controller-based	Configure the RD of the VPN instance.	N/A	N/A
address-family ipv4	address-family ipv4	Controller-based	Enter IPv4 address family view of the VPN instance.	N/A	N/A
vpn-target 0:50034 1:50034 import-extcommunity	vpn-target 0:50034 1:50034 import-extcommunity	Controller-based	Configure import route targets for the VPN instance.	N/A	N/A
vpn-target 1:50034 export-extcommunity	vpn-target 1:50034 export-extcommunity	Controller-based	Configure export route targets for the VPN instance.	N/A	N/A
address-family ipv6	address-family ipv6	Controller-based	Enter IPv6 address family view of the VPN instance.	N/A	N/A
vpn-target 0:50034 1:50034 import-extcommunity	vpn-target 0:50034 1:50034 import-extcommunity	Controller-based	Configure import route targets for the VPN instance.	N/A	N/A
vpn-target 1:50034 export-extcommunity	vpn-target 1:50034 export-extcommunity	Controller-based	Configure export route targets for the VPN instance.	N/A	N/A
address-family evpn	address-family evpn	Controller-based	Enter EVPN address family view of the VPN instance.	N/A	N/A
vpn-target 0:50034 1:50034 import-extcommunity	vpn-target 0:50034 1:50034 import-extcommunity	Controller-based	Configure import route targets for the VPN instance.	N/A	N/A
vpn-target 1:50034 export-extcommunity	vpn-target 1:50034 export-extcommunity	Controller-based	Configure export route targets for the VPN instance.	N/A	N/A
quit	quit	Controller-based		N/A	N/A
interface Vsi-interface 22000	interface Vsi-interface 22000	Controller-based	Create a VSI interface and enter its view.	N/A	N/A
mtu 1450	mtu 1450	Controller-based	Configure the MTU.	N/A	N/A
ip binding vpn-instance admin_route1_50034	ip binding vpn-instance admin_route1_50034	Controller-based	Associate the VSI interface with the VPN instance.	N/A	N/A
ip address 121.1.0.1 255.255.0.0 sub	ip address 121.1.0.1 255.255.0.0 sub	Controller-based	Assign an IPv4 address as a gateway address to the VSI interface.	N/A	Make sure the VSI interface has the same setting for this command on all distributed gateways.
mac-address 542b-de0c-02c9	mac-address 542b-de0c-02c9	Controller-based	Assign a MAC address to the VSI interface.	N/A	Make sure the VSI interface has the same setting for this command on all distributed gateways.
ipv6 nd ra prefix 121:1::/64 no-advertise	ipv6 nd ra prefix 121:1::/64 no-advertise	Controller-based	Disable the device from advertising the prefix of the IPv6 gateway through RA messages.	N/A	Make sure the VSI interface has the same setting for this command on all distributed gateways.
ipv6 address 121:1::1/64	ipv6 address 121:1::1/64	Controller-based	Assign an IPv6 address as a gateway address to the VSI interface.	N/A	Make sure the VSI interface has the same setting for this command on all distributed gateways.
distributed-gateway local	distributed-gateway local	Controller-based	Specify the VSI interface as a distributed gateway to provide services for the local site.	N/A	N/A
quit	quit	Controller-based	Exit the current view.	N/A	N/A
interface Vsi-interface 22001	interface Vsi-interface 22001	Controller-based	Create a VSI interface and enter its view.	N/A	N/A
mtu 1450	mtu 1450	Controller-based	Configure the MTU.	N/A	N/A
ip binding vpn-instance admin_route1_50034	ip binding vpn-instance admin_route1_50034	Controller-based	Associate the VSI interface with a VPN instance.	N/A	N/A
ip address 121.2.0.1 255.255.0.0 sub	ip address 121.2.0.1 255.255.0.0 sub	Controller-based	Assign an IPv4 address as a gateway address to the VSI interface.	N/A	Make sure the VSI interface has the same setting for this command on all distributed gateways.
mac-address 542b-de0c-02c9	mac-address 542b-de0c-02c9	Controller-based	Assign a MAC address to the VSI interface.	N/A	Make sure the VSI interface has the same setting for this command on all distributed gateways.
ipv6 nd ra prefix 121:2::/64 no-advertise	ipv6 nd ra prefix 121:2::/64 no-advertise	Controller-based	Disable the device from advertising the prefix of the IPv6 gateway through RA messages.	N/A	Make sure the VSI interface has the same setting for this command on all distributed gateways.
ipv6 address 121:2::1/64	ipv6 address 121:2::1/64	Controller-based	Assign an IPv6 address as a gateway address to the VSI interface.	N/A	Make sure the VSI interface has the same setting for this command on all distributed gateways.
distributed-gateway local	distributed-gateway local	Controller-based	Specify the VSI interface as a distributed gateway to provide services for the local site.	N/A	N/A
quit	quit	Controller-based	Exit the current view.	N/A	N/A
interface Vsi-interface 50034	interface Vsi-interface 50034	Controller-based	Create a VSI interface and enter its view.	N/A	N/A
ip binding vpn-instance admin_route1_50034	ip binding vpn-instance admin_route1_50034	Controller-based	Bind the VSI interface to the VPN instance.	N/A	N/A
ipv6 address auto link-local	ipv6 address auto link-local	Controller-based	Automatically generate a link-local address for the VSI interface.	N/A	N/A
l3-vni 50034	l3-vni 50034	Controller-based	Assign an L3VNI to the VSI interface.	N/A	The L3VNI is shared among the VSI interfaces associated with the same VPN instance.
quit	quit	Controller-based	Exit the current view.	N/A	N/A
vsi SDN_VSI_22000	vsi SDN_VSI_22000	Controller-based	Create a VSI and enter its view.	N/A	N/A
gateway vsi-interface 22000	gateway vsi-interface 22000	Controller-based	Specify a gateway interface for the VSI.	N/A	N/A
arp suppression enable	arp suppression enable	Controller-based	Enable ARP flood suppression.	N/A	N/A
ipv6 nd suppression enable	ipv6 nd suppression enable	Controller-based	Enable ND flood suppression.	N/A	N/A
flooding disable all	flooding disable all	Controller-based	Disable flooding of local broadcast, unknown unicast, and unknown multicast traffic.	N/A	N/A
vxlan 22000	vxlan 22000	Controller-based	Create a VXLAN and enter its view.	N/A	N/A
quit	quit	Controller-based	Exit the current view.	N/A	N/A
evpn encapsulation vxlan	evpn encapsulation vxlan	Controller-based	Create an EVPN instance and enter its view.	N/A	N/A
route-distinguisher auto	route-distinguisher auto	Controller-based	Configure the RD of the EVPN instance.	N/A	N/A
vpn-target auto	vpn-target auto	Controller-based	Configure import and export route targets for EVPN.	N/A	N/A
quit	quit	Controller-based	Exit the current view.	N/A	N/A
vsi SDN_VSI_22005	vsi SDN_VSI_22005	Controller-based	Create a VSI and enter its view.	N/A	N/A
gateway vsi-interface 22005	gateway vsi-interface 22005	Controller-based	Specify a gateway interface for the VSI.	N/A	N/A
arp suppression enable	arp suppression enable	Controller-based	Enable ARP flood suppression.	N/A	N/A
ipv6 nd suppression enable	ipv6 nd suppression enable	Controller-based	Enable ND flood suppression.	N/A	N/A
flooding disable all	flooding disable all	Controller-based	Disable flooding of local broadcast, unknown unicast, and unknown multicast traffic.	N/A	N/A
vxlan 22005	vxlan 22005	Controller-based	Create a VXLAN and enter its view.	N/A	N/A
evpn encapsulation vxlan	evpn encapsulation vxlan	Controller-based	Create an EVPN instance and enter its view.	N/A	N/A
route-distinguisher auto	route-distinguisher auto	Controller-based	Configure the RD of the EVPN instance.	N/A	N/A
vpn-target auto	vpn-target auto	Controller-based	Configure import and export route targets for EVPN.	N/A	N/A
mapping vni 123123	mapping vni 123123	Controller-based	Map the local VXLAN to a remote VXLAN.	Enable Layer 2 communication between data centers.	Perform this task on EDs.
quit	quit	Controller-based	Exit the current view.	N/A	N/A
vsi SDN_VSI_123123	vsi SDN_VSI_123123	Controller-based	Create a VSI.	Enable Layer 2 communication between data centers.	Perform this task on EDs.
vxlan 123123	vxlan 123123	Controller-based	Create a VXLAN and enter its view.	N/A	Perform this task on EDs.
evpn encapsulation vxlan	evpn encapsulation vxlan	Controller-based	Create an EVPN instance and enter its view.	N/A	Perform this task on EDs.
route-distinguisher auto	route-distinguisher auto	Controller-based	Configure the RD.	N/A	Perform this task on EDs.
vpn-target 123123:1 export-extcommunity	vpn-target 123123:1 export-extcommunity	Controller-based	Configure export route targets for EVPN.	N/A	Perform this task on EDs.
vpn-target 123123:1 import-extcommunity	vpn-target 123123:1 import-extcommunity	Controller-based	Configure import route targets for EVPN.	N/A	Perform this task on EDs.
quit	quit	Controller-based	Exit the current view.	N/A	Perform this task on EDs.
ip vpn-instance 5ndrrejtf68up8h4lbkloqqh59dto8	ip vpn-instance 5ndrrejtf68up8h4lbkloqqh59dto8	Controller-based	Create a VPN instance for inter-data center communication.	Enable Layer 3 communication between data centers.	Perform this task on EDs.
route-distinguisher 5:456456	route-distinguisher 5:456456	Controller-based	Configure the RD.	N/A	Perform this task on EDs.
address-family ipv4	address-family ipv4	Controller-based	Enter IPv4 address family view of the VPN instance.	N/A	Perform this task on EDs.
route-replicate from vpn-instance admin_route4_50025 protocol direct advertise	route-replicate from vpn-instance admin_route4_50025 protocol direct advertise	Controller-based	Redistribute routes from the private VPN instance to the VPN instance for inter-data center communication.	N/A	Perform this task on EDs.
vpn-target 456456:1 1:50025 import-extcommunity	vpn-target 456456:1 1:50025 import-extcommunity	Controller-based	Configure import route targets for the private VPN instance.	Edit the private routes to reoriginate routes.	Perform this task on EDs.
vpn-target 456456:1 export-extcommunity	vpn-target 456456:1 export-extcommunity	Controller-based	Configure export route targets for the public device.	Configure the export route targets same as those of the VPN instance for inter-data center communication.	Perform this task on EDs.
address-family ipv6	address-family ipv6	Controller-based	Enter IPv6 address family view of the VPN instance.	N/A	Perform this task on EDs.
route-replicate from vpn-instance admin_route4_50025 protocol direct advertise	route-replicate from vpn-instance admin_route4_50025 protocol direct advertise	Controller-based	Redistribute routes from the private VPN instance to the VPN instance for inter-data center communication.	N/A	Perform this task on EDs.
vpn-target 456456:1 1:50025 import-extcommunity	vpn-target 456456:1 1:50025 import-extcommunity	Controller-based	Configure import route targets for the private VPN instance.	N/A	Perform this task on EDs.
vpn-target 456456:1 export-extcommunity	vpn-target 456456:1 export-extcommunity	Controller-based	Configure export route targets for the public device.	N/A	Perform this task on EDs.
address-family evpn	address-family evpn	Controller-based	Enter EVPN view of the VPN instance.	N/A	Perform this task on EDs.
vpn-target 456456:1 1:50025 import-extcommunity	vpn-target 456456:1 1:50025 import-extcommunity	Controller-based	Configure export route targets for EVPN.	N/A	Perform this task on EDs.
vpn-target 456456:1 export-extcommunity	vpn-target 456456:1 export-extcommunity	Controller-based	Configure import route targets for EVPN.	N/A	Perform this task on EDs.
quit	quit	Controller-based	Exit the current view.	N/A	N/A
ip route-static vpn-instance admin_route1_50034 0.0.0.0 0 200.3.1.3 description SDN_ROUTE	ip route-static vpn-instance admin_route1_50034 0.0.0.0 0 200.3.1.3 description SDN_ROUTE	Controller-based	Configure a static route.	Direct traffic to the firewalls.	The controller issues static routes on demand.
ip route-static vpn-instance admin_route1_50034 121.5.0.0 16 200.3.1.3 description SDN_ROUTE	ip route-static vpn-instance admin_route1_50034 121.5.0.0 16 200.3.1.3 description SDN_ROUTE	Controller-based	Configure a static route.	Direct traffic to the firewalls.	The controller issues static routes on demand.
ipv6 route-static vpn-instance admin_route1_50034 :: 0 200:3:1::2 description SDN_ROUTE	ipv6 route-static vpn-instance admin_route1_50034 :: 0 200:3:1::2 description SDN_ROUTE	Controller-based	Configure a static route.	Direct traffic to the firewalls.	The controller issues static routes on demand.
ipv6 route-static vpn-instance admin_route1_50034 121:5:: 64 200:3:1::2 description SDN_ROUTE	ipv6 route-static vpn-instance admin_route1_50034 121:5:: 64 200:3:1::2 description SDN_ROUTE	Controller-based	Configure a static route.	Direct traffic to the firewalls.	The controller issues static routes on demand.
bgp 400	bgp 400	Controller-based	Enter BGP instance view.	N/A	N/A
ip vpn-instance admin_route1_50034	ip vpn-instance admin_route1_50034	Controller-based	Create a BGP-VPN instance and enter its view.	Create a BGP-VPN instance on the private network.	N/A
address-family ipv4 unicast	address-family ipv4 unicast	Controller-based	Enter BGP-VPN IPv4 unicast address family view.	N/A	N/A
default-route imported	default-route imported	Controller-based	Import default routes.	Advertise the default routes issued by the controller.	N/A
balance 4	balance 4	Controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A	N/A
import-route static	import-route static	Controller-based	Import static routes.	Advertise the static routes issued by the controller.	N/A
address-family ipv6 unicast	address-family ipv6 unicast	Controller-based	Enter BGP-VPN IPv6 unicast address family view.	-	N/A
default-route imported	default-route imported	Controller-based	Import default routes.	Advertise the default routes issued by the controller.	N/A
balance 4	balance 4	Controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	-	N/A
import-route static	import-route static	Controller-based	Import static routes.	Advertise the static routes issued by the controller.	N/A
quit	quit	Controller-based	Exit the current view.	N/A	N/A
quit	quit	Controller-based	Exit the current view.	N/A	N/A
ip vpn-instance 5ndrrejtf68up8h4lbkloqqh59dto8	ip vpn-instance 5ndrrejtf68up8h4lbkloqqh59dto8	Controller-based	Create a BGP-VPN instance and enter its view.	Create a BGP-VPN instance for the VPN instance for inter-data center communication.	Perform this task on EDs.
address-family ipv4 unicast	address-family ipv4 unicast	Controller-based	Enter BGP-VPN IPv4 unicast address family view.	N/A	Perform this task on EDs.
balance 4	balance 4	Controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A	Perform this task on EDs.
import-route direct	import-route direct	Controller-based	Import direct routes.	N/A	Perform this task on EDs.
address-family ipv6 unicast	address-family ipv6 unicast	Controller-based	Enter BGP-VPN IPv6 unicast address family view.	N/A	Perform this task on EDs.
balance 4	balance 4	Controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A	Perform this task on EDs.
import-route direct	import-route direct	Controller-based	Import direct routes.	N/A	Perform this task on EDs.
quit	quit	Controller-based	Exit the current view.	N/A	Perform this task on EDs.
quit	quit	Controller-based	Exit the current view.	N/A	Perform this task on EDs.

Configuring S12508X-AF or S12500G-AF switches as spine devices

Procedure summary

· Configuring IS-IS

· Configuring the links between the spine and leaf tiers

· Configuring the links between the spine and border tiers

· Configuring BGP

Configuring IS-IS

Spine 1	Spine 2	Configuration method	Description	Purpose	Remarks
router id 5.1.1.6	router id 5.1.1.8	Manual	Configure the global router ID.	N/A	N/A
isis 1	isis 1	Manual	Enable IS-IS and enter IS-IS view.	N/A	N/A
non-stop-routing	non-stop-routing	Manual	Enable IS-IS NSR.	Avoid forwarding interruption on the DR system.	N/A
is-level level-2	is-level level-2	Manual	Specify the IS level.	If the only area is an IP network, configure all the routers as Level-2 for scalability.	N/A
cost-style wide	cost-style wide	Manual	Set the cost style to wide.	Enable the device to receive wide cost style packets.	N/A
flash-flood	flash-flood	Manual	Enable IS-IS LSP flash flooding.	Changed LSPs can trigger SPF recalculation. To advertise the changed LSPs before the router recalculates routes for faster network convergence, enable LSP flash flooding.	N/A
timer spf 1 500 10	timer spf 1 500 10	Manual	Set the maximum SPF calculation interval to 1 second, minimum SPF calculation interval to 500 milliseconds, and incremental SPF calculation interval to 10 milliseconds.	Reduce the interval between two SPF calculations and speed up convergence.	N/A
timer lsp-max-age 65535	timer lsp-max-age 65535	Manual	Set the LSP maximum age in the LSDB to 65535 seconds.	A large LSP maximum age reduces LSP floods. Any LSP with an age of 0 is deleted from the LSDB.	N/A
timer lsp-refresh 65000	timer lsp-refresh 65000	Manual	Set the LSP refresh interval to 65000 seconds.	A large refresh interval reduces LSP refreshes and saves bandwidth.	N/A
timer lsp-generation 1 10 10	timer lsp-generation 1 10 10	Manual	Set the maximum interval to 1 second, minimum interval to 10 milliseconds, and incremental interval to 10 milliseconds for LSP generation.	Speed up LSP generation and routing convergence upon network topology changes.	N/A
set-overload on-startup 770	set-overload on-startup 770	Manual	Set the overload bit for 770 seconds upon system startup.	Delay VRRP address advertisement after system startup to reduce traffic loss during fallback.	N/A
network-entity 51.0000.0005.0006.00	network-entity 51.0000.0005.0008.00	Manual	Configure the NET for an IS-IS process.	N/A	N/A
quit	quit	Manual		N/A	N/A
interface LoopBack0	interface LoopBack0	Manual	Create Loopback 0 and enter its view.	N/A	N/A
ip address 5.1.1.6 255.255.255.255	ip address 5.1.1.8 255.255.255.255	Manual	Assign an IP address to the interface.	N/A	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
quit	quit	Manual	Exit the current view.	N/A	N/A

Configuring the links between the spine and leaf tiers

The following matrix uses an interface as an example. You can configure other interface in the same way.

Spine 1	Spine 2	Configuration method	Description	Purpose	Remarks
interface FortyGigE3/0/16	interface FortyGigE3/0/4	Manual	Enter interface view.	Configure a connection to Leaf 1.	N/A
port link-mode route	port link-mode route	Manual	Configure the Ethernet interface to work in Layer 3 mode.	N/A	N/A
ip address 6.1.1.2 255.255.255.252	ip address 6.1.1.6 255.255.255.252	Manual	Assign an IP address to the interface.	N/A	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
isis circuit-type p2p	isis circuit-type p2p	Manual	Set the network type of the interface to P2P.	If only two routers exist on a broadcast network, set the network type of attached interfaces to P2P to avoid DIS election and CSNP flooding. This saves network bandwidth and speeds up network convergence.	N/A
isis peer hold-max-cost duration 20000	isis peer hold-max-cost duration 20000	Manual	Enable IS-IS to advertise the maximum link cost to neighbors within 20000 milliseconds.	N/A	Execute this command at both ends of a link.
quit	quit	Manual	Exit the current view.	N/A	N/A

Configuring the links between the spine and border tiers

The following matrix uses an interface as an example. You can configure other interface in the same way.

Spine 1	Spine 2	Configuration method	Description	Purpose	Remarks
interface HundredGigE2/0/5	interface HundredGigE2/0/9	Manual	Enter interface view.	Configure a connection to Border 1.	N/A
port link-mode route	port link-mode route	Manual	Configure the Ethernet interface to work in Layer 3 mode.	N/A	N/A
ip address 6.1.1.33 255.255.255.252	ip address 6.1.1.41 255.255.255.252	Manual	Assign an IP address to the interface.	N/A	N/A
isis enable 1	isis enable 1	Manual	Enable IS-IS on the interface.	N/A	N/A
isis circuit-level level-2	isis circuit-level level-2	Manual	Set the circuit level for the interface to Level-2.	N/A	For the Level-2 device, the circuit level can only be Level-2.
isis circuit-type p2p	isis circuit-type p2p	Manual	Set the network type of the interface to P2P.	If only two routers exist on a broadcast network, set the network type of attached interfaces to P2P to avoid DIS election and CSNP flooding. This saves network bandwidth and speeds up network convergence.	N/A
isis peer hold-max-cost duration 20000	isis peer hold-max-cost duration 20000	Manual	Enable IS-IS to advertise the maximum link cost to neighbors within 20000 milliseconds.	N/A	Execute this command at both ends of a link.
quit	quit	Manual	Exit the current view.	N/A	N/A

Configuring BGP

Spine 1	Spine 2	Configuration method	Description	Purpose	Remarks
bgp 400	bgp 400	Manual	Enable a BGP instance.	N/A	N/A
non-stop-routing	non-stop-routing	Manual	Enable BGP NSR.	If the device has two MPUs, BGP NSR ensures continuous routing by synchronizing BGP state and data information from the active BGP process to the standby BGP process. The standby BGP process can seamlessly take over all services when the active process fails.
router-id 5.1.1.6	router-id 5.1.1.8	Manual	Configure a route ID.	N/A	N/A
group evpn internal	group evpn internal	Manual	Create an IBGP peer group.	N/A	N/A
peer evpn connect-interface LoopBack0	peer evpn connect-interface LoopBack0	Manual	Specify a source interface for establishing TCP links towards the peer group.	N/A	N/A
peer evpn route-update-interval 0	peer evpn route-update-interval 0	Manual	Specify an interval for sending the same update to the peer group.	Enable the device to fast send update to the peer group upon route changes to speed up route convergence after a DR primary/secondary switchover occurs.	Execute this command only for IBGP peers.
group vbgp internal	group vbgp internal	Manual	Create an IBGP peer group for communicating with the controller.	N/A	N/A
peer vbgp route-update-interval 0	peer vbgp route-update-interval 0	Manual	Specify an interval for sending the same update to the peer group.	Enable the device to fast send update to the peer group upon route changes to speed up route convergence after a DR primary/secondary switchover occurs.	Execute this command only for IBGP peers.
peer 5.1.1.1 group evpn	peer 5.1.1.1 group evpn	Manual	Assign a peer to the peer group.	N/A	N/A
peer 5.1.1.2 group evpn	peer 5.1.1.2 group evpn	Manual	Assign a peer to the peer group.	N/A	N/A
peer 5.1.1.3 group evpn	peer 5.1.1.3 group evpn	Manual	Assign a peer to the peer group.	N/A	N/A
peer 5.1.1.4 group evpn	peer 5.1.1.4 group evpn	Manual	Assign a peer to the peer group.	N/A	N/A
peer 5.1.1.7 group evpn	peer 5.1.1.7 group evpn	Manual	Assign a peer to the peer group.	N/A	N/A
peer 5.1.1.9 group evpn	peer 5.1.1.9 group evpn	Manual	Assign a peer to the peer group.	N/A	N/A
peer 52.1.2.2 group vbgp	peer 52.1.2.2 group vbgp	Manual	Assign a peer to the peer group.	N/A	N/A
address-family l2vpn evpn	address-family l2vpn evpn	Manual	Enter BGP EVPN view.	N/A	N/A
undo policy vpn-target	undo policy vpn-target	Manual	Disable route target filtering for BGP EVPN routes.	N/A	N/A
peer evpn enable	peer evpn enable	Manual	Enable the device to exchange routes with the peer group.	N/A	N/A
peer evpn reflect-client	peer evpn reflect-client	Manual	Configure the device as a route reflector and specify the evpn peer group as a client.	N/A	N/A
peer vbgp enable	peer vbgp enable	Manual	Enable the device to exchange routes with the peer group.	N/A	N/A
peer vbgp reflect-client	peer vbgp reflect-client	Manual	Configure the device as a route reflector and specify the vbgp peer group as a client.	N/A	N/A
quit	quit	Manual	Exit the current view.	N/A	N/A
quit	quit	Manual	Exit the current view.	N/A	N/A

NOTE:

When the TCP connection goes down, the hold timer expires, or the support for a new address family is added, BGP tears down and then re-establishes the peer sessions, which will cause traffic interruption. To avoid traffic interruption in these cases, enable BGP to reset peer sessions gracefully.

Overlay traffic forwarding models

Overlay traffic characteristics

The forwarding model matrix provides the following characteristics of overlay traffic:

· No.—Traffic number in the O-X-XXX format:

¡ O—Overlay traffic.

¡ X—Protocol number, which can be 4 (IPv4) or 6 (IPv6).

¡ XXX—Traffic sequence number starting from 001.

· Traffic type—Type of overlay traffic, which can be known unicast/IPV4 and unicast/Layer 2.

· Direction—Direction of overlay traffic.

· Forwarding path—Nodes that overlay traffic traverses.

· Traffic simulation—Traffic simulation method. Typically a tester is used to simulate server traffic.

· Load—Traffic size, which can be light (less than 1000 flows) and heavy (more than 1000 flows).

· Traffic direction to firewalls/LB—Configuration used to direct traffic to firewalls and load balancers, other than PBR, DRNI, VRRP, static routes.

Forwarding models

No.	Traffic type	Direction	Forwarding path	Traffic simulation	Load	Traffic direction to firewalls/LB	Remarks
O-4-001	Known unicast/IPv4	East to west, across leaf devices	Server 3 > Leaf 3 > Spine 2 > Leaf 2 > Server 2	Bound4+ tester	Light	N/A	BM-to-BM communication.
O-4-002	Known unicast/IPv4	East to west, across leaf devices	Server 3 > Leaf 3 > Spine 2 > Leaf 2 > Server 2	Bound4+ tester	Light	N/A	BM-to-VM communication.
O-4-003	Known unicast/IPv4	South to north	Server 3 > Leaf 3 > Spine 2 > Border 2 > public device	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-external network communication.
O-4-004	Known unicast/IPv4	South to north	Server 3 > Leaf 1 > Spine 2 > Border 2 > public device	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-external network communication.
O-4-005	Unicast/Layer 2	East to west, across leaf devices	Server 2 > Leaf 1 > Server 1	Bound4+ tester	Light	N/A	BM-to-VM communication.
O-4-006	Known unicast/IPv4	East to west, across leaf devices	Server 2 > Leaf 1 > Leaf 4 > Server 4	Bound4+ tester	Light	N/A	BM-to-BM communication.
O-4-007	Known unicast/IPv4	East to west, across leaf devices	Server 2 > Leaf 2 > Spine 1 > Leaf 3 > Server 4	Bound4+ tester	Light	N/A	VM-to-BM communication.
O-4-008	Unicast/Layer 2	East to west, across leaf devices	Server 2 > Leaf 1 > Server 1	Bound4+ tester	Light	N/A	VM-to-BM communication.
O-4-009	Known unicast/IPv4	East to west, across leaf devices	Server 1 > Leaf 2 > Spine 1 > Border > Spine 2 > Leaf 3 > Server 4	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	VM-to-BM communication.
O-4-010	Known unicast/IPv4	South to north	Server 1 > Leaf 1 > Spine 2 > Border 2 > public device	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	VM-to-external network communication.
O-4-011	Unicast/Layer 2	Between data centers	Server 1 > Leaf 1 > Spine 2 > Border 2	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	Inter-data center Layer 2 communication.
O-4-012	Known unicast/IPv4	East to west, across leaf devices	Server 4 > Leaf 3 > Spine 1 > Border > Spine > Leaf 2 > Server 1	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-VM communication.
O-4-013	Known unicast/IPv4	East to west, across leaf devices	Server 4 > Leaf 3 > Spine 2 > Border > Spine > Leaf 2 > Server 2	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-BM communication.
O-4-014	Known unicast/IPv4	East to west, same leaf device	Server 4 > Leaf 3 > Spine > Border > Spine > Leaf > Server 4	Bound4+ tester	Light	N/A	BM-to-BM communication.
O-4-015	Known unicast/IPv4	East to west, across leaf devices	Server 4 > Leaf 3 > Spine 1 > Leaf 2 > Server 1	Bound4+ tester	Light	N/A	BM-to-VM communication.
O-4-016	Known unicast/IPv4	East to west, across leaf devices	Server 4 > Leaf 3 > Spine 1 > Leaf 2 > Server 2	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-BM communication.
O-4-017	Known unicast/IPv4	East to west, same leaf device	Server 4 > Leaf 3 > Spine > Border > Spine > Leaf > Server 4	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-BM communication.
O-4-018	Known unicast/IPv4	South to north	Server 3 > Leaf 3 > Server 1	Bound4+ tester	Light	N/A	BM-to-external network communication.
O-4-019	Unicast/Layer 2	East to west, across leaf devices	Server 2 > Leaf 3 > Spine 1 > Leaf 2 > Server 1	Bound4+ tester	Light	N/A	BM-to-VM communication.
O-4-020	Known unicast/IPv4	East to west, across leaf devices	Server 2 > Leaf 2 > Spine 1 > Leaf 3 > Server 4	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-BM communication.
O-4-021	Known unicast/IPv4	East to west, across leaf devices	Server 2 > Leaf 1 > Spine > Border > Spine > Leaf > Server 4	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-BM communication.
O-4-022	Known unicast/IPv4	South to north	Server 2 > Leaf 1 > Spine 2 > Border 2 > public device	Bound4+ tester	Light	N/A	BM-to-external network communication.
O-4-023	Known unicast/IPv4	Between data centers	Server 4 > Leaf 4 > Spine 2 > Border 2	Bound4+ tester	Light	N/A	Inter-data center Layer 3 communication.
O-4-024	Unicast/Layer 2	East to west, across leaf devices	Server 3 > Leaf 4 > Spine 2 > Leaf 2 > Server 2	Bound4+ tester	Light	N/A	VM-to-BM communication.
O-4-025	Known unicast/IPv4	East to west, across leaf devices	Server 3 > Leaf 4 > Server 4	Bound4+ tester	Light	N/A	VM-to-BM communication.
O-4-026	Known unicast/IPv4	South to north	Server 3 > Leaf 3 > Spine 2 > Border 2 > public device	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	VM-to-external network communication.
O-4-027	Known unicast/IPv4	North to south	Public device > Border 2 > Spine 2 > Leaf 1 > Server 1	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	External network-to-VM communication.
O-4-028	Known unicast/IPv4	North to south	Public device > Border 2 > Spine 2 > Leaf 1 > Server 1	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	External network-to-BM communication.
O-4-029	Known unicast/IPv4	North to south	Public device > Border 2 > Spine 2 > Leaf 3 > Server 4	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	External network-to-BM communication.
O-4-030	Known unicast/IPv4	North to south	Public device > Border 2 > Spine 2 > Leaf 3 > Server 3	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	External network-to-VM communication.
O-4-031	Known unicast/IPv4	North to south	Public device > Border 2 > Spine 2 > Leaf 1 > Server 2	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	External network-to-BM communication.
O-4-032	Known unicast/IPv4	North to south	Public device > Border 2 > Spine 2 > Leaf 1 > Server 4	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	External network-to-BM communication.
O-4-033	Unicast/Layer 2	Between data centers	Border 2 > Spine 2 > Leaf 1 > Server 2	Bound4+ tester	Light	N/A	Inter-data center Layer 2 communication.
O-4-034	Known unicast/IPv4	Between data centers	Border 1 > Spine 1 > Leaf 4 > Server 4	Bound4+ tester	Light	N/A	Inter-data center Layer 3 communication.
O-6-035	Known unicast/IPv4	East to west, across leaf devices	Server 3 > Leaf 3 > Spine 2 > Leaf 2 > Server 2	Bound4+ tester	Light	N/A	BM-to-BM communication.
O-6-036	Known unicast/IPv4	East to west, across leaf devices	Server 3 > Leaf 3 > Spine 2 > Leaf 2 > Server 2	Bound4+ tester	Light	N/A	BM-to-VM communication.
O-6-037	Known unicast/IPv4	South to north	Server 3 > Leaf 3 > Spine 2 > Border 2 > Public device	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-external network communication.
O-6-038	Known unicast/IPv4	South to north	Server 3 > Leaf 1 > Spine 2 > Border 2 > Public device	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-external network communication.
O-6-039	Unicast/Layer 2	East to west, across leaf devices	Server 2 > Leaf 1 > Server 1	Bound4+ tester	Light	N/A	BM-to-VM communication.
O-6-040	Known unicast/IPv4	East to west, across leaf devices	Server 2 > Leaf 1 > Leaf 4 > Server 4	Bound4+ tester	Light	N/A	BM-to-BM communication.
O-6-041	Known unicast/IPv4	East to west, across leaf devices	Server 2 > Leaf 2 > Spine 1 > Leaf 3 > Server 4	Bound4+ tester	Light	N/A	VM-to-BM communication.
O-6-042	Unicast/Layer 2	East to west, across leaf devices	Server 2 > Leaf 1 > Server 1	Bound4+ tester	Light	N/A	VM-to-BM communication.
O-6-043	Known unicast/IPv4	East to west, across leaf devices	Server 1 > Leaf 2 > Spine 1 > Border > Spine 2 > Leaf 3 > Server 4	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	VM-to-BM communication.
O-6-044	Known unicast/IPv4	South to north	Server 1 > Leaf 1 > Spine 2 > Border 2 > Public device	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	VM-to-external network communication.
O-6-045	Unicast/Layer 2	Between data centers	Server 1 > Leaf 1 > Spine 2 > Border 2	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	Inter-data center Layer 2 communication.
O-6-046	Known unicast/IPv4	East to west, across leaf devices	Server 4 > Leaf 3 > Spine 1 > Border > Spine > Leaf 2 > Server 1	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-VM communication.
O-6-047	Known unicast/IPv4	East to west, across leaf devices	Server 4 > Leaf 3 > Spine 2 > Border > Spine > Leaf 2 > Server 2	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-BM communication.
O-6-048	Known unicast/IPv4	East to west, same leaf device	Server 4 > Leaf 3 > Spine > Border > Spine > Leaf > Server 4	Bound4+ tester	Light	N/A	BM-to-BM communication.
O-6-049	Known unicast/IPv4	East to west, across leaf devices	Server 4 > Leaf 3 > Spine 1 > Leaf 2 > Server 1	Bound4+ tester	Light	N/A	BM-to-VM communication.
O-6-050	Known unicast/IPv4	East to west, across leaf devices	Server 4 > Leaf 3 > Spine 1 > Leaf 2 > Server 2	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-BM communication.
O-6-051	Known unicast/IPv4	East to west, same leaf device	Server 4 > Leaf 3 > Spine > Border > Spine > Leaf > Server 4	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-BM communication.
O-6-052	Known unicast/IPv4	South to north	Server 3 > Leaf 3 > Server 1	Bound4+ tester	Light	N/A	BM-to-external network communication.
O-6-053	Unicast/Layer 2	East to west, across leaf devices	Server 2 > Leaf 3 > Spine 1 > Leaf 2 > Server 1	Bound4+ tester	Light	N/A	BM-to-VM communication.
O-6-054	Known unicast/IPv4	East to west, across leaf devices	Server 2 > Leaf 2 > Spine 1 > Leaf 3 > Server 4	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-BM communication.
O-6-055	Known unicast/IPv4	East to west, across leaf devices	Server 2 > Leaf 1 > Spine > Border > Spine > Leaf > Server 4	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	BM-to-BM communication.
O-6-056	Known unicast/IPv4	South to north	Server 2 > Leaf 1 > Spine 2 > Border 2 > Public device	Bound4+ tester	Light	N/A	BM-to-external network communication.
O-6-057	Known unicast/IPv4	Between data centers	Server 4 > Leaf 4 > Spine 2 > Border 2	Bound4+ tester	Light	N/A	Inter-data center Layer 3 communication.
O-6-058	Unicast/Layer 2	East to west, across leaf devices	Server 3 > Leaf 4 > Spine 2 > Leaf 2 > Server 2	Bound4+ tester	Light	N/A	VM-to-BM communication.
O-6-059	Known unicast/IPv4	East to west, across leaf devices	Server 3 > Leaf 4 > Server 4	Bound4+ tester	Light	N/A	VM-to-BM communication.
O-6-060	Known unicast/IPv4	South to north	Server 3 > Leaf 3 > Spine 2 > Border 2 > Public device	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	VM-to-external network communication.
O-6-061	Known unicast/IPv4	North to south	Public device > Border 2 > Spine 2 > Leaf 1 > Server 1	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	External network-to-VM communication.
O-6-062	Known unicast/IPv4	North to south	Public device > Border 2 > Spine 2 > Leaf 1 > Server 1	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	External network-to-BM communication.
O-6-063	Known unicast/IPv4	North to south	Public device > Border 2 > Spine 2 > Leaf 3 > Server 4	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	External network-to-BM communication.
O-6-064	Known unicast/IPv4	North to south	Public device > Border 2 > Spine 2 > Leaf 3 > Server 3	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	External network-to-VM communication.
O-6-065	Known unicast/IPv4	North to south	Public device > Border 2 > Spine 2 > Leaf 1 > Server 2	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	External network-to-BM communication.
O-6-066	Known unicast/IPv4	North to south	Public device > Border 2 > Spine 2 > Leaf 1 > Server 4	Bound4+ tester	Light	Static routes. Firewall: Through a VLAN on a DR interface. LB: Through an AC on a DR interface.	External network-to-BM communication.
O-6-067	Unicast/Layer 2	Between data centers	Border 2 > Spine 2 > Leaf 1 > Server 2	Bound4+ tester	Light	N/A	Inter-data center Layer 2 communication.
O-6-068	Known unicast/IPv4	Between data centers	Border 1 > Spine 1 > Leaf 4 > Server 4	Bound4+ tester	Light	N/A	Inter-data center Layer 3 communication.

Testing network convergence upon single points of failure

Table 1 Network convergence upon single points of failure

Device	Failure type	Traffic interruption time
Leaf	Link failure when the traffic load is light.	≤ 500 ms
Leaf	Node failure when the traffic load is light.	≤ 2000 ms
Border	Link failure when the traffic load is light.	≤ 500 ms
Border	Node failure when the traffic load is light.	≤ 2000 ms
Spine	Link failure when the traffic load is light.	≤ 500 ms
Spine	Node failure when the traffic load is light.	≤ 2000 ms

Verifying the configuration

Verification commands

Leaf 1	Leaf 2	Description
display drni summary	display drni summary	Displays summary information about the IPP and DR interfaces.
display drni system	display drni system	Displays the DR system settings.
display drni keepalive	display drni keepalive	Displays DR keepalive packet statistics.
display drni role	display drni role	Displays DR role information.
display drni consistency { type1 \| type2 }	display drni consistency { type1 \| type2 }	Displays information about the configuration consistency check done by DRNI.
display drni consistency-check status	display drni consistency-check status	Displays the configuration consistency check status.
display interface Bridge-Aggregation [ brief ]	display interface Bridge-Aggregation [ brief ]	Displays information about aggregate interfaces.
display stp brief	display stp brief	Displays the brief spanning tree status and statistics.

Procedure

# Verify that nodes Border 1 and Border 2 has established a DR system.

<POD2-Border1>display drni summary

Global consistency check : SUCCESS

Inconsistent type 1 global settings: -

IPP IPP ID State

BAGG1 1 UP

DR interface DR group ID State Check result Type 1 inconsistency

BAGG4 4 UP SUCCESS -

BAGG10 10 UP SUCCESS -

BAGG20 20 UP SUCCESS -

# Verify the DR system settings on Border 1.

<POD2-Border1>display drni system

IPP: Bridge-Aggregation1

State: UP

DR System number System MAC System priority

Local 2 542b-de0c-0200 10000

Peer 1 542b-de0c-0200 10000

# Verify the keepalive packet statistics on Border 1.

<POD2-Border1>dis drni keepalive

Neighbor keepalive link status: Up

Neighbor is alive for: 192203 s 276 ms

Last keepalive packet sending status: Successful

Last keepalive packet sending time: 2021/03/12 07:22:20 278 ms

Last keepalive packet receiving status: Successful

Last keepalive packet receiving time: 2021/03/12 07:22:20 287 ms

Distributed relay keepalive parameters:

Destination IP address: 192.1.2.100

Source IP address: 192.1.2.74

Keepalive UDP port : 6400

Keepalive VPN name : management

Keepalive interval : 1000 ms

Keepalive timeout : 5 sec

Keepalive hold time: 3 sec

# Verify the DR roles on Border 1.

<POD2-Border1>display drni role

DR Role priority Bridge Mac Configured role Effective role

Local 100 7057-bff9-aa00 Primary Primary

Peer 101 542b-de0c-0200 Secondary Secondary

# View information about the configuration consistency check done by DRNI on Border 1.

<POD2-Border1>display drni consistency type2 global

VLAN consistency check: Success

Local VLAN interfaces:

123, 1000, 2000-2005

Peer VLAN interfaces:

123, 1000, 2000-2005

Passing PVID and VLANs (tagged) on local IPP:

1-22, 24-4094

Passing PVID and VLANs (tagged) on peer IPP:

1-22, 24-4094

Invalid VLANs on local IPP:

None

# View information about the aggregate interfaces on Border 1.

<POD2-Border1>display interface Bridge-Aggregation brief

Brief information on interfaces in bridge mode:

Link: ADM - administratively down; Stby - standby

Speed: (a) - auto

Duplex: (a)/A - auto; H - half; F - full

Type: A - access; T - trunk; H - hybrid

Interface Link Speed Duplex Type PVID Description

BAGG1 UP 80G(a) F(a) T 1

BAGG4 UP 80G(a) F(a) T 1

BAGG10 UP 200G(a) F(a) T 1

BAGG20 UP 200G(a) F(a) T 1

# View the brief spanning tree status and statistics.

<POD2-Border1> display stp brief

MST ID Port Role STP State Protection

0 Bridge-Aggregation4 DESI FORWARDING NONE

0 Bridge-Aggregation10 DESI FORWARDING NONE

0 Bridge-Aggregation20 DESI FORWARDING NONE

Upgrading the devices

Upgrading the leaf devices

Checking the environment

Execute the commands in "Verification commands" and the following commands to verify that the device is available for an upgrade.

Leaf 1	Leaf 2	Description
display device	display device	Displays device information.
display boot-loader	display boot-loader	Displays current software images and startup software images.
display version	display version	Displays system version information.

Upgrading the device

See H3C Switches DR System Upgrade & Replacement & Expansion Guide.

Verifying the traffic interruption time during the upgrade

Verify that the traffic interruption time is shorter than 500 ms during a switchover and shorter than 150 ms during fallback when the traffic load is light. For more information, see "Testing network convergence upon single points of failure."

Verifying the upgrade result

Execute the commands in "Verification commands" and the following commands to verify that the device is upgraded successfully.

Leaf 1	Leaf 2	Description
display device	display device	Displays device information.
display boot-loader	display boot-loader	Displays current software images and startup software images.
display version	display version	Displays system version information.

Upgrading the spine devices

Checking the environment

Execute the commands in "Verification commands" and the following commands to verify that the device is available for an upgrade.

Spine 1	Spine 2	Description
display device	display device	Displays device information.
display boot-loader	display boot-loader	Displays current software images and startup software images.
display version	display version	Displays system version information.

Upgrading the device

1. Use the display version command to verify the current BootWare image version and startup software version.

2. Use the release notes for the upgrade software version to evaluate the upgrade impact on your network and verify the following items:

¡ Software and hardware compatibility.

¡ Version and size of the upgrade software.

¡ Compatibility of the upgrade software with the current BootWare image and startup software image.

3. Use the release notes to verify whether the software images require a license. If licenses are required, register and activate licenses for each license-based software image.

4. Use the dir command to verify that the device has sufficient storage space for the upgrade images. If the storage space is not sufficient, delete unused files by using the delete command.

5. Use FTP or TFTP to transfer the upgrade image file to the root directory of a file system.

6. Upgrade the device according to the configuration guides for the device.

Verifying the traffic interruption time during the upgrade

Verifying the upgrade result

Execute the commands in "Verification commands" and the following commands to verify that the device is upgraded successfully.

Leaf 1	Leaf 2	Description
display device	display device	Displays device information.
display boot-loader	display boot-loader	Displays current software images and startup software images.
display version	display version	Displays system version information.

Upgrading the border devices

Checking the environment

Execute the commands in "Verification commands" and the following commands to verify that the device is available for an upgrade.

Border 1	Border 2	Description
display device	display device	Displays device information.
display boot-loader	display boot-loader	Displays current software images and startup software images.
display version	display version	Displays system version information.

Upgrading the device

See H3C Switches DR System Upgrade & Replacement & Expansion Guide.

Verifying the traffic interruption time during the upgrade

Verifying the upgrade result

Execute the commands in "Verification commands" and the following commands to verify that the device is upgraded successfully.

Leaf 1	Leaf 2	Description
display device	display device	Displays device information.
display boot-loader	display boot-loader	Displays current software images and startup software images.
display version	display version	Displays system version information.

Expanding the network

An expansion operation adds two leaf devices.

Adding a leaf device

Checking the environment

Execute the commands in "Verification commands" and the following commands to verify that the device is available for an expansion.

Leaf 1	Leaf 2	Description
display device	display device	Displays device information.
display boot-loader	display boot-loader	Displays current software images and startup software images.
display version	display version	Displays system version information.

Adding the device to the leaf tier

1. Disconnect the device from network management systems.

2. Upgrade the software of the device as needed.

3. Preconfigure the device.

4. Connect the device to network management systems.

5. Incorporate the device on the controller.

Verifying the traffic interruption time

For more information, see "Testing network convergence upon single points of failure."

Verifying the expansion result

Execute the following commands to verify that the device is added successfully.

Leaf 1	Leaf 2	Description
display device	display device	Displays device information.
display boot-loader	display boot-loader	Displays current software images and startup software images.
display version	display version	Displays system version information.

Replacing hardware

Replacing a service module

Checking the environment

Execute the commands in "Verification commands" and the following commands to verify that the target device is available for a replacement.

Leaf 1	Leaf 2	Description
display device	display device	Displays device information.
display boot-loader	display boot-loader	Displays current software images and startup software images.
display version	display version	Displays system version information.

Replacing a service module

1. Switch service and management traffic on the target service module to other service modules.

2. Power off the device and replace the service module, or replace the service module when the device is running. For more information, see the installation guides for the service module.

For details, see H3C Switches DR System Upgrade & Replacement & Expansion Guide.

Verifying the traffic interruption time

For more information, see "Testing network convergence upon single points of failure."

Verifying the replacement result

Execute the commands in "Checking the environment."

Replacing a switching fabric module

Checking the environment

Execute the commands in "Verification commands" and the following commands to verify that the target device is available for a replacement.

Leaf 1	Leaf 2	Description
display device	display device	Displays device information.
display boot-loader	display boot-loader	Displays current software images and startup software images.
display version	display version	Displays system version information.

Replacing a switching fabric module

Power off the device and replace the switching fabric module, or replace the switching fabric module when the device is running. For more information, see the installation guides for the switching fabric module.

Verifying the traffic interruption time

For more information, see "Testing network convergence upon single points of failure."

Verifying the replacement result

Execute the commands in "Checking the environment."

H3C Data Center Switches DRNI Configuration Guide-6W103

Example: Configuring DRNI and EVPN distributed gateways (IS-IS for underlay routing)

Network configuration

Traffic forwarding models

Applicable product matrix

Configuring the resource mode (only on S6800 switches)

Configuring IS-IS

Configuring L2VPN

Configuring DRNI

Configuring the links towards the virtualization servers

Configuring a BGP instance

Configuring the overlay network

Procedure summary

Configuring the resource mode

Configuring IS-IS

Configuring the links towards the spine tier

Configuring DRNI

Configuring the links towards the virtualization servers

Configuring a BGP instance

Configuring the overlay network

Configuring S12508X-AF or S12500G-AF switches as border devices

Procedure summary

Configuring basic settings

Configuring basic settings on S12500X-AF switches

Configuring basic settings on S12500G-AF switches

Configuring the links towards the spine tier

Configuring L2VPN

Configuring DRNI

Configuring the DR interfaces connected to the external network

Procedure summary

Configuring the links between the spine and leaf tiers

Overlay traffic forwarding models

Testing network convergence upon single points of failure

Verifying the configuration

Verification commands

Checking the environment

Upgrading the device

Verifying the traffic interruption time during the upgrade

Verifying the upgrade result

Checking the environment

Upgrading the device

Verifying the traffic interruption time during the upgrade

Verifying the upgrade result

Checking the environment

Upgrading the device

Verifying the traffic interruption time during the upgrade

Verifying the upgrade result

Checking the environment

Adding the device to the leaf tier

Verifying the traffic interruption time

Verifying the expansion result

Replacing a service module

Verifying the traffic interruption time

Verifying the replacement result

Replacing a switching fabric module

Verifying the traffic interruption time

Verifying the replacement result

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us