Login
- Table of Contents
-
- H3C Data Center Switches DRNI Configuration Guide-6W103
- 00-DRNI network planning
- 01-DRNI+IPv4 and IPv6 Dual-Active VLAN Gateway Configuration Example
- 02-Multi-Layer DRNI+STP+Dual-Active VLAN Gateway Configuration Examples
- 03-Multi-Layer DRNI+Dual-Active VLAN Gateway+OSPF Configuration Examples
- 04-Multi-tier DRNI+Spine Gateways+ECMP Paths to External Network Configuration Example
- 05-DRNI and VRRP Configuration Example
- 06-DRNI+RDMA Configuration Example
- 07-DRNI and EVPN Distributed Gateway (IS-IS for underlay routing) Configuration Example
- 08-DRNI and EVPN Distributed Gateway (BGP for Underlay Routing) Configuration Example
- 09-DRNI+EVPN Distributed Gateway (OSPF on Underlay Network)+DHCP Relay+Microsegmentation+Service Chain Configuration Example
- 10-DRNI+EVPN Centralized Gateway Configuration Example
- 11-Access to DRNI Through Dynamic Routing and Distributed EVPN Gateways Configuration Example
- 12-DRNI+EVPN+Monitor Link Configuration Examples
- 13-DRNI and MVXLAN Configuration Example
- 14-DRNI and DCI Configuration Example
- 15-DRNI+EVPN DC Switchover Upon Border Failure Configuration Examples
- Related Documents
-
Configuring DRNI, EVPN distributed gateway (OSPF on the underlay network), DHCP relay, microsegmentation, and service chain
Network configuration
As shown in Figure 1:
· Deploy DR systems at the leaf tier on a leaf-spine network to provide node redundancy.
· Place EVPN gateways at the leaf tier. Configure the members in each DR system to provide distributed EVPN gateway services.
· Use DHCP for dynamic assignment of IP addresses. This example deploys DHCP clients in a different VXLAN than the DHCP server.
· For the DHCP clients to obtain IP services from the DHCP server, configure DHCP relay between them.
The following information describes the deployment in detail:
· At the leaf tier, set up DR systems A, B, and C.
¡ DR system A—Contains nodes Leaf 1 and Leaf 2.
¡ DR system B—Contains nodes Leaf 3 and Leaf 4.
¡ DR system C—Contains nodes Leaf 5 and Leaf 6.
· Leaf 1 and Leaf 2 act as service leaf nodes and connect to the firewall devices.
¡ Configure two DR interfaces on each of the two nodes. On each node, connect one DR interface to firewall EW for east-west protection and connect the other to firewall NS for north-south protection.
¡ All east-west flows (traffic between servers on the internal network) except for DHCP messages must be forwarded to firewall EW before they can reach their destination.
¡ All north-south flows (traffic from the internal network to the external network) must be forwarded to firewall NS before they can reach their destination.
¡ Use VXLANs 10999 and 11000 to accommodate traffic sent towards and received from firewall EW, respectively. Use VXLANs 10997 and 10998 to accommodate traffic sent towards and received from firewall NS, respectively.
· DR system B (Leaf 3 and Leaf 4) and DR system C (Leaf 5 and Leaf 6) connect to the servers. The physical server that hosts the DHCP clients (VMs) is singled homed to node Leaf 3. The physical device that hosts the DHCP server (a VM) is single homed to node Leaf 5.
· The DHCP clients belong to VXLAN 13313 and the DHCP server belongs to VXLAN 13342. Place EVPN distributed gateways at the leaf tier to provide Layer 3 connectivity between the DHCP clients and server. Configure the DR systems at the leaf tier to provide DHCP relay services between the DHCP clients and server.
· At the border tier, set up a DR system with Border 1 and Border 2, and use DR interfaces to connect the DR system to external devices and downstream Spine A and Spine B.
· Deploy nodes Spine A and Spine B as route reflectors (RRs) to reflect routes between the leaf nodes and forward underlay traffic.
· Run OSPF on the underlay network to establish L3 connectivity between the devices.
· Deploy service chains to direct service traffic to the firewalls for filtering and protection.
· Configure the following VPN instances:
¡ Assign VPN ZHTESTCTVRF to accommodate all business services.
¡ Assign VPN ZHTESTCTFWEW01VRF to accommodate EW firewall services.
¡ Assign VPN ZHTESTCTFWNS01VRF to accommodate NS firewall services.
· Deploy both IPv4 and IPv6 services. IPv6 traffic is forwarded through IPv6 over IPv4 tunnels.
Configure ACs for the servers to access the leaf devices, and configure the leaf devices to assign VMs to microsegments based on the IP address. Configure microsegmentation as follows:
· Assign the business subnets to microsegment EPG 10001.
· Assign the subnet accomodating common servers, such as the FTP server, to microsegment EPG 10002.
· Assign the subnet accomodating the default route to the external network to microsegment EPG 10001.
· Assign the subnet accomodating the DHCP server to microsegment EPG 10001.
· Permit communication between microsegments EPG 10001 and EPG 10001.
· Direct the traffic sent between microsegments EPG 10001 and EPG 10002 to firewall EW.
· Direct the traffic sent between microsegments EPG 10001 and EPG 10003 to firewall NS.
· Direct the traffic sent between microsegments EPG 10001 and EPG 10004 to firewall EW, except for DHCP messages.
· Permit communication between microsegments EPG 10002 and EPG 10002.
· Direct the traffic sent between microsegments EPG 10002 and EPG 10003 to firewall NS.
· Permit communication between microsegments EPG 10002 and EPG 10004.
· Permit communication within microsegment EPG 10004.
+DHCP%20Relay+Microsegmentation+Service%20Chain%20Configuration%20Example.files/image001.png)
|
Device |
Interface |
IP address |
Description |
|
Spine A |
Loopback0 |
197.32.241.37 |
None. |
|
HGE1/0/1 |
Borrowed from Loopback 0 |
Connected to Leaf 1. |
|
|
HGE1/0/2 |
Borrowed from Loopback 0 |
Connected to Leaf 2. |
|
|
HGE1/0/3 |
Borrowed from Loopback 0 |
Connected to Leaf 3. |
|
|
HGE1/0/4 |
Borrowed from Loopback 0 |
Connected to Leaf 4. |
|
|
HGE1/0/5 |
Borrowed from Loopback 0 |
Connected to Leaf 5. |
|
|
HGE1/0/6 |
Borrowed from Loopback 0 |
Connected to Leaf 6. |
|
|
HGE1/0/7 |
Borrowed from Loopback 0 |
Connected to Border 1. |
|
|
HGE1/0/8 |
Borrowed from Loopback 0 |
Connected to Border 2. |
|
|
Spine B |
Loopback0 |
197.32.241.38 |
None. |
|
HGE1/0/1 |
Borrowed from Loopback 0 |
Connected to Leaf 1. |
|
|
HGE1/0/2 |
Borrowed from Loopback 0 |
Connected to Leaf 2. |
|
|
HGE1/0/3 |
Borrowed from Loopback 0 |
Connected to Leaf 3. |
|
|
HGE1/0/4 |
Borrowed from Loopback 0 |
Connected to Leaf 4. |
|
|
HGE1/0/5 |
Borrowed from Loopback 0 |
Connected to Leaf 5. |
|
|
HGE1/0/6 |
Borrowed from Loopback 0 |
Connected to Leaf 6. |
|
|
HGE1/0/7 |
Borrowed from Loopback 0 |
Connected to Border 1. |
|
|
HGE1/0/8 |
Borrowed from Loopback 0 |
Connected to Border 2. |
|
|
Leaf 1 |
Loopback0 |
197.32.241.41 |
None. |
|
Loopback2 |
197.32.241.55 |
None. |
|
|
VSI-interface10997 |
197.32.224.21 |
Gateway of VXLAN 10997. |
|
|
VSI-interface10998 |
197.32.224.25 |
Gateway of VXLAN 10998. |
|
|
VSI-interface10999 |
197.32.224.29 |
Gateway of VXLAN 10999. |
|
|
VSI-interface11000 |
197.32.224.33 |
Gateway of VXLAN 11000. |
|
|
VSI-interface13313 |
197.32.13.254 |
Gateway of VXLAN 13313. |
|
|
HGE1/0/25 |
Borrowed from Loopback 0 |
Connected to Spine A. |
|
|
HGE1/0/26 |
Borrowed from Loopback 0 |
Connected to Spine B. |
|
|
HGE1/0/31 |
N/A |
Connected to Leaf 2, member port of the IPL. |
|
|
Twenty-FiveGigE1/0/54 |
197.32.241.57 |
Connected to Leaf 2, member port of the keepalive link. |
|
|
HGE1/0/51 |
N/A |
Connected to the EW firewall, member port of DR group member interface Bridge-Aggregation 257. |
|
|
HGE1/0/52 |
N/A |
Connected to firewall NS, member port of DR group member interface Bridge-Aggregation 258. |
|
|
Leaf 2 |
Loopback0 |
197.32.241.42 |
None. |
|
Loopback2 |
197.32.241.55 |
None. |
|
|
VSI-interface10997 |
197.32.224.21 |
Gateway of VXLAN 10997. |
|
|
VSI-interface10998 |
197.32.224.25 |
Gateway of VXLAN 10998. |
|
|
VSI-interface10999 |
197.32.224.29 |
Gateway of VXLAN 10999. |
|
|
VSI-interface11000 |
197.32.224.33 |
Gateway of VXLAN 11000. |
|
|
VSI-interface13313 |
197.32.13.254 |
Gateway of VXLAN 13313. |
|
|
HGE1/0/25 |
Borrowed from Loopback 0 |
Connected to Spine A. |
|
|
HGE1/0/26 |
Borrowed from Loopback 0 |
Connected to Spine B. |
|
|
HGE1/0/31 |
N/A |
Connected to Leaf 1, member port of the IPL. |
|
|
Twenty-FiveGigE1/0/54 |
197.32.241.58 |
Connected to Leaf 1, member port of the keepalive link. |
|
|
HGE1/0/51 |
N/A |
Connected to firewall EW, member port of DR group member interface Bridge-Aggregation 257. |
|
|
HGE1/0/52 |
N/A |
Connected to firewall NS, member port of DR group member interface Bridge-Aggregation 258. |
|
|
Leaf 3 |
Loopback0 |
197.32.241.43 |
None. |
|
Loopback2 |
197.32.241.64 |
None. |
|
|
VSI-interface13313 |
197.32.13.254 |
Gateway of VXLAN 13313. |
|
|
HGE1/0/25 |
Borrowed from Loopback 0 |
Connected to Spine A. |
|
|
HGE1/0/26 |
Borrowed from Loopback 0 |
Connected to Spine B. |
|
|
HGE1/0/31 |
N/A |
Connected to Leaf 4, member port of the IPL. |
|
|
Twenty-FiveGigE1/0/54 |
197.32.241.61 |
Connected to Leaf 4, member port of the keepalive link. |
|
|
Twenty-FiveGigE1/0/2 |
N/A |
Connected to DHCP clients. |
|
|
Leaf 4 |
Loopback0 |
197.32.241.44 |
None. |
|
Loopback2 |
197.32.241.64 |
None. |
|
|
VSI-interface13313 |
197.32.13.254 |
Gateway of VXLAN 13313. |
|
|
HGE1/0/25 |
Borrowed from Loopback 0 |
Connected to Spine A. |
|
|
HGE1/0/26 |
Borrowed from Loopback 0 |
Connected to Spine B. |
|
|
HGE1/0/31 |
N/A |
Connected to Leaf 3, member port of the IPL. |
|
|
Twenty-FiveGigE1/0/54 |
197.32.241.62 |
Connected to Leaf 3, member port of the keepalive link. |
|
|
Leaf 5 |
Loopback0 |
197.32.241.45 |
None. |
|
Loopback2 |
197.32.241.67 |
None. |
|
|
VSI-interface13342 |
197.32.42.254 |
Gateway of VXLAN 13342. |
|
|
VSI-interface13316 |
197.32.162.54 |
Gateway of VXLAN 13316. |
|
|
HGE1/0/25 |
Borrowed from Loopback 0 |
Connected to Spine A. |
|
|
HGE1/0/26 |
Borrowed from Loopback 0 |
Connected to Spine B. |
|
|
HGE1/0/31 |
N/A |
Connected to Leaf 6, member port of the IPL. |
|
|
Twenty-FiveGigE1/0/54 |
197.32.241.77 |
Connected to Leaf 6, member port of the keepalive link. |
|
|
Twenty-FiveGigE1/0/2 |
N/A |
Connected to the DHCP server. |
|
|
Leaf 6 |
Loopback0 |
197.32.241.46 |
None. |
|
Loopback2 |
197.32.241.67 |
None. |
|
|
VSI-interface13342 |
197.32.42.254 |
Gateway of VXLAN 13342. |
|
|
VSI-interface13316 |
197.32.162.54 |
Gateway of VXLAN 13316. |
|
|
HGE1/0/25 |
Borrowed from Loopback 0 |
Connected to Spine A. |
|
|
HGE1/0/26 |
Borrowed from Loopback 0 |
Connected to Spine B. |
|
|
HGE1/0/31 |
N/A |
Connected to Leaf 5, member port of the IPL. |
|
|
Twenty-FiveGigE1/0/54 |
197.32.241.78 |
Connected to Leaf 5, member port of the keepalive link. |
|
|
Border 1 |
Loopback0 |
197.32.241.47 |
None. |
|
Loopback2 |
197.32.241.86 |
None. |
|
|
HGE1/0/25 |
Borrowed from Loopback 0 |
Connected to Spine A. |
|
|
HGE1/0/26 |
Borrowed from Loopback 0 |
Connected to Spine B. |
|
|
HGE1/0/31 |
Borrowed from Loopback 0 |
Connected to Border 2, member port of the IPL. |
|
|
HGE1/0/51 |
Borrowed from Loopback 0 |
Connected to L3switch. |
|
|
Twenty-FiveGigE1/0/54 |
197.32.241.93 |
Connected to Border 2, member port of the keepalive link. |
|
|
Border 2 |
Loopback0 |
197.32.241.48 |
None. |
|
Loopback2 |
197.32.241.86 |
None. |
|
|
HGE1/0/25 |
Borrowed from Loopback 0 |
Connected to Spine A. |
|
|
HGE1/0/26 |
Borrowed from Loopback 0 |
Connected to Spine B. |
|
|
HGE1/0/31 |
Borrowed from Loopback 0 |
Connected to Border 1, member port of the IPL. |
|
|
HGE1/0/51 |
Borrowed from Loopback 0 |
Connected to L3switch. |
|
|
Twenty-FiveGigE1/0/54 |
197.32.241.94 |
Connected to Border 1, member port of the keepalive link. |
|
|
EW firewall |
Vlan-interface999 |
197.32.224.30 |
None. |
|
Vlan-interface1000 |
197.32.224.34 |
None. |
|
|
HGE2/0/29 |
N/A |
Connected to Leaf 1, member port of DR group member interface Bridge-Aggregation 257. |
|
|
HGE2/0/30 |
N/A |
Connected to Leaf 2, member port of DR group member interface Bridge-Aggregation 257. |
|
|
NS firewall |
Vlan-interface997 |
197.32.224.22 |
None. |
|
Vlan-interface998 |
197.32.224.26 |
None. |
|
|
HGE3/0/29 |
N/A |
Connected to Leaf 1, member port of DR group member interface Bridge-Aggregation 258. |
|
|
HGE3/0/30 |
N/A |
Connected to Leaf 2, member port of DR group member interface Bridge-Aggregation 258. |
|
|
DHCP server |
N/A |
197.32.42.9 |
None. |
Applicable product matrix
|
|
IMPORTANT: In addition to running an applicable software version, you must also install the most recent patch, if any. Microsegmentation and service chain are supported only by S6805, S6825, S6850, and S9850 switches. For configuration of other device models, see DRNI+EVPN Distributed Gateway+DHCP Relay Configuration Example. |
+DHCP%20Relay+Microsegmentation+Service%20Chain%20Configuration%20Example.files/image002.png){kind=small}
|
Role |
Device |
Software version |
|
Spine |
S12500X-AF |
F2809 and higher F28xx or R28xx versions |
|
S12500G-AF |
R7624P12 |
|
|
Border/Leaf |
S6800, S6860 |
F2717 and higher F27xx or R27xx versions Do not use F28xx or R28xx versions. |
|
S6805, S6825, S6850, S9850 S6850 switches are used in this configuration example. |
F6632 and higher F66xx or R66xx versions |
|
|
S6890 |
F2809 and higher F28xx or R28xx versions |
|
|
S6812, S6813 |
Under development. To obtain the latest images, contact Technical Support. |
|
|
S9820-64H (EVPN gateway not supported) S9820-8C (EVPN not supported) |
Not supported |
|
|
SDN controller |
N/A |
E3610P12H02, or contact Technical Support to obtain a higher version |
Restrictions and guidelines
· The member devices in a DR system must use the same DR system MAC address. Different DR systems must each have a unique DR system MAC address on the network.
· As a best practice, run a dynamic routing protocol between the spine devices and the external network.
· If leaf devices provide both distributed EVPN gateway and DHCP relay services, you must perform the following steps:
¡ Execute the dhcp relay mac-forward enable command to enable MAC address table lookup for DHCP replies that do not have request forwarding information.
¡ Execute the dhcp relay request-from-tunnel discard command on the VSI interfaces that act as DHCP relay agents to discard the DHCP requests received from VXLAN tunnels. This feature prevents the DHCP server from receiving the same DHCP request from the relay agents on different leaf devices.
Configuring the service leaf nodes (Leaf 1 and Leaf 2)
Procedure summary
· Configuring the device modes
· Configuring the underlay routing protocol
· Setting up the DR system and the IPL link
· Configuring the firewall-attached DR interfaces on the leaf devices
· Configuring the links towards the spine tier
· Configuring distributed EVPN gateways
Configuring the device modes
For how to configure the device modes, see ADDC solution deployment guides. The mode-related configurations might include the following types:
· Hardware resource mode configuration (for example, the hardware-resource switch-mode command on S6850 switches).
· Support for IPv6 routes with the prefix longer than 64 bits (for example, the hardware-resource routing-mode ipv6-128 command on S6850 switches).
· VXLAN hardware resource mode configuration (for example, the hardware-resource vxlan command on S6850 switches).
Configuring the underlay routing protocol
|
Leaf 1 (S6850) |
Leaf 2 (S6850) |
Configuration method |
Description |
|
router id 197.32.241.41 |
router id 197.32.241.42 |
Manual or controller-based |
Configure a router ID. |
|
ospf 65530 |
ospf 65530 |
Manual or controller-based |
Run OSPF process 65530. |
|
non-stop-routing |
non-stop-routing |
Manual or controller-based |
Enable OSPF NSR. |
|
stub-router include-stub on-startup 900 |
stub-router include-stub on-startup 900 |
Manual or controller-based |
Specify the cost of the stub links (link type 3) in Router LSAs to the maximum value 65535 to accelerate network convergence. |
|
area 0.0.0.0 |
area 0.0.0.0 |
Manual or controller-based |
Create OSPF area 0.0.0.0. |
|
interface LoopBack0 |
interface LoopBack0 |
Manual or controller-based |
Enter the view of Loopback 0. |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on Loopback 0. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface LoopBack2 |
interface LoopBack2 |
Manual or controller-based |
Enter the view of Loopback 2. |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on Loopback 2. |
Configuring L3VPN
|
Leaf 1 (S6850) |
Leaf 2 (S6850) |
Configuration method |
Description |
|
interface LoopBack0 |
interface LoopBack0 |
Manual or controller-based |
Configure Loopback 0. |
|
ip address 197.32.241.41 255.255.255.255 |
ip address 197.32.241.42 255.255.255.255 |
Manual or controller-based |
Assign an IP address to Loopback 0. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface LoopBack2 |
interface LoopBack2 |
Manual or controller-based |
Configure Loopback 2. |
|
ip address 197.32.241.55 255.255.255.255 |
ip address 197.32.241.55 255.255.255.255 |
Manual or controller-based |
Assign an IP address to Loopback 2. |
|
ip vpn-instance auto-online-mlag |
ip vpn-instance auto-online-mlag |
Manual or controller-based |
Configure the VPN instance where the keepalive link belongs. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
ip vpn-instance mgmt |
ip vpn-instance mgmt |
Manual or controller-based |
Configure the VPN instance where the management interface belongs. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
ip vpn-instance ZHTESTCTVRF |
ip vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Configure the service VPN instance where the servers belong. To ensure correct route learning, configure consistent route targets for the service VPN instance on different devices. |
|
route-distinguisher 1:10000 |
route-distinguisher 2:10000 |
Manual or controller-based |
Configure an RD for the VPN instance. |
|
address-family ipv4 |
address-family ipv4 |
Manual or controller-based |
Enter VPN instance IPv4 address family view. |
|
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity |
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity |
Manual or controller-based |
Configure import targets in VPN instance IPv4 address family view. |
|
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity |
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity |
Manual or controller-based |
Configure export targets in VPN instance IPv4 address family view. |
|
quit |
quit |
Manual or controller-based |
Return to VPN instance view. |
|
address-family ipv6 |
address-family ipv6 |
Manual or controller-based |
Enter VPN instance IPv6 address family view. |
|
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity |
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity |
Manual or controller-based |
Configure import targets in VPN instance IPv6 address family view. |
|
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity |
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity |
Manual or controller-based |
Configure export targets in VPN instance IPv6 address family view. |
|
quit |
quit |
Manual or controller-based |
Return to VPN instance view. |
|
address-family evpn |
address-family evpn |
Manual or controller-based |
Enter VPN instance EVPN address family view. |
|
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity |
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity |
Manual or controller-based |
Configure import targets in VPN instance EVPN address family view. |
|
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity |
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity |
Manual or controller-based |
Configure export targets in VPN instance EVPN address family view. |
|
quit |
quit |
Manual or controller-based |
Return to VPN instance view. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
ip vpn-instance ZHTESTCTFWNS01VRF |
ip vpn-instance ZHTESTCTFWNS01VRF |
Manual or controller-based |
Configure the VPN instance where firewall NS belongs. To ensure correct route learning, configure consistent route targets for the NS firewall VPN instance on different devices. |
|
route-distinguisher 1:10001 |
route-distinguisher 2:10001 |
Manual or controller-based |
Configure an RD for the VPN instance. |
|
address-family ipv4 |
address-family ipv4 |
Manual or controller-based |
Enter VPN instance IPv4 address family view. |
|
vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity |
vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity |
Manual or controller-based |
Configure import targets in VPN instance IPv4 address family view. |
|
vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity |
vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity |
Manual or controller-based |
Configure export targets in VPN instance IPv4 address family view. |
|
quit |
quit |
Manual or controller-based |
Return to VPN instance view. |
|
address-family ipv6 |
address-family ipv6 |
Manual or controller-based |
Enter VPN instance IPv6 address family view. |
|
route-replicate from vpn-instance ZHTESTCTVRF protocol vlink-direct |
route-replicate from vpn-instance ZHTESTCTVRF protocol vlink-direct |
Manual or controller-based |
Redistribute the IPv6 VLINK direct routes of VPN instance ZHTESTCTVRF to the current VPN instance. |
|
vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity |
vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity |
Manual or controller-based |
Configure import targets in VPN instance IPv6 address family view. |
|
vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity |
vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity |
Manual or controller-based |
Configure export targets in VPN instance IPv6 address family view. |
|
quit |
quit |
Manual or controller-based |
Return to VPN instance view. |
|
address-family evpn |
address-family evpn |
Manual or controller-based |
Enter VPN instance EVPN address family view. |
|
vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity |
vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity |
Manual or controller-based |
Configure import targets in VPN instance EVPN address family view. |
|
vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity |
vpn-target0:10001 1:10001 0.39.17.0:10000 export-extcommunity |
Manual or controller-based |
Configure export targets in VPN instance EVPN address family view. |
|
quit |
quit |
Manual or controller-based |
Return to VPN instance view. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
ip vpn-instance ZHTESTCTFWEW01VRF |
ip vpn-instance ZHTESTCTFWEW01VRF |
Manual or controller-based |
Configure the VPN instance where firewall EW belongs. To ensure correct route learning, configure consistent route targets for firewall EW VPN instance on different devices. |
|
route-distinguisher 1:10002 |
route-distinguisher 2:10002 |
Manual or controller-based |
Configure an RD for the VPN instance. |
|
address-family ipv4 |
address-family ipv4 |
Manual or controller-based |
Enter VPN instance IPv4 address family view. |
|
vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity |
vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity |
Manual or controller-based |
Configure import targets in VPN instance IPv4 address family view. |
|
vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity |
vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity |
Manual or controller-based |
Configure export targets in VPN instance IPv4 address family view. |
|
quit |
quit |
Manual or controller-based |
Return to VPN instance view. |
|
address-family ipv6 |
address-family ipv6 |
Manual or controller-based |
Enter VPN instance IPv6 address family view. |
|
route-replicate from vpn-instance ZHTESTCTVRF protocol vlink-direct |
route-replicate from vpn-instance ZHTESTCTVRF protocol vlink-direct |
Manual or controller-based |
Redistribute the IPv6 VLINK direct routes of VPN instance ZHTESTCTVRF to the current VPN instance. |
|
vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity |
vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity |
Manual or controller-based |
Configure import targets in VPN instance IPv6 address family view. |
|
vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity |
vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity |
Manual or controller-based |
Configure export targets in VPN instance IPv6 address family view. |
|
quit |
quit |
Manual or controller-based |
Return to VPN instance view. |
|
address-family evpn |
address-family evpn |
Manual or controller-based |
Enter VPN instance EVPN address family view. |
|
vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity |
vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity |
Manual or controller-based |
Configure import targets in VPN instance EVPN address family view. |
|
vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity |
vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity |
Manual or controller-based |
Configure export targets in VPN instance EVPN address family view. |
|
quit |
quit |
Manual or controller-based |
Return to VPN instance view. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
ip route-static vpn-instance ZHTESTCTFWNS01VRF 0.0.0.0 0 vpn-instance ZHTESTCTVRF 197.32.224.18 description SDN_ROUTE |
ip route-static vpn-instance ZHTESTCTFWNS01VRF 0.0.0.0 0 vpn-instance ZHTESTCTVRF 197.32.224.18 description SDN_ROUTE |
Manual or controller-based |
Direct the traffic matching the IPv4 default route of the NS firewall VPN instance to the external network address configured on the border devices in the user VPN instance. This configuration ensures correct forwarding of south-to-north traffic returned from firewall NS. |
|
ipv6 route-static vpn-instance ZHTESTCTFWNS01VRF :: 0 vpn-instance ZHTESTCTVRF FD00:0:97B0:2::F description SDN_ROUTE |
ipv6 route-static vpn-instance ZHTESTCTFWNS01VRF :: 0 vpn-instance ZHTESTCTVRF FD00:0:97B0:2::F description SDN_ROUTE |
Manual or controller-based |
Direct the traffic matching the IPv6 default route of the NS firewall VPN instance to the external network address configured on the border devices in the user VPN instance. This configuration ensures correct forwarding of south-to-north traffic returned from firewall NS. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
Setting up the DR system and the IPL link
|
Leaf 1 (S6850) |
Leaf 2 (S6850) |
Configuration method |
Description |
|
drni system-mac 0c3a-fa36-ef49 |
drni system-mac 0c3a-fa36-ef49 |
Manual or controller-based |
Set the MAC address of the DR system. You must assign the same DR system MAC address to the member devices in a DR system. |
|
drni system-number 1 |
drni system-number 2 |
Manual or controller-based |
Set the DR system number. You must assign different DR system numbers to the member devices in a DR system. |
|
drni system-priority 10 |
drni system-priority 10 |
Manual or controller-based |
Set the DR system priority. You must set the same DR system priority on the member devices in a DR system. |
|
drni keepalive ip destination 197.32.241.58 source 197.32.241.57 vpn-instance auto-online-mlag |
drni keepalive ip destination 197.32.241.57 source 197.32.241.58 vpn-instance auto-online-mlag |
Manual or controller-based |
Configure the source and destination IP addresses of keepalive packets. The source and destination IP addresses specified on one member device must be the destination and source IP addresses specified on the other, respectively. |
|
drni restore-delay 300 |
drni restore-delay 300 |
Manual or controller-based |
Set the data restoration interval. To avoid packet loss and forwarding failure, increase the data restoration interval if the amount of data is large, for example, when the device has a large number of routes and interfaces. |
|
drni mad default-action none |
drni mad default-action none |
Manual or controller-based |
Set the DRNI MAD action to none. When the DR system splits, DRNI MAD will not shut down any network interfaces, except the interfaces configured manually or by the system to be shut down by DRNI MAD. |
|
drni mad include interface HundredGigE1/0/25 drni mad include interface HundredGigE1/0/26 drni mad include interface HundredGigE1/0/51 drni mad include interface HundredGigE1/0/52 |
drni mad include interface HundredGigE1/0/25 drni mad include interface HundredGigE1/0/26 drni mad include interface HundredGigE1/0/51 drni mad include interface HundredGigE1/0/52 |
Manual or controller-based |
Configure DRNI MAD to shut down the uplink interfaces and firewall-attached physical interfaces. |
|
interface Twenty-FiveGigE 1/0/54 |
interface Twenty-FiveGigE 1/0/54 |
Manual or controller-based |
Enter the interface view for the keepalive link. |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the interface for keepalive detection to operate in route mode as a Layer 3 interface. |
|
ip binding vpn-instance auto-online-mlag |
ip binding vpn-instance auto-online-mlag |
Manual or controller-based |
Associate the interface with VPN instance auto-online-mlag, the VPN instance for DRNI keepalive detection. |
|
ip address 197.32.241.57 255.255.255.252 |
ip address 197.32.241.58 255.255.255.252 |
Manual or controller-based |
Assign an IP address to the interface as planned. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface bridge-aggregation 256 |
interface bridge-aggregation 256 |
Manual or controller-based |
Create the Layer 2 aggregate interface to be used as IPP, and enter interface view. |
|
link-aggregation mode dynamic |
link-aggregation mode dynamic |
Manual or controller-based |
Configure the aggregate interface to operate in dynamic mode. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface HundredGigE1/0/31 |
interface HundredGigE1/0/31 |
Manual or controller-based |
Enter the view of the physical port for the IPL. |
|
port link-aggregation group 256 |
port link-aggregation group 256 |
Manual or controller-based |
Assign the physical port to the aggregation group for the IPL (aggregation group 256). |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface bridge-aggregation 256 |
interface bridge-aggregation 256 |
Manual or controller-based |
Enter aggregate interface view. |
|
port drni intra-portal-port 1 |
port drni intra-portal-port 1 |
Manual or controller-based |
Specify Bridge-Aggregation 256 as the IPP. |
|
port trunk pvid vlan 4094 |
port trunk pvid vlan 4094 |
Manual or controller-based |
Set the PVID of the physical port to 4094. |
|
undo mac-address static source-check enable |
undo mac-address static source-check enable |
Manual or controller-based |
Disable the static source check feature on Bridge-Aggregation 256. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface Vlan-interface 4094 |
interface Vlan-interface 4094 |
Manual or controller-based |
Create a VLAN interface on each of the DR member devices to establish Layer 3 connectivity for forwarding packets from devices single-homed to only one DR interface. This example uses VLAN-interface 4094. |
|
ip address 197.32.241.141 255.255.255.0 |
ip address 197.32.241.142 255.255.255.0 |
Manual or controller-based |
Assign an IP address to VLAN-interface 4094. |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Configure OSPF on VLAN-interface 4094. |
Configuring the firewall-attached DR interfaces on the leaf devices
|
Leaf 1 (S6850) |
Leaf 2 (S6850) |
Configuration method |
Description |
|
interface bridge-aggregation 257 |
interface bridge-aggregation 257 |
Manual or controller-based |
Create the Layer 2 aggregate interface to be used as the DR interface connected to firewall EW. |
|
link-aggregation mode dynamic |
link-aggregation mode dynamic |
Manual or controller-based |
Configure the aggregate interface to operate in dynamic mode. |
|
port drni group 1 |
port drni group 1 |
Manual or controller-based |
Assign the aggregate interface (Bridge-Aggregation 257) to DR group 1. |
|
port link-type trunk |
port link-type trunk |
Manual or controller-based |
Set the link type of DR interface Bridge-Aggregation 257 to trunk. |
|
port trunk permit vlan 1 997 to 1000 |
port trunk permit vlan 1 997 to 1000 |
Manual or controller-based |
Assign DR interface Bridge-Aggregation 257 to VLANs 997 through 1000. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface HundredGigE1/0/51 |
interface HundredGigE1/0/51 |
Manual or controller-based |
Enter the view of the physical port connected to firewall EW. |
|
port link-type trunk |
port link-type trunk |
Manual or controller-based |
Set the link type of the physical port to trunk. |
|
port trunk permit vlan 1 997 to 1000 |
port trunk permit vlan 1 997 to 1000 |
Manual or controller-based |
Assign the physical port to VLANs 997 through 1000. |
|
port link-aggregation group 257 |
port link-aggregation group 257 |
Manual or controller-based |
Assign the physical port to aggregation group 257. This is the aggregation group for the aggregate interface connected to firewall EW. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface bridge-aggregation 258 |
interface bridge-aggregation 258 |
Manual or controller-based |
Create the Layer 2 aggregate interface to be used as the DR interface connected to firewall NS. |
|
link-aggregation mode dynamic |
link-aggregation mode dynamic |
Manual or controller-based |
Configure the aggregate interface to operate in dynamic mode. |
|
port drni group 2 |
port drni group 2 |
Manual or controller-based |
Assign the aggregate interface (Bridge-Aggregation 258) to DR group 2. |
|
port link-type trunk |
port link-type trunk |
Manual or controller-based |
Set the link type of DR interface Bridge-Aggregation 258 to trunk. |
|
port trunk permit vlan 1 997 to 1000 |
port trunk permit vlan 1 997 to 1000 |
Manual or controller-based |
Assign DR interface Bridge-Aggregation 258 to VLANs 997 through 1000. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface HundredGigE1/0/52 |
interface HundredGigE1/0/52 |
Manual or controller-based |
Enter the view of the physical port connected to firewall NS. |
|
port link-type trunk |
port link-type trunk |
Manual or controller-based |
Set the link type of the physical port to trunk. |
|
port trunk permit vlan 1 997 to 1000 |
port trunk permit vlan 1 997 to 1000 |
Manual or controller-based |
Assign the physical port to VLANs 997 through 1000. |
|
port link-aggregation group 258 |
port link-aggregation group 258 |
Manual or controller-based |
Assign the physical port to aggregation group 258. This is the aggregation group for the aggregate interface connected to firewall NS. |
Configuring the links towards the spine tier
|
Leaf 1 (S6850) |
Leaf 2 (S6850) |
Configuration method |
Description |
|
interface HundredGigE1/0/25 |
interface HundredGigE1/0/25 |
Manual or controller-based |
Enter the view of the physical interface connected to Spine A. |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the interface to operate in route mode as a Layer 3 interface. |
|
ip address unnumbered interface LoopBack0 |
ip address unnumbered interface LoopBack0 |
Manual or controller-based |
Configure the interface to borrow the IP address of Loopback 0. |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the interface. |
|
undo mac-address static source-check enable |
undo mac-address static source-check enable |
Manual or controller-based |
Disable the static source check feature on the interface. |
|
lldp compliance admin-status cdp txrx |
lldp compliance admin-status cdp txrx |
Manual or controller-based |
Configure CDP-compatible LLDP to operate in TxRx mode. In this mode, LLDP both sends and receives CDP packets. |
|
lldp management-address arp-learning |
lldp management-address arp-learning |
Manual or controller-based |
Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface. |
|
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0 |
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0 |
Manual or controller-based |
Specify advertisable TLVs on the interface. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface HundredGigE1/0/26 |
interface HundredGigE1/0/26 |
Manual or controller-based |
Enter the view of the physical interface connected to Spine B. |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the interface to operate in route mode as a Layer 3 interface. |
|
ip address unnumbered interface LoopBack0 |
ip address unnumbered interface LoopBack0 |
Manual or controller-based |
Configure the interface to borrow the IP address of Loopback 0. |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the interface. |
|
undo mac-address static source-check enable |
undo mac-address static source-check enable |
Manual or controller-based |
Disable the static source check feature on the interface. |
|
lldp compliance admin-status cdp txrx |
lldp compliance admin-status cdp txrx |
Manual or controller-based |
Configure CDP-compatible LLDP to operate in TxRx mode. In this mode, LLDP both sends and receives CDP packets. |
|
lldp management-address arp-learning |
lldp management-address arp-learning |
Manual or controller-based |
Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface. |
|
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0 |
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0 |
Manual or controller-based |
Specify advertisable TLVs on the interface. |
Configuring distributed EVPN gateways
|
Leaf 1 (S6850) |
Leaf 2 (S6850) |
Configuration method |
Description |
|
l2vpn enable |
l2vpn enable |
Manual or controller-based |
Enable L2VPN. |
|
l2vpn drni peer-link ac-match-rule vxlan-mapping |
l2vpn drni peer-link ac-match-rule vxlan-mapping |
Manual or controller-based |
Enable the device to create frame match criteria based on VXLAN IDs for the dynamic ACs on the Ethernet aggregate link IPL. |
|
vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable |
vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable |
Manual or controller-based |
Disable remote ARP learning. This setting avoids the conflict between automatically learned ARP entries and ARP entries advertised through BGP EVPN. |
|
vxlan tunnel mac-learning disable |
vxlan tunnel mac-learning disable |
Manual or controller-based |
Disable remote MAC address learning. This setting avoids the conflict between automatically learned MAC address entries and MAC address entries advertised through BGP EVPN. |
|
vxlan default-decapsulation source interface LoopBack0 |
vxlan default-decapsulation source interface LoopBack0 |
Manual or controller-based |
Enable the device to always decapsulate the VXLAN packets destined for the IP address of Loopback 0, whether or not it has a VXLAN tunnel for them. |
|
vlan all |
vlan all |
Manual or controller-based |
Create VLANs 1 through 4094. |
|
evpn drni group 197.32.241.55 |
evpn drni group 197.32.241.55 |
Manual or controller-based |
Enable EVPN DRNI and set the virtual VTEP address. |
|
evpn drni local 197.32.241.41 remote 197.32.241.42 |
evpn drni local 197.32.241.42 remote 197.32.241.41 |
Manual or controller-based |
Specify the IP addresses of the local and peer VTEPs in the DR system. This step is required if the DR system uses an Ethernet aggregate link as the IPL and has ACs attached to only one of the member devices. |
|
evpn global-mac 0c3a-fa38-4695 |
evpn global-mac 0c3a-fa38-4695 |
Manual or controller-based |
Configure an EVPN global MAC address. |
|
interface Vsi-interface10997 |
interface Vsi-interface10997 |
Manual or controller-based |
Create the VSI interface to be used as a distributed EVPN gateway member for routing traffic to firewall NS. |
|
ip binding vpn-instance ZHTESTCTFWNS01VRF |
ip binding vpn-instance ZHTESTCTFWNS01VRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for firewall NS. |
|
ip address 197.32.224.21 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:100::/64 no-advertise ipv6 address FD00:0:97B0:100::1/64 |
ip address 197.32.224.21 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:100::/64 no-advertise ipv6 address FD00:0:97B0:100::1/64 |
Manual or controller-based |
Assign an IP address to the VSI interface. You must assign the same IP address to all members of the distributed EVPN gateway for a VXLAN on different devices. |
|
mac-address 6805-ca21-d6e5 |
mac-address 6805-ca21-d6e5 |
Manual or controller-based |
Assign a MAC address to the distributed EVPN gateway. You must assign the same MAC address to all members of the distributed EVPN gateway for a VXLAN on different devices. |
|
arp route-direct advertise |
arp route-direct advertise |
Manual or controller-based |
Enable ARP direct route advertisement. |
|
distributed-gateway local |
distributed-gateway local |
Manual or controller-based |
Enable distributed gateway service on the VSI interface. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface Vsi-interface10998 |
interface Vsi-interface10998 |
Manual or controller-based |
Create the VSI interface to be used as a distributed EVPN gateway member for receiving traffic returned from firewall NS. |
|
ip binding vpn-instance ZHTESTCTFWNS01VRF |
ip binding vpn-instance ZHTESTCTFWNS01VRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for firewall NS. |
|
ip address 197.32.224.25 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:101::/64 no-advertise ipv6 address FD00:0:97B0:101::1/64 |
ip address 197.32.224.25 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:101::/64 no-advertise ipv6 address FD00:0:97B0:101::1/64 |
Manual or controller-based |
Assign an IP address to the VSI interface. You must assign the same IP address to all members of the distributed EVPN gateway for a VXLAN on different devices. |
|
mac-address 6805-ca21-d6e5 |
mac-address 6805-ca21-d6e5 |
Manual or controller-based |
Assign a MAC address to the distributed EVPN gateway. You must assign the same MAC address to all members of the distributed EVPN gateway for a VXLAN on different devices. |
|
arp route-direct advertise |
arp route-direct advertise |
Manual or controller-based |
Enable ARP direct route advertisement. |
|
distributed-gateway local |
distributed-gateway local |
Manual or controller-based |
Enable distributed gateway service on the VSI interface. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface Vsi-interface10999 |
interface Vsi-interface10999 |
Manual or controller-based |
Create the VSI interface to be used as a distributed EVPN gateway member for routing traffic to firewall EW. |
|
ip binding vpn-instance ZHTESTCTFWEW01VRF |
ip binding vpn-instance ZHTESTCTFWEW01VRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for firewall EW. |
|
ip address 197.32.224.29 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:102::/64 no-advertise ipv6 address FD00:0:97B0:102::1/64 |
ip address 197.32.224.29 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:102::/64 no-advertise ipv6 address FD00:0:97B0:102::1/64 |
Manual or controller-based |
Assign an IP address to the VSI interface. You must assign the same IP address to all members of the distributed EVPN gateway for a VXLAN on different devices. |
|
mac-address 6805-ca21-d6e5 |
mac-address 6805-ca21-d6e5 |
Manual or controller-based |
Assign a MAC address to the distributed EVPN gateway. You must assign the same MAC address to all members of the distributed EVPN gateway for a VXLAN on different devices. |
|
arp route-direct advertise |
arp route-direct advertise |
Manual or controller-based |
Enable ARP direct route advertisement. |
|
distributed-gateway local |
distributed-gateway local |
Manual or controller-based |
Enable distributed gateway service on the VSI interface. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface Vsi-interface11000 |
interface Vsi-interface11000 |
Manual or controller-based |
Create the VSI interface to be used as a distributed EVPN gateway member for receiving traffic returned from firewall EW. |
|
ip binding vpn-instance ZHTESTCTFWEW01VRF |
ip binding vpn-instance ZHTESTCTFWEW01VRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for firewall EW. |
|
ip address 197.32.224.33 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:103::/64 no-advertise ipv6 address FD00:0:97B0:103::1/64 |
ip address 197.32.224.33 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:103::/64 no-advertise ipv6 address FD00:0:97B0:103::1/64 |
Manual or controller-based |
Assign an IP address to the VSI interface. You must assign the same IP address to all members of the distributed EVPN gateway for a VXLAN on different devices. |
|
mac-address 6805-ca21-d6e5 |
mac-address 6805-ca21-d6e5 |
Manual or controller-based |
Assign a MAC address to the distributed EVPN gateway. You must assign the same MAC address to all members of the distributed EVPN gateway for a VXLAN on different devices. |
|
arp route-direct advertise |
arp route-direct advertise |
Manual or controller-based |
Enable ARP direct route advertisement. |
|
distributed-gateway local |
distributed-gateway local |
Manual or controller-based |
Enable distributed gateway service on the VSI interface. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
vsi SDN_VSI_10997 |
vsi SDN_VSI_10997 |
Manual or controller-based |
Create the VSI for sending traffic to firewall NS. |
|
gateway vsi-interface 10997 |
gateway vsi-interface 10997 |
Manual or controller-based |
Specify a gateway interface for the VSI. |
|
arp suppression enable ipv6 nd suppression enable |
arp suppression enable ipv6 nd suppression enable |
Manual or controller-based |
Enable ARP flood suppression and ND flood suppression. |
|
vxlan 10997 |
vxlan 10997 |
Manual or controller-based |
Create VXLAN 10997. |
|
quit |
quit |
Manual or controller-based |
Return to VSI view. |
|
evpn encapsulation vxlan |
evpn encapsulation vxlan |
Manual or controller-based |
Create a VXLAN EVPN instance on the VSI. |
|
route-distinguisher auto |
route-distinguisher auto |
Manual or controller-based |
Configure the device to automatically generate an RD for the EVPN instance. |
|
vpn-target auto export-extcommunity |
vpn-target auto export-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an export RT for the EVPN instance. |
|
vpn-target auto import-extcommunity |
vpn-target auto import-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an import RT for the EVPN instance. |
|
quit quit |
quit quit |
Manual or controller-based |
Return to system view. |
|
vsi SDN_VSI_10998 |
vsi SDN_VSI_10998 |
Manual or controller-based |
Create the VSI for receiving traffic from firewall NS. |
|
gateway vsi-interface 10998 |
gateway vsi-interface 10998 |
Manual or controller-based |
Specify a gateway interface for the VSI. |
|
arp suppression enable ipv6 nd suppression enable |
arp suppression enable ipv6 nd suppression enable |
Manual or controller-based |
Enable ARP flood suppression and ND flood suppression. |
|
vxlan 10998 |
vxlan 10998 |
Manual or controller-based |
Create VXLAN 10998. |
|
quit |
quit |
Manual or controller-based |
Return to VSI view. |
|
evpn encapsulation vxlan |
evpn encapsulation vxlan |
Manual or controller-based |
Create a VXLAN EVPN instance on the VSI. |
|
route-distinguisher auto |
route-distinguisher auto |
Manual or controller-based |
Configure the device to automatically generate an RD for the EVPN instance. |
|
vpn-target auto export-extcommunity |
vpn-target auto export-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an export RT for the EVPN instance. |
|
vpn-target auto import-extcommunity |
vpn-target auto import-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an import RT for the EVPN instance. |
|
quit quit |
quit quit |
Manual or controller-based |
Return to system view. |
|
vsi SDN_VSI_10999 |
vsi SDN_VSI_10999 |
Manual or controller-based |
Create the VSI for sending traffic to firewall EW. |
|
gateway vsi-interface 10999 |
gateway vsi-interface 10999 |
Manual or controller-based |
Specify a gateway interface for the VSI. |
|
arp suppression enable ipv6 nd suppression enable |
arp suppression enable ipv6 nd suppression enable |
Manual or controller-based |
Enable ARP flood suppression and ND flood suppression. |
|
vxlan 10999 |
vxlan 10999 |
Manual or controller-based |
Create VXLAN 10999. |
|
quit |
quit |
Manual or controller-based |
Return to VSI view. |
|
evpn encapsulation vxlan |
evpn encapsulation vxlan |
Manual or controller-based |
Create a VXLAN EVPN instance on the VSI. |
|
route-distinguisher auto |
route-distinguisher auto |
Manual or controller-based |
Configure the device to automatically generate an RD for the EVPN instance. |
|
vpn-target auto export-extcommunity |
vpn-target auto export-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an export RT for the EVPN instance. |
|
vpn-target auto import-extcommunity |
vpn-target auto import-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an import RT for the EVPN instance. |
|
quit quit |
quit quit |
Manual or controller-based |
Return to system view. |
|
vsi SDN_VSI_11000 |
vsi SDN_VSI_11000 |
Manual or controller-based |
Create the VSI for receiving traffic from firewall EW. |
|
gateway vsi-interface 11000 |
gateway vsi-interface 11000 |
Manual or controller-based |
Specify a gateway interface for the VSI. |
|
arp suppression enable ipv6 nd suppression enable |
arp suppression enable ipv6 nd suppression enable |
Manual or controller-based |
Enable ARP flood suppression and ND flood suppression. |
|
vxlan 11000 |
vxlan 11000 |
Manual or controller-based |
Create VXLAN 11000. |
|
quit |
quit |
Manual or controller-based |
Return to VSI view. |
|
evpn encapsulation vxlan |
evpn encapsulation vxlan |
Manual or controller-based |
Create a VXLAN EVPN instance on the VSI. |
|
route-distinguisher auto |
route-distinguisher auto |
Manual or controller-based |
Configure the device to automatically generate an RD for the EVPN instance. |
|
vpn-target auto export-extcommunity |
vpn-target auto export-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an export RT for the EVPN instance. |
|
vpn-target auto import-extcommunity |
vpn-target auto import-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an import RT for the EVPN instance. |
|
quit quit |
quit quit |
Manual or controller-based |
Return to system view. |
|
interface Vsi-interface10001 |
interface Vsi-interface10001 |
Manual or controller-based |
Create the VSI interface for L3 connectivity to firewall NS. |
|
ip binding vpn-instance ZHTESTCTFWNS01VRF |
ip binding vpn-instance ZHTESTCTFWNS01VRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for firewall NS. |
|
ipv6 address auto link-local |
ipv6 address auto link-local |
Manual or controller-based |
Automatically generate a link-local address for the VSI interface. |
|
l3-vni 10001 |
l3-vni 10001 |
Manual or controller-based |
Assign an L3VNI to the interface. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface Vsi-interface10002 |
interface Vsi-interface10002 |
Manual or controller-based |
Create the VSI interface for L3 connectivity to firewall EW. |
|
ip binding vpn-instance ZHTESTCTFWEW01VRF |
ip binding vpn-instance ZHTESTCTFWEW01VRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for firewall EW. |
|
ipv6 address auto link-local |
ipv6 address auto link-local |
Manual or controller-based |
Automatically generate a link-local address for the VSI interface. |
|
l3-vni 10002 |
l3-vni 10002 |
Manual or controller-based |
Assign an L3VNI to the interface. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
|
interface Vsi-interface10000 |
interface Vsi-interface10000 |
Manual or controller-based |
Create the VSI interface for L3 connectivity to servers. |
|
ip binding vpn-instance ZHTESTCTVRF |
ip binding vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for servers. |
|
ipv6 address auto link-local |
ipv6 address auto link-local |
Manual or controller-based |
Automatically generate a link-local address for the VSI interface. |
|
l3-vni 10000 |
l3-vni 10000 |
Manual or controller-based |
Assign an L3VNI to the interface. |
|
bgp 65530 |
bgp 65530 |
Manual or controller-based |
Enable the specified BGP instance and enter its view. |
|
non-stop-routing |
non-stop-routing |
Manual or controller-based |
Enable BGP nonstop routing (NSR). |
|
router-id 197.32.241.41 |
router-id 197.32.241.42 |
Manual or controller-based |
Specify a unique router ID for the BGP instance on each BGP device. |
|
group evpn internal |
group evpn internal |
Manual or controller-based |
Create an IBGP peer group named evpn. |
|
peer evpn connect-interface LoopBack0 |
peer evpn connect-interface LoopBack0 |
Manual or controller-based |
Specify a source interface for establishing TCP connections to a peer or peer group. |
|
peer 197.32.241.37 group evpn |
peer 197.32.241.37 group evpn |
Manual or controller-based |
Add node Spine A to IBGP group evpn. |
|
peer 197.32.241.38 group evpn |
peer 197.32.241.38 group evpn |
Manual or controller-based |
Add node Spine B to IBGP group evpn. |
|
address-family l2vpn evpn |
address-family l2vpn evpn |
Manual or controller-based |
Create the BGP EVPN address family and enter its view. |
|
peer evpn enable |
peer evpn enable |
Manual or controller-based |
Enable BGP to exchange BGP EVPN routes with IBGP peer group evpn. |
|
quit |
quit |
Manual or controller-based |
Return to BGP instance view. |
|
ip vpn-instance ZHTESTCTFWEW01VRF |
ip vpn-instance ZHTESTCTFWEW01VRF |
Manual or controller-based |
Create a BGP-VPN instance for the VPN instance that contains firewall EW, and enter BGP-VPN instance view. |
|
address-family ipv4 unicast |
address-family ipv4 unicast |
Manual or controller-based |
Create the BGP-VPN IPv4 unicast address family and enter its view. |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
|
network 197.32.224.28 255.255.255.252 network 197.32.224.29 255.255.255.255 network 197.32.224.30 255.255.255.255 network 197.32.224.32 255.255.255.252 network 197.32.224.33 255.255.255.255 network 197.32.224.34 255.255.255.255 |
network 197.32.224.28 255.255.255.252 network 197.32.224.29 255.255.255.255 network 197.32.224.30 255.255.255.255 network 197.32.224.32 255.255.255.252 network 197.32.224.33 255.255.255.255 network 197.32.224.34 255.255.255.255 |
Manual or controller-based |
Specify the local networks to be advertised by BGP. |
|
quit quit |
quit quit |
Manual or controller-based |
Return to BGP instance view. |
|
address-family ipv6 unicast |
address-family ipv6 unicast |
Manual or controller-based |
Create the BGP-VPN IPv6 unicast address family and enter its view. |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
|
network FD00:0:97B0:102:: 64 network FD00:0:97B0:102::1 128 network FD00:0:97B0:102::F 128 network FD00:0:97B0:103:: 64 network FD00:0:97B0:103::1 128 network FD00:0:97B0:103::F 128 |
network FD00:0:97B0:102:: 64 network FD00:0:97B0:102::1 128 network FD00:0:97B0:102::F 128 network FD00:0:97B0:103:: 64 network FD00:0:97B0:103::1 128 network FD00:0:97B0:103::F 128 |
Manual or controller-based |
Specify the local networks to be advertised by BGP. |
|
quit quit |
quit quit |
Manual or controller-based |
Return to BGP instance view. |
|
ip vpn-instance ZHTESTCTFWNS01VRF |
ip vpn-instance ZHTESTCTFWNS01VRF |
Manual or controller-based |
Create a BGP-VPN instance for the VPN instance that contains firewall NS, and enter BGP-VPN instance view. |
|
address-family ipv4 unicast |
address-family ipv4 unicast |
Manual or controller-based |
Create the BGP-VPN IPv4 unicast address family and enter its view. |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
|
network 197.32.224.20 255.255.255.252 network 197.32.224.21 255.255.255.255 network 197.32.224.22 255.255.255.255 network 197.32.224.24 255.255.255.252 network 197.32.224.25 255.255.255.255 network 197.32.224.26 255.255.255.255 |
network 197.32.224.20 255.255.255.252 network 197.32.224.21 255.255.255.255 network 197.32.224.22 255.255.255.255 network 197.32.224.24 255.255.255.252 network 197.32.224.25 255.255.255.255 network 197.32.224.26 255.255.255.255 |
Manual or controller-based |
Specify the local networks to be advertised by BGP. |
|
quit quit |
quit quit |
Manual or controller-based |
Return to BGP instance view. |
|
address-family ipv6 unicast |
address-family ipv6 unicast |
Manual or controller-based |
Create the BGP-VPN IPv6 unicast address family and enter its view. |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
|
network FD00:0:97B0:102:: 64 network FD00:0:97B0:102::1 128 network FD00:0:97B0:102::F 128 network FD00:0:97B0:103:: 64 network FD00:0:97B0:103::1 128 network FD00:0:97B0:103::F 128 |
network FD00:0:97B0:102:: 64 network FD00:0:97B0:102::1 128 network FD00:0:97B0:102::F 128 network FD00:0:97B0:103:: 64 network FD00:0:97B0:103::1 128 network FD00:0:97B0:103::F 128 |
Manual or controller-based |
Specify the local networks to be advertised by BGP. |
|
quit quit |
quit quit |
Manual or controller-based |
Return to BGP instance view. |
|
ip vpn-instance ZHTESTCTVRF |
ip vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Create a BGP-VPN instance for the VPN instance that contains servers, and enter BGP-VPN instance view. |
|
address-family ipv4 unicast |
address-family ipv4 unicast |
Manual or controller-based |
Create the BGP-VPN IPv4 unicast address family and enter its view. |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
|
network 197.32.13.0 255.255.255.0 network 197.32.13.254 255.255.255.255 network 197.32.42.0 255.255.255.0 network 197.32.42.254 255.255.255.255 |
network 197.32.13.0 255.255.255.0 network 197.32.13.254 255.255.255.255 network 197.32.42.0 255.255.255.0 network 197.32.42.254 255.255.255.255 |
Manual or controller-based |
Specify the local networks to be advertised by BGP. |
|
address-family ipv6 unicast |
address-family ipv6 unicast |
Manual or controller-based |
Create the BGP-VPN IPv6 unicast address family and enter its view. |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
|
network FD00:0:97B0:1013:: 64 network FD00:0:97B0:1013::FFFF 128 network FD00:0:97B0:1042:: 64 network FD00:0:97B0:1042::FFFF 128 |
network FD00:0:97B0:1013:: 64 network FD00:0:97B0:1013::FFFF 128 network FD00:0:97B0:1042:: 64 network FD00:0:97B0:1042::FFFF 128 |
Manual or controller-based |
Specify the local networks to be advertised by BGP. |
Configuring ACs
|
Leaf 1 (S6850) |
Leaf 2 (S6850) |
Configuration method |
Description |
|
interface Bridge-Aggregation257 |
interface Bridge-Aggregation257 |
Manual or controller-based |
Enter the view of the aggregate interface connected to firewall EW. |
|
service-instance 997 |
service-instance 997 |
Manual or controller-based |
Create an Ethernet service instance. |
|
encapsulation s-vid 997 |
encapsulation s-vid 997 |
Manual or controller-based |
Specify the outer VLAN IDs to match. |
|
xconnect vsi SDN_VSI_10997 |
xconnect vsi SDN_VSI_10997 |
Manual or controller-based |
Map the AC to a VSI. |
|
service-instance 998 |
service-instance 998 |
Manual or controller-based |
Create an Ethernet service instance. |
|
encapsulation s-vid 998 |
encapsulation s-vid 998 |
Manual or controller-based |
Specify the outer VLAN IDs to match. |
|
xconnect vsi SDN_VSI_10998 |
xconnect vsi SDN_VSI_10998 |
Manual or controller-based |
Map the AC to a VSI. |
|
quit |
quit |
Manual or controller-based |
Return to interface view. |
|
service-instance 999 |
service-instance 999 |
Manual or controller-based |
Create an Ethernet service instance. |
|
encapsulation s-vid 999 |
encapsulation s-vid 999 |
Manual or controller-based |
Specify the outer VLAN IDs to match. |
|
xconnect vsi SDN_VSI_10999 |
xconnect vsi SDN_VSI_10999 |
Manual or controller-based |
Map the AC to a VSI. |
|
quit |
quit |
Manual or controller-based |
Return to interface view. |
|
service-instance 1000 |
service-instance 1000 |
Manual or controller-based |
Create an Ethernet service instance. |
|
encapsulation s-vid1000 |
encapsulation s-vid 1000 |
Manual or controller-based |
Specify the outer VLAN IDs to match. |
|
xconnect vsi SDN_VSI_11000 |
xconnect vsi SDN_VSI_11000 |
Manual or controller-based |
Map the AC to a VSI. |
|
quit quit |
quit quit |
Manual or controller-based |
Return to system view. |
|
interface Bridge-Aggregation258 |
interface Bridge-Aggregation258 |
Manual or controller-based |
Enter the view of the aggregate interface connected to firewall NS. |
|
service-instance 997 |
service-instance 997 |
Manual or controller-based |
Create an Ethernet service instance. |
|
encapsulation s-vid 997 |
encapsulation s-vid 997 |
Manual or controller-based |
Specify the outer VLAN IDs to match. |
|
xconnect vsi SDN_VSI_10997 |
xconnect vsi SDN_VSI_10997 |
Manual or controller-based |
Map the AC to a VSI. |
|
quit |
quit |
Manual or controller-based |
Return to interface view. |
|
service-instance 998 |
service-instance 998 |
Manual or controller-based |
Create an Ethernet service instance. |
|
encapsulation s-vid 998 |
encapsulation s-vid 998 |
Manual or controller-based |
Specify the outer VLAN IDs to match. |
|
xconnect vsi SDN_VSI_10998 |
xconnect vsi SDN_VSI_10998 |
Manual or controller-based |
Map the AC to a VSI. |
|
quit |
quit |
Manual or controller-based |
Return to interface view. |
|
service-instance 999 |
service-instance 999 |
Manual or controller-based |
Create an Ethernet service instance. |
|
encapsulation s-vid 999 |
encapsulation s-vid 999 |
Manual or controller-based |
Specify the outer VLAN IDs to match. |
|
xconnect vsi SDN_VSI_10999 |
xconnect vsi SDN_VSI_10999 |
Manual or controller-based |
Map the AC to a VSI. |
|
quit |
quit |
Manual or controller-based |
Return to interface view. |
|
service-instance 1000 |
service-instance 1000 |
Manual or controller-based |
Create an Ethernet service instance. |
|
encapsulation s-vid1000 |
encapsulation s-vid 1000 |
Manual or controller-based |
Specify the outer VLAN IDs to match. |
|
xconnect vsi SDN_VSI_11000 |
xconnect vsi SDN_VSI_11000 |
Manual or controller-based |
Map the AC to a VSI. |
|
quit quit |
quit quit |
Manual or controller-based |
Return to system view. |
Configuring leaf nodes (Leaf 3 and Leaf 4)
Procedure summary
· Configuring the device modes
· Configuring the underlay routing protocol
· Setting up the DR system and the IPL link
· Configuring the links towards the spine tier
· Configuring the distributed EVPN gateway
Configuring the device modes
For how to configure the device modes, see ADDC solution deployment guides. The mode-related configurations might include the following types:
· Hardware resource mode configuration (for example, the hardware-resource switch-mode command on S6850 switches).
· Support for IPv6 routes with the prefix longer than 64 bits (for example, the hardware-resource routing-mode ipv6-128 command on S6850 switches).
· VXLAN hardware resource mode configuration (for example, the hardware-resource vxlan command on S6850 switches).
Configuring the underlay routing protocol
|
Leaf 3 (S6850) |
Leaf 4 (S6850) |
Configuration method |
Description |
Remarks |
|
router id 197.32.241.43 |
router id 197.32.241.44 |
Manual or controller-based |
Specify a unique global router ID for each device. |
N/A |
|
ospf 65530 |
ospf 65530 |
Manual or controller-based |
Create OSPF process 65530. |
N/A |
|
non-stop-routing |
non-stop-routing |
Manual or controller-based |
Enable non-stop routing (NSR) for OSPF. |
N/A |
|
stub-router include-stub on-startup 900 |
stub-router include-stub on-startup 900 |
Manual or controller-based |
To accelerate network convergence, specify the router as a stub router during reboot for the specified period of time. |
This command sets the cost of stub links to the maximum value (65535). Neighbors on such links will not send packets to the stub router as long as they have a route with a smaller cost. |
|
area 0.0.0.0 |
area 0.0.0.0 |
Manual or controller-based |
Create OSPF area 0.0.0.0. |
N/A |
|
interface loopback 0 |
interface loopback 0 |
Manual or controller-based |
Enter the interface view of Loopback 0. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on interface Loopback 0. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface loopback 2 |
interface loopback 2 |
Manual or controller-based |
Enter the interface view of Loopback 2. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on interface Loopback 2. |
N/A |
Configuring L3VPN
|
Leaf 3 (S6850) |
Leaf 4 (S6850) |
Configuration method |
Description |
Remarks |
|
interface loopback 0 |
interface loopback 0 |
Manual or controller-based |
Configure interface Loopback 0. |
N/A |
|
ip address 197.32.241.43 255.255.255.255 |
ip address 197.32.241.44 255.255.255.255 |
Manual or controller-based |
Assign an IP address to interface Loopback 0. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface loopback 2 |
interface loopback 2 |
Manual or controller-based |
Configure interface Loopback 2. |
N/A |
|
ip address 197.32.241.64 255.255.255.255 |
ip address 197.32.241.64 255.255.255.255 |
Manual or controller-based |
Assign an IP address to interface Loopback 2. |
N/A |
|
ip vpn-instance auto-online-mlag |
ip vpn-instance auto-online-mlag |
Manual or controller-based |
Create a VPN instance for the DRNI keepalive link. In this example, the VPN instance name is auto-online-mlag. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
ip vpn-instance mgmt |
ip vpn-instance mgmt |
Manual or controller-based |
Create a VPN instance for the management port. In this example, the VPN instance name is mgmt. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
ip vpn-instance ZHTESTCTVRF route-distinguisher3:10000 address-family ipv4 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit |
ip vpn-instance ZHTESTCTVRF route-distinguisher 4:10000 address-family ipv4 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit |
Manual or controller-based |
Configure the VPN instance for user services. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4/IPv6 address family and EVPN address family. |
For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
ip vpn-instance ZHTESTCTFWNS01VRF route-distinguisher 3:10001 address-family ipv4 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit |
ip vpn-instance ZHTESTCTFWNS01VRF route-distinguisher 4:10001 address-family ipv4 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit |
Manual or controller-based |
Configure the VPN instance for the north-south firewall service. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4/IPv6 address family and EVPN address family. |
For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
ip vpn-instance ZHTESTCTFWEW01VRF route-distinguisher 3:10002 address-family ipv4 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity |
ip vpn-instance ZHTESTCTFWEW01VRF route-distinguisher 4:10002 address-family ipv4 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity |
Manual or controller-based |
Configure the VPN instance for the east-west firewall service. Set a route distinguisher (RD) for the VPN instance, and set the import and export route targets (RTs) for the VPN instance IPv4/IPv6 address family and EVPN address family. |
For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other. |
Setting up the DR system and the IPL link
|
Leaf 3 (S6850) |
Leaf 4 (S6850) |
Configuration method |
Description |
Remarks |
|
drni system-mac 0c3a-fa36-acef |
drni system-mac 0c3a-fa36-acef |
Manual or controller-based |
Set the MAC address of the DR system. |
You must assign the same DR system MAC address to the member devices in a DR system. |
|
drni system-number 1 |
drni system-number 2 |
Manual or controller-based |
Set the DR system number. |
You must assign different DR system numbers to the member devices in a DR system. |
|
drni system-priority 10 |
drni system-priority 10 |
Manual or controller-based |
Set the DR system priority. |
You must set the same DR system priority on the member devices in a DR system. |
|
drni keepalive ip destination 197.32.241.62 source 197.32.241.61 vpn-instance auto-online-mlag |
drni keepalive ip destination 197.32.241.61 source 197.32.241.62 vpn-instance auto-online-mlag |
Manual or controller-based |
Configure the source and destination IP addresses of keepalive packets. |
The source and destination IP addresses specified on one member device must be the destination and source IP addresses specified on the other, respectively. |
|
drni restore-delay 300 |
drni restore-delay 300 |
Manual or controller-based |
Set the data restoration interval. This parameter specifies the maximum amount of time for the secondary DR member device to synchronize data with the primary DR member device during DR system setup. |
To avoid packet loss and forwarding failure, increase the data restoration interval if the amount of data is large, for example, when the device has a large number of routes and interfaces. |
|
drni mad default-action none |
drni mad default-action none |
Manual or controller-based |
Set the DRNI MAD action to none. When the DR system splits, DRNI MAD will not shut down any network interfaces, except the interfaces configured manually or by the system to be shut down by DRNI MAD. |
N/A |
|
drni mad include interface HundredGigE1/0/25 drni mad include interface HundredGigE1/0/26 |
drni mad include interface HundredGigE1/0/25 drni mad include interface HundredGigE1/0/26 |
Manual or controller-based |
Configure DRNI MAD to shut down the uplink interfaces. |
N/A |
|
interface Twenty-FiveGigE 1/0/54 |
interface Twenty-FiveGigE 1/0/54 |
Manual or controller-based |
Enter the interface view for the keepalive link. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the interface for keepalive detection to operate in route mode as a Layer 3 interface. |
N/A |
|
ip binding vpn-instance auto-online-mlag |
ip binding vpn-instance auto-online-mlag |
Manual or controller-based |
Associate the interface with VPN instance auto-online-mlag, the VPN instance for DRNI keepalive detection. |
N/A |
|
ip address 197.32.241.61 255.255.255.252 |
ip address 197.32.241.62 255.255.255.252 |
Manual or controller-based |
Assign an IP address to the interface as planned. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface bridge-aggregation 256 |
interface bridge-aggregation 256 |
Manual or controller-based |
Create the Layer 2 aggregate interface to be used as the IPP, and enter interface view. |
N/A |
|
link-aggregation mode dynamic |
link-aggregation mode dynamic |
Manual or controller-based |
Configure the aggregate interface to operate in dynamic mode. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface HundredGigE1/0/31 |
interface HundredGigE1/0/31 |
Manual or controller-based |
Enter the view of the physical port for the IPL. |
N/A |
|
port link-aggregation group 256 |
port link-aggregation group 256 |
Manual or controller-based |
Assign the physical port to the aggregation group for the IPL (aggregation group 256). |
N/A |
|
interface bridge-aggregation 256 |
interface bridge-aggregation 256 |
Manual or controller-based |
Enter aggregate interface view. |
N/A |
|
port drni intra-portal-port 1 |
port drni intra-portal-port 1 |
Manual or controller-based |
Specify the aggregate interface (Bridge-Aggregation 256) as the IPP. |
N/A |
|
port trunk pvid vlan 4094 |
port trunk pvid vlan 4094 |
Manual or controller-based |
Set the PVID of the physical port to 4094. |
N/A |
|
undo mac-address static source-check enable |
undo mac-address static source-check enable |
Manual or controller-based |
Disable the static source check feature on Bridge-Aggregation 256. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface Vlan-interface 4094 |
interface Vlan-interface 4094 |
Manual or controller-based |
Create a VLAN interface on each of the DR member devices to establish Layer 3 connectivity for forwarding packets from devices single-homed to only one DR interface. This example uses VLAN-interface 4094. |
N/A |
|
ip address 197.32.241.143 255.255.255.0 |
ip address 197.32.241.144 255.255.255.0 |
Manual or controller-based |
Assign an IP address to VLAN-interface 4094. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Configure OSPF on VLAN-interface 4094. |
N/A |
Configuring the links towards the spine tier
|
Leaf 3 (S6850) |
Leaf 4 (S6850) |
Configuration method |
Description |
Remarks |
|
interface HundredGigE1/0/25 |
interface HundredGigE1/0/25 |
Manual or controller-based |
Enter the view of the physical interface connected to Spine A. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface loopback 0 |
ip address unnumbered interface loopback 0 |
Manual or controller-based |
Configure the interface to borrow the IP address of Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the interface. |
N/A |
|
undo mac-address static source-check enable |
undo mac-address static source-check enable |
Manual or controller-based |
Disable the static source check feature on the interface. |
N/A |
|
lldp compliance admin-status cdp txrx |
lldp compliance admin-status cdp txrx |
Manual or controller-based |
Configure CDP-compatible LLDP to operate in TxRx mode. In this mode, LLDP both sends and receives CDP packets. |
N/A |
|
lldp management-address arp-learning |
lldp management-address arp-learning |
Manual or controller-based |
Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface. |
N/A |
|
lldp tlv-enable basic-tlv management-address-tlv interface loopback 0 |
lldp tlv-enable basic-tlv management-address-tlv interface loopback 0 |
Manual or controller-based |
Specify advertisable TLVs on the interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface HundredGigE1/0/26 |
interface HundredGigE1/0/26 |
Manual or controller-based |
Enter the view of the physical interface connected to Spine B. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface loopback 0 |
ip address unnumbered interface loopback 0 |
Manual or controller-based |
Configure the interface to borrow the IP address of Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the interface. |
N/A |
|
undo mac-address static source-check enable |
undo mac-address static source-check enable |
Manual or controller-based |
Disable the static source check feature on the interface. |
N/A |
|
lldp compliance admin-status cdp txrx |
lldp compliance admin-status cdp txrx |
Manual or controller-based |
Configure CDP-compatible LLDP to operate in TxRx mode. In this mode, LLDP both sends and receives CDP packets. |
N/A |
|
lldp management-address arp-learning |
lldp management-address arp-learning |
Manual or controller-based |
Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface. |
N/A |
|
lldp tlv-enable basic-tlv management-address-tlv interface loopback 0 |
lldp tlv-enable basic-tlv management-address-tlv interface loopback 0 |
Manual or controller-based |
Specify advertisable TLVs on the interface. |
N/A |
Configuring the distributed EVPN gateway
|
Leaf 3 (S6850) |
Leaf 4 (S6850) |
Configuration method |
Description |
Remarks |
|
l2vpn enable |
l2vpn enable |
Manual or controller-based |
Enable L2VPN. |
N/A |
|
l2vpn drni peer-link ac-match-rule vxlan-mapping |
l2vpn drni peer-link ac-match-rule vxlan-mapping |
Manual or controller-based |
Enable the device to create frame match criteria based on VXLAN IDs for the dynamic ACs on the Ethernet aggregate link IPL. |
N/A |
|
vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable |
vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable |
Manual or controller-based |
Disable remote ARP/ND learning. This setting avoids the conflict between automatically learned ARP/ND entries and ARP/ND entries advertised through BGP EVPN. |
N/A |
|
vxlan tunnel mac-learning disable |
vxlan tunnel mac-learning disable |
Manual or controller-based |
Disable remote MAC address learning. This setting avoids the conflict between automatically learned MAC address entries and MAC address entries advertised through BGP EVPN. |
N/A |
|
vxlan default-decapsulation source interface loopback 0 |
vxlan default-decapsulation source interface loopback 0 |
Manual or controller-based |
Enable the device to always decapsulate the VXLAN packets destined for the IP address of Loopback 0, whether or not it has a VXLAN tunnel for them. |
N/A |
|
vlan all |
vlan all |
Manual or controller-based |
Create VLANs 1 through 4094. |
N/A |
|
evpn drni group 197.32.241.64 |
evpn drni group 197.32.241.64 |
Manual or controller-based |
Enable EVPN distributed relay and set the virtual VTEP address. |
N/A |
|
evpn drni local 197.32.241.43 remote 197.32.241.44 |
evpn drni local 197.32.241.44 remote 197.32.241.43 |
Manual or controller-based |
Specify the IP addresses of the local and peer VTEPs in the DR system. |
This step is required if the DR system uses an Ethernet aggregate link as the IPL and has ACs attached to only one of the member devices. |
|
evpn global-mac 0c3a-fa38-3d3b |
evpn global-mac 0c3a-fa38-3d3b |
Manual or controller-based |
Configure an EVPN global MAC address. |
N/A |
|
interface Vsi-interface13313 |
interface Vsi-interface13313 |
Manual or controller-based |
Create the VSI interface to be used as a distributed EVPN gateway member for compute servers. |
N/A |
|
ip binding vpn-instance ZHTESTCTVRF |
ip binding vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for compute servers. |
N/A |
|
ip address 197.32.13.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1013::/64 no-advertise ipv6 address FD00:0:97B0:1013::FFFF/64 |
ip address 197.32.13.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1013::/64 no-advertise ipv6 address FD00:0:97B0:1013::FFFF/64 |
Manual or controller-based |
Assign an IPv4 address and an IPv6 address to the VSI interface. |
N/A |
|
mac-address 6805-ca21-d6e5 |
mac-address 6805-ca21-d6e5 |
Manual or controller-based |
Assign a MAC address to the distributed EVPN gateway. |
N/A |
|
arp route-direct advertise ipv6 nd route-direct advertise |
arp route-direct advertise ipv6 nd route-direct advertise |
Manual or controller-based |
Enable ARP/ND direct route advertisement. Enabled with this feature, ARP/ND advertises ARP/ND entries to the route management module to generate direct routes. |
N/A |
|
distributed-gateway local |
distributed-gateway local |
Manual or controller-based |
Enable distributed gateway service on the VSI interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
vsi SDN_VSI_13313 |
vsi SDN_VSI_13313 |
Manual or controller-based |
Create a VSI to provide access services for the attached compute servers. |
N/A |
|
gateway vsi-interface 13313 |
gateway vsi-interface 13313 |
Manual or controller-based |
Specify the gateway interface for the VSI. |
N/A |
|
arp suppression enable ipv6 nd suppression enable |
arp suppression enable ipv6 nd suppression enable |
Manual or controller-based |
Enable ARP/ND flood suppression. |
N/A |
|
vxlan 13313 |
vxlan 13313 |
Manual or controller-based |
Create VXLAN 13313. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to VSI view. |
N/A |
|
evpn encapsulation vxlan |
evpn encapsulation vxlan |
Manual or controller-based |
Create a VXLAN EVPN instance on the VSI. |
N/A |
|
route-distinguisher auto |
route-distinguisher auto |
Manual or controller-based |
Configure the device to automatically generate an RD for the EVPN instance. |
N/A |
|
vpn-target auto export-extcommunity |
vpn-target auto export-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an export RT for the EVPN instance. |
N/A |
|
vpn-target auto import-extcommunity |
vpn-target auto import-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an import RT for the EVPN instance. |
N/A |
|
quit quit |
quit quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface Vsi-interface 13314 |
interface Vsi-interface 13314 |
Manual or controller-based |
Create the VSI interface to be used as a distributed EVPN gateway member for compute servers. |
N/A |
|
ip binding vpn-instance ZHTESTCTVRF |
ip binding vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for compute servers. |
N/A |
|
ip address 197.32.14.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1014::/64 no-advertise ipv6 address FD00:0:97B0:1014::FFFF/64 |
ip address 197.32.14.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1014::/64 no-advertise ipv6 address FD00:0:97B0:1014::FFFF/64 |
Manual or controller-based |
Assign an IPv4 address and an IPv6 address to the VSI interface. |
N/A |
|
mac-address 6805-ca21-d6e5 |
mac-address 6805-ca21-d6e5 |
Manual or controller-based |
Assign a MAC address to the distributed EVPN gateway. |
N/A |
|
arp route-direct advertise ipv6 nd route-direct advertise |
arp route-direct advertise ipv6 nd route-direct advertise |
Manual or controller-based |
Enable ARP/ND direct route advertisement. Enabled with this feature, ARP/ND advertises ARP/ND entries to the route management module to generate direct routes. |
N/A |
|
distributed-gateway local |
distributed-gateway local |
Manual or controller-based |
Enable distributed gateway service on the VSI interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
vsi SDN_VSI_13314 |
vsi SDN_VSI_13314 |
Manual or controller-based |
Create a VSI to provide access services for the attached compute servers. |
N/A |
|
gateway vsi-interface 13314 |
gateway vsi-interface 13314 |
Manual or controller-based |
Specify the gateway interface for the VSI. |
N/A |
|
arp suppression enable ipv6 nd suppression enable |
arp suppression enable ipv6 nd suppression enable |
Manual or controller-based |
Enable ARP/ND flood suppression. |
N/A |
|
vxlan 13314 |
vxlan 13314 |
Manual or controller-based |
Create VXLAN 13314. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to VSI view. |
N/A |
|
evpn encapsulation vxlan |
evpn encapsulation vxlan |
Manual or controller-based |
Create a VXLAN EVPN instance on the VSI. |
N/A |
|
route-distinguisher auto |
route-distinguisher auto |
Manual or controller-based |
Configure the device to automatically generate an RD for the EVPN instance. |
N/A |
|
vpn-target auto export-extcommunity |
vpn-target auto export-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an export RT for the EVPN instance. |
N/A |
|
vpn-target auto import-extcommunity |
vpn-target auto import-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an import RT for the EVPN instance. |
N/A |
|
quit quit |
quit quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface Vsi-interface10001 |
interface Vsi-interface10001 |
Manual or controller-based |
Create the VSI interface for L3 connectivity to firewall NS. |
N/A |
|
ip binding vpn-instance ZHTESTCTFWNS01VRF |
ip binding vpn-instance ZHTESTCTFWNS01VRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for firewall NS. |
N/A |
|
ipv6 address auto link-local |
ipv6 address auto link-local |
Manual or controller-based |
Automatically generate a link-local address for the VSI interface. |
N/A |
|
l3-vni 10001 |
l3-vni 10001 |
Manual or controller-based |
Assign an L3VNI (also called an L3 VXLAN ID) to the VSI interface. |
N/A |
|
interface Vsi-interface10002 |
interface Vsi-interface10002 |
Manual or controller-based |
Create the VSI interface for L3 connectivity to firewall EW. |
N/A |
|
ip binding vpn-instance ZHTESTCTFWEW01VRF |
ip binding vpn-instance ZHTESTCTFWEW01VRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for firewall EW. |
N/A |
|
l3-vni 10002 |
l3-vni 10002 |
Manual or controller-based |
Assign an L3VNI (also called an L3 VXLAN ID) to the VSI interface. |
N/A |
|
ipv6 address auto link-local |
ipv6 address auto link-local |
Manual or controller-based |
Automatically generate a link-local address for the VSI interface. |
N/A |
|
interface Vsi-interface10000 |
interface Vsi-interface10000 |
Manual or controller-based |
Create the VSI interface for L3 connectivity to compute servers. |
N/A |
|
ip binding vpn-instance ZHTESTCTVRF |
ip binding vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for compute servers. |
N/A |
|
ipv6 address auto link-local |
ipv6 address auto link-local |
Manual or controller-based |
Automatically generate a link-local address for the VSI interface. |
N/A |
|
l3-vni 10000 |
l3-vni 10000 |
Manual or controller-based |
Assign an L3VNI (also called an L3 VXLAN ID) to the VSI interface. |
N/A |
|
bgp 65530 |
bgp 65530 |
Manual or controller-based |
Enable the specified BGP instance and enter its view. |
N/A |
|
non-stop-routing |
non-stop-routing |
Manual or controller-based |
Enable BGP non-stop routing (NSR). |
N/A |
|
router-id 197.32.241.43 |
router-id 197.32.241.44 |
Manual or controller-based |
Specify a unique router ID for the BGP instance on each BGP device. |
N/A |
|
group evpn internal |
group evpn internal |
Manual or controller-based |
Create an IBGP peer group named evpn. |
N/A |
|
peer evpn connect-interface loopback 0 |
peer evpn connect-interface loopback 0 |
Manual or controller-based |
Specify a source interface for establishing TCP connections to a peer or peer group. |
N/A |
|
peer 197.32.241.37 group evpn |
peer 197.32.241.37 group evpn |
Manual or controller-based |
Add node Spine A to IBGP group evpn. |
N/A |
|
peer 197.32.241.38 group evpn |
peer 197.32.241.38 group evpn |
Manual or controller-based |
Add node Spine B to IBGP group evpn. |
N/A |
|
address-family l2vpn evpn |
address-family l2vpn evpn |
Manual or controller-based |
Create the BGP EVPN address family and enter its view. |
N/A |
|
peer evpn enable |
peer evpn enable |
Manual or controller-based |
Enable BGP to exchange BGP EVPN routes with IBGP peer group evpn. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to BGP instance view. |
N/A |
|
ip vpn-instance ZHTESTCTFWEW01VRF |
ip vpn-instance ZHTESTCTFWEW01VRF |
Manual or controller-based |
Create a BGP-VPN instance for the VPN instance that contains firewall EW, and enter BGP-VPN instance view. |
N/A |
|
address-family ipv4 unicast |
address-family ipv4 unicast |
Manual or controller-based |
Create the BGP-VPN IPv4 unicast address family and enter its view. |
N/A |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
N/A |
|
quit quit |
quit quit |
Manual or controller-based |
Return to BGP instance view. |
N/A |
|
ip vpn-instance ZHTESTCTFWNS01VRF |
ip vpn-instance ZHTESTCTFWNS01VRF |
Manual or controller-based |
Create a BGP-VPN instance for the VPN instance that contains firewall NS, and enter BGP-VPN instance view. |
N/A |
|
address-family ipv4 unicast |
address-family ipv4 unicast |
Manual or controller-based |
Create the BGP-VPN IPv4 unicast address family and enter its view. |
N/A |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
N/A |
|
quit quit |
quit quit |
Manual or controller-based |
Return to BGP instance view. |
N/A |
|
ip vpn-instance ZHTESTCTVRF |
ip vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Create a BGP-VPN instance for the VPN instance that contains compute servers, and enter BGP-VPN instance view. |
N/A |
|
address-family ipv4 unicast |
address-family ipv4 unicast |
Manual or controller-based |
Create the BGP-VPN IPv4 unicast address family and enter its view. |
N/A |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
N/A |
|
network 197.32.13.0 255.255.255.0 network 197.32.13.254 255.255.255.255 |
network 197.32.13.0 255.255.255.0 network 197.32.13.254 255.255.255.255 |
Manual or controller-based |
Specify the local networks to be advertised by BGP. |
N/A |
|
address-family ipv6 unicast |
address-family ipv6 unicast |
Manual or controller-based |
Create the BGP-VPN IPv6 unicast address family and enter its view. |
N/A |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
N/A |
|
network FD00:0:97B0:1013:: 64 network FD00:0:97B0:1013::FFFF 128 |
network FD00:0:97B0:1013:: 64 network FD00:0:97B0:1013::FFFF 128 |
Manual or controller-based |
Specify the local networks to be advertised by BGP. |
N/A |
Configuring ACs
|
Leaf 3 (S6850) |
Leaf 4 (S6850) |
Configuration method |
Description |
Remarks |
|
interface Twenty-FiveGigE 1/0/2 |
interface Twenty-FiveGigE 1/0/4 |
Manual or controller-based |
Enter the view of the physical port connected to compute servers. |
N/A |
|
port link-type trunk |
port link-type trunk |
Manual or controller-based |
Set the link type of the physical port to trunk. |
N/A |
|
undo port trunk permit vlan 1 |
undo port trunk permit vlan 1 |
Manual or controller-based |
Remove the port from VLAN 1. |
N/A |
|
port trunk permit vlan 3313 |
port trunk permit vlan 3314 |
Manual or controller-based |
Assign the port to a VLAN. |
N/A |
|
port trunk pvid vlan 3313 |
port trunk pvid vlan 3314 |
Manual or controller-based |
Set the PVID of the port. |
N/A |
|
service-instance 3313 |
service-instance 3314 |
Manual or controller-based |
Create an Ethernet service instance. |
N/A |
|
encapsulation untagged |
encapsulation untagged |
Manual or controller-based |
Configure the Ethernet service instance to match any frames that do not have an 802.1Q VLAN tag. |
N/A |
|
xconnect vsi SDN_VSI_13313 access-mode ethernet |
xconnect vsi SDN_VSI_13314 access-mode ethernet |
Manual or controller-based |
Map the Ethernet service instance to the specified VSI. |
N/A |
Configuring leaf nodes (Leaf 5 and Leaf 6)
Procedure summary
· Configuring the device modes
· Configuring the underlay routing protocol
· Setting up the DR system and the IPL link
· Configuring the links towards the spine tier
· Configuring the distributed EVPN gateway
Configuring the device modes
For how to configure the device modes, see ADDC solution deployment guides. The mode-related configurations might include the following types:
· Hardware resource mode configuration (for example, the hardware-resource switch-mode command on S6850 switches).
· Support for IPv6 routes with the prefix longer than 64 bits (for example, the hardware-resource routing-mode ipv6-128 command on S6850 switches).
· VXLAN hardware resource mode configuration (for example, the hardware-resource vxlan command on S6850 switches).
Configuring the underlay routing protocol
|
Leaf 5 (S6850) |
Leaf 6 (S6850) |
Configuration method |
Description |
Remarks |
|
router id 197.32.241.45 |
router id 197.32.241.46 |
Manual or controller-based |
Specify a unique global router ID for each device. |
N/A |
|
ospf 65530 |
ospf 65530 |
Manual or controller-based |
Create OSPF process 65530. |
N/A |
|
non-stop-routing |
non-stop-routing |
Manual or controller-based |
Enable non-stop routing (NSR) for OSPF. |
N/A |
|
stub-router include-stub on-startup 900 |
stub-router include-stub on-startup 900 |
Manual or controller-based |
To accelerate network convergence, specify the router as a stub router during reboot for the specified period of time. |
This command sets the cost of stub links to the maximum value (65535). Neighbors on such links will not send packets to the stub router as long as they have a route with a smaller cost. |
|
area 0.0.0.0 |
area 0.0.0.0 |
Manual or controller-based |
Create OSPF area 0.0.0.0. |
N/A |
|
interface loopback0 |
interface loopback0 |
Manual or controller-based |
Enter the interface view of Loopback 0. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on interface Loopback 0. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface loopback 2 |
interface loopback 2 |
Manual or controller-based |
Enter the interface view of Loopback 2. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on interface Loopback 2. |
N/A |
Configuring L3VPN
|
Leaf 5 (S6850) |
Leaf 6 (S6850) |
Configuration method |
Description |
Remarks |
|
interface loopback 0 |
interface loopback 0 |
Manual or controller-based |
Configure interface Loopback 0. |
N/A |
|
ip address 197.32.241.45 255.255.255.255 |
ip address 197.32.241.46 255.255.255.255 |
Manual or controller-based |
Assign an IP address to interface Loopback 0. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface loopback 2 |
interface loopback 2 |
Manual or controller-based |
Configure interface Loopback 2. |
N/A |
|
ip address 197.32.241.67 255.255.255.255 |
ip address 197.32.241.67 255.255.255.255 |
Manual or controller-based |
Assign an IP address to interface Loopback 2. |
N/A |
|
ip vpn-instance auto-online-mlag |
ip vpn-instance auto-online-mlag |
Manual or controller-based |
Create a VPN instance for the DRNI keepalive link. In this example, the VPN instance name is auto-online-mlag. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
ip vpn-instance mgmt |
ip vpn-instance mgmt |
Manual or controller-based |
Create a VPN instance for the management port. In this example, the VPN instance name is mgmt. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
ip vpn-instance ZHTESTCTVRF route-distinguisher 5:10000 address-family ipv4 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit |
ip vpn-instance ZHTESTCTVRF route-distinguisher 6:10000 address-family ipv4 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit |
Manual or controller-based |
Configure the VPN instance for user services. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4/IPv6 address family and EVPN address family. |
For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
ip vpn-instance ZHTESTCTFWNS01VRF route-distinguisher 5:10001 address-family ipv4 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit |
ip vpn-instance ZHTESTCTFWNS01VRF route-distinguisher 6:10001 address-family ipv4 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit |
Manual or controller-based |
Configure the VPN instance for the north-south firewall service. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4/IPv6 address family and EVPN address family. |
For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
ip vpn-instance ZHTESTCTFWEW01VRF route-distinguisher 5:10002 address-family ipv4 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit |
ip vpn-instance ZHTESTCTFWEW01VRF route-distinguisher 6:10002 address-family ipv4 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit |
Manual or controller-based |
Configure the VPN instance for the east-west firewall service. Set a route distinguisher (RD) for the VPN instance, and set the import and export route targets (RTs) for the VPN instance IPv4/IPv6 address family and EVPN address family. |
For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other. |
Setting up the DR system and the IPL link
|
Leaf 5 (S6850) |
Leaf 6 (S6850) |
Configuration method |
Description |
Remarks |
|
drni system-mac 0c3a-fa36-b811 |
drni system-mac 0c3a-fa36-b811 |
Manual or controller-based |
Set the MAC address of the DR system. |
You must assign the same DR system MAC address to the member devices in a DR system. |
|
drni system-number 1 |
drni system-number 2 |
Manual or controller-based |
Set the DR system number. |
You must assign different DR system numbers to the member devices in a DR system. |
|
drni system-priority 10 |
drni system-priority 10 |
Manual or controller-based |
Set the DR system priority. |
You must set the same DR system priority on the member devices in a DR system. |
|
drni keepalive ip destination 197.32.241.78 source 197.32.241.77 vpn-instance auto-online-mlag |
drni keepalive ip destination 197.32.241.77 source 197.32.241.78 vpn-instance auto-online-mlag |
Manual or controller-based |
Configure the source and destination IP addresses of keepalive packets. |
The source and destination IP addresses specified on one member device must be the destination and source IP addresses specified on the other, respectively. |
|
drni restore-delay 300 |
drni restore-delay 300 |
Manual or controller-based |
Set the data restoration interval. This parameter specifies the maximum amount of time for the secondary DR member device to synchronize data with the primary DR member device during DR system setup. |
To avoid packet loss and forwarding failure, increase the data restoration interval if the amount of data is large, for example, when the device has a large number of routes and interfaces. |
|
drni mad default-action none |
drni mad default-action none |
Manual or controller-based |
Set the DRNI MAD action to none. When the DR system splits, DRNI MAD will not shut down any network interfaces, except the interfaces configured manually or by the system to be shut down by DRNI MAD. |
N/A |
|
drni mad include interface HundredGigE1/0/25 drni mad include interface HundredGigE1/0/26 |
drni mad include interface HundredGigE1/0/25 drni mad include interface HundredGigE1/0/26 |
Manual or controller-based |
Configure DRNI MAD to shut down the uplink interfaces. |
N/A |
|
interface Twenty-FiveGigE 1/0/54 |
interface Twenty-FiveGigE 1/0/54 |
Manual or controller-based |
Enter the interface view for the keepalive link. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the interface for keepalive detection to operate in route mode as a Layer 3 interface. |
N/A |
|
ip binding vpn-instance auto-online-mlag |
ip binding vpn-instance auto-online-mlag |
Manual or controller-based |
Associate the interface with VPN instance auto-online-mlag, the VPN instance for DRNI keepalive detection. |
N/A |
|
ip address 197.32.241.77 255.255.255.252 |
ip address 197.32.241.78 255.255.255.252 |
Manual or controller-based |
Assign an IP address to the interface as planned. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface bridge-aggregation 256 |
interface bridge-aggregation 256 |
Manual or controller-based |
Create the Layer 2 aggregate interface to be used as the IPP, and enter interface view. |
N/A |
|
link-aggregation mode dynamic |
link-aggregation mode dynamic |
Manual or controller-based |
Configure the aggregate interface to operate in dynamic mode. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface HundredGigE1/0/31 |
interface HundredGigE1/0/31 |
Manual or controller-based |
Enter the view of the physical port for the IPL. |
N/A |
|
port link-aggregation group 256 |
port link-aggregation group 256 |
Manual or controller-based |
Assign the physical port to the aggregation group for the IPL (aggregation group 256). |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface bridge-aggregation 256 |
interface bridge-aggregation 256 |
Manual or controller-based |
Create the Layer 2 aggregate interface to be used as the IPP, and enter interface view. |
N/A |
|
port drni intra-portal-port 1 |
port drni intra-portal-port 1 |
Manual or controller-based |
Specify the aggregate interface (Bridge-Aggregation 256) as the IPP. |
N/A |
|
port trunk pvid vlan 4094 |
port trunk pvid vlan 4094 |
Manual or controller-based |
Set the PVID of the physical port to 4094. |
N/A |
|
undo mac-address static source-check enable |
undo mac-address static source-check enable |
Manual or controller-based |
Disable the static source check feature on Bridge-Aggregation 256. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface Vlan-interface 4094 |
interface Vlan-interface 4094 |
Manual or controller-based |
Create a VLAN interface on each of the DR member devices to establish Layer 3 connectivity for forwarding packets from devices single-homed to only one DR interface. This example uses VLAN-interface 4094. |
N/A |
|
ip address 197.32.241.145 255.255.255.0 |
ip address 197.32.241.146 255.255.255.0 |
Manual or controller-based |
Assign an IP address to VLAN-interface 4094. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Configure OSPF on VLAN-interface 4094. |
N/A |
Configuring the links towards the spine tier
|
Leaf 5 (S6850) |
Leaf 6 (S6850) |
Configuration method |
Description |
Remarks |
|
interface HundredGigE1/0/25 |
interface HundredGigE1/0/25 |
Manual or controller-based |
Enter the view of the physical interface connected to Spine A. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface loopback 0 |
ip address unnumbered interface loopback 0 |
Manual or controller-based |
Configure the interface to borrow the IP address of Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the interface. |
N/A |
|
undo mac-address static source-check enable |
undo mac-address static source-check enable |
Manual or controller-based |
Disable the static source check feature on the interface. |
N/A |
|
lldp compliance admin-status cdp txrx |
lldp compliance admin-status cdp txrx |
Manual or controller-based |
Configure CDP-compatible LLDP to operate in TxRx mode. In this mode, LLDP both sends and receives CDP packets. |
N/A |
|
lldp management-address arp-learning |
lldp management-address arp-learning |
Manual or controller-based |
Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface. |
N/A |
|
lldp tlv-enable basic-tlv management-address-tlv interface loopback 0 |
lldp tlv-enable basic-tlv management-address-tlv interface loopback 0 |
Manual or controller-based |
Specify advertisable TLVs on the interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface HundredGigE1/0/26 |
interface HundredGigE1/0/26 |
Manual or controller-based |
Enter the view of the physical interface connected to Spine B. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface loopback 0 |
ip address unnumbered interface loopback 0 |
Manual or controller-based |
Configure the interface to borrow the IP address of Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the interface. |
N/A |
|
undo mac-address static source-check enable |
undo mac-address static source-check enable |
Manual or controller-based |
Disable the static source check feature on the interface. |
N/A |
|
lldp compliance admin-status cdp txrx |
lldp compliance admin-status cdp txrx |
Manual or controller-based |
Configure CDP-compatible LLDP to operate in TxRx mode. In this mode, LLDP both sends and receives CDP packets. |
N/A |
|
lldp management-address arp-learning |
lldp management-address arp-learning |
Manual or controller-based |
Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface. |
N/A |
|
lldp tlv-enable basic-tlv management-address-tlv interface loopback 0 |
lldp tlv-enable basic-tlv management-address-tlv interface loopback 0 |
Manual or controller-based |
Specify advertisable TLVs on the interface. |
N/A |
Configuring the distributed EVPN gateway
|
Leaf 5 (S6850) |
Leaf 6 (S6850) |
Configuration method |
Description |
Remarks |
|
l2vpn enable |
l2vpn enable |
Manual or controller-based |
Enable L2VPN. |
N/A |
|
l2vpn drni peer-link ac-match-rule vxlan-mapping |
l2vpn drni peer-link ac-match-rule vxlan-mapping |
Manual or controller-based |
Enable the device to create frame match criteria based on VXLAN IDs for the dynamic ACs on the Ethernet aggregate link IPL. |
N/A |
|
vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable |
vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable |
Manual or controller-based |
Disable remote ARP/ND learning. This setting avoids the conflict between automatically learned ARP/ND entries and ARP/ND entries advertised through BGP EVPN. |
N/A |
|
vxlan tunnel mac-learning disable |
vxlan tunnel mac-learning disable |
Manual or controller-based |
Disable remote MAC address learning. This setting avoids the conflict between automatically learned MAC address entries and MAC address entries advertised through BGP EVPN. |
N/A |
|
vxlan default-decapsulation source interface loopback 0 |
vxlan default-decapsulation source interface loopback 0 |
Manual or controller-based |
Enable the device to always decapsulate the VXLAN packets destined for the IP address of Loopback 0, whether or not it has a VXLAN tunnel for them. |
N/A |
|
vlan all |
vlan all |
Manual or controller-based |
Create VLANs 1 through 4094. |
N/A |
|
evpn drni group 197.32.241.67 |
evpn drni group 197.32.241.67 |
Manual or controller-based |
Enable EVPN distributed relay and set the virtual VTEP address. |
N/A |
|
evpn drni local 197.32.241.45 remote 197.32.241.46 |
evpn drni local 197.32.241.46 remote 197.32.241.45 |
Manual or controller-based |
Specify the IP addresses of the local and peer VTEPs in the DR system. |
This step is required if the DR system uses an Ethernet aggregate link as the IPL and has ACs attached to only one of the member devices. |
|
evpn global-mac 0c3a-fa36-b035 |
evpn global-mac 0c3a-fa36-b035 |
Manual or controller-based |
Configure an EVPN global MAC address. |
N/A |
|
interface Vsi-interface13342 |
interface Vsi-interface13342 |
Manual or controller-based |
Create the VSI interface to be used as a distributed EVPN gateway member for compute servers. |
N/A |
|
ip binding vpn-instance ZHTESTCTVRF |
ip binding vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for compute servers. |
N/A |
|
ip address 197.32.42.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1042::/64 no-advertise ipv6 address FD00:0:97B0:1042::FFFF/64 |
ip address 197.32.42.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1042::/64 no-advertise ipv6 address FD00:0:97B0:1042::FFFF/64 |
Manual or controller-based |
Assign an IPv4 address and an IPv6 address to the VSI interface. |
N/A |
|
mac-address 6805-ca21-d6e5 |
mac-address 6805-ca21-d6e5 |
Manual or controller-based |
Assign a MAC address to the distributed EVPN gateway. |
N/A |
|
arp route-direct advertise ipv6 nd route-direct advertise |
arp route-direct advertise ipv6 nd route-direct advertise |
Manual or controller-based |
Enable ARP/ND direct route advertisement. Enabled with this feature, ARP/ND advertises ARP/ND entries to the route management module to generate direct routes. |
N/A |
|
distributed-gateway local |
distributed-gateway local |
Manual or controller-based |
Enable distributed gateway service on the VSI interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
vsi SDN_VSI_13342 |
vsi SDN_VSI_13342 |
Manual or controller-based |
Create a VSI to provide access services for the attached compute servers. |
N/A |
|
gateway vsi-interface 13342 |
gateway vsi-interface 13342 |
Manual or controller-based |
Specify the gateway interface for the VSI. |
N/A |
|
arp suppression enable ipv6 nd suppression enable |
arp suppression enable ipv6 nd suppression enable |
Manual or controller-based |
Enable ARP/ND flood suppression. |
N/A |
|
vxlan 13342 |
vxlan 13342 |
Manual or controller-based |
Create VXLAN 13342. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to VSI view. |
N/A |
|
evpn encapsulation vxlan |
evpn encapsulation vxlan |
Manual or controller-based |
Create a VXLAN EVPN instance on the VSI. |
N/A |
|
route-distinguisher auto |
route-distinguisher auto |
Manual or controller-based |
Configure the device to automatically generate an RD for the EVPN instance. |
N/A |
|
vpn-target auto export-extcommunity |
vpn-target auto export-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an export RT for the EVPN instance. |
N/A |
|
vpn-target auto import-extcommunity |
vpn-target auto import-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an import RT for the EVPN instance. |
N/A |
|
quit quit |
quit quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface Vsi-interface13316 |
interface Vsi-interface13316 |
Manual or controller-based |
Create the VSI interface to be used as a distributed EVPN gateway member for compute servers. |
N/A |
|
ip binding vpn-instance ZHTESTCTVRF |
ip binding vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for compute servers. |
N/A |
|
ip address 197.32.162 54 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1016::/64 no-advertise ipv6 address FD00:0:97B0:1016::FFFF/64 |
ip address 197.32.16.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1016::/64 no-advertise ipv6 address FD00:0:97B0:1016::FFFF/64 |
Manual or controller-based |
Assign an IPv4 address and an IPv6 address to the VSI interface. |
N/A |
|
mac-address 6805-ca21-d6e5 |
mac-address 6805-ca21-d6e5 |
Manual or controller-based |
Assign a MAC address to the distributed EVPN gateway. |
N/A |
|
arp route-direct advertise ipv6 nd route-direct advertise |
arp route-direct advertise ipv6 nd route-direct advertise |
Manual or controller-based |
Enable ARP/ND direct route advertisement. Enabled with this feature, ARP/ND advertises ARP/ND entries to the route management module to generate direct routes. |
N/A |
|
distributed-gateway local |
distributed-gateway local |
Manual or controller-based |
Enable distributed gateway service on the VSI interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
vsi SDN_VSI_13316 |
vsi SDN_VSI_13316 |
Manual or controller-based |
Create a VSI to provide access services for the attached compute servers. |
N/A |
|
gateway vsi-interface 13316 |
gateway vsi-interface 13316 |
Manual or controller-based |
Specify the gateway interface for the VSI. |
N/A |
|
arp suppression enable ipv6 nd suppression enable |
arp suppression enable ipv6 nd suppression enable |
Manual or controller-based |
Enable ARP/ND flood suppression. |
N/A |
|
vxlan 13316 |
vxlan 13316 |
Manual or controller-based |
Create VXLAN 13313. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to VSI view. |
N/A |
|
evpn encapsulation vxlan |
evpn encapsulation vxlan |
Manual or controller-based |
Create a VXLAN EVPN instance on the VSI. |
N/A |
|
route-distinguisher auto |
route-distinguisher auto |
Manual or controller-based |
Configure the device to automatically generate an RD for the EVPN instance. |
N/A |
|
vpn-target auto export-extcommunity |
vpn-target auto export-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an export RT for the EVPN instance. |
N/A |
|
vpn-target auto import-extcommunity |
vpn-target auto import-extcommunity |
Manual or controller-based |
Configure the device to automatically generate an import RT for the EVPN instance. |
N/A |
|
quit quit |
quit quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface Vsi-interface10001 |
interface Vsi-interface10001 |
Manual or controller-based |
Create the VSI interface for L3 connectivity to firewall NS. |
N/A |
|
ip binding vpn-instance ZHTESTCTFWNS01VRF |
ip binding vpn-instance ZHTESTCTFWNS01VRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for firewall NS. |
N/A |
|
l3-vni 10001 |
l3-vni 10001 |
Manual or controller-based |
Assign an L3VNI (also called an L3 VXLAN ID) to the VSI interface. |
N/A |
|
ipv6 address auto link-local |
ipv6 address auto link-local |
Manual or controller-based |
Automatically generate a link-local address for the VSI interface. |
N/A |
|
interface Vsi-interface10002 |
interface Vsi-interface10002 |
Manual or controller-based |
Create the VSI interface for L3 connectivity to firewall EW. |
N/A |
|
ip binding vpn-instance ZHTESTCTFWEW01VRF |
ip binding vpn-instance ZHTESTCTFWEW01VRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for firewall EW. |
N/A |
|
l3-vni 10002 |
l3-vni 10002 |
Manual or controller-based |
Assign an L3VNI (also called an L3 VXLAN ID) to the VSI interface. |
N/A |
|
ipv6 address auto link-local |
ipv6 address auto link-local |
Manual or controller-based |
Automatically generate a link-local address for the VSI interface. |
N/A |
|
interface Vsi-interface10000 |
interface Vsi-interface10000 |
Manual or controller-based |
Create the VSI interface for L3 connectivity to compute servers. |
N/A |
|
ip binding vpn-instance ZHTESTCTVRF |
ip binding vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Associate the VSI interface with the VPN instance for compute servers. |
N/A |
|
l3-vni 10000 |
l3-vni 10000 |
Manual or controller-based |
Assign an L3VNI (also called an L3 VXLAN ID) to the VSI interface. |
N/A |
|
ipv6 address auto link-local |
ipv6 address auto link-local |
Manual or controller-based |
Automatically generate a link-local address for the VSI interface. |
N/A |
|
bgp 65530 |
bgp 65530 |
Manual or controller-based |
Enable the specified BGP instance and enter its view. |
N/A |
|
non-stop-routing |
non-stop-routing |
Manual or controller-based |
Enable BGP non-stop routing (NSR). |
N/A |
|
router-id 197.32.241.45 |
router-id 197.32.241.46 |
Manual or controller-based |
Specify a unique router ID for the BGP instance on each BGP device. |
N/A |
|
group evpn internal |
group evpn internal |
Manual or controller-based |
Create an IBGP peer group named evpn. |
N/A |
|
peer evpn connect-interface loopback 0 |
peer evpn connect-interface loopback 0 |
Manual or controller-based |
Specify a source interface for establishing TCP connections to a peer or peer group. |
N/A |
|
peer 197.32.241.37 group evpn |
peer 197.32.241.37 group evpn |
Manual or controller-based |
Add node Spine A to IBGP group evpn. |
N/A |
|
peer 197.32.241.38 group evpn |
peer 197.32.241.38 group evpn |
Manual or controller-based |
Add node Spine B to IBGP group evpn. |
N/A |
|
address-family l2vpn evpn |
address-family l2vpn evpn |
Manual or controller-based |
Create the BGP EVPN address family and enter its view. |
N/A |
|
peer evpn enable |
peer evpn enable |
Manual or controller-based |
Enable BGP to exchange BGP EVPN routes with IBGP peer group evpn. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to BGP instance view. |
N/A |
|
ip vpn-instance ZHTESTCTFWEW01VRF |
ip vpn-instance ZHTESTCTFWEW01VRF |
Manual or controller-based |
Create a BGP-VPN instance for the VPN instance that contains firewall EW, and enter BGP-VPN instance view. |
N/A |
|
address-family ipv4 unicast |
address-family ipv4 unicast |
Manual or controller-based |
Create the BGP-VPN IPv4 unicast address family and enter its view. |
N/A |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to BGP instance view. |
N/A |
|
ip vpn-instance ZHTESTCTFWNS01VRF |
ip vpn-instance ZHTESTCTFWNS01VRF |
Manual or controller-based |
Create a BGP-VPN instance for the VPN instance that contains firewall NS, and enter BGP-VPN instance view. |
N/A |
|
address-family ipv4 unicast |
address-family ipv4 unicast |
Manual or controller-based |
Create the BGP-VPN IPv4 unicast address family and enter its view. |
N/A |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to BGP instance view. |
N/A |
|
ip vpn-instance ZHTESTCTVRF |
ip vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Create a BGP-VPN instance for the VPN instance that contains compute servers, and enter BGP-VPN instance view. |
N/A |
|
address-family ipv4 unicast |
address-family ipv4 unicast |
Manual or controller-based |
Create the BGP-VPN IPv4 unicast address family and enter its view. |
N/A |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
N/A |
|
network 197.32.42.0 255.255.255.0 network 197.32.42.254 255.255.255.255 network 197.32.42.9 255.255.255.255 |
network 197.32.42.0 255.255.255.0 network 197.32.42.254 255.255.255.255 network 197.32.42.9 255.255.255.255 |
Manual or controller-based |
Specify the local networks to be advertised by BGP. |
N/A |
|
address-family ipv6 unicast |
address-family ipv6 unicast |
Manual or controller-based |
Create the BGP-VPN IPv6 unicast address family and enter its view. |
N/A |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
N/A |
|
network FD00:0:97B0:1042:: 64 network FD00:0:97B0:1042::FFFF 128 |
network FD00:0:97B0:1042:: 64 network FD00:0:97B0:1042::FFFF 128 |
Manual or controller-based |
Specify the local networks to be advertised by BGP. |
N/A |
Configuring ACs
|
Leaf 5 (S6850) |
Leaf 6 (S6850) |
Configuration method |
Description |
Remarks |
|
interface Twenty-FiveGigE 1/0/2 |
interface Twenty-FiveGigE 1/0/6 |
Manual or controller-based |
Enter the view of the physical port connected to compute servers. |
N/A |
|
port link-type trunk |
port link-type trunk |
Manual or controller-based |
Set the link type of the physical port to trunk. |
N/A |
|
undo port trunk permit vlan 1 |
undo port trunk permit vlan 1 |
Manual or controller-based |
Remove the port from VLAN 1. |
N/A |
|
port trunk permit vlan 3342 |
port trunk permit vlan 3316 |
Manual or controller-based |
Assign the port to a VLAN. |
N/A |
|
port trunk pvid vlan 3342 |
port trunk pvid vlan 3316 |
Manual or controller-based |
Set the PVID of the port. |
N/A |
|
service-instance 3342 |
service-instance 3316 |
Manual or controller-based |
Create an Ethernet service instance. |
N/A |
|
encapsulation untagged |
encapsulation untagged |
Manual or controller-based |
Configure the Ethernet service instance to match any frames that do not have an 802.1Q VLAN tag. |
N/A |
|
xconnect vsi SDN_VSI_13342 access-mode ethernet |
xconnect vsi SDN_VSI_13316 access-mode ethernet |
Manual or controller-based |
Map the Ethernet service instance to the specified VSI. |
N/A |
Configuring border devices (Border1 and Border2)
Procedure summary
· Configuring the device modes
· Configuring the routing protocols on the underlay network
· Setting up the DR system and the IPL link
· Configuring the links connecting border devices to spine devices
· Configuring the EVPN distributed gateways
Configuring the device modes
For how to configure the device modes, see ADDC solution deployment guides. The mode-related configurations might include the following types:
· Hardware resource mode configuration (for example, the hardware-resource switch-mode command on S6850 switches).
· Support for IPv6 routes with the prefix longer than 64 bits (for example, the hardware-resource routing-mode ipv6-128 command on S6850 switches).
· VXLAN hardware resource mode configuration (for example, the hardware-resource vxlan command on S6850 switches).
Configuring the routing protocols on the underlay network
|
Border1 (S6850) |
Border2 (S6850) |
Configuration method |
Description |
Remarks |
|
router id 197.32.241.47 |
router id 197.32.241.48 |
Manual or controller-based |
Configure a router ID. |
N/A |
|
ospf 65530 |
ospf 65530 |
Manual or controller-based |
Enable OSPF process 65530. |
N/A |
|
non-stop-routing |
non-stop-routing |
Manual or controller-based |
Enable OSPF NSR. |
N/A |
|
stub-router include-stub on-startup 900 |
stub-router include-stub on-startup 900 |
Manual or controller-based |
Configure the router as a stub router during reboot and specify the timeout time. Specify the cost of the stub links (link type 3) in Router LSAs to the maximum value 65535. |
Execute this command to accelerate network convergence. |
|
area 0.0.0.0 |
area 0.0.0.0 |
Manual or controller-based |
Create OSPF area 0.0.0.0. |
N/A |
|
interface LoopBack0 |
interface LoopBack0 |
Manual or controller-based |
Create interface Loopback 0 and enter its view. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on interface Loopback 0. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface LoopBack2 |
interface LoopBack2 |
Manual or controller-based |
Create interface Loopback 2 and enter its view. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on interface Loopback 2. |
N/A |
Configuring L3VPNs
|
Border1 (S6850) |
Border2 (S6850) |
Configuration method |
Description |
Remarks |
|
interface LoopBack0 |
interface LoopBack0 |
Manual or controller-based |
Configure interface Loopback 0. |
N/A |
|
ip address 197.32.241.47 255,255,255,255 |
ip address 197.32.241.48 255.255.255.255 |
Manual or controller-based |
Assign an IP address to interface Loopback 0. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface LoopBack2 |
interface LoopBack2 |
Manual or controller-based |
Configure interface Loopback 2. |
N/A |
|
ip address 197.32.241.86 255,255,255,255 |
ip address 197.32.241.86 255.255.255.255 |
Manual or controller-based |
Assign an IP address to interface Loopback 2. |
N/A |
|
ip vpn-instance auto-online-mlag |
ip vpn-instance auto-online-mlag |
Manual or controller-based |
Create a VPN instance for the DRNI keepalive link. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
ip vpn-instance mgmt |
ip vpn-instance mgmt |
Manual or controller-based |
Create a VPN instance for the management port. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
ip vpn-instance ZHTESTCTVRF route-distinguisher 7:10000 address-family ipv4 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family ipv6 route-replicate from vpn-instance ZHTESTCTVRF protocol vlink-direct vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity address-family evpn vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit |
ip vpn-instance ZHTESTCTVRF route-distinguisher 8:10000 address-family ipv4 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family ipv6 route-replicate from vpn-instance ZHTESTCTVRF protocol vlink-direct vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity address-family evpn vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit |
Manual or controller-based |
Configure the VPN instance for user services. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4 address family and EVPN address family. |
For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
ip vpn-instance ZHTESTCTFWNS01VRF route-distinguisher 7:10001 address-family ipv4 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit |
ip vpn-instance ZHTESTCTFWNS01VRF route-distinguisher 8:10001 address-family ipv4 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit |
Manual or controller-based |
Configure the VPN instance for the north-south firewall service. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4 address family and EVPN address family. |
For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other. |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
ip vpn-instance ZHTESTCTFWEW01VRF route-distinguisher 7:10002 address-family ipv4 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit |
ip vpn-instance ZHTESTCTFWEW01VRF route-distinguisher 8:10002 address-family ipv4 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit |
Manual or controller-based |
Configure the VPN instance for the east-west firewall service. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4 address family and EVPN address family. |
For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other. |
|
ip vpn-instance external_vpn_1001 route-distinguisher 1:1001 address-family ipv4 vpn-target 0:1001 1:1001 1:10000 import-extcommunity vpn-target 1:1001 export-extcommunity address-family ipv6 vpn-target 0:1001 1:1001 1:10000 import-extcommunity vpn-target 1:1001 export-extcommunity address-family evpn vpn-target 0:1001 1:1001 1:10000 import-extcommunity vpn-target 1:1001 export-extcommunity |
ip vpn-instance external_vpn_1001 route-distinguisher 2:1001 address-family ipv4 vpn-target 0:1001 1:1001 1:10000 import-extcommunity vpn-target 1:1001 export-extcommunity address-family ipv6 vpn-target 0:1001 1:1001 1:10000 import-extcommunity vpn-target 1:1001 export-extcommunity address-family evpn vpn-target 0:1001 1:1001 1:10000 import-extcommunity vpn-target 1:1001 export-extcommunity |
Manual or controller-based |
Configure the VPN instance for the external network users. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4 address family and EVPN address family. |
N/A |
|
ip route-static vpn-instance ZHTESTCTVRF 0.0.0.0 0 vpn-instance external_vpn_1001 197.32.224.18 |
ip route-static vpn-instance ZHTESTCTVRF 0.0.0.0 0 vpn-instance external_vpn_1001 197.32.224.18 |
Manual or controller-based |
Configure the default IPv4 route from the VPN instance of the user services to the Layer 3 devices in the VPN instance of the external network. |
N/A |
|
ipv6 route-static vpn-instance ZHTESTCTVRF :: 0 vpn-instance external_vpn_1001 FD00:0:97B0:2::F description SDN_ROUTE |
ipv6 route-static vpn-instance ZHTESTCTVRF :: 0 vpn-instance external_vpn_1001 FD00:0:97B0:2::F description SDN_ROUTE |
Manual or controller-based |
Configure the default IPv6 route from the VPN instance of the user services to the Layer 3 devices in the VPN instance of the external network. |
N/A |
Setting up the DR system and the IPL link
|
Border1 (S6850) |
Border2 (S6850) |
Configuration method |
Description |
Remarks |
|
drni system-mac 0c3a-fa38-9c5f |
drni system-mac 0c3a-fa38-9c5f |
Manual or controller-based |
Set the MAC address of the DR system. |
You must assign the same DR system MAC address to the member devices in a DR system. |
|
drni system-number 1 |
drni system-number 2 |
Manual or controller-based |
Set the DR system number. |
You must assign different DR system numbers to the member devices in a DR system. |
|
drni system-priority 10 |
drni system-priority 10 |
Manual or controller-based |
Set the DR system priority. |
You must set the same DR system priority on the member devices in a DR system. |
|
drni keepalive ip destination 197.32.241.94 source 197.32.241.93 vpn-instance auto-online-mlag |
drni keepalive ip destination 197.32.241.93 source 197.32.241.94 vpn-instance auto-online-mlag |
Manual or controller-based |
Configure the destination and source IP addresses of keepalive packets. |
The source and destination IP addresses specified on one member device must be the destination and source IP addresses specified on the other, respectively. |
|
drni restore-delay 300 |
drni restore-delay 300 |
Manual or controller-based |
Set the data restoration interval. This parameter specifies the maximum amount of time for the secondary DR member device to synchronize data with the primary DR member device during DR system setup. |
To avoid packet loss and forwarding failure, increase the data restoration interval if the amount of data is large, for example, when the device has a large number of routes and interfaces. |
|
drni mad default-action none |
drni mad default-action none |
Manual or controller-based |
Set the DRNI MAD action to none. |
When the DR system splits, DRNI MAD will not shut down any network interfaces, except the interfaces configured manually or by the system to be shut down by DRNI MAD. |
|
drni mad include interface HundredGigE1/0/25 drni mad include interface HundredGigE1/0/26 |
drni mad include interface HundredGigE1/0/25 drni mad include interface HundredGigE1/0/26 |
Manual or controller-based |
Configure DRNI MAD to shut down the uplink interfaces when the DR system splits. |
N/A |
|
interface Twenty-FiveGigE 1/0/54 |
interface Twenty-FiveGigE 1/0/54 |
Manual or controller-based |
Enter the interface view for the keepalive link. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the interface for the keepalive link to operate in route mode as a Layer 3 interface. |
N/A |
|
ip binding vpn-instance auto-online-mlag |
ip binding vpn-instance auto-online-mlag |
Manual or controller-based |
Associate the interface for the keepalive link with a VPN instance. |
N/A |
|
ip address 197.32.241.93 255,255,255,252 |
ip address 197.32.241.94 255.255.255.252 |
Manual or controller-based |
Assign an IP address to the interface for the keepalive link. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface bridge-aggregation 256 |
interface bridge-aggregation 256 |
Manual or controller-based |
Create the Layer 2 aggregate interface to be used as IPP, and enter interface view. |
N/A |
|
link-aggregation mode dynamic |
link-aggregation mode dynamic |
Manual or controller-based |
Configure the aggregate interface to operate in dynamic aggregation mode. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface HundredGigE1/0/31 |
interface HundredGigE1/0/31 |
Manual or controller-based |
Enter the view of the physical port for the IPL. |
N/A |
|
port link-aggregation group 256 |
port link-aggregation group 256 |
Manual or controller-based |
Assign the physical port for the IPL to the aggregation group (aggregation group 256). |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface bridge-aggregation 256 |
interface bridge-aggregation 256 |
Manual or controller-based |
Create the Layer 2 aggregate interface to be used as IPP, and enter interface view. |
N/A |
|
port drni intra-portal-port 1 |
port drni intra-portal-port 1 |
Manual or controller-based |
Specify the aggregate interface (Bridge-Aggregation 256) as the IPP. |
N/A |
|
port trunk pvid vlan 4094 |
port trunk pvid vlan 4094 |
Manual or controller-based |
Set the PVID of the trunk port to 4094. |
N/A |
|
undo mac-address static source-check enable |
undo mac-address static source-check enable |
Manual or controller-based |
Disable the static source check feature on the interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface Vlan-interface 4094 |
interface Vlan-interface 4094 |
Manual or controller-based |
Create a VLAN interface on each of the DR member devices to establish Layer 3 connectivity for forwarding packets from devices single-homed to only one DR interface. This example uses VLAN-interface 4094. |
N/A |
|
ip address 197.32.241.147 255.255.255.0 |
ip address 197.32.241.148 255.255.255.0 |
Manual or controller-based |
Assign an IP address to VLAN-interface 4094. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Configure OSPF on VLAN-interface 4094. |
N/A |
Configuring the DR aggregate links connecting border devices to the Layer 3 device on the external network
|
Border1 (S6850) |
Border2 (S6850) |
Configuration method |
Description |
Remarks |
|
interface bridge-aggregation 257 |
interface bridge-aggregation 257 |
Manual or controller-based |
Create a DR aggregate interface connecting to the Layer 3 device on the external network. |
N/A |
|
link-aggregation mode dynamic |
link-aggregation mode dynamic |
Manual or controller-based |
Configure the aggregate interface connecting to the Layer 3 device on the external network to operate in dynamic aggregation mode. |
N/A |
|
port drni group 1 |
port drni group 1 |
Manual or controller-based |
Assign the aggregate interface (Bridge-Aggregation 257) to DR group 1. |
N/A |
|
port link-type trunk |
port link-type trunk |
Manual or controller-based |
Set the link type of DR aggregate interface 257 to trunk. |
N/A |
|
port trunk permit vlan 1 1001 |
port trunk permit vlan 1 1001 |
Manual or controller-based |
Assign DR aggregate interface 257 to VLAN 1001. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface HundredGigE1/0/51 |
interface HundredGigE1/0/51 |
Manual or controller-based |
Enter the view of the physical interface connecting to the Layer 3 device on the external network. |
N/A |
|
port link-type trunk |
port link-type trunk |
Manual or controller-based |
Set the link type to trunk for the physical interface connecting to the Layer 3 device on the external network. |
N/A |
|
port trunk permit vlan 1 1001 |
port trunk permit vlan 1 1001 |
Manual or controller-based |
Assign the physical interface connecting to the Layer 3 device on the external network to VLAN 1001. |
N/A |
|
port link-aggregation group 257 |
port link-aggregation group 257 |
Manual or controller-based |
Assign the physical interface connecting to the Layer 3 device on the external network to aggregation group 257. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface Vlan-interface1001 |
interface Vlan-interface1001 |
N/A |
Configure the VLAN interface connecting to the Layer 3 device on the external network. |
N/A |
|
ip binding vpn-instance external_vpn_1001 |
ip binding vpn-instance external_vpn_1001 |
N/A |
Associate the VLAN interface connecting to the Layer 3 device on the external network with a VPN instance, which is different from the VPN instance of user services. |
N/A |
|
ip address 197.32.224.17 255.255.255.252 sub |
ip address 197.32.224.17 255.255.255.252 sub |
N/A |
Configure the IP address for connecting to the Layer 3 device on the external network to implement a dual-active gateway. |
N/A |
|
mac-address 3c8c-404e-dd46 |
mac-address 3c8c-404e-dd46 |
N/A |
Assign a MAC address to the interface connecting to the Layer 3 device on the external network. |
N/A |
|
ipv6 address FD00:0:97B0:2::1/64 |
ipv6 address FD00:0:97B0:2::1/64 |
N/A |
Assign an IPv6 address to the interface connecting to the Layer 3 device on the external network. |
N/A |
Configuring the links connecting border devices to spine devices
|
Border1 (S6850) |
Border2 (S6850) |
Configuration method |
Description |
Remarks |
|
interface HundredGigE1/0/25 |
interface HundredGigE1/0/25 |
Manual or controller-based |
Enter the view of the uplink interface, the physical interface connecting to Spine A. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the uplink interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface LoopBack0 |
ip address unnumbered interface LoopBack0 |
Manual or controller-based |
Configure the uplink interface to borrow the IP address of interface Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the uplink interface. |
N/A |
|
undo mac-address static source-check enable |
undo mac-address static source-check enable |
Manual or controller-based |
Disable source MAC check on the uplink interface. |
N/A |
|
lldp compliance admin-status cdp txrx |
lldp compliance admin-status cdp txrx |
Manual or controller-based |
Configure CDP-compatible LLDP to operate in TxRx mode. |
In this mode, LLDP both sends and receives CDP packets. |
|
lldp management-address arp-learning |
lldp management-address arp-learning |
Manual or controller-based |
Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface. |
N/A |
|
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0 |
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0 |
Manual or controller-based |
Configure advertisable TLVs on the interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface HundredGigE1/0/26 |
interface HundredGigE1/0/26 |
Manual or controller-based |
Enter the view of the uplink interface, the physical interface connecting to Spine B. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the uplink interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface LoopBack0 |
ip address unnumbered interface LoopBack0 |
Manual or controller-based |
Configure the uplink interface to borrow the IP address of interface Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the uplink interface. |
N/A |
|
undo mac-address static source-check enable |
undo mac-address static source-check enable |
Manual or controller-based |
Disable source MAC check on the uplink interface. |
N/A |
|
lldp compliance admin-status cdp txrx |
lldp compliance admin-status cdp txrx |
Manual or controller-based |
Configure CDP-compatible LLDP to operate in TxRx mode. |
In this mode, LLDP both sends and receives CDP packets. |
|
lldp management-address arp-learning |
lldp management-address arp-learning |
Manual or controller-based |
Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface. |
N/A |
|
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0 |
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0 |
Manual or controller-based |
Configure advertisable TLVs on the interface. |
N/A |
Configuring the EVPN distributed gateways
|
Border1 (S6850) |
Border2 (S6850) |
Configuration method |
Description |
Remarks |
|
l2vpn enable |
l2vpn enable |
Manual or controller-based |
Enable L2VPN. |
N/A |
|
l2vpn drni peer-link ac-match-rule vxlan-mapping |
l2vpn drni peer-link ac-match-rule vxlan-mapping |
Manual or controller-based |
Enable the device to create frame match criteria based on VXLAN IDs for the dynamic ACs on the Ethernet aggregate link IPL. |
N/A |
|
vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable |
vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable |
Manual or controller-based |
Disable remote ARP/ND learning. |
This setting avoids the conflict between automatically learned ARP/ND entries and ARP/ND entries advertised through EVPN. |
|
vxlan tunnel mac-learning disable |
vxlan tunnel mac-learning disable |
Manual or controller-based |
Disable remote MAC address learning. |
This setting avoids the conflict between automatically learned MAC address entries and MAC address entries advertised through EVPN. |
|
vxlan default-decapsulation source interface LoopBack0 |
vxlan default-decapsulation source interface LoopBack0 |
Manual or controller-based |
Enable the device to always decapsulate the VXLAN packets destined for the IP address of Loopback 0, whether or not it has a VXLAN tunnel for them. |
N/A |
|
vlan all |
vlan all |
Manual or controller-based |
Bulk create VLANs 1 through 4094. |
N/A |
|
evpn drni group 197.32.241.86 |
evpn drni group 197.32.241.86 |
Manual or controller-based |
Enable EVPN distributed relay and specify the virtual VTEP address. |
N/A |
|
evpn global-mac 0c3a-fa38-2211 |
evpn global-mac 0c3a-fa38-2211 |
Manual or controller-based |
Configure an EVPN global MAC address. |
N/A |
|
interface Vsi-interface1001 |
interface Vsi-interface1001 |
Manual or controller-based |
Create the VSI interface to be associated with the L3VNI of the external network device. |
N/A |
|
ip binding vpn-instance external_vpn_1001 |
ip binding vpn-instance external_vpn_1001 |
Manual or controller-based |
Bind the interface to the VPN instance of the external network device. |
N/A |
|
l3-vni 1001 |
l3-vni 1001 |
Manual or controller-based |
Associate the interface with an L3VNI. |
N/A |
|
interface Vsi-interface 10001 |
interface Vsi-interface 10001 |
Manual or controller-based |
Create the VSI interface to be associated with the L3VNI of the north-south firewall. |
N/A |
|
ip binding vpn-instance ZHTESTCTFWNS01VRF |
ip binding vpn-instance ZHTESTCTFWNS01VRF |
Manual or controller-based |
Bind the interface to the VPN instance of the north-south firewall. |
N/A |
|
l3-vni 10001 |
l3-vni 10001 |
Manual or controller-based |
Associate the interface with an L3VNI. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface Vsi-interface 10002 |
interface Vsi-interface 10002 |
Manual or controller-based |
Create the VSI interface to be associated with the L3VNI of the east-west firewall. |
N/A |
|
ip binding vpn-instance ZHTESTCTFWEW01VRF |
ip binding vpn-instance ZHTESTCTFWEW01VRF |
Manual or controller-based |
Bind the interface to the VPN instance of the east-west firewall. |
N/A |
|
l3-vni 10002 |
l3-vni 10002 |
Manual or controller-based |
Associate the interface with an L3VNI. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface Vsi-interface10000 |
interface Vsi-interface10000 |
Manual or controller-based |
Create the VSI interface to be associated with the L3VNI of the server. |
N/A |
|
ip binding vpn-instance ZHTESTCTVRF |
ip binding vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Bind the interface to the VPN instance of the server. |
N/A |
|
l3-vni 10000 |
l3-vni 10000 |
Manual or controller-based |
Associate the interface with an L3VNI. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
bgp 65530 |
bgp 65530 |
Manual or controller-based |
Enable the BGP instance and enter BGP instance view. |
N/A |
|
non-stop-routing |
non-stop-routing |
Manual or controller-based |
Enable BGP NSR. |
N/A |
|
router-id 197.32.241.47 |
router-id 197.32.241.48 |
Manual or controller-based |
Specify a router ID for the BGP instance. |
N/A |
|
group evpn internal |
group evpn internal |
Manual or controller-based |
Create an IBGP peer group named evpn. |
N/A |
|
peer evpn connect-interface LoopBack0 |
peer evpn connect-interface LoopBack0 |
Manual or controller-based |
Specify a source interface for establishing TCP connections to the peer group. |
N/A |
|
peer 197.32.241.37 group evpn |
peer 197.32.241.37 group evpn |
Manual or controller-based |
Add node Spine A to IBGP group evpn. |
N/A |
|
peer 197.32.241.38 group evpn |
peer 197.32.241.38 group evpn |
Manual or controller-based |
Add node Spine B to IBGP group evpn. |
N/A |
|
address-family l2vpn evpn |
address-family l2vpn evpn |
Manual or controller-based |
Create the BGP EVPN address family and enter its view. |
N/A |
|
peer evpn enable |
peer evpn enable |
Manual or controller-based |
Enable BGP to exchange BGP EVPN routes with peer group evpn. |
N/A |
|
nexthop evpn-drni group-address |
nexthop evpn-drni group-address |
Manual or controller-based |
Enable the device to replace the next hop in advertised BGP EVPN routes with the virtual VTEP address. |
Execute this command on the border DR system to advertise its virtual address tunnel. |
|
ip vpn-instance ZHTESTCTFWEW01VRF |
ip vpn-instance ZHTESTCTFWEW01VRF |
Manual or controller-based |
Enter the view of the BGP-VPN instance of the east-west firewall. |
N/A |
|
address-family ipv4 unicast |
address-family ipv4 unicast |
Manual or controller-based |
Enter BGP-VPN IPv4 unicast address family view. |
N/A |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
N/A |
|
address-family ipv6 unicast |
address-family ipv6 unicast |
Manual or controller-based |
Enter BGP-VPN IPv6 unicast address family view. |
N/A |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
N/A |
|
ip vpn-instance ZHTESTCTFWNS01VRF |
ip vpn-instance ZHTESTCTFWNS01VRF |
Manual or controller-based |
Enter the view of the BGP-VPN instance of the north-south firewall. |
N/A |
|
address-family ipv4 unicast |
address-family ipv4 unicast |
Manual or controller-based |
Enter BGP-VPN IPv4 unicast address family view. |
N/A |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
N/A |
|
address-family ipv6 unicast |
address-family ipv6 unicast |
Manual or controller-based |
Enter BGP-VPN IPv6 unicast address family view. |
N/A |
|
balance 4 |
balance 4 |
Manual or controller-based |
Enable load balancing and set the maximum number of BGP ECMP routes for load balancing. |
N/A |
|
ip vpn-instance ZHTESTCTVRF |
ip vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Enter the view of the BGP-VPN instance of the server. |
N/A |
|
address-family ipv4 unicast default-route imported balance 4 import-route static |
address-family ipv4 unicast default-route imported balance 4 import-route static |
Manual or controller-based |
Enter BGP-VPN IPv4 unicast address family view and configure routes to be redistributed into BGP. |
N/A |
|
address-family ipv6 unicast default-route imported balance 4 import-route static |
address-family ipv6 unicast default-route imported balance 4 import-route static |
Manual or controller-based |
Enter BGP-VPN IPv6 unicast address family view and configure routes to be redistributed into BGP. |
N/A |
|
ip vpn-instance external_vpn_1001 address-family ipv4 unicast balance 4 network 197.32.224.16 255.255.255.252 network 197.32.224.18 255.255.255.255 address-family ipv6 unicast balance 4 network FD00:0:97B0:2:: 64 network FD00:0:97B0:2::F 128 |
ip vpn-instance external_vpn_1001 address-family ipv4 unicast balance 4 network 197.32.224.16 255.255.255.252 network 197.32.224.18 255.255.255.255 address-family ipv6 unicast balance 4 network FD00:0:97B0:2:: 64 network FD00:0:97B0:2::F 128 |
Manual or controller-based |
Enter the view of the BGP-VPN instance connecting to the Layer 3 device on the external network. Enter BGP-VPN IPv4/IPv6 unicast address family view. Inject networks to the BGP routing table and configure BGP to advertise the networks. |
N/A |
Configuring the spine devices
Procedure summary
· Configuring the routing protocols on the underlay network
· Configuring the links connecting spine devices to leaf/border devices
· Configuring the spine devices as route reflectors
Configuring the routing protocols on the underlay network
|
Spine A (S12500X) |
Spine B (S12500X) |
Configuration method |
Description |
Remarks |
|
interface LoopBack0 |
interface LoopBack0 |
Manual or controller-based |
Create interface Loopback 0 and enter its view. |
N/A |
|
ip address 197.32.241.37 255.255.255.255 |
ip address 197.32.241.38 255.255.255.255 |
Manual or controller-based |
Assign an IP address to interface Loopback 0. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
router id 197.32.241.37 |
router id 197.32.241.38 |
Manual or controller-based |
Configure a router ID. |
N/A |
|
ospf 65530 |
ospf 65530 |
Manual or controller-based |
Enable OSPF process 65530. |
N/A |
|
non-stop-routing |
non-stop-routing |
Manual or controller-based |
Enable OSPF NSR. |
N/A |
|
stub-router include-stub on-startup 900 |
stub-router include-stub on-startup 900 |
Manual or controller-based |
Configure the router as a stub router during reboot and specify the timeout time. Specify the cost of the stub links (link type 3) in Router LSAs to the maximum value 65535. |
Execute this command to accelerate network convergence. |
|
area 0.0.0.0 |
area 0.0.0.0 |
Manual or controller-based |
Create OSPF area 0.0.0.0. |
N/A |
|
quit quit |
quit quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface LoopBack0 |
interface LoopBack0 |
Manual or controller-based |
Create interface Loopback 0 and enter its view. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on interface Loopback 0. |
N/A |
Configuring the links connecting spine devices to leaf/border devices
|
Spine A (S12500X) |
Spine B (S12500X) |
Configuration method |
Description |
Remarks |
|
interface HundredGigE1/0/1 |
interface HundredGigE1/0/1 |
Manual or controller-based |
Enter the view of the downlink interface, the physical interface connecting to Leaf 1. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the downlink interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface LoopBack0 |
ip address unnumbered interface LoopBack0 |
Manual or controller-based |
Configure the downlink interface to borrow the IP address of interface Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the downlink interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface HundredGigE1/0/2 |
interface HundredGigE1/0/2 |
Manual or controller-based |
Enter the view of the downlink interface, the physical interface connecting to Leaf 2. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the downlink interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface LoopBack0 |
ip address unnumbered interface LoopBack0 |
Manual or controller-based |
Configure the downlink interface to borrow the IP address of interface Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the downlink interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface HundredGigE1/0/3 |
interface HundredGigE1/0/3 |
Manual or controller-based |
Enter the view of the downlink interface, the physical interface connecting to Leaf 3. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the downlink interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface LoopBack0 |
ip address unnumbered interface LoopBack0 |
Manual or controller-based |
Configure the downlink interface to borrow the IP address of interface Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the downlink interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface HundredGigE1/0/4 |
interface HundredGigE1/0/4 |
Manual or controller-based |
Enter the view of the downlink interface, the physical interface connecting to Leaf 4. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the downlink interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface LoopBack0 |
ip address unnumbered interface LoopBack0 |
Manual or controller-based |
Configure the downlink interface to borrow the IP address of interface Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the downlink interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface HundredGigE1/0/5 |
interface HundredGigE1/0/5 |
Manual or controller-based |
Enter the view of the downlink interface, the physical interface connecting to Leaf 5. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the downlink interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface LoopBack0 |
ip address unnumbered interface LoopBack0 |
Manual or controller-based |
Configure the downlink interface to borrow the IP address of interface Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the downlink interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface HundredGigE1/0/6 |
interface HundredGigE1/0/6 |
Manual or controller-based |
Enter the view of the downlink interface, the physical interface connecting to Leaf 6. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the downlink interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface LoopBack0 |
ip address unnumbered interface LoopBack0 |
Manual or controller-based |
Configure the downlink interface to borrow the IP address of interface Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the downlink interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
Return to system view. |
N/A |
|
interface HundredGigE1/0/7 |
interface HundredGigE1/0/7 |
Manual or controller-based |
Enter the view of the uplink interface, the physical interface connecting to Border1. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the uplink interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface LoopBack0 |
ip address unnumbered interface LoopBack0 |
Manual or controller-based |
Configure the uplink interface to borrow the IP address of interface Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the uplink interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
N/A |
N/A |
|
interface HundredGigE1/0/8 |
interface HundredGigE1/0/8 |
Manual or controller-based |
Enter the view of the uplink interface, the physical interface connecting to Border2. |
N/A |
|
port link-mode route |
port link-mode route |
Manual or controller-based |
Configure the uplink interface to operate in route mode as a Layer 3 interface. |
N/A |
|
ip address unnumbered interface LoopBack0 |
ip address unnumbered interface LoopBack0 |
Manual or controller-based |
Configure the uplink interface to borrow the IP address of interface Loopback 0. |
N/A |
|
ospf network-type p2p |
ospf network-type p2p |
Manual or controller-based |
Set the OSPF network type of the interface to P2P. |
N/A |
|
ospf 65530 area 0.0.0.0 |
ospf 65530 area 0.0.0.0 |
Manual or controller-based |
Enable OSPF on the uplink interface. |
N/A |
|
quit |
quit |
Manual or controller-based |
N/A |
N/A |
|
interface range HundredGigE1/0/1 to HundredGigE1/0/8 |
interface range HundredGigE1/0/1 to HundredGigE1/0/8 |
Manual or controller-based |
Enter the view of the interfaces connecting to leaf devices. |
N/A |
|
lldp compliance admin-status cdp txrx |
lldp compliance admin-status cdp txrx |
Manual or controller-based |
Configure CDP-compatible LLDP to operate in TxRx mode. |
In this mode, LLDP both sends and receives CDP packets. |
|
lldp management-address arp-learning |
lldp management-address arp-learning |
Manual or controller-based |
Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface. |
N/A |
|
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0 |
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0 |
Manual or controller-based |
Configure advertisable TLVs on the interface. |
N/A |
Configuring the spine devices as route reflectors
|
Spine A (S12500X) |
Spine B (S12500X) |
Configuration method |
Description |
Remarks |
|
bgp 65530 |
bgp 65530 |
Manual or controller-based |
Enable the BGP instance and enter BGP instance view. |
N/A |
|
non-stop-routing |
non-stop-routing |
Manual or controller-based |
Enable BGP NSR. |
N/A |
|
router-id 197.32.241.37 |
router-id 197.32.241.38 |
Manual or controller-based |
Specify a router ID for the BGP instance. |
N/A |
|
group evpn internal |
group evpn internal |
Manual or controller-based |
Create an IBGP peer group named evpn. |
N/A |
|
peer evpn connect-interface LoopBack0 |
peer evpn connect-interface LoopBack0 |
Manual or controller-based |
Specify a source interface for establishing TCP connections to the peer group. |
N/A |
|
peer 197.32.241.41 group evpn |
peer 197.32.241.41 group evpn |
Manual or controller-based |
Added Leaf 1 to peer group evpn. |
N/A |
|
peer 197.32.241.42 group evpn |
peer 197.32.241.42 group evpn |
Manual or controller-based |
Added Leaf 2 to peer group evpn. |
N/A |
|
peer 197.32.241.43 group evpn |
peer 197.32.241.43 group evpn |
Manual or controller-based |
Added Leaf 3 to peer group evpn. |
N/A |
|
peer 197.32.241.44 group evpn |
peer 197.32.241.44 group evpn |
Manual or controller-based |
Added Leaf 4 to peer group evpn. |
N/A |
|
peer 197.32.241.45 group evpn |
peer 197.32.241.45 group evpn |
Manual or controller-based |
Added Leaf 5 to peer group evpn. |
N/A |
|
peer 197.32.241.46 group evpn |
peer 197.32.241.46 group evpn |
Manual or controller-based |
Added Leaf 6 to peer group evpn. |
N/A |
|
peer 197.32.241.47 group evpn |
peer 197.32.241.47 group evpn |
Manual or controller-based |
Added Border 1 to peer group evpn. |
N/A |
|
peer 197.32.241.48 group evpn |
peer 197.32.241.48 group evpn |
Manual or controller-based |
Added Border 2 to peer group evpn. |
N/A |
|
address-family l2vpn evpn |
address-family l2vpn evpn |
Manual or controller-based |
Create the BGP EVPN address family and enter its view. |
N/A |
|
undo policy vpn-target |
undo policy vpn-target |
Manual or controller-based |
Disable route target-based filtering of incoming BGP EVPN routes. |
N/A |
|
peer evpn enable |
peer evpn enable |
Manual or controller-based |
Enable BGP to exchange BGP EVPN routes with peer group evpn. |
N/A |
|
peer evpn reflect-client |
peer evpn reflect-client |
Manual or controller-based |
Configure the spine node as a route reflector and specify peer group evpn as a client. |
N/A |
Configuring the links connecting the east-west/north-south firewalls to leaf devices
|
East-west firewall |
North-south firewall |
Configuration method |
Description |
Remarks |
|
vlan 999 1000 |
vlan 997 998 |
Manual or controller-based |
Bulk create VLANs 1 through 4094. |
N/A |
|
interface Vlan-interface 999 ip address 197.32.224.30 255.255.255.252 ipv6 address FD00:0:97B0:102::F/64 quit |
interface Vlan-interface 997 ip address 197.32.224.22 255.255.255.252 ipv6 address FD00:0:97B0:100::F/64 quit |
Manual or controller-based |
Configure a VLAN interface for forwarding packets at Layer 3. |
N/A |
|
interface Vlan-interface1000 ip address 197.32.224.34 255.255.255.252 ipv6 address FD00:0:97B0:103::F/64 quit |
interface Vlan-interface 998 ip address 197.32.224.26 255.255.255.252 ipv6 address FD00:0:97B0:101::F/64 quit |
Manual or controller-based |
Configure a VLAN interface for forwarding packets at Layer 3. |
N/A |
|
interface Bridge-Aggregation257 port link-type trunk port trunk permit vlan all link-aggregation mode dynamic quit |
interface Bridge-Aggregation258 port link-type trunk port trunk permit vlan all link-aggregation mode dynamic quit |
Manual or controller-based |
Configure the firewall to access the DR system formed by leaf devices through an aggregate interface. |
N/A |
|
interface HundredGigE2/0/29 port link-mode bridge port link-type trunk port trunk permit vlan all flow-interval 5 port link-aggregation group 257 quit |
interface HundredGigE3/0/29 port link-mode bridge port link-type trunk port trunk permit vlan all flow-interval 5 port link-aggregation group 258 quit |
Manual or controller-based |
Assign the physical interface connecting to Leaf 1 to an aggregation group. |
N/A |
|
interface HundredGigE2/0/30 port link-mode bridge port link-type trunk port trunk permit vlan all flow-interval 5 port link-aggregation group 257 quit |
interface HundredGigE3/0/30 port link-mode bridge port link-type trunk port trunk permit vlan all flow-interval 5 port link-aggregation group 258 quit |
Manual or controller-based |
Assign the physical interface connecting to Leaf 2 to an aggregation group. |
N/A |
|
ip route-static 197.32.0.0 16 197.32.224.33 ipv6 route-static FD00:0:97B0::/24 FD00:0:97B0:103::1 |
ip route-static 197.32.0.0 16 197.32.224.25 ipv6 route-static FD00:0:97B0::/24 FD00:0:97B0:101::1 |
Manual or controller-based |
Create static routes for routing traffic back to the connected DR system at the leaf tier. |
This setting is for illustration only. In a real deployment, you can configure a firewall by using any method as long as the firewall can return the traffic to the VXLAN network back to the leaf device connected to it. |
Configuring the links connecting L3 devices and border devices
|
L3 device |
Configuration method |
Description |
Remarks |
|
vlan all |
Manual or controller-based |
Bulk create VLANs 1 through 4094. |
N/A |
|
interface Vlan-interface1001 |
Manual or controller-based |
Configure VLAN-interface 1001 for forwarding packets at Layer 3 to the external network. |
N/A |
|
ip address 197.32.225.18 255.255.255.252 |
Manual or controller-based |
Assign an IPv4 address to an interface. |
N/A |
|
ipv6 address FD00:1:97B0:2::F/64 |
Manual or controller-based |
Assign an IPv6 address to an interface. |
N/A |
|
interface Bridge-Aggregation257 port link-type trunk port trunk permit vlan 1001 link-aggregation mode dynamic quit |
Manual or controller-based |
Configure the aggregate interface to access the DR system formed by border devices. |
N/A |
|
interface HundredGigE4/0/29 port link-mode bridge port link-type trunk port trunk permit vlan 1001 flow-interval 5 port link-aggregation group 257 quit |
Manual or controller-based |
Assign the physical interface connecting to Border1 to an aggregation group. |
N/A |
|
interface HundredGigE4/0/30 port link-mode bridge port link-type trunk port trunk permit vlan1001 flow-interval 5 port link-aggregation group 257 quit |
Manual or controller-based |
Assign the physical interface connecting to Border2 to an aggregation group. |
N/A |
|
ip route-static 197.32.0.0 16 197.32.224.17 ipv6 route-static FD00:: 16 FD00:0:97B0:2::1 |
Manual or controller-based |
Create static routes for routing traffic back to the connected leaf devices. |
N/A |
Configuring the DHCP server (single-homed to Leaf 5)
Attach a virtual DHCP server to Twenty-FiveGigE 1/0/2 of Leaf 5. The DHCP server runs Windows Server 2012 and is assigned IP address 197.32.42.9.
To add the DHCP role on Windows Server 2012:
1. As shown in Figure 2, click Add Role and Features.
Figure 2 Server management page
+DHCP%20Relay+Microsegmentation+Service%20Chain%20Configuration%20Example.files/image003.jpg)
2. On the Add Role and Features Wizard page, select options as shown in Figure 3, Figure 4, and Figure 5. Click Next until the DHCP service is installed.
Figure 3 Add Role and Features Wizard (I)
+DHCP%20Relay+Microsegmentation+Service%20Chain%20Configuration%20Example.files/image004.jpg)
Figure 4 Add Role and Features Wizard (II)
+DHCP%20Relay+Microsegmentation+Service%20Chain%20Configuration%20Example.files/image005.jpg)
Figure 5 Add Role and Features Wizard (III)
+DHCP%20Relay+Microsegmentation+Service%20Chain%20Configuration%20Example.files/image006.jpg)
3. Enable the DHCP service, and configure the DHCP address pool to allocate IP addresses in the range of 197.32.13.50 and 197.32.13.100.
Figure 6 Configuring the DHCP address pool
+DHCP%20Relay+Microsegmentation+Service%20Chain%20Configuration%20Example.files/image007.jpg)
Configuring DHCP relay (with DHCP clients single-homed to Leaf 3)
Configuring service leaf nodes (Leaf 1 and Leaf 2)
|
Leaf 1 (S6850) |
Leaf 2 (S6850) |
Configuration method |
Description |
|
dhcp enable |
dhcp enable |
Manual or controller-based |
Enable DHCP. |
|
dhcp relay mac-forward enable |
dhcp relay mac-forward enable |
Manual or controller-based |
Enable MAC address table lookup for DHCP replies that do not have request forwarding information. |
Configuring DHCP client-attached leaf nodes (Leaf 3 and Leaf 4)
|
Leaf 4 (S6850) |
Configuration method |
Description |
Remarks |
|
|
dhcp enable |
dhcp enable |
Manual or controller-based |
Enable DHCP. |
N/A |
|
dhcp relay mac-forward enable |
dhcp relay mac-forward enable |
Manual or controller-based |
Enable MAC address table lookup for DHCP replies that do not have request forwarding information. |
This setting is required on devices that provide both distributed EVPN gateway and DHCP relay services. |
|
interface Vsi-interface13313 |
interface Vsi-interface13313 |
Manual or controller-based |
Enter the view of the VSI interface that provides distributed gateway service for attached servers. |
N/A |
|
dhcp select relay |
dhcp select relay |
Manual or controller-based |
Enable the VSI interface to operate as a DHCP relay agent. |
N/A |
|
dhcp relay server-address 197.32.42.9 |
dhcp relay server-address 197.32.42.9 |
Manual or controller-based |
Specify the IP address of the DHCP server for the DHCP relay agent. |
N/A |
|
dhcp relay request-from-tunnel discard |
dhcp relay request-from-tunnel discard |
Manual or controller-based |
Configure the DHCP relay agent to discard the DHCP requests received from VXLAN tunnels. |
N/A |
Configuring DHCP server-attached leaf nodes (Leaf 5 and Leaf 6)
|
Leaf 5 (S6850) |
Leaf 6 (S6850) |
Configuration method |
Description |
Remarks |
|
dhcp enable |
dhcp enable |
Manual or controller-based |
Enable DHCP. |
N/A |
|
dhcp relay mac-forward enable |
dhcp relay mac-forward enable |
Manual or controller-based |
Enable MAC address table lookup for DHCP replies that do not have request forwarding information. |
This setting is required on devices that provide both distributed EVPN gateway and DHCP relay services. |
Configuring IPv4/IPv6 microsegments and service chains
Configuring service leaf nodes (Leaf 1 and Leaf 2)
|
Leaf 2 (S6850) |
Configuration method |
Description |
|
|
microsegment enable |
microsegment enable |
Manual or controller-based |
Enable microsegmentation. |
|
microsegment 10001 name SDN_EPG_10001 |
Manual or controller-based |
Create microsegment 10001 and enter its view. |
|
|
member ipv4 197.32.14.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.14.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10001. |
|
member ipv4 197.32.16.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.16.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10001. |
|
member ipv6 FD00:0:97B0:1014:: 64 vpn-instance ZHTESTCTVRF |
member ipv6 FD00:0:97B0:1014:: 64 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10001. |
|
member ipv6 FD00:0:97B0:1016:: 64 vpn-instance ZHTESTCTVRF |
member ipv6 FD00:0:97B0:1016:: 64 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10001. |
|
microsegment 10002 name SDN_EPG_10002 |
microsegment 10002 name SDN_EPG_10002 |
Manual or controller-based |
Create microsegment 10002 and enter its view. |
|
member ipv4 197.32.42.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.42.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10002. |
|
member ipv6 FD00:0:97B0:1042:: 64 vpn-instance ZHTESTCTVRF |
member ipv6 FD00:0:97B0:1042:: 64 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10002. |
|
microsegment 10003 name SDN_EPG_10003 |
microsegment 10003 name SDN_EPG_10003 |
Manual or controller-based |
Create microsegment 10003 and enter its view. |
|
member ipv4 0.0.0.0 0.0.0.0 vpn-instance ZHTESTCTVRF |
member ipv4 0.0.0.0 0.0.0.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10003. |
|
member ipv6 :: 0 vpn-instance ZHTESTCTVRF |
member ipv6 :: 0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10003. |
|
microsegment 10004 name SDN_EPG_10004 |
microsegment 10004 name SDN_EPG_10004 |
Manual or controller-based |
Create microsegment 10004 and enter its view. |
|
member ipv4 197.32.42.9 255.255.255.255 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.42.9 255.255.255.255 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10004. |
|
policy-based-route SDN_SC_L3_10001 permit node 0 |
policy-based-route SDN_SC_L3_10001 permit node 0 |
Manual or controller-based |
Configure an IPv4 PBR policy on VSI-interface 10001. This policy directs north-south traffic to firewall NS. |
|
if-match service-chain path-id 1 path-index 1 |
Manual or controller-based |
Set a service chain match criterion to match the south-to-north traffic from microsegment 10001. |
|
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.22 |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.22 |
Manual or controller-based |
Redirect traffic to firewall NS. |
|
policy-based-route SDN_SC_L3_10001 permit node 1 |
policy-based-route SDN_SC_L3_10001 permit node 1 |
Manual or controller-based |
Configure an IPv4 PBR policy on VSI-interface 10001. This policy directs north-south traffic to firewall NS. |
|
if-match service-chain path-id 8388609 path-index 1 |
if-match service-chain path-id 8388609 path-index 1 |
Manual or controller-based |
Set a service chain match criterion to match the north-to-south traffic from microsegment 10003. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26 |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26 |
Manual or controller-based |
Redirect traffic to firewall NS. |
|
policy-based-route SDN_SC_L3_10002 permit node 0 |
Manual or controller-based |
Configure an IPv4 PBR policy on VSI-interface 10002. This policy directs east-west traffic to firewall EW. |
|
|
if-match service-chain path-id 2 path-index 1 |
Manual or controller-based |
Set a service chain match criterion to match the east-west traffic from microsegment 10001. |
|
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.30 |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.30 |
Manual or controller-based |
Redirect traffic to firewall EW. |
|
policy-based-route SDN_SC_L3_10002 permit node 1 |
policy-based-route SDN_SC_L3_10002 permit node 1 |
Manual or controller-based |
Configure an IPv4 PBR policy on VSI-interface 10002. This policy directs east-west traffic to firewall EW. |
|
if-match service-chain path-id 8388610 path-index 1 |
if-match service-chain path-id 8388610 path-index 1 |
Manual or controller-based |
Set a service chain match criterion to match the east-west traffic from microsegment 10002 and microsegment 10004. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.34 |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.34 |
Manual or controller-based |
Redirect traffic to firewall EW. |
|
ipv6 policy-based-route SDN_SC_L3_10001 permit node 0 |
ipv6 policy-based-route SDN_SC_L3_10001 permit node 0 |
Manual or controller-based |
Configure an IPv6 PBR policy on VSI-interface 10001. This policy directs north-south traffic to firewall NS. |
|
if-match service-chain path-id 1 path-index 1 |
if-match service-chain path-id 1 path-index 1 |
Manual or controller-based |
Set a service chain match criterion to match the south-to-north traffic from microsegment 10001. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:100::F |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:100::F |
Manual or controller-based |
Redirect traffic to firewall NS. |
|
ipv6 policy-based-route SDN_SC_L3_10001 permit node 1 |
ipv6 policy-based-route SDN_SC_L3_10001 permit node 1 |
Manual or controller-based |
Configure an IPv6 PBR policy on VSI-interface 10001. This policy directs north-south traffic to firewall NS. |
|
if-match service-chain path-id 8388609 path-index 1 |
if-match service-chain path-id 8388609 path-index 1 |
Manual or controller-based |
Set a service chain match criterion to match the north-to-south traffic from microsegment 10003. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F |
Manual or controller-based |
Redirect traffic to firewall NS. |
|
ipv6 policy-based-route SDN_SC_L3_10002 permit node 0 |
ipv6 policy-based-route SDN_SC_L3_10002 permit node 0 |
Manual or controller-based |
Configure an IPv6 PBR policy on VSI-interface 10002. This policy directs east-west traffic to firewall EW. |
|
if-match service-chain path-id 2 path-index 1 |
if-match service-chain path-id 2 path-index 1 |
Manual or controller-based |
Set a service chain match criterion to match the east-west traffic from microsegment 10001. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:102::F |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:102::F |
Manual or controller-based |
Redirect traffic to firewall EW. |
|
ipv6 policy-based-route SDN_SC_L3_10002 permit node 1 |
ipv6 policy-based-route SDN_SC_L3_10002 permit node 1 |
Manual or controller-based |
Configure an IPv6 PBR policy on VSI-interface 10002. This policy directs east-west traffic to firewall EW. |
|
if-match service-chain path-id 8388610 path-index 1 |
if-match service-chain path-id 8388610 path-index 1 |
Manual or controller-based |
Set a service chain match criterion to match the east-west traffic from microsegment 10002 and microsegment 10004. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:103::F |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:103::F |
Manual or controller-based |
Redirect traffic to firewall EW. |
|
interface Vsi-interface10001 |
interface Vsi-interface10001 |
Manual or controller-based |
Create the VSI interface for L3 connectivity to firewall NS and enter its view. |
|
ip policy-based-route SDN_SC_L3_10001 |
ip policy-based-route SDN_SC_L3_10001 |
Manual or controller-based |
|
|
ipv6 policy-based-route SDN_SC_L3_10001 |
ipv6 policy-based-route SDN_SC_L3_10001 |
Manual or controller-based |
Deploy the IPv6 PBR policy on VSI interface 10001. |
|
interface Vsi-interface10002 |
interface Vsi-interface10002 |
Manual or controller-based |
Create the VSI interface for L3 connectivity to firewall EW and enter its view. |
|
ip policy-based-route SDN_SC_L3_10002 |
ip policy-based-route SDN_SC_L3_10002 |
Manual or controller-based |
Deploy the IPv4 PBR policy on VSI interface 10002. |
|
ipv6 policy-based-route SDN_SC_L3_10002 |
ipv6 policy-based-route SDN_SC_L3_10002 |
Manual or controller-based |
Deploy the IPv6 PBR policy on VSI interface 10002. |
Configuring Leaf 3 and Leaf 4
|
Leaf 4 (S6850) |
Configuration method |
Description |
|
|
microsegment enable |
microsegment enable |
Manual or controller-based |
Enable microsegmentation. |
|
microsegment 10001 name SDN_EPG_10001 |
microsegment 10001 name SDN_EPG_10001 |
Manual or controller-based |
Create microsegment 10001 and enter its view. |
|
member ipv4 197.32.14.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.14.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10001. |
|
member ipv4 197.32.16.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.16.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10001. |
|
member ipv6 FD00:0:97B0:1014:: 64 vpn-instance ZHTESTCTVRF |
member ipv6 FD00:0:97B0:1014:: 64 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10001. |
|
member ipv6 FD00:0:97B0:1016:: 64 vpn-instance ZHTESTCTVRF |
member ipv6 FD00:0:97B0:1016:: 64 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10001. |
|
microsegment 10002 name SDN_EPG_10002 |
microsegment 10002 name SDN_EPG_10002 |
Manual or controller-based |
Create microsegment 10002 and enter its view. |
|
member ipv4 197.32.42.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.42.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10002. |
|
member ipv6 FD00:0:97B0:1042:: 64 vpn-instance ZHTESTCTVRF |
member ipv6 FD00:0:97B0:1042:: 64 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10002. |
|
microsegment 10003 name SDN_EPG_10003 |
microsegment 10003 name SDN_EPG_10003 |
Manual or controller-based |
Create microsegment 10003 and enter its view. |
|
member ipv4 0.0.0.0 0.0.0.0 vpn-instance ZHTESTCTVRF |
member ipv4 0.0.0.0 0.0.0.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10003. |
|
member ipv6 :: 0 vpn-instance ZHTESTCTVRF |
member ipv6 :: 0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10003. |
|
microsegment 10004 name SDN_EPG_10004 |
microsegment 10004 name SDN_EPG_10004 |
Manual or controller-based |
Create microsegment 10004 and enter its view. |
|
member ipv4 197.32.42.9 255.255.255.255 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.42.9 255.255.255.255 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10004. |
|
acl advanced name 13314_1 |
acl advanced name 13314_1 |
Manual or controller-based |
Create IPv4 ACL 13314_1 and enter its view. This ACL will be applied to IPv4 PBR policy node 0 in VSI 13314. |
|
rule 0 permit udp vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
rule 0 permit udp vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
Manual or controller-based |
Create a rule for the ACL. This rule matches UDP traffic transmitted from microsegment 10001 to microsegment 10004. |
|
acl advanced name 13314_2 |
acl advanced name 13314_2 |
Manual or controller-based |
Create IPv4 ACL 13314_2 and enter its view. This ACL will be applied to IPv4 PBR policy node 1 in VSI 13314. |
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10001 to microsegment 10004. |
|
acl advanced name 13314_3 |
acl advanced name 13314_3 |
Manual or controller-based |
Create IPv4 ACL 13314_3 and enter its view. This ACL will be applied to IPv4 PBR policy node 2 in VSI 13314. |
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10002 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10002 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10001 to microsegment 10002. |
|
acl advanced name 13314_4 |
acl advanced name 13314_4 |
Manual or controller-based |
Create IPv4 ACL 13314_4 and enter its view. This ACL will be applied to IPv4 PBR policy node 3 in VSI 13314. |
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10003 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10003 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10001 to microsegment 10003. |
|
acl advanced name 13314_5 |
Manual or controller-based |
Create IPv4 ACL 13314_5 and enter its view. This ACL will be applied to IPv4 PBR policy node 4 in VSI 13314. |
|
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10001 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10001 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10001 to microsegment 10001. |
|
acl advanced name 13314_6 |
acl advanced name 13314_6 |
Manual or controller-based |
Create IPv4 ACL 13314_6 and enter its view. This ACL will be applied to IPv4 PBR policy node 5 in VSI 13314. |
|
rule 0 permit ip |
rule 0 permit ip |
Manual or controller-based |
Create a rule for the ACL. This rule permits all IPv4 traffic. |
|
acl ipv6 advanced name 13314_1 |
acl ipv6 advanced name 13314_1 |
Manual or controller-based |
Create IPv6 ACL 13314_1 and enter its view. This ACL will be applied to IPv6 PBR policy node 0 in VSI 13314. |
|
rule 0 permit udp vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
rule 0 permit udp vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
Manual or controller-based |
This rule matches UDP traffic transmitted from microsegment 10001 to microsegment 10004. |
|
acl ipv6 advanced name 13314_2 |
acl ipv6 advanced name 13314_2 |
Manual or controller-based |
Create IPv6 ACL 13314_2 and enter its view. This ACL will be applied to IPv6 PBR policy node 1 in VSI 13314. |
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10001 to microsegment 10004. |
|
acl ipv6 advanced name 13314_3 |
acl ipv6 advanced name 13314_3 |
Manual or controller-based |
Create IPv6 ACL 13314_3 and enter its view. This ACL will be applied to IPv6 PBR policy node 2 in VSI 13314. |
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10002 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10002 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10001 to microsegment 10002. |
|
acl ipv6 advanced name 13314_4 |
Manual or controller-based |
Create IPv6 ACL 13314_4 and enter its view. This ACL will be applied to IPv6 PBR policy node 3 in VSI 13314. |
|
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10003 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10003 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10001 to microsegment 10003. |
|
acl ipv6 advanced name 13314_5 |
acl ipv6 advanced name 13314_5 |
Manual or controller-based |
Create IPv6 ACL 13314_5 and enter its view. This ACL will be applied to IPv6 PBR policy node 4 in VSI 13314. |
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10001 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10001 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10001 to microsegment 10001. |
|
acl ipv6 advanced name 13314_6 |
acl ipv6 advanced name 13314_6 |
Manual or controller-based |
Create IPv6 ACL 13314_6 and enter its view. This ACL will be applied to IPv6 PBR policy node 5 in VSI 13314. |
|
rule 0 permit ipv6 |
rule 0 permit ipv6 |
Manual or controller-based |
Create a rule for the ACL. This rule permits all IPv6 traffic. |
|
policy-based-route SDN_SC_13314 permit node 0 |
policy-based-route SDN_SC_13314 permit node 0 |
Manual or controller-based |
Create node 0 for IPv4 PBR policy SDN_SC_13314 and enter its view. |
|
if-match acl name 13314_1 |
if-match acl name 13314_1 |
Manual or controller-based |
Configure IPv4 ACL 13314_1 as an ACL match criterion for IPv4 PBR policy node 0. |
|
policy-based-route SDN_SC_13314 permit node 1 |
policy-based-route SDN_SC_13314 permit node 1 |
Manual or controller-based |
Create node 1 for IPv4 PBR policy SDN_SC_13314 and enter its view. |
|
if-match acl name 13314_2 |
Manual or controller-based |
Configure IPv4 ACL 13314_2 as an ACL match criterion for IPv4 PBR policy node 1. |
|
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.30 |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.30 |
Manual or controller-based |
Set a next hop for packets that match IPv4 PBR policy node 1. |
|
apply service-chain path-id 2 path-index 1 |
apply service-chain path-id 2 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv4 PBR policy node 1. |
|
policy-based-route SDN_SC_13314 permit node 2 |
policy-based-route SDN_SC_13314 permit node 2 |
Manual or controller-based |
Create node 2 for IPv4 PBR policy SDN_SC_13314 and enter its view. |
|
if-match acl name 13314_3 |
if-match acl name 13314_3 |
Manual or controller-based |
Configure IPv4 ACL 13314_3 as an ACL match criterion for IPv4 PBR policy node 2. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.30 |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.30 |
Manual or controller-based |
Set a next hop for packets that match IPv4 PBR policy node 2. |
|
apply service-chain path-id 2 path-index 1 |
apply service-chain path-id 2 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv4 PBR policy node 2. |
|
policy-based-route SDN_SC_13314 permit node 3 |
policy-based-route SDN_SC_13314 permit node 3 |
Manual or controller-based |
Create node 3 for IPv4 PBR policy SDN_SC_13314 and enter its view. |
|
if-match acl name 13314_4 |
if-match acl name 13314_4 |
Manual or controller-based |
Configure IPv4 ACL 13314_4 as an ACL match criterion for IPv4 PBR policy node 3. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.22 |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.22 |
Manual or controller-based |
Set a next hop for packets that match IPv4 PBR policy node 3. |
|
apply service-chain path-id 1 path-index 1 |
apply service-chain path-id 1 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv4 PBR policy node 3. |
|
policy-based-route SDN_SC_13314 permit node 4 |
policy-based-route SDN_SC_13314 permit node4 |
Manual or controller-based |
Create node 4 for IPv4 PBR policy SDN_SC_13314 and enter its view. |
|
if-match acl name 13314_5 |
if-match acl name 13314_5 |
Manual or controller-based |
Configure IPv4 ACL 13314_5 as an ACL match criterion for IPv4 PBR policy node 4. |
|
policy-based-route SDN_SC_13314 permit node 5 |
policy-based-route SDN_SC_13314 permit node 5 |
Manual or controller-based |
Create node 5 for IPv4 PBR policy SDN_SC_13314 and enter its view. |
|
if-match acl name 13314_6 |
if-match acl name 13314_6 |
Manual or controller-based |
Configure IPv4 ACL 13314_6 as an ACL match criterion for IPv4 PBR policy node 5. |
|
apply output-interface NULL0 |
apply output-interface NULL0 |
Manual or controller-based |
Set NULL0 as the output interface for packets that match IPv4 PBR policy node 5. These packets will be discarded. |
|
interface Vsi-interface13314 |
interface Vsi-interface13314 |
Manual or controller-based |
Create VSI interface 13314 and enter its view. |
|
ip policy-based-route SDN_SC_13314 |
ip policy-based-route SDN_SC_13314 |
Manual or controller-based |
Deploy IPv4 PBR policy SDN_SC_13314 on VSI interface 13314. |
|
ipv6 policy-based-route SDN_SC_13314 permit node 0 |
ipv6 policy-based-route SDN_SC_13314 permit node 0 |
Manual or controller-based |
Create node 0 for IPv6 PBR policy SDN_SC_13314 and enter its view. |
|
if-match acl name 13314_1 |
if-match acl name 13314_1 |
Manual or controller-based |
Configure IPv6 ACL 13314_1 as an ACL match criterion for IPv6 PBR policy node 0. |
|
ipv6 policy-based-route SDN_SC_13314 permit node 1 |
ipv6 policy-based-route SDN_SC_13314 permit node 1 |
Manual or controller-based |
Create node 1 for IPv6 PBR policy SDN_SC_13314 and enter its view. |
|
if-match acl name 13314_2 |
if-match acl name 13314_2 |
Manual or controller-based |
Configure IPv6 ACL 13314_2 as an ACL match criterion for IPv6 PBR policy node 1. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:102::F |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:102::F |
Manual or controller-based |
Set a next hop for packets that match IPv6 PBR policy node 1. |
|
apply service-chain path-id 2 path-index 1 |
apply service-chain path-id 2 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv6 PBR policy node 1. |
|
ipv6 policy-based-route SDN_SC_13314 permit node 2 |
ipv6 policy-based-route SDN_SC_13314 permit node 2 |
Manual or controller-based |
Create node 2 for IPv6 PBR policy SDN_SC_13314 and enter its view. |
|
if-match acl name 13314_3 |
if-match acl name 13314_3 |
Manual or controller-based |
Configure IPv6 ACL 13314_3 as an ACL match criterion for IPv6 PBR policy node 2. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:102::F |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:102::F |
Manual or controller-based |
Set a next hop for packets that match IPv6 PBR policy node 2. |
|
apply service-chain path-id 2 path-index 1 |
apply service-chain path-id 2 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv6 PBR policy node 2. |
|
ipv6 policy-based-route SDN_SC_13314 permit node 3 |
ipv6 policy-based-route SDN_SC_13314 permit node 3 |
Manual or controller-based |
Create node 3 for IPv6 PBR policy SDN_SC_13314 and enter its view. |
|
if-match acl name 13314_4 |
if-match acl name 13314_4 |
Manual or controller-based |
Configure IPv6 ACL 13314_4 as an ACL match criterion for IPv6 PBR policy node 3. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:100::F |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:100::F |
Manual or controller-based |
Set a next hop for packets that match IPv6 PBR policy node 3. |
|
apply service-chain path-id 1 path-index 1 |
apply service-chain path-id 1 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv6 PBR policy node 3. |
|
ipv6 policy-based-route SDN_SC_13314 permit node 4 |
ipv6 policy-based-route SDN_SC_13314 permit node 4 |
Manual or controller-based |
Create node 4 for IPv6 PBR policy SDN_SC_13314 and enter its view. |
|
if-match acl name 13314_5 |
if-match acl name 13314_5 |
Manual or controller-based |
Configure IPv6 ACL 13314_5 as an ACL match criterion for IPv6 PBR policy node 4. |
|
ipv6 policy-based-route SDN_SC_13314 permit node 5 |
ipv6 policy-based-route SDN_SC_13314 permit node 5 |
Manual or controller-based |
Create node 5 for IPv6 PBR policy SDN_SC_13314 and enter its view. |
|
if-match acl name 13314_6 |
if-match acl name 13314_6 |
Manual or controller-based |
Configure IPv6 ACL 13314_6 as an ACL match criterion for IPv6 PBR policy node 5. |
|
apply output-interface NULL0 |
apply output-interface NULL0 |
Manual or controller-based |
Set NULL0 as the output interface for packets that match IPv6 PBR policy node 5. These packets will be discarded. |
|
interface Vsi-interface13314 |
interface Vsi-interface13314 |
Manual or controller-based |
Create VSI interface 13314 and enter its view. |
|
ipv6 policy-based-route SDN_SC_13314 |
ipv6 policy-based-route SDN_SC_13314 |
Manual or controller-based |
Deploy IPv6 PBR policy SDN_SC_13314 on VSI interface 13314. |
Configuring Leaf 5 and Leaf 6
|
Leaf 5 (S6850) |
Leaf 6 (S6850) |
Configuration method |
Description |
|
microsegment enable |
microsegment enable |
Manual or controller-based |
Enable microsegmentation. |
|
microsegment 10001 name SDN_EPG_10001 |
microsegment 10001 name SDN_EPG_10001 |
Manual or controller-based |
Create microsegment 10001 and enter its view. |
|
member ipv4 197.32.14.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.14.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10001. |
|
member ipv4 197.32.16.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.16.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10001. |
|
member ipv6 FD00:0:97B0:1014:: 64 vpn-instance ZHTESTCTVRF |
member ipv6 FD00:0:97B0:1014:: 64 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10001. |
|
member ipv6 FD00:0:97B0:1016:: 64 vpn-instance ZHTESTCTVRF |
member ipv6 FD00:0:97B0:1016:: 64 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10001. |
|
microsegment 10002 name SDN_EPG_10002 |
microsegment 10002 name SDN_EPG_10002 |
Manual or controller-based |
Create microsegment 10002 and enter its view. |
|
member ipv4 197.32.42.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.42.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10002. |
|
member ipv6 FD00:0:97B0:1042:: 64 vpn-instance ZHTESTCTVRF |
member ipv6 FD00:0:97B0:1042:: 64 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10002. |
|
microsegment 10003 name SDN_EPG_10003 |
microsegment 10003 name SDN_EPG_10003 |
Manual or controller-based |
Create microsegment 10003 and enter its view. |
|
member ipv4 0.0.0.0 0.0.0.0 vpn-instance ZHTESTCTVRF |
member ipv4 0.0.0.0 0.0.0.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10003. |
|
member ipv6 :: 0 vpn-instance ZHTESTCTVRF |
member ipv6 :: 0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10003. |
|
microsegment 10004 name SDN_EPG_10004 |
microsegment 10004 name SDN_EPG_10004 |
Manual or controller-based |
Create microsegment 10004 and enter its view. |
|
member ipv4 197.32.42.9 255.255.255.255 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.42.9 255.255.255.255 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10004. |
|
acl advanced name 13316_1 |
acl advanced name 13316_1 |
Manual or controller-based |
Create IPv4 ACL 13316_1 and enter its view. This ACL will be applied to IPv4 PBR policy node 0 in VSI 13316. |
|
rule 0 permit udp vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
rule 0 permit udp vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
Manual or controller-based |
Create a rule for the ACL. This rule matches UDP traffic transmitted from microsegment 10001 to microsegment 10004. |
|
acl advanced name 13316_2 |
acl advanced name 13316_2 |
Manual or controller-based |
Create IPv4 ACL 13316_2 and enter its view. This ACL will be applied to IPv4 PBR policy node 1 in VSI 13316. |
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10001 to microsegment 10004. |
|
acl advanced name 13316_3 |
acl advanced name 13316_3 |
Manual or controller-based |
Create IPv4 ACL 13316_3 and enter its view. This ACL will be applied to IPv4 PBR policy node 2 in VSI 13316. |
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10002 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10002 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10001 to microsegment 10002. |
|
acl advanced name 13316_4 |
acl advanced name 13316_4 |
Manual or controller-based |
Create IPv4 ACL 13316_4 and enter its view. This ACL will be applied to IPv4 PBR policy node 3 in VSI 13316. |
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10003 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10003 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10001 to microsegment 10003. |
|
acl advanced name 13316_5 |
Manual or controller-based |
Create IPv4 ACL 13316_5 and enter its view. This ACL will be applied to IPv4 PBR policy node 4 in VSI 13316. |
|
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10001 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10001 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10001 to microsegment 10001. |
|
acl advanced name 13316_6 |
acl advanced name 13316_6 |
Manual or controller-based |
Create IPv4 ACL 13316_6 and enter its view. This ACL will be applied to IPv4 PBR policy node 5 in VSI 13316. |
|
rule 0 permit ip |
rule 0 permit ip |
Manual or controller-based |
Create a rule for the ACL. This rule permits all IPv4 traffic. |
|
acl ipv6 advanced name 13316_1 |
acl ipv6 advanced name 13316_1 |
Manual or controller-based |
Create IPv6 ACL 13316_1 and enter its view. This ACL will be applied to IPv6 PBR policy node 0 in VSI 13316. |
|
rule 0 permit udp vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
rule 0 permit udp vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
Manual or controller-based |
Create a rule for the ACL. This rule matches UDP traffic transmitted from microsegment 10001 to microsegment 10004. |
|
acl ipv6 advanced name 13316_2 |
acl ipv6 advanced name 13316_2 |
Manual or controller-based |
Create IPv6 ACL 13316_2 and enter its view. This ACL will be applied to IPv6 PBR policy node 1 in VSI 13316. |
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10004 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10001 to microsegment 10004. |
|
acl ipv6 advanced name 13316_3 |
Manual or controller-based |
Create IPv6 ACL 13316_3 and enter its view. This ACL will be applied to IPv6 PBR policy node 2 in VSI 13316. |
|
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10002 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10002 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10001 to microsegment 10002. |
|
acl ipv6 advanced name 13316_4 |
acl ipv6 advanced name 13316_4 |
Manual or controller-based |
Create IPv6 ACL 13316_4 and enter its view. This ACL will be applied to IPv6 PBR policy node 3 in VSI 13316. |
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10003 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10003 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10001 to microsegment 10003. |
|
acl ipv6 advanced name 13316_5 |
acl ipv6 advanced name 13316_5 |
Manual or controller-based |
Create IPv6 ACL 13316_5 and enter its view. This ACL will be applied to IPv6 PBR policy node 4 in VSI 13316. |
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10001 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10001 destination microsegment 10001 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10001 to microsegment 10001. |
|
acl ipv6 advanced name 13316_6 |
acl ipv6 advanced name 13316_6 |
Manual or controller-based |
Create IPv6 ACL 13316_6 and enter its view. This ACL will be applied to IPv6 PBR policy node 5 in VSI 13316. |
|
rule 0 permit ipv6 |
rule 0 permit ipv6 |
Manual or controller-based |
Create a rule for the ACL. This rule permits all IPv6 traffic. |
|
policy-based-route SDN_SC_13316 permit node 0 |
Manual or controller-based |
Create node 0 for IPv4 PBR policy SDN_SC_13316 and enter its view. |
|
|
if-match acl name 13316_1 |
if-match acl name 13316_1 |
Manual or controller-based |
Configure IPv4 ACL 13316_1 as an ACL match criterion for IPv4 PBR policy node 0. |
|
policy-based-route SDN_SC_13316 permit node 1 |
policy-based-route SDN_SC_13316 permit node 1 |
Manual or controller-based |
Create node 1 for IPv4 PBR policy SDN_SC_13316 and enter its view. |
|
if-match acl name 13316_2 |
if-match acl name 13316_2 |
Manual or controller-based |
Configure IPv4 ACL 13316_2 as an ACL match criterion for IPv4 PBR policy node 1. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.30 |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.30 |
Manual or controller-based |
Set a next hop for packets that match IPv4 PBR policy node 1. |
|
apply service-chain path-id 2 path-index 1 |
apply service-chain path-id 2 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv4 PBR policy node 1. |
|
policy-based-route SDN_SC_13316 permit node 2 |
policy-based-route SDN_SC_13316 permit node 2 |
Manual or controller-based |
Create node 2 for IPv4 PBR policy SDN_SC_13316 and enter its view. |
|
if-match acl name 13316_3 |
if-match acl name 13316_3 |
Manual or controller-based |
Configure IPv4 ACL 13316_3 as an ACL match criterion for IPv4 PBR policy node 2. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.30 |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.30 |
Manual or controller-based |
Set a next hop for packets that match IPv4 PBR policy node 2. |
|
apply service-chain path-id 2 path-index 1 |
apply service-chain path-id 2 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv4 PBR policy node 2. |
|
policy-based-route SDN_SC_13316 permit node 3 |
policy-based-route SDN_SC_13316 permit node 3 |
Manual or controller-based |
Create node 3 for IPv4 PBR policy SDN_SC_13316 and enter its view. |
|
if-match acl name 13316_4 |
if-match acl name 13316_4 |
Manual or controller-based |
Configure IPv4 ACL 13316_4 as an ACL match criterion for IPv4 PBR policy node 3. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.22 |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.22 |
Manual or controller-based |
Set a next hop for packets that match IPv4 PBR policy node 3. |
|
apply service-chain path-id 1 path-index 1 |
apply service-chain path-id 1 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv4 PBR policy node 3. |
|
policy-based-route SDN_SC_13316 permit node 4 |
policy-based-route SDN_SC_13316 permit node4 |
Manual or controller-based |
Create node 4 for IPv4 PBR policy SDN_SC_13316 and enter its view. |
|
if-match acl name 13316_5 |
if-match acl name 13316_5 |
Manual or controller-based |
Configure IPv4 ACL 13316_5 as an ACL match criterion for IPv4 PBR policy node 4. |
|
policy-based-route SDN_SC_13316 permit node 5 |
policy-based-route SDN_SC_13316 permit node 5 |
Manual or controller-based |
Create node 5 for IPv4 PBR policy SDN_SC_13316 and enter its view. |
|
if-match acl name 13316_6 |
if-match acl name 13316_6 |
Manual or controller-based |
Configure IPv4 ACL 13316_6 as an ACL match criterion for IPv4 PBR policy node 5. |
|
apply output-interface NULL0 |
apply output-interface NULL0 |
Manual or controller-based |
Set NULL0 as the output interface for packets that match IPv4 PBR policy node 5. These packets will be discarded. |
|
interface Vsi-interface13316 |
Manual or controller-based |
Create VSI interface 13316 and enter its view. |
|
|
ip policy-based-route SDN_SC_13316 |
ip policy-based-route SDN_SC_13316 |
Manual or controller-based |
Deploy IPv4 PBR policy SDN_SC_13316 on VSI interface 13316. |
|
ipv6 policy-based-route SDN_SC_13316 permit node 0 |
ipv6 policy-based-route SDN_SC_13316 permit node 0 |
Manual or controller-based |
Create node 0 for IPv6 PBR policy SDN_SC_13316 and enter its view. |
|
if-match acl name 13316_1 |
if-match acl name 13316_1 |
Manual or controller-based |
Configure IPv6 ACL 13316_1 as an ACL match criterion for IPv6 PBR policy node 0. |
|
ipv6 policy-based-route SDN_SC_13316 permit node 1 |
ipv6 policy-based-route SDN_SC_13316 permit node 1 |
Manual or controller-based |
Create node 1 for IPv6 PBR policy SDN_SC_13316 and enter its view. |
|
if-match acl name 13316_2 |
if-match acl name 13316_2 |
Manual or controller-based |
Configure IPv6 ACL 13316_2 as an ACL match criterion for IPv6 PBR policy node 1. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:102::F |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:102::F |
Manual or controller-based |
Set a next hop for packets that match IPv6 PBR policy node 1. |
|
apply service-chain path-id 2 path-index 1 |
apply service-chain path-id 2 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv6 PBR policy node 1. |
|
ipv6 policy-based-route SDN_SC_13316 permit node 2 |
ipv6 policy-based-route SDN_SC_13316 permit node 2 |
Manual or controller-based |
Create node 2 for IPv6 PBR policy SDN_SC_13316 and enter its view. |
|
if-match acl name 13316_3 |
if-match acl name 13316_3 |
Manual or controller-based |
Configure IPv6 ACL 13316_3 as an ACL match criterion for IPv6 PBR policy node 2. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:102::F |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:102::F |
Manual or controller-based |
Set a next hop for packets that match IPv6 PBR policy node 2. |
|
apply service-chain path-id 2 path-index 1 |
apply service-chain path-id 2 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv6 PBR policy node 2. |
|
ipv6 policy-based-route SDN_SC_13316 permit node 3 |
ipv6 policy-based-route SDN_SC_13316 permit node 3 |
Manual or controller-based |
Create node 3 for IPv6 PBR policy SDN_SC_13316 and enter its view. |
|
if-match acl name 13316_4 |
if-match acl name 13316_4 |
Manual or controller-based |
Configure IPv6 ACL 13316_4 as an ACL match criterion for IPv6 PBR policy node 3. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:100::F |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:100::F |
Manual or controller-based |
Set a next hop for packets that match IPv6 PBR policy node 3. |
|
apply service-chain path-id 1 path-index 1 |
apply service-chain path-id 1 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv6 PBR policy node 3. |
|
ipv6 policy-based-route SDN_SC_13316 permit node 4 |
ipv6 policy-based-route SDN_SC_13316 permit node 4 |
Manual or controller-based |
Create node 4 for IPv6 PBR policy SDN_SC_13316 and enter its view. |
|
if-match acl name 13316_5 |
if-match acl name 13316_5 |
Manual or controller-based |
Configure IPv6 ACL 13316_5 as an ACL match criterion for IPv6 PBR policy node 4. |
|
ipv6 policy-based-route SDN_SC_13316 permit node 5 |
ipv6 policy-based-route SDN_SC_13316 permit node 5 |
Manual or controller-based |
Create node 5 for IPv6 PBR policy SDN_SC_13316 and enter its view. |
|
if-match acl name 13316_6 |
if-match acl name 13316_6 |
Manual or controller-based |
Configure IPv6 ACL 13316_6 as an ACL match criterion for IPv6 PBR policy node 5. |
|
apply output-interface NULL0 |
apply output-interface NULL0 |
Manual or controller-based |
Set NULL0 as the output interface for packets that match IPv6 PBR policy node 5. These packets will be discarded. |
|
interface Vsi-interface13316 |
interface Vsi-interface13316 |
Manual or controller-based |
Create VSI interface 13316 and enter its view. |
|
ipv6 policy-based-route SDN_SC_13316 |
ipv6 policy-based-route SDN_SC_13316 |
Manual or controller-based |
Deploy IPv6 PBR policy SDN_SC_13316 on VSI interface 13316. |
|
acl advanced name 13342_1 |
acl advanced name 13342_1 |
Manual or controller-based |
Create IPv4 ACL 13342_1 and enter its view. This ACL will be applied to IPv4 PBR policy node 0 in VSI 13342. |
|
rule 0 permit udp vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10001 rule 1 permit ip vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10004 |
rule 0 permit udp vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10001 rule 1 permit ip vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10004 |
Manual or controller-based |
Create rules for the ACL: · Rule 0 matches UDP traffic transmitted from microsegment 10004 to microsegment 10001. · Rule 1 matches IPv4 traffic transmitted from microsegment 10002 to microsegment 10004. |
|
acl advanced name 13342_2 |
acl advanced name 13342_2 |
Manual or controller-based |
Create IPv4 ACL 13342_2 and enter its view. This ACL will be applied to IPv4 PBR policy node 1 in VSI 13342. |
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10002 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10002 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10004 to microsegment 10002. |
|
acl advanced name 13342_3 |
acl advanced name 13342_3 |
Manual or controller-based |
Create IPv4 ACL 13342_3 and enter its view. This ACL will be applied to IPv4 PBR policy node 2 in VSI 13342. |
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10001 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10001 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10004 to microsegment 10001. |
|
acl advanced name 13342_4 |
acl advanced name 13342_4 |
Manual or controller-based |
Create IPv4 ACL 13342_4 and enter its view. This ACL will be applied to IPv4 PBR policy node 3 in VSI 13342. |
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10001 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10001 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10002 to microsegment 10001. |
|
acl advanced name 13342_5 |
acl advanced name 13342_5 |
Manual or controller-based |
Create IPv4 ACL 13342_5 and enter its view. This ACL will be applied to IPv4 PBR policy node 4 in VSI 13342. |
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10003 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10003 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10002 to microsegment 10003. |
|
acl advanced name 13342_6 |
Manual or controller-based |
Create IPv4 ACL 13342_6 and enter its view. This ACL will be applied to IPv4 PBR policy node 5 in VSI 13342. |
|
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10003 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10003 |
Manual or controller-based |
This rule matches IPv4 traffic transmitted from microsegment 10004 to microsegment 10003. |
|
acl advanced name 13342_7 |
acl advanced name 13342_7 |
Manual or controller-based |
Create IPv4 ACL 13342_7 and enter its view. This ACL will be applied to IPv4 PBR policy node 6 in VSI 13342. |
|
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10002 rule 1 permit ip vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10004 |
rule 0 permit ip vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10002 rule 1 permit ip vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10004 |
Manual or controller-based |
Create rules for the ACL: · Rule 0 matches IPv4 traffic transmitted from microsegment 10002 to microsegment 10002. · Rule 1 matches IPv4 traffic transmitted from microsegment 10004 to microsegment 10004. |
|
acl advanced name 13342_8 |
acl advanced name 13342_8 |
Manual or controller-based |
Create IPv4 ACL 13342_8 and enter its view. This ACL will be applied to IPv4 PBR policy node 7 in VSI 13342. |
|
rule 0 permit ip |
rule 0 permit ip |
Manual or controller-based |
Create a rule for the ACL. This rule permits all IPv4 traffic. |
|
acl ipv6 advanced name 13342_1 |
Manual or controller-based |
Create IPv6 ACL 13342_1 and enter its view. This ACL will be applied to IPv6 PBR policy node 0 in VSI 13342. |
|
|
rule 0 permit udp vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10001 rule 1 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10004 |
rule 0 permit udp vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10001 rule 1 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10004 |
Manual or controller-based |
Create rules for the ACL: · Rule 0 matches UDP traffic transmitted from microsegment 10004 to microsegment 10001. · Rule 1 matches IPv6 traffic transmitted from microsegment 10002 to microsegment 10004. |
|
acl ipv6 advanced name 13342_2 |
acl ipv6 advanced name 13342_2 |
Manual or controller-based |
Create IPv6 ACL 13342_2 and enter its view. This ACL will be applied to IPv6 PBR policy node 1 in VSI 13342. |
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10002 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10002 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10004 to microsegment 10002. |
|
acl ipv6 advanced name 13342_3 |
acl ipv6 advanced name 13342_3 |
Manual or controller-based |
Create IPv6 ACL 13342_3 and enter its view. This ACL will be applied to IPv6 PBR policy node 2 in VSI 13342. |
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10001 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10001 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10004 to microsegment 10001. |
|
acl ipv6 advanced name 13342_4 |
acl ipv6 advanced name 13342_4 |
Manual or controller-based |
Create IPv6 ACL 13342_4 and enter its view. This ACL will be applied to IPv6 PBR policy node 3 in VSI 13342. |
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10001 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10001 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10002 to microsegment 10001. |
|
acl ipv6 advanced name 13342_5 |
acl ipv6 advanced name 13342_5 |
Manual or controller-based |
Create IPv6 ACL 13342_5 and enter its view. This ACL will be applied to IPv6 PBR policy node 4 in VSI 13342. |
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10003 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10003 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10002 to microsegment 10003. |
|
acl ipv6 advanced name 13342_6 |
acl ipv6 advanced name 13342_6 |
Manual or controller-based |
Create IPv6 ACL 13342_6 and enter its view. This ACL will be applied to IPv6 PBR policy node 5 in VSI 13342. |
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10003 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10003 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10004 to microsegment 10003. |
|
acl ipv6 advanced name 13342_7 |
acl ipv6 advanced name 13342_7 |
Manual or controller-based |
Create IPv6 ACL 13342_7 and enter its view. This ACL will be applied to IPv6 PBR policy node 6 in VSI 13342. |
|
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10002 rule 1 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10004 |
rule 0 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10002 destination microsegment 10002 rule 1 permit ipv6 vpn-instance ZHTESTCTVRF source microsegment 10004 destination microsegment 10004 |
Manual or controller-based |
Create rules for the ACL: · Rule 0 matches IPv6 traffic transmitted from microsegment 10002 to microsegment 10002. · Rule 1 matches IPv6 traffic transmitted from microsegment 10004 to microsegment 10004. |
|
acl ipv6 advanced name 13342_8 |
acl ipv6 advanced name 13342_8 |
Manual or controller-based |
Create IPv6 ACL 13342_8 and enter its view. This ACL will be applied to IPv6 PBR policy node 7 in VSI 13342. |
|
rule 0 permit ipv6 |
rule 0 permit ipv6 |
Manual or controller-based |
Create a rule for the ACL. This rule permits all IPv6 traffic. |
|
policy-based-route SDN_SC_13342 permit node 0 |
policy-based-route SDN_SC_13342 permit node 0 |
Manual or controller-based |
Create node 0 for IPv4 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_1 |
if-match acl name 13342_1 |
Manual or controller-based |
Configure IPv4 ACL 13342_1 as an ACL match criterion for IPv4 PBR policy node 0. |
|
policy-based-route SDN_SC_13342 permit node 1 |
policy-based-route SDN_SC_13342 permit node 1 |
Manual or controller-based |
Create node 1 for IPv4 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_2 |
if-match acl name 13342_2 |
Manual or controller-based |
Configure IPv4 ACL 13342_2 as an ACL match criterion for IPv4 PBR policy node 1. |
|
policy-based-route SDN_SC_13342 permit node 2 |
policy-based-route SDN_SC_13342 permit node 2 |
Manual or controller-based |
Create node 2 for IPv4 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_3 |
if-match acl name 13342_3 |
Manual or controller-based |
Configure IPv4 ACL 13342_3 as an ACL match criterion for IPv4 PBR policy node 2. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.34 |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.34 |
Manual or controller-based |
Set a next hop for packets that match IPv4 PBR policy node 2. |
|
apply service-chain path-id 8388610 path-index 1 |
apply service-chain path-id 8388610 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv4 PBR policy node 2. |
|
policy-based-route SDN_SC_13342 permit node 3 |
policy-based-route SDN_SC_13342 permit node 3 |
Manual or controller-based |
Create node 3 for IPv4 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_4 |
if-match acl name 13342_4 |
Manual or controller-based |
Configure IPv4 ACL 13342_4 as an ACL match criterion for IPv4 PBR policy node 3. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.34 |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF 197.32.224.34 |
Manual or controller-based |
Set a next hop for packets that match IPv4 PBR policy node 3. |
|
apply service-chain path-id 8388610 path-index 1 |
apply service-chain path-id 8388610 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv4 PBR policy node 3. |
|
policy-based-route SDN_SC_13342 permit node 4 |
policy-based-route SDN_SC_13342 permit node 4 |
Manual or controller-based |
Create node 4 for IPv4 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_5 |
if-match acl name 13342_5 |
Manual or controller-based |
Configure IPv4 ACL 13342_5 as an ACL match criterion for IPv4 PBR policy node 4. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.22 |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.22 |
Manual or controller-based |
Set a next hop for packets that match IPv4 PBR policy node 4. |
|
apply service-chain path-id 1 path-index 1 |
apply service-chain path-id 1 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv4 PBR policy node 4. |
|
policy-based-route SDN_SC_13342 permit node 5 |
Manual or controller-based |
Create node 5 for IPv4 PBR policy SDN_SC_13342 and enter its view. |
|
|
if-match acl name 13342_6 |
if-match acl name 13342_6 |
Manual or controller-based |
Configure IPv4 ACL 13342_6 as an ACL match criterion for IPv4 PBR policy node 5. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.22 |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.22 |
Manual or controller-based |
Set a next hop for packets that match IPv4 PBR policy node 5. |
|
apply service-chain path-id 1 path-index 1 |
apply service-chain path-id 1 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv4 PBR policy node 5. |
|
policy-based-route SDN_SC_13342 permit node 6 |
policy-based-route SDN_SC_13342 permit node 6 |
Manual or controller-based |
Create node 6 for IPv4 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_7 |
if-match acl name 13342_7 |
Manual or controller-based |
Configure IPv4 ACL 13342_7 as an ACL match criterion for IPv4 PBR policy node 6. |
|
policy-based-route SDN_SC_13342 permit node 7 |
policy-based-route SDN_SC_13342 permit node 7 |
Manual or controller-based |
Create node 7 for IPv4 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_8 |
if-match acl name 13342_8 |
Manual or controller-based |
Configure IPv4 ACL 13342_8 as an ACL match criterion for IPv4 PBR policy node 7. |
|
apply output-interface NULL0 |
apply output-interface NULL0 |
Manual or controller-based |
Set NULL0 as the output interface for packets that match IPv4 PBR policy node 7. These packets will be discarded. |
|
interface Vsi-interface13342 |
Manual or controller-based |
Create VSI interface 13342 and enter its view. |
|
|
ip policy-based-route SDN_SC_13342 |
ip policy-based-route SDN_SC_13342 |
Manual or controller-based |
Deploy IPv4 PBR policy SDN_SC_13342 on VSI interface 13342. |
|
ipv6 policy-based-route SDN_SC_13342 permit node 0 |
ipv6 policy-based-route SDN_SC_13342 permit node 0 |
Manual or controller-based |
Create node 0 for IPv6 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_1 |
if-match acl name 13342_1 |
Manual or controller-based |
Configure IPv6 ACL 13342_1 as an ACL match criterion for IPv6 PBR policy node 0. |
|
ipv6 policy-based-route SDN_SC_13342 permit node 1 |
ipv6 policy-based-route SDN_SC_13342 permit node 1 |
Manual or controller-based |
Create node 1 for IPv6 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_2 |
if-match acl name 13342_2 |
Manual or controller-based |
Configure IPv6 ACL 13342_2 as an ACL match criterion for IPv6 PBR policy node 1. |
|
ipv6 policy-based-route SDN_SC_13342 permit node 2 |
ipv6 policy-based-route SDN_SC_13342 permit node 2 |
Manual or controller-based |
Create node 2 for IPv6 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_3 |
if-match acl name 13342_3 |
Manual or controller-based |
Configure IPv6 ACL 13342_3 as an ACL match criterion for IPv6 PBR policy node 2. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:103::F 128 |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:103::F 128 |
Manual or controller-based |
Set a next hop for packets that match IPv6 PBR policy node 2. |
|
apply service-chain path-id 8388610 path-index 1 |
apply service-chain path-id 8388610 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv6 PBR policy node 2. |
|
ipv6 policy-based-route SDN_SC_13342 permit node 3 |
ipv6 policy-based-route SDN_SC_13342 permit node 3 |
Manual or controller-based |
Create node 3 for IPv6 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_4 |
if-match acl name 13342_4 |
Manual or controller-based |
Configure IPv6 ACL 13342_4 as an ACL match criterion for IPv6 PBR policy node 3. |
|
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:103::F 128 |
apply next-hop vpn-instance ZHTESTCTFWEW01VRF FD00:0:97B0:103::F 128 |
Manual or controller-based |
Set a next hop for packets that match IPv6 PBR policy node 3. |
|
apply service-chain path-id 8388610 path-index 1 |
apply service-chain path-id 8388610 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv6 PBR policy node 3. |
|
ipv6 policy-based-route SDN_SC_13342 permit node 4 |
ipv6 policy-based-route SDN_SC_13342 permit node 4 |
Manual or controller-based |
Create node 4 for IPv6 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_5 |
if-match acl name 13342_5 |
Manual or controller-based |
Configure IPv6 ACL 13342_5 as an ACL match criterion for IPv6 PBR policy node 4. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:100::F |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:100::F |
Manual or controller-based |
Set a next hop for packets that match IPv6 PBR policy node 4. |
|
apply service-chain path-id 1 path-index 1 |
apply service-chain path-id 1 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv6 PBR policy node 4. |
|
ipv6 policy-based-route SDN_SC_13342 permit node 5 |
ipv6 policy-based-route SDN_SC_13342 permit node 5 |
Manual or controller-based |
Create node 5 for IPv6 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_6 |
if-match acl name 13342_6 |
Manual or controller-based |
Configure IPv6 ACL 13342_6 as an ACL match criterion for IPv6 PBR policy node 5. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:100::F |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:100::F |
Manual or controller-based |
Set a next hop for packets that match IPv6 PBR policy node 5. |
|
apply service-chain path-id 1 path-index 1 |
apply service-chain path-id 1 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv6 PBR policy node 5. |
|
ipv6 policy-based-route SDN_SC_13342 permit node 6 |
ipv6 policy-based-route SDN_SC_13342 permit node 6 |
Manual or controller-based |
Create node 6 for IPv6 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_7 |
if-match acl name 13342_7 |
Manual or controller-based |
Configure IPv6 ACL 13342_7 as an ACL match criterion for IPv6 PBR policy node 6. |
|
ipv6 policy-based-route SDN_SC_13342 permit node 7 |
ipv6 policy-based-route SDN_SC_13342 permit node 7 |
Manual or controller-based |
Create node 7 for IPv6 PBR policy SDN_SC_13342 and enter its view. |
|
if-match acl name 13342_8 |
if-match acl name 13342_8 |
Manual or controller-based |
Configure IPv6 ACL 13342_8 as an ACL match criterion for IPv6 PBR policy node 7. |
|
apply output-interface NULL0 |
apply output-interface NULL0 |
Manual or controller-based |
Set NULL0 as the output interface for packets that match IPv6 PBR policy node 7. These packets will be discarded. |
|
interface Vsi-interface13342 |
interface Vsi-interface13342 |
Manual or controller-based |
Create VSI interface 13342 and enter its view. |
|
ipv6 policy-based-route SDN_SC_13342 |
ipv6 policy-based-route SDN_SC_13342 |
Manual or controller-based |
Deploy IPv6 PBR policy SDN_SC_13342 on VSI interface 13342. |
Configuring border nodes (Border 1 and Border 2)
|
Border 1 (S6850) |
Border 2 (S6850) |
Configuration method |
Description |
|
microsegment enable |
microsegment enable |
Manual or controller-based |
Enable microsegmentation. |
|
microsegment 10001 name SDN_EPG_10001 |
microsegment 10001 name SDN_EPG_10001 |
Manual or controller-based |
Create microsegment 10001 and enter its view. |
|
member ipv4 197.32.14.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.14.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
|
|
member ipv4 197.32.14.0 255.255.255.0 vpn-instance external_vpn_1001 |
member ipv4 197.32.14.0 255.255.255.0 vpn-instance external_vpn_1001 |
Manual or controller-based |
Add an IPv4 member to microsegment 10001. |
|
member ipv4 197.32.16.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.16.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10001. |
|
member ipv4 197.32.16.0 255.255.255.0 vpn-instance external_vpn_1001 |
member ipv4 197.32.16.0 255.255.255.0 vpn-instance external_vpn_1001 |
Manual or controller-based |
Add an IPv4 member to microsegment 10001. |
|
member ipv6 FD00:0:97B0:1014:: 64 vpn-instance ZHTESTCTVRF |
member ipv6 FD00:0:97B0:1014:: 64 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10001. |
|
member ipv6 FD00:0:97B0:1014:: 64 vpn-instance external_vpn_1001 |
member ipv6 FD00:0:97B0:1014:: 64 vpn-instance external_vpn_1001 |
Manual or controller-based |
Add an IPv6 member to microsegment 10001. |
|
member ipv6 FD00:0:97B0:1016:: 64 vpn-instance ZHTESTCTVRF |
member ipv6 FD00:0:97B0:1016:: 64 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10001. |
|
member ipv6 FD00:0:97B0:1016:: 64 vpn-instance external_vpn_1001 |
member ipv6 FD00:0:97B0:1016:: 64 vpn-instance external_vpn_1001 |
Manual or controller-based |
Add an IPv6 member to microsegment 10001. |
|
microsegment 10002 name SDN_EPG_10002 |
Manual or controller-based |
Create microsegment 10002 and enter its view. |
|
|
member ipv4 197.32.42.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.42.0 255.255.255.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10002. |
|
member ipv4 197.32.42.0 255.255.255.0 vpn-instance external_vpn_1001 |
member ipv4 197.32.42.0 255.255.255.0 vpn-instance external_vpn_1001 |
Manual or controller-based |
Add an IPv4 member to microsegment 10002. |
|
member ipv6 FD00:0:97B0:1042:: 64 vpn-instance ZHTESTCTVRF |
member ipv6 FD00:0:97B0:1042:: 64 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10002. |
|
member ipv6 FD00:0:97B0:1042:: 64 vpn-instance external_vpn_1001 |
member ipv6 FD00:0:97B0:1042:: 64 vpn-instance external_vpn_1001 |
Manual or controller-based |
Add an IPv6 member to microsegment 10002. |
|
microsegment 10003 name SDN_EPG_10003 |
microsegment 10003 name SDN_EPG_10003 |
Manual or controller-based |
Create microsegment 10003 and enter its view. |
|
member ipv4 0.0.0.0 0.0.0.0 vpn-instance ZHTESTCTVRF |
member ipv4 0.0.0.0 0.0.0.0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10003. |
|
member ipv4 0.0.0.0 0.0.0.0 vpn-instance external_vpn_1001 |
member ipv4 0.0.0.0 0.0.0.0 vpn-instance external_vpn_1001 |
Manual or controller-based |
Add an IPv4 member to microsegment 10003. |
|
member ipv6 :: 0 vpn-instance ZHTESTCTVRF |
member ipv6 :: 0 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv6 member to microsegment 10003. |
|
member ipv6 :: 0 vpn-instance external_vpn_1001 |
member ipv6 :: 0 vpn-instance external_vpn_1001 |
Manual or controller-based |
Add an IPv6 member to microsegment 10003. |
|
microsegment 10004 name SDN_EPG_10004 |
microsegment 10004 name SDN_EPG_10004 |
Manual or controller-based |
Create microsegment 10004 and enter its view. |
|
member ipv4 197.32.42.9 255.255.255.255 vpn-instance ZHTESTCTVRF |
member ipv4 197.32.42.9 255.255.255.255 vpn-instance ZHTESTCTVRF |
Manual or controller-based |
Add an IPv4 member to microsegment 10004. |
|
member ipv4 197.32.42.9 255.255.255.255 vpn-instance external_vpn_1001 |
member ipv4 197.32.42.9 255.255.255.255 vpn-instance external_vpn_1001 |
Manual or controller-based |
Add an IPv4 member to microsegment 10004. |
|
acl advanced name 1001_1 |
acl advanced name 1001_1 |
Manual or controller-based |
Create IPv4 ACL 1001_1 and enter its view. This ACL will be applied to IPv4 PBR policy node 0 in VPN external_vpn_1001 VLAN 1001. |
|
rule 0 permit ip vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10001 |
rule 0 permit ip vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10001 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10003 to microsegment 10001. |
|
acl advanced name 1001_2 |
Manual or controller-based |
Create IPv4 ACL 1001_2 and enter its view. This ACL will be applied to IPv4 PBR policy node 1 in VPN external_vpn_1001 VLAN 1001. |
|
|
rule 0 permit ip vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10002 |
rule 0 permit ip vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10002 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10003 to microsegment 10002. |
|
acl advanced name 1001_3 |
acl advanced name 1001_3 |
Manual or controller-based |
Create IPv4 ACL 1001_3 and enter its view. This ACL will be applied to IPv4 PBR policy node 2 in VPN external_vpn_1001 VLAN 1001. |
|
rule 0 permit ip vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10004 |
rule 0 permit ip vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10004 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10003 to microsegment 10004. |
|
acl advanced name 1001_4 |
acl advanced name 1001_4 |
Manual or controller-based |
Create IPv4 ACL 1001_4 and enter its view. This ACL will be applied to IPv4 PBR policy node 3 in VPN external_vpn_1001 VLAN 1001. |
|
rule 0 permit ip |
rule 0 permit ip |
Manual or controller-based |
Create a rule for the ACL. This rule permits all IPv4 traffic. |
|
acl ipv6 advanced name 1001_1 |
ipv6 acl advanced name 1001_1 |
Manual or controller-based |
Create IPv6 ACL 1001_1 and enter its view. This ACL will be applied to IPv6 PBR policy node 0 in VPN external_vpn_1001 VLAN 1001. |
|
rule 0 permit ipv6 vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10001 |
rule 0 permit ipv6 vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10001 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10003 to microsegment 10001. |
|
ipv6 acl advanced name 1001_2 |
ipv6 acl advanced name 1001_2 |
Manual or controller-based |
Create IPv6 ACL 1001_2 and enter its view. This ACL will be applied to IPv6 PBR policy node 1 in VPN external_vpn_1001 VLAN 1001. |
|
rule 0 permit ipv6 vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10002 |
rule 0 permit ipv6 vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10002 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10003 to microsegment 10002. |
|
ipv6 acl advanced name 1001_3 |
ipv6 acl advanced name 1001_3 |
Manual or controller-based |
Create IPv6 ACL 1001_3 and enter its view. This ACL will be applied to IPv6 PBR policy node 2 in VPN external_vpn_1001 VLAN 1001. |
|
rule 0 permit ipv6 vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10004 |
rule 0 permit ipv6 vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10004 |
Manual or controller-based |
Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10003 to microsegment 10004. |
|
ipv6 acl advanced name 1001_4 |
ipv6 acl advanced name 1001_4 |
Manual or controller-based |
Create IPv6 ACL 1001_4 and enter its view. This ACL will be applied to IPv6 PBR policy node 3 in VPN external_vpn_1001 VLAN 1001. |
|
rule 0 permit ipv6 |
rule 0 permit ipv6 |
Manual or controller-based |
Create a rule for the ACL. This rule permits all IPv6 traffic. |
|
policy-based-route SDN_SC_VLAN_1001 permit node 0 |
policy-based-route SDN_SC_VLAN_1001 permit node 0 |
Manual or controller-based |
Create node 0 for IPv4 PBR policy SDN_SC_VLAN_1001 and enter its view. |
|
if-match acl name 1001_1 |
if-match acl name 1001_1 |
Manual or controller-based |
Configure IPv4 ACL 1001_1 as an ACL match criterion for IPv4 PBR policy node 0. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26 |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26 |
Manual or controller-based |
Set a next hop for packets that match IPv4 PBR policy node 0. |
|
apply service-chain path-id 8388609 path-index 1 |
apply service-chain path-id 8388609 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv4 PBR policy node 0. |
|
policy-based-route SDN_SC_VLAN_1001 permit node 1 |
policy-based-route SDN_SC_VLAN_1001 permit node 1 |
Manual or controller-based |
Create node 1 for IPv4 PBR policy SDN_SC_VLAN_1001 and enter its view. |
|
if-match acl name 1001_2 |
if-match acl name 1001_2 |
Manual or controller-based |
Configure IPv4 ACL 1001_2 as an ACL match criterion for IPv4 PBR policy node 1. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26 |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26 |
Manual or controller-based |
Set a next hop for packets that match IPv4 PBR policy node 1. |
|
apply service-chain path-id 8388609 path-index 1 |
apply service-chain path-id 8388609 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv4 PBR policy node 1. |
|
policy-based-route SDN_SC_VLAN_1001 permit node 2 |
policy-based-route SDN_SC_VLAN_1001 permit node 2 |
Manual or controller-based |
Create node 2 for IPv4 PBR policy SDN_SC_VLAN_1001 and enter its view. |
|
if-match acl name 1001_3 |
if-match acl name 1001_3 |
Manual or controller-based |
Configure IPv4 ACL 1001_3 as an ACL match criterion for IPv4 PBR policy node 2. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26 |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26 |
Manual or controller-based |
Set a next hop for packets that match IPv4 PBR policy node 2. |
|
apply service-chain path-id 8388609 path-index 1 |
apply service-chain path-id 8388609 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv4 PBR policy node 2. |
|
policy-based-route SDN_SC_VLAN_1001 permit node 3 |
policy-based-route SDN_SC_VLAN_1001 permit node 3 |
Manual or controller-based |
Create node 3 for IPv4 PBR policy SDN_SC_VLAN_1001 and enter its view. |
|
if-match acl name 1001_4 |
if-match acl name 1001_4 |
Manual or controller-based |
Configure IPv4 ACL 1001_4 as an ACL match criterion for IPv4 PBR policy node 3. |
|
apply output-interface NULL0 |
apply output-interface NULL0 |
Manual or controller-based |
Set NULL0 as the output interface for packets that match IPv4 PBR policy node 3. These packets will be discarded. |
|
interface Vlan-interface1001 |
Manual or controller-based |
Create VLAN-interface 1001 for VPN external_vpn_1001 VLAN 1001 and enter its view. |
|
|
ip policy-based-route SDN_SC_VLAN_1001 |
ip policy-based-route SDN_SC_VLAN_1001 |
Manual or controller-based |
Deploy IPv4 PBR policy SDN_SC_VLAN_1001 on VLAN-interface 1001. |
|
ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 0 |
ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 0 |
Manual or controller-based |
Create node 0 for IPv6 PBR policy SDN_SC_VLAN_1001 and enter its view. |
|
if-match acl name 1001_1 |
if-match acl name 1001_1 |
Manual or controller-based |
Configure IPv6 ACL 1001_1 as an ACL match criterion for IPv6 PBR policy node 0. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F |
Manual or controller-based |
Set a next hop for packets that match IPv6 PBR policy node 0. |
|
apply service-chain path-id 8388609 path-index 1 |
apply service-chain path-id 8388609 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv6 PBR policy node 0. |
|
ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 1 |
ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 1 |
Manual or controller-based |
Create node 1 for IPv6 PBR policy SDN_SC_VLAN_1001 and enter its view. |
|
if-match acl name 1001_2 |
if-match acl name 1001_2 |
Manual or controller-based |
Configure IPv6 ACL 1001_2 as an ACL match criterion for IPv6 PBR policy node 1. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F |
Manual or controller-based |
Set a next hop for packets that match IPv6 PBR policy node 1. |
|
apply service-chain path-id 8388609 path-index 1 |
apply service-chain path-id 8388609 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv6 PBR policy node 1. |
|
ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 2 |
ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 2 |
Manual or controller-based |
Create node 2 for IPv6 PBR policy SDN_SC_VLAN_1001 and enter its view. |
|
if-match acl name 1001_3 |
if-match acl name 1001_3 |
Manual or controller-based |
Configure IPv6 ACL 1001_3 as an ACL match criterion for IPv6 PBR policy node 2. |
|
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F |
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F |
Manual or controller-based |
Set a next hop for packets that match IPv6 PBR policy node 2. |
|
apply service-chain path-id 8388609 path-index 1 |
apply service-chain path-id 8388609 path-index 1 |
Manual or controller-based |
Set service chain information for packets that match IPv6 PBR policy node 2. |
|
ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 3 |
ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 3 |
Manual or controller-based |
Create node 3 for IPv6 PBR policy SDN_SC_VLAN_1001 and enter its view. |
|
if-match acl name 1001_4 |
if-match acl name 1001_4 |
Manual or controller-based |
Configure IPv6 ACL 1001_4 as an ACL match criterion for IPv6 PBR policy node 3. |
|
apply output-interface NULL0 |
apply output-interface NULL0 |
Manual or controller-based |
Set NULL0 as the output interface for packets that match IPv6 PBR policy node 3. These packets will be discarded. |
|
interface Vlan-interface1001 |
interface Vlan-interface1001 |
Manual or controller-based |
Create VLAN-interface 1001 for VPN external_vpn_1001 VLAN 1001 and enter its view. |
|
ipv6 policy-based-route SDN_SC_VLAN_1001 |
ipv6 policy-based-route SDN_SC_VLAN_1001 |
Manual or controller-based |
Deploy IPv6 PBR policy SDN_SC_VLAN_1001 on VLAN-interface 1001. |
Verifying the configuration
Verification commands
|
Command |
Description |
|
display drni role |
Displays DR role information. |
|
display drni summary |
Displays summary information about the IPP and DR interfaces in the DR system. |
|
display ospf peer |
Displays information about OSPF neighbors. |
|
display bgp peer l2vpn evpn |
Displays BGP EVPN peer or peer group information. |
|
display bgp l2vpn evpn |
Displays BGP EVPN routes. |
|
display l2vpn vsi |
Displays information about VSIs. |
|
display microsegment |
Displays the configuration and status of microsegments. |
Procedure
1. Verify that the DR systems at the leaf tier are operating correctly.
The following information uses node Leaf 1 for example to show the procedure.
# Verify that nodes Leaf 1 and Leaf 2 has established a DR system.
<Leaf1> display drni role
Effective role information
Factors Local Peer
Effective role Secondary Primary
Initial role None None
MAD DOWN state Yes Yes
Health level 0 0
Role priority 32768 32768
Bridge MAC 703a-a6e9-a00a 0440-a9df-98d0
Effective role trigger: IPL calculation
Effective role reason: Bridge MAC
Configured role information
Factors Local Peer
Configured role Secondary Primary
Role priority 32768 32768
Bridge MAC 703a-a6e9-a00a 0440-a9df-98d0
<Leaf1> display drni summary
Flags: A -- Aggregate interface down, B -- No peer DR interface configured
C -- Configuration consistency check failed
IPP: BAGG256
IPP state (cause): UP
Keepalive link state (cause): UP
DR interface information
DR interface DR group Local state (cause) Peer state Remaining down time(s)
BAGG256 1 UP UP -
# Verify that node Leaf 1 has established OSPF neighbor relationships and BGP EVPN peer relationships with the spine nodes.
<Leaf1> display ospf peer
OSPF Process 65530 with Router ID 197.32.241.41
Neighbor Brief Information
Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
197.32.241.37 197.32.241.37 1 38 Full/ - HGE1/0/25
197.32.241.38 197.32.241.38 1 34 Full/ - HGE1/0/26
197.32.241.42 197.32.241.142 1 31 Full/DR Vlan4094
<Leaf1> display bgp peer l2vpn evpn
BGP local router ID: 197.32.241.41
Local AS number: 65530
Total number of peers: 2 Peers in established state: 2
* - Dynamically created peer
^ - Peer created through link-local address
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
197.32.241.37 65530 6273 5374 0 340 0080h32m Established
197.32.241.38 65530 5175 5041 0 340 0080h34m Established
2. On node Leaf 1, verify that the configuration and status of microsegments are all correct.
<Leaf1>display microsegment
Microsegment status : Enabled
Total microsegments : 4
Microsegment list
Microsegment ID Members Microsegment name
10001 87 SDN_EPG_10001
10002 8 SDN_EPG_10002
10003 2 SDN_EPG_10003
10004 2 SDN_EPG_10004
3. On the DHCP client side, verify that the Windows 7 and Linux DHCP clients attached to node Leaf 3 can obtain IP addresses from the DHCP server. (Details not shown.)
4. On the DHCP server, verify that the IP addresses have been assigned to the DHCP clients. (Details not shown.)
