01-EVPN VXLAN and EVPN-DCI configuration
Contents
Assignment of traffic to VXLANs
Traffic from the local site to a remote site
Traffic from a remote site to the local site
Centralized EVPN gateway deployment
Distributed EVPN gateway deployment
RD and route target selection of BGP EVPN routes
VM reachability information synchronization
Independent BGP neighbor relationship establishment
Configuration restrictions and guidelines
VXLAN tunnel configuration restrictions and guidelines
EVPN gateway configuration restrictions and guidelines
Aggregate interface configuration restrictions and guidelines
EVPN VXLAN configuration task list
Configuring BGP to advertise BGP EVPN routes
Configuration restrictions and guidelines
Enabling BGP to advertise BGP EVPN routes
Configuring BGP EVPN route settings
Enabling the device to ignore default routes in route recursion
Mapping a static Ethernet service instance to a VSI
Mapping dynamic Ethernet service instances to VSIs
Configuring a centralized EVPN gateway
Configuration restrictions and guidelines
Configuring a centralized gateway interface
Setting the static flag for the MAC addresses of centralized gateway interfaces
Configuring a distributed EVPN gateway
Configuration restrictions and guidelines
Configuring the traffic forwarding mode for EVPN VXLAN
Configuring an L3 VXLAN ID for a VSI interface
Configuring IP prefix route advertisement
Configuring BGP route replication between public and VPN instances
Configuring the EVPN global MAC address
Disabling generation of IP prefix advertisement routes for the subnets of a VSI interface
Enabling a distributed EVPN gateway to send RA messages over VXLAN tunnels
Enabling traffic statistics for the VSIs automatically created for L3 VXLAN IDs
Managing remote MAC address entries and remote ARP or ND learning
Disabling remote MAC address learning and remote ARP or ND learning
Disabling MAC address advertisement
Enabling MAC mobility event suppression
Disabling learning of MAC addresses from ARP or ND information
Disabling ARP information advertisement
Enabling ARP mobility event suppression
Enabling ND mobility event suppression
Enabling conversational learning for forwarding entries
Configuration restrictions and guidelines
Enabling conversational learning for remote MAC address entries
Enabling conversational learning for host route FIB entries
Enabling conversational learning for IPv6 host route FIB entries
Configuring BGP EVPN route redistribution and advertisement
Redistributing MAC/IP advertisement routes into BGP unicast routing tables
Setting the metric of BGP EVPN routes added to a VPN instance's routing table
Enabling BGP EVPN route advertisement to the local site
Enabling ARP or ND flood suppression
Testing the connectivity of a VXLAN tunnel
Configuration restrictions and guidelines
Pinging a VXLAN tunnel destination
Tracing the path to a VXLAN tunnel destination
Enabling SNMP notifications for EVPN
Hardware compatibility with EVPN M-LAG
EVPN M-LAG and feature compatibility
EVPN M-LAG configuration restrictions and guidelines
Forwarding entry configuration restrictions and guidelines
Configuration procedure (IPv4)
Configuration procedure (IPv6)
Displaying and maintaining EVPN VXLAN
EVPN VXLAN configuration examples
Centralized EVPN gateway configuration example
Distributed IPv4 EVPN gateway in symmetric IRB mode configuration example
Distributed IPv4 EVPN gateways in asymmetric IRB mode configuration example
Private-public IPv4 network communication example
IPv4 EVPN M-LAG with a direct peer link configuration example
IPv4 EVPN M-LAG with a tunnel peer link configuration example
VXLAN tunnels protected by EVPN M-LAG with a direct peer link configuration example
Configuration restrictions and guidelines
EVPN-DCI configuration task list
Configuring an ED to modify BGP EVPN routes
Enabling route nexthop replacement and route router MAC replacement
Enabling an ED to replace the L3 VXLAN ID, RD, and route targets of IP prefix advertisement routes
Suppressing BGP EVPN route advertisement
Configuration restrictions and guidelines
Configuration restrictions and guidelines
Configuring the BGP EVPN address family and the BGP VPNv4 or VPNv6 address family to exchange routes
Enabling BGP VPNv4 or VPNv6 route advertisement for the BGP EVPN address family
Enabling BGP EVPN route advertisement for the BGP VPNv4 or VPNv6 address family
Configuring EVPN-DCI dual-homing
Enabling EVPN-DCI support for cross-VXLAN Layer 2 multicast
EVPN-DCI configuration examples
Basic EVPN-DCI configuration example (IPv4 underlay network)
EVPN-DCI intermediate VXLAN mapping configuration example (IPv4 underlay network)
EVPN-DCI Layer 3 communication configuration example (IPv4 sites+IPv4 underlay network)
EVPN-DCI Layer 3 communication configuration example (IPv6 sites+IPv4 underlay network)
EVPN-DCI dual-homing configuration example (IPv4 sites+IPv4 underlay network)
EVPN VXLAN overview
Ethernet Virtual Private Network (EVPN) is a Layer 2 VPN technology that provides both Layer 2 and Layer 3 connectivity between distant network sites across an IP network.
In the control plane, EVPN VXLAN uses MP-BGP to advertise EVPN routes. These routes drive VXLAN tunnel establishment and assignment and carry MAC reachability information. In the data plane, EVPN VXLAN uses VXLAN for forwarding. EVPN VXLAN is typically used in data centers for multitenant services.
EVPN VXLAN provides the following benefits:
· Configuration automation—MP-BGP automates VTEP discovery, VXLAN tunnel establishment, and VXLAN tunnel assignment to ease deployment.
· Separation of the control plane and the data plane—EVPN VXLAN uses MP-BGP to advertise host reachability information in the control plane and uses VXLAN to forward traffic in the data plane.
· Integrated routing and bridging (IRB)—MP-BGP advertises both Layer 2 and Layer 3 host reachability information to provide optimal forwarding paths and minimize flooding.
Network model
As shown in Figure 1, EVPN VXLAN uses the VXLAN technology for traffic forwarding in the data plane. The transport edge devices assign user terminals to different VXLANs, and then forward traffic between sites for user terminals by using VXLAN tunnels. The transport edge devices are VXLAN tunnel endpoints (VTEPs).
The EVPN VXLAN network sites and transport network can be IPv4 or IPv6 networks.
A VTEP uses ESs, VSIs, and VXLAN tunnels to provide VXLAN services:
· Ethernet segment (ES)—An ES is a link that connects a site to a VTEP. Each ES is uniquely identified by an Ethernet segment identifier (ESI). A site can be connected to a VTEP through only one ES. The ES uses ESI 0.
· VSI—A virtual switch instance is a virtual Layer 2 switched domain. Each VSI provides switching services only for one VXLAN. VSIs learn MAC addresses and forward frames independently of one another. User terminals in different sites have Layer 2 connectivity if they are in the same VXLAN. A VXLAN is identified by a 24-bit VXLAN ID which is also called the virtual network identifier (VNI). A VXLAN corresponds to an EVPN instance.
· VXLAN tunnel—A VXLAN tunnel is a logical point-to-point tunnel between VTEPs over the transport network. Each VXLAN tunnel can trunk multiple VXLANs.
All VXLAN processing is performed on VTEPs. The ingress VTEP encapsulates VXLAN traffic in the VXLAN, outer UDP, and outer IP headers, and forwards the traffic through VXLAN tunnels. The egress VTEP removes the VXLAN encapsulation and forwards the traffic to the destination. Transport network devices (for example, the P device in Figure 1) forward VXLAN traffic only based on the outer IP header of VXLAN packets.
Figure 1 EVPN VXLAN network model
Layered transport network
As shown in Figure 2, typically the EVPN VXLAN transport network uses a layered structure. On the transport network, leaf nodes act as VTEPs to provide VXLAN services, and spine nodes perform forwarding for VXLAN traffic based on the outer IP header. If all VTEPs and transport network devices of an EVPN VXLAN network belong to the same AS, the spine nodes can act as route reflectors (RRs) to reflect routes between the VTEPs. In this scenario, the spine nodes advertise and receive BGP EVPN routes, but do not perform VXLAN encapsulation and de-encapsulation.
Figure 2 Layered transport network
MP-BGP extension for EVPN
To support EVPN, MP-BGP introduces the EVPN subsequent address family under the L2VPN address family and the following network layer reachability information (BGP EVPN routes):
· Ethernet auto-discovery route—Advertises ES information in multihomed sites.
· MAC/IP advertisement route—Advertises MAC reachability information and host route information (host ARP or ND information).
· Inclusive multicast Ethernet tag (IMET) route—Advertises VTEP and VXLAN mappings for automating VTEP discovery, VXLAN tunnel establishment, and VXLAN tunnel assignment.
· Ethernet segment route—Advertises ES and VTEP mappings.
· IP prefix advertisement route—Advertises BGP IPv4 or IPv6 unicast routes as IP prefixes.
· Selective multicast Ethernet tag (SMET) route—Advertises IGMP multicast group information among VTEPs in an EVPN VXLAN network. A VTEP advertises an SMET route only when receiving a membership report for an IGMP multicast group for the first time. The VTEP does not advertise an SMET route if subsequent membership reports for the multicast group use the same IGMP version as the first membership report.
· IGMP join synch route—Advertises IGMP membership reports among redundant VTEPs for an ES.
· IGMP leave synch route—Advertises IGMP leave group messages for withdrawal of IGMP join synch routes among redundant VTEPs for an ES.
The current software version does not support Ethernet auto-discovery routes and ES routes.
MP-BGP uses the route distinguisher (RD) field to differentiate BGP EVPN routes of different VXLANs and uses route targets to control the advertisement and acceptance of BGP EVPN routes. MP-BGP supports the following types of route targets:
· Export targets—A VTEP sets the export targets for BGP EVPN routes learned from the local site before advertising them to remote VTEPs.
· Import targets—A VTEP checks the export targets of BGP EVPN routes received from remote VTEPs. The VTEP imports the BGP EVPN routes only when their export targets match the local import targets.
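Because export and import targets decide which VTEPs accept each other's routes, a mistyped target either lets one VXLAN's routes into another or silently breaks reachability. The following is an added example, not part of the original guide: it audits a constructed set of EVPN instances. The `EvpnInstance` model, the RD and route target values, and the assumption that routes should be imported only between instances of the same VXLAN are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EvpnInstance:
    """Hypothetical model of one VXLAN's EVPN instance on one VTEP."""
    vtep: str
    vxlan_id: int
    rd: str
    export_targets: frozenset
    import_targets: frozenset

    @property
    def label(self):
        return f"{self.vtep}/vxlan{self.vxlan_id}"


def imports_from(receiver, advertiser):
    """A route is imported when one of its export targets matches a local import target."""
    return bool(advertiser.export_targets & receiver.import_targets)


def audit(instances):
    """Return (kind, receiver, advertiser) findings for a set of EVPN instances."""
    findings = []

    # The RD differentiates routes of different VXLANs, so two VXLANs on
    # the same VTEP must not share one.
    rd_owner = {}
    for inst in instances:
        first = rd_owner.setdefault((inst.vtep, inst.rd), inst)
        if first.vxlan_id != inst.vxlan_id:
            findings.append(("rd-reuse", first.label, inst.label))

    # Compare every receiver with every advertiser on another VTEP.
    for rx in instances:
        for tx in instances:
            if rx.vtep == tx.vtep:
                continue
            accepted = imports_from(rx, tx)
            same_vxlan = rx.vxlan_id == tx.vxlan_id
            if accepted and not same_vxlan:
                # Assumption: cross-VXLAN import is unintended here.
                findings.append(("cross-vxlan-import", rx.label, tx.label))
            elif same_vxlan and not accepted:
                findings.append(("missing-import", rx.label, tx.label))
    return findings


def rt(*values):
    return frozenset(values)


# Constructed sample fabric: vtep2 imports one target too many, vtep3 has a
# mistyped import target and reuses an RD for two VXLANs.
SAMPLE = [
    EvpnInstance("vtep1", 10, "1:10", rt("65000:10"), rt("65000:10")),
    EvpnInstance("vtep1", 20, "1:20", rt("65000:20"), rt("65000:20")),
    EvpnInstance("vtep2", 10, "2:10", rt("65000:10"), rt("65000:10", "65000:20")),
    EvpnInstance("vtep3", 20, "3:20", rt("65000:20"), rt("65000:200")),
    EvpnInstance("vtep3", 30, "3:20", rt("65000:30"), rt("65000:30")),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```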
Configuration automation
VTEPs use BGP EVPN routes to discover VTEP neighbors, establish VXLAN tunnels, and assign the tunnels to VXLANs.
· IMET route—VTEPs advertise their VXLAN IDs through IMET routes. If two VTEPs have the same VXLAN ID, they automatically establish a VXLAN tunnel and assign the tunnel to the VXLAN.
· MAC/IP advertisement route and IP prefix advertisement route—In the EVPN gateway deployment, VTEPs advertise MAC/IP advertisement routes or IP prefix advertisement routes which carry export targets. When a VTEP receives a route, it compares the export targets of the route with the local import targets. If the route targets match, the VTEP establishes a VXLAN tunnel with the remote VTEP and associates the tunnel with the L3 VXLAN ID of the corresponding VPN instance. For more information about the L3 VXLAN ID, see "Distributed EVPN gateway deployment."
Assignment of traffic to VXLANs
Traffic from the local site to a remote site
The VTEP uses an Ethernet service instance to match customer traffic on a site-facing interface. The VTEP assigns customer traffic to a VXLAN by mapping the Ethernet service instance to a VSI.
An Ethernet service instance is identical to an attachment circuit (AC) in L2VPN. An Ethernet service instance matches a list of VLANs on a Layer 2 Ethernet interface by using a frame match criterion. The frame match criterion specifies the characteristics of traffic from the VLANs, such as tagging status and VLAN IDs.
As shown in Figure 3, Ethernet service instance 1 matches VLAN 2 and is mapped to VSI A (VXLAN 10). When a frame from VLAN 2 arrives, the VTEP assigns the frame to VXLAN 10 and looks up VSI A's MAC address table for the outgoing interface.
Figure 3 Identifying traffic from the local site
Traffic from a remote site to the local site
When a VXLAN packet arrives at a VXLAN tunnel interface, the VTEP uses the VXLAN ID in the packet to identify its VXLAN.
Layer 2 forwarding
MAC learning
The VTEP performs Layer 2 forwarding based on a VSI's MAC address table. The VTEP learns MAC addresses by using the following methods:
· Local MAC learning—The VTEP automatically learns the source MAC addresses of frames sent from the local site. The outgoing interfaces of local MAC address entries are site-facing interfaces on which the MAC addresses are learned.
· Remote MAC learning—The VTEP uses MP-BGP to advertise local MAC reachability information to remote sites and learn MAC reachability information from remote sites. The outgoing interfaces of MAC address entries advertised from a remote site are VXLAN tunnel interfaces.
Unicast
As shown in Figure 4, the VTEP performs typical Layer 2 forwarding for known unicast traffic within the local site.
As shown in Figure 5, the following process applies to a known unicast frame between sites:
1. The source VTEP encapsulates the Ethernet frame in the VXLAN/UDP/IP header.
In the outer IP header, the source IP address is the source VTEP's VXLAN tunnel source IP address. The destination IP address is the VXLAN tunnel destination IP address.
2. The source VTEP forwards the encapsulated packet out of the outgoing VXLAN tunnel interface found in the VSI's MAC address table.
3. The intermediate transport devices (P devices) forward the packet to the destination VTEP by using the outer IP header.
4. The destination VTEP removes the headers on top of the inner Ethernet frame. It then performs MAC address table lookup in the VXLAN's VSI to forward the frame out of the matching outgoing interface.
Flood
As shown in Figure 6, a VTEP floods a broadcast, multicast, or unknown unicast frame to all site-facing interfaces and VXLAN tunnels in the VXLAN, except for the incoming interface. The source VTEP replicates the flood frame, and then sends one replica to the destination IP address of each VXLAN tunnel in the VXLAN. Each destination VTEP floods the inner Ethernet frame to all the site-facing interfaces in the VXLAN. To avoid loops, the destination VTEPs do not flood the frame to VXLAN tunnels.
Figure 6 Forwarding of flood traffic
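The unicast and flood handling on the destination VTEP can be traced in code. This is an added example, not taken from the original guide or the device software: the 8-byte VXLAN header layout follows RFC 7348, the outer UDP and IP headers are omitted, and the VSI names, interface names and MAC addresses are constructed.

```python
import struct

VXLAN_FLAG_I = 0x08   # RFC 7348: set when the VXLAN ID field is valid
VXLAN_HDR_LEN = 8     # flags(1) + reserved(3) + VXLAN ID(3) + reserved(1)
ETH_HDR_LEN = 14


def mac(text):
    """'00:00:5e:00:53:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def vxlan_encap(vxlan_id, inner_frame):
    """Source VTEP, step 1: prepend the VXLAN header to the Ethernet frame."""
    if not 0 <= vxlan_id < (1 << 24):
        raise ValueError("VXLAN ID must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vxlan_id << 8) + inner_frame


class EgressVtep:
    """Constructed model of a destination VTEP: VXLAN ID -> VSI -> MAC table."""

    def __init__(self):
        self.vsi_by_vxlan_id = {}
        self.mac_table = {}   # VSI -> {MAC: site-facing interface}
        self.site_ifs = {}    # VSI -> all site-facing interfaces of the VXLAN

    def add_vsi(self, vsi, vxlan_id, site_ifs):
        self.vsi_by_vxlan_id[vxlan_id] = vsi
        self.mac_table[vsi] = {}
        self.site_ifs[vsi] = list(site_ifs)

    def learn_local(self, vsi, mac_addr, interface):
        self.mac_table[vsi][mac_addr] = interface

    def receive(self, udp_payload):
        """Return (VSI, outgoing interfaces) for a packet taken off a tunnel."""
        if len(udp_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
            raise ValueError("truncated VXLAN packet")
        word0, word1 = struct.unpack("!II", udp_payload[:VXLAN_HDR_LEN])
        if not (word0 >> 24) & VXLAN_FLAG_I:
            raise ValueError("I flag clear, VXLAN ID not valid")
        vsi = self.vsi_by_vxlan_id.get(word1 >> 8)
        if vsi is None:
            return None, []               # no VSI for this VXLAN ID: drop
        dst_mac = udp_payload[VXLAN_HDR_LEN:VXLAN_HDR_LEN + 6]
        out_if = self.mac_table[vsi].get(dst_mac)
        if out_if is not None:
            return vsi, [out_if]          # known unicast
        # Flood: site-facing interfaces only, never back into VXLAN tunnels.
        return vsi, list(self.site_ifs[vsi])


def demo():
    vtep = EgressVtep()
    vtep.add_vsi("vsi-a", 10, ["site-if-1", "site-if-2"])
    vtep.add_vsi("vsi-b", 20, ["site-if-3"])
    vtep.learn_local("vsi-a", mac("00:00:5e:00:53:02"), "site-if-2")
    # Constructed inner frame: dst MAC, src MAC, EtherType, payload.
    frame = (mac("00:00:5e:00:53:02") + mac("00:00:5e:00:53:01")
             + b"\x08\x00" + b"constructed payload")
    return {
        "known": vtep.receive(vxlan_encap(10, frame)),
        "other_vxlan": vtep.receive(vxlan_encap(20, frame)),
        "unknown_vxlan": vtep.receive(vxlan_encap(30, frame)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The same destination MAC address is a known unicast in VXLAN 10 but is flooded in VXLAN 20, because each VSI keeps its own MAC address table.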
Layer 3 forwarding
EVPN VXLAN uses EVPN gateways to provide Layer 3 forwarding services for hosts in VXLANs. EVPN VXLAN provides the following EVPN gateway placement designs:
· Centralized EVPN gateway deployment—Uses one VTEP to provide Layer 3 forwarding for VXLANs. Typically, the gateway-collocated VTEP connects to other VTEPs and the external network. To use this design, make sure the gateway has sufficient bandwidth and processing capability.
· Distributed EVPN gateway deployment—Deploys one EVPN gateway on each VTEP to provide Layer 3 forwarding for VXLANs at their respective sites. This design distributes the Layer 3 traffic load across VTEPs. However, its configuration is more complex than the centralized EVPN gateway design.
In either design, the gateways use virtual Layer 3 VSI interfaces as gateway interfaces for VXLANs.
NOTE: This section uses IPv4 sites as examples to describe the Layer 3 forwarding process of EVPN VXLAN networks.
Centralized EVPN gateway deployment
As shown in Figure 7, a VTEP acts as a gateway for user terminals in the VXLANs. The VTEP both terminates the VXLANs and performs Layer 3 forwarding for the user terminals. The network uses the following process to forward Layer 3 traffic from a user terminal to the destination:
1. The user terminal sends an ARP request to obtain the MAC address of the VSI interface that acts as the gateway, and then sends the Layer 3 traffic to the centralized EVPN gateway.
2. The local VTEP looks up the matching VSI's MAC address table and forwards the traffic to the centralized EVPN gateway through a VXLAN tunnel.
3. The centralized EVPN gateway removes the VXLAN encapsulation and forwards the traffic at Layer 3.
4. The centralized EVPN gateway forwards the replies sent by the destination node to the user terminal based on the ARP entry for the user terminal.
Figure 7 Example of centralized EVPN gateway deployment
Distributed EVPN gateway deployment
As shown in Figure 8, each site's VTEP acts as a gateway to perform Layer 3 forwarding for the VXLANs of the local site. A VTEP acts as a border gateway to the Layer 3 network for the VXLANs.
Figure 8 Distributed EVPN gateway placement design
A distributed EVPN gateway supports the following traffic forwarding modes:
· Asymmetric IRB—The ingress gateway performs Layer 2 and Layer 3 lookups and the egress gateway performs only Layer 2 forwarding.
· Symmetric IRB—Both the ingress and egress gateways perform Layer 2 and Layer 3 lookups.
Symmetric IRB
Basic concepts
Symmetric IRB introduces the following concepts:
· L3 VXLAN ID—Also called L3 VNI. An L3 VXLAN ID identifies the traffic of a routing domain where devices have Layer 3 reachability. An L3 VXLAN ID is associated with one VPN instance. Distributed EVPN gateways use VPN instances to isolate traffic of different services on VXLAN tunnel interfaces.
· Router MAC address—Each distributed EVPN gateway has a unique router MAC address used for inter-gateway forwarding. The MAC addresses in the inner Ethernet header of VXLAN packets are router MAC addresses of distributed EVPN gateways.
VSI interfaces
As shown in Figure 9, each distributed EVPN gateway has the following types of VSI interfaces:
· VSI interface as a gateway interface of a VXLAN—The VSI interface acts as the gateway interface for user terminals in a VXLAN. The VSI interface is associated with a VSI and a VPN instance. On different distributed EVPN gateways, the VSI interface of a VXLAN uses the same IP address to provide services.
· VSI interface associated with an L3 VXLAN ID—The VSI interface is associated with a VPN instance and assigned an L3 VXLAN ID. VSI interfaces associated with the same VPN instance share an L3 VXLAN ID.
A border gateway only has VSI interfaces that are associated with an L3 VXLAN ID.
Figure 9 Example of distributed EVPN gateway deployment
Layer 3 forwarding entry learning
A distributed EVPN gateway forwards Layer 3 traffic based on FIB entries generated from BGP EVPN routes and ARP information.
A VTEP advertises an external route imported in the EVPN address family through MP-BGP. A remote VTEP adds the route to the FIB table of a VPN instance based on the L3 VXLAN ID carried in the route. In the FIB entry, the outgoing interface is the VXLAN tunnel interface where the route is received, and the next hop is the peer VTEP address in the NEXT_HOP attribute of the route.
A VTEP has the following types of ARP information:
· Local ARP information—ARP information of user terminals in the local site. The VTEP snoops GARP packets, RARP packets, and ARP requests for the gateway MAC address to learn the ARP information of the senders and generates ARP entries and FIB entries. In an ARP or FIB entry, the outgoing interface is the site-facing interface where the packet is received, and the VPN instance is the instance associated with the corresponding VSI interface.
· Remote ARP information—ARP information of user terminals in remote sites. Each VTEP uses MP-BGP to advertise its local ARP information with L3 VXLAN IDs in routes to remote sites. A VTEP generates only FIB entries for the remote ARP information. A FIB entry contains the following information:
  ◦ Outgoing interface: VSI interface associated with the L3 VXLAN ID.
  ◦ Next hop: Peer VTEP address in the NEXT_HOP attribute of the route.
  ◦ VPN instance: VPN instance associated with the L3 VXLAN ID.
The VTEP then creates an ARP entry for the next hop in the FIB entry.
Traffic forwarding
For more information about MAC address table-based Layer 2 forwarding, see "Unicast."
Figure 10 shows the intra-site Layer 3 forwarding process.
1. The source terminal sends an ARP request to obtain the MAC address of the destination terminal.
2. The gateway replies to the source terminal with the MAC address of the VSI interface associated with the source terminal's VSI.
3. The source terminal sends a Layer 3 packet to the gateway.
4. The gateway looks up the FIB table of the VPN instance associated with the source terminal's VSI and finds the matching outgoing site-facing interface.
5. The gateway processes the Ethernet header of the Layer 3 packet as follows:
  ◦ Replaces the destination MAC address with the destination terminal's MAC address.
  ◦ Replaces the source MAC address with the VSI interface's MAC address.
6. The gateway forwards the Layer 3 packet to the destination terminal.
Figure 10 Intra-site Layer 3 forwarding
Figure 11 shows the inter-site Layer 3 forwarding process.
1. The source terminal sends an ARP request to obtain the MAC address of the destination terminal.
2. The gateway replies to the source terminal with the MAC address of the VSI interface associated with the source terminal's VSI.
3. The source terminal sends a Layer 3 packet to the gateway.
4. The gateway looks up the FIB table of the VPN instance associated with the source terminal's VSI and finds the matching outgoing VSI interface.
5. The gateway processes the Ethernet header of the Layer 3 packet as follows:
  ◦ Replaces the destination MAC address with the destination gateway's router MAC address.
  ◦ Replaces the source MAC address with its own router MAC address.
6. The gateway adds VXLAN encapsulation to the Layer 3 packet and forwards the packet to the destination gateway. The encapsulated VXLAN ID is the L3 VXLAN ID of the corresponding VPN instance.
7. The destination gateway identifies the VPN instance of the packet based on the L3 VXLAN ID and removes the VXLAN encapsulation. Then the gateway forwards the packet based on the matching ARP entry.
Figure 11 Inter-site Layer 3 forwarding
Communication between private and public networks
A distributed EVPN gateway uses the public instance to perform Layer 3 forwarding for the public network and to enable communication between private and public networks. The public instance is similar to a VPN instance. A distributed EVPN gateway processes traffic of the public instance in the same way it does for a VPN instance. For the public instance to work correctly, you must configure an RD, an L3 VXLAN ID, and route targets for it. If a VSI interface is not associated with any VPN instance, the VSI interface belongs to the public instance.
Asymmetric IRB
VSI interfaces
Asymmetric IRB uses the same distributed EVPN gateway deployment as symmetric IRB.
As shown in Figure 9, each distributed EVPN gateway has the following types of VSI interfaces:
· VSI interface as a gateway interface of a VXLAN—The VSI interface is associated with a VSI and a VPN instance. On different distributed EVPN gateways, the VSI interface of a VXLAN must use different IP addresses to provide services.
· VSI interface associated with an L3 VXLAN ID—The VSI interface acts as the gateway for VMs in a VXLAN to communicate with the external network through the border gateway. The VSI interface is associated with a VPN instance and assigned an L3 VXLAN ID. VSI interfaces associated with the same VPN instance share an L3 VXLAN ID.
A border gateway only has VSI interfaces that are associated with an L3 VXLAN ID.
Layer 3 forwarding
Asymmetric IRB supports only Layer 3 forwarding in the same VXLAN on distributed EVPN gateways.
After a distributed EVPN gateway learns ARP information about local VMs, it advertises the information to other distributed EVPN gateways through MAC/IP advertisement routes. Other distributed EVPN gateways generate FIB entries based on the advertised ARP information.
As shown in Figure 12, VM 1 and VM 2 belong to VXLAN 10 and they can reach each other at Layer 3 through the distributed EVPN gateways. The distributed EVPN gateways use the following process to perform Layer 3 forwarding in asymmetric IRB mode when VM 1 sends a packet to VM 2:
1. After GW 1 receives the packet from VM 1, it finds that the destination MAC address is its own. Then, GW 1 removes the Layer 2 frame header and looks up the FIB table for the destination IP address.
2. GW 1 matches the packet to the FIB entry generated based on the ARP information of VM 2.
3. GW 1 sets the source and destination MAC addresses of the packet to the MAC addresses of GW 1 and VM 2, respectively. Then, GW 1 adds VXLAN encapsulation to the packet and forwards the packet to GW 2 through a VXLAN tunnel.
4. GW 2 removes the VXLAN encapsulation from the packet, and performs Layer 2 forwarding in VXLAN 10 by looking up the MAC address table for the destination MAC address.
5. GW 2 forwards the packet to VM 2 based on the MAC address table lookup result.
Figure 12 Layer 3 forwarding in the same VXLAN (asymmetric IRB)
RD and route target selection of BGP EVPN routes
As shown in Table 1, you can configure RDs and route targets for BGP EVPN routes in multiple views.
Table 1 Supported views for RD and route target configuration
Item | Views |
---|---|
RD | VSI EVPN instance view; VPN instance view; Public instance view |
Route targets | VSI EVPN instance view; VPN instance view; VPN instance IPv4 address family view; VPN instance IPv6 address family view; VPN instance EVPN view; Public instance view; Public instance IPv4 address family view; Public instance IPv6 address family view; Public instance EVPN view |

NOTE: Route targets configured in VPN instance view apply to IPv4 VPN, IPv6 VPN, and EVPN. Route targets configured in IPv4 address family view apply only to IPv4 VPN. Route targets configured in IPv6 address family view apply only to IPv6 VPN. Route targets configured in VPN instance EVPN view apply only to EVPN. Route targets configured in IPv4 address family view, IPv6 address family view, or VPN instance EVPN view take precedence over those in VPN instance view. The precedence order for different views of a VPN instance also applies to the views of the public instance.
The device selects RDs and route targets for BGP EVPN routes by using the following rules:
· IMET routes and MAC/IP advertisement routes that contain only MAC addresses—The device uses the RD and route targets configured in EVPN instance view when advertising and accepting the routes.
· MAC/IP advertisement routes that contain ARP or ND information—The device uses the following settings when advertising the routes:
  ◦ RD and export route targets configured in EVPN instance view.
  ◦ Export route targets configured for EVPN on a VPN instance or the public instance (VPN instance view, and EVPN view of a VPN instance or the public instance).
The device uses the import route targets configured for EVPN on a VPN instance or the public instance when accepting the routes.
· IP prefix advertisement routes—The device uses the route targets configured for IPv4 or IPv6 VPN on a VPN instance or the public instance (VPN instance view, and IPv4 or IPv6 address family view of a VPN instance or the public instance) when advertising and accepting the routes.
ARP and ND flood suppression
ARP or ND flood suppression reduces ARP request broadcasts or ND request multicasts by enabling the VTEP to reply to ARP or ND requests on behalf of VMs.
As shown in Figure 13, this feature snoops ARP or ND requests, ARP or ND responses, and BGP EVPN routes to populate the ARP or ND flood suppression table with local and remote MAC addresses. If an ARP or ND request has a matching entry, the VTEP replies to the request on behalf of the VM. If no match is found, the VTEP floods the request to both local and remote sites.
Figure 13 ARP and ND flood suppression
The following uses ARP flood suppression as an example to explain the flood suppression workflow:
1. Terminal 1 sends an ARP request to obtain the MAC address of Terminal 7.
2. VTEP 1 creates a suppression entry for Terminal 1, floods the ARP request in the VXLAN, and sends the suppression entry to VTEP 2 and VTEP 3 through BGP EVPN.
3. VTEP 2 and VTEP 3 de-encapsulate the ARP request and broadcast the request in the local site.
4. Terminal 7 sends an ARP reply.
5. VTEP 2 creates a suppression entry for Terminal 7, forwards the ARP reply to VTEP 1, and sends the suppression entry to VTEP 1 and VTEP 3 through BGP EVPN.
6. VTEP 1 de-encapsulates the ARP reply and forwards the ARP reply to Terminal 1.
7. Terminal 4 sends an ARP request to obtain the MAC address of Terminal 1.
8. VTEP 1 creates a suppression entry for Terminal 4 and replies to the ARP request.
9. Terminal 10 sends an ARP request to obtain the MAC address of Terminal 1.
10. VTEP 3 creates a suppression entry for Terminal 10 and replies to the ARP request.
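The workflow above, replayed as an added example that is not part of the original guide. The `Vtep` class, the IP and MAC addresses, and the direct table update that stands in for the BGP EVPN advertisement are assumptions made for illustration.

```python
class Vtep:
    """Constructed model of one VTEP's ARP flood suppression table."""

    def __init__(self, name):
        self.name = name
        self.peers = []
        # IP -> (MAC, "local" or the name of the VTEP that advertised it)
        self.suppression = {}
        self.flooded = 0

    def _learn_and_advertise(self, ip, mac_addr):
        self.suppression[ip] = (mac_addr, "local")
        for peer in self.peers:
            # Stands in for the suppression entry sent through BGP EVPN.
            peer.suppression[ip] = (mac_addr, self.name)

    def arp_request(self, sender_ip, sender_mac, target_ip):
        """Snoop a request from the local site; answer it or flood it."""
        self._learn_and_advertise(sender_ip, sender_mac)
        entry = self.suppression.get(target_ip)
        if entry is None:
            self.flooded += 1
            return ("flood", None, None)
        return ("proxy-reply", entry[0], entry[1])

    def arp_reply(self, sender_ip, sender_mac):
        """Snoop a reply from the local site."""
        self._learn_and_advertise(sender_ip, sender_mac)


def full_mesh(*names):
    vteps = {name: Vtep(name) for name in names}
    for vtep in vteps.values():
        vtep.peers = [p for p in vteps.values() if p is not vtep]
    return vteps


# Constructed addresses for the terminals named in the workflow.
TERMINALS = {
    "Terminal 1": ("192.0.2.1", "00:00:5e:00:53:01"),
    "Terminal 4": ("192.0.2.4", "00:00:5e:00:53:04"),
    "Terminal 7": ("192.0.2.7", "00:00:5e:00:53:07"),
    "Terminal 10": ("192.0.2.10", "00:00:5e:00:53:0a"),
}


def run_workflow():
    v = full_mesh("VTEP 1", "VTEP 2", "VTEP 3")
    t1, t4, t7, t10 = (TERMINALS[k] for k in
                       ("Terminal 1", "Terminal 4", "Terminal 7", "Terminal 10"))
    log = []
    log.append(v["VTEP 1"].arp_request(*t1, t7[0]))    # steps 1-3: no entry yet
    v["VTEP 2"].arp_reply(*t7)                         # steps 4-6
    log.append(v["VTEP 1"].arp_request(*t4, t1[0]))    # steps 7-8
    log.append(v["VTEP 3"].arp_request(*t10, t1[0]))   # steps 9-10
    log.append(v["VTEP 1"].arp_request(*t1, t7[0]))    # step 1 repeated later
    return log, v


if __name__ == "__main__":
    log, vteps = run_workflow()
    for event in log:
        print(event)
    print("floods:", {name: v.flooded for name, v in vteps.items()})
```

Only the first request is flooded. VTEP 3 answers for Terminal 1 from an entry it never saw locally, and a repeat of the first request is answered by VTEP 1 itself.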
MAC mobility
MAC mobility refers to the movement of a user terminal from one ES to another. The source VTEP is unaware of the MAC move event. To notify other VTEPs of the change, the destination VTEP advertises a MAC/IP advertisement route for the MAC address. The source VTEP withdraws the old route for the MAC address after receiving the new route. The MAC/IP advertisement route has a sequence number that increases when the MAC address moves. The sequence number identifies the most recent move if the MAC address moves multiple times.
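The sequence number comparison matters most when advertisements arrive out of order. The following added example (not from the original guide) models one VTEP's view of the routes for a MAC address. The `MacRouteTable` class, the starting sequence number 0, and the choice to ignore an advertisement whose sequence number equals the installed one are assumptions of this sketch.

```python
class MacRouteTable:
    """Constructed model: MAC/IP advertisement routes keyed by MAC address."""

    def __init__(self):
        self.best = {}        # MAC -> (sequence number, advertising VTEP)
        self.withdrawn = []   # (VTEP, MAC, sequence number) of replaced routes

    def next_seq(self, mac_addr):
        """Sequence number a VTEP uses when the MAC appears at its site."""
        current = self.best.get(mac_addr)
        return 0 if current is None else current[0] + 1

    def receive(self, mac_addr, vtep, seq):
        """Install the route only if it describes a more recent move."""
        current = self.best.get(mac_addr)
        if current is not None and seq <= current[0]:
            return False      # older or duplicate advertisement: keep current
        if current is not None:
            # The previous location's route is withdrawn.
            self.withdrawn.append((current[1], mac_addr, current[0]))
        self.best[mac_addr] = (seq, vtep)
        return True

    def location(self, mac_addr):
        current = self.best.get(mac_addr)
        return None if current is None else current[1]


def run_moves():
    table = MacRouteTable()
    mac_addr = "00:00:5e:00:53:01"   # constructed address
    results = []
    # The terminal appears behind VTEP 1, then moves to VTEP 2, then VTEP 3.
    for vtep in ("VTEP 1", "VTEP 2", "VTEP 3"):
        results.append(table.receive(mac_addr, vtep, table.next_seq(mac_addr)))
    # A delayed copy of VTEP 2's advertisement (sequence number 1) arrives
    # late. It must not pull the MAC address back to VTEP 2.
    results.append(table.receive(mac_addr, "VTEP 2", 1))
    return results, table.location(mac_addr), table.withdrawn


if __name__ == "__main__":
    print(run_moves())
```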
EVPN M-LAG
IMPORTANT: You can use EVPN M-LAG on IPv4 sites extended by IPv4 underlay networks or on IPv6 sites extended by IPv6 underlay networks.
About EVPN M-LAG
As shown in Figure 14, EVPN multichassis link aggregation (M-LAG) virtualizes two VTEPs or EVPN gateways into one M-LAG system through M-LAG to avoid single points of failure. The VTEPs or EVPN gateways are called M-LAG member devices. For more information about M-LAG, see Layer 2—LAN Switching Configuration Guide.
VM reachability information synchronization
To ensure VM reachability information consistency in the M-LAG system, the M-LAG member devices synchronize MAC address entries and ARP or ND information with each other through a peer link. The peer link can be an Ethernet aggregate link or a VXLAN tunnel, which are referred to as direct peer link and tunnel peer link, respectively.
IMPORTANT: The VXLAN tunnel that acts as the peer link is automatically associated with all VXLANs on each M-LAG member device.
Virtual VTEP address
The M-LAG member devices use a virtual VTEP address to set up VXLAN tunnels with remote VTEPs or EVPN gateways.
Independent BGP neighbor relationship establishment
The M-LAG member devices use different BGP peer addresses to establish neighbor relationships with remote devices. For load sharing and link redundancy, a neighbor sends traffic destined for the virtual VTEP address to both of the M-LAG member devices through ECMP routes of the underlay network.
Site-facing link redundancy
IMPORTANT: This mechanism ensures service continuity in case of site-facing AC failure.
As shown in Figure 14, a VM accesses the EVPN network through multiple Ethernet links that connect to the VTEPs. On each VTEP, all site-facing Ethernet links are assigned to a Layer 2 aggregation group for high availability. On the corresponding Layer 2 aggregate interfaces, Ethernet service instances are configured as ACs of VXLANs to match customer traffic.
Link redundancy mechanism for a direct peer link
If the peer link is an Ethernet aggregate link, VTEPs in the M-LAG system transmit data traffic between them over the peer link or a VXLAN tunnel when a site-facing AC fails.
· Data traffic transmission over a VXLAN tunnel—The VTEPs automatically set up a VXLAN tunnel between them and assign it to all VXLANs. When a site-facing AC on one M-LAG member device fails, the device forwards the remote packets destined for the AC to the other M-LAG member device over the VXLAN tunnel. The remote packets are encapsulated with the VXLAN ID of the failed site-facing AC. When the other M-LAG member device receives the packets, it decapsulates them and forwards them in the VXLAN where they belong.
· Data traffic transmission over the peer link—Each VTEP in the M-LAG system creates dynamic ACs on the peer-link interface by using one of the following methods:
  · Creation based on site-facing ACs—When a site-facing AC is created, a VTEP automatically creates an AC on the peer-link interface. The automatically created AC uses the same traffic match criterion as the site-facing AC and is mapped to the same VSI as the site-facing AC.
  · Creation based on VXLAN IDs—When a VXLAN is created, a VTEP automatically creates an AC on the peer-link interface. The automatically created AC uses a frame match criterion generated based on the VXLAN ID and is mapped to the VSI of the VXLAN.
When a site-facing AC goes down, traffic that a remote device sends to the AC is forwarded to the other M-LAG member device through the peer link. The other M-LAG member device identifies the VSI of the traffic and forwards the traffic to the destination.
Link redundancy mechanism for a tunnel peer link
If a site-facing AC on an M-LAG member device is down, traffic received from a VXLAN tunnel and destined for the AC will be encapsulated into VXLAN packets. The VXLAN ID belongs to the VXLAN that is associated with the VSI of the site-facing AC. The M-LAG member device forwards the VXLAN packets through the tunnel peer link to the peer M-LAG member device. The peer M-LAG member device assigns the traffic to the correct VSI based on the VXLAN ID in the received packets.
Configuring EVPN VXLAN
Configuration restrictions and guidelines
VXLAN tunnel configuration restrictions and guidelines
Make sure the following VXLAN tunnels are not associated with the same VXLAN when they have the same tunnel destination IP address:
· A VXLAN tunnel automatically created by EVPN.
· A manually created VXLAN tunnel.
VTEPs do not support automatic VXLAN tunnel setup.
For more information about manual tunnel configuration, see VXLAN Configuration Guide.
The device does not support VXLAN over IPv6 or VXLAN-DCI over IPv6 tunnels.
EVPN gateway configuration restrictions and guidelines
For information about hardware compatibility, feature restrictions, and hardware restrictions of site-facing interfaces of EVPN gateways, see VXLAN Configuration Guide.
Aggregate interface configuration restrictions and guidelines
Assign the same MAC address to a Layer 3 aggregate interface and its member ports if the member ports are provided by the following interface modules:
· FD interface modules.
· FE interface modules.
· SG interface modules.
If the Layer 3 aggregate interface and its member ports use different MAC addresses, packets received on the aggregate interface might carry incorrect VLAN tags when they are forwarded over a VXLAN tunnel.
EVPN VXLAN configuration task list
Tasks at a glance | Remarks |
---|---|
(Required) Creating a VXLAN on a VSI | N/A |
(Required) Configuring an EVPN instance | N/A |
(Required) Configuring BGP to advertise BGP EVPN routes | N/A |
(Required) Mapping ACs to a VSI | Perform this task to assign customer traffic to VXLANs. |
(Optional.) Configuring an EVPN gateway: | Perform this task to provide Layer 3 connectivity for VXLANs. |
(Optional.) Managing remote MAC address entries and remote ARP or ND learning | N/A |
(Optional.) Enabling conversational learning for forwarding entries | N/A |
(Optional.) Configuring BGP EVPN route redistribution and advertisement | N/A |
(Optional.) Disabling flooding for a VSI | Perform this task to reduce flooding to the transport network. |
(Optional.) Enabling ARP or ND flood suppression | Perform this task to reduce ARP request broadcasts. |
(Optional.) Testing the connectivity of a VXLAN tunnel | N/A |
(Optional.) Enabling SNMP notifications for EVPN | |
(Optional.) Configuring EVPN M-LAG | N/A |
Creating a VXLAN on a VSI
For more information about the VXLAN commands in this task, see VXLAN Command Reference.
To create a VXLAN on a VSI:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable L2VPN. | l2vpn enable | By default, L2VPN is disabled. |
3. Create a VSI and enter VSI view. | vsi vsi-name | By default, no VSIs exist. |
4. (Optional.) Configure a VSI description. | description text | By default, a VSI does not have a description. |
5. Enable the VSI. | undo shutdown | By default, a VSI is enabled. |
6. (Optional.) Set the MTU for the VSI. | mtu size | The default MTU is 1500 bytes for a VSI. |
7. (Optional.) Enable MAC address learning for the VSI. | mac-learning enable | By default, MAC address learning is enabled for a VSI. |
8. Create a VXLAN and enter VXLAN view. | vxlan vxlan-id | By default, no VXLANs exist. You can create only one VXLAN on a VSI. The VXLAN ID must be unique for each VSI. |
Configuring an EVPN instance
You do not need to associate a VPN instance with a VXLAN that requires only Layer 2 connectivity. The BGP EVPN routes advertised by the device carry the RD and route targets configured for the EVPN instance associated with the VXLAN.
To configure an EVPN instance:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VSI view. | vsi vsi-name | N/A |
3. Create an EVPN instance and enter EVPN instance view. | evpn encapsulation vxlan | By default, no EVPN instance exists. |
4. Configure an RD for the EVPN instance. | route-distinguisher { route-distinguisher \| auto [ router-id ] } | By default, no RD is configured for an EVPN instance. |
5. Configure route targets for the EVPN instance. | vpn-target { vpn-target&<1-8> \| auto } * [ both \| export-extcommunity \| import-extcommunity ] | By default, an EVPN instance does not have route targets. Make sure the following requirements are met: · The import targets of the EVPN instance do not match the export targets of the VPN instance associated with the VXLAN or the public instance. · The export targets of the EVPN instance do not match the import targets of the VPN instance associated with the VXLAN or the public instance. For more information about VPN instance and public instance configuration, see "Configuring an L3 VXLAN ID for a VSI interface." |
Configuring BGP to advertise BGP EVPN routes
Configuration restrictions and guidelines
For more information about BGP commands in this task, see Layer 3—IP Routing Command Reference.
Enabling BGP to advertise BGP EVPN routes
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure a global router ID. | router id router-id | By default, no global router ID is configured. |
3. Enable a BGP instance and enter BGP instance view. | bgp as-number [ instance instance-name ] | By default, BGP is disabled and no BGP instances exist. |
4. Specify remote VTEPs as BGP peers. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } as-number as-number | N/A |
5. Create the BGP EVPN address family and enter BGP EVPN address family view. | address-family l2vpn evpn | N/A |
6. Enable BGP to exchange BGP EVPN routes with a peer or peer group. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } enable | By default, BGP does not exchange BGP EVPN routes with peers. |
Configuring BGP EVPN route settings
Configuring BGP EVPN to advertise default routes
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] | N/A |
3. Enter BGP EVPN address family view. | address-family l2vpn evpn | N/A |
4. Advertise a default route to a peer or peer group. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } default-route-advertise { ipv4 \| ipv6 } vpn-instance vpn-instance-name | By default, no default route is advertised to any peers or peer groups. |
Configuring attributes of BGP EVPN routes
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] | N/A |
3. Enter BGP EVPN address family view. | address-family l2vpn evpn | N/A |
4. Permit the local AS number to appear in routes from a peer or peer group and set the number of appearances. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } allow-as-loop [ number ] | By default, the local AS number is not allowed in routes from peers. |
5. Configure the device to not change the next hop of routes advertised to an EBGP peer or peer group. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } next-hop-invariable | By default, the device uses its address as the next hop of routes advertised to EBGP peers. |
6. Advertise the COMMUNITY attribute to a peer or peer group. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } advertise-community | By default, the device does not advertise the COMMUNITY attribute to peers or peer groups. |
7. Remove the default-gateway extended community attribute from the EVPN gateway routes advertised to a peer or peer group. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } default-gateway no-advertise | By default, EVPN gateway routes advertised to peers and peer groups contain the default-gateway extended community attribute. |
Configuring optimal BGP EVPN route selection
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] | N/A |
3. Enter BGP EVPN address family view. | address-family l2vpn evpn | N/A |
4. Configure BGP to prefer routes with an IPv6 next hop during optimal route selection. | bestroute ipv6-nexthop | By default, BGP prefers routes with an IPv4 next hop during optimal route selection. |
5. (Optional.) Set the optimal route selection delay timer. | route-select delay delay-value | By default, the optimal route selection delay timer is 0 seconds, which means optimal route selection is not delayed. |
Configuring BGP route reflection
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] | N/A |
3. Enter BGP EVPN address family view. | address-family l2vpn evpn | N/A |
4. Configure the device as an RR and specify a peer or peer group as its client. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } reflect-client | By default, no RR or client is configured. |
5. (Optional.) Enable BGP EVPN route reflection between clients. | reflect between-clients | By default, BGP EVPN route reflection between clients is enabled. |
6. (Optional.) Configure the cluster ID of the RR. | reflector cluster-id { cluster-id \| ipv4-address } | By default, an RR uses its own router ID as the cluster ID. |
7. (Optional.) Create a reflection policy for the RR to filter reflected BGP EVPN routes. | rr-filter ext-comm-list-number | By default, an RR does not filter reflected BGP EVPN routes. |
8. (Optional.) Enable the RR to change the attributes of routes to be reflected. | reflect change-path-attribute | By default, an RR cannot change the attributes of routes to be reflected. |
Filtering BGP EVPN routes
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] | N/A |
3. Enter BGP EVPN address family view. | address-family l2vpn evpn | N/A |
4. Apply a routing policy to routes received from or advertised to a peer or peer group. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } route-policy route-policy-name { export \| import } | By default, no routing policies are applied to routes received from or advertised to peers or peer groups. |
5. Enable route target filtering for BGP EVPN routes. | policy vpn-target | By default, route target filtering is enabled for BGP EVPN routes. |
Configuring the BGP Additional Paths feature
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] | N/A |
3. Enter BGP EVPN address family view. | address-family l2vpn evpn | N/A |
4. Configure the BGP Additional Paths capabilities. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } additional-paths { receive \| send } * | By default, no BGP Additional Paths capabilities are configured. |
5. Set the maximum number of Add-Path optimal routes that can be advertised to a peer or peer group. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } advertise additional-paths best number | By default, a maximum of one Add-Path optimal route can be advertised to a peer or peer group. |
6. Set the maximum number of Add-Path optimal routes that can be advertised to all peers. | additional-paths select-best best-number | By default, a maximum of one Add-Path optimal route can be advertised to all peers. |
Enabling the device to ignore default routes in route recursion
Overview
By default, the device selects a default route to forward traffic if only the default route is obtained after BGP route recursion. If the default route does not point to the desired next hop, traffic forwarding will fail.
To resolve this issue, enable the device to ignore default routes in route recursion. If only the default route is obtained after route recursion is performed for a BGP route, that BGP route becomes invalid, and other BGP routes with the same prefix are selected for forwarding.
Enable this feature if multiple links exist between the device and a destination IP address. If one of the links fails, traffic will be switched to the other available links instead of being incorrectly forwarded based on a default route.
Configuration restrictions and guidelines
After you perform this task, VXLAN tunnels might be reestablished, and transient VXLAN traffic loss might occur. As a best practice, enable BGP EVPN route reception and advertisement again after you perform this task.
Configuration procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] | N/A |
3. Enter BGP EVPN address family view. | address-family l2vpn evpn | N/A |
4. Enable the device to ignore default routes in route recursion. | nexthop recursive-lookup default-route ignore [ route-policy route-policy-name ] | By default, the device can select a default route for forwarding after performing route recursion. |
Maintaining BGP sessions
Perform the following tasks in user view:
· Reset BGP sessions of the BGP EVPN address family.
reset bgp [ instance instance-name ] { as-number | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] | all | external | group group-name | internal } l2vpn evpn
· Soft-reset BGP sessions of the BGP EVPN address family.
refresh bgp [ instance instance-name ] { ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] | all | external | group group-name | internal } { export | import } l2vpn evpn
Mapping ACs to a VSI
Mapping a static Ethernet service instance to a VSI
Overview
A static Ethernet service instance matches a list of VLANs on a site-facing interface by using a frame match criterion. The VTEP assigns traffic from the VLANs to a VXLAN by mapping the static Ethernet service instance to a VSI. The VSI performs Layer 2 forwarding for the VLANs based on its MAC address table.
For a VSI that uses Ethernet access mode, you can manipulate the VLAN tags of incoming and outgoing traffic in its Ethernet service instance. The VLAN tag processing rules include adding VLAN tags, replacing VLAN tags, and removing VLAN tags. For information about the restrictions and guidelines for configuring VLAN tag processing rules, see the rewrite inbound tag and rewrite outbound tag commands in VXLAN Command Reference.
Configuration restrictions and guidelines
For information about the restrictions and guidelines, see mapping customer frames to a VSI in VXLAN Configuration Guide. For more information about the VXLAN commands in this task, see VXLAN Command Reference.
Configuration procedure
To map a static Ethernet service instance to a VSI:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | · interface interface-type interface-number · interface bridge-aggregation interface-number | N/A |
3. Assign the Layer 2 interface to a local-site VLAN. | a. Set the port link type. b. Use one of the following commands to assign the interface to a local-site VLAN: | The default link type is access. Make sure the VLAN has been created on the VTEP. |
4. Create an Ethernet service instance and enter Ethernet service instance view. | service-instance instance-id | By default, no Ethernet service instances exist. |
5. Configure a frame match criterion. | · Match frames that do not match any other service instance on the interface: · Match any 802.1Q tagged or untagged frames: · Match frames tagged with the specified inner 802.1Q VLAN IDs: · Match frames tagged with the specified outer 802.1Q VLAN IDs: · Match frames tagged with the specified outer and inner 802.1Q VLAN IDs: | By default, an Ethernet service instance does not contain a frame match criterion. |
6. (Optional.) Configure the VLAN tag processing rule for incoming traffic. | rewrite inbound tag { nest { c-vid vlan-id \| s-vid vlan-id [ c-vid vlan-id ] } \| remark { { 1-to-1 \| 2-to-1 } { c-vid vlan-id \| s-vid vlan-id } \| { 1-to-2 \| 2-to-2 } s-vid vlan-id c-vid vlan-id } \| strip { c-vid \| s-vid [ c-vid ] } } [ symmetric ] | By default, VLAN tags of incoming traffic are not processed. |
7. (Optional.) Configure the VLAN tag processing rule for outgoing traffic. | rewrite outbound tag { nest { c-vid vlan-id \| s-vid vlan-id [ c-vid vlan-id ] } \| remark { { 1-to-1 \| 2-to-1 } { c-vid vlan-id \| s-vid vlan-id } \| { 1-to-2 \| 2-to-2 } s-vid vlan-id c-vid vlan-id } \| strip { c-vid \| s-vid [ c-vid ] } } | By default, VLAN tags of outgoing traffic are not processed. |
8. Map the Ethernet service instance to a VSI. | xconnect vsi vsi-name [ access-mode { ethernet \| vlan } ] [ track track-entry-number&<1-3> ] | By default, an Ethernet service instance is not mapped to any VSI. |
Mapping dynamic Ethernet service instances to VSIs
Overview
The 802.1X or MAC authentication feature can use the authorization VSI, the guest VSI, the Auth-Fail VSI, and the critical VSI to control the access of users to network resources. When assigning a user to a VSI, 802.1X or MAC authentication sends the VXLAN feature the VSI information and the user's access information, including access interface, VLAN, and MAC address. Then the VXLAN feature creates a dynamic Ethernet service instance for the user and maps it to the VSI. For more information about 802.1X authentication and MAC authentication, see Security Configuration Guide.
A dynamic Ethernet service instance supports the MAC-based traffic match mode that matches frames by source MAC address.
Configuration restrictions and guidelines
To use MAC-based traffic match mode for dynamic Ethernet service instances, you must enable MAC authentication or 802.1X authentication that uses MAC-based access control.
To use dynamic Ethernet service instances, follow these restrictions and guidelines:
· The site-facing interfaces must be on the following modules:
  · The LSQM1SRP8X2QE0 MPU.
  · FD interface modules.
  · FE interface modules.
  · SG interface modules.
· If two users in different VLANs use the same MAC address, they cannot access VXLANs simultaneously through an interface configured with the mac-based ac command.
· The link type of site-facing interfaces must be access or trunk.
· A site-facing interface can forward only untagged packets if it receives packets that do not carry tags or packets that carry the VLAN tag of the PVID.
· A dynamic Ethernet service instance supports only the frame match criterion configured by using the encapsulation s-vid vlan-id [ only-tagged ] command.
· Packets with the same source MAC address can match only one dynamic Ethernet service instance on an interface.
· Dynamic Ethernet service instances cannot be created on member ports of a Layer 2 aggregation group.
Configuration procedure
The device automatically creates a dynamic Ethernet service instance for an 802.1X or MAC authentication user and maps the Ethernet service instance to a VSI in the following conditions:
· The user is assigned to the guest VSI, Auth-Fail VSI, or critical VSI configured on the device.
· A remote AAA server issues an authorization VSI to the user.
For a dynamic Ethernet service instance to match traffic by the source MAC address, enable MAC-based traffic match mode for the dynamic Ethernet service instance.
To enable MAC-based traffic match mode for dynamic Ethernet service instances on an interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | · interface interface-type interface-number · interface bridge-aggregation interface-number | N/A |
3. Enable MAC-based traffic match mode for dynamic Ethernet service instances on the interface. | mac-based ac | By default, MAC-based traffic match mode is disabled for dynamic Ethernet service instances. For more information about this command, see VXLAN Command Reference. |
Configuring a centralized EVPN gateway
Configuration restrictions and guidelines
If an EVPN network contains a centralized EVPN gateway, you must enable ARP or ND flood suppression on VTEPs. Typically remote ARP or ND learning is disabled in an EVPN network. When ARP or ND requests for the gateway MAC address are sent to the centralized EVPN gateway through VXLAN tunnels, the gateway does not respond to the requests. If ARP or ND flood suppression is disabled on VTEPs, VMs cannot obtain the MAC address of the gateway.
Configuring a centralized gateway interface
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a VSI interface and enter VSI interface view. | interface vsi-interface vsi-interface-id | By default, no VSI interfaces exist. For more information about this command, see VXLAN Command Reference. |
3. Assign an IPv4 or IPv6 address to the VSI interface. | · Assign an IPv4 address: · Assign an IPv6 address: | By default, no IPv4 or IPv6 address is assigned to a VSI interface. |
4. Return to system view. | quit | N/A |
5. Enter VSI view. | vsi vsi-name | N/A |
6. Specify the VSI interface as the gateway interface for the VSI. | gateway vsi-interface vsi-interface-id | By default, no gateway interface is specified for a VSI. For more information about this command, see VXLAN Command Reference. |
Setting the static flag for the MAC addresses of centralized gateway interfaces
About this task
In a network with a centralized EVPN gateway deployed, a VTEP considers that a MAC address move has occurred if an endpoint uses a MAC address identical to that of a centralized gateway interface. As a result, the VTEP overwrites the MAC address entry created for the centralized gateway interface with the entry created for the endpoint, and errors will occur in traffic forwarding.
To resolve this issue, set the static flag for the MAC addresses of centralized gateway interfaces on the centralized EVPN gateway. When advertising those MAC addresses through MAC/IP advertisement routes, the centralized EVPN gateway will set the static flag bit to 1 in the MAC mobility extended community. If an endpoint accesses the network with a MAC address identical to that of a centralized gateway interface, the endpoint's MAC address entry will not overwrite the entry for the centralized gateway interface.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the static flag for the MAC addresses of centralized gateway interfaces. | evpn route gateway-mac unmovable | By default, the static flag is not set for the MAC addresses of centralized gateway interfaces. |
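The effect of the static flag described in this task can be reproduced offline. The following Python code is an added example, not H3C code: it encodes and parses the MAC Mobility extended community as laid out in RFC 7432 (EVPN type 0x06, sub-type 0x00, static flag in the low-order bit of the flags octet), and a hypothetical `VtepMacTable` class models a VTEP that refuses and records a local learning event when the installed entry is static. The MAC address, VTEP address, and port name are constructed.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass, field

EXT_TYPE_EVPN = 0x06         # EVPN extended community type (RFC 7432)
SUBTYPE_MAC_MOBILITY = 0x00  # MAC Mobility sub-type (RFC 7432, section 7.7)
FLAG_STATIC = 0x01           # low-order bit of the flags octet


def build_mac_mobility(static: bool, seq: int) -> bytes:
    """Encode the 8-octet value: type, sub-type, flags, reserved, sequence."""
    flags = FLAG_STATIC if static else 0
    return struct.pack("!BBBBI", EXT_TYPE_EVPN, SUBTYPE_MAC_MOBILITY, flags, 0, seq)


def parse_mac_mobility(raw: bytes) -> tuple[bool, int]:
    """Return (static, sequence); raise ValueError on a malformed value."""
    if len(raw) != 8:
        raise ValueError("an extended community is exactly 8 octets")
    etype, subtype, flags, _reserved, seq = struct.unpack("!BBBBI", raw)
    if (etype, subtype) != (EXT_TYPE_EVPN, SUBTYPE_MAC_MOBILITY):
        raise ValueError("not a MAC Mobility extended community")
    return bool(flags & FLAG_STATIC), seq


@dataclass
class MacEntry:
    owner: str           # remote VTEP address or local port name
    local: bool
    static: bool = False
    seq: int = 0


@dataclass
class VtepMacTable:
    """Hypothetical model of a VTEP MAC table (assumption, not device code)."""
    entries: dict[str, MacEntry] = field(default_factory=dict)
    alerts: list[str] = field(default_factory=list)

    def install_remote(self, mac: str, vtep: str, mobility: bytes | None = None) -> None:
        """Install a MAC address received in a MAC/IP advertisement route."""
        static, seq = parse_mac_mobility(mobility) if mobility else (False, 0)
        self.entries[mac.lower()] = MacEntry(vtep, local=False, static=static, seq=seq)

    def learn_local(self, mac: str, port: str) -> bool:
        """Data-plane learning on a site-facing AC. True if the entry changed."""
        mac = mac.lower()
        current = self.entries.get(mac)
        if current is not None and current.static:
            # The static entry wins; keep a record so the collision is visible.
            self.alerts.append(
                f"MAC {mac} seen on {port} collides with static entry from {current.owner}"
            )
            return False
        # A move from a remote VTEP to a local port increments the sequence number.
        seq = 0 if current is None else current.seq + (0 if current.local else 1)
        self.entries[mac] = MacEntry(port, local=True, seq=seq)
        return True


def demo() -> dict[bool, tuple[bool, str, int]]:
    """Same endpoint collision, with and without the static flag on the gateway MAC."""
    gw_mac = "0001-0001-0001"  # constructed gateway interface MAC
    results = {}
    for static in (False, True):
        table = VtepMacTable()
        table.install_remote(gw_mac, "192.0.2.1", build_mac_mobility(static, 0))
        changed = table.learn_local(gw_mac, "GE1/0/1")
        results[static] = (changed, table.entries[gw_mac].owner, len(table.alerts))
    return results


if __name__ == "__main__":
    for static, outcome in demo().items():
        print(f"static={static}: changed, owner, alerts = {outcome}")
```

The alert list is the part worth wiring into monitoring: a collision with a static gateway entry indicates a duplicate or spoofed gateway MAC on an access port.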
Configuring a distributed EVPN gateway
Configuration restrictions and guidelines
IPv4 or IPv6 addresses of remote ARP or ND entries cannot be pinged by the distributed VXLAN IP gateway that learns the ARP or ND entries.
As a best practice, do not use ARP flood suppression together with local proxy ARP, or ND flood suppression together with local ND proxy, on distributed EVPN gateways. If both ARP flood suppression and local proxy ARP are enabled on a distributed EVPN gateway, only local proxy ARP takes effect. If both ND flood suppression and local ND proxy are enabled on a distributed EVPN gateway, only local ND proxy takes effect.
Configuration prerequisites
For a VXLAN to access the external network, specify the VXLAN's VSI interface on the border gateway as the next hop on distributed EVPN gateways by using one of the following methods:
· Configure a static route.
· Configure a PBR policy, and apply the policy by using the apply default-next-hop or apply next-hop command. For more information about configuring PBR policies, see PBR configuration in Layer 3—IP Routing Configuration Guide.
Configuring the traffic forwarding mode for EVPN VXLAN
The asymmetric IRB mode is supported only on distributed EVPN gateways. The mode takes effect only on Layer 3 traffic forwarded in the same VXLAN. In addition, the same VSI interface on different distributed EVPN gateways must have different IP addresses.
To configure the traffic forwarding mode for EVPN VXLAN:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the traffic forwarding mode for EVPN VXLAN. | · Enable asymmetric IRB mode. · Enable symmetric IRB mode. | By default, a distributed EVPN gateway forwards EVPN VXLAN traffic in symmetric IRB mode. |
Configuring a VSI interface
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a VSI interface and enter VSI interface view. | interface vsi-interface vsi-interface-id | By default, no VSI interfaces exist. For more information about this command, see VXLAN Command Reference. |
3. Assign an IPv4 or IPv6 address to the VSI interface. | · Assign an IPv4 address: · Assign an IPv6 address: | By default, no IPv4 or IPv6 address is assigned to a VSI interface. You can assign multiple IP addresses to a VSI interface for VSIs to share one gateway interface. |
4. Assign a MAC address to the VSI interface. | mac-address mac-address | By default, the MAC address of VSI interfaces is the bridge MAC address + 1. To ensure correct forwarding after VM migration, you must assign the same MAC address to the VSI interfaces of a VXLAN on all distributed gateways. |
5. Specify the VSI interface as a distributed gateway. | distributed-gateway local | By default, a VSI interface is not a distributed gateway. For more information about this command, see VXLAN Command Reference. |
6. (Optional.) Enable local proxy ARP or local ND proxy. | · Enable local proxy ARP on an IPv4 gateway: · Enable local ND proxy on an IPv6 gateway: | By default, local proxy ARP and local ND proxy are disabled. For more information about the commands, see Layer 3—IP Services Command Reference. |
7. Return to system view. | quit | N/A |
8. Enter VSI view. | vsi vsi-name | N/A |
9. Specify the VSI interface as the gateway interface for the VSI. | gateway vsi-interface vsi-interface-id | By default, no gateway interface is specified for a VSI. For more information about this command, see VXLAN Command Reference. |
10. Assign a subnet to the VSI. | gateway subnet { ipv4-address wildcard-mask \| ipv6-address prefix-length } | By default, no subnet exists on a VSI. You must configure this command on VSIs that share a gateway interface. This command enables the VSI interface to identify the VSI of a packet. For VSIs that share a gateway interface, the subnets must be unique. For more information about this command, see VXLAN Command Reference. |
Configuring an L3 VXLAN ID for a VSI interface
Configuring an L3 VXLAN ID for the VSI interface of a VPN instance
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a VPN instance and enter VPN instance view. | ip vpn-instance vpn-instance-name | By default, no VPN instances exist. |
3. Configure an RD for the VPN instance. | route-distinguisher route-distinguisher | By default, no RD is configured for a VPN instance. |
4. (Optional.) Configure route targets for the VPN instance. | vpn-target { vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ] \| auto } | By default, a VPN instance does not have route targets. |
5. (Optional.) Apply an export routing policy to the VPN instance. | export route-policy route-policy | By default, no export routing policy is applied to a VPN instance. |
6. Enter VPN instance EVPN view. | address-family evpn | N/A |
7. Configure route targets for EVPN on the VPN instance. | vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ] | By default, EVPN does not have route targets on a VPN instance. Make sure the following requirements are met: · The import targets of EVPN do not match the export targets of the VPN instance. · The export targets of EVPN do not match the import targets of the VPN instance. |
8. (Optional.) Apply an export routing policy to EVPN on the VPN instance. | export route-policy route-policy | By default, no export routing policy is applied to EVPN on a VPN instance. |
9. (Optional.) Apply an import routing policy to EVPN on the VPN instance. | import route-policy route-policy | By default, no import routing policy is applied to EVPN on a VPN instance. The VPN instance accepts a route when the export route targets of the route match local import route targets. |
10. Return to VPN instance view. | quit | N/A |
11. Return to system view. | quit | N/A |
12. Create a VSI interface and enter VSI interface view. | interface vsi-interface vsi-interface-id | By default, no VSI interfaces exist. |
13. Associate the VSI interface with the VPN instance. | ip binding vpn-instance vpn-instance-name | By default, a VSI interface is not associated with a VPN instance. The interface is on the public network. |
14. Configure an L3 VXLAN ID for the VSI interface. | l3-vni vxlan-id | By default, no L3 VXLAN ID is configured for a VSI interface. A VPN instance can have only one L3 VXLAN ID. If multiple L3 VXLAN IDs are configured for a VPN instance, the VPN instance uses the lowest one. To view the L3 VXLAN ID of a VPN instance, use the display evpn routing-table command. |
Configuring an L3 VXLAN ID for the VSI interface of the public instance
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create the public instance and enter its view. | ip public-instance | By default, the public instance does not exist. |
3. Configure an RD for the public instance. | route-distinguisher route-distinguisher | By default, no RD is configured for the public instance. |
4. Configure an L3 VXLAN ID for the public instance. | l3-vni vxlan-id | By default, the public instance does not have an L3 VXLAN ID. The public instance can have only one L3 VXLAN ID. To modify the L3 VXLAN ID for the public instance, you must first delete the original L3 VXLAN ID. |
5. (Optional.) Configure route targets for the public instance. | vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ] | By default, the public instance does not have route targets. |
6. Enter IPv4 address family view, IPv6 address family view, or EVPN view. | · Enter IPv4 address family view: · Enter IPv6 address family view: · Enter EVPN view: | N/A |
7. Configure route targets for the IPv4 address family, IPv6 address family, or EVPN. | vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ] | By default, the IPv4 address family, IPv6 address family, and EVPN do not have route targets on the public instance. Make sure the following requirements are met: · The import targets of an EVPN instance do not match the export targets of the public instance. · The export targets of an EVPN instance do not match the import targets of the public instance. |
8. Return to public instance view. | quit | N/A |
9. Return to system view. | quit | N/A |
10. Create a VSI interface and enter its view. | interface vsi-interface vsi-interface-id | By default, no VSI interfaces exist. |
11. Configure an L3 VXLAN ID for the VSI interface. | l3-vni vxlan-id | By default, no L3 VXLAN ID is configured for a VSI interface. Of the VSI interfaces associated with the public instance, a minimum of one VSI interface must use the same L3 VXLAN ID as the public instance. |
Configuring IP prefix route advertisement
Overview
If IGP routes are imported to the BGP-VPN IPv4 or IPv6 unicast address family and the corresponding VPN instance has an L3 VXLAN ID, the device advertises the imported routes as IP prefix advertisement routes.
If IGP routes are imported to the BGP IPv4 or IPv6 unicast address family and the public instance has an L3 VXLAN ID, the device advertises the imported routes as IP prefix advertisement routes.
A VTEP compares the export route targets of received IP prefix advertisement routes with the import route targets configured for the IPv4 address family or IPv6 address family on a VPN instance or the public instance. If the route targets match, the VTEP accepts the routes and adds the routes to the routing table of the VPN instance or public instance.
Configuration restrictions and guidelines
This feature is supported only by distributed EVPN gateway deployment.
For more information about the BGP commands in this task, see Layer 3—IP Routing Command Reference.
Configuration procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable a BGP instance and enter BGP instance view. | bgp as-number [ instance instance-name ] [ multi-session-thread ] | By default, BGP is disabled and no BGP instances exist. |
3. Enter a BGP address family view. | · Enter BGP IPv4 unicast address family view: · Enter BGP-VPN IPv4 unicast address family view: a. ip vpn-instance vpn-instance-name b. address-family ipv4 [ unicast ] · Enter BGP IPv6 unicast address family view: · Enter BGP-VPN IPv6 unicast address family view: a. ip vpn-instance vpn-instance-name b. address-family ipv6 [ unicast ] | N/A |
4. Enable BGP to redistribute routes from an IGP protocol. | import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ] | By default, BGP does not redistribute IGP routes. |
5. (Optional.) Enable default route redistribution into the BGP routing table. | default-route imported | By default, default route redistribution into the BGP routing table is disabled. |
6. (Optional.) Return to BGP instance view. | quit | N/A |
7. (Optional.) Enter BGP EVPN address family view. | address-family l2vpn evpn | N/A |
8. (Optional.) Enable ECMP VPN route redistribution. | vpn-route cross multipath | By default, ECMP VPN route redistribution is disabled. If multiple routes have the same prefix and RD, BGP only imports the optimal route into the EVPN routing table. ECMP VPN route redistribution enables BGP to import all routes that have the same prefix and RD into the EVPN routing table. |
Configuring BGP route replication between public and VPN instances
Overview
By default, BGP routes are isolated between VPN instances. In some scenarios, the PEs are required to advertise BGP routes across VPN instances and hide routing information for specific VPN instances. For this purpose, reoriginate BGP routes of these VPN instances in another VPN instance and advertise the reoriginated routes.
Figure 15 Network diagram for BGP route replication between public and VPN instances
As shown in Figure 15, PE 1 and PE 2 each establish an IBGP peer relationship with PE 3 over the public network. PE 1 and PE 2 import routes between the public and VPN instances to realize intercommunication between the public and VPN networks.
PE 1 and PE 2 establish a BGP EVPN IBGP peer relationship and advertise VPN instance routes of local sites to each other for inter-site communication. When all links are up, PE 2 can directly accept the public network routes advertised from PE 3 and import the routes to the local site. When the link between PE 2 and PE 3 fails, public network routes cannot be advertised to PE 2 directly. As a result, users at the site attached to PE 2 cannot communicate with the public network.
To resolve this issue:
1. Configure PE 1 to reoriginate all public network BGP routes that have been imported to VPN instances in a BGP-VPN address family view.
2. Configure PE 1 to advertise the reoriginated routes to IBGP peer PE 2.
To configure BGP route replication between public and VPN instances, you need to configure the following settings on PE 1:
1. Configure route targets for the public instance. Make sure the route targets match those of the VPN instances to which the public network BGP routes will be imported.
2. Use the route-replicate enable command to import the BGP routes in the public instance to VPN instances whose route targets match those of the public instance.
3. Use the advertise route-reoriginate command in a BGP-VPN address family view. The PE matches the route targets of other VPN instances with those of the VPN instance associated with the address family view. For matching VPN instances, the PE reoriginates all BGP unicast routes of these VPN instances in the BGP routing table of this VPN instance. The BGP routes do not include routes imported from the local device, for example, the IGP routes imported by using the import-route command.
4. By default, after PE 1 receives routes from an IBGP peer and reoriginates the routes, it does not advertise the reoriginated routes to IBGP peer PE 2. To advertise the reoriginated routes to IBGP peer PE 2, use the peer advertise vpn-reoriginate ibgp command.
Configuration restrictions and guidelines
For the peer advertise vpn-reoriginate ibgp command to take effect, you must also use the advertise route-reoriginate command.
If you execute the advertise route-reoriginate command in BGP-VPN IPv4 unicast address family view, this command reoriginates IPv4 unicast routes. If you execute the advertise route-reoriginate command in BGP-VPN IPv6 unicast address family view, this command reoriginates IPv6 unicast routes.
For more information about the advertise route-reoriginate and route-replicate enable commands, see MPLS L3VPN commands in MPLS Command Reference.
Configuration procedure
To configure BGP route replication between public and VPN instances:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] | N/A |
3. (Optional.) Enable BGP route replication between public and VPN instances. | route-replicate enable | By default, this feature is disabled. |
4. Enter BGP-VPN IPv4 unicast address family view or BGP-VPN IPv6 unicast address family view. | · Execute the following commands in sequence to enter BGP-VPN IPv4 unicast address family view: a. ip vpn-instance vpn-instance-name b. address-family ipv4 [ unicast ] · Execute the following commands in sequence to enter BGP-VPN IPv6 unicast address family view: a. ip vpn-instance vpn-instance-name b. address-family ipv6 [ unicast ] | N/A |
5. Reoriginate BGP unicast routes of other VPN instances in the BGP unicast routing table of this VPN instance. | advertise route-reoriginate [ route-policy route-policy-name ] [ replace-rt ] | By default, BGP unicast routes of other VPN instances are not reoriginated in the BGP unicast routing table of this VPN instance. This command can reoriginate BGP routes only for VPN instances that have matching route targets with this VPN instance. This command cannot reoriginate the routes imported from the local device to the BGP routing table. |
6. Return to BGP instance view. | quit quit | N/A |
7. Enter BGP EVPN address family view. | address-family l2vpn evpn | N/A |
8. (Optional.) Advertise the reoriginated BGP routes in the VPN instance to an IBGP peer or peer group in the format of IP prefix advertisement routes. | peer { group-name \| ipv4-address [ mask-length ] } advertise vpn-reoriginate ibgp | By default, reoriginated BGP routes in a VPN instance are not advertised to an IBGP peer or peer group. |
Configuring the EVPN global MAC address
The EVPN global MAC address is used only by VSI interfaces associated with an L3 VXLAN ID. For such a VSI interface, the MAC address assigned to it by using the mac-address command takes precedence over the EVPN global MAC address.
A distributed EVPN gateway selects the lowest-numbered VSI interface that is associated with an L3 VXLAN ID as its router MAC address. In an M-LAG system, distributed EVPN gateways that act as M-LAG member devices might use different router MAC addresses, which causes forwarding errors. To resolve this problem, you can configure the same EVPN global MAC address on the gateways.
Do not use a reserved MAC address as the EVPN global MAC address. The reserved MAC address range is the bridge MAC address to the bridge MAC address + (9 × the total number of default and non-default MDCs).
To configure the EVPN global MAC address:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the EVPN global MAC address. | evpn global-mac mac-address | By default, no EVPN global MAC address is configured. |
Disabling generation of IP prefix advertisement routes for the subnets of a VSI interface
Overview
A distributed VXLAN IP gateway by default generates IP prefix advertisement routes for the subnets of VSI interfaces and advertises these routes to remote VTEPs. The remote VTEPs advertise these routes to their local sites. To disable advertisement of these routes to remote sites, you can disable generation of IP prefix advertisement routes for the subnets of VSI interfaces.
Configuration restrictions and guidelines
This feature takes effect only on a VSI interface that provides distributed VXLAN IP gateway service (configured by using the distributed-gateway local command). It does not take effect on VSI interfaces that provide centralized VXLAN IP gateway service. The device only generates MAC/IP advertisement routes for VSI interfaces that provide centralized VXLAN IP gateway service.
Configuration procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VSI interface view. | interface vsi-interface vsi-interface-id | N/A |
3. Disable generation of IP prefix advertisement routes for the subnets of the VSI interface. | ip-prefix-route generate disable | By default, the device generates IP prefix advertisement routes for the subnets of a VSI interface that provides distributed VXLAN IP gateway service. |
Enabling a distributed EVPN gateway to send RA messages over VXLAN tunnels
Overview
By default, a distributed EVPN gateway drops the RS messages received from VXLAN tunnels and periodically advertises RA messages only to the local site. As a result, a distributed EVPN gateway does not send RA messages over VXLAN tunnels, and remote gateways cannot update information about the gateway based on RA messages. To resolve the issue, perform this task to enable distributed EVPN gateways to reply to remote RS messages with RA messages and periodically advertise RA messages over VXLAN tunnels.
Configuration restrictions and guidelines
You can configure RA message tunneling for VSI interfaces globally or on a per-VSI interface basis. The global configuration takes effect on all VSI interfaces. The interface-specific configuration takes precedence over the global configuration on a VSI interface.
Procedure (system view)
To globally enable VSI interfaces to send RA messages over VXLAN tunnels:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Globally enable VSI interfaces to send RA messages over VXLAN tunnels. | ipv6 nd ra tunnel-broadcast global enable | By default, VSI interfaces do not send RA messages over VXLAN tunnels. |
Procedure (VSI interface view)
To enable a VSI interface to send RA messages over VXLAN tunnels:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VSI interface view. | interface vsi-interface vsi-interface-id | N/A |
3. Enable the VSI interface to send RA messages over VXLAN tunnels. | ipv6 nd ra tunnel-broadcast enable | By default, a VSI interface uses the global RA message tunneling configuration. |
Enabling traffic statistics for the VSIs automatically created for L3 VXLAN IDs
If you configure an L3 VXLAN ID on a distributed EVPN gateway, the gateway automatically creates a VSI for the L3 VXLAN ID. You cannot enter the view of such a VSI to configure settings on it.
This task enables the device to collect incoming and outgoing traffic statistics for the automatically created VSIs. You can use the display l2vpn vsi verbose command to view the traffic statistics and use the reset l2vpn statistics vsi command to clear the traffic statistics.
To enable traffic statistics for the VSIs that are automatically created for L3 VXLAN IDs:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable traffic statistics for the VSIs that are automatically created for L3 VXLAN IDs. | l2vpn statistics vsi l3-vni | By default, the traffic statistics feature is disabled for the VSIs that are automatically created for L3 VXLAN IDs. |
Enabling the device to advertise ARP information for the distributed EVPN gateway interfaces through MAC/IP advertisement routes
Overview
If a distributed EVPN gateway has downstream VTEPs attached, the gateway advertises ARP information for gateway interfaces through IP prefix advertisement routes. Because the VTEPs do not have gateway configuration, they cannot learn the ARP information for the gateway interfaces or forward traffic to the gateway. For the VTEPs to learn ARP information for the gateway interfaces, enable the distributed EVPN gateway to advertise ARP information for the gateway interfaces through MAC/IP advertisement routes.
Configuration procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the device to advertise ARP information for the distributed EVPN gateway interfaces through MAC/IP advertisement routes. | evpn mac-ip advertise distributed-gateway | By default, the device does not advertise ARP information for the distributed EVPN gateway interfaces through MAC/IP advertisement routes. |
Managing remote MAC address entries and remote ARP or ND learning
Disabling remote MAC address learning and remote ARP or ND learning
By default, the device learns MAC information, ARP information, and ND information of remote user terminals from packets received on VXLAN tunnel interfaces. The automatically learned remote MAC, ARP, and ND information might conflict with the remote MAC, ARP, and ND information advertised through BGP. As a best practice to avoid the conflicts, disable remote MAC address learning and remote ARP or ND learning on the device.
For more information about the VXLAN commands in this task, see VXLAN Command Reference.
To disable remote MAC address learning and remote ARP or ND learning:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Disable remote MAC address learning. | vxlan tunnel mac-learning disable | By default, remote MAC address learning is enabled. |
3. Disable remote ARP learning. | vxlan tunnel arp-learning disable | By default, remote ARP learning is enabled. |
4. Disable remote ND learning. | vxlan tunnel nd-learning disable | By default, remote ND learning is enabled. |
Disabling MAC address advertisement
The MAC information and ARP or ND information advertised by the VTEP overlap. To avoid duplication, disable MAC address advertisement and withdraw the MAC addresses advertised to remote VTEPs.
To disable MAC address advertisement:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VSI view. | vsi vsi-name | N/A |
3. Enter EVPN instance view. | evpn encapsulation vxlan | N/A |
4. Disable MAC address advertisement and withdraw advertised MAC addresses. | mac-advertising disable | By default, MAC address advertisement is enabled. |
Enabling MAC mobility event suppression
Overview
On an EVPN VXLAN network, misconfiguration of MAC addresses might cause two sites to contain the same MAC address. In this condition, VTEPs at the two sites constantly synchronize and update EVPN MAC entries and determine that MAC mobility events occur. As a result, an inter-site loop might occur, and the bandwidth is occupied by MAC entry synchronization traffic. To eliminate loops and suppress those MAC mobility events, enable MAC mobility event suppression on the VTEPs. This feature allows a MAC address to move a specified number of times (the MAC mobility suppression threshold) from a site within a MAC mobility detection cycle. If a MAC address moves more than the MAC mobility suppression threshold, the VTEP at the site will suppress the last MAC move to the local site and will not advertise information about the MAC address.
Configuration restrictions and guidelines
After you execute the undo evpn route mac-mobility suppression command or the suppression time expires, a VTEP acts as follows:
· Advertises MAC address entries immediately for the suppressed MAC address entries that have not aged out.
· Relearns the MAC addresses for the suppressed MAC address entries that have aged out and advertises the MAC address entries.
Configuration procedure
To enable MAC mobility event suppression:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable MAC mobility event suppression. | evpn route mac-mobility suppression [ detect-cycle detect-time \| detect-threshold move-times \| suppression-time [ suppression-time \| permanent ] ] * | By default, MAC mobility event suppression is disabled. |
Disabling learning of MAC addresses from ARP or ND information
The MAC information and ARP or ND information advertised by a remote VTEP overlap. To avoid duplication, disable the learning of MAC addresses from ARP or ND information. EVPN will learn remote MAC addresses only from the MAC information advertised from remote sites.
To disable learning of MAC addresses from ARP or ND information:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VSI view. | vsi vsi-name | N/A |
3. Enter EVPN instance view. | evpn encapsulation vxlan | N/A |
4. Disable the EVPN instance from learning MAC addresses from ARP information. | arp mac-learning disable | By default, an EVPN instance learns MAC addresses from ARP information. |
5. Disable the EVPN instance from learning MAC addresses from ND information. | nd mac-learning disable | By default, an EVPN instance learns MAC addresses from ND information. |
Disabling ARP information advertisement
In an EVPN network with distributed gateways, you can disable ARP information advertisement for a VXLAN to save resources if all its user terminals use the same EVPN gateway device. The EVPN instance of the VXLAN will stop advertising ARP information through MAC/IP advertisement routes and withdraw advertised ARP information. When ARP information advertisement is disabled, user terminals in other VXLANs still can communicate with that VXLAN through IP prefix advertisement routes.
To disable ARP information advertisement:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VSI view. | vsi vsi-name | N/A |
3. Enter EVPN instance view. | evpn encapsulation vxlan | N/A |
4. Disable ARP information advertisement for the EVPN instance. | arp-advertising disable | By default, ARP information advertisement is enabled for an EVPN instance. |
Disabling the VSI interface on a centralized EVPN gateway from learning ARP or ND information across subnets
On an EVPN VXLAN network deployed with a centralized EVPN gateway, VM 1 and VM 2 belong to the same VXLAN in subnet 10.1.1.0/24. The gateway interface is VSI-interface 1 and the gateway is connected to external Layer 3 network 10.1.2.0/24. The VTEP to which VM 2 is attached is configured with ARP or ND flood suppression. The IP address of VM 2 is mistakenly configured as an IP address in subnet 10.1.2.0/24 (for example, 10.1.2.2). In this situation, the VTEP connected to VM 2 advertises MAC/IP advertisement routes that contain ARP or ND information to the gateway. The IP address and MAC address in the routes are the IP address and MAC address of VM 2, respectively. The gateway learns the ARP or ND information and issues the information to the forwarding table. When VM 1 visits 10.1.2.2 in the external network, the gateway will forward the traffic to VM 2. As a result, VM 1 cannot visit 10.1.2.2.
To resolve the above issue, perform this task on the VSI interface to disable the VSI interface from learning ARP or ND information across subnets from MAC/IP advertisement routes.
To disable the VSI interface from learning ARP or ND information that does not belong to its subnet from MAC/IP advertisement routes:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VSI interface view on a centralized EVPN gateway. | interface vsi-interface vsi-interface-id | For more information about this command, see VXLAN Command Reference. |
3. Disable the VSI interface from learning ARP or ND information that does not belong to its subnet from MAC/IP advertisement routes. | evpn span-segment { arp-learning \| nd-learning } disable | By default, the VSI interface on a centralized EVPN gateway learns ARP or ND information that does not belong to its subnet from MAC/IP advertisement routes. |
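The scenario above can be reproduced with a small forwarding model. This is an added example, not H3C code: it models the gateway as a longest-prefix-match table, and the VM 1 address, the MAC addresses and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample data that follows the scenario in this section.
VSI_SUBNET = "10.1.1.0/24"                      # subnet of VSI-interface 1
STATIC_ROUTES = [
    ("10.1.1.0/24", "VSI-interface 1"),         # the VXLAN subnet
    ("10.1.2.0/24", "external L3 network"),     # the external Layer 3 network
]
MAC_IP_ROUTES = [
    ("10.1.1.11", "0001-0001-0001"),            # VM 1 (address assumed)
    ("10.1.2.2", "0002-0002-0002"),             # VM 2, misconfigured address
]


def accept_arp_from_route(route_ip, vsi_subnet, span_segment_learning_disabled):
    """Return True if the gateway learns the ARP information in a MAC/IP route.

    With cross-subnet learning disabled, only addresses inside the subnet of
    the VSI interface are learned.
    """
    in_subnet = ipaddress.ip_address(route_ip) in ipaddress.ip_network(vsi_subnet)
    return in_subnet or not span_segment_learning_disabled


def build_fib(static_routes, mac_ip_routes, vsi_subnet, span_segment_learning_disabled):
    """Build a list of (network, next hop) entries for the gateway."""
    fib = [(ipaddress.ip_network(prefix), hop) for prefix, hop in static_routes]
    for ip, mac in mac_ip_routes:
        if accept_arp_from_route(ip, vsi_subnet, span_segment_learning_disabled):
            # Learned ARP information becomes a /32 host entry.
            fib.append((ipaddress.ip_network(ip + "/32"), "VXLAN host " + mac))
    return fib


def lookup(fib, dst):
    """Longest-prefix match; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in fib if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def next_hop_for(dst, span_segment_learning_disabled):
    """Next hop the gateway uses for dst under the given setting."""
    fib = build_fib(STATIC_ROUTES, MAC_IP_ROUTES, VSI_SUBNET,
                    span_segment_learning_disabled)
    return lookup(fib, dst)


if __name__ == "__main__":
    for disabled in (False, True):
        print("cross-subnet learning disabled:", disabled,
              "-> 10.1.2.2 via", next_hop_for("10.1.2.2", disabled))
```

With the default setting, the /32 entry learned from VM 2 wins the lookup over the 10.1.2.0/24 route, which is why VM 1 cannot reach the real 10.1.2.2.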
Enabling ARP mobility event suppression
Overview
On an EVPN VXLAN network, misconfiguration of IP addresses might cause two sites to contain the same IP address. In this condition, VTEPs at the two sites constantly synchronize and update EVPN ARP entries and determine that ARP mobility events occur. As a result, an inter-site loop might occur, and the bandwidth is occupied by ARP entry synchronization traffic. To eliminate loops and suppress those ARP mobility events, enable ARP mobility event suppression on the VTEPs. This feature allows an IP address to move a specified number of times (the ARP mobility suppression threshold) from a site within an ARP mobility detection cycle. If an IP address moves more than the ARP mobility suppression threshold, the VTEP at the site will suppress the last ARP move to the local site and will not advertise ARP information for the IP address.
Configuration restrictions and guidelines
ARP mobility event suppression takes effect only on an EVPN VXLAN network configured with distributed EVPN gateways.
After you execute the undo evpn route arp-mobility suppression command or the suppression time expires, a VTEP acts as follows:
· Advertises ARP information immediately for the suppressed ARP entries that have not aged out.
· Relearns ARP information for the suppressed ARP entries that have aged out and advertises the ARP information.
If both MAC address entry conflicts and ARP entry conflicts exist for a MAC address, you must enable both MAC mobility event suppression and ARP mobility event suppression. If you enable only MAC mobility event suppression, the system cannot suppress MAC mobility events for the MAC address.
Configuration procedure
To enable ARP mobility event suppression:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable ARP mobility event suppression. | evpn route arp-mobility suppression [ detect-cycle detect-time \| detect-threshold move-times \| suppression-time [ suppression-time \| permanent ] ] * | By default, ARP mobility event suppression is disabled. |
Enabling ND mobility event suppression
Overview
On an EVPN VXLAN network, misconfiguration of IP addresses might cause two sites to contain the same IP address. In this condition, VTEPs at the two sites constantly synchronize and update EVPN ND entries and determine that ND mobility events occur. As a result, an inter-site loop might occur, and the bandwidth is occupied by ND entry synchronization traffic. To eliminate loops and suppress those ND mobility events, enable ND mobility event suppression on the VTEPs. This feature allows an IP address to move a specified number of times (the ND mobility suppression threshold) from a site within an ND mobility detection cycle. If an IP address moves more than the ND mobility suppression threshold, the VTEP at the site will suppress the last ND move to the local site and will not advertise ND information for the IP address.
Configuration restrictions and guidelines
After you execute the undo evpn route nd-mobility suppression command or the suppression time expires, a VTEP acts as follows:
· Advertises ND information immediately for the suppressed ND entries that have not aged out.
· Relearns ND information for the suppressed ND entries that have aged out and advertises the ND information.
ND mobility event suppression takes effect only on the following EVPN VXLAN networks:
· EVPN VXLAN network enabled with ND flood suppression.
· EVPN VXLAN network configured with distributed VXLAN IP gateways.
If both MAC address entry conflicts and ND entry conflicts exist for a MAC address, you must enable both MAC mobility event suppression and ND mobility event suppression. If you enable only MAC mobility event suppression, the system cannot suppress MAC mobility events for the MAC address.
Configuration procedure
To enable ND mobility event suppression:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable ND mobility event suppression. | evpn route nd-mobility suppression [ detect-cycle detect-time \| detect-threshold move-times \| suppression-time [ suppression-time \| permanent ] ] * | By default, ND mobility event suppression is disabled. |
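The MAC, ARP, and ND mobility event suppression sections above describe the same decision: count moves per address within a detection cycle and suppress once the threshold is exceeded. The following added example is a simplified model of that decision and not the device's implementation; the fixed-window treatment of the detection cycle, the class and function names, and the sample timer values and addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    window_start: float
    moves: int = 0
    suppressed: bool = False
    suppressed_until: Optional[float] = None   # None while suppressed = permanent


@dataclass
class MobilitySuppressor:
    detect_cycle: float                 # models detect-cycle (seconds)
    detect_threshold: int               # models detect-threshold (moves allowed)
    suppression_time: Optional[float]   # models suppression-time; None = permanent
    entries: Dict[str, Entry] = field(default_factory=dict)

    def record_move(self, key: str, now: float) -> str:
        """Record a move of `key` (a MAC or IP address) to the local site.

        Returns "advertise" if the move is accepted and advertised, or
        "suppress" if it is suppressed.
        """
        e = self.entries.setdefault(key, Entry(window_start=now))
        if e.suppressed:
            expired = e.suppressed_until is not None and now >= e.suppressed_until
            if not expired:
                return "suppress"
            # Suppression time expired: start counting again.
            e.suppressed, e.suppressed_until = False, None
            e.window_start, e.moves = now, 0
        if now - e.window_start >= self.detect_cycle:
            # A new detection cycle begins.
            e.window_start, e.moves = now, 0
        e.moves += 1
        if e.moves > self.detect_threshold:
            e.suppressed = True
            if self.suppression_time is not None:
                e.suppressed_until = now + self.suppression_time
            return "suppress"
        return "advertise"


def replay(events: List[Tuple[float, str]],
           suppressor: MobilitySuppressor) -> List[Tuple[float, str, str]]:
    """Feed (time, key) move events in time order; return the decisions."""
    return [(t, k, suppressor.record_move(k, t)) for t, k in sorted(events)]


def decisions_for(key: str, results: List[Tuple[float, str, str]]) -> List[str]:
    return [d for _, k, d in results if k == key]


# Constructed sample events (seconds, address).
DUPLICATE_MAC = "0000-5e00-5301"   # same MAC at two sites, moves every 10 s
MIGRATED_MAC = "0000-5e00-5302"    # a VM that migrates twice, far apart
SAMPLE_EVENTS = ([(float(t), DUPLICATE_MAC) for t in range(0, 80, 10)]
                 + [(700.0, DUPLICATE_MAC)]
                 + [(5.0, MIGRATED_MAC), (400.0, MIGRATED_MAC)])

if __name__ == "__main__":
    model = MobilitySuppressor(detect_cycle=180, detect_threshold=5,
                               suppression_time=600)
    for t, key, decision in replay(SAMPLE_EVENTS, model):
        print(f"t={t:>5} {key} {decision}")
```

In the sample run, the duplicated address is suppressed from its sixth move onward and is advertised again only after the suppression time has elapsed, while the migrated VM is never suppressed.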
Enabling ARP request proxy
ARP request proxy allows a VSI interface to send an ARP request sourced from itself when the local VTEP forwards an ARP request. The sent ARP request requests the same MAC address as the forwarded ARP request. This feature helps resolve certain communication issues.
In an EVPN VXLAN network, VM 1 and VM 2 are attached to VTEP 1 and VTEP 2, respectively, and the VMs are in the same subnet. The gateway interfaces of VM 1 and VM 2 are VSI-interface 1 on VTEP 1 and VSI-interface 2 on VTEP 2, respectively. The following conditions exist on the VTEPs:
· The VTEPs have established BGP EVPN neighbor relationships.
· EVPN is disabled from learning MAC addresses from ARP information.
· MAC address advertisement is disabled, and advertised MAC addresses are withdrawn.
· Remote-MAC address learning is disabled.
· Local proxy ARP is enabled on the VSI interfaces.
· The VSI interfaces use different IP addresses and MAC addresses.
In this network, when VM 1 attempts to communicate with VM 2, the following procedure occurs:
1. VM 1 sends an ARP request.
2. VTEP 1 learns the MAC address of VM 1 from the ARP request, replies to VM 1 on behalf of VM 2, and sends an ARP request to obtain the MAC address of VM 2.
3. VTEP 2 forwards the ARP request, and VM 2 replies to VTEP 1.
4. VTEP 2 forwards the ARP reply sent by VM 2 without learning the MAC address of VM 2 because EVPN is disabled from learning MAC addresses from ARP information.
5. VTEP 1 does not learn the MAC address of VM 2 because remote-MAC address learning is disabled.
As a result, VM 1 fails to communicate with VM 2.
For VM 1 to communicate with VM 2, enable ARP request proxy on VSI-interface 2 of VTEP 2. When receiving the ARP request sent by VTEP 1, VTEP 2 forwards it and sends an ARP request sourced from VSI-interface 2 simultaneously to VM 2, and VM 2 replies to both ARP requests. Then, VTEP 2 learns the MAC address of VM 2 from the ARP reply destined for VSI-interface 2 and advertises the MAC address to VTEP 1 through BGP EVPN routes. In this way, VTEP 1 obtains the MAC address of VM 2, and VM 1 and VM 2 can communicate.
To enable ARP request proxy:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VSI interface view. | interface vsi-interface vsi-interface-id | N/A |
3. Enable ARP request proxy. | arp proxy-send enable | By default, ARP request proxy is disabled on VSI interfaces. |
Enabling conversational learning for forwarding entries
Perform the tasks in this section to issue forwarding entries to the hardware only when the entries are required for packet forwarding. The on-demand mechanism saves the device hardware resources.
The forwarding entries in this section include remote MAC address entries and host route FIB entries.
Configuration restrictions and guidelines
Perform the tasks in this section only on an EVPN VXLAN network.
Enabling conversational learning for remote MAC address entries
Overview
By default, the device issues a remote MAC address entry to the hardware after the remote MAC address is advertised to the local site by BGP EVPN routes. This feature enables the device to issue a remote MAC address entry to the hardware only when the entry is required for packet forwarding. This feature saves hardware resources on the device.
With this feature enabled, the device creates a blackhole MAC address entry for an unknown MAC address if it receives packets destined for that MAC address 50 times within a MAC aging interval. Those blackhole MAC address entries age out when the MAC aging timer expires. After a blackhole MAC address entry ages out, the device can forward the traffic destined for the MAC address. For more information about the aging timer for MAC address entries and blackhole MAC address entries, see MAC address table configuration in Layer 2—LAN Switching Configuration Guide.
Configuration restrictions and guidelines
To use this feature, execute the vxlan tunnel mac-learning disable command to disable remote MAC address learning.
This feature cannot take effect on VXLAN-DCI tunnels.
Configuration procedure
To enable conversational learning for remote MAC address entries:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable conversational learning for remote MAC address entries. | mac-address forwarding-conversational-learning | By default, conversational learning is disabled for remote MAC address entries. |
Enabling conversational learning for host route FIB entries
Overview
By default, the device issues a host route FIB entry to the hardware after the entry is generated. This feature enables the device to issue a host route FIB entry to the hardware only when the entry is required for packet forwarding. This feature saves hardware resources on the device.
Configuration restrictions and guidelines
Use this feature only in the distributed IPv4 EVPN gateway deployment. When this feature is enabled, you must disable remote ARP learning by using the vxlan tunnel arp-learning disable command.
Set an appropriate aging timer for host route FIB entries according to your network. An aging timer that is too long or too short degrades device performance.
· If the aging timer is too long, the device will save many outdated host route FIB entries and fail to accommodate the most recent network changes. These entries cannot be used for correct packet forwarding and exhaust FIB resources.
· If the aging timer is too short, the device will delete the valid host route FIB entries that can still be effective for packet forwarding. As a result, FIB entry flapping will occur, and the device performance will be affected.
With conversational learning enabled for host route FIB entries, the device periodically sends ARP requests to learn the host route for an IP address if the following conditions exist:
· Incoming packets are destined for the IP address, and the IP address matches a direct route.
· The device does not have a host route for the IP address.
Before the probe node ages out, if the device has not learned a host route after receiving 50 packets destined for that IP address, the device adds a blackhole route for the IP address. The device retains the blackhole route until the probe node ages out or it learns a host route for the IP address.
Configuration procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable conversational learning for host route FIB entries. | ip forwarding-conversational-learning [ aging aging-time ] | By default, conversational learning is disabled for host route FIB entries. |
Enabling conversational learning for IPv6 host route FIB entries
Overview
By default, the device issues an IPv6 host route FIB entry to the hardware after the entry is generated. This feature enables the device to issue an IPv6 host route FIB entry to the hardware only when the entry is required for packet forwarding. This feature saves hardware resources on the device.
Configuration restrictions and guidelines
Use this feature only in the distributed IPv6 EVPN gateway deployment. When this feature is enabled, you must disable remote ND learning by using the vxlan tunnel nd-learning disable command.
Set an appropriate aging timer for IPv6 host route FIB entries according to your network. An aging timer that is too long or too short degrades device performance.
· If the aging timer is too long, the device will save many outdated IPv6 host route FIB entries and fail to accommodate the most recent network changes. These entries cannot be used for correct packet forwarding and exhaust FIB resources.
· If the aging timer is too short, the device will delete the valid IPv6 host route FIB entries that can still be effective for packet forwarding. As a result, FIB entry flapping will occur, and the device performance will be affected.
Configuration procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable conversational learning for IPv6 host route FIB entries. | ipv6 forwarding-conversational-learning [ aging aging-time ] | By default, conversational learning is disabled for IPv6 host route FIB entries. |
Configuring BGP EVPN route redistribution and advertisement
Redistributing MAC/IP advertisement routes into BGP unicast routing tables
This task enables the device to redistribute received MAC/IP advertisement routes that contain ARP or ND information into BGP unicast routing tables.
· If you perform this task in BGP IPv4 or IPv6 unicast address family view, the device will redistribute the routes into the BGP IPv4 or IPv6 unicast routing table and advertise them to the local site.
· If you perform this task in BGP-VPN IPv4 or IPv6 unicast address family view, the device will redistribute the routes into the BGP-VPN IPv4 or IPv6 unicast routing table of the corresponding VPN instance. To advertise the routes to the local site, you must configure the advertise l2vpn evpn command.
Configuring MAC/IP advertisement route redistribution for a BGP instance
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] | N/A |
3. Enter BGP IPv4 or IPv6 unicast address family view. | · Enter BGP IPv4 unicast address family view: · Enter BGP IPv6 unicast address family view: | N/A |
4. Redistribute MAC/IP advertisement routes into the BGP IPv4 or IPv6 unicast routing table. | import evpn mac-ip | By default, MAC/IP advertisement routes are not redistributed into the BGP IPv4 or IPv6 unicast routing table. |
Configuring MAC/IP advertisement route redistribution for a BGP-VPN instance
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] | N/A |
3. Enter BGP-VPN instance view. | ip vpn-instance vpn-instance-name | N/A |
4. Enter BGP-VPN IPv4 or IPv6 unicast address family view. | · Enter BGP-VPN IPv4 unicast address family view: · Enter BGP-VPN IPv6 unicast address family view: | N/A |
5. Redistribute MAC/IP advertisement routes into the BGP-VPN IPv4 or IPv6 unicast routing table. | import evpn mac-ip | By default, MAC/IP advertisement routes are not redistributed into the BGP-VPN IPv4 or IPv6 unicast routing table. |
Setting the metric of BGP EVPN routes added to a VPN instance's routing table
About this task
After you perform this task, the device sets the metric of a BGP EVPN route added to a VPN instance's routing table to the metric of the IGP route pointing to the next hop in the original BGP EVPN route.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] | N/A |
3. Enter BGP EVPN address family view. | address-family l2vpn evpn | N/A |
4. Set the metric of a BGP EVPN route added to a VPN instance's routing table to the metric of the IGP route pointing to the next hop in the original BGP EVPN route. | igp-metric inherit | By default, the device sets the metric to 0 when adding BGP EVPN routes to a VPN instance's routing table. |
Enabling BGP EVPN route advertisement to the local site
This feature enables the device to advertise BGP EVPN routes to the local site after the device adds the routes to the routing table of a VPN instance. The BGP EVPN routes are IP prefix advertisement routes and MAC/IP advertisement routes that contain ARP or ND information.
To enable BGP EVPN route advertisement to the local site:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] [ multi-session-thread ] | N/A |
3. Enter BGP-VPN instance view. | ip vpn-instance vpn-instance-name | N/A |
4. Enter BGP-VPN IPv4 or IPv6 unicast address family view. | · Enter BGP-VPN IPv4 unicast address family view: · Enter BGP-VPN IPv6 unicast address family view: | N/A |
5. Enable BGP EVPN route advertisement to the local site. | advertise l2vpn evpn | By default, BGP EVPN route advertisement to the local site is enabled. |
Disabling flooding for a VSI
Overview
By default, the VTEP floods broadcast, unknown unicast, and unknown multicast frames received from the local site to the following interfaces in the frame's VXLAN:
· All site-facing interfaces except for the incoming interface.
· All VXLAN and VXLAN-DCI tunnel interfaces.
When receiving broadcast, unknown unicast, and unknown multicast frames on VXLAN tunnel interfaces, the device floods the frames to all site-facing interfaces in the frames' VXLAN.
To confine a kind of flood traffic, disable flooding for that kind of flood traffic on the VSI bound to the VXLAN.
For more information about the VXLAN commands in this task, see VXLAN Command Reference.
Configuration restrictions and guidelines
To disable an M-LAG member device from forwarding local flood traffic over the peer link within a VSI, use the flooding disable all all-direction command instead of the flooding disable all command.
Configuration procedure
To disable flooding for a VSI:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VSI view. | vsi vsi-name | N/A |
3. Disable flooding for the VSI. | flooding disable { all \| { broadcast \| unknown-multicast \| unknown-unicast } * } [ all-direction \| dci ] | By default, flooding is enabled for a VSI. To disable flooding only to VXLAN-DCI tunnel interfaces, specify the dci keyword. To disable flooding to both VXLAN tunnel interfaces and VXLAN-DCI tunnel interfaces, do not specify the dci keyword. |
4. (Optional.) Enable selective flood for a MAC address. | selective-flooding mac-address mac-address | By default, selective flood is disabled. Use this feature to exclude a remote unicast or multicast MAC address from the remote flood suppression done by using the flooding disable command. The VTEP will flood the frames destined for the specified MAC address to remote sites when floods are confined to the local site. |
Enabling ARP or ND flood suppression
Use ARP or ND flood suppression to reduce ARP request broadcasts or ND request multicasts.
The aging timer is fixed at 25 minutes for ARP or ND flood suppression entries. If the flooding disable command is configured, set the MAC aging timer to a higher value than the aging timer for ARP or ND flood suppression entries on all VTEPs. This setting prevents the traffic blackhole that occurs when a MAC address entry ages out before its ARP or ND flood suppression entry ages out. To set the MAC aging timer, use the mac-address timer command.
When remote ARP or ND learning is disabled for VXLANs, the device does not use ARP or ND flood suppression entries to respond to ARP or ND requests received on VXLAN tunnels.
To delete ARP flood suppression entries, use the reset arp suppression vsi command instead of the reset arp command. For more information about the reset arp suppression vsi command, see VXLAN Command Reference. For more information about the reset arp command, see ARP commands in Layer 3—IP Services Command Reference.
To delete ND flood suppression entries, use the reset ipv6 nd suppression vsi command instead of the reset ipv6 neighbors command. For more information about the reset ipv6 nd suppression vsi command, see VXLAN Command Reference. For more information about the reset ipv6 neighbors command, see IPv6 basics commands in Layer 3—IP Services Command Reference.
Enabling ARP flood suppression
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VSI view. | vsi vsi-name | N/A |
3. Enable ARP flood suppression. | arp suppression enable | By default, ARP flood suppression is disabled. For more information about this command, see VXLAN Command Reference. |
Enabling ND flood suppression
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VSI view. | vsi vsi-name | N/A |
3. Enable ND flood suppression. | ipv6 nd suppression enable | By default, ND flood suppression is disabled. For more information about this command, see VXLAN Command Reference. |
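The prerequisites stated above for conversational learning of host route FIB entries (remote ARP or ND learning disabled) and for flood suppression (MAC aging timer higher than the fixed 25-minute suppression timer when flooding is disabled) can be checked against a saved configuration before a change is deployed. The following Python audit is an added example, not code from the guide or the vendor. It assumes a listing laid out like display current-configuration output (sections separated by #, view headers in column 0, commands indented) and that the MAC aging timer appears as mac-address timer aging seconds or mac-address timer no-aging; the sample configurations are constructed.

```python
import re

# Fixed aging time of ARP/ND flood suppression entries (25 minutes), from the guide.
SUPPRESSION_AGING_S = 25 * 60

def parse_config(text):
    """Return (global_lines, {vsi_name: [lines]}) under the assumed listing layout."""
    global_lines, vsis, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                      # section break: back to system view
        elif not raw[0].isspace():              # view header such as "vsi vpna"
            m = re.fullmatch(r"vsi (\S+)", line)
            # Lines of views other than VSI views go to a throwaway list.
            current = vsis.setdefault(m.group(1), []) if m else []
        elif current is not None:
            current.append(line)
        else:
            global_lines.append(line)
    return global_lines, vsis

def mac_aging_seconds(global_lines):
    """Return the configured MAC aging time, inf for no-aging, None if not set."""
    for line in global_lines:
        m = re.fullmatch(r"mac-address timer (no-aging|aging (\d+))", line)
        if m:
            return float("inf") if m.group(1) == "no-aging" else int(m.group(2))
    return None

def audit(text):
    """Return a list of (code, scope, message) findings for one VTEP."""
    global_lines, vsis = parse_config(text)
    findings = []

    def has(cmd):
        return any(l == cmd or l.startswith(cmd + " ") for l in global_lines)

    # Conversational learning requires remote ARP or ND learning to be disabled.
    for feature, prerequisite, code in (
        ("ip forwarding-conversational-learning", "vxlan tunnel arp-learning disable", "CONV_IPV4"),
        ("ipv6 forwarding-conversational-learning", "vxlan tunnel nd-learning disable", "CONV_IPV6"),
    ):
        if has(feature) and not has(prerequisite):
            findings.append((code, "global", f"'{feature}' needs '{prerequisite}'"))

    # With flooding disabled, a MAC entry that ages out before its suppression
    # entry leaves the VTEP answering ARP/ND for a host it can no longer reach.
    aging = mac_aging_seconds(global_lines)
    for name in sorted(vsis):
        lines = vsis[name]
        flooding_off = any(l.startswith("flooding disable") for l in lines)
        suppression = any(l in ("arp suppression enable", "ipv6 nd suppression enable") for l in lines)
        if not (flooding_off and suppression):
            continue
        if aging is None:
            findings.append(("MAC_AGING_UNSET", name,
                             f"no explicit MAC aging timer; confirm the default exceeds {SUPPRESSION_AGING_S} s"))
        elif aging <= SUPPRESSION_AGING_S:
            findings.append(("MAC_AGING_LOW", name,
                             f"MAC aging {aging} s must exceed {SUPPRESSION_AGING_S} s"))
    return findings

# Constructed sample: conversational learning without the ARP-learning
# prerequisite, and a MAC aging timer shorter than the suppression timer.
BAD_CONFIG = """\
#
 l2vpn enable
#
 ip forwarding-conversational-learning
#
 mac-address timer aging 300
#
vsi vpna
 arp suppression enable
 flooding disable all
 vxlan 10
#
vsi vpnb
 arp suppression enable
 vxlan 20
#
"""

# Constructed sample with both conditions corrected.
GOOD_CONFIG = BAD_CONFIG.replace(
    " mac-address timer aging 300",
    " vxlan tunnel arp-learning disable\n mac-address timer aging 1800",
)

if __name__ == "__main__":
    for finding in audit(BAD_CONFIG):
        print(finding)
```

VSI vpnb is not reported because flooding is still enabled there, which is the condition the guide attaches to the MAC aging requirement.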
Testing the connectivity of a VXLAN tunnel
Configuration restrictions and guidelines
This feature is supported only by IPv4 VXLAN tunnels.
This feature is not supported by the VXLAN tunnels established by using the virtual VTEP address of an M-LAG system.
Enabling overlay OAM
You must enable overlay OAM on the tunnel destination device for a VXLAN tunnel before you can use the ping vxlan or tracert vxlan command to test reachability of the VXLAN tunnel on the tunnel source device.
To specify the -r 3 parameter in the ping vxlan or tracert vxlan command on the tunnel source device, you must also enable overlay OAM on the tunnel source device.
To enable overlay OAM:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable overlay OAM. | overlay oam enable | By default, overlay OAM is disabled. |
Pinging a VXLAN tunnel destination
Perform this task to test the connectivity of a VXLAN tunnel in an EVPN VXLAN network when the tunnel has traffic loss or interruption issues. The process of a ping VXLAN operation is as follows:
1. The tunnel source VTEP sends VXLAN-encapsulated VXLAN echo requests to the tunnel destination VTEP.
2. The tunnel destination VTEP responds with VXLAN echo replies.
3. The tunnel source VTEP outputs packet statistics and the test result based on the received VXLAN echo replies.
Configuration restrictions and guidelines
Before you perform this task on the tunnel source device, you must enable overlay OAM on the tunnel destination device by using the overlay oam enable command.
The VTEP can distribute VXLAN echo requests among multiple paths to the destination based on the source UDP port. When a VXLAN tunnel has multiple paths on the transport network, you can configure load sharing parameters to ensure accuracy of the test result. You can use one of the following methods to configure source UDP ports for VXLAN echo requests:
· Specify a source UDP port range. The device will send VXLAN echo requests sourced from each UDP port in the UDP port range. You need to execute the ping vxlan command only once.
· Specify load balancing parameters such as source and destination MAC addresses, source and destination IP addresses, and protocol for the VTEP to calculate a source UDP port number. You need to execute the ping vxlan command multiple times to test connectivity of all paths.
The load balancing parameters change only the source UDP port number of VXLAN echo requests. Other fields of the requests will not be changed.
If you specify the vxlan-source-udpport vxlan-source-udpport [ end-vxlan-src-udpport ] parameters, the number of VXLAN echo requests sourced from each UDP port in the UDP port range is determined by the -c count parameter.
Configuration procedure
Task | Command | Remarks |
---|---|---|
Ping a VXLAN tunnel destination in any view. | ping vxlan [ -a inner-src-address \| -c count \| -m interval \| -r reply-mode \| -t timeout \| -tos tos-value ] * vxlan-id vxlan-id tunnel-source source-address tunnel-destination dest-address [ destination-udpport dest-port ] [ vxlan-source-address vxlan-source-address ] [ load-balance { vxlan-source-udpport vxlan-source-udpport [ end-vxlan-src-udpport ] \| source-address lb-src-address destination-address lb-dest-address protocol { udp \| lb-protocol-id } source-port lb-src-port destination-port lb-dest-port source-mac lb-source-mac destination-mac lb-destination-mac } ] | For more information about this command, see VXLAN Command Reference. |
Tracing the path to a VXLAN tunnel destination
Perform this task to locate failed nodes on the path for a VXLAN tunnel that has traffic loss or interruption issues in an EVPN VXLAN network. The process of a tracert VXLAN operation is as follows:
1. The tunnel source VTEP sends VXLAN-encapsulated VXLAN echo requests to the tunnel destination VTEP. The TTL in the IP header of the requests is set to 1.
2. The first hop on the path responds to the tunnel source VTEP with a TTL-expired ICMP error message.
3. The tunnel source VTEP sends VXLAN echo requests with the TTL set to 2.
4. The second hop responds with a TTL-expired ICMP error message.
5. This process continues until a VXLAN echo request reaches the tunnel destination VTEP or the maximum TTL value is reached. If a VXLAN echo request reaches the tunnel destination VTEP, the tunnel destination VTEP sends a VXLAN echo reply to the tunnel source VTEP.
6. The tunnel source VTEP outputs packet statistics and the test result based on the received ICMP error messages and whether a VXLAN echo reply is received.
Configuration restrictions and guidelines
Before you perform this task on the tunnel source device, you must enable overlay OAM on the tunnel destination device by using the overlay oam enable command.
The VTEP can distribute VXLAN echo requests among multiple paths to the destination based on the source UDP port. When a VXLAN tunnel has multiple paths on the transport network, you can configure load sharing parameters to ensure accuracy of the test result. You can use one of the following methods to configure source UDP ports for VXLAN echo requests:
· Specify a source UDP port range. The device will send VXLAN echo requests sourced from each UDP port in the UDP port range. You need to execute the ping vxlan command only once.
· Specify load balancing parameters such as source and destination MAC addresses, source and destination IP addresses, and protocol for the VTEP to calculate a source UDP port number. You need to execute the ping vxlan command multiple times to test connectivity of all paths.
The load balancing parameters change only the source UDP port number of VXLAN echo requests. Other fields of the requests will not be changed.
Configuration procedure
Task | Command | Remarks |
---|---|---|
Trace the path to a VXLAN tunnel destination in any view. | tracert vxlan [ -a inner-src-address \| -h ttl-value \| -r reply-mode \| -t timeout ] * vxlan-id vxlan-id tunnel-source source-address tunnel-destination dest-address [ destination-udpport dest-port ] [ vxlan-source-address vxlan-source-address ] [ load-balance { vxlan-source-udpport vxlan-source-udpport \| source-address lb-src-address destination-address lb-dest-address protocol { udp \| lb-protocol-id } source-port lb-src-port destination-port lb-dest-port source-mac lb-source-mac destination-mac lb-destination-mac } ] | For more information about this command, see VXLAN Command Reference. |
Enabling SNMP notifications for EVPN
About this task
If SNMP notifications are enabled for EVPN, a MAC mobility suppression notification is sent to the SNMP module after the MAC mobility suppression threshold is reached. For SNMP notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
Procedure
Task | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable SNMP notifications for EVPN. | snmp-agent trap enable evpn [ mac-mobility-suppression ] | By default, SNMP notifications are disabled for EVPN. |
Configuring EVPN M-LAG
EVPN M-LAG virtualizes two VTEPs or EVPN gateways into one M-LAG system to avoid single points of failure. The VTEPs or EVPN gateways use a virtual VTEP address to establish VXLAN tunnels to remote devices.
An AC that is attached to only one of the VTEPs in an M-LAG system is called a single-armed AC. To ensure that the traffic of a single-armed AC is forwarded to its attached VTEP, specify the IP addresses of the VTEPs in the M-LAG system by using the evpn m-lag local command. After you use this command, each VTEP in an M-LAG system changes the next hop of the routes for single-armed ACs to its local VTEP IP address when advertising the routes. When a VTEP receives BGP EVPN routes from the peer VTEP IP address specified by using this command, it does not set up a VXLAN tunnel to the peer VTEP.
You must execute the evpn m-lag local command if single-armed ACs are attached to an M-LAG system that uses a direct peer link. You do not need to execute this command on an M-LAG system that uses a tunnel peer link. In such an M-LAG system, a VTEP uses the source IP address of the peer link as the next hop of routes for single-armed ACs to ensure correct traffic forwarding.
Hardware compatibility with EVPN M-LAG
If you use member interfaces of an M-LAG group as transport-facing interfaces, follow these restrictions:
· Do not assign the same MAC address to the VLAN interfaces that provide source IP addresses for VXLAN tunnels.
· The M-LAG member devices must be directly connected to each other.
Use the interface modules that can provide transport-facing interfaces for VXLAN IP gateways to provide the following interfaces:
· Member ports of M-LAG interfaces.
· Member ports of peer-link interfaces.
· Physical outgoing interfaces for the VXLAN tunnel that acts as the peer link.
For more information, see VXLAN IP gateway configuration restrictions and guidelines in VXLAN Configuration Guide.
EVPN M-LAG and feature compatibility
802.1X, MAC authentication, and ND detection are not supported on an M-LAG system.
If Layer 2 IGMP snooping is configured on a VSI of a VTEP M-LAG member device, you must execute the igmp-snooping proxy enable command on the VSI. For more information about IGMP snooping proxying, see IGMP snooping configuration in IP Multicast Configuration Guide.
To ensure correct Layer 3 unicast forwarding, execute the undo mac-address static source-check enable command on the traffic outgoing interface for the tunnel peer link.
EVPN M-LAG configuration restrictions and guidelines
When you configure EVPN M-LAG, follow these restrictions and guidelines:
· For an M-LAG member device to re-establish VXLAN tunnels, you must execute the address-family l2vpn evpn command in BGP instance view after you enable or disable EVPN M-LAG.
· You cannot specify a secondary IP address of an interface as the virtual VTEP address.
· Specify a virtual IPv4 VTEP address if the underlay network is an IPv4 network, and specify a virtual IPv6 VTEP address if the underlay network is an IPv6 network. Otherwise, the VTEPs in an M-LAG group cannot set up VXLAN tunnels with remote VTEPs.
· Three VXLAN tunnels are set up between an M-LAG system and a peer VTEP. When the peer VTEP sends multicast, broadcast, or unknown unicast traffic (flood traffic) to the M-LAG system, the M-LAG member devices receive three identical flood flows and drop two of them. If the M-LAG member devices have learned the destination MAC address of the flood flow, the flood flows that ought to be dropped are forwarded as unicast instead, and the VMs attached to the M-LAG system receive duplicate packets.
If a direct peer link is used, follow these restrictions:
· If the frame match criteria of dynamic ACs on the peer link are created based on site-facing Ethernet service instances, you can configure only the following criteria for site-facing Ethernet service instances:
  ○ encapsulation s-vid vlan-id
  ○ encapsulation untagged
In addition, you must set the access mode to VLAN for site-facing Ethernet service instances.
· You must configure VLAN access mode for the site-facing Ethernet service instances when the frame match criteria of dynamic ACs on the peer link are created based on VXLAN IDs.
· On the M-LAG system, you can only create site-facing ACs manually. The M-LAG member devices must have the same Ethernet service instance configuration, including:
  ○ Ethernet service instances on M-LAG interfaces in the same M-LAG group and their frame match criteria and VXLAN IDs.
  ○ Single-homed Ethernet service instances and their frame match criteria and VXLAN IDs.
· As a best practice, do not redistribute external routes on the M-LAG member devices.
If a tunnel peer link is used, follow these restrictions and guidelines:
· The peer link does not forward packets of the VLANs permitted on site-facing interfaces unless the VLANs match the frame match criteria of VSIs.
· On the M-LAG system, you can only create site-facing ACs manually. The M-LAG member devices must have the same configuration for Ethernet service instances on M-LAG interfaces and their frame match criteria and VXLAN IDs.
Forwarding entry configuration restrictions and guidelines
The VTEPs in an M-LAG system synchronize local or remote MAC address entries with each other over the peer link. However, they do not synchronize MAC address entry deletions. When you delete a MAC address entry from one VTEP, the other VTEP retains the entry that contains the same MAC address until the entry ages out.
At an IPv6 site, if you enable ND flood suppression on the VTEPs in an M-LAG system, both VTEPs reply with NA packets when one of the VTEPs receives an NS packet on an M-LAG interface.
If a route reflector reflects routes between the VTEPs in an M-LAG system, after you execute the evpn m-lag local command on both VTEPs or execute the undo evpn m-lag local command on one of the VTEPs, also execute the following commands on the VTEPs:
· reset arp.
· reset arp suppression vsi.
· reset ipv6 neighbors.
· reset ipv6 nd suppression vsi.
These commands clear ARP- and ND-related entries on the VTEPs to ensure correct forwarding.
Configuration prerequisites
In addition to EVPN M-LAG configuration, you must configure the following settings:
· Configure other M-LAG and EVPN settings depending on your network. For information about M-LAG configuration, see Layer 2—LAN Switching Configuration Guide.
· Use the m-lag mad exclude interface command to exclude all interfaces used by EVPN from the MAD shutdown action by M-LAG. The interfaces include VSI interfaces, interfaces that provide BGP peer addresses, interfaces used for setting up the keepalive link, and transport-facing outgoing interfaces of VXLAN tunnels.
· Execute the m-lag restore-delay command to set the data restoration interval to a value equal to or larger than 180 seconds.
If you use a tunnel peer link, you must also complete the following tasks:
· Manually create the VXLAN tunnel interface and configure it as the peer-link interface. An automatically created VXLAN tunnel cannot be used as a peer link.
· Use the m-lag mad exclude interface command to exclude VXLAN tunnel interfaces and their traffic outgoing interfaces from the MAD shutdown action by M-LAG before you configure them as peer-link interfaces. If you have configured the VXLAN tunnel interfaces as peer-link interfaces before excluding them and their traffic outgoing interfaces from the MAD shutdown action, you must first remove the peer-link interface configuration. After the VXLAN tunnel interfaces and their traffic outgoing interfaces come up, exclude the interfaces from the MAD shutdown action by M-LAG. Then, configure the VXLAN tunnel interfaces as peer-link interfaces.
· The source address of the tunnel peer link must be the address used by the device to establish BGP peer relationships with other devices.
· To prioritize transmission of M-LAG protocol packets on the peer link, use the tunnel tos command on the VXLAN tunnel interface to set a high ToS value for tunneled packets.
· Specify the virtual VTEP address and the source address of the tunnel peer link as the IP addresses of different loopback interfaces. Configure a routing protocol to advertise the IP addresses.
· You must disable spanning tree on the Layer 2 Ethernet interface that acts as the physical traffic outgoing interface of the tunnel peer link. If you enable spanning tree on that interface, the upstream device will falsely block the interfaces connected to the M-LAG member devices.
· Use the reserved vxlan command to specify a reserved VXLAN to forward M-LAG protocol packets. The M-LAG member devices in an M-LAG system must have the same reserved VXLAN.
Configuration procedure (IPv4)
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable EVPN M-LAG and specify the virtual VTEP address. | evpn m-lag group virtual-vtep-ipv4 | By default, EVPN M-LAG is disabled. To modify the virtual VTEP address, you must first delete the original virtual VTEP address. |
3. Specify the IP addresses of the VTEPs in the M-LAG system. | evpn m-lag local local-ipv4-address remote remote-ipv4-address | By default, the IP addresses of the VTEPs in an M-LAG system are not specified. Make sure the IP address of the local VTEP belongs to a local interface. Make sure the local VTEP IP address and peer VTEP IP address are reversed on the VTEPs in the M-LAG system. |
4. Allow only MAC/IP advertisement routes to carry the local VTEP address. | evpn m-lag local mac-ip | By default, IMET routes, MAC/IP advertisement routes, and IP prefix advertisement routes carry the local VTEP address. |
5. (Optional.) Enable the device to create frame match criteria based on VXLAN IDs for the direct peer link. | l2vpn m-lag peer-link ac-match-rule vxlan-mapping | By default, on an EVPN M-LAG system that uses a direct peer link, dynamic ACs on the peer link use frame match criteria that are identical to those of site-facing ACs. If you do not execute this command, do not configure overlapping outer VLAN IDs for Ethernet service instances of different VSIs. If you execute this command, do not create VXLANs with IDs larger than 16000000. |
Configuration procedure (IPv6)
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable EVPN M-LAG and specify the virtual VTEP address. | evpn m-lag group virtual-vtep-ipv6 | By default, EVPN M-LAG is disabled. To modify the virtual VTEP address, you must first delete the original virtual VTEP address. |
3. Specify the IP addresses of the VTEPs in the M-LAG system. | evpn m-lag local local-ipv6-address remote remote-ipv6-address | By default, the IP addresses of the VTEPs in an M-LAG system are not specified. Make sure the IP address of the local VTEP belongs to a local interface. Make sure the local VTEP IP address and peer VTEP IP address are reversed on the VTEPs in the M-LAG system. |
4. Allow only MAC/IP advertisement routes to carry the local VTEP address. | evpn m-lag local mac-ip | By default, IMET routes, MAC/IP advertisement routes, and IP prefix advertisement routes carry the local VTEP address. |
5. (Optional.) Enable the device to create frame match criteria based on VXLAN IDs for the direct peer link. | l2vpn m-lag peer-link ac-match-rule vxlan-mapping | By default, on an EVPN M-LAG system that uses a direct peer link, dynamic ACs on the peer link use frame match criteria that are identical to those of site-facing ACs. If you do not execute this command, do not configure overlapping outer VLAN IDs for Ethernet service instances of different VSIs. If you execute this command, do not create VXLANs with IDs larger than 16000000. |
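Several of the M-LAG requirements above only hold or fail when the two member devices are compared: the shared virtual VTEP address, the reversed local and remote addresses of evpn m-lag local, the restore delay of at least 180 seconds, and the identical reserved VXLAN. The following Python check is an added example, not code from the guide or the vendor. It assumes the argument forms m-lag restore-delay seconds and reserved vxlan vxlan-id, and the sample configurations use constructed addresses from 192.0.2.0/24.

```python
import ipaddress
import re

MIN_RESTORE_DELAY_S = 180  # minimum data restoration interval from the prerequisites

def mlag_settings(text):
    """Extract the EVPN M-LAG settings of one member device."""
    s = {"group": None, "local": None, "remote": None,
         "restore_delay": None, "reserved_vxlan": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"evpn m-lag group (\S+)", line):
            s["group"] = ipaddress.ip_address(m.group(1))
        elif m := re.fullmatch(r"evpn m-lag local (\S+) remote (\S+)", line):
            # "evpn m-lag local mac-ip" has no "remote" keyword and is skipped here.
            s["local"], s["remote"] = (ipaddress.ip_address(a) for a in m.groups())
        elif m := re.fullmatch(r"m-lag restore-delay (\d+)", line):
            s["restore_delay"] = int(m.group(1))
        elif m := re.fullmatch(r"reserved vxlan (\d+)", line):
            s["reserved_vxlan"] = int(m.group(1))
    return s

def check_pair(config_a, config_b):
    """Return finding codes for the two member devices of one M-LAG system."""
    a, b = mlag_settings(config_a), mlag_settings(config_b)
    findings = []
    for label, dev in (("A", a), ("B", b)):
        if dev["group"] is None:
            findings.append(f"NO_VIRTUAL_VTEP:{label}")
        if dev["restore_delay"] is None or dev["restore_delay"] < MIN_RESTORE_DELAY_S:
            findings.append(f"RESTORE_DELAY:{label}")
    # Both members present one virtual VTEP address to remote devices.
    if a["group"] and b["group"] and a["group"] != b["group"]:
        findings.append("VIRTUAL_VTEP_MISMATCH")
    # If either member uses evpn m-lag local, the other must mirror it.
    if any(v is not None for v in (a["local"], a["remote"], b["local"], b["remote"])):
        if a["local"] != b["remote"] or a["remote"] != b["local"]:
            findings.append("LOCAL_REMOTE_NOT_REVERSED")
    # The reserved VXLAN (tunnel peer link) must be identical on both members.
    if a["reserved_vxlan"] != b["reserved_vxlan"]:
        findings.append("RESERVED_VXLAN_MISMATCH")
    return findings

# Constructed sample configurations.
VTEP_A = """\
#
 evpn m-lag group 192.0.2.100
 evpn m-lag local 192.0.2.1 remote 192.0.2.2
#
 m-lag restore-delay 180
#
 reserved vxlan 1234
#
"""

# Member B copied from A without reversing the addresses, with a short
# restore delay and a different reserved VXLAN.
VTEP_B_BAD = """\
#
 evpn m-lag group 192.0.2.100
 evpn m-lag local 192.0.2.1 remote 192.0.2.2
#
 m-lag restore-delay 30
#
 reserved vxlan 1235
#
"""

VTEP_B_GOOD = """\
#
 evpn m-lag group 192.0.2.100
 evpn m-lag local 192.0.2.2 remote 192.0.2.1
#
 m-lag restore-delay 180
#
 reserved vxlan 1234
#
"""

if __name__ == "__main__":
    print(check_pair(VTEP_A, VTEP_B_BAD))
    print(check_pair(VTEP_A, VTEP_B_GOOD))
```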
Displaying and maintaining EVPN VXLAN
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display BGP peer group information. | display bgp [ instance instance-name ] group l2vpn evpn [ group-name group-name ] |
Display BGP EVPN routes. | display bgp [ instance instance-name ] l2vpn evpn [ peer { ipv4-address \| ipv6-address } { advertised-routes \| received-routes } [ statistics ] \| [ route-distinguisher route-distinguisher \| route-type { auto-discovery \| es \| igmp-ls \| igmp-js \| imet \| ip-prefix \| mac-ip \| s-pmsi \| smet } ] * [ { evpn-route route-length \| evpn-prefix } [ advertise-info ] \| { ipv4-address \| ipv6-address \| mac-address } [ verbose ] ] \| statistics ] |
Display BGP peer or peer group information. | display bgp [ instance instance-name ] peer l2vpn evpn [ ipv4-address mask-length \| ipv6-address prefix-length \| { ipv4-address \| ipv6-address \| group-name group-name } log-info \| [ ipv4-address ] verbose ] |
Display information about BGP update groups. | display bgp [ instance instance-name ] update-group l2vpn evpn [ ipv4-address \| ipv6-address ] |
Display information about IPv4 peers that are automatically discovered through BGP. | display evpn auto-discovery { { imet \| mac-ip } [ mpls \| vxlan ] [ peer ip-address ] [ vsi vsi-name ] \| macip-prefix [ nexthop next-hop ] [ count ] } |
Display information about IPv6 peers that are automatically discovered through BGP. | display evpn ipv6 auto-discovery { imet [ peer ipv6-address ] [ vsi vsi-name ] \| mac-ip \| macip-prefix [ nexthop next-hop ] [ count ] } |
Display EVPN instance information. | display evpn instance [ name instance-name \| vsi vsi-name ] vxlan |
Display IPv6 EVPN MAC address entries. | display evpn ipv6 route mac [ local \| remote ] [ vsi vsi-name ] [ count ] |
Display IPv4 EVPN MAC address entries. | display evpn route mac [ local \| remote ] [ vsi vsi-name ] [ count ] |
Display EVPN MAC mobility information. | display evpn [ ipv6 ] route mac-mobility [ vsi vsi-name ] [ mac-address mac-address ] |
Display EVPN ARP entries. | display evpn route arp [ local \| remote ] [ public-instance \| vpn-instance vpn-instance-name ] [ count ] |
Display EVPN ND entries. | display evpn route nd [ local \| remote ] [ public-instance \| vpn-instance vpn-instance-name ] [ count ] |
Display ND flood suppression entries. | display evpn route nd suppression [ local \| remote ] [ vsi vsi-name ] [ count ] |
Display EVPN ND mobility information. | display evpn route nd-mobility [ public-instance \| vpn-instance vpn-instance-name ] [ ip ipv6-address ] |
Display ARP flood suppression entries. | display evpn route arp suppression [ local \| remote ] [ vsi vsi-name ] [ count ] |
Display EVPN ARP mobility information. | display evpn route arp-mobility [ public-instance \| vpn-instance vpn-instance-name ] [ ip ip-address ] |
Display the routing table for a VPN instance. | display evpn routing-table [ ipv6 ] { public-instance \| vpn-instance vpn-instance-name } [ count ] |
Cancel ARP mobility event suppression. | reset evpn route arp-mobility suppression [ public-instance \| vpn-instance vpn-instance-name [ ip ip-address ] ] |
Cancel MAC mobility event suppression. | reset evpn route mac-mobility suppression [ vsi vsi-name [ mac mac-address ] ] |
Cancel ND mobility event suppression. | reset evpn route nd-mobility suppression [ public-instance \| vpn-instance vpn-instance-name [ ip ipv6-address ] ] |
NOTE: For more information about the display bgp group, display bgp peer, and display bgp update-group commands, see BGP commands in Layer 3—IP Routing Command Reference.
EVPN VXLAN configuration examples
Centralized EVPN gateway configuration example
Network requirements
As shown in Figure 16:
· Configure VXLAN 10 and VXLAN 20 on Switch A, Switch B, and Switch C to provide connectivity for the VMs in the VXLANs across the network sites.
· Configure Switch C as a centralized EVPN gateway to provide gateway services and access to the connected Layer 3 network.
· Configure Switch D as an RR to reflect BGP EVPN routes between Switch A, Switch B, and Switch C.
NOTE: This example provides configuration of IPv4 sites over an IPv4 underlay network. The configuration procedure does not differ between IPv4 and IPv6 networks.
Configuration procedure
1. On VM 1 and VM 3, specify 10.1.1.1 as the gateway address. On VM 2 and VM 4, specify 10.1.2.1 as the gateway address. (Details not shown.)
2. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 16. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D) for them to reach one another. (Details not shown.)
3. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchA] vxlan tunnel mac-learning disable
[SwitchA] vxlan tunnel arp-learning disable
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] arp suppression enable
[SwitchA-vsi-vpna] evpn encapsulation vxlan
[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA] vsi vpnb
[SwitchA-vsi-vpnb] arp suppression enable
[SwitchA-vsi-vpnb] evpn encapsulation vxlan
[SwitchA-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchA-vsi-vpnb] vxlan 20
[SwitchA-vsi-vpnb-vxlan-20] quit
[SwitchA-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchA] bgp 200
[SwitchA-bgp-default] peer 4.4.4.4 as-number 200
[SwitchA-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchA-bgp-default] address-family l2vpn evpn
[SwitchA-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchA-bgp-default-evpn] quit
[SwitchA-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 2 3
[SwitchA-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 2000 to match VLAN 3.
[SwitchA-Ten-GigabitEthernet1/0/1] service-instance 2000
[SwitchA-Ten-GigabitEthernet1/0/1-srv2000] encapsulation s-vid 3
# Map Ethernet service instance 2000 to VSI vpnb.
[SwitchA-Ten-GigabitEthernet1/0/1-srv2000] xconnect vsi vpnb
[SwitchA-Ten-GigabitEthernet1/0/1-srv2000] quit
[SwitchA-Ten-GigabitEthernet1/0/1] quit
4. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchB] vxlan tunnel mac-learning disable
[SwitchB] vxlan tunnel arp-learning disable
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] arp suppression enable
[SwitchB-vsi-vpna] evpn encapsulation vxlan
[SwitchB-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchB-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] arp suppression enable
[SwitchB-vsi-vpnb] evpn encapsulation vxlan
[SwitchB-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchB-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchB-vsi-vpnb] vxlan 20
[SwitchB-vsi-vpnb-vxlan-20] quit
[SwitchB-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchB] bgp 200
[SwitchB-bgp-default] peer 4.4.4.4 as-number 200
[SwitchB-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchB-bgp-default] address-family l2vpn evpn
[SwitchB-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchB-bgp-default-evpn] quit
[SwitchB-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchB] interface ten-gigabitethernet 1/0/1
[SwitchB-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-Ten-GigabitEthernet1/0/1] port trunk permit vlan 2
[SwitchB-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchB-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchB-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchB-Ten-GigabitEthernet1/0/1-srv1000] quit
[SwitchB-Ten-GigabitEthernet1/0/1] quit
# On Ten-GigabitEthernet 1/0/2, create Ethernet service instance 2000 to match VLAN 3.
[SwitchB] interface ten-gigabitethernet 1/0/2
[SwitchB-Ten-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-Ten-GigabitEthernet1/0/2] port trunk permit vlan 3
[SwitchB-Ten-GigabitEthernet1/0/2] service-instance 2000
[SwitchB-Ten-GigabitEthernet1/0/2-srv2000] encapsulation s-vid 3
# Map Ethernet service instance 2000 to VSI vpnb.
[SwitchB-Ten-GigabitEthernet1/0/2-srv2000] xconnect vsi vpnb
[SwitchB-Ten-GigabitEthernet1/0/2-srv2000] quit
[SwitchB-Ten-GigabitEthernet1/0/2] quit
5. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchC] vxlan tunnel mac-learning disable
[SwitchC] vxlan tunnel arp-learning disable
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] evpn encapsulation vxlan
[SwitchC-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchC-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchC-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] evpn encapsulation vxlan
[SwitchC-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchC-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchC-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchC-vsi-vpnb] vxlan 20
[SwitchC-vsi-vpnb-vxlan-20] quit
[SwitchC-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchC] bgp 200
[SwitchC-bgp-default] peer 4.4.4.4 as-number 200
[SwitchC-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchC-bgp-default] address-family l2vpn evpn
[SwitchC-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchC-bgp-default-evpn] quit
[SwitchC-bgp-default] quit
# Create VSI-interface 1 and assign the interface an IP address. The IP address will be used as the gateway address for VXLAN 10.
[SwitchC] interface vsi-interface 1
[SwitchC-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchC-Vsi-interface1] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] gateway vsi-interface 1
[SwitchC-vsi-vpna] quit
# Create VSI-interface 2 and assign the interface an IP address. The IP address will be used as the gateway address for VXLAN 20.
[SwitchC] interface vsi-interface 2
[SwitchC-Vsi-interface2] ip address 10.1.2.1 255.255.255.0
[SwitchC-Vsi-interface2] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] gateway vsi-interface 2
[SwitchC-vsi-vpnb] quit
6. Configure Switch D:
# Establish BGP connections with other transport network switches.
<SwitchD> system-view
[SwitchD] bgp 200
[SwitchD-bgp-default] group evpn
[SwitchD-bgp-default] peer 1.1.1.1 group evpn
[SwitchD-bgp-default] peer 2.2.2.2 group evpn
[SwitchD-bgp-default] peer 3.3.3.3 group evpn
[SwitchD-bgp-default] peer evpn as-number 200
[SwitchD-bgp-default] peer evpn connect-interface loopback 0
# Configure BGP to advertise BGP EVPN routes, and disable route target filtering for BGP EVPN routes.
[SwitchD-bgp-default] address-family l2vpn evpn
[SwitchD-bgp-default-evpn] peer evpn enable
[SwitchD-bgp-default-evpn] undo policy vpn-target
# Configure Switch D as an RR.
[SwitchD-bgp-default-evpn] peer evpn reflect-client
[SwitchD-bgp-default-evpn] quit
[SwitchD-bgp-default] quit
Verifying the configuration
1. Verify the EVPN gateway settings on Switch C:
# Verify that Switch C has advertised MAC/IP advertisement routes and IMET routes for the gateways and received MAC/IP advertisement routes and IMET routes from Switch A and Switch B. (Details not shown.)
# Verify that the VXLAN tunnel interfaces are up on Switch C.
[SwitchC] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 3.3.3.3, destination 2.2.2.2
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 7 bytes/sec, 56 bits/sec, 0 packets/sec
Input: 10 packets, 980 bytes, 0 drops
Output: 85 packets, 6758 bytes, 0 drops
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 3.3.3.3, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 1 bytes/sec, 8 bits/sec, 0 packets/sec
Last 300 seconds output rate: 9 bytes/sec, 72 bits/sec, 0 packets/sec
Input: 277 packets, 20306 bytes, 0 drops
Output: 1099 packets, 85962 bytes, 0 drops
# Verify that the VSI interfaces are up on Switch C.
[SwitchC] display interface vsi-interface brief
Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
Vsi1 UP UP 10.1.1.1
Vsi2 UP UP 10.1.2.1
# Verify that the VXLAN tunnels have been assigned to the VXLANs, and that the VSI interfaces are the gateway interfaces of their respective VXLANs.
[SwitchC] display l2vpn vsi verbose
VSI Name: vpna
VSI Index : 0
VSI State : Up
MTU : 1500
Bandwidth : -
Broadcast Restrain : -
Multicast Restrain : -
Unknown Unicast Restrain: -
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 1
VXLAN ID : 10
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel0 0x5000000 UP Auto Disabled
Tunnel1 0x5000001 UP Auto Disabled
VSI Name: vpnb
VSI Index : 1
VSI State : Up
MTU : 1500
Bandwidth : -
Broadcast Restrain : -
Multicast Restrain : -
Unknown Unicast Restrain: -
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 2
VXLAN ID : 20
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel0 0x5000000 UP Auto Disabled
Tunnel1 0x5000001 UP Auto Disabled
# Verify that Switch C has created EVPN ARP entries for the VMs.
[SwitchC] display evpn route arp
Flags: D - Dynamic B - BGP L - Local active
G - Gateway S - Static M - Mapping I - Invalid
Public instance Interface: Vsi-interface2
IP address MAC address Router MAC VSI Index Flags
10.1.2.1 0005-0005-0005 - 1 GL
10.1.2.10 0000-1234-0002 - 1 B
10.1.2.20 0000-1234-0004 - 1 B
Public instance Interface: Vsi-interface1
IP address MAC address Router MAC VSI Index Flags
10.1.1.1 0003-0003-0003 - 0 GL
10.1.1.10 0000-1234-0001 - 0 B
10.1.1.20 0000-1234-0003 - 0 B
# Verify that Switch C has created FIB entries for the VMs.
[SwitchC] display fib 10.1.1.10
Destination count: 1 FIB entry count: 1
Flag:
U:Usable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay F:FRR
Destination/Mask Nexthop Flag OutInterface/Token Label
10.1.1.10/32 10.1.1.10 UH Vsi1 Null
2. Verify that VM 1, VM 2, VM 3, and VM 4 can communicate with one another.
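The EVPN ARP check in step 1 can be scripted so that it also catches entries that should not be there, such as a remote (B) entry that claims a gateway address. The following is an added example, not part of the original document: the function names and the expected-host inventory are assumptions, the first sample is the Switch C output shown above, and the extra conflicting line is constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Section header: "Public instance Interface: Vsi-interface2" or
# "VPN instance:vpna Interface:Vsi-interface1".
SECTION = re.compile(
    r"^(?:Public instance|VPN instance:\s*(?P<vpn>\S+))\s+Interface:\s*(?P<ifname>\S+)$")
# Entry row: IP, MAC, router MAC (or "-"), VSI index, flags.
ENTRY = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>[0-9a-f]{4}(?:-[0-9a-f]{4}){2})\s+"
    r"(?P<router_mac>\S+)\s+(?P<vsi>\d+)\s+(?P<flags>[DBLGSMI]+)$", re.IGNORECASE)


@dataclass(frozen=True)
class ArpEntry:
    instance: str      # VPN instance name, or "public"
    interface: str     # VSI interface the entry is listed under
    ip: str
    mac: str
    vsi_index: int
    flags: frozenset   # letters from the Flags legend (D, B, L, G, S, M, I)


def parse_evpn_arp(text):
    """Parse 'display evpn route arp' output into ArpEntry records."""
    entries, instance, interface = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            instance, interface = m["vpn"] or "public", m["ifname"]
            continue
        m = ENTRY.match(line)
        if m and interface:
            entries.append(ArpEntry(instance, interface, m["ip"], m["mac"].lower(),
                                    int(m["vsi"]), frozenset(m["flags"].upper())))
    return entries


def audit(entries, expected):
    """expected maps (instance, ip) -> mac for the VMs that must be present."""
    findings = []
    macs = defaultdict(set)
    gateways = set()
    for e in entries:
        macs[(e.instance, e.ip)].add(e.mac)
        if "G" in e.flags:
            gateways.add((e.instance, e.ip))
    for e in entries:
        flags = "".join(sorted(e.flags))
        if "I" in e.flags:
            findings.append(f"{e.instance}: {e.ip} {e.mac} is flagged invalid")
        if (e.instance, e.ip) in gateways and "G" not in e.flags:
            findings.append(
                f"{e.instance}: gateway address {e.ip} also bound to {e.mac} (flags {flags})")
    for key in sorted(macs):
        if key not in gateways and len(macs[key]) > 1:
            findings.append(
                f"{key[0]}: {key[1]} maps to several MACs: {', '.join(sorted(macs[key]))}")
    for key, mac in sorted(expected.items()):
        if key not in macs:
            findings.append(f"{key[0]}: expected host {key[1]} ({mac}) has no EVPN ARP entry")
        elif mac.lower() not in macs[key]:
            findings.append(f"{key[0]}: {key[1]} expected {mac}, saw {', '.join(sorted(macs[key]))}")
    return findings


# Output of Switch C as shown in the verification step above.
SAMPLE_CLEAN = """\
[SwitchC] display evpn route arp
Flags: D - Dynamic B - BGP L - Local active
G - Gateway S - Static M - Mapping I - Invalid
Public instance Interface: Vsi-interface2
IP address MAC address Router MAC VSI Index Flags
10.1.2.1 0005-0005-0005 - 1 GL
10.1.2.10 0000-1234-0002 - 1 B
10.1.2.20 0000-1234-0004 - 1 B
Public instance Interface: Vsi-interface1
IP address MAC address Router MAC VSI Index Flags
10.1.1.1 0003-0003-0003 - 0 GL
10.1.1.10 0000-1234-0001 - 0 B
10.1.1.20 0000-1234-0003 - 0 B
"""
# Constructed line: a BGP-learned entry that claims the VXLAN 10 gateway address.
SAMPLE_CONFLICT = SAMPLE_CLEAN + "10.1.1.1 0000-1234-00ff - 0 B\n"

# Assumed inventory, taken from the VM addresses in the output above.
EXPECTED = {
    ("public", "10.1.1.10"): "0000-1234-0001", ("public", "10.1.1.20"): "0000-1234-0003",
    ("public", "10.1.2.10"): "0000-1234-0002", ("public", "10.1.2.20"): "0000-1234-0004",
}

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_CLEAN), ("conflict", SAMPLE_CONFLICT)):
        print(name, audit(parse_evpn_arp(text), EXPECTED) or "no findings")
```

The same parser accepts the `VPN instance:vpna Interface:Vsi-interface1` section headers that a distributed gateway prints.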
Distributed IPv4 EVPN gateway in symmetric IRB mode configuration example
Network requirements
As shown in Figure 17:
· Configure VXLAN 10 and VXLAN 20 on Switch A and Switch B to provide connectivity for the VMs in the VXLANs across the network sites.
· Configure Switch A and Switch B as distributed EVPN gateways to provide gateway services in symmetric IRB mode. Configure Switch C as a border gateway to provide access to the connected Layer 3 network.
· Configure Switch D as an RR to reflect BGP EVPN routes between Switch A, Switch B, and Switch C.
NOTE: This example provides configuration of IPv4 sites over an IPv4 underlay network. The configuration procedure does not differ between IPv4 and IPv6 sites.
Configuration procedure
1. On VM 1 and VM 3, specify 10.1.1.1 as the gateway address. On VM 2 and VM 4, specify 10.1.2.1 as the gateway address. (Details not shown.)
2. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 17. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D) for them to reach one another. (Details not shown.)
3. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchA] vxlan tunnel mac-learning disable
[SwitchA] vxlan tunnel arp-learning disable
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] evpn encapsulation vxlan
[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA] vsi vpnb
[SwitchA-vsi-vpnb] evpn encapsulation vxlan
[SwitchA-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchA-vsi-vpnb] vxlan 20
[SwitchA-vsi-vpnb-vxlan-20] quit
[SwitchA-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchA] bgp 200
[SwitchA-bgp-default] peer 4.4.4.4 as-number 200
[SwitchA-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchA-bgp-default] address-family l2vpn evpn
[SwitchA-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchA-bgp-default-evpn] quit
[SwitchA-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 2 3
[SwitchA-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 2000 to match VLAN 3.
[SwitchA-Ten-GigabitEthernet1/0/1] service-instance 2000
[SwitchA-Ten-GigabitEthernet1/0/1-srv2000] encapsulation s-vid 3
# Map Ethernet service instance 2000 to VSI vpnb.
[SwitchA-Ten-GigabitEthernet1/0/1-srv2000] xconnect vsi vpnb
[SwitchA-Ten-GigabitEthernet1/0/1-srv2000] quit
[SwitchA-Ten-GigabitEthernet1/0/1] quit
# Configure RD and route target settings for VPN instance vpna.
[SwitchA] ip vpn-instance vpna
[SwitchA-vpn-instance-vpna] route-distinguisher 1:1
[SwitchA-vpn-instance-vpna] address-family ipv4
[SwitchA-vpn-ipv4-vpna] vpn-target 2:2
[SwitchA-vpn-ipv4-vpna] quit
[SwitchA-vpn-instance-vpna] address-family evpn
[SwitchA-vpn-evpn-vpna] vpn-target 1:1
[SwitchA-vpn-evpn-vpna] quit
[SwitchA-vpn-instance-vpna] quit
# Configure VSI-interface 1.
[SwitchA] interface vsi-interface 1
[SwitchA-Vsi-interface1] ip binding vpn-instance vpna
[SwitchA-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchA-Vsi-interface1] mac-address 1-1-1
[SwitchA-Vsi-interface1] distributed-gateway local
[SwitchA-Vsi-interface1] local-proxy-arp enable
[SwitchA-Vsi-interface1] quit
# Configure VSI-interface 2.
[SwitchA] interface vsi-interface 2
[SwitchA-Vsi-interface2] ip binding vpn-instance vpna
[SwitchA-Vsi-interface2] ip address 10.1.2.1 255.255.255.0
[SwitchA-Vsi-interface2] mac-address 2-2-2
[SwitchA-Vsi-interface2] distributed-gateway local
[SwitchA-Vsi-interface2] local-proxy-arp enable
[SwitchA-Vsi-interface2] quit
# Associate VSI-interface 3 with VPN instance vpna, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchA] interface vsi-interface 3
[SwitchA-Vsi-interface3] ip binding vpn-instance vpna
[SwitchA-Vsi-interface3] l3-vni 1000
[SwitchA-Vsi-interface3] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] gateway vsi-interface 1
[SwitchA-vsi-vpna] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchA] vsi vpnb
[SwitchA-vsi-vpnb] gateway vsi-interface 2
[SwitchA-vsi-vpnb] quit
4. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchB] vxlan tunnel mac-learning disable
[SwitchB] vxlan tunnel arp-learning disable
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] evpn encapsulation vxlan
[SwitchB-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchB-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] evpn encapsulation vxlan
[SwitchB-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchB-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchB-vsi-vpnb] vxlan 20
[SwitchB-vsi-vpnb-vxlan-20] quit
[SwitchB-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchB] bgp 200
[SwitchB-bgp-default] peer 4.4.4.4 as-number 200
[SwitchB-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchB-bgp-default] address-family l2vpn evpn
[SwitchB-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchB-bgp-default-evpn] quit
[SwitchB-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchB] interface ten-gigabitethernet 1/0/1
[SwitchB-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-Ten-GigabitEthernet1/0/1] port trunk permit vlan 2
[SwitchB-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchB-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchB-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchB-Ten-GigabitEthernet1/0/1-srv1000] quit
[SwitchB-Ten-GigabitEthernet1/0/1] quit
# On Ten-GigabitEthernet 1/0/2, create Ethernet service instance 2000 to match VLAN 3.
[SwitchB] interface ten-gigabitethernet 1/0/2
[SwitchB-Ten-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-Ten-GigabitEthernet1/0/2] port trunk permit vlan 3
[SwitchB-Ten-GigabitEthernet1/0/2] service-instance 2000
[SwitchB-Ten-GigabitEthernet1/0/2-srv2000] encapsulation s-vid 3
# Map Ethernet service instance 2000 to VSI vpnb.
[SwitchB-Ten-GigabitEthernet1/0/2-srv2000] xconnect vsi vpnb
[SwitchB-Ten-GigabitEthernet1/0/2-srv2000] quit
[SwitchB-Ten-GigabitEthernet1/0/2] quit
# Configure RD and route target settings for VPN instance vpna.
[SwitchB] ip vpn-instance vpna
[SwitchB-vpn-instance-vpna] route-distinguisher 1:1
[SwitchB-vpn-instance-vpna] address-family ipv4
[SwitchB-vpn-ipv4-vpna] vpn-target 2:2
[SwitchB-vpn-ipv4-vpna] quit
[SwitchB-vpn-instance-vpna] address-family evpn
[SwitchB-vpn-evpn-vpna] vpn-target 1:1
[SwitchB-vpn-evpn-vpna] quit
[SwitchB-vpn-instance-vpna] quit
# Configure VSI-interface 1.
[SwitchB] interface vsi-interface 1
[SwitchB-Vsi-interface1] ip binding vpn-instance vpna
[SwitchB-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchB-Vsi-interface1] mac-address 1-1-1
[SwitchB-Vsi-interface1] distributed-gateway local
[SwitchB-Vsi-interface1] local-proxy-arp enable
[SwitchB-Vsi-interface1] quit
# Configure VSI-interface 2.
[SwitchB] interface vsi-interface 2
[SwitchB-Vsi-interface2] ip binding vpn-instance vpna
[SwitchB-Vsi-interface2] ip address 10.1.2.1 255.255.255.0
[SwitchB-Vsi-interface2] mac-address 2-2-2
[SwitchB-Vsi-interface2] distributed-gateway local
[SwitchB-Vsi-interface2] local-proxy-arp enable
[SwitchB-Vsi-interface2] quit
# Associate VSI-interface 3 with VPN instance vpna, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchB] interface vsi-interface 3
[SwitchB-Vsi-interface3] ip binding vpn-instance vpna
[SwitchB-Vsi-interface3] l3-vni 1000
[SwitchB-Vsi-interface3] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] gateway vsi-interface 1
[SwitchB-vsi-vpna] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] gateway vsi-interface 2
[SwitchB-vsi-vpnb] quit
5. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchC] vxlan tunnel mac-learning disable
[SwitchC] vxlan tunnel arp-learning disable
# Configure BGP to advertise BGP EVPN routes.
[SwitchC] bgp 200
[SwitchC-bgp-default] peer 4.4.4.4 as-number 200
[SwitchC-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchC-bgp-default] address-family l2vpn evpn
[SwitchC-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchC-bgp-default-evpn] quit
[SwitchC-bgp-default] quit
# Configure RD and route target settings for VPN instance vpna.
[SwitchC] ip vpn-instance vpna
[SwitchC-vpn-instance-vpna] route-distinguisher 1:1
[SwitchC-vpn-instance-vpna] address-family ipv4
[SwitchC-vpn-ipv4-vpna] vpn-target 2:2
[SwitchC-vpn-ipv4-vpna] quit
[SwitchC-vpn-instance-vpna] address-family evpn
[SwitchC-vpn-evpn-vpna] vpn-target 1:1
[SwitchC-vpn-evpn-vpna] quit
[SwitchC-vpn-instance-vpna] quit
# Associate VSI-interface 3 with VPN instance vpna, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchC] interface vsi-interface 3
[SwitchC-Vsi-interface3] ip binding vpn-instance vpna
[SwitchC-Vsi-interface3] l3-vni 1000
[SwitchC-Vsi-interface3] quit
# Configure a default route in which the nexthop is the IP address of a WAN device.
[SwitchC] ip route-static vpn-instance vpna 0.0.0.0 0 20.1.1.100
# Import the default route to the BGP IPv4 unicast routing table of VPN instance vpna.
[SwitchC] bgp 200
[SwitchC-bgp-default] ip vpn-instance vpna
[SwitchC-bgp-default-vpna] address-family ipv4 unicast
[SwitchC-bgp-default-ipv4-vpna] default-route imported
[SwitchC-bgp-default-ipv4-vpna] import-route static
[SwitchC-bgp-default-ipv4-vpna] quit
[SwitchC-bgp-default-vpna] quit
[SwitchC-bgp-default] quit
# Associate VLAN-interface 20 with VPN instance vpna.
[SwitchC] interface vlan-interface 20
[SwitchC-Vlan-interface20] ip binding vpn-instance vpna
[SwitchC-Vlan-interface20] ip address 20.1.1.3 24
[SwitchC-Vlan-interface20] quit
6. Configure Switch D:
# Establish BGP connections with other transport network switches.
<SwitchD> system-view
[SwitchD] bgp 200
[SwitchD-bgp-default] group evpn
[SwitchD-bgp-default] peer 1.1.1.1 group evpn
[SwitchD-bgp-default] peer 2.2.2.2 group evpn
[SwitchD-bgp-default] peer 3.3.3.3 group evpn
[SwitchD-bgp-default] peer evpn as-number 200
[SwitchD-bgp-default] peer evpn connect-interface loopback 0
# Configure BGP to advertise BGP EVPN routes, and disable route target filtering for BGP EVPN routes.
[SwitchD-bgp-default] address-family l2vpn evpn
[SwitchD-bgp-default-evpn] peer evpn enable
[SwitchD-bgp-default-evpn] undo policy vpn-target
# Configure Switch D as an RR.
[SwitchD-bgp-default-evpn] peer evpn reflect-client
[SwitchD-bgp-default-evpn] quit
[SwitchD-bgp-default] quit
Verifying the configuration
1. Verify the distributed EVPN gateway settings on Switch A:
# Verify that Switch A has advertised the IP prefix advertisement routes for the gateways and the MAC/IP advertisement routes and IMET routes for each VSI. Verify that Switch A has received the IP prefix advertisement routes for the gateways and the MAC/IP advertisement routes and IMET routes for each VSI from Switch B. (Details not shown.)
# Verify that the VXLAN tunnel interfaces are up on Switch A. (This example uses Tunnel 1.)
[SwitchA] display interface tunnel 1
Tunnel1
Current state: UP
Line protocol state: UP
…
# Verify that the VSI interfaces are up on Switch A.
[SwitchA] display interface vsi-interface brief
Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
Vsi1 UP UP 10.1.1.1
Vsi2 UP UP 10.1.2.1
# Verify that the VXLAN tunnels have been assigned to the VXLANs, and that the VSI interfaces are the gateway interfaces of their respective VXLANs.
[SwitchA] display l2vpn vsi verbose
VSI Name: Auto_L3VNI1000_3
VSI Index : 1
VSI State : Down
MTU : 1500
Bandwidth : -
Broadcast Restrain : -
Multicast Restrain : -
Unknown Unicast Restrain: -
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 3
VXLAN ID : 1000
VSI Name: vpna
VSI Index : 0
VSI State : Up
MTU : 1500
Bandwidth : -
Broadcast Restrain : -
Multicast Restrain : -
Unknown Unicast Restrain: -
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 1
VXLAN ID : 10
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel0 0x5000001 Up Auto Disabled
Tunnel1 0x5000002 Up Auto Disabled
ACs:
AC Link ID State Type
XGE1/0/1 srv1000 0 Up Manual
VSI Name: vpnb
VSI Index : 2
VSI State : Up
MTU : 1500
Bandwidth : -
Broadcast Restrain : -
Multicast Restrain : -
Unknown Unicast Restrain: -
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 2
VXLAN ID : 20
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel0 0x5000001 Up Auto Disabled
Tunnel1 0x5000002 Up Auto Disabled
ACs:
AC Link ID State Type
XGE1/0/1 srv2000 0 Up Manual
# Verify that Switch A has created ARP entries for the VMs.
[SwitchA] display arp
Type: S-Static D-Dynamic O-Openflow R-Rule M-Multiport I-Invalid
IP address MAC address VLAN/VSI Interface/Link ID Aging Type
10.1.1.10 0000-1234-0001 0 0x0 20 D
10.1.2.10 0000-1234-0002 0 0x0 19 D
2.2.2.2 a0ce-5e24-0100 1 Tunnel0 N/A R
# Verify that Switch A has created EVPN ARP entries for the local VMs.
[SwitchA] display evpn route arp
Flags: D - Dynamic B - BGP L - Local active
G - Gateway S - Static M - Mapping I - Invalid
VPN instance:vpna Interface:Vsi-interface1
IP address MAC address Router MAC VSI Index Flags
10.1.1.1 0001-0001-0001 a0ce-7e40-0400 0 GL
10.1.1.10 0000-1234-0001 a0ce-7e40-0400 0 DL
10.1.2.10 0000-1234-0002 a0ce-7e40-0400 0 DL
10.1.1.20 0000-1234-0003 a0ce-7e40-0400 0 B
10.1.2.20 0000-1234-0004 a0ce-7e40-0400 0 B
2. Verify that VM 1, VM 2, VM 3, and VM 4 can communicate with one another.
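In this example Switch A and Switch B carry identical gateway IP addresses, gateway MAC addresses, L3 VXLAN ID, and EVPN route target, and every switch disables remote MAC and ARP learning. The following added example (not part of the original document) parses a saved command transcript in the prompt format used above and reports any device that drifts from those shared settings. The function names are assumptions, device names are assumed to contain no hyphen, and the transcripts are constructed from the commands in this procedure.

```python
import re
from collections import defaultdict

# "[SwitchA-Vsi-interface1] cmd" -> device "SwitchA", view "Vsi-interface1", command.
# Assumption: the device name (sysname) contains no hyphen.
PROMPT = re.compile(r"^\[(?P<dev>[^\]\-\s]+)(?:-(?P<view>[^\]]+))?\]\s+(?P<cmd>.+)$")
# Settings this procedure applies in system view on every switch.
REQUIRED = ("vxlan tunnel mac-learning disable", "vxlan tunnel arp-learning disable")


def parse_transcript(text):
    """Return {device: {view: [commands]}}; the system view is keyed by ''."""
    cfg = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if m and m["cmd"].strip() != "quit":
            cfg[m["dev"]][m["view"] or ""].append(m["cmd"].strip())
    return cfg


def _arg(cmds, prefix):
    """Text following `prefix` in the first matching command, else None."""
    for c in cmds:
        if c.startswith(prefix + " "):
            return c[len(prefix) + 1:]
    return None


def _norm_mac(mac):
    """Pad abbreviated groups so that 1-1-1 compares equal to 0001-0001-0001."""
    return "-".join(g.zfill(4) for g in mac.lower().split("-")) if mac else None


def fingerprint(views):
    """Collect the settings that must be identical on every device that defines them."""
    fp = {}
    for view, cmds in views.items():
        if view.startswith("Vsi-interface"):
            vpn = _arg(cmds, "ip binding vpn-instance") or "public"
            if "distributed-gateway local" in cmds:
                fp[("gateway", view)] = (vpn, _arg(cmds, "ip address"),
                                         _norm_mac(_arg(cmds, "mac-address")))
            vni = _arg(cmds, "l3-vni")
            if vni:
                fp[("l3-vni", vpn)] = vni
        elif view.startswith("vpn-evpn-"):
            targets = tuple(sorted(c for c in cmds if c.startswith("vpn-target ")))
            fp[("evpn route target", view[len("vpn-evpn-"):])] = targets
    return fp


def audit(cfg):
    findings = []
    for dev in sorted(cfg):
        system_view = cfg[dev].get("", [])
        if "l2vpn enable" in system_view:
            findings += [f"{dev}: missing '{cmd}'" for cmd in REQUIRED if cmd not in system_view]
    values = defaultdict(dict)
    for dev, views in cfg.items():
        for key, val in fingerprint(views).items():
            values[key][dev] = val
    for key in sorted(values):
        per_dev = values[key]
        if len(set(per_dev.values())) > 1:
            detail = "; ".join(f"{d}={v}" for d, v in sorted(per_dev.items()))
            findings.append(f"{key[0]} {key[1]} differs: {detail}")
    return findings


# Constructed transcript: the gateway-related commands of this example, per device.
TEMPLATE = """\
[{dev}] l2vpn enable
[{dev}] vxlan tunnel mac-learning disable
[{dev}] vxlan tunnel arp-learning disable
[{dev}-vpn-evpn-vpna] vpn-target 1:1
[{dev}-Vsi-interface1] ip binding vpn-instance vpna
[{dev}-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[{dev}-Vsi-interface1] mac-address 1-1-1
[{dev}-Vsi-interface1] distributed-gateway local
[{dev}-Vsi-interface2] ip binding vpn-instance vpna
[{dev}-Vsi-interface2] ip address 10.1.2.1 255.255.255.0
[{dev}-Vsi-interface2] mac-address {mac2}
[{dev}-Vsi-interface2] distributed-gateway local
[{dev}-Vsi-interface3] ip binding vpn-instance vpna
[{dev}-Vsi-interface3] l3-vni 1000
[{dev}-Vsi-interface3] quit
"""
CLEAN = TEMPLATE.format(dev="SwitchA", mac2="2-2-2") + TEMPLATE.format(dev="SwitchB", mac2="2-2-2")
# Constructed drift: Switch B has a different gateway MAC and lacks one learning setting.
DRIFTED = (TEMPLATE.format(dev="SwitchA", mac2="2-2-2")
           + TEMPLATE.format(dev="SwitchB", mac2="2-2-3").replace(
               "[SwitchB] vxlan tunnel arp-learning disable\n", ""))

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("drifted", DRIFTED)):
        print(name, audit(parse_transcript(text)) or "no findings")
```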
Distributed IPv4 EVPN gateways in asymmetric IRB mode configuration example
Network requirements
As shown in Figure 18:
· Configure VXLAN 10 and VXLAN 20 on Switch A and Switch B to provide connectivity for the VMs in the VXLANs across the network sites.
· Configure Switch A and Switch B as distributed EVPN gateways to provide gateway services in asymmetric IRB mode. Configure Switch C as a border gateway to provide access to the connected Layer 3 network.
· Configure Switch D as an RR to reflect BGP EVPN routes between Switch A, Switch B, and Switch C.
Configuration procedure
1. Specify 10.1.1.1, 10.1.2.1, 20.1.1.1, and 20.1.2.1 as the gateway addresses on VM 1, VM 2, VM 3, and VM 4, respectively. (Details not shown.)
2. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 18. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D) for them to reach one another. (Details not shown.)
3. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchA] vxlan tunnel mac-learning disable
[SwitchA] vxlan tunnel arp-learning disable
# Enable asymmetric IRB mode for EVPN VXLAN.
[SwitchA] evpn irb asymmetric
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] evpn encapsulation vxlan
[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA] vsi vpnb
[SwitchA-vsi-vpnb] evpn encapsulation vxlan
[SwitchA-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchA-vsi-vpnb] vxlan 20
[SwitchA-vsi-vpnb-vxlan-20] quit
[SwitchA-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchA] bgp 200
[SwitchA-bgp-default] peer 4.4.4.4 as-number 200
[SwitchA-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchA-bgp-default] address-family l2vpn evpn
[SwitchA-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchA-bgp-default-evpn] quit
[SwitchA-bgp-default] quit
# On GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] service-instance 1000
[SwitchA-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchA-GigabitEthernet1/0/1-srv1000] quit
# On GigabitEthernet 1/0/1, create Ethernet service instance 2000 to match VLAN 3.
[SwitchA-GigabitEthernet1/0/1] service-instance 2000
[SwitchA-GigabitEthernet1/0/1-srv2000] encapsulation s-vid 3
# Map Ethernet service instance 2000 to VSI vpnb.
[SwitchA-GigabitEthernet1/0/1-srv2000] xconnect vsi vpnb
[SwitchA-GigabitEthernet1/0/1-srv2000] quit
[SwitchA-GigabitEthernet1/0/1] quit
# Configure RD and route target settings for VPN instance vpna.
[SwitchA] ip vpn-instance vpna
[SwitchA-vpn-instance-vpna] route-distinguisher 1:1
[SwitchA-vpn-instance-vpna] address-family ipv4
[SwitchA-vpn-ipv4-vpna] vpn-target 2:2
[SwitchA-vpn-ipv4-vpna] quit
[SwitchA-vpn-instance-vpna] address-family evpn
[SwitchA-vpn-evpn-vpna] vpn-target 1:1
[SwitchA-vpn-evpn-vpna] quit
[SwitchA-vpn-instance-vpna] quit
# Configure VSI-interface 1.
[SwitchA] interface vsi-interface 1
[SwitchA-Vsi-interface1] ip binding vpn-instance vpna
[SwitchA-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchA-Vsi-interface1] mac-address 1-1-1
[SwitchA-Vsi-interface1] distributed-gateway local
[SwitchA-Vsi-interface1] local-proxy-arp enable
[SwitchA-Vsi-interface1] quit
# Configure VSI-interface 2.
[SwitchA] interface vsi-interface 2
[SwitchA-Vsi-interface2] ip binding vpn-instance vpna
[SwitchA-Vsi-interface2] ip address 10.1.2.1 255.255.255.0
[SwitchA-Vsi-interface2] mac-address 2-2-2
[SwitchA-Vsi-interface2] distributed-gateway local
[SwitchA-Vsi-interface2] local-proxy-arp enable
[SwitchA-Vsi-interface2] quit
# Associate VSI-interface 3 with VPN instance vpna, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchA] interface vsi-interface 3
[SwitchA-Vsi-interface3] ip binding vpn-instance vpna
[SwitchA-Vsi-interface3] l3-vni 1000
[SwitchA-Vsi-interface3] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] gateway vsi-interface 1
[SwitchA-vsi-vpna] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchA] vsi vpnb
[SwitchA-vsi-vpnb] gateway vsi-interface 2
[SwitchA-vsi-vpnb] quit
4. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchB] vxlan tunnel mac-learning disable
[SwitchB] vxlan tunnel arp-learning disable
# Enable asymmetric IRB mode for EVPN VXLAN.
[SwitchB] evpn irb asymmetric
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] evpn encapsulation vxlan
[SwitchB-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchB-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] evpn encapsulation vxlan
[SwitchB-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchB-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchB-vsi-vpnb] vxlan 20
[SwitchB-vsi-vpnb-vxlan-20] quit
[SwitchB-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchB] bgp 200
[SwitchB-bgp-default] peer 4.4.4.4 as-number 200
[SwitchB-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchB-bgp-default] address-family l2vpn evpn
[SwitchB-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchB-bgp-default-evpn] quit
[SwitchB-bgp-default] quit
# On GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] service-instance 1000
[SwitchB-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchB-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchB-GigabitEthernet1/0/1-srv1000] quit
[SwitchB-GigabitEthernet1/0/1] quit
# On GigabitEthernet 1/0/2, create Ethernet service instance 2000 to match VLAN 3.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] service-instance 2000
[SwitchB-GigabitEthernet1/0/2-srv2000] encapsulation s-vid 3
# Map Ethernet service instance 2000 to VSI vpnb.
[SwitchB-GigabitEthernet1/0/2-srv2000] xconnect vsi vpnb
[SwitchB-GigabitEthernet1/0/2-srv2000] quit
[SwitchB-GigabitEthernet1/0/2] quit
# Configure RD and route target settings for VPN instance vpna.
[SwitchB] ip vpn-instance vpna
[SwitchB-vpn-instance-vpna] route-distinguisher 1:1
[SwitchB-vpn-instance-vpna] address-family ipv4
[SwitchB-vpn-ipv4-vpna] vpn-target 2:2
[SwitchB-vpn-ipv4-vpna] quit
[SwitchB-vpn-instance-vpna] address-family evpn
[SwitchB-vpn-evpn-vpna] vpn-target 1:1
[SwitchB-vpn-evpn-vpna] quit
[SwitchB-vpn-instance-vpna] quit
# Configure VSI-interface 1.
[SwitchB] interface vsi-interface 1
[SwitchB-Vsi-interface1] ip binding vpn-instance vpna
[SwitchB-Vsi-interface1] ip address 20.1.1.1 255.255.255.0
[SwitchB-Vsi-interface1] mac-address 1-1-1
[SwitchB-Vsi-interface1] distributed-gateway local
[SwitchB-Vsi-interface1] local-proxy-arp enable
[SwitchB-Vsi-interface1] quit
# Configure VSI-interface 2.
[SwitchB] interface vsi-interface 2
[SwitchB-Vsi-interface2] ip binding vpn-instance vpna
[SwitchB-Vsi-interface2] ip address 20.1.2.1 255.255.255.0
[SwitchB-Vsi-interface2] mac-address 2-2-2
[SwitchB-Vsi-interface2] distributed-gateway local
[SwitchB-Vsi-interface2] local-proxy-arp enable
[SwitchB-Vsi-interface2] quit
# Associate VSI-interface 3 with VPN instance vpna, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchB] interface vsi-interface 3
[SwitchB-Vsi-interface3] ip binding vpn-instance vpna
[SwitchB-Vsi-interface3] l3-vni 1000
[SwitchB-Vsi-interface3] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] gateway vsi-interface 1
[SwitchB-vsi-vpna] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] gateway vsi-interface 2
[SwitchB-vsi-vpnb] quit
5. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchC] vxlan tunnel mac-learning disable
[SwitchC] vxlan tunnel arp-learning disable
# Configure BGP to advertise BGP EVPN routes.
[SwitchC] bgp 200
[SwitchC-bgp-default] peer 4.4.4.4 as-number 200
[SwitchC-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchC-bgp-default] address-family l2vpn evpn
[SwitchC-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchC-bgp-default-evpn] quit
[SwitchC-bgp-default] quit
# Configure RD and route target settings for VPN instance vpna.
[SwitchC] ip vpn-instance vpna
[SwitchC-vpn-instance-vpna] route-distinguisher 1:1
[SwitchC-vpn-instance-vpna] address-family ipv4
[SwitchC-vpn-ipv4-vpna] vpn-target 2:2
[SwitchC-vpn-ipv4-vpna] quit
[SwitchC-vpn-instance-vpna] address-family evpn
[SwitchC-vpn-evpn-vpna] vpn-target 1:1
[SwitchC-vpn-evpn-vpna] quit
[SwitchC-vpn-instance-vpna] quit
# Associate VSI-interface 3 with VPN instance vpna, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchC] interface vsi-interface 3
[SwitchC-Vsi-interface3] ip binding vpn-instance vpna
[SwitchC-Vsi-interface3] l3-vni 1000
[SwitchC-Vsi-interface3] quit
# Configure a default route. The next hop is the IP address of a device in the Layer 3 network.
[SwitchC] ip route-static vpn-instance vpna 0.0.0.0 0 20.1.1.100
# Import the default route to the BGP IPv4 unicast routing table of VPN instance vpna.
[SwitchC] bgp 200
[SwitchC-bgp-default] ip vpn-instance vpna
[SwitchC-bgp-default-vpna] address-family ipv4 unicast
[SwitchC-bgp-default-ipv4-vpna] default-route imported
[SwitchC-bgp-default-ipv4-vpna] import-route static
[SwitchC-bgp-default-ipv4-vpna] quit
[SwitchC-bgp-default-vpna] quit
[SwitchC-bgp-default] quit
# Associate VLAN-interface 20 with VPN instance vpna. VLAN-interface 20 provides access to the Layer 3 network connected to Switch C.
[SwitchC] interface vlan-interface 20
[SwitchC-Vlan-interface20] ip binding vpn-instance vpna
[SwitchC-Vlan-interface20] ip address 20.1.1.3 24
[SwitchC-Vlan-interface20] quit
6. Configure Switch D:
# Establish BGP connections with other transport network switches.
<SwitchD> system-view
[SwitchD] bgp 200
[SwitchD-bgp-default] group evpn
[SwitchD-bgp-default] peer 1.1.1.1 group evpn
[SwitchD-bgp-default] peer 2.2.2.2 group evpn
[SwitchD-bgp-default] peer 3.3.3.3 group evpn
[SwitchD-bgp-default] peer evpn as-number 200
[SwitchD-bgp-default] peer evpn connect-interface loopback 0
# Configure BGP to advertise BGP EVPN routes, and disable route target filtering for BGP EVPN routes.
[SwitchD-bgp-default] address-family l2vpn evpn
[SwitchD-bgp-default-evpn] peer evpn enable
[SwitchD-bgp-default-evpn] undo policy vpn-target
# Configure Switch D as an RR.
[SwitchD-bgp-default-evpn] peer evpn reflect-client
[SwitchD-bgp-default-evpn] quit
[SwitchD-bgp-default] quit
Verifying the configuration
1. Verify the distributed EVPN gateway settings on Switch A:
# Verify that Switch A has advertised the IP prefix advertisement routes for the gateways and the MAC/IP advertisement routes and IMET routes for each VSI. Verify that Switch A has received the IP prefix advertisement routes for the gateways and the MAC/IP advertisement routes and IMET routes for each VSI from Switch B. (Details not shown.)
# Verify that the VXLAN tunnel interfaces are up on Switch A. (This example uses Tunnel 0.)
[SwitchA] display interface tunnel 0
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 1.1.1.1, destination 2.2.2.2
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the VSI interfaces are up on Switch A. (This example uses VSI-interface 1.)
[SwitchA] display interface vsi-interface 1
Vsi-interface1
Current state: UP
Line protocol state: UP
Description: Vsi-interface1 Interface
Bandwidth: 1000000 kbps
Maximum transmission unit: 1500
Internet address: 10.1.1.1/24 (primary)
IP packet frame type: Ethernet II, hardware address: 0003-0003-0003
IPv6 packet frame type: Ethernet II, hardware address: 0003-0003-0003
Physical: Unknown, baudrate: 1000000 kbps
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the VXLAN tunnels have been assigned to the VXLANs, and that the VSI interfaces are the gateway interfaces of their respective VXLANs.
[SwitchA] display l2vpn vsi verbose
VSI Name: Auto_L3VNI1000_3
VSI Index : 1
VSI State : Down
MTU : 1500
Bandwidth : -
Broadcast Restrain : 5120 kbps
Multicast Restrain : 5120 kbps
Unknown Unicast Restrain: 5120 kbps
MAC Learning : Enabled
MAC Table Limit : Unlimited
MAC Learning rate : Unlimited
Drop Unknown : Disabled
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 3
VXLAN ID : 1000
Tunnel Statistics : Disabled
VSI Name: vpna
VSI Index : 0
VSI State : Up
MTU : 1500
Bandwidth : -
Broadcast Restrain : 5120 kbps
Multicast Restrain : 5120 kbps
Unknown Unicast Restrain: 5120 kbps
MAC Learning : Enabled
MAC Table Limit : Unlimited
MAC Learning rate : Unlimited
Drop Unknown : Disabled
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 1
VXLAN ID : 10
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel0 0x5000000 UP Auto Disabled
ACs:
AC Link ID State Type
GE1/0/1 srv1000 0x0 Up Manual
VSI Name: vpnb
VSI Index : 2
VSI State : Up
MTU : 1500
Bandwidth : -
Broadcast Restrain : 5120 kbps
Multicast Restrain : 5120 kbps
Unknown Unicast Restrain: 5120 kbps
MAC Learning : Enabled
MAC Table Limit : Unlimited
MAC Learning rate : Unlimited
Drop Unknown : Disabled
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 2
VXLAN ID : 20
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel0 0x5000000 UP Auto Disabled
ACs:
AC Link ID State Type
GE1/0/1 srv2000 0x0 Up Manual
# Verify that Switch A has created ARP entries for the VMs. (Details not shown.)
# Verify that Switch A has created EVPN ARP entries for the VMs.
[SwitchA] display evpn route arp
Flags: D - Dynamic B - BGP L - Local active
G - Gateway S - Static M - Mapping I - Invalid
E - Multihoming ES sync F - Leaf
VPN instance: vpna Interface: Vsi-interface1
IP address MAC address Router MAC VSI index Flags
10.1.1.1 0001-0001-0001 522b-3413-0200 0 GL
10.1.1.10 521f-b814-0106 522b-3413-0200 0 DL
20.1.1.20 522b-3c6a-0406 522b-38cd-0300 0 B
2. Verify that VM 1, VM 2, VM 3, and VM 4 can communicate with one another. (Details not shown.)
Private-public IPv4 network communication example
Network requirements
As shown in Figure 19:
· Configure VXLAN 10, VXLAN 20, and VXLAN 30 on Switch A, Switch B, and Switch C to meet the following requirements:
  ○ VXLAN 10 and VXLAN 20 are on the private network, and VXLAN 30 is on the public network.
  ○ VXLAN 10 can communicate with VXLAN 20 and VXLAN 30, and VXLAN 20 is isolated from VXLAN 30.
· Configure Switch A, Switch B, and Switch C as distributed EVPN gateways to provide gateway services for the VXLANs.
· Configure Switch D as an RR to reflect BGP EVPN routes between Switch A, Switch B, and Switch C.
Configuration procedure
1. On VM 1, VM 2, and VM 3, specify 10.1.1.1, 10.1.2.1, and 10.1.3.1 as the gateway address, respectively. (Details not shown.)
2. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 19. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D) for them to reach one another. (Details not shown.)
3. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchA] vxlan tunnel mac-learning disable
[SwitchA] vxlan tunnel arp-learning disable
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] evpn encapsulation vxlan
[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchA] bgp 200
[SwitchA-bgp-default] peer 4.4.4.4 as-number 200
[SwitchA-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchA-bgp-default] address-family l2vpn evpn
[SwitchA-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchA-bgp-default-evpn] quit
[SwitchA-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 1.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 1
[SwitchA-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 1
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] quit
[SwitchA-Ten-GigabitEthernet1/0/1] quit
# Configure RD and route target settings for VPN instance vpna.
[SwitchA] ip vpn-instance vpna
[SwitchA-vpn-instance-vpna] route-distinguisher 1:1
[SwitchA-vpn-instance-vpna] address-family ipv4
[SwitchA-vpn-ipv4-vpna] vpn-target 1:1
[SwitchA-vpn-ipv4-vpna] vpn-target 2:2 import-extcommunity
[SwitchA-vpn-ipv4-vpna] vpn-target 3:3 import-extcommunity
[SwitchA-vpn-ipv4-vpna] quit
[SwitchA-vpn-instance-vpna] address-family evpn
[SwitchA-vpn-evpn-vpna] vpn-target 1:1
[SwitchA-vpn-evpn-vpna] vpn-target 2:2 import-extcommunity
[SwitchA-vpn-evpn-vpna] vpn-target 3:3 import-extcommunity
[SwitchA-vpn-evpn-vpna] quit
[SwitchA-vpn-instance-vpna] quit
# Configure VSI-interface 1.
[SwitchA] interface vsi-interface 1
[SwitchA-Vsi-interface1] ip binding vpn-instance vpna
[SwitchA-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchA-Vsi-interface1] distributed-gateway local
[SwitchA-Vsi-interface1] local-proxy-arp enable
[SwitchA-Vsi-interface1] quit
# Associate VSI-interface 2 with VPN instance vpna, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchA] interface vsi-interface 2
[SwitchA-Vsi-interface2] ip binding vpn-instance vpna
[SwitchA-Vsi-interface2] l3-vni 1000
[SwitchA-Vsi-interface2] quit
# Create VSI-interface 3 and configure its L3 VXLAN ID as 2000 for matching routes from Switch B.
[SwitchA] interface vsi-interface 3
[SwitchA-Vsi-interface3] l3-vni 2000
[SwitchA-Vsi-interface3] quit
# Create VSI-interface 4 and configure its L3 VXLAN ID as 3000 for matching routes from Switch C.
[SwitchA] interface vsi-interface 4
[SwitchA-Vsi-interface4] l3-vni 3000
[SwitchA-Vsi-interface4] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] gateway vsi-interface 1
[SwitchA-vsi-vpna] quit
4. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchB] vxlan tunnel mac-learning disable
[SwitchB] vxlan tunnel arp-learning disable
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] evpn encapsulation vxlan
[SwitchB-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchB-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchB-vsi-vpnb] vxlan 20
[SwitchB-vsi-vpnb-vxlan-20] quit
[SwitchB-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchB] bgp 200
[SwitchB-bgp-default] peer 4.4.4.4 as-number 200
[SwitchB-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchB-bgp-default] address-family l2vpn evpn
[SwitchB-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchB-bgp-default-evpn] quit
[SwitchB-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 2.
[SwitchB] interface ten-gigabitethernet 1/0/1
[SwitchB-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-Ten-GigabitEthernet1/0/1] port trunk permit vlan 2
[SwitchB-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchB-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpnb.
[SwitchB-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpnb
[SwitchB-Ten-GigabitEthernet1/0/1-srv1000] quit
[SwitchB-Ten-GigabitEthernet1/0/1] quit
# Configure RD and route target settings for VPN instance vpnb.
[SwitchB] ip vpn-instance vpnb
[SwitchB-vpn-instance-vpnb] route-distinguisher 2:2
[SwitchB-vpn-instance-vpnb] address-family ipv4
[SwitchB-vpn-ipv4-vpnb] vpn-target 2:2
[SwitchB-vpn-ipv4-vpnb] vpn-target 1:1 import-extcommunity
[SwitchB-vpn-ipv4-vpnb] quit
[SwitchB-vpn-instance-vpnb] address-family evpn
[SwitchB-vpn-evpn-vpnb] vpn-target 2:2
[SwitchB-vpn-evpn-vpnb] vpn-target 1:1 import-extcommunity
[SwitchB-vpn-evpn-vpnb] quit
[SwitchB-vpn-instance-vpnb] quit
# Configure VSI-interface 1.
[SwitchB] interface vsi-interface 1
[SwitchB-Vsi-interface1] ip binding vpn-instance vpnb
[SwitchB-Vsi-interface1] ip address 10.1.2.1 255.255.255.0
[SwitchB-Vsi-interface1] distributed-gateway local
[SwitchB-Vsi-interface1] local-proxy-arp enable
[SwitchB-Vsi-interface1] quit
# Create VSI-interface 2, and configure its L3 VXLAN ID as 1000 for matching routes from Switch A.
[SwitchB] interface vsi-interface 2
[SwitchB-Vsi-interface2] l3-vni 1000
[SwitchB-Vsi-interface2] quit
# Associate VSI-interface 3 with VPN instance vpnb, and configure the L3 VXLAN ID as 2000 for the VPN instance.
[SwitchB] interface vsi-interface 3
[SwitchB-Vsi-interface3] ip binding vpn-instance vpnb
[SwitchB-Vsi-interface3] l3-vni 2000
[SwitchB-Vsi-interface3] quit
# Create VSI-interface 4, and configure its L3 VXLAN ID as 3000 for matching routes from Switch C.
[SwitchB] interface vsi-interface 4
[SwitchB-Vsi-interface4] l3-vni 3000
[SwitchB-Vsi-interface4] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpnb.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] gateway vsi-interface 1
[SwitchB-vsi-vpnb] quit
5. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchC] vxlan tunnel mac-learning disable
[SwitchC] vxlan tunnel arp-learning disable
# Create an EVPN instance on VSI vpnc, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchC] vsi vpnc
[SwitchC-vsi-vpnc] evpn encapsulation vxlan
[SwitchC-vsi-vpnc-evpn-vxlan] route-distinguisher auto
[SwitchC-vsi-vpnc-evpn-vxlan] vpn-target auto
[SwitchC-vsi-vpnc-evpn-vxlan] quit
# Create VXLAN 30.
[SwitchC-vsi-vpnc] vxlan 30
[SwitchC-vsi-vpnc-vxlan-30] quit
[SwitchC-vsi-vpnc] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchC] bgp 200
[SwitchC-bgp-default] peer 4.4.4.4 as-number 200
[SwitchC-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchC-bgp-default] address-family ipv4 unicast
[SwitchC-bgp-default-ipv4] quit
[SwitchC-bgp-default] address-family l2vpn evpn
[SwitchC-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchC-bgp-default-evpn] quit
[SwitchC-bgp-default] quit
# Configure RD, route target, and L3 VXLAN ID settings for the public instance.
[SwitchC] ip public-instance
[SwitchC-public-instance] route-distinguisher 3:3
[SwitchC-public-instance] l3-vni 3000
[SwitchC-public-instance] address-family ipv4
[SwitchC-public-instance-ipv4] vpn-target 3:3
[SwitchC-public-instance-ipv4] vpn-target 1:1 import-extcommunity
[SwitchC-public-instance-ipv4] quit
[SwitchC-public-instance] address-family evpn
[SwitchC-public-instance-evpn] vpn-target 3:3
[SwitchC-public-instance-evpn] vpn-target 1:1 import-extcommunity
[SwitchC-public-instance-evpn] quit
[SwitchC-public-instance] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 3.
[SwitchC] interface ten-gigabitethernet 1/0/1
[SwitchC-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-Ten-GigabitEthernet1/0/1] port trunk permit vlan 3
[SwitchC-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchC-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 3
# Map Ethernet service instance 1000 to VSI vpnc.
[SwitchC-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpnc
[SwitchC-Ten-GigabitEthernet1/0/1-srv1000] quit
[SwitchC-Ten-GigabitEthernet1/0/1] quit
# Configure VSI-interface 1.
[SwitchC] interface vsi-interface 1
[SwitchC-Vsi-interface1] ip address 10.1.3.1 255.255.255.0
[SwitchC-Vsi-interface1] distributed-gateway local
[SwitchC-Vsi-interface1] local-proxy-arp enable
[SwitchC-Vsi-interface1] quit
# Create VSI-interface 2, and configure its L3 VXLAN ID as 1000 for matching routes from Switch A.
[SwitchC] interface vsi-interface 2
[SwitchC-Vsi-interface2] l3-vni 1000
[SwitchC-Vsi-interface2] quit
# Create VSI-interface 3, and configure its L3 VXLAN ID as 2000 for matching routes from Switch B.
[SwitchC] interface vsi-interface 3
[SwitchC-Vsi-interface3] l3-vni 2000
[SwitchC-Vsi-interface3] quit
# Create VSI-interface 4 for the public instance, and configure the L3 VXLAN ID as 3000 for the VSI interface.
[SwitchC] interface vsi-interface 4
[SwitchC-Vsi-interface4] l3-vni 3000
[SwitchC-Vsi-interface4] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpnc.
[SwitchC] vsi vpnc
[SwitchC-vsi-vpnc] gateway vsi-interface 1
[SwitchC-vsi-vpnc] quit
6. Configure Switch D:
# Establish BGP connections with other transport network switches.
<SwitchD> system-view
[SwitchD] bgp 200
[SwitchD-bgp-default] group evpn
[SwitchD-bgp-default] peer 1.1.1.1 group evpn
[SwitchD-bgp-default] peer 2.2.2.2 group evpn
[SwitchD-bgp-default] peer 3.3.3.3 group evpn
[SwitchD-bgp-default] peer evpn as-number 200
[SwitchD-bgp-default] peer evpn connect-interface loopback 0
# Configure BGP to advertise BGP EVPN routes, and disable route target filtering for BGP EVPN routes.
[SwitchD-bgp-default] address-family l2vpn evpn
[SwitchD-bgp-default-evpn] peer evpn enable
[SwitchD-bgp-default-evpn] undo policy vpn-target
# Configure Switch D as an RR.
[SwitchD-bgp-default-evpn] peer evpn reflect-client
[SwitchD-bgp-default-evpn] quit
[SwitchD-bgp-default] quit
Verifying the configuration
1. Verify the distributed EVPN gateway settings on Switch A:
# Verify that Switch A has advertised the IP prefix advertisement routes for the gateways and the MAC/IP advertisement routes and IMET routes for each VSI. Verify that Switch A has received the IP prefix advertisement routes for the gateways and the MAC/IP advertisement routes and IMET routes for each VSI from Switch B and Switch C. (Details not shown.)
# Verify that the VXLAN tunnel interfaces are up on Switch A.
[SwitchA] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 1.1.1.1, destination 2.2.2.2
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 15 packets, 1470 bytes, 0 drops
Output: 15 packets, 1470 bytes, 0 drops
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 1.1.1.1, destination 3.3.3.3
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 22 packets, 2156 bytes, 0 drops
Output: 23 packets, 2254 bytes, 0 drops
# Verify that the VSI interfaces are up on Switch A.
[SwitchA] display interface vsi-interface brief
Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
Vsi1 UP UP 10.1.1.1
Vsi2 UP UP --
Vsi3 UP UP --
Vsi4 UP UP --
# Verify that the VXLAN tunnels have been assigned to the VXLANs, and that the VSI interfaces are the gateway interfaces of their respective VXLANs.
[SwitchA] display l2vpn vsi verbose
VSI Name: Auto_L3VNI1000_2
VSI Index : 1
VSI State : Down
MTU : 1500
Bandwidth : -
Broadcast Restrain : -
Multicast Restrain : -
Unknown Unicast Restrain: -
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 2
VXLAN ID : 1000
VSI Name: Auto_L3VNI2000_3
VSI Index : 2
VSI State : Down
MTU : 1500
Bandwidth : -
Broadcast Restrain : -
Multicast Restrain : -
Unknown Unicast Restrain: -
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 3
VXLAN ID : 2000
VSI Name: Auto_L3VNI3000_4
VSI Index : 3
VSI State : Down
MTU : 1500
Bandwidth : -
Broadcast Restrain : -
Multicast Restrain : -
Unknown Unicast Restrain: -
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 4
VXLAN ID : 3000
VSI Name: vpna
VSI Index : 0
VSI State : Up
MTU : 1500
Bandwidth : -
Broadcast Restrain : -
Multicast Restrain : -
Unknown Unicast Restrain: -
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 1
VXLAN ID : 10
ACs:
AC Link ID State Type
XGE1/0/1 srv1000 0 Up Manual
# Verify that Switch A has created ARP entries for the VMs.
[SwitchA] display arp
Type: S-Static D-Dynamic O-Openflow R-Rule M-Multiport I-Invalid
IP address MAC address VLAN/VSI Interface/Link ID Aging Type
10.1.1.10 582e-aaec-0806 0 0x0 10 D
11.1.1.4 582c-1385-0517 -- Vlan11 14 D
2.2.2.2 582e-8ba6-0700 2 Tunnel0 N/A R
3.3.3.3 9a51-95ba-1000 3 Tunnel1 N/A R
2. Verify that VM 1 can communicate with VM 2 and VM 3, and VM 2 cannot communicate with VM 3. (Details not shown.)
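The requirement that VXLAN 20 stays isolated from VXLAN 30 depends on the route target import and export lists configured above. The following added example (not part of the original procedure) parses those `vpn-target` commands and reports which instances accept each other's routes. It assumes that a `vpn-target` command without a keyword sets both the import and the export target; the function names and the `public-instance` label are chosen for this example.

```python
import re
from collections import defaultdict

# Constructed input: the EVPN address-family route target commands from the
# procedure above, one excerpt per gateway.
TRANSCRIPT = """\
[SwitchA] ip vpn-instance vpna
[SwitchA-vpn-instance-vpna] address-family evpn
[SwitchA-vpn-evpn-vpna] vpn-target 1:1
[SwitchA-vpn-evpn-vpna] vpn-target 2:2 import-extcommunity
[SwitchA-vpn-evpn-vpna] vpn-target 3:3 import-extcommunity
[SwitchA-vpn-evpn-vpna] quit
[SwitchA-vpn-instance-vpna] quit
[SwitchB] ip vpn-instance vpnb
[SwitchB-vpn-instance-vpnb] address-family evpn
[SwitchB-vpn-evpn-vpnb] vpn-target 2:2
[SwitchB-vpn-evpn-vpnb] vpn-target 1:1 import-extcommunity
[SwitchB-vpn-evpn-vpnb] quit
[SwitchB-vpn-instance-vpnb] quit
[SwitchC] ip public-instance
[SwitchC-public-instance] address-family evpn
[SwitchC-public-instance-evpn] vpn-target 3:3
[SwitchC-public-instance-evpn] vpn-target 1:1 import-extcommunity
[SwitchC-public-instance-evpn] quit
[SwitchC-public-instance] quit
"""

# Pair the network requirements keep apart: VXLAN 20 (vpnb) and VXLAN 30
# (public instance). "public-instance" is a label chosen for this example.
ISOLATED = [("vpnb", "public-instance")]

# Strips a leading "[view]" or "<view>" prompt, with or without a space after it.
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")

# Assumption: a vpn-target command without a keyword behaves like "both".
DIRECTIONS = {
    "both": ("import", "export"),
    "import-extcommunity": ("import",),
    "export-extcommunity": ("export",),
}


def parse_route_targets(transcript, family="evpn"):
    """Return {instance: {"import": set, "export": set}} for one address family."""
    policy = defaultdict(lambda: {"import": set(), "export": set()})
    view = []  # stack of entered views: [instance] or [instance, family]
    for raw in transcript.splitlines():
        words = PROMPT.sub("", raw).split()
        if not words or words[0] == "#":
            continue
        if words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
            view = [words[2]]
        elif words[:2] == ["ip", "public-instance"]:
            view = ["public-instance"]
        elif words[0] == "address-family" and len(words) >= 2 and view:
            view = view[:1] + [words[1]]
        elif words[0] == "quit" and view:
            view.pop()
        elif words[0] == "vpn-target" and len(view) == 2 and view[1] == family:
            keyword = words[-1] if words[-1] in DIRECTIONS else "both"
            targets = [w for w in words[1:] if ":" in w]
            for direction in DIRECTIONS[keyword]:
                policy[view[0]][direction].update(targets)
    return policy


def accepts(policy, receiver, sender):
    """True if receiver imports at least one route target that sender exports."""
    return bool(policy[receiver]["import"] & policy[sender]["export"])


def reachability(policy):
    """Map each instance pair to True when routes are accepted in both directions."""
    names = sorted(policy)
    return {
        (a, b): accepts(policy, a, b) and accepts(policy, b, a)
        for i, a in enumerate(names)
        for b in names[i + 1:]
    }


def leaks(policy, isolated_pairs):
    """List (receiver, sender) directions that accept routes despite required isolation."""
    found = []
    for a, b in isolated_pairs:
        for receiver, sender in ((a, b), (b, a)):
            if accepts(policy, receiver, sender):
                found.append((receiver, sender))
    return found


if __name__ == "__main__":
    policy = parse_route_targets(TRANSCRIPT)
    for pair, ok in reachability(policy).items():
        print(pair, "reachable" if ok else "isolated")
    print("isolation violations:", leaks(policy, ISOLATED))
```

Because Switch D disables route target filtering with `undo policy vpn-target`, the import lists on Switch A, Switch B, and Switch C decide which reflected routes each instance accepts; `leaks` also reports a one-way import, which a ping test between the VMs would not reveal.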
IPv4 EVPN M-LAG with a direct peer link configuration example
Network requirements
As shown in Figure 20, perform the following tasks to make sure the VMs can communicate with one another:
· Configure VXLAN 10 on Switch A and Switch B, and configure VXLAN 20 on Switch D.
· Configure EVPN M-LAG on Switch A and Switch B to virtualize them into one VTEP. The switches use a direct peer link.
· Configure Switch C as a centralized EVPN gateway and RR.
NOTE: This example provides configuration of IPv4 sites extended by an IPv4 underlay network. The configuration procedure does not differ between site or underlay network types.
Configuration procedure
1. On VM 1 and VM 2, specify 10.1.1.1 as the gateway address. On VM 3, specify 10.1.2.1 as the gateway address. (Details not shown.)
2. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces (including loopback interfaces), as shown in Figure 20. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D) for them to reach one another. (Details not shown.)
3. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Use one of the following methods to configure frame match criteria for the dynamic ACs on the direct peer link:
IMPORTANT: Switch A and Switch B must use the same method.
○ Enable the switch to create frame match criteria based on VXLAN IDs for the dynamic ACs on the direct peer link.
[SwitchA] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
○ Enable the switch to create frame match criteria that are identical to those of site-facing ACs for the dynamic ACs on the direct peer link.
This is the default setting. No additional configuration is required.
# Enable EVPN M-LAG, and specify the virtual VTEP address as 1.2.3.4.
[SwitchA] evpn m-lag group 1.2.3.4
# Configure M-LAG system parameters.
[SwitchA] m-lag system-mac 0001-0001-0001
[SwitchA] m-lag system-number 1
[SwitchA] m-lag system-priority 10
[SwitchA] m-lag keepalive ip destination 60.1.1.2 source 60.1.1.1
[SwitchA] m-lag restore-delay 180
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3.
[SwitchA] interface bridge-aggregation 3
[SwitchA-Bridge-Aggregation3] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation3] quit
# Assign Ten-GigabitEthernet 1/0/3 to link aggregation group 3.
[SwitchA] interface ten-gigabitethernet 1/0/3
[SwitchA-Ten-GigabitEthernet1/0/3] port link-aggregation group 3
[SwitchA-Ten-GigabitEthernet1/0/3] quit
# Specify Bridge-Aggregation 3 as the peer-link interface.
[SwitchA] interface bridge-aggregation 3
[SwitchA-Bridge-Aggregation3] port m-lag peer-link 1
[SwitchA-Bridge-Aggregation3] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
[SwitchA] interface bridge-aggregation 4
[SwitchA-Bridge-Aggregation4] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation4] quit
# Assign Ten-GigabitEthernet 1/0/1 to link aggregation group 4.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-aggregation group 4
[SwitchA-Ten-GigabitEthernet1/0/1] quit
# Assign Bridge-Aggregation 4 to M-LAG group 4.
[SwitchA] interface bridge-aggregation 4
[SwitchA-Bridge-Aggregation4] port m-lag group 4
[SwitchA-Bridge-Aggregation4] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 5.
[SwitchA] interface bridge-aggregation 5
[SwitchA-Bridge-Aggregation5] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation5] quit
# Assign Ten-GigabitEthernet 1/0/2 to link aggregation group 5.
[SwitchA] interface ten-gigabitethernet 1/0/2
[SwitchA-Ten-GigabitEthernet1/0/2] port link-aggregation group 5
[SwitchA-Ten-GigabitEthernet1/0/2] quit
# Assign Bridge-Aggregation 5 to M-LAG group 5.
[SwitchA] interface bridge-aggregation 5
[SwitchA-Bridge-Aggregation5] port m-lag group 5
[SwitchA-Bridge-Aggregation5] quit
# Exclude interfaces from the shutdown action by M-LAG MAD.
[SwitchA] m-lag mad exclude interface loopback 0
[SwitchA] m-lag mad exclude interface ten-gigabitethernet 1/0/4
[SwitchA] m-lag mad exclude interface ten-gigabitethernet 1/0/5
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] arp suppression enable
[SwitchA-vsi-vpna] evpn encapsulation vxlan
[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchA] bgp 200
[SwitchA-bgp-default] peer 3.3.3.3 as-number 200
[SwitchA-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchA-bgp-default] address-family l2vpn evpn
[SwitchA-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchA-bgp-default-evpn] quit
[SwitchA-bgp-default] quit
# On Bridge-Aggregation 4, create Ethernet service instance 1000 to match VLAN 2.
[SwitchA] interface bridge-aggregation 4
[SwitchA-Bridge-Aggregation4] service-instance 1000
[SwitchA-Bridge-Aggregation4-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Bridge-Aggregation4-srv1000] xconnect vsi vpna
[SwitchA-Bridge-Aggregation4-srv1000] quit
# On Bridge-Aggregation 5, create Ethernet service instance 1000 to match VLAN 3.
[SwitchA] interface bridge-aggregation 5
[SwitchA-Bridge-Aggregation5] service-instance 1000
[SwitchA-Bridge-Aggregation5-srv1000] encapsulation s-vid 3
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Bridge-Aggregation5-srv1000] xconnect vsi vpna
[SwitchA-Bridge-Aggregation5-srv1000] quit
4. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Use one of the following methods to configure frame match criteria for the dynamic ACs on the direct peer link:
IMPORTANT: Switch B must use the same method as Switch A.
○ Enable the switch to create frame match criteria based on VXLAN IDs for the dynamic ACs on the direct peer link.
[SwitchB] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
○ Enable the switch to create frame match criteria that are identical to those of site-facing ACs for the dynamic ACs on the direct peer link.
This is the default setting. No additional configuration is required.
# Enable EVPN M-LAG, and specify the virtual VTEP address as 1.2.3.4.
[SwitchB] evpn m-lag group 1.2.3.4
# Configure M-LAG system parameters.
[SwitchB] m-lag system-mac 0001-0001-0001
[SwitchB] m-lag system-number 2
[SwitchB] m-lag system-priority 10
[SwitchB] m-lag keepalive ip destination 60.1.1.1 source 60.1.1.2
[SwitchB] m-lag restore-delay 180
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3.
[SwitchB] interface bridge-aggregation 3
[SwitchB-Bridge-Aggregation3] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation3] quit
# Assign Ten-GigabitEthernet 1/0/3 to aggregation group 3.
[SwitchB] interface ten-gigabitethernet 1/0/3
[SwitchB-Ten-GigabitEthernet1/0/3] port link-aggregation group 3
[SwitchB-Ten-GigabitEthernet1/0/3] quit
# Specify Bridge-Aggregation 3 as the peer-link interface.
[SwitchB] interface bridge-aggregation 3
[SwitchB-Bridge-Aggregation3] port m-lag peer-link 1
[SwitchB-Bridge-Aggregation3] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
[SwitchB] interface bridge-aggregation 4
[SwitchB-Bridge-Aggregation4] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation4] quit
# Assign Ten-GigabitEthernet 1/0/1 to aggregation group 4.
[SwitchB] interface ten-gigabitethernet 1/0/1
[SwitchB-Ten-GigabitEthernet1/0/1] port link-aggregation group 4
[SwitchB-Ten-GigabitEthernet1/0/1] quit
# Assign Bridge-Aggregation 4 to M-LAG group 4.
[SwitchB] interface bridge-aggregation 4
[SwitchB-Bridge-Aggregation4] port m-lag group 4
[SwitchB-Bridge-Aggregation4] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 5.
[SwitchB] interface bridge-aggregation 5
[SwitchB-Bridge-Aggregation5] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation5] quit
# Assign Ten-GigabitEthernet 1/0/2 to aggregation group 5.
[SwitchB] interface ten-gigabitethernet 1/0/2
[SwitchB-Ten-GigabitEthernet1/0/2] port link-aggregation group 5
[SwitchB-Ten-GigabitEthernet1/0/2] quit
# Assign Bridge-Aggregation 5 to M-LAG group 5.
[SwitchB] interface bridge-aggregation 5
[SwitchB-Bridge-Aggregation5] port m-lag group 5
[SwitchB-Bridge-Aggregation5] quit
# Exclude interfaces from the shutdown action by M-LAG MAD.
[SwitchB] m-lag mad exclude interface loopback 0
[SwitchB] m-lag mad exclude interface ten-gigabitethernet 1/0/4
[SwitchB] m-lag mad exclude interface ten-gigabitethernet 1/0/5
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] arp suppression enable
[SwitchB-vsi-vpna] evpn encapsulation vxlan
[SwitchB-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchB-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchB] bgp 200
[SwitchB-bgp-default] peer 3.3.3.3 as-number 200
[SwitchB-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchB-bgp-default] address-family l2vpn evpn
[SwitchB-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchB-bgp-default-evpn] quit
[SwitchB-bgp-default] quit
# On Bridge-Aggregation 4, create Ethernet service instance 1000 to match VLAN 2.
[SwitchB] interface bridge-aggregation 4
[SwitchB-Bridge-Aggregation4] service-instance 1000
[SwitchB-Bridge-Aggregation4-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchB-Bridge-Aggregation4-srv1000] xconnect vsi vpna
[SwitchB-Bridge-Aggregation4-srv1000] quit
# On Bridge-Aggregation 5, create Ethernet service instance 1000 to match VLAN 3.
[SwitchB] interface bridge-aggregation 5
[SwitchB-Bridge-Aggregation5] service-instance 1000
[SwitchB-Bridge-Aggregation5-srv1000] encapsulation s-vid 3
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchB-Bridge-Aggregation5-srv1000] xconnect vsi vpna
[SwitchB-Bridge-Aggregation5-srv1000] quit
5. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Disable remote MAC address learning.
[SwitchC] vxlan tunnel mac-learning disable
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] evpn encapsulation vxlan
[SwitchC-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchC-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchC-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] evpn encapsulation vxlan
[SwitchC-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchC-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchC-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchC-vsi-vpnb] vxlan 20
[SwitchC-vsi-vpnb-vxlan-20] quit
[SwitchC-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes, and configure Switch C as an RR.
[SwitchC] bgp 200
[SwitchC-bgp-default] group evpn
[SwitchC-bgp-default] peer 1.1.1.1 group evpn
[SwitchC-bgp-default] peer 2.2.2.2 group evpn
[SwitchC-bgp-default] peer 4.4.4.4 group evpn
[SwitchC-bgp-default] peer evpn as-number 200
[SwitchC-bgp-default] peer evpn connect-interface loopback 0
[SwitchC-bgp-default] address-family l2vpn evpn
[SwitchC-bgp-default-evpn] peer evpn enable
[SwitchC-bgp-default-evpn] undo policy vpn-target
[SwitchC-bgp-default-evpn] peer evpn reflect-client
[SwitchC-bgp-default-evpn] quit
[SwitchC-bgp-default] quit
# Create VSI-interface 1 and assign it an IP address. The IP address is the gateway address of VXLAN 10.
[SwitchC] interface vsi-interface 1
[SwitchC-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchC-Vsi-interface1] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] gateway vsi-interface 1
[SwitchC-vsi-vpna] quit
# Create VSI-interface 2 and assign it an IP address. The IP address is the gateway address of VXLAN 20.
[SwitchC] interface vsi-interface 2
[SwitchC-Vsi-interface2] ip address 10.1.2.1 255.255.255.0
[SwitchC-Vsi-interface2] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] gateway vsi-interface 2
[SwitchC-vsi-vpnb] quit
6. Configure Switch D:
# Enable L2VPN.
<SwitchD> system-view
[SwitchD] l2vpn enable
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchD] vsi vpnb
[SwitchD-vsi-vpnb] arp suppression enable
[SwitchD-vsi-vpnb] evpn encapsulation vxlan
[SwitchD-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchD-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchD-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchD-vsi-vpnb] vxlan 20
[SwitchD-vsi-vpnb-vxlan-20] quit
[SwitchD-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchD] bgp 200
[SwitchD-bgp-default] peer 3.3.3.3 as-number 200
[SwitchD-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchD-bgp-default] address-family l2vpn evpn
[SwitchD-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchD-bgp-default-evpn] quit
[SwitchD-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 4.
[SwitchD] interface ten-gigabitethernet 1/0/1
[SwitchD-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 4
# Map Ethernet service instance 1000 to VSI vpnb.
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpnb
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] quit
Verifying the configuration
1. Verify the centralized EVPN gateway settings on Switch C:
# Verify that Switch C has advertised MAC/IP advertisement routes and IMET routes of the gateway to other devices. Verify that Switch C has received MAC/IP advertisement routes and IMET routes from Switch A, Switch B, and Switch D. (Details not shown.)
# Verify that the VXLAN tunnel to Switch A and Switch B is up, and the tunnel destination address is the virtual VTEP address.
[SwitchC] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 3.3.3.3, destination 1.2.3.4
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 4 bytes/sec, 32 bits/sec, 0 packets/sec
Input: 2 packets, 340 bytes, 0 drops
Output: 16 packets, 2793 bytes, 0 drops
# Verify that the VXLAN tunnels have been assigned to the VXLANs, and that the VSI interfaces are the gateway interfaces of their respective VXLANs.
[SwitchC] display l2vpn vsi verbose
VSI Name: vpna
VSI Index : 0
VSI State : Up
MTU : 1500
Bandwidth : Unlimited
Broadcast Restrain : Unlimited
Multicast Restrain : Unlimited
Unknown Unicast Restrain: Unlimited
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 1
VXLAN ID : 10
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel0 0x5000000 UP Auto Disabled
VSI Name: vpnb
VSI Index : 1
VSI State : Up
MTU : 1500
Bandwidth : Unlimited
Broadcast Restrain : Unlimited
Multicast Restrain : Unlimited
Unknown Unicast Restrain: Unlimited
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 2
VXLAN ID : 20
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel1 0x5000001 UP Auto Disabled
2. Verify the EVPN M-LAG settings on Switch A:
# Verify that Switch A has BGP EVPN routes.
[SwitchA] display bgp l2vpn evpn
BGP local router ID is 1.2.3.4
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
a - additional-path
Origin: i - IGP, e - EGP, ? - incomplete
Total number of routes from all PEs: 5
Route distinguisher: 1:100
Total number of routes: 5
* > Network : [2][0][48][0800-2700-400e][0][0.0.0.0]/104
NextHop : 1.2.3.4 LocPrf : 100
PrefVal : 32768 OutLabel : NULL
MED : 0
Path/Ogn: i
* >i Network : [2][0][48][46b2-aea0-0101][0][0.0.0.0]/104
NextHop : 3.3.3.3 LocPrf : 100
PrefVal : 0 OutLabel : NULL
MED : 0
Path/Ogn: i
* > Network : [2][0][48][ac1e-24e3-0201][0][0.0.0.0]/104
NextHop : 3.3.3.3 LocPrf : 100
PrefVal : 0 OutLabel : NULL
MED : 0
Path/Ogn: i
* >i Network : [3][0][32][1.2.3.4]/80
NextHop : 1.2.3.4 LocPrf : 100
PrefVal : 32768 OutLabel : NULL
MED : 0
Path/Ogn: i
* >i Network : [3][0][32][3.3.3.3]/80
NextHop : 3.3.3.3 LocPrf : 100
PrefVal : 0 OutLabel : NULL
MED : 0
Path/Ogn: i
# Verify that the VXLAN tunnel to Switch C is up, and the tunnel source address is the virtual VTEP address.
[SwitchA] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 1.2.3.4, destination 3.3.3.3
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 1 bytes/sec, 8 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 33 packets, 6121 bytes, 0 drops
# Verify that ACs are automatically created on the peer link and assigned to VSIs.
○ For dynamic ACs whose frame match criteria are generated based on VXLAN IDs:
[SwitchA] display l2vpn vsi verbose
VSI Name: vpna
VSI Index : 1
VSI State : Up
MTU : 1500
Bandwidth : Unlimited
Broadcast Restrain : Unlimited
Multicast Restrain : Unlimited
Unknown Unicast Restrain: Unlimited
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
VXLAN ID : 10
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel0 0x5000000 UP Auto Disabled
ACs:
AC Link ID State Type
BAGG3 srv1 0 Up Dynamic (M-LAG)
BAGG4 srv1000 1 Up Manual
BAGG5 srv1000 2 Up Manual
○ For dynamic ACs whose frame match criteria are identical to those of site-facing ACs:
[SwitchA] display l2vpn vsi verbose
VSI Name: vpna
VSI Index : 1
VSI State : Up
MTU : 1500
Bandwidth : Unlimited
Broadcast Restrain : Unlimited
Multicast Restrain : Unlimited
Unknown Unicast Restrain: Unlimited
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
VXLAN ID : 10
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel0 0x5000000 UP Auto Disabled
ACs:
AC Link ID State Type
BAGG4 srv1000 0 Up Manual
BAGG3 srv2 1 Up Dynamic (M-LAG)
BAGG5 srv1000 2 Up Manual
BAGG3 srv3 3 Up Dynamic (M-LAG)
3. Verify network connectivity for the VMs:
# Verify that VM 1, VM 2, and VM 3 can communicate when both Switch A and Switch B are operating correctly. (Details not shown.)
# Verify that VM 1, VM 2, and VM 3 can communicate when Switch A's or Switch B's links to the local site are disconnected. (Details not shown.)
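The tunnel check in the verification steps above can be scripted. The following is an added example, not H3C code: it parses `display interface tunnel` output and, going slightly beyond the single check shown, compares every VXLAN tunnel against a list of expected VTEP addresses, because EVPN creates these tunnels automatically from received BGP EVPN routes. The function names and the sample output are constructed for illustration (Tunnel1 and Tunnel2 are not from this example's output).

```python
import re

# Constructed input in the format of `display interface tunnel`.
# Tunnel0 follows the Switch C output above; Tunnel1 (line protocol down)
# and Tunnel2 (unknown destination from a documentation range) are made up.
SAMPLE = """\
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Tunnel source 3.3.3.3, destination 1.2.3.4
Tunnel protocol/transport UDP_VXLAN/IP
Tunnel1
Current state: UP
Line protocol state: DOWN
Tunnel source 3.3.3.3, destination 4.4.4.4
Tunnel protocol/transport UDP_VXLAN/IP
Tunnel2
Current state: UP
Line protocol state: UP
Tunnel source 3.3.3.3, destination 192.0.2.77
Tunnel protocol/transport UDP_VXLAN/IP
"""

# Lines of interest inside one tunnel block and the fields they fill.
FIELDS = (
    (re.compile(r"Current state: (.+)"), ("state",)),
    (re.compile(r"Line protocol state: (.+)"), ("line_protocol",)),
    (re.compile(r"Tunnel source (\S+), destination (\S+)"), ("source", "destination")),
    (re.compile(r"Tunnel protocol/transport (\S+)"), ("transport",)),
)


def parse_tunnels(output):
    """Split the display output into one dict per TunnelN block."""
    tunnels, current = [], None
    for line in map(str.strip, output.splitlines()):
        if re.fullmatch(r"Tunnel\d+", line):
            current = {"name": line}
            tunnels.append(current)
        elif current is not None:
            for pattern, names in FIELDS:
                m = pattern.fullmatch(line)
                if m:
                    current.update(zip(names, m.groups()))
    return tunnels


def check_vxlan_tunnels(output, local_vtep, expected_remote):
    """Return findings; an empty list means the tunnel table is as expected."""
    findings, seen = [], set()
    for t in parse_tunnels(output):
        if t.get("transport") != "UDP_VXLAN/IP":
            continue  # not a VXLAN tunnel
        name, dst = t["name"], t.get("destination")
        seen.add(dst)
        if dst not in expected_remote:
            findings.append(f"{name}: destination {dst} is not an expected VTEP")
        elif (t.get("state"), t.get("line_protocol")) != ("UP", "UP"):
            findings.append(f"{name}: tunnel to {dst} is not up")
        elif t.get("source") != local_vtep:
            findings.append(f"{name}: source {t.get('source')} is not {local_vtep}")
    for dst in sorted(set(expected_remote) - seen):
        findings.append(f"no VXLAN tunnel to expected VTEP {dst}")
    return findings


if __name__ == "__main__":
    # On Switch C, the M-LAG pair must appear as the virtual VTEP 1.2.3.4.
    for finding in check_vxlan_tunnels(SAMPLE, "3.3.3.3", {"1.2.3.4", "4.4.4.4"}):
        print(finding)
```

On Switch A or Switch B, pass the virtual VTEP address as `local_vtep` to confirm that the tunnel source is 1.2.3.4 rather than the member's own loopback address.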
IPv4 EVPN M-LAG with a tunnel peer link configuration example
Network requirements
As shown in Figure 21, perform the following tasks to make sure the VMs can communicate with one another:
· Configure VXLAN 10 on Switch A, Switch B, and Switch C, and configure VXLAN 20 on Switch C and Switch D.
· Configure EVPN M-LAG on Switch A and Switch B to virtualize them into one VTEP. The switches use a tunnel peer link.
· Configure Switch C as a centralized EVPN gateway and RR.
NOTE: This example provides configuration of IPv4 sites extended by an IPv4 underlay network. The configuration procedure does not differ between site or underlay network types.
Configuration procedure
1. On VM 1 and VM 2, specify 10.1.1.1 as the gateway address. On VM 3, specify 10.1.2.1 as the gateway address. (Details not shown.)
2. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces (including loopback interfaces), as shown in Figure 21. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D) for them to reach one another. (Details not shown.)
3. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Enable EVPN M-LAG, and specify the virtual VTEP address as 1.2.3.4.
[SwitchA] evpn m-lag group 1.2.3.4
# Specify the reserved VXLAN as VXLAN 1234.
[SwitchA] reserved vxlan 1234
# Configure M-LAG system parameters.
[SwitchA] m-lag system-mac 0001-0001-0001
[SwitchA] m-lag system-number 1
[SwitchA] m-lag system-priority 10
[SwitchA] m-lag keepalive ip destination 12.1.1.2 source 11.1.1.1
[SwitchA] m-lag restore-delay 180
# Exclude interfaces from the shutdown action by M-LAG MAD.
[SwitchA] m-lag mad exclude interface loopback 0
[SwitchA] m-lag mad exclude interface ten-gigabitethernet 1/0/4
# Create a tunnel to Switch B, and set the ToS of tunneled packets to 100.
[SwitchA] interface tunnel 1 mode vxlan
[SwitchA-Tunnel1] source 1.1.1.1
[SwitchA-Tunnel1] destination 2.2.2.2
[SwitchA-Tunnel1] tunnel tos 100
[SwitchA-Tunnel1] quit
# Exclude Tunnel 1 from the shutdown action by M-LAG MAD.
[SwitchA] m-lag mad exclude interface tunnel 1
# Specify Tunnel 1 as the peer-link interface.
[SwitchA] interface tunnel 1
[SwitchA-Tunnel1] port m-lag peer-link 1
[SwitchA-Tunnel1] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
[SwitchA] interface bridge-aggregation 4
[SwitchA-Bridge-Aggregation4] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation4] quit
# Assign Ten-GigabitEthernet 1/0/1 to link aggregation group 4.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-aggregation group 4
[SwitchA-Ten-GigabitEthernet1/0/1] quit
# Assign Bridge-Aggregation 4 to M-LAG group 4.
[SwitchA] interface bridge-aggregation 4
[SwitchA-Bridge-Aggregation4] port m-lag group 4
[SwitchA-Bridge-Aggregation4] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 5.
[SwitchA] interface bridge-aggregation 5
[SwitchA-Bridge-Aggregation5] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation5] quit
# Assign Ten-GigabitEthernet 1/0/2 to link aggregation group 5.
[SwitchA] interface ten-gigabitethernet 1/0/2
[SwitchA-Ten-GigabitEthernet1/0/2] port link-aggregation group 5
[SwitchA-Ten-GigabitEthernet1/0/2] quit
# Assign Bridge-Aggregation 5 to M-LAG group 5.
[SwitchA] interface bridge-aggregation 5
[SwitchA-Bridge-Aggregation5] port m-lag group 5
[SwitchA-Bridge-Aggregation5] quit
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] arp suppression enable
[SwitchA-vsi-vpna] evpn encapsulation vxlan
[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchA] bgp 200
[SwitchA-bgp-default] peer 3.3.3.3 as-number 200
[SwitchA-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchA-bgp-default] address-family l2vpn evpn
[SwitchA-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchA-bgp-default-evpn] quit
[SwitchA-bgp-default] quit
# On Bridge-Aggregation 4, create Ethernet service instance 1000 to match VLAN 2.
[SwitchA] interface bridge-aggregation 4
[SwitchA-Bridge-Aggregation4] service-instance 1000
[SwitchA-Bridge-Aggregation4-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Bridge-Aggregation4-srv1000] xconnect vsi vpna
[SwitchA-Bridge-Aggregation4-srv1000] quit
# On Bridge-Aggregation 5, create Ethernet service instance 1000 to match VLAN 3.
[SwitchA] interface bridge-aggregation 5
[SwitchA-Bridge-Aggregation5] service-instance 1000
[SwitchA-Bridge-Aggregation5-srv1000] encapsulation s-vid 3
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Bridge-Aggregation5-srv1000] xconnect vsi vpna
[SwitchA-Bridge-Aggregation5-srv1000] quit
4. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Enable EVPN M-LAG, and specify the virtual VTEP address as 1.2.3.4.
[SwitchB] evpn m-lag group 1.2.3.4
# Specify the reserved VXLAN as VXLAN 1234.
[SwitchB] reserved vxlan 1234
# Configure M-LAG system parameters.
[SwitchB] m-lag system-mac 0001-0001-0001
[SwitchB] m-lag system-number 2
[SwitchB] m-lag system-priority 10
[SwitchB] m-lag keepalive ip destination 11.1.1.1 source 12.1.1.2
[SwitchB] m-lag restore-delay 180
# Exclude interfaces from the shutdown action by M-LAG MAD.
[SwitchB] m-lag mad exclude interface loopback 0
[SwitchB] m-lag mad exclude interface ten-gigabitethernet 1/0/4
# Create a tunnel to Switch A, and set the ToS of tunneled packets to 100.
[SwitchB] interface tunnel 1 mode vxlan
[SwitchB-Tunnel1] source 2.2.2.2
[SwitchB-Tunnel1] destination 1.1.1.1
[SwitchB-Tunnel1] tunnel tos 100
[SwitchB-Tunnel1] quit
# Exclude Tunnel 1 from the shutdown action by M-LAG MAD.
[SwitchB] m-lag mad exclude interface tunnel 1
# Specify Tunnel 1 as the peer-link interface.
[SwitchB] interface tunnel 1
[SwitchB-Tunnel1] port m-lag peer-link 1
[SwitchB-Tunnel1] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
[SwitchB] interface bridge-aggregation 4
[SwitchB-Bridge-Aggregation4] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation4] quit
# Assign Ten-GigabitEthernet 1/0/1 to aggregation group 4.
[SwitchB] interface ten-gigabitethernet 1/0/1
[SwitchB-Ten-GigabitEthernet1/0/1] port link-aggregation group 4
[SwitchB-Ten-GigabitEthernet1/0/1] quit
# Assign Bridge-Aggregation 4 to M-LAG group 4.
[SwitchB] interface bridge-aggregation 4
[SwitchB-Bridge-Aggregation4] port m-lag group 4
[SwitchB-Bridge-Aggregation4] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 5.
[SwitchB] interface bridge-aggregation 5
[SwitchB-Bridge-Aggregation5] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation5] quit
# Assign Ten-GigabitEthernet 1/0/2 to aggregation group 5.
[SwitchB] interface ten-gigabitethernet 1/0/2
[SwitchB-Ten-GigabitEthernet1/0/2] port link-aggregation group 5
[SwitchB-Ten-GigabitEthernet1/0/2] quit
# Assign Bridge-Aggregation 5 to M-LAG group 5.
[SwitchB] interface bridge-aggregation 5
[SwitchB-Bridge-Aggregation5] port m-lag group 5
[SwitchB-Bridge-Aggregation5] quit
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] arp suppression enable
[SwitchB-vsi-vpna] evpn encapsulation vxlan
[SwitchB-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchB-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchB] bgp 200
[SwitchB-bgp-default] peer 3.3.3.3 as-number 200
[SwitchB-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchB-bgp-default] address-family l2vpn evpn
[SwitchB-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchB-bgp-default-evpn] quit
[SwitchB-bgp-default] quit
# On Bridge-Aggregation 4, create Ethernet service instance 1000 to match VLAN 2.
[SwitchB] interface bridge-aggregation 4
[SwitchB-Bridge-Aggregation4] service-instance 1000
[SwitchB-Bridge-Aggregation4-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchB-Bridge-Aggregation4-srv1000] xconnect vsi vpna
[SwitchB-Bridge-Aggregation4-srv1000] quit
# On Bridge-Aggregation 5, create Ethernet service instance 1000 to match VLAN 3.
[SwitchB] interface bridge-aggregation 5
[SwitchB-Bridge-Aggregation5] service-instance 1000
[SwitchB-Bridge-Aggregation5-srv1000] encapsulation s-vid 3
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchB-Bridge-Aggregation5-srv1000] xconnect vsi vpna
[SwitchB-Bridge-Aggregation5-srv1000] quit
5. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Create VSI gateway service loopback group 1, and assign Layer 2 Ethernet interface Ten-GigabitEthernet 1/0/4 to the service loopback group.
[SwitchC] service-loopback group 1 type vsi-gateway
[SwitchC] interface ten-gigabitethernet 1/0/4
[SwitchC-Ten-GigabitEthernet1/0/4] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
[SwitchC-Ten-GigabitEthernet1/0/4] quit
# Disable remote MAC address learning.
[SwitchC] vxlan tunnel mac-learning disable
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] evpn encapsulation vxlan
[SwitchC-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchC-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchC-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] evpn encapsulation vxlan
[SwitchC-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchC-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchC-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchC-vsi-vpnb] vxlan 20
[SwitchC-vsi-vpnb-vxlan-20] quit
[SwitchC-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes, and configure Switch C as an RR.
[SwitchC] bgp 200
[SwitchC-bgp-default] group evpn
[SwitchC-bgp-default] peer 1.1.1.1 group evpn
[SwitchC-bgp-default] peer 2.2.2.2 group evpn
[SwitchC-bgp-default] peer 4.4.4.4 group evpn
[SwitchC-bgp-default] peer evpn as-number 200
[SwitchC-bgp-default] peer evpn connect-interface loopback 0
[SwitchC-bgp-default] address-family l2vpn evpn
[SwitchC-bgp-default-evpn] peer evpn enable
[SwitchC-bgp-default-evpn] undo policy vpn-target
[SwitchC-bgp-default-evpn] peer evpn reflect-client
[SwitchC-bgp-default-evpn] quit
[SwitchC-bgp-default] quit
# Create VSI-interface 1 and assign it an IP address. The IP address is the gateway address of VXLAN 10.
[SwitchC] interface vsi-interface 1
[SwitchC-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchC-Vsi-interface1] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] gateway vsi-interface 1
[SwitchC-vsi-vpna] quit
# Create VSI-interface 2 and assign it an IP address. The IP address is the gateway address of VXLAN 20.
[SwitchC] interface vsi-interface 2
[SwitchC-Vsi-interface2] ip address 10.1.2.1 255.255.255.0
[SwitchC-Vsi-interface2] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] gateway vsi-interface 2
[SwitchC-vsi-vpnb] quit
6. Configure Switch D:
# Enable L2VPN.
<SwitchD> system-view
[SwitchD] l2vpn enable
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchD] vsi vpnb
[SwitchD-vsi-vpnb] arp suppression enable
[SwitchD-vsi-vpnb] evpn encapsulation vxlan
[SwitchD-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchD-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchD-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchD-vsi-vpnb] vxlan 20
[SwitchD-vsi-vpnb-vxlan-20] quit
[SwitchD-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchD] bgp 200
[SwitchD-bgp-default] peer 3.3.3.3 as-number 200
[SwitchD-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchD-bgp-default] address-family l2vpn evpn
[SwitchD-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchD-bgp-default-evpn] quit
[SwitchD-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 4.
[SwitchD] interface ten-gigabitethernet 1/0/1
[SwitchD-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 4
# Map Ethernet service instance 1000 to VSI vpnb.
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpnb
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] quit
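Steps 3 and 4 of both M-LAG examples enter nearly identical commands on Switch A and Switch B, and a mismatch between the two members is easy to miss. The following is an added example, not H3C code: it reads the two pasted CLI sessions and reports differences. As an assumption, it treats every setting that these examples configure identically on both members (virtual VTEP address, reserved VXLAN, system MAC, system priority) plus the frame match method from the IMPORTANT note as "must match", the system number as "must differ", and the keepalive and peer-link tunnel addresses as mirrored. All function and variable names are hypothetical.

```python
import re

# Constructed input: the M-LAG commands that steps 3 and 4 of the tunnel
# peer link example enter on Switch A and Switch B, prompts included.
SWITCH_A = """\
[SwitchA] evpn m-lag group 1.2.3.4
[SwitchA] reserved vxlan 1234
[SwitchA] m-lag system-mac 0001-0001-0001
[SwitchA] m-lag system-number 1
[SwitchA] m-lag system-priority 10
[SwitchA] m-lag keepalive ip destination 12.1.1.2 source 11.1.1.1
[SwitchA] interface tunnel 1 mode vxlan
[SwitchA-Tunnel1] source 1.1.1.1
[SwitchA-Tunnel1] destination 2.2.2.2
[SwitchA-Tunnel1] quit
[SwitchA] interface tunnel 1
[SwitchA-Tunnel1] port m-lag peer-link 1
"""
SWITCH_B = """\
[SwitchB] evpn m-lag group 1.2.3.4
[SwitchB] reserved vxlan 1234
[SwitchB] m-lag system-mac 0001-0001-0001
[SwitchB] m-lag system-number 2
[SwitchB] m-lag system-priority 10
[SwitchB] m-lag keepalive ip destination 11.1.1.1 source 12.1.1.2
[SwitchB] interface tunnel 1 mode vxlan
[SwitchB-Tunnel1] source 2.2.2.2
[SwitchB-Tunnel1] destination 1.1.1.1
[SwitchB-Tunnel1] quit
[SwitchB] interface tunnel 1
[SwitchB-Tunnel1] port m-lag peer-link 1
"""

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # "[SwitchA-Tunnel1] " or "<SwitchA> "
GLOBAL = {
    "virtual_vtep": r"evpn m-lag group (\S+)",
    "reserved_vxlan": r"reserved vxlan (\d+)",
    "system_mac": r"m-lag system-mac (\S+)",
    "system_number": r"m-lag system-number (\d+)",
    "system_priority": r"m-lag system-priority (\d+)",
    "ac_match_rule": r"l2vpn m-lag peer-link ac-match-rule (\S+)",
    "keepalive": r"m-lag keepalive ip destination (\S+) source (\S+)",
}
# Assumption: derived from what the examples configure on both members.
MUST_MATCH = ("virtual_vtep", "reserved_vxlan", "system_mac",
              "system_priority", "ac_match_rule")
REQUIRED = ("virtual_vtep", "system_mac", "system_number")


def parse(text):
    """Reduce a pasted CLI session to the M-LAG settings it configures."""
    cfg, current = {"interfaces": {}}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip().lower()
        m = re.fullmatch(r"interface (\S+) (\S+)( mode \S+)?", line)
        if m:
            current = cfg["interfaces"].setdefault(f"{m.group(1)} {m.group(2)}", {})
        elif line == "quit":
            current = None
        elif current is not None and (m := re.fullmatch(r"(source|destination) (\S+)", line)):
            current[m.group(1)] = m.group(2)
        elif current is not None and line.startswith("port m-lag peer-link"):
            current["peer_link"] = True
        else:
            for key, pattern in GLOBAL.items():
                m = re.fullmatch(pattern, line)
                if m:
                    cfg[key] = m.groups() if len(m.groups()) > 1 else m.group(1)
    return cfg


def peer_link(cfg):
    """Return the settings of the interface configured as peer link, if any."""
    return next((i for i in cfg["interfaces"].values() if i.get("peer_link")), None)


def audit_pair(text_a, text_b):
    """Return findings for an M-LAG pair; an empty list means consistent."""
    a, b = parse(text_a), parse(text_b)
    findings = []
    for key in REQUIRED:
        findings += [f"{key}: not configured on member {name}"
                     for name, cfg in (("A", a), ("B", b)) if key not in cfg]
    for key in MUST_MATCH:  # None on both sides means both use the default
        if a.get(key) != b.get(key):
            findings.append(f"{key}: {a.get(key)} on A, {b.get(key)} on B, must be identical")
    if "system_number" in a and a["system_number"] == b.get("system_number"):
        findings.append(f"system_number: both members use {a['system_number']}, must differ")
    ka, kb = a.get("keepalive"), b.get("keepalive")  # (destination, source)
    if ka != (kb[::-1] if kb else None):
        findings.append("keepalive: source/destination are not mirrored")
    pa, pb = peer_link(a), peer_link(b)
    if pa is None or pb is None:
        findings.append("peer_link: no peer-link interface on one or both members")
    elif (pa.get("source"), pa.get("destination")) != (pb.get("destination"), pb.get("source")):
        findings.append("peer_link: tunnel source/destination are not mirrored")
    return findings


if __name__ == "__main__":
    print(audit_pair(SWITCH_A, SWITCH_B) or "M-LAG pair is consistent")
```

The same function accepts the direct peer link sessions: a Bridge-Aggregation peer link has no tunnel addresses to mirror, and an `ac-match-rule` command entered on only one switch is reported.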
Verifying the configuration
1. Verify the centralized EVPN gateway settings on Switch C:
# Verify that Switch C has advertised MAC/IP advertisement routes and IMET routes of the gateway to other devices. Verify that Switch C has received MAC/IP advertisement routes and IMET routes from Switch A, Switch B, and Switch D. (Details not shown.)
# Verify that the VXLAN tunnels to Switch A and Switch B are up, and that Switch C has established a VXLAN tunnel to Switch A and Switch B whose destination address is the virtual VTEP address.
[SwitchC] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 3.3.3.3, destination 4.4.4.4
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 2 packets, 84 bytes, 0 drops
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 3.3.3.3, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 2 packets, 84 bytes, 0 drops
Tunnel2
Current state: UP
Line protocol state: UP
Description: Tunnel2 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 3.3.3.3, destination 1.2.3.4
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 1 packets, 42 bytes, 0 drops
Tunnel3
Current state: UP
Line protocol state: UP
Description: Tunnel3 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 3.3.3.3, destination 2.2.2.2
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 1 packets, 42 bytes, 0 drops
# Verify that the VXLAN tunnels have been assigned to the VXLANs, and that the VSI interfaces are the gateway interfaces of their respective VXLANs.
[SwitchC] display l2vpn vsi verbose
VSI Name: vpna
VSI Index : 0
VSI State : Up
MTU : 1500
Bandwidth : Unlimited
Broadcast Restrain : Unlimited
Multicast Restrain : Unlimited
Unknown Unicast Restrain: Unlimited
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 1
VXLAN ID : 10
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel1 0x5000001 UP Auto Disabled
Tunnel2 0x5000002 UP Auto Disabled
Tunnel3 0x5000003 UP Auto Disabled
VSI Name: vpnb
VSI Index : 1
VSI State : Up
MTU : 1500
Bandwidth : Unlimited
Broadcast Restrain : Unlimited
Multicast Restrain : Unlimited
Unknown Unicast Restrain: Unlimited
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
Gateway Interface : VSI-interface 2
VXLAN ID : 20
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel0 0x5000000 UP Auto Disabled
2. Verify the EVPN M-LAG settings on Switch A:
# Verify that Switch A has BGP EVPN routes.
[SwitchA] display bgp l2vpn evpn
BGP local router ID is 1.2.3.4
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
a - additional-path
Origin: i - IGP, e - EGP, ? - incomplete
Total number of routes from all PEs: 3
Route distinguisher: 1:10
Total number of routes: 5
* >i Network : [2][0][48][7e9a-48e9-0100][32][10.1.1.1]/136
NextHop : 3.3.3.3 LocPrf : 100
PrefVal : 0 OutLabel : NULL
MED : 0
Path/Ogn: i
* > Network : [3][0][32][1.1.1.1]/80
NextHop : 1.1.1.1 LocPrf : 100
PrefVal : 32768 OutLabel : NULL
MED : 0
Path/Ogn: i
* > Network : [3][0][32][1.2.3.4]/80
NextHop : 1.2.3.4 LocPrf : 100
PrefVal : 32768 OutLabel : NULL
MED : 0
Path/Ogn: i
* >i Network : [3][0][32][3.3.3.3]/80
NextHop : 3.3.3.3 LocPrf : 100
PrefVal : 0 OutLabel : NULL
MED : 0
Path/Ogn: i
* >i Network : [3][0][32][2.2.2.2]/80
NextHop : 2.2.2.2 LocPrf : 100
PrefVal : 0 OutLabel : NULL
MED : 0
Path/Ogn: i
# Verify that the VXLAN tunnel to Switch C is up, and the tunnel source address is the virtual VTEP address.
[SwitchA] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 1.2.3.4, destination 3.3.3.3
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 1.1.1.1, destination 2.2.2.2
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 12 bytes/sec, 96 bits/sec, 0 packets/sec
Last 300 seconds output rate: 12 bytes/sec, 96 bits/sec, 0 packets/sec
Input: 239 packets, 25558 bytes, 0 drops
Output: 1241 packets, 109811 bytes, 0 drops
# Verify that ACs are automatically created on the peer link and assigned to VSIs.
[SwitchA] display l2vpn vsi verbose
VSI Name: vpna
VSI Index : 0
VSI State : Up
MTU : 1500
Bandwidth : Unlimited
Broadcast Restrain : Unlimited
Multicast Restrain : Unlimited
Unknown Unicast Restrain: Unlimited
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
VXLAN ID : 10
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel0 0x5000000 UP Auto Disabled
Tunnel1 0x5000001 UP Manual Disabled
ACs:
AC Link ID State Type
BAGG4 srv1000 0 Down Manual
BAGG5 srv1000 1 Down Manual
3. Verify network connectivity for the VMs:
# Verify that VM 1, VM 2, and VM 3 can communicate when both Switch A and Switch B are operating correctly. (Details not shown.)
# Verify that VM 1, VM 2, and VM 3 can communicate when Switch A's or Switch B's links to the local site are disconnected. (Details not shown.)
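The tunnel checks in steps 1 and 2 can be scripted against saved command output. The following Python is an added example, not part of the vendor documentation; the function names are hypothetical, and the sample text is abridged from the Switch A `display interface tunnel` output shown above.

```python
import re
from dataclasses import dataclass

# Abridged from the Switch A "display interface tunnel" output above.
SWITCH_A_OUTPUT = """\
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Maximum transmission unit: 1464
Tunnel source 1.2.3.4, destination 3.3.3.3
Tunnel protocol/transport UDP_VXLAN/IP
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Maximum transmission unit: 1464
Tunnel source 1.1.1.1, destination 2.2.2.2
Tunnel protocol/transport UDP_VXLAN/IP
Input: 239 packets, 25558 bytes, 0 drops
Output: 1241 packets, 109811 bytes, 0 drops
"""


@dataclass
class Tunnel:
    name: str
    state: str = ""
    line_protocol: str = ""
    source: str = ""
    destination: str = ""
    transport: str = ""
    drops: int = 0  # input drops + output drops


HEADER = re.compile(r"^Tunnel\d+$")
ENDPOINTS = re.compile(r"^Tunnel source ([^,\s]+), destination (\S+)$")
DROPS = re.compile(r"^(?:Input|Output): .*?(\d+) drops$")


def parse_tunnels(text):
    """Split the display output into one Tunnel record per interface."""
    tunnels = []
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER.match(line):
            tunnels.append(Tunnel(name=line))
            continue
        if not tunnels:
            continue  # ignore anything before the first interface header
        cur = tunnels[-1]
        key, _, value = line.partition(":")
        if key == "Current state":
            cur.state = value.strip()
        elif key == "Line protocol state":
            cur.line_protocol = value.strip()
        elif line.startswith("Tunnel protocol/transport "):
            cur.transport = line.split()[-1]
        elif (m := ENDPOINTS.match(line)):
            cur.source, cur.destination = m.groups()
        elif (m := DROPS.match(line)):
            cur.drops += int(m.group(1))
    return tunnels


def check_vtep_tunnel(tunnels, source, destination):
    """Return a list of problems for the tunnel source -> destination (empty = pass)."""
    matches = [t for t in tunnels
               if t.source == source and t.destination == destination]
    if not matches:
        return [f"no tunnel from {source} to {destination}"]
    problems = []
    for t in matches:
        if t.state != "UP" or t.line_protocol != "UP":
            problems.append(f"{t.name}: state {t.state}/{t.line_protocol}")
        if t.transport != "UDP_VXLAN/IP":
            problems.append(f"{t.name}: transport {t.transport}")
        if t.drops:
            problems.append(f"{t.name}: {t.drops} drops")
    return problems


def tunnels_not_sourced_from(tunnels, address):
    """Names of tunnels whose source is not the given (virtual VTEP) address."""
    return [t.name for t in tunnels if t.source != address]


if __name__ == "__main__":
    parsed = parse_tunnels(SWITCH_A_OUTPUT)
    # Virtual VTEP address 1.2.3.4 to Switch C (3.3.3.3), as in the example.
    print(check_vtep_tunnel(parsed, "1.2.3.4", "3.3.3.3"))
    print(tunnels_not_sourced_from(parsed, "1.2.3.4"))
```

The same check applies on Switch C with the arguments reversed, because there the virtual VTEP address is the tunnel destination.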
VXLAN tunnels protected by EVPN M-LAG with a direct peer link configuration example
Network requirements
As shown in Figure 20, perform the following tasks to make sure the VMs can communicate with one another:
· Configure VXLAN 10 on Switch A and Switch B, and configure VXLAN 20 on Switch D.
· Configure EVPN M-LAG on Switch A and Switch B to virtualize them into one VTEP. The switches use a direct peer link.
· Assign the transport-facing outgoing interfaces for the VXLAN tunnels of Switch A and Switch B to an M-LAG group.
· Configure Switch C as a centralized EVPN gateway and RR.
NOTE: This example provides configuration of IPv4 sites extended by an IPv4 underlay network. The configuration procedure does not differ between site or underlay network types. This example does not support load sharing tunneled traffic across ECMP routes on the underlay network.
Figure 22 Network diagram
Configuration prerequisites
Execute the undo mac-address static source-check enable command on the aggregate interfaces to be configured as peer-link interfaces.
Configuration procedure
1. On VM 1 and VM 2, specify 10.1.1.1 as the gateway address. On VM 3, specify 10.1.2.1 as the gateway address. (Details not shown.)
2. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces (including loopback interfaces), as shown in Figure 20. (Details not shown.)
# Configure OSPF on all transport network switches (Switches A through D) for them to reach one another. (Details not shown.)
3. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchA] vxlan tunnel mac-learning disable
[SwitchA] vxlan tunnel arp-learning disable
# Choose one of the following frame match criterion creation methods for dynamic ACs:
○ Enable the device to create frame match criteria based on VXLAN IDs for the dynamic ACs on the peer link.
[SwitchA] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
○ Use the default setting, in which dynamic ACs on the peer link use frame match criteria identical to those of site-facing ACs.
# Enable EVPN M-LAG, and specify the virtual VTEP address as 1.2.3.4.
[SwitchA] evpn m-lag group 1.2.3.4
# Configure M-LAG system parameters.
[SwitchA] m-lag system-mac 0001-0001-0001
[SwitchA] m-lag system-number 1
[SwitchA] m-lag system-priority 10
[SwitchA] m-lag keepalive ip destination 60.1.1.2 source 60.1.1.1
[SwitchA] m-lag restore-delay 180
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3.
[SwitchA] interface bridge-aggregation 3
[SwitchA-Bridge-Aggregation3] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation3] quit
# Assign Ten-GigabitEthernet 1/0/3 to link aggregation group 3.
[SwitchA] interface ten-gigabitethernet 1/0/3
[SwitchA-Ten-GigabitEthernet1/0/3] port link-aggregation group 3
[SwitchA-Ten-GigabitEthernet1/0/3] quit
# Specify Bridge-Aggregation 3 as the peer-link interface.
[SwitchA] interface bridge-aggregation 3
[SwitchA-Bridge-Aggregation3] port m-lag peer-link 1
[SwitchA-Bridge-Aggregation3] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
[SwitchA] interface bridge-aggregation 4
[SwitchA-Bridge-Aggregation4] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation4] quit
# Assign Ten-GigabitEthernet 1/0/1 to link aggregation group 4.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-aggregation group 4
[SwitchA-Ten-GigabitEthernet1/0/1] quit
# Assign Bridge-Aggregation 4 to M-LAG group 4.
[SwitchA] interface bridge-aggregation 4
[SwitchA-Bridge-Aggregation4] port m-lag group 4
[SwitchA-Bridge-Aggregation4] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 5.
[SwitchA] interface bridge-aggregation 5
[SwitchA-Bridge-Aggregation5] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation5] quit
# Assign Ten-GigabitEthernet 1/0/2 to link aggregation group 5.
[SwitchA] interface ten-gigabitethernet 1/0/2
[SwitchA-Ten-GigabitEthernet1/0/2] port link-aggregation group 5
[SwitchA-Ten-GigabitEthernet1/0/2] quit
# Assign Bridge-Aggregation 5 to M-LAG group 5.
[SwitchA] interface bridge-aggregation 5
[SwitchA-Bridge-Aggregation5] port m-lag group 5
[SwitchA-Bridge-Aggregation5] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 50.
[SwitchA] interface bridge-aggregation 50
[SwitchA-Bridge-Aggregation50] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation50] quit
# Assign Ten-GigabitEthernet 1/0/5 (transport-facing outgoing interface for the VXLAN tunnel) to link aggregation group 50.
[SwitchA] interface ten-gigabitethernet 1/0/5
[SwitchA-Ten-GigabitEthernet1/0/5] port link-aggregation group 50
[SwitchA-Ten-GigabitEthernet1/0/5] quit
# Assign Bridge-Aggregation 50 to M-LAG group 50.
[SwitchA] interface bridge-aggregation 50
[SwitchA-Bridge-Aggregation50] port m-lag group 50
[SwitchA-Bridge-Aggregation50] quit
# Exclude interfaces from the shutdown action by M-LAG MAD.
[SwitchA] m-lag mad exclude interface loopback 0
[SwitchA] m-lag mad exclude interface ten-gigabitethernet 1/0/4
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] arp suppression enable
[SwitchA-vsi-vpna] evpn encapsulation vxlan
[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
[SwitchA-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchA] bgp 200
[SwitchA-bgp-default] peer 3.3.3.3 as-number 200
[SwitchA-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchA-bgp-default] address-family l2vpn evpn
[SwitchA-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchA-bgp-default-evpn] quit
[SwitchA-bgp-default] quit
# On Bridge-Aggregation 4, create Ethernet service instance 1000 to match VLAN 2.
[SwitchA] interface bridge-aggregation 4
[SwitchA-Bridge-Aggregation4] service-instance 1000
[SwitchA-Bridge-Aggregation4-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Bridge-Aggregation4-srv1000] xconnect vsi vpna
[SwitchA-Bridge-Aggregation4-srv1000] quit
# On Bridge-Aggregation 5, create Ethernet service instance 1000 to match VLAN 3.
[SwitchA] interface bridge-aggregation 5
[SwitchA-Bridge-Aggregation5] service-instance 1000
[SwitchA-Bridge-Aggregation5-srv1000] encapsulation s-vid 3
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Bridge-Aggregation5-srv1000] xconnect vsi vpna
[SwitchA-Bridge-Aggregation5-srv1000] quit
4. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchB] vxlan tunnel mac-learning disable
[SwitchB] vxlan tunnel arp-learning disable
# Choose one of the following frame match criterion creation methods for dynamic ACs:
○ Enable the device to create frame match criteria based on VXLAN IDs for the dynamic ACs on the peer link.
[SwitchB] l2vpn m-lag peer-link ac-match-rule vxlan-mapping
○ Use the default setting, in which dynamic ACs on the peer link use frame match criteria identical to those of site-facing ACs.
# Enable EVPN M-LAG, and specify the virtual VTEP address as 1.2.3.4.
[SwitchB] evpn m-lag group 1.2.3.4
# Configure M-LAG system parameters.
[SwitchB] m-lag system-mac 0001-0001-0001
[SwitchB] m-lag system-number 2
[SwitchB] m-lag system-priority 10
[SwitchB] m-lag keepalive ip destination 60.1.1.1 source 60.1.1.2
[SwitchB] m-lag restore-delay 180
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3.
[SwitchB] interface bridge-aggregation 3
[SwitchB-Bridge-Aggregation3] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation3] quit
# Assign Ten-GigabitEthernet 1/0/3 to aggregation group 3.
[SwitchB] interface ten-gigabitethernet 1/0/3
[SwitchB-Ten-GigabitEthernet1/0/3] port link-aggregation group 3
[SwitchB-Ten-GigabitEthernet1/0/3] quit
# Specify Bridge-Aggregation 3 as the peer-link interface.
[SwitchB] interface bridge-aggregation 3
[SwitchB-Bridge-Aggregation3] port m-lag peer-link 1
[SwitchB-Bridge-Aggregation3] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
[SwitchB] interface bridge-aggregation 4
[SwitchB-Bridge-Aggregation4] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation4] quit
# Assign Ten-GigabitEthernet 1/0/1 to aggregation group 4.
[SwitchB] interface ten-gigabitethernet 1/0/1
[SwitchB-Ten-GigabitEthernet1/0/1] port link-aggregation group 4
[SwitchB-Ten-GigabitEthernet1/0/1] quit
# Assign Bridge-Aggregation 4 to M-LAG group 4.
[SwitchB] interface bridge-aggregation 4
[SwitchB-Bridge-Aggregation4] port m-lag group 4
[SwitchB-Bridge-Aggregation4] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 5.
[SwitchB] interface bridge-aggregation 5
[SwitchB-Bridge-Aggregation5] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation5] quit
# Assign Ten-GigabitEthernet 1/0/2 to aggregation group 5.
[SwitchB] interface ten-gigabitethernet 1/0/2
[SwitchB-Ten-GigabitEthernet1/0/2] port link-aggregation group 5
[SwitchB-Ten-GigabitEthernet1/0/2] quit
# Assign Bridge-Aggregation 5 to M-LAG group 5.
[SwitchB] interface bridge-aggregation 5
[SwitchB-Bridge-Aggregation5] port m-lag group 5
[SwitchB-Bridge-Aggregation5] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 50.
[SwitchB] interface bridge-aggregation 50
[SwitchB-Bridge-Aggregation50] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation50] quit
# Assign Ten-GigabitEthernet 1/0/5 (transport-facing outgoing interface for the VXLAN tunnel) to link aggregation group 50.
[SwitchB] interface ten-gigabitethernet 1/0/5
[SwitchB-Ten-GigabitEthernet1/0/5] port link-aggregation group 50
[SwitchB-Ten-GigabitEthernet1/0/5] quit
# Assign Bridge-Aggregation 50 to M-LAG group 50.
[SwitchB] interface bridge-aggregation 50
[SwitchB-Bridge-Aggregation50] port m-lag group 50
[SwitchB-Bridge-Aggregation50] quit
# Exclude interfaces from the shutdown action by M-LAG MAD.
[SwitchB] m-lag mad exclude interface loopback 0
[SwitchB] m-lag mad exclude interface ten-gigabitethernet 1/0/4
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] arp suppression enable
[SwitchB-vsi-vpna] evpn encapsulation vxlan
[SwitchB-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchB-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
[SwitchB-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchB] bgp 200
[SwitchB-bgp-default] peer 3.3.3.3 as-number 200
[SwitchB-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchB-bgp-default] address-family l2vpn evpn
[SwitchB-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchB-bgp-default-evpn] quit
[SwitchB-bgp-default] quit
# On Bridge-Aggregation 4, create Ethernet service instance 1000 to match VLAN 2.
[SwitchB] interface bridge-aggregation 4
[SwitchB-Bridge-Aggregation4] service-instance 1000
[SwitchB-Bridge-Aggregation4-srv1000] encapsulation s-vid 2
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchB-Bridge-Aggregation4-srv1000] xconnect vsi vpna
[SwitchB-Bridge-Aggregation4-srv1000] quit
# On Bridge-Aggregation 5, create Ethernet service instance 1000 to match VLAN 3.
[SwitchB] interface bridge-aggregation 5
[SwitchB-Bridge-Aggregation5] service-instance 1000
[SwitchB-Bridge-Aggregation5-srv1000] encapsulation s-vid 3
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchB-Bridge-Aggregation5-srv1000] xconnect vsi vpna
[SwitchB-Bridge-Aggregation5-srv1000] quit
5. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchC] vxlan tunnel mac-learning disable
[SwitchC] vxlan tunnel arp-learning disable
# Create an EVPN instance on VSI vpna, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] evpn encapsulation vxlan
[SwitchC-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchC-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchC-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] quit
[SwitchC-vsi-vpna] quit
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] evpn encapsulation vxlan
[SwitchC-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchC-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchC-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchC-vsi-vpnb] vxlan 20
[SwitchC-vsi-vpnb-vxlan-20] quit
[SwitchC-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes, and configure Switch C as an RR.
[SwitchC] bgp 200
[SwitchC-bgp-default] group evpn
[SwitchC-bgp-default] peer 1.1.1.1 group evpn
[SwitchC-bgp-default] peer 2.2.2.2 group evpn
[SwitchC-bgp-default] peer 4.4.4.4 group evpn
[SwitchC-bgp-default] peer evpn as-number 200
[SwitchC-bgp-default] peer evpn connect-interface loopback 0
[SwitchC-bgp-default] address-family l2vpn evpn
[SwitchC-bgp-default-evpn] peer evpn enable
[SwitchC-bgp-default-evpn] undo policy vpn-target
[SwitchC-bgp-default-evpn] peer evpn reflect-client
[SwitchC-bgp-default-evpn] quit
[SwitchC-bgp-default] quit
# Create VSI-interface 1 and assign it an IP address. The IP address is the gateway address of VXLAN 10.
[SwitchC] interface vsi-interface 1
[SwitchC-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchC-Vsi-interface1] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] gateway vsi-interface 1
[SwitchC-vsi-vpna] quit
# Create VSI-interface 2 and assign it an IP address. The IP address is the gateway address of VXLAN 20.
[SwitchC] interface vsi-interface 2
[SwitchC-Vsi-interface2] ip address 10.1.2.1 255.255.255.0
[SwitchC-Vsi-interface2] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] gateway vsi-interface 2
[SwitchC-vsi-vpnb] quit
6. Configure Switch D:
# Enable L2VPN.
<SwitchD> system-view
[SwitchD] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchD] vxlan tunnel mac-learning disable
[SwitchD] vxlan tunnel arp-learning disable
# Create an EVPN instance on VSI vpnb, and configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchD] vsi vpnb
[SwitchD-vsi-vpnb] arp suppression enable
[SwitchD-vsi-vpnb] evpn encapsulation vxlan
[SwitchD-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchD-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchD-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[SwitchD-vsi-vpnb] vxlan 20
[SwitchD-vsi-vpnb-vxlan-20] quit
[SwitchD-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchD] bgp 200
[SwitchD-bgp-default] peer 3.3.3.3 as-number 200
[SwitchD-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchD-bgp-default] address-family l2vpn evpn
[SwitchD-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchD-bgp-default-evpn] quit
[SwitchD-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 4.
[SwitchD] interface ten-gigabitethernet 1/0/1
[SwitchD-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 4
# Map Ethernet service instance 1000 to VSI vpnb.
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpnb
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] quit
Verifying the configuration
1. Verify the centralized EVPN gateway settings on Switch C:
# Verify that Switch C has advertised MAC/IP advertisement routes and IMET routes of the gateway to other devices. Verify that Switch C has received MAC/IP advertisement routes and IMET routes from Switch A, Switch B, and Switch D. (Details not shown.)
# Verify that the VXLAN tunnel to Switch A and Switch B is up, and the tunnel destination address is the virtual VTEP address. (Details not shown.)
[SwitchC] display interface tunnel
# Verify that the VXLAN tunnels have been assigned to the VXLANs, and that the VSI interfaces are the gateway interfaces of their respective VXLANs. (Details not shown.)
[SwitchC] display l2vpn vsi verbose
2. Verify the EVPN M-LAG settings on Switch A:
# Verify that Switch A has BGP EVPN routes. (Details not shown.)
[SwitchA] display bgp l2vpn evpn
# Verify that the VXLAN tunnel to Switch C is up, and the tunnel source address is the virtual VTEP address. (Details not shown.)
[SwitchA] display interface tunnel
# Verify that ACs are automatically created on the peer link and assigned to VSIs. (Details not shown.)
[SwitchA] display l2vpn vsi verbose
3. Verify network connectivity for the VMs:
# Verify that VM 1, VM 2, and VM 3 can communicate when both Switch A and Switch B are operating correctly. (Details not shown.)
# Verify that VM 1, VM 2, and VM 3 can communicate when Switch A's or Switch B's links to the local site are disconnected. (Details not shown.)
4. Verify that VM 1, VM 2, and VM 3 can communicate when the link between Switch C and Switch A is disconnected.
Configuring EVPN-DCI
Overview
EVPN data center interconnect (EVPN-DCI) uses VXLAN-DCI tunnels to provide connectivity for data centers over an IP transport network.
EVPN-DCI network model
As shown in Figure 23, the EVPN-DCI network contains VTEPs and edge devices (EDs) located at the edge of the transport network. A VXLAN tunnel is established between a VTEP and an ED, and a VXLAN-DCI tunnel is established between two EDs. VXLAN-DCI tunnels use VXLAN encapsulation. Each ED de-encapsulates incoming VXLAN packets and re-encapsulates them based on the destination before forwarding the packets through a VXLAN or VXLAN-DCI tunnel.
Figure 23 EVPN-DCI network model
Working mechanisms
In an EVPN-DCI network, BGP EVPN peer relationships are established between EDs and between EDs and VTEPs. When advertising routes to a VTEP or another ED, an ED replaces the routes' nexthop IP address and router MAC address with its IP address and router MAC address.
In an EVPN-DCI network, a VTEP and an ED use a VXLAN tunnel to send traffic, and two EDs use a VXLAN-DCI tunnel to send traffic. An ED de-encapsulates incoming VXLAN packets and re-encapsulates them before forwarding the packets through a VXLAN or VXLAN-DCI tunnel.
EVPN-DCI dual-homing
As shown in Figure 24, EVPN-DCI dual-homing allows you to deploy two EDs at a data center for high availability and load sharing. To virtualize the redundant EDs into one device, a virtual ED address is configured on them. The redundant EDs use the virtual ED address to establish tunnels with VTEPs and remote EDs.
Figure 24 EVPN-DCI dual-homing
The redundant EDs use their respective IP addresses as the BGP peer addresses to establish BGP EVPN neighbor relationships with VTEPs and remote EDs. The VTEPs and remote EDs send traffic destined for the virtual ED address to both of the redundant EDs through the ECMP routes provided by the underlay network.
The redundant EDs communicate with remote data centers through the transport network. Devices in the dual-homed data center are unaware of the transport network. When the transport-side link fails on one of the redundant EDs, traffic destined for remote data centers is still sent to that ED. To resolve this issue, Monitor Link is used together with EVPN-DCI dual-homing.
On each redundant ED, the transport-facing physical interface is associated with the following loopback interfaces: the loopback interface that provides the IP address used for establishing BGP EVPN neighbor relationships, and the loopback interface that provides the virtual ED address. If the transport-side link fails on a redundant ED, the loopback interfaces are placed in down state, and all traffic is forwarded by the other redundant ED. For more information about Monitor Link, see High Availability Configuration Guide.
For link redundancy, deploy multiple RRs on the spine nodes in a data center, and connect each redundant ED to the transport network through multiple links.
EVPN-DCI M-LAG
IMPORTANT: To use this feature, make sure the site network and the underlay network are both IPv4 networks or both IPv6 networks.
As shown in Figure 25, you can use multichassis link aggregation (M-LAG) to virtualize two physical EDs of a data center into a virtual ED to prevent single points of failure from interrupting traffic. For more information about M-LAG, see Layer 2—LAN Switching Configuration Guide.
EVPN-DCI M-LAG uses the following mechanisms:
· VM reachability information synchronization—To ensure VM reachability information consistency in the M-LAG system, the member EDs synchronize MAC address entries and ARP or ND information with each other over the peer link. The peer link can only be an Ethernet aggregate link.
· Virtual ED address—The member EDs use a virtual ED address to set up VXLAN tunnels or VXLAN-DCI tunnels with VTEPs or remote EDs.
· Independent BGP neighbor relationship establishment—The member EDs use different BGP peer addresses to establish neighbor relationships with remote devices. For load sharing and link redundancy, a neighbor sends traffic destined for the virtual ED address to both of the member EDs through ECMP routes of the underlay network.
The member EDs in an M-LAG system communicate with remote data centers through the transport network. Devices in the dual-homed data center are unaware of the transport network. When the transport-side link fails on one of the member EDs, traffic destined for remote data centers is still sent to that ED. To resolve this issue, Monitor Link is used together with EVPN-DCI M-LAG.
On each member ED, the transport-facing physical interface is associated with the following loopback interfaces: the loopback interface that provides the IP address used for establishing BGP EVPN neighbor relationships, and the loopback interface that provides the virtual ED address. If the transport-side link fails on a member ED, the loopback interfaces are placed in down state, and all traffic is forwarded by the other member ED. For more information about Monitor Link, see High Availability Configuration Guide.
Configuration restrictions and guidelines
On an ED, make sure the VSI interfaces configured with L3 VXLAN IDs use the same MAC address. To modify the MAC address of a VSI interface, use the mac-address command.
To avoid packet loss, do not use a transport-facing interface to provide services for both VXLAN-DCI tunnels and VXLAN tunnels.
Assign the same MAC address to a Layer 3 aggregate interface and its member ports if the member ports are provided by the following interface modules:
· FD interface modules.
· FE interface modules.
· SG interface modules.
If the Layer 3 aggregate interface and its member ports use different MAC addresses, packets received on the aggregate interface might carry incorrect VLAN tags when they are forwarded over a VXLAN tunnel.
EVPN-DCI configuration task list
Perform all EVPN-DCI configuration tasks on EDs.
Tasks at a glance | Remarks |
---|---|
(Required.) Enabling DCI | N/A |
(Required.) Enabling route nexthop replacement and route router MAC replacement | N/A |
(Optional.) Enabling an ED to replace the L3 VXLAN ID, RD, and route targets of IP prefix advertisement routes | Use this feature to enable communication between data centers that use different L3 VXLAN IDs or hide the L3 VXLAN ID of a data center. |
(Optional.) Suppressing BGP EVPN route advertisement | To reduce the number of BGP EVPN routes on EDs of an EVPN-DCI network, suppress the advertisement of specific BGP EVPN routes on the EDs. |
(Optional.) Configuring VXLAN mapping | N/A |
(Optional.) Configuring the BGP EVPN address family and the BGP VPNv4 or VPNv6 address family to exchange routes | N/A |
(Optional.) Configuring EVPN-DCI dual-homing | N/A |
(Optional.) Configuring EVPN-DCI M-LAG | N/A |
(Optional.) Enabling EVPN-DCI support for cross-VXLAN Layer 2 multicast | N/A |
Configuration prerequisites
Before you configure EVPN-DCI, complete basic EVPN configuration for each data center. For more information about basic EVPN configuration, see "Configuring EVPN."
Enabling DCI
For EDs to automatically establish VXLAN-DCI tunnels, you must enable DCI on the Layer 3 interfaces that interconnect the EDs.
An ED establishes VXLAN-DCI tunnels based on BGP EVPN routes. If DCI is disabled on the outgoing interfaces to remote sites, EDs cannot establish VXLAN-DCI tunnels.
To enable DCI:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Enable DCI. | dci enable | By default, DCI is disabled on an interface. You cannot enable DCI on a subinterface. Subinterfaces of a DCI-enabled interface inherit configuration of the interface. |
Configuring an ED to modify BGP EVPN routes
Enabling route nexthop replacement and route router MAC replacement
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure a global router ID. | router id router-id | By default, no global router ID is configured. |
3. Enable a BGP instance and enter BGP instance view. | bgp as-number [ instance instance-name ] [ multi-session-thread ] | By default, BGP is disabled, and no BGP instances exist. |
4. Specify local VTEPs and remote EDs as BGP peers. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } as-number as-number | By default, no BGP peers are specified. |
5. Create the BGP EVPN address family and enter BGP EVPN address family view. | address-family l2vpn evpn | By default, the BGP EVPN address family does not exist. |
6. Enable BGP to exchange BGP EVPN routes with a peer or peer group. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } enable | By default, BGP does not exchange BGP EVPN routes with peers. |
7. Set the local router as the next hop for routes advertised to a peer or peer group. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } next-hop-local | The default settings for this command are as follows: · BGP sets the local router as the next hop for all routes advertised to an EBGP peer or peer group. · BGP does not modify the next hop for EBGP routes advertised to an IBGP peer or peer group. The peers specified in this task must be VTEPs in the local data center. |
8. Enable route router MAC replacement for a peer or peer group. | peer { group-name \| ipv4-address [ mask-length ] \| ipv6-address [ prefix-length ] } router-mac-local [ dci ] | By default, the device does not modify the router MAC address of routes before advertising the routes. This command enables the device to use its router MAC address to replace the router MAC address of routes received from and advertised to a peer or peer group. The peers specified in this task must be remote EDs. If you specify the dci keyword, the device establishes VXLAN-DCI tunnels with the peer or peer group. If you do not specify the dci keyword, whether the device establishes VXLAN-DCI tunnels with the peer or peer group depends on the dci enable command configuration in interface view. |
Enabling an ED to replace the L3 VXLAN ID, RD, and route targets of IP prefix advertisement routes
Overview
In an EVPN-DCI network, use this feature to hide the L3 VXLAN IDs of data centers or enable communication between data centers that use different L3 VXLAN IDs or route targets.
After you enable this feature on an ED, the ED performs the following operations after receiving BGP EVPN advertisement routes:
1. Matches the route targets of the routes with the import route targets of local VPN instances.
2. Replaces the L3 VXLAN ID, RD, and route targets of the routes with those of the matching local VPN instance.
3. Advertises the routes to a VTEP or remote ED.
After you execute the peer re-originated command, the ED advertises only reoriginated BGP EVPN routes. For the ED to advertise both original and reoriginated BGP EVPN routes, execute the peer advertise original-route command.
An ED configured with the peer re-originated and peer advertise original-route commands advertises both original and reoriginated BGP EVPN routes. For the ED to advertise only original BGP EVPN routes, execute the peer suppress re-originated command on the ED.
Configuration restrictions and guidelines
If the RD of a received BGP EVPN route is identical to the RD of the matching local VPN instance, an ED does not replace the L3 VXLAN ID and route targets of the route or reoriginate the route. As a result, the ED does not advertise the route. As a best practice, assign unique RDs to VPN instances on different EVPN gateways and EDs when you use this feature.
Configuration procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter BGP instance view. |
bgp as-number [ instance instance-name ] |
N/A |
3. Enter BGP EVPN address family view. |
address-family l2vpn evpn |
N/A |
4. Replace the L3 VXLAN ID, RD, and route targets (optional) of received BGP EVPN routes. |
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } re-originated [ imet | ip-prefix | mac-ip ] [ replace-rt ] |
By default, the device does not modify the BGP EVPN routes that are received from peers or peer groups. |
5. (Optional.) Enable the device to advertise original BGP EVPN routes together with the reoriginated BGP EVPN routes after the peer re-originated command is executed. |
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } advertise original-route |
By default, the device advertises only reoriginated BGP EVPN routes to peers and peer groups after the peer re-originated command is executed. |
6. (Optional.) Suppress advertisement of reoriginated BGP EVPN routes to a peer or peer group. |
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } suppress re-originated { imet | ip-prefix | mac-ip } |
By default, the device advertises reoriginated BGP EVPN routes to peers and peer groups after the peer re-originated command is executed. |
Suppressing BGP EVPN route advertisement
Overview
To reduce the number of BGP EVPN routes on EDs of an EVPN-DCI network, suppress the advertisement of specific BGP EVPN routes on the EDs.
Configuration restrictions and guidelines
If two VSI interfaces on EVPN gateways of different data centers use the same IP address, do not suppress the advertisement of MAC/IP advertisement routes on the EDs of the data centers. If you suppress the advertisement of these routes, the EDs cannot communicate with each other.
Configuration procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter BGP instance view. |
bgp as-number [ instance instance-name ] |
N/A |
3. Enter BGP EVPN address family view. |
address-family l2vpn evpn |
N/A |
4. Suppress the advertisement of specific BGP EVPN routes to a peer or peer group. |
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } advertise evpn-route suppress { ip-prefix | mac-ip } |
By default, advertisement of BGP EVPN routes is not suppressed. |
Configuring VXLAN mapping
Overview
The VXLAN mapping feature provides Layer 2 connectivity for a tenant subnet that uses different VXLAN IDs in multiple data centers.
If you map a local VXLAN to a remote VXLAN on an ED, the ED processes routes as follows:
· When the ED receives the local VXLAN's MAC/IP advertisement routes from local VTEPs, it performs the following operations:
¡ Adds the routes to the local VXLAN.
¡ Replaces the VXLAN ID of the routes with the remote VXLAN ID and advertises the routes to remote EDs.
· When the ED receives the remote VXLAN's MAC/IP advertisement routes from a remote data center, it adds the routes to the local VXLAN.
VXLAN mapping includes the following types:
· Non-intermediate VXLAN mapping—When two data centers use different VXLAN IDs for a subnet, map the local VXLAN to the remote VXLAN on the ED of one data center. For example, for VXLAN 10 of data center 1 to communicate with VXLAN 20 of data center 2, map VXLAN 10 to VXLAN 20 on the ED of data center 1.
· Intermediate VXLAN mapping—When multiple data centers use different VXLAN IDs for a subnet, map the VXLANs to an intermediate VXLAN on all EDs. For example, data center 1 uses VXLAN 10, data center 2 uses VXLAN 20, and data center 3 uses VXLAN 30. To provide connectivity for the VXLANs, map them to intermediate VXLAN 500 on EDs of the data centers. You must use intermediate VXLAN mapping if more than two data centers use different VXLAN IDs. The intermediate VXLAN can be used only for VXLAN mapping, and it cannot be used for common VXLAN services.
Configuration restrictions and guidelines
You must create mapped remote VXLANs on the device, create an EVPN instance for each remote VXLAN, and configure RD and route target settings for the EVPN instances.
When you use VXLAN mapping, follow these route target restrictions:
· EVPN instances and VPN instances do not have the same export targets.
· EVPN instances and the public instance do not have the same export targets.
If only Layer 2 connectivity is required between data centers with VXLAN mapping configured, you can enable the EDs of the data centers to remove the route targets of VPN instances that are associated with L3 VXLAN IDs from the BGP EVPN routes for mapped remote VXLANs. This prevents remote EDs from adding the BGP EVPN routes for mapped remote VXLANs to the routing tables of VPN instances.
Configuration procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter VSI view. |
vsi vsi-name |
N/A |
3. Enter EVPN instance view. |
evpn encapsulation vxlan |
N/A |
4. Map the local VXLAN to a remote VXLAN. |
mapping vni vxlan-id |
By default, a local VXLAN is not mapped to any remote VXLAN. The remote VXLAN ID cannot be the same as the reserved VXLAN ID specified by using the reserved vxlan command or the L3 VXLAN ID specified by using the l3-vni command. For more information about the reserved vxlan command, see VXLAN Command Reference. |
5. (Optional.) Remove the route targets of VPN instances from BGP EVPN routes for mapped remote VXLANs. |
a. Execute the following commands in sequence to return to system view.
b. Enter BGP instance view.
c. Enter BGP EVPN address family view.
6. Remove the route targets of VPN instances from BGP EVPN routes for mapped remote VXLANs. |
By default, the device does not remove the route targets of VPN instances from BGP EVPN routes for mapped remote VXLANs. |
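A pre-deployment check for the VXLAN mapping restrictions above, as an added example that is not part of the H3C guide: it reads CLI lines in the [Device-view] command form this guide prints and reports mappings whose remote VXLAN is not created, lacks an RD or route target, or collides with the reserved or an L3 VXLAN ID. The SwitchX lines are constructed; the "reserved vxlan <id>" argument form and hyphen-free device and VSI names are assumptions.

```python
import re
from collections import defaultdict

# Prompt forms used in this guide: [Device], [Device-vsi-NAME], [Device-vsi-NAME-evpn-vxlan].
# Assumption: device and VSI names contain no hyphen.
PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)(?P<view>-[^\]]+)?\]\s+(?P<cmd>.+)$")
VSI_VIEW = re.compile(r"^-vsi-(?P<vsi>[^-]+)(?P<evpn>-evpn-vxlan)?$")
RT_DIRECTION = {"both", "import-extcommunity", "export-extcommunity"}


def _new_device():
    vsis = defaultdict(lambda: {"vni": None, "rd": False, "rts": set(), "map": None})
    return {"vsis": vsis, "reserved": None, "l3vnis": set()}


def parse_transcript(text):
    """Build {device: state} from '[Device-view] command' lines."""
    devices = defaultdict(_new_device)
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # '# ...' comments, '<Device> system-view', blank lines
        dev, words = devices[m["dev"]], m["cmd"].split()
        if words[0] == "l3-vni" and len(words) == 2:
            dev["l3vnis"].add(int(words[1]))  # L3 VXLAN ID, whatever the view
        elif m["view"] is None and words[:2] == ["reserved", "vxlan"] and len(words) == 3:
            dev["reserved"] = int(words[2])  # assumed form: reserved vxlan <id>
        view = VSI_VIEW.match(m["view"] or "")
        if not view:
            continue  # BGP, interface and VXLAN views carry nothing checked here
        vsi = dev["vsis"][view["vsi"]]
        if not view["evpn"]:
            if words[0] == "vxlan" and len(words) == 2:
                vsi["vni"] = int(words[1])
        elif words[0] == "route-distinguisher" and len(words) == 2:
            vsi["rd"] = True
        elif words[0] == "vpn-target":
            vsi["rts"].update(w for w in words[1:] if w not in RT_DIRECTION)
        elif words[:2] == ["mapping", "vni"] and len(words) == 3:
            vsi["map"] = int(words[2])
    return devices


def audit_mappings(devices):
    """Return sorted (device, vsi, problem) tuples for every 'mapping vni' found."""
    findings = []
    for name, dev in devices.items():
        by_vni = {v["vni"]: (n, v) for n, v in dev["vsis"].items() if v["vni"] is not None}
        for vname, vsi in dev["vsis"].items():
            target = vsi["map"]
            if target is None:
                continue
            if target == dev["reserved"]:
                findings.append((name, vname, f"mapped VNI {target} is the reserved VXLAN ID"))
            if target in dev["l3vnis"]:
                findings.append((name, vname, f"mapped VNI {target} is also an L3 VXLAN ID"))
            if target not in by_vni:
                findings.append((name, vname, f"mapped VXLAN {target} is not created on this device"))
                continue
            rname, remote = by_vni[target]
            if not remote["rd"]:
                findings.append((name, vname, f"mapped VXLAN {target} (VSI {rname}) has no RD"))
            if not remote["rts"]:
                findings.append((name, vname, f"mapped VXLAN {target} (VSI {rname}) has no route target"))
    return sorted(findings)


# SwitchB follows this guide's intermediate VXLAN mapping example; SwitchX is a constructed draft.
SAMPLE = """\
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna] evpn encapsulation vxlan
[SwitchB-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchB-vsi-vpna-evpn-vxlan] mapping vni 500
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] vxlan 500
[SwitchB-vsi-vpnb] evpn encapsulation vxlan
[SwitchB-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpnb-evpn-vxlan] vpn-target 123:456
[SwitchX] vsi vpna
[SwitchX-vsi-vpna] vxlan 20
[SwitchX-vsi-vpna] evpn encapsulation vxlan
[SwitchX-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchX-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchX-vsi-vpna-evpn-vxlan] mapping vni 600
[SwitchX] vsi vpnb
[SwitchX-vsi-vpnb] vxlan 600
[SwitchX-vsi-vpnb] evpn encapsulation vxlan
[SwitchX-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchX] interface vsi-interface 3
[SwitchX-Vsi-interface3] l3-vni 600
"""

if __name__ == "__main__":
    for finding in audit_mappings(parse_transcript(SAMPLE)):
        print(*finding, sep=": ")
```

SwitchB passes; SwitchX is reported twice, once for mapping to a VNI that is also an L3 VXLAN ID and once because the EVPN instance of VXLAN 600 has no route target.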
Configuring the BGP EVPN address family and the BGP VPNv4 or VPNv6 address family to exchange routes
Overview
When data centers are interconnected through an MPLS L3VPN network, EVPN EDs also act as MPLS L3VPN PEs. To enable communication between the data centers, you must perform the following tasks on the EDs:
· Configure both MPLS L3VPN and EVPN.
· Configure the BGP EVPN address family and the BGP VPNv4 or VPNv6 address family to exchange routes.
Figure 26 Data centers interconnected through an MPLS L3VPN network
Enabling BGP VPNv4 or VPNv6 route advertisement for the BGP EVPN address family
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter BGP instance view. |
bgp as-number [ instance instance-name ] |
N/A |
3. Enter BGP EVPN address family view. |
address-family l2vpn evpn |
N/A |
4. Enable BGP VPNv4 or VPNv6 route advertisement for the BGP EVPN address family. |
advertise l3vpn route [ replace-rt ] [ advertise-policy policy-name ] |
By default, BGP VPNv4 or VPNv6 routes are not advertised through the BGP EVPN address family. After you execute this command, the device advertises BGP VPNv4 or VPNv6 routes as IP prefix advertisement routes through the BGP EVPN address family. |
Enabling BGP EVPN route advertisement for the BGP VPNv4 or VPNv6 address family
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter BGP instance view. |
bgp as-number [ instance instance-name ] |
N/A |
3. Enter BGP VPNv4 address family view or BGP VPNv6 address family view. |
address-family { vpnv4 | vpnv6 } |
N/A |
4. Enable BGP EVPN route advertisement for the BGP VPNv4 or VPNv6 address family. |
advertise evpn route [ replace-rt ] [ advertise-policy policy-name ] |
By default, BGP EVPN routes are not advertised through the BGP VPNv4 or VPNv6 address family. After you execute this command, the device advertises IP prefix advertisement routes and MAC/IP advertisement routes that contain host route information through the BGP VPNv4 or VPNv6 address family. |
Configuring EVPN-DCI dual-homing
Overview
For high availability and load sharing, you can deploy two EDs at a data center. To virtualize the redundant EDs into one device, you must configure the same virtual ED address on them.
Configuration restrictions and guidelines
Do not configure a virtual ED address on the only ED of a data center.
On a redundant ED, the virtual ED address must be the IP address of a loopback interface, and it cannot be the BGP peer IP address of the ED.
Redundant EDs cannot provide access service for local VMs. They can act only as EDs. For correct communication, do not redistribute external routes on only one of the redundant EDs. However, you can redistribute the same external routes on both EDs.
The evpn edge group and evpn m-lag group commands are mutually exclusive. Do not use them together.
To use EVPN-DCI dual-homing, make sure the overlay and underlay networks are both IPv4 networks or both IPv6 networks.
If you execute the undo bgp command to disable the BGP instance of the EVPN address family, the evpn edge group setting will also be deleted. Make sure you are fully aware of the impact of the undo bgp command when you use it on a live network.
Configuration procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Configure a virtual ED address. |
evpn edge group { group-ipv4 | group-ipv6 } |
By default, no virtual ED address is configured. |
Configuring EVPN-DCI M-LAG
To set up an M-LAG system with two EDs, configure a virtual VTEP address on the EDs. The EDs will use the virtual VTEP address to set up VXLAN tunnels or VXLAN-DCI tunnels with VTEPs or remote EDs.
Configuration restrictions and guidelines
Do not execute the evpn m-lag local command if you have configured EVPN-DCI M-LAG.
When you attach a user site to an M-LAG system, attach it to both M-LAG interfaces in an M-LAG group. Do not configure single-homed ACs on the member EDs.
Configuration procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Configure a virtual ED address. |
evpn m-lag group { virtual-vtep-ipv4 | virtual-vtep-ipv6 } |
By default, EVPN-DCI M-LAG is not configured. |
3. Enter BGP instance view. |
bgp as-number [ instance instance-name ] |
N/A |
4. Enter BGP EVPN address family view. |
address-family l2vpn evpn |
N/A |
5. Enable the device to replace the next hop in advertised BGP EVPN routes with the virtual VTEP address. |
nexthop evpn-m-lag group-address |
The default settings are as follows: · When advertising BGP EVPN routes to an EBGP peer or peer group, the device replaces the next hop with the IP address of the source interface used to establish BGP sessions. · When advertising EBGP routes to an IBGP peer or peer group, the device does not modify the next hop. |
Enabling EVPN-DCI support for cross-VXLAN Layer 2 multicast
Overview
This task enables Layer 2 multicast between two data centers that use different VXLAN IDs.
After you perform this task and execute the mapping vni command on an ED in an EVPN-DCI network, the ED performs the following operations:
1. Verifies that the route targets in a SMET route received from a remote ED or local VTEP match the import route targets of the local EVPN instance.
2. Replaces the route targets in the SMET route with those of the EVPN instance that uses the remote VXLAN ID mapped to the local VXLAN ID.
3. Advertises the SMET route to remote EDs or local VTEPs.
Configuration restrictions and guidelines
This task takes effect only after the mapping vni command is executed.
Configuration procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter VSI view. |
vsi vsi-name |
N/A |
3. Enter EVPN instance view. |
evpn encapsulation vxlan |
N/A |
4. Enable SMET route reorigination based on the remote VXLAN IDs in VXLAN mappings. |
mapping-vni-based smet |
By default, the device does not reoriginate SMET routes based on mapped remote VXLAN IDs. |
EVPN-DCI configuration examples
Basic EVPN-DCI configuration example (IPv4 underlay network)
Network requirements
As shown in Figure 27:
· Configure VXLAN 10 on Switch A through Switch D to provide connectivity for the VMs in the data centers.
· Configure Switch A and Switch D as VTEPs, and configure Switch B and Switch C as EDs.
Configuration procedure
1. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 27. (Details not shown.)
# Configure OSPF on the transport network for the switches to reach one another. (Details not shown.)
2. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Disable remote MAC address learning.
[SwitchA] vxlan tunnel mac-learning disable
# Create VXLAN 10 on VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
# Create an EVPN instance on VSI vpna. Configure the switch to automatically generate an RD, and manually configure a route target for the EVPN instance.
[SwitchA-vsi-vpna] evpn encapsulation vxlan
[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpna-evpn-vxlan] vpn-target 123:456
[SwitchA-vsi-vpna-evpn-vxlan] quit
[SwitchA-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchA] bgp 100
[SwitchA-bgp-default] peer 2.2.2.2 as-number 100
[SwitchA-bgp-default] peer 2.2.2.2 connect-interface loopback 0
[SwitchA-bgp-default] address-family l2vpn evpn
[SwitchA-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchA-bgp-default-evpn] quit
[SwitchA-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 100.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[SwitchA-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 100
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] quit
3. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Disable remote MAC address learning.
[SwitchB] vxlan tunnel mac-learning disable
# Enable DCI on the Layer 3 interface that connects Switch B to Switch C for the switches to establish a VXLAN-DCI tunnel.
[SwitchB] interface vlan-interface 12
[SwitchB-Vlan-interface12] dci enable
[SwitchB-Vlan-interface12] quit
# Create VXLAN 10 on VSI vpna.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
# Create an EVPN instance on VSI vpna. Configure the switch to automatically generate an RD, and manually configure a route target for the EVPN instance.
[SwitchB-vsi-vpna] evpn encapsulation vxlan
[SwitchB-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpna-evpn-vxlan] vpn-target 123:456
[SwitchB-vsi-vpna-evpn-vxlan] quit
[SwitchB-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch A, and enable router MAC replacement for routes advertised to and received from Switch C.
[SwitchB] bgp 100
[SwitchB-bgp-default] peer 3.3.3.3 as-number 200
[SwitchB-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchB-bgp-default] peer 3.3.3.3 ebgp-max-hop 64
[SwitchB-bgp-default] peer 1.1.1.1 as-number 100
[SwitchB-bgp-default] peer 1.1.1.1 connect-interface loopback 0
[SwitchB-bgp-default] address-family l2vpn evpn
[SwitchB-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchB-bgp-default-evpn] peer 3.3.3.3 router-mac-local
[SwitchB-bgp-default-evpn] peer 1.1.1.1 enable
[SwitchB-bgp-default-evpn] peer 1.1.1.1 next-hop-local
[SwitchB-bgp-default-evpn] quit
[SwitchB-bgp-default] quit
4. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Disable remote MAC address learning.
[SwitchC] vxlan tunnel mac-learning disable
# Enable DCI on the Layer 3 interface that connects Switch C to Switch B for the switches to establish a VXLAN-DCI tunnel.
[SwitchC] interface vlan-interface 12
[SwitchC-Vlan-interface12] dci enable
[SwitchC-Vlan-interface12] quit
# Create VXLAN 10 on VSI vpna.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 10
[SwitchC-vsi-vpna-vxlan-10] quit
# Create an EVPN instance on VSI vpna. Configure the switch to automatically generate an RD, and manually configure a route target for the EVPN instance.
[SwitchC-vsi-vpna] evpn encapsulation vxlan
[SwitchC-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchC-vsi-vpna-evpn-vxlan] vpn-target 123:456
[SwitchC-vsi-vpna-evpn-vxlan] quit
[SwitchC-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch D, and enable router MAC replacement for routes advertised to and received from Switch B.
[SwitchC] bgp 200
[SwitchC-bgp-default] peer 2.2.2.2 as-number 100
[SwitchC-bgp-default] peer 2.2.2.2 connect-interface loopback 0
[SwitchC-bgp-default] peer 2.2.2.2 ebgp-max-hop 64
[SwitchC-bgp-default] peer 4.4.4.4 as-number 200
[SwitchC-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchC-bgp-default] address-family l2vpn evpn
[SwitchC-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchC-bgp-default-evpn] peer 2.2.2.2 router-mac-local
[SwitchC-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchC-bgp-default-evpn] peer 4.4.4.4 next-hop-local
[SwitchC-bgp-default-evpn] quit
[SwitchC-bgp-default] quit
5. Configure Switch D:
# Enable L2VPN.
<SwitchD> system-view
[SwitchD] l2vpn enable
# Disable remote MAC address learning.
[SwitchD] vxlan tunnel mac-learning disable
# Create VXLAN 10 on VSI vpna.
[SwitchD] vsi vpna
[SwitchD-vsi-vpna] vxlan 10
[SwitchD-vsi-vpna-vxlan-10] quit
# Create an EVPN instance on VSI vpna. Configure the switch to automatically generate an RD, and manually configure a route target for the EVPN instance.
[SwitchD-vsi-vpna] evpn encapsulation vxlan
[SwitchD-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchD-vsi-vpna-evpn-vxlan] vpn-target 123:456
[SwitchD-vsi-vpna-evpn-vxlan] quit
[SwitchD-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchD] bgp 200
[SwitchD-bgp-default] peer 3.3.3.3 as-number 200
[SwitchD-bgp-default] peer 3.3.3.3 connect-interface Loopback 0
[SwitchD-bgp-default] address-family l2vpn evpn
[SwitchD-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchD-bgp-default-evpn] quit
[SwitchD-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 200.
[SwitchD] interface ten-gigabitethernet 1/0/1
[SwitchD-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-Ten-GigabitEthernet1/0/1] port trunk permit vlan 200
[SwitchD-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 200
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] quit
Verifying the configuration
1. Verify the configuration on EDs. (This example uses Switch B.)
# Verify that the ED has discovered Switch A and Switch C through IMET routes and has established VXLAN and VXLAN-DCI tunnels to the switches.
[SwitchB] display evpn auto-discovery imet
Total number of automatically discovered peers: 2
VSI name: vpna
RD PE_address Tunnel_address Tunnel mode VXLAN ID
1:10 1.1.1.1 1.1.1.1 VXLAN 10
1:10 3.3.3.3 3.3.3.3 VXLAN-DCI 10
# Verify that the VXLAN and VXLAN-DCI tunnels on the ED are up.
[SwitchB] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 2.2.2.2, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 2.2.2.2, destination 3.3.3.3
Tunnel protocol/transport UDP_VXLAN-DCI/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the VXLAN and VXLAN-DCI tunnels have been assigned to the VXLAN.
[SwitchB] display l2vpn vsi name vpna verbose
VSI Name: vpna
VSI Index : 0
VSI State : Up
MTU : 1500
Bandwidth : -
Broadcast Restrain : -
Multicast Restrain : -
Unknown Unicast Restrain: -
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
VXLAN ID : 10
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel0 0x5000000 UP Auto Disabled
Tunnel1 0x5000001 UP Auto Disabled
# Verify that the ED has generated EVPN MAC address entries for the VMs.
[SwitchB] display evpn route mac
Flags: D - Dynamic B - BGP L - Local active
G - Gateway S - Static M - Mapping I - Invalid
VSI name: vpna
MAC address Link ID/Name Flags Next hop
0001-0001-0011 Tunnel0 B 1.1.1.1
0001-0001-0033 Tunnel1 B 3.3.3.3
2. Verify that VM 1 and VM 2 can communicate. (Details not shown.)
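The peer check in step 1 can be compared against an inventory, so that a tunnel endpoint nobody expected, or a remote ED reached over a plain VXLAN tunnel instead of a VXLAN-DCI tunnel, is reported. This is an added example, not part of the H3C guide; the expected-peer table and the second sample output are constructed, and the parser assumes the five-column row layout shown above.

```python
import re

# One data row: RD, PE address, tunnel address, tunnel mode, VXLAN ID.
ROW = re.compile(r"^(?P<rd>\S+:\S+)\s+(?P<pe>\S+)\s+(?P<tunnel>\S+)\s+"
                 r"(?P<mode>VXLAN(?:-DCI)?)\s+(?P<vni>\d+)$")
TOTAL = "Total number of automatically discovered peers:"


def parse_imet(output):
    """Return (declared_total, peers) from 'display evpn auto-discovery imet' text."""
    total, vsi, peers = None, None, []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(TOTAL):
            total = int(line[len(TOTAL):])
        elif line.startswith("VSI name:"):
            vsi = line.split(":", 1)[1].strip()
        else:
            m = ROW.match(line)  # the column header row does not match
            if m:
                peers.append({"vsi": vsi, "tunnel": m["tunnel"],
                              "mode": m["mode"], "vni": int(m["vni"])})
    return total, peers


def audit_peers(output, expected):
    """expected maps (vsi, tunnel_address) -> (tunnel_mode, vxlan_id)."""
    total, peers = parse_imet(output)
    findings, seen = [], set()
    if total is not None and total != len(peers):
        findings.append(f"header reports {total} peers, parsed {len(peers)} rows")
    for p in peers:
        key = (p["vsi"], p["tunnel"])
        seen.add(key)
        want = expected.get(key)
        if want is None:
            findings.append(f"{p['vsi']}: unexpected peer {p['tunnel']} "
                            f"({p['mode']}, VXLAN {p['vni']})")
        elif (p["mode"], p["vni"]) != want:
            findings.append(f"{p['vsi']}: peer {p['tunnel']} is {p['mode']}/{p['vni']}, "
                            f"expected {want[0]}/{want[1]}")
    for vsi, addr in sorted(set(expected) - seen):
        findings.append(f"{vsi}: expected peer {addr} not discovered")
    return findings


# Inventory for Switch B in this example (constructed from the network requirements).
EXPECTED = {("vpna", "1.1.1.1"): ("VXLAN", 10),
            ("vpna", "3.3.3.3"): ("VXLAN-DCI", 10)}

# Output as shown in the verification step above.
PAGE_OUTPUT = """\
Total number of automatically discovered peers: 2
VSI name: vpna
RD PE_address Tunnel_address Tunnel mode VXLAN ID
1:10 1.1.1.1 1.1.1.1 VXLAN 10
1:10 3.3.3.3 3.3.3.3 VXLAN-DCI 10
"""

# Constructed output: wrong tunnel mode to the remote ED and one unknown endpoint.
DRIFTED_OUTPUT = """\
Total number of automatically discovered peers: 3
VSI name: vpna
RD PE_address Tunnel_address Tunnel mode VXLAN ID
1:10 1.1.1.1 1.1.1.1 VXLAN 10
1:10 3.3.3.3 3.3.3.3 VXLAN 10
1:10 192.0.2.99 192.0.2.99 VXLAN 10
"""

if __name__ == "__main__":
    for text in (PAGE_OUTPUT, DRIFTED_OUTPUT):
        print(audit_peers(text, EXPECTED) or "peers match inventory")
```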
EVPN-DCI intermediate VXLAN mapping configuration example (IPv4 underlay network)
Network requirements
As shown in Figure 28:
· Configure VXLAN 10 on VTEP Switch A and ED Switch B, and configure VXLAN 30 on VTEP Switch D and ED Switch C.
· Configure intermediate VXLAN mapping for VXLAN 10 and VXLAN 30 to have Layer 2 connectivity:
¡ Map VXLAN 10 to intermediate VXLAN 500 on Switch B.
¡ Map VXLAN 30 to intermediate VXLAN 500 on Switch C.
Configuration procedure
1. Configure IP addresses and unicast routing settings:
# Assign IP addresses to interfaces, as shown in Figure 28. (Details not shown.)
# Configure OSPF on the transport network for the switches to reach one another. (Details not shown.)
2. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Disable remote MAC address learning.
[SwitchA] vxlan tunnel mac-learning disable
# Create VXLAN 10 on VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
# Create an EVPN instance on VSI vpna. Configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA-vsi-vpna] evpn encapsulation vxlan
[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpna-evpn-vxlan] quit
[SwitchA-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchA] bgp 100
[SwitchA-bgp-default] peer 2.2.2.2 as-number 100
[SwitchA-bgp-default] peer 2.2.2.2 connect-interface loopback 0
[SwitchA-bgp-default] address-family l2vpn evpn
[SwitchA-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchA-bgp-default-evpn] quit
[SwitchA-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 100.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[SwitchA-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 100
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] quit
3. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Disable remote MAC address learning.
[SwitchB] vxlan tunnel mac-learning disable
# Enable DCI on the Layer 3 interface that connects Switch B to Switch C for the switches to establish a VXLAN-DCI tunnel.
[SwitchB] interface vlan-interface 12
[SwitchB-Vlan-interface12] dci enable
[SwitchB-Vlan-interface12] quit
# Create VXLAN 10 on VSI vpna.
[SwitchB] vsi vpna
[SwitchB-vsi-vpna] vxlan 10
[SwitchB-vsi-vpna-vxlan-10] quit
# Create an EVPN instance on VSI vpna. Configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchB-vsi-vpna] evpn encapsulation vxlan
[SwitchB-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpna-evpn-vxlan] vpn-target auto
# Map local VXLAN 10 to intermediate VXLAN 500.
[SwitchB-vsi-vpna-evpn-vxlan] mapping vni 500
[SwitchB-vsi-vpna-evpn-vxlan] quit
[SwitchB-vsi-vpna] quit
# Create VXLAN 500 on VSI vpnb. The switch will replace the VXLAN ID of VXLAN 10's traffic with VXLAN ID 500 when performing Layer 2 forwarding.
[SwitchB] vsi vpnb
[SwitchB-vsi-vpnb] vxlan 500
[SwitchB-vsi-vpnb-vxlan-500] quit
# Create an EVPN instance on VSI vpnb. Configure the switch to automatically generate an RD, and manually configure a route target for the EVPN instance.
[SwitchB-vsi-vpnb] evpn encapsulation vxlan
[SwitchB-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchB-vsi-vpnb-evpn-vxlan] vpn-target 123:456
[SwitchB-vsi-vpnb-evpn-vxlan] quit
[SwitchB-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch A, and enable router MAC replacement for routes advertised to and received from Switch C.
[SwitchB] bgp 100
[SwitchB-bgp-default] peer 3.3.3.3 as-number 200
[SwitchB-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchB-bgp-default] peer 3.3.3.3 ebgp-max-hop 64
[SwitchB-bgp-default] peer 1.1.1.1 as-number 100
[SwitchB-bgp-default] peer 1.1.1.1 connect-interface loopback 0
[SwitchB-bgp-default] address-family l2vpn evpn
[SwitchB-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchB-bgp-default-evpn] peer 3.3.3.3 router-mac-local
[SwitchB-bgp-default-evpn] peer 1.1.1.1 enable
[SwitchB-bgp-default-evpn] peer 1.1.1.1 next-hop-local
[SwitchB-bgp-default-evpn] quit
[SwitchB-bgp-default] quit
4. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Disable remote MAC address learning.
[SwitchC] vxlan tunnel mac-learning disable
# Enable DCI on the Layer 3 interface that connects Switch C to Switch B for the switches to establish a VXLAN-DCI tunnel.
[SwitchC] interface vlan-interface 12
[SwitchC-Vlan-interface12] dci enable
[SwitchC-Vlan-interface12] quit
# Create VXLAN 30 on VSI vpna.
[SwitchC] vsi vpna
[SwitchC-vsi-vpna] vxlan 30
[SwitchC-vsi-vpna-vxlan-30] quit
# Create an EVPN instance on VSI vpna. Configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchC-vsi-vpna] evpn encapsulation vxlan
[SwitchC-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchC-vsi-vpna-evpn-vxlan] vpn-target auto
# Map local VXLAN 30 to intermediate VXLAN 500.
[SwitchC-vsi-vpna-evpn-vxlan] mapping vni 500
[SwitchC-vsi-vpna-evpn-vxlan] quit
[SwitchC-vsi-vpna] quit
# Create VXLAN 500 on VSI vpnb. The switch will replace the VXLAN ID of VXLAN 30's traffic with VXLAN ID 500 when performing Layer 2 forwarding.
[SwitchC] vsi vpnb
[SwitchC-vsi-vpnb] vxlan 500
[SwitchC-vsi-vpnb-vxlan-500] quit
# Create an EVPN instance on VSI vpnb. Configure the switch to automatically generate an RD, and manually configure a route target for the EVPN instance.
[SwitchC-vsi-vpnb] evpn encapsulation vxlan
[SwitchC-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchC-vsi-vpnb-evpn-vxlan] vpn-target 123:456
[SwitchC-vsi-vpnb-evpn-vxlan] quit
[SwitchC-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch D, and enable router MAC replacement for routes advertised to and received from Switch B.
[SwitchC] bgp 200
[SwitchC-bgp-default] peer 2.2.2.2 as-number 100
[SwitchC-bgp-default] peer 2.2.2.2 connect-interface loopback 0
[SwitchC-bgp-default] peer 2.2.2.2 ebgp-max-hop 64
[SwitchC-bgp-default] peer 4.4.4.4 as-number 200
[SwitchC-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchC-bgp-default] address-family l2vpn evpn
[SwitchC-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchC-bgp-default-evpn] peer 2.2.2.2 router-mac-local
[SwitchC-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchC-bgp-default-evpn] peer 4.4.4.4 next-hop-local
[SwitchC-bgp-default-evpn] quit
[SwitchC-bgp-default] quit
5. Configure Switch D:
# Enable L2VPN.
<SwitchD> system-view
[SwitchD] l2vpn enable
# Disable remote MAC address learning.
[SwitchD] vxlan tunnel mac-learning disable
# Create VXLAN 30 on VSI vpna.
[SwitchD] vsi vpna
[SwitchD-vsi-vpna] vxlan 30
[SwitchD-vsi-vpna-vxlan-30] quit
# Create an EVPN instance on VSI vpna. Configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchD-vsi-vpna] evpn encapsulation vxlan
[SwitchD-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchD-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchD-vsi-vpna-evpn-vxlan] quit
[SwitchD-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchD] bgp 200
[SwitchD-bgp-default] peer 3.3.3.3 as-number 200
[SwitchD-bgp-default] peer 3.3.3.3 connect-interface Loopback 0
[SwitchD-bgp-default] address-family l2vpn evpn
[SwitchD-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchD-bgp-default-evpn] quit
[SwitchD-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 200.
[SwitchD] interface ten-gigabitethernet 1/0/1
[SwitchD-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-Ten-GigabitEthernet1/0/1] port trunk permit vlan 200
[SwitchD-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 200
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchD-Ten-GigabitEthernet1/0/1-srv1000] quit
Verifying the configuration
1. Verify the configuration on EDs. (This example uses Switch B.)
# Verify that the ED has discovered Switch A and Switch C through IMET routes and has established VXLAN and VXLAN-DCI tunnels to the switches.
[SwitchB] display evpn auto-discovery imet
Total number of automatically discovered peers: 2
VSI name: vpna
RD PE_address Tunnel_address Tunnel mode VXLAN ID
1:10 1.1.1.1 1.1.1.1 VXLAN 10
1:500 3.3.3.3 3.3.3.3 VXLAN-DCI 500
# Verify that the VXLAN and VXLAN-DCI tunnels on the ED are up.
[SwitchB] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 2.2.2.2, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 2.2.2.2, destination 3.3.3.3
Tunnel protocol/transport UDP_VXLAN-DCI/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the VXLAN and VXLAN-DCI tunnels have been assigned to VXLAN 10, and that no tunnels are assigned to intermediate VXLAN 500.
[SwitchB] display l2vpn vsi verbose
VSI Name: vpna
VSI Index : 0
VSI State : Up
MTU : 1500
Bandwidth : -
Broadcast Restrain : -
Multicast Restrain : -
Unknown Unicast Restrain: -
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
VXLAN ID : 10
Tunnels:
Tunnel Name Link ID State Type Flood proxy
Tunnel0 0x5000000 UP Auto Disabled
Tunnel1 0x5000001 UP Auto Disabled
VSI Name: vpnb
VSI Index : 1
VSI State : Up
MTU : 1500
Bandwidth : -
Broadcast Restrain : -
Multicast Restrain : -
Unknown Unicast Restrain: -
MAC Learning : Enabled
MAC Table Limit : -
MAC Learning rate : -
Drop Unknown : -
Flooding : Enabled
Statistics : Disabled
VXLAN ID : 500
# Verify that the ED has generated EVPN MAC address entries for the VMs, and the remote MAC address entry has the M flag.
[SwitchB] display evpn route mac
Flags: D - Dynamic B - BGP L - Local active
G - Gateway S - Static M - Mapping I - Invalid
VSI name: vpna
MAC address Link ID/Name Flags Next hop
0001-0001-0011 Tunnel0 B 1.1.1.1
0001-0001-0033 Tunnel1 BM 3.3.3.3
2. Verify that VM 1 and VM 2 can communicate. (Details not shown.)
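The following Python script is an added example, not part of the original guide. It cross-checks the `display interface tunnel` and `display evpn route mac` output shown above, so that every MAC entry on a tunnel is BGP-learned, points at that tunnel's destination, and carries the M flag when it is reached over the VXLAN-DCI tunnel. Assumptions: the D flag on a tunnel entry means the MAC was learned from the data plane despite `vxlan tunnel mac-learning disable`, and the M-flag rule applies because this example maps VXLAN 10 to intermediate VXLAN 500.

```python
import re

# Output copied from the verification step above (whitespace collapsed;
# counters and other lines the check does not read are omitted).
TUNNELS = """\
Tunnel0
Current state: UP
Line protocol state: UP
Tunnel source 2.2.2.2, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Tunnel1
Current state: UP
Line protocol state: UP
Tunnel source 2.2.2.2, destination 3.3.3.3
Tunnel protocol/transport UDP_VXLAN-DCI/IP
"""
MAC_ROUTES = """\
Flags: D - Dynamic B - BGP L - Local active
G - Gateway S - Static M - Mapping I - Invalid
VSI name: vpna
MAC address Link ID/Name Flags Next hop
0001-0001-0011 Tunnel0 B 1.1.1.1
0001-0001-0033 Tunnel1 BM 3.3.3.3
"""

MAC_ROW = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+([DBLGSMI]+)\s+(\S+)$",
    re.I)


def parse_tunnels(text):
    """Return {tunnel name: {"state", "line", "dst", "mode"}}."""
    tunnels, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"Tunnel\d+", line):
            cur = tunnels.setdefault(line, {})
        elif cur is None:
            continue
        elif line.startswith("Current state:"):
            cur["state"] = line.split(":", 1)[1].strip()
        elif line.startswith("Line protocol state:"):
            cur["line"] = line.split(":", 1)[1].strip()
        elif m := re.match(r"Tunnel source \S+, destination (\S+)", line):
            cur["dst"] = m.group(1)
        elif m := re.match(r"Tunnel protocol/transport UDP_(\S+)/IP", line):
            cur["mode"] = m.group(1)
    return tunnels


def parse_mac_routes(text):
    """Return one dict per MAC entry of 'display evpn route mac'."""
    rows, vsi = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("VSI name:"):
            vsi = line.split(":", 1)[1].strip()
        elif m := MAC_ROW.match(line):
            mac, link, flags, next_hop = m.groups()
            rows.append({"vsi": vsi, "mac": mac.lower(), "link": link,
                         "flags": set(flags.upper()), "next_hop": next_hop})
    return rows


def audit(tunnel_text, mac_text):
    """Cross-check remote MAC entries against tunnel state and mode."""
    tunnels = parse_tunnels(tunnel_text)
    findings = [f"{name}: not UP/UP (destination {t.get('dst')})"
                for name, t in sorted(tunnels.items())
                if (t.get("state"), t.get("line")) != ("UP", "UP")]
    for r in parse_mac_routes(mac_text):
        t = tunnels.get(r["link"])
        if t is None:
            continue  # entry on a local attachment circuit, not a tunnel
        where = f"{r['vsi']} {r['mac']} on {r['link']}"
        flags = "".join(sorted(r["flags"]))
        # Assumption: D on a tunnel entry means data-plane learning.
        if "B" not in r["flags"] or "D" in r["flags"]:
            findings.append(f"{where}: not learned from BGP only (flags {flags})")
        if "I" in r["flags"]:
            findings.append(f"{where}: entry is invalid")
        if r["next_hop"] != t.get("dst"):
            findings.append(f"{where}: next hop {r['next_hop']} is not the "
                            f"tunnel destination {t.get('dst')}")
        # Assumption: VXLAN mapping is in use, as in this example.
        if t.get("mode") == "VXLAN-DCI" and "M" not in r["flags"]:
            findings.append(f"{where}: reached over VXLAN-DCI but has no M flag")
    return findings


if __name__ == "__main__":
    for finding in audit(TUNNELS, MAC_ROUTES) or ["no findings"]:
        print(finding)
```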
EVPN-DCI Layer 3 communication configuration example (IPv4 sites+IPv4 underlay network)
Network requirements
As shown in Figure 29:
· Configure VXLAN 10 for data center 1, and configure VXLAN 20 for data center 2.
· Configure Switch A and Switch D as distributed EVPN gateways to perform Layer 3 forwarding between VXLAN 10 and VXLAN 20.
· Configure Switch B and Switch C as EDs.
Configuration procedure
1. Configure IP addresses and unicast routing settings:
# On VM 1, specify 10.1.1.1 as the gateway address. On VM 2, specify 10.1.2.1 as the gateway address. (Details not shown.)
# Assign IP addresses to interfaces, as shown in Figure 29. (Details not shown.)
# Configure OSPF on the transport network for the switches to reach one another. (Details not shown.)
2. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchA] vxlan tunnel mac-learning disable
[SwitchA] vxlan tunnel arp-learning disable
# Create VXLAN 10 on VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
# Create an EVPN instance on VSI vpna. Configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA-vsi-vpna] evpn encapsulation vxlan
[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpna-evpn-vxlan] quit
[SwitchA-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchA] bgp 100
[SwitchA-bgp-default] peer 2.2.2.2 as-number 100
[SwitchA-bgp-default] peer 2.2.2.2 connect-interface loopback 0
[SwitchA-bgp-default] address-family l2vpn evpn
[SwitchA-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchA-bgp-default-evpn] quit
[SwitchA-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 100.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[SwitchA-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 100
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchA] ip vpn-instance vpn1
[SwitchA-vpn-instance-vpn1] route-distinguisher 1:1
[SwitchA-vpn-instance-vpn1] address-family ipv4
[SwitchA-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchA-vpn-ipv4-vpn1] quit
[SwitchA-vpn-instance-vpn1] address-family evpn
[SwitchA-vpn-evpn-vpn1] vpn-target 1:1
[SwitchA-vpn-evpn-vpn1] quit
[SwitchA-vpn-instance-vpn1] quit
# Configure VSI-interface 1 as a distributed gateway.
[SwitchA] interface vsi-interface 1
[SwitchA-Vsi-interface1] ip binding vpn-instance vpn1
[SwitchA-Vsi-interface1] ip address 10.1.1.1 255.255.255.0
[SwitchA-Vsi-interface1] mac-address 1-1-1
[SwitchA-Vsi-interface1] distributed-gateway local
[SwitchA-Vsi-interface1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchA] interface vsi-interface 2
[SwitchA-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchA-Vsi-interface2] l3-vni 1000
[SwitchA-Vsi-interface2] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] gateway vsi-interface 1
[SwitchA-vsi-vpna] quit
3. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchB] vxlan tunnel mac-learning disable
[SwitchB] vxlan tunnel arp-learning disable
# Enable DCI on the Layer 3 interface that connects Switch B to Switch C for the switches to establish a VXLAN-DCI tunnel.
[SwitchB] interface vlan-interface 12
[SwitchB-Vlan-interface12] dci enable
[SwitchB-Vlan-interface12] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch A, and enable router MAC replacement for routes advertised to and received from Switch C.
[SwitchB] bgp 100
[SwitchB-bgp-default] peer 3.3.3.3 as-number 200
[SwitchB-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchB-bgp-default] peer 3.3.3.3 ebgp-max-hop 64
[SwitchB-bgp-default] peer 1.1.1.1 as-number 100
[SwitchB-bgp-default] peer 1.1.1.1 connect-interface loopback 0
[SwitchB-bgp-default] address-family l2vpn evpn
[SwitchB-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchB-bgp-default-evpn] peer 3.3.3.3 router-mac-local
[SwitchB-bgp-default-evpn] peer 1.1.1.1 enable
[SwitchB-bgp-default-evpn] peer 1.1.1.1 next-hop-local
[SwitchB-bgp-default-evpn] quit
[SwitchB-bgp-default] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchB] ip vpn-instance vpn1
[SwitchB-vpn-instance-vpn1] route-distinguisher 1:2
[SwitchB-vpn-instance-vpn1] address-family ipv4
[SwitchB-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchB-vpn-ipv4-vpn1] quit
[SwitchB-vpn-instance-vpn1] address-family evpn
[SwitchB-vpn-evpn-vpn1] vpn-target 1:1
[SwitchB-vpn-evpn-vpn1] quit
[SwitchB-vpn-instance-vpn1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchB] interface vsi-interface 2
[SwitchB-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchB-Vsi-interface2] l3-vni 1000
[SwitchB-Vsi-interface2] quit
4. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchC] vxlan tunnel mac-learning disable
[SwitchC] vxlan tunnel arp-learning disable
# Enable DCI on the Layer 3 interface that connects Switch C to Switch B for the switches to establish a VXLAN-DCI tunnel.
[SwitchC] interface vlan-interface 12
[SwitchC-Vlan-interface12] dci enable
[SwitchC-Vlan-interface12] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch D, and enable router MAC replacement for routes advertised to and received from Switch B.
[SwitchC] bgp 200
[SwitchC-bgp-default] peer 2.2.2.2 as-number 100
[SwitchC-bgp-default] peer 2.2.2.2 connect-interface Loopback 0
[SwitchC-bgp-default] peer 2.2.2.2 ebgp-max-hop 64
[SwitchC-bgp-default] peer 4.4.4.4 as-number 200
[SwitchC-bgp-default] peer 4.4.4.4 connect-interface Loopback 0
[SwitchC-bgp-default] address-family l2vpn evpn
[SwitchC-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchC-bgp-default-evpn] peer 2.2.2.2 router-mac-local
[SwitchC-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchC-bgp-default-evpn] peer 4.4.4.4 next-hop-local
[SwitchC-bgp-default-evpn] quit
[SwitchC-bgp-default] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchC] ip vpn-instance vpn1
[SwitchC-vpn-instance-vpn1] route-distinguisher 1:3
[SwitchC-vpn-instance-vpn1] address-family ipv4
[SwitchC-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchC-vpn-ipv4-vpn1] quit
[SwitchC-vpn-instance-vpn1] address-family evpn
[SwitchC-vpn-evpn-vpn1] vpn-target 1:1
[SwitchC-vpn-evpn-vpn1] quit
[SwitchC-vpn-instance-vpn1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchC] interface vsi-interface 2
[SwitchC-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchC-Vsi-interface2] l3-vni 1000
[SwitchC-Vsi-interface2] quit
5. Configure Switch D:
# Enable L2VPN.
<SwitchD> system-view
[SwitchD] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchD] vxlan tunnel mac-learning disable
[SwitchD] vxlan tunnel arp-learning disable
# Create an EVPN instance on VSI vpnb. Configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchD] vsi vpnb
[SwitchD-vsi-vpnb] evpn encapsulation vxlan
[SwitchD-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchD-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchD-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20 on VSI vpnb.
[SwitchD-vsi-vpnb] vxlan 20
[SwitchD-vsi-vpnb-vxlan-20] quit
[SwitchD-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchD] bgp 200
[SwitchD-bgp-default] peer 3.3.3.3 as-number 200
[SwitchD-bgp-default] peer 3.3.3.3 connect-interface Loopback 0
[SwitchD-bgp-default] address-family l2vpn evpn
[SwitchD-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchD-bgp-default-evpn] quit
[SwitchD-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 3000 to match VLAN 3.
[SwitchD] interface ten-gigabitethernet 1/0/1
[SwitchD-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-Ten-GigabitEthernet1/0/1] port trunk permit vlan 3
[SwitchD-Ten-GigabitEthernet1/0/1] service-instance 3000
[SwitchD-Ten-GigabitEthernet1/0/1-srv3000] encapsulation s-vid 3
# Map Ethernet service instance 3000 to VSI vpnb.
[SwitchD-Ten-GigabitEthernet1/0/1-srv3000] xconnect vsi vpnb
[SwitchD-Ten-GigabitEthernet1/0/1-srv3000] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchD] ip vpn-instance vpn1
[SwitchD-vpn-instance-vpn1] route-distinguisher 1:4
[SwitchD-vpn-instance-vpn1] address-family ipv4
[SwitchD-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchD-vpn-ipv4-vpn1] quit
[SwitchD-vpn-instance-vpn1] address-family evpn
[SwitchD-vpn-evpn-vpn1] vpn-target 1:1
[SwitchD-vpn-evpn-vpn1] quit
[SwitchD-vpn-instance-vpn1] quit
# Configure VSI-interface 1 as a distributed gateway.
[SwitchD] interface vsi-interface 1
[SwitchD-Vsi-interface1] ip binding vpn-instance vpn1
[SwitchD-Vsi-interface1] ip address 10.1.2.1 255.255.255.0
[SwitchD-Vsi-interface1] mac-address 1-2-1
[SwitchD-Vsi-interface1] distributed-gateway local
[SwitchD-Vsi-interface1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchD] interface vsi-interface 2
[SwitchD-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchD-Vsi-interface2] l3-vni 1000
[SwitchD-Vsi-interface2] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpnb.
[SwitchD] vsi vpnb
[SwitchD-vsi-vpnb] gateway vsi-interface 1
[SwitchD-vsi-vpnb] quit
Verifying the configuration
1. Verify the configuration on EDs. (This example uses Switch B.)
# Verify that the ED has discovered Switch A and Switch C through MAC/IP advertisement routes and IP prefix advertisement routes, and has established VXLAN and VXLAN-DCI tunnels to the switches.
[SwitchB] display evpn auto-discovery macip-prefix
Destination IP Source IP L3VNI Tunnel mode OutgoingInterface
1.1.1.1 2.2.2.2 1000 VXLAN Vsi-interface2
3.3.3.3 2.2.2.2 1000 VXLAN-DCI Vsi-interface2
# Verify that the VXLAN and VXLAN-DCI tunnels on the ED are up.
[SwitchB] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 2.2.2.2, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 2.2.2.2, destination 3.3.3.3
Tunnel protocol/transport UDP_VXLAN-DCI/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the ED has EVPN ARP entries and EVPN routes for the VMs.
[SwitchB] display arp vpn-instance vpn1
Type: S-Static D-Dynamic O-Openflow R-Rule M-Multiport I-Invalid
IP address MAC address VLAN/VSI Interface/Link ID Aging Type
1.1.1.1 0031-1900-0000 0 Tunnel0 N/A R
3.3.3.3 0031-3900-0000 0 Tunnel1 N/A R
[SwitchB] display ip routing-table vpn-instance vpn1
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.0/24 BGP 255 0 1.1.1.1 Vsi2
10.1.1.11/32 BGP 255 0 1.1.1.1 Vsi2
10.1.2.0/24 BGP 255 0 3.3.3.3 Vsi2
10.1.2.22/32 BGP 255 0 3.3.3.3 Vsi2
2. Verify that VM 1 and VM 2 can communicate. (Details not shown.)
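The following Python script is an added example, not part of the original guide. It audits the ED transcripts of this example: each EVPN peer must carry the replacement setting the procedure calls for (`router-mac-local` toward the remote ED, `next-hop-local` toward the local site), and the L3 VXLAN ID and EVPN route target of vpn1 must match on both EDs. Assumptions: the eBGP peer is the remote ED and the iBGP peer is the local-site switch, as in this example, and device names contain no hyphen.

```python
import re
from collections import defaultdict

# Lines copied from the Switch B and Switch C steps of this example
# (only the commands the audit reads are kept).
SWITCH_B = """\
[SwitchB] bgp 100
[SwitchB-bgp-default] peer 3.3.3.3 as-number 200
[SwitchB-bgp-default] peer 1.1.1.1 as-number 100
[SwitchB-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchB-bgp-default-evpn] peer 3.3.3.3 router-mac-local
[SwitchB-bgp-default-evpn] peer 1.1.1.1 enable
[SwitchB-bgp-default-evpn] peer 1.1.1.1 next-hop-local
[SwitchB-vpn-evpn-vpn1] vpn-target 1:1
[SwitchB-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchB-Vsi-interface2] l3-vni 1000
"""
SWITCH_C = """\
[SwitchC] bgp 200
[SwitchC-bgp-default] peer 2.2.2.2 as-number 100
[SwitchC-bgp-default] peer 4.4.4.4 as-number 200
[SwitchC-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchC-bgp-default-evpn] peer 2.2.2.2 router-mac-local
[SwitchC-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchC-bgp-default-evpn] peer 4.4.4.4 next-hop-local
[SwitchC-vpn-evpn-vpn1] vpn-target 1:1
[SwitchC-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchC-Vsi-interface2] l3-vni 1000
"""

PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(.*)$")


def parse(transcript):
    """Reduce one switch's CLI transcript to the facts the audit needs."""
    cfg = {"local_as": None, "peer_as": {}, "evpn": defaultdict(set),
           "rt": defaultdict(set), "l3vni": {}}
    binding = {}  # VSI interface view -> VPN instance it is bound to
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m.group(2):
            continue
        # Assumption: no hyphen in the device name, so the view name
        # is everything after the first "-" in the prompt.
        view, cmd = m.group(1).partition("-")[2], m.group(2).split()
        if view == "" and cmd[0] == "bgp" and len(cmd) >= 2:
            cfg["local_as"] = cmd[1]
        elif view == "bgp-default" and cmd[0] == "peer" \
                and len(cmd) == 4 and cmd[2] == "as-number":
            cfg["peer_as"][cmd[1]] = cmd[3]
        elif view == "bgp-default-evpn" and cmd[0] == "peer" and len(cmd) == 3:
            cfg["evpn"][cmd[1]].add(cmd[2])
        elif view.startswith("vpn-evpn-") and cmd[0] == "vpn-target" and len(cmd) >= 2:
            cfg["rt"][view[len("vpn-evpn-"):]].add(cmd[1])
        elif view.startswith("Vsi-interface"):
            if cmd[:3] == ["ip", "binding", "vpn-instance"] and len(cmd) == 4:
                binding[view] = cmd[3]
            elif cmd[0] == "l3-vni" and len(cmd) >= 2 and view in binding:
                cfg["l3vni"][binding[view]] = cmd[1]
    return cfg


def audit_ed(name, cfg):
    """Check the per-peer replacement setting on one ED."""
    findings = []
    for peer, opts in sorted(cfg["evpn"].items()):
        if "enable" not in opts or peer not in cfg["peer_as"]:
            continue  # not an EVPN peer, or its AS is not in the transcript
        ebgp = cfg["peer_as"][peer] != cfg["local_as"]
        # Assumption from this example: eBGP peer = remote ED,
        # iBGP peer = switch in the local data center.
        want = "router-mac-local" if ebgp else "next-hop-local"
        if want not in opts:
            kind = "eBGP" if ebgp else "iBGP"
            findings.append(f"{name}: {kind} EVPN peer {peer} lacks {want}")
    return findings


def audit_eds(transcripts, vpn="vpn1"):
    """Audit every ED, then compare the values this example keeps identical."""
    parsed = {name: parse(text) for name, text in transcripts.items()}
    findings = [f for name, cfg in parsed.items() for f in audit_ed(name, cfg)]
    shared = {
        "L3 VXLAN ID": {n: c["l3vni"].get(vpn) for n, c in parsed.items()},
        "EVPN route target": {n: tuple(sorted(c["rt"][vpn])) or None
                              for n, c in parsed.items()},
    }
    for label, values in shared.items():
        if None in values.values() or len(set(values.values())) > 1:
            findings.append(f"{label} for {vpn} missing or inconsistent: {values}")
    return findings


if __name__ == "__main__":
    for finding in audit_eds({"SwitchB": SWITCH_B, "SwitchC": SWITCH_C}) or ["no findings"]:
        print(finding)
```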
EVPN-DCI Layer 3 communication configuration example (IPv6 sites+IPv4 underlay network)
Network requirements
As shown in Figure 30:
· Configure VXLAN 10 for data center 1, and configure VXLAN 20 for data center 2.
· Configure Switch A and Switch D as distributed EVPN gateways to perform Layer 3 forwarding between VXLAN 10 and VXLAN 20.
· Configure Switch B and Switch C as EDs.
Configuration procedure
1. Configure IP addresses and unicast routing settings:
# On VM 1, specify 11::1 as the gateway address. On VM 2, specify 12::1 as the gateway address. (Details not shown.)
# Assign IP addresses to interfaces, as shown in Figure 30. (Details not shown.)
# Configure OSPF on the transport network for the switches to reach one another. (Details not shown.)
2. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Disable remote MAC address learning and remote ND learning.
[SwitchA] vxlan tunnel mac-learning disable
[SwitchA] vxlan tunnel nd-learning disable
# Create VXLAN 10 on VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
# Create an EVPN instance on VSI vpna. Configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA-vsi-vpna] evpn encapsulation vxlan
[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpna-evpn-vxlan] quit
[SwitchA-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchA] bgp 100
[SwitchA-bgp-default] peer 2.2.2.2 as-number 100
[SwitchA-bgp-default] peer 2.2.2.2 connect-interface loopback 0
[SwitchA-bgp-default] address-family l2vpn evpn
[SwitchA-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchA-bgp-default-evpn] quit
[SwitchA-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 100.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[SwitchA-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 100
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchA] ip vpn-instance vpn1
[SwitchA-vpn-instance-vpn1] route-distinguisher 1:1
[SwitchA-vpn-instance-vpn1] address-family ipv6
[SwitchA-vpn-ipv6-vpn1] vpn-target 2:2
[SwitchA-vpn-ipv6-vpn1] quit
[SwitchA-vpn-instance-vpn1] address-family evpn
[SwitchA-vpn-evpn-vpn1] vpn-target 1:1
[SwitchA-vpn-evpn-vpn1] quit
[SwitchA-vpn-instance-vpn1] quit
# Configure VSI-interface 1 as a distributed gateway.
[SwitchA] interface vsi-interface 1
[SwitchA-Vsi-interface1] ip binding vpn-instance vpn1
[SwitchA-Vsi-interface1] ipv6 address 11::1 64
[SwitchA-Vsi-interface1] mac-address 1-1-1
[SwitchA-Vsi-interface1] distributed-gateway local
[SwitchA-Vsi-interface1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchA] interface vsi-interface 2
[SwitchA-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchA-Vsi-interface2] ipv6 address auto link-local
[SwitchA-Vsi-interface2] l3-vni 1000
[SwitchA-Vsi-interface2] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] gateway vsi-interface 1
[SwitchA-vsi-vpna] quit
3. Configure Switch B:
# Enable L2VPN.
<SwitchB> system-view
[SwitchB] l2vpn enable
# Disable remote MAC address learning and remote ND learning.
[SwitchB] vxlan tunnel mac-learning disable
[SwitchB] vxlan tunnel nd-learning disable
# Enable DCI on the Layer 3 interface that connects Switch B to Switch C for the switches to establish a VXLAN-DCI tunnel.
[SwitchB] interface vlan-interface 12
[SwitchB-Vlan-interface12] dci enable
[SwitchB-Vlan-interface12] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch A, and enable router MAC replacement for routes advertised to and received from Switch C.
[SwitchB] bgp 100
[SwitchB-bgp-default] peer 3.3.3.3 as-number 200
[SwitchB-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchB-bgp-default] peer 3.3.3.3 ebgp-max-hop 64
[SwitchB-bgp-default] peer 1.1.1.1 as-number 100
[SwitchB-bgp-default] peer 1.1.1.1 connect-interface loopback 0
[SwitchB-bgp-default] address-family l2vpn evpn
[SwitchB-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchB-bgp-default-evpn] peer 3.3.3.3 router-mac-local
[SwitchB-bgp-default-evpn] peer 1.1.1.1 enable
[SwitchB-bgp-default-evpn] peer 1.1.1.1 next-hop-local
[SwitchB-bgp-default-evpn] quit
[SwitchB-bgp-default] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchB] ip vpn-instance vpn1
[SwitchB-vpn-instance-vpn1] route-distinguisher 1:2
[SwitchB-vpn-instance-vpn1] address-family ipv6
[SwitchB-vpn-ipv6-vpn1] vpn-target 2:2
[SwitchB-vpn-ipv6-vpn1] quit
[SwitchB-vpn-instance-vpn1] address-family evpn
[SwitchB-vpn-evpn-vpn1] vpn-target 1:1
[SwitchB-vpn-evpn-vpn1] quit
[SwitchB-vpn-instance-vpn1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchB] interface vsi-interface 2
[SwitchB-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchB-Vsi-interface2] ipv6 address auto link-local
[SwitchB-Vsi-interface2] l3-vni 1000
[SwitchB-Vsi-interface2] quit
4. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Disable remote MAC address learning and remote ND learning.
[SwitchC] vxlan tunnel mac-learning disable
[SwitchC] vxlan tunnel nd-learning disable
# Enable DCI on the Layer 3 interface that connects Switch C to Switch B for the switches to establish a VXLAN-DCI tunnel.
[SwitchC] interface vlan-interface 12
[SwitchC-Vlan-interface12] dci enable
[SwitchC-Vlan-interface12] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch D, and enable router MAC replacement for routes advertised to and received from Switch B.
[SwitchC] bgp 200
[SwitchC-bgp-default] peer 2.2.2.2 as-number 100
[SwitchC-bgp-default] peer 2.2.2.2 connect-interface Loopback 0
[SwitchC-bgp-default] peer 2.2.2.2 ebgp-max-hop 64
[SwitchC-bgp-default] peer 4.4.4.4 as-number 200
[SwitchC-bgp-default] peer 4.4.4.4 connect-interface Loopback 0
[SwitchC-bgp-default] address-family l2vpn evpn
[SwitchC-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchC-bgp-default-evpn] peer 2.2.2.2 router-mac-local
[SwitchC-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchC-bgp-default-evpn] peer 4.4.4.4 next-hop-local
[SwitchC-bgp-default-evpn] quit
[SwitchC-bgp-default] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchC] ip vpn-instance vpn1
[SwitchC-vpn-instance-vpn1] route-distinguisher 1:3
[SwitchC-vpn-instance-vpn1] address-family ipv6
[SwitchC-vpn-ipv6-vpn1] vpn-target 2:2
[SwitchC-vpn-ipv6-vpn1] quit
[SwitchC-vpn-instance-vpn1] address-family evpn
[SwitchC-vpn-evpn-vpn1] vpn-target 1:1
[SwitchC-vpn-evpn-vpn1] quit
[SwitchC-vpn-instance-vpn1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchC] interface vsi-interface 2
[SwitchC-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchC-Vsi-interface2] ipv6 address auto link-local
[SwitchC-Vsi-interface2] l3-vni 1000
[SwitchC-Vsi-interface2] quit
5. Configure Switch D:
# Enable L2VPN.
<SwitchD> system-view
[SwitchD] l2vpn enable
# Disable remote MAC address learning and remote ND learning.
[SwitchD] vxlan tunnel mac-learning disable
[SwitchD] vxlan tunnel nd-learning disable
# Create an EVPN instance on VSI vpnb. Configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchD] vsi vpnb
[SwitchD-vsi-vpnb] evpn encapsulation vxlan
[SwitchD-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchD-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchD-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20 on VSI vpnb.
[SwitchD-vsi-vpnb] vxlan 20
[SwitchD-vsi-vpnb-vxlan-20] quit
[SwitchD-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchD] bgp 200
[SwitchD-bgp-default] peer 3.3.3.3 as-number 200
[SwitchD-bgp-default] peer 3.3.3.3 connect-interface Loopback 0
[SwitchD-bgp-default] address-family l2vpn evpn
[SwitchD-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchD-bgp-default-evpn] quit
[SwitchD-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 3000 to match VLAN 3.
[SwitchD] interface ten-gigabitethernet 1/0/1
[SwitchD-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-Ten-GigabitEthernet1/0/1] port trunk permit vlan 3
[SwitchD-Ten-GigabitEthernet1/0/1] service-instance 3000
[SwitchD-Ten-GigabitEthernet1/0/1-srv3000] encapsulation s-vid 3
# Map Ethernet service instance 3000 to VSI vpnb.
[SwitchD-Ten-GigabitEthernet1/0/1-srv3000] xconnect vsi vpnb
[SwitchD-Ten-GigabitEthernet1/0/1-srv3000] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchD] ip vpn-instance vpn1
[SwitchD-vpn-instance-vpn1] route-distinguisher 1:4
[SwitchD-vpn-instance-vpn1] address-family ipv6
[SwitchD-vpn-ipv6-vpn1] vpn-target 2:2
[SwitchD-vpn-ipv6-vpn1] quit
[SwitchD-vpn-instance-vpn1] address-family evpn
[SwitchD-vpn-evpn-vpn1] vpn-target 1:1
[SwitchD-vpn-evpn-vpn1] quit
[SwitchD-vpn-instance-vpn1] quit
# Configure VSI-interface 1 as a distributed gateway.
[SwitchD] interface vsi-interface 1
[SwitchD-Vsi-interface1] ip binding vpn-instance vpn1
[SwitchD-Vsi-interface1] ipv6 address 12::1 64
[SwitchD-Vsi-interface1] mac-address 1-2-1
[SwitchD-Vsi-interface1] distributed-gateway local
[SwitchD-Vsi-interface1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchD] interface vsi-interface 2
[SwitchD-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchD-Vsi-interface2] ipv6 address auto link-local
[SwitchD-Vsi-interface2] l3-vni 1000
[SwitchD-Vsi-interface2] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpnb.
[SwitchD] vsi vpnb
[SwitchD-vsi-vpnb] gateway vsi-interface 1
[SwitchD-vsi-vpnb] quit
Verifying the configuration
1. Verify the configuration on EDs. (This example uses Switch B.)
# Verify that the ED has discovered Switch A and Switch C through MAC/IP advertisement routes and IP prefix advertisement routes, and has established VXLAN and VXLAN-DCI tunnels to the switches.
[SwitchB] display evpn auto-discovery macip-prefix
Destination IP Source IP L3VNI Tunnel mode OutInterface
1.1.1.1 2.2.2.2 1000 VXLAN Vsi-interface2
3.3.3.3 2.2.2.2 1000 VXLAN-DCI Vsi-interface2
# Verify that the VXLAN and VXLAN-DCI tunnels on the ED are up.
[SwitchB] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 2.2.2.2, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 2.2.2.2, destination 3.3.3.3
Tunnel protocol/transport UDP_VXLAN-DCI/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the ED has routes for the VMs.
[SwitchB] display ipv6 routing-table vpn-instance vpn1
Destinations : 4 Routes : 4
Destination: ::1/128 Protocol : Direct
NextHop : ::1 Preference: 0
Interface : InLoop0 Cost : 0
Destination: 12::1/128 Protocol : BGP4+
NextHop : ::FFFF:3.3.3.3 Preference: 255
Interface : Vsi2 Cost : 0
Destination: 11::1/128 Protocol : BGP4+
NextHop : ::FFFF:1.1.1.1 Preference: 255
Interface : Vsi2 Cost : 0
Destination: FE80::/10 Protocol : Direct
NextHop : :: Preference: 0
Interface : InLoop0 Cost : 0
2. Verify that VM 1 and VM 2 can communicate. (Details not shown.)
EVPN-DCI dual-homing configuration example (IPv4 sites+IPv4 underlay network)
Network requirements
As shown in Figure 31:
· Configure VXLAN 10 for data center 1, and configure VXLAN 20 for data center 2.
· Configure Switch A and Switch G as distributed EVPN gateways to perform Layer 3 forwarding between VXLAN 10 and VXLAN 20.
· Configure Switch C and Switch D as EDs of data center 1, and configure Switch F as the ED of data center 2.
· Configure Switch B as an RR.
NOTE: This example provides configuration of IPv4 sites over an IPv4 underlay network. The configuration procedure does not differ between IPv4 and IPv6 sites or underlay networks.
Configuration procedure
1. Configure IP addresses and unicast routing settings:
# On VM 1, specify 100.1.1.1 as the gateway address. On VM 2, specify 100.1.2.1 as the gateway address. (Details not shown.)
# Assign IP addresses to the interfaces, as shown in Figure 31. (Details not shown.)
# Configure OSPF for the switches to reach one another. (Details not shown.)
2. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchA] vxlan tunnel mac-learning disable
[SwitchA] vxlan tunnel arp-learning disable
# Create VXLAN 10 on VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
# Create an EVPN instance on VSI vpna. Configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA-vsi-vpna] evpn encapsulation vxlan
[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpna-evpn-vxlan] quit
[SwitchA-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchA] bgp 100
[SwitchA-bgp-default] peer 2.2.2.2 as-number 100
[SwitchA-bgp-default] peer 2.2.2.2 connect-interface loopback 0
[SwitchA-bgp-default] address-family l2vpn evpn
[SwitchA-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchA-bgp-default-evpn] quit
[SwitchA-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 100.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[SwitchA-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 100
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchA] ip vpn-instance vpn1
[SwitchA-vpn-instance-vpn1] route-distinguisher 1:1
[SwitchA-vpn-instance-vpn1] address-family ipv4
[SwitchA-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchA-vpn-ipv4-vpn1] quit
[SwitchA-vpn-instance-vpn1] address-family evpn
[SwitchA-vpn-evpn-vpn1] vpn-target 1:1
[SwitchA-vpn-evpn-vpn1] quit
[SwitchA-vpn-instance-vpn1] quit
# Configure VSI-interface 1 as a distributed gateway.
[SwitchA] interface vsi-interface 1
[SwitchA-Vsi-interface1] ip binding vpn-instance vpn1
[SwitchA-Vsi-interface1] ip address 100.1.1.1 255.255.255.0
[SwitchA-Vsi-interface1] mac-address 1-1-1
[SwitchA-Vsi-interface1] distributed-gateway local
[SwitchA-Vsi-interface1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchA] interface vsi-interface 2
[SwitchA-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchA-Vsi-interface2] l3-vni 1000
[SwitchA-Vsi-interface2] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] gateway vsi-interface 1
[SwitchA-vsi-vpna] quit
3. Configure Switch B as an RR.
<SwitchB> system-view
[SwitchB] bgp 100
[SwitchB-bgp-default] group evpn internal
[SwitchB-bgp-default] peer evpn connect-interface loopback 0
[SwitchB-bgp-default] peer 1.1.1.1 group evpn
[SwitchB-bgp-default] peer 3.3.3.3 group evpn
[SwitchB-bgp-default] peer 4.4.4.4 group evpn
[SwitchB-bgp-default] address-family l2vpn evpn
[SwitchB-bgp-default-evpn] undo policy vpn-target
[SwitchB-bgp-default-evpn] peer evpn enable
[SwitchB-bgp-default-evpn] peer evpn reflect-client
[SwitchB-bgp-default-evpn] quit
4. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchC] vxlan tunnel mac-learning disable
[SwitchC] vxlan tunnel arp-learning disable
# Enable DCI on the Layer 3 interface that connects Switch C to Switch E for automatic VXLAN-DCI tunnel establishment.
[SwitchC] interface vlan-interface 13
[SwitchC-Vlan-interface13] dci enable
[SwitchC-Vlan-interface13] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch B, and enable router MAC replacement for routes advertised to and received from Switch F.
[SwitchC] bgp 100
[SwitchC-bgp-default] peer 6.6.6.6 as-number 200
[SwitchC-bgp-default] peer 6.6.6.6 connect-interface loopback 0
[SwitchC-bgp-default] peer 6.6.6.6 ebgp-max-hop 64
[SwitchC-bgp-default] peer 2.2.2.2 as-number 100
[SwitchC-bgp-default] peer 2.2.2.2 connect-interface loopback 0
[SwitchC-bgp-default] address-family l2vpn evpn
[SwitchC-bgp-default-evpn] peer 6.6.6.6 enable
[SwitchC-bgp-default-evpn] peer 6.6.6.6 router-mac-local
[SwitchC-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchC-bgp-default-evpn] peer 2.2.2.2 next-hop-local
[SwitchC-bgp-default-evpn] quit
[SwitchC-bgp-default] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchC] ip vpn-instance vpn1
[SwitchC-vpn-instance-vpn1] route-distinguisher 1:2
[SwitchC-vpn-instance-vpn1] address-family ipv4
[SwitchC-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchC-vpn-ipv4-vpn1] quit
[SwitchC-vpn-instance-vpn1] address-family evpn
[SwitchC-vpn-evpn-vpn1] vpn-target 1:1
[SwitchC-vpn-evpn-vpn1] quit
[SwitchC-vpn-instance-vpn1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchC] interface vsi-interface 2
[SwitchC-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchC-Vsi-interface2] l3-vni 1000
[SwitchC-Vsi-interface2] mac-address 1-2-3
[SwitchC-Vsi-interface2] quit
# Configure 1.2.3.4 as the virtual ED address, and assign the IP address to Loopback 2. Configure OSPF to advertise the virtual ED address.
[SwitchC] evpn edge group 1.2.3.4
[SwitchC] interface loopback 2
[SwitchC-LoopBack2] ip address 1.2.3.4 32
[SwitchC-LoopBack2] quit
[SwitchC] ospf
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 1.2.3.4 0.0.0.0
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
# Configure monitor link group 1 to associate physical interfaces connected to Switch E with Loopback 0 and Loopback 2. Set the switchover delay for the downlink interface to 90 seconds.
[SwitchC] undo monitor-link disable
[SwitchC] monitor-link group 1
[SwitchC-mtlk-group1] port ten-gigabitethernet 1/0/1 uplink
[SwitchC-mtlk-group1] port loopback 0 downlink
[SwitchC-mtlk-group1] port loopback 2 downlink
[SwitchC-mtlk-group1] downlink up-delay 90
[SwitchC-mtlk-group1] quit
5. Configure Switch D:
# Enable L2VPN.
<SwitchD> system-view
[SwitchD] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchD] vxlan tunnel mac-learning disable
[SwitchD] vxlan tunnel arp-learning disable
# Enable DCI on the Layer 3 interface that connects Switch D to Switch E for automatic VXLAN-DCI tunnel establishment.
[SwitchD] interface vlan-interface 14
[SwitchD-Vlan-interface14] dci enable
[SwitchD-Vlan-interface14] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch B, and enable router MAC replacement for routes advertised to and received from Switch F.
[SwitchD] bgp 100
[SwitchD-bgp-default] peer 6.6.6.6 as-number 200
[SwitchD-bgp-default] peer 6.6.6.6 connect-interface loopback 0
[SwitchD-bgp-default] peer 6.6.6.6 ebgp-max-hop 64
[SwitchD-bgp-default] peer 2.2.2.2 as-number 100
[SwitchD-bgp-default] peer 2.2.2.2 connect-interface loopback 0
[SwitchD-bgp-default] address-family l2vpn evpn
[SwitchD-bgp-default-evpn] peer 6.6.6.6 enable
[SwitchD-bgp-default-evpn] peer 6.6.6.6 router-mac-local
[SwitchD-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchD-bgp-default-evpn] peer 2.2.2.2 next-hop-local
[SwitchD-bgp-default-evpn] quit
[SwitchD-bgp-default] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchD] ip vpn-instance vpn1
[SwitchD-vpn-instance-vpn1] route-distinguisher 1:2
[SwitchD-vpn-instance-vpn1] address-family ipv4
[SwitchD-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchD-vpn-ipv4-vpn1] quit
[SwitchD-vpn-instance-vpn1] address-family evpn
[SwitchD-vpn-evpn-vpn1] vpn-target 1:1
[SwitchD-vpn-evpn-vpn1] quit
[SwitchD-vpn-instance-vpn1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchD] interface vsi-interface 2
[SwitchD-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchD-Vsi-interface2] l3-vni 1000
[SwitchD-Vsi-interface2] mac-address 1-2-3
[SwitchD-Vsi-interface2] quit
# Configure 1.2.3.4 as the virtual ED address, and assign the IP address to Loopback 2. Configure OSPF to advertise the virtual ED address.
[SwitchD] evpn edge group 1.2.3.4
[SwitchD] interface loopback 2
[SwitchD-LoopBack2] ip address 1.2.3.4 32
[SwitchD-LoopBack2] quit
[SwitchD] ospf
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 1.2.3.4 0.0.0.0
[SwitchD-ospf-1-area-0.0.0.0] quit
[SwitchD-ospf-1] quit
# Configure monitor link group 1 to associate physical interfaces connected to Switch E with Loopback 0 and Loopback 2. Set the switchover delay for the downlink interface to 90 seconds.
[SwitchD] undo monitor-link disable
[SwitchD] monitor-link group 1
[SwitchD-mtlk-group1] port ten-gigabitethernet 1/0/1 uplink
[SwitchD-mtlk-group1] port loopback 0 downlink
[SwitchD-mtlk-group1] port loopback 2 downlink
[SwitchD-mtlk-group1] downlink up-delay 90
[SwitchD-mtlk-group1] quit
6. Configure Switch F:
# Enable L2VPN.
<SwitchF> system-view
[SwitchF] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchF] vxlan tunnel mac-learning disable
[SwitchF] vxlan tunnel arp-learning disable
# Enable DCI on the Layer 3 interface that connects Switch F to Switch E for automatic VXLAN-DCI tunnel establishment.
[SwitchF] interface vlan-interface 15
[SwitchF-Vlan-interface15] dci enable
[SwitchF-Vlan-interface15] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch G, and enable router MAC replacement for routes advertised to and received from Switch C and Switch D.
[SwitchF] bgp 200
[SwitchF-bgp-default] peer 3.3.3.3 as-number 100
[SwitchF-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchF-bgp-default] peer 3.3.3.3 ebgp-max-hop 64
[SwitchF-bgp-default] peer 4.4.4.4 as-number 100
[SwitchF-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchF-bgp-default] peer 4.4.4.4 ebgp-max-hop 64
[SwitchF-bgp-default] peer 7.7.7.7 as-number 200
[SwitchF-bgp-default] peer 7.7.7.7 connect-interface loopback 0
[SwitchF-bgp-default] address-family l2vpn evpn
[SwitchF-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchF-bgp-default-evpn] peer 3.3.3.3 router-mac-local
[SwitchF-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchF-bgp-default-evpn] peer 4.4.4.4 router-mac-local
[SwitchF-bgp-default-evpn] peer 7.7.7.7 enable
[SwitchF-bgp-default-evpn] peer 7.7.7.7 next-hop-local
[SwitchF-bgp-default-evpn] quit
[SwitchF-bgp-default] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchF] ip vpn-instance vpn1
[SwitchF-vpn-instance-vpn1] route-distinguisher 1:4
[SwitchF-vpn-instance-vpn1] address-family ipv4
[SwitchF-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchF-vpn-ipv4-vpn1] quit
[SwitchF-vpn-instance-vpn1] address-family evpn
[SwitchF-vpn-evpn-vpn1] vpn-target 1:1
[SwitchF-vpn-evpn-vpn1] quit
[SwitchF-vpn-instance-vpn1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchF] interface vsi-interface 2
[SwitchF-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchF-Vsi-interface2] l3-vni 1000
[SwitchF-Vsi-interface2] quit
7. Configure Switch G:
# Enable L2VPN.
<SwitchG> system-view
[SwitchG] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchG] vxlan tunnel mac-learning disable
[SwitchG] vxlan tunnel arp-learning disable
# Create VXLAN 20 on VSI vpnb.
[SwitchG] vsi vpnb
[SwitchG-vsi-vpnb] vxlan 20
[SwitchG-vsi-vpnb-vxlan-20] quit
# Create an EVPN instance on VSI vpnb. Configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchG-vsi-vpnb] evpn encapsulation vxlan
[SwitchG-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchG-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchG-vsi-vpnb-evpn-vxlan] quit
[SwitchG-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchG] bgp 200
[SwitchG-bgp-default] peer 6.6.6.6 as-number 200
[SwitchG-bgp-default] peer 6.6.6.6 connect-interface loopback 0
[SwitchG-bgp-default] address-family l2vpn evpn
[SwitchG-bgp-default-evpn] peer 6.6.6.6 enable
[SwitchG-bgp-default-evpn] quit
[SwitchG-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 2000 to match VLAN 200.
[SwitchG] interface ten-gigabitethernet 1/0/1
[SwitchG-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchG-Ten-GigabitEthernet1/0/1] port trunk permit vlan 200
[SwitchG-Ten-GigabitEthernet1/0/1] service-instance 2000
[SwitchG-Ten-GigabitEthernet1/0/1-srv2000] encapsulation s-vid 200
# Map Ethernet service instance 2000 to VSI vpnb.
[SwitchG-Ten-GigabitEthernet1/0/1-srv2000] xconnect vsi vpnb
[SwitchG-Ten-GigabitEthernet1/0/1-srv2000] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchG] ip vpn-instance vpn1
[SwitchG-vpn-instance-vpn1] route-distinguisher 1:5
[SwitchG-vpn-instance-vpn1] address-family ipv4
[SwitchG-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchG-vpn-ipv4-vpn1] quit
[SwitchG-vpn-instance-vpn1] address-family evpn
[SwitchG-vpn-evpn-vpn1] vpn-target 1:1
[SwitchG-vpn-evpn-vpn1] quit
[SwitchG-vpn-instance-vpn1] quit
# Configure VSI-interface 1 as a distributed gateway.
[SwitchG] interface vsi-interface 1
[SwitchG-Vsi-interface1] ip binding vpn-instance vpn1
[SwitchG-Vsi-interface1] ip address 100.1.2.1 255.255.255.0
[SwitchG-Vsi-interface1] mac-address 2-2-2
[SwitchG-Vsi-interface1] distributed-gateway local
[SwitchG-Vsi-interface1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchG] interface vsi-interface 2
[SwitchG-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchG-Vsi-interface2] l3-vni 1000
[SwitchG-Vsi-interface2] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpnb.
[SwitchG] vsi vpnb
[SwitchG-vsi-vpnb] gateway vsi-interface 1
[SwitchG-vsi-vpnb] quit
Verifying the configuration
1. Verify the configuration on EDs. (This example uses Switch C.)
# Verify that the ED has discovered Switch A and Switch F through MAC/IP advertisement routes and IP prefix advertisement routes, and has established VXLAN and VXLAN-DCI tunnels to the switches.
[SwitchC] display evpn auto-discovery macip-prefix
Destination IP Source IP L3VNI Tunnel mode OutInterface
1.1.1.1 1.2.3.4 1000 VXLAN Vsi-interface2
6.6.6.6 1.2.3.4 1000 VXLAN-DCI Vsi-interface2
# Verify that the VXLAN and VXLAN-DCI tunnels on the ED are up.
[SwitchC] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 1.2.3.4, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 1.2.3.4, destination 6.6.6.6
Tunnel protocol/transport UDP_VXLAN-DCI/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the ED has ARP entries and routes for the VMs.
[SwitchC] display arp vpn-instance vpn1
Type: S-Static D-Dynamic O-Openflow R-Rule M-Multiport I-Invalid
IP address MAC address VLAN/VSI Interface/Link ID Aging Type
1.1.1.1 0031-1900-0000 0 Tunnel0 N/A R
6.6.6.6 0031-3900-0000 0 Tunnel1 N/A R
[SwitchC] display ip routing-table vpn-instance vpn1
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost NextHop Interface
100.1.1.0/24 BGP 255 0 1.1.1.1 Vsi2
100.1.1.10/32 BGP 255 0 1.1.1.1 Vsi2
100.1.2.0/24 BGP 255 0 6.6.6.6 Vsi2
100.1.2.20/32 BGP 255 0 6.6.6.6 Vsi2
2. Verify the configuration on Switch A:
# Verify that the switch has discovered the virtual ED through MAC/IP advertisement routes and IP prefix advertisement routes, and has established a VXLAN tunnel to the virtual ED.
[SwitchA] display evpn auto-discovery macip-prefix
Destination IP Source IP L3VNI Tunnel mode OutInterface
1.2.3.4 1.1.1.1 1000 VXLAN Vsi-interface2
# Verify that the VXLAN tunnel on the switch is up.
[SwitchA] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 1.1.1.1, destination 1.2.3.4
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the switch has ARP entries and routes for the VMs.
[SwitchA] display arp vpn-instance vpn1
Type: S-Static D-Dynamic O-Openflow R-Rule M-Multiport I-Invalid
IP address MAC address VLAN/VSI Interface/Link ID Aging Type
1.2.3.4 0031-1900-0001 0 Tunnel0 N/A R
[SwitchA] display ip routing-table vpn-instance vpn1
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost NextHop Interface
100.1.2.0/24 BGP 255 0 1.2.3.4 Vsi2
100.1.2.10/32 BGP 255 0 1.2.3.4 Vsi2
3. Verify that VM 1 and VM 2 can communicate when both Switch C and Switch D are working correctly and when Switch C or Switch D fails. (Details not shown.)
EVPN-DCI M-LAG configuration example
Network requirements
As shown in Figure 32:
· Configure VXLAN 10 for data center 1, and configure VXLAN 20 for data center 2.
· Configure Switch A and Switch G as distributed EVPN gateways to perform Layer 3 forwarding between VXLAN 10 and VXLAN 20.
· For data center 1, configure Switch C and Switch D as EDs and use M-LAG to virtualize them into one device.
· For data center 2, configure Switch F as an ED.
· Configure Switch B as an RR.
Configuration procedure
1. Configure IP addresses and unicast routing settings:
# On VM 1, specify 100.1.1.1 as the gateway address. On VM 2, specify 100.1.2.1 as the gateway address. (Details not shown.)
# Assign IP addresses to interfaces, as shown in Figure 32. (Details not shown.)
# Configure OSPF for the switches to reach one another. (Details not shown.)
2. Configure Switch A:
# Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchA] vxlan tunnel mac-learning disable
[SwitchA] vxlan tunnel arp-learning disable
# Create VXLAN 10 on VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 10
[SwitchA-vsi-vpna-vxlan-10] quit
# Create an EVPN instance on VSI vpna. Configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchA-vsi-vpna] evpn encapsulation vxlan
[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto
[SwitchA-vsi-vpna-evpn-vxlan] quit
[SwitchA-vsi-vpna] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchA] bgp 100
[SwitchA-bgp-default] peer 2.2.2.2 as-number 100
[SwitchA-bgp-default] peer 2.2.2.2 connect-interface loopback 0
[SwitchA-bgp-default] address-family l2vpn evpn
[SwitchA-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchA-bgp-default-evpn] quit
[SwitchA-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 1000 to match VLAN 100.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[SwitchA-Ten-GigabitEthernet1/0/1] service-instance 1000
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 100
# Map Ethernet service instance 1000 to VSI vpna.
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[SwitchA-Ten-GigabitEthernet1/0/1-srv1000] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchA] ip vpn-instance vpn1
[SwitchA-vpn-instance-vpn1] route-distinguisher 1:1
[SwitchA-vpn-instance-vpn1] address-family ipv4
[SwitchA-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchA-vpn-ipv4-vpn1] quit
[SwitchA-vpn-instance-vpn1] address-family evpn
[SwitchA-vpn-evpn-vpn1] vpn-target 1:1
[SwitchA-vpn-evpn-vpn1] quit
[SwitchA-vpn-instance-vpn1] quit
# Configure VSI-interface 1 as a distributed gateway.
[SwitchA] interface vsi-interface 1
[SwitchA-Vsi-interface1] ip binding vpn-instance vpn1
[SwitchA-Vsi-interface1] ip address 100.1.1.1 255.255.255.0
[SwitchA-Vsi-interface1] mac-address 1-1-1
[SwitchA-Vsi-interface1] distributed-gateway local
[SwitchA-Vsi-interface1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchA] interface vsi-interface 2
[SwitchA-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchA-Vsi-interface2] l3-vni 1000
[SwitchA-Vsi-interface2] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] gateway vsi-interface 1
[SwitchA-vsi-vpna] quit
3. Configure Switch B as an RR.
<SwitchB> system-view
[SwitchB] bgp 100
[SwitchB-bgp-default] group evpn internal
[SwitchB-bgp-default] peer evpn connect-interface loopback 0
[SwitchB-bgp-default] peer 1.1.1.1 group evpn
[SwitchB-bgp-default] peer 3.3.3.3 group evpn
[SwitchB-bgp-default] peer 4.4.4.4 group evpn
[SwitchB-bgp-default] address-family l2vpn evpn
[SwitchB-bgp-default-evpn] undo policy vpn-target
[SwitchB-bgp-default-evpn] peer evpn enable
[SwitchB-bgp-default-evpn] peer evpn reflect-client
[SwitchB-bgp-default-evpn] quit
4. Configure Switch C:
# Enable L2VPN.
<SwitchC> system-view
[SwitchC] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchC] vxlan tunnel mac-learning disable
[SwitchC] vxlan tunnel arp-learning disable
# Enable DCI on the Layer 3 interface that connects Switch C to Switch E for automatic VXLAN-DCI tunnel establishment.
[SwitchC] interface vlan-interface 13
[SwitchC-Vlan-interface13] dci enable
[SwitchC-Vlan-interface13] quit
# Specify the virtual VTEP address as 1.2.3.4.
[SwitchC] evpn m-lag group 1.2.3.4
# Configure M-LAG system parameters.
[SwitchC] m-lag system-mac 0001-0001-0001
[SwitchC] m-lag system-number 1
[SwitchC] m-lag system-priority 10
[SwitchC] m-lag keepalive ip destination 60.1.1.1 source 60.1.1.2
[SwitchC] m-lag restore-delay 180
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3.
[SwitchC] interface bridge-aggregation 3
[SwitchC-Bridge-Aggregation3] link-aggregation mode dynamic
[SwitchC-Bridge-Aggregation3] quit
# Assign Ten-GigabitEthernet 1/0/3 to aggregation group 3.
[SwitchC] interface ten-gigabitethernet 1/0/3
[SwitchC-Ten-GigabitEthernet1/0/3] port link-aggregation group 3
[SwitchC-Ten-GigabitEthernet1/0/3] quit
# Specify Bridge-Aggregation 3 as the peer-link interface.
[SwitchC] interface bridge-aggregation 3
[SwitchC-Bridge-Aggregation3] port m-lag peer-link 1
[SwitchC-Bridge-Aggregation3] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch B, and enable router MAC replacement for routes advertised to and received from Switch F.
[SwitchC] bgp 100
[SwitchC-bgp-default] peer 6.6.6.6 as-number 200
[SwitchC-bgp-default] peer 6.6.6.6 connect-interface loopback 0
[SwitchC-bgp-default] peer 6.6.6.6 ebgp-max-hop 64
[SwitchC-bgp-default] peer 2.2.2.2 as-number 100
[SwitchC-bgp-default] peer 2.2.2.2 connect-interface loopback 0
[SwitchC-bgp-default] address-family l2vpn evpn
[SwitchC-bgp-default-evpn] nexthop evpn-m-lag group-address
[SwitchC-bgp-default-evpn] peer 6.6.6.6 enable
[SwitchC-bgp-default-evpn] peer 6.6.6.6 router-mac-local
[SwitchC-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchC-bgp-default-evpn] peer 2.2.2.2 next-hop-local
[SwitchC-bgp-default-evpn] quit
[SwitchC-bgp-default] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchC] ip vpn-instance vpn1
[SwitchC-vpn-instance-vpn1] route-distinguisher 1:2
[SwitchC-vpn-instance-vpn1] address-family ipv4
[SwitchC-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchC-vpn-ipv4-vpn1] quit
[SwitchC-vpn-instance-vpn1] address-family evpn
[SwitchC-vpn-evpn-vpn1] vpn-target 1:1
[SwitchC-vpn-evpn-vpn1] quit
[SwitchC-vpn-instance-vpn1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchC] interface vsi-interface 2
[SwitchC-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchC-Vsi-interface2] l3-vni 1000
[SwitchC-Vsi-interface2] mac-address 1-2-3
[SwitchC-Vsi-interface2] quit
# Configure monitor link group 1 to associate Ten-GigabitEthernet 1/0/1 with Loopback 0 and Loopback 2. Set the switchover delay for the downlink interface to 90 seconds.
[SwitchC] undo monitor-link disable
[SwitchC] monitor-link group 1
[SwitchC-mtlk-group1] port ten-gigabitethernet 1/0/1 uplink
[SwitchC-mtlk-group1] port loopback 0 downlink
[SwitchC-mtlk-group1] port loopback 2 downlink
[SwitchC-mtlk-group1] downlink up-delay 90
[SwitchC-mtlk-group1] quit
5. Configure Switch D:
# Enable L2VPN.
<SwitchD> system-view
[SwitchD] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchD] vxlan tunnel mac-learning disable
[SwitchD] vxlan tunnel arp-learning disable
# Enable DCI on the Layer 3 interface that connects Switch D to Switch E for automatic VXLAN-DCI tunnel establishment.
[SwitchD] interface vlan-interface 14
[SwitchD-Vlan-interface14] dci enable
[SwitchD-Vlan-interface14] quit
# Specify the virtual VTEP address as 1.2.3.4.
[SwitchD] evpn m-lag group 1.2.3.4
# Configure M-LAG system parameters.
[SwitchD] m-lag system-mac 0001-0001-0001
[SwitchD] m-lag system-number 2
[SwitchD] m-lag system-priority 10
[SwitchD] m-lag keepalive ip destination 60.1.1.1 source 60.1.1.2
[SwitchD] m-lag restore-delay 180
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3.
[SwitchD] interface bridge-aggregation 3
[SwitchD-Bridge-Aggregation3] link-aggregation mode dynamic
[SwitchD-Bridge-Aggregation3] quit
# Assign Ten-GigabitEthernet 1/0/3 to link aggregation group 3.
[SwitchD] interface ten-gigabitethernet 1/0/3
[SwitchD-Ten-GigabitEthernet1/0/3] port link-aggregation group 3
[SwitchD-Ten-GigabitEthernet1/0/3] quit
# Specify Bridge-Aggregation 3 as the peer-link interface.
[SwitchD] interface bridge-aggregation 3
[SwitchD-Bridge-Aggregation3] port m-lag peer-link 1
[SwitchD-Bridge-Aggregation3] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch B, and enable router MAC replacement for routes advertised to and received from Switch F.
[SwitchD] bgp 100
[SwitchD-bgp-default] peer 6.6.6.6 as-number 200
[SwitchD-bgp-default] peer 6.6.6.6 connect-interface loopback 0
[SwitchD-bgp-default] peer 6.6.6.6 ebgp-max-hop 64
[SwitchD-bgp-default] peer 2.2.2.2 as-number 100
[SwitchD-bgp-default] peer 2.2.2.2 connect-interface loopback 0
[SwitchD-bgp-default] address-family l2vpn evpn
[SwitchD-bgp-default-evpn] nexthop evpn-m-lag group-address
[SwitchD-bgp-default-evpn] peer 6.6.6.6 enable
[SwitchD-bgp-default-evpn] peer 6.6.6.6 router-mac-local
[SwitchD-bgp-default-evpn] peer 2.2.2.2 enable
[SwitchD-bgp-default-evpn] peer 2.2.2.2 next-hop-local
[SwitchD-bgp-default-evpn] quit
[SwitchD-bgp-default] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchD] ip vpn-instance vpn1
[SwitchD-vpn-instance-vpn1] route-distinguisher 1:2
[SwitchD-vpn-instance-vpn1] address-family ipv4
[SwitchD-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchD-vpn-ipv4-vpn1] quit
[SwitchD-vpn-instance-vpn1] address-family evpn
[SwitchD-vpn-evpn-vpn1] vpn-target 1:1
[SwitchD-vpn-evpn-vpn1] quit
[SwitchD-vpn-instance-vpn1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchD] interface vsi-interface 2
[SwitchD-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchD-Vsi-interface2] l3-vni 1000
[SwitchD-Vsi-interface2] mac-address 1-2-3
[SwitchD-Vsi-interface2] quit
# Configure monitor link group 1 to associate Ten-GigabitEthernet 1/0/1 with Loopback 0 and Loopback 2. Set the switchover delay for the downlink interface to 90 seconds.
[SwitchD] undo monitor-link disable
[SwitchD] monitor-link group 1
[SwitchD-mtlk-group1] port ten-gigabitethernet 1/0/1 uplink
[SwitchD-mtlk-group1] port loopback 0 downlink
[SwitchD-mtlk-group1] port loopback 2 downlink
[SwitchD-mtlk-group1] downlink up-delay 90
[SwitchD-mtlk-group1] quit
6. Configure Switch F:
# Enable L2VPN.
<SwitchF> system-view
[SwitchF] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchF] vxlan tunnel mac-learning disable
[SwitchF] vxlan tunnel arp-learning disable
# Enable DCI on the Layer 3 interface that connects Switch F to Switch E for automatic VXLAN-DCI tunnel establishment.
[SwitchF] interface vlan-interface 15
[SwitchF-Vlan-interface15] dci enable
[SwitchF-Vlan-interface15] quit
# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch G, and enable router MAC replacement for routes advertised to and received from Switch C and Switch D.
[SwitchF] bgp 200
[SwitchF-bgp-default] peer 3.3.3.3 as-number 100
[SwitchF-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[SwitchF-bgp-default] peer 3.3.3.3 ebgp-max-hop 64
[SwitchF-bgp-default] peer 4.4.4.4 as-number 100
[SwitchF-bgp-default] peer 4.4.4.4 connect-interface loopback 0
[SwitchF-bgp-default] peer 4.4.4.4 ebgp-max-hop 64
[SwitchF-bgp-default] peer 7.7.7.7 as-number 200
[SwitchF-bgp-default] peer 7.7.7.7 connect-interface loopback 0
[SwitchF-bgp-default] address-family l2vpn evpn
[SwitchF-bgp-default-evpn] peer 3.3.3.3 enable
[SwitchF-bgp-default-evpn] peer 3.3.3.3 router-mac-local
[SwitchF-bgp-default-evpn] peer 4.4.4.4 enable
[SwitchF-bgp-default-evpn] peer 4.4.4.4 router-mac-local
[SwitchF-bgp-default-evpn] peer 7.7.7.7 enable
[SwitchF-bgp-default-evpn] peer 7.7.7.7 next-hop-local
[SwitchF-bgp-default-evpn] quit
[SwitchF-bgp-default] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchF] ip vpn-instance vpn1
[SwitchF-vpn-instance-vpn1] route-distinguisher 1:4
[SwitchF-vpn-instance-vpn1] address-family ipv4
[SwitchF-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchF-vpn-ipv4-vpn1] quit
[SwitchF-vpn-instance-vpn1] address-family evpn
[SwitchF-vpn-evpn-vpn1] vpn-target 1:1
[SwitchF-vpn-evpn-vpn1] quit
[SwitchF-vpn-instance-vpn1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchF] interface vsi-interface 2
[SwitchF-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchF-Vsi-interface2] l3-vni 1000
[SwitchF-Vsi-interface2] quit
7. Configure Switch G:
# Enable L2VPN.
<SwitchG> system-view
[SwitchG] l2vpn enable
# Disable remote MAC address learning and remote ARP learning.
[SwitchG] vxlan tunnel mac-learning disable
[SwitchG] vxlan tunnel arp-learning disable
# Create VXLAN 20 on VSI vpnb.
[SwitchG] vsi vpnb
[SwitchG-vsi-vpnb] vxlan 20
[SwitchG-vsi-vpnb-vxlan-20] quit
# Create an EVPN instance on VSI vpnb. Configure the switch to automatically generate an RD and a route target for the EVPN instance.
[SwitchG-vsi-vpnb] evpn encapsulation vxlan
[SwitchG-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[SwitchG-vsi-vpnb-evpn-vxlan] vpn-target auto
[SwitchG-vsi-vpnb-evpn-vxlan] quit
[SwitchG-vsi-vpnb] quit
# Configure BGP to advertise BGP EVPN routes.
[SwitchG] bgp 200
[SwitchG-bgp-default] peer 6.6.6.6 as-number 200
[SwitchG-bgp-default] peer 6.6.6.6 connect-interface loopback 0
[SwitchG-bgp-default] address-family l2vpn evpn
[SwitchG-bgp-default-evpn] peer 6.6.6.6 enable
[SwitchG-bgp-default-evpn] quit
[SwitchG-bgp-default] quit
# On Ten-GigabitEthernet 1/0/1, create Ethernet service instance 2000 to match VLAN 200.
[SwitchG] interface ten-gigabitethernet 1/0/1
[SwitchG-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchG-Ten-GigabitEthernet1/0/1] port trunk permit vlan 200
[SwitchG-Ten-GigabitEthernet1/0/1] service-instance 2000
[SwitchG-Ten-GigabitEthernet1/0/1-srv2000] encapsulation s-vid 200
# Map Ethernet service instance 2000 to VSI vpnb.
[SwitchG-Ten-GigabitEthernet1/0/1-srv2000] xconnect vsi vpnb
[SwitchG-Ten-GigabitEthernet1/0/1-srv2000] quit
# Configure RD and route target settings for VPN instance vpn1.
[SwitchG] ip vpn-instance vpn1
[SwitchG-vpn-instance-vpn1] route-distinguisher 1:4
[SwitchG-vpn-instance-vpn1] address-family ipv4
[SwitchG-vpn-ipv4-vpn1] vpn-target 2:2
[SwitchG-vpn-ipv4-vpn1] quit
[SwitchG-vpn-instance-vpn1] address-family evpn
[SwitchG-vpn-evpn-vpn1] vpn-target 1:1
[SwitchG-vpn-evpn-vpn1] quit
[SwitchG-vpn-instance-vpn1] quit
# Configure VSI-interface 1 as a distributed gateway.
[SwitchG] interface vsi-interface 1
[SwitchG-Vsi-interface1] ip binding vpn-instance vpn1
[SwitchG-Vsi-interface1] ip address 100.1.2.1 255.255.255.0
[SwitchG-Vsi-interface1] mac-address 2-2-2
[SwitchG-Vsi-interface1] distributed-gateway local
[SwitchG-Vsi-interface1] quit
# Create VSI-interface 2. Associate VSI-interface 2 with VPN instance vpn1, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[SwitchG] interface vsi-interface 2
[SwitchG-Vsi-interface2] ip binding vpn-instance vpn1
[SwitchG-Vsi-interface2] l3-vni 1000
[SwitchG-Vsi-interface2] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpnb.
[SwitchG] vsi vpnb
[SwitchG-vsi-vpnb] gateway vsi-interface 1
[SwitchG-vsi-vpnb] quit
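Switch C and Switch D act as one virtual ED, so the settings entered in steps 4 and 5 have to line up between the two sessions. The following check is an added example, not part of the original guide: it compares two typed CLI sessions and reports settings that drift. The function names, the rule table and the sample sessions are constructed for illustration, and the required relations are assumptions taken from how this example configures the pair, plus the assumption that each member uses its own address as the keepalive source.

```python
import re

# Constructed sessions modelled on the Switch C and Switch D steps above.
# Assumption: the keepalive source is the member's own address, so the two
# members are given mirrored destination/source values here.
SWITCH_C = """\
[SwitchC] evpn m-lag group 1.2.3.4
[SwitchC] m-lag system-mac 0001-0001-0001
[SwitchC] m-lag system-number 1
[SwitchC] m-lag system-priority 10
[SwitchC] m-lag keepalive ip destination 60.1.1.1 source 60.1.1.2
[SwitchC-vpn-instance-vpn1] route-distinguisher 1:2
[SwitchC-Vsi-interface2] l3-vni 1000
[SwitchC-Vsi-interface2] mac-address 1-2-3
"""
SWITCH_D = """\
[SwitchD] evpn m-lag group 1.2.3.4
[SwitchD] m-lag system-mac 0001-0001-0001
[SwitchD] m-lag system-number 2
[SwitchD] m-lag system-priority 10
[SwitchD] m-lag keepalive ip destination 60.1.1.2 source 60.1.1.1
[SwitchD-vpn-instance-vpn1] route-distinguisher 1:2
[SwitchD-Vsi-interface2] l3-vni 1000
[SwitchD-Vsi-interface2] mac-address 1-2-3
"""
# Constructed faulty variant: one line typed at another device's prompt, a
# reused system number, an unmirrored keepalive, a different VSI-interface 2 MAC.
SWITCH_D_DRIFT = """\
[SwitchA] evpn m-lag group 1.2.3.4
[SwitchD] m-lag system-mac 0001-0001-0001
[SwitchD] m-lag system-number 1
[SwitchD] m-lag system-priority 10
[SwitchD] m-lag keepalive ip destination 60.1.1.1 source 60.1.1.2
[SwitchD-vpn-instance-vpn1] route-distinguisher 1:2
[SwitchD-Vsi-interface2] l3-vni 1000
[SwitchD-Vsi-interface2] mac-address 1-2-4
"""

# (setting, pattern over "view|command", relation required between members)
RULES = [
    ("virtual VTEP address", r"\|evpn m-lag group (\S+)", "same"),
    ("M-LAG system MAC", r"\|m-lag system-mac (\S+)", "same"),
    ("M-LAG system priority", r"\|m-lag system-priority (\d+)", "same"),
    ("M-LAG system number", r"\|m-lag system-number (\d+)", "differ"),
    ("keepalive addresses",
     r"\|m-lag keepalive ip destination (\S+) source (\S+)", "mirror"),
    ("vpn1 RD", r"vpn-instance-vpn1\|route-distinguisher (\S+)", "same"),
    ("L3 VXLAN ID", r"Vsi-interface2\|l3-vni (\d+)", "same"),
    ("VSI-interface 2 MAC", r"Vsi-interface2\|mac-address (\S+)", "same"),
]

# "[SwitchC-Vsi-interface2] cmd" -> host "SwitchC", view "Vsi-interface2"
PROMPT = re.compile(r"^[\[<]([A-Za-z0-9]+)(?:-([^\]>]+))?[\]>]\s*(.*)$")


def parse_session(text):
    """Return (hostnames seen in prompts, {setting: captured values})."""
    hosts, settings = set(), {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # "# ..." description lines and blanks
        host, view, cmd = m.group(1), m.group(2) or "", m.group(3).strip()
        hosts.add(host)
        for name, pattern, _ in RULES:
            hit = re.fullmatch(pattern, f"{view}|{cmd}")
            if hit:
                settings[name] = hit.groups()
    return hosts, settings


def lint_pair(text_a, text_b):
    """Compare two member sessions; return a list of finding strings."""
    findings = []
    (hosts_a, a), (hosts_b, b) = parse_session(text_a), parse_session(text_b)
    for label, hosts in (("first", hosts_a), ("second", hosts_b)):
        if len(hosts) > 1:
            findings.append(f"{label} session mixes prompts: {sorted(hosts)}")
    for name, _, relation in RULES:
        va, vb = a.get(name), b.get(name)
        if va is None or vb is None:
            findings.append(f"{name}: missing on one member")
        elif relation == "same" and va != vb:
            findings.append(f"{name}: {' '.join(va)} vs {' '.join(vb)}")
        elif relation == "differ" and va == vb:
            findings.append(f"{name}: both members use {' '.join(va)}")
        elif relation == "mirror" and va != vb[::-1]:
            findings.append(f"{name}: destination/source are not mirrored")
    return findings


if __name__ == "__main__":
    for finding in lint_pair(SWITCH_C, SWITCH_D_DRIFT):
        print(finding)
```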
Verifying the configuration
1. Verify the configuration on EDs. (This example uses Switch C.)
# Verify that the ED has discovered Switch A and Switch F through MAC/IP advertisement routes and IP prefix advertisement routes, and has established VXLAN and VXLAN-DCI tunnels to the switches.
[SwitchC] display evpn auto-discovery macip-prefix
Destination IP Source IP L3VNI Tunnel mode OutInterface
1.1.1.1 3.3.3.3 1000 VXLAN Vsi-interface2
6.6.6.6 3.3.3.3 1000 VXLAN-DCI Vsi-interface2
# Verify that the VXLAN and VXLAN-DCI tunnels on the ED are up.
[SwitchC] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 1.2.3.4, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 1.2.3.4, destination 6.6.6.6
Tunnel protocol/transport UDP_VXLAN-DCI/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the ED has ARP entries and routes for the VMs.
[SwitchC] display ip routing-table vpn-instance vpn1
Destinations : 4 Routes : 4
Destination/Mask   Proto   Pre   Cost   NextHop   Interface
100.1.1.0/24       BGP     255   0      1.1.1.1   Vsi2
100.1.1.10/32      BGP     255   0      1.1.1.1   Vsi2
100.1.2.0/24       BGP     255   0      6.6.6.6   Vsi2
100.1.2.20/32      BGP     255   0      6.6.6.6   Vsi2
2. Verify the configuration on Switch A:
# Verify that the switch has discovered the virtual ED through MAC/IP advertisement routes and IP prefix advertisement routes, and has established a VXLAN tunnel to the virtual ED.
[SwitchA] display evpn auto-discovery macip-prefix
Destination IP   Source IP   L3VNI   Tunnel mode   OutInterface
1.2.3.4          1.1.1.1     1000    VXLAN         Vsi-interface2
# Verify that the VXLAN tunnel on the switch is up.
[SwitchA] display interface tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Tunnel source 1.1.1.1, destination 1.2.3.4
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Verify that the switch has ARP entries and routes for the VMs.
[SwitchA] display ip routing-table vpn-instance vpn1
Destinations : 4 Routes : 4
Destination/Mask   Proto   Pre   Cost   NextHop   Interface
100.1.2.0/24       BGP     255   0      1.2.3.4   Vsi2
100.1.2.10/32      BGP     255   0      1.2.3.4   Vsi2
3. Verify that VM 1 and VM 2 can communicate when both Switch C and Switch D are working correctly and when Switch C or Switch D fails. (Details not shown.)
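The tunnel checks in steps 1 and 2 can be automated. The following Python code is an added example, not part of the original guide or any vendor tooling: it parses the Switch C output shown above (embedded and trimmed to the lines it uses) and reports any tunnel that is not UP, any tunnel whose destination and mode do not match an auto-discovered peer, and any discovered peer without a tunnel. The function and variable names are hypothetical.

```python
import re

# Sample input: Switch C output from the verification step above, trimmed to the parsed lines.
AUTO_DISCOVERY = """\
Destination IP Source IP L3VNI Tunnel mode OutInterface
1.1.1.1 3.3.3.3 1000 VXLAN Vsi-interface2
6.6.6.6 3.3.3.3 1000 VXLAN-DCI Vsi-interface2
"""
TUNNELS = """\
Tunnel0
Current state: UP
Line protocol state: UP
Tunnel source 1.2.3.4, destination 1.1.1.1
Tunnel protocol/transport UDP_VXLAN/IP
Tunnel1
Current state: UP
Line protocol state: UP
Tunnel source 1.2.3.4, destination 6.6.6.6
Tunnel protocol/transport UDP_VXLAN-DCI/IP
"""
FIELDS = {"state": r"Current state: (\S+)",
          "proto": r"Line protocol state: (\S+)",
          "dst": r"Tunnel source \S+, destination (\S+)",
          "mode": r"Tunnel protocol/transport UDP_(\S+)/IP"}

def parse_discovery(text):
    """Map each auto-discovered peer IP to its tunnel mode; the header row is skipped."""
    return {f[0]: f[3] for f in map(str.split, text.splitlines()) if len(f) == 5}

def parse_tunnels(text):
    """Return {tunnel name: {state, proto, dst, mode}} from 'display interface tunnel'."""
    tunnels, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"Tunnel\d+", line):
            cur = tunnels.setdefault(line, {})
        elif cur is not None:
            cur.update({k: m.group(1) for k, rx in FIELDS.items() if (m := re.match(rx, line))})
    return tunnels

def audit(discovery_text, tunnel_text):
    """List tunnels that are down or unknown to auto-discovery, and peers with no tunnel."""
    peers, tunnels, findings = parse_discovery(discovery_text), parse_tunnels(tunnel_text), []
    for name, t in tunnels.items():
        if (t.get("state"), t.get("proto")) != ("UP", "UP"):
            findings.append(f"{name}: not UP")
        if peers.get(t.get("dst")) != t.get("mode"):
            findings.append(f"{name}: peer {t.get('dst')} ({t.get('mode')}) not in auto-discovery")
    seen = {t.get("dst") for t in tunnels.values()}
    return findings + [f"no tunnel to discovered peer {p}" for p in sorted(set(peers) - seen)]
```

An empty list from `audit(AUTO_DISCOVERY, TUNNELS)` means every tunnel is UP and terminates on a peer learned through BGP EVPN routes; a tunnel to an address that auto-discovery did not report is worth investigating before trusting the overlay.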