11-Security Configuration Guide

H3C S7500X-G Switch Series Configuration Guides-R7761Pxx-6W100, 11-Security Configuration Guide
31-CloudSec configuration

Configuring CloudSec

About CloudSec

Cloud Security (CloudSec) is designed to protect data transmission over an IP transport network between VXLAN sites. On an extended Layer 2 network, you cannot use MACsec to encrypt packets transmitted over an IP transport network between sites, even though it has been widely used for intra-site data transmission protection. CloudSec protects VXLAN-tunneled packets by encapsulating VXLAN packets in a CloudSec header. This enables the devices to route the CloudSec packets between subnets without decrypting them.

Basic concepts of CloudSec

CA

A connectivity association (CA) is a collection of two or more members that use the same key and key algorithm suite. Members of a CA are called participants. The key used by CA participants is called a CAK. A CAK comes in one of the following types depending on the number of members in the CA:

·     Pairwise CAK for a two-member CA.

·     Group CAK for a CA that contains three or more members.

A CAK is generated by the Keychain module based on the key string specified by using the key-string command.

SA

A security association (SA) is an agreement negotiated by CA participants. The agreement includes a cipher suite and keys for integrity check.

SC

A secure channel is a channel established by two communicating participants to encrypt transmitted data. A secure channel can have multiple SAs, each with a unique key called a secure association key (SAK). A SAK is derived from the CAK to encrypt data transmitted in the secure channel.

SCI

A secure channel identifier (SCI) uniquely identifies a secure channel. It ensures that every pair of communicating nodes correctly identifies and verifies their secure channel, preventing unauthorized nodes from inserting or tampering with data. By using SCIs to identify secure channels, CloudSec provides enhanced data protection and security to ensure secrecy and integrity of data.

The sender inserts the SCI value in a packet based on its configuration and policy. The receiver verifies this SCI value and compares it with the preconfigured policy to determine if the packet comes from the expected secure channel.

AN

An association number (AN) identifies an SA in an SC. Combined with SCI, it uniquely identifies a concrete SA instance.

KEK

A key encryption key (KEK) encrypts SAKs.

CloudSec mechanisms

Data encryption

To encrypt packets transmitted in an EVPN VXLAN tunnel, you enable CloudSec and associate the source interface of the tunnel with CloudSec. When the tunnel interface receives a packet, the device encrypts the packet with CloudSec, and then sends the encrypted packet in the tunnel to the remote device. Upon receipt of the CloudSec encrypted packet, the remote device decrypts it.

The encryption and decryption keys used by the two devices are generated and exchanged as follows:

1.     Each device uses the Keychain module to generate an initial key.

2.     Each device uses the initial key and the CloudSec cipher suite to produce the key actually used for encryption and decryption.

3.     The two devices exchange the keys for encryption and decryption through BGP.

Integrity check

The device uses a key derived from the CAK to compute an integrity check value (ICV) for CloudSec protected packets and appends the ICV to the packet. When the remote device receives a CloudSec protected packet, it uses the key generated by the Keychain module to compute an ICV and compares it with the ICV in the packet. If the ICVs are the same, the packet is valid. If the ICVs differ, the remote device discards the packet.
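The receive-side checks described in the SCI, AN and integrity check passages above (does the SCI match the configured receive SCI, is an SA installed for the AN, does the ICV verify), as an added model that is not H3C code and not the CloudSec encapsulation format: the header layout (a 64-bit SCI followed by the AN) is an assumption of the model, HMAC-SHA-256 stands in for the GCM-AES ICV, and the CAK is taken as the key string 123456 that both keychains carry in the configuration example later on this page.

```python
"""Model of the CloudSec receive path: SCI check, SA lookup by AN, ICV check.
Added illustration, not H3C code.  The header layout is invented for the
model and HMAC-SHA-256 stands in for the GCM-AES ICV."""
import hashlib
import hmac
import struct

ICV_LEN = 16                       # GCM produces a 16-byte tag; the model truncates HMAC to 16
HEADER = struct.Struct("!QB")      # model header: 64-bit SCI followed by the AN (assumption)


def derive_sak(cak, sci, an):
    """Per-SA key derived from the shared CAK (HMAC stand-in for the real KDF)."""
    return hmac.new(cak, b"model-sak" + HEADER.pack(sci, an), hashlib.sha256).digest()


def protect(sak, tx_sci, an, payload):
    """Sender: model header, payload, then the ICV computed over header + payload."""
    body = HEADER.pack(tx_sci, an) + payload
    return body + hmac.new(sak, body, hashlib.sha256).digest()[:ICV_LEN]


def receive(rx_sci, sas, packet):
    """Receiver: (payload, None) on success, (None, reason) when the packet is discarded.
    sas maps each installed AN to its SAK."""
    if len(packet) < HEADER.size + ICV_LEN:
        return None, "truncated packet"
    sci, an = HEADER.unpack_from(packet)
    if sci != rx_sci:                          # not from the expected secure channel
        return None, f"SCI {sci} is not the configured receive SCI {rx_sci}"
    sak = sas.get(an)
    if sak is None:                            # SCI + AN must name an installed SA
        return None, f"no SA installed for AN {an}"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sak, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time ICV comparison
        return None, "ICV mismatch"
    return body[HEADER.size:], None


def demo():
    """Switch B (transmit SCI 2) sends to Switch C (receive SCI 2) on SA AN 0,
    matching the SCI values in the configuration example on this page."""
    cak = b"123456"                            # key-string from the example keychains
    sak = derive_sak(cak, 2, 0)
    switch_c = {"rx_sci": 2, "sas": {0: sak}}
    pkt = protect(sak, 2, 0, b"vxlan payload")
    ok = receive(switch_c["rx_sci"], switch_c["sas"], pkt)
    tampered = bytearray(pkt)
    tampered[HEADER.size] ^= 0x01              # flip one payload bit in transit
    bad = receive(switch_c["rx_sci"], switch_c["sas"], bytes(tampered))
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

A second SAK installed under another AN models the state after a SAK rekey; without sak-rekey-interval the single SA stays in use for the life of the channel. A peer holding a different key string produces a different SAK and therefore an ICV mismatch, which is how the receiver rejects traffic from a node that does not share the CAK.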

CloudSec encapsulation format

As shown in Figure 1, the device inserts a CloudSec header before the VXLAN packet header to encrypt VXLAN packets for secure transmission of VXLAN tunneled packets.

Figure 1 CloudSec encapsulation

 

Typical CloudSec network deployment

As shown in Figure 2, use CloudSec to secure VXLAN tunneled traffic between data centers. Switches A and B are VTEPs for data center 1, while Switches C and D are VTEPs for data center 2. Switches B and C also act as edge devices (EDs) between the two data centers. The network uses EVPN to extend Layer 2 connectivity between the two data centers and uses CloudSec to encrypt VXLAN-DCI tunneled traffic between the two data centers for data security.

Figure 2 Typical CloudSec network deployment

 

CloudSec operating mechanism

As shown in Figure 3, CloudSec uses the following procedure to protect traffic between two devices: establish a secure channel, negotiate a key for encryption, and encrypt or decrypt packets.

Figure 3 CloudSec operating mechanism

 

1.     Establish a secure channel.

To establish a CloudSec secure channel from the local device to a remote device, make sure the transmit SCI on the local device has the same value as the receive SCI on the remote device.

2.     Negotiate a key for encryption.

The two devices generate and exchange keys for encryption and decryption of VXLAN tunneled packets, as follows:

a.     Each device uses the Keychain module to generate an initial key.

b.     Each device uses the initial key and the CloudSec cipher suite to produce the key actually used for encryption and decryption.

c.     The two devices exchange the keys for encryption and decryption through BGP.

3.     Encrypt and decrypt packets.

The local device and the remote device use the negotiated key to encrypt and decrypt VXLAN packets, respectively.

Restrictions and guidelines: CloudSec

Some early shipped SF interface modules might not support this feature. A device installed with such modules displays a message that the configuration is not supported.

The feature is applicable only to protect VXLAN tunneled packets.

Configure the peer CloudSec devices with the same cipher suite.

You cannot use CloudSec in M-LAG or ES multi-homing scenarios.

CloudSec cannot encrypt Layer 2 or Layer 3 multicast packets.

CloudSec is available only for protection of tunnels automatically created through BGP. It cannot encrypt manually created tunnels.

If a CloudSec encrypted packet can be correctly decrypted, its mirrored packet is the one after decryption. If the packet cannot be correctly decrypted, its mirrored packet is the one before decryption.

When you configure CloudSec for encryption of EVPN VXLAN tunneled IPv6 packets, use the following guidelines:

·     Do not use a VLAN interface or Layer 3 subinterface as the source interface of the tunnels.

·     Do not execute the include sci command in CloudSec policy view to enable inclusion of the transmit SCI in encrypted packets.

You can enable CloudSec or MACsec on the device, but not both. For more information about MACsec, see MACsec configuration in Security Configuration Guide.

CloudSec tasks at a glance

To configure CloudSec, perform the following tasks:

1.     Configuring a CloudSec policy

2.     Configuring a CloudSec peer

3.     Associating a tunnel source interface with CloudSec

4.     Configuring BGP to advertise CloudSec encryption information

Configuring a CloudSec policy

About this task

To configure CloudSec, first create a CloudSec policy, and then configure CloudSec settings in it, including a cipher suite and the SAK rekey interval.

Restrictions and guidelines

To create multiple CloudSec policies, repeat the cloudsec policy command.

The device has a default CloudSec policy named default-policy. You cannot delete or modify it.

When you use the GCM-AES-XPN-128 or GCM-AES-XPN-256 cipher suite for a VXLAN tunnel, make sure its transport-facing physical interfaces are in the same port group on the same module. If they are in different port groups or on different modules, encryption or decryption will fail. To identify port group memberships, execute the display hardware internal port mapping command in probe view. Ports with the same LchipId value belong to the same group.

Procedure

1.     Enter system view.

system-view

2.     Create a CloudSec policy and enter its view.

cloudsec policy policy-name

3.     Specify a cipher suite.

cipher-suite { gcm-aes-128 | gcm-aes-256 | gcm-aes-xpn-128 | gcm-aes-xpn-256 }

By default, CloudSec uses the GCM-AES-128 cipher suite.

4.     Include the transmit SCI in the CloudSec header.

include sci

By default, the device does not insert the transmit SCI in the CloudSec header.

5.     Configure the SAK rekey interval.

sak-rekey-interval interval

By default, SAKs do not update.

Configuring a CloudSec peer

About this task

Perform this task to create a CloudSec peer and specify the CloudSec parameters for use with the peer. These parameters include a one-to-one keychain and CloudSec policy binding, as well as the transmit and receive SCIs. The CloudSec policy contains settings such as the cipher suite and SAK rekey interval.

Restrictions and guidelines

If the CloudSec policy specified in a keychain and CloudSec policy binding has not been created, the device uses the default CloudSec policy named default-policy for the peer. The specified CloudSec policy applies after it is created.

You can specify only one keychain and CloudSec policy binding for a peer.

CloudSec uses only the key strings in a keychain; it does not use the authentication algorithms configured for the keys. However, a key becomes active only after an authentication algorithm is configured for it. At both ends of the CloudSec protected tunnel, configure keychains with the same key and specify an authentication algorithm for each key. The authentication algorithms at the two ends can differ. For more information about keys and authentication algorithms, see keychain configuration in Security Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Create a CloudSec peer and enter its view.

cloudsec peer { ipv4-address | ipv6-address }

3.     Specify a pair of keychain and CloudSec policy for the CloudSec peer.

keychain keychain-name policy policy-name

By default, no keychain and CloudSec policy binding applies to a CloudSec peer.

4.     Set a receive SCI value for CloudSec-protected packets.

sci rx sci-value

By default, no receive SCI value is set for CloudSec protected packets.

5.     Set a transmit SCI value for CloudSec-protected packets.

sci tx sci-value

By default, no transmit SCI value is set for CloudSec protected packets.

Associating a tunnel source interface with CloudSec

About this task

To protect the packets transmitted in an EVPN VXLAN tunnel with CloudSec, you must associate its tunnel source interface with CloudSec.

Procedure

1.     Enter system view.

system-view

2.     Associate a tunnel source interface with CloudSec.

cloudsec source-interface interface-type interface-number

By default, no tunnel source interfaces associate with CloudSec.

Configuring BGP to advertise CloudSec encryption information

About this task

This feature enables BGP to advertise the source addresses of VXLAN tunnels as BGP unicast route prefixes to the specified peers. When BGP advertises this unicast route information, it also advertises the encryption information generated by the device to the specified peers. The peers will encrypt the packets transmitted in the CloudSec protected VXLAN tunnels to the device based on the received encryption information.

Restrictions and guidelines

The Tunnel Encapsulation attribute is an optional transitive attribute. Make sure the specified peers can identify the Tunnel Encapsulation attribute and the encryption information it carries. A peer that cannot identify the Tunnel Encapsulation attribute or the CloudSec encryption information cannot use the information to encrypt VXLAN tunneled packets.

This feature does not encrypt VXLAN tunneled protocol packets that are not transparently transmitted.

Procedure

1.     Enter system view.

system-view

2.     Enter BGP instance view.

bgp as-number [ instance instance-name ]

3.     Enter BGP IPv4 unicast address family view or BGP IPv6 unicast address family view.

◦     Enter BGP IPv4 unicast address family view.

address-family ipv4 [ unicast ]

◦     Enter BGP IPv6 unicast address family view.

address-family ipv6 [ unicast ]

4.     Configure the device to advertise CloudSec encryption information to a specified peer or peer group.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] | link-local-address interface interface-type interface-number } advertise-cloudsec

interface-peer interface-type interface-number advertise-cloudsec

By default, the device does not advertise CloudSec encryption information to peers or peer groups.

The link-local-address interface interface-type interface-number option is available only in BGP IPv6 unicast address family view.
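A consistency check over the four tasks above, as an added example that is not H3C code: it parses the CloudSec-related commands of two peers as typed at the CLI and reports the conditions the tasks call out (the same cipher suite on both ends, the local transmit SCI equal to the remote receive SCI and vice versa, identical key strings, an authentication algorithm on every key so that it becomes active, no include sci on IPv6 tunnels, and the fall-back to default-policy when a bound policy has not been created). SWITCH_B and SWITCH_C are constructed from the configuration example later on this page; the dictionary layout and the finding texts are this example's own.

```python
"""Cross-check two CloudSec peers' configuration against the rules in the
tasks above.  Added example, not H3C code; the input is the commands as
typed at the CLI, and SWITCH_B / SWITCH_C are constructed from this
page's configuration example."""

DEFAULT_POLICY = {"cipher": "gcm-aes-128", "include_sci": False, "rekey": 0}

SWITCH_B = """\
keychain 1 mode absolute
 key 1
  authentication-algorithm hmac-sha-256
  key-string plain 123456
cloudsec policy 1
 cipher-suite gcm-aes-256
 include sci
 sak-rekey-interval 2000
cloudsec peer 3.3.3.3
 keychain 1 policy 1
 sci rx 1
 sci tx 2
"""
# Switch C mirrors Switch B with the peer address and the two SCIs swapped.
SWITCH_C = (SWITCH_B.replace("cloudsec peer 3.3.3.3", "cloudsec peer 2.2.2.2")
            .replace("sci rx 1\n sci tx 2", "sci rx 2\n sci tx 1"))


def parse_config(text):
    """Collect CloudSec policies, peers and keychain keys from CLI text."""
    cfg = {"policies": {}, "peers": {}, "keychains": {}}
    ctx = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            continue
        if raw[0] != " ":  # a non-indented command opens a new block
            ctx = None
            if words[:2] == ["cloudsec", "policy"]:
                cfg["policies"][words[2]] = dict(DEFAULT_POLICY)
                ctx = ("policy", words[2])
            elif words[:2] == ["cloudsec", "peer"]:
                cfg["peers"][words[2]] = dict.fromkeys(("keychain", "policy", "rx", "tx"))
                ctx = ("peer", words[2])
            elif words[0] == "keychain":
                cfg["keychains"].setdefault(words[1], {})
                ctx = ("keychain", words[1], None)
        elif ctx and ctx[0] == "policy":
            pol = cfg["policies"][ctx[1]]
            if words[0] == "cipher-suite":
                pol["cipher"] = words[1].lower()
            elif words[:2] == ["include", "sci"]:
                pol["include_sci"] = True
            elif words[0] == "sak-rekey-interval":
                pol["rekey"] = int(words[1])
        elif ctx and ctx[0] == "peer":
            peer = cfg["peers"][ctx[1]]
            if words[0] == "keychain" and words[2] == "policy":
                peer["keychain"], peer["policy"] = words[1], words[3]
            elif words[0] == "sci" and words[1] in ("rx", "tx"):
                peer[words[1]] = int(words[2])
        elif ctx and ctx[0] == "keychain":
            chain = cfg["keychains"][ctx[1]]
            if words[0] == "key" and len(words) == 2:  # ' key <id>' opens a key
                chain[words[1]] = {"string": None, "algorithm": None}
                ctx = ("keychain", ctx[1], words[1])
            elif ctx[2] and words[0] in ("key-string", "authentication-algorithm"):
                chain[ctx[2]]["string" if words[0] == "key-string" else "algorithm"] = words[-1]
    return cfg


def effective_policy(cfg, peer, findings, side):
    """A peer bound to a policy that does not exist uses default-policy."""
    if peer["policy"] in cfg["policies"]:
        return cfg["policies"][peer["policy"]]
    findings.append(f"{side}: policy {peer['policy']} not created, default-policy applies")
    return DEFAULT_POLICY


def check_pair(local, remote, local_addr, remote_addr, ipv6_tunnel=False):
    """Findings for the tunnel local_addr <-> remote_addr; [] means consistent."""
    lp, rp = local["peers"].get(remote_addr), remote["peers"].get(local_addr)
    if lp is None or rp is None:
        return ["cloudsec peer not configured on both ends"]
    findings = []
    lpol = effective_policy(local, lp, findings, "local")
    rpol = effective_policy(remote, rp, findings, "remote")
    if lpol["cipher"] != rpol["cipher"]:
        findings.append(f"cipher suite mismatch: {lpol['cipher']} vs {rpol['cipher']}")
    if lp["tx"] != rp["rx"] or lp["rx"] != rp["tx"]:  # tx SCI must equal the peer's rx SCI
        findings.append(f"SCI mismatch: local tx/rx {lp['tx']}/{lp['rx']}, remote rx/tx {rp['rx']}/{rp['tx']}")
    lkeys = local["keychains"].get(lp["keychain"], {})
    rkeys = remote["keychains"].get(rp["keychain"], {})
    if {k: v["string"] for k, v in lkeys.items()} != {k: v["string"] for k, v in rkeys.items()}:
        findings.append("keychain key strings differ between the two ends")
    for side, keys in (("local", lkeys), ("remote", rkeys)):
        findings += [f"{side}: key {k} has no authentication algorithm and stays inactive"
                     for k, v in keys.items() if v["algorithm"] is None]
    if ipv6_tunnel and (lpol["include_sci"] or rpol["include_sci"]):
        findings.append("include sci is set but must not be used for IPv6 VXLAN tunnels")
    return findings
```

Run check_pair(parse_config(SWITCH_B), parse_config(SWITCH_C), "2.2.2.2", "3.3.3.3") to compare the two ends of the example tunnel; any change that breaks one of the rules (a swapped SCI, a different key string, a policy name that was never created) shows up as a finding before the tunnel is brought up.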

Display and maintenance commands for CloudSec

Execute display commands in any view to verify the operation of CloudSec.

 

Task                                   Command

Display local CloudSec information.    display cloudsec local [ ipv4-address | ipv6-address ]

Display peer CloudSec information.     display cloudsec peer [ ipv4-address | ipv6-address ] [ verbose ]

Display CloudSec policies.             display cloudsec policy [ name policy-name ]

 

CloudSec configuration examples

Example: Configuring CloudSec to protect the VXLAN tunneled traffic between data centers

This example provides configuration of IPv4 sites over an IPv4 underlay network. The configuration procedure does not differ between IPv4 and IPv6 sites or underlay networks.

Network configuration

As shown in Figure 4, Switches A and B are VTEPs for data center 1, while Switches C and D are VTEPs for data center 2. Switches B and C also act as EDs between the two data centers. Data centers 1 and 2 use VXLAN 10 and VXLAN 30 to process traffic of the same service, respectively.

Configure EVPN to extend Layer 2 connectivity between the two data centers, and CloudSec to encrypt VXLAN tunneled traffic between the two data centers for data security.

Figure 4 Network diagram

 

Procedure

1.     Configure IP addresses and unicast routing settings:

# Configure the IP address and subnet mask for each interface.

# Configure OSPF on all transport network switches (Switches A through D) for them to reach one another. (Details not shown.)

2.     Configure Switch A:

# Enable L2VPN.

<SwitchA> system-view

[SwitchA] l2vpn enable

# Disable remote-MAC address learning.

[SwitchA] vxlan tunnel mac-learning disable

# Create VXLAN 10 in VSI vpna.

[SwitchA] vsi vpna

[SwitchA-vsi-vpna] vxlan 10

[SwitchA-vsi-vpna-vxlan-10] quit

# Create an EVPN instance in VSI vpna, and configure the switch to automatically generate a route distinguisher (RD) and a route target (RT) for the EVPN instance.

[SwitchA-vsi-vpna] evpn encapsulation vxlan

[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto

[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto

[SwitchA-vsi-vpna-evpn-vxlan] quit

[SwitchA-vsi-vpna] quit

# Configure BGP to advertise BGP EVPN routes.

[SwitchA] bgp 100

[SwitchA-bgp-default] peer 2.2.2.2 as-number 100

[SwitchA-bgp-default] peer 2.2.2.2 connect-interface loopback 0

[SwitchA-bgp-default] address-family l2vpn evpn

[SwitchA-bgp-default-evpn] peer 2.2.2.2 enable

[SwitchA-bgp-default-evpn] quit

[SwitchA-bgp-default] quit

# On Ten-GigabitEthernet 3/0/1, create Ethernet service instance 1000 and configure it to match data frames from VLAN 100.

[SwitchA] interface ten-gigabitethernet 3/0/1

[SwitchA-Ten-GigabitEthernet3/0/1] service-instance 1000

[SwitchA-Ten-GigabitEthernet3/0/1-srv1000] encapsulation s-vid 100

# Map Ethernet service instance 1000 to VSI vpna.

[SwitchA-Ten-GigabitEthernet3/0/1-srv1000] xconnect vsi vpna

[SwitchA-Ten-GigabitEthernet3/0/1-srv1000] quit

3.     Configure Switch B:

# Enable L2VPN.

<SwitchB> system-view

[SwitchB] l2vpn enable

# Disable remote-MAC address learning.

[SwitchB] vxlan tunnel mac-learning disable

# Enable DCI on the Layer 3 interface that connects Switch B to Switch C for automatic VXLAN-DCI tunnel establishment.

[SwitchB] interface vlan-interface 12

[SwitchB-Vlan-interface12] dci enable

[SwitchB-Vlan-interface12] quit

# Create VXLAN 10 in VSI vpna.

[SwitchB] vsi vpna

[SwitchB-vsi-vpna] vxlan 10

[SwitchB-vsi-vpna-vxlan-10] quit

# Create an EVPN instance in VSI vpna, and configure the switch to automatically generate an RD and an RT for the EVPN instance.

[SwitchB-vsi-vpna] evpn encapsulation vxlan

[SwitchB-vsi-vpna-evpn-vxlan] route-distinguisher auto

[SwitchB-vsi-vpna-evpn-vxlan] vpn-target auto

# Map local VXLAN 10 to remote VXLAN 500.

[SwitchB-vsi-vpna-evpn-vxlan] mapping vni 500

[SwitchB-vsi-vpna-evpn-vxlan] quit

[SwitchB-vsi-vpna] quit

# Create VXLAN 500 in VSI vpnb. The VXLAN is used for replacing the local VXLAN during Layer 2 forwarding.

[SwitchB] vsi vpnb

[SwitchB-vsi-vpnb] vxlan 500

[SwitchB-vsi-vpnb-vxlan-500] quit

# Create an EVPN instance in VSI vpnb. Configure the switch to automatically generate an RD, and manually configure an RT for the EVPN instance.

[SwitchB-vsi-vpnb] evpn encapsulation vxlan

[SwitchB-vsi-vpnb-evpn-vxlan] route-distinguisher auto

[SwitchB-vsi-vpnb-evpn-vxlan] vpn-target 123:456

[SwitchB-vsi-vpnb-evpn-vxlan] quit

[SwitchB-vsi-vpnb] quit

# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch A, and enable router MAC replacement for routes advertised to and received from Switch C.

[SwitchB] bgp 100

[SwitchB-bgp-default] peer 3.3.3.3 as-number 200

[SwitchB-bgp-default] peer 3.3.3.3 connect-interface loopback 0

[SwitchB-bgp-default] peer 3.3.3.3 ebgp-max-hop 64

[SwitchB-bgp-default] peer 1.1.1.1 as-number 100

[SwitchB-bgp-default] peer 1.1.1.1 connect-interface loopback 0

[SwitchB-bgp-default] address-family l2vpn evpn

[SwitchB-bgp-default-evpn] peer 3.3.3.3 enable

[SwitchB-bgp-default-evpn] peer 3.3.3.3 router-mac-local

[SwitchB-bgp-default-evpn] peer 1.1.1.1 enable

[SwitchB-bgp-default-evpn] peer 1.1.1.1 next-hop-local

[SwitchB-bgp-default-evpn] quit

[SwitchB-bgp-default] address-family ipv4 unicast

[SwitchB-bgp-default-ipv4] peer 3.3.3.3 enable

[SwitchB-bgp-default-ipv4] peer 3.3.3.3 advertise-cloudsec

[SwitchB-bgp-default-ipv4] quit

[SwitchB-bgp-default] quit

# Configure a keychain.

[SwitchB] keychain 1 mode absolute

[SwitchB-keychain-1] key 1

[SwitchB-keychain-1-key-1] authentication-algorithm hmac-sha-256

[SwitchB-keychain-1-key-1] key-string plain 123456

[SwitchB-keychain-1-key-1] send-lifetime utc 00:00:00 2023/01/01 to 00:00:00 2024/01/01

[SwitchB-keychain-1-key-1] accept-lifetime utc 00:00:00 2023/01/01 to 00:00:00 2024/01/01

[SwitchB-keychain-1-key-1] quit

[SwitchB-keychain-1] quit

# Configure a CloudSec policy.

[SwitchB] cloudsec policy 1

[SwitchB-cloudsec-policy-1] cipher-suite gcm-aes-256

[SwitchB-cloudsec-policy-1] include sci

[SwitchB-cloudsec-policy-1] sak-rekey-interval 2000

[SwitchB-cloudsec-policy-1] quit

# Create a CloudSec peer and apply keychain 1 and CloudSec policy 1 to the CloudSec peer. Set the receive SCI value to 1 and the transmit SCI value to 2. The receive SCI value and transmit SCI value of the local device must equal the transmit SCI value and receive SCI value of the peer device, respectively.

[SwitchB] cloudsec peer 3.3.3.3

[SwitchB-cloudsec-peer-3.3.3.3] keychain 1 policy 1

[SwitchB-cloudsec-peer-3.3.3.3] sci rx 1

[SwitchB-cloudsec-peer-3.3.3.3] sci tx 2

[SwitchB-cloudsec-peer-3.3.3.3] quit

# Associate the VXLAN tunnel source interface with CloudSec.

[SwitchB] cloudsec source-interface LoopBack 0

4.     Configure Switch C:

# Enable L2VPN.

<SwitchC> system-view

[SwitchC] l2vpn enable

# Disable remote-MAC address learning.

[SwitchC] vxlan tunnel mac-learning disable

# Enable DCI on the Layer 3 interface that connects Switch C to Switch B for automatic VXLAN-DCI tunnel establishment.

[SwitchC] interface vlan-interface 12

[SwitchC-Vlan-interface12] dci enable

[SwitchC-Vlan-interface12] quit

# Create VXLAN 30 in VSI vpna.

[SwitchC] vsi vpna

[SwitchC-vsi-vpna] vxlan 30

[SwitchC-vsi-vpna-vxlan-30] quit

# Create an EVPN instance in VSI vpna, and configure the switch to automatically generate an RD and an RT for the EVPN instance.

[SwitchC-vsi-vpna] evpn encapsulation vxlan

[SwitchC-vsi-vpna-evpn-vxlan] route-distinguisher auto

[SwitchC-vsi-vpna-evpn-vxlan] vpn-target auto

# Map local VXLAN 30 to remote VXLAN 500.

[SwitchC-vsi-vpna-evpn-vxlan] mapping vni 500

[SwitchC-vsi-vpna-evpn-vxlan] quit

[SwitchC-vsi-vpna] quit

# Create VXLAN 500 in VSI vpnb. The VXLAN ID is used for replacing the local VXLAN ID during Layer 2 forwarding.

[SwitchC] vsi vpnb

[SwitchC-vsi-vpnb] vxlan 500

[SwitchC-vsi-vpnb-vxlan-500] quit

# Create an EVPN instance in VSI vpnb. Configure the switch to automatically generate an RD, and manually configure an RT for the EVPN instance.

[SwitchC-vsi-vpnb] evpn encapsulation vxlan

[SwitchC-vsi-vpnb-evpn-vxlan] route-distinguisher auto

[SwitchC-vsi-vpnb-evpn-vxlan] vpn-target 123:456

[SwitchC-vsi-vpnb-evpn-vxlan] quit

[SwitchC-vsi-vpnb] quit

# Configure BGP to advertise BGP EVPN routes. Enable nexthop replacement for routes advertised to Switch D, and enable router MAC replacement for routes advertised to and received from Switch B.

[SwitchC] bgp 200

[SwitchC-bgp-default] peer 2.2.2.2 as-number 100

[SwitchC-bgp-default] peer 2.2.2.2 connect-interface loopback 0

[SwitchC-bgp-default] peer 2.2.2.2 ebgp-max-hop 64

[SwitchC-bgp-default] peer 4.4.4.4 as-number 200

[SwitchC-bgp-default] peer 4.4.4.4 connect-interface loopback 0

[SwitchC-bgp-default] address-family l2vpn evpn

[SwitchC-bgp-default-evpn] peer 2.2.2.2 enable

[SwitchC-bgp-default-evpn] peer 2.2.2.2 router-mac-local

[SwitchC-bgp-default-evpn] peer 4.4.4.4 enable

[SwitchC-bgp-default-evpn] peer 4.4.4.4 next-hop-local

[SwitchC-bgp-default-evpn] quit

[SwitchC-bgp-default] address-family ipv4 unicast

[SwitchC-bgp-default-ipv4] peer 2.2.2.2 enable

[SwitchC-bgp-default-ipv4] peer 2.2.2.2 advertise-cloudsec

[SwitchC-bgp-default-ipv4] quit

[SwitchC-bgp-default] quit

# Configure a keychain.

[SwitchC] keychain 1 mode absolute

[SwitchC-keychain-1] key 1

[SwitchC-keychain-1-key-1] authentication-algorithm hmac-sha-256

[SwitchC-keychain-1-key-1] key-string plain 123456

[SwitchC-keychain-1-key-1] send-lifetime utc 00:00:00 2023/01/01 to 00:00:00 2024/01/01

[SwitchC-keychain-1-key-1] accept-lifetime utc 00:00:00 2023/01/01 to 00:00:00 2024/01/01

[SwitchC-keychain-1-key-1] quit

[SwitchC-keychain-1] quit

# Configure a CloudSec policy.

[SwitchC] cloudsec policy 1

[SwitchC-cloudsec-policy-1] cipher-suite gcm-aes-256

[SwitchC-cloudsec-policy-1] include sci

[SwitchC-cloudsec-policy-1] sak-rekey-interval 2000

[SwitchC-cloudsec-policy-1] quit

# Create a CloudSec peer and apply keychain 1 and CloudSec policy 1 to the CloudSec peer. Set the receive SCI value to 2 and the transmit SCI value to 1. The receive SCI value and transmit SCI value of the local device must equal the transmit SCI value and receive SCI value of the peer device, respectively.

[SwitchC] cloudsec peer 2.2.2.2

[SwitchC-cloudsec-peer-2.2.2.2] keychain 1 policy 1

[SwitchC-cloudsec-peer-2.2.2.2] sci rx 2

[SwitchC-cloudsec-peer-2.2.2.2] sci tx 1

[SwitchC-cloudsec-peer-2.2.2.2] quit

# Associate the VXLAN tunnel source interface with CloudSec.

[SwitchC] cloudsec source-interface LoopBack 0

5.     Configure Switch D:

# Enable L2VPN.

<SwitchD> system-view

[SwitchD] l2vpn enable

# Disable remote-MAC address learning.

[SwitchD] vxlan tunnel mac-learning disable

# Create VXLAN 30 in VSI vpna.

[SwitchD] vsi vpna

[SwitchD-vsi-vpna] vxlan 30

[SwitchD-vsi-vpna-vxlan-30] quit

# Create an EVPN instance in VSI vpna, and configure the switch to automatically generate an RD and an RT for the EVPN instance.

[SwitchD-vsi-vpna] evpn encapsulation vxlan

[SwitchD-vsi-vpna-evpn-vxlan] route-distinguisher auto

[SwitchD-vsi-vpna-evpn-vxlan] vpn-target auto

[SwitchD-vsi-vpna-evpn-vxlan] quit

[SwitchD-vsi-vpna] quit

# Configure BGP to advertise BGP EVPN routes.

[SwitchD] bgp 200

[SwitchD-bgp-default] peer 3.3.3.3 as-number 200

[SwitchD-bgp-default] peer 3.3.3.3 connect-interface Loopback 0

[SwitchD-bgp-default] address-family l2vpn evpn

[SwitchD-bgp-default-evpn] peer 3.3.3.3 enable

[SwitchD-bgp-default-evpn] quit

[SwitchD-bgp-default] quit

# On Ten-GigabitEthernet 3/0/1, create Ethernet service instance 1000 and configure it to match data frames from VLAN 200.

[SwitchD] interface ten-gigabitethernet 3/0/1

[SwitchD-Ten-GigabitEthernet3/0/1] service-instance 1000

[SwitchD-Ten-GigabitEthernet3/0/1-srv1000] encapsulation s-vid 200

# Map Ethernet service instance 1000 to VSI vpna.

[SwitchD-Ten-GigabitEthernet3/0/1-srv1000] xconnect vsi vpna

[SwitchD-Ten-GigabitEthernet3/0/1-srv1000] quit

Verifying the configuration

1.     Verify the configuration on EDs. (The following uses Switch B as an example.)

# Verify that the ED has discovered Switch A and Switch C through IMET routes and has established VXLAN and VXLAN-DCI tunnels to the switches.

[SwitchB] display evpn auto-discovery imet

Total number of automatically discovered peers: 2

 

VSI name: vpna

RD                    PE_address      Tunnel_address  Tunnel mode VXLAN ID

1:10                  1.1.1.1         1.1.1.1         VXLAN       10

1:500                 3.3.3.3         3.3.3.3         VXLAN-DCI   500

# Verify that the tunnel interfaces in VXLAN and VXLAN-DCI modes on the ED are up.

[SwitchB] display interface tunnel

Tunnel1

Current state: UP

Line protocol state: UP

Description: Tunnel1 Interface

Bandwidth: 64 kbps

Maximum transmission unit: 1464

Internet protocol processing: Disabled

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Tunnel source 2.2.2.2, destination 1.1.1.1

Tunnel protocol/transport UDP_VXLAN/IP

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

 

Tunnel1

Current state: UP

Line protocol state: UP

Description: Tunnel1 Interface

Bandwidth: 64 kbps

Maximum transmission unit: 1464

Internet protocol processing: Disabled

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Tunnel source 2.2.2.2, destination 3.3.3.3

Tunnel protocol/transport UDP_VXLAN-DCI/IP

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Verify that the VXLAN and VXLAN-DCI tunnels have been assigned to the VXLAN.

[SwitchB] display l2vpn vsi verbose

VSI Name: vpna

  VSI Index               : 0

  VSI State               : Up

  MTU                     : 1500

  Bandwidth               : Unlimited

  Broadcast Restrain      : Unlimited

  Multicast Restrain      : Unlimited

  Unknown Unicast Restrain: Unlimited

  MAC Learning            : Enabled

  MAC Table Limit         : -

  MAC Learning rate       : -

  Drop Unknown            : -

  Flooding                : Enabled

  Statistics              : Disabled

  VXLAN ID                : 10

  Tunnel Statistics       : Enabled

  Tunnels:

    Tunnel Name          Link ID    State    Type        Flood proxy

    Tunnel1              0x5000000  UP       Auto        Disabled

    Tunnel1              0x5000001  UP       Auto        Disabled

 

VSI Name: vpnb

  VSI Index               : 1

  VSI State               : Down

  MTU                     : 1500

  Bandwidth               : Unlimited

  Broadcast Restrain      : Unlimited

  Multicast Restrain      : Unlimited

  Unknown Unicast Restrain: Unlimited

  MAC Learning            : Enabled

  MAC Table Limit         : -

  MAC Learning rate       : -

  Drop Unknown            : -

  Flooding                : Enabled

  Statistics              : Disabled

  VXLAN ID                : 500

# Verify that the ED has generated EVPN MAC address entries for the VMs.

[SwitchB] display evpn route mac

Flags: D - Dynamic   B - BGP      L - Local active

       G - Gateway   S - Static   M - Mapping        I - Invalid

 

VSI name: vpna

MAC address     Link ID/Name     Flags   Next hop

0001-0001-0011  Tunnel1          B       1.1.1.1

0001-0001-0033  Tunnel1          BM      3.3.3.3

# Verify that VXLAN tunnel 500 is protected by the CloudSec peer.

[SwitchB] display cloudsec peer verbose

Peer address 3.3.3.3

  Active policy             : 1

  TunnelNo                  : 500

  Included SCI              : Yes

  Cipher suite              : GCM-AES-256

  SAK rekey interval        : 0

  Tx secure channel:

    SCI         : 2

    Current SA  : AN 0

2.     Verify that VM 1 and VM 2 can access each other. (Details not shown.)
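A parser and audit for the display cloudsec peer verbose output shown in the verification step above, as an added example that is not H3C code: it reads the peer state into a dictionary and compares it with the values the operator intended (active policy, cipher suite, SCI inclusion, transmit SCI, SAK rekey interval, and the presence of a current transmit SA). SAMPLE_OUTPUT is a constructed copy of the Switch B output; the field names are the ones shown on this page, and the expected values come from policy 1 and the peer settings configured on Switch B.

```python
"""Parse 'display cloudsec peer verbose' output and audit it against the
intended settings.  Added example, not H3C code; SAMPLE_OUTPUT is a
constructed copy of the Switch B output shown on this page."""
import re

SAMPLE_OUTPUT = """\
Peer address 3.3.3.3
  Active policy             : 1
  TunnelNo                  : 500
  Included SCI              : Yes
  Cipher suite              : GCM-AES-256
  SAK rekey interval        : 0
  Tx secure channel:
    SCI         : 2
    Current SA  : AN 0
"""


def parse_cloudsec_peers(output):
    """Map each peer address to its fields.  Fields under a secure channel
    are prefixed with 'tx ' or 'rx ' so both channels can coexist."""
    peers, cur, channel = {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Peer address\s+(\S+)$", line)
        if m:
            cur, channel = peers.setdefault(m.group(1), {}), None
            continue
        if cur is None or not line:
            continue
        if line.endswith("secure channel:"):      # 'Tx secure channel:' / 'Rx secure channel:'
            channel = line.split()[0].lower()
            continue
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            cur[f"{channel} {key}" if channel else key] = value
    return peers


def audit_peer(peers, address, expected):
    """Compare one peer's state with the intended settings; [] means no findings.
    expected carries policy, cipher, include_sci, tx_sci and rekey."""
    state = peers.get(address)
    if state is None:
        return [f"{address}: no CloudSec peer state, tunnel is not protected"]
    findings = []
    checks = (
        ("Active policy", expected["policy"]),
        ("Cipher suite", expected["cipher"].upper()),
        ("Included SCI", "Yes" if expected["include_sci"] else "No"),
        ("tx SCI", str(expected["tx_sci"])),
        ("SAK rekey interval", str(expected["rekey"])),
    )
    for field, want in checks:
        got = state.get(field)
        if got != want:
            findings.append(f"{address}: {field} is {got}, expected {want}")
    if "tx Current SA" not in state:             # no SA means nothing is being encrypted
        findings.append(f"{address}: no current transmit SA, encryption not active")
    return findings


if __name__ == "__main__":
    intended = {"policy": "1", "cipher": "gcm-aes-256", "include_sci": True, "tx_sci": 2, "rekey": 2000}
    print(audit_peer(parse_cloudsec_peers(SAMPLE_OUTPUT), "3.3.3.3", intended))
```

With the values from policy 1 (GCM-AES-256, include sci, transmit SCI 2, rekey interval 2000) the only finding on this sample is the rekey interval, which the display shows as 0; confirm on a live device whether that field reflects the configured interval before treating it as a misconfiguration. A peer address with no state at all is reported as unprotected, which is the case to watch for after a BGP or keychain change.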
