09-Security Configuration Guide
25-Microsegmentation configuration
Configuring microsegmentation
About microsegmentation
The microsegmentation feature, also called group-based security segregation, controls traffic based on the groups to which its endpoints are assigned. For example, you can group servers in a data center based on specific criteria and apply traffic control policies to different groups.
Basic concepts
Microsegment
A microsegment groups endpoints (such as servers) based on specific criteria. Each microsegment has a globally unique ID.
Group-based policy
A group-based policy (GBP) is a microsegment-based traffic control policy that can be implemented by using any of the following functions:
· PBR—A policy node corresponds to a GBP and controls communication between microsegments through the apply next-hop or apply output-interface null0 action. For more information about PBR, see Layer 3—IP Routing Configuration Guide.
· QoS policy—A class-behavior association corresponds to a GBP and controls communication between microsegments through the filter deny or filter permit action in the traffic behavior. For more information about QoS policies, see QoS configuration in ACL and QoS Configuration Guide.
· Packet filtering—A packet filter corresponds to a GBP and controls communication between microsegments through the permit or deny rules in an ACL. For more information about packet filtering, see ACL configuration in ACL and QoS Configuration Guide.
Components of microsegmentation
As shown in Figure 1, the microsegmentation feature contains the microsegment, ACL, and GBP settings. A GBP can be a QoS policy, a packet filter, or a PBR policy node.
This feature controls whether members in different microsegments can communicate. The GBP takes effect on the local end of a link. To control bidirectional traffic, configure this feature on both ends. Intermediate nodes do not require the configuration of this feature.
This feature can be used in IP, VXLAN, and EVPN networks. The configurations are slightly different in different networks.
· In an IP network, all settings must be configured on the Layer 3 gateway devices. In a VXLAN or EVPN network, all settings must be configured on the VTEPs.
· In an EVPN network, if the microsegment settings are automatically synchronized to the remote end through the BGP extended community attribute in the MAC/IP advertisement route, you do not need to configure microsegment settings on the remote end.
Figure 1 Microsegmentation configuration workflow
How microsegmentation works
The microsegmentation feature works in the same way in IP, VXLAN, and EVPN networks. As shown in Figure 2, this section takes unidirectional traffic in an IP network as an example to illustrate how this feature works. This example uses a QoS policy as the GBP.
1. After receiving a packet sent from Host A to Host D, Device A obtains its source IP address (192.168.1.2) and destination IP address (192.168.1.5).
2. Device A searches the FIB table for the source IP address according to the longest match rule and determines that Host A belongs to microsegment 1.
3. Device A searches the FIB table for the destination IP address according to the longest match rule and determines that Host D belongs to microsegment 2.
4. Device A matches the source microsegment (1) and destination microsegment (2) against the ACL rules referenced by the QoS policy and takes one of the following actions on matching packets:
¡ Forwards matching packets if the action is filter permit.
¡ Drops matching packets if the action is filter deny.
Figure 2 Forwarding of Layer 3 packets in an IP network
The microsegmentation feature works in the same way for cross-device packet forwarding.
Restrictions and guidelines: Microsegmentation configuration
When you use this feature to control unidirectional inter-VPN traffic, follow these restrictions and guidelines:
· On the source PE device, if the route guiding traffic forwarding is a network route, you must add the destination address of the route to a microsegment as a member.
· On the destination PE device, if the route is a host route, you must add the destination address of the route to a microsegment as a member.
Microsegmentation tasks at a glance
To configure microsegmentation, perform the following tasks:
1. Configuring a microsegment
2. (Optional.) Configuring an aggregate microsegment
3. Configuring an ACL
4. Configuring a GBP
Choose one option as needed:
¡ Configuring PBR
¡ Configuring a QoS policy
¡ Configuring packet filtering
5. (Optional.) Configuring the microsegment extended community attribute
Perform this task in an EVPN network to avoid extended community attribute conflicts.
6. (Optional.) Configuring the network address match method for microsegments
7. (Optional.) Enabling SNMP notifications for microsegmentation
Prerequisites for microsegmentation configuration
This feature can be used in IP, VXLAN, and EVPN networks. Before you configure microsegmentation, set up the IP, VXLAN, or EVPN network. For information about configuring these networks, see the relevant configuration guides.
Configuring a microsegment
Restrictions and guidelines
To control bidirectional traffic, follow these rules:
· In an IP or VXLAN network, configure the same microsegment settings on the two ends.
· In an EVPN network, configure a microsegment only on the local end. When distributing a MAC/IP advertisement route, the device carries the microsegment ID in the BGP extended community attribute. If the members (IP addresses) are in the distributed route, the microsegment settings are automatically synchronized to the remote end. The synchronized microsegment settings directly take effect on the remote end and are not subject to the microsegment enable command. If you also configure a microsegment on the remote end, the synchronized microsegment settings overwrite the configured ones in the case of any setting differences.
For more information about MAC/IP advertisement routes, see EVPN overview in EVPN Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Create a microsegment and enter microsegment view.
microsegment microsegment-id [ name microsegment-name ]
3. Add a member to the microsegment.
member ipv4 ipv4-address { mask | mask-length } [ vpn-instance vpn-instance-name ]
member ipv6 ipv6-address prefix-length [ vpn-instance vpn-instance-name ]
By default, a microsegment does not contain members.
4. (Optional.) Map the microsegment to a VSI, which adds the users connected through the ACs of that VSI to the microsegment.
xconnect vsi
By default, a microsegment is not bound to any VSI.
The information about added users is not displayed in the display microsegment command output.
For more information about the xconnect vsi command, see VXLAN Command Reference.
5. Return to system view.
quit
6. Enable microsegmentation.
microsegment enable
By default, microsegmentation is disabled.
Configuring an aggregate microsegment
About this task
An aggregate microsegment is a group of microsegments with contiguous IDs. The ID of the aggregate microsegment is the start microsegment ID. You can use a mask to specify the member microsegments for an aggregate microsegment.
As shown in Figure 3, microsegments 8 through 15 can communicate with one another. To prevent communication between microsegments 12 and 14 and between microsegments 13 and 14, you can use an aggregate microsegment instead of reconfiguring microsegment settings. In this example, you can combine microsegments 12 and 13 to create an aggregate microsegment with ID 12, and use a GBP to prevent communication between aggregate microsegment 12 and microsegment 14.
Figure 3 Microsegment aggregation
Procedure
1. Enter system view.
system-view
2. Create an aggregate microsegment and enter its view.
microsegment aggregation aggregation-id mask-length mask-length [ name aggregation-name ]
Configuring an ACL
Restrictions and guidelines
To control bidirectional traffic, you must configure an ACL on both ends and configure an ACL rule with swapped source and destination microsegments on the two ends.
If you use a PBR policy node or a QoS policy as the GBP, the ACL rules must be permit rules. The apply action or QoS action is taken on matching packets.
If you use a packet filter as the GBP, the ACL rules can be permit or deny rules. Matching packets are permitted or denied.
Procedure
1. Enter system view.
system-view
2. Create an IPv4 or IPv6 advanced ACL and enter its view. Choose one option as needed:
¡ acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto | config } ]
¡ acl [ ipv6 ] { advanced | basic } { acl-number | name acl-name } [ match-order { auto | config } ]
3. Configure a rule.
For more information, see the rule command in ACL and QoS Command Reference.
In the rule command, the destination microsegment microsegment-id and source microsegment microsegment-id options must be specified, and other parameters can be configured as needed.
Configuring a GBP
Configuring PBR
About this task
You can control communication between microsegments by referencing an ACL and specifying a next hop (permitting traffic) or the output interface NULL0 (dropping traffic) in a PBR policy.
For more information about PBR, see Layer 3—IP Routing Configuration Guide.
Restrictions and guidelines
To control bidirectional traffic, you must configure PBR on both ends.
Procedure
1. Enter system view.
system-view
2. Create a node for a policy, and enter its view.
policy-based-route policy-name [ deny | permit ] node node-number
3. Set an ACL match criterion for the node.
if-match acl { acl-number | name acl-name }
By default, no ACL match criterion is set.
4. Configure an action for the node. Choose one option as needed:
¡ Set a next hop.
apply next-hop ip-address
¡ Set NULL0 as the output interface.
apply output-interface null0
By default, no action is configured.
5. Return to system view.
quit
6. Enter interface view.
interface interface-type interface-number
7. Specify the policy for interface PBR.
ip policy-based-route policy-name [ share-mode ]
By default, no interface policy is applied to an interface.
Configuring a QoS policy
About this task
You can use the traffic filtering action in a QoS policy to control communication between microsegments.
Procedure
1. Enter system view.
system-view
2. Define a traffic class.
a. Create a traffic class and enter traffic class view.
traffic classifier classifier-name [ operator { and | or } ]
b. Configure a match criterion.
if-match acl [ ipv6 ] { acl-number | name acl-name }
By default, no match criterion is configured.
Only IPv4 and IPv6 advanced ACLs can be used to match packets.
c. Return to system view.
quit
3. Define a traffic behavior.
a. Create a traffic behavior and enter traffic behavior view.
traffic behavior behavior-name
b. Configure a traffic filtering action.
filter { deny | permit }
By default, no traffic filtering action is configured.
c. Return to system view.
quit
4. Define a QoS policy.
a. Create a QoS policy and enter QoS policy view.
qos policy policy-name
b. Associate the traffic class with the traffic behavior in the QoS policy.
classifier classifier-name behavior behavior-name
By default, a traffic class is not associated with a traffic behavior.
c. Return to system view.
quit
5. Apply the QoS policy to an interface.
a. Enter interface view.
interface interface-type interface-number
b. Apply the QoS policy to the inbound direction of the interface.
qos apply policy policy-name inbound [ share-mode ]
By default, no QoS policy is applied to an interface.
Configuring packet filtering
About this task
You can apply an ACL to the inbound direction of an interface to control communication between microsegments.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Apply an ACL to the inbound direction of the interface.
packet-filter [ ipv6 ] { acl-number | name acl-name } inbound [ share-mode ]
By default, no ACL is applied to an interface.
Configuring the microsegment extended community attribute
About this task
A MAC/IP advertisement route carries microsegment IDs in a BGP extended community attribute and advertises microsegment settings to a peer through the extended community attribute. For more information about MAC/IP advertisement routes, see EVPN overview in EVPN Configuration Guide.
To avoid attribute conflicts, you can perform this task to modify the microsegment extended community attribute value.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Set the microsegment extended community attribute value.
extcommunity-type microsegment-id microsegment-type-value
The default setting is 83ff (hexadecimal).
4. (Optional.) Display the microsegment extended community attribute value in BGP EVPN routes and the microsegment ID.
display bgp l2vpn evpn
For more information about this command, see EVPN commands in EVPN Command Reference.
5. (Optional.) Display the microsegment IDs carried in routes.
display ip routing-table
For more information about this command, see IP basics commands in Layer 3—IP Routing Command Reference.
Configuring the network address match method for microsegments
About this task
The device determines the microsegment membership of packets by matching the source and destination IP addresses of packets. The following match methods are available:
· Exact match—The mask lengths of the source and destination IP addresses must be equal to those of members in microsegments. For example, a packet sourced from 10.10.10.1/24 matches member 10.10.10.0/24 instead of 10.10.10.0/23.
· Longest match—The mask lengths of the source and destination IP addresses can be greater than or equal to those of members in microsegments. For example, a packet sourced from 10.10.10.1/24 matches member 10.10.10.0/16.
The device uses different match methods for different member types of microsegments:
· Host addresses (IPv4 addresses with a 32-bit mask and IPv6 addresses with a 128-bit prefix) use the longest match method, which cannot be modified.
· The default route (0.0.0.0/0 or 0::0/0) uses the exact match method, which cannot be modified.
· Network addresses (IPv4 addresses with a 1-bit to 31-bit mask and IPv6 addresses with a 1-bit to 127-bit prefix) use the exact match method by default. If you execute the microsegment subnet-match longest command, the longest match method is used. If you execute the microsegment subnet-match disable command, no microsegment member can be matched.
The longest match method helps you simplify configuration when you need to add a large number of network addresses to a microsegment. For example, to match network addresses 10.10.10.0/24, 10.10.20.0/24, and 10.10.30.0/24 to microsegment 1, you need to execute only the member ipv4 10.10.10.0 16 command if you use longest match. Because longest match also pulls every more specific route under 10.10.0.0/16 into microsegment 1, verify that no network you intended to keep out of the microsegment falls under such a member before you enable it.
Procedure
1. Enter system view.
system-view
2. Configure the network address match method for microsegments.
microsegment subnet-match { disable | longest }
By default, exact match is used for network addresses.
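The following Python model is an added example; it is not Comware code or device output. It reproduces the lookup order described in "How microsegmentation works" (FIB longest match, microsegment member match, ACL rule keyed on source and destination microsegments, GBP action) together with the per-member-type match rules in this section and the ID ranges from "Configuring an aggregate microsegment", so you can check how a given packet would be classified before committing a policy. The FIB entries, microsegments, aggregate and policy in it are constructed for the example; the 16-bit microsegment ID width used for aggregate ranges, the choice of the most specific member when members overlap, and the pass-through of packets that match no class are assumptions of the model rather than documented behavior.

```python
"""Model of the microsegment lookup and GBP decision (added example, not Comware
code). The sample FIB, microsegments, aggregate and policy are constructed;
ID_BITS and the tie-breaks marked "assumed" are not documented behavior."""
import ipaddress
from dataclasses import dataclass, field

ID_BITS = 16  # assumed microsegment ID width; used only for aggregate ranges

@dataclass
class Microsegment:
    ms_id: int
    members: list  # ipaddress.IPv4Network / IPv6Network objects

@dataclass
class Aggregate:
    agg_id: int       # start ID of the contiguous block of microsegments
    mask_length: int  # IDs sharing these leading bits with agg_id are members

def fib_lookup(fib, addr):
    """Longest-prefix match: the FIB route the packet address resolves to."""
    addr = ipaddress.ip_address(addr)
    hits = [r for r in fib if r.version == addr.version and addr in r]
    return max(hits, key=lambda r: r.prefixlen) if hits else None

def route_matches_member(route, member, subnet_match):
    """Host routes always use longest match, the default route always uses exact
    match, other network routes use the configured method (exact/longest/disable)."""
    if route.version != member.version:
        return False
    if route.prefixlen == route.max_prefixlen:   # /32 or /128 host route
        mode = "longest"
    elif route.prefixlen == 0:                   # 0.0.0.0/0 or ::/0
        mode = "exact"
    else:
        mode = subnet_match
    if mode == "exact":
        return route == member                   # same prefix and same mask length
    # longest: route mask length >= member's; "disable" never matches
    return mode == "longest" and route.subnet_of(member)

def classify(route, microsegments, subnet_match):
    """Map a FIB route to a microsegment ID; most specific member wins (assumed)."""
    if route is None:
        return None
    best = None
    for ms in microsegments:
        for member in ms.members:
            if route_matches_member(route, member, subnet_match):
                if best is None or member.prefixlen > best[1]:
                    best = (ms.ms_id, member.prefixlen)
    return best[0] if best else None

def in_group(ms_id, group, aggregates):
    """True if ms_id is microsegment `group` or lies in the aggregate starting at `group`."""
    if ms_id is None:
        return False
    for agg in aggregates:
        if agg.agg_id == group:
            span = 1 << (ID_BITS - agg.mask_length)
            return agg.agg_id <= ms_id < agg.agg_id + span
    return ms_id == group

@dataclass
class Device:
    fib: list
    microsegments: list
    aggregates: list = field(default_factory=list)
    # QoS-policy GBP: (source group, destination group, filter action); each
    # entry stands for one permit ACL rule bound to a traffic behavior.
    policy: list = field(default_factory=list)
    subnet_match: str = "exact"

    def decide(self, src_ip, dst_ip):
        """Return "permit" or "deny" for one packet arriving at this device."""
        src_ms = classify(fib_lookup(self.fib, src_ip), self.microsegments, self.subnet_match)
        dst_ms = classify(fib_lookup(self.fib, dst_ip), self.microsegments, self.subnet_match)
        for src_group, dst_group, action in self.policy:
            if in_group(src_ms, src_group, self.aggregates) and in_group(dst_ms, dst_group, self.aggregates):
                return action
        return "permit"  # no class matched, so the QoS policy does not touch the packet (assumed)

def build_example_device(subnet_match="exact"):
    """Constructed sample: Device A from Figure 2 plus a /16 member and an aggregate."""
    n = ipaddress.ip_network
    fib = [n("192.168.1.0/24"), n("192.168.1.2/32"), n("192.168.1.5/32"),  # connected + host routes
           n("10.10.10.0/24"), n("10.10.20.0/24"),                          # learnt network routes
           n("172.16.12.0/24"), n("172.16.13.0/24"), n("172.16.14.0/24"), n("0.0.0.0/0")]
    microsegments = [Microsegment(1, [n("192.168.1.2/32")]),   # Host A
                     Microsegment(2, [n("192.168.1.5/32")]),   # Host D
                     Microsegment(3, [n("10.10.0.0/16")]),     # /24 routes match it only under longest match
                     Microsegment(12, [n("172.16.12.0/24")]),
                     Microsegment(13, [n("172.16.13.0/24")]),
                     Microsegment(14, [n("172.16.14.0/24")])]
    aggregates = [Aggregate(12, ID_BITS - 1)]   # aggregate 12 covers microsegments 12 and 13
    policy = [(1, 2, "deny"), (3, 2, "deny"), (12, 14, "deny")]
    return Device(fib, microsegments, aggregates, policy, subnet_match)

if __name__ == "__main__":
    dev = build_example_device()
    print(dev.decide("192.168.1.2", "192.168.1.5"))  # deny: Host A -> Host D, the Figure 2 case
    print(dev.decide("10.10.10.7", "192.168.1.5"))   # permit under exact match; "longest" would deny
```

Three things the model makes visible that the text only states: the reverse direction (Host D to Host A) is permitted because no rule covers it, which is why the chapter requires the GBP on both ends for bidirectional control; a packet whose source resolves to a /24 route never reaches microsegment 3 under the default exact match even though the address sits inside the /16 member, which is the failure described under "Restrictions and guidelines" in the configuration example; and a rule naming aggregate 12 denies traffic from microsegment 13 as well.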
Enabling SNMP notifications for microsegmentation
About this task
To report critical microsegmentation events to an SNMP NMS, enable SNMP notifications for microsegmentation.
For microsegmentation SNMP notifications to be sent correctly, you must also configure SNMP on the device. For more information about configuring SNMP, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for microsegmentation.
snmp-agent trap enable microsegment
By default, SNMP notifications are enabled for microsegmentation.
Display and maintenance commands for microsegmentation
Execute display commands in any view.
| Task | Command |
|---|---|
| Display aggregate microsegment configuration. | display microsegment aggregation [ aggregation-id \| name aggregation-name ] |
| Display microsegment configuration. | display microsegment [ microsegment-id \| name microsegment-name ] |
Microsegmentation configuration examples
Example: Configuring microsegmentation
Network configuration
As shown in Figure 4, configure microsegmentation to meet the following requirements:
· Host A, Host B, and the general server can access the file server.
· Host A and the general server cannot access each other. Host B and the general server cannot access each other.
Table 1 Interface label and interface name mappings
| Interface label | Interface name |
|---|---|
| Interface2 | HundredGigE1/1/2 |
| Interface3 | HundredGigE1/1/3 |
Analysis
1. Add Host A and Host B to microsegment 1.
2. Add the general server to microsegment 2, and add the file server to microsegment 3.
3. Configure a QoS policy to allow microsegment 1 and microsegment 3 to communicate, allow microsegment 2 and microsegment 3 to communicate, and prevent microsegment 1 and microsegment 2 from communicating.
Restrictions and guidelines
Make sure the mask length of the packet's source and destination addresses matches the address mask length of the microsegment members during configuration. Otherwise, the microsegment members specified in the ACL rules may fail to match the packets.
· If the mask length of the packet's source and destination addresses is greater than that of the microsegment member addresses, you must configure longest match as the network address match method for microsegments (microsegment subnet-match longest). Otherwise, the microsegment members specified in the ACL rules will not match the packets.
· If the mask length of the packet's source and destination addresses is less than that of the microsegment member addresses, the microsegment members specified in the ACL rules will not match the packets.
Configuring Device A
1. Configure interfaces and network connectivity.
# Create VLANs and specify the IP addresses for the VLAN interfaces.
<Sysname> system-view
[Sysname] sysname DeviceA
[DeviceA] vlan 10
[DeviceA-vlan10] port hundredgige 1/1/2
[DeviceA-vlan10] quit
[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] ip address 192.168.1.254 24
[DeviceA-Vlan-interface10] undo shutdown
[DeviceA-Vlan-interface10] quit
[DeviceA] interface hundredgige 1/1/2
[DeviceA-HundredGigE1/1/2] undo shutdown
[DeviceA-HundredGigE1/1/2] quit
[DeviceA] vlan 20
[DeviceA-vlan20] port hundredgige 1/1/3
[DeviceA-vlan20] quit
[DeviceA] interface vlan-interface 20
[DeviceA-Vlan-interface20] ip address 192.168.2.254 24
[DeviceA-Vlan-interface20] undo shutdown
[DeviceA-Vlan-interface20] quit
[DeviceA] interface hundredgige 1/1/3
[DeviceA-HundredGigE1/1/3] undo shutdown
[DeviceA-HundredGigE1/1/3] quit
[DeviceA] vlan 12
[DeviceA-vlan12] quit
[DeviceA] interface vlan-interface 12
[DeviceA-Vlan-interface12] ip address 12.0.0.2 30
[DeviceA-Vlan-interface12] undo shutdown
[DeviceA-Vlan-interface12] quit
[DeviceA] interface hundredgige 1/1/1
[DeviceA-HundredGigE1/1/1] undo shutdown
[DeviceA-HundredGigE1/1/1] port link-type trunk
[DeviceA-HundredGigE1/1/1] port trunk permit vlan 12
[DeviceA-HundredGigE1/1/1] quit
# Configure IS-IS to enable route connectivity in the network.
[DeviceA] isis 1
[DeviceA-isis-1] cost-style wide
[DeviceA-isis-1] network-entity 00.0000.0000.0001.00
[DeviceA-isis-1] is-level level-2
[DeviceA-isis-1] address-family ipv4 unicast
[DeviceA-isis-1-ipv4] quit
[DeviceA-isis-1] quit
[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] isis enable 1
[DeviceA-Vlan-interface10] quit
[DeviceA] interface vlan-interface 20
[DeviceA-Vlan-interface20] isis enable 1
[DeviceA-Vlan-interface20] quit
[DeviceA] interface vlan-interface 12
[DeviceA-Vlan-interface12] isis enable 1
[DeviceA-Vlan-interface12] quit
2. Configure microsegments:
# Create microsegment 1, and add the IP addresses of Host A and Host B as its members.
[DeviceA] microsegment 1 name EPG1
[DeviceA-microsegment-1] member ipv4 192.168.1.1 24
[DeviceA-microsegment-1] member ipv4 192.168.2.1 24
[DeviceA-microsegment-1] quit
# Create microsegment 2, and add the IP address of the general server as its member.
[DeviceA] microsegment 2 name EPG2
[DeviceA-microsegment-2] member ipv4 192.168.3.1 24
[DeviceA-microsegment-2] quit
# Create microsegment 3, and add the IP address of the file server as its member.
[DeviceA] microsegment 3 name EPG3
[DeviceA-microsegment-3] member ipv4 192.168.4.1 24
[DeviceA-microsegment-3] quit
# Enable microsegmentation.
[DeviceA] microsegment enable
3. Configure ACLs:
# Create an IPv4 advanced ACL named EPG1-EPG3, configure a rule to match the IP packets from microsegment 1 to microsegment 3.
[DeviceA] acl advanced name EPG1-EPG3
[DeviceA-acl-ipv4-adv-EPG1-EPG3] rule 0 permit ip source microsegment 1 destination microsegment 3
[DeviceA-acl-ipv4-adv-EPG1-EPG3] quit
# Create an IPv4 advanced ACL named EPG1-EPG2, configure a rule to match the IP packets from microsegment 1 to microsegment 2.
[DeviceA] acl advanced name EPG1-EPG2
[DeviceA-acl-ipv4-adv-EPG1-EPG2] rule 0 permit ip source microsegment 1 destination microsegment 2
[DeviceA-acl-ipv4-adv-EPG1-EPG2] quit
4. Configure a QoS policy:
# Create a traffic class named CLASSIFIER-GBP13, and use ACL EPG1-EPG3 as the match criterion.
[DeviceA] traffic classifier CLASSIFIER-GBP13
[DeviceA-classifier-CLASSIFIER-GBP13] if-match acl name EPG1-EPG3
[DeviceA-classifier-CLASSIFIER-GBP13] quit
# Create a traffic behavior named BEHAVIOR-GBP13, configure a permit action, and configure packet statistics collection.
[DeviceA] traffic behavior BEHAVIOR-GBP13
[DeviceA-behavior-BEHAVIOR-GBP13] filter permit
[DeviceA-behavior-BEHAVIOR-GBP13] accounting packet
[DeviceA-behavior-BEHAVIOR-GBP13] quit
# Create a traffic class named CLASSIFIER-GBP12, and use ACL EPG1-EPG2 as the match criterion.
[DeviceA] traffic classifier CLASSIFIER-GBP12
[DeviceA-classifier-CLASSIFIER-GBP12] if-match acl name EPG1-EPG2
[DeviceA-classifier-CLASSIFIER-GBP12] quit
# Create a traffic behavior named BEHAVIOR-GBP12, configure a deny action, and configure packet statistics collection.
[DeviceA] traffic behavior BEHAVIOR-GBP12
[DeviceA-behavior-BEHAVIOR-GBP12] filter deny
[DeviceA-behavior-BEHAVIOR-GBP12] accounting packet
[DeviceA-behavior-BEHAVIOR-GBP12] quit
# Create a QoS policy named GBP1, and associate the configured traffic classes and traffic behaviors in the QoS policy.
[DeviceA] qos policy GBP1
[DeviceA-qospolicy-GBP1] classifier CLASSIFIER-GBP13 behavior BEHAVIOR-GBP13
[DeviceA-qospolicy-GBP1] classifier CLASSIFIER-GBP12 behavior BEHAVIOR-GBP12
[DeviceA-qospolicy-GBP1] quit
# Apply QoS policy GBP1 to the inbound direction of HundredGigE 1/1/2.
[DeviceA] interface hundredgige 1/1/2
[DeviceA-HundredGigE1/1/2] qos apply policy GBP1 inbound
[DeviceA-HundredGigE1/1/2] quit
# Apply QoS policy GBP1 to the inbound direction of HundredGigE 1/1/3.
[DeviceA] interface hundredgige 1/1/3
[DeviceA-HundredGigE1/1/3] qos apply policy GBP1 inbound
[DeviceA-HundredGigE1/1/3] quit
Configuring Device B
# Create VLANs and specify the IP addresses for the VLAN interfaces.
<Sysname> system-view
[Sysname] sysname DeviceB
[DeviceB] vlan 12
[DeviceB-vlan12] quit
[DeviceB] interface vlan-interface 12
[DeviceB-Vlan-interface12] ip address 12.0.0.1 30
[DeviceB-Vlan-interface12] undo shutdown
[DeviceB-Vlan-interface12] quit
[DeviceB] interface hundredgige 1/1/1
[DeviceB-HundredGigE1/1/1] undo shutdown
[DeviceB-HundredGigE1/1/1] port link-type trunk
[DeviceB-HundredGigE1/1/1] port trunk permit vlan 12
[DeviceB-HundredGigE1/1/1] quit
[DeviceB] vlan 23
[DeviceB-vlan23] quit
[DeviceB] interface vlan-interface 23
[DeviceB-Vlan-interface23] ip address 23.0.0.2 30
[DeviceB-Vlan-interface23] undo shutdown
[DeviceB-Vlan-interface23] quit
[DeviceB] interface hundredgige 1/1/2
[DeviceB-HundredGigE1/1/2] undo shutdown
[DeviceB-HundredGigE1/1/2] port link-type trunk
[DeviceB-HundredGigE1/1/2] port trunk permit vlan 23
[DeviceB-HundredGigE1/1/2] quit
# Configure IS-IS to enable route connectivity in the network.
[DeviceB] isis 1
[DeviceB-isis-1] cost-style wide
[DeviceB-isis-1] network-entity 00.0000.0000.0002.00
[DeviceB-isis-1] is-level level-2
[DeviceB-isis-1] address-family ipv4 unicast
[DeviceB-isis-1-ipv4] quit
[DeviceB-isis-1] quit
[DeviceB] interface vlan-interface 12
[DeviceB-Vlan-interface12] isis enable 1
[DeviceB-Vlan-interface12] quit
[DeviceB] interface vlan-interface 23
[DeviceB-Vlan-interface23] isis enable 1
[DeviceB-Vlan-interface23] quit
Configuring Device C
1. Configure interfaces and network connectivity.
# Create VLANs and specify the IP addresses for the VLAN interfaces.
<Sysname> system-view
[Sysname] sysname DeviceC
[DeviceC] vlan 30
[DeviceC-vlan30] port hundredgige 1/1/2
[DeviceC-vlan30] quit
[DeviceC] interface vlan-interface 30
[DeviceC-Vlan-interface30] ip address 192.168.3.254 24
[DeviceC-Vlan-interface30] undo shutdown
[DeviceC-Vlan-interface30] quit
[DeviceC] interface hundredgige 1/1/2
[DeviceC-HundredGigE1/1/2] undo shutdown
[DeviceC-HundredGigE1/1/2] quit
[DeviceC] vlan 40
[DeviceC-vlan40] port hundredgige 1/1/3
[DeviceC-vlan40] quit
[DeviceC] interface vlan-interface 40
[DeviceC-Vlan-interface40] ip address 192.168.4.254 24
[DeviceC-Vlan-interface40] undo shutdown
[DeviceC-Vlan-interface40] quit
[DeviceC] interface hundredgige 1/1/3
[DeviceC-HundredGigE1/1/3] undo shutdown
[DeviceC-HundredGigE1/1/3] quit
[DeviceC] vlan 23
[DeviceC-vlan23] quit
[DeviceC] interface vlan-interface 23
[DeviceC-Vlan-interface23] ip address 23.0.0.1 30
[DeviceC-Vlan-interface23] undo shutdown
[DeviceC-Vlan-interface23] quit
[DeviceC] interface hundredgige 1/1/1
[DeviceC-HundredGigE1/1/1] undo shutdown
[DeviceC-HundredGigE1/1/1] port link-type trunk
[DeviceC-HundredGigE1/1/1] port trunk permit vlan 23
[DeviceC-HundredGigE1/1/1] quit
# Configure IS-IS to enable route connectivity in the network.
[DeviceC] isis 1
[DeviceC-isis-1] cost-style wide
[DeviceC-isis-1] network-entity 00.0000.0000.0003.00
[DeviceC-isis-1] is-level level-2
[DeviceC-isis-1] address-family ipv4 unicast
[DeviceC-isis-1-ipv4] quit
[DeviceC-isis-1] quit
[DeviceC] interface vlan-interface 30
[DeviceC-Vlan-interface30] isis enable 1
[DeviceC-Vlan-interface30] quit
[DeviceC] interface vlan-interface 40
[DeviceC-Vlan-interface40] isis enable 1
[DeviceC-Vlan-interface40] quit
[DeviceC] interface vlan-interface 23
[DeviceC-Vlan-interface23] isis enable 1
[DeviceC-Vlan-interface23] quit
2. Configure microsegments:
# Create microsegment 1, and add the IP addresses of Host A and Host B as its members.
[DeviceC] microsegment 1 name EPG1
[DeviceC-microsegment-1] member ipv4 192.168.1.1 24
[DeviceC-microsegment-1] member ipv4 192.168.2.1 24
[DeviceC-microsegment-1] quit
# Create microsegment 2, and add the IP address of the general server as its member.
[DeviceC] microsegment 2 name EPG2
[DeviceC-microsegment-2] member ipv4 192.168.3.1 24
[DeviceC-microsegment-2] quit
# Create microsegment 3, and add the IP address of the file server as its member.
[DeviceC] microsegment 3 name EPG3
[DeviceC-microsegment-3] member ipv4 192.168.4.1 24
[DeviceC-microsegment-3] quit
# Enable microsegmentation.
[DeviceC] microsegment enable
3. Configure ACLs:
# Create an IPv4 advanced ACL named EPG3-EPG1, configure a rule to match the IP packets from microsegment 3 to microsegment 1.
[DeviceC] acl advanced name EPG3-EPG1
[DeviceC-acl-ipv4-adv-EPG3-EPG1] rule 0 permit ip source microsegment 3 destination microsegment 1
[DeviceC-acl-ipv4-adv-EPG3-EPG1] quit
# Create an IPv4 advanced ACL named EPG2-EPG1, configure a rule to match the IP packets from microsegment 2 to microsegment 1.
[DeviceC] acl advanced name EPG2-EPG1
[DeviceC-acl-ipv4-adv-EPG2-EPG1] rule 0 permit ip source microsegment 2 destination microsegment 1
[DeviceC-acl-ipv4-adv-EPG2-EPG1] quit
# Create an IPv4 advanced ACL named EPG2-EPG3, configure a rule to match the IP packets from microsegment 2 to microsegment 3.
[DeviceC] acl advanced name EPG2-EPG3
[DeviceC-acl-ipv4-adv-EPG2-EPG3] rule 0 permit ip source microsegment 2 destination microsegment 3
[DeviceC-acl-ipv4-adv-EPG2-EPG3] quit
# Create an IPv4 advanced ACL named EPG3-EPG2, configure a rule to match the IP packets from microsegment 3 to microsegment 2.
[DeviceC] acl advanced name EPG3-EPG2
[DeviceC-acl-ipv4-adv-EPG3-EPG2] rule 0 permit ip source microsegment 3 destination microsegment 2
[DeviceC-acl-ipv4-adv-EPG3-EPG2] quit
4. Configure a QoS policy:
# Create a traffic class named CLASSIFIER-GBP23, and use ACL EPG2-EPG3 as the match criterion.
[DeviceC] traffic classifier CLASSIFIER-GBP23
[DeviceC-classifier-CLASSIFIER-GBP23] if-match acl name EPG2-EPG3
[DeviceC-classifier-CLASSIFIER-GBP23] quit
# Create a traffic behavior named BEHAVIOR-GBP23, configure a permit action, and configure packet statistics collection.
[DeviceC] traffic behavior BEHAVIOR-GBP23
[DeviceC-behavior-BEHAVIOR-GBP23] filter permit
[DeviceC-behavior-BEHAVIOR-GBP23] accounting packet
[DeviceC-behavior-BEHAVIOR-GBP23] quit
# Create a traffic class named CLASSIFIER-GBP21, and use ACL EPG2-EPG1 as the match criterion.
[DeviceC] traffic classifier CLASSIFIER-GBP21
[DeviceC-classifier-CLASSIFIER-GBP21] if-match acl name EPG2-EPG1
[DeviceC-classifier-CLASSIFIER-GBP21] quit
# Create a traffic behavior named BEHAVIOR-GBP21, configure a deny action, and configure packet statistics collection.
[DeviceC] traffic behavior BEHAVIOR-GBP21
[DeviceC-behavior-BEHAVIOR-GBP21] filter deny
[DeviceC-behavior-BEHAVIOR-GBP21] accounting packet
[DeviceC-behavior-BEHAVIOR-GBP21] quit
# Create a QoS policy named GBP2, and associate the configured traffic classes and traffic behaviors in the QoS policy.
[DeviceC] qos policy GBP2
[DeviceC-qospolicy-GBP2] classifier CLASSIFIER-GBP23 behavior BEHAVIOR-GBP23
[DeviceC-qospolicy-GBP2] classifier CLASSIFIER-GBP21 behavior BEHAVIOR-GBP21
[DeviceC-qospolicy-GBP2] quit
# Create a traffic class named CLASSIFIER-GBP31, and use ACL EPG3-EPG1 as the match criterion.
[DeviceC] traffic classifier CLASSIFIER-GBP31
[DeviceC-classifier-CLASSIFIER-GBP31] if-match acl name EPG3-EPG1
[DeviceC-classifier-CLASSIFIER-GBP31] quit
# Create a traffic behavior named BEHAVIOR-GBP31, configure a permit action, and configure packet statistics collection.
[DeviceC] traffic behavior BEHAVIOR-GBP31
[DeviceC-behavior-BEHAVIOR-GBP31] filter permit
[DeviceC-behavior-BEHAVIOR-GBP31] accounting packet
[DeviceC-behavior-BEHAVIOR-GBP31] quit
# Create a traffic class named CLASSIFIER-GBP32, and use ACL EPG3-EPG2 as the match criterion.
[DeviceC] traffic classifier CLASSIFIER-GBP32
[DeviceC-classifier-CLASSIFIER-GBP32] if-match acl name EPG3-EPG2
[DeviceC-classifier-CLASSIFIER-GBP32] quit
# Create a traffic behavior named BEHAVIOR-GBP32, configure a permit action, and configure packet statistics collection.
[DeviceC] traffic behavior BEHAVIOR-GBP32
[DeviceC-behavior-BEHAVIOR-GBP32] filter permit
[DeviceC-behavior-BEHAVIOR-GBP32] accounting packet
[DeviceC-behavior-BEHAVIOR-GBP32] quit
# Create a QoS policy named GBP3, and associate the configured traffic classes and traffic behaviors in the QoS policy.
[DeviceC] qos policy GBP3
[DeviceC-qospolicy-GBP3] classifier CLASSIFIER-GBP31 behavior BEHAVIOR-GBP31
[DeviceC-qospolicy-GBP3] classifier CLASSIFIER-GBP32 behavior BEHAVIOR-GBP32
[DeviceC-qospolicy-GBP3] quit
# Apply QoS policy GBP2 to the inbound direction of HundredGigE 1/1/2.
[DeviceC] interface hundredgige 1/1/2
[DeviceC-HundredGigE1/1/2] qos apply policy GBP2 inbound
[DeviceC-HundredGigE1/1/2] quit
# Apply QoS policy GBP3 to the inbound direction of HundredGigE 1/1/3.
[DeviceC] interface hundredgige 1/1/3
[DeviceC-HundredGigE1/1/3] qos apply policy GBP3 inbound
[DeviceC-HundredGigE1/1/3] quit
Verifying the configuration
# Verify that Host A and Host B cannot successfully ping the general server.
C:\> ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Request timed out
Request timed out
Request timed out
Request timed out
Ping statistics for 192.168.3.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that Host A and Host B cannot successfully ping the general server.
# Verify that Host A and Host B can successfully ping the file server.
C:\> ping 192.168.4.1
Pinging 192.168.4.1 with 32 bytes of data:
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time<1ms TTL=255
Reply from 192.168.4.1: bytes=32 time<1ms TTL=255
Reply from 192.168.4.1: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.4.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
The output shows that Host A and Host B can successfully ping the file server.
# Display the configuration of each microsegment on Device A.
[DeviceA] display microsegment 1
Microsegment ID : 1
Microsegment name : EPG1
IPv4 member:
192.168.1.1/32
192.168.2.1/32
[DeviceA] display microsegment 2
Microsegment ID : 2
Microsegment name : EPG2
IPv4 member:
192.168.3.1/32
[DeviceA] display microsegment 3
Microsegment ID : 3
Microsegment name : EPG3
IPv4 member:
192.168.4.1/32
# Display summary and state information about microsegments on Device A.
[DeviceA] display microsegment
Microsegment status: Enabled
Total microsegments: 3
Microsegment list :
Microsegment ID Members Microsegment name
1 2 EPG1
2 1 EPG2
3 1 EPG3
[DeviceA] display qos policy interface
Interface: HundredGigE1/1/2
Direction: Inbound
Policy: GBP1
Classifier: CLASSIFIER-GBP13
Operator: AND
Rule(s) :
If-match acl name EPG1-EPG3
Behavior: BEHAVIOR-GBP13
Accounting enable:
5 (Packets)
0 (pps)
Filter enable: Permit
Classifier: CLASSIFIER-GBP12
Operator: AND
Rule(s) :
If-match acl name EPG1-EPG2
Behavior: BEHAVIOR-GBP12
Accounting enable:
5 (Packets)
0 (pps)
Filter enable: Deny
Interface: HundredGigE1/1/3
Direction: Inbound
Policy: GBP1
Classifier: CLASSIFIER-GBP13
Operator: AND
Rule(s) :
If-match acl name EPG1-EPG3
Behavior: BEHAVIOR-GBP13
Accounting enable:
5 (Packets)
0 (pps)
Filter enable: Permit
Classifier: CLASSIFIER-GBP12
Operator: AND
Rule(s) :
If-match acl name EPG1-EPG2
Behavior: BEHAVIOR-GBP12
Accounting enable:
5 (Packets)
0 (pps)
Filter enable: Deny
# Display the configuration of microsegments, ACLs, and QoS policies on Device C. (Details not shown.)
Configuration files
· Device A
#
sysname DeviceA
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0000.0000.0001.00
#
address-family ipv4 unicast
#
vlan 10
#
vlan 12
#
vlan 20
#
microsegment enable
#
microsegment 1 name EPG1
member ipv4 192.168.1.0 255.255.255.0
member ipv4 192.168.2.0 255.255.255.0
#
microsegment 2 name EPG2
member ipv4 192.168.3.0 255.255.255.0
#
microsegment 3 name EPG3
member ipv4 192.168.4.0 255.255.255.0
#
traffic classifier CLASSIFIER-GBP12 operator and
if-match acl name EPG1-EPG2
#
traffic classifier CLASSIFIER-GBP13 operator and
if-match acl name EPG1-EPG3
#
traffic behavior BEHAVIOR-GBP12
accounting packet
filter deny
#
traffic behavior BEHAVIOR-GBP13
accounting packet
filter permit
#
qos policy GBP1
classifier CLASSIFIER-GBP13 behavior BEHAVIOR-GBP13
classifier CLASSIFIER-GBP12 behavior BEHAVIOR-GBP12
#
interface Vlan-interface10
ip address 192.168.1.254 255.255.255.0
isis enable 1
#
interface Vlan-interface12
ip address 12.0.0.2 255.255.255.252
isis enable 1
#
interface Vlan-interface20
ip address 192.168.2.254 255.255.255.0
isis enable 1
#
interface HundredGigE1/1/1
port link-type trunk
port trunk permit vlan 1 12
#
interface HundredGigE1/1/2
port access vlan 10
qos apply policy GBP1 inbound
#
interface HundredGigE1/1/3
port access vlan 20
qos apply policy GBP1 inbound
#
acl advanced name EPG1-EPG2
rule 0 permit ip source microsegment 1 destination microsegment 2
#
acl advanced name EPG1-EPG3
rule 0 permit ip source microsegment 1 destination microsegment 3
#
· Device B
#
sysname DeviceB
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0000.0000.0002.00
#
address-family ipv4 unicast
#
vlan 12
#
vlan 23
#
interface Vlan-interface12
ip address 12.0.0.1 255.255.255.252
isis enable 1
#
interface Vlan-interface23
ip address 23.0.0.2 255.255.255.252
isis enable 1
#
interface HundredGigE1/1/1
port link-type trunk
port trunk permit vlan 1 12
#
interface HundredGigE1/1/2
port link-type trunk
port trunk permit vlan 1 23
#
· Device C
#
sysname DeviceC
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0000.0000.0003.00
#
address-family ipv4 unicast
#
vlan 23
#
vlan 30
#
vlan 40
#
microsegment enable
#
microsegment 1 name EPG1
member ipv4 192.168.1.0 255.255.255.0
member ipv4 192.168.2.0 255.255.255.0
#
microsegment 2 name EPG2
member ipv4 192.168.3.0 255.255.255.0
#
microsegment 3 name EPG3
member ipv4 192.168.4.0 255.255.255.0
#
traffic classifier CLASSIFIER-GBP21 operator and
if-match acl name EPG2-EPG1
#
traffic classifier CLASSIFIER-GBP23 operator and
if-match acl name EPG2-EPG3
#
traffic classifier CLASSIFIER-GBP31 operator and
if-match acl name EPG3-EPG1
#
traffic classifier CLASSIFIER-GBP32 operator and
if-match acl name EPG3-EPG2
#
traffic behavior BEHAVIOR-GBP21
accounting packet
filter deny
#
traffic behavior BEHAVIOR-GBP23
accounting packet
filter permit
#
traffic behavior BEHAVIOR-GBP31
accounting packet
filter permit
#
traffic behavior BEHAVIOR-GBP32
accounting packet
filter permit
#
qos policy GBP2
classifier CLASSIFIER-GBP23 behavior BEHAVIOR-GBP23
classifier CLASSIFIER-GBP21 behavior BEHAVIOR-GBP21
#
qos policy GBP3
classifier CLASSIFIER-GBP31 behavior BEHAVIOR-GBP31
classifier CLASSIFIER-GBP32 behavior BEHAVIOR-GBP32
#
interface Vlan-interface23
ip address 23.0.0.1 255.255.255.252
isis enable 1
#
interface Vlan-interface30
ip address 192.168.3.254 255.255.255.0
isis enable 1
#
interface Vlan-interface40
ip address 192.168.4.254 255.255.255.0
isis enable 1
#
interface HundredGigE1/1/1
port link-type trunk
port trunk permit vlan 1 23
#
interface HundredGigE1/1/2
port access vlan 30
qos apply policy GBP2 inbound
#
interface HundredGigE1/1/3
port access vlan 40
qos apply policy GBP3 inbound
#
acl advanced name EPG2-EPG1
rule 0 permit ip source microsegment 2 destination microsegment 1
#
acl advanced name EPG2-EPG3
rule 0 permit ip source microsegment 2 destination microsegment 3
#
acl advanced name EPG3-EPG1
rule 0 permit ip source microsegment 3 destination microsegment 1
#
acl advanced name EPG3-EPG2
rule 0 permit ip source microsegment 3 destination microsegment 2
#
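The policy in this example is easy to misread: the permit keyword in the ACL rules only selects the traffic, the traffic behavior decides what happens to it, and traffic that matches no class in a QoS policy is forwarded. The following Python script is an added example, not code from the H3C guide. It parses a constructed excerpt of the Device C configuration file above (the GBP2 half, without the accounting and VLAN lines) and reports the effective action for a flow entering a given port. The first-match ordering of class/behavior pairs, the default permit for unmatched traffic and for ports without an inbound policy, and the treatment of an address that belongs to no microsegment are assumptions.

```python
"""Offline check of a microsegment (group-based) filter policy.

Added example, not code from the H3C guide. Parses a constructed excerpt
(the GBP2 half of the Device C configuration file above, without the
accounting and VLAN lines) and reports whether a flow entering a port is
permitted. Assumptions not stated on the page: class/behavior pairs in a
QoS policy are tried in configuration order and the first match decides;
traffic matching no class, or entering a port with no inbound policy, is
forwarded; an address inside two microsegments is a configuration error.
"""
import ipaddress
import re
from collections import defaultdict

DEVICE_C_EXCERPT = """\
microsegment 1 name EPG1
 member ipv4 192.168.1.0 255.255.255.0
 member ipv4 192.168.2.0 255.255.255.0
microsegment 2 name EPG2
 member ipv4 192.168.3.0 255.255.255.0
microsegment 3 name EPG3
 member ipv4 192.168.4.0 255.255.255.0
#
traffic classifier CLASSIFIER-GBP21 operator and
 if-match acl name EPG2-EPG1
traffic classifier CLASSIFIER-GBP23 operator and
 if-match acl name EPG2-EPG3
traffic behavior BEHAVIOR-GBP21
 filter deny
traffic behavior BEHAVIOR-GBP23
 filter permit
qos policy GBP2
 classifier CLASSIFIER-GBP23 behavior BEHAVIOR-GBP23
 classifier CLASSIFIER-GBP21 behavior BEHAVIOR-GBP21
interface HundredGigE1/1/2
 qos apply policy GBP2 inbound
acl advanced name EPG2-EPG1
 rule 0 permit ip source microsegment 2 destination microsegment 1
acl advanced name EPG2-EPG3
 rule 0 permit ip source microsegment 2 destination microsegment 3
"""

VIEW = re.compile(r"^(microsegment|traffic classifier|traffic behavior|qos policy|interface|acl advanced name) (\S+)")
CHILD = {  # the one child command recognised under each view
    "microsegment": re.compile(r"^ member ipv4 (\S+) (\S+)"),
    "traffic classifier": re.compile(r"^ if-match acl name (\S+)"),
    "traffic behavior": re.compile(r"^ filter (permit|deny)"),
    "qos policy": re.compile(r"^ classifier (\S+) behavior (\S+)"),
    "interface": re.compile(r"^ qos apply policy (\S+) inbound"),
    "acl advanced name": re.compile(r"^ rule \d+ (permit|deny) ip source microsegment (\d+) destination microsegment (\d+)"),
}

def parse(text):
    """Build lookup tables from the excerpt; '#' separators and unknown lines are ignored."""
    cfg = {k: defaultdict(list) for k in ("segments", "acls", "policies")}
    cfg.update(classifiers={}, behaviors={}, inbound={})
    view = None
    for line in text.splitlines():
        if v := VIEW.match(line):
            view = v[1], v[2]
            continue
        if view is None or not (m := CHILD[view[0]].match(line)):
            continue
        kind, name = view
        if kind == "microsegment":
            cfg["segments"][int(name)].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif kind == "traffic classifier":
            cfg["classifiers"][name] = m[1]
        elif kind == "traffic behavior":
            cfg["behaviors"][name] = m[1]
        elif kind == "qos policy":
            cfg["policies"][name].append((m[1], m[2]))
        elif kind == "interface":
            cfg["inbound"][name] = m[1]
        else:  # acl advanced name: (action, source segment, destination segment)
            cfg["acls"][name].append((m[1], int(m[2]), int(m[3])))
    return cfg

def segment_of(cfg, ip):
    """Microsegment ID whose member prefixes contain ip, or None when it is in no segment."""
    addr = ipaddress.ip_address(ip)
    hits = [sid for sid, nets in cfg["segments"].items() if any(addr in n for n in nets)]
    if len(hits) > 1:
        raise ValueError(f"{ip} is a member of several microsegments: {hits}")
    return hits[0] if hits else None

def decide(cfg, ingress, src, dst):
    """'permit' or 'deny' for an IP flow from src to dst entering the port `ingress`."""
    policy = cfg["inbound"].get(ingress)
    if policy is None:
        return "permit"  # no inbound QoS policy on this port
    pair = (segment_of(cfg, src), segment_of(cfg, dst))
    for cls, beh in cfg["policies"][policy]:
        rules = cfg["acls"][cfg["classifiers"][cls]]
        # the class matches when the first ACL rule covering this segment pair is a permit rule
        if next((act for act, s, d in rules if (s, d) == pair), None) == "permit":
            return cfg["behaviors"][beh]  # first matching class decides
    return "permit"  # unmatched traffic is forwarded

def group_matrix(cfg, ingress):
    """Effective (source segment, destination segment) -> action table for one ingress port."""
    probes = {sid: str(nets[0][1]) for sid, nets in cfg["segments"].items()}  # one host per segment
    return {(s, d): decide(cfg, ingress, probes[s], probes[d]) for s in probes for d in probes if s != d}
```

`decide(parse(DEVICE_C_EXCERPT), "HundredGigE1/1/2", "192.168.3.1", "192.168.1.1")` returns `deny` (EPG2 to EPG1), while the same source toward 10.9.9.9, an address that is in no microsegment, returns `permit`: the policy only constrains traffic between the groups it names, and `group_matrix` shows that table for a port at a glance.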
Example: Configuring microsegmentation in an EVPN network
Network configuration
As shown in Figure 5, configure microsegmentation to meet the following requirements:
· Host A and Host B can access the file server.
· Host A cannot access the general server. Host B can access the general server.
Table 2 Interface label and interface name mappings

| Interface label | Interface name |
|---|---|
| Interface2 | HundredGigE1/1/2 |
| Interface3 | HundredGigE1/1/3 |
Analysis
1. Add Host A to microsegment 1, Host B to microsegment 2, and the general server to microsegment 3.
2. Configure ACLs that match traffic by source and destination microsegment, and apply them through QoS policies (traffic classes and traffic behaviors) so that microsegment 1 and microsegment 2 can communicate, microsegment 2 and microsegment 3 can communicate, and microsegment 1 and microsegment 3 cannot. In this example the policies are applied only inbound on the host-facing ports of Device A, so traffic initiated by the general server toward the hosts is not filtered.
3. Deploy Device A and Device C as distributed EVPN gateways. Add Host A to VXLAN 10 (VSI vpna), Host B and the file server to VXLAN 20 (VSI vpnb), and the general server to VXLAN 30 (VSI vpnc). Devices within the same VXLAN communicate at Layer 2, and devices in different VXLANs communicate at Layer 3 through the distributed EVPN gateways.
4. Configure microsegment 1 and microsegment 2 on Device A, and configure microsegment 3 on Device C. The devices synchronize member information of these microsegments to each other through BGP EVPN routes.
Restrictions and guidelines
Make sure the mask length of the source and destination addresses in the configuration matches the address mask length of the microsegment members. Otherwise, the microsegment members specified in the ACL rules may fail to match the packets.
Configuring Device A
1. Configure interfaces and network connectivity.
# Create VLANs and specify the IP addresses for the VLAN interfaces.
<Sysname> system-view
[Sysname] sysname DeviceA
[DeviceA] vlan 10
[DeviceA-vlan10] port hundredgige 1/1/2
[DeviceA-vlan10] quit
[DeviceA] interface hundredgige 1/1/2
[DeviceA-HundredGigE1/1/2] undo shutdown
[DeviceA-HundredGigE1/1/2] quit
[DeviceA] vlan 20
[DeviceA-vlan20] port hundredgige 1/1/3
[DeviceA-vlan20] quit
[DeviceA] interface hundredgige 1/1/3
[DeviceA-HundredGigE1/1/3] undo shutdown
[DeviceA-HundredGigE1/1/3] quit
[DeviceA] vlan 12
[DeviceA-vlan12] quit
[DeviceA] interface vlan-interface 12
[DeviceA-Vlan-interface12] ip address 12.0.0.2 30
[DeviceA-Vlan-interface12] undo shutdown
[DeviceA-Vlan-interface12] quit
[DeviceA] interface hundredgige 1/1/1
[DeviceA-HundredGigE1/1/1] undo shutdown
[DeviceA-HundredGigE1/1/1] port link-type trunk
[DeviceA-HundredGigE1/1/1] port trunk permit vlan 12
[DeviceA-HundredGigE1/1/1] quit
# Configure IS-IS to enable route connectivity in the network.
[DeviceA] isis 1
[DeviceA-isis-1] cost-style wide
[DeviceA-isis-1] network-entity 00.0000.0000.0001.00
[DeviceA-isis-1] is-level level-2
[DeviceA-isis-1] address-family ipv4 unicast
[DeviceA-isis-1-ipv4] quit
[DeviceA-isis-1] quit
[DeviceA] interface LoopBack0
[DeviceA-LoopBack0] ip address 1.1.1.1 32
[DeviceA-LoopBack0] isis enable 1
[DeviceA-LoopBack0] quit
[DeviceA] interface vlan-interface 12
[DeviceA-Vlan-interface12] isis enable 1
[DeviceA-Vlan-interface12] quit
# Enable L2VPN.
[DeviceA] l2vpn enable
# Disable remote-MAC address learning and disable remote ARP learning.
[DeviceA] vxlan tunnel mac-learning disable
[DeviceA] vxlan tunnel arp-learning disable
# Create an EVPN instance under VSI vpna, and configure the router to automatically generate an RD and a route target for the EVPN instance.
[DeviceA] vsi vpna
[DeviceA-vsi-vpna] evpn encapsulation vxlan
[DeviceA-vsi-vpna-evpn-vxlan] route-distinguisher auto
[DeviceA-vsi-vpna-evpn-vxlan] vpn-target auto
[DeviceA-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[DeviceA-vsi-vpna] vxlan 10
[DeviceA-vsi-vpna-vxlan-10] quit
[DeviceA-vsi-vpna] quit
# Create an EVPN instance under VSI vpnb, and configure the router to automatically generate an RD and a route target for the EVPN instance.
[DeviceA] vsi vpnb
[DeviceA-vsi-vpnb] evpn encapsulation vxlan
[DeviceA-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[DeviceA-vsi-vpnb-evpn-vxlan] vpn-target auto
[DeviceA-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[DeviceA-vsi-vpnb] vxlan 20
[DeviceA-vsi-vpnb-vxlan-20] quit
[DeviceA-vsi-vpnb] quit
# Create an EVPN instance under VSI vpnc, and configure the router to automatically generate an RD and a route target for the EVPN instance.
[DeviceA] vsi vpnc
[DeviceA-vsi-vpnc] evpn encapsulation vxlan
[DeviceA-vsi-vpnc-evpn-vxlan] route-distinguisher auto
[DeviceA-vsi-vpnc-evpn-vxlan] vpn-target auto
[DeviceA-vsi-vpnc-evpn-vxlan] quit
# Create VXLAN 30.
[DeviceA-vsi-vpnc] vxlan 30
[DeviceA-vsi-vpnc-vxlan-30] quit
[DeviceA-vsi-vpnc] quit
# Configure BGP to advertise BGP EVPN routes.
[DeviceA] bgp 100
[DeviceA-bgp-default] peer 3.3.3.3 as-number 100
[DeviceA-bgp-default] peer 3.3.3.3 connect-interface loopback 0
[DeviceA-bgp-default] address-family l2vpn evpn
[DeviceA-bgp-default-evpn] peer 3.3.3.3 enable
[DeviceA-bgp-default-evpn] quit
[DeviceA-bgp-default] quit
# On HundredGigE 1/1/2, create Ethernet service instance 1000 to match VLAN 10.
[DeviceA] interface hundredgige 1/1/2
[DeviceA-HundredGigE1/1/2] service-instance 1000
[DeviceA-HundredGigE1/1/2-srv1000] encapsulation s-vid 10
# Map Ethernet service instance 1000 to VSI vpna.
[DeviceA-HundredGigE1/1/2-srv1000] xconnect vsi vpna
[DeviceA-HundredGigE1/1/2-srv1000] quit
# On HundredGigE 1/1/3, create Ethernet service instance 2000 to match VLAN 20.
[DeviceA] interface hundredgige 1/1/3
[DeviceA-HundredGigE1/1/3] service-instance 2000
[DeviceA-HundredGigE1/1/3-srv2000] encapsulation s-vid 20
# Map Ethernet service instance 2000 to VSI vpnb.
[DeviceA-HundredGigE1/1/3-srv2000] xconnect vsi vpnb
[DeviceA-HundredGigE1/1/3-srv2000] quit
[DeviceA-HundredGigE1/1/3] quit
# Configure RD and route target settings for VPN instance l3vpna.
[DeviceA] ip vpn-instance l3vpna
[DeviceA-vpn-instance-l3vpna] route-distinguisher 1:1
[DeviceA-vpn-instance-l3vpna] address-family ipv4
[DeviceA-vpn-ipv4-l3vpna] vpn-target 2:2
[DeviceA-vpn-ipv4-l3vpna] quit
[DeviceA-vpn-instance-l3vpna] address-family evpn
[DeviceA-vpn-evpn-l3vpna] vpn-target 1:1
[DeviceA-vpn-evpn-l3vpna] quit
[DeviceA-vpn-instance-l3vpna] quit
# Configure VSI-interface 1.
[DeviceA] interface vsi-interface 1
[DeviceA-Vsi-interface1] ip binding vpn-instance l3vpna
[DeviceA-Vsi-interface1] ip address 192.168.1.254 24
[DeviceA-Vsi-interface1] mac-address 1-1-1
[DeviceA-Vsi-interface1] distributed-gateway local
[DeviceA-Vsi-interface1] local-proxy-arp enable
[DeviceA-Vsi-interface1] quit
# Configure VSI-interface 2.
[DeviceA] interface vsi-interface 2
[DeviceA-Vsi-interface2] ip binding vpn-instance l3vpna
[DeviceA-Vsi-interface2] ip address 192.168.2.254 24
[DeviceA-Vsi-interface2] mac-address 2-2-2
[DeviceA-Vsi-interface2] distributed-gateway local
[DeviceA-Vsi-interface2] local-proxy-arp enable
[DeviceA-Vsi-interface2] quit
# Configure VSI-interface 3.
[DeviceA] interface vsi-interface 3
[DeviceA-Vsi-interface3] ip binding vpn-instance l3vpna
[DeviceA-Vsi-interface3] ip address 192.168.3.254 24
[DeviceA-Vsi-interface3] mac-address 3-3-3
[DeviceA-Vsi-interface3] distributed-gateway local
[DeviceA-Vsi-interface3] local-proxy-arp enable
[DeviceA-Vsi-interface3] quit
# Configure VSI-interface 4, associate VSI-interface 4 with VPN instance l3vpna, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[DeviceA] interface vsi-interface 4
[DeviceA-Vsi-interface4] ip binding vpn-instance l3vpna
[DeviceA-Vsi-interface4] l3-vni 1000
[DeviceA-Vsi-interface4] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[DeviceA] vsi vpna
[DeviceA-vsi-vpna] gateway vsi-interface 1
[DeviceA-vsi-vpna] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[DeviceA] vsi vpnb
[DeviceA-vsi-vpnb] gateway vsi-interface 2
[DeviceA-vsi-vpnb] quit
# Specify VSI-interface 3 as the gateway interface for VSI vpnc.
[DeviceA] vsi vpnc
[DeviceA-vsi-vpnc] gateway vsi-interface 3
[DeviceA-vsi-vpnc] quit
2. Configure microsegments:
# Create microsegment 1, and add the IP address of Host A as its member.
[DeviceA] microsegment 1 name EPG1
[DeviceA-microsegment-1] member ipv4 192.168.1.1 24 vpn-instance l3vpna
[DeviceA-microsegment-1] quit
# Create microsegment 2, and add the IP address of Host B as its member.
[DeviceA] microsegment 2 name EPG2
[DeviceA-microsegment-2] member ipv4 192.168.2.1 24 vpn-instance l3vpna
[DeviceA-microsegment-2] quit
# Enable microsegmentation.
[DeviceA] microsegment enable
3. Configure ACLs:
# Create an IPv4 advanced ACL named EPG1-EPG3, and configure a rule to match the IP packets from microsegment 1 to microsegment 3.
[DeviceA] acl advanced name EPG1-EPG3
[DeviceA-acl-ipv4-adv-EPG1-EPG3] rule 0 permit ip source microsegment 1 destination microsegment 3
[DeviceA-acl-ipv4-adv-EPG1-EPG3] quit
# Create an IPv4 advanced ACL named EPG1-EPG2, and configure a rule to match the IP packets from microsegment 1 to microsegment 2.
[DeviceA] acl advanced name EPG1-EPG2
[DeviceA-acl-ipv4-adv-EPG1-EPG2] rule 0 permit ip source microsegment 1 destination microsegment 2
[DeviceA-acl-ipv4-adv-EPG1-EPG2] quit
# Create an IPv4 advanced ACL named EPG2-EPG3, and configure a rule to match the IP packets from microsegment 2 to microsegment 3.
[DeviceA] acl advanced name EPG2-EPG3
[DeviceA-acl-ipv4-adv-EPG2-EPG3] rule 0 permit ip source microsegment 2 destination microsegment 3
[DeviceA-acl-ipv4-adv-EPG2-EPG3] quit
# Create a traffic class named CLASSIFIER-GBP13, and use ACL EPG1-EPG3 as the match criterion.
[DeviceA] traffic classifier CLASSIFIER-GBP13
[DeviceA-classifier-CLASSIFIER-GBP13] if-match acl name EPG1-EPG3
[DeviceA-classifier-CLASSIFIER-GBP13] quit
# Create a traffic behavior named BEHAVIOR-GBP13, configure a deny action, and configure packet statistics collection.
[DeviceA] traffic behavior BEHAVIOR-GBP13
[DeviceA-behavior-BEHAVIOR-GBP13] filter deny
[DeviceA-behavior-BEHAVIOR-GBP13] accounting packet
[DeviceA-behavior-BEHAVIOR-GBP13] quit
# Create a traffic class named CLASSIFIER-GBP12, and use ACL EPG1-EPG2 as the match criterion.
[DeviceA] traffic classifier CLASSIFIER-GBP12
[DeviceA-classifier-CLASSIFIER-GBP12] if-match acl name EPG1-EPG2
[DeviceA-classifier-CLASSIFIER-GBP12] quit
# Create a traffic behavior named BEHAVIOR-GBP12, configure a permit action, and configure packet statistics collection.
[DeviceA] traffic behavior BEHAVIOR-GBP12
[DeviceA-behavior-BEHAVIOR-GBP12] filter permit
[DeviceA-behavior-BEHAVIOR-GBP12] accounting packet
[DeviceA-behavior-BEHAVIOR-GBP12] quit
# Create a traffic class named CLASSIFIER-GBP23, and use ACL EPG2-EPG3 as the match criterion.
[DeviceA] traffic classifier CLASSIFIER-GBP23
[DeviceA-classifier-CLASSIFIER-GBP23] if-match acl name EPG2-EPG3
[DeviceA-classifier-CLASSIFIER-GBP23] quit
# Create a traffic behavior named BEHAVIOR-GBP23, configure a permit action, and configure packet statistics collection.
[DeviceA] traffic behavior BEHAVIOR-GBP23
[DeviceA-behavior-BEHAVIOR-GBP23] filter permit
[DeviceA-behavior-BEHAVIOR-GBP23] accounting packet
[DeviceA-behavior-BEHAVIOR-GBP23] quit
# Create a QoS policy named GBP1, associate traffic class CLASSIFIER-GBP13 and traffic behavior BEHAVIOR-GBP13, and associate traffic class CLASSIFIER-GBP12 and traffic behavior BEHAVIOR-GBP12 in the QoS policy.
[DeviceA] qos policy GBP1
[DeviceA-qospolicy-GBP1] classifier CLASSIFIER-GBP13 behavior BEHAVIOR-GBP13
[DeviceA-qospolicy-GBP1] classifier CLASSIFIER-GBP12 behavior BEHAVIOR-GBP12
[DeviceA-qospolicy-GBP1] quit
# Create a QoS policy named GBP2, and associate traffic class CLASSIFIER-GBP23 and traffic behavior BEHAVIOR-GBP23 in the QoS policy.
[DeviceA] qos policy GBP2
[DeviceA-qospolicy-GBP2] classifier CLASSIFIER-GBP23 behavior BEHAVIOR-GBP23
[DeviceA-qospolicy-GBP2] quit
# Apply QoS policy GBP1 to the inbound direction of HundredGigE 1/1/2.
[DeviceA] interface hundredgige 1/1/2
[DeviceA-HundredGigE1/1/2] qos apply policy GBP1 inbound
[DeviceA-HundredGigE1/1/2] quit
# Apply QoS policy GBP2 to the inbound direction of HundredGigE 1/1/3.
[DeviceA] interface hundredgige 1/1/3
[DeviceA-HundredGigE1/1/3] qos apply policy GBP2 inbound
[DeviceA-HundredGigE1/1/3] quit
Configuring Device B
# Create VLANs and specify the IP addresses for the VLAN interfaces.
<Sysname> system-view
[Sysname] sysname DeviceB
[DeviceB] vlan 12
[DeviceB-vlan12] quit
[DeviceB] interface vlan-interface 12
[DeviceB-Vlan-interface12] ip address 12.0.0.1 30
[DeviceB-Vlan-interface12] undo shutdown
[DeviceB-Vlan-interface12] quit
[DeviceB] interface hundredgige 1/1/1
[DeviceB-HundredGigE1/1/1] undo shutdown
[DeviceB-HundredGigE1/1/1] port link-type trunk
[DeviceB-HundredGigE1/1/1] port trunk permit vlan 12
[DeviceB-HundredGigE1/1/1] quit
[DeviceB] vlan 23
[DeviceB-vlan23] quit
[DeviceB] interface vlan-interface 23
[DeviceB-Vlan-interface23] ip address 23.0.0.2 30
[DeviceB-Vlan-interface23] undo shutdown
[DeviceB-Vlan-interface23] quit
[DeviceB] interface hundredgige 1/1/2
[DeviceB-HundredGigE1/1/2] undo shutdown
[DeviceB-HundredGigE1/1/2] port link-type trunk
[DeviceB-HundredGigE1/1/2] port trunk permit vlan 23
[DeviceB-HundredGigE1/1/2] quit
# Configure IS-IS to enable route connectivity in the network.
[DeviceB] isis 1
[DeviceB-isis-1] cost-style wide
[DeviceB-isis-1] network-entity 00.0000.0000.0002.00
[DeviceB-isis-1] is-level level-2
[DeviceB-isis-1] address-family ipv4 unicast
[DeviceB-isis-1-ipv4] quit
[DeviceB-isis-1] quit
[DeviceB] interface vlan-interface 12
[DeviceB-Vlan-interface12] isis enable 1
[DeviceB-Vlan-interface12] quit
[DeviceB] interface vlan-interface 23
[DeviceB-Vlan-interface23] isis enable 1
[DeviceB-Vlan-interface23] quit
[DeviceB] interface LoopBack0
[DeviceB-LoopBack0] ip address 2.2.2.2 32
[DeviceB-LoopBack0] isis enable 1
[DeviceB-LoopBack0] quit
Configuring Device C
# Create VLANs and specify the IP addresses for the VLAN interfaces.
<Sysname> system-view
[Sysname] sysname DeviceC
[DeviceC] vlan 30
[DeviceC-vlan30] port hundredgige 1/1/2
[DeviceC-vlan30] quit
[DeviceC] interface hundredgige 1/1/2
[DeviceC-HundredGigE1/1/2] undo shutdown
[DeviceC-HundredGigE1/1/2] quit
[DeviceC] vlan 23
[DeviceC-vlan23] quit
[DeviceC] interface vlan-interface 23
[DeviceC-Vlan-interface23] ip address 23.0.0.1 30
[DeviceC-Vlan-interface23] undo shutdown
[DeviceC-Vlan-interface23] quit
[DeviceC] interface hundredgige 1/1/1
[DeviceC-HundredGigE1/1/1] undo shutdown
[DeviceC-HundredGigE1/1/1] port link-type trunk
[DeviceC-HundredGigE1/1/1] port trunk permit vlan 23
[DeviceC-HundredGigE1/1/1] quit
# Configure IS-IS to enable route connectivity in the network.
[DeviceC] isis 1
[DeviceC-isis-1] cost-style wide
[DeviceC-isis-1] network-entity 00.0000.0000.0003.00
[DeviceC-isis-1] is-level level-2
[DeviceC-isis-1] address-family ipv4 unicast
[DeviceC-isis-1-ipv4] quit
[DeviceC-isis-1] quit
[DeviceC] interface vlan-interface 23
[DeviceC-Vlan-interface23] isis enable 1
[DeviceC-Vlan-interface23] quit
[DeviceC] interface LoopBack0
[DeviceC-LoopBack0] ip address 3.3.3.3 32
[DeviceC-LoopBack0] isis enable 1
[DeviceC-LoopBack0] quit
# Enable L2VPN.
[DeviceC] l2vpn enable
# Disable remote-MAC address learning and disable remote ARP learning.
[DeviceC] vxlan tunnel mac-learning disable
[DeviceC] vxlan tunnel arp-learning disable
# Create an EVPN instance under VSI vpna, and configure the router to automatically generate an RD and a route target for the EVPN instance.
[DeviceC] vsi vpna
[DeviceC-vsi-vpna] evpn encapsulation vxlan
[DeviceC-vsi-vpna-evpn-vxlan] route-distinguisher auto
[DeviceC-vsi-vpna-evpn-vxlan] vpn-target auto
[DeviceC-vsi-vpna-evpn-vxlan] quit
# Create VXLAN 10.
[DeviceC-vsi-vpna] vxlan 10
[DeviceC-vsi-vpna-vxlan-10] quit
[DeviceC-vsi-vpna] quit
# Create an EVPN instance under VSI vpnb, and configure the router to automatically generate an RD and a route target for the EVPN instance.
[DeviceC] vsi vpnb
[DeviceC-vsi-vpnb] evpn encapsulation vxlan
[DeviceC-vsi-vpnb-evpn-vxlan] route-distinguisher auto
[DeviceC-vsi-vpnb-evpn-vxlan] vpn-target auto
[DeviceC-vsi-vpnb-evpn-vxlan] quit
# Create VXLAN 20.
[DeviceC-vsi-vpnb] vxlan 20
[DeviceC-vsi-vpnb-vxlan-20] quit
[DeviceC-vsi-vpnb] quit
# Create an EVPN instance under VSI vpnc, and configure the router to automatically generate an RD and a route target for the EVPN instance.
[DeviceC] vsi vpnc
[DeviceC-vsi-vpnc] evpn encapsulation vxlan
[DeviceC-vsi-vpnc-evpn-vxlan] route-distinguisher auto
[DeviceC-vsi-vpnc-evpn-vxlan] vpn-target auto
[DeviceC-vsi-vpnc-evpn-vxlan] quit
# Create VXLAN 30.
[DeviceC-vsi-vpnc] vxlan 30
[DeviceC-vsi-vpnc-vxlan-30] quit
[DeviceC-vsi-vpnc] quit
# Configure BGP to advertise BGP EVPN routes.
[DeviceC] bgp 100
[DeviceC-bgp-default] peer 1.1.1.1 as-number 100
[DeviceC-bgp-default] peer 1.1.1.1 connect-interface loopback 0
[DeviceC-bgp-default] address-family l2vpn evpn
[DeviceC-bgp-default-evpn] peer 1.1.1.1 enable
[DeviceC-bgp-default-evpn] quit
[DeviceC-bgp-default] quit
# On HundredGigE 1/1/2, create Ethernet service instance 1000 to match VLAN 30.
[DeviceC] interface hundredgige 1/1/2
[DeviceC-HundredGigE1/1/2] service-instance 1000
[DeviceC-HundredGigE1/1/2-srv1000] encapsulation s-vid 30
# Map Ethernet service instance 1000 to VSI vpnc, whose gateway VSI-interface 3 (192.168.3.254) serves the general server's subnet.
[DeviceC-HundredGigE1/1/2-srv1000] xconnect vsi vpnc
[DeviceC-HundredGigE1/1/2-srv1000] quit
# Configure RD and route target settings for VPN instance l3vpna.
[DeviceC] ip vpn-instance l3vpna
[DeviceC-vpn-instance-l3vpna] route-distinguisher 1:1
[DeviceC-vpn-instance-l3vpna] address-family ipv4
[DeviceC-vpn-ipv4-l3vpna] vpn-target 2:2
[DeviceC-vpn-ipv4-l3vpna] quit
[DeviceC-vpn-instance-l3vpna] address-family evpn
[DeviceC-vpn-evpn-l3vpna] vpn-target 1:1
[DeviceC-vpn-evpn-l3vpna] quit
[DeviceC-vpn-instance-l3vpna] quit
# Configure VSI-interface 1.
[DeviceC] interface vsi-interface 1
[DeviceC-Vsi-interface1] ip binding vpn-instance l3vpna
[DeviceC-Vsi-interface1] ip address 192.168.1.254 24
[DeviceC-Vsi-interface1] mac-address 1-1-1
[DeviceC-Vsi-interface1] distributed-gateway local
[DeviceC-Vsi-interface1] local-proxy-arp enable
[DeviceC-Vsi-interface1] quit
# Configure VSI-interface 2.
[DeviceC] interface vsi-interface 2
[DeviceC-Vsi-interface2] ip binding vpn-instance l3vpna
[DeviceC-Vsi-interface2] ip address 192.168.2.254 24
[DeviceC-Vsi-interface2] mac-address 2-2-2
[DeviceC-Vsi-interface2] distributed-gateway local
[DeviceC-Vsi-interface2] local-proxy-arp enable
[DeviceC-Vsi-interface2] quit
# Configure VSI-interface 3.
[DeviceC] interface vsi-interface 3
[DeviceC-Vsi-interface3] ip binding vpn-instance l3vpna
[DeviceC-Vsi-interface3] ip address 192.168.3.254 24
[DeviceC-Vsi-interface3] mac-address 3-3-3
[DeviceC-Vsi-interface3] distributed-gateway local
[DeviceC-Vsi-interface3] local-proxy-arp enable
[DeviceC-Vsi-interface3] quit
# Configure VSI-interface 4, associate VSI-interface 4 with VPN instance l3vpna, and configure the L3 VXLAN ID as 1000 for the VPN instance.
[DeviceC] interface vsi-interface 4
[DeviceC-Vsi-interface4] ip binding vpn-instance l3vpna
[DeviceC-Vsi-interface4] l3-vni 1000
[DeviceC-Vsi-interface4] quit
# Specify VSI-interface 1 as the gateway interface for VSI vpna.
[DeviceC] vsi vpna
[DeviceC-vsi-vpna] gateway vsi-interface 1
[DeviceC-vsi-vpna] quit
# Specify VSI-interface 2 as the gateway interface for VSI vpnb.
[DeviceC] vsi vpnb
[DeviceC-vsi-vpnb] gateway vsi-interface 2
[DeviceC-vsi-vpnb] quit
# Specify VSI-interface 3 as the gateway interface for VSI vpnc.
[DeviceC] vsi vpnc
[DeviceC-vsi-vpnc] gateway vsi-interface 3
[DeviceC-vsi-vpnc] quit
# Create microsegment 3, and add the IP address of the general server as its member.
[DeviceC] microsegment 3 name EPG3
[DeviceC-microsegment-3] member ipv4 192.168.3.1 24 vpn-instance l3vpna
[DeviceC-microsegment-3] quit
# Enable microsegmentation.
[DeviceC] microsegment enable
Verifying the configuration
# On Device C, execute the display bgp l2vpn evpn command to display detailed EVPN route information. Check the MAC/IP advertisement route for IP address 192.168.1.1 (Host A), and verify that its Ext-Community attribute carries a MicroSegment-id extended community. This indicates that Device C has learned Host A's microsegment membership from Device A through BGP EVPN.
[DeviceC] display bgp l2vpn evpn [2][0][48][6e7f-a8c5-0407][32][192.168.1.1]/136
BGP local router ID: 3.3.3.3
Local AS number: 100
Route distinguisher: 1:2(l3vpna)
Total number of routes: 1
Paths: 1 available, 1 best
BGP routing table information of [2][0][48][6e7f-a8c5-0407][32][192.168.1.1]/136:
From : 1.1.1.1 (1.1.1.1)
Rely nexthop : 23.0.0.2
Original nexthop: 1.1.1.1
Route age : 00h02m32s
OutLabel : NULL
Ext-Community : <RT: 1:1>, <RT: 100:10>, <Encapsulation Type: VXLAN>, <Router's MAC: 6e7f-9995-0100>, <MicroSegment-id: Type 0x83ff, ID 1>
RxPathID : 0x0
TxPathID : 0x0
AS-path : (null)
Origin : igp
Attribute value : MED 0, localpref 100, pref-val 0
State : valid, internal, best, remoteredist
IP precedence : N/A
QoS local ID : N/A
Traffic index : N/A
EVPN route type : MAC/IP advertisement route
ESI : 0000.0000.0000.0000.0000
Ethernet tag ID : 0
MAC address : 6e7f-a8c5-0407
IP address : 192.168.1.1/32
MPLS label1 : 10
MPLS label2 : 1000
Tunnel policy : NULL
Rely tunnel IDs : N/A
…
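The Ext-Community line is where the group information crosses the fabric: Device C classifies 192.168.1.1 into microsegment 1 only because Device A advertised that tag with the route. The following Python script is an added example, not code from the H3C guide. It parses the route block above (embedded as constructed input, including the console line wrap inside Ext-Community that the display produced) and compares the advertised MicroSegment-id and L2 VNI with what the local configuration expects, so that the check can be scripted rather than read by eye. The field-line heuristic (an uppercase key followed by a colon) and the expected-value dictionary are assumptions.

```python
"""Parse a Comware `display bgp l2vpn evpn <route>` block and audit its MicroSegment-id.

Added example, not code from the H3C guide. ROUTE_OUTPUT is the route block
shown above, reproduced as constructed input including the console line wrap
inside Ext-Community, so the parser has to re-join wrapped lines. Assumption:
every field line in the block starts with an uppercase key followed by a colon,
while wrapped continuations ("r's MAC: ...", "1>") do not.
"""
import re

ROUTE_OUTPUT = """\
BGP routing table information of [2][0][48][6e7f-a8c5-0407][32][192.168.1.1]/136:
From : 1.1.1.1 (1.1.1.1)
Rely nexthop : 23.0.0.2
Original nexthop: 1.1.1.1
Route age : 00h02m32s
OutLabel : NULL
Ext-Community : <RT: 1:1>, <RT: 100:10>, <Encapsulation Type: VXLAN>, <Route
r's MAC: 6e7f-9995-0100>, <MicroSegment-id: Type 0x83ff, ID
1>
RxPathID : 0x0
TxPathID : 0x0
AS-path : (null)
Origin : igp
Attribute value : MED 0, localpref 100, pref-val 0
State : valid, internal, best, remoteredist
EVPN route type : MAC/IP advertisement route
ESI : 0000.0000.0000.0000.0000
Ethernet tag ID : 0
MAC address : 6e7f-a8c5-0407
IP address : 192.168.1.1/32
MPLS label1 : 10
MPLS label2 : 1000
Tunnel policy : NULL
Rely tunnel IDs : N/A
"""

FIELD = re.compile(r"^([A-Z][\w /-]*?)\s*:\s*(.*)$")   # "Key : value" lines of the route block
COMMUNITY = re.compile(r"<([^<>]+)>")                  # one <...> item of Ext-Community
MICROSEG = re.compile(r"Type (0x[0-9a-fA-F]+),\s*ID\s*(\d+)")

def parse_route_block(text):
    """Return {field: value}; a line that does not look like a field continues the previous one."""
    fields, last = {}, None
    for line in text.splitlines():
        if m := FIELD.match(line):
            last = m[1].strip()
            fields[last] = m[2].strip()
        elif last:
            fields[last] += line.strip()  # the console wrapped mid-token, so join without a space
    return fields

def parse_communities(ext):
    """Split '<RT: 1:1>, <MicroSegment-id: ...>' into (kind, value) pairs; RT may repeat."""
    pairs = []
    for item in COMMUNITY.findall(ext):
        kind, _, value = item.partition(": ")
        pairs.append((kind.strip(), value.strip()))
    return pairs

def microsegment_of_route(fields):
    """(type, id) from the MicroSegment-id community, or None when the route carries no group tag."""
    for kind, value in parse_communities(fields.get("Ext-Community", "")):
        if kind == "MicroSegment-id" and (m := MICROSEG.search(value)):
            return int(m[1], 16), int(m[2])
    return None

def audit_route(text, expected_segments, expected_l2_vni=None):
    """Compare what the peer advertised with what this site expects; returns a list of findings."""
    fields = parse_route_block(text)
    if fields.get("EVPN route type") != "MAC/IP advertisement route":
        return ["not a MAC/IP advertisement route"]
    ip = fields["IP address"].split("/")[0]
    findings = []
    tag = microsegment_of_route(fields)
    want = expected_segments.get(ip)
    if tag is None:
        findings.append(f"{ip}: route carries no MicroSegment-id, so the peer cannot place it in a group")
    elif want is not None and tag[1] != want:
        findings.append(f"{ip}: advertised as microsegment {tag[1]}, expected {want}")
    if expected_l2_vni is not None and fields.get("MPLS label1") != str(expected_l2_vni):
        findings.append(f"{ip}: L2 VNI {fields.get('MPLS label1')} differs from expected {expected_l2_vni}")
    return findings
```

`audit_route(ROUTE_OUTPUT, {"192.168.1.1": 1}, 10)` returns an empty list for the route above; feeding it the microsegment membership you intended (not the one you hope the peer sent) turns a visual check into one that fails loudly when a peer advertises an address under the wrong group tag.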
# Verify that Host A cannot ping the general server but Host B can. The following output is from Host A:
C:\> ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Request timed out
Request timed out
Request timed out
Request timed out
Ping statistics for 192.168.3.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
# Display the configuration of each microsegment on Device A.
[DeviceA] display microsegment 1
Microsegment ID : 1
Microsegment name : EPG1
IPv4 member:
192.168.1.1/24
[DeviceA] display microsegment 2
Microsegment ID : 2
Microsegment name : EPG2
IPv4 member:
192.168.2.1/24
[DeviceA] display microsegment 3
Microsegment ID : 3
Microsegment name : EPG3
IPv4 member:
192.168.3.1/24
# Display summary information about microsegments on Device A.
[DeviceA] display microsegment
Microsegment status: Enabled
Total microsegments: 3
Microsegment list :
Microsegment ID Members Microsegment name
1 1 EPG1
2 1 EPG2
3 1 EPG3
# Display the QoS policy configuration and running status on HundredGigE1/1/2 of Device A.
[DeviceA] display qos policy interface HundredGigE1/1/2
Interface: HundredGigE1/1/2
Direction: Inbound
Policy: GBP1
Classifier: CLASSIFIER-GBP13
Rule(s) :
If-match acl name EPG1-EPG3
Behavior: BEHAVIOR-GBP13
Accounting enable:
5 (Packets)
0 (pps)
Filter enable: Deny
Classifier: CLASSIFIER-GBP12
Rule(s) :
If-match acl name EPG1-EPG2
Behavior: BEHAVIOR-GBP12
Accounting enable:
5 (Packets)
0 (pps)
Filter enable: Permit
Configuration files
· Device A
#
sysname DeviceA
#
ip vpn-instance l3vpna
route-distinguisher 1:1
#
address-family ipv4
vpn-target 2:2 import-extcommunity
vpn-target 2:2 export-extcommunity
#
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
vxlan tunnel mac-learning disable
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0000.0000.0001.00
#
address-family ipv4 unicast
#
vlan 10
#
vlan 12
#
vlan 20
#
microsegment enable
#
microsegment 1 name EPG1
member ipv4 192.168.1.0 255.255.255.0 vpn-instance l3vpna
#
microsegment 2 name EPG2
member ipv4 192.168.2.0 255.255.255.0 vpn-instance l3vpna
#
traffic classifier CLASSIFIER-GBP12 operator and
if-match acl name EPG1-EPG2
#
traffic classifier CLASSIFIER-GBP13 operator and
if-match acl name EPG1-EPG3
#
traffic classifier CLASSIFIER-GBP23 operator and
if-match acl name EPG2-EPG3
#
traffic behavior BEHAVIOR-GBP12
accounting packet
filter permit
#
traffic behavior BEHAVIOR-GBP13
accounting packet
filter deny
#
traffic behavior BEHAVIOR-GBP23
accounting packet
filter permit
#
qos policy GBP1
classifier CLASSIFIER-GBP13 behavior BEHAVIOR-GBP13
classifier CLASSIFIER-GBP12 behavior BEHAVIOR-GBP12
#
qos policy GBP2
classifier CLASSIFIER-GBP23 behavior BEHAVIOR-GBP23
#
l2vpn enable
vxlan tunnel arp-learning disable
#
vsi vpna
gateway Vsi-interface 1
vxlan 10
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
vsi vpnb
gateway Vsi-interface 2
vxlan 20
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
vsi vpnc
gateway Vsi-interface 3
vxlan 30
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
interface Vlan-interface12
ip address 12.0.0.2 255.255.255.252
isis enable 1
#
interface HundredGigE1/1/1
port link-type trunk
port trunk permit vlan 1 12
#
interface HundredGigE1/1/2
port access vlan 10
qos apply policy GBP1 inbound
#
service-instance 1000
encapsulation s-vid 10
xconnect vsi vpna
#
interface HundredGigE1/1/3
port access vlan 20
qos apply policy GBP2 inbound
#
service-instance 2000
encapsulation s-vid 20
xconnect vsi vpnb
#
interface Vsi-interface1
ip binding vpn-instance l3vpna
ip address 192.168.1.254 255.255.255.0
mac-address 0001-0001-0001
local-proxy-arp enable
distributed-gateway local
#
interface Vsi-interface2
ip binding vpn-instance l3vpna
ip address 192.168.2.254 255.255.255.0
mac-address 0002-0002-0002
local-proxy-arp enable
distributed-gateway local
#
interface Vsi-interface3
ip binding vpn-instance l3vpna
ip address 192.168.3.254 255.255.255.0
mac-address 0003-0003-0003
local-proxy-arp enable
distributed-gateway local
#
interface Vsi-interface4
ip binding vpn-instance l3vpna
l3-vni 1000
#
bgp 100
router-id 1.1.1.1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
#
address-family l2vpn evpn
peer 3.3.3.3 enable
#
acl advanced name EPG1-EPG2
rule 0 permit ip source microsegment 1 destination microsegment 2
#
acl advanced name EPG1-EPG3
rule 0 permit ip source microsegment 1 destination microsegment 3
#
acl advanced name EPG2-EPG3
rule 0 permit ip source microsegment 2 destination microsegment 3
#
· Device B
#
sysname DeviceB
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0000.0000.0002.00
#
address-family ipv4 unicast
#
vlan 12
#
vlan 23
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
interface Vlan-interface12
ip address 12.0.0.1 255.255.255.252
isis enable 1
#
interface Vlan-interface23
ip address 23.0.0.2 255.255.255.252
isis enable 1
#
interface HundredGigE1/1/1
port link-type trunk
port trunk permit vlan 1 12
#
interface HundredGigE1/1/2
port link-type trunk
port trunk permit vlan 1 23
#
· Device C
#
sysname DeviceC
#
ip vpn-instance l3vpna
route-distinguisher 1:2
#
address-family ipv4
vpn-target 2:2 import-extcommunity
vpn-target 2:2 export-extcommunity
#
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
vxlan tunnel mac-learning disable
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0000.0000.0003.00
#
address-family ipv4 unicast
#
vlan 23
#
vlan 30
#
vlan 40
#
microsegment enable
#
microsegment 3 name EPG3
member ipv4 192.168.3.0 255.255.255.0 vpn-instance l3vpna
#
l2vpn enable
vxlan tunnel arp-learning disable
#
vsi vpna
gateway Vsi-interface 1
vxlan 10
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
vsi vpnb
gateway Vsi-interface 2
vxlan 20
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
vsi vpnc
gateway Vsi-interface 3
vxlan 30
evpn encapsulation vxlan
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
isis enable 1
#
interface Vlan-interface23
ip address 23.0.0.1 255.255.255.252
isis enable 1
#
interface HundredGigE1/1/1
port link-type trunk
port trunk permit vlan 1 23
#
interface HundredGigE1/1/2
port access vlan 30
#
service-instance 1000
encapsulation s-vid 30
xconnect vsi vpnc
#
interface Vsi-interface1
ip binding vpn-instance l3vpna
ip address 192.168.1.254 255.255.255.0
mac-address 0001-0001-0001
local-proxy-arp enable
distributed-gateway local
#
interface Vsi-interface2
ip binding vpn-instance l3vpna
ip address 192.168.2.254 255.255.255.0
mac-address 0002-0002-0002
local-proxy-arp enable
distributed-gateway local
#
interface Vsi-interface3
ip binding vpn-instance l3vpna
ip address 192.168.3.254 255.255.255.0
mac-address 0003-0003-0003
local-proxy-arp enable
distributed-gateway local
#
interface Vsi-interface4
ip binding vpn-instance l3vpna
l3-vni 1000
#
bgp 100
router-id 3.3.3.3
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
#
address-family l2vpn evpn
peer 1.1.1.1 enable
#
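An added audit example, not part of the guide or of the device software: the script below parses a constructed excerpt of the Device A configuration above and follows each ACL through its traffic classifier, traffic behavior and QoS policy, so that the microsegment pairs a device permits or denies can be checked against the intended group policy. The `no-filter` label for a behavior without a `filter` action is an assumption made here for reporting only.

```python
# Added example (not from the guide): follow ACL -> classifier -> behavior -> qos policy
# in an H3C-style configuration to list which microsegment pairs are permitted or denied.
import re

# Constructed excerpt of the Device A configuration file shown on this page.
DEVICE_A = """
acl advanced name EPG1-EPG2
rule 0 permit ip source microsegment 1 destination microsegment 2
#
acl advanced name EPG1-EPG3
rule 0 permit ip source microsegment 1 destination microsegment 3
#
traffic classifier CLASSIFIER-GBP12 operator and
if-match acl name EPG1-EPG2
#
traffic classifier CLASSIFIER-GBP13 operator and
if-match acl name EPG1-EPG3
#
traffic behavior BEHAVIOR-GBP12
accounting packet
filter permit
#
traffic behavior BEHAVIOR-GBP13
accounting packet
filter deny
#
qos policy GBP1
classifier CLASSIFIER-GBP13 behavior BEHAVIOR-GBP13
classifier CLASSIFIER-GBP12 behavior BEHAVIOR-GBP12
#
"""

# ACL name -> (source microsegment, destination microsegment)
ACL = re.compile(r"acl advanced name (\S+)\n\s*rule \d+ permit ip source microsegment (\d+) destination microsegment (\d+)")
CLS = re.compile(r"traffic classifier (\S+) operator \S+\n\s*if-match acl name (\S+)")
# Skip other behavior lines (e.g. accounting) until the filter action; stop at the '#' separator.
BEH = re.compile(r"traffic behavior (\S+)\n(?:[^#\n]*\n)*?\s*filter (permit|deny)")
POL = re.compile(r"qos policy (\S+)\n((?:[^#\n]*\n)*)")
BIND = re.compile(r"classifier (\S+) behavior (\S+)")

def microsegment_policy(text):
    """Return {policy: [(src_id, dst_id, action), ...]} in configuration order."""
    acl = {n: (int(s), int(d)) for n, s, d in ACL.findall(text)}
    cls, beh = dict(CLS.findall(text)), dict(BEH.findall(text))
    result = {}
    for pol, body in POL.findall(text):
        # Classifiers not backed by a microsegment ACL are left out of the matrix.
        result[pol] = [(*acl[cls[c]], beh.get(b, "no-filter"))
                       for c, b in BIND.findall(body) if cls.get(c) in acl]
    return result
```

Running it on the excerpt shows GBP1 denying microsegment 1 to 3 and permitting 1 to 2, which is the intended EPG1/EPG3 segregation.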