单DC分布式网关部署方式的VXLAN二层架构举例

SE_YT 2024-12-30 交换机 6 阅读

适用产品和版本

  • CE16800(除X系列单板外)、CE8800、CE6800(除CE6820H、CE6820H-K、CE6820S、CE6885-LL低时延模式外)系列产品V300R020C00或更高版本。
  • 如果需要了解软件版本与交换机具体型号的配套信息,请查看硬件中心

组网需求

图1所示,二层架构中Spine、Border Leaf、Service Leaf三者融合部署,Server Leaf-Spine/Border Leaf/Service Leaf在物理拓扑上形成两个层次的架构,故属于“二层架构”。

  • Border Leaf层:Border Leaf交换机作为分布式Overlay组网中的出口,南向与Server Leaf之间使用三层路由口互联,形成ECMP IP转发网络;北向与出口路由器PE互联。
  • Server Leaf层:Server Leaf交换机部署M-LAG,北向与Border Leaf设备通过三层路由口互联。
图1 单DC分布式网关部署方式的VXLAN二层架构组网图

规划交换机的两类Loopback地址,建议如下所示。

  • Loopback0:专门作为VTEP IP地址。对于双活设备组,组成员的VTEP IP必须保持一致。
  • Loopback1:
    • 作为Router-ID地址
    • M-LAG的DFS-Group IP地址
    • 建立BGP EVPN对等体时发送BGP报文的源接口
  • Loopback2:作为静态Bypass VXLAN隧道的源端IP地址。

每台交换机的Loopback地址的具体规划如表1所示。

表1 数据准备表(Loopback地址规划)
设备名称 Loopback0 Loopback1 Loopback2
BorderLeaf_1 10.125.99.1/32(虚MAC:00e0-fc00-0101) 10.125.98.1/32 10.135.98.1/32
BorderLeaf_2 10.125.99.1/32(虚MAC:00e0-fc00-0101) 10.125.98.2/32 10.135.98.2/32
ServerLeaf1_1 10.125.99.2/32 10.125.98.3/32 10.135.98.3/32
ServerLeaf1_2 10.125.99.2/32 10.125.98.4/32 10.135.98.4/32
ServerLeaf2_1 10.125.99.3/32 10.125.98.5/32 10.135.98.5/32
ServerLeaf2_2 10.125.99.3/32 10.125.98.6/32 10.135.98.6/32
表2 互联地址规划
设备名称 接口编号 IP地址 对接设备及接口编号 说明
BorderLeaf_1 Eth-Trunk20 10.125.97.17/30 BorderLeaf_2:Eth-Trunk20 出口逃生路径
100GE4/0/0 10.125.97.1/30 PE1 -
100GE4/0/1 10.125.97.5/30 PE2 -
100GE1/0/0 10.125.97.21/30 ServerLeaf1_1:100GE1/0/1 -
100GE1/0/1 10.125.97.25/30 ServerLeaf1_2:100GE1/0/1 -
100GE1/0/2 10.125.97.29/30 ServerLeaf2_1:100GE1/0/1 -
100GE1/0/3 10.125.97.33/30 ServerLeaf2_2:100GE1/0/1 -
100GE4/0/43 - FW-1 -
100GE4/0/44 - FW-2 -
vlanif11 10.125.97.57/29 - FW互联的管理链路接口地址
BorderLeaf_2 Eth-Trunk20 10.125.97.18/30 BorderLeaf_1:Eth-Trunk20 出口逃生路径
100GE4/0/0 10.125.97.9/30 PE1 -
100GE4/0/1 10.125.97.13/30 PE2 -
100GE1/0/0 10.125.97.37/30 ServerLeaf1_1:100GE1/0/2 -
100GE1/0/1 10.125.97.41/30 ServerLeaf1_2:100GE1/0/2 -
100GE1/0/2 10.125.97.45/30 ServerLeaf2_1:100GE1/0/2 -
100GE1/0/3 10.125.97.49/30 ServerLeaf2_2:100GE1/0/2 -
100GE4/0/43 - FW-1 -
100GE4/0/44 - FW-2 -
vlanif11 10.125.97.57/29 - FW互联的管理链路接口地址
ServerLeaf1_1 100GE1/0/1 10.125.97.22/30 BorderLeaf_1:100GE1/0/0 -
100GE1/0/2 10.125.97.38/30 BorderLeaf_2:100GE1/0/0 -
ServerLeaf1_2 100GE1/0/1 10.125.97.26/30 BorderLeaf_1:100GE1/0/1 -
100GE1/0/2 10.125.97.42/30 BorderLeaf_2:100GE1/0/1 -
ServerLeaf2_1 100GE1/0/1 10.125.97.30/30 BorderLeaf_1:100GE1/0/2 -
100GE1/0/2 10.125.97.46/30 BorderLeaf_2:100GE1/0/2 -
ServerLeaf2_2 100GE1/0/1 10.125.97.34/30 BorderLeaf_1:100GE1/0/3 -
100GE1/0/2 10.125.97.50/30 BorderLeaf_2:100GE1/0/3 -
FW-1 Eth-Trunk0(10GE 1/0/0 to 1/0/1) 10.125.97.73/30 FW2:Eth-Trunk0 防火墙心跳口
Eth-Trunk11(10GE 1/0/8、1/0/9) - - 与BorderLeaf_1、BorderLeaf_2互联端口
Vlanif3004 10.125.97.242/30 - vsys_1
FW-2 Eth-Trunk0 10.125.97.74/30 FW-1:Eth-Trunk0 防火墙心跳口
Eth-Trunk11(10GE 1/0/8、1/0/9) 10.125.97.242/30 - 与BorderLeaf_1、BorderLeaf_2互联端口
表3 外网IP地址
访问外网的IP地址
1.2.3.4/24
表4 设备的RD值和RT值
设备名称 VLAN ID 广播域BD ID VXLAN网络标识VNI ID EVPN实例 VPN实例
RD值 RT值 VPN实例名称 VXLAN网络标识VNI ID RD值 RT值
ERT/IRT ERT ERT/IRT(EVPN)
ServerLeaf1_1 10 10 10 10:2 100:10 100:5010 vpn1 5010 20:2 100:5010
ServerLeaf1_2 10:4 vpn2 20:4
ServerLeaf2_1 20 20 20 10:3 100:20 vpn3 20:3
ServerLeaf2_2 10:5 vpn4 20:5

配置思路

配置思路如下:

  1. 配置VXLAN优化命令。
  2. 配置Underlay网络。
    1. 配置Border Leaf。
      1. 配置IP地址:配置与Server Leaf节点三层互联地址,与防火墙互联管理地址;配置Loopback0地址(作为VTEP地址);配置Loopback1地址(作为Router-ID&dfs-group);配置NVE接口VTEP IP地址。
      2. 配置M-LAG:配置M-LAG全局模式、DFS组、peer-link,并分别配置与防火墙互联M-LAG接口。
      3. 配置路由:配置OSPF路由,配置OSPF接口的网络类型为P2P,并发布Loopback地址及与防火墙管理地址;配置BGP EVPN作为VXLAN的控制平面。
    2. 配置Server Leaf。配置思路与Border Leaf一样。
    3. 配置防火墙。
      1. 配置防火墙基础信息。
      2. 关闭备份当前运行配置的功能,在主备防火墙上均需要配置。
      3. 配置防火墙与Border Leaf/Service Leaf互联端口。
      4. 配置两台防火墙之间的心跳接口。
      5. 配置两台防火墙的主备镜像模式。
      6. 配置安全域及缺省安全策略。只需要在FW-1中进行配置,FW-2将自动同步。
      7. 使能防火墙的vsys功能。只需要在FW-1中进行配置,FW-2将自动同步。
  3. 配置Overlay网络。
    1. 配置Border Leaf。
    2. 配置Server Leaf。
    3. 配置防火墙。

操作步骤

  1. 配置VXLAN优化命令。在CE设备上进行VXLAN相关配置前,请先根据不同的设备款型,配置VXLAN优化命令,以确保业务稳定运行。设备款型不同具体的配置命令行不一样。

    # 配置BorderLeaf_1。其他设备的配置与BorderLeaf_1类似,这里不再赘述。

    <HUAWEI> system-view
[~HUAWEI] sysname BorderLeaf_1
[*HUAWEI] commit
[*BorderLeaf_1] system resource large-route  //配置系统资源模式为大路由模式该配置需要重启设备才能生效。仅CE16800(安装E系列单板、EK系列单板)、CE6863H、CE6863H-K、CE6881H、CE6881H-K支持。
[*BorderLeaf_1] vxlan tunnel-status track exact-route  //使能VXLAN隧道目的端精确路由状态订阅功能,优化网络收敛性能。
[*BorderLeaf_1] commit
  2. 配置Underlay网络。
    1. 配置Border Leaf。
      1. 配置IP地址。
        1. 配置Border Leaf与其他设备互联IP地址。#配置BorderLeaf_1与Server Leaf的互联接口地址: 
          [~BorderLeaf_1] interface 100GE 1/0/0
[~BorderLeaf_1-100GE1/0/0] description to ServerLeaf1_1
[*BorderLeaf_1-100GE1/0/0] undo portswitch
[*BorderLeaf_1-100GE1/0/0] ip address 10.125.97.21 255.255.255.252
[*BorderLeaf_1-100GE1/0/0] ospf network-type p2p   //配置与Server Leaf互联OSPF接口的网络类型为P2P
[*BorderLeaf_1-100GE1/0/0] quit
[*BorderLeaf_1] interface 100GE 1/0/1
[*BorderLeaf_1-100GE1/0/1] description to ServerLeaf1_2
[*BorderLeaf_1-100GE1/0/1] undo portswitch
[*BorderLeaf_1-100GE1/0/1] ip address 10.125.97.25 255.255.255.252
[*BorderLeaf_1-100GE1/0/1] ospf network-type p2p
[*BorderLeaf_1-100GE1/0/1] quit
[*BorderLeaf_1] interface 100GE 1/0/2
[*BorderLeaf_1-100GE1/0/2] description to ServerLeaf2_1
[*BorderLeaf_1-100GE1/0/2] undo portswitch
[*BorderLeaf_1-100GE1/0/2] ip address 10.125.97.29 255.255.255.252
[*BorderLeaf_1-100GE1/0/2] ospf network-type p2p
[*BorderLeaf_1-100GE1/0/2] quit
[*BorderLeaf_1] interface 100GE 1/0/3
[*BorderLeaf_1-100GE1/0/3] description to ServerLeaf2_2
[*BorderLeaf_1-100GE1/0/3] undo portswitch
[*BorderLeaf_1-100GE1/0/3] ip address 10.125.97.33 255.255.255.252
[*BorderLeaf_1-100GE1/0/3] ospf network-type p2p
[*BorderLeaf_1-100GE1/0/3] quit
[*BorderLeaf_1-100GE1/0/3] commit

          #配置BorderLeaf_2与Server Leaf的互联接口地址:

          [~BorderLeaf_2] interface 100GE 1/0/0
[~BorderLeaf_2-100GE1/0/0] description to ServerLeaf1_1
[*BorderLeaf_2-100GE1/0/0] undo portswitch
[*BorderLeaf_2-100GE1/0/0] ip address 10.125.97.37 255.255.255.252
[*BorderLeaf_2-100GE1/0/0] ospf network-type p2p
[*BorderLeaf_2-100GE1/0/0] quit
[*BorderLeaf_2] interface 100GE 1/0/1
[*BorderLeaf_2-100GE1/0/1] description to ServerLeaf1_2
[*BorderLeaf_2-100GE1/0/1] undo portswitch
[*BorderLeaf_2-100GE1/0/1] ip address 10.125.97.41 255.255.255.252
[*BorderLeaf_2-100GE1/0/1] ospf network-type p2p
[*BorderLeaf_2-100GE1/0/1] quit
[*BorderLeaf_2] interface 100GE 1/0/2
[*BorderLeaf_2-100GE1/0/2] description to ServerLeaf2_1
[*BorderLeaf_2-100GE1/0/2] undo portswitch
[*BorderLeaf_2-100GE1/0/2] ip address 10.125.97.45 255.255.255.252
[*BorderLeaf_2-100GE1/0/2] ospf network-type p2p
[*BorderLeaf_2-100GE1/0/2] quit
[*BorderLeaf_2] interface 100GE 1/0/3
[*BorderLeaf_2-100GE1/0/3] description to ServerLeaf2_2
[*BorderLeaf_2-100GE1/0/3] undo portswitch
[*BorderLeaf_2-100GE1/0/3] ip address 10.125.97.49 255.255.255.252
[*BorderLeaf_2-100GE1/0/3] ospf network-type p2p
[*BorderLeaf_2-100GE1/0/3] quit
[*BorderLeaf_2-100GE1/0/3] commit

          #配置BorderLeaf_1与PE的互联接口地址:

          [~BorderLeaf_1] interface 100GE 4/0/0
[*BorderLeaf_1-100GE4/0/0] description to PE1
[*BorderLeaf_1-100GE4/0/0] undo portswitch
[*BorderLeaf_1-100GE4/0/0] ip address 10.125.97.1 255.255.255.252
[*BorderLeaf_1-100GE4/0/0] quit
[*BorderLeaf_1] interface 100GE 4/0/1
[*BorderLeaf_1-100GE4/0/1] description to PE2
[*BorderLeaf_1-100GE4/0/1] undo portswitch
[*BorderLeaf_1-100GE4/0/1] ip address 10.125.97.5 255.255.255.252
[*BorderLeaf_1-100GE4/0/1] quit
[*BorderLeaf_1-100GE4/0/1] commit

          #配置BorderLeaf_2与PE的互联接口地址:

          [~BorderLeaf_2] interface 100GE 4/0/0
[*BorderLeaf_2-100GE4/0/0] description to PE1
[*BorderLeaf_2-100GE4/0/0] undo portswitch
[*BorderLeaf_2-100GE4/0/0] ip address 10.125.97.9 255.255.255.252
[*BorderLeaf_2-100GE4/0/0] quit
[*BorderLeaf_2] interface 100GE 4/0/1
[*BorderLeaf_2-100GE4/0/1] description to PE2
[*BorderLeaf_2-100GE4/0/1] undo portswitch
[*BorderLeaf_2-100GE4/0/1] ip address 10.125.97.13 255.255.255.252
[*BorderLeaf_2-100GE4/0/1] quit
[*BorderLeaf_2-100GE4/0/1] commit
        2. 配置Border Leaf的Loopback接口地址。#配置BorderLeaf_1的Loopback接口地址: 
          [~BorderLeaf_1] interface LoopBack 0
[*BorderLeaf_1-LoopBack0] description VTEP
[*BorderLeaf_1-LoopBack0] ipv6 enable    //当需要使用IPv6时,配置使能IPv6
[*BorderLeaf_1-LoopBack0] ip address 10.125.99.1 255.255.255.255
[*BorderLeaf_1-LoopBack0] quit
[*BorderLeaf_1] interface LoopBack 1
[*BorderLeaf_1-LoopBack1] description DFS-GROUP/ROUTER-ID
[*BorderLeaf_1-LoopBack1] ip address 10.125.98.1 255.255.255.255
[*BorderLeaf_1-LoopBack1] quit
[*BorderLeaf_1] interface LoopBack 2
[*BorderLeaf_1-LoopBack2] description Bypass VXLAN
[*BorderLeaf_1-LoopBack2] ip address 10.135.98.1 255.255.255.255
[*BorderLeaf_1-LoopBack2] quit
[*BorderLeaf_1] commit

          #配置BorderLeaf_2的Loopback接口地址:

          [~BorderLeaf_2] interface LoopBack 0
[*BorderLeaf_2-LoopBack0] description VTEP
[*BorderLeaf_2-LoopBack0] ipv6 enable    //当需要使用IPv6时,配置使能IPv6
[*BorderLeaf_2-LoopBack0] ip address 10.125.99.1 255.255.255.255
[*BorderLeaf_2-LoopBack0] quit
[*BorderLeaf_2] interface LoopBack 1
[*BorderLeaf_2-LoopBack1] description DFS-GROUP/ROUTER-ID
[*BorderLeaf_2-LoopBack1] ip address 10.125.98.2 255.255.255.255
[*BorderLeaf_2-LoopBack1] quit
[*BorderLeaf_2] interface LoopBack 2
[*BorderLeaf_2-LoopBack2] description Bypass VXLAN
[*BorderLeaf_2-LoopBack2] ip address 10.135.98.2 255.255.255.255
[*BorderLeaf_2-LoopBack2] quit
[*BorderLeaf_2] commit
        3. 配置NVE接口VTEP IP和虚拟MAC地址。#配置BorderLeaf_1的NVE接口: 
          [~BorderLeaf_1] vlan 100   //本VLAN不能划分给其他业务使用,本例中以100举例
[*BorderLeaf_1-vlan100] quit
[*BorderLeaf_1] interface vlanif 100
[*BorderLeaf_1-Vlanif100] reserved for vxlan bypass   //指定peer-link接口上VLANIF的IPv4地址只给Bypass VXLAN隧道使用
[*BorderLeaf_1-Vlanif100] ip address 10.125.96.1 30   //配置静态Bypass VXLAN隧道的源端IPv4地址
[*BorderLeaf_1-Vlanif100] quit
[*BorderLeaf_1] ip route-static 10.135.98.2 32 10.125.96.2 preference 1   //配置静态路由,打通Bypass VXLAN隧道
[~BorderLeaf_1] interface nve 1
[*BorderLeaf_1-Nve1] source 10.125.99.1
[*BorderLeaf_1-Nve1] mac-address 00e0-fc00-0101
[*BorderLeaf_1-Nve1] pip-source 10.135.98.1 peer 10.135.98.2 bypass   //创建静态Bypass VXLAN隧道,指定源端地址和对端地址
[*BorderLeaf_1-Nve1] commit

          #配置BorderLeaf_2的NVE接口:

          [~BorderLeaf_2] vlan 100  
[*BorderLeaf_2-vlan100] quit
[*BorderLeaf_2] interface vlanif 100
[*BorderLeaf_2-Vlanif100] reserved for vxlan bypass
[*BorderLeaf_2-Vlanif100] ip address 10.125.96.2 30
[*BorderLeaf_2-Vlanif100] quit
[*BorderLeaf_1] ip route-static 10.135.98.1 32 10.125.96.1 preference 1
[~BorderLeaf_2] interface nve 1
[*BorderLeaf_2-Nve1] source 10.125.99.1
[*BorderLeaf_2-Nve1] mac-address 00e0-fc00-0101
[*BorderLeaf_2-Nve1] pip-source 10.135.98.2 peer 10.135.98.1 bypass
[*BorderLeaf_2-Nve1] commit
      2. 配置M-LAG。
        1. 配置M-LAG模式。#配置BorderLeaf_1的M-LAG模式: 
          [~BorderLeaf_1] stp mode rstp
[*BorderLeaf_1] stp v-stp enable   //配置V-STP方式的M-LAG
[*BorderLeaf_1] commit

          #配置BorderLeaf_2的M-LAG模式:

          [~BorderLeaf_2] stp mode rstp
[*BorderLeaf_2] stp v-stp enable   //配置V-STP方式的M-LAG
[*BorderLeaf_2] commit
        2. 配置M-LAG的DFS组。#配置BorderLeaf_1的DFS组: 
          [~BorderLeaf_1] dfs-group 1
[*BorderLeaf_1-dfs-group-1] priority 150    //配置DFS优先级高于对端,默认是100 
[*BorderLeaf_1-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206
[*BorderLeaf_1-dfs-group-1] dual-active detection source ip 10.125.98.1 
[*BorderLeaf_1-dfs-group-1] consistency-check enable mode loose    //使能M-LAG配置一致性检查,模式为松散模式 
[*BorderLeaf_1-dfs-group-1] quit 
[*BorderLeaf_1-dfs-group-1] commit

          #配置BorderLeaf_2的DFS组:

          [~BorderLeaf_2] dfs-group 1
[*BorderLeaf_2-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206     
[*BorderLeaf_2-dfs-group-1] dual-active detection source ip 10.125.98.2 
[*BorderLeaf_2-dfs-group-1] consistency-check enable mode loose   
[*BorderLeaf_2-dfs-group-1] quit 
[*BorderLeaf_2-dfs-group-1] commit
        3. 配置peer-link。#配置BorderLeaf_1的peer-link: 
          [~BorderLeaf_1] interface Eth-Trunk 0
[*BorderLeaf_1-Eth-Trunk0] trunkport 100GE 4/0/47 
[*BorderLeaf_1-Eth-Trunk0] trunkport 100GE 1/0/23
[*BorderLeaf_1-Eth-Trunk0] mode lacp-static
[*BorderLeaf_1-Eth-Trunk0] peer-link 1
[*BorderLeaf_1-Eth-Trunk0] port vlan exclude 1
[*BorderLeaf_1-Eth-Trunk0] commit

          #配置BorderLeaf_2的peer-link:

          [~BorderLeaf_2] interface Eth-Trunk 0
[*BorderLeaf_2-Eth-Trunk0] trunkport 100GE 4/0/47 
[*BorderLeaf_2-Eth-Trunk0] trunkport 100GE 1/0/23
[*BorderLeaf_2-Eth-Trunk0] mode lacp-static
[*BorderLeaf_2-Eth-Trunk0] peer-link 1
[*BorderLeaf_2-Eth-Trunk0] port vlan exclude 1
[*BorderLeaf_2-Eth-Trunk0] commit
        4. 配置M-LAG接口。配置与防火墙互联的业务链路。

          #配置BorderLeaf_1与防火墙互联:

          [~BorderLeaf_1] interface Eth-Trunk 11   //配置与FW主设备(FW-1)互联业务口
[*BorderLeaf_1-Eth-Trunk11] trunkport 100GE 4/0/43
[*BorderLeaf_1-Eth-Trunk11] port link-type trunk
[*BorderLeaf_1-Eth-Trunk11] undo port trunk allow-pass vlan 1
[*BorderLeaf_1-Eth-Trunk11] stp edged-port enable
[*BorderLeaf_1-Eth-Trunk11] mode lacp-static
[*BorderLeaf_1-Eth-Trunk11] dfs-group 1 m-lag 3
[*BorderLeaf_1-Eth-Trunk11] quit
[*BorderLeaf_1] interface Eth-Trunk12   //配置与FW备设备(FW-2)互联业务口
[*BorderLeaf_1-Eth-Trunk12] trunkport 100GE 4/0/44
[*BorderLeaf_1-Eth-Trunk12] port link-type trunk
[*BorderLeaf_1-Eth-Trunk12] undo port trunk allow-pass vlan 1
[*BorderLeaf_1-Eth-Trunk12] stp edged-port enable
[*BorderLeaf_1-Eth-Trunk12] mode lacp-static
[*BorderLeaf_1-Eth-Trunk12] dfs-group 1 m-lag 4
[*BorderLeaf_1-Eth-Trunk12] quit
[*BorderLeaf_1] commit

          #配置BorderLeaf_2与防火墙互联:

          [~BorderLeaf_2] interface Eth-Trunk 11   //配置与FW主设备(FW-1)互联业务口
[*BorderLeaf_2-Eth-Trunk11] trunkport 100GE 4/0/43
[*BorderLeaf_2-Eth-Trunk11] port link-type trunk
[*BorderLeaf_2-Eth-Trunk11] undo port trunk allow-pass vlan 1
[*BorderLeaf_2-Eth-Trunk11] stp edged-port enable
[*BorderLeaf_2-Eth-Trunk11] mode lacp-static
[*BorderLeaf_2-Eth-Trunk11] dfs-group 1 m-lag 3
[*BorderLeaf_2-Eth-Trunk11] quit
[*BorderLeaf_2] interface Eth-Trunk12   //配置与FW备设备(FW-2)互联业务口
[*BorderLeaf_2-Eth-Trunk12] trunkport 100GE 4/0/44
[*BorderLeaf_2-Eth-Trunk12] port link-type trunk
[*BorderLeaf_2-Eth-Trunk12] undo port trunk allow-pass vlan 1
[*BorderLeaf_2-Eth-Trunk12] stp edged-port enable
[*BorderLeaf_2-Eth-Trunk12] mode lacp-static
[*BorderLeaf_2-Eth-Trunk12] dfs-group 1 m-lag 4
[*BorderLeaf_2-Eth-Trunk12] quit
[*BorderLeaf_2-Eth-Trunk12] commit
      3. 配置路由。
        1. 配置OSPF路由打通VXLAN Underlay路由。#配置BorderLeaf_1的OSPF路由: 
          [~BorderLeaf_1] bfd    //全局使能BFD功能
[*BorderLeaf_1-bfd] quit
[*BorderLeaf_1] ospf
[*BorderLeaf_1] ospf 1 router-id 10.125.98.1
[*BorderLeaf_1-ospf-1] bfd all-interfaces enable
[*BorderLeaf_1-ospf-1] bfd all-interfaces min-tx-interval 500 min-rx-interval 500 detect-multiplier 3  
[*BorderLeaf_1-ospf-1] lsa-arrival-interval intelligent-timer 50 50 50     //设置OSPF LSA接收的时间间隔,优化收敛时间
[*BorderLeaf_1-ospf-1] area 0.0.0.0
[*BorderLeaf_1-ospf-1-area-0.0.0.0] network 10.125.97.20 0.0.0.3      //分别建立与4台Server Leaf设备的路由邻居
[*BorderLeaf_1-ospf-1-area-0.0.0.0] network 10.125.97.24 0.0.0.3
[*BorderLeaf_1-ospf-1-area-0.0.0.0] network 10.125.97.28 0.0.0.3 
[*BorderLeaf_1-ospf-1-area-0.0.0.0] network 10.125.97.32 0.0.0.3
[*BorderLeaf_1-ospf-1-area-0.0.0.0] network 10.125.98.1 0.0.0.0      //发布Loopback地址
[*BorderLeaf_1-ospf-1-area-0.0.0.0] network 10.125.99.1 0.0.0.0
[*BorderLeaf_1-ospf-1-area-0.0.0.0] quit
[*BorderLeaf_1-ospf-1] quit
[*BorderLeaf_1-ospf-1] commit

          #配置BorderLeaf_2的OSPF路由:

          [~BorderLeaf_2] bfd    //全局使能BFD功能
[*BorderLeaf_2-bfd] quit
[*BorderLeaf_2] ospf
[*BorderLeaf_2] ospf 1 router-id 10.125.98.2
[*BorderLeaf_2-ospf-1] bfd all-interfaces enable
[*BorderLeaf_2-ospf-1] bfd all-interfaces min-tx-interval 500 min-rx-interval 500 detect-multiplier 3   //仅组网中全部为支持硬件BFD的款型时,配置500ms*3;其余保持默认配置1000ms*3
[*BorderLeaf_2-ospf-1] lsa-arrival-interval intelligent-timer 50 50 50     //设置OSPF LSA接收的时间间隔,优化收敛时间
[*BorderLeaf_2-ospf-1] area 0.0.0.0
[*BorderLeaf_2-ospf-1-area-0.0.0.0] network 10.125.97.36 0.0.0.3      //分别建立与4台Server Leaf设备的路由邻居
[*BorderLeaf_2-ospf-1-area-0.0.0.0] network 10.125.97.40 0.0.0.3
[*BorderLeaf_2-ospf-1-area-0.0.0.0] network 10.125.97.44 0.0.0.3 
[*BorderLeaf_2-ospf-1-area-0.0.0.0] network 10.125.97.48 0.0.0.3
[*BorderLeaf_2-ospf-1-area-0.0.0.0] network 10.125.98.2 0.0.0.0      //发布Loopback地址
[*BorderLeaf_2-ospf-1-area-0.0.0.0] network 10.125.99.1 0.0.0.0
[*BorderLeaf_2-ospf-1-area-0.0.0.0] quit
[*BorderLeaf_2-ospf-1] quit
[*BorderLeaf_2-ospf-1] commit
        2. 配置OSPF网络故障收敛性能优化。
          #配置BorderLeaf_1的OSPF网络故障收敛性能优化:

          [~BorderLeaf_1] interface 100GE 1/0/0
[*BorderLeaf_1-100GE1/0/0] ospf peer hold-max-cost timer 300000   //所有Border Leaf和Server Leaf配置OSPF邻居建立后在本地设备的LSA中保持最大开销值的时间300s,源于240s的M-LAG延迟UP时间(同时overlay路由收敛)+ 60s的设备表项同步时间
[*BorderLeaf_1-100GE1/0/0] quit
[*BorderLeaf_1] interface 100GE 1/0/1
[*BorderLeaf_1-100GE1/0/1] ospf peer hold-max-cost timer 300000
[*BorderLeaf_1-100GE1/0/1] quit
[*BorderLeaf_1] interface 100GE 1/0/2
[*BorderLeaf_1-100GE1/0/2] ospf peer hold-max-cost timer 300000
[*BorderLeaf_1-100GE1/0/2] quit
[*BorderLeaf_1] interface 100GE 1/0/3
[*BorderLeaf_1-100GE1/0/3] ospf peer hold-max-cost timer 300000
[*BorderLeaf_1-100GE1/0/3] quit
[*BorderLeaf_1-100GE1/0/3] commit

          #配置BorderLeaf_2的OSPF网络故障收敛性能优化,配置过程及数据与BorderLeaf_1一致,不再赘述。

        3. 配置BGP EVPN。#配置BorderLeaf_1: 
          [~BorderLeaf_1] evpn-overlay enable     //使能EVPN作为VXLAN的控制平面
[*BorderLeaf_1] bgp 100
[*BorderLeaf_1-bgp] router-id 10.125.98.1
[*BorderLeaf_1-bgp] advertise lowest-priority all-address-family peer-up delay 360  //在邻居状态由Down到Up时将BGP路由的优先级调整为最低优先级;路由延时发布,解决回切场景丢包时间长问题
[*BorderLeaf_1-bgp] undo default ipv4-unicast       //关闭BGP IPv4单播邻居,降低设备负荷
[*BorderLeaf_1-bgp] group ServerLeaf internal       //配置Server Leaf的对等体组并加入相应对等体。
[*BorderLeaf_1-bgp] peer 10.125.98.3 group ServerLeaf
[*BorderLeaf_1-bgp] peer 10.125.98.4 group ServerLeaf
[*BorderLeaf_1-bgp] peer 10.125.98.5 group ServerLeaf
[*BorderLeaf_1-bgp] peer 10.125.98.6 group ServerLeaf
[*BorderLeaf_1-bgp] peer ServerLeaf connect-interface LoopBack1    //指定发送BGP报文的源接口
[*BorderLeaf_1-bgp] l2vpn-family evpn          //使能并进入BGP-EVPN地址族视图
[*BorderLeaf_1-bgp-af-evpn] undo policy vpn-target       //配置去使能对接收到的EVPN路由使能VPN-Target过滤功能
[*BorderLeaf_1-bgp-af-evpn] peer ServerLeaf enable
[*BorderLeaf_1-bgp-af-evpn] peer 10.125.98.3 group ServerLeaf
[*BorderLeaf_1-bgp-af-evpn] peer 10.125.98.4 group ServerLeaf
[*BorderLeaf_1-bgp-af-evpn] peer 10.125.98.5 group ServerLeaf
[*BorderLeaf_1-bgp-af-evpn] peer 10.125.98.6 group ServerLeaf
[*BorderLeaf_1-bgp-af-evpn] peer ServerLeaf advertise irb   //配置向BGP EVPN对等体组Server Leaf发布irb和irbv6路由
[*BorderLeaf_1-bgp-af-evpn] peer ServerLeaf advertise irbv6
[*BorderLeaf_1-bgp-af-evpn] peer ServerLeaf reflect-client   //配置路由反射器功能
[*BorderLeaf_1-bgp-af-evpn] quit
[*BorderLeaf_1-bgp] quit
[*BorderLeaf_1-bgp] commit

          #配置BorderLeaf_2:

          [~BorderLeaf_2] evpn-overlay enable 
[*BorderLeaf_2] bgp 100
[*BorderLeaf_2-bgp] router-id 10.125.98.2
[*BorderLeaf_2-bgp] advertise lowest-priority all-address-family peer-up delay 360  //在邻居状态由Down到Up时将BGP路由的优先级调整为最低优先级;路由延时发布,解决回切场景丢包时间长问题
[*BorderLeaf_2-bgp] undo default ipv4-unicast       //关闭BGP IPv4单播邻居,降低设备负荷
[*BorderLeaf_2-bgp] group ServerLeaf internal       //配置Server Leaf的对等体组并加入相应对等体。
[*BorderLeaf_2-bgp] peer 10.125.98.3 group ServerLeaf
[*BorderLeaf_2-bgp] peer 10.125.98.4 group ServerLeaf
[*BorderLeaf_2-bgp] peer 10.125.98.5 group ServerLeaf
[*BorderLeaf_2-bgp] peer 10.125.98.6 group ServerLeaf
[*BorderLeaf_2-bgp] peer ServerLeaf connect-interface LoopBack1    //指定发送BGP报文的源接口
[*BorderLeaf_2-bgp] l2vpn-family evpn          //使能并进入BGP-EVPN地址族视图
[*BorderLeaf_2-bgp-af-evpn] undo policy vpn-target       //配置去使能对接收到的EVPN路由使能VPN-Target过滤功能
[*BorderLeaf_2-bgp-af-evpn] peer ServerLeaf enable
[*BorderLeaf_2-bgp-af-evpn] peer 10.125.98.3 group ServerLeaf
[*BorderLeaf_2-bgp-af-evpn] peer 10.125.98.4 group ServerLeaf
[*BorderLeaf_2-bgp-af-evpn] peer 10.125.98.5 group ServerLeaf
[*BorderLeaf_2-bgp-af-evpn] peer 10.125.98.6 group ServerLeaf
[*BorderLeaf_2-bgp-af-evpn] peer ServerLeaf advertise irb 
[*BorderLeaf_2-bgp-af-evpn] peer ServerLeaf advertise irbv6
[*BorderLeaf_2-bgp-af-evpn] peer ServerLeaf reflect-client
[*BorderLeaf_2-bgp-af-evpn] quit
[*BorderLeaf_2-bgp] quit
[*BorderLeaf_2-bgp] commit
    2. 配置接入Server Leaf组。
      1. 配置IP地址。
        1. 配置Server Leaf与Border Leaf互联IP地址。#配置ServerLeaf1_1与Border Leaf的互联接口地址: 
          [~ServerLeaf1_1] interface 100GE 1/0/1
[*ServerLeaf1_1-100GE1/0/1] description to BorderLeaf_1
[*ServerLeaf1_1-100GE1/0/1] undo portswitch
[*ServerLeaf1_1-100GE1/0/1] ip address 10.125.97.22 255.255.255.252
[*ServerLeaf1_1-100GE1/0/1] ospf network-type p2p   //配置与Border Leaf互联OSPF接口的网络类型为P2P
[*ServerLeaf1_1-100GE1/0/1] quit
[*ServerLeaf1_1] interface 100GE 1/0/2
[*ServerLeaf1_1-100GE1/0/2] description to BorderLeaf_2
[*ServerLeaf1_1-100GE1/0/2] undo portswitch
[*ServerLeaf1_1-100GE1/0/2] ip address 10.125.97.38 255.255.255.252
[*ServerLeaf1_1-100GE1/0/2] ospf network-type p2p
[*ServerLeaf1_1-100GE1/0/2] quit
[*ServerLeaf1_1-100GE1/0/2] commit

          #配置ServerLeaf1_2与Border Leaf的互联接口地址:

          [~ServerLeaf1_2] interface 100GE 1/0/1
[*ServerLeaf1_2-100GE1/0/1] description to BorderLeaf_1
[*ServerLeaf1_2-100GE1/0/1] undo portswitch
[*ServerLeaf1_2-100GE1/0/1] ip address 10.125.97.26 255.255.255.252
[*ServerLeaf1_2-100GE1/0/1] ospf network-type p2p
[*ServerLeaf1_2-100GE1/0/1] quit
[*ServerLeaf1_2] interface 100GE 1/0/2
[*ServerLeaf1_2-100GE1/0/2] description to BorderLeaf_2
[*ServerLeaf1_2-100GE1/0/2] undo portswitch
[*ServerLeaf1_2-100GE1/0/2] ip address 10.125.97.42 255.255.255.252
[*ServerLeaf1_2-100GE1/0/2] ospf network-type p2p
[*ServerLeaf1_2-100GE1/0/2] quit
[*ServerLeaf1_2-100GE1/0/2] commit

          #配置ServerLeaf2_1与Border Leaf的互联接口地址:

          [~ServerLeaf2_1] interface 100GE 1/0/1
[*ServerLeaf2_1-100GE1/0/1] description to BorderLeaf_1
[*ServerLeaf2_1-100GE1/0/1] undo portswitch
[*ServerLeaf2_1-100GE1/0/1] ip address 10.125.97.30 255.255.255.252
[*ServerLeaf2_1-100GE1/0/1] ospf network-type p2p
[*ServerLeaf2_1-100GE1/0/1] quit
[*ServerLeaf2_1] interface 100GE 1/0/2
[*ServerLeaf2_1-100GE1/0/2] description to BorderLeaf_2
[*ServerLeaf2_1-100GE1/0/2] undo portswitch
[*ServerLeaf2_1-100GE1/0/2] ip address 10.125.97.46 255.255.255.252
[*ServerLeaf2_1-100GE1/0/2] ospf network-type p2p
[*ServerLeaf2_1-100GE1/0/2] quit
[*ServerLeaf2_1-100GE1/0/2] commit

          #配置ServerLeaf2_2与Border Leaf的互联接口地址:

          [~ServerLeaf2_2] interface 100GE 1/0/1
[*ServerLeaf2_2-100GE1/0/1] description to BorderLeaf_1
[*ServerLeaf2_2-100GE1/0/1] undo portswitch
[*ServerLeaf2_2-100GE1/0/1] ip address 10.125.97.34 255.255.255.252
[*ServerLeaf2_2-100GE1/0/1] ospf network-type p2p
[*ServerLeaf2_2-100GE1/0/1] quit
[*ServerLeaf2_2] interface 100GE 1/0/2
[*ServerLeaf2_2-100GE1/0/2] description to BorderLeaf_2
[*ServerLeaf2_2-100GE1/0/2] undo portswitch
[*ServerLeaf2_2-100GE1/0/2] ip address 10.125.97.50 255.255.255.252
[*ServerLeaf2_2-100GE1/0/2] ospf network-type p2p
[*ServerLeaf2_2-100GE1/0/2] quit
[*ServerLeaf2_2-100GE1/0/2] commit
        2. 配置Server Leaf的Loopback接口地址。#配置ServerLeaf1_1的Loopback接口地址: 
          [~ServerLeaf1_1] interface LoopBack 0
[*ServerLeaf1_1-LoopBack0] description VTEP
[*ServerLeaf1_1-LoopBack0] ipv6 enable    //当需要使用IPv6时,配置使能IPv6
[*ServerLeaf1_1-LoopBack0] ip address 10.125.99.2 255.255.255.255
[*ServerLeaf1_1-LoopBack0] quit
[*ServerLeaf1_1] interface LoopBack 1
[*ServerLeaf1_1-LoopBack1] description DFS-GROUP/ROUTER-ID
[*ServerLeaf1_1-LoopBack1] ip address 10.125.98.3 255.255.255.255
[*ServerLeaf1_1-LoopBack1] quit
[*ServerLeaf1_1] interface LoopBack 2
[*ServerLeaf1_1-LoopBack2] description Bypass VXLAN
[*ServerLeaf1_1-LoopBack2] ip address 10.135.98.3 255.255.255.255
[*ServerLeaf1_1-LoopBack2] quit
[*ServerLeaf1_1] commit

          #配置ServerLeaf1_2的Loopback接口地址:

          [~ServerLeaf1_2] interface LoopBack 0
[*ServerLeaf1_2-LoopBack0] description VTEP
[*ServerLeaf1_2-LoopBack0] ipv6 enable    //当需要使用IPv6时,配置使能IPv6
[*ServerLeaf1_2-LoopBack0] ip address 10.125.99.2 255.255.255.255
[*ServerLeaf1_2-LoopBack0] quit
[*ServerLeaf1_2] interface LoopBack 1
[*ServerLeaf1_2-LoopBack1] description DFS-GROUP/ROUTER-ID
[*ServerLeaf1_2-LoopBack1] ip address 10.125.98.4 255.255.255.255
[*ServerLeaf1_2-LoopBack1] quit
[*ServerLeaf1_2] interface LoopBack 2
[*ServerLeaf1_2-LoopBack2] description Bypass VXLAN
[*ServerLeaf1_2-LoopBack2] ip address 10.135.98.4 255.255.255.255
[*ServerLeaf1_2-LoopBack2] quit
[*ServerLeaf1_2] commit

          #配置ServerLeaf2_1的Loopback接口地址:

          [~ServerLeaf2_1] interface LoopBack 0
[*ServerLeaf2_1-LoopBack0] description VTEP
[*ServerLeaf2_1-LoopBack0] ipv6 enable    //当需要使用IPv6时,配置使能IPv6
[*ServerLeaf2_1-LoopBack0] ip address 10.125.99.3 255.255.255.255
[*ServerLeaf2_1-LoopBack0] quit
[*ServerLeaf2_1] interface LoopBack 1
[*ServerLeaf2_1-LoopBack1] description DFS-GROUP/ROUTER-ID
[*ServerLeaf2_1-LoopBack1] ip address 10.125.98.5 255.255.255.255
[*ServerLeaf2_1-LoopBack1] quit
[*ServerLeaf2_1] interface LoopBack 2
[*ServerLeaf2_1-LoopBack2] description Bypass VXLAN
[*ServerLeaf2_1-LoopBack2] ip address 10.135.98.5 255.255.255.255
[*ServerLeaf2_1-LoopBack2] quit
[*ServerLeaf2_1] commit

          #配置ServerLeaf2_2的Loopback接口地址:

          [~ServerLeaf2_2] interface LoopBack 0
[*ServerLeaf2_2-LoopBack0] description VTEP
[*ServerLeaf2_2-LoopBack0] ipv6 enable    //当需要使用IPv6时,配置使能IPv6
[*ServerLeaf2_2-LoopBack0] ip address 10.125.99.3 255.255.255.255
[*ServerLeaf2_2-LoopBack0] quit
[*ServerLeaf2_2] interface LoopBack 1
[*ServerLeaf2_2-LoopBack1] description DFS-GROUP/ROUTER-ID
[*ServerLeaf2_2-LoopBack1] ip address 10.125.98.6 255.255.255.255
[*ServerLeaf2_2-LoopBack1] quit
[*ServerLeaf2_2] interface LoopBack 2
[*ServerLeaf2_2-LoopBack2] description Bypass VXLAN
[*ServerLeaf2_2-LoopBack2] ip address 10.135.98.6 255.255.255.255
[*ServerLeaf2_2-LoopBack2] quit
[*ServerLeaf2_2] commit
        3. 配置NVE接口VTEP IP和虚拟MAC地址。#配置ServerLeaf1_1的NVE接口: 
          [~ServerLeaf1_1] vlan 100
[*ServerLeaf1_1-vlan100] quit 
[*ServerLeaf1_1] interface vlanif 100 
[*ServerLeaf1_1-Vlanif100] ip address 10.125.96.5 30 
[*ServerLeaf1_1-Vlanif100] reserved for vxlan bypass 
[*ServerLeaf1_1-Vlanif100] quit
[*ServerLeaf1_1-Vlanif100] ip route-static 10.135.98.4 32 10.125.96.6 preference 1
[*ServerLeaf1_1] interface nve 1
[*ServerLeaf1_1-Nve1] source 10.125.99.2
[*ServerLeaf1_1-Nve1] mac-address 00e0-fc00-0102
[*ServerLeaf1_1-Nve1] pip-source 10.135.98.3 peer 10.135.98.4 bypass
[*ServerLeaf1_1-Nve1] commit

          #配置ServerLeaf1_2的NVE接口:

          [~ServerLeaf1_2] vlan 100 
[*ServerLeaf1_2-vlan100] quit 
[*ServerLeaf1_2] interface vlanif 100 
[*ServerLeaf1_2-Vlanif100] ip address 10.125.96.6 30 
[*ServerLeaf1_2-Vlanif100] reserved for vxlan bypass 
[*ServerLeaf1_2-Vlanif100] quit
[*ServerLeaf1_2-Vlanif100] ip route-static 10.135.98.3 32 10.125.96.5 preference 1
[*ServerLeaf1_2] interface nve 1
[*ServerLeaf1_2-Nve1] source 10.125.99.2
[*ServerLeaf1_2-Nve1] mac-address 00e0-fc00-0102
[*ServerLeaf1_2-Nve1] pip-source 10.135.98.4 peer 10.135.98.3 bypass
[*ServerLeaf1_2-Nve1] commit

          #配置ServerLeaf2_1的NVE接口:

          [~ServerLeaf2_1] vlan 100 
[*ServerLeaf2_1-vlan100] quit 
[*ServerLeaf2_1] interface vlanif 100 
[*ServerLeaf2_1-Vlanif100] ip address 10.125.96.9 30 
[*ServerLeaf2_1-Vlanif100] reserved for vxlan bypass 
[*ServerLeaf2_1-Vlanif100] quit
[*ServerLeaf2_1-Vlanif100] ip route-static 10.135.98.6 32 10.125.96.10 preference 1
[*ServerLeaf2_1] interface nve 1
[*ServerLeaf2_1-Nve1] source 10.125.99.3
[*ServerLeaf2_1-Nve1] mac-address 00e0-fc00-0103
[*ServerLeaf2_1-Nve1] pip-source 10.135.98.5 peer 10.135.98.6 bypass
[*ServerLeaf2_1-Nve1] commit

          #配置ServerLeaf2_2的NVE接口:

          [~ServerLeaf2_2] vlan 100 
[*ServerLeaf2_2-vlan100] quit 
[*ServerLeaf2_2] interface vlanif 100 
[*ServerLeaf2_2-Vlanif100] ip address 10.125.96.10 30 
[*ServerLeaf2_2-Vlanif100] reserved for vxlan bypass 
[*ServerLeaf2_2-Vlanif100] quit
[*ServerLeaf2_2-Vlanif100] ip route-static 10.135.98.5 32 10.125.96.9 preference 1
[*ServerLeaf2_2] interface nve 1
[*ServerLeaf2_2-Nve1] source 10.125.99.3
[*ServerLeaf2_2-Nve1] mac-address 00e0-fc00-0103
[*ServerLeaf2_2-Nve1] pip-source 10.125.98.6 peer 10.125.98.5 bypass
[*ServerLeaf2_2-Nve1] commit
      2. 配置M-LAG。
        1. 配置M-LAG模式。#配置ServerLeaf1_1的M-LAG模式: 
          [~ServerLeaf1_1] stp mode rstp
[*ServerLeaf1_1] stp v-stp enable         //配置V-STP方式的M-LAG
[*ServerLeaf1_1] stp tc-protection        //使能设备对TC类型BPDU报文的保护功能
[*ServerLeaf1_1] stp bpdu-protection      //使能设备的BPDU保护功能
[*ServerLeaf1_1] commit

          #配置ServerLeaf1_2、ServerLeaf2_1、ServerLeaf2_2的M-LAG模式。配置过程及数据与ServerLeaf1_1一致,不再赘述。

        2. 配置M-LAG的DFS组。#配置ServerLeaf1_1的DFS组: 
          [~ServerLeaf1_1] dfs-group 1
[*ServerLeaf1_1-dfs-group-1] priority 150    //配置DFS优先级高于对端,默认是100 
[*ServerLeaf1_1-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206     
[*ServerLeaf1_1-dfs-group-1] dual-active detection source ip 10.125.98.3 
[*ServerLeaf1_1-dfs-group-1] consistency-check enable mode loose    //使能M-LAG配置一致性检查,模式为松散模式 
[*ServerLeaf1_1-dfs-group-1] quit 
[*ServerLeaf1_1-dfs-group-1] commit

          #配置ServerLeaf1_2的DFS组:

          [~ServerLeaf1_2] dfs-group 1
[*ServerLeaf1_2-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206     
[*ServerLeaf1_2-dfs-group-1] dual-active detection source ip 10.125.98.4
[*ServerLeaf1_2-dfs-group-1] consistency-check enable mode loose    //使能M-LAG配置一致性检查,模式为松散模式 
[*ServerLeaf1_2-dfs-group-1] quit 
[*ServerLeaf1_2-dfs-group-1] commit

          #配置ServerLeaf2_1的DFS组:

          [~ServerLeaf2_1] dfs-group 1
[*ServerLeaf2_1-dfs-group-1] priority 150    //配置DFS优先级高于对端,默认是100 
[*ServerLeaf2_1-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206     
[*ServerLeaf2_1-dfs-group-1] dual-active detection source ip 10.125.98.5
[*ServerLeaf2_1-dfs-group-1] consistency-check enable mode loose    //使能M-LAG配置一致性检查,模式为松散模式 
[*ServerLeaf2_1-dfs-group-1] quit 
[*ServerLeaf2_1-dfs-group-1] commit

          #配置ServerLeaf2_2的DFS组:

          [~ServerLeaf2_2] dfs-group 1
[*ServerLeaf2_2-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206     
[*ServerLeaf2_2-dfs-group-1] dual-active detection source ip 10.125.98.6
[*ServerLeaf2_2-dfs-group-1] consistency-check enable mode loose    //使能M-LAG配置一致性检查,模式为松散模式 
[*ServerLeaf2_2-dfs-group-1] quit 
[*ServerLeaf2_2-dfs-group-1] commit
        3. 配置peer-link。#配置ServerLeaf1_1的peer-link: 
          [~ServerLeaf1_1] interface Eth-Trunk 0
[*ServerLeaf1_1-Eth-Trunk0] trunkport 100GE 1/0/5 to 1/0/6
[*ServerLeaf1_1-Eth-Trunk0] mode lacp-static
[*ServerLeaf1_1-Eth-Trunk0] peer-link 1
[*ServerLeaf1_1-Eth-Trunk0] port vlan exclude 1
[*ServerLeaf1_1-Eth-Trunk0] commit

          #配置ServerLeaf1_2的peer-link:

          [~ServerLeaf1_2] interface Eth-Trunk 0
[*ServerLeaf1_2-Eth-Trunk0] trunkport 100GE 1/0/5 to 1/0/6
[*ServerLeaf1_2-Eth-Trunk0] mode lacp-static
[*ServerLeaf1_2-Eth-Trunk0] peer-link 1
[*ServerLeaf1_2-Eth-Trunk0] port vlan exclude 1
[*ServerLeaf1_2-Eth-Trunk0] commit

          #配置ServerLeaf2_1的peer-link:

          [~ServerLeaf2_1] interface Eth-Trunk 0
[*ServerLeaf2_1-Eth-Trunk0] trunkport 100GE 1/0/5 to 1/0/6
[*ServerLeaf2_1-Eth-Trunk0] mode lacp-static
[*ServerLeaf2_1-Eth-Trunk0] peer-link 1
[*ServerLeaf2_1-Eth-Trunk0] port vlan exclude 1
[*ServerLeaf2_1-Eth-Trunk0] commit

          #配置ServerLeaf2_2的peer-link:

          [~ServerLeaf2_2] interface Eth-Trunk 0
[*ServerLeaf2_2-Eth-Trunk0] trunkport 100GE 1/0/5 to 1/0/6
[*ServerLeaf2_2-Eth-Trunk0] mode lacp-static
[*ServerLeaf2_2-Eth-Trunk0] peer-link 1
[*ServerLeaf2_2-Eth-Trunk0] port vlan exclude 1
[*ServerLeaf2_2-Eth-Trunk0] commit
        4. 配置业务服务器以负载分担方式接入。#配置ServerLeaf1_1与业务服务器对接: 
          [~ServerLeaf1_1] interface Eth-Trunk 10
[*ServerLeaf1_1-Eth-Trunk10] mode lacp-static
[*ServerLeaf1_1-Eth-Trunk10] port link-type trunk
[*ServerLeaf1_1-Eth-Trunk10] undo port trunk allow-pass vlan 1
[*ServerLeaf1_1-Eth-Trunk10] trunkport 100GE 1/0/1
[*ServerLeaf1_1-Eth-Trunk10] dfs-group 1 m-lag 10
[*ServerLeaf1_1-Eth-Trunk10] stp edged-port enable   //配置边缘端口
[*ServerLeaf1_1-Eth-Trunk10] quit
[*ServerLeaf1_1] interface 100GE 1/0/1           //服务器接入端口
[*ServerLeaf1_1-100GE1/0/1] storm suppression unknown-unicast 5   //配置未知单播抑制,经验值为100GE端口的5%带宽,建议业务端口都部署
[*ServerLeaf1_1-100GE1/0/1] storm suppression multicast packets 1000  //配置未知组播报文抑制,经验值为1000pps。
[*ServerLeaf1_1-100GE1/0/1] storm suppression broadcast packets 1000  //配置广播报文抑制,经验值为1000pps,建议业务端口都部署
[*ServerLeaf1_1-100GE1/0/1] commit

          #配置ServerLeaf1_2与业务服务器对接:

          [~ServerLeaf1_2] interface Eth-Trunk 10
[*ServerLeaf1_2-Eth-Trunk10] mode lacp-static
[*ServerLeaf1_2-Eth-Trunk10] port link-type trunk
[*ServerLeaf1_2-Eth-Trunk10] undo port trunk allow-pass vlan 1
[*ServerLeaf1_2-Eth-Trunk10] trunkport 100GE 1/0/1
[*ServerLeaf1_2-Eth-Trunk10] dfs-group 1 m-lag 10
[*ServerLeaf1_2-Eth-Trunk10] stp edged-port enable   //配置边缘端口
[*ServerLeaf1_2-Eth-Trunk10] quit
[*ServerLeaf1_2] interface 100GE 1/0/1           //服务器接入端口
[*ServerLeaf1_2-100GE1/0/1] storm suppression unknown-unicast 5   //配置未知单播抑制,经验值为100GE端口的5%带宽,建议业务端口都部署
[*ServerLeaf1_2-100GE1/0/1] storm suppression multicast packets 1000  //配置未知组播报文抑制,经验值为1000pps。
[*ServerLeaf1_2-100GE1/0/1] storm suppression broadcast packets 1000  //配置广播报文抑制,经验值为1000pps,建议业务端口都部署
[*ServerLeaf1_2-100GE1/0/1] commit

          #配置ServerLeaf2_1、ServerLeaf2_2与业务服务器对接。配置过程与上述配置类似,不再赘述。

        5. 配置业务服务器以主备方式接入。#配置ServerLeaf1_1与业务服务器对接: 
          [~ServerLeaf1_1] interface 100GE 1/0/2
[*ServerLeaf1_1-100GE1/0/2] port link-type trunk
[*ServerLeaf1_1-100GE1/0/2] undo port trunk allow-pass vlan 1  //不放通VLAN1,防止成环
[*ServerLeaf1_1-100GE1/0/2] storm suppression unknown-unicast 5   //配置未知单播抑制,经验值为100GE端口的5%带宽,建议业务端口都部署
[*ServerLeaf1_1-100GE1/0/2] storm suppression multicast packets 1000  //配置未知组播报文抑制,经验值为1000pps。
[*ServerLeaf1_1-100GE1/0/2] storm suppression broadcast packets 1000  //配置广播报文抑制,经验值为1000pps,建议业务端口都部署
[*ServerLeaf1_1-100GE1/0/2] stp edged-port enable
[*ServerLeaf1_1-100GE1/0/2] commit

          #配置ServerLeaf1_2与业务服务器对接:

          [~ServerLeaf1_2] interface 100GE 1/0/2
[*ServerLeaf1_2-100GE1/0/2] port link-type trunk
[*ServerLeaf1_2-100GE1/0/2] undo port trunk allow-pass vlan 1  //不放通VLAN1,防止成环
[*ServerLeaf1_2-100GE1/0/2] storm suppression unknown-unicast 5   //配置未知单播抑制,经验值为100GE端口的5%带宽,建议业务端口都部署
[*ServerLeaf1_2-100GE1/0/2] storm suppression multicast packets 1000  //配置未知组播报文抑制,经验值为1000pps。
[*ServerLeaf1_2-100GE1/0/2] storm suppression broadcast packets 1000  //配置广播报文抑制,经验值为1000pps,建议业务端口都部署
[*ServerLeaf1_2-100GE1/0/2] stp edged-port enable
[*ServerLeaf1_2-100GE1/0/2] commit

          #配置ServerLeaf2_1、ServerLeaf2_2与业务服务器对接。配置过程与上述配置类似,不再赘述。

        6. 配置monitor-link关联上行接口和下行接口,避免单台设备的所有上行链路都故障时,本台设备用户侧流量无法转发。Downlink只列出了1个端口做示例,实际部署时请根据规划补齐。

          #配置ServerLeaf1_1的monitor-link:

          [~ServerLeaf1_1] monitor-link group 1
[*ServerLeaf1_1-mtlk-group1] port 100GE1/0/1 uplink
[*ServerLeaf1_1-mtlk-group1] port 100GE1/0/2 uplink
[*ServerLeaf1_1-mtlk-group1] port Eth-Trunk10 downlink 1
[*ServerLeaf1_1-mtlk-group1] timer recover-time 60       //配置回切时间,防止上行故障回切丢包。
[*ServerLeaf1_1-mtlk-group1] commit

          #配置ServerLeaf1_2、ServerLeaf2_1、ServerLeaf2_2的monitor-link。配置过程及数据与ServerLeaf1_1一致,不再赘述。

      3. 配置路由。
        1. 配置OSPF路由打通VXLAN Underlay路由。#配置ServerLeaf1_1的OSPF路由: 
          [~ServerLeaf1_1] bfd    //全局使能BFD功能
[*ServerLeaf1_1-bfd] quit
[*ServerLeaf1_1] ospf 1 router-id 10.125.98.3
[*ServerLeaf1_1-ospf-1] bfd all-interfaces enable
[*ServerLeaf1_1-ospf-1] bfd all-interfaces min-tx-interval 500 min-rx-interval 500 detect-multiplier 3   
[*ServerLeaf1_1-ospf-1] lsa-arrival-interval intelligent-timer 50 50 50     //设置OSPF LSA接收的时间间隔,优化收敛时间
[*ServerLeaf1_1-ospf-1] area 0.0.0.0
[*ServerLeaf1_1-ospf-1-area-0.0.0.0] network 10.125.97.20 0.0.0.3      //分别建立与2台Border Leaf设备的路由邻居
[*ServerLeaf1_1-ospf-1-area-0.0.0.0] network 10.125.97.36 0.0.0.3
[*ServerLeaf1_1-ospf-1-area-0.0.0.0] network 10.125.98.3 0.0.0.0       //发布Loopback地址
[*ServerLeaf1_1-ospf-1-area-0.0.0.0] network 10.125.99.2 0.0.0.0       
[*ServerLeaf1_1-ospf-1-area-0.0.0.0] quit
[*ServerLeaf1_1-ospf-1] quit
[*ServerLeaf1_1-ospf-1] commit

          #配置ServerLeaf1_2的OSPF路由:

          [~ServerLeaf1_2] bfd  
[*ServerLeaf1_2-bfd] quit
[*ServerLeaf1_2] ospf 1 router-id 10.125.98.4
[*ServerLeaf1_2-ospf-1] bfd all-interfaces enable
[*ServerLeaf1_2-ospf-1] bfd all-interfaces min-tx-interval 500 min-rx-interval 500 detect-multiplier 3   
[*ServerLeaf1_2-ospf-1] lsa-arrival-interval intelligent-timer 50 50 50     //设置OSPF LSA接收的时间间隔,优化收敛时间
[*ServerLeaf1_2-ospf-1] area 0.0.0.0
[*ServerLeaf1_2-ospf-1-area-0.0.0.0] network 10.125.97.24 0.0.0.3      //分别建立与2台Border Leaf设备的路由邻居
[*ServerLeaf1_2-ospf-1-area-0.0.0.0] network 10.125.97.40 0.0.0.3
[*ServerLeaf1_2-ospf-1-area-0.0.0.0] network 10.125.98.4 0.0.0.0       //发布Loopback地址
[*ServerLeaf1_2-ospf-1-area-0.0.0.0] network 10.125.99.2 0.0.0.0       
[*ServerLeaf1_2-ospf-1-area-0.0.0.0] quit
[*ServerLeaf1_2-ospf-1] quit
[*ServerLeaf1_2-ospf-1] commit

          #配置ServerLeaf2_1的OSPF路由:

          [~ServerLeaf2_1] bfd   
[*ServerLeaf2_1-bfd] quit
[*ServerLeaf2_1] ospf 1 router-id 10.125.98.5
[*ServerLeaf2_1-ospf-1] bfd all-interfaces enable
[*ServerLeaf2_1-ospf-1] bfd all-interfaces min-tx-interval 500 min-rx-interval 500 detect-multiplier 3   
[*ServerLeaf2_1-ospf-1] lsa-arrival-interval intelligent-timer 50 50 50     //设置OSPF LSA接收的时间间隔,优化收敛时间
[*ServerLeaf2_1-ospf-1] area 0.0.0.0
[*ServerLeaf2_1-ospf-1-area-0.0.0.0] network 10.125.97.28 0.0.0.3      //分别建立与2台Border Leaf设备的路由邻居
[*ServerLeaf2_1-ospf-1-area-0.0.0.0] network 10.125.97.44 0.0.0.3
[*ServerLeaf2_1-ospf-1-area-0.0.0.0] network 10.125.98.5 0.0.0.0       //发布Loopback地址
[*ServerLeaf2_1-ospf-1-area-0.0.0.0] network 10.125.99.3 0.0.0.0       
[*ServerLeaf2_1-ospf-1-area-0.0.0.0] quit
[*ServerLeaf2_1-ospf-1] quit
[*ServerLeaf2_1-ospf-1] commit

          #配置ServerLeaf2_2的OSPF路由:

          [~ServerLeaf2_2] bfd  
[*ServerLeaf2_2-bfd] quit
[*ServerLeaf2_2] ospf 1 router-id 10.125.98.6
[*ServerLeaf2_2-ospf-1] bfd all-interfaces enable
[*ServerLeaf2_2-ospf-1] bfd all-interfaces min-tx-interval 500 min-rx-interval 500 detect-multiplier 3   
[*ServerLeaf2_2-ospf-1] lsa-arrival-interval intelligent-timer 50 50 50     //设置OSPF LSA接收的时间间隔,优化收敛时间
[*ServerLeaf2_2-ospf-1] area 0.0.0.0
[*ServerLeaf2_2-ospf-1-area-0.0.0.0] network 10.125.97.32 0.0.0.3      //分别建立与2台Border Leaf设备的路由邻居
[*ServerLeaf2_2-ospf-1-area-0.0.0.0] network 10.125.97.48 0.0.0.3
[*ServerLeaf2_2-ospf-1-area-0.0.0.0] network 10.125.98.6 0.0.0.0       //发布Loopback地址
[*ServerLeaf2_2-ospf-1-area-0.0.0.0] network 10.125.99.3 0.0.0.0       
[*ServerLeaf2_2-ospf-1-area-0.0.0.0] quit
[*ServerLeaf2_2-ospf-1] quit
[*ServerLeaf2_2-ospf-1] commit
        2. 配置OSPF网络故障收敛性能优化。
          #配置ServerLeaf1_1的OSPF网络故障收敛性能优化:

          [~ServerLeaf1_1] interface 100GE 1/0/1
[*ServerLeaf1_1-100GE1/0/1] ospf peer hold-max-cost timer 300000   //所有Border Leaf和Server Leaf配置OSPF邻居建立后在本地设备的LSA中保持最大开销值的时间300s,源于240s的M-LAG延迟UP时间(同时overlay路由收敛)+ 60s的设备表项同步时间
[*ServerLeaf1_1-100GE1/0/1] quit
[*ServerLeaf1_1] interface 100GE 1/0/2
[*ServerLeaf1_1-100GE1/0/2] ospf peer hold-max-cost timer 300000  
[*ServerLeaf1_1-100GE1/0/2] quit
[*ServerLeaf1_1-100GE1/0/2] commit

          #配置ServerLeaf1_2、ServerLeaf2_1、ServerLeaf2_2的OSPF网络故障收敛性能优化,配置过程及数据与ServerLeaf1_1一致,不再赘述。

        3. 配置BGP EVPN。#配置ServerLeaf1_1的BGP EVPN: 
          [~ServerLeaf1_1] evpn-overlay enable     //使能EVPN作为VXLAN的控制平面
[*ServerLeaf1_1] bgp 100
[*ServerLeaf1_1-bgp] router-id 10.125.98.3
[*ServerLeaf1_1-bgp] advertise lowest-priority all-address-family peer-up delay 360  //在邻居状态由Down到Up时将BGP路由的优先级调整为最低优先级;路由延时发布,解决回切场景丢包时间长问题
[*ServerLeaf1_1-bgp] undo default ipv4-unicast       //关闭BGP IPv4单播邻居,降低设备负荷
[*ServerLeaf1_1-bgp] group BorderLeaf internal       //配置名为BorderLeaf的对等体组并加入相应对等体。
[*ServerLeaf1_1-bgp] peer 10.125.98.1 group BorderLeaf
[*ServerLeaf1_1-bgp] peer 10.125.98.2 group BorderLeaf
[*ServerLeaf1_1-bgp] peer ServerLeaf connect-interface LoopBack1    //指定发送BGP报文的源接口
[*ServerLeaf1_1-bgp] l2vpn-family evpn          //使能并进入BGP-EVPN地址族视图
[*ServerLeaf1_1-bgp-af-evpn] peer BorderLeaf enable
[*ServerLeaf1_1-bgp-af-evpn] peer 10.125.98.1 group BorderLeaf
[*ServerLeaf1_1-bgp-af-evpn] peer 10.125.98.2 group BorderLeaf
[*ServerLeaf1_1-bgp-af-evpn] peer BorderLeaf advertise irb   //配置向BGP EVPN对等体组BorderLeaf发布irb和irbv6路由
[*ServerLeaf1_1-bgp-af-evpn] peer BorderLeaf advertise irbv6
[*ServerLeaf1_1-bgp-af-evpn] quit
[*ServerLeaf1_1-bgp] quit
[*ServerLeaf1_1-bgp] commit

          #配置ServerLeaf1_2的BGP EVPN:

          [~ServerLeaf1_2] evpn-overlay enable     //使能EVPN作为VXLAN的控制平面
[*ServerLeaf1_2] bgp 100
[*ServerLeaf1_2-bgp] router-id 10.125.98.4
[*ServerLeaf1_2-bgp] advertise lowest-priority all-address-family peer-up delay 360  //在邻居状态由Down到Up时将BGP路由的优先级调整为最低优先级;路由延时发布,解决回切场景丢包时间长问题
[*ServerLeaf1_2-bgp] undo default ipv4-unicast       //关闭BGP IPv4单播邻居,降低设备负荷
[*ServerLeaf1_2-bgp] group BorderLeaf internal       //配置名为BorderLeaf的对等体组并加入相应对等体。
[*ServerLeaf1_2-bgp] peer 10.125.98.1 group BorderLeaf
[*ServerLeaf1_2-bgp] peer 10.125.98.2 group BorderLeaf
[*ServerLeaf1_2-bgp] peer ServerLeaf connect-interface LoopBack1    //指定发送BGP报文的源接口
[*ServerLeaf1_2-bgp] l2vpn-family evpn          //使能并进入BGP-EVPN地址族视图
[*ServerLeaf1_2-bgp-af-evpn] peer BorderLeaf enable
[*ServerLeaf1_2-bgp-af-evpn] peer 10.125.98.1 group BorderLeaf
[*ServerLeaf1_2-bgp-af-evpn] peer 10.125.98.2 group BorderLeaf
[*ServerLeaf1_2-bgp-af-evpn] peer BorderLeaf advertise irb   //配置向BGP EVPN对等体组BorderLeaf发布irb和irbv6路由
[*ServerLeaf1_2-bgp-af-evpn] peer BorderLeaf advertise irbv6
[*ServerLeaf1_2-bgp-af-evpn] quit
[*ServerLeaf1_2-bgp] quit
[*ServerLeaf1_2-bgp] commit

          #配置ServerLeaf2_1、ServerLeaf2_2的BGP EVPN。配置过程与上述配置类似,不再赘述。

    3. 配置防火墙。
      1. 配置防火墙基础信息。
        1. 配置防火墙的设备名称。#配置防火墙FW-1的设备名称: 
          <HUAWEI> system-view
[HUAWEI] sysname FW-1

          #配置防火墙FW-2的设备名称:

          <HUAWEI> system-view
[HUAWEI] sysname FW-2
        2. 配置防火墙管理口IP。#配置防火墙FW-1的管理IP: 
          [FW-1] interface 10GE 0/0/0
[FW-1-10GE0/0/0] ip address 192.168.39.50 24
[FW-1-10GE0/0/0] service-manage http permit
[FW-1-10GE0/0/0] service-manage https permit
[FW-1-10GE0/0/0] service-manage ping permit
[FW-1-10GE0/0/0] quit

          #配置防火墙FW-2的管理IP:

          [FW-2] interface 10GE 0/0/0
[FW-2-10GE0/0/0] ip address 192.168.39.51 24
[FW-2-10GE0/0/0] service-manage http permit
[FW-2-10GE0/0/0] service-manage https permit
[FW-2-10GE0/0/0] service-manage ping permit
[FW-2-10GE0/0/0] quit
      2. 关闭备份当前运行配置的功能,在主备防火墙上均需要配置。#在FW-1上,关闭备份当前运行配置的功能: 
        [FW-1] configuration backup local disable

        #在FW2上,关闭备份当前运行配置的功能:

        [FW-2] configuration backup local disable
      3. 配置防火墙与Border Leaf互联端口。#配置FW-1上的业务端口: 
        [FW-1] interface Eth-Trunk11 
[FW-1-Eth-Trunk11] portswitch
[FW-1-Eth-Trunk11] port link-type trunk
[FW-1-Eth-Trunk11] undo port trunk allow-pass vlan 1
[FW-1-Eth-Trunk11] trunkport 10GE 1/0/8 to 1/0/9
[FW-1-Eth-Trunk11] mode lacp-static
[FW-1-Eth-Trunk11] quit
[FW-1] interface 10GE1/0/8  //开启当前使用的接口
[FW-1-10GE1/0/8] undo shutdown
[FW-1-10GE1/0/8] quit
[FW-1] interface 10GE1/0/9 
[FW-1-10GE1/0/9] undo shutdown
[FW-1-10GE1/0/9] quit

        #配置FW-2上的业务端口,配置过程及数据与FW-1一致,不再赘述。

      4. 配置两台防火墙之间的心跳接口。#配置FW-1上的心跳接口: 
        [FW-1] interface Eth-Trunk0 
[FW-1-Eth-Trunk0] description HRP
[FW-1-Eth-Trunk0] ip address 10.125.97.73 255.255.255.252
[FW-1-Eth-Trunk0] trunkport 10GE 1/0/0 to 1/0/1
[FW-1-Eth-Trunk0] mode lacp-static
[FW-1-Eth-Trunk0] quit
[FW-1] interface 10GE1/0/0  //开启当前使用的接口
[FW-1-10GE1/0/0] undo shutdown
[FW-1-10GE1/0/0] quit
[FW-1] interface 10GE1/0/1
[FW-1-10GE1/0/1] undo shutdown
[FW-1-10GE1/0/1] quit

        #配置FW-2上的心跳接口:

        [FW-2] interface Eth-Trunk0 
[FW-2-Eth-Trunk0] description HRP
[FW-2-Eth-Trunk0] ip address 10.125.97.74 255.255.255.252
[FW-2-Eth-Trunk0] trunkport 10GE 1/0/0 to 1/0/1
[FW-2-Eth-Trunk0] mode lacp-static
[FW-2-Eth-Trunk0] quit
[FW-2] interface 10GE1/0/0  //开启当前使用的接口
[FW-2-10GE1/0/0] undo shutdown
[FW-2-10GE1/0/0] quit
[FW-2] interface 10GE1/0/1
[FW-2-10GE1/0/1] undo shutdown
[FW-2-10GE1/0/1] quit
      5. 配置两台防火墙的主备镜像模式。#配置FW-1: 
        [FW-1] hrp interface Eth-Trunk0 remote 10.125.97.74    //指定心跳口
[FW-1] hrp mirror config enable                          //配置镜像模式
[FW-1] hrp enable                                         //启用双机热备功能
[FW-1] hrp track interface Eth-Trunk11                 //配置VGMP组监控上下行业务接口
[FW-1] undo hrp track trunk-member enable              //关闭hrp监控trunk成员接口状态
[FW-1] hrp mgt-interface Eth-Trunk1                    //配置双机热备管理接口
[FW-1] hrp mirror session enable                       //启用会话快速备份功能
[FW-1] hrp standby config enable                       //开启备用设备的部分配置功能
[FW-1] hrp base config enable                          //配置FW启动时以基础配置启动,其他配置从对端设备同步。
[FW-1] undo hrp preempt                                 //关闭防火墙镜像模式下的主备抢占
        #配置FW-2:

        [FW-2] hrp interface Eth-Trunk0 remote 10.125.97.73
[FW-2] hrp mirror config enable                          
[FW-2] hrp enable          //备防火墙配置完镜像模式,启用双机热备功能后,后续配置可以从主防火墙同步
[FW-2] hrp track interface Eth-Trunk11                
[FW-2] undo hrp track trunk-member enable            
[FW-2] hrp mgt-interface Eth-Trunk1                 
[FW-2] hrp mirror session enable                   
[FW-2] hrp standby config enable                     
[FW-2] hrp base config enable                        
[FW-2] undo hrp preempt
      6. 配置安全域及缺省安全策略。如下只需要在FW-1中进行配置,FW2将自动同步。
        #配置Virtual-if0、管理口和心跳口加入安全域:

        [FW-1] firewall zone untrust
[FW-1-zone-untrust] add interface Virtual-if0
[FW-1-zone-untrust] quit
[FW-1] firewall zone dmz
[FW-1-zone-dmz] add interface Eth-Trunk1
[FW-1-zone-dmz] add interface Eth-Trunk0
[FW-1-zone-dmz] quit

        #配置缺省的安全策略为permit:

        [FW-1] security-policy
[FW-1-policy-security] default action permit
[FW-1-policy-security] quit
      7. 使能防火墙的vsys功能。如下只需要在FW-1中进行配置,FW-2将自动同步。 
        [FW-1] vsys enable   //使能防火墙的vsys功能
[FW-1] interface Virtual-if api transform    //开启北向接口的Virtual-if名称转换功能
[FW-1] firewall forward cross-vsys extended  //将FW配置为扩展模式,同一报文最多可以实现跨两次vsys转发。不同VPN之间通过EIP在出口vsys互通场景必须配置。
  3. 配置Overlay网络。
    1. 配置Server Leaf。
      1. 配置业务接入点。# 配置ServerLeaf1_1的业务接入点。 
        [~ServerLeaf1_1] bridge-domain 10
[*ServerLeaf1_1-bd10] quit
[*ServerLeaf1_1] interface eth-trunk 10.1 mode l2
[*ServerLeaf1_1-Eth-Trunk10.1] encapsulation dot1q vid 10
[*ServerLeaf1_1-Eth-Trunk10.1] bridge-domain 10
[*ServerLeaf1_1-Eth-Trunk10.1] quit
[*ServerLeaf1_1-Eth-Trunk10.1] commit

        # 配置ServerLeaf1_2的业务接入点。

        [~ServerLeaf1_2] bridge-domain 10
[*ServerLeaf1_2-bd10] quit
[*ServerLeaf1_2] interface eth-trunk 10.1 mode l2
[*ServerLeaf1_2-Eth-Trunk10.1] encapsulation dot1q vid 10
[*ServerLeaf1_2-Eth-Trunk10.1] bridge-domain 10
[*ServerLeaf1_2-Eth-Trunk10.1] quit
[*ServerLeaf1_2-Eth-Trunk10.1] commit

        # 配置ServerLeaf2_1、ServerLeaf2_2的业务接入点,配置过程与上述配置类似,只是需要将bd10配置为bd20。

      2. 配置VPN实例和EVPN实例。# 配置ServerLeaf1_1。 
        [~ServerLeaf1_1] ip vpn-instance vpn1
[*ServerLeaf1_1-vpn-instance-vpn1] vxlan vni 5010
[*ServerLeaf1_1-vpn-instance-vpn1] ipv4-family
[*ServerLeaf1_1-vpn-instance-vpn1-af-ipv4] route-distinguisher 20:2
[*ServerLeaf1_1-vpn-instance-vpn1-af-ipv4] vpn-target 100:5010 evpn
[*ServerLeaf1_1-vpn-instance-vpn1-af-ipv4] quit
[*ServerLeaf1_1-vpn-instance-vpn1] quit
[*ServerLeaf1_1] bridge-domain 10
[*ServerLeaf1_1-bd10] vxlan vni 10
[*ServerLeaf1_1-bd10] evpn
[*ServerLeaf1_1-bd10-evpn] route-distinguisher 10:2
[*ServerLeaf1_1-bd10-evpn] vpn-target 100:10
[*ServerLeaf1_1-bd10-evpn] vpn-target 100:5010 export-extcommunity
[*ServerLeaf1_1-bd10-evpn] quit
[*ServerLeaf1_1-bd10] quit
[*ServerLeaf1_1] commit

        # 配置ServerLeaf1_2。

        [~ServerLeaf1_2] ip vpn-instance vpn2
[*ServerLeaf1_2-vpn-instance-vpn1] vxlan vni 5010
[*ServerLeaf1_2-vpn-instance-vpn1] ipv4-family
[*ServerLeaf1_2-vpn-instance-vpn1-af-ipv4] route-distinguisher 20:4
[*ServerLeaf1_2-vpn-instance-vpn1-af-ipv4] vpn-target 100:5010 evpn
[*ServerLeaf1_2-vpn-instance-vpn1-af-ipv4] quit
[*ServerLeaf1_2-vpn-instance-vpn1] quit
[*ServerLeaf1_2] bridge-domain 10
[*ServerLeaf1_2-bd10] vxlan vni 10
[*ServerLeaf1_2-bd10] evpn
[*ServerLeaf1_2-bd10-evpn] route-distinguisher 10:4
[*ServerLeaf1_2-bd10-evpn] vpn-target 100:10
[*ServerLeaf1_2-bd10-evpn] vpn-target 100:5010 export-extcommunity
[*ServerLeaf1_2-bd10-evpn] quit
[*ServerLeaf1_2-bd10] quit
[*ServerLeaf1_2] commit

        # 配置ServerLeaf2_1、ServerLeaf2_2,配置过程与上述配置类似。

      3. 配置VNI的头端复制列表。#配置ServerLeaf1_1的头端复制列表: 
        [~ServerLeaf1_1] interface nve 1
[*ServerLeaf1_1-Nve1] vni 10 head-end peer-list protocol bgp

        #配置ServerLeaf1_2的头端复制列表:

        [~ServerLeaf1_2] interface nve 1
[*ServerLeaf1_2-Nve1] vni 10 head-end peer-list protocol bgp

        # ServerLeaf2_1、ServerLeaf2_2的配置与上述配置类似,这里不再赘述。

      4. 在Server Leaf上配置VXLAN三层网关。
        # 在ServerLeaf1_1上配置VXLAN三层网关。

        [~ServerLeaf1_1] interface vbdif10
[*ServerLeaf1_1-Vbdif10] ip binding vpn-instance vpn1
[*ServerLeaf1_1-Vbdif10] ip address 10.1.1.1 255.255.255.0
[*ServerLeaf1_1-Vbdif10] mac-address 00e0-fc00-0102
[*ServerLeaf1_1-Vbdif10] vxlan anycast-gateway enable
[*ServerLeaf1_1-Vbdif10] arp collect host enable
[*ServerLeaf1_1-Vbdif10] arp broadcast-detect enable
[*ServerLeaf1_1-Vbdif10] quit
[*ServerLeaf1_1] commit

        # ServerLeaf1_2、ServerLeaf2_1、ServerLeaf2_2的配置与ServerLeaf1_1类似,这里不再赘述。要注意ServerLeaf1_1与ServerLeaf1_2要配置相同的Vbdif接口的IP地址和MAC地址。

      5. 配置BGP对邻居发布IP前缀路由。# 配置ServerLeaf1_1。ServerLeaf1_2、ServerLeaf2_1、ServerLeaf2_2的配置与ServerLeaf1_1类似,这里不再赘述。 
        [~ServerLeaf1_1] bgp 100
[~ServerLeaf1_1-bgp] ipv4-family vpn-instance vpn1
[*ServerLeaf1_1-bgp] import-route direct
[*ServerLeaf1_1-bgp] import-route static //对接防火墙的外部路由
[*ServerLeaf1_1-bgp] advertise l2vpn evpn
[*ServerLeaf1_1-bgp] quit
[*ServerLeaf1_1-bgp] quit
[*ServerLeaf1_1] commit
    2. 配置Border Leaf。配置通过Border Leaf访问外网的静态路由。

      # 配置BorderLeaf_1。

      [~BorderLeaf_1] ip route-static 1.2.3.4 255.255.255.0 10.125.97.242

      # 配置BorderLeaf_2。

      [~BorderLeaf_2] ip route-static 1.2.3.4 255.255.255.0 10.125.97.242
    3. 配置FW。关联外部网络的业务,经过防火墙转发,但源IP未改变。为了实现租户使用公网IP与Internet互通,需要部署SNAT实现源IP地址的公私网转换。
      1. 配置vsys关键参数。# 配置FW-1。 
        [FW-1] vlan 3004
[FW-1-vlan3004] quit
[FW-1] interface Vlanif3004
[FW-1-Vlanif3004] ip binding vpn-instance vsys_1
[FW-1-Vlanif3004] ip address 10.125.97.242 255.255.255.252
[FW-1-Vlanif3004] quit
[FW-1] ip route-static 0.0.0.0 0.0.0.0 public
[FW-1] ip route-static 10.132.1.0 255.255.255.0 10.125.97.241

        # 配置FW-2。

        [FW-2] vlan 3004
[FW-2-vlan3004] quit
[FW-2] interface Vlanif3004
[FW-2-Vlanif3004] ip binding vpn-instance vsys_1
[FW-2-Vlanif3004] ip address 10.125.97.242 255.255.255.252
[FW-2-Vlanif3004] quit
[FW-2] ip route-static 0.0.0.0 0.0.0.0 public
[FW-2] ip route-static 10.132.1.0 255.255.255.0 10.125.97.241
      2. 配置public关键参数。# 配置FW-1。 
        [FW-1] vsys name vsys_1 1
[FW-1-vsys_1] assign vlan 3004
[FW-1-vsys_1] quit
[FW-1] ip vpn-instance vsys_1
[FW-1-vsys_1] ipv4-family
[FW-1-vsys_1] quit
[FW-1] vlan 3005
[FW-1-vlan3005] quit
[FW-1] interface Vlanif3005
[FW-1-Vlanif3005] ip address 10.125.97.242 255.255.255.252
[FW-1-Vlanif3005] quit
[FW-1] interface Eth-Trunk11
[FW-1-Eth-Trunk11] portswitch
[FW-1-Eth-Trunk11] port link-type trunk
[FW-1-Eth-Trunk11] undo port trunk allow-pass vlan 1
[FW-1-Eth-Trunk11] port trunk allow-pass vlan 3004 to 3005
[FW-1-Eth-Trunk11] quit
[FW-1] ip route-static 0.0.0.0 0.0.0.0 10.125.97.241
[FW-1] ip route-static 10.132.1.0 255.255.255.0 vpn-instance vsys_1

        # 配置FW-2。

        [FW-2] vsys name vsys_1 1
[FW-2-vsys_1] assign vlan 3004
[FW-2-vsys_1] quit
[FW-2] ip vpn-instance vsys_1
[FW-2-vsys_1] ipv4-family
[FW-2-vsys_1] quit
[FW-2] vlan 3005
[FW-2-vlan3005] quit
[FW-2] interface Vlanif3005
[FW-2-Vlanif3005] ip address 10.125.97.242 255.255.255.252
[FW-2-Vlanif3005] quit
[FW-2] interface Eth-Trunk11
[FW-2-Eth-Trunk11] portswitch
[FW-2-Eth-Trunk11] port link-type trunk
[FW-2-Eth-Trunk11] undo port trunk allow-pass vlan 1
[FW-2-Eth-Trunk11] port trunk allow-pass vlan 3004 to 3005
[FW-2-Eth-Trunk11] quit
[FW-2] ip route-static 0.0.0.0 0.0.0.0 10.125.97.241
[FW-2] ip route-static 10.132.1.0 255.255.255.0 vpn-instance vsys_1
      3. 配置SNAT。# 配置FW_1。 
        [FW-1] nat address-group addgrp 0
[FW-1-address-group-addgrp] mode pat
[FW-1-address-group-addgrp] section 0 1.2.3.4 1.2.3.4
[FW-1-address-group-addgrp] quit
[FW-1] security-policy
[FW-1-policy-security] rule name rule1
[FW-1-policy-security-rule-rule1] source-address 10.132.1.0 mask 255.255.255.0
[FW-1-policy-security-rule-rule1] action permit
[FW-1] nat-policy
[FW-1-policy-nat] rule name rule1
[FW-1-policy-nat-rule-rule1] description SNAT_01
[FW-1-policy-nat-rule-rule1] source-zone trust
[FW-1-policy-nat-rule-rule1] destination-zone untrust
[FW-1-policy-nat-rule-rule1] source-address 10.132.1.0 mask 255.255.255.0
[FW-1-policy-nat-rule-rule1] action source-nat address-group addgrp 
[FW-1-policy-nat-rule-rule1] quit 
[FW-1-policy-nat] quit 
[FW-1] firewall import-flow public 1.2.3.4 1.2.3.4 vpn-instance vsys_1

        # 配置FW-2。配置过程与参数与FW_1一致,这边不再赘述。

检查配置结果

  1. Underlay配置完成后,需按照下述步骤检查配置结果是否正常。
    1. 检查Underlay路由邻居状态,Loop接口地址能相互ping通,以BorderLeaf_1的显示为例。#Border Leaf分别和Server Leaf建立OSPF邻居: 
      <BorderLeaf_1> display ospf peer brief
OSPF Process 1 with Router ID 10.125.98.1
                   Peer Statistic Information
				
Total number of peer(s): 4
 Peer(s) in full state: 4
-----------------------------------------------------------------------------
 Area Id         Interface                  Neighbor id          State
 0.0.0.0         100GE1/0/0                  10.125.98.3          Full
 0.0.0.0         100GE1/0/1                  10.125.98.4          Full
 0.0.0.0         100GE1/0/2                  10.125.98.5          Full
 0.0.0.0         100GE1/0/3                  10.125.98.6          Full
-----------------------------------------------------------------------------
    2. 检查BGP EVPN邻居状态,以BorderLeaf_1为例。Border Leaf与Server Leaf分别建立BGP EVPN对等体关系: 
      <BorderLeaf_1> display bgp evpn peer 
 BGP local router ID        : 10.125.98.1
 Local AS number            : 100
 Total number of peers      : 4
 Peers in established state : 4

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  10.125.98.3     4         100      646     2973     0 08:44:07 Established        3
  10.125.98.4     4         100      651     2983     0 08:43:53 Established        3
  10.125.98.5     4         100      605     2729     0 08:43:50 Established        0
  10.125.98.6     4         100      607     2733     0 08:44:21 Established        0
  2. Overlay配置完成后,需按照下述步骤检查配置结果是否正常。
    1. 检查VXLAN隧道的信息,在ServerLeaf1_2、ServerLeaf2_1、ServerLeaf2_2上执行display vxlan tunnel命令可查看到VXLAN隧道的信息。以ServerLeaf1_1显示为例。 
      [~ServerLeaf1_1] display vxlan tunnel
Number of vxlan tunnel : 1
Tunnel ID   Source                Destination           State  Type     Uptime
-----------------------------------------------------------------------------------
4026531841  10.125.99.2           10.125.99.3           up     dynamic  0032h21m

      ServerLeaf1_2、ServerLeaf2_1、ServerLeaf2_2上的二层子接口需要有服务器接入后,才可以查看到隧道状态为up。在无服务器接入的情况下,会因为没有IRB类型路由的发布,导致无法查看到VXLAN隧道状态。

    2. 检查BGP EVPN邻居状态,以BorderLeaf_1为例。Border Leaf与Server Leaf分别建立BGP EVPN对等体关系: 
      <BorderLeaf_1> display bgp evpn peer
 BGP local router ID        : 10.125.98.1
 Local AS number            : 100
 Total number of peers      : 4
 Peers in established state : 4

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  10.125.98.3     4         100      646     2973     0 08:44:07 Established        3
  10.125.98.4     4         100      651     2983     0 08:43:53 Established        3
  10.125.98.5     4         100      605     2729     0 08:43:50 Established        0
  10.125.98.6     4         100      607     2733     0 08:44:21 Established        0

配置脚本

  • BorderLeaf_1的配置脚本 
    # --------BorderLeaf_1与Server Leaf互联接口地址
interface 100GE1/0/0  
 description to ServerLeaf1_1                 
 undo portswitch 
 ip address 10.125.97.21 255.255.255.252 
# 
interface 100GE1/0/1 
 description to ServerLeaf1_2   
 undo portswitch 
 ip address 10.125.97.25 255.255.255.252 
# 
interface 100GE1/0/2 
 description to ServerLeaf2_1   
 undo portswitch 
 ip address 10.125.97.29 255.255.255.252 
# 
interface 100GE1/0/3 
 description to ServerLeaf2_2   
 undo portswitch 
 ip address 10.125.97.33 255.255.255.252 
#

#--------BorderLeaf_1与FW互联的管理链路接口地址
vlan 11 
interface Vlanif11 
 description to FW1-2 
 ip address 10.125.97.57 255.255.255.248 
 mac-address 00e0-fc00-0101 
#

#-------静态Bypass VXLAN隧道源IP地址
vlan 100
#
interface Vlanif100
 ip address 10.125.96.1 255.255.255.252
 reserved for vxlan bypass
#
ip route-static 10.135.98.2 32 10.125.96.2 preference 1
#

#--------BorderLeaf_1的Loopback接口地址
interface LoopBack0 
 description VTEP 
 ipv6 enable    //当需要使用IPv6时,配置使能IPv6
 ip address 10.125.99.1 255.255.255.255 
# 
interface LoopBack1 
 description AC-MGMT/DFS-GROUP/ROUTER-ID 
 ip address 10.125.98.1 255.255.255.255 
#
interface LoopBack2 
 description Bypass VXLAN 
 ip address 10.135.98.1 255.255.255.255 
#

#--------BorderLeaf_1的NVE接口
interface Nve1    
 source 10.125.99.1    
 mac-address 00e0-fc00-0101  
 pip-source 10.135.98.1 peer 10.135.98.2   
#

#--------BorderLeaf_1的M-LAG模式
stp mode rstp
stp v-stp enable   //配置V-STP方式的M-LAG
# 

#--------M-LAG的DFS组
dfs-group 1 
 priority 150    //配置DFS优先级高于对端,默认是100 
 authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!C+tR0CW9x*eB&pWp`t),Azgwh\o8#4LZPD!!!!!!!!!!!!!!!9!!!!>fwJ)I0E{=:%,*,XRhbH&t0MCy_8=7!!!!!!!!!!%+%#
 dual-active detection source ip 10.125.98.1  
 consistency-check enable mode loose    //使能M-LAG配置一致性检查,模式为松散模式
#

#--------peer-link
interface Eth-Trunk0 
 trunkport 100GE 4/0/47 
 trunkport 100GE 1/0/23 
 mode lacp-static
 lacp mixed-rate link enable   //使能不同速率的接口加入LACP模式的Eth-Trunk接口后可转发数据报文功能
 peer-link 1 
 port vlan exclude 1 
#
interface 100GE1/0/23
 distribute-weight 4          //配置100GE成员接口的负载分担权重值为4,100GE成员接口的权重值保持默认值1
#

#--------M-LAG接口:BorderLeaf_1与防火墙互联
interface Eth-Trunk1    //配置与FW主设备互联管理口
 description FW_1_MGMT  
 trunkport 100GE 4/0/41 
 port default vlan 11 
 mode lacp-static
 dfs-group 1 m-lag 1 
# 
interface Eth-Trunk2    //配置与FW备设备互联管理口
 description FW_2_MGMT  
 trunkport 100GE 4/0/42 
 port default vlan 11 
 mode lacp-static
 dfs-group 1 m-lag 2 
# 
interface Eth-Trunk11   //配置与FW主设备互联业务口
 trunkport 100GE 4/0/43 
 port link-type trunk
 undo port trunk allow-pass vlan 1
 stp edged-port enable
 mode lacp-static
 dfs-group 1 m-lag 3 
# 
interface Eth-Trunk12   //配置与FW备设备互联业务口
 trunkport 100GE 4/0/44 
 port link-type trunk
 undo port trunk allow-pass vlan 1
 stp edged-port enable
 mode lacp-static
 dfs-group 1 m-lag 4 
#

#--------OSPF路由打通VXLAN Underlay路由
bfd    //全局使能BFD功能
#
ospf 1 router-id 10.125.98.1 
 bfd all-interfaces enable
 bfd all-interfaces min-tx-interval 500 min-rx-interval 500 detect-multiplier 3  
 lsa-arrival-interval intelligent-timer 50 50 50     //设置OSPF LSA接收的时间间隔,优化收敛时间
 area 0.0.0.0 
  network 10.125.97.20 0.0.0.3 
  network 10.125.97.24 0.0.0.3 
  network 10.125.97.28 0.0.0.3 
  network 10.125.97.32 0.0.0.3   //分别建立与4台Server Leaf设备的路由邻居
  network 10.125.97.56 0.0.0.7   //发布防火墙带内管理地址,打通路由
  network 10.125.98.1 0.0.0.0 
  network 10.125.99.1 0.0.0.0    //发布Loopback地址
# 
interface 100GE1/0/0  
 description to ServerLeaf1_1                 
 undo portswitch 
 ip address 10.125.97.21 255.255.255.252 
 ospf network-type p2p   //配置与Server Leaf互联OSPF接口的网络类型为P2P
# 
interface 100GE1/0/1 
 description to ServerLeaf1_2   
 undo portswitch 
 ip address 10.125.97.25 255.255.255.252 
 ospf network-type p2p      
# 
interface 100GE1/0/2 
 description to ServerLeaf2_1   
 undo portswitch 
 ip address 10.125.97.29 255.255.255.252 
 ospf network-type p2p      
# 
interface 100GE1/0/3 
 description to ServerLeaf2_2   
 undo portswitch 
 ip address 10.125.97.33 255.255.255.252 
 ospf network-type p2p      
#

#--------OSPF网络故障收敛性能优化
interface 100GE1/0/0
 ospf peer hold-max-cost timer 300000   //所有Spine和Leaf配置OSPF邻居建立后在本地设备的LSA中保持最大开销值的时间300s,源于240s的M-LAG延迟UP时间(同时overlay路由收敛)+ 60s的设备表项同步时间
#
interface 100GE1/0/1
 ospf peer hold-max-cost timer 300000       
#
interface 100GE1/0/2
 ospf peer hold-max-cost timer 300000 
#
interface 100GE1/0/3
 ospf peer hold-max-cost timer 300000 
#

#--------BGP EVPN
evpn-overlay enable     //使能EVPN作为VXLAN的控制平面
# 
bgp 100 
 router-id 10.125.98.1 
 advertise lowest-priority all-address-family peer-up delay 360  //在邻居状态由Down到Up时将BGP路由的优先级调整为最低优先级;路由延时发布,解决回切场景丢包时间长问题
 undo default ipv4-unicast       //关闭BGP IPv4单播邻居,降低设备负荷
 group ServerLeaf internal       //配置Server Leaf的对等体组并加入相应对等体。
 peer 10.125.98.3 group ServerLeaf    
 peer 10.125.98.4 group ServerLeaf 
 peer 10.125.98.5 group ServerLeaf 
 peer 10.125.98.6 group ServerLeaf  
 peer ServerLeaf connect-interface LoopBack1    //指定发送BGP报文的源接口
 # 
 l2vpn-family evpn          //使能并进入BGP-EVPN地址族视图
  undo policy vpn-target       //配置去使能对接收到的EVPN路由使能VPN-Target过滤功能
  peer ServerLeaf enable
  peer 10.125.98.3 group ServerLeaf
  peer 10.125.98.4 group ServerLeaf
  peer 10.125.98.5 group ServerLeaf
  peer 10.125.98.6 group ServerLeaf
  peer ServerLeaf advertise irb   //配置向BGP EVPN对等体组Server Leaf发布irb和irbv6路由
  peer ServerLeaf advertise irbv6
  peer ServerLeaf reflect-client   //配置路由反射器功能
#

#
ip route-static 1.2.3.4 255.255.255.0 10.125.97.242
#
  • BorderLeaf_2的配置脚本 
    # --------BorderLeaf_2与Server Leaf互联接口地址
interface 100GE1/0/0 
 description to ServerLeaf1_1   
 undo portswitch 
 ip address 10.125.97.37 255.255.255.252 
# 
interface 100GE1/0/1 
 description to ServerLeaf1_2   
 undo portswitch 
 ip address 10.125.97.41 255.255.255.252 
# 
interface 100GE1/0/2 
 description to ServerLeaf2_1   
 undo portswitch 
 ip address 10.125.97.45 255.255.255.252 
# 
interface 100GE1/0/3 
 description to ServerLeaf2_2   
 undo portswitch 
 ip address 10.125.97.49 255.255.255.252 
#

#--------BorderLeaf_2与FW互联的管理链路接口地址
vlan 11 
interface Vlanif11 
 description to FW1-2 
 ip address 10.125.97.57 255.255.255.248 
 mac-address 00e0-fc00-0101 
#

#-------静态Bypass VXLAN隧道源IP地址
vlan 100
 m-lag peer-link reserved
#
interface Vlanif100
 ip address 10.125.96.2 255.255.255.252
 reserved for vxlan bypass
#
ip route-static 10.135.98.1 32 10.125.96.1 preference 1
#

#--------BorderLeaf_2的Loopback接口地址
interface LoopBack0   
 description VTEP  
 ipv6 enable   //当需要使用IPv6时,配置使能IPv6
 ip address 10.125.99.1 255.255.255.255      
#  
interface LoopBack1     
 description AC-MGMT/DFS-GROUP/ROUTER-ID   
 ip address 10.125.98.2 255.255.255.255    
#      
interface LoopBack2 
 description Bypass VXLAN 
 ip address 10.135.98.2 255.255.255.255 
#

#--------BorderLeaf_2的NVE接口
interface Nve1                                     
 source 10.125.99.1    
 mac-address 00e0-fc00-0101  
 pip-source 10.135.98.2 peer 10.135.98.1 bypass
#

#--------BorderLeaf_2的M-LAG模式
stp mode rstp
stp v-stp enable 
# 

#--------M-LAG的DFS组
dfs-group 1 
 authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!C+tR0CW9x*eB&pWp`t),Azgwh\o8#4LZPD!!!!!!!!!!!!!!!9!!!!>fwJ)I0E{=:%,*,XRhbH&t0MCy_8=7!!!!!!!!!!%+%#
 dual-active detection source ip 10.125.98.2  
 consistency-check enable mode loose
#

#--------peer-link
interface Eth-Trunk0 
 trunkport 100GE 4/0/47 
 trunkport 100GE 1/0/23 
 mode lacp-static 
 lacp mixed-rate link enable 
 peer-link 1 
 port vlan exclude 1
#
interface 100GE1/0/23                                                                                                               
 distribute-weight 4 
#

#--------M-LAG接口:BorderLeaf_2与防火墙互联
interface Eth-Trunk1 
 description FW_1_MGMT  
 trunkport 100GE 4/0/41 
 port default vlan 11 
 mode lacp-static
 dfs-group 1 m-lag 1 
# 
interface Eth-Trunk2 
 description FW_2_MGMT  
 trunkport 100GE 4/0/42 
 port default vlan 11 
 mode lacp-static
 dfs-group 1 m-lag 2 
# 
interface Eth-Trunk11 
 trunkport 100GE 4/0/43 
 port link-type trunk
 undo port trunk allow-pass vlan 1
 stp edged-port enable
 mode lacp-static
 dfs-group 1 m-lag 3 
# 
interface Eth-Trunk12 
 trunkport 100GE 4/0/44 
 port link-type trunk
 undo port trunk allow-pass vlan 1
 stp edged-port enable
 mode lacp-static
 dfs-group 1 m-lag 4 
#

#--------OSPF路由打通VXLAN Underlay路由
bfd            
#
ospf 1 router-id 10.125.98.2 
 bfd all-interfaces enable
 bfd all-interfaces min-tx-interval 500 min-rx-interval 500 detect-multiplier 3  //仅组网中全部为支持硬件BFD的款型时,配置500ms*3;其余保持默认配置1000ms*3
 lsa-arrival-interval intelligent-timer 50 50 50
 area 0.0.0.0 
  network 10.125.97.36 0.0.0.3 
  network 10.125.97.40 0.0.0.3 
  network 10.125.97.44 0.0.0.3 
  network 10.125.97.48 0.0.0.3 
  network 10.125.97.56 0.0.0.7 
  network 10.125.98.2 0.0.0.0 
  network 10.125.99.1 0.0.0.0 
# 
interface 100GE1/0/0 
 description to ServerLeaf1_1   
 undo portswitch 
 ip address 10.125.97.37 255.255.255.252 
 ospf network-type p2p      
# 
interface 100GE1/0/1 
 description to ServerLeaf1_2   
 undo portswitch 
 ip address 10.125.97.41 255.255.255.252 
 ospf network-type p2p      
# 
interface 100GE1/0/2 
 description to ServerLeaf2_1   
 undo portswitch 
 ip address 10.125.97.45 255.255.255.252 
 ospf network-type p2p      
# 
interface 100GE1/0/3 
 description to ServerLeaf2_2   
 undo portswitch 
 ip address 10.125.97.49 255.255.255.252 
 ospf network-type p2p      
#

#--------OSPF网络故障收敛性能优化
interface 100GE1/0/0
 ospf peer hold-max-cost timer 300000   //所有Spine和Leaf配置OSPF邻居建立后在本地设备的LSA中保持最大开销值的时间300s,源于240s的M-LAG延迟UP时间(同时overlay路由收敛)+ 60s的设备表项同步时间
#
interface 100GE1/0/1
 ospf peer hold-max-cost timer 300000       
#
interface 100GE1/0/2
 ospf peer hold-max-cost timer 300000 
#
interface 100GE1/0/3
 ospf peer hold-max-cost timer 300000 
#

#--------BGP EVPN
evpn-overlay enable                     
# 
bgp 100 
 router-id 10.125.98.2  
 advertise lowest-priority all-address-family peer-up delay 360   
 undo default ipv4-unicast             
 group ServerLeaf internal
 peer 10.125.98.3 group ServerLeaf                      
 peer 10.125.98.4 group ServerLeaf 
 peer 10.125.98.5 group ServerLeaf 
 peer 10.125.98.6 group ServerLeaf  
 peer ServerLeaf connect-interface LoopBack1
 # 
 l2vpn-family evpn 
  undo policy vpn-target                            
  peer ServerLeaf enable
  peer 10.125.98.3 group ServerLeaf
  peer 10.125.98.4 group ServerLeaf
  peer 10.125.98.5 group ServerLeaf
  peer 10.125.98.6 group ServerLeaf
  peer ServerLeaf advertise irb   
  peer ServerLeaf advertise irbv6
  peer ServerLeaf reflect-client   
#

#
ip route-static 1.2.3.4 255.255.255.0 10.125.97.242
#
  • ServerLeaf1_1的配置脚本 
    #--------ServerLeaf1_1与Border Leaf的互联接口地址
interface 100GE1/0/1 
 description to BorderLeaf_1  
 undo portswitch 
 ip address 10.125.97.22 255.255.255.252 
 ospf network-type p2p
# 
interface 100GE1/0/2 
 description to BorderLeaf_2  
 undo portswitch 
 ip address 10.125.97.38 255.255.255.252 
 ospf network-type p2p
#

#--------Loopback接口地址
interface LoopBack0    
 description VTEP  
 ipv6 enable     //当需要使用IPv6时,配置使能IPv6                                        
 ip address 10.125.99.2 255.255.255.255                      
#                 
interface LoopBack1               
 description AC-MGMT/DFS-GROUP/ROUTER-ID    
 ip address 10.125.98.3 255.255.255.255    
#  
interface LoopBack2 
 description Bypass VXLAN 
 ip address 10.135.98.3 255.255.255.255 
#

#-------静态Bypass VXLAN隧道源IP地址
vlan 100
#
interface Vlanif100
 ip address 10.125.96.5 255.255.255.252
 reserved for vxlan bypass
#
ip route-static 10.135.98.4 32 10.125.96.6 preference 1
#

#--------NVE接口VTEP IP和虚拟MAC地址
interface Nve1    
 source 10.125.99.2    
 mac-address 00e0-fc00-0102   
 pip-source 10.135.98.3 peer 10.135.98.4 bypass
#

#--------M-LAG模式
stp mode rstp
stp v-stp enable   //配置V-STP方式的M-LAG
stp tc-protection              //使能设备对TC类型BPDU报文的保护功能
stp bpdu-protection            //使能设备的BPDU保护功能
arp ip-conflict-detect enable  //使能设备的IP地址冲突检测的功能
# 

#--------M-LAG的DFS组
dfs-group 1 
 priority 150    //配置DFS优先级高于对端,默认是100 
 authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!C+tR0CW9x*eB&pWp`t),Azgwh\o8#4LZPD!!!!!!!!!!!!!!!9!!!!>fwJ)I0E{=:%,*,XRhbH&t0MCy_8=7!!!!!!!!!!%+%#
 dual-active detection source ip 10.125.98.3  
 consistency-check enable mode loose    //使能M-LAG配置一致性检查,模式为松散模式
#

#--------peer-link
interface Eth-Trunk0 
 trunkport 100GE 1/0/5 to 1/0/6 
 mode lacp-static 
 peer-link 1 
 port vlan exclude 1
#

#--------业务服务器以负载分担方式接入
interface eth-trunk 10
 mode lacp-static  
 port link-type trunk              
 undo port trunk allow-pass vlan 1  
 trunkport 100GE 1/0/1 
 dfs-group 1 m-lag 10  
 stp edged-port enable    //配置边缘端口
#
interface 100GE1/0/1   //服务器接入端口
 storm suppression unknown-unicast 5   //配置未知单播抑制,经验值为100GE端口的5%带宽,建议业务端口都部署
 storm suppression multicast packets 1000  //配置组播报文抑制,经验值为1000pps。
 storm suppression broadcast packets 1000  //配置广播报文抑制,经验值为1000pps,建议业务端口都部署
#

#--------服务器以主备方式接入
interface 100GE1/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1  //不放通VLAN1,防止成环
 storm suppression unknown-unicast 5  //配置未知单播抑制,经验值为100GE端口的5%带宽,建议业务端口都部署
 storm suppression multicast packets 1000  //配置组播报文抑制,经验值为1000pps
 storm suppression broadcast packets 1000  //配置广播报文抑制,经验值为1000pps,建议业务端口都部署
 stp edged-port enable
#

#--------monitor-link关联上行接口和下行接口
monitor-link group 1 
 port 100GE1/0/1 uplink 
 port 100GE1/0/2 uplink 
 port Eth-Trunk10 downlink 1 
 timer recover-time 60   //配置回切时间,防止上行故障回切丢包。
#

# --------OSPF路由
bfd            //全局使能BFD功能
#
ospf 1 router-id 10.125.98.3 
 bfd all-interfaces enable
 bfd all-interfaces min-tx-interval 500 min-rx-interval 500 detect-multiplier 3   
 lsa-arrival-interval intelligent-timer 50 50 50   //设置OSPF LSA接收的时间间隔,优化收敛时间
 area 0.0.0.0 
  network 10.125.97.20 0.0.0.3 
  network 10.125.97.36 0.0.0.3   //分别建立与2台Border Leaf设备的路由邻居
  network 10.125.98.3 0.0.0.0 
  network 10.125.99.2 0.0.0.0   //发布Loopback地址
# 

#--------网络故障收敛性能优化
interface 100GE1/0/2   
 ospf peer hold-max-cost timer 300000    //所有Spine和Leaf配置OSPF邻居建立后在本地设备的LSA中保持最大开销值的时间300s,源于240s的M-LAG延迟UP时间(同时overlay路由收敛)+ 60s的设备表项同步时间
#
interface 100GE1/0/3  
 ospf peer hold-max-cost timer 300000    
#

#--------BGP EVPN
evpn-overlay enable   //使能EVPN作为VXLAN的控制平面
# 
bgp 100 
 router-id 10.125.98.3 
 undo default ipv4-unicast   //关闭BGP IPv4单播邻居,降低设备负荷 
 group BorderLeaf internal    //配置BorderLeaf的对等体组并加入相应对等体
 peer 10.125.98.1 group BorderLeaf 
 peer 10.125.98.2 group BorderLeaf 
 peer Spine connect-interface LoopBack1   //指定发送BGP报文的源接口
 # 
 l2vpn-family evpn 
  policy vpn-target 
  peer BorderLeaf enable
  peer 10.125.98.1 group BorderLeaf 
  peer 10.125.98.2 group BorderLeaf 
  peer Spine advertise irb
  peer Spine advertise irbv6
#

#--------Overlay配置
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 20:2
  vpn-target 100:5010 export-extcommunity evpn
  vpn-target 100:5010 import-extcommunity evpn
 vxlan vni 5010
#
bridge-domain 10
 vxlan vni 10
 evpn
  route-distinguisher 10:2
  vpn-target 100:10 export-extcommunity
  vpn-target 100:5010 export-extcommunity
  vpn-target 100:10 import-extcommunity
#
interface Vbdif10
 ip binding vpn-instance vpn1
 ip address 10.1.1.1 255.255.255.0
 arp broadcast-detect enable
 mac-address 00e0-fc00-0102
 vxlan anycast-gateway enable
 arp collect host enable
#
  • ServerLeaf1_2的配置脚本 
    #--------ServerLeaf1_2与Border Leaf的互联接口地址
interface 100GE1/0/1 
 description to BorderLeaf_1  
 undo portswitch 
 ip address 10.125.97.26 255.255.255.252 
 ospf network-type p2p
# 
interface 100GE1/0/2 
 description to BorderLeaf_2  
 undo portswitch 
 ip address 10.125.97.42 255.255.255.252 
 ospf network-type p2p
#

#--------Loopback接口地址
interface LoopBack0 
 description VTEP 
 ipv6 enable    //当需要使用IPv6时,配置使能IPv6   
 ip address 10.125.99.2 255.255.255.255 
# 
interface LoopBack1 
 description AC-MGMT/DFS-GROUP/ROUTER-ID  
 ip address 10.125.98.4 255.255.255.0 
#
interface LoopBack2 
 description Bypass VXLAN 
 ip address 10.135.98.4 255.255.255.255 
#

#-------静态Bypass VXLAN隧道源IP地址
vlan 100
#
interface Vlanif100
 ip address 10.125.96.6 255.255.255.252
 reserved for vxlan bypass
#
ip route-static 10.135.98.3 32 10.125.96.5 preference 1
#

#--------NVE接口VTEP IP和虚拟MAC地址
interface Nve1    
 source 10.125.99.2    
 mac-address 00e0-fc00-0102   
 pip-source 10.135.98.4 peer 10.135.98.3 bypass
#

#--------M-LAG模式
stp mode rstp
stp v-stp enable   //配置V-STP方式的M-LAG
stp tc-protection              //使能设备对TC类型BPDU报文的保护功能
stp bpdu-protection            //使能设备的BPDU保护功能
arp ip-conflict-detect enable  //使能设备的IP地址冲突检测的功能
# 

#--------M-LAG的DFS组
dfs-group 1 
 source ip 10.125.98.4  
 consistency-check enable mode loose
#

#--------peer-link
interface Eth-Trunk0 
 trunkport 100GE 1/0/5 to 1/0/6 
 mode lacp-static 
 peer-link 1 
 port vlan exclude 1
#

#--------业务服务器以负载分担方式接入
interface eth-trunk 10 
  mode lacp-static
  port link-type trunk  
  undo port trunk allow-pass vlan 1  
  trunkport 100GE 1/0/1 
  dfs-group 1 m-lag 10   
  stp edged-port enable 
#
interface 100GE1/0/1
 storm suppression unknown-unicast 5
 storm suppression multicast packets 1000
 storm suppression broadcast packets 1000
#

#--------服务器以主备方式接入
interface 100GE1/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 storm suppression unknown-unicast 5
 storm suppression multicast packets 1000
 storm suppression broadcast packets 1000
 stp edged-port enable
#

#--------monitor-link关联上行接口和下行接口
monitor-link group 1 
 port 100GE1/0/1 uplink 
 port 100GE1/0/2 uplink 
 port Eth-Trunk10 downlink 1 
 timer recover-time 60      
#

# --------OSPF路由
bfd            
#
ospf 1 router-id 10.125.98.4 
 bfd all-interfaces enable
 bfd all-interfaces min-tx-interval 500 min-rx-interval 500 detect-multiplier 3   //仅组网中全部为支持硬件BFD的款型时,配置500ms*3;其余保持默认配置1000ms*3
 lsa-arrival-interval intelligent-timer 50 50 50   //优化三层架构,两台物理设备之间多路ECMP情况的OSPF收敛时间
 area 0.0.0.0 
  network 10.125.97.24 0.0.0.3 
  network 10.125.97.40 0.0.0.3 
  network 10.125.98.4 0.0.0.0 
  network 10.125.99.2 0.0.0.0 
# 

#--------网络故障收敛性能优化
interface 100GE1/0/2   
 ospf peer hold-max-cost timer 300000    //所有Spine和Leaf配置OSPF邻居建立后在本地设备的LSA中保持最大开销值的时间300s,源于240s的M-LAG延迟UP时间(同时overlay路由收敛)+ 60s的设备表项同步时间
#
interface 100GE1/0/3  
 ospf peer hold-max-cost timer 300000    
#

#--------BGP EVPN
evpn-overlay enable                    
# 
bgp 100 
 router-id 10.125.98.4  
 undo default ipv4-unicast             
 group Spine internal            
 peer 10.125.98.1 group Spine
 peer 10.125.98.2 group Spine
 peer Spine connect-interface LoopBack1      
 # 
 l2vpn-family evpn 
  policy vpn-target 
  peer Spine enable
  peer 10.125.98.1 group Spine
  peer 10.125.98.2 group Spine
  peer Spine advertise irb
  peer Spine advertise irbv6
#

#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 20:4
  vpn-target 100:5010 export-extcommunity evpn
  vpn-target 100:5010 import-extcommunity evpn
 vxlan vni 5010
#
bridge-domain 10
 vxlan vni 10
 evpn
  route-distinguisher 10:4
  vpn-target 100:10 export-extcommunity
  vpn-target 100:5010 export-extcommunity
  vpn-target 100:10 import-extcommunity
#
interface Vbdif10
 ip binding vpn-instance vpn1
 ip address 10.1.1.1 255.255.255.0
 arp broadcast-detect enable
 mac-address 00e0-fc00-0102
 vxlan anycast-gateway enable
 arp collect host enable
#
  • ServerLeaf2_1、ServerLeaf2_2的配置脚本与ServerLeaf1_1、ServerLeaf1_2类似,不再赘述。
  • FW-1的配置脚本 
    #--------vsys关键配置
interface Vlanif3004                                                                                                                
 ip binding vpn-instance vsys_1                                                                                      
 ip address 10.125.97.242 255.255.255.252                                                                                           
# 
ip route-static 0.0.0.0 0.0.0.0 public                                                                                              
ip route-static 10.132.1.0 255.255.255.0 10.125.97.241                                                                             
# 

#--------public关键配置                                                                                                                                
vsys name vsys_1 1                                                                                                   
 assign vlan 3004                                                                                                                   
# 
ip vpn-instance vsys_1                                                                                               
 ipv4-family                                                                                                                        
# 
interface Vlanif3005                                                                                                                
 ip address 10.125.97.242 255.255.255.252                                                                                           
#          
interface Eth-Trunk11                                                                                                               
 portswitch                                                                                                                         
 port link-type trunk                                                                                                               
 undo port trunk allow-pass vlan 1                                                                                                  
 port trunk allow-pass vlan 3004 to 3005                                                                                            
#
ip route-static 0.0.0.0 0.0.0.0 10.125.97.241                                                                               
ip route-static 10.132.1.0 255.255.255.0 vpn-instance vsys_1                                                      
#

#--------SNAT的配置                                                                                                                                
nat address-group addgrp 0
 mode pat
 section 0 1.2.3.4 1.2.3.4
#
security-policy
 rule name 20191228113827
  source-address 10.132.1.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name rule1
  description SNAT_01
  source-zone trust
  destination-zone untrust
  source-address 10.132.1.0 mask 255.255.255.0
  action source-nat address-group addgrp
#
 firewall import-flow public 1.2.3.4 1.2.3.4 vpn-instance vsys_1                                             
#
  • FW-2的配置脚本 
    #--------vsys关键配置                                                                                                                            
interface Vlanif3004                                                                                                                
 ip binding vpn-instance vsys_1                                                                                      
 ip address 10.125.97.242 255.255.255.252                                                                                           
# 
ip route-static 0.0.0.0 0.0.0.0 public                                                                                              
ip route-static 10.132.1.0 255.255.255.0 10.125.97.241                                                                             
# 

#--------public关键配置 
#                                                                                                                                   
vsys name vsys_1 1                                                                                                   
 assign vlan 3004                                                                                                                   
# 
ip vpn-instance vsys_1                                                                                               
 ipv4-family                                                                                                                        
# 
interface Vlanif3005                                                                                                                
 ip address 10.125.97.242 255.255.255.252                                                                                           
#          
interface Eth-Trunk11                                                                                                               
 portswitch                                                                                                                         
 port link-type trunk                                                                                                               
 undo port trunk allow-pass vlan 1                                                                                                  
 port trunk allow-pass vlan 3004 to 3005                                                                                            
#
ip route-static 0.0.0.0 0.0.0.0 10.125.97.241                                                                               
ip route-static 10.132.1.0 255.255.255.0 vpn-instance vsys_1                                                      
#

# --------SNAT的配置
nat address-group addgrp 0
 mode pat
 section 0 1.2.3.4 1.2.3.4
#
security-policy
 rule name 20191228113827
  source-address 10.132.1.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name rule1
  description SNAT_01
  source-zone trust
  destination-zone untrust
  source-address 10.132.1.0 mask 255.255.255.0
  action source-nat address-group addgrp
#                                                                           
 firewall import-flow public 1.2.3.4 1.2.3.4 vpn-instance vsys_1 
#

版权声明:
作者:SE_YT
链接:https://www.cnesa.cn/2788.html
来源:CNESA
文章版权归作者所有,未经允许请勿转载。

THE END
分享
二维码
打赏
海报
单DC分布式网关部署方式的VXLAN二层架构举例
适用产品和版本 CE16800(除X系列单板外)、CE8800、CE6800(除CE6820H、CE6820H-K、CE6820S、CE6885-LL低时延模式外)系列产品V300R020C00或更高版本。 如果需要了解软件版本与交换机具体型号的配套信息,请查看硬件中心。 组网需求 如图1所示,二层架构中Spine、Border Leaf、Service Leaf三者融合部署,Server Leaf-Spine/Border Leaf/Service Leaf在物理拓扑上形成两个层次的架构,故属于“二层架构”。 Border Leaf层:Border Leaf交换机作为分布式Overlay组网中的出口,南向与Server Leaf之间使用三层路由口互联,形成ECMP IP转发网络;北向与出口路由器PE互联。 Server Leaf层:Server Leaf交换机部署M-LAG,北向与Border Leaf设备通过三层路由口互联。 图1 单DC分布式网关部署方式的VXLAN二层架构组网图 规划交换机的两类Loopback地址,建议如下所示。 Loopback0:专门作为VTEP IP地址。对于双活设备组,组成员的VTEP IP必须保持一致。 Loopback1: 作为Router-ID地址 M-LAG的DFS-Group IP地址 建立BGP EVPN对等体时发送BGP报文的源接口 Loopback2:作为静态Bypass VXLAN隧道的源端IP地址。 每台交换机的Loopback地址的具体规划如表1所示。 表1 数据准备表(Loopback地址规划) 设备名称 Loopback0 Loopback1 Loopback2 BorderLeaf_1 10.125.99.1/32(虚MAC:00e0-fc00-0101) 10.125.98.1/32 10.135.98.1/32 BorderLeaf_2 10.125.99.1/32(虚MAC:00e0-fc00-0101) 10.125.98.2/32 10.135.98.2/32 ServerLeaf1_1 10.125.99.2/32 10.125.98.3/32 10.135.98.3/32 ServerLeaf1_2 10.125.99.2/32 10.125.98.4/32 10.135.98.4/32 ServerLeaf2_1 10.125.99.3/32 10.125.98.5/32 10.135.98.5/32 ServerLeaf2_2 10.125.99.3/32 10.125.98.6/32 10.135.98.6/32 表2 互联……
<<上一篇
下一篇>>