VxLAN
1 Overview
Figure 1: VXLAN concept
1.1 Terminology
NVE
A device that runs VXLAN is called an NVE.
VNI (VXLAN Network ID)
Identifies a VXLAN network, similar to a VLAN ID, but with up to 16M possible values. The VTEP maps VLANs to VNIs according to its configuration; the VLAN information is only locally significant.
VTEP
The tunnel endpoint; essentially an IP address.
BD (Bridge Domain)
Can be understood as a broadcast domain. A logical interface (vBDif) can be created in a BD, similar to the SVI concept, and is used for Layer 3 forwarding.
2 Static VxLAN [1]
2.1 Layer 2 forwarding
Figure 2: Forwarding model
2.1.1 Experiment 1 (w/ VLAN)
Figure 3: Lab topology
Configuration listing
----------------- R1 ----------------------
en
conf t
hostname R1
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int e0/0
 ip address 10.1.12.1 255.255.255.0
 no sh
 exit
int e0/1
 ip address 10.1.13.1 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 1.1.1.1
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 0
 exit
end
----------------- CSR2 ----------------------
en
conf t
hostname CSR2
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 2.2.2.2 255.255.255.255
!
int g1
 ip address 10.1.12.2 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 2.2.2.2
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.12.2 0.0.0.0 area 0
 exit
!
!! PART 1
interface nve1
 source-interface Loopback0
 member vni 4096
  ingress-replication 3.3.3.3
  exit
 member vni 4097
  ingress-replication 3.3.3.3
  exit
 exit
!! PART 2
int g2
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
 !
 service instance 20 ethernet
  encapsulation dot1q 20
  rewrite ingress tag pop 1 symmetric
 !
 exit
!! PART 3
bridge-domain 10
 member g2 service-instance 10
 member vni 4096
 exit
bridge-domain 20
 member g2 service-instance 20
 member vni 4097
 exit
int g2
 no sh   !! do not forget this
 exit
end
----------------- CSR3 ----------------------
en
conf t
hostname CSR3
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 3.3.3.3 255.255.255.255
!
int g1
 ip address 10.1.13.3 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 3.3.3.3
 network 3.3.3.3 0.0.0.0 area 0
 network 10.1.13.3 0.0.0.0 area 0
 exit
!
interface nve1
 source-interface Loopback0
 member vni 4096
  ingress-replication 2.2.2.2
  exit
 member vni 4097
  ingress-replication 2.2.2.2
  exit
 exit
int g2
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
 !
 service instance 20 ethernet
  encapsulation dot1q 20
  rewrite ingress tag pop 1 symmetric
 !
 exit
bridge-domain 10
 member g2 service-instance 10
 member vni 4096
 exit
bridge-domain 20
 member g2 service-instance 20
 member vni 4097
 exit
int g2
 no sh
 exit
end
----------------- SW4 ----------------------
en
conf t
hostname SW4
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int e0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 exit
int e0/1
 switchport access vlan 10
 switchport mode access
 exit
int e0/2
 switchport access vlan 20
 switchport mode access
 exit
end
----------------- SW5 ----------------------
en
conf t
hostname SW5
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int e0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 exit
int e0/1
 switchport access vlan 10
 switchport mode access
 exit
int e0/2
 switchport access vlan 20
 switchport mode access
 exit
end
----------------- PC6 ----------------------
en
conf t
hostname PC6
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
no ip routing
int e0/0
 ip address 192.168.10.6 255.255.255.0
 no sh
 exit
end
----------------- PC7 ----------------------
en
conf t
hostname PC7
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
no ip routing
int e0/0
 ip address 192.168.10.7 255.255.255.0
 no sh
 exit
end
----------------- PC8 ----------------------
en
conf t
hostname PC8
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
no ip routing
int e0/0
 ip address 192.168.20.8 255.255.255.0
 no sh
 exit
end
----------------- PC9 ----------------------
en
conf t
hostname PC9
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
no ip routing
int e0/0
 ip address 192.168.20.9 255.255.255.0
 no sh
 exit
end
rewrite ingress tag pop 1 symmetric
Connectivity works even without this command, but in the Layer 3 forwarding experiment below it does not work without it; I don't yet know why.
show bridge-domain
CSR2#sh bridge-domain 10
Bridge-domain 10 (2 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 300 second(s)
Maximum address limit: 65536
    GigabitEthernet2 service instance 10
    vni 4096
   AED MAC address    Policy  Tag       Age  Pseudoport
   0   AABB.CC00.6000 forward dynamic   275  GigabitEthernet2.EFP10
   0   AABB.CC00.7000 forward dynamic   153  nve1.VNI4096, VxLAN src: 2.2.2.2 dst: 3.3.3.3

CSR2#sh bridge-domain 20
Bridge-domain 20 (2 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 300 second(s)
Maximum address limit: 65536
    GigabitEthernet2 service instance 20
    vni 4097
   AED MAC address    Policy  Tag       Age  Pseudoport
   0   AABB.CC00.9000 forward dynamic   278  nve1.VNI4097, VxLAN src: 2.2.2.2 dst: 3.3.3.3
   0   AABB.CC00.8000 forward dynamic   278  GigabitEthernet2.EFP20
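As an added illustration (not part of the original lab notes and not Cisco code), the following Python models what CSR2's service-instance and bridge-domain configuration above does on the access side: pop the 802.1Q tag (`rewrite ingress tag pop 1`), pick the VNI of the bridge domain the VLAN belongs to, wrap the untagged frame in an 8-byte VXLAN header (RFC 7348) and hand one copy to every ingress-replication peer; the reverse path decapsulates and re-inserts the tag (`symmetric`). The VLAN, VNI and peer values are taken from the lab; the sample Ethernet frame is constructed, and the outer IP/UDP (port 4789) encapsulation is not modelled.

```python
import struct

ETH_P_8021Q = 0x8100     # 802.1Q TPID
VXLAN_FLAG_I = 0x08      # "VNI present" bit in the VXLAN flags byte (RFC 7348)

# Values from CSR2 in the lab: bridge-domain 10 = VLAN 10 <-> VNI 4096,
# bridge-domain 20 = VLAN 20 <-> VNI 4097, with CSR3 (3.3.3.3) as the replication peer.
VLAN_TO_VNI = {10: 4096, 20: 4097}
VNI_TO_VLAN = {vni: vlan for vlan, vni in VLAN_TO_VNI.items()}
INGRESS_REPLICATION = {4096: ["3.3.3.3"], 4097: ["3.3.3.3"]}

def pop_dot1q(frame: bytes) -> tuple[int, bytes]:
    """'rewrite ingress tag pop 1': strip the outer 802.1Q tag, return (vlan, untagged frame)."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        raise ValueError("frame carries no 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]

def push_dot1q(frame: bytes, vlan: int) -> bytes:
    """The 'symmetric' half: re-insert the tag on the way back out to the access port."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF) + frame[12:]

def vxlan_encap(inner: bytes, vni: int) -> bytes:
    """Prepend the VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8) + inner

def vxlan_decap(packet: bytes) -> tuple[int, bytes]:
    """Check the I flag and return (vni, inner Ethernet frame)."""
    word0, word1 = struct.unpack("!II", packet[:8])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; no valid VNI")
    return word1 >> 8, packet[8:]

def vtep_ingress(tagged_frame: bytes) -> list[tuple[str, bytes]]:
    """Access -> overlay: pop the tag, map VLAN to VNI, replicate to each configured peer."""
    vlan, untagged = pop_dot1q(tagged_frame)
    vni = VLAN_TO_VNI[vlan]          # KeyError: VLAN not bound to any bridge domain
    packet = vxlan_encap(untagged, vni)
    return [(peer, packet) for peer in INGRESS_REPLICATION[vni]]

def vtep_egress(packet: bytes) -> bytes:
    """Overlay -> access: decapsulate and restore the VLAN tag of the matching bridge domain."""
    vni, inner = vxlan_decap(packet)
    return push_dot1q(inner, VNI_TO_VLAN[vni])

# Constructed sample: PC7 (AABB.CC00.7000) -> PC6 (AABB.CC00.6000) on VLAN 10, IPv4, 4 payload bytes.
SAMPLE_TAGGED = (bytes.fromhex("aabbcc006000aabbcc007000")
                 + struct.pack("!HH", ETH_P_8021Q, 10) + b"\x08\x00\xde\xad\xbe\xef")
```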
2.2 Layer 3 forwarding (centralized gateway)
2.2.1 Experiment 1 (w/o VLAN)
Figure 4: Lab topology
Configuration listing
----------------- CSR1 ----------------------
en
conf t
hostname CSR1
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 1.1.1.1 255.255.255.255
!
int g1
 ip address 10.1.12.1 255.255.255.0
 no sh
 exit
int g2
 ip address 10.1.13.1 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 1.1.1.1
 network 1.1.1.1 0.0.0.0 area 0
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 0
 exit
interface nve1
 source-interface Loopback0
 member vni 6010
  ingress-replication 2.2.2.2
  exit
 member vni 6020
  ingress-replication 3.3.3.3
  exit
 exit
bridge-domain 6010
 member vni 6010
 exit
bridge-domain 6020
 member vni 6020
 exit
int bdi 6010
 ip address 192.168.10.254 255.255.255.0
 no sh
 exit
int bdi 6020
 ip address 192.168.20.254 255.255.255.0
 no sh
 exit
end
----------------- CSR2 ----------------------
en
conf t
hostname CSR2
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 2.2.2.2 255.255.255.255
!
int g1
 ip address 10.1.12.2 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 2.2.2.2
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.12.2 0.0.0.0 area 0
 exit
!
interface nve1
 source-interface Loopback0
 member vni 6010
  ingress-replication 1.1.1.1
  exit
 exit
int g2
 service instance 1 ethernet
  encapsulation untagged
  exit
bridge-domain 6010
 member g2 service-instance 1
 member vni 6010
 exit
int g2
 no sh
 exit
end
----------------- CSR3 ----------------------
en
conf t
hostname CSR3
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 3.3.3.3 255.255.255.255
!
int g1
 ip address 10.1.13.3 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 3.3.3.3
 network 3.3.3.3 0.0.0.0 area 0
 network 10.1.13.3 0.0.0.0 area 0
 exit
!
interface nve1
 source-interface Loopback0
 member vni 6020
  ingress-replication 1.1.1.1
  exit
 exit
int g2
 service instance 1 ethernet
  encapsulation untagged
  exit
bridge-domain 6020
 member g2 service-instance 1
 member vni 6020
 exit
int g2
 no sh
 exit
end
----------------- PC6 ----------------------
en
conf t
hostname PC6
no ip do lo
ip default-gateway 192.168.10.254
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
no ip routing
int e0/0
 ip address 192.168.10.6 255.255.255.0
 no sh
 exit
end
----------------- PC9 ----------------------
en
conf t
hostname PC9
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
no ip routing
ip default-gateway 192.168.20.254
int e0/0
 ip address 192.168.20.9 255.255.255.0
 no sh
 exit
end
2.2.2 Experiment 2 (w/ VLAN)
Figure 5: Lab topology
Configuration listing
----------------- CSR1 ----------------------
en
conf t
hostname CSR1
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 1.1.1.1 255.255.255.255
!
int g1
 ip address 10.1.12.1 255.255.255.0
 no sh
 exit
int g2
 ip address 10.1.13.1 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 1.1.1.1
 network 1.1.1.1 0.0.0.0 area 0
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 0
 exit
interface nve1
 source-interface Loopback0
 member vni 6010
  ingress-replication 2.2.2.2
  exit
 member vni 6020
  ingress-replication 3.3.3.3
  exit
 exit
bridge-domain 10
 member vni 6010
 exit
bridge-domain 20
 member vni 6020
 exit
int bdi 10
 ip address 192.168.10.254 255.255.255.0
 no sh
 exit
int bdi 20
 ip address 192.168.20.254 255.255.255.0
 no sh
 exit
end
----------------- CSR2 ----------------------
en
conf t
hostname CSR2
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 2.2.2.2 255.255.255.255
!
int g1
 ip address 10.1.12.2 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 2.2.2.2
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.12.2 0.0.0.0 area 0
 exit
interface nve1
 source-interface Loopback0
 member vni 6010
  ingress-replication 1.1.1.1
  ingress-replication 3.3.3.3
  exit
 member vni 6020
  ingress-replication 1.1.1.1
  ingress-replication 3.3.3.3
  exit
 exit
int g2
 service instance 10 ethernet
  encapsulation dot1q 10
  ! This command is required to remove the VLAN tag before sending the VLAN traffic to VxLAN and
  ! adding the VLAN tag in the reverse direction.
  rewrite ingress tag pop 1 symmetric
  exit
 service instance 20 ethernet
  encapsulation dot1q 20
  rewrite ingress tag pop 1 symmetric
  exit
 exit
bridge-domain 10
 member g2 service-instance 10
 member vni 6010
 exit
bridge-domain 20
 member g2 service-instance 20
 member vni 6020
 exit
int g2
 no sh
 exit
end
----------------- CSR3 ----------------------
en
conf t
hostname CSR3
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int lo0
 ip address 3.3.3.3 255.255.255.255
!
int g1
 ip address 10.1.13.3 255.255.255.0
 no sh
 exit
router ospf 110
 router-id 3.3.3.3
 network 3.3.3.3 0.0.0.0 area 0
 network 10.1.13.3 0.0.0.0 area 0
 exit
!
interface nve1
 source-interface Loopback0
 member vni 6010
  ingress-replication 1.1.1.1
  ingress-replication 2.2.2.2
  exit
 member vni 6020
  ingress-replication 1.1.1.1
  ingress-replication 2.2.2.2
  exit
 exit
int g2
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  exit
 service instance 20 ethernet
  encapsulation dot1q 20
  rewrite ingress tag pop 1 symmetric
  exit
 exit
bridge-domain 10
 member g2 service-instance 10
 member vni 6010
 exit
bridge-domain 20
 member g2 service-instance 20
 member vni 6020
 exit
int g2
 no sh
 exit
end
----------------- SW4 ----------------------
en
conf t
hostname SW4
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int e0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 exit
int e0/1
 switchport access vlan 10
 switchport mode access
 exit
int e0/2
 switchport access vlan 20
 switchport mode access
 exit
end
----------------- SW5 ----------------------
en
conf t
hostname SW5
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
int e0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 exit
int e0/1
 switchport access vlan 10
 switchport mode access
 exit
int e0/2
 switchport access vlan 20
 switchport mode access
 exit
end
----------------- PC6 ----------------------
en
conf t
hostname PC6
no ip do lo
ip default-gateway 192.168.10.254
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
no ip routing
int e0/0
 ip address 192.168.10.6 255.255.255.0
 no sh
 exit
end
----------------- PC7 ----------------------
en
conf t
hostname PC7
no ip do lo
ip default-gateway 192.168.20.254
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
no ip routing
int e0/0
 ip address 192.168.20.7 255.255.255.0
 no sh
 exit
end
----------------- PC8 ----------------------
en
conf t
hostname PC8
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
no ip routing
ip default-gateway 192.168.10.254
int e0/0
 ip address 192.168.10.8 255.255.255.0
 no sh
 exit
end
----------------- PC9 ----------------------
en
conf t
hostname PC9
no ip do lo
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
no ip routing
ip default-gateway 192.168.20.254
int e0/0
 ip address 192.168.20.9 255.255.255.0
 no sh
 exit
end
Footnotes:
[1] In production environments, EVPN-based dynamic VXLAN is more commonly used.