Distributed symmetric gateway
Spine configuration
BGP EVPN configuration
router bgp 7677
bgp router-id 192.168.59.130
bgp bestpath as-path multipath-relax
neighbor fabric peer-group
neighbor fabric remote-as external
neighbor 192.168.59.128 peer-group fabric
neighbor 192.168.59.129 peer-group fabric
!
address-family l2vpn evpn
neighbor fabric activate
exit-address-family
!
leaf1 and host1 configuration
Interface configuration
#!/bin/bash
# run as root
# enable forwarding
sysctl -w net.ipv4.ip_forward=1
# add host1
ip netns add host1
ip link add veth1 type veth peer name eth0 netns host1
ip netns exec host1 ip link set lo up
ip netns exec host1 ip link set eth0 up
ip netns exec host1 ip addr add 2.2.2.2/24 dev eth0
ip netns exec host1 ip route add default via 2.2.2.254 dev eth0
ip link add br10 type bridge
ip link add vxlan10 type vxlan id 10 local 192.168.59.128 dstport 4789 nolearning
ip link set br10 up
ip link set veth1 up
ip link set vxlan10 up
ip link set veth1 master br10
ip link set vxlan10 master br10
ip link set dev br10 address 00:00:01:02:03:10
ip addr add 2.2.2.254/24 dev br10
# add L3 VNI (the transit VNI used for all routed traffic)
ip link add br100 type bridge
ip link add vxlan100 type vxlan id 100 local 192.168.59.128 dstport 4789 nolearning
ip link set br100 up
ip link set vxlan100 up
ip link set vxlan100 master br100
ip link set dev br100 address 00:00:01:02:03:04
# add VRF; both the subnet SVI (br10) and the L3 VNI SVI (br100) join it
ip link add evpn-vrf type vrf table 100
ip link set evpn-vrf up
ip link set br100 master evpn-vrf
ip link set br10 master evpn-vrf
BGP EVPN configuration
vrf evpn-vrf
vni 100
exit-vrf
!
router bgp 7675
bgp router-id 192.168.59.128
bgp bestpath as-path multipath-relax
neighbor fabric peer-group
neighbor fabric remote-as external
neighbor 192.168.59.130 peer-group fabric
!
address-family l2vpn evpn
neighbor fabric activate
advertise-all-vni
exit-address-family
!
router bgp 7675 vrf evpn-vrf
!
address-family l2vpn evpn
advertise ipv4 unicast
exit-address-family
!
line vty
!
end
Note:
vrf evpn-vrf
vni 100
exit-vrf
This block binds L3 VNI 100 to the VRF evpn-vrf: routes of this VRF are carried in EVPN with VNI 100, and the MAC of the VNI's SVI (br100) is advertised as the Router's MAC.
router bgp 7675 vrf evpn-vrf
!
address-family l2vpn evpn
advertise ipv4 unicast
exit-address-family
!
Here advertise ipv4 unicast, under the VRF's l2vpn evpn address family, exports the VRF's IPv4 unicast routes as EVPN type-5 (RT-5) prefix routes.
leaf2, host2 and host3 configuration
Interface configuration
#!/bin/bash
# run as root
# enable forwarding
sysctl -w net.ipv4.ip_forward=1
# add host2
ip netns add host2
ip link add veth2 type veth peer name eth0 netns host2
ip netns exec host2 ip link set lo up
ip netns exec host2 ip link set eth0 up
ip netns exec host2 ip addr add 1.1.1.1/24 dev eth0
ip netns exec host2 ip route add default via 1.1.1.254 dev eth0
# add br20 (host2's subnet; leaf-local, no VXLAN device and therefore no L2 VNI)
ip link add br20 type bridge
ip link set br20 up
ip link set veth2 up
ip link set veth2 master br20
ip addr add 1.1.1.254/24 dev br20
# add host3
ip netns add host3
ip link add veth3 type veth peer name eth0 netns host3
ip netns exec host3 ip link set lo up
ip netns exec host3 ip link set eth0 up
ip netns exec host3 ip addr add 2.2.2.3/24 dev eth0
ip netns exec host3 ip route add default via 2.2.2.254 dev eth0
ip link add br30 type bridge
ip link add vxlan10 type vxlan id 10 local 192.168.59.129 dstport 4789 nolearning
ip link set vxlan10 up
ip link set vxlan10 master br30
ip link set br30 up
ip link set veth3 up
ip link set veth3 master br30
ip addr add 2.2.2.254/24 dev br30
ip link set dev br30 address 00:00:01:02:03:10
# add L3 VNI
ip link add br100 type bridge
ip link add vxlan100 type vxlan id 100 local 192.168.59.129 dstport 4789 nolearning
ip link set br100 up
ip link set vxlan100 up
ip link set vxlan100 master br100
ip link set dev br100 address 00:00:01:02:03:05
# add VRF; br100 and both subnet bridges join it
ip link add evpn-vrf type vrf table 100
ip link set evpn-vrf up
ip link set br100 master evpn-vrf
ip link set br20 master evpn-vrf
ip link set br30 master evpn-vrf
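The two interface scripts above are the same recipe applied twice. As an added example (not the post's own scripts), the version below folds them into one parametrised bring-up: a VRF, one L3 VNI whose SVI MAC becomes the Router's MAC, any number of subnet bridges carrying the anycast gateway address, and the host namespaces. Assumptions beyond the post: veth interfaces are named veth-hostN, every subnet bridge gets the anycast gateway MAC (the post leaves br20's MAC at the kernel default), and a DRY_RUN variable makes it print the commands instead of executing them, which is also how it can be checked without root.

```shell
#!/bin/sh
# Added example, not the post's own scripts: leaf1/leaf2 bring-up as one
# parametrised script. Fixed values taken from the post: VXLAN UDP port 4789,
# VRF table 100, L3 VNI 100, anycast gateway MAC 00:00:01:02:03:10.
# Run as root to apply; with DRY_RUN=1 the commands are only printed.

VRF=evpn-vrf
VRF_TABLE=100
L3_VNI=100
VXLAN_PORT=4789
GW_MAC=00:00:01:02:03:10   # must be identical on every leaf (anycast gateway)

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# VRF device; every SVI (subnet bridges and the L3 VNI bridge) joins it
add_vrf() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip link add "$VRF" type vrf table "$VRF_TABLE"
    run ip link set "$VRF" up
}

# add_l3_vni LOCAL_IP ROUTER_MAC: transit VNI for all inter-subnet traffic.
# ROUTER_MAC is what FRR advertises in the Router's MAC extended community.
add_l3_vni() {
    run ip link add br"$L3_VNI" type bridge
    run ip link add vxlan"$L3_VNI" type vxlan id "$L3_VNI" local "$1" dstport "$VXLAN_PORT" nolearning
    run ip link set vxlan"$L3_VNI" master br"$L3_VNI"
    run ip link set dev br"$L3_VNI" address "$2"
    run ip link set br"$L3_VNI" master "$VRF"
    run ip link set br"$L3_VNI" up
    run ip link set vxlan"$L3_VNI" up
}

# add_subnet BR VNI LOCAL_IP GW_CIDR: one subnet bridge holding the anycast
# gateway address. VNI "-" means a leaf-local subnet without VXLAN (br20).
add_subnet() {
    br=$1; vni=$2; local_ip=$3; gw=$4
    run ip link add "$br" type bridge
    if [ "$vni" != "-" ]; then
        run ip link add vxlan"$vni" type vxlan id "$vni" local "$local_ip" dstport "$VXLAN_PORT" nolearning
        run ip link set vxlan"$vni" master "$br"
        run ip link set vxlan"$vni" up
    fi
    run ip link set dev "$br" address "$GW_MAC"
    run ip addr add "$gw" dev "$br"
    run ip link set "$br" master "$VRF"
    run ip link set "$br" up
}

# add_host NAME BR ADDR_CIDR GW: network namespace attached to a subnet bridge
add_host() {
    run ip netns add "$1"
    run ip link add veth-"$1" type veth peer name eth0 netns "$1"
    run ip link set veth-"$1" master "$2"
    run ip link set veth-"$1" up
    run ip netns exec "$1" ip link set lo up
    run ip netns exec "$1" ip link set eth0 up
    run ip netns exec "$1" ip addr add "$3" dev eth0
    run ip netns exec "$1" ip route add default via "$4" dev eth0
}

setup_leaf1() {                 # VTEP 192.168.59.128
    add_vrf
    add_l3_vni 192.168.59.128 00:00:01:02:03:04
    add_subnet br10 10 192.168.59.128 2.2.2.254/24
    add_host host1 br10 2.2.2.2/24 2.2.2.254
}

setup_leaf2() {                 # VTEP 192.168.59.129
    add_vrf
    add_l3_vni 192.168.59.129 00:00:01:02:03:05
    add_subnet br20 - - 1.1.1.254/24
    add_subnet br30 10 192.168.59.129 2.2.2.254/24
    add_host host2 br20 1.1.1.1/24 1.1.1.254
    add_host host3 br30 2.2.2.3/24 2.2.2.254
}

# usage: DRY_RUN=1 sh leaf.sh leaf1   (print)   |   sh leaf.sh leaf2   (apply, as root)
case "${1:-}" in
    leaf1) setup_leaf1 ;;
    leaf2) setup_leaf2 ;;
esac
```

Two invariants are worth keeping explicit in a script like this: nolearning on every VXLAN device, so that only EVPN (not data-plane flooding from whoever can reach UDP/4789) populates the FDB, and one GW_MAC shared by all leaves, otherwise hosts that move between leaves keep a stale ARP entry for the gateway.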
BGP EVPN configuration
vrf evpn-vrf
vni 100
exit-vrf
!
router bgp 7676
bgp router-id 192.168.59.129
bgp bestpath as-path multipath-relax
neighbor fabric peer-group
neighbor fabric remote-as external
neighbor 192.168.59.130 peer-group fabric
!
address-family l2vpn evpn
neighbor fabric activate
advertise-all-vni
exit-address-family
!
router bgp 7676 vrf evpn-vrf
!
address-family l2vpn evpn
advertise ipv4 unicast
exit-address-family
!
line vty
!
end
Checking BGP state
On host3, ping host1 (both are in 2.2.2.0/24, so this is bridged through VNI 10, not routed; the TTL stays 64):
root@3cfbe6f4301d:/# ip netns exec host3 ping 2.2.2.2 -c 1
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=0.095 ms
--- 2.2.2.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.095/0.095/0.095/0.000 ms
root@3cfbe6f4301d:/#
leaf1
- EVPN routes
70cf8caaa686# show ip bgp l2vpn evpn
BGP table version is 30, local router ID is 192.168.59.128
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: ip 192.168.59.128:3
*> [2]:[0]:[48]:[06:20:e4:53:a6:8a]
192.168.59.128 32768 i
*> [2]:[0]:[48]:[06:20:e4:53:a6:8a]:[32]:[2.2.2.2]
192.168.59.128 32768 i
*> [3]:[0]:[32]:[192.168.59.128]
192.168.59.128 32768 i
Route Distinguisher: ip 192.168.59.129:3
*> [2]:[0]:[48]:[4e:3b:63:e3:19:5e]
192.168.59.129 0 7677 7676 i
*> [2]:[0]:[48]:[4e:3b:63:e3:19:5e]:[32]:[2.2.2.3]
192.168.59.129 0 7677 7676 i
*> [3]:[0]:[32]:[192.168.59.129]
192.168.59.129 0 7677 7676 i
Displayed 6 out of 6 total prefixes
70cf8caaa686#
- VRF routing table (routes marked * are installed in the kernel FIB)
70cf8caaa686# show ip route vrf evpn-vrf
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route
VRF evpn-vrf:
C>* 2.2.2.0/24 is directly connected, br10, 02:35:07
B>* 2.2.2.3/32 [20/0] via 192.168.59.129, br100 onlink, 00:12:45
70cf8caaa686#
leaf2
- EVPN routes
3cfbe6f4301d# show ip bgp l2vpn evpn
BGP table version is 40, local router ID is 192.168.59.129
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: ip 192.168.59.128:3
*> [2]:[0]:[48]:[06:20:e4:53:a6:8a]
192.168.59.128 0 7677 7675 i
*> [2]:[0]:[48]:[06:20:e4:53:a6:8a]:[32]:[2.2.2.2]
192.168.59.128 0 7677 7675 i
*> [3]:[0]:[32]:[192.168.59.128]
192.168.59.128 0 7677 7675 i
Route Distinguisher: ip 192.168.59.129:3
*> [2]:[0]:[48]:[4e:3b:63:e3:19:5e]
192.168.59.129 32768 i
*> [2]:[0]:[48]:[4e:3b:63:e3:19:5e]:[32]:[2.2.2.3]
192.168.59.129 32768 i
*> [3]:[0]:[32]:[192.168.59.129]
192.168.59.129 32768 i
Displayed 6 out of 6 total prefixes
3cfbe6f4301d#
- VRF routing table
3cfbe6f4301d# show ip route vrf evpn-vrf
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route
VRF evpn-vrf:
C>* 1.1.1.0/24 is directly connected, br20, 01:50:19
C>* 2.2.2.0/24 is directly connected, br30, 01:50:19
B>* 2.2.2.2/32 [20/0] via 192.168.59.128, br100 onlink, 00:14:22
3cfbe6f4301d#
The output shows that BGP EVPN installed an exact host route for host1 on leaf2 (2.2.2.2/32 via 192.168.59.128 on br100, onlink) and, symmetrically, one for host3 on leaf1 (2.2.2.3/32 via 192.168.59.129). Both point at the L3 VNI SVI, not at the subnet's own bridge.
Packet capture analysis
In symmetric mode a type-2 route carries two VNIs: the L2 VNI of the subnet and the L3 VNI of the VRF. A neighbor that receives it installs the matching FDB entry in the bridge of the L2 VNI and, at the same time, an exact host route in the VRF bound to the L3 VNI. Note the Router's MAC extended community in the capture: it carries the advertising VTEP's router MAC (the MAC of its br100), and when the host route is installed a neighbor entry for the next hop (the remote VTEP address, on br100) is installed with that MAC as its link-layer address.
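The paragraph above describes a chain of three kernel entries that must all be present for a remote host route to work: the route (via the remote VTEP, onlink on br100), the neighbor entry mapping that VTEP address to the remote router MAC, and the FDB entry on vxlan100 mapping that router MAC back to the VTEP's underlay address. The following added check (not part of the original post) walks that chain. The three sample texts are constructed in the output format of ip route show vrf evpn-vrf, ip neigh show dev br100 and bridge fdb show dev vxlan100 as they would look on leaf2 once leaf1 has advertised host1; device names br100/vxlan100 are assumed from the setup above.

```shell
#!/bin/sh
# Added example, not from the original post: verify the
# route -> neighbor (router MAC) -> fdb (remote VTEP) chain of symmetric IRB.
# Assumed device names: L3 VNI SVI br100, its VXLAN device vxlan100.

L3_SVI=br100
L3_VXLAN=vxlan100

# Constructed samples, in the format of (on leaf2):
#   ip route show vrf evpn-vrf
#   ip neigh show dev br100
#   bridge fdb show dev vxlan100
SAMPLE_ROUTES='1.1.1.0/24 dev br20 proto kernel scope link src 1.1.1.254
2.2.2.0/24 dev br30 proto kernel scope link src 2.2.2.254
2.2.2.2 via 192.168.59.128 dev br100 proto bgp metric 20 onlink'
SAMPLE_NEIGH='192.168.59.128 lladdr 00:00:01:02:03:04 extern_learn NOARP'
SAMPLE_FDB='00:00:01:02:03:04 dst 192.168.59.128 self extern_learn'

# field KEY TEXT: print the token that follows KEY on each line of TEXT
field() {
    printf '%s\n' "$2" | awk -v k="$1" '{ for (i = 1; i < NF; i++) if ($i == k) print $(i + 1) }'
}

# check_host_route ROUTE NEIGH_TEXT FDB_TEXT: 0 if the chain is complete
check_host_route() {
    route=$1
    case "$route" in
        *" dev $L3_SVI "*onlink*) ;;                 # only remote host routes via the L3 SVI
        *) echo "skip: $route"; return 0 ;;
    esac
    vtep=$(field via "$route")
    rmac=$(field lladdr "$(printf '%s\n' "$2" | awk -v v="$vtep" '$1 == v')")
    if [ -z "$rmac" ]; then
        echo "FAIL: $route: no neighbor entry for $vtep on $L3_SVI"; return 1
    fi
    dst=$(field dst "$(printf '%s\n' "$3" | awk -v m="$rmac" '$1 == m')")
    if [ "$dst" != "$vtep" ]; then
        echo "FAIL: $route: router MAC $rmac not in $L3_VXLAN fdb toward $vtep"; return 1
    fi
    echo "OK: $route -> $rmac -> vxlan to $vtep"
}

# check_all ROUTES_TEXT NEIGH_TEXT FDB_TEXT: returns 1 on the first broken chain
check_all() {
    printf '%s\n' "$1" | while read -r line; do
        [ -n "$line" ] || continue
        check_host_route "$line" "$2" "$3" || exit 1
    done
}

# On a live leaf (run as root):
live_check() {
    check_all "$(ip route show vrf evpn-vrf)" \
              "$(ip neigh show dev "$L3_SVI")" \
              "$(bridge fdb show dev "$L3_VXLAN")"
}

check_all "$SAMPLE_ROUTES" "$SAMPLE_NEIGH" "$SAMPLE_FDB"
```

A broken chain usually means the neighbor or FDB entry was flushed (for example by a bounce of br100 or vxlan100) while the route stayed, and shows up as a host route that is present but black-holes traffic.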
Prefix routes
At this point host2 still cannot ping host1, because the VTEP host1 sits on (leaf1) has no route for 1.1.1.0/24: br20 has no VNI, so no type-2 route is ever generated for host2. The VTEP host2 sits on (leaf2) has to advertise the prefix route instead.
Advertise it with the network command:
router bgp 7676 vrf evpn-vrf
!
address-family ipv4 unicast
network 1.1.1.0/24
exit-address-family
!
Note that the address-family context here is ipv4 unicast, not l2vpn evpn. network injects the prefix into the VRF's IPv4 unicast table; the advertise ipv4 unicast statement already configured under the VRF's l2vpn evpn address family is what turns the routes of that table into type-5 EVPN routes.
redistribute connected in the same address family works as well; it advertises every directly connected prefix of the VRF (here both 1.1.1.0/24 and 2.2.2.0/24).
leaf1
- EVPN routes
70cf8caaa686# show ip bgp l2vpn evpn
BGP table version is 7, local router ID is 192.168.59.128
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: ip 2.2.2.254:2
*> [5]:[0]:[24]:[1.1.1.0]
192.168.59.129 0 7677 7676 i
Route Distinguisher: ip 192.168.59.128:3
*> [2]:[0]:[48]:[06:20:e4:53:a6:8a]
192.168.59.128 32768 i
*> [2]:[0]:[48]:[06:20:e4:53:a6:8a]:[32]:[2.2.2.2]
192.168.59.128 32768 i
*> [3]:[0]:[32]:[192.168.59.128]
192.168.59.128 32768 i
Route Distinguisher: ip 192.168.59.129:3
*> [2]:[0]:[48]:[4e:3b:63:e3:19:5e]
192.168.59.129 0 7677 7676 i
*> [2]:[0]:[48]:[4e:3b:63:e3:19:5e]:[32]:[2.2.2.3]
192.168.59.129 0 7677 7676 i
*> [3]:[0]:[32]:[192.168.59.129]
192.168.59.129 0 7677 7676 i
Displayed 7 out of 7 total prefixes
70cf8caaa686#
An additional type-5 route is now present: [5]:[0]:[24]:[1.1.1.0] under leaf2's VRF RD, with leaf2 as next hop.
- host1 ping 1.1.1.1 (routed through leaf1 and leaf2, hence TTL 62)
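The table above mixes three route types whose keys differ in layout ([2]:[ethtag]:[48]:[mac](:[32]:[ip]), [3]:[ethtag]:[32]:[vtep], [5]:[ethtag]:[len]:[prefix]), and the next hop is printed on the following line. The added example below (not from the original post) parses FRR's show ip bgp l2vpn evpn output into one line per route and then flags any IP that is advertised in type-2 routes by more than one VTEP. SAMPLE is leaf1's table as shown above; ROGUE is a constructed variant with one invented extra type-2 route claiming 2.2.2.2 from leaf2, the shape an unnoticed host move or a MAC/IP hijack by a misbehaving VTEP would have.

```shell
#!/bin/sh
# Added example, not from the original post: parse "show ip bgp l2vpn evpn"
# and detect an IP owned by more than one VTEP. SAMPLE is leaf1's table from
# the post; ROGUE adds one constructed, invented route.

SAMPLE='BGP table version is 7, local router ID is 192.168.59.128
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: ip 2.2.2.254:2
*> [5]:[0]:[24]:[1.1.1.0]
                    192.168.59.129                         0 7677 7676 i
Route Distinguisher: ip 192.168.59.128:3
*> [2]:[0]:[48]:[06:20:e4:53:a6:8a]
                    192.168.59.128                     32768 i
*> [2]:[0]:[48]:[06:20:e4:53:a6:8a]:[32]:[2.2.2.2]
                    192.168.59.128                     32768 i
*> [3]:[0]:[32]:[192.168.59.128]
                    192.168.59.128                     32768 i
Route Distinguisher: ip 192.168.59.129:3
*> [2]:[0]:[48]:[4e:3b:63:e3:19:5e]
                    192.168.59.129                         0 7677 7676 i
*> [2]:[0]:[48]:[4e:3b:63:e3:19:5e]:[32]:[2.2.2.3]
                    192.168.59.129                         0 7677 7676 i
*> [3]:[0]:[32]:[192.168.59.129]
                    192.168.59.129                         0 7677 7676 i

Displayed 7 out of 7 total prefixes'

# constructed: the same table plus a second type-2 route claiming 2.2.2.2 from leaf2
ROGUE="$SAMPLE
Route Distinguisher: ip 192.168.59.129:3
*> [2]:[0]:[48]:[de:ad:be:ef:00:01]:[32]:[2.2.2.2]
                    192.168.59.129                         0 7677 7676 i"

# evpn_parse TEXT: one line per route
#   type=2 rd=<rd> mac=<mac> ip=<ip|-> nh=<vtep> path=<as path|local>
#   type=3 rd=<rd> vtep=<ip> nh=<vtep> path=...
#   type=5 rd=<rd> prefix=<p>/<len> nh=<vtep> path=...
evpn_parse() {
    printf '%s\n' "$1" | awk '
        /^Route Distinguisher:/ { rd = $NF; next }
        /^\*> \[/ {                        # route key; next hop usually on the next line
            key = $2
            if (NF == 2) next
            $1 = ""; $2 = ""; $0 = $0       # key and next hop on one line: re-split the rest
        }
        key != "" {
            nh = $1; path = ""
            for (i = 3; i < NF; i++) path = path (path == "" ? "" : " ") $i
            if (path == "") path = "local"  # weight 32768 and no AS path: originated here
            gsub(/\[/, "", key); gsub(/\]/, "", key)
            n = split(key, f, ":")          # MAC octets are split too, hence fixed offsets
            if (f[1] == "2") printf "type=2 rd=%s mac=%s:%s:%s:%s:%s:%s ip=%s nh=%s path=%s\n", rd, f[4], f[5], f[6], f[7], f[8], f[9], (n >= 11 ? f[11] : "-"), nh, path
            else if (f[1] == "3") printf "type=3 rd=%s vtep=%s nh=%s path=%s\n", rd, f[4], nh, path
            else if (f[1] == "5") printf "type=5 rd=%s prefix=%s/%s nh=%s path=%s\n", rd, f[4], f[3], nh, path
            key = ""
        }'
}

# evpn_count TEXT TYPE: number of routes of the given type
evpn_count() {
    evpn_parse "$1" | awk -v t="type=$2" '$1 == t { c++ } END { print c + 0 }'
}

# evpn_ip_conflicts TEXT: IPs carried in type-2 MAC/IP routes from more than one
# next hop. One owner per IP is the expected state; two means the host moved or
# a second VTEP is advertising an address it does not own.
evpn_ip_conflicts() {
    evpn_parse "$1" | awk '
        $1 == "type=2" && $4 != "ip=-" { if (!seen[$4, $5]++) owners[$4]++ }
        END { for (ip in owners) if (owners[ip] > 1) print ip }'
}

evpn_parse "$SAMPLE"
evpn_ip_conflicts "$ROGUE"
```

Run it against vtysh -c 'show ip bgp l2vpn evpn' on a live leaf. FRR has its own duplicate address detection (dup-addr-detection under address-family l2vpn evpn); the parser is useful when the table is collected from several leaves and compared out of band.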
root@70cf8caaa686:/# ip netns exec host1 ping 1.1.1.1 -c 1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=62 time=0.133 ms
--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.133/0.133/0.133/0.000 ms
root@70cf8caaa686:/#
Packet capture analysis
The packet in the capture above is a type-5 prefix route. Its prefix-route model is Interface-less IP-VRF-to-IP-VRF (RFC 9136): the route carries the Router's MAC extended community, whose value is the MAC address of br100 on the VTEP host2 sits on (00:00:01:02:03:05 on leaf2). When the VTEP host1 sits on encapsulates a packet toward 1.1.1.0/24, it uses that MAC as the inner destination MAC and VNI 100 as the VXLAN VNI.
Summary
In the distributed symmetric model, inter-subnet traffic is always encapsulated with the L3 VNI, whether the lookup hits an exact host route or a prefix route, and whether or not the destination subnet's L2 VNI exists on the local leaf. Intra-subnet traffic is bridged via the FDB and encapsulated with that subnet's own L2 VNI.