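VI. Service Connectivity Testing and Dynamic Observation (Traffic Test & Observation)
(continued)
E03: Packet Walk (a full walk-through of IPv6 data flows)
This part follows real packets through the forwarding path (a packet walk) to observe how IPv6 traffic is encapsulated, decapsulated and matched against forwarding tables between the underlay and the overlay.
This section no longer looks at the configuration commands themselves. It takes the viewpoint of the packet as it is actually forwarded and verifies that the EVPN control-plane design works as intended.
📌 Note
Each scenario below is assumed to be an independent, first-time communication, so that the complete convergence process under IPv6 can be observed clearly.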

0. Scenario Setup and Basic Information (IPv6)
0.1 Topology and Device Roles
- Leaf1
  - Attached hosts: Serv1 (VLAN 10), Serv2 (VLAN 20)
  - VTEP IP: 20.20.20.20
- Leaf2
  - Attached hosts: Serv3 (VLAN 30), Serv4 (VLAN 40)
  - VTEP IP: 30.30.30.30
- BL1
  - Connects to Internet / R1
  - VTEP IP: 40.40.40.40
0.2 IPv6 Subnet and Anycast Gateway Plan
| VLAN / BD | IPv6 prefix | Anycast Gateway IPv6 |
|---|---|---|
| VLAN 10 / BD100 / BD300 | 172:16:1::/64 | 172:16:1::1 |
| VLAN 20 / BD200 / BD400 | 10:10:10::/64 | 10:10:10::1 |
0.3 Host IPv6 Information
| Role | IPv6 address | Attached Leaf | VLAN / BD | VNI |
|---|---|---|---|---|
| Serv1 | 172:16:1::10 | Leaf1 | VLAN 10 / BD100 | L2VNI 8000 |
| Serv2 | 10:10:10::10 | Leaf1 | VLAN 20 / BD200 | L2VNI 9000 |
| Serv3 | 172:16:1::20 | Leaf2 | VLAN 30 / BD300 | L2VNI 8000 |
| Serv4 | 10:10:10::20 | Leaf2 | VLAN 40 / BD400 | L2VNI 9000 |
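0.4 IPv6 Neighbor Discovery and Address Mapping
In IPv6, IP → MAC resolution is no longer done with ARP. The IPv6 Neighbor Discovery Protocol (NDP) provides the equivalent function.
From the EVPN / VXLAN point of view, NDP and ARP are fully equivalent at the mechanism level; only the message types and the multicast model differ.
I. How the IPv6 Neighbor Discovery Protocol (NDP) works
NDP is a core part of ICMPv6 and consolidates the following IPv4 functions:
- ARP (address resolution)
- Router discovery
- ICMP redirect
- Duplicate Address Detection (DAD)
In the address-resolution case:
- When a node needs to communicate with an IPv6 address whose MAC address it does not know
- It sends a Neighbor Solicitation (NS)
- The target node replies with a unicast Neighbor Advertisement (NA) carrying its own MAC
- The requesting node writes the IPv6 ↔ MAC mapping into its Neighbor Cache
📌 In an EVPN fabric:
- NS / NA are still, in essence, Layer-2 control frames
- Whether they cross Leafs depends on the flooding scope of the L2VNI + Type 3
II. Mapping an IPv6 unicast address to its solicited-node multicast address (using Serv1 as the example)
To avoid pointless broadcasts, IPv6 introduces the solicited-node multicast address.
The mapping rule (RFC 4291) is:
- Fixed prefix: ff02::1:ff
- Take the last 24 bits of the target IPv6 address
- Concatenate them to form the solicited-node multicast address
Example (Serv1)
- Serv1 IPv6 address: 172:16:1::10
- Fully expanded: 0172:0016:0001:0000:0000:0000:0000:0010
- Last 24 bits: 000010
- Resulting solicited-node multicast address: ff02::1:ff00:0010
III. Mapping an IPv6 multicast address to a Layer-2 Ethernet MAC (using Serv1 as the example)
When an IPv6 multicast packet is sent over Ethernet, it is further mapped to a Layer-2 multicast MAC address, following RFC 2464:
- Fixed prefix: 33:33
- Take the last 32 bits of the IPv6 multicast address
- Concatenate them to form the Ethernet multicast MAC
Example
- IPv6 solicited-node multicast address: ff02::1:ff00:0010
- Last 32 bits: ff00:0010
- Corresponding Layer-2 multicast MAC: 33:33:ff:00:00:10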
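The two mappings above, applied to all four hosts in this lab and then used to check a Neighbor Solicitation for internal consistency. This is an added example, not part of the original article; the `frame` dictionary layout and the function names are assumptions made for the example, the first two sample frames are re-typed from the article's captures, and the third is constructed.

```python
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
HOSTS = {"Serv1": "172:16:1::10", "Serv2": "10:10:10::10",
         "Serv3": "172:16:1::20", "Serv4": "10:10:10::20"}


def solicited_node(addr):
    """RFC 4291: ff02::1:ff00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def multicast_mac(group):
    """RFC 2464: 33:33 followed by the low 32 bits of the IPv6 multicast address."""
    group = ipaddress.IPv6Address(group)
    if not group.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = (int(group) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


def mapping_table():
    """Host name -> (solicited-node group, Ethernet multicast MAC)."""
    table = {}
    for name, addr in HOSTS.items():
        group = solicited_node(addr)
        table[name] = (str(group), multicast_mac(group))
    return table


def check_ns(frame):
    """Return the inconsistencies found in one decoded Neighbor Solicitation."""
    problems = []
    target = ipaddress.IPv6Address(frame["target"])
    ip_dst = ipaddress.IPv6Address(frame["ip_dst"])
    # RFC 4861: ND messages must arrive with Hop Limit 255, which shows the
    # sender is on-link (any routed packet would have been decremented).
    if frame["hop_limit"] != 255:
        problems.append("hop limit is not 255")
    if target.is_multicast:
        problems.append("target address is multicast")
    if ip_dst.is_multicast:
        # Address-resolution NS: the destination is the target's solicited-node
        # group, and the frame uses the 33:33 MAC derived from that group.
        expected = solicited_node(target)
        if ip_dst != expected:
            problems.append(f"IPv6 destination {ip_dst} is not {expected}")
        if frame["eth_dst"].lower() != multicast_mac(ip_dst):
            problems.append("Ethernet destination does not match the IPv6 group")
    elif ip_dst != target:
        # A unicast NS (reachability probe) is addressed to the target itself.
        problems.append("unicast NS is not addressed to its target")
    # Heuristic used by ND inspection features, not an RFC requirement: the
    # source link-layer option should agree with the Ethernet source.
    slla = frame.get("slla")
    if slla and slla.lower() != frame["eth_src"].lower():
        problems.append("source link-layer option differs from Ethernet source")
    return problems


# Fields re-typed from the article's captures: Serv1's NS for Serv3, and the
# gateway NS that Leaf1 sends for Serv2.
PAGE_FRAMES = [
    {"eth_src": "40:3f:ab:de:4d:11", "eth_dst": "33:33:ff:00:00:20",
     "ip_dst": "ff02::1:ff00:20", "hop_limit": 255,
     "target": "172:16:1::20", "slla": "40:3f:ab:de:4d:11"},
    {"eth_src": "00:02:00:02:00:02", "eth_dst": "33:33:ff:00:00:10",
     "ip_dst": "ff02::1:ff00:10", "hop_limit": 255,
     "target": "10:10:10::10", "slla": "00:02:00:02:00:02"},
]
# Constructed frame (not from the article): wrong group for the target,
# decremented hop limit, and a link-layer option that disagrees with the source.
CONSTRUCTED_BAD = {"eth_src": "02:00:00:00:00:99", "eth_dst": "33:33:ff:00:00:10",
                   "ip_dst": "ff02::1:ff00:10", "hop_limit": 64,
                   "target": "172:16:1::20", "slla": "02:00:00:00:00:aa"}

if __name__ == "__main__":
    for name, (group, mac) in mapping_table().items():
        print(f"{name:6} {HOSTS[name]:14} -> {group:16} -> {mac}")
    for frame in PAGE_FRAMES + [CONSTRUCTED_BAD]:
        print(frame["target"], check_ns(frame) or "consistent")
```

Serv1 and Serv2 sit in different prefixes but share the low 24 bits, so they map to the same group and the same multicast MAC; only the bridge domain (L2VNI) keeps their solicitations apart.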
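Summary: why do these details matter in EVPN?
- NS / NA ≈ ARP
  - Only the form differs
- IPv6 multicast ≠ uncontrolled flooding
  - In EVPN it is likewise constrained by Type 3
- IPv6 host MAC / IP
  - Still advertised through EVPN Type 2 (MAC + IPv6)
- Introducing IPv6:
  - Does not change EVPN's control-plane logic
  - Only extends the address family from IPv4 to IPv6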
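Scenario 1 (IPv6): Layer-2 connectivity within one subnet
Intra-Subnet Bridging over EVPN VXLAN (IPv6)
Traffic path
Serv1 (172:16:1::10) → Serv3 (172:16:1::20)
Traffic characteristics
- Source and destination IPv6 addresses both belong to 172:16:1::/64
- They attach to different Leafs
- BD100 on Leaf1 and BD300 on Leaf2
  → joined by EVPN/VXLAN + L2VNI 8000 into one logical Layer-2 broadcast domain
- VLAN / BD have local significance only
- The Leaf acts as a Layer-2 bridge throughout this scenario
- The overlay uses VXLAN L2VNI = 8000
- Address resolution is done by IPv6 Neighbor Discovery (ND), not ARP
Phase 1: Serv1's ND request triggers BUM flooding (Type 3 determines the flooding scope)
1️⃣ Serv1 sends a Neighbor Solicitation (NS)
- Serv1 needs to resolve Serv3's MAC address
- It builds a Neighbor Solicitation (NS):
  - "Who has 172:16:1::20? Tell 172:16:1::10"
- Packet characteristics:
  - SMAC = Serv1
  - DMAC = the Layer-2 multicast MAC that corresponds to the IPv6 solicited-node address (33:33:ff:xx:xx:xx)
  - ICMPv6 Type 135 (NS)
📌 Difference from IPv4
- ARP broadcast → IPv6 solicited-node multicast
- But from EVPN's point of view it is still a BUM frame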
# Neighbor Solicitation (NS) packet
Frame 5: Packet, 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: 40:3f:ab:de:4d:11, Dst: 33:33:ff:00:00:20
Destination: 33:33:ff:00:00:20
Source: 40:3f:ab:de:4d:11
Type: 802.1Q Virtual LAN (0x8100)
[Stream index: 2]
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 10
000. .... .... .... = Priority: Best Effort (default) (0)
...0 .... .... .... = DEI: Ineligible
.... 0000 0000 1010 = ID: 10
Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: 172:16:1::10, Dst: ff02::1:ff00:20
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
.... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
Payload Length: 32
Next Header: ICMPv6 (58)
Hop Limit: 255
Source Address: 172:16:1::10
Destination Address: ff02::1:ff00:20
[Stream index: 0]
Internet Control Message Protocol v6
Type: Neighbor Solicitation (135)
Code: 0
Checksum: 0x3d0e [correct]
[Checksum Status: Good]
Reserved: 00000000
Target Address: 172:16:1::20
ICMPv6 Option (Source link-layer address : 40:3f:ab:de:4d:11)
Type: Source link-layer address (1)
Length: 1 (8 bytes)
Link-layer address: 40:3f:ab:de:4d:11
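2️⃣ Leaf1 ingress processing (ingress bridge)
- Leaf1 receives the NS on its access port
- VLAN 10 → mapped to local BD100
- Leaf1 determines that the frame belongs to L2VNI 8000
At this point Leaf1 also performs two parallel but logically independent actions:
🔹 Action A: local MAC learning (data plane)
- Leaf1 learns in the BD100 MAC table: Serv1 MAC → local access interface
This is the starting point for all later control and forwarding behaviour.
🔹 Action B: trigger generation of an EVPN Type 2 (MAC-only) route (control plane)
Because:
- BD100 is bound to L2VNI 8000
- EVPN is enabled
- Only MAC learning has completed so far; no IPv6 address binding has been obtained yet
👉 Leaf1 immediately generates an EVPN Type 2 (MAC-only) route:
"MAC Serv1 belongs to L2VNI 8000, and its VTEP is 20.20.20.20"
and advertises it to Leaf2 through BGP EVPN.
📌 Key point
IPv6 does not change how the Type 2 (MAC-only) route is produced. As soon as a Leaf learns a MAC for the first time, it advertises it immediately.
3️⃣ Leaf1 performs BUM flooding (based on EVPN Type 3)
Back in the data plane:
- Leaf1 classifies the NS as BUM traffic
- It looks up the head-end replication list of L2VNI 8000
  - This list is built from EVPN Type 3 (IMET) routes
It then performs VXLAN encapsulation:
- VNI = 8000
- Outer Src IP = 20.20.20.20
- Outer Dst IP = 30.30.30.30
- Inner Payload = the original IPv6 NS frame
and sends the packet as unicast to Leaf2.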
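Phase 2: Leaf2 receives the NS (control plane and data plane converge concurrently)
1️⃣ Leaf2 decapsulates and floods
- Leaf2 receives the VXLAN packet
- VNI 8000 maps to local BD300
- It floods within BD300
- Serv3 receives the NS
2️⃣ Leaf2's two "learning paths"
At this moment Leaf2 obtains two kinds of information about Serv1's MAC almost simultaneously:
🔹 Path A: control plane (BGP EVPN)
- Leaf2 receives over BGP:
  - An EVPN Type 2 (MAC-only) route
- Content: Serv1 MAC → VTEP 20.20.20.20
- This is the authoritative control-plane information
🔹 Path B: data plane (flooding & learning)
- While decapsulating the NS, Leaf2:
  - Sees SMAC = Serv1 in the inner Ethernet header
- It attempts to learn in BD300: Serv1 MAC → VXLAN tunnel (20.20.20.20)
❓ Key question: which MAC entry is finally used?
The conclusion is exactly the same as in the IPv4 scenario:
The EVPN control plane (Type 2) takes precedence and overrides the result of data-plane learning.
Introducing IPv6 ND does not change this precedence rule.
Phase 3: the Neighbor Advertisement (NA) triggers symmetric MAC learning and the reverse EVPN advertisement
1️⃣ Serv3 sends a Neighbor Advertisement (NA)
- Serv3 builds the NA:
  - "172:16:1::20 is at fa:9e:65:74:00:10"
- Packet characteristics:
  - SMAC = Serv3
  - DMAC = Serv1
  - ICMPv6 Type 136 (NA)
- This is a standard Layer-2 unicast frame
2️⃣ Leaf2 ingress processing: local MAC learning
- Leaf2 receives the NA on its access port
- It learns in the BD300 MAC table: Serv3 MAC → local access interface
3️⃣ Leaf2 triggers generation of an EVPN Type 2 (MAC-only) route
Because:
- BD300 is bound to L2VNI 8000
- EVPN is enabled
👉 Leaf2 generates an EVPN Type 2 (MAC-only) route:
"MAC Serv3 belongs to L2VNI 8000, and its VTEP is 30.30.30.30"
and advertises it to Leaf1.
4️⃣ Leaf2 forwards the NA as unicast VXLAN
- Leaf2 looks up the BD300 / EVPN table
- Hit: Serv1 MAC → VTEP 20.20.20.20
It performs VXLAN encapsulation:
- VNI = 8000
- Outer Src IP = 30.30.30.30
- Outer Dst IP = 20.20.20.20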
# Leaf2 forwards the NA as unicast VXLAN
Frame 17: Packet, 136 bytes on wire (1088 bits), 136 bytes captured (1088 bits)
Ethernet II, Src: fa:e8:d2:bf:00:12, Dst: fa:e8:d2:bf:00:22
Internet Protocol Version 4, Src: 30.30.30.30, Dst: 20.20.20.20 # Leaf2 -> Leaf1
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 122
Identification: 0x0000 (0)
000. .... = Flags: 0x0
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 253
Protocol: UDP (17)
Header Checksum: 0x590f [validation disabled]
[Header checksum status: Unverified]
Source Address: 30.30.30.30
Destination Address: 20.20.20.20
[Stream index: 1]
User Datagram Protocol, Src Port: 4789, Dst Port: 4789
Source Port: 4789
Destination Port: 4789
Length: 102
Checksum: 0x0000 [zero-value ignored]
[Stream index: 0]
[Stream Packet Number: 2]
[Timestamps]
UDP payload (94 bytes)
Virtual eXtensible Local Area Network
Flags: 0x0800, VXLAN Network ID (VNI)
Group Policy ID: 0
VXLAN Network Identifier (VNI): 8000
Reserved: 0
Ethernet II, Src: fa:9e:65:74:00:10, Dst: 40:3f:ab:de:4d:11 # Serv3 -> Serv1 MAC Address
Destination: 40:3f:ab:de:4d:11
Source: fa:9e:65:74:00:10
Type: IPv6 (0x86dd)
[Stream index: 6]
Internet Protocol Version 6, Src: 172:16:1::20, Dst: 172:16:1::10
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
.... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
Payload Length: 32
Next Header: ICMPv6 (58)
Hop Limit: 255
Source Address: 172:16:1::20
Destination Address: 172:16:1::10
[Stream index: 1]
Internet Control Message Protocol v6
Type: Neighbor Advertisement (136)
Code: 0
Checksum: 0xb095 [correct]
[Checksum Status: Good]
Flags: 0x60000000, Solicited, Override
Target Address: 172:16:1::20
ICMPv6 Option (Target link-layer address : fa:9e:65:74:00:10)
Type: Target link-layer address (2)
Length: 1 (8 bytes)
Link-layer address: fa:9e:65:74:00:10
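5️⃣ Leaf1 decapsulates and closes the loop
- Leaf1 decapsulates the VXLAN packet
- The VNI maps to BD100
- It forwards the NA to Serv1
- It also confirms: Serv3 MAC → VTEP 30.30.30.30
✅ Fabric-wide state after IPv6 Scenario 1 completes
Leaf1 (BD100)
| MAC | Points to |
|---|---|
| Serv1 | Local interface |
| Serv3 | VTEP 30.30.30.30 (EVPN Type 2) |
Leaf2 (BD300)
| MAC | Points to |
|---|---|
| Serv3 | Local interface |
| Serv1 | VTEP 20.20.20.20 (EVPN Type 2) |
Scenario 1 (IPv6) summary
- IPv6 ND ≠ a new mechanism
  - It is just the IPv6 form of ARP
- The L2VNI defines the logical broadcast domain
  - Exactly as in IPv4
- EVPN Type 3
  - Determines the flooding scope of NS / NA
- EVPN Type 2 (MAC-only)
  - Remains the authoritative source for Layer-2 unicast forwarding
- Introducing IPv6
  - Does not change EVPN's control-plane philosophy
  - It only confirms that EVPN is protocol-agnostic
Scenario 2 (IPv6): Layer-3 connectivity across subnets on the same Leaf
Intra-Leaf Inter-Subnet Routing over EVPN (IPv6)
Traffic path
Serv1 (172:16:1::10) → Serv2 (10:10:10::10)
Traffic characteristics
- Source and destination addresses are in different IPv6 prefixes
- Both attach to the same Leaf (Leaf1)
- Communication still starts with a Layer-2 → Layer-3 transition
- NDP is triggered (neighbor resolution for the default gateway and for the destination host)
- EVPN Type 2 (MAC + IPv6) route generation is triggered
- VXLAN encapsulation is not triggered
👉 IPv6 Layer-3 communication likewise has to complete the "host → gateway" Layer-2 resolution first.
The only difference is that NDP (Neighbor Discovery Protocol) does this instead of ARP.
Phase 1: Serv1 resolves the MAC of its IPv6 default gateway (the real starting point of Layer-3 communication)
This is a preliminary phase that cannot be skipped in IPv6 either.
1️⃣ Serv1 sends a Neighbor Solicitation (NS)
- Serv1 determines that the destination 10:10:10::10 is not in its local prefix
- The packet has to be handed to the default gateway 172:16:1::1
- But the local Neighbor Cache has no entry for it yet
So Serv1 sends an NDP Neighbor Solicitation:
- Packet semantics: "Who has 172:16:1::1? Tell 172:16:1::10"
- Packet characteristics:
  - SMAC = Serv1
  - DMAC = Solicited-Node Multicast
  - SIP = 172:16:1::10
  - DIP = FF02::1:FFxx:xxxx
- In essence this still has Layer-2 flooding semantics (IPv6 multicast)
2️⃣ Leaf1 receives the NS (it hits the Anycast Gateway)
- Leaf1 receives the NS in VLAN 10 / BD100
- It finds that the target IPv6 address 172:16:1::1 is:
  - The locally configured Anycast Gateway IPv6 address
Leaf1's behaviour:
- It does not flood
- It answers locally
3️⃣ Leaf1 replies with a Neighbor Advertisement (NA)
- Leaf1 builds the NA:
  - "172:16:1::1 is at Anycast GW MAC"
- It is returned to Serv1 as unicast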
# Leaf1 replies with a Neighbor Advertisement (NA)
Frame 5: Packet, 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: 00:01:00:01:00:01, Dst: 40:3f:ab:de:4d:11
802.1Q Virtual LAN, PRI: 6, DEI: 0, ID: 10
Internet Protocol Version 6, Src: 172:16:1::1, Dst: 172:16:1::10
Internet Control Message Protocol v6
Type: Neighbor Advertisement (136)
Code: 0
Checksum: 0x90f3 [correct]
[Checksum Status: Good]
Flags: 0xe0000000, Router, Solicited, Override
1... .... .... .... .... .... .... .... = Router: Set
.1.. .... .... .... .... .... .... .... = Solicited: Set
..1. .... .... .... .... .... .... .... = Override: Set
...0 0000 0000 0000 0000 0000 0000 0000 = Reserved: 0
Target Address: 172:16:1::1
ICMPv6 Option (Target link-layer address : 00:01:00:01:00:01)
Type: Target link-layer address (2)
Length: 1 (8 bytes)
Link-layer address: 00:01:00:01:00:01
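🔑 Key point: the moment the EVPN Type 2 (MAC + IPv6) route is generated
At the very moment Leaf1 receives the NS from Serv1, it completes three things at once:
✅ ① Local MAC learning (data plane)
- It learns in the BD100 MAC table: Serv1 MAC → local access interface
✅ ② IPv6 Neighbor Cache learning (IP → MAC)
- It records on VBDIF100 (the IPv6 Layer-3 interface): 172:16:1::10 → Serv1 MAC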
# IPv6 Neighbor Cache learning (IP → MAC)
[Leaf1]dis ipv6 neighbors 172:16:1::10
-----------------------------------------------------------------------------
IPv6 Address : 172:16:1::10
Link-layer : 403f-abde-4d11 State : REACH
Interface : GE1/0/2.1 Age : 0
VLAN : 10 CEVLAN : -
VPN name : vpn1 Is Router : FALSE
Secure FLAG : UN-SECURE Nickname : -
Source IP : -
Destination IP: -
VNI : - BD : 100
-----------------------------------------------------------------------------
Total: 1 Dynamic: 1 Static: 0 Remote: 0
[Leaf1]
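✅ ③ Trigger generation of the EVPN Type 2 (MAC + IPv6) route (control plane)
Because:
- BD100 is bound to L2VNI 8000
- VRF vpn1 is bound to L3VNI 100
- IPv6 Host Collect / ND synchronization is enabled
👉 Leaf1 generates an EVPN Type 2 (MAC + IPv6) route:
"Host 172:16:1::10 / MAC Serv1 is in L2VNI 8000 / L3VNI 100, and its VTEP is 20.20.20.20"
and advertises it to the other Leafs through BGP EVPN.
An EVPN Type 2 MAC route is generated at the same time.
📌 The same conclusion as in IPv4
- Whether the traffic crosses Leafs: ❌ irrelevant
- Whether VXLAN is used: ❌ irrelevant
- It depends only on whether the Leaf has, for the first time, fully learned the host's MAC / IPv6 address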
# Leaf1 generates an EVPN Type 2 (MAC + IPv6) route and, at the same time, an EVPN Type 2 MAC route.
Frame 12: Packet, 313 bytes on wire (2504 bits), 313 bytes captured (2504 bits)
Ethernet II, Src: fa:e8:d2:bf:00:22, Dst: fa:e8:d2:bf:00:12
Internet Protocol Version 4, Src: 2.2.2.2, Dst: 1.1.1.1
Transmission Control Protocol, Src Port: 54133, Dst Port: 179, Seq: 1, Ack: 1, Len: 259
Border Gateway Protocol - UPDATE Message
Marker: ffffffffffffffffffffffffffffffff
Length: 147
Type: UPDATE Message (2)
Withdrawn Routes Length: 0
Total Path Attribute Length: 124
Path attributes
Path Attribute - ORIGIN: IGP
Path Attribute - AS_PATH: empty
Path Attribute - LOCAL_PREF: 100
Path Attribute - EXTENDED_COMMUNITIES
Flags: 0xc0, Optional, Transitive, Complete
Type Code: EXTENDED_COMMUNITIES (16)
Length: 40
Carried extended communities: (5 communities)
Route Target: 100:10 [Transitive 2-Octet AS-Specific]
Route Target: 200:10 [Transitive 2-Octet AS-Specific]
Encapsulation: VXLAN Encapsulation [Transitive Opaque]
Type: Transitive Opaque (0x03)
Subtype (Opaque): Encapsulation (0x0c)
Tunnel type: VXLAN Encapsulation (8)
EVPN Router's MAC: Router's MAC: fa:e8:d2:bf:00:21 [Transitive EVPN]
Type: Transitive EVPN (0x06)
Subtype (EVPN): EVPN Router's MAC (0x03)
Router's MAC: fa:e8:d2:bf:00:21
ARP/ND: 0x0200 0x0000 0x0000 [Transitive EVPN]
Type: Transitive EVPN (0x06)
0... .... = IANA Authority: Allocated on First Come First Serve Basis
.0.. .... = Transitive across ASes: Transitive
Subtype (EVPN): ARP/ND (0x08)
Raw Value: 0x0200 0x0000 0x0000
Path Attribute - MP_REACH_NLRI
Flags: 0x90, Optional, Extended-Length, Non-transitive, Complete
Type Code: MP_REACH_NLRI (14)
Length: 63
Address family identifier (AFI): Layer-2 VPN (25)
Subsequent address family identifier (SAFI): EVPN (70)
Next hop: 20.20.20.20
IPv4 Address: 20.20.20.20
Number of Subnetwork points of attachment (SNPA): 0
Network Layer Reachability Information (NLRI)
EVPN NLRI: MAC Advertisement Route
Route Type: MAC Advertisement Route (2)
Length: 52
Route Distinguisher: 0000001400000001 (20:1)
ESI: 00:00:00:00:00:00:00:00:00:00
Ethernet Tag ID: 0
MAC Address Length: 48
MAC Address: 40:3f:ab:de:4d:11
IP Address Length: 128
IPv6 address: 172:16:1::10
VNI: 8000
VNI: 100
Border Gateway Protocol - UPDATE Message
Marker: ffffffffffffffffffffffffffffffff
Length: 112
Type: UPDATE Message (2)
Withdrawn Routes Length: 0
Total Path Attribute Length: 89
Path attributes
Path Attribute - ORIGIN: IGP
Path Attribute - AS_PATH: empty
Path Attribute - LOCAL_PREF: 100
Path Attribute - EXTENDED_COMMUNITIES
Path Attribute - MP_REACH_NLRI
Flags: 0x90, Optional, Extended-Length, Non-transitive, Complete
Type Code: MP_REACH_NLRI (14)
Length: 44
Address family identifier (AFI): Layer-2 VPN (25)
Subsequent address family identifier (SAFI): EVPN (70)
Next hop: 20.20.20.20
Number of Subnetwork points of attachment (SNPA): 0
Network Layer Reachability Information (NLRI)
EVPN NLRI: MAC Advertisement Route
Route Type: MAC Advertisement Route (2)
Length: 33
Route Distinguisher: 0000001400000001 (20:1)
ESI: 00:00:00:00:00:00:00:00:00:00
Ethernet Tag ID: 0
MAC Address Length: 48
MAC Address: 40:3f:ab:de:4d:11
IP Address Length: 0
IP Address: NOT INCLUDED
VNI: 8000
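The two NLRI lengths in the capture above (33 and 52) follow directly from the Type 2 field layout. The parser below decodes that layout and tells a MAC-only route from a MAC + IPv6 route; it is an added example, not part of the original article. The function names are assumptions, the input bytes are re-encoded from the decoded fields shown in the capture rather than copied from the wire, and the label fields are read as plain 24-bit VNIs, which is how VXLAN encapsulation carries them.

```python
import ipaddress
import struct


def encode_type2(rd, mac, ip, vnis):
    """Encode an EVPN MAC Advertisement (Type 2) NLRI from decoded fields."""
    admin, assigned = (int(x) for x in rd.split(":"))
    body = struct.pack("!HHI", 0, admin, assigned)   # RD type 0: 2-byte AS, 4-byte number
    body += bytes(10)                                # ESI, all zero as in the capture
    body += struct.pack("!I", 0)                     # Ethernet Tag ID
    body += bytes([48]) + bytes.fromhex(mac.replace(":", ""))
    ip_bytes = ipaddress.ip_address(ip).packed if ip else b""
    body += bytes([len(ip_bytes) * 8]) + ip_bytes    # IP length is given in bits
    for vni in vnis:
        body += vni.to_bytes(3, "big")               # 24-bit VNI in each label field
    return bytes([2, len(body)]) + body


def parse_type2(nlri):
    """Decode one Type 2 NLRI and return its fields as a dict."""
    route_type, length = nlri[0], nlri[1]
    body = nlri[2:]
    if route_type != 2:
        raise ValueError(f"route type {route_type} is not a MAC Advertisement")
    if len(body) != length or length < 33:
        raise ValueError("NLRI is truncated or its length field is wrong")
    _rd_type, admin, assigned = struct.unpack("!HHI", body[:8])
    (eth_tag,) = struct.unpack("!I", body[18:22])
    if body[22] != 48:
        raise ValueError("MAC address length must be 48 bits")
    mac = ":".join(f"{b:02x}" for b in body[23:29])
    ip_bits = body[29]
    if ip_bits not in (0, 32, 128):
        raise ValueError(f"unexpected IP address length {ip_bits}")
    end_ip = 30 + ip_bits // 8
    ip = str(ipaddress.ip_address(body[30:end_ip])) if ip_bits else None
    labels = body[end_ip:]
    if len(labels) not in (3, 6):
        raise ValueError("expected one or two 3-byte label fields")
    vnis = [int.from_bytes(labels[i:i + 3], "big") for i in range(0, len(labels), 3)]
    return {
        "kind": "MAC+IP" if ip else "MAC-only",
        "rd": f"{admin}:{assigned}",
        "esi": body[8:18].hex(),
        "eth_tag": eth_tag,
        "mac": mac,
        "ip": ip,
        "l2vni": vnis[0],                            # first label: the bridge domain's VNI
        "l3vni": vnis[1] if len(vnis) == 2 else None,  # second label: the VRF's VNI
    }


# Re-encoded from the fields in the capture: the two routes Leaf1 sends for Serv1.
MAC_ONLY = encode_type2("20:1", "40:3f:ab:de:4d:11", None, [8000])
MAC_IPV6 = encode_type2("20:1", "40:3f:ab:de:4d:11", "172:16:1::10", [8000, 100])


def is_rejected(nlri):
    """True when parse_type2 refuses the input."""
    try:
        parse_type2(nlri)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for nlri in (MAC_ONLY, MAC_IPV6):
        print(nlri[1], parse_type2(nlri))
    print("truncated input rejected:", is_rejected(MAC_IPV6[:-3]))
```

The fixed part is 30 bytes (RD 8, ESI 10, Ethernet Tag 4, MAC length 1, MAC 6, IP length 1); one label gives 33, and a 16-byte IPv6 address plus a second label gives 52.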
Phase 2: Serv1 sends the ICMPv6 Echo Request
- Serv1 now has:
  - The gateway IPv6 → MAC mapping
- It sends the actual ICMPv6 Echo Request:
Packet characteristics:
- SMAC = Serv1
- DMAC = Anycast Gateway MAC
- SIP = 172:16:1::10
- DIP = 10:10:10::10
- Next Header = ICMPv6
# Serv1 sends the ICMPv6 Echo Request
Frame 7: Packet, 122 bytes on wire (976 bits), 122 bytes captured (976 bits)
Ethernet II, Src: 40:3f:ab:de:4d:11, Dst: 00:01:00:01:00:01
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 10
Internet Protocol Version 6, Src: 172:16:1::10, Dst: 10:10:10::10
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
.... 1101 1000 0010 1011 0000 = Flow Label: 0xd82b0
Payload Length: 64
Next Header: ICMPv6 (58)
Hop Limit: 64
Source Address: 172:16:1::10
Destination Address: 10:10:10::10
[Stream index: 4]
Internet Control Message Protocol v6
Type: Echo (ping) request (128)
Code: 0
Checksum: 0x3e9a [correct]
[Checksum Status: Good]
Identifier: 0x0003
Sequence: 1
[No response seen] # The first ping usually times out, because the gateway for the destination subnet still has to resolve the destination's MAC.
Timestamp from Echo data: Jan 19, 2026 05:52:06.293896000 中国标准时间
[Timestamp from Echo data (relative): 863.845000 milliseconds]
HiPerConTracer Trace Service
Magic Number: 0x10111213
Send TTL: 20
Round: 21
Checksum Tweak: 0x1617
Send Time Stamp: Oct 8, 2031 18:37:15.066146335 UTC
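Phase 3: Leaf1 finds that Serv2 is a locally attached host but does not yet know its MAC
1️⃣ Leaf1 route lookup: Serv2 is confirmed as directly connected
- Leaf1 looks up VRF vpn1 (IPv6 RIB):
    10:10:10::10/128 Direct VBDIF200
Leaf1 now knows:
- Serv2 is on the local Leaf
- VXLAN is not needed
- The next hop is VBDIF200
❗ Key question: does Leaf1 already know Serv2's MAC?
Answer: not necessarily.
On first communication:
- Known:
  - The IPv6 address is directly connected
- Not yet known:
  - 10:10:10::10 → MAC
2️⃣ Leaf1 sends a Neighbor Solicitation (querying Serv2's MAC)
- Leaf1 acts as the IPv6 gateway
- It sends an NS in VLAN 20 / BD200: "Who has 10:10:10::10? Tell 10:10:10::1"
- Packet characteristics:
  - SMAC = Anycast Gateway MAC
  - DMAC = Solicited-Node Multicast
  - SIP = 10:10:10::1
📌 This is NDP initiated by the Leaf itself in its role as Layer-3 gateway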
# Leaf1 sends a Neighbor Solicitation (querying Serv2's MAC)
Frame 8: Packet, 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: 00:02:00:02:00:02, Dst: 33:33:ff:00:00:10
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 20
Internet Protocol Version 6, Src: 10:10:10::1, Dst: ff02::1:ff00:10
0110 .... = Version: 6
.... 1100 0000 .... .... .... .... .... = Traffic Class: 0xc0 (DSCP: CS6, ECN: Not-ECT)
.... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
Payload Length: 32
Next Header: ICMPv6 (58)
Hop Limit: 255
Source Address: 10:10:10::1
Destination Address: ff02::1:ff00:10
[Stream index: 5]
Internet Control Message Protocol v6
Type: Neighbor Solicitation (135)
Code: 0
Checksum: 0x7918 [correct]
[Checksum Status: Good]
Reserved: 00000000
Target Address: 10:10:10::10
ICMPv6 Option (Source link-layer address : 00:02:00:02:00:02)
Type: Source link-layer address (1)
Length: 1 (8 bytes)
Link-layer address: 00:02:00:02:00:02
3️⃣ Serv2 returns a Neighbor Advertisement
- Serv2 replies with an NA:
  - "10:10:10::10 is at "
- It is returned to Leaf1 as unicast
# Serv2 returns a Neighbor Advertisement
Frame 9: Packet, 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: 76:4e:c0:14:7d:7a, Dst: 00:02:00:02:00:02
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 20
Internet Protocol Version 6, Src: 10:10:10::10, Dst: 10:10:10::1
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
.... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
Payload Length: 32
Next Header: ICMPv6 (58)
Hop Limit: 255
Source Address: 10:10:10::10
Destination Address: 10:10:10::1
[Stream index: 6]
Internet Control Message Protocol v6
Type: Neighbor Advertisement (136)
Code: 0
Checksum: 0x6115 [correct]
[Checksum Status: Good]
Flags: 0x60000000, Solicited, Override
0... .... .... .... .... .... .... .... = Router: Not set
.1.. .... .... .... .... .... .... .... = Solicited: Set
..1. .... .... .... .... .... .... .... = Override: Set
...0 0000 0000 0000 0000 0000 0000 0000 = Reserved: 0
Target Address: 10:10:10::10
ICMPv6 Option (Target link-layer address : 76:4e:c0:14:7d:7a)
Type: Target link-layer address (2)
Length: 1 (8 bytes)
Link-layer address: 76:4e:c0:14:7d:7a
4️⃣ Leaf1 completes local symmetric IPv6 learning
After receiving the NA, Leaf1 completes both of the following:
✅ MAC table learning
- BD200: Serv2 MAC → local interface
✅ IPv6 Neighbor Cache
- VBDIF200: 10:10:10::10 → Serv2 MAC
# IPv6 Neighbor Cache
[Leaf1]dis ipv6 neighbors 10:10:10::10
-----------------------------------------------------------------------------
IPv6 Address : 10:10:10::10
Link-layer : 764e-c014-7d7a State : REACH
Interface : GE1/0/2.2 Age : 0
VLAN : 20 CEVLAN : -
VPN name : vpn1 Is Router : FALSE
Secure FLAG : UN-SECURE Nickname : -
Source IP : -
Destination IP: -
VNI : - BD : 200
-----------------------------------------------------------------------------
Total: 1 Dynamic: 1 Static: 0 Remote: 0
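🔔 Is an EVPN Type 2 (MAC + IPv6) route triggered?
Answer: always.
Because:
- BD200 is bound to L2VNI 9000
- VRF vpn1 is bound to L3VNI 100
👉 Leaf1 likewise generates:
- An EVPN Type 2 (MAC + IPv6) route
  - 10:10:10::10 / MAC Serv2
  - Next-hop VTEP = 20.20.20.20
and advertises it to the other Leafs.
📌 Even though Serv1 and Serv2 are on the same Leaf, the EVPN control plane still has to maintain a consistent, fabric-wide view of reachability.
Phase 4: Leaf1 performs the actual Layer-3 forwarding
At this point:
- Serv1 → gateway: the gateway MAC is resolved
- Gateway → Serv2: Serv2's MAC is resolved
Leaf1 performs the actual IPv6 Layer-3 forwarding:
- Rewrites the Layer-2 MAC addresses
- Decrements the Hop Limit by 1
- Forwards the ICMPv6 Echo Request to Serv2
Scenario 2 (IPv6) summary
IPv6 does not change EVPN's convergence philosophy; it only swaps the "trigger tool".
- IPv6 Layer-3 communication ≠ no Layer-2 resolution needed
- NDP (NS / NA):
  - Takes over the role of ARP in IPv6
- Every first complete identification of a host's MAC + IPv6
  - Triggers an EVPN Type 2 (MAC + IPv6) route
- Whether VXLAN encapsulation is applied
  - Depends only on whether the next hop is a remote VTEP
- The EVPN control plane
  - Still converges earlier than the data plane, paving the way for future cross-Leaf traffic
Scenario 3 (IPv6): Layer-3 connectivity across Leafs and across subnets
Inter-Leaf Inter-Subnet Routing over EVPN VXLAN (IPv6, Symmetric IRB)
Traffic path
Serv1 → Serv4
- Serv1: 172:16:1::10 (Leaf1)
- Serv4: 10:10:10::20 (Leaf2)
Traffic characteristics
- Source and destination IPv6 addresses are in different prefixes
- They attach to different Leafs
- Every Leaf deploys the Anycast IPv6 Gateway
- EVPN VXLAN + Symmetric IRB is used
- On first communication the control-plane information is not yet complete
- One round of cross-Leaf NDP (NS/NA) resolution takes place
- Once neighbor convergence completes, subsequent traffic uses deterministic IPv6 unicast forwarding
Phase 1: Serv1 initiates cross-prefix communication (host-side behaviour)
Serv1 evaluates the destination IPv6 address 10:10:10::20:
- It is not in the local prefix 172:16:1::/64
- The default gateway is 172:16:1::1
Because this is a brand-new communication:
- Serv1's Neighbor Cache has no entry yet for: 172:16:1::1 → MAC
So Serv1 sends a Neighbor Solicitation (NS):
    Who has 172:16:1::1?
    Tell 172:16:1::10
Leaf1, as the Anycast IPv6 Gateway:
- Answers locally with a Neighbor Advertisement (NA)
- And in the process completes:
  - Learning of Serv1's MAC / IPv6
  - Triggering of the EVPN Type 2 (MAC + IPv6, Serv1) route
📌 This mechanism is fully equivalent to the "host → gateway NDP" in IPv4 Scenario 2 / Scenario 3 and is not expanded on here.
Phase 2: Leaf1 looks up the IPv6 route and confirms the destination prefix is a "directly connected subnet"
Serv1 then sends the ICMPv6 Echo Request:
    SIP = 172:16:1::10
    DIP = 10:10:10::20
    DMAC = Anycast Gateway MAC
After receiving the packet, Leaf1:
1️⃣ Enters the IPv6 forwarding table of VRF vpn1
2️⃣ Looks up the destination address 10:10:10::20
It hits a directly connected prefix route:
    10:10:10::/64 Direct VBDIF200
Leaf1's assessment at this point:
- The destination prefix 10:10:10::/64 is a locally connected subnet
- The default gateway address is 10:10:10::1
- But Serv4's MAC is not yet known
Phase 3: Leaf1 initiates NDP to resolve the MAC of the remote Serv4
This is the most critical step in the IPv6 scenario, and the one most easily overlooked.
Because:
- Leaf1 has to deliver the packet to 10:10:10::20
- But the Neighbor Cache has no entry yet for: 10:10:10::20 → MAC
👉 Leaf1 must actively send a Neighbor Solicitation:
    Who has 10:10:10::20?
    Tell 10:10:10::1
What happens to this NS
- The NS belongs to:
  - BD200 / L2VNI (the broadcast domain of 10:10:10::/64)
- Leaf1 looks up the flooding scope of that L2VNI
- Based on EVPN Type 3 (IMET)
- Using VXLAN with the L2VNI:
  - It sends the NS to Leaf2
📌 Note
In this phase:
- It is not the L3VNI
- It is not unicast
It is a standard round of:
cross-Leaf IPv6 Layer-2 neighbor-discovery flooding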
# Leaf1 initiates NDP to resolve the MAC of the remote Serv4
Frame 20: Packet, 136 bytes on wire (1088 bits), 136 bytes captured (1088 bits)
Ethernet II, Src: fa:e8:d2:bf:00:22, Dst: fa:e8:d2:bf:00:12
Internet Protocol Version 4, Src: 20.20.20.20, Dst: 30.30.30.30
User Datagram Protocol, Src Port: 4789, Dst Port: 4789
Virtual eXtensible Local Area Network
Flags: 0x0800, VXLAN Network ID (VNI)
Group Policy ID: 0
VXLAN Network Identifier (VNI): 9000
Reserved: 0
Ethernet II, Src: 00:02:00:02:00:02, Dst: 33:33:ff:00:00:20
Internet Protocol Version 6, Src: 10:10:10::1, Dst: ff02::1:ff00:20
0110 .... = Version: 6
.... 1100 0000 .... .... .... .... .... = Traffic Class: 0xc0 (DSCP: CS6, ECN: Not-ECT)
.... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
Payload Length: 32
Next Header: ICMPv6 (58)
Hop Limit: 255
Source Address: 10:10:10::1
Destination Address: ff02::1:ff00:20
[Stream index: 2]
Internet Control Message Protocol v6
Type: Neighbor Solicitation (135)
Code: 0
Checksum: 0x78f8 [correct]
[Checksum Status: Good]
Reserved: 00000000
Target Address: 10:10:10::20
ICMPv6 Option (Source link-layer address : 00:02:00:02:00:02)
Type: Source link-layer address (1)
Length: 1 (8 bytes)
Link-layer address: 00:02:00:02:00:02
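Phase 4: Leaf2 receives the NS and the request reaches Serv4
1️⃣ Leaf2 receives the VXLAN packet
2️⃣ The L2VNI maps to the local BD
3️⃣ The NS is flooded within the BD
4️⃣ Serv4 receives the Neighbor Solicitation:
    Who has 10:10:10::20?
Phase 5: Serv4 replies with an NA, triggering learning on Leaf2 and the EVPN advertisement
Serv4 returns a Neighbor Advertisement (NA) as unicast. It is received and processed by the gateway on Leaf2, not the gateway on Leaf1, which is one of the reasons for having a distributed gateway:
    10:10:10::20 is at <Serv4 MAC>
At this moment Leaf2 completes three key things:
✅ ① Local MAC learning (data plane)
- It learns in BD200: Serv4 MAC → local access interface
This also satisfies the condition for generating an EVPN Type 2 route.
✅ ② IPv6 Neighbor Cache learning (IP → MAC)
- On the Anycast Gateway interface 10:10:10::1:
  - It learns 10:10:10::20 → Serv4 MAC
✅ ③ Trigger generation of the EVPN Type 2 (MAC + IPv6) route
Because:
- The BD is bound to the L2VNI
- The VRF is bound to the L3VNI
- IPv6 Host Collect / ND synchronization is enabled
👉 Leaf2 generates an EVPN Type 2 (MAC + IPv6) route:
    10:10:10::20 / MAC Serv4
    Next-hop VTEP = 30.30.30.30
and advertises it to Leaf1 through BGP EVPN.
📌 Key point
This Type 2 route:
- Is always produced by the Leaf to which the host first actually attaches (Leaf2)
- And always after NDP has fully converged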
# Leaf2 generates the EVPN Type 2 (MAC + IPv6) route and the MAC route, and advertises them to Leaf1 through BGP EVPN.
Frame 21: Packet, 341 bytes on wire (2728 bits), 341 bytes captured (2728 bits)
Ethernet II, Src: fa:e8:d2:bf:00:12, Dst: fa:e8:d2:bf:00:22
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
Transmission Control Protocol, Src Port: 179, Dst Port: 54133, Seq: 438, Ack: 396, Len: 287
Border Gateway Protocol - UPDATE Message
Marker: ffffffffffffffffffffffffffffffff
Length: 126
Type: UPDATE Message (2)
Withdrawn Routes Length: 0
Total Path Attribute Length: 103
Path attributes
Path Attribute - ORIGIN: IGP
Path Attribute - AS_PATH: empty
Path Attribute - LOCAL_PREF: 100
Path Attribute - ORIGINATOR_ID: 3.3.3.3
Path Attribute - CLUSTER_LIST: 1.1.1.1
Path Attribute - EXTENDED_COMMUNITIES
Flags: 0xc0, Optional, Transitive, Complete
Type Code: EXTENDED_COMMUNITIES (16)
Length: 24
Carried extended communities: (3 communities)
Route Target: 100:20 [Transitive 2-Octet AS-Specific]
Route Target: 200:10 [Transitive 2-Octet AS-Specific]
Encapsulation: VXLAN Encapsulation [Transitive Opaque]
Path Attribute - MP_REACH_NLRI
Flags: 0x90, Optional, Extended-Length, Non-transitive, Complete
Type Code: MP_REACH_NLRI (14)
Length: 44
Address family identifier (AFI): Layer-2 VPN (25)
Subsequent address family identifier (SAFI): EVPN (70)
Next hop: 30.30.30.30
Number of Subnetwork points of attachment (SNPA): 0
Network Layer Reachability Information (NLRI)
EVPN NLRI: MAC Advertisement Route
Route Type: MAC Advertisement Route (2)
Length: 33
Route Distinguisher: 0000001e00000002 (30:2)
ESI: 00:00:00:00:00:00:00:00:00:00
Ethernet Tag ID: 0
MAC Address Length: 48
MAC Address: 38:05:60:49:71:64
IP Address Length: 0
IP Address: NOT INCLUDED
VNI: 9000
Border Gateway Protocol - UPDATE Message
Marker: ffffffffffffffffffffffffffffffff
Length: 161
Type: UPDATE Message (2)
Withdrawn Routes Length: 0
Total Path Attribute Length: 138
Path attributes
Path Attribute - ORIGIN: IGP
Path Attribute - AS_PATH: empty
Path Attribute - LOCAL_PREF: 100
Path Attribute - ORIGINATOR_ID: 3.3.3.3
Path Attribute - CLUSTER_LIST: 1.1.1.1
Path Attribute - EXTENDED_COMMUNITIES
Flags: 0xc0, Optional, Transitive, Complete
Type Code: EXTENDED_COMMUNITIES (16)
Length: 40
Carried extended communities: (5 communities)
Route Target: 100:20 [Transitive 2-Octet AS-Specific]
Route Target: 200:10 [Transitive 2-Octet AS-Specific]
Encapsulation: VXLAN Encapsulation [Transitive Opaque]
EVPN Router's MAC: Router's MAC: fa:e8:d2:bf:00:31 [Transitive EVPN]
ARP/ND: 0x0200 0x0000 0x0000 [Transitive EVPN]
Type: Transitive EVPN (0x06)
Subtype (EVPN): ARP/ND (0x08)
Raw Value: 0x0200 0x0000 0x0000
Path Attribute - MP_REACH_NLRI
Flags: 0x90, Optional, Extended-Length, Non-transitive, Complete
Type Code: MP_REACH_NLRI (14)
Length: 63
Address family identifier (AFI): Layer-2 VPN (25)
Subsequent address family identifier (SAFI): EVPN (70)
Next hop: 30.30.30.30
Number of Subnetwork points of attachment (SNPA): 0
Network Layer Reachability Information (NLRI)
EVPN NLRI: MAC Advertisement Route
Route Type: MAC Advertisement Route (2)
Length: 52
Route Distinguisher: 0000001e00000002 (30:2)
ESI: 00:00:00:00:00:00:00:00:00:00
Ethernet Tag ID: 0
MAC Address Length: 48
MAC Address: 38:05:60:49:71:64
IP Address Length: 128
IPv6 address: 10:10:10::20
VNI: 9000
VNI: 100
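Phase 6: Leaf1 receives the Type 2 (MAC/IPv6) route and communication becomes deterministic
Leaf1 receives through BGP EVPN:
    10:10:10::20/128 → VTEP 30.30.30.30
At this point:
- Leaf1 knows Serv4's location completely
- The IPv6 forwarding table gains:
  - An IPv6 host route learned from EVPN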
# Leaf1 now knows Serv4's location completely
[Leaf1]dis ipv6 routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpn1
Destinations : 8 Routes : 8
...
Destination : 10:10:10::20 PrefixLength : 128
NextHop : ::FFFF:30.30.30.30 Preference : 255
Cost : 0 Protocol : IBGP
RelayNextHop : :: TunnelID : 0x0000000027f0000001
Interface : VXLAN Flags : RD
Phase 7: subsequent ICMPv6 packets are forwarded using the EVPN host route
From now on, when Leaf1 again receives an ICMPv6 Echo Request from Serv1:
- IPv6 route lookup:
  - Hits 10:10:10::20/128 (EVPN)
- Decision:
  - The next hop is a remote VTEP (Leaf2)
Leaf1 performs VXLAN encapsulation:
    VNI = L3VNI 100
    Outer Src IP = 20.20.20.20
    Outer Dst IP = 30.30.30.30
    Inner Payload = IPv6 Packet
and sends the packet as unicast to Leaf2.
# Serv1's ICMPv6 Echo Request: Leaf1 performs VXLAN encapsulation and sends the packet as unicast to Leaf2
Frame 23: Packet, 168 bytes on wire (1344 bits), 168 bytes captured (1344 bits)
Ethernet II, Src: fa:e8:d2:bf:00:22, Dst: fa:e8:d2:bf:00:12
Internet Protocol Version 4, Src: 20.20.20.20, Dst: 30.30.30.30
User Datagram Protocol, Src Port: 4789, Dst Port: 4789
Virtual eXtensible Local Area Network
Flags: 0x0800, VXLAN Network ID (VNI)
Group Policy ID: 0
VXLAN Network Identifier (VNI): 100
Reserved: 0
Ethernet II, Src: 00:01:00:01:00:01, Dst: fa:e8:d2:bf:00:31
Destination: fa:e8:d2:bf:00:31 # EVPN Router's MAC: fa:e8:d2:bf:00:31, carried over by the Type 2 MAC/IP route
Source: 00:01:00:01:00:01
Type: IPv6 (0x86dd)
[Stream index: 7]
Internet Protocol Version 6, Src: 172:16:1::10, Dst: 10:10:10::20
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
.... 0000 1001 1110 0101 1101 = Flow Label: 0x09e5d
Payload Length: 64
Next Header: ICMPv6 (58)
Hop Limit: 63
Source Address: 172:16:1::10
Destination Address: 10:10:10::20
[Stream index: 3]
Internet Control Message Protocol v6
Type: Echo (ping) request (128)
Code: 0
Checksum: 0x8da8 [correct]
[Checksum Status: Good]
Identifier: 0x0004
Sequence: 2
[Response In: 25]
Timestamp from Echo data: Jan 19, 2026 06:28:38.807713000 中国标准时间
[Timestamp from Echo data (relative): 8.903000 milliseconds]
HiPerConTracer Trace Service
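After decapsulation, Leaf2:
- Looks up its local directly connected IPv6 route
- Rewrites the Layer-2 header
- Delivers the ICMPv6 packet to Serv4
Scenario 3 (IPv6) summary
This IPv6 scenario reveals a fact that is exactly the same as in IPv4 but is often overlooked:
1️⃣ Cross-Leaf, cross-prefix communication is always "non-deterministic" the first time
- Before the EVPN IPv6 host route is established:
  - The Leaf has to rely on NDP
  - NDP may be flooded across Leafs (L2VNI + Type 3)
2️⃣ The EVPN Type 2 (MAC + IPv6) route does not "exist from the start"
- It is always:
  - Produced by the Leaf to which the host first actually attaches
  - After NDP has converged (that is, once the Neighbor Cache entry exists, analogous to the ARP cache)
  - And only then generated and advertised
3️⃣ Real VXLAN Layer-3 unicast is the "second half of the story"
- Neighbor-discovery phase:
  - L2VNI + Type 3 (IMET)
- Service-forwarding phase:
  - L3VNI + Type 2 (MAC + IPv6) (that is, the data plane forwards according to the host route that was generated)
4️⃣ The real value of Symmetric IRB (it holds for IPv6 as well)
It allows:
- The initial phase to rely on flooding (NDP)
- Once the host has been learned, the whole fabric to switch immediately to:
  fast, deterministic, flood-free IPv6 Layer-3 unicast
Scenario 4 (IPv6): north-south traffic
North-South Traffic via Border Leaf (IPv6)
Traffic path:
Serv1 → R1
- Serv1: 172:16:1::10/64 (IPv6 host inside the tenant)
- R1: 182:1:1::2/64 (external IPv6 network / Internet)
Traffic characteristics (IPv6 view)
- The source IPv6 address is in the EVPN VXLAN tenant
- The destination IPv6 address is outside the VXLAN fabric
- Traffic has to pass through the Border Leaf (BL1)
- The control plane relies on EVPN Type 5 (IPv6 Prefix Route)
- The data plane is VXLAN Layer-3 forwarding
- This is the typical IPv6 north-south traffic model
📌 IPv6 semantics reminder
- IPv6 has no ARP
- It uses NDP (NS / NA)
- Type 5 can carry IPv6 prefixes (/64, /48 and so on)
Phase 1: the Border Leaf generates and advertises the IPv6 EVPN Type 5 route
The real starting point of north-south communication still lies before any service traffic appears.
1️⃣ The Border Leaf learns external IPv6 routes
- BL1 establishes an IPv6 Layer-3 adjacency with the external router R1
- It learns external IPv6 prefixes from R1, for example:
    182:1:1::/64
2️⃣ The Border Leaf injects the IPv6 prefix into EVPN
In VRF vpn1 on BL1, configure:
    advertise l2vpn evpn
BL1 generates an EVPN Type 5 (IPv6 Prefix Route):
    Prefix: 182:1:1::/64
    L3VNI: 100
    Next-hop VTEP: 40.40.40.40
and advertises it to all Leafs through BGP EVPN (via the Spine RR).
📌 What Type 5 really is (stated once more)
- It carries no MAC
- It does not care about Layer-2 neighbors
- It answers only one question:
  "For this IPv6 prefix, who is the next hop in the overlay?"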
# EVPN Type 5 (IPv6 Prefix Route)
Frame 12: Packet, 272 bytes on wire (2176 bits), 272 bytes captured (2176 bits)
Ethernet II, Src: fa:e8:d2:bf:00:12, Dst: fa:e8:d2:bf:00:22
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
Transmission Control Protocol, Src Port: 179, Dst Port: 54133, Seq: 20, Ack: 1, Len: 218
Border Gateway Protocol - UPDATE Message
Marker: ffffffffffffffffffffffffffffffff
Length: 218
Type: UPDATE Message (2)
Withdrawn Routes Length: 0
Total Path Attribute Length: 195
Path attributes
Path Attribute - ORIGIN: INCOMPLETE
Path Attribute - AS_PATH: empty
Path Attribute - MULTI_EXIT_DISC: 0
Path Attribute - LOCAL_PREF: 100
Path Attribute - ORIGINATOR_ID: 4.4.4.4
Path Attribute - CLUSTER_LIST: 1.1.1.1
Path Attribute - EXTENDED_COMMUNITIES
Flags: 0xc0, Optional, Transitive, Complete
Type Code: EXTENDED_COMMUNITIES (16)
Length: 24
Carried extended communities: (3 communities)
Route Target: 200:10 [Transitive 2-Octet AS-Specific]
Encapsulation: VXLAN Encapsulation [Transitive Opaque]
EVPN Router's MAC: Router's MAC: fa:e8:d2:bf:00:41 [Transitive EVPN]
Path Attribute - MP_REACH_NLRI
Flags: 0x90, Optional, Extended-Length, Non-transitive, Complete
Type Code: MP_REACH_NLRI (14)
Length: 129
Address family identifier (AFI): Layer-2 VPN (25)
Subsequent address family identifier (SAFI): EVPN (70)
Next hop: 40.40.40.40
Number of Subnetwork points of attachment (SNPA): 0
Network Layer Reachability Information (NLRI)
EVPN NLRI: IP Prefix route
Route Type: IP Prefix route (5)
Length: 58
Route Distinguisher: 0000019000000001 (400:1)
ESI: 00:00:00:00:00:00:00:00:00:00
Ethernet Tag ID: 0
IP prefix length: 128
IPv6 address: 182:1:1::1
IPv6 Gateway address: ::
VNI: 100
EVPN NLRI: IP Prefix route
Route Type: IP Prefix route (5)
Length: 58
Route Distinguisher: 0000019000000001 (400:1)
ESI: 00:00:00:00:00:00:00:00:00:00
Ethernet Tag ID: 0
IP prefix length: 64
IPv6 address: 182:1:1::
IPv6 Gateway address: ::
VNI: 100
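The 58-octet Type 5 NLRI layout behind the decode above can be checked with a small parser. This is an added example, not code from the original article; the function names are hypothetical, the sample bytes are constructed by re-encoding the decoded field values, and it assumes the VNI occupies the full 24-bit label field.

```python
import ipaddress
import struct

def build_type5_ipv6(rd_asn, rd_num, prefix, gateway, vni):
    """Encode one EVPN Type 5 NLRI for an IPv6 prefix (used to construct sample input)."""
    net = ipaddress.IPv6Network(prefix)
    body = struct.pack("!HHI", 0, rd_asn, rd_num)   # RD type 0: 2-octet ASN, 4-octet number
    body += bytes(10)                               # ESI, all zero as in the capture
    body += struct.pack("!IB", 0, net.prefixlen)    # Ethernet Tag ID 0, IP prefix length
    body += net.network_address.packed              # 16-octet IPv6 prefix
    body += ipaddress.IPv6Address(gateway).packed   # 16-octet gateway address
    body += vni.to_bytes(3, "big")                  # assumption: VNI fills the 24-bit label field
    return bytes([5, len(body)]) + body

def parse_type5_ipv6(nlri):
    """Decode every IPv6 Type 5 route in an EVPN NLRI byte string."""
    routes, off = [], 0
    while off < len(nlri):
        if len(nlri) - off < 2 or len(nlri) - off - 2 < nlri[off + 1]:
            raise ValueError("truncated NLRI")
        rtype, length = nlri[off], nlri[off + 1]
        body = nlri[off + 2:off + 2 + length]
        off += 2 + length
        if rtype != 5:
            continue                                # other EVPN route types are skipped
        if length != 58:                            # 8+10+4+1+16+16+3; an IPv4 Type 5 is 34
            raise ValueError(f"not an IPv6 Type 5 route: length {length}")
        rd_type, asn, num = struct.unpack("!HHI", body[:8])
        eth_tag, plen = struct.unpack("!IB", body[18:23])
        if rd_type != 0 or plen > 128:
            raise ValueError("unsupported RD type or bad prefix length")
        prefix = ipaddress.IPv6Network((body[23:39], plen), strict=False)
        routes.append({
            "rd": f"{asn}:{num}",
            "esi": body[8:18].hex(),
            "eth_tag": eth_tag,
            "prefix": str(prefix),
            "gateway": str(ipaddress.IPv6Address(body[39:55])),
            "vni": int.from_bytes(body[55:58], "big"),
        })
    return routes

# Constructed bytes that re-encode the two routes decoded in the capture above
SAMPLE_NLRI = (build_type5_ipv6(400, 1, "182:1:1::1/128", "::", 100)
               + build_type5_ipv6(400, 1, "182:1:1::/64", "::", 100))

if __name__ == "__main__":
    for route in parse_type5_ipv6(SAMPLE_NLRI):
        print(route)
```

The two NLRIs total 120 octets; together with AFI (2), SAFI (1), next-hop length (1), next hop (4) and SNPA count (1) that gives the MP_REACH_NLRI length of 129 shown in the capture.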
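Phase 2: Leaf1's initial state (IPv6)
Before Serv1 sends any packet, Leaf1 already holds:
- One EVPN Type 5 (IPv6) route:
```text
182:1:1::/64 → VTEP 40.40.40.40
```
Leaf1's view is:
- The destination prefix is outside the fabric
- The next hop is the Border Leaf
- It does not need to know R1's MAC
- No NDP is triggered either
📌 Type 5 = pure Layer 3 guidance. Under IPv6 this is, if anything, even "cleaner".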
```bash
# Before Serv1 sends any packet, Leaf1 already holds the relevant EVPN Type 5 (IPv6) route
[Leaf1]dis ipv6 routing-table vpn-instance vpn1 182:1:1::
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1
Destination : 182:1:1:: PrefixLength : 64
NextHop : ::FFFF:40.40.40.40 Preference : 255
Cost : 0 Protocol : IBGP
RelayNextHop : 0.0.0.0 TunnelID : 0x0000000027f0000002
Interface : VXLAN Flags : RD
[Leaf1]
```
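Phase 3: Serv1 initiates IPv6 access (host view)
Serv1 accesses the external IPv6 address:
```text
182:1:1::2
```
Host behavior:
- Determines that the destination IPv6 address is not within the local prefix 172:16:1::/64
- Sends a Neighbor Solicitation to the default gateway 172:16:1::1
- Learns the Anycast Gateway MAC
Leaf1 (Anycast Gateway):
- Replies locally with a Neighbor Advertisement
- Learns Serv1's:
  - IPv6 address
  - MAC address
- Triggers an EVPN Type 2 route (MAC + IPv6)
- Also triggers an EVPN Type 2 route (MAC only)
⚠️ The Type 2 generation mechanism was fully explained earlier and is not repeated here.
Serv1 then sends an ICMPv6 Echo Request:
```text
SIP = 172:16:1::10
DIP = 182:1:1::2
DMAC = Anycast Gateway MAC
```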
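Phase 4: Leaf1 looks up the IPv6 route and hits EVPN Type 5
Leaf1 performs an IPv6 lookup in VRF vpn1 for:
```text
182:1:1::2
```
It hits:
```text
182:1:1::/64 EVPN Type-5 → VTEP 40.40.40.40
```
Leaf1 concludes:
- The destination is outside the VXLAN fabric
- The overlay next hop is the Border Leaf
- VXLAN L3 encapsulation is required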
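Phase 5: VXLAN L3 forwarding from Leaf1 to the Border Leaf (IPv6)
Leaf1 performs VXLAN encapsulation:
- VNI = L3VNI 100
- Outer Src IP = 20.20.20.20
- Outer Dst IP = 40.40.40.40
- Inner Payload = the original IPv6 packet
📌 Note
- The L2VNI is not used
- The destination host's MAC is not carried
- This is Layer 3 overlay forwarding based entirely on Type 5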
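Phase 6: Border Leaf decapsulates and forwards to the external IPv6 network
Border Leaf processing flow:
1️⃣ Receives the VXLAN packet
2️⃣ Maps L3VNI 100 to VRF vpn1
3️⃣ Decapsulates to obtain the original IPv6 packet:
```text
SIP = 172:16:1::10
DIP = 182:1:1::2
```
BL1 looks up the VRF IPv6 routing table:
- Hits the external prefix learned from R1
- Performs ordinary IPv6 Layer 3 forwarding:
  - Hop Limit decremented by 1
  - Layer 2 MAC rewritten
- Sends the packet to R1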
Phase 7: Return traffic (External → Tenant, IPv6)
R1 replies with an ICMPv6 Echo Reply:
```text
SIP = 182:1:1::2
DIP = 172:16:1::10
```
Return-path processing on the Border Leaf
- BL1 looks up the VRF route: 172:16:1::10/128
- This route comes from:
  - EVPN Type 2 (MAC + IPv6, Serv1)
```bash
[BL1]dis ipv6 routing-table vpn-instance vpn1 172:16:1::10
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1
Destination : 172:16:1::10 PrefixLength : 128
NextHop : ::FFFF:20.20.20.20 Preference : 255
Cost : 0 Protocol : IBGP
RelayNextHop : 0.0.0.0 TunnelID : 0x0000000027f0000002
Interface : VXLAN Flags : RD
[BL1-bgp-6-vpn1]
```
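BL1 therefore:
- Performs VXLAN L3 encapsulation:
  - VNI = 100
  - Outer Dst = 20.20.20.20
- Sends the packet back to Leaf1
After decapsulation, Leaf1:
- Forwards the packet to Serv1
- Completes the north-south round trip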
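The forwarding decisions of phases 4 to 7 can be modelled end to end: longest-prefix match in VRF vpn1, VXLAN encapsulation with L3VNI 100, and the VNI-to-VRF mapping on decapsulation. This is an added example, not code from the original article; the function names and the reduced route tables are assumptions built from the routes shown on this page, and the inner Ethernet header is omitted to match the article's description of the inner payload.

```python
import ipaddress
import struct

VXLAN_PORT = 4789                     # IANA-assigned VXLAN UDP port
VNI_TO_VRF = {100: "vpn1"}            # L3VNI 100 maps to VRF vpn1, as on this page

# Constructed VRF vpn1 tables holding only the routes shown on this page:
# (prefix, EVPN route type, next-hop VTEP, L3VNI)
LEAF1_VPN1 = [("182:1:1::/64", 5, "40.40.40.40", 100),
              ("182:1:1::1/128", 5, "40.40.40.40", 100)]
BL1_VPN1 = [("172:16:1::10/128", 2, "20.20.20.20", 100)]

def lookup(table, dst):
    """Longest-prefix match; returns the winning route tuple or None."""
    addr = ipaddress.IPv6Address(dst)
    hits = [r for r in table if addr in ipaddress.IPv6Network(r[0])]
    return max(hits, key=lambda r: ipaddress.IPv6Network(r[0]).prefixlen, default=None)

def vxlan_header(vni):
    """RFC 7348 header: flags 0x08 (VNI valid), 24-bit VNI, reserved bits zero."""
    return struct.pack("!II", 0x08 << 24, vni << 8)

def encapsulate(table, local_vtep, inner_ipv6):
    """Route an inner IPv6 packet and wrap it for the overlay next hop."""
    dst = ipaddress.IPv6Address(inner_ipv6[24:40])   # destination field of the IPv6 header
    route = lookup(table, dst)
    if route is None:
        return None                                  # no route in the VRF: drop
    _, rtype, vtep, vni = route
    return {"outer_src": local_vtep, "outer_dst": vtep, "udp_dport": VXLAN_PORT,
            "route_type": rtype, "payload": vxlan_header(vni) + inner_ipv6}

def decapsulate(packet):
    """Validate the VXLAN header and return (VRF name, inner packet)."""
    flags, word = struct.unpack("!II", packet["payload"][:8])
    vni = word >> 8
    if not (flags >> 24) & 0x08 or vni not in VNI_TO_VRF:
        raise ValueError("invalid VXLAN header or unknown VNI")
    return VNI_TO_VRF[vni], packet["payload"][8:]

def ipv6_packet(src, dst, hop_limit=64):
    """Constructed 40-byte IPv6 header (next header 58 = ICMPv6, no payload)."""
    return (struct.pack("!IHBB", 6 << 28, 0, 58, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

if __name__ == "__main__":
    out = encapsulate(LEAF1_VPN1, "20.20.20.20", ipv6_packet("172:16:1::10", "182:1:1::2"))
    print(out["outer_dst"], decapsulate(out)[0])
```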
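Scenario 4 (IPv6) summary
- For north-south traffic, the core mechanisms of IPv6 and IPv4 are exactly the same
- The only differences are:
  - ARP → NDP
  - IPv4 Prefix → IPv6 Prefix
- Type 5 is the only "signpost" that leads the tenant to the outside world
- Border Leaf:
  - Facing inward, it is part of the EVPN fabric
  - Facing outward, it is a standard IPv6 router
Up to this point (IPv6 view):
- Scenario 1: Layer 2 bridging
  (EVPN Type 2 + Type 3; IPv6 is only carried at Layer 2 and takes no part in forwarding decisions)
- Scenario 2: Layer 3 communication on the same Leaf
  (EVPN Type 2: MAC + IPv6 /128 host route)
- Scenario 3: Layer 3 communication across Leafs
  (EVPN Type 2 host route + L3VNI overlay unicast)
- Scenario 4: north-south traffic
  (EVPN Type 5: IPv6 Prefix Route, pure Layer 3 guidance)
👉 The core forwarding and convergence behavior of EVPN VXLAN in the IPv6 scenario has now been presented in full.
As you can see:
IPv6 has not changed EVPN's design philosophy
The control plane still revolves around:
- Type 2 (host reachability)
- Type 3 (Layer 2 flooding control)
- Type 5 (prefix-level guidance)
What changes is only:
- ARP → NDP
- IPv4 addresses → IPv6 addresses

The logic of EVPN itself does not change.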