这个实验分为两个部分,第一个是L3VPN OVER SRV6,第二个是EVPN L3VPN OVER SRV6
一、L3VPN OVER SRV6
SRV6 L3VPN实验。本次实验是在GNS3上做的,使用的设备是华为NE40E
转发面是SRV6,控制面是MP-BGP VPNV4。注意控制面不是EVPN
首先启用ISIS ipv6(略)
1、配置IPV4 VPN实例
ip vpn-instance vpn2
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
interface Ethernet1/0/8
undo shutdown
ip binding vpn-instance vpn2
ip address 192.168.200.1 255.255.255.0
2、配置srv6并在isis发布locator
segment-routing ipv6
encapsulation source-address 2001::1
locator test ipv6-prefix A100:1:: 96 static 16
isis 100
segment-routing ipv6 locator test
3、配置BGP vpnv4邻居及VPN
bgp 100
peer 2001::9 as-number 100
peer 2001::9 connect-interface LoopBack0
ipv4-family vpnv4
policy vpn-target
peer 2001::9 enable
peer 2001::9 prefix-sid
ipv4-family vpn-instance vpn2
import-route direct
segment-routing ipv6 locator test
segment-routing ipv6 best-effort
注意在P设备(兼RR)上不需要配置srv6,也不需要配置VPN实例,但要配置prefix-sid
bgp 100
peer 2001::1 as-number 100
peer 2001::1 connect-interface LoopBack0
ipv4-family vpnv4
undo policy vpn-target
peer 2001::1 enable
peer 2001::1 reflect-client
peer 2001::1 prefix-sid
二、EVPN L3VPN OVER SRV6
本次实验是在eve-ng下做的,使用的是Huawei 6700V-L设备。不要用NE40E来做,它支持EVPN也支持SRV6(可以做L3VPN OVER SRV6)但不支持EVPN OVER SRV6,表现在l2vpn-family evpn视图里面无法建立IPV6对等体。
信令或者说是控制平面是EVPN,使用EVPN通告L3路由。数据平面或者说是转发平面是SRV6。注意跟L3VPN OVER SRV6区别开来,L3VPN OVER SRV6的控制平面是MP BGP的VPNV4,不是EVPN。
拓扑很简单,有一台P设备兼做路由反射器,P设备下联了三台PE。每台PE下接了一台VPC用于测试联通性。
PE1--vpc1
|
P-------PE2--vpc2
|
PE3--vpc3
首先进行基础配置,使用ISIS保存环回接口0的IPV6地址互通。给出一台PE1的配置,其它类似:
isis 100
is-level level-2
cost-style wide
network-entity 49.0773.1111.1111.1111.00
#
ipv6 enable topology ipv6
interface LoopBack0
ipv6 enable
ipv6 address 2001::1/128
isis ipv6 enable 100
interface GE0/0/1
ipv6 enable
ipv6 address auto link-local
isis ipv6 enable 100注意基础配置里面不需要配置IPV4,全程使用IPV6地址。
配置VPN实例,这里面以PE1为例,其它两台PE类似:
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity evpn
vpn-target 1:1 import-extcommunity evpn
#
interface GE0/0/7
ip binding vpn-instance vpn1
ip address 172.23.3.1 255.255.255.0
#注意创建VPN实例的vpn-target时要配置evpn,表明这是一个evpn的实例。
跟路由反射器建立BGP EVPN邻居,注意不需要建立VPNV4邻居,还有一点需要注意,要手工配置router-id,因为我们之前没有配置IPV4地址,所以系统无法自动选择一个ipv4地址作为router-id。以下是PE3的配置:
bgp 100
router-id 3.3.3.3
private-4-byte-as enable
peer 2001::9 as-number 100
peer 2001::9 connect-interface LoopBack0
#
ipv4-family unicast
#
ipv4-family vpn-instance vpn1
import-route direct
advertise l2vpn evpn
#
l2vpn-family evpn
policy vpn-target
peer 2001::9 enableP设备的配置类似,但要注意配置路由反射
bgp 100
router-id 9.9.9.9
private-4-byte-as enable
group pe internal
peer pe connect-interface LoopBack0
peer 2001::1 as-number 100
peer 2001::1 group pe
peer 2001::2 as-number 100
peer 2001::2 group pe
peer 2001::3 as-number 100
peer 2001::3 group pe
#
ipv4-family unicast
undo peer pe enable
#
l2vpn-family evpn
undo policy vpn-target
peer pe enable
peer pe advertise encap-type srv6
peer pe reflect-client
peer 2001::1 enable
peer 2001::1 group pe
peer 2001::2 enable
peer 2001::2 group pe
peer 2001::3 enable
peer 2001::3 group pe
#再配置段路由,并通过isis把locator发布出去。注意这里sid是自动生成,你也可以手工生成。
segment-routing ipv6
encapsulation source-address 2001::3
locator pe ipv6-prefix 2001:300:: 64 static 32
isis 100
segment-routing ipv6 locator pe最后把evpn的封装类型配置为srv6,默认是mpls的。另外还需要在vpn实例里面配置srv6 be模式。注意后面的evpn不能漏了,否则无法通过evpn发布路由。
bgp 100
l2vpn-family evpn
peer 2001::9 advertise encap-type srv6
quit
ipv4-family vpn-instance vpn1
segment-routing ipv6 best-effort evpn
segment-routing ipv6 locator pe evpn查看一下发布的vpn路由:
[PE1-segment-routing-ipv6-locator]display bgp evpn all routing-table prefix-route
Local AS number : 100
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
EVPN address family:
Number of Ip Prefix Routes: 2
Route Distinguisher: 100:1
Network(EthTagId/IpPrefix/IpPrefixLen) NextHop
*> 0:172.23.1.0:24 0.0.0.0
*>i 0:172.23.2.0:24 2001::2查看一下路由:
[PE1-segment-routing-ipv6-locator]disp ip routing-table vpn-instance vpn1
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpn1
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
172.23.1.0/24 Direct 0 0 D 172.23.1.1 GE0/0/7
172.23.1.1/32 Direct 0 0 D 127.0.0.1 GE0/0/7
172.23.1.255/32 Direct 0 0 D 127.0.0.1 GE0/0/7
172.23.2.0/24 IBGP 255 0 RD 2001:200::1:0:3C GE0/0/1
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0这里面2001:200::1:0:3C 是PE2自动分配的end-dt4 操作码。
最后ping测试一下联通性:
[PE1-segment-routing-ipv6-locator]ping -vpn-instance vpn1 172.23.2.1
PING 172.23.2.1: 56 data bytes, press CTRL_C to break
Reply from 172.23.2.1: bytes=56 Sequence=1 ttl=255 time=32 ms
Reply from 172.23.2.1: bytes=56 Sequence=2 ttl=255 time=22 ms
Reply from 172.23.2.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 172.23.2.1: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 172.23.2.1: bytes=56 Sequence=5 ttl=255 time=3 ms
--- 172.23.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/12/32 ms