Configuring a VXLAN Tunnel

To allow VXLAN tunnel establishment using EVPN, configure an EVPN instance, establish a BGP EVPN peer relationship, and configure ingress replication.

Context

VXLAN packets are transmitted through VXLAN tunnels. In distributed VXLAN gateway scenarios, perform the following steps on a VXLAN gateway to use EVPN for establishing VXLAN tunnels:
  1. Configure a BGP EVPN peer relationship. Configure VXLAN gateways to establish BGP EVPN peer relationships so that they can exchange EVPN routes. If an RR has been deployed, each VXLAN gateway only needs to establish a BGP EVPN peer relationship with the RR.

  2. (Optional) Configure an RR. The deployment of RRs reduces the number of BGP EVPN peer relationships to be established, simplifying configuration. A live-network device can be used as an RR, or a standalone RR can be deployed. Spine nodes are generally used as RRs, and leaf nodes as RR clients.

  3. Configure an EVPN instance. EVPN instances are used to receive and advertise EVPN routes.

  4. Configure ingress replication. After ingress replication is configured for a VNI, the system uses BGP EVPN to construct a list of remote VTEPs. After a VXLAN gateway receives BUM packets, it sends a copy of the BUM packets to every VXLAN gateway in the list.

BUM packet forwarding is implemented only using ingress replication. To establish a VXLAN tunnel between a Huawei device and a non-Huawei device, ensure that the non-Huawei device also has ingress replication configured. Otherwise, communication fails.

Procedure

  1. Configure a BGP EVPN peer relationship. If an RR has been deployed, each VXLAN gateway only needs to establish a BGP EVPN peer relationship with the RR. If the spine node and gateway reside in different ASs, the gateway must establish an EBGP EVPN peer relationship with the spine node.
    1. Run bgp as-number

      BGP is enabled, and the BGP view is displayed.

    2. (Optional) Run router-id ipv4-address

      A router ID is set.

    3. Run peer ipv4-address as-number as-number

      The peer device is configured as a BGP peer.

    4. (Optional) Run peer ipv4-address connect-interface interface-type interface-number [ ipv4-source-address ]

      A source interface and a source address are specified to set up a TCP connection with the BGP peer.

      When loopback interfaces are used to establish a BGP connection, running the peer connect-interface command on both ends is recommended to ensure connectivity. If this command is run on only one end, the BGP connection may fail to be established.

    5. (Optional) Run peer ipv4-address ebgp-max-hop [ hop-count ]

      The maximum number of hops is set for an EBGP EVPN connection.

      In most cases, a directly connected physical link must be available between EBGP EVPN peers. To establish EBGP EVPN peer relationships between indirectly connected devices, run the peer ebgp-max-hop command; it also sets the maximum number of hops for the EBGP EVPN connection.

      When a loopback interface address is used to establish an EBGP EVPN peer relationship, run the peer ebgp-max-hop command with hop-count set to a value of at least 2. Otherwise, the peer relationship fails to be established.

    6. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

    7. Run peer { ipv4-address | group-name } enable

      The device is enabled to exchange EVPN routes with a specified peer or peer group.

    8. Run peer { ipv4-address | group-name } advertise encap-type vxlan

      The device is enabled to advertise EVPN routes that carry the VXLAN encapsulation attribute to the peer.

    9. (Optional) Run peer { group-name | ipv4-address } route-policy route-policy-name { import | export }

      A routing policy is specified for routes received from or to be advertised to a BGP EVPN peer or peer group.

      After the routing policy is applied, the routes received from or to be advertised to a specified BGP EVPN peer or peer group will be filtered, ensuring that only desired routes are imported or advertised. This configuration helps manage routes and reduce required routing entries and system resources.

    10. (Optional) Run peer { ipv4-address | group-name } next-hop-invariable

      The device is prevented from changing the next hop address of a route when advertising the route to an EBGP peer. If the spine node and gateway have established an EBGP EVPN peer relationship, run the peer next-hop-invariable command to ensure that the next hops of routes received by the gateway point to other gateways.

    11. (Optional) Run peer { group-name | ipv4-address } mac-limit number [ percentage ] [ alert-only | idle-forever | idle-timeout times ]

      The maximum number of MAC advertisement routes that can be received from each peer is configured.

      An EVPN instance may import many invalid MAC advertisement routes from peers, and these routes can occupy a large proportion of the total MAC advertisement routes. If the received MAC advertisement routes exceed the specified maximum number, the system displays an alarm, instructing users to check the validity of the MAC advertisement routes received in the EVPN instance.

    12. (Optional) Perform the following operations to enable the function to advertise the routes carrying the large-community attribute to BGP EVPN peers:

      The large-community attribute includes a 2-byte or 4-byte AS number and two 4-byte LocalData fields, allowing the administrator to flexibly use route-policies. Before enabling the function to advertise the routes carrying the large-community attribute to BGP EVPN peers, configure the route-policy related to the large-community attribute and use the route-policy to set the large-community attribute.

      1. Run peer { ipv4-address | group-name } route-policy route-policy-name export

        The outbound route-policy of the BGP EVPN peer is configured.

      2. Run peer { ipv4-address | group-name } advertise-large-community

        The device is enabled to advertise the routes carrying the large-community attribute to BGP EVPN peers or peer groups.

        If the routes carrying the large-community attribute do not need to be advertised to one BGP EVPN peer in the peer group, run the peer ipv4-address advertise-large-community disable command.

    13. (Optional) Run peer ipv4-address graceful-restart static-timer restart-time

      The maximum duration from the time the local device finds that the peer device is restarted to the time a BGP EVPN session is re-established is set.

      BGP GR prevents traffic interruptions caused by re-establishment of a BGP peer relationship. You can run either the graceful-restart timer restart time or peer graceful-restart static-timer command to set this maximum wait time.

      • To set the maximum wait time for re-establishing all BGP peer relationships, run the graceful-restart timer restart command in the BGP view. The maximum wait time can be set to 3600s at most.

      • To set the maximum wait time for re-establishing a specified BGP-EVPN peer relationship, run the peer graceful-restart static-timer command in the BGP EVPN view. The maximum wait time can be set to a value greater than 3600s.

      If both the graceful-restart timer restart time and peer graceful-restart static-timer commands are run, the latter configuration takes effect.

      This step can be performed only after GR has been enabled using the graceful-restart command in the BGP view.

    14. (Optional) Run peer peerIpv4Addr path-attribute-treat attribute-id { id [ to id2 ] } &<1-255> { discard | withdraw | treat-as-unknown }

      A special mode for processing specified path attributes in received BGP EVPN Update messages is configured.

      A BGP EVPN Update message contains various path attributes. If a local device receives Update messages containing malformed path attributes, the involved BGP EVPN sessions may flap. To enhance reliability, you can configure a special mode for processing specified path attributes in received BGP EVPN Update messages. The special mode can be one of the following:

      • Discard the specified path attributes.

      • Withdraw the routes carrying the specified path attributes.

      • Process the specified path attributes as unknown ones.

    15. Run quit

      Exit from the BGP-EVPN address family view.

    16. Run quit

      Exit from the BGP view.

  2. (Optional) Configure an RR. If an RR is configured, each VXLAN gateway only needs to establish a BGP EVPN peer relationship with the RR, reducing the number of BGP EVPN peer relationships to be established and simplifying configuration.
    1. Run bgp as-number

      The BGP view is displayed.

    2. Run l2vpn-family evpn

      The BGP-EVPN address family view is displayed.

    3. Run peer { ipv4-address | group-name } enable

      The device is enabled to exchange EVPN routes with a specified peer or peer group.

    4. (Optional) Run peer { ipv4-address | group-name } next-hop-invariable

      The device is prevented from changing the next hop address of a route when advertising the route to an EBGP EVPN peer.

    5. Run peer { ipv4-address | group-name } reflect-client

      The device is configured as an RR and an RR client is specified.

    6. Run undo policy vpn-target

      The function to filter received EVPN routes based on VPN targets is disabled. If you do not perform this step, the RR will fail to receive and reflect the routes sent by clients.

    7. Run quit

      Exit from the BGP-EVPN address family view.

    8. Run quit

      Exit from the BGP view.

  3. Configure an EVPN instance.
    1. Run evpn vpn-instance vpn-instance-name bd-mode

      A BD EVPN instance is created, and the EVPN instance view is displayed.

    2. Run route-distinguisher route-distinguisher

      An RD is configured for the EVPN instance.

    3. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

      VPN targets are configured for the EVPN instance. The export VPN target of the local end must be the same as the import VPN target of the remote end, and the import VPN target of the local end must be the same as the export VPN target of the remote end.

    4. (Optional) Run import route-policy policy-name

      The current EVPN instance is associated with an import routing policy.

      To control route import more precisely, perform this step to associate the EVPN instance with an import routing policy and set attributes for eligible routes.

    5. (Optional) Run export route-policy policy-name

      The current EVPN instance is associated with an export routing policy.

      To control route export more precisely, perform this step to associate the EVPN instance with an export routing policy and set attributes for eligible routes.

    6. (Optional) Run tnl-policy policy-name

      The EVPN instance is associated with a tunnel policy.

      This configuration enables PEs to use TE tunnels to transmit data packets.

    7. (Optional) Run mac limit number { simply-alert | mac-unchanged }

      The maximum number of MAC addresses allowed by an EVPN instance is configured.

      After a device learns a large number of MAC addresses, system performance may deteriorate when the device is busy processing services. This is because MAC addresses consume system resources. To improve system security and reliability, run the mac limit command to configure the maximum number of MAC addresses allowed by an EVPN instance. If the number of MAC addresses learned by an EVPN instance exceeds the maximum number, the system displays an alarm message, instructing you to check the validity of MAC addresses in the EVPN instance.

    8. (Optional) Run mac-route no-advertise

      The device is disabled from sending local MAC routes with the current VNI to the EVPN peer.

      In Layer 3 VXLAN gateway scenarios where Layer 2 traffic forwarding is not involved, perform this step to disable local MAC routes from being advertised to the EVPN peer. This configuration prevents the EVPN peer from receiving MAC routes, thereby conserving device resources.

    9. (Optional) Run local mac-only-route no-generate

      The device is disabled from generating an EVPN MAC route when the local MAC address exists in both a MAC address entry and an ARP/ND entry.

      If a MAC address entry and an ARP/ND entry on the device both contain the local MAC address, the device generates both an EVPN MAC/IP route and an EVPN MAC route by default. To optimize memory utilization, perform this step so that the device generates only the EVPN MAC/IP route. To ensure normal Layer 2 traffic forwarding, also run the mac-ip route generate-mac command on the peer device to enable the function to generate MAC address entries based on MAC/IP routes.

    10. (Optional) Run mac-ip route generate-mac

      The function to generate MAC address entries based on MAC/IP routes is enabled.

      If the peer device is configured not to advertise MAC routes (using the mac-route no-advertise command) or not to generate MAC routes (using the local mac-only-route no-generate command), the local device cannot generate MAC address entries by default. To ensure normal Layer 2 traffic forwarding, perform this step on the local device to enable the function to generate MAC entries based on MAC/IP routes.

    11. Run quit

      Exit from the EVPN instance view.

    12. Run bridge-domain bd-id

      The BD view is displayed.

      By default, no BD is created.

    13. Run vxlan vni vni-id split-horizon-mode

      A VNI is created and associated with the BD, and split horizon is applied to the BD.

    14. Run evpn binding vpn-instance vpn-instance-name [ bd-tag bd-tag ]

      A specified EVPN instance is bound to the BD. By specifying different bd-tag values, you can bind multiple BDs with different VLANs to the same EVPN instance and isolate services in the BDs.

    15. Run quit

      Return to the system view.

  4. Configure an ingress replication list.
    1. Run interface nve nve-number

      An NVE interface is created, and the NVE interface view is displayed.

    2. Run source ip-address

      An IP address is configured for the source VTEP.

    3. Run vni vni-id head-end peer-list protocol bgp

      An ingress replication list is configured.

      After the ingress of a VXLAN tunnel receives BUM packets, it replicates these packets and sends a copy to each VTEP in the ingress replication list. The ingress replication list is a collection of remote VTEP IP addresses to which the ingress of a VXLAN tunnel should send replicated BUM packets.

    4. Run quit

      Return to the system view.

  5. (Optional) Configure MAC addresses for NVE interfaces.

    In distributed VXLAN gateway (EVPN BGP) scenarios, if you want to use active-active VXLAN gateways to load-balance traffic, configure the same VTEP MAC address on the two VXLAN gateways. Otherwise, the two gateways cannot forward traffic properly on the VXLAN network.

    1. Run interface nve nve-number

      The NVE interface view is displayed.

    2. Run mac-address mac-address

      A MAC address is configured for the NVE interface.

    3. Run quit

      Exit from the NVE interface view.

  6. Run commit

    The configuration is committed.
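A worked configuration for the procedure above, as an added example that is not from this page or Huawei's documentation: one VXLAN gateway (Leaf1) acting as an RR client, and the spine acting as the RR, using only the commands listed in the steps. All addresses, the AS number, RD and VPN-target values, the BD and VNI numbers, the MAC limits and the LoopBack0 interface name are constructed assumptions; lines beginning with # are explanatory comments.

```text
# Leaf1: VXLAN gateway and RR client (Leaf2 mirrors this with its own
# VTEP address 10.1.1.2 and RD; same VPN target and VNI).
evpn vpn-instance evpn10 bd-mode
 route-distinguisher 10.1.1.1:10
 vpn-target 65001:10 both
 mac limit 2000 simply-alert
 quit
bridge-domain 10
 vxlan vni 10010 split-horizon-mode
 evpn binding vpn-instance evpn10
 quit
interface nve 1
 source 10.1.1.1
 vni 10010 head-end peer-list protocol bgp
 quit
bgp 65001
 router-id 10.1.1.1
 peer 10.1.1.100 as-number 65001
 peer 10.1.1.100 connect-interface LoopBack0
 l2vpn-family evpn
  peer 10.1.1.100 enable
  peer 10.1.1.100 advertise encap-type vxlan
  peer 10.1.1.100 mac-limit 5000 alert-only
  quit
 quit
commit
#
# Spine: RR for both leaf gateways. "undo policy vpn-target" is required,
# otherwise the RR drops the clients' routes instead of reflecting them.
bgp 65001
 router-id 10.1.1.100
 peer 10.1.1.1 as-number 65001
 peer 10.1.1.1 connect-interface LoopBack0
 peer 10.1.1.2 as-number 65001
 peer 10.1.1.2 connect-interface LoopBack0
 l2vpn-family evpn
  undo policy vpn-target
  peer 10.1.1.1 enable
  peer 10.1.1.1 reflect-client
  peer 10.1.1.2 enable
  peer 10.1.1.2 reflect-client
  quit
 quit
commit
```

Because every gateway configures the same VPN target with both, each gateway's export target equals every other gateway's import target, which satisfies the matching rule in step 3.3; the head-end peer-list protocol bgp entry on each gateway is what satisfies the ingress replication requirement stated in the Context section.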

Copyright © Huawei Technologies Co., Ltd.