华为NE40E路由器配置EVPN L3VPNv6 over SRv6 BE的VPN FRR功能
2022-01-26 COCOgsta
加入收藏
组网需求
如图1所示:
路由器PE1、PE2和PE3属于同一自治系统,要求它们之间通过IS-IS协议达到IPv6网络互连的目的。
PE1、PE2和PE3属于IS-IS进程1,都是Level-2设备。
要求在PE之间建立双向SRv6 BE路径,承载EVPN L3VPNv6业务。同时为了提升网络可靠性,要求在PE1上配置VPN FRR功能。
图1 配置EVPN L3VPNv6 over SRv6 BE的VPN FRR功能组网图
配置思路
- 使能PE各个接口的IPv6转发能力,配置各接口的IPv6地址。
- 在各PE上使能IS-IS,配置Level级别,指定网络实体。
- 在各PE上配置IPv6 VPN实例,接入各自连接的CE。
- 在PE和CE之间建立EBGP对等体关系。
- 在PE之间建立BGP EVPN对等体关系。
- 在各PE上配置SRv6。配置IS-IS的SRv6能力。
- 在PE1上使能VPN FRR功能,同时配置BFD检测对端Locator可达性,提升VPN FRR切换速度。
操作步骤
1.使能各接口的IPv6转发能力,配置IPv6地址,以PE1为例,其他路由器的配置过程相同,不再赘述
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[*HUAWEI] commit
[~PE1] interface gigabitethe.NET 1/0/0
[~PE1-GigabitEthernet1/0/0] ipv6 enable
[*PE1-GigabitEthernet1/0/0] ipv6 address 2001:db8:1::1 96
[*PE1-GigabitEthernet1/0/0] quit
[*PE1] interface gigabitethernet 2/0/0
[*PE1-GigabitEthernet2/0/0] ipv6 enable
[*PE1-GigabitEthernet2/0/0] ipv6 address 2001:db8:3::1 96
[*PE1-GigabitEthernet2/0/0] quit
[*PE1] interface LoopBack 1
[*PE1-LoopBack1] ipv6 enable
[*PE1-LoopBack1] ipv6 address 1::1 128
[*PE1-LoopBack1] quit
[*PE1] commit
2.配置IS-IS
# 配置PE1。
[~PE1] isis 1
[*PE1-isis-1] is-level level-2
[*PE1-isis-1] cost-style wide
[*PE1-isis-1] network-entity 10.0000.0000.0001.00
[*PE1-isis-1] ipv6 enable topology ipv6
[*PE1-isis-1] quit
[*PE1] interface gigabitethernet 1/0/0
[*PE1-GigabitEthernet1/0/0] isis ipv6 enable 1
[*PE1-GigabitEthernet1/0/0] quit
[*PE1] interface gigabitethernet 2/0/0
[*PE1-GigabitEthernet2/0/0] isis ipv6 enable 1
[*PE1-GigabitEthernet2/0/0] quit
[*PE1] interface loopback1
[*PE1-LoopBack1] isis ipv6 enable 1
[*PE1-LoopBack1] commit
[~PE1-LoopBack1] quit
# 配置PE2。
[~PE2] isis 1
[*PE2-isis-1] is-level level-2
[*PE2-isis-1] cost-style wide
[*PE2-isis-1] network-entity 10.0000.0000.0002.00
[*PE2-isis-1] ipv6 enable topology ipv6
[*PE2-isis-1] quit
[*PE2] interface gigabitethernet 1/0/0
[*PE2-GigabitEthernet1/0/0] isis ipv6 enable 1
[*PE2-GigabitEthernet1/0/0] quit
[*PE2] interface loopback1
[*PE2-LoopBack1] isis ipv6 enable 1
[*PE2-LoopBack1] commit
[~PE2-LoopBack1] quit
# 配置PE3。
[~PE3] isis 1
[*PE3-isis-1] is-level level-2
[*PE3-isis-1] cost-style wide
[*PE3-isis-1] network-entity 10.0000.0000.0004.00
[*PE3-isis-1] ipv6 enable topology ipv6
[*PE3-isis-1] quit
[*PE3] interface gigabitethernet 1/0/0
[*PE3-GigabitEthernet1/0/0] isis ipv6 enable 1
[*PE3-GigabitEthernet1/0/0] quit
[*PE3] interface loopback1
[*PE3-LoopBack1] isis ipv6 enable 1
[*PE3-LoopBack1] commit
[~PE3-LoopBack1] quit
配置完成后,可按如下指导检查IS-IS是否配置成功。
# 显示IS-IS邻居信息。以PE1为例。
[~PE1] display isis peer
Peer information for ISIS(1)
System Id Interface Circuit Id State HoldTime Type PRI
--------------------------------------------------------------------------------
0000.0000.0004* GE2/0/0 0000.0000.0004.02 Up 7s L2 64
0000.0000.0002* GE1/0/0 0000.0000.0002.02 Up 9s L2 64
Total Peer(s): 2
# 显示IS-IS路由表信息。以PE1为例。
[~PE1] display isis route
Route information for ISIS(1)
-----------------------------
ISIS(1) Level-2 Forwarding Table
--------------------------------
IPV6 Dest. ExitInterface NextHop Cost Flags
--------------------------------------------------------------------------------
1::/128 Loop1 Direct 0 D/-/L/-
2::/128 GE1/0/0 FE80::3A92:6CFF:FE31:307 10 A/-/-/-
3::/128 GE2/0/0 FE80::3A92:6CFF:FE41:305 10 A/-/-/-
2001:DB8:1::/96 GE1/0/0 Direct 10 D/-/L/-
2001:DB8:3::/96 GE2/0/0 Direct 10 D/-/L/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set, LP-Local Prefix-Sid
Protect Type: L-Link Protect, N-Node Protect
3.在PE设备上配置IPv6 L3VPN实例并将IPv6 L3VPN实例绑定到接入侧接口
# 配置PE1。
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv6-family
[*PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv6] vpn-target 111:1 evpn
[*PE1-vpn-instance-vpna-af-ipv6] quit
[*PE1-vpn-instance-vpna] quit
[*PE1] interface gigabitethernet3/0/0
[*PE1-GigabitEthernet3/0/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet3/0/0] ipv6 enable
[*PE1-GigabitEthernet3/0/0] ipv6 address 2001:DB8:11::1 64
[*PE1-GigabitEthernet3/0/0] quit
[*PE1] bgp 100
[*PE1-bgp] ipv6-family vpn-instance vpna
[*PE1-bgp-6-vpna] import-route direct
[*PE1-bgp-6-vpna] advertise l2vpn evpn
[*PE1-bgp-6-vpna] quit
[*PE1-bgp] quit
[*PE1] commit
# 配置PE2。
[~PE2] ip vpn-instance vpna
[*PE2-vpn-instance-vpna] ipv6-family
[*PE2-vpn-instance-vpna-af-ipv6] route-distinguisher 200:1
[*PE2-vpn-instance-vpna-af-ipv6] vpn-target 111:1 evpn
[*PE2-vpn-instance-vpna-af-ipv6] quit
[*PE2-vpn-instance-vpna] quit
[*PE2] interface gigabitethernet2/0/0
[*PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[*PE2-GigabitEthernet2/0/0] ipv6 enable
[*PE2-GigabitEthernet2/0/0] ipv6 address 2001:DB8:22::1 64
[*PE2-GigabitEthernet2/0/0] quit
[*PE2] bgp 100
[*PE2-bgp] ipv6-family vpn-instance vpna
[*PE2-bgp-6-vpna] import-route direct
[*PE2-bgp-6-vpna] advertise l2vpn evpn
[*PE2-bgp-6-vpna] quit
[*PE2-bgp] quit
[*PE2] commit
# 配置PE3。
[~PE3] ip vpn-instance vpna
[*PE3-vpn-instance-vpna] ipv6-family
[*PE3-vpn-instance-vpna-af-ipv6] route-distinguisher 300:1
[*PE3-vpn-instance-vpna-af-ipv6] vpn-target 111:1 evpn
[*PE3-vpn-instance-vpna-af-ipv6] quit
[*PE3-vpn-instance-vpna] quit
[*PE3] interface gigabitethernet2/0/0
[*PE3-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[*PE3-GigabitEthernet2/0/0] ipv6 enable
[*PE3-GigabitEthernet2/0/0] ipv6 address 2001:DB8:33::1 64
[*PE3-GigabitEthernet2/0/0] quit
[*PE3] bgp 100
[*PE3-bgp] ipv6-family vpn-instance vpna
[*PE3-bgp-6-vpna] import-route direct
[*PE3-bgp-6-vpna] advertise l2vpn evpn
[*PE3-bgp-6-vpna] quit
[*PE3-bgp] quit
[*PE3] commit
4.在PE与CE之间建立EBGP对等体关系
# 配置CE1。
[~CE1] interface LoopBack1
[*CE1-LoopBack1] ipv6 enable
[*CE1-LoopBack1] ipv6 address 11::11 128
[*CE1-LoopBack1] quit
[*CE1] bgp 65410
[*CE1-bgp] router-id 10.11.1.1
[*CE1-bgp] peer 2001:DB8:11::1 as-number 100
[*CE1-bgp] ipv6-family unicast
[*CE1-bgp-af-ipv6] import-route direct
[*CE1-bgp-af-ipv6] peer 2001:DB8:11::1 enable
[*CE1-bgp-af-ipv6] commit
[~CE1-bgp-af-ipv6] quit
[~CE1-bgp] quit
# 配置PE1。
[~PE1] bgp 100
[~PE1-bgp] router-id 1.1.1.1
[*PE1-bgp] ipv6-family vpn-instance vpna
[*PE1-bgp-6-vpna] peer 2001:DB8:11::2 as-number 65410
[*PE1-bgp-6-vpna] import-route direct
[*PE1-bgp-6-vpna] commit
[~PE1-bgp-6-vpna] quit
[~PE1-bgp] quit
# 配置CE2。
[~CE2] interface LoopBack1
[*CE2-LoopBack1] ipv6 enable
[*CE2-LoopBack1] ipv6 address 22::22 128
[*CE2-LoopBack1] quit
[*CE2] bgp 65420
[*CE2-bgp] router-id 10.12.1.1
[*CE2-bgp] peer 2001:DB8:22::1 as-number 100
[*CE2-bgp] peer 2001:DB8:33::1 as-number 100
[*CE2-bgp] ipv6-family unicast
[*CE2-bgp-af-ipv6] import-route direct
[*CE2-bgp-af-ipv6] peer 2001:DB8:22::1 enable
[*CE2-bgp-af-ipv6] peer 2001:DB8:33::1 enable
[*CE2-bgp-af-ipv6] commit
[~CE2-bgp-af-ipv6] quit
[~CE2-bgp] quit
# 配置PE2。
[~PE2] bgp 100
[~PE2-bgp] router-id 2.2.2.2
[*PE2-bgp] ipv6-family vpn-instance vpna
[*PE2-bgp-6-vpna] peer 2001:DB8:22::2 as-number 65420
[*PE2-bgp-6-vpna] import-route direct
[*PE2-bgp-6-vpna] commit
[~PE2-bgp-6-vpna] quit
[~PE2-bgp] quit
# 配置PE3。
[~PE3] bgp 100
[~PE3-bgp] router-id 3.3.3.3
[*PE3-bgp] ipv6-family vpn-instance vpna
[*PE3-bgp-6-vpna] peer 2001:DB8:33::2 as-number 65420
[*PE3-bgp-6-vpna] import-route direct
[*PE3-bgp-6-vpna] commit
[~PE3-bgp-6-vpna] quit
[~PE3-bgp] quit
配置完成后,在PE设备上执行display bgp vpnv6 vpn-instance peer命令,可以看到PE与CE之间的BGP对等体关系已建立,并达到Established状态。
以PE1与CE1的对等体关系为例:
[~PE1] display bgp vpnv6 vpn-instance vpna peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
VPN-Instance vpna, Router ID 1.1.1.1:
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2001:DB8:11::2 4 65410 98 103 0 01:22:02 Established 2
5.在PE设备之间建立BGP EVPN对等体关系
# 配置PE1。
[~PE1] bgp 100
[~PE1-bgp] peer 2::2 as-number 100
[*PE1-bgp] peer 2::2 connect-interface loopback 1
[*PE1-bgp] peer 3::3 as-number 100
[*PE1-bgp] peer 3::3 connect-interface loopback 1
[*PE1-bgp] l2vpn-family evpn
[*PE1-bgp-af-evpn] peer 2::2 enable
[*PE1-bgp-af-evpn] peer 3::3 enable
[*PE1-bgp-af-evpn] quit
[*PE1-bgp] quit
[*PE1] commit
# 配置PE2。
[~PE2] bgp 100
[~PE2-bgp] peer 1::1 as-number 100
[*PE2-bgp] peer 1::1 connect-interface loopback 1
[*PE2-bgp] l2vpn-family evpn
[*PE2-bgp-af-evpn] peer 1::1 enable
[*PE2-bgp-af-evpn] quit
[*PE2-bgp] quit
[*PE2] commit
# 配置PE3。
[~PE3] bgp 100
[~PE3-bgp] peer 1::1 as-number 100
[*PE3-bgp] peer 1::1 connect-interface loopback 1
[*PE3-bgp] l2vpn-family evpn
[*PE3-bgp-af-evpn] peer 1::1 enable
[*PE3-bgp-af-evpn] quit
[*PE3-bgp] quit
[*PE3] commit
配置完成后,在PE设备上执行display bgp evpn peer命令,可以看到PE之间的BGP EVPN对等体关系已建立,并达到Established状态。以PE1的显示为例:
[~PE1] display bgp evpn peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2::2 4 100 23 22 0 00:15:33 Established 3
3::3 4 100 23 23 0 00:15:35 Established 3
6.在PE之间建立SRv6 BE路径
# 配置PE1。
[~PE1] segment-routing ipv6
[*PE1-segment-routing-ipv6] encapsulation source-address 1::1
[*PE1-segment-routing-ipv6] locator as1 ipv6-prefix 10:: 64 static 32
[*PE1-segment-routing-ipv6-locator] quit
[*PE1-segment-routing-ipv6] quit
[*PE1] isis 1
[*PE1-isis-1] segment-routing ipv6 locator as1
[*PE1-isis-1] quit
[*PE1] bgp 100
[*PE1-bgp] l2vpn-family evpn
[*PE1-bgp-af-evpn] peer 2::2 advertise encap-type srv6
[*PE1-bgp-af-evpn] peer 3::3 advertise encap-type srv6
[*PE1-bgp-af-evpn] quit
[*PE1-bgp] ipv6-family vpn-instance vpna
[*PE1-bgp-6-vpna] segment-routing ipv6 locator as1 evpn
[*PE1-bgp-6-vpna] segment-routing ipv6 best-effort evpn
[*PE1-bgp-6-vpna] quit
[*PE1-bgp] quit
[*PE1] commit
# 配置PE2。
[~PE2] segment-routing ipv6
[*PE2-segment-routing-ipv6] encapsulation source-address 2::2
[*PE2-segment-routing-ipv6] locator as1 ipv6-prefix 20:: 64 static 32
[*PE2-segment-routing-ipv6-locator] quit
[*PE2-segment-routing-ipv6] quit
[*PE2] isis 1
[*PE2-isis-1] segment-routing ipv6 locator as1
[*PE2-isis-1] quit
[*PE2] bgp 100
[*PE2-bgp] l2vpn-family evpn
[*PE2-bgp-af-evpn] peer 1::1 advertise encap-type srv6
[*PE2-bgp-af-evpn] quit
[*PE2-bgp] ipv6-family vpn-instance vpna
[*PE2-bgp-6-vpna] segment-routing ipv6 locator as1 evpn
[*PE2-bgp-6-vpna] segment-routing ipv6 best-effort evpn
[*PE2-bgp-6-vpna] quit
[*PE2-bgp] quit
[*PE2] commit
# 配置PE3。
[~PE3] segment-routing ipv6
[*PE3-segment-routing-ipv6] encapsulation source-address 3::3
[*PE3-segment-routing-ipv6] locator as1 ipv6-prefix 30:: 64 static 32
[*PE3-segment-routing-ipv6-locator] quit
[*PE3-segment-routing-ipv6] quit
[*PE3] isis 1
[*PE3-isis-1] segment-routing ipv6 locator as1
[*PE3-isis-1] quit
[*PE3] bgp 100
[*PE3-bgp] l2vpn-family evpn
[*PE3-bgp-af-evpn] peer 1::1 advertise encap-type srv6
[*PE3-bgp-af-evpn] quit
[*PE3-bgp] ipv6-family vpn-instance vpna
[*PE3-bgp-6-vpna] segment-routing ipv6 locator as1 evpn
[*PE3-bgp-6-vpna] segment-routing ipv6 best-effort evpn
[*PE3-bgp-6-vpna] quit
[*PE3-bgp] quit
[*PE3] commit
7.配置VPN FRR
配置VPN FRR,使用BFD检测Locator路由。如果Locator路由不可达,触发VPN FRR进行路径切换。
# 配置PE1。
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv6-family
[~PE1-vpn-instance-vpna-af-ipv6] vpn frr
[*PE1-vpn-instance-vpna-af-ipv6] commit
[~PE1-vpn-instance-vpna-af-ipv6] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] bgp 100
[~PE1-bgp] ipv6-family vpn-instance vpna
[~PE1-bgp-6-vpna] route-select delay 300
[*PE1-bgp-6-vpna] commit
[~PE1-bgp-6-vpna] quit
[~PE1-bgp] quit
[~PE1] bfd
[*PE1-bfd] quit
[*PE1] bfd pe1tope2 bind peer-ipv6 20::
[*PE1-bfd-session-pe1tope2] discriminator local 100
[*PE1-bfd-session-pe1tope2] discriminator remote 200
[*PE1-bfd-session-pe1tope2] commit
[~PE1-bfd-session-pe1tope2] quit
# 配置PE2。
[~PE2] bfd
[*PE2-bfd] quit
[*PE2] bfd pe2tope1 bind peer-ipv6 10::
[*PE2-bfd-session-pe2tope1] discriminator local 200
[*PE2-bfd-session-pe2tope1] discriminator remote 100
[*PE2-bfd-session-pe2tope1] commit
[~PE2-bfd-session-pe2tope1] quit
8.检查配置结果
执行命令display ipv6 routing-table vpn-instance vpna ipv6-address verbose查看VPN路由信息。以PE1的显示为例:
[~PE1] display ipv6 routing-table vpn-instance vpna 22::22 128 verbose
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1
Destination : 22::22 PrefixLength : 128
NextHop : 20::1:0:3C Preference : 255
Neighbour : 2::2 ProcessID : 0
Label : NULL Protocol : IBGP
State : Active Adv Relied Cost : 0
Entry ID : 0 EntryFlags : 0x00000000
Reference Cnt: 0 Tag : 0
Priority : low Age : 92sec
IndirectID : 0x100016E Instance :
RelayNextHop : 20::1:0:3C TunnelID : 0x0
Interface : SRv6 BE Flags : RD
BkNextHop : 30::1:0:21 BkInterface : SRv6 BE
BkLabel : NULL BkTunnelID : 0x0
BkPETunnelID : 0x0 BkIndirectID : 0x100016A
从以上显示信息可以看出,VPN路由22::22/128具有备份出接口,VPN FRR路由表项已经生成。
同一VPN的CE能够相互Ping通,例如:
[~CE1] ping ipv6 -a 11::11 22::22
PING 22::22 : 56 data bytes, press CTRL_C to break
Reply from 22::22
bytes=56 Sequence=1 hop limit=62 time=57 ms
Reply from 22::22
bytes=56 Sequence=2 hop limit=62 time=5 ms
Reply from 22::22
bytes=56 Sequence=3 hop limit=62 time=5 ms
Reply from 22::22
bytes=56 Sequence=4 hop limit=62 time=5 ms
Reply from 22::22
bytes=56 Sequence=5 hop limit=62 time=4 ms
--- 22::22 ping statistics---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max=4/15/57 ms
