This configuration applies to Application-Driven Campus DR2000 ADCAM version 7.3 (E0506H02).
1. Designate the device as a LEAF device
vcf-fabric role leaf
2. Create VLAN 1 and VLAN 4094, and configure the management address. VLAN 1 is the management subnet; VLAN 4094 is the subnet SDN uses to deliver policy.
vlan 1
vlan 4094
int vlan1
ip add xxx.xxx.xxx.xxx
3. Configure the VLAN Layer 3 virtual interface used to interconnect with the SPINE. VLAN 4089 is planned here.
vlan 4089
description LEAF互通
int vlan4089
ip add xxx.xxx.xxx.xxx 30
4. Configure the LoopBack interface to serve as the router ID
int loopback0
ip add xxx.xxx.xxx.xxx 32
5. Configure OSPF
ospf 1
graceful-restart ietf
area 0.0.0.0
network xxx.xxx.xxx.xxx 0.0.0.0
network xxx.xxx.xxx.xxx 0.0.0.0
6. Configure BGP EVPN
bgp 100
graceful-restart
router-id xxx.xxx.xxx.xxx
peer xxx.xxx.xxx.xxx as-number 100
peer xxx.xxx.xxx.xxx connect-interface LoopBack0
address-family l2vpn evpn
peer xxx.xxx.xxx.xxx enable
7. Enable L2VPN
l2vpn enable
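8. Configure vpn-default, VSI vxlan4094, the VSI virtual interface IP address and the L3 VNI, and configure a service instance (bound to vsi vxlan4094) on the downlink AC port (the interface connecting to the Access device) to complete control channel connectivity.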
#
ip vpn-instance vpn-default
route-distinguisher 1:1
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
# Configure the IP address of VSI virtual interface 4094.
interface Vsi-interface4094
ip binding vpn-instance vpn-default
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
local-proxy-arp enable
#
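# Configure the VSI interface used for Layer 3 forwarding and the L3 VNI
# The ip address unnumbered command makes this interface borrow the IP address of the specified interface. When a security group is created under vpn-default, Layer 3 forwarding uses the vsi4094 interface IP as the source IP of the packets it sends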
interface Vsi-interface4092
ip binding vpn-instance vpn-default
ip address unnumbered interface Vsi-interface 4094
l3-vni 4092
# Configure the vsi vxlan4094 instance
#
vsi vsi4094
gateway vsi-interface 4094
vxlan 4094
evpn encapsulation vxlan
mac-advertising disable
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
dhcp snooping trust tunnel
#
8. Configure LLDP, used to determine the topology relationships
lldp global enable
9. Configure STP
#
stp instance 0 root secondary
undo stp vlan 2 to 4094 enable
stp mode pvst
stp global enable
#
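10. Configure SNMP and NETCONF
# Configure SNMP. The configuration below is the default; set the SNMP community strings according to the actual environment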
snmp-agent
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent packet max-size 4096
#
# NETCONF configuration
netconf soap http enable
netconf soap https enable
#
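11. Configure the local user local-user h3c, used later when Director connects to the device.
# The NETCONF parameters set in Director must match the username and password set here
local-user h3c class manage // h3c is the username being created
password simple h3c // h3c is the password being set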
service-type ftp
service-type telnet http https ssh
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
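12. Configure the Telnet username and password (this can be done in the initial configuration; it can be skipped if Telnet connectivity is not specifically needed)
# The Telnet parameters set in Director must match the username and password set here
# If no Telnet password is set in Director, this step can be skipped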
telnet server enable
#
line vty 0 63
authentication-mode scheme
user-role network-admin
user-role network-operator
# Set the Telnet username and password to admin and admin
local-user admin class manage
password simple admin
service-type telnet http https ssh
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
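13. Check the configuration
After completing the configuration above, check that each part was applied successfully, including that the vsi-interface 4092 and 4094 interfaces are up.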
[s75exs]dis int Vsi-interface brief
Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
Vsi4092 UP UP --
Vsi4094 UP UP 110.0.5.110
[s75exs]dis l2vpn vsi
Total number of VSIs: 2, 1 up, 1 down, 0 admin down
VSI Name VSI Index MTU State
4094 0 1500 Up
Auto_L3VNI4092_4092 1 1500 Down // auto-generated
14. Disable MAC address learning and ARP learning on VXLAN tunnels
# Disable ARP learning on VXLAN tunnels
vxlan tunnel arp-learning disable
#
# Disable MAC address learning on VXLAN tunnels
vxlan tunnel mac-learning disable
#
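15. Enable the feature that keeps remotely synchronized ARP entries from being installed into the hardware driver
# To save hardware resources, ARP entries synchronized from remote EVPN peers are not installed into the hardware driver by default; they are installed only when traffic triggers them
# Currently only S5560 devices support this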
ip forwarding-conversational-learning
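# After traffic stops, the hardware entries age out and are deleted. The default aging time is 60 minutes and can be set with the following command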
[S5560X]ip forwarding-conversational-learning aging ?
INTEGER<60-1440> Aging time in (minutes)
[S5560X]
16. SPINE device configuration
In an existing environment, adding a LEAF node only requires configuring BGP 100.
bgp 100
peer 30.0.0.17 as-number 100
peer 30.0.0.17 connect-interface LoopBack0
address-family l2vpn evpn
peer 30.0.0.17 enable
peer 30.0.0.17 reflect-client
17. Configure the LEAF downlink interfaces as TRUNK
18. Configuration complete
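
An added example, not part of the original page or any H3C tooling: a Python check that scans a Comware-style configuration for the management-plane settings from steps 10 to 12 that should be reviewed before deployment (default SNMP communities, SNMPv1/v2c, cleartext Telnet/FTP/HTTP access, passwords that match the username or a known default). The WEAK_SECRETS list, the rule names and the SAMPLE text are assumptions constructed for this example.

```python
import re

# Constructed list of well-known default secrets (an assumption of this example).
WEAK_SECRETS = {"public", "private", "admin", "h3c", "password", "123456"}
CLEARTEXT = {"telnet", "ftp", "http"}

def audit_config(text):
    """Return (line_no, rule, detail) tuples for weak management-plane settings."""
    findings, user = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("//")[0].strip()      # drop the page's inline annotations
        if line.startswith("#"):               # '#' ends a block or starts a comment
            if line == "#":
                user = None
            continue
        if m := re.fullmatch(r"snmp-agent community (read|write) (\S+)", line):
            if m[2].lower() in WEAK_SECRETS:
                findings.append((no, "snmp-default-community", f"{m[1]}:{m[2]}"))
        elif line == "snmp-agent sys-info version all":
            findings.append((no, "snmp-v1-v2c-enabled", "community sent unencrypted"))
        elif line in ("telnet server enable", "netconf soap http enable"):
            findings.append((no, "cleartext-service", line))
        elif m := re.fullmatch(r"local-user (\S+) class \S+", line):
            user = m[1]                        # following lines belong to this user
        elif (m := re.fullmatch(r"password simple (\S+)", line)) and user:
            if m[1] == user or m[1].lower() in WEAK_SECRETS:
                findings.append((no, "guessable-password", user))
        elif line.startswith("service-type ") and user:
            for svc in sorted(CLEARTEXT & set(line.split()[1:])):
                findings.append((no, "cleartext-login", f"{user}:{svc}"))
    return findings

# Constructed sample: management-plane lines as written in steps 10-12 above.
SAMPLE = """\
snmp-agent
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
netconf soap http enable
netconf soap https enable
#
local-user h3c class manage // h3c
password simple h3c
service-type ftp
service-type telnet http https ssh
#
telnet server enable
"""

if __name__ == "__main__":
    for no, rule, detail in audit_config(SAMPLE):
        print(f"line {no}: {rule} ({detail})")
```

Running it against a saved copy of the device configuration lists each flagged line with its rule name, which can be used as a pre-deployment checklist for the LEAF and SPINE devices.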