[游戏开发]DCI互联 Layer 3 VRF-MPLS （EVE vqfx实验）

Layer 3 VPN-MPLS互联方案简介：

QFX10000作为VxLAN隧道的发前端端和终止端。相比其它方案，Layer 3 VPN-MPLS互联最大好处是对现有的WAN 网络没有改动。

实验拓扑

中间三台MX属于WAN，模拟PE和P，AS100；
两个PE上配置VRF实例，PE间MPLS 隧道；
DC1和DC2内部采用EBGP互联；
Border间建跨DC的VxLAN隧道；
关键点就是：DCI的underlay承载在MPLS L3VPN上，overlay还是evpn vxlan。

实验目标

跨数据中心，10.10.10.19 可以访问10.10.10.21和100.0.0.22

DC内配置

DC1-PE:
set routing-options router-id 10.0.0.2
set routing-options autonomous-system 65002
set protocols evpn vni-options vni 10010 vrf-target target:10010:1
set protocols evpn vni-options vni 100100 vrf-target target:100100L:1
set protocols evpn encapsulation vxlan
set protocols evpn default-gateway do-not-advertise
set protocols evpn extended-vni-list all
set protocols bgp group l3clos-l type external
set protocols bgp group l3clos-l export importlo0
set protocols bgp group l3clos-l multipath multiple-as
set protocols bgp group l3clos-l neighbor 172.16.0.0 local-address 172.16.0.1
set protocols bgp group l3clos-l neighbor 172.16.0.0 family inet unicast
set protocols bgp group l3clos-l neighbor 172.16.0.0 peer-as 65001
set protocols bgp group l3clos-l-evpn type external
set protocols bgp group l3clos-l-evpn multihop ttl 1
set protocols bgp group l3clos-l-evpn multihop no-nexthop-change
set protocols bgp group l3clos-l-evpn family evpn signaling loops 2
set protocols bgp group l3clos-l-evpn multipath multiple-as
set protocols bgp group l3clos-l-evpn neighbor 10.0.0.1 local-address 10.0.0.2
set protocols bgp group l3clos-l-evpn neighbor 10.0.0.1 family evpn signaling
set protocols bgp group l3clos-l-evpn neighbor 10.0.0.1 peer-as 65001
EBGP 注意 no-nexthop-change，和TTL的设置
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 10.0.0.2:1
set switch-options vrf-target target💯100
set vlans default vlan-id 1
set vlans vn10 description vn10
set vlans vn10 vlan-id 10
set vlans vn10 l3-interface irb.10
set vlans vn10 vxlan vni 10010
set vlans vn100 description 100
set vlans vn100 vlan-id 100
set vlans vn100 l3-interface irb.100
set vlans vn100 vxlan vni 100100

DC1-Border：
set routing-options router-id 10.0.0.3
set routing-options autonomous-system 65003
set protocols evpn vni-options vni 10010 vrf-target target:10010:1
set protocols evpn vni-options vni 100100 vrf-target target:100100L:1
set protocols evpn encapsulation vxlan
set protocols evpn default-gateway do-not-advertise
set protocols evpn extended-vni-list all
set protocols bgp group l3clos-l type external
set protocols bgp group l3clos-l export importlo0
set protocols bgp group l3clos-l multipath multiple-as
set protocols bgp group l3clos-l neighbor 172.16.0.2 local-address 172.16.0.3
set protocols bgp group l3clos-l neighbor 172.16.0.2 family inet unicast
set protocols bgp group l3clos-l neighbor 172.16.0.2 peer-as 65001
set protocols bgp group l3clos-l-evpn type external
set protocols bgp group l3clos-l-evpn multihop ttl 1
set protocols bgp group l3clos-l-evpn multihop no-nexthop-change
set protocols bgp group l3clos-l-evpn family evpn signaling loops 2
set protocols bgp group l3clos-l-evpn multipath multiple-as
set protocols bgp group l3clos-l-evpn neighbor 10.0.0.1 local-address 10.0.0.3
set protocols bgp group l3clos-l-evpn neighbor 10.0.0.1 family evpn signaling
set protocols bgp group l3clos-l-evpn neighbor 10.0.0.1 peer-as 65001
set protocols bgp group DC1 type external
set protocols bgp group DC1 family inet unicast
set protocols bgp group DC1 export importlo0
set protocols bgp group DC1 neighbor 192.168.100.0 local-address 192.168.100.1
set protocols bgp group DC1 neighbor 192.168.100.0 peer-as 100
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 10.0.0.3:1
set switch-options vrf-target target💯100
set vlans default vlan-id 1
set vlans vn10 description vn10
set vlans vn10 vlan-id 10
set vlans vn10 l3-interface irb.10
set vlans vn10 vxlan vni 10010
set vlans vn100 description 100
set vlans vn100 vlan-id 100
set vlans vn100 l3-interface irb.100
set vlans vn100 vxlan vni 100100

WAN侧配置

DC1-PE:
建MPLS隧道，把Border的lo0 BGP发布到对端
set protocols rsvp interface lo0.0
set protocols rsvp interface ge-0/0/1.0
set protocols mpls label-switched-path lsp-DC2 to 3.3.3.3
set protocols mpls interface all
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 1.1.1.1
set protocols bgp group ibgp family inet-vpn unicast
set protocols bgp group ibgp export importlo0
set protocols bgp group ibgp neighbor 3.3.3.3
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set policy-options policy-statement importdirect term importdirect from family inet
set policy-options policy-statement importdirect term importdirect from protocol direct
set policy-options policy-statement importdirect term importdirect then accept
set policy-options policy-statement importlo0 term importlo0 from family inet
set policy-options policy-statement importlo0 term importlo0 from protocol direct
set policy-options policy-statement importlo0 term importlo0 then accept
set routing-instances DC1 instance-type vrf
set routing-instances DC1 interface ge-0/0/0.0
set routing-instances DC1 interface lo0.2
set routing-instances DC1 route-distinguisher 1:1
set routing-instances DC1 vrf-target target:1:1
set routing-instances DC1 routing-options autonomous-system 100
set routing-instances DC1 protocols bgp group DC1 type external
set routing-instances DC1 protocols bgp group DC1 family inet unicast
set routing-instances DC1 protocols bgp group DC1 export importdirect
set routing-instances DC1 protocols bgp group DC1 neighbor 192.168.100.1 local-address 192.168.100.0
set routing-instances DC1 protocols bgp group DC1 neighbor 192.168.100.1 peer-as 65003
如果两个DC的AS号相同，必须配置 as-override参数，否则BGP会认为环路。

Border间配置

underlay：Border和PE间EBGP；overlay：两个Border之间 EVPN
DC1-Border：
set protocols bgp group DC1 type external
set protocols bgp group DC1 family inet unicast
set protocols bgp group DC1 export importlo0
set protocols bgp group DC1 neighbor 192.168.100.0 local-address 192.168.100.1
set protocols bgp group DC1 neighbor 192.168.100.0 peer-as 100
set protocols bgp group DC1-DC2 type external
set protocols bgp group DC1-DC2 multihop no-nexthop-change
set protocols bgp group DC1-DC2 family evpn signaling
set protocols bgp group DC1-DC2 neighbor 20.0.0.3 multihop ttl 255
set protocols bgp group DC1-DC2 neighbor 20.0.0.3 local-address 10.0.0.3
set protocols bgp group DC1-DC2 neighbor 20.0.0.3 peer-as 66003

检查测试

PE间公网隧道

DC1-Leaf 上MAC

DC1-Border vxlan tunnel

PC跨数据中心ping：

wireshark抓包

DC1-PE—P接口抓包
10.10.10.19—>10.10.10.21
MPLS两层标签：外层公网标签，内网私网标签和MPLS L3 VPN一样；
VxLAN VNI 标签10010

10.10.10.21---->10.10.10.19回包：
此处公网标签已弹出，所以只有一层私网标签，和VxLAN VNI标签

10.10.10.19----> 100.0.0.22 跨网段访问，非对称IRB
MPLS的两层标签不变；
VxLAN VNI 100100：ingress方向，做路由，桥接（所以是vn100的 VNI100100），egress桥接。

100.0.0.22 ----> 10.10.10.19 回包
VxLAN VNI 10010，也是同理。

拓扑中设备配置：

https://download.csdn.net/download/qq_33681684/24164315