由于工作需要，今天又把Cisco的VXLAN配置拿出来温故了一下，把一些关键的配置点记录在此，给有需要的朋友分享。

拓扑

PC7 属于vlan2，IP 100.2.0.7/24;
PC8 属于vlan3，IP 100.3.0.8/24
VMX vlan2 和 vlan3子接口 IP 100.2.0.254/24,100.3.0.254/24.

Spine1：

开启feature
nv overlay evpn
feature bgp
feature pim
feature vn-segment-vlan-based
feature lldp
feature bfd
feature nv overlay
配置组播
ip pim rp-address 10.38.1.1 group-list 224.0.0.0/4
ip pim log-neighbor-changes
ip pim ssm range 232.0.0.0/8
ip pim anycast-rp 10.38.1.1 10.38.2.1 #10.38.2.1和10.38.2.2路由必须打通
ip pim anycast-rp 10.38.1.1 10.38.2.2
ip pim bfd
BGP路由策略
route-map loopback2bgp permit 10
match tag 9527
route-map unchanged permit 10
set ip next-hop unchanged

配置3层互联接口
interface Ethernet1/1
no switchport
mtu 9216
no ip redirects
ip address 10.1.0.0/31
no ipv6 redirects
ip pim bfd-instance
ip pim sparse-mode
no shutdown

interface Ethernet1/2
no switchport
mtu 9216
no ip redirects
ip address 10.1.0.2/31
no ipv6 redirects
ip pim bfd-instance
ip pim sparse-mode
no shutdown

interface Ethernet1/3
no switchport
mtu 9216
no ip redirects
ip address 10.1.0.4/31
no ipv6 redirects
ip pim bfd-instance
ip pim sparse-mode
no shutdown

配置环回接口
interface loopback0
description underlay
ip address 10.38.2.1/32 tag 9527
ip pim sparse-mode

interface loopback1
description RP
ip address 10.38.1.1/32 tag 9527 #Lo1 IP作为RP，两台Spine一致
ip pim sparse-mode

配置BGP EVPN
router bgp 100 #Spine采用相同AS号
router-id 10.38.2.1
timers bgp 3 9
log-neighbor-changes
address-family ipv4 unicast
redistribute direct route-map loopback2bgp
address-family l2vpn evpn
nexthop route-map unchanged
retain route-target all
配置underlay，互联接口建立邻居
neighbor 10.1.0.1 #Leaf邻居
bfd
remote-as 201
address-family ipv4 unicast
allowas-in 3 #因为两台Spine的AS号相同，必须配置allowas-in才能打通Spine间Lo0路由
send-community
send-community extended
neighbor 10.1.0.3 #Border-Leaf1邻居
bfd
remote-as 301
address-family ipv4 unicast
allowas-in 3
disable-peer-as-check #Border-Leaf的AS号相同，Spine不检查AS号才能传递Border-Leaf之间的路由
send-community
send-community extended
neighbor 10.1.0.5 #Border-Leaf2邻居
bfd
remote-as 301
address-family ipv4 unicast
allowas-in 3
disable-peer-as-check
send-community
send-community extended
配置overlay，Lo0建立邻居
neighbor 10.38.3.1 #Leaf 邻居
remote-as 201
update-source loopback0
ebgp-multihop 2
address-family l2vpn evpn
send-community
send-community extended
route-map unchanged out #不改变下一跳，否则不能建立vxlan隧道
rewrite-evpn-rt-asn #重新修改RT
neighbor 10.38.3.2 #Border-Leaf1邻居
remote-as 301
update-source loopback0
ebgp-multihop 2
address-family l2vpn evpn
disable-peer-as-check
send-community
send-community extended
route-map unchanged out
rewrite-evpn-rt-asn
neighbor 10.38.3.3 #Border-Leaf2邻居
remote-as 301
update-source loopback0
ebgp-multihop 2
address-family l2vpn evpn
disable-peer-as-check
send-community
send-community extended
route-map unchanged out
rewrite-evpn-rt-asn

Leaf1：

开启feature
nv overlay evpn
feature bgp
feature pim
feature vn-segment-vlan-based
feature lldp
feature bfd
feature nv overlay
配置组播
ip pim rp-address 10.38.1.1 group-list 224.0.0.0/4 #10.38.1.1设置在两台Spine上
ip pim log-neighbor-changes
ip pim ssm range 232.0.0.0/8
ip pim bfd

配置VLAN和VNI
vlan 2
vn-segment 10002
vlan 3
vn-segment 10003

BGP路由策略
route-map loopback2bgp permit 10
match tag 9527

配置3层互联接口
interface Ethernet1/1
description to-spine01
no switchport
mtu 9216
no ip redirects
ip address 10.1.0.1/31
no ipv6 redirects
ip pim bfd-instance
ip pim sparse-mode
no shutdown

interface Ethernet1/2
description to-spine02
no switchport
mtu 9216
no ip redirects
ip address 10.2.0.1/31
no ipv6 redirects
ip pim bfd-instance
ip pim sparse-mode
no shutdown

nve接口
interface nve1
no shutdown
host-reachability protocol bgp
source-interface loopback2
source-interface hold-down-time 30
member vni 10002 mcast-group 239.1.1.2 #VNI1002对应组播239.1.1.2
member vni 10003 mcast-group 239.1.1.3 #VNI1003对应组播239.1.1.3

业务接口
interface Ethernet1/3
switchport access vlan 2 #互联PC7
mtu 9216
switchport isolated

interface Ethernet1/4
switchport access vlan 3 #互联PC8
mtu 9216
switchport isolated

配置环回接口
interface loopback0
description underlay
ip address 10.38.3.1/32 tag 9527
ip pim sparse-mode

interface loopback2
description nve
ip address 10.38.4.1/32 tag 9527
ip pim sparse-mode

配置BGP EVPN
router bgp 201 #Leaf AS号201
router-id 10.38.3.1
timers bgp 3 9
log-neighbor-changes
address-family ipv4 unicast
redistribute direct route-map loopback2bgp #重分布Lo0接口路由
maximum-paths 2 #开启BGP多路径，最大路径数2
address-family l2vpn evpn
配置underlay 邻居
neighbor 10.1.0.0
bfd
remote-as 100
address-family ipv4 unicast
disable-peer-as-check #因为两台Spine的AS号相同，忽略AS检测才能传递Spine之间的Lo0路由
send-community
send-community extended
neighbor 10.2.0.0
bfd
remote-as 100
address-family ipv4 unicast
disable-peer-as-check
send-community
send-community extended
配置overlay邻居
neighbor 10.38.2.1
remote-as 100
update-source loopback0
ebgp-multihop 2
address-family l2vpn evpn
send-community
send-community extended
rewrite-evpn-rt-asn #RT是根据AS号自动分配，需要重新修改AS号才能接收来自其它AS的路由
neighbor 10.38.2.2
remote-as 100
update-source loopback0
ebgp-multihop 2
address-family l2vpn evpn
send-community
send-community extended
rewrite-evpn-rt-asn
evpn RD、RT
evpn
vni 10002 l2
rd auto #自动生成RD
route-target import auto #自动生成RT
route-target export auto
vni 10003 l2
rd auto
route-target import auto
route-target export auto

Border-Leaf1：

开启feature
nv overlay evpn
feature bgp
feature pim
feature vn-segment-vlan-based
feature lacp
feature vpc
feature lldp
feature bfd
feature nv overlay

配置组播
ip pim rp-address 10.38.1.1 group-list 224.0.0.0/4 #10.38.1.1设置在两台Spine上
ip pim log-neighbor-changes
ip pim ssm range 232.0.0.0/8
ip pim bfd

配置VLAN和VNI
vlan 2
vn-segment 10002
vlan 3
vn-segment 10003

生成树 MST
spanning-tree mst configuration
name pod16
revision 1

BGP路由策略
route-map loopback2bgp permit 10
match tag 9527

配置VPC
vrf context vpc-keepalive
vpc domain 16 # 编号16
peer-switch
role priority 1024 # Border-Leaf1 primary 配置1024，Border-Leaf2 secondary 默认32667
peer-keepalive destination 192.168.0.2 source 192.168.0.1 vrf vpc-keepalive
peer-gateway
auto-recovery
ipv6 nd synchronize
ip arp synchronize

keepalive
interface Ethernet1/3
description keepalive
no switchport
mtu 9216
vrf member vpc-keepalive #绑定vrf vpc-keepalive
ip address 192.168.0.1/30 #Border-Leaf1 配置192.168.0.1/30，Border-Leaf2 配置192.168.0.2/30
no shutdown

vpc peer-link
interface port-channel100
switchport mode trunk
switchport trunk allowed vlan 2-3
spanning-tree port type network
vpc peer-link

interface Ethernet1/4
description vpc-peer-link
switchport mode trunk
switchport trunk allowed vlan 2-4
channel-group 100 mode active

配置3层互联接口
interface Ethernet1/1
description to-spine01
no switchport
mtu 9216
no ip redirects
ip address 10.1.0.3/31
no ipv6 redirects
ip pim bfd-instance
ip pim sparse-mode

interface Ethernet1/2
description to-spine02
no switchport
mtu 9216
no ip redirects
ip address 10.2.0.3/31
no ipv6 redirects
ip pim bfd-instance
ip pim sparse-mode

业务接口
interface port-channel500 #port-channel 方式互联vmx路由器
switchport mode trunk
switchport trunk allowed vlan 2-4
mtu 9216
vpc 500

interface Ethernet1/5
switchport mode trunk
switchport trunk allowed vlan 2-3
mtu 9216
channel-group 500 mode active

配置环回接口
interface loopback0
description underlay
ip address 10.38.3.2/32 tag 9527
ip pim sparse-mode

interface loopback2
description nve
ip address 10.38.4.2/32 tag 9527
ip address 10.38.4.254/32 secondary tag 9527 #关联nve， secondary ip 两台Border-Leaf相同
ip pim sparse-mode

配置BGP EVPN
router bgp 301 #两台Border-Leaf的AS号相同
router-id 10.38.3.2
timers bgp 3 9
log-neighbor-changes
address-family ipv4 unicast
redistribute direct route-map loopback2bgp #重分布Lo0接口路由
maximum-paths 2 #开启BGP多路径，最大路径数2
address-family l2vpn evpn
配置underlay 邻居
neighbor 10.1.0.2
bfd
remote-as 100
address-family ipv4 unicast
allowas-in 3 #因为两台Border-Leaf的AS号相同，必须配置allowas-in才能打通Border-Leaf间Lo0路由
disable-peer-as-check #因为两台Spine的AS号相同，忽略AS检测才能传递Spine之间的Lo0路由
send-community
send-community extended
neighbor 10.2.0.2
bfd
remote-as 100
address-family ipv4 unicast
allowas-in 3
disable-peer-as-check
send-community
send-community extended
配置overlay 邻居
neighbor 10.38.2.1
remote-as 100
update-source loopback0
ebgp-multihop 2
address-family l2vpn evpn
allowas-in 3
send-community
send-community extended
rewrite-evpn-rt-asn #RT是根据AS号自动分配，需要重新修改AS号才能接收来自其它AS的路由
neighbor 10.38.2.2
remote-as 100
update-source loopback0
ebgp-multihop 2
address-family l2vpn evpn
allowas-in 3
send-community
send-community extended
rewrite-evpn-rt-asn

evpn RD、RT
evpn
vni 10002 l2
rd auto
route-target import auto
route-target export auto
vni 10003 l2
rd auto
route-target import auto
route-target export auto

结果

Underlay peer

Overlay peer

vxlan 接口

vni组播组

L2 路由表

Mac地址表

vlan2 IP地址可达，vlan3 IP地址可达