Virtual network based tunneling

Segment definition

Each segment has its own policy. For example, if a set of clients belongs to the admin segment, that segment can be given better QoS and more security privileges than the segment assigned to guest clients.

Traffic between two segments is prohibited based on policy.

A segment does not map one-to-one to a network construct such as a VLAN or a VRF: multiple segments can co-exist within a VLAN, or a segment can span multiple VLANs and VRFs. The switch, however, must still realize segmentation using network constructs such as VLANs, VRFs, ACLs, etc.

Example

This example illustrates a simple deployment using two VLANs and one VRF across two access switches (A1, A2) and a core switch.

Overlay client VLAN   L2 VNI   Subnet
10                    100      1.1.1.0/24
20                    200      2.2.2.0/24

Overlay client VRF   L3 VNI   Overlay SVIs on VRF                                           Overlay ROPs on VRF
A                    10000    VLAN interfaces 10 and 20 on the access switches;             ROP interfaces to the north of the core
                              VLAN interface to the north of the core (if any is needed)

Configuration on switches                                         A1   A2   Core
L2 VNI 100; anycast gateway for 1.1.1.0/24; VLAN interface 10     Y    Y    N
L2 VNI 200; anycast gateway for 2.2.2.0/24; VLAN interface 20     Y    Y    N
VRF A; L3 VNI for VRF A                                           Y    Y    Y
RD and RTs for VRF A (can also be derived from the L3 VNI)        Y    Y    Y

The VRF is configured on the core switch, and the two VLANs and the VRF are configured on the two access switches as required. The two VLANs and the VRF are part of the running config on both access switches.

Initially, the status of the two VLANs on the access switches is down. This means that:

  • EVPN routes (the RT-3 IMET route, and the RT-5 and RT-2 routes for the VLAN interfaces) are not announced by the switches.
  • No VXLAN tunnels are established between any pairs of switches.

When Host H1 connects to A1, the host is authenticated with CPPM and the client is mapped to Role-1 on VLAN 10. This results in the following:

  • The VLAN state changes to up in the show commands on A1.

  • The L2 and L3 forwarding constructs for the local MAC of H1 are programmed onto VLAN 10 inside A1.

  • The IMET route for L2 VNI 100 is advertised by A1.
    • This route is not used by the core, as the core does not have a footprint of VLAN 10.

    • This route is not used by A2 either, because A2 does not have a local VLAN 10 in the "up" state yet.

  • RT-5 prefix route (if enabled) is advertised by A1.

    • Upon receiving the route, the core programs the prefix route (1.1.1.0/24). This also results in VXLAN tunnel programming on the core towards A1.

    • A2 still does not use this route, because the VRF is not instantiated on A2 yet.

  • The RT-4 and the RT-2 routes are advertised by A1.
    • Upon receiving the routes, the core programs the host route (1.1.1.1/32) with NH as A1. The existing tunnel to A1 is reused.

    • A2 still does not use these routes.

  • The BUM domain for VLAN 10 on A1 is still only the local host H1, because VLAN 10 is not instantiated on any other switch yet.

  • Any prefix routes from the core are programmed by A1, and a VXLAN tunnel towards the core is also programmed.

When Host H2 connects to A2, the host is authenticated with CPPM and the client is mapped to Role-1, whose VLAN is VLAN 10. This results in the following:

  • The VLAN state changes to "up" in the show commands on A2.

  • The L2 and L3 forwarding constructs for the local MAC of H2 are programmed into VLAN 10 inside A2.

  • The IMET route for L2 VNI 100 is advertised by A2.

    • This route is again not used by the core, as the core does not have a footprint of VLAN 10.

    • This route is used by A1. It creates a VXLAN tunnel towards A2 and adds it to the BUM domain for VLAN 10.

  • RT-5 prefix route (if enabled) is advertised by A2.

    • Upon receiving the route, the core programs the prefix route (1.1.1.0/24). In the absence of ECMP, the existing route in the core is overwritten. This also results in VXLAN tunnel programming on the core towards A2.

    • A1 still does not use this route, because the local connected route for 1.1.1.0/24 has higher priority.

  • The RT-4 and the RT-2 routes are advertised by A2.

    • Upon receiving the routes, the core programs the host route (1.1.1.2/32) with NH as A2. The existing tunnel is reused.

    • A1 programs the 1.1.1.2/32 route into its FIB with NH as the VTEP of A2.

  • Any prefix routes from the core are programmed by A2, and a VXLAN tunnel towards the core is also programmed.

  • Thus a full mesh of VXLAN tunnels is created between A1, A2 and the core.

When host H3 connects to A2 and is onboarded on VLAN 20, this results in the following:

  • The VLAN state of VLAN 20 changes to "up" in the show commands on A2.

  • The L2 and L3 forwarding constructs for the local MAC of H3 are programmed into VLAN 20 inside A2.

  • The IMET route for L2 VNI 200 is advertised by A2.

    • This route is again not used by the core, as the core does not have a footprint of VLAN 20.

    • This route is not used by A1 either, because VLAN 20 is not in the "up" state on A1.

  • RT-5 prefix route (if enabled) is advertised by A2.

    • Upon receiving the route, the core programs the prefix route (2.2.2.0/24). The core reuses the existing tunnel towards A2.

    • A1 also programs the prefix route, with NH as A2.

  • The RT-4 and the RT-2 routes with respect to H3 are advertised by A2.

    • A1 programs the host route 2.2.2.2/32 into its FIB with NH as A2, reusing the existing tunnel.

    • The behavior on the core is the same.

Additional notes

  • Reference counts maintained in the access switches ensure that existing tunnels are reused as and when new clients come up.
  • Clients leaving the VLAN (disconnect, authentication timeout, etc.) lead to the reversal of the procedure described above, i.e. deletion of local programming, withdrawal of routes, VLAN status change, etc. The reversal is initiated based on the reference count.
  • Dynamic VLAN instantiation does not mandate VNI association for VLANs. Even local VLANs with secure clients (if any) are also dynamically instantiated.
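The onboarding sequence from the example (H1 on A1, H2 on A2, H3 on A2) and the reference-count driven reversal described in these notes, as an added model that is not part of the original page and is not vendor code. It stands in for the switches with a small Python simulation: each access switch keeps a per-VLAN client count, advertises RT-3/RT-5/RT-2 routes only while the VLAN is up, and every switch decides which received routes it programs by the rules in the walkthrough (IMET only where the VLAN is up, L3 routes only where the VRF is instantiated, a local connected route wins over a remote prefix, later arrivals overwrite without ECMP). Switch names, the host and role names (Role-2 for VLAN 20), the northbound default prefix on the core and the route representation are assumptions chosen to match the text; the model also re-evaluates previously received routes when a VLAN comes up, which is how A2 ends up with a tunnel to A1 in the full mesh.

```python
"""Replay of dynamic VLAN instantiation in the three-switch EVPN-VXLAN example.

Added model, not code from the original page or from any vendor. Switch
names, the constructed host addresses, the role-to-VLAN map, the
northbound default prefix on the core, and the import rules below are all
assumptions chosen to match the walkthrough in the text.
"""
from collections import Counter, namedtuple

Route = namedtuple("Route", "kind origin key vlan")   # kind: IMET (RT-3), PREFIX (RT-5), HOST (RT-2)

VLAN_PLAN = {10: (100, "1.1.1.0/24"), 20: (200, "2.2.2.0/24")}  # VLAN -> (L2 VNI, subnet)
ROLE_VLAN = {"Role-1": 10, "Role-2": 20}   # Role-2 is an assumed name for the VLAN 20 role
ACCESS = ("A1", "A2")
CORE = "Core"
NORTH_PREFIX = "0.0.0.0/0"   # assumption: one prefix learnt on the core's northbound ROP


class Fabric:
    """Three switches sharing one VRF; self.routes stands in for the BGP EVPN table."""

    def __init__(self):
        self.routes = [Route("PREFIX", CORE, NORTH_PREFIX, None)]  # arrival order = preference without ECMP
        self.clients = Counter()   # (switch, vlan) -> authenticated clients on that VLAN (reference count)
        self.hosts = {}            # (switch, host ip) -> vlan

    def onboard(self, switch, ip, role):
        """Client authenticated and mapped to a role; the role's VLAN is instantiated if needed."""
        vlan = ROLE_VLAN[role]
        self.clients[(switch, vlan)] += 1
        self.hosts[(switch, ip)] = vlan
        self._sync_advertisements(switch)

    def offboard(self, switch, ip):
        """Client leaves; when the reference count reaches 0 the VLAN goes down and routes are withdrawn."""
        vlan = self.hosts.pop((switch, ip))
        self.clients[(switch, vlan)] -= 1
        self._sync_advertisements(switch)

    def vlans_up(self, switch):
        return {v for v in VLAN_PLAN if self.clients[(switch, v)] > 0}

    def _sync_advertisements(self, switch):
        wanted = []
        for v in sorted(self.vlans_up(switch)):
            vni, subnet = VLAN_PLAN[v]
            wanted.append(Route("IMET", switch, vni, v))        # RT-3 for the L2 VNI
            wanted.append(Route("PREFIX", switch, subnet, v))   # RT-5 for the SVI subnet
        for (sw, ip), v in self.hosts.items():
            if sw == switch:
                wanted.append(Route("HOST", switch, ip + "/32", v))  # RT-2 host route
        # Withdraw routes no longer wanted, keep the survivors' order, announce new ones last.
        self.routes = [r for r in self.routes if r.origin != switch or r in wanted]
        self.routes += [r for r in wanted if r not in self.routes]

    def state(self, switch):
        """What the switch programs from its local VLANs and the routes it has received."""
        up = self.vlans_up(switch)
        vrf_active = switch == CORE or bool(up)   # on access, the VRF exists only with a VLAN up
        fib = {VLAN_PLAN[v][1]: "connected" for v in up}
        fib.update({ip + "/32": "local" for (sw, ip) in self.hosts if sw == switch})
        bum = {v: set() for v in up}              # remote VTEPs in each VLAN's flood list
        for r in self.routes:
            if r.origin == switch:
                continue
            if r.kind == "IMET":
                if r.vlan in up:                  # IMET is usable only where the VLAN is up
                    bum[r.vlan].add(r.origin)
            elif vrf_active and fib.get(r.key) not in ("connected", "local"):
                fib[r.key] = r.origin             # later arrival overwrites earlier (no ECMP)
        tunnels = Counter(nh for nh in fib.values() if nh not in ("connected", "local"))
        for members in bum.values():              # one tunnel per remote VTEP, shared by all its users
            tunnels.update(members)
        return {"vlans_up": up, "fib": fib, "bum": bum, "tunnels": tunnels}


def replay():
    """Run the sequence from the text plus the reverse path; returns {step: {switch: state}}."""
    fab, log = Fabric(), {}

    def snapshot(step):
        log[step] = {sw: fab.state(sw) for sw in ACCESS + (CORE,)}

    fab.onboard("A1", "1.1.1.1", "Role-1"); snapshot("H1 on A1")
    fab.onboard("A2", "1.1.1.2", "Role-1"); snapshot("H2 on A2")
    fab.onboard("A2", "2.2.2.2", "Role-2"); snapshot("H3 on A2")
    fab.offboard("A2", "1.1.1.2");          snapshot("H2 leaves")
    fab.offboard("A2", "2.2.2.2");          snapshot("H3 leaves")
    return log


if __name__ == "__main__":
    for step, states in replay().items():
        print(step)
        for sw, st in states.items():
            print(f"  {sw}: up={sorted(st['vlans_up'])} tunnels={dict(st['tunnels'])} fib={st['fib']}")
```

The tunnel count per remote VTEP in `tunnels` is the reference count the notes refer to: it grows as more routes and flood-list entries point at the same VTEP (A1's tunnel to A2 is used by four entries after H3 joins), and the tunnel disappears only when the last user is withdrawn, which in the replay happens when H3 leaves and A2 no longer has any VLAN up.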