Help Center/ Enterprise Switch/ Getting Started/ Step 4: Configure a Tunnel Gateway in Your Data Center
Updated on 2024-12-09 GMT+08:00

Step 4: Configure a Tunnel Gateway in Your Data Center

Scenarios

This section describes how to configure the tunnel gateway on a VXLAN tunnel switch of an on-premises data center.

The following uses Huawei CE6850, Ruijie RG-S6250, and H3C S6520 series switches as examples. To check more configurations, see the product documentation of the corresponding switch.

Notes and Constraints

If you use an enterprise switch to connect your on-premises data center to the cloud, the switches of your data center must support the VXLAN function. If high reliability is required, the VXLAN switches need to be deployed in disaster recovery mode.

The following lists some switches that support the VXLAN function.
  • Huawei switches: Huawei CE58, CE68, CE78, and CE88 series switches, such as CE6870, CE6875, CE6881, CE6863, and CE12800 switches
  • Switches of other vendors: Cisco Nexus 9300 , Ruijie RG-S6250, and H3C S6520 series switches

Networking Example

In this example, the Layer 2 subnet gateway and the VXLAN tunnel are on different switches.

The tunnel IP address on the cloud is 10.0.6.3, the tunnel IP address of the tunnel switch on the on-premises data center is 2.2.2.2, and the tunnel VNI is 5010.

Figure 1 Layer 2 subnet gateway and VXLAN tunnel on different switches

Procedure (Huawei CE6850 Switches)

Configure the tunnel switch of your data center to divert the traffic of the VLAN corresponding to the Layer 2 subnet to the tunnel.

Currently, most CE series switches do not support forwarding of encapsulated VXLAN packets through Layer 3 sub-interfaces. Layer 3 sub-interfaces cannot be used by VXLAN uplinks (connected to enterprise switches). Instead, VLAN interfaces can be used.

  1. Log in to the tunnel switch and run the system-view command to switch to the system view.
  2. Switch to the loopback 0 interface view and configure the tunnel IP address.

    Example:

    interface loopback 0

    ip address 2.2.2.2 255.255.255.255

  1. Use the quit command to exit the interface view and return to the system view.
  2. Switch to the bridge domain (BD) view and configure the VXLAN VNI for the BD.

    Example:

    bridge-domain 10

    vxlan vni 5010

  3. Use the quit command to exit the BD view and return to the system view.
  4. Create a Layer 2 sub-interface and use the sub-interface to divert traffic from the VLAN at Layer 2 to the tunnel.

    Example:

    interface 10ge 1/0/2.1 mode l2

    encapsulation dot1q vid 100

    bridge-domain 10

  1. Use the interface nve command to create an NVE interface, switch to the NVE interface view, and configure the IP address (2.2.2.2) for the source VTEP of the VXLAN tunnel.

    Example:

    interface nve1

    source 2.2.2.2

  1. Use the vni command in the NVE interface view to configure an ingress replication list for VNI 5010.

    Example:

    vni 5010 head-end peer-list 10.0.6.3

  2. Check the VXLAN configuration status in the system view:

    display vxlan vni 5010 verbose

    Figure 2 VXLAN configuration status

    If the value of State is up, the tunnel status is normal.

Procedure (Ruijie RG-S6250 Switches)

Establish a VXLAN tunnel between a VXLAN switch and an enterprise switch, so that Layer 2 packets from an on-premises server can be encapsulated into IP packets and then sent to the enterprise switch. Configure VXLAN and VLAN encapsulation rules on downlink Layer 2 sub-interfaces of the VXLAN switch to identify the VXLAN of packets.

  1. Enter the global configuration mode.

    Example:

    Ruijie#configure

  1. Create a VXLAN.

    Example:

    Ruijie(config)#vxlan 5010

    VXLAN ID 5010 in this step must be the same as the tunnel VNI in remote access information configured during Layer 2 connection creation in Table 1.

  2. Switch to the loopback interface view and configure the tunnel IP address.

    Example:

    Ruijie(config)#interface loopback 0

    Ruijie(config-if-Loopback 0)#ip address 2.2.2.2 255.255.255.255

    Ruijie(config-if-Loopback 0)# exi

    For a new interface IP address (including the loopback interface IP address) of the VXLAN switch, check whether there is a route to direct traffic from the IP address to the tunnel subnet of the enterprise switch. If there is no such a route, configure one on the VXLAN switch. The VXLAN switch can be an aggregation switch or a core switch. Select a switch based on the network plan.

  3. Create a VXLAN tunnel.
    1. Create an OverlayTunnel1 interface. This interface is used to statically create an overlay tunnel.

      Example:

      Ruijie(config)#interface overlayTunnel 1

    2. Specify the source IP address of the overlay tunnel. This will be the loopback interface IP address.

      Example:

      Ruijie(config-if-OverlayTunnel 1)#tunnel source 2.2.2.2

    3. Specify the destination IP address of the overlay tunnel. This will be the tunnel IP address of the enterprise switch.

      Example:

      Ruijie(config-if-OverlayTunnel 1)#tunnel destination 10.0.6.3

      Ruijie(config-if-OverlayTunnel 1)#exit

  1. Associate the VXLAN instance with the OverlayTunnel interface.

    Example:

    Ruijie(config)#vxlan 5010

    Ruijie(config-vxlan)#tunnel-interface OverlayTunnel 1

    Ruijie(config-vxlan)#exit

    • A maximum of six Layer 2 connections can be created on an enterprise switch. Each connection corresponds to a VXLAN. Multiple VXLAN instances can be associated with the same OverlayTunnel interface, for example, OverlayTunnel1.
    • A VXLAN switch can connect to multiple enterprise switches. In this case, you can associate multiple OverlayTunnel interfaces, for example, OverlayTunnel1 and OverlayTunnel2, with the same VXLAN.
    • Due to chip limitations, Ruijie RG-S6250 switches do not allow multiple VXLAN tunnels to use the same physical egress, and each VXLAN tunnel needs to encapsulate its unique DMAC and VID information. For details, contact Ruijie technical support.
  1. Create a Layer 2 sub-interface and configure VXLAN and VLAN encapsulation rules.

    Create the sub-interface (AggregatePort 1.100) on the link aggregation interface (AggregatePort1) to receive data packets of VLAN 100, encapsulate the packets into VXLAN 5010, and forward them through the VXLAN tunnel.

    Example:

    Ruijie(config)#interface AggregatePort 1.100

    Ruijie(config-subif-AggregatePort 1.100)#encapsulation dot1q s-vid 100

    Ruijie(config-subif-AggregatePort 1.100)#encapsulation vxlan 5010

    Ruijie(config-subif-AggregatePort 1.100)#exit

    The method for creating Ethernet service instances on physical Ethernet interfaces of switches is similar.

  2. Check the VXLAN configuration status in the system view:

    show vxlan 5010

    VXLAN configuration status
    VXLAN 5010
    Symmetric property  : FALSE
    Router Interface    : -
    Extend VLAN         : -
    VTEP Adjacency Count: 1
    VTEP Adjacency List :
    Interface              Source IP       Destination IP  Type
    ---------------------- --------------- --------------- -------
    OverlayTunnel 1      2.2.2.2   10.0.6.3      static

Procedure (H3C S6520 Switches)

Establish a VXLAN tunnel between a VXLAN switch and an enterprise switch, associate the VXLAN tunnel with a VXLAN, so that Layer 2 packets from VMs can be encapsulated into IP packets and then sent to the enterprise switch. Configure Ethernet service instances and matching rules on downlink interfaces of a VXLAN switch to identify the VXLAN that packets belong to.

  1. Configure the switch to work in VXLAN mode.

    Save the configuration, and restart the switch. (Skip this step if the switch is already working in VXLAN mode.)

    Example:

    <SwitchA> system-view

    [SwitchA] switch-mode 1

    Reboot device to make the configuration take effect.

    [SwitchA] quit

    <SwitchA> reboot

    Start to check configuration with next startup configuration file, please wait..
    .......DONE!
    Current configuration may be lost after the reboot, save current configuration?
    [Y/N]:y
    This command will reboot the device. Continue? [Y/N]:y
  1. Create a tunnel interface and configure an IP address for the interface.

    Create a loopback interface and configure an IP address for the loopback interface as the remote IP address of the VXLAN tunnel.

    Example:

    [SwitchA] interface loopback 0

    [SwitchA-LoopBack0] ip address 2.2.2.2 32

    For a new interface IP address (including the loopback interface IP address) of the VXLAN switch, check whether there is a route to direct traffic from the IP address to the tunnel subnet of the enterprise switch. If there is no such a route, configure one on the VXLAN switch. The VXLAN switch can be an aggregation switch or a core switch. Select a switch based on the network plan.

  2. Create a VXLAN.
    1. Enable L2VPN.

      Example:

      <SwitchA> system-view

      [SwitchA] l2vpn enable

    2. Enable Layer 2 forwarding for the VXLAN tunnel.

      Example:

      [SwitchA] undo vxlan ip-forwarding

    3. Create the VSI vpna and VXLAN 5010.

      Example:

      [SwitchA] vsi vpna

      [SwitchA-vsi-vpna] vxlan 5010

      [SwitchA-vsi-vpna-vxlan5010] quit

      [SwitchA-vsi-vpna] quit

      The VXLAN ID must be the same as the tunnel VNI in remote access information configured during Layer 2 connection creation in Table 1.

  3. Create a VXLAN tunnel.

    Create a VXLAN tunnel (Tunnel1) to the enterprise switch.

    Example:

    [SwitchA] interface tunnel 1 mode vxlan

    [SwitchA-Tunnel1] source 2.2.2.2

    [SwitchA-Tunnel1] destination 10.0.6.3

    [SwitchA-Tunnel1] quit

  1. Associate the VXLAN with the VXLAN tunnel.

    On the VXLAN switch, associate the VXLAN tunnel (Tunnel1) with VXLAN 5010.

    Example:

    [SwitchA] vsi vpna

    [SwitchA-vsi-vpna] vxlan 5010

    [SwitchA-vsi-vpna-vxlan5010] tunnel 1

    [SwitchA-vsi-vpna-vxlan5010] quit

    [SwitchA-vsi-vpna] quit

    • A maximum of six Layer 2 connections can be created on an enterprise switch. Each connection corresponds to a VXLAN. Multiple VXLANs can be associated with the same VXLAN tunnel, such as, Tunnel1.
    • A VXLAN switch can connect to multiple enterprise switches. In this case, you can associate multiple VXLAN tunnels, for example, Tunnel1 and Tunnel2, with the same VXLAN.
  1. Configure an Ethernet service instance to match frames and associate the instance with the VSI.

    Create Ethernet service instance 1000 on Bridge-Aggregation1 of the VXLAN switch to match frames of VLAN 100 and associate the instance with VSI vpna (VXLAN 5010).

    Example:

    [SwitchA] Bridge-Aggregation 1

    [SwitchA-Bridge-Aggregation1] port link-type trunk

    [SwitchA-Bridge-Aggregation1] service-instance 1000

    [SwitchA-Bridge-Aggregation1-srv1000] encapsulation s-vid 100

    [SwitchA-Bridge-Aggregation1-srv1000] xconnect vsi vpna

    [SwitchA-Bridge-Aggregation1-srv1000] quit

    [SwitchA-Bridge-Aggregation1] quit

    The method for creating Ethernet service instances on physical Ethernet interfaces of switches is similar.

  2. Check the status of the VXLAN tunnel interface.
    • The status of the VXLAN tunnel interface is Up.

      Example:

      [SwitchA]display interface Tunnel 1

      Tunnel1
      Current state: UP
      Line protocol state: UP
      Description: Tunnel1 Interface
      Bandwidth: 64 kbps
      Maximum transmission unit: 1464
      Internet protocol processing: Disabled
      Last clearing of counters: 17:19:44 Fri 01/18/2013
      Tunnel source 2.2.2.2, destination 10.0.6.3
      Tunnel protocol/transport UDP_VXLAN/IP
      Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
      Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
      Input: 0 packets, 0 bytes, 4 drops
      Output: 0 packets, 0 bytes, 0 drops
    • Check the VSI information. The VXLAN tunnel associated with the VXLAN and the Ethernet service instance associated with the VSI are in Up status.

      Example:

      [SwitchA]display l2vpn vsi verbose

      VSI Name: vnpa
      VSI Index               : 1
      VSI State               : Up
      MTU                     : 1500
      Bandwidth               : -
      Broadcast Restrain      : -
      Multicast Restrain      : -
      Unknown Unicast Restrain: -
      MAC Learning            : Enabled
      MAC Table Limit         : -
      MAC Learning rate       : -
      Drop Unknown            : -
      Flooding                : Enabled
      Statistics              : Disabled
      VXLAN ID                : 5010
      Tunnels:
      Tunnel Name          Link ID    State    Type        Flood proxy
      Tunnel1              0x5000001  UP       Manual      Disabled
      ACs:
      AC                   Link ID    State    Type
      BAGG1 srv1000        0          Up       Manual