Step 4: Configure a Tunnel Gateway in Your Data Center
Scenarios
This section describes how to configure the tunnel gateway on a VXLAN tunnel switch of an on-premises data center.
The following uses Huawei CE6850, Ruijie RG-S6250, and H3C S6520 series switches as examples. For other configurations, see the product documentation of the corresponding switch.
Notes and Constraints
If you use an enterprise switch to connect your on-premises data center to the cloud, the switches of your data center must support the VXLAN function. If high reliability is required, the VXLAN switches need to be deployed in disaster recovery mode.
- Huawei switches: Huawei CE58, CE68, CE78, and CE88 series switches, such as CE6870, CE6875, CE6881, CE6863, and CE12800 switches
- Switches of other vendors: Cisco Nexus 9300, Ruijie RG-S6250, and H3C S6520 series switches
Networking Example
In this example, the Layer 2 subnet gateway and the VXLAN tunnel are on different switches.
The tunnel IP address on the cloud is 10.0.6.3, the tunnel IP address of the tunnel switch on the on-premises data center is 2.2.2.2, and the tunnel VNI is 5010.
Procedure (Huawei CE6850 Switches)
Configure the tunnel switch of your data center to divert the traffic of the VLAN corresponding to the Layer 2 subnet to the tunnel.
Currently, most CE series switches do not support forwarding of encapsulated VXLAN packets through Layer 3 sub-interfaces. Layer 3 sub-interfaces cannot be used by VXLAN uplinks (connected to enterprise switches). Instead, VLAN interfaces can be used.
- Log in to the tunnel switch and run the system-view command to switch to the system view.
- Switch to the loopback 0 interface view and configure the tunnel IP address.
interface loopback 0
ip address 2.2.2.2 255.255.255.255
- Use the quit command to exit the interface view and return to the system view.
- Switch to the bridge domain (BD) view and configure the VXLAN VNI for the BD.
bridge-domain 10
vxlan vni 5010
- Use the quit command to exit the BD view and return to the system view.
- Create a Layer 2 sub-interface and use the sub-interface to divert traffic from the VLAN at Layer 2 to the tunnel.
interface 10ge 1/0/2.1 mode l2
encapsulation dot1q vid 100
bridge-domain 10
- Use the interface nve command to create an NVE interface, switch to the NVE interface view, and configure the IP address (2.2.2.2) for the source VTEP of the VXLAN tunnel.
Example:
interface nve1
source 2.2.2.2
- Use the vni command in the NVE interface view to configure an ingress replication list for VNI 5010.
Example:
vni 5010 head-end peer-list 10.0.6.3
- Check the VXLAN configuration status in the system view:
display vxlan vni 5010 verbose
Figure 2 VXLAN configuration status
If the value of State is up, the tunnel status is normal.
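An added example, not part of the vendor procedure: a Python check that compares a saved CE-style configuration with the planned tunnel values from the networking example and reports any head-end peer, VNI or VLAN mapping that was not planned. The indented configuration layout, `PLAN`, `parse` and `audit` are assumptions made for this illustration.

```python
import re

# Planned values from the networking example on this page.
PLAN = {"source": "2.2.2.2", "vni": 5010, "peers": {"10.0.6.3"}, "vlan": 100}

# Constructed sample: the page's CE6850 commands as an indented saved config (layout assumed).
SAMPLE = """\
bridge-domain 10
 vxlan vni 5010
interface 10ge 1/0/2.1 mode l2
 encapsulation dot1q vid 100
 bridge-domain 10
interface nve1
 source 2.2.2.2
 vni 5010 head-end peer-list 10.0.6.3
"""

def parse(config):
    """Collect NVE source, BD-to-VNI, VLAN-to-BD and per-VNI peer lists."""
    out = {"source": None, "bd_vni": {}, "vlan_bd": {}, "peers": {}}
    view, vlan = "", None
    for raw in (l for l in config.splitlines() if l.strip(" #")):
        line = raw.strip()
        if not raw[0].isspace():              # unindented line opens a new view
            view, vlan = line.lower(), None
        elif view.startswith("bridge-domain") and (m := re.fullmatch(r"vxlan vni (\d+)", line)):
            out["bd_vni"][int(view.split()[1])] = int(m[1])
        elif view.startswith("interface nve") and (m := re.fullmatch(r"source (\S+)", line)):
            out["source"] = m[1]
        elif view.startswith("interface nve") and (m := re.fullmatch(r"vni (\d+) head-end peer-list (.+)", line)):
            out["peers"].setdefault(int(m[1]), set()).update(m[2].split())
        elif view.endswith("mode l2") and (m := re.fullmatch(r"encapsulation dot1q vid (\d+)", line)):
            vlan = int(m[1])
        elif view.endswith("mode l2") and (m := re.fullmatch(r"bridge-domain (\d+)", line)):
            out["vlan_bd"][vlan] = int(m[1])
    return out

def audit(config, plan=PLAN):
    """Return findings; an empty list means the config matches the plan."""
    cfg, issues = parse(config), []
    if cfg["source"] != plan["source"]:
        issues.append(f"NVE source {cfg['source']} != planned {plan['source']}")
    for vni, peers in sorted(cfg["peers"].items()):
        allowed = plan["peers"] if vni == plan["vni"] else set()
        issues += [f"unplanned VTEP peer {p} on VNI {vni}" for p in sorted(peers - allowed)]
    if plan["peers"] - cfg["peers"].get(plan["vni"], set()):
        issues.append(f"planned peer missing on VNI {plan['vni']}")
    if cfg["bd_vni"].get(cfg["vlan_bd"].get(plan["vlan"])) != plan["vni"]:
        issues.append(f"VLAN {plan['vlan']} is not mapped to VNI {plan['vni']}")
    return issues
```

Every address in a head-end peer list is a device allowed to exchange Layer 2 frames with the bridge domain, so an entry outside the plan is worth reviewing before the change is saved.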
Procedure (Ruijie RG-S6250 Switches)
Establish a VXLAN tunnel between a VXLAN switch and an enterprise switch, so that Layer 2 packets from an on-premises server can be encapsulated into IP packets and then sent to the enterprise switch. Configure VXLAN and VLAN encapsulation rules on downlink Layer 2 sub-interfaces of the VXLAN switch to identify the VXLAN that packets belong to.
- Create a VXLAN.
Ruijie(config)#vxlan 5010
VXLAN ID 5010 in this step must be the same as the tunnel VNI in remote access information configured during Layer 2 connection creation in Table 1.
- Switch to the loopback interface view and configure the tunnel IP address.
Ruijie(config)#interface loopback 0
Ruijie(config-if-Loopback 0)#ip address 2.2.2.2 255.255.255.255
Ruijie(config-if-Loopback 0)#exit
For a new interface IP address (including the loopback interface IP address) of the VXLAN switch, check whether there is a route to direct traffic from the IP address to the tunnel subnet of the enterprise switch. If there is no such route, configure one on the VXLAN switch. The VXLAN switch can be an aggregation switch or a core switch. Select a switch based on the network plan.
- Create a VXLAN tunnel.
- Create an OverlayTunnel1 interface. This interface is used to statically create an overlay tunnel.
Ruijie(config)#interface overlayTunnel 1
- Specify the source IP address of the overlay tunnel. This will be the loopback interface IP address.
Ruijie(config-if-OverlayTunnel 1)#tunnel source 2.2.2.2
- Specify the destination IP address of the overlay tunnel. This will be the tunnel IP address of the enterprise switch.
Ruijie(config-if-OverlayTunnel 1)#tunnel destination 10.0.6.3
Ruijie(config-if-OverlayTunnel 1)#exit
- Associate the VXLAN instance with the OverlayTunnel interface.
Ruijie(config)#vxlan 5010
Ruijie(config-vxlan)#tunnel-interface OverlayTunnel 1
Ruijie(config-vxlan)#exit
- A maximum of six Layer 2 connections can be created on an enterprise switch. Each connection corresponds to a VXLAN. Multiple VXLAN instances can be associated with the same OverlayTunnel interface, for example, OverlayTunnel1.
- A VXLAN switch can connect to multiple enterprise switches. In this case, you can associate multiple OverlayTunnel interfaces, for example, OverlayTunnel1 and OverlayTunnel2, with the same VXLAN.
- Due to chip limitations, Ruijie RG-S6250 switches do not allow multiple VXLAN tunnels to use the same physical egress, and each VXLAN tunnel needs to encapsulate its unique DMAC and VID information. For details, contact Ruijie technical support.
- Create a Layer 2 sub-interface and configure VXLAN and VLAN encapsulation rules.
Create the sub-interface (AggregatePort 1.100) on the link aggregation interface (AggregatePort1) to receive data packets of VLAN 100, encapsulate the packets into VXLAN 5010, and forward them through the VXLAN tunnel.
Example:
Ruijie(config)#interface AggregatePort 1.100
Ruijie(config-subif-AggregatePort 1.100)#encapsulation dot1q s-vid 100
Ruijie(config-subif-AggregatePort 1.100)#encapsulation vxlan 5010
Ruijie(config-subif-AggregatePort 1.100)#exit
The method for creating Ethernet service instances on physical Ethernet interfaces of switches is similar.
- Check the VXLAN configuration status in the system view:
VXLAN configuration status
VXLAN 5010
  Symmetric property  : FALSE
  Router Interface    : -
  Extend VLAN         : -
  VTEP Adjacency Count: 1
  VTEP Adjacency List :
    Interface              Source IP       Destination IP  Type
    ---------------------- --------------- --------------- -------
    OverlayTunnel 1        2.2.2.2         10.0.6.3        static
Procedure (H3C S6520 Switches)
Establish a VXLAN tunnel between a VXLAN switch and an enterprise switch and associate the tunnel with a VXLAN, so that Layer 2 packets from VMs can be encapsulated into IP packets and then sent to the enterprise switch. Configure Ethernet service instances and matching rules on downlink interfaces of the VXLAN switch to identify the VXLAN that packets belong to.
- Configure the switch to work in VXLAN mode.
Save the configuration, and restart the switch. (Skip this step if the switch is already working in VXLAN mode.)
Example:
<SwitchA> system-view
[SwitchA] switch-mode 1
Reboot device to make the configuration take effect.
[SwitchA] quit
<SwitchA> reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
Current configuration may be lost after the reboot, save current configuration? [Y/N]:y
This command will reboot the device. Continue? [Y/N]:y
- Create a tunnel interface and configure an IP address for the interface.
Create a loopback interface and configure an IP address for the loopback interface as the remote IP address of the VXLAN tunnel.
Example:
[SwitchA] interface loopback 0
[SwitchA-LoopBack0] ip address 2.2.2.2 32
For a new interface IP address (including the loopback interface IP address) of the VXLAN switch, check whether there is a route to direct traffic from the IP address to the tunnel subnet of the enterprise switch. If there is no such route, configure one on the VXLAN switch. The VXLAN switch can be an aggregation switch or a core switch. Select a switch based on the network plan.
- Create a VXLAN.
- Enable L2VPN.
<SwitchA> system-view
[SwitchA] l2vpn enable
- Enable Layer 2 forwarding for the VXLAN tunnel.
[SwitchA] undo vxlan ip-forwarding
- Create the VSI vpna and VXLAN 5010.
Example:
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 5010
[SwitchA-vsi-vpna-vxlan5010] quit
[SwitchA-vsi-vpna] quit
The VXLAN ID must be the same as the tunnel VNI in remote access information configured during Layer 2 connection creation in Table 1.
- Create a VXLAN tunnel.
Create a VXLAN tunnel (Tunnel1) to the enterprise switch.
Example:
[SwitchA] interface tunnel 1 mode vxlan
[SwitchA-Tunnel1] source 2.2.2.2
[SwitchA-Tunnel1] destination 10.0.6.3
[SwitchA-Tunnel1] quit
- Associate the VXLAN with the VXLAN tunnel.
On the VXLAN switch, associate the VXLAN tunnel (Tunnel1) with VXLAN 5010.
Example:
[SwitchA] vsi vpna
[SwitchA-vsi-vpna] vxlan 5010
[SwitchA-vsi-vpna-vxlan5010] tunnel 1
[SwitchA-vsi-vpna-vxlan5010] quit
[SwitchA-vsi-vpna] quit
- A maximum of six Layer 2 connections can be created on an enterprise switch. Each connection corresponds to a VXLAN. Multiple VXLANs can be associated with the same VXLAN tunnel, such as Tunnel1.
- A VXLAN switch can connect to multiple enterprise switches. In this case, you can associate multiple VXLAN tunnels, for example, Tunnel1 and Tunnel2, with the same VXLAN.
- Configure an Ethernet service instance to match frames and associate the instance with the VSI.
Create Ethernet service instance 1000 on Bridge-Aggregation1 of the VXLAN switch to match frames of VLAN 100 and associate the instance with VSI vpna (VXLAN 5010).
Example:
[SwitchA] interface Bridge-Aggregation 1
[SwitchA-Bridge-Aggregation1] port link-type trunk
[SwitchA-Bridge-Aggregation1] service-instance 1000
[SwitchA-Bridge-Aggregation1-srv1000] encapsulation s-vid 100
[SwitchA-Bridge-Aggregation1-srv1000] xconnect vsi vpna
[SwitchA-Bridge-Aggregation1-srv1000] quit
[SwitchA-Bridge-Aggregation1] quit
The method for creating Ethernet service instances on physical Ethernet interfaces of switches is similar.
- Check the status of the VXLAN tunnel interface.
- The status of the VXLAN tunnel interface is Up.
Example:
[SwitchA] display interface Tunnel 1
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1464
Internet protocol processing: Disabled
Last clearing of counters: 17:19:44 Fri 01/18/2013
Tunnel source 2.2.2.2, destination 10.0.6.3
Tunnel protocol/transport UDP_VXLAN/IP
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 4 drops
Output: 0 packets, 0 bytes, 0 drops
- Check the VSI information. The VXLAN tunnel associated with the VXLAN and the Ethernet service instance associated with the VSI are in Up status.
Example:
[SwitchA] display l2vpn vsi verbose
VSI Name: vnpa
  VSI Index               : 1
  VSI State               : Up
  MTU                     : 1500
  Bandwidth               : -
  Broadcast Restrain      : -
  Multicast Restrain      : -
  Unknown Unicast Restrain: -
  MAC Learning            : Enabled
  MAC Table Limit         : -
  MAC Learning rate       : -
  Drop Unknown            : -
  Flooding                : Enabled
  Statistics              : Disabled
  VXLAN ID                : 5010
  Tunnels:
    Tunnel Name          Link ID    State    Type        Flood proxy
    Tunnel1              0x5000001  UP       Manual      Disabled
  ACs:
    AC                               Link ID    State    Type
    BAGG1 srv1000                    0          Up       Manual
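An added example, not from the vendor documentation: the UDP/IP encapsulation that the Ruijie and H3C procedures describe, parsed in Python so that a captured outer packet can be checked against the planned tunnel endpoints and VNI. It assumes the standard VXLAN UDP port 4789 (RFC 7348); `build_packet` and `check_vxlan` are hypothetical helpers, and the packets are constructed with the IP and UDP checksums left at zero.

```python
import ipaddress
import struct

VXLAN_PORT = 4789  # standard VXLAN UDP destination port (RFC 7348); assumed here
# Tunnel endpoints and VNI from the networking example on this page.
EXPECTED = {"vteps": {"2.2.2.2", "10.0.6.3"}, "vni": 5010}

def build_packet(src, dst, vni, inner=b"\x00" * 14, flags=0x08):
    """Constructed test input: outer IPv4 + UDP + VXLAN header + inner frame."""
    vxlan = struct.pack("!II", flags << 24, vni << 8)   # flags(8) rsvd(24) VNI(24) rsvd(8)
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vxlan) + len(inner), 0)
    total = 20 + len(udp) + len(vxlan) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp + vxlan + inner

def check_vxlan(packet, expected=EXPECTED):
    """Return findings for one outer IPv4 packet; an empty list means as planned."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if ihl < 20 or packet[0] >> 4 != 4 or len(packet) < ihl + 16 or packet[9] != 17:
        return ["not an IPv4/UDP packet long enough to carry a VXLAN header"]
    if struct.unpack_from("!H", packet, ihl + 2)[0] != VXLAN_PORT:
        return ["UDP destination port is not the VXLAN port"]
    src, dst = (str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))
    word0, word1 = struct.unpack_from("!II", packet, ihl + 8)
    flags, vni = word0 >> 24, word1 >> 8
    issues = []
    if not flags & 0x08:                      # I flag must be set for a valid VNI
        issues.append("I flag clear: VNI field is not valid")
    if vni != expected["vni"]:
        issues.append(f"unexpected VNI {vni}")
    for addr in (src, dst):
        if addr not in expected["vteps"]:
            issues.append(f"unexpected tunnel endpoint {addr}")
    return issues
```

The outer header carries the VNI and both tunnel IP addresses in clear text, which is why a capture on the underlay can be checked this way.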