Aruba JL851AAE Configuration Guide

i

IMC Orchestrator 6.2 DCI Configuration

Guide

The information in this document is subject to change without notice.

i 
Contents 
Overview ························································································1 
Configure controller-deployed DCI ·······················································3 
Deployment workflows ·················································································································· 3 
Network planning ························································································································· 6 
Network topology ·················································································································· 6 
Resource plan ···················································································································· 11 
Procedure ································································································································· 13 
Configure underlay network basic settings ··············································································· 13 
Configure basic security service resource settings ····································································· 17 
Pre-configure basic multicast settings ····················································································· 18 
Configure controller basic settings ·························································································· 18 
Configure overlay Layer 2 interconnection ················································································ 26 
Configure overlay Layer 3 interconnection without firewall traversal ·············································· 31 
Configure overlay Layer 3 interconnection with firewall traversal ·················································· 40 
Configure Layer 2 multicast interconnection ············································································· 55 
Configure Layer 3 multicast interconnection ············································································· 60 
O&M monitoring ························································································································· 69 
Configure Super Controller-deployed multi-DC interconnection ················ 70 
Deployment workflows ················································································································ 70 
Network planning ······················································································································· 71 
Network topology ················································································································ 71 
Resource plan ···················································································································· 76 
Procedure ································································································································· 77 
Configure underlay network basic settings ··············································································· 77 
Configure basic security service resource settings ····································································· 80 
Configure controller basic settings ·························································································· 81 
Configure basic settings of Super Controller ············································································· 88 
Configure overlay Layer 3 interconnection without firewall traversal ·············································· 93 
Configure overlay Layer 3 interconnection without firewall traversal ············································ 100 
Restrictions and guidelines ········································································································ 114 
O&M monitoring ······················································································································· 114 
 

1

Overview

EVPN VXLAN DCI uses a three-hop VXLAN tunnel:

• The first hop is from the local DC leaf device to the local DC ED device.

• The second hop is from the local DC ED device to the remote DC ED device.

• The third hop is from the remote DC ED device to the remote DC leaf device.

To enable overlay Layer 2 VXLAN interconnection, Layer 3 VXLAN interconnection without firewall

traversal, and Layer 3 VXLAN interconnection with firewall traversal, establish EBGP neighbor

relationships between EDs and IBGP neighbors between EDs and devices in the DC, and configure

VXLAN mapping, route reorigination, PBR and other technologies. In different DCs, the same subnet

of the same tenant might use different VXLANs. When these DCs are interconnected, to ensure that

traffic between the same tenant and the same subnet is forwarded at Layer 2, VXLAN mapping

needs to be performed on the EDs. Modify the RD, L3VNI, and RTs in EVPN routes by using route

reorigination to achieve DC interconnection without exposing the L3 VNIs of DCs.

Detailed configuration is as follows:

• Overlay Layer 2 VLAN interconnection—DC 1 EDs and DC 2 EDs map their local tenant

VXLANs to the same intermediate VXLAN. The EDs of both DCs exchange type-2 EVPN

routes for service interconnection of the same network segment in different DCs.

• Overlay Layer 3 VXLAN interconnection without firewall traversal—VPN mapping is

enabled on DC 1 EDs and DC 2 EDs. The import RTs of one VPN are the export RTs of the

other VPN, and vice versa. Route replication is performed on local tenant VPNs to enable

service interconnection between different network segments in different DCs.

• Overlay Layer 3 VXLAN interconnection with firewall traversal—VPN mapping is enabled

on DC 1 EDs and DC 2 EDs. The import RTs of one VPN are the export RTs of the other

VPN, and vice versa. Route replication is performed on local tenant VPNs and PBR is used to

direct the traffic to the firewalls to ensure service security of different network segments in

different DCs.

Figure 1 Network diagram

Dedicated EDs, border devices collocated with EDs, and spine and border devices collocated with

EDs are available. To ensure availability, the two EDs of each DC form a DR system. The above

figure shows the spine and border devices collocated with EDs.

Spine-

Border1 Spine-

Border2

Leaf1 Leaf2 Leaf3 Leaf4

Server1 Server2 Server3 Server4

FW1 FW2

IPL

IPL IPL

Spine-

Border1 Spine-

Border2

Leaf1 Leaf2 Leaf3 Leaf4

Server1 Server2 Server3 Server4

FW1 FW2

IPL

IPL IPL

DC1 DC2

Internet

DCI

2

Basic underlay configurations for EDs are consistent with those for border devices. See IMC

Orchestrator 6.2 Solution Underlay Configuration Guide to complete the underlay configurations for

EDs. Then, manually configure EBGP neighbors and route reorigination.

This document introduces the following DCI solutions:

• Controller-deployed DCI—This solution offers DCI Layer 2 interconnection and DCI Layer 3

interconnection with or without firewall traversal. This solution requires pre-configuration on

EDs and deployment from the controller.

• Super Controller-deployed multi-DC interconnection—This solution offers DCI Layer 3

interconnection with or without firewall traversal. This solution requires the Super Controller

component to be deployed on the IMC PLAT in one DC. Super Controller will act as the upper

level controller to manage the SDN controller clusters of multiple DCs. It automates EBGP

connection setup between multiple sites to simplify configuration. This solution requires pre-

configuration on EDs and deployment from Super Controller.

3

Configure controller-deployed DCI

If route reduction is configured, reserve one interface for the service loopback group feature on each

ED. Do not use those interfaces for any other purposes.

Deployment workflows

Overlay Layer 2 interconnect deployment workflow

Figure 2 Deployment workflow

Overlay Layer 3 interconnect without firewall traversal deployment workflow

Figure 3 Deployment workflow

Configure basic controller Settings

Configure basic underlay network

Settings Configure the tenant external

network

Configure the tenant network

Add a border device group

Bind the tenant to a border

gateway

Add Layer 2 DC interconnect

Configure DCI End

Required sub-process

Required main process

Add a fabric

Configure a VDS

Add physical devices

Add an IP address pool

Add a VLAN pool

Add a tenant

Bind the border gateway to the

vRouter

Add a vNetwork

Add a vRouter

Start

Configure basic controller Settings

Configure basic underlay network

Settings Configure the tenant external

network

Configure the tenant network

Add a border device group

Bind the tenant to a border

gateway

Add Layer 3 DC interconnect

Configure DCI End

Required sub-process

Required main process

Add a fabric

Configure a VDS

Add physical devices

Add an IP address pool

Add a VLAN pool

Add a tenant

Bind the border gateway to the

vRouter

Add a vNetwork

Add a vRouter

Start

4

Overlay Layer 3 interconnect with firewall traversal deployment workflow

Figure 4 Deployment workflow

Layer 2 multicast interconnection deployment workflow

Figure 5 Deployment workflow

Configure basic controller Settings

Configure basic underlay network

Settings Configure the tenant external

network

Configure the tenant network

Add a border device group

Configure a FW resource pool and

template

Add Layer 3 DC interconnect

Configure DCI End

Required sub-process

Required main process

Add a fabric

Configure a VDS

Add physical devices

Add an IP address pool

Add a VLAN pool

Add a tenant

Add an egress gateway

Add a vNetwork

Add a vRouter

Start

Add an external network

Bind the tenant to a border

gateway

Bind the egress gateway to the

vRouter

Bind the vRouter to the external

network

Create a FW resource for the

tenant

Add a FW

Bind the FW resource to the

vRouter

Configure basic security service

resource Settings

Configure basic underlay network

Settings Configure the tenant network

Configure basic controller Settings End

Required sub-process

Required main process

Configure the tenant gateway and

service resources

Bind the vRouter to the border

gateway

Start

Add a fabric

Configure a VDS

Add a border device group

Add a border gateway

Add a VLAN-VXLAN mapping

Add a tenant

Bind the tenant to the border

gateway

Add a vNetwork

Add a vRouter

Configure DCI

Add a Layer 2 DC interconnect

5

Layer 3 multicast interconnection deployment workflow

Figure 6 Deployment workflow

Note: If firewalls are disabled, services might not be isolated. For example, there are two subnets

under a vRouter. Subnet A is configured with Layer 2 DCI, Subnet B is configured with Layer 3 DCI,

and peer DC Subnet C is configured with Layer 3 DCI to interconnect with Subnet B. In this scenario,

Subnet C can also communicate with Subnet A. They cannot be isolated.#

Configure basic security service

resource Settings

Configure basic underlay network

Settings Configure the tenant network

Configure basic controller Settings End

Required sub-process

Required main process

Configure the tenant gateway and

service resources

Bind the vRouter to the border

gateway

Start

Add a fabric

Configure a VDS

Add a border device group

Add a border gateway

Add a VLAN-VXLAN mapping

Add a tenant

Bind the tenant to the border

gateway

Add a vNetwork

Add a vRouter

Configure DCI

Add a Layer 3 DC interconnect

Configure Layer 3 multicast

6

Network planning

Three network models are supported: dedicated EDs, border devices collocated with EDs, and spine

and border devices collocated with EDs. The three network models have the same overlay

configuration with different underlay configurations.

Network topology

Dedicated EDs network diagram

The dedicated EDs model supports overlay Layer 2 interconnect scenario and overlay Layer 3

interconnect without firewall traversal scenarios, but does not support the overlay Layer 3

interconnect with firewall traversal scenario.

Figure 7 Dedicated EDs

For the connection s between switching devices, see IMC Orchestrator 6.2 Underlay Network

Configuration Guide. For planning of the management and service IP addresses of the devices, see

Table 1.

Table 1 IP assignment

Device

Management IP

addresses

Service IP addresses

ED 1 (DC 1)

192.168.11.10/24

VTEP IP: 10.1.1.10/24

Interconnection IP with DCI switch: 12.1.1.1/30

Interconnection interface with DCI switch: Ten-

GigabitEthernet1/0/17

Interface reserved for route reduction: Ten-

GigabitEthernet1/0/44

ED 2 (DC 1)

192.168.11.11/24

VTEP IP: 10.1.1.11/24

Interconnection IP with DCI switch: 12.1.1.5/30

Interconnection interface with DCI switch: Ten-

GigabitEthernet1/0/17

Interface reserved for route reduction: Ten-

GigabitEthernet1/0/44

Internet

Border1 Border2

Leaf1 Leaf2 Leaf3 Leaf4

Server1 Server2 Server3 Server4

IPL

IPL IPL

Spine1 Spine2

ED1 ED2

IPL

Internet

Border1 Border2

Leaf1 Leaf2 Leaf3 Leaf4

Server1 Server2 Server3 Server4

IPL

IPL IPL

Spine1 Spine2

ED1 ED2

IPL

DC1 DC2

ED1

DCI switch

7

Device

Management IP

addresses

Service IP addresses

Spine 1 (DC 1)

192.168.11.2/24

VTEP IP: 10.1.1.2/24

Spine 2 (DC 1)

192.168.11.3/24

VTEP IP: 10.1.1.3/24

Leaf 1 (DC 1)

192.168.11.4/24

VTEP IP: 10.1.1.4/24

Leaf 2 (DC 1)

192.168.11.5/24

VTEP IP: 10.1.1.5/24

Leaf 3 (DC 1)

192.168.11.6/24

VTEP IP: 10.1.1.6/24

Leaf 4 (DC 1)

192.168.11.7/24

VTEP IP: 10.1.1.7/24

ED 1 (DC 2)

192.168.21.10/24

VTEP IP: 10.1.2.10/24

Interconnection IP with DCI switch: 12.1.1.9/30

ED 2 (DC 2)

192.168.21.11/24

VTEP IP: 10.1.2.11/24

Interconnection IP with DCI switch: 12.1.1.13/30

Spine 1 (DC 2)

192.168.21.2/24

VTEP IP: 10.1.2.2/24

Spine 2 (DC 2)

192.168.21.3/24

VTEP IP: 10.1.2.3/24

Leaf 1 (DC 2)

192.168.21.4/24

VTEP IP: 10.1.2.4/24

Leaf 2 (DC 2)

192.168.21.5/24

VTEP IP: 10.1.2.5/24

Leaf 3 (DC 2)

192.168.21.6/24

VTEP IP: 10.1.2.6/24

Leaf 4 (DC 2)

192.168.21.7/24

VTEP IP: 10.1.2.7/24

Border devices collocated with EDs

Border 1 and Border 2 for a DR system. Border devices connect with DCI devices through Layer 3

interfaces and connect FW and external network devices through DR interfaces.

Border devices collocated with EDs supports overlay Layer 2 interconnect and overlay Layer 3

interconnect with or without firewall traversal scenarios.

Figure 8 Border devices collocated with EDs

Internet

Border1 Border2

Leaf1 Leaf2 Leaf3 Leaf4

Server1 Server2 Server3 Server4

FW1 FW2

IPL

IPL IPL

Spine1 Spine2

Internet

Border1 Border2

Leaf1 Leaf2 Leaf3 Leaf4

Server1 Server2 Server3 Server4

FW1 FW2

IPL

IPL IPL

Spine1 Spine2

DC1 DC2

Uplink

Downlink DCI switch

8

For the connections between switching devices, see IMC Orchestrator 6.2 Underlay Network

Configuration Guide for planning. For planning of the management and service IP addresses of the

devices, see Table 2.

Table 2 IP assignment

Device

Management IP

addresses

Service IP addresses

Border 1 (DC1)

192.168.11.8/24

VTEP IP: 10.1.1.8/24

Interconnection IP with DCI switch: 12.1.1.1/30

Interconnection interface with DCI switch: Ten-

GigabitEthernet1/0/17

Interface reserved for route reduction: Ten-

GigabitEthernet1/0/44

The connection with FW interfaces is shown in Table 3.

Border 2 (DC1)

192.168.11.9/24

VTEP IP: 10.1.1.9/24

Interconnection IP with DCI switch: 12.1.1.5/30

Interconnection interface with DCI switch: Ten-

GigabitEthernet1/0/17

Interface reserved for route reduction: Ten-

GigabitEthernet1/0/44

The connection with FW interfaces is shown in Table 3.

Spine 1 (DC1)

192.168.11.2/24

VTEP IP: 10.1.1.2/24

Spine 2 (DC1)

192.168.11.3/24

VTEP IP: 10.1.1.3/24

Leaf 1 (DC1)

192.168.11.4/24

VTEP IP: 10.1.1.4/24

Leaf 2 (DC1)

192.168.11.5/24

VTEP IP: 10.1.1.5/24

Leaf 3 (DC1)

192.168.11.6/24

VTEP IP: 10.1.1.6/24

Leaf 4 (DC1)

192.168.11.7/24

VTEP IP: 10.1.1.7/24

FW 1 (DC1)

192.168.11.12/24

/

FW 2 (DC1)

192.168.11.13/24

/

Border 1 (DC2)

192.168.21.8/24

VTEP IP: 10.1.2.8/24

Interconnection IP with DCI switch: 12.1.1.9/30

Border 2 (DC2)

192.168.21.9/24

VTEP IP: 10.1.2.9/24

Interconnection IP with DCI switch: 12.1.1.13/30

Spine 1 (DC2)

192.168.21.2/24

VTEP IP: 10.1.2.2/24

Spine 2 (DC2)

192.168.21.3/24

VTEP IP: 10.1.2.3/24

Leaf 1 (DC2)

192.168.21.4/24

VTEP IP: 10.1.2.4/24

Leaf 2 (DC2)

192.168.21.5/24

VTEP IP: 10.1.2.5/24

Leaf 3 (DC2)

192.168.21.6/24

VTEP IP: 10.1.2.6/24

Leaf 4 (DC2)

192.168.21.7/24

VTEP IP: 10.1.2.7/24

FW 1 (DC2)

192.168.21.12/24

The connection with border interfaces is shown in Table 3.

FW 2 (DC2)

192.168.21.13/24

The connection with border interfaces is shown in Table 3.

The connections of service interfaces between the border devices and FWs are shown in Table 3:

9

Table 3 Service interface aggregation between the border devices and FWs

FW

Border

Downlink interfaces:

FW 1 XGE2/0/3, member port of RAGG 2

FW 1 XGE2/0/4, member port of RAGG 2

Uplink interfaces:

FW 1 XGE2/0/5, member port of RAGG 3

FW 1 XGE2/0/6, member port of RAGG 3

Downlink interfaces:

Border 1 XGE6/0/1, member port of BAGG1 in

DR group 1

Border 2 XGE6/0/1, member port of BAGG1 in

DR group 1

Uplink interfaces:

Border 1 XGE6/0/2, member port of BAGG2 in

DR group 2

Border 2 XGE6/0/2, member port of BAGG2 in

DR group 2

Downlink interfaces:

FW 2 XGE2/0/3, member port of RAGG 2

FW 2 XGE2/0/4, member port of RAGG 2

Uplink interfaces:

FW 2 XGE2/0/5, member port of RAGG 3

FW 2 XGE2/0/6, member port of RAGG 3

Downlink interfaces:

Border 1 XGE6/0/5, member port of BAGG5 in

DR group 5

Border 2 XGE6/0/5, member port of BAGG5 in

DR group 5

Uplink interfaces:

Border 1 XGE6/0/6, member port of BAGG6 in

DR group 5

Border 2 XGE6/0/6, member port of BAGG6 in

DR group 6

Spine and border devices collocated with EDs

Spine-Border 1 and Spine-Border 2 for a DR system. Spine-Border devices connect with DCI devices

through Layer 3 interfaces and connect FWs and external network devices through DR interfaces.

Spine and border devices collocated with EDs supports overlay Layer 2 interconnect and overlay

Layer 3 interconnect with or without firewall traversal scenarios.

Figure 9 Spine and border devices collocated with EDs

For the connections between switching devices, see IMC Orchestrator 6.2 Underlay Network

Configuration Guide. For planning of the management and service IP addresses of the devices, see

Table 4.

Spine-

Border1 Spine-

Border2

Leaf1 Leaf2 Leaf3 Leaf4

Server1 Server2 Server3 Server4

FW1 FW2

IPL

IPL IPL

Spine-

Border1 Spine-

Border2

Leaf1 Leaf2 Leaf3 Leaf4

Server1 Server2 Server3 Server4

FW1 FW2

IPL

IPL IPL

DC1 DC2

Internet

Uplink

Downlink DCI switch

10

Table 4 IP assignment

Device

Management IP

addresses

Service IP addresses

Spine-Border 1

(DC 1)

192.168.11.2/24

VTEP IP: 10.1.1.2/24

Interconnection IP with DCI switch: 12.1.1.1/30

Interconnection interface with DCI switch: Ten-

GigabitEthernet1/0/17

Interface reserved for route reduction: Ten-

GigabitEthernet1/0/44

The connection with FW interfaces is shown in Table 5.

Spine-Border 2

(DC 1)

192.168.11.3/24

VTEP IP: 10.1.1.3/24

Interconnection IP with DCI switch: 12.1.1.5/30

Interconnection interface with DCI switch: Ten-

GigabitEthernet1/0/17

Interface reserved for route reduction: Ten-

GigabitEthernet1/0/44

The connection with FW interfaces is shown in Table 5.

Leaf 1 (DC1)

192.168.11.4/24

VTEP IP: 10.1.1.4/24

Leaf 2 (DC1)

192.168.11.5/24

VTEP IP: 10.1.1.5/24

Leaf 3 (DC1)

192.168.11.6/24

VTEP IP: 10.1.1.6/24

Leaf 4 (DC1)

192.168.11.7/24

VTEP IP: 10.1.1.7/24

FW 1 (DC1)

192.168.11.12/24

/

FW 2 (DC1)

192.168.11.13/24

/

Spine-Border 1 (DC

1)

192.168.21.2/24

VTEP IP: 10.1.2.2/24

Interconnection IP with DCI switch: 12.1.1.9/30

Spine-Border

2(DC2)

192.168.21.3/24

VTEP IP: 10.1.2.3/24

Interconnection IP with DCI switch: 12.1.1.13/30

Leaf 1 (DC2)

192.168.21.4/24

VTEP IP: 10.1.2.4/24

Leaf 2 (DC2)

192.168.21.5/24

VTEP IP: 10.1.2.5/24

Leaf 3 (DC2)

192.168.21.6/24

VTEP IP: 10.1.2.6/24

Leaf 4 (DC2)

192.168.21.7/24

VTEP IP: 10.1.2.7/24

FW 1 (DC2)

192.168.21.12/24

The connection with border interfaces is shown in Table 5.

FW 2 (DC2)

192.168.21.13/24

The connection with border interfaces is shown in Table 5.

Table 5 Service interface aggregation between the border devices and FWs

FW

Border

Downlink interfaces:

FW 1 XGE2/0/3, member port of RAGG 2

FW 1 XGE2/0/4, member port of RAGG 2

Uplink interfaces:

FW 1 XGE2/0/5, member port of RAGG 3

FW 1 XGE2/0/6, member port of RAGG 3

Downlink interfaces:

Border 1 XGE6/0/1, member port of BAGG1 in

DR group 1

Border 2 XGE6/0/1, member port of BAGG1 in

DR group 1

Uplink interfaces:

Border 1 XGE6/0/1, member port of BAGG2 in

DR group 2

11

FW

Border

Border 2 XGE6/0/2, member port of BAGG2 in

DR group 2

Downlink interfaces:

FW 2 XGE2/0/3, member port of RAGG 2

FW 2 XGE2/0/4, member port of RAGG 2

Uplink interfaces:

FW 1 XGE2/0/5, member port of RAGG 3

FW 1 XGE2/0/6, member port of RAGG 3

Downlink interfaces:

Border 1 XGE6/0/5, member port of BAGG5 in

DR group 5

Border 2 XGE6/0/5, member port of BAGG5 in

DR group 5

Uplink interfaces:

Border 1 XGE6/0/6, member port of BAGG6 in

DR group 6

Border 2 XGE6/0/6, member port of BAGG6 in

DR group 6

Resource plan

Table 6 Resource plan

Resource

DC 1 configuration example

DC 2 configuration example

Device management network

• Subnet: 192.168.11.0/24

• Gateway: 192.168.11.1

• Subnet: 192.168.21.0/24

• Gateway: 192.168.21.1

IP

address

pool

DC interconnection

network

• Name: DC interconnection

network 1

• Subnets: 10.70.1.0/24;

2001::10:70:1:/112

• Default address pool: Not

selected

• Name: DC interconnection

network 2

• Subnets: 10.70.10.0/24;

2001: 10:70:10::/112

• Default address pool: Not

selected

Tenant carrier LB

internal network

• Name: Tenant carrier LB

internal network 1

• 10.50.1.0/24

• 2001::10:50:1:/112

• Name: Tenant carrier LB

internal network 2

• 10.50.10.0/24

• 2001:10:50:10::/112

Tenant carrier FW

internal network

• Name: Tenant carrier FW

internal network 1

• Subnets: 10.60.1.0/24;

2001::10:60:1:/112

• Default address pool: Not

selected

• Name: Tenant carrier FW

internal network 2

• Subnets: 10.60.10.0/24:

2001:10:60:10::/112

• Default address pool: Not

selected

Virtual

management

network

• Name: Virtual management

network 1

• Subnets: 192.168.10.0/24

• Gateway address:

192.168.10.1

• Default address pool: Not

selected

• Name: Virtual management

network 2

• Subnets: 192.168.100.0/24

• Gateway address:

192.168.100.1

• Default address pool: Not

selected

VLAN

pool

Tenant carrier

network

• Name: Tenant carrier VLAN 1

• VLAN range: 500 - 999

• Default VLAN pool: Not

selected

• Name: Tenant carrier VLAN 2

• VLAN range: 500 - 999

• Default VLAN pool: Not

selected

Overlay

resources

Fabric

• Name: Fabric 1

• AS number: 100

• Name: Fabric 2

• AS number: 1000

12

Resource

DC 1 configuration example

DC 2 configuration example

VDS

• Name: VDS 1

• Carrier fabric: Fabric 1

• VXLAN ID range: 1-

16777215

• Name: VDS 1

• Carrier fabric: Fabric 2

• VXLAN ID range: 1-

16777215

vRouter

• Layer 2 interconnect:

router2801

• Layer 3 interconnect:

router2802

• Layer 3 interconnect (with

firewall traversal): router2803

• Layer 2 interconnect:

router2804

• Layer 3 interconnect:

router2805

• Layer 3 interconnect (with

firewall traversal): router2806

Subnet:

• Layer 2 interconnect:

11.28.1.0/24;

2001:11:28:1::/64

• Layer 3 interconnect:

11.28.2.0/24:

2001:11:28:2::/64

• Layer 3 interconnect (with

firewall traversal):

11.28.3.0/24;

2001:11:28:3::/64

• Layer 2 interconnect:

11.28.1.0/24;

2001:11:28:1::/64

• Layer 3 interconnect:

11.28.3.0/24:

2001:11:28:3::/64

• Layer 4 interconnect (with

firewall traversal):

11.28.4.0/24;

2001:11:28:3::/64

13

Procedure

Configure underlay network basic settings

Incorporate switching devices

Configure and incorporate switching devices in the network. For details, see IMC Orchestrator 6.2

Underlay Network Configuration Guide.

Underlay network basic configurations of EDs are the same as border devices.

Pre-configure DCI

Interconnection is required between the loopback interfaces that are used to establish BGP

neighbors between EDs of two DCs and between the DRNI virtual addresses. Static or dynamic

routing can be configured according to networking requirements to achieve interconnection. OSPF

is used as an example. The following steps are performed manually.

Pre-configure route reduction

Reserve an interface for route reduction. The interface is not required to be up.

[ED1] system-view

[ED1] service-loopback group 5 type inter-vpn-fwd

[ED1] interface Twenty-FiveGigE1/0/44

[ED1-Twenty-FiveGigE1/0/44] port link-mode bridge

[ED1-Twenty-FiveGigE1/0/44] port service-loopback group 5

Pre-configure DCI for dedicated ED devices

ED 1 of DC 1 is used as an example.

• Configure OSPF.

[ED1] ospf 1

[ED1-ospf-1] non-stop-routing

[ED1-ospf-1] area 0.0.0.0

[ED1-ospf-1] quit

• Configure the interfaces that connect DCI switch to the ED to enable Layer 3 interconnection

between the local and remote VTEPs.

[ED1] interface Ten-GigabitEthernet1/0/17

[ED1-Ten-GigabitEthernet1/0/17] port link-mode route

[ED1-Ten-GigabitEthernet1/0/17] ip address 12.1.1.1 255.255.255.252

[ED1-Ten-GigabitEthernet1/0/17] ospf network-type p2p

[ED1-Ten-GigabitEthernet1/0/17] ospf 1 area 0.0.0.0

[ED1-Ten-GigabitEthernet1/0/17] quit

• Configure BGP:

The command descriptions are as follows:

 peer ebgp as-number: 1000, AS number of remote DC.

 peer 10.1.2.10 group ebgp: 10.1.2.10 is the VTEP IP address of ED 1 (DC 2) (real

IP address of the device as a DR member device).

 peer 10.1.2.11 group ebgp: 10.1.2.11 is the VTEP IP address of ED 2 (DC 2) (real

IP address of the device as a DR member device).

 peer ebgp route-policy SDN_POLICY_DCI_L3CONNECT export: the

SDN_POLICY_DCI_L3CONNECT name is fixed and when the Layer 3 DC

interconnection is created, the controller issues the route policy. Verify the configuration by

14

executing the display current-configuration configuration route-policy

command on the device.

 peer{ group-name } re-originated [ imet | mac-ip ] replace-rt:

Regenerate the EVPN route.

[ED1] bgp 100

[ED1-bgp-default] group ebgp external

[ED1-bgp-default] peer ebgp as-number 1000

[ED1-bgp-default] peer ebgp connect-interface LoopBack0

[ED1-bgp-default] peer ebgpebgp-max-hop 64

[ED1-bgp-default] peer 10.1.2.10 group ebgp

[ED1-bgp-default] peer 10.1.2.11 group ebgp

[ED1-bgp-default] address-family l2vpn evpn

[ED1-bgp-default-evpn] peer ebgp enable

[ED1-bgp-default-evpn] peer ebgp route-policy SDN_POLICY_DCI_L3CONNECT export

[ED1-bgp-default-evpn] peer ebgp router-mac-local dci

[ED1-bgp-default-evpn] peer ebgp re-originated replace-rt

[ED1-bgp-default-evpn] peer ebgp re-originated mac-IP replace-rt

[ED1-bgp-default-evpn] peer ebgp re-originated imet replace-rt

[ED1-bgp-default-evpn] peer ebgp re-originated smet replace-rt

[ED1-bgp-default-evpn] peer ebgp re-originated s-pmsi replace-rt

[ED1-bgp-default-evpn] peer evpn re-originated replace-rt

[ED1-bgp-default-evpn] peer evpn re-originated mac-IP replace-rt

[ED1-bgp-default-evpn] peer evpn re-originated imet replace-rt

[ED1-bgp-default-evpn] peer evpn re-originated smet replace-rt

[ED1-bgp-default-evpn] peer evpn re-originated s-pmsi replace-rt

[ED1-bgp-default-evpn] quit

[ED1-bgp-default] quit

• Configure a route policy:

Execute the route-policy SDN_PREDEF_deny_default command on the ED device to filter

the default routes and prevent loops. This route policy will not be restored by the controller,

and is used when a border device creates a VPN at the creation of overlay Layer 3 DC

interconnect (with firewall traversal).

[ED1] ip prefix-list SDN_PREDEF_default index 10 permit 0.0.0.0 0

[ED1] ipv6 prefix-list SDN_PREDEF_default index 10 permit :: 0

[ED1] route-policy SDN_PREDEF_deny_default deny node 0

[ED1-route-policy-SDN_PREDEF_default-0] if-match ip address prefix-list

SDN_PREDEF_default

[ED1-route-policy-SDN_PREDEF_default-0] if-match ipv6 address prefix-list

SDN_PREDEF_default

[ED1-route-policy-SDN_PREDEF_default-0] quit

[ED1] route-policy SDN_PREDEF_deny_default permit node 1000

Pre-configure DCI on border devices collocated with EDs

The Border 1 device in DC 1 is used as an example.

• Configure OSPF.

[border1] ospf 1

[border1-ospf-1] non-stop-routing

[border1-ospf-1] area 0.0.0.0

[border1-ospf-1] quit

15

• Configure the interconnection interfaces between Border 1 and DCI switch to enable Layer 3

interconnect between the local and remote VTEPs.

[border1] interface Ten-GigabitEthernet1/0/17

[border1-Ten-GigabitEthernet1/0/17] port link-mode route

[border1-Ten-GigabitEthernet1/0/17] ip address 12.1.1.1 255.255.255.252

[border1-Ten-GigabitEthernet1/0/17] ospf network-type p2p

[border1-Ten-GigabitEthernet1/0/17] ospf 1 area 0.0.0.0

[border1-Ten-GigabitEthernet1/0/17] quit

• Configure BGP:

The command descriptions are as follows:

 peer ebgp as-number 1000: 1000, AS number of remote DC.

 peer 10.1.2.8 group ebgp: 10.1.2.8 is the VTEP IP address of Border 1 (DC 2) (real

IP address of the device as a DR member device).

 peer 10.1.2.9 group ebgp: 10.1.2.9 is the VTEP IP address of Border 2 (DC 2) (real IP

address of the device as a DR member device).

 peer ebgp route-policy SDN_POLICY_DCI_L3CONNECT export: The

SDN_POLICY_DCI_L3CONNECT name is fixed and when the Layer 3 DC

interconnection is created, the controller issues the route policy. Verify the configuration by

executing the display current-configuration configuration route-policy

command on the device.

 peer { group-name } re-originated [ imet | mac-ip ] replace-rt:

Regenerate the EVPN route.

[border1] bgp 100

[border1-bgp-default] group ebgp external

[border1-bgp-default] peer ebgp as-number 1000

[border1-bgp-default] peer ebgp connect-interface LoopBack0

[border1-bgp-default] peer ebgpebgp-max-hop 64

[border1-bgp-default] peer 10.1.2.8 group ebgp

[border1-bgp-default] peer 10.1.2.9 group ebgp

[border1-bgp-default] address-family l2vpn evpn

[border1-bgp-default-evpn] nexthopevpn-drni group-address

[border1-bgp-default-evpn] peer ebgp enable

[border1-bgp-default-evpn] peer ebgp route-policy SDN_POLICY_DCI_L3CONNECT export

[border1-bgp-default-evpn] peer ebgp router-mac-local dci

[border1-bgp-default-evpn] peer ebgp re-originated replace-rt

[border1-bgp-default-evpn] peer ebgp re-originated mac-IP replace-r

[border1-bgp-default-evpn] peer ebgp re-originated imet replace-rt

[border1-bgp-default-evpn] peer evpn re-originated replace-rt

[border1-bgp-default-evpn] peer evpn re-originated mac-IP replace-rt

[border1-bgp-default-evpn] peer evpn re-originated imet replace-rt

[border1-bgp-default-evpn] quit

[border1-bgp-default] quit

• Configure a route policy:

Execute the route-policy SDN_PREDEF_deny_default command on the ED device to filter

the default routes to prevent loops. This route policy will not be restored by the controller, and

is used when a border device creates a VPN at the creation of overlay Layer 3 DC

interconnect (with firewall traversal).

[border1] ip prefix-list SDN_PREDEF_default index 10 permit 0.0.0.0 0

[border1] ipv6 prefix-list SDN_PREDEF_default index 10 permit :: 0

16

[border1] route-policy SDN_PREDEF_deny_default deny node 0

[border1-route-policy- DN_PREDEF_deny_default-0] if-match ip address prefix-list

SDN_PREDEF_default

[border1-route-policy-SDN_PREDEF_deny_default-0] if-match ipv6 address prefix-

list SDN_PREDEF_default

[border1-route-policy-SDN_PREDEF_deny_default-0] quit

[border1] route-policy SDN_PREDEF_deny_default permit node 1000

[border1-route-policy-SDN_PREDEF_deny_default-1000] quit

• Assign the links between Border 1 and the firewalls to VLANs.

[border1] interface Bridge-Aggregation1

[border1-Bridge-Aggregation1] port trunk permitvlan 1 500 to 999

[border1-Bridge-Aggregation1] quit

[border1] interface Bridge-Aggregation2

[border1-Bridge-Aggregation2] port trunk permit vlan1 500 to 999

[border1-Bridge-Aggregation2] quit

Pre-configure DCI on spine and border devices collocated with EDs

Spine-Border 1 in DC 1 is used as an example.

• Configure OSPF.

[spine-border1] ospf 1

[spine-border1-ospf-1] non-stop-routing

[spine-border1-ospf-1] area 0.0.0.0

[spine-border1-ospf-1] quit

• Configure the ED connection interfaces

[spine-border1] interface Ten-GigabitEthernet1/0/17

[spine-border1-Ten-GigabitEthernet1/0/17] port link-mode route

[spine-border1-Ten-GigabitEthernet1/0/17] ip address 12.1.1.1 255.255.255.252

[spine-border1-Ten-GigabitEthernet1/0/17] ospf network-type p2p

[spine-border1-Ten-GigabitEthernet1/0/17] ospf 1 area 0.0.0.0

[spine-border1-Ten-GigabitEthernet1/0/17] quit

• Configure BGP:

The command descriptions are as follows:

 peer ebgp as-number 1000: 1000, AS number of remote DC.

 peer 10.1.2.2 group ebgp: 10.1.2.2 is the VTEP IP address of Spine-Border 1 (DC

2) (real IP address of the device as a DR member device).

 peer 10.1.2.3 group ebgp: 10.1.2.3 is the VTEP IP address of Spine-Border 2 (DC

2) (real IP address of the device as a DR member device).

 peer ebgp route-policy SDN_POLICY_DCI_L3CONNECT export: The

SDN_POLICY_DCI_L3CONNECT name is fixed and when the Layer 3 DC interconnection

is created, the controller issues the route policy. Verify the configuration by executing the

display current-configuration configuration route-policy command on

the device.

 peer { group-name } re-originated [ imet | mac-ip ] replace-rt:

Regenerate the EVPN route.

 peer evpn advertise original-route: This command is required in spine and

border devices collocated with EDs.

[spine-border1] bgp 100

[spine-border1-bgp-default] groupebgp external

[spine-border1-bgp-default] peerebgp as-number 1000

17

[spine-border1-bgp-default] peerebgp connect-interface LoopBack0

[spine-border1-bgp-default] peerebgpebgp-max-hop 64

[spine-border1-bgp-default] peer 10.1.2.2 group ebgp

[spine-border1-bgp-default] peer 10.1.2.3 group ebgp

[spine-border1-bgp-default] address-family l2vpn evpn

[spine-border1-bgp-default-evpn] peer ebgp enable

[spine-border1-bgp-default-evpn] peer ebgp route-policy SDN_POLICY_DCI_L3CONNECT

export

[spine-border1-bgp-default-evpn] peer ebgp router-mac-local dci

[spine-border1-bgp-default-evpn] peer ebgp re-originated replace-rt

[spine-border1-bgp-default-evpn] peer ebgp re-originated mac-IP replace-r

[spine-border1-bgp-default-evpn] peer ebgp re-originated imet replace-rt

[spine-border1-bgp-default-evpn] peer evpn re-originated replace-rt

[spine-border1-bgp-default-evpn] peer evpn re-originated mac-IP replace-rt

[spine-border1-bgp-default-evpn] peer evpn re-originated imet replace-rt

[spine-border1-bgp-default-evpn] peer evpn advertise original-route

[spine-border1-bgp-default-evpn] quit

[spine-border1-bgp-default] quit

• Configure a route policy:

Execute the route-policy SDN_PREDEF_deny_default command on the ED device to filter

the default routes to prevent loops. This route policy will not be restored by the controller, and

is used when a border device creates a VPN at the creation of overlay Layer 3 DC

interconnect (with firewall traversal).

[spine-border1] ip prefix-list SDN_PREDEF_default index 10 permit 0.0.0.0 0

[spine-border1] ipv6 prefix-list SDN_PREDEF_default index 10 permit :: 0

[spine-border1] route-policy SDN_PREDEF_deny_default deny node 0

[spine-border1-SDN_PREDEF_deny_default-0] if-match ip address prefix-list

SDN_PREDEF_default

[spine-border1-SDN_PREDEF_deny_default-0] if-match ipv6 address prefix-list

SDN_PREDEF_default

[spine-border1-SDN_PREDEF_deny_default-0] quit

[spine-border1] route-policy SDN_PREDEF_deny_default permit node 1000

[spine-border1-SDN_PREDEF_deny_default-1000] quit

• Assign the links between Spine-Border 1 and the firewalls to VLANs.

[spine-border1] interface Bridge-Aggregation1

[spine-border1-Bridge-Aggregation1] port trunk permitvlan 1 500 to 999

[spine-border1-Bridge-Aggregation1] quit

[spine-border1] interface Bridge-Aggregation2

[spine-border1-Bridge-Aggregation2] port trunk permit vlan1 500 to 999

[spine-border1-Bridge-Aggregation2] quit

Configure basic security service resource settings

Configure basic security service resources as described in the service gateway chapter of IMC

Orchestrator 6.2 Security Service Resources Configuration Guide.

Complete the following configurations for DC 1:

• Configure IP address pools. In this scenario, four IP address pools need to be configured: The

DC interconnection network, the tenant carrier LB internal network, the tenant carrier FW

18

internal network, and the virtual management network. For the address pool planning, see 错

误!未找到引用源。.

• Configure the VLAN pool. In this scenario, you need to configure the tenant carrier network

VLAN pool. For the VLAN pool planning, see 错误!未找到引用源。.

• Configure and incorporate the security devices in the network and complete the creation of

L4-L7 resource pools and templates.

• Create the tenant publictenant1. Assign service resources pubfwcontext1 and publbcontext1

to the tenant publictenant1.

Complete the following configurations for DC 2:

• Configure IP address pools. In this scenario, four IP address pools need to be configured: The

DC interconnection network, the tenant carrier LB internal network, the tenant carrier FW

internal network, and the virtual management network. For the address pool planning, see 错

误!未找到引用源。.

• Configure the VLAN pool. In this scenario, you need to configure the tenant carrier network

VLAN pool. For the VLAN pool planning, see 错误!未找到引用源。.

• Configure and incorporate the security devices in the network and complete the creation of

L4-L7 resource pools and templates.

• Create the tenant publictenant2. Assign service resources pubfwcontext2 and publbcontext2

to the tenant publictenant2.

Pre-configure basic multicast settings

Pre-configure the EDs

[ED1] interface Ten-GigabitEthernet 1/0/17

[ED1-Ten-GigabitEthernet 1/0/17] pim sm

[ED2] interface Ten-GigabitEthernet 1/0/17

[ED2-Ten-GigabitEthernet 1/0/17] pim sm

Pre-configure the spine devices

[spine] multicast routing

Configure controller basic settings

This section only introduces the configuration procedures of basic settings. For specific configuration

data, see "Configure controller basic settings" in the chapter of each scenario.

Log in to the controller

After the controller is deployed, the corresponding menu will be loaded in IMC PLAT. You can use

the controller functions after logging in to IMC PLAT.

To log in to IMC PLAT:

Enter the login address to IMC PLAT (default login address:

http://ucenter_ip_address:30000/central/index.html) in the browser. Press Enter to open the login

page as shown in Figure 10.

Ucenter_ip_address: North-bound service virtual IP address of the Installer cluster where IMC PLAT

locates.

In the login address, 30000 is the port number.

Page is loading ...

Aruba JL851AAE Configuration Guide

This manual is also suitable for

Aruba JL851AAE Configuration Guide

Related papers

Other documents