
Web: Example for Configuring Communication Between Different Network Segments Through VXLAN Tunnels

The VXLAN feature is often used together with the hot standby, virtual system, and NAT features in a data center.

Networking Requirements

As shown in Figure 1, an enterprise has Host1 and Host2 deployed at different locations in the data center, and the FW serves as the Layer 3 VXLAN gateway of the data center. The enterprise wants Host1 and Host2 to communicate with each other through VXLAN tunnels.

Figure 1 Networking for configuring communication between different network segments through VXLAN tunnels

Configuration Roadmap

  1. Configure BDs and BDIF interfaces.

    The FW serves as a Layer 3 VXLAN gateway and needs VXLAN tunnels to both Switch1 and Switch2. Therefore, two BDs and two BDIF interfaces must be created.

  2. Configure the NVE tunnel interface.

    The FW needs to use only one NVE interface to establish VXLAN tunnels with both Switch1 and Switch2.

Procedure

  1. Complete basic network configurations on the FW.
    1. Choose Network > Interface and set the IP addresses and security zones of GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2.

    2. Choose Network > Route > OSPF and configure OSPF.

      1. Click Add, set the following parameters, and click OK.

        Type: OSPF v2
        Process ID: 1

      2. Click Advanced, then Area Settings, and then Add. Set the following parameters and click OK. Repeat this step to add a second entry with IP Network set to 2.2.2.2.

        Area: 0
        IP Network: 1.1.1.2
        Mask/Wildcard Mask: 0.0.0.255
        Authentication Mode: NONE

      3. Click Route Import and then Add, set the following parameter, and click OK.

        Route Type: Direct

  2. Configure a VXLAN tunnel.
    1. Choose Network > Interface and create a local loopback interface with IP address 172.1.3.1/24.
    2. Choose Network > VXLAN.
    3. Click Enable corresponding to VXLAN and VXLAN Monitoring, set Source IP Address to the local loopback address created in the preceding step, and click Apply.

    4. Click Add to configure VXLAN tunnel information.

  3. Create two BDIF interfaces.

    The BD is automatically created when you configure the VXLAN tunnel.

    1. Choose Network > Interface and click Add to create a BDIF interface.

    2. Click OK.
    3. Repeat the preceding steps to create the BDIF20 interface.

  4. Configure a security policy on the FW to allow VXLAN packets through.
    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add and set the parameters of the security policy for the Local -> Untrust interzone as follows.

      Name: policy_vxlan
      Source Zone: local,untrust
      Destination Zone: local,untrust
      Source Address/Region: 172.1.0.0/16
      Action: Permit

    3. Click OK.
  5. Configure Switch1 and Switch2. For details, see the switch product documentation.

    • Configure OSPF on the switches to advertise routes.
    • Configure tunnel information of Layer 2 VXLAN gateways.

Verification

  1. Run the display vxlan tunnel command on the FW to confirm that the VXLAN tunnels have been established.
  2. Host1 can properly access Host2.

Configuration Scripts

#
sysname FW
#
bridge-domain 1
 vxlan vni 10
#
bridge-domain 2
 vxlan vni 20
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.2 24
#
interface GigabitEthernet 0/0/2
 ip address 2.2.2.2 24
#
interface LoopBack1
 ip address 172.1.3.1 255.255.255.255
#
interface Vbdif1
 ip address 10.1.1.2 255.255.255.0
#
interface Vbdif2
 ip address 20.1.1.2 255.255.255.0
#
interface Nve1
 source 172.1.3.1
 vxlan statistic enable
 vni 10 head-end peer-list 172.1.1.1
 vni 20 head-end peer-list 172.1.2.1
#
firewall zone trust
 set priority 85
 add interface Vbdif1
 add interface Vbdif2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
 add interface GigabitEthernet 0/0/2
#
ospf 1
 area 0.0.0.0
  network 172.1.3.1 0.0.0.0
  network 1.1.1.0 0.0.0.255
  network 2.2.2.0 0.0.0.255
#
security-policy
 rule name vxlan
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 172.1.0.0 mask 255.255.0.0
  service vxlan
  action permit
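The security policy in step 4 and the script above only work when they agree with each other: every bridge domain's VNI needs a head-end peer under the NVE interface, the NVE source must be the loopback address, and the security policy must permit the vxlan service in both directions between the local zone and the untrust peers (the page's rule lists both zones on both sides for that reason). The Python script below is an added example written for this page, not Huawei's code or a Huawei tool: it parses a VRP-style script in the shape shown above and reports any of those mismatches. The sample configuration it carries is a constructed, trimmed copy of the FW script; the function names and the check list are this example's own, and it recognises only the statement forms that appear on this page.

```python
# Added example (not Huawei's code): audit a VRP-style VXLAN gateway script for
# internal consistency. Only the statement shapes shown on this page are parsed.
import ipaddress
import re

# Constructed sample: the page's FW script trimmed to the VXLAN-relevant blocks.
SAMPLE_CONFIG = """\
bridge-domain 1
 vxlan vni 10
#
bridge-domain 2
 vxlan vni 20
#
interface LoopBack1
 ip address 172.1.3.1 255.255.255.255
#
interface Nve1
 source 172.1.3.1
 vni 10 head-end peer-list 172.1.1.1
 vni 20 head-end peer-list 172.1.2.1
#
security-policy
 rule name vxlan
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 172.1.0.0 mask 255.255.0.0
  service vxlan
  action permit
"""

def parse_blocks(text):
    """Split the script into (header, [statements]) blocks; nesting is flattened."""
    blocks, current = [], None
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():   # '#' separates blocks
            current = None
        elif not raw.startswith(" "):                 # unindented line = new header
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return blocks

def rule_permits(rule, src_zone, dst_zone, src_ip):
    """True if the rule permits VXLAN from src_ip in src_zone to dst_zone."""
    ok = (rule["action"] == "permit" and "vxlan" in rule["service"]
          and src_zone in rule["src_zone"] and dst_zone in rule["dst_zone"])
    # A rule with no source-address statement matches any source address.
    return ok and (not rule["src_addr"] or any(
        ipaddress.ip_address(src_ip) in net for net in rule["src_addr"]))

def audit_vxlan_config(text):
    """Return a list of findings; an empty list means the script is consistent."""
    bd_vnis, peers, loopbacks, rules, nve_src = {}, {}, set(), [], None
    for header, stmts in parse_blocks(text):
        kind, *rest = header.split()
        for s in stmts:
            if kind == "bridge-domain" and (m := re.match(r"vxlan vni (\d+)$", s)):
                bd_vnis[rest[0]] = int(m[1])
            elif kind == "interface" and rest[0].startswith("LoopBack") \
                    and (m := re.match(r"ip address (\S+) ", s)):
                loopbacks.add(m[1])
            elif kind == "interface" and (m := re.match(r"source (\S+)$", s)):
                nve_src = m[1]                        # NVE tunnel source (local VTEP)
            elif kind == "interface" and (m := re.match(r"vni (\d+) head-end peer-list (.+)$", s)):
                peers.setdefault(int(m[1]), []).extend(m[2].split())
            elif kind == "security-policy":
                if s.startswith("rule name "):        # statements below belong to this rule
                    rules.append({"src_zone": set(), "dst_zone": set(), "src_addr": [],
                                  "service": set(), "action": None})
                elif not rules:
                    continue
                elif m := re.match(r"(source|destination)-zone (\S+)$", s):
                    rules[-1]["src_zone" if m[1] == "source" else "dst_zone"].add(m[2])
                elif m := re.match(r"source-address (\S+) mask (\S+)$", s):
                    rules[-1]["src_addr"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
                elif m := re.match(r"service (\S+)$", s):
                    rules[-1]["service"].add(m[1])
                elif m := re.match(r"action (\S+)$", s):
                    rules[-1]["action"] = m[1]

    findings = []
    for bd, vni in bd_vnis.items():
        if vni not in peers:
            findings.append(f"bridge-domain {bd}: vni {vni} has no head-end peer on the NVE interface")
    if nve_src not in loopbacks:
        findings.append(f"NVE source {nve_src} is not a LoopBack interface address")
    elif not any(rule_permits(r, "local", "untrust", nve_src) for r in rules):
        findings.append(f"no rule permits VXLAN from local ({nve_src}) to untrust")
    for peer in sorted(p for plist in peers.values() for p in plist):
        if not any(rule_permits(r, "untrust", "local", peer) for r in rules):
            findings.append(f"no rule permits VXLAN from untrust peer {peer} to local")
    return findings

if __name__ == "__main__":
    print(audit_vxlan_config(SAMPLE_CONFIG) or "no findings")
```

Run against the sample, the audit returns no findings. Deleting the vni 20 peer line, narrowing the source-address to 172.1.3.0/24, or changing the action to deny each produces a specific finding, which is the kind of drift (a peer added to the NVE interface without widening the policy, or a policy tightened without checking the tunnel endpoints) that silently breaks the tunnel or, worse, leaves VXLAN permitted from addresses the design never intended.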
Copyright © Huawei Technologies Co., Ltd.