Table of Contents

Related Documents

09-M-LAG+EVPN Distributed Gateway (OSPF on Underlay Network)+DHCP Relay+Microsegmentation+Service Chain Configuration Example

Title	Size	Download
09-M-LAG+EVPN Distributed Gateway (OSPF on Underlay Network)+DHCP Relay+Microsegmentation+Service Chain Configuration Example	935.68 KB

Configuring M-LAG, EVPN distributed gateway (OSPF on the underlay network), DHCP relay, microsegmentation, and service chain

Network configuration

As shown in Figure 1:

· Deploy M-LAG systems at the leaf tier on a leaf-spine network to provide node redundancy.

· Place EVPN gateways at the leaf tier. Configure the members in each M-LAG system to provide distributed EVPN gateway services.

· Use DHCP for dynamic assignment of IP addresses. This example deploys DHCP clients in a different VXLAN than the DHCP server.

· For the DHCP clients to obtain IP services from the DHCP server, configure DHCP relay between them.

The following information describes the deployment in detail:

· At the leaf tier, set up M-LAG systems A, B, and C.

¡ M-LAG system A—Contains nodes Leaf 1 and Leaf 2.

¡ M-LAG system B—Contains nodes Leaf 3 and Leaf 4.

¡ M-LAG system C—Contains nodes Leaf 5 and Leaf 6.

· Leaf 1 and Leaf 2 act as service leaf nodes and connect to the firewall devices.

¡ Configure two M-LAG interfaces on each of the two nodes. On each node, connect one M-LAG interface to firewall EW for east-west protection and connect the other to firewall NS for north-south protection.

¡ All east-west flows (traffic between servers on the internal network) except for DHCP messages must be forwarded to firewall EW before they can reach their destination.

¡ All north-south flows (traffic from the internal network to the external network) must be forwarded to firewall NS before they can reach their destination.

¡ Use VXLANs 10999 and 11000 to accommodate traffic sent towards and received from firewall EW, respectively. Use VXLANs 10997 and 10998 to accommodate traffic sent towards and received from firewall NS, respectively.

· M-LAG system B (Leaf 3 and Leaf 4) and M-LAG system C (Leaf 5 and Leaf 6) connect to the servers. The physical server that hosts the DHCP clients (VMs) is singled homed to node Leaf 3. The physical device that hosts the DHCP server (a VM) is single homed to node Leaf 5.

· The DHCP clients belong to VXLAN 13313 and the DHCP server belongs to VXLAN 13342. Place EVPN distributed gateways at the leaf tier to provide Layer 3 connectivity between the DHCP clients and server. Configure the M-LAG systems at the leaf tier to provide DHCP relay services between the DHCP clients and server.

· At the border tier, set up an M-LAG system with Border 1 and Border 2, and use M-LAG interfaces to connect the M-LAG system to external devices and downstream Spine A and Spine B.

· Deploy nodes Spine A and Spine B as route reflectors (RRs) to reflect routes between the leaf nodes and forward underlay traffic.

· Run OSPF on the underlay network to establish L3 connectivity between the devices.

· Deploy service chains to direct service traffic to the firewalls for filtering and protection.

· Configure the following VPN instances:

¡ Assign VPN ZHTESTCTVRF to accommodate all business services.

¡ Assign VPN ZHTESTCTFWEW01VRF to accommodate EW firewall services.

¡ Assign VPN ZHTESTCTFWNS01VRF to accommodate NS firewall services.

· Deploy both IPv4 and IPv6 services. IPv6 traffic is forwarded through IPv6 over IPv4 tunnels.

Configure ACs for the servers to access the leaf devices, and configure the leaf devices to assign VMs to microsegments based on the IP address. Configure microsegmentation as follows:

· Assign the business subnets to microsegment EPG 10001.

· Assign the subnet accomodating common servers, such as the FTP server, to microsegment EPG 10002.

· Assign the subnet accomodating the default route to the external network to microsegment EPG 10001.

· Assign the subnet accomodating the DHCP server to microsegment EPG 10001.

· Permit communication between microsegments EPG 10001 and EPG 10001.

· Direct the traffic sent between microsegments EPG 10001 and EPG 10002 to firewall EW.

· Direct the traffic sent between microsegments EPG 10001 and EPG 10003 to firewall NS.

· Direct the traffic sent between microsegments EPG 10001 and EPG 10004 to firewall EW, except for DHCP messages.

· Permit communication between microsegments EPG 10002 and EPG 10002.

· Direct the traffic sent between microsegments EPG 10002 and EPG 10003 to firewall NS.

· Permit communication between microsegments EPG 10002 and EPG 10004.

· Permit communication within microsegment EPG 10004.

Figure 1 Network diagram

Device	Interface	IP address	Description
Spine A	Loopback0	197.32.241.37	None.
	HGE1/0/1	Borrowed from Loopback 0	Connected to Leaf 1.
	HGE1/0/2	Borrowed from Loopback 0	Connected to Leaf 2.
	HGE1/0/3	Borrowed from Loopback 0	Connected to Leaf 3.
	HGE1/0/4	Borrowed from Loopback 0	Connected to Leaf 4.
	HGE1/0/5	Borrowed from Loopback 0	Connected to Leaf 5.
	HGE1/0/6	Borrowed from Loopback 0	Connected to Leaf 6.
	HGE1/0/7	Borrowed from Loopback 0	Connected to Border 1.
	HGE1/0/8	Borrowed from Loopback 0	Connected to Border 2.
Spine B	Loopback0	197.32.241.38	None.
	HGE1/0/1	Borrowed from Loopback 0	Connected to Leaf 1.
	HGE1/0/2	Borrowed from Loopback 0	Connected to Leaf 2.
	HGE1/0/3	Borrowed from Loopback 0	Connected to Leaf 3.
	HGE1/0/4	Borrowed from Loopback 0	Connected to Leaf 4.
	HGE1/0/5	Borrowed from Loopback 0	Connected to Leaf 5.
	HGE1/0/6	Borrowed from Loopback 0	Connected to Leaf 6.
	HGE1/0/7	Borrowed from Loopback 0	Connected to Border 1.
	HGE1/0/8	Borrowed from Loopback 0	Connected to Border 2.
Leaf 1	Loopback0	197.32.241.41	None.
	Loopback2	197.32.241.55	None.
	VSI-interface10997	197.32.224.21	Gateway of VXLAN 10997.
	VSI-interface10998	197.32.224.25	Gateway of VXLAN 10998.
	VSI-interface10999	197.32.224.29	Gateway of VXLAN 10999.
	VSI-interface11000	197.32.224.33	Gateway of VXLAN 11000.
	VSI-interface13313	197.32.13.254	Gateway of VXLAN 13313.
	HGE1/0/25	Borrowed from Loopback 0	Connected to Spine A.
	HGE1/0/26	Borrowed from Loopback 0	Connected to Spine B.
	HGE1/0/31	N/A	Connected to Leaf 2, member port of the peer link.
	Twenty-FiveGigE1/0/54	197.32.241.57	Connected to Leaf 2, member port of the keepalive link.
	HGE1/0/51	N/A	Connected to the EW firewall, member port of M-LAG group member interface Bridge-Aggregation 257.
	HGE1/0/52	N/A	Connected to firewall NS, member port of M-LAG group member interface Bridge-Aggregation 258.
Leaf 2	Loopback0	197.32.241.42	None.
	Loopback2	197.32.241.55	None.
	VSI-interface10997	197.32.224.21	Gateway of VXLAN 10997.
	VSI-interface10998	197.32.224.25	Gateway of VXLAN 10998.
	VSI-interface10999	197.32.224.29	Gateway of VXLAN 10999.
	VSI-interface11000	197.32.224.33	Gateway of VXLAN 11000.
	VSI-interface13313	197.32.13.254	Gateway of VXLAN 13313.
	HGE1/0/25	Borrowed from Loopback 0	Connected to Spine A.
	HGE1/0/26	Borrowed from Loopback 0	Connected to Spine B.
	HGE1/0/31	N/A	Connected to Leaf 1, member port of the peer link.
	Twenty-FiveGigE1/0/54	197.32.241.58	Connected to Leaf 1, member port of the keepalive link.
	HGE1/0/51	N/A	Connected to firewall EW, member port of M-LAG group member interface Bridge-Aggregation 257.
	HGE1/0/52	N/A	Connected to firewall NS, member port of M-LAG group member interface Bridge-Aggregation 258.
Leaf 3	Loopback0	197.32.241.43	None.
	Loopback2	197.32.241.64	None.
	VSI-interface13313	197.32.13.254	Gateway of VXLAN 13313.
	HGE1/0/25	Borrowed from Loopback 0	Connected to Spine A.
	HGE1/0/26	Borrowed from Loopback 0	Connected to Spine B.
	HGE1/0/31	N/A	Connected to Leaf 4, member port of the peer link.
	Twenty-FiveGigE1/0/54	197.32.241.61	Connected to Leaf 4, member port of the keepalive link.
	Twenty-FiveGigE1/0/2	N/A	Connected to DHCP clients.
Leaf 4	Loopback0	197.32.241.44	None.
	Loopback2	197.32.241.64	None.
	VSI-interface13313	197.32.13.254	Gateway of VXLAN 13313.
	HGE1/0/25	Borrowed from Loopback 0	Connected to Spine A.
	HGE1/0/26	Borrowed from Loopback 0	Connected to Spine B.
	HGE1/0/31	N/A	Connected to Leaf 3, member port of the peer link.
	Twenty-FiveGigE1/0/54	197.32.241.62	Connected to Leaf 3, member port of the keepalive link.
Leaf 5	Loopback0	197.32.241.45	None.
	Loopback2	197.32.241.67	None.
	VSI-interface13342	197.32.42.254	Gateway of VXLAN 13342.
	VSI-interface13316	197.32.162.54	Gateway of VXLAN 13316.
	HGE1/0/25	Borrowed from Loopback 0	Connected to Spine A.
	HGE1/0/26	Borrowed from Loopback 0	Connected to Spine B.
	HGE1/0/31	N/A	Connected to Leaf 6, member port of the peer link.
	Twenty-FiveGigE1/0/54	197.32.241.77	Connected to Leaf 6, member port of the keepalive link.
	Twenty-FiveGigE1/0/2	N/A	Connected to the DHCP server.
Leaf 6	Loopback0	197.32.241.46	None.
	Loopback2	197.32.241.67	None.
	VSI-interface13342	197.32.42.254	Gateway of VXLAN 13342.
	VSI-interface13316	197.32.162.54	Gateway of VXLAN 13316.
	HGE1/0/25	Borrowed from Loopback 0	Connected to Spine A.
	HGE1/0/26	Borrowed from Loopback 0	Connected to Spine B.
	HGE1/0/31	N/A	Connected to Leaf 5, member port of the peer link.
	Twenty-FiveGigE1/0/54	197.32.241.78	Connected to Leaf 5, member port of the keepalive link.
Border 1	Loopback0	197.32.241.47	None.
	Loopback2	197.32.241.86	None.
	HGE1/0/25	Borrowed from Loopback 0	Connected to Spine A.
	HGE1/0/26	Borrowed from Loopback 0	Connected to Spine B.
	HGE1/0/31	Borrowed from Loopback 0	Connected to Border 2, member port of the peer link.
	HGE1/0/51	Borrowed from Loopback 0	Connected to L3switch.
	Twenty-FiveGigE1/0/54	197.32.241.93	Connected to Border 2, member port of the keepalive link.
Border 2	Loopback0	197.32.241.48	None.
	Loopback2	197.32.241.86	None.
	HGE1/0/25	Borrowed from Loopback 0	Connected to Spine A.
	HGE1/0/26	Borrowed from Loopback 0	Connected to Spine B.
	HGE1/0/31	Borrowed from Loopback 0	Connected to Border 1, member port of the peer link.
	HGE1/0/51	Borrowed from Loopback 0	Connected to L3switch.
	Twenty-FiveGigE1/0/54	197.32.241.94	Connected to Border 1, member port of the keepalive link.
EW firewall	Vlan-interface999	197.32.224.30	None.
	Vlan-interface1000	197.32.224.34	None.
	HGE2/0/29	N/A	Connected to Leaf 1, member port of M-LAG group member interface Bridge-Aggregation 257.
	HGE2/0/30	N/A	Connected to Leaf 2, member port of M-LAG group member interface Bridge-Aggregation 257.
NS firewall	Vlan-interface997	197.32.224.22	None.
	Vlan-interface998	197.32.224.26	None.
	HGE3/0/29	N/A	Connected to Leaf 1, member port of M-LAG group member interface Bridge-Aggregation 258.
	HGE3/0/30	N/A	Connected to Leaf 2, member port of M-LAG group member interface Bridge-Aggregation 258.
DHCP server	N/A	197.32.42.9	None.

Applicable product matrix

IMPORTANT:

In addition to running an applicable software version, you must also install the most recent patch, if any.

Microsegmentation and service chain are supported only by S6805, S6825, S6850, and S9850 switches. For configuration of other device models, see M-LAG+EVPN Distributed Gateway+DHCP Relay Configuration Example.

Role	Device	Software version
Spine	S12500X-AF	F2809 and higher F28xx or R28xx versions
Spine	S12500G-AF	R7624P12
Border/Leaf	S6800, S6860	F2717 and higher F27xx or R27xx versions Do not use F28xx or R28xx versions.
	S6805, S6825, S6850, S9850 S6850 switches are used in this configuration example.	F6632 and higher F66xx or R66xx versions
	S6890	F2809 and higher F28xx or R28xx versions
	S6812, S6813	Under development. To obtain the latest images, contact Technical Support.
	S9820-64H (EVPN gateway not supported) S9820-8C (EVPN not supported)	Not supported
SDN controller	N/A	E3610P12H02, or contact Technical Support to obtain a higher version

Restrictions and guidelines

· The member devices in an M-LAG system must use the same M-LAG system MAC address. Different M-LAG systems must each have a unique M-LAG system MAC address on the network.

· As a best practice, run a dynamic routing protocol between the spine devices and the external network.

· If leaf devices provide both distributed EVPN gateway and DHCP relay services, you must perform the following steps:

¡ Execute the dhcp relay mac-forward enable command to enable MAC address table lookup for DHCP replies that do not have request forwarding information.

¡ Execute the dhcp relay request-from-tunnel discard command on the VSI interfaces that act as DHCP relay agents to discard the DHCP requests received from VXLAN tunnels. This feature prevents the DHCP server from receiving the same DHCP request from the relay agents on different leaf devices.

Configuring the service leaf nodes (Leaf 1 and Leaf 2)

Procedure summary

· Configuring the device modes

· Configuring the underlay routing protocol

· Configuring L3VPN

· Setting up the M-LAG system and the peer link

· Configuring the firewall-attached M-LAG interfaces on the leaf devices

· Configuring the links towards the spine tier

· Configuring distributed EVPN gateways

· Configuring ACs

Configuring the device modes

For how to configure the device modes, see ADDC solution deployment guides. The mode-related configurations might include the following types:

· Hardware resource mode configuration (for example, the hardware-resource switch-mode command on S6850 switches).

· Support for IPv6 routes with the prefix longer than 64 bits (for example, the hardware-resource routing-mode ipv6-128 command on S6850 switches).

· VXLAN hardware resource mode configuration (for example, the hardware-resource vxlan command on S6850 switches).

Configuring the underlay routing protocol

Leaf 1 (S6850)	Leaf 2 (S6850)	Configuration method	Description
router id 197.32.241.41	router id 197.32.241.42	Manual or controller-based	Configure a router ID.
ospf 65530	ospf 65530	Manual or controller-based	Run OSPF process 65530.
non-stop-routing	non-stop-routing	Manual or controller-based	Enable OSPF NSR.
stub-router include-stub on-startup 900	stub-router include-stub on-startup 900	Manual or controller-based	Specify the cost of the stub links (link type 3) in Router LSAs to the maximum value 65535 to accelerate network convergence.
area 0.0.0.0	area 0.0.0.0	Manual or controller-based	Create OSPF area 0.0.0.0.
interface LoopBack0	interface LoopBack0	Manual or controller-based	Enter the view of Loopback 0.
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on Loopback 0.
quit	quit	Manual or controller-based	Return to system view.
interface LoopBack2	interface LoopBack2	Manual or controller-based	Enter the view of Loopback 2.
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on Loopback 2.

Configuring L3VPN

Leaf 1 (S6850)	Leaf 2 (S6850)	Configuration method	Description
interface LoopBack0	interface LoopBack0	Manual or controller-based	Configure Loopback 0.
ip address 197.32.241.41 255.255.255.255	ip address 197.32.241.42 255.255.255.255	Manual or controller-based	Assign an IP address to Loopback 0.
quit	quit	Manual or controller-based	Return to system view.
interface LoopBack2	interface LoopBack2	Manual or controller-based	Configure Loopback 2.
ip address 197.32.241.55 255.255.255.255	ip address 197.32.241.55 255.255.255.255	Manual or controller-based	Assign an IP address to Loopback 2.
ip vpn-instance auto-online-mlag	ip vpn-instance auto-online-mlag	Manual or controller-based	Configure the VPN instance where the keepalive link belongs.
quit	quit	Manual or controller-based	Return to system view.
ip vpn-instance mgmt	ip vpn-instance mgmt	Manual or controller-based	Configure the VPN instance where the management interface belongs.
quit	quit	Manual or controller-based	Return to system view.
ip vpn-instance ZHTESTCTVRF	ip vpn-instance ZHTESTCTVRF	Manual or controller-based	Configure the service VPN instance where the servers belong. To ensure correct route learning, configure consistent route targets for the service VPN instance on different devices.
route-distinguisher 1:10000	route-distinguisher 2:10000	Manual or controller-based	Configure an RD for the VPN instance.
address-family ipv4	address-family ipv4	Manual or controller-based	Enter VPN instance IPv4 address family view.
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity	vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity	Manual or controller-based	Configure import targets in VPN instance IPv4 address family view.
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity	vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity	Manual or controller-based	Configure export targets in VPN instance IPv4 address family view.
quit	quit	Manual or controller-based	Return to VPN instance view.
address-family ipv6	address-family ipv6	Manual or controller-based	Enter VPN instance IPv6 address family view.
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity	vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity	Manual or controller-based	Configure import targets in VPN instance IPv6 address family view.
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity	vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity	Manual or controller-based	Configure export targets in VPN instance IPv6 address family view.
quit	quit	Manual or controller-based	Return to VPN instance view.
address-family evpn	address-family evpn	Manual or controller-based	Enter VPN instance EVPN address family view.
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity	vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity	Manual or controller-based	Configure import targets in VPN instance EVPN address family view.
vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity	vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity	Manual or controller-based	Configure export targets in VPN instance EVPN address family view.
quit	quit	Manual or controller-based	Return to VPN instance view.
quit	quit	Manual or controller-based	Return to system view.
ip vpn-instance ZHTESTCTFWNS01VRF	ip vpn-instance ZHTESTCTFWNS01VRF	Manual or controller-based	Configure the VPN instance where firewall NS belongs. To ensure correct route learning, configure consistent route targets for the NS firewall VPN instance on different devices.
route-distinguisher 1:10001	route-distinguisher 2:10001	Manual or controller-based	Configure an RD for the VPN instance.
address-family ipv4	address-family ipv4	Manual or controller-based	Enter VPN instance IPv4 address family view.
vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity	vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity	Manual or controller-based	Configure import targets in VPN instance IPv4 address family view.
vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity	vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity	Manual or controller-based	Configure export targets in VPN instance IPv4 address family view.
quit	quit	Manual or controller-based	Return to VPN instance view.
address-family ipv6	address-family ipv6	Manual or controller-based	Enter VPN instance IPv6 address family view.
route-replicate from vpn-instance ZHTESTCTVRF protocol vlink-direct	route-replicate from vpn-instance ZHTESTCTVRF protocol vlink-direct	Manual or controller-based	Redistribute the IPv6 VLINK direct routes of VPN instance ZHTESTCTVRF to the current VPN instance.
vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity	vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity	Manual or controller-based	Configure import targets in VPN instance IPv6 address family view.
vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity	vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity	Manual or controller-based	Configure export targets in VPN instance IPv6 address family view.
quit	quit	Manual or controller-based	Return to VPN instance view.
address-family evpn	address-family evpn	Manual or controller-based	Enter VPN instance EVPN address family view.
vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity	vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity	Manual or controller-based	Configure import targets in VPN instance EVPN address family view.
vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity	vpn-target0:10001 1:10001 0.39.17.0:10000 export-extcommunity	Manual or controller-based	Configure export targets in VPN instance EVPN address family view.
quit	quit	Manual or controller-based	Return to VPN instance view.
quit	quit	Manual or controller-based	Return to system view.
ip vpn-instance ZHTESTCTFWEW01VRF	ip vpn-instance ZHTESTCTFWEW01VRF	Manual or controller-based	Configure the VPN instance where firewall EW belongs. To ensure correct route learning, configure consistent route targets for firewall EW VPN instance on different devices.
route-distinguisher 1:10002	route-distinguisher 2:10002	Manual or controller-based	Configure an RD for the VPN instance.
address-family ipv4	address-family ipv4	Manual or controller-based	Enter VPN instance IPv4 address family view.
vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity	vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity	Manual or controller-based	Configure import targets in VPN instance IPv4 address family view.
vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity	vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity	Manual or controller-based	Configure export targets in VPN instance IPv4 address family view.
quit	quit	Manual or controller-based	Return to VPN instance view.
address-family ipv6	address-family ipv6	Manual or controller-based	Enter VPN instance IPv6 address family view.
route-replicate from vpn-instance ZHTESTCTVRF protocol vlink-direct	route-replicate from vpn-instance ZHTESTCTVRF protocol vlink-direct	Manual or controller-based	Redistribute the IPv6 VLINK direct routes of VPN instance ZHTESTCTVRF to the current VPN instance.
vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity	vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity	Manual or controller-based	Configure import targets in VPN instance IPv6 address family view.
vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity	vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity	Manual or controller-based	Configure export targets in VPN instance IPv6 address family view.
quit	quit	Manual or controller-based	Return to VPN instance view.
address-family evpn	address-family evpn	Manual or controller-based	Enter VPN instance EVPN address family view.
vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity	vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity	Manual or controller-based	Configure import targets in VPN instance EVPN address family view.
vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity	vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity	Manual or controller-based	Configure export targets in VPN instance EVPN address family view.
quit	quit	Manual or controller-based	Return to VPN instance view.
quit	quit	Manual or controller-based	Return to system view.
ip route-static vpn-instance ZHTESTCTFWNS01VRF 0.0.0.0 0 vpn-instance ZHTESTCTVRF 197.32.224.18 description SDN_ROUTE	ip route-static vpn-instance ZHTESTCTFWNS01VRF 0.0.0.0 0 vpn-instance ZHTESTCTVRF 197.32.224.18 description SDN_ROUTE	Manual or controller-based	Direct the traffic matching the IPv4 default route of the NS firewall VPN instance to the external network address configured on the border devices in the user VPN instance. This configuration ensures correct forwarding of south-to-north traffic returned from firewall NS.
ipv6 route-static vpn-instance ZHTESTCTFWNS01VRF :: 0 vpn-instance ZHTESTCTVRF FD00:0:97B0:2::F description SDN_ROUTE	ipv6 route-static vpn-instance ZHTESTCTFWNS01VRF :: 0 vpn-instance ZHTESTCTVRF FD00:0:97B0:2::F description SDN_ROUTE	Manual or controller-based	Direct the traffic matching the IPv6 default route of the NS firewall VPN instance to the external network address configured on the border devices in the user VPN instance. This configuration ensures correct forwarding of south-to-north traffic returned from firewall NS.
quit	quit	Manual or controller-based	Return to system view.

Setting up the M-LAG system and the peer link

Leaf 1 (S6850)	Leaf 2 (S6850)	Configuration method	Description
m-lag system-mac 0c3a-fa36-ef49	m-lag system-mac 0c3a-fa36-ef49	Manual or controller-based	Set the MAC address of the M-LAG system. You must assign the same M-LAG system MAC address to the member devices in an M-LAG system.
m-lag system-number 1	m-lag system-number 2	Manual or controller-based	Set the M-LAG system number. You must assign different M-LAG system numbers to the member devices in an M-LAG system.
m-lag system-priority 10	m-lag system-priority 10	Manual or controller-based	Set the M-LAG system priority. You must set the same M-LAG system priority on the member devices in an M-LAG system.
m-lag keepalive ip destination 197.32.241.58 source 197.32.241.57 vpn-instance auto-online-mlag	m-lag keepalive ip destination 197.32.241.57 source 197.32.241.58 vpn-instance auto-online-mlag	Manual or controller-based	Configure the source and destination IP addresses of keepalive packets. The source and destination IP addresses specified on one member device must be the destination and source IP addresses specified on the other, respectively.
m-lag restore-delay 300	m-lag restore-delay 300	Manual or controller-based	Set the data restoration interval. To avoid packet loss and forwarding failure, increase the data restoration interval if the amount of data is large, for example, when the device has a large number of routes and interfaces.
m-lag mad default-action none	m-lag mad default-action none	Manual or controller-based	Set the M-LAG MAD action to none. When the M-LAG system splits, M-LAG MAD will not shut down any network interfaces, except the interfaces configured manually or by the system to be shut down by M-LAG MAD.
m-lag mad include interface HundredGigE1/0/25 m-lag mad include interface HundredGigE1/0/26 m-lag mad include interface HundredGigE1/0/51 m-lag mad include interface HundredGigE1/0/52	m-lag mad include interface HundredGigE1/0/25 m-lag mad include interface HundredGigE1/0/26 m-lag mad include interface HundredGigE1/0/51 m-lag mad include interface HundredGigE1/0/52	Manual or controller-based	Configure M-LAG MAD to shut down the uplink interfaces and firewall-attached physical interfaces.
interface Twenty-FiveGigE 1/0/54	interface Twenty-FiveGigE 1/0/54	Manual or controller-based	Enter the interface view for the keepalive link.
port link-mode route	port link-mode route	Manual or controller-based	Configure the interface for keepalive detection to operate in route mode as a Layer 3 interface.
ip binding vpn-instance auto-online-mlag	ip binding vpn-instance auto-online-mlag	Manual or controller-based	Associate the interface with VPN instance auto-online-mlag, the VPN instance for M-LAG keepalive detection.
ip address 197.32.241.57 255.255.255.252	ip address 197.32.241.58 255.255.255.252	Manual or controller-based	Assign an IP address to the interface as planned.
quit	quit	Manual or controller-based	Return to system view.
interface bridge-aggregation 256	interface bridge-aggregation 256	Manual or controller-based	Create the Layer 2 aggregate interface to be used as peer-link interface, and enter interface view.
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual or controller-based	Configure the aggregate interface to operate in dynamic mode.
quit	quit	Manual or controller-based	Return to system view.
interface HundredGigE1/0/31	interface HundredGigE1/0/31	Manual or controller-based	Enter the view of the physical port for the peer link.
port link-aggregation group 256	port link-aggregation group 256	Manual or controller-based	Assign the physical port to the aggregation group for the peer link (aggregation group 256).
quit	quit	Manual or controller-based	Return to system view.
interface bridge-aggregation 256	interface bridge-aggregation 256	Manual or controller-based	Enter aggregate interface view.
port m-lag peer-link 1	port m-lag peer-link 1	Manual or controller-based	Specify Bridge-Aggregation 256 as the peer-link interface.
port trunk pvid vlan 4094	port trunk pvid vlan 4094	Manual or controller-based	Set the PVID of the physical port to 4094.
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual or controller-based	Disable the static source check feature on Bridge-Aggregation 256.
quit	quit	Manual or controller-based	Return to system view.
interface Vlan-interface 4094	interface Vlan-interface 4094	Manual or controller-based	Create a VLAN interface on each of the M-LAG member devices to establish Layer 3 connectivity for forwarding packets from devices single-homed to only one M-LAG interface. This example uses VLAN-interface 4094.
ip address 197.32.241.141 255.255.255.0	ip address 197.32.241.142 255.255.255.0	Manual or controller-based	Assign an IP address to VLAN-interface 4094.
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Configure OSPF on VLAN-interface 4094.

Configuring the firewall-attached M-LAG interfaces on the leaf devices

Leaf 1 (S6850)	Leaf 2 (S6850)	Configuration method	Description
interface bridge-aggregation 257	interface bridge-aggregation 257	Manual or controller-based	Create the Layer 2 aggregate interface to be used as the M-LAG interface connected to firewall EW.
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual or controller-based	Configure the aggregate interface to operate in dynamic mode.
port m-lag group 1	port m-lag group 1	Manual or controller-based	Assign the aggregate interface (Bridge-Aggregation 257) to M-LAG group 1.
port link-type trunk	port link-type trunk	Manual or controller-based	Set the link type of M-LAG interface Bridge-Aggregation 257 to trunk.
port trunk permit vlan 1 997 to 1000	port trunk permit vlan 1 997 to 1000	Manual or controller-based	Assign M-LAG interface Bridge-Aggregation 257 to VLANs 997 through 1000.
quit	quit	Manual or controller-based	Return to system view.
interface HundredGigE1/0/51	interface HundredGigE1/0/51	Manual or controller-based	Enter the view of the physical port connected to firewall EW.
port link-type trunk	port link-type trunk	Manual or controller-based	Set the link type of the physical port to trunk.
port trunk permit vlan 1 997 to 1000	port trunk permit vlan 1 997 to 1000	Manual or controller-based	Assign the physical port to VLANs 997 through 1000.
port link-aggregation group 257	port link-aggregation group 257	Manual or controller-based	Assign the physical port to aggregation group 257. This is the aggregation group for the aggregate interface connected to firewall EW.
quit	quit	Manual or controller-based	Return to system view.
interface bridge-aggregation 258	interface bridge-aggregation 258	Manual or controller-based	Create the Layer 2 aggregate interface to be used as the M-LAG interface connected to firewall NS.
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual or controller-based	Configure the aggregate interface to operate in dynamic mode.
port m-lag group 2	port m-lag group 2	Manual or controller-based	Assign the aggregate interface (Bridge-Aggregation 258) to M-LAG group 2.
port link-type trunk	port link-type trunk	Manual or controller-based	Set the link type of M-LAG interface Bridge-Aggregation 258 to trunk.
port trunk permit vlan 1 997 to 1000	port trunk permit vlan 1 997 to 1000	Manual or controller-based	Assign M-LAG interface Bridge-Aggregation 258 to VLANs 997 through 1000.
quit	quit	Manual or controller-based	Return to system view.
interface HundredGigE1/0/52	interface HundredGigE1/0/52	Manual or controller-based	Enter the view of the physical port connected to firewall NS.
port link-type trunk	port link-type trunk	Manual or controller-based	Set the link type of the physical port to trunk.
port trunk permit vlan 1 997 to 1000	port trunk permit vlan 1 997 to 1000	Manual or controller-based	Assign the physical port to VLANs 997 through 1000.
port link-aggregation group 258	port link-aggregation group 258	Manual or controller-based	Assign the physical port to aggregation group 258. This is the aggregation group for the aggregate interface connected to firewall NS.

Configuring the links towards the spine tier

Leaf 1 (S6850)	Leaf 2 (S6850)	Configuration method	Description
interface HundredGigE1/0/25	interface HundredGigE1/0/25	Manual or controller-based	Enter the view of the physical interface connected to Spine A.
port link-mode route	port link-mode route	Manual or controller-based	Configure the interface to operate in route mode as a Layer 3 interface.
ip address unnumbered interface LoopBack0	ip address unnumbered interface LoopBack0	Manual or controller-based	Configure the interface to borrow the IP address of Loopback 0.
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the interface.
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual or controller-based	Disable the static source check feature on the interface.
lldp compliance admin-status cdp txrx	lldp compliance admin-status cdp txrx	Manual or controller-based	Configure CDP-compatible LLDP to operate in TxRx mode. In this mode, LLDP both sends and receives CDP packets.
lldp management-address arp-learning	lldp management-address arp-learning	Manual or controller-based	Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface.
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0	lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0	Manual or controller-based	Specify advertisable TLVs on the interface.
quit	quit	Manual or controller-based	Return to system view.
interface HundredGigE1/0/26	interface HundredGigE1/0/26	Manual or controller-based	Enter the view of the physical interface connected to Spine B.
port link-mode route	port link-mode route	Manual or controller-based	Configure the interface to operate in route mode as a Layer 3 interface.
ip address unnumbered interface LoopBack0	ip address unnumbered interface LoopBack0	Manual or controller-based	Configure the interface to borrow the IP address of Loopback 0.
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the interface.
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual or controller-based	Disable the static source check feature on the interface.
lldp compliance admin-status cdp txrx	lldp compliance admin-status cdp txrx	Manual or controller-based	Configure CDP-compatible LLDP to operate in TxRx mode. In this mode, LLDP both sends and receives CDP packets.
lldp management-address arp-learning	lldp management-address arp-learning	Manual or controller-based	Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface.
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0	lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0	Manual or controller-based	Specify advertisable TLVs on the interface.

Configuring distributed EVPN gateways

Leaf 1 (S6850)	Leaf 2 (S6850)	Configuration method	Description
l2vpn enable	l2vpn enable	Manual or controller-based	Enable L2VPN.
l2vpn m-lag peer-link ac-match-rule vxlan-mapping	l2vpn m-lag peer-link ac-match-rule vxlan-mapping	Manual or controller-based	Enable the device to create frame match criteria based on VXLAN IDs for the dynamic ACs on the peer link. Perform this task when the M-LAG system uses a direct physical link as the peer link.
vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable	vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable	Manual or controller-based	Disable remote ARP learning. This setting avoids the conflict between automatically learned ARP entries and ARP entries advertised through BGP EVPN.
vxlan tunnel mac-learning disable	vxlan tunnel mac-learning disable	Manual or controller-based	Disable remote MAC address learning. This setting avoids the conflict between automatically learned MAC address entries and MAC address entries advertised through BGP EVPN.
vxlan default-decapsulation source interface LoopBack0	vxlan default-decapsulation source interface LoopBack0	Manual or controller-based	Enable the device to always decapsulate the VXLAN packets destined for the IP address of Loopback 0, whether or not it has a VXLAN tunnel for them.
vlan all	vlan all	Manual or controller-based	Create VLANs 1 through 4094.
evpn m-lag group 197.32.241.55	evpn m-lag group 197.32.241.55	Manual or controller-based	Enable EVPN M-LAG and set the virtual VTEP address.
evpn m-lag local 197.32.241.41 remote 197.32.241.42	evpn m-lag local 197.32.241.42 remote 197.32.241.41	Manual or controller-based	Specify the IP addresses of the local and peer VTEPs in the M-LAG system. This step is required if the M-LAG system uses a direct physical link as the peer link and has ACs attached to only one of the member devices.
evpn global-mac 0c3a-fa38-4695	evpn global-mac 0c3a-fa38-4695	Manual or controller-based	Configure an EVPN global MAC address.
interface Vsi-interface10997	interface Vsi-interface10997	Manual or controller-based	Create the VSI interface to be used as a distributed EVPN gateway member for routing traffic to firewall NS.
ip binding vpn-instance ZHTESTCTFWNS01VRF	ip binding vpn-instance ZHTESTCTFWNS01VRF	Manual or controller-based	Associate the VSI interface with the VPN instance for firewall NS.
ip address 197.32.224.21 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:100::/64 no-advertise ipv6 address FD00:0:97B0:100::1/64	ip address 197.32.224.21 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:100::/64 no-advertise ipv6 address FD00:0:97B0:100::1/64	Manual or controller-based	Assign an IP address to the VSI interface. You must assign the same IP address to all members of the distributed EVPN gateway for a VXLAN on different devices.
mac-address 6805-ca21-d6e5	mac-address 6805-ca21-d6e5	Manual or controller-based	Assign a MAC address to the distributed EVPN gateway. You must assign the same MAC address to all members of the distributed EVPN gateway for a VXLAN on different devices.
arp route-direct advertise	arp route-direct advertise	Manual or controller-based	Enable ARP direct route advertisement.
distributed-gateway local	distributed-gateway local	Manual or controller-based	Enable distributed gateway service on the VSI interface.
quit	quit	Manual or controller-based	Return to system view.
interface Vsi-interface10998	interface Vsi-interface10998	Manual or controller-based	Create the VSI interface to be used as a distributed EVPN gateway member for receiving traffic returned from firewall NS.
ip binding vpn-instance ZHTESTCTFWNS01VRF	ip binding vpn-instance ZHTESTCTFWNS01VRF	Manual or controller-based	Associate the VSI interface with the VPN instance for firewall NS.
ip address 197.32.224.25 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:101::/64 no-advertise ipv6 address FD00:0:97B0:101::1/64	ip address 197.32.224.25 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:101::/64 no-advertise ipv6 address FD00:0:97B0:101::1/64	Manual or controller-based	Assign an IP address to the VSI interface. You must assign the same IP address to all members of the distributed EVPN gateway for a VXLAN on different devices.
mac-address 6805-ca21-d6e5	mac-address 6805-ca21-d6e5	Manual or controller-based	Assign a MAC address to the distributed EVPN gateway. You must assign the same MAC address to all members of the distributed EVPN gateway for a VXLAN on different devices.
arp route-direct advertise	arp route-direct advertise	Manual or controller-based	Enable ARP direct route advertisement.
distributed-gateway local	distributed-gateway local	Manual or controller-based	Enable distributed gateway service on the VSI interface.
quit	quit	Manual or controller-based	Return to system view.
interface Vsi-interface10999	interface Vsi-interface10999	Manual or controller-based	Create the VSI interface to be used as a distributed EVPN gateway member for routing traffic to firewall EW.
ip binding vpn-instance ZHTESTCTFWEW01VRF	ip binding vpn-instance ZHTESTCTFWEW01VRF	Manual or controller-based	Associate the VSI interface with the VPN instance for firewall EW.
ip address 197.32.224.29 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:102::/64 no-advertise ipv6 address FD00:0:97B0:102::1/64	ip address 197.32.224.29 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:102::/64 no-advertise ipv6 address FD00:0:97B0:102::1/64	Manual or controller-based	Assign an IP address to the VSI interface. You must assign the same IP address to all members of the distributed EVPN gateway for a VXLAN on different devices.
mac-address 6805-ca21-d6e5	mac-address 6805-ca21-d6e5	Manual or controller-based	Assign a MAC address to the distributed EVPN gateway. You must assign the same MAC address to all members of the distributed EVPN gateway for a VXLAN on different devices.
arp route-direct advertise	arp route-direct advertise	Manual or controller-based	Enable ARP direct route advertisement.
distributed-gateway local	distributed-gateway local	Manual or controller-based	Enable distributed gateway service on the VSI interface.
quit	quit	Manual or controller-based	Return to system view.
interface Vsi-interface11000	interface Vsi-interface11000	Manual or controller-based	Create the VSI interface to be used as a distributed EVPN gateway member for receiving traffic returned from firewall EW.
ip binding vpn-instance ZHTESTCTFWEW01VRF	ip binding vpn-instance ZHTESTCTFWEW01VRF	Manual or controller-based	Associate the VSI interface with the VPN instance for firewall EW.
ip address 197.32.224.33 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:103::/64 no-advertise ipv6 address FD00:0:97B0:103::1/64	ip address 197.32.224.33 255.255.255.252 sub ipv6 nd ra prefix FD00:0:97B0:103::/64 no-advertise ipv6 address FD00:0:97B0:103::1/64	Manual or controller-based	Assign an IP address to the VSI interface. You must assign the same IP address to all members of the distributed EVPN gateway for a VXLAN on different devices.
mac-address 6805-ca21-d6e5	mac-address 6805-ca21-d6e5	Manual or controller-based	Assign a MAC address to the distributed EVPN gateway. You must assign the same MAC address to all members of the distributed EVPN gateway for a VXLAN on different devices.
arp route-direct advertise	arp route-direct advertise	Manual or controller-based	Enable ARP direct route advertisement.
distributed-gateway local	distributed-gateway local	Manual or controller-based	Enable distributed gateway service on the VSI interface.
quit	quit	Manual or controller-based	Return to system view.
vsi SDN_VSI_10997	vsi SDN_VSI_10997	Manual or controller-based	Create the VSI for sending traffic to firewall NS.
gateway vsi-interface 10997	gateway vsi-interface 10997	Manual or controller-based	Specify a gateway interface for the VSI.
arp suppression enable ipv6 nd suppression enable	arp suppression enable ipv6 nd suppression enable	Manual or controller-based	Enable ARP flood suppression and ND flood suppression.
vxlan 10997	vxlan 10997	Manual or controller-based	Create VXLAN 10997.
quit	quit	Manual or controller-based	Return to VSI view.
evpn encapsulation vxlan	evpn encapsulation vxlan	Manual or controller-based	Create a VXLAN EVPN instance on the VSI.
route-distinguisher auto	route-distinguisher auto	Manual or controller-based	Configure the device to automatically generate an RD for the EVPN instance.
vpn-target auto export-extcommunity	vpn-target auto export-extcommunity	Manual or controller-based	Configure the device to automatically generate an export RT for the EVPN instance.
vpn-target auto import-extcommunity	vpn-target auto import-extcommunity	Manual or controller-based	Configure the device to automatically generate an import RT for the EVPN instance.
quit quit	quit quit	Manual or controller-based	Return to system view.
vsi SDN_VSI_10998	vsi SDN_VSI_10998	Manual or controller-based	Create the VSI for receiving traffic from firewall NS.
gateway vsi-interface 10998	gateway vsi-interface 10998	Manual or controller-based	Specify a gateway interface for the VSI.
arp suppression enable ipv6 nd suppression enable	arp suppression enable ipv6 nd suppression enable	Manual or controller-based	Enable ARP flood suppression and ND flood suppression.
vxlan 10998	vxlan 10998	Manual or controller-based	Create VXLAN 10998.
quit	quit	Manual or controller-based	Return to VSI view.
evpn encapsulation vxlan	evpn encapsulation vxlan	Manual or controller-based	Create a VXLAN EVPN instance on the VSI.
route-distinguisher auto	route-distinguisher auto	Manual or controller-based	Configure the device to automatically generate an RD for the EVPN instance.
vpn-target auto export-extcommunity	vpn-target auto export-extcommunity	Manual or controller-based	Configure the device to automatically generate an export RT for the EVPN instance.
vpn-target auto import-extcommunity	vpn-target auto import-extcommunity	Manual or controller-based	Configure the device to automatically generate an import RT for the EVPN instance.
quit quit	quit quit	Manual or controller-based	Return to system view.
vsi SDN_VSI_10999	vsi SDN_VSI_10999	Manual or controller-based	Create the VSI for sending traffic to firewall EW.
gateway vsi-interface 10999	gateway vsi-interface 10999	Manual or controller-based	Specify a gateway interface for the VSI.
arp suppression enable ipv6 nd suppression enable	arp suppression enable ipv6 nd suppression enable	Manual or controller-based	Enable ARP flood suppression and ND flood suppression.
vxlan 10999	vxlan 10999	Manual or controller-based	Create VXLAN 10999.
quit	quit	Manual or controller-based	Return to VSI view.
evpn encapsulation vxlan	evpn encapsulation vxlan	Manual or controller-based	Create a VXLAN EVPN instance on the VSI.
route-distinguisher auto	route-distinguisher auto	Manual or controller-based	Configure the device to automatically generate an RD for the EVPN instance.
vpn-target auto export-extcommunity	vpn-target auto export-extcommunity	Manual or controller-based	Configure the device to automatically generate an export RT for the EVPN instance.
vpn-target auto import-extcommunity	vpn-target auto import-extcommunity	Manual or controller-based	Configure the device to automatically generate an import RT for the EVPN instance.
quit quit	quit quit	Manual or controller-based	Return to system view.
vsi SDN_VSI_11000	vsi SDN_VSI_11000	Manual or controller-based	Create the VSI for receiving traffic from firewall EW.
gateway vsi-interface 11000	gateway vsi-interface 11000	Manual or controller-based	Specify a gateway interface for the VSI.
arp suppression enable ipv6 nd suppression enable	arp suppression enable ipv6 nd suppression enable	Manual or controller-based	Enable ARP flood suppression and ND flood suppression.
vxlan 11000	vxlan 11000	Manual or controller-based	Create VXLAN 11000.
quit	quit	Manual or controller-based	Return to VSI view.
evpn encapsulation vxlan	evpn encapsulation vxlan	Manual or controller-based	Create a VXLAN EVPN instance on the VSI.
route-distinguisher auto	route-distinguisher auto	Manual or controller-based	Configure the device to automatically generate an RD for the EVPN instance.
vpn-target auto export-extcommunity	vpn-target auto export-extcommunity	Manual or controller-based	Configure the device to automatically generate an export RT for the EVPN instance.
vpn-target auto import-extcommunity	vpn-target auto import-extcommunity	Manual or controller-based	Configure the device to automatically generate an import RT for the EVPN instance.
quit quit	quit quit	Manual or controller-based	Return to system view.
interface Vsi-interface10001	interface Vsi-interface10001	Manual or controller-based	Create the VSI interface for L3 connectivity to firewall NS.
ip binding vpn-instance ZHTESTCTFWNS01VRF	ip binding vpn-instance ZHTESTCTFWNS01VRF	Manual or controller-based	Associate the VSI interface with the VPN instance for firewall NS.
ipv6 address auto link-local	ipv6 address auto link-local	Manual or controller-based	Automatically generate a link-local address for the VSI interface.
l3-vni 10001	l3-vni 10001	Manual or controller-based	Assign an L3VNI to the interface.
quit	quit	Manual or controller-based	Return to system view.
interface Vsi-interface10002	interface Vsi-interface10002	Manual or controller-based	Create the VSI interface for L3 connectivity to firewall EW.
ip binding vpn-instance ZHTESTCTFWEW01VRF	ip binding vpn-instance ZHTESTCTFWEW01VRF	Manual or controller-based	Associate the VSI interface with the VPN instance for firewall EW.
ipv6 address auto link-local	ipv6 address auto link-local	Manual or controller-based	Automatically generate a link-local address for the VSI interface.
l3-vni 10002	l3-vni 10002	Manual or controller-based	Assign an L3VNI to the interface.
quit	quit	Manual or controller-based	Return to system view.
interface Vsi-interface10000	interface Vsi-interface10000	Manual or controller-based	Create the VSI interface for L3 connectivity to servers.
ip binding vpn-instance ZHTESTCTVRF	ip binding vpn-instance ZHTESTCTVRF	Manual or controller-based	Associate the VSI interface with the VPN instance for servers.
ipv6 address auto link-local	ipv6 address auto link-local	Manual or controller-based	Automatically generate a link-local address for the VSI interface.
l3-vni 10000	l3-vni 10000	Manual or controller-based	Assign an L3VNI to the interface.
bgp 65530	bgp 65530	Manual or controller-based	Enable the specified BGP instance and enter its view.
non-stop-routing	non-stop-routing	Manual or controller-based	Enable BGP nonstop routing (NSR).
router-id 197.32.241.41	router-id 197.32.241.42	Manual or controller-based	Specify a unique router ID for the BGP instance on each BGP device.
group evpn internal	group evpn internal	Manual or controller-based	Create an IBGP peer group named evpn.
peer evpn connect-interface LoopBack0	peer evpn connect-interface LoopBack0	Manual or controller-based	Specify a source interface for establishing TCP connections to a peer or peer group.
peer 197.32.241.37 group evpn	peer 197.32.241.37 group evpn	Manual or controller-based	Add node Spine A to IBGP group evpn.
peer 197.32.241.38 group evpn	peer 197.32.241.38 group evpn	Manual or controller-based	Add node Spine B to IBGP group evpn.
address-family l2vpn evpn	address-family l2vpn evpn	Manual or controller-based	Create the BGP EVPN address family and enter its view.
peer evpn enable	peer evpn enable	Manual or controller-based	Enable BGP to exchange BGP EVPN routes with IBGP peer group evpn.
quit	quit	Manual or controller-based	Return to BGP instance view.
ip vpn-instance ZHTESTCTFWEW01VRF	ip vpn-instance ZHTESTCTFWEW01VRF	Manual or controller-based	Create a BGP-VPN instance for the VPN instance that contains firewall EW, and enter BGP-VPN instance view.
address-family ipv4 unicast	address-family ipv4 unicast	Manual or controller-based	Create the BGP-VPN IPv4 unicast address family and enter its view.
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.
network 197.32.224.28 255.255.255.252 network 197.32.224.29 255.255.255.255 network 197.32.224.30 255.255.255.255 network 197.32.224.32 255.255.255.252 network 197.32.224.33 255.255.255.255 network 197.32.224.34 255.255.255.255	network 197.32.224.28 255.255.255.252 network 197.32.224.29 255.255.255.255 network 197.32.224.30 255.255.255.255 network 197.32.224.32 255.255.255.252 network 197.32.224.33 255.255.255.255 network 197.32.224.34 255.255.255.255	Manual or controller-based	Specify the local networks to be advertised by BGP.
quit quit	quit quit	Manual or controller-based	Return to BGP instance view.
address-family ipv6 unicast	address-family ipv6 unicast	Manual or controller-based	Create the BGP-VPN IPv6 unicast address family and enter its view.
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.
network FD00:0:97B0:102:: 64 network FD00:0:97B0:102::1 128 network FD00:0:97B0:102::F 128 network FD00:0:97B0:103:: 64 network FD00:0:97B0:103::1 128 network FD00:0:97B0:103::F 128	network FD00:0:97B0:102:: 64 network FD00:0:97B0:102::1 128 network FD00:0:97B0:102::F 128 network FD00:0:97B0:103:: 64 network FD00:0:97B0:103::1 128 network FD00:0:97B0:103::F 128	Manual or controller-based	Specify the local networks to be advertised by BGP.
quit quit	quit quit	Manual or controller-based	Return to BGP instance view.
ip vpn-instance ZHTESTCTFWNS01VRF	ip vpn-instance ZHTESTCTFWNS01VRF	Manual or controller-based	Create a BGP-VPN instance for the VPN instance that contains firewall NS, and enter BGP-VPN instance view.
address-family ipv4 unicast	address-family ipv4 unicast	Manual or controller-based	Create the BGP-VPN IPv4 unicast address family and enter its view.
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.
network 197.32.224.20 255.255.255.252 network 197.32.224.21 255.255.255.255 network 197.32.224.22 255.255.255.255 network 197.32.224.24 255.255.255.252 network 197.32.224.25 255.255.255.255 network 197.32.224.26 255.255.255.255	network 197.32.224.20 255.255.255.252 network 197.32.224.21 255.255.255.255 network 197.32.224.22 255.255.255.255 network 197.32.224.24 255.255.255.252 network 197.32.224.25 255.255.255.255 network 197.32.224.26 255.255.255.255	Manual or controller-based	Specify the local networks to be advertised by BGP.
quit quit	quit quit	Manual or controller-based	Return to BGP instance view.
address-family ipv6 unicast	address-family ipv6 unicast	Manual or controller-based	Create the BGP-VPN IPv6 unicast address family and enter its view.
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.
network FD00:0:97B0:102:: 64 network FD00:0:97B0:102::1 128 network FD00:0:97B0:102::F 128 network FD00:0:97B0:103:: 64 network FD00:0:97B0:103::1 128 network FD00:0:97B0:103::F 128	network FD00:0:97B0:102:: 64 network FD00:0:97B0:102::1 128 network FD00:0:97B0:102::F 128 network FD00:0:97B0:103:: 64 network FD00:0:97B0:103::1 128 network FD00:0:97B0:103::F 128	Manual or controller-based	Specify the local networks to be advertised by BGP.
quit quit	quit quit	Manual or controller-based	Return to BGP instance view.
ip vpn-instance ZHTESTCTVRF	ip vpn-instance ZHTESTCTVRF	Manual or controller-based	Create a BGP-VPN instance for the VPN instance that contains servers, and enter BGP-VPN instance view.
address-family ipv4 unicast	address-family ipv4 unicast	Manual or controller-based	Create the BGP-VPN IPv4 unicast address family and enter its view.
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.
network 197.32.13.0 255.255.255.0 network 197.32.13.254 255.255.255.255 network 197.32.42.0 255.255.255.0 network 197.32.42.254 255.255.255.255	network 197.32.13.0 255.255.255.0 network 197.32.13.254 255.255.255.255 network 197.32.42.0 255.255.255.0 network 197.32.42.254 255.255.255.255	Manual or controller-based	Specify the local networks to be advertised by BGP.
address-family ipv6 unicast	address-family ipv6 unicast	Manual or controller-based	Create the BGP-VPN IPv6 unicast address family and enter its view.
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.
network FD00:0:97B0:1013:: 64 network FD00:0:97B0:1013::FFFF 128 network FD00:0:97B0:1042:: 64 network FD00:0:97B0:1042::FFFF 128	network FD00:0:97B0:1013:: 64 network FD00:0:97B0:1013::FFFF 128 network FD00:0:97B0:1042:: 64 network FD00:0:97B0:1042::FFFF 128	Manual or controller-based	Specify the local networks to be advertised by BGP.

Configuring ACs

Leaf 1 (S6850)	Leaf 2 (S6850)	Configuration method	Description
interface Bridge-Aggregation257	interface Bridge-Aggregation257	Manual or controller-based	Enter the view of the aggregate interface connected to firewall EW.
service-instance 997	service-instance 997	Manual or controller-based	Create an Ethernet service instance.
encapsulation s-vid 997	encapsulation s-vid 997	Manual or controller-based	Specify the outer VLAN IDs to match.
xconnect vsi SDN_VSI_10997	xconnect vsi SDN_VSI_10997	Manual or controller-based	Map the AC to a VSI.
service-instance 998	service-instance 998	Manual or controller-based	Create an Ethernet service instance.
encapsulation s-vid 998	encapsulation s-vid 998	Manual or controller-based	Specify the outer VLAN IDs to match.
xconnect vsi SDN_VSI_10998	xconnect vsi SDN_VSI_10998	Manual or controller-based	Map the AC to a VSI.
quit	quit	Manual or controller-based	Return to interface view.
service-instance 999	service-instance 999	Manual or controller-based	Create an Ethernet service instance.
encapsulation s-vid 999	encapsulation s-vid 999	Manual or controller-based	Specify the outer VLAN IDs to match.
xconnect vsi SDN_VSI_10999	xconnect vsi SDN_VSI_10999	Manual or controller-based	Map the AC to a VSI.
quit	quit	Manual or controller-based	Return to interface view.
service-instance 1000	service-instance 1000	Manual or controller-based	Create an Ethernet service instance.
encapsulation s-vid1000	encapsulation s-vid 1000	Manual or controller-based	Specify the outer VLAN IDs to match.
xconnect vsi SDN_VSI_11000	xconnect vsi SDN_VSI_11000	Manual or controller-based	Map the AC to a VSI.
quit quit	quit quit	Manual or controller-based	Return to system view.
interface Bridge-Aggregation258	interface Bridge-Aggregation258	Manual or controller-based	Enter the view of the aggregate interface connected to firewall NS.
service-instance 997	service-instance 997	Manual or controller-based	Create an Ethernet service instance.
encapsulation s-vid 997	encapsulation s-vid 997	Manual or controller-based	Specify the outer VLAN IDs to match.
xconnect vsi SDN_VSI_10997	xconnect vsi SDN_VSI_10997	Manual or controller-based	Map the AC to a VSI.
quit	quit	Manual or controller-based	Return to interface view.
service-instance 998	service-instance 998	Manual or controller-based	Create an Ethernet service instance.
encapsulation s-vid 998	encapsulation s-vid 998	Manual or controller-based	Specify the outer VLAN IDs to match.
xconnect vsi SDN_VSI_10998	xconnect vsi SDN_VSI_10998	Manual or controller-based	Map the AC to a VSI.
quit	quit	Manual or controller-based	Return to interface view.
service-instance 999	service-instance 999	Manual or controller-based	Create an Ethernet service instance.
encapsulation s-vid 999	encapsulation s-vid 999	Manual or controller-based	Specify the outer VLAN IDs to match.
xconnect vsi SDN_VSI_10999	xconnect vsi SDN_VSI_10999	Manual or controller-based	Map the AC to a VSI.
quit	quit	Manual or controller-based	Return to interface view.
service-instance 1000	service-instance 1000	Manual or controller-based	Create an Ethernet service instance.
encapsulation s-vid1000	encapsulation s-vid 1000	Manual or controller-based	Specify the outer VLAN IDs to match.
xconnect vsi SDN_VSI_11000	xconnect vsi SDN_VSI_11000	Manual or controller-based	Map the AC to a VSI.
quit quit	quit quit	Manual or controller-based	Return to system view.

Configuring leaf nodes (Leaf 3 and Leaf 4)

Procedure summary

· Configuring the device modes

· Configuring the underlay routing protocol

· Configuring L3VPN

· Setting up the M-LAG system and the peer link

· Configuring the links towards the spine tier

· Configuring the distributed EVPN gateway

· Configuring ACs

Configuring the device modes

For how to configure the device modes, see ADDC solution deployment guides. The mode-related configurations might include the following types:

· Hardware resource mode configuration (for example, the hardware-resource switch-mode command on S6850 switches).

· Support for IPv6 routes with the prefix longer than 64 bits (for example, the hardware-resource routing-mode ipv6-128 command on S6850 switches).

· VXLAN hardware resource mode configuration (for example, the hardware-resource vxlan command on S6850 switches).

Configuring the underlay routing protocol

Leaf 3 (S6850)	Leaf 4 (S6850)	Configuration method	Description	Remarks
router id 197.32.241.43	router id 197.32.241.44	Manual or controller-based	Specify a unique global router ID for each device.	N/A
ospf 65530	ospf 65530	Manual or controller-based	Create OSPF process 65530.	N/A
non-stop-routing	non-stop-routing	Manual or controller-based	Enable non-stop routing (NSR) for OSPF.	N/A
stub-router include-stub on-startup 900	stub-router include-stub on-startup 900	Manual or controller-based	To accelerate network convergence, specify the router as a stub router during reboot for the specified period of time.	This command sets the cost of stub links to the maximum value (65535). Neighbors on such links will not send packets to the stub router as long as they have a route with a smaller cost.
area 0.0.0.0	area 0.0.0.0	Manual or controller-based	Create OSPF area 0.0.0.0.	N/A
interface loopback 0	interface loopback 0	Manual or controller-based	Enter the interface view of Loopback 0.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on interface Loopback 0.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface loopback 2	interface loopback 2	Manual or controller-based	Enter the interface view of Loopback 2.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on interface Loopback 2.	N/A

Configuring L3VPN

Leaf 3 (S6850)	Leaf 4 (S6850)	Configuration method	Description	Remarks
interface loopback 0	interface loopback 0	Manual or controller-based	Configure interface Loopback 0.	N/A
ip address 197.32.241.43 255.255.255.255	ip address 197.32.241.44 255.255.255.255	Manual or controller-based	Assign an IP address to interface Loopback 0.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface loopback 2	interface loopback 2	Manual or controller-based	Configure interface Loopback 2.	N/A
ip address 197.32.241.64 255.255.255.255	ip address 197.32.241.64 255.255.255.255	Manual or controller-based	Assign an IP address to interface Loopback 2.	N/A
ip vpn-instance auto-online-mlag	ip vpn-instance auto-online-mlag	Manual or controller-based	Create a VPN instance for the M-LAG keepalive link. In this example, the VPN instance name is auto-online-mlag.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
ip vpn-instance mgmt	ip vpn-instance mgmt	Manual or controller-based	Create a VPN instance for the management port. In this example, the VPN instance name is mgmt.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
ip vpn-instance ZHTESTCTVRF route-distinguisher3:10000 address-family ipv4 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit	ip vpn-instance ZHTESTCTVRF route-distinguisher 4:10000 address-family ipv4 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit	Manual or controller-based	Configure the VPN instance for user services. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4/IPv6 address family and EVPN address family.	For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other.
quit	quit	Manual or controller-based	Return to system view.	N/A
ip vpn-instance ZHTESTCTFWNS01VRF route-distinguisher 3:10001 address-family ipv4 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit	ip vpn-instance ZHTESTCTFWNS01VRF route-distinguisher 4:10001 address-family ipv4 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit	Manual or controller-based	Configure the VPN instance for the north-south firewall service. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4/IPv6 address family and EVPN address family.	For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other.
quit	quit	Manual or controller-based	Return to system view.	N/A
ip vpn-instance ZHTESTCTFWEW01VRF route-distinguisher 3:10002 address-family ipv4 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity	ip vpn-instance ZHTESTCTFWEW01VRF route-distinguisher 4:10002 address-family ipv4 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity	Manual or controller-based	Configure the VPN instance for the east-west firewall service. Set a route distinguisher (RD) for the VPN instance, and set the import and export route targets (RTs) for the VPN instance IPv4/IPv6 address family and EVPN address family.	For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other.

Setting up the M-LAG system and the peer link

Leaf 3 (S6850)	Leaf 4 (S6850)	Configuration method	Description	Remarks
m-lag system-mac 0c3a-fa36-acef	m-lag system-mac 0c3a-fa36-acef	Manual or controller-based	Set the MAC address of the M-LAG system.	You must assign the same M-LAG system MAC address to the member devices in an M-LAG system.
m-lag system-number 1	m-lag system-number 2	Manual or controller-based	Set the M-LAG system number.	You must assign different M-LAG system numbers to the member devices in an M-LAG system.
m-lag system-priority 10	m-lag system-priority 10	Manual or controller-based	Set the M-LAG system priority.	You must set the same M-LAG system priority on the member devices in an M-LAG system.
m-lag keepalive ip destination 197.32.241.62 source 197.32.241.61 vpn-instance auto-online-mlag	m-lag keepalive ip destination 197.32.241.61 source 197.32.241.62 vpn-instance auto-online-mlag	Manual or controller-based	Configure the source and destination IP addresses of keepalive packets.	The source and destination IP addresses specified on one member device must be the destination and source IP addresses specified on the other, respectively.
m-lag restore-delay 300	m-lag restore-delay 300	Manual or controller-based	Set the data restoration interval. This parameter specifies the maximum amount of time for the secondary M-LAG member device to synchronize data with the primary M-LAG member device during M-LAG system setup.	To avoid packet loss and forwarding failure, increase the data restoration interval if the amount of data is large, for example, when the device has a large number of routes and interfaces.
m-lag mad default-action none	m-lag mad default-action none	Manual or controller-based	Set the M-LAG MAD action to none. When the M-LAG system splits, M-LAG MAD will not shut down any network interfaces, except the interfaces configured manually or by the system to be shut down by M-LAG MAD.	N/A
m-lag mad include interface HundredGigE1/0/25 m-lag mad include interface HundredGigE1/0/26	m-lag mad include interface HundredGigE1/0/25 m-lag mad include interface HundredGigE1/0/26	Manual or controller-based	Configure M-LAG MAD to shut down the uplink interfaces.	N/A
interface Twenty-FiveGigE 1/0/54	interface Twenty-FiveGigE 1/0/54	Manual or controller-based	Enter the interface view for the keepalive link.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the interface for keepalive detection to operate in route mode as a Layer 3 interface.	N/A
ip binding vpn-instance auto-online-mlag	ip binding vpn-instance auto-online-mlag	Manual or controller-based	Associate the interface with VPN instance auto-online-mlag, the VPN instance for M-LAG keepalive detection.	N/A
ip address 197.32.241.61 255.255.255.252	ip address 197.32.241.62 255.255.255.252	Manual or controller-based	Assign an IP address to the interface as planned.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface bridge-aggregation 256	interface bridge-aggregation 256	Manual or controller-based	Create the Layer 2 aggregate interface to be used as the peer-link interface, and enter interface view.	N/A
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual or controller-based	Configure the aggregate interface to operate in dynamic mode.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface HundredGigE1/0/31	interface HundredGigE1/0/31	Manual or controller-based	Enter the view of the physical port for the peer link.	N/A
port link-aggregation group 256	port link-aggregation group 256	Manual or controller-based	Assign the physical port to the aggregation group for the peer link (aggregation group 256).	N/A
interface bridge-aggregation 256	interface bridge-aggregation 256	Manual or controller-based	Enter aggregate interface view.	N/A
port m-lag peer-link 1	port m-lag peer-link 1	Manual or controller-based	Specify the aggregate interface (Bridge-Aggregation 256) as the peer-link interface.	N/A
port trunk pvid vlan 4094	port trunk pvid vlan 4094	Manual or controller-based	Set the PVID of the physical port to 4094.	N/A
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual or controller-based	Disable the static source check feature on Bridge-Aggregation 256.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface Vlan-interface 4094	interface Vlan-interface 4094	Manual or controller-based	Create a VLAN interface on each of the M-LAG member devices to establish Layer 3 connectivity for forwarding packets from devices single-homed to only one M-LAG interface. This example uses VLAN-interface 4094.	N/A
ip address 197.32.241.143 255.255.255.0	ip address 197.32.241.144 255.255.255.0	Manual or controller-based	Assign an IP address to VLAN-interface 4094.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Configure OSPF on VLAN-interface 4094.	N/A

Configuring the links towards the spine tier

Leaf 3 (S6850)	Leaf 4 (S6850)	Configuration method	Description	Remarks
interface HundredGigE1/0/25	interface HundredGigE1/0/25	Manual or controller-based	Enter the view of the physical interface connected to Spine A.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface loopback 0	ip address unnumbered interface loopback 0	Manual or controller-based	Configure the interface to borrow the IP address of Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the interface.	N/A
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual or controller-based	Disable the static source check feature on the interface.	N/A
lldp compliance admin-status cdp txrx	lldp compliance admin-status cdp txrx	Manual or controller-based	Configure CDP-compatible LLDP to operate in TxRx mode. In this mode, LLDP both sends and receives CDP packets.	N/A
lldp management-address arp-learning	lldp management-address arp-learning	Manual or controller-based	Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface.	N/A
lldp tlv-enable basic-tlv management-address-tlv interface loopback 0	lldp tlv-enable basic-tlv management-address-tlv interface loopback 0	Manual or controller-based	Specify advertisable TLVs on the interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface HundredGigE1/0/26	interface HundredGigE1/0/26	Manual or controller-based	Enter the view of the physical interface connected to Spine B.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface loopback 0	ip address unnumbered interface loopback 0	Manual or controller-based	Configure the interface to borrow the IP address of Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the interface.	N/A
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual or controller-based	Disable the static source check feature on the interface.	N/A
lldp compliance admin-status cdp txrx	lldp compliance admin-status cdp txrx	Manual or controller-based	Configure CDP-compatible LLDP to operate in TxRx mode. In this mode, LLDP both sends and receives CDP packets.	N/A
lldp management-address arp-learning	lldp management-address arp-learning	Manual or controller-based	Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface.	N/A
lldp tlv-enable basic-tlv management-address-tlv interface loopback 0	lldp tlv-enable basic-tlv management-address-tlv interface loopback 0	Manual or controller-based	Specify advertisable TLVs on the interface.	N/A

Configuring the distributed EVPN gateway

Leaf 3 (S6850)	Leaf 4 (S6850)	Configuration method	Description	Remarks
l2vpn enable	l2vpn enable	Manual or controller-based	Enable L2VPN.	N/A
l2vpn m-lag peer-link ac-match-rule vxlan-mapping	l2vpn m-lag peer-link ac-match-rule vxlan-mapping	Manual or controller-based	Enable the device to create frame match criteria based on VXLAN IDs for the dynamic ACs on the peer link. Perform this task when the M-LAG system uses a direct physical link as the peer link.	N/A
vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable	vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable	Manual or controller-based	Disable remote ARP/ND learning. This setting avoids the conflict between automatically learned ARP/ND entries and ARP/ND entries advertised through BGP EVPN.	N/A
vxlan tunnel mac-learning disable	vxlan tunnel mac-learning disable	Manual or controller-based	Disable remote MAC address learning. This setting avoids the conflict between automatically learned MAC address entries and MAC address entries advertised through BGP EVPN.	N/A
vxlan default-decapsulation source interface loopback 0	vxlan default-decapsulation source interface loopback 0	Manual or controller-based	Enable the device to always decapsulate the VXLAN packets destined for the IP address of Loopback 0, whether or not it has a VXLAN tunnel for them.	N/A
vlan all	vlan all	Manual or controller-based	Create VLANs 1 through 4094.	N/A
evpn m-lag group 197.32.241.64	evpn m-lag group 197.32.241.64	Manual or controller-based	Enable EVPN M-LAG and set the virtual VTEP address.	N/A
evpn m-lag local 197.32.241.43 remote 197.32.241.44	evpn m-lag local 197.32.241.44 remote 197.32.241.43	Manual or controller-based	Specify the IP addresses of the local and peer VTEPs in the M-LAG system.	This step is required if the M-LAG system uses a direct physical link as the peer link and has ACs attached to only one of the member devices.
evpn global-mac 0c3a-fa38-3d3b	evpn global-mac 0c3a-fa38-3d3b	Manual or controller-based	Configure an EVPN global MAC address.	N/A
interface Vsi-interface13313	interface Vsi-interface13313	Manual or controller-based	Create the VSI interface to be used as a distributed EVPN gateway member for compute servers.	N/A
ip binding vpn-instance ZHTESTCTVRF	ip binding vpn-instance ZHTESTCTVRF	Manual or controller-based	Associate the VSI interface with the VPN instance for compute servers.	N/A
ip address 197.32.13.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1013::/64 no-advertise ipv6 address FD00:0:97B0:1013::FFFF/64	ip address 197.32.13.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1013::/64 no-advertise ipv6 address FD00:0:97B0:1013::FFFF/64	Manual or controller-based	Assign an IPv4 address and an IPv6 address to the VSI interface.	N/A
mac-address 6805-ca21-d6e5	mac-address 6805-ca21-d6e5	Manual or controller-based	Assign a MAC address to the distributed EVPN gateway.	N/A
arp route-direct advertise ipv6 nd route-direct advertise	arp route-direct advertise ipv6 nd route-direct advertise	Manual or controller-based	Enable ARP/ND direct route advertisement. Enabled with this feature, ARP/ND advertises ARP/ND entries to the route management module to generate direct routes.	N/A
distributed-gateway local	distributed-gateway local	Manual or controller-based	Enable distributed gateway service on the VSI interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
vsi SDN_VSI_13313	vsi SDN_VSI_13313	Manual or controller-based	Create a VSI to provide access services for the attached compute servers.	N/A
gateway vsi-interface 13313	gateway vsi-interface 13313	Manual or controller-based	Specify the gateway interface for the VSI.	N/A
arp suppression enable ipv6 nd suppression enable	arp suppression enable ipv6 nd suppression enable	Manual or controller-based	Enable ARP/ND flood suppression.	N/A
vxlan 13313	vxlan 13313	Manual or controller-based	Create VXLAN 13313.	N/A
quit	quit	Manual or controller-based	Return to VSI view.	N/A
evpn encapsulation vxlan	evpn encapsulation vxlan	Manual or controller-based	Create a VXLAN EVPN instance on the VSI.	N/A
route-distinguisher auto	route-distinguisher auto	Manual or controller-based	Configure the device to automatically generate an RD for the EVPN instance.	N/A
vpn-target auto export-extcommunity	vpn-target auto export-extcommunity	Manual or controller-based	Configure the device to automatically generate an export RT for the EVPN instance.	N/A
vpn-target auto import-extcommunity	vpn-target auto import-extcommunity	Manual or controller-based	Configure the device to automatically generate an import RT for the EVPN instance.	N/A
quit quit	quit quit	Manual or controller-based	Return to system view.	N/A
interface Vsi-interface 13314	interface Vsi-interface 13314	Manual or controller-based	Create the VSI interface to be used as a distributed EVPN gateway member for compute servers.	N/A
ip binding vpn-instance ZHTESTCTVRF	ip binding vpn-instance ZHTESTCTVRF	Manual or controller-based	Associate the VSI interface with the VPN instance for compute servers.	N/A
ip address 197.32.14.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1014::/64 no-advertise ipv6 address FD00:0:97B0:1014::FFFF/64	ip address 197.32.14.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1014::/64 no-advertise ipv6 address FD00:0:97B0:1014::FFFF/64	Manual or controller-based	Assign an IPv4 address and an IPv6 address to the VSI interface.	N/A
mac-address 6805-ca21-d6e5	mac-address 6805-ca21-d6e5	Manual or controller-based	Assign a MAC address to the distributed EVPN gateway.	N/A
arp route-direct advertise ipv6 nd route-direct advertise	arp route-direct advertise ipv6 nd route-direct advertise	Manual or controller-based	Enable ARP/ND direct route advertisement. Enabled with this feature, ARP/ND advertises ARP/ND entries to the route management module to generate direct routes.	N/A
distributed-gateway local	distributed-gateway local	Manual or controller-based	Enable distributed gateway service on the VSI interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
vsi SDN_VSI_13314	vsi SDN_VSI_13314	Manual or controller-based	Create a VSI to provide access services for the attached compute servers.	N/A
gateway vsi-interface 13314	gateway vsi-interface 13314	Manual or controller-based	Specify the gateway interface for the VSI.	N/A
arp suppression enable ipv6 nd suppression enable	arp suppression enable ipv6 nd suppression enable	Manual or controller-based	Enable ARP/ND flood suppression.	N/A
vxlan 13314	vxlan 13314	Manual or controller-based	Create VXLAN 13314.	N/A
quit	quit	Manual or controller-based	Return to VSI view.	N/A
evpn encapsulation vxlan	evpn encapsulation vxlan	Manual or controller-based	Create a VXLAN EVPN instance on the VSI.	N/A
route-distinguisher auto	route-distinguisher auto	Manual or controller-based	Configure the device to automatically generate an RD for the EVPN instance.	N/A
vpn-target auto export-extcommunity	vpn-target auto export-extcommunity	Manual or controller-based	Configure the device to automatically generate an export RT for the EVPN instance.	N/A
vpn-target auto import-extcommunity	vpn-target auto import-extcommunity	Manual or controller-based	Configure the device to automatically generate an import RT for the EVPN instance.	N/A
quit quit	quit quit	Manual or controller-based	Return to system view.	N/A
interface Vsi-interface10001	interface Vsi-interface10001	Manual or controller-based	Create the VSI interface for L3 connectivity to firewall NS.	N/A
ip binding vpn-instance ZHTESTCTFWNS01VRF	ip binding vpn-instance ZHTESTCTFWNS01VRF	Manual or controller-based	Associate the VSI interface with the VPN instance for firewall NS.	N/A
ipv6 address auto link-local	ipv6 address auto link-local	Manual or controller-based	Automatically generate a link-local address for the VSI interface.	N/A
l3-vni 10001	l3-vni 10001	Manual or controller-based	Assign an L3VNI (also called an L3 VXLAN ID) to the VSI interface.	N/A
interface Vsi-interface10002	interface Vsi-interface10002	Manual or controller-based	Create the VSI interface for L3 connectivity to firewall EW.	N/A
ip binding vpn-instance ZHTESTCTFWEW01VRF	ip binding vpn-instance ZHTESTCTFWEW01VRF	Manual or controller-based	Associate the VSI interface with the VPN instance for firewall EW.	N/A
l3-vni 10002	l3-vni 10002	Manual or controller-based	Assign an L3VNI (also called an L3 VXLAN ID) to the VSI interface.	N/A
ipv6 address auto link-local	ipv6 address auto link-local	Manual or controller-based	Automatically generate a link-local address for the VSI interface.	N/A
interface Vsi-interface10000	interface Vsi-interface10000	Manual or controller-based	Create the VSI interface for L3 connectivity to compute servers.	N/A
ip binding vpn-instance ZHTESTCTVRF	ip binding vpn-instance ZHTESTCTVRF	Manual or controller-based	Associate the VSI interface with the VPN instance for compute servers.	N/A
ipv6 address auto link-local	ipv6 address auto link-local	Manual or controller-based	Automatically generate a link-local address for the VSI interface.	N/A
l3-vni 10000	l3-vni 10000	Manual or controller-based	Assign an L3VNI (also called an L3 VXLAN ID) to the VSI interface.	N/A
bgp 65530	bgp 65530	Manual or controller-based	Enable the specified BGP instance and enter its view.	N/A
non-stop-routing	non-stop-routing	Manual or controller-based	Enable BGP non-stop routing (NSR).	N/A
router-id 197.32.241.43	router-id 197.32.241.44	Manual or controller-based	Specify a unique router ID for the BGP instance on each BGP device.	N/A
group evpn internal	group evpn internal	Manual or controller-based	Create an IBGP peer group named evpn.	N/A
peer evpn connect-interface loopback 0	peer evpn connect-interface loopback 0	Manual or controller-based	Specify a source interface for establishing TCP connections to a peer or peer group.	N/A
peer 197.32.241.37 group evpn	peer 197.32.241.37 group evpn	Manual or controller-based	Add node Spine A to IBGP group evpn.	N/A
peer 197.32.241.38 group evpn	peer 197.32.241.38 group evpn	Manual or controller-based	Add node Spine B to IBGP group evpn.	N/A
address-family l2vpn evpn	address-family l2vpn evpn	Manual or controller-based	Create the BGP EVPN address family and enter its view.	N/A
peer evpn enable	peer evpn enable	Manual or controller-based	Enable BGP to exchange BGP EVPN routes with IBGP peer group evpn.	N/A
quit	quit	Manual or controller-based	Return to BGP instance view.	N/A
ip vpn-instance ZHTESTCTFWEW01VRF	ip vpn-instance ZHTESTCTFWEW01VRF	Manual or controller-based	Create a BGP-VPN instance for the VPN instance that contains firewall EW, and enter BGP-VPN instance view.	N/A
address-family ipv4 unicast	address-family ipv4 unicast	Manual or controller-based	Create the BGP-VPN IPv4 unicast address family and enter its view.	N/A
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
quit quit	quit quit	Manual or controller-based	Return to BGP instance view.	N/A
ip vpn-instance ZHTESTCTFWNS01VRF	ip vpn-instance ZHTESTCTFWNS01VRF	Manual or controller-based	Create a BGP-VPN instance for the VPN instance that contains firewall NS, and enter BGP-VPN instance view.	N/A
address-family ipv4 unicast	address-family ipv4 unicast	Manual or controller-based	Create the BGP-VPN IPv4 unicast address family and enter its view.	N/A
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
quit quit	quit quit	Manual or controller-based	Return to BGP instance view.	N/A
ip vpn-instance ZHTESTCTVRF	ip vpn-instance ZHTESTCTVRF	Manual or controller-based	Create a BGP-VPN instance for the VPN instance that contains compute servers, and enter BGP-VPN instance view.	N/A
address-family ipv4 unicast	address-family ipv4 unicast	Manual or controller-based	Create the BGP-VPN IPv4 unicast address family and enter its view.	N/A
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
network 197.32.13.0 255.255.255.0 network 197.32.13.254 255.255.255.255	network 197.32.13.0 255.255.255.0 network 197.32.13.254 255.255.255.255	Manual or controller-based	Specify the local networks to be advertised by BGP.	N/A
address-family ipv6 unicast	address-family ipv6 unicast	Manual or controller-based	Create the BGP-VPN IPv6 unicast address family and enter its view.	N/A
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
network FD00:0:97B0:1013:: 64 network FD00:0:97B0:1013::FFFF 128	network FD00:0:97B0:1013:: 64 network FD00:0:97B0:1013::FFFF 128	Manual or controller-based	Specify the local networks to be advertised by BGP.	N/A

Configuring ACs

Leaf 3 (S6850)	Leaf 4 (S6850)	Configuration method	Description	Remarks
interface Twenty-FiveGigE 1/0/2	interface Twenty-FiveGigE 1/0/4	Manual or controller-based	Enter the view of the physical port connected to compute servers.	N/A
port link-type trunk	port link-type trunk	Manual or controller-based	Set the link type of the physical port to trunk.	N/A
undo port trunk permit vlan 1	undo port trunk permit vlan 1	Manual or controller-based	Remove the port from VLAN 1.	N/A
port trunk permit vlan 3313	port trunk permit vlan 3314	Manual or controller-based	Assign the port to a VLAN.	N/A
port trunk pvid vlan 3313	port trunk pvid vlan 3314	Manual or controller-based	Set the PVID of the port.	N/A
service-instance 3313	service-instance 3314	Manual or controller-based	Create an Ethernet service instance.	N/A
encapsulation untagged	encapsulation untagged	Manual or controller-based	Configure the Ethernet service instance to match any frames that do not have an 802.1Q VLAN tag.	N/A
xconnect vsi SDN_VSI_13313 access-mode ethernet	xconnect vsi SDN_VSI_13314 access-mode ethernet	Manual or controller-based	Map the Ethernet service instance to the specified VSI.	N/A

Configuring leaf nodes (Leaf 5 and Leaf 6)

Procedure summary

· Configuring the device modes

· Configuring the underlay routing protocol

· Configuring L3VPN

· Setting up the M-LAG system and the peer link

· Configuring the links towards the spine tier

· Configuring the distributed EVPN gateway

· Configuring ACs

Configuring the device modes

For how to configure the device modes, see ADDC solution deployment guides. The mode-related configurations might include the following types:

· Hardware resource mode configuration (for example, the hardware-resource switch-mode command on S6850 switches).

· Support for IPv6 routes with the prefix longer than 64 bits (for example, the hardware-resource routing-mode ipv6-128 command on S6850 switches).

· VXLAN hardware resource mode configuration (for example, the hardware-resource vxlan command on S6850 switches).

Configuring the underlay routing protocol

Leaf 5 (S6850)	Leaf 6 (S6850)	Configuration method	Description	Remarks
router id 197.32.241.45	router id 197.32.241.46	Manual or controller-based	Specify a unique global router ID for each device.	N/A
ospf 65530	ospf 65530	Manual or controller-based	Create OSPF process 65530.	N/A
non-stop-routing	non-stop-routing	Manual or controller-based	Enable non-stop routing (NSR) for OSPF.	N/A
stub-router include-stub on-startup 900	stub-router include-stub on-startup 900	Manual or controller-based	To accelerate network convergence, specify the router as a stub router during reboot for the specified period of time.	This command sets the cost of stub links to the maximum value (65535). Neighbors on such links will not send packets to the stub router as long as they have a route with a smaller cost.
area 0.0.0.0	area 0.0.0.0	Manual or controller-based	Create OSPF area 0.0.0.0.	N/A
interface loopback0	interface loopback0	Manual or controller-based	Enter the interface view of Loopback 0.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on interface Loopback 0.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface loopback 2	interface loopback 2	Manual or controller-based	Enter the interface view of Loopback 2.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on interface Loopback 2.	N/A

Configuring L3VPN

Leaf 5 (S6850)	Leaf 6 (S6850)	Configuration method	Description	Remarks
interface loopback 0	interface loopback 0	Manual or controller-based	Configure interface Loopback 0.	N/A
ip address 197.32.241.45 255.255.255.255	ip address 197.32.241.46 255.255.255.255	Manual or controller-based	Assign an IP address to interface Loopback 0.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface loopback 2	interface loopback 2	Manual or controller-based	Configure interface Loopback 2.	N/A
ip address 197.32.241.67 255.255.255.255	ip address 197.32.241.67 255.255.255.255	Manual or controller-based	Assign an IP address to interface Loopback 2.	N/A
ip vpn-instance auto-online-mlag	ip vpn-instance auto-online-mlag	Manual or controller-based	Create a VPN instance for the M-LAG keepalive link. In this example, the VPN instance name is auto-online-mlag.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
ip vpn-instance mgmt	ip vpn-instance mgmt	Manual or controller-based	Create a VPN instance for the management port. In this example, the VPN instance name is mgmt.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
ip vpn-instance ZHTESTCTVRF route-distinguisher 5:10000 address-family ipv4 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit	ip vpn-instance ZHTESTCTVRF route-distinguisher 6:10000 address-family ipv4 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit	Manual or controller-based	Configure the VPN instance for user services. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4/IPv6 address family and EVPN address family.	For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other.
quit	quit	Manual or controller-based	Return to system view.	N/A
ip vpn-instance ZHTESTCTFWNS01VRF route-distinguisher 5:10001 address-family ipv4 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit	ip vpn-instance ZHTESTCTFWNS01VRF route-distinguisher 6:10001 address-family ipv4 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit	Manual or controller-based	Configure the VPN instance for the north-south firewall service. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4/IPv6 address family and EVPN address family.	For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other.
quit	quit	Manual or controller-based	Return to system view.	N/A
ip vpn-instance ZHTESTCTFWEW01VRF route-distinguisher 5:10002 address-family ipv4 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit	ip vpn-instance ZHTESTCTFWEW01VRF route-distinguisher 6:10002 address-family ipv4 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit	Manual or controller-based	Configure the VPN instance for the east-west firewall service. Set a route distinguisher (RD) for the VPN instance, and set the import and export route targets (RTs) for the VPN instance IPv4/IPv6 address family and EVPN address family.	For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other.

Setting up the M-LAG system and the peer link

Leaf 5 (S6850)	Leaf 6 (S6850)	Configuration method	Description	Remarks
m-lag system-mac 0c3a-fa36-b811	m-lag system-mac 0c3a-fa36-b811	Manual or controller-based	Set the MAC address of the M-LAG system.	You must assign the same M-LAG system MAC address to the member devices in an M-LAG system.
m-lag system-number 1	m-lag system-number 2	Manual or controller-based	Set the M-LAG system number.	You must assign different M-LAG system numbers to the member devices in an M-LAG system.
m-lag system-priority 10	m-lag system-priority 10	Manual or controller-based	Set the M-LAG system priority.	You must set the same M-LAG system priority on the member devices in an M-LAG system.
m-lag keepalive ip destination 197.32.241.78 source 197.32.241.77 vpn-instance auto-online-mlag	m-lag keepalive ip destination 197.32.241.77 source 197.32.241.78 vpn-instance auto-online-mlag	Manual or controller-based	Configure the source and destination IP addresses of keepalive packets.	The source and destination IP addresses specified on one member device must be the destination and source IP addresses specified on the other, respectively.
m-lag restore-delay 300	m-lag restore-delay 300	Manual or controller-based	Set the data restoration interval. This parameter specifies the maximum amount of time for the secondary M-LAG member device to synchronize data with the primary M-LAG member device during M-LAG system setup.	To avoid packet loss and forwarding failure, increase the data restoration interval if the amount of data is large, for example, when the device has a large number of routes and interfaces.
m-lag mad default-action none	m-lag mad default-action none	Manual or controller-based	Set the M-LAG MAD action to none. When the M-LAG system splits, M-LAG MAD will not shut down any network interfaces, except the interfaces configured manually or by the system to be shut down by M-LAG MAD.	N/A
m-lag mad include interface HundredGigE1/0/25 m-lag mad include interface HundredGigE1/0/26	m-lag mad include interface HundredGigE1/0/25 m-lag mad include interface HundredGigE1/0/26	Manual or controller-based	Configure M-LAG MAD to shut down the uplink interfaces.	N/A
interface Twenty-FiveGigE 1/0/54	interface Twenty-FiveGigE 1/0/54	Manual or controller-based	Enter the interface view for the keepalive link.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the interface for keepalive detection to operate in route mode as a Layer 3 interface.	N/A
ip binding vpn-instance auto-online-mlag	ip binding vpn-instance auto-online-mlag	Manual or controller-based	Associate the interface with VPN instance auto-online-mlag, the VPN instance for M-LAG keepalive detection.	N/A
ip address 197.32.241.77 255.255.255.252	ip address 197.32.241.78 255.255.255.252	Manual or controller-based	Assign an IP address to the interface as planned.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface bridge-aggregation 256	interface bridge-aggregation 256	Manual or controller-based	Create the Layer 2 aggregate interface to be used as the peer-link interface, and enter interface view.	N/A
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual or controller-based	Configure the aggregate interface to operate in dynamic mode.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface HundredGigE1/0/31	interface HundredGigE1/0/31	Manual or controller-based	Enter the view of the physical port for the peer link.	N/A
port link-aggregation group 256	port link-aggregation group 256	Manual or controller-based	Assign the physical port to the aggregation group for the peer link (aggregation group 256).	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface bridge-aggregation 256	interface bridge-aggregation 256	Manual or controller-based	Create the Layer 2 aggregate interface to be used as the peer-link interface, and enter interface view.	N/A
port m-lag peer-link 1	port m-lag peer-link 1	Manual or controller-based	Specify the aggregate interface (Bridge-Aggregation 256) as the peer-link interface.	N/A
port trunk pvid vlan 4094	port trunk pvid vlan 4094	Manual or controller-based	Set the PVID of the physical port to 4094.	N/A
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual or controller-based	Disable the static source check feature on Bridge-Aggregation 256.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface Vlan-interface 4094	interface Vlan-interface 4094	Manual or controller-based	Create a VLAN interface on each of the M-LAG member devices to establish Layer 3 connectivity for forwarding packets from devices single-homed to only one M-LAG interface. This example uses VLAN-interface 4094.	N/A
ip address 197.32.241.145 255.255.255.0	ip address 197.32.241.146 255.255.255.0	Manual or controller-based	Assign an IP address to VLAN-interface 4094.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Configure OSPF on VLAN-interface 4094.	N/A

Configuring the links towards the spine tier

Leaf 5 (S6850)	Leaf 6 (S6850)	Configuration method	Description	Remarks
interface HundredGigE1/0/25	interface HundredGigE1/0/25	Manual or controller-based	Enter the view of the physical interface connected to Spine A.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface loopback 0	ip address unnumbered interface loopback 0	Manual or controller-based	Configure the interface to borrow the IP address of Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the interface.	N/A
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual or controller-based	Disable the static source check feature on the interface.	N/A
lldp compliance admin-status cdp txrx	lldp compliance admin-status cdp txrx	Manual or controller-based	Configure CDP-compatible LLDP to operate in TxRx mode. In this mode, LLDP both sends and receives CDP packets.	N/A
lldp management-address arp-learning	lldp management-address arp-learning	Manual or controller-based	Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface.	N/A
lldp tlv-enable basic-tlv management-address-tlv interface loopback 0	lldp tlv-enable basic-tlv management-address-tlv interface loopback 0	Manual or controller-based	Specify advertisable TLVs on the interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface HundredGigE1/0/26	interface HundredGigE1/0/26	Manual or controller-based	Enter the view of the physical interface connected to Spine B.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface loopback 0	ip address unnumbered interface loopback 0	Manual or controller-based	Configure the interface to borrow the IP address of Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the interface.	N/A
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual or controller-based	Disable the static source check feature on the interface.	N/A
lldp compliance admin-status cdp txrx	lldp compliance admin-status cdp txrx	Manual or controller-based	Configure CDP-compatible LLDP to operate in TxRx mode. In this mode, LLDP both sends and receives CDP packets.	N/A
lldp management-address arp-learning	lldp management-address arp-learning	Manual or controller-based	Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface.	N/A
lldp tlv-enable basic-tlv management-address-tlv interface loopback 0	lldp tlv-enable basic-tlv management-address-tlv interface loopback 0	Manual or controller-based	Specify advertisable TLVs on the interface.	N/A

Configuring the distributed EVPN gateway

Leaf 5 (S6850)	Leaf 6 (S6850)	Configuration method	Description	Remarks
l2vpn enable	l2vpn enable	Manual or controller-based	Enable L2VPN.	N/A
l2vpn m-lag peer-link ac-match-rule vxlan-mapping	l2vpn m-lag peer-link ac-match-rule vxlan-mapping	Manual or controller-based	Enable the device to create frame match criteria based on VXLAN IDs for the dynamic ACs on the peer link. Perform this task when the M-LAG system uses a direct physical link as the peer link.	N/A
vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable	vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable	Manual or controller-based	Disable remote ARP/ND learning. This setting avoids the conflict between automatically learned ARP/ND entries and ARP/ND entries advertised through BGP EVPN.	N/A
vxlan tunnel mac-learning disable	vxlan tunnel mac-learning disable	Manual or controller-based	Disable remote MAC address learning. This setting avoids the conflict between automatically learned MAC address entries and MAC address entries advertised through BGP EVPN.	N/A
vxlan default-decapsulation source interface loopback 0	vxlan default-decapsulation source interface loopback 0	Manual or controller-based	Enable the device to always decapsulate the VXLAN packets destined for the IP address of Loopback 0, whether or not it has a VXLAN tunnel for them.	N/A
vlan all	vlan all	Manual or controller-based	Create VLANs 1 through 4094.	N/A
evpn m-lag group 197.32.241.67	evpn m-lag group 197.32.241.67	Manual or controller-based	Enable EVPN M-LAG and set the virtual VTEP address.	N/A
evpn m-lag local 197.32.241.45 remote 197.32.241.46	evpn m-lag local 197.32.241.46 remote 197.32.241.45	Manual or controller-based	Specify the IP addresses of the local and peer VTEPs in the M-LAG system.	This step is required if the M-LAG system uses an Ethernet aggregate link as the peer link and has ACs attached to only one of the member devices.
evpn global-mac 0c3a-fa36-b035	evpn global-mac 0c3a-fa36-b035	Manual or controller-based	Configure an EVPN global MAC address.	N/A
interface Vsi-interface13342	interface Vsi-interface13342	Manual or controller-based	Create the VSI interface to be used as a distributed EVPN gateway member for compute servers.	N/A
ip binding vpn-instance ZHTESTCTVRF	ip binding vpn-instance ZHTESTCTVRF	Manual or controller-based	Associate the VSI interface with the VPN instance for compute servers.	N/A
ip address 197.32.42.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1042::/64 no-advertise ipv6 address FD00:0:97B0:1042::FFFF/64	ip address 197.32.42.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1042::/64 no-advertise ipv6 address FD00:0:97B0:1042::FFFF/64	Manual or controller-based	Assign an IPv4 address and an IPv6 address to the VSI interface.	N/A
mac-address 6805-ca21-d6e5	mac-address 6805-ca21-d6e5	Manual or controller-based	Assign a MAC address to the distributed EVPN gateway.	N/A
arp route-direct advertise ipv6 nd route-direct advertise	arp route-direct advertise ipv6 nd route-direct advertise	Manual or controller-based	Enable ARP/ND direct route advertisement. Enabled with this feature, ARP/ND advertises ARP/ND entries to the route management module to generate direct routes.	N/A
distributed-gateway local	distributed-gateway local	Manual or controller-based	Enable distributed gateway service on the VSI interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
vsi SDN_VSI_13342	vsi SDN_VSI_13342	Manual or controller-based	Create a VSI to provide access services for the attached compute servers.	N/A
gateway vsi-interface 13342	gateway vsi-interface 13342	Manual or controller-based	Specify the gateway interface for the VSI.	N/A
arp suppression enable ipv6 nd suppression enable	arp suppression enable ipv6 nd suppression enable	Manual or controller-based	Enable ARP/ND flood suppression.	N/A
vxlan 13342	vxlan 13342	Manual or controller-based	Create VXLAN 13342.	N/A
quit	quit	Manual or controller-based	Return to VSI view.	N/A
evpn encapsulation vxlan	evpn encapsulation vxlan	Manual or controller-based	Create a VXLAN EVPN instance on the VSI.	N/A
route-distinguisher auto	route-distinguisher auto	Manual or controller-based	Configure the device to automatically generate an RD for the EVPN instance.	N/A
vpn-target auto export-extcommunity	vpn-target auto export-extcommunity	Manual or controller-based	Configure the device to automatically generate an export RT for the EVPN instance.	N/A
vpn-target auto import-extcommunity	vpn-target auto import-extcommunity	Manual or controller-based	Configure the device to automatically generate an import RT for the EVPN instance.	N/A
quit quit	quit quit	Manual or controller-based	Return to system view.	N/A
interface Vsi-interface13316	interface Vsi-interface13316	Manual or controller-based	Create the VSI interface to be used as a distributed EVPN gateway member for compute servers.	N/A
ip binding vpn-instance ZHTESTCTVRF	ip binding vpn-instance ZHTESTCTVRF	Manual or controller-based	Associate the VSI interface with the VPN instance for compute servers.	N/A
ip address 197.32.162 54 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1016::/64 no-advertise ipv6 address FD00:0:97B0:1016::FFFF/64	ip address 197.32.16.254 255.255.255.0 sub ipv6 nd ra prefix FD00:0:97B0:1016::/64 no-advertise ipv6 address FD00:0:97B0:1016::FFFF/64	Manual or controller-based	Assign an IPv4 address and an IPv6 address to the VSI interface.	N/A
mac-address 6805-ca21-d6e5	mac-address 6805-ca21-d6e5	Manual or controller-based	Assign a MAC address to the distributed EVPN gateway.	N/A
arp route-direct advertise ipv6 nd route-direct advertise	arp route-direct advertise ipv6 nd route-direct advertise	Manual or controller-based	Enable ARP/ND direct route advertisement. Enabled with this feature, ARP/ND advertises ARP/ND entries to the route management module to generate direct routes.	N/A
distributed-gateway local	distributed-gateway local	Manual or controller-based	Enable distributed gateway service on the VSI interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
vsi SDN_VSI_13316	vsi SDN_VSI_13316	Manual or controller-based	Create a VSI to provide access services for the attached compute servers.	N/A
gateway vsi-interface 13316	gateway vsi-interface 13316	Manual or controller-based	Specify the gateway interface for the VSI.	N/A
arp suppression enable ipv6 nd suppression enable	arp suppression enable ipv6 nd suppression enable	Manual or controller-based	Enable ARP/ND flood suppression.	N/A
vxlan 13316	vxlan 13316	Manual or controller-based	Create VXLAN 13313.	N/A
quit	quit	Manual or controller-based	Return to VSI view.	N/A
evpn encapsulation vxlan	evpn encapsulation vxlan	Manual or controller-based	Create a VXLAN EVPN instance on the VSI.	N/A
route-distinguisher auto	route-distinguisher auto	Manual or controller-based	Configure the device to automatically generate an RD for the EVPN instance.	N/A
vpn-target auto export-extcommunity	vpn-target auto export-extcommunity	Manual or controller-based	Configure the device to automatically generate an export RT for the EVPN instance.	N/A
vpn-target auto import-extcommunity	vpn-target auto import-extcommunity	Manual or controller-based	Configure the device to automatically generate an import RT for the EVPN instance.	N/A
quit quit	quit quit	Manual or controller-based	Return to system view.	N/A
interface Vsi-interface10001	interface Vsi-interface10001	Manual or controller-based	Create the VSI interface for L3 connectivity to firewall NS.	N/A
ip binding vpn-instance ZHTESTCTFWNS01VRF	ip binding vpn-instance ZHTESTCTFWNS01VRF	Manual or controller-based	Associate the VSI interface with the VPN instance for firewall NS.	N/A
l3-vni 10001	l3-vni 10001	Manual or controller-based	Assign an L3VNI (also called an L3 VXLAN ID) to the VSI interface.	N/A
ipv6 address auto link-local	ipv6 address auto link-local	Manual or controller-based	Automatically generate a link-local address for the VSI interface.	N/A
interface Vsi-interface10002	interface Vsi-interface10002	Manual or controller-based	Create the VSI interface for L3 connectivity to firewall EW.	N/A
ip binding vpn-instance ZHTESTCTFWEW01VRF	ip binding vpn-instance ZHTESTCTFWEW01VRF	Manual or controller-based	Associate the VSI interface with the VPN instance for firewall EW.	N/A
l3-vni 10002	l3-vni 10002	Manual or controller-based	Assign an L3VNI (also called an L3 VXLAN ID) to the VSI interface.	N/A
ipv6 address auto link-local	ipv6 address auto link-local	Manual or controller-based	Automatically generate a link-local address for the VSI interface.	N/A
interface Vsi-interface10000	interface Vsi-interface10000	Manual or controller-based	Create the VSI interface for L3 connectivity to compute servers.	N/A
ip binding vpn-instance ZHTESTCTVRF	ip binding vpn-instance ZHTESTCTVRF	Manual or controller-based	Associate the VSI interface with the VPN instance for compute servers.	N/A
l3-vni 10000	l3-vni 10000	Manual or controller-based	Assign an L3VNI (also called an L3 VXLAN ID) to the VSI interface.	N/A
ipv6 address auto link-local	ipv6 address auto link-local	Manual or controller-based	Automatically generate a link-local address for the VSI interface.	N/A
bgp 65530	bgp 65530	Manual or controller-based	Enable the specified BGP instance and enter its view.	N/A
non-stop-routing	non-stop-routing	Manual or controller-based	Enable BGP non-stop routing (NSR).	N/A
router-id 197.32.241.45	router-id 197.32.241.46	Manual or controller-based	Specify a unique router ID for the BGP instance on each BGP device.	N/A
group evpn internal	group evpn internal	Manual or controller-based	Create an IBGP peer group named evpn.	N/A
peer evpn connect-interface loopback 0	peer evpn connect-interface loopback 0	Manual or controller-based	Specify a source interface for establishing TCP connections to a peer or peer group.	N/A
peer 197.32.241.37 group evpn	peer 197.32.241.37 group evpn	Manual or controller-based	Add node Spine A to IBGP group evpn.	N/A
peer 197.32.241.38 group evpn	peer 197.32.241.38 group evpn	Manual or controller-based	Add node Spine B to IBGP group evpn.	N/A
address-family l2vpn evpn	address-family l2vpn evpn	Manual or controller-based	Create the BGP EVPN address family and enter its view.	N/A
peer evpn enable	peer evpn enable	Manual or controller-based	Enable BGP to exchange BGP EVPN routes with IBGP peer group evpn.	N/A
quit	quit	Manual or controller-based	Return to BGP instance view.	N/A
ip vpn-instance ZHTESTCTFWEW01VRF	ip vpn-instance ZHTESTCTFWEW01VRF	Manual or controller-based	Create a BGP-VPN instance for the VPN instance that contains firewall EW, and enter BGP-VPN instance view.	N/A
address-family ipv4 unicast	address-family ipv4 unicast	Manual or controller-based	Create the BGP-VPN IPv4 unicast address family and enter its view.	N/A
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
quit	quit	Manual or controller-based	Return to BGP instance view.	N/A
ip vpn-instance ZHTESTCTFWNS01VRF	ip vpn-instance ZHTESTCTFWNS01VRF	Manual or controller-based	Create a BGP-VPN instance for the VPN instance that contains firewall NS, and enter BGP-VPN instance view.	N/A
address-family ipv4 unicast	address-family ipv4 unicast	Manual or controller-based	Create the BGP-VPN IPv4 unicast address family and enter its view.	N/A
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
quit	quit	Manual or controller-based	Return to BGP instance view.	N/A
ip vpn-instance ZHTESTCTVRF	ip vpn-instance ZHTESTCTVRF	Manual or controller-based	Create a BGP-VPN instance for the VPN instance that contains compute servers, and enter BGP-VPN instance view.	N/A
address-family ipv4 unicast	address-family ipv4 unicast	Manual or controller-based	Create the BGP-VPN IPv4 unicast address family and enter its view.	N/A
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
network 197.32.42.0 255.255.255.0 network 197.32.42.254 255.255.255.255 network 197.32.42.9 255.255.255.255	network 197.32.42.0 255.255.255.0 network 197.32.42.254 255.255.255.255 network 197.32.42.9 255.255.255.255	Manual or controller-based	Specify the local networks to be advertised by BGP.	N/A
address-family ipv6 unicast	address-family ipv6 unicast	Manual or controller-based	Create the BGP-VPN IPv6 unicast address family and enter its view.	N/A
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
network FD00:0:97B0:1042:: 64 network FD00:0:97B0:1042::FFFF 128	network FD00:0:97B0:1042:: 64 network FD00:0:97B0:1042::FFFF 128	Manual or controller-based	Specify the local networks to be advertised by BGP.	N/A

Configuring ACs

Leaf 5 (S6850)	Leaf 6 (S6850)	Configuration method	Description	Remarks
interface Twenty-FiveGigE 1/0/2	interface Twenty-FiveGigE 1/0/6	Manual or controller-based	Enter the view of the physical port connected to compute servers.	N/A
port link-type trunk	port link-type trunk	Manual or controller-based	Set the link type of the physical port to trunk.	N/A
undo port trunk permit vlan 1	undo port trunk permit vlan 1	Manual or controller-based	Remove the port from VLAN 1.	N/A
port trunk permit vlan 3342	port trunk permit vlan 3316	Manual or controller-based	Assign the port to a VLAN.	N/A
port trunk pvid vlan 3342	port trunk pvid vlan 3316	Manual or controller-based	Set the PVID of the port.	N/A
service-instance 3342	service-instance 3316	Manual or controller-based	Create an Ethernet service instance.	N/A
encapsulation untagged	encapsulation untagged	Manual or controller-based	Configure the Ethernet service instance to match any frames that do not have an 802.1Q VLAN tag.	N/A
xconnect vsi SDN_VSI_13342 access-mode ethernet	xconnect vsi SDN_VSI_13316 access-mode ethernet	Manual or controller-based	Map the Ethernet service instance to the specified VSI.	N/A

Configuring border devices (Border1 and Border2)

Procedure summary

· Configuring the device modes

· Configuring the routing protocols on the underlay network

· Configuring L3VPNs

· Setting up the M-LAG system and the peer link

· Configuring the M-LAG aggregate links connecting border devices to the Layer 3 device on the external network

· Configuring the links connecting border devices to spine devices

· Configuring the EVPN distributed gateways

Configuring the device modes

For how to configure the device modes, see ADDC solution deployment guides. The mode-related configurations might include the following types:

· Hardware resource mode configuration (for example, the hardware-resource switch-mode command on S6850 switches).

· Support for IPv6 routes with the prefix longer than 64 bits (for example, the hardware-resource routing-mode ipv6-128 command on S6850 switches).

· VXLAN hardware resource mode configuration (for example, the hardware-resource vxlan command on S6850 switches).

Configuring the routing protocols on the underlay network

Border1 (S6850)	Border2 (S6850)	Configuration method	Description	Remarks
router id 197.32.241.47	router id 197.32.241.48	Manual or controller-based	Configure a router ID.	N/A
ospf 65530	ospf 65530	Manual or controller-based	Enable OSPF process 65530.	N/A
non-stop-routing	non-stop-routing	Manual or controller-based	Enable OSPF NSR.	N/A
stub-router include-stub on-startup 900	stub-router include-stub on-startup 900	Manual or controller-based	Configure the router as a stub router during reboot and specify the timeout time. Specify the cost of the stub links (link type 3) in Router LSAs to the maximum value 65535.	Execute this command to accelerate network convergence.
area 0.0.0.0	area 0.0.0.0	Manual or controller-based	Create OSPF area 0.0.0.0.	N/A
interface LoopBack0	interface LoopBack0	Manual or controller-based	Create interface Loopback 0 and enter its view.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on interface Loopback 0.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface LoopBack2	interface LoopBack2	Manual or controller-based	Create interface Loopback 2 and enter its view.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on interface Loopback 2.	N/A

Configuring L3VPNs

Border1 (S6850)	Border2 (S6850)	Configuration method	Description	Remarks
interface LoopBack0	interface LoopBack0	Manual or controller-based	Configure interface Loopback 0.	N/A
ip address 197.32.241.47 255,255,255,255	ip address 197.32.241.48 255.255.255.255	Manual or controller-based	Assign an IP address to interface Loopback 0.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface LoopBack2	interface LoopBack2	Manual or controller-based	Configure interface Loopback 2.	N/A
ip address 197.32.241.86 255,255,255,255	ip address 197.32.241.86 255.255.255.255	Manual or controller-based	Assign an IP address to interface Loopback 2.	N/A
ip vpn-instance auto-online-mlag	ip vpn-instance auto-online-mlag	Manual or controller-based	Create a VPN instance for the M-LAG keepalive link.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
ip vpn-instance mgmt	ip vpn-instance mgmt	Manual or controller-based	Create a VPN instance for the management port.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
ip vpn-instance ZHTESTCTVRF route-distinguisher 7:10000 address-family ipv4 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family ipv6 route-replicate from vpn-instance ZHTESTCTVRF protocol vlink-direct vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity address-family evpn vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit	ip vpn-instance ZHTESTCTVRF route-distinguisher 8:10000 address-family ipv4 vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit address-family ipv6 route-replicate from vpn-instance ZHTESTCTVRF protocol vlink-direct vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity address-family evpn vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 import-extcommunity vpn-target 0:10000 1:10000 0.39.18.0:10000 0.39.17.0:10000 export-extcommunity quit	Manual or controller-based	Configure the VPN instance for user services. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4 address family and EVPN address family.	For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other.
quit	quit	Manual or controller-based	Return to system view.	N/A
ip vpn-instance ZHTESTCTFWNS01VRF route-distinguisher 7:10001 address-family ipv4 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit	ip vpn-instance ZHTESTCTFWNS01VRF route-distinguisher 8:10001 address-family ipv4 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10001 1:10001 0.39.17.0:10000 import-extcommunity vpn-target 0:10001 1:10001 0.39.17.0:10000 export-extcommunity quit	Manual or controller-based	Configure the VPN instance for the north-south firewall service. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4 address family and EVPN address family.	For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other.
quit	quit	Manual or controller-based	Return to system view.	N/A
ip vpn-instance ZHTESTCTFWEW01VRF route-distinguisher 7:10002 address-family ipv4 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit	ip vpn-instance ZHTESTCTFWEW01VRF route-distinguisher 8:10002 address-family ipv4 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family ipv6 vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit address-family evpn vpn-target 0:10002 1:10002 0.39.18.0:10000 import-extcommunity vpn-target 0:10002 1:10002 0.39.18.0:10000 export-extcommunity quit	Manual or controller-based	Configure the VPN instance for the east-west firewall service. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4 address family and EVPN address family.	For two devices to learn routes from each other in the VPN instance, make sure the import RTs on one device match the export RTs on the other.
ip vpn-instance external_vpn_1001 route-distinguisher 1:1001 address-family ipv4 vpn-target 0:1001 1:1001 1:10000 import-extcommunity vpn-target 1:1001 export-extcommunity address-family ipv6 vpn-target 0:1001 1:1001 1:10000 import-extcommunity vpn-target 1:1001 export-extcommunity address-family evpn vpn-target 0:1001 1:1001 1:10000 import-extcommunity vpn-target 1:1001 export-extcommunity	ip vpn-instance external_vpn_1001 route-distinguisher 2:1001 address-family ipv4 vpn-target 0:1001 1:1001 1:10000 import-extcommunity vpn-target 1:1001 export-extcommunity address-family ipv6 vpn-target 0:1001 1:1001 1:10000 import-extcommunity vpn-target 1:1001 export-extcommunity address-family evpn vpn-target 0:1001 1:1001 1:10000 import-extcommunity vpn-target 1:1001 export-extcommunity	Manual or controller-based	Configure the VPN instance for the external network users. Set an RD for the VPN instance, and set the import and export RTs for the VPN instance IPv4 address family and EVPN address family.	N/A
ip route-static vpn-instance ZHTESTCTVRF 0.0.0.0 0 vpn-instance external_vpn_1001 197.32.224.18	ip route-static vpn-instance ZHTESTCTVRF 0.0.0.0 0 vpn-instance external_vpn_1001 197.32.224.18	Manual or controller-based	Configure the default IPv4 route from the VPN instance of the user services to the Layer 3 devices in the VPN instance of the external network.	N/A
ipv6 route-static vpn-instance ZHTESTCTVRF :: 0 vpn-instance external_vpn_1001 FD00:0:97B0:2::F description SDN_ROUTE	ipv6 route-static vpn-instance ZHTESTCTVRF :: 0 vpn-instance external_vpn_1001 FD00:0:97B0:2::F description SDN_ROUTE	Manual or controller-based	Configure the default IPv6 route from the VPN instance of the user services to the Layer 3 devices in the VPN instance of the external network.	N/A

Setting up the M-LAG system and the peer link

Border1 (S6850)	Border2 (S6850)	Configuration method	Description	Remarks
m-lag system-mac 0c3a-fa38-9c5f	m-lag system-mac 0c3a-fa38-9c5f	Manual or controller-based	Set the MAC address of the M-LAG system.	You must assign the same M-LAG system MAC address to the member devices in an M-LAG system.
m-lag system-number 1	m-lag system-number 2	Manual or controller-based	Set the M-LAG system number.	You must assign different M-LAG system numbers to the member devices in an M-LAG system.
m-lag system-priority 10	m-lag system-priority 10	Manual or controller-based	Set the M-LAG system priority.	You must set the same M-LAG system priority on the member devices in an M-LAG system.
m-lag keepalive ip destination 197.32.241.94 source 197.32.241.93 vpn-instance auto-online-mlag	m-lag keepalive ip destination 197.32.241.93 source 197.32.241.94 vpn-instance auto-online-mlag	Manual or controller-based	Configure the destination and source IP addresses of keepalive packets.	The source and destination IP addresses specified on one member device must be the destination and source IP addresses specified on the other, respectively.
m-lag restore-delay 300	m-lag restore-delay 300	Manual or controller-based	Set the data restoration interval. This parameter specifies the maximum amount of time for the secondary M-LAG member device to synchronize data with the primary M-LAG member device during M-LAG system setup.	To avoid packet loss and forwarding failure, increase the data restoration interval if the amount of data is large, for example, when the device has a large number of routes and interfaces.
m-lag mad default-action none	m-lag mad default-action none	Manual or controller-based	Set the M-LAG MAD action to none.	When the M-LAG system splits, M-LAG MAD will not shut down any network interfaces, except the interfaces configured manually or by the system to be shut down by M-LAG MAD.
m-lag mad include interface HundredGigE1/0/25 m-lag mad include interface HundredGigE1/0/26	m-lag mad include interface HundredGigE1/0/25 m-lag mad include interface HundredGigE1/0/26	Manual or controller-based	Configure M-LAG MAD to shut down the uplink interfaces when the M-LAG system splits.	N/A
interface Twenty-FiveGigE 1/0/54	interface Twenty-FiveGigE 1/0/54	Manual or controller-based	Enter the interface view for the keepalive link.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the interface for the keepalive link to operate in route mode as a Layer 3 interface.	N/A
ip binding vpn-instance auto-online-mlag	ip binding vpn-instance auto-online-mlag	Manual or controller-based	Associate the interface for the keepalive link with a VPN instance.	N/A
ip address 197.32.241.93 255,255,255,252	ip address 197.32.241.94 255.255.255.252	Manual or controller-based	Assign an IP address to the interface for the keepalive link.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface bridge-aggregation 256	interface bridge-aggregation 256	Manual or controller-based	Create the Layer 2 aggregate interface to be used as peer-link interface, and enter interface view.	N/A
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual or controller-based	Configure the aggregate interface to operate in dynamic aggregation mode.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface HundredGigE1/0/31	interface HundredGigE1/0/31	Manual or controller-based	Enter the view of the physical port for the peer link.	N/A
port link-aggregation group 256	port link-aggregation group 256	Manual or controller-based	Assign the physical port for the peer link to the aggregation group (aggregation group 256).	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface bridge-aggregation 256	interface bridge-aggregation 256	Manual or controller-based	Create the Layer 2 aggregate interface to be used as peer-link interface, and enter interface view.	N/A
port m-lag peer-link 1	port m-lag peer-link 1	Manual or controller-based	Specify the aggregate interface (Bridge-Aggregation 256) as the peer-link interface.	N/A
port trunk pvid vlan 4094	port trunk pvid vlan 4094	Manual or controller-based	Set the PVID of the trunk port to 4094.	N/A
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual or controller-based	Disable the static source check feature on the interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface Vlan-interface 4094	interface Vlan-interface 4094	Manual or controller-based	Create a VLAN interface on each of the M-LAG member devices to establish Layer 3 connectivity for forwarding packets from devices single-homed to only one M-LAG interface. This example uses VLAN-interface 4094.	N/A
ip address 197.32.241.147 255.255.255.0	ip address 197.32.241.148 255.255.255.0	Manual or controller-based	Assign an IP address to VLAN-interface 4094.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Configure OSPF on VLAN-interface 4094.	N/A

Configuring the M-LAG aggregate links connecting border devices to the Layer 3 device on the external network

Border1 (S6850)	Border2 (S6850)	Configuration method	Description	Remarks
interface bridge-aggregation 257	interface bridge-aggregation 257	Manual or controller-based	Create an M-LAG aggregate interface connecting to the Layer 3 device on the external network.	N/A
link-aggregation mode dynamic	link-aggregation mode dynamic	Manual or controller-based	Configure the aggregate interface connecting to the Layer 3 device on the external network to operate in dynamic aggregation mode.	N/A
port m-lag group 1	port m-lag group 1	Manual or controller-based	Assign the aggregate interface (Bridge-Aggregation 257) to M-LAG group 1.	N/A
port link-type trunk	port link-type trunk	Manual or controller-based	Set the link type of M-LAG aggregate interface 257 to trunk.	N/A
port trunk permit vlan 1 1001	port trunk permit vlan 1 1001	Manual or controller-based	Assign M-LAG aggregate interface 257 to VLAN 1001.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface HundredGigE1/0/51	interface HundredGigE1/0/51	Manual or controller-based	Enter the view of the physical interface connecting to the Layer 3 device on the external network.	N/A
port link-type trunk	port link-type trunk	Manual or controller-based	Set the link type to trunk for the physical interface connecting to the Layer 3 device on the external network.	N/A
port trunk permit vlan 1 1001	port trunk permit vlan 1 1001	Manual or controller-based	Assign the physical interface connecting to the Layer 3 device on the external network to VLAN 1001.	N/A
port link-aggregation group 257	port link-aggregation group 257	Manual or controller-based	Assign the physical interface connecting to the Layer 3 device on the external network to aggregation group 257.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface Vlan-interface1001	interface Vlan-interface1001	N/A	Configure the VLAN interface connecting to the Layer 3 device on the external network.	N/A
ip binding vpn-instance external_vpn_1001	ip binding vpn-instance external_vpn_1001	N/A	Associate the VLAN interface connecting to the Layer 3 device on the external network with a VPN instance, which is different from the VPN instance of user services.	N/A
ip address 197.32.224.17 255.255.255.252 sub	ip address 197.32.224.17 255.255.255.252 sub	N/A	Configure the IP address for connecting to the Layer 3 device on the external network to implement a dual-active gateway.	N/A
mac-address 3c8c-404e-dd46	mac-address 3c8c-404e-dd46	N/A	Assign a MAC address to the interface connecting to the Layer 3 device on the external network.	N/A
ipv6 address FD00:0:97B0:2::1/64	ipv6 address FD00:0:97B0:2::1/64	N/A	Assign an IPv6 address to the interface connecting to the Layer 3 device on the external network.	N/A

Configuring the links connecting border devices to spine devices

Border1 (S6850)	Border2 (S6850)	Configuration method	Description	Remarks
interface HundredGigE1/0/25	interface HundredGigE1/0/25	Manual or controller-based	Enter the view of the uplink interface, the physical interface connecting to Spine A.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the uplink interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface LoopBack0	ip address unnumbered interface LoopBack0	Manual or controller-based	Configure the uplink interface to borrow the IP address of interface Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the uplink interface.	N/A
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual or controller-based	Disable source MAC check on the uplink interface.	N/A
lldp compliance admin-status cdp txrx	lldp compliance admin-status cdp txrx	Manual or controller-based	Configure CDP-compatible LLDP to operate in TxRx mode.	In this mode, LLDP both sends and receives CDP packets.
lldp management-address arp-learning	lldp management-address arp-learning	Manual or controller-based	Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface.	N/A
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0	lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0	Manual or controller-based	Configure advertisable TLVs on the interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface HundredGigE1/0/26	interface HundredGigE1/0/26	Manual or controller-based	Enter the view of the uplink interface, the physical interface connecting to Spine B.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the uplink interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface LoopBack0	ip address unnumbered interface LoopBack0	Manual or controller-based	Configure the uplink interface to borrow the IP address of interface Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the uplink interface.	N/A
undo mac-address static source-check enable	undo mac-address static source-check enable	Manual or controller-based	Disable source MAC check on the uplink interface.	N/A
lldp compliance admin-status cdp txrx	lldp compliance admin-status cdp txrx	Manual or controller-based	Configure CDP-compatible LLDP to operate in TxRx mode.	In this mode, LLDP both sends and receives CDP packets.
lldp management-address arp-learning	lldp management-address arp-learning	Manual or controller-based	Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface.	N/A
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0	lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0	Manual or controller-based	Configure advertisable TLVs on the interface.	N/A

Configuring the EVPN distributed gateways

Border1 (S6850)	Border2 (S6850)	Configuration method	Description	Remarks
l2vpn enable	l2vpn enable	Manual or controller-based	Enable L2VPN.	N/A
l2vpn m-lag peer-link ac-match-rule vxlan-mapping	l2vpn m-lag peer-link ac-match-rule vxlan-mapping	Manual or controller-based	Enable the device to create frame match criteria based on VXLAN IDs for the dynamic ACs on the peer link. Perform this task when the M-LAG system uses a direct physical link as the peer link.	N/A
vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable	vxlan tunnel arp-learning disable vxlan tunnel nd-learning disable	Manual or controller-based	Disable remote ARP/ND learning.	This setting avoids the conflict between automatically learned ARP/ND entries and ARP/ND entries advertised through EVPN.
vxlan tunnel mac-learning disable	vxlan tunnel mac-learning disable	Manual or controller-based	Disable remote MAC address learning.	This setting avoids the conflict between automatically learned MAC address entries and MAC address entries advertised through EVPN.
vxlan default-decapsulation source interface LoopBack0	vxlan default-decapsulation source interface LoopBack0	Manual or controller-based	Enable the device to always decapsulate the VXLAN packets destined for the IP address of Loopback 0, whether or not it has a VXLAN tunnel for them.	N/A
vlan all	vlan all	Manual or controller-based	Bulk create VLANs 1 through 4094.	N/A
evpn m-lag group 197.32.241.86	evpn m-lag group 197.32.241.86	Manual or controller-based	Enable EVPN M-LAG and specify the virtual VTEP address.	N/A
evpn global-mac 0c3a-fa38-2211	evpn global-mac 0c3a-fa38-2211	Manual or controller-based	Configure an EVPN global MAC address.	N/A
interface Vsi-interface1001	interface Vsi-interface1001	Manual or controller-based	Create the VSI interface to be associated with the L3VNI of the external network device.	N/A
ip binding vpn-instance external_vpn_1001	ip binding vpn-instance external_vpn_1001	Manual or controller-based	Bind the interface to the VPN instance of the external network device.	N/A
l3-vni 1001	l3-vni 1001	Manual or controller-based	Associate the interface with an L3VNI.	N/A
interface Vsi-interface 10001	interface Vsi-interface 10001	Manual or controller-based	Create the VSI interface to be associated with the L3VNI of the north-south firewall.	N/A
ip binding vpn-instance ZHTESTCTFWNS01VRF	ip binding vpn-instance ZHTESTCTFWNS01VRF	Manual or controller-based	Bind the interface to the VPN instance of the north-south firewall.	N/A
l3-vni 10001	l3-vni 10001	Manual or controller-based	Associate the interface with an L3VNI.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface Vsi-interface 10002	interface Vsi-interface 10002	Manual or controller-based	Create the VSI interface to be associated with the L3VNI of the east-west firewall.	N/A
ip binding vpn-instance ZHTESTCTFWEW01VRF	ip binding vpn-instance ZHTESTCTFWEW01VRF	Manual or controller-based	Bind the interface to the VPN instance of the east-west firewall.	N/A
l3-vni 10002	l3-vni 10002	Manual or controller-based	Associate the interface with an L3VNI.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface Vsi-interface10000	interface Vsi-interface10000	Manual or controller-based	Create the VSI interface to be associated with the L3VNI of the server.	N/A
ip binding vpn-instance ZHTESTCTVRF	ip binding vpn-instance ZHTESTCTVRF	Manual or controller-based	Bind the interface to the VPN instance of the server.	N/A
l3-vni 10000	l3-vni 10000	Manual or controller-based	Associate the interface with an L3VNI.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
bgp 65530	bgp 65530	Manual or controller-based	Enable the BGP instance and enter BGP instance view.	N/A
non-stop-routing	non-stop-routing	Manual or controller-based	Enable BGP NSR.	N/A
router-id 197.32.241.47	router-id 197.32.241.48	Manual or controller-based	Specify a router ID for the BGP instance.	N/A
group evpn internal	group evpn internal	Manual or controller-based	Create an IBGP peer group named evpn.	N/A
peer evpn connect-interface LoopBack0	peer evpn connect-interface LoopBack0	Manual or controller-based	Specify a source interface for establishing TCP connections to the peer group.	N/A
peer 197.32.241.37 group evpn	peer 197.32.241.37 group evpn	Manual or controller-based	Add node Spine A to IBGP group evpn.	N/A
peer 197.32.241.38 group evpn	peer 197.32.241.38 group evpn	Manual or controller-based	Add node Spine B to IBGP group evpn.	N/A
address-family l2vpn evpn	address-family l2vpn evpn	Manual or controller-based	Create the BGP EVPN address family and enter its view.	N/A
peer evpn enable	peer evpn enable	Manual or controller-based	Enable BGP to exchange BGP EVPN routes with peer group evpn.	N/A
nexthop evpn-m-lag group-address	nexthop evpn-m-lag group-address	Manual or controller-based	Enable the device to replace the next hop in advertised BGP EVPN routes with the virtual VTEP address.	Execute this command on the border M-LAG system to advertise its virtual address tunnel.
ip vpn-instance ZHTESTCTFWEW01VRF	ip vpn-instance ZHTESTCTFWEW01VRF	Manual or controller-based	Enter the view of the BGP-VPN instance of the east-west firewall.	N/A
address-family ipv4 unicast	address-family ipv4 unicast	Manual or controller-based	Enter BGP-VPN IPv4 unicast address family view.	N/A
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
address-family ipv6 unicast	address-family ipv6 unicast	Manual or controller-based	Enter BGP-VPN IPv6 unicast address family view.	N/A
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
ip vpn-instance ZHTESTCTFWNS01VRF	ip vpn-instance ZHTESTCTFWNS01VRF	Manual or controller-based	Enter the view of the BGP-VPN instance of the north-south firewall.	N/A
address-family ipv4 unicast	address-family ipv4 unicast	Manual or controller-based	Enter BGP-VPN IPv4 unicast address family view.	N/A
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
address-family ipv6 unicast	address-family ipv6 unicast	Manual or controller-based	Enter BGP-VPN IPv6 unicast address family view.	N/A
balance 4	balance 4	Manual or controller-based	Enable load balancing and set the maximum number of BGP ECMP routes for load balancing.	N/A
ip vpn-instance ZHTESTCTVRF	ip vpn-instance ZHTESTCTVRF	Manual or controller-based	Enter the view of the BGP-VPN instance of the server.	N/A
address-family ipv4 unicast default-route imported balance 4 import-route static	address-family ipv4 unicast default-route imported balance 4 import-route static	Manual or controller-based	Enter BGP-VPN IPv4 unicast address family view and configure routes to be redistributed into BGP.	N/A
address-family ipv6 unicast default-route imported balance 4 import-route static	address-family ipv6 unicast default-route imported balance 4 import-route static	Manual or controller-based	Enter BGP-VPN IPv6 unicast address family view and configure routes to be redistributed into BGP.	N/A
ip vpn-instance external_vpn_1001 address-family ipv4 unicast balance 4 network 197.32.224.16 255.255.255.252 network 197.32.224.18 255.255.255.255 address-family ipv6 unicast balance 4 network FD00:0:97B0:2:: 64 network FD00:0:97B0:2::F 128	ip vpn-instance external_vpn_1001 address-family ipv4 unicast balance 4 network 197.32.224.16 255.255.255.252 network 197.32.224.18 255.255.255.255 address-family ipv6 unicast balance 4 network FD00:0:97B0:2:: 64 network FD00:0:97B0:2::F 128	Manual or controller-based	Enter the view of the BGP-VPN instance connecting to the Layer 3 device on the external network. Enter BGP-VPN IPv4/IPv6 unicast address family view. Inject networks to the BGP routing table and configure BGP to advertise the networks.	N/A

Configuring the spine devices

Procedure summary

· Configuring the routing protocols on the underlay network

· Configuring the links connecting spine devices to leaf/border devices

· Configuring the spine devices as route reflectors

Configuring the routing protocols on the underlay network

Spine A (S12500X)	Spine B (S12500X)	Configuration method	Description	Remarks
interface LoopBack0	interface LoopBack0	Manual or controller-based	Create interface Loopback 0 and enter its view.	N/A
ip address 197.32.241.37 255.255.255.255	ip address 197.32.241.38 255.255.255.255	Manual or controller-based	Assign an IP address to interface Loopback 0.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
router id 197.32.241.37	router id 197.32.241.38	Manual or controller-based	Configure a router ID.	N/A
ospf 65530	ospf 65530	Manual or controller-based	Enable OSPF process 65530.	N/A
non-stop-routing	non-stop-routing	Manual or controller-based	Enable OSPF NSR.	N/A
stub-router include-stub on-startup 900	stub-router include-stub on-startup 900	Manual or controller-based	Configure the router as a stub router during reboot and specify the timeout time. Specify the cost of the stub links (link type 3) in Router LSAs to the maximum value 65535.	Execute this command to accelerate network convergence.
area 0.0.0.0	area 0.0.0.0	Manual or controller-based	Create OSPF area 0.0.0.0.	N/A
quit quit	quit quit	Manual or controller-based	Return to system view.	N/A
interface LoopBack0	interface LoopBack0	Manual or controller-based	Create interface Loopback 0 and enter its view.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on interface Loopback 0.	N/A

Configuring the links connecting spine devices to leaf/border devices

Spine A (S12500X)	Spine B (S12500X)	Configuration method	Description	Remarks
interface HundredGigE1/0/1	interface HundredGigE1/0/1	Manual or controller-based	Enter the view of the downlink interface, the physical interface connecting to Leaf 1.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the downlink interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface LoopBack0	ip address unnumbered interface LoopBack0	Manual or controller-based	Configure the downlink interface to borrow the IP address of interface Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the downlink interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface HundredGigE1/0/2	interface HundredGigE1/0/2	Manual or controller-based	Enter the view of the downlink interface, the physical interface connecting to Leaf 2.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the downlink interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface LoopBack0	ip address unnumbered interface LoopBack0	Manual or controller-based	Configure the downlink interface to borrow the IP address of interface Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the downlink interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface HundredGigE1/0/3	interface HundredGigE1/0/3	Manual or controller-based	Enter the view of the downlink interface, the physical interface connecting to Leaf 3.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the downlink interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface LoopBack0	ip address unnumbered interface LoopBack0	Manual or controller-based	Configure the downlink interface to borrow the IP address of interface Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the downlink interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface HundredGigE1/0/4	interface HundredGigE1/0/4	Manual or controller-based	Enter the view of the downlink interface, the physical interface connecting to Leaf 4.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the downlink interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface LoopBack0	ip address unnumbered interface LoopBack0	Manual or controller-based	Configure the downlink interface to borrow the IP address of interface Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the downlink interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface HundredGigE1/0/5	interface HundredGigE1/0/5	Manual or controller-based	Enter the view of the downlink interface, the physical interface connecting to Leaf 5.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the downlink interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface LoopBack0	ip address unnumbered interface LoopBack0	Manual or controller-based	Configure the downlink interface to borrow the IP address of interface Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the downlink interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface HundredGigE1/0/6	interface HundredGigE1/0/6	Manual or controller-based	Enter the view of the downlink interface, the physical interface connecting to Leaf 6.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the downlink interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface LoopBack0	ip address unnumbered interface LoopBack0	Manual or controller-based	Configure the downlink interface to borrow the IP address of interface Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the downlink interface.	N/A
quit	quit	Manual or controller-based	Return to system view.	N/A
interface HundredGigE1/0/7	interface HundredGigE1/0/7	Manual or controller-based	Enter the view of the uplink interface, the physical interface connecting to Border1.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the uplink interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface LoopBack0	ip address unnumbered interface LoopBack0	Manual or controller-based	Configure the uplink interface to borrow the IP address of interface Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the uplink interface.	N/A
quit	quit	Manual or controller-based	N/A	N/A
interface HundredGigE1/0/8	interface HundredGigE1/0/8	Manual or controller-based	Enter the view of the uplink interface, the physical interface connecting to Border2.	N/A
port link-mode route	port link-mode route	Manual or controller-based	Configure the uplink interface to operate in route mode as a Layer 3 interface.	N/A
ip address unnumbered interface LoopBack0	ip address unnumbered interface LoopBack0	Manual or controller-based	Configure the uplink interface to borrow the IP address of interface Loopback 0.	N/A
ospf network-type p2p	ospf network-type p2p	Manual or controller-based	Set the OSPF network type of the interface to P2P.	N/A
ospf 65530 area 0.0.0.0	ospf 65530 area 0.0.0.0	Manual or controller-based	Enable OSPF on the uplink interface.	N/A
quit	quit	Manual or controller-based	N/A	N/A
interface range HundredGigE1/0/1 to HundredGigE1/0/8	interface range HundredGigE1/0/1 to HundredGigE1/0/8	Manual or controller-based	Enter the view of the interfaces connecting to leaf devices.	N/A
lldp compliance admin-status cdp txrx	lldp compliance admin-status cdp txrx	Manual or controller-based	Configure CDP-compatible LLDP to operate in TxRx mode.	In this mode, LLDP both sends and receives CDP packets.
lldp management-address arp-learning	lldp management-address arp-learning	Manual or controller-based	Enable the device to generate an ARP entry after it receives an LLDP frame that contains a management address TLV on the interface.	N/A
lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0	lldp tlv-enable basic-tlv management-address-tlv interface LoopBack0	Manual or controller-based	Configure advertisable TLVs on the interface.	N/A

Configuring the spine devices as route reflectors

Spine A (S12500X)	Spine B (S12500X)	Configuration method	Description	Remarks
bgp 65530	bgp 65530	Manual or controller-based	Enable the BGP instance and enter BGP instance view.	N/A
non-stop-routing	non-stop-routing	Manual or controller-based	Enable BGP NSR.	N/A
router-id 197.32.241.37	router-id 197.32.241.38	Manual or controller-based	Specify a router ID for the BGP instance.	N/A
group evpn internal	group evpn internal	Manual or controller-based	Create an IBGP peer group named evpn.	N/A
peer evpn connect-interface LoopBack0	peer evpn connect-interface LoopBack0	Manual or controller-based	Specify a source interface for establishing TCP connections to the peer group.	N/A
peer 197.32.241.41 group evpn	peer 197.32.241.41 group evpn	Manual or controller-based	Added Leaf 1 to peer group evpn.	N/A
peer 197.32.241.42 group evpn	peer 197.32.241.42 group evpn	Manual or controller-based	Added Leaf 2 to peer group evpn.	N/A
peer 197.32.241.43 group evpn	peer 197.32.241.43 group evpn	Manual or controller-based	Added Leaf 3 to peer group evpn.	N/A
peer 197.32.241.44 group evpn	peer 197.32.241.44 group evpn	Manual or controller-based	Added Leaf 4 to peer group evpn.	N/A
peer 197.32.241.45 group evpn	peer 197.32.241.45 group evpn	Manual or controller-based	Added Leaf 5 to peer group evpn.	N/A
peer 197.32.241.46 group evpn	peer 197.32.241.46 group evpn	Manual or controller-based	Added Leaf 6 to peer group evpn.	N/A
peer 197.32.241.47 group evpn	peer 197.32.241.47 group evpn	Manual or controller-based	Added Border 1 to peer group evpn.	N/A
peer 197.32.241.48 group evpn	peer 197.32.241.48 group evpn	Manual or controller-based	Added Border 2 to peer group evpn.	N/A
address-family l2vpn evpn	address-family l2vpn evpn	Manual or controller-based	Create the BGP EVPN address family and enter its view.	N/A
undo policy vpn-target	undo policy vpn-target	Manual or controller-based	Disable route target-based filtering of incoming BGP EVPN routes.	N/A
peer evpn enable	peer evpn enable	Manual or controller-based	Enable BGP to exchange BGP EVPN routes with peer group evpn.	N/A
peer evpn reflect-client	peer evpn reflect-client	Manual or controller-based	Configure the spine node as a route reflector and specify peer group evpn as a client.	N/A

Configuring the links connecting the east-west/north-south firewalls to leaf devices

East-west firewall	North-south firewall	Configuration method	Description	Remarks
vlan 999 1000	vlan 997 998	Manual or controller-based	Bulk create VLANs 1 through 4094.	N/A
interface Vlan-interface 999 ip address 197.32.224.30 255.255.255.252 ipv6 address FD00:0:97B0:102::F/64 quit	interface Vlan-interface 997 ip address 197.32.224.22 255.255.255.252 ipv6 address FD00:0:97B0:100::F/64 quit	Manual or controller-based	Configure a VLAN interface for forwarding packets at Layer 3.	N/A
interface Vlan-interface1000 ip address 197.32.224.34 255.255.255.252 ipv6 address FD00:0:97B0:103::F/64 quit	interface Vlan-interface 998 ip address 197.32.224.26 255.255.255.252 ipv6 address FD00:0:97B0:101::F/64 quit	Manual or controller-based	Configure a VLAN interface for forwarding packets at Layer 3.	N/A
interface Bridge-Aggregation257 port link-type trunk port trunk permit vlan all link-aggregation mode dynamic quit	interface Bridge-Aggregation258 port link-type trunk port trunk permit vlan all link-aggregation mode dynamic quit	Manual or controller-based	Configure the firewall to access the M-LAG system formed by leaf devices through an aggregate interface.	N/A
interface HundredGigE2/0/29 port link-mode bridge port link-type trunk port trunk permit vlan all flow-interval 5 port link-aggregation group 257 quit	interface HundredGigE3/0/29 port link-mode bridge port link-type trunk port trunk permit vlan all flow-interval 5 port link-aggregation group 258 quit	Manual or controller-based	Assign the physical interface connecting to Leaf 1 to an aggregation group.	N/A
interface HundredGigE2/0/30 port link-mode bridge port link-type trunk port trunk permit vlan all flow-interval 5 port link-aggregation group 257 quit	interface HundredGigE3/0/30 port link-mode bridge port link-type trunk port trunk permit vlan all flow-interval 5 port link-aggregation group 258 quit	Manual or controller-based	Assign the physical interface connecting to Leaf 2 to an aggregation group.	N/A
ip route-static 197.32.0.0 16 197.32.224.33 ipv6 route-static FD00:0:97B0::/24 FD00:0:97B0:103::1	ip route-static 197.32.0.0 16 197.32.224.25 ipv6 route-static FD00:0:97B0::/24 FD00:0:97B0:101::1	Manual or controller-based	Create static routes for routing traffic back to the connected M-LAG system at the leaf tier.	This setting is for illustration only. In a real deployment, you can configure a firewall by using any method as long as the firewall can return the traffic to the VXLAN network back to the leaf device connected to it.

Configuring the links connecting L3 devices and border devices

L3 device	Configuration method	Description	Remarks
vlan all	Manual or controller-based	Bulk create VLANs 1 through 4094.	N/A
interface Vlan-interface1001	Manual or controller-based	Configure VLAN-interface 1001 for forwarding packets at Layer 3 to the external network.	N/A
ip address 197.32.225.18 255.255.255.252	Manual or controller-based	Assign an IPv4 address to an interface.	N/A
ipv6 address FD00:1:97B0:2::F/64	Manual or controller-based	Assign an IPv6 address to an interface.	N/A
interface Bridge-Aggregation257 port link-type trunk port trunk permit vlan 1001 link-aggregation mode dynamic quit	Manual or controller-based	Configure the aggregate interface to access the M-LAG system formed by border devices.	N/A
interface HundredGigE4/0/29 port link-mode bridge port link-type trunk port trunk permit vlan 1001 flow-interval 5 port link-aggregation group 257 quit	Manual or controller-based	Assign the physical interface connecting to Border1 to an aggregation group.	N/A
interface HundredGigE4/0/30 port link-mode bridge port link-type trunk port trunk permit vlan1001 flow-interval 5 port link-aggregation group 257 quit	Manual or controller-based	Assign the physical interface connecting to Border2 to an aggregation group.	N/A
ip route-static 197.32.0.0 16 197.32.224.17 ipv6 route-static FD00:: 16 FD00:0:97B0:2::1	Manual or controller-based	Create static routes for routing traffic back to the connected leaf devices.	N/A

Configuring the DHCP server (single-homed to Leaf 5)

Attach a virtual DHCP server to Twenty-FiveGigE 1/0/2 of Leaf 5. The DHCP server runs Windows Server 2012 and is assigned IP address 197.32.42.9.

To add the DHCP role on Windows Server 2012:

1. As shown in Figure 2, click Add Role and Features.

Figure 2 Server management page

2. On the Add Role and Features Wizard page, select options as shown in Figure 3, Figure 4, and Figure 5. Click Next until the DHCP service is installed.

Figure 3 Add Role and Features Wizard (I)

Figure 4 Add Role and Features Wizard (II)

Figure 5 Add Role and Features Wizard (III)

3. Enable the DHCP service, and configure the DHCP address pool to allocate IP addresses in the range of 197.32.13.50 and 197.32.13.100.

Figure 6 Configuring the DHCP address pool

Configuring DHCP relay (with DHCP clients single-homed to Leaf 3)

Configuring service leaf nodes (Leaf 1 and Leaf 2)

Leaf 1 (S6850)	Leaf 2 (S6850)	Configuration method	Description
dhcp enable	dhcp enable	Manual or controller-based	Enable DHCP.
dhcp relay mac-forward enable	dhcp relay mac-forward enable	Manual or controller-based	Enable MAC address table lookup for DHCP replies that do not have request forwarding information.

Configuring DHCP client-attached leaf nodes (Leaf 3 and Leaf 4)

Leaf 3 (S6850)	Leaf 4 (S6850)	Configuration method	Description	Remarks
dhcp enable	dhcp enable	Manual or controller-based	Enable DHCP.	N/A
dhcp relay mac-forward enable	dhcp relay mac-forward enable	Manual or controller-based	Enable MAC address table lookup for DHCP replies that do not have request forwarding information.	This setting is required on devices that provide both distributed EVPN gateway and DHCP relay services.
interface Vsi-interface13313	interface Vsi-interface13313	Manual or controller-based	Enter the view of the VSI interface that provides distributed gateway service for attached servers.	N/A
dhcp select relay	dhcp select relay	Manual or controller-based	Enable the VSI interface to operate as a DHCP relay agent.	N/A
dhcp relay server-address 197.32.42.9	dhcp relay server-address 197.32.42.9	Manual or controller-based	Specify the IP address of the DHCP server for the DHCP relay agent.	N/A
dhcp relay request-from-tunnel discard	dhcp relay request-from-tunnel discard	Manual or controller-based	Configure the DHCP relay agent to discard the DHCP requests received from VXLAN tunnels.	N/A

Configuring DHCP server-attached leaf nodes (Leaf 5 and Leaf 6)

Leaf 5 (S6850)	Leaf 6 (S6850)	Configuration method	Description	Remarks
dhcp enable	dhcp enable	Manual or controller-based	Enable DHCP.	N/A
dhcp relay mac-forward enable	dhcp relay mac-forward enable	Manual or controller-based	Enable MAC address table lookup for DHCP replies that do not have request forwarding information.	This setting is required on devices that provide both distributed EVPN gateway and DHCP relay services.

Configuring IPv4/IPv6 microsegments and service chains

Configuring service leaf nodes (Leaf 1 and Leaf 2)

Configuring Leaf 3 and Leaf 4

Configuring Leaf 5 and Leaf 6

Configuring border nodes (Border 1 and Border 2)

Verifying the configuration

Verification commands

Command	Description
display m-lag role	Displays M-LAG role information.
display m-lag summary	Displays summary information about the peer-link interface and M-LAG interfaces in the M-LAG system.
display ospf peer	Displays information about OSPF neighbors.
display bgp peer l2vpn evpn	Displays BGP EVPN peer or peer group information.
display bgp l2vpn evpn	Displays BGP EVPN routes.
display l2vpn vsi	Displays information about VSIs.
display microsegment	Displays the configuration and status of microsegments.

Procedure

1. Verify that the M-LAG systems at the leaf tier are operating correctly.

The following information uses node Leaf 1 for example to show the procedure.

# Verify that nodes Leaf 1 and Leaf 2 has established an M-LAG system.

<Leaf1> display m-lag role

Effective role information

Factors Local Peer

Effective role Secondary Primary

Initial role None None

MAD DOWN state Yes Yes

Health level 0 0

Role priority 32768 32768

Bridge MAC 703a-a6e9-a00a 0440-a9df-98d0

Effective role trigger: Peer link calculation

Effective role reason: Bridge MAC

Configured role information

Factors Local Peer

Configured role Secondary Primary

Role priority 32768 32768

Bridge MAC 703a-a6e9-a00a 0440-a9df-98d0

<Leaf1> display m-lag summary

Flags: A -- Aggregate interface down, B -- No peer M-LAG interface configured

C -- Configuration consistency check failed

Peer-link interface: BAGG256

Peer-link interface state (cause): UP

Keepalive link state (cause): UP

M-LAG interface information

M-LAG IF M-LAG group Local state (cause) Peer state Remaining down time(s)

BAGG256 1 UP UP -

# Verify that node Leaf 1 has established OSPF neighbor relationships and BGP EVPN peer relationships with the spine nodes.

<Leaf1> display ospf peer

OSPF Process 65530 with Router ID 197.32.241.41

Neighbor Brief Information

Area: 0.0.0.0

Router ID Address Pri Dead-Time State Interface

197.32.241.37 197.32.241.37 1 38 Full/ - HGE1/0/25

197.32.241.38 197.32.241.38 1 34 Full/ - HGE1/0/26

197.32.241.42 197.32.241.142 1 31 Full/DR Vlan4094

<Leaf1> display bgp peer l2vpn evpn

BGP local router ID: 197.32.241.41

Local AS number: 65530

Total number of peers: 2 Peers in established state: 2

* - Dynamically created peer

^ - Peer created through link-local address

Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

197.32.241.37 65530 6273 5374 0 340 0080h32m Established

197.32.241.38 65530 5175 5041 0 340 0080h34m Established

2. On node Leaf 1, verify that the configuration and status of microsegments are all correct.

<Leaf1>display microsegment

Microsegment status : Enabled

Total microsegments : 4

Microsegment list

Microsegment ID Members Microsegment name

10001 87 SDN_EPG_10001

10002 8 SDN_EPG_10002

10003 2 SDN_EPG_10003

10004 2 SDN_EPG_10004

3. On the DHCP client side, verify that the Windows 7 and Linux DHCP clients attached to node Leaf 3 can obtain IP addresses from the DHCP server. (Details not shown.)

4. On the DHCP server, verify that the IP addresses have been assigned to the DHCP clients. (Details not shown.)

Border 1 (S6850)	Border 2 (S6850)	Configuration method	Description
microsegment enable	microsegment enable	Manual or controller-based	Enable microsegmentation.
microsegment 10001 name SDN_EPG_10001	microsegment 10001 name SDN_EPG_10001	Manual or controller-based	Create microsegment 10001 and enter its view.
member ipv4 197.32.14.0 255.255.255.0 vpn-instance ZHTESTCTVRF	member ipv4 197.32.14.0 255.255.255.0 vpn-instance ZHTESTCTVRF	Manual or controller-based	Add an IPv4 member to microsegment 10001.
member ipv4 197.32.14.0 255.255.255.0 vpn-instance external_vpn_1001	member ipv4 197.32.14.0 255.255.255.0 vpn-instance external_vpn_1001	Manual or controller-based	Add an IPv4 member to microsegment 10001.
member ipv4 197.32.16.0 255.255.255.0 vpn-instance ZHTESTCTVRF	member ipv4 197.32.16.0 255.255.255.0 vpn-instance ZHTESTCTVRF	Manual or controller-based	Add an IPv4 member to microsegment 10001.
member ipv4 197.32.16.0 255.255.255.0 vpn-instance external_vpn_1001	member ipv4 197.32.16.0 255.255.255.0 vpn-instance external_vpn_1001	Manual or controller-based	Add an IPv4 member to microsegment 10001.
member ipv6 FD00:0:97B0:1014:: 64 vpn-instance ZHTESTCTVRF	member ipv6 FD00:0:97B0:1014:: 64 vpn-instance ZHTESTCTVRF	Manual or controller-based	Add an IPv6 member to microsegment 10001.
member ipv6 FD00:0:97B0:1014:: 64 vpn-instance external_vpn_1001	member ipv6 FD00:0:97B0:1014:: 64 vpn-instance external_vpn_1001	Manual or controller-based	Add an IPv6 member to microsegment 10001.
member ipv6 FD00:0:97B0:1016:: 64 vpn-instance ZHTESTCTVRF	member ipv6 FD00:0:97B0:1016:: 64 vpn-instance ZHTESTCTVRF	Manual or controller-based	Add an IPv6 member to microsegment 10001.
member ipv6 FD00:0:97B0:1016:: 64 vpn-instance external_vpn_1001	member ipv6 FD00:0:97B0:1016:: 64 vpn-instance external_vpn_1001	Manual or controller-based	Add an IPv6 member to microsegment 10001.
microsegment 10002 name SDN_EPG_10002	microsegment 10002 name SDN_EPG_10002	Manual or controller-based	Create microsegment 10002 and enter its view.
member ipv4 197.32.42.0 255.255.255.0 vpn-instance ZHTESTCTVRF	member ipv4 197.32.42.0 255.255.255.0 vpn-instance ZHTESTCTVRF	Manual or controller-based	Add an IPv4 member to microsegment 10002.
member ipv4 197.32.42.0 255.255.255.0 vpn-instance external_vpn_1001	member ipv4 197.32.42.0 255.255.255.0 vpn-instance external_vpn_1001	Manual or controller-based	Add an IPv4 member to microsegment 10002.
member ipv6 FD00:0:97B0:1042:: 64 vpn-instance ZHTESTCTVRF	member ipv6 FD00:0:97B0:1042:: 64 vpn-instance ZHTESTCTVRF	Manual or controller-based	Add an IPv6 member to microsegment 10002.
member ipv6 FD00:0:97B0:1042:: 64 vpn-instance external_vpn_1001	member ipv6 FD00:0:97B0:1042:: 64 vpn-instance external_vpn_1001	Manual or controller-based	Add an IPv6 member to microsegment 10002.
microsegment 10003 name SDN_EPG_10003	microsegment 10003 name SDN_EPG_10003	Manual or controller-based	Create microsegment 10003 and enter its view.
member ipv4 0.0.0.0 0.0.0.0 vpn-instance ZHTESTCTVRF	member ipv4 0.0.0.0 0.0.0.0 vpn-instance ZHTESTCTVRF	Manual or controller-based	Add an IPv4 member to microsegment 10003.
member ipv4 0.0.0.0 0.0.0.0 vpn-instance external_vpn_1001	member ipv4 0.0.0.0 0.0.0.0 vpn-instance external_vpn_1001	Manual or controller-based	Add an IPv4 member to microsegment 10003.
member ipv6 :: 0 vpn-instance ZHTESTCTVRF	member ipv6 :: 0 vpn-instance ZHTESTCTVRF	Manual or controller-based	Add an IPv6 member to microsegment 10003.
member ipv6 :: 0 vpn-instance external_vpn_1001	member ipv6 :: 0 vpn-instance external_vpn_1001	Manual or controller-based	Add an IPv6 member to microsegment 10003.
microsegment 10004 name SDN_EPG_10004	microsegment 10004 name SDN_EPG_10004	Manual or controller-based	Create microsegment 10004 and enter its view.
member ipv4 197.32.42.9 255.255.255.255 vpn-instance ZHTESTCTVRF	member ipv4 197.32.42.9 255.255.255.255 vpn-instance ZHTESTCTVRF	Manual or controller-based	Add an IPv4 member to microsegment 10004.
member ipv4 197.32.42.9 255.255.255.255 vpn-instance external_vpn_1001	member ipv4 197.32.42.9 255.255.255.255 vpn-instance external_vpn_1001	Manual or controller-based	Add an IPv4 member to microsegment 10004.
acl advanced name 1001_1	acl advanced name 1001_1	Manual or controller-based	Create IPv4 ACL 1001_1 and enter its view. This ACL will be applied to IPv4 PBR policy node 0 in VPN external_vpn_1001 VLAN 1001.
rule 0 permit ip vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10001	rule 0 permit ip vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10001	Manual or controller-based	Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10003 to microsegment 10001.
acl advanced name 1001_2	acl advanced name 1001_2	Manual or controller-based	Create IPv4 ACL 1001_2 and enter its view. This ACL will be applied to IPv4 PBR policy node 1 in VPN external_vpn_1001 VLAN 1001.
rule 0 permit ip vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10002	rule 0 permit ip vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10002	Manual or controller-based	Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10003 to microsegment 10002.
acl advanced name 1001_3	acl advanced name 1001_3	Manual or controller-based	Create IPv4 ACL 1001_3 and enter its view. This ACL will be applied to IPv4 PBR policy node 2 in VPN external_vpn_1001 VLAN 1001.
rule 0 permit ip vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10004	rule 0 permit ip vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10004	Manual or controller-based	Create a rule for the ACL. This rule matches IPv4 traffic transmitted from microsegment 10003 to microsegment 10004.
acl advanced name 1001_4	acl advanced name 1001_4	Manual or controller-based	Create IPv4 ACL 1001_4 and enter its view. This ACL will be applied to IPv4 PBR policy node 3 in VPN external_vpn_1001 VLAN 1001.
rule 0 permit ip	rule 0 permit ip	Manual or controller-based	Create a rule for the ACL. This rule permits all IPv4 traffic.
acl ipv6 advanced name 1001_1	acl ipv6 advanced name 1001_1	Manual or controller-based	Create IPv6 ACL 1001_1 and enter its view. This ACL will be applied to IPv6 PBR policy node 0 in VPN external_vpn_1001 VLAN 1001.
rule 0 permit ipv6 vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10001	rule 0 permit ipv6 vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10001	Manual or controller-based	Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10003 to microsegment 10001.
acl ipv6 advanced name 1001_2	acl ipv6 advanced name 1001_2	Manual or controller-based	Create IPv6 ACL 1001_2 and enter its view. This ACL will be applied to IPv6 PBR policy node 1 in VPN external_vpn_1001 VLAN 1001.
rule 0 permit ipv6 vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10002	rule 0 permit ipv6 vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10002	Manual or controller-based	Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10003 to microsegment 10002.
acl ipv6 advanced name 1001_3	acl ipv6 advanced name 1001_3	Manual or controller-based	Create IPv6 ACL 1001_3 and enter its view. This ACL will be applied to IPv6 PBR policy node 2 in VPN external_vpn_1001 VLAN 1001.
rule 0 permit ipv6 vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10004	rule 0 permit ipv6 vpn-instance external_vpn_1001 source microsegment 10003 destination microsegment 10004	Manual or controller-based	Create a rule for the ACL. This rule matches IPv6 traffic transmitted from microsegment 10003 to microsegment 10004.
acl ipv6 advanced name 1001_4	acl ipv6 advanced name 1001_4	Manual or controller-based	Create IPv6 ACL 1001_4 and enter its view. This ACL will be applied to IPv6 PBR policy node 3 in VPN external_vpn_1001 VLAN 1001.
rule 0 permit ipv6	rule 0 permit ipv6	Manual or controller-based	Create a rule for the ACL. This rule permits all IPv6 traffic.
policy-based-route SDN_SC_VLAN_1001 permit node 0	policy-based-route SDN_SC_VLAN_1001 permit node 0	Manual or controller-based	Create node 0 for IPv4 PBR policy SDN_SC_VLAN_1001 and enter its view.
if-match acl name 1001_1	if-match acl name 1001_1	Manual or controller-based	Configure IPv4 ACL 1001_1 as an ACL match criterion for IPv4 PBR policy node 0.
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26	apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26	Manual or controller-based	Set a next hop for packets that match IPv4 PBR policy node 0.
apply service-chain path-id 8388609 path-index 1	apply service-chain path-id 8388609 path-index 1	Manual or controller-based	Set service chain information for packets that match IPv4 PBR policy node 0.
policy-based-route SDN_SC_VLAN_1001 permit node 1	policy-based-route SDN_SC_VLAN_1001 permit node 1	Manual or controller-based	Create node 1 for IPv4 PBR policy SDN_SC_VLAN_1001 and enter its view.
if-match acl name 1001_2	if-match acl name 1001_2	Manual or controller-based	Configure IPv4 ACL 1001_2 as an ACL match criterion for IPv4 PBR policy node 1.
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26	apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26	Manual or controller-based	Set a next hop for packets that match IPv4 PBR policy node 1.
apply service-chain path-id 8388609 path-index 1	apply service-chain path-id 8388609 path-index 1	Manual or controller-based	Set service chain information for packets that match IPv4 PBR policy node 1.
policy-based-route SDN_SC_VLAN_1001 permit node 2	policy-based-route SDN_SC_VLAN_1001 permit node 2	Manual or controller-based	Create node 2 for IPv4 PBR policy SDN_SC_VLAN_1001 and enter its view.
if-match acl name 1001_3	if-match acl name 1001_3	Manual or controller-based	Configure IPv4 ACL 1001_3 as an ACL match criterion for IPv4 PBR policy node 2.
apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26	apply next-hop vpn-instance ZHTESTCTFWNS01VRF 197.32.224.26	Manual or controller-based	Set a next hop for packets that match IPv4 PBR policy node 2.
apply service-chain path-id 8388609 path-index 1	apply service-chain path-id 8388609 path-index 1	Manual or controller-based	Set service chain information for packets that match IPv4 PBR policy node 2.
policy-based-route SDN_SC_VLAN_1001 permit node 3	policy-based-route SDN_SC_VLAN_1001 permit node 3	Manual or controller-based	Create node 3 for IPv4 PBR policy SDN_SC_VLAN_1001 and enter its view.
if-match acl name 1001_4	if-match acl name 1001_4	Manual or controller-based	Configure IPv4 ACL 1001_4 as an ACL match criterion for IPv4 PBR policy node 3.
apply output-interface NULL0	apply output-interface NULL0	Manual or controller-based	Set NULL0 as the output interface for packets that match IPv4 PBR policy node 3. These packets will be discarded.
interface Vlan-interface1001	interface Vlan-interface1001	Manual or controller-based	Create VLAN-interface 1001 for VPN external_vpn_1001 VLAN 1001 and enter its view.
ip policy-based-route SDN_SC_VLAN_1001	ip policy-based-route SDN_SC_VLAN_1001	Manual or controller-based	Deploy IPv4 PBR policy SDN_SC_VLAN_1001 on VLAN-interface 1001.
ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 0	ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 0	Manual or controller-based	Create node 0 for IPv6 PBR policy SDN_SC_VLAN_1001 and enter its view.
if-match acl name 1001_1	if-match acl name 1001_1	Manual or controller-based	Configure IPv6 ACL 1001_1 as an ACL match criterion for IPv6 PBR policy node 0.
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F	apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F	Manual or controller-based	Set a next hop for packets that match IPv6 PBR policy node 0.
apply service-chain path-id 8388609 path-index 1	apply service-chain path-id 8388609 path-index 1	Manual or controller-based	Set service chain information for packets that match IPv6 PBR policy node 0.
ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 1	ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 1	Manual or controller-based	Create node 1 for IPv6 PBR policy SDN_SC_VLAN_1001 and enter its view.
if-match acl name 1001_2	if-match acl name 1001_2	Manual or controller-based	Configure IPv6 ACL 1001_2 as an ACL match criterion for IPv6 PBR policy node 1.
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F	apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F	Manual or controller-based	Set a next hop for packets that match IPv6 PBR policy node 1.
apply service-chain path-id 8388609 path-index 1	apply service-chain path-id 8388609 path-index 1	Manual or controller-based	Set service chain information for packets that match IPv6 PBR policy node 1.
ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 2	ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 2	Manual or controller-based	Create node 2 for IPv6 PBR policy SDN_SC_VLAN_1001 and enter its view.
if-match acl name 1001_3	if-match acl name 1001_3	Manual or controller-based	Configure IPv6 ACL 1001_3 as an ACL match criterion for IPv6 PBR policy node 2.
apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F	apply next-hop vpn-instance ZHTESTCTFWNS01VRF FD00:0:97B0:101::F	Manual or controller-based	Set a next hop for packets that match IPv6 PBR policy node 2.
apply service-chain path-id 8388609 path-index 1	apply service-chain path-id 8388609 path-index 1	Manual or controller-based	Set service chain information for packets that match IPv6 PBR policy node 2.
ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 3	ipv6 policy-based-route SDN_SC_VLAN_1001 permit node 3	Manual or controller-based	Create node 3 for IPv6 PBR policy SDN_SC_VLAN_1001 and enter its view.
if-match acl name 1001_4	if-match acl name 1001_4	Manual or controller-based	Configure IPv6 ACL 1001_4 as an ACL match criterion for IPv6 PBR policy node 3.
apply output-interface NULL0	apply output-interface NULL0	Manual or controller-based	Set NULL0 as the output interface for packets that match IPv6 PBR policy node 3. These packets will be discarded.
interface Vlan-interface1001	interface Vlan-interface1001	Manual or controller-based	Create VLAN-interface 1001 for VPN external_vpn_1001 VLAN 1001 and enter its view.
ipv6 policy-based-route SDN_SC_VLAN_1001	ipv6 policy-based-route SDN_SC_VLAN_1001	Manual or controller-based	Deploy IPv6 PBR policy SDN_SC_VLAN_1001 on VLAN-interface 1001.

H3C Data Center Switches M-LAG Configuration Guide-6W100

Restrictions and guidelines

Configuring the device modes

Configuring the underlay routing protocol

Configuring the firewall-attached M-LAG interfaces on the leaf devices

Configuring distributed EVPN gateways

Configuring L3VPN

Configuring ACs

Configuring L3VPN

Configuring the spine devices

Configuring DHCP relay (with DHCP clients single-homed to Leaf 3)

Configuring service leaf nodes (Leaf 1 and Leaf 2)

Configuring DHCP server-attached leaf nodes (Leaf 5 and Leaf 6)

Configuring IPv4/IPv6 microsegments and service chains

Configuring service leaf nodes (Leaf 1 and Leaf 2)

Configuring Leaf 3 and Leaf 4

Configuring border nodes (Border 1 and Border 2)

Verifying the configuration

Verification commands

Procedure

Cloud & AI

InterConnect

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Resources

Partner Business Management

Company Information

News & Events

Contact Us