The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Cisco has translated this document using a combination of human and machine translation so that users around the world can access support content in their own language. Note that even the best machine translation is not as accurate as that provided by a professional translator. Cisco Systems, Inc. assumes no responsibility for the accuracy of these translations and recommends that you always refer to the original English document (a link is provided).
This document describes a configuration walkthrough of an L4-L7 service graph with route peering, where both the consumer and the provider are located outside the Application Centric Infrastructure (ACI) fabric.
Contributed by Zahid Hassan, Cisco Advanced Services Engineer.
Cisco recommends that you have knowledge of these topics:
This document does not cover the preceding fabric access and L3Out configuration steps and assumes that they are already complete.
The information in this document is based on these software versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Route peering allows service devices such as load balancers or firewalls to advertise their reachability to external networks through the ACI fabric.
The use case covered here is a physical firewall deployed as a two-arm service graph between two L3Outs, or external endpoint groups (EPGs). The service graph is associated with the contract between the external EPG on leaf 101 (N3K-1) and the external EPG on leaf 102 (N3K-2). The ACI fabric provides transit service for the routers (N3K-1 and N3K-2), and route peering, with Open Shortest Path First (OSPF) as the routing protocol, is used to exchange routes between the firewall and the ACI fabric.
This figure shows how route peering works end to end:
Step 1. Configure Virtual Routing and Forwarding 1 (VRF1), VRF2, Bridge Domain 1 (BD1), and BD2. Associate BD1 with VRF1 and BD2 with VRF2, as shown in the figure:
Step 2. Upload the ASA device package under L4-L7 Devices, as shown in the figure:
Configure the L4-L7 device for the physical ASA 5585 (routed mode), as shown in the figure:
Step 3. Configure the L3Out for N3K-1 and associate it with BD1 and VRF1.
The external routed network is used to specify the routing configuration that the ACI fabric uses for route peering, as shown in the figure:
Note: All L3Out interfaces used for route peering must be configured as switch virtual interfaces (SVIs) with VLAN encapsulation.
Configure import/export route control on the subnet for the N3K-1 L3Out external EPG, as shown in the figure:
Configure the L3Out for the ASA external interface and associate it with BD1 and VRF1, as shown in the figure:
Configure import/export route control on the subnet for the ASA-External L3Out external EPG, as shown in the figure:
Configure the L3Out for ASA-Internal and associate it with BD2 and VRF2, as shown in the figure:
Configure import/export route control on the subnet for the ASA-Internal L3Out external EPG, as shown in the figure:
Configure the L3Out for N3K-2 and associate it with BD2 and VRF2, as shown in the figure:
Configure import/export route control on the subnet for the N3K-2 L3Out external EPG, as shown in the figure:
Step 4. Create a function profile group and configure a function profile from the existing template, as shown in the figure:
Step 5. Create a contract and change the Scope field to Tenant, as shown in the figure:
Step 6. Create the L4-L7 service graph template, as shown in the figure. The service graph association involves associating the external routed network policy and the router configuration with the device selection policy.
The router configuration specifies the router ID that is used on the service device (ASA 5585), as shown in the figure:
Change the adjacency type from L2 to L3, as shown in the figure:
Apply the service graph template, as shown in the figure:
Attach the service graph to the contract, as shown in the figure:
Add or change the L4-L7 parameters as needed, as shown in the figure:
Step 7. Route tag policy: configure the route tag policy for VRF1 (tag 100), as shown in the figure:
Configure the route tag policy for VRF2 (tag 200), as shown in the figure:
Step 8. Check the state and verify the device selection policy, as shown in the figure:
Verify the deployed graph instance, as shown in the figure:
APIC configuration for the tenant:
apic1# sh running-config tenant T1
# Command: show running-config tenant T1
# Time: Thu Feb 25 16:05:14 2016
  tenant T1
    access-list PERMIT_ALL
      match ip
      exit
    contract PERMIT_ALL
      scope tenant
      subject PERMIT_ALL
        access-group PERMIT_ALL both
        l4l7 graph ASA5585_SGT
        exit
      exit
    vrf context VRF1
      exit
    vrf context VRF2
      exit
    l3out ASA_IN_L3OUT
      vrf member VRF2
      exit
    l3out ASA_OUT_L3OUT
      vrf member VRF1
      exit
    l3out N3K-1_L3OUT
      vrf member VRF1
      exit
    l3out N3K-2_L3OUT
      vrf member VRF2
      exit
    bridge-domain BD1
      vrf member VRF1
      exit
    bridge-domain BD2
      vrf member VRF2
      exit
    application AP1
      epg EPG1
        bridge-domain member BD1
        exit
      epg EPG2
        bridge-domain member BD2
        exit
      exit
    external-l3 epg ASA_IN_EXT_NET l3out ASA_IN_L3OUT
      vrf member VRF2
      match ip 10.10.10.0/24
      exit
    external-l3 epg ASA_OUT_EXT_NET l3out ASA_OUT_L3OUT
      vrf member VRF1
      match ip 20.20.20.0/24
      exit
    external-l3 epg N3K-1_EXT_NET l3out N3K-1_L3OUT
      vrf member VRF1
      match ip 10.10.10.0/24
      contract consumer PERMIT_ALL
      exit
    external-l3 epg N3K-2_EXT_NET l3out N3K-2_L3OUT
      vrf member VRF2
      match ip 20.20.20.0/24
      contract provider PERMIT_ALL
      exit
    interface bridge-domain BD1
      exit
    interface bridge-domain BD2
      exit
    l4l7 cluster name ASA5585 type physical vlan-domain T1_PHY service FW function go-to
      cluster-device ASA5585_Device_1
      cluster-interface inside
        member device ASA5585_Device_1 device-interface GigabitEthernet0/1
          interface ethernet 1/2 leaf 106
          exit
        exit
      cluster-interface outside
        member device ASA5585_Device_1 device-interface GigabitEthernet0/0
          interface ethernet 1/2 leaf 105
          exit
        exit
      exit
    l4l7 graph ASA5585_SGT contract PERMIT_ALL
      service N1 device-cluster-tenant T1 device-cluster ASA5585 mode FW_ROUTED
        connector consumer cluster-interface outside
          l4l7-peer tenant T1 out ASA_OUT_L3OUT epg ASA_OUT_EXT_NET redistribute bgp,ospf
          exit
        connector provider cluster-interface inside
          l4l7-peer tenant T1 out ASA_IN_L3OUT epg ASA_IN_EXT_NET redistribute bgp,ospf
          exit
        rtr-cfg ASA5585
        exit
      connection C1 terminal consumer service N1 connector consumer
      connection C2 terminal provider service N1 connector provider
      exit
    rtr-cfg ASA5585
      router-id 3.3.3.3
      exit
    exit
apic1#
Verify the OSPF neighbor relationship and routing table on leaf 101:
leaf101# show ip ospf neighbors vrf T1:VRF1
 OSPF Process ID default VRF T1:VRF1
 Total number of neighbors: 2
 Neighbor ID     Pri State            Up Time  Address         Interface
 1.1.1.1           1 FULL/BDR         02:07:19 192.168.1.1     Vlan8
 3.3.3.3           1 FULL/BDR         00:38:35 192.168.1.5     Vlan9
leaf101# show ip route vrf T1:VRF1
IP Route Table for VRF "T1:VRF1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.10.10.0/24, ubest/mbest: 1/0
*via 192.168.1.1, vlan8, [110/8], 01:59:50, ospf-default, intra
20.20.20.0/24, ubest/mbest: 1/0
*via 192.168.1.5, vlan9, [110/22], 00:30:20, ospf-default, inter
100.100.100.100/32, ubest/mbest: 2/0, attached, direct
*via 100.100.100.100, lo1, [1/0], 02:21:22, local, local
*via 100.100.100.100, lo1, [1/0], 02:21:22, direct
192.168.1.0/30, ubest/mbest: 1/0, attached, direct
*via 192.168.1.2, vlan8, [1/0], 02:35:53, direct
192.168.1.2/32, ubest/mbest: 1/0, attached
*via 192.168.1.2, vlan8, [1/0], 02:35:53, local, local
192.168.1.4/30, ubest/mbest: 1/0, attached, direct
*via 192.168.1.6, vlan9, [1/0], 02:20:53, direct
192.168.1.6/32, ubest/mbest: 1/0, attached
*via 192.168.1.6, vlan9, [1/0], 02:20:53, local, local
192.168.1.8/30, ubest/mbest: 1/0
*via 192.168.1.5, vlan9, [110/14], 00:30:20, ospf-default, intra
200.200.200.200/32, ubest/mbest: 1/0
*via 192.168.1.5, vlan9, [110/15], 00:30:20, ospf-default, intra
Verify the OSPF neighbor relationship and routing table on leaf 102:
leaf102# show ip ospf neighbors vrf T1:VRF2
 OSPF Process ID default VRF T1:VRF2
 Total number of neighbors: 2
 Neighbor ID     Pri State            Up Time  Address         Interface
 3.3.3.3           1 FULL/BDR         00:37:07 192.168.1.9     Vlan14
 2.2.2.2           1 FULL/BDR         02:09:59 192.168.1.13    Vlan15
leaf102# show ip route vrf T1:VRF2
IP Route Table for VRF "T1:VRF2"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.10.10.0/24, ubest/mbest: 1/0
    *via 192.168.1.9, vlan14, [110/22], 00:35:22, ospf-default, inter
20.20.20.0/24, ubest/mbest: 1/0
    *via 192.168.1.13, vlan15, [110/8], 02:08:13, ospf-default, intra
192.168.1.4/30, ubest/mbest: 1/0
    *via 192.168.1.9, vlan14, [110/14], 00:35:22, ospf-default, intra
192.168.1.8/30, ubest/mbest: 1/0, attached, direct
    *via 192.168.1.10, vlan14, [1/0], 02:14:29, direct
192.168.1.10/32, ubest/mbest: 1/0, attached
    *via 192.168.1.10, vlan14, [1/0], 02:14:29, local, local
192.168.1.12/30, ubest/mbest: 1/0, attached, direct
    *via 192.168.1.14, vlan15, [1/0], 02:09:04, direct
192.168.1.14/32, ubest/mbest: 1/0, attached
    *via 192.168.1.14, vlan15, [1/0], 02:09:04, local, local
200.200.200.200/32, ubest/mbest: 2/0, attached, direct
    *via 200.200.200.200, lo4, [1/0], 02:10:02, local, local
    *via 200.200.200.200, lo4, [1/0], 02:10:02, direct
Verify the configuration, OSPF neighbor relationship, and routing table on the ASA 5585:
ASA5585# sh run interface
!
interface GigabitEthernet0/0
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.101
 nameif externalIf
 security-level 50
 ip address 192.168.1.5 255.255.255.252
!
interface GigabitEthernet0/1
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.102
 nameif internalIf
 security-level 100
 ip address 192.168.1.9 255.255.255.252
!
interface Management0/0
 management-only
 nameif management
 security-level 0
 ip address 172.23.97.1 255.255.254.0

ASA5585# sh run router
router ospf 1
 router-id 3.3.3.3
 network 192.168.1.4 255.255.255.252 area 0
 network 192.168.1.8 255.255.255.252 area 0
 area 0
 log-adj-changes
!

ASA5585# sh ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
100.100.100.100   1   FULL/DR         0:00:38     192.168.1.6     externalIf
200.200.200.200   1   FULL/DR         0:00:33     192.168.1.10    internalIf

ASA5585# sh route ospf
Routing Table: T1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set

O IA     10.10.10.0 255.255.255.0 [110/18] via 192.168.1.6, 00:22:57, externalIf
O IA     20.20.20.0 255.255.255.0 [110/18] via 192.168.1.10, 00:22:47, internalIf
O        200.200.200.200 255.255.255.255 [110/11] via 192.168.1.10, 00:22:47, internalIf

ASA5585# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list access-list-inbound; 3 elements; name hash: 0xcb5bd6c7
access-list access-list-inbound line 1 extended permit tcp any any eq www (hitcnt=0) 0xc873a747
access-list access-list-inbound line 2 extended permit tcp any any eq https (hitcnt=0) 0x48bedbdd
access-list access-list-inbound line 3 extended permit icmp any any (hitcnt=6) 0xe4b5a75d
Verify the configuration, OSPF neighbor relationship, and routing table on N3K-1:
N3K-1# sh run ospf

!Command: show running-config ospf
!Time: Thu Feb 25 15:40:55 2016

version 6.0(2)U3(7)
feature ospf

router ospf 1
  router-id 1.1.1.1

interface Ethernet1/21
  ip router ospf 1 area 0.0.0.1

interface Ethernet1/47
  ip router ospf 1 area 0.0.0.1

N3K-1# sh ip ospf neighbors
 OSPF Process ID 1 VRF default
 Total number of neighbors: 1
 Neighbor ID     Pri State            Up Time  Address         Interface
 100.100.100.100   1 FULL/DR          01:36:24 192.168.1.2     Eth1/47

N3K-1# sh ip ospf route
 OSPF Process ID 1 VRF default, Routing Table
    (D) denotes route is directly attached    (R) denotes route is in RIB

 10.10.10.0/24 (intra)(D) area 0.0.0.1
     via 10.10.10.0/Eth1/21* , cost 4
 20.20.20.0/24 (inter)(R) area 0.0.0.1
     via 192.168.1.2/Eth1/47 , cost 62
 100.100.100.100/32 (intra)(R) area 0.0.0.1
     via 192.168.1.2/Eth1/47 , cost 41
 192.168.1.0/30 (intra)(D) area 0.0.0.1
     via 192.168.1.1/Eth1/47* , cost 40
Verify the configuration, OSPF neighbor relationship, and routing table on N3K-2:
N3K-2# sh run ospf

!Command: show running-config ospf
!Time: Thu Feb 25 15:44:47 2016

version 6.0(2)U3(7)
feature ospf

router ospf 1
  router-id 2.2.2.2

interface loopback0
  ip ospf network point-to-point
  ip router ospf 1 area 0.0.0.0

interface Ethernet1/21
  ip router ospf 1 area 0.0.0.1

interface Ethernet1/47
  ip router ospf 1 area 0.0.0.1

N3K-2# sh ip ospf neighbors
 OSPF Process ID 1 VRF default
 Total number of neighbors: 1
 Neighbor ID     Pri State            Up Time  Address         Interface
 200.200.200.200   1 FULL/DR          01:43:50 192.168.1.14    Eth1/47

N3K-2# sh ip ospf route
 OSPF Process ID 1 VRF default, Routing Table
    (D) denotes route is directly attached    (R) denotes route is in RIB

 2.2.2.0/30 (intra)(D) area 0.0.0.0
     via 2.2.2.0/Lo0* , cost 1
 10.10.10.0/24 (inter)(R) area 0.0.0.1
     via 192.168.1.14/Eth1/47 , cost 62
 20.20.20.0/24 (intra)(D) area 0.0.0.1
     via 20.20.20.0/Eth1/21* , cost 4
 192.168.1.12/30 (intra)(D) area 0.0.0.1
     via 192.168.1.13/Eth1/47* , cost 40
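The four verification steps above all come down to the same two questions: is every expected OSPF neighbor in the FULL state, and are the external subnets in the routing table learned from OSPF rather than merely present as local or direct routes? As an added example, not part of the original document and not a Cisco tool, the following Python script turns those questions into checks. It parses the neighbor-table layout shared by the leaf, N3K, and ASA outputs above and the NX-OS `show ip route` layout used on the leaves; the sample outputs are re-typed from the leaf101 and ASA captures above, and the expected router IDs and transit prefixes are supplied by the caller.

```python
import re

# Constructed samples: the neighbor tables and the leaf101 route table from the
# walkthrough above, re-typed here as test input (not captured by this script).
LEAF101_NEIGHBORS = """\
leaf101# show ip ospf neighbors vrf T1:VRF1
 OSPF Process ID default VRF T1:VRF1
 Total number of neighbors: 2
 Neighbor ID     Pri State            Up Time  Address         Interface
 1.1.1.1           1 FULL/BDR         02:07:19 192.168.1.1     Vlan8
 3.3.3.3           1 FULL/BDR         00:38:35 192.168.1.5     Vlan9
"""

ASA_NEIGHBORS = """\
ASA5585# sh ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
100.100.100.100   1   FULL/DR         0:00:38     192.168.1.6     externalIf
200.200.200.200   1   FULL/DR         0:00:33     192.168.1.10    internalIf
"""

LEAF101_ROUTES = """\
10.10.10.0/24, ubest/mbest: 1/0
    *via 192.168.1.1, vlan8, [110/8], 01:59:50, ospf-default, intra
20.20.20.0/24, ubest/mbest: 1/0
    *via 192.168.1.5, vlan9, [110/22], 00:30:20, ospf-default, inter
192.168.1.0/30, ubest/mbest: 1/0, attached, direct
    *via 192.168.1.2, vlan8, [1/0], 02:35:53, direct
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One neighbor row: router-id, priority, state, up/dead timer, address, interface.
NEIGHBOR_RE = re.compile(
    rf"^(?P<rid>{IPV4})\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+(?P<timer>\S+)\s+"
    rf"(?P<addr>{IPV4})\s+(?P<intf>\S+)$"
)
PREFIX_RE = re.compile(rf"^(?P<prefix>{IPV4}/\d+), ubest/mbest: (?P<ubest>\d+)/(?P<mbest>\d+)")
VIA_RE = re.compile(
    r"^\*{0,2}via (?P<nh>\S+), (?P<intf>[^,]+), \[(?P<pref>\d+)/(?P<metric>\d+)\], "
    r"(?P<age>[^,]+), (?P<proto>[^,]+)(?:, (?P<kind>\S+))?$"
)


def parse_ospf_neighbors(text):
    """Return one dict per neighbor row; works for the NX-OS/ACI and ASA table layouts."""
    neighbors = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["full"] = row["state"].startswith("FULL")
            neighbors.append(row)
    return neighbors


def check_adjacencies(neighbors, expected_router_ids):
    """List what is wrong with the adjacencies; an empty list means every expected
    router-id is present and FULL.  Anything else (missing, 2WAY, EXSTART, ...)
    means the service device is not exchanging routes with the fabric."""
    by_rid = {n["rid"]: n for n in neighbors}
    problems = []
    for rid in expected_router_ids:
        n = by_rid.get(rid)
        if n is None:
            problems.append(f"missing adjacency with router-id {rid}")
        elif not n["full"]:
            problems.append(f"adjacency with {rid} is {n['state']} on {n['intf']}, not FULL")
    return problems


def parse_routes(text):
    """Map prefix -> list of next-hop dicts from NX-OS 'show ip route' output."""
    routes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PREFIX_RE.match(line)
        if m:
            current = m["prefix"]
            routes[current] = []
            continue
        m = VIA_RE.match(line)
        if m and current is not None:
            hop = m.groupdict()
            hop["pref"], hop["metric"] = int(hop["pref"]), int(hop["metric"])
            routes[current].append(hop)
    return routes


def ospf_next_hops(routes, prefix):
    """Next-hops through which `prefix` was learned from OSPF; [] if the prefix is
    absent or only known as a local/direct route."""
    return [h["nh"] for h in routes.get(prefix, []) if h["proto"].startswith("ospf")]


def verify_transit(neighbor_text, route_text, expected_router_ids, transit_prefixes):
    """Combine both checks: FULL adjacencies plus every transit prefix learned via OSPF."""
    problems = check_adjacencies(parse_ospf_neighbors(neighbor_text), expected_router_ids)
    routes = parse_routes(route_text)
    for prefix in transit_prefixes:
        if not ospf_next_hops(routes, prefix):
            problems.append(f"{prefix} not learned via OSPF")
    return problems


if __name__ == "__main__":
    # On leaf101 we expect N3K-1 (1.1.1.1) and the ASA (3.3.3.3) as neighbors and
    # both external subnets present in the VRF1 routing table via OSPF.
    print(verify_transit(LEAF101_NEIGHBORS, LEAF101_ROUTES,
                         ["1.1.1.1", "3.3.3.3"], ["10.10.10.0/24", "20.20.20.0/24"]))
    print(check_adjacencies(parse_ospf_neighbors(ASA_NEIGHBORS),
                            ["100.100.100.100", "200.200.200.200"]))
```

An empty list from `verify_transit` is the pass condition; run it against the output from each leaf VRF with that leaf's expected router IDs. A prefix that is present but reported as "not learned via OSPF" usually points at the route-control import/export settings on the L3Out subnet or at the redistribution settings on the service graph connector, which are the steps this walkthrough configures.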
Verify the contract filter rules and packet hit counts on the leaves:
leaf101# show system internal policy-mgr stats
Requested Rule Statistics
[CUT]
Rule (4107) DN (sys/actrl/scope-3112964/rule-3112964-s-32773-d-49158-f-33) Ingress: 1316, Egress: 0, Pkts: 0 RevPkts: 0
Rule (4108) DN (sys/actrl/scope-3112964/rule-3112964-s-49158-d-32773-f-33) Ingress: 1317, Egress: 0, Pkts: 0 RevPkts: 0

leaf101# show system internal policy-mgr stats
Requested Rule Statistics
[CUT]
Rule (4107) DN (sys/actrl/scope-3112964/rule-3112964-s-32773-d-49158-f-33) Ingress: 2317, Egress: 0, Pkts: 0 RevPkts: 0
Rule (4108) DN (sys/actrl/scope-3112964/rule-3112964-s-49158-d-32773-f-33) Ingress: 2317, Egress: 0, Pkts: 0 RevPkts: 0
leaf102# show system internal policy-mgr stats
Requested Rule Statistics
[CUT]
Rule (4103) DN (sys/actrl/scope-2752520/rule-2752520-s-49156-d-6019-f-default) Ingress: 3394, Egress: 0, Pkts: 0 RevPkts: 0
Rule (4104) DN (sys/actrl/scope-2752520/rule-2752520-s-6019-d-49156-f-default) Ingress: 3394, Egress: 0, Pkts: 0 RevPkts: 0
[CUT]

leaf102# show system internal policy-mgr stats
Requested Rule Statistics
[CUT]
Rule (4103) DN (sys/actrl/scope-2752520/rule-2752520-s-49156-d-6019-f-default) Ingress: 4392, Egress: 0, Pkts: 0 RevPkts: 0
Rule (4104) DN (sys/actrl/scope-2752520/rule-2752520-s-6019-d-49156-f-default) Ingress: 4392, Egress: 0, Pkts: 0 RevPkts: 0
[CUT]
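The two snapshots per leaf above are only meaningful as a difference: the rule counters must move while test traffic flows, in both directions of the contract. As an added example, not from the original document and not a Cisco tool, the following Python script parses policy-mgr snapshots like those above, decodes the scope, source class, destination class, and filter from each rule DN, and reports the per-rule counter increase between two snapshots. In the captured output only the Ingress counter moves, so that is the default counter compared; a rule whose counter stays flat during a test is flagged, because it means the traffic is not being classified into the contract the service graph is attached to. The sample snapshots are re-typed from the leaf101 output above.

```python
import re

# Constructed samples: the two leaf101 snapshots from the walkthrough above,
# re-typed here; the [CUT] markers are part of the captured output.
LEAF101_BEFORE = """\
leaf101# show system internal policy-mgr stats
Requested Rule Statistics
[CUT]
Rule (4107) DN (sys/actrl/scope-3112964/rule-3112964-s-32773-d-49158-f-33) Ingress: 1316, Egress: 0, Pkts: 0 RevPkts: 0
Rule (4108) DN (sys/actrl/scope-3112964/rule-3112964-s-49158-d-32773-f-33) Ingress: 1317, Egress: 0, Pkts: 0 RevPkts: 0
"""
LEAF101_AFTER = """\
leaf101# show system internal policy-mgr stats
Requested Rule Statistics
[CUT]
Rule (4107) DN (sys/actrl/scope-3112964/rule-3112964-s-32773-d-49158-f-33) Ingress: 2317, Egress: 0, Pkts: 0 RevPkts: 0
Rule (4108) DN (sys/actrl/scope-3112964/rule-3112964-s-49158-d-32773-f-33) Ingress: 2317, Egress: 0, Pkts: 0 RevPkts: 0
"""

RULE_RE = re.compile(
    r"Rule \((?P<rule>\d+)\) DN \((?P<dn>[^)]+)\) "
    r"Ingress: (?P<ingress>\d+), Egress: (?P<egress>\d+), "
    r"Pkts: (?P<pkts>\d+) RevPkts: (?P<revpkts>\d+)"
)
# The rule DN encodes the policy scope, the source/destination class IDs and the filter.
DN_RE = re.compile(
    r"scope-(?P<scope>\d+)/rule-\d+-s-(?P<sclass>\d+)-d-(?P<dclass>\d+)-f-(?P<filter>\w+)"
)


def parse_rule_stats(text):
    """Map rule id -> counters plus scope/sclass/dclass/filter decoded from the DN.
    finditer() is used so the flattened single-line form of the output parses too."""
    stats = {}
    for m in RULE_RE.finditer(text):
        fields = m.groupdict()
        rule = int(fields.pop("rule"))
        dn = fields.pop("dn")
        entry = {k: int(v) for k, v in fields.items()}
        entry["dn"] = dn
        dm = DN_RE.search(dn)
        if dm:
            entry["scope"] = int(dm["scope"])
            entry["sclass"] = int(dm["sclass"])
            entry["dclass"] = int(dm["dclass"])
            entry["filter"] = dm["filter"]
        stats[rule] = entry
    return stats


def counter_delta(before, after, counter="ingress"):
    """Per-rule increase of `counter` between two snapshots (rules present in both)."""
    return {r: after[r][counter] - before[r][counter] for r in before if r in after}


def idle_rules(before, after, counter="ingress"):
    """Rules whose counter did not move during the test window.  Traffic that should
    have matched these rules either never reached the leaf or was classified into a
    different (sclass, dclass) pair, so the contract is not the one enforcing it."""
    return sorted(r for r, d in counter_delta(before, after, counter).items() if d == 0)


def reverse_pair(stats, rule):
    """Find the rule in the same scope with swapped sclass/dclass, i.e. the return
    direction of the same contract, so both directions can be checked together."""
    e = stats[rule]
    for r, o in stats.items():
        if (r != rule and o.get("scope") == e.get("scope")
                and o.get("sclass") == e.get("dclass") and o.get("dclass") == e.get("sclass")):
            return r
    return None


if __name__ == "__main__":
    before, after = parse_rule_stats(LEAF101_BEFORE), parse_rule_stats(LEAF101_AFTER)
    print(counter_delta(before, after))   # {4107: 1001, 4108: 1000}
    print(idle_rules(before, after))      # []
    print(reverse_pair(before, 4107))     # 4108
```

Take the first snapshot, run the ping test from the next section, take the second snapshot, and feed both to `counter_delta`; the forward and reverse rules (4107/4108 here) should both increase by roughly the number of packets sent. The `[CUT]` markers and the surrounding prompt text are ignored by the parser, so the captured output can be pasted in as-is.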
Connectivity test between N3K-1 and N3K-2:
N3K-1# ping 20.20.20.1 source 10.10.10.1
PING 20.20.20.1 (20.20.20.1) from 10.10.10.1: 56 data bytes
64 bytes from 20.20.20.1: icmp_seq=0 ttl=250 time=2.098 ms
64 bytes from 20.20.20.1: icmp_seq=1 ttl=250 time=0.922 ms
64 bytes from 20.20.20.1: icmp_seq=2 ttl=250 time=0.926 ms
64 bytes from 20.20.20.1: icmp_seq=3 ttl=250 time=0.893 ms
64 bytes from 20.20.20.1: icmp_seq=4 ttl=250 time=0.941 ms

--- 20.20.20.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.893/1.156/2.098 ms

N3K-2# ping 10.10.10.1 source 20.20.20.1
PING 10.10.10.1 (10.10.10.1) from 20.20.20.1: 56 data bytes
64 bytes from 10.10.10.1: icmp_seq=0 ttl=250 time=2.075 ms
64 bytes from 10.10.10.1: icmp_seq=1 ttl=250 time=0.915 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=250 time=0.888 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=250 time=1.747 ms
64 bytes from 10.10.10.1: icmp_seq=4 ttl=250 time=0.828 ms

--- 10.10.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.828/1.29/2.075 ms
Attached are the XML configuration files for the tenant and the ASA function profile used in this demonstration.