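This document demonstrates Easy Virtual Network (EVN) configuration using Enhanced Interior Gateway Routing Protocol (EIGRP) named mode. It supplements the Easy Virtual Network Configuration document, which demonstrates the use of Open Shortest Path First (OSPF) along with other advanced topics such as VNET trunk lists and route replication. EVN VNET is intended to give operators an option that makes multiple VRFs easier to deploy than Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VRF-lite (Virtual Routing and Forwarding). EVN VNET uses the concept of cloned configuration for routing protocols and VNET trunk interfaces to reduce the burden on the operator and save some repetitive tasks. Troubleshooting EIGRP, routing, or Cisco Express Forwarding (CEF) is outside the scope of this document; unless otherwise noted, you can follow normal troubleshooting procedures.
Cisco recommends that you have basic knowledge of EIGRP.
This feature is available in several releases after IOS Version 15.2. To verify that EIGRP named mode with EVN VNET is supported, check the output of show ip eigrp plugins. If Easy Virtual Network 1.00.00 or later is present, your release supports the feature.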
R1#show eigrp plugins
EIGRP feature plugins:::
eigrp-release : 21.00.00 : Portable EIGRP Release
: 1.00.10 : Source Component Release(rel21)
parser : 2.02.00 : EIGRP Parser Support
igrp2 : 2.00.00 : Reliable Transport/Dual Database
bfd : 2.00.00 : BFD Platform Support
mtr : 1.00.01 : Multi-Topology Routing(MTR)
eigrp-pfr : 1.00.01 : Performance Routing Support
EVN/vNets : 1.00.00 : Easy Virtual Network (EVN/vNets)
ipv4-af : 2.01.01 : Routing Protocol Support
ipv4-sf : 1.02.00 : Service Distribution Support
vNets-parse : 1.00.00 : EIGRP vNets Parse Support
ipv6-af : 2.01.01 : Routing Protocol Support
ipv6-sf : 2.01.00 : Service Distribution Support
snmp-agent : 2.00.00 : SNMP/SNMPv2 Agent Support
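Note: EIGRP named mode with EVN VNET is not supported in 15.1SY. In that release you must use the classic mode EIGRP configuration, which is demonstrated in the available documentation.
Bidirectional Forwarding Detection (BFD) is currently supported only on VNET global and does not work on any named VNET subinterface on a VNET trunk.
Because of potentially unpredictable inheritance, af-interface default is not recommended when EIGRP named mode is used with EVN VNET.
The information in this document was created from devices in a specific lab environment that run Cisco IOS Version 15.6(1)S2. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The configurations of R3, R4, R5 and R6 are all similar and are therefore not included in this document. They are simply configured to form EIGRP neighbors with R1 or R2, and they are not aware of the EVN VNET used between R1 and R2.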
Relevant configuration of R1
vrf definition orange
 vnet tag 101
 !
 address-family ipv4
 exit-address-family
!
vrf definition red
 vnet tag 102
 !
 address-family ipv4
 exit-address-family
!
interface Ethernet0/0
 vnet trunk
 ip address 10.12.12.1 255.255.255.0
!
interface Ethernet1/0
 vrf forwarding orange
 ip address 192.168.13.1 255.255.255.0
!
interface Ethernet2/0
 vrf forwarding red
 ip address 192.168.15.1 255.255.255.0
!
!
router eigrp named
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface Ethernet0/0
   authentication mode hmac-sha-256 cisco
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 10.0.0.0
 exit-address-family
 !
 address-family ipv4 unicast vrf orange autonomous-system 101
  !
  af-interface Ethernet1/0
   authentication mode hmac-sha-256 cisco
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 10.0.0.0
  network 192.168.13.0
 exit-address-family
 !
 address-family ipv4 unicast vrf red autonomous-system 102
  !
  topology base
  exit-af-topology
  network 10.0.0.0
  network 192.168.15.0
 exit-address-family
Relevant configuration of R2
vrf definition orange
 vnet tag 101
 !
 address-family ipv4
 exit-address-family
!
vrf definition red
 vnet tag 102
 !
 address-family ipv4
 exit-address-family
!
interface Ethernet0/0
 vnet trunk
 ip address 10.12.12.2 255.255.255.0
!
interface Ethernet1/0
 vrf forwarding orange
 ip address 192.168.24.2 255.255.255.0
!
interface Ethernet2/0
 vrf forwarding red
 ip address 192.168.26.2 255.255.255.0
!
!
router eigrp named
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface Ethernet0/0
   authentication mode hmac-sha-256 cisco
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 10.0.0.0
 exit-address-family
 !
 address-family ipv4 unicast vrf orange autonomous-system 101
  !
  af-interface Ethernet1/0
   authentication mode hmac-sha-256 cisco
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 10.0.0.0
  network 192.168.24.0
 exit-address-family
 !
 address-family ipv4 unicast vrf red autonomous-system 102
  !
  topology base
  exit-af-topology
  network 10.0.0.0
  network 192.168.26.0
 exit-address-family
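One advantage of Easy Virtual Network is the simplicity of configuration. This is achieved by automatic configuration of the VNET trunk for each VNET tag. Compare EVN with VRF-lite, where each subinterface must be configured manually. Ethernet0/0 is the VNET trunk that connects R1 and R2, and a VNET subinterface is created automatically for each VNET; frames are tagged with the dot1Q VNET tag to meet EVN's traffic separation requirement. These subinterfaces are not visible in the output of show running-config, but can be seen in show derived-config.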
R1#show derived-config | sec Ethernet0/0
interface Ethernet0/0
 vnet trunk
 ip address 10.12.12.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
interface Ethernet0/0.101
 description Subinterface for VNET orange
 encapsulation dot1Q 101
 vrf forwarding orange
 ip address 10.12.12.1 255.255.255.0
 no ip proxy-arp
interface Ethernet0/0.102
 description Subinterface for VNET red
 encapsulation dot1Q 102
 vrf forwarding red
 ip address 10.12.12.1 255.255.255.0
 no ip proxy-arp
Likewise, you can see that the EIGRP configuration is also created automatically:
R1#show derived-config | sec router eigrp
router eigrp named
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface Ethernet0/0
   authentication mode hmac-sha-256 cisco
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 10.0.0.0
 exit-address-family
 !
 address-family ipv4 unicast vrf orange autonomous-system 101
  !
  af-interface Ethernet0/0.101
   authentication mode hmac-sha-256 cisco
  exit-af-interface
  !
  af-interface Ethernet1/0
   authentication mode hmac-sha-256 cisco
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 10.0.0.0
  network 192.168.13.0
 exit-address-family
 !
 address-family ipv4 unicast vrf red autonomous-system 102
  !
  af-interface Ethernet0/0.102
   authentication mode hmac-sha-256 cisco
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 10.0.0.0
  network 192.168.15.0
 exit-address-family
R1#
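An interesting observation in the output above is the af-interface inheritance for the VNET subinterfaces from af-interface Ethernet0/0 in the global VRF, autonomous system 100. The following sections explain this in more detail:
The following diagram is used to help visualize the inheritance rules when EIGRP named mode is used with EVN VNET.
In the example above, there is one VNET trunk, af-interface Ethernet0/0, from which the VNET subinterfaces receive their derived configuration. Some non-default values (such as hello interval, hold time and authentication) are configured to demonstrate inheritance. You will also notice the VNET sub-mode under the af-interface in the global EIGRP process. This is a way to control which configuration options are cloned into each VNET's af-interface in the dynamically created EIGRP VRF configuration.
For example, the derived configuration for Eth0/0 in the global routing table is inherited from vnet global (hello interval 30, hold time 90). The authentication mode hmac-sha-256 for Eth0/0 is configured directly on this af-interface in the running-config, and the derived-config output shows that Eth0/0 has inherited that command. Because the authentication mode is configured on the VNET trunk af-interface, it is inherited by all VNET interfaces.
For VRF orange, VNET orange is configured with a hello interval of 15 in the running-config. In the derived configuration for VRF orange in autonomous system 101 you can see that the hello interval of 15 is taken from the VNET sub-mode under af-interface Eth0/0 in the global process. The hold time is not modified and is cloned from af-interface Eth0/0, which uses the default value.
VNET red has no configuration differences from af-interface Eth0/0, so it inherits the default timer values and the authentication mode.
These configuration options allow the operator to use different parameters for each VNET trunk subinterface, for example different timer values, authentication modes, or passive interfaces. To summarize the inheritance rules: all VNETs inherit configuration from the VNET trunk af-interface. VNET-specific configuration in the VNET sub-mode is also inherited by the VNET trunk subinterface and takes precedence over the af-interface parameters.
Here is some additional output that verifies the configuration inheritance: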
R1#show eigrp address-family ipv4 interface detail e0/0
EIGRP-IPv4 VR(named) Address-Family Interfaces for AS(100)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Et0/0                    1        0/0       0/0           6       0/2           50           0
Hello-interval is 30, Hold-time is 90
Split-horizon is enabled
Next xmit serial <none>
Packetized sent/expedited: 3/1
Hello's sent/expedited: 2959/3
Un/reliable mcasts: 0/4 Un/reliable ucasts: 5/5
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 3 Out-of-sequence rcvd: 1
Topology-ids on interface - 0
Authentication mode is HMAC-SHA-256, key-chain is not set
Topologies advertised on this interface: base
Topologies not advertised on this interface:
R1#show eigrp address-family ipv4 vrf orange interface detail e0/0.101
EIGRP-IPv4 VR(named) Address-Family Interfaces for AS(101)
VRF(orange)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Et0/0.101                1        0/0       0/0           5       0/2           50           0
Hello-interval is 15, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Packetized sent/expedited: 4/1
Hello's sent/expedited: 2371/3
Un/reliable mcasts: 0/4 Un/reliable ucasts: 6/5
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 3 Out-of-sequence rcvd: 1
Topology-ids on interface - 0
Authentication mode is HMAC-SHA-256, key-chain is not set
Topologies advertised on this interface: base
Topologies not advertised on this interface:
R1#show eigrp address-family ipv4 vrf red interface detail e0/0.102
EIGRP-IPv4 VR(named) Address-Family Interfaces for AS(102)
VRF(red)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Et0/0.102                1        0/0       0/0           4       0/2           50           0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Packetized sent/expedited: 6/1
Hello's sent/expedited: 2676/3
Un/reliable mcasts: 0/6 Un/reliable ucasts: 7/5
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 3 Out-of-sequence rcvd: 1
Topology-ids on interface - 0
Authentication mode is HMAC-SHA-256, key-chain is not set
Topologies advertised on this interface: base
Topologies not advertised on this interface:
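The inheritance rules summarized above can be written down as a small model, which makes it easy to check what a VNET subinterface ends up with before relying on it. This is an added example, not Cisco code or part of the original document; the setting labels hello, hold and auth and the constructed variant are assumptions of the sketch.

```python
# Added illustration of the inheritance rules summarized above; not Cisco code.
# The keys "hello", "hold" and "auth" are labels chosen for this sketch.
DEFAULTS = {"hello": 5, "hold": 15, "auth": None}  # timers as displayed for VRF red
TRUNK = "Ethernet0/0"

def derive(trunk_af, vnet_submodes, vnet_tags):
    """Effective af-interface settings for the trunk in the global table
    ("global") and for each automatically created VNET subinterface."""
    derived = {}
    for name in ["global", *vnet_tags]:
        settings = dict(DEFAULTS)
        settings.update(trunk_af)                     # every VNET inherits the trunk af-interface
        settings.update(vnet_submodes.get(name, {}))  # the VNET sub-mode takes precedence
        ifname = TRUNK if name == "global" else f"{TRUNK}.{vnet_tags[name]}"
        derived[name] = {"interface": ifname, **settings}
    return derived

def unauthenticated(derived):
    """Names whose derived af-interface carries no authentication mode."""
    return sorted(name for name, s in derived.items() if s["auth"] is None)

VNET_TAGS = {"orange": 101, "red": 102}
# Values the text and show output attribute to the lab configuration.
LAB = derive(
    trunk_af={"auth": "hmac-sha-256"},
    vnet_submodes={"global": {"hello": 30, "hold": 90}, "orange": {"hello": 15}},
    vnet_tags=VNET_TAGS,
)
# Constructed variant: authentication placed only in the "vnet global" sub-mode.
# Under the two rules above nothing carries it to the orange and red subinterfaces.
VARIANT = derive(
    trunk_af={},
    vnet_submodes={"global": {"hello": 30, "hold": 90, "auth": "hmac-sha-256"},
                   "orange": {"hello": 15}},
    vnet_tags=VNET_TAGS,
)

if __name__ == "__main__":
    for name, s in LAB.items():
        print(name, s)
    print("no authentication in variant:", unauthenticated(VARIANT))
```

The LAB result matches the Hello-interval, Hold-time and Authentication mode lines in the three show outputs above; comparing such a model against show derived-config is a quick way to confirm that no automatically created subinterface is left without authentication.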
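One advantage of EVN is the ability to replicate routes between VNETs. For example, R4 in VRF red might need access to a service on 192.168.13.0/24, which is part of VRF orange. This can be achieved with the following configuration.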
R2#show run
vrf definition orange
 vnet tag 101
 !
 address-family ipv4
 exit-address-family
!
vrf definition red
 vnet tag 102
 !
 address-family ipv4
  route-replicate from vrf orange unicast eigrp 101 route-map filter
 exit-address-family
!
<output removed>
!
ip prefix-list filter seq 5 permit 192.168.13.0/24
!
route-map filter permit 10
 match ip address prefix-list filter
!
The 192.168.13.0/24 prefix now appears in VRF red, but the ping does not work because no route for the source address has been replicated into VNET orange.
R2#show ip route vrf red
Routing Table: red
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D 10.5.5.5/32 [90/1536640] via 10.12.12.1, 03:48:46, Ethernet0/0.102
D 10.6.6.6/32 [90/1024640] via 192.168.26.6, 03:48:37, Ethernet2/0
C 10.12.12.0/24 is directly connected, Ethernet0/0.102
L 10.12.12.2/32 is directly connected, Ethernet0/0.102
D + 192.168.13.0/24
[90/1536000] via 10.12.12.1 (orange), 03:48:46, Ethernet0/0.101
D 192.168.15.0/24 [90/1536000] via 10.12.12.1, 03:48:46, Ethernet0/0.102
192.168.26.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.26.0/24 is directly connected, Ethernet2/0
L 192.168.26.2/32 is directly connected, Ethernet2/0
R2#
R2#
R2#ping vrf red 192.168.13.1 source e2/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.26.2
.....
Success rate is 0 percent (0/5)
After all routes are replicated from VRF red into VRF orange on R1 with a similar configuration:
R2#ping vrf red 192.168.13.1 source e2/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.26.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R2#
Note: You can route-replicate connected, BGP, EIGRP, and so on. See the references for more examples.
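The failed and successful pings above come down to which prefixes each VRF table holds after replication. The following added example (not part of the original document) models the prefix-list filter on R2 and the return-path lookup on R1; the R2 orange table and both R1 tables are constructed for illustration because the page does not show them.

```python
import ipaddress

def replicate(src_routes, prefix_list=None):
    """Prefixes that route-replicate copies out of the source VRF.
    A prefix-list entry without ge/le matches that exact prefix only;
    prefix_list=None models replication with no route-map."""
    if prefix_list is None:
        return set(src_routes)
    allowed = {ipaddress.ip_network(p) for p in prefix_list}
    return {r for r in src_routes if ipaddress.ip_network(r) in allowed}

def has_route(table, address):
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(p) for p in table)

def ping_ok(forward_table, return_table, src, dst):
    """An echo needs a route to dst where it is sent and a route back to src
    in the table that handles the reply."""
    return has_route(forward_table, dst) and has_route(return_table, src)

# R2 VRF red as shown in "show ip route vrf red", minus the replicated entry.
R2_RED = {"10.5.5.5/32", "10.6.6.6/32", "10.12.12.0/24",
          "192.168.15.0/24", "192.168.26.0/24"}
# Constructed tables: the page does not show these.
R2_ORANGE = {"10.12.12.0/24", "192.168.13.0/24", "192.168.24.0/24"}
R1_ORANGE = {"10.12.12.0/24", "192.168.13.0/24", "192.168.24.0/24"}
R1_RED = {"10.12.12.0/24", "192.168.15.0/24", "192.168.26.0/24"}

LEAKED = replicate(R2_ORANGE, ["192.168.13.0/24"])   # ip prefix-list filter
R2_RED_AFTER = R2_RED | LEAKED

def lab_results():
    src, dst = "192.168.26.2", "192.168.13.1"
    one_way = ping_ok(R2_RED_AFTER, R1_ORANGE, src, dst)
    both_ways = ping_ok(R2_RED_AFTER, R1_ORANGE | replicate(R1_RED), src, dst)
    return one_way, both_ways

if __name__ == "__main__":
    print("replicated into red:", sorted(LEAKED))
    print("ping before/after return-path replication:", lab_results())
```

Replicating every red route into orange, as done on R1 here, makes all of red reachable from orange; a route-map like the one on R2 limits the exchange to the prefixes that are actually needed.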
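Another nice EVN feature is the concept of routing context. It lets you execute commands within VRF red without including "vrf red" in every CLI command. For example, the same ping as above performed with routing context looks like this.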
R2#routing-context vrf red
R2%red#ping 192.168.13.1 source e2/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.26.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R2%red#
The output of the traceroute command also shows the VNET VRF names, which helps with troubleshooting, particularly when route replication is involved.
R6#traceroute 192.168.13.3
Type escape sequence to abort.
Tracing the route to 192.168.13.3
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.26.2 (red,orange/101) 1 msec 0 msec 0 msec
2 10.12.12.1 (orange/101,orange) 2 msec 1 msec 1 msec
3 192.168.13.3 0 msec * 1 msec
The same trace from R2:
R2#trace vrf red 192.168.13.3 source 192.168.26.2
Type escape sequence to abort.
Tracing the route to 192.168.13.3
VRF info: (vrf in name/id, vrf out name/id)
1 10.12.12.1 (orange/101,orange) 1 msec 1 msec 0 msec
2 192.168.13.3 1 msec * 1 msec
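In this output you can see that from R2 the next hop reaches 192.168.13.0/24 directly in VRF orange.
EVN VNET configuration combined with EIGRP named mode gives customers a way to deploy a virtualized network environment and removes some of the complexity associated with traditional MPLS VPN or VRF-lite. Understanding the inheritance rules is key to deploying this feature successfully and ensuring the network behaves as expected.
Easy Virtual Networks White Paper
Configuration Guide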