This document describes the steps to configure and verify a Shared Services configuration with a shared BD in ACI.
The Shared Services configuration supports communication between EPGs that reside in different VRFs within the ACI fabric.
Shared Services leverages three PcTag classes:
| Class name | PcTag range |
|---|---|
| System | 1 - 15 |
| Global | 16 - 16385 |
| Local | 16386 - 65535 |
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Note: vzAny is not supported as a Shared Services provider.
In this example scenario, the shared subnet is configured under EPG-2.
Note: if the same subnet is defined under both the EPG and its associated BD, both definitions must be set with the same scope values.
This option optimizes TCAM utilization and completes the Shared Services configuration. TCAM is optimized because the zoning rules only need to be programmed in the consumer VRF. In this scenario the consumer VRF is present only on leaf 101.
Consumer Leaf 101
The routing information on leaf 101 for consumer VRF PJ:VRF-1 shows the route to 192.168.10.10 via VNID 2260992, which is the provider VRF PJ:VRF-2:
leaf101# show ip route 192.168.10.10 vrf PJ:VRF-1
IP Route Table for VRF "PJ:VRF-1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

192.168.10.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 10.0.240.33%overlay-1, [1/0], 23:06:11, static, tag 4294967294, rwVnid: vxlan-2260992
         recursive next hop: 10.0.240.33/32%overlay-1
The traffic flow can be verified with ELAM on consumer leaf 101 for the ICMP request from source 10.10.10.10 to destination 192.168.10.10:
leaf101# vsh_lc
module-1# trigger reset
module-1# trigger init in-select 6 out-select 1
module-1# set outer ipv4 src_ip 10.10.10.10 dst_ip 192.168.10.10
module-1# start
module-1# ereport
...
-----------------------------------------------------------------------------------------------------------------------------------
Outer L3 Header
-----------------------------------------------------------------------------------------------------------------------------------
...
IP Protocol Number : ICMP
IP CheckSum : 37262( 0x918E )
Destination IP : 192.168.10.10
Source IP : 10.10.10.10
-----------------------------------------------------------------------------------------------------------------------------------
Contract Lookup Key
-----------------------------------------------------------------------------------------------------------------------------------
IP Protocol : ICMP( 0x1 )
L4 Src Port : 2048( 0x800 )
L4 Dst Port : 16568( 0x40B8 )
sclass (src pcTag) : 16388( 0x4004 )
dclass (dst pcTag) : 10930( 0x2AB2 )
src pcTag is from local table : yes
derived from a local table on this node by the lookup of src IP or MAC
Unknown Unicast / Flood Packet : no
If yes, Contract is not applied here because it is flooded
-----------------------------------------------------------------------------------------------------------------------------------
Contract Result
-----------------------------------------------------------------------------------------------------------------------------------
Contract Drop : no
Contract Logging : no
Contract Applied : yes
Contract Hit : yes
Contract Aclqos Stats Index : 81874
( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81874" )
The report shows that the contract was applied on consumer leaf 101, with Src pcTag 16388 (EPG-1) and Dst pcTag 10930 (EPG-2) assigned.
These values can be compared against the zoning rules programmed in the consumer VRF PJ:VRF-1 (VNID 3080192) to identify the rule ID that was hit:
leaf101# show zoning-rule scope 3080192
+---------+--------+--------+----------+----------------+---------+---------+--------------+----------+------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+--------------+----------+------------------------+
| 4117 | 10930 | 0 | implicit | uni-dir | enabled | 3080192 | | deny,log | shsrc_any_any_deny(12) |
| 4108 | 10930 | 16388 | 8 | uni-dir-ignore | enabled | 3080192 | PJ:EPG1-EPG2 | permit | fully_qual(7) |
| 4118 | 16388 | 10930 | 8 | bi-dir | enabled | 3080192 | PJ:EPG1-EPG2 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+--------------+----------+------------------------+
Note: an implicit deny rule is created automatically from the provider EPG-2 (PcTag 10930) to any (PcTag 0). This prevents communication from the provider VRF into the consumer VRF unless an additional contract between the EPGs allows it.
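As an added example (not Cisco code or output), the following Python parses the consumer-VRF zoning rules shown above, classifies pcTags with the System/Global/Local ranges from the table at the top of this document, and resolves which rule an sclass/dclass pair taken from an ELAM report hits. The pipe-table parsing and the rule selection are my own; they assume that, among matching rules, the lowest numeric priority value wins, which is how fully_qual(7) beats shsrc_any_any_deny(12).

```python
import re

# Added example, not Cisco code: classify pcTags by the page's ranges and find the zoning rule an ELAM sclass/dclass pair hits.
def pctag_class(tag: int) -> str:
    if 1 <= tag <= 15:
        return "system"
    if 16 <= tag <= 16385:
        return "global"
    if 16386 <= tag <= 65535:
        return "local"
    raise ValueError(f"pcTag {tag} is outside the 1-65535 range")

# Sample input constructed from the leaf101 'show zoning-rule scope 3080192' output above.
ZONING_RULES = """
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
| 4117 | 10930 | 0 | implicit | uni-dir | enabled | 3080192 | | deny,log | shsrc_any_any_deny(12) |
| 4108 | 10930 | 16388 | 8 | uni-dir-ignore | enabled | 3080192 | PJ:EPG1-EPG2 | permit | fully_qual(7) |
| 4118 | 16388 | 10930 | 8 | bi-dir | enabled | 3080192 | PJ:EPG1-EPG2 | permit | fully_qual(7) |
"""

def parse_zoning_rules(text: str) -> list:
    """Parse pipe rows of 'show zoning-rule' into dicts; borders and the header row are skipped."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("|") or "Rule ID" in line:
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        rule_id, src, dst, filt, direction, oper, scope, name, action, prio = cells
        rules.append({
            "id": int(rule_id), "src": int(src), "dst": int(dst), "filter": filt,
            "dir": direction, "scope": int(scope), "name": name, "action": action,
            # the number in parentheses is the priority; a lower value wins the lookup
            "priority": int(re.search(r"\((\d+)\)", prio).group(1)),
        })
    return rules

def match_rule(rules: list, sclass: int, dclass: int):
    """Return the winning rule for an sclass/dclass pair (None if nothing matches).
    SrcEPG/DstEPG 0 is the 'any' wildcard; among matching rules the lowest priority
    value wins, which is why fully_qual(7) beats the implicit shsrc_any_any_deny(12)."""
    hits = [r for r in rules if r["src"] in (0, sclass) and r["dst"] in (0, dclass)]
    return min(hits, key=lambda r: r["priority"], default=None)

if __name__ == "__main__":
    rules = parse_zoning_rules(ZONING_RULES)
    print(pctag_class(16388), pctag_class(10930), pctag_class(14))  # local global system
    print(match_rule(rules, 16388, 10930)["id"])      # EPG-1 -> EPG-2: rule 4118, permit
    print(match_rule(rules, 10930, 16388)["id"])      # EPG-2 -> EPG-1: rule 4108 wins over the any-deny
    print(match_rule(rules, 10930, 40000)["action"])  # EPG-2 -> unmatched local pcTag: deny,log (rule 4117)
```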
Provider Leaf 102
The routing information on leaf 102 for provider VRF PJ:VRF-2 shows the route to 10.10.10.10 via VNID 3080192, which is the consumer VRF PJ:VRF-1:
leaf102# show ip route 10.10.10.10 vrf PJ:VRF-2
IP Route Table for VRF "PJ:VRF-2"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.10.10.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 10.0.240.33%overlay-1, [1/0], 1d22h, static, tag 4294967294, rwVnid: vxlan-3080192
         recursive next hop: 10.0.240.33/32%overlay-1
The traffic flow can be verified with ELAM on provider leaf 102 for the ICMP request from source 192.168.10.10 to destination 10.10.10.10:
leaf102# trigger reset
module-1# trigger init in-select 6 out-select 1
module-1# set outer ipv4 src_ip 192.168.10.10 dst_ip 10.10.10.10
module-1# start
module-1# ereport
...
-----------------------------------------------------------------------------------------------------------------------------------
Outer L3 Header
-----------------------------------------------------------------------------------------------------------------------------------
...
IP Protocol Number : ICMP
IP CheckSum : 37262( 0x918E )
Destination IP : 10.10.10.10
Source IP : 192.168.10.10
-----------------------------------------------------------------------------------------------------------------------------------
Contract Lookup Key
-----------------------------------------------------------------------------------------------------------------------------------
IP Protocol : ICMP( 0x1 )
L4 Src Port : 0( 0x0 )
L4 Dst Port : 18616( 0x48B8 )
sclass (src pcTag) : 10930( 0x2AB2 )
dclass (dst pcTag) : 14( 0xE )
src pcTag is from local table : yes
derived from a local table on this node by the lookup of src IP or MAC
Unknown Unicast / Flood Packet : no
If yes, Contract is not applied here because it is flooded
-----------------------------------------------------------------------------------------------------------------------------------
Contract Result
-----------------------------------------------------------------------------------------------------------------------------------
Contract Drop : no
Contract Logging : no
Contract Applied : no
Contract Hit : yes
Contract Aclqos Stats Index : 81873
( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81873" )
In this report, note that both sclass and dclass are non-local values.
The Shared Services provider EPG-2 now derives a global PcTag of 10930.
The class assigned to this packet is the Shared Services consumer PcTag 14. PcTag 14 is a system PcTag reserved for inter-VRF traffic.
Observe that a special zoning rule is programmed on provider leaf 102 between provider EPG-2 PcTag 10930 and the Shared Services consumer system PcTag 14, with its Action set to permit_override. This rule allows matching flows to be forwarded to the consumer leaf for the final policy lookup:
leaf102# show zoning-rule
+---------+--------+--------+----------+---------+---------+----------+------+-----------------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+----------+------+-----------------+----------------------+
| 4113 | 10930 | 14 | implicit | uni-dir | enabled | 2260992 | | permit_override | src_dst_any(9) |
+---------+--------+--------+----------+---------+---------+----------+------+-----------------+----------------------+
In this example scenario, the shared subnet is configured only in BD-2.
To complete the Shared Services configuration, the contract must be both consumed and provided on both EPGs (EPG-1 and EPG-2).
When the Shared Services contract is provided and consumed on both EPGs, the packet flow between EPG-1 (leaf 101) and EPG-2 (leaf 102) shows the following properties:
The routing information is the same as in scenario 1.
"Provider" Leaf 101:
Leaf101# vsh_lc
module-1# trigger reset
module-1# trigger init in-select 6 out-select 1
module-1# set outer ipv4 src_ip 10.10.10.10 dst_ip 192.168.10.10
module-1# start
module-1# status
module-1# ereport
...
-----------------------------------------------------------------------------------------------------------------------------------
Outer L3 Header
-----------------------------------------------------------------------------------------------------------------------------------
...
IP Protocol Number : ICMP
IP CheckSum : 23304( 0x5B08 )
Destination IP : 192.168.10.10
Source IP : 10.10.10.10
-----------------------------------------------------------------------------------------------------------------------------------
Contract Lookup Key
-----------------------------------------------------------------------------------------------------------------------------------
IP Protocol : ICMP( 0x1 )
L4 Src Port : 2048( 0x800 )
L4 Dst Port : 59074( 0xE6C2 )
sclass (src pcTag) : 18( 0x12 )
dclass (dst pcTag) : 14( 0xE )
src pcTag is from local table : yes
derived from a local table on this node by the lookup of src IP or MAC
Unknown Unicast / Flood Packet : no
If yes, Contract is not applied here because it is flooded
-----------------------------------------------------------------------------------------------------------------------------------
Contract Result
-----------------------------------------------------------------------------------------------------------------------------------
Contract Drop : no
Contract Logging : no
Contract Applied : no
Contract Hit : yes
Contract Aclqos Stats Index : 81873
( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81873" )
Observe that class 14 is assigned. This indicates that the traffic is allowed to continue through the permit_override rule so that the consumer leaf can drive the final policy lookup.
"Consumer" Leaf 102
Leaf102# vsh_lc
module-1# trigger reset
module-1# trigger init in-select 14 out-select 1
module-1# set inner ipv4 src_ip 10.10.10.10 dst_ip 192.168.10.10
module-1# start
module-1# ereport
...
-----------------------------------------------------------------------------------------------------------------------------------
Inner L3 Header
-----------------------------------------------------------------------------------------------------------------------------------
...
IP Protocol Number : ICMP
Destination IP : 192.168.10.10
Source IP : 10.10.10.10
-----------------------------------------------------------------------------------------------------------------------------------
Contract Lookup Key
-----------------------------------------------------------------------------------------------------------------------------------
IP Protocol : ICMP( 0x1 )
L4 Src Port : 2048( 0x800 )
L4 Dst Port : 26203( 0x665B )
sclass (src pcTag) : 18( 0x12 )
dclass (dst pcTag) : 10930( 0x2AB2 )
src pcTag is from local table : no
derived from group-id in iVxLAN header of incoming packet
Unknown Unicast / Flood Packet : no
If yes, Contract is not applied here because it is flooded
-----------------------------------------------------------------------------------------------------------------------------------
Contract Result
-----------------------------------------------------------------------------------------------------------------------------------
Contract Drop : no
Contract Logging : no
Contract Applied : yes
Contract Hit : yes
Contract Aclqos Stats Index : 81874
( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81874" )
Observe that both EPG-1 and EPG-2 now own global PcTags: EPG-1 is PcTag 18 and EPG-2 is PcTag 10930.
When the Shared Services contract is provided and consumed on both EPGs, the packet flow between EPG-2 (leaf 102) and EPG-1 (leaf 101) shows the following properties:
The routing information is the same as in scenario 1.
"Provider" Leaf 102
Leaf102# vsh_lc
module-1# trigger reset
module-1# trigger init in-select 6 out-select 1
module-1# set outer ipv4 src_ip 192.168.10.10 dst_ip 10.10.10.10
module-1# start
module-1# ereport
...
-----------------------------------------------------------------------------------------------------------------------------------
Outer L3 Header
-----------------------------------------------------------------------------------------------------------------------------------
...
IP Protocol Number : ICMP
IP CheckSum : 23308( 0x5B0C )
Destination IP : 10.10.10.10
Source IP : 192.168.10.10
-----------------------------------------------------------------------------------------------------------------------------------
Contract Lookup Key
-----------------------------------------------------------------------------------------------------------------------------------
IP Protocol : ICMP( 0x1 )
L4 Src Port : 0( 0x0 )
L4 Dst Port : 56682( 0xDD6A )
sclass (src pcTag) : 10930( 0x2AB2 )
dclass (dst pcTag) : 14( 0xE )
src pcTag is from local table : yes
derived from a local table on this node by the lookup of src IP or MAC
Unknown Unicast / Flood Packet : no
If yes, Contract is not applied here because it is flooded
-----------------------------------------------------------------------------------------------------------------------------------
Contract Result
-----------------------------------------------------------------------------------------------------------------------------------
Contract Drop : no
Contract Logging : no
Contract Applied : no
Contract Hit : yes
Contract Aclqos Stats Index : 81873
( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81873" )
Observe that class 14 is assigned. This indicates that the traffic is allowed to continue through the permit_override rule so that the consumer leaf can drive the final policy lookup.
"Consumer" Leaf 101
Leaf101# vsh_lc
module-1# trigger reset
module-1# trigger init in-select 6 out-select 1
module-1# set outer ipv4 src_ip 192.168.10.10 dst_ip 10.10.10.10
module-1# start
module-1# ereport
-----------------------------------------------------------------------------------------------------------------------------------
Inner L3 Header
-----------------------------------------------------------------------------------------------------------------------------------
L3 Type : IPv4
DSCP : 0
Don't Fragment Bit : 0x0
TTL : 254
IP Protocol Number : ICMP
Destination IP : 10.10.10.10
Source IP : 192.168.10.10
-----------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------
Contract Lookup Key
-----------------------------------------------------------------------------------------------------------------------------------
IP Protocol : ICMP( 0x1 )
L4 Src Port : 0( 0x0 )
L4 Dst Port : 22874( 0x595A )
sclass (src pcTag) : 10930( 0x2AB2 )
dclass (dst pcTag) : 18( 0x12 )
src pcTag is from local table : no
derived from group-id in iVxLAN header of incoming packet
Unknown Unicast / Flood Packet : no
If yes, Contract is not applied here because it is flooded
-----------------------------------------------------------------------------------------------------------------------------------
Contract Result
-----------------------------------------------------------------------------------------------------------------------------------
Contract Drop : no
Contract Logging : no
Contract Applied : yes
Contract Hit : yes
Contract Aclqos Stats Index : 81874
( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81874" )
In the BD-to-BD case, observe that the zoning rules are doubled because EPG-1 and EPG-2 are both Shared Services contract consumers:
Leaf101# show zoning-rule scope 3080192
+---------+--------+--------+----------+----------------+---------+---------+--------------+-----------------+------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+--------------+-----------------+------------------------+
| 4117 | 10930 | 0 | implicit | uni-dir | enabled | 3080192 | | deny,log | shsrc_any_any_deny(12) |
| 4129 | 18 | 14 | implicit | uni-dir | enabled | 3080192 | | permit_override | src_dst_any(9) |
| 4128 | 10930 | 18 | 8 | bi-dir | enabled | 3080192 | PJ:EPG1-EPG2 | permit | fully_qual(7) |
| 4127 | 18 | 10930 | 8 | uni-dir-ignore | enabled | 3080192 | PJ:EPG1-EPG2 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+--------------+-----------------+------------------------+

Leaf102# show zoning-rule scope 2260992
+---------+--------+--------+----------+----------------+---------+---------+--------------+-----------------+------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+--------------+-----------------+------------------------+
| 4113 | 10930 | 14 | implicit | uni-dir | enabled | 2260992 | | permit_override | src_dst_any(9) |
| 4123 | 18 | 10930 | 8 | bi-dir | enabled | 2260992 | PJ:EPG1-EPG2 | permit | fully_qual(7) |
| 4124 | 18 | 0 | implicit | uni-dir | enabled | 2260992 | | deny,log | shsrc_any_any_deny(12) |
| 4122 | 10930 | 18 | 8 | uni-dir-ignore | enabled | 2260992 | PJ:EPG1-EPG2 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+--------------+-----------------+------------------------+
Note: because of this configuration, the number of implicit shsrc_any_any_deny and permit_override zoning rules is also doubled.
Both configuration options achieve the Shared Services functionality, but the BD-to-BD approach comes at the cost of additional TCAM consumption.
| Revision | Publish Date | Comments |
|---|---|---|
| 2.0 | 19-Oct-2022 | Fixed Cisco Live link |
| 1.0 | 13-Sep-2022 | Initial release |