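This document demonstrates how to configure EVN (Easy Virtual Network) with EIGRP (Enhanced Interior Gateway Routing Protocol) named mode. It complements the Easy Virtual Network Configuration document, which demonstrates the use of OSPF (Open Shortest Path First) and other advanced topics such as VNET trunk lists and route replication. EVN VNET is intended to make deploying multiple VRFs easier for operators than MPLS (Multiprotocol Label Switching) VPN (Virtual Private Network) or VRF-lite (Virtual Routing and Forwarding). EVN VNET uses the concept of cloned configuration for the routing protocol and the VNET trunk interface to reduce the operator's burden and save some repetitive tasks. Troubleshooting EIGRP, routing, or CEF (Cisco Express Forwarding) is outside the scope of this document; unless noted otherwise, you can follow normal troubleshooting procedures.
Cisco recommends that you have basic knowledge of EIGRP.
This feature is available in several releases after IOS Version 15.2. To verify whether EIGRP named mode with EVN VNET is supported, check the output of show ip eigrp plugins. If Easy Virtual Network 1.00.00 or later is present, your release supports the feature.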
R1#show eigrp plugins
EIGRP feature plugins:::
eigrp-release : 21.00.00 : Portable EIGRP Release
: 1.00.10 : Source Component Release(rel21)
parser : 2.02.00 : EIGRP Parser Support
igrp2 : 2.00.00 : Reliable Transport/Dual Database
bfd : 2.00.00 : BFD Platform Support
mtr : 1.00.01 : Multi-Topology Routing(MTR)
eigrp-pfr : 1.00.01 : Performance Routing Support
EVN/vNets : 1.00.00 : Easy Virtual Network (EVN/vNets)
ipv4-af : 2.01.01 : Routing Protocol Support
ipv4-sf : 1.02.00 : Service Distribution Support
vNets-parse : 1.00.00 : EIGRP vNets Parse Support
ipv6-af : 2.01.01 : Routing Protocol Support
ipv6-sf : 2.01.00 : Service Distribution Support
snmp-agent : 2.00.00 : SNMP/SNMPv2 Agent Support
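Note: EIGRP named mode with EVN VNET is not supported in 15.1SY. In this release you must use the classic mode EIGRP configuration, which is demonstrated in the available documentation.
BFD (Bidirectional Forwarding Detection) is currently supported only on vnet global and does not work on any of the named VNET subinterfaces on the VNET trunk.
When you use EIGRP named mode with EVN VNET, it is recommended not to use af-interface default, because unpredictable inheritance can occur.
The information in this document was created from devices in a specific lab environment that run Cisco IOS Version 15.6(1)S2. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The configurations of R3, R4, R5, and R6 are all similar, so they are omitted from the document. They are configured only to form EIGRP neighbors with R1 or R2, and they are not aware that EVN VNET is used between R1 and R2.
Relevant configuration from R1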
vrf definition orange
vnet tag 101
!
address-family ipv4
exit-address-family
!
vrf definition red
vnet tag 102
!
address-family ipv4
exit-address-family
!
interface Ethernet0/0
vnet trunk
ip address 10.12.12.1 255.255.255.0
!
interface Ethernet1/0
vrf forwarding orange
ip address 192.168.13.1 255.255.255.0
!
interface Ethernet2/0
vrf forwarding red
ip address 192.168.15.1 255.255.255.0
!
!
router eigrp named
!
address-family ipv4 unicast autonomous-system 100
!
af-interface Ethernet0/0
authentication mode hmac-sha-256 cisco
exit-af-interface
!
topology base
exit-af-topology
network 10.0.0.0
exit-address-family
!
address-family ipv4 unicast vrf orange autonomous-system 101
!
af-interface Ethernet1/0
authentication mode hmac-sha-256 cisco
exit-af-interface
!
topology base
exit-af-topology
network 10.0.0.0
network 192.168.13.0
exit-address-family
!
address-family ipv4 unicast vrf red autonomous-system 102
!
topology base
exit-af-topology
network 10.0.0.0
network 192.168.15.0
exit-address-family
Relevant configuration from R2
vrf definition orange
vnet tag 101
!
address-family ipv4
exit-address-family
!
vrf definition red
vnet tag 102
!
address-family ipv4
exit-address-family
!
interface Ethernet0/0
vnet trunk
ip address 10.12.12.2 255.255.255.0
!
interface Ethernet1/0
vrf forwarding orange
ip address 192.168.24.2 255.255.255.0
!
interface Ethernet2/0
vrf forwarding red
ip address 192.168.26.2 255.255.255.0
!
!
router eigrp named
!
address-family ipv4 unicast autonomous-system 100
!
af-interface Ethernet0/0
authentication mode hmac-sha-256 cisco
exit-af-interface
!
topology base
exit-af-topology
network 10.0.0.0
exit-address-family
!
address-family ipv4 unicast vrf orange autonomous-system 101
!
af-interface Ethernet1/0
authentication mode hmac-sha-256 cisco
exit-af-interface
!
topology base
exit-af-topology
network 10.0.0.0
network 192.168.24.0
exit-address-family
!
address-family ipv4 unicast vrf red autonomous-system 102
!
topology base
exit-af-topology
network 10.0.0.0
network 192.168.26.0
exit-address-family
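One of the advantages of Easy Virtual Network is the simplicity of the configuration. This is achieved by automatic configuration of the VNET trunk for each VNET tag. Compare EVN with VRF-lite, where each subinterface must be configured manually. Ethernet0/0 is the VNET trunk that connects R1 and R2, and a VNET subinterface is created automatically for each VNET; it meets EVN's traffic separation requirement by adding the dot1Q VNET tag to frames. These subinterfaces are not visible in the output of show running-configuration, but they can be seen in show derived-config.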
R1#show derived-config | sec Ethernet0/0
interface Ethernet0/0
vnet trunk
ip address 10.12.12.1 255.255.255.0
no ip redirects
no ip proxy-arp
interface Ethernet0/0.101
description Subinterface for VNET orange
encapsulation dot1Q 101
vrf forwarding orange
ip address 10.12.12.1 255.255.255.0
no ip proxy-arp
interface Ethernet0/0.102
description Subinterface for VNET red
encapsulation dot1Q 102
vrf forwarding red
ip address 10.12.12.1 255.255.255.0
no ip proxy-arp
Similarly, you can see that the EIGRP configuration is also created automatically:
R1#show derived-config | sec router eigrp
router eigrp named
!
address-family ipv4 unicast autonomous-system 100
!
af-interface Ethernet0/0
authentication mode hmac-sha-256 cisco
exit-af-interface
!
topology base
exit-af-topology
network 10.0.0.0
exit-address-family
!
address-family ipv4 unicast vrf orange autonomous-system 101
!
af-interface Ethernet0/0.101
authentication mode hmac-sha-256 cisco
exit-af-interface
!
af-interface Ethernet1/0
authentication mode hmac-sha-256 cisco
exit-af-interface
!
topology base
exit-af-topology
network 10.0.0.0
network 192.168.13.0
exit-address-family
!
address-family ipv4 unicast vrf red autonomous-system 102
!
af-interface Ethernet0/0.102
authentication mode hmac-sha-256 cisco
exit-af-interface
!
topology base
exit-af-topology
network 10.0.0.0
network 192.168.15.0
exit-address-family
R1#
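An interesting observation in the output above is the inheritance from af-interface Ethernet0/0 in the global VRF autonomous system 100 to the VNET subinterfaces. The following section explains this in more detail:
The following diagram is used to help visualize the inheritance rules when EIGRP named mode is used with EVN VNET.
In the example above, there is one VNET trunk, af-interface Ethernet0/0, from which the VNET subinterfaces receive their derived configuration. Some non-default values (such as hello-interval, hold-time, and authentication) have been configured to demonstrate the inheritance. You will also notice the vnet sub-mode under the af-interface in the global EIGRP process. This is a way to control which configuration options are cloned to the dynamically created af-interface of each VNET in its EIGRP VRF configuration.
For example, the derived configuration for Eth0/0 in the global routing table is inherited from vnet global (hello-interval 30, hold-time 90). The authentication mode hmac-sha-256 for Eth0/0 is configured directly on this af-interface in the running-config, and the derived-config output shows that Eth0/0 has inherited the command. Because the authentication mode is configured on the VNET trunk af-interface, all VNET interfaces inherit it.
For VRF orange, vnet orange is configured in the running-config with a hello-interval of 15. In the derived configuration for VRF orange, which can be seen in autonomous system 101, the hello-interval of 15 is taken from the vnet sub-mode under af-interface Eth0/0 in the global process. The hold-time was not modified and is cloned from af-interface Eth0/0, which uses the default value.
VNET red has no configuration differences from af-interface Eth0/0, so it inherits the default timer values and the authentication mode.
These configuration options give the operator the flexibility to use different parameters for each VNET trunk subinterface, for example different timer values, authentication modes, or passive interfaces. To summarize the inheritance rules: all VNETs inherit configuration from the VNET trunk af-interface. VNET-specific configuration in the vnet sub-mode is also inherited by the VNET trunk subinterface and takes precedence over the parameters from the af-interface.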
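An added example (not from the original document or from Cisco): a Python check that reads derived-config text and lists EIGRP interfaces with no authentication mode, which shows where inheritance from the trunk af-interface stops. The function names and the condensed SAMPLE text are constructed for illustration, and the check assumes every interface in a VRF that has an EIGRP address family is matched by a network statement.

```python
# SAMPLE is constructed: condensed from R1's configuration on this page ("!" and topology lines dropped).
SAMPLE = """\
interface Ethernet0/0
interface Ethernet0/0.101
 vrf forwarding orange
interface Ethernet0/0.102
 vrf forwarding red
interface Ethernet1/0
 vrf forwarding orange
interface Ethernet2/0
 vrf forwarding red
router eigrp named
 address-family ipv4 unicast autonomous-system 100
  af-interface Ethernet0/0
   authentication mode hmac-sha-256 cisco
 address-family ipv4 unicast vrf orange autonomous-system 101
  af-interface Ethernet0/0.101
   authentication mode hmac-sha-256 cisco
  af-interface Ethernet1/0
   authentication mode hmac-sha-256 cisco
 address-family ipv4 unicast vrf red autonomous-system 102
  af-interface Ethernet0/0.102
   authentication mode hmac-sha-256 cisco
"""

def audit(text):
    """Map (vrf, interface) -> authentication mode, or None when no mode is derived.
    Assumption: every interface in a VRF with an EIGRP address family runs EIGRP."""
    iface_vrf, auth, eigrp_vrfs = {}, {}, set()
    iface, vrf, af_if, in_eigrp = None, None, None, False
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] == "interface":
            iface, in_eigrp = words[1], False
            iface_vrf[iface] = "global"   # until a "vrf forwarding" line says otherwise
        elif words[0] == "router":
            in_eigrp = words[1:2] == ["eigrp"]
        elif not in_eigrp:
            if words[:2] == ["vrf", "forwarding"] and iface:
                iface_vrf[iface] = words[2]
        elif words[0] == "address-family":
            vrf = words[words.index("vrf") + 1] if "vrf" in words else "global"
            eigrp_vrfs.add(vrf)
        elif words[0] == "af-interface":
            af_if = words[1]
        elif words[:2] == ["authentication", "mode"] and af_if:
            auth[(vrf, af_if)] = words[2]
    return {(v, i): auth.get((v, i)) for i, v in iface_vrf.items() if v in eigrp_vrfs}

def unauthenticated(text):
    return sorted(key for key, mode in audit(text).items() if mode is None)
```

On R1's configuration it returns only ("red", "Ethernet2/0"): the VNET subinterfaces inherit hmac-sha-256 from the trunk af-interface, but the edge interface in VRF red has no af-interface stanza of its own.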
Here is some additional output used to verify the configuration inheritance:
R1#show eigrp address-family ipv4 interface detail e0/0
EIGRP-IPv4 VR(named) Address-Family Interfaces for AS(100)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Et0/0 1 0/0 0/0 6 0/2 50 0
Hello-interval is 30, Hold-time is 90
Split-horizon is enabled
Next xmit serial <none>
Packetized sent/expedited: 3/1
Hello's sent/expedited: 2959/3
Un/reliable mcasts: 0/4 Un/reliable ucasts: 5/5
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 3 Out-of-sequence rcvd: 1
Topology-ids on interface - 0
Authentication mode is HMAC-SHA-256, key-chain is not set
Topologies advertised on this interface: base
Topologies not advertised on this interface:
R1#show eigrp address-family ipv4 vrf orange interface detail e0/0.101
EIGRP-IPv4 VR(named) Address-Family Interfaces for AS(101)
VRF(orange)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Et0/0.101 1 0/0 0/0 5 0/2 50 0
Hello-interval is 15, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Packetized sent/expedited: 4/1
Hello's sent/expedited: 2371/3
Un/reliable mcasts: 0/4 Un/reliable ucasts: 6/5
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 3 Out-of-sequence rcvd: 1
Topology-ids on interface - 0
Authentication mode is HMAC-SHA-256, key-chain is not set
Topologies advertised on this interface: base
Topologies not advertised on this interface:
R1#show eigrp address-family ipv4 vrf red interface detail e0/0.102
EIGRP-IPv4 VR(named) Address-Family Interfaces for AS(102)
VRF(red)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Et0/0.102 1 0/0 0/0 4 0/2 50 0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Packetized sent/expedited: 6/1
Hello's sent/expedited: 2676/3
Un/reliable mcasts: 0/6 Un/reliable ucasts: 7/5
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 3 Out-of-sequence rcvd: 1
Topology-ids on interface - 0
Authentication mode is HMAC-SHA-256, key-chain is not set
Topologies advertised on this interface: base
Topologies not advertised on this interface:
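One of the advantages of EVN is the ability to replicate routes between VNETs. For example, R4 in VRF red might need to reach a service on 192.168.13.0/24, which belongs to VRF orange. This can be accomplished with the configuration below.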
R2#show run
vrf definition orange
vnet tag 101
!
address-family ipv4
exit-address-family
!
vrf definition red
vnet tag 102
!
address-family ipv4
route-replicate from vrf orange unicast eigrp 101 route-map filter
exit-address-family
!
<output removed>
!
ip prefix-list filter seq 5 permit 192.168.13.0/24
!
route-map filter permit 10
match ip address prefix-list filter
!
The 192.168.13.0/24 prefix is now in VRF red, but the ping does not work because the source address is not route-replicated into VNET orange.
R2#show ip route vrf red
Routing Table: red
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D 10.5.5.5/32 [90/1536640] via 10.12.12.1, 03:48:46, Ethernet0/0.102
D 10.6.6.6/32 [90/1024640] via 192.168.26.6, 03:48:37, Ethernet2/0
C 10.12.12.0/24 is directly connected, Ethernet0/0.102
L 10.12.12.2/32 is directly connected, Ethernet0/0.102
D + 192.168.13.0/24
[90/1536000] via 10.12.12.1 (orange), 03:48:46, Ethernet0/0.101
D 192.168.15.0/24 [90/1536000] via 10.12.12.1, 03:48:46, Ethernet0/0.102
192.168.26.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.26.0/24 is directly connected, Ethernet2/0
L 192.168.26.2/32 is directly connected, Ethernet2/0
R2#
R2#
R2#ping vrf red 192.168.13.1 source e2/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.26.2
.....
Success rate is 0 percent (0/5)
After all routes are replicated from VRF red to VRF orange on R1 with a similar configuration:
R2#ping vrf red 192.168.13.1 source e2/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.26.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R2#
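Note: You can route-replicate connected, BGP, EIGRP, and so on. See the references for more examples.
Another benefit of EVN is the concept of routing context. This lets you execute commands within VRF red without having to include "vrf red" in each CLI command. For example, the same ping as above performed with routing context looks like this.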
R2#routing-context vrf red
R2%red#ping 192.168.13.1 source e2/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.26.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R2%red#
The output of the traceroute command also shows the VNET VRF names, which helps with troubleshooting, especially when route replication is involved.
R6#traceroute 192.168.13.3
Type escape sequence to abort.
Tracing the route to 192.168.13.3
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.26.2 (red,orange/101) 1 msec 0 msec 0 msec
2 10.12.12.1 (orange/101,orange) 2 msec 1 msec 1 msec
3 192.168.13.3 0 msec * 1 msec
The same trace from R2
R2#trace vrf red 192.168.13.3 source 192.168.26.2
Type escape sequence to abort.
Tracing the route to 192.168.13.3
VRF info: (vrf in name/id, vrf out name/id)
1 10.12.12.1 (orange/101,orange) 1 msec 1 msec 0 msec
2 192.168.13.3 1 msec * 1 msec
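In this output you can see that, from R2, the next hop in VRF orange reaches 192.168.13.0/24 directly.
The EVN VNET configuration with EIGRP named mode gives customers a way to deploy a virtualized network environment and removes some of the complexity associated with traditional MPLS VPN or VRF-lite. Understanding the inheritance rules is key to deploying this feature successfully and ensuring that the network operates as expected.
Easy Virtual Networks White Paper
Configuration Guide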