This document describes how to deploy LISP IGP Assist in Extended Subnet Mode (ESM) on the Nexus 7000.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Common Configuration on both DC1-Agg1 and DC1-Agg2

feature lisp

vrf context tenant-1                  # This example is based on SVI 144 in VRF tenant-1 and SVI 145 in VRF tenant-2
  ip lisp etr                         # Needed to initialize LISP; only etr is needed in an IGP Assist mode environment
  lisp instance-id 2                  # Instance-ID should be unique per VRF
  ip lisp locator-vrf default         # Locator is specified in the default VRF
  lisp dynamic-eid VLAN144            # Dynamic EID definition for Vlan 144
    database-mapping 172.16.144.0/24 10.10.10.1 priority 50 weight 50   # Database-mapping for 172.16.144.0/24 (Vlan 144); 10.10.10.1 is the Loopback100 IP address (the unique IP on DC1-AGG1)
    database-mapping 172.16.144.0/24 10.10.10.2 priority 50 weight 50   # Database-mapping for 172.16.144.0/24 (Vlan 144); 10.10.10.2 is the Loopback100 IP address (the unique IP on DC1-AGG2)
    map-notify-group 239.254.254.254  # Multicast group used by the LISP-enabled switches to communicate new EID learns or periodic EID notification messages
    no route-export away-dyn-eid      # Hidden command required to stop advertising any Null0 /32 route for a remote host into the IGP
  lisp dynamic-eid VLAN244            # Dynamic EID definition for Vlan 244
    database-mapping 172.16.244.0/24 10.10.10.1 priority 50 weight 50
    database-mapping 172.16.244.0/24 10.10.10.2 priority 50 weight 50
    map-notify-group 239.254.254.254
    no route-export away-dyn-eid

vrf context tenant-2
  ip lisp etr
  lisp instance-id 3
  ip lisp locator-vrf default
  lisp dynamic-eid VLAN145
    database-mapping 172.16.145.0/24 10.10.10.1 priority 50 weight 50
    database-mapping 172.16.145.0/24 10.10.10.2 priority 50 weight 50
    map-notify-group 239.254.254.254
    no route-export away-dyn-eid

Configuration on DC1-Agg1

interface Vlan144
  no shutdown
  vrf member tenant-1
  lisp mobility VLAN144
  lisp extended-subnet-mode           # SVI needs to be in ESM (Extended Subnet Mode)
  ip address 172.16.144.250/24
  ip pim sparse-mode
  hsrp 144
    preempt
    priority 254
    ip 172.16.144.254

interface Vlan145
  no shutdown
  vrf member tenant-2
  lisp mobility VLAN145
  lisp extended-subnet-mode
  ip address 172.16.145.250/24
  ip pim sparse-mode
  hsrp 145
    preempt
    priority 254
    ip 172.16.145.254

interface Vlan244
  no shutdown
  vrf member tenant-1
  lisp mobility VLAN244
  lisp extended-subnet-mode
  ip address 172.16.244.250/24
  hsrp 244
    preempt
    priority 254
    ip 172.16.244.254

interface loopback100
  ip address 10.10.10.1/32
  ip router eigrp 100
  ip pim sparse-mode

Configuration on DC1-Agg2

interface Vlan144
  no shutdown
  vrf member tenant-1
  lisp mobility VLAN144
  lisp extended-subnet-mode
  ip address 172.16.144.251/24
  ip pim sparse-mode
  hsrp 144
    ip 172.16.144.254

interface Vlan145
  no shutdown
  vrf member tenant-2
  lisp mobility VLAN145
  lisp extended-subnet-mode
  ip address 172.16.145.251/24
  ip pim sparse-mode
  hsrp 145
    ip 172.16.145.254

interface Vlan244
  no shutdown
  vrf member tenant-1
  lisp mobility VLAN244
  lisp extended-subnet-mode
  no ip redirects
  ip address 172.16.244.251/24
  hsrp 244
    ip 172.16.244.254

interface loopback100
  ip address 10.10.10.2/32
  ip router eigrp 100
  ip pim sparse-mode
# The database-mappings must be provided as follows: on the DC1 side, the loopback IP addresses of DC1-Agg1 and DC1-Agg2 are specified; on DC2-Agg1 and DC2-Agg2, unique loopbacks must be created and placed in the database-mapping.
# In IGP Assist mode, using the configuration "ip lisp itr-etr" causes /32 Null0 host routes to be injected for VLANs that are not LISP-enabled; the correct configuration for IGP Assist mode is therefore "ip lisp etr".
Common Configuration on both DC2-Agg1 and DC2-Agg2

feature lisp

vrf context tenant-1
  ip lisp etr
  lisp instance-id 2
  ip lisp locator-vrf default
  lisp dynamic-eid VLAN144
    database-mapping 172.16.144.0/24 10.10.20.1 priority 50 weight 50   # Note that the IP addresses used on the DC2 Agg switches are 10.10.20.1 and 10.10.20.2 (the Loopbacks configured on the DC2-Agg switches)
    database-mapping 172.16.144.0/24 10.10.20.2 priority 50 weight 50
    map-notify-group 239.254.254.254
    no route-export away-dyn-eid
  lisp dynamic-eid VLAN244
    database-mapping 172.16.244.0/24 10.10.20.1 priority 50 weight 50
    database-mapping 172.16.244.0/24 10.10.20.2 priority 50 weight 50
    map-notify-group 239.254.254.254
    no route-export away-dyn-eid

vrf context tenant-2
  ip lisp etr
  lisp instance-id 3
  ip lisp locator-vrf default
  lisp dynamic-eid VLAN145
    database-mapping 172.16.145.0/24 10.10.20.1 priority 50 weight 50
    database-mapping 172.16.145.0/24 10.10.20.2 priority 50 weight 50
    map-notify-group 239.254.254.254
    no route-export away-dyn-eid
Configuration on DC2-Agg1

interface Vlan144
  no shutdown
  vrf member tenant-1
  lisp mobility VLAN144
  lisp extended-subnet-mode
  ip address 172.16.144.252/24
  ip pim sparse-mode
  hsrp 144
    preempt
    priority 254
    ip 172.16.144.254

interface Vlan145
  no shutdown
  vrf member tenant-2
  lisp mobility VLAN145
  lisp extended-subnet-mode
  ip address 172.16.145.252/24
  ip pim sparse-mode
  hsrp 145
    preempt
    priority 254
    ip 172.16.145.254

interface Vlan244
  no shutdown
  vrf member tenant-1
  lisp mobility VLAN244
  lisp extended-subnet-mode
  ip redirects
  ip address 172.16.244.252/24
  hsrp 244
    preempt
    priority 254
    ip 172.16.244.254

interface loopback100
  ip address 10.10.20.1/32
  ip router eigrp 100
  ip pim sparse-mode

Configuration on DC2-Agg2

interface Vlan144
  no shutdown
  vrf member tenant-1
  lisp mobility VLAN144
  lisp extended-subnet-mode
  ip address 172.16.144.253/24
  ip pim sparse-mode
  hsrp 144
    ip 172.16.144.254

interface Vlan145
  no shutdown
  vrf member tenant-2
  lisp mobility VLAN145
  lisp extended-subnet-mode
  ip address 172.16.145.253/24
  ip pim sparse-mode
  hsrp 145
    ip 172.16.145.254

interface Vlan244
  no shutdown
  vrf member tenant-1
  lisp mobility VLAN244
  lisp extended-subnet-mode
  no ip redirects
  ip address 172.16.244.253/24
  hsrp 244
    preempt
    ip 172.16.244.254

interface loopback100
  ip address 10.10.20.2/32
  ip router eigrp 100
  ip pim sparse-mode
# The difference between the DC1 and DC2 Agg LISP configurations is the loopbacks defined in the "database-mapping". In the DC1 configuration, the loopbacks of DC1-Agg1 and DC1-Agg2 are used to define the database-mapping; for DC2, the loopbacks of DC2-Agg1 and DC2-Agg2 are used.
# The remaining IGP / route-map / prefix-list configuration shown below is similar on all switches (the IP addresses assigned to the interfaces do differ).
router eigrp 100
  address-family ipv4 unicast
  vrf tenant-1
    distance 90 245                               # External EIGRP routes must have an AD higher than the default LISP AD (240): if the route redistributed by dc1-agg1 comes back to dc1-agg2 via EIGRP, the default EIGRP external AD of 170 would override the LISP route and cause problems
    redistribute lisp route-map lisp-to-eigrp     # Redistributes only the LISP /32 routes into the IGP (EIGRP in this example)
    redistribute direct route-map direct          # Needed so that the direct routes (the /24 SVI routes in LISP) are redistributed into the IGP; required if some device tries to communicate with a silent host in the LISP-enabled Vlan
  vrf tenant-2
    distance 90 245
    redistribute lisp route-map lisp-to-eigrp
    redistribute direct route-map direct
# The LISP-enabled AGG VDC also forms an IGP neighbor relationship with the core side.
# In this example, the core-facing neighbor relationships are formed on sub-interfaces that belong to each tenant VRF, as shown below.
interface Ethernet3/6.111
  encapsulation dot1q 111
  vrf member tenant-1
  ip address 192.168.98.1/30
  ip router eigrp 100
  no shutdown

interface Ethernet3/6.212
  encapsulation dot1q 212
  vrf member tenant-2
  ip address 192.168.198.1/30
  ip router eigrp 100
  no shutdown
ip prefix-list lisp-to-eigrp seq 5 permit 0.0.0.0/0 ge 32   # Prefix list matching any /32 route that is to be redistributed from LISP into the IGP

route-map direct permit 10                  # For the direct routes

route-map lisp-to-eigrp deny 10             # Prevents any Null0 routes from being redistributed from LISP into the IGP
  match interface Null0
route-map lisp-to-eigrp permit 20           # Allows redistribution of the /32 host routes
  match ip address prefix-list lisp-to-eigrp
# All of the configuration above is required on all AGG switches (DC1 and DC2). Remember to give the SVIs and loopbacks unique IP addresses; the HSRP VIP is the same on all SVIs of a given VLAN.
HSRP Filtering
# For an IGP Assist deployment, FHRP isolation must be established when the VLANs are extended through OTV or any other mechanism;
# this is done by filtering the FHRP hello messages in the OTV VDC.
# In this example N7k OTV is used, so the following configuration is applied to filter the FHRP packets in the OTV VDC.
ip access-list ALL_IPs
  10 permit ip any any
mac access-list ALL_MACs
  10 permit any any
ip access-list HSRP_IP
  10 permit udp any 224.0.0.2/32 eq 1985
  20 permit udp any 224.0.0.102/32 eq 1985
mac access-list HSRP_VMAC
  10 permit 0000.0c07.ac00 0000.0000.00ff any
  20 permit 0000.0c9f.f000 0000.0000.0fff any
arp access-list HSRP_VMAC_ARP
  10 deny ip any mac 0000.0c07.ac00 ffff.ffff.ff00
  20 deny ip any mac 0000.0c9f.f000 ffff.ffff.f000
  30 permit ip any mac any

vlan access-map HSRP_Localization 10
  match mac address HSRP_VMAC
  match ip address HSRP_IP
  action drop
vlan access-map HSRP_Localization 20
  match mac address ALL_MACs
  match ip address ALL_IPs
  action forward
vlan filter HSRP_Localization vlan-list 144-145
ip arp inspection filter HSRP_VMAC_ARP vlan 144-145

mac-list OTV_HSRP_VMAC_deny seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00
mac-list OTV_HSRP_VMAC_deny seq 11 deny 0000.0c9f.f000 ffff.ffff.f000
mac-list OTV_HSRP_VMAC_deny seq 20 permit 0000.0000.0000 0000.0000.0000
route-map OTV_HSRP_filter permit 10
  match mac-list OTV_HSRP_VMAC_deny

otv-isis default
  vpn Overlay0
    redistribute filter route-map OTV_HSRP_filter
# The FHRP filtering configuration is needed only on the OTV VDC; if an ASR OTV deployment is used, the filtering mechanism should be applied as documented in the relevant ASR configuration guide.
OTV ARP Suppression
# Disable the OTV ARP suppression and ARP cache feature on the OTV VDC
interface Overlay0
  no otv suppress-arp-nd
DC1-AGG1# show ip route lisp vrf tenant-1
IP Route Table for VRF "tenant-1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

172.16.144.0/25, ubest/mbest: 1/0
    *via Null0, [240/1], 07:22:30, lisp, dyn-eid
172.16.144.128/25, ubest/mbest: 1/0
    *via Null0, [240/1], 07:22:30, lisp, dyn-eid
# When LISP is enabled on SVI 144, two Null0 routes are created automatically; SVI 144 is a /24 subnet, so the first Null0 route is 172.16.144.0/25 and the second is 172.16.144.128/25, as shown above.
# This is expected and by design; it ensures that packets from undiscovered hosts trigger an RPF exception, which causes the packet to be sent to the CPU and ultimately helps host (EID) detection.
# Host detection on a LISP-enabled interface is based on receiving L3 traffic from an IP address within the range specified in the database-mapping configuration.
To facilitate host detection, note that when LISP is enabled on an interface:
# an RPF exception is enabled on the interface so that packets generated by an unknown source trigger the exception
# LISP-sourced Null0 routes are installed to ensure that unknown sources trigger the RPF exception
Because this solution relies on OTV for L2 extension between the two data centers, ARP signaling cannot be used directly to detect IP hosts, since in many cases it is broadcast to all switches.
However, ARP signaling is used as an indication to LISP that an undetected host may exist. Because the host can reside on either side of the OTV bridge, LISP starts a localization mechanism after learning a new IP-MAC binding.
The localization mechanism works as follows:
# The switch learns a new IP-MAC binding (through GARP, RARP or an ARP request).
# The switch acting as HSRP active sends an echo request to the host, sourced from the HSRP VIP address.
# The host replies to the echo request, but with FHRP isolation in OTV the echo reply is received only at the DC site where the host resides.
# Because the echo reply is an L3 packet, LISP detects the host.
# If an IP packet is received on any LISP-enabled SVI, the packet itself notifies the LISP process that the endpoint is local; no ICMP echo request is sent to further confirm whether the host is local. It is therefore important to note that a ping from a DC2 host to a DC1-AGG SVI IP address corrupts the endpoint identification, which in turn causes ping loss or traffic blackholing, because the host is now identified as a local EID in DC1 instead of DC2. Pings should therefore not be issued from the SVI IP addresses in a LISP environment, since this can corrupt the routing table and blackhole traffic. The same problem occurs if a host in a LISP-enabled VLAN tries to ping the SVI IP address; pinging the VIP should be fine, because the VIP exists and is active on both sides and the site-local switch captures the packet.
Below is an example of the routing table entry when the host comes online in DC1:
DC1-AGG1# show ip route 172.16.144.1 vrf tenant-1
IP Route Table for VRF "tenant-1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

172.16.144.1/32, ubest/mbest: 1/0, attached
    *via 172.16.144.1, Vlan144, [240/1], 3d05h, lisp, dyn-eid
    via 172.16.144.1, Vlan144, [250/0], 3d05h, am

DC1-AGG2# sh ip route 172.16.144.1 vr tenant-1
IP Route Table for VRF "tenant-1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

172.16.144.1/32, ubest/mbest: 1/0, attached
    *via 172.16.144.1, Vlan144, [240/1], 3d05h, lisp, dyn-eid
    via 172.16.144.1, Vlan144, [250/0], 3d05h, am
# As shown above, there are two routes: one via the LISP process with an administrative distance of 240, and the other via AM (the Adjacency Manager, populated by the ARP process) with an AD of 250.
# Both Agg switches in DC1 have the same entry.
# In addition, LISP lists the same entry for the host in the dynamic EID table, as shown below.
DC1-AGG1# show lisp dynamic-eid detail vrf tenant-1 | in 144.1, nex 1
172.16.144.1, Vlan144, uptime: 3d05h, last activity: 00:14:38
    Discovered by: packet reception

DC1-AGG2# show lisp dynamic-eid detail vrf tenant-1 | in 144.1, nex 1
172.16.144.1, Vlan144, uptime: 3d05h, last activity: 00:00:37
    Discovered by: site-based Map-Notify
# Note that the discovery differs in the two cases: DC1-AGG1, the HSRP active, records the entry through "packet reception", which basically means a packet came in and was added as an EID.
# Once Agg1 learns an EID, it sends a multicast message from the source IP of Loopback100 (defined under the database-mapping) to the group 239.254.254.254 (configured as shown above). The vPC peer switch also receives this message and populates the entry accordingly; because the database-mapping contains the IP addresses of both dc1-agg1 and dc1-agg2, the entry is treated as a local EID. The multicast packet also reaches the remote site through OTV; however, the remote site checks its database-mapping and, because the packet comes from an IP address that is not in its "database-mapping", the DC2 Agg switches do not treat it as a local EID.
# When a host is detected on a LISP-enabled SVI, a triggered "map-notify" message is sent to the multicast group defined under the corresponding dynamic-eid configuration.
# In addition to the triggered map-notify messages, the HSRP active (or FHRP active) switch in that VLAN also sends periodic map-notify messages;
# a PCAP of the map-notify message is shown below.
# This is the key to IGP Assist mode: any /32 LISP route is redistributed into the IGP, which is done with the "redistribute lisp" command applied under EIGRP.
# Once redistributed, any /32 host route is treated as an EIGRP external route. The EIGRP administrative distance has been raised to ensure that the LISP route stays in the URIB rather than the incoming EIGRP external route. For example: DC1-Agg1 and DC1-Agg2 are EIGRP neighbors of DC1-core. DC1-AGG1 injects the /32 route into DC1-Core through redistribution. Since DC1-Core is an EIGRP neighbor of DC1-Agg2, the same route can come back to DC1-Agg2, and with an EIGRP AD of 170 it would have a chance to win over the LISP route (AD 240); to avoid this, the EIGRP external AD has been changed to 245.
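As an added example (not part of this Cisco document), the following Python parses "show ip route" output in the format shown throughout this document and flags two of the conditions explained above: an EIGRP external path with an AD below 240 beating a LISP /32 (the reason "distance 90 245" is required), and one EID claimed as local by both sites (the corrupted endpoint state that leads to blackholing). The routing tables in the block are constructed samples, not captures from the lab.

```python
import re
from collections import namedtuple
# Constructed sample input, modelled on the 'show ip route' output shown in this document
# (not captured from its lab). DC1 owns 172.16.144.1; 172.16.144.100 has moved to DC2.
DC1_AGG1 = """\
172.16.144.0/25, ubest/mbest: 1/0
    *via Null0, [240/1], 07:22:30, lisp, dyn-eid
172.16.144.1/32, ubest/mbest: 1/0, attached
    *via 172.16.144.1, Vlan144, [240/1], 3d05h, lisp, dyn-eid
    via 172.16.144.1, Vlan144, [250/0], 3d05h, am
172.16.144.100/32, ubest/mbest: 1/0
    *via 192.168.98.2, Eth3/6.111, [245/51968], 00:03:47, eigrp-100, external
"""
# Constructed: DC2 correctly owns .100 but also claims .1 as local, the corrupted state the
# document warns about when a host pings the remote site's SVI address.
DC2_AGG1 = """\
172.16.144.0/25, ubest/mbest: 1/0
    *via Null0, [240/1], 20:48:29, lisp, dyn-eid
172.16.144.100/32, ubest/mbest: 1/0, attached
    *via 172.16.144.100, Vlan144, [240/1], 00:00:30, lisp, dyn-eid
172.16.144.1/32, ubest/mbest: 1/0, attached
    *via 172.16.144.1, Vlan144, [240/1], 00:00:12, lisp, dyn-eid
"""
# Constructed: 'distance 90 245' missing, so the /32 that looped back through the core as an
# EIGRP external route (AD 170) has beaten the local LISP route (AD 240).
DC1_AGG2_BAD = """\
172.16.144.1/32, ubest/mbest: 1/0
    *via 192.168.98.2, Eth3/6.111, [170/51968], 00:00:05, eigrp-100, external
    via 172.16.144.1, Vlan144, [240/1], 3d05h, lisp, dyn-eid
"""

PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+), ubest/mbest:")
LISP_AD = 240  # administrative distance of LISP dyn-eid routes, as seen in the outputs above
NextHop = namedtuple("NextHop", "nexthop ad proto best")

def parse_show_ip_route(text):
    """Return {prefix: [NextHop, ...]} from NX-OS 'show ip route' style output."""
    routes, prefix = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PREFIX_RE.match(line)
        if m:
            prefix = m.group(1)
            routes[prefix] = []
        elif prefix and (line.startswith("*via ") or line.startswith("via ")):
            parts = [p.strip() for p in line.split(",")]
            ad_idx = next(i for i, p in enumerate(parts) if p.startswith("["))
            routes[prefix].append(NextHop(
                nexthop=parts[0].split(" ", 1)[1],
                ad=int(parts[ad_idx][1:-1].split("/")[0]),
                proto=parts[ad_idx + 2],  # the token after the uptime field
                best=parts[0].startswith("*")))
    return routes

def classify(prefix, nexthops):
    """Meaning of a route in an IGP Assist site, as described in this document."""
    best = next((n for n in nexthops if n.best), None)
    if best is None:
        return "no-best-path"
    if best.proto == "lisp" and best.nexthop == "Null0":
        return "undiscovered-space"  # Null0 /25 catch-all that triggers the RPF exception
    if best.proto == "lisp" and prefix.endswith("/32"):
        return "local-eid"           # host detected on this site's LISP-enabled SVI
    if best.proto.startswith("eigrp") and prefix.endswith("/32"):
        return "remote-eid"          # /32 redistributed by the other site, learned via the core
    return "other"

def audit(site_tables):
    """site_tables: {site name: parsed routes}. Returns a sorted list of findings."""
    findings, local_at = [], {}
    for site, routes in site_tables.items():
        for prefix, nhs in routes.items():
            if classify(prefix, nhs) == "local-eid":
                local_at.setdefault(prefix, set()).add(site)
            best = next((n for n in nhs if n.best), None)
            # A LISP path losing to EIGRP with AD below 240 means the external distance was not raised.
            if (best and best.proto.startswith("eigrp") and best.ad < LISP_AD
                    and any(n.proto == "lisp" for n in nhs)):
                findings.append(f"{site}: {prefix} EIGRP AD {best.ad} overrides LISP AD {LISP_AD}")
    for prefix, sites in local_at.items():
        if len(sites) > 1:  # one EID claimed local by both sites: the blackholing condition above
            findings.append(f"{prefix} local at {sorted(sites)}: duplicate EID, traffic may blackhole")
    return sorted(findings)
```

Feed it the output of "show ip route vrf <VRF Name>" from each Agg switch to compare the sites; a healthy pair of sites returns no findings.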
# The /32 routes learned by the DC1-Agg switches are redistributed into EIGRP; the DC1-core entry is shown below.
DC1-CORE# sh ip route 172.16.144.1
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

172.16.144.1/32, ubest/mbest: 2/0
    *via 192.168.98.1, Eth3/20.111, [170/51456], 00:00:01, eigrp-100, external
    *via 192.168.98.5, Eth3/22.112, [170/51456], 18:14:51, eigrp-100, external
# The route exists in the global routing table; no VRF is configured on the core side.
# Because "redistribute direct" is configured on the AGG switches, the core layer also has an ECMP /24 route for the parent subnet, as shown below. This helps attract traffic for silent hosts (which have no /32 route).
DC1-CORE# sh ip route 172.16.144.10     # Checking for a non-existent host 172.16.144.10
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

172.16.144.0/24, ubest/mbest: 2/0
    *via 192.168.98.1, Eth3/20.111, [170/51456], 00:02:13, eigrp-100, external
    *via 192.168.98.5, Eth3/22.112, [170/51456], 18:17:03, eigrp-100, external
# In addition, the /24 ECMP route is seen via both the DC1 and DC2 cores
Branch1-Router# sh ip route 172.16.144.10
Routing entry for 172.16.144.0/24
  Known via "eigrp 100", distance 170, metric 51712, type external
  Redistributing via eigrp 100
  Last update from 192.168.99.2 on GigabitEthernet0/0/1, 00:00:17 ago
  Routing Descriptor Blocks:
    192.168.99.2, from 192.168.99.2, 00:00:17 ago, via GigabitEthernet0/0/1     # 192.168.99.2 is DC2-Core
      Route metric is 51712, traffic share count is 1
      Total delay is 1020 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1492 bytes
      Loading 1/255, Hops 2
  * 192.168.99.1, from 192.168.99.1, 00:00:17 ago, via GigabitEthernet0/0/1     # 192.168.99.1 is DC1-Core
      Route metric is 51712, traffic share count is 1
      Total delay is 1020 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1492 bytes
      Loading 1/255, Hops 2
# This route ensures that branch hosts can reach silent hosts located at either site.
# When DC1-Host1 (172.16.144.1) tries to reach DC2-Host1 (172.16.144.2), this is intra-VLAN inter-DC traffic. DC1-Host1 sends an ARP request, which travels across OTV and reaches DC2-Host1.
# DC2-Host1 responds with an ARP reply back to DC1-Host1
# Subsequent ICMP packets are sent over OTV
# When DC1-Host1 (172.16.144.1) tries to reach DC2-Host2 (172.16.244.2), the packet is not routed from VLAN 144 to 244 within DC1; instead it follows the routed path from DC1-Agg to DC1-Core and then to DC2-Core, and the final routing into the destination VLAN 244 is done by the DC2-Agg switches.
# A traceroute from DC1-Host1 to DC2-Host2 is shown below.
DC1-HOST# traceroute 172.16.244.2 vrf vlan144
traceroute to 172.16.244.2 (172.16.244.2), 30 hops max, 40 byte packets
 1  172.16.144.250 (172.16.144.250)  1.149 ms  0.841 ms  0.866 ms     # DC1-AGG1
 2  192.168.98.2 (192.168.98.2)  1.004 ms  0.67 ms  0.669 ms     # DC1-CORE
 3  192.168.99.2 (192.168.99.2)  0.756 ms  0.727 ms  0.714 ms     # DC2-CORE
 4  192.168.94.5 (192.168.94.5)  1.041 ms  0.937 ms  192.168.94.1 (192.168.94.1)  1.144 ms     # DC2-Agg1/DC2-Agg2
 5  172.16.244.2 (172.16.244.2)  2.314 ms  *  2.046 ms     # DC2-Host2
# This follows the same path as the inter-VLAN inter-DC communication from one VLAN to another (previous example)
# When DC1-Host1 (172.16.144.1) tries to reach DC2-Host3 (172.16.145.2), this is inter-DC traffic sourced from VLAN 144 (VRF tenant-1) and destined to VLAN 145 (VRF tenant-2). Unlike a regular N7k OTV deployment, this traffic is handled slightly differently. No inter-VLAN routing happens on the DC1 side; instead the traffic is routed and sent to DC1-core, and the core layer routes it further through the IGP to DC2-Core.
# In this document, the inter-VRF leaking is done by the core switches at each site. It could be any device (such as a firewall); as long as inter-VRF leaking exists, nothing changes from the LISP configuration perspective.
DC1-AGG1# sh ip route 172.16.145.2 vrf tenant-1
IP Route Table for VRF "tenant-1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

172.16.145.2/32, ubest/mbest: 1/0
    *via 192.168.98.2, Eth3/6.111, [245/51968], 00:00:46, eigrp-100, external
# A traceroute from DC1-Host1 to DC2-Host3 likewise shows that the traffic is not inter-VLAN routed locally but routed at Layer 3 through the core. In short, inter-VLAN traffic does not use OTV.
DC1-HOST# traceroute 172.16.145.2 vrf vlan144
traceroute to 172.16.145.2 (172.16.145.2), 30 hops max, 40 byte packets
 1  172.16.144.250 (172.16.144.250)  1.049 ms  0.811 ms  0.81 ms     # DC1-AGG1
 2  192.168.98.2 (192.168.98.2)  0.844 ms  0.692 ms  0.686 ms     # DC1-CORE
 3  192.168.99.2 (192.168.99.2)  0.814 ms  0.712 ms  0.735 ms     # DC2-CORE
 4  192.168.194.1 (192.168.194.1)  0.893 ms  0.759 ms  192.168.194.5 (192.168.194.5)  0.89 ms     # DC2-Agg1/DC2-Agg2
 5  172.16.145.2 (172.16.145.2)  1.288 ms  *  1.98 ms     # DC2-Host3
DC1-HOST#
# A host in Branch-1 (172.17.200.1) tries to reach a silent host in DC2 (172.16.144.119). Because the host is silent, no /32 route exists in DC2.
DC2-AGG1# show ip route 172.16.144.119 vr tenant-1
IP Route Table for VRF "tenant-1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

172.16.144.0/25, ubest/mbest: 1/0
    *via Null0, [240/1], 20:48:29, lisp, dyn-eid

DC2-AGG2# show ip route 172.16.144.119 vr tenant-1
IP Route Table for VRF "tenant-1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

172.16.144.0/25, ubest/mbest: 1/0
    *via Null0, [240/1], 20:48:13, lisp, dyn-eid
# By LISP design, the lookup for 172.16.144.119 matches the 172.16.144.0/25 Null0 route.
# When the Branch router receives a packet with destination IP 172.16.144.119, its URIB has the ECMP /24 route towards DC1-core and DC2-core. This basically means the packet is sent to one of the core-layer switches.
Branch1-Router# sh ip route 172.16.144.119
Routing entry for 172.16.144.0/24
  Known via "eigrp 100", distance 170, metric 51712, type external
  Redistributing via eigrp 100
  Last update from 192.168.99.2 on GigabitEthernet0/0/1, 00:08:54 ago
  Routing Descriptor Blocks:
    192.168.99.2, from 192.168.99.2, 00:08:54 ago, via GigabitEthernet0/0/1
      Route metric is 51712, traffic share count is 1
      Total delay is 1020 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1492 bytes
      Loading 1/255, Hops 2
  * 192.168.99.1, from 192.168.99.1, 00:08:54 ago, via GigabitEthernet0/0/1
      Route metric is 51712, traffic share count is 1
      Total delay is 1020 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1492 bytes
      Loading 1/255, Hops 2
Branch1-Router#sh ip cef exact-route 172.17.200.1 172.16.144.119 dest-port 1
172.17.200.1 -> 172.16.144.119 =>IP adj out of GigabitEthernet0/0/1, addr 192.168.99.1
# According to CEF, the packet is hashed to 192.168.99.1 (DC1-Core)
# DC1-Core has 2 ECMP paths: one towards DC1-Agg1 (HSRP active) and one towards DC1-Agg2 (HSRP standby). In the routing hash, the selected path is DC1-Agg2.
DC1-CORE# sh routing hash 172.17.200.1 172.16.144.119 1 1
Load-share parameters used for software forwarding:
load-share mode: address source-destination port source-destination
Universal-id seed: 0xfdba3ebe
Hash for VRF "default"
Hash Type is 1
Hashing to path *192.168.98.5 Eth3/22.112
For route:
172.16.144.0/24, ubest/mbest: 2/0
    *via 192.168.98.1, Eth3/20.111, [170/51456], 00:19:57, eigrp-100, external
    *via 192.168.98.5, Eth3/22.112, [170/51456], 18:34:47, eigrp-100, external
DC1-CORE# sh cdp nei int e3/22
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device,
                  s - Supports-STP-Dispute

Device-ID              Local Intrfce  Hldtme  Capability  Platform     Port ID
DC1-AGG2(JAF1534CHCJ)  Eth3/22        172     R S s       N7K-C7009    Eth3/7
# Because DC1-Agg2 has no matching entry in its URIB, the packet is gleaned and sent to the CPU, which forces DC1-Agg2 to generate an ARP request sourced from the SVI IP address, as shown below.
2020-02-18 15:09:05.673165 172.17.200.1 -> 172.16.144.119 ICMP 114 Echo (ping) request id=0x0022, seq=0/0, ttl=254
2020-02-18 15:09:05.675041 de:ad:20:19:22:22 -> Broadcast ARP 60 Who has 172.16.144.119? Tell 172.16.144.251
# This ARP request is a broadcast, which propagates through the OTV extension across the entire Layer 2 domain, including DC2.
# The DC2 silent host now responds to the ARP request from DC1-Agg2
# DC1-Agg2 receives this ARP reply from the silent host
2020-02-18 15:09:05.675797 64:12:25:97:46:41 -> de:ad:20:19:22:22 ARP 60 172.16.144.119 is at 64:12:25:97:46:41
# When the received packet is an ARP (which acts as a hint to LISP), an ICMP echo request sourced from the HSRP VIP (172.16.144.254) and destined to the silent host (172.16.144.119) is generated. The intent of sourcing the packet from the HSRP VIP is to learn whether the host is local or remote. If the host is remote, an FHRP active also exists in the remote data center and captures the ICMP echo reply packet from the host; as a result, DC2-Agg2 (the HSRP active) learns this entry, and the LISP process now performs the EID learn based on this IP packet. DC1-Agg2, which originally sourced the ICMP echo request from the HSRP VIP, never receives the reply, so the endpoint is never learned on the DC1 side; it is learned on the DC2 side instead.
DC2-AGG2# show lisp dynamic-eid detail vrf tenant-1
LISP Dynamic EID Information for VRF "tenant-1"

Dynamic-EID name: VLAN144
  Database-mapping [2] EID-prefix: 172.16.144.0/24, LSBs: 0x00000003
    Locator: 10.10.20.1, priority: 50, weight: 50
      Uptime: 21:50:32, state: up
    Locator: 10.10.20.2, priority: 50, weight: 50
      Uptime: 21:50:13, state: up, local
  Registering more-specific dynamic-EIDs
  Registering routes: disabled
  Allowed-list filter: none applied
  Map-Server(s): none configured, use global Map-Server
  Site-based multicast Map-Notify group: 239.254.254.254
  Extended Subnet Mode configured on 1 interfaces
  Number of roaming dynamic-EIDs discovered: 3
  Last dynamic-EID discovered: 172.16.144.254, 00:01:10 ago
  Roaming dynamic-EIDs:
    172.16.144.2, Vlan144, uptime: 19:09:07, last activity: 00:05:21
      Discovered by: packet reception
    172.16.144.119, Vlan144, uptime: 00:05:55, last activity: 00:05:55
      Discovered by: packet reception
    172.16.144.252, Vlan144, uptime: 3d21h, last activity: 00:01:10
      Discovered by: packet reception
  Secure-handoff pending for sources: none
# Once the LISP process on DC2-Agg2 (HSRP active) knows the EID, it
a) installs the /32 locally
b) redistributes the route to DC2-Core
c) sends a site-based notification as a multicast message in the VLAN (in this example, to the group 239.254.254.254)
DC2-AGG1# show lisp dynamic-eid detail vrf tenant-1
LISP Dynamic EID Information for VRF "tenant-1"

Dynamic-EID name: VLAN144
  Database-mapping [2] EID-prefix: 172.16.144.0/24, LSBs: 0x00000003
    Locator: 10.10.20.1, priority: 50, weight: 50
      Uptime: 21:52:39, state: up, local
    Locator: 10.10.20.2, priority: 50, weight: 50
      Uptime: 21:52:08, state: up
  Registering more-specific dynamic-EIDs
  Registering routes: disabled
  Allowed-list filter: none applied
  Map-Server(s): none configured, use global Map-Server
  Site-based multicast Map-Notify group: 239.254.254.254
  Extended Subnet Mode configured on 1 interfaces
  Number of roaming dynamic-EIDs discovered: 4
  Last dynamic-EID discovered: 172.16.144.254, 00:03:07 ago
  Roaming dynamic-EIDs:
    172.16.144.2, Vlan144, uptime: 19:11:04, last activity: 00:00:21
      Discovered by: site-based Map-Notify
    172.16.144.110, Vlan144, uptime: 20:04:09, last activity: 20:04:09
      Discovered by: site-based Map-Notify
    172.16.144.119, Vlan144, uptime: 00:07:52, last activity: 00:00:21
      Discovered by: site-based Map-Notify
    172.16.144.252, Vlan144, uptime: 21:50:51, last activity: 00:00:21
      Discovered by: site-based Map-Notify
  Secure-handoff pending for sources: none
# Finally, Branch-router1 receives this /32 route, which causes the Branch router to send the traffic to the correct DC2 core switch.
Branch1-Router# sh ip route 172.16.144.119
Routing entry for 172.16.144.119/32
  Known via "eigrp 100", distance 170, metric 51712, type external
  Redistributing via eigrp 100
  Last update from 192.168.99.2 on GigabitEthernet0/0/1, 00:06:25 ago
  Routing Descriptor Blocks:
  * 192.168.99.2, from 192.168.99.2, 00:06:25 ago, via GigabitEthernet0/0/1
      Route metric is 51712, traffic share count is 1
      Total delay is 1020 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1492 bytes
      Loading 1/255, Hops 2
# Given that L2 extension is configured on this topology, a host can move from DC1 to DC2.
# Host 172.16.144.100 is initially in VLAN 144 in DC1.
# When the host comes online in DC1, the routes on the DC1-Agg1 and DC1-Agg2 switches look as follows
DC1-AGG1# sh ip route 172.16.144.100 vrf tenant-1
IP Route Table for VRF "tenant-1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

172.16.144.100/32, ubest/mbest: 1/0, attached
    *via 172.16.144.100, Vlan144, [240/1], 00:05:03, lisp, dyn-eid
    via 172.16.144.100, Vlan144, [250/0], 00:05:05, am

DC1-AGG2# sh ip route 172.16.144.100 vrf tenant-1
IP Route Table for VRF "tenant-1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

172.16.144.100/32, ubest/mbest: 1/0, attached
    *via 172.16.144.100, Vlan144, [240/1], 00:08:05, lisp, dyn-eid
    via 172.16.144.100, Vlan144, [250/0], 00:08:07, am
# The branch router's route points to DC1-Core (as shown below), and the traceroute goes through the DC1 core/agg switches to reach the host in DC1
Branch1-Router#sh ip route 172.16.144.100
Routing entry for 172.16.144.100/32
  Known via "eigrp 100", distance 170, metric 51712, type external
  Redistributing via eigrp 100
  Last update from 192.168.99.1 on GigabitEthernet0/0/1, 00:00:06 ago
  Routing Descriptor Blocks:
  * 192.168.99.1, from 192.168.99.1, 00:00:06 ago, via GigabitEthernet0/0/1
      Route metric is 51712, traffic share count is 1
      Total delay is 1020 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1492 bytes
      Loading 1/255, Hops 2

Branch1-Router#traceroute 172.16.144.100 source 172.17.200.1
Type escape sequence to abort.
Tracing the route to 172.16.144.100
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.99.1 1 msec 1 msec 0 msec     # DC1-Core
  2 192.168.98.5 1 msec 1 msec     # DC1-Agg2
    192.168.98.1 1 msec     # DC1-Agg1
  3 172.16.144.100 1 msec 0 msec 1 msec     # DC1-Host
# When the host moves to DC2, it sends a GARP in VLAN 144. This is seen on the DC2-Agg switches
2020-02-24 22:23:05.024902 Cisco_5a:4a:e7 -> Broadcast ARP 60 Gratuitous ARP for 172.16.144.100 (Request)
# Once a packet carrying ARP/GARP/RARP is received, the localization mechanism is triggered and an ICMP echo request sourced from the VIP is sent to the host
2020-02-24 22:23:05.026781 172.16.144.254 -> 172.16.144.100 ICMP 60 Echo (ping) request id=0xac10, seq=0/0, ttl=128
# Host 172.16.144.100 now responds to the HSRP VIP
2020-02-24 22:23:07.035292 172.16.144.100 -> 172.16.144.254 ICMP 60 Echo (ping) reply id=0xac10, seq=0/0, ttl=255
# Once the IP packet is received at DC2-Agg1, LISP detects the EID, creates an entry in the host routing table, and starts the redistribution process into EIGRP
DC2-AGG1# sh ip route 172.16.144.100 vrf tenant-1
IP Route Table for VRF "tenant-1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

172.16.144.100/32, ubest/mbest: 1/0, attached
    *via 172.16.144.100, Vlan144, [240/1], 00:00:30, lisp, dyn-eid
    via 172.16.144.100, Vlan144, [250/0], 00:00:32, am
# With the redistribution in place, the DC1-agg site (the original owner of this host) now sees the RIB change, with the route pointing to EIGRP
DC1-AGG1# sh ip route 172.16.144.100 vrf tenant-1
IP Route Table for VRF "tenant-1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

172.16.144.100/32, ubest/mbest: 1/0
    *via 192.168.98.2, Eth3/6.111, [245/51968], 00:03:47, eigrp-100, external
# The remote branch router now sees the route change, and the traceroute reflects the path change towards the DC2 core/Agg switches, as shown below
Branch1-Router#sh ip route 172.16.144.100
Routing entry for 172.16.144.100/32
  Known via "eigrp 100", distance 170, metric 51712, type external
  Redistributing via eigrp 100
  Last update from 192.168.99.2 on GigabitEthernet0/0/1, 00:00:00 ago
  Routing Descriptor Blocks:
  * 192.168.99.2, from 192.168.99.2, 00:00:00 ago, via GigabitEthernet0/0/1
      Route metric is 51712, traffic share count is 1
      Total delay is 1020 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1492 bytes
      Loading 1/255, Hops 2

Branch1-Router#traceroute 172.16.144.100 source 172.17.200.1
Type escape sequence to abort.
Tracing the route to 172.16.144.100
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.99.2 1 msec 0 msec 1 msec     # DC2-Core
  2 192.168.94.1 1 msec 1 msec 1 msec     # DC2-Agg1
  3 172.16.144.100 0 msec 0 msec 1 msec     # Host after the move to DC2
# show lisp dynamic-eid detail vrf <VRF Name>
# show ip route lisp vrf <VRF Name>
# show lisp dynamic-eid summary vrf <VRF Name>