為vEdge或cEdge配置首選預設路由或字首路由
目錄
簡介
本文說明如何配置軟體定義廣域網(SD-WAN)控制策略,以優先使用預設路由或字首。
需求
思科建議您瞭解以下主題:
- Cisco SD-WAN重疊管理通訊協定(OMP)。
- SD-WAN集中控制策略。
採用元件
本文中的資訊係根據以下軟體和硬體版本:
- Cisco cEdge版本17.3.3
- Cisco vEdge版本20.3.2
- 思科vSmart控制器版本20.4.2
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
背景資訊
為了進行本演示,本實驗在不同的端ID上設定5個cEdge/vEdge,其中Router01、Router02和Router03在VPN 1中配置了預設路由。
- vSmart system ip 10.1.1.7。
- cEdge Router01 system ip 10.70.70.1,站點ID 70。
- cEdge Router02 system ip 10.80.80.1,站點ID 80。
- cEdge Router03 system ip 10.80.80.2,站點ID 80。
- cEdge Router04系統ip 10.70.70.2,站點ID 40。
- vEdge Router05系統ip 10.20.20.1,站點ID 20。
Router04(10.70.70.2)和Router05(10.20.20.1)接收和安裝來自Router01(10.70.70.1)、Router02(10.80.80.1)和Router03(10.80.80.1)的預設路由。 沒有應用於裝置的活動集中策略或本地化策略,預設情況下為全網狀拓撲。
Router04和Router05從三個不同的裝置接收預設路由。
Router04# show sdwan omp routes
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 10.1.1.7 29 1002 C,I,R installed 10.70.70.1 biz-internet ipsec -
10.1.1.7 30 1005 C,I,R installed 10.80.80.1 mpls ipsec -
10.1.1.7 31 1003 C,I,R installed 10.80.80.2 mpls ipsec -
Router05# show omp routes vpn 1
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 10.1.1.7 5 1002 C,I,R installed 10.70.70.1 biz-internet ipsec -
10.1.1.7 6 1005 C,I,R installed 10.80.80.1 mpls ipsec -
10.1.1.7 7 1003 C,I,R installed 10.80.80.2 mpls ipsec -
Router04(10.70.70.2)和Router05(10.20.20.1)安裝來自Router01(10.70.70.1)、Router02(10.80.80.1)和Router03(10.80.80.1)的預設路由。
Router04# show ip route vrf 1
Routing Table: 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.80.80.2 to network 0.0.0.0
m* 0.0.0.0/0 [251/0] via 10.80.80.2, 00:05:02, Sdwan-system-intf
[251/0] via 10.80.80.1, 00:05:02, Sdwan-system-intf
[251/0] via 10.70.70.1, 00:05:02, Sdwan-system-intf
Router05# show ip routes vpn 1 0.0.0.0/0
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive, L -> import
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 omp - - - - 10.70.70.1 biz-internet ipsec F,S
1 0.0.0.0/0 omp - - - - 10.80.80.1 mpls ipsec F,S
1 0.0.0.0/0 omp - - - - 10.80.80.2 mpls ipsec F,S
組態
解決方案1:使用集中控制策略優先使用來自特定遠端路由器Router04上Router01的預設路由
使用拓撲自定義控制元件並在OMP中應用預設路由的首選項。
使用路由規則而不是傳輸位置(TLOC)規則。
匹配條件
- 將策略清單中預定義的Router01 System-ip 10.70.70.1的建立者選項與字首清單進行匹配,字首為0.0.0.0/0。
- ip prefix-list 0.0.0.0/0僅匹配default-route並非所有路由,因此您可以將此字首用於字首清單。
- ip prefix-list 0.0.0.0/0 le 32匹配所有路由。
動作
將此策略應用於出站方向到Router04站點ID 40。
模板策略配置
您可以使用vManage GUI配置 Centralized Policy 使用 Control Policy.
在中配置控制策略 Topology,您可以選擇 Hub-and-Spoke中, Mesh,或 Custom Control 策略。
Custom Control(Route & TLOC)
Sequence typeSequence RuleOriginator
Accept Preference 為相同順序的操作設定,如圖所示。
Control Policy
CLI策略配置
您可以手動配置vSmart,而不是vManage GUI。
control-policy originatoronly
sequence 1
match route
originator 10.70.70.1
prefix-list Default_Route
!
action accept
set
preference 200
!
!
!
default-action accept
!
lists
prefix-list Default_Route
ip-prefix 0.0.0.0/0
!
site-list sitio40
site-id 40
!
!
!
apply-policy
site-list sitio40
control-policy originatoronly out <<<<<<<
!
!
vSmart僅將來自發起方Router01(10.70.70.1)且優先順序為200的預設路由傳送到Router04。
驗證
您可以使用 show running-config policy Control-Policy 已正確應用。
vsmart# show running-config policy control-policy
policy
control-policy originatoronly
sequence 1
match route
originator 10.70.70.1
prefix-list Default_Route
!
action accept
set
preference 200
!
!
!
default-action accept
!
!
使用 show running-config apply-policy Control-Policy 已應用。
vsmart# show running-config apply-policy apply-policy site-list sitio40 control-policy originatoronly out ! !
Router04(10.70.70.2)收到來自Router01(10.70.70.1)、Router02(10.80.80.1)和Router03(10.80.80.1)的所有預設路由,但來自Router01的default-route具有更高的優先順序(200)。
Router04# show sdwan omp routes
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 10.1.1.7 29 1002 C,I,R installed 10.70.70.1 biz-internet ipsec 200 <<<<<<<<<<<<
10.1.1.7 30 1005 R installed 10.80.80.1 mpls ipsec -
10.1.1.7 31 1003 R installed 10.80.80.2 mpls ipsec -
Router04(10.70.70.2)僅將來自Router01(10.70.70.1)的路由安裝在IP路由表中。
Router04# show ip route vrf 1
Routing Table: 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.70.70.1 to network 0.0.0.0
m* 0.0.0.0/0 [251/0] via 10.70.70.1, 00:13:25, Sdwan-system-intf
Router05(10.20.20.1)位於站點20,仍然接收和安裝來自Router01(10.70.70.1)、Router02(10.80.80.1)和Router03(10.80.80.1)的所有預設路由。
Router05# show omp routes vpn 1
Code:
C -> chosen
I -> installed
Red -> redistribute
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 10.1.1.7 5 1002 C,I,R installed 10.70.70.1 biz-internet ipsec - <<<<<< no preference
10.1.1.7 6 1005 C,I,R installed 10.80.80.1 mpls ipsec -
10.1.1.7 7 1003 C,I,R installed 10.80.80.2 mpls ipsec -
Router05# show ip routes vpn 1
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive, L -> import
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 omp - - - - 10.70.70.1 biz-internet ipsec F,S
1 0.0.0.0/0 omp - - - - 10.80.80.1 mpls ipsec F,S
1 0.0.0.0/0 omp - - - - 10.80.80.2 mpls ipsec F,S
解決方案2:使用集中控制策略優先使用從路由器01到全網狀所有路由器的預設路由
使用與 Solution 1 已使用,並將其應用於來自Router01站點ID 70的入站方向。
control-policy originatoronly
sequence 1
match route
originator 10.70.70.1
prefix-list Default_Route
!
action accept
set
preference 200
!
!
!
default-action accept
!
lists
prefix-list Default_Route
ip-prefix 0.0.0.0/0
!
site-list SiteList_70
site-id 70
!
!
!
apply-policy
site-list SiteList_70
control-policy originatoronly in <<<<<<<<<
!
!
驗證
如果您使用傳入方向,則Router04(10.70.70.2)和Router05(10.20.20.1)只會從Router01(10.70.70.1)接收和安裝預設路由。
Router04# show sdwan omp routes
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 10.1.1.7 29 1002 C,I,R installed 10.70.70.1 biz-internet ipsec 200 <<<<<<<
Router05# show omp routes vpn 1
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 10.1.1.7 5 1002 C,I,R installed 10.70.70.1 biz-internet ipsec 200 <<<<<<<
兩種方案的考慮因素:入站或出站方向
如果丟失Router01(10.70.70.1),路由器會安裝所有沒有優先順序接收的預設路由。在此案例中,來自Router02(10.80.80.1)和Router03(10.80.80.2):
Router04# show sdwan omp routes
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 10.1.1.7 36 1005 C,I,R installed 10.80.80.1 mpls ipsec -
10.1.1.7 37 1003 C,I,R installed 10.80.80.2 mpls ipsec -
Router05# show omp routes vpn 1
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 10.1.1.7 14 1005 C,I,R installed 10.80.80.1 mpls ipsec -
10.1.1.7 15 1003 C,I,R installed 10.80.80.2 mpls ipsec -
解決方案3:使用集中式控制策略優先使用來自路由器01的Default-Route以及來自其他路由器的備份Default-Route
在此解決方案中,路由器僅從Router01(10.70.70.1)接收預設路由器,但如果您丟失預設路由器,則希望遠端路由器安裝的備份預設路由來自Router02(10.80.80.1),而不是同時來自Router02(10.80.80.1)和Router03(10.80.80.1),如所示 Solution 1 和 Solution 2.
在同一控制策略上新增一個序列,並應用您從Router01 preference 200的default-route設定的較低首選項,但此優先順序高於預設首選項(100)。
對於從Router02(10.80.80.1)通告的預設路由,您可以將首選項設定為150。
control-policy originator
sequence 1
match route
originator 10.70.70.1
prefix-list Default_Route
!
action accept
set
preference 200
!
!
!
sequence 11 <<<<< new sequence
match route
originator 10.80.80.1 <<<<< Router02 system ip as originator
prefix-list Default_Route
!
action accept
set
preference 150 <<< lower preference of Router01
!
!
!
default-action accept
!
lists
prefix-list Default_Route
ip-prefix 0.0.0.0/0
!
site-list sitio40
site-id 40
!
!
!
apply-policy
site-list sitio40
control-policy originator out
!
!
驗證
路由器會收到首選項為200、150和預設首選項的預設路由。
Router04# show sdwa omp routes
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 10.1.1.7 36 1005 R installed 10.80.80.1 mpls ipsec 150 <<<<<<<<
10.1.1.7 37 1003 R installed 10.80.80.2 mpls ipsec -
10.1.1.7 38 1002 C,I,R installed 10.70.70.1 biz-internet ipsec 200 <<<<<<<<
Router04(10.70.70.2)只會將來自Router01(10.70.70.1)的預設路由新增到路由表中,且優先順序更高:
Router04# show ip route vrf 1
Routing Table: 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.70.70.1 to network 0.0.0.0
m* 0.0.0.0/0 [251/0] via 10.70.70.1, 00:02:47, Sdwan-system-intf
如果遺失了Router01(10.70.70.1),Router04(10.70.70.2)只會安裝具有下一個較高優先順序的路由(來自Router02(10.80.80.1))。
Router04# show sdwa omp routes
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 10.1.1.7 36 1005 C,I,R installed 10.80.80.1 mpls ipsec 150 <<<<<<<
10.1.1.7 37 1003 R installed 10.80.80.2 mpls ipsec -
Router04# show ip route vrf 1
Routing Table: 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.80.80.1 to network 0.0.0.0
m* 0.0.0.0/0 [251/0] via 10.80.80.1, 00:00:15, Sdwan-system-intf
如果丟失了Router02,Router04會安裝來自具有預設優先順序的路由器03(10.80.80.1)的預設路由。
解決方案4:集中控制策略使用以優先使用某些字首路由
如果您使用任何其他字首而不是預設路由字首,前面的所有解決方案都完全相同。
從Router01(10.70.70.1)通告到Router04(10.70.70.2)的字首10.40.40.0/24的範例。
control-policy originator
sequence 1
match route
originator 10.70.70.1
prefix-list prefix40
!
action accept
set
preference 200
!
!
!
default-action accept
!
lists
prefix-list prefix40
ip-prefix 10.40.40.0/24 <<<<<<<<<
!
site-list sitio40
site-id 40
!
!
!
apply-policy
site-list sitio40
control-policy originator out
!
!
驗證
Router04# show sdwan omp routes
Generating output, this might take time, please wait ...
Code:
C -> chosen
I -> installed
Red -> redistributed
Rej -> rejected
L -> looped
R -> resolved
S -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
IA -> On-demand inactive
U -> TLOC unresolved
PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 0.0.0.0/0 10.1.1.7 36 1005 C,I,R installed 10.80.80.1 mpls ipsec 150
10.1.1.7 37 1003 R installed 10.80.80.2 mpls ipsec -
1 10.40.40.0/24 10.1.1.7 13 1002 C,I,R installed 10.70.70.1 biz-internet ipsec 200 <<<<<<<<
10.1.1.7 15 1005 R installed 10.80.80.1 mpls ipsec -
10.1.1.7 16 1003 R installed 10.80.80.2 mpls ipsec -
Router04# show ip route vrf 1
Routing Table: 1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.80.80.1 to network 0.0.0.0
m* 0.0.0.0/0 [251/0] via 10.80.80.1, 00:11:55, Sdwan-system-intf
10.0.0.0/24 is subnetted, 1 subnets
m 10.40.40.0 [251/0] via 10.70.70.1, 00:02:17, Sdwan-system-intf <<<<<<
Router04#
相關資訊
適用於vEdge路由器、Cisco SD-WAN的策略配置指南
技術支援與文件 - Cisco Systems
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
1.0 |
30-Aug-2022 |
初始版本 |
意見