The CCIE lab, whose reopening had everyone losing patience, finally reopened in September.
It has to be said that the training institutions and platforms have all gone rather quiet; perhaps everyone is quietly working out what to do.
I have never been particularly modest, and sharing what I learn in study and work is a pleasure; although I work for a training institution, that does not stop me from sharing a few insights publicly.
Today's topic is neither new nor old, neither real nor fake. (Everyone who sits the CCIE automatically signs an agreement: candidates must not disclose exam content.)
The topic we are going to explore can be understood, loosely, as one application scenario in the transition from traditional networking to SDN, in the new landscape where traditional networks and SDN networks coexist.
This material is touched on in the EI-CCIE v1.0 exam, and in the spirit of "training for the rise of China", I am sharing a few personal notes. Whether or not you are my student, even if you teach for a competitor, or are simply a technology enthusiast, feel free to use it as a reference; broadening everyone's horizons and learning more technology is what really matters. (Am I being hurtful, not dignified enough? Never mind, let it hurt; a grasshopper after the autumn harvest will not be hopping around for long. If you want to be dignified, go ahead.)
The simulated device software used in this lab is IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.8(3)M2, RELEASE SOFTWARE (fc2).
If any readers are my students, you may want to follow the IE theory class on the IPsec topic that starts on the 12th of this month, where I will walk through this case in more detail.
The lab topology is as follows:
Network plan:
Several sites of an enterprise are interconnected over an MPLS VPN;
BGP runs between PE and CE;
The enterprise plans two business networks, one for internal employees and one for guests; (the names are chosen only to describe the business and should not be mapped onto a real production network)
The guest network is routed by BGP;
BGP also injects the loopback routes of the gateway routers into the BGP table, to serve the employees' dynamic private network service;
The loopback interfaces of the three gateway routers are used to build the dynamic private network (a DMVPN) for internal employees;
The employee network exchanges routes with EIGRP over the tunnel interfaces;
IPsec protects the business traffic forwarded over the tunnel;
The key configuration of each device is shown below:
MPLS_Core#show running-config
! single router standing in for the provider MPLS VPN; eBGP to the three CEs
interface Loopback0
 ip address 100.100.100.100 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 61.128.1.254 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 202.100.1.254 255.255.255.0
!
interface GigabitEthernet0/3
 ip address 137.78.100.254 255.255.255.0
!
router bgp 1000
 neighbor 61.128.1.1 remote-as 100
 neighbor 137.78.100.1 remote-as 300
 neighbor 202.100.1.1 remote-as 200
HUB#show running-config
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
! VLAN 101 = guest, VLAN 102 = employee
interface GigabitEthernet0/0.1
 encapsulation dot1Q 101
 ip address 10.1.101.1 255.255.255.0
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 102
 ip address 10.1.102.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 61.128.1.1 255.255.255.0
!
! BGP carries the guest prefix and the loopback that is the DMVPN tunnel source
router bgp 100
 network 10.1.1.1 mask 255.255.255.255
 network 10.1.101.0 mask 255.255.255.0
 neighbor 61.128.1.254 remote-as 1000
!
! lab-grade IKEv1/IPsec settings: 3DES, DH group 2, ESP-MD5 and a wildcard
! pre-shared key ("cisco" for any peer) are acceptable only in a sandbox
crypto isakmp policy 10
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DM
 set transform-set IPSEC
!
interface Tunnel0
 ip address 10.0.123.1 255.255.255.0
 ip mtu 1400
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ! added: lets the hub replicate EIGRP multicast hellos to dynamically registered spokes
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp nhs 10.0.123.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DM
!
router eigrp 1
 network 10.0.123.0 0.0.0.255
 network 10.1.102.0 0.0.0.255
Spoke1#show running-config
interface Loopback0
 ip address 10.2.1.1 255.255.255.255
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 101
 ip address 10.2.101.1 255.255.255.0
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 102
 ip address 10.2.102.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 202.100.1.1 255.255.255.0
!
router bgp 200
 network 10.2.1.1 mask 255.255.255.255
 network 10.2.101.0 mask 255.255.255.0
 neighbor 202.100.1.254 remote-as 1000
!
! same IKE/IPsec parameters as the hub; the PSK must match on every peer
crypto isakmp policy 10
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DM
 set transform-set IPSEC
!
! static NHRP mapping of the hub's tunnel address to its NBMA (loopback) address,
! plus a multicast mapping so EIGRP hellos reach the hub
interface Tunnel0
 ip address 10.0.123.2 255.255.255.0
 ip mtu 1400
 ip nhrp map 10.0.123.1 10.1.1.1
 ip nhrp map multicast 10.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.123.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DM
!
router eigrp 1
 network 10.0.123.0 0.0.0.255
 network 10.2.102.0 0.0.0.255
Spoke2#show running-config
interface Loopback0
 ip address 10.3.1.1 255.255.255.255
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 101
 ip address 10.3.101.1 255.255.255.0
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 102
 ip address 10.3.102.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 137.78.100.1 255.255.255.0
!
router bgp 300
 network 10.3.1.1 mask 255.255.255.255
 network 10.3.101.0 mask 255.255.255.0
 neighbor 137.78.100.254 remote-as 1000
!
crypto isakmp policy 10
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DM
 set transform-set IPSEC
!
! mirror of Spoke1 with its own addresses
interface Tunnel0
 ip address 10.0.123.3 255.255.255.0
 ip mtu 1400
 ip nhrp map 10.0.123.1 10.1.1.1
 ip nhrp map multicast 10.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.123.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DM
!
router eigrp 1
 network 10.0.123.0 0.0.0.255
 network 10.3.102.0 0.0.0.255
Once the configuration above is in place, the following entries appear:
HUB#show dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable, I2 - Temporary
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.2.1.1           10.0.123.2    UP 00:52:29     D
     1 10.3.1.1           10.0.123.3    UP 00:52:28     D

HUB#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   10.0.123.3              Tu0                      11 00:52:39   31  1434  0  13
0   10.0.123.2              Tu0                      12 00:52:41   26  1434  0  13

HUB#show ip route | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
C        10.0.123.0/24 is directly connected, Tunnel0
L        10.0.123.1/32 is directly connected, Tunnel0
C        10.1.1.1/32 is directly connected, Loopback0
C        10.1.101.0/24 is directly connected, GigabitEthernet0/0.1
L        10.1.101.1/32 is directly connected, GigabitEthernet0/0.1
C        10.1.102.0/24 is directly connected, GigabitEthernet0/0.2
L        10.1.102.1/32 is directly connected, GigabitEthernet0/0.2
B        10.2.1.1/32 [20/0] via 61.128.1.254, 01:07:11
B        10.2.101.0/24 [20/0] via 61.128.1.254, 01:00:11
D        10.2.102.0/24 [90/26880256] via 10.0.123.2, 00:52:47, Tunnel0
B        10.3.1.1/32 [20/0] via 61.128.1.254, 01:06:40
B        10.3.101.0/24 [20/0] via 61.128.1.254, 00:59:28
D        10.3.102.0/24 [90/26880256] via 10.0.123.3, 00:52:52, Tunnel0
      61.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        61.128.1.0/24 is directly connected, GigabitEthernet0/1
L        61.128.1.1/32 is directly connected, GigabitEthernet0/1
Note in the routing table how the two networks part ways even though they share the same physical uplink: the guest prefixes 10.2.101.0/24 and 10.3.101.0/24 are BGP routes with next hop 61.128.1.254, the PE, so guest traffic crosses the provider's MPLS VPN unencrypted and depends solely on the provider's L3VPN separation; the employee prefixes 10.2.102.0/24 and 10.3.102.0/24 are EIGRP routes via Tunnel0, and the tunnel protection on Tunnel0 wraps that traffic in ESP before it leaves GigabitEthernet0/1. A quick check is to ping from 10.1.102.0/24 to 10.2.102.0/24 and watch the #pkts encaps/decaps counters in show crypto ipsec sa increase, then repeat from 10.1.101.0/24 to 10.2.101.0/24 and confirm they do not move.
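The crypto settings in these configs (3DES, DH group 2, ESP-MD5, a wildcard pre-shared key) are fine for a lab but are exactly what a reviewer flags before a DMVPN goes live. As an added example that is not part of the original post, the script below audits the IKE/IPsec settings of an IOS running-config and reports such findings. It embeds two constructed samples: the hub's IKE, transform-set and tunnel lines from this lab, re-indented the way show running-config prints them, and a hardened counterpart that uses IKEv2 with AES-GCM, DH group 19 and a per-peer pre-shared key. The names DM-PROP, DM-POL, DM-KEYS, DM-PROF and IPSEC-GCM, the key string and the 16-character key threshold are assumptions of this example, not settings from the page.

```python
WEAK_ENCR = {"des", "3des"}                  # IKEv1 "encr" / IKEv2 "encryption"
WEAK_HASH = {"md5", "sha"}                   # in IOS "hash sha" means SHA-1
WEAK_DH = {"1", "2", "5"}                    # MODP groups below 2048 bits
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}
MIN_PSK_LEN = 16                             # policy threshold (assumption)


def parse_blocks(config):
    """Group a running-config into (top-level line, [indented sub-lines])."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                         # blank lines and "!" comments
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return (config line, issue) pairs for every weak setting found."""
    found = []
    for header, sub in parse_blocks(config):
        words, issues, kv = header.split(), [], {}
        for line in sub:                     # first word -> args, first wins
            kv.setdefault(line.split()[0], line.split()[1:])
        if header.startswith("crypto isakmp policy"):
            # IOS defaults when the line is absent: DES, SHA-1, DH group 1
            for keys, default, weak, what in (
                    (("encr", "encryption"), "des", WEAK_ENCR, "IKE cipher"),
                    (("hash",), "sha", WEAK_HASH, "IKE hash"),
                    (("group",), "1", WEAK_DH, "DH group")):
                val = next((kv[k] for k in keys if k in kv), [default])[0]
                if val in weak:
                    issues.append(f"weak {what} {val}")
        elif words[:3] == ["crypto", "isakmp", "key"]:
            # crypto isakmp key [0|6] <key> address <peer> [mask]
            i = words.index("address")
            if words[i + 1] == "0.0.0.0":
                issues.append("wildcard PSK peer: any host holding the key can register")
            if len(words[i - 1]) < MIN_PSK_LEN:
                issues.append("short PSK")
        elif header.startswith("crypto ikev2 proposal"):
            for alg in kv.get("encryption", []) + kv.get("group", []):
                if alg in WEAK_ENCR | WEAK_DH:
                    issues.append(f"weak IKEv2 parameter {alg}")
        elif header.startswith("crypto ikev2 keyring"):
            for parts in (line.split() for line in sub):
                if parts[:2] == ["address", "0.0.0.0"]:
                    issues.append("wildcard IKEv2 peer address")
                if parts[0] == "pre-shared-key" and len(parts[-1]) < MIN_PSK_LEN:
                    issues.append("short IKEv2 PSK")
        elif header.startswith("crypto ipsec transform-set"):
            issues += [f"weak ESP transform {a}" for a in words[4:] if a in WEAK_ESP]
        elif header.startswith("interface Tunnel"):
            if any(l.startswith("tunnel mode gre") for l in sub) and not any(
                    l.startswith("tunnel protection") for l in sub):
                issues.append("GRE tunnel without IPsec protection")
        found += [(header, issue) for issue in issues]
    return found


# Constructed sample: the hub's crypto and tunnel lines from the lab above.
LAB_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode transport
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DM
"""

# Constructed hardened counterpart (assumed names and key), IKEv2 + AES-GCM.
HARDENED_CONFIG = """
crypto ikev2 proposal DM-PROP
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ikev2 policy DM-POL
 proposal DM-PROP
crypto ikev2 keyring DM-KEYS
 peer SPOKE1
  address 10.2.1.1
  pre-shared-key Rk9v-2Ls8-qX4m-Tz7w-Bc1n
crypto ikev2 profile DM-PROF
 match identity remote address 10.2.1.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local DM-KEYS
crypto ipsec transform-set IPSEC-GCM esp-gcm 256
 mode transport
crypto ipsec profile DM
 set transform-set IPSEC-GCM
 set ikev2-profile DM-PROF
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DM
"""
```

Running audit(LAB_CONFIG) yields six findings (3DES and group 2 in the ISAKMP policy, the wildcard and short PSK, and the two ESP transforms), while audit(HARDENED_CONFIG) returns an empty list. The hardened profile keeps transport mode and the same tunnel protection line, so it drops into the Tunnel0 configuration above unchanged; only the profile's key material and the mapping of spokes to keyring peers need to be added per site.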
Looking at it from the standpoint of having completed this lab, if front-door VRF (f-VRF), inside VRF (i-VRF), policy-based routing, NBAR, MPLS label control, MPLS TE and the like were brought into this case and applied in combination, far more complex overlay network requirements could be met.
In my view, this also shows where today's much-hyped SDA and SD-WAN solutions have the advantage over traditional networking in meeting the same requirements.
In a traditional network environment, taking this topic together with real business requirements and developing it fully, I think there is at least eight or ten days' worth of material to teach; in an SDN environment, I would need only three to five days to take everyone from zero to mastering the operation and key points of an SDN controller.
Dear fellow network engineers, the future is already here; let us use our efforts to build a great wall against the programmers.
For more insights, please follow me.