Moving toward SDN: an overlay dynamic private network across an MPLS environment

After a wait that exhausted everyone's patience, the CCIE test centers finally reopened in September.

It has to be said that the training institutions and platforms have all gone rather quiet; perhaps each of them is quietly working out what to do next.

I have never been particularly modest, and I take pleasure in sharing what I learn from study and work. Although I work for a training institution, that does not stop me from sharing a few insights publicly.

Today's topic is neither new nor old, neither real nor fake. (Every CCIE candidate automatically signs an agreement not to disclose exam content.)

The topic we will explore can be understood as one application scenario for the transition from traditional networking to SDN, in the new landscape where traditional networks and SDN networks coexist.

This content is touched on in the EI-CCIE v1.0 exam, and in keeping with my original intention of training for the rise of China, I am sharing a few personal insights here. Even if you are not my student, even if you are an instructor at a competitor, even if you are simply a technology enthusiast, feel free to use this as a reference; broadening everyone's horizons and learning more technology is what really matters. (Yes, my words sting; yes, I am not dignified enough. Never mind, let them sting. A grasshopper after the autumn harvest has only a few days left to hop; you can be the dignified ones.)

The simulated device image used for this topic is IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.8(3)M2, RELEASE SOFTWARE (fc2);

If any readers are my students, you may want to follow the IE theory course IPsec module that starts on the 12th of this month, where I will go through this case in more detail.

The lab topology for this topic is as follows:

[Topology figure: Moving toward SDN: an overlay dynamic private network across an MPLS environment]

Network design overview:

The enterprise's sites are interconnected through an MPLS VPN;

BGP runs between PE and CE;

The enterprise plans two business networks, one for internal employees only and one for guests only; (these names were picked casually to illustrate the services and should not be carried into a production network)

The guest network uses BGP for its routing;

BGP also injects the loopback routes of the gateway routers into the BGP table, which serves the employee dynamic private network service;

The loopback interfaces of the three gateway routers are used to build the dynamic private network service for internal employees;

The employee network uses EIGRP to exchange routes through the tunnel interface;

IPsec is used to protect the traffic forwarded through the tunnel;


The key configuration of each device is shown below:


MPLS_Core#show running-config
interface Loopback0
  ip address 100.100.100.100 255.255.255.255

interface GigabitEthernet0/1
  ip address 61.128.1.254 255.255.255.0

interface GigabitEthernet0/2
  ip address 202.100.1.254 255.255.255.0

interface GigabitEthernet0/3
  ip address 137.78.100.254 255.255.255.0


router bgp 1000
  neighbor 61.128.1.1 remote-as 100
  neighbor 137.78.100.1 remote-as 300
  neighbor 202.100.1.1 remote-as 200


HUB#show running-config

interface Loopback0
  ip address 10.1.1.1 255.255.255.255


interface GigabitEthernet0/0.1
  encapsulation dot1Q 101
  ip address 10.1.101.1 255.255.255.0


interface GigabitEthernet0/0.2
  encapsulation dot1Q 102
  ip address 10.1.102.1 255.255.255.0


interface GigabitEthernet0/1
  ip address 61.128.1.1 255.255.255.0


router bgp 100
  network 10.1.1.1 mask 255.255.255.255
  network 10.1.101.0 mask 255.255.255.0
  neighbor 61.128.1.254 remote-as 1000


crypto isakmp policy 10
  encr 3des
  hash sha256
  authentication pre-share
  group 2
crypto isakmp key cisco address 0.0.0.0       
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
  mode transport
crypto ipsec profile DM
  set transform-set IPSEC


interface Tunnel0
  ip address 10.0.123.1 255.255.255.0
  ip mtu 1400
  no ip next-hop-self eigrp 1
  no ip split-horizon eigrp 1
  ip nhrp network-id 1
  ip nhrp nhs 10.0.123.1
  tunnel source Loopback0
  tunnel mode gre multipoint
  tunnel protection ipsec profile DM


router eigrp 1
  network 10.0.123.0 0.0.0.255
  network 10.1.102.0 0.0.0.255


Spoke1#show running-config

interface Loopback0
  ip address 10.2.1.1 255.255.255.255

interface GigabitEthernet0/0.1
  encapsulation dot1Q 101
  ip address 10.2.101.1 255.255.255.0

interface GigabitEthernet0/0.2
  encapsulation dot1Q 102
  ip address 10.2.102.1 255.255.255.0

interface GigabitEthernet0/1
  ip address 202.100.1.1 255.255.255.0

router bgp 200
  network 10.2.1.1 mask 255.255.255.255
  network 10.2.101.0 mask 255.255.255.0
  neighbor 202.100.1.254 remote-as 1000

crypto isakmp policy 10
  encr 3des
  hash sha256
  authentication pre-share
  group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
  mode transport
crypto ipsec profile DM
  set transform-set IPSEC

interface Tunnel0
  ip address 10.0.123.2 255.255.255.0
  ip mtu 1400
  ip nhrp map 10.0.123.1 10.1.1.1
  ip nhrp map multicast 10.1.1.1
  ip nhrp network-id 1
  ip nhrp nhs 10.0.123.1
  tunnel source Loopback0
  tunnel mode gre multipoint
  tunnel protection ipsec profile DM

router eigrp 1
  network 10.0.123.0 0.0.0.255
  network 10.2.102.0 0.0.0.255


Spoke2#show running-config

interface Loopback0
  ip address 10.3.1.1 255.255.255.255

interface GigabitEthernet0/0.1
  encapsulation dot1Q 101
  ip address 10.3.101.1 255.255.255.0

interface GigabitEthernet0/0.2
  encapsulation dot1Q 102
  ip address 10.3.102.1 255.255.255.0

interface GigabitEthernet0/1
  ip address 137.78.100.1 255.255.255.0

router bgp 300
  network 10.3.1.1 mask 255.255.255.255
  network 10.3.101.0 mask 255.255.255.0
  neighbor 137.78.100.254 remote-as 1000

crypto isakmp policy 10
  encr 3des
  hash sha256
  authentication pre-share
  group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
  mode transport
crypto ipsec profile DM
  set transform-set IPSEC

interface Tunnel0
  ip address 10.0.123.3 255.255.255.0
  ip mtu 1400
  ip nhrp map 10.0.123.1 10.1.1.1
  ip nhrp map multicast 10.1.1.1
  ip nhrp network-id 1
  ip nhrp nhs 10.0.123.1
  tunnel source Loopback0
  tunnel mode gre multipoint
  tunnel protection ipsec profile DM

router eigrp 1
  network 10.0.123.0 0.0.0.255
  network 10.3.102.0 0.0.0.255
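To check the three configurations above against the design intent (the tunnel sourced from a loopback that BGP advertises as a /32 into the underlay, and the mGRE tunnel bound to a defined IPsec profile) and against the strength of the crypto settings they use, here is an added audit script in Python; it is not part of the original post and not the author's tooling. HUB_CONFIG is transcribed from the hub configuration above. HARDENED_CONFIG is a constructed variant that swaps 3DES, HMAC-MD5 and DH group 2 for AES-256, SHA-256 and group 14 and replaces the 0.0.0.0 wildcard pre-shared key with one key per peer address (the key value is a placeholder, not a real secret). The section parser, check codes and messages are this example's own.

```python
"""Audit a DMVPN gateway config: design invariants plus crypto strength.
Added example, not the author's code."""

# Transcription of the hub's relevant running-config from the page.
HUB_CONFIG = """\
interface Loopback0
  ip address 10.1.1.1 255.255.255.255
interface GigabitEthernet0/1
  ip address 61.128.1.1 255.255.255.0
router bgp 100
  network 10.1.1.1 mask 255.255.255.255
  network 10.1.101.0 mask 255.255.255.0
  neighbor 61.128.1.254 remote-as 1000
crypto isakmp policy 10
  encr 3des
  hash sha256
  authentication pre-share
  group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
  mode transport
crypto ipsec profile DM
  set transform-set IPSEC
interface Tunnel0
  ip address 10.0.123.1 255.255.255.0
  ip mtu 1400
  ip nhrp network-id 1
  ip nhrp nhs 10.0.123.1
  tunnel source Loopback0
  tunnel mode gre multipoint
  tunnel protection ipsec profile DM
router eigrp 1
  network 10.0.123.0 0.0.0.255
  network 10.1.102.0 0.0.0.255
"""

# Constructed hardened variant: AES-256, SHA-256, DH group 14 and a key per
# peer instead of the 0.0.0.0 wildcard. The key value is a placeholder.
HARDENED_CONFIG = (
    HUB_CONFIG.replace("encr 3des", "encr aes 256")
    .replace("group 2", "group 14")
    .replace("crypto isakmp key cisco address 0.0.0.0",
             "crypto isakmp key REPLACE_WITH_STRONG_PSK address 10.2.1.1\n"
             "crypto isakmp key REPLACE_WITH_STRONG_PSK address 10.3.1.1")
    .replace("esp-3des esp-md5-hmac", "esp-aes 256 esp-sha256-hmac")
)

# (code, predicate over one stripped config line, message)
WEAK_CHECKS = [
    ("weak-encr", lambda l: "3des" in l, "3DES cipher (64-bit block); use AES-256"),
    ("weak-hash", lambda l: "md5" in l, "HMAC-MD5 integrity; use SHA-256"),
    ("weak-dh", lambda l: l == "group 2", "DH group 2 (1024-bit); use group 14 or higher"),
    ("wildcard-psk",
     lambda l: l.startswith("crypto isakmp key") and l.endswith("address 0.0.0.0"),
     "one pre-shared key accepted from any peer address; use a key per peer"),
]


def parse_sections(text):
    """Split IOS config into {top-level line: [indented child lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def audit(config_text):
    """Return [(code, message)] findings; an empty list means the config passes."""
    s = parse_sections(config_text)
    findings = []
    tun = s.get("interface Tunnel0", [])
    # Invariant 1: the tunnel source must be a loopback that BGP advertises as
    # a /32, otherwise the spokes cannot reach the hub's NBMA address.
    src = next((l.split()[-1] for l in tun if l.startswith("tunnel source ")), None)
    src_ip = next((l.split()[2] for l in s.get(f"interface {src}", [])
                   if l.startswith("ip address ")), None)
    bgp = next((b for h, b in s.items() if h.startswith("router bgp ")), [])
    if src_ip is None or f"network {src_ip} mask 255.255.255.255" not in bgp:
        findings.append(("src-not-advertised",
                         "tunnel source address is not advertised as a /32 in BGP"))
    # Invariant 2: the mGRE tunnel must be bound to an IPsec profile that exists.
    prof = next((l.split()[-1] for l in tun
                 if l.startswith("tunnel protection ipsec profile ")), None)
    if prof is None or f"crypto ipsec profile {prof}" not in s:
        findings.append(("no-ipsec", "Tunnel0 has no defined IPsec profile bound"))
    # Crypto strength: scan every line once and report each weakness once.
    seen = set()
    for header, body in s.items():
        for line in [header, *body]:
            for code, pred, msg in WEAK_CHECKS:
                if code not in seen and pred(line):
                    seen.add(code)
                    findings.append((code, msg))
    return findings


if __name__ == "__main__":
    for name, cfg in (("hub as posted", HUB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", [c for c, _ in audit(cfg)] or "clean")
```

Run as-is it reports four findings for the posted hub configuration (3DES, DH group 2, the wildcard pre-shared key, and HMAC-MD5) and nothing for the hardened variant; the same parser can be pointed at either spoke configuration, since the checks only look at the Tunnel0, router bgp, crypto isakmp and crypto ipsec stanzas.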


After the above configuration is complete, the following entries will exist:


HUB#show dm   
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
         N - NATed, L - Local, X - No Socket
         T1 - Route Installed, T2 - Nexthop-override
         C - CTS Capable, I2 - Temporary
         # Ent --> Number of NHRP entries with same NBMA peer
         NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
         UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
  ----- --------------- --------------- ----- -------- -----
      1 10.2.1.1             10.0.123.2    UP 00:52:29     D
      1 10.3.1.1             10.0.123.3    UP 00:52:28     D


HUB#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                    (sec)         (ms)       Cnt Num
1   10.0.123.3              Tu0                      11 00:52:39   31  1434  0  13
0   10.0.123.2              Tu0                      12 00:52:41   26  1434  0  13


HUB#show ip route | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
C        10.0.123.0/24 is directly connected, Tunnel0
L        10.0.123.1/32 is directly connected, Tunnel0
C        10.1.1.1/32 is directly connected, Loopback0
C        10.1.101.0/24 is directly connected, GigabitEthernet0/0.1
L        10.1.101.1/32 is directly connected, GigabitEthernet0/0.1
C        10.1.102.0/24 is directly connected, GigabitEthernet0/0.2
L        10.1.102.1/32 is directly connected, GigabitEthernet0/0.2
B        10.2.1.1/32 [20/0] via 61.128.1.254, 01:07:11
B        10.2.101.0/24 [20/0] via 61.128.1.254, 01:00:11
D        10.2.102.0/24 [90/26880256] via 10.0.123.2, 00:52:47, Tunnel0
B        10.3.1.1/32 [20/0] via 61.128.1.254, 01:06:40
B        10.3.101.0/24 [20/0] via 61.128.1.254, 00:59:28
D        10.3.102.0/24 [90/26880256] via 10.0.123.3, 00:52:52, Tunnel0
       61.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        61.128.1.0/24 is directly connected, GigabitEthernet0/1
L        61.128.1.1/32 is directly connected, GigabitEthernet0/1


Note that although the guest network and the employee network are both forwarded over the same physical link, the employee network's traffic is actually protected by IPsec.
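The observation above can be turned into an automated consistency check over the hub's show output: each DMVPN peer should be UP, its NBMA address (the spoke's loopback) should be reached through the underlay BGP path and never through Tunnel0 itself (the recursive-routing fault that tears a DMVPN tunnel down), and the employee subnets should arrive as EIGRP routes via the peer's tunnel address. The Python below is an added example, not the author's code; DMVPN_OUTPUT and ROUTE_OUTPUT are transcriptions of the show dmvpn table and show ip route listing above, and the regular expressions, function names and messages are this example's own.

```python
"""Cross-check DMVPN peers against the routing table. Added example, not the
author's code. The two text constants transcribe the hub's show output."""
import ipaddress
import re

DMVPN_OUTPUT = """\
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
  ----- --------------- --------------- ----- -------- -----
      1 10.2.1.1             10.0.123.2    UP 00:52:29     D
      1 10.3.1.1             10.0.123.3    UP 00:52:28     D
"""

ROUTE_OUTPUT = """\
      10.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
C        10.0.123.0/24 is directly connected, Tunnel0
L        10.0.123.1/32 is directly connected, Tunnel0
C        10.1.1.1/32 is directly connected, Loopback0
C        10.1.101.0/24 is directly connected, GigabitEthernet0/0.1
L        10.1.101.1/32 is directly connected, GigabitEthernet0/0.1
C        10.1.102.0/24 is directly connected, GigabitEthernet0/0.2
L        10.1.102.1/32 is directly connected, GigabitEthernet0/0.2
B        10.2.1.1/32 [20/0] via 61.128.1.254, 01:07:11
B        10.2.101.0/24 [20/0] via 61.128.1.254, 01:00:11
D        10.2.102.0/24 [90/26880256] via 10.0.123.2, 00:52:47, Tunnel0
B        10.3.1.1/32 [20/0] via 61.128.1.254, 01:06:40
B        10.3.101.0/24 [20/0] via 61.128.1.254, 00:59:28
D        10.3.102.0/24 [90/26880256] via 10.0.123.3, 00:52:52, Tunnel0
       61.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        61.128.1.0/24 is directly connected, GigabitEthernet0/1
L        61.128.1.1/32 is directly connected, GigabitEthernet0/1
"""

# One data row of the 'show dmvpn' peer table.
PEER_RE = re.compile(
    r"^\s*\d+\s+(?P<nbma>\d+(?:\.\d+){3})\s+(?P<tun>\d+(?:\.\d+){3})\s+(?P<state>\w+)\s")
# One route line: either a learned route with next hop (and optional egress
# interface) or a directly connected prefix. Summary lines do not match.
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z*]{1,2})\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<nh>\d+(?:\.\d+){3}),\s*[^,\s]+(?:,\s*(?P<oif>\S+))?"
    r"|is directly connected,\s+(?P<cif>\S+))\s*$")


def parse_peers(text):
    """[(nbma, tunnel_ip, state)] rows from 'show dmvpn'."""
    return [(m["nbma"], m["tun"], m["state"])
            for m in (PEER_RE.match(l) for l in text.splitlines()) if m]


def parse_routes(text):
    """{prefix: {'proto', 'nh', 'iface'}} from 'show ip route'."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[m["prefix"]] = {"proto": m["proto"], "nh": m["nh"],
                                   "iface": m["oif"] or m["cif"]}
    return routes


def longest_match(routes, addr):
    """Longest-prefix lookup of addr; returns the prefix string or None."""
    ip = ipaddress.ip_address(addr)
    return max((p for p in routes if ip in ipaddress.ip_network(p, strict=False)),
               key=lambda p: ipaddress.ip_network(p, strict=False).prefixlen,
               default=None)


def check_dmvpn(dmvpn_text, route_text):
    """Return a list of problems; an empty list means overlay and underlay agree."""
    routes = parse_routes(route_text)
    problems = []
    for nbma, tun_ip, state in parse_peers(dmvpn_text):
        if state != "UP":
            problems.append(f"{nbma}: tunnel state {state}")
        r = routes.get(longest_match(routes, nbma))
        if r is None:
            problems.append(f"{nbma}: no route to NBMA address")
        elif (r["iface"] or "").startswith("Tunnel"):
            # The peer's outer address reached through the tunnel itself is the
            # classic DMVPN recursive-routing fault; the tunnel will flap.
            problems.append(f"{nbma}: NBMA address learned over {r['iface']} (recursive routing)")
        overlay = [p for p, x in routes.items()
                   if x["nh"] == tun_ip and (x["iface"] or "").startswith("Tunnel")]
        if not overlay:
            problems.append(f"{nbma}: no overlay prefixes learned via {tun_ip}")
    return problems


if __name__ == "__main__":
    print(check_dmvpn(DMVPN_OUTPUT, ROUTE_OUTPUT) or "overlay and underlay consistent")
```

With the output as captured above the check passes: both spokes' loopbacks are BGP routes pointing at 61.128.1.254 on the underlay, while each spoke's 102 subnet is an EIGRP route whose egress interface is Tunnel0, which is exactly the split between guest traffic on the bare MPLS path and employee traffic inside the IPsec-protected tunnel.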

Looking at it from the perspective of having completed this lab, if the f-VRF and i-VRF designs, policy-based routing, NBAR, MPLS label control, MPLS TE and so on were brought into this case and applied together, far more complex overlay network requirements could be met.

In my view, this is also where the advantage of today's hotly pursued SDA and SD-WAN solutions lies when they meet the same requirements as a traditional network.

In a traditional network environment, taking this topic together with real business requirements and expanding on it, I think there is material for at least eight or ten days of lectures; in an SDN environment, by contrast, I would need only three to five days to take everyone from nothing to a working command of the SDN controller's operation and key points.

Dear fellow network engineers, the future is already here; let us build, with our own efforts, a Great Wall against the programmers.

For more insights, feel free to follow me.
