Technical documentation
Published: 2023-07-20  Views: 1624  Source: 崔志鹏
SRv6 Policy L3VPN: WOLFLAB HCIE training course theory notes
HCIE Datacom training course: choose WOLFLAB Network Technology Lab. Classes start on a rolling schedule; contact the site's customer service to book a free trial lesson!
WOLFLAB official WeChat: 17316362402
WOLFLAB official QQ: 2569790740
Problems with SRv6 BE:
Suppose there is a second link directly between CX1 and CX4. CX1 encapsulates the packets AR1 sends to AR2 in an outer IPv6 header, sip:192.168.1.1 dip:192.168.2.1 | sipv6:2001::1 dipv6:2044::44. Because CX1's outgoing interface for CX4's locator 2044::/64 is E1/0/2, the packet is forwarded along the shortest path between CX1 and CX4, and no traffic engineering is possible: SRv6 BE in essence relies on the IGP for path selection.
Question: without changing the underlying IGP costs, how can the traffic from AR1 to AR2 be made to follow CX1-CX2-CX3-CX4, as the administrator intends?
This is what SRv6 Policy is for.
Design idea of SRv6 Policy:
① It extends the existing SRv6 BE deployment; the SRv6 BE configuration stays almost unchanged.
② Every device needs an IPv6 address pool (locator), planned as shown in the figure, and advertises it through the IGP so that all four devices learn routes to each other's locator prefixes.
③ Manually configure an End SID. Like End.DT4, End is generated from the locator; its role is to identify each device with one IPv6 address. Suppose the manually configured End opcode is ::111 on CX1, ::222 on CX2, ::333 on CX3 and ::444 on CX4; then CX1 is identified by 2011::111, CX2 by 2022::222, CX3 by 2033::333 and CX4 by 2044::444.
④ When CX4 advertises the route 192.168.2.0/24 to CX1, besides the RD, RT and End.DT4 SID it must also, through a route-policy, attach an extended community called color and send it to CX1. Color is just a number, somewhat like a tag; suppose color = 100:
route-policy CX4-CX1 permit node 10
 apply extcommunity color 0:100
#
bgp 100
 ipv4-family vpnv4
  peer 2001::1 route-policy CX4-CX1 export
⑤ On the head-end node of the traffic, define a segment-list; this is the path the traffic must follow:
segment-list:
 index 5 sid ipv6 2022::222
 index 10 sid ipv6 2033::333
 index 15 sid ipv6 2044::444
⑥ Configure the traffic policy (SRv6 TE Policy), which binds a color to a segment-list. A policy is identified by its endpoint (the BGP next hop of the route, here CX4) and its color. When CX1 receives a packet that is matched by the route 192.168.2.0/24 carrying color = 100, it forwards the packet along the path given by the segment-list.
⑦ Configure the tunnel policy. When CX1 receives a packet for dip:192.168.2.1, matched by the route 192.168.2.0/24, it can take either the shortest path via SRv6 BE or the CX1-CX2-CX3-CX4 path via the SRv6 TE Policy. By default SRv6 BE is preferred over srv6-te-policy, so the tunnel policy must be adjusted to prefer srv6-te-policy, with SRv6 BE as its backup: if a device on the srv6-te-policy path fails, traffic falls back to SRv6 BE.
Traffic analysis:
① CX1 receives a packet sip:192.168.1.1 dip:192.168.2.1 that matches the route 192.168.2.0/24. It could use SRv6 BE or, by color = 100, the srv6-te-policy; because of the tunnel policy it uses the srv6-te-policy.
② CX1 adds an outer IPv6 header and, to that outer header, an extension header that carries the traffic-engineered path: the SRH (the same idea as carrying a Fragment extension header to implement fragmentation). CX1 looks up the new IPv6 destination in its routing table and sends the packet to CX2:
DIPv6: 2022::222  SIPv6: 2001::1 |
SRH (SL=3)  seq0: 2044::44 (End.DT4)  seq1: 2044::444 (End)  seq2: 2033::333 (End)  seq3: 2022::222 (End) |
DIP: 192.168.2.1  SIP: 192.168.1.1 |
ICMP request |
③ CX2 receives the packet and checks whether the IPv6 DA is one of its own SIDs (End or End.X). SL=3 means seq3 is the active segment, i.e. CX2 itself has now been reached. CX2 decrements SL to 2, copies seq2 into the IPv6 DA, looks up the new DA in its routing table and sends the packet to CX3:
DIPv6: 2033::333  SIPv6: 2001::1 |
SRH (SL=2)  seq0: 2044::44 (End.DT4)  seq1: 2044::444 (End)  seq2: 2033::333 (End)  seq3: 2022::222 (End) |
DIP: 192.168.2.1  SIP: 192.168.1.1 |
ICMP request |
④ CX3 receives the packet; SL=2 means seq2 (CX3 itself) has been reached. CX3 decrements SL to 1, copies seq1 into the IPv6 DA, looks up the new DA and sends the packet to CX4:
DIPv6: 2044::444  SIPv6: 2001::1 |
SRH (SL=1)  seq0: 2044::44 (End.DT4)  seq1: 2044::444 (End)  seq2: 2033::333 (End)  seq3: 2022::222 (End) |
DIP: 192.168.2.1  SIP: 192.168.1.1 |
ICMP request |
⑤ CX4 receives the packet; the DA 2044::444 is its End SID and SL=1, so it decrements SL to 0 and copies seq0 (2044::44) into the DA. That is the End.DT4 SID CX4 allocated for its private network (VPN instance A2): with SL=0 CX4 strips the outer IPv6 header and SRH, looks up the inner destination 192.168.2.1 in the A2 routing table and forwards the packet to AR2.
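The steering decision described in design points ⑥ and ⑦ and the hop-by-hop walk in the traffic analysis, as an added example that is not from the original notes and not Huawei VRP code. It models CX1's choice between SRv6 BE and the SRv6 TE Policy (VPN route color + next hop), the SRH CX1 builds, and the End / End.DT4 behaviours of RFC 8986 applied at CX2, CX3 and CX4. The addresses, SIDs, VPN names and prefixes are the lab's; the dict tables, function names and the extra 192.168.3.0/24 route (color 200, no matching policy) are this example's own assumptions.

```python
"""Headend steering and per-hop SRH processing for the CX1 -> CX4 walk.

Added example, not code from the WOLFLAB notes or from Huawei VRP. The lab's
addresses are used as data; the table layout and function names are assumed.
"""
from ipaddress import IPv6Address, ip_address, ip_network

HEADEND_SOURCE = "2001::1"   # encapsulation source-address on CX1

# VPNv4 routes as installed on CX1 (constructed: RD/RT omitted, only the
# attributes steering needs). 192.168.3.0/24 is an invented route whose
# color matches no policy, to show the fall-back to SRv6 BE.
VPN_ROUTES = {
    ("A1", "192.168.2.0/24"): {"nexthop": "2004::4", "color": 100, "end_dt4": "2044::44"},
    ("A1", "192.168.3.0/24"): {"nexthop": "2004::4", "color": 200, "end_dt4": "2044::44"},
}

# srv6-te policies on CX1, keyed by (endpoint, color) -> segment-list
SRV6_TE_POLICIES = {
    ("2004::4", 100): ["2022::222", "2033::333", "2044::444"],
}

# "My SID" table per node: SID -> (behaviour, VPN instance for End.DT4)
LOCAL_SIDS = {
    "CX2": {"2022::222": ("End", None)},
    "CX3": {"2033::333": ("End", None)},
    "CX4": {"2044::444": ("End", None), "2044::44": ("End.DT4", "A2")},
}


def canon(addr):
    """Canonical text form so '2044::0044' and '2044::44' compare equal."""
    return str(IPv6Address(addr))


def headend_encap(vpn, inner_dst, prefer_te=True):
    """CX1's decision: longest-prefix match in the VRF, then TE policy or BE."""
    best = None
    for (inst, prefix), route in VPN_ROUTES.items():
        net = ip_network(prefix)
        if inst == vpn and ip_address(inner_dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, route)
    if best is None:
        raise LookupError(f"no route for {inner_dst} in VPN {vpn}")
    route = best[1]
    policy = None
    if prefer_te:   # tunnel-policy: srv6-te-policy is tried first
        policy = SRV6_TE_POLICIES.get((canon(route["nexthop"]), route["color"]))
    if policy is None:
        # SRv6 BE: one IPv6 header, DA = End.DT4 SID, no SRH; the IGP picks the path
        return {"src": HEADEND_SOURCE, "dst": canon(route["end_dt4"]), "srh": None,
                "inner_dst": inner_dst, "mode": "BE"}
    # SRv6 TE: Segment List[0] is the LAST segment (the End.DT4 SID) and
    # Segments Left indexes the active one, so the list is stored reversed.
    segments = [canon(route["end_dt4"])] + [canon(s) for s in reversed(policy)]
    sl = len(segments) - 1
    return {"src": HEADEND_SOURCE, "dst": segments[sl],
            "srh": {"segments": segments, "sl": sl},
            "inner_dst": inner_dst, "mode": "TE"}


def process_at_node(node, pkt):
    """Apply local SID behaviours while the DA is one of this node's SIDs.

    Returns the (possibly updated) packet to forward by plain IPv6 lookup,
    or a decap record when an End.DT4 SID removes the outer header.
    """
    sids = LOCAL_SIDS.get(node, {})
    while pkt["dst"] in sids:
        behaviour, vpn = sids[pkt["dst"]]
        srh = pkt["srh"]
        if behaviour == "End":
            if srh is None or srh["sl"] == 0:
                # RFC 8986 4.1: End with no SRH or SL == 0 is an error; drop
                raise ValueError(f"{node}: End SID {pkt['dst']} with no segments left")
            srh["sl"] -= 1
            pkt["dst"] = srh["segments"][srh["sl"]]
        elif behaviour == "End.DT4":
            if srh is not None and srh["sl"] != 0:
                raise ValueError(f"{node}: End.DT4 reached with SL={srh['sl']}")
            # pop outer IPv6 + SRH, look the inner IPv4 DA up in the VPN instance
            return {"decap": True, "vpn": vpn, "inner_dst": pkt["inner_dst"]}
    return pkt


def walk(pkt, path):
    """Trace (node, DA after processing, SL) along a path until decap."""
    trace = []
    for node in path:
        pkt = process_at_node(node, pkt)
        if pkt.get("decap"):
            trace.append((node, "decap", pkt["vpn"], pkt["inner_dst"]))
            break
        trace.append((node, pkt["dst"], pkt["srh"]["sl"] if pkt["srh"] else None))
    return trace


if __name__ == "__main__":
    for step in walk(headend_encap("A1", "192.168.2.1"), ["CX1", "CX2", "CX3", "CX4"]):
        print(step)
```

Running the TE case reproduces the four packet snapshots above (DA 2022::222/SL=3, 2033::333/SL=2, 2044::444/SL=1, then decapsulation into A2 on CX4); the 192.168.3.0/24 route shows that a color with no matching policy silently becomes SRv6 BE, which is worth checking explicitly after a change to the export route-policy. Note that every transit node trusts the SRH it receives, so an SR domain must drop packets arriving from outside it whose destination lies in the locator range (RFC 8754, Section 5.1); the lab has no such filter because it has no external attachment.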
Key point:
The source node chooses a path and pushes an ordered Segment List into the packet; the other nodes in the network forward according to the Segment List carried in the packet. This is called source routing, and source routing is the central design idea of SR.
SRH:
Step 1: configure the locator on CX1/CX2/CX3/CX4 and assign the End opcode manually
CX1:
segment-routing ipv6
 encapsulation source-address 2001::1
 locator wolf ipv6-prefix 2011:: 64 static 64
  opcode ::111 end                                      // manually configured End SID
  opcode ::11 end-dt4 vpn-instance A1
#
isis 1
 #
 ipv6 enable topology ipv6
 segment-routing ipv6 locator wolf auto-sid-disable    // disable automatic SID allocation, otherwise the IGP allocates the End SID itself
CX2:
segment-routing ipv6
 encapsulation source-address 2002::2
 locator wolf ipv6-prefix 2022:: 64 static 64
  opcode ::222 end                                      // CX2 and CX3 are transit nodes and need no End.DT4
#
isis 1
 #
 ipv6 enable topology ipv6
 segment-routing ipv6 locator wolf auto-sid-disable
CX3:
segment-routing ipv6
 encapsulation source-address 2003::3
 locator wolf ipv6-prefix 2033:: 64 static 64
  opcode ::333 end
#
isis 1
 #
 ipv6 enable topology ipv6
 segment-routing ipv6 locator wolf auto-sid-disable
CX4:
segment-routing ipv6
 encapsulation source-address 2004::4
 locator wolf ipv6-prefix 2044:: 64 static 64
  opcode ::444 end
  opcode ::44 end-dt4 vpn-instance A2
#
isis 1
 #
 ipv6 enable topology ipv6
 segment-routing ipv6 locator wolf auto-sid-disable
Step 2: when CX1 and CX4 advertise routes to each other, attach color 100
CX4:
acl number 2000
 rule 5 permit source 192.168.2.0 0
#
route-policy CX4-CX1 permit node 10
 if-match acl 2000
 apply extcommunity color 0:100
#
bgp 100
 ipv4-family vpnv4
  peer 2001::1 route-policy CX4-CX1 export
CX1:
acl number 2000
 rule 5 permit source 192.168.1.0 0                      // CX1 exports AR1's prefix 192.168.1.0/24 (the notes repeated CX4's 192.168.2.0 here)
#
route-policy CX1-CX4 permit node 10
 if-match acl 2000
 apply extcommunity color 0:100
#
bgp 100
 ipv4-family vpnv4
  peer 2004::4 route-policy CX1-CX4 export               // CX1's VPNv4 peer is CX4 (2004::4), not CX1's own address 2001::1
Step 3: configure the segment-lists on CX1 and CX4:
CX1:
segment-routing ipv6
 segment-list CX1-CX4
  index 5 sid ipv6 2022::222
  index 10 sid ipv6 2033::333
  index 15 sid ipv6 2044::444
CX4:
segment-routing ipv6
 segment-list CX4-CX1
  index 5 sid ipv6 2033::333
  index 10 sid ipv6 2022::222
  index 15 sid ipv6 2011::111
Step 4: configure the traffic policy (SRv6 TE Policy); the endpoint is the remote PE's encapsulation source address and the color is the one carried by its routes
CX1:
segment-routing ipv6
 srv6-te policy CX1-CX4 endpoint 2004::4 color 100
  candidate-path preference 100
   segment-list CX1-CX4
CX4:
segment-routing ipv6
 srv6-te policy CX4-CX1 endpoint 2001::1 color 100
  candidate-path preference 100
   segment-list CX4-CX1
Step 5: configure the tunnel policy so that srv6-te-policy is preferred
CX1:
tunnel-policy CX1-CX4
 tunnel select-seq ipv6 srv6-te-policy load-balance-number 1
#
ip vpn-instance A1                                       // the VPN instance on CX1 is A1 (the notes wrote vpna here)
 ipv4-family
  tnl-policy CX1-CX4
CX4:
tunnel-policy CX4-CX1
 tunnel select-seq ipv6 srv6-te-policy load-balance-number 1
#
ip vpn-instance A2                                       // the VPN instance on CX4 is A2
 ipv4-family
  tnl-policy CX4-CX1
Step 6: in the VRF, change the original BE-only setting so that TE and BE coexist
CX1:
bgp 100                                                  // same BGP process as in step 2 (the notes wrote 1234 here)
 #
 ipv4-family vpn-instance A1
  segment-routing ipv6 traffic-engineer best-effort      // srv6-te-policy first, SRv6 BE as backup
CX4:
bgp 100
 #
 ipv4-family vpn-instance A2
  segment-routing ipv6 traffic-engineer best-effort
Note: End.X SIDs can also be configured manually; they are rarely needed. An End.X SID corresponds to the Adjacency SID in SR-MPLS TE and allows finer-grained control over the path.
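A consistency check for the six configuration steps above, added here as an example; it is not part of the WOLFLAB notes and not a Huawei tool. It holds the lab's locators, static opcodes, segment-lists, policies, export colors and tunnel policies as Python data and checks the cross-references the CLI accepts silently: a SID in a segment-list that no locator covers or that is not a configured static opcode, a policy endpoint that is not the node owning the last SID, a remote PE exporting a color that no policy matches, and a VPN instance bound to a tunnel policy that does not exist. The values are the lab's; the table layout, function names and the deliberately broken inputs in the checks are assumptions of this example.

```python
"""Pre-deployment consistency check for the SRv6 TE Policy configuration.

Added example, not part of the WOLFLAB notes and not a Huawei tool. The lab's
values are used as data; the table layout and function names are assumed.
"""
from ipaddress import IPv6Address, IPv6Network

NODES = {
    "CX1": {"source": "2001::1", "locator": "2011::/64",
            "opcodes": {"::111": "End", "::11": "End.DT4"}},
    "CX2": {"source": "2002::2", "locator": "2022::/64", "opcodes": {"::222": "End"}},
    "CX3": {"source": "2003::3", "locator": "2033::/64", "opcodes": {"::333": "End"}},
    "CX4": {"source": "2004::4", "locator": "2044::/64",
            "opcodes": {"::444": "End", "::44": "End.DT4"}},
}
SEGMENT_LISTS = {
    "CX1-CX4": ["2022::222", "2033::333", "2044::444"],
    "CX4-CX1": ["2033::333", "2022::222", "2011::111"],
}
POLICIES = {   # srv6-te policy <name> endpoint <ep> color <c> / segment-list <sl>
    "CX1": [{"name": "CX1-CX4", "endpoint": "2004::4", "color": 100, "segment_list": "CX1-CX4"}],
    "CX4": [{"name": "CX4-CX1", "endpoint": "2001::1", "color": 100, "segment_list": "CX4-CX1"}],
}
EXPORT_COLOR = {"CX1": 100, "CX4": 100}          # apply extcommunity color 0:<c>
TUNNEL_POLICIES = {"CX1": {"CX1-CX4"}, "CX4": {"CX4-CX1"}}
VPN_TNL_POLICY = {"CX1": ("A1", "CX1-CX4"), "CX4": ("A2", "CX4-CX1")}


def sid_owner(sid):
    """(node, behaviour) if sid == locator + a static opcode; (node, None) if it
    falls in a locator without a matching opcode; None if no locator covers it."""
    addr = IPv6Address(sid)
    for node, cfg in NODES.items():
        net = IPv6Network(cfg["locator"])
        if addr in net:
            for opcode, behaviour in cfg["opcodes"].items():
                if int(net.network_address) + int(IPv6Address(opcode)) == int(addr):
                    return node, behaviour
            return node, None
    return None


def node_by_source(addr):
    """Node whose encapsulation source-address is addr (policy endpoints use it)."""
    for node, cfg in NODES.items():
        if IPv6Address(cfg["source"]) == IPv6Address(addr):
            return node
    return None


def check_headend(headend, policies=POLICIES, segment_lists=SEGMENT_LISTS):
    """Return a list of findings (empty means consistent) for one headend PE."""
    findings = []
    for p in policies.get(headend, []):
        sids = segment_lists.get(p["segment_list"])
        if not sids:
            findings.append(f"{headend}: policy {p['name']} references unknown or empty segment-list {p['segment_list']}")
            continue
        for sid in sids:
            owner = sid_owner(sid)
            if owner is None:
                findings.append(f"{headend}: SID {sid} in {p['segment_list']} is outside every locator")
            elif owner[1] is None:
                findings.append(f"{headend}: SID {sid} is in {owner[0]}'s locator but is not a static opcode")
        tail = node_by_source(p["endpoint"])
        last = sid_owner(sids[-1])
        if tail is None:
            findings.append(f"{headend}: endpoint {p['endpoint']} is not any node's source address")
        elif last and last[0] != tail:
            findings.append(f"{headend}: last SID {sids[-1]} belongs to {last[0]}, endpoint is {tail}")
        # the remote PE must export the policy's color or the policy is never selected
        if tail and EXPORT_COLOR.get(tail) != p["color"]:
            findings.append(f"{headend}: {tail} exports color {EXPORT_COLOR.get(tail)}, policy {p['name']} needs {p['color']}")
    vpn, tnl = VPN_TNL_POLICY[headend]
    if tnl not in TUNNEL_POLICIES.get(headend, set()):
        findings.append(f"{headend}: vpn-instance {vpn} binds tnl-policy {tnl}, which is not defined")
    return findings


if __name__ == "__main__":
    for pe in ("CX1", "CX4"):
        print(pe, check_headend(pe) or "OK")
```

With the lab values both head-ends come back clean; feeding it a segment-list with a SID outside every locator, or inside a locator but not matching a static opcode, reports the SID that would be silently black-holed at the first node that has no route or no local SID for it.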
Follow WOLFLAB (沃尔夫) Network Lab. Huawei HCIE certification instructor: 崔志鹏