Computer Network Technologies - Summer Semester 2016/2017
Case Study
Examples of Cisco IOS syntax constructs for the individual parts of the case study.
Petr Grygárek

General

hostname XXX
ping vrf V ipv6 <ip6-addr>

For TEST POINT 1
IP addressing and IGP in SPCore and WANCore

int g0/1
 ip addr 1.1.1.1 255.255.255.252
 ipv6 addr 2001:7:8:9::1/64
 no shut

router ospf 1
 router-id x.x.x.x
int g0/2
 ip ospf 1 area 0

OR

router ospf 1
 router-id x.x.x.x
 network a.a.a.a 0.0.0.0 area 0
 ! a.a.a.a is the address on the respective interface

router isis 1
 is-type level-1
 net 49.aaaa.iiii.iiii.iiii.00
int g0/3
 ip router isis 1

For TEST POINT 2
Basic MPLS and LDP configuration

mpls ip
mpls ldp router-id lo 1
int g0/x
 mpls ip

Optionally:
access-list 1 permit <permitted loopback1>
no mpls ldp advertise-labels
mpls ldp advertise-labels for 1

For TEST POINT 3
Basic configuration of the branch offices (CE), VRF on CE and PE, PE-CE routing in the VRF.
(+ preparation for L3 MPLS/VPN: mutual redistribution between the branch OSPF and the WANCore IBGP)

ipv6 unicast-routing
vrf definition V
 rd AS:xxx
 route-target export AS:aaa
 route-target export AS:bbb
 route-target import AS:ccc
 route-target import AS:ddd
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family

router ospf 11 vrf V
 router-id x.x.x.x
 domain-id d.d.d.d
 capability vrf-lite
 ! on the CE router; otherwise the Summary LSAs in the database carry the Down bit and are not used

router ospfv3 12
 router-id x.x.x.x
 address-family ipv6 uni vrf A
  capability vrf-lite
  ! on the CE router; otherwise the Summary LSAs in the database carry the Down bit and are not used

interface g0/4.vvv
 encap dot VVV
 vrf forwarding V
 ip address
 ipv6 address
 ip ospf 11 area 1
 ospfv3 12 ipv6 area 1

router bgp 65101
 bgp router-id x.x.x.x
 address-family ipv4 vrf V
  network n.n.n.n mask m.m.m.m
  neighbor <ipv4-addr> remote-as AS
 address-family ipv6 vrf V
  network aaaa::/64
  neighbor <ipv6-addr> remote-as AS
 ! neighbor activate appears in the configuration by itself (in both AFs)

For TEST POINT 4
L3 MPLS/VPN over WANCore

Route Reflector:
router bgp AS
 neighbor x.x.x.x remote-as AS
 neighbor x.x.x.x update-source Loopback1
 address-family vpnv4 unicast
  no auto-summary
  neighbor x.x.x.x activate
  neighbor x.x.x.x send-community extended
  neighbor x.x.x.x route-reflector-client
 address-family vpnv6 unicast
  neighbor x.x.x.x activate
  neighbor x.x.x.x send-community extended
  neighbor x.x.x.x route-reflector-client
 ! send-community extended must also be configured on the PEwanX side of the session to the RR

router ospf 11 vrf V
 redistribute bgp AS subnets
router ospfv3 12
 address-family ipv6 unicast vrf V
  redistribute bgp AS

router bgp AS
 address-family ipv4 vrf V
  (redistribute connected)
  redistribute ospf 11
 address-family ipv6 vrf V
  (redistribute connected)
  redistribute ospf 12
 address-family ipv4 unicast vrf W
  neighbor n.n.n.n remote-as ASx
 address-family ipv6 unicast vrf W
  neighbor nnnn:nnnn::n remote-as ASx

For TEST POINT 5
BGP-free core / 6PE in SPCore

router bgp AS
 neighbor x.x.x.x remote-as AS
 neighbor x.x.x.x update-source Loopback1
 address-family ipv4
  neighbor x.x.x.x activate
  neighbor x.x.x.x send-label
  neighbor x.x.x.x next-hop-self
  network n.n.n.n mask m.m.m.m
 address-family ipv6
  neighbor x.x.x.x activate
  neighbor x.x.x.x send-label
  neighbor x.x.x.x next-hop-self
  network nn/mm

ip route vrf V x.x.x.x m.m.m.m <nexthop_addr_in_global> global
ipv6 route vrf V xxxx/mm <nexthop_addr_in_global> nexthop-vrf default
ip route x.x.x.x m.m.m.m <interface-in-vrf-v>
ipv6 route vrf default xxxx/mm <interface-in-vrf-v> nexthop-vrf V

For TEST POINT 6
AToM PW terminated in VRF A

interface g0/1.v
 encap dot v
 xconnect r.r.r.r encapsulation mpls

For TEST POINT 7
AToM PW terminated in VRF T, i/e with VRF A

router bgp AS
 address-family ipv4/ipv6 vrf V
  redistribute static/connected

! The router in VRF A sees the route from I/E out of VRF T with AD 20 (external BGP),
! so the OSPF AD has to be set below 20 so that this route serves only as a backup
router ospf 11 vrf A
 distance 19
router ospfv3 12
 address-family ipv6 unicast vrf A
  distance 19

For TEST POINT 8
IPSec + GRE tunnels in VRF B

! clock set 14:15:00 7 feb 2017

The IKE configuration is standard. Binding the IPSec configuration to a profile:

crypto ipsec profile PROF12
 set transform-set TS12

interface Tun<GRE-N>
 tunnel mode gre ip
 tunnel source
 tunnel destination

interface Tunnel<IPSecoverGRE-N>
 tunnel mode gre ip
 tunnel protection ipsec profile PROF12

For TEST POINT 9
6to4 in VRF B

interface tunnelx
 tunnel source lo 1
 tunnel mode ipv6ip 6to4
 vrf forwarding V
 ipv6 address 2002:<Lo1IP>:cccc::1/64
ipv6 route vrf B 2002::/16 tunnel 200
ipv6 route vrf B aaaa/nn 2002:<Lo1IP-otherSide>:cccc::1

For TEST POINT 10
ISATAP in VRF B

interface tunnelx
 tunnel source lo 1
 tunnel mode ipv6ip isatap
 ipv6 address 2001:EEEE::5EFE:<Lo1IP-local>/64

ipv6 route vrf B aaaa/nn 2001:EEEE::5EFE:<Lo1IP-otherSide>

For TEST POINT 11
The configuration of IPSec and of the IPSec profile on the tunnel interfaces is standard (see also the assignment for Test point 8).

Hub:
interface TunnelX
 tunnel source lo 1
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROF-DMVPN
 no ip redirects
 ip nhrp network-id 1
 ip nhrp holdtime 120
 ip nhrp map multicast dynamic
 ! ip nhrp redirect
 ! ip nhrp shortcut
 no ip split-horizon

Spoke:
interface TunnelX
 tunnel source lo 1
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROF-DMVPN
 no ip redirects
 ip nhrp network-id 1
 ip nhrp holdtime 120
 ip nhrp nhs 112.1.0.100
 ip nhrp map 112.1.0.100 100.0.2.4
 ip nhrp map multicast 100.0.2.4
 ! ip nhrp shortcut

router rip
 version 2
 address-family ipv4 vrf V
  no auto-summary
  network x.x.x.x
  redistribute static
! DMVPN Phase 3 - hub: ip summary-address rip.

DMVPN for the IPv6 protocol
It also works with an IPSec configuration identical to the one used for the IPv4 DMVPN tunnels. Implement it over IPv4 transport encapsulation (tunnel mode gre multipoint).

Hub:
interface TunnelX
 ! Per Cisco's recommendation, also define a link-local address
 ipv6 nhrp network-id
 ipv6 nhrp holdtime
 ipv6 nhrp map multicast dynamic
 ! ipv6 nhrp redirect
 ! ipv6 nhrp shortcut
ipv6 router rip R
 redistribute connected
 no split-horizon
int tunnel X
 ipv6 rip R enable

Spoke:
interface TunnelX
 ipv6 nhrp network-id
 ipv6 nhrp holdtime 120
 no ipv6 redirects
 ipv6 nhrp nhs <overlay-ipv6-hub-addr> nbma <underlay-ipv4-hub-addr> multicast
 ! ipv6 nhrp shortcut
ipv6 rip vrf-mode enable
ipv6 router rip R
 address-family ipv6 vrf B
  redistribute static
int tunnel X
 ipv6 rip R enable
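
Added example (not part of the original handout): the 6to4 and ISATAP templates in TEST POINT 9 and 10 embed the Loopback1 IPv4 address in hexadecimal, and a wrong digit silently points the tunnel at a different endpoint. This Python helper builds both address forms and decodes a static route's next hop back to IPv4 for checking; the function names and the sample addresses are assumptions made for this illustration.

```python
import ipaddress

def sixtofour_address(lo1_ipv4, subnet=0xCCCC, host=1):
    """Build 2002:<Lo1IP>:<subnet>::<host>/64 (TEST POINT 9 layout)."""
    v4 = int(ipaddress.IPv4Address(lo1_ipv4))
    value = (0x2002 << 112) | (v4 << 80) | (subnet << 64) | host
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(value)}/64")

def isatap_address(prefix, lo1_ipv4):
    """Build <prefix>::5EFE:<Lo1IP>/64 (TEST POINT 10 layout)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifier needs a /64 prefix")
    v4 = int(ipaddress.IPv4Address(lo1_ipv4))
    value = int(net.network_address) | (0x5EFE << 32) | v4
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(value)}/64")

def embedded_ipv4(ipv6_addr):
    """Return the IPv4 tunnel endpoint encoded in a 6to4/ISATAP address."""
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr.sixtofour is not None:                 # inside 2002::/16
        return addr.sixtofour
    if (int(addr) >> 32) & 0xFFFFFFFF == 0x00005EFE:   # ::0000:5EFE:a.b.c.d
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None

def next_hop_matches_peer(route_line, peer_lo1_ipv4):
    """Check that a static route's next hop decodes to the intended peer."""
    next_hop = route_line.split()[-1]
    return embedded_ipv4(next_hop) == ipaddress.IPv4Address(peer_lo1_ipv4)

# Constructed sample values (documentation ranges), not taken from the page.
LOCAL_LO1, PEER_LO1 = "192.0.2.1", "198.51.100.7"
ROUTE = f"ipv6 route vrf B 2001:db8:a::/64 {sixtofour_address(PEER_LO1).ip}"

if __name__ == "__main__":
    print("ipv6 address", sixtofour_address(LOCAL_LO1))
    print("ipv6 address", isatap_address("2001:eeee::/64", LOCAL_LO1))
    print(ROUTE, "-> peer OK:", next_hop_matches_peer(ROUTE, PEER_LO1))
```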
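
Added example (not part of the original handout): TEST POINT 8 and 11 rely on `tunnel protection ipsec profile` being present on the GRE and mGRE tunnel interfaces, so a saved configuration can be checked for tunnels that would carry traffic unencrypted. This Python sketch parses interface blocks and reports GRE tunnels without that line; the sample configuration, interface numbers and function names are constructed for this illustration.

```python
import re

# Constructed sample in "show running-config" layout; names and addresses
# are invented for this example.
SAMPLE_CONFIG = """\
interface Tunnel12
 tunnel source Loopback1
 tunnel destination 192.0.2.2
!
interface Tunnel112
 tunnel source Loopback1
 tunnel destination 192.0.2.2
 tunnel mode gre ip
 tunnel protection ipsec profile PROF12
!
interface Tunnel200
 vrf forwarding B
 tunnel source Loopback1
 tunnel mode gre multipoint
 ip nhrp network-id 1
!
interface Tunnel9
 tunnel source Loopback1
 tunnel mode ipv6ip 6to4
"""

def interface_blocks(config):
    """Map each interface name to the list of its sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = blocks.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None          # "!" or a new top-level command
    return blocks

def unprotected_gre_tunnels(config):
    """Return (interface, mode) for GRE tunnels lacking 'tunnel protection'."""
    findings = []
    for name, cmds in interface_blocks(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        # IOS omits the default mode (gre ip) from the running config.
        mode = next((c[len("tunnel mode "):] for c in cmds
                     if c.startswith("tunnel mode ")), "gre ip")
        protected = any(c.startswith("tunnel protection ipsec profile ")
                        for c in cmds)
        if mode.startswith("gre") and not protected:
            findings.append((name, mode))
    return findings
```

A reported interface is not necessarily a fault: the plain `Tun<GRE-N>` tunnel in TEST POINT 8 would be listed too, so each finding needs a decision on whether that tunnel is meant to run without IPSec.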