A brief overview of PfRv3, based on the CVD:
Router roles:
MC – Master Controller: makes decisions based on the information received from the BRs and steers traffic according to the defined policies.
BR – Border Router: traffic flows through it; it collects information and forwards it to the MC so that the MC can make decisions.
Four different roles are possible:
1.) Hub Master Controller: located at the WAN aggregation site (HQ). All PfRv3 policy configuration is done on this device, which distributes it to the other MCs. There can be only one hub MC in an iWAN domain. For larger networks Cisco recommends a dedicated router for the MC role because of the CPU load. In smaller networks it can also be configured on a BR.
2.) Hub Border Router: a BR at the hub MC site. The branch WAN connections terminate here. A router can have several WAN interfaces. There can be one or more hub BRs at a site. The following configuration is required:
– The IP address of the local MC
– The external interfaces must be given a name, which is what shows up in PfR (e.g. MPLS, INET)
3.) Branch Master Controller: the MC of a branch site. It has no separate policy configuration; it receives the policy from the hub MC. It acts as the MC for its site and makes path optimization decisions.
4.) Branch Border Router: a BR at a branch site. The BR function has to be enabled and the address of the local MC given, not that of the HQ MC. The WAN interface(s) are detected automatically.
Cisco recommends using the Loopback address for the peering between the MC and the BR, so that physical interface failures do not affect the MC-BR TCP connections.
Enterprise prefixes must be configured; these are the prefixes PfR makes intelligent decisions for. If a prefix is not in the list, PfR makes no decisions for it but applies load balancing.
There are policies predefined by Cisco that we can use. I will use these as well; in my setup they are:
Class 10 – ICMP – policy voice (DSCP EF)
Class 20 – AF41 – low latency data
The topology is still the same; this is what we are working with:
R1's configuration is below. Packets marked with the EF DSCP value always go via MPLS, and the AF41 ones always go towards the public internet (because that is what I decided :)).
For the enterprise prefix list I specified the whole /16.
ip prefix-list PFR_PREFIX_SITE permit 192.168.0.0/16
domain PFR
vrf default
master hub
source-interface Lo0
site-prefixes prefix-list PFR_PREFIX_SITE
password fkuris
enterprise-prefix prefix-list PFR_PREFIX_SITE
load-balance
class ICMP seq 10
match dscp ef policy voice
path-preference MPLS fallback INET
class BULK seq 20
match dscp af41 policy low-latency-data
path-preference INET fallback MPLS
Checking the policies on the hub MC:
R1-HUB-MC#sh domain PFR master policy
No Policy publish pending
--------------------------------------------------------------------------------
class ICMP sequence 10
  path-preference MPLS fallback INET
  class type: Dscp Based
    match dscp ef policy voice
      priority 2 packet-loss-rate threshold 1.0 percent
      priority 1 one-way-delay threshold 150 msec
      priority 3 jitter threshold 30000 usec
      priority 2 byte-loss-rate threshold 1.0 percent
class BULK sequence 20
  path-preference MPLS fallback INET
  class type: Dscp Based
    match dscp af41 policy low-latency-data
      priority 2 packet-loss-rate threshold 5.0 percent
      priority 1 one-way-delay threshold 100 msec
      priority 2 byte-loss-rate threshold 5.0 percent
class default
    match dscp all
--------------------------------------------------------------------------------
R2 – Hub BR configuration
domain PFR
vrf default
border
source-int lo0
master 1.1.1.1
pass fkuris
int Tunnel1
domain PFR path MPLS
R3 – HUB BR
domain PFR
vrf default
border
source-int lo0
master 1.1.1.1
pass fkuris
int Tunnel2
domain PFR path INET
R2#sh domain PFR border status
Mon Nov 09 15:30:05.030
--------------------------------------------------------------------
**** Border Status ****
Instance Status: UP
Present status last updated: 00:00:07 ago
Loopback: Configured Loopback0 UP (2.2.2.2)
Master: 1.1.1.1
Master version: 0
Connection Status with Master: UP
Route-Control: Enabled
Asymmetric Routing: Disabled
Minimum Mask length: 28
Sampling: off
Minimum Requirement: Not Met
  Peering Db Absent
  PMI update: Not received
  Globals Update: Not received
  (Will attempt shut/no-shut if min requirement not meet in 293 secs)
External Wan interfaces:
Auto Tunnel information:
  Name:Tunnel0 if_index: 16
  Borders reachable via this tunnel:
--------------------------------------------------------------------
R2#
R1-HUB-MC#sh domain PFR master status
*** Domain MC Status ***
Master VRF: Global
Instance Type: Hub
Instance id: 0
Operational status: Up
Configured status: Up
Loopback IP Address: 1.1.1.1
Load Balancing:
  Admin Status: Enabled
  Operational Status: Up
  Enterprise top level prefixes configured: 1
  Max Calculated Utilization Variance: 0%
  Last load balance attempt: never
  Last Reason: Variance less than 20%
  Total unbalanced bandwidth:
    External links: 0 Kbps Internet links: 0 Kbps
Route Control: Enabled
Mitigation mode Aggressive: Disabled
Policy threshold variance: 20
Minimum Mask Length: 28
Borders:
  IP address: 3.3.3.3
  Version: 2
  Connection status: CONNECTED (Last Updated 00:01:52 ago )
  Interfaces configured:
    Name: Tunnel2 | type: external | Service Provider: INET | Status: UP | Zero-SLA: NO
      Number of default Channels: 0
  Tunnel if: Tunnel0
  IP address: 2.2.2.2
  Version: 2
  Connection status: CONNECTED (Last Updated 00:00:14 ago )
  Interfaces configured:
    Name: Tunnel1 | type: external | Service Provider: MPLS | Status: UP | Zero-SLA: NO
      Number of default Channels: 0
  Tunnel if: Tunnel0
--------------------------------------------------------------------------------
R1-HUB-MC#
Branch – R13
conf t
domain PFR
vrf default
master branch
source-int lo0
password fkuris
hub 1.1.1.1
border
source-int lo0
master local
password fkuris
R13#sh domain PFR master policy
--------------------------------------------------------------------------------
class ICMP sequence 10
  path-preference MPLS fallback INET
  class type: Dscp Based
    match dscp ef policy voice
      priority 2 packet-loss-rate threshold 1.0 percent
      priority 1 one-way-delay threshold 150 msec
      priority 3 jitter threshold 30000 usec
      priority 2 byte-loss-rate threshold 1.0 percent
class BULK sequence 20
  path-preference INET fallback MPLS
  class type: Dscp Based
    match dscp af41 policy low-latency-data
      priority 2 packet-loss-rate threshold 5.0 percent
      priority 1 one-way-delay threshold 100 msec
      priority 2 byte-loss-rate threshold 5.0 percent
class default
    match dscp all
--------------------------------------------------------------------------------
R13#
R13#sh domain PFR border status
Tue Nov 10 09:45:50.023
--------------------------------------------------------------------
**** Border Status ****
Instance Status: UP
Present status last updated: 00:27:05 ago
Loopback: Configured Loopback0 UP (13.13.13.13)
Master: 13.13.13.13
Master version: 2
Connection Status with Master: UP
MC connection info: CONNECTION SUCCESSFUL
Connected for: 00:27:05
Route-Control: Enabled
Asymmetric Routing: Disabled
Minimum Mask length: 28
Sampling: off
Minimum Requirement: Met
External Wan interfaces:
  Name: Tunnel2 Interface Index: 16 SNMP Index: 13 SP: INET Status: UP Zero-SLA: NO Path-id List: 0:0
  Name: Tunnel1 Interface Index: 15 SNMP Index: 12 SP: MPLS Status: UP Zero-SLA: NO Path-id List: 0:0
Auto Tunnel information:
  Name:Tunnel0 if_index: 19
  Borders reachable via this tunnel:
--------------------------------------------------------------------
R13#
R13#show domain PFR master status
*** Domain MC Status ***
Master VRF: Global
Instance Type: Branch
Instance id: 0
Operational status: Up
Configured status: Up
Loopback IP Address: 13.13.13.13
Load Balancing:
  Operational Status: Up
  Max Calculated Utilization Variance: 0%
  Last load balance attempt: never
  Last Reason: Variance less than 20%
  Total unbalanced bandwidth:
    External links: 0 Kbps Internet links: 0 Kbps
Route Control: Enabled
Mitigation mode Aggressive: Disabled
Policy threshold variance: 20
Minimum Mask Length: 28
Minimum Requirement: Met
Borders:
  IP address: 13.13.13.13
  Version: 2
  Connection status: CONNECTED (Last Updated 00:27:20 ago )
  Interfaces configured:
    Name: Tunnel2 | type: external | Service Provider: INET | Status: UP | Zero-SLA: NO
      Number of default Channels: 0
      Path-id list: 0:0
    Name: Tunnel1 | type: external | Service Provider: MPLS | Status: UP | Zero-SLA: NO
      Number of default Channels: 0
      Path-id list: 0:0
  Tunnel if: Tunnel0
--------------------------------------------------------------------------------
R13#
R14
domain PFR
vrf default
master branch
source-int lo0
password fkuris
hub 1.1.1.1
border
source-int lo0
master local
password fkuris
R15 – the MC is R14, not R1!
domain PFR
vrf default
border
source-int lo0
master 14.14.14.14
password fkuris
I create aliases so that I don't have to type the long commands every time 🙂
R1-HUB-MC#sh run | i alias
alias exec pfr show domain PFR
alias exec pfrsum show domain PFR m traffic-classes summ
alias exec pfref show domain PFR m traffic-classes dscp ef
alias exec pfraf show domain PFR m traffic-classes dscp af41
alias exec pfrdef show domain PFR m traffic-classes dscp def
R1-HUB-MC#
For the test I use the commands below: chargen, plain pings, and pings that change the ToS field.
ToS 184 = DSCP EF, ToS 136 = DSCP AF41
SW3#telnet 192.168.2.1 chargen
R13#ping 192.168.3.1 repea 2147483647
R15#ping 192.168.1.1 repea 2147483647
R14#ping 192.168.3.1 tos 184 repe 2147483647
SW16#ping 192.168.10.10 tos 136 repe 2147483647
Let's look at what traffic we see on the hub MC, still before starting the tests. Note that:
- Of the default traffic, one class goes towards Tu1 (MPLS) and the other towards Tu2 (INET) (load balancing)
- AF41 goes over INET (Tu2), as I requested
Below we can see the traffic class details, how much bandwidth each one uses, etc.
R1-HUB-MC#show domain PFR m traffic-classes summ
APP - APPLICATION, TC-ID - TRAFFIC-CLASS-ID, APP-ID - APPLICATION-ID
SP - SERVICE PROVIDER, PC = PRIMARY CHANNEL ID,
BC - BACKUP CHANNEL ID, BR - BORDER, EXIT - WAN INTERFACE
UC - UNCONTROLLED, PE - PICK-EXIT, CN - CONTROLLED, UK - UNKNOWN
Dst-Site-Pfx      Dst-Site-Id  APP  DSCP     TC-ID  APP-ID  State  SP    PC/BC  BR/EXIT
192.168.10.0/24   14.14.14.14  N/A  default  24     N/A     CN     MPLS  9/NA   2.2.2.2/Tunnel1
192.168.10.0/24   14.14.14.14  N/A  ef       30     N/A     CN     MPLS  31/32  2.2.2.2/Tunnel1
192.168.10.0/24   14.14.14.14  N/A  af41     31     N/A     CN     INET  34/33  3.3.3.3/Tunnel2
192.168.201.0/24  14.14.14.14  N/A  default  29     N/A     CN     INET  10/9   3.3.3.3/Tunnel2
Total Traffic Classes: 4 Site: 4 Internet: 0
R1-HUB-MC#
R1-HUB-MC#pfrdef
Dst-Site-Prefix: 192.168.10.0/24 DSCP: default [0] Traffic class id:24
  Clock Time: 11:51:50 (UTC) 11/10/2015
  TC Learned: 00:41:18 ago
  Present State: CONTROLLED
  Current Performance Status: not monitored (default class)
  Current Service Provider: MPLS since 00:37:06
  Previous Service Provider: INET pfr-label: 0:0 | 0:0 [0x0] for 221 sec
  BW Used: 55 Kbps
  Present WAN interface: Tunnel1 in Border 2.2.2.2
  Present Channel (primary): 9 MPLS pfr-label:0:0 | 0:0 [0x0]
  Backup Channel: none
  Destination Site ID bitmap: 0
  Destination Site ID: 14.14.14.14
  Class-Sequence in use: default
  Class Name: default
  BW Updated: 00:00:18 ago
  Reason for Latest Route Change: Unreachable
  Route Change History:
    Date and Time Previous Exit Current Exit Reason
    1: 11:14:44 (UTC) 11/10/2015 INET/3.3.3.3/Tu2 (Ch:10) MPLS/2.2.2.2/Tu1 (Ch:9) Unreachable
    2: 11:11:02 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) INET/3.3.3.3/Tu2 (Ch:10) Out-of-policy (No policy for TC)
--------------------------------------------------------------------------------
Dst-Site-Prefix: 192.168.201.0/24 DSCP: default [0] Traffic class id:29
  Clock Time: 11:51:50 (UTC) 11/10/2015
  TC Learned: 00:15:48 ago
  Present State: CONTROLLED
  Current Performance Status: not monitored (default class)
  Current Service Provider: INET since 00:15:18
  Previous Service Provider: Unknown
  BW Used: 80 Kbps
  Present WAN interface: Tunnel2 in Border 3.3.3.3
  Present Channel (primary): 10 INET pfr-label:0:0 | 0:0 [0x0]
  Backup Channel: 9 MPLS pfr-label:0:0 | 0:0 [0x0]
  Destination Site ID bitmap: 0
  Destination Site ID: 14.14.14.14
  Class-Sequence in use: default
  Class Name: default
  BW Updated: 00:00:19 ago
  Reason for Latest Route Change: Uncontrolled to Controlled Transition
  Route Change History:
    Date and Time Previous Exit Current Exit Reason
    1: 11:36:31 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) INET/3.3.3.3/Tu2 (Ch:10) Uncontrolled to Controlled Transition
--------------------------------------------------------------------------------
Total Traffic Classes: 2 Site: 2 Internet: 0
R1-HUB-MC#
R1-HUB-MC#pfraf
Dst-Site-Prefix: 192.168.10.0/24 DSCP: af41 [34] Traffic class id:31
  Clock Time: 11:52:05 (UTC) 11/10/2015
  TC Learned: 00:03:04 ago
  Present State: CONTROLLED
  Current Performance Status: in-policy
  Current Service Provider: INET since 00:02:33
  Previous Service Provider: Unknown
  BW Used: 61 Kbps
  Present WAN interface: Tunnel2 in Border 3.3.3.3
  Present Channel (primary): 34 INET pfr-label:0:0 | 0:0 [0x0]
  Backup Channel: 33 MPLS pfr-label:0:0 | 0:0 [0x0]
  Destination Site ID bitmap: 0
  Destination Site ID: 14.14.14.14
  Class-Sequence in use: 20
  Class Name: BULK using policy low-latency-data
  BW Updated: 00:00:04 ago
  Reason for Latest Route Change: Uncontrolled to Controlled Transition
  Route Change History:
    Date and Time Previous Exit Current Exit Reason
    1: 11:49:32 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) INET/3.3.3.3/Tu2 (Ch:34) Uncontrolled to Controlled Transition
--------------------------------------------------------------------------------
Total Traffic Classes: 1 Site: 1 Internet: 0
R1-HUB-MC#
R1-HUB-MC#pfref
Dst-Site-Prefix: 192.168.10.0/24 DSCP: ef [46] Traffic class id:30
  Clock Time: 11:52:17 (UTC) 11/10/2015
  TC Learned: 00:04:45 ago
  Present State: CONTROLLED
  Current Performance Status: in-policy
  Current Service Provider: MPLS since 00:04:14
  Previous Service Provider: Unknown
  BW Used: 81 Kbps
  Present WAN interface: Tunnel1 in Border 2.2.2.2
  Present Channel (primary): 31 MPLS pfr-label:0:0 | 0:0 [0x0]
  Backup Channel: 32 INET pfr-label:0:0 | 0:0 [0x0]
  Destination Site ID bitmap: 0
  Destination Site ID: 14.14.14.14
  Class-Sequence in use: 10
  Class Name: ICMP using policy voice
  BW Updated: 00:00:15 ago
  Reason for Latest Route Change: Uncontrolled to Controlled Transition
  Route Change History:
    Date and Time Previous Exit Current Exit Reason
    1: 11:48:03 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) MPLS/2.2.2.2/Tu1 (Ch:31) Uncontrolled to Controlled Transition
--------------------------------------------------------------------------------
Total Traffic Classes: 1 Site: 1 Internet: 0
R1-HUB-MC#
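The comparison made by eye above (EF on MPLS, AF41 on INET, and whether a backup channel exists) can be scripted against the traffic-class summary. The Python below is an added example, not part of the original post or of any Cisco tooling; the function names and the one failover row are assumptions constructed for illustration, while the other rows are copied from the summary output on this page.

```python
import re

# Intended primary path per DSCP, from the hub MC policy on this page
# (class ICMP: ef -> MPLS, class BULK: af41 -> INET).
PATH_PREFERENCE = {"ef": "MPLS", "af41": "INET"}

# Rows copied from the "traffic-classes summ" output on this page.
PAGE_ROWS = """\
192.168.10.0/24 14.14.14.14 N/A default 24 N/A CN MPLS 9/NA 2.2.2.2/Tunnel1
192.168.10.0/24 14.14.14.14 N/A ef 30 N/A CN MPLS 31/32 2.2.2.2/Tunnel1
192.168.10.0/24 14.14.14.14 N/A af41 31 N/A CN INET 34/33 3.3.3.3/Tunnel2
192.168.201.0/24 14.14.14.14 N/A default 29 N/A CN INET 10/9 3.3.3.3/Tunnel2
"""

# Constructed row (not from the page): af41 on its fallback path, as the
# summary would show it while Tunnel2 is down.
FAILOVER_ROW = (
    "192.168.10.0/24 14.14.14.14 N/A af41 31 N/A CN MPLS 33/NA 2.2.2.2/Tunnel1\n"
)

ROW = re.compile(
    r"^(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<site>\S+)\s+(?P<app>\S+)\s+"
    r"(?P<dscp>\S+)\s+(?P<tc_id>\d+)\s+(?P<app_id>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<sp>\S+)\s+(?P<pc>\S+)/(?P<bc>\S+)\s+(?P<br>[\d.]+)/(?P<exit>\S+)$"
)


def parse_summary(text):
    """Return one dict per traffic-class row; legend and totals are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ROW.match(line.strip()))]


def audit(text, preference=PATH_PREFERENCE):
    """List classes that are uncontrolled, off their preferred path, or lack a backup."""
    findings = []
    for tc in parse_summary(text):
        tag = f"{tc['prefix']} dscp {tc['dscp']}"
        want = preference.get(tc["dscp"])
        if tc["state"] != "CN":
            findings.append(f"{tag}: state {tc['state']}, not controlled")
        if want and tc["sp"] != want:
            findings.append(f"{tag}: on {tc['sp']}, preferred {want}")
        if tc["bc"] == "NA":
            findings.append(f"{tag}: no backup channel")
    return findings


if __name__ == "__main__":
    for finding in audit(PAGE_ROWS + FAILOVER_ROW):
        print(finding)
```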
Redundancy test: I shut down the Tunnel2 interface on R15 and we test whether we fail over to the backup (MPLS) path.
Below is the PfR output, which shows that we are now using the MPLS link:
R1-HUB-MC#pfraf
Dst-Site-Prefix: 192.168.10.0/24 DSCP: af41 [34] Traffic class id:31
  Clock Time: 11:57:15 (UTC) 11/10/2015
  TC Learned: 00:08:14 ago
  Present State: CONTROLLED
  Current Performance Status: in-policy
  Current Service Provider: MPLS since 00:00:48 (hold until 41 sec)
  Previous Service Provider: Unknown
  (A fallback provider. Primary provider will be re-evaluated 00:02:14 later)
  BW Used: 135 Kbps
  Present WAN interface: Tunnel1 in Border 2.2.2.2
  Present Channel (primary): 33 MPLS pfr-label:0:0 | 0:0 [0x0]
  Backup Channel: none
  Destination Site ID bitmap: 0
  Destination Site ID: 14.14.14.14
  Class-Sequence in use: 20
  Class Name: BULK using policy low-latency-data
  BW Updated: 00:00:14 ago
  Reason for Latest Route Change: Uncontrolled to Controlled Transition
  Route Change History:
    Date and Time Previous Exit Current Exit Reason
    1: 11:56:27 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) MPLS/2.2.2.2/Tu1 (Ch:33) Uncontrolled to Controlled Transition
    2: 11:55:56 (UTC) 11/10/2015 INET/3.3.3.3/Tu2 (Ch:34) None/0.0.0.0/None (Ch:0) No Channels Available
    3: 11:49:32 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) INET/3.3.3.3/Tu2 (Ch:34) Unreachable
--------------------------------------------------------------------------------
Total Traffic Classes: 1 Site: 1 Internet: 0
R1-HUB-MC#
We bring the tunnel back up, and after a short while the traffic goes over the INET link again.
R1-HUB-MC#pfraf
Dst-Site-Prefix: 192.168.10.0/24 DSCP: af41 [34] Traffic class id:31
  Clock Time: 11:59:37 (UTC) 11/10/2015
  TC Learned: 00:10:36 ago
  Present State: CONTROLLED
  Current Performance Status: in-policy
  Current Service Provider: INET since 00:00:09 (hold until 80 sec)
  Previous Service Provider: MPLS pfr-label: 0:0 | 0:0 [0x0] for 181 sec
  BW Used: 97 Kbps
  Present WAN interface: Tunnel2 in Border 3.3.3.3
  Present Channel (primary): 34 INET pfr-label:0:0 | 0:0 [0x0]
  Backup Channel: 33 MPLS pfr-label:0:0 | 0:0 [0x0]
  Destination Site ID bitmap: 0
  Destination Site ID: 14.14.14.14
  Class-Sequence in use: 20
  Class Name: BULK using policy low-latency-data
  BW Updated: 00:00:06 ago
  Reason for Latest Route Change: Backup to Primary path preference transition
  Route Change History:
    Date and Time Previous Exit Current Exit Reason
    1: 11:59:28 (UTC) 11/10/2015 MPLS/2.2.2.2/Tu1 (Ch:33) INET/3.3.3.3/Tu2 (Ch:34) Backup to Primary path preference transition
    2: 11:56:27 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) MPLS/2.2.2.2/Tu1 (Ch:33) Uncontrolled to Controlled Transition
    3: 11:55:56 (UTC) 11/10/2015 INET/3.3.3.3/Tu2 (Ch:34) None/0.0.0.0/None (Ch:0) No Channels Available
    4: 11:49:32 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) INET/3.3.3.3/Tu2 (Ch:34) Unreachable
--------------------------------------------------------------------------------
Total Traffic Classes: 1 Site: 1 Internet: 0
R1-HUB-MC#
I have not become an iWAN expert, because of course doing something like this in a lab is completely different from doing it in production, but I have now seen it in operation and I like the technology.