iWAN – PfRv3

A brief overview of PfRv3, based on the CVD:

Router roles:
MC – Master Controller: makes decisions based on the information received from the BRs, and steers traffic according to the defined policies.
BR – Border Router: the traffic flows through it, and it collects the information that it forwards to the MC so the MC can make decisions.

Four different roles are possible:
1.) Hub Master Controller: located at the WAN aggregation site (HQ). All PfRv3 policy configuration is done on this device, which pushes it down to the other MCs. There can be only one hub MC in an iWAN domain. For larger networks, Cisco recommends a dedicated router for the MC role because of CPU load. For smaller networks it can also be configured on a BR.
2.) Hub Border Router: BR at the hub MC site. The branch WAN connections terminate here. A router can have several WAN interfaces. There can be one or more hub BRs at a site. The following configuration is required:
– The IP of the local MC
– The external interfaces must be given a name, which will appear in PfR (e.g. MPLS, INET)
3.) Branch Master Controller: the branch site MC. It has no separate policy configuration; it receives it from the hub MC. It acts as the MC for the given site and makes path optimization decisions.
4.) Branch Border Router: BR at a branch site. The BR function must be enabled and the local MC's address given, not the HQ MC's. The WAN interface(s) are discovered automatically.

Cisco recommends using the Loopback address for the peering between the MC and BR, so that physical interface failures do not affect the MC-BR TCP connections.

Enterprise prefixes must be configured; these are the prefixes PfR will make intelligent decisions for. If a prefix is not in the list, PfR makes no decisions for it, but it does apply load balancing.

There are policies predefined by Cisco that we can use. I will use these too; in my case they are:

Class 10 – ICMP – policy voice (DSCP EF)
Class 20 – AF41 – policy low-latency-data

The topology is still the same, this is the one:

(Topology diagram: iwan-final)

R1's configuration is below. Packets coloured with the EF DSCP value always go toward MPLS, the AF41 ones always toward the public internet (simply because that's how I decided :)).

I gave the whole /16 as the enterprise prefix list.

ip prefix-list PFR_PREFIX_SITE permit 192.168.0.0/16
domain PFR
 vrf default
 master hub
 source-interface Lo0
 site-prefixes prefix-list PFR_PREFIX_SITE
 password fkuris
 enterprise-prefix prefix-list PFR_PREFIX_SITE
 load-balance
 class ICMP seq 10
 match dscp ef policy voice
 path-preference MPLS fallback INET
 class BULK seq 20
 match dscp af41 policy low-latency-data
 path-preference INET fallback MPLS

Checking the policies on the hub MC:

R1-HUB-MC#sh domain PFR master policy
 No Policy publish pending
--------------------------------------------------------------------------------
class ICMP sequence 10
 path-preference MPLS fallback INET
 class type: Dscp Based
 match dscp ef policy voice
 priority 2 packet-loss-rate threshold 1.0 percent
 priority 1 one-way-delay threshold 150 msec
 priority 3 jitter threshold 30000 usec
 priority 2 byte-loss-rate threshold 1.0 percent
class BULK sequence 20
 path-preference MPLS fallback INET
 class type: Dscp Based
 match dscp af41 policy low-latency-data
 priority 2 packet-loss-rate threshold 5.0 percent
 priority 1 one-way-delay threshold 100 msec
 priority 2 byte-loss-rate threshold 5.0 percent
class default
 match dscp all
--------------------------------------------------------------------------------

R2 – Hub BR configuration

domain PFR
 vrf default
 border
 source-int lo0
 master 1.1.1.1
 pass fkuris
 int Tunnel1
 domain PFR path MPLS

R3 – Hub BR

domain PFR
 vrf default
 border
 source-int lo0
 master 1.1.1.1
 pass fkuris
 int Tunnel2
 domain PFR path INET

R2#sh domain PFR border status
Mon Nov 09 15:30:05.030
--------------------------------------------------------------------
 **** Border Status ****
Instance Status: UP
Present status last updated: 00:00:07 ago
Loopback: Configured Loopback0 UP (2.2.2.2)
Master: 1.1.1.1
Master version: 0
Connection Status with Master: UP
Route-Control: Enabled
Asymmetric Routing: Disabled
Minimum Mask length: 28
Sampling: off
Minimum Requirement: Not Met
 Peering Db Absent
 PMI update: Not received
 Globals Update: Not received
 (Will attempt shut/no-shut if min requirement not meet in 293 secs)
External Wan interfaces:
Auto Tunnel information:
Name:Tunnel0 if_index: 16
 Borders reachable via this tunnel:
--------------------------------------------------------------------
R2#

R1-HUB-MC#sh domain PFR master status
*** Domain MC Status ***
Master VRF: Global
Instance Type: Hub
 Instance id: 0
 Operational status: Up
 Configured status: Up
 Loopback IP Address: 1.1.1.1
 Load Balancing:
 Admin Status: Enabled
 Operational Status: Up
 Enterprise top level prefixes configured: 1
 Max Calculated Utilization Variance: 0%
 Last load balance attempt: never
 Last Reason: Variance less than 20%
 Total unbalanced bandwidth:
 External links: 0 Kbps Internet links: 0 Kbps
 Route Control: Enabled
 Mitigation mode Aggressive: Disabled
 Policy threshold variance: 20
 Minimum Mask Length: 28
Borders:
 IP address: 3.3.3.3
 Version: 2
 Connection status: CONNECTED (Last Updated 00:01:52 ago )
 Interfaces configured:
 Name: Tunnel2 | type: external | Service Provider: INET | Status: UP | Zero-SLA: NO
 Number of default Channels: 0
 Tunnel if: Tunnel0
IP address: 2.2.2.2
 Version: 2
 Connection status: CONNECTED (Last Updated 00:00:14 ago )
 Interfaces configured:
 Name: Tunnel1 | type: external | Service Provider: MPLS | Status: UP | Zero-SLA: NO
 Number of default Channels: 0
 Tunnel if: Tunnel0
--------------------------------------------------------------------------------
R1-HUB-MC#

Branch – R13

conf t
domain PFR
 vrf default
 master branch
 source-int lo0
 password fkuris
 hub 1.1.1.1
 border
 source-int lo0
 master local
 password fkuris

R13#sh domain PFR master policy
--------------------------------------------------------------------------------
class ICMP sequence 10
 path-preference MPLS fallback INET
 class type: Dscp Based
 match dscp ef policy voice
 priority 2 packet-loss-rate threshold 1.0 percent
 priority 1 one-way-delay threshold 150 msec
 priority 3 jitter threshold 30000 usec
 priority 2 byte-loss-rate threshold 1.0 percent
class BULK sequence 20
 path-preference INET fallback MPLS
 class type: Dscp Based
 match dscp af41 policy low-latency-data
 priority 2 packet-loss-rate threshold 5.0 percent
 priority 1 one-way-delay threshold 100 msec
 priority 2 byte-loss-rate threshold 5.0 percent
class default
 match dscp all
--------------------------------------------------------------------------------
R13#
R13#sh domain PFR border status
Tue Nov 10 09:45:50.023
--------------------------------------------------------------------
 **** Border Status ****
Instance Status: UP
Present status last updated: 00:27:05 ago
Loopback: Configured Loopback0 UP (13.13.13.13)
Master: 13.13.13.13
Master version: 2
Connection Status with Master: UP
MC connection info: CONNECTION SUCCESSFUL
Connected for: 00:27:05
Route-Control: Enabled
Asymmetric Routing: Disabled
Minimum Mask length: 28
Sampling: off
Minimum Requirement: Met
External Wan interfaces:
 Name: Tunnel2 Interface Index: 16 SNMP Index: 13 SP: INET Status: UP Zero-SLA: NO Path-id List: 0:0
 Name: Tunnel1 Interface Index: 15 SNMP Index: 12 SP: MPLS Status: UP Zero-SLA: NO Path-id List: 0:0
Auto Tunnel information:
Name:Tunnel0 if_index: 19
 Borders reachable via this tunnel:
--------------------------------------------------------------------
R13#
R13#show domain PFR master status
*** Domain MC Status ***
Master VRF: Global
Instance Type: Branch
 Instance id: 0
 Operational status: Up
 Configured status: Up
 Loopback IP Address: 13.13.13.13
 Load Balancing:
 Operational Status: Up
 Max Calculated Utilization Variance: 0%
 Last load balance attempt: never
 Last Reason: Variance less than 20%
 Total unbalanced bandwidth:
 External links: 0 Kbps Internet links: 0 Kbps
 Route Control: Enabled
 Mitigation mode Aggressive: Disabled
 Policy threshold variance: 20
 Minimum Mask Length: 28
 Minimum Requirement: Met
Borders:
 IP address: 13.13.13.13
 Version: 2
 Connection status: CONNECTED (Last Updated 00:27:20 ago )
 Interfaces configured:
 Name: Tunnel2 | type: external | Service Provider: INET | Status: UP | Zero-SLA: NO
 Number of default Channels: 0
Path-id list: 0:0
Name: Tunnel1 | type: external | Service Provider: MPLS | Status: UP | Zero-SLA: NO
 Number of default Channels: 0
Path-id list: 0:0
Tunnel if: Tunnel0
--------------------------------------------------------------------------------
R13#

R14

domain PFR
 vrf default
 master branch
 source-int lo0
 password fkuris
 hub 1.1.1.1
 border
 source-int lo0
 master local
 password fkuris

R15 – the MC is R14, not R1!

domain PFR
 vrf default
 border
 source-int lo0
 master 14.14.14.14
 password fkuris

I'll create aliases so I don't have to type the long commands every time 🙂

R1-HUB-MC#sh run | i alias
alias exec pfr show domain PFR
alias exec pfrsum show domain PFR m traffic-classes summ 
alias exec pfref show domain PFR m traffic-classes dscp ef
alias exec pfraf show domain PFR m traffic-classes dscp af41
alias exec pfrdef show domain PFR m traffic-classes dscp def
R1-HUB-MC#

For the test I use the commands below: chargen, plain pings, and pings that set the ToS field.

ToS 184 = DSCP EF, ToS 136 = DSCP AF41

SW3#telnet 192.168.2.1 chargen
R13#ping 192.168.3.1 repea 2147483647
R15#ping 192.168.1.1 repea 2147483647
R14#ping 192.168.3.1 tos 184 repe 2147483647
SW16#ping 192.168.10.10 tos 136 repe 2147483647

Let's look at what traffic we see on the hub MC, before starting the tests. Note that

  • among the default traffic classes, one goes toward Tu1 (MPLS), the other toward Tu2 (INET) (load balancing)
  • AF41 goes over INET (Tu2), as I requested

Below we can see the traffic class details: how much bandwidth each one uses, etc.

R1-HUB-MC#show domain PFR m traffic-classes summ
APP - APPLICATION, TC-ID - TRAFFIC-CLASS-ID, APP-ID - APPLICATION-ID
SP - SERVICE PROVIDER, PC = PRIMARY CHANNEL ID,
BC - BACKUP CHANNEL ID, BR - BORDER, EXIT - WAN INTERFACE
UC - UNCONTROLLED, PE - PICK-EXIT, CN - CONTROLLED, UK - UNKNOWN
Dst-Site-Pfx Dst-Site-Id APP DSCP TC-ID APP-ID State SP PC/BC BR/EXIT
192.168.10.0/24 14.14.14.14 N/A default 24 N/A CN MPLS 9/NA 2.2.2.2/Tunnel1
192.168.10.0/24 14.14.14.14 N/A ef 30 N/A CN MPLS 31/32 2.2.2.2/Tunnel1
192.168.10.0/24 14.14.14.14 N/A af41 31 N/A CN INET 34/33 3.3.3.3/Tunnel2
192.168.201.0/24 14.14.14.14 N/A default 29 N/A CN INET 10/9 3.3.3.3/Tunnel2
 Total Traffic Classes: 4 Site: 4 Internet: 0
R1-HUB-MC#
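An added check, not part of the original post: a small Python script that parses the traffic-class summary above and flags classes that are not controlled, run on their fallback provider, or have no backup channel. The sample rows are copied from the output above; the failover row is constructed to mirror the state seen during the redundancy test further down (AF41 on MPLS, backup channel none). The DSCP-to-path mapping is taken from the hub MC policy on this page.

```python
import re

# Constructed sample: the summary table from
# "show domain PFR master traffic-classes summary", copied from the page output.
SUMMARY = """\
Dst-Site-Pfx Dst-Site-Id APP DSCP TC-ID APP-ID State SP PC/BC BR/EXIT
192.168.10.0/24 14.14.14.14 N/A default 24 N/A CN MPLS 9/NA 2.2.2.2/Tunnel1
192.168.10.0/24 14.14.14.14 N/A ef 30 N/A CN MPLS 31/32 2.2.2.2/Tunnel1
192.168.10.0/24 14.14.14.14 N/A af41 31 N/A CN INET 34/33 3.3.3.3/Tunnel2
192.168.201.0/24 14.14.14.14 N/A default 29 N/A CN INET 10/9 3.3.3.3/Tunnel2
 Total Traffic Classes: 4 Site: 4 Internet: 0
"""

# Constructed row mirroring the redundancy test: AF41 forced onto MPLS, no backup channel.
FAILOVER_ROW = "192.168.10.0/24 14.14.14.14 N/A af41 31 N/A CN MPLS 33/NA 2.2.2.2/Tunnel1"

# Path preferences from the hub MC policy on this page: DSCP -> (primary, fallback).
PATH_PREFERENCE = {"ef": ("MPLS", "INET"), "af41": ("INET", "MPLS")}

COLUMNS = ["prefix", "site", "app", "dscp", "tc_id", "app_id", "state", "sp", "pc_bc", "br_exit"]


def parse_summary(text):
    """Return one dict per traffic-class row; the header and totals lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or not re.match(r"\d+\.\d+\.\d+\.\d+/\d+$", fields[0]):
            continue
        row = dict(zip(COLUMNS, fields))
        row["pc"], row["bc"] = row.pop("pc_bc").split("/")  # primary / backup channel ids
        rows.append(row)
    return rows


def audit(rows, prefs=PATH_PREFERENCE):
    """Return (tc_id, dscp, reason) for every traffic class that deserves attention."""
    findings = []
    for r in rows:
        if r["state"] != "CN":
            findings.append((r["tc_id"], r["dscp"], "not controlled: state %s" % r["state"]))
        if r["dscp"] not in prefs:
            continue  # default class: load-balanced, no path preference to check
        primary, fallback = prefs[r["dscp"]]
        if r["sp"] == fallback:
            findings.append((r["tc_id"], r["dscp"], "on fallback %s, primary %s expected" % (fallback, primary)))
        elif r["sp"] != primary:
            findings.append((r["tc_id"], r["dscp"], "on unexpected provider %s" % r["sp"]))
        if r["bc"] == "NA":
            findings.append((r["tc_id"], r["dscp"], "no backup channel"))
    return findings


if __name__ == "__main__":
    print("steady state:", audit(parse_summary(SUMMARY)))        # []
    print("failover:", audit(parse_summary(FAILOVER_ROW)))       # two findings for TC 31
```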
R1-HUB-MC#pfrdef
Dst-Site-Prefix: 192.168.10.0/24 DSCP: default [0] Traffic class id:24
 Clock Time: 11:51:50 (UTC) 11/10/2015
 TC Learned: 00:41:18 ago
 Present State: CONTROLLED
 Current Performance Status: not monitored (default class)
 Current Service Provider: MPLS since 00:37:06
 Previous Service Provider: INET pfr-label: 0:0 | 0:0 [0x0] for 221 sec
 BW Used: 55 Kbps
 Present WAN interface: Tunnel1 in Border 2.2.2.2
 Present Channel (primary): 9 MPLS pfr-label:0:0 | 0:0 [0x0]
 Backup Channel: none
 Destination Site ID bitmap: 0
 Destination Site ID: 14.14.14.14
 Class-Sequence in use: default
 Class Name: default
 BW Updated: 00:00:18 ago
 Reason for Latest Route Change: Unreachable
 Route Change History:
 Date and Time Previous Exit Current Exit Reason
1: 11:14:44 (UTC) 11/10/2015 INET/3.3.3.3/Tu2 (Ch:10) MPLS/2.2.2.2/Tu1 (Ch:9) Unreachable
 2: 11:11:02 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) INET/3.3.3.3/Tu2 (Ch:10) Out-of-policy (No policy for TC)
--------------------------------------------------------------------------------
Dst-Site-Prefix: 192.168.201.0/24 DSCP: default [0] Traffic class id:29
 Clock Time: 11:51:50 (UTC) 11/10/2015
 TC Learned: 00:15:48 ago
 Present State: CONTROLLED
 Current Performance Status: not monitored (default class)
 Current Service Provider: INET since 00:15:18
 Previous Service Provider: Unknown
 BW Used: 80 Kbps
 Present WAN interface: Tunnel2 in Border 3.3.3.3
 Present Channel (primary): 10 INET pfr-label:0:0 | 0:0 [0x0]
 Backup Channel: 9 MPLS pfr-label:0:0 | 0:0 [0x0]
 Destination Site ID bitmap: 0
 Destination Site ID: 14.14.14.14
 Class-Sequence in use: default
 Class Name: default
 BW Updated: 00:00:19 ago
 Reason for Latest Route Change: Uncontrolled to Controlled Transition
 Route Change History:
 Date and Time Previous Exit Current Exit Reason
1: 11:36:31 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) INET/3.3.3.3/Tu2 (Ch:10) Uncontrolled to Controlled Transition
--------------------------------------------------------------------------------
 Total Traffic Classes: 2 Site: 2 Internet: 0
R1-HUB-MC#
R1-HUB-MC#pfraf
Dst-Site-Prefix: 192.168.10.0/24 DSCP: af41 [34] Traffic class id:31
 Clock Time: 11:52:05 (UTC) 11/10/2015
 TC Learned: 00:03:04 ago
 Present State: CONTROLLED
 Current Performance Status: in-policy
 Current Service Provider: INET since 00:02:33
 Previous Service Provider: Unknown
 BW Used: 61 Kbps
 Present WAN interface: Tunnel2 in Border 3.3.3.3
 Present Channel (primary): 34 INET pfr-label:0:0 | 0:0 [0x0]
 Backup Channel: 33 MPLS pfr-label:0:0 | 0:0 [0x0]
 Destination Site ID bitmap: 0
 Destination Site ID: 14.14.14.14
 Class-Sequence in use: 20
 Class Name: BULK using policy low-latency-data
 BW Updated: 00:00:04 ago
 Reason for Latest Route Change: Uncontrolled to Controlled Transition
 Route Change History:
 Date and Time Previous Exit Current Exit Reason
1: 11:49:32 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) INET/3.3.3.3/Tu2 (Ch:34) Uncontrolled to Controlled Transition
--------------------------------------------------------------------------------
 Total Traffic Classes: 1 Site: 1 Internet: 0
R1-HUB-MC#
R1-HUB-MC#pfref
Dst-Site-Prefix: 192.168.10.0/24 DSCP: ef [46] Traffic class id:30
 Clock Time: 11:52:17 (UTC) 11/10/2015
 TC Learned: 00:04:45 ago
 Present State: CONTROLLED
 Current Performance Status: in-policy
 Current Service Provider: MPLS since 00:04:14
 Previous Service Provider: Unknown
 BW Used: 81 Kbps
 Present WAN interface: Tunnel1 in Border 2.2.2.2
 Present Channel (primary): 31 MPLS pfr-label:0:0 | 0:0 [0x0]
 Backup Channel: 32 INET pfr-label:0:0 | 0:0 [0x0]
 Destination Site ID bitmap: 0
 Destination Site ID: 14.14.14.14
 Class-Sequence in use: 10
 Class Name: ICMP using policy voice
 BW Updated: 00:00:15 ago
 Reason for Latest Route Change: Uncontrolled to Controlled Transition
 Route Change History:
 Date and Time Previous Exit Current Exit Reason
1: 11:48:03 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) MPLS/2.2.2.2/Tu1 (Ch:31) Uncontrolled to Controlled Transition
--------------------------------------------------------------------------------
 Total Traffic Classes: 1 Site: 1 Internet: 0
R1-HUB-MC#

Redundancy test: I shut down R15's Tunnel2 interface and check whether we fail over to the backup (MPLS) direction.

Below is the PfR output, which shows that we are already using the MPLS line:

R1-HUB-MC#pfraf
Dst-Site-Prefix: 192.168.10.0/24 DSCP: af41 [34] Traffic class id:31
 Clock Time: 11:57:15 (UTC) 11/10/2015
 TC Learned: 00:08:14 ago
 Present State: CONTROLLED
 Current Performance Status: in-policy
 Current Service Provider: MPLS since 00:00:48 (hold until 41 sec)
 Previous Service Provider: Unknown
 (A fallback provider. Primary provider will be re-evaluated 00:02:14 later)
 BW Used: 135 Kbps
 Present WAN interface: Tunnel1 in Border 2.2.2.2
 Present Channel (primary): 33 MPLS pfr-label:0:0 | 0:0 [0x0]
 Backup Channel: none
 Destination Site ID bitmap: 0
 Destination Site ID: 14.14.14.14
 Class-Sequence in use: 20
 Class Name: BULK using policy low-latency-data
 BW Updated: 00:00:14 ago
 Reason for Latest Route Change: Uncontrolled to Controlled Transition
 Route Change History:
 Date and Time Previous Exit Current Exit Reason
1: 11:56:27 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) MPLS/2.2.2.2/Tu1 (Ch:33) Uncontrolled to Controlled Transition
 2: 11:55:56 (UTC) 11/10/2015 INET/3.3.3.3/Tu2 (Ch:34) None/0.0.0.0/None (Ch:0) No Channels Available
 3: 11:49:32 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) INET/3.3.3.3/Tu2 (Ch:34) Unreachable
--------------------------------------------------------------------------------
 Total Traffic Classes: 1 Site: 1 Internet: 0
R1-HUB-MC#

We bring the tunnel back up, and after a short while the traffic goes over the INET line again.

R1-HUB-MC#pfraf
Dst-Site-Prefix: 192.168.10.0/24 DSCP: af41 [34] Traffic class id:31
 Clock Time: 11:59:37 (UTC) 11/10/2015
 TC Learned: 00:10:36 ago
 Present State: CONTROLLED
 Current Performance Status: in-policy
 Current Service Provider: INET since 00:00:09 (hold until 80 sec)
 Previous Service Provider: MPLS pfr-label: 0:0 | 0:0 [0x0] for 181 sec
 BW Used: 97 Kbps
 Present WAN interface: Tunnel2 in Border 3.3.3.3
 Present Channel (primary): 34 INET pfr-label:0:0 | 0:0 [0x0]
 Backup Channel: 33 MPLS pfr-label:0:0 | 0:0 [0x0]
 Destination Site ID bitmap: 0
 Destination Site ID: 14.14.14.14
 Class-Sequence in use: 20
 Class Name: BULK using policy low-latency-data
 BW Updated: 00:00:06 ago
 Reason for Latest Route Change: Backup to Primary path preference transition
 Route Change History:
 Date and Time Previous Exit Current Exit Reason
1: 11:59:28 (UTC) 11/10/2015 MPLS/2.2.2.2/Tu1 (Ch:33) INET/3.3.3.3/Tu2 (Ch:34) Backup to Primary path preference transition
 2: 11:56:27 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) MPLS/2.2.2.2/Tu1 (Ch:33) Uncontrolled to Controlled Transition
 3: 11:55:56 (UTC) 11/10/2015 INET/3.3.3.3/Tu2 (Ch:34) None/0.0.0.0/None (Ch:0) No Channels Available
 4: 11:49:32 (UTC) 11/10/2015 None/0.0.0.0/None (Ch:0) INET/3.3.3.3/Tu2 (Ch:34) Unreachable
--------------------------------------------------------------------------------
 Total Traffic Classes: 1 Site: 1 Internet: 0
R1-HUB-MC#

I haven't become an iWAN expert, because doing something like this in a lab is of course completely different from doing it in production, but I have now seen it working, and I like the technology.