Cisco SD-WAN
Cisco SD-WAN: four planes, four components
Management plane --- vManage: provides a highly visual dashboard that simplifies network operations. It delivers centralized configuration, management, operation and monitoring across the entire SD-WAN fabric.
Orchestration plane --- vBond: the orchestrator; it coordinates the control connections between the management, control and data planes and is responsible for authorizing connections.
Control plane --- vSmart: responsible for routing and control; provides routing policy, QoS policy, traffic engineering and so on. vSmart runs OMP (Overlay Management Protocol) with every vEdge, distributes centralized policy and is responsible for enforcing it.
Data plane --- vEdge: responsible for data forwarding and route origination; supports OSPF, BGP and VRRP.
VPN
VPNs in SD-WAN
VPN 512: used for out-of-band management (fixed)
VPN 0: used for the transport side (fixed)
VPN 1-511: used for service VPNs
Current requirement
The loopback interfaces of the switches at each site must be able to reach one another.
Lab topology
This environment is for lab use only, not a production environment.
1. Bringing the devices online
1.1 vManage configuration
vmanage(config)# system
vmanage(config-system)# host-name vmanage
vmanage(config-system)# system-ip 100.1.1.1
vmanage(config-system)# site-id 100
vmanage(config-system)# organization-name alex.com
vmanage(config-system)# vbond 10.1.1.2
vmanage(config-system)# commit
Commit complete.
vmanage(config-system)# exit
vmanage(config)# vpn 0
vmanage(config-vpn-0)# interface eth0
vmanage(config-interface-eth0)# ip address 10.1.1.1/24
vmanage(config-interface-eth0)# no shutdown
vmanage(config-interface-eth0)# exit
vmanage(config-vpn-0)# ip route 0.0.0.0/0 10.1.1.254
vmanage(config-vpn-0)# exit
vmanage(config)# vpn 512
vmanage(config-vpn-512)# interface eth1
vmanage(config-interface-eth1)# no shutdown
vmanage(config-interface-eth1)# ip address 172.16.30.155/16
vmanage(config-interface-eth1)# exit
vmanage(config-vpn-512)# ip route 0.0.0.0/0 172.16.30.254
vmanage(config-vpn-512)# commit
Commit complete.
vmanage(config-vpn-512)# end
1.2 vBond configuration
vedge(config)# system
vedge(config-system)# host-name vbond
vedge(config-system)# system-ip 100.1.1.2
vedge(config-system)# site-id 100
vedge(config-system)# organization-name alex.com
vedge(config-system)# vbond 10.1.1.2 local vbond-only
vedge(config-system)# commit
Commit complete.
vbond(config-system)# exit
vbond(config)# vpn 0
vbond(config-vpn-0)# interface ge0/0
vbond(config-interface-ge0/0)# no shutdown
vbond(config-interface-ge0/0)# no tunnel-interface
vbond(config-interface-ge0/0)# ip address 10.1.1.2/24
vbond(config-interface-ge0/0)# exit
vbond(config-vpn-0)# ip route 0.0.0.0/0 10.1.1.254
vbond(config-vpn-0)# commit
Commit complete.
vbond(config-vpn-0)#
1.3 vSmart configuration
vsmart(config)# system
vsmart(config-system)# host-name vsmart
vsmart(config-system)# system-ip 100.1.1.3
vsmart(config-system)# site-id 100
vsmart(config-system)# vbond 10.1.1.2
vsmart(config-system)# organization-name alex.com
vsmart(config-system)# commit
Commit complete.
vsmart(config-system)# exit
vsmart(config)# vpn 0
vsmart(config-vpn-0)# interface eth0
vsmart(config-interface-eth0)# no shutdown
vsmart(config-interface-eth0)# ip address 10.1.1.3/24
vsmart(config-interface-eth0)# exit
vsmart(config-vpn-0)# ip route 0.0.0.0/0 10.1.1.254
vsmart(config-vpn-0)# commit
Commit complete.
vsmart(config-vpn-0)#
vsmart(config-vpn-0)# end
1.4 vEdge configuration
vEdge1:
vedge(config)# system
vedge(config-system)# host-name vEdge1
vedge(config-system)# system-ip 100.1.1.4
vedge(config-system)# site-id 100
vedge(config-system)# organization-name alex.com
vedge(config-system)# vbond 10.1.1.2
vedge(config-system)# commit
Commit complete.
vEdge1(config-system)# exit
vEdge1(config)# vpn 0
vEdge1(config-vpn-0)# interface ge0/0
vEdge1(config-interface-ge0/0)# no shutdown
vEdge1(config-interface-ge0/0)# no tunnel-interface
vEdge1(config-interface-ge0/0)# ip address 192.168.10.2/30
vEdge1(config-interface-ge0/0)# exit
vEdge1(config-vpn-0)# ip route 0.0.0.0/0 192.168.10.1
vEdge1(config-vpn-0)# commit
Commit complete.
vEdge1(config-vpn-0)#
vEdge2:
vedge(config)# system
vedge(config-system)# host-name vEdge2
vedge(config-system)# system-ip 102.1.1.1
vedge(config-system)# site-id 200
vedge(config-system)# organization-name alex.com
vedge(config-system)# vbond 10.1.1.2
vedge(config-system)# commit
Commit complete.
vEdge2(config-system)# exit
vEdge2(config)# vpn 0
vEdge2(config-vpn-0)# interface ge0/0
vEdge2(config-interface-ge0/0)# no shutdown
vEdge2(config-interface-ge0/0)# no tunnel-interface
vEdge2(config-interface-ge0/0)# ip address 192.168.20.1/24
vEdge2(config-interface-ge0/0)# exit
vEdge2(config-vpn-0)# ip route 0.0.0.0/0 192.168.20.254
vEdge2(config-vpn-0)# commit
Commit complete.
vEdge3:
vedge(config)# system
vedge(config-system)# host-name vEdge3
vedge(config-system)# system-ip 103.1.1.1
vedge(config-system)# site-id 300
vedge(config-system)# organization-name alex.com
vedge(config-system)# vbond 10.1.1.2
vedge(config-system)# commit
Commit complete.
vEdge3(config-system)# exit
vEdge3(config)# vpn 0
vEdge3(config-vpn-0)# interface ge0/0
vEdge3(config-interface-ge0/0)# no shutdown
vEdge3(config-interface-ge0/0)# no tunnel-interface
vEdge3(config-interface-ge0/0)# ip address 192.168.30.1/24
vEdge3(config-interface-ge0/0)# exit
vEdge3(config-vpn-0)# ip route 0.0.0.0/0 192.168.30.254
vEdge3(config-vpn-0)#
vEdge3(config-vpn-0)#
vEdge3(config-vpn-0)# commit
Commit complete.
1.5 Core-Switch configuration
interface Ethernet0/0
switchport access vlan 30
switchport mode access
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
!
interface Ethernet0/2
switchport access vlan 20
switchport mode access
!
interface Vlan10
ip address 10.1.1.254 255.255.255.0
!
interface Vlan20
ip address 14.1.1.4 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
!
interface Vlan30
ip address 192.168.10.1 255.255.255.252
ip ospf 1 area 0
!
router ospf 1
router-id 4.4.4.4
network 10.1.1.0 0.0.0.255 area 0
1.6 ISP configuration
Site100_CE:
vrf definition alex
rd 1:1
route-target export 2:2
route-target import 2:2
!
address-family ipv4
exit-address-family
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip ospf 6 area 0
!
interface Ethernet0/0
ip address 12.1.1.1 255.255.255.0
ip ospf network point-to-point
ip ospf 6 area 0
duplex auto
mpls bgp forwarding
mpls ip
!
interface Ethernet0/1
ip address 13.1.1.1 255.255.255.0
ip ospf network point-to-point
ip ospf 6 area 0
duplex auto
mpls bgp forwarding
mpls ip
!
interface Ethernet0/2
vrf forwarding alex
ip address 14.1.1.1 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
duplex auto
!
router ospf 1 vrf alex
redistribute bgp 100 subnets
!
router ospf 6
router-id 1.1.1.1
!
router bgp 100
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 100
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
neighbor 2.2.2.2 route-reflector-client
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
neighbor 3.3.3.3 route-reflector-client
exit-address-family
!
address-family ipv4 vrf alex
redistribute ospf 1
exit-address-family
Site200_CE:
vrf definition alex
rd 1:1
route-target export 2:2
route-target import 2:2
!
address-family ipv4
exit-address-family
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip ospf 6 area 0
!
interface Ethernet0/0
ip address 12.1.1.2 255.255.255.0
ip ospf network point-to-point
ip ospf 6 area 0
duplex auto
mpls bgp forwarding
mpls ip
!
interface Ethernet0/1
vrf forwarding alex
ip address 192.168.20.254 255.255.255.0
duplex auto
!
router ospf 6
router-id 2.2.2.2
!
router bgp 100
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf alex
redistribute connected
exit-address-family
Site300_CE:
vrf definition alex
rd 1:1
route-target export 2:2
route-target import 2:2
!
address-family ipv4
exit-address-family
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip ospf 6 area 0
!
interface Ethernet0/0
vrf forwarding alex
ip address 192.168.30.254 255.255.255.0
duplex auto
!
interface Ethernet0/1
ip address 13.1.1.3 255.255.255.0
ip ospf network point-to-point
ip ospf 6 area 0
duplex auto
mpls bgp forwarding
mpls ip
!
router ospf 6
router-id 3.3.3.3
!
router bgp 100
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf alex
redistribute connected
exit-address-family
1.7 Certificate handling between the devices (here the OpenSSL on vManage is used to sign and issue the certificates)
1.7.1 Generate the root certificate
vmanage# vshell
vmanage:~$ openssl genrsa -out ROOTCA.key 2048
Generating RSA private key, 2048 bit long modulus
................+++
....+++
e is 65537 (0x10001)
vmanage:~$
vmanage:~$ openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024\
> -subj "/C=CN/ST=HB/L=WH/O=alex.com/CN=ca.vmanage" \
> -out ROOTCA.pem
vmanage:~$ ls -l
total 12
-rw-r--r-- 1 admin admin 1679 Sep 5 14:49 ROOTCA.key
-rw-r--r-- 1 admin admin 1253 Sep 5 14:51 ROOTCA.pem
-rw-r--r-- 1 admin admin 394 Sep 5 14:23 archive_id_rsa.pub
vmanage:~$
1.7.2 On vManage, vBond, vSmart and vEdge, remove the existing root certificate and install the new one
vManage:
vmanage# request root-cert-chain uninstall
Successfully uninstalled the root certificate chain
vmanage#
vmanage# request root-cert-chain install home/admin/ROOTCA.pem
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/ROOTCA.pem via VPN 0
Successfully installed the root certificate chain
vmanage#
vBond, vSmart, vEdge:
vbond# request root-cert-chain uninstall
Successfully uninstalled the root certificate chain
vbond#
vbond# request root-cert-chain install scp://admin@10.1.1.1:/home/admin/ROOTCA.pem
Uploading root-ca-cert-chain via VPN 0
Copying ... admin@10.1.1.1:/home/admin/ROOTCA.pem via VPN 0
Warning: Permanently added '10.1.1.1' (ECDSA) to the list of known hosts.
viptela 16.2.11
admin@10.1.1.1's password:
ROOTCA.pem 100% 1253 1.2KB/s 00:00
Successfully installed the root certificate chain
vbond#
1.7.3 Viewing the certificate, using vBond as the example
1.7.4 Requesting and issuing the device certificates
Generate the certificate signing requests
vManage:
vmanage# request csr upload home/admin/vmanage.csr
Uploading CSR via VPN 0
Enter organization name : alex.com
Re-enter organization name : alex.com
Generating private/public pair and CSR for this vmanage device
Generating CSR for this vmanage device ........[DONE]
Copying ... /home/admin/vmanage.csr via VPN 0
CSR upload successful
vBond, vSmart, vEdge:
vEdge1# request csr upload scp://admin@10.1.1.1:/home/admin/vedge1.csr
Uploading CSR via VPN 0
Enter organization-unit name : alex.com
Re-enter organization-unit name : alex.com
Generating private/public pair and CSR for this vedge device
Generating CSR for this vedge device ........[DONE]
Copying ... admin@10.1.1.1:/home/admin/vedge1.csr via VPN 0
Warning: Permanently added '10.1.1.1' (ECDSA) to the list of known hosts.
viptela 16.2.11
admin@10.1.1.1's password:
server.csr 100% 1212 32.2KB/s 00:00
CSR upload successful
vEdge1#
Issue the certificates:
vmanage# vshell
vmanage:~$ ls -l
total 36
-rw-r--r-- 1 admin admin 1679 Sep 5 14:49 ROOTCA.key
-rw-r--r-- 1 admin admin 1253 Sep 5 14:51 ROOTCA.pem
-rw-r--r-- 1 admin admin 394 Sep 5 15:19 archive_id_rsa.pub
-rw-r--r-- 1 admin admin 1212 Sep 5 15:21 vbond.csr
-rw-r--r-- 1 admin admin 1212 Sep 5 15:04 vedge1.csr
-rw-r--r-- 1 admin admin 1212 Sep 5 15:05 vedge2.csr
-rw-r--r-- 1 admin admin 1212 Sep 5 15:05 vedge3.csr
-rw-r--r-- 1 root root 1216 Sep 5 15:03 vmanage.csr
-rw-r--r-- 1 admin admin 1212 Sep 5 15:22 vsmart.csr
vmanage:~$
vmanage:~$ openssl x509 -req -in vmanage.csr -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial -out vmanage.crt -days 500 -sha256
vmanage:~$ openssl x509 -req -in vbond.csr -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial -out vbond.crt -days 500 -sha256
vmanage:~$ openssl x509 -req -in vsmart.csr -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial -out vsmart.crt -days 500 -sha256
vmanage:~$ openssl x509 -req -in vedge1.csr -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial -out vedge1.crt -days 500 -sha256
vmanage:~$ openssl x509 -req -in vedge2.csr -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial -out vedge2.crt -days 500 -sha256
vmanage:~$ openssl x509 -req -in vedge3.csr -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial -out vedge3.crt -days 500 -sha256
vmanage:~$
vmanage:~$
vmanage:~$ ls -l
total 64
-rw-r--r-- 1 admin admin 1679 Sep 5 14:49 ROOTCA.key
-rw-r--r-- 1 admin admin 1253 Sep 5 14:51 ROOTCA.pem
-rw-r--r-- 1 admin admin 17 Sep 5 15:25 ROOTCA.srl
-rw-r--r-- 1 admin admin 394 Sep 5 15:19 archive_id_rsa.pub
-rw-r--r-- 1 admin admin 1298 Sep 5 15:25 vbond.crt
-rw-r--r-- 1 admin admin 1212 Sep 5 15:21 vbond.csr
-rw-r--r-- 1 admin admin 1298 Sep 5 15:25 vedge1.crt
-rw-r--r-- 1 admin admin 1212 Sep 5 15:04 vedge1.csr
-rw-r--r-- 1 admin admin 1298 Sep 5 15:25 vedge2.crt
-rw-r--r-- 1 admin admin 1212 Sep 5 15:05 vedge2.csr
-rw-r--r-- 1 admin admin 1298 Sep 5 15:25 vedge3.crt
-rw-r--r-- 1 admin admin 1212 Sep 5 15:05 vedge3.csr
-rw-r--r-- 1 admin admin 1302 Sep 5 15:25 vmanage.crt
-rw-r--r-- 1 root root 1216 Sep 5 15:03 vmanage.csr
-rw-r--r-- 1 admin admin 1298 Sep 5 15:25 vsmart.crt
-rw-r--r-- 1 admin admin 1212 Sep 5 15:22 vsmart.csr
vmanage:~$
Install the certificates:
vManage:
vmanage#
vmanage# request certificate install home/admin/vmanage.crt
Installing certificate via VPN 0
Copying ... /home/admin/vmanage.crt via VPN 0
Successfully installed the certificate
vmanage#
vBond, vSmart, vEdge:
vbond#
vbond# request certificate install scp://admin@10.1.1.1:/home/admin/vbond.crt
Installing certificate via VPN 0
Copying ... admin@10.1.1.1:/home/admin/vbond.crt via VPN 0
Warning: Permanently added '10.1.1.1' (ECDSA) to the list of known hosts.
viptela 16.2.11
admin@10.1.1.1's password:
vbond.crt 100% 1298 1.3KB/s 00:00
Successfully installed the certificate
vbond#
1.7.5 Viewing the certificate, using vBond as the example
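As an added example (not part of the original post), the same OpenSSL flow run end to end in a scratch directory, followed by the two checks worth doing before `request certificate install`: that the device certificate chains to ROOTCA.pem, and that its OU carries the org name the control plane will compare against. It assumes the `openssl` binary is on the path; the CSR subject (O=lab, CN=vedge1, OU=org name) is an assumption standing in for what `request csr upload` generates.

```python
import subprocess
import tempfile
from pathlib import Path

ORG = "alex.com"  # must equal the organization-name configured under `system`


def openssl(*args, cwd):
    """Run one openssl command in cwd and return its stdout (raises on error)."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          text=True, capture_output=True).stdout


def build_lab_pki(work, org=ORG, days=500):
    """Reproduce the page's flow in a scratch directory: root CA, one device
    CSR (standing in for `request csr upload`), and a CA-signed certificate."""
    openssl("genrsa", "-out", "ROOTCA.key", "2048", cwd=work)
    openssl("req", "-x509", "-new", "-nodes", "-key", "ROOTCA.key", "-sha256",
            "-days", "1024", "-subj", f"/C=CN/ST=HB/L=WH/O={org}/CN=ca.vmanage",
            "-out", "ROOTCA.pem", cwd=work)
    # Assumed CSR subject: the device prompt asks for an organization-unit
    # name, so the org name goes in OU (O and CN here are hypothetical).
    openssl("req", "-new", "-nodes", "-newkey", "rsa:2048", "-keyout", "vedge1.key",
            "-subj", f"/C=CN/O=lab/OU={org}/CN=vedge1", "-out", "vedge1.csr", cwd=work)
    openssl("x509", "-req", "-in", "vedge1.csr", "-CA", "ROOTCA.pem", "-CAkey",
            "ROOTCA.key", "-CAcreateserial", "-out", "vedge1.crt",
            "-days", str(days), "-sha256", cwd=work)
    return Path(work) / "vedge1.crt"


def check_device_cert(crt, root, org=ORG):
    """Checks worth running before `request certificate install`: the cert
    chains to our own root, and its OU carries the expected org name."""
    chain = subprocess.run(["openssl", "verify", "-CAfile", str(root), str(crt)],
                           text=True, capture_output=True)
    subject = openssl("x509", "-in", str(crt), "-noout", "-subject",
                      "-nameopt", "RFC2253", cwd=crt.parent)
    rdns = subject.split("=", 1)[1].strip().split(",")
    return {"chain_ok": chain.returncode == 0, "ou_matches": f"OU={org}" in rdns}


def demo():
    """Build the PKI and run the checks with the right and a wrong org name."""
    with tempfile.TemporaryDirectory() as work:
        crt = build_lab_pki(work)
        root = Path(work) / "ROOTCA.pem"
        return check_device_cert(crt, root), check_device_cert(crt, root, org="other.com")


if __name__ == "__main__":
    print(demo())
```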
1.8 Adding the vBond, vSmart and vEdge devices in vManage
1.8.1 Log in to vManage and configure Settings (the org-name here differs from what was configured earlier because the environment was changed)
1.8.2 Add vBond and vSmart (be sure to uncheck the CSR option, because we have already signed the certificates ourselves)
1.8.3 After adding them, push the certificates to vBond
1.8.4 Importing the vEdge authorization file
Not demonstrated here; this requires a request through a Cisco Smart Account in order to obtain a whitelist file.
The official links are:
https://sdwan-docs.cisco.com/Product_Documentation/vManage_How-Tos/Configuration/Upload_the_vEdge_Serial_Number_File
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/SD-WAN-End-to-End-Deployment-Guide.pdf
1.9 At this point vBond, vSmart and vEdge are all online in vManage
2. Control connections
2.1 View the control connections between the devices
3. Device information
3.1 Viewing system information, using vManage as the example; at this point the devices are not yet managed by vManage, and vManage itself is also in an unmanaged state
4. Bringing devices under management
4.1 Managing vManage
4.1.1 Create the feature templates: a System template, a VPN 0 template, a VPN 512 template and the interface templates
System template; note that the name should be changed to something readable, as shown below, then Save:
VPN 0 template:
VPN 512 template:
VPN 0 interface template:
VPN 512 interface template:
4.1.2 We now have enough templates to manage vManage; next we create the Device template
Here you can see the differences between the template configuration and the device's current configuration; if everything looks right, click Configure Devices to push the configuration.
4.1.3 Success means the configuration was pushed successfully
4.1.4 The device's system information can now be viewed by logging in over SSH from vManage
4.1.5 vManage is now under management
4.2 Managing vSmart
4.2.1 Create the feature templates: a System template, a VPN 0 template, a VPN 512 template, the interface templates and an OMP template
System template:
VPN 0:
VPN 512:
VPN 0 interface template:
VPN 512 interface template:
OMP template:
4.2.2 Create the Device template
4.2.3 Success
4.2.4 Log in to vSmart and view the system information
4.2.5 vSmart is now managed by vManage
4.3 Managing vEdge
4.3.1 Create the vEdge System template
4.3.2 Create the vEdge VPN 0 template
vEdge1:
vEdge2 and vEdge3 are similar, differing only in the next hop of the IPv4 route, so they are not repeated here.
4.3.3 Create the vEdge VPN 512 template
4.3.4 Create the VPN 0 interface template
4.3.5 Because the vEdge connects to the service side through a subinterface, the physical interface must also be placed under the VPN 0 template, so here we create the service-side physical interface template
4.3.6 Create the VPN 512 interface template
4.3.7 Create the OMP template (note that there is no IPv6 in this network, so disable it here; IPv4 can stay at the default)
4.3.8 Create the service-side service VPN template
4.3.9 Create the interface template for service VPN 66
4.3.10 Create the service-side OSPF template
4.3.11 The vEdge feature templates are complete; create the Device template
vEdge1:
vEdge2 and vEdge3 are similar to vEdge1 and are not repeated here.
4.3.12 Log in to the vEdge and view the system information
4.3.13 All vEdges are now managed by vManage
4.3.14 Configuration changes on a managed device can only be made from vManage; they cannot be made locally
5. Site switches
Switch_100:
interface Loopback0
ip address 123.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface Ethernet0/0
switchport trunk allowed vlan 66
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan66
mtu 1496
ip address 192.168.11.2 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
!
router ospf 1
router-id 123.1.1.1
Switch_200:
interface Loopback0
ip address 123.1.1.2 255.255.255.255
ip ospf 1 area 0
!
interface Ethernet0/0
switchport trunk allowed vlan 66
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan66
mtu 1496
ip address 192.168.21.2 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
!
router ospf 1
router-id 123.1.1.2
Switch_300:
interface Loopback0
ip address 123.1.1.3 255.255.255.255
ip ospf 1 area 0
!
interface Ethernet0/0
switchport trunk allowed vlan 66
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan66
mtu 1496
ip address 192.168.31.2 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
!
router ospf 1
router-id 123.1.1.3
6. Routing information
6.1 View the OMP peers on vSmart
6.2 View the OMP routes on vSmart
Alex-vSmart# show omp routes
---------------------------------------------------
omp route entries for vpn 66 route 123.1.1.1/32
---------------------------------------------------
RECEIVED FROM:
peer 100.1.1.4
path-id 65
label 1002
status C,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 100.1.1.4
type installed
tloc 100.1.1.4, default, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 100
preference not set
tag not set
origin-proto OSPF-intra-area
origin-metric 11
as-path not set
unknown-attr-len not set
ADVERTISED TO:
peer 102.1.1.1
ADVERTISED TO:
peer 103.1.1.1
---------------------------------------------------
omp route entries for vpn 66 route 123.1.1.2/32
---------------------------------------------------
RECEIVED FROM:
peer 102.1.1.1
path-id 65
label 1002
status C,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 102.1.1.1
type installed
tloc 102.1.1.1, default, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 200
preference not set
tag not set
origin-proto OSPF-intra-area
origin-metric 11
as-path not set
unknown-attr-len not set
ADVERTISED TO:
peer 100.1.1.4
ADVERTISED TO:
peer 103.1.1.1
---------------------------------------------------
omp route entries for vpn 66 route 123.1.1.3/32
---------------------------------------------------
RECEIVED FROM:
peer 103.1.1.1
path-id 65
label 1002
status C,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 103.1.1.1
type installed
tloc 103.1.1.1, default, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 300
preference not set
tag not set
origin-proto OSPF-intra-area
origin-metric 11
as-path not set
unknown-attr-len not set
ADVERTISED TO:
peer 100.1.1.4
ADVERTISED TO:
peer 102.1.1.1
---------------------------------------------------
omp route entries for vpn 66 route 192.168.11.0/24
---------------------------------------------------
RECEIVED FROM:
peer 100.1.1.4
path-id 65
label 1002
status C,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 100.1.1.4
type installed
tloc 100.1.1.4, default, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 100
preference not set
tag not set
origin-proto connected
origin-metric 0
as-path not set
unknown-attr-len not set
ADVERTISED TO:
peer 102.1.1.1
ADVERTISED TO:
peer 103.1.1.1
---------------------------------------------------
omp route entries for vpn 66 route 192.168.21.0/24
---------------------------------------------------
RECEIVED FROM:
peer 102.1.1.1
path-id 65
label 1002
status C,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 102.1.1.1
type installed
tloc 102.1.1.1, default, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 200
preference not set
tag not set
origin-proto connected
origin-metric 0
as-path not set
unknown-attr-len not set
ADVERTISED TO:
peer 100.1.1.4
ADVERTISED TO:
peer 103.1.1.1
---------------------------------------------------
omp route entries for vpn 66 route 192.168.31.0/24
---------------------------------------------------
RECEIVED FROM:
peer 103.1.1.1
path-id 65
label 1002
status C,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 103.1.1.1
type installed
tloc 103.1.1.1, default, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 300
preference not set
tag not set
origin-proto connected
origin-metric 0
as-path not set
unknown-attr-len not set
ADVERTISED TO:
peer 100.1.1.4
ADVERTISED TO:
peer 102.1.1.1
Alex-vSmart#
6.3 View the OMP peer information on the vEdge
6.4 View the OMP route information on the vEdge
Alex-vEdge2# show omp routes
---------------------------------------------------
omp route entries for vpn 66 route 123.1.1.1/32
---------------------------------------------------
RECEIVED FROM:
peer 100.1.1.3
path-id 7
label 1002
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 100.1.1.4
type installed
tloc 100.1.1.4, default, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 100
preference not set
tag not set
origin-proto OSPF-intra-area
origin-metric 11
as-path not set
unknown-attr-len not set
---------------------------------------------------
omp route entries for vpn 66 route 123.1.1.2/32
---------------------------------------------------
RECEIVED FROM:
peer 0.0.0.0
path-id 65
label 1002
status C,Red,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 102.1.1.1
type installed
tloc 102.1.1.1, default, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 200
preference not set
tag not set
origin-proto OSPF-intra-area
origin-metric 11
as-path not set
unknown-attr-len not set
ADVERTISED TO:
peer 100.1.1.3
---------------------------------------------------
omp route entries for vpn 66 route 123.1.1.3/32
---------------------------------------------------
RECEIVED FROM:
peer 100.1.1.3
path-id 5
label 1002
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 103.1.1.1
type installed
tloc 103.1.1.1, default, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 300
preference not set
tag not set
origin-proto OSPF-intra-area
origin-metric 11
as-path not set
unknown-attr-len not set
---------------------------------------------------
omp route entries for vpn 66 route 192.168.11.0/24
---------------------------------------------------
RECEIVED FROM:
peer 100.1.1.3
path-id 6
label 1002
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 100.1.1.4
type installed
tloc 100.1.1.4, default, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 100
preference not set
tag not set
origin-proto connected
origin-metric 0
as-path not set
unknown-attr-len not set
---------------------------------------------------
omp route entries for vpn 66 route 192.168.21.0/24
---------------------------------------------------
RECEIVED FROM:
peer 0.0.0.0
path-id 65
label 1002
status C,Red,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 102.1.1.1
type installed
tloc 102.1.1.1, default, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 200
preference not set
tag not set
origin-proto connected
origin-metric 0
as-path not set
unknown-attr-len not set
ADVERTISED TO:
peer 100.1.1.3
---------------------------------------------------
omp route entries for vpn 66 route 192.168.31.0/24
---------------------------------------------------
RECEIVED FROM:
peer 100.1.1.3
path-id 3
label 1002
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 103.1.1.1
type installed
tloc 103.1.1.1, default, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 300
preference not set
tag not set
origin-proto connected
origin-metric 0
as-path not set
unknown-attr-len not set
Alex-vEdge2#
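The vSmart output in 6.2 and the vEdge output in 6.4 share one layout, so a single parser covers both. Added example, not from the original post: it reads each RECEIVED FROM block into a dict and then flags any path whose originating site-id is not the site that owns that loopback, which is how a leaked or misconfigured prefix shows up in OMP. The sample is a trimmed, constructed copy of the vEdge2 output with one invented extra path (originator 103.1.1.1 for 123.1.1.1/32) for the audit to catch.

```python
import re

# Constructed sample in the layout of `show omp routes`, trimmed to the fields
# the parser needs. The second path for 123.1.1.1/32 is invented (not on the
# page) so that the site-ownership audit has something to report.
SAMPLE = """\
---------------------------------------------------
omp route entries for vpn 66 route 123.1.1.1/32
RECEIVED FROM:
peer 100.1.1.3
status C,I,R
Attributes:
originator 100.1.1.4
tloc 100.1.1.4, default, ipsec
site-id 100
RECEIVED FROM:
peer 100.1.1.3
status C,R
Attributes:
originator 103.1.1.1
tloc 103.1.1.1, default, ipsec
site-id 300
---------------------------------------------------
omp route entries for vpn 66 route 123.1.1.2/32
RECEIVED FROM:
peer 0.0.0.0
status C,Red,R
Attributes:
originator 102.1.1.1
tloc 102.1.1.1, default, ipsec
site-id 200
ADVERTISED TO:
peer 100.1.1.3
"""

# Which site owns each switch loopback, from the lab topology.
PREFIX_SITE = {"123.1.1.1/32": "100", "123.1.1.2/32": "200", "123.1.1.3/32": "300"}

HEADER = re.compile(r"omp route entries for vpn (\d+) route (\S+)")


def parse_omp_routes(text):
    """One dict per RECEIVED FROM block: peer/status at top level (status as a
    frozenset of flags), the Attributes: block under "attrs", and the peers
    listed under ADVERTISED TO: in "advertised_to"."""
    routes, vpn, prefix, cur, section = [], None, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            vpn, prefix = int(m.group(1)), m.group(2)
        elif line == "RECEIVED FROM:":
            cur = {"vpn": vpn, "prefix": prefix, "attrs": {}, "advertised_to": []}
            routes.append(cur)
            section = "recv"
        elif line in ("Attributes:", "ADVERTISED TO:"):
            section = line[:-1].lower()
        elif cur and line and not line.startswith("---"):
            key, _, val = line.partition(" ")
            if section == "recv":
                cur[key] = frozenset(val.split(",")) if key == "status" else val
            elif section == "attributes":
                cur["attrs"][key] = val
            elif key == "peer":
                cur["advertised_to"].append(val)
    return routes


def foreign_originators(routes, prefix_site):
    """Paths whose originating site is not the site that owns the prefix: a
    misconfigured or compromised edge leaking another site's route."""
    return [(r["prefix"], r["attrs"]["originator"], r["attrs"]["site-id"])
            for r in routes
            if r["prefix"] in prefix_site
            and r["attrs"]["site-id"] != prefix_site[r["prefix"]]]
```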
6.5 View the global routing table on the vEdge
6.6 View the routing table on the site switch
7. Connectivity test
7.1 Test connectivity between the loopback of Switch_200 and the loopback of Switch_300
7.2 Use traceroute to trace the path
8. Notes
- Without a third-party certificate server, be sure to disable tunnel-interface under VPN 0, use the local certificate server, and only re-enable tunnel-interface once all certificates have been loaded.
- Devices must have VPN 512 configured and bound, even if it is left empty.
- If subinterfaces are used, the physical interface must be placed under VPN 0.
- Subinterfaces must have their MTU changed to 1496.
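The four notes above can be turned into a pre-push check on a vEdge configuration. Added example, not from the original post: the config fragment is constructed in the layout of a Viptela running-config, and the parser relies on that indentation (`vpn N` at column 0, ` interface X` one space in), which is an assumption about how the CLI prints it.

```python
import re

# Constructed vEdge config fragment (not from the page), deliberately wrong
# on three of the notes: vpn 512 is absent, the service subinterface
# ge0/1.66 in vpn 66 has no parent ge0/1 in vpn 0, and its mtu is 1500.
SAMPLE_CONFIG = """\
vpn 0
 interface ge0/0
  ip address 192.168.10.2/30
  tunnel-interface
   encapsulation ipsec
  !
  no shutdown
 !
!
vpn 66
 interface ge0/1.66
  ip address 192.168.11.1/24
  mtu 1500
  no shutdown
 !
!
"""


def parse_vpn_interfaces(text):
    """Return {vpn: {ifname: {"mtu": int or None, "tunnel": bool}}}."""
    vpns, vpn, ifname = {}, None, None
    for line in text.splitlines():
        if m := re.fullmatch(r"vpn (\d+)", line):
            vpn, ifname = int(m.group(1)), None
            vpns.setdefault(vpn, {})
        elif (m := re.fullmatch(r" interface (\S+)", line)) and vpn is not None:
            ifname = m.group(1)
            vpns[vpn][ifname] = {"mtu": None, "tunnel": False}
        elif ifname and line.strip().startswith("mtu "):
            vpns[vpn][ifname]["mtu"] = int(line.split()[1])
        elif ifname and line.strip() == "tunnel-interface":
            vpns[vpn][ifname]["tunnel"] = True
    return vpns


def lint_vedge_config(text):
    """Apply the four notes as checks; returns a list of finding strings."""
    vpns = parse_vpn_interfaces(text)
    findings = []
    if 512 not in vpns:
        findings.append("vpn 512 missing: it must exist even if left empty")
    for vpn, ifs in vpns.items():
        for name, props in ifs.items():
            if vpn == 0 and props["tunnel"]:
                findings.append(f"{name}: tunnel-interface is on; enable it only "
                                "after the certificates are installed")
            if "." in name:  # subinterface such as ge0/1.66
                parent = name.split(".")[0]
                if parent not in vpns.get(0, {}):
                    findings.append(f"{name} in vpn {vpn}: parent {parent} not in vpn 0")
                if props["mtu"] != 1496:
                    findings.append(f"{name} in vpn {vpn}: mtu {props['mtu']}, expected 1496")
    return findings
```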