ENSP PRO LAB笔记:配置SRv6(Part3)

2023-11-09 04:59
文章标签 配置 笔记 ensp pro lab part3 srv6

本文主要是介绍ENSP PRO LAB笔记:配置SRv6(Part3),希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

八、SRv6 TE Flow Group测试

8.1 测试拓扑

8.2 测试说明

  • PE1配置2条SRv6 TE Policy,命名为policy10(color10)、policy11(color11)
  • PE4 vpn1配置测试loopback100、loopback101,用于ping测试
  • PE4发布vpn路由172.30.0.0/16
  • PE1配置Mapping policy,用于DSCP引流
  • PE1接收EVPN路由172.30.0.0/16时对此路由进行染色,通过DSCP引流的方式,将业务流量引入动态创建的SRv6 TE Flow Group
  • 由于目前模拟路由器不支持DSCP标记,在CE1 ping 测试时,设置相应DSCP(支持linux ping)
  • CE1 ping相同网段(172.30.0.0/16)的不同地址,PE1根据DSCP,选择不同的SRv6 TE Policy进行传输

8.3 测试步骤

8.3.1 配置SRv6 TE Policy

PE1配置:

segment-routing ipv6

 segment-list list10

  index 5 sid ipv6 3001:2::10:0

  index 10 sid ipv6 3001:4::10:0

 segment-list list11

  index 5 sid ipv6 3001:3::10:0

  index 10 sid ipv6 3001:4::10:0

 srv6-te policy policy10 endpoint 2001:4::1 color 10

  binding-sid 3001:1::90:0

  candidate-path preference 100

   segment-list list10

 srv6-te policy policy11 endpoint 2001:4::1 color 11

  binding-sid 3001:1::91:0

  candidate-path preference 100

   segment-list list11

#

8.3.2 查看SRv6 TE Policy信息

[PE1]dis srv6-te policy
PolicyName : policy10
Color                   : 10                             Endpoint             : 2001:4::1
TunnelId                : 1                              Binding SID          : 3001:1::90:0(Insert)
TunnelType              : SRv6-TE Policy                 DelayTimerRemain     : -
Policy State            : Up                             State Change Time    : 2023-09-27 04:56:39
Admin State             : Up                             Traffic Statistics   : Disable
Backup Hot-Standby      : Disable                        BFD                  : Disable
Interface Index         : -                              Interface Name       : -
Interface State         : -                              Encapsulation Mode   : Insert
Candidate-path Count    : 1                             Candidate-path Preference : 100Path State             : Active                         Path Type            : PrimaryProtocol-Origin        : Configuration(30)              Originator           : 0, 0.0.0.0Discriminator          : 100                            Binding SID          : 3001:1::90:0GroupId                : 1                              Policy Name          : policy10Template ID            : 0                              Path Verification    : EnableDelayTimerRemain       : -                              Network Slice ID     : -Segment-List Count     : 1Segment-List          : list10Segment-List ID      : 1                              XcIndex              : 2  List State           : Up                             DelayTimerRemain     : -Verification State   : Up                             SuppressTimeRemain   : -PMTU                 : 9600                           Active PMTU          : 9600Weight               : 1                              BFD State            : -Network Slice ID     : -                             Binding SID          : -Reverse Binding SID  : -                             SID :3001:2::10:0                              3001:4::10:0                              PolicyName : policy11
Color                   : 11                             Endpoint             : 2001:4::1
TunnelId                : 2                              Binding SID          : 3001:1::91:0(Insert)
TunnelType              : SRv6-TE Policy                 DelayTimerRemain     : -
Policy State            : Up                             State Change Time    : 2023-09-27 04:54:41
Admin State             : Up                             Traffic Statistics   : Disable
Backup Hot-Standby      : Disable                        BFD                  : Disable
Interface Index         : -                              Interface Name       : -
Interface State         : -                              Encapsulation Mode   : Insert
Candidate-path Count    : 1                             Candidate-path Preference : 100Path State             : Active                         Path Type            : PrimaryProtocol-Origin        : Configuration(30)              Originator           : 0, 0.0.0.0Discriminator          : 100                            Binding SID          : 3001:1::91:0GroupId                : 2                              Policy Name          : policy11Template ID            : 0                              Path Verification    : EnableDelayTimerRemain       : -                              Network Slice ID     : -Segment-List Count     : 1Segment-List          : list11Segment-List ID      : 2                              XcIndex              : 1  List State           : Up                             DelayTimerRemain     : -Verification State   : Up                             SuppressTimeRemain   : -PMTU                 : 9600                           Active PMTU          : 9600Weight               : 1                              BFD State            : -Network Slice ID     : -                             Binding SID          : -Reverse Binding SID  : -                             SID :3001:3::10:0                              3001:4::10:0   

8.3.3 配置测试Loopback地址

PE4创建两个loopback地址,分别配置测试网段172.30.1.0/24, 172.30.2.0/24,但对外只发布172.30.0.0/16的路由。

PE4:

#

interface LoopBack100

 ip binding vpn-instance vpn1

 ip address 172.30.1.1 255.255.255.0

#

interface LoopBack101

 ip binding vpn-instance vpn1

 ip address 172.30.2.1 255.255.255.0

#

8.3.4 发布VPN路由

PE4上,bgp ipv4 vpn实例vpn1在引入直连路由时,不引入loopback100/loopback101直连路由,通过引入静态路由方式,引入172.30.0.0/16,并发给PE1,这样做的目的是:PE1的vpn1都通过172.30.0.0/16访问172.30.1.1和172.30.2.1,并通过dscp对应不同的小color,迭代到不同的policy转发路径。

PE4配置

#

bgp 100

 #

 ipv4-family vpn-instance vpn1

  import-route direct route-policy p1

  import-route static

 #

route-policy p1 permit node 10

 if-match interface Ethernet3/0/0 (只允许局域端口的直连路由)

#

ip route-static vpn-instance vpn1 172.30.0.0 255.255.0.0 NULL0

#

 执行完以上步骤后,在PE1用以下命令查看,172.30.0.0/16未染色之前,走SRv6 BE路径:

[PE1]dis ip routing-table vpn-instance vpn1

8.3.5 配置SRv6 Mapping Policy

8.3.5.1 功能说明

通过配置SRv6 Mapping Policy,设备利用业务路由(即VPN路由或私网路由)Color属性去匹配相同Color的SRv6 Mapping Policy,如果SRv6 Mapping Policy存在,则设备动态生成一个SRv6 TE Flow Group,供业务转发使用。该SRv6 TE Flow Group里存在多个Color属性不同,但EndPoint相同的SRv6 TE Policy。

8.3.5.2 DSCP说明
源IP地址目的IP地址模拟数据流DSCP设置Color
172.10.1.10172.30.1.1数据流1AF31(DSCP:26,011010)10
172.10.1.10172.30.2.1数据流2AF21(DSCP:18,010010)11
8.3.5.3 配置Mapping policy

PE1配置:

#

segment-routing ipv6

 mapping-policy p1 color 1000

  match-type dscp

   index 100 dscp ipv4 26 match srv6-te-policy color 10

   index 200 dscp ipv4 18 match srv6-te-policy color 11

#

8.3.6 配置DSCP引流

#

route-policy p1 permit node 10

 if-match ip-prefix 1

 apply extcommunity color 0:101

#

route-policy p1 permit node 20

 if-match ip-prefix 2

 apply extcommunity color 0:1000

#

route-policy p1 permit node 30

#

ip ip-prefix 1 index 10 permit 172.20.1.0 24

ip ip-prefix 2 index 10 permit 172.30.0.0 16

#

#

tunnel-policy tnl-1

 tunnel select-seq ipv6 srv6-te-policy load-balance-number 1

#

tunnel-policy tnl-2

 tunnel select-seq ipv6 srv6-te-flow-group srv6-te-policy load-balance-number 1 unmix

#

#

ip vpn-instance vpn1

 ipv4-family

  tnl-policy tnl-2 evpn

#

8.3.7 查看SRv6 TE Flow Group信息

[PE1]dis srv6-te flow-groupSRv6-TE Flow Group Information
----------------------------------------------------------------------------------------------
Group Name            :
Color                 : 1000                          Endpoint            : 2001:4::1
Group Tunnel ID       : 4                             Group Tunnel Type   : SRv6-TE Flow Group
Group Tunnel State    : Up                            State Change Time   : 2023-09-27 04:54:43
Interface Index       : -                             Interface Name      : -
Interface State       : -                             
Delay Timer Remain    : -                             UP/ALL Num          : 2/2Index                : 100                           AfType              : IPv4DSCP                 : 26Match Tunnel         : SRv6-TE Policy                State               : UpColor                : 10                            Tunnel Id           : 1Index                : 200                           AfType              : IPv4DSCP                 : 18Match Tunnel         : SRv6-TE Policy                State               : UpColor                : 11                            Tunnel Id           : 2
[PE1]

8.3.8 查看VPN实例vpn1的路由

查看VPN实例IPv4路由表信息,可以看到私网路由已经成功迭代到SRv6 TE Flow Group。

[PE1]dis ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpn1Destinations : 7        Routes : 7         Destination/Mask    Proto   Pre  Cost        Flags NextHop                                  Interface127.0.0.0/8   Direct  0    0             D   127.0.0.1                                InLoopBack0172.10.1.0/24  Direct  0    0             D   172.10.1.1                               Ethernet3/0/2172.10.1.1/32  Direct  0    0             D   127.0.0.1                                Ethernet3/0/2172.10.1.255/32  Direct  0    0             D   127.0.0.1                                Ethernet3/0/2172.20.1.0/24  IBGP    255  0             RD  2001:4::1                                policy1172.30.0.0/16  IBGP    255  0             RD  2001:4::1                                SRv6-TE Flow Group
255.255.255.255/32  Direct  0    0             D   127.0.0.1                                InLoopBack0
[PE1]

8.3.9 Ping测试

8.3.9.1 测试说明

由于目前ENSP Pro的NE路由器版本不支持QoS,所以在PC侧设置DSCP值。
ping -Q 104 (设置DSCP为26,即AF31)
ping -Q 72 (设置DSCP为18(010010),即AF21, 计算方式:IP ToS为1个字节,共8个bit, 7到2bit位为:010010,补充1-0bit位:00,01001000换算10进制为72)

8.3.9.2 查看DSCP是否正确设置

CE1 ping测试时,在PE1-Eth3/0/2抓包,查看DSCP是否正确设置。
ping -Q 104 172.30.1.1 (设置DSCP为26(AF31)),抓包结果符合预期:

Frame 1: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
Ethernet II, Src: b2:e0:61:ae:0e:be (b2:e0:61:ae:0e:be), Dst: 38:03:00:11:03:02 (38:03:00:11:03:02)
Internet Protocol Version 4, Src: 172.10.1.10, Dst: 172.30.1.10100 .... = Version: 4.... 0101 = Header Length: 20 bytes (5)Differentiated Services Field: 0x68 (DSCP: AF31, ECN: Not-ECT)0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (26).... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)Total Length: 84Identification: 0xe123 (57635)010. .... = Flags: 0x2, Don't fragment...0 0000 0000 0000 = Fragment Offset: 0Time to Live: 64Protocol: ICMP (1)Header Checksum: 0xfee9 [validation disabled][Header checksum status: Unverified]Source Address: 172.10.1.10Destination Address: 172.30.1.1
Internet Control Message Protocol

ping -Q 72 172.30.2.1 (设置DSCP为18(AF21)),抓包结果符合预期:

Frame 1: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
Ethernet II, Src: b2:e0:61:ae:0e:be (b2:e0:61:ae:0e:be), Dst: 38:03:00:11:03:02 (38:03:00:11:03:02)
Internet Protocol Version 4, Src: 172.10.1.10, Dst: 172.30.2.10100 .... = Version: 4.... 0101 = Header Length: 20 bytes (5)Differentiated Services Field: 0x48 (DSCP: AF21, ECN: Not-ECT)0100 10.. = Differentiated Services Codepoint: Assured Forwarding 21 (18).... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)Total Length: 84Identification: 0x21f7 (8695)010. .... = Flags: 0x2, Don't fragment...0 0000 0000 0000 = Fragment Offset: 0Time to Live: 64Protocol: ICMP (1)Header Checksum: 0xbd36 [validation disabled][Header checksum status: Unverified]Source Address: 172.10.1.10Destination Address: 172.30.2.1
Internet Control Message Protocol
8.3.9.3 CE1 ping -Q 104 172.30.1.1

在PE1-3/0/0和3/0/1同时抓包,结果能正常ping通,3/0/0能抓到发出的包,3/0/1没有抓到发出的包。经过抓包分析,此数据流通过SRv6 TE Policy policy10传输,符合预期:

Frame 2: 194 bytes on wire (1552 bits), 194 bytes captured (1552 bits)
Ethernet II, Src: 38:03:00:11:03:00 (38:03:00:11:03:00), Dst: 38:06:00:11:03:01 (38:06:00:11:03:01)
Internet Protocol Version 6, Src: ::, Dst: 3001:2::10:00110 .... = Version: 6.... 1111 1111 .... .... .... .... .... = Traffic Class: 0xff (DSCP: Unknown, ECN: CE).... 1111 11.. .... .... .... .... .... = Differentiated Services Codepoint: Unknown (63).... .... ..11 .... .... .... .... .... = Explicit Congestion Notification: Congestion Experienced (3).... 0000 0000 0000 0000 0001 = Flow Label: 0x00001Payload Length: 140Next Header: Routing Header for IPv6 (43)Hop Limit: 63Source Address: ::Destination Address: 3001:2::10:0Routing Header for IPv6 (Segment Routing)Next Header: IPIP (4)Length: 6[Length: 56 bytes]Type: Segment Routing (4)Segments Left: 2Last Entry: 2Flags: 0x00Tag: 0000Address[0]: 3001:4::4001:0Address[1]: 3001:4::10:0Address[2]: 3001:2::10:0
Internet Protocol Version 4, Src: 172.10.1.10, Dst: 172.30.1.10100 .... = Version: 4.... 0101 = Header Length: 20 bytes (5)Differentiated Services Field: 0x68 (DSCP: AF31, ECN: Not-ECT)0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (26).... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)Total Length: 84Identification: 0xac39 (44089)010. .... = Flags: 0x2, Don't fragment...0 0000 0000 0000 = Fragment Offset: 0Time to Live: 63Protocol: ICMP (1)Header Checksum: 0x34d4 [validation disabled][Header checksum status: Unverified]Source Address: 172.10.1.10Destination Address: 172.30.1.1
Internet Control Message Protocol
8.3.9.4 CE1 ping -Q 72 172.30.2.1

在PE1-3/0/0和3/0/1同时抓包,结果能正常ping通,3/0/1能抓到发出的包,3/0/0没有抓到发出的包。经过抓包分析,此数据流通过SRv6 TE Policy policy11传输,符合预期:

Frame 2: 194 bytes on wire (1552 bits), 194 bytes captured (1552 bits)
Ethernet II, Src: 38:03:00:11:03:01 (38:03:00:11:03:01), Dst: 38:02:00:11:03:01 (38:02:00:11:03:01)Destination: 38:02:00:11:03:01 (38:02:00:11:03:01)Source: 38:03:00:11:03:01 (38:03:00:11:03:01)Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: ::, Dst: 3001:3::10:00110 .... = Version: 6.... 1111 1111 .... .... .... .... .... = Traffic Class: 0xff (DSCP: Unknown, ECN: CE).... 1111 11.. .... .... .... .... .... = Differentiated Services Codepoint: Unknown (63).... .... ..11 .... .... .... .... .... = Explicit Congestion Notification: Congestion Experienced (3).... 0000 0000 0000 0000 0001 = Flow Label: 0x00001Payload Length: 140Next Header: Routing Header for IPv6 (43)Hop Limit: 63Source Address: ::Destination Address: 3001:3::10:0Routing Header for IPv6 (Segment Routing)Next Header: IPIP (4)Length: 6[Length: 56 bytes]Type: Segment Routing (4)Segments Left: 2Last Entry: 2Flags: 0x00Tag: 0000Address[0]: 3001:4::4001:0Address[1]: 3001:4::10:0Address[2]: 3001:3::10:0
Internet Protocol Version 4, Src: 172.10.1.10, Dst: 172.30.2.10100 .... = Version: 4.... 0101 = Header Length: 20 bytes (5)Differentiated Services Field: 0x48 (DSCP: AF21, ECN: Not-ECT)0100 10.. = Differentiated Services Codepoint: Assured Forwarding 21 (18).... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)Total Length: 84Identification: 0x3819 (14361)010. .... = Flags: 0x2, Don't fragment...0 0000 0000 0000 = Fragment Offset: 0Time to Live: 63Protocol: ICMP (1)Header Checksum: 0xa814 [validation disabled][Header checksum status: Unverified]Source Address: 172.10.1.10Destination Address: 172.30.2.1
Internet Control Message Protocol

这篇关于ENSP PRO LAB笔记:配置SRv6(Part3)的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/374081

相关文章

SpringCloud动态配置注解@RefreshScope与@Component的深度解析

《SpringCloud动态配置注解@RefreshScope与@Component的深度解析》在现代微服务架构中,动态配置管理是一个关键需求,本文将为大家介绍SpringCloud中相关的注解@Re... 目录引言1. @RefreshScope 的作用与原理1.1 什么是 @RefreshScope1.

SpringBoot日志配置SLF4J和Logback的方法实现

《SpringBoot日志配置SLF4J和Logback的方法实现》日志记录是不可或缺的一部分,本文主要介绍了SpringBoot日志配置SLF4J和Logback的方法实现,文中通过示例代码介绍的非... 目录一、前言二、案例一:初识日志三、案例二:使用Lombok输出日志四、案例三:配置Logback一

springboot security之前后端分离配置方式

《springbootsecurity之前后端分离配置方式》:本文主要介绍springbootsecurity之前后端分离配置方式,具有很好的参考价值,希望对大家有所帮助,如有错误或未考虑完全的... 目录前言自定义配置认证失败自定义处理登录相关接口匿名访问前置文章总结前言spring boot secu

一文详解SpringBoot响应压缩功能的配置与优化

《一文详解SpringBoot响应压缩功能的配置与优化》SpringBoot的响应压缩功能基于智能协商机制,需同时满足很多条件,本文主要为大家详细介绍了SpringBoot响应压缩功能的配置与优化,需... 目录一、核心工作机制1.1 自动协商触发条件1.2 压缩处理流程二、配置方案详解2.1 基础YAML

springboot简单集成Security配置的教程

《springboot简单集成Security配置的教程》:本文主要介绍springboot简单集成Security配置的教程,具有很好的参考价值,希望对大家有所帮助,如有错误或未考虑完全的地方,... 目录集成Security安全框架引入依赖编写配置类WebSecurityConfig(自定义资源权限规则

SpringBoot中封装Cors自动配置方式

《SpringBoot中封装Cors自动配置方式》:本文主要介绍SpringBoot中封装Cors自动配置方式,具有很好的参考价值,希望对大家有所帮助,如有错误或未考虑完全的地方,望不吝赐教... 目录SpringBoot封装Cors自动配置背景实现步骤1. 创建 GlobalCorsProperties

Spring Boot结成MyBatis-Plus最全配置指南

《SpringBoot结成MyBatis-Plus最全配置指南》本文主要介绍了SpringBoot结成MyBatis-Plus最全配置指南,包括依赖引入、配置数据源、Mapper扫描、基本CRUD操... 目录前言详细操作一.创建项目并引入相关依赖二.配置数据源信息三.编写相关代码查zsRArly询数据库数

SpringBoot配置Ollama实现本地部署DeepSeek

《SpringBoot配置Ollama实现本地部署DeepSeek》本文主要介绍了在本地环境中使用Ollama配置DeepSeek模型,并在IntelliJIDEA中创建一个Sprin... 目录前言详细步骤一、本地配置DeepSeek二、SpringBoot项目调用本地DeepSeek前言随着人工智能技

如何自定义Nginx JSON日志格式配置

《如何自定义NginxJSON日志格式配置》Nginx作为最流行的Web服务器之一,其灵活的日志配置能力允许我们根据需求定制日志格式,本文将详细介绍如何配置Nginx以JSON格式记录访问日志,这种... 目录前言为什么选择jsON格式日志?配置步骤详解1. 安装Nginx服务2. 自定义JSON日志格式各

使用Python实现网络设备配置备份与恢复

《使用Python实现网络设备配置备份与恢复》网络设备配置备份与恢复在网络安全管理中起着至关重要的作用,本文为大家介绍了如何通过Python实现网络设备配置备份与恢复,需要的可以参考下... 目录一、网络设备配置备份与恢复的概念与重要性二、网络设备配置备份与恢复的分类三、python网络设备配置备份与恢复实