Introduction to SDA device configuration commands
1.OSPF normally runs outside the fabric; it is the fusion router side that uses OSPF
Selected commands:
interface GigabitEthernet1/0/1
description to_FW_Switch
switchport trunk allowed vlan 301-304
switchport mode trunk
interface Vlan20
vrf forwarding underlay
ip dhcp relay information trusted
ip address 100.126.0.1 255.255.255.252
ip helper-address 10.127.0.1
ip ospf 31 area 0
!
interface Vlan301
vrf forwarding underlay
ip address 100.126.2.2 255.255.255.240
ip ospf 31 area 0
!
interface Vlan302
vrf forwarding campus
ip address 100.126.2.24 255.255.255.240
ip ospf 32 area 0
!
interface Vlan303
vrf forwarding guest
ip address 100.126.2.66 255.255.255.240
ip ospf 33 area 0
!
interface Vlan304
vrf forwarding iot
ip address 100.126.2.130 255.255.255.240
ip ospf 34 area 0
router ospf 31 vrf underlay
capability vrf-lite
redistribute static route-map static2bgp
redistribute bgp 65534 route-map b2o_underlay
!
router ospf 32 vrf campus
capability vrf-lite
redistribute bgp 65534 route-map b2o_campus
!
router ospf 33 vrf guest
capability vrf-lite
redistribute bgp 65534 route-map b2o_guest
!
router ospf 34 vrf iot
capability vrf-lite
redistribute bgp 65534 route-map b2o_iot
ip prefix-list 65533_permit seq 999 permit 0.0.0.0/0 le 32
!
ip prefix-list 65534_deny seq 5 permit 100.124.0.1/32
ip prefix-list 65534_deny seq 10 permit 100.124.0.2/32
!
ip prefix-list 65534_permit seq 999 permit 0.0.0.0/0 le 32
!
ip prefix-list B2O seq 3 permit 0.0.0.0/0 le 32
ip prefix-list B2O seq 5 permit 100.100.0.0/16
ip prefix-list B2O seq 10 permit 100.101.0.0/16
ip prefix-list B2O seq 15 permit 100.99.0.0/16
ip prefix-list B2O seq 20 permit 100.110.0.0/24
ip prefix-list B2O seq 25 permit 100.124.0.0/24 le 32
ip prefix-list B2O seq 30 permit 100.124.128.128/25 le 32
ip prefix-list B2O seq 35 permit 100.124.126.0/23 le 30
ip prefix-list B2O seq 40 permit 100.124.129.0/24
ip prefix-list B2O seq 45 permit 100.124.1.0/24 le 30
!
ip prefix-list O2B seq 5 deny 100.100.0.0/16
ip prefix-list O2B seq 10 deny 100.101.0.0/16
ip prefix-list O2B seq 15 deny 100.99.0.0/16
ip prefix-list O2B seq 20 deny 100.110.0.0/24
ip prefix-list O2B seq 25 deny 100.124.0.0/24 le 32
ip prefix-list O2B seq 30 deny 100.124.128.128/25 le 32
ip prefix-list O2B seq 35 deny 100.124.126.0/23 le 30
ip prefix-list O2B seq 40 deny 100.124.129.0/24
ip prefix-list O2B seq 45 deny 100.124.1.0/24 le 30
ip prefix-list O2B seq 888 permit 10.127.0.1/32
ip prefix-list O2B seq 999 permit 0.0.0.0/0
!
ip prefix-list b2o_campus seq 5 permit 100.100.0.0/16
ip prefix-list b2o_campus seq 10 permit 100.101.0.0/16
!
ip prefix-list b2o_guest seq 5 permit 100.99.0.0/16
!
ip prefix-list b2o_iot seq 5 permit 100.110.0.0/24
!
ip prefix-list b2o_underlay seq 5 permit 100.124.126.0/23 le 32
ip prefix-list b2o_underlay seq 10 permit 100.126.1.0/24
ip prefix-list b2o_underlay seq 15 permit 100.124.128.128/25
ip prefix-list b2o_underlay seq 20 permit 100.124.0.1/32
ip prefix-list b2o_underlay seq 25 permit 100.124.0.2/32
!
ip prefix-list default seq 5 permit 0.0.0.0/0
!
ip prefix-list static2bgp seq 5 permit 100.124.0.1/32
ip prefix-list static2bgp seq 10 permit 100.124.0.2/32
!
route-map b2o_guest permit 10
match ip address prefix-list b2o_guest
!
route-map b2o_iot permit 10
match ip address prefix-list b2o_iot
!
route-map to65534 deny 10
match ip address prefix-list 65534_deny
!
route-map to65534 permit 20
match ip address prefix-list 65534_permit
!
route-map to65533 permit 20
match ip address prefix-list 65533_permit
!
route-map o2b permit 10
match ip address prefix-list O2B
!
route-map b2o permit 10
match ip address prefix-list B2O
!
route-map static2bgp permit 10
match tag 999
!
route-map default permit 10
match ip address prefix-list default
!
route-map b2o_campus permit 10
match ip address prefix-list b2o_campus
!
route-map b2o_underlay permit 10
match ip address prefix-list b2o_underlay
Above, a separate OSPF process is created for each VRF. Routes redistributed from BGP are filtered by the combination of prefix-list and route-map, which drops unwanted entries before the remainder enters the corresponding OSPF process and is advertised.
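The prefix-list and route-map filtering described above, as an added example that is not part of the original page or of any Cisco tool: an offline evaluator in Python that reproduces IOS first-match prefix-list semantics (exact length without ge/le, a length range with ge/le, implicit deny at the end) and route-map clause ordering (a matching deny clause drops the route, no matching clause means deny). POLICY is a constructed excerpt of the page's own O2B, B2O and to65534 filters; the parser, function names and the tuple layout are this example's assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the O2B, B2O and to65534 filters shown above, not a live config.
POLICY = """
ip prefix-list O2B seq 45 deny 100.124.1.0/24 le 30
ip prefix-list O2B seq 999 permit 0.0.0.0/0
ip prefix-list B2O seq 3 permit 0.0.0.0/0 le 32
ip prefix-list 65534_deny seq 5 permit 100.124.0.1/32
ip prefix-list 65534_permit seq 999 permit 0.0.0.0/0 le 32
route-map to65534 deny 10
 match ip address prefix-list 65534_deny
route-map to65534 permit 20
 match ip address prefix-list 65534_permit
"""
PL_RE = re.compile(r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")

def parse(text):
    """Return ({list: [(seq, action, net, lo, hi)]}, {map: [[seq, action, list]]})."""
    plists, rmaps, clause = {}, {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = PL_RE.match(line)
        if m:
            name, seq, action, cidr, ge, le = m.groups()
            net = ipaddress.ip_network(cidr)
            lo = int(ge) if ge else net.prefixlen                  # no ge: own length
            hi = int(le) if le else (32 if ge else net.prefixlen)  # no ge/le: exact only
            plists.setdefault(name, []).append((int(seq), action, net, lo, hi))
        elif line.startswith("route-map "):
            _, name, action, seq = line.split()
            clause = [int(seq), action, None]  # None: no match line, clause matches all
            rmaps.setdefault(name, []).append(clause)
        elif line.startswith("match ip address prefix-list ") and clause:
            clause[2] = line.split()[-1]
    return {k: sorted(v) for k, v in plists.items()}, rmaps

def prefix_list_permits(entries, prefix):
    p = ipaddress.ip_network(prefix)
    for _seq, action, net, lo, hi in entries:    # first matching entry decides
        if p.subnet_of(net) and lo <= p.prefixlen <= hi:
            return action == "permit"
    return False                                  # implicit deny at end of list

def route_map_permits(plists, rmaps, name, prefix):
    for _seq, action, plist in rmaps[name]:      # clauses run in sequence order
        if plist is None or prefix_list_permits(plists.get(plist, []), prefix):
            return action == "permit"             # a deny clause drops the route
    return False                                  # no clause matched: implicit deny

PLISTS, RMAPS = parse(POLICY)
```

Running it against the page's entries shows the difference between the two default-route lines: O2B seq 999 `permit 0.0.0.0/0` matches only the default route itself, so anything not explicitly permitted earlier hits the implicit deny, whereas B2O seq 3 `permit 0.0.0.0/0 le 32` matches every prefix and makes the later B2O entries unreachable.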
2.BGP:
router bgp 65533
bgp router-id interface Loopback0
bgp log-neighbor-changes
bgp graceful-restart
neighbor 100.126.1.13 remote-as 65534
neighbor 100.126.1.13 update-source Vlan3011
!
address-family ipv4
bgp redistribute-internal #allow iBGP-learned routes to be redistributed into other protocols
bgp aggregate-timer 0 #generate aggregate routes immediately instead of waiting for the component routes to converge
network 100.124.0.2 mask 255.255.255.255
network 100.124.126.0 mask 255.255.254.0
network 100.124.128.129 mask 255.255.255.255
network 100.126.1.12 mask 255.255.255.252
aggregate-address 100.124.128.128 255.255.255.128 summary-only #summarize (aggregate) the prefix 100.124.128.128/25; summary-only advertises only the aggregate and suppresses the more-specific component routes
redistribute lisp metric 10 route-map LISP_TO_BGP #inject routes learned by LISP into BGP
neighbor 100.126.1.13 activate
neighbor 100.126.1.13 send-community both #send both standard and extended community attributes (community and extended-community) to this neighbor
neighbor 100.126.1.13 weight 65535 #set weight 65535 on every route received from this neighbor; weight is a Cisco-specific BGP path-selection attribute, higher values are preferred, commonly used for primary/backup path selection (e.g. primary neighbor weight 65535, backup neighbor at the default weight)
neighbor 100.126.1.13 advertisement-interval 0 #set the minimum interval between UPDATE messages to this neighbor to 0 seconds (send immediately)
exit-address-family
!
address-family vpnv4
bgp redistribute-internal
bgp aggregate-timer 0
exit-address-family
!
address-family ipv4 vrf Campus
bgp aggregate-timer 0
network 100.100.0.0 mask 255.255.0.0
network 100.101.0.0 mask 255.255.0.0
network 100.126.1.16 mask 255.255.255.252
network 100.126.10.28 mask 255.255.255.252
network 100.139.255.254 mask 255.255.255.255
network 100.150.0.1 mask 255.255.255.255
network 100.200.200.254 mask 255.255.255.255
aggregate-address 100.200.200.0 255.255.255.0 summary-only
aggregate-address 100.150.0.0 255.255.0.0 summary-only
aggregate-address 100.139.0.0 255.255.0.0 summary-only
aggregate-address 100.101.0.0 255.255.0.0 summary-only
aggregate-address 100.100.0.0 255.255.0.0 summary-only
redistribute lisp metric 10 route-map LISP_TO_BGP
neighbor 100.126.1.17 remote-as 65534
neighbor 100.126.1.17 update-source Vlan3012
neighbor 100.126.1.17 activate
neighbor 100.126.1.17 send-community both
neighbor 100.126.1.17 weight 65535
neighbor 100.126.10.29 remote-as 63901
neighbor 100.126.10.29 update-source Vlan635
neighbor 100.126.10.29 activate
neighbor 100.126.10.29 send-community both
neighbor 100.126.10.29 weight 65535
exit-address-family
!
address-family ipv4 vrf Guest
bgp aggregate-timer 0
network 100.99.0.0 mask 255.255.0.0
network 100.111.0.1 mask 255.255.255.255
network 100.126.1.20 mask 255.255.255.252
network 100.199.199.1 mask 255.255.255.255
aggregate-address 100.199.199.0 255.255.255.128 summary-only
aggregate-address 100.111.0.0 255.255.255.0 summary-only
aggregate-address 100.99.0.0 255.255.0.0 summary-only
redistribute lisp metric 10 route-map LISP_TO_BGP
neighbor 100.126.1.21 remote-as 65534
neighbor 100.126.1.21 update-source Vlan3013
neighbor 100.126.1.21 activate
neighbor 100.126.1.21 send-community both
neighbor 100.126.1.21 weight 65535
exit-address-family
!
address-family ipv4 vrf IOT
bgp aggregate-timer 0
network 100.110.0.0 mask 255.255.255.0
network 100.126.1.24 mask 255.255.255.252
aggregate-address 100.110.0.0 255.255.255.0 summary-only
redistribute lisp metric 10 route-map LISP_TO_BGP
neighbor 100.126.1.25 remote-as 65534
neighbor 100.126.1.25 update-source Vlan3014
neighbor 100.126.1.25 activate
neighbor 100.126.1.25 send-community both
neighbor 100.126.1.25 weight 65535
exit-address-family
3.SGT
1.cts role-based sgt-map vrf [VRF] [IP] sgt [number] maps an IP address to an SGT
2.cts role-based enforcement enables SGT-based policy enforcement
3.cts role-based enforcement vlan-list 1011,1022,1025-1026 specifies the VLANs on which the policy is enforced
4.Show the current SGT mappings: show cts role-based sgt-map
5.Show policy enforcement statistics: show cts role-based counters
4.IS-IS
interface GigabitEthernet1/0/10
description Fabric Physical Link
no switchport
dampening #enable interface flap dampening so that frequent up/down transitions do not cause route churn
ip address 100.124.126.8 255.255.255.254
no ip redirects #disable ICMP redirects so the router does not send ICMP Redirect messages to hosts
ip router isis
load-interval 30 #set the interval over which interface load statistics are computed to 30 seconds
no cts role-based enforcement #disable Cisco TrustSec role-based (RBAC) policy enforcement on this interface
bfd interval 250 min_rx 250 multiplier 3 #transmit interval 250 ms, minimum receive interval 250 ms, multiplier 3 → total detection time 250 * 3 = 750 ms
clns mtu 1492 #set the maximum transmission unit (MTU) for CLNS (Connectionless Network Service)
isis network point-to-point #force the IS-IS network type on this interface to point-to-point, skipping the designated router (DIS) election and speeding up adjacency formation
5.router isis
net 49.0000.25a1.b34f.9a2a.00
is-type level-2-only #make this router a Level-2-only router that takes part only in backbone route computation
metric-style wide #enable wide metrics, which allow much larger link costs (up to 16,777,215) than the traditional narrow metric (maximum 63)
log-adjacency-changes #log a message whenever an IS-IS adjacency changes state (e.g. up/down)
nsf ietf #enable NSF (Non-Stop Forwarding) so that forwarding continues across a control-plane switchover (e.g. a supervisor engine switchover)
default-information originate #have this router advertise a default route into the IS-IS domain
bfd all-interfaces #enable BFD (Bidirectional Forwarding Detection) on every IS-IS-enabled interface for millisecond-level failure detection