CISCO SD-WAN Catalyst Segmentation

Segmentation

Note: To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.

Network segmentation has existed for over a decade and has been implemented in multiple forms and shapes.
At its most rudimentary level, segmentation provides traffic isolation. The most common forms of network segmentation are virtual LANs, or VLANs, for Layer 2 solutions, and virtual routing and forwarding, or VRF, for Layer 3 solutions.
There are many use cases for segmentation:

Use Cases for Segmentation

  • An enterprise wants to keep different lines of business separate (for example, for security or audit reasons).
  • The IT department wants to keep authenticated users separate from guest users.
  • A retail store wants to separate video surveillance traffic from transactional traffic.
  • An enterprise wants to give business partners selective access only to some portions of the network.
  • A service or business needs to enforce regulatory compliance, such as compliance with HIPAA, the U.S. Health Insurance Portability and Accountability Act, or with the Payment Card Industry (PCI) security standards.
  • A service provider wants to provide VPN services to its medium-sized enterprises.

Limitations of Segmentation

One inherent limitation of segmentation is its scope. Segmentation solutions either are complex or are limited to a single device or a pair of devices connected using an interface. As an example, Layer 3 segmentation provides the following:

  1. Ability to group prefixes into a unique route table (RIB or FIB).
  2. Ability to associate an interface with a route table so that traffic traversing the interface is routed based on prefixes in that route table.

This is useful functionality, but its scope is limited to a single device. To extend the functionality throughout the network, the segmentation information needs to be carried to the relevant points in the network.

How to Enable Network-Wide Segmentation

There are two approaches to providing this network-wide segmentation:

  • Define the grouping policy at every device and on every link in the network (basically, you perform Steps 1 and 2 above on every device).
  • Define the grouping policy at the edges of the segment, and then carry the segmentation information in the packets for intermediate nodes to handle.

The first approach is useful if every device is an entry or exit point for the segment, which is generally not the case in medium and large networks. The second approach is much more scalable and keeps the transport network free of segments and complexity.

  • Segmentation in Cisco Catalyst SD-WAN
  • VRFs Used in Cisco Catalyst SD-WAN Segmentation
  • Configure VRF Using Cisco SD-WAN Manager Templates
  • Configure VPNs Using Cisco SD-WAN Manager Templates
  • Configure Segmentation Using the CLI
  • Segmentation CLI Reference

Segmentation in Cisco Catalyst SD-WAN

In the Cisco Catalyst SD-WAN overlay network, VRFs divide the network into different segments.
Cisco Catalyst SD-WAN employs the more prevalent and scalable model of creating segments. Essentially, segmentation is done at the edges of a router, and the segmentation information is carried in the packets in the form of an identifier.
The figure shows the propagation of routing information inside a VRF.
Figure 1: Propagation of Routing Information Inside a VRF

In this figure:

  • Router-1 subscribes to two VRFs, red and blue.
  • The red VRF services the prefix 10.1.1.0/24 (either directly through a connected interface or learned using the IGP or BGP).
  • The blue VRF services the prefix 10.2.2.0/24 (either directly through a connected interface or learned using the IGP or BGP).
  • Router-2 subscribes to the red VRF.
    • This VRF services the prefix 192.168.1.0/24 (either directly through a connected interface or learned using the IGP or BGP).
  • Router-3 subscribes to the blue VRF.
    • This VRF services the prefix 192.168.2.0/24 (either directly through a connected interface or learned using the IGP or BGP).

Because each router has an Overlay Management Protocol (OMP) connection over a TLS tunnel to a Cisco SD-WAN Controller, it propagates its routing information to the Cisco SD-WAN Controller. On the Cisco SD-WAN Controller, the network administrator can enforce policies to drop routes, or to change TLOCs, which are overlay next hops, for traffic engineering or service chaining. A network administrator can apply these policies as inbound and outbound policies on the Cisco SD-WAN Controller.
All prefixes belonging to a single VRF are kept in a separate route table. This provides the Layer 3 isolation required for the various segments in the network. So, Router-1 has two VRF route tables, and Router-2 and Router-3 each have one route table. In addition, the Cisco SD-WAN Controller maintains the VRF context of each prefix.
Separate route tables provide isolation on a single node. So how is routing information propagated across the network?
In the Cisco Catalyst SD-WAN solution, this is done using VRF identifiers, as shown in the figure below. A VRF ID, carried in a packet, identifies each VRF on a link. When you configure a VRF on a router, the VRF has a label associated with it. The router sends the label, along with the VRF ID, to the Cisco SD-WAN Controller. The Cisco SD-WAN Controller propagates this router-to-VRF-ID mapping information to the other routers in the domain. The remote routers then use this label to send traffic to the appropriate VRF. The local routers, on receiving data with the VRF ID label, use the label to demultiplex the data traffic. This is similar to how MPLS labels are used. This design is based on standard RFCs and is compliant with regulatory procedures such as PCI and HIPAA.

Figure 2: VRF Identifiers

Note: The transport network that connects the routers is completely unaware of the VRFs. Only the routers know about VRFs; the rest of the network follows standard IP routing.
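The propagation and label handling described above can be traced with a small model of the Figure 1 topology. This is an added example, not Cisco code: the class and function names, the VRF IDs 1 and 2 for "red" and "blue", and the label values are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

RED, BLUE = 1, 2  # constructed VRF IDs standing in for the "red" and "blue" VRFs


class Controller:
    """Keeps the VRF context of every prefix it learns over OMP."""

    def __init__(self):
        self.routes = defaultdict(list)  # vrf_id -> [(prefix, origin router, label)]

    def advertise(self, router, vrf_id, label, prefix):
        self.routes[vrf_id].append((prefix, router, label))

    def routes_for(self, vrf_ids):
        # A router only receives routes for the VRFs it subscribes to.
        return {v: list(self.routes[v]) for v in vrf_ids}


class EdgeRouter:
    def __init__(self, name, labels):
        self.name = name
        self.label_of = dict(labels)  # vrf_id -> label this router assigned
        self.vrf_of = {lab: vrf for vrf, lab in self.label_of.items()}
        self.local = defaultdict(list)  # vrf_id -> prefixes serviced locally
        self.remote = {}  # vrf_id -> routes learned from the controller

    def attach(self, vrf_id, prefix):
        self.local[vrf_id].append(ipaddress.ip_network(prefix))

    def publish(self, controller):
        for vrf_id, prefixes in self.local.items():
            for prefix in prefixes:
                controller.advertise(self.name, vrf_id, self.label_of[vrf_id], prefix)

    def learn(self, controller):
        self.remote = controller.routes_for(self.label_of)

    def encapsulate(self, vrf_id, dst):
        """Sending side: longest-prefix match in ONE VRF table only.
        Returns (remote router, label to put in the packet) or None."""
        addr, best = ipaddress.ip_address(dst), None
        for prefix, router, label in self.remote.get(vrf_id, []):
            if router != self.name and addr in prefix:
                if best is None or prefix.prefixlen > best[0].prefixlen:
                    best = (prefix, router, label)
        return None if best is None else (best[1], best[2])

    def demultiplex(self, label):
        """Receiving side: the label in the packet selects the VRF table."""
        return self.vrf_of.get(label)


def build_figure_topology():
    ctrl = Controller()
    r1 = EdgeRouter("Router-1", {RED: 1001, BLUE: 1002})  # labels are constructed
    r2 = EdgeRouter("Router-2", {RED: 2001})
    r3 = EdgeRouter("Router-3", {BLUE: 3002})
    r1.attach(RED, "10.1.1.0/24")
    r1.attach(BLUE, "10.2.2.0/24")
    r2.attach(RED, "192.168.1.0/24")
    r3.attach(BLUE, "192.168.2.0/24")
    for r in (r1, r2, r3):
        r.publish(ctrl)
    for r in (r1, r2, r3):
        r.learn(ctrl)
    return ctrl, r1, r2, r3


if __name__ == "__main__":
    _, r1, r2, r3 = build_figure_topology()
    print("Router-2 red  -> 10.1.1.5 :", r2.encapsulate(RED, "10.1.1.5"))
    print("Router-2 red  -> 10.2.2.5 :", r2.encapsulate(RED, "10.2.2.5"))
    print("Router-1 demux label 1002 :", r1.demultiplex(1002))
```

Router-2 never holds a route to the blue prefix 10.2.2.0/24, so traffic from the red segment has no path into the blue one unless a policy on the controller deliberately provides it.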

VRFs Used in Cisco Catalyst SD-WAN Segmentation

The Cisco Catalyst SD-WAN solution involves the use of VRFs to separate traffic.

Global VRF

The global VRF is used for transport. To enforce the inherent separation between services (such as prefixes that belong to the enterprise) and transport (the network that connects the routers), all the transport interfaces, that is, all the TLOCs, are kept in the global VRF. This ensures that the transport network cannot reach the service network by default. Multiple transport interfaces can belong to the same VRF, and packets can be forwarded to and from transport interfaces.
The global VRF contains all interfaces for a device, except the management interface, and all the interfaces are disabled. For the control plane to establish itself so that the overlay network can function, you must configure tunnel interfaces in the global VRF. For each interface in the global VRF, you must set an IP address, and create a tunnel connection that sets the color and encapsulation for the WAN transport connection. (The encapsulation is used for the transmission of data traffic.) These three parameters (IP address, color, and encapsulation) define a TLOC (transport location) on the router. The OMP session running on each tunnel sends the TLOC to the Cisco SD-WAN Controllers so that they can learn the overlay network topology.

Dual-Stack Support on Transport VPNs

In the global VRF, Cisco IOS XE Catalyst SD-WAN devices and the Cisco SD-WAN Controller support dual stack. To enable dual stack, configure an IPv4 address and an IPv6 address on the tunnel interface. The router learns from the Cisco SD-WAN Controller whether a destination supports IPv4 or IPv6 addresses. When forwarding traffic, the router chooses either the IPv4 or the IPv6 TLOC, based on the destination address. But IPv4 is always preferred when configured.

Management VRF

Mgmt-Intf is the management VRF on Cisco IOS XE Catalyst SD-WAN devices. It is configured and enabled by default. It carries out-of-band network management traffic among the devices in the overlay network. You can modify this configuration, if required.

Configure VRF Using Cisco SD-WAN Manager Templates

In Cisco SD-WAN Manager, use a CLI template to configure VRFs for a device. For each VRF, configure a subinterface and link the subinterface to the VRF. You can configure up to 300 VRFs.
When you push a CLI template to a device, Cisco SD-WAN Manager overwrites the existing configuration on the device and loads the configuration defined in the CLI template. Consequently, the template cannot provide only the new content being configured, such as VRFs. The CLI template must include all the configuration details required by the device. To display the relevant configuration details on a device, use the show sdwan running-config command.
For details about creating and applying CLI templates, and for an example of configuring VRFs, see the CLI Templates for Cisco IOS XE Catalyst SD-WAN Routers chapter of the Systems and Interfaces Configuration Guide, Cisco IOS XE Release 17.x.
The following are the supported devices:

  • Cisco ASR1001-HX
  • Cisco ASR1002-HX

Configure VPNs Using Cisco SD-WAN Manager Templates

Create a VPN Template

Note: Cisco IOS XE Catalyst SD-WAN devices use VRFs for segmentation and network isolation. However, the following steps still apply if you are configuring segmentation for Cisco IOS XE Catalyst SD-WAN devices through Cisco SD-WAN Manager. When you complete the configuration, the system automatically converts the VPNs to VRFs for Cisco IOS XE Catalyst SD-WAN devices.

Note: You can configure a static route through the VPN template.

  • Step 1 From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
  • Step 2 Click Device Templates, and click Create Template.
    Note: In Cisco vManage Release 20.7.x and earlier releases, Device Templates is called Device.
  • Step 3 From the Create Template drop-down list, choose From Feature Template.
  • Step 4 From the Device Model drop-down list, choose the type of device for which you want to create the template.
  • Step 5 To create a template for VPN 0 or VPN 512:
    a. Click Transport & Management VPN, or scroll to the Transport & Management VPN section.
    b. From the VPN 0 or VPN 512 drop-down list, click Create Template. The VPN template form appears.
    The form contains fields for naming the template, and fields for defining VPN parameters.
  • Step 6 To create a template for VPNs 1 through 511, and 513 through 65527:
    a. Click Service VPN, or scroll to the Service VPN section.
    b. Click the Service VPN drop-down list.
    c. From the VPN drop-down list, click Create Template. The VPN template form displays.
    The form contains fields for naming the template, and fields for defining VPN parameters.
  • Step 7 In Template Name, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  • Step 8 In Template Description, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

Configure Basic VPN Parameters

To configure basic VPN parameters, choose Basic Configuration and then configure the following parameters.
Parameters marked with an asterisk are required to configure a VPN.

Parameter Name: Description
VPN: Enter the numeric identifier of the VPN.
  Range for Cisco IOS XE Catalyst SD-WAN devices: 0 through 65527
  Values for Cisco Catalyst SD-WAN Controller and Cisco SD-WAN Manager devices: 0, 512
Name: Enter a name for the VPN.
  Note: For Cisco IOS XE Catalyst SD-WAN devices, you cannot enter a device-specific name for the VPN.
Enhance ECMP keying: Click On to enable the use of Layer 4 source and destination ports, in addition to the combination of the source and destination IP addresses, as the ECMP hash key.
  ECMP keying is Off by default.

Note: To complete the configuration of the transport VPN on a router, you must configure at least one interface in VPN 0.

To save the feature template, click Save.

Configure the Load-Balancing Algorithm Using the CLI

Note: Starting from Cisco IOS XE Catalyst SD-WAN Release 17.8.1a, you need a CLI template to configure the src-only load-sharing algorithm for IPv4 and IPv6 Cisco Catalyst SD-WAN and non Cisco Catalyst SD-WAN traffic. For complete details on the load-sharing algorithm CLI, see the IP Commands list.

The following provides the CLI configurations for selecting a Cisco Express Forwarding load-balancing algorithm for non Cisco Catalyst SD-WAN IPv4 and IPv6 traffic. You can enable ECMP keying to send the configurations for both IPv4 and IPv6.

Device# config-transaction
Device(config)# ip cef load-sharing algorithm {universal [id] | include-ports [source [id] | destination [id]] | src-only [id]}

Device# config-transaction
Device(config)# ipv6 cef load-sharing algorithm {universal [id] | include-ports [source [id] | destination [id]] | src-only [id]}

The following provides the CLI configurations for enabling a load-balancing algorithm on an interface for Cisco Catalyst SD-WAN IPv4 and IPv6 traffic. You can enable ECMP keying to send the configurations for both IPv4 and IPv6.

Device# config-transaction
Device(config)# sdwan
Device(config-sdwan)# ip load-sharing algorithm {ip-and-ports | src-dst-ip | src-ip-only}

Device# config-transaction
Device(config)# sdwan
Device(config-sdwan)# ipv6 load-sharing algorithm {ip-and-ports | src-dst-ip | src-ip-only}

Configure Basic Interface Functionality

To configure basic interface functionality in a VPN, choose Basic Configuration and configure the following parameters:

Note: Parameters marked with an asterisk are required to configure an interface.

Parameter Name (IPv4 or IPv6; Options): Description
Shutdown*: Click No to enable the interface.
Interface name*: Enter a name for the interface.

For Cisco IOS XE Catalyst SD-WAN devices, you must:

  • Spell out the interface names completely (for example, GigabitEthernet0/0/0).
  • Configure all the router's interfaces, even if you are not using them, so that they are configured in the shutdown state and so that all default values for them are configured.

Description: Enter a description for the interface.
IPv4/IPv6: Click IPv4 to configure an IPv4 VPN interface. Click IPv6 to configure an IPv6 interface.
Dynamic: Click Dynamic to set the interface as a Dynamic Host Configuration Protocol (DHCP) client, so that the interface receives its IP address from a DHCP server.
  DHCP Distance (Both): Optionally, enter an administrative distance value for routes learned from a DHCP server. Default is 1.
  DHCP Rapid Commit (IPv6): Optionally, configure the DHCP IPv6 local server to support DHCP Rapid Commit, to enable faster client configuration and confirmation in busy environments.
    Click On to enable DHCP rapid commit.
    Click Off to continue using the regular commit process.
Static: Click Static to enter an IP address that does not change.
  IPv4 Address (IPv4): Enter a static IPv4 address.
  IPv6 Address (IPv6): Enter a static IPv6 address.
Secondary IP Address (IPv4): Click Add to enter up to four secondary IPv4 addresses for a service-side interface.
IPv6 Address (IPv6): Click Add to enter up to two secondary IPv6 addresses for a service-side interface.
DHCP Helper (Both): To designate the interface as a DHCP helper on a router, enter up to eight IP addresses, separated by commas, for DHCP servers in the network. A DHCP helper interface forwards BootP (broadcast) DHCP requests that it receives from the specified DHCP servers.
Block Non-Source IP (Yes / No): Click Yes to have the interface forward traffic only if the source IP address of the traffic matches the interface's IP prefix range. Click No to allow other traffic.

Create a Tunnel Interface

On Cisco IOS XE Catalyst SD-WAN devices, you can configure up to eight tunnel interfaces. This means that each Cisco IOS XE Catalyst SD-WAN device router can have up to eight TLOCs. On Cisco Catalyst SD-WAN Controllers and Cisco SD-WAN Manager, you can configure one tunnel interface.
For the control plane to establish itself so that the overlay network can function, you must configure WAN transport interfaces in VPN 0. The WAN interface enables the flow of tunnel traffic to the overlay. You can add the other parameters shown in the table below only after you configure the WAN interface as a tunnel interface.
To configure a tunnel interface, choose Tunnel Interface and configure the following parameters:

Parameter Name: Description
Tunnel Interface: Click On to create a tunnel interface.
Color: Choose a color for the TLOC.
Port Hop: Click On to enable port hopping, or click Off to disable it. If port hopping is enabled globally, you can disable it on an individual TLOC (tunnel interface). To control port hopping on a global level, use the System configuration template.
  Default: Enabled. Cisco SD-WAN Manager and Cisco Catalyst SD-WAN Controller default: Disabled
TCP MSS: TCP MSS affects any packet that contains an initial TCP header that flows through the router. When configured, the TCP MSS is examined against the MSS exchanged in the three-way handshake. The MSS in the header is lowered if the configured TCP MSS setting is lower than the MSS in the header. If the MSS header value is already lower than the TCP MSS, the packets flow through unmodified. The host at the end of the tunnel uses the lower setting of the two hosts. If the TCP MSS is to be configured, it should be set at 40 bytes lower than the minimum path MTU.
  Specify the MSS of TCP SYN packets passing through the Cisco IOS XE Catalyst SD-WAN device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 552 to 1460 bytes. Default: None
Clear-Dont-Fragment: Configure Clear-Dont-Fragment for packets that arrive at an interface that has Don't Fragment configured. If these packets are larger than what the MTU allows, they are dropped. If you clear the Don't Fragment bit, the packets are fragmented and sent.
  Click On to clear the Dont Fragment bit in the IPv4 packet header for packets being transmitted out of the interface. When the Dont Fragment bit is cleared, packets larger than the MTU of the interface are fragmented before being sent.
  Note: Clear-Dont-Fragment clears the Dont Fragment bit on packets that have the Dont Fragment bit set. For packets that do not require fragmentation, the Dont Fragment bit is not affected.
Allow Service: Choose On or Off for each service to allow or disallow the service on the interface.

To configure additional tunnel interface parameters, click Advanced Options:

Parameter Name: Description
Carrier: Choose the carrier name or private network identifier to associate with the tunnel.
  Values: carrier1, carrier2, carrier3, carrier4, carrier5, carrier6, carrier7, carrier8, default
  Default: default
NAT Refresh Interval: Enter the interval between NAT refresh packets sent on a DTLS or TLS WAN transport connection.
  Range: 1 through 60 seconds
  Default: 5 seconds
Hello Interval: Enter the interval between Hello packets sent on a DTLS or TLS WAN transport connection.
  Range: 100 through 10000 milliseconds
  Default: 1000 milliseconds (1 second)
Hello Tolerance: Enter the time to wait for a Hello packet on a DTLS or TLS WAN transport connection before declaring that transport tunnel to be down.
  Range: 12 through 60 seconds
  Default: 12 seconds

Configure DNS and Static Hostname Mapping

To configure DNS addresses and static hostname mapping, click DNS and configure the following parameters:

Parameter Name (Options): Description
Primary DNS Address: Click either IPv4 or IPv6, and enter the IP address of the primary DNS server in this VPN.
New DNS Address: Click New DNS Address and enter the IP address of a secondary DNS server in this VPN. This field appears only if you have specified a primary DNS address.
  Mark as Optional Row: Check the Mark as Optional Row check box to mark this configuration as device-specific. To include this configuration for a device, enter the requested variable values when you attach a device template to a device, or create a template variables spreadsheet to apply the variables.
  Hostname: Enter the hostname of the DNS server. The name can be up to 128 characters.
  List of IP Addresses: Enter up to eight IP addresses to associate with the hostname. Separate the entries with commas.
  To save the DNS server configuration, click Add.

To save the feature template, click Save.

Mapping Host Names to IP Addresses

! IP DNS-based host name-to-address translation is enabled
ip domain lookup
! Specifies hosts 192.168.1.111 and 192.168.1.2 as name servers
ip name-server 192.168.1.111 192.168.1.2
! Defines cisco.com as the default domain name the device uses to complete
! unqualified host names
ip domain name cisco.com

Configure Segmentation Using the CLI

Configure VRFs Using the CLI

To segment user networks and user data traffic locally at each site and to interconnect user sites across the overlay network, you create VRFs on Cisco IOS XE Catalyst SD-WAN devices. To enable the flow of data traffic, you associate interfaces with each VRF, assigning an IP address to each interface. These interfaces connect to local-site networks, not to WAN transport clouds. For each of these VRFs, you can set other interface-specific properties, and you can configure features specific to the user segment, such as BGP and OSPF routing, VRRP, QoS, traffic shaping, and policing.
On Cisco IOS XE Catalyst SD-WAN devices, the global VRF is used for transport. All Cisco IOS XE Catalyst SD-WAN devices have Mgmt-intf as the default management VRF.
To configure VRFs on Cisco IOS XE Catalyst SD-WAN devices, follow these steps.

Note:

  • Use the config-transaction command to open CLI configuration mode. The config terminal command is not supported on Cisco IOS XE Catalyst SD-WAN devices.
  • The VRF ID can be any number between 1 through 511 and 513 through 65535. The numbers 0 and 512 are reserved for Cisco SD-WAN Manager and Cisco SD-WAN Controller.
  1. Configure service VRFs.
    config-transaction
    vrf definition 10
    rd 1:10
    address-family ipv4
    exit-address-family
    exit
    address-family ipv6
    exit-address-family
    exit
    exit
  2. Configure the tunnel interface to be used for overlay connectivity. Each tunnel interface binds to a single WAN interface. For example, if the router interface is Gig0/0/2, the tunnel interface number is 2.
    config-transaction
    interface Tunnel 2
    no shutdown
    ip unnumbered GigabitEthernet1
    tunnel source GigabitEthernet1
    tunnel mode sdwan
    exit
  3. If the router is not connected to a DHCP server, configure the IP address of the WAN interface.
    interface GigabitEthernet 1
    no shutdown
    ip address dhcp
  4. Configure tunnel parameters.
    config-transaction
    sdwan
    interface GigabitEthernet 2
    tunnel-interface
    encapsulation ipsec
    color lte
    end
    Note: If an IP address is manually configured on the router, configure a default route as shown below. The IP address below indicates a next-hop IP address.
    config-transaction
    ip route 0.0.0.0 0.0.0.0 192.0.2.25
  5. Enable OMP to advertise the VRF segment.
    sdwan
    omp
    no shutdown
    graceful-restart
    no as-dot-notation
    timers
    holdtime 15
    graceful-restart-timer 120
    exit
    address-family ipv4
    advertise ospf external
    advertise connected
    advertise static
    exit
    address-family ipv6
    advertise ospf external
    advertise connected
    advertise static
    exit
    address-family ipv4 vrf 1
    advertise bgp
    exit
    exit
  6. Configure the service VRF interface.
    config-transaction
    interface GigabitEthernet 2
    no shutdown
    vrf forwarding 10
    ip address 192.0.2.2 255.255.255.0
    exit

Verify Configuration

Run the show ip vrf brief command to view information about the VRF interface.

Device# sh ip vrf brief

Name                             Default RD            Interfaces
10                               1:10                  Gi4
11                               1:11                  Gi3
30                               1:30
65528                            <not set>             Lo65528
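The two rules this page states for the CLI procedure (service VRF IDs must avoid 0 and 512, and every TLOC stays in the global VRF) can be checked offline against a saved configuration. The script below is an added example, not a Cisco tool: the function names, the finding labels and the sample configuration are constructed, and the parser assumes the indented layout of a saved running configuration.

```python
# Constructed sample in the style of a saved running configuration; not from a real device.
SAMPLE_CONFIG = """\
vrf definition 10
 rd 1:10
!
vrf definition 512
 rd 1:512
!
interface GigabitEthernet1
 ip address dhcp
!
interface GigabitEthernet 2
 vrf forwarding 10
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet4
 vrf forwarding 20
!
sdwan
 interface GigabitEthernet1
  tunnel-interface
   encapsulation ipsec
   color lte
 !
 interface GigabitEthernet 2
  tunnel-interface
   encapsulation ipsec
   color lte
 !
!
"""


def vrf_id_allowed(vrf_id):
    """Service VRF range from the note above: 1-511 and 513-65535 (0 and 512 reserved)."""
    return 1 <= vrf_id <= 511 or 513 <= vrf_id <= 65535


def parse(config):
    """Return (defined VRFs, {interface: VRF or None}, interfaces with a tunnel-interface)."""
    defined, iface_vrf, tunnels = set(), {}, set()
    top = iface = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():  # top-level command
            top, iface = words[0], None
            if words[:2] == ["vrf", "definition"]:
                defined.add(words[2])
            elif top == "interface":
                iface = "".join(words[1:])  # "GigabitEthernet 2" -> "GigabitEthernet2"
                iface_vrf.setdefault(iface, None)
        elif top == "interface" and words[:2] == ["vrf", "forwarding"]:
            iface_vrf[iface] = words[2]
        elif top == "sdwan" and words[0] == "interface":
            iface = "".join(words[1:])
        elif top == "sdwan" and words[0] == "tunnel-interface" and iface:
            tunnels.add(iface)
    return defined, iface_vrf, tunnels


def audit(config):
    """Return a list of (finding, object) tuples; an empty list means no rule was broken."""
    defined, iface_vrf, tunnels = parse(config)
    findings = []
    for vrf in sorted(defined):
        if vrf.isdigit() and not vrf_id_allowed(int(vrf)):
            findings.append(("reserved-vrf-id", vrf))
    for iface, vrf in sorted(iface_vrf.items()):
        if vrf is None:
            continue  # interface stays in the global VRF
        if vrf not in defined:
            findings.append(("undefined-vrf", iface))
        if iface in tunnels:  # a TLOC must stay in the global VRF
            findings.append(("transport-in-service-vrf", iface))
    return findings


if __name__ == "__main__":
    for finding, obj in audit(SAMPLE_CONFIG):
        print(f"{finding}: {obj}")
```

Steps 4 and 6 above both name GigabitEthernet 2 as written; a configuration that reuses one port as tunnel interface and service VRF interface is reported as transport-in-service-vrf, so use distinct ports for the two roles.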

Segmentation (VRFs) Configuration Examples

Some straightforward examples of creating and configuring VRFs to help you understand the configuration procedure for segmenting networks.

Configuration on the Cisco Catalyst SD-WAN Controller

On the Cisco Catalyst SD-WAN Controller, you configure general system parameters and the two VPNs (VPN 0 for WAN transport and VPN 512 for network management) as you did for the Cisco IOS XE Catalyst SD-WAN device. Also, you generally create a centralized control policy that controls how the VPN traffic is propagated through the rest of the network. In this particular example, we create a central policy, shown below, to drop unwanted prefixes from propagating through the rest of the network. You can use a single Cisco Catalyst SD-WAN Controller policy to enforce policies throughout the network.

Here are the steps for creating the control policy on the Cisco Catalyst SD-WAN Controller:

  1. Create a list of site IDs for the sites where you want to drop unwanted prefixes:
    vSmart(config)# policy lists site-list 20-30 site-id 20
    vSmart(config-site-list-20-30)# site-id 30
  2. Create a prefix list for the prefixes that you do not want to propagate:
    vSmart(config)# policy lists prefix-list drop-list ip-prefix 10.200.1.0/24
  3. Create the control policy:
    vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 match route prefix-list drop-list
    vSmart(config-match)# top
    vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 action reject
    vSmart(config-action)# top
    vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 default-action accept
    vSmart(config-default-action)# top
  4. Apply the policy to prefixes inbound to the Cisco Catalyst SD-WAN Controller:
    vSmart(config)# apply-policy site-list 20-30 control-policy drop-unwanted-routes in

Here is the full policy configuration on the Cisco Catalyst SD-WAN Controller:

apply-policy
 site-list 20-30
  control-policy drop-unwanted-routes in
 !
!
policy
 lists
  site-list 20-30
   site-id 20
   site-id 30
  !
  prefix-list drop-list
   ip-prefix 10.200.1.0/24
  !
 !
 control-policy drop-unwanted-routes
  sequence 10
   match route
    prefix-list drop-list
   !
   action reject
   !
  !
  default-action accept
 !
!
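To see which advertised routes this policy actually drops, the configuration can be parsed and evaluated route by route. This is an added example, not Cisco code: parse_policy and evaluate are hypothetical names, the configuration is embedded with the "!" separators omitted, and it assumes that an ip-prefix entry without le or ge matches only that exact prefix and that a policy without a default-action line rejects unmatched routes.

```python
import ipaddress

# Copy of the controller configuration shown above, "!" separator lines omitted.
POLICY_TEXT = """\
apply-policy
 site-list 20-30
  control-policy drop-unwanted-routes in
policy
 lists
  site-list 20-30
   site-id 20
   site-id 30
  prefix-list drop-list
   ip-prefix 10.200.1.0/24
 control-policy drop-unwanted-routes
  sequence 10
   match route
    prefix-list drop-list
   action reject
  default-action accept
"""


def parse_policy(text):
    """Keyword-driven parser for the subset of policy syntax used on this page."""
    cfg = {"site_lists": {}, "prefix_lists": {}, "policies": {}, "applied": []}
    section = ctx = cur = seq = site = pol = None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        key = w[0]
        if key in ("apply-policy", "policy"):
            section, ctx = key, None
        elif section == "apply-policy" and key == "site-list":
            site = w[1]
        elif section == "apply-policy" and key == "control-policy":
            cfg["applied"].append((site, w[1], w[2]))  # (site-list, policy, direction)
        elif key == "lists":
            ctx = "lists"
        elif key == "site-list":
            cur = cfg["site_lists"].setdefault(w[1], set())
        elif key == "site-id":
            cur.add(int(w[1]))  # single IDs only; ranges are not modelled
        elif key == "prefix-list" and ctx == "lists":
            cur = cfg["prefix_lists"].setdefault(w[1], [])
        elif key == "ip-prefix":
            cur.append(ipaddress.ip_network(w[1]))
        elif key == "control-policy":
            ctx = "control-policy"
            # Assumed default when no default-action line is present: reject.
            pol = cfg["policies"].setdefault(w[1], {"sequences": [], "default": "reject"})
        elif key == "sequence":
            seq = {"id": int(w[1]), "prefix_list": None, "action": None}
            pol["sequences"].append(seq)
        elif key == "prefix-list":  # under "match route"
            seq["prefix_list"] = w[1]
        elif key == "action":
            seq["action"] = w[1]
        elif key == "default-action":
            pol["default"] = w[1]
    return cfg


def evaluate(cfg, site_id, prefix, direction="in"):
    """Return 'accept' or 'reject' for a route advertised to the controller by site_id."""
    net = ipaddress.ip_network(prefix)
    for site_list, name, applied_dir in cfg["applied"]:
        if applied_dir != direction or site_id not in cfg["site_lists"][site_list]:
            continue
        pol = cfg["policies"][name]
        for seq in sorted(pol["sequences"], key=lambda s: s["id"]):
            # Assumption: exact match only, because the entry has no le/ge.
            if net in cfg["prefix_lists"].get(seq["prefix_list"], []):
                return seq["action"]
        return pol["default"]
    return "accept"  # no control policy is applied to this site


if __name__ == "__main__":
    cfg = parse_policy(POLICY_TEXT)
    for site, route in [(20, "10.200.1.0/24"), (20, "10.200.1.128/25"), (40, "10.200.1.0/24")]:
        print(site, route, evaluate(cfg, site, route))
```

Under the exact-match assumption, a more specific route such as 10.200.1.128/25 from site 20 is accepted, and the same /24 from a site outside the list is untouched, so both are worth testing before relying on the policy as a segment boundary.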

Segmentation CLI Reference

CLI commands for monitoring segmentation (VRFs).

  • show dhcp
  • show ipv6 dhcp
  • show ip vrf brief
  • show igmp commands
  • show ip igmp groups
  • show pim commands
