The purpose of this article is to introduce you to the process of bringing layer-3 switches into an existing network infrastructure; it is aimed mainly at network administrators and engineers. It covers configuring a stack of two Cisco 3850 switches and using them to organise more efficient and more fault-tolerant routing of traffic between internal networks.

Introduction
After the third article was published, which covered configuring internal and external routing with VyOS virtual routers, the comments pointed out that the network diagram above is not correct because it cannot handle a large traffic flow, and also that moving L3 to other equipment in an already working infrastructure could be a problem.
VyOS 2 vCPU 1 Gb vRAM, 20 () , 220 .
:
BGP full view , VyOS, «».
, - , VyOS 40-50%, , - .
:
- Cisco 2960RX;
- ~20-30 ;
- , ;
- .
, VyOS, . , , , , , .
, VyOS , , - . , VyOS – vCPU vRAM, , .
, ( - – ) Cisco 3850, - - . , , , .
, – vCPU. - Cisco 3850 – . , 1 / 10 / Cisco 3850 , 480 /, 10 / , .
, , , , Cisco 3850. , , .
, L3, , – . , .
, , , :
- Cisco 3850
- Cisco 3850
- Cisco 2960R Cisco 3850
- PBR
- VyOS' Cisco 3850
- OSPF
Cisco 3850
1
source-based PBR

– L3, VLAN34 VLAN35, , – 172.16.3.0/24.
:
- VLAN17 – 172.20.1.0/24, (IPMI, management)
- VLAN30 – 172.16.1.0/24, «» , VyOS1, VyOS2 Provider-1
- VLAN31 – 172.16.2.0/24, «» , VyOS2, VyOS1 Provider-2
- VLAN32 – 172.20.32.0/23, – PROD
- VLAN34 – 172.20.34.0/24, – DEV
- VLAN35 – 172.20.35.0/24, – DMZ
- VLAN36 – 172.16.10.8/30, «» P2P , Provider-1 Provider-3
- VLAN37 – 172.16.10.12/30, «» P2P , Provider-2 Provider-3
- VLAN38 – 172.16.3.0/24, «» ,
- VLAN40 – 172.20.40.0/23, – TEST
2
destination-based OSPF

L3, VLAN34 VLAN35 , VLAN33 VyOS L3. , – 172.16.3.0/24.
:
- VLAN17 – 172.20.1.0/24, (IPMI, management)
- VLAN30 – 172.16.1.0/24, «» , VyOS1, VyOS2 Provider-1
- VLAN31 – 172.16.2.0/24, «» , VyOS2, VyOS1 Provider-2
- VLAN32 – 172.20.32.0/23, – PROD
- VLAN33 – 172.20.133.0/24, VyOS2, VyOS1 3850
- VLAN34 – 172.20.34.0/24, – DEV
- VLAN35 – 172.20.35.0/24, – DMZ
- VLAN36 – 172.16.10.8/30, «» P2P , Provider-1 Provider-3
- VLAN37 – 172.16.10.12/30, «» P2P , Provider-2 Provider-3
- VLAN38 – 172.16.3.0/24, «» ,
- VLAN40 – 172.20.40.0/23, – TEST-
, oVirt – VLAN33, VLAN34, VLAN35, CentOS 7 x86/64 1810 Minimal ( ):
- test-IM34 – 1 Gb RAM, 1 CPU, 10 Gb HDD
- VLAN34, IP – 172.20.34.239/24, Gateway – 172.20.34.1
- test-IM35 – 1 Gb RAM, 1 CPU, 10 Gb HDD
- VLAN35, IP – 172.20.35.239/24, Gateway – 172.20.35.1
, , IP .
VyOS VLAN34 VLAN35, vrrp HAIP .
VyOS1
set interfaces ethernet eth5 address '172.20.34.253/24'
set interfaces ethernet eth5 description 'VLAN34'
set interfaces ethernet eth6 address '172.20.35.253/24'
set interfaces ethernet eth6 description 'VLAN35'
set high-availability vrrp group haip-4 vrid 40
set high-availability vrrp group haip-4 interface eth5
set high-availability vrrp group haip-4 virtual-address 172.20.34.1/24
set high-availability vrrp group haip-4 priority '200'
set high-availability vrrp group haip-4 authentication type 'plaintext-password'
set high-availability vrrp group haip-4 authentication password 'b65495f9'
set high-availability vrrp group haip-4 preempt 2
set high-availability vrrp group haip-4 advertise-interval '1'
set high-availability vrrp group haip-5 vrid 40
set high-availability vrrp group haip-5 interface eth6
set high-availability vrrp group haip-5 virtual-address 172.20.35.1/24
set high-availability vrrp group haip-5 priority '200'
set high-availability vrrp group haip-5 authentication type 'plaintext-password'
set high-availability vrrp group haip-5 authentication password 'b65495f9'
set high-availability vrrp group haip-5 preempt 2
set high-availability vrrp group haip-5 advertise-interval '1'
commit
VyOS2
set interfaces ethernet eth5 address '172.20.34.254/24'
set interfaces ethernet eth5 description 'VLAN34'
set interfaces ethernet eth6 address '172.20.35.254/24'
set interfaces ethernet eth6 description 'VLAN35'
set high-availability vrrp group haip-4 vrid 40
set high-availability vrrp group haip-4 interface eth5
set high-availability vrrp group haip-4 virtual-address 172.20.34.1/24
set high-availability vrrp group haip-4 priority '199'
set high-availability vrrp group haip-4 authentication type 'plaintext-password'
set high-availability vrrp group haip-4 authentication password 'b65495f9'
set high-availability vrrp group haip-4 preempt 2
set high-availability vrrp group haip-4 advertise-interval '1'
set high-availability vrrp group haip-5 vrid 40
set high-availability vrrp group haip-5 interface eth6
set high-availability vrrp group haip-5 virtual-address 172.20.35.1/24
set high-availability vrrp group haip-5 priority '199'
set high-availability vrrp group haip-5 authentication type 'plaintext-password'
set high-availability vrrp group haip-5 authentication password 'b65495f9'
set high-availability vrrp group haip-5 preempt 2
set high-availability vrrp group haip-5 advertise-interval '1'
commit
Cisco 3850
, Cisco 3850, , – WS-C3850-24T-E, 24 x 1 GE, 350 W no PoE, 4 x 1 GE, 2 x 10 GE, :
Cisco 3850
1) , .
, StackWise StackPower, – Catalyst 3850 Switch Getting Started Guide.
, StackWise StackPower , :
, L3, . PBR (policy based routing), IP Services.
- LAN Base
: ACL, 802.1x, DHCP snooping, DAI, IPSG;
: Ingress policing, AutoQoS, Trust Boundary, DSCP mapping.
- IP Base
Mobility controller Flexible NetFlow ( 3650/3850);
StackPower EEM.
- IP Services
(PBR, EIGRP, OSPF, BGP, VRF-lite ..);
Mobility controller Flexible NetFlow ( 3650/3850);
StackPower, EEM, IPSLA.
2) 3850 .
, , :
USB RJ-45 , : 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
Windows, Putty, Linux, minicom.
, :
sh ver | beg Switch Ports Model
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 32 WS-C3850-24T 16.6.7 CAT3K_CAA-UNIVERSALK9 INSTALL
2 32 WS-C3850-24T 16.6.7 CAT3K_CAA-UNIVERSALK9 INSTALL
sh license right-to-use
Slot# License Name Type Period left
----------------------------------------------------
1 ipservices Permanent Lifetime
----------------------------------------------------
License Level on Reboot: ipservices
Slot# License Name Type Period left
----------------------------------------------------
2 ipservices Permanent Lifetime
----------------------------------------------------
License Level on Reboot: ipservices
enable
switch 1 priority 15
switch 2 priority 14
conf t
hostname 3850-stack
no ip domain-lookup
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone msec
no service password-encryption
service sequence-numbers
logging buffered 16384
stack-mac persistent timer 0
stack-power stack Powerstack-1
mode redundant
clock timezone MSK 3
vtp mode transparent
ip subnet-zero
spanning-tree mode rapid-pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree vlan 1,17,30-40 root primary
spanning-tree loopguard default
port-channel load-balance src-dst-ip
errdisable recovery cause bpduguard
errdisable recovery cause loopback
errdisable recovery interval 60
line con 0
session-timeout 60
exec-timeout 60 0
logging synchronous
line vty 5 15
session-timeout 60
exec-timeout 60 0
logging synchronous
ip http server
ip http secure-server
exit
wr mem
reload
3850-stack>enable
3850-stack#show switch detail
Switch/Stack Mac Address : b090.7ebd. - Local Mac Address
Mac persistency wait time: Indefinite
H/W Current
Switch# Role Mac Address Priority Version State
-------------------------------------------------------------------------------------
*1 Active b090.7ebd. 15 V02 Ready
2 Standby b090.7ef3. 14 V02 Ready
Stack Port Status Neighbors
Switch# Port 1 Port 2 Port 1 Port 2
--------------------------------------------------------
1 OK OK 2 2
2 OK OK 1 1
3850-stack#show switch stack-ring speed
Stack Ring Speed : 480G
Stack Ring Configuration: Full
Stack Ring Protocol : StackWise
3850-stack#show switch stack-ports
Switch# Port1 Port2
----------------------------
1 OK OK
2 OK OK
3850-stack#show switch neighbors
Switch # Port 1 Port 2
-------- ------ ------
1 2 2
2 1 1
3850-stack#show stack-power
Power Stack Stack Stack Total Rsvd Alloc Sw_Avail Num Num
Name Mode Topolgy Pwr(W) Pwr(W) Pwr(W) Pwr(W) SW PS
-------------------- ------ ------- ------ ------ ------ ------ ----- ----
Powerstack-1 SP-R Ring 1400 380 460 560 2 4
3850-stack#show stack-power detail
Power Stack Stack Stack Total Rsvd Alloc Sw_Avail Num Num
Name Mode Topolgy Pwr(W) Pwr(W) Pwr(W) Pwr(W) SW PS
-------------------- ------ ------- ------ ------ ------ ------ ----- ----
Powerstack-1 SP-R Ring 1400 380 460 560 2 4
Power stack name: Powerstack-1
Stack mode: Redundant
Stack topology: Ring
Switch 1:
Power budget: 230
Power allocated: 230
Low port priority value: 21
High port priority value: 12
Switch priority value: 3
Port 1 status: Connected
Port 2 status: Connected
Neighbor on port 1: Switch 2 - b090.7ef3.
Neighbor on port 2: Switch 2 - b090.7ef3.
Switch 2:
Power budget: 230
Power allocated: 230
Low port priority value: 22
High port priority value: 13
Switch priority value: 4
Port 1 status: Connected
Port 2 status: Connected
Neighbor on port 1: Switch 1 - b090.7ebd.
Neighbor on port 2: Switch 1 - b090.7ebd.
3850-stack#show stack-power neighbors
Power Stack Stack Stack Total Rsvd Alloc Sw_Avail Num Num
Name Mode Topolgy Pwr(W) Pwr(W) Pwr(W) Pwr(W) SW PS
-------------------- ------ ------- ------ ------ ------ ------ ----- ----
Powerstack-1 SP-R Ring 1400 380 460 560 2 4
Power Stack Port 1 Port 1 Port 2 Port 2
SW Name Status Neighbor SW:MAC Status Neighbor SW:MAC
-- -------------------- ------ ---------------- ------ ----------------
1 Powerstack-1 Conn 2:b090.7ef3. Conn 2:b090.7ef3.
2 Powerstack-1 Conn 1:b090.7ebd. Conn 1:b090.7ebd.
3850-stack#sh env all
Switch 1 FAN 1 is OK
Switch 1 FAN 2 is OK
Switch 1 FAN 3 is OK
FAN PS-1 is OK
FAN PS-2 is OK
Switch 2 FAN 1 is OK
Switch 2 FAN 2 is OK
Switch 2 FAN 3 is OK
FAN PS-1 is OK
FAN PS-2 is OK
Switch 1: SYSTEM TEMPERATURE is OK
Inlet Temperature Value: 20 Degree Celsius
Temperature State: GREEN
Yellow Threshold : 46 Degree Celsius
Red Threshold : 56 Degree Celsius
Hotspot Temperature Value: 39 Degree Celsius
Temperature State: GREEN
Yellow Threshold : 105 Degree Celsius
Red Threshold : 125 Degree Celsius
Switch 2: SYSTEM TEMPERATURE is OK
Inlet Temperature Value: 20 Degree Celsius
Temperature State: GREEN
Yellow Threshold : 46 Degree Celsius
Red Threshold : 56 Degree Celsius
Hotspot Temperature Value: 38 Degree Celsius
Temperature State: GREEN
Yellow Threshold : 105 Degree Celsius
Red Threshold : 125 Degree Celsius
SW PID Serial# Status Sys Pwr PoE Pwr Watts
-- ------------------ ---------- ---------- ------- ------- -----
1A PWR-C1-350WAC ART2244F8 OK Good Good 350
1B PWR-C1-350WAC ART2248FL OK Good Good 350
2A PWR-C1-350WAC ART2244F9 OK Good Good 350
2B PWR-C1-350WAC ART2248FL OK Good Good 350
, - VLAN', ssh, IP , ..
enable
conf t
vlan 17
name 172.20.1.0/24
vlan 32
name 172.20.32.0/23
vlan 33
vlan 34
name 172.20.34.0/24
vlan 35
name 172.20.35.0/24
vlan 36
vlan 37
vlan 38
vlan 39
vlan 40
name 172.20.40.0/23
interface Vlan1
no ip address
shutdown
exit
interface vlan 17
ip address 172.20.1.2 255.255.255.0
crypto key generate rsa
ip ssh version 2
ip ssh time-out 90
line vty 0 4
session-timeout 60
exec-timeout 60 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
session-timeout 60
exec-timeout 60 0
privilege level 15
logging synchronous
transport input ssh
snmp-server community Public RO
snmp-server location Moscow, Russia
aaa new-model
aaa authentication login default local
username cisco privilege 15 secret mysecretpassword
enable secret myenablepassword
service password-encryption
ntp server 85.21.78.8 prefer
ntp server 89.221.207.113
ntp server 185.22.60.71
ntp server 192.36.143.130
ntp server 185.209.85.222
exit
wr mem
Cisco 3850 .
Cisco 2960R Cisco 3850
L2 Cisco 2960R Cisco 3850, - , Etherchannel:
2960X Gi1/0/42 <-> 3850-stack Gi1/0/21
2960X Gi2/0/42 <-> 3850-stack Gi1/0/23
2960X Gi1/0/44 <-> 3850-stack Gi2/0/21
2960X Gi2/0/44 <-> 3850-stack Gi2/0/23
Etherchannel Cisco 2960R
enable
conf t
interface Port-channel 9
description Channel->3850-stack
switchport trunk allowed vlan 1,17,30-40
switchport mode trunk
spanning-tree link-type point-to-point
interface GigabitEthernet1/0/44
shut
description Channel -> 3850-stack Gi1/0/21
switchport trunk allowed vlan 1,17,30-40
switchport mode trunk
spanning-tree link-type point-to-point
channel-group 9 mode active
interface GigabitEthernet1/0/48
shut
description Channel -> 3850-stack Gi2/0/21
switchport trunk allowed vlan 1,17,30-40
switchport mode trunk
spanning-tree link-type point-to-point
channel-group 9 mode active
interface GigabitEthernet2/0/44
shut
description Channel -> 3850-stack Gi1/0/23
switchport trunk allowed vlan 1,17,30-40
switchport mode trunk
spanning-tree link-type point-to-point
channel-group 9 mode active
interface GigabitEthernet2/0/48
shut
description Channel -> 3850-stack Gi2/0/23
switchport trunk allowed vlan 1,17,30-40
switchport mode trunk
spanning-tree link-type point-to-point
channel-group 9 mode active
exit
wr mem
Etherchannel Cisco 3850
enable
conf t
interface Port-channel 2
description Channel -> 2960X-stack1
switchport trunk allowed vlan 1,17,30-40
switchport mode trunk
spanning-tree link-type point-to-point
interface GigabitEthernet1/0/21
description Channel -> 2960X-stack1 Gi1/0/44
switchport trunk allowed vlan 1,17,30-40
switchport mode trunk
channel-group 2 mode active
no shut
interface GigabitEthernet1/0/23
description Channel -> 2960X-stack1 Gi2/0/44
switchport trunk allowed vlan 1,17,30-40
switchport mode trunk
channel-group 2 mode active
no shut
interface GigabitEthernet2/0/21
description Channel -> 2960X-stack1 Gi1/0/48
switchport trunk allowed vlan 1,17,30-40
switchport mode trunk
channel-group 2 mode active
no shut
interface GigabitEthernet2/0/23
description Channel -> 2960X-stack1 Gi2/0/48
switchport trunk allowed vlan 1,17,30-40
switchport mode trunk
channel-group 2 mode active
no shut
exit
wr mem
, Etherchannel 2960 3850-stack
3850-stack#sh etherchannel summary | beg Po2
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
A - formed by Auto LAG
2 Po2(SU) LACP Gi1/0/21(P) Gi1/0/23(P) Gi2/0/21(P)
Gi2/0/23(P)
3850-stack#show lacp internal | beg Channel group 2
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
Channel group 2
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi1/0/21 SA bndl 32768 0x2 0x2 0x116 0x3D
Gi1/0/23 SA bndl 32768 0x2 0x2 0x118 0x3D
Gi2/0/21 SA bndl 32768 0x2 0x2 0x216 0x3D
Gi2/0/23 SA bndl 32768 0x2 0x2 0x218 0x3D
- , :
sh logging
, Etherchanel , Cisco 3850 , , VyOS IP 172.20.1.2 ssh.
1
destination-based , .. , , 3- . ( ) , .
VyOS:
, , . , - VyOS.
2
source-based , .. , , , , . VyOS , Cisco 3850 PBR (policy based routing). , Cisco 3850, VyOS.
PBR (policy based routing)
:
VLAN' Cisco 3850, SVI (Switch Virtual Interface)
enable
conf t
ip routing
interface Vlan17
ip address 172.20.1.2 255.255.255.0
interface Vlan32
ip address 172.20.32.2 255.255.254.0
interface Vlan34
ip address 172.20.34.2 255.255.255.0
interface Vlan35
ip address 172.20.35.2 255.255.255.0
interface Vlan40
ip address 172.20.40.2 255.255.254.0
exit
wr mem
, SVI, . , PBR (policy-based routing).
Disclaimer
PBR , , , 3850 . , , 3850, , PBR, :
- 3850, VyOS ;
- 3850 VyOS, HAIP vrrp.
:
- , PBR ;
- , , - overhead' .
- , , ;
- - , , .
disclaimer' , , PBR 3850. , , , OSPF.
PBR Cisco 3850,
enable
conf t
ip access-list extended Access_to_External
permit ip any 0.0.0.0 127.255.255.255
permit ip any 128.0.0.0 31.255.255.255
permit ip any 160.0.0.0 7.255.255.255
permit ip any 168.0.0.0 3.255.255.255
permit ip any 172.0.0.0 0.15.255.255
permit ip any 172.16.0.0 0.3.255.255
permit ip any 172.20.0.0 0.0.0.255
permit ip any 172.20.2.0 0.0.1.255
permit ip any 172.20.4.0 0.0.3.255
permit ip any 172.20.8.0 0.0.7.255
permit ip any 172.20.16.0 0.0.15.255
permit ip any 172.20.36.0 0.0.3.255
permit ip any 172.20.42.0 0.0.1.255
permit ip any 172.20.44.0 0.0.3.255
permit ip any 172.20.48.0 0.0.15.255
permit ip any 172.20.64.0 0.0.63.255
permit ip any 172.20.128.0 0.0.127.255
permit ip any 172.21.0.0 0.0.255.255
permit ip any 172.22.0.0 0.1.255.255
permit ip any 172.24.0.0 0.7.255.255
permit ip any 172.32.0.0 0.31.255.255
permit ip any 172.64.0.0 0.63.255.255
permit ip any 172.128.0.0 0.127.255.255
permit ip any 173.0.0.0 0.255.255.255
permit ip any 174.0.0.0 1.255.255.255
permit ip any 176.0.0.0 15.255.255.255
permit ip any 192.0.0.0 31.255.255.255
route-map VLAN17PBR permit 10
match ip address Access_to_External
set ip next-hop 172.20.1.1
route-map VLAN32PBR permit 10
match ip address Access_to_External
set ip next-hop 172.20.32.1
route-map VLAN34PBR permit 10
match ip address Access_to_External
set ip next-hop 172.20.34.1
route-map VLAN35PBR permit 10
match ip address Access_to_External
set ip next-hop 172.20.35.1
route-map VLAN40PBR permit 10
match ip address Access_to_External
set ip next-hop 172.20.40.1
interface Vlan17
ip policy route-map VLAN17PBR
ip route-cache policy
interface Vlan32
ip policy route-map VLAN32PBR
ip route-cache policy
interface Vlan34
ip policy route-map VLAN34PBR
ip route-cache policy
interface Vlan35
ip policy route-map VLAN35PBR
ip route-cache policy
interface Vlan40
ip policy route-map VLAN40PBR
ip route-cache policy
exit
wr mem
, Access_to_External, :
172.20.1.0/24
172.20.32.0/23
172.20.34.0/24
172.20.35.0/24
172.20.40.0/23
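The ACL above matches every destination from 0.0.0.0 to 223.255.255.255 except the five networks listed here, so traffic between those networks is routed by the 3850 and everything else is handed to the PBR next hop. The following Python script is an added example, not part of the original article: it derives such a complement ACL from the list of internal networks and checks whether a given destination would be policy-routed. The function names are hypothetical.

```python
import ipaddress

# Destination space covered by the ACL on this page: 0.0.0.0 to 223.255.255.255.
UNIVERSE = ["0.0.0.0/1", "128.0.0.0/2", "192.0.0.0/3"]

# Networks that have an SVI on the 3850 (taken from the page).
# Traffic to these must NOT match the ACL, so it stays on the switch.
INTERNAL = [
    "172.20.1.0/24",
    "172.20.32.0/23",
    "172.20.34.0/24",
    "172.20.35.0/24",
    "172.20.40.0/23",
]


def complement(universe, excluded):
    """Return the networks that cover `universe` minus every network in `excluded`."""
    remaining = [ipaddress.ip_network(n) for n in universe]
    for ex in map(ipaddress.ip_network, excluded):
        kept = []
        for net in remaining:
            if ex.subnet_of(net):
                # Split `net` around the excluded block; an exact match is dropped.
                if ex != net:
                    kept.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # fully covered by the excluded block
            else:
                kept.append(net)
        remaining = kept
    # collapse_addresses returns the networks sorted and with siblings merged.
    return list(ipaddress.collapse_addresses(remaining))


def acl_lines(name, networks):
    """Render the networks as an IOS extended ACL using wildcard masks."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" permit ip any {n.network_address} {n.hostmask}" for n in networks]
    return lines


def policy_routed(networks, destination):
    """True if a packet to `destination` matches the ACL (goes to the PBR next hop)."""
    addr = ipaddress.ip_address(destination)
    return any(addr in n for n in networks)


if __name__ == "__main__":
    nets = complement(UNIVERSE, INTERNAL)
    print("\n".join(acl_lines("Access_to_External", nets)))
    # Constructed sample destinations, used only to illustrate the check.
    for dst in ("172.20.34.239", "172.20.133.253", "8.8.8.8"):
        print(dst, "-> PBR next hop" if policy_routed(nets, dst) else "-> routed on the 3850")
```

Adding a network to `INTERNAL` and regenerating keeps the ACL in step when a new SVI is created; a stale ACL would send traffic for the new network to the PBR next hop instead of routing it on the switch.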
, SVI, , .
, , , SVI Cisco 3850, , .
, Cisco 3850, , , ACL, PBR, QoS ., :
3850-stack#show platform hardware fed switch active fwd-asic resource tcam utilization
CAM Utilization for ASIC [0]
Table Max Values Used Values
--------------------------------------------------------------------------------
Unicast MAC addresses 32768/512 429/22
L3 Multicast entries 4096/512 0/7
L2 Multicast entries 4096/512 0/9
Directly or indirectly connected routes 16384/7168 477/23
QoS Access Control Entries 2560 86
Security Access Control Entries 3072 133
Netflow ACEs 768 15
Policy Based Routing ACEs 1024 134
Flow SPAN ACEs 512 5
Output Flow SPAN ACEs 512 8
Control Plane Entries 512 208
Tunnels 256 17
Lisp Instance Mapping Entries 256 3
Input Security Associations 256 4
Output Security Associations and Policies 256 5
SGT_DGT 4096/512 0/1
CLIENT_LE 4096/256 0/0
INPUT_GROUP_LE 6144 0
OUTPUT_GROUP_LE 6144 0
Macsec SPD 256 2
L3, .. ACL SVI (), PBR, SVI. , :
sh processes | inc CPU
sh processes cpu sort | exclude 0.00
sh processes cpu history
sh ip route summary
sh memory summary
sh route-map ( , )
, , , , – Troubleshooting TechNotes.
, Cisco 3850, Zabbix. .
VyOS' Cisco 3850
, , , , 172.20..1 172.20..2 – , .
, , , , , Ansible, ssh.
, IP SVI Cisco 3850 HAIP , VyOS.
Cisco 3850, , IP VLAN 17, 32, 34, 35, 40 ( 172.20.1.1, 172.20.32.1, 172.20.34.1, 172.20.35.1, 172.20.40.1) VyOS Cisco 3850.
, 172.20.1.2, 172.20.32.2, 172.20.34.2, 172.20.35.2, 172.20.40.2 Cisco 3850 VyOS.
, – 172.20.1.0/24, VLAN 17, .
, IP 172.20.1.1 VyOS isco 3850, VLAN17.
3850
en
conf t
interface Vlan17
no ip address 172.20.1.2 255.255.255.0
no ip route-cache policy
no ip policy route-map VLAN17PBR
shut
exit
no route-map VLAN17PBR
VyOS1/2
configure
delete high-availability vrrp group haip-1 virtual-address '172.20.1.1/24'
set high-availability vrrp group haip-1 virtual-address '172.20.1.2/24'
commit
3850
route-map VLAN17PBR permit 10
match ip address Access_to_External
set ip next-hop 172.20.1.2
interface Vlan17
ip address 172.20.1.1 255.255.255.0
ip route-cache policy
ip policy route-map VLAN17PBR
no shut
exit
wr mem
, , 10-15 VLAN 17, 172.20.1.1, Cisco 3850.
– 172.20.32.2, 172.20.34.2, 172.20.35.2 172.20.40.2 Cisco 3850, VyOS. , , , – Cisco 3850. , , – Cisco 3850, VyOS , . , - , , .
Cisco 3850 , , , VyOS, , 172.20.1.0/24 VLAN 17:
VyOS1/2
configure
delete high-availability vrrp group haip-1 virtual-address '172.20.1.2/24'
set high-availability vrrp group haip-1 virtual-address '172.20.1.1/24'
commit
, VyOS, , Cisco 3850.
, 4 ( ) Vmware vSphere Enterprise Plus, Vcenter Server Standard, 4 ( ) – Veeam B&R Enterprise. , , , , , 44.000 USD VMware 10.000 USD Veeam ( ).
IT , oVirt, :
, , , . Iaa , , .
oVirt/RHEV Iaa, Terraform, Ansible.
, , Terraform Ansible, Cobbler, .
IT , , , - , ..
, , DevOps, Iaa, oVirt / VMware vSphere.
P.S.
, , / PBR Cisco 3850 (.. source-based ), "" , destination-based .
, , , :
OSPF
Cisco 3850
– Chapter: Configuring IP Unicast Routing
PBR, :
- route-map' : VLAN17, VLAN32, VLAN34, VLAN35, VLAN40
- route-map': VLAN17PBR, VLAN32PBR, VLAN34PBR, VLAN35PBR, VLAN40PBR
- access-list Access_to_External
- VyOS OSPF, VLAN33, .
Cisco 3850
interface Vlan33
ip address 172.20.133.1 255.255.255.0
ip ospf dead-interval 4
ip ospf hello-interval 1
ip ospf priority 100
interface Loopback0
ip address 10.1.1.3 255.255.255.255
router ospf 1
router-id 10.1.1.3
network 10.1.1.3 0.0.0.0 area 0.0.0.0
network 172.20.133.0 0.0.0.255 area 0.0.0.0
network 172.20.1.0 0.0.0.255 area 0.0.0.0
network 172.20.32.0 0.0.1.255 area 0.0.0.0
network 172.20.34.0 0.0.0.255 area 0.0.0.0
network 172.20.35.0 0.0.0.255 area 0.0.0.0
network 172.20.40.0 0.0.1.255 area 0.0.0.0
log-adjacency-changes
passive-interface default
no passive-interface Vlan33
VyOS
— OSPF VyOS
Cisco 3850 PBR, :
- vrrp ;
- , VLAN32, VLAN34, VLAN35, VLAN40;
- : VLAN17, VLAN32, VLAN34, VLAN35, VLAN40;
- oVirt;
- Cisco 3850 OSPF, eth0, VLAN33, .
VyOS1
set interfaces loopback lo address '10.1.1.1/32'
set interfaces ethernet eth0 address '172.20.133.253/24'
set interfaces ethernet eth0 description 'VLAN33'
set interfaces ethernet eth0 ip ospf dead-interval '4'
set interfaces ethernet eth0 ip ospf hello-interval '1'
set interfaces ethernet eth0 ip ospf priority '1'
set interfaces ethernet eth0 ip ospf retransmit-interval '5'
set interfaces ethernet eth0 ip ospf transmit-delay '1'
set protocols ospf area 0.0.0.0 network '172.20.133.0/24'
set protocols ospf area 0.0.0.0 network '10.1.1.1/32'
set protocols ospf default-information originate metric '10'
set protocols ospf default-information originate metric-type '2'
set protocols ospf log-adjacency-changes
set protocols ospf neighbor 172.20.133.1 poll-interval '5'
set protocols ospf neighbor 172.20.133.1 priority '1'
set protocols ospf parameters abr-type 'cisco'
set protocols ospf parameters router-id '10.1.1.1'
set protocols ospf passive-interface 'default'
set protocols ospf passive-interface-exclude 'eth0'
set protocols ospf redistribute static metric '5'
set protocols ospf redistribute static metric-type '2'
VyOS2
set interfaces loopback lo address '10.1.1.2/32'
set interfaces ethernet eth0 address '172.20.133.254/24'
set interfaces ethernet eth0 description 'VLAN33'
set interfaces ethernet eth0 ip ospf dead-interval '4'
set interfaces ethernet eth0 ip ospf hello-interval '1'
set interfaces ethernet eth0 ip ospf priority '1'
set interfaces ethernet eth0 ip ospf retransmit-interval '5'
set interfaces ethernet eth0 ip ospf transmit-delay '1'
set protocols ospf area 0.0.0.0 network '172.20.133.0/24'
set protocols ospf area 0.0.0.0 network '10.1.1.2/32'
set protocols ospf default-information originate metric '20'
set protocols ospf default-information originate metric-type '2'
set protocols ospf log-adjacency-changes
set protocols ospf neighbor 172.20.133.1 poll-interval '5'
set protocols ospf neighbor 172.20.133.1 priority '1'
set protocols ospf parameters abr-type 'cisco'
set protocols ospf parameters router-id '10.1.1.2'
set protocols ospf passive-interface 'default'
set protocols ospf passive-interface-exclude 'eth0'
set protocols ospf redistribute static metric '10'
set protocols ospf redistribute static metric-type '1'
OSPF, :
sh ip ospf interface
sh ip ospf neighbor
show ip ospf
show ip route
show ip route ospf