2009-12-30

Cisco - HSRP together with PBR

I was faced with the task of consolidating several existing routers (a historical leftover) into a single box that would route everything for everyone. But since that box would be a SPOF, it had to be redundant. Easier said than done... but in the end it worked! Hopefully a more detailed write-up of how to do it will help someone ;-)

So, to the heart of the problem: I wanted to run HSRP together with several routing tables/instances. I thought VRF was what I was looking for, but after reading the Cisco docs more closely and trying to set it up in a test environment I got seriously unsure, so in the end I gave up on VRF and went for PBR. What follows is a description of the test environment (I'm too lazy for pictures) plus, of course, the relevant config extracts from both switches:

VLAN 1 - 192.168.10.0/24
.1 - cat3560_1
.2 - cat3560_2
.10 - hsrp virtual ip

VLAN 2 - 192.168.20.0/24
.1 - cat3560_1
.2 - cat3560_2
.20 - hsrp virtual ip

VLAN 3 - 192.168.30.0/24
.1 - cat3560_1
.2 - cat3560_2
.10 - next-hop for VLAN 1
.20 - next-hop for VLAN 2
.30 - hsrp virtual ip
.254 - default gw for both cat3560

In this test I tried to route traffic from VLAN 1 via 192.168.30.10 and traffic from VLAN 2 via 192.168.30.20. First I got plain inter-VLAN routing and HSRP for all VLANs working (config for the first switch; the kind reader can work out the second one; comments probably unnecessary):

----- hsrp -----

ip routing
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
standby 1 ip 192.168.10.10
standby 1 timers 2 5
standby 1 priority 101
standby 1 preempt
standby 1 authentication md5 key-string hsrp_vlan1_1
!
interface Vlan2
ip address 192.168.20.1 255.255.255.0
standby 2 ip 192.168.20.20
standby 2 timers 2 5
standby 2 priority 101
standby 2 preempt
standby 2 authentication md5 key-string hsrp_vlan2_2
!
interface Vlan3
ip address 192.168.30.1 255.255.255.0
standby 3 ip 192.168.30.30
standby 3 timers 2 5
standby 3 priority 101
standby 3 preempt
standby 3 authentication md5 key-string hsrp_vlan3_3

----------------
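As an added example (not part of the post), the following Python snippet parses the 'standby' lines above for VLAN 1, plus an assumed config for cat3560_2 (same group, VIP and timers, priority left at the IOS default of 100 and no preempt, which is what the post's priority 101 + preempt on the first switch implies), and works through the election, the hold-timer failover with 'timers 2 5', and preemption when cat3560_1 comes back.

```python
"""Toy HSRP election/failover for the post's VLAN 1 'standby' configuration.

Added example, not from the post. cat3560_2's config is an assumption:
same group, VIP and timers, IOS default priority (100), no preempt.
"""
import re
from dataclasses import dataclass

CAT3560_1_VLAN1 = """
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 standby 1 ip 192.168.10.10
 standby 1 timers 2 5
 standby 1 priority 101
 standby 1 preempt
"""

CAT3560_2_VLAN1 = """
interface Vlan1
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.10
 standby 1 timers 2 5
"""


@dataclass
class HsrpMember:
    name: str
    ip: str = ""
    group: int = 0
    vip: str = ""
    priority: int = 100    # IOS default
    preempt: bool = False  # IOS default: a returning router does not take over
    hello: int = 3         # IOS default timers in seconds
    hold: int = 10


def parse_hsrp(name: str, config: str) -> HsrpMember:
    """Pull the interface IP and the 'standby' settings out of an SVI config."""
    m = HsrpMember(name)
    for raw in config.splitlines():
        line = raw.strip()
        if mt := re.match(r"ip address (\S+)", line):
            m.ip = mt.group(1)
        elif mt := re.match(r"standby (\d+) ip (\S+)", line):
            m.group, m.vip = int(mt.group(1)), mt.group(2)
        elif mt := re.match(r"standby \d+ timers (\d+) (\d+)", line):
            m.hello, m.hold = int(mt.group(1)), int(mt.group(2))
        elif mt := re.match(r"standby \d+ priority (\d+)", line):
            m.priority = int(mt.group(1))
        elif re.match(r"standby \d+ preempt", line):
            m.preempt = True
    return m


def _rank(m: HsrpMember) -> tuple:
    # HSRP compares priority first; the higher interface IP wins a tie.
    return (m.priority, tuple(int(o) for o in m.ip.split(".")))


def elect(members: list) -> tuple:
    """Initial election: returns the (active, standby) router names."""
    ordered = sorted(members, key=_rank, reverse=True)
    return ordered[0].name, ordered[1].name


def after_active_loss(active: HsrpMember, standby: HsrpMember, silent_seconds: int) -> str:
    """The standby takes over only once the hold timer (5 s here) expires
    without a hello from the active router; before that, nothing changes."""
    return standby.name if silent_seconds >= standby.hold else active.name


def after_active_returns(current_active: HsrpMember, returning: HsrpMember) -> str:
    """Preemption: the returning router reclaims the VIP only if it has
    'standby N preempt' configured and outranks the current active router."""
    if returning.preempt and _rank(returning) > _rank(current_active):
        return returning.name
    return current_active.name


SW1 = parse_hsrp("cat3560_1", CAT3560_1_VLAN1)
SW2 = parse_hsrp("cat3560_2", CAT3560_2_VLAN1)

if __name__ == "__main__":
    active, standby = elect([SW1, SW2])
    print("active:", active, "standby:", standby)
    print("after 5 s of silence:", after_active_loss(SW1, SW2, 5))
    print("when cat3560_1 returns:", after_active_returns(SW2, SW1))
```

The point of the last two functions: without 'standby 1 preempt' on cat3560_1, the second switch would keep the virtual IP after the first one came back from a reload, so the preferred router would stay passive until the next failure.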

Once I had inter-VLAN routing, I moved on to PBR. Every document will tell you that you need three things: ACLs to select the traffic, route-maps to define the next hop (and other things), and applying the policy to an interface. So, in order, first the ACLs (this time with comments):

--- pbr - acl ---

! all traffic from VLAN 1
!
access-list 1 permit 192.168.10.0 0.0.0.255
!
!
! all traffic from VLAN 2
!
access-list 2 permit 192.168.20.0 0.0.0.255
!
!
! traffic to the Cat3560 - VLAN 1
! (both hosts & hsrp virtual ip)
!
access-list 101 permit ip any host 192.168.10.1
access-list 101 permit ip any host 192.168.10.2
access-list 101 permit ip any host 192.168.10.10
access-list 101 permit icmp any host 192.168.10.1
access-list 101 permit icmp any host 192.168.10.2
access-list 101 permit icmp any host 192.168.10.10
!
!
! traffic to the Cat3560 - VLAN 2
! (both hosts & hsrp virtual ip)
!
access-list 102 permit ip any host 192.168.20.1
access-list 102 permit ip any host 192.168.20.2
access-list 102 permit ip any host 192.168.20.20
access-list 102 permit icmp any host 192.168.20.1
access-list 102 permit icmp any host 192.168.20.2
access-list 102 permit icmp any host 192.168.20.20

-----------------

For completeness, I'll add that you don't need those two extended ACLs if you don't need to access the Catalyst directly (ssh, ping, etc.) from the respective VLANs, but more on that below :) So we have the ACLs, now we need to build the route-maps (this time the comment comes afterwards):

--- pbr - rm ---

route-map rm1 permit 10
match ip address 101
!
route-map rm1 permit 20
match ip address 1
set ip next-hop 192.168.30.10
!
route-map rm2 permit 10
match ip address 102
!
route-map rm2 permit 20
match ip address 2
set ip next-hop 192.168.30.20
!

----------------

Let me explain the route-maps. Each route-map is processed first-match, in the order of the numbers after permit (or deny), so 'route-map rm1 permit 10' leaves the traffic from ACL 101 alone (only a match, no set) - that's the traffic headed directly for the Catalyst. Then 'route-map rm1 permit 20' redirects all traffic from VLAN 1 to the next hop 192.168.30.10 (the traffic from ACL 101 is of course excluded from this, because it already matched in the previous entry). route-map rm2 does the same for VLAN 2.
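To make that first-match behaviour concrete, here is an added Python simulation (my example, not code from the post) that parses the post's ACLs and route-maps and reports, for a constructed packet, which next hop PBR would force or whether the packet falls back to the routing table. The ACL and route-map text is copied from the post, minus the ICMP lines of ACLs 101 and 102, because 'permit ip' already covers ICMP; the packets are constructed.

```python
"""Simulate IOS evaluation of the post's PBR ACLs and route-maps.

Added example, not from the post. Config text is the post's (ICMP entries
dropped: 'permit ip' already matches them); test packets are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

ACL_CONFIG = """
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 permit 192.168.20.0 0.0.0.255
access-list 101 permit ip any host 192.168.10.1
access-list 101 permit ip any host 192.168.10.2
access-list 101 permit ip any host 192.168.10.10
access-list 102 permit ip any host 192.168.20.1
access-list 102 permit ip any host 192.168.20.2
access-list 102 permit ip any host 192.168.20.20
"""

ROUTE_MAP_CONFIG = """
route-map rm1 permit 10
 match ip address 101
route-map rm1 permit 20
 match ip address 1
 set ip next-hop 192.168.30.10
route-map rm2 permit 10
 match ip address 102
route-map rm2 permit 20
 match ip address 2
 set ip next-hop 192.168.30.20
"""

ANY = ("0.0.0.0", "255.255.255.255")


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wild) & 0xFFFFFFFF
    return ((_ip(addr) ^ _ip(net)) & care) == 0


def _take_addr(tokens: list) -> tuple:
    """Pop one address spec: 'any', 'host X', 'X WILDCARD' or a bare host 'X'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    if tokens and re.fullmatch(r"[\d.]+", tokens[0]):
        return (tok, tokens.pop(0))
    return (tok, "0.0.0.0")


@dataclass
class AclEntry:
    action: str
    proto: str
    src: tuple
    dst: tuple


def parse_acls(text: str) -> dict:
    acls: dict = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number <= 99:  # standard ACL: source address only
            entry = AclEntry(action, "ip", _take_addr(rest), ANY)
        else:             # extended ACL: protocol, source, destination
            proto = rest.pop(0)
            entry = AclEntry(action, proto, _take_addr(rest), _take_addr(rest))
        acls.setdefault(number, []).append(entry)
    return acls


def acl_permits(entries: list, src: str, dst: str, proto: str) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for e in entries:
        if e.proto in ("ip", proto) and wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            return e.action == "permit"
    return False


@dataclass
class RouteMapSeq:
    action: str
    match_acls: list = field(default_factory=list)  # empty list matches everything
    next_hop: Optional[str] = None                  # None: no 'set', normal routing


def parse_route_maps(text: str) -> dict:
    maps: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"route-map (\S+) (permit|deny) (\d+)$", line):
            current = RouteMapSeq(m.group(2))
            maps.setdefault(m.group(1), []).append((int(m.group(3)), current))
        elif current and (m := re.match(r"match ip address (.+)", line)):
            current.match_acls += [int(n) for n in m.group(1).split()]
        elif current and (m := re.match(r"set ip next-hop (\S+)", line)):
            current.next_hop = m.group(1)
    return {name: [s for _, s in sorted(seqs, key=lambda t: t[0])] for name, seqs in maps.items()}


ACLS = parse_acls(ACL_CONFIG)
ROUTE_MAPS = parse_route_maps(ROUTE_MAP_CONFIG)


def policy_next_hop(route_map: str, src: str, dst: str, proto: str = "ip") -> Optional[str]:
    """Walk the route-map first-match by sequence number and return the next hop
    PBR forces, or None when the packet falls through to the normal routing table."""
    for seq in ROUTE_MAPS[route_map]:
        if seq.match_acls and not any(acl_permits(ACLS[n], src, dst, proto) for n in seq.match_acls):
            continue
        # A 'permit' with no 'set' and a 'deny' both end evaluation without a policy.
        return seq.next_hop if seq.action == "permit" else None
    return None


if __name__ == "__main__":
    for rm, s, d in [("rm1", "192.168.10.50", "10.0.0.1"), ("rm1", "192.168.10.50", "192.168.10.10"),
                     ("rm1", "192.168.10.50", "192.168.20.1"), ("rm2", "192.168.20.50", "10.0.0.1")]:
        print(f"{rm}: {s} -> {d}: next-hop {policy_next_hop(rm, s, d)}")
```

One thing the simulation makes visible: a VLAN 1 host talking to the switch's own VLAN 2 address (192.168.20.1) does not hit ACL 101, so rm1 policy-routes it to 192.168.30.10 instead of delivering it locally. If you want to reach the Catalyst on all of its SVI addresses from VLAN 1, those addresses have to be in the "leave alone" ACL as well.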

The last remaining step is to apply the policies to the respective interfaces. To make that possible, you need to run this command in config mode: 'sdm prefer routing', which makes the switch devote most of its resources to routing (see the links at the end). That requires a reload, and then we can apply the route-maps to the interfaces:

--- pbr - pol ---

interface Vlan1
ip policy route-map rm1
!
interface Vlan2
ip policy route-map rm2

-----------------

That's it, and we can test which way the traffic from both VLANs flows. Here's the complete config extract from the first switch:

----- cat3560_1 -----

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.30.254
!
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
ip policy route-map rm1
standby 1 ip 192.168.10.10
standby 1 timers 2 5
standby 1 priority 101
standby 1 preempt
standby 1 authentication md5 key-string hsrp_vlan1_1
!
interface Vlan2
ip address 192.168.20.1 255.255.255.0
ip policy route-map rm2
standby 2 ip 192.168.20.20
standby 2 timers 2 5
standby 2 priority 101
standby 2 preempt
standby 2 authentication md5 key-string hsrp_vlan2_2
!
interface Vlan3
ip address 192.168.30.1 255.255.255.0
standby 3 ip 192.168.30.30
standby 3 timers 2 5
standby 3 priority 101
standby 3 preempt
standby 3 authentication md5 key-string hsrp_vlan3_3
!
!
access-list 1 permit 192.168.10.0 0.0.0.255
!
access-list 2 permit 192.168.20.0 0.0.0.255
!
access-list 101 permit ip any host 192.168.10.1
access-list 101 permit ip any host 192.168.10.2
access-list 101 permit ip any host 192.168.10.10
access-list 101 permit icmp any host 192.168.10.1
access-list 101 permit icmp any host 192.168.10.2
access-list 101 permit icmp any host 192.168.10.10
!
access-list 102 permit ip any host 192.168.20.1
access-list 102 permit ip any host 192.168.20.2
access-list 102 permit ip any host 192.168.20.20
access-list 102 permit icmp any host 192.168.20.1
access-list 102 permit icmp any host 192.168.20.2
access-list 102 permit icmp any host 192.168.20.20
!
!
route-map rm1 permit 10
match ip address 101
!
route-map rm1 permit 20
match ip address 1
set ip next-hop 192.168.30.10
!
route-map rm2 permit 10
match ip address 102
!
route-map rm2 permit 20
match ip address 2
set ip next-hop 192.168.30.20
!

---------------------

Phew, so I've written it up and I hope I haven't botched it too badly. I should note that I'm a self-taught Cisco guy, so there may well be a more elegant way to set up what I was trying to do; in that case I'll be grateful to anyone who knows it and at least sketches it out for me :)

Off to get hammered! `-)


P.S. - A few more links:

HSRP - [http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_35_se/configuration/guide/swhsrp.html]
PBR - [http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml]
SDM - [http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_20_se/configuration/guide/swsdm.html]

1 comment:

1. As for the formatting...... I have no strength left right now, I'm glad I at least wrote it down :) Maybe some other time...
