CISCO SD-WAN Catalyst Segmentation

Segmentation

Note: To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes apply: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.

Network segmentation has existed for over a decade and has been implemented in multiple forms and shapes.
At its most rudimentary level, segmentation provides traffic isolation. The most common forms of network segmentation are virtual LANs, or VLANs, for Layer 2 solutions, and virtual routing and forwarding, or VRF, for Layer 3 solutions.
There are many use cases for segmentation:

Use Cases for Segmentation

  • An enterprise wants to keep different lines of business separate (for example, for security or audit reasons).
  • An IT department wants to keep authenticated users separate from guest users.
  • A retail store wants to separate video surveillance traffic from transactional traffic.
  • An enterprise wants to give business partners selective access only to some portions of the network.
  • A service or business needs to enforce regulatory compliance, such as compliance with HIPAA, the US
    Health Insurance Portability and Accountability Act, or with Payment Card Industry (PCI) security standards.
  • A service provider wants to provide VPN services to its medium-sized enterprises.

Limitations of Segmentation

One inherent limitation of segmentation is its scope. A segmentation solution can be complex, or it can be limited to a single device or to two devices connected over an interface. For example, Layer 3 segmentation provides the following:

  1. Ability to group prefixes into a unique route table (RIB or FIB).
  2. Ability to associate an interface with a route table so that traffic traversing the interface is forwarded based on the prefixes in that route table.

This is useful, but its scope is limited to a single device. To extend the functionality across the network, the segmentation information needs to be carried to the appropriate points in the network.

How to Enable Network-Wide Segmentation

There are two ways to provide this network-wide segmentation:

  • Define the segmentation policy on every device and on every interface in the network (essentially, you perform Steps 1 and 2 above on every device).
  • Define the segmentation policy at the edges of the segment, and then carry the segmentation information in the packets for the intermediate nodes to handle.

The first approach is useful if every device is an entry or exit point for the segment, which is generally not the case in medium and large networks. The second approach is more scalable and keeps the transport network free of segments and complexity.

  • Segmentation in Cisco Catalyst SD-WAN
  • VRFs Used in Cisco Catalyst SD-WAN Segmentation
  • Configure VRF Using Cisco SD-WAN Manager Templates
  • Configure VPNs Using Cisco SD-WAN Manager Templates
  • Configure Segmentation Using the CLI
  • Segmentation CLI Reference

Segmentation in Cisco Catalyst SD-WAN

In the Cisco Catalyst SD-WAN overlay network, VRFs divide the network into different segments. Cisco Catalyst SD-WAN employs the more prevalent and scalable model of creating segments. Essentially, segmentation is done at the edges of a router, and the segmentation information is carried in the packets in the form of an identifier.
The figure shows the propagation of routing information inside a VRF.
Figure 1: Propagation of Routing Information Inside a VRF

In this figure:

  • Router-1 subscribes to two VRFs, red and blue.
  • The red VRF caters to the prefix 10.1.1.0/24 (either directly through a connected interface, or learned using the IGP or BGP).
  • The blue VRF caters to the prefix 10.2.2.0/24 (either directly through a connected interface, or learned using the IGP or BGP).
  • Router-2 subscribes to the red VRF.
    • This VRF caters to the prefix 192.168.1.0/24 (either directly through a connected interface, or learned using the IGP or BGP).
  • Router-3 subscribes to the blue VRF.
    • This VRF caters to the prefix 192.168.2.0/24 (either directly through a connected interface, or learned using the IGP or BGP).

Because each router has an Overlay Management Protocol (OMP) connection over a TLS tunnel to the Cisco SD-WAN Controller, it propagates its routing information to the Cisco SD-WAN Controller. On the Cisco SD-WAN Controller, the network administrator can enforce policies to drop routes, or to change TLOCs (the overlay next hops) for traffic engineering or service chaining. The network administrator can apply these policies as inbound and outbound policies on the Cisco SD-WAN Controller.
All prefixes belonging to a single VRF are kept in a separate route table. This provides the Layer 3 isolation required for the various segments in the network. So, Router-1 has two VRF route tables, and Router-2 and Router-3 each have one route table. In addition, the Cisco SD-WAN Controller maintains the VRF context for each VRF separately.
Separate route tables provide isolation on a single node. So how is routing information propagated across the network?
In the Cisco Catalyst SD-WAN solution, this is done using VRF identifiers, as shown in the figure below. A VRF ID, which is carried in the packet, identifies each VRF on a link. When you configure a VRF on a router, the VRF has a label associated with it. The router sends the label, along with the VRF ID, to the Cisco SD-WAN Controller. The Cisco SD-WAN Controller propagates this router-to-VRF ID mapping information to the other routers in the domain. The remote routers then use this label to send traffic to the appropriate VRF. The local routers, on receiving the data with the VRF ID label, use the label to demultiplex the data traffic. This is similar to how MPLS labels are used. This design is based on standard RFCs and is compliant with regulatory procedures such as PCI and HIPAA.

Figure 2: VRF Identifiers

Note: The transport network that connects the routers is completely unaware of the VRFs. Only the routers know about VRFs; the rest of the network follows standard IP routing.
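The label-based isolation described above and in Figure 1 and Figure 2, as an added model that is not part of the Cisco document: routers advertise each VRF's prefixes together with a per-VRF label to a controller, the controller redistributes them strictly per VRF, and a receiving edge demultiplexes on the label while the transport in between sees only IP. Router names, prefixes and VRF colours come from Figure 1; the label values and the class names are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed model (not the OMP wire format): a route advertised to the
# controller carries the VRF, the prefix, the originating TLOC and the label
# that the originating router allocated for that VRF.
class OmpRoute:
    def __init__(self, vrf, prefix, tloc, label):
        self.vrf, self.prefix, self.tloc, self.label = vrf, prefix, tloc, label

class Controller:
    """Cisco SD-WAN Controller role: collect routes and keep one context per VRF."""
    def __init__(self):
        self.routes = []

    def receive(self, routes):
        self.routes.extend(routes)

    def routes_for(self, vrf):
        # A router asking for VRF "red" never sees "blue" prefixes.
        return [r for r in self.routes if r.vrf == vrf]

class Router:
    def __init__(self, name, vrfs):
        self.name = name
        self.tables = {v: {} for v in vrfs}          # one route table per VRF
        # Label per local VRF (constructed values); remote routers must send
        # this label so the receiving edge can demultiplex into the right VRF.
        self.labels = {v: 1000 + i for i, v in enumerate(vrfs)}

    def add_local(self, vrf, prefix):
        self.tables[vrf][ip_network(prefix)] = ("local", None)

    def advertise(self):
        return [OmpRoute(v, str(p), self.name, self.labels[v])
                for v, t in self.tables.items()
                for p, (via, _) in t.items() if via == "local"]

    def learn(self, controller):
        # Install remote prefixes only into the matching local VRF table.
        for vrf in self.tables:
            for r in controller.routes_for(vrf):
                if r.tloc != self.name:
                    self.tables[vrf][ip_network(r.prefix)] = (r.tloc, r.label)

    def lookup(self, vrf, dst):
        """Longest-prefix match within one VRF table: (next TLOC, label) or None."""
        addr, best = ip_address(dst), None
        for net, via in self.tables[vrf].items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None

    def demux(self, label):
        """Receiving edge: map the label carried in the packet back to a VRF."""
        return next((v for v, l in self.labels.items() if l == label), None)

def build_topology():
    """Figure 1 topology: Router-1 in red and blue, Router-2 red, Router-3 blue."""
    ctl = Controller()
    r1 = Router("Router-1", ["red", "blue"])
    r1.add_local("red", "10.1.1.0/24")
    r1.add_local("blue", "10.2.2.0/24")
    r2 = Router("Router-2", ["red"])
    r2.add_local("red", "192.168.1.0/24")
    r3 = Router("Router-3", ["blue"])
    r3.add_local("blue", "192.168.2.0/24")
    routers = {r.name: r for r in (r1, r2, r3)}
    for r in routers.values():          # each router pushes its VRF routes over OMP
        ctl.receive(r.advertise())
    for r in routers.values():          # the controller redistributes them per VRF
        r.learn(ctl)
    return routers

def send(routers, src, vrf, dst):
    """Return the VRF the packet lands in, or None if the source VRF has no route."""
    hop = routers[src].lookup(vrf, dst)
    if hop is None:
        return None
    tloc, label = hop
    if tloc == "local":
        return vrf
    # The transport in between only sees IP; the remote edge demuxes on the label.
    return routers[tloc].demux(label)
```

A packet from Router-2's red VRF reaches 10.1.1.0/24 on Router-1 in red, while 10.2.2.0/24 is simply absent from the red table, so the blue segment is unreachable without any filtering on the transport.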

VRFs Used in Cisco Catalyst SD-WAN Segmentation

The Cisco Catalyst SD-WAN solution involves the use of VRFs to separate traffic.

Global VRF

The global VRF is used for transport. To enforce the inherent separation between services (such as prefixes that belong to the enterprise) and transport (the network that connects the routers), all transport interfaces, that is, all TLOCs, are kept in the global VRF. This ensures that the transport network cannot reach the service network by default. Multiple transport interfaces can belong to the same VRF, and packets can be forwarded to and from transport interfaces.
The global VRF contains all the interfaces on a device, except the management interface, and all the interfaces are disabled. For the control plane to establish itself so that the overlay network can function, you must configure tunnel interfaces in the global VRF. For each interface in the global VRF, you must set an IP address, and create a tunnel connection that sets the color and encapsulation for the WAN transport connection. (The encapsulation is used for the transmission of data traffic.) These three parameters, the IP address, color, and encapsulation, define a TLOC (transport location) on the router. The OMP session running on each tunnel sends the TLOC to the Cisco SD-WAN Controllers so that they can learn the network topology.

Dual-Stack Support on Transport VPNs

In the global VRF, Cisco IOS XE Catalyst SD-WAN devices and the Cisco SD-WAN Controller support dual stack. To enable dual stack, configure an IPv4 address and an IPv6 address on the tunnel interface. The router learns from the Cisco SD-WAN Controller whether the destination supports IPv4 or IPv6 addresses. When sending traffic, the router chooses either the IPv4 or IPv6 TLOC, based on the destination address. But IPv4 is always preferred when configured.

Management VRF

Mgmt-Intf is the management VRF on Cisco IOS XE Catalyst SD-WAN devices. It is configured and enabled by default. It carries out-of-band management traffic among the devices in the overlay network. You can modify this configuration, if necessary.

Configure VRF Using Cisco SD-WAN Manager Templates

In Cisco SD-WAN Manager, use a CLI template to configure VRFs for a device. For each VRF, create a subinterface and map the subinterface to the VRF. You can configure up to 300 VRFs.
When you push a CLI template to a device, Cisco SD-WAN Manager overwrites the existing configuration on the device and loads the configuration defined in the CLI template. Because of this, the template cannot provide only the new configuration items, such as VRFs. The CLI template must include the entire configuration required by the device. To display the relevant configuration information on a device, use the show sdwan running-config command.
For information about creating and using CLI templates, and an example of configuring VRFs, see the CLI Templates for Cisco IOS XE Catalyst SD-WAN Routers chapter of the Systems and Interfaces Configuration Guide, Cisco IOS XE Release 17.x.
The following devices are supported:

  • Cisco ASR1001-HX
  • ASR1002-HX

Configure VPNs Using Cisco SD-WAN Manager Templates

Create a VPN Template

Note: Cisco IOS XE Catalyst SD-WAN devices use VRFs for segmentation and network isolation. However, the following steps still apply if you are configuring segmentation for Cisco IOS XE Catalyst SD-WAN devices through Cisco SD-WAN Manager. When you complete the configuration, the system automatically converts the VPNs to VRFs for Cisco IOS XE Catalyst SD-WAN devices.

Note: You can configure static routes through the VPN template.

  • Step 1 From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
  • Step 2 Click Device Templates, and click Create Template.
    Note: In Cisco vManage Release 20.7.x and earlier releases, Device Templates is called Device.
  • Step 3 From the Create Template drop-down list, choose From Feature Template.
  • Step 4 From the Device Model drop-down list, choose the type of device for which you wish to create the template.
  • Step 5 To create a template for VPN 0 or VPN 512:
    a. Click Transport & Management VPN, or scroll to the Transport & Management VPN section.
    b. From the VPN 0 or VPN 512 drop-down list, click Create Template. The VPN template form appears.
    The form contains fields for naming the template, and fields for defining VPN parameters.
  • Step 6 To create a template for VPNs 1 through 511, and 513 through 65527:
    a. Click Service VPN, or scroll to the Service VPN section.
    b. Click the Service VPN drop-down list.
    c. From the VPN drop-down list, click Create Template. The VPN template form appears.
    The form contains fields for naming the template, and fields for defining VPN parameters.
  • Step 7 In Template Name, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  • Step 8 In Template Description, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

Configure Basic VPN Parameters

To configure basic VPN parameters, choose Basic Configuration and then configure the following parameters.
Parameters marked with an asterisk are required to configure a VPN.

Parameter Name: Description

VPN: Enter the numeric identifier of the VPN.
    Range for Cisco IOS XE Catalyst SD-WAN devices: 0 through 65527
    Values for Cisco Catalyst SD-WAN Controller and Cisco SD-WAN Manager devices: 0, 512
Name: Enter a name for the VPN.
    Note: For Cisco IOS XE Catalyst SD-WAN devices, you cannot enter a device-specific name for the VPN.
Enhance ECMP keying: Click On to enable the use in the ECMP hash key of Layer 4 source and destination ports, in addition to the combination of the source and destination IP addresses, as the ECMP hash key.
    ECMP keying is Off by default.

Note: To complete the configuration of the transport VPN on a router, you must configure at least one interface in VPN 0.

To save the feature template, click Save.

Configure Load-Balancing Algorithm Using the CLI

Note: Starting from Cisco IOS XE Catalyst SD-WAN Release 17.8.1a, you need a CLI template to configure the src-only load-sharing algorithm for IPv4 and IPv6 Cisco Catalyst SD-WAN and non-Cisco Catalyst SD-WAN traffic. For complete information on the load-sharing algorithm CLI, see the IP Commands list.

The following provides the CLI configurations for selecting a Cisco Express Forwarding load-balancing algorithm for non-Cisco Catalyst SD-WAN IPv4 and IPv6 traffic. You can enable ECMP keying to forward configurations for both IPv4 and IPv6.

Device# config-transaction
Device(config)# ip cef load-sharing algorithm {universal [id] | include-ports [source [id] | destination [id]] | src-only [id]}

Device# config-transaction
Device(config)# ipv6 cef load-sharing algorithm {universal [id] | include-ports [source [id] | destination [id]] | src-only [id]}

The following provides the CLI configurations for enabling the load-balancing algorithm on an interface for Cisco Catalyst SD-WAN IPv4 and IPv6 traffic. You can enable ECMP keying to forward configurations for both IPv4 and IPv6.

Device# config-transaction
Device(config)# sdwan
Device(config-sdwan)# ip load-sharing algorithm {ip-and-ports | src-dst-ip | src-ip-only}

Device# config-transaction
Device(config)# sdwan
Device(config-sdwan)# ipv6 load-sharing algorithm {ip-and-ports | src-dst-ip | src-ip-only}

Configure Basic Interface Functionality

To configure basic interface functionality in a VPN, choose Basic Configuration and configure the following parameters:

Note: Parameters marked with an asterisk are required to configure an interface.

Parameter Name (IPv4 or IPv6 Options): Description

Shutdown*: Click No to enable the interface.
Interface name*: Enter the name of the interface.
    For Cisco IOS XE Catalyst SD-WAN devices, you must:
      • Spell out the interface names completely (for example, GigabitEthernet0/0/0).
      • Configure all the router's interfaces, even if you are not using them, so that they are configured in the shutdown state and so that all default values for them are configured.
Description: Enter a description for the interface.
IPv4/IPv6: Click IPv4 to configure an IPv4 VPN interface. Click IPv6 to configure an IPv6 interface.
Dynamic: Click Dynamic to set the interface as a Dynamic Host Configuration Protocol (DHCP) client, so that the interface receives its IP address from a DHCP server.
DHCP Distance (Both): Optionally, enter an administrative distance value for routes learned from a DHCP server. The default is 1.
DHCP Rapid Commit (IPv6): Optionally, configure the DHCP IPv6 local server to support DHCP Rapid Commit, to enable faster client configuration and confirmation in busy environments.
    Click On to enable DHCP rapid commit.
    Click Off to continue using the normal commit process.
Static: Click Static to enter an IP address that does not change.
IPv4 Address (IPv4): Enter a static IPv4 address.
IPv6 Address (IPv6): Enter a static IPv6 address.
Secondary IP Address (IPv4): Click Add to enter up to four secondary IPv4 addresses for a service-side interface.
Secondary IPv6 Address (IPv6): Click Add to enter up to two secondary IPv6 addresses for a service-side interface.
DHCP Helper (Both): To designate the interface as a DHCP helper on a router, enter up to eight IP addresses, separated by commas, for DHCP servers in the network. A DHCP helper interface forwards BootP (broadcast) DHCP requests that it receives from the specified DHCP servers.
Block Non-Source IP (Yes/No): Click Yes to have the interface forward traffic only if the source IP address of the traffic matches the interface's IP prefix range. Click No to allow other traffic.

Create Tunnel Interface

On Cisco IOS XE Catalyst SD-WAN devices, you can configure up to eight tunnel interfaces. This means that each Cisco IOS XE Catalyst SD-WAN device router can have up to eight TLOCs. On Cisco Catalyst SD-WAN Controllers and Cisco SD-WAN Manager, you can configure one tunnel interface.
For the control plane to establish itself so that the overlay network can function, you must configure WAN transport interfaces in VPN 0. The WAN interface enables the flow of tunnel traffic to the overlay. You can add other parameters shown in the table below only after you configure the WAN interface as a tunnel interface.
To configure a tunnel interface, select Interface Tunnel and configure the following parameters:

Parameter Name: Description

Tunnel Interface: Click On to create a tunnel interface.
Color: Select a color for the TLOC.
Port Hop: Click On to enable port hopping, or click Off to disable it. If port hopping is enabled globally, you can disable it on an individual TLOC (tunnel interface). To control port hopping on a global level, use the System configuration template.
    Default: Enabled
    Cisco SD-WAN Manager and Cisco Catalyst SD-WAN Controller default: Disabled
TCP MSS: TCP MSS affects any packet that contains an initial TCP header that flows through the router. When configured, TCP MSS is examined against the MSS exchanged in the three-way handshake. The MSS in the header is lowered if the configured TCP MSS setting is lower than the MSS in the header. If the MSS header value is already lower than the TCP MSS, the packets flow unmodified. The host at the end of the tunnel uses the lower setting of the two hosts. If the TCP MSS is to be configured, it should be set at 40 bytes lower than the minimum path MTU.
    Specify the MSS of TCP SYN packets passing through the Cisco IOS XE Catalyst SD-WAN device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.
    Range: 552 to 1460 bytes
    Default: None
Clear-Dont-Fragment: Configure Clear-Dont-Fragment for packets that arrive at an interface that has Don't Fragment configured. If these packets are larger than what the MTU allows, they are dropped. If you clear the Don't Fragment bit, the packets are fragmented and sent.
    Click On to clear the Dont Fragment bit in the IPv4 packet header for packets being transmitted out of the interface. When the Dont Fragment bit is cleared, packets larger than the MTU of the interface are fragmented before being sent.
    Note: Clear-Dont-Fragment clears the Dont Fragment bit when the Dont Fragment bit is set. For packets not requiring fragmentation, the Dont Fragment bit is not affected.
Allow Service: Select On or Off for each service to allow or disallow the service on the interface.

To configure additional tunnel interface parameters, click Advanced Options:

Parameter Name: Description

Carrier: Select the carrier name or private network identifier to associate with the tunnel.
    Values: carrier1, carrier2, carrier3, carrier4, carrier5, carrier6, carrier7, carrier8, default
    Default: default
NAT Refresh Interval: Enter the interval between NAT refresh packets sent on a DTLS or TLS WAN transport connection.
    Range: 1 through 60 seconds
    Default: 5 seconds
Hello Interval: Enter the interval between Hello packets sent on a DTLS or TLS WAN transport connection.
    Range: 100 through 10000 milliseconds
    Default: 1000 milliseconds (1 second)
Hello Tolerance: Enter the time to wait for a Hello packet on a DTLS or TLS WAN transport connection before declaring that transport tunnel to be down.
    Range: 12 through 60 seconds
    Default: 12 seconds

Configure DNS and Static Hostname Mapping

To configure DNS addresses and static hostname mapping, click DNS and configure the following parameters:

Parameter Name: Description

Primary DNS Address: Click either IPv4 or IPv6, and enter the IP address of the primary DNS server in this VPN.
New DNS Address: Click New DNS Address and enter the IP address of a secondary DNS server in this VPN. This field appears only if you have specified a primary DNS address.
Mark as Optional Row: Check the Mark as Optional Row check box to mark this configuration as device-specific. To include this configuration for a device, enter the requested variable values when you attach a device template to a device, or create a template variables spreadsheet to apply the variables.
Hostname: Enter the hostname of the DNS server. The name can be up to 128 characters.
List of IP Addresses: Enter up to eight IP addresses to associate with the hostname. Separate the entries with commas.

To save the DNS server configuration, click Add.

To save the feature template, click Save.

Map Host Names to IP Addresses

! IP DNS-based host name-to-address translation is enabled
ip domain lookup
! Specifies hosts 192.168.1.111 and 192.168.1.2 as name servers
ip name-server 192.168.1.111 192.168.1.2
! Defines cisco.com as the default domain name the device uses to complete
! unqualified host names
ip domain name cisco.com

Configure Segmentation Using the CLI

Configure VRFs Using the CLI

To segment user networks and user data traffic locally at each site and to interconnect user sites across the overlay network, you create VRFs on Cisco IOS XE Catalyst SD-WAN devices. To enable the flow of data traffic, you associate interfaces with each VRF, assigning an IP address to each interface. These interfaces connect to local-site networks, not to WAN transport clouds. For each of these VRFs, you can set other interface-specific properties, and you can configure features specific to the user segment, such as BGP and OSPF routing, VRRP, QoS, traffic shaping, and policing.
On Cisco IOS XE Catalyst SD-WAN devices, the global VRF is used for transport. All Cisco IOS XE Catalyst SD-WAN devices have Mgmt-intf as the default management VRF.
To configure VRFs on Cisco IOS XE Catalyst SD-WAN devices, follow these steps:

Note:

  • Use the config-transaction command to open CLI configuration mode. The config terminal command is not supported on Cisco IOS XE Catalyst SD-WAN devices.
  • The VRF ID can be any number between 1 through 511 and 513 through 65535. The numbers 0 and 512 are reserved for Cisco SD-WAN Manager and the Cisco SD-WAN Controller.
  1. Configure the service VRFs.
    config-transaction
    vrf definition 10
    rd 1:10
    address-family ipv4
    exit-address-family
    exit
    address-family ipv6
    exit-address-family
    exit
    exit
  2. Configure the tunnel interface to be used for overlay connectivity. Each tunnel interface binds to a unique
    WAN interface. For example, if the router interface is Gig0/0/2, the tunnel interface number is 2.
    config-transaction
    interface Tunnel 2
    no shutdown
    ip unnumbered GigabitEthernet1
    tunnel source GigabitEthernet1
    tunnel mode sdwan
    exit
  3. If the router is not connected to a DHCP server, configure the IP address of the WAN interface.
    interface GigabitEthernet 1
    no shutdown
    ip address dhcp
  4. Configure the tunnel parameters.
    config-transaction
    sdwan
    interface GigabitEthernet 2
    tunnel-interface
    encapsulation ipsec
    color lte
    end
    Note: If the IP address is configured manually on the router, configure a default route as shown below. The IP address
    below indicates the next-hop IP address.
    config-transaction
    ip route 0.0.0.0 0.0.0.0 192.0.2.25
  5. Enable OMP to advertise the VRF segment routes.
    sdwan
    omp
    no shutdown
    graceful-restart
    no as-dot-notation
    timers
    holdtime 15
    graceful-restart-timer 120
    exit
    address-family ipv4
    advertise ospf external
    advertise connected
    advertise static
    exit
    address-family ipv6
    advertise ospf external
    advertise connected
    advertise static
    exit
    address-family ipv4 vrf 1
    advertise bgp
    exit
    exit
  6. Configure the service VRF interface.
    config-transaction
    interface GigabitEthernet 2
    no shutdown
    vrf forwarding 10
    ip address 192.0.2.2 255.255.255.0
    exit

Verify Configuration

Run the show ip vrf brief command to view information about the VRF interfaces.

Device# sh ip vrf brief

  Name                             Default RD            Interfaces
  10                               1:10                  Gi4
  11                               1:11                  Gi3
  30                               1:30
  65528                                                  Lo65528
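One way to turn the verification step into a repeatable check after the VRF procedure above, as an added example that is not part of the Cisco document: parse the show ip vrf brief output and audit it against the rules this section states (VRF IDs 1 through 511 and 513 through 65535, with 0 and 512 reserved; every service VRF needs an interface bound with vrf forwarding). The sample output is constructed from the table shown above with column alignment added by hand; the function names and the ASN:nn-only RD handling are assumptions of this example.

```python
import re

# Constructed from the "show ip vrf brief" output in the text; column layout is
# aligned here by hand and is not a capture from a device.
SAMPLE_OUTPUT = """\
Device# sh ip vrf brief
  Name                             Default RD            Interfaces
  10                               1:10                  Gi4
  11                               1:11                  Gi3
  30                               1:30
  65528                                                  Lo65528
"""

RESERVED_VRF_IDS = {0, 512}   # Cisco SD-WAN Manager and Cisco SD-WAN Controller
SERVICE_VRF_MIN, SERVICE_VRF_MAX = 1, 65535

# name, optional RD in ASN:nn form, optional comma-separated interface list.
# (RDs in IP:nn form are not handled; assumption made to keep the parser short.)
LINE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s*(?P<rd>\d+:\d+)?\s*(?P<ifaces>[A-Za-z][\w/.,-]*)?\s*$"
)

def parse_vrf_brief(text):
    """Return [{'name', 'rd', 'interfaces'}] from show ip vrf brief output."""
    vrfs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Name") or "#" in stripped:
            continue   # blank line, column header, or echoed prompt
        m = LINE_RE.match(line)
        if m is None:
            continue
        ifaces = m.group("ifaces")
        vrfs.append({
            "name": m.group("name"),
            "rd": m.group("rd"),
            "interfaces": ifaces.split(",") if ifaces else [],
        })
    return vrfs

def audit_vrfs(vrfs):
    """Apply the checks from this section; returns a list of findings (empty = clean)."""
    findings = []
    for v in vrfs:
        name = v["name"]
        if name.isdigit():
            vid = int(name)
            if vid in RESERVED_VRF_IDS:
                findings.append(f"VRF {name}: ID reserved for SD-WAN Manager/Controller")
            elif not SERVICE_VRF_MIN <= vid <= SERVICE_VRF_MAX:
                findings.append(f"VRF {name}: ID outside 1-511 / 513-65535")
        if v["rd"] is None:
            findings.append(f"VRF {name}: no route distinguisher configured")
        if not v["interfaces"]:
            findings.append(f"VRF {name}: no interface bound (missing 'vrf forwarding'?)")
    return findings
```

On the sample output the audit flags VRF 30 (defined but with no interface in it) and VRF 65528 (no RD shown); a clean result is an empty list.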

Segmentation (VRFs) Configuration Examples

Some straightforward examples of creating and configuring VRFs to help you understand the configuration procedure for segmenting the network.

Configuration on the Cisco Catalyst SD-WAN Controller

On the Cisco Catalyst SD-WAN Controller, you configure general system parameters and the two VPNs, VPN 0 for WAN transport and VPN 512 for network management, as you did for the Cisco IOS XE Catalyst SD-WAN device. Also, you generally create a centralized control policy that controls how the VPN traffic is propagated through the rest of the network. In this example, we create a central policy, shown below, to drop unwanted prefixes from propagating through the rest of the network. You can use a single Cisco Catalyst SD-WAN Controller policy to enforce policies throughout the network.

Here are the steps for creating the control policy on the Cisco Catalyst SD-WAN Controller:

  1. Create a list of the site IDs for the sites where you want to drop unwanted prefixes:
    vSmart(config)# policy lists site-list 20-30 site-id 20
    vSmart(config-site-list-20-30)# site-id 30
  2. Create a prefix list for the prefixes that you do not want to propagate:
    vSmart(config)# policy lists prefix-list drop-list ip-prefix 10.200.1.0/24
  3. Create the control policy:
    vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 match route prefix-list drop-list
    vSmart(config-match)# top
    vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 action reject
    vSmart(config-action)# top
    vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 default-action accept
    vSmart(config-default-action)# top
  4. Apply the policy to prefixes inbound to the Cisco Catalyst SD-WAN Controller:
    vSmart(config)# apply-policy site-list 20-30 control-policy drop-unwanted-routes in

Here is the full configuration on the Cisco Catalyst SD-WAN Controller:

apply-policy
 site-list 20-30
  control-policy drop-unwanted-routes in
 !
!
policy
 lists
  site-list 20-30
   site-id 20
   site-id 30
  !
  prefix-list drop-list
   ip-prefix 10.200.1.0/24
  !
 !
 control-policy drop-unwanted-routes
  sequence 10
   match route
    prefix-list drop-list
   !
   action reject
   !
  !
  default-action accept
 !
!
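What the controller policy above does to incoming OMP routes, as an added evaluator that is not part of the Cisco document: the site-list, prefix-list, sequence and default-action are transcribed from the configuration, and constructed route advertisements from sites 20, 30 and 40 are run through it. It assumes an ip-prefix entry with no length range matches the exact prefix only, and the function and field names are this example's own.

```python
from ipaddress import ip_network

# Policy objects transcribed from the controller configuration above.
SITE_LISTS = {"20-30": {20, 30}}
PREFIX_LISTS = {"drop-list": [ip_network("10.200.1.0/24")]}
CONTROL_POLICIES = {
    "drop-unwanted-routes": {
        "sequences": [   # evaluated in order; the first matching sequence decides
            {"seq": 10, "match": {"prefix-list": "drop-list"}, "action": "reject"},
        ],
        "default-action": "accept",
    },
}
APPLY_POLICY = [
    {"site-list": "20-30", "control-policy": "drop-unwanted-routes", "direction": "in"},
]

def prefix_list_matches(prefix, list_name):
    # Assumption: an ip-prefix entry without a length range matches the exact prefix.
    return ip_network(prefix) in PREFIX_LISTS[list_name]

def evaluate_control_policy(policy_name, route):
    """Return (action, sequence number); the sequence is None when default-action applies."""
    policy = CONTROL_POLICIES[policy_name]
    for seq in policy["sequences"]:
        match = seq["match"]
        if "prefix-list" in match and not prefix_list_matches(route["prefix"], match["prefix-list"]):
            continue
        return seq["action"], seq["seq"]
    return policy["default-action"], None

def controller_inbound(route):
    """Apply the inbound policy attached to the advertising site's site-list, if any."""
    for entry in APPLY_POLICY:
        if entry["direction"] == "in" and route["site_id"] in SITE_LISTS[entry["site-list"]]:
            return evaluate_control_policy(entry["control-policy"], route)
    return "accept", None   # no policy is applied to this site

# Constructed OMP route advertisements: advertising site, VRF, and prefix.
SAMPLE_ROUTES = [
    {"site_id": 20, "vrf": 10, "prefix": "10.200.1.0/24"},
    {"site_id": 30, "vrf": 10, "prefix": "10.200.1.0/24"},
    {"site_id": 20, "vrf": 10, "prefix": "192.168.1.0/24"},
    {"site_id": 40, "vrf": 10, "prefix": "10.200.1.0/24"},   # site 40 is not in the site-list
]

def filter_routes(routes):
    """Map (site_id, prefix) -> the action the controller takes before redistribution."""
    return {(r["site_id"], r["prefix"]): controller_inbound(r)[0] for r in routes}
```

The same 10.200.1.0/24 advertisement is rejected from sites 20 and 30 but accepted from site 40, which shows that the site-list in apply-policy, not only the prefix-list, decides the scope of the drop.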

Segmentation CLI Reference

CLI commands for monitoring segmentation (VRFs).

  • show dhcp
  • show ipv6 dhcp
  • show ip vrf brief
  • show igmp commands
  • show ip igmp groups
  • show pim commands
