CISCO SD-WAN Catalyst Segmentation

Segmentation

Note: To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.

Network segmentation has existed for over a decade and has been implemented in multiple forms and shapes.
At its most rudimentary level, segmentation provides traffic isolation. The most common forms of network segmentation are virtual LANs, or VLANs, for Layer 2 solutions, and virtual routing and forwarding, or VRF, for Layer 3 solutions.
There are many use cases for segmentation:

Use Cases for Segmentation

  • An enterprise wants to keep different lines of business separate (for example, for security or audit reasons).
  • The IT department wants to keep authenticated users separate from guest users.
  • A retail store wants to separate video surveillance traffic from transactional traffic.
  • An enterprise wants to give business partners access only to some portions of the network.
  • A service or enterprise needs to enforce regulatory compliance, such as compliance with HIPAA, the U.S. Health Insurance Portability and Accountability Act, or with the Payment Card Industry (PCI) security standards.
  • A service provider wants to provide VPN services to its medium-sized enterprises.

Limitations of Segmentation

One inherent limitation of segmentation is its scope. Segmentation solutions either are complex or are limited to a single device or a pair of devices connected using an interface. As an example, Layer 3 segmentation provides the following:

  1. Ability to group prefixes into a unique route table (RIB or FIB).
  2. Ability to associate an interface with a route table so that traffic traversing the interface is routed based on prefixes in that route table.

This is a useful functionality, but its scope is limited to a single device. To extend the functionality throughout the network, the segmentation information needs to be carried to the relevant points in the network.

How to Enable Network-Wide Segmentation

There are two approaches to providing this network-wide segmentation:

  • Define the grouping policy at every device and on every link in the network (basically, you perform Steps 1 and 2 above on every device).
  • Define the grouping policy at the edges of the segment, and then carry the segmentation information in the packets for intermediate nodes to handle.

The first approach is useful if every device is an entry or exit point for the segment, which is generally not the case in medium and large networks. The second approach is much more scalable and keeps the transport network free of segments and complexity.

  • Segmentation in Cisco Catalyst SD-WAN
  • VRFs Used in Cisco Catalyst SD-WAN Segmentation
  • Configure VRF Using Cisco SD-WAN Manager Templates
  • Configure VPNs Using Cisco SD-WAN Manager Templates
  • Configure Segmentation Using the CLI
  • Segmentation CLI Reference

Segmentation in Cisco Catalyst SD-WAN

In the Cisco Catalyst SD-WAN overlay network, VRFs divide the network into different segments.
Cisco Catalyst SD-WAN employs the more prevalent and scalable model of creating segments. Essentially, segmentation is done at the edges of a router, and the segmentation information is carried in the packets in the form of an identifier.
The figure shows the propagation of routing information inside a VRF.
Figure 1: Propagation of Routing Information Inside a VRF

In this figure:

  • Router-1 subscribes to two VRFs, red and blue.
    • The red VRF caters to the prefix 10.1.1.0/24 (either directly through a connected interface or learned using the IGP or BGP).
    • The blue VRF caters to the prefix 10.2.2.0/24 (either directly through a connected interface or learned using the IGP or BGP).
  • Router-2 subscribes to the red VRF.
    • This VRF caters to the prefix 192.168.1.0/24 (either directly through a connected interface or learned using the IGP or BGP).
  • Router-3 subscribes to the blue VRF.
    • This VRF caters to the prefix 192.168.2.0/24 (either directly through a connected interface or learned using the IGP or BGP).

Because each router has an Overlay Management Protocol (OMP) connection over a TLS tunnel to a Cisco SD-WAN Controller, it propagates its routing information to the Cisco SD-WAN Controller. On the Cisco SD-WAN Controller, the network administrator can enforce policies to drop routes, or to change TLOCs, which are overlay next hops, for traffic engineering or service chaining. A network administrator can apply these policies as inbound and outbound policies on the Cisco SD-WAN Controller.
All prefixes belonging to a single VRF are kept in a separate route table. This provides the Layer 3 isolation required for the various segments in the network. So, Router-1 has two VRF route tables, and Router-2 and Router-3 each have one route table. In addition, the Cisco SD-WAN Controller maintains the VRF context of each prefix.
Separate route tables provide isolation on a single node. So how is routing information propagated across the network?
In the Cisco Catalyst SD-WAN solution, this is done using VRF identifiers, as shown in the figure below. A VRF ID, carried in a packet, identifies each VRF on a link. When you configure a VRF on a router, the VRF has a label associated with it. The router sends the label, along with the VRF ID, to the Cisco SD-WAN Controller. The Cisco SD-WAN Controller propagates this router-to-VRF-ID mapping information to the other routers in the domain. The remote routers then use this label to send traffic to the appropriate VRF. The local routers, on receiving the data with the VRF ID label, use the label to demultiplex the data traffic. This is similar to how MPLS labels are used. This design is based on standard RFCs and is compliant with regulatory procedures such as PCI and HIPAA.

Figure 2: VRF Identifiers

Note: The transport network that connects the routers is completely unaware of the VRFs. Only the routers know about VRFs; the rest of the network follows standard IP routing.
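
The per-VRF route tables and label demultiplexing described above can be modelled in a short Python sketch. This is an added illustration, not Cisco code: the routers, VRF colours and prefixes come from Figure 1, while the label values and the class and function names are constructed for the example.

```python
import ipaddress


class Router:
    def __init__(self, name):
        self.name = name
        self.local = {}    # VRF -> locally attached networks
        self.remote = {}   # VRF -> [(network, remote router, remote label)], one table per VRF
        self.labels = {}   # local label -> VRF, used to demultiplex arriving traffic

    def configure_vrf(self, vrf, label, prefix):
        self.local.setdefault(vrf, []).append(ipaddress.ip_network(prefix))
        self.remote.setdefault(vrf, [])
        self.labels[label] = vrf

    def lookup(self, vrf, dst):
        """Longest-prefix match restricted to a single VRF's route table."""
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.remote.get(vrf, []) if addr in r[0]]
        if not hits:
            return None
        _, router, label = max(hits, key=lambda r: r[0].prefixlen)
        return router, label

    def receive(self, label, dst):
        """Demultiplex on the label, then deliver only inside that VRF."""
        vrf = self.labels.get(label)
        if vrf is None:
            return None
        addr = ipaddress.ip_address(dst)
        return vrf if any(addr in net for net in self.local[vrf]) else None


class Controller:
    """Stand-in for the controller that redistributes (router, VRF, label, prefix)."""

    def __init__(self):
        self.routers = []

    def distribute(self):
        for origin in self.routers:
            for label, vrf in origin.labels.items():
                for peer in self.routers:
                    # A peer learns a route only if it subscribes to the same VRF.
                    if peer is origin or vrf not in peer.local:
                        continue
                    for net in origin.local[vrf]:
                        peer.remote[vrf].append((net, origin.name, label))


def build_overlay():
    """Topology of Figure 1; the label numbers are constructed."""
    r1, r2, r3 = Router("Router-1"), Router("Router-2"), Router("Router-3")
    r1.configure_vrf("red", 1001, "10.1.1.0/24")
    r1.configure_vrf("blue", 1002, "10.2.2.0/24")
    r2.configure_vrf("red", 2001, "192.168.1.0/24")
    r3.configure_vrf("blue", 3001, "192.168.2.0/24")
    ctrl = Controller()
    ctrl.routers = [r1, r2, r3]
    ctrl.distribute()
    return {r.name: r for r in (r1, r2, r3)}


if __name__ == "__main__":
    overlay = build_overlay()
    r1, r2 = overlay["Router-1"], overlay["Router-2"]
    print(r2.lookup("red", "10.1.1.5"))    # route exists in the red table
    print(r2.lookup("red", "10.2.2.5"))    # blue prefix is invisible from red
    print(r1.receive(1001, "10.2.2.5"))    # red label cannot reach a blue host
```

Router-2 never holds a blue route, and a packet arriving at Router-1 with the red label is only ever looked up against red prefixes, which is the isolation property an auditor checks for.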

VRFs Used in Cisco Catalyst SD-WAN Segmentation

The Cisco Catalyst SD-WAN solution involves the use of VRFs to separate traffic.

Global VRF

The global VRF is used for transport. To enforce the inherent separation between services (such as prefixes that belong to the enterprise) and transport (the network that connects the routers), all the transport interfaces, that is, all the TLOCs, are kept in the global VRF. This ensures that the transport network cannot reach the service network by default. Multiple transport interfaces can belong to the same VRF, and packets can be forwarded to and from transport interfaces.
The global VRF contains all interfaces for a device, except the management interface, and all the interfaces are disabled. For the control plane to establish itself so that the overlay network can function, you must configure the interfaces in the global VRF. For each interface in the global VRF, you must set an IP address, and create a tunnel connection that sets the color and encapsulation for the WAN transport connection. (The encapsulation is used for the transmission of data traffic.) These three parameters (IP address, color, and encapsulation) define a TLOC (transport location) on the router. The OMP session running on each tunnel sends the TLOC to the Cisco SD-WAN Controllers so that they can learn the overlay network topology.

Dual-Stack Support on Transport VPNs

In the global VRF, Cisco IOS XE Catalyst SD-WAN devices and Cisco SD-WAN Controller support dual stack. To enable dual stack, configure an IPv4 address and an IPv6 address on the tunnel interface. The router learns from the Cisco SD-WAN Controller whether a destination supports IPv4 or IPv6 addresses. When forwarding traffic, the router chooses either the IPv4 or the IPv6 TLOC, based on the destination address. But IPv4 is always preferred when configured.

Management VRF

Mgmt-Intf is the management VRF on Cisco IOS XE Catalyst SD-WAN devices. It is configured and enabled by default. It carries out-of-band network management traffic among the devices in the overlay network. You can modify this configuration, if required.

Configure VRF Using Cisco SD-WAN Manager Templates

In Cisco SD-WAN Manager, use a CLI template to configure VRFs for a device. For each VRF, configure a subinterface and link the subinterface to the VRF. You can configure up to 300 VRFs.
When you push a CLI template to a device, Cisco SD-WAN Manager overwrites the existing configuration on the device and loads the configuration defined in the CLI template. Consequently, the template cannot provide only the new content being configured, such as VRFs. The CLI template must include all the configuration details required by the device. To display the relevant configuration details on a device, use the show sdwan running-config command.
For details about creating and applying CLI templates, and for an example of configuring VRFs, see the CLI Templates for Cisco IOS XE Catalyst SD-WAN Routers chapter of the Systems and Interfaces Configuration Guide, Cisco IOS XE Release 17.x.
The following are the supported devices:

  • Cisco ASR1001-HX
  • ASR1002-HX

Configure VPNs Using Cisco SD-WAN Manager Templates

Create a VPN Template

Note: Cisco IOS XE Catalyst SD-WAN devices use VRFs for segmentation and network isolation. However, the following steps still apply if you are configuring segmentation for Cisco IOS XE Catalyst SD-WAN devices through Cisco SD-WAN Manager. When you complete the configuration, the system automatically converts the VPNs to VRFs for Cisco IOS XE Catalyst SD-WAN devices.

Note: You can configure a static route through the VPN template.

  • Step 1 From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
  • Step 2 Click Device Templates, and then click Create Template.
    Note: In Cisco vManage Release 20.7.x and earlier releases, Device Templates is called Device.
  • Step 3 From the Create Template drop-down list, choose From Feature Template.
  • Step 4 From the Device Model drop-down list, choose the type of device for which you want to create the template.
  • Step 5 To create a template for VPN 0 or VPN 512:
    a. Click Transport & Management VPN, or scroll to the Transport & Management VPN section.
    b. From the VPN 0 or VPN 512 drop-down list, click Create Template. The VPN template form appears.
    The form contains fields for naming the template, and fields for defining VPN parameters.
  • Step 6 To create a template for VPNs 1 through 511, and 513 through 65527:
    a. Click Service VPN, or scroll to the Service VPN section.
    b. Click the Service VPN drop-down list.
    c. From the VPN drop-down list, click Create Template. The VPN template form appears.
    The form contains fields for naming the template, and fields for defining VPN parameters.
  • Step 7 In Template Name, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  • Step 8 In Template Description, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

Configure Basic VPN Parameters

To configure basic VPN parameters, choose Basic Configuration and then configure the following parameters.
Parameters marked with an asterisk are required to configure a VPN.

Parameter Name: Description

  • VPN: Enter the numeric identifier of the VPN.
    Range for Cisco IOS XE Catalyst SD-WAN devices: 0 through 65527
    Values for Cisco Catalyst SD-WAN Controller and Cisco SD-WAN Manager devices: 0, 512
  • Name: Enter a name for the VPN.
    Note: For Cisco IOS XE Catalyst SD-WAN devices, you cannot enter a device-specific name for the VPN.
  • Enhance ECMP Keying: Click On to enable the use in the ECMP hash key of Layer 4 source and destination ports, in addition to the combination of the source and destination IP addresses, as the ECMP hash key.
    ECMP keying is Off by default.

Note: To complete the configuration of the transport VPN on a router, you must configure at least one interface in VPN 0.

To save the feature template, click Save.

Configure Load-Balancing Algorithm Using the CLI

Note: Starting from Cisco IOS XE Catalyst SD-WAN Release 17.8.1a, you need a CLI template to configure the src-only load-sharing algorithm for IPv4 and IPv6 Cisco Catalyst SD-WAN traffic. For complete details on the load-sharing algorithm CLI, see the IP Commands list.

The following provides CLI configurations for selecting a Cisco Express Forwarding load-balancing algorithm for Cisco Catalyst SD-WAN IPv4 and IPv6 traffic. You can enable ECMP keying to send the configurations for both IPv4 and IPv6.

Device# config-transaction
Device(config)# ip cef load-sharing algorithm {universal [id] | include-ports [source [id] | destination [id]] | src-only [id]}

Device# config-transaction
Device(config)# ipv6 cef load-sharing algorithm {universal [id] | include-ports [source [id] | destination [id]] | src-only [id]}

The following provides CLI configurations for enabling the load-balancing algorithm on an interface for Cisco Catalyst SD-WAN IPv4 and IPv6 traffic. You can enable ECMP keying to send the configurations for both IPv4 and IPv6.

Device# config-transaction
Device(config)# sdwan
Device(config-sdwan)# ip load-sharing algorithm {ip-and-ports | src-dst-ip | src-ip-only}

Device# config-transaction
Device(config)# sdwan
Device(config-sdwan)# ipv6 load-sharing algorithm {ip-and-ports | src-dst-ip | src-ip-only}

Configure Basic Interface Functionality

To configure basic interface functionality in a VPN, choose Basic Configuration and configure the following parameters:

Note: Parameters marked with an asterisk are required to configure an interface.

Parameter Name (IPv4 or IPv6, Options): Description

  • Shutdown*: Click No to enable the interface.
  • Interface name*: Enter a name for the interface.
    For Cisco IOS XE Catalyst SD-WAN devices, you must:
    • Spell out the interface names completely (for example, GigabitEthernet0/0/0).
    • Configure all the router's interfaces, even if you are not using them, so that they are configured in the shutdown state and so that all default values for them are configured.
  • Description: Enter a description for the interface.
  • IPv4 / IPv6: Click IPv4 to configure an IPv4 VPN interface. Click IPv6 to configure an IPv6 interface.
  • Dynamic: Click Dynamic to set the interface as a Dynamic Host Configuration Protocol (DHCP) client, so that the interface receives its IP address from a DHCP server.
    • DHCP Distance (Both): Optionally, enter an administrative distance value for routes learned from a DHCP server. The default is 1.
    • DHCP Rapid Commit (IPv6): Optionally, configure the DHCP IPv6 local server to support DHCP Rapid Commit, to enable faster client configuration and confirmation in busy environments.
      Click On to enable DHCP rapid commit.
      Click Off to continue using the regular commit process.
  • Static: Click Static to enter an IP address that does not change.
    • IPv4 Address (IPv4): Enter a static IPv4 address.
    • IPv6 Address (IPv6): Enter a static IPv6 address.
  • Secondary IP Address (IPv4): Click Add to enter up to four secondary IPv4 addresses for a service-side interface.
  • IPv6 Address (IPv6): Click Add to enter up to two secondary IPv6 addresses for a service-side interface.
  • DHCP Helper (Both): To designate the interface as a DHCP helper on a router, enter up to eight IP addresses, separated by commas, for DHCP servers in the network. A DHCP helper interface forwards BootP (broadcast) DHCP requests that it receives from the specified DHCP servers.
  • Block Non-Source IP (Yes / No): Click Yes to have the interface forward traffic only if the source IP address of the traffic matches the interface's IP prefix range. Click No to allow other traffic.

Create a Tunnel Interface

On Cisco IOS XE Catalyst SD-WAN devices, you can configure up to eight tunnel interfaces. This means that each Cisco IOS XE Catalyst SD-WAN router can have up to eight TLOCs. On Cisco Catalyst SD-WAN Controllers and Cisco SD-WAN Manager, you can configure one tunnel interface.
For the control plane to establish itself so that the overlay network can function, you must configure WAN transport interfaces in VPN 0. The WAN interface enables the flow of tunnel traffic to the overlay. You can add the other parameters shown in the table below only after you configure the WAN interface as a tunnel interface.
To configure a tunnel interface, choose Interface Tunnel and configure the following parameters:

Parameter Name: Description

  • Tunnel Interface: Click On to create a tunnel interface.
  • Color: Choose a color for the TLOC.
  • Port Hop: Click On to enable port hopping, or click Off to disable it. If port hopping is enabled globally, you can disable it on an individual TLOC (tunnel interface). To control port hopping on a global level, use the System configuration template.
    Default: Enabled
    Cisco SD-WAN Manager and Cisco Catalyst SD-WAN Controller default: Disabled
  • TCP MSS: TCP MSS affects any packet that contains an initial TCP header that flows through the router. When configured, TCP MSS is examined against the MSS exchanged in the three-way handshake. The MSS in the header is lowered if the configured TCP MSS setting is lower than the MSS in the header. If the MSS header value is already lower than the TCP MSS, the packets flow through unmodified. The host at the end of the tunnel uses the lower setting of the two hosts. If the TCP MSS is to be configured, it should be set at 40 bytes lower than the minimum path MTU.
    Specify the MSS of TCP SYN packets passing through the Cisco IOS XE Catalyst SD-WAN device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.
    Range: 552 to 1460 bytes
    Default: None
  • Clear-Dont-Fragment: Configure Clear-Dont-Fragment for packets that arrive at an interface that has Don't Fragment configured. If these packets are larger than what the MTU allows, they are dropped. If you clear the Don't Fragment bit, the packets are fragmented and sent.
    Click On to clear the Dont Fragment bit in the IPv4 packet header for packets being transmitted out of the interface. When the Dont Fragment bit is cleared, packets larger than the MTU of the interface are fragmented before being sent.
    Note: Clear-Dont-Fragment clears the Dont Fragment bit when the Dont Fragment bit is set. For packets not requiring fragmentation, the Dont Fragment bit is not affected.
  • Allow Service: Choose On or Off for each service to allow or disallow the service on the interface.

To configure additional tunnel interface parameters, click Advanced Options:

Parameter Name: Description

  • Carrier: Choose the carrier name or private network identifier to associate with the tunnel.
    Values: carrier1, carrier2, carrier3, carrier4, carrier5, carrier6, carrier7, carrier8, default
    Default: default
  • NAT Refresh Interval: Enter the interval between NAT refresh packets sent on a DTLS or TLS WAN transport connection.
    Range: 1 through 60 seconds
    Default: 5 seconds
  • Hello Interval: Enter the interval between Hello packets sent on a DTLS or TLS WAN transport connection.
    Range: 100 through 10000 milliseconds
    Default: 1000 milliseconds (1 second)
  • Hello Tolerance: Enter the time to wait for a Hello packet on a DTLS or TLS WAN transport connection before declaring that transport tunnel to be down.
    Range: 12 through 60 seconds
    Default: 12 seconds

Configure DNS and Static Hostname Mapping

To configure DNS addresses and static hostname mapping, click DNS and configure the following parameters:

Parameter Name (Options): Description

  • Primary DNS Address: Click either IPv4 or IPv6, and enter the IP address of the primary DNS server in this VPN.
  • New DNS Address: Click New DNS Address and enter the IP address of a secondary DNS server in this VPN. This field appears only if you have specified a primary DNS address.
    • Mark as Optional Row: Check the Mark as Optional Row check box to mark this configuration as device-specific. To include this configuration for a device, enter the requested variable values when you attach a device template to a device, or create a template variables spreadsheet to apply the variables.
    • Hostname: Enter the hostname of the DNS server. The name can be up to 128 characters.
    • List of IP Addresses: Enter up to eight IP addresses to associate with the hostname. Separate the entries with commas.
    To save the DNS server configuration, click Add.

To save the feature template, click Save.

Mapping Host Names to IP Addresses

! IP DNS-based host name-to-address translation is enabled
ip domain lookup
! Specifies hosts 192.168.1.111 and 192.168.1.2 as name servers
ip name-server 192.168.1.111 192.168.1.2
! Defines cisco.com as the default domain name the device uses to complete
! Set the name for unqualified host names
ip domain name cisco.com

Configure Segmentation Using the CLI

Configure VRFs Using the CLI

To segment user networks and user data traffic locally at each site and to interconnect user sites across the overlay network, you create VRFs on Cisco IOS XE Catalyst SD-WAN devices. To enable the flow of data traffic, you associate interfaces with each VRF, assigning an IP address to each interface. These interfaces connect to local-site networks, not to WAN transport clouds. For each of these VRFs, you can set other interface-specific properties, and you can configure features specific to the user segment, such as BGP and OSPF routing, VRRP, QoS, traffic shaping, and policing.
On Cisco IOS XE Catalyst SD-WAN devices, a global VRF is used for transport. All Cisco IOS XE Catalyst SD-WAN devices have Mgmt-intf as the default management VRF.
To configure VRFs on Cisco IOS XE Catalyst SD-WAN devices, follow these steps:

Note:

  • Use the config-transaction command to open CLI configuration mode. The config terminal command is not supported on Cisco IOS XE Catalyst SD-WAN devices.
  • The VRF ID can be any number between 1 through 511 and 513 through 65535. The numbers 0 and 512 are reserved for Cisco SD-WAN Manager and Cisco SD-WAN Controller.

  1. Configure service VRFs.
    config-transaction
    vrf definition 10
    rd 1:10
    address-family ipv4
    exit-address-family
    exit
    address-family ipv6
    exit-address-family
    exit
    exit
  2. Configure the tunnel interface to be used for overlay connectivity. Each tunnel interface binds to a single WAN interface. For example, if the router interface is Gig0/0/2, the tunnel interface number is 2.
    config-transaction
    interface Tunnel 2
    no shutdown
    ip unnumbered GigabitEthernet1
    tunnel source GigabitEthernet1
    tunnel mode sdwan
    exit
  3. If the router is not connected to a DHCP server, configure the IP address of the WAN interface.
    interface GigabitEthernet 1
    no shutdown
    ip address dhcp
  4. Configure tunnel parameters.
    config-transaction
    sdwan
    interface GigabitEthernet 2
    tunnel-interface
    encapsulation ipsec
    color lte
    end
    Note: If an IP address is manually configured on the router, configure a default route as shown below. The IP address below indicates a next-hop IP address.
    config-transaction
    ip route 0.0.0.0 0.0.0.0 192.0.2.25
  5. Enable OMP to advertise VRF segment routes.
    sdwan
    omp
    no shutdown
    graceful-restart
    no as-dot-notation
    timers
    holdtime 15
    graceful-restart-timer 120
    exit
    address-family ipv4
    advertise ospf external
    advertise connected
    advertise static
    exit
    address-family ipv6
    advertise ospf external
    advertise connected
    advertise static
    exit
    address-family ipv4 vrf 1
    advertise bgp
    exit
    exit
  6. Configure the service VRF interface.
    config-transaction
    interface GigabitEthernet 2
    no shutdown
    vrf forwarding 10
    ip address 192.0.2.2 255.255.255.0
    exit

Verify Configuration

Run the show ip vrf brief command to view information about the VRF interface.

Device# sh ip vrf brief

Name        Default RD    Interfaces
10          1:10          Gi4
11          1:11          Gi3
30          1:30
65528                     Lo65528
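
Beyond checking the command output by eye, the rules stated in this section can be checked mechanically against a saved configuration. The following Python sketch is an added example, not a Cisco tool: it flags VRF IDs outside the 1 to 511 and 513 to 65535 range given in the note above, interfaces bound to a VRF that is never defined, and transport (tunnel) interfaces that were also placed in a service VRF instead of staying in the global VRF. The sample configuration and the function names are constructed for the example, and the parser assumes indented output in the style of show sdwan running-config.

```python
import re

# Constructed sample in the style of "show sdwan running-config" output.
SAMPLE_CONFIG = """\
vrf definition 10
 rd 1:10
 address-family ipv4
  exit-address-family
 !
!
vrf definition 512
 rd 1:512
!
interface GigabitEthernet1
 no shutdown
 ip address dhcp
!
interface GigabitEthernet2
 no shutdown
 vrf forwarding 10
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet3
 no shutdown
 vrf forwarding 20
!
sdwan
 interface GigabitEthernet1
  tunnel-interface
   encapsulation ipsec
   color lte
  !
 !
 interface GigabitEthernet2
  tunnel-interface
   encapsulation ipsec
  !
 !
!
"""


def vrf_id_allowed(vrf_id):
    """Service VRF IDs per the note above: 1-511 and 513-65535 (0 and 512 reserved)."""
    return 1 <= vrf_id <= 511 or 513 <= vrf_id <= 65535


def audit(config):
    """Return sorted (finding, subject) tuples for segmentation mistakes."""
    defined, if_vrf, transport, findings = set(), {}, set(), []
    top, sd_if = "", None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0] not in " \t":                 # unindented line opens a new block
            top, sd_if = line, None
            m = re.fullmatch(r"vrf definition (\S+)", line)
            if m:
                defined.add(m.group(1))
                if m.group(1).isdigit() and not vrf_id_allowed(int(m.group(1))):
                    findings.append(("vrf-id-not-allowed", m.group(1)))
        elif top == "sdwan":
            m = re.fullmatch(r"interface (.+)", line)
            if m:
                sd_if = m.group(1).replace(" ", "")
            elif line == "tunnel-interface" and sd_if:
                transport.add(sd_if)            # this interface is a TLOC
        elif top.startswith("interface "):
            m = re.fullmatch(r"vrf forwarding (\S+)", line)
            if m:
                if_vrf[top.split(None, 1)[1].replace(" ", "")] = m.group(1)
    for ifname, vrf in if_vrf.items():
        if vrf not in defined:
            findings.append(("undefined-vrf", ifname))
        if ifname in transport:                 # transport must stay in the global VRF
            findings.append(("transport-in-service-vrf", ifname))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_CONFIG):
        print(f"{finding}: {subject}")
```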

Segmentation (VRFs) Configuration Examples

Some straightforward examples of creating and configuring VRFs to help you understand the configuration procedure for segmenting networks.

Configuration on the Cisco Catalyst SD-WAN Controller

On the Cisco Catalyst SD-WAN Controller, you configure general system parameters and the two VPNs (VPN 0 for WAN transport and VPN 512 for network management) as you did for the Cisco IOS XE Catalyst SD-WAN device. Also, you generally create a centralized control policy that controls how the VPN traffic is propagated through the rest of the network. In this particular example, we create a central policy, shown below, to drop unwanted prefixes from propagating through the rest of the network. You can use a single Cisco Catalyst SD-WAN Controller policy to enforce policies throughout the network.

Here are the steps for creating the control policy on the Cisco Catalyst SD-WAN Controller:

  1. Create a list of site IDs for the sites where you want to drop unwanted prefixes:
    vSmart(config)# policy lists site-list 20-30 site-id 20
    vSmart(config-site-list-20-30)# site-id 30
  2. Create a prefix list for the prefixes that you do not want to propagate:
    vSmart(config)# policy lists prefix-list drop-list ip-prefix 10.200.1.0/24
  3. Create the control policy:
    vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 match route prefix-list drop-list
    vSmart(config-match)# top
    vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 action reject
    vSmart(config-action)# top
    vSmart(config)# policy control-policy drop-unwanted-routes sequence 10 default-action accept
    vSmart(config-default-action)# top
  4. Apply the policy to prefixes inbound to the Cisco Catalyst SD-WAN Controller:
    vSmart(config)# apply-policy site-list 20-30 control-policy drop-unwanted-routes in

Here is the full policy configuration on the Cisco Catalyst SD-WAN Controller:

apply-policy
 site-list 20-30
  control-policy drop-unwanted-routes in
 !
!
policy
 lists
  site-list 20-30
   site-id 20
   site-id 30
  !
  prefix-list drop-list
   ip-prefix 10.200.1.0/24
  !
 !
 control-policy drop-unwanted-routes
  sequence 10
   match route
    prefix-list drop-list
   !
   action reject
   !
  !
  default-action accept
 !
!
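
To see what this policy accepts and rejects before it is applied, the Python sketch below parses the configuration above and evaluates route advertisements against it. It is an added example, not Cisco code: parse_policy and evaluate are names chosen here, the test routes are constructed, and a prefix-list entry without ge or le is modelled as an exact prefix/length match, so a more-specific route inside 10.200.1.0/24 is not dropped by this policy.

```python
import ipaddress

# Copy of the controller policy shown on this page.
POLICY_TEXT = """\
apply-policy
 site-list 20-30
  control-policy drop-unwanted-routes in
 !
!
policy
 lists
  site-list 20-30
   site-id 20
   site-id 30
  !
  prefix-list drop-list
   ip-prefix 10.200.1.0/24
  !
 !
 control-policy drop-unwanted-routes
  sequence 10
   match route
    prefix-list drop-list
   !
   action reject
   !
  !
  default-action accept
 !
!
"""


def parse_policy(text):
    """Keyword-driven parser for the subset of policy syntax used above."""
    site_lists, prefix_lists, policies, applied = {}, {}, {}, {}
    section = cur = pol = seq = None
    for tok in (line.split() for line in text.splitlines()):
        if not tok or tok[0] == "!":
            continue
        key = tok[0]
        if key in ("apply-policy", "policy"):
            section, pol = key, None
        elif key == "control-policy" and section == "apply-policy":
            applied[cur] = (tok[1], tok[2])          # site-list -> (policy, direction)
        elif key == "control-policy":
            # An unspecified default-action is modelled as reject (assumption).
            pol = policies.setdefault(tok[1], {"sequences": [], "default": "reject"})
        elif key == "site-list":
            cur = tok[1]
            if section == "policy":
                site_lists.setdefault(cur, set())
        elif key == "site-id":
            site_lists[cur].add(int(tok[1]))
        elif key == "prefix-list" and pol is None:   # definition under "lists"
            cur = tok[1]
            prefix_lists.setdefault(cur, set())
        elif key == "ip-prefix":
            prefix_lists[cur].add(ipaddress.ip_network(tok[1]))
        elif key == "sequence":
            seq = {"id": int(tok[1]), "prefix_list": None, "action": "reject"}
            pol["sequences"].append(seq)
        elif key == "prefix-list":                   # reference under "match route"
            seq["prefix_list"] = tok[1]
        elif key == "action":
            seq["action"] = tok[1]
        elif key == "default-action":
            pol["default"] = tok[1]
    return site_lists, prefix_lists, policies, applied


def evaluate(parsed, site_id, prefix, direction="in"):
    """Return 'accept' or 'reject' for a route advertised by site_id."""
    site_lists, prefix_lists, policies, applied = parsed
    net = ipaddress.ip_network(prefix)
    for list_name, (pol_name, pol_dir) in applied.items():
        if pol_dir != direction or site_id not in site_lists.get(list_name, ()):
            continue
        pol = policies[pol_name]
        for seq in sorted(pol["sequences"], key=lambda s: s["id"]):
            # Entries without ge/le are compared as exact prefix/length pairs.
            if seq["prefix_list"] is None or net in prefix_lists[seq["prefix_list"]]:
                return seq["action"]
        return pol["default"]
    return "accept"   # no control policy is applied to this site


if __name__ == "__main__":
    parsed = parse_policy(POLICY_TEXT)
    for site, pfx in [(20, "10.200.1.0/24"), (40, "10.200.1.0/24"), (20, "10.200.1.128/25")]:
        print(site, pfx, evaluate(parsed, site, pfx))
```

Sites outside the 20-30 site list are untouched by the policy, so the same prefix advertised from another site still propagates.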

Segmentation CLI Reference

CLI commands for monitoring segmentation (VRFs).

  • show dhcp
  • show ipv6 dhcp
  • show ip vrf brief
  • show igmp commands
  • show ip igmp groups
  • show pim commands
