2024-11-03 Cat9000V GIR 機能検証

提供:hkatou_Lab
2024年11月3日 (日) 10:09時点におけるHkatou (トーク | 投稿記録)による版 (ページの作成:「Nexus で採用され Catalyst 9000 から実装された GIR について、機能検証を実施しました。 このページにラボシナリオとして、コンフィグや確認コマンド、疎通確認のポイントなどをまとめています。 検証対象として Catalyst 9000V Q200 を使用していますが、実機の Catalyst 9000 シリーズでも同様の動作をするはずです。 == 目的 == GIR の動作について理解を深…」)
(差分) ← 古い版 | 最新版 (差分) | 新しい版 → (差分)

Nexus で採用され Catalyst 9000 から実装された GIR について、機能検証を実施しました。

このページにラボシナリオとして、コンフィグや確認コマンド、疎通確認のポイントなどをまとめています。

検証対象として Catalyst 9000V Q200 を使用していますが、実機の Catalyst 9000 シリーズでも同様の動作をするはずです。

目的

GIR の動作について理解を深められること。

通信要件

GIR : BGP / OSPF / HSRP

  • GIR を開始したホストを経路迂回すること
  • GIR を停止したホストに経路復旧すること

検証環境

Cisco Catalyst 9000V Q200 : IOS-XE 17.12.1 x6

構成図

  • Catalyst 3850 : PE01 , CE01 , CE02 , CORE01 , CORE02 , CPE01

PE01 を WAN の機器、CE01 , CE02 , CORE01 , CORE02 , CPE を LAN の機器とする。

 
Catalyst PBR Feature Test Network Diagram

IP アドレッシング

文書用例示アドレス (8.8.8.8 を除く)
大種別 小種別 ネットワーク アドレス ホスト インターフェース ホスト アドレス 備考
グローバルアドレス WAN グローバルアドレス 203.0.113.128/30 PE01 Gi1/0/1 203.0.113.129/30 BGP でデフォルトルートを広報
CE01 Gi1/0/23 203.0.113.130/30 PE ルータからデフォルトルートを受信
203.0.113.132/30 PE01 Gi1/0/1 203.0.113.133/30 BGP でデフォルトルートを広報
CE02 Gi1/0/23 203.0.113.134/30 PE ルータからデフォルトルートを受信
198.51.100.0/24 PE01 Lo0 198.51.100.1/32 上り方向 ping の宛先
LAN グローバル アドレス CE01 Lo0 198.51.100.11/32 iBGP ピア用
CE02 Lo0 198.51.100.12/32 iBGP ピア用
CORE01 Lo0 198.51.100.21/32
CORE02 Lo0 198.51.100.22/32
203.0.113.128/25 CE01 Po21 203.0.113.137/30 CE01 <-> CE02 間わたり OSPF P2P リンク

迂回経路用

CE02 Po21 203.0.113.138/30
CE01 Gi1/0/1 203.0.113.141/30 CE01 <-> CORE01 間 OSPF P2P リンク
CORE01 Gi1/0/23 203.0.113.142/30
CE02 Gi1/0/2 203.0.113.145/30 CE02 <-> CORE02 間 OSPF P2P リンク
CORE02 Gi1/0/24 203.0.113.146/30
CE01 Po21 203.0.113.149/30 CORE01 <-> CORE02 間 OSPF P2P リンク

迂回経路用

CE02 Po21 203.0.113.150/30
203.0.113.0/25 CE01 Vlan1 203.0.113.2/25

HSRP .1

CPE 収容 SVI
CE02 Vlan1 203.0.113.3/25

HSRP .1

CPE 収容 SVI
CPE Vlan1 203.0.113.101/25 CPE01 用ホストアドレス
プライベートアドレス LAN プライベート アドレス なし

コンフィギュレーション

ここではプロトコル・ホスト別にコンフィギュレーションを簡単に解説します。

自分でコンフィグを組んでみたい人向けに、デフォルトでは表示しません。

PE01

PE01 コンフィグ
プロトコル PE01 コンフィグ 解説
eBGP
PE01#show run | s back0|net1/0/[1-2]$|router bgp|ip route 0

interface Loopback0
 ip address 198.51.100.1 255.255.255.255

interface GigabitEthernet1/0/1
 description CE01_Gi1/0/23
 no switchport
 ip address 203.0.113.129 255.255.255.252

interface GigabitEthernet1/0/2
 description CE02_Gi1/0/23
 no switchport
 ip address 203.0.113.133 255.255.255.252

router bgp 64496
 bgp router-id 198.51.100.1
 bgp log-neighbor-changes
 bgp deterministic-med
 timers bgp 10 30
 neighbor 203.0.113.130 remote-as 64512
 neighbor 203.0.113.130 description CE01
 neighbor 203.0.113.130 default-originate
 neighbor 203.0.113.130 soft-reconfiguration inbound
 neighbor 203.0.113.134 remote-as 64512
 neighbor 203.0.113.134 description CE02
 neighbor 203.0.113.134 default-originate
 neighbor 203.0.113.134 soft-reconfiguration inbound

ip route 0.0.0.0 0.0.0.0 Null0 254
CE01 , 02 と eBGP ピアを張るための設定

CE01 , 02

CE01 , 02 コンフィグ
プロトコル CE01 コンフィグ CE02 コンフィグ 解説
eBGP
CE01#show run | s back0|net1/0/23$|^router bgp|route-map

interface Loopback0
 ip address 198.51.100.11 255.255.255.255

interface GigabitEthernet1/0/23
 description PE01_Gi1/0/1
 no switchport
 ip address 203.0.113.130 255.255.255.252

router bgp 64512
 bgp router-id 198.51.100.11
 bgp log-neighbor-changes
 bgp deterministic-med
 network 203.0.113.0 mask 255.255.255.128
 timers bgp 10 30
 neighbor 198.51.100.12 remote-as 64512
 neighbor 198.51.100.12 description CE02
 neighbor 198.51.100.12 update-source Loopback0
 neighbor 198.51.100.12 next-hop-self
 neighbor 198.51.100.12 soft-reconfiguration inbound
 neighbor 203.0.113.129 remote-as 64496
 neighbor 203.0.113.129 description PE01
 neighbor 203.0.113.129 soft-reconfiguration inbound
 neighbor 203.0.113.129 route-map LP300 in
 neighbor 203.0.113.129 route-map MED100 out

route-map LP300 permit 10
 set local-preference 300

route-map MED100 permit 10
 set metric 100
CE02#show run | s back0|net1/0/23$|^router bgp|route-map

interface Loopback0
 ip address 198.51.100.12 255.255.255.255

interface GigabitEthernet1/0/23
 description PE01_Gi1/0/2
 no switchport
 ip address 203.0.113.134 255.255.255.252

router bgp 64512
 bgp router-id 198.51.100.12
 bgp log-neighbor-changes
 bgp deterministic-med
 network 203.0.113.0 mask 255.255.255.128
 timers bgp 10 30
 neighbor 198.51.100.11 remote-as 64512
 neighbor 198.51.100.11 description CE01
 neighbor 198.51.100.11 update-source Loopback0
 neighbor 198.51.100.11 next-hop-self
 neighbor 198.51.100.11 soft-reconfiguration inbound
 neighbor 203.0.113.133 remote-as 64496
 neighbor 203.0.113.133 description PE01
 neighbor 203.0.113.133 soft-reconfiguration inbound
 neighbor 203.0.113.133 route-map LP100 in
 neighbor 203.0.113.133 route-map MED300 out

route-map MED300 permit 10
 set metric 300

route-map LP100 permit 10
 set local-preference 100
PE01 と eBGP ピア、

CE01 と CE02 で iBGP ピアを 張るコンフィグ route-map LP300 LP300 で上りトラフィックを優先する 値が高いほうが優先 route-map MED100 MED100 で下りトラフィックを優先する 値が低いほうが優先

OSPF
CE01#show run | s net1/0/1$|net1/0/2[1-2]$|el21|^router ospf

interface Port-channel21
 description CE02_Po21
 no switchport
 ip address 203.0.113.137 255.255.255.252
 ip ospf network point-to-point
 ip ospf cost 100

interface GigabitEthernet1/0/1
 description CORE01_Gi1/0/23
 no switchport
 ip address 203.0.113.141 255.255.255.252
 ip ospf network point-to-point
 ip ospf cost 1

interface GigabitEthernet1/0/21
 description CE02_Gi1/0/21
 no switchport
 no ip address
 channel-group 21 mode active

interface GigabitEthernet1/0/22
 description CE02_Gi1/0/22
 no switchport
 no ip address
 channel-group 21 mode active

router ospf 1
 router-id 198.51.100.11
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 no passive-interface Port-channel21
 network 198.51.100.11 0.0.0.0 area 0.0.0.0
 network 203.0.113.136 0.0.0.3 area 0.0.0.0
 network 203.0.113.140 0.0.0.3 area 0.0.0.0
 default-information originate metric 1 metric-type 1
CE02#show run | s net1/0/2$|net1/0/2[1-2]$|el21|^router ospf

interface Port-channel21
 description CE01_Po21
 no switchport
 ip address 203.0.113.138 255.255.255.252
 ip ospf network point-to-point
 ip ospf cost 100

interface GigabitEthernet1/0/2
 description CORE02_Gi1/0/24
 no switchport
 ip address 203.0.113.145 255.255.255.252
 ip ospf network point-to-point
 ip ospf cost 40

interface GigabitEthernet1/0/21
 description CE01_Gi1/0/21
 no switchport
 no ip address
 channel-group 21 mode active

interface GigabitEthernet1/0/22
 description CE01_Gi1/0/22
 no switchport
 no ip address
 channel-group 21 mode active

router ospf 1
 router-id 198.51.100.12
 passive-interface default
 no passive-interface GigabitEthernet1/0/2
 no passive-interface Port-channel21
 network 198.51.100.12 0.0.0.0 area 0.0.0.0
 network 203.0.113.144 0.0.0.3 area 0.0.0.0
 network 203.0.113.128 0.0.0.127 area 0.0.0.0
 default-information originate metric 100 metric-type 1
CE01 , 02 間

CE01 , 02 <-> CORE01 , 02 間 OSPF iBGP で使用する Loopback を広報する

GIR
CE01#show run | s mainte
maintenance-template BGP_OSPF
 router bgp 64512
 router ospf 1
system mode maintenance
 template BGP_OSPF
CE02#show run | s mainte
maintenance-template BGP_OSPF
 router bgp 64512
 router ospf 1
system mode maintenance
 template BGP_OSPF
CORE01 , 02 コンフィグ
種別 CORE01 コンフィグ CORE02 コンフィグ 解説
OSPF
CORE01#show run | s net1/0/2[1-2]$|el21|^router ospf

interface Port-channel21
 description CORE02_Po21
 no switchport
 ip address 203.0.113.149 255.255.255.252
 ip ospf network point-to-point
 ip ospf cost 50

interface GigabitEthernet1/0/21
 description CORE02_Gi1/0/21
 no switchport
 no ip address
 channel-group 21 mode active

interface GigabitEthernet1/0/22
 description CORE02_Gi1/0/22
 no switchport
 no ip address
 channel-group 21 mode active

router ospf 1
 router-id 198.51.100.21
 passive-interface default
 no passive-interface GigabitEthernet1/0/23
 no passive-interface Port-channel21
 network 198.51.100.21 0.0.0.0 area 0.0.0.0
 network 203.0.113.0 0.0.0.127 area 0.0.0.0
 network 203.0.113.140 0.0.0.3 area 0.0.0.0
 network 203.0.113.148 0.0.0.3 area 0.0.0.0
CORE02#show run | s net1/0/2[1-2]$|el21|^router ospf

interface Port-channel21
 description CORE01_Po21
 no switchport
 ip address 203.0.113.150 255.255.255.252
 ip ospf network point-to-point
 ip ospf cost 50

interface GigabitEthernet1/0/21
 description CORE01_GI1/0/21
 no switchport
 no ip address
 channel-group 21 mode active

interface GigabitEthernet1/0/22
 description CORE01_GI1/0/22
 no switchport
 no ip address
 channel-group 21 mode active

router ospf 1
 router-id 198.51.100.22
 passive-interface default
 no passive-interface GigabitEthernet1/0/24
 no passive-interface Port-channel21
 network 198.51.100.22 0.0.0.0 area 0.0.0.0
 network 203.0.113.0 0.0.0.127 area 0.0.0.0
 network 203.0.113.144 0.0.0.3 area 0.0.0.0
 network 203.0.113.148 0.0.0.3 area 0.0.0.0
HSRP
CORE01#show run | s net1/0/1$|Vlan1$
interface GigabitEthernet1/0/1
 description CPE01_Gi1/0/23
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpdufilter enable

interface Vlan1
 ip address 203.0.113.2 255.255.255.128
 standby version 2
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
CORE02#show run | s net1/0/1$|Vlan1$
interface GigabitEthernet1/0/1
 description CPE01_Gi1/0/24
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpdufilter enable

interface Vlan1
 ip address 203.0.113.3 255.255.255.128
 standby version 2
 standby 1 ip 203.0.113.1
 standby 1 priority 105
 standby 1 preempt
GIR
CORE01#show run | s mainte
maintenance-template OSPF_HSRP
 router ospf 1
 hsrp Vlan1 1

system mode maintenance
 template OSPF_HSRP
CORE02#show run | s mainte
maintenance-template OSPF_HSRP
 router ospf 1
 hsrp Vlan1 1

system mode maintenance
 template OSPF_HSRP
CPE01 コンフィグ
種別 CPE01 コンフィグ 解説
ホスト
CPE01#show run | s net1/0/2[3-4]|Vlan1|ip route 0

interface GigabitEthernet1/0/23
 description CORE01_Gi1/0/1
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpdufilter enable

interface GigabitEthernet1/0/24
 description CORE02_Gi1/0/1
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpdufilter enable

interface Vlan1
 ip address 203.0.113.101 255.255.255.128

ip route 0.0.0.0 0.0.0.0 203.0.113.1

疎通・経路確認

コマンドリスト

PE01

PE01#ping 203.0.113.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 70/87/103 ms
PE01#
PE01#traceroute 203.0.113.101
Type escape sequence to abort.
Tracing the route to 203.0.113.101
VRF info: (vrf in name/id, vrf out name/id)
  1 203.0.113.130 40 msec 40 msec 38 msec
  2 203.0.113.142 81 msec 54 msec 61 msec
  3 203.0.113.101 [AS 64512] 103 msec *  105 msec

通常時は CE01 -> CORE01 -> CPE01 を経由する。

show ip bgp

CPE01

CPE01#ping 198.51.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.51.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 77/87/109 ms
CPE01#
CPE01#traceroute 198.51.100.1
Type escape sequence to abort.
Tracing the route to 198.51.100.1
VRF info: (vrf in name/id, vrf out name/id)
  1 203.0.113.2 40 msec 41 msec 72 msec
  2 203.0.113.141 63 msec 66 msec 69 msec
  3 203.0.113.129 89 msec *  84 msec

通常時は CORE01 -> CE01 -> PE01 を経由する。

CE01 GIR BGP + OSPF 動作確認

CE01#start maintenance
Template BGP_OSPF will be applied. Do you want to continue?[confirm]
CE01#
Nov  3 2024 00:43:52 UTC: %MMODE-6-MMODE_SNAPSHOT_CREATE_ENTER_MMODE: Generating current snapshot 'before_maintenance'
Nov  3 2024 00:43:52 UTC: %MMODE-6-MMODE_CLIENT_TRANSITION_START: Maintenance Isolate start for router bgp 64512
Nov  3 2024 00:44:23 UTC: %MMODE-6-MMODE_CLIENT_TRANSITION_COMPLETE: Maintenance Isolate complete for router bgp 64512
Nov  3 2024 00:44:23 UTC: %MMODE-6-MMODE_CLIENT_TRANSITION_START: Maintenance Isolate start for router ospf 1
Nov  3 2024 00:44:53 UTC: %MMODE-6-MMODE_CLIENT_TRANSITION_COMPLETE: Maintenance Isolate complete for router ospf 1
Nov  3 2024 00:44:53 UTC: %MMODE-6-MMODE_ISOLATED: System is in Maintenance
CE01 BGP + OSPF GIR 動作確認
確認 PE01 経路確認 CPE01 経路確認 備考
BGP
PE01#show ip bgp
BGP table version is 8, local router ID is 198.51.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
      0.0.0.0          0.0.0.0                                0 i
 *>   203.0.113.0/25   203.0.113.134          300             0 64512 i
通常時

経路確認

L3SW01(tcl)#tclsh
L3SW01(tcl)#foreach address {
+> 8.8.8.8
+> 203.0.113.249
+> 203.0.113.250
+> 198.51.100.253
+> 198.51.100.5
+> 198.51.100.6
+> 198.51.100.9
+> 198.51.100.10
+> 198.51.100.13
+> 198.51.100.14
+> 198.51.100.17
+> 198.51.100.18
+> 198.51.100.21
+> 198.51.100.22
+> 198.51.100.252
+>} { traceroute $address source Lo1 }
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 2 msec 3 msec
  2 203.0.113.249 3 msec *  3 msec
Type escape sequence to abort.
Tracing the route to 203.0.113.249
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 2 msec
  2  *
    203.0.113.249 3 msec *
Type escape sequence to abort.
Tracing the route to 203.0.113.250
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec *  3 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.253
VRF info: (vrf in name/id, vrf out name/id)
  1  *
    198.51.100.21 4 msec *
Type escape sequence to abort.
Tracing the route to 198.51.100.5
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 4 msec *  3 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.6
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 3 msec
  2 198.51.100.6 2 msec 2 msec 2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.9
VRF info: (vrf in name/id, vrf out name/id)
  1  *
    198.51.100.21 4 msec *
Type escape sequence to abort.
Tracing the route to 198.51.100.10
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 3 msec
  2 198.51.100.10 2 msec 2 msec 1 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.13
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec *  4 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.14
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 2 msec
  2 198.51.100.14 2 msec 2 msec 2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.17
VRF info: (vrf in name/id, vrf out name/id)
  1  *
    198.51.100.21 3 msec *
Type escape sequence to abort.
Tracing the route to 198.51.100.18
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 4 msec 2 msec 3 msec
  2 198.51.100.18 2 msec 2 msec 2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.21
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec *  2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.22
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.22 3 msec *  2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.252
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.252 2 msec *  2 msec
L3SW01(tcl)#
L3SW01(tcl)#tclsh
L3SW01(tcl)#foreach address {
+> 8.8.8.8
+> 203.0.113.249
+> 203.0.113.250
+> 198.51.100.253
+> 198.51.100.5
+> 198.51.100.6
+> 198.51.100.9
+> 198.51.100.10
+> 198.51.100.13
+> 198.51.100.14
+> 198.51.100.17
+> 198.51.100.18
+> 198.51.100.21
+> 198.51.100.22
+> 198.51.100.252
+>} { traceroute $address source Lo2 }
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 2 msec
  2 198.51.100.10 1 msec 2 msec 2 msec
  3 198.51.100.5 3 msec 3 msec 3 msec
  4 203.0.113.249 3 msec *  4 msec
Type escape sequence to abort.
Tracing the route to 203.0.113.249
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 2 msec
  2 198.51.100.10 1 msec 2 msec 2 msec
  3 198.51.100.5 3 msec 3 msec 3 msec
  4  *
    203.0.113.249 4 msec *
Type escape sequence to abort.
Tracing the route to 203.0.113.250
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 3 msec
  2 198.51.100.10 2 msec 3 msec 1 msec
  3 198.51.100.5 3 msec *  4 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.253
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec *  3 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.5
VRF info: (vrf in name/id, vrf out name/id)
  1  *
    198.51.100.21 3 msec *
Type escape sequence to abort.
Tracing the route to 198.51.100.6
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 4 msec
  2 198.51.100.6 2 msec 3 msec 2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.9
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec *  3 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.10
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 3 msec
  2 198.51.100.10 2 msec 2 msec 2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.13
VRF info: (vrf in name/id, vrf out name/id)
  1  *
    198.51.100.21 3 msec *
Type escape sequence to abort.
Tracing the route to 198.51.100.14
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 3 msec
  2 198.51.100.14 2 msec 2 msec 2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.17
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec *  3 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.18
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 13 msec 3 msec 2 msec
  2 198.51.100.18 1 msec 2 msec 2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.21
VRF info: (vrf in name/id, vrf out name/id)
  1  *
    198.51.100.21 3 msec *
Type escape sequence to abort.
Tracing the route to 198.51.100.22
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.22 3 msec *  2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.252
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.252 2 msec *  2 msec
L3SW01(tcl)#
PBR next-hop 1 つめ

障害時 経路確認

L3SW01(tcl)#foreach address {
+> 8.8.8.8
+> 203.0.113.249
+> 203.0.113.250
+> 198.51.100.253
+> 198.51.100.5
+> 198.51.100.6
+> 198.51.100.9
+> 198.51.100.10
+> 198.51.100.13
+> 198.51.100.14
+> 198.51.100.17
+> 198.51.100.18
+> 198.51.100.21
+> 198.51.100.22
+> 198.51.100.252
+>} { traceroute $address source Lo1 }
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 2 msec 2 msec
  2 203.0.113.249 3 msec *  2 msec
Type escape sequence to abort.
Tracing the route to 203.0.113.249
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 2 msec 3 msec
  2  *
    203.0.113.249 3 msec *
Type escape sequence to abort.
Tracing the route to 203.0.113.250
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec *  5 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.253
VRF info: (vrf in name/id, vrf out name/id)
  1  *
    198.51.100.21 3 msec *
Type escape sequence to abort.
Tracing the route to 198.51.100.5
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  *
  2  *  *
Type escape sequence to abort.
Tracing the route to 198.51.100.6
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  *
  2
Type escape sequence to abort.
Tracing the route to 198.51.100.9
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  *
  2
Type escape sequence to abort.
Tracing the route to 198.51.100.10
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *
Type escape sequence to abort.
Tracing the route to 198.51.100.13
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 4 msec *  4 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.14
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 3 msec
  2 198.51.100.14 2 msec 2 msec 2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.17
VRF info: (vrf in name/id, vrf out name/id)
  1  *
    198.51.100.21 3 msec *
Type escape sequence to abort.
Tracing the route to 198.51.100.18
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 2 msec
  2 198.51.100.18 1 msec 3 msec 2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.21
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec *  3 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.22
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.22 3 msec *  3 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.252
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.252 2 msec *  2 msec
L3SW01(tcl)#
L3SW01(tcl)#tclsh
L3SW01(tcl)#foreach address {
+> 8.8.8.8
+> 203.0.113.249
+> 203.0.113.250
+> 198.51.100.253
+> 198.51.100.5
+> 198.51.100.6
+> 198.51.100.9
+> 198.51.100.10
+> 198.51.100.13
+> 198.51.100.14
+> 198.51.100.17
+> 198.51.100.18
+> 198.51.100.21
+> 198.51.100.22
+> 198.51.100.252
+>} { traceroute $address source Lo2 }
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 2 msec
  2 198.51.100.18 2 msec 2 msec 2 msec
  3 198.51.100.13 2 msec 2 msec 2 msec
  4 203.0.113.249 3 msec *  4 msec
Type escape sequence to abort.
Tracing the route to 203.0.113.249
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 2 msec 2 msec
  2 198.51.100.18 2 msec 2 msec 2 msec
  3 198.51.100.13 2 msec 3 msec 4 msec
  4  *
    203.0.113.249 4 msec *
Type escape sequence to abort.
Tracing the route to 203.0.113.250
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 3 msec 6 msec
  2 198.51.100.18 2 msec 3 msec 2 msec
  3 198.51.100.13 3 msec *  3 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.253
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 2 msec *  3 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.5
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  *
  2
Type escape sequence to abort.
Tracing the route to 198.51.100.6
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *
Type escape sequence to abort.
Tracing the route to 198.51.100.9
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *
Type escape sequence to abort.
Tracing the route to 198.51.100.10
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  *
  2
Type escape sequence to abort.
Tracing the route to 198.51.100.13
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 4 msec *  3 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.14
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec 2 msec 3 msec
  2 198.51.100.14 2 msec 1 msec 2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.17
VRF info: (vrf in name/id, vrf out name/id)
  1  *
    198.51.100.21 3 msec *
Type escape sequence to abort.
Tracing the route to 198.51.100.18
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 4 msec 3 msec 2 msec
  2 198.51.100.18 2 msec 3 msec 2 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.21
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.21 3 msec *  3 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.22
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.22 3 msec *  3 msec
Type escape sequence to abort.
Tracing the route to 198.51.100.252
VRF info: (vrf in name/id, vrf out name/id)
  1 198.51.100.252 2 msec *  2 msec
L3SW01(tcl)#

エントリ確認

エントリ確認
プロトコル CE01 通常時 CE01 Gi1/0/13 障害時` 備考
PBR
CE01(config-if)#do sh run | s route-map
 ip policy route-map RM_NAT_PBR
route-map RM_NAT_PBR deny 10
 match ip address ACL_NO_NAT
route-map RM_NAT_PBR permit 20
 match ip address ACL_NAT
 set ip next-hop 198.51.100.10 198.51.100.18

CE01(config-if)#do sh ip route 198.51.100.10 255.255.255.252
Load for five secs: 5%/0%; one minute: 5%; five minutes: 5%
Time source is NTP, 15:54:08.189 JST Wed Sep 25 2024

Routing entry for 198.51.100.8/30
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan20
      Route metric is 0, traffic share count is 1


CE01(config-if)#do sh ip route 198.51.100.18
Load for five secs: 7%/0%; one minute: 5%; five minutes: 6%
Time source is NTP, 15:38:42.872 JST Wed Sep 25 2024

Routing entry for 198.51.100.16/30
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan21
      Route metric is 0, traffic share count is 1
CE01(config-if)#
CE01(config-if)#do sh run | s route-map
 ip policy route-map RM_NAT_PBR
route-map RM_NAT_PBR deny 10
 match ip address ACL_NO_NAT
route-map RM_NAT_PBR permit 20
 match ip address ACL_NAT
 set ip next-hop 198.51.100.10 198.51.100.18

CE01(config-if)#do sh ip route 198.51.100.10 255.255.255.252
Load for five secs: 4%/0%; one minute: 6%; five minutes: 5%
Time source is NTP, 15:52:51.641 JST Wed Sep 25 2024

% Subnet not in table
CE01(config-if)#


CE01(config-if)#do sh ip route 198.51.100.18
Load for five secs: 5%/0%; one minute: 5%; five minutes: 6%
Time source is NTP, 15:39:33.129 JST Wed Sep 25 2024

Routing entry for 198.51.100.16/30
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan21
      Route metric is 0, traffic share count is 1
PBR の next-hop 切替時は、障害が発生した direct connect の L3 インターフェースがダウンしており、該当のコネクテッド ルートが存在しなくなる必要がある
スタティック ルーティング
CE01(config-if)#do sh run | in ip route [0-9].*6 name
ip route 198.51.100.240 255.255.255.248 Vlan10 198.51.100.6 name NAT-RT01_NAT_Pool
CE01(config-if)#do sh ip route 198.51.100.240 255.255.255.248
Load for five secs: 5%/0%; one minute: 7%; five minutes: 6%
Time source is NTP, 15:37:27.052 JST Wed Sep 25 2024

Routing entry for 198.51.100.240/29
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 198.51.100.6, via Vlan10
      Route metric is 0, traffic share count is 1
CE01(config-if)#do sh run | in ip route [0-9].*5 name
ip route 198.51.100.240 255.255.255.248 Vlan11 198.51.100.14 5 name NAT-RT01_NAT_Pool
CE01(config-if)#do sh ip route 198.51.100.240 255.255.255.248
Load for five secs: 7%/0%; one minute: 6%; five minutes: 6%
Time source is NTP, 15:37:48.825 JST Wed Sep 25 2024

Routing entry for 198.51.100.240/29
  Known via "static", distance 5, metric 0
  Routing Descriptor Blocks:
  * 198.51.100.14, via Vlan11
      Route metric is 0, traffic share count is 1
NAT-RT01 グローバル アドレス プール宛スタティックルートが障害切り替えされている

動作確認 - ホスト別コマンドリスト

Catalyst の PBR は設定した機器で動作確認するコマンドがほぼ存在しない。

  • ACL カウンターは動作しない
  • show route-map のカウンタもハードウェア転送では動作しない
  • 一応 ip local policy route-map で自発トラフィックに PBR がかかるため、これで動作確認することは一応可能
    • 下手な設定をすると OSPF がダウンしたりするため、少なくとも商用機で未検証のコンフィグを試すのはやらない方が良い

このため、下位側の機器で ping / traceroute を実施するのが動作確認としてマストとなる。

CE01

  • show ip policy

L3SW01

  • ping
  • traceroute

リファレンス

Cisco

IP Routing Configuration Guide, Cisco IOS XE Gibraltar 16.12.x (Catalyst 3850 Switches)

脚注