#Introduction
This article is posted as day 17 of the Cisco Systems Japan Advent Calendar 2021 (first calendar), run by Cisco volunteers.
2017 edition: https://qiita.com/advent-calendar/2017/cisco
2018 edition: https://qiita.com/advent-calendar/2018/cisco
2019 edition: https://qiita.com/advent-calendar/2019/cisco
2020 edition: https://qiita.com/advent-calendar/2020/cisco
2020 edition (second calendar): https://qiita.com/advent-calendar/2020/cisco2
2021 edition: https://qiita.com/advent-calendar/2021/cisco ⇦ you are here
2021 edition (second calendar): https://qiita.com/advent-calendar/2021/cisco2
#Overview
When people talk about Cisco SD-Access, attention tends to go to the "micro-segmentation" feature that delivers group-based access control, but the "automation" features are impressive too.
This article explains exactly which parts of Cisco SD-Access automation are impressive and why. You don't need to know what Cisco SD-Access is; just read on.
Let's go!
#Starting from the finished picture
Reduced to a very simple pattern, SD-Access looks like this.
Let me introduce the cast from the top down.
DNAC: Cisco DNA Center, abbreviated DNAC (pronounced "dee-nack"). I'll call it DNAC from here on. It drives the network devices and pulls information out of them. A great deal of information. It is the protagonist of this article.
ISE: Cisco Identity Services Engine, abbreviated ISE ("ice"). It authenticates endpoints joining the network and distributes the micro-segmentation rules. It plays little part in this article, so you can ignore it.
Fusion: generally a VRF-capable BGP router. By peering over eBGP with the border nodes described below, it injects routes from the plain IP world into each SD-Access virtual network, and vice versa.
Circled C: marks an SD-Access control plane node (hereafter "control plane"). The control plane is the mechanism that provides routing inside SD-Access. Normally more than one is deployed for redundancy.
Circled B: marks an SD-Access border node (hereafter "border node"). A border node converts the data plane used inside SD-Access (VXLAN) into ordinary IP packets for transmission, and vice versa. It is usually connected to the Fusion router.
The control plane and border node roles are often co-located on one chassis, which is why a single device carries both marks.
Circled E: an edge node (hereafter "edge node"). Edge nodes connect endpoints and bring them into the SD-Access network. Normally these are the devices you have rows and rows of.
Now that you know the components of SD-Access, let's walk through a simulated experience of "how much effort does it take to build this network"!
#STEP1 Register the first devices in DNAC
First we register the devices at the very edge of SD-Access in DNAC. In the picture below, these are the two blue devices at the bottom.
To register a device in DNAC, DNAC and the device must be IP reachable. Bring up eBGP between the Fusion router and the border node so that DNAC's segment and the border node can route to each other.
Also, because DNAC takes control of devices over SSH and SNMP, it needs the device login information (username and the login, enable and SNMP community passwords). Register these in DNAC first.
Concretely, you enter the login information (called Credentials) in a DNAC GUI like the one below. On the border node side, configure the same username and password you entered here.
##About the config on the border node side
Since the aim here is to give you a general feel, I won't go into detail, but below is an example of the config actually used when this was run. Take it as a rough measure of the amount of work. (It assumes there is only one upstream Fusion router.)
The reason the IGP (IS-IS) configuration alone looks unusually thorough is that it prepares for the LAN Automation feature described later. If you don't use LAN Automation, a more casual configuration is fine.
This part is ordinary IP networking unrelated to SD-Access, so many configuration patterns are acceptable.
Sample config
hostname C9300-C1
system mtu 9100 <-- VXLAN headers are added inside SD-Access, so raise the MTU
ip routing
aaa new-model
aaa authorization exec default local
enable secret xxxxxxxx <-- secret, naturally
ip domain name fsl.local
crypto key generate rsa modulus 2048
username user1 privilege 15 algorithm-type scrypt secret xxxxxxx
interface Loopback0 <-- a Loopback is mandatory
ip address 172.17.255.3 255.255.255.255
ip router isis
no shut
vlan 123
interface vlan123 <-- SVI used for the connection to the Fusion router
ip address 172.17.123.3 255.255.255.0
no shut
interface GigabitEthernet1/0/4 <-- link to the neighboring border node
no switchport
dampening
ip address 172.17.90.1 255.255.255.0
no ip redirects
ip pim sparse-mode
ip router isis
load-interval 30
bfd interval 250 min_rx 250 multiplier 3
clns mtu 1400
isis network point-to-point
no shut
interface GigabitEthernet1/0/48 <-- physical interface used for the connection to the Fusion router
switchport
switchport mode trunk
switchport trunk allowed vlan add 123
no shut
ip ssh version 2
ip route 172.17.88.0 255.255.255.0 null 0 <-- this route exists so the SD-Access-side summary route can be advertised via BGP
router isis <-- IGP configuration; IS-IS is used when LAN Automation is in play
net 49.0000.1720.1725.5003.00
metric-style wide
bfd all-interfaces
router bgp 65002
bgp router-id interface Loopback0
neighbor 172.17.123.2 remote-as 65001 <-- toward the Fusion router
neighbor 172.17.123.2 update-source vlan123
address-family ipv4
network 172.17.88.0 mask 255.255.255.0
network 172.17.255.3 mask 255.255.255.255
aggregate-address 172.17.88.0 255.255.255.0 summary-only
neighbor 172.17.123.2 activate
neighbor 172.17.123.2 weight 40000
end
##Discover
Once DNAC and the device are IP reachable, it's finally time to register the device in DNAC. This completes when DNAC logs in to the device over SSH. By specifying the target IP addresses as a range, you can register multiple devices in one operation. The screenshot below shows two devices discovered together successfully.
The settings Discover needs are just the CLI and SNMP credentials and the target IP addresses, so there is little fiddly work. When Discover succeeds, the devices are registered in the Inventory as shown below.
Notice that the "Site" column shows "Assign" in blue. This means the device has not yet been told where it will be installed.
In baseball terms (a sport involving throwing a ball and hitting it with a stick), the player has joined the team but has not been given a position, so manager DNAC gives no instructions.
In fact, the only config added to the device at this point is the following two lines (note that the SNMP community DNAC pushes is read-write, and netconf-yang turns on NETCONF):
> snmp-server community xxxxxxx RW
> netconf-yang
That's just a bench player, so we give it a position. That is Assign.
##Assign
The locations you Assign to are set up in DNAC beforehand. As shown below, these locations are arranged in a geographic, site-based hierarchy.
Each level of the hierarchy (for example TMT in the figure) carries common settings appropriate to that location (syslog server, CLI credentials, and so on), and when a device is assigned those settings are pushed to it. Stretching the baseball analogy further, this is when the player is finally accepted as a teammate, gets a uniform number and a nickname, and is added to the team's LINE group.
When Assign completes, the "Site" column is filled in as shown below.
Below is the config actually added to the assigned device, for anyone who wants to look.
Manager DNAC is a micromanager, so you'll notice an abundance of telemetry configuration: the type who messages "where are you right now?" every hour. (The periodic update-policy values are in milliseconds, so the actual intervals in this config range from 30 seconds to 6 minutes.) Also worth a look are the two PKI trustpoints: DNAC-CA holds DNAC's CA certificate, and sdn-network-infra-iwan enrolls a device certificate from DNAC over SCEP (auto-renewing at 80% of its lifetime), which is the profile the telemetry receiver then uses for its tls-native connection back to DNAC.
For reference, the manager's IP address is 192.168.100.1.
Config added at Assign time
> device-tracking tracking
> !
> device-tracking policy IPDT_POLICY
> no protocol udp
> tracking enable
> !
> !
> flow exporter 192.168.100.1
> destination 192.168.100.1
> transport udp 6007
> !
> crypto pki trustpoint DNAC-CA
> enrollment mode ra
> enrollment terminal
> usage ssl-client
> revocation-check crl none
> !
> crypto pki trustpoint sdn-network-infra-iwan
> enrollment url http://192.168.100.1:80/ejbca/publicweb/apply/scep/sdnscep
> fqdn C9300-C1.fsl.local
> subject-name CN=C9300-48U_FCW2135G042_sdn-network-infra-iwan
> subject-alt-name C9300-C1.fsl.local
> revocation-check crl
> source interface Loopback0
> rsakeypair sdn-network-infra-iwan
> auto-enroll 80 regenerate
> !
> crypto pki certificate chain DNAC-CA
> certificate ca 62C7F8D0AE9E1090FF5A5FF564C4AB871F5A61CC
> -- omitted --
> 7D474C82 6C7713C7 0C
> quit
> crypto pki certificate chain sdn-network-infra-iwan
> certificate 5D5AC440AADBA060
> -- omitted --
> 51FA4F09 8E389005 9B8C9F30 272ECF8E E78F5322 4113145F 9F1BC4CE 8176
> quit
> certificate ca 0F59736FAFC72DD4
> -- omitted --
> C8B86E16 F855C2
> quit
> license smart transport off
> device-tracking attach-policy IPDT_POLICY
> ip http client source-interface Loopback0
> ip ssh source-interface Loopback0
> logging source-interface Loopback0
> logging host 192.168.100.1
> snmp-server trap-source Loopback0
> snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
> snmp-server enable traps flowmon
> snmp-server enable traps entity-perf throughput-notif
> snmp-server enable traps call-home message-send-fail server-fail
> snmp-server enable traps tty
> snmp-server enable traps ospf state-change
> snmp-server enable traps ospf errors
> snmp-server enable traps ospf retransmit
> snmp-server enable traps ospf lsa
> snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
> snmp-server enable traps ospf cisco-specific state-change shamlink interface
> snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
> snmp-server enable traps ospf cisco-specific errors
> snmp-server enable traps ospf cisco-specific retransmit
> snmp-server enable traps ospf cisco-specific lsa
> snmp-server enable traps eigrp
> snmp-server enable traps auth-framework sec-violation
> snmp-server enable traps rep
> snmp-server enable traps vtp
> snmp-server enable traps vlancreate
> snmp-server enable traps vlandelete
> snmp-server enable traps port-security
> snmp-server enable traps license
> snmp-server enable traps smart-license
> snmp-server enable traps cpu threshold
> snmp-server enable traps memory bufferpeak
> snmp-server enable traps stackwise
> snmp-server enable traps udld link-fail-rpt
> snmp-server enable traps udld status-change
> snmp-server enable traps fru-ctrl
> snmp-server enable traps flash insertion removal lowspace
> snmp-server enable traps energywise
> snmp-server enable traps power-ethernet group 1 threshold 80
> snmp-server enable traps power-ethernet police
> snmp-server enable traps entity
> snmp-server enable traps pw vc
> snmp-server enable traps mvpn
> snmp-server enable traps envmon
> snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
> snmp-server enable traps lisp
> snmp-server enable traps isis
> snmp-server enable traps ipsla
> snmp-server enable traps entity-diag boot-up-fail hm-test-recover hm-thresh-reached scheduled-test-fail
> snmp-server enable traps bfd
> snmp-server enable traps ike policy add
> snmp-server enable traps ike policy delete
> snmp-server enable traps ike tunnel start
> snmp-server enable traps ike tunnel stop
> snmp-server enable traps ipsec cryptomap add
> snmp-server enable traps ipsec cryptomap delete
> snmp-server enable traps ipsec cryptomap attach
> snmp-server enable traps ipsec cryptomap detach
> snmp-server enable traps ipsec tunnel start
> snmp-server enable traps ipsec tunnel stop
> snmp-server enable traps ipsec too-many-sas
> snmp-server enable traps config-copy
> snmp-server enable traps config
> snmp-server enable traps config-ctid
> snmp-server enable traps dhcp
> snmp-server enable traps event-manager
> snmp-server enable traps hsrp
> snmp-server enable traps ipmulticast
> snmp-server enable traps msdp
> snmp-server enable traps ospfv3 state-change
> snmp-server enable traps ospfv3 errors
> snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
> snmp-server enable traps bridge newroot topologychange
> snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
> snmp-server enable traps syslog
> snmp-server enable traps bgp
> snmp-server enable traps bgp cbgp2
> snmp-server enable traps nhrp nhs
> snmp-server enable traps nhrp nhc
> snmp-server enable traps nhrp nhp
> snmp-server enable traps nhrp quota-exceeded
> snmp-server enable traps mpls rfc ldp
> snmp-server enable traps mpls ldp
> snmp-server enable traps mpls rfc traffic-eng
> snmp-server enable traps mpls traffic-eng
> snmp-server enable traps mpls fast-reroute protected
> snmp-server enable traps local-auth
> snmp-server enable traps vlan-membership
> snmp-server enable traps errdisable
> snmp-server enable traps rf
> snmp-server enable traps transceiver all
> snmp-server enable traps bulkstat collection transfer
> snmp-server enable traps mac-notification change move threshold
> snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
> snmp-server enable traps mpls vpn
> snmp-server enable traps mpls rfc vpn
> snmp-server host 192.168.100.1 version 2c fslFSL1;
> snmp-server host 192.168.100.3 version 2c fslFSL1;
> telemetry ietf subscription 500
> encoding encode-tdl
> filter tdl-uri /services;serviceName=ios_oper/poe_port_detail
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy periodic 60000
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 501
> encoding encode-tdl
> filter tdl-uri /services;serviceName=ios_oper/poe_module
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy periodic 60000
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 502
> encoding encode-tdl
> filter tdl-uri /services;serviceName=ios_oper/poe_stack
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy periodic 60000
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 503
> encoding encode-tdl
> filter tdl-uri /services;serviceName=ios_oper/poe_switch
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy periodic 60000
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 550
> encoding encode-tdl
> filter tdl-uri /services;serviceName=smevent/sessionevent
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy on-change
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 551
> encoding encode-tdl
> filter tdl-uri /services;serviceName=sessmgr_oper/session_context_data
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy periodic 360000
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 552
> encoding encode-tdl
> filter tdl-uri /services;serviceName=iosevent/sisf_mac_oper_state
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy on-change
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 553
> encoding encode-tdl
> filter tdl-uri /services;serviceName=ios_oper/sisf_db_wired_mac
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy periodic 360000
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 554
> encoding encode-tdl
> filter tdl-uri /services;serviceName=ios_oper/cdp_neighbor_detail
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy periodic 360000
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 555
> encoding encode-tdl
> filter tdl-uri /services;serviceName=ios_oper/cdp_neighbor_detail
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy on-change
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 600
> encoding encode-tdl
> filter tdl-uri /services;serviceName=sessmgr_oper/tbl_aaa_servers_stat
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy periodic 60000
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 601
> encoding encode-tdl
> filter tdl-uri /services;serviceName=sessmgr_oper/tbl_aaa_servers_stat
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy on-change
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 750
> encoding encode-tdl
> filter tdl-uri /services;serviceName=ios_emul_oper/environment_sensor
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy periodic 30000
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 751
> encoding encode-tdl
> filter tdl-uri /services;serviceName=ios_oper/platform_component
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy periodic 30000
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry ietf subscription 8882
> encoding encode-tdl
> filter tdl-transform trustSecCounterDelta
> receiver-type protocol
> source-address 172.17.255.3
> stream native
> update-policy periodic 90000
> receiver name DNAC_ASSURANCE_RECEIVER
> telemetry receiver protocol DNAC_ASSURANCE_RECEIVER
> host ip-address 192.168.100.1 25103
> protocol tls-native profile sdn-network-infra-iwan
> telemetry transform trustSecCounterDelta
> input table cts_rolebased_policy
> field dst_sgt
> field src_sgt
> field sgacl_name
> field monitor_mode
> field num_of_sgacl
> field policy_life_time
> field total_deny_count
> field last_updated_time
> field total_permit_count
> join-key cts_role_based_policy_key
> logical-op and
> type mandatory
> uri /services;serviceName=ios_emul_oper/cts_rolebased_policy
> operation 1
> output-field 1
> field cts_rolebased_policy.src_sgt
> output-field 2
> field cts_rolebased_policy.dst_sgt
> output-field 3
> field cts_rolebased_policy.total_permit_count
> output-op type delta
> output-field 4
> field cts_rolebased_policy.total_deny_count
> output-op type delta
> output-field 5
> field cts_rolebased_policy.sgacl_name
> output-field 6
> field cts_rolebased_policy.monitor_mode
> output-field 7
> field cts_rolebased_policy.num_of_sgacl
> output-field 8
> field cts_rolebased_policy.policy_life_time
> output-field 9
> field cts_rolebased_policy.last_updated_time
> specified
Two more devices still need to be added, but those can be done far more easily than what we've done so far, using a piece of magic called LAN Automation (one with a perfectly explainable trick behind it).
On to STEP2!
#STEP2 Register the devices for the edge nodes in DNAC
##LAN Automation
With LAN Automation, factory-default devices with no configuration at all are registered in DNAC automatically. Let's look at the procedure.
###Step 1: Cable the device and power it on
It may come as a surprise, but DNAC does not connect cables for you. You do that. Powering on, too! (It is important that the device has no configuration at all at this point!)
###Step 2: Start LAN Automation from DNAC
To run LAN Automation you select a device already registered in DNAC as the "Seed". If there is a redundant neighbor device in the same position as the Seed, select it as the "Peer". In this article's example, the two devices registered in STEP1 become the Seed and the Peer.
You also specify the interfaces on the Seed to which the devices being registered are connected. Enter the parameters in a GUI like the one below and press "Start".
The IP address range LAN Automation uses for configuration is specified beforehand as an IP Pool; that is the "Main IP Pool" item in the figure. Although you can't tell from this screen, the pool named TMT_LANAUTO is 172.17.88.0/24. LAN Automation carves addresses out of this range and configures them on the devices.
What is LAN Automation actually doing?
After LAN Automation starts, the following events happen under the hood.
- DNAC configures int vlan1 and a DHCP server on the Seed
- The new device has an empty config, so it takes the DNAC address learned via DHCP as its PnP server and connects to DNAC
- DNAC generates a config for the new device and applies it
- If a specific IOS image is designated as the Golden Image and the new device's IOS image differs from it, the IOS is upgraded automatically
If you know how Cisco IOS PnP works, you'll think "ah, so that's all it is". That's all it is. A true illusion. For reference, the DHCP server configuration placed on the Seed is below. It is removed when LAN Automation finishes.
DHCP server config on the Seed
ip dhcp excluded-address 172.17.88.1
!
ip dhcp pool nw_orchestration_pool
network 172.17.88.0 255.255.255.192
option 43 ascii 5A1D;B2;K4;I192.168.100.1;J80; <-- designates DNAC as the PnP server
default-router 172.17.88.1
class ciscopnp
address range 172.17.88.2 172.17.88.62
!
!
ip dhcp class ciscopnp
option 60 ^ciscopnp
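The option 43 string above is the entire bootstrap hint a factory-default switch acts on, so it is worth being able to read it. The parser below is an added example, not code from the original post or from Cisco: it decodes the string using Cisco's documented PnP option 43 layout (a 5A1N/5A1D header where N/D is the debug flag, B1/B2 = hostname/IPv4 server, K4/K5 = HTTP/HTTPS transport, I = server, J = port; any further fields are passed through untouched) and lists what a new device would connect to. The audit() wording is mine, and the second sample string in the usage is constructed.

```python
"""Decode the Cisco PnP bootstrap string carried in DHCP option 43 (added example, not code
from the original post or from Cisco). Field meanings follow Cisco's documented PnP option 43
layout; fields beyond the core ones (B, K, I, J) are passed through in `extra`."""
from dataclasses import dataclass, field
from typing import Dict, List

TRANSPORT = {"4": "http", "5": "https"}     # K4 / K5
ADDR_TYPE = {"1": "hostname", "2": "ipv4"}  # B1 / B2


@dataclass
class PnpBootstrap:
    debug: bool            # 'D' in the 5A1x header = PnP debug on, 'N' = off
    addr_type: str
    transport: str
    server: str
    port: int
    extra: Dict[str, str] = field(default_factory=dict)

    def url(self) -> str:
        """Where the factory-default device will make its first PnP contact."""
        return f"{self.transport}://{self.server}:{self.port}"


def parse_option43(text: str) -> PnpBootstrap:
    """Parse e.g. '5A1D;B2;K4;I192.168.100.1;J80;' as handed out by the Seed's DHCP pool."""
    parts = [p for p in text.strip().split(";") if p]
    if not parts or len(parts[0]) != 4 or not parts[0].startswith("5A1"):
        raise ValueError(f"not a Cisco PnP option 43 string: {text!r}")
    debug_flag = parts[0][3]
    if debug_flag not in ("N", "D"):
        raise ValueError(f"unknown debug flag {debug_flag!r}")
    fields = {p[0]: p[1:] for p in parts[1:]}  # one-letter tag -> value
    missing = [k for k in ("B", "K", "I", "J") if k not in fields]
    if missing:
        raise ValueError(f"option 43 string lacks field(s) {missing}")
    try:
        addr_type = ADDR_TYPE[fields.pop("B")]
        transport = TRANSPORT[fields.pop("K")]
    except KeyError as e:
        raise ValueError(f"unknown B/K code {e}") from None
    server = fields.pop("I")
    port = int(fields.pop("J"))
    return PnpBootstrap(debug_flag == "D", addr_type, transport, server, port, fields)


def audit(b: PnpBootstrap) -> List[str]:
    """Points a reviewer of the bootstrap path would want flagged (my wording, not Cisco's)."""
    notes = []
    if b.transport == "http":
        notes.append(f"initial PnP contact to {b.url()} is plaintext HTTP; "
                     "the VLAN serving DHCP is the trust boundary for this step")
    if b.debug:
        notes.append("PnP debug flag is set (D)")
    if b.addr_type == "hostname":
        notes.append("server given as hostname; DNS becomes part of the bootstrap trust chain")
    return notes


if __name__ == "__main__":
    boot = parse_option43("5A1D;B2;K4;I192.168.100.1;J80;")  # the string from the Seed's pool above
    print(boot.url(), "debug" if boot.debug else "no-debug", audit(boot))
```

Run it against the Seed's string and it resolves to http://192.168.100.1:80 with the debug flag on; the audit notes simply make explicit that the first hop of LAN Automation is an HTTP fetch steered by whoever answers DHCP on VLAN 1 of the Seed, which is why the Seed's temporary DHCP scope is removed as soon as LAN Automation stops.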
###Step 3: Stop LAN Automation
DNAC actually has no idea when LAN Automation should end. Unless a human presses "STOP", it keeps going indefinitely.
So when should you stop it? Once processing of the devices you wanted to add is complete.
Check LAN Automation's progress as shown below, and once the Status of the target device is "Completed" it is fine to press STOP.
The config DNAC generates at this stage consists mainly of:
- Login information (username, password, etc.)
- Multicast configuration
- Certificates
- Telemetry configuration (telemetry, SNMP, syslog, etc.)
- Interface configuration
- IGP (IS-IS) configuration
Here is the config DNAC generated, for reference. The part to look at is the IGP (IS-IS) configuration: the reason the IS-IS settings in STEP1 were so detailed is to match the IGP configuration that DNAC generates here in LAN Automation.
Another distinctive point is the use of /31 addresses on the fabric interfaces.
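Two things this page shows lend themselves to a mechanical check: the IS-IS NET that LAN Automation derives from Loopback0 (compare net 49.0000.1720.1725.5003.00 for 172.17.255.3 in the STEP1 config with 49.0000.1720.1708.8068.00 for 172.17.88.68 in the generated config below), and the telemetry streams that the Assign step points at DNAC. The script below is an added example, not code from the original post or from Cisco. It splits a running-config by IOS indentation, derives the NET from the loopback address using the convention visible on this page (each octet zero-padded to three digits), verifies a hand-written border config against what LAN Automation generates, and summarizes per telemetry receiver where the box sends data, over what transport, with which certificate profile and at what fastest cadence. The sample config is a constructed, trimmed cut of the configs on this page.

```python
"""Two checks over a DNAC-managed IOS XE running-config (added example, not from the post or Cisco).
1. IS-IS: does 'router isis net ...' follow the Loopback0-derived NET seen on this page, and are the
   knobs LAN Automation generates (metric-style wide, bfd all-interfaces) present?
2. Telemetry: per receiver, where does the box stream to, over what, with which cert profile, how often?
Input is running-config text with IOS indentation (sub-commands indented by one space)."""
from typing import Dict, Iterator, List, Optional, Tuple


def stanzas(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (header, body) per top-level stanza; '!' separators and blank lines are skipped."""
    header: Optional[str] = None
    body: List[str] = []
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
        elif raw.strip() and raw.strip() != "!":
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def isis_net_from_ipv4(ip: str, area: str = "49.0000") -> str:
    """System-ID = the four octets zero-padded to three digits: 172.17.255.3 -> 1720.1725.5003."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    d = "".join(f"{o:03d}" for o in octets)
    return f"{area}.{d[0:4]}.{d[4:8]}.{d[8:12]}.00"


def check_isis(config: str) -> List[str]:
    """Findings for a hand-built node that must peer with LAN Automation-built nodes; [] = consistent."""
    blocks = dict(stanzas(config))
    lo = blocks.get("interface Loopback0", [])
    addr = next((l.split()[2] for l in lo if l.startswith("ip address ")), None)
    if addr is None:
        return ["Loopback0 has no IPv4 address; DNAC uses it as the fabric node router-id"]
    isis = blocks.get("router isis", [])
    net = next((l.split()[1] for l in isis if l.startswith("net ")), None)
    want = isis_net_from_ipv4(addr)
    findings = []
    if "ip router isis" not in lo:
        findings.append("Loopback0 is not enabled for IS-IS")
    if net != want:
        findings.append(f"router isis net {net} does not match Loopback0 {addr} (expected {want})")
    for kw in ("metric-style wide", "bfd all-interfaces"):
        if kw not in isis:
            findings.append(f"router isis lacks '{kw}', which LAN Automation sets on new nodes")
    return findings


def telemetry_egress(config: str) -> Dict[str, dict]:
    """Per telemetry receiver: destination, transport, TLS profile, subscription count, fastest period."""
    rx: Dict[str, dict] = {}
    subs: List[Tuple[str, Optional[float]]] = []
    for header, body in stanzas(config):
        kv = dict(l.split(" ", 1) for l in body if " " in l)  # first word -> rest of line
        if header.startswith("telemetry ietf subscription "):
            pol = kv.get("update-policy", "").split()
            period = int(pol[1]) / 1000 if len(pol) == 2 and pol[0] == "periodic" else None  # ms -> s
            subs.append((kv.get("receiver", "name ?").split()[-1], period))
        elif header.startswith("telemetry receiver protocol "):
            host = kv.get("host", "").split()       # ip-address <ip> <port>
            proto = kv.get("protocol", "").split()  # tls-native profile <trustpoint>
            rx[header.split()[-1]] = {
                "dest": f"{host[1]}:{host[2]}" if len(host) == 3 else "?",
                "protocol": proto[0] if proto else "?",
                "tls_profile": proto[2] if len(proto) == 3 and proto[1] == "profile" else None,
                "subscriptions": 0, "fastest_period_s": None}
    for name, period in subs:
        r = rx.setdefault(name, {"dest": "?", "protocol": "?", "tls_profile": None,
                                 "subscriptions": 0, "fastest_period_s": None})
        r["subscriptions"] += 1
        if period is not None and (r["fastest_period_s"] is None or period < r["fastest_period_s"]):
            r["fastest_period_s"] = period
    return rx


# Constructed sample: a trimmed cut of the STEP1 border config and the Assign-time telemetry on this page.
SAMPLE = """\
interface Loopback0
 ip address 172.17.255.3 255.255.255.255
 ip router isis
router isis
 net 49.0000.1720.1725.5003.00
 metric-style wide
 bfd all-interfaces
telemetry ietf subscription 550
 filter tdl-uri /services;serviceName=smevent/sessionevent
 update-policy on-change
 receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 551
 filter tdl-uri /services;serviceName=sessmgr_oper/session_context_data
 update-policy periodic 360000
 receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 8882
 filter tdl-transform trustSecCounterDelta
 update-policy periodic 90000
 receiver name DNAC_ASSURANCE_RECEIVER
telemetry receiver protocol DNAC_ASSURANCE_RECEIVER
 host ip-address 192.168.100.1 25103
 protocol tls-native profile sdn-network-infra-iwan
"""

if __name__ == "__main__":
    print(check_isis(SAMPLE) or "IS-IS config consistent with what LAN Automation generates")
    print(telemetry_egress(SAMPLE))
```

Feed it a border's show running-config and check_isis() tells you before you press Start whether the hand-written IS-IS side will line up with what DNAC is about to generate (a second border whose NET was copy-pasted from the first is the classic mistake it catches), while telemetry_egress() gives a one-entry-per-receiver inventory of what the switch streams home, which for the Assign-time config above is a single TLS receiver on DNAC port 25103 authenticated with the sdn-network-infra-iwan certificate.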
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
service call-home
platform punt-keepalive disable-kernel-core
!
hostname Switch-172-17-88-68
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 9 $9hd2zE$4amWo3g.NvN5zYxmDOl3iy.lMNoS4BUs9hhC2XBcvaU
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
switch 1 provision c9300-48u
!
!
!
!
ip routing
!
!
!
!
!
ip multicast-routing
!
!
!
login on-success log
!
!
!
!
!
!
!
vtp mode transparent
device-tracking tracking
!
device-tracking policy IPDT_POLICY
no protocol udp
tracking enable
!
!
flow exporter 192.168.100.1
destination 192.168.100.1
transport udp 6007
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-576806192
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-576806192
revocation-check none
rsakeypair TP-self-signed-576806192
!
crypto pki trustpoint DNAC-CA
enrollment mode ra
enrollment terminal
usage ssl-client
revocation-check crl none
!
crypto pki trustpoint sdn-network-infra-iwan
enrollment url http://192.168.100.1:80/ejbca/publicweb/apply/scep/sdnscep
fqdn Switch-172-17-88-68
subject-name CN=C9300-48U_FCW2135G046_sdn-network-infra-iwan
revocation-check crl
source interface Loopback0
rsakeypair sdn-network-infra-iwan
auto-enroll 80 regenerate
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
-- omitted --
D697DF7F 28
quit
crypto pki certificate chain TP-self-signed-576806192
certificate self-signed 01
-- omitted --
38AFD88E DE985A8F 17DCDBDB 3FFEFC0E 31D4
quit
crypto pki certificate chain DNAC-CA
certificate ca 62C7F8D0AE9E1090FF5A5FF564C4AB871F5A61CC
-- omitted --
7D474C82 6C7713C7 0C
quit
crypto pki certificate chain sdn-network-infra-iwan
certificate 69969324F1BA980A
-- omitted --
quit
certificate ca 0F59736FAFC72DD4
-- omitted --
quit
!
system mtu 9100
license boot level network-advantage addon dna-advantage
license smart transport off
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
archive
log config
logging enable
logging size 500
memory free low-watermark processor 131749
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause link-monitor-failure
errdisable recovery cause oam-remote-failure
errdisable recovery cause loopback
errdisable recovery cause psp
errdisable recovery cause mrp-miscabling
errdisable recovery cause loopdetect
username user1 privilege 15 secret 9 $ZGZmp1RtWk$8wkD8iH/.0v4LYfc6MHmBne8sYiDRZ.1Mn0unQnIKPk
!
redundancy
mode sso
!
!
!
!
!
!
transceiver type all
monitoring
!
!
class-map match-any system-cpp-police-ewlc-control
description EWLC Control
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
description EWLC Data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
description High Rate Applications
class-map match-any system-cpp-police-multicast
description MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-ios-routing
description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description Fabric Node Router ID
ip address 172.17.88.68 255.255.255.255
ip pim sparse-mode
ip router isis
clns mtu 1400
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet1/0/1
description Fabric Physical Link
no switchport
dampening
ip address 172.17.88.67 255.255.255.254
no ip redirects
ip pim sparse-mode
ip router isis
load-interval 30
bfd interval 250 min_rx 250 multiplier 3
clns mtu 1400
isis network point-to-point
!
interface GigabitEthernet1/0/2
description Fabric Physical Link
no switchport
dampening
ip address 172.17.88.75 255.255.255.254
no ip redirects
ip pim sparse-mode
ip router isis
load-interval 30
bfd interval 250 min_rx 250 multiplier 3
clns mtu 1400
isis network point-to-point
!
interface GigabitEthernet1/0/3
device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/0/4
device-tracking attach-policy IPDT_POLICY
!
--- omitted ---
interface GigabitEthernet1/0/48
device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/1/1
device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/1/2
device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/1/3
device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/1/4
device-tracking attach-policy IPDT_POLICY
!
interface TenGigabitEthernet1/1/1
device-tracking attach-policy IPDT_POLICY
!
interface TenGigabitEthernet1/1/2
device-tracking attach-policy IPDT_POLICY
!
interface TenGigabitEthernet1/1/3
device-tracking attach-policy IPDT_POLICY
!
interface TenGigabitEthernet1/1/4
device-tracking attach-policy IPDT_POLICY
!
interface TenGigabitEthernet1/1/5
device-tracking attach-policy IPDT_POLICY
!
interface TenGigabitEthernet1/1/6
device-tracking attach-policy IPDT_POLICY
!
interface TenGigabitEthernet1/1/7
device-tracking attach-policy IPDT_POLICY
!
interface TenGigabitEthernet1/1/8
device-tracking attach-policy IPDT_POLICY
!
interface FortyGigabitEthernet1/1/1
device-tracking attach-policy IPDT_POLICY
!
interface FortyGigabitEthernet1/1/2
device-tracking attach-policy IPDT_POLICY
!
interface TwentyFiveGigE1/1/1
device-tracking attach-policy IPDT_POLICY
!
interface TwentyFiveGigE1/1/2
device-tracking attach-policy IPDT_POLICY
!
interface AppGigabitEthernet1/0/1
!
interface Vlan1
ip dhcp client client-id ascii FCW2135G046
no ip address
!
router isis
net 49.0000.1720.1708.8068.00
metric-style wide
log-adjacency-changes
nsf ietf
bfd all-interfaces
!
ip forward-protocol nd
ip pim rp-address 172.17.88.65
ip pim register-source Loopback0
ip pim ssm default
no ip http server
ip http authentication local
no ip http secure-server
ip http client source-interface Loopback0
ip tftp source-interface Vlan1
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
!
!
logging source-interface Loopback0
logging host 192.168.100.1
!
!
snmp-server community xxxxxxx RO
snmp-server trap-source Loopback0
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flowmon
snmp-server enable traps entity-perf throughput-notif
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps eigrp
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps rep
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps license
snmp-server enable traps smart-license
snmp-server enable traps cpu threshold
snmp-server enable traps memory bufferpeak
snmp-server enable traps stackwise
snmp-server enable traps udld link-fail-rpt
snmp-server enable traps udld status-change
snmp-server enable traps fru-ctrl
snmp-server enable traps flash insertion removal lowspace
snmp-server enable traps energywise
snmp-server enable traps power-ethernet group 1 threshold 80
snmp-server enable traps power-ethernet police
snmp-server enable traps entity
snmp-server enable traps pw vc
snmp-server enable traps mvpn
snmp-server enable traps envmon
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps lisp
snmp-server enable traps isis
snmp-server enable traps ipsla
snmp-server enable traps entity-diag boot-up-fail hm-test-recover hm-thresh-reached scheduled-test-fail
snmp-server enable traps bfd
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dhcp
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps bgp cbgp2
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps mpls rfc ldp
snmp-server enable traps mpls ldp
snmp-server enable traps mpls rfc traffic-eng
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls fast-reroute protected
snmp-server enable traps local-auth
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server enable traps rf
snmp-server enable traps transceiver all
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server enable traps mpls vpn
snmp-server enable traps mpls rfc vpn
snmp-server host 192.168.100.1 version 2c xxxxxxx
snmp-server host 192.168.100.3 version 2c xxxxxxx
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
exec-timeout 0 0
stopbits 1
line vty 0 1
length 0
transport preferred none
transport input ssh
line vty 2 4
transport preferred none
transport input ssh
line vty 5 15
transport preferred none
transport input ssh
line vty 16 31
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
!
telemetry ietf subscription 500
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_port_detail
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 501
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_module
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 502
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_stack
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 503
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_switch
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 550
encoding encode-tdl
filter tdl-uri /services;serviceName=smevent/sessionevent
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 551
encoding encode-tdl
filter tdl-uri /services;serviceName=sessmgr_oper/session_context_data
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 552
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/sisf_mac_oper_state
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 553
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/sisf_db_wired_mac
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 554
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/cdp_neighbor_detail
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 555
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/cdp_neighbor_detail
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 600
encoding encode-tdl
filter tdl-uri /services;serviceName=sessmgr_oper/tbl_aaa_servers_stat
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 601
encoding encode-tdl
filter tdl-uri /services;serviceName=sessmgr_oper/tbl_aaa_servers_stat
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 750
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_emul_oper/environment_sensor
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy periodic 30000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 751
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/platform_component
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy periodic 30000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 8882
encoding encode-tdl
filter tdl-transform trustSecCounterDelta
receiver-type protocol
source-address 172.17.88.68
stream native
update-policy periodic 90000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry receiver protocol DNAC_ASSURANCE_RECEIVER
host ip-address 192.168.100.1 25103
protocol tls-native profile sdn-network-infra-iwan
telemetry transform trustSecCounterDelta
input table cts_rolebased_policy
field dst_sgt
field src_sgt
field sgacl_name
field monitor_mode
field num_of_sgacl
field policy_life_time
field total_deny_count
field last_updated_time
field total_permit_count
join-key cts_role_based_policy_key
logical-op and
type mandatory
uri /services;serviceName=ios_emul_oper/cts_rolebased_policy
operation 1
output-field 1
field cts_rolebased_policy.src_sgt
output-field 2
field cts_rolebased_policy.dst_sgt
output-field 3
field cts_rolebased_policy.total_permit_count
output-op type delta
output-field 4
field cts_rolebased_policy.total_deny_count
output-op type delta
output-field 5
field cts_rolebased_policy.sgacl_name
output-field 6
field cts_rolebased_policy.monitor_mode
output-field 7
field cts_rolebased_policy.num_of_sgacl
output-field 8
field cts_rolebased_policy.policy_life_time
output-field 9
field cts_rolebased_policy.last_updated_time
specified
netconf-yang
end
- You cannot choose the IP addresses assigned to the devices, nor know them in advance.
- The only IGP available is IS-IS.
**Good news:** if the points above bother you, you don't have to use LAN Automation at all! (I'm not upset about it.) Building the underlay by hand, any way you like, is perfectly fine!
#STEP3 Configure the SD-Access components
At this point the so-called "underlay" is done: DNAC and every device can reach each other over plain IP. Now we finally configure the SD-Access components themselves.
In this scenario the control plane is co-located on the border nodes, so we start by configuring the control plane on those devices.
##Provision
A device that is to become an SD-Access component must first have been provisioned from DNAC. It is not much work, so go ahead and do it.
It's easy: select the device on the Inventory screen and choose Provision from the menu. A few GUI screens follow, but mashing "Next" is usually fine. Simple!
###What did Provision actually provision?
Still, you are probably curious what got configured. Here it is.
As you can see there is nothing odd in it: the AAA server settings SD-Access needs, and so on. One thing worth noting before you paste a dump like this anywhere: the RADIUS shared secret (`client ... server-key 7 ...`) and the PAC key (`pac key 7 ...`) are stored as type 7 strings. `service password-encryption` only obfuscates them, and type 7 is trivially reversible, so treat the running-config of a provisioned device as a secret in itself.
Config generated by Provision
> service password-encryption
> aaa group server radius dnac-client-radius-group
> server name dnac-radius_192.168.100.31
> ip radius source-interface Loopback0
> !
> aaa authentication login default local
> aaa authentication login dnac-cts-list group dnac-client-radius-group local
> aaa authentication dot1x default group dnac-client-radius-group
> aaa authorization network default group dnac-client-radius-group
> aaa authorization network dnac-cts-list group dnac-client-radius-group
> aaa accounting update newinfo periodic 2880
> aaa accounting identity default start-stop group dnac-client-radius-group
> aaa server radius dynamic-author
> client 192.168.100.31 server-key 7 110F0A093121275D5F
> ip name-server 192.168.100.6
> ip domain lookup source-interface Loopback0
> !
> access-session mac-move deny
> cts authorization list dnac-cts-list
> service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
> linksec policy must-secure
> service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
> linksec policy should-secure
> service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
> voice vlan
> service-template DEFAULT_CRITICAL_DATA_TEMPLATE
> service-template webauth-global-inactive
> inactivity-timer 3600
> dot1x system-auth-control
> !
> ip http max-connections 16
> ip access-list extended ACL_WEBAUTH_REDIRECT
> 70 deny ip any host 192.168.100.31
> 500 permit tcp any any eq www
> 600 permit tcp any any eq 443
> 700 permit tcp any any eq 8443
> 800 deny udp any any eq domain
> 900 deny udp any eq bootpc any eq bootps
> ip radius source-interface Loopback0
> radius-server attribute 6 on-for-login-auth
> radius-server attribute 6 support-multiple
> radius-server attribute 8 include-in-access-req
> radius-server attribute 25 access-request include
> radius-server attribute 31 mac format ietf upper-case
> radius-server attribute 31 send nas-port-detail mac-only
> radius-server dead-criteria time 5 tries 3
> radius-server deadtime 3
> !
> radius server dnac-radius_192.168.100.31
> address ipv4 192.168.100.31 auth-port 1812 acct-port 1813
> timeout 4
> retransmit 3
> automate-tester username dummy ignore-acct-port probe-on
> pac key 7 07093240683A35544C
> ntp source Loopback0
> ntp server 192.168.100.3
###Configuring the control plane
I have kept quiet about this until now, but the control plane node is what LISP calls the Map-Server/Map-Resolver (MS/MR), so configuring it means configuring LISP. So how much LISP configuration knowledge do you need to set up the control plane?
Answer: 0 (zero, nil, none)
Configuring the control plane is just a matter of clicking the toggle in the GUI, as shown below. That's it!
The control plane was configured in seconds, but don't go home yet: we will do the border node at the same time.
###Configuring the border node
The border node must peer with the Fusion router over BGP in order to exchange routes between the virtual networks (VRFs) inside SD-Access and the external IP network. That means you need one eBGP peering for every virtual network you defined in SD-Access, and each virtual network's IP prefixes must be advertised correctly.
So how much BGP configuration knowledge do you need?
Answer: 0 (zero, nil, none)
Configuring the border node is just clicking the toggle in the GUI and specifying a VLAN number, as shown below. That's it!
In the figure below, the three virtual networks INFRA_VN, VN1 and VN2 are each assigned a VLAN number. These VLANs are used when the handoff is dot1q-trunked to the Fusion router.
From this setting the following BGP configuration is generated automatically.
(The BGP AS numbers and the IP addresses used come from a separate DNAC setting called a Transit. Here the peer AS is 65001, the local AS is 65002, and the address pool is 172.17.99.0/24.)
BGP configuration generated by DNAC
router bgp 65002
bgp router-id interface Loopback0
bgp log-neighbor-changes
bgp graceful-restart
neighbor 172.17.99.2 remote-as 65001
neighbor 172.17.99.2 update-source Vlan3003
neighbor 172.17.123.2 remote-as 65001
neighbor 172.17.123.2 update-source Vlan123
neighbor FD00:172:17:99::2 remote-as 65001
neighbor FD00:172:17:99::2 update-source Vlan3003
!
address-family ipv4
bgp aggregate-timer 0
network 172.17.88.0 mask 255.255.255.0
network 172.17.200.1 mask 255.255.255.255
network 172.17.255.3 mask 255.255.255.255
aggregate-address 172.17.200.0 255.255.255.0 summary-only
aggregate-address 172.17.88.0 255.255.255.0 summary-only
redistribute lisp metric 10
neighbor 172.17.99.2 activate
neighbor 172.17.99.2 weight 65535
neighbor 172.17.99.2 advertisement-interval 0
neighbor 172.17.123.2 activate
neighbor 172.17.123.2 weight 40000
no neighbor FD00:172:17:99::2 activate
exit-address-family
!
address-family ipv6
redistribute lisp metric 10
neighbor FD00:172:17:99::2 activate
neighbor FD00:172:17:99::2 weight 65535
neighbor FD00:172:17:99::2 advertisement-interval 0
exit-address-family
!
address-family ipv4 vrf VN1
bgp aggregate-timer 0
network 172.17.1.1 mask 255.255.255.255
network 172.17.11.1 mask 255.255.255.255
network 172.17.99.4 mask 255.255.255.252
aggregate-address 172.17.11.0 255.255.255.0 summary-only
aggregate-address 172.17.1.0 255.255.255.0 summary-only
redistribute lisp metric 10
neighbor 172.17.99.6 remote-as 65001
neighbor 172.17.99.6 update-source Vlan3004
neighbor 172.17.99.6 activate
neighbor 172.17.99.6 weight 65535
exit-address-family
!
address-family ipv6 vrf VN1
redistribute lisp metric 10
bgp aggregate-timer 0
network FD00:172:17:1::1/128
network FD00:172:17:11::1/128
network FD00:172:17:99::4/126
aggregate-address FD00:172:17:11::/64 summary-only
aggregate-address FD00:172:17:1::/64 summary-only
neighbor FD00:172:17:99::6 remote-as 65001
neighbor FD00:172:17:99::6 update-source Vlan3004
neighbor FD00:172:17:99::6 activate
neighbor FD00:172:17:99::6 weight 65535
exit-address-family
!
address-family ipv4 vrf VN2
bgp aggregate-timer 0
network 172.17.2.1 mask 255.255.255.255
network 172.17.12.1 mask 255.255.255.255
network 172.17.99.8 mask 255.255.255.252
aggregate-address 172.17.12.0 255.255.255.0 summary-only
aggregate-address 172.17.2.0 255.255.255.0 summary-only
redistribute lisp metric 10
neighbor 172.17.99.10 remote-as 65001
neighbor 172.17.99.10 update-source Vlan3005
neighbor 172.17.99.10 activate
neighbor 172.17.99.10 weight 65535
exit-address-family
!
address-family ipv6 vrf VN2
redistribute lisp metric 10
bgp aggregate-timer 0
network FD00:172:17:2::1/128
network FD00:172:17:12::1/128
network FD00:172:17:99::8/126
aggregate-address FD00:172:17:12::/64 summary-only
aggregate-address FD00:172:17:2::/64 summary-only
neighbor FD00:172:17:99::A remote-as 65001
neighbor FD00:172:17:99::A update-source Vlan3005
neighbor FD00:172:17:99::A activate
neighbor FD00:172:17:99::A weight 65535
exit-address-family
Since DNAC takes care of the border node's BGP configuration like this, it gets done correctly no matter how many neighbors there are.
But I have one piece of sad news: the Fusion router's BGP configuration is manual!
The Fusion router is not an SD-Access component, so DNAC does not configure it; you must do it by hand. To configure BGP on the Fusion side you have to mirror the BGP configuration DNAC pushed to the border node. Concretely, you configure neighbors matching the settings shown below.
Configuring BGP neighbors is like threading a needle: unless the VLAN number, your own address, the peer address and the AS number are all exactly right, the session will not come up. You will probably get it wrong a few times.
In other words, it is fair to picture the Sanzu River (the river of the dead) flowing between the border node and the Fusion router, with the Fusion-router side configuring its neighbors on the Sai no Kawara riverbank, where the stones you stack keep getting knocked over.
So if there are two engineers and the work is split into a Fusion-router person and a border-node person, fight with everything you have to be the border-node person. This is where you come to appreciate DNAC's automation.
(The information in the figure above can be retrieved via the API, so generating the Fusion router's BGP configuration with a script is relatively easy. Don't give up if you end up as the Fusion-router person!)
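Here is what such a script can look like. It is an added example, not code from the article or from Cisco: it parses the border node's `router bgp` block as DNAC generated it above and emits the mirror-image Fusion configuration, i.e. the SVIs for the handoff VLANs plus one eBGP neighbor per address family and virtual network. It assumes that every handoff link is a /30 (IPv4) or /126 (IPv6) point-to-point on which the border node holds the address one below the Fusion's (true of every pair on this page, but check it against the border's interface configuration before pasting) and that the Fusion uses the same VRF names as SD-Access; the `vrf definition` stanzas, the dot1q trunk and any route filtering are left to you. The sample input is the page's BGP block trimmed to the lines the generator reads.

```python
"""Added example: build the Fusion-router side of the SD-Access border handoff
from the border node's DNAC-generated 'router bgp' block (not article code)."""
import ipaddress
import re

# Constructed input: the border node's BGP block from this page, trimmed to
# the lines the generator reads (remote-as, update-source, activate).
BORDER_BGP = """\
router bgp 65002
 neighbor 172.17.99.2 remote-as 65001
 neighbor 172.17.99.2 update-source Vlan3003
 neighbor FD00:172:17:99::2 remote-as 65001
 neighbor FD00:172:17:99::2 update-source Vlan3003
 address-family ipv4
  neighbor 172.17.99.2 activate
  no neighbor FD00:172:17:99::2 activate
 exit-address-family
 address-family ipv6
  neighbor FD00:172:17:99::2 activate
 exit-address-family
 address-family ipv4 vrf VN1
  neighbor 172.17.99.6 remote-as 65001
  neighbor 172.17.99.6 update-source Vlan3004
  neighbor 172.17.99.6 activate
 exit-address-family
 address-family ipv4 vrf VN2
  neighbor 172.17.99.10 remote-as 65001
  neighbor 172.17.99.10 update-source Vlan3005
  neighbor 172.17.99.10 activate
 exit-address-family
"""

AF_RE = re.compile(r"address-family (ipv4|ipv6)(?: vrf (\S+))?")
NBR_RE = re.compile(r"(no )?neighbor (\S+) (remote-as|update-source|activate)(?: (\S+))?")


def parse_border(text):
    """Return (border_as, peers); peers maps (vrf or None, fusion_addr) -> attrs."""
    border_as, peers, vrf = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("router bgp "):
            border_as = int(line.split()[2])
        elif line == "exit-address-family":
            vrf = None
        elif m := AF_RE.fullmatch(line):
            vrf = m.group(2)  # None while inside the global address families
        elif m := NBR_RE.fullmatch(line):
            negated, addr, keyword, arg = m.groups()
            peer = peers.setdefault((vrf, addr), {"active": False})
            if keyword == "remote-as":
                peer["remote_as"] = int(arg)
            elif keyword == "update-source":
                peer["vlan"] = arg
            elif not negated:  # 'no neighbor X activate' leaves that AF inactive
                peer["active"] = True
    return border_as, peers


def fusion_config(border_as, peers):
    """Mirror the border's peers: Fusion-side SVIs plus eBGP neighbors.

    ASSUMPTION (not stated on the page): every handoff is a /30 or /126
    point-to-point and the border holds the address one below the Fusion's,
    as all pairs on this page do.  Verify on the border before pasting.
    """
    fusion_as = {p.get("remote_as") for p in peers.values()}
    if len(fusion_as) != 1 or None in fusion_as:
        raise ValueError(f"border peers with missing/inconsistent remote-as: {fusion_as}")
    svis, glob, afs = {}, [], {}
    for (vrf, addr), p in sorted(peers.items(), key=lambda kv: (kv[0][0] or "", kv[0][1])):
        if not p["active"]:
            continue
        fusion_ip = ipaddress.ip_address(addr)  # the border's neighbor is our own address
        border_ip = fusion_ip - 1               # assumption: border holds the lower address
        if fusion_ip.version == 6:
            afi, addr_line = "ipv6", f" ipv6 address {fusion_ip}/126"
        else:
            afi, addr_line = "ipv4", f" ip address {fusion_ip} 255.255.255.252"
        svi = svis.setdefault(p["vlan"], [f"interface {p['vlan']}"] + ([f" vrf forwarding {vrf}"] if vrf else []))
        svi.append(addr_line)
        nbr = [f"neighbor {border_ip} remote-as {border_as}", f"neighbor {border_ip} update-source {p['vlan']}"]
        af = afs.setdefault(f" address-family {afi}" + (f" vrf {vrf}" if vrf else ""), [])
        if vrf:
            af += ["  " + n for n in nbr]   # VRF peers are defined inside their AF
        else:
            glob += [" " + n for n in nbr]  # global peers are defined at router level
        af.append(f"  neighbor {border_ip} activate")
    out = [line for lines in svis.values() for line in lines + ["!"]]
    out += [f"router bgp {fusion_as.pop()}", " bgp log-neighbor-changes"] + glob
    for header, lines in afs.items():
        out += [header] + lines + [" exit-address-family"]
    return "\n".join(out)


if __name__ == "__main__":
    print(fusion_config(*parse_border(BORDER_BGP)))
```

Run it and diff the output against the border's `show run | section router bgp` before committing it: the generator deliberately raises if the border's neighbors do not all point at one remote AS, because a mixed set usually means the Transit definition in DNAC is not what you thought.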
###Configuring the edge nodes
Finally, the last component: the edge nodes. An edge node needs an authentication mechanism such as dot1x and the LISP configuration, plus a VRF for each virtual network in use. It is a little contrived by now, but let me ask once more: how much LISP and authentication configuration skill do you need?
Answer: 0 (zero, nil, none)
Configuring an edge node is just clicking the toggle in the GUI, as shown below. That's it!
For those who want to know what the configuration pushed to an edge node looks like, here is what DNAC actually generated. Edge nodes usually come in large packs, so being able to configure all of this with one click is a big deal.
If I were told to configure this by hand on 100 switches, or even 10, without a single mistake... it is frightening just to think about. It must never happen.
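The part of that configuration worth checking after the fact is the port authentication: DNAC's wired templates differ in whether they contain `access-session closed` (closed mode, no traffic before authentication) or not (open and low-impact modes), and every access port is bound to one of them with `source template`. As an added check, not code from the article, here is a small audit you can run over an edge node's running-config: it resolves each access port's template and reports ports that are not in closed mode, that reference no template or an undefined one, or that lack BPDU guard. The sample config is constructed: it uses two of the wired templates DNAC generated (shortened) plus four invented interface names, since the dump on this page does not show the interface names.

```python
"""Added example: audit an SD-Access edge-node running-config for access ports
that do not enforce closed-mode 802.1X (not code from the article)."""

# Constructed sample: two of DNAC's wired templates as shown on this page
# (shortened) and four invented interface stanzas.
EDGE_CONFIG = """\
template DefaultWiredDot1xClosedAuth
 dot1x pae authenticator
 switchport mode access
 switchport voice vlan 2046
 mab
 access-session closed
 access-session port-control auto
 service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
!
template DefaultWiredDot1xOpenAuth
 dot1x pae authenticator
 switchport mode access
 mab
 access-session port-control auto
 service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB
!
interface GigabitEthernet1/0/1
 switchport mode access
 source template DefaultWiredDot1xClosedAuth
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 source template DefaultWiredDot1xOpenAuth
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
!
interface TenGigabitEthernet1/1/1
 switchport mode trunk
!
"""


def parse_stanzas(text):
    """Split an IOS-style config into {header: [child lines]} for top-level stanzas."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' separators end the current stanza
        elif raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas[current] = []
    return stanzas


def audit_access_ports(text):
    """Return {interface: [findings]} for every access port; an empty list means clean."""
    stanzas = parse_stanzas(text)
    templates = {h.split()[1]: body for h, body in stanzas.items() if h.startswith("template ")}
    report = {}
    for header, body in stanzas.items():
        if not header.startswith("interface ") or "switchport mode access" not in body:
            continue  # trunks, SVIs and LISP interfaces are out of scope here
        findings = []
        tmpl = next((l.split()[2] for l in body if l.startswith("source template ")), None)
        if tmpl is None:
            findings.append("no source template: port is unauthenticated")
        elif tmpl not in templates:
            findings.append(f"template {tmpl} is not defined")
        else:
            t = templates[tmpl]
            if "access-session closed" not in t:
                findings.append(f"template {tmpl} is open/low-impact, not closed mode")
            if "access-session port-control auto" not in t:
                findings.append(f"template {tmpl} does not enable port control")
            if not any(l.startswith("service-policy type control subscriber") for l in t):
                findings.append(f"template {tmpl} has no subscriber policy-map")
        if "spanning-tree bpduguard enable" not in body:
            findings.append("bpduguard not enabled on edge port")
        report[header.split(None, 1)[1]] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_access_ports(EDGE_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

On the sample, GigabitEthernet1/0/1 comes back clean, 1/0/2 is flagged for the open-mode template, 1/0/3 for having no template and no BPDU guard, and the trunk uplink is skipped. The same parser works on a real `show running-config` captured from an edge node, which is a cheap way to confirm that no port was left outside the authentication template after a change in DNAC.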
Edge-node config generated by DNAC
> vrf definition VN1
> !
> address-family ipv4
> exit-address-family
> !
> address-family ipv6
> exit-address-family
> !
> vrf definition VN2
> !
> address-family ipv4
> exit-address-family
> !
> address-family ipv6
> exit-address-family
> !
> ip dhcp relay information option
> ip dhcp snooping vlan 1021,1101-1102,1111-1112
> ip dhcp snooping
> ipv6 unicast-routing
> !
> device-sensor filter-list lldp list iseLLDP
> tlv name system-name
> tlv name system-description
> tlv name system-capabilities
> !
> device-sensor filter-list dhcp list iseDHCP
> option name host-name
> option name parameter-request-list
> option name class-identifier
> !
> device-sensor filter-list cdp list iseCDP
> tlv name device-name
> tlv name capabilities-type
> tlv name version-type
> tlv name platform-type
> device-sensor filter-spec dhcp include list iseDHCP
> device-sensor filter-spec lldp include list iseLLDP
> device-sensor filter-spec cdp include list iseCDP
> device-sensor notify all-changes
> mpls label mode all-vrfs protocol all-afs per-vrf
> parameter-map type subscriber attribute-to-service BUILTIN_DEVICE_TO_TEMPLATE
> 60 map device-type regex "Cisco-AIR-AP"
> 20 interface-template AP_INTERFACE_TEMPLATE
> 70 map device-type regex "Cisco-AIR-LAP"
> 20 interface-template LAP_INTERFACE_TEMPLATE
> 110 map device-type regex "Cisco-CAT-LAP"
> 10 interface-template LAP_INTERFACE_TEMPLATE
> !
> access-session attributes filter-list list Def_Acct_List
> cdp
> lldp
> dhcp
> http
> access-session accounting attributes filter-spec include list Def_Acct_List
> access-session interface-template sticky timer 30
> access-session acl default passthrough
> service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
> service-template DefaultCriticalVoice_SRV_TEMPLATE
> voice vlan
> service-template DefaultCriticalAccess_SRV_TEMPLATE
> access-group IPV4_CRITICAL_AUTH_ACL
> access-group IPV6_CRITICAL_AUTH_ACL
> dot1x critical eapol
> device classifier
> vlan configuration 1101-1102,1111-1112
> ipv6 nd raguard
> ipv6 dhcp guard
> !
> vlan 1021
> name 172_17_200_0-INFRA_VN
> !
> vlan 1101
> name 172_17_1_0-VN1
> !
> vlan 1102
> name 172_17_2_0-VN2
> !
> vlan 1111
> name 172_17_11_0-VN1
> !
> vlan 1112
> name 172_17_12_0-VN2
> !
> vlan 2046
> name VOICE_VLAN
> lldp run
> !
> class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
> match authorization-status authorized
> match result-type aaa-timeout
> !
> class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
> match authorization-status unauthorized
> match result-type aaa-timeout
> !
> class-map type control subscriber match-all AUTHC_SUCCESS-AUTHZ_FAIL
> match authorization-status unauthorized
> match result-type success
> !
> class-map type control subscriber match-all DOT1X
> match method dot1x
> !
> class-map type control subscriber match-all DOT1X_FAILED
> match method dot1x
> match result-type method dot1x authoritative
> !
> class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
> match authorizing-method-priority gt 20
> !
> class-map type control subscriber match-all DOT1X_NO_RESP
> match method dot1x
> match result-type method dot1x agent-not-found
> !
> class-map type control subscriber match-all DOT1X_TIMEOUT
> match method dot1x
> match result-type method dot1x method-timeout
> !
> class-map type control subscriber match-any IN_CRITICAL_AUTH
> match activated-service-template DefaultCriticalVoice_SRV_TEMPLATE
> !
> class-map type control subscriber match-any IN_CRITICAL_AUTH_CLOSED_MODE
> match activated-service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
> match activated-service-template DefaultCriticalVoice_SRV_TEMPLATE
> !
> class-map type control subscriber match-all MAB
> match method mab
> !
> class-map type control subscriber match-all MAB_FAILED
> match method mab
> match result-type method mab authoritative
> !
> class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
> match activated-service-template DefaultCriticalVoice_SRV_TEMPLATE
> !
> class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH_CLOSED_MODE
> match activated-service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
> match activated-service-template DefaultCriticalVoice_SRV_TEMPLATE
> !
> policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
> event session-started match-all
> 10 class always do-until-failure
> 10 authenticate using dot1x retries 2 retry-time 0 priority 10
> event authentication-failure match-first
> 5 class DOT1X_FAILED do-until-failure
> 10 terminate dot1x
> 20 authenticate using mab priority 20
> 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
> 10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
> 20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
> 30 authorize
> 40 pause reauthentication
> 20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
> 10 pause reauthentication
> 20 authorize
> 30 class DOT1X_NO_RESP do-until-failure
> 10 terminate dot1x
> 20 authenticate using mab priority 20
> 40 class MAB_FAILED do-until-failure
> 10 terminate mab
> 20 authentication-restart 60
> 50 class DOT1X_TIMEOUT do-until-failure
> 10 terminate dot1x
> 20 authenticate using mab priority 20
> 60 class always do-until-failure
> 10 terminate dot1x
> 20 terminate mab
> 30 authentication-restart 60
> event aaa-available match-all
> 10 class IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
> 10 clear-session
> 20 class NOT_IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
> 10 resume reauthentication
> event agent-found match-all
> 10 class always do-until-failure
> 10 terminate mab
> 20 authenticate using dot1x retries 2 retry-time 0 priority 10
> event inactivity-timeout match-all
> 10 class always do-until-failure
> 10 clear-session
> event authentication-success match-all
> event violation match-all
> 10 class always do-until-failure
> 10 restrict
> event authorization-failure match-all
> 10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
> 10 authentication-restart 60
> !
> policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_MAB_1X
> event session-started match-all
> 10 class always do-until-failure
> 10 authenticate using mab priority 20
> event authentication-failure match-first
> 5 class DOT1X_FAILED do-until-failure
> 10 terminate dot1x
> 20 authentication-restart 60
> 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
> 10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
> 20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
> 30 authorize
> 40 pause reauthentication
> 20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
> 10 pause reauthentication
> 20 authorize
> 30 class MAB_FAILED do-until-failure
> 10 terminate mab
> 20 authenticate using dot1x retries 2 retry-time 0 priority 10
> 40 class DOT1X_NO_RESP do-until-failure
> 10 terminate dot1x
> 20 authentication-restart 60
> 50 class DOT1X_TIMEOUT do-until-failure
> 10 terminate dot1x
> 20 authenticate using mab priority 20
> 60 class always do-until-failure
> 10 terminate mab
> 20 terminate dot1x
> 30 authentication-restart 60
> event aaa-available match-all
> 10 class IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
> 10 clear-session
> 20 class NOT_IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
> 10 resume reauthentication
> event agent-found match-all
> 10 class always do-until-failure
> 10 terminate mab
> 20 authenticate using dot1x retries 2 retry-time 0 priority 10
> event inactivity-timeout match-all
> 10 class always do-until-failure
> 10 clear-session
> event authentication-success match-all
> event violation match-all
> 10 class always do-until-failure
> 10 restrict
> event authorization-failure match-all
> 10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
> 10 authentication-restart 60
> !
> policy-map type control subscriber PMAP_DefaultWiredDot1xLowImpactAuth_1X_MAB
> event session-started match-all
> 10 class always do-until-failure
> 10 authenticate using dot1x retries 2 retry-time 0 priority 10
> event authentication-failure match-first
> 5 class DOT1X_FAILED do-until-failure
> 10 terminate dot1x
> 20 authenticate using mab priority 20
> 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
> 10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
> 20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
> 25 activate service-template DefaultCriticalAccess_SRV_TEMPLATE
> 30 authorize
> 40 pause reauthentication
> 20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
> 10 pause reauthentication
> 20 authorize
> 30 class DOT1X_NO_RESP do-until-failure
> 10 terminate dot1x
> 20 authenticate using mab priority 20
> 40 class MAB_FAILED do-until-failure
> 10 terminate mab
> 20 authentication-restart 60
> 50 class DOT1X_TIMEOUT do-until-failure
> 10 terminate dot1x
> 20 authenticate using mab priority 20
> 60 class always do-until-failure
> 10 terminate dot1x
> 20 terminate mab
> 30 authentication-restart 60
> event aaa-available match-all
> 10 class IN_CRITICAL_AUTH do-until-failure
> 10 clear-session
> 20 class NOT_IN_CRITICAL_AUTH do-until-failure
> 10 resume reauthentication
> event agent-found match-all
> 10 class always do-until-failure
> 10 terminate mab
> 20 authenticate using dot1x retries 2 retry-time 0 priority 10
> event inactivity-timeout match-all
> 10 class always do-until-failure
> 10 clear-session
> event authentication-success match-all
> event violation match-all
> 10 class always do-until-failure
> 10 restrict
> event authorization-failure match-all
> 10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
> 10 authentication-restart 60
> !
> policy-map type control subscriber PMAP_DefaultWiredDot1xLowImpactAuth_MAB_1X
> event session-started match-all
> 10 class always do-until-failure
> 10 authenticate using mab priority 20
> event authentication-failure match-first
> 5 class DOT1X_FAILED do-until-failure
> 10 terminate dot1x
> 20 authentication-restart 60
> 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
> 10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
> 20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
> 25 activate service-template DefaultCriticalAccess_SRV_TEMPLATE
> 30 authorize
> 40 pause reauthentication
> 20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
> 10 pause reauthentication
> 20 authorize
> 30 class MAB_FAILED do-until-failure
> 10 terminate mab
> 20 authenticate using dot1x retries 2 retry-time 0 priority 10
> 40 class DOT1X_NO_RESP do-until-failure
> 10 terminate dot1x
> 20 authentication-restart 60
> 50 class DOT1X_TIMEOUT do-until-failure
> 10 terminate dot1x
> 20 authenticate using mab priority 20
> 60 class always do-until-failure
> 10 terminate mab
> 20 terminate dot1x
> 30 authentication-restart 60
> event aaa-available match-all
> 10 class IN_CRITICAL_AUTH do-until-failure
> 10 clear-session
> 20 class NOT_IN_CRITICAL_AUTH do-until-failure
> 10 resume reauthentication
> event agent-found match-all
> 10 class always do-until-failure
> 10 terminate mab
> 20 authenticate using dot1x retries 2 retry-time 0 priority 10
> event inactivity-timeout match-all
> 10 class always do-until-failure
> 10 clear-session
> event authentication-success match-all
> event violation match-all
> 10 class always do-until-failure
> 10 restrict
> event authorization-failure match-all
> 10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
> 10 authentication-restart 60
> !
> policy-map type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB
> event session-started match-all
> 10 class always do-until-failure
> 10 authenticate using dot1x retries 2 retry-time 0 priority 10
> event authentication-failure match-first
> 5 class DOT1X_FAILED do-until-failure
> 10 terminate dot1x
> 20 authenticate using mab priority 20
> 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
> 10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
> 20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
> 30 authorize
> 40 pause reauthentication
> 20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
> 10 pause reauthentication
> 20 authorize
> 30 class DOT1X_NO_RESP do-until-failure
> 10 terminate dot1x
> 20 authenticate using mab priority 20
> 40 class MAB_FAILED do-until-failure
> 10 terminate mab
> 20 authentication-restart 60
> 50 class DOT1X_TIMEOUT do-until-failure
> 10 terminate dot1x
> 20 authenticate using mab priority 20
> 60 class always do-until-failure
> 10 terminate dot1x
> 20 terminate mab
> 30 authentication-restart 60
> event aaa-available match-all
> 10 class IN_CRITICAL_AUTH do-until-failure
> 10 clear-session
> 20 class NOT_IN_CRITICAL_AUTH do-until-failure
> 10 resume reauthentication
> event agent-found match-all
> 10 class always do-until-failure
> 10 terminate mab
> 20 authenticate using dot1x retries 2 retry-time 0 priority 10
> event inactivity-timeout match-all
> 10 class always do-until-failure
> 10 clear-session
> event authentication-success match-all
> event violation match-all
> 10 class always do-until-failure
> 10 restrict
> event authorization-failure match-all
> 10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
> 10 authentication-restart 60
> !
> policy-map type control subscriber PMAP_DefaultWiredDot1xOpenAuth_MAB_1X
> event session-started match-all
> 10 class always do-until-failure
> 10 authenticate using mab priority 20
> event authentication-failure match-first
> 5 class DOT1X_FAILED do-until-failure
> 10 terminate dot1x
> 20 authentication-restart 60
> 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
> 10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
> 20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
> 30 authorize
> 40 pause reauthentication
> 20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
> 10 pause reauthentication
> 20 authorize
> 30 class MAB_FAILED do-until-failure
> 10 terminate mab
> 20 authenticate using dot1x retries 2 retry-time 0 priority 10
> 40 class DOT1X_NO_RESP do-until-failure
> 10 terminate dot1x
> 20 authentication-restart 60
> 50 class DOT1X_TIMEOUT do-until-failure
> 10 terminate dot1x
> 20 authenticate using mab priority 20
> 60 class always do-until-failure
> 10 terminate mab
> 20 terminate dot1x
> 30 authentication-restart 60
> event aaa-available match-all
> 10 class IN_CRITICAL_AUTH do-until-failure
> 10 clear-session
> 20 class NOT_IN_CRITICAL_AUTH do-until-failure
> 10 resume reauthentication
> event agent-found match-all
> 10 class always do-until-failure
> 10 terminate mab
> 20 authenticate using dot1x retries 2 retry-time 0 priority 10
> event inactivity-timeout match-all
> 10 class always do-until-failure
> 10 clear-session
> event authentication-success match-all
> event violation match-all
> 10 class always do-until-failure
> 10 restrict
> event authorization-failure match-all
> 10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
> 10 authentication-restart 60
> !
> autoconf enable
> !
> template AP_INTERFACE_TEMPLATE
> switchport mode trunk
> switchport nonegotiate
> service-policy input AutoConf-4.0-Trust-Cos-Input-Policy
> !
> template ApAutzTemplate
> switchport access vlan 1021
> switchport mode access
> access-session interface-template sticky timer 10
> !
> template DMP_INTERFACE_TEMPLATE
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> switchport block unicast
> !
> template DefaultWiredDot1xClosedAuth
> dot1x pae authenticator
> dot1x timeout supp-timeout 7
> dot1x max-req 3
> switchport mode access
> switchport voice vlan 2046
> mab
> access-session closed
> access-session port-control auto
> authentication periodic
> authentication timer reauthenticate server
> service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
> !
> template DefaultWiredDot1xLowImpactAuth
> dot1x pae authenticator
> dot1x timeout supp-timeout 7
> dot1x max-req 3
> switchport mode access
> switchport voice vlan 2046
> mab
> access-session port-control auto
> authentication periodic
> authentication timer reauthenticate server
> service-policy type control subscriber PMAP_DefaultWiredDot1xLowImpactAuth_1X_MAB
> !
> template DefaultWiredDot1xOpenAuth
> dot1x pae authenticator
> dot1x timeout supp-timeout 7
> dot1x max-req 3
> switchport mode access
> switchport voice vlan 2046
> mab
> access-session port-control auto
> authentication periodic
> authentication timer reauthenticate server
> service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB
> !
> template IP_CAMERA_INTERFACE_TEMPLATE
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> switchport block unicast
> !
> template IP_PHONE_INTERFACE_TEMPLATE
> storm-control broadcast level pps 1k
> storm-control multicast level pps 2k
> storm-control action trap
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> switchport block unicast
> load-interval 30
> ip dhcp snooping limit rate 15
> !
> template LAP_INTERFACE_TEMPLATE
> storm-control broadcast level pps 1k
> storm-control multicast level pps 2k
> storm-control action trap
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport access vlan 1021
> switchport mode access
> switchport block unicast
> load-interval 30
> ip dhcp snooping limit rate 15
> !
> template TP_INTERFACE_TEMPLATE
> storm-control broadcast level pps 1k
> storm-control multicast level pps 2k
> storm-control action trap
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> switchport port-security aging type inactivity
> switchport port-security
> load-interval 30
> ip dhcp snooping limit rate 15
> !
> interface LISP0
> !
> interface LISP0.4097
> !
> interface LISP0.4099
> !
> interface LISP0.4100
> !
> interface L2LISP0
> !
> interface L2LISP0.8188
> !
> interface L2LISP0.8189
> !
> interface L2LISP0.8190
> !
> interface L2LISP0.8191
> !
> interface L2LISP0.8192
> !
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> switchport mode access
> dot1x timeout tx-period 7
> dot1x max-reauth-req 3
> source template DefaultWiredDot1xClosedAuth
> spanning-tree portfast
> spanning-tree bpduguard enable
> interface Vlan1021
> description Configured from Cisco DNA-Center
> mac-address 0000.0c9f.ffbe
> ip address 172.17.200.1 255.255.255.0
> ip helper-address global 192.168.100.3
> no ip redirects
> ip route-cache same-interface
> no lisp mobility liveness test
> lisp mobility 172_17_200_0-INFRA_VN-IPV4
> !
> interface Vlan1101
> description Configured from Cisco DNA-Center
> mac-address 0000.0c9f.f58c
> vrf forwarding VN1
> ip address 172.17.1.1 255.255.255.0
> ip helper-address 192.168.100.3
> no ip redirects
> ip route-cache same-interface
> no lisp mobility liveness test
> lisp mobility 172_17_1_0-VN1-IPV4
> lisp mobility 172_17_1_0-VN1-IPV6
> ipv6 address FD00:172:17:1::1/64
> ipv6 enable
> ipv6 nd dad attempts 0
> ipv6 nd prefix FD00:172:17:1::/64 2592000 604800 no-autoconfig
> ipv6 nd managed-config-flag
> ipv6 nd other-config-flag
> ipv6 nd router-preference High
> ipv6 dhcp relay destination FD00:192:168:100::3
> ipv6 dhcp relay source-interface Vlan1101
> ipv6 dhcp relay trust
> !
> interface Vlan1102
> description Configured from Cisco DNA-Center
> mac-address 0000.0c9f.f3e6
> vrf forwarding VN2
> ip address 172.17.2.1 255.255.255.0
> ip helper-address 192.168.100.3
> no ip redirects
> ip route-cache same-interface
> no lisp mobility liveness test
> lisp mobility 172_17_2_0-VN2-IPV4
> lisp mobility 172_17_2_0-VN2-IPV6
> ipv6 address FD00:172:17:2::1/64
> ipv6 enable
> ipv6 nd dad attempts 0
> ipv6 nd prefix FD00:172:17:2::/64 2592000 604800 no-autoconfig
> ipv6 nd managed-config-flag
> ipv6 nd other-config-flag
> ipv6 nd router-preference High
> ipv6 dhcp relay destination FD00:192:168:100::3
> ipv6 dhcp relay source-interface Vlan1102
> ipv6 dhcp relay trust
> !
> interface Vlan1111
> description Configured from Cisco DNA-Center
> mac-address 0000.0c9f.ff58
> vrf forwarding VN1
> ip address 172.17.11.1 255.255.255.0
> ip helper-address 192.168.100.3
> no ip redirects
> ip route-cache same-interface
> no lisp mobility liveness test
> lisp mobility 172_17_11_0-VN1-IPV4
> lisp mobility 172_17_11_0-VN1-IPV6
> ipv6 address FD00:172:17:11::1/64
> ipv6 enable
> ipv6 nd dad attempts 0
> ipv6 nd prefix FD00:172:17:11::/64 2592000 604800 no-autoconfig
> ipv6 nd managed-config-flag
> ipv6 nd other-config-flag
> ipv6 nd router-preference High
> ipv6 dhcp relay destination FD00:192:168:100::3
> ipv6 dhcp relay source-interface Vlan1111
> ipv6 dhcp relay trust
> !
> interface Vlan1112
> description Configured from Cisco DNA-Center
> mac-address 0000.0c9f.f39b
> vrf forwarding VN2
> ip address 172.17.12.1 255.255.255.0
> ip helper-address 192.168.100.3
> no ip redirects
> ip route-cache same-interface
> no lisp mobility liveness test
> lisp mobility 172_17_12_0-VN2-IPV4
> lisp mobility 172_17_12_0-VN2-IPV6
> ipv6 address FD00:172:17:12::1/64
> ipv6 enable
> ipv6 nd dad attempts 0
> ipv6 nd prefix FD00:172:17:12::/64 2592000 604800 no-autoconfig
> ipv6 nd managed-config-flag
> ipv6 nd other-config-flag
> ipv6 nd router-preference High
> ipv6 dhcp relay destination FD00:192:168:100::3
> ipv6 dhcp relay source-interface Vlan1112
> ipv6 dhcp relay trust
> !
> router lisp
> locator-table default
> locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> IPv4-interface Loopback0 priority 10 weight 10
> exit-locator-set
> !
> locator default-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> service ipv4
> encapsulation vxlan
> itr map-resolver 172.17.255.3
> itr map-resolver 172.17.255.4
> etr map-server 172.17.255.3 key 7 110A4C0143140A
> etr map-server 172.17.255.3 proxy-reply
> etr map-server 172.17.255.4 key 7 130642165F0A05
> etr map-server 172.17.255.4 proxy-reply
> etr
> sgt
> no map-cache away-eids send-map-request
> use-petr 172.17.255.3
> use-petr 172.17.255.4
> proxy-itr 172.17.88.68
> exit-service-ipv4
> !
> service ipv6
> encapsulation vxlan
> itr map-resolver 172.17.255.3
> itr map-resolver 172.17.255.4
> etr map-server 172.17.255.3 key 7 06055A25184808
> etr map-server 172.17.255.3 proxy-reply
> etr map-server 172.17.255.4 key 7 070C74481A0F18
> etr map-server 172.17.255.4 proxy-reply
> etr
> sgt
> no map-cache away-eids send-map-request
> use-petr 172.17.255.3
> use-petr 172.17.255.4
> proxy-itr 172.17.88.68
> exit-service-ipv6
> !
> service ethernet
> itr map-resolver 172.17.255.3
> itr map-resolver 172.17.255.4
> itr
> etr map-server 172.17.255.3 key 7 04585E025B274D
> etr map-server 172.17.255.3 proxy-reply
> etr map-server 172.17.255.4 key 7 094F1B0D4D0316
> etr map-server 172.17.255.4 proxy-reply
> etr
> exit-service-ethernet
> !
> instance-id 4097
> remote-rloc-probe on-route-change
> dynamic-eid 172_17_200_0-INFRA_VN-IPV4
> database-mapping 172.17.200.0/24 locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-dynamic-eid
> !
> service ipv4
> eid-table default
> exit-service-ipv4
> !
> service ipv6
> eid-table default
> exit-service-ipv6
> !
> exit-instance-id
> !
> instance-id 4099
> remote-rloc-probe on-route-change
> dynamic-eid 172_17_12_0-VN2-IPV4
> database-mapping 172.17.12.0/24 locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-dynamic-eid
> !
> dynamic-eid 172_17_12_0-VN2-IPV6
> database-mapping FD00:172:17:12::/64 locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-dynamic-eid
> !
> dynamic-eid 172_17_2_0-VN2-IPV4
> database-mapping 172.17.2.0/24 locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-dynamic-eid
> !
> dynamic-eid 172_17_2_0-VN2-IPV6
> database-mapping FD00:172:17:2::/64 locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-dynamic-eid
> !
> service ipv4
> eid-table vrf VN2
> map-cache 0.0.0.0/0 map-request
> exit-service-ipv4
> !
> service ipv6
> eid-table vrf VN2
> map-cache ::/0 map-request
> exit-service-ipv6
> !
> exit-instance-id
> !
> instance-id 4100
> remote-rloc-probe on-route-change
> dynamic-eid 172_17_11_0-VN1-IPV4
> database-mapping 172.17.11.0/24 locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-dynamic-eid
> !
> dynamic-eid 172_17_11_0-VN1-IPV6
> database-mapping FD00:172:17:11::/64 locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-dynamic-eid
> !
> dynamic-eid 172_17_1_0-VN1-IPV4
> database-mapping 172.17.1.0/24 locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-dynamic-eid
> !
> dynamic-eid 172_17_1_0-VN1-IPV6
> database-mapping FD00:172:17:1::/64 locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-dynamic-eid
> !
> service ipv4
> eid-table vrf VN1
> map-cache 0.0.0.0/0 map-request
> exit-service-ipv4
> !
> service ipv6
> eid-table vrf VN1
> map-cache ::/0 map-request
> exit-service-ipv6
> !
> exit-instance-id
> !
> instance-id 8188
> remote-rloc-probe on-route-change
> service ethernet
> eid-table vlan 1021
> database-mapping mac locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-service-ethernet
> !
> exit-instance-id
> !
> instance-id 8189
> remote-rloc-probe on-route-change
> service ethernet
> eid-table vlan 1111
> database-mapping mac locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-service-ethernet
> !
> exit-instance-id
> !
> instance-id 8190
> remote-rloc-probe on-route-change
> service ethernet
> eid-table vlan 1101
> database-mapping mac locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-service-ethernet
> !
> exit-instance-id
> !
> instance-id 8191
> remote-rloc-probe on-route-change
> service ethernet
> eid-table vlan 1112
> database-mapping mac locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-service-ethernet
> !
> exit-instance-id
> !
> instance-id 8192
> remote-rloc-probe on-route-change
> service ethernet
> eid-table vlan 1102
> database-mapping mac locator-set rloc_5e5d0b97-5929-43a6-a6eb-4a3fe352d0b8
> exit-service-ethernet
> !
> exit-instance-id
> !
> ipv4 locator reachability minimum-mask-length 32 proxy-etr-only
> ipv4 source-locator Loopback0
> ipv6 locator reachability minimum-mask-length 128 proxy-etr-only
> ipv6 source-locator Loopback0
> exit-router-lisp
> !
> ip access-list extended IPV4_CRITICAL_AUTH_ACL
> 10 permit ip any any
> ip access-list extended IPV4_PRE_AUTH_ACL
> 10 permit udp any any eq bootpc
> 20 permit udp any any eq bootps
> 30 permit udp any any eq domain
> 40 deny ip any any
> ip sla 1
> icmp-echo 172.17.255.4 source-ip 172.17.88.68
> threshold 3
> ip sla schedule 1 life forever start-time now
> ip sla 2
> icmp-echo 172.17.255.3 source-ip 172.17.88.68
> threshold 3
> ip sla schedule 2 life forever start-time now
> ip sla 3
> icmp-echo 192.168.100.31 source-ip 172.17.88.68
> threshold 3
> ip sla schedule 3 life forever start-time now
> ipv6 access-list IPV6_CRITICAL_AUTH_ACL
> sequence 10 permit ipv6 any any
> !
> ipv6 access-list IPV6_PRE_AUTH_ACL
> sequence 10 permit udp any any eq bootpc
> sequence 20 permit udp any any eq bootps
> sequence 30 permit udp any any eq domain
> sequence 40 deny ipv6 any any
> !
> cts role-based sgt-map vlan-list 1101 sgt 18
> cts role-based sgt-map vlan-list 1111 sgt 19
> cts role-based sgt-map vlan-list 1102 sgt 20
> cts role-based sgt-map vlan-list 1112 sgt 21
> cts role-based enforcement
> cts role-based enforcement vlan-list 1021,1101-1102,1111-1112
###Summary of STEP3
So how much CLI configuration did we do in this STEP?
Answer: 0 (zero. nil. none.)
(Note: excluding the Fusion router configuration...)
Across the whole process, the only time CLI configuration was needed on a device was at the very start of STEP1. In other words, SD-Access can be configured easily, and without mistakes, even without CLI knowledge!
#Overall summary
###An intent-based GUI
As we have seen, most of the SD-Access configuration is completed in the GUI, and that GUI configuration is kept to the bare minimum. If a GUI merely made you enter, one item at a time through a browser, roughly the same volume of parameters as a CLI config, that would just be tedious; with SD-Access, you configure only the information the solution needs in order to operate.
As an analogy: the user just says "shio ramen, no menma," and DNAC brings the ideal menma-free shio ramen. This is what is meant by intent-based. It is not on the level of setting the pot size with a slider or picking the water temperature from a list box.
###The benefit of generating the config itself automatically
Beyond automating the pushing of config to devices, DNAC (SD-Access) generates the device config itself automatically. Administrators therefore do not need to agonize over what logic or policy to use when composing the config.
In addition, the config DNAC generates can be reviewed by the user before it is actually applied to a device (a dry run), so an engineer can know in advance exactly what changes will be made; there is no worry about the process becoming a black box.
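The dry-run review is the point where a security engineer can check the generated config against policy before it reaches the switch. The following is an added example, written for this article rather than code from DNAC or the author: a small Python audit that parses IOS-style config text and checks the points that matter most in the edge-node config shown above, namely that every access port carries the closed-mode 802.1X template and BPDU guard, that the pre-authentication ACL permits only DHCP and DNS and ends in an explicit deny, and that every SVI's VLAN is covered by `cts role-based enforcement vlan-list`. The sample input is a trimmed excerpt of the page's own config; the `interface GigabitEthernet1/0/1` header, the indentation and the "weakened" variant are constructed.

```python
"""Audit checks a reviewer can run over a DNAC dry-run config before applying it.
Hypothetical example written for this article; not DNAC or IOS-XE code."""
import re

# Sample input: an excerpt of the DNAC-generated edge-node config shown above.
# The "interface GigabitEthernet1/0/1" header and the indentation are
# constructed (the page shows access-port lines without their headers).
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 switchport mode access
 source template DefaultWiredDot1xClosedAuth
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan1021
 ip address 172.17.200.1 255.255.255.0
!
interface Vlan1112
 ip address 172.17.12.1 255.255.255.0
!
ip access-list extended IPV4_PRE_AUTH_ACL
 10 permit udp any any eq bootpc
 20 permit udp any any eq bootps
 30 permit udp any any eq domain
 40 deny ip any any
!
cts role-based enforcement
cts role-based enforcement vlan-list 1021,1101-1102,1111-1112
"""
# Constructed weakened variant: pre-auth ACL opened up and VLAN 1112 dropped
# from the enforcement list, to show what the audit flags.
WEAKENED_CONFIG = SAMPLE_CONFIG.replace(
    " 40 deny ip any any", " 40 permit ip any any").replace("1111-1112", "1111")

# A header opens a block; its children run until "!" or the next header.
# Nested blocks such as "router lisp" are not modelled here.
HEADER_RE = re.compile(r"^(interface |ip access-list |ipv6 access-list |ip sla |router )")
ENFORCE_RE = re.compile(r"^cts role-based enforcement vlan-list (\S+)")
PRE_AUTH_PORTS = {"bootpc", "bootps", "domain"}  # only DHCP and DNS before auth
REQUIRED_ON_ACCESS_PORT = ("source template DefaultWiredDot1xClosedAuth",
                           "spanning-tree bpduguard enable")

def parse_config(text):
    """Return ({header: [child lines]}, [global lines]); indentation is ignored."""
    blocks, global_lines, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif HEADER_RE.match(line):
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
        else:
            global_lines.append(line)
    return blocks, global_lines

def expand_vlan_list(spec):
    """'1021,1101-1102' -> {1021, 1101, 1102}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_pre_auth_acl(name, entries):
    """Pre-auth ACL must permit only DHCP/DNS over UDP and end in an explicit deny."""
    findings = []
    for entry in entries:
        seq, *rule = entry.split()
        if rule[0] == "permit" and (rule[1] != "udp" or rule[-1] not in PRE_AUTH_PORTS):
            findings.append(f"{name} seq {seq}: permit wider than DHCP/DNS: '{' '.join(rule)}'")
    if not entries or entries[-1].split()[1:] != ["deny", "ip", "any", "any"]:
        findings.append(f"{name}: does not end with an explicit 'deny ip any any'")
    return findings

def audit(text):
    # Returns a list of findings; an empty list means the config passed.
    blocks, global_lines = parse_config(text)
    enforced = set()
    for m in filter(None, map(ENFORCE_RE.match, global_lines)):
        enforced |= expand_vlan_list(m.group(1))
    findings = []
    for header, body in blocks.items():
        if header.startswith("interface Vlan"):
            vlan = int(header[len("interface Vlan"):])
            if vlan not in enforced:
                findings.append(f"{header}: VLAN {vlan} missing from cts enforcement vlan-list")
        elif header.startswith("interface ") and "switchport mode access" in body:
            for required in REQUIRED_ON_ACCESS_PORT:
                if required not in body:
                    findings.append(f"{header}: access port missing '{required}'")
    acl = blocks.get("ip access-list extended IPV4_PRE_AUTH_ACL")
    findings.extend(audit_pre_auth_acl("IPV4_PRE_AUTH_ACL", acl)
                    if acl is not None else ["IPV4_PRE_AUTH_ACL is not defined"])
    return findings
```

`audit(SAMPLE_CONFIG)` returns no findings, while `audit(WEAKENED_CONFIG)` reports the opened-up ACL entry, the missing final deny and the SVI whose VLAN is no longer enforced. One further point for the review step: the generated config above also carries the LISP map-server `key 7` strings, so dry-run output should be stored and shared with the same care as the running config itself.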
###Strategic-level automation
And SD-Access automation is not only useful at initial setup. When a virtual network is added or a new device is added, it automatically updates the configuration of every affected device. Rather than tactical-level automation that pushes configuration into a single specified device, it is strategic-level automation that applies a change made to the solution to every device that needs it, without omission; that is the automation SD-Access provides.
With that, I wish everyone a happy new year. Merry Christmas!
#Disclaimer
The opinions expressed on this site and in the corresponding comments are the personal opinions of the individual poster and not those of Cisco. The content of this site is posted for informational purposes only and is not intended as a recommendation or representation by Cisco or any other party. Each user agrees that, by posting to this website, they bear full responsibility for the content of all information they have uploaded by posting, linking or any other method, and that they release Cisco from any liability relating to the use of this website.