|
Multi-chassis Link Aggregation IEEE802.3ad是一种很好的方式去移除生成树网络中,但是IEEE802.3ad不能工作在一对二的环境中,而MC-LAG就是这样的一种技术,两台路由器通过形成逻辑的一台路由器与下游的路由器或交换机配置8023ad,面对下层的设备是完全透明的; MC-LAG在服务提供商中提供链路级和节点级的冗余,如在VPLS实例中,当一台设备出现故障时,达到节点的冗余;企业环境中,当有多台路由器对下游来配置802.3ad时,不用再启用生成树协议; MC-LAG允许客户端(路由器或交换机)来穿过两台分开的Chassis来确定IEEE802.3ad,主要的不同的在于MC-LAG维护独立的控制面板,而MC-VC则是虚拟成一个单的控制面板;当设备IEEE802.3ad时,只增加了链路的的冗余及多余的带宽,并没有节点的冗余,而MC-LAG则提供了这一种环境; 普通的IEEE802.3ad: 从这个图可知,CE1---PE1,做了IEEE802.3当其中的一条链路断了的时候,流量还是正常的,当PE1挂了的时候,就无法再转发正常的流量了; 若运行MC-LAG: 从图显而易见,MC-LAG的优势在于不需要起生成树了,而下游设备只需要配置普通的802.3ad即可; MC-LAG具有内置的防环机制,在后面会提到; 当实现MC-LAG,需要考虑MC-LAG的实现状态,像LACP有Active状态,普通的冗余协议也有Active和Standby状态,像MC-LAG也不例外,MC-LAG可以处于active-activeor active-standby 状态,当使用AS(active-standby的简称,下面AA也是如此),可以确定流量的转发性,但是带宽得不到充分的利用,当然可以通过部署多个AS,而AA状态带宽得到充分利用,但流量转发具有不确定性; MC-LAG active-standby 当操作在AS状态时,只有一台路由器在MC-LAG RG组中数据面板流针对下游设备,而不转发流量的那一条链路通过命令:showlacp interface 时,看到的是attached状态;【大部分用户都实现AS状态,因为流量具有转发确定性】 MC-LAG active-active 当在AA状态时,通过命令时看的接口状态是“CollectingDistributing”状态,允许CE设备在两条链路上转发数据,在AA状态时,需要额外配置ICL,(Inter-chassisdate link),用来在PE之间转发数据的。 MC-LAG family support 在Junos11.4中,MC-LAG仅仅支持二层Familyes,而三层需要支持间接的路由接口或VRRP在同一个桥接域中; 桥接的话通过命令:familybridge 在后续的配置中会看到; VPLS也是一样的,VPLS只支持AS状态; 而CCC(Cross-ConnectCircuits CCC) 提供的是一种透明传输的点到点链路,用于ISP-ISP或接口到-ISP,and so on. Family CCC并不直接支持,而是通过encapsulationethernet-ccc or encapsulation vlan-ccc 来无拘无束; MC-LAG Versus MX-VC 最大的不同在于MC-LAG只是一种简单的协议运行在PE之间,去提供IEEE802.3AD技术,而MC-VC是一种强壮的协议通过虚拟化多个Chassis来形成一个逻辑折Chassis来提供IEEE802.3AD技术,相比,MC-VC可以更快的接收一些新的特性,因为只有一个Chassis,而MC-LAG则不行,需要一步一步来支持新特性,这些新特性需要嵌入到MC-LAG协议中,保护和维护在PE两台路由器之间;MC-LAG在配置时不需要作什么太大的改变,而VC则需要重启设备,并会中断客户之间的流量;相比来说,当MC-VC中出现误配置,则会影响全局,而MC-LAG则不会影响另外一台设备; Inter-chassis control protocol(ICCP) ICCP是一种简单轻量级运行在TCP/IP之间的协议,用来维护状态,触发故障切换,确保MC-LAG的配置匹配等等;当出现误配置时,MC-LAG并不会工作。ICCP协议只是一种简单的控制协议,并不能作为转发流量在PE之间,如果需要转发流量,则需要配置另外的链路; ICCP配置基线: ICCP:在PE路由器之间提供交流的一种控制协议,维护状态,触发故障切换,确保配置之类的; Service identifier : 由于ICCP作为一种扩展协议,所以在路由器或交换机上有可能会出出现多个路由实例或逻辑路由器,而服务ID则作来在相同的实现或逻辑路由器的一种标识,但目前来说,只支持默认实现,两端必须匹配; PE Router:两个对等体; Redundancy Groups : RG组是一种聚合共享相同VLAN-ID的一种标识在MC-LAG中,例如:在PE1的RG1组中MC-AE1,有VLAN-ID-LIST1-999,当一个新的MAC地址学习到了,那么,PE2则只会更新RG1中的MAC地址,而不会更新其他组的;【在QFX中没有RG的配置选项】; Multi-chassis AggregatedEethernet-id (mc-ae-id): MC-AE-Id在PE之间操作,当配置逻辑MC-LAG接口在分离不同的PE时,MC-AE-ID必须匹配;也就是相当同一条逻辑链路的感觉; Chassis-id : 这个Chassis-id被用来在ICCP协议的控制报文中来唯一的标识每一台PE路由器,只有0、1; Aggregated ethernet : Ae接口简单的映射MC-AE-ID,包括803.AD和二层的配置(放通VLAN); LACP System id and admin-key : 因为两台PE路由器是分离的控制面板,LACP属性需要穿过PE进行同步system-idand admin-key ,这个值其实无所谓,只要匹配就行; Status control : 若两台设备同时引导启动时,需要一台成为Active,而另外一台是Standby; 【Note:so far,MC-LAG only support between two pe routers ,其他的拓扑都不支持;】 HOW TO CONFIGURE ICCP 配置ICCP非常简单,唯一的要求就是PE之间需要二层或三层的可达性,最好的方式是实现二层和三层都可达,通过环回接口地址或接口地址;二层需要在PE之间运行Trunk,环回接口需要重分发或通告之类的; 1.配置服务ID 2.配置二层和三层的可达性; 3.配置ICCP协议; 增加CE的拓扑; 通过命令:showiccp 查看TCP连接状态,及备份活性检测和RG组是否UP; 通过命令:showbfd session detail 查看BFD会话是否建立起来; 确认BFD是运行在PEF还是运行有RE上的命令:Show ppmtransmissions detail ; 有关Single-hop和Mulit-hop的问题,详细看MX系列书; ICCP配置基线: ICCP是一种用来设计相当严格部署的协议,具有很强的灵活性和扩展性的协议,在一些方面,必须确保合适的去配置ICCP: Service-id must match between thetwo PE routers ; Redundancy groups id list mustmath between the two PE routers ; [Any misconfiguration will resultin ICCP or MC-LAG not operating properly ] Each PE router must have a uniquechassis-id ; When assigning a mc-ae-id to anaggregated ethernet interface , it must match on both PE routers so that thatthe same-ae-id is presented to ce ; The mc-ae-id must be the same,but ae interface there's no requirement ; A single bridge-domain cannotcorrespond to two different redundancy groups. Recall that a redundancy groupacts as a broadcast medium for a collection of MCLAG interfaces. Thus a singlebridge-domain can span multiple MC-LAG interfaces, but must be part of the sameredundancy group. MC-LAG interfaces belonging tothe same mc-ae-id need to have matching LACP system-id and admin-key ICCP Split Brain 当ICCP分离时,分产生怎样的现象? 第一道防线:环回接口地址,当ICCP的对等体地址是环回接口地址,ICCP断了,但环回接口地址之间还是备用链路; 第二道防线:是明确的定义当ICCP链路失败后; 第三道防线:通过配置PE路由器当ICCP断了之后怎样做; 每一个MCAE接口有一个选项:prefer-status-control-actve; 这个选项仅仅配置在Status-control为Active的一方; 看原文:Thepreferred MC-LAG member retains the configured LACP System ID while the otherMC-LAG member falls back to its local LACP System ID; 通过这个图可知,当ICCP断了的时候,一直为Active状态的仍为Active; For example, if both the activeand standby MC-LAG members are up, but the ICCP is down and the ICL is up, theMC-LAG member configured as status-control active will remain as active; MC-LAG MODES: Active-Active and Acitve-standby 当MC-LAG技术刚推出的时候,只有AS技术,可以工作在DPC /MPC 线卡上,当AA出现后,它只在MPC线卡上得到支持; AS: 这个AS模式将选择一台PE作为Acitve,另一台为Standby,仅仅只有Active用来转发流量;当PE是Acitve,通过发送信号给LACP给CE,子链路可以转发流量; Show lacp interface Show interfaces mc-ae AA: AA没啥好说的,该说的都说了,不支持老版本的线卡DPC,两台PE都能转发数据; 值得流量的时,AA下,要配置ICL,ICL链路是简单的一个802.3Q 链路; 配置ICL: 在PE之间配置ICL非常简单,是标准的IEEE802.3QIFL,包含的桥接域需要保护;有两种模式去配置ICL,分别是IFL,和IFD在这个MC-LAG接口上; IFD Level: Set interfaces ae1flexible-vlan-tagging ; Set interfaces ae1multi-chassis-protection 10.8.0.1 interface ae0 ; Set interfaces ae1 encapsulationflexible-ethernet-services ; IFL level: Set interfaces ae1 unit 99multi-chassis-protection 10.8.0.1 interface ae0.0 通过命令:showinterfaces mc-ae 查看MCP是否up; MAC 地址同步 看图: 当CE1需要访问H2,PE2将会广播这个ARP请求给H2,在所有接口上所关联的桥接域上,H2将会响应这个ARP请求,PE2使用ICCP 去安装H2的MAC的地址给PE1, PE2转发ARP 的回复给CE1; showbridge mac-table ;当在PE1上收到从CE1去往H2的数据包时,通过ICL直接转发给PE2; showl2-learning redundancy-group remote-macs ; Case Study : 逻辑接口及环回地址: Layer 2 : 分别在R1,R2,R3,R4上建立四个IRB接口地址; 环路保护: MC-LAG在协议里有自身的环回保护机制,所以不需要再启用相应的生成树协议; MC-LAG环回保护分布在两个地方:ICL的入方向和MC-AE接口的出方向;这种特性在MC-LAG环回保护中被称为:mclag-color,and check-mclag-color ; ICL只有在配置AA模式下才会需要; Input : 查看mclag-color特性: The first step is to find the IFLindex number for the interface ae0.0 >request pfe execute targetfpx2 command "show interfaces " | match ae0 通过此命令发现ae0.0的index ; >request pfe execute targetfpc2 command "show jnh if 324 input " Output: 查看出特性需要查看特定的子接口而不再是逻辑接口; >request pfe execute targetfpc2 command "show interfaces " | match xe-0/0/2 >request pfe execute targetfpc2 command "show jnh if 347 output " 环路保护确认: >request pfe execute targetfpc2 command "show jnh 0 exceptions " 再往下的配置就是相当流程化了,在IRB接口上配置VRRP,在相应的接口上配置LACP; Layer 3:IS-IS Level-2 Only,IS-ISArea 49.0001 ; R1作为示例配置: Set protocols isisreference-bandwidth 100g; Set protocols isis level 1disable ; Set protocols isis interfaceae0.1 point-to-point; Set protocols isis interfaceae0.3 point-to-point; Set protocols isis irb.100passive ; Set protocols isis irb.200passive ; Set protocols isis lo0.0 passive; >show isis adj >show isis interfaces >show route pro isis BFD: 进行确认: #show config proto isis | displayinheritance #run show bfd session #run show bfd session extensive |no-more VRRP 配置(略); MC-LAG配置: ICCP 配置(略); MC-AE接口配置(略); 确认: 确认的时候,假若从S1----S2,有两条路线可走,终究走哪一条,通过在PE上查看相应的ARP表MAC地址来进行分析; 详细的见MX系列书; 【ICCP是MC-LAG的心脏和灵魂】 MC-LAG: 多机箱式的链路聚合协议,实现节点冗余和链路的冗余; 网络拓扑图: QFX交换机配置: 1.开启服务ID: root@SW01# show switch-options |display set set switch-options service-id 1 【两端必须一样,若没配置,当配置VRRP时,VRRP正常,ICCP正常,BFD正常,接口正常,就是无法Ping通虚拟网关】 2.配置二层和三层的可达性:【建立最好采用同一个二层和三层的接口属性进行配 置】 root@SW01# show | display set |match vlan500 set vlans vlan500 vlan-id 500 set vlans vlan500 l3-interfaceirb.500 {master:0}[edit] root@SW01# show interfacesirb.500 | display set set interfaces irb unit 500family inet address 3.3.3.2/24 root@SW01# show interfaces ae0 |display set set interfaces ae0 mtu 1500 set interfaces ae0 aggregated-ether-optionslacp active set interfaces ae0 unit 0 familyethernet-switching interface-mode trunk set interfaces ae0 unit 0 familyethernet-switching vlan members 100 set interfaces ae0 unit 0 familyethernet-switching vlan members 200 set interfaces ae0 unit 0 familyethernet-switching vlan members 500 测试连接性: {master:0}[edit] root@SW01# run ping 3.3.3.3source 3.3.3.2 PING 3.3.3.3 (3.3.3.3): 56 databytes 64 bytes from 3.3.3.3: icmp_seq=0ttl=64 time=11.292 ms ^C --- 3.3.3.3 ping statistics --- 1 packets transmitted, 1 packetsreceived, 0% packet loss round-trip min/avg/max/stddev =11.292/11.292/11.292/0.000 ms 3.配置ICCP root@SW01# show protocols iccp |display set set protocols iccp local-ip-addr3.3.3.2 set protocols iccp peer 3.3.3.3 session-establishment-hold-time50 set protocols iccp peer 3.3.3.3liveness-detection minimum-interval 150 set protocols iccp peer 3.3.3.3liveness-detection multiplier 3 set protocols iccp traceoptionsfile iccp 【在QFX中没有RG组的配置,在MX上有针对RG组的命令配置】 查看ICCP状态: root@SW01# run show iccp Redundancy Group Information forpeer 3.3.3.3 TCP Connection : Established Liveliness Detection : Up Client Application:l2ald_iccpd_client Client Application: MCSNOOPD Client Application: lacpd {master:0}[edit] root@SW01# run show bfd session Detect Transmit Address StateInterface Time Interval Multiplier 3.3.3.3 Up 0.450 0.150 3 1 sessions, 1 clients Cumulative transmit rate 6.7 pps,cumulative receive rate 6.7 pps {master:0}[edit] root@SW01# run show bfd sessionextensive Detect Transmit Address State Interface TimeInterval Multiplier 3.3.3.3 Up 0.450 0.150 3 Client ICCP realm 3.3.3.3, TXinterval 0.150, RX interval 0.150 Session up time 00:04:57 Local diagnostic None, remotediagnostic None Remote state Up, version 1 Session type: Multi hop BFD Min async interval 0.150, minslow interval 1.000 Adaptive async TX interval 0.150,RX interval 0.150 Local min TX interval 0.150,minimum RX interval 0.150, multiplier 3 Remote min TX interval 0.150, min RXinterval 0.150, multiplier 3 Local discriminator 20, remotediscriminator 17 Echo mode disabled/inactive Multi-hop route table 0,local-address 3.3.3.2 Session ID: 0x0 1 sessions, 1 clients Cumulative transmit rate 6.7 pps,cumulative receive rate 6.7 pps 4.配置ICL保护: {master:0}[edit multi-chassis] root@SW01# show | display set set multi-chassismulti-chassis-protection 3.3.3.3 interface ae0 5.配置下联LACP ,MC-AE: {master:0}[edit] root@SW01# show interfaces ae1 |display set set interfaces ae1 mtu 1500 set interfaces ae1aggregated-ether-options lacp active set interfaces ae1aggregated-ether-options lacp system-id 00:00:00:00:00:01 set interfaces ae1aggregated-ether-options lacp admin-key 1 set interfaces ae1aggregated-ether-options mc-ae mc-ae-id 1 set interfaces ae1 aggregated-ether-optionsmc-ae chassis-id 0 set interfaces ae1aggregated-ether-options mc-ae mode active-active set interfaces ae1aggregated-ether-options mc-ae status-control active set interfaces ae1aggregated-ether-options mc-ae init-delay-time 240 set interfaces ae1 unit 0family ethernet-switching interface-mode trunk set interfaces ae1 unit 0 familyethernet-switching vlan members 100 set interfaces ae1 unit 0 familyethernet-switching vlan members 200 查看LACP状态: {master:0}[edit] root@SW01# run show lacpinterfaces Aggregated interface: ae0 LACP state: Role Exp Def Dist ColSyn Aggr Timeout Activity xe-0/0/0 Actor No No Yes Yes YesYes Fast Active xe-0/0/0 Partner No No Yes YesYes Yes Fast Active xe-0/0/1 Actor No No Yes Yes YesYes Fast Active xe-0/0/1 Partner No No Yes YesYes Yes Fast Active LACP protocol: Receive StateTransmit State Mux State xe-0/0/0 Current Fast periodicCollecting distributing xe-0/0/1 Current Fast periodicCollecting distributing Aggregated interface: ae1 LACP state: Role Exp Def Dist ColSyn Aggr Timeout Activity xe-0/0/2 Actor No No Yes Yes YesYes Fast Active xe-0/0/2 Partner No No Yes YesYes Yes Fast Active LACP protocol: Receive StateTransmit State Mux State xe-0/0/2 Current Fast periodicCollecting distributing 6.配置VLAN、IRB,VRRP root@SW01# show vlans | displayset set vlans vlan100 vlan-id 100 set vlans vlan100 l3-interfaceirb.100 set vlans vlan200 vlan-id 200 set vlans vlan200 l3-interfaceirb.200 set vlans vlan500 vlan-id 500 set vlans vlan500 l3-interfaceirb.500 {master:0}[edit] root@SW01# show interfaces |display set | match irb set interfaces irb unit 100family inet address 192.168.100.1/24 vrrp-group 100 virtual-address192.168.100.3 set interfaces irb unit 100family inet address 192.168.100.1/24 vrrp-group 100 priority 200 set interfaces irb unit 100family inet address 192.168.100.1/24 vrrp-group 100 preempt set interfaces irbunit 100 family inet address 192.168.100.1/24 vrrp-group 100 accept-data set interfaces irb unit 200family inet address 192.168.200.1/24 vrrp-group 200 virtual-address192.168.200.3 set interfaces irb unit 200family inet address 192.168.200.1/24 vrrp-group 200 priority 90 set interfacesirb unit 200 family inet address 192.168.200.1/24 vrrp-group 200 accept-data set interfaces irb unit 500family inet address 3.3.3.2/24 查看状态: {master:0}[edit] root@SW01# run show vrrp brief Interface State Group VR state VRMode Timer Type Address irb.100 up 100 master Active A 0.315 lcl 192.168.100.1 vip 192.168.100.3 irb.200 up 200 backup Active D 3.066lcl 192.168.200.1 vip 192.168.200.3 mas 192.168.200.2 全局配置: root@SW01# show | display set set version 14.1X53-D15.2 set system host-name SW01 set chassis aggregated-devicesethernet device-count 10 set interfaces ge-0/0/0 unit 0family inet dhcp vendor-id Juniper-qfx5100-48c-6q set interfaces xe-0/0/0ether-options 802.3ad ae0 set interfaces ge-0/0/1 unit 0family inet dhcp vendor-id Juniper-qfx5100-48c-6q set interfaces xe-0/0/1ether-options 802.3ad ae0 set interfaces ge-0/0/2 unit 0family inet dhcp vendor-id Juniper-qfx5100-48c-6q set interfaces xe-0/0/2ether-options 802.3ad ae1 set interfaces ae0aggregated-ether-options lacp active set interfaces ae0 unit 0 familyethernet-switching interface-mode trunk set interfaces ae0 unit 0 familyethernet-switching vlan members 100 set interfaces ae0 unit 0 familyethernet-switching vlan members 200 set interfaces ae0 unit 0 familyethernet-switching vlan members 500 set interfaces ae1aggregated-ether-options lacp active set interfaces ae1 aggregated-ether-optionslacp system-id 00:00:00:00:00:01 set interfaces ae1aggregated-ether-options lacp admin-key 1 set interfaces ae1aggregated-ether-options mc-ae mc-ae-id 1 set interfaces ae1aggregated-ether-options mc-ae chassis-id 0 set interfaces ae1 aggregated-ether-optionsmc-ae mode active-active set interfaces ae1aggregated-ether-options mc-ae status-control active set interfaces ae1aggregated-ether-options mc-ae init-delay-time 240 set interfaces ae1 unit 0 familyethernet-switching interface-mode trunk set interfaces ae1 unit 0 familyethernet-switching vlan members 100 set interfaces ae1 unit 0 familyethernet-switching vlan members 200 set interfaces irb unit 100family inet address 192.168.100.1/24 vrrp-group 100 virtual-address192.168.100.3 set interfaces irb unit 100family inet address 192.168.100.1/24 vrrp-group 100 priority 200 set interfaces irb unit 100family inet address 192.168.100.1/24 vrrp-group 100 preempt set interfaces irbunit 100 family inet address 192.168.100.1/24 vrrp-group 100 accept-data set interfaces irb unit 200family inet address 192.168.200.1/24 vrrp-group 200 virtual-address192.168.200.3 set interfaces irb unit 200family inet address 192.168.200.1/24 vrrp-group 200 priority 90 set interfaces irb unit 200family inet address 192.168.200.1/24 vrrp-group 200 accept-data set interfaces irb unit 500family inet address 3.3.3.2/24 set multi-chassismulti-chassis-protection 2.2.2.2 interface ae0 set protocols iccp local-ip-addr3.3.3.2 set protocols iccp peer 3.3.3.3session-establishment-hold-time 50 set protocols iccp peer 3.3.3.3liveness-detection minimum-interval 150 set protocols iccp peer 3.3.3.3liveness-detection multiplier 3 set protocols iccp traceoptionsfile iccp set protocols lldp interface all set protocols lldp-med interfaceall set protocols igmp-snooping vlandefault set protocols rstp disable set switch-options service-id 1 set vlans vlan100 vlan-id 100 set vlans vlan100 l3-interfaceirb.100 set vlans vlan200 vlan-id 200 set vlans vlan200 l3-interfaceirb.200 set vlans vlan500 vlan-id 500 set vlans vlan500 l3-interfaceirb.500 {master:0}[edit]
| 
发表于 2021-4-9 18:11:29
