Tuesday, March 26, 2019

HPE switch: linking NQA to static routes through Track


NQA (Network Quality Analyzer) lets the switch probe the state of the network. The outcome of each probe can be tied to a Track entry, and the Track entry can in turn be tied to a static route, so that the static route is installed or withdrawn according to the result of the NQA test.


Take an ICMP-echo NQA operation as an example.


#nqa entry admin ping      create the NQA entry: administrator name "admin", operation tag "ping"
#type icmp-echo            set the operation type to ICMP echo
#destination ip 8.8.8.8    destination IP of the probe
#frequency 1000            run the operation every 1000 milliseconds
#history-record enable     enable history records
#source ip 192.168.1.254   source IP of the probe
#next-hop ip 192.168.0.1   send the probe via next hop 192.168.0.1
#reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
                           reaction entry 1: triggers when the probe fails twice in a row (two consecutive unanswered pings)


Next, configure the Track entry


#track 1 nqa entry admin ping reaction 1    bind Track 1 to reaction 1 of NQA entry admin ping
Several Track entries can be bound to different reaction entries.


#ip route-static 0.0.0.0 0 192.168.0.1 track 1
#ip route-static 0.0.0.0 0 192.168.0.2 pre 70
Two default routes are configured: one is tied to Track 1 and keeps the default preference (60); the other is an ordinary default route whose preference is raised to 70.

While the NQA probe succeeds, Track 1 is in the Positive state. The state can be checked with display track all.


When Track 1 is Positive (8.8.8.8 can be pinged through 192.168.0.1), the route ip route-static 0.0.0.0 0 192.168.0.1 is active. Because its preference value (60) is better, i.e. numerically lower, than the 70 of ip route-static 0.0.0.0 0 192.168.0.2, it overrides that route, and only ip route-static 0.0.0.0 0 192.168.0.1 appears in the routing table.
When Track 1 is Negative (8.8.8.8 cannot be pinged through 192.168.0.1), the route ip route-static 0.0.0.0 0 192.168.0.1 is withdrawn, and ip route-static 0.0.0.0 0 192.168.0.2 appears in the routing table instead.


By chaining NQA, Track and the static route, traffic uses 192.168.0.1 while that path is healthy and fails over to 192.168.0.2 when the 192.168.0.1 path stops working.
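As an added example that is not part of the original post, the following Python model simulates the reaction -> Track -> static-route chain described above: a "consecutive 2" probe-fail threshold flips Track 1 to Negative, which withdraws the tracked default route and lets the preference-70 route take over. The state machine (any successful probe immediately returns the Track to Positive) is a simplifying assumption of this example, not vendor code.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed, simplified model of the Comware behaviour described in the post;
# this is example code, not vendor code.
CONSECUTIVE_FAIL_THRESHOLD = 2   # reaction 1 ... threshold-type consecutive 2


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    preference: int = 60          # Comware default preference for static routes
    track: Optional[int] = None   # Track entry the route depends on, if any


@dataclass
class TrackedRouting:
    routes: List[StaticRoute]
    consecutive_fails: int = 0
    track_state: str = "Positive"

    def probe(self, success: bool) -> str:
        """Feed one ICMP probe result into reaction 1; returns the Track state."""
        self.consecutive_fails = 0 if success else self.consecutive_fails + 1
        # Track 1 turns Negative once the reaction entry is over its threshold
        over = self.consecutive_fails >= CONSECUTIVE_FAIL_THRESHOLD
        self.track_state = "Negative" if over else "Positive"
        return self.track_state

    def active_route(self) -> StaticRoute:
        """The 0.0.0.0/0 entry that lands in the routing table: a tracked route
        is usable only while its Track is Positive; lowest preference wins."""
        usable = [r for r in self.routes
                  if r.track is None or self.track_state == "Positive"]
        return min(usable, key=lambda r: r.preference)


def build_example() -> TrackedRouting:
    """The two default routes from the post: tracked (pre 60) and backup (pre 70)."""
    return TrackedRouting(routes=[
        StaticRoute("0.0.0.0/0", "192.168.0.1", 60, track=1),
        StaticRoute("0.0.0.0/0", "192.168.0.2", 70),
    ])


if __name__ == "__main__":
    r = build_example()
    for ok in (True, False, False, True):
        state = r.probe(ok)
        print(f"probe {'ok' if ok else 'fail'} -> Track {state}, "
              f"default via {r.active_route().next_hop}")
```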

HPE switch NQA configuration

NQA (Network Quality Analyzer) is similar in function to IP SLA: it monitors and measures the state of the network by sending probe packets.


Configuration steps
1. Create the NQA entry and set its parameters
2. Schedule the NQA operation

DNS operation
#nqa entry admin dns        create the NQA entry: administrator name "admin", operation tag "dns"
#type dns                   set the operation type to DNS
#destination ip 8.8.8.8     DNS server to query is 8.8.8.8
#frequency 5000             run the operation every 5000 milliseconds
#resolve-target www.lealeagroup.com.tw   host name to resolve

HTTP operation
#nqa entry admin http       create the NQA entry: administrator name "admin", operation tag "http"
#type http                  set the operation type to HTTP
#frequency 5000             run the operation every 5000 milliseconds
#history-record enable      enable history records
#source ip 10.10.10.13      source IP of the probe
#url http://webmail.lealeagroup.com.tw/   URL to fetch

ICMP operation
#nqa entry admin ping       create the NQA entry: administrator name "admin", operation tag "ping"
#type icmp-echo             set the operation type to ICMP echo
#destination ip 10.10.10.254   destination IP of the probe
#frequency 1000             run the operation every 1000 milliseconds
#history-record enable      enable history records
#history-record number 10   keep the last 10 history records
#probe count 10             send 10 probes per operation
#probe timeout 500          wait at most 500 milliseconds for each probe reply
#source ip 10.10.10.13      source IP of the probe

After the entries are configured, schedule them. Usually they start immediately and run indefinitely:
nqa schedule admin dns start-time now lifetime forever
nqa schedule admin http start-time now lifetime forever
nqa schedule admin ping start-time now lifetime forever

Once an NQA operation is scheduled its settings can no longer be changed; to edit an entry, stop the schedule first:
undo nqa schedule admin dns
undo nqa schedule admin http
undo nqa schedule admin ping


The results can then be inspected with:
display nqa history
display nqa result

Monday, March 18, 2019

VXLAN with Aruba 2930F and HPE 5930

Topology diagram (image not included in this extract)
Goal: build VXLAN tunnels between Site A, Site B and Site C so that the three sites are L2-connected.

Devices and firmware versions
5930-2Slot+2QSFP+          5930-cmw710-boot-r2609
2930F-48G-PoEP-4SFPP       WC.16.04.0011
2930F-24G-PoE+-4SFP+       WC.16.06.0006

Part 1. VXLAN configuration on the 5930 (towards the 2930F at Site C)
1. Preparation
Assign an IP address to the uplink port, add the static routes that make the VTEPs (5930 and 2930F) reachable from each other, and create the client VLAN.

#interface Ten-GigabitEthernet1/1/3         enter port 1/1/3
port link-mode route                        make it a routed port
ip address 10.13.13.59 255.255.255.0        assign the IP address

#ip route-static 10.11.11.0 24 10.13.13.1   static route towards Site B
#ip route-static 10.12.12.0 24 10.13.13.1   static route towards Site A

2. Enable L2VPN and create Tunnel 1

#l2vpn enable

#interface Tunnel1 mode vxlan
source 10.13.13.59
destination 10.12.12.29

3. Create VSI 200 and VXLAN 200, and bind Tunnel 1 to it (the VSI and VXLAN IDs must match on the remote end)
#vsi 200
#vxlan 200
#tunnel 1

4. On the port facing the client, bind the port to VSI 200
interface Ten-GigabitEthernet1/1/4
port link-mode bridge
#
service-instance 2
 encapsulation default
 xconnect vsi 200

Part 2. VXLAN configuration on the 2930F at Site C (towards the 5930)

1. Preparation: assign the VTEP IP address, add the static route that makes the VTEPs (5930 and 2930F) reachable from each other, and create VLAN 50

#vlan 12
  untagged 1
  ip address 10.12.12.29 255.255.255.0
#ip route 0.0.0.0 0.0.0.0 10.12.12.1

2. Enable VXLAN and create tunnel 12
vxlan enable

interface tunnel 12
  tunnel name "VXLAN_Tunnel01"
  tunnel mode vxlan
  tunnel source 10.12.12.29
  tunnel destination 10.13.13.59
  exit

3. Create the VSI: map VXLAN ID 200 to VLAN 50, then carry VLAN 50 over tunnel 12
virtual-network 200 50 "200"
vxlan tunnel 12 overlay-vlan 50

Part 3. Checking the VXLAN state between Site A and Site C
On the 5930, check in order: tunnel state -> VSI state -> service instance state
1. display vxlan tunnel: Tunnel 1 is UP

2. display l2vpn vsi: VSI 200 is up
3. display l2vpn service-instance verbose: the service instance is UP

4. display l2vpn mac-address: the MAC addresses learned inside the VXLAN network

On the 2930F:
show vxlan shows that VXLAN is enabled

show int tunnel shows that the tunnel is UP

Part 4. VXLAN configuration on the 5930 (towards the 2930F at Site B)

1. Create Tunnel 2
#interface Tunnel2 mode vxlan
source 10.13.13.59
destination 10.11.11.29          Site B VTEP address (see Part 5)

2. Bind Tunnel 2 to VSI 200 / VXLAN 200 created earlier (the VSI and VXLAN IDs must match on the remote end)
#vsi 200
vxlan 200
tunnel 2

Part 5. VXLAN configuration on the 2930F at Site B (towards the 5930)

1. Preparation: assign the VTEP IP address, add the static route that makes the VTEPs (5930 and 2930F) reachable from each other, and create VLAN 50

#vlan 50
#vlan 11
  untagged 1
  ip address 10.11.11.29 255.255.255.0
#ip route 0.0.0.0 0.0.0.0 10.11.11.1

2. Enable VXLAN and create tunnel 13
vxlan enable

interface tunnel 13
  tunnel mode vxlan
  tunnel source 10.11.11.29
  tunnel destination 10.13.13.59
  exit

3. Create the VSI: map VXLAN ID 200 to VLAN 50, then carry VLAN 50 over tunnel 13
virtual-network 200 50 "200"
vxlan tunnel 13 overlay-vlan 50

Part 6. Checking the VXLAN state between Site A and Site B
On the 5930, check in order: tunnel state -> VSI state -> service instance state
1. display vxlan tunnel: Tunnel 2 is UP

2. display l2vpn vsi: VSI 200 is up
3. display l2vpn service-instance verbose: the service instance is UP

4. display l2vpn mac-address: the MAC addresses learned inside the VXLAN network

Part 7. Client test
The clients have L2 connectivity across the sites.
ARP table
ARP packets are received

Thursday, March 14, 2019

HPE switch TACACS authentication (using CPPM)

CPPM version: 6.7.7.109065
HPE switch version: 7.1.045 3113P05

A. HPE switch configuration

1. Enable SSH login on the HPE switch

2. Configure the TACACS server for authentication on the HPE switch


B. CPPM configuration

1. Add a write account and a read account under Local Users

Add the account "read" and give it the TACACS Read-only Admin role

Add the account "write" and give it the TACACS Network Admin role

2. Network -> Devices
Add the switch as a device, set the shared key and specify the Vendor Name

3. Add Enforcement Profiles
HPE-write and HPE-read
When an account matches the condition, the corresponding value is returned to the switch

4. Add an Enforcement Policy
When the authenticated account has Role = Read-only Admin, return the values of the HPE-read Enforcement Profile
When the authenticated account has Role = Network Admin, return the values of the HPE-write Enforcement Profile


5. Add a Service. The match condition used here is loose: any request arriving Monday through Sunday matches. It can be tightened to match only a particular NAS IP address or a particular device vendor.

The authentication source is the local SQL DB

Choose the HPE Enforcement Policy created above

C. Verification
1. Connect to the switch over SSH and enable the TACACS debugging output

2. The debug log on the switch shows the successful authentication flow

<HPE>*Jan  3 00:31:26:008 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing TACACS authentication.
*Jan  3 00:31:26:009 2013 HPE TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authentication.
*Jan  3 00:31:26:009 2013 HPE TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jan  3 00:31:26:016 2013 HPE TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jan  3 00:31:26:016 2013 HPE TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=172.16.13.13, server-port=49, VPN instance=--(public).
*Jan  3 00:31:26:017 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jan  3 00:31:26:019 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jan  3 00:31:26:019 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=172.16.13.13, port=49, VPN instance=--(public).
*Jan  3 00:31:26:019 2013 HPE TACACS/7/EVENT: PAM_TACACS: Encapsulating authentication request packet.
*Jan  3 00:31:26:019 2013 HPE TACACS/7/send_packet:
version: 0xc0  type: AUTHEN_REQUEST  seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xc72e2ad5
length of payload: 49
action: LOGIN  priv_lvl: 0 authen_type: ASCII  service: LOGIN
user_len: 5   port_len: 16 rem_len: 15   data_len: 5
user: write
port: Vlan-interface13
rem_addr: 192.168.170.169
data: ******
*Jan  3 00:31:26:036 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan  3 00:31:26:037 2013 HPE TACACS/7/recv_packet:
version: 0xc0  type: AUTHEN_REPLY  seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xc72e2ad5
length of payload: 16
status: STATUS_GETPASS  flags: NOECHO
server_msg len: 10  data len: 0
server_msg: Password:
data:
*Jan  3 00:31:26:037 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
*Jan  3 00:31:26:038 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jan  3 00:31:26:038 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processed authentication reply message, resultCode: 2.
*Jan  3 00:31:26:040 2013 HPE TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: CONTINUE
*Jan  3 00:31:26:040 2013 HPE TACACS/7/EVENT: PAM_TACACS: Encapsulating authentication continue request packet.
*Jan  3 00:31:26:041 2013 HPE TACACS/7/EVENT: PAM_TACACS: Sending authentication continue request packet.
*Jan  3 00:31:26:041 2013 HPE TACACS/7/send_packet:
version: 0xc0  type: AUTHEN_CONTINUE  seq_no: 3 flag: ENCRYPTED_FLAG
session-id: 0xc72e2ad5
length of payload: 10
user_msg len: ******  data_len: 0 flags: CONTINUE AUTHEN
user_msg: ******
data:
*Jan  3 00:31:26:096 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan  3 00:31:26:097 2013 HPE TACACS/7/recv_packet:
version: 0xc0  type: AUTHEN_REPLY  seq_no: 4 flag: ENCRYPTED_FLAG
session-id: 0xc72e2ad5
length of payload: 6
status: STATUS_PASS  flags: ECHO
server_msg len: 0  data len: 0
server_msg:
data:
*Jan  3 00:31:26:097 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing authentication reply packet.
*Jan  3 00:31:26:097 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jan  3 00:31:26:098 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processed authentication reply message, resultCode: 0.
*Jan  3 00:31:26:099 2013 HPE TACACS/7/EVENT: PAM_TACACS: TACACS authentication succeeded.   <- authentication succeeded
*Jan  3 00:31:26:109 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing TACACS authorization.
*Jan  3 00:31:26:109 2013 HPE TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: authorization.
*Jan  3 00:31:26:109 2013 HPE TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jan  3 00:31:26:110 2013 HPE TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jan  3 00:31:26:110 2013 HPE TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=172.16.13.13, server-port=49, VPN instance=--(public).
*Jan  3 00:31:26:113 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jan  3 00:31:26:114 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jan  3 00:31:26:115 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=172.16.13.13, port=49, VPN instance=--(public).
*Jan  3 00:31:26:115 2013 HPE TACACS/7/EVENT: PAM_TACACS: Encapsulating authorization request packet.
*Jan  3 00:31:26:116 2013 HPE TACACS/7/send_packet:
version: 0xc0  type: AUTHOR_REQUEST  seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xd714f859
length of payload: 63
authen_method: TACACSPLUS  priv_lvl: 0 authen_type: ASCII  authen_service: LOGIN
user_len: 5   port_len: 16 rem_len: 15   arg_cnt: 2
arg0_len: 13    arg1_len: 4
user: write
port: Vlan-interface13
rem_addr: 192.168.170.169
arg0: service=shell  arg1: cmd*
*Jan  3 00:31:26:120 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan  3 00:31:26:120 2013 HPE TACACS/7/recv_packet:
version: 0xc0  type: AUTHOR_REPLY  seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xd714f859
length of payload: 18
Status: STATUS_PASS_ADD  arg_cnt: 1 server_msg len: 0  data len: 0
arg0_len: 11
server_msg:
data:
arg0: priv-lvl=15   <- the server returns privilege level 15
*Jan  3 00:31:26:127 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing authorization reply packet.
*Jan  3 00:31:26:127 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processed authorization reply message, resultCode: 0.
*Jan  3 00:31:26:129 2013 HPE TACACS/7/EVENT: PAM_TACACS: TACACS authorization succeeded.   <- authorization succeeded
*Jan  3 00:31:26:132 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
%Jan  3 00:31:26:150 2013 HPE SSHS/6/SSHS_LOG: Accepted password for write from 192.168.170.169 port 52002 ssh2.

%Jan  3 00:31:26:257 2013 HPE SSHS/6/SSHS_CONNECT: SSH user write (IP: 192.168.170.169) connected to the server successfully.
*Jan  3 00:31:26:622 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing TACACS start-accounting.
*Jan  3 00:31:26:623 2013 HPE TACACS/7/EVENT: PAM_TACACS: Dispatching request, Primitive: accounting-start.
*Jan  3 00:31:26:623 2013 HPE TACACS/7/EVENT: PAM_TACACS: Creating request data, data type: START
*Jan  3 00:31:26:624 2013 HPE TACACS/7/EVENT: PAM_TACACS: Session successfully created.
*Jan  3 00:31:26:624 2013 HPE TACACS/7/EVENT: PAM_TACACS: Getting available server, server-ip=172.16.13.13, server-port=49, VPN instance=--(public).
*Jan  3 00:31:26:625 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connecting to server...
*Jan  3 00:31:26:635 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLOUT event.
*Jan  3 00:31:26:635 2013 HPE TACACS/7/EVENT: PAM_TACACS: Connection succeeded, server-ip=172.16.13.13, port=49, VPN instance=--(public).
*Jan  3 00:31:26:636 2013 HPE TACACS/7/EVENT: PAM_TACACS: Encapsulating accounting request packet.
*Jan  3 00:31:26:636 2013 HPE TACACS/7/send_packet:
version: 0xc0  type: ACCOUNT_REQUEST  seq_no: 1 flag: ENCRYPTED_FLAG
session-id: 0xffd71dbe
length of payload: 68
flags: START
authen_method: NONE  authen_service: LOGIN
user_len: 5   port_len: 4 rem_len: 15   arg_cnt: 3
arg0_len: 9     arg1_len: 10 arg2_len: 13
user: write
port: vty0
rem_addr: 192.168.170.169
arg0: task_id=0  arg1: timezone=0
arg2: service=shell
*Jan  3 00:31:26:641 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply SocketFd received EPOLLIN event.
*Jan  3 00:31:26:641 2013 HPE TACACS/7/recv_packet:
version: 0xc0  type: ACCOUNT_REPLY  seq_no: 2 flag: ENCRYPTED_FLAG
session-id: 0xffd71dbe
length of payload: 5
server_msg len: 0  data len: 0 status: STATUS_SUCCESS
server_msg:
data:
*Jan  3 00:31:26:642 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processing accounting reply packet.
*Jan  3 00:31:26:642 2013 HPE TACACS/7/EVENT: PAM_TACACS: Reply message successfully sent.
*Jan  3 00:31:26:643 2013 HPE TACACS/7/EVENT: PAM_TACACS: Processed accounting-start reply message, resultCode: 0.
*Jan  3 00:31:26:644 2013 HPE TACACS/7/EVENT: PAM_TACACS: TACACS start-accounting succeeded.   <- accounting start succeeded
%Jan  3 00:31:28:046 2013 HPE SHELL/5/SHELL_LOGIN: write logged in from 192.168.170.169.
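As an added example that is not part of the original post, this Python snippet parses the packet shape of the Comware TACACS debug output above and extracts the outcome of each AAA phase together with the returned priv-lvl, so an operator can confirm that a login both authenticated and received the expected privilege level. The sample log is a constructed, trimmed subset of the lines shown above.

```python
import re

# Constructed sample: the packet shape of the Comware TACACS debug output
# shown above, trimmed to the lines that decide the outcome of the login.
SAMPLE_LOG = """\
*Jan  3 00:31:26:037 2013 HPE TACACS/7/recv_packet:
version: 0xc0  type: AUTHEN_REPLY  seq_no: 2 flag: ENCRYPTED_FLAG
status: STATUS_GETPASS  flags: NOECHO
*Jan  3 00:31:26:097 2013 HPE TACACS/7/recv_packet:
version: 0xc0  type: AUTHEN_REPLY  seq_no: 4 flag: ENCRYPTED_FLAG
status: STATUS_PASS  flags: ECHO
*Jan  3 00:31:26:120 2013 HPE TACACS/7/recv_packet:
version: 0xc0  type: AUTHOR_REPLY  seq_no: 2 flag: ENCRYPTED_FLAG
Status: STATUS_PASS_ADD  arg_cnt: 1 server_msg len: 0  data len: 0
arg0: priv-lvl=15
*Jan  3 00:31:26:641 2013 HPE TACACS/7/recv_packet:
version: 0xc0  type: ACCOUNT_REPLY  seq_no: 2 flag: ENCRYPTED_FLAG
server_msg len: 0  data len: 0 status: STATUS_SUCCESS
"""

TYPE_RE = re.compile(r"\btype:\s+(\w+)")         # packet type header line
STATUS_RE = re.compile(r"\b[Ss]tatus:\s+(\w+)")  # reply status field
PRIV_RE = re.compile(r"\bpriv-lvl=(\d+)")        # authorization attribute


def summarize_tacacs(log: str) -> dict:
    """Walk the debug output packet by packet and collect the AAA outcome."""
    out = {"authen": None, "author": None, "priv_lvl": None, "acct": None}
    current = None  # type of the packet whose body lines we are reading
    for line in log.splitlines():
        m = TYPE_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = STATUS_RE.search(line)
        if m:
            # latest status per reply type wins (the first AUTHEN_REPLY is a prompt)
            key = {"AUTHEN_REPLY": "authen", "AUTHOR_REPLY": "author",
                   "ACCOUNT_REPLY": "acct"}.get(current)
            if key:
                out[key] = m.group(1)
        m = PRIV_RE.search(line)
        if m and current == "AUTHOR_REPLY":
            out["priv_lvl"] = int(m.group(1))
    return out


def is_full_admin_login(s: dict) -> bool:
    """True when authentication passed and the server granted priv-lvl 15."""
    return (s["authen"] == "STATUS_PASS"
            and s["author"] == "STATUS_PASS_ADD"
            and s["priv_lvl"] == 15)
```

Running summarize_tacacs over a full debug capture makes a mismatch between the role assigned in CPPM and the priv-lvl actually returned visible at a glance.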

3. display users shows the logged-in user

4. Check the success record in the CPPM Access Tracker