|
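z**r Posts: 17771 | 2 Don't rush into 1, 2, 3, 4, 5; first spend some time getting a clear picture of A's and B's networks, call that step 0. Many companies'
IP space is based on RFC1918, so the two are quite likely to overlap. First design a plan for the transition period, for example set up
some tunnels, do NAT in certain places, and so on. If the network is fairly large, you can also use MPLS VPN to simplify the
redesign, for example put B's network directly into a VRF and then selectively leak routes. |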
|
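w***s Posts: 321 | 3 500K or 50K OSPF routes? Nobody is that crazy, right? There is no easier way to kill a router than redistributing BGP into
the IGP.
I'm not worried about running out of MPLS label space, though, because everyone is reducing the number of labels. As far as Cisco
goes, it was painful before per vrf/router labels existed. |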
|
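w***s Posts: 321 | 4 Then it can only stay at the lab stage. I remember Light Reading once tested edge router OSPF
performance; the conditions at the time were around 50000 LSAs, mostly Type 5, with the others at 2K
or below. The key point is that nobody gambles with their own job.
MPLS labels come from several sources:
1. LDP/IGP, generally designed to allocate labels only for PE router IDs, should not exceed 1K
2. TE/FRR, even in large-scale deployments only about 1k ~ 10k
3. VPN labels, these are the bulk, but with per VRF label support there aren't that many either.
So relax ;-) |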
|
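z**r Posts: 17771 | 5 A multicast architecture is already very old; it is basically enabled across the whole network, which creates a large number of
mroutes on the core routers, a lot of effort for little reward.
Now it is to be moved to mVPN, but different CEs in one VRF have somewhat different multicast requirements: some only need
streaming at 1mbps, some need 2m or 3m or even higher. When the high-requirement ones fail to access a
high-bandwidth stream, they automatically try a lower stream, but CEs with only lower resources must not
access the high-bandwidth streams. The old approach was to put multicast sources of different tiers, such as content engines,
in different places and then configure a large number of boundaries, which is very unscalable. In the current situation, is there a better
way to solve this problem?
Not sure whether I have explained it clearly; if you need other details, please ask. |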
|
s*****g Posts: 1055 | 6 I can understand using mVPN to reduce multicast states on core routers, but
I don't know how vrf solution would be able to make any difference in terms
of application's bandwidth selection. |
|
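z**r Posts: 17771 | 7 CPOC ended successfully, and a new solution for next gen multicast came out of it. In the end we did not go the backdoor
route, which I really don't like. The final approach is to do the boundary close to the video source, so there is no
need for a large number of boundaries on the receiver side; it's just that on the source side each mVPN needs an entry point, that is,
create multiple VRFs, to make sure every mVPN has the chance to receive all streams. Whichever stream should be blocked
only needs to be restricted at the boundary.
At first I tried adding an access list on the data mdt, but it never worked. Can anyone say why? |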
|
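s*******8 Posts: 12734 | 8 ISP side, on the PE router configure RIPv2, MPLS, iBGP, with one port configured for vrf,
layer 3, so there are 2 routing protocols. If both are configured, which one will the router use? Or can't both be
configured?
Q2: I know it wouldn't happen in reality, but in a lab environment, if a border router has rip on one side and
BGP on the other, then redistribute is needed. If I configure another rip on the other side, does that mean
redistribute is no longer needed?
Sorry, I'm a newbie and the questions are a bit silly, please bear with me. |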
|
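s*******8 Posts: 12734 | 9 Configure one interface of the PE router as a vrf.
Within the same VPN, are the RD and route-target on the 2 sides the same? I think with just one link, RD alone
should be enough. Why is there also a route-target, and can it be ignored? |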
|
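t*******r Posts: 3271 | 10 It's like this: starting from 6.1, JUNIPER released the logical-system solution, back then called
logical-router.
The intent is to use one router as several, but it differs from both VRF and VR. A logical-system is logically
separated; in intent
it really is multiple routers. Routing processes and tables are all independent, but the scaling numbers are still bounded by the limits
of the whole router.
Some of JUNIPER's current development directions are mainly the allocation and management of system resources
(memory, cpu cycles, etc.) under the same logical system
(separate UI management and permission assignment have existed for a long time).
Actually there are many applications where increasing the number of routers solves some problems. Isolating business traffic is the
simplest example.
Back then SINET bought several dozen T640s and used each as 5 routers; reportedly there wasn't much of a discount on the price. Heh.
I have to say the Japanese do use JUNIPER routers with some creativity. |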
|
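z**r Posts: 17771 | 11 Under ios-xr it's called SDR, secure domain router. How many SDRs you can have depends on your slot number;
generally one SDR needs at least one RP and one linecard. An SDR physically becomes a different router,
only sharing some power supply, fabric card, fan, etc.
Actually a virtual router can also be easily implemented with IOS, namely VRF :), though of course it's not the same class of
virtual router |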
|
w***s Posts: 321 | 12 LR -> SDR
VR -> vSDR
VRF has no isolation of hardware resources at all. |
|
s*******8 Posts: 12734 | 13 Gritted my teeth and bought a book for 58 bucks with one day shipping.
For the same vpn, can the vrf name, rd and route-target be set to the same value?
thanks |
|
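s*******8 Posts: 12734 | 14 I've always found VRF especially hard to understand. I was going to post here to ask, but afraid of being laughed at by tony I flipped through the
book, and found that the book explains it perfectly clearly. It really is well written. |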
|
m********d Posts: 188 | 15
Then let the exam begin: what is vrf?
I test myself with this question once a year... |
|
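s*******8 Posts: 12734 | 16 It's that VPNs are isolated; for multiple VPNs to communicate with each other, a mechanism is needed to carry that out. If you do it directly with ip
prefixes, you can't guarantee that the same ip prefix can be used by different VPNs, and it causes a large amount of computation;
vrf provides this convenience. |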
|
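m********d Posts: 188 | 17 From thread: EmergingNetworking board - An interview question This is more of an engineering problem than a question of one or a few purely technical points. From an engineering point of view, once the MPLS/VPN
core is done, you start scheduling the customer migration plan: do a few test customers first, then proceed at a few customers per night.
At the start all customers are in the global routing table, then you do the vpn configuration customer by customer. Leaking the global routing
table into every vrf is not feasible, so some care is needed. After a few customers are done, you will have different
templates, and then you use scripts, troubleshooting and optimizing the core as you go; it would be done in a few months, and there should not be any big
problems. There is no great technical difficulty, but the troubleshooting and optimization process does test one's skill. |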
|
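z**r Posts: 17771 | 18 From thread: EmergingNetworking board - An interview question Yours definitely won't work; during the transition, those in the VRF and those in the GRT are required to be able to communicate with each other |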
|
z**r Posts: 17771 | 19 From thread: EmergingNetworking board - An interview question so you use vrf-lite? |
|
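W****2 Posts: 297 | 20 From thread: EmergingNetworking board - An interview question Simply put: just use vrf plus a default route (another logical interface), would that work? After the upgrade is complete, delete all the
default routes and logical interfaces. |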
|
|
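c*****i Posts: 631 | 22 That's about right. What we did back then was use vrf on the cat6k to separate lan and wan, with the
firewall in between and the ips in transparent mode in front of the firewall. But that was stuff from several years ago. |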
|
a***n Posts: 262 | 23 You are apparently way ahead of me :-).
I just did something very similar to what you described several
weeks ago on cat6500. I did stateless firewall failover with
symmetric routing w/ eBGP. Firewall stateless because we do not want
to have layer 2 adjacency for the two firewalls in two geographically
separated locations.
That's about right. What we did back then was use vrf on the cat6k to separate lan and wan, with the
firewall in between and the ips in transparent mode in front of the firewall. But that was stuff from several years ago. |
|
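l******2 Posts: 18 | 24 I set up 2 PEs, each with 2 networks, red and black; the vrf routing tables look normal.
Next, on one PE, in the red VRF, I added a static route and then redistributed it.
For some reason, this route is not in the red VRF on the 2nd PE.
Does anyone with experience have an idea where the problem might be?
My feeling is that the connected networks on PE1 can be propagated to the VRF on PE2, but the static route on pe1 cannot. |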
|
j*a Posts: 14423 | 25 ip route vrf red x.x.x.x
ip route x.x.x.x |
|
a***n Posts: 262 | 26 router bgp 12345
address-family ipv4 vrf red
default-information originate
redistribute static
to inject static default into bgp. |
|
z**r Posts: 17771 | 27 Naturally. On ios, making a VRF also lets me do network virtualization; the differences are all quite large, but in essence they all
serve the same purpose |
|
s*****g Posts: 1055 | 28
This does not make much sense to me, so if a softphone needs to make a call
to a phone in next cube, the audio traffic has to traverse all the way to
trunk and then come back again? the same would be true for wired/wireless
softphones to access voice gateways when you, presumably, put voice gateways in voip VRF, correct? the same is true for the connection between your voice mail server and Exchange server?
I really don't see the benefit of L3VPN deployment (the so called
virtualization?) in a... |
|
a***n Posts: 262 | 29
All the above are true :-). Most of our workstations are in global routing
table. Only selected group of things like PCI, VoIP, Wireless are segregated
into L3VPN.
Yeah, network virtualization :-). We are using ACLs on almost all non L3VPN
VLANs on campus. But run into tcam issue on catalyst 6500. If you are using
this network virtualization, only firewall rules on th... |
|
z**r Posts: 17771 | 30 I hate ACLs |
|
a***n Posts: 262 | 31 This probably is to allow spoke-hub-spoke communications without default
from hub to spokes.
http://forum.nil.com/viewtopic.php?f=10&t=47
one vrf on the hub might work if you could inject a default from hub to
spokes. |
|
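K****s Posts: 59 | 32 A question about MPLS-VPN:
The requirement is: the end CEs need to communicate with a remote data center, but the CEs must not communicate with each other.
The solution I can think of is that the data center uses a unique RD with each ce to identify a VPN connection, and on the CE side
RT can be used to control which data is accepted; but if there are many CEs, the number of VRFs at the DATA CENTER also grows.
Which solution is the most efficient? |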
|
s*****g Posts: 1055 | 33 Yes, but if PE1 has two or more CEs attached, then the two CEs will be able
to communicate with each other without going to hub unless you use different
VRF, which is not scalable. You need "scalable MPLS-VPN hub-spoke" feature
to circumvent this limitation. |
|
t*******r Posts: 3271 | 34 Better not to keep changing the VRF policy back and forth; if you want to control access, just use ACLs.
Isn't the principle of networking KEEP IT SIMPLE AND STUPID? |
|
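t*******r Posts: 3271 | 35 If there are 5000 CEs, how many PEs do you think there would be?
Are you sure that touching the vrf policy of one of the PEs won't affect some of the 5000 CEs? Even one
tenth is 500 CEs....
Do you think it is better that after changing a certain CE's ACL only that CE's site has its access affected, or that you touch
a certain PE
and then the sites connected by 500 CEs are affected? |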
|
x*********n Posts: 28013 | 36 Piggybacking with a question: can a VRF be assigned directly to each CE?
Or only PE to PE?
Did Xiao Tuo get KISS from IRA? Hahaha. |
|
z**r Posts: 17771 | 37 Didn't look closely, but what's the difference between this and VRF-Lite? |
|
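z**r Posts: 17771 | 38 I'm not very optimistic about this feature; it feels like forcing the H-VPLS approach onto L3VPN, but L3VPN can use RR
or VRF-Lite etc. to solve similar problems. I'm not saying it won't work, but it feels a bit superfluous. Looking at the docs, the draft
has already expired; has it become official? |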
|
l***y Posts: 791 | 39 Thanks to those who reminded me that PTX isn't suitable for going the PE direction; actually we never intended to run VRF on it, now or later |
|
a***n Posts: 262 | 40 So each site is multi-homed to the same or different ISPs?
In either case you won't have control
over the ISP's internal routing since you mentioned over public internet
and you might have control over the exit/entry point from/to you?
Cisco PfR if Cisco?
http://www.cisco.com/en/US/products/ps8787/products_ios_protoco
or put certain prefixes in different VRF on each site to measure the
performance of different path or PBR, then adjust your internal routing in
Linux? |
|
I********x Posts: 858 | 42 We are university and 10GE is too expensive on ASR.
Recently we want to push layer3 to buildings along with mpls/Vpn function
but bloody 4500 series do not support it well and with internal Cisco haters
we are planning on using qfx 4600 from J.
VRF with multiple p2p interfaces on the aggregator creates configuration
complexity and without extra cost we think it is fine to build PE on the
building aggregators.
There are about 90 buildings and we want a pair in VC VSS in each building.
[In LieHear... |
|
I********x Posts: 858 | 44 It is not about what the product is for, it is about why the vendor sells
this product to us. I think the pre sale engineers should be careful before
they proposed THIS product to us.
I recommended VRF lite on the edge, which is a very safe option, but team
mate thinks with J product can fulfil better feature with lower price.
Now our team is in an ugly position. |
|
Posts: 1 | 45 https://github.com/SolomonYang/pysession
Developed on top of pexpect. Simply put, it just does login router/switch and run
commands. The advantage is that it is fairly handy.
It can run standalone, for example
./pysession.py -s 'telnet 1.1.1.1 2001; ssh [email protected]' -c 'show ver; show ip route' -p pswd -e enablepswd
login "telnet 1.1.1.1 2001" and "ssh [email protected]", execute commands - "show ver" and "show ip route"
Or use it as a library, like
import pysession
rtr = pysession(session='telnet 10.1.1.1', user="admin", password="password")
output ... |
|
l***y Posts: 791 | 46 a more expensive solution, which is also very old, i think, is VPN.
software VPN will setup a tunnel from your side to server side. this
will work whether or not you have a home/small office private network.
for a scattered number of small office routers that needs to talk to
each other, networking VPN will give each SOHO a private routing table(vrf),
only including the networks they need access. also, from the public network
nothing can get to the networks behind these SOHO routers. This will p |
|
f********7 Posts: 89 | 47 GE appliance, a Haier company have job openings for HVAC (Heating
ventilation and Air Conditioning department)
If you have ME degree and willing to develop your career in HVAC area, this
will be a great opportunity to start.
This job requires to strong communicate to customer in US as well as our
factory partner in China, and bilingual in English and Mandarin Chinese
desired.
To learn more about the roles please visit our career website at
https://recruiting2.ultipro.com/GEN1026/JobBoard/396d19f... |
|
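J*******s Posts: 251 | 48 From thread: _D_SupportGroup board - Heh heh Recently I changed to a new job and have come into contact with a great many things again.
A few years ago, when I joined the hw company, I worked on routers. Although my tcp/ip foundation was OK, everything I encountered
was new terminology: lr, vr, vrf, grace restart, nsr, nsf... too many. There were at least
a hundred or so important concepts, and I did not understand the background knowledge in the slightest. Even for tcp/ip I had only learned a bit from books. I felt
as if I were lost in clouds and fog, not knowing who the small piece I was working on actually interacted with. It's like knowing that I am in this
place called Longze, but the geography around Longze, including that Longze is in Beijing, Beijing is in China, and China is in the northern hemisphere, I know
none of; my map has only two places marked, one is "Longze" and one is "Earth", and as for what relation the United States
has to Longze, I can't figure it out. So I was anxious. I very much wanted to do the job well, but I understood too
little. So I studied desperately; several years passed, my map slowly became clear, and my anxiety slowly eased.
Now I have run into the same problem again. What I do now is communications-related, 3G-related, and the background knowledge for 3G is
a complete blank for me. I used to study computing and had never touched communications at all. bts, bcs,
RAN, CN, HSS, HLR, IMS, PSTN... although I have read brief explanations of these terms, I always feel I haven't
truly understood it |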
|