瞻博网络云原生路由器控制器 (cRPD)
阅读本章,了解瞻博网络云原生路由器控制器(云原生路由器控制器或 cRPD)、瞻博网络云原生路由器控制平面。
瞻博网络云原生路由器控制器的优势
cRPD 在瞻博网络云原生路由器解决方案中发挥着控制平面的作用。cRPD 为用户 (CLI) 和应用程序 (API) 等提供配置接口。您可以使用这些接口来配置或编程 JCNR-vRouter 转发平面。您可以使用 JCNR 控制器配置许多内容:
-
虚拟功能 (VF) 交换矩阵接口
-
VF 工作负载接口
-
中继接口
-
接入接口
-
L2 ACL(防火墙规则)
-
网桥域
-
以太网交换
-
Vlan
cRPD 会执行以下功能:
-
支持 JCNR-vRouter 作为转发平面
-
维护 vRouter 接口的配置,包括中继接口和接入接口、虚拟功能接口 (VF)、VLAN 等
-
维护网桥域的配置
-
维护 L2 防火墙的配置
-
维护网桥域、VLAN、虚拟交换机等的配置
-
通过 vRouter 代理将配置信息传递给 vRouter
-
存储许可证密钥信息
配置选项
在部署期间,您可以通过更改包含在软件分配 TAR 文件中的值.yaml 文件中的键:值对来配置 cRPD。
部署后,建议将 NETCONF 协议与 PyEZ 一起用于配置 cRPD。请参阅 https://www.juniper.net/documentation/us/en/software/junos-pyez/junos-pyez-developer/index.html ,了解有关 PyEZ 的详细信息。或者,您可以直接 SSH 到 TCP 端口 24 上的 cRPD,或者在 TCP 端口 830 上使用 NETCONF。最后,配置云原生路由器的另一个选项是使用 Kubernetes 命令访问 cRPD 上的 Junos CLI,以连接到 cRPD Pod。
访问 CLI
In this procedure we provide CLI commands that you run on the host server. We do not show a prompt before the commands so you can copy and paste the commands into your own cloud-native router.
kubectl get pods -A
The output should look like:
NAMESPACE NAME READY STATUS RESTARTS AGE contrail-deploy contrail-k8s-deployer-7b5dd699b9-smqgn 1/1 Running 0 37h contrail contrail-vrouter-masters-htcvt 3/3 Running 0 37h default delete-crpd-dirs--1-bjngd 0/1 Completed 0 37h default delete-vrouter-dirs--1-k5wgb 0/1 Completed 0 37h default odu-pktgen-trunkint 1/1 Running 0 24h default odu-subinterface-3003 1/1 Running 0 7d kube-system calico-kube-controllers-57b9767bdb-76fvw 1/1 Running 52 (8d ago) 107d kube-system calico-node-pgljp 1/1 Running 18 (8d ago) 107d kube-system coredns-8474476ff8-2nbnv 1/1 Running 38 (8d ago) 107d kube-system dns-autoscaler-7f76f4dd6-8b4w5 1/1 Running 18 (8d ago) 107d kube-system kube-apiserver-nodem27.englab.juniper.net 1/1 Running 45 (8d ago) 107d kube-system kube-controller-manager-nodem27.englab.juniper.net 1/1 Running 34 (8d ago) 107d kube-system kube-crpd-worker-ds-89wzg 1/1 Running 0 32h kube-system kube-multus-ds-amd64-f2pls 1/1 Running 0 8d kube-system kube-proxy-vrqjm 1/1 Running 18 (8d ago) 107d kube-system kube-scheduler-nodem27.englab.juniper.net 1/1 Running 35 (8d ago) 107d kube-system nodelocaldns-hm56k 1/1 Running 43 (8d ago) 107d kube-system syslog-ng-54749b7b77-tqvpk 1/1 Running 0 37h
The command to access the cRPD CLI has the form: kubectl exec -n kube-system -it <full cRPD Pod name> -- bash. If we use the output from above, the command appears as: kubectl exec -n kube-system -it kube-crpd-worker-ds-89wzg -- bash.
The output from the command above (when you use the full name of your cRPD Pod) should look like:
Defaulted container "kube-crpd-worker" out of: kube-crpd-worker, jcnr-crpd-config (init), install-cni (init)
===>
Containerized Routing Protocols Daemon (CRPD)
Copyright (C) 2020-2021, Juniper Networks, Inc. All rights reserved.
<===
This output indicates that you have attached to the cRPD CLI. At this point, your access level is root and you are in shell mode. Just as when you connect as root to any Junos OS-based device, you must enter the cli command to access the Junos CLI in operation mode.
有用的 CLI 命令
本节提供一些 CLI 命令及其输出示例。我们还提供一些命令完成示例输出。这些输出允许您查看可用的命令层次结构,您可以在云原生路由器系统上探索这些层次结构。
您可以看到带有命令的网桥命令层次结构, show bridge ? 如下所示。
show bridge ? Possible completions: mac-table Show media access control table statistics Show bridge statistics information
If you look further into the hierarchy, you see:
show bridge mac-table ? Possible completions: <[Enter]> Execute this command count Number of MAC address mac-address MAC address in the format XX:XX:XX:XX:XX:XX vlan-id Display MAC address learned on a specified VLAN or 'all-vlan' | Pipe through a command
If you use the <[Enter]> option, you see something like:
show bridge mac-table Routing Instance : default-domain:default-project:ip-fabric:__default__ Bridging domain VLAN id : 3002 MAC MAC Logical address flags interface 00:00:5E:00:53:01 D bond0
The show bridge mac-table command displays the L2 MAC table which is dynamically learned by the vRouter.
If you look at the other option, statistics, you see:
show bridge statistics ? Possible completions: <[Enter]> Execute this command vlan-id Display statistics for a particular vlan (1..4094) | Pipe through a command
If you use the <[Enter]> option, you see something like:
show bridge statistics
Bridge domain vlan-id: 100
Local interface: bond0
Broadcast packets Tx : 0 Rx : 0
Multicast packets Tx : 0 Rx : 0
Unicast packets Tx : 0 Rx : 0
Broadcast bytes Tx : 0 Rx : 0
Multicast bytes Tx : 0 Rx : 0
Unicast bytes Tx : 0 Rx : 0
Flooded packets : 0
Flooded bytes : 0
Local interface: ens1f0v1
Broadcast packets Tx : 0 Rx : 0
Multicast packets Tx : 0 Rx : 0
Unicast packets Tx : 0 Rx : 0
Broadcast bytes Tx : 0 Rx : 0
Multicast bytes Tx : 0 Rx : 0
Unicast bytes Tx : 0 Rx : 0
Flooded packets : 0
Flooded bytes : 0
Local interface: ens1f3v1
Broadcast packets Tx : 0 Rx : 0
Multicast packets Tx : 0 Rx : 0
Unicast packets Tx : 0 Rx : 0
Broadcast bytes Tx : 0 Rx : 0
Multicast bytes Tx : 0 Rx : 0
Unicast bytes Tx : 0 Rx : 0
Flooded packets : 0
The show bridge statistics command displays the L2 VLAN traffic statistics per interface within a bridge domain.
To see the firewall (ACL) configuration:
show configuration firewall:firewall
family {
bridge {
filter filter1 {
term t1 {
from {
destination-mac-address 10:30:30:30:30:31;
source-mac-address 10:30:30:30:30:30;
ether-type oam;
}
then {
discard;
}
}
}
}
}
Once configured, you must apply your firewall filters to a bridge domain using a cRPD configuration command similar to:set routing-instances vswitch bridge-domains bd3001 forwarding-options filter input filter1. Then you must commit the configuration for the firewall filter to take effect.
To see the how many packets matched the filter (per VLAN) you can use the cRPD CLI and issue the command:
show firewall filter filter1
The output from the above command looks like:
Filter : filter1 vlan-id : 3001 Term Packet t1 0
In this example we applied the filter to the bridge domain bd3001. The filter has not yet matched any packets.