VxLAN fabric. Part 3

Hello, Habr. I am finishing the series of articles dedicated to the launch of the OTUS "Network Engineer" course: using VxLAN EVPN for routing inside the fabric, and using a Firewall to restrict access between internal services.


The previous parts of the series can be found at the following links:

Today we continue studying routing logic inside a VxLAN fabric. In the previous part we looked at intra-fabric routing within a single VRF. However, a network may carry a large number of client services, and all of them have to be distributed across different VRFs to separate access between them. In addition to network separation, the business may require a Firewall to restrict access between these services. Yes, this cannot be called the best solution, but modern realities demand "modern solutions".

Let us consider two options for routing between VRFs:

  1. Routing without leaving the VxLAN fabric;
  2. Routing on external equipment.

Let us start with the logic of routing between VRFs. There is a certain number of VRFs. To route between them, you need to choose a device in the network that knows about all the VRFs (or about the required subset of them). Such a device can be, for example, one of the Leaf switches (or all of them). The topology would look like this:


What is the disadvantage of this topology?

Yes, every Leaf must know all the VRFs (and all the information in them) on the network, which wastes memory and increases the load on the network. After all, quite often a single Leaf switch does not need to know everything that is on the network.

However, let us consider this approach in detail, since for small networks this option is quite suitable (if there are no specific business requirements).

At this point you may have a question about how data is transferred from VRF to VRF, since the whole point of this technology is precisely that the spread of information should be limited.

And the answer lies in functions such as export and import of routing information (configuring this was covered in the second part of the series). Let me briefly repeat:

When configuring a VRF in the address family, you must specify the route-target for importing and exporting routing information. You can specify it automatically. Then the value will include the BGP ASN and the L3 VNI associated with the VRF. This is convenient if you have a single ASN in your fabric:

vrf context PROD20
  address-family ipv4 unicast
    route-target export auto      ! in automatic mode RT 65001:99000 is exported
    route-target import auto

However, if you have more than one ASN and need to pass routes between them, then manually configuring the route-target is the more convenient and scalable option. The recommendation for manual configuration: for the first number use whatever is convenient for you, for example 9999. The second number should be set equal to the VNI of that VRF.

Let us configure it as follows:

vrf context PROD10
  address-family ipv4 unicast
    route-target export 9999:99000
    route-target import 9999:99000
    route-target import 9999:77000         ! example 1: import from another VRF
    route-target import 9999:88000         ! example 2: import from another VRF

Here is what it looks like in the routing table:

Leaf11# sh ip route vrf prod
<.....>
192.168.20.0/24, ubest/mbest: 1/0
    *via 10.255.1.20%default, [200/0], 00:24:45, bgp-65001, internal, tag 65001
    (evpn) segid: 99000 tunnelid: 0xaff0114 encap: VXLAN          ! the prefix is reachable via L3VNI 99000
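Because route-target import and export decide which VRF can see which prefixes, the segmentation of the fabric is only as strict as these lines. The following script is an added example written for this article, not code from the author or from Cisco: it parses a constructed set of "vrf context" blocks (PROD30, the "vni" lines and the LOCAL_ASN value are assumptions), expands "auto" route-targets to ASN:L3VNI as described above, and computes which VRF receives prefixes from which other VRF. It goes slightly beyond the text by also accepting "route-target both" and the trailing "evpn" keyword. The sample deliberately mixes an automatic and a manual route-target so that the ASN mismatch mentioned above shows up: PROD10 imports 9999:77000, but PROD20 exports 65001:77000, so no leak happens between them.

```python
import re

# Constructed sample of NX-OS "vrf context" configuration for three VRFs. It is not taken
# from the article's lab; the route-target values follow the article's examples.
SAMPLE_CONFIG = """\
vrf context PROD10
  vni 99000
  address-family ipv4 unicast
    route-target export 9999:99000
    route-target import 9999:99000
    route-target import 9999:77000
    route-target import 9999:88000
vrf context PROD20
  vni 77000
  address-family ipv4 unicast
    route-target export auto
    route-target import auto
vrf context PROD30
  vni 88000
  address-family ipv4 unicast
    route-target both 9999:88000 evpn
"""

LOCAL_ASN = 65001  # assumption: the fabric ASN used when expanding "auto" route-targets

RT_RE = re.compile(r"route-target (export|import|both) (\S+)(?: evpn)?$")


def parse_vrf_route_targets(config, asn=LOCAL_ASN):
    """Return {vrf: {"export": set, "import": set}} from a vrf-context config dump.
    "auto" expands to ASN:L3VNI, as the article describes; "both" counts for both
    directions and a trailing "evpn" keyword is accepted."""
    vrfs, current, vni = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"vrf context (\S+)", line)
        if m:
            current, vni = m.group(1), None
            vrfs[current] = {"export": set(), "import": set()}
            continue
        if current is None:
            continue
        m = re.match(r"vni (\d+)$", line)
        if m:
            vni = int(m.group(1))
            continue
        m = RT_RE.match(line)
        if m:
            direction, rt = m.groups()
            if rt == "auto":
                if vni is None:
                    raise ValueError(f"{current}: route-target auto but no vni configured")
                rt = f"{asn}:{vni}"
            for d in (("export", "import") if direction == "both" else (direction,)):
                vrfs[current][d].add(rt)
    return vrfs


def leak_matrix(vrfs):
    """VRF a receives VRF b's prefixes when a's import RTs intersect b's export RTs.
    Returns {a: sorted list of other VRFs whose prefixes a receives}."""
    return {
        a: sorted(b for b, rb in vrfs.items() if b != a and ra["import"] & rb["export"])
        for a, ra in vrfs.items()
    }


def one_way_leaks(vrfs):
    """Pairs (a, b) where a receives b's prefixes but b does not receive a's. Such a leak
    gives one-directional reachability that is usually unintended and should be reviewed."""
    reach = leak_matrix(vrfs)
    return sorted((a, b) for a, bs in reach.items() for b in bs if a not in reach[b])


if __name__ == "__main__":
    vrfs = parse_vrf_route_targets(SAMPLE_CONFIG)
    for vrf, peers in leak_matrix(vrfs).items():
        print(f"{vrf} receives prefixes from: {peers or '-'}")
    print("one-way leaks:", one_way_leaks(vrfs))
```

Run against a real "show running-config vrf" dump, the one-way list is the part worth reviewing first: a VRF that imports another VRF's route-target without the reverse import gets a default-less, asymmetric path that often reflects a copy-paste import rather than a design decision.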

Let us consider the second option for routing between VRFs: through external equipment, for example a Firewall.

There are several options for operating through an external device:

  1. The device knows what VxLAN is and we can add it as part of the fabric;
  2. The device knows nothing about VxLAN.

We will not dwell on the first option, since the logic would be almost the same as shown above: we bring all the VRFs to the Firewall and configure routing between the VRFs on it.

Let us consider the second option, when our Firewall knows nothing about VxLAN (now, of course, equipment with VxLAN support is appearing; for example, Checkpoint announced support for it in version R81. You can read about it here; however, this is all still at the experimental stage and there is no guarantee of stable operation).

When connecting an external device, we get the following diagram:


As you can see from the diagram, a bottleneck appears at the junction with the Firewall. This must be taken into account later when designing the network and optimizing traffic flows.

However, let us return to the original problem of routing between VRFs. As a result of adding the Firewall, we come to the conclusion that the Firewall must know about all the VRFs. To do this, all the VRFs must also be configured on the border Leafs, and the Firewall must be connected to each VRF with a separate link.

As a result, the scheme with the Firewall:


That is, on the Firewall you need to configure an interface into each VRF on the network. In general, the logic is not complicated, and the only thing I dislike here is the large number of interfaces on the Firewall, but at this point it is time to think about automation.

OK. We have connected the Firewall and added it to all the VRFs. But how do we force traffic from every Leaf to go through this Firewall?

On the Leaf connected to the Firewall no problems arise, since all the routes are local:

0.0.0.0/0, ubest/mbest: 1/0
    *via 10.254.13.55, [1/0], 6w5d, static       ! default route via the Firewall

But what about the remote Leafs? How do we pass the external default route to them?

That's right: via an EVPN type-5 route, like any other prefix in the VxLAN fabric. However, it is not that simple (if we are talking about Cisco; I have not checked with other vendors).

The default route must be advertised from the Leaf to which the Firewall is connected. However, for the Leaf to advertise the route, it must know it itself. And here a problem arises (perhaps only for me): the route must be configured statically in the VRF where you want to advertise such a route:

vrf context PROD10
    ip route 0.0.0.0/0 10.254.13.55

Next, in the BGP configuration, announce this route in the IPv4 address family:

router bgp 65001
    vrf prod
        address-family ipv4 unicast
            network 0.0.0.0/0

However, that's not all. This way the default route will not be included in the l2vpn evpn address family. In addition, you need to configure redistribution:

router bgp 65001
    vrf prod
        address-family ipv4 unicast
            network 0.0.0.0/0
            redistribute static route-map COMMON_OUT

We specify which prefixes will get into BGP through redistribution:

route-map COMMON_OUT permit 10
  match ip address prefix-list COMMON_OUT

ip prefix-list COMMON_OUT seq 10 permit 0.0.0.0/0

Now the prefix 0.0.0.0/0 is placed into an EVPN type-5 route and is passed to the other Leafs:

0.0.0.0/0, ubest/mbest: 1/0
    *via 10.255.1.5%default, [200/0], 5w6d, bgp-65001, internal, tag 65001, segid: 99000 tunnelid: 0xaff0105 encap: VXLAN
    ! 10.255.1.5 is the virtual address of the Leaf pair (the Leafs act as a vPC pair) to which the Firewall is connected

In the BGP table we can also observe the resulting type-5 route carrying the default route via 10.255.1.5:

* i[5]:[0]:[0]:[0]:[0.0.0.0]/224
                      10.255.1.5                        100          0 i
*>i                   10.255.1.5                        100          0 i
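The whole point of advertising the default route as a type-5 prefix is that every remote Leaf sends inter-VRF traffic to the Firewall; a VRF whose default route is missing, or points to a local static next hop instead, silently routes around the inspection point. The script below is an added example written for this article, not the author's or Cisco's code: it parses constructed "show ip route vrf" excerpts (the PROD20 and PROD30 situations are assumed scenarios; 10.255.1.5 and L3VNI 99000 are the values from the article) and reports per VRF whether the default route is the BGP/EVPN route via the Firewall Leaf pair.

```python
import re

# Constructed excerpts of "show ip route vrf <name>" for three VRFs on a remote Leaf. They are
# sample data, not captures from the article's lab; the PROD10 entry mirrors the article's output.
SAMPLE_OUTPUT = {
    # default learned as an EVPN type-5 route from the Leaf pair holding the Firewall
    "PROD10": """\
0.0.0.0/0, ubest/mbest: 1/0
    *via 10.255.1.5%default, [200/0], 5w6d, bgp-65001, internal, tag 65001, segid: 99000 tunnelid: 0xaff0105 encap: VXLAN
192.168.10.0/24, ubest/mbest: 1/0, attached
    *via 192.168.10.1, Vlan10, [0/0], 5w6d, direct
""",
    # assumed scenario: a local static default that sends traffic around the Firewall
    "PROD20": """\
0.0.0.0/0, ubest/mbest: 1/0
    *via 10.10.10.1, [1/0], 2d3h, static
""",
    # assumed scenario: the type-5 default never reached this VRF
    "PROD30": """\
192.168.30.0/24, ubest/mbest: 1/0, attached
    *via 192.168.30.1, Vlan30, [0/0], 5w6d, direct
""",
}

FIREWALL_VTEP = "10.255.1.5"  # virtual address of the vPC Leaf pair connected to the Firewall (from the article)
FIREWALL_L3VNI = 99000        # L3 VNI over which the default route is expected (from the article)

VIA_RE = re.compile(
    r"\*via (?P<nh>[\d.]+)(?:%[^,\s]+)?,(?: \S+,)? \[(?P<ad>\d+)/(?P<metric>\d+)\]"
    r".*?(?P<proto>bgp-\d+|static|direct)"
    r"(?:.*?segid: (?P<segid>\d+))?(?:.*?encap: (?P<encap>\S+))?"
)


def parse_default_route(output):
    """Return a list of next-hop dicts for 0.0.0.0/0 in one VRF's output ([] if absent)."""
    hops, in_default = [], False
    for line in output.splitlines():
        if not line.startswith(" "):          # prefix header line
            in_default = line.startswith("0.0.0.0/0,")
            continue
        if in_default:
            m = VIA_RE.search(line)
            if m:
                d = m.groupdict()
                d["segid"] = int(d["segid"]) if d["segid"] else None
                hops.append(d)
    return hops


def check_default_via_firewall(output, vtep=FIREWALL_VTEP, l3vni=FIREWALL_L3VNI):
    """'ok' when every default next hop is the BGP/EVPN route via the Firewall Leaf VTEP on the
    expected L3 VNI, 'missing' when the VRF has no default, otherwise 'bypass'."""
    hops = parse_default_route(output)
    if not hops:
        return "missing"
    for h in hops:
        via_firewall = (h["proto"].startswith("bgp-") and h["nh"] == vtep
                        and h["segid"] == l3vni and h["encap"] == "VXLAN")
        if not via_firewall:
            return "bypass"
    return "ok"


def audit(outputs):
    """Verdict per VRF, so a single run shows which VRFs would route around the Firewall."""
    return {vrf: check_default_via_firewall(text) for vrf, text in outputs.items()}


if __name__ == "__main__":
    for vrf, verdict in audit(SAMPLE_OUTPUT).items():
        print(f"{vrf}: {verdict}")
```

Feeding it the real output of each VRF on each remote Leaf turns the "how do we force traffic through the Firewall" question into a repeatable check; a "bypass" verdict on a remote Leaf is the case to chase first, since it means a default route with a lower administrative distance than the type-5 route has appeared locally.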

This concludes the series of articles dedicated to EVPN. In the future I will try to look at VxLAN operation with Multicast, since that approach is considered more scalable (a debatable claim at the moment).

If you still have questions or suggestions on the topic, or on covering any EVPN functionality, write in, and we will look at it further.


source: www.habr.com
