Nyob zoo, Habr. Kuv tabtom ua tiav cov kab lus, mob siab rau lub community launch los ntawm OTUS, siv VxLAN EVPN thev naus laus zis rau kev taug kev hauv cov ntaub thiab siv Firewall txwv kev nkag mus ntawm cov kev pabcuam sab hauv
Yav dhau los qhov chaw ntawm koob tuaj yeem pom ntawm qhov txuas hauv qab no:
Niaj hnub no peb yuav txuas ntxiv mus kawm cov txheej txheem kev coj ua hauv VxLAN ntaub. Hauv ntu dhau los, peb tau saib ntawm kev sib txuas hauv cov ntaub hauv ib qho VRF. Txawm li cas los xij, tej zaum yuav muaj ntau tus neeg siv kev pabcuam hauv lub network, thiab txhua tus ntawm lawv yuav tsum tau muab faib ua VRFs sib txawv kom sib txawv ntawm lawv. Ntxiv nrog rau kev sib cais ntawm lub network, ib lub lag luam yuav xav tau txuas Firewall kom txwv kev nkag mus ntawm cov kev pabcuam no. Yog lawm, qhov no tsis tuaj yeem hu ua qhov kev daws teeb meem zoo tshaj plaws, tab sis qhov tseeb niaj hnub xav tau "kev daws teeb meem niaj hnub".
Cia peb xav txog ob txoj hauv kev rau kev sib txuas ntawm VRFs:
- Routing tsis tawm ntawm VxLAN ntaub;
- Routing ntawm cov khoom siv sab nraud.
Cia peb pib nrog qhov kev sib txuas lus ntawm VRFs. Muaj qee tus lej ntawm VRFs. Txhawm rau taug kev ntawm VRFs, koj yuav tsum xaiv ib lub cuab yeej hauv lub network uas yuav paub txog tag nrho VRFs (lossis qhov nruab nrab ntawm qhov yuav tsum tau ua). Cov cuab yeej zoo li no tuaj yeem yog, piv txwv li, ib qho ntawm nplooj hloov pauv (lossis tag nrho ib zaug) . Qhov topology no yuav zoo li no:
Dab tsi yog qhov tsis zoo ntawm no topology?
Yog lawm, txhua nplooj ntawv yuav tsum paub txog tag nrho cov VRFs (thiab tag nrho cov ntaub ntawv uas muaj nyob hauv lawv) ntawm lub network, uas ua rau nco tsis tau thiab nce network load. Tom qab tag nrho, feem ntau txhua nplooj hloov tsis tas yuav tsum paub txog txhua yam uas nyob hauv lub network.
Txawm li cas los xij, cia peb xav txog cov qauv no hauv kev nthuav dav ntxiv, vim rau cov tes hauj lwm me me qhov kev xaiv no zoo heev (yog tias tsis muaj kev lag luam tshwj xeeb)
Lub sijhawm no, koj yuav muaj lus nug txog yuav hloov cov ntaub ntawv ntawm VRF mus rau VRF li cas, vim hais tias lub ntsiab lus ntawm cov cuab yeej no yog qhov tseeb tias kev tshaj tawm cov ntaub ntawv yuav tsum raug txwv.
Thiab cov lus teb yog nyob rau hauv lub zog xws li export thiab ntshuam cov ntaub ntawv routing (teeb tsa lub tshuab no tau txiav txim siab hauv qhov chaw ntawm lub voj voog). Cia kuv rov hais dua luv luv:
Thaum teeb tsa VRF hauv AF, koj yuav tsum qhia meej route-target rau import thiab export routing cov ntaub ntawv. Koj tuaj yeem teev nws tau. Tom qab ntawd tus nqi yuav suav nrog ASN BGP thiab L3 VNI cuam tshuam nrog VRF. Qhov no yooj yim thaum koj tsuas muaj ib qho ASN hauv koj lub Hoobkas:
vrf context PROD20
address-family ipv4 unicast
route-target export auto ! Π Π°Π²ΡΠΎΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠΌ ΡΠ΅ΠΆΠΈΠΌΠ΅ ΡΠΊΡΠΏΠΎΡΡΠΈΡΡΠ΅ΡΡΡ RT-65001:99000
route-target import autoTxawm li cas los xij, yog tias koj muaj ntau tshaj ib qho ASN thiab xav tau hloov txoj hauv kev ntawm lawv, ces kev teeb tsa ntawm phau ntawv yuav yog qhov kev xaiv yooj yim dua thiab muaj peev xwm. route-target. Cov lus pom zoo rau kev teeb tsa phau ntawv yog thawj tus lej, siv ib qho yooj yim rau koj, piv txwv li, 9999.
Qhov thib ob yuav tsum tau teem kom sib npaug VNI rau VRF ntawd.
Cia peb configure nws raws li nram no:
vrf context PROD10
address-family ipv4 unicast
route-target export 9999:99000
route-target import 9999:99000
route-target import 9999:77000 ! ΠΡΠΈΠΌΠ΅Ρ 1 import ΠΈΠ· Π΄ΡΡΠ³ΠΎΠ³ΠΎ VRF
route-target import 9999:88000 ! ΠΡΠΈΠΌΠ΅Ρ 2 import ΠΈΠ· Π΄ΡΡΠ³ΠΎΠ³ΠΎ VRFYuav ua li cas nws zoo li nyob rau hauv lub routing table:
Leaf11# sh ip route vrf prod
<.....>
192.168.20.0/24, ubest/mbest: 1/0
*via 10.255.1.20%default, [200/0], 00:24:45, bgp-65001, internal, tag 65001
(evpn) segid: 99000 tunnelid: 0xaff0114 encap: VXLAN ! ΠΏΡΠ΅ΡΠΈΠΊΡ Π΄ΠΎΡΡΡΠΏΠ΅Π½ ΡΠ΅ΡΠ΅Π· L3VNI 99000Cia peb xav txog qhov kev xaiv thib ob rau kev sib txuas ntawm VRFs - los ntawm cov khoom siv sab nraud, piv txwv li Firewall.
Muaj ntau txoj kev xaiv rau kev ua haujlwm los ntawm ib qho khoom siv sab nraud:
- Cov cuab yeej paub tias VxLAN yog dab tsi thiab peb tuaj yeem ntxiv nws rau ib feem ntawm cov ntaub;
- Cov cuab yeej tsis paub dab tsi txog VxLAN.
Peb yuav tsis nyob ntawm qhov kev xaiv thawj zaug, txij li cov logic yuav luag zoo ib yam li qhia saum toj no - peb nqa tag nrho VRFs rau Firewall thiab teeb tsa kev sib txuas ntawm VRFs ntawm nws.
Cia peb xav txog qhov kev xaiv thib ob, thaum peb Firewall tsis paub dab tsi txog VxLAN (tam sim no, tau kawg, cov khoom siv nrog VxLAN txhawb nqa tau tshwm sim. Piv txwv li, Checkpoint tshaj tawm nws cov kev txhawb nqa hauv version R81. Koj tuaj yeem nyeem txog nws , txawm li cas los xij, qhov no yog tag nrho ntawm theem kev sim thiab tsis muaj kev ntseeg siab rau kev ruaj ntseg ntawm kev ua haujlwm).
Thaum txuas ib qho khoom siv sab nraud, peb tau txais daim duab hauv qab no:
Raws li koj tuaj yeem pom los ntawm daim duab qhia, lub raj xa dej tshwm ntawm qhov cuam tshuam nrog Firewall. Qhov no yuav tsum tau coj mus rau hauv tus account yav tom ntej thaum npaj lub network thiab optimizing network tsheb.
Txawm li cas los xij, cia peb rov qab mus rau qhov teeb meem qub ntawm routing ntawm VRFs. Raws li qhov tshwm sim ntawm kev ntxiv Firewall, peb tuaj rau qhov xaus tias Firewall yuav tsum paub txog tag nrho VRFs. Txhawm rau ua qhov no, tag nrho VRFs yuav tsum tau teeb tsa rau ntawm nplooj ntawv ciam teb, thiab Firewall yuav tsum tau txuas nrog txhua VRF nrog ib qho sib txuas.
Yog li ntawd, lub tswv yim nrog Firewall:
Ntawd yog, ntawm Firewall koj yuav tsum teeb tsa lub interface rau txhua VRF nyob rau hauv lub network. Feem ntau, cov logic tsis zoo li nyuaj thiab tib yam kuv tsis nyiam ntawm no yog cov neeg coob coob ntawm kev cuam tshuam ntawm Firewall, tab sis ntawm no nws yog lub sijhawm los xav txog automation.
Zoo. Peb txuas nrog Firewall thiab ntxiv rau tag nrho VRFs. Tab sis yuav ua li cas tam sim no peb tuaj yeem yuam kev tsheb los ntawm txhua Nplooj mus hla qhov Firewall?
Ntawm nplooj ntawv txuas nrog Firewall, tsis muaj teeb meem yuav tshwm sim, vim tias txhua txoj hauv kev yog hauv zos:
0.0.0.0/0, ubest/mbest: 1/0
*via 10.254.13.55, [1/0], 6w5d, static ! ΠΌΠ°ΡΡΡΡΡ ΠΏΠΎ-ΡΠΌΠΎΠ»ΡΠ°Π½ΠΈΡ ΡΠ΅ΡΠ΅Π· FirewallTxawm li cas los xij, yuav ua li cas rau cov nplooj ntoo nyob deb? Yuav ua li cas hla lawv lub neej ntawd sab nraud txoj kev?
Yog lawm, los ntawm EVPN txoj kev-hom 5, zoo li lwm yam ua ntej ntawm VxLAN ntaub. Txawm li cas los xij, qhov no tsis yooj yim li (yog tias peb tham txog Cisco, vim kuv tsis tau kuaj nrog lwm tus neeg muag khoom)
Txoj hauv kev ua ntej yuav tsum tau tshaj tawm los ntawm Nplooj nplooj uas Firewall txuas nrog. Txawm li cas los xij, txhawm rau kis txoj kev, Nplooj yuav tsum paub nws tus kheej. Thiab ntawm no muaj qee qhov teeb meem tshwm sim (tej zaum tsuas yog rau kuv), txoj hauv kev yuav tsum tau sau npe nyob rau hauv VRF qhov koj xav tshaj tawm txoj hauv kev:
vrf context PROD10
ip route 0.0.0.0/0 10.254.13.55Tom ntej no, hauv BGP teeb tsa, teeb tsa txoj hauv kev no hauv AF IPv4:
router bgp 65001
vrf prod
address-family ipv4 unicast
network 0.0.0.0/0Txawm li cas los xij, tsis yog txhua yam. Ua li no txoj hauv kev yuav tsis suav nrog tsev neeg l2vpn evpn. Ntxiv rau qhov no, koj yuav tsum teeb tsa redistribution:
router bgp 65001
vrf prod
address-family ipv4 unicast
network 0.0.0.0/0
redistribute static route-map COMMON_OUTPeb qhia tias qhov twg ua ntej yuav nkag mus rau hauv BGP los ntawm kev xa rov qab
route-map COMMON_OUT permit 10
match ip address prefix-list COMMON_OUT
ip prefix-list COMMON_OUT seq 10 permit 0.0.0.0/0Tam sim no lub prefix 0.0.0.0/0 poob rau hauv EVPN txoj kev-hom 5 thiab kis mus rau tus so ntawm Nplooj:
0.0.0.0/0, ubest/mbest: 1/0
*via 10.255.1.5%default, [200/0], 5w6d, bgp-65001, internal, tag 65001, segid: 99000 tunnelid: 0xaff0105 encap: VXLAN
! 10.255.1.5 - ΠΠΈΡΡΡΠ°Π»ΡΠ½ΡΠΉ Π°Π΄ΡΠ΅Ρ Leaf(ΡΠ°ΠΊ ΠΊΠ°ΠΊ Leaf Π²ΡΡΡΡΠΏΠ°ΡΡ Π² ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅ VPΠ‘ ΠΏΠ°ΡΡ), ΠΊ ΠΊΠΎΡΠΎΡΠΎΠΌΡ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ FirewallNyob rau hauv lub rooj BGP peb kuj tuaj yeem soj ntsuam qhov tshwm sim-hom 5 nrog rau txoj hauv kev ua ntej ntawm 10.255.1.5:
* i[5]:[0]:[0]:[0]:[0.0.0.0]/224
10.255.1.5 100 0 i
*>i 10.255.1.5 100 0 iQhov no xaus cov kab lus uas tau mob siab rau EVPN. Nyob rau hauv lub neej yav tom ntej, kuv yuav sim xav txog kev ua haujlwm ntawm VxLAN ua ke nrog Multicast, vim tias txoj kev no suav hais tias muaj ntau dua (tam sim no cov lus tsis txaus ntseeg)
Yog tias koj tseem muaj lus nug / lus qhia ntawm lub ncauj lus, xav txog kev ua haujlwm ntawm EVPN - sau, peb yuav xav txog nws ntxiv.
Tau qhov twg los: www.hab.com