Moni, Habr. Ndikumaliza zolemba zingapo, odzipereka pakukhazikitsa maphunzirowa ndi OTUS, pogwiritsa ntchito ukadaulo wa VxLAN EVPN poyenda mkati mwa nsalu ndikugwiritsa ntchito Firewall kuletsa mwayi pakati pa ntchito zamkati
Mbali zam'mbuyo za mndandandawu zitha kupezeka pamalumikizidwe awa:
Lero tipitiriza kuphunzira ndondomeko yoyendetsera mkati mwa nsalu ya VxLAN. Mu gawo lapitalo, tidayang'ana njira zopangira nsalu mkati mwa VRF imodzi. Komabe, pakhoza kukhala kuchuluka kwa ntchito zamakasitomala pamanetiweki, ndipo zonse ziyenera kugawidwa mu ma VRF osiyanasiyana kuti asiyanitse mwayi pakati pawo. Kuphatikiza pakulekanitsa ma netiweki, bizinesi ingafunike kulumikiza Firewall kuti iletse mwayi pakati pa mautumikiwa. Inde, izi sizingatchedwe njira yabwino kwambiri, koma zenizeni zamakono zimafuna "njira zamakono".
Tiyeni tiwone njira ziwiri zosinthira pakati pa ma VRF:
- Kuyendetsa popanda kusiya nsalu ya VxLAN;
- Njira pazida zakunja.
Tiyeni tiyambe ndi njira zoyendetsera pakati pa ma VRF. Pali ma VRF angapo. Kuti muyende pakati pa ma VRF, muyenera kusankha chipangizo pa netiweki chomwe chidzadziwa za ma VRF onse (kapena magawo omwe amafunikira njira). . Topology iyi idzawoneka motere:
Kodi kuipa kwa topology iyi ndi chiyani?
Ndiko kulondola, Tsamba lililonse liyenera kudziwa za ma VRF onse (ndi zidziwitso zonse zomwe zili momwemo) pamaneti, zomwe zimabweretsa kukumbukira kukumbukira komanso kuchuluka kwa maukonde. Kupatula apo, nthawi zambiri switch iliyonse ya Leaf siyenera kudziwa chilichonse chomwe chili pa intaneti.
Komabe, tiyeni tilingalire njira iyi mwatsatanetsatane, chifukwa kwa maukonde ang'onoang'ono njira iyi ndiyoyenera (ngati palibe zofunikira zabizinesi)
Panthawiyi, mungakhale ndi funso la momwe mungasamutsire zambiri kuchokera ku VRF kupita ku VRF, chifukwa mfundo ya teknolojiyi ndiyoti kufalitsa chidziwitso kuyenera kukhala kochepa.
Ndipo yankho liri mu ntchito monga kutumiza kunja ndi kuitanitsa zidziwitso zamayendedwe (kukhazikitsa ukadaulo uwu kudaganiziridwa mu mbali za kuzungulira). Ndiroleni ndibwereze mwachidule:
Mukakhazikitsa VRF mu AF, muyenera kufotokoza route-target za zolowetsa ndi kutumiza kunja. Mutha kuzifotokoza zokha. Kenako mtengowo uphatikiza ASN BGP ndi L3 VNI yolumikizidwa ndi VRF. Izi ndi zabwino mukakhala ndi ASN imodzi yokha mufakitale yanu:
vrf context PROD20
address-family ipv4 unicast
route-target export auto ! Π Π°Π²ΡΠΎΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠΌ ΡΠ΅ΠΆΠΈΠΌΠ΅ ΡΠΊΡΠΏΠΎΡΡΠΈΡΡΠ΅ΡΡΡ RT-65001:99000
route-target import autoKomabe, ngati muli ndi ASN yopitilira imodzi ndipo muyenera kusamutsa mayendedwe pakati pawo, ndiye kuti kasinthidwe kamanja kudzakhala njira yosavuta komanso yowopsa. route-target. Malangizo pakukhazikitsa pamanja ndi nambala yoyamba, gwiritsani ntchito yomwe ili yabwino kwa inu, mwachitsanzo, 9999.
Yachiwiri iyenera kukhazikitsidwa kuti ikhale yofanana ndi VNI ya VRF imeneyo.
Tiyeni tiyikonze motere:
vrf context PROD10
address-family ipv4 unicast
route-target export 9999:99000
route-target import 9999:99000
route-target import 9999:77000 ! ΠΡΠΈΠΌΠ΅Ρ 1 import ΠΈΠ· Π΄ΡΡΠ³ΠΎΠ³ΠΎ VRF
route-target import 9999:88000 ! ΠΡΠΈΠΌΠ΅Ρ 2 import ΠΈΠ· Π΄ΡΡΠ³ΠΎΠ³ΠΎ VRFMomwe zimawonekera pa tebulo lamayendedwe:
Leaf11# sh ip route vrf prod
<.....>
192.168.20.0/24, ubest/mbest: 1/0
*via 10.255.1.20%default, [200/0], 00:24:45, bgp-65001, internal, tag 65001
(evpn) segid: 99000 tunnelid: 0xaff0114 encap: VXLAN ! ΠΏΡΠ΅ΡΠΈΠΊΡ Π΄ΠΎΡΡΡΠΏΠ΅Π½ ΡΠ΅ΡΠ΅Π· L3VNI 99000Tiyeni tilingalire njira yachiwiri yoyendetsera ma VRF - kudzera pazida zakunja, mwachitsanzo Firewall.
Pali njira zingapo zogwirira ntchito pogwiritsa ntchito chipangizo chakunja:
- Chipangizochi chimadziwa kuti VxLAN ndi chiyani ndipo tikhoza kuwonjezera pa gawo la nsalu;
- Chipangizochi sichidziwa kanthu za VxLAN.
Sitidzakhala pa njira yoyamba, popeza malingaliro adzakhala ofanana ndi omwe tawonetsedwa pamwambapa - timabweretsa ma VRF onse ku Firewall ndikukonzekera njira pakati pa VRF pa izo.
Tiyeni tiganizire njira yachiwiri, pamene Firewall yathu sadziwa kanthu za VxLAN (tsopano, ndithudi, zipangizo zothandizidwa ndi VxLAN zikuwonekera. Mwachitsanzo, Checkpoint inalengeza kuthandizira kwake mu R81. Mukhoza kuwerenga za izo. , komabe, zonsezi zili pa siteji yoyesera ndipo palibe chidaliro pa kukhazikika kwa ntchito).
Tikalumikiza chipangizo chakunja, timapeza chithunzi chotsatirachi:
Monga mukuwonera pachithunzichi, botolo likuwoneka pamawonekedwe ndi Firewall. Izi ziyenera kuganiziridwa m'tsogolomu pokonzekera maukonde ndi kukhathamiritsa magalimoto apakompyuta.
Komabe, tiyeni tibwerere ku vuto loyambirira la njira pakati pa ma VRF. Chifukwa chowonjezera Firewall, timapeza kuti Firewall iyenera kudziwa za VRFs zonse. Kuti muchite izi, ma VRF onse ayenera kukonzedwanso pamalire a Leafs, ndipo Firewall iyenera kulumikizidwa ku VRF iliyonse ndi ulalo wosiyana.
Zotsatira zake, chiwembu chokhala ndi Firewall:
Ndiye kuti, pa Firewall muyenera kukonza mawonekedwe a VRF iliyonse yomwe ili pa netiweki. Kawirikawiri, malingalirowo samawoneka ovuta ndipo chinthu chokha chomwe sindimakonda apa ndi chiwerengero chachikulu cha mawonekedwe pa Firewall, koma ino ndi nthawi yoti muganizire za automation.
Chabwino. Tidalumikiza Firewall ndikuyiwonjezera ku ma VRF onse. Koma tsopano tingakakamize bwanji magalimoto kuchokera ku Tsamba lililonse kuti adutse pa Firewall iyi?
Pa Leaf yolumikizidwa ndi Firewall, palibe mavuto omwe angabwere, chifukwa misewu yonse ndi yakwanuko:
0.0.0.0/0, ubest/mbest: 1/0
*via 10.254.13.55, [1/0], 6w5d, static ! ΠΌΠ°ΡΡΡΡΡ ΠΏΠΎ-ΡΠΌΠΎΠ»ΡΠ°Π½ΠΈΡ ΡΠ΅ΡΠ΅Π· FirewallKomabe, bwanji za akutali Leafs? Momwe mungawadutsire njira yakunja yosasinthika?
Ndiko kulondola, kudzera mu mtundu wa 5 wa EVPN, monga china chilichonse pansalu ya VxLAN. Komabe, izi sizophweka (ngati tikukamba za Cisco, popeza sindinayang'ane ndi ogulitsa ena)
Njira yokhazikika iyenera kulengezedwa kuchokera ku Leaf komwe Firewall imalumikizidwa. Komabe, kuti apereke njirayo, Leaf ayenera kuidziwa yekha. Ndipo apa pali vuto linalake (mwina kwa ine ndekha), njirayo iyenera kulembedwa mokhazikika mu VRF komwe mukufuna kutsatsa njira yotere:
vrf context PROD10
ip route 0.0.0.0/0 10.254.13.55Kenako, mukusintha kwa BGP, ikani njira iyi mu AF IPv4:
router bgp 65001
vrf prod
address-family ipv4 unicast
network 0.0.0.0/0Komabe, si zokhazo. Mwanjira iyi njira yokhazikika sidzaphatikizidwa m'banjamo l2vpn evpn. Kuphatikiza pa izi, muyenera kukonza kugawanso:
router bgp 65001
vrf prod
address-family ipv4 unicast
network 0.0.0.0/0
redistribute static route-map COMMON_OUTTikuwonetsa kuti ndi ma prefixes ati omwe angalowe mu BGP kudzera pakugawanso
route-map COMMON_OUT permit 10
match ip address prefix-list COMMON_OUT
ip prefix-list COMMON_OUT seq 10 permit 0.0.0.0/0Tsopano mawu oyamba 0.0.0.0/0 imagwera mumtundu wa 5 wa EVPN ndipo imafalikira ku Masamba onse:
0.0.0.0/0, ubest/mbest: 1/0
*via 10.255.1.5%default, [200/0], 5w6d, bgp-65001, internal, tag 65001, segid: 99000 tunnelid: 0xaff0105 encap: VXLAN
! 10.255.1.5 - ΠΠΈΡΡΡΠ°Π»ΡΠ½ΡΠΉ Π°Π΄ΡΠ΅Ρ Leaf(ΡΠ°ΠΊ ΠΊΠ°ΠΊ Leaf Π²ΡΡΡΡΠΏΠ°ΡΡ Π² ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅ VPΠ‘ ΠΏΠ°ΡΡ), ΠΊ ΠΊΠΎΡΠΎΡΠΎΠΌΡ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ FirewallPa tebulo la BGP titha kuwonanso mtundu wa 5 wotsatira wokhala ndi njira yokhazikika kudzera pa 10.255.1.5:
* i[5]:[0]:[0]:[0]:[0.0.0.0]/224
10.255.1.5 100 0 i
*>i 10.255.1.5 100 0 iIzi zikumaliza mndandanda wa zolemba zoperekedwa ku EVPN. M'tsogolomu, ndiyesera kulingalira za ntchito ya VxLAN pamodzi ndi Multicast, popeza njirayi imatengedwa kuti ndi yowonjezereka (panthawiyi mawu otsutsana)
Ngati mudakali ndi mafunso / malingaliro pamutuwu, lingalirani za magwiridwe antchito a EVPN - lembani, tidzakambirananso.
Source: www.habr.com