Mhoro, Habr. Ndiri kupedza nhevedzano yezvinyorwa, yakatsaurirwa kutanga kwekosi na OTUS, uchishandisa VxLAN EVPN tekinoroji yekufambisa mukati mejira uye kushandisa Firewall kurambidza kupinda pakati pemukati masevhisi.
Zvakapfuura zvikamu zvenhevedzano zvinogona kuwanikwa pane anotevera links:
Nhasi tichaenderera mberi nekudzidza iyo routing logic mukati meVxLAN jira. Muchikamu chakapfuura, takatarisa intra-mucheka routing mukati meVRF imwechete. Nekudaro, panogona kunge paine huwandu hukuru hwevatengi masevhisi munetiweki, uye ese anofanirwa kugoverwa mumaVRF akasiyana kusiyanisa kuwana pakati pavo. Pamusoro pekuparadzaniswa kwenetiweki, bhizinesi rinogona kuda kubatanidza Firewall kurambidza kupinda pakati peaya masevhisi. Hongu, izvi hazvigoni kunzi ndiyo mhinduro yakanakisisa, asi chokwadi chemazuva ano chinoda "mhinduro dzemazuva ano".
Ngatitarisei sarudzo mbiri dzekufambisa pakati peVRFs:
- Kufambisa pasina kusiya jira reVxLAN;
- Routing pamidziyo yekunze.
Ngatitangei neiyo routing logic pakati peVRFs. Kune imwe nhamba yeVRFs. Kuti ufambe pakati peVRFs, unofanirwa kusarudza mudziyo uri munetiweki unozoziva nezvese maVRF (kana zvikamu pakati peinodiwa nzira) Mudziyo wakadaro unogona kunge uri, semuenzaniso, imwe yeLeaf switch (kana zvese kamwechete) . Iyi topology ichaita seizvi:
Ndezvipi zvisingabatsiri zveiyi topology?
Ndizvozvo, Leaf rega rega rinoda kuziva nezvese VRFs (uye ruzivo rwese rwuri mavari) panetiweki, izvo zvinotungamira mukurasikirwa kwendangariro uye kuwedzera network mutoro. Mushure mezvose, kazhinji kacho imwe neimwe yeLeaf switch haidi kuziva nezve zvese zviri pane network.
Nekudaro, ngatitarisei nzira iyi zvakadzama, nekuti kune madiki network iyi sarudzo yakanyatsokodzera (kana pasina chaiyo bhizinesi zvinodiwa)
Panguva ino, iwe unogona kunge uine mubvunzo nezve nzira yekuendesa ruzivo kubva kuVRF kuenda kuVRF, nekuti poindi yeiyi tekinoroji ndeyechokwadi kuti kuparadzira ruzivo kunofanira kushomeka.
Uye mhinduro iri mumabasa akadai sekutumira kunze kwenyika uye kuendesa ruzivo rwenzira (kumisikidza tekinoroji iyi yakatariswa mukati zvikamu zvekutenderera). Rega ndidzokorore muchidimbu:
Paunenge uchiisa VRF muAF, unofanirwa kutsanangura route-target yeruzivo rwekupinza uye kutumira kunze kwenyika. Unogona kuzvitsanangura otomatiki. Ipapo kukosha kuchasanganisira iyo ASN BGP uye L3 VNI yakabatana neVRF. Izvi zviri nyore kana uine ASN imwe chete mufekitori yako:
vrf context PROD20
address-family ipv4 unicast
route-target export auto ! Π Π°Π²ΡΠΎΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠΌ ΡΠ΅ΠΆΠΈΠΌΠ΅ ΡΠΊΡΠΏΠΎΡΡΠΈΡΡΠ΅ΡΡΡ RT-65001:99000
route-target import autoNekudaro, kana iwe uine inodarika imwe ASN uye uchida kutamisa nzira pakati pavo, ipapo manyorero ekugadzirisa ichave iri nyore uye scalable sarudzo. route-target. Kurudziro yekuseta yemanyorero ndiyo nhamba yekutanga, shandisa imwe yakakunakira iwe, semuenzaniso, 9999.
Yechipiri inofanira kuiswa kuti ienzane neVNI yeVRF iyoyo.
Ngatigadzirisei sezvinotevera:
vrf context PROD10
address-family ipv4 unicast
route-target export 9999:99000
route-target import 9999:99000
route-target import 9999:77000 ! ΠΡΠΈΠΌΠ΅Ρ 1 import ΠΈΠ· Π΄ΡΡΠ³ΠΎΠ³ΠΎ VRF
route-target import 9999:88000 ! ΠΡΠΈΠΌΠ΅Ρ 2 import ΠΈΠ· Π΄ΡΡΠ³ΠΎΠ³ΠΎ VRFZvinotaridzika sei mutafura yekufambisa:
Leaf11# sh ip route vrf prod
<.....>
192.168.20.0/24, ubest/mbest: 1/0
*via 10.255.1.20%default, [200/0], 00:24:45, bgp-65001, internal, tag 65001
(evpn) segid: 99000 tunnelid: 0xaff0114 encap: VXLAN ! ΠΏΡΠ΅ΡΠΈΠΊΡ Π΄ΠΎΡΡΡΠΏΠ΅Π½ ΡΠ΅ΡΠ΅Π· L3VNI 99000Ngatitarisei sarudzo yechipiri yekufambisa pakati peVRFs - kuburikidza nemidziyo yekunze, semuenzaniso Firewall.
Pane akati wandei sarudzo dzekushanda kuburikidza nekunze mudziyo:
- Chigadzirwa chacho chinoziva kuti VxLAN chii uye tinogona kuwedzera kune chikamu chejira;
- Chishandiso hachizivi chinhu nezveVxLAN.
Isu hatisi kuzogara pane yekutanga sarudzo, sezvo iyo logic ichave yakafanana sezvakaratidzwa pamusoro - isu tinounza ese maVRF kuFirewall uye kugadzirisa nzira pakati peVRF pairi.
Ngatifungei nezvechisarudzo chechipiri, apo Firewall yedu haizivi chinhu pamusoro peVxLAN (ikozvino, chokwadi, midziyo ine VxLAN inotsigirwa iri kuonekwa. Somuenzaniso, Checkpoint yakazivisa kutsigira kwayo muR81. Unogona kuverenga nezvazvo. , zvisinei, izvi zvose zviri padanho rekuedza uye hapana chivimbo mukugadzikana kwekushanda).
Kana tichibatanidza mudziyo wekunze, tinowana dhayagiramu inotevera:
Sezvauri kuona kubva padhizaini, bhodhoro rinoonekwa pane interface neFirewall. Izvi zvinofanirwa kuverengerwa mune ramangwana pakuronga network uye nekugadzirisa network traffic.
Nekudaro, ngatidzokere kudambudziko rekutanga rekufambisa pakati peVRFs. Nekuda kwekuwedzera Firewall, tinosvika pakugumisa kuti Firewall inofanirwa kuziva nezvese maVRF. Kuti uite izvi, ese maVRF anofanirwawo kugadzirwa pamuganho Mashizha, uye Firewall inofanirwa kubatana kune yega yega VRF ine yakaparadzana chinongedzo.
Nekuda kweizvozvo, chirongwa chine Firewall:
Ndokunge, paFirewall iwe unofanirwa kugadzirisa interface kune yega yega VRF iri pane network. Kazhinji, pfungwa yacho haiite seyakaomarara uye chinhu chega chandisingade pano ihombe nhamba yenzvimbo paFirewall, asi heino nguva yekufunga nezve otomatiki.
Fine. Isu takabatanidza iyo Firewall ndokuiwedzera kune ese maVRF. Asi isu togona sei kumanikidza traffic kubva kune rimwe nerimwe Leaf kuti ipfuure neino Firewall?
PaLeaf rakabatana neFirewall, hapana matambudziko achamuka, sezvo nzira dzese dziri dzenzvimbo:
0.0.0.0/0, ubest/mbest: 1/0
*via 10.254.13.55, [1/0], 6w5d, static ! ΠΌΠ°ΡΡΡΡΡ ΠΏΠΎ-ΡΠΌΠΎΠ»ΡΠ°Π½ΠΈΡ ΡΠ΅ΡΠ΅Π· FirewallZvisinei, zvakadini neMashizha ari kure? Nzira yekuvapfuudza sei iyo yakasarudzika yekunze nzira?
Ndizvozvo, kuburikidza neEVPN nzira-mhando yechishanu, senge chero imwe prefix pamusoro peVxLAN jira. Nekudaro, izvi hazvisi nyore (kana tiri kutaura nezveCisco, sezvo ini ndisina kutarisa nevamwe vatengesi)
Nzira yekusarudzika inofanirwa kushambadzwa kubva kuLeaf uko Firewall yakabatana. Nekudaro, kufambisa nzira, Leaf anofanira kuzviziva pachayo. Uye pano pane rimwe dambudziko rinomuka (zvichida kwandiri chete), nzira inofanirwa kunyoreswa statically muVRF kwaunoda kushambadza nzira yakadai:
vrf context PROD10
ip route 0.0.0.0/0 10.254.13.55Tevere, mukugadziriswa kweBGP, isa nzira iyi muAF IPv4:
router bgp 65001
vrf prod
address-family ipv4 unicast
network 0.0.0.0/0Zvisinei, handizvo zvoga. Nenzira iyi nzira yekusarudzika haizoverengerwe mumhuri l2vpn evpn. Pamusoro peizvi, iwe unofanirwa kugadzirisa redistribution:
router bgp 65001
vrf prod
address-family ipv4 unicast
network 0.0.0.0/0
redistribute static route-map COMMON_OUTIsu tinoratidza kuti ndeapi prefixes achapinda muBGP kuburikidza nekugoverazve
route-map COMMON_OUT permit 10
match ip address prefix-list COMMON_OUT
ip prefix-list COMMON_OUT seq 10 permit 0.0.0.0/0Zvino prefix 0.0.0.0/0 inowira muEVPN nzira-rudzi 5 uye inopfuudzwa kune yasara Leaf:
0.0.0.0/0, ubest/mbest: 1/0
*via 10.255.1.5%default, [200/0], 5w6d, bgp-65001, internal, tag 65001, segid: 99000 tunnelid: 0xaff0105 encap: VXLAN
! 10.255.1.5 - ΠΠΈΡΡΡΠ°Π»ΡΠ½ΡΠΉ Π°Π΄ΡΠ΅Ρ Leaf(ΡΠ°ΠΊ ΠΊΠ°ΠΊ Leaf Π²ΡΡΡΡΠΏΠ°ΡΡ Π² ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅ VPΠ‘ ΠΏΠ°ΡΡ), ΠΊ ΠΊΠΎΡΠΎΡΠΎΠΌΡ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ FirewallMutafura yeBGP tinokwanisawo kuona mhedzisiro yenzira-rudzi rwe5 ine default nzira kuburikidza ne10.255.1.5:
* i[5]:[0]:[0]:[0]:[0.0.0.0]/224
10.255.1.5 100 0 i
*>i 10.255.1.5 100 0 iIzvi zvinopedzisa nhevedzano yezvinyorwa zvakapihwa kuEVPN. Mune ramangwana, ini ndichaedza kufunga nezvekushanda kweVxLAN pamwe chete neMulticast, sezvo nzira iyi inoonekwa seyakanyanya scalable (panguva ino chirevo chinokakavadzana)
Kana iwe uchine mibvunzo / mazano pamusoro wenyaya, funga chero mashandiro eEVPN - nyora, isu tichazvifunga zvakare.
Source: www.habr.com