Sawubona, Habr. Ngiqedela uchungechunge lwezihloko, esinikezelwe ukwethulwa kwesifundo ngu-OTUS, kusetshenziswa ubuchwepheshe be-VxLAN EVPN bomzila ngaphakathi kwendwangu nokusebenzisa i-Firewall ukukhawulela ukufinyelela phakathi kwamasevisi angaphakathi.
Izingxenye zangaphambilini zochungechunge zingatholakala kulezi zixhumanisi ezilandelayo:
Namuhla sizoqhubeka nokufunda i-logic yomzila ngaphakathi kwendwangu ye-VxLAN. Engxenyeni edlule, sibheke umzila wendwangu ngaphakathi kwe-VRF eyodwa. Nokho, kungase kube nenani elikhulu lezinsizakalo zeklayenti kunethiwekhi, futhi zonke kufanele zisakazwe kuma-VRF ahlukene ukuze kuhlukaniswe ukufinyelela phakathi kwawo. Ngokungeziwe ekuhlukaniseni inethiwekhi, ibhizinisi kungase kudingeke ukuthi lixhume i-Firewall ukuze likhawulele ukufinyelela phakathi kwalawa masevisi. Yebo, lokhu akukwazi ukubizwa ngokuthi isixazululo esingcono kakhulu, kodwa amaqiniso anamuhla adinga "izixazululo zesimanje".
Ake sicabangele izinketho ezimbili zomzila phakathi kwama-VRF:
- Umzila ngaphandle kokushiya indwangu ye-VxLAN;
- Umzila ezintweni zangaphandle.
Ake siqale nge-logic yomzila phakathi kwama-VRF. Kunenombolo ethile yama-VRF. Ukuze uhambise phakathi kwama-VRF, udinga ukukhetha idivayisi kunethiwekhi ezokwazi ngawo wonke ama-VRF (noma izingxenye lapho kudingeka khona umzila). Idivayisi enjalo ingaba, isibonelo, enye yamaswishi eLeaf (noma konke ngesikhathi esisodwa) . Le topology izobukeka kanje:
Yibuphi ububi bale topology?
Kulungile, wonke amaLeaf adinga ukwazi ngawo wonke ama-VRF (nalo lonke ulwazi olukuwo) kunethiwekhi, okuholela ekulahlekeni kwememori nokwanda komthwalo wenethiwekhi. Phela, ngokuvamile i-Leaf switch ngayinye ayidingi ukwazi ngakho konke okukunethiwekhi.
Kodwa-ke, ake sicabangele le ndlela ngokuningiliziwe, ngoba kumanethiwekhi amancane le nketho ifaneleka impela (uma zingekho izidingo ezithile zebhizinisi)
Kuleli qophelo, ungase ube nombuzo mayelana nendlela yokudlulisa ulwazi kusuka ku-VRF kuya ku-VRF, ngoba iphuzu lalobu buchwepheshe liwukuthi ukusabalalisa kolwazi kufanele kube nomkhawulo.
Futhi impendulo ilele emisebenzini efana nokuthekelisa kanye nokungeniswa kolwazi lomzila (ukusetha lobu buchwepheshe bekucatshangelwa ku izingxenye zomjikelezo). Ake ngiphinde kafushane:
Uma usetha i-VRF ku-AF, kufanele ucacise route-target ngolwazi lokungenisa nokuthekelisa lomzila. Ungayicacisa ngokuzenzakalelayo. Bese inani lizofaka i-ASN BGP ne-L3 VNI ehlotshaniswa ne-VRF. Lokhu kulula uma une-ASN eyodwa kuphela efekthri yakho:
vrf context PROD20
address-family ipv4 unicast
route-target export auto ! Π Π°Π²ΡΠΎΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠΌ ΡΠ΅ΠΆΠΈΠΌΠ΅ ΡΠΊΡΠΏΠΎΡΡΠΈΡΡΠ΅ΡΡΡ RT-65001:99000
route-target import autoKodwa-ke, uma une-ASN engaphezu kweyodwa futhi udinga ukudlulisa imizila phakathi kwayo, khona-ke ukucushwa okwenziwa ngesandla kuzoba inketho elula nengakala. route-target. Isincomo sokusetha okwenziwa ngesandla inombolo yokuqala, sebenzisa ekulungele, isibonelo, 9999.
Eyesibili kufanele isethwe ukuze ilingane ne-VNI yaleyo VRF.
Masiyilungiselele ngendlela elandelayo:
vrf context PROD10
address-family ipv4 unicast
route-target export 9999:99000
route-target import 9999:99000
route-target import 9999:77000 ! ΠΡΠΈΠΌΠ΅Ρ 1 import ΠΈΠ· Π΄ΡΡΠ³ΠΎΠ³ΠΎ VRF
route-target import 9999:88000 ! ΠΡΠΈΠΌΠ΅Ρ 2 import ΠΈΠ· Π΄ΡΡΠ³ΠΎΠ³ΠΎ VRFIndlela ebukeka ngayo kuthebula lomzila:
Leaf11# sh ip route vrf prod
<.....>
192.168.20.0/24, ubest/mbest: 1/0
*via 10.255.1.20%default, [200/0], 00:24:45, bgp-65001, internal, tag 65001
(evpn) segid: 99000 tunnelid: 0xaff0114 encap: VXLAN ! ΠΏΡΠ΅ΡΠΈΠΊΡ Π΄ΠΎΡΡΡΠΏΠ΅Π½ ΡΠ΅ΡΠ΅Π· L3VNI 99000Ake sicabangele inketho yesibili yomzila phakathi kwama-VRF - ngokusebenzisa izinto zokusebenza zangaphandle, isibonelo i-Firewall.
Kunezinketho ezimbalwa zokusebenza ngedivayisi yangaphandle:
- Idivayisi iyazi ukuthi i-VxLAN iyini futhi singayifaka engxenyeni yendwangu;
- Idivayisi ayazi lutho nge-VxLAN.
Ngeke sigxile ekukhetheni kokuqala, njengoba ingqondo izocishe ifane naleyo eboniswe ngenhla - siletha wonke ama-VRF ku-Firewall futhi silungiselela umzila phakathi kwama-VRF kuyo.
Ake sicabangele inketho yesibili, lapho i-Firewall yethu ingazi lutho nge-VxLAN (manje, vele, imishini esekelwa i-VxLAN iyavela. Isibonelo, i-Checkpoint imemezele ukwesekwa kwayo enguqulweni engu-R81. Ungafunda ngayo ngakho. , noma kunjalo, konke lokhu kusesigabeni sokuhlola futhi akukho ukuzethemba ekuzinzeni kokusebenza).
Lapho uxhuma idivayisi yangaphandle, sithola umdwebo olandelayo:
Njengoba ubona emdwebeni, kuvela ibhodlela kusixhumi esibonakalayo esine-Firewall. Lokhu kufanele kucatshangelwe esikhathini esizayo lapho uhlela inethiwekhi futhi uthuthukisa ithrafikhi yenethiwekhi.
Nokho, ake sibuyele enkingeni yokuqala yomzila phakathi kwama-VRF. Njengomphumela wokwengeza i-Firewall, sifinyelela esiphethweni sokuthi i-Firewall kumele yazi ngawo wonke ama-VRF. Ukuze wenze lokhu, wonke ama-VRF kufanele amiswe ku-Leafs emngceleni, futhi i-Firewall kufanele ixhunywe ku-VRF ngayinye ngesixhumanisi esihlukile.
Ngenxa yalokho, uhlelo olune-Firewall:
Okusho ukuthi, ku-Firewall udinga ukumisa isixhumi esibonakalayo ku-VRF ngayinye etholakala kunethiwekhi. Ngokuvamile, ingqondo ayibukeki iyinkimbinkimbi futhi okuwukuphela kwento engingayithandi lapha inombolo enkulu ye-interfaces ku-Firewall, kodwa nansi isikhathi sokucabanga ngokuzenzakalelayo.
Kuhle. Sixhume i-Firewall futhi siyengeza kuwo wonke ama-VRF. Kodwa manje singaphoqa kanjani ukuthi ithrafikhi esuka kuLeaf ngalinye idlule kule Firewall?
KuLeaf elixhunywe ku-Firewall, azikho izinkinga ezizovela, njengoba yonke imizila ingeyasendaweni:
0.0.0.0/0, ubest/mbest: 1/0
*via 10.254.13.55, [1/0], 6w5d, static ! ΠΌΠ°ΡΡΡΡΡ ΠΏΠΎ-ΡΠΌΠΎΠ»ΡΠ°Π½ΠΈΡ ΡΠ΅ΡΠ΅Π· FirewallNokho, kuthiwani ngamaLeaf akude? Ungawadlulisela kanjani umzila wangaphandle ozenzakalelayo?
Kulungile, ngohlobo 5 lwe-EVPN, njenganoma yisiphi esinye isiqalo phezu kwendwangu ye-VxLAN. Kodwa-ke, lokhu akulula kangako (uma sikhuluma ngeCisco, njengoba ngingazange ngihlole nabanye abathengisi)
Umzila omisiwe kufanele ukhangiswe kusukela ku-Leaf lapho kuxhunywe khona i-Firewall. Nokho, ukuze adlulisele umzila, iLeaf kumelwe iwazi ngokwayo. Futhi lapha kuphakama inkinga ethile (mhlawumbe kimi kuphela), umzila kufanele ubhaliswe ngokwezibalo ku-VRF lapho ufuna ukukhangisa khona lo mzila:
vrf context PROD10
ip route 0.0.0.0/0 10.254.13.55Okulandelayo, ekucushweni kwe-BGP, setha lo mzila ku-AF IPv4:
router bgp 65001
vrf prod
address-family ipv4 unicast
network 0.0.0.0/0Nokho, akugcini lapho. Ngale ndlela umzila ozenzakalelayo ngeke ufakwe emndenini l2vpn evpn. Ngaphezu kwalokhu, udinga ukumisa ukusabalalisa kabusha:
router bgp 65001
vrf prod
address-family ipv4 unicast
network 0.0.0.0/0
redistribute static route-map COMMON_OUTSikhombisa ukuthi yiziphi iziqalo ezizongena ku-BGP ngokusabalalisa kabusha
route-map COMMON_OUT permit 10
match ip address prefix-list COMMON_OUT
ip prefix-list COMMON_OUT seq 10 permit 0.0.0.0/0Manje isiqalo 0.0.0.0/0 iwela ohlotsheni 5 lwe-EVPN futhi idluliselwa kuyo yonke iLeaf:
0.0.0.0/0, ubest/mbest: 1/0
*via 10.255.1.5%default, [200/0], 5w6d, bgp-65001, internal, tag 65001, segid: 99000 tunnelid: 0xaff0105 encap: VXLAN
! 10.255.1.5 - ΠΠΈΡΡΡΠ°Π»ΡΠ½ΡΠΉ Π°Π΄ΡΠ΅Ρ Leaf(ΡΠ°ΠΊ ΠΊΠ°ΠΊ Leaf Π²ΡΡΡΡΠΏΠ°ΡΡ Π² ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅ VPΠ‘ ΠΏΠ°ΡΡ), ΠΊ ΠΊΠΎΡΠΎΡΠΎΠΌΡ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ FirewallKuthebula le-BGP singaphinda sibheke uhlobo lomzila 5 oluvelayo ngomzila ozenzakalelayo nge-10.255.1.5:
* i[5]:[0]:[0]:[0]:[0.0.0.0]/224
10.255.1.5 100 0 i
*>i 10.255.1.5 100 0 iLokhu kuphetha uchungechunge lwama-athikili anikelwe ku-EVPN. Esikhathini esizayo, ngizozama ukucabangela ukusebenza kwe-VxLAN ngokubambisana ne-Multicast, njengoba le ndlela ibhekwa njengeyingozi kakhulu (okwamanje isitatimende esiphikisanayo)
Uma usenemibuzo/iziphakamiso ngesihloko, cabanga noma yikuphi ukusebenza kwe-EVPN - bhala, sizokucubungula ngokuqhubekayo.
Source: www.habr.com