Lately we hear a lot about network virtualization. It is therefore worth going back to its basics, to the time when a form of "virtualization" was already in use on devices that keep separate routing tables. This separation goes by the name VRF (Virtual Routing and Forwarding). A second variant of "virtualization" is the creation of so-called virtual systems or virtual routers. Today, when routers have plenty of compute power, we can afford to create separate VRFs or virtual routers per service or per customer.
For now we will focus on Cisco.
For this lab I will use a Cisco CSR1000v running in my lab.
Assumptions:
we bring up 3 VRFs (mgmt, dc1 and Internet) on a single device.
Configuration:
we create the VRFs:
VRF DC1
csr1kv01(config)#ip vrf dc1
csr1kv01(config-vrf)#rd 65000:2
VRF MGMT
csr1kv01(config)#ip vrf mgmt
csr1kv01(config-vrf)#rd 65000:1
VRF Internet
csr1kv01(config)#ip vrf Internet
csr1kv01(config-vrf)#rd 65000:99
Verifying the configured VRFs:
csr1kv01#show vrf
  Name                             Default RD            Protocols   Interfaces
  Internet                         65000:99              ipv4
  dc1                              65000:2               ipv4
  mgmt                             65000:1               ipv4
We configure the interfaces:
A small tip
Remember to assign the interface to the VRF first and only then give it an address, because assigning an interface to a VRF removes the IP address already configured on it. If you do it the other way round, you will have to address the interface again.
interface GigabitEthernet1
 ip vrf forwarding mgmt
 ip address 10.10.0.11 255.255.255.0
interface GigabitEthernet2.100
 encapsulation dot1Q 100
 ip vrf forwarding dc1
 ip address 10.20.100.10 255.255.255.0
interface GigabitEthernet3
 ip vrf forwarding Internet
 ip address 192.168.0.50 255.255.255.0
We display the VRFs together with their interface and IP assignments:
csr1kv01#show ip vrf int
Interface              IP-Address      VRF                              Protocol
Gi3                    192.168.0.50    Internet                         up
Gi2.100                10.20.100.10    dc1                              up
Gi1                    10.10.0.11      mgmt                             up
We configure routing:
ip route vrf mgmt 0.0.0.0 0.0.0.0 10.10.0.1
ip route vrf dc1 0.0.0.0 0.0.0.0 10.20.100.1
We display the routing table of each VRF:
csr1kv01#show ip route vrf mgmt
Routing Table: mgmt
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 10.10.0.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 10.10.0.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.0.0/24 is directly connected, GigabitEthernet1
L        10.10.0.11/32 is directly connected, GigabitEthernet1
csr1kv01#show ip route vrf Internet
Routing Table: Internet
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet3
L        192.168.0.50/32 is directly connected, GigabitEthernet3
csr1kv01#show ip route vrf dc1
Routing Table: dc1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 10.20.100.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 10.20.100.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.20.100.0/24 is directly connected, GigabitEthernet2.100
L        10.20.100.10/32 is directly connected, GigabitEthernet2.100
We configure routing between the VRFs:
There are two methods of connecting VRFs. The simplest is to link them with a cable and an L3 interface between the VRFs and enter static routes. The second method is to use MP-BGP. Its configuration is shown below:
! configure BGP with a private AS number
router bgp 65000
 bgp log-neighbor-changes
 ! configure VRF Internet
 address-family ipv4 vrf Internet
  ! specify which networks are to be redistributed
  redistribute connected
 exit-address-family
 address-family ipv4 vrf dc1
  redistribute connected
  redistribute static
 exit-address-family
 address-family ipv4 vrf mgmt
  redistribute connected
 exit-address-family
With MP-BGP configured, we move on to configuring the exchange of routes between the VRFs.
We configure import and export for the VRFs:
Assumption: DC1 and MGMT can communicate with each other, and Internet only with MGMT.
ip vrf dc1
 route-target export 65000:2
 route-target import 65000:1
ip vrf mgmt
 route-target export 65000:1
 route-target import 65000:2
 route-target import 65000:99
ip vrf Internet
 rd 65000:99
 route-target import 65000:1
 route-target export 65000:99
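The import/export policy above can be checked mechanically before it is applied. The following is an added example, not part of the original post: it parses the route-target stanzas shown above (embedded as CONFIG), derives which VRF receives routes from which, and compares the result with the stated assumption. The function names and the ALLOWED set are this example's own.

```python
import re
# Route-target stanzas copied from the configuration on this page.
CONFIG = """\
ip vrf dc1
 route-target export 65000:2
 route-target import 65000:1
ip vrf mgmt
 route-target export 65000:1
 route-target import 65000:2
 route-target import 65000:99
ip vrf Internet
 rd 65000:99
 route-target import 65000:1
 route-target export 65000:99
"""
# The page's assumption: dc1 <-> mgmt and Internet <-> mgmt, nothing else.
ALLOWED = {frozenset(("dc1", "mgmt")), frozenset(("Internet", "mgmt"))}

def parse_route_targets(config):
    """Return {vrf: {"import": set, "export": set}}; 'both' counts as each."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip vrf (\S+)", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
            continue
        m = re.match(r"\s+route-target (import|export|both) (\S+)", line)
        if m and current is not None:
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                current[kind].add(m.group(2))
        elif not line.startswith(" "):
            current = None  # left the VRF stanza
    return vrfs

def leaks(vrfs):
    """Pairs (src, dst) where dst imports a route target that src exports."""
    return {(s, d) for s in vrfs for d in vrfs
            if s != d and vrfs[s]["export"] & vrfs[d]["import"]}

def violations(vrfs, allowed):
    """Return (leaks outside the policy, leaks that exist in one direction only)."""
    found = leaks(vrfs)
    unexpected = {p for p in found if frozenset(p) not in allowed}
    one_way = {p for p in found if (p[1], p[0]) not in found}
    return unexpected, one_way

if __name__ == "__main__":
    print(violations(parse_route_targets(CONFIG), ALLOWED))
```

For the page's configuration both sets come back empty: route leaking is not transitive, so dc1 and Internet exchange no routes even though each exchanges routes with mgmt. A one-way leak is worth flagging separately, because it exposes one VRF's prefixes to another without giving return reachability.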
Verification:
we check the MP-BGP VPNv4 table:
csr1kv01#show bgp vpnv4 unicast all
BGP table version is 14, local router ID is 172.16.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65000:1 (default for vrf mgmt)
 *>  10.10.0.0/24     0.0.0.0                  0         32768 ?
 *>  10.20.100.0/24   0.0.0.0                  0         32768 ?
 *>  192.168.0.0      0.0.0.0                  0         32768 ?
Route Distinguisher: 65000:2 (default for vrf dc1)
 *>  10.10.0.0/24     0.0.0.0                  0         32768 ?
 *>  10.20.100.0/24   0.0.0.0                  0         32768 ?
Route Distinguisher: 65000:99 (default for vrf Internet)
 *>  10.10.0.0/24     0.0.0.0                  0         32768 ?
 *>  192.168.0.0      0.0.0.0                  0         32768 ?
We display the routing table of each VRF:
csr1kv01#show ip route vrf ?
  WORD  VPN Routing/Forwarding instance name
csr1kv01#show ip route vrf mgmt
Routing Table: mgmt
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 10.10.0.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 10.10.0.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.10.0.0/24 is directly connected, GigabitEthernet1
L        10.10.0.11/32 is directly connected, GigabitEthernet1
B        10.20.100.0/24 is directly connected, 00:05:33, GigabitEthernet2.100
L        10.20.100.10/32 is directly connected, GigabitEthernet2.100
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
B        192.168.0.0/24 is directly connected, 00:01:33, GigabitEthernet3
L        192.168.0.50/32 is directly connected, GigabitEthernet3
csr1kv01#show ip route vrf Internet
Routing Table: Internet
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B        10.10.0.0/24 is directly connected, 00:05:53, GigabitEthernet1
L        10.10.0.11/32 is directly connected, GigabitEthernet1
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet3
L        192.168.0.50/32 is directly connected, GigabitEthernet3
Routing Table: dc1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 10.20.100.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 10.20.100.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B        10.10.0.0/24 is directly connected, 00:06:10, GigabitEthernet1
L        10.10.0.11/32 is directly connected, GigabitEthernet1
C        10.20.100.0/24 is directly connected, GigabitEthernet2.100
L        10.20.100.10/32 is directly connected, GigabitEthernet2.100
In the next post I will show VRF configuration on another device.