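Tungsten Fabric Solution Guide: Gateway MX
1 Overview
This guide describes how to use an MX as a gateway that provides external or underlay connectivity for the overlays managed by Tungsten Fabric. (Editor's note: the original text says Contrail; its open-source version has been renamed Tungsten Fabric, so every occurrence of Contrail in this article has been replaced with Tungsten Fabric.)
Depending on performance requirements, the gateway can be connected to a spine or to a leaf.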
2 Underlay/INET
2.1 eBGP
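In a typical IP fabric, all leaves, spines and gateways use eBGP to build underlay connectivity.
2.2 iBGP
With iBGP, a route reflector (RR) is recommended to avoid full-mesh peering among all BGP nodes.
3 Overlay/VPN
3.1 Loopback address
A loopback address is assigned and advertised on each MX. It is used for BGP peering with the control nodes and for tunneling with the vRouters. Connectivity between Tungsten Fabric and the loopback address is provided by the underlay.
If separate interfaces are used for the control plane and the data plane, then when the MX advertises routes, the address of the control interface is used as the next hop. To avoid this problem, use the loopback interface for both the control plane and the data plane.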
set interfaces lo0 unit 0 family inet address 10.6.0.31/32
3.2 BGP
3.2.1 AS
Normally, the gateway has one globally unique ASN.
set routing-options autonomous-system 64031
3.2.2 EBGP AND IBGP
eBGP is used when Tungsten Fabric and the gateway are in different ASes.
set protocols bgp group vpn-contrail type external
set protocols bgp group vpn-contrail multihop
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family evpn signaling
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512
iBGP is used when Tungsten Fabric and the gateway are in the same AS.
set protocols bgp group vpn-contrail type internal
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family evpn signaling
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1
When the gateway's global ASN differs from the Tungsten Fabric ASN, local-as can be used to enable iBGP.
set protocols bgp group vpn-contrail type internal
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail local-as 64512
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family evpn signaling
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512
3.3 BGP Family
3.3.1 L3VPN
set protocols bgp group vpn-contrail family inet-vpn unicast
3.3.2 EVPN
set protocols bgp group vpn-contrail family evpn signaling
3.3.3 ROUTE TARGET
set protocols bgp group vpn-contrail family route-target
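The "route-target" family is an optimization. When it is configured on the MX and a VRF import policy exists, the MX advertises route-target routes. Before advertising a VPN-IPv4 route to a neighbor, the MX also checks the route-target routing table. If the route target carried by the route has not been advertised by the neighbor, the MX does not advertise the route.
If the control-plane and data-plane interfaces are separate, the MX receives route-target routes from the Tungsten Fabric control node. The next hop of an RT route is the control node address (on the control plane). The MX tries to resolve that next hop in the data-plane MPLS table (inet.3) and fails. The RT route therefore does not take effect and is hidden, and as a result the MX does not advertise routes. To work around this, add a static route to inet.3 so that the next hop on the control interface can be resolved. The MX then applies the RT route and advertises routes. Tungsten Fabric has no such problem because it does not try to resolve the next hop.
3.4 Tunnel
Tunnel services must be enabled. Here is an example.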
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
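3.4.1 MPLSoGRE TUNNEL
For L3VPN, after BGP receives an INET-VPN route and places it in table bgp.l3vpn.0, it looks for an MPLS path for that route. BGP tries to resolve the route in table inet.3. If that succeeds, a GRE tunnel is created and an MPLS route is added to inet.3. Otherwise the route is hidden in bgp.l3vpn.0.
Once tunnels are enabled, routes for the destination-networks are added to inet.3. Here is an example.
set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail gre
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24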
source-address is the loopback address.
This is an example of a GRE tunnel route in table inet.3.
10.6.11.4/32 (1 entry, 1 announced)
    *Tunnel Preference: 300
        Next hop type: Router, Next hop index: 0
        Address: 0xd7a9210
        Next-hop reference count: 3
        Next hop: via gr-0/0/0.32769, selected
        Session Id: 0x0
        State:
        Local AS: 64031
        Age: 10
        Validation State: unverified
        Task: DYN_TUNNEL
        Announcement bits (2): 0-Resolve tree 1 1-Resolve_IGP_FRR task
        AS path: I
This is the dynamic tunnel database.
> show dynamic-tunnels database
*- Signal Tunnels #- PFE-down
Table: inet.3
Destination-network: 10.6.11.0/24
Tunnel to: 10.6.11.1/32 State: Up (expires in 00:06:58 seconds)
    Reference count: 0
    Next-hop type: gre
        Source address: 10.6.0.31
        Next hop: gr-0/0/10.32769
        State: Up
Tunnel to: 10.6.11.7/32 State: Up
    Reference count: 2
    Next-hop type: gre
        Source address: 10.6.0.31
        Next hop: gr-0/0/10.32770
        State: Up
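The constraints from sections 3.1, 3.3.3 and 3.4 can be checked against a candidate configuration before it is committed. The following is an added example, not part of the original guide or of any Juniper or Tungsten Fabric tool: it parses Junos set commands and reports the conditions the text says lead to wrong next hops or hidden route-target routes. The finding codes and the BAD sample (peering from 10.6.8.31 to a constructed neighbor 10.6.8.1) are assumptions made for the demonstration.

```python
import ipaddress

# Constructed inputs. GOOD reuses the values shown in this guide; BAD peers
# from a separate control interface instead of the loopback (assumed values).
GOOD = """
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
set interfaces lo0 unit 0 family inet address 10.6.0.31/32
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512
set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail gre
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
"""
BAD = (GOOD.replace("local-address 10.6.0.31", "local-address 10.6.8.31")
           .replace("neighbor 10.6.11.1", "neighbor 10.6.8.1"))


def parse(config):
    """Collect only the facts the checks need from Junos 'set' commands."""
    f = {"lo0": set(), "local": {}, "vpn": set(), "rt": set(), "nbr": {},
         "src": {}, "inet3": [], "tunnel_services": False}
    for line in config.splitlines():
        w = line.split()
        if len(w) < 3 or w[0] != "set":
            continue
        if w[1:5] == ["interfaces", "lo0", "unit", "0"] and w[-2] == "address":
            f["lo0"].add(ipaddress.ip_interface(w[-1]).ip)
        elif w[1] == "chassis" and "tunnel-services" in w:
            f["tunnel_services"] = True
        elif w[1:4] == ["protocols", "bgp", "group"] and len(w) > 5:
            group = w[4]
            if w[5] == "local-address":
                f["local"][group] = ipaddress.ip_address(w[6])
            elif w[5] == "neighbor":
                f["nbr"].setdefault(group, []).append(ipaddress.ip_address(w[6]))
            elif w[5:7] == ["family", "inet-vpn"]:
                f["vpn"].add(group)
            elif w[5:7] == ["family", "route-target"]:
                f["rt"].add(group)
        elif w[1:3] == ["routing-options", "dynamic-tunnels"] and len(w) > 5:
            if w[4] == "source-address":
                f["src"][w[3]] = ipaddress.ip_address(w[5])
            elif w[4] == "destination-networks":
                # destination-networks prefixes are installed in inet.3
                f["inet3"].append(ipaddress.ip_network(w[5]))
        elif w[1:6] == ["routing-options", "rib", "inet.3", "static", "route"]:
            f["inet3"].append(ipaddress.ip_network(w[6]))
    return f


def audit(config):
    """Return a list of (code, detail) findings; an empty list means clean."""
    f, out = parse(config), []
    if not f["tunnel_services"]:
        out.append(("NO_TUNNEL_SERVICES", "no PIC has tunnel-services enabled"))
    for group in sorted(f["vpn"]):
        local = f["local"].get(group)
        if local not in f["lo0"]:
            out.append(("LOCAL_ADDR_NOT_LOOPBACK",
                        f"group {group} peers from {local}, not lo0.0"))
        for name, src in sorted(f["src"].items()):
            if src != local:
                out.append(("TUNNEL_SRC_MISMATCH",
                            f"dynamic-tunnels {name} uses {src}, BGP uses {local}"))
    for group in sorted(f["rt"]):
        for nbr in f["nbr"].get(group, []):
            if not any(nbr in net for net in f["inet3"]):
                out.append(("RT_NEXTHOP_UNRESOLVED",
                            f"{nbr} has no covering route in inet.3, "
                            "so its route-target routes stay hidden"))
    return out


if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(cfg))
```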
3.4.2 MPLSoUDP TUNNEL
UDP tunnels are better suited to load balancing.
set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail udp
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
This is an example of a UDP tunnel route in table inet.3.
10.6.11.4/32 (1 entry, 1 announced)
    *Tunnel Preference: 300
        Next hop type: Tunnel Composite, Next hop index: 0
        Address: 0xd7a87f0
        Next-hop reference count: 2
        Tunnel type: UDP, Reference count: 5, nhid: 0
        Destination address: 10.6.11.4, Source address: 10.6.0.31
        State:
        Local AS: 64031
        Age: 24:46
        Validation State: unverified
        Task: DYN_TUNNEL
        Announcement bits (2): 0-Resolve tree 1 1-Resolve_IGP_FRR task
        AS path: I
When routes are exported from the VRF to Tungsten Fabric, a policy is needed to attach the encapsulation community.
set policy-options policy-statement vrf-export-provider-1 term t1 then community add provider-1
set policy-options policy-statement vrf-export-provider-1 term t1 then community add encap-udp
set policy-options policy-statement vrf-export-provider-1 term t1 then accept
set policy-options community provider-1 members target:64512:101
set policy-options community encap-udp members encapsulation:64512:13
3.5 Routing Instance
3.5.1 VRF
An RI of type vrf is used to hold L3 routes.
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lo0.11
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-target target:64512:101
set routing-instances provider-1 vrf-table-label
3.5.2 VIRTUAL SWITCH
(omitted)
4 Route import/export
4.1 Workflow
4.1.1 IMPORT
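- First, BGP establishes peering with Tungsten Fabric. Without any VRF RI and import policy, table bgp.l3vpn.0 is not created and BGP cannot receive any INET-VPN routes.
- After a VRF RI is created (vrf-table-label must be configured), either an implicit policy or an explicit policy can be used.
  - Configuring vrf-target enables the implicit policy, which imports routes carrying the specific RT community and exports routes with the specific RT community attached.
  - Configure "vrf-import" and "vrf-export" to specify explicit policies in case any other action is needed.
- With any VRF RI and import policy, table bgp.l3vpn.0 is created.
- Based on the import policy, a RIB group vpn-unicast is created for each RT.
vpn-unicast target:64512:101, Address: 0xd7a8e40
    Address Family: l3vpn, Flags: 0x4, References: 0
    Export RIB: l3vpn.0
    Import RIB: bgp.l3vpn.0
    Secondary Import RIB: provider-1.inet.0
- BGP tries to resolve the route in table inet.3. If that succeeds, a GRE tunnel is allocated. Otherwise the route is hidden.
- BGP receives INET-VPN routes that match the import policy (route-target community) and places them in table bgp.l3vpn.0. The routes are also converted to INET routes and placed in the VRF table, which is the secondary import RIB in the RIB group. Otherwise the route is discarded.
This is an example of an INET-VPN route in table bgp.l3vpn.0. It was advertised over BGP by Tungsten Fabric; the route distinguisher 10.6.11.4:2 consists of the vRouter's IP address and an ID assigned by the vRouter; it was advertised from Tungsten Fabric control node 10.6.11.1; the next hop is via the dynamic GRE tunnel interface gr-0/0/0.32769; the MPLS label is 25.
10.6.11.4:2:172.16.11.3/32
    *[BGP/170] 00:03:11, MED 100, localpref 100, from 10.6.11.1
      AS path: 64512 ?, validation-state: unverified
    > via gr-0/0/0.32769, Push 25
The route is converted to an INET route and placed in the VRF.
172.16.11.3/32
    *[BGP/170] 02:35:37, MED 100, localpref 100, from 10.6.11.1
      AS path: 64512 ?, validation-state: unverified
    > via gr-0/0/0.32769, Push 25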
4.1.2 EXPORT
- To export a route from the VRF, according to the export policy the route is converted from INET to INET-VPN, placed in table bgp.l3vpn.0, and then exported by BGP. An MPLS label is allocated for the INET-VPN route in table mpls.0.
This is the loopback interface in the VRF, as shown in table bgp.l3vpn.0.
64512:101:172.16.11.250/32
    *[Direct/0] 00:43:14
    > via lo0.11
The route is advertised with MPLS label 300624, as shown by "show route advertising-protocol bgp 10.6.11.1 detail".
* 64512:101:172.16.11.250/32 (1 entry, 1 announced)
 BGP group vpn-contrail type External
     Route Distinguisher: 64512:101
     VPN Label: 300624
     Nexthop: Self
     Flags: Nexthop Change
     AS path: [64031] I
The MPLS label is allocated in table mpls.0.
300624
    *[VPN/170] 00:55:34
      receive table provider-1.inet.0, Pop
4.2 Implicit VRF import/export policy
With vrf-target, implicit import and export policies are created.
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 vrf-target target:64512:101
The implicit import policy imports routes that carry the community "target:64540:100". As a result, routes advertised from Tungsten Fabric virtual networks with "target:64540:100" are imported into this RI.
> show policy __vrf-import-5b4s37-166-internal__
Policy __vrf-import-5b4s37-166-internal__:
    Term unnamed:
        from community __vrf-community-5b4s37-166-common-internal__ [target:64540:100 ]
        then accept
    Term unnamed:
        then reject
The implicit export policy exports routes with the community "target:64540:100". As a result, the routes are advertised to Tungsten Fabric and imported into the virtual networks that have "target:64540:100".
> show policy __vrf-export-5b4s37-166-internal__
Policy __vrf-export-5b4s37-166-internal__:
    Term unnamed:
        then community + __vrf-community-5b4s37-166-common-internal__ [target:64540:100 ] accept
4.3 Explicit VRF import/export policy
Policies can be defined explicitly to import and export routes. In this example, routes advertised from Tungsten Fabric virtual networks with "target:64540:91" and "target:64540:92" are imported into the RI. Routes in the RI are advertised with "target:64540:91" and "target:64540:92" and imported into both virtual networks.
set policy-options policy-statement provider-1-export term t1 then community add provider-1
set policy-options policy-statement provider-1-export term t1 then accept
set policy-options policy-statement provider-1-import term t1 from community provider-1
set policy-options policy-statement provider-1-import term t1 from community ext-host
set policy-options policy-statement provider-1-import term t1 then accept
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lo0.11
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export
5 External/Underlay connectivity
The idea here is:
- Have routes in the master RI that steer ingress traffic (from external/underlay to overlay) to the VRF RI.
- Have routes in the VRF RI that steer egress traffic (from overlay to external/underlay) to the master RI.
- Routes may be leaked as static routes.
There are two working options:
- Logical tunnel
- RIB groups and static routes with next-table
See the following subsections for details.
5.1 Logical tunnel
A logical tunnel is used to connect the master routing instance and the VRF routing instance. It is optional, depending on the use case. Because of bandwidth limits, the requirements and the tunnel bandwidth of the specific hardware must be checked before making the decision.
5.1.1 STATIC
This is an example of using static routes over a logical tunnel.
set chassis fpc 0 pic 0 tunnel-services
set interfaces lt-0/0/0 unit 100 encapsulation frame-relay
set interfaces lt-0/0/0 unit 100 dlci 10
set interfaces lt-0/0/0 unit 100 peer-unit 200
set interfaces lt-0/0/0 unit 100 family inet
set interfaces lt-0/0/0 unit 200 encapsulation frame-relay
set interfaces lt-0/0/0 unit 200 dlci 10
set interfaces lt-0/0/0 unit 200 peer-unit 100
set interfaces lt-0/0/0 unit 200 family inet
set routing-options static route 172.16.11.0/24 next-hop lt-0/0/0.100
set routing-instances provider-1 interface lt-0/0/0.200
set routing-instances provider-1 routing-options static route 0.0.0.0/0 next-hop lt-0/0/0.200
5.1.2 DYNAMIC
Here is an example that configures BGP peering between the VRF and master, using an aggregate route.
set chassis fpc 0 pic 0 tunnel-services
set interfaces lt-0/0/0 unit 100 encapsulation frame-relay
set interfaces lt-0/0/0 unit 100 dlci 10
set interfaces lt-0/0/0 unit 100 peer-unit 200
set interfaces lt-0/0/0 unit 100 family inet address 192.168.200.0/31
set interfaces lt-0/0/0 unit 200 encapsulation frame-relay
set interfaces lt-0/0/0 unit 200 dlci 10
set interfaces lt-0/0/0 unit 200 peer-unit 100
set interfaces lt-0/0/0 unit 200 family inet address 192.168.200.1/31
set protocols bgp group vrf type internal
set protocols bgp group vrf local-address 192.168.200.0
set protocols bgp group vrf keep all
set protocols bgp group vrf family inet unicast
set protocols bgp group vrf export provider-1-export
set protocols bgp group vrf neighbor 192.168.200.1
set policy-options policy-statement provider-1-export term t1 then community add provider-1
set policy-options policy-statement provider-1-export term t1 then accept
set policy-options policy-statement provider-1-aggregate-export term 1 from protocol aggregate
set policy-options policy-statement provider-1-aggregate-export term 1 from route-filter 172.16.11.0/24 exact
set policy-options policy-statement provider-1-aggregate-export term 1 then next-hop self
set policy-options policy-statement provider-1-aggregate-export term 1 then accept
set policy-options community provider-1 members target:64512:101
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lt-0/0/0.200
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export
set routing-instances provider-1 routing-options aggregate route 172.16.11.0/24
set routing-instances provider-1 protocols bgp group master type internal
set routing-instances provider-1 protocols bgp group master local-address 192.168.200.1
set routing-instances provider-1 protocols bgp group master keep all
set routing-instances provider-1 protocols bgp group master family inet unicast
set routing-instances provider-1 protocols bgp group master export provider-1-aggregate-export
set routing-instances provider-1 protocols bgp group master neighbor 192.168.200.0
5.2 Next-table
A routing table can be specified as the next hop of a route. Conceptually, traffic can be steered between inet.0 and vrf.inet.0 as in the example below.
The problem with this solution is that it causes a routing loop. For example, traffic to 172.16.11.9 is directed to vrf.inet.0. If no specific route resolves it there, it returns to inet.0 through the default route. To avoid this kind of routing loop, Junos does not allow this configuration.
Junos also does not allow a third table to be configured.
5.3 RIB groups
RIB groups are commonly used to leak routes between routing tables. Conceptually, one RIB group can be created to import INET routes from vrf.inet.0 into inet.0, and another RIB group can be created to import INET routes from inet.0 into vrf.inet.0.
set routing-options rib-groups provider-1-master import-rib provider-1.inet.0
set routing-options rib-groups provider-1-master import-rib inet.0
set routing-options rib-groups master-provider-1 import-rib inet.0
set routing-options rib-groups master-provider-1 import-rib provider-1.inet.0
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast rib-group master-provider-1
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 routing-options auto-export family inet unicast rib-group provider-1-master
This configuration leaks routes from inet.0 to vpn.inet.0. In the other direction, however, routes received from Tungsten Fabric are not leaked from vpn.inet.0 to inet.0, because of the Junos design. Those routes have already been leaked from bgp.l3vpn.0, so vpn.inet.0 is a secondary RIB for them. Routes in a secondary RIB are not leaked again.
5.4 RIB groups and next-table
5.4.1 INGRESS
For ingress traffic, because Junos does not leak the overlay /32 routes from the VRF to master, there are two options.
- Add a generate (aggregate) route in the VRF, and use a RIB group to leak the aggregate route from vrf.inet.0 to inet.0.
set routing-options rib-groups provider-1-master import-rib provider-1.inet.0
set routing-options rib-groups provider-1-master import-rib inet.0
set routing-options rib-groups provider-1-master import-policy provider-1-master-import
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-target target:64512:101
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 routing-options static route 0.0.0.0/0 next-table inet.0
set routing-instances provider-1 routing-options generate route 172.16.11.0/24 next-table provider-1.inet.0
set routing-instances provider-1 routing-options auto-export family inet unicast rib-group provider-1-master
- Add a static route in master with next-table pointing to vrf.inet.0.
set routing-options static route 172.16.11.0/24 next-table provider-1.inet.0
Option 2 is recommended.
Note that the export policy of the routing protocol needs to be updated to advertise such static routes.
5.4.2 EGRESS
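For egress traffic, there are two options.
- Add a static route in the VRF with next-table pointing to inet.0.
set routing-instances provider-1 routing-options static route 0.0.0.0/0 next-table inet.0
The problem here is that if it is a default route as above, it causes a routing loop. For example, ingress traffic to 172.16.11.5/32, which does not exist in vrf.inet.0, will loop between master and the VRF. Using specific routes avoids the loop, but that is not dynamic and does not scale.
- Leak the routes received by the routing protocol in master into the VRF.
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast rib-group bgp-corp-provider-1
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set routing-options rib-groups bgp-corp-provider-1 import-rib inet.0
set routing-options rib-groups bgp-corp-provider-1 import-rib provider-1.inet.0
Again, because of a Junos limitation, routes leaked into the VRF (a secondary RIB) cannot be advertised to Tungsten Fabric. The solution is to add a default reject route.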
set routing-instances provider-1 routing-options static route 0.0.0.0/0 reject
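The loop described in 5.4.2, and the effect of replacing the next-table default with a reject default plus leaked routes, can be traced with a small model of the two tables. This is an added example, not Junos code and not part of the original guide: it does a longest-prefix match per table and follows next-table hops. The external prefix 192.0.2.0/24 learned from the corp peer is a constructed value; the other prefixes come from this guide.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match in one table; returns (action, arg) or None."""
    best_net, best_nh = None, None
    for prefix, nh in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh

def forward(tables, start, dst):
    """Follow next-table hops from 'start'; return (verdict, tables visited)."""
    dst = ipaddress.ip_address(dst)
    table, path = start, []
    while True:
        if table in path:                 # same table reached twice: a loop
            return "loop", path + [table]
        path.append(table)
        nh = lookup(tables[table], dst)
        if nh is None:
            return "no-route", path
        action, arg = nh
        if action != "next-table":        # tunnel, via or reject ends the walk
            return action, path
        table = arg

# master: static /24 with next-table to the VRF (5.4.1, option 2) and one
# external route from the corp peer (192.0.2.0/24 is constructed).
MASTER = {
    "172.16.11.0/24": ("next-table", "provider-1.inet.0"),
    "192.0.2.0/24": ("via", "10.6.30.1"),
}

# Egress option 1: default route in the VRF with next-table inet.0.
LOOPING = {
    "inet.0": MASTER,
    "provider-1.inet.0": {
        "172.16.11.3/32": ("tunnel", "gr-0/0/0.32769 push 25"),
        "0.0.0.0/0": ("next-table", "inet.0"),
    },
}

# Egress option 2 (the solution in 5.4.3): routes leaked from master by the
# RIB group, plus a default reject route in the VRF.
FIXED = {
    "inet.0": MASTER,
    "provider-1.inet.0": {
        "172.16.11.3/32": ("tunnel", "gr-0/0/0.32769 push 25"),
        "192.0.2.0/24": ("via", "10.6.30.1"),
        "0.0.0.0/0": ("reject", None),
    },
}

if __name__ == "__main__":
    for name, tables in (("next-table default", LOOPING), ("reject default", FIXED)):
        for dst in ("172.16.11.3", "172.16.11.5"):
            print(name, dst, forward(tables, "inet.0", dst))
        print(name, "egress 192.0.2.10",
              forward(tables, "provider-1.inet.0", "192.0.2.10"))
```

A known overlay /32 reaches its tunnel in both variants; only the unknown address 172.16.11.5 separates them, looping in the first and being rejected in the VRF in the second.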
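5.4.3 SOLUTION
In conclusion, here is the solution.
- Leak routes from master to the VRF for egress traffic.
- Add static routes in master for ingress traffic.
Appendix A.1 is the complete configuration.
Note that this does not work with MPLSoUDP.
5.5 Forwarding filter and next-table
This solution uses a forwarding filter to steer ingress traffic to the VRF RI, and a static route with next-table to steer egress traffic to the master RI.
This solution has two problems.
- Because of some issues in Junos, it does not work with MPLSoUDP.
- To advertise routes externally, a route pointing to the gateway itself must be added. Ingress traffic hits the filter first, so the static route serves advertisement only and has no effect on traffic.
5.6 VRF to VRF
Appendix A.2 is an example configuration.
Note that because of family route-target, the remote VRF RT must be configured as an import RT on the exposed VN in Tungsten Fabric. Otherwise the gateway will not advertise the INET-VPN routes from the remote VRF.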
5.7 Community
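Routes in Tungsten Fabric carry the following communities.
- route target
- encapsulation
- mac-mobility
- 0x8004 (security group)
- 0x8071 (origin VN)
Depending on the use case (for example, routes going to an external cluster or to another Tungsten Fabric cluster), these communities may or may not need to be cleaned up.
The configuration in Appendix A.2 is an example of cleaning up communities.
6 Multi-cluster
A single gateway can support multiple clusters, which should have different ASNs.
- The gateway is configured with an ASN.
- The clusters have different private ASNs.
- iBGP among the control nodes within each cluster.
- eBGP between the gateway and the control nodes of each cluster.
- Multiple BGP groups can share the same interface to connect to different groups of neighbors.
- If each cluster is in a separate network, each cluster has its own dynamic tunnel group.
- Each cluster should have a separate public address space. Because there is no address conflict, one VRF routing instance can be shared by multiple clusters, and the public virtual networks in all clusters must have the same route target. As a result, public routes from one cluster are leaked to the other clusters.
Appendix
A.1 RIB groups and next-table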
set version 18.3R1.9
set chassis fpc 0 pic 0 tunnel-services
set interfaces ge-0/0/0 mac 52:54:00:8c:f9:2b
set interfaces ge-0/0/0 unit 0 family inet address 10.6.30.2/30
set interfaces ge-0/0/1 mac 52:54:00:c4:ee:41
set interfaces ge-0/0/1 unit 0 family inet address 10.6.20.1/30
set interfaces fxp0 unit 0 family inet address 10.6.8.31/24
set interfaces lo0 unit 0 family inet address 10.6.0.31/32
set interfaces lo0 unit 11 family inet address 172.16.11.250/32
set interfaces lo0 unit 12 family inet address 172.16.12.250/32
set routing-options interface-routes rib-group inet master-direct-vrf
set routing-options static route 172.16.11.0/24 next-table provider-1.inet.0
set routing-options static route 172.16.12.0/24 next-table provider-2.inet.0
set routing-options rib-groups bgp-corp-vrf import-rib inet.0
set routing-options rib-groups bgp-corp-vrf import-rib provider-1.inet.0
set routing-options rib-groups bgp-corp-vrf import-rib provider-2.inet.0
set routing-options rib-groups master-direct-vrf import-rib inet.0
set routing-options rib-groups master-direct-vrf import-rib provider-1.inet.0
set routing-options rib-groups master-direct-vrf import-rib provider-2.inet.0
set routing-options rib-groups master-direct-vrf import-policy rib-import-master-vrf
set routing-options route-distinguisher-id 10.6.0.31
set routing-options autonomous-system 64031
set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail gre
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast rib-group bgp-corp-vrf
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set protocols bgp group fabric type external
set protocols bgp group fabric family inet unicast
set protocols bgp group fabric export direct
set protocols bgp group fabric neighbor 10.6.20.2 peer-as 64011
set protocols bgp group vpn-contrail type external
set protocols bgp group vpn-contrail multihop
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512
set policy-options policy-statement direct term t1 from protocol direct
set policy-options policy-statement direct term t1 from protocol aggregate
set policy-options policy-statement direct term t1 then accept
set policy-options policy-statement direct term t2 from protocol static
set policy-options policy-statement direct term t2 from route-filter 172.16.11.0/24 exact
set policy-options policy-statement direct term t2 then accept
set policy-options policy-statement direct term t3 from protocol static
set policy-options policy-statement direct term t3 from route-filter 172.16.12.0/24 exact
set policy-options policy-statement direct term t3 then accept
set policy-options policy-statement rib-import-master-vrf term t2 from protocol direct
set policy-options policy-statement rib-import-master-vrf term t2 then accept
set policy-options policy-statement rib-import-master-vrf term end then reject
set policy-options policy-statement vrf-export-provider-1 term t1 then community add provider-1
set policy-options policy-statement vrf-export-provider-1 term t1 then accept
set policy-options policy-statement vrf-export-provider-1 term end then reject
set policy-options policy-statement vrf-export-provider-2 term t1 then community add provider-2
set policy-options policy-statement vrf-export-provider-2 term t1 then accept
set policy-options policy-statement vrf-export-provider-2 term end then reject
set policy-options policy-statement vrf-import-provider-1 term t1 from community provider-1
set policy-options policy-statement vrf-import-provider-1 term t1 from community ext-host
set policy-options policy-statement vrf-import-provider-1 term t1 then accept
set policy-options policy-statement vrf-import-provider-1 term end then reject
set policy-options policy-statement vrf-import-provider-2 term t1 from community provider-2
set policy-options policy-statement vrf-import-provider-2 term t1 from community ext-host
set policy-options policy-statement vrf-import-provider-2 term t1 then accept
set policy-options policy-statement vrf-import-provider-2 term end then reject
set policy-options community all-encaps members encapsulation:*:*
set policy-options community all-origin-vns members 0x8071:*:*
set policy-options community all-security-groups members 0x8004:*:*
set policy-options community encap-udp members encapsulation:64512:13
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
set policy-options community provider-2 members target:64512:102
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lo0.11
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import vrf-import-provider-1
set routing-instances provider-1 vrf-export vrf-export-provider-1
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 routing-options static route 0.0.0.0/0 reject
set routing-instances provider-2 instance-type vrf
set routing-instances provider-2 interface lo0.12
set routing-instances provider-2 route-distinguisher 64512:102
set routing-instances provider-2 vrf-import vrf-import-provider-2
set routing-instances provider-2 vrf-export vrf-export-provider-2
set routing-instances provider-2 vrf-table-label
set routing-instances provider-2 routing-options static route 0.0.0.0/0 reject
A.2 VRF to VRF
set version 18.3R1.9
set chassis fpc 0 pic 0 tunnel-services
set interfaces ge-0/0/0 mac 52:54:00:8c:f9:2b
set interfaces ge-0/0/0 unit 0 family inet address 10.6.30.2/30
set interfaces ge-0/0/1 mac 52:54:00:c4:ee:41
set interfaces ge-0/0/1 unit 0 family inet address 10.6.20.1/30
set interfaces fxp0 unit 0 family inet address 10.6.8.31/24
set interfaces lo0 unit 0 family inet address 10.6.0.31/32
set routing-options route-distinguisher-id 10.6.0.31
set routing-options autonomous-system 64031
set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail gre
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
set routing-options dynamic-tunnels contrail destination-networks 10.6.0.0/16
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set protocols bgp group fabric type external
set protocols bgp group fabric family inet unicast
set protocols bgp group fabric export direct
set protocols bgp group fabric neighbor 10.6.20.2 peer-as 64011
set protocols bgp group vpn-contrail type external
set protocols bgp group vpn-contrail multihop
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512
set protocols bgp group vpn-external type external
set protocols bgp group vpn-external multihop
set protocols bgp group vpn-external local-address 10.6.0.31
set protocols bgp group vpn-external keep all
set protocols bgp group vpn-external family inet-vpn unicast
set protocols bgp group vpn-external family route-target
set protocols bgp group vpn-external export vpn-external-export
set protocols bgp group vpn-external neighbor 10.6.0.41 peer-as 64041
set policy-options policy-statement direct term t1 from protocol direct
set policy-options policy-statement direct term t1 then accept
set policy-options policy-statement provider-1-export term t1 then accept
set policy-options policy-statement provider-1-import term t1 from community provider-1
set policy-options policy-statement provider-1-import term t1 from community ext-host
set policy-options policy-statement provider-1-import term t1 then accept
set policy-options policy-statement vpn-external-export term t1 from community provider-1
set policy-options policy-statement vpn-external-export term t1 then community add ext-host
set policy-options policy-statement vpn-external-export term t1 then community delete all-encaps
set policy-options policy-statement vpn-external-export term t1 then community delete all-security-groups
set policy-options policy-statement vpn-external-export term t1 then community delete all-origin-vns
set policy-options policy-statement vpn-external-export term t1 then accept
set policy-options community all-encaps members encapsulation:*:*
set policy-options community all-origin-vns members 0x8071:*:*
set policy-options community all-security-groups members 0x8004:*:*
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
set firewall family inet filter to-vrf term 1 from destination-address 172.16.11.0/24
set firewall family inet filter to-vrf term 1 then routing-instance provider-1
set firewall family inet filter to-vrf term default then accept
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export
From the ITPUB blog, link: http://blog.itpub.net/69957171/viewspace-2697847/. If you reproduce this article, credit the source; otherwise legal action will be pursued.