diff options
author | L. Repetto <leanrepetto@gmail.com> | 2022-04-20 16:17:50 -0300 |
---|---|---|
committer | L. Repetto <leanrepetto@gmail.com> | 2022-04-20 16:17:50 -0300 |
commit | 86271c1d8358839c5815cb2fbe90a8495b330be7 (patch) | |
tree | 8269a91ee31d19ee82b822fa6ba744718121ca9a /docs/configexamples/inter-vrf-routing-vrf-lite.rst | |
parent | b51b7ad1f321cf77dddd06bb597442619ca836ff (diff) | |
download | vyos-documentation-86271c1d8358839c5815cb2fbe90a8495b330be7.tar.gz vyos-documentation-86271c1d8358839c5815cb2fbe90a8495b330be7.zip |
correct ident, remove titles and image.
Diffstat (limited to 'docs/configexamples/inter-vrf-routing-vrf-lite.rst')
-rw-r--r-- | docs/configexamples/inter-vrf-routing-vrf-lite.rst | 69 |
1 files changed, 44 insertions, 25 deletions
diff --git a/docs/configexamples/inter-vrf-routing-vrf-lite.rst b/docs/configexamples/inter-vrf-routing-vrf-lite.rst index d5c13e35..e109c12c 100644 --- a/docs/configexamples/inter-vrf-routing-vrf-lite.rst +++ b/docs/configexamples/inter-vrf-routing-vrf-lite.rst @@ -16,6 +16,8 @@ where you might need that some network can access other in a different VRF. The scope of this document is to cover such cases in a dynamic way without the use of MPLS-LDP. +General information about L3VPNs can be found in the :ref:`configuration/vrf/index:L3VPN VRFs` chapter. + ******** Overview ******** @@ -68,12 +70,14 @@ community(ies) into that prefix. ******** Topology ******** - .. image:: /_static/images/inter-vrf-routing-vrf-lite.png :width: 70% - :align: left + :align: center :alt: Network Topology Diagram + + + IP Schema ========= @@ -133,7 +137,8 @@ Step 1: VRF and Configurations to remote networks ------------------------------------------------- - Configuration -^^^^^^^^^^^^^^^ + + Set the VRF name and Table ID, set interface address and bind it to the VRF. Last add the static route to the remote network. @@ -153,7 +158,8 @@ Last add the static route to the remote network. set vrf name <VRF> protocols static route <NETWORK/CIDR> next-hop <REMOTE IP ADDRESS> - Verification -^^^^^^^^^^^^^^ + + Checking the routing table of the VRF should reveal both static and connected entries active. A PING test between the Core and remote router is a way to @@ -221,8 +227,10 @@ validate connectivity within the VRF. Step 2: BGP Configuration for VRF-Lite -------------------------------------- + - Configuration -^^^^^^^^^^^^^^^ + + Setting BGP global local-as as well inside the VRF. Redistribute static routes to inject configured networks into the BGP process but still inside the VRF. @@ -238,7 +246,8 @@ to inject configured networks into the BGP process but still inside the VRF. set vrf name <VRF> protocols bgp address-family <AF IPv4/IPv6> redistribute static - Verification -^^^^^^^^^^^^^^ + + Check the BGP VRF table and verify if the static routes are injected showing the correct next-hop information. @@ -277,8 +286,9 @@ the correct next-hop information. Step 3: VPN Configuration ------------------------- + - Configuration -^^^^^^^^^^^^^^^ + Within the VRF we set the Route-Distinguisher (RD) and Route-Targets (RT), then we enable the export/import VPN. @@ -308,7 +318,8 @@ There are some cases where this is not needed -for example, in some DDoS appliance- but most inter-vrf routing designs use the above configurations. - Verification -^^^^^^^^^^^^^^ + + After configured all the VRFs involved in this topology we take a deeper look at both BGP and Routing table for the VRF LAN1 @@ -410,10 +421,11 @@ installed, we can see -between round brackets- the exported VRF table. Step 4: End to End verification ------------------------------- + Now we perform some end-to-end testing - From Management to LAN1/LAN2 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + .. code-block:: none @@ -455,7 +467,8 @@ Now we perform some end-to-end testing rtt min/avg/max/mdev = 1.660/1.960/2.315/0.236 ms - From Management to Outside (fails as intended) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + .. code-block:: none @@ -505,7 +518,8 @@ Now we perform some end-to-end testing - LAN1 to Outside -^^^^^^^^^^^^^^^^^ + + .. code-block:: none @@ -559,7 +573,8 @@ Now we perform some end-to-end testing route and ping will fail. - LAN1 to LAN2 -^^^^^^^^^^^^^^ + + .. code-block:: none @@ -596,10 +611,10 @@ Appendix-A ********** Full configuration from all devices ------------------------------------ +=================================== - Core -^^^^^^ + .. code-block:: none @@ -684,7 +699,7 @@ Full configuration from all devices - LAN1 -^^^^^^ + .. code-block:: none @@ -696,9 +711,11 @@ Full configuration from all devices set protocols static route6 ::/0 next-hop 2001:db8::* - LAN2 -^^^^^^ + + .. code-block:: none + set interfaces dummy dum0 address '172.16.0.1/24' set interfaces dummy dum0 address '2001:db8:0:2::1/64' set interfaces ethernet eth0 hw-id '50:00:00:03:00:00' @@ -708,7 +725,7 @@ Full configuration from all devices set protocols static route6 ::/0 next-hop 2001:db8::2 - Management -^^^^^^^^^^^^ + .. code-block:: none @@ -720,7 +737,7 @@ Full configuration from all devices set protocols static route6 ::/0 next-hop 2001:db8::4 - ISP -^^^^^ + .. code-block:: none @@ -747,14 +764,16 @@ Appendix-B ********** Route-Filtering ---------------- +=============== + When importing routes using MP-BGP it is possible to filter a subset of them before are injected in the BGP table. One of the most common case is to use a route-map with an prefix-list. - Configuration -^^^^^^^^^^^^^^^ + + We create a prefix-list first and add all the routes we need to. @@ -794,11 +813,11 @@ actions inside the rules of the route-map. set policy route-map LAN2-Internet-v6 rule 1 match ipv6 address prefix-list 'LAN2-Internet-v6' We are using a "white list" approach by allowing only what is necessary. In case -that need to implement a "black list" approach you will ned to change the action -in the route-map for a deny BUT you need to add a rule that permit the rest due -to the implicit deny in the route-map. +that need to implement a "black list" approach then you will need to change the +action in the route-map for a deny BUT you need to add a rule that permits the +rest due to the implicit deny in the route-map. -Then we need to attach the policy into the bgp process. This needs to be under +Then we need to attach the policy to the BGP process. This needs to be under the import statement in the vrf we need to filter. .. code-block:: none @@ -808,7 +827,7 @@ the import statement in the vrf we need to filter. - Verification -^^^^^^^^^^^^^^ + .. code-block:: none |