VRFs are a method of segregating IP traffic, but there are situations in which we want the routes in one customer's VRF to be visible in another customer's VRF. Below I describe such a setup and, in addition, show how to filter the routes that are imported from one VRF into another.
We have the topology below, where router PE-1 has VRFs ALFA and BETA configured, while PE-2 has only VRF ALFA configured. The customer router in VRF BETA has two loopback interfaces configured, with IP addresses 41.1.1.1/32 and 42.1.1.1/32.
Topology
The goal is for the customer router in VRF ALFA to have a route to loopback interface 41.
To achieve this, we go through the following steps:
1. We do route leaking between the VRFs by configuring in each of them a route-target import that corresponds to what is configured as route-target export in the other VRF.
2. Because PE-2 has only VRF ALFA configured, on PE-1 we need to configure an import map in VRF ALFA. This is nothing more than a route-map in which we match the prefixes we want to import from VRF BETA and change their route-target export value to the value configured as route-target import in VRF ALFA. That way, when the prefixes imported from VRF BETA are carried over MP-BGP to PE-2, they will be visible in VRF ALFA.
PE-1 configuration
PE-1#show running-config vrf ALFA
vrf definition ALFA
rd 1:1
address-family ipv4
import map ALFA
route-target export 1:1
route-target import 1:1
route-target import 2:2
exit-address-family
!
router bgp 23
address-family ipv4 vrf ALFA
redistribute connected
redistribute static
exit-address-family
!
ip route vrf ALFA 34.3.0.0 255.255.0.0 Null0
ip route vrf ALFA 41.0.0.0 255.0.0.0 Null0
ip route vrf ALFA 42.0.0.0 255.0.0.0 Null0
PE-1#show route-map ALFA
route-map ALFA, permit, sequence 10
Match clauses:
ip address prefix-lists: BETA
Set clauses:
extended community RT:1:1 additive
Policy routing matches: 0 packets, 0 bytes
PE-1#show ip prefix-list BETA
ip prefix-list BETA: 2 entries
seq 5 permit 34.3.4.0/24
seq 10 permit 41.1.1.0/24
Because the BGP configuration on PE-1 uses the redistribute static command in VRF ALFA, and we added two static routes to Null0 to announce the prefixes configured on both loopbacks of CPE-BETA, the customer router in VRF BETA will receive both routes. However, because the prefix-list used in the import map that specifies which routes we accept from VRF BETA lists only prefix 41.1.1.0/24, only that one will be reachable from the customer router in VRF ALFA.
PE-1#show running-config vrf BETA
vrf definition BETA
rd 2:2
address-family ipv4
import map BETA
route-target export 2:2
route-target import 2:2
route-target import 1:1
exit-address-family
!
interface FastEthernet1/1
vrf forwarding BETA
ip address 34.3.4.3 255.255.255.0
duplex auto
speed auto
!
router bgp 23
!
address-family ipv4 vrf BETA
redistribute connected
redistribute static
neighbor 34.3.4.4 remote-as 34
neighbor 34.3.4.4 activate
neighbor 34.3.4.4 send-community both
exit-address-family
PE-1#show route-map BETA
route-map BETA, permit, sequence 10
Match clauses:
ip address prefix-lists: ALFA
Set clauses:
Policy routing matches: 0 packets, 0 bytes
PE-1#show ip prefix-list ALFA
ip prefix-list ALFA: 1 entries
seq 5 permit 12.1.2.0/24
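An added audit sketch, not part of the original post: the Python below parses the two PE-1 VRF definitions shown above (embedded as constructed, re-indented input) and lists every VRF pair in which one side imports a route-target that the other exports, together with the import map that filters that leak. The names parse_vrfs and find_leaks are hypothetical, and the parser assumes the usual indented running-config layout.

```python
import re

# Constructed input: the PE-1 VRF definitions shown on this page, re-indented.
PE1_CONFIG = """\
vrf definition ALFA
 rd 1:1
 address-family ipv4
  import map ALFA
  route-target export 1:1
  route-target import 1:1
  route-target import 2:2
 exit-address-family
!
vrf definition BETA
 rd 2:2
 address-family ipv4
  import map BETA
  route-target export 2:2
  route-target import 2:2
  route-target import 1:1
 exit-address-family
"""

def parse_vrfs(config):
    """Map each VRF name to its import RTs, export RTs and import map name."""
    vrfs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # top-level line: a VRF block starts or ends
            m = re.fullmatch(r"vrf definition (\S+)", line)
            cur = vrfs.setdefault(m.group(1), {"import": set(), "export": set(),
                                               "import_map": None}) if m else None
        elif cur is not None:
            if m := re.fullmatch(r"route-target (import|export|both) (\S+)", line):
                for kind in ("import", "export"):
                    if m.group(1) in (kind, "both"):
                        cur[kind].add(m.group(2))
            elif m := re.fullmatch(r"import map (\S+)", line):
                cur["import_map"] = m.group(1)
    return vrfs

def find_leaks(vrfs):
    """Return (source, destination, shared RTs, destination import map) tuples."""
    return [(src, dst, sorted(d["import"] & s["export"]), d["import_map"])
            for dst, d in sorted(vrfs.items()) for src, s in sorted(vrfs.items())
            if src != dst and d["import"] & s["export"]]

if __name__ == "__main__":
    print(*find_leaks(parse_vrfs(PE1_CONFIG)), sep="\n")
```

A tuple whose last element is None marks a leak with no import map, meaning every route carrying the shared route-target crosses the VRF boundary unfiltered.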
PE-2 configuration
PE-2#show running-config vrf ALFA
vrf definition ALFA
rd 1:1
address-family ipv4
route-target export 1:1
route-target import 1:1
exit-address-family
!
interface FastEthernet1/1
vrf forwarding ALFA
ip address 12.1.2.2 255.255.255.0
duplex auto
speed auto
!
router bgp 23
address-family ipv4 vrf ALFA
redistribute connected
redistribute static
neighbor 12.1.2.1 remote-as 12
neighbor 12.1.2.1 activate
neighbor 12.1.2.1 send-community both
exit-address-family
PE-2#show running-config vrf BETA
% No VRF named BETA
Verification
CPE-ALFA#show ip route
12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 12.1.2.0/24 is directly connected, FastEthernet1/1
L 12.1.2.1/32 is directly connected, FastEthernet1/1
34.0.0.0/16 is subnetted, 1 subnets
B 34.3.0.0 [20/0] via 12.1.2.2, 01:03:52
B 41.0.0.0/8 [20/0] via 12.1.2.2, 01:03:14
B 42.0.0.0/8 [20/0] via 12.1.2.2, 01:03:12
CPE-ALFA#ping 41.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 41.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/46/48 ms
CPE-ALFA#ping 42.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 42.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The GNS3 lab files can be downloaded from here.
GNS3 version used: 2.1.5
IOS image: C7200-ADVENTERPRISEK9-M, Version 15.1(4)M2
All the best! :)