VXLAN综合场景-Service-Leaf独立部署,租户穿行防火墙

上张贴CrossGrave发表回复

场景说明:Servers模拟虚拟机,在ServerLeaf上有两个租户分别为租户A、租户B,他们购买了各自的防火墙,在ServiceLeaf下联,Spine和Border融合部署,要求租户访问互联网流量先经过租户的防火墙,再经过边界防火墙然后访问互联网。租户防火墙采用vsys方式部署

流量路径:

关于租户防火墙内流量路径:防火墙分为根墙、租户虚墙A、租户虚墙B,流量需要先经过租户虚墙后,然后在经过根墙然后转发给Spine。

Spine/Border-Leaf配置:

sysname SpineAndBorder-Leaf
#
vlan batch 3 to 4
#
evpn-overlay enable
#两个VRF Internet和Inside_Internet用于隔离内部和外部路由,然后通过防火墙打通两个VRF
ip vpn-instance Internet
 ipv4-family
  route-distinguisher 1:200
  vpn-target 1:200 export-extcommunity
  vpn-target 1:200 import-extcommunity
#
ip vpn-instance Inside_Internet
 ipv4-family
  route-distinguisher 1:201
  vpn-target 1:201 export-extcommunity
  vpn-target 1:201 import-extcommunity
#
bridge-domain 20000 //配置与外部互联的VXLAN
 vxlan vni 20000
 evpn
  route-distinguisher 1:20000
  vpn-target 1:20000 export-extcommunity
  vpn-target 1:20000 import-extcommunity
#
#
interface Vbdif20000 //承接外部流量的vxlan网关
 ip binding vpn-instance Inside_Internet
 ip address 10.0.255.254 255.255.255.0
#
interface Vlanif3 //与防火墙Untrust互联的接口
 ip binding vpn-instance Internet
 ip address 10.0.3.1 255.255.255.252
 ospf network-type p2p
#
interface Vlanif4 //与防火墙Trust互联的接口
 ip binding vpn-instance Inside_Internet
 ip address 10.0.4.1 255.255.255.252
 ospf network-type p2p
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.0.1.1 255.255.255.252
 ospf network-type p2p
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 10.0.1.5 255.255.255.252
 ospf network-type p2p
#
interface GE1/0/2
 undo shutdown
#
interface GE1/0/8 //与Internet互联的接口
 undo portswitch
 undo shutdown
 ip binding vpn-instance Internet
 ip address 100.1.1.2 255.255.255.252
#
interface GE1/0/9 //与旁路防火墙互联的接口
 undo shutdown
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3 to 4
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
interface Nve1 //配置vtep与头端复制方式
 source 1.1.1.1
 vni 20000 head-end peer-list protocol bgp
#
interface NULL0
#
bgp 100 instance EVPN //配置BGP EVPN,这里模拟器有BUG,采用peer group方式配置的话,会出现邻居关系无法正常建立的情况。
 peer 1.1.1.2 as-number 100
 peer 1.1.1.2 connect-interface LoopBack0
 peer 1.1.1.3 as-number 100
 peer 1.1.1.3 connect-interface LoopBack0
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 1.1.1.2 enable
  peer 1.1.1.2 advertise irb //通告irb路由,如果不配置该命令,则无法正常传递主机路由
  peer 1.1.1.2 reflect-client
  peer 1.1.1.3 enable
  peer 1.1.1.3 advertise irb //通告irb路由,如果不配置该命令,则无法正常传递主机路由
  peer 1.1.1.3 reflect-client
#
ospf 1  //Underlay层通讯使用OSPF打通
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 10.0.1.0 0.0.0.3
  network 10.0.1.4 0.0.0.3
#
ospf 100 vpn-instance Inside_Internet //与防火墙Trust互联的OSPF
 import-route static
 vpn-instance-capability simple
 area 0.0.0.0
  network 10.0.4.0 0.0.0.3
  network 100.1.0.0 0.0.0.255
  network 100.2.0.0 0.0.0.255
#
ospf 101 vpn-instance Internet //与防火墙Untrust互联的OSPF
 default-route-advertise
 area 0.0.0.0
  network 10.0.3.0 0.0.0.3
#
ip route-static vpn-instance Internet 0.0.0.0 0.0.0.0 100.1.1.1
ip route-static vpn-instance Inside_Internet 100.1.0.0 255.255.255.0 10.0.255.1 //回程路由到租户防火墙
ip route-static vpn-instance Inside_Internet 100.2.0.0 255.255.255.0 10.0.255.1 //回程路由到租户防火墙

Server-Leaf配置:

sysname Server-Leaf
#
vlan batch 10 20
#
evpn-overlay enable
#
evpn
#
ip vpn-instance A //配置租户A的VRF
 ipv4-family
  route-distinguisher 1:1000
  vpn-target 1:1000 export-extcommunity
  vpn-target 1:1000 export-extcommunity evpn //这里一定要配置带EVPN的RT值,如果不配置,那么5类路由不会加入路由表
  vpn-target 1:1000 import-extcommunity
  vpn-target 1:1000 import-extcommunity evpn
 vxlan vni 1000 //L3 VNI
#
ip vpn-instance B //配置租户B的VRF
 ipv4-family
  route-distinguisher 1:2000
  vpn-target 1:2000 export-extcommunity
  vpn-target 1:2000 export-extcommunity evpn //这里一定要配置带EVPN的RT值,如果不配置,那么5类路由不会加入路由表
  vpn-target 1:2000 import-extcommunity
  vpn-target 1:2000 import-extcommunity evpn
 vxlan vni 2000 //L3 VNI
#
bridge-domain 10010
 vxlan vni 10010
 evpn
  route-distinguisher 1:10010
  vpn-target 1:10010 export-extcommunity
  vpn-target 1:1000 export-extcommunity //配置租户A的RT交叉
  vpn-target 1:10010 import-extcommunity
#
bridge-domain 10020
 vxlan vni 10020
 evpn
  route-distinguisher 1:10020
  vpn-target 1:10020 export-extcommunity
  vpn-target 1:2000 export-extcommunity
  vpn-target 1:10020 import-extcommunity
#
interface Vbdif10010
 ip binding vpn-instance A
 ip address 192.168.10.254 255.255.255.0
 arp collect host enable //配置通过ARP表项来生成32位主机路由
#
interface Vbdif10020
 ip binding vpn-instance B
 ip address 192.168.20.254 255.255.255.0
 arp collect host enable //配置通过ARP表项来生成32位主机路由
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 10.0.1.2 255.255.255.252
 ospf network-type p2p
#
interface GE1/0/9
 undo shutdown
 port link-type trunk
#
interface GE1/0/9.10 mode l2
 encapsulation dot1q vid 10
 bridge-domain 10010
#
interface GE1/0/9.20 mode l2
 encapsulation dot1q vid 20
 bridge-domain 10020
#
interface LoopBack0
 ip address 1.1.1.2 255.255.255.255
#
interface Nve1
 source 1.1.1.2
 vni 10010 head-end peer-list protocol bgp
 vni 10020 head-end peer-list protocol bgp
#
interface NULL0
#
bgp 100
 undo default ipv4-unicast
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.1 enable
 #
 l2vpn-family evpn
  policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
#
ospf 1
 area 0.0.0.0
  network 1.1.1.2 0.0.0.0
  network 10.0.1.0 0.0.0.3
#

Service-Leaf配置:

sysname Service-Leaf
#
evpn-overlay enable
#
ip vpn-instance A
 ipv4-family
  route-distinguisher 1:1000
  vpn-target 1:1000 export-extcommunity
  vpn-target 1:1000 export-extcommunity evpn
  vpn-target 1:1000 import-extcommunity
  vpn-target 1:1000 import-extcommunity evpn
 vxlan vni 1000
#
ip vpn-instance B
 ipv4-family
  route-distinguisher 1:2000
  vpn-target 1:2000 export-extcommunity
  vpn-target 1:2000 export-extcommunity evpn
  vpn-target 1:2000 import-extcommunity
  vpn-target 1:2000 import-extcommunity evpn
 vxlan vni 2000
#
bridge-domain 10100
 vxlan vni 10100
 evpn
  route-distinguisher 1:10100
  vpn-target 1:10100 export-extcommunity
  vpn-target 1:1000 export-extcommunity //配置租户的交叉ERT
  vpn-target 1:10100 import-extcommunity
#
bridge-domain 10200
 vxlan vni 10200
 evpn
  route-distinguisher 1:10200
  vpn-target 1:10200 export-extcommunity
  vpn-target 1:2000 export-extcommunity //配置租户的交叉ERT
  vpn-target 1:10200 import-extcommunity
#
bridge-domain 20000 //与外部通讯的vxlan20000
 vxlan vni 20000
 evpn
  route-distinguisher 1:20000
  vpn-target 1:20000 export-extcommunity
  vpn-target 1:20000 import-extcommunity
#
interface Vbdif10100
 ip binding vpn-instance A
 ip address 10.0.100.254 255.255.255.0
 arp collect host enable
#
interface Vbdif10200
 ip binding vpn-instance B
 ip address 10.0.200.254 255.255.255.0
#
interface MEth0/0/0
 undo shutdown
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.0.1.6 255.255.255.252
 ospf network-type p2p
#
interface GE1/0/9
 undo shutdown
 port link-type trunk
#
interface GE1/0/9.100 mode l2
 encapsulation dot1q vid 100
 bridge-domain 10100
#
interface GE1/0/9.200 mode l2
 encapsulation dot1q vid 200
 bridge-domain 10200
#
interface GE1/0/9.255 mode l2
 encapsulation dot1q vid 255
 bridge-domain 20000
#
interface LoopBack0
 ip address 1.1.1.3 255.255.255.255
#
interface Nve1
 source 1.1.1.3
 vni 20000 head-end peer-list protocol bgp
#
bgp 100
 undo default ipv4-unicast
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo peer 1.1.1.1 enable
 #
 ipv4-family vpn-instance A //配置租户的路由,且允许引入默认路由,并且允许将租户路由通过EVPN方式通告
  default-route imported
  import-route static
  advertise l2vpn evpn
 #
 ipv4-family vpn-instance B //配置租户的路由,且允许引入默认路由,并且允许将租户路由通过EVPN方式通告
  default-route imported
  import-route static
  advertise l2vpn evpn
 #
 l2vpn-family evpn
  policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise irb
#
ospf 1
 area 0.0.0.0
  network 1.1.1.3 0.0.0.0
  network 10.0.1.4 0.0.0.3
#
ip route-static vpn-instance A 0.0.0.0 0.0.0.0 10.0.100.1 //将流量引流到租户防火墙
ip route-static vpn-instance B 0.0.0.0 0.0.0.0 10.0.200.1 //将流量引流到租户防火墙
#
return

租户防火墙配置:

!Software Version V500R005C00SPC100
#
sysname Tenant_FW
#
vsys enable
#
vsys name A 1 //创建虚墙A并分配相应端口和公网IP
 assign interface GigabitEthernet1/0/0.100
 assign global-ip 100.1.0.100 100.1.0.200 exclusive
#
vsys name B 2 //创建虚墙B并分配相应端口和公网IP
 assign interface GigabitEthernet1/0/0.200
 assign global-ip 100.2.0.100 100.2.0.200 exclusive
#
ip vpn-instance A
 ipv4-family
#
ip vpn-instance B
 ipv4-family
#
ip vpn-instance default
 ipv4-family
#配置根墙、虚墙所归属的子接口
interface GigabitEthernet1/0/0.100
 vlan-type dot1q 100
 ip binding vpn-instance A
 ip address 10.0.100.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/0.200
 vlan-type dot1q 200
 ip binding vpn-instance B
 ip address 10.0.200.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/0.255
 vlan-type dot1q 255
 ip address 10.0.255.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface Virtual-if0 //这里防火墙虚拟内联口需要配置地址才会生成路由,可以是根墙和虚墙可以同子网地址也可以是不同子网地址。
 ip address 1.1.1.1 255.255.255.0
#
interface Virtual-if1
 ip address 1.1.1.2 255.255.255.0
#
interface Virtual-if2
 ip address 1.1.3.1 255.255.255.0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface Virtual-if0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0.255
#
firewall zone dmz
 set priority 50
#
api
#
ip route-static 0.0.0.0 0.0.0.0 10.0.255.254
ip route-static 100.1.0.0 255.255.255.0 vpn-instance A //配置虚墙A的回程路由
ip route-static 100.2.0.0 255.255.255.0 vpn-instance B //配置虚墙B的回程路由
#
security-policy
 rule name Trust_Untrust_Permit
  source-zone trust
  destination-zone untrust
  source-address 100.1.0.0 mask 255.255.255.0
  source-address 100.2.0.0 mask 255.255.255.0
  action permit

#############################################虚墙A的配置##################################################
switch vsys A
#
interface GigabitEthernet1/0/0.100
 vlan-type dot1q 100
 ip binding vpn-instance A
 ip address 10.0.100.1 255.255.255.0
 service-manage ping permit
#
interface Virtual-if1
 ip address 1.1.1.2 255.255.255.0
#
sa
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0.100
#
firewall zone untrust
 set priority 5
 add interface Virtual-if1
#
firewall zone dmz
 set priority 50
#
location
#
nat address-group SNAT 1
 mode pat
 route enable
 section 0 100.1.0.100 100.1.0.100
#
 multi-linkif
 mode proportion-of-weight
#
security-policy
 rule name Trust_Untrust_Permit
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action permit
 rule name Local_Trust_Permit
  source-zone local
  destination-zone trust
  action permit
#
nat-policy //将租户VPC内地址转换为公网地址SNAT方式
 rule name Trust_Untrust_SNAT
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action source-nat address-group SNAT
#
ip route-static 0.0.0.0 0.0.0.0 public //配置去往根墙的路由
ip route-static 192.168.10.0 255.255.255.0 10.0.100.254 //回程路由
#
return
#

#############################################虚墙B的配置##################################################
switch vsys B
#
interface GigabitEthernet1/0/0.200
 vlan-type dot1q 200
 ip binding vpn-instance B
 ip address 10.0.200.1 255.255.255.0
 service-manage ping permit
#
interface Virtual-if2
 ip address 1.1.3.1 255.255.255.0
#
sa
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0.200
#
firewall zone untrust
 set priority 5
 add interface Virtual-if2
#
firewall zone dmz
 set priority 50
#
location
#
nat address-group SNAT 0
 mode pat
 route enable
 section 0 100.2.0.100 100.2.0.100
#
 multi-linkif
 mode proportion-of-weight
#
security-policy
 rule name Trust_Untrust_Permit
  source-zone trust
  destination-zone untrust
  source-address 192.168.20.0 mask 255.255.255.0
  action permit
 rule name Local_Trust_Permit
  source-zone local
  destination-zone trust
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy //将租户VPC内地址转换为公网地址SNAT方式
 rule name Trust_Untrust_SNAT
  source-zone trust
  destination-zone untrust
  source-address 192.168.20.0 mask 255.255.255.0
  action source-nat address-group SNAT
#
proxy-policy
#
pcp-policy
#
ip route-static 0.0.0.0 0.0.0.0 public //配置去往根墙的路由
ip route-static 192.168.20.0 255.255.255.0 10.0.200.254 //回程路由
#
return

实验结果:

两个租户均可以访问互联网
边界防火墙上租户的NAT转换后的会话

配置要点:主要的要点是在租户防火墙和Service-Leaf,一个是Service-Leaf需要引导租户流量进入防火墙的配置,另外一个就是租户防火墙内虚墙和根墙的流量处理,这里比较简单。另外一个就是模拟器虚墙有BUG,虚墙接口不主动相应ARP,需要先通过虚墙ping一下对应的vxlan网关才可以正常通讯。

发表评论

您的电子邮箱地址不会被公开。

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据