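Translator: TF编译组
1 Overview
This guide describes how to use an MX as a gateway to provide external or underlay connectivity for the overlay managed by Tungsten Fabric. (Editor's note: the original text says Contrail; its open-source version has been renamed Tungsten Fabric, so every occurrence of Contrail in this article has been replaced with Tungsten Fabric.)
Depending on performance requirements, the gateway can be connected to a spine or a leaf.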
2 Underlay/INET
2.1 eBGP
In a typical IP fabric, all leaves, spines and gateways use eBGP to establish underlay connectivity.
2.2 iBGP
For iBGP, an RR (route reflector) is recommended to avoid full-mesh peering between all BGP nodes.
3 Overlay/VPN
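3.1 Loopback Address
A loopback address is allocated and advertised on each MX. It is used for BGP peering with the control nodes and for tunneling with the vRouters. Connectivity between Tungsten Fabric and the loopback address is provided by the underlay.
If separate interfaces are used for the control plane and the data plane, the address of the control interface is used as the next hop when the MX advertises routes. To resolve this, the loopback interface should be used for both the control plane and the data plane.
set interfaces lo0 unit 0 family inet address 10.6.0.31/32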
3.2 BGP
3.2.1 AS
Typically, the gateway has a globally unique ASN.
set routing-options autonomous-system 64031
3.2.2 eBGP and iBGP
When Tungsten Fabric and the gateway are in different ASes, eBGP is used.
set protocols bgp group vpn-contrail type external
set protocols bgp group vpn-contrail multihop
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family evpn signaling
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512
When Tungsten Fabric and the gateway are in the same AS, iBGP is used.
set protocols bgp group vpn-contrail type internal
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family evpn signaling
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1
When the gateway's global ASN differs from the Tungsten Fabric ASN, local-as can be used to enable iBGP.
set protocols bgp group vpn-contrail type internal
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail local-as 64512
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family evpn signaling
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512
3.3 BGP Family
3.3.1 L3VPN
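set protocols bgp group vpn-contrail family inet-vpn unicast
3.3.2 EVPN
set protocols bgp group vpn-contrail family evpn signaling
3.3.3 Route Target
set protocols bgp group vpn-contrail family route-target
The "route-target" family is an optimization. When it is configured on the MX and a VRF import policy exists, the MX advertises route-target routes. Before advertising a VPN-IPv4 route to a neighbor, the MX also checks the route-target routing table. If the route target carried by that route has not been advertised by the neighbor, the MX does not advertise the route.
If the control-plane and data-plane interfaces are separate, the MX receives route-target routes from the Tungsten Fabric control node. The next hop of an RT route is the control node address (on the control plane). The MX tries to resolve that next hop in the MPLS table (inet.3) on the data plane, but fails. The RT route therefore does not take effect and is hidden. As a result, the MX does not advertise routes. To fix this, add a static route in inet.3 so that the control-interface next hop can be resolved. The MX then applies the RT route and advertises routes. Tungsten Fabric does not have this problem because it does not try to resolve the next hop.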
3.4 Tunnel
Tunnel services must be enabled. Here is an example.
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
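3.4.1 MPLSoGRE Tunnel
For L3VPN, after BGP receives an INET-VPN route and places it in table bgp.l3vpn.0, it looks for an MPLS path for that route. BGP tries to resolve the route in table inet.3. If it succeeds, a GRE tunnel is created and an MPLS route is added to inet.3. Otherwise, the route is hidden in bgp.l3vpn.0.
Once dynamic tunnels are enabled, routes for the destination-networks are added to inet.3. Here is an example.
set routing-options dynamic-tunnels contrail source-address 10.6.0.31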
set routing-options dynamic-tunnels contrail gre
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
source-address is the loopback address.
This is an example of a GRE tunnel route in table inet.3.
10.6.11.4/32 (1 entry, 1 announced)
*Tunnel Preference: 300
Next hop type: Router, Next hop index: 0
Address: 0xd7a9210
Next-hop reference count: 3
Next hop: via gr-0/0/0.32769, selected
Session Id: 0x0
State: <Active>
Local AS: 64031
Age: 10
Validation State: unverified
Task: DYN_TUNNEL
Announcement bits (2): 0-Resolve tree 1 1-Resolve_IGP_FRR task
AS path: I
This is the dynamic tunnel database.
> show dynamic-tunnels database
*- Signal Tunnels #- PFE-down
Table: inet.3
Destination-network: 10.6.11.0/24
Tunnel to: 10.6.11.1/32 State: Up (expires in 00:06:58 seconds)
Reference count: 0
Next-hop type: gre
Source address: 10.6.0.31
Next hop: gr-0/0/10.32769
State: Up
Tunnel to: 10.6.11.7/32 State: Up
Reference count: 2
Next-hop type: gre
Source address: 10.6.0.31
Next hop: gr-0/0/10.32770
State: Up
3.4.2 MPLSoUDP Tunnel
UDP tunnels are better suited to load balancing.
set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail udp
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
This is an example of a UDP tunnel route in table inet.3.
10.6.11.4/32 (1 entry, 1 announced)
*Tunnel Preference: 300
Next hop type: Tunnel Composite, Next hop index: 0
Address: 0xd7a87f0
Next-hop reference count: 2
Tunnel type: UDP, Reference count: 5, nhid: 0
Destination address: 10.6.11.4, Source address: 10.6.0.31
State: <Active>
Local AS: 64031
Age: 24:46
Validation State: unverified
Task: DYN_TUNNEL
Announcement bits (2): 0-Resolve tree 1 1-Resolve_IGP_FRR task
AS path: I
When routes are exported from the VRF to Tungsten Fabric, a policy is needed to attach the encapsulation community.
set policy-options policy-statement vrf-export-provider-1 term t1 then community add provider-1
set policy-options policy-statement vrf-export-provider-1 term t1 then community add encap-udp
set policy-options policy-statement vrf-export-provider-1 term t1 then accept
set policy-options community provider-1 members target:64512:101
set policy-options community encap-udp members encapsulation:64512:13
3.5 Routing Instance
3.5.1 VRF
A routing instance (RI) of type vrf holds L3 routes.
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lo0.11
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-target target:64512:101
set routing-instances provider-1 vrf-table-label
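3.5.2 Virtual Switch
(Omitted)
4 Route Import/Export
4.1 Workflow
4.1.1 Import
· First, BGP establishes peering with Tungsten Fabric. Without any VRF RI and import policy, table bgp.l3vpn.0 is not created and BGP cannot receive any INET-VPN routes.
· After a VRF RI is created (vrf-table-label must be configured), either an implicit policy or an explicit policy can be used.
o Configuring vrf-target enables the implicit policy, which imports routes carrying the specific RT community and exports routes with the specific RT community attached.
o Configure "vrf-import" and "vrf-export" to specify explicit policies in case any other action is needed.
· With any VRF RI and import policy, table bgp.l3vpn.0 is created.
· Based on the import policy, a RIB group vpn-unicast is created for each RT.
vpn-unicast target:64512:101, Address: 0xd7a8e40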
Address Family: l3vpn, Flags: 0x4, References: 0
Export RIB: l3vpn.0
Import RIB: bgp.l3vpn.0
Secondary Import RIB: provider-1.inet.0
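· BGP tries to resolve the route in table inet.3. If it succeeds, a GRE tunnel is allocated. Otherwise, the route is hidden.
· BGP receives an INET-VPN route that matches the import policy (route-target community) and places it in table bgp.l3vpn.0. The route is also converted to an INET route and placed in the VRF table, which is the secondary import RIB in the RIB group. Otherwise, the route is discarded.
This is an example of an INET-VPN route in table bgp.l3vpn.0. It is advertised to BGP by Tungsten Fabric; the route distinguisher 10.6.11.4:2 consists of the vRouter's IP address and an ID allocated by the vRouter; it is advertised from Tungsten Fabric control node 10.6.11.1; the next hop is via the dynamic GRE tunnel interface gr-0/0/0.32769; the MPLS label is 25.
10.6.11.4:2:172.16.11.3/32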
*[BGP/170] 00:03:11, MED 100, localpref 100, from 10.6.11.1
AS path: 64512 ?, validation-state: unverified
> via gr-0/0/0.32769, Push 25
This route is converted to an INET route and placed in the VRF.
172.16.11.3/32 *[BGP/170] 02:35:37, MED 100, localpref 100, from 10.6.11.1
AS path: 64512 ?, validation-state: unverified
> via gr-0/0/0.32769, Push 25
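4.1.2 Export
· To export a route from the VRF, the route is converted from INET to INET-VPN according to the export policy, placed in table bgp.l3vpn.0, and then exported by BGP. An MPLS label is allocated in table mpls.0 for the INET-VPN route.
This is the loopback interface in the VRF, as shown in table bgp.l3vpn.0.
64512:101:172.16.11.250/32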
*[Direct/0] 00:43:14
> via lo0.11
The route is advertised with MPLS label 300624, as shown by "show route advertising-protocol bgp 10.6.11.1 detail".
* 64512:101:172.16.11.250/32 (1 entry, 1 announced)
BGP group vpn-contrail type External
Route Distinguisher: 64512:101
VPN Label: 300624
Nexthop: Self
Flags: Nexthop Change
AS path: [64031] I
The MPLS label is allocated in table mpls.0.
300624 *[VPN/170] 00:55:34
receive table provider-1.inet.0, Pop
4.2 Implicit VRF Import/Export Policy
With vrf-target, implicit import and export policies are created.
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 vrf-target target:64512:101
The implicit import policy imports routes with the community "target:64540:100". As a result, routes advertised from a Tungsten Fabric virtual network with "target:64540:100" are imported into this RI.
> show policy __vrf-import-5b4s37-166-internal__
Policy __vrf-import-5b4s37-166-internal__:
Term unnamed:
from community __vrf-community-5b4s37-166-common-internal__ [target:64540:100 ]
then accept
Term unnamed:
then reject
The implicit export policy exports routes with the community "target:64540:100". As a result, routes are advertised to Tungsten Fabric and imported into the virtual networks that have "target:64540:100".
> show policy __vrf-export-5b4s37-166-internal__
Policy __vrf-export-5b4s37-166-internal__:
Term unnamed:
then community __vrf-community-5b4s37-166-common-internal__ [target:64540:100 ] accept
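4.3 Explicit VRF Import/Export Policy
Policies can be defined explicitly to import and export routes. In this example, routes advertised from Tungsten Fabric virtual networks with "target:64540:91" and "target:64540:92" are imported into the RI. Routes in the RI are advertised with "target:64540:91" and "target:64540:92" and imported into both virtual networks.
set policy-options policy-statement provider-1-export term t1 then community add provider-1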
set policy-options policy-statement provider-1-export term t1 then accept
set policy-options policy-statement provider-1-import term t1 from community provider-1
set policy-options policy-statement provider-1-import term t1 from community ext-host
set policy-options policy-statement provider-1-import term t1 then accept
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lo0.11
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export
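5 External/Underlay Connectivity
The idea is as follows:
· Have a route in the master RI that steers ingress traffic (from external/underlay to overlay) to the VRF RI.
· Have a route in the VRF RI that steers egress traffic (from overlay to external/underlay) to the master RI.
· Routes may be leaked or static.
There are two working options:
1. Logical tunnel
2. RIB group and static route with next-table
See the following subsections for details.
5.1 Logical Tunnel
A logical tunnel connects the master routing instance and the VRF routing instance. It is optional, depending on the use case. Because of the bandwidth limitation, check the requirements against the tunnel bandwidth of the specific hardware before deciding.
5.1.1 Static
This is an example that uses static routes over the logical tunnel.
set chassis fpc 0 pic 0 tunnel-services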
set interfaces lt-0/0/0 unit 100 encapsulation frame-relay
set interfaces lt-0/0/0 unit 100 dlci 10
set interfaces lt-0/0/0 unit 100 peer-unit 200
set interfaces lt-0/0/0 unit 100 family inet
set interfaces lt-0/0/0 unit 200 encapsulation frame-relay
set interfaces lt-0/0/0 unit 200 dlci 10
set interfaces lt-0/0/0 unit 200 peer-unit 100
set interfaces lt-0/0/0 unit 200 family inet
set routing-options static route 172.16.11.0/24 next-hop lt-0/0/0.100
set routing-instances provider-1 interface lt-0/0/0.200
set routing-instances provider-1 routing-options static route 0.0.0.0/0 next-hop lt-0/0/0.200
5.1.2 Dynamic
Here is an example that configures BGP peering between the VRF and master, using an aggregate route.
set chassis fpc 0 pic 0 tunnel-services
set interfaces lt-0/0/0 unit 100 encapsulation frame-relay
set interfaces lt-0/0/0 unit 100 dlci 10
set interfaces lt-0/0/0 unit 100 peer-unit 200
set interfaces lt-0/0/0 unit 100 family inet address 192.168.200.0/31
set interfaces lt-0/0/0 unit 200 encapsulation frame-relay
set interfaces lt-0/0/0 unit 200 dlci 10
set interfaces lt-0/0/0 unit 200 peer-unit 100
set interfaces lt-0/0/0 unit 200 family inet address 192.168.200.1/31
set protocols bgp group vrf type internal
set protocols bgp group vrf local-address 192.168.200.0
set protocols bgp group vrf keep all
set protocols bgp group vrf family inet unicast
set protocols bgp group vrf export provider-1-export
set protocols bgp group vrf neighbor 192.168.200.1
set policy-options policy-statement provider-1-export term t1 then community add provider-1
set policy-options policy-statement provider-1-export term t1 then accept
set policy-options policy-statement provider-1-aggregate-export term 1 from protocol aggregate
set policy-options policy-statement provider-1-aggregate-export term 1 from route-filter 172.16.11.0/24 exact
set policy-options policy-statement provider-1-aggregate-export term 1 then next-hop self
set policy-options policy-statement provider-1-aggregate-export term 1 then accept
set policy-options community provider-1 members target:64512:101
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lt-0/0/0.200
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export
set routing-instances provider-1 routing-options aggregate route 172.16.11.0/24
set routing-instances provider-1 protocols bgp group master type internal
set routing-instances provider-1 protocols bgp group master local-address 192.168.200.1
set routing-instances provider-1 protocols bgp group master keep all
set routing-instances provider-1 protocols bgp group master family inet unicast
set routing-instances provider-1 protocols bgp group master export provider-1-aggregate-export
set routing-instances provider-1 protocols bgp group master neighbor 192.168.200.0
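5.2 Next-table
A routing table can be specified as the next hop of a route. Conceptually, traffic can be steered between inet.0 and vrf.inet.0 as in the example below.
 --------------------------------------     -----------------------------
| inet.0                               |   | vrf.inet.0                  |
| 172.16.11.0/24 next-table vrf.inet.0 |-->|                             |
|                                      |<--| 0.0.0.0/0 next-table inet.0 |
 --------------------------------------     -----------------------------
The problem with this solution is that it causes a routing loop. For example, traffic for 172.16.11.9 is directed to vrf.inet.0. If no more specific route resolves it there, it returns to inet.0 via the default route. To avoid this kind of routing loop, Junos does not allow such a configuration.
Junos also does not allow configuring a third table.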
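5.3 RIB Group
RIB groups are commonly used to leak routes between routing tables. Conceptually, one RIB group can be created to import INET routes from vrf.inet.0 into inet.0, and another RIB group to import INET routes from inet.0 into vrf.inet.0.
set routing-options rib-groups provider-1-master import-rib provider-1.inet.0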
set routing-options rib-groups provider-1-master import-rib inet.0
set routing-options rib-groups master-provider-1 import-rib inet.0
set routing-options rib-groups master-provider-1 import-rib provider-1.inet.0
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast rib-group master-provider-1
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 routing-options auto-export family inet unicast rib-group provider-1-master
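This configuration leaks routes from inet.0 to vpn.inet.0. In the other direction, however, routes received from Tungsten Fabric are not leaked from vpn.inet.0 to inet.0, because of the Junos design. These routes have already been leaked from bgp.l3vpn.0, so vpn.inet.0 is the secondary RIB for them. Routes in a secondary RIB are not leaked again.
5.4 RIB Group and Next-table
5.4.1 Ingress
For ingress traffic, because Junos does not leak the overlay /32 routes from the VRF to master, there are two options.
1. Add a generate (aggregate) route in the VRF and use a RIB group to leak the aggregate route from vrf.inet.0 to inet.0.
set routing-options rib-groups provider-1-master import-rib provider-1.inet.0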
set routing-options rib-groups provider-1-master import-rib inet.0
set routing-options rib-groups provider-1-master import-policy provider-1-master-import
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-target target:64512:101
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 routing-options static route 0.0.0.0/0 next-table inet.0
set routing-instances provider-1 routing-options generate route 172.16.11.0/24 next-table provider-1.inet.0
set routing-instances provider-1 routing-options auto-export family inet unicast rib-group provider-1-master
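2. Add a static route with next-table pointing to vrf.inet.0 in master.
set routing-options static route 172.16.11.0/24 next-table provider-1.inet.0
Option 2 is recommended.
Note that the export policy of the routing protocol needs to be updated to advertise such a static route.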
5.4.2 Egress
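For egress traffic, there are two options.
1. Add a static route with next-table pointing to inet.0 in the VRF.
set routing-instances provider-1 routing-options static route 0.0.0.0/0 next-table inet.0
The problem here is that if it is a default route as above, it causes a routing loop. For example, ingress traffic to 172.16.11.5/32, which does not exist in vrf.inet.0, loops between master and the VRF. Using specific routes avoids the loop, but that is not dynamic and does not scale.
2. Leak the routes received by the routing protocols in master into the VRF.
set protocols bgp group corp type external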
set protocols bgp group corp family inet unicast rib-group bgp-corp-provider-1
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set routing-options rib-groups bgp-corp-provider-1 import-rib inet.0
set routing-options rib-groups bgp-corp-provider-1 import-rib provider-1.inet.0
Again, because of the Junos limitation, routes leaked into the VRF (secondary RIB) cannot be advertised to Tungsten Fabric. The solution is to add a default reject route.
set routing-instances provider-1 routing-options static route 0.0.0.0/0 reject
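5.4.3 Solution
In conclusion, here is the solution.
· Leak routes from master to the VRF for egress traffic.
· Add a static route in master for ingress traffic.
Appendix A.1 is the complete configuration.
Note that this does not work with MPLSoUDP.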
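The routing loop described in sections 5.2 and 5.4.2, next to the loop-free layout of 5.4.3, modelled as an added Python example (not part of the original guide and not Junos code). The next-table, tunnel and reject routes are taken from the page; the external prefix 10.50.0.0/16 and all function names are constructed for illustration.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match of dst in one routing table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, action in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None

def forward(tables, start, dst):
    """Follow next-table actions starting in table `start`.

    Returns (verdict, list of tables visited). The destination never changes,
    so arriving in a table that was already visited is a forwarding loop.
    """
    current, path = start, [start]
    while True:
        action = lookup(tables[current], dst)
        if action is None:
            return "no-route", path
        kind, arg = action
        if kind != "next-table":
            return (f"{kind}:{arg}" if arg else kind), path
        path.append(arg)
        if arg in path[:-1]:
            return "loop", path
        current = arg

# Conceptual layout of section 5.2 (Junos refuses to commit it): each table
# points at the other, and the VRF side does so with a default route.
CONCEPTUAL = {
    "inet.0": {
        "172.16.11.0/24": ("next-table", "provider-1.inet.0"),
    },
    "provider-1.inet.0": {
        "172.16.11.3/32": ("tunnel", "gr-0/0/0.32769"),   # overlay /32 from the page
        "0.0.0.0/0": ("next-table", "inet.0"),
    },
}

# Layout of section 5.4.3 / appendix A.1: static next-table in master, routes
# learned in master leaked into the VRF, and a default reject in the VRF.
SOLUTION = {
    "inet.0": {
        "172.16.11.0/24": ("next-table", "provider-1.inet.0"),
        "10.50.0.0/16": ("next-hop", "10.6.30.1"),        # constructed external prefix
    },
    "provider-1.inet.0": {
        "172.16.11.3/32": ("tunnel", "gr-0/0/0.32769"),
        "10.50.0.0/16": ("next-hop", "10.6.30.1"),        # leaked copy via rib-group
        "0.0.0.0/0": ("reject", ""),
    },
}

if __name__ == "__main__":
    for name, tables in (("conceptual", CONCEPTUAL), ("solution", SOLUTION)):
        for dst in ("172.16.11.3", "172.16.11.9"):
            print(name, dst, forward(tables, "inet.0", dst))
    print("egress", forward(SOLUTION, "provider-1.inet.0", "10.50.1.1"))
```

An address inside 172.16.11.0/24 that has no overlay /32 is the case that separates the two layouts: it bounces back to inet.0 in the first and is rejected inside the VRF in the second.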
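5.5 Forwarding Filter and Next-table
This solution uses a forwarding filter to steer ingress traffic to the VRF RI, and a static route with next-table to steer egress traffic to the master RI.
This solution has two issues.
1. Due to some issue in Junos, it does not work with MPLSoUDP.
2. To advertise the route externally, a route pointing to the gateway itself must be added. Ingress traffic hits the filter first, so the static route serves only for advertisement and has no effect on traffic.
5.6 VRF to VRF
Appendix A.2 is an example configuration.
Note that, because of the route-target family, the remote VRF RT must be configured as an import RT on the exposed VN in Tungsten Fabric. Otherwise, the gateway will not advertise the INET-VPN routes from the remote VRF.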
5.7 Community
Routes in Tungsten Fabric carry the following communities.
·route target
·encapsulation
·mac-mobility
·0x8004 (security group)
·0x8071 (origin VN)
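Depending on the use case (for example, routes going to an external cluster or to another Tungsten Fabric cluster), these communities may or may not need to be cleaned up.
The configuration in Appendix A.2 is an example of cleaning up communities.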
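A check for the community cleanup described above, as an added Python example (not part of the original guide): it reads set-format configuration and reports which Tungsten Fabric-internal community types an export policy on a BGP group leaves attached. The first sample is an excerpt of appendix A.2; the second sample with one delete line removed, the function names, and the simplification that `from` conditions are ignored and only `type:*:*` wildcards count are assumptions of this example.

```python
from collections import defaultdict

# Internal extended-community types from section 5.7 that the A.2 policy removes.
INTERNAL = {"encapsulation": "encapsulation",
            "0x8004": "security group",
            "0x8071": "origin VN"}

def parse(config):
    """Collect community members, per-term deletes/accepts and group exports."""
    members = defaultdict(set)    # community name -> member strings
    deletes = defaultdict(set)    # (policy, term) -> community names deleted
    accepts = set()               # (policy, term) pairs that end in accept
    exports = defaultdict(list)   # BGP group -> export policies
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["set", "policy-options", "community"] and len(w) == 6 and w[4] == "members":
            members[w[3]].add(w[5])
        elif (w[:3] == ["set", "policy-options", "policy-statement"]
              and len(w) >= 8 and w[4] == "term" and w[6] == "then"):
            key = (w[3], w[5])
            if w[7:9] == ["community", "delete"] and len(w) == 10:
                deletes[key].add(w[9])
            elif w[7] == "accept":
                accepts.add(key)
        elif w[:4] == ["set", "protocols", "bgp", "group"] and len(w) == 7 and w[5] == "export":
            exports[w[4]].append(w[6])
    return members, deletes, accepts, exports

def audit(config, group):
    """Return {policy/term: [internal community types still attached on export]}."""
    members, deletes, accepts, exports = parse(config)
    if not exports.get(group):
        # No export policy: nothing strips the communities for this group.
        return {"(no export policy)": sorted(INTERNAL)}
    findings = {}
    for policy in exports[group]:
        for pol, term in sorted(accepts):
            if pol != policy:
                continue
            removed = set()
            for name in deletes[(pol, term)]:
                removed |= {m.split(":")[0] for m in members[name] if m.endswith(":*:*")}
            left = sorted(set(INTERNAL) - removed)
            if left:
                findings[f"{policy}/{term}"] = left
    return findings

# Excerpt of appendix A.2 (policy toward the external VPN peer).
A2 = """\
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512
set protocols bgp group vpn-external export vpn-external-export
set protocols bgp group vpn-external neighbor 10.6.0.41 peer-as 64041
set policy-options policy-statement vpn-external-export term t1 from community provider-1
set policy-options policy-statement vpn-external-export term t1 then community add ext-host
set policy-options policy-statement vpn-external-export term t1 then community delete all-encaps
set policy-options policy-statement vpn-external-export term t1 then community delete all-security-groups
set policy-options policy-statement vpn-external-export term t1 then community delete all-origin-vns
set policy-options policy-statement vpn-external-export term t1 then accept
set policy-options community all-encaps members encapsulation:*:*
set policy-options community all-origin-vns members 0x8071:*:*
set policy-options community all-security-groups members 0x8004:*:*
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
"""

# Constructed variant: the security-group delete line has been dropped.
VARIANT = A2.replace(
    "set policy-options policy-statement vpn-external-export term t1 "
    "then community delete all-security-groups\n", "")

if __name__ == "__main__":
    print(audit(A2, "vpn-external"))
    print(audit(VARIANT, "vpn-external"))
```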
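6 Multi-cluster
A single gateway can support multiple clusters, which should have different ASNs.
· The gateway is configured with an ASN.
· The clusters have different private ASNs.
· iBGP among the control nodes within each cluster.
· eBGP between the gateway and the control nodes of each cluster.
· Multiple BGP groups, each connecting to a different group of neighbors, can share the same interface.
· If each cluster is in a separate network, there is one dynamic tunnel group per cluster.
· Each cluster should have a separate public address space. Because there is no address conflict, one VRF routing instance can be shared by multiple clusters, and the public virtual networks in all clusters must have the same route target. As a result, public routes from one cluster are leaked to the other clusters.
Appendix
A.1 RIB Group and Next-table
set version 18.3R1.9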
set chassis fpc 0 pic 0 tunnel-services
set interfaces ge-0/0/0 mac 52:54:00:8c:f9:2b
set interfaces ge-0/0/0 unit 0 family inet address 10.6.30.2/30
set interfaces ge-0/0/1 mac 52:54:00:c4:ee:41
set interfaces ge-0/0/1 unit 0 family inet address 10.6.20.1/30
set interfaces fxp0 unit 0 family inet address 10.6.8.31/24
set interfaces lo0 unit 0 family inet address 10.6.0.31/32
set interfaces lo0 unit 11 family inet address 172.16.11.250/32
set interfaces lo0 unit 12 family inet address 172.16.12.250/32
set routing-options interface-routes rib-group inet master-direct-vrf
set routing-options static route 172.16.11.0/24 next-table provider-1.inet.0
set routing-options static route 172.16.12.0/24 next-table provider-2.inet.0
set routing-options rib-groups bgp-corp-vrf import-rib inet.0
set routing-options rib-groups bgp-corp-vrf import-rib provider-1.inet.0
set routing-options rib-groups bgp-corp-vrf import-rib provider-2.inet.0
set routing-options rib-groups master-direct-vrf import-rib inet.0
set routing-options rib-groups master-direct-vrf import-rib provider-1.inet.0
set routing-options rib-groups master-direct-vrf import-rib provider-2.inet.0
set routing-options rib-groups master-direct-vrf import-policy rib-import-master-vrf
set routing-options route-distinguisher-id 10.6.0.31
set routing-options autonomous-system 64031
set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail gre
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast rib-group bgp-corp-vrf
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set protocols bgp group fabric type external
set protocols bgp group fabric family inet unicast
set protocols bgp group fabric export direct
set protocols bgp group fabric neighbor 10.6.20.2 peer-as 64011
set protocols bgp group vpn-contrail type external
set protocols bgp group vpn-contrail multihop
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512
set policy-options policy-statement direct term t1 from protocol direct
set policy-options policy-statement direct term t1 from protocol aggregate
set policy-options policy-statement direct term t1 then accept
set policy-options policy-statement direct term t2 from protocol static
set policy-options policy-statement direct term t2 from route-filter 172.16.11.0/24 exact
set policy-options policy-statement direct term t2 then accept
set policy-options policy-statement direct term t3 from protocol static
set policy-options policy-statement direct term t3 from route-filter 172.16.12.0/24 exact
set policy-options policy-statement direct term t3 then accept
set policy-options policy-statement rib-import-master-vrf term t2 from protocol direct
set policy-options policy-statement rib-import-master-vrf term t2 then accept
set policy-options policy-statement rib-import-master-vrf term end then reject
set policy-options policy-statement vrf-export-provider-1 term t1 then community add provider-1
set policy-options policy-statement vrf-export-provider-1 term t1 then accept
set policy-options policy-statement vrf-export-provider-1 term end then reject
set policy-options policy-statement vrf-export-provider-2 term t1 then community add provider-2
set policy-options policy-statement vrf-export-provider-2 term t1 then accept
set policy-options policy-statement vrf-export-provider-2 term end then reject
set policy-options policy-statement vrf-import-provider-1 term t1 from community provider-1
set policy-options policy-statement vrf-import-provider-1 term t1 from community ext-host
set policy-options policy-statement vrf-import-provider-1 term t1 then accept
set policy-options policy-statement vrf-import-provider-1 term end then reject
set policy-options policy-statement vrf-import-provider-2 term t1 from community provider-2
set policy-options policy-statement vrf-import-provider-2 term t1 from community ext-host
set policy-options policy-statement vrf-import-provider-2 term t1 then accept
set policy-options policy-statement vrf-import-provider-2 term end then reject
set policy-options community all-encaps members encapsulation:*:*
set policy-options community all-origin-vns members 0x8071:*:*
set policy-options community all-security-groups members 0x8004:*:*
set policy-options community encap-udp members encapsulation:64512:13
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
set policy-options community provider-2 members target:64512:102
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lo0.11
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import vrf-import-provider-1
set routing-instances provider-1 vrf-export vrf-export-provider-1
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 routing-options static route 0.0.0.0/0 reject
set routing-instances provider-2 instance-type vrf
set routing-instances provider-2 interface lo0.12
set routing-instances provider-2 route-distinguisher 64512:102
set routing-instances provider-2 vrf-import vrf-import-provider-2
set routing-instances provider-2 vrf-export vrf-export-provider-2
set routing-instances provider-2 vrf-table-label
set routing-instances provider-2 routing-options static route 0.0.0.0/0 reject
A.2 VRF to VRF
set version 18.3R1.9
set chassis fpc 0 pic 0 tunnel-services
set interfaces ge-0/0/0 mac 52:54:00:8c:f9:2b
set interfaces ge-0/0/0 unit 0 family inet address 10.6.30.2/30
set interfaces ge-0/0/1 mac 52:54:00:c4:ee:41
set interfaces ge-0/0/1 unit 0 family inet address 10.6.20.1/30
set interfaces fxp0 unit 0 family inet address 10.6.8.31/24
set interfaces lo0 unit 0 family inet address 10.6.0.31/32
set routing-options route-distinguisher-id 10.6.0.31
set routing-options autonomous-system 64031
set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail gre
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
set routing-options dynamic-tunnels contrail destination-networks 10.6.0.0/16
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set protocols bgp group fabric type external
set protocols bgp group fabric family inet unicast
set protocols bgp group fabric export direct
set protocols bgp group fabric neighbor 10.6.20.2 peer-as 64011
set protocols bgp group vpn-contrail type external
set protocols bgp group vpn-contrail multihop
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512
set protocols bgp group vpn-external type external
set protocols bgp group vpn-external multihop
set protocols bgp group vpn-external local-address 10.6.0.31
set protocols bgp group vpn-external keep all
set protocols bgp group vpn-external family inet-vpn unicast
set protocols bgp group vpn-external family route-target
set protocols bgp group vpn-external export vpn-external-export
set protocols bgp group vpn-external neighbor 10.6.0.41 peer-as 64041
set policy-options policy-statement direct term t1 from protocol direct
set policy-options policy-statement direct term t1 then accept
set policy-options policy-statement provider-1-export term t1 then accept
set policy-options policy-statement provider-1-import term t1 from community provider-1
set policy-options policy-statement provider-1-import term t1 from community ext-host
set policy-options policy-statement provider-1-import term t1 then accept
set policy-options policy-statement vpn-external-export term t1 from community provider-1
set policy-options policy-statement vpn-external-export term t1 then community add ext-host
set policy-options policy-statement vpn-external-export term t1 then community delete all-encaps
set policy-options policy-statement vpn-external-export term t1 then community delete all-security-groups
set policy-options policy-statement vpn-external-export term t1 then community delete all-origin-vns
set policy-options policy-statement vpn-external-export term t1 then accept
set policy-options community all-encaps members encapsulation:*:*
set policy-options community all-origin-vns members 0x8071:*:*
set policy-options community all-security-groups members 0x8004:*:*
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
set firewall family inet filter to-vrf term 1 from destination-address 172.16.11.0/24
set firewall family inet filter to-vrf term 1 then routing-instance provider-1
set firewall family inet filter to-vrf term default then accept
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export