Monday, March 16, 2015

Routing between multiple VRFs - VRF Route Leaking

Virtual routing and forwarding (VRF) is very useful in environments where we need to isolate routing tables per instance or per customer. Everything works well until, for some specific need, we want one VRF to communicate with another VRF; the scenario gets more complicated when we want only certain networks to reach the other VRF. That is where we need to import and export prefixes or routes. There are many ways to achieve this, which we will work through while increasing the level of complexity.

TOPOLOGY

In this scenario we will have 2 routers with the following networks:


Route distinguisher (RD) for the VRFs

VRF CLIENTE1 RD 1:1
VRF CLIENTE2 RD 2:2
VRF CLIENTE3 RD 3:3

Note: the Loopback0 interface does not belong to any VRF, and neither does interface f0/0.
We will enable MPLS on the f0/0 interfaces with their default values.

R1
hostname R1
!        
ip vrf CLIENTE1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf CLIENTE2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
ip vrf CLIENTE3
 rd 3:3
 route-target export 3:3
 route-target import 3:3
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip vrf forwarding CLIENTE1
 ip address 10.1.1.1 255.255.255.255
!
interface Loopback2
 ip vrf forwarding CLIENTE2
 ip address 10.1.2.1 255.255.255.255
!
interface Loopback3
 ip vrf forwarding CLIENTE3
 ip address 10.1.3.1 255.255.255.255
!
interface Loopback11
 ip vrf forwarding CLIENTE1
 ip address 10.1.11.1 255.255.255.255
!
interface Loopback22
 ip vrf forwarding CLIENTE2
 ip address 10.1.22.1 255.255.255.255
!
interface Loopback33
 ip vrf forwarding CLIENTE3
 ip address 10.1.33.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
router ospf 10
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 172.16.0.0 0.0.0.3 area 0
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 2.2.2.2 activate
 neighbor 2.2.2.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf CLIENTE3
 redistribute connected
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CLIENTE2
 redistribute connected
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CLIENTE1
 redistribute connected
 no synchronization
 exit-address-family

R2
hostname R2
!
ip vrf CLIENTE1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf CLIENTE2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
ip vrf CLIENTE3
 rd 3:3
 route-target export 3:3
 route-target import 3:3
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
 ip vrf forwarding CLIENTE1
 ip address 10.2.1.1 255.255.255.255
!
interface Loopback2
 ip vrf forwarding CLIENTE2
 ip address 10.2.2.1 255.255.255.255
!
interface Loopback3
 ip vrf forwarding CLIENTE3
 ip address 10.3.3.1 255.255.255.255
!
interface Loopback11
 ip vrf forwarding CLIENTE1
 ip address 10.2.11.1 255.255.255.255
!
interface Loopback22
 ip vrf forwarding CLIENTE2
 ip address 10.2.22.1 255.255.255.255
!
interface Loopback33
 ip vrf forwarding CLIENTE3
 ip address 10.2.33.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 172.16.0.2 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
router ospf 10
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 172.16.0.0 0.0.0.3 area 0
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 1.1.1.1 activate
 neighbor 1.1.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf CLIENTE3
 redistribute connected
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CLIENTE2
 redistribute connected
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CLIENTE1
 redistribute connected
 no synchronization
 exit-address-family


TESTS

Each VRF has its own routing table, isolated from the others with no communication between them. BGP carries the routes for each VRF; the commands to inspect this in more detail are:
show ip bgp summary
show ip bgp vpnv4 vrf CLIENTE1
show ip bgp vpnv4 all summary

R1#sh ip route | begin Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/2] via 172.16.0.2, 01:18:33, FastEthernet0/0
     172.16.0.0/30 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, FastEthernet0/0

R1#sh ip route vrf CLIENTE1 | begin Gateway
Gateway of last resort is not set

     10.0.0.0/32 is subnetted, 4 subnets
C       10.1.11.1 is directly connected, Loopback11
B       10.2.11.1 [200/0] via 2.2.2.2, 00:25:38
B       10.2.1.1 [200/0] via 2.2.2.2, 01:42:14
C       10.1.1.1 is directly connected, Loopback1

R1#sh ip route vrf CLIENTE2 | begin Gateway
Gateway of last resort is not set
      10.0.0.0/32 is subnetted, 4 subnets
C       10.1.2.1 is directly connected, Loopback2
B       10.2.2.1 [200/0] via 2.2.2.2, 01:39:32
C       10.1.22.1 is directly connected, Loopback22
B       10.2.22.1 [200/0] via 2.2.2.2, 00:26:14
R1#sh ip route vrf CLIENTE3 | begin Gateway
Gateway of last resort is not set
      10.0.0.0/32 is subnetted, 4 subnets
C       10.1.3.1 is directly connected, Loopback3
B       10.3.3.1 [200/0] via 2.2.2.2, 01:41:02
B       10.2.33.1 [200/0] via 2.2.2.2, 00:26:44
C       10.1.33.1 is directly connected, Loopback33
R1#ping vrf CLIENTE1 10.2.1.1
 Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/140/264 ms
R1#ping vrf CLIENTE1 10.2.2.1
 Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#sh ip route | begin Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/2] via 172.16.0.1, 01:19:33, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     172.16.0.0/30 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, FastEthernet0/0


R2#show  ip route vrf CLIENTE1 | begin Gateway
Gateway of last resort is not set

     10.0.0.0/32 is subnetted, 4 subnets
B       10.1.11.1 [200/0] via 1.1.1.1, 00:28:57
C       10.2.11.1 is directly connected, Loopback11
C       10.2.1.1 is directly connected, Loopback1
B       10.1.1.1 [200/0] via 1.1.1.1, 01:43:16

R2#show  ip route vrf CLIENTE2 | begin Gateway
Gateway of last resort is not set
      10.0.0.0/32 is subnetted, 4 subnets
B       10.1.2.1 [200/0] via 1.1.1.1, 00:29:57
C       10.2.2.1 is directly connected, Loopback2
B       10.1.22.1 [200/0] via 1.1.1.1, 00:29:42
C       10.2.22.1 is directly connected, Loopback22
R2#show  ip route vrf CLIENTE3 | begin Gateway
Gateway of last resort is not set
      10.0.0.0/32 is subnetted, 4 subnets
B       10.1.3.1 [200/0] via 1.1.1.1, 01:41:29
C       10.3.3.1 is directly connected, Loopback3
C       10.2.33.1 is directly connected, Loopback33
B       10.1.33.1 [200/0] via 1.1.1.1, 00:30:11
R2#ping vrf CLIENTE2 10.1.2.1
 Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/144/316 ms
R2#ping vrf CLIENTE2 10.1.1.1
 Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)



IMPORTING NETWORKS

The networks in VRF CLIENTE1 on R1 need to communicate with the networks in VRF CLIENTE3 on R2, so we need to import those networks by means of the route-target.

Note: if the table does not update, BGP can be forced to refresh with the command: clear ip bgp *

R1(config)#ip vrf CLIENTE1 
R1(config-vrf)#route-target import 3:3
R1(config-vrf)#exit

R2(config)#ip vrf CLIENTE3       
R2(config-vrf)#route-target import 1:1
R2(config-vrf)#exit

R1#show ip route vrf CLIENTE1 | beg Gateway
Gateway of last resort is not set

     10.0.0.0/32 is subnetted, 8 subnets
C       10.1.11.1 is directly connected, Loopback11
B       10.2.11.1 [200/0] via 2.2.2.2, 00:47:11
B       10.2.1.1 [200/0] via 2.2.2.2, 02:03:46
B       10.1.3.1 is directly connected, 00:02:40, Loopback3
B       10.3.3.1 [200/0] via 2.2.2.2, 00:02:40
C       10.1.1.1 is directly connected, Loopback1
B       10.2.33.1 [200/0] via 2.2.2.2, 00:02:40
B       10.1.33.1 is directly connected, 00:02:40, Loopback33

R2#show ip route vrf CLIENTE3 | beg Gateway  
Gateway of last resort is not set

     10.0.0.0/32 is subnetted, 8 subnets
B       10.1.11.1 [200/0] via 1.1.1.1, 00:03:27
B       10.2.11.1 is directly connected, 00:04:12, Loopback11
B       10.2.1.1 is directly connected, 00:04:12, Loopback1
B       10.1.3.1 [200/0] via 1.1.1.1, 00:04:57
C       10.3.3.1 is directly connected, Loopback3
B       10.1.1.1 [200/0] via 1.1.1.1, 00:03:27
C       10.2.33.1 is directly connected, Loopback33
B       10.1.33.1 [200/0] via 1.1.1.1, 00:04:57

CONNECTIVITY TESTS


Ping from VRF CLIENTE1 to the networks of VRF CLIENTE3 on R2, and vice versa.

R1#ping vrf CLIENTE1 10.2.33.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.33.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/121/240 ms

R1#ping vrf CLIENTE1 10.2.33.1 source loopback 11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.33.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.11.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/154/256 ms

R2#ping vrf CLIENTE3 10.1.11.1 source loopback 3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.11.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.1
!!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 64/159/292 ms

R2#ping vrf CLIENTE3 10.1.1.1 source loopback 33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.33.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/120/176 ms


IMPORTING SPECIFIC NETWORKS WITH A ROUTE-MAP

In the previous case, using the command route-target import 3:3 let all the networks of VRF CLIENTE3 through. Since the tables can be very large, this method is not very optimal; a better idea is to select only the prefixes we want to reach. To do that we will import only the network 10.2.33.1/32, located on R2, as shown.

R1#show ip bgp vpnv4 vrf CLIENTE3
BGP table version is 68, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf  Weight Path
Route Distinguisher: 3:3 (default for vrf CLIENTE3)
*> 10.1.1.1/32      0.0.0.0                  0                    32768 ?
*> 10.1.3.1/32      0.0.0.0                  0                    32768 ?
*> 10.1.11.1/32     0.0.0.0                  0                   32768 ?
*> 10.1.33.1/32     0.0.0.0                  0                   32768 ?
*>i10.2.1.1/32      2.2.2.2                  0     100                 0 ?
*>i10.2.11.1/32     2.2.2.2                  0    100                0 ?
*>i10.2.33.1/32     2.2.2.2                  0    100                0 ?
*>i10.3.3.1/32      2.2.2.2                  0     100                0 ?

Now that we have confirmed that the destination prefix is in the BGP table on R1, we can select it with a PREFIX-LIST and use a route-map.

R1(config)#ip extcommunity-list standard EC-CLIENTE1 permit rt 1:1
R1(config)#ip extcommunity-list standard EC-CLIENTE3 permit rt 3:3
R1(config)#ip prefix-list CLIENTE1-FROM-CLIENTE3 seq 10 permit 10.2.33.1/32
R1(config)#route-map CLIENTE1-IMPORT-MAP 10
R1(config-route-map)# match extcommunity EC-CLIENTE1
R1(config-route-map)#route-map CLIENTE1-IMPORT-MAP 20
R1(config-route-map)# match ip address prefix-list CLIENTE1-FROM-CLIENTE3
R1(config-route-map)# match extcommunity EC-CLIENTE3
R1(config-route-map)#exit
R1(config)#ip vrf CLIENTE1
R1(config-vrf)# import map CLIENTE1-IMPORT-MAP
R1(config-vrf)#route-target import 3:3
R1(config-vrf)#exit

Note: if the table does not update, BGP can be forced to refresh with the command: clear ip bgp *

R1#show ip route vrf CLIENTE1 | beg Gateway
Gateway of last resort is not set

     10.0.0.0/32 is subnetted, 5 subnets
C       10.1.11.1 is directly connected, Loopback11
B       10.2.11.1 [200/0] via 2.2.2.2, 00:00:16
B       10.2.1.1 [200/0] via 2.2.2.2, 00:00:16
C       10.1.1.1 is directly connected, Loopback1
B       10.2.33.1 [200/0] via 2.2.2.2, 00:00:16

Connectivity tests: we can see that we now only reach the network 10.2.33.1.

R1#ping vrf CLIENTE1 10.2.33.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.33.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/152/332 ms

R1#ping vrf CLIENTE1 10.2.3.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.3.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)

EXPORTING SPECIFIC NETWORKS WITH A ROUTE-MAP

Just as it is possible to import specific routes, we can also export only some routes.
Now the goal is to send the prefix 10.1.11.1 from VRF CLIENTE1 into the routing table of VRF CLIENTE3.

Currently we have the following:

R1#show ip route vrf CLIENTE3 | begin Gateway
Gateway of last resort is not set
     10.0.0.0/32 is subnetted, 4 subnets
C       10.1.3.1 is directly connected, Loopback3
B       10.3.3.1 [200/0] via 2.2.2.2, 00:02:39
B       10.2.33.1 [200/0] via 2.2.2.2, 00:02:39
C       10.1.33.1 is directly connected, Loopback33

R1#show ip  bgp vpnv4 vrf CLIENTE1
BGP table version is 26, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CLIENTE1)
*> 10.1.1.1/32      0.0.0.0                  0                   32768 ?
*> 10.1.11.1/32     0.0.0.0                  0                  32768 ?
*>i10.2.1.1/32      2.2.2.2                  0     100               0 ?
*>i10.2.11.1/32     2.2.2.2                  0    100              0 ?
*>i10.2.33.1/32     2.2.2.2                  0    100              0 ?

Configuration on R1

ip prefix-list CLIENTE1-TO-CLIENTE3 seq 10 permit 10.1.11.1/32
!
route-map CLIENTE1-EXPORT-MAP permit 10
 match ip address prefix-list CLIENTE1-TO-CLIENTE3
 set extcommunity rt  3:3 additive

ip vrf CLIENTE1
 export map CLIENTE1-EXPORT-MAP

Results

R1#show ip route vrf CLIENTE3 | beg Gateway
Gateway of last resort is not set

     10.0.0.0/32 is subnetted, 5 subnets
B       10.1.11.1 is directly connected, 00:04:29, Loopback11
C       10.1.3.1 is directly connected, Loopback3
B       10.3.3.1 [200/0] via 2.2.2.2, 00:04:59
B       10.2.33.1 [200/0] via 2.2.2.2, 00:04:59
C       10.1.33.1 is directly connected, Loopback33

R1#show ip route vrf CLIENTE1 | beg Gateway      
Gateway of last resort is not set

     10.0.0.0/32 is subnetted, 5 subnets
C       10.1.11.1 is directly connected, Loopback11
B       10.2.11.1 [200/0] via 2.2.2.2, 00:09:27
B       10.2.1.1 [200/0] via 2.2.2.2, 00:09:27
C       10.1.1.1 is directly connected, Loopback1
B       10.2.33.1 [200/0] via 2.2.2.2, 00:09:27


Ping only from 10.1.11.1 (VRF CLIENTE1 on R1) to 10.2.33.1 (VRF CLIENTE3 on R2)

R1#ping vrf CLIENTE1 10.2.33.1 source loopback 11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.33.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.11.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/136/248 ms

R1#ping vrf CLIENTE1 10.2.33.1 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.33.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)
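To make the three stages above (plain route-target import, import map, export map) concrete, here is an added Python model of the decision a PE applies when a VPNv4 route enters a VRF; it is my own code, not from the post or from Cisco IOS. It assumes the rule that a route needs one of the VRF's import RTs and, when an import map exists, must also be permitted by one of its sequences; the function names, the tuple layout and the merging of R1 and R2 into one VPNv4 table are my simplifications, while the prefixes and RTs are the post's.

```python
# Added example (not from the original post): model of which VPNv4 routes enter a VRF,
# reproducing the post's three stages. Function names and data layout are my own.

def export_routes(rd, export_rts, prefixes, export_map=()):
    """Tag each connected prefix of a VRF with its export RTs ('redistribute connected').
    export_map: (prefix, extra_rt) pairs modelling a route-map that matches a prefix-list
    and applies 'set extcommunity rt X additive'."""
    routes = []
    for p in prefixes:
        rts = set(export_rts)
        rts.update(rt for match, rt in export_map if match == p)
        routes.append((rd, p, frozenset(rts)))
    return routes

def import_routes(import_rts, vpnv4, import_map=None):
    """Prefixes a VRF accepts: the route must carry one of the VRF's import RTs and,
    if an 'import map' is configured, also pass one of its sequences.
    import_map: list of (prefix or None, required_rt); None means 'any prefix'."""
    accepted = set()
    for _rd, prefix, rts in vpnv4:
        if not rts & set(import_rts):
            continue                      # no matching route-target import: never considered
        if import_map is not None and not any(
                (match is None or match == prefix) and rt in rts for match, rt in import_map):
            continue                      # import map present and no sequence permits the route
        accepted.add(prefix)
    return sorted(accepted)

# Constructed from the post's topology: CLIENTE1 and CLIENTE3 loopbacks on R1 and R2.
C1 = ["10.1.1.1/32", "10.1.11.1/32", "10.2.1.1/32", "10.2.11.1/32"]
C3 = ["10.1.3.1/32", "10.1.33.1/32", "10.3.3.1/32", "10.2.33.1/32"]

def vpnv4_table(c1_export_map=()):
    return (export_routes("1:1", {"1:1"}, C1, c1_export_map)
            + export_routes("3:3", {"3:3"}, C3))

def stage_import_all():
    """'route-target import 3:3' on CLIENTE1: every CLIENTE3 prefix leaks in (8 routes)."""
    return import_routes({"1:1", "3:3"}, vpnv4_table())

def stage_import_map():
    """Same import RT plus CLIENTE1-IMPORT-MAP: seq 10 keeps own routes, seq 20 admits one prefix."""
    imap = [(None, "1:1"), ("10.2.33.1/32", "3:3")]
    return import_routes({"1:1", "3:3"}, vpnv4_table(), imap)

def stage_export_map():
    """CLIENTE1-EXPORT-MAP adds RT 3:3 to 10.1.11.1 only; this is the CLIENTE3 view (imports 3:3)."""
    table = vpnv4_table(c1_export_map=[("10.1.11.1/32", "3:3")])
    return import_routes({"3:3"}, table)
```

The three functions return 8, 5 and 5 prefixes, the same "subnets" counts seen in the show ip route outputs above, which makes this a quick way to check how much of one customer's table a proposed route-target change would expose to another before committing it.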