
Practice #2. VRF. Interface types

Agenda
1. Setup description
2. Common configuration
3. VRF configuration
Topology sketch
[Figure: the Default VRF in the middle, with Virtual Router 1 (VRF 1) and Virtual Router 2 (VRF 2) on either side, connected over an external loopback link]

Topology in ProxMox
[Figure: the same three routers inside one LXC (default VRF, VRF 1, VRF 2); the external loopback is realised as a VLAN on the host bridge (vmbrN)]

LXC Configuration
[Figure: VRF 1 holds eth1 (10.0.0.1/24); the default VRF holds br0.10 (10.0.0.2/24), a VLAN 10 device on the bridge br0, which has eth2 as an access port in VLAN 10. Traffic between 10.0.0.1 and 10.0.0.2 must leave eth1 and come back in through eth2 over the host bridge.]

LXC Configuration (advanced)
[Figure: VRF 1 holds eth1, VRF 2 holds br0.10, VRF 3 holds br0.20 and VRF 4 holds br1; bridge br0 has eth2 (VLAN 10) and eth3 (VLAN 20), bridge br1 has eth4. The same 10.0.0.1/24 and 10.0.0.2/24 addresses are reused across the VRFs, which only works because each VRF has its own routing table.]

Or even…
[Figure: VRF 1 holds eth1.10 (a VLAN 10 device on eth1), VRF 2 holds br0.10, VRF 3 holds br0.20 and VRF 4 holds br1; bridge br0 has ports eth2 and eth3, bridge br1 has eth4. VLAN 10 rides the physical ports tagged (10T) and VLAN 20 untagged (20U); addresses are again 10.0.0.1/24 and 10.0.0.2/24 per link.]
Common configuration

Add VLAN-aware bridge (vlan_filtering 1 is what makes the bridge vlan commands below take effect):
ip link add dev BR_NAME type bridge ageing_time 1000 mcast_snooping 0 vlan_filtering 1

VLAN-unaware bridge:
ip link add dev BR_NAME type bridge ageing_time 1000 mcast_snooping 0

Add port to a VLAN as tagged (trunk port; tagged is the default, so no keyword is needed):
bridge vlan add vid VLAN_ID dev INTF_NAME

Untagged VLAN (access port; pvid makes VLAN_ID the VLAN for untagged ingress, untagged strips the tag on egress):
bridge vlan add vid VLAN_ID dev INTF_NAME pvid untagged

Add VLAN device (an 802.1Q sub-interface that strips/adds the tag for the stack above it):
ip link add link INTF_NAME name INTF_NAME.VLAN_ID type vlan id VLAN_ID
ip link set dev INTF_NAME.VLAN_ID up
CONFIDENTIAL

8
Create Bridge
# Add bridge (VLAN-aware)
ip link add name br0 type bridge vlan_filtering 1

# Add interface to the bridge
ip link set dev eth2 master br0

# Remove interface from the default VLAN (every new port starts as pvid 1 untagged)
bridge vlan del vid 1 dev eth2

# Add interface to the VLAN as an access port
bridge vlan add vid 10 dev eth2 pvid untagged

# Add the bridge itself to the VLAN as a tagged (trunk) port. "self" targets the
# bridge device instead of a port; tagged is the default (there is no "tagged" keyword)
bridge vlan add vid 10 dev br0 self

Configure bridge VLAN interface
# Add VLAN interface over the bridge interface to strip the tag
ip link add link br0 name br0.10 type vlan id 10

# Set the bridge and the VLAN interface up
ip link set br0 up
ip link set br0.10 up

# Check VLAN configuration (shows vid, PVID and Egress Untagged per port)
bridge vlan

Create VRF
# Add the VRF device bound to its own routing table
ip link add dev VRF_NAME type vrf table TBL_ID
# Unreachable default at the highest metric (0xFF000000): a lookup that misses in the
# VRF table returns "unreachable" instead of falling through to the main table
ip -4 route add table TBL_ID unreachable default metric 4278198272
ip link set dev VRF_NAME up
ip -br link show type vrf

Set rules priority to avoid traffic leak to default VRF

Creating the first VRF installs an l3mdev rule at pref 1000, but the local table is still consulted first at pref 0. With the same 10.0.0.0/24 in every VRF, that global lookup answers before the VRF's own table is consulted. Move the local lookup behind the l3mdev rule so that a lookup inside a VRF hits the VRF table first:

ip -4 rule add pref 32765 table local
ip -4 rule del pref 0

Restore default priorities

ip -4 rule add pref 0 table local
ip -4 rule del pref 32765

Enslaving interfaces
Enslaving to a VRF or a bridge (same command for both; the type of the master decides):

ip link set dev INTF_NAME master MASTER_NAME

Remove from bridge/VRF:

ip link set dev INTF_NAME nomaster

Check config
1. Ping from inside the VRF (VRF_NAME is the vrf device, SRC_INTF the interface enslaved to it, DST_IP the address on the far side of the external link):

ip vrf exec VRF_NAME ping -I SRC_INTF -c5 DST_IP

2. tcpdump on the Proxmox host (on the vmbrN bridge or the VLAN that carries the link), to ensure that the traffic really goes through the external link and not directly through the Linux kernel. If the ping succeeds but nothing appears on the host, the VRFs are leaking into each other.
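The whole procedure from the Common configuration, Create Bridge, Configure bridge VLAN interface, Create VRF, Enslaving and Check config slides, put together as one script for the basic topology. This is an added example, not code from the original slides; the interface names (eth1, eth2, br0, vrf1), routing table 10 and the addresses are assumptions matching the LXC Configuration figure. It needs CAP_NET_ADMIN inside the container; with DRY_RUN=1 it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original slides): builds the basic topology of the
# "LXC Configuration" slide end to end. Assumed names and addresses:
#   VRF 1       : eth1, 10.0.0.1/24
#   default VRF : br0.10 (VLAN 10 device on bridge br0), 10.0.0.2/24
#   bridge br0  : eth2 as an untagged access port in VLAN 10
# eth1 and eth2 are assumed to be joined outside the container (host bridge vmbrN).
# Needs CAP_NET_ADMIN; set DRY_RUN=1 to print the commands instead of running them.
set -eu

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# VLAN-aware bridge, as on the "Common configuration" slide.
mk_bridge() {   # mk_bridge BR
    run ip link add dev "$1" type bridge ageing_time 1000 mcast_snooping 0 vlan_filtering 1
    run ip link set dev "$1" up
}

# Enslave INTF to BR as an access port of VLAN VID: drop it from the default
# VLAN 1 first, make VID its PVID with egress untagged, and let the bridge device
# itself carry VID (tagged, the default) so a BR.VID interface can sit on top.
bridge_access_port() {   # bridge_access_port BR INTF VID
    run ip link set dev "$2" master "$1"
    run bridge vlan del vid 1 dev "$2"
    run bridge vlan add vid "$3" dev "$2" pvid untagged
    run bridge vlan add vid "$3" dev "$1" self
    run ip link set dev "$2" up
}

# BR.VID: a VLAN device on top of the bridge that strips the tag.
bridge_vlan_dev() {   # bridge_vlan_dev BR VID
    run ip link add link "$1" name "$1.$2" type vlan id "$2"
    run ip link set dev "$1.$2" up
}

# VRF with its own routing table. The unreachable default at the highest metric
# (0xFF000000) stops a lookup that misses in the VRF table from falling through
# to the main table.
mk_vrf() {   # mk_vrf VRF TABLE
    run ip link add dev "$1" type vrf table "$2"
    run ip -4 route add table "$2" unreachable default metric 4278198272
    run ip link set dev "$1" up
}

# Move the local-table rule behind the l3mdev rule (pref 1000) that the kernel
# installs with the first VRF, so that a lookup inside a VRF consults the VRF
# table before the global local table (both ends here share 10.0.0.0/24).
local_rule_after_l3mdev() {
    run ip -4 rule add pref 32765 table local
    run ip -4 rule del pref 0
}

build_basic_topology() {
    mk_bridge br0
    bridge_access_port br0 eth2 10
    bridge_vlan_dev br0 10
    mk_vrf vrf1 10
    run ip link set dev eth1 master vrf1      # enslave first, then address
    run ip link set dev eth1 up
    run ip addr add 10.0.0.1/24 dev eth1
    run ip addr add 10.0.0.2/24 dev br0.10
    local_rule_after_l3mdev
}

# "Check config" slide: ping from inside vrf1 towards the default-VRF address.
# With isolation working, request and reply have to travel eth1 -> host bridge -> eth2.
check_basic_topology() {
    run ip vrf exec vrf1 ping -I eth1 -c 5 10.0.0.2
    run ip route show vrf vrf1
    run bridge vlan
}

if [ "${1:-}" = "apply" ]; then
    build_basic_topology
    check_basic_topology
fi
```

Run it as `sh vrf-basic.sh apply` inside the container (file name assumed). While the ping runs, `tcpdump -eni vmbrN icmp` on the Proxmox host (bridge name assumed) must show the echo requests with eth1's MAC as source and the replies with eth2's MAC; an empty capture with a working ping means the kernel answered locally and the VRF split is not effective.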

DoD
- Working topology (screenshots of ip addr, ip route, bridge vlan)
- 50% of credits: basic config with one VRF
- 100%: advanced configuration
- Proper IP and routing configuration (2 screenshots: a successful ping, and tcpdump output with MACs and exact interface names)
- Proof of isolation between VRFs (1-2 sentences based on the screenshots above: how do you know that traffic goes as expected?)

WARNING: If you shut down the container, its configuration will be lost! Save your commands and attach them to the assessment.

Q&A