VxLAN fabric. Part 3

Hello, Habr. I am finishing a series of articles devoted to the launch of the "Network Engineer" course from OTUS , on VxLAN EVPN technology on routing within a factory and using a Firewall to restrict access between internal services

The previous parts of the cycle can be found at the links:

• Part 1 of the cycle - L2 connectivity between servers
• 2 part of the cycle - Routing between VNIs
• 2.5 —

VxLAN. VRF. - VRF, . , Firewall, . , , " ".

VRF:

1. , VxLAN ;
2. .

VRF. VRF. VRF, , VRF ( , ). , , Leaf ( ). :

?

, Leaf VRF ( , ) , . Leaf , .

, ( - )

, VRF VRF, , .

export import ( ). :

VRF AF route-target import export . . ASN BGP L3 VNI, VRF. , ASN:

vrf context PROD20
  address-family ipv4 unicast
    route-target export auto      !     RT-65001:99000
    route-target import auto

ASN , route-target. — , , , 9999.

VNI VRF.

:

vrf context PROD10
  address-family ipv4 unicast
    route-target export 9999:99000          
    route-target import 9999:99000
    route-target import 9999:77000         !  1 import   VRF
    route-target import 9999:88000         !  2 import   VRF

:

Leaf11# sh ip route vrf prod
<.....>
192.168.20.0/24, ubest/mbest: 1/0
    *via 10.255.1.20%default, [200/0], 00:24:45, bgp-65001, internal, tag 65001
(evpn) segid: 99000 tunnelid: 0xaff0114 encap: VXLAN          !    L3VNI 99000

VRF — , Firewall.

:

1. , VxLAN ;
2. VxLAN.

, , — VRF Firewall VRF.

, Firewall VxLAN (, , VxLAN. , Checkpoint R81. , ).

:

— Firewall. .

, VRF. Firewall , Firewall VRF. Leaf VRF, Firewall VRF .

Firewall:

Firewall VRF, . , , Firewall, .

. Firewall, VRF. Leaf Firewall?

Leaf, Firewall, , :

0.0.0.0/0, ubest/mbest: 1/0
    *via 10.254.13.55, [1/0], 6w5d, static       !  -  Firewall

Leaf? -?

, EVPN route-type 5, VxLAN . ( cisco, )

- Leaf, Firewall. , Leaf . ( ), VRF, :

vrf context PROD10
    ip route 0.0.0.0/0 10.254.13.55

BGP AF IPv4:

router bgp 65001
    vrf prod
        address-family ipv4 unicast
            network 0.0.0.0/0

. - l2vpn evpn. :

router bgp 65001
    vrf prod
        address-family ipv4 unicast
            network 0.0.0.0/0
            redistribute static route-map COMMON_OUT

BGP

route-map COMMON_OUT permit 10
  match ip address prefix-list COMMON_OUT

ip prefix-list COMMON_OUT seq 10 permit 0.0.0.0/0

0.0.0.0/0 EVPN route-type 5 Leaf:

0.0.0.0/0, ubest/mbest: 1/0
    *via 10.255.1.5%default, [200/0], 5w6d, bgp-65001, internal, tag 65001, segid: 99000 tunnelid: 0xaff0105 encap: VXLAN
    ! 10.255.1.5 -   Leaf(  Leaf    VP ),    Firewall

BGP route-type 5 - 10.255.1.5:

* i[5]:[0]:[0]:[0]:[0.0.0.0]/224
                      10.255.1.5                        100          0 i
*>i                   10.255.1.5                        100          0 i

EVPN. VxLAN Multicast, ( )

/ , - EVPN — , .