Tungsten Fabric Solution Guide: Gateway MX

Author: Tony Liu. Translator: TF Compilation Team

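1 Overview

This guide describes how to use an MX as a gateway to provide external or underlay connectivity for the overlay managed by Tungsten Fabric. (Editor's note: the original text refers to Contrail. Its open-source version has been renamed Tungsten Fabric, so every occurrence of Contrail in this article has been replaced with Tungsten Fabric.)

Depending on performance requirements, the gateway can be connected to a spine or to a leaf.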

2 Underlay/INET

2.1 eBGP

In a typical IP fabric, all leaves, spines and gateways use eBGP to establish underlay connectivity.

2.2 iBGP

For iBGP, a route reflector (RR) is recommended to avoid full-mesh peering among all BGP speakers.

3 Overlay/VPN

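3.1 Loopback Address

A loopback address is allocated and advertised on each MX. It is used for BGP peering with the control nodes and for tunneling with the vRouters. Connectivity between Tungsten Fabric and the loopback address is provided by the underlay.

If separate interfaces are used for the control plane and the data plane, the address of the control interface is used as the next hop when the MX advertises routes. To fix this, the loopback interface should be used for both the control plane and the data plane.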

set interfaces lo0 unit 0 family inet address 10.6.0.31/32

3.2 BGP

3.2.1 AS

Typically, the gateway has a globally unique ASN.

set routing-options autonomous-system 64031

3.2.2 EBGP AND IBGP

eBGP is used when Tungsten Fabric and the gateway are in different ASes.

set protocols bgp group vpn-contrail type external
set protocols bgp group vpn-contrail multihop
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family evpn signaling
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512

iBGP is used when Tungsten Fabric and the gateway are in the same AS.

set protocols bgp group vpn-contrail type internal
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family evpn signaling
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1

When the gateway's global ASN differs from the Tungsten Fabric ASN, local-as can be used to enable iBGP.

set protocols bgp group vpn-contrail type internal
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail local-as 64512
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family evpn signaling
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512

3.3 BGP Family

3.3.1 L3VPN

set protocols bgp group vpn-contrail family inet-vpn unicast

3.3.2 EVPN

set protocols bgp group vpn-contrail family evpn signaling

3.3.3 ROUTE TARGET

set protocols bgp group vpn-contrail family route-target

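Family "route-target" is an optimization. When it is configured on the MX and a VRF import policy exists, the MX advertises route-target routes. Before advertising a VPN-IPv4 route to a neighbor, the MX also checks the route-target route table. If the route target carried by the route has not been advertised by the neighbor, the MX does not advertise the route to it.

If the control-plane and data-plane interfaces are separate, the MX receives route-target routes from the Tungsten Fabric control node. The next hop of an RT route is the control node address (on the control plane). The MX tries to resolve that next hop in the MPLS table (inet.3) on the data plane and fails. The RT route therefore does not take effect and is hidden, and as a result the MX does not advertise routes. To fix this, a static route can be added to inet.3 so that the next hop on the control interface can be resolved. The MX then applies the RT route and advertises routes. Tungsten Fabric has no such problem because it does not try to resolve the next hop.

3.4 Tunnel

Tunnel services must be enabled. Here is an example.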

set chassis fpc 0 pic 0 tunnel-services bandwidth 1g

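3.4.1 MPLSOGRE TUNNEL

For L3VPN, after BGP receives an INET-VPN route and places it in table bgp.l3vpn.0, it looks for an MPLS path for that route. BGP tries to resolve the route in table inet.3. If that succeeds, a GRE tunnel is created and an MPLS route is added to inet.3. Otherwise, the route is hidden in bgp.l3vpn.0.

Once the tunnel is enabled, routes for destination-networks are added to inet.3. Here is an example.

set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail gre
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24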
source-address is the loopback address.

Here is an example of a GRE tunnel route in table inet.3.

10.6.11.4/32 (1 entry, 1 announced)
        *Tunnel Preference: 300
                Next hop type: Router, Next hop index: 0
                Address: 0xd7a9210
                Next-hop reference count: 3
                Next hop: via gr-0/0/0.32769, selected
                Session Id: 0x0
                State: 
                Local AS: 64031 
                Age: 10 
                Validation State: unverified 
                Task: DYN_TUNNEL
                Announcement bits (2): 0-Resolve tree 1 1-Resolve_IGP_FRR task 
                AS path: I

Here is the dynamic tunnel database.

> show dynamic-tunnels database    
*- Signal Tunnels #- PFE-down
Table: inet.3       

Destination-network: 10.6.11.0/24
Tunnel to: 10.6.11.1/32 State: Up (expires in 00:06:58 seconds)
  Reference count: 0
  Next-hop type: gre
    Source address: 10.6.0.31
    Next hop: gr-0/0/10.32769
      State: Up
Tunnel to: 10.6.11.7/32 State: Up
  Reference count: 2
  Next-hop type: gre
    Source address: 10.6.0.31
    Next hop: gr-0/0/10.32770
      State: Up

3.4.2 MPLSOUDP TUNNEL

UDP tunnels are better suited to load balancing.

set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail udp
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24

Here is an example of a UDP tunnel route in table inet.3.

10.6.11.4/32 (1 entry, 1 announced)
        *Tunnel Preference: 300
                Next hop type: Tunnel Composite, Next hop index: 0
                Address: 0xd7a87f0
                Next-hop reference count: 2
                Tunnel type: UDP, Reference count: 5, nhid: 0
                Destination address: 10.6.11.4, Source address: 10.6.0.31
                State: 
                Local AS: 64031 
                Age: 24:46 
                Validation State: unverified 
                Task: DYN_TUNNEL
                Announcement bits (2): 0-Resolve tree 1 1-Resolve_IGP_FRR task 
                AS path: I

When routes are exported from the VRF to Tungsten Fabric, a policy is needed to attach the encapsulation community.

set policy-options policy-statement vrf-export-provider-1 term t1 then community add provider-1
set policy-options policy-statement vrf-export-provider-1 term t1 then community add encap-udp
set policy-options policy-statement vrf-export-provider-1 term t1 then accept
set policy-options community provider-1 members target:64512:101
set policy-options community encap-udp members encapsulation:64512:13

3.5 Routing Instance

3.5.1 VRF

The vrf instance type of an RI is used to hold L3 routes.

set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lo0.11
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-target target:64512:101
set routing-instances provider-1 vrf-table-label

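3.5.2 VIRTUAL SWITCH

(Omitted)

4 Route Import/Export

4.1 Workflow

4.1.1 IMPORT

  • First, BGP establishes peering with Tungsten Fabric. Without any VRF RI and
    import policy, table bgp.l3vpn.0 is not created and BGP cannot receive any INET-VPN routes.
  • After a VRF RI is created (vrf-table-label must be configured), either an implicit
    policy or an explicit policy can be used.
  • Configuring vrf-target enables the implicit policy, which imports routes carrying the specific RT community and exports routes with the specific RT
    community attached.
  • Configure "vrf-import" and "vrf-export" to specify explicit policies in case any other action is needed.
  • With any VRF RI and import policy in place, table bgp.l3vpn.0 is created.
  • Based on the import policy, a RIB group vpn-unicast is created for each RT.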
vpn-unicast target:64512:101, Address: 0xd7a8e40
  Address Family: l3vpn, Flags: 0x4, References: 0
  Export RIB: l3vpn.0
  Import RIB: bgp.l3vpn.0
  Secondary Import RIB: provider-1.inet.0
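  • BGP tries to resolve the route in table inet.3. If that succeeds, a GRE tunnel is allocated. Otherwise, the route is hidden.
  • BGP receives an INET-VPN route that matches the import policy (route-target
    community) and places it in table bgp.l3vpn.0. The route is also converted to an INET route and placed in the VRF table, which is the secondary import RIB in the RIB group. Otherwise, the route is dropped.

Here is an example of an INET-VPN route in table bgp.l3vpn.0. It is advertised over BGP from Tungsten Fabric; the route distinguisher 10.6.11.4:2 consists of the vRouter's IP address and an ID allocated by the vRouter; it is advertised from Tungsten Fabric control node 10.6.11.1; the next hop is via dynamic GRE tunnel interface gr-0/0/0.32769; the MPLS label is 25.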

10.6.11.4:2:172.16.11.3/32                
                   *[BGP/170] 00:03:11, MED 100, localpref 100, from 10.6.11.1
                      AS path: 64512 ?, validation-state: unverified
                    > via gr-0/0/0.32769, Push 25

The route is converted to an INET route and placed in the VRF.

172.16.11.3/32     *[BGP/170] 02:35:37, MED 100, localpref 100, from 10.6.11.1
                      AS path: 64512 ?, validation-state: unverified
                    > via gr-0/0/0.32769, Push 25

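4.1.2 EXPORT

To export a route from the VRF, the route is converted from INET to INET-VPN according to the export policy, placed in table bgp.l3vpn.0, and then exported by BGP. An MPLS label is allocated for the INET-VPN route in table mpls.0.

Here is the loopback interface in the VRF, as shown in table bgp.l3vpn.0.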

64512:101:172.16.11.250/32                
                   *[Direct/0] 00:43:14
                    > via lo0.11

The route is advertised with MPLS label 300624, as shown by "show route advertising-protocol bgp 10.6.11.1 detail".

* 64512:101:172.16.11.250/32 (1 entry, 1 announced)
 BGP group vpn-contrail type External
     Route Distinguisher: 64512:101
     VPN Label: 300624
     Nexthop: Self
     Flags: Nexthop Change
     AS path: [64031] I

The MPLS label is allocated in table mpls.0.

300624             *[VPN/170] 00:55:34
                      receive table provider-1.inet.0, Pop

4.2 Implicit VRF Import/Export Policy

With vrf-target, implicit import and export policies are created.

set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 vrf-target target:64512:101

The implicit import policy imports routes that carry community "target:64540:100". As a result, routes advertised from Tungsten Fabric virtual networks with "target:64540:100" are imported into this RI.

> show policy __vrf-import-5b4s37-166-internal__ 
Policy __vrf-import-5b4s37-166-internal__:
    Term unnamed:
        from community __vrf-community-5b4s37-166-common-internal__ [target:64540:100 ]
        then accept
    Term unnamed:
        then reject

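The implicit export policy exports routes with community "target:64540:100" attached. As a result, the routes are advertised to Tungsten Fabric and imported into the virtual networks with "target:64540:100".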

> show policy __vrf-export-5b4s37-166-internal__ 
Policy __vrf-export-5b4s37-166-internal__:
    Term unnamed:
        then community + __vrf-community-5b4s37-166-common-internal__ [target:64540:100 ] accept

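4.3 Explicit VRF Import/Export Policy

Policies can be defined explicitly to import and export routes. In this example, routes advertised from Tungsten Fabric virtual networks with "target:64540:91" and "target:64540:92" are imported into the RI. Routes in the RI are advertised with "target:64540:91" and "target:64540:92" and imported into the two virtual networks.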

set policy-options policy-statement provider-1-export term t1 then community add provider-1
set policy-options policy-statement provider-1-export term t1 then accept
set policy-options policy-statement provider-1-import term t1 from community provider-1
set policy-options policy-statement provider-1-import term t1 from community ext-host
set policy-options policy-statement provider-1-import term t1 then accept
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lo0.11
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export

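5 External/Underlay Connectivity

The idea is as follows.

  • Have a route in the master RI that steers ingress traffic (from external/underlay to overlay) to the VRF RI.
  • Have a route in the VRF RI that steers egress traffic (from overlay to external/underlay) to the master RI.
  • Routes may be leaked as static.

There are two working options:

  1. Logical tunnel
  2. RIB group and static route with next-table

See the following subsections for details.

5.1 Logical Tunnel

A logical tunnel connects the master routing instance and the VRF routing instance. It is optional, depending on the use case. Because of bandwidth limits, the requirements and the tunnel bandwidth of the specific hardware have to be checked before deciding.

5.1.1 STATIC

Here is an example that uses static routes over a logical tunnel.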

set chassis fpc 0 pic 0 tunnel-services
set interfaces lt-0/0/0 unit 100 encapsulation frame-relay
set interfaces lt-0/0/0 unit 100 dlci 10
set interfaces lt-0/0/0 unit 100 peer-unit 200
set interfaces lt-0/0/0 unit 100 family inet
set interfaces lt-0/0/0 unit 200 encapsulation frame-relay
set interfaces lt-0/0/0 unit 200 dlci 10
set interfaces lt-0/0/0 unit 200 peer-unit 100
set interfaces lt-0/0/0 unit 200 family inet
set routing-options static route 172.16.11.0/24 next-hop lt-0/0/0.100
set routing-instances provider-1 interface lt-0/0/0.200
set routing-instances provider-1 routing-options static route 0.0.0.0/0 next-hop lt-0/0/0.200

5.1.2 DYNAMIC

Here is an example that configures BGP peering between the VRF and master, using an aggregate route.

set chassis fpc 0 pic 0 tunnel-services
set interfaces lt-0/0/0 unit 100 encapsulation frame-relay
set interfaces lt-0/0/0 unit 100 dlci 10
set interfaces lt-0/0/0 unit 100 peer-unit 200
set interfaces lt-0/0/0 unit 100 family inet address 192.168.200.0/31
set interfaces lt-0/0/0 unit 200 encapsulation frame-relay
set interfaces lt-0/0/0 unit 200 dlci 10
set interfaces lt-0/0/0 unit 200 peer-unit 100
set interfaces lt-0/0/0 unit 200 family inet address 192.168.200.1/31
set protocols bgp group vrf type internal
set protocols bgp group vrf local-address 192.168.200.0
set protocols bgp group vrf keep all
set protocols bgp group vrf family inet unicast
set protocols bgp group vrf export provider-1-export
set protocols bgp group vrf neighbor 192.168.200.1
set policy-options policy-statement provider-1-export term t1 then community add provider-1
set policy-options policy-statement provider-1-export term t1 then accept
set policy-options policy-statement provider-1-aggregate-export term 1 from protocol aggregate
set policy-options policy-statement provider-1-aggregate-export term 1 from route-filter 172.16.11.0/24 exact
set policy-options policy-statement provider-1-aggregate-export term 1 then next-hop self
set policy-options policy-statement provider-1-aggregate-export term 1 then accept
set policy-options community provider-1 members target:64512:101
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lt-0/0/0.200
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export
set routing-instances provider-1 routing-options aggregate route 172.16.11.0/24
set routing-instances provider-1 protocols bgp group master type internal
set routing-instances provider-1 protocols bgp group master local-address 192.168.200.1
set routing-instances provider-1 protocols bgp group master keep all
set routing-instances provider-1 protocols bgp group master family inet unicast
set routing-instances provider-1 protocols bgp group master export provider-1-aggregate-export
set routing-instances provider-1 protocols bgp group master neighbor 192.168.200.0

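5.2 Next-table

A routing table can be specified as the next hop of a route. Conceptually, traffic could be steered between inet.0 and vrf.inet.0 as in the example below.

(Figure: next-table example; image not available.)

The problem with this solution is that it causes a routing loop. For example, traffic to 172.16.11.9 is directed to vrf.inet.0. If no specific route resolves it there, it returns to inet.0 through the default route. To avoid this kind of routing loop, Junos does not allow such a configuration.

Junos does not allow configuring a third table either.

5.3 RIB Group

RIB groups are commonly used to leak routes between routing tables. Conceptually, one RIB group can be created to import INET routes from vrf.inet.0 into inet.0, and another RIB group to import INET routes from inet.0 into vrf.inet.0.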

set routing-options rib-groups provider-1-master import-rib provider-1.inet.0
set routing-options rib-groups provider-1-master import-rib inet.0
set routing-options rib-groups master-provider-1 import-rib inet.0
set routing-options rib-groups master-provider-1 import-rib provider-1.inet.0
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast rib-group master-provider-1
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 routing-options auto-export family inet unicast rib-group provider-1-master

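This configuration leaks routes from inet.0 to vpn.inet.0. In the other direction, however, routes received from Tungsten Fabric are not leaked from vpn.inet.0 to inet.0, because of the way Junos is designed. These routes have already been leaked from bgp.l3vpn.0, so vpn.inet.0 is the secondary RIB for them. Routes in a secondary RIB are not leaked again.

5.4 RIB Group and Next-table

5.4.1 INGRESS

For ingress traffic, since Junos does not leak the overlay /32 routes from the VRF to master, there are two options.

Option 1: add a generate (aggregate) route in the VRF and use a RIB group to leak the aggregate route from vrf.inet.0 to inet.0.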

set routing-options rib-groups provider-1-master import-rib provider-1.inet.0
set routing-options rib-groups provider-1-master import-rib inet.0
set routing-options rib-groups provider-1-master import-policy provider-1-master-import
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-target target:64512:101
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 routing-options static route 0.0.0.0/0 next-table inet.0
set routing-instances provider-1 routing-options generate route 172.16.11.0/24 next-table provider-1.inet.0
set routing-instances provider-1 routing-options auto-export family inet unicast rib-group provider-1-master

Option 2: add a static route in master with next-table pointing to vrf.inet.0.

set routing-options static route 172.16.11.0/24 next-table provider-1.inet.0

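Option 2 is recommended.

Note that the export policy of the routing protocol needs to be updated to advertise such static routes.

5.4.2 EGRESS

For egress traffic, there are two options.

Option 1: add a static route in the VRF with next-table pointing to inet.0.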

set routing-instances provider-1 routing-options static route 0.0.0.0/0 next-table inet.0

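The problem here is that if it is a default route, as above, it causes a routing loop. For example, ingress traffic to 172.16.11.5/32, which does not exist in vrf.inet.0, will loop between master and the VRF. Using specific routes avoids the loop, but that is not dynamic and does not scale.

Option 2: leak the routes received by the routing protocol in master into the VRF.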

set protocols bgp group corp type external
set protocols bgp group corp family inet unicast rib-group bgp-corp-provider-1
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set routing-options rib-groups bgp-corp-provider-1 import-rib inet.0
set routing-options rib-groups bgp-corp-provider-1 import-rib provider-1.inet.0

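Again, because of a Junos limitation, routes leaked into the VRF (a secondary RIB) cannot be advertised to Tungsten Fabric. The solution is to add a default reject route.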

set routing-instances provider-1 routing-options static route 0.0.0.0/0 reject
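
The next-table loop described in sections 5.2 and 5.4.2 can be checked for in a candidate configuration before it is loaded. The Python below is an added example, not code from the original guide: it reads `set`-style lines, follows static next-table routes between tables, and reports every cycle together with the prefix that would bounce. It only understands static routes with next-table; the two sample configurations are assembled from lines on this page.

```python
import ipaddress
import re

# Static routes whose next hop is another routing table, in the master
# instance or inside a routing instance.
NEXT_TABLE_RE = re.compile(
    r"^set (?:routing-instances (?P<ri>\S+) )?routing-options "
    r"static route (?P<prefix>\S+) next-table (?P<table>\S+)$"
)

# Section 5.4.1 option 2 combined with section 5.4.2 option 1 (lines from this page).
LOOPING = """
set routing-options static route 172.16.11.0/24 next-table provider-1.inet.0
set routing-instances provider-1 routing-options static route 0.0.0.0/0 next-table inet.0
"""

# Excerpt of appendix A.1: the VRF default route is a reject, not a next-table.
APPENDIX_A1 = """
set routing-options static route 172.16.11.0/24 next-table provider-1.inet.0
set routing-options static route 172.16.12.0/24 next-table provider-2.inet.0
set routing-instances provider-1 routing-options static route 0.0.0.0/0 reject
set routing-instances provider-2 routing-options static route 0.0.0.0/0 reject
"""


def parse_next_table_routes(config):
    """Return {source_table: [(prefix, destination_table), ...]}."""
    edges = {}
    for line in config.splitlines():
        m = NEXT_TABLE_RE.match(line.strip())
        if not m:
            continue
        source = f"{m['ri']}.inet.0" if m["ri"] else "inet.0"
        prefix = ipaddress.ip_network(m["prefix"])
        edges.setdefault(source, []).append((prefix, m["table"]))
    return edges


def find_loops(config):
    """Return [(table_path, prefix_at_risk), ...] for every next-table cycle.

    A cycle is reported when the prefixes along it all overlap, i.e. some
    destinations are handed from each table to the next. A more specific route
    in a table on the path still wins for the addresses it covers, so the
    prefix is the range at risk (the /32s that are absent from the VRF).
    """
    edges = parse_next_table_routes(config)
    loops = []

    def walk(table, path, scope):
        for prefix, nxt in edges.get(table, []):
            if scope is not None and not prefix.overlaps(scope):
                continue
            # Overlapping CIDR blocks nest, so the intersection is the longer one.
            narrowed = prefix if scope is None or prefix.prefixlen >= scope.prefixlen else scope
            if nxt == path[0]:
                loops.append((path + [nxt], narrowed))
            elif nxt not in path:
                walk(nxt, path + [nxt], narrowed)

    for start in sorted(edges):
        walk(start, [start], None)
    # Each cycle is found once per starting table; keep the rotation that
    # starts at the alphabetically first table.
    return [(p, n) for p, n in loops if p[0] == min(p)]


if __name__ == "__main__":
    for name, cfg in (("5.4.1 + 5.4.2 option 1", LOOPING), ("appendix A.1", APPENDIX_A1)):
        loops = find_loops(cfg)
        print(name, "->", "no next-table loop" if not loops else "")
        for path, prefix in loops:
            print("  loop:", " -> ".join(path), "for destinations in", prefix)
```
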

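5.4.3 SOLUTION

In conclusion, here is the solution.

  • Leak routes from master to the VRF for egress traffic.
  • Add a static route in master for ingress traffic.

Appendix A.1 is the complete configuration.

Note that this does not work with MPLSoUDP.

5.5 Forwarding Filter and Next-table

This solution uses a forwarding filter to steer ingress traffic to the VRF RI, and a static route with next-table to steer egress traffic to the master RI.

This solution has two problems.

  1. Because of some issue in Junos, it does not work with MPLSoUDP.

  2. To advertise the route externally, a route pointing to the gateway itself has to be added. Ingress traffic hits the filter first, so the static route serves advertisement only and has no effect on traffic.

5.6 VRF to VRF

Appendix A.2 is an example configuration.

Note that, because of family route-target, the remote VRF RT must be configured in Tungsten Fabric as an import RT for the exposed VN. Otherwise, the gateway will not advertise the INET-VPN routes from the remote VRF.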

5.7 Community

Routes in Tungsten Fabric carry the following communities.

  • route target
  • encapsulation
  • mac-mobility
  • 0x8004 (security group)
  • 0x8071 (origin VN)

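Depending on the use case (for example, routes going to an external cluster or to another Tungsten Fabric cluster), these communities may or may not need to be cleaned up.

The configuration in appendix A.2 is an example of cleaning up communities.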
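
To see what the appendix A.2 cleanup does to a route before it crosses to the external peer, the following added Python example (not part of the original guide) evaluates the vpn-external-export policy against a route's community list and compares it with a variant that lacks the delete actions. It models only `from community`, `community add`, `community delete`, accept and reject, treats `*` in a member as a plain wildcard, and uses a constructed sample route written in the same type:administrator:value notation as the configuration.

```python
import fnmatch
import re

# Policy and community definitions copied from appendix A.2 of this page.
A2_POLICY = """
set policy-options policy-statement vpn-external-export term t1 from community provider-1
set policy-options policy-statement vpn-external-export term t1 then community add ext-host
set policy-options policy-statement vpn-external-export term t1 then community delete all-encaps
set policy-options policy-statement vpn-external-export term t1 then community delete all-security-groups
set policy-options policy-statement vpn-external-export term t1 then community delete all-origin-vns
set policy-options policy-statement vpn-external-export term t1 then accept
set policy-options community all-encaps members encapsulation:*:*
set policy-options community all-origin-vns members 0x8071:*:*
set policy-options community all-security-groups members 0x8004:*:*
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
"""
# Constructed variant: the same policy with the three delete actions removed.
NO_CLEANUP = "\n".join(
    line for line in A2_POLICY.splitlines() if " community delete " not in line)
# Constructed sample route; the 0x8004 and 0x8071 values are made up.
ROUTE = ["target:64512:101", "encapsulation:64512:13",
         "0x8004:64512:8000001", "0x8071:64512:5"]
# Community types from section 5.7 that describe cluster-internal state.
INTERNAL = ("encapsulation:*:*", "0x8004:*:*", "0x8071:*:*")

TERM_RE = re.compile(
    r"^set policy-options policy-statement (\S+) term (\S+) (from|then) (.+)$")
COMM_RE = re.compile(r"^set policy-options community (\S+) members (\S+)$")


def parse(config):
    """Return (communities, policies) parsed from `set policy-options` lines."""
    communities, policies = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := COMM_RE.match(line):
            communities.setdefault(m[1], []).append(m[2])
        elif m := TERM_RE.match(line):
            term = policies.setdefault(m[1], {}).setdefault(
                m[2], {"from": [], "then": []})
            term[m[3]].append(m[4].split())
    return communities, policies


def member_of(value, name, communities):
    """True if a community value matches any member pattern of community `name`."""
    return any(fnmatch.fnmatchcase(value, pat) for pat in communities[name])


def export(policy, config, route):
    """Apply `policy` to a route's community list; return (action, communities)."""
    communities, policies = parse(config)
    route = list(route)
    for term in policies[policy].values():
        # Only `from community` is modelled; a term without it matches every route.
        wanted = [w[1] for w in term["from"] if w[0] == "community"]
        if wanted and not any(member_of(c, n, communities) for n in wanted for c in route):
            continue
        for words in term["then"]:  # assumption: actions run in configured order
            if words[:2] == ["community", "add"]:
                route += [m for m in communities[words[2]] if m not in route]
            elif words[:2] == ["community", "delete"]:
                route = [c for c in route if not member_of(c, words[2], communities)]
            elif words[0] in ("accept", "reject"):
                return words[0], route
    return "default", route  # no term matched: communities are left untouched


def internal_left(route):
    """Communities on the route that still expose cluster-internal metadata."""
    return [c for c in route if any(fnmatch.fnmatchcase(c, p) for p in INTERNAL)]


if __name__ == "__main__":
    for name, cfg in (("appendix A.2", A2_POLICY), ("no cleanup", NO_CLEANUP)):
        action, out = export("vpn-external-export", cfg, ROUTE)
        print(f"{name}: {action} {out} internal left: {internal_left(out)}")
```

A route that does not carry provider-1 comes back as "default" with its communities unchanged, so whatever policy applies after the fall-through decides whether it reaches the peer uncleaned.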

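6 Multi-cluster

A single gateway can support multiple clusters, which should have different ASNs.

  • The gateway is configured with an ASN.
  • The clusters have different private ASNs.
  • iBGP among the control nodes within each cluster.
  • eBGP between the gateway and the control nodes of each cluster.
  • Multiple BGP groups can share the same interface to connect to different neighbor groups.
  • If each cluster is in a separate network, there is one dynamic tunnel group per cluster.
  • Each cluster should have a separate public address space. Since there is no address conflict, one VRF routing instance can be shared by multiple clusters, and the public virtual network in all clusters must have the same route
    target. As a result, public routes from one cluster are leaked to the other clusters.

Appendix

A.1 RIB Group and Next-table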

set version 18.3R1.9
set chassis fpc 0 pic 0 tunnel-services
set interfaces ge-0/0/0 mac 52:54:00:8c:f9:2b
set interfaces ge-0/0/0 unit 0 family inet address 10.6.30.2/30
set interfaces ge-0/0/1 mac 52:54:00:c4:ee:41
set interfaces ge-0/0/1 unit 0 family inet address 10.6.20.1/30
set interfaces fxp0 unit 0 family inet address 10.6.8.31/24
set interfaces lo0 unit 0 family inet address 10.6.0.31/32
set interfaces lo0 unit 11 family inet address 172.16.11.250/32
set interfaces lo0 unit 12 family inet address 172.16.12.250/32
set routing-options interface-routes rib-group inet master-direct-vrf
set routing-options static route 172.16.11.0/24 next-table provider-1.inet.0
set routing-options static route 172.16.12.0/24 next-table provider-2.inet.0
set routing-options rib-groups bgp-corp-vrf import-rib inet.0
set routing-options rib-groups bgp-corp-vrf import-rib provider-1.inet.0
set routing-options rib-groups bgp-corp-vrf import-rib provider-2.inet.0
set routing-options rib-groups master-direct-vrf import-rib inet.0
set routing-options rib-groups master-direct-vrf import-rib provider-1.inet.0
set routing-options rib-groups master-direct-vrf import-rib provider-2.inet.0
set routing-options rib-groups master-direct-vrf import-policy rib-import-master-vrf
set routing-options route-distinguisher-id 10.6.0.31
set routing-options autonomous-system 64031
set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail gre
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast rib-group bgp-corp-vrf
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set protocols bgp group fabric type external
set protocols bgp group fabric family inet unicast
set protocols bgp group fabric export direct
set protocols bgp group fabric neighbor 10.6.20.2 peer-as 64011
set protocols bgp group vpn-contrail type external
set protocols bgp group vpn-contrail multihop
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512
set policy-options policy-statement direct term t1 from protocol direct
set policy-options policy-statement direct term t1 from protocol aggregate
set policy-options policy-statement direct term t1 then accept
set policy-options policy-statement direct term t2 from protocol static
set policy-options policy-statement direct term t2 from route-filter 172.16.11.0/24 exact
set policy-options policy-statement direct term t2 then accept
set policy-options policy-statement direct term t3 from protocol static
set policy-options policy-statement direct term t3 from route-filter 172.16.12.0/24 exact
set policy-options policy-statement direct term t3 then accept
set policy-options policy-statement rib-import-master-vrf term t2 from protocol direct
set policy-options policy-statement rib-import-master-vrf term t2 then accept
set policy-options policy-statement rib-import-master-vrf term end then reject
set policy-options policy-statement vrf-export-provider-1 term t1 then community add provider-1
set policy-options policy-statement vrf-export-provider-1 term t1 then accept
set policy-options policy-statement vrf-export-provider-1 term end then reject
set policy-options policy-statement vrf-export-provider-2 term t1 then community add provider-2
set policy-options policy-statement vrf-export-provider-2 term t1 then accept
set policy-options policy-statement vrf-export-provider-2 term end then reject
set policy-options policy-statement vrf-import-provider-1 term t1 from community provider-1
set policy-options policy-statement vrf-import-provider-1 term t1 from community ext-host
set policy-options policy-statement vrf-import-provider-1 term t1 then accept
set policy-options policy-statement vrf-import-provider-1 term end then reject
set policy-options policy-statement vrf-import-provider-2 term t1 from community provider-2
set policy-options policy-statement vrf-import-provider-2 term t1 from community ext-host
set policy-options policy-statement vrf-import-provider-2 term t1 then accept
set policy-options policy-statement vrf-import-provider-2 term end then reject
set policy-options community all-encaps members encapsulation:*:*
set policy-options community all-origin-vns members 0x8071:*:*
set policy-options community all-security-groups members 0x8004:*:*
set policy-options community encap-udp members encapsulation:64512:13
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
set policy-options community provider-2 members target:64512:102
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 interface lo0.11
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import vrf-import-provider-1
set routing-instances provider-1 vrf-export vrf-export-provider-1
set routing-instances provider-1 vrf-table-label
set routing-instances provider-1 routing-options static route 0.0.0.0/0 reject
set routing-instances provider-2 instance-type vrf
set routing-instances provider-2 interface lo0.12
set routing-instances provider-2 route-distinguisher 64512:102
set routing-instances provider-2 vrf-import vrf-import-provider-2
set routing-instances provider-2 vrf-export vrf-export-provider-2
set routing-instances provider-2 vrf-table-label
set routing-instances provider-2 routing-options static route 0.0.0.0/0 reject

A.2 VRF to VRF

set version 18.3R1.9
set chassis fpc 0 pic 0 tunnel-services
set interfaces ge-0/0/0 mac 52:54:00:8c:f9:2b
set interfaces ge-0/0/0 unit 0 family inet address 10.6.30.2/30
set interfaces ge-0/0/1 mac 52:54:00:c4:ee:41
set interfaces ge-0/0/1 unit 0 family inet address 10.6.20.1/30
set interfaces fxp0 unit 0 family inet address 10.6.8.31/24
set interfaces lo0 unit 0 family inet address 10.6.0.31/32
set routing-options route-distinguisher-id 10.6.0.31
set routing-options autonomous-system 64031
set routing-options dynamic-tunnels contrail source-address 10.6.0.31
set routing-options dynamic-tunnels contrail gre
set routing-options dynamic-tunnels contrail destination-networks 10.6.11.0/24
set routing-options dynamic-tunnels contrail destination-networks 10.6.0.0/16
set protocols bgp group corp type external
set protocols bgp group corp family inet unicast
set protocols bgp group corp export direct
set protocols bgp group corp neighbor 10.6.30.1 peer-as 64041
set protocols bgp group fabric type external
set protocols bgp group fabric family inet unicast
set protocols bgp group fabric export direct
set protocols bgp group fabric neighbor 10.6.20.2 peer-as 64011
set protocols bgp group vpn-contrail type external
set protocols bgp group vpn-contrail multihop
set protocols bgp group vpn-contrail local-address 10.6.0.31
set protocols bgp group vpn-contrail keep all
set protocols bgp group vpn-contrail family inet-vpn unicast
set protocols bgp group vpn-contrail family route-target
set protocols bgp group vpn-contrail neighbor 10.6.11.1 peer-as 64512
set protocols bgp group vpn-external type external
set protocols bgp group vpn-external multihop
set protocols bgp group vpn-external local-address 10.6.0.31
set protocols bgp group vpn-external keep all
set protocols bgp group vpn-external family inet-vpn unicast
set protocols bgp group vpn-external family route-target
set protocols bgp group vpn-external export vpn-external-export
set protocols bgp group vpn-external neighbor 10.6.0.41 peer-as 64041
set policy-options policy-statement direct term t1 from protocol direct
set policy-options policy-statement direct term t1 then accept
set policy-options policy-statement provider-1-export term t1 then accept
set policy-options policy-statement provider-1-import term t1 from community provider-1
set policy-options policy-statement provider-1-import term t1 from community ext-host
set policy-options policy-statement provider-1-import term t1 then accept
set policy-options policy-statement vpn-external-export term t1 from community provider-1
set policy-options policy-statement vpn-external-export term t1 then community add ext-host
set policy-options policy-statement vpn-external-export term t1 then community delete all-encaps
set policy-options policy-statement vpn-external-export term t1 then community delete all-security-groups
set policy-options policy-statement vpn-external-export term t1 then community delete all-origin-vns
set policy-options policy-statement vpn-external-export term t1 then accept
set policy-options community all-encaps members encapsulation:*:*
set policy-options community all-origin-vns members 0x8071:*:*
set policy-options community all-security-groups members 0x8004:*:*
set policy-options community ext-host members target:64510:101
set policy-options community provider-1 members target:64512:101
set firewall family inet filter to-vrf term 1 from destination-address 172.16.11.0/24
set firewall family inet filter to-vrf term 1 then routing-instance provider-1
set firewall family inet filter to-vrf term default then accept
set routing-instances provider-1 instance-type vrf
set routing-instances provider-1 route-distinguisher 64512:101
set routing-instances provider-1 vrf-import provider-1-import
set routing-instances provider-1 vrf-export provider-1-export
