VRF_external.conf 3.5 KB

  1. ################################################################################
  2. # Internet table #
  3. ################################################################################
  4. {%- set ifaces = salt['pillar.get']('nodes:' ~ grains['id'] ~ ':ifaces', {}) %}
  5. {%- set have_vrf_external = [] %}
  6. {%- for iface, iface_config in ifaces.items () %}
  7. {%- if iface_config.get ('vrf', '') == 'vrf_external' %}
  8. {%- do have_vrf_external.append (True) %}
  9. {%- break %}
  10. {%- endif %}
  11. {%- endfor %}
  12. {%- if True not in have_vrf_external %}
  13. #
  14. # No vrf_external configured on this node. Nothing to do.
  15. #
  16. {%- else %}
  17. table t_external;
  18. filter external_IPs_to_learn {
  19. # For now
  20. reject;
  21. }
  22. protocol kernel k_external {
  23. scan time 20;
  24. learn;
  25. import filter external_IPs_to_learn;
  26. export all;
  27. table t_external;
  28. kernel table 1023;
  29. }
  30. # Add unreachable routes for RFC1918, RFC 6598, APIPA so we don't route
  31. # anything private into the internet + null route some bogons.
  32. protocol static bogon_unreach_ext {
  33. table t_external;
  34. {%- if proto == 'v4' %}
  35. route 0.0.0.0/8 unreachable; # Host-Subnet
  36. route 10.0.0.0/8 unreachable; # RFC 1918
  37. route 100.64.0.0/10 unreachable; # RFC 6598
  38. route 169.254.0.0/16 unreachable; # APIPA
  39. route 172.16.0.0/12 unreachable; # RFC 1918
  40. route 192.0.0.0/24 unreachable; # IANA RESERVED
  41. route 192.0.2.0/24 unreachable; # TEST-NET-1
  42. route 192.168.0.0/16 unreachable; # RFC 1918
  43. route 198.18.0.0/15 unreachable; # BENCHMARK
  44. route 198.51.100.0/24 unreachable; # TEST-NET-2
  45. route 203.0.113.0/24 unreachable; # TEST-NET-3
  46. route 224.0.0.0/3 unreachable; # MCast + Class E
  47. {%- else %}
  48. route ::/96 unreachable; # RFC 4291
  49. route 2001:db8::/32 unreachable; # Documentation
  50. route fec0::/10 unreachable; # Site Local
  51. route fc00::/7 unreachable; # ULA
  52. {%- endif %}
  53. }
  54. {%- if 'veth_int2ext' in ifaces and 'veth_ext2int' in ifaces %}
  55. {%- set veth_ips = {} %}
  56. {%- for iface in ifaces if iface in [ 'veth_int2ext', 'veth_ext2int' ] %}
  57. {%- do veth_ips.update ({ iface : { 'v4' : None, 'v6' : None }}) %}
  58. {%- for prefix in ifaces.get (iface, {}).get ('prefixes', []) %}
  59. {%- if "." in prefix %}
  60. {%- do veth_ips[iface].update ({ 'v4' : prefix.split ('/')[0] }) %}
  61. {%- else %}
  62. {%- do veth_ips[iface].update ({ 'v6' : prefix.split ('/')[0] }) %}
  63. {%- endif %}
  64. {%- endfor %}
  65. {%- endfor %}
  66. #
  67. # VRF glue
  68. #
  69. {%- set internal_ip = veth_ips['veth_int2ext'][proto] %}
  70. {%- set external_ip = veth_ips['veth_ext2int'][proto] %}
  71. # Learn route on external side of VEth tunnel between VRFs for recursive BGP
  72. # nexthop lookup.
  73. protocol direct d_ext2int {
  74. table t_external;
  75. interface "veth_ext2int";
  76. }
  77. template bgp ibgp_vrf_glue {
  78. local as AS_OWN;
  79. enable route refresh yes;
  80. graceful restart yes;
  81. }
  82. protocol bgp int2ext from ibgp_vrf_glue {
  83. import filter external_IPs_to_learn;
  84. export filter own_prefixes;
  85. source address {{ internal_ip }};
  86. neighbor {{ external_ip }} as AS_OWN;
  87. rr client;
  88. next hop self;
  89. }
  90. protocol bgp ext2int from ibgp_vrf_glue {
  91. table t_external;
  92. # External router!
  93. router id {{ veth_ips['veth_ext2int']['v4'] }};
  94. import filter own_prefixes;
  95. export filter {
  96. if proto = "k_external" then {
  97. bgp_community.add (EXTERNAL_ROUTE);
  98. accept;
  99. }
  100. reject;
  101. };
  102. source address {{ external_ip }};
  103. neighbor {{ internal_ip }} as AS_OWN;
  104. next hop self;
  105. }
  106. {%- endif %} {#- veth int/ext tunnel #}
  107. {%- endif %} {#- vrf_external exists #}