Monday, March 1, 2021

Loopback testing help

Hi everyone,

I've been working on this problem for a while now, and I've reached the point where I'm going in circles. I posted about this same problem previously, link to old post: https://www.reddit.com/r/networking/comments/kbd215/juniper_network_vrfs_and_loopback_test/

I've updated my configs and setup since that post, but it may help to understand where this started.

Here is the problem description (with some updates):

I'm trying to set up a loopback test that will go through a layer 2 device and be sent back on the same interface. Using iperf, I need to send test traffic from one VM to another VM on a different subnet. The traffic needs to take a specific path through the network and be looped back through a satellite modem. The modem has the ability to receive traffic on an ethernet interface and loop it back out the same interface. For the purposes of setting this up in a lab, I'm using ICMP to verify the traffic path. I've moved my test network from eve-NG to actual hardware. More on the production and test networks below.

Production network description:

The 2 VMs are on an ESXi cluster that connects to two EX4600 switches, which will be in a VC config. The 4600s downlink to multiple EX4300 ToR switches, which connect to the modems. I'm planning to use two VLANs with corresponding L3 interfaces on the 4600s to separate the VMs from each other. I also believe that I'll need to configure separate VRFs in order to prevent the 4600s from routing the traffic internally and not sending it through the modem.

Test network description:

2 Linux VMs running on a single ESXi host. Each VM has its own dedicated vswitch and portgroup, and each vswitch has a single physical interface assigned to it. The host connects to an EX4500, which is connected to an EX4200. The modem hangs off the EX4200. Each switch has multiple routing instances configured in order to separate the traffic.

I've attempted various configurations of route leaking between instances, FBF placing traffic from a specific source address into a specific routing instance, or a combination of the two. The closest I've gotten is running end-to-end traffic using leaked routes, however that bypasses the modem entirely.

Does anyone know of a way to force traffic out of a specific interface so that it goes through the layer 2 device before being forwarded on?

Diagram:

https://imgur.com/a/rjfOnOD

Configs:

EX4500

interfaces {
    ge-0/0/0 {
        unit 0 {
            description "link to esxi eth2, PERT1 VM";
            proxy-arp restricted;
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 2000;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description "link to esxi eth3, PERT2 VM";
            proxy-arp restricted;
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 2001;
                }
            }
        }
    }
    ge-0/0/38 {
        description "downlink to EX4200 ge-0/0/46";
        inactive: ether-options {
            802.3ad ae0;
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ 2000 2001 ];
                }
            }
        }
    }
    vlan {
        unit 2000 {
            description "PERT LAN 1";
            proxy-arp restricted;
            family inet {
                no-redirects;
                address 10.46.253.129/28;
            }
        }
        unit 2001 {
            description "PERT LAN 2";
            proxy-arp restricted;
            family inet {
                no-redirects;
                address 10.46.253.145/28;
            }
        }
    }
}
protocols {
    igmp-snooping {
        vlan all;
        vlan default;
    }
    dcbx {
        interface all;
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
routing-instances {
    pert1 {
        instance-type virtual-router;
        interface vlan.2000;
        routing-options {
            static {
                route 10.46.253.144/28 next-hop 10.46.253.131;
            }
        }
    }
    pert2 {
        instance-type virtual-router;
        interface vlan.2001;
        routing-options {
            static {
                route 10.46.253.128/28 next-hop 10.46.253.147;
            }
        }
    }
}
vlans {
    default {
        vlan-id 1;
    }
    pert-3000 {
        vlan-id 3000;
        l3-interface vlan.3000;
    }
    pert-3001 {
        vlan-id 3001;
        l3-interface vlan.3001;
    }
    pert1 {
        vlan-id 2000;
        l3-interface vlan.2000;
    }
    pert2 {
        vlan-id 2001;
        l3-interface vlan.2001;
    }
}

EX4200

interfaces {
    ge-0/0/0 {
        unit 0 {
            description "link to EBEM data";
            family inet {
                address 10.0.0.1/24;
            }
            inactive: family ethernet-switching;
        }
    }
    ge-0/0/1 {
        description "link to esxi eth7, wireshark";
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members pert1;
                }
            }
        }
    }
    ge-0/0/46 {
        description "uplink to EX4500 ge-0/0/38";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 2000-2001;
                }
            }
        }
    }
    vlan {
        unit 2000 {
            proxy-arp restricted;
            family inet {
                inactive: filter {
                    input f1;
                }
                address 10.46.253.131/28;
            }
        }
        unit 2001 {
            proxy-arp restricted;
            family inet {
                address 10.46.253.147/28;
            }
        }
    }
}
protocols {
    igmp-snooping {
        vlan all;
        vlan default;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
policy-options {
    policy-statement from-ebem1 {
        term t1 {
            from {
                instance ebem1;
                route-filter 10.0.0.0/24 orlonger;
            }
            then accept;
        }
        term t2 {
            then reject;
        }
    }
    policy-statement from-pert1 {
        term t1 {
            from {
                instance pert1;
                route-filter 10.46.253.128/28 orlonger;
            }
            then accept;
        }
        term t2 {
            then next policy;
        }
    }
    policy-statement from-pert2 {
        term t1 {
            from {
                instance pert2;
                route-filter 10.46.253.144/28 orlonger;
            }
            then accept;
        }
        term t2 {
            then reject;
        }
    }
}
firewall {
    family inet {
        filter f1 {
            term t1 {
                from {
                    source-address {
                        10.46.253.130/32;
                    }
                }
                then {
                    count filter-f1;
                    log;
                    routing-instance ebem1;
                }
            }
        }
        filter f2 {
            term t1 {
                from {
                    source-address {
                        10.46.253.130/32;
                    }
                    protocol icmp;
                }
                then {
                    count filter-f2;
                    log;
                    routing-instance pert2;
                }
            }
        }
    }
    family ethernet-switching {
        filter l2-f1 {
            term t1 {
                from {
                    source-address {
                        10.46.253.130/32;
                    }
                    protocol icmp;
                }
                then {
                    log;
                    count filter-f1;
                    interface ge-0/0/0.0;
                }
            }
        }
    }
}
routing-instances {
    ebem1 {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        routing-options {
            instance-import [ from-pert1 from-pert2 ];
        }
    }
    pert1 {
        instance-type virtual-router;
        interface vlan.2000;
        routing-options {
            inactive: instance-import from-ebem1;
        }
    }
    pert2 {
        instance-type virtual-router;
        interface vlan.2001;
        routing-options {
            instance-import from-ebem1;
        }
    }
}
ethernet-switching-options {
    inactive: analyzer traffic-mirror {
        input {
            ingress {
                interface ge-0/0/0.0;
                vlan pert1;
            }
            egress {
                interface ge-0/0/0.0;
            }
        }
        output {
            vlan {
                99 {
                    no-tag;
                }
            }
        }
    }
    storm-control {
        interface all;
    }
}
vlans {
    monitor {
        vlan-id 99;
    }
    pert1 {
        vlan-id 2000;
        l3-interface vlan.2000;
    }
    pert2 {
        vlan-id 2001;
        l3-interface vlan.2001;
    }
}
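A small audit script, added here and not part of the original post, that parses brace-style Junos config like the one above and reports, per routing instance, its interfaces, whether an active instance-import pulls routes in from another instance (route leaking), and any static route whose next-hop lies on none of the instance's own interfaces. The embedded sample is the EX4500's vlan units and routing instances, abridged from the post; the output structure is the script's own.

```python
import re
from ipaddress import ip_address, ip_interface

# Abridged EX4500 config from the post: the vlan L3 units and the routing instances.
SAMPLE = """interfaces { vlan { unit 2000 { family inet { address 10.46.253.129/28; } }
unit 2001 { family inet { address 10.46.253.145/28; } } } }
routing-instances { pert1 { instance-type virtual-router; interface vlan.2000;
routing-options { static { route 10.46.253.144/28 next-hop 10.46.253.131; } } }
pert2 { instance-type virtual-router; interface vlan.2001;
routing-options { static { route 10.46.253.128/28 next-hop 10.46.253.147; } } } }"""
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')  # quoted strings, braces/semicolons, words

def parse(tokens):
    """Recursive descent over Junos tokens: blocks become dicts, leaf statements map to None."""
    tree, words = {}, []
    for tok in tokens:
        if tok in ("{", ";"):
            tree[" ".join(words)] = parse(tokens) if tok == "{" else None
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok)
    return tree

def iface_networks(tree):
    """Map each L3 unit name (e.g. vlan.2000) to the networks of its family inet addresses."""
    nets = {}
    for ifname, ifbody in tree.get("interfaces", {}).items():
        for key, unit in (ifbody or {}).items():
            if key.startswith("unit "):
                inet = (unit or {}).get("family inet") or {}
                nets[f"{ifname}.{key.split()[1]}"] = [
                    ip_interface(k.split()[1]).network for k in inet if k.startswith("address ")]
    return nets

def audit_instances(config_text):
    """Per instance: interfaces, active instance-import (route leaking), static next-hops off its own interfaces."""
    tree = parse(iter(TOKEN.findall(config_text)))
    nets, report = iface_networks(tree), {}
    for name, body in tree.get("routing-instances", {}).items():
        ifaces = [k.split()[1] for k in body if k.startswith("interface ")]
        local = [n for i in ifaces for n in nets.get(i, [])]
        ropts, unresolved = body.get("routing-options") or {}, []
        leaks = any(k.startswith("instance-import") for k in ropts)  # "inactive:" keys are skipped
        for k in ropts.get("static") or {}:
            m = re.match(r"route (\S+) next-hop (\d[\d.]*)$", k)  # IP next-hops only
            if m and not any(ip_address(m[2]) in n for n in local):  # next-hop not on this VRF
                unresolved.append(m[1])
        report[name] = {"interfaces": ifaces, "leaks": leaks, "unresolved": unresolved}
    return report
```

Run audit_instances() over a full `show configuration` dump to see at a glance which instances share routes and which static routes cannot resolve inside their own instance.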
