Using routing domains / routing tables in a production network by Peter Hessler
-
Upload
eurobsdcon -
Category
Technology
-
view
120 -
download
2
Transcript of Using routing domains / routing tables in a production network by Peter Hessler
![Page 1: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/1.jpg)
using routing domains / routing tables in a productionnetwork
Peter Hessler
OpenBSD
27 September, 2014
![Page 2: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/2.jpg)
rtable vs rdomain
rtable
alternate routing table, usable with the same interfacesip addresses cannot overlapmultiple rtables can belong to a single rdomaincan be used for Policy Based Routing
![Page 3: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/3.jpg)
rtable vs rdomain
rdomain
completely independent routing table instanceassign 10.0.0.1/16 a dozen timesinterfaces can be assigned to only one rdomain at a timehow we ’know’ which one incoming packets should userdomains always contain at least one rtable
![Page 4: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/4.jpg)
rdomains
first added in OpenBSD 4.9, released October 2009
initially was IPv4 only
IPv6 support added in OpenBSD 5.5, released May 2014
![Page 5: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/5.jpg)
vrf-lite vs full vrf
vrf-lite
multiple routing tablesdone by handvery common in smaller enterprisesonly needs a single system...where most of my experience comes from
vrf
![Page 6: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/6.jpg)
vrf-lite vs full vrf
vrf-lite
vrf
also known as ’mpls’requires bgp, ldpd and large networksmost frequently used to connect multiple sites in a single network
![Page 7: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/7.jpg)
caveats
default routes for all the domains!
seriouslythe ’do we have a valid route’ check happens *before* pfvery common mistake
debugging can be painful
which route will be used?
but, how do we send (some) traffic to a different rdomain?
![Page 8: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/8.jpg)
Simple setup
$ ifconfig re0 rdomain 1$ ifconfig re0 10.0.0.10/16$ ifconfig lo1 rdomain 1$ ifconfig lo1 127.0.0.1/8$ route -T 1 add default 10.0.0.1$ route -T 1 exec /usr/sbin/sshd
![Page 9: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/9.jpg)
Simple setup
$ ifconfig em0
em0: flags=28843<UP,BROADCAST,...> rdomain 1 mtu 1500
lladdr 28:d2:44:ac:5d:59
priority: 0
media: Ethernet autoselect (none)
status: no carrier
inet 10.0.0.1 netmask 0xffff0000 broadcast 10.0.255.255
$ ifconfig lo1
lo1: flags=28049<UP,LOOPBACK,...> rdomain 1 mtu 32768
priority: 0
groups: lo
inet 127.0.0.1 netmask 0xff000000
![Page 10: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/10.jpg)
Simple setup
$ netstat -T1 -rnf inet
Routing tables
Internet:
Destination Gateway Flags ~ Prio Iface
default 10.0.0.1 GS ~ 8 em0
10.0/16 link#1 C ~ 4 em0
10.0.0.1 28:d2:44:ac:5d:59 HLl ~ 1 lo0
10.0.255.255 link#1 HLb ~ 1 em0
127.0.0.1 127.0.0.1 UH ~ 4 lo1
![Page 11: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/11.jpg)
Simple setup
pf.conf:
anchor "cust1.example.com" on rdomain 15 {
block
pass proto icmp
pass proto tcp from any to any port 80
}
pass in on rdomain 2 rtable 4
pass out from 10.0.0.0/16 to any nat-to (egress) rtable 20
![Page 12: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/12.jpg)
shared infrastructure (vrf-lite)
very common
just a management network
two rdomains, one pipe
backup servers
monitoring
etc
![Page 13: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/13.jpg)
full vrf
ldpd
label distribution protocol daemondistributes mpls label mappings
bgpd
distibute our networks over the mpls ”tunnel”
![Page 14: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/14.jpg)
production: discovering pitfalls
route -T 1 exec
adding rdomain to an interface
ftp-proxy
source and destination rdomains matter
ntpd
on rdomain
![Page 15: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/15.jpg)
production: discovering pitfalls
route -T 1 exec
originally for testing and hacking, turned out to be very usefulrecommended method to start a daemon in a second rdomain...except a few network tools and a limited number of daemons
adding rdomain to an interface
ftp-proxy
source and destination rdomains matter
ntpd
on rdomain
![Page 16: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/16.jpg)
production: discovering pitfalls
route -T 1 exec
adding rdomain to an interface
erases IP address configvlan vs parent interfacecarp
ftp-proxy
source and destination rdomains matter
ntpd
on rdomain
![Page 17: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/17.jpg)
production: discovering pitfalls
route -T 1 exec
adding rdomain to an interface
ftp-proxy
sometimes, you simply want to ftp from *and* to different rdomains
source and destination rdomains matter
ntpd
on rdomain
![Page 18: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/18.jpg)
production: discovering pitfalls
route -T 1 exec
adding rdomain to an interface
ftp-proxy
source and destination rdomains matter
ntpd
normal solution to needing services in a second rdomain? run thedaemon againrunning a second ntpd to provide time? Holy clock-skew Batman!
on rdomain
![Page 19: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/19.jpg)
production: discovering pitfalls
route -T 1 exec
adding rdomain to an interface
ftp-proxy
source and destination rdomains matter
ntpd
on rdomain
you want to match packets traveling on an rdomain
![Page 20: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/20.jpg)
best practices
default routes for all the things
as i said, real common mistake
pf.conf tricks
spend extra time in the planning stages
![Page 21: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/21.jpg)
very special thanks
henning@ for adding the multiple routing table support
claudio@ writing the code and for putting up with all of my asininequestions when we first tested
reyk@ for lots of work in bringing this into the tree and funding thisvia his (former) company
![Page 22: Using routing domains / routing tables in a production network by Peter Hessler](https://reader034.fdocuments.net/reader034/viewer/2022042817/55a9b0f51a28ab3b0c8b48ce/html5/thumbnails/22.jpg)
Questions?