Monday, 17 February 2014

VRF & Linux Network Name Space

Introduction

As we know, VRF (Virtual Routing and Forwarding on Switch) and Linux Network Name Space (on Linux hosts) can be used to achieve Network Isolation. Lets see how we can use them together.

Setup 

























On the Linux Host there are two namespaces, namely red and blue.
Each of the namespace is connected to its own Linux Bridge (i.e Red Namespace is connected to Bridge_red  and Blue Namespace is connected to Bridge_Blue ). Virtual Interface (veth0) connected to each bridge is assigned the same ip address (10.70.70.12/24). This L3 Network isolation achieved on the same host by using Network Namespaces.


Bridge_red is connected to external interface eth5 via eth5.80(eth5.80 sends tagged packet with vlan value as 80).
Bridge_blue is connected to external interface eth5 via eth5.90(eth5.80 sends tagged packet with vlan value as 90).

Linux host is connected to external device (that has VRF capability). 10.70.70.14/24 is the ip address configured on both the blue and red vrf's.


Commands to Create Red Name Space



Commands to Create Blue Name Space



Commands to Create VRF on external device.




Communication from Linux host to external device (ie Network Namespace to VRF)

Here ping is initiated from the veth0(10.70.70.12) in the blue namespace to 10.70.70.14 (in the blue VRF)











Here ping is initiated from the veth0(10.70.70.12) in the red namespace to 10.70.70.14 (in the redVRF)








Tcpdump can be used on LinuxBridge interfaces to verify that traffic is indeed flowing to the correct VRF on the external device.

Network Isolation (L3,ip address isolation)  can be achieved by using Linux Network Namespaces and VRFs.Also, we have seen here how they can be interconnected.

Network Isolation is an important concept in multi-tenant cloud environment.





No comments:

Post a comment