Configuring Virtual Networks for Hub-and-Spoke Topology
As of Contrail Release 3.0, hub-and-spoke topology can be used to ensure that virtual machines (VMs) don’t communicate with each other directly; their communication is only allowed indirectly by means of a designated hub virtual network.
Route Targets for Virtual Networks in Hub-and-Spoke Topology
Hub-and-spoke topology can be used to ensure that virtual machines (VMs) don’t communicate with each other directly; their communication is only allowed indirectly by means of a designated hub virtual network (VN). The VMs are configured in spoke VNs.
This is useful for enabling VMs in a spoke VN to communicate by means of a policy or firewall, where the firewall exists in a hub site.
hub-and-spoke topology is implemented using two route targets (hub-rt and spoke-rt), as follows:
- Hub route target (hub-rt):
- The hub VN exports all routes tagged with hub-rt.
- The spoke VN imports routes tagged with hub-rt, ensuring that the spoke VN has only routes exported by the hub VN.
- To attract spoke traffic, the hub VN readvertises the spoke routes or advertises the default route.
- Spoke route target (spoke-rt):
- All spoke VNs export routes with route target spoke-rt.
- The hub VN imports all spoke routes, ensuring that hub VN has all spoke routes.
 | Note: The hub VN or VRF can reside in an external gateway, such as an MX Series router, while the spoke VN resides in the Contrail controller. |
Example: Configuring Hub-and-Spoke Virtual Networks
The following example uses a script to configure the hub-and-spoke virtual networks.
In the example, the “hub-vn” is configured as a hub virtual network, with the import route target of “target:1:1” and the export route target of “target:1:2”. The “spoke-vn*” is configured as a spoke virtual network, with the import route target of “target:1:2” and the export route target of “target:1:1”.
The spoke-rt is “target:1:1” and the hub-rt is “target:1:2”, consequently, the “hub-vn” imports “spoke-rt” and exports “hub-rt”, and the spoke-vn imports “hub-rt” and exports “spoke-rt”.
Using vnc-api to Configure Hub-and-Spoke Topology Example
from vnc_api.vnc_api import *
lib = VncApi("admin", "<password>", "admin", "<ip address>", "8082")
vn=lib.virtual_network_read(fq_name=["default-domain", "admin", "hub-vn"])
vn.set_import_route_target_list(RouteTargetList(["target:1:1"]))
vn.set_export_route_target_list(RouteTargetList(["target:1:2"]))
lib.virtual_network_update(vn)
vn=lib.virtual_network_read(fq_name=["default-domain", "admin", "spoke-vn1"])
vn.set_import_route_target_list(RouteTargetList(["target:1:2"]))
vn.set_export_route_target_list(RouteTargetList(["target:1:1"]))
lib.virtual_network_update(vn)
vn=lib.virtual_network_read(fq_name=["default-domain", "admin", "spoke-vn2"])
vn.set_import_route_target_list(RouteTargetList(["target:1:2"]))
vn.set_export_route_target_list(RouteTargetList(["target:1:1"]))
lib.virtual_network_update(vn)
vn=lib.virtual_network_read(fq_name=["default-domain", "admin", "spoke-vn3"])
vn.set_import_route_target_list(RouteTargetList(["target:1:2"]))
vn.set_export_route_target_list(RouteTargetList(["target:1:1"]))
lib.virtual_network_update(vn)
vn=lib.virtual_network_read(fq_name=["default-domain", "admin", "spoke-vn4"])
vn.set_import_route_target_list(RouteTargetList(["target:1:2"]))
vn.set_export_route_target_list(RouteTargetList(["target:1:1"]))
lib.virtual_network_update(vn)
Troubleshooting Hub-and-Spoke Topology
The following examples provide methods to help you troubleshoot hub-and-spoke configurations.
Example: Validating the Configuration on the Virtual Network
The following example uses the api-server HTTP get request to validate the configuration on the virtual network.
Hub VN configuration:
curl -u admin:<password> http://<host ip>/virtual-network/<hub-vn-uuid>| python -m json.tool
{
"virtual-network": {
"display_name": "hub-vn",
"fq_name": [
"default-domain",
"admin",
"hub-vn"
],
"export_route_target_list": {
"route_target": [
"target:1:2"
]
},
"import_route_target_list": {
"route_target": [
"target:1:1"
]
},
}
}
Spoke VN configuration:
curl -u admin:<password> http://<host ip>:8095/virtual-network/<spoke-vn-uuid> | python -m json.tool
{
{
"virtual-network": {
"display_name": "spoke-vn1",
"fq_name": [
"default-domain",
"admin",
"spoke-vn1"
],
"export_route_target_list": {
"route_target": [
"target:1:1"
]
},
"import_route_target_list": {
"route_target": [
"target:1:2"
]
},
}
}
Example: Validate the Configuration on the Routing Instance
The following example uses api-server HTTP get request to validate the configuration on the routing instance.
Spoke VRF configuration (with a system-created VRF by schema transformer):
user@node:/opt/contrail/utils# curl -u admin:<password> http://<host ip>:8095/routing-instance/<spoke-vrf-uuid>| python -m json.tool
{
"routing-instance": {
"display_name": "spoke-vn1",
"fq_name": [
"default-domain",
"admin",
"spoke-vn1",
"spoke-vn1"
],
"route_target_refs": [
{
"attr": {
"import_export": "export"
},
"href": "http://<host ip>:8095/route-target/446a3bbe-f263-4b58-a537-8333878dd7c3",
"to": [
"target:1:1"
],
"uuid": "446a3bbe-f263-4b58-a537-8333878dd7c3"
},
{
"attr": {
"import_export": null
},
"href": "http://<host ip>:8095/route-target/7668088d-e403-414f-8f5d-649ed80e0689",
"to": [
"target:64512:8000012"
],
"uuid": "7668088d-e403-414f-8f5d-649ed80e0689"
},
{
"attr": {
"import_export": "import"
},
"href": "http://<host ip>:8095/route-target/8f216064-8488-4486-8fce-b4afb87266bb",
"to": [
"target:1:2"
],
"uuid": "8f216064-8488-4486-8fce-b4afb87266bb"
}
],
"routing_instance_is_default": true,
}
}
Hub VRF configuration:
curl -u admin:<password> http://<host ip>:8095/routing-instance/<hub-vrf-uuid> | python -m json.tool
{
"routing-instance": {
"display_name": "hub-vn",
"fq_name": [
"default-domain",
"admin",
"hub-vn",
"hub-vn"
],
"route_target_refs": [
{
"attr": {
"import_export": "import"
},
"href": "http://<host ip>:8095/route-target/446a3bbe-f263-4b58-a537-8333878dd7c3",
"to": [
"target:1:1"
],
"uuid": "446a3bbe-f263-4b58-a537-8333878dd7c3"
},
{
"attr": {
"import_export": "export"
},
"href": "http://<host ip>:8095/route-target/8f216064-8488-4486-8fce-b4afb87266bb",
"to": [
"target:1:2"
],
"uuid": "8f216064-8488-4486-8fce-b4afb87266bb"
},
{
"attr": {
"import_export": null
},
"href": "http://<host ip>:8095/route-target/a85fec19-eed2-430c-af23-9919aca1dd12",
"to": [
"target:64512:8000016"
],
"uuid": "a85fec19-eed2-430c-af23-9919aca1dd12"
}
],
"routing_instance_is_default": true,
}
}
Example: Using Contrail Control Introspect
Figure 1 shows the import and export targets for hub-vn and spoke-vns, by invoking contrail-control-introspect.
Figure 1: Contrail Introspect
