Configure Inter-Virtual Network Routing Through Route Targets
SUMMARY Cloud-Native Contrail® Networking™ (CN2) supports inter-virtual network routing using route targets. Specify common route targets to route traffic between your virtual networks.
Virtual Networks and Routing Instances Overview
A routing instance is a collection of routing tables, interfaces, and routing protocol parameters. The set of interfaces in a routing instance belongs to the routing tables, and the routing protocol parameters control the information in the routing tables. A single routing instance might have multiple routing tables—for example, unicast IPv4, unicast IPv6, and multicast IPv4 routing tables can exist in a single routing instance.
In virtual networking, a physical networking device might be split into multiple virtual
routers, each with its own interfaces, routing instances, and associated virtual networks.
Routing instances isolate traffic within a VirtualNetwork
. If you want to
route traffic between your virtual networks, you can define common route targets for those
networks.
Route Target Overview
Route targets enable your virtual networks (namespaces) to exchange virtual routing and forwarding (VRF) routing tables in a Multiprotocol Label Switching (MPLS) configuration. A route target is a BGP Extended Communities Attribute that defines VPN membership. In other words, members of that VPN share all routes defined within an Extended Communities Attribute. You define the following two route targets in your VRF policy:
-
Route-target import list: Defines a list of acceptable route targets for a VRF to import. When a provider edge (PE) router receives a route from another PE router, it compares the route targets to the route-target import list. Specifically, the PE router compares the route targets attached to each route against the route-target import list defined for each of its VRFs. If no new route target matches the route targets defined in the import list, the VRF rejects the route.
-
Route-target export list: Defines a list of route targets attached to every route advertised to other PE routers in your VPN.
Depending on your network configuration, the import and export lists might be identical. Typically, you do the following:
-
Allocate one route target extended-community value per VPN.
-
Configure the import list and the export list to include the same information: the set of VPNs comprising the sites associated with the VRF.
For more complicated configurations like hub-and-spoke VPNs, the route-target import list and the route-target export list might not be identical.
Enable Inter-Virtual Network Routing Through Route Targets with NAD
Establish route-target communities by defining matching route targets in your
VirtualNetwork
resource. This enables you to route traffic between your
virtual networks (namespaces). Add route targets to a VirtualNetwork
resource object using the Network Attachment Definition
(NAD
).
The Network Attachment Definition (NAD) is a Custom Resource Definition (CRD) specified by
the Kubernetes Network Plumbing Working Group. This CRD, NAD
, defines how a
pod attaches to a logical (virtual) or physical network that the NAD
object
refers to. In other words, the NAD
object contains networking information
(namespace, subnet, routing, interface) for a pod in relation to a network. You can define
the following options for your VirtualNetwork
resource in the
annotations
of a NAD
YAML file:
-
ipamV4Subnet
(optional): Specifies an IPv4 CIDR subnet for yourVirtualNetwork
. -
ipamV6Subnet
(optional): Specifies an IPv6 CIDR subnet for yourVirtualNetwork
. -
routeTargetList
(optional): Lists import and export route targets. -
importRouteTargetList
(optional): Lists route targets used as imports. -
exportRouteTargetList
(optional): Lists route targets used as exports. -
fabricSNAT
(optional): Toggles connectivity to the underlay network by port mapping. The default setting isfalse
.
Additionally, the NAD-Controller
monitors NAD
object-creation events and creates and updates a VirtualNetwork
accordingly. The juniper.net/networks-status
annotation of the
NAD
updates success or error events during
VirtualNetwork
creation.
If you do not specify a juniper.net/networks
annotation, then
Cloud-Native Contrail Networking treats the NAD
resource as a third-party
resource. Cloud-Native Contrail Networking does not create Contrail resources (such as
VirtualNetwork
and Subnet
).
The following example shows a NAD
YAML file with several
annotations
defined:
Example 1:
apiVersion: "k8s.cni.cncf.io/v1" kind: NetworkAttachmentDefinition metadata: name: nasa-network namespace: nm1 annotations: juniper.net/networks: '{ "ipamV4Subnet": "172.16.10.0/24", "ipamV6Subnet": "2001:db8::/64", "routeTargetList": ["target:23:4561"], "importRouteTargetList": ["target:10.2.2.2:561"], "exportRouteTargetList": ["target:10.1.1.1:561"], "fabricSNAT": true }' juniper.net/networks-status: # should be updated by Kube-Manager to status of NAD object. spec: config: '{ "cniVersion": "0.3.1", "name": "nasa-network", "type": "contrail-k8s-cni" }'
The NAD-Controller
automatically updates the
VirtualNetwork
resource after you apply your NAD
YAML
file.
The following example shows a VirtualNetwork
resource with several
route-target options defined:
Example 2:
apiVersion: core.contrail.juniper.net/v1alpha1 kind: VirtualNetwork metadata: namespace: project-sample name: virtualnetwork-sample spec: routeTargetList: - target:23:4561 - target:21L:7000 - target:871:6540 importRouteTargetList: - target:10.2.2.2:561 - target:97:651 exportRouteTargetList: - target:10.1.1.1:561 - target:97:651
After establishing your desired network annotations, you can create a pod with custom
interfaces that are attached to networks with shared route targets. These networks route
traffic between one another as a result of the shared route targets defined in the
NAD
and VirtualNetwork
objects.
The following example shows a pod YAML file with custom interfaces derived from the annotations in Example 1.
Example 3:
apiVersion: v1 kind: Pod metadata: name: nasa-pod-1 annotations: k8s.v1.cni.cncf.io/networks: |- [ { "name":"nasa-network1", "namespace":"nasa-ns", "cni-args":null, "ips":["172.16.20.42"], "mac":"de:ad:00:00:be:ef", "interface":"tap1" }, { "name":"nasa-network2", "namespace":"nasa-ns", "cni-args":null, "ips":["172.16.21.42"], "mac":"de:ad:00:00:be:ee", "interface":"tap2" } ]
Note that the two interfaces shown in the preceding code example
(nasa-network1
and nasa-network2
) attach to different
networks. As a result of NAD
functionality, you can route traffic between
these networks.