Fun with PBR, VRFs, and NetNS on Linux
What is it, how does it work, and what can I do with it?
Maximilian Wilhelm
max@sdn.clinic
Agenda
1. Motivation
2. Routing basics
3. Policy-based routing
4. VRFs
5. NetNS
Who's who Maximilian Wilhelm
Networker
OpenSource Hacker
Fanboy of
(Debian) Linux
(Linux) networking
Occupation:
By day: Network Engineer at Cloudflare
By night: Infrastructure Archmage, Freifunk Hochstift
In between: Freelance Infrastructure Architect for hire
Contact
@BarbarossaTM
max@sdn.clinic
Motivation
Example 1 - University in need of magic routing (PBR)
Example 2 - Freifunk Hochstift Backbone
Example 3 - A small ISP
Use cases
Policy-based routing
Route IPv4 traffic leaving the network to CGN boxes
Route non-interactive traffic across cheaper link
VRFs
Keep Internet and internal routing domains separated
Provide LB/proxy to internal services but don't expose hosts completely
Provide overlays for customers / different routing domains
NetNS
Full-blown separation for applications (-> containers)
vEth + NetNS for debugging purposes
Routing (on Linux)
Routing
Every device speaking IP has a routing table
German translation according to IBM: "Leitwegtabelle"
Packets are forwarded according to longest prefix match
Default Gateway or Gateway of last resort used if no entry matches
Hot Potato principle
Packets forwarded to next hop w/o knowledge of their routing table
Asymmetric routing
Path to destination and return path don't have to be identical
Routing table
Possible routing table of your laptop when using company VPN:
Prefix             Iface   Next-hop
10.0.0.0/8         tun0    10.23.42.1
10.23.42.0/25      tun0
192.168.178.0/24   wlan0
0.0.0.0/0          wlan0   192.168.178.1
Source address selection
With every routing decision for a locally originated connection a source address is
selected based on the routing table.
Usually the (primary) IP configured on the outgoing interface
May be explicitly set to any IP
For example IP on loopback interface
Prefix             Iface   Next-hop        Src address
10.0.0.0/8         tun0    10.23.42.1
10.23.42.0/25      tun0                    10.23.42.8
192.168.178.0/24   wlan0                   192.168.178.5
0.0.0.0/0          wlan0   192.168.178.1
Source address selection - ICMP errors
What IP will answer on errors?
# icmp_errors_use_inbound_ifaddr - BOOLEAN
#
# If zero, icmp error messages are sent with the primary address of
# the exiting interface.
#
# If non-zero, the message will be sent with the primary address of
# the interface that received the packet that caused the icmp error.
# This is the behaviour many network administrators will expect from
# a router. And it can make debugging complicated network layouts
# much easier.
#
# Note that if no primary address exists for the interface selected,
# then the primary address of the first non-loopback interface that
# has one will be used regardless of this setting.
#
# Default: 0
net.ipv4.icmp_errors_use_inbound_ifaddr = 1
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.rst
IPv6: It's complicated, see RFC6724
Routing tables
Every Linux box has a number of routing tables
$ ip route help
Usage: ip route { list | flush } SELECTOR
...
SELECTOR := ... [ table TABLE_ID ]
...
TABLE_ID := [ local | main | default | all | NUMBER ]
By default routing table main is used
So ip route show and ip route show table main show the same thing
Default Routing Tables on Linux
Table local
Contains all routes to
Locally connected IPs
Broadcast addresses
Table main
Contains "usual" routes
Locally connected subnets
Routes to remote subnets
Table default
Usually empty
Default Routing Tables on Linux
Table local
$ ip route show table local
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.178.0 dev wlan0 proto kernel scope link src 192.168.178.42
local 192.168.178.42 dev wlan0 proto kernel scope host src 192.168.178.42
broadcast 192.168.178.255 dev wlan0 proto kernel scope link src 192.168.178.42
Table main
$ ip route show [table main]
default via 192.168.178.1 dev wlan0 proto dhcp metric 600
192.168.178.0/24 dev wlan0 proto kernel scope link src 192.168.178.42 metric 600
Table default
$ ip route show table default
$
What happens on link-down?
By default Linux will try to use routes with link down
Behaviour can be controlled via sysctl
# ip r
default via 192.168.178.1 dev eth2
192.168.178.0/24 dev eth2 proto kernel scope link src 192.168.178.42
# echo 1 > /proc/sys/net/ipv4/conf/eth2/ignore_routes_with_linkdown
# ip r
default via 192.168.178.1 dev eth2 dead linkdown
192.168.178.0/24 dev eth2 proto kernel scope link src 192.168.178.42 dead linkdown
# ping 1.1.1.1
connect: Network is unreachable
PBR Policy-based routing
Policy-based routing
Available since Linux 2.2 (1999)
Allows influencing the routing decision depending on (e.g.)
Ingress interface
Source address
Source/destination port
Something netfilter can match
Drawbacks
Be sure to close the loopholes:
Rule for IPv4
Rule for IPv6
Rule for incoming interface
ICMP errors might still get routed by table main
Default routing policy on every Linux box
Remember the routing tables from before?
$ ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
PBR rules
$ ip rule help
Usage: ip rule { add | del } SELECTOR ACTION
ip rule { flush | save | restore }
ip rule [ list [ SELECTOR ]]
SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]
[ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ]
[ uidrange NUMBER-NUMBER ]
[ ipproto PROTOCOL ]
[ sport [ NUMBER | NUMBER-NUMBER ]
[ dport [ NUMBER | NUMBER-NUMBER ] ]
ACTION := [ table TABLE_ID ]
[ protocol PROTO ]
[ nat ADDRESS ]
[ realms [SRCREALM/]DSTREALM ]
[ goto NUMBER ]
SUPPRESSOR
SUPPRESSOR := [ suppress_prefixlength NUMBER ]
[ suppress_ifgroup DEVGROUP ]
TABLE_ID := [ local | main | default | NUMBER ]
PBR rules - examples
Half our users are special
# ip rule add from 192.168.178.0/25 table 178
Web traffic is special
# ip rule add dport 80 table 80
# ip rule add dport 443 table 80
Packets arriving at eth0 are special
# ip rule add iif eth0 table 23
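The following Python script is an added example (not code from the talk) that simulates what the routing slides and the PBR rules above describe: rules are tried by preference, each one selects a table, the table is searched by longest prefix match, and the winning route fixes the outgoing device and the source address. It reuses the laptop table from the "Routing table" slide and the "web traffic is special" rules; the second gateway 192.168.178.254, the contents of table 80 and the packet headers are constructed for the demo. The point it adds to the slides is the fall-through behaviour behind "close the loopholes": a rule whose table has no matching route does not stop the lookup, so when table 80's route disappears the traffic silently takes table main, unless an unreachable route with the worst metric is left in the table to fail closed.

```python
"""Simulate the Linux routing decision: ip rules by preference, longest prefix
match inside the selected table, then source address selection.
Added example, not from the slides; tables mirror the deck's laptop example,
the gateway 192.168.178.254 and table 80's contents are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str                            # outgoing device ("" for unreachable)
    via: Optional[IPv4Address] = None   # next hop; None = directly connected
    src: Optional[IPv4Address] = None   # explicit "src" (preferred source)
    metric: int = 0
    unreachable: bool = False           # "ip route add unreachable ..."


@dataclass(frozen=True)
class Rule:
    pref: int
    table: str
    src: Optional[IPv4Network] = None   # from PREFIX
    iif: Optional[str] = None           # iif DEV
    dport: Optional[int] = None         # dport NUMBER

    def matches(self, pkt: dict) -> bool:
        if self.src is not None and ip_address(pkt["src"]) not in self.src:
            return False
        if self.iif is not None and pkt.get("iif") != self.iif:
            return False
        return self.dport is None or pkt.get("dport") == self.dport


@dataclass(frozen=True)
class Decision:
    table: Optional[str]         # table that produced the route; None = no route
    route: Optional[Route]
    src: Optional[IPv4Address]   # selected source address; None if unreachable


def lookup(table: list[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest prefix match within one table; ties go to the lower metric."""
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric)) if hits else None


def route_packet(rules, tables, primary_addr, pkt) -> Decision:
    """Walk the rules by preference. A matching rule whose table holds no route
    for the destination does NOT end the lookup: the kernel falls through to
    the next rule. That fall-through is the loophole the talk warns about."""
    dst = ip_address(pkt["dst"])
    for rule in sorted(rules, key=lambda r: r.pref):
        if not rule.matches(pkt):
            continue
        route = lookup(tables.get(rule.table, []), dst)
        if route is None:
            continue
        if route.unreachable:
            return Decision(rule.table, route, None)
        # Source address selection: explicit src wins, otherwise the primary
        # address of the outgoing interface.
        src = route.src if route.src is not None else primary_addr[route.dev]
        return Decision(rule.table, route, src)
    return Decision(None, None, None)


# --- constructed scenario mirroring the deck's laptop-with-VPN example -------
N, A = ip_network, ip_address
PRIMARY_ADDR = {"wlan0": A("192.168.178.5"), "tun0": A("10.23.42.8")}
TABLE_LOCAL = [Route(N("192.168.178.5/32"), "lo", src=A("192.168.178.5"))]
TABLE_MAIN = [
    Route(N("10.0.0.0/8"), "tun0", via=A("10.23.42.1")),
    Route(N("10.23.42.0/25"), "tun0", src=A("10.23.42.8")),
    Route(N("192.168.178.0/24"), "wlan0"),
    Route(N("0.0.0.0/0"), "wlan0", via=A("192.168.178.1")),
]
# "Web traffic is special": table 80 steers it over a cheaper second gateway.
CHEAP_LINK = Route(N("0.0.0.0/0"), "wlan0", via=A("192.168.178.254"), metric=1)
# Fail-closed guard: same prefix, worst metric, so it only wins once the
# cheap-link route has been withdrawn (link down, daemon died, typo).
FAIL_CLOSED = Route(N("0.0.0.0/0"), "", metric=4294967295, unreachable=True)
RULES = [Rule(0, "local"), Rule(32764, "80", dport=80), Rule(32765, "80", dport=443),
         Rule(32766, "main"), Rule(32767, "default")]
WEB = {"src": "192.168.178.5", "dst": "203.0.113.10", "dport": 443}
SSH = {"src": "192.168.178.5", "dst": "10.5.5.5", "dport": 22}


def decide(pkt: dict, table_80: list[Route]) -> Decision:
    tables = {"local": TABLE_LOCAL, "80": table_80, "main": TABLE_MAIN, "default": []}
    return route_packet(RULES, tables, PRIMARY_ADDR, pkt)


def demo() -> dict[str, Decision]:
    return {
        "web_link_up": decide(WEB, [CHEAP_LINK]),
        "web_link_down_leaks": decide(WEB, []),               # silently uses main
        "web_link_down_closed": decide(WEB, [FAIL_CLOSED]),   # unreachable instead
        "vpn": decide(SSH, [CHEAP_LINK]),
        "self": decide({"src": "192.168.178.5", "dst": "192.168.178.5"}, []),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:22} table={d.table} route={d.route} src={d.src}")
```

Running it prints one decision per scenario; the two "link down" variants differ only in whether table 80 still holds the unreachable guard, which is the difference between traffic quietly crossing to the default path and a clean "Network is unreachable".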
Virtual Routing and Forwarding
Virtual Routing and Forwarding (VRFs)
Independent routing instances, provides Layer 3 separation
Commonly used for
(OOB) mgmt access
L3-VPNs, usually in combination with MPLS
VRFs on Linux
VRF interface is master for “real” (member) interfaces
Maps to a (numeric) routing table
Netfilter rules shared across VRFs
Introduced in Kernel 4.[345] (use >= 4.9)
Configuring VRFs
By foot
ip link add vrf_external type vrf table 1023
ip link set eth0 master vrf_external # Option 1: generic
ip link set eth0 vrf vrf_external # Option 2: VRF specific
ifupdown2 / ifupdown-ng
auto eth0
iface eth0
    address 2002:db8:23:42::2/64
    gateway 2001:db8:23:42::1/64
    vrf vrf_external

auto vrf_external
iface vrf_external
    vrf-table 1023
Device routes move from table main and local to table 1023
VRFs: Under the hood - IPv4
A VRF is like a routing table with benefits:
$ ip r s vrf vrf_external
default via 192.0.2.1 dev eth0 metric 1
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.42
$ ip r s table 1023
default via 192.0.2.1 dev eth0 metric 1
broadcast 192.0.2.255 dev eth0 proto kernel scope link src 192.0.2.42
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.42
local 192.0.2.42 dev eth0 proto kernel scope host src 192.0.2.42
broadcast 192.0.2.255 dev eth0 proto kernel scope link src 192.0.2.42
VRFs: Under the hood - IPv6
A VRF is like a routing table with benefits:
$ ip -6 r s vrf vrf_external
anycast 2001:db8:23:42:: dev eth0 proto kernel metric 0 pref medium
2002:db8:23:42::/64 dev eth0 proto kernel metric 256 linkdown pref medium
anycast fe80:: dev eth0 proto kernel metric 0 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0 proto kernel metric 256 pref medium
default via 2001:db8:23:42::1 dev eth0 metric 1 pref medium
$ ip -6 r s table 1023
anycast 2001:db8:23:42:: dev eth0 proto kernel metric 0 pref medium
local 2001:db8:23:42::2 dev eth0 proto kernel metric 0 pref medium
2002:db8:23:42::/64 dev eth0 proto kernel metric 256 linkdown pref medium
anycast fe80:: dev eth0 proto kernel metric 0 pref medium
local fe80::222:19ff:fe65:b835 dev eth0 proto kernel metric 0 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0 proto kernel metric 256 pref medium
default via 2001:db8:23:42::1 dev eth0 metric 1 pref medium
VRFs: Under the hood - Plumbing
Remember PBR? Setting up a VRF adds a global VRF rule:
$ ip rule
0: from all lookup local
1000: from all lookup [l3mdev-table]
32766: from all lookup main
32767: from all lookup default
Connecting VRFs
Requires vEth pair
Like a virtual network cable within the box
A end in main VRF, Z end in VRF “foo”
Usual routing
Static
Bird talking BGP to itself
Drawback:
ARP didn't work recently (didn't debug :))
Static entries helped
ND worked though
Connecting VRFs
By foot
# ip link add VETH_END1 type veth peer name VETH_END2
ifupdown2* / ifupdown-ng
iface veth_ext2int
    link-type veth
    veth-peer-name veth_int2ext
    vrf vrf_external

iface veth_int2ext
    link-type veth
    veth-peer-name veth_ext2int
* Merged with PR25, unsure if still works
Leaking Routes
Similar to vendor boxes
Leaking VRF -> GRT (eth2 part of GRT):
# ip route add default via 192.0.2.1 dev eth2 vrf vrf_foo
Leaking GRT -> VRF
# ip route add 198.51.100.0/24 dev vrf_foo
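Both commands above create routes whose table and outgoing device belong to different routing domains. That is intended here, but the same shape is what an accidental leak out of the GRT looks like, so it is worth auditing for. The script below is an added example (not code from the talk or from iproute2): it parses the text format of `ip route show table <id>` as printed on the earlier slides and reports every unicast route that leaves its table's domain. The interface-to-VRF membership is a constructed dict that would normally be read from `ip -d link show`; the table ids 1023/1042 and the eth1/eth2 assignments are constructed around the deck's vrf_external and vrf_foo examples.

```python
"""Audit routes that cross a VRF boundary ("leaked" routes).
Added example, not from the slides; input format is that of
'ip route show table <id>', membership data is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

ROUTE_TYPES = {"unicast", "local", "broadcast", "anycast", "multicast",
               "unreachable", "blackhole", "prohibit", "throw"}
FLAGS = {"linkdown", "dead", "onlink", "offload", "trap"}   # keywords without a value


@dataclass(frozen=True)
class ParsedRoute:
    rtype: str
    prefix: str
    dev: Optional[str]
    via: Optional[str]


def parse_route_line(line: str) -> ParsedRoute:
    """Parse one line of 'ip route show' output (IPv4 or IPv6)."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty route line")
    rtype = tokens.pop(0) if tokens[0] in ROUTE_TYPES else "unicast"
    prefix = tokens.pop(0)
    attrs: dict[str, str] = {}
    i = 0
    while i < len(tokens):
        key = tokens[i]
        if key in FLAGS:
            i += 1
        elif key == "via" and i + 2 < len(tokens) and tokens[i + 1] in ("inet", "inet6"):
            attrs["via"] = tokens[i + 2]        # 'via inet6 <addr>' on MPLS encap routes
            i += 3
        elif key == "encap" and i + 2 < len(tokens):
            attrs["encap"] = f"{tokens[i + 1]} {tokens[i + 2]}"   # 'encap mpls 2342'
            i += 3
        else:
            if i + 1 < len(tokens):
                attrs[key] = tokens[i + 1]
            i += 2
    return ParsedRoute(rtype, prefix, attrs.get("dev"), attrs.get("via"))


def domain_of(dev: str, iface_master: dict[str, str], vrf_devs: set[str]) -> str:
    """Routing domain of an interface: the VRF it is enslaved to, the VRF
    device itself, or the global routing table (GRT)."""
    if dev in vrf_devs:
        return dev
    return iface_master.get(dev, "GRT")


def find_leaks(tables: dict[str, list[str]], table_owner: dict[str, str],
               iface_master: dict[str, str]) -> list[tuple[str, str, str, str]]:
    """Return (table, prefix, table's domain, device's domain) for every unicast
    route whose outgoing device lives in a different domain than its table.
    local/broadcast/anycast/multicast entries describe the VRF's own addresses
    and are skipped; unreachable/blackhole routes carry no device and
    terminate inside the table, so they cannot leak."""
    vrf_devs = set(table_owner.values()) - {"GRT"}
    leaks = []
    for table, lines in tables.items():
        owner = table_owner[table]
        for line in lines:
            if not line.strip():
                continue
            r = parse_route_line(line)
            if r.rtype != "unicast" or r.dev is None:
                continue
            target = domain_of(r.dev, iface_master, vrf_devs)
            if target != owner:
                leaks.append((table, r.prefix, owner, target))
    return leaks


# --- constructed data around the deck's vrf_external / vrf_foo examples -----
IFACE_MASTER = {"eth0": "vrf_external", "eth1": "vrf_foo"}      # eth2 stays in the GRT
TABLE_OWNER = {"main": "GRT", "1023": "vrf_external", "1042": "vrf_foo"}
TABLES = {
    "main": [
        "default via 192.168.178.1 dev eth2 proto dhcp metric 600",
        "192.168.178.0/24 dev eth2 proto kernel scope link src 192.168.178.42 metric 600",
        "198.51.100.0/24 dev vrf_foo scope link",      # GRT -> VRF leak from the slide
    ],
    "1023": [
        "default via 192.0.2.1 dev eth0 metric 1",
        "broadcast 192.0.2.255 dev eth0 proto kernel scope link src 192.0.2.42",
        "192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.42",
        "local 192.0.2.42 dev eth0 proto kernel scope host src 192.0.2.42",
    ],
    "1042": [
        "default via 192.0.2.1 dev eth2",              # VRF -> GRT leak from the slide
        "198.51.100.0/24 dev eth1 proto kernel scope link src 198.51.100.1",
        "unreachable 10.0.0.0/8 metric 4294967295",
    ],
}

if __name__ == "__main__":
    for table, prefix, owner, target in find_leaks(TABLES, TABLE_OWNER, IFACE_MASTER):
        print(f"table {table:>5} ({owner}): {prefix} leaves via {target}")
```

On a real box the table contents would come from `ip route show table <id>` for each VRF table plus `main`, and the two leaks the slide configures are exactly what the report lists; anything else it lists is a route to look at.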
VRF awareness for applications
By default, applications only use table main
Packets received in a VRF reach the application
The reply is sent out via table main
There's help:
# tcp_l3mdev_accept - BOOLEAN
#
# Enables child sockets to inherit the L3 master device index.
# Enabling this option allows a "global" listen socket to work
# across L3 master domains (e.g., VRFs) with connected sockets
# derived from the listen socket to be bound to the L3 domain in
# which the packets originated. Only valid when the kernel was
# compiled with CONFIG_NET_L3_MASTER_DEV.
#
# Default: 0 (disabled)
net.ipv4.tcp_l3mdev_accept = 1
This switch has influence on IPv6, too!
Real World Applications for VRFs
LB / Web proxy/frontend
External interface is part of vrf_external
tcp_l3mdev_accept set to 1
nginx as reverse proxy
Listens on ip in GRT + IP in vrf_external
Uses main table for connections to internal services
Can serve queries from external + internal clients
External interface in VRF
External interface is part of vrf_external
GRE / OpenVPN tunnels send / receive encapsulated packets over the VRF
Local tunnel endpoint is in GRT
No risk of leaking stuff from GRT by accident
Real World Applications - Tunnels / GRE
Outer and/or inner side of tunnel can be part of a VRF
Outer side in VRF
# ip link add DEVICE type gre remote ADDR local ADDR dev PHYS_DEV
If PHYS_DEV is within a VRF, all encapsulated packets are sent/received in the VRF
Inner side in VRF
Pushing the inner side of a tunnel into a VRF is equally simple:
# ip link set DEVICE master VRF
Real World Applications - Tunnel / OpenVPN
Pushing the inner side of an OpenVPN tunnel into a VRF is as simple as before.
Sending/receiving encapsulated packets into/from a VRF needs application support.
My patch from October 2016 finally made it into OpenVPN 2.5 :)
# openvpn --config your_config.cfg --bind-dev VRF
This is used to glue remote POPs of Freifunk Hochstift together
Real World Applications - VRFs + MPLS
In need of L3VPN? It's in the cards, too!
Real World Applications - VRFs + MPLS
The plumbing:
# modprobe mpls_iptunnel # Activate MPLS
# sysctl -w net.mpls.platform_label=1000000 # Set max. label
# sysctl -w net.mpls.conf.ethX.input=1 # Activate MPLS decap on ethX
Encap traffic with MPLS label 2342, send it to neighbor on ethX (in GRT)
# ip route add 192.0.2.0/24 encap mpls 2342 via inet6 2001:db8:42::1 dev ethX vrf vrf_x
Decap traffic with label 4223 and send it to VRF vrf_x
# ip -M route add 4223 dev vrf_x
Swap labels on the path (100 -> 200)
# ip -M route add 100 as 200 via inet6 2001:db8:4711::1
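To make concrete what the three `ip -M route` operations above do to the packet, here is an added example (not code from the talk): it encodes and decodes MPLS label stack entries (32 bits each: 20-bit label, 3-bit TC, bottom-of-stack bit, 8-bit TTL) and applies a label forwarding table to the top label, mirroring the push of `encap mpls 2342`, the swap `100 as 200` and the pop of label 4223 into `vrf_x`. The label numbers are the slide's; TC and TTL values, the payload bytes and the `lsr_forward` helper are constructed for the demo.

```python
"""MPLS label stack encode/decode plus push, swap and pop, mirroring the
'ip -M route' commands on the slide. Added example, not from the slides;
label numbers are the slide's, TC/TTL values and payload are constructed.
One entry is 32 bits: label (20) | TC (3) | S = bottom of stack (1) | TTL (8)."""
from __future__ import annotations
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    value: int      # 20-bit label; 0-15 are reserved values
    tc: int = 0     # 3-bit traffic class
    ttl: int = 64   # 8-bit time to live


def encode_stack(labels: list[Label]) -> bytes:
    """Serialize labels top-of-stack first; the S bit marks the last entry."""
    if not labels:
        raise ValueError("empty label stack")
    out = bytearray()
    for i, lbl in enumerate(labels):
        if not (0 <= lbl.value < 1 << 20 and 0 <= lbl.tc < 8 and 0 <= lbl.ttl < 256):
            raise ValueError(f"field out of range: {lbl}")
        bos = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (lbl.value << 12) | (lbl.tc << 9) | (bos << 8) | lbl.ttl)
    return bytes(out)


def decode_stack(data: bytes) -> tuple[list[Label], bytes]:
    """Read entries until the S bit is set; return (labels, remaining payload).
    A stack that never sets S is malformed and rejected, not guessed at."""
    labels, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        labels.append(Label(word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 1:
            return labels, data[off:]


def push(payload: bytes, label: Label) -> bytes:
    """Ingress encapsulation ('encap mpls 2342'): one label on an IP payload."""
    return encode_stack([label]) + payload


def lsr_forward(packet: bytes, lfib: dict) -> tuple[str, object, bytes]:
    """Apply the LFIB entry for the top label. lfib maps an incoming label to
    ("swap", out_label) like 'ip -M route add 100 as 200 via ...' or to
    ("pop", vrf) like 'ip -M route add 4223 dev vrf_x'. Returns
    (action, detail, outgoing bytes). TTL propagation into the inner IP header
    on pop is not modelled."""
    stack, payload = decode_stack(packet)
    top = stack[0]
    if top.ttl <= 1:
        return "drop", "ttl expired", packet
    entry = lfib.get(top.value)
    if entry is None:
        return "drop", "no LFIB entry", packet
    op, arg = entry
    if op == "swap":
        new_top = Label(arg, top.tc, top.ttl - 1)
        return "swap", arg, encode_stack([new_top] + stack[1:]) + payload
    if op == "pop":
        rest = stack[1:]
        return "pop", arg, (encode_stack(rest) if rest else b"") + payload
    raise ValueError(f"unknown LFIB operation {op!r}")


# Constructed: 20 bytes standing in for an IPv4 header; content irrelevant here.
PAYLOAD = bytes.fromhex("45000014") + bytes(16)
# LFIB mirroring the two 'ip -M route' commands on the slide.
LFIB = {100: ("swap", 200), 4223: ("pop", "vrf_x")}

if __name__ == "__main__":
    pkt = push(PAYLOAD, Label(2342))
    print("encap 2342 ->", pkt[:4].hex(), decode_stack(pkt)[0])
    print("swap 100   ->", lsr_forward(push(PAYLOAD, Label(100)), LFIB)[:2])
    print("pop 4223   ->", lsr_forward(push(PAYLOAD, Label(4223)), LFIB)[:2])
```

The decoder stops at the bottom-of-stack bit and refuses a stack that runs off the end of the buffer, which is the check a capture parser needs before trusting what follows the labels.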
Network Namespaces (NetNS)
Layer 1 separation
An interface is part of exactly one NetNS
Similar to VRFs on vendor gear
Own set of routing tables
VRFs and PBR available within NetNS
Own set of netfilter rules
Processes can be bound to a NetNS
Introduced in Kernel 2.6.29
Network Namespaces and netfilter
There may be side effects when traffic enters NetNS via vEth/macvlan
Already went through conntrack
NAT might not work as expected
Configuring Network Namespaces
$ ip netns help
Usage: ip netns list
ip netns add NAME
ip netns set NAME NETNSID
ip [-all] netns delete [NAME]
ip netns identify [PID]
ip netns pids NAME
ip [-all] netns exec [NAME] cmd ...
ip netns monitor
ip netns list-id
NETNSID := auto | POSITIVE-INT
Connecting Network Namespaces
You guessed it, vEth to the rescue
# ip link add veth_grt type veth peer name veth_client
# ip netns add "${netns}"
# ip link set veth_client netns "${netns}"
Real world applications
All your containers
Testing networking stuff
Summary
Links
Further Reading
Contemporary Linux Networking - DENOG9 (2017)
https://www.slideshare.net/BarbarossaTM/contemporary-linux-networking
VRFs
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/vrf.rst
https://de.slideshare.net/CumulusNetworks/operationalizing-vrf-in-the-data-center
OpenVPN and VRFs
https://blog.sdn.clinic/2018/12/openvpn-and-vrfs/
MPLS Lab – Playing with static LSPs and VRFs on Linux
https://blog.sdn.clinic/2022/01/mpls-lab-playing-with-static-lsps-and-vrfs-on-linux/
Overlays & IP-Fabrics - viele Wege führen nach Rom und warum Layer2 keine Lös...
 
Dynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGPDynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGP
 
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFDynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
 
IPv6 im Jahre 2018
IPv6 im Jahre 2018IPv6 im Jahre 2018
IPv6 im Jahre 2018
 
Contemporary Linux Networking
Contemporary Linux NetworkingContemporary Linux Networking
Contemporary Linux Networking
 
Building your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and pythonBuilding your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and python
 
AS201701 - Building an Internet backbone with pure 1he servers and Linux
AS201701 - Building an Internet backbone with pure 1he servers and LinuxAS201701 - Building an Internet backbone with pure 1he servers and Linux
AS201701 - Building an Internet backbone with pure 1he servers and Linux
 
Software Defined Freifunk Backbones
Software Defined Freifunk BackbonesSoftware Defined Freifunk Backbones
Software Defined Freifunk Backbones
 

Recently uploaded

My President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodieMy President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodie
exgf28
 
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In IndiaLordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
exchangeid32
 
Study of international anticancer research trends.pdf
Study of international anticancer research trends.pdfStudy of international anticancer research trends.pdf
Study of international anticancer research trends.pdf
Preston University
 
Effective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptxEffective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptx
AirtoryInc
 
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
paridubey2024#G05
 
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
samyanvichadda
 
Trump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination ShirtTrump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination Shirt
exgf28
 
Team Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public servicesTeam Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public services
Bangladesh Network Operators Group
 
Digital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade communityDigital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade community
Piotr Siuda
 
Saint Louis University diploma
Saint Louis University diplomaSaint Louis University diploma
Saint Louis University diploma
eufdev
 
Why Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAEWhy Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAE
adelewhite125
 
University of California, Riverside diploma
University of California, Riverside diplomaUniversity of California, Riverside diploma
University of California, Riverside diploma
eufdev
 
Network Security version1.0 - Module 3.pptx
Network Security version1.0 - Module 3.pptxNetwork Security version1.0 - Module 3.pptx
Network Security version1.0 - Module 3.pptx
Infotainmentforall
 
Geolocation and Geofeed Implementation bdNOG18
Geolocation and Geofeed Implementation bdNOG18Geolocation and Geofeed Implementation bdNOG18
Geolocation and Geofeed Implementation bdNOG18
Bangladesh Network Operators Group
 
Network Layer and its protocols mod .pptx
Network Layer and its protocols mod .pptxNetwork Layer and its protocols mod .pptx
Network Layer and its protocols mod .pptx
cossykin19
 
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
shamrisumri
 
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai AvailableChennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
shamrisumri
 
optimized green synthesis characterization and evaluation
optimized green synthesis characterization and evaluationoptimized green synthesis characterization and evaluation
optimized green synthesis characterization and evaluation
ManojKumarr75
 
Week 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docxWeek 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docx
JunaManroe1
 
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in CityGirls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
dilbaagsingh0898
 

Recently uploaded (20)

My President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodieMy President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodie
 
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In IndiaLordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
 
Study of international anticancer research trends.pdf
Study of international anticancer research trends.pdfStudy of international anticancer research trends.pdf
Study of international anticancer research trends.pdf
 
Effective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptxEffective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptx
 
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
 
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
 
Trump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination ShirtTrump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination Shirt
 
Team Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public servicesTeam Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public services
 
Digital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade communityDigital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade community
 
Saint Louis University diploma
Saint Louis University diplomaSaint Louis University diploma
Saint Louis University diploma
 
Why Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAEWhy Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAE
 
University of California, Riverside diploma
University of California, Riverside diplomaUniversity of California, Riverside diploma
University of California, Riverside diploma
 
Network Security version1.0 - Module 3.pptx
Network Security version1.0 - Module 3.pptxNetwork Security version1.0 - Module 3.pptx
Network Security version1.0 - Module 3.pptx
 
Geolocation and Geofeed Implementation bdNOG18
Geolocation and Geofeed Implementation bdNOG18Geolocation and Geofeed Implementation bdNOG18
Geolocation and Geofeed Implementation bdNOG18
 
Network Layer and its protocols mod .pptx
Network Layer and its protocols mod .pptxNetwork Layer and its protocols mod .pptx
Network Layer and its protocols mod .pptx
 
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
 
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai AvailableChennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
 
optimized green synthesis characterization and evaluation
optimized green synthesis characterization and evaluationoptimized green synthesis characterization and evaluation
optimized green synthesis characterization and evaluation
 
Week 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docxWeek 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docx
 
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in CityGirls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
 

Fun with PBR, VRFs and NetNS on Linux - What is it, how does it work, what can I do with it?

  • 1. Fun with PBR, VRFs, and NetNS on Linux
    What is it, how does it work, and what can I do with it?
    Maximilian Wilhelm
    max@sdn.clinic
    1 / 45
  • 2. Agenda
    1. Motivation
    2. Routing basics
    3. Policy-based routing
    4. VRFs
    5. NetNS
    2 / 45
  • 3. Who's who
    Maximilian Wilhelm
    Networker, OpenSource Hacker
    Fanboy of (Debian) Linux and (Linux) networking
    Occupation:
      By day: Network Engineer at Cloudflare
      By night: Infrastructure Archmage, Freifunk Hochstift
      In between: Freelance Infrastructure Architect for hire
    Contact: @BarbarossaTM, max@sdn.clinic
    3 / 45
  • 5. Example 1 - University in need of magic routing (PBR)
    5 / 45
  • 6. Example 2 - Freifunk Hochstift Backbone
    6 / 45
  • 7. Example 3 - A small ISP
    7 / 45
  • 8. Example 3 - A small ISP
    8 / 45
  • 9. Use cases
    Policy-based routing
      Route IPv4 traffic leaving the network to CGN boxes
      Route non-interactive traffic across cheaper link
    VRFs
      Keep Internet and internal routing domains separated
      Provide LB/proxy to internal services but don't expose hosts completely
      Provide overlays for customers / different routing domains
    NetNS
      Full-blown separation for applications (-> containers)
      vEth + NetNS for debugging purposes
    9 / 45
  • 11. Routing
    Every device speaking IP has a routing table
      German translation according to IBM: "Leitwegtabelle"
    Packets are forwarded according to longest prefix match
    Default Gateway or Gateway of last resort used if no entry matches
    Hot Potato principle
      Packets forwarded to next hop w/o knowledge of their routing table
    Asymmetric routing
      Path to destination and return path don't have to be identical
    11 / 45
  • 12. Routing table
    Possible routing table of your laptop when using company VPN:
    Prefix            Iface   Next-hop
    10.0.0.0/8        tun0    10.23.42.1
    10.23.42.0/25     tun0
    192.168.178.0/24  wlan0
    0.0.0.0/0         wlan0   192.168.178.1
    12 / 45
  • 13. Source address selection
    With every routing decision for a locally originated connection a source address is selected based on the routing table.
    Usually the (primary) IP configured on the outgoing interface
    May be explicitly set to any IP
      For example IP on loopback interface
    Prefix            Iface   Next-hop       Src address
    10.0.0.0/8        tun0    10.23.42.1
    10.23.42.0/25     tun0                   10.23.42.8
    192.168.178.0/24  wlan0                  192.168.178.5
    0.0.0.0/0         wlan0   192.168.178.1
    13 / 45
  • 14. Source address selection - ICMP errors
    What IP will answer on errors?
    # icmp_errors_use_inbound_ifaddr - BOOLEAN
    #
    # If zero, icmp error messages are sent with the primary address of
    # the exiting interface.
    #
    # If non-zero, the message will be sent with the primary address of
    # the interface that received the packet that caused the icmp error.
    # This is the behaviour many network administrators will expect from
    # a router. And it can make debugging complicated network layouts
    # much easier.
    #
    # Note that if no primary address exists for the interface selected,
    # then the primary address of the first non-loopback interface that
    # has one will be used regardless of this setting.
    #
    # Default: 0
    net.ipv4.icmp_errors_use_inbound_ifaddr = 1
    https://www.kernel.org/doc/Documentation/networking/ip-sysctl.rst
    IPv6: It's complicated, see RFC6724
    14 / 45
  • 15. Routing tables
    Every Linux box has a number of routing tables
    $ ip route help
    Usage: ip route { list | flush } SELECTOR
    ...
    SELECTOR := ... [ table TABLE_ID ] ...
    TABLE_ID := [ local | main | default | all | NUMBER ]
    By default routing table main is used
      So ip route show and ip route show table main show the same thing
    15 / 45
  • 16. Default Routing Tables on Linux
    Table local
      Contains all routes to
        Locally connected IPs
        Broadcast addresses
    Table main
      Contains "usual" routes
        Locally connected subnets
        Routes to remote subnets
    Table default
      Usually empty
    16 / 45
  • 17. Default Routing Tables on Linux
    Table local
    $ ip route show table local
    broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
    local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
    local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
    broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
    broadcast 192.168.178.0 dev wlan0 proto kernel scope link src 192.168.178.42
    local 192.168.178.42 dev wlan0 proto kernel scope host src 192.168.178.42
    broadcast 192.168.178.255 dev wlan0 proto kernel scope link src 192.168.178.42
    Table main
    $ ip route show [table main]
    default via 192.168.178.1 dev wlan0 proto dhcp metric 600
    192.168.178.0/24 dev wlan0 proto kernel scope link src 192.168.178.42 metric 600
    Table default
    $ ip route show table default
    $
    17 / 45
  • 18. What happens on link-down?
    By default Linux will try to use routes with link down
    Behaviour can be controlled via sysctl
    # ip r
    default via 192.168.178.1 dev eth2
    192.168.178.0/24 dev eth2 proto kernel scope link src 192.168.178.42
    # echo 1 > /proc/sys/net/ipv4/conf/eth2/ignore_routes_with_linkdown
    # ip r
    default via 192.168.178.1 dev eth2 dead linkdown
    192.168.178.0/24 dev eth2 proto kernel scope link src 192.168.178.42 dead linkdown
    # ping 1.1.1.1
    connect: Network is unreachable
    18 / 45
  • 20. Policy-based routing
    Available since Linux 2.2 (1999)
    Allows to influence routing decision depending on (e.g.)
      Ingress interface
      Source address
      Source/destination port
      Something netfilter can match
    Drawbacks
      Beware to close loopholes
        Rule for IPv4
        Rule for IPv6
        Rule for incoming interface
      ICMP errors might still get routed by main table
    20 / 45
  • 21. Default routing policy on every Linux box
    Remember the routing tables from before?
    $ ip rule
    0:      from all lookup local
    32766:  from all lookup main
    32767:  from all lookup default
    21 / 45
  • 22. PBR rules
    $ ip rule help
    Usage: ip rule { add | del } SELECTOR ACTION
           ip rule { flush | save | restore }
           ip rule [ list [ SELECTOR ]]
    SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]
                [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ]
                [ uidrange NUMBER-NUMBER ]
                [ ipproto PROTOCOL ]
                [ sport [ NUMBER | NUMBER-NUMBER ] ]
                [ dport [ NUMBER | NUMBER-NUMBER ] ]
    ACTION := [ table TABLE_ID ]
              [ protocol PROTO ]
              [ nat ADDRESS ]
              [ realms [SRCREALM/]DSTREALM ]
              [ goto NUMBER ]
              SUPPRESSOR
    SUPPRESSOR := [ suppress_prefixlength NUMBER ]
                  [ suppress_ifgroup DEVGROUP ]
    TABLE_ID := [ local | main | default | NUMBER ]
    22 / 45
  • 23. PBR rules - examples
    Half our users are special
    # ip rule add from 192.168.178.0/25 table 178
    Web traffic is special
    # ip rule add dport 80 table 80
    # ip rule add dport 443 table 80
    Packets arriving at eth0 are special
    # ip rule add iif eth0 table 23
    23 / 45
  • 25. Virtual Routing and Forwarding (VRFs)
    Independent routing instances, provides Layer 3 separation
    Commonly used for
      (OOB) mgmt access
      L3-VPNs, usually in combination with MPLS
    VRFs on Linux
      VRF interface is master for "real" (member) interfaces
      Maps to a (numeric) routing table
      Netfilter rules shared across VRFs
      Introduced in Kernel 4.[345] (use >= 4.9)
    25 / 45
  • 26. Configuring VRFs
    By foot
    ip link add vrf_external type vrf table 1023
    ip link set eth0 master vrf_external   # Option 1: generic
    ip link set eth0 vrf vrf_external      # Option 2: VRF specific
    ifupdown2 / ifupdown-ng
    auto eth0
    iface eth0
        address 2002:db8:23:42::2/64
        gateway 2001:db8:23:42::1/64
        vrf vrf_external
    auto vrf_external
    iface vrf_external
        vrf-table 1023
    Device routes move from table main and local to table 1023
    26 / 45
  • 27. VRFs: Under the hood - IPv4
    A VRF is like a routing table with benefits:
    $ ip r s vrf vrf_external
    default via 192.0.2.1 dev eth0 metric 1
    192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.42
    $ ip r s table 1023
    default via 192.0.2.1 dev eth0 metric 1
    broadcast 192.0.2.255 dev eth0 proto kernel scope link src 192.0.2.42
    192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.42
    local 192.0.2.42 dev eth0 proto kernel scope host src 192.0.2.42
    broadcast 192.0.2.255 dev eth0 proto kernel scope link src 192.0.2.42
    27 / 45
  • 28. VRFs: Under the hood - IPv6
    A VRF is like a routing table with benefits:
    $ ip -6 r s vrf vrf_external
    anycast 2001:db8:23:42:: dev eth0 proto kernel metric 0 pref medium
    2002:db8:23:42::/64 dev eth0 proto kernel metric 256 linkdown pref medium
    anycast fe80:: dev eth0 proto kernel metric 0 pref medium
    fe80::/64 dev eth0 proto kernel metric 256 pref medium
    multicast ff00::/8 dev eth0 proto kernel metric 256 pref medium
    default via 2001:db8:23:42::1 dev eth0 metric 1 pref medium
    $ ip -6 r s table 1023
    anycast 2001:db8:23:42:: dev eth0 proto kernel metric 0 pref medium
    local 2001:db8:23:42::2 dev eth0 proto kernel metric 0 pref medium
    2002:db8:23:42::/64 dev eth0 proto kernel metric 256 linkdown pref medium
    anycast fe80:: dev eth0 proto kernel metric 0 pref medium
    local fe80::222:19ff:fe65:b835 dev eth0 proto kernel metric 0 pref medium
    fe80::/64 dev eth0 proto kernel metric 256 pref medium
    multicast ff00::/8 dev eth0 proto kernel metric 256 pref medium
    default via 2001:db8:23:42::1 dev eth0 metric 1 pref medium
    28 / 45
  • 29. VRFs: Under the hood - Plumbing
    Remember PBR? Setting up a VRF adds a global VRF rule:
    $ ip rule
    0:      from all lookup local
    1000:   from all lookup [l3mdev-table]
    32766:  from all lookup main
    32767:  from all lookup default
    29 / 45
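To make the rule-then-table walk of slides 20 to 29 concrete, here is an added Python model (not code from the talk) of the routing policy database: rules walked by preference, longest prefix match inside each table, the l3mdev rule for VRF member interfaces, and the two loopholes worth closing, a missing IPv6 rule and a VRF table miss that falls through to main. The unreachable default route used at the end is the guard the kernel's vrf.rst (linked on slide 45) suggests; all addresses, interface names and table numbers are constructed.

```python
# Added example (not from the talk): a small model of the Linux routing policy
# database (RPDB): rules are walked by preference, each selects a table, the table
# is searched by longest prefix match, and the VRF rule ("1000: from all lookup
# [l3mdev-table]") picks the table of the ingress interface's VRF.  All addresses,
# interface names and table numbers are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str                  # "0.0.0.0/0" or "::/0" for a default route
    dev: str = None              # outgoing interface (None for an unreachable route)
    via: str = None              # next hop; None means directly connected
    unreachable: bool = False    # "ip route add unreachable ..."

@dataclass
class Rule:
    pref: int
    table: str                   # "local", "main", "default", "178" or "l3mdev"
    src: str = None              # "from PREFIX"; None means "from all"

def in_prefix(addr, prefix):
    a, n = ipaddress.ip_address(addr), ipaddress.ip_network(prefix)
    return a.version == n.version and a in n

class Rpdb:
    def __init__(self):
        self.tables, self.vrf_table = {}, {}     # table -> [Route]; member iface -> VRF table
        # the three rules every Linux box starts with (slide 21)
        self.rules = [Rule(0, "local"), Rule(32766, "main"), Rule(32767, "default")]

    def add_rule(self, rule):                    # ip rule add from PREFIX table TABLE
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.pref)    # stable: equal prefs keep insertion order

    def add_route(self, table, route):           # ip route add ... table TABLE
        self.tables.setdefault(table, []).append(route)

    def add_vrf(self, table, *members):          # ip link add VRF type vrf table TABLE
        for dev in members:                      # ip link set DEV master VRF
            self.vrf_table[dev] = table
        if not any(r.table == "l3mdev" for r in self.rules):
            self.add_rule(Rule(1000, "l3mdev"))  # added once, globally (slide 29)

    def lookup_table(self, table, dst):
        """Longest prefix match within a single table (None on a miss)."""
        hits = [r for r in self.tables.get(table, []) if in_prefix(dst, r.prefix)]
        return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)

    def lookup(self, src, dst, iif=None):
        """Return (table, route) for a packet; route.unreachable means it is dropped."""
        for rule in self.rules:
            if rule.src is not None and not in_prefix(src, rule.src):
                continue
            table = rule.table
            if table == "l3mdev":                # table of the ingress interface's VRF
                table = self.vrf_table.get(iif)
                if table is None:                # not a VRF member: rule does not apply
                    continue
            route = self.lookup_table(table, dst)
            if route is not None:                # a miss falls through to the next rule
                return table, route
        return None, None

def build_box():
    """Constructed router: 'special users' go via table 178 (slide 23), eth3 sits in a VRF."""
    box = Rpdb()
    box.add_route("main", Route("192.168.178.0/24", "eth0"))
    box.add_route("main", Route("0.0.0.0/0", "eth1", via="203.0.113.1"))
    box.add_route("main", Route("::/0", "eth1", via="2001:db8:1::1"))
    box.add_rule(Rule(178, "178", src="192.168.178.0/25"))
    box.add_route("178", Route("0.0.0.0/0", "eth2", via="198.51.100.1"))
    box.add_vrf("1023", "eth3")                  # vrf_external, table 1023
    box.add_route("1023", Route("192.0.2.0/24", "eth3"))
    return box

def demo():
    box, out = build_box(), {}
    out["special"] = box.lookup("192.168.178.10", "198.51.100.77", "eth0")[0]
    out["ordinary"] = box.lookup("192.168.178.200", "198.51.100.77", "eth0")[0]
    # loophole 1 (slide 20): an IPv4-only rule lets a special user's IPv6 use table main
    v6 = ("2001:db8:178::10", "2001:db8:ffff::1", "eth0")
    out["v6_before"] = box.lookup(*v6)[0]
    box.add_rule(Rule(178, "178", src="2001:db8:178::/64"))
    box.add_route("178", Route("::/0", "eth2", via="2001:db8:2::1"))
    out["v6_after"] = box.lookup(*v6)[0]
    out["vrf_local"] = box.lookup("192.0.2.50", "192.0.2.60", "eth3")   # l3mdev -> table 1023
    # loophole 2: a VRF table miss falls through to main (leaks into the GRT) until an
    # unreachable default route closes the VRF table
    out["vrf_miss_before"] = box.lookup("192.0.2.50", "198.51.100.77", "eth3")[0]
    box.add_route("1023", Route("0.0.0.0/0", unreachable=True))
    out["vrf_miss_after"] = box.lookup("192.0.2.50", "198.51.100.77", "eth3")
    return out
```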
  • 30. Connecting VRFs
    Requires vEth pair
      Like a virtual network cable within the box
      A end in main VRF, Z end in VRF "foo"
    Usual routing
      Static
      Bird talking BGP to itself
    Drawback: ARP didn't work recently (didn't debug :))
      Static entries helped
      ND worked though
    30 / 45
  • 31. Connecting VRFs
    By foot
    # ip link add VETH_END1 type veth peer name VETH_END2
    ifupdown2* / ifupdown-ng
    iface veth_ext2int
        link-type veth
        veth-peer-name veth_int2ext
        vrf vrf_external
    iface veth_int2ext
        link-type veth
        veth-peer-name veth_ext2int
    * Merged with PR25, unsure if still works
    31 / 45
  • 32. Leaking Routes
    Similar to vendor boxes
    Leaking VRF -> GRT (eth2 part of GRT):
    # ip route add default via 192.0.2.1 dev eth2 vrf vrf_foo
    Leaking GRT -> VRF
    # ip route add 198.51.100.0/24 dev vrf_foo
    32 / 45
  • 33. VRF awareness for applications
    By default applications only use main table
      Packets received in VRF table reach application
      Reply sent out via main table
    There's help:
    # tcp_l3mdev_accept - BOOLEAN
    #
    # Enables child sockets to inherit the L3 master device index.
    # Enabling this option allows a "global" listen socket to work
    # across L3 master domains (e.g., VRFs) with connected sockets
    # derived from the listen socket to be bound to the L3 domain in
    # which the packets originated. Only valid when the kernel was
    # compiled with CONFIG_NET_L3_MASTER_DEV.
    #
    # Default: 0 (disabled)
    net.ipv4.tcp_l3mdev_accept = 1
    This switch has influence on IPv6, too!
    33 / 45
  • 34. Real World Applications for VRFs
    LB / Web proxy/frontend
      External interface is part of vrf_external
      tcp_l3mdev_accept set to 1
      nginx as reverse proxy
        Listens on IP in GRT + IP in vrf_external
        Uses main table for connections to internal services
        Can serve queries from external + internal clients
    External interface in VRF
      External interface is part of vrf_external
      GRE / OpenVPN tunnel send / receive encapsulated packets over VRF
      Local tunnel endpoint is in GRT
      No risk of leaking stuff from GRT by accident
    34 / 45
  • 35. Real World Applications - Tunnels / GRE
    Outer and/or inner side of tunnel can be part of a VRF
    Outer side in VRF
    # ip link add DEVICE type gre remote ADDR local ADDR dev PHYS_DEV
    If PHYS_DEV is within a VRF, all encapsulated packets are sent/received in VRF
    Inner side in VRF
    Pushing the inner side of a tunnel into a VRF is equally simple:
    # ip link set DEVICE master VRF
    35 / 45
  • 36. Real World Applications - Tunnel / OpenVPN
    Pushing the inner side of an OpenVPN tunnel into a VRF is as simple as before.
    Sending/receiving encapsulated packets into/from a VRF needs application support.
    My patch from October 2016 finally made it into OpenVPN 2.5 :)
    # openvpn --config your_config.cfg --bind-dev VRF
    This is used to glue remote POPs of Freifunk Hochstift together
    36 / 45
  • 37. Real World Applications - VRFs + MPLS
    In need of L3VPN? It's in the cards, too!
    37 / 45
  • 38. Real World Applications - VRFs + MPLS
    The plumbing:
    # modprobe mpls_iptunnel                       # Activate MPLS
    # sysctl -w net.mpls.platform_label=1000000    # Set max. label
    # sysctl -w net.mpls.conf.ethX.input=1         # Activate MPLS decap on ethX
    Encap traffic with MPLS label 2342, send it to neighbor on ethX (in GRT)
    # ip route add 192.0.2.0/24 encap mpls 2342 via inet6 2001:d8:42::1 dev ethX vrf vrf_x
    Decap traffic with label 4223 and send it to VRF vrf_x
    # ip -M route add 4223 dev vrf_x
    Swap labels on the path (100 -> 200)
    # ip -M route add 100 as 200 via inet6 2001:db8:4711::1
    38 / 45
  • 39. Network Namespaces (NetNS)
    Layer 1 separation
      An interface is part of exactly one NetNS
    Similar to VRFs on vendor gear
      Own set of routing tables
        VRFs and PBR available within NetNS
      Own set of netfilter rules
    Processes can be bound to a NetNS
    Introduced in Kernel 2.6.29
    39 / 45
  • 40. Network Namespaces and netfilter
    There may be side effects when traffic enters NetNS via vEth/macvlan
      Already went through conntrack
      NAT might not work as expected
    40 / 45
  • 41. Configuring Network Namespaces
    $ ip netns help
    Usage: ip netns list
           ip netns add NAME
           ip netns set NAME NETNSID
           ip [-all] netns delete [NAME]
           ip netns identify [PID]
           ip netns pids NAME
           ip [-all] netns exec [NAME] cmd ...
           ip netns monitor
           ip netns list-id
    NETNSID := auto | POSITIVE-INT
    41 / 45
  • 42. Connecting Network Namespaces
    You guessed it, vEth to the rescue
    # ip link add veth_grt type veth peer name veth_client
    # ip netns add "${netns}"
    # ip link set veth_client netns "${netns}"
    42 / 45
  • 43. Real world applications
    All your containers
    Testing networking stuff
    43 / 45
  • 45. Links
    Further Reading
    Contemporary Linux Networking - DENOG9 (2017)
      https://www.slideshare.net/BarbarossaTM/contemporary-linux-networking
    VRFs
      https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/vrf.rst
      https://de.slideshare.net/CumulusNetworks/operationalizing-vrf-in-the-data-center
    OpenVPN and VRFs
      https://blog.sdn.clinic/2018/12/openvpn-and-vrfs/
    MPLS Lab – Playing with static LSPs and VRFs on Linux
      https://blog.sdn.clinic/2022/01/mpls-lab-playing-with-static-lsps-and-vrfs-on-linux/
    45 / 45