On 11/20/18 7:23 AM, Alexis Bauvin wrote:
> We are trying to isolate the VXLAN traffic from different VMs with VRF as shown
> in the schemas below:
>
> +-------------------------+    +----------------------------+
> |     +----------+        |    |       +------------+        |
> |     |          |        |    |       |            |        |
> |     | tap-red  |        |    |       |  tap-blue  |        |
> |     |          |        |    |       |            |        |
> |     +----+-----+        |    |       +-----+------+        |
> |          |              |    |             |              |
> |          |              |    |             |              |
> |     +----+---+          |    |        +----+----+         |
> |     |        |          |    |        |         |         |
> |     | br-red |          |    |        | br-blue |         |
> |     |        |          |    |        |         |         |
> |     +----+---+          |    |        +----+----+         |
> |          |              |    |             |              |
> |          |              |    |             |              |
> |          |              |    |             |              |
> |     +----+--------+     |    |       +--------------+     |
> |     |             |     |    |       |              |     |
> |     |  vxlan-red  |     |    |       |  vxlan-blue  |     |
> |     |             |     |    |       |              |     |
> |     +------+------+     |    |       +-------+------+     |
> |            |            |    |               |            |
> |            |   VRF      |    |               |   VRF      |
> |            |   red      |    |               |   blue     |
> +-------------------------+    +----------------------------+
Roopa and I were discussing this setup and are puzzled by the VRF association here. Do br-red and br-blue have an address? The commands below do not show it, and from our perspective it seems odd for this scenario. If it does not have an address, then there is no reason for the VRF labeling.

Also, it would be good to have a unit test for this case. Can you create a shell script that creates the setup and runs a few tests verifying connectivity? You can use network namespaces and veth pairs in place of the VM with a tap device. From there the functionality is the same. Tests can be initial VRF association for the vxlan lower device, changing the VRF to another device, and then changing again back to default VRF - checking proper connectivity for each.

Thanks
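A sketch of the test script asked for above, added here as an example and not part of the thread or of Alexis's patch set: two namespaces joined by a veth pair stand in for the hypervisors, and the vxlan lower device on hv1 starts in VRF red, is moved to VRF blue, then back to the default VRF, with an overlay ping after each step. It assumes root, iproute2 with VRF support, and a kernel in which vxlan follows the VRF of its lower device (the behaviour under discussion); the namespace, device and address names are made up.

```shell
#!/bin/sh
# Added example: netns + veth stand in for the VM/tap pair; the vxlan lower
# device on hv1 is created inside a VRF, moved to another VRF, then returned
# to the default VRF, and overlay connectivity is checked after each change.
set -eu

# Print the "master <dev>" value from one `ip -o link show dev X` record,
# or "default" when the device has no master (it sits in the default VRF).
master_of() {
    m=$(printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "master") { print $(i+1); exit } }')
    echo "${m:-default}"
}
# Fail unless device $2 in netns $1 is enslaved to $3 ("default" = no master).
check_vrf() {
    got=$(master_of "$(ip -netns "$1" -o link show dev "$2")")
    [ "$got" = "$3" ] || { echo "FAIL: $2 master is '$got', expected '$3'"; exit 1; }
}
# One overlay ping from netns $1 to address $2; $3 labels the test.
check_ping() {
    if ip netns exec "$1" ping -c 1 -W 1 "$2" >/dev/null 2>&1; then echo "PASS: $3"
    else echo "FAIL: $3"; exit 1; fi
}
setup() {
    ip netns add hv1; ip netns add hv2
    ip link add veth-hv1 type veth peer name veth-hv2
    ip link set veth-hv1 netns hv1; ip link set veth-hv2 netns hv2
    # Initial association: the lower device is already in VRF red before vx0 exists.
    ip -netns hv1 link add red type vrf table 10; ip -netns hv1 link set red up
    ip -netns hv1 link set veth-hv1 master red
    for h in 1 2; do
        ip -netns hv$h link set lo up; ip -netns hv$h link set veth-hv$h up
        ip -netns hv$h addr add 10.0.0.$h/24 dev veth-hv$h      # underlay (made up)
        ip -netns hv$h link add vx0 type vxlan id 100 dev veth-hv$h \
            local 10.0.0.$h remote 10.0.0.$((3 - h)) dstport 4789
        ip -netns hv$h addr add 192.168.0.$h/24 dev vx0         # overlay (made up)
        ip -netns hv$h link set vx0 up
    done
}
run_tests() {
    check_vrf hv1 veth-hv1 red
    check_ping hv1 192.168.0.2 "overlay ping, underlay created in VRF red"
    ip -netns hv1 link add blue type vrf table 20; ip -netns hv1 link set blue up
    ip -netns hv1 link set veth-hv1 master blue     # move lower device to another VRF
    check_vrf hv1 veth-hv1 blue
    check_ping hv1 192.168.0.2 "overlay ping, underlay moved to VRF blue"
    ip -netns hv1 link set veth-hv1 nomaster        # back to the default VRF
    check_vrf hv1 veth-hv1 default
    check_ping hv1 192.168.0.2 "overlay ping, underlay back in default VRF"
}
if [ "${1:-}" = run ]; then
    trap 'ip netns del hv1; ip netns del hv2' EXIT
    setup; run_tests
fi
```

Invoke it with the `run` argument; without it the script only defines its functions, so the parsing helper can be exercised without root.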