From 9398cbdf14fd4f84a63bae2a22a71feee1ca3c20 Mon Sep 17 00:00:00 2001 From: Marian Pritsak Date: Wed, 7 Sep 2022 08:24:27 -0700 Subject: [PATCH 1/2] Update vnet-to-vnet-service.md --- .../design/vnet-to-vnet-service.md | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/documentation/vnet2vnet-service/design/vnet-to-vnet-service.md b/documentation/vnet2vnet-service/design/vnet-to-vnet-service.md index 33c8c8ab2..351b71712 100644 --- a/documentation/vnet2vnet-service/design/vnet-to-vnet-service.md +++ b/documentation/vnet2vnet-service/design/vnet-to-vnet-service.md @@ -225,6 +225,12 @@ DASH_VNET_MAPPING_TABLE:Vnet1:10.1.1.1: { "underlay_ip":101.1.2.3, "mac_address":F922839922A2 } + +DASH_ROUTE_RULE_TABLE:F4939FEFC47E:45654:100.1.2.0/24: { + "priority": "0", + "vnet": "VNET1", + "pa_validation": "true" +} ``` The next sections describe the lookup behavior in the outbound direction. For 
@@ -291,6 +297,38 @@ packet destined to `10.2.5.1`. Below are the processing pipeline (lookup) steps. 2. Select routing table `DASH_ROUTE_TABLE:10.2.5.0/24`. The `action_type` is `drop`. 3. Drop the packet. +## Routing a packet back from 101.1.2.3. + +Using the previous configuration, let's analyze the steps involved in routing a +packet destined to our appliance VIP from 101.1.2.0/24. + +1. The packet won't have a special VNI, so we assume the inbound direction +2. Perform VNET lookup. It is priority based, matches on VNI, ENI, and prefix. Protocol is not present. +3. The resulting VNET is Vnet1. +4. The inbound routing rule says to perform PA validation as well. +5. We have a PA validation entry for our ENI and SRC PA 101.1.2.3, so the packet is allowed. +6. We decap the packet and encap it to ENI's PA 25.1.1.1. + +## Routing a packet back from 101.1.2.9. + +Using the previous configuration, let's analyze the steps involved in routing a +packet destined to our appliance VIP from 101.1.2.0/24 for which we don't have a mapping entry in our config. + +1. The packet won't have a special VNI, so we assume the inbound direction +2. Perform VNET lookup. It is priority based, matches on VNI, ENI, and prefix. Protocol is not present. +3. The resulting VNET is Vnet1. +4. The inbound routing rule says to perform PA validation as well. +5. We don't have a PA validation entry for our ENI and SRC PA 101.1.2.9, so the packet is dropped. + +## Counters + +In the VNET to VNET scenario, 3 types of counters are required: +1. Route entry counters (inbound and outbound). +2. ACL rule counters. +3. Mapping entry counters. + +They are per rule, grouped into buckets, packet counters, byte meters are not required. + ## Appendix ### VNET to VNET without DASH optimization From 8a8d7c707386217642b46c4e9ae6edd49700e1eb Mon Sep 17 00:00:00 2001 
From: Marian Pritsak Date: Wed, 7 Sep 2022 12:29:39 -0700 Subject: [PATCH 2/2] Update vnet-to-vnet-service.md --- documentation/vnet2vnet-service/design/vnet-to-vnet-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/vnet2vnet-service/design/vnet-to-vnet-service.md b/documentation/vnet2vnet-service/design/vnet-to-vnet-service.md index 351b71712..3522e148c 100644 --- a/documentation/vnet2vnet-service/design/vnet-to-vnet-service.md +++ b/documentation/vnet2vnet-service/design/vnet-to-vnet-service.md @@ -307,7 +307,7 @@ packet destined to our appliance VIP from 101.1.2.0/24. 3. The resulting VNET is Vnet1. 4. The inbound routing rule says to perform PA validation as well. 5. We have a PA validation entry for our ENI and SRC PA 101.1.2.3, so the packet is allowed. -6. We decap the packet and encap it to ENI's PA 25.1.1.1. +6. We decap the packet and encap it to ENI PA 25.1.1.1. ## Routing a packet back from 101.1.2.9.
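Review bot: In patch 1/2, first hunk (the new `DASH_ROUTE_RULE_TABLE` entry), the key prefix is `100.1.2.0/24`, but the walkthroughs added later in the same patch talk about packets from `101.1.2.0/24` and source PAs `101.1.2.3` and `101.1.2.9`, so as written the rule would not cover the traffic the examples describe. Please confirm which prefix is intended and make the two agree. The entry also uses `"vnet": "VNET1"` while the context line above uses `DASH_VNET_MAPPING_TABLE:Vnet1:10.1.1.1` and the walkthrough says "The resulting VNET is Vnet1"; pick one spelling. Finally, since `"pa_validation": "true"` is what decides allow versus drop in the new sections, the example should show (or name) the entry that PA validation is checked against. The only candidate visible here is the mapping entry with `"underlay_ip":101.1.2.3`, and the text never says that is the one.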
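Review bot: In patch 1/2, second hunk, step 1 of both new walkthroughs says "The packet won't have a special VNI, so we assume the inbound direction", yet step 2 says the VNET lookup "matches on VNI, ENI, and prefix" and the rule key added in the first hunk appears to carry a VNI (`45654`). Please state what VNI value the inbound packet carries and how it matches the rule, otherwise the reader cannot reproduce the lookup. In the Counters section, the sentence "They are per rule, grouped into buckets, packet counters, byte meters are not required." is ambiguous: it can be read as packet counters being required and byte meters not, or as neither being required. Split it into separate statements. Since the `101.1.2.9` case ends in a drop on failed PA validation, also say whether those drops are counted under one of the three listed counter types, because that is the counter an operator would watch for spoofed or misconfigured sources. Minor: both new headings end with a period ("## Routing a packet back from 101.1.2.3."), and step 1 is missing its final period.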
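Review bot: In patch 2/2, step 6 still gives no source for `25.1.1.1`; the address does not appear in any configuration line visible in this series, so rewording "ENI's PA" to "ENI PA" leaves the reader unable to tell which table or field supplies the encap destination. Suggest naming the table entry it comes from in the step itself. As this patch only rewords a line introduced in 1/2, it could be squashed into that patch before merge.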