SD-WAN


TIL: tenant membership changes in 4.0

    Posted 04-20-2019 11:59
    Hi everyone, I ran into something this past week that I wanted to share here so others don't have the same struggles I did.

    Historically (and this goes WAAAAY back), there was one way to assign tenancy to inbound packets: adding a tenant to a network-interface. In newer software (circa 3.1), we gave administrators the ability to assign tenancy by neighborhood. By configuring a member in a tenant, you can identify CIDR blocks within a neighborhood that are associated with that tenant. However, there was a strict order of precedence in these tenant configurations: if you assigned a tenant to an interface, it would treat anything arriving on that interface as belonging to the tenant -- no questions asked. Under the hood, 128T creates a source prefix of 0.0.0.0/0 for that interface within its "source tenant table." Configuring tenant members would not apply.

    In 4.0, however, there was a behavior change. If you configure both interface tenancy and members within that tenant, 128T will only add prefixes to the source tenant table for the prefix(es) you specify. All packets that arrive on the interface that are not from one of the specified prefixes will be dropped. (This is what bit me this past week, in case you were wondering.)

    Interestingly, if you add a tenant to an interface, 128T will add prefixes for that tenant and all of the children of that tenant for the prefixes defined in those tenants' members. This is a great addition to our software, as it lets you really lock down the interface to specific prefixes, and deny everything else.

    The "source tenant table" governs all of this. To investigate the contents of the source tenant table, use the PCLI command "show tenant members". Here's a configuration example that may help illustrate some of these concepts:

    tenant  parent
        name  parent
    exit
    
    tenant  child1.parent
        name    child1.parent
    
        member  LAN
            neighborhood  LAN
            address       192.168.128.0/25
        exit
    exit
    
    tenant  child2.parent
        name    child2.parent
    
        member  LAN
            neighborhood  LAN
            address       192.168.128.128/25
        exit
    exit
    
    network-interface  lan0
        name                   lan0
        global-id              1
        description            "LAN VLAN 0"
        vlan                   0
        neighborhood           LAN
            name      LAN
            topology  spoke
        exit
        tenant                 parent
        inter-router-security  internal
        address                192.168.128.1
            ip-address     192.168.128.1
            prefix-length  24
        exit
    exit

    And here's the output of "show tenant members" for this configuration:

    admin@hari.fox# show tenant members
    Sat 2019-04-20 15:59:01 UTC
    
    Node: hari
    
    ============ ========= ============== ================= ==================== ===============
     Device I/F   VLAN ID   Network I/F    Network I/F IP    Source IP Prefix     Tenant
    ============ ========= ============== ================= ==================== ===============
     enp2s0             0   lan0           192.168.128.1     0.0.0.0/0            parent
     enp2s0             0   lan0           192.168.128.1     192.168.128.0/25     child1.parent
     enp2s0             0   lan0           192.168.128.1     192.168.128.128/25   child2.parent
     kni254             0   controlKniIf   169.254.127.126   0.0.0.0/0            <global>
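To make the precedence rules concrete, here is an added model (not 128T/SSR code, and not from the original post) of how the source tenant table for lan0 above gets populated and consulted. It assumes longest-prefix match decides the winning entry, that a child tenant is named `child.parent`, and that the 4.0 rule is "interface tenant with members in that neighborhood: only the member prefixes are installed, everything else is dropped"; all of these are inferred from the post, not from vendor documentation.

```python
# Added example modelling the "source tenant table" described in the post.
# Assumptions (not vendor-documented): longest-prefix match wins, and in 4.0
# an interface tenant that has members gets only those prefixes, not 0.0.0.0/0.
from ipaddress import ip_address, ip_network

# Constructed tenant tree mirroring the post's configuration:
# tenant name -> {neighborhood: [member prefixes]}
TENANTS = {
    "parent": {},
    "child1.parent": {"LAN": ["192.168.128.0/25"]},
    "child2.parent": {"LAN": ["192.168.128.128/25"]},
}


def descendants_of(tenant, tenants):
    """All tenants below `tenant`, relying on the child.parent naming scheme."""
    return [t for t in tenants if t.endswith("." + tenant)]


def build_source_tenant_table(iface_tenant, neighborhood, tenants, v4=True):
    """Return [(network, tenant)] for one interface, as 'show tenant members'
    would list it. v4=False models the pre-4.0 precedence, where the interface
    tenant wins outright and its own members are ignored."""
    table = []
    own_members = tenants[iface_tenant].get(neighborhood, [])
    if v4 and own_members:
        # 4.0 behaviour: only the configured member prefixes are installed,
        # so traffic from any other source on this interface has no entry.
        table += [(ip_network(p), iface_tenant) for p in own_members]
    else:
        table.append((ip_network("0.0.0.0/0"), iface_tenant))
    # Children of the interface tenant contribute their member prefixes too.
    for child in descendants_of(iface_tenant, tenants):
        for p in tenants[child].get(neighborhood, []):
            table.append((ip_network(p), child))
    return table


def classify(src_ip, table):
    """Longest-prefix match of a source address against the table.
    None models the packet being dropped because no entry matches."""
    addr = ip_address(src_ip)
    matches = [(net, t) for net, t in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]
```

Adding a member such as 192.168.128.0/24 to `parent` itself reproduces the 4.0 surprise: hosts outside that block, which previously matched the 0.0.0.0/0 entry, now match nothing.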


    ------------------------------
    pt.
    ------------------------------