Hi everyone, I ran into something this past week that I wanted to share here so others don't have the same struggles I do.
Historically (and this goes WAAAAY back), there was exactly one way to assign tenancy to inbound packets: adding a tenant to a network-interface. In newer software (circa 3.1), we gave administrators the ability to assign tenancy by neighborhood: by configuring a member in a tenant, you identify the CIDR blocks within a neighborhood that belong to that tenant. However, there was a strict order of precedence between the two: if you assigned a tenant to an interface, everything arriving on that interface was treated as belonging to that tenant, no questions asked. Under the hood, 128T created a source prefix of 0.0.0.0/0 for that interface in its "source tenant table", and any members configured in that tenant were ignored.
In 4.0, however, there was a behavior change. If you configure both interface tenancy and members within that same tenant, 128T adds prefixes to the source tenant table only for the prefix(es) you specify; there is no 0.0.0.0/0 catch-all. All packets that arrive on the interface from a source outside the specified prefixes are dropped. (This is what bit me this past week, in case you were wondering.)
Interestingly, if you add a tenant to an interface, 128T adds prefixes for that tenant and for all of the children of that tenant, using the prefixes defined in those tenants' members. Note what happens when the interface tenant itself has no members, as in the example below: it keeps its 0.0.0.0/0 entry, so traffic that matches none of the children's prefixes is still assigned to the parent rather than dropped. This is a great addition to our software, as it lets you really lock down the interface to specific prefixes and deny everything else.
The "source tenant table" governs all of this. To investigate the contents of the source tenant table, use the PCLI command "show tenant members". Here's a configuration example that may help illustrate some of these concepts:
tenant parent
    name parent
exit
tenant child1.parent
    name child1.parent
    member LAN
        neighborhood LAN
        address 192.168.128.0/25
    exit
exit
tenant child2.parent
    name child2.parent
    member LAN
        neighborhood LAN
        address 192.168.128.128/25
    exit
exit
network-interface lan0
    name lan0
    global-id 1
    description "LAN VLAN 0"
    vlan 0
    neighborhood LAN
        name LAN
        topology spoke
    exit
    tenant parent
    inter-router-security internal
    address 192.168.128.1
        ip-address 192.168.128.1
        prefix-length 24
    exit
exit
And here's the output of "show tenant members" for this configuration:
admin@hari.fox# show tenant members
Sat 2019-04-20 15:59:01 UTC
Node: hari

============ ========= ============== ================= ==================== ===============
 Device I/F   VLAN ID   Network I/F    Network I/F IP    Source IP Prefix     Tenant
============ ========= ============== ================= ==================== ===============
 enp2s0            0   lan0           192.168.128.1     0.0.0.0/0            parent
 enp2s0            0   lan0           192.168.128.1     192.168.128.0/25     child1.parent
 enp2s0            0   lan0           192.168.128.1     192.168.128.128/25   child2.parent
 kni254            0   controlKniIf   169.254.127.126   0.0.0.0/0            <global>
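To make the precedence rules concrete, here is a small Python model of the source tenant table. It is an added illustration, not 128T code, and it models only the behavior the post describes. Fed the configuration above it yields the three lan0 rows that "show tenant members" prints, and it also covers the case the post warns about, a member configured on the interface tenant itself. Two things in it are assumptions rather than facts from the post: that overlapping rows are resolved by longest-prefix match, and that with no tenant on the interface the neighborhood members alone classify traffic. The "locked-down" parent prefix 192.168.128.0/25 is a constructed value.

```python
"""Toy model of the 128T "source tenant table" as described in the post.
Constructed illustration, not 128T code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Tenant:
    name: str
    # neighborhood -> member prefixes, i.e. "member <nbhd>" / "address <cidr>"
    members: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class Interface:
    name: str
    neighborhoods: List[str]        # neighborhoods the interface is in
    tenant: Optional[str] = None    # tenant configured directly on the interface


Row = Tuple[ipaddress.IPv4Network, str]
ANY = ipaddress.ip_network("0.0.0.0/0")


def children_of(parent: str, tenants: List[Tenant]) -> List[Tenant]:
    # 128T expresses the hierarchy in the name: "child1.parent" is a child of "parent"
    return [t for t in tenants if t.name.endswith("." + parent)]


def member_rows(tenant: Tenant, iface: Interface) -> List[Row]:
    """Rows contributed by a tenant's members in the interface's neighborhoods."""
    return [(ipaddress.ip_network(cidr), tenant.name)
            for nbhd in iface.neighborhoods
            for cidr in tenant.members.get(nbhd, [])]


def build_source_tenant_table(iface: Interface, tenants: List[Tenant],
                              release: str) -> List[Row]:
    """(prefix, tenant) rows for one interface under the 3.x or 4.0 rules."""
    if iface.tenant is None:
        # Assumption: with no interface tenancy, neighborhood members alone classify
        return [r for t in tenants for r in member_rows(t, iface)]
    owner = next(t for t in tenants if t.name == iface.tenant)
    if release.startswith("3."):
        # Pre-4.0: interface tenancy wins outright and members are ignored
        return [(ANY, owner.name)]
    # 4.0: the interface tenant's own members replace the 0.0.0.0/0 catch-all ...
    rows = member_rows(owner, iface) or [(ANY, owner.name)]
    # ... and the children's members are added alongside
    for child in children_of(owner.name, tenants):
        rows += member_rows(child, iface)
    return rows


def classify(src_ip: str, rows: List[Row]) -> Optional[str]:
    """Assumption: longest-prefix match. None means no source tenant (dropped in 4.0)."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, tenant in rows:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, tenant)
    return best[1] if best else None


def show_tenant_members(iface, tenants, release="4.0"):
    """The Source IP Prefix / Tenant columns of 'show tenant members' for one interface."""
    return [(str(p), t) for p, t in build_source_tenant_table(iface, tenants, release)]


# The configuration from the post, as data
TENANTS = [
    Tenant("parent"),
    Tenant("child1.parent", {"LAN": ["192.168.128.0/25"]}),
    Tenant("child2.parent", {"LAN": ["192.168.128.128/25"]}),
]
LAN0 = Interface("lan0", ["LAN"], tenant="parent")

# The variant the post warns about: a member on the interface tenant itself
# (the /25 is a constructed value, not taken from the post)
LOCKED_TENANTS = [Tenant("parent", {"LAN": ["192.168.128.0/25"]})]

if __name__ == "__main__":
    for prefix, tenant in show_tenant_members(LAN0, TENANTS):
        print(f"{prefix:20} {tenant}")
    locked = build_source_tenant_table(LAN0, LOCKED_TENANTS, "4.0")
    for ip in ("192.168.128.10", "192.168.128.200"):
        print(ip, "->", classify(ip, locked) or "no tenant (dropped)")
```

Run as-is, the three printed rows are the lan0 lines of the output above. With LOCKED_TENANTS, 192.168.128.10 is classified as parent but 192.168.128.200 gets no tenant at all, which is the 4.0 drop described in the post; pass "3.1" as the release to build_source_tenant_table and the same address is handed back to parent by the 0.0.0.0/0 row.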