11# External Peering
22
3- Hedgehog Fabric uses the Border Leaf concept to exchange VPC routes outside the Fabric and provide L3 connectivity. The
3+ Hedgehog Fabric uses the Border Leaf concept to exchange VPC routes outside the Fabric and provide L2/ L3 connectivity. The
44` External Peering ` feature allows you to set up an external peering endpoint and to enforce several policies between
5- internal and external endpoints.
5+ internal and external endpoints. Alternatively, the Hedgehog Gateway can be used to provide connectivity via an L2
6+ endpoint connected to a Border Leaf.
67
78!!! note
89 Hedgehog Fabric does not operate Edge side devices.
@@ -16,26 +17,33 @@ Border Leaves (or Borders) can connect to several Edge devices.
1617!!! note
1718 External Peering is only available on the switch devices that are capable for sub-interfaces.
1819
19- ### Connect Border Leaf to Edge device
20+ Hedgehog Fabric supports two types of Edge devices: BGP-speaking (or L3) externals, and Layer 2 (L2) externals.
2021
21- In order to distinguish VPC traffic, an Edge device should be able to:
22+ ### Connect a Border Leaf to an Edge device
2223
24+ In order to distinguish VPC traffic, an Edge device should be able to connect to a Fabric Border Leaf over VLAN.
25+ Additionally, if using the BGP speaker model for external peering, the Edge device should also be capable of:
2326
24- - Set up BGP IPv4 to advertise and receive routes from the Fabric
25- - Connect to a Fabric Border Leaf over VLAN
26- - Be able to mark egress routes towards the Fabric with BGP Communities
27- - Be able to filter ingress routes from the Fabric by BGP Communities
27+ - Setting up BGP IPv4 to advertise and receive routes from the Fabric
28+ - Marking egress routes towards the Fabric with BGP Communities
29+ - Filtering ingress routes from the Fabric by BGP Communities
2830
2931All other filtering and processing of L3 Routed Fabric traffic should be done on the Edge devices.
3032
3133### Control Plane
3234
33- The Fabric shares VPC routes with Edge devices via BGP. Peering is done over VLAN in IPv4 Unicast AFI/SAFI.
35+ For L3 externals, the Hedgehog Fabric shares VPC routes with Edge devices via BGP; peering is done over VLAN in IPv4 Unicast AFI/SAFI.
36+
37+ For L2 externals, the Hedgehog Gateway advertises routes to the prefixes specified in the API, using the Edge device IP as next hop.
38+ Traffic reaching the Edge device will appear to be coming from one of a set of assigned Gateway IPs.
3439
3540### Data Plane
3641
37- VPC L3 routable traffic will be tagged with VLAN and sent to Edge device. Later processing of VPC traffic
38- (NAT, PBR, etc) should happen on Edge devices.
42+ For L3 externals, VPC L3 routable traffic will be tagged with VLAN at a Border Leaf and sent to the Edge device.
43+ Later processing of VPC traffic (NAT, PBR, etc) should happen on Edge devices.
44+
45+ For L2 externals, traffic will first go through the Gateway, where it will be NATed using one of the assigned IPs.
46+ It will then be forwarded to a Border Leaf, where it will be VLAN tagged and forwarded to the Edge device.
3947
4048### VPC access to Edge device
4149
@@ -44,13 +52,35 @@ the VPC can export to Edge devices and import from the Edge devices.
4452
4553## API and implementation
4654
47- ### External
55+ ### Connection
56+
57+ A ` Connection ` of type ` external ` is used to identify the switch port on Border Leaf that is cabled with an Edge device.
58+
59+ ``` yaml
60+ apiVersion : wiring.githedgehog.com/v1beta1
61+ kind : Connection
62+ metadata :
63+ name : # specified or generated
64+ spec :
65+ external :
66+ link :
67+ switch :
68+ port : ds3000/E1/1
69+ ` ` `
70+
71+ A ` Connection` object can be used with both BGP-speaking and L2 `Externals`.
72+
73+ # ## BGP-speaking Externals
74+
75+ General configuration starts with the specification of `External` objects. In this section we will introduce the
76+ BGP-speaking externals and their attachments.
77+
78+ # ### BGP-speaking External object
4879
49- General configuration starts with the specification of ` External ` objects. Each object of ` External ` type can represent
50- a set of Edge devices, or a single BGP instance on Edge device, or any other united Edge entities that can be described
51- with the following configuration:
80+ Each object of `External` type can represent a set of Edge devices, or a single BGP instance on Edge device, or
81+ any other united Edge entities that can be described with the following configuration :
5282
53- - Name of ` External `
83+ - Name of the `External`
5484- Inbound routes marked with the dedicated BGP community
5585- Outbound routes marked with the dedicated community
5686
6797 outboundCommunity: # BGP Standard Community required to be assigned on prefixes advertised from Fabric
6898` ` `
6999
70- ### Connection
71-
72- A ` Connection` of type `external` is used to identify the switch port on Border leaf that is cabled with an Edge device.
73-
74- ` ` ` yaml
75- apiVersion: wiring.githedgehog.com/v1beta1
76- kind: Connection
77- metadata:
78- name: # specified or generated
79- spec:
80- external:
81- link:
82- switch:
83- port: ds3000/E1/1
84- ` ` `
85-
86- # ## External Attachment
100+ # ### BGP-speaking External Attachment object
87101
88- ` External Attachment` defines BGP Peering and traffic connectivity between a Border leaf and `External`. Attachments are
102+ An `External Attachment` defines BGP Peering and traffic connectivity between a Border Leaf and `External`. Attachments are
89103bound to a `Connection` with type `external` and they specify an optional `vlan` that will be used to segregate
90104particular Edge peering.
91105
@@ -107,10 +121,15 @@ spec:
107121
108122Several `External Attachment` can be configured for the same `Connection` but for different `vlan`.
109123
110- # ## External VPC Peering
124+ # ### BGP-speaking External VPC Peering
125+
126+ To allow a specific VPC to have access to BGP-speaking Edge devices, bind the VPC to a specific `External` object.
111127
112- To allow a specific VPC to have access to Edge devices, bind the VPC to a specific `External` object. To do so, define
113- an `External Peering` object.
128+ !!! note
129+ External VPC Peering is only supported for BGP-speaking externals. For L2 externals, see
130+ [Gateway Peering for External Connections](gateway.md#gateway-peering-for-external-connections).
131+
132+ To do so, define an `External Peering` object.
114133
115134` ` ` yaml
116135apiVersion: vpc.githedgehog.com/v1beta1
@@ -134,7 +153,7 @@ spec:
134153equal to 32, effectively permitting all prefixes within the specified one. Use `0.0.0.0/0` for any route, including the
135154default route.
136155
137- This example allows _any_ IPv4 prefix that came from `External`
156+ The following example allows _any_ IPv4 prefix that came from the `External`
138157
139158` ` ` yaml
140159spec:
@@ -145,7 +164,7 @@ spec:
145164 - prefix: 0.0.0.0/0 # Any route will be allowed including default route
146165` ` `
147166
148- This example allows all prefixes that match the default route , with any prefix length
167+ The following example only allows routes in the `77.0.0.0/8` prefix , with any prefix length
149168
150169` ` ` yaml
151170spec:
@@ -156,15 +175,76 @@ spec:
156175 - prefix: 77.0.0.0/8 # Any route that belongs to the specified prefix is allowed (such as 77.0.0.0/8 or 77.1.2.0/24)
157176` ` `
158177
178+ # ## L2 Externals
179+
180+ L2 externals are helpful when the Edge device expects a direct layer-2 connection to the Fabric, as opposed to the BGP-speaking
181+ case we described so far. As far as the Edge device is concerned, traffic from the Fabric should come from a directly connected
182+ device or set of devices, for which the Edge device operator provides IP addresses using our APIs. Prefixes advertised by the
183+ Edge device can be then exposed to VPCs in the Fabric using the Hedgehog Gateway.
184+
185+ # ### L2 External object
186+
187+ An L2 `External` uses the same base CRD of the BGP-speaking case, but it does away with
188+ BGP communities. However, the `External` should provide a list of prefixes that are reachable
189+ via itself : since there is no routing protocol involved here, these prefixes have to be advertised
190+ manually via the API.
191+
192+ Like its BGP-speaking counterpart, an L2 `External` should be bound to an IPv4 namespace to avoid prefix overlap.
193+
194+ ` ` ` yaml
195+ apiVersion: vpc.githedgehog.com/v1beta1
196+ kind: External
197+ metadata:
198+ name: ###
199+ spec:
200+ ipv4Namespace: # VPC IP Namespace
201+ l2:
202+ prefixes:
203+ - # one or more prefixes that are reachable via the Edge device
204+ ` ` `
205+
206+ # ### L2 External Attachment object
207+
208+ The same `External Attachment` object we saw previously is used for L2 externals; like for `Externals`, some of the fields specific
209+ to BGP-speaking attachments will be left empty, and additional L2-specific configuration is required. Specifically, we require :
210+ - the IP address to be used as next hop for traffic destined to the Edge device;
211+ - an optional VLAN to segregate traffic on the external connection, use `0` for untagged;
212+ - a list of IP addresses that the Edge device is prepared to accept as source-address of incoming traffic from the Fabric;
213+ - an IP address to be configured on the Border Leaf interface connected to the Edge device. This does not have to be in the
214+ same subnet as the Edge device or Gateway IPs, in fact it can be any IP address that does not collide with the used addressing.
215+ Its only purpose is to allow the enabling of proxy-ARP on the Border Leaf for that particular interface.
216+
217+ ` ` ` yaml
218+ apiVersion: vpc.githedgehog.com/v1beta1
219+ kind: ExternalAttachment
220+ metadata:
221+ name: ###
222+ spec:
223+ connection: # Name of the Connection with type external
224+ external: # Name of the External this attachment refers to
225+ l2:
226+ ip: # IP address of the Edge device port connected to the Border Leaf
227+ vlan: # VLAN (optional) ID to tag control and data traffic, use 0 for untagged
228+ gatewayIPs:
229+ - # One or more IPs (with prefix length) that can be used in Fabric as source address of traffic directed to the Edge device
230+ fabricEdgeIP: # IP address (with prefix length) to configure on the port connecting to the Edge device
231+ ` ` `
232+
233+ # ### L2 External VPC Peering
234+
235+ To peer VPCs to an L2 external, please see [Gateway Peering for External Connections](gateway.md#gateway-peering-for-external-connections).
236+ NAT - either stateful or stateless - should be used so that traffic reaching the Edge device will have a source address in the allowed
237+ range.
238+
159239# # Examples
160240
161- This example shows how to peer with the `External` object with name `HedgeEdge`, given a Fabric VPC with name `vpc-1` on
241+ This example shows how to peer with the BGP-speaking `External` object with name `HedgeEdge`, given a Fabric VPC with name `vpc-1` on
162242the Border Leaf `switchBorder` that has a cable connecting it to an Edge device
163243on the port `E1/2`. Specifying `vpc-1` is required to receive any prefixes advertised from the `External`.
164244
165245# ## Fabric API configuration
166246
167- # ### External
247+ # ### BGP-speaking External
168248
169249` ` ` console
170250# kubectl fabric external create --name hedgeedge --ipns default --in 65102:5000 --out 5000:65102
@@ -207,7 +287,7 @@ spec:
207287 port: switchBorder/E1/2
208288` ` `
209289
210- # ### ExternalAttachment
290+ # ### BGP-speaking ExternalAttachment
211291
212292Specified in `wiring` diagram
213293
0 commit comments