Sounds good! But the question is now a bit more complicated, and focused on FreeBSD architecture.

Wouldn't that approach consume more resources than simple MultiFib? Wouldn't the dataplane being routed in a jail stress the performance of the hardware? What about the equivalent of DPDK? Wouldn't using a jail force packets to go up to the CPU to be forwarded?

On Thu, 12 Nov 2020 at 10:54, Olivier Cochard-Labbé <[email protected]> wrote:

> On Thu, Nov 12, 2020 at 2:33 PM Douglas Fischer <[email protected]> wrote:
>
>> Hello All!
>> I'm using BSDRP with BIRD to create a distributed routing scenario.
>>
>> And for security and reliability reasons I will dedicate an interface to In-Band-Management.
>>
>> My objective is to use that interface, with a specific VRF (FIB), for SSH, SNMP, Netflow, LDAP queries, DNS lookups, RTR client, and everything else related to MGMT.
>>
>> The initial idea is to use FIB 0 for MGMT.
>> (I can reconsider this if it's not a good idea.)
>>
>> And the other FIBs are used for the dataplane, and BGP/OSPF/BFD/ICMP listeners.
>>
>> I'm trying to avoid using firewall rules for that...
>> I would like to force the listeners of MGMT services (and call-outs) to use the specific In-Band-Management interface.
>>
>> Any suggestions on how to do that?
>> Or maybe something better than that...
>>
>
> Hi,
>
> I don't have a lot of experience with FIB, but I would first try the usage of jail/vnet in place of fib:
> To be compliant with fib (a FreeBSD and OpenBSD feature), the userland software has to support this feature (socket option SO_SETFIB).
> So right now bird has some FIB support, but it is quite rare because the majority don't (like dnsmasq).
> So in place of using a feature that needs to be supported by the userland software, jail/vnet could be simpler (invisible from the userland).
>
> BSDRP includes a helper shell script to create a type of jail that could be useful in a multi-tenant use-case, like in this example:
> https://bsdrp.net/documentation/examples/multi-tenant_router_and_firewall
>
> But if you are the only admin and don't need this multi-tenant feature, you could do it a lot simpler, like in this example:
> https://github.com/ocochard/myscripts/blob/master/FreeBSD/jail/create-480-jails.sh
>
> So to sum up the idea:
> - MGMT services as standard services on your router
> - Assign 'data' interfaces to a jail/vnet (they will disappear from your host) and run your bird process inside this jail/vnet
>
> Regards,
>
> Olivier
> _______________________________________________
> Bsdrp-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/bsdrp-users

--
Douglas Fernando Fischer
Control and Automation Engineer
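The jail/vnet layout Olivier sketches (MGMT services on the host, dataplane interfaces handed to a vnet jail that runs bird) can be expressed as a jail.conf(5) stanza. The script below is an added example written for this thread; it is not BSDRP's helper script nor the create-480-jails.sh linked above. The interface names (igb0 as the management interface, igb1/igb2 as dataplane) are constructed, and it assumes bird is installed on the host filesystem so the jail can use path = "/". Its one safety check matters for exactly the reason Olivier gives: an interface assigned to a vnet jail disappears from the host, so moving the In-Band-Management interface by mistake would cut off the SSH session used to do it.

```shell
#!/bin/sh
# Added example (not from the thread): emit a jail.conf(5) stanza for a vnet
# jail that owns the dataplane interfaces and runs bird inside them, while
# management services stay on the host's own network stack.

# Management interface that must never be moved into the jail (assumed name).
MGMT_IF="${MGMT_IF:-igb0}"

# check_not_mgmt IFACE...: return 1 if any listed interface is the MGMT one.
check_not_mgmt() {
    for i in "$@"; do
        [ "$i" = "$MGMT_IF" ] && return 1
    done
    return 0
}

# join_quoted A B ... -> "A", "B", ... (jail.conf list syntax)
join_quoted() {
    out=""
    for i in "$@"; do
        if [ -z "$out" ]; then out="\"$i\""; else out="$out, \"$i\""; fi
    done
    printf '%s' "$out"
}

# gen_jail_conf NAME IFACE...: print the stanza, refusing to touch MGMT_IF.
gen_jail_conf() {
    name=$1
    shift
    check_not_mgmt "$@" || {
        echo "refusing: $MGMT_IF is the management interface" >&2
        return 1
    }
    ifaces=$(join_quoted "$@")
    cat <<EOF
$name {
    host.hostname = "$name";
    path = "/";                # assumption: bird lives on the host filesystem
    vnet;                      # own network stack; host keeps MGMT services
    vnet.interface = $ifaces;  # these leave the host while the jail runs
    allow.raw_sockets;         # OSPF/BFD/ICMP need raw sockets inside the jail
    persist;
    exec.start = "/usr/local/sbin/bird -c /usr/local/etc/bird.conf";
    exec.stop  = "/usr/local/sbin/birdc down";
}
EOF
}

# Usage: sh gen-dataplane-jail.sh dataplane igb1 igb2 > /etc/jail.conf.d/dataplane.conf
if [ $# -ge 2 ]; then
    gen_jail_conf "$@"
fi
```

Start the jail with `jail -c dataplane` (or `service jail start dataplane` with jail_enable="YES" in rc.conf); the host then no longer sees igb1/igb2, and bird's BGP/OSPF sockets live only in the jail's stack, so no SO_SETFIB support is needed in bird or in any management daemon.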
