Wednesday, November 24, 2010

LISP + GETVPN as alternative for DMPVN+OSPF+GETVPN

Originally LISP was developed to address the issues and concerns raised by the growth of the internet routing table, but LISP turns out to possess appealing features that can be of interest to Service Providers like my friends at InTouch.

At the Cisco NAG2010 conference in San Jose I talked about using LISP as a transport mechanism instead of regular manual GRE tunnels or a DMVPN design. I believe that provisioning and debugging a LISP based virtual private network will be easier and simpler than current approaches.

Some fair warnings are in order here: this setup runs on beta IOS and NXOS images, this design and the configuration syntax are very likely to change a little with every IOS release, for Cisco's LISP implementation is under very active development. The most important aspect of this design is that it's not a multi-tenant architecture. Multi-tenancy will probably be available in a few months, after which I'll post an updated version with more comments on the specifics.

View the slides online at slideshare: LISP+GETVPN or download the PDF from my website: Job_Snijders-InTouch-LISP_GETVPN.pdf.

Wednesday, November 10, 2010

libvirt & KVM & unnumbered bridge setup

This is an ubuntu/debian recipe to use an 'unnumbered bridge' to save on the amount of IP addresses needed to connect your virtual machines on a libvirt host to other networks.

I'm assuming you want the host to be a router between the VM's and the external network. The advantage of this is that you can firewall traffic between the virtual machines and other networks on the host.

A setup like this can be used if your ISP provides you with a /29 and you want to be able to use every IP address out of that /29, and not waste IP's on the network, broadcast and gateway address.

This image shows the various elements involved:

The /etc/network/interfaces file on the host:
auto virbr0
iface virbr0 inet manual
  bridge-ports none
  bridge_stp off
  bridge_maxwait 1
  post-up ip route add dev virbr0
The above configuration will configure a bridge interface without an IPv4 address and route the /29 that was assigned to you by your ISP to that interface. This will force Linux to ARP for every IP from that /29 on this particular virbr0 interface.

The following virsh commands will remove the default network settings, you can enter them on a root prompt:
virsh net-destroy default
virsh net-undefine default
Virtlib's /etc/qemu-ifup script needs to be replaced with the following:
/sbin/ifconfig $1 up
/usr/sbin/brctl addif ${switch} $1
The above will make sure that any tap interface associated with a virtual machine will be added to the correct bridge. The default /etc/qemu-ifup file will try and guess the correct bridge, which is not desirable.

You can edit the XML describing the virtual machines interface with the following command: 'virsh edit NAME_OF_VM'. You could also just type this command:
virsh attach-interface NAME_OF_VM bridge virbr0
This is what the XML could like like:
<interface type="'bridge'">
  <mac address="'52:54:00:51:8b:ad'/">
  <source bridge="'virbr0'/">
  <target dev="'vnet0'/">
The last step is to configure the network settings inside the virtual machine (VM1). This is an example /etc/network/interfaces. Notice the pointtopoint statement and the subnet mask:
# The primary network interface
auto eth0
iface eth0 inet static
To wrap it all up:
  • /etc/network/interfaces on the host takes care of creating the virbr0 bridge
  • libvirt will make a vnetX interface (so don't worry about it)
  • /etc/qemu-ifup adds tap interfaces to the correct bridge when booting the virtual machine
  • thanks to ARP the machines will figure out who is where
  • /etc/network/interfaces inside the virtual machine will force traffic towards the host

I'd like to thank Sten Spans for providing some essential hints.