DOCSLIB.ORG

NSX-T Meets Frrouting – Part 1

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
NSX-T Meets Frrouting – Part 1 NSX-T Meets FRRouting – Part 1 Link Part 1 - https://rutgerblom.com/2020/01/17/nsx-t-meets-frrouting-part-1/ Part 2 - https://rutgerblom.com/2020/01/20/nsx-t-meets-frrouting-part-2/amp/ NSX-T Meets FRRouting – Part 1 rutgerblom January 17, 2020 2 Until recently I always used pfSense with the OpenBGPD package as the NSX- T Edge counterpart in my lab environment. It’s quick and easy to set up and works well enough. But pfSense is not what I typically find in a customer’s production environment. I started to investigate other virtualized “top-of-rack solutions” for the lab that would be a bit more similar to what I see in the enterprise. Right now I’m testing out FRRouting and I must say that I’m pretty impressed with this solution so far. At least it’s good enough to be the subject of a blog post or two � I’m going to walk through deploying and configuring a pair of FRRouting instances, the NSX-T Edge, and BGP routing in a lab environment. Follow along if you want. Target topology The diagram below shows a logical L3 design for the NSX-T Edge – FRRouting solution that we’ll be building: There’s nothing much out of the ordinary here. We have a Tier-0 gateway backed by two Edge nodes, and BGP routing. At the top of the diagram things look a bit less familiar with two Linux routers powered by FRRouting. That’s a nice sketch. Now let’s see if we can make it work too. Bill of materials The following software is used to build this environment: o NSX-T 2.5.1 o vSphere 6.7 U3 o Debian Linux 10.2 o FRRouting 7.2 Deploy FRRouting This first part is about getting the FRR instances up and running which begins with installing two Linux servers. Let’s get right to it. Install Linux servers Debian Linux is a good fit here as there is an official FRR Debian repository which makes installing FRR a lot easier. Each server is configured with two NICs. The ens192 interface is configured as the primary interface and will be the “north-facing” port. The ens224 interface is the “SDDC-facing” port. At this point we only assign a static IP address to the ens192 interface. The only additional components we need to install are the SSH server and standard system utilities: Complete the Debian installation on both servers. Install VLAN support The servers will soon be configured with some VLAN interfaces. To add support for this we install the VLAN package: apt install vlan -y Add the following line to /etc/modules so that VLAN (802.1Q) support is loaded during boot: 8021q Enable IPv4 packet forwarding We want the Linux servers to become Linux routers and as a part of that we need to enable IPv4 packet forwarding in /etc/sysctl.conf: net.ipv4.ip_forward=1 Reboot the servers after making this change. Configure network interfaces Time to configure the network interfaces on the Linux routers. The following shows the interface configuration per Linux router: frr-01: Interface IP address Comment ens192 10.2.129.101/24 Primary interface, north-facing ens224 – Secondary interface, SDDC-facing ens224.1611 172.16.11.253/24 Management VLAN ens224.1657 172.16.57.1/29 BGP peering VLAN ens224.1659 172.16.59.253/24 Overlay transport VLAN Which results in the following /etc/network/interfaces for frr-01: source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback # The primary network interface - north-facing port auto ens192 allow-hotplug ens192 iface ens192 inet static address 10.2.129.101/24 gateway 10.2.129.1 dns-nameservers 10.2.129.10 dns-search demo.local # The secondary network interface - SDDC-facing port auto ens224 allow-hotplug ens224 iface ens224 inet manual mtu 9000 # The VLAN 1611 interface - Management auto ens224.1611 iface ens224.1611 inet static address 172.16.11.253/24 # The VLAN 1657 interface - BGP peering auto ens224.1657 iface ens224.1657 inet static address 172.16.57.1/29 # The VLAN 1659 interface - Overlay transport auto ens224.1659 iface ens224.1659 inet static address 172.16.59.253/24 frr-02: Interface IP address Comment ens192 10.2.129.102/24 Primary interface, north-facing ens224 – Secondary interface, SDDC-facing ens224.1611 172.16.11.254/24 Management VLAN ens224.1658 172.16.58.1/29 BGP peering VLAN ens224.1659 172.16.59.254/24 Overlay transport VLAN The corresponding /etc/network/interfaces for frr-02: source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback # The primary network interface - north-facing auto ens192 allow-hotplug ens192 iface ens192 inet static address 10.2.129.102/24 gateway 10.2.129.1 dns-nameservers 10.2.129.10 dns-search demo.local # The secondary network interface - SDDC-facing auto ens224 allow-hotplug ens224 iface ens224 inet manual mtu 9000 # The VLAN 1611 interface - Management auto ens224.1611 iface ens224.1611 inet static address 172.16.11.254/24 # The VLAN 1658 interface - BGP peering auto ens224.1658 iface ens224.1658 inet static address 172.16.58.1/29 # The VLAN 1659 interface - Overlay transport auto ens224.1659 iface ens224.1659 inet static address 172.16.59.254/24 Restart the network to activate the new network interface configuration: systemctl restart networking Run the ip address command to verify that the new interface configuration is active: Install VRRP As you noticed we are “stretching” the management VLAN (1611) and the overlay transport VLAN (1659) between the Linux routers. Both routers can act as the default gateway for these VLANs at any given time. To make use of this capability we’ll set up VRRP with Keepalived. Install the package: apt install keepalived -y Create the Keepalived configuration file: /etc/keepalived/keepalived.conf. Below the Keepalived configuration per server: frr-01 (VRRP master): global_defs { # Email Alert Configuration notification_email { # Email To Address [email protected] } # Email From Address notification_email_from [email protected] # SMTP Server Address / IP smtp_server 127.0.0.1 # SMTP Timeout Configuration smtp_connect_timeout 60 router_id frr-01 } vrrp_sync_group VG1 { group { 1611 1659 } } vrrp_instance 1611 { # State = Master or Backup state MASTER # Interface ID for VRRP to run on interface ens224.1611 # VRRP Router ID virtual_router_id 10 # Highest Priority Wins priority 250 # VRRP Advert Intaval 1 Second advert_int 1 # Basic Inter Router VRRP Authentication authentication { auth_type PASS auth_pass VMware1!VMware1! } # VRRP Virtual IP Address Config virtual_ipaddress { 172.16.11.1/24 dev ens224.1611 } } vrrp_instance 1659 { # State = Master or Backup state MASTER # Interface ID for VRRP to run on interface ens224.1659 # VRRP Router ID virtual_router_id 11 # Highest Priority Wins priority 250 # VRRP Advert Intaval 1 Second advert_int 1 # Basic Inter Router VRRP Authentication authentication { auth_type PASS auth_pass VMware1!VMware1! } # VRRP Virtual IP Address Config virtual_ipaddress { 172.16.59.1/24 dev ens224.1659 } } frr-02 (VRRP backup): global_defs { # Email Alert Configuration notification_email { # Email To Address [email protected] } # Email From Address notification_email_from [email protected] # SMTP Server Address / IP smtp_server 127.0.0.1 # SMTP Timeout Configuration smtp_connect_timeout 60 router_id frr-02 } vrrp_sync_group VG1 { group { 1611 1659 } } vrrp_instance 1611 { # State = Master or Backup state BACKUP # Interface ID for VRRP to run on interface ens224.1611 # VRRP Router ID virtual_router_id 10 # Highest Priority Wins priority 150 # VRRP Advert Intaval 1 Second advert_int 1 # Basic Inter Router VRRP Authentication authentication { auth_type PASS auth_pass VMware1!VMware1! } # VRRP Virtual IP Address Config virtual_ipaddress { 172.16.11.1/24 dev ens224.1611 } } vrrp_instance 1659 { # State = Master or Backup state BACKUP # Interface ID for VRRP to run on interface ens224.1659 # VRRP Router ID virtual_router_id 11 # Highest Priority Wins priority 150 # VRRP Advert Intaval 1 Second advert_int 1 # Basic Inter Router VRRP Authentication authentication { auth_type PASS auth_pass VMware1!VMware1! } # VRRP Virtual IP Address Config virtual_ipaddress { 172.16.59.1/24 dev ens224.1659 } } Restart the Keepalived service on both routers to activate the new configuration: systemctl restart keepalived We can now verify VRRP operation by running systemctl status keepalived: Running the ip address command will hopefully show the virtual IP address on the two VLAN interfaces: And a ping to the virtual IP address from the VRRP backup node (frr-02 in this case) should be successful: Install FRRouting With Linux installed and configured we continue with the FRRouting installation. Begin by adding the FRR Debian repository: curl -s https://deb.frrouting.org/frr/keys.asc | apt-key add - FRRVER="frr-stable" echo deb https://deb.frrouting.org/frr $(lsb_release -s -c) $FRRVER | tee -a /etc/apt/sources.list.d/frr.list apt update && apt install frr frr-pythontools -y FRRouting is now installed. Configure FRRouting capabilities We only enable the routing protocols that are needed. To make FRR a good match for the NSX-T Edge we would like the instances to be capable of doing BGP and BFD. So we simply enable these daemons in /etc/frr/daemons. bgpd=yes bfdd=yes Restart the FRR service and verify that the BGP and BFD daemons are active: systemctl restart frr systemctl status frr This is looking good. The FRR instances are now ready for control plane configuration. Summary This completes part 1 of the series on NSX-T and FRRouting. We’ve been quite productive: o Installed two Debian Linux servers o Installed VLAN support o Enabled packet forwarding o Configured network interfaces o Installed and configured VRRP o Installed FRRouting In the next part we’ll continue with deploying the NSX-T Edge and setting up BGP routing between NSX-T and the FRR instances.
Load more

Recommended publications
  • ECE 435 – Network Engineering Lecture 15
    ECE 435 { Network Engineering Lecture 15 Vince Weaver http://web.eece.maine.edu/~vweaver [email protected] 25 March 2021 Announcements • Note, this lecture has no video recorded due to problems with UMaine zoom authentication at class start time • HW#6 graded • Don't forget HW#7 • Project Topics due 1 RFC791 Post-it-Note Internet Protocol Datagram RFC791 Source Destination If other than version 4, Version attach form RFC 2460. Type of Service Precedence high reliability Routine Fragmentation Offset high throughput Priority Transport layer use only low delay Immediate Flash more to follow Protocol Flash Override do not fragment CRITIC/ECP this bit intentionally left blank TCP Internetwork Control UDP Network Control Other _________ Identifier _______________________ Length Header Length Data Print legibly and press hard. You are making up to 255 copies. _________________________________________________ _________________________________________________ _________________________________________________ Time to Live Options _________________________________________________ Do not write _________________________________________________ in this space. _________________________________________________ _________________________________________________ Header Checksum _________________________________________________ _________________________________________________ for more info, check IPv4 specifications at http://www.ietf.org/rfc/rfc0791.txt 2 HW#6 Review • Header: 0x000e: 4500 = version(4), header length(5)=20 bytes ToS=0 0x0010: 0038 = packet length (56 bytes) 0x0012: 572a = identifier 0x0014: 4000 = fragment 0100 0000 0000 0000 = do not fragment, offset 0 0x0016: 40 = TTL = 64 0x0017: 06 = Upper layer protocol (6=TCP) 0x0018: 69cc = checksum 0x001a: c0a80833 = source IP 192.168.8.51 0x001e: 826f2e7f = dest IP 130.111.46.127 • Valid IPs 3 ◦ 123.267.67.44 = N ◦ 8.8.8.8 = Y ◦ 3232237569 = 192.168.8.1 ◦ 0xc0a80801 = 192.168.8.1 • A class-A allocation is roughly 224=232 which is 0.39% • 192.168.13.0/24.
    [Show full text]
  • Směrovací Démon BIRD
    Směrovací démon BIRD CZ.NIC z. s. p. o. Ondřej Filip / [email protected] 8. 6. 2010 – IT10 1 Směrování a forwarding ● Router - zařízení připojené k více sítím ● Umí přeposlat „cizí“ zprávu - forwarding ● Cestu pozná podle směrovací (routovací) tabulky ● Sestavování routovací tabulky – routing – Statické – Dynamické ● Interní - uvnitř AS rychlé, důvěřivé, přesné – RIP, OSPF ● Externí (mezi AS, pomalé, filtering, přibližné – pouze BGP 2 Rozdělení směrovacích protokolů AS 2 RIP BGP AS 1 OSPF BGP BGP AS 3 3 static Směrovací démon ● Na Linuxu (a ostatních UNIXech) – uživatelská aplikace mimo jádro, forwarding v jádře ● Obvykle implementuje více směrovacích protokolů ● Směrovací politika - filtrování ● Quagga (Zebra) – Cisco syntax http://www.quagga.net ● OpenBGPd - http://www.openbgpd.org ● GateD – zastaralý, ne volná licence ● BIRD 4 Historie projektu ● Start projektu v roce 1999 ● Seminární projekt – MFF UK Praha ● Projekt uspán ● Drobné probuzeni v letech 2003 a 2006 (CESNET) ● Plně obnoveno na přelomu 2008/2009 v rámci Laboratoří CZ.NIC - http://labs.nic.cz 5 Cíle projektu ● Opensource směrovací démon – alternativa k tehdejšímu démonu Quagga/Zebra (GateD) ● Rychlý a efektivní ● Portabilní, modulární ● Podpora současných směrovacích protokolů ● IPv6 a IPv4 v jednom zdrojovém kódu (dvojí překlad) ● Snadná konfigurace a rekonfigurace (!) ● Silný filtrovací jazyk 6 Vlastnosti ● Portabilní – Linux, FreeBSD, NetBSD, OpenBSD ● Podpora IPv4 i IPv6 ● Static, RIP, OSPF, BGP - Route reflektor, Směrovací server (Route server) ASN32 (ASPLAIN), MD5
    [Show full text]
  • Test-Beds and Guidelines for Securing Iot Products and for Secure Set-Up Production Environments
    IoT4CPS – Trustworthy IoT for CPS FFG - ICT of the Future Project No. 863129 Deliverable D7.4 Test-beds and guidelines for securing IoT products and for secure set-up production environments The IoT4CPS Consortium: AIT – Austrian Institute of Technology GmbH AVL – AVL List GmbH DUK – Donau-Universit t Krems I!AT – In"neon Technologies Austria AG #KU – JK Universit t Lin$ / Institute for &ervasive 'om(uting #) – Joanneum )esearch !orschungsgesellschaft mbH *+KIA – No,ia -olutions an. Net/or,s 0sterreich GmbH *1& – *1& -emicon.uctors Austria GmbH -2A – -2A )esearch GmbH -)!G – -al$burg )esearch !orschungsgesellschaft -''H – -oft/are 'om(etence 'enter Hagenberg GmbH -AG0 – -iemens AG 0sterreich TTTech – TTTech 'om(utertechni, AG IAIK – TU Gra$ / Institute for A((lie. Information &rocessing an. 'ommunications ITI – TU Gra$ / Institute for Technical Informatics TU3 – TU 3ien / Institute of 'om(uter 4ngineering 1*4T – 1-Net -ervices GmbH © Copyright 2020, the Members of the IoT4CPS Consortium !or more information on this .ocument or the IoT5'&- (ro6ect, (lease contact8 9ario Drobics7 AIT Austrian Institute of Technology7 mario:.robics@ait:ac:at IoT4C&- – <=>?@A Test-be.s an. guidelines for securing IoT (ro.ucts an. for secure set-up (ro.uction environments Dissemination level8 &U2LI' Document Control Title8 Test-be.s an. gui.elines for securing IoT (ro.ucts an. for secure set-u( (ro.uction environments Ty(e8 &ublic 4.itorBsC8 Katharina Kloiber 4-mail8 ,,;D-net:at AuthorBsC8 Katharina Kloiber, Ni,olaus DEr,, -ilvio -tern )evie/erBsC8 -te(hanie von )E.en, Violeta Dam6anovic, Leo Ha((-2otler Doc ID8 DF:5 Amendment History Version Date Author Description/Comments VG:? ?>:G?:@G@G -ilvio -tern Technology Analysis VG:@ ?G:G>:@G@G -ilvio -tern &ossible )esearch !iel.s for the -2I--ystem VG:> >?:G<:@G@G Katharina Kloiber Initial version (re(are.
    [Show full text]
  • DPDK, VPP & Pfsense
    DPDK, VPP & pfSense 3.0 Jim Thompson DPDK Summit Userspace - Dublin- 2017 %whoami Co-founded company in 1992 Focused on network security Originally “Netgate” was name an open source firewall for SunOS 4 Ported to Solaris (2.3), Windows NT, BSDi Added IPsec (then quite new) Wrote CiscoSecure (TACACS+ / RADIUS server) Might know us best for DPDK in a Box DPDK in a Box Simple, easy intro to running DPDK Minnowboard “Turbot” w/ 4C E3845 Atom, 2GB RAM, 32GB M.2 SSD, 2 x i210 Ethernet CentOS + pre-complied / installed DPDK + source code + testpmd DPDK in a Box, next-gen %whoami Co-founded company in 1992 Originally “Netgate” was name an open source firewall for SunOS 4 Also ported to Solaris (2.3), Windows NT, BSDi Also wrote CiscoSecure (TACACS+ server) Might know us best for DPDK in a Box We are the company behind the pfSense project pfSense® software FreeBSD-based router/firewall distribution “Like a Cisco ASA” 100,000 lines of PHP Orchestration + WebGUI Started in 2004 First release 4 October 2006 2.4 release 2 October 2017 1.375 million current installs 960,000+ on 64-bit Intel 8,000 32-bit ARM ARM64 underway October 2014 pfSense under strain after 10 years Increasing use of 10Gbps and higher Ethernet Increasing packet rate requirements No central ‘status’ db, so most config changes require restarting stack No API — makes automated test & interfacing to orchestration difficult Offsite meeting in 2014 Simple goals 10Gbps IP4/IP6 forwarding tinygrams, with ACLs 10Gbps IPsec (large frames) Eliminate PHP Add API Project named Pennybacker Experiments
    [Show full text]
  • BIRD's Flight from Lisbon to Prague
    BIRD's flight from Lisbon to Prague CZ.NIC Ondrej Filip / [email protected] With help of Wolfgang Hennerbichler May 6, 2009 – RIPE 60 / Prague 1 Features ● GPL implementation of RIP, BGP, OSPF ● BGP – ASN32, MD5, route server, ... ● IPv4, IPv6 ● Highly flexible – Multiple routing tables - RIBs (internal and also synchronization with OS) ● Protocol PIPE - multiple routers, route reflectors ● Powerful configuration & filtering language ● Automatic reconfiguration ● Currently developed by CZ.NIC Labs 2 Design 3 Filters example define myas = 47200; function bgp_out(int peeras) { if ! (source = RTS_BGP ) then return false; if (0,peeras) ~ bgp_community then return false; if (myas,peeras) ~ bgp_community then return true; if (0, myas) ~ bgp_community then return false; return true; } protocol bgp R25192x1 { local as myas; neighbor 194.50.100.13 as 25192; import where bgp_in(25192); export where bgp_out(25192); rs client; } 4 Filters example function avoid_martians() prefix set martians; { martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-, 0.0.0.0/0{25,32}, 0.0.0.0/0{0,7} ]; # Avoid RFC1918 networks if net ~ martians then return false; return true; } 5 define myas = 47200; function bgp_out(int peeras) { if ! (source = RTS_BGP ) then return false; if (0,peeras) ~ bgp_community then return false; if (myas,peeras) ~ bgp_community then return true; if (0, myas) ~ bgp_community then return false; return true; } protocol bgp R25192x1 { local as myas; neighbor 194.50.100.13 as 25192;
    [Show full text]
  • Rethinking BGP Programmability
    λBGP: Rethinking BGP programmability Nicholas Hart, Charalampos Rotsos, Vasileios Giotsas, Nicholas Race, David Hutchison School of Computing and Communications, Lancaster University Abstract—BGP has long been the de-facto control plane pro- or supplement the information transmitted to adjacent ASes. tocol for inter-network connectivity. Although initially designed Configuration is stateless and programmability is typically to provide best-effort routing between ASes, the evolution of limited to simple arithmetic and logical expressions. As a Internet services has created a demand for more complex control functionalities using the protocol. At the heart of this challenge result, network managers must maintain large and complex lies the static nature of current BGP policy specification and en- configuration files in order to achieve the required policy forcement, and the limited programmability of production BGP effects, requiring regular updates in order to support changing policy frameworks. Meanwhile, in other contexts, the SDN model network conditions. Misconfiguration errors are a major cause has demonstrated that open and generic network control APIs of BGP problems [2], and connectivity outages and route leaks can greatly improve network functionality and seamlessly enable greater flexibility in network management. In this paper, we at a global or national level are not uncommon [3], [4]. argue that BGP speaking systems can and should provide an open Second, the BGP path selection process in current BGP control API and a richer policy language, in order to address routers is proactive, and its scope is limited to protocol modern era network control requirements. Towards this goal, we information and static configuration data. Many measurement present λBGP, a modular and extensible BGP stack written in studies have highlighted the fact that BGP could improve the Haskell.
    [Show full text]
  • Vector Packet Processor Documentation Release 0.1
    Vector Packet Processor Documentation Release 0.1 John DeNisco Aug 10, 2018 Contents 1 Overview 3 1.1 What is VPP?...............................................3 1.2 Features..................................................5 1.3 Performance............................................... 10 1.4 Architectures and Operating Systems.................................. 12 2 Getting Started 13 2.1 Users................................................... 13 2.2 Developers................................................ 51 2.3 Writing VPP Documentation....................................... 77 3 Use Cases 99 3.1 FD.io VPP with Containers....................................... 99 3.2 FD.io VPP with Virtual Machines.................................... 106 3.3 Using VPP as a Home Gateway..................................... 114 3.4 vSwitch/vRouter............................................. 118 4 Troubleshooting 119 4.1 How to Report an Issue......................................... 119 4.2 CPU Load/Usage............................................. 122 5 User Guides 125 5.1 Progressive VPP Tutorial......................................... 125 5.2 API User Guides............................................. 149 6 Events 151 6.1 Conferences............................................... 151 6.2 Summits................................................. 153 6.3 Meetings................................................. 163 6.4 Calls................................................... 165 6.5 Fd.io Training Event..........................................
    [Show full text]
  • Kratka Povijest Unixa Od Unicsa Do Freebsda I Linuxa
    Kratka povijest UNIXa Od UNICSa do FreeBSDa i Linuxa 1 Autor: Hrvoje Horvat Naslov: Kratka povijest UNIXa - Od UNICSa do FreeBSDa i Linuxa Licenca i prava korištenja: Svi imaju pravo koristiti, mijenjati, kopirati i štampati (printati) knjigu, prema pravilima GNU GPL licence. Mjesto i godina izdavanja: Osijek, 2017 ISBN: 978-953-59438-0-8 (PDF-online) URL publikacije (PDF): https://www.opensource-osijek.org/knjige/Kratka povijest UNIXa - Od UNICSa do FreeBSDa i Linuxa.pdf ISBN: 978-953- 59438-1- 5 (HTML-online) DokuWiki URL (HTML): https://www.opensource-osijek.org/dokuwiki/wiki:knjige:kratka-povijest- unixa Verzija publikacije : 1.0 Nakalada : Vlastita naklada Uz pravo svakoga na vlastito štampanje (printanje), prema pravilima GNU GPL licence. Ova knjiga je napisana unutar inicijative Open Source Osijek: https://www.opensource-osijek.org Inicijativa Open Source Osijek je član udruge Osijek Software City: http://softwarecity.hr/ UNIX je registrirano i zaštićeno ime od strane tvrtke X/Open (Open Group). FreeBSD i FreeBSD logo su registrirani i zaštićeni od strane FreeBSD Foundation. Imena i logo : Apple, Mac, Macintosh, iOS i Mac OS su registrirani i zaštićeni od strane tvrtke Apple Computer. Ime i logo IBM i AIX su registrirani i zaštićeni od strane tvrtke International Business Machines Corporation. IEEE, POSIX i 802 registrirani i zaštićeni od strane instituta Institute of Electrical and Electronics Engineers. Ime Linux je registrirano i zaštićeno od strane Linusa Torvaldsa u Sjedinjenim Američkim Državama. Ime i logo : Sun, Sun Microsystems, SunOS, Solaris i Java su registrirani i zaštićeni od strane tvrtke Sun Microsystems, sada u vlasništvu tvrtke Oracle. Ime i logo Oracle su u vlasništvu tvrtke Oracle.
    [Show full text]
  • Linux Networking 101
    The Gorilla ® Guide to… Linux Networking 101 Inside this Guide: • Discover how Linux continues its march toward world domination • Learn basic Linux administration tips • See how easy it can be to build your entire network on a Linux foundation • Find out how Cumulus Linux is your ticket to networking freedom David M. Davis ActualTech Media Helping You Navigate The Technology Jungle! In Partnership With www.actualtechmedia.com The Gorilla Guide To… Linux Networking 101 Author David M. Davis, ActualTech Media Editors Hilary Kirchner, Dream Write Creative, LLC Christina Guthrie, Guthrie Writing & Editorial, LLC Madison Emery, Cumulus Networks Layout and Design Scott D. Lowe, ActualTech Media Copyright © 2017 by ActualTech Media. All rights reserved. No portion of this book may be reproduced or used in any manner without the express written permission of the publisher except for the use of brief quotations. The information provided within this eBook is for general informational purposes only. While we try to keep the information up- to-date and correct, there are no representations or warranties, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the information, products, services, or related graphics contained in this book for any purpose. Any use of this information is at your own risk. ActualTech Media Okatie Village Ste 103-157 Bluffton, SC 29909 www.actualtechmedia.com Entering the Jungle Introduction: Six Reasons You Need to Learn Linux ....................................................... 7 1. Linux is the future ........................................................................ 9 2. Linux is on everything .................................................................. 9 3. Linux is adaptable ....................................................................... 10 4. Linux has a strong community and ecosystem ........................... 10 5.
    [Show full text]
  • Free, Functional, and Secure
    Free, Functional, and Secure Dante Catalfamo What is OpenBSD? Not Linux? ● Unix-like ● Similar layout ● Similar tools ● POSIX ● NOT the same History ● Originated at AT&T, who were unable to compete in the industry (1970s) ● Given to Universities for educational purposes ● Universities improved the code under the BSD license The License The license: ● Retain the copyright notice ● No warranty ● Don’t use the author's name to promote the product History Cont’d ● After 15 years, the partnership ended ● Almost the entire OS had been rewritten ● The university released the (now mostly BSD licensed) code for free History Cont’d ● AT&T launching Unix System Labories (USL) ● Sued UC Berkeley ● Berkeley fought back, claiming the code didn’t belong to AT&T ● 2 year lawsuit ● AT&T lost, and was found guilty of violating the BSD license History Cont’d ● BSD4.4-Lite released ● The only operating system ever released incomplete ● This became the base of FreeBSD and NetBSD, and eventually OpenBSD and MacOS History Cont’d ● Theo DeRaadt ○ Originally a NetBSD developer ○ Forked NetBSD into OpenBSD after disagreement the direction of the project *fork* Innovations W^X ● Pioneered by the OpenBSD project in 3.3 in 2002, strictly enforced in 6.0 ● Memory can either be write or execute, but but both (XOR) ● Similar to PaX Linux kernel extension (developed later) AnonCVS ● First project with a public source tree featuring version control (1995) ● Now an extremely popular model of software development anonymous anonymous anonymous anonymous anonymous IPSec ● First free operating system to implement an IPSec VPN stack Privilege Separation ● First implemented in 3.2 ● Split a program into processes performing different sub-functions ● Now used in almost all privileged programs in OpenBSD like httpd, bgpd, dhcpd, syslog, sndio, etc.
    [Show full text]
  • Irscp.Phase2.Pdf
    Wresting Control from BGP: Scalable Fine-grained Route Control ¡ ¡ ¡ Patrick Verkaik , Dan Pei , Tom Scholl , Aman Shaikh , ¡ Alex C. Snoeren , and Jacobus E. van der Merwe ¡ University of California, San Diego AT&T Labs Abstract Internet paths can often provide improved performance characteristics [1, 2, 20], suggesting the potential bene- Today's Internet users and applications are placing in- fit of making routing aware of network conditions [11]. creased demands on Internet service providers to deliver Additionally, today's operators are often required to re- fine-grained, flexible route control. To assist network op- strict the any-to-any connectivity model of the Internet erators in addressing this challenge we present an Intelli- to deal with unwanted traffic in the form of DDoS at- gent Route Service Control Point (IRSCP), a route con- tacks. Responses can take the form of black-holing traf- trol architecture that allows a network operator to flexibly fic, redirecting it to “scrubbing complexes”, or even more control routing between the traffic ingresses and egresses sophisticated differentiation of unwanted traffic based on of an ISP's network without modifying existing routers. network intelligence [24]. Finally, in some cases the de- In essence, IRSCP subsumes the control plane of an ISP's fault BGP decision process is simply at odds with provider network by replacing the distributed BGP decision pro- and/or customer goals. For example, using IGP cost as cess of each router in the network with a more flexi- a tie breaker in the decision process can lead to unbal- ble, logically centralized route computation.
    [Show full text]
  • Segment Routing: a Comprehensive Survey of Research Activities, Standardization Efforts and Implementation Results
    SUBMITTED TO IEEE COMMUNICATIONS SURVEYS & TUTORIALS 1 Segment Routing: a Comprehensive Survey of Research Activities, Standardization Efforts and Implementation Results Pier Luigi Ventre, Stefano Salsano, Marco Polverini, Antonio Cianfrani, Ahmed Abdelsalam, Clarence Filsfils, Pablo Camarillo, Francois Clad Revision R2 - June 2020 Abstract—Fixed and mobile telecom operators, enterprise net- APIs, Northbound APIs, Open Source, Software Defined Net- work operators and cloud providers strive to face the challenging working, SDN, Service Function Chaining, SFC, Standards demands coming from the evolution of IP networks (e.g. huge bandwidth requirements, integration of billions of devices and millions of services in the cloud). Proposed in the early 2010s, I. INTRODUCTION Segment Routing (SR) architecture helps face these challenging demands, and it is currently being adopted and deployed. SR Egment Routing (SR) is based on the loose Source architecture is based on the concept of source routing and S Routing concept. A node can include an ordered list of has interesting scalability properties, as it dramatically reduces instructions in the packet headers. These instructions steer the the amount of state information to be configured in the core forwarding and the processing of the packet along its path in nodes to support complex services. SR architecture was first implemented with the MPLS dataplane and then, quite recently, the network. with the IPv6 dataplane (SRv6). IPv6 SR architecture (SRv6) The single instructions are called segments, a sequence of has been extended from the simple steering of packets across instructions can be referred to as a segment list or as an SR nodes to a general network programming approach, making it Policy.
    [Show full text]