UNDOCUMENTED Vyatta vRouter: Unbreakable VPN Tunneling (MEMO)

18 Mar, 2014
SAKURA Internet Research Center
Senior Researcher / Naoto MATSUMOTO

Japan Vyatta Users Meeting 2014 Spring on Tokyo.

  1. 23 Mar, 2014. SAKURA Internet Research Center, Senior Researcher / Naoto MATSUMOTO. Japan Vyatta Users Meeting Spring 2014 in Tokyo.
  2. BASIC Networking for VMM Env
  3. Upstream Router redundancy
  4. Virtual Router redundancy
  5. NIC/Cable failure recovery
  6. Switch failure recovery
  7. Upstream Router recovery
  8. Comparison of Fail-over model (diagram; source: SAKURA Internet Research Center 03/2014, Project THORN). Topologies compared: Legacy Type (STP/RSTP/MSTP, etc.), Stacking Type, Box Type and Virtual Chassis Type (MLAG, Fabric, etc.), plotted by Complexity against Network Capacity (Low to High) for 1GbE, 10GbE and 40GbE networks. Legend: SW: Ethernet Switch, SRV: Server, vSW: Virtual Switch on VMM, VM: Virtual Machine on VMM.
  9. Best Current Practice [Top of Rack] (diagram; source: SAKURA Internet Research Center 03/2014, Project THORN; same topology comparison and legend as slide 8)
  10. Best Current Practice [Performance] (diagram; source: SAKURA Internet Research Center 03/2014, Project THORN; same topology comparison and legend as slide 8)
  11. VRRP Clustering with multicast BCP (diagram; source: SAKURA Internet Research Center 03/2014, Project THORN). Stacking Type, Box Type and Virtual Chassis Type (MLAG, Fabric, etc.) topologies over 1/10GbE and 10/40GbE networks, with the Multicast Flow drawn in each. Legend as on slide 8.
  12. BASIC Network Architecture
  13. BASIC Configuration for LAN (diagram: two Vyatta vRouters)
  14. Logical IP Networking (diagram: two Vyatta vRouters)
  15. Clustering Configuration (diagram: two Vyatta vRouters)
  16. Logical IP Networking (MASTER) (diagram: two Vyatta vRouters)
  17. Logical IP Networking (SLAVE) (diagram: two Vyatta vRouters)
  18. Unbreakable VPN Architecture
  19. BASIC Configuration for VPN
  20. Virtualization == H/W Abstraction
  21. Dual IPSec Tunneling (diagram: two pairs of Vyatta vRouters)
  22. Dual IPSec Tunneling
     # set vpn ipsec ike-group IKE lifetime 3600
     # set vpn ipsec ike-group IKE proposal 1 encryption aes256
     # set vpn ipsec ike-group IKE proposal 1 hash sha1
     # set vpn ipsec esp-group ESP lifetime 1800
     # set vpn ipsec esp-group ESP mode tunnel
     # set vpn ipsec esp-group ESP pfs enable
     # set vpn ipsec esp-group ESP proposal 1 encryption aes256
     # set vpn ipsec esp-group ESP proposal 1 hash sha1
     # set vpn ipsec ipsec-interfaces interface eth0
     # set vpn ipsec site-to-site peer 133.242.YYY.3 authentication mode pre-shared-secret
     # set vpn ipsec site-to-site peer 133.242.YYY.3 authentication pre-shared-secret XXXX
     # set vpn ipsec site-to-site peer 133.242.YYY.3 connection-type initiate
     # set vpn ipsec site-to-site peer 133.242.YYY.3 default-esp-group ESP
     # set vpn ipsec site-to-site peer 133.242.YYY.3 ike-group IKE
     # set vpn ipsec site-to-site peer 133.242.YYY.3 local-address 133.242.XXX.1
     # set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 local prefix 10.10.10.0/24
     # set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 remote prefix 10.20.20.0/24
  23. TCP-MSS Rewriting
     # set policy route TCP-MSS1386-ETH0 rule 1 destination address 10.20.20.0/24
     # set policy route TCP-MSS1386-ETH0 rule 1 protocol tcp
     # set policy route TCP-MSS1386-ETH0 rule 1 set tcp-mss 1386
     # set policy route TCP-MSS1386-ETH0 rule 1 tcp flags SYN
     # set interfaces tunnel eth0 policy route TCP-MSS1386-ETH0
  24. Clustering Configuration
  25. Clustering Configuration
     # set cluster dead-interval 1000
     # set cluster group CLUSTER auto-failback true
     # set cluster interface eth0
     # set cluster interface eth1
     # set cluster keepalive-interval 200
     # set cluster monitor-dead-interval 1000
     # set cluster pre-shared-secret YYYYYY
     # set cluster group CLUSTER primary VR-1
     # set cluster group CLUSTER secondary VR-2
     # set cluster group CLUSTER service 10.10.10.100/24/eth1
     # set cluster mcast-group 239.10.10.100
  26. Clustering Group Monitoring
  27. Clustering Group Monitoring
     # set cluster group CLUSTER monitor 133.242.YYY.3
  28. Logical IP Networking (MASTER)
  29. Logical IP Networking (SLAVE) (diagram label: Disposal IPSec link)
  30. Firewall/QoS Rule for DoS Attack
  31. Another solution: DMVPN Tunneling (diagram: DATACENTER A, DATACENTER B, DATACENTER C)
  32. DMVPN Tunneling with IPSec/BGP (diagram: DATACENTER A, B and C with AS65001, AS65002, AS65003, AS65004, AS65005 and AS65006)
  33. Thanks for your interest. SAKURA Internet Research Center.
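The IPsec and TCP-MSS commands on slides 22 and 23 are the part of the deck most worth reviewing before it is copied into production. The following is an added example, not code from the deck or from Vyatta: it parses those `set` commands into a nested dictionary and runs a few defender-side checks over the result (SHA-1 proposals, PFS, ESP versus IKE lifetime, pre-shared-secret length, and whether the MSS clamp targets the tunnel's remote prefix and only TCP SYN). The `set interfaces ... policy route` binding line is left out of the sample because the checks do not need it. The thresholds `MIN_PSK_LENGTH` and the 1460-byte MSS ceiling (a 1500-byte MTU minus 40 bytes of IP/TCP headers) are my assumptions, and the deck's placeholder values (`133.242.YYY.3`, `XXXX`) are kept as they appear on the slides.

```python
"""Audit the Vyatta vRouter IPsec / TCP-MSS `set` commands from slides 22 and 23.
Added example, not the deck's or Vyatta's code."""

# Constructed input: the slide commands, with the deck's placeholders kept as-is.
SLIDE_CONFIG = """
set vpn ipsec ike-group IKE lifetime 3600
set vpn ipsec ike-group IKE proposal 1 encryption aes256
set vpn ipsec ike-group IKE proposal 1 hash sha1
set vpn ipsec esp-group ESP lifetime 1800
set vpn ipsec esp-group ESP mode tunnel
set vpn ipsec esp-group ESP pfs enable
set vpn ipsec esp-group ESP proposal 1 encryption aes256
set vpn ipsec esp-group ESP proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 133.242.YYY.3 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 133.242.YYY.3 authentication pre-shared-secret XXXX
set vpn ipsec site-to-site peer 133.242.YYY.3 connection-type initiate
set vpn ipsec site-to-site peer 133.242.YYY.3 default-esp-group ESP
set vpn ipsec site-to-site peer 133.242.YYY.3 ike-group IKE
set vpn ipsec site-to-site peer 133.242.YYY.3 local-address 133.242.XXX.1
set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 local prefix 10.10.10.0/24
set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 remote prefix 10.20.20.0/24
set policy route TCP-MSS1386-ETH0 rule 1 destination address 10.20.20.0/24
set policy route TCP-MSS1386-ETH0 rule 1 protocol tcp
set policy route TCP-MSS1386-ETH0 rule 1 set tcp-mss 1386
set policy route TCP-MSS1386-ETH0 rule 1 tcp flags SYN
"""

MIN_PSK_LENGTH = 20   # assumption: a shorter secret is treated as a placeholder
MAX_USEFUL_MSS = 1460  # assumption: 1500-byte MTU minus 40 bytes of IP/TCP headers


def parse_set_commands(text):
    """Nested dict from `set <path...> <key> <value>` lines.
    The last token is the value, the one before it the key; a repeated key
    (e.g. several `ipsec-interfaces interface ethN`) collects into a list."""
    tree = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "set":
            tokens = tokens[1:]
        if len(tokens) < 2:
            raise ValueError(f"cannot parse: {raw!r}")
        node = tree
        for tok in tokens[:-2]:
            node = node.setdefault(tok, {})
            if not isinstance(node, dict):
                raise ValueError(f"path/value clash at {tok!r} in {raw!r}")
        key, value = tokens[-2], tokens[-1]
        if key not in node:
            node[key] = value
        elif isinstance(node[key], list):
            node[key].append(value)
        else:
            node[key] = [node[key], value]
    return tree


def audit_ipsec(tree):
    """Findings about the IKE/ESP groups and the site-to-site peers."""
    findings = []
    ipsec = tree["vpn"]["ipsec"]
    for kind in ("ike-group", "esp-group"):
        for name, group in ipsec.get(kind, {}).items():
            for pid, prop in group.get("proposal", {}).items():
                if prop.get("hash") == "sha1":
                    findings.append(f"{kind} {name} proposal {pid}: hash sha1 is legacy; "
                                    "current guidance prefers sha256 or stronger")
                if not str(prop.get("encryption", "")).startswith("aes"):
                    findings.append(f"{kind} {name} proposal {pid}: non-AES encryption")
    for name, group in ipsec.get("esp-group", {}).items():
        if group.get("pfs") != "enable":
            findings.append(f"esp-group {name}: PFS is not enabled")
    for peer, cfg in ipsec.get("site-to-site", {}).get("peer", {}).items():
        ike = ipsec.get("ike-group", {}).get(cfg.get("ike-group"), {})
        esp = ipsec.get("esp-group", {}).get(cfg.get("default-esp-group"), {})
        if not ike or not esp:
            findings.append(f"peer {peer}: references an undefined IKE or ESP group")
        elif int(esp.get("lifetime", 0)) > int(ike.get("lifetime", 0)):
            findings.append(f"peer {peer}: ESP lifetime exceeds IKE lifetime")
        auth = cfg.get("authentication", {})
        psk = str(auth.get("pre-shared-secret", ""))
        if auth.get("mode") == "pre-shared-secret" and len(psk) < MIN_PSK_LENGTH:
            findings.append(f"peer {peer}: pre-shared secret is only {len(psk)} characters")
    return findings


def audit_tcp_mss(tree):
    """Each MSS clamp must target a tunnel remote prefix, match only TCP SYN,
    and use a value that actually leaves room for the ESP tunnel overhead."""
    findings = []
    remote_prefixes = set()
    for cfg in tree["vpn"]["ipsec"].get("site-to-site", {}).get("peer", {}).values():
        for tun in cfg.get("tunnel", {}).values():
            remote_prefixes.add(tun.get("remote", {}).get("prefix"))
    for name, policy in tree.get("policy", {}).get("route", {}).items():
        for rid, rule in policy.get("rule", {}).items():
            mss = rule.get("set", {}).get("tcp-mss")
            if mss is None:
                continue
            dest = rule.get("destination", {}).get("address")
            if dest not in remote_prefixes:
                findings.append(f"policy {name} rule {rid}: destination {dest} is not a tunnel remote prefix")
            if rule.get("protocol") != "tcp" or rule.get("tcp", {}).get("flags") != "SYN":
                findings.append(f"policy {name} rule {rid}: MSS clamp should match only TCP SYN")
            if int(mss) >= MAX_USEFUL_MSS:
                findings.append(f"policy {name} rule {rid}: tcp-mss {mss} leaves no room for ESP overhead")
    return findings


if __name__ == "__main__":
    config = parse_set_commands(SLIDE_CONFIG)
    for finding in audit_ipsec(config) + audit_tcp_mss(config):
        print(finding)
```

Run against the slide commands it reports three things: both proposals use SHA-1, and the `XXXX` secret is far too short (which for the deck is just a placeholder, but the check exists precisely so that placeholders never reach production). The MSS rule passes: its destination is the tunnel remote prefix, it matches SYN only, and 1386 is below the ceiling.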

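Slides 25 and 27 give the cluster timers (keepalive-interval 200, dead-interval 1000, monitor-dead-interval 1000, auto-failback true) and the monitor target, but not how they combine into the failover shown on slides 5 to 7 and 28/29. The following is an added example, not the deck's or Vyatta's code, that models those timers in a small simulation: the secondary declares the primary dead when no keepalive has arrived within dead-interval, the primary gives up the service address when its monitor target has not answered within monitor-dead-interval, and auto-failback returns the service to the primary as soon as both conditions clear. Assumptions: all intervals are milliseconds, the secondary itself stays healthy throughout, the two failure scenarios are constructed for illustration, and the real heartbeat implementation may differ in detail.

```python
"""Timing model of the slide-25/27 cluster settings (added example; assumptions
noted in the comments, not a description of Vyatta's implementation)."""
import bisect

# Values from slides 25 and 27; units assumed to be milliseconds.
CLUSTER = {
    "keepalive_ms": 200,
    "dead_ms": 1000,
    "monitor_dead_ms": 1000,
    "auto_failback": True,
    "primary": "VR-1",
    "secondary": "VR-2",
}


def periodic(start_ms, end_ms, interval_ms):
    """Timestamps of a periodic message from start to end, inclusive."""
    return list(range(start_ms, end_ms + 1, interval_ms))


# Constructed scenarios (times in ms).
# Link failure (slides 5/6): the primary's keepalives stop at t=2000 and come
# back at t=5000 while its monitor target keeps answering.
SCENARIO_LINK_FAILURE = {
    "heartbeats": periodic(0, 2000, 200) + periodic(5000, 8000, 200),
    "monitor_replies": periodic(0, 8000, 200),
}
# Upstream failure (slide 7): keepalives never stop, but the monitored peer
# router is silent between t=2000 and t=5000.
SCENARIO_UPSTREAM_FAILURE = {
    "heartbeats": periodic(0, 8000, 200),
    "monitor_replies": periodic(0, 2000, 200) + periodic(5000, 8000, 200),
}


def last_at_or_before(times, t):
    """Most recent timestamp <= t, or None if there is none."""
    i = bisect.bisect_right(times, t)
    return times[i - 1] if i else None


def missed_keepalives_tolerated(cfg=CLUSTER):
    """Consecutive keepalives that may be lost before the peer is declared dead."""
    return cfg["dead_ms"] // cfg["keepalive_ms"]


def simulate_failover(scenario, cfg=CLUSTER, horizon_ms=8000, step_ms=10):
    """Return the (time_ms, owner) transitions of the cluster service address.
    Assumed semantics: the primary may hold the service only while the secondary
    has heard a keepalive within dead-interval AND the primary's monitor target
    has answered within monitor-dead-interval."""
    heartbeats = scenario["heartbeats"]
    monitor_replies = scenario["monitor_replies"]
    owner = cfg["primary"]
    transitions = [(0, owner)]
    for t in range(0, horizon_ms + 1, step_ms):
        hb = last_at_or_before(heartbeats, t)
        mon = last_at_or_before(monitor_replies, t)
        primary_alive = hb is not None and t - hb <= cfg["dead_ms"]
        monitor_ok = mon is not None and t - mon <= cfg["monitor_dead_ms"]
        primary_can_serve = primary_alive and monitor_ok
        if owner == cfg["primary"] and not primary_can_serve:
            owner = cfg["secondary"]
            transitions.append((t, owner))
        elif owner == cfg["secondary"] and primary_can_serve and cfg["auto_failback"]:
            owner = cfg["primary"]
            transitions.append((t, owner))
    return transitions


if __name__ == "__main__":
    print("keepalives tolerated before declaring the peer dead:", missed_keepalives_tolerated())
    for name, scenario in (("link failure", SCENARIO_LINK_FAILURE),
                           ("upstream failure", SCENARIO_UPSTREAM_FAILURE)):
        print(name, simulate_failover(scenario))
```

Both constructed scenarios produce the same timeline: VR-2 takes the service address roughly one dead-interval after the last good keepalive or monitor reply (t=3010 in the model), and with `auto-failback true` VR-1 gets it back the moment both conditions clear at t=5000. Setting `auto_failback` to `False` in the model shows the other policy: the service stays on VR-2 until VR-2 itself fails, which is what slide 29's "disposal" of the failed node's IPsec link assumes.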