Naoto MATSUMOTO, profile picture
Uploaded byNaoto MATSUMOTO
5,927 views

UNDOCUMENTED Vyatta vRouter: Unbreakable VPN Tunneling (MEMO)

The document discusses advanced networking concepts relevant to virtualized environments, focusing on redundancy and recovery techniques for network components. It covers various network configurations, including 1GbE, 10GbE, and 40GbE setups, as well as VPN architecture and clustering configurations using Vyatta vRouter. The text also highlights best practices and performance considerations for setting up resilient network infrastructure.

Embed presentation

23 Mar, 2014 SAKURA Internet Research Center Senior Researcher / Naoto MATSUMOTO Japan Vyatta Users Meeting Spring 2014 in Tokyo.
BASIC Networking for VMM Env
Upstream Router redundancy
Virtual Router redundancy
NIC/Cable failure recovery
Switch failure recovery
Upstream Router recovery
Comparison of Fail-over model Source: SAKURA Internet Research Center 03/2014, Project THORN. Complexity vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW Stacking Type SRV vSW VMVM 1GbE Network vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW SW SW Box Type SRV vSW VMVM SW SW Stacking Type SRV vSW VMVM 10GbE Network vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW SW SW Box Type SRV vSW VMVM 40GbE Network SW SW Virtual Chassis Type (MLAG,Fabric...etc) vSW VMVM SRV SW SW Virtual Chassis Type (MLAG,Fabric...etc) vSW VMVM SRV Network Capacity Low High *SW: Ethernet Switch, SRV: Server, vSW: Virtual Switch on VMM, VM: Virtual Maching on VMM
Best Current Practice [Top of Rack] Source: SAKURA Internet Research Center 03/2014, Project THORN. Complexity vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW Stacking Type SRV vSW VMVM 1GbE Network vSW VM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW SW SW Box Type SRV vSW VMVM SW SW Stacking Type SRV vSW VMVM 10GbE Network vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW SW SW Box Type SRV vSW VMVM 40GbE Network SW SW Virtual Chassis Type (MLAG,Fabric...etc) vSW VMVM SRV SW SW Virtual Chassis Type (MLAG,Fabric...etc) vSW VMVM SRV Network Capacity Low High VM *SW: Ethernet Switch, SRV: Server, vSW: Virtual Switch on VMM, VM: Virtual Maching on VMM
Best Current Practice [Performance] Source: SAKURA Internet Research Center 03/2014, Project THORN. Complexity vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW Stacking Type SRV 1GbE Network vSW VM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW Stacking Type SRV 10GbE Network vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) 40GbE Network Virtual Chassis Type (MLAG,Fabric...etc) SRV Virtual Chassis Type (MLAG,Fabric...etc) SRV Network Capacity Low High VM vSW VMVM vSW VMVM vSW VMVM vSW VMVM SW SW SW SW Box Type SRV vSW VMVM SW SW SW SW Box Type SRV vSW VMVM SW SW SW SW *SW: Ethernet Switch, SRV: Server, vSW: Virtual Switch on VMM, VM: Virtual Maching on VMM
VRRP Clustering with multicast BCP Source: SAKURA Internet Research Center 03/2014, Project THORN. SW Virtual Chassis Type (MLAG,Fabric...etc) VM SRV vSW VMVM SRV vSW VMVM SW VMSRV vSW VMVM SRV vSW VMVM SW SW Stacking Type SW SW SW SW Box Type VM SRV vSW VMVM SRV vSW VMVM 1/10GbE Network 10/40GbE Network 10/40GbE Network Multicast FlowMulticast Flow Multicast Flow *SW: Ethernet Switch, SRV: Server, vSW: Virtual Switch on VMM, VM: Virtual Maching on VMM
BASIC Network Architecure
BASIC Configuration for LAN Vyatta vRouterVyatta vRouter
Logical IP Networking Vyatta vRouterVyatta vRouter
Clustering Configuration Vyatta vRouterVyatta vRouter
Logical IP Networking (MASTER) Vyatta vRouterVyatta vRouter
Logical IP Networking (SLAVE) Vyatta vRouterVyatta vRouter
Ubreakable VPN Architecure
BASIC Configuration for VPN
Virtualization == H/W Abstraction
Dual IPSec Tunneling Vyatta vRouterVyatta vRouter Vyatta vRouterVyatta vRouter
Dual IPSec Tunneling # set vpn ipsec ike-group IKE lifetime 3600 # set vpn ipsec ike-group IKE proposal 1 encryption aes256 # set vpn ipsec ike-group IKE proposal 1 hash sha1 # set vpn ipsec esp-group ESP lifetime 1800 # set vpn ipsec esp-group ESP mode tunnel # set vpn ipsec esp-group ESP pfs enable # set vpn ipsec esp-group ESP proposal 1 encryption aes256 # set vpn ipsec esp-group ESP proposal 1 hash sha1 # set vpn ipsec ipsec-interfaces interface eth0 # set vpn ipsec site-to-site peer 133.242.YYY.3 authentication mode pre-shared-secret # set vpn ipsec site-to-site peer 133.242.YYY.3 authentication pre-shared-secret XXXX # set vpn ipsec site-to-site peer 133.242.YYY.3 connection-type initiate # set vpn ipsec site-to-site peer 133.242.YYY.3 default-esp-group ESP # set vpn ipsec site-to-site peer 133.242.YYY.3 ike-group IKE # set vpn ipsec site-to-site peer 133.242.YYY.3 local-address 133.242.XXX.1 # set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 local prefix 10.10.10.0/24 # set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 remote prefix 10.20.20.0/24 IKE ESP
TCP-MSS Rewriting # set policy route TCP-MSS1386-ETH0 rule 1 destination address 10.20.20.0/24 # set policy route TCP-MSS1386-ETH0 rule 1 protocol tcp # set policy route TCP-MSS1386-ETH0 rule 1 set tcp-mss 1386 # set policy route TCP-MSS1386-ETH0 rule 1 tcp flags SYN # set interfaces tunnel eth0 policy route TCP-MSS1386-ETH0
Clustering Configuration
Clustering Configuration # set cluster dead-interval 1000 # set cluster group CLUSTER auto-failback true # set cluster interface eth0 # set cluster interface eth1 # set cluster keepalive-interval 200 # set cluster monitor-dead-interval 1000 # set cluster pre-shared-secret YYYYYY # set cluster group CLUSTER primary VR-1 # set cluster group CLUSTER secondary VR-2 # set cluster group CLUSTER service 10.10.10.100/24/eth1 # set cluster mcast-group 239.10.10.100
Clustering Group Monitoring
Clustering Group Monitoring # set cluster group CLUSTER monitor 133.242.YYY.3
Logical IP Networking (MASTER)
Logical IP Networking (SLAVE) Disposal IPSec link
Firewall/QoS Rule for DoS Attack
Another solution: DMVPN Tunneling DATACENTER A DATACENTER BDATACENTER C
DMVPN Tunneling with IPSec/BGP DATACENTER A DATACENTER BDATACENTER C AS65001 AS65002 AS65003 AS65005 AS65006AS65004
Thanks for your interest. SAKURA Internet Research Center.

More Related Content

PDF
Unbreakable VPN using Vyatta/VyOS - HOW TO -
byNaoto MATSUMOTO
 
PDF
Vyos clustering ipsec
byGireesh Hariharasubramony
 
PDF
Large Scale L2TPv3 Overlay Networking with OSPFv3(DRAFT)
byNaoto MATSUMOTO
 
PDF
UNDOCUMENTED Vyatta vRouter: IPv4 over IPv6 Tunneling
byNaoto MATSUMOTO
 
PDF
How to ride a 100GbE LAN -MEMO-
byNaoto MATSUMOTO
 
PDF
An Easy way to build a server cluster without top of rack switches (MEMO)
byNaoto MATSUMOTO
 
PDF
Tiny Server Clustering using Vyatta/VyOS (MEMO)
byNaoto MATSUMOTO
 
PPTX
High Availability Server Clustering without ILB(Internal Load Balancer) (MEMO)
byNaoto MATSUMOTO
 
Unbreakable VPN using Vyatta/VyOS - HOW TO -
byNaoto MATSUMOTO
 
Vyos clustering ipsec
byGireesh Hariharasubramony
 
Large Scale L2TPv3 Overlay Networking with OSPFv3(DRAFT)
byNaoto MATSUMOTO
 
UNDOCUMENTED Vyatta vRouter: IPv4 over IPv6 Tunneling
byNaoto MATSUMOTO
 
How to ride a 100GbE LAN -MEMO-
byNaoto MATSUMOTO
 
An Easy way to build a server cluster without top of rack switches (MEMO)
byNaoto MATSUMOTO
 
Tiny Server Clustering using Vyatta/VyOS (MEMO)
byNaoto MATSUMOTO
 
High Availability Server Clustering without ILB(Internal Load Balancer) (MEMO)
byNaoto MATSUMOTO
 

What's hot

PDF
SR-IOV+KVM on Debian/Stable
byjuet-y
 
PPTX
The Basic Introduction of Open vSwitch
byTe-Yen Liu
 
PDF
VYATTAによるマルチパスVPN接続手法
byNaoto MATSUMOTO
 
PDF
Westermo WeOS Multicast Tunneling
byFabian Vandendyck
 
PDF
VYOS & RPKI at the BGP as edge
byFaelix Ltd
 
PDF
SR-IOV, KVM and Intel X520 10Gbps cards on Debian/Stable
byjuet-y
 
PDF
How to Cisco ACI Multi-Pod
byTakehiro Yokoishi
 
PDF
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
byHarris Andrea
 
PDF
IPv4 over IPv6 Tunneling with IPSec [DRAFT]
byNaoto MATSUMOTO
 
PDF
82599 sriov vm configuration notes
byRyan Aydelott
 
PDF
Nxll14 cut through-proxy on asa
byNetwax Lab
 
PDF
Server-side Intelligent Switching using vyatta
byNaoto MATSUMOTO
 
PPT
SAS (Secure Active Switch)
bySecurity Date
 
PDF
Keeping your rack cool
byPavel Odintsov
 
DOCX
Examen main remote
byjheral stalin
 
PDF
VPNIPSec site to site
byDimitri LEMBOKOLO
 
PDF
Nat
byMohamed Gamel
 
SR-IOV+KVM on Debian/Stable
byjuet-y
 
The Basic Introduction of Open vSwitch
byTe-Yen Liu
 
VYATTAによるマルチパスVPN接続手法
byNaoto MATSUMOTO
 
Westermo WeOS Multicast Tunneling
byFabian Vandendyck
 
VYOS & RPKI at the BGP as edge
byFaelix Ltd
 
SR-IOV, KVM and Intel X520 10Gbps cards on Debian/Stable
byjuet-y
 
How to Cisco ACI Multi-Pod
byTakehiro Yokoishi
 
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
byHarris Andrea
 
IPv4 over IPv6 Tunneling with IPSec [DRAFT]
byNaoto MATSUMOTO
 
82599 sriov vm configuration notes
byRyan Aydelott
 
Nxll14 cut through-proxy on asa
byNetwax Lab
 
Server-side Intelligent Switching using vyatta
byNaoto MATSUMOTO
 
SAS (Secure Active Switch)
bySecurity Date
 
Keeping your rack cool
byPavel Odintsov
 
Examen main remote
byjheral stalin
 
VPNIPSec site to site
byDimitri LEMBOKOLO
 
Nat
byMohamed Gamel
 

Viewers also liked

PDF
Using Agilio SmartNICs for OpenStack Networking Acceleration
byNetronome
 
PPSX
Juniper Contrail VNS A BASIC introduction
byMarketingArrowECS_CZ
 
PPTX
Mellanox Approach to NFV & SDN
byMellanox Technologies
 
PPT
Vulnerabilities in IP Protocols
bybabak danyal
 
PPTX
Metaswitch and Intel: A Systematic Approach to NFV
bySimon Dredge
 
PDF
Introduction to Open Mano
byvideos
 
PDF
1ip Tunneling And Vpn Technologies 101220042129 Phpapp01
byHussein Elmenshawy
 
PPT
Tcp sockets
bybabak danyal
 
PPTX
InfiniBand Growth Trends - TOP500 (July 2015)
byMellanox Technologies
 
PDF
Gre tunnel pdf
byRajesh Porwal
 
PDF
Performance Lessons learned in vRouter - Stephen Hemminger
byharryvanhaaren
 
PPTX
Controlling remote pc using mobile
byArchana Maharjan
 
PPTX
Open contrailのご紹介
byDaisuke Nakajima
 
PDF
Brocade SDN Controller -Sample Code for Brocade vRouter-
byBrocade
 
PPTX
Open contrail slides for BANV meetup
byScott Edwards
 
PPTX
OpenContrail Presentation at Openstack Days Tokyo Japan Feb 13 2014
byozkan01
 
PDF
大規模なスイッチレス・サーバクラスタリング構築運用の考察
byNaoto MATSUMOTO
 
PDF
Ip tunnelling and_vpn
byRajesh Porwal
 
PDF
Openstack meetup NFV
byMarie-Paule Odini
 
PDF
CernVM Online and Cloud Gateway: a uniform interface for CernVM contextualiza...
byGeorge Lestaris
 
Using Agilio SmartNICs for OpenStack Networking Acceleration
byNetronome
 
Juniper Contrail VNS A BASIC introduction
byMarketingArrowECS_CZ
 
Mellanox Approach to NFV & SDN
byMellanox Technologies
 
Vulnerabilities in IP Protocols
bybabak danyal
 
Metaswitch and Intel: A Systematic Approach to NFV
bySimon Dredge
 
Introduction to Open Mano
byvideos
 
1ip Tunneling And Vpn Technologies 101220042129 Phpapp01
byHussein Elmenshawy
 
Tcp sockets
bybabak danyal
 
InfiniBand Growth Trends - TOP500 (July 2015)
byMellanox Technologies
 
Gre tunnel pdf
byRajesh Porwal
 
Performance Lessons learned in vRouter - Stephen Hemminger
byharryvanhaaren
 
Controlling remote pc using mobile
byArchana Maharjan
 
Open contrailのご紹介
byDaisuke Nakajima
 
Brocade SDN Controller -Sample Code for Brocade vRouter-
byBrocade
 
Open contrail slides for BANV meetup
byScott Edwards
 
OpenContrail Presentation at Openstack Days Tokyo Japan Feb 13 2014
byozkan01
 
大規模なスイッチレス・サーバクラスタリング構築運用の考察
byNaoto MATSUMOTO
 
Ip tunnelling and_vpn
byRajesh Porwal
 
Openstack meetup NFV
byMarie-Paule Odini
 
CernVM Online and Cloud Gateway: a uniform interface for CernVM contextualiza...
byGeorge Lestaris
 

Similar to UNDOCUMENTED Vyatta vRouter: Unbreakable VPN Tunneling (MEMO)

PDF
Cloud Network Virtualization with Juniper Contrail
bybuildacloud
 
PPTX
Cloud stack networking shapeblue technical deep dive
byShapeBlue
 
PDF
EYWA Presentation v0.1.27
byJungIn Jung
 
PPT
CloudStack and SDN
bySebastien Goasguen
 
PPTX
EYWA (Elastic load-balancing & high-availabilitY Wired virtual network Archit...
byJeong, Wookjae
 
PPT
Cisco Router As A Vpn Server
bymmoizuddin
 
PPTX
IP Multicast on ec2
byKenta Yasukawa
 
PPTX
Xen and Apache cloudstack
byThe Linux Foundation
 
PDF
Eywa - Cloud Network Architecture 20180625(20150907)(compact)
byJungIn Jung
 
PPTX
Introduction to AWS VPC & Networking
byMichael Pearce
 
PDF
Amazon virtual private cloud (vpc)
byKi Sung Bae
 
PDF
1/10/40GbE Switch Design Pattern for VRRP Clustering with Multicast
byNaoto MATSUMOTO
 
PDF
Open stack advanced_part
bylilliput12
 
PDF
Module_2_Slides.pdf
bygoldfer1
 
PDF
PLNOG16: Data center interconnect dla opornych, Krzysztof Mazepa
byPROIDEA
 
PDF
Private cloud networking_cloudstack_days_austin
byChiradeep Vittal
 
PDF
Exploiting First Hop Protocols to Own the Network - Paul Coggin
byEC-Council
 
PDF
SDN in Apache CloudStack (ApacheCon NA 2013)
byChiradeep Vittal
 
DOCX
Lab 2 Networking in the cloud Overv.docx
byDIPESH30
 
PPTX
CompTIASecPLUS-Part1 Unlimited Edition- Edited.pptx
bymohedkhadar60
 
Cloud Network Virtualization with Juniper Contrail
bybuildacloud
 
Cloud stack networking shapeblue technical deep dive
byShapeBlue
 
EYWA Presentation v0.1.27
byJungIn Jung
 
CloudStack and SDN
bySebastien Goasguen
 
EYWA (Elastic load-balancing & high-availabilitY Wired virtual network Archit...
byJeong, Wookjae
 
Cisco Router As A Vpn Server
bymmoizuddin
 
IP Multicast on ec2
byKenta Yasukawa
 
Xen and Apache cloudstack
byThe Linux Foundation
 
Eywa - Cloud Network Architecture 20180625(20150907)(compact)
byJungIn Jung
 
Introduction to AWS VPC & Networking
byMichael Pearce
 
Amazon virtual private cloud (vpc)
byKi Sung Bae
 
1/10/40GbE Switch Design Pattern for VRRP Clustering with Multicast
byNaoto MATSUMOTO
 
Open stack advanced_part
bylilliput12
 
Module_2_Slides.pdf
bygoldfer1
 
PLNOG16: Data center interconnect dla opornych, Krzysztof Mazepa
byPROIDEA
 
Private cloud networking_cloudstack_days_austin
byChiradeep Vittal
 
Exploiting First Hop Protocols to Own the Network - Paul Coggin
byEC-Council
 
SDN in Apache CloudStack (ApacheCon NA 2013)
byChiradeep Vittal
 
Lab 2 Networking in the cloud Overv.docx
byDIPESH30
 
CompTIASecPLUS-Part1 Unlimited Edition- Edited.pptx
bymohedkhadar60
 

More from Naoto MATSUMOTO

PDF
3/4G USB modem Cheat Sheet
byNaoto MATSUMOTO
 
PDF
LTE-M/NB IoTを試してみる nRF9160/Thingy:91
byNaoto MATSUMOTO
 
PDF
Network Adapter Deep dive
byNaoto MATSUMOTO
 
PDF
ADS-B, AIS, APRS cheatsheet
byNaoto MATSUMOTO
 
PDF
How To Train Your ARM(SBC)
byNaoto MATSUMOTO
 
PDF
AMDGPU ROCm Deep dive
byNaoto MATSUMOTO
 
PDF
curl --http3 cheatsheet
byNaoto MATSUMOTO
 
PDF
RTL2838 DVB-T Deep dive
byNaoto MATSUMOTO
 
PDF
BeautifulSoup / selenium Deep dive
byNaoto MATSUMOTO
 
PDF
5Gの見える化
byNaoto MATSUMOTO
 
PDF
私たちに訪れる(かもしれない)未来と計算機によるモノコトの見える化
byNaoto MATSUMOTO
 
PDF
x86_64 Hardware Deep dive
byNaoto MATSUMOTO
 
PDF
旅するパケットの見える化
byNaoto MATSUMOTO
 
PDF
CPU製品出荷状況と消費電力の見える化
byNaoto MATSUMOTO
 
PDF
全国におけるCOVID-19対策の見える化 ~宿泊業の場合~
byNaoto MATSUMOTO
 
PDF
災害時における無線モニタリングによる社会インフラの見える化
byNaoto MATSUMOTO
 
PDF
2023年以降のサーバークラスタリング設計(メモ)
byNaoto MATSUMOTO
 
PDF
我が国の電波の使用状況/携帯電話向け割当 (2019年3月1日現在)
byNaoto MATSUMOTO
 
PDF
Alder Lake-S CPU Temperature Monitoring
byNaoto MATSUMOTO
 
PDF
防災を考慮した水中調査の一考察
byNaoto MATSUMOTO
 
3/4G USB modem Cheat Sheet
byNaoto MATSUMOTO
 
LTE-M/NB IoTを試してみる nRF9160/Thingy:91
byNaoto MATSUMOTO
 
Network Adapter Deep dive
byNaoto MATSUMOTO
 
ADS-B, AIS, APRS cheatsheet
byNaoto MATSUMOTO
 
How To Train Your ARM(SBC)
byNaoto MATSUMOTO
 
AMDGPU ROCm Deep dive
byNaoto MATSUMOTO
 
curl --http3 cheatsheet
byNaoto MATSUMOTO
 
RTL2838 DVB-T Deep dive
byNaoto MATSUMOTO
 
BeautifulSoup / selenium Deep dive
byNaoto MATSUMOTO
 
5Gの見える化
byNaoto MATSUMOTO
 
私たちに訪れる(かもしれない)未来と計算機によるモノコトの見える化
byNaoto MATSUMOTO
 
x86_64 Hardware Deep dive
byNaoto MATSUMOTO
 
旅するパケットの見える化
byNaoto MATSUMOTO
 
CPU製品出荷状況と消費電力の見える化
byNaoto MATSUMOTO
 
全国におけるCOVID-19対策の見える化 ~宿泊業の場合~
byNaoto MATSUMOTO
 
災害時における無線モニタリングによる社会インフラの見える化
byNaoto MATSUMOTO
 
2023年以降のサーバークラスタリング設計(メモ)
byNaoto MATSUMOTO
 
我が国の電波の使用状況/携帯電話向け割当 (2019年3月1日現在)
byNaoto MATSUMOTO
 
Alder Lake-S CPU Temperature Monitoring
byNaoto MATSUMOTO
 
防災を考慮した水中調査の一考察
byNaoto MATSUMOTO
 

Recently uploaded

PDF
December Patch Tuesday
byIvanti
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
December Patch Tuesday
byIvanti
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
AI Technology important knowledge ......
byutkarshj2007
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 

UNDOCUMENTED Vyatta vRouter: Unbreakable VPN Tunneling (MEMO)

  • 1.
    23 Mar, 2014 SAKURAInternet Research Center Senior Researcher / Naoto MATSUMOTO Japan Vyatta Users Meeting Spring 2014 in Tokyo.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
    Comparison of Fail-overmodel Source: SAKURA Internet Research Center 03/2014, Project THORN. Complexity vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW Stacking Type SRV vSW VMVM 1GbE Network vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW SW SW Box Type SRV vSW VMVM SW SW Stacking Type SRV vSW VMVM 10GbE Network vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW SW SW Box Type SRV vSW VMVM 40GbE Network SW SW Virtual Chassis Type (MLAG,Fabric...etc) vSW VMVM SRV SW SW Virtual Chassis Type (MLAG,Fabric...etc) vSW VMVM SRV Network Capacity Low High *SW: Ethernet Switch, SRV: Server, vSW: Virtual Switch on VMM, VM: Virtual Maching on VMM
  • 9.
    Best Current Practice[Top of Rack] Source: SAKURA Internet Research Center 03/2014, Project THORN. Complexity vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW Stacking Type SRV vSW VMVM 1GbE Network vSW VM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW SW SW Box Type SRV vSW VMVM SW SW Stacking Type SRV vSW VMVM 10GbE Network vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW SW SW Box Type SRV vSW VMVM 40GbE Network SW SW Virtual Chassis Type (MLAG,Fabric...etc) vSW VMVM SRV SW SW Virtual Chassis Type (MLAG,Fabric...etc) vSW VMVM SRV Network Capacity Low High VM *SW: Ethernet Switch, SRV: Server, vSW: Virtual Switch on VMM, VM: Virtual Maching on VMM
  • 10.
    Best Current Practice[Performance] Source: SAKURA Internet Research Center 03/2014, Project THORN. Complexity vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW Stacking Type SRV 1GbE Network vSW VM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) SW SW Stacking Type SRV 10GbE Network vSW VMVM SRV SW SW SW SW Legacy Type (STP/RSTP/MSTP...etc) 40GbE Network Virtual Chassis Type (MLAG,Fabric...etc) SRV Virtual Chassis Type (MLAG,Fabric...etc) SRV Network Capacity Low High VM vSW VMVM vSW VMVM vSW VMVM vSW VMVM SW SW SW SW Box Type SRV vSW VMVM SW SW SW SW Box Type SRV vSW VMVM SW SW SW SW *SW: Ethernet Switch, SRV: Server, vSW: Virtual Switch on VMM, VM: Virtual Maching on VMM
  • 11.
    VRRP Clustering withmulticast BCP Source: SAKURA Internet Research Center 03/2014, Project THORN. SW Virtual Chassis Type (MLAG,Fabric...etc) VM SRV vSW VMVM SRV vSW VMVM SW VMSRV vSW VMVM SRV vSW VMVM SW SW Stacking Type SW SW SW SW Box Type VM SRV vSW VMVM SRV vSW VMVM 1/10GbE Network 10/40GbE Network 10/40GbE Network Multicast FlowMulticast Flow Multicast Flow *SW: Ethernet Switch, SRV: Server, vSW: Virtual Switch on VMM, VM: Virtual Maching on VMM
  • 12.
  • 13.
    BASIC Configuration forLAN Vyatta vRouterVyatta vRouter
  • 14.
    Logical IP Networking VyattavRouterVyatta vRouter
  • 15.
  • 16.
    Logical IP Networking(MASTER) Vyatta vRouterVyatta vRouter
  • 17.
    Logical IP Networking(SLAVE) Vyatta vRouterVyatta vRouter
  • 18.
  • 19.
  • 20.
  • 21.
    Dual IPSec Tunneling VyattavRouterVyatta vRouter Vyatta vRouterVyatta vRouter
  • 22.
    Dual IPSec Tunneling #set vpn ipsec ike-group IKE lifetime 3600 # set vpn ipsec ike-group IKE proposal 1 encryption aes256 # set vpn ipsec ike-group IKE proposal 1 hash sha1 # set vpn ipsec esp-group ESP lifetime 1800 # set vpn ipsec esp-group ESP mode tunnel # set vpn ipsec esp-group ESP pfs enable # set vpn ipsec esp-group ESP proposal 1 encryption aes256 # set vpn ipsec esp-group ESP proposal 1 hash sha1 # set vpn ipsec ipsec-interfaces interface eth0 # set vpn ipsec site-to-site peer 133.242.YYY.3 authentication mode pre-shared-secret # set vpn ipsec site-to-site peer 133.242.YYY.3 authentication pre-shared-secret XXXX # set vpn ipsec site-to-site peer 133.242.YYY.3 connection-type initiate # set vpn ipsec site-to-site peer 133.242.YYY.3 default-esp-group ESP # set vpn ipsec site-to-site peer 133.242.YYY.3 ike-group IKE # set vpn ipsec site-to-site peer 133.242.YYY.3 local-address 133.242.XXX.1 # set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 local prefix 10.10.10.0/24 # set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 remote prefix 10.20.20.0/24 IKE ESP
  • 23.
    TCP-MSS Rewriting # setpolicy route TCP-MSS1386-ETH0 rule 1 destination address 10.20.20.0/24 # set policy route TCP-MSS1386-ETH0 rule 1 protocol tcp # set policy route TCP-MSS1386-ETH0 rule 1 set tcp-mss 1386 # set policy route TCP-MSS1386-ETH0 rule 1 tcp flags SYN # set interfaces tunnel eth0 policy route TCP-MSS1386-ETH0
  • 24.
  • 25.
    Clustering Configuration # setcluster dead-interval 1000 # set cluster group CLUSTER auto-failback true # set cluster interface eth0 # set cluster interface eth1 # set cluster keepalive-interval 200 # set cluster monitor-dead-interval 1000 # set cluster pre-shared-secret YYYYYY # set cluster group CLUSTER primary VR-1 # set cluster group CLUSTER secondary VR-2 # set cluster group CLUSTER service 10.10.10.100/24/eth1 # set cluster mcast-group 239.10.10.100
  • 26.
  • 27.
    Clustering Group Monitoring #set cluster group CLUSTER monitor 133.242.YYY.3
  • 28.
  • 29.
    Logical IP Networking(SLAVE) Disposal IPSec link
  • 30.
  • 31.
    Another solution: DMVPNTunneling DATACENTER A DATACENTER BDATACENTER C
  • 32.
    DMVPN Tunneling withIPSec/BGP DATACENTER A DATACENTER BDATACENTER C AS65001 AS65002 AS65003 AS65005 AS65006AS65004
  • 33.
    Thanks for yourinterest. SAKURA Internet Research Center.