LACP Configuration with Cumulus VX Virtual Appliances

In this post, LACP is configured between two Cumulus VX virtual appliances. The test was simulated in the GNS3 network simulator.

Sample Topology

This is the sample network topology used to test LACP.

Configuration on Both Virtual Appliances for LACP

In this configuration, ports swp1 and swp2 are used as the slave ports of bond LAGG0 on both switches.

cumulus@cumulus:~$ net add bond LAGG0 bond slaves swp1,2
cumulus@cumulus:~$ net add bond LAGG0 bond mode 802.3ad
cumulus@cumulus:~$ net add bond LAGG0 bond lacp-rate slow
cumulus@cumulus:~$ net add bond LAGG0 bond miimon 100

VLAN Configuration on Both Virtual Appliances

In the configuration below, VLAN 10 is added to the bridge (a VLAN-aware bridge on Cumulus) and swp3 is configured as an access port with VLAN ID 10.

cumulus@cumulus:~$ net add bridge bridge vlan-protocol 802.1ad
cumulus@cumulus:~$ net add bridge bridge ports LAGG0
cumulus@cumulus:~$ net add bridge bridge ports swp3
cumulus@cumulus:~$ net add bridge bridge vids 10
cumulus@cumulus:~$ net add interface swp3 bridge access 10

Experiment

It was also tested that after one of the links was cut, the host was still able to ping the other end without any packet loss.

Connect KVM over GRE

Hi Folks,

As you may know, libvirt virtual network switches operate in NAT mode by default (IP masquerading rather than SNAT or DNAT). In this mode virtual guests can reach the outside world, but computers external to the host cannot initiate connections to the guests inside while the virtual network switch is operating in NAT mode. One solution is to create a virtual switch in routed mode. There is still one more option that does not change the operating mode of the underlying virtual switch: creating a GRE tunnel between the hosts.

What is GRE?

GRE (Generic Routing Encapsulation) is a tunnelling protocol that provides a virtual point-to-point link. It is a very simple and effective method of transporting data over a public network. Note that GRE itself adds no encryption and no authentication; it only carries the packets. You can use a GRE tunnel in some of the cases below.

  • Use of multiple protocols over a single-protocol backbone
  • Providing workarounds for networks with limited hops
  • Connection of non-contiguous subnetworks
  • Being less resource demanding than its alternatives (e.g. IPsec VPN)

Reference: https://www.incapsula.com/blog/what-is-gre-tunnel.html

Example of GRE encapsulation (figure; source: https://www.incapsula.com/blog/what-is-gre-tunnel.html)

I created a GRE tunnel to connect to some of the KVM guests from the external host. Figure-2 depicts how my topology looks.

Figure-2 Connecting KVM guests over GRE Tunnel

I have two physical hosts, one running Linux Mint and the other Ubuntu GNU/Linux. KVM runs on the Ubuntu host.

GRE Tunnel configuration on GNU/Linux hosts

Before creating the GRE tunnel, we need to load the ip_gre module on both GNU/Linux hosts.

mint@mint$ sudo modprobe ip_gre
tesla@otuken:~$ sudo modprobe ip_gre

Configuring the physical interface on both nodes (root privileges are needed, as for the other commands).

mint@mint$ sudo ip addr add 100.100.100.1/24 dev enp0s31f6
tesla@otuken:~$ sudo ip addr add 100.100.100.2/24 dev enp2s0

Configuring GRE Tunnel (On the first node)

mint@mint$ sudo ip tunnel add tun0 mode gre remote 100.100.100.2 local 100.100.100.1 ttl 255
mint@mint$ sudo ip link set tun0 up
mint@mint$ sudo ip addr add 10.0.0.10/24 dev tun0
mint@mint$ sudo ip route add 10.0.0.0/24 dev tun0
mint@mint$ sudo ip route add 192.168.122.0/24 dev tun0

Configuring GRE Tunnel (On the Second Node)

tesla@otuken:~$ sudo ip tunnel add tun0 mode gre remote 100.100.100.1 local 100.100.100.2 ttl 255
tesla@otuken:~$ sudo ip link set tun0 up
tesla@otuken:~$ sudo ip addr add 10.0.0.20/24 dev tun0
tesla@otuken:~$ sudo ip route add 10.0.0.0/24 dev tun0

As the GRE encapsulation adds an additional 24 bytes of headers to every packet, it is highly recommended to set the MTU on the tunnel interface. The recommended MTU value is 1400.

Also do not forget to check the iptables rules on both hosts: GRE is IP protocol 47 and must be allowed between the two tunnel endpoints, and since GRE carries no authentication the rules should accept it only from the peer's address.
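The 24-byte overhead and the protocol-47 check above, worked through in an added Python example (not from the original post): it builds the outer IPv4 header and the 4-byte GRE header around a constructed inner packet using the tunnel endpoints from above, parses the result back with the sanity checks a receiver should make, and derives the largest inner packet that still fits a 1500-byte link.

```python
import struct

IPV4_HEADER_LEN = 20
GRE_HEADER_LEN = 4                                # flags/version + protocol type (RFC 2784)
GRE_OVERHEAD = IPV4_HEADER_LEN + GRE_HEADER_LEN   # the 24 bytes added to every tunnelled packet
IPPROTO_GRE = 47                                  # what the iptables rules must permit
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(inner: bytes, local: str, remote: str, ttl: int = 255) -> bytes:
    """Wrap an inner IPv4 packet in GRE plus an outer IPv4 header, as tun0 does.

    local/remote are the endpoint addresses given to `ip tunnel add`."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # no C/K/S bits: plain 4-byte header
    src = bytes(int(o) for o in local.split("."))
    dst = bytes(int(o) for o in remote.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + len(gre) + len(inner),
                      0, 0x4000, ttl, IPPROTO_GRE, 0, src, dst)   # 0x4000: don't fragment
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre + inner


def gre_decapsulate(packet: bytes):
    """Validate the outer headers and return (src, dst, inner). Raises ValueError on anything
    malformed, which is the minimum a receiver should check before handing the payload on."""
    if len(packet) < GRE_OVERHEAD:
        raise ValueError("packet shorter than IPv4 + GRE headers")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl != IPV4_HEADER_LEN:
        raise ValueError("not a plain IPv4 outer header")
    if ipv4_checksum(packet[:ihl]) != 0:            # a correct header sums to zero
        raise ValueError("bad outer IPv4 checksum")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE (47)")
    flags, proto = struct.unpack_from("!HH", packet, ihl)
    if flags & 0xB000 or proto != ETHERTYPE_IPV4:  # C, K or S bit would mean extra fields
        raise ValueError("unsupported GRE options or payload type")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, packet[ihl + GRE_HEADER_LEN:]


def max_inner_size(outer_mtu: int = 1500) -> int:
    """Largest inner packet that fits the physical MTU unfragmented: 1500 - 24 = 1476.
    The tunnel MTU of 1400 recommended above stays comfortably below this."""
    return outer_mtu - GRE_OVERHEAD


# Constructed inner packet: an 84-byte IPv4 packet (the size of a ping), payload zeroed.
SAMPLE_INNER = b"\x45" + bytes(83)

if __name__ == "__main__":
    pkt = gre_encapsulate(SAMPLE_INNER, "100.100.100.1", "100.100.100.2")
    print(len(pkt), "bytes on the wire for", len(SAMPLE_INNER), "inner bytes")   # 108 for 84
    print(gre_decapsulate(pkt)[:2], "max inner size", max_inner_size())
```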

Experiment:

Once the configuration was completed, I successfully pinged the KVM guest (192.168.122.35) and transferred a file over SSH (scp). You can download the Wireshark pcap file here.

Sharing Internet in Linux

Hi Folks!

Today I installed Ubuntu 18.04 LTS on my personal laptop, but I could not connect to the Internet because Ubuntu did not recognize my wireless adapter. After some googling I found my wireless driver [model: Broadcom Limited BCM43142 802.11b/g/n]. But the problem was: how was I going to hook up to the Internet to install the driver?

I realized that I have my company's laptop, a Lenovo T460, which is one of the best FreeDOS laptops. :) I booted it up with an Ubuntu live CD. Finally I made the configuration shown in Figure-1.


Figure – 1 Sample Configuration For Sharing Internet.

After the above configuration everything worked excellently: I was able to hook up to the Internet on my Asus laptop via the Lenovo laptop.

To be honest, before the above configuration I tried to bridge the Ethernet interface with the wireless interface on the Lenovo laptop, but it is not permitted. After some research I found this:

http://kerneltrap.org/mailarchive/linux-ath5k-devel/2010/3/21/6871733

It's no longer possible to add an interface in the managed mode to a
bridge. You should run hostapd first to put the interface to the
master mode.

Bridging doesn’t work on the station side anyway because the 802.11
header has three addresses (except when WDS is used) omitting the
address that would be needed for a station to send or receive a packet
on behalf of another system.

Final:

Necessary package to be installed for the Broadcom wireless driver:

tesla@otuken:~$ sudo apt-get update
tesla@otuken:~$ sudo apt-get install bcmwl-kernel-source

After installing the package and rebooting my laptop, it WORKED LIKE A CHARM!

VLAN Creation on KVM-I

Creating a VLAN on KVM requires more raw networking knowledge than in the VMware world: KVM requires some Linux networking knowledge besides a general understanding of computer networks. I did not find much information about this on the Internet, so I wrote this post to fill the gap. :) Actually there is more than one method of creating a VLAN on KVM; in this post I will show the first one. In this method the sub-interfaces are created on the bridge, NOT on the physical NIC, so VLAN tags are added and stripped off by the bridge rather than by the physical interface. I use Ubuntu 16.04 for the KVM host. In this post I use KVM and libvirt interchangeably.

root@ankara:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.3 LTS
Release:	16.04
Codename:	xenial

Loading 8021q module

First we need to load the 8021q module on the KVM host in order to encapsulate and de-encapsulate IEEE 802.1Q VLAN tags.

root@ankara:~# modprobe 8021q

To load the module automatically on boot, create a file 8021q.conf in /etc/modules-load.d/ containing 8021q:

root@ankara:~# cat /etc/modules-load.d/8021q.conf 
8021q

Creating a Bridge(s)

In order to create VLANs (trunk and access) we need to create bridge(s) and tell the system to tag the frames. In Linux, we use the vconfig command to create tagged sub-interfaces; the vlan package must be installed to use it.

root@ankara:~# apt-get install vlan

Note: creating a bridge with this method is NOT persistent. To make it persistent you need to add the configuration to the /etc/network/interfaces file. As there are plenty of tutorials about that, I do not explain it here.

root@ankara:~# brctl addbr br0
root@ankara:~# vconfig add br0 30 #subinterface(vlan30)
root@ankara:~# vconfig add br0 40 #subinterface(vlan40)
root@ankara:~# brctl addbr vlan30
root@ankara:~# brctl addbr vlan40
root@ankara:~# brctl addif vlan30 br0.30 #vlan30
root@ankara:~# brctl addif vlan40 br0.40 #vlan40

You can see the network interfaces after creating the bridges and sub-interfaces on the KVM host.

root@ankara:~# ip link show 
...(omitted some output)
11: br0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
12: br0.30@br0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master vlan30 state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
13: br0.40@br0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master vlan40 state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
14: vlan30: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: vlan40: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

We also need to bring the links up.

root@ankara:/etc/libvirt/qemu/networks# ip link set br0 up
root@ankara:/etc/libvirt/qemu/networks# ip link set br0.30 up
root@ankara:/etc/libvirt/qemu/networks# ip link set br0.40 up
root@ankara:/etc/libvirt/qemu/networks# ip link set vlan30 up
root@ankara:/etc/libvirt/qemu/networks# ip link set vlan40 up

Final bridge status

root@ankara:~# brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.000000000000	no			
vlan30		8000.000000000000	no		br0.30
vlan40		8000.000000000000	no		br0.40

Defining Bridges on KVM

After creating the bridges, we also need to define them to our hypervisor so that it can use them. I will create three configuration files for br0, vlan30 and vlan40 in the /etc/libvirt/qemu/networks folder.

br0.xml

<network>
  <name>br0</name>
  <forward mode='bridge'/>
  <bridge name='br0'/>
</network>

vlan30.xml

<network>
  <name>vlan30</name>
  <forward mode='bridge'/>
  <bridge name='vlan30'/>
</network>

vlan40.xml

<network>
  <name>vlan40</name>
  <forward mode='bridge'/>
  <bridge name='vlan40'/>
</network>

root@ankara:/etc/libvirt/qemu/networks# virsh net-define br0.xml
root@ankara:/etc/libvirt/qemu/networks# virsh net-define vlan30.xml
root@ankara:/etc/libvirt/qemu/networks# virsh net-define vlan40.xml
root@ankara:/etc/libvirt/qemu/networks# virsh net-start br0
root@ankara:/etc/libvirt/qemu/networks# virsh net-start vlan30
root@ankara:/etc/libvirt/qemu/networks# virsh net-start vlan40
#to auto start on boot.
root@ankara:/etc/libvirt/qemu/networks# virsh net-autostart br0
root@ankara:/etc/libvirt/qemu/networks# virsh net-autostart vlan30
root@ankara:/etc/libvirt/qemu/networks# virsh net-autostart vlan40

Checking bridges

root@ankara:/etc/libvirt/qemu/networks# virsh  net-list
 Name                 State      Autostart     Persistent
----------------------------------------------------------
 br0                  active     yes           yes
 vlan30               active     yes           yes
 vlan40               active     yes           yes

So far so good?

You may be confused, since we did many things so far. I hope the figure below gives you a better understanding of what we did; it depicts how our network looks. The only thing I did not do is add a physical interface to bridge br0, so in this post the KVM guests will not connect to the Internet. According to this design we do not need to set up any VLAN configuration on the KVM virtual guests: it is all handled by br0.30 and br0.40. Any outgoing packet from the VLAN30 network will be tagged by the br0.30 sub-interface, and any incoming tagged packet for the VLAN30 network will have its tag stripped off by the br0.30 sub-interface. It is the same for the VLAN40 network.

Experiments

I captured the packets on the br0.30 interface and on the br0 bridge to check whether the VLANs work as expected.

Output on br0.30 (incoming tagged ICMP requests have their tag stripped off by br0.30, so we see untagged frames):

root@ankara:/etc/libvirt/qemu/networks# tcpdump -i br0.30 -e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0.30, link-type EN10MB (Ethernet), capture size 262144 bytes
15:06:46.125189 70:54:d2:99:56:c0 (oui Unknown) > 52:54:00:43:40:b7 (oui Unknown), ethertype IPv4 (0x0800), length 98: 172.16.30.50 > 172.16.30.10: ICMP echo request, id 2453, seq 520, length 64
15:06:46.125429 52:54:00:43:40:b7 (oui Unknown) > 70:54:d2:99:56:c0 (oui Unknown), ethertype IPv4 (0x0800), length 98: 172.16.30.10 > 172.16.30.50: ICMP echo reply, id 2453, seq 520, length 64
15:06:47.149216 70:54:d2:99:56:c0 (oui Unknown) > 52:54:00:43:40:b7 (oui Unknown), ethertype IPv4 (0x0800), length 98: 172.16.30.50 > 172.16.30.10: ICMP echo request, id 2453, seq 521, length 64
15:06:47.149530 52:54:00:43:40:b7 (oui Unknown) > 70:54:d2:99:56:c0 (oui Unknown), ethertype IPv4 (0x0800), length 98: 172.16.30.10 > 172.16.30.50: ICMP echo reply, id 2453, seq 521, length 64

Output on br0 (we see frames with 802.1Q encapsulation, VLAN 30):

root@ankara:/etc/libvirt/qemu/networks# tcpdump -i br0 -e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:06:58.413319 70:54:d2:99:56:c0 (oui Unknown) > 52:54:00:43:40:b7 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 30, p 0, ethertype IPv4, 172.16.30.50 > 172.16.30.10: ICMP echo request, id 2453, seq 532, length 64
15:06:58.413564 52:54:00:43:40:b7 (oui Unknown) > 70:54:d2:99:56:c0 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 30....
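An added Python example (not part of the original post) of what the two captures show: it inserts and strips an 802.1Q tag exactly where br0.30 does, using a constructed 98-byte frame with the two MAC addresses from the capture above, and prints a tcpdump-style summary, so the 98-byte versus 102-byte lengths seen on br0.30 and br0 can be reproduced offline.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # TPID of an IEEE 802.1Q tag (tcpdump prints "802.1Q (0x8100)")
ETHERTYPE_IPV4 = 0x0800


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination and source MACs.

    This is what br0.30 does to frames leaving the vlan30 bridge towards br0."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid   # priority, drop-eligible, VID
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vid, pcp, untagged_frame); vid is None if the frame carries no tag.

    This is what br0.30 does to tagged frames arriving from br0."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != ETHERTYPE_VLAN:
        return None, None, frame
    if len(frame) < 16:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def summarize(frame: bytes) -> str:
    """Describe a frame roughly the way `tcpdump -e` does (ethertype, length, VLAN)."""
    vid, pcp, inner = untag_frame(frame)
    (ethertype,) = struct.unpack_from("!H", inner, 12)
    if vid is None:
        return "ethertype 0x%04x, length %d" % (ethertype, len(frame))
    return "ethertype 802.1Q (0x8100), length %d: vlan %d, p %d, ethertype 0x%04x" % (
        len(frame), vid, pcp, ethertype)


# Constructed sample frame: the two MACs from the capture above, an IPv4 ethertype and an
# 84-byte body (20-byte IPv4 header + 64-byte ICMP echo), i.e. the 98-byte frame tcpdump
# showed on br0.30.
SRC_MAC = bytes.fromhex("7054d29956c0")
DST_MAC = bytes.fromhex("5254004340b7")
UNTAGGED = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + bytes(84)

if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED, 30)             # the 102-byte frame seen on br0
    print("br0.30:", summarize(UNTAGGED))
    print("br0   :", summarize(tagged))
    print("tag bytes:", tagged[12:16].hex())     # 8100001e -> TPID 0x8100, VID 30
```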

According to the figure above, hosts on VLAN30 and hosts on VLAN40 cannot communicate with each other, as we do not have an L3 device for inter-VLAN routing. In the next post I will provision a virtual L3 device, VyOS (Vyatta), on KVM. I will add two network interfaces to it: one connected to br0 (trunk port) and the other to the physical NIC for the Internet connection.

GNS3 couldn’t run /usr/bin/dumpcap in child process: Permission Denied.

Ubuntu 16.04 LTS GNS3:

Problem:

couldn’t run /usr/bin/dumpcap in child process: Permission Denied.

Solution:

1- Enable non-root users to capture network traffic by reconfiguring wireshark-common.

gns3a@gns3A:~$ sudo dpkg-reconfigure wireshark-common

2- Add the user that will start GNS3 to the wireshark group.

gns3a@gns3A:~$ sudo gpasswd -a $USER wireshark

3- Log out and log in again.

Connect to Real World With GNS3

GNS3 is a GPL-licensed cross-platform network simulation program. It enables virtual and physical networks to operate together. It emulates Cisco IOS, so we get real Cisco device capabilities in a virtual machine. You can also analyze the packets with Wireshark. One limitation is that GNS3 supports only some devices, as some Cisco devices are impossible or very difficult to simulate, and some devices need real hardware to operate. For supported Cisco devices and the FAQ, see the link.

My system runs in a virtual machine with Ubuntu 16.04 LTS. The router model is 3745.

1- Creating Simple Network Topology.

Figure-1 shows the whole setup in one picture.

Figure-1

2- Start the emulation by clicking the Play button (Figure-2).

Figure – 2

3- Open the router Console

Open up the console for router configuration (Figure-3).

Figure-3

4- Router configuration

I also include the log generated by the router after some of the configuration commands. Only type the lines that start with the prompt and #; the other lines are router output.

In the router configuration I configure the router interface FA0/0 IP address (192.168.59.5), the router's default gateway (192.168.59.2) and DNS (8.8.8.8).

R1#enable 
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip address 192.168.59.5 255.255.255.0
R1(config-if)#no shutdown 
*Mar 1 00:03:47.627: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:03:48.627: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.59.2
R1(config)#ip domain-lookup 
R1(config)#ip name-server 8.8.8.8



5- Experiment

It is time to test whether I am able to connect to the real world. I pinged google.com, and the ping succeeded (Figure-4).

Figure-4

The next post will be about backing up and restoring the router configuration via TFTP, connecting to a physical TFTP server.

Port Forwarding on Windows 10

Hi Folks!

Port forwarding is a way of making a computer located on a private LAN accessible from the Internet, even though it is behind a router. It is used for gaming, surveillance IP cameras, and accessing your personal computer from the Internet.

In this post port forwarding is used for accessing a web page that runs on a CentOS 7 virtual machine hosted on Windows 10. Figure 1 gives a picture of the setup. Any request destined for 192.168.1.11:10444 will be redirected to 192.168.59.128:80, the virtual guest (CentOS 7) that runs an Apache server.

Diagram

Figure-1

Adding Forwarding Rule on Windows 10

To do that, first open a command prompt with elevated privileges (Run as Administrator) and customize the rule for your needs (Figure-2).

netsh interface portproxy add v4tov4 listenport=10444 listenaddress=192.168.1.11 connectport=80 connectaddress=192.168.59.128

Figure-2

Removing Forwarding Rule on Windows 10

You can delete an existing forwarding rule as below (Figure-3).

netsh interface portproxy delete v4tov4 listenport=10444 listenaddress=192.168.1.11

Figure-3

Experiment !

To test it, the virtual guest's network was sniffed with tcpdump (Figure-4).

[root@rhce html]# tcpdump -i any port 80 -nnvv

18:13:55.845170 IP (tos 0x0, ttl 128, id 2729, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.59.1.60177 > 192.168.59.128.80: Flags [.], cksum 0xc126 (correct), seq 440, ack 181, win 255, length 0
18:13:55.845353 IP (tos 0x0, ttl 128, id 2730, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.59.1.60177 > 192.168.59.128.80: Flags [F.], cksum 0xc125 (correct), seq 440, ack 181, win 255, length 0
18:13:55.845386 IP (tos 0x0, ttl 64, id 56843, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.59.128.80 > 192.168.59.1.60177: Flags [.], cksum 0xf7ec (incorrect -> 0xc137), seq 181, ack 441, win 237, length 0

Figure-4

Wireshark Output:

The network was sniffed on the Windows 10 host (Figure-5).

Figure-5

What is My IP Address ?(in a shell)

There are a couple of web sites that output your public IP as plain text. I wrote them down so you can pick one of them.

  • curl icanhazip.com
  • curl ipinfo.io/ip
  • wget -qO- http://ipecho.net/plain ; echo
  • curl ident.me ;echo

Dynamic DNS

Hi Folks!

It has been a long time; I have not posted anything since December. Actually I had many things to do: I was battling the upkeep of company servers and upgrading them. But during that time I learned many things that I would like to share with you all. In this post I will introduce dynamic DNS, which saves you the hassle of your router's IP being persistently changed by your ISP.

What is Dynamic DNS ?

Dynamic DNS (DDNS) is a service that maps Internet domain names to IP addresses. It is similar to the Internet Domain Name Service (DNS), with some differences.

Unlike DNS, which maps a static IP to a domain name and a domain name to a static IP, Dynamic DNS maps your domain name to your dynamic IP. That way, even though your IP changes, you will still reach your home router with the domain name you chose, and you will be able to access your IP camera or IoT devices. But unlike a DNS service that you configure only once for a domain name, DDNS needs to be informed each time the IP changes. But do not be afraid. :)

There are many dynamic DNS services on the Internet, enterprise or free. In this post I will introduce the free dynamic DNS service I am currently using: Duck DNS. You can sign up with your Google, Twitter, Facebook or Reddit account. After a successful login, Duck DNS creates a token for you. You will update your new IP with this token, so keep it secret (Figure-1).

Figure-1

Also write the domain name you chose into the box named domain (Figure-2).

Figure-2

Almost done. We have just a couple of things to do. As I mentioned before, we have to feed the dynamic DNS service with the new IP each time the IP changes.

To do so, I wrote a shell script which polls every 5 minutes to check whether the IP has changed. For more information you can visit https://www.duckdns.org/install.jsp

You can tweak the shell script for your own purposes. (If you use this script, do not forget to replace XYXY, xxxxxxxx-yyyy-xxxx-yyyy-zzzzzzzzzzzz and the mail addresses with yours!)

Edited: To execute the script below every 5 minutes, we need to add it to a crontab (give the script's full path, since cron runs with a minimal PATH).

*/5 * * * * ipchecker.sh

ipchecker.sh script

#!/bin/bash
# Poll the public IP and, when it changes, update Duck DNS and mail the admin.
# Replace XYXY, the token and the mail address with your own values.
domain="XYXY"
token="xxxxxxxx-yyyy-xxxx-yyyy-zzzzzzzzzzzz"
admin="admin@manintheit.org"
workdir="$HOME/duckdns"          # cron does not start in this directory, so use absolute paths
mkdir -p "$workdir"
touch "$workdir/ip.txt"          # first run: no old IP recorded yet

newip=$(curl -s ifconfig.co)
oldip=$(head -n 1 "$workdir/ip.txt")

echo "old:$oldip"
echo "new:$newip"

# Only act when the lookup returned something and the address really changed
if [ -n "$newip" ] && [ "$oldip" != "$newip" ] ; then
        echo "$newip" > "$workdir/ip.txt"
        /usr/bin/mail -s "oldIP:$oldip/NewIP:$newip" "$admin" < "$workdir/ip.txt"
        # Update URL from the Duck DNS install page; ip= is left empty as in the original.
        # The token is passed through -K on stdin so it does not appear in the process list,
        # and TLS certificate verification is kept on (the original passed -k, which disables it).
        echo url="https://www.duckdns.org/update?domains=$domain&token=$token&ip=" | curl -s -o "$workdir/duck.log" -K -
        res=$?
        if [ "$res" -eq 0 ] ; then
                /usr/bin/dig "$domain.duckdns.org" +short | /usr/bin/mail -s "DuckDNS IP changed" "$admin"
        else
                /usr/bin/mail -s "DuckDNS Error!" "$admin" < /dev/null
        fi
fi

Figure-3 ipchecker.sh