Networking kung-fu

7 Maio 2011, E.T. Porto Linux

by Nuno Dantas

Vou falar de:

  • bridge
  • bridge + VLAN
  • Multilink trunk
  • bridge+ VLAN + Multilink trunk
  • ipvs
  • stunnel

bridge




ethx ----- Bridge ---- vif1 
                  :--- vif2
                  :--- vif3
                  :--- vif4
                  :--- vifN               

bridge

 brctl addbr nomedabridge
 brctl addif nomedabridge ethX
 brctl show 

root@kvm0:~# brctl show
bridge name  bridge id	       STP enabled  interfaces
rede28eth0   8000.0015171954fc	no	    eth0
					    vnet2

bridge

  • interfaces config file:
auto rede28eth0
iface rede28eth0 inet manual
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

bridge + VLAN

ethx --ethx.vlanX--- Bridge ---- vifX1 
     :                      :--- vifX2
     :                      :--- vifX3
     :                      :--- vifX4
     :                      :--- vifXN     
     :
     :-ethx.vlanY--- Bridge ---- vifY1 
                            :--- vifY2
                            :--- vifY3
                            :--- vifY4
                            :--- vifYN  
          

bridge + VLAN

vconfig add eth1 25
vconfig add eth1 97
root@kvm0:~# cat /proc/net/vlan/config 

VLAN Dev name	 | VLAN ID
eth1.25         | 25       | eth1
eth1.97         | 97       | eth1

bridge + VLAN

  • interfaces config file:
auto marcadores
iface marcadores inet manual
        bridge_ports eth7.112
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off
        pre-up vconfig add eth7 112
        post-down vconfig rem eth7.112

multilink trunk (bonding)

ethA ---:
        +
ethB ---:----bond0
        +
ethC ---:


multilink trunk (bonding)

  • configuring bonding manually:
 modprobe bonding mode=balance-alb miimon=100  
 ifenslave bond0 eth0
 ifenslave bond0 eth1

multilink trunk (bonding)

  • interfaces config file:
auto bond0
iface bond0 inet manual
  slaves eth2 eth3
    bond_mode 802.3ad
    bond_xmit_hash_policy layer3+4
    bond_lacp_rate fast
    bond_miimon 100
    bond_downdelay 200
    bond_updelay 200

multilink trunk (bonding)

root@kvm0:~# cat /proc/net/bonding/bond0 

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer3+4 (1)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 200
Down Delay (ms): 200

802.3ad info
LACP rate: fast
Aggregator selection policy (ad_select): stable
Active Aggregator Info:
	Aggregator ID: 2
	Number of ports: 2
	Actor Key: 17
	Partner Key: 12289
	Partner Mac Address: 5c:e2:86:19:7c:01

bridge + VLAN + multilink trunk

ethA ---:
        +
ethB ---:---bond0--bond0.vlanX--- Bridge --- vif1
        +         :                      :-- vif2
ethC ---:         :                      :-- vif3
                  :                      :-- vif4
                  :                      :-- vifN     
                  :
                  :-bond0.vlanY--- Bridge --- vif1 
                                         :-- vif2
                                         :-- vif3
                                         :-- vif4
                                         :-- vifN  

bridge + VLAN + multilink trunk

  • interfaces config file:

auto redegestao
iface redegestao inet static
        bridge_ports bond0.97
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off
        pre-up vconfig add bond0 97
        post-down vconfig rem bond0.97

bridge + VLAN + multilink trunk + IP

  • interfaces config file:

auto redegestao
iface redegestao inet static
        bridge_ports bond0.97
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off
        pre-up vconfig add bond0 97
        post-down vconfig rem bond0.97
	address 172.16.20.123
	netmask 255.255.255.0
	network 172.16.20.0
	broadcast 172.16.20.255

ipvs


VIP:port ---- IPVS ---- Real Server 1
                   :--- Real Server 2
                   :--- Real Server N

ipvs :: scheduling-method

  • rr - Round Robin
  • wrr - Weighted Round Robin
  • lc - Least-Connection
  • wlc - Weighted Least-Connection
  • lblc - Locality-Based Least-Connection
  • lblcr - Locality-Based Least-Connection with Replication
  • dh - Destination Hashing
  • sh - Source Hashing
  • sed - Shortest Expected Delay
  • nq - Never Queue

ipvs

  • configuring ipvs manually:
ipvsadm -A -t 193.136.28.130:143
ipvsadm -a -t 193.136.28.130:143 -r 172.16.20.179:143 -m
ipvsadm -a -t 193.136.28.130:143 -r 172.16.20.180:143 -m
ipvsadm -a -t 193.136.28.130:143 -r 172.16.20.181:143 -m

ipvs

  • /etc/ldirectord.conf

# Virtual Service for IMAP
virtual=193.136.28.130:143
        real=172.16.20.179:143 masq
        real=172.16.20.180:143 masq
        real=172.16.20.181:143 masq
        service=imap
        scheduler=rr
        #persistent=600
        protocol=tcp
        checktype=negotiate
  • network address translation:
 iptables -t nat -A POSTROUTING -o eth0 -s \
172.16.20.179 -j SNAT --to-source 193.136.28.130

ipvs

IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port   Forward Weight ActiveConn InActConn
TCP  193.136.28.130:25 rr
  -> 172.16.20.179:25     Masq    1      0          0         
  -> 172.16.20.180:25     Masq    1      0          0         
  -> 172.16.20.181:25     Masq    1      0          0         
TCP  193.136.28.130:143 rr persistent 300
  -> 172.16.20.179:143    Masq    1      1          0         
  -> 172.16.20.180:143    Masq    1      0          0         
  -> 172.16.20.181:143    Masq    1      0          0 

stunnel

IP:PORT ---- Stunnel---- IP:PORT
193.136.28.130:993 ---- Stunnel---- 193.136.28.130:143
stunnel -p imap.pem -d 193.136.28.130:993 -r 193.136.28.130:143

stunnel

cert=/etc/ssl/certs/10279593.crt
CAfile=/etc/ssl/certs/10279593.ca-bundle
key=/etc/ssl/certs/imap.key 

sslVersion = all   ; accepts every SSL/TLS version the library offers; restrict this in production

chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /imap.pid    ; path is relative to the chroot directory above

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[imaps]
accept  = 193.136.28.130:993
connect = 193.136.28.130:143

big picture

 ethA ethB  ethC       
   :    :     :                     
   -----+------
        :                       :- vifX4 (RSN)
      bond0                     :- vifX3 (RS2)
        :                       :- vifX2 (RS1)
.-------:--bond0.vlanX-- Bridge -- vifX1----.   
:                                           :
:                                           :
:               /-stunnel--VIP:port--IPVS--\:   
:              :\-stunnel--VIP:port--IPVS--/                                     
:              :                     
:              :--------------------.   
:                                   :
:-bond0.vlanY--- Bridge -- vifY1 ---:
                        :- vifY2 -- (VM2) 
                        :- vifY3 -- (VM2)
                        :- vifY4 -- (VM2)
                        :- vifYN -- (VMN)

q&a