Monday, February 28, 2011
Vyatta Router Configuration Example of vR1
Here is the config.boot file of vR1_FW1 described in my previous article. You may tweak the file and load it into your own Vyatta router if you want to create a similar environment. The vyatta user's password hash has been replaced with XXXXXXXXX. Two things to notice before reusing it: there is no firewall section at all, so the router forwards between the VLANs unfiltered, and the telnet service is enabled on port 23 next to https, which puts the admin login on the wire in cleartext. Both are tolerable only because this is a lab.

interfaces {
    ethernet eth0 {
        duplex auto
        hw-id 00:0c:29:fc:9e:47
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        duplex full
        hw-id 00:0c:29:fc:9e:3d
        smp_affinity auto
        speed 10000
        vif 100 {
            address 172.16.10.1/24
            description MSG_VLAN
        }
        vif 200 {
            address 172.16.20.1/24
            description APP_VLAN
        }
        vif 300 {
            address 10.10.30.1/24
            description DB_VLAN
        }
    }
    ethernet eth3 {
        address dhcp
        description "External IF"
        duplex full
        hw-id 00:0c:29:fc:9e:33
        smp_affinity auto
        speed 10000
    }
    loopback lo {
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.75.55 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name APP_POOL {
            authoritative disable
            description "Application address pool"
            subnet 172.16.20.0/24 {
                default-router 172.16.20.1
                dns-server 192.168.0.1
                domain-name a.kein.com
                lease 86400
                start 172.16.20.100 {
                    stop 172.16.20.199
                }
            }
        }
        shared-network-name MSG_POOL {
            authoritative disable
            description "MSG_VLAN address pool"
            subnet 172.16.10.0/24 {
                default-router 172.16.10.1
                dns-server 192.168.0.1
                lease 86400
                start 172.16.10.100 {
                    stop 172.16.10.199
                }
            }
        }
    }
    https
    nat {
        rule 10 {
            outbound-interface eth2
            source {
                address 192.168.65.0/24
            }
            type masquerade
        }
        rule 20 {
            outbound-interface eth3
            source {
                address 172.16.10.0/24
            }
            type masquerade
        }
        rule 30 {
            outbound-interface eth3
            source {
                address 172.16.20.0/24
            }
            type masquerade
        }
        rule 40 {
            outbound-interface eth3
            source {
                address 10.10.30.0/24
            }
            type masquerade
        }
    }
    telnet {
        port 23
    }
}
system {
    host-name vR1_FW1
    login {
        user vyatta {
            authentication {
                encrypted-password XXXXXXXXX
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository lenny {
            components "main contrib non-free"
            distribution lenny
            password ""
            url http://mirrors.kernel.org/debian
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}
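As an added example that is not part of the original post, here is a small Python parser for the brace-structured config.boot format used above, followed by an audit that flags the settings a security reviewer would want called out in vR1: telnet enabled, no firewall section, masquerade rules, and VLAN sub-interfaces with no firewall bound. The embedded SAMPLE is a trimmed, constructed excerpt of the configuration above, and the function names parse_vyatta and audit are chosen here, not taken from Vyatta.

```python
import shlex

def parse_vyatta(text):
    """Parse Vyatta's brace-structured config.boot into nested dicts.
    'ethernet eth2 {' opens {'ethernet': {'eth2': {...}}}, 'speed 10000' is
    a leaf {'speed': '10000'}, a bare 'https' is {'https': {}}, and a leaf
    repeated on several lines (e.g. dns-server) collects into a list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        empty_node = line.endswith("{ }") or line.endswith("{}")
        opens = line.endswith("{") and not empty_node
        words = shlex.split(line.rstrip("{} ") if opens or empty_node else line)
        node = stack[-1]
        if opens or empty_node or len(words) == 1:
            for w in words:                     # walk/create the node path
                node = node.setdefault(w, {})
            if opens:
                stack.append(node)
            continue
        *path, key, value = words               # leaf: last word is the value
        for w in path:
            node = node.setdefault(w, {})
        if key in node:                         # repeated leaf -> list of values
            prev = node[key]
            node[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            node[key] = value
    return root

def audit(cfg):
    """Flag lab-grade settings a reviewer would call out in vR1's config."""
    findings = []
    service = cfg.get("service", {})
    if "telnet" in service:
        findings.append(f"telnet enabled on port {service['telnet'].get('port', '23')}: "
                        "cleartext admin; use ssh instead")
    if "firewall" not in cfg:
        findings.append("no firewall section: inter-VLAN traffic is routed unfiltered")
    for num, rule in service.get("nat", {}).get("rule", {}).items():
        if rule.get("type") == "masquerade":
            src = rule.get("source", {}).get("address", "any")
            findings.append(f"nat rule {num}: masquerade {src} out {rule.get('outbound-interface')}")
    for eth, body in cfg.get("interfaces", {}).get("ethernet", {}).items():
        for vif, vbody in body.get("vif", {}).items():
            if "firewall" not in vbody:          # no in/out/local ruleset on this VLAN
                findings.append(f"{eth} vif {vif} ({vbody.get('description', '?')}): no firewall bound")
    return findings

# Constructed, trimmed excerpt of vR1's config.boot (not the full file).
SAMPLE = """\
interfaces {
    ethernet eth2 {
        duplex full
        vif 100 {
            address 172.16.10.1/24
            description MSG_VLAN
        }
        vif 300 {
            address 10.10.30.1/24
            description DB_VLAN
        }
    }
    ethernet eth3 {
        address dhcp
        description "External IF"
    }
    loopback lo {
    }
}
service {
    https
    nat {
        rule 20 {
            outbound-interface eth3
            source {
                address 172.16.10.0/24
            }
            type masquerade
        }
    }
    telnet {
        port 23
    }
}
system {
    host-name vR1_FW1
}
"""

if __name__ == "__main__":
    for finding in audit(parse_vyatta(SAMPLE)):
        print(finding)
```

Run it against a saved copy of config.boot by replacing SAMPLE with the file contents; the parser only assumes one node or leaf per line, which is how Vyatta writes the file.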
Monday, February 14, 2011
A Virtual Lab on ESXi in a VMWare Workstation Guest
Alright, I have been away for too long. I am still here.
In this article we will look at a basic infrastructure on which we can deploy our filegateway, or anything else for that matter. It is a very basic architecture and definitely not a production environment, but it is built with the potential to become one. As we go, we should be able to easily add a firewall, load balancer, SSL offloader, redundancy/FT, application clusters, Oracle RAC, monitoring and security, and connect it to another LAN over IPsec. Hopefully we will be able to exercise many application features on this platform. A DMZ within this virtual infrastructure is certainly possible without significant redesign.
The logical view of the network infrastructure.
Due to a limited budget, this environment has been built on an ESXi host that itself runs as a VMware Workstation VM on a Windows 7 64-bit host. The physical switch is replaced by a vSwitch, and the uplink is simulated by a port on a Vyatta router VM.
The ESXi view of the network and guest OSes.
ESXi Virtual Network
The Infrastructure Explained
- VLAN
There are 3 VLANs:
- MSG_VLAN - As the name suggests, this carries the TIBCO EMS traffic.
- DB_VLAN - The database network.
- APP_VLAN - The VLAN for TIBCO BW and the Admin Server. The Oracle Fusion server will also be deployed on this network.
- SWITCH (vS1)
This is a Layer 2 access switch that provides the VLANs and has an 'uplink' that connects to an 802.1Q VLAN trunk port on the Layer 3 router. The vSwitch does no inter-VLAN routing. On ESXi the trunk is a port group with VLAN ID 4095 (virtual guest tagging), which passes all tagged frames through to the router VM so that the router tags and untags them itself.
- ROUTER (vR1)
This router links the lab to our 'external world', which is our host machine. It provides inter-VLAN routing, NAT and a firewall (disabled for now). One of its interfaces is configured as an 802.1Q VLAN trunk, with a sub-interface (vif) per VLAN. Outbound traffic is routed to vR0 for internet access, and the same path gives the host machine access to the APP_VLAN.
Update: The Vyatta configuration details for vR1 are now available in the Vyatta Router Configuration Example post above.
- ROUTER (vR0)
vR1 has no direct connectivity to the internet. vR0 provides limited internet access to the VLANs and the PROD_LAN. In my lab, another notebook acts as the Internet Connection Sharing (ICS) host; note its IP address 192.168.0.1, which is dictated by Microsoft's ICS. vR0 also eliminates an ICS side effect I had, where the domain name of every PC connected to 192.168.0.0/24 becomes mshome.net once ICS is turned on.
Update: The Vyatta configuration details for vR0 are now available here.
- NFS_LAN
This IP network carries all NFS traffic to and from the ESXi host. For simplicity, the NAS also provides storage to all VMs within the host: iSCSI for VMSTORE, and NFSv3 for everything else, primarily application data, the database cluster and logging. The NAS is an OpenFiler appliance. Neither NFSv3 with its host-based exports nor iSCSI without CHAP authenticates clients in any strong sense, so keeping NFS_LAN a separate network that the VLANs cannot route to is the real control here.
- Connectivity
All inter-VLAN traffic is routed by a Layer 3 router on a stick, implemented in the Vyatta virtual appliance vR1.
- Security/Isolation
All VLANs defined on the switch are isolated from each other at Layer 2, so each VLAN is its own broadcast domain. Inter-VLAN routing is performed by the router attached to the (virtual) uplink port of the switch, which is also the point where communication between the tiers (MSG, APP, DB) can be firewalled if required.
Access to the virtual lab from the host machine is limited to the APP_VLAN. Hosts on the MSG_VLAN and DB_VLAN are only reachable from hosts within the APP_VLAN. With vR1's firewall disabled for now, nothing on the router enforces these restrictions yet; they become enforced only once firewall rulesets are attached to the VLAN sub-interfaces.
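The following is an added example, not part of the original post, that expresses the isolation policy above as Vyatta firewall configuration. It is a Python script that turns the policy matrix (the host may open connections to APP only; MSG and DB only from APP; everything else only as return traffic) into set firewall commands plus the bindings to vR1's trunk sub-interfaces. The zone subnets and vif numbers are taken from vR1's config.boot; treating 192.168.65.0/24 (the source network of NAT rule 10) as the host machine's network is an assumption, as are the ruleset names and the choice that nothing in MSG or DB may initiate connections into APP.

```python
from collections import namedtuple

# vif: the 802.1Q tag on vR1's trunk (eth2); None for a network not behind the trunk.
Zone = namedtuple("Zone", "subnet vif")

# Subnets and vifs as in vR1's config.boot. HOST is an assumption: 192.168.65.0/24 is
# the network NAT rule 10 masquerades onto the trunk, taken here to be the host machine.
ZONES = {
    "HOST": Zone("192.168.65.0/24", None),
    "MSG": Zone("172.16.10.0/24", "100"),
    "APP": Zone("172.16.20.0/24", "200"),
    "DB": Zone("10.10.30.0/24", "300"),
}

# Who may open NEW connections into each VLAN. Anything not listed reaches the VLAN
# only as established/related return traffic. This is the policy stated in the post.
POLICY = {"APP": ["HOST"], "MSG": ["APP"], "DB": ["APP"]}

def allowed(policy, src, dst):
    """True if src may initiate connections into dst under the policy matrix."""
    return src in policy.get(dst, ())

def ruleset(dst, sources, zones, trunk="eth2"):
    """Vyatta 'set' commands for one destination VLAN: an 'out' ruleset on its vif
    with default drop, return traffic first, then one accept per permitted source."""
    name = f"{dst}_OUT"                      # ruleset name chosen for this example
    fw = f"set firewall name {name}"
    cmds = [
        f"{fw} default-action drop",
        f'{fw} description "Traffic into {dst}_VLAN"',
        f"{fw} rule 10 action accept",
        f"{fw} rule 10 state established enable",
        f"{fw} rule 10 state related enable",
    ]
    for n, src in enumerate(sources, start=2):
        cmds.append(f"{fw} rule {n * 10} action accept")
        cmds.append(f"{fw} rule {n * 10} source address {zones[src].subnet}")
    # 'out' on the vif filters everything the router forwards INTO that VLAN, whichever
    # interface the packet arrived on, so the host's ingress interface need not be known.
    cmds.append(f"set interfaces ethernet {trunk} vif {zones[dst].vif} firewall out name {name}")
    return cmds

def generate(policy, zones):
    """All commands for the whole policy, in the order you would paste them into 'configure'."""
    cmds = []
    for dst, sources in policy.items():
        cmds.extend(ruleset(dst, sources, zones))
    return cmds

if __name__ == "__main__":
    print("\n".join(generate(POLICY, ZONES)))
```

Paste the output into configure on vR1, then commit and save. Because the out ruleset is evaluated in the forwarding path before source NAT, the APP_OUT rule can match the host network's real address even though NAT rule 10 masquerades it onto the trunk. If a service in APP_VLAN ever has to be reached from MSG or DB, add that source to POLICY["APP"] rather than loosening the default-action.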
For further clarity, the following images show the 3 core VMware Workstation guests that make up the ESXi infrastructure sitting on the Windows 7 host. Everything else runs inside the ESXi 'host'.
ESXi 'host' as a VMware Workstation guest
OpenFiler iSCSI & NAS as a VMware guest
vR0/FW0 as the 'edge router' into the internet.
Cheers.