Monday, February 28, 2011

Vyatta Router Configuration Example of vR1

Here is the config.boot file of vR1_FW1 described in my previous article. You may tweak the file and upload it to your own Vyatta router if you want to build a similar environment. A few things to change before you do: the hw-id values bind the interface names to the MAC addresses of my VM's NICs, so replace them with yours; the encrypted-password hash is redacted and has to be set; management is over telnet on port 23, which is cleartext, so use ssh instead; and there is no firewall stanza at all, so nothing filters traffic between the VLANs or arriving on the external interface eth3 until you add one. Also note that eth3 takes its address by DHCP while the default route is a static next-hop of 192.168.75.55, so check that the next-hop really is on the subnet eth3 is given.

interfaces {
    ethernet eth0 {
        duplex auto
        hw-id 00:0c:29:fc:9e:47
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        duplex full
        hw-id 00:0c:29:fc:9e:3d
        smp_affinity auto
        speed 10000
        vif 100 {
            address 172.16.10.1/24
            description MSG_VLAN
        }
        vif 200 {
            address 172.16.20.1/24
            description APP_VLAN
        }
        vif 300 {
            address 10.10.30.1/24
            description DB_VLAN
        }
    }
    ethernet eth3 {
        address dhcp
        description "External IF"
        duplex full
        hw-id 00:0c:29:fc:9e:33
        smp_affinity auto
        speed 10000
    }
    loopback lo {
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.75.55 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name APP_POOL {
            authoritative disable
            description "Application address pool"
            subnet 172.16.20.0/24 {
                default-router 172.16.20.1
                dns-server 192.168.0.1
                domain-name a.kein.com
                lease 86400
                start 172.16.20.100 {
                    stop 172.16.20.199
                }
            }
        }
        shared-network-name MSG_POOL {
            authoritative disable
            description "MSG_VLAN address pool"
            subnet 172.16.10.0/24 {
                default-router 172.16.10.1
                dns-server 192.168.0.1
                lease 86400
                start 172.16.10.100 {
                    stop 172.16.10.199
                }
            }
        }
    }
    https
    nat {
        rule 10 {
            outbound-interface eth2
            source {
                address 192.168.65.0/24
            }
            type masquerade
        }
        rule 20 {
            outbound-interface eth3
            source {
                address 172.16.10.0/24
            }
            type masquerade
        }
        rule 30 {
            outbound-interface eth3
            source {
                address 172.16.20.0/24
            }
            type masquerade
        }
        rule 40 {
            outbound-interface eth3
            source {
                address 10.10.30.0/24
            }
            type masquerade
        }
    }
    telnet {
        port 23
    }
}
system {
    host-name vR1_FW1
    login {
        user vyatta {
            authentication {
                encrypted-password XXXXXXXXX
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository lenny {
            components "main contrib non-free"
            distribution lenny
            password ""
            url http://mirrors.kernel.org/debian
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}

Monday, February 14, 2011

A Virtual Lab on ESXi in a VMWare Workstation Guest

Alright, I have been away for too long. I am still here.

In this article, we will look at a basic infrastructure on which we can deploy our file gateway, or anything else for that matter. It is a very basic infrastructure architecture. It is definitely not a production environment, but it is built so that it could become one. As we go, we should be able to add a firewall, a load balancer, an SSL offloader, redundancy/FT, application clusters, Oracle RAC, monitoring and security, and connect it to another LAN over IPsec. Hopefully we will be able to play with many application features on this platform. A DMZ within this virtual infrastructure is certainly possible without significant redesign.

The logical view of the network infrastructure.


Due to a limited budget, this environment has been built in an ESXi host that is itself a VM on a Windows 7 64-bit host. The physical switch has been replaced with a vSwitch, and the uplink is simulated by a port on a Vyatta router VM.

The ESXi view of the network and guest OS'es.

ESXi Virtual Network

The Infrastructure Explained
- VLAN
There are 3 VLANs.
  • MSG_VLAN - As the name suggests, this carries the TIBCO EMS traffic.
  • DB_VLAN - The database network.
  • APP_VLAN - The VLAN for TIBCO BW and the Admin Server. The Oracle Fusion server will also be deployed on this network.
Each VLAN except DB_VLAN currently has its own DHCP pool, served by the DHCP server on vR1. It should be trivial to configure DHCP relay on the Vyatta router instead, so that a single DHCP server can serve all of the VLANs.
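As an added example (not part of the original post), this is the Vyatta CLI change that would replace the two DHCP pools on vR1 with relaying to a single DHCP server. It assumes the VLAN sub-interfaces from the vR1 config (eth2.100, eth2.200, eth2.300) and a hypothetical DHCP server at 172.16.20.50 on the APP_VLAN; that server address is my assumption, not something from the lab, and the syntax is Vyatta Core 6 as I know it, so check it against your release's reference.

```vyatta
configure

# The relay and the local server cannot both own the DHCP ports, so the
# pools currently defined on vR1 have to go first. They are recreated as
# scopes on the central server, which picks the scope from the relay
# address (giaddr) that vR1 stamps on each forwarded request.
delete service dhcp-server

# Listen for client broadcasts on the VLAN sub-interfaces that need
# addresses. eth2.200 (APP_VLAN) is included because it is both a client
# VLAN and the interface facing the server. Drop the eth2.300 line if the
# DB hosts are to stay on static addresses, as in the original design.
set service dhcp-relay interface eth2.100
set service dhcp-relay interface eth2.200
set service dhcp-relay interface eth2.300

# Hypothetical central DHCP server on the APP_VLAN (assumed address).
set service dhcp-relay server 172.16.20.50

commit
save
```

The server sees relayed requests arriving from vR1's address on each VLAN (172.16.10.1, 172.16.20.1 and, if relayed, 10.10.30.1), so it needs a scope for each of those subnets, with default-router set to the matching vR1 address. Because it sits on a directly connected VLAN, its own default gateway 172.16.20.1 already provides the return path for the relayed replies.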

- SWITCH (vS1)
This is a layer 2 access switch that provides the VLANs and has an 'uplink' that connects to a VLAN trunk port on a separate layer 3 router. The vSwitch does not route between VLANs.

- ROUTER (vR1)
This router provides the link to our 'external world', which is the host machine. It provides inter-VLAN routing, NAT and a firewall (not yet configured, so at the moment nothing filters traffic between the VLANs). It has an interface configured for 802.1Q VLAN trunking. Outgoing traffic is routed to vR0 for internet access, and that route also provides access to the APP_VLAN from the host machine.

Update: The Vyatta configuration details for vR1 is now available here.

- ROUTER (vR0)
vR1 does not have direct connectivity to the internet. This router provides limited internet access to the VLANs and the PROD_LAN. In my lab, another notebook acts as the Internet Connection Sharing (ICS) host; note the IP address 192.168.0.1, as dictated by Microsoft's ICS. This router also eliminates the ICS side effect where the domain name of every PC connected to 192.168.0.0/24 becomes mshome.net once ICS is turned on.

Update: The Vyatta configuration details for vR0 is now available here.

- NFS_LAN
This is an IP network that carries all NFS traffic to/from the ESXi host. For simplicity, the NAS also provides storage to all VMs within the host. The storage types are iSCSI (for VMSTORE) and NFSv3 for everything else, primarily application data, the database cluster and logging. The NAS is implemented with OpenFiler.

- Connectivity
All inter-VLAN traffic is routed by the layer 3 router on a stick (the Vyatta virtual appliance vR1).

- Security/Isolation
All VLANs defined within the switch are isolated from each other at layer 2, which sets the broadcast boundaries. Routing between the VLANs (inter-VLAN) is performed by the router connected to the (virtual) uplink port of the switch. Communication between the tiers (MSG, APP, DB) could be firewalled if required.

Access to the virtual lab from the host machine is limited to the APP_VLAN. Hosts on the MSG_VLAN and DB_VLAN can only be reached from hosts within the APP_VLAN. Note that with the firewall on vR1 not yet configured, this restriction rests on which networks the host machine has routes to rather than on any filtering: vR1 itself forwards freely between all three VLANs, so anything that reaches it with a route to MSG_VLAN or DB_VLAN will get through. Firewall rule-sets on vR1's VLAN interfaces are what would actually enforce it.
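The following is an added example, not the author's configuration or anything taken from the lab, of the Vyatta firewall rule-sets that would enforce the isolation described above on vR1, and it also closes the two points raised for the config.boot post (no firewall stanza, management over telnet). It assumes the address plan from that config (MSG_VLAN 172.16.10.0/24 on eth2.100, APP_VLAN 172.16.20.0/24 on eth2.200, DB_VLAN 10.10.30.0/24 on eth2.300, eth3 as the external interface); the rule-set names TO_MSG, TO_DB and FROM_EXT are my own, and the syntax is Vyatta Core 6 as I know it.

```vyatta
configure

# DB_VLAN: only APP_VLAN may open connections in. Return traffic for flows
# the DB hosts started themselves is matched by state. Applied 'out' on the
# DB sub-interface, i.e. to packets vR1 is about to forward onto DB_VLAN,
# so it catches traffic from MSG_VLAN and from eth3 alike, whatever routes
# the sender has. Rule 30 is redundant with the default action but gives
# a log line per dropped packet while you are testing.
set firewall name TO_DB default-action drop
set firewall name TO_DB rule 10 action accept
set firewall name TO_DB rule 10 state established enable
set firewall name TO_DB rule 10 state related enable
set firewall name TO_DB rule 20 action accept
set firewall name TO_DB rule 20 source address 172.16.20.0/24
set firewall name TO_DB rule 30 action drop
set firewall name TO_DB rule 30 log enable
set interfaces ethernet eth2 vif 300 firewall out name TO_DB

# MSG_VLAN: same policy, again only APP_VLAN may initiate.
set firewall name TO_MSG default-action drop
set firewall name TO_MSG rule 10 action accept
set firewall name TO_MSG rule 10 state established enable
set firewall name TO_MSG rule 10 state related enable
set firewall name TO_MSG rule 20 action accept
set firewall name TO_MSG rule 20 source address 172.16.20.0/24
set firewall name TO_MSG rule 30 action drop
set firewall name TO_MSG rule 30 log enable
set interfaces ethernet eth2 vif 100 firewall out name TO_MSG

# External side (host machine / vR0): replies to the VLANs' own outbound
# connections come back, and new connections are accepted only towards
# APP_VLAN. This turns "the host can only reach APP_VLAN" from a routing
# accident into a rule. 'in' covers forwarded traffic only, so SSH to
# vR1 itself (the 'local' path) is unaffected.
set firewall name FROM_EXT default-action drop
set firewall name FROM_EXT rule 10 action accept
set firewall name FROM_EXT rule 10 state established enable
set firewall name FROM_EXT rule 10 state related enable
set firewall name FROM_EXT rule 20 action accept
set firewall name FROM_EXT rule 20 destination address 172.16.20.0/24
set firewall name FROM_EXT rule 30 action drop
set firewall name FROM_EXT rule 30 log enable
set interfaces ethernet eth3 firewall in name FROM_EXT

# Management: drop the cleartext telnet daemon and use SSH instead.
delete service telnet
set service ssh port 22

commit
save
```

To check it, open a connection from a MSG_VLAN host to a DB host and from the host machine to a DB host: both should fail, while the same connections from an APP_VLAN host succeed, and `show firewall name TO_DB` in operational mode should show the counters on rule 30 climbing for the failed attempts. The NAT masquerade rules from the config post are unchanged; they act on the source address after the forwarding decision, so the rule-sets above match on the original VLAN addresses.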

To provide further clarity, the following images are of the 3 core VMware guest OSes that make up the ESXi infrastructure sitting on the Windows 7 host. The rest run inside the ESXi 'host'.

ESXi 'host' as a VMware Workstation guest

OpenFiler iSCSI & NAS as a VMware guest

vR0/FW0 as the 'edge router' into the internet.
Cheers.