(C)Copyright 1996-2010 SAKURA Internet Inc.
5 Sep, 2013
SAKURA Internet Research Center
Senior Researcher / Naoto MATSUMOTO
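Japan Society for the Promotion of Science, University-Industry Cooperative Research Committee, 163rd Committee on Internet Technology (ITRC)
Regional InterCloud Subcommittee (RICC)
3rd Regional InterCloud Workshop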
Multi-Path VPN Overview
[Figure: Vyatta VMs in IaaS-A, IaaS-B, IaaS-C and IaaS-D; labels: Process, Virtual Ethernet NIC, Bridge + IEEE 802.1w (Rapid STP), Tunnel.]
Source: SAKURA Internet Research Center. 08/2012: Project THORN
How does it work?
[Figure: Vyatta VM; labels: Process, Virtual Ethernet NIC, Bridge + IEEE 802.1w (Rapid STP), Tunnel.]
vyattaVM# sudo rstpctl showport br0
* vtun1 8001 Fwd 8000-027a0b4f3269 8...3269 8001 D
* vtun2 8001 Fwd 8000-027a0b4f3269 8...3269 8002 D
:
veth1 8004 Fwd 8000-027a0b4f3269 8...3269 8004 D
Tunnel Interface + Linux Bridge + IEEE 802.1w (Rapid STP) Daemon
Packages for Multi-Path VPN
VyattaCore 6.4
- Tunneling Protocol: OpenVPN, GRETAP, L2TPv3 or VXLAN, etc.
- Bridging Daemon: bridge-utils
- Rapid STP Daemon: rstpd
  http://git.kernel.org/?p=linux/kernel/git/shemminger/rstp.git
- Virtual Interface: iproute2
  http://kernel.org/pub/linux/utils/net/iproute2/
How to Build on Vyatta
configure
delete system package repository community
set system package repository oxnard components main
set system package repository oxnard distribution oxnard
set system package repository oxnard url http://packages.vyatta.com/vyatta-dev/oxnard/unstable
commit
save
reboot
sudo full-upgrade -k
configure
set system package repository squeeze components main
set system package repository squeeze distribution squeeze
set system package repository squeeze url http://cdn.debian.net/debian
commit
save
sudo apt-get update
sudo aptitude install module-assistant
sudo aptitude install linux-vyatta-kbuild
cd /lib/modules/3.0.23-1-586-vyatta-virt/
sudo ln -s /usr/src/linux-image/debian/build/build-i386-none-586-vyatta-virt/ build
sudo aptitude install rpm zlib1g-dev zlib1g-dbg byacc bison flex
sudo module-assistant prepare
Install rstpd and switch-setup
- Downloading latest master from git
http://git.kernel.org/?p=linux/kernel/git/shemminger/rstp.git
cd rstp ; sudo make; sudo make install
- L2TPv3 pseudo-wire Config
sudo ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 udp_sport 5001 udp_dport 5001 \
encap udp local X.X.X.X remote Y.Y.Y.Y
sudo ip l2tp add session tunnel_id 1 session_id 1 peer_session_id 1
:
sudo ifconfig l2tpeth0 0
sudo ifconfig l2tpeth0 up
- Virtual Ethernet Config
sudo ip link add type veth
sudo ifconfig veth0 up ; sudo ifconfig veth1 up
- Bridge/Switch Config
sudo brctl addbr br0
sudo brctl addif br0 veth1
sudo brctl addif br0 l2tpeth0
sudo rstpd
sudo rstpctl rstp br0 on
Linux Performance Tuning
- Linux kernel parameter Tuning
su
sysctl -w net.core.netdev_max_backlog=500000
sysctl -w net.core.rmem_max=67108864
sysctl -w net.core.wmem_max=67108864
sysctl -w net.core.rmem_default=67108864
sysctl -w net.core.wmem_default=67108864
sysctl -w net.ipv4.tcp_mem="67108864 67108864 67108864"
echo 1000000000 > /proc/sys/kernel/shmmax
echo 400 > /proc/sys/vm/nr_hugepages
- Linux RPS (Receive Packet Steering) Tuning
echo 65535 >/proc/sys/net/core/rps_sock_flow_entries
echo 002 > /sys/class/net/eth0/queues/rx-0/rps_cpus
echo 200 > /sys/class/net/l2tpeth0/queues/rx-0/rps_cpus
:
etc
echo 65535 > /sys/class/net/eth0/queues/rx-0/rps_flow_cnt
echo 65535 > /sys/class/net/l2tpeth0/queues/rx-0/rps_flow_cnt
:
etc
Bridge/RSTP Aging Timer
- Linux Bridge STP Timer Config
brctl sethello br0 1
brctl setfd br0 4
brctl setmaxage br0 6
brctl setageing br0 10
- Linux RSTP Timer Config
rstpctl sethello br0 1
rstpctl setmaxage br0 6
rstpctl setfdelay br0 4
Performance Benchmark HowTo
- Linux in-kernel packet generator tool
su
modprobe pktgen
echo "rem_device_all" > /proc/net/pktgen/kpktgend_0
echo "add_device eth0" > /proc/net/pktgen/kpktgend_0
echo "max_before_softirq 50000" > /proc/net/pktgen/kpktgend_0
echo "count 0" > /proc/net/pktgen/eth0
echo "clone_skb 1000000" > /proc/net/pktgen/eth0
echo "pkt_size 64" > /proc/net/pktgen/eth0
echo "delay 400" > /proc/net/pktgen/eth0
echo "dst X.X.X.X" > /proc/net/pktgen/eth0
echo "dst_mac aa:18:39:6e:fc:3c" > /proc/net/pktgen/eth0
echo "start" > /proc/net/pktgen/pgctrl
Tunneling Performance Analysis
[System: Intel(R) Core(TM) i7-3930K CPU @ 3.20GHz / 32GB DDR3-DIMM]
[Traffic Generator: *pktgen, **iperf. Traffic Monitor: vnstat]
VXLAN on UNKNOWN-DEVICE (IPoEth) 4.79 Gbit/s**
Mellanox ConnectX3 10GbE-NIC (IPoEth) 9.93 Gbit/s*
Mellanox ConnectX3 40GbE-NIC (IPoEth) 27.45 Gbit/s*
Mellanox ConnectX3 FDR10-HCA (IPoIB) 29.56 Gbit/s**
(Gbit/sec) (Packet/sec)
820Kpps (MTU 1,500)
882Kpps (MTU 1,500)
2.28Mpps (MTU 1,500)
61Kpps (MTU 65,520)
High is Faster Low is Better
OpenVPN on FDR10-HCA (IPoIB) 0.24 Gbit/s*
GRETAP on FDR10-HCA (IPoIB) 5.41 Gbit/s*
L2TPv3 on FDR10-HCA (IPoIB) 10.65 Gbit/s*
N/A
N/A
N/A
Source: SAKURA Internet Research Center. 07/2012: Project THORN
Another way to Multi-Path VPN
set interfaces tunnel tun0 address 10.0.0.99/24
set interfaces tunnel tun0 encapsulation gre-multipoint
set interfaces tunnel tun0 local-ip 192.168.2.99
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 nhrp authentication pre-shared-secret NET10
set interfaces tunnel tun0 nhrp holding-time 300
set interfaces tunnel tun0 nhrp multicast parameters dynamic
set interfaces tunnel tun0 nhrp redirect
set interfaces tunnel tun0 parameters ip key 1
set protocols static route 192.168.1.0/24 next-hop 10.0.0.1
set protocols static route 192.168.2.0/24 next-hop 10.0.0.2
Multi-Path VPN Connection Method Using Vyatta
What is PBR?
1) PBR-LB (Policy Based Router–Load Balancing) focuses on server scale-out technology.
- Breaks the L2DSR (Layer 2 Direct Server Return) limitation.
- Without NAT.
- Without DSCP modification (e.g. the Layer 3 Direct Server Return mechanism).
- Adds tunneling capability.
- Does not add or modify server kernel modules.
- Uses the policy-based routing functionality of the newest software router.
PBR-LB BASIC Configuration.
vyatta$ configure
# set policy route SRC-PORT-SLB rule 11 destination address A.A.A.A
# set policy route SRC-PORT-SLB rule 11 protocol tcp_udp
# set policy route SRC-PORT-SLB rule 11 set table 11
# set policy route SRC-PORT-SLB rule 11 source port 1-10000
# set protocols static table 11 route 0.0.0.0/0 next-hop 10.0.0.1
# set interfaces ethernet eth0 policy route SRC-PORT-SLB
# commit
# save
*Reference: VYATTA, INC. Policy Based Routing REFERENCE GUIDE. (6.5R1 v01)
[Figure: Layer 3 Direct Server Return; labels: Internet, Policy Router (VyattaCore 6.5R1 on x86 Commodity Hardware), SERVER (eth0:10.0.0.1/32, lo:A.A.A.A/32).]

SRC PORT        DST ADDR   NEXTHOP-TABLE
1-10,000        A.A.A.A    0.0.0.0/0 -> 10.0.0.1
10,001-20,000   A.A.A.A    0.0.0.0/0 -> 10.0.0.2
20,001-30,000   A.A.A.A    0.0.0.0/0 -> 10.0.0.3
SOURCE: SAKURA Internet Research Center. 02/2013 Project THORN.
*Reference: L3DSR – Overcoming Layer 2 Limitations of Direct Server Return Load Balancing. Jan Schaumann, Systems Architect (NANOG51),
Policy Based Routing REFERENCE GUIDE. (6.5R1 v01), VYATTA, INC.
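
The source-port table above expanded into a full configuration, as an added example that is not part of the original slides: a shell function that emits the `set` commands for every server in the table, using only the command syntax shown in the basic configuration. The function names and the rule/table numbering starting at 11 are assumptions.

```bash
#!/bin/sh
# Added example (not from the original slides): generate the PBR-LB
# configuration for every row of the source-port table.
# POLICY, VIP and IFACE mirror the slide; rule/table numbering is an assumption.

POLICY="SRC-PORT-SLB"   # policy name used on the slide
VIP="A.A.A.A"           # placeholder service address, as on the slide
IFACE="eth0"            # ingress interface of the policy router
MAX_PORT=65535          # highest TCP/UDP port number

# pbr_lb_rules FIRST_ID PORTS_PER_SERVER NEXTHOP [NEXTHOP...]
# Prints one policy rule and one routing table per next hop. Each server gets
# the next PORTS_PER_SERVER source ports, starting at port 1. Rule id and
# table id are kept equal so every rule points at a table that exists.
pbr_lb_rules() {
    local id span lo hi nh n
    if [ "$#" -lt 3 ]; then
        echo "usage: pbr_lb_rules FIRST_ID PORTS_PER_SERVER NEXTHOP..." >&2
        return 1
    fi
    id=$1; span=$2
    for n in "$id" "$span"; do
        case "$n" in
            ''|*[!0-9]*) echo "error: '$n' is not a number" >&2; return 1 ;;
        esac
    done
    shift 2
    if [ "$span" -lt 1 ]; then
        echo "error: PORTS_PER_SERVER must be at least 1" >&2
        return 1
    fi
    # Validate the whole plan first so a bad input never yields a partial config.
    if [ $((span * $#)) -gt "$MAX_PORT" ]; then
        echo "error: $# servers x $span ports exceeds $MAX_PORT" >&2
        return 1
    fi
    lo=1
    for nh in "$@"; do
        hi=$((lo + span - 1))
        echo "set policy route $POLICY rule $id destination address $VIP"
        echo "set policy route $POLICY rule $id protocol tcp_udp"
        echo "set policy route $POLICY rule $id source port $lo-$hi"
        echo "set policy route $POLICY rule $id set table $id"
        echo "set protocols static table $id route 0.0.0.0/0 next-hop $nh"
        lo=$((hi + 1))
        id=$((id + 1))
    done
    echo "set interfaces ethernet $IFACE policy route $POLICY"
}

# uncovered_ports PORTS_PER_SERVER SERVER_COUNT
# Number of source ports (out of 1-65535) that no generated rule matches.
uncovered_ports() {
    echo $((MAX_PORT - $1 * $2))
}

# The three rows of the slide's table: 10,000 source ports per server.
pbr_lb_rules 11 10000 10.0.0.1 10.0.0.2 10.0.0.3
echo "# source ports matched by no rule: $(uncovered_ports 10000 3)"
```

With the three 10,000-port ranges from the table, source ports 30,001-65,535 match none of the generated rules.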
in more detail.
$ show version
Version: VC6.5R1
Description: Vyatta Core 6.5 R1
:
$ show policy route
$ show policy route statistics
...etc
One more Thing: Enabling 40GbE
1) Using pre-installed kernel modules for Mellanox 40GbE-NIC (mlx4_core,en)
2) Load the 40GbE-NIC kernel module via /etc/modules
$ show version
Version: VC6.5R1
Description: Vyatta Core 6.5 R1
$ sudo vi /etc/modules
mlx4_en
$ sync; sync; sync; reboot
© 2013 Mellanox Technologies. All Rights Reserved.
40GbE-NIC Status Check
$ show interfaces ethernet eth1 physical
Settings for eth1:
Supported ports: [ TP ]
:
Speed: 40000Mb/s
Duplex: Full
Port: Twisted Pair
:
Link detected: yes
driver: mlx4_en
version: 2.0 (Dec 2011)
firmware-version: 2.10.800
bus-info: 0000:01:00.0
40GbE-NIC Option Check
$ sudo ethtool -k eth1
Offload parameters for eth1:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off
ntuple-filters: off
receive-hashing: on
40GbE-NIC module Check
$ sudo modinfo mlx4_en
filename: /lib/modules/3.3.8-1-586-vyatta/.../mellanox/mlx4/mlx4_en.ko
version: 2.0 (Dec 2011)
license: Dual BSD/GPL
description: Mellanox ConnectX HCA Ethernet driver
author: Liran Liss, Yevgeny Petrilin
srcversion: 142AB5E074EB35EDB627247
depends: mlx4_core
intree: Y
vermagic: 3.3.8-1-586-vyatta SMP mod_unload modversions 586
parm: inline_thold:threshold for using inline data (int)
parm: udp_rss:Enable RSS for incomming UDP traffic or disabled (0)...
parm: pfctx:Priority based Flow Control policy on TX[7:0]. Per prio...
parm: pfcrx:Priority based Flow Control policy on RX[7:0]. Per prio...
Thanks for your interest.
SAKURA Internet Research Center.

More Related Content

What's hot

Large Scale L2TPv3 Overlay Networking with OSPFv3(DRAFT)
Large Scale L2TPv3 Overlay Networking with OSPFv3(DRAFT)Large Scale L2TPv3 Overlay Networking with OSPFv3(DRAFT)
Large Scale L2TPv3 Overlay Networking with OSPFv3(DRAFT)Naoto MATSUMOTO
 
SR-IOV+KVM on Debian/Stable
SR-IOV+KVM on Debian/StableSR-IOV+KVM on Debian/Stable
SR-IOV+KVM on Debian/Stablejuet-y
 
2014-4Q-OpenStack-Fall-presentation-public-20150310a
2014-4Q-OpenStack-Fall-presentation-public-20150310a2014-4Q-OpenStack-Fall-presentation-public-20150310a
2014-4Q-OpenStack-Fall-presentation-public-20150310aKen Igarashi
 
82599 sriov vm configuration notes
82599 sriov vm configuration notes82599 sriov vm configuration notes
82599 sriov vm configuration notesRyan Aydelott
 
Network Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudyNetwork Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudyHiroshi Ota
 
L3HA-VRRP-20141201
L3HA-VRRP-20141201L3HA-VRRP-20141201
L3HA-VRRP-20141201Manabu Ori
 
20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features雄也 日下部
 
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/StableSR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stablejuet-y
 
Network Jumbo Frame Config Guide
Network Jumbo Frame Config GuideNetwork Jumbo Frame Config Guide
Network Jumbo Frame Config GuideWoo Hyung Choi
 
UNDOCUMENTED Vyatta vRouter: IPv4 over IPv6 Tunneling
UNDOCUMENTED Vyatta vRouter: IPv4 over IPv6 TunnelingUNDOCUMENTED Vyatta vRouter: IPv4 over IPv6 Tunneling
UNDOCUMENTED Vyatta vRouter: IPv4 over IPv6 TunnelingNaoto MATSUMOTO
 
SAS (Secure Active Switch)
SAS (Secure Active Switch)SAS (Secure Active Switch)
SAS (Secure Active Switch)Security Date
 
OpenStack networking juno l3 h-a, dvr
OpenStack networking   juno l3 h-a, dvrOpenStack networking   juno l3 h-a, dvr
OpenStack networking juno l3 h-a, dvrSim Janghoon
 
OpenStack networking-sfc flow 분석
OpenStack networking-sfc flow 분석OpenStack networking-sfc flow 분석
OpenStack networking-sfc flow 분석Yongyoon Shin
 
JomaSoft VDCF - Solaris Private Cloud
JomaSoft VDCF - Solaris Private CloudJomaSoft VDCF - Solaris Private Cloud
JomaSoft VDCF - Solaris Private CloudJomaSoft
 

What's hot (19)

Vyos clustering ipsec
Vyos clustering ipsecVyos clustering ipsec
Vyos clustering ipsec
 
Large Scale L2TPv3 Overlay Networking with OSPFv3(DRAFT)
Large Scale L2TPv3 Overlay Networking with OSPFv3(DRAFT)Large Scale L2TPv3 Overlay Networking with OSPFv3(DRAFT)
Large Scale L2TPv3 Overlay Networking with OSPFv3(DRAFT)
 
SR-IOV+KVM on Debian/Stable
SR-IOV+KVM on Debian/StableSR-IOV+KVM on Debian/Stable
SR-IOV+KVM on Debian/Stable
 
2014-4Q-OpenStack-Fall-presentation-public-20150310a
2014-4Q-OpenStack-Fall-presentation-public-20150310a2014-4Q-OpenStack-Fall-presentation-public-20150310a
2014-4Q-OpenStack-Fall-presentation-public-20150310a
 
82599 sriov vm configuration notes
82599 sriov vm configuration notes82599 sriov vm configuration notes
82599 sriov vm configuration notes
 
Network Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudyNetwork Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudy
 
L3HA-VRRP-20141201
L3HA-VRRP-20141201L3HA-VRRP-20141201
L3HA-VRRP-20141201
 
Juniper 40G and 100G
Juniper 40G and 100GJuniper 40G and 100G
Juniper 40G and 100G
 
20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features
 
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/StableSR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
SR-IOV, KVM and Emulex OneConnect 10Gbps cards on Debian/Stable
 
Network Jumbo Frame Config Guide
Network Jumbo Frame Config GuideNetwork Jumbo Frame Config Guide
Network Jumbo Frame Config Guide
 
VyattaCore TIPS2013
VyattaCore TIPS2013VyattaCore TIPS2013
VyattaCore TIPS2013
 
Juniper for Enterprise
Juniper for EnterpriseJuniper for Enterprise
Juniper for Enterprise
 
UNDOCUMENTED Vyatta vRouter: IPv4 over IPv6 Tunneling
UNDOCUMENTED Vyatta vRouter: IPv4 over IPv6 TunnelingUNDOCUMENTED Vyatta vRouter: IPv4 over IPv6 Tunneling
UNDOCUMENTED Vyatta vRouter: IPv4 over IPv6 Tunneling
 
SAS (Secure Active Switch)
SAS (Secure Active Switch)SAS (Secure Active Switch)
SAS (Secure Active Switch)
 
OpenStack networking juno l3 h-a, dvr
OpenStack networking   juno l3 h-a, dvrOpenStack networking   juno l3 h-a, dvr
OpenStack networking juno l3 h-a, dvr
 
OpenStack networking-sfc flow 분석
OpenStack networking-sfc flow 분석OpenStack networking-sfc flow 분석
OpenStack networking-sfc flow 분석
 
JomaSoft VDCF - Solaris Private Cloud
JomaSoft VDCF - Solaris Private CloudJomaSoft VDCF - Solaris Private Cloud
JomaSoft VDCF - Solaris Private Cloud
 
SecurityPI - Hardening your IoT endpoints in Home.
SecurityPI - Hardening your IoT endpoints in Home. SecurityPI - Hardening your IoT endpoints in Home.
SecurityPI - Hardening your IoT endpoints in Home.
 

Similar to VYATTAによるマルチパスVPN接続手法

Server-side Intelligent Switching using Windows Azure
Server-side Intelligent Switching using Windows AzureServer-side Intelligent Switching using Windows Azure
Server-side Intelligent Switching using Windows AzureNaoto MATSUMOTO
 
BRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdf
BRKRST-3068  Troubleshooting Catalyst 2K and 3K.pdfBRKRST-3068  Troubleshooting Catalyst 2K and 3K.pdf
BRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdfssusercbaa33
 
從INTEL技術談網路卡
從INTEL技術談網路卡從INTEL技術談網路卡
從INTEL技術談網路卡zman
 
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)Virtualizing the Network to enable a Software Defined Infrastructure (SDI)
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)Odinot Stanislas
 
cisco-ws-c2960+48pst-l-datasheet.pdf
cisco-ws-c2960+48pst-l-datasheet.pdfcisco-ws-c2960+48pst-l-datasheet.pdf
cisco-ws-c2960+48pst-l-datasheet.pdfHi-Network.com
 
cisco-cbs350-48t-4x-datasheet.pdf
cisco-cbs350-48t-4x-datasheet.pdfcisco-cbs350-48t-4x-datasheet.pdf
cisco-cbs350-48t-4x-datasheet.pdfHi-Network.com
 
Lab- Full IPsec Implementation.pdf
Lab- Full IPsec Implementation.pdfLab- Full IPsec Implementation.pdf
Lab- Full IPsec Implementation.pdfNesibusami
 
cisco-cbs350-48t-4g-datasheet.pdf
cisco-cbs350-48t-4g-datasheet.pdfcisco-cbs350-48t-4g-datasheet.pdf
cisco-cbs350-48t-4g-datasheet.pdfHi-Network.com
 
Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Yongyoon Shin
 
Exercise 4c stp rapid pvst+ question
Exercise 4c   stp rapid pvst+ questionExercise 4c   stp rapid pvst+ question
Exercise 4c stp rapid pvst+ questionsufi1248
 
cisco-cbs350-48fp-4g-datasheet.pdf
cisco-cbs350-48fp-4g-datasheet.pdfcisco-cbs350-48fp-4g-datasheet.pdf
cisco-cbs350-48fp-4g-datasheet.pdfHi-Network.com
 
cisco-sf350-48mp-datasheet.pdf
cisco-sf350-48mp-datasheet.pdfcisco-sf350-48mp-datasheet.pdf
cisco-sf350-48mp-datasheet.pdfHi-Network.com
 
SDN/OpenFlow #lspe
SDN/OpenFlow #lspeSDN/OpenFlow #lspe
SDN/OpenFlow #lspeChris Westin
 
cisco-sg350-28p-datasheet.pdf
cisco-sg350-28p-datasheet.pdfcisco-sg350-28p-datasheet.pdf
cisco-sg350-28p-datasheet.pdfHi-Network.com
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OpenvSwitch
 
cisco-cbs350-24fp-4g-datasheet.pdf
cisco-cbs350-24fp-4g-datasheet.pdfcisco-cbs350-24fp-4g-datasheet.pdf
cisco-cbs350-24fp-4g-datasheet.pdfHi-Network.com
 
Avb pov 2017 v2
Avb pov 2017 v2Avb pov 2017 v2
Avb pov 2017 v2Jeff Green
 
ws-c2960+48tc-s-datasheet.pdf
ws-c2960+48tc-s-datasheet.pdfws-c2960+48tc-s-datasheet.pdf
ws-c2960+48tc-s-datasheet.pdfHi-Network.com
 
cisco-cbs350-24fp-4x-datasheet.pdf
cisco-cbs350-24fp-4x-datasheet.pdfcisco-cbs350-24fp-4x-datasheet.pdf
cisco-cbs350-24fp-4x-datasheet.pdfHi-Network.com
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATCisco Russia
 

Similar to VYATTAによるマルチパスVPN接続手法 (20)

Server-side Intelligent Switching using Windows Azure
Server-side Intelligent Switching using Windows AzureServer-side Intelligent Switching using Windows Azure
Server-side Intelligent Switching using Windows Azure
 
BRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdf
BRKRST-3068  Troubleshooting Catalyst 2K and 3K.pdfBRKRST-3068  Troubleshooting Catalyst 2K and 3K.pdf
BRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdf
 
從INTEL技術談網路卡
從INTEL技術談網路卡從INTEL技術談網路卡
從INTEL技術談網路卡
 
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)Virtualizing the Network to enable a Software Defined Infrastructure (SDI)
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)
 
cisco-ws-c2960+48pst-l-datasheet.pdf
cisco-ws-c2960+48pst-l-datasheet.pdfcisco-ws-c2960+48pst-l-datasheet.pdf
cisco-ws-c2960+48pst-l-datasheet.pdf
 
cisco-cbs350-48t-4x-datasheet.pdf
cisco-cbs350-48t-4x-datasheet.pdfcisco-cbs350-48t-4x-datasheet.pdf
cisco-cbs350-48t-4x-datasheet.pdf
 
Lab- Full IPsec Implementation.pdf
Lab- Full IPsec Implementation.pdfLab- Full IPsec Implementation.pdf
Lab- Full IPsec Implementation.pdf
 
cisco-cbs350-48t-4g-datasheet.pdf
cisco-cbs350-48t-4g-datasheet.pdfcisco-cbs350-48t-4g-datasheet.pdf
cisco-cbs350-48t-4g-datasheet.pdf
 
Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1
 
Exercise 4c stp rapid pvst+ question
Exercise 4c   stp rapid pvst+ questionExercise 4c   stp rapid pvst+ question
Exercise 4c stp rapid pvst+ question
 
cisco-cbs350-48fp-4g-datasheet.pdf
cisco-cbs350-48fp-4g-datasheet.pdfcisco-cbs350-48fp-4g-datasheet.pdf
cisco-cbs350-48fp-4g-datasheet.pdf
 
cisco-sf350-48mp-datasheet.pdf
cisco-sf350-48mp-datasheet.pdfcisco-sf350-48mp-datasheet.pdf
cisco-sf350-48mp-datasheet.pdf
 
SDN/OpenFlow #lspe
SDN/OpenFlow #lspeSDN/OpenFlow #lspe
SDN/OpenFlow #lspe
 
cisco-sg350-28p-datasheet.pdf
cisco-sg350-28p-datasheet.pdfcisco-sg350-28p-datasheet.pdf
cisco-sg350-28p-datasheet.pdf
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and Gotchas
 
cisco-cbs350-24fp-4g-datasheet.pdf
cisco-cbs350-24fp-4g-datasheet.pdfcisco-cbs350-24fp-4g-datasheet.pdf
cisco-cbs350-24fp-4g-datasheet.pdf
 
Avb pov 2017 v2
Avb pov 2017 v2Avb pov 2017 v2
Avb pov 2017 v2
 
ws-c2960+48tc-s-datasheet.pdf
ws-c2960+48tc-s-datasheet.pdfws-c2960+48tc-s-datasheet.pdf
ws-c2960+48tc-s-datasheet.pdf
 
cisco-cbs350-24fp-4x-datasheet.pdf
cisco-cbs350-24fp-4x-datasheet.pdfcisco-cbs350-24fp-4x-datasheet.pdf
cisco-cbs350-24fp-4x-datasheet.pdf
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
 

More from Naoto MATSUMOTO

Alder Lake-S CPU Temperature Monitoring
Alder Lake-S CPU Temperature MonitoringAlder Lake-S CPU Temperature Monitoring
Alder Lake-S CPU Temperature MonitoringNaoto MATSUMOTO
 
CPU製品出荷状況と消費電力の見える化
CPU製品出荷状況と消費電力の見える化CPU製品出荷状況と消費電力の見える化
CPU製品出荷状況と消費電力の見える化Naoto MATSUMOTO
 
2023年以降のサーバークラスタリング設計(メモ)
2023年以降のサーバークラスタリング設計(メモ)2023年以降のサーバークラスタリング設計(メモ)
2023年以降のサーバークラスタリング設計(メモ)Naoto MATSUMOTO
 
防災を考慮した水中調査の一考察
防災を考慮した水中調査の一考察防災を考慮した水中調査の一考察
防災を考慮した水中調査の一考察Naoto MATSUMOTO
 
旅するパケットの見える化
旅するパケットの見える化旅するパケットの見える化
旅するパケットの見える化Naoto MATSUMOTO
 
LTE-M/NB IoTを試してみる nRF9160/Thingy:91
LTE-M/NB IoTを試してみる nRF9160/Thingy:91LTE-M/NB IoTを試してみる nRF9160/Thingy:91
LTE-M/NB IoTを試してみる nRF9160/Thingy:91Naoto MATSUMOTO
 
災害時における無線モニタリングによる社会インフラの見える化
災害時における無線モニタリングによる社会インフラの見える化災害時における無線モニタリングによる社会インフラの見える化
災害時における無線モニタリングによる社会インフラの見える化Naoto MATSUMOTO
 
BeautifulSoup / selenium Deep dive
BeautifulSoup / selenium Deep diveBeautifulSoup / selenium Deep dive
BeautifulSoup / selenium Deep diveNaoto MATSUMOTO
 
Network Adapter Deep dive
Network Adapter Deep diveNetwork Adapter Deep dive
Network Adapter Deep diveNaoto MATSUMOTO
 
x86_64 Hardware Deep dive
x86_64 Hardware Deep divex86_64 Hardware Deep dive
x86_64 Hardware Deep diveNaoto MATSUMOTO
 
ADS-B, AIS, APRS cheatsheet
ADS-B, AIS, APRS cheatsheetADS-B, AIS, APRS cheatsheet
ADS-B, AIS, APRS cheatsheetNaoto MATSUMOTO
 
3/4G USB modem Cheat Sheet
3/4G USB modem Cheat Sheet3/4G USB modem Cheat Sheet
3/4G USB modem Cheat SheetNaoto MATSUMOTO
 
How To Train Your ARM(SBC)
How To  Train Your ARM(SBC)How To  Train Your ARM(SBC)
How To Train Your ARM(SBC)Naoto MATSUMOTO
 
全国におけるCOVID-19対策の見える化 ~宿泊業の場合~
全国におけるCOVID-19対策の見える化 ~宿泊業の場合~全国におけるCOVID-19対策の見える化 ~宿泊業の場合~
全国におけるCOVID-19対策の見える化 ~宿泊業の場合~Naoto MATSUMOTO
 
我が国の電波の使用状況/携帯電話向け割当 (2019年3月1日現在)
我が国の電波の使用状況/携帯電話向け割当 (2019年3月1日現在)我が国の電波の使用状況/携帯電話向け割当 (2019年3月1日現在)
我が国の電波の使用状況/携帯電話向け割当 (2019年3月1日現在)Naoto MATSUMOTO
 
私たちに訪れる(かもしれない)未来と計算機によるモノコトの見える化
私たちに訪れる(かもしれない)未来と計算機によるモノコトの見える化私たちに訪れる(かもしれない)未来と計算機によるモノコトの見える化
私たちに訪れる(かもしれない)未来と計算機によるモノコトの見える化Naoto MATSUMOTO
 

More from Naoto MATSUMOTO (20)

Alder Lake-S CPU Temperature Monitoring
Alder Lake-S CPU Temperature MonitoringAlder Lake-S CPU Temperature Monitoring
Alder Lake-S CPU Temperature Monitoring
 
CPU製品出荷状況と消費電力の見える化
CPU製品出荷状況と消費電力の見える化CPU製品出荷状況と消費電力の見える化
CPU製品出荷状況と消費電力の見える化
 
5Gの見える化
5Gの見える化5Gの見える化
5Gの見える化
 
2023年以降のサーバークラスタリング設計(メモ)
2023年以降のサーバークラスタリング設計(メモ)2023年以降のサーバークラスタリング設計(メモ)
2023年以降のサーバークラスタリング設計(メモ)
 
防災を考慮した水中調査の一考察
防災を考慮した水中調査の一考察防災を考慮した水中調査の一考察
防災を考慮した水中調査の一考察
 
旅するパケットの見える化
旅するパケットの見える化旅するパケットの見える化
旅するパケットの見える化
 
LTE-M/NB IoTを試してみる nRF9160/Thingy:91
LTE-M/NB IoTを試してみる nRF9160/Thingy:91LTE-M/NB IoTを試してみる nRF9160/Thingy:91
LTE-M/NB IoTを試してみる nRF9160/Thingy:91
 
災害時における無線モニタリングによる社会インフラの見える化
災害時における無線モニタリングによる社会インフラの見える化災害時における無線モニタリングによる社会インフラの見える化
災害時における無線モニタリングによる社会インフラの見える化
 
BeautifulSoup / selenium Deep dive
BeautifulSoup / selenium Deep diveBeautifulSoup / selenium Deep dive
BeautifulSoup / selenium Deep dive
 
AMDGPU ROCm Deep dive
AMDGPU ROCm Deep diveAMDGPU ROCm Deep dive
AMDGPU ROCm Deep dive
 
Network Adapter Deep dive
Network Adapter Deep diveNetwork Adapter Deep dive
Network Adapter Deep dive
 
RTL2838 DVB-T Deep dive
RTL2838 DVB-T Deep diveRTL2838 DVB-T Deep dive
RTL2838 DVB-T Deep dive
 
x86_64 Hardware Deep dive
x86_64 Hardware Deep divex86_64 Hardware Deep dive
x86_64 Hardware Deep dive
 
ADS-B, AIS, APRS cheatsheet
ADS-B, AIS, APRS cheatsheetADS-B, AIS, APRS cheatsheet
ADS-B, AIS, APRS cheatsheet
 
curl --http3 cheatsheet
curl --http3 cheatsheetcurl --http3 cheatsheet
curl --http3 cheatsheet
 
3/4G USB modem Cheat Sheet
3/4G USB modem Cheat Sheet3/4G USB modem Cheat Sheet
3/4G USB modem Cheat Sheet
 
How To Train Your ARM(SBC)
How To  Train Your ARM(SBC)How To  Train Your ARM(SBC)
How To Train Your ARM(SBC)
 
全国におけるCOVID-19対策の見える化 ~宿泊業の場合~
全国におけるCOVID-19対策の見える化 ~宿泊業の場合~全国におけるCOVID-19対策の見える化 ~宿泊業の場合~
全国におけるCOVID-19対策の見える化 ~宿泊業の場合~
 
我が国の電波の使用状況/携帯電話向け割当 (2019年3月1日現在)
我が国の電波の使用状況/携帯電話向け割当 (2019年3月1日現在)我が国の電波の使用状況/携帯電話向け割当 (2019年3月1日現在)
我が国の電波の使用状況/携帯電話向け割当 (2019年3月1日現在)
 
私たちに訪れる(かもしれない)未来と計算機によるモノコトの見える化
私たちに訪れる(かもしれない)未来と計算機によるモノコトの見える化私たちに訪れる(かもしれない)未来と計算機によるモノコトの見える化
私たちに訪れる(かもしれない)未来と計算機によるモノコトの見える化
 

Recently uploaded

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 

Recently uploaded (20)

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio

Multi-Path VPN Connection Method Using Vyatta

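  • 1. (C)Copyright 1996-2010 SAKURA Internet Inc.
      5 Sep, 2013
      SAKURA Internet Research Center, Senior Researcher / Naoto MATSUMOTO
      Japan Society for the Promotion of Science, University-Industry Cooperative Research Committee, 163rd Committee on Internet Technology (ITRC)
      Regional Inter-Cloud Subcommittee (RICC)
      3rd Regional Inter-Cloud Workshop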
  • 2. Multi-Path VPN Overview
      [Diagram labels: a Vyatta VM in each of IaaS-A, IaaS-B, IaaS-C and IaaS-D; each VM shows Tunnels, Bridge + IEEE 802.1w (Rapid STP), Virtual Ethernet NIC, Processes]
      Source: SAKURA Internet Research Center. 08/2012: Project THORN
  • 3. How does it work?
      Tunnel Interface + Linux Bridge + IEEE 802.1w (Rapid STP) Daemon
        vyattaVM# sudo rstpctl showport br0
        * vtun1 8001 Fwd 8000-027a0b4f3269 8...3269 8001 D
        * vtun2 8001 Fwd 8000-027a0b4f3269 8...3269 8002 D
        :
          veth1 8004 Fwd 8000-027a0b4f3269 8...3269 8004 D
      [Diagram labels: Vyatta VM with Tunnels, Bridge + IEEE 802.1w (Rapid STP), Virtual Ethernet NIC, Processes]
      Source: SAKURA Internet Research Center. 08/2012: Project THORN
  • 4. Packages for Multi-Path VPN
      VyattaCore 6.4
      - Tunneling Protocol: OpenVPN, GRETAP, L2TPv3 or VXLAN ..etc
      - Bridging Daemon: bridge-utils
      - Rapid STP Daemon: rstpd
        http://git.kernel.org/?p=linux/kernel/git/shemminger/rstp.git
      - Virtual Interface: iproute2
        http://kernel.org/pub/linux/utils/net/iproute2/
      Source: SAKURA Internet Research Center. 08/2012: Project THORN
  • 5. How to Build on Vyatta
        configure
        delete system package repository community
        set system package repository oxnard components main
        set system package repository oxnard distribution oxnard
        set system package repository oxnard url http://packages.vyatta.com/vyatta-dev/oxnard/unstable
        commit
        save
        reboot
        sudo full-upgrade -k
        configure
        set system package repository squeeze components main
        set system package repository squeeze distribution squeeze
        set system package repository squeeze url http://cdn.debian.net/debian
        commit
        save
        sudo apt-get update
        sudo aptitude install module-assistant
        sudo aptitude install linux-vyatta-kbuild
        cd /lib/modules/3.0.23-1-586-vyatta-virt/
        sudo ln -s /usr/src/linux-image/debian/build/build-i386-none-586-vyatta-virt/ build
        sudo aptitude install rpm zlib1g-dev zlib1g-dbg byacc bison flex
        sudo module-assistant prepare
      Source: SAKURA Internet Research Center. 08/2012: Project THORN
  • 6. Install rstpd and switch-setup
      - Downloading latest master from git
        http://git.kernel.org/?p=linux/kernel/git/shemminger/rstp.git
        cd rstp ; sudo make; sudo make install
      - L2TPv3 pseudo-wire Config
        sudo ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 udp_sport 5001 udp_dport 5001 \
            encap udp local X.X.X.X remote Y.Y.Y.Y
        sudo ip l2tp add session tunnel_id 1 session_id 1 peer_session_id 1
        :
        sudo ifconfig l2tpeth0 0
        sudo ifconfig l2tpeth0 up up
      - Virtual Ethernet Config
        sudo ip link add type veth
        sudo ifconfig veth0 up up ; sudo ifconfig veth1 up up
      - Bridge/Switch Config
        sudo brctl addbr br0
        sudo brctl addif br0 veth1
        sudo brctl addif br0 l2tpeth0
        sudo rstpd
        sudo rstpctl rstp br0 on
  • 7. Linux Performance Tuning
      - Linux kernel parameter Tuning
        su
        sysctl -w net.core.netdev_max_backlog=500000
        sysctl -w net.core.rmem_max=67108864
        sysctl -w net.core.wmem_max=67108864
        sysctl -w net.core.rmem_default=67108864
        sysctl -w net.core.wmem_default=67108864
        sysctl -w net.ipv4.tcp_mem="67108864 67108864 67108864"
        echo 1000000000 > /proc/sys/kernel/shmmax
        echo 400 > /proc/sys/vm/nr_hugepages
      - Linux RPS (Receive Packet Steering) Tuning
        echo 65535 > /proc/sys/net/core/rps_sock_flow_entries
        echo 002 > /sys/class/net/eth0/queues/rx-0/rps_cpus
        echo 200 > /sys/class/net/l2tpeth0/queues/rx-0/rps_cpus
        : etc
        echo 65535 > /sys/class/net/eth0/queues/rx-0/rps_flow_cnt
        echo 65535 > /sys/class/net/l2tpeth0/queues/rx-0/rps_flow_cnt
        : etc
      Source: SAKURA Internet Research Center. 08/2012: Project THORN
  • 8. Bridge/RSTP Aging Timer
      VyattaCore 6.4
      - Linux Bridge STP Timer Config
        brctl sethello br0 1
        brctl setfd br0 4
        brctl setmaxage br0 6
        brctl setageing br0 10
      - Linux RSTP Timer Config
        rstpctl sethello br0 1
        rstpctl setmaxage br0 6
        rstpctl setfdelay br0 4
      Source: SAKURA Internet Research Center. 08/2012: Project THORN
  • 9. Performance Benchmark HowTo
      - Linux in-kernel packet generator tool
        su
        modprobe pktgen
        echo "rem_device_all" > /proc/net/pktgen/kpktgend_0
        echo "add_device eth0" > /proc/net/pktgen/kpktgend_0
        echo "max_before_softirq 50000" > /proc/net/pktgen/kpktgend_0
        echo "count 0" > /proc/net/pktgen/eth0
        echo "clone_skb 1000000" > /proc/net/pktgen/eth0
        echo "pkt_size 64" > /proc/net/pktgen/eth0
        echo "delay 400" > /proc/net/pktgen/eth0
        echo "dst X.X.X.X" > /proc/net/pktgen/eth0
        echo "dst_mac aa:18:39:6e:fc:3c" > /proc/net/pktgen/eth0
        echo "start" > /proc/net/pktgen/pgctrl
      Source: SAKURA Internet Research Center. 08/2012: Project THORN
  • 10. Tunneling Performance Analysis
      [System: Intel(R) Core(TM) i7-3930K CPU @ 3.20GHz / 32GB DDR3-DIMM]
      [Traffic Generator: *pktgen, **iperf. Traffic Monitor: vnstat]
      Throughput (Gbit/sec):
        VXLAN on UNKNOWN-DEVICE (IPoEth)           4.79 Gbit/s**
        Mellanox ConnectX3 10GbE-NIC (IPoEth)      9.93 Gbit/s*
        Mellanox ConnectX3 40GbE-NIC (IPoEth)     27.45 Gbit/s*
        Mellanox ConnectX3 FDR10-HCA (IPoIB)      29.56 Gbit/s**
        OpenVPN on FDR10-HCA (IPoIB)               0.24 Gbit/s*
        GRETAP on FDR10-HCA (IPoIB)                5.41 Gbit/s*
        L2TPv3 on FDR10-HCA (IPoIB)               10.65 Gbit/s*
      Packet rate (Packet/sec): 820Kpps (MTU 1,500), 882Kpps (MTU 1,500), 2.28Mpps (MTU 1,500), 61Kpps (MTU 65,520), N/A, N/A, N/A
      Chart legend: High is Faster / Low is Better
      Source: SAKURA Internet Research Center. 07/2012: Project THORN
  • 11. Another way to Multi-Path VPN
        set interfaces tunnel tun0 address 10.0.0.99/24
        set interfaces tunnel tun0 encapsulation gre-multipoint
        set interfaces tunnel tun0 local-ip 192.168.2.99
        set interfaces tunnel tun0 multicast enable
        set interfaces tunnel tun0 nhrp authentication pre-shared-secret NET10
        set interfaces tunnel tun0 nhrp holding-time 300
        set interfaces tunnel tun0 nhrp multicast parameters dynamic
        set interfaces tunnel tun0 nhrp redirect
        set interfaces tunnel tun0 parameters ip key 1
        set protocols static route 192.168.1.0/24 next-hop 10.0.0.1
        set protocols static route 192.168.2.0/24 next-hop 10.0.0.2
  • 13. What is PBR?
      1) PBR-LB (Policy Based Router–Load Balancing) is focusing on Server Scale-Out Tech.
      - Breaking L2DSR (Layer 2 Direct Server Return) Limitation.
      - without NAT.
      - without DSCP modify (e.g. Layer 3 Direct Server Return mechanism).
      - Add Tunneling Capability.
      - Do not add/modify Server kernel modules.
      - using Policy Based Routing Functionality on Newest Software Router.
  • 14. PBR-LB BASIC Configuration.
        vyatta$ configure
        # set policy route SRC-PORT-SLB rule 11 destination address A.A.A.A
        # set policy route SRC-PORT-SLB rule 11 protocol tcp_udp
        # set policy route SRC-PORT-SLB rule 11 set table 11
        # set policy route SRC-PORT-SLB rule 11 source port 1-10000
        # set protocols static table 11 route 0.0.0.0/0 next-hop 10.0.0.1
        # set interfaces ethernet eth0 policy route SRC-PORT-SLB
        # commit
        # save
      *Reference: VYATTA, INC. Policy Based Routing REFERENCE GUIDE. (6.5R1 v01)
  • 15. Layer 3 Direct Server Return
      [Diagram labels: Internet; Policy Router (VyattaCore 6.5R1 on x86 Commodity Hardware); SERVER eth0:10.0.0.1/32 lo:A.A.A.A/32]
        SRC PORT         DST ADDR   NEXTHOP-TABLE
        1-10,000         A.A.A.A    0.0.0.0/0 -> 10.0.0.1
        10,001-20,000    A.A.A.A    0.0.0.0/0 -> 10.0.0.2
        20,001-30,000    A.A.A.A    0.0.0.0/0 -> 10.0.0.3
      SOURCE: SAKURA Internet Research Center. 02/2013 Project THORN.
      *Reference: L3DSR – Overcoming Layer 2 Limitations of Direct Server Return Load Balancing. Jan Schaumann, Systems Architect (NANOG51), Policy Based Routing REFERENCE GUIDE. (6.5R1 v01), VYATTA, INC.
  • 16. in more detail.
        $ show version
        Version: VC6.5R1
        Description: Vyatta Core 6.5 R1
        :
        $ show policy route
        $ show policy route statistics
        ...etc
  • 17. One more Thing: Enabling 40GbE
      1) Using Pre-installed kernel modules for Mellanox 40GbE-NIC (mlx4_core,en)
      2) Load 40GbE-NIC kernel module on /etc/modules
        $ show version
        Version: VC6.5R1
        Description: Vyatta Core 6.5 R1
        $ sudo vi /etc/modules
        mlx4_en
        $ sync; sync; sync; reboot
      © 2013 Mellanox Technologies. All Rights Reserved.
  • 18. 40GbE-NIC Status Check
        $ show interfaces ethernet eth1 physical
        Settings for eth1:
        Supported ports: [ TP ]
        :
        Speed: 40000Mb/s
        Duplex: Full
        Port: Twisted Pair
        :
        Link detected: yes
        driver: mlx4_en
        version: 2.0 (Dec 2011)
        firmware-version: 2.10.800
        bus-info: 0000:01:00.0
      © 2013 Mellanox Technologies. All Rights Reserved.
  • 19. 40GbE-NIC Option Check
        $ sudo ethtool -k eth1
        Offload parameters for eth1:
        rx-checksumming: on
        tx-checksumming: on
        scatter-gather: on
        tcp-segmentation-offload: on
        udp-fragmentation-offload: off
        generic-segmentation-offload: on
        generic-receive-offload: on
        large-receive-offload: off
        ntuple-filters: off
        receive-hashing: on
      © 2013 Mellanox Technologies. All Rights Reserved.
  • 20. 40GbE-NIC module Check
        $ sudo modinfo mlx4_en
        filename: /lib/modules/3.3.8-1-586-vyatta/.../mellanox/mlx4/mlx4_en.ko
        version: 2.0 (Dec 2011)
        license: Dual BSD/GPL
        description: Mellanox ConnectX HCA Ethernet driver
        author: Liran Liss, Yevgeny Petrilin
        srcversion: 142AB5E074EB35EDB627247
        depends: mlx4_core
        intree: Y
        vermagic: 3.3.8-1-586-vyatta SMP mod_unload modversions 586
        parm: inline_thold:threshold for using inline data (int)
        parm: udp_rss:Enable RSS for incomming UDP traffic or disabled (0)...
        parm: pfctx:Priority based Flow Control policy on TX[7:0]. Per prio...
        parm: pfcrx:Priority based Flow Control policy on RX[7:0]. Per prio...
  • 21. Thanks for your interest. SAKURA Internet Research Center.
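
The source-port table on slide 15 extends the single rule of slide 14 to several back-end servers. The shell functions below are an added example, not part of the original slides: they generate the Vyatta `set` commands for that table and report which routing table a given client source port selects. The function names, the scheme of rule number equal to table number starting at 11, and eth0 as the ingress interface are assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides.
# Assumptions: rule number == table number, starting at 11; ingress is eth0.
PBR_NAME=SRC-PORT-SLB   # policy name used on slide 14
PBR_FIRST=11            # first rule/table number

# pbr_lb_rules VIP PORTS_PER_SERVER NEXTHOP [NEXTHOP ...]
# Prints one policy rule and one routing table per back-end server.
pbr_lb_rules() {
    vip=$1; span=$2; shift 2
    # Refuse layouts with no servers, empty ranges, or ranges past port 65535.
    if [ "$#" -eq 0 ] || [ "$span" -lt 1 ] || [ $(( $# * $span )) -gt 65535 ]; then
        echo "pbr_lb_rules: need 1+ next hops and ranges within 1-65535" >&2
        return 1
    fi
    n=$PBR_FIRST; lo=1
    for nh in "$@"; do
        hi=$(( $lo + $span - 1 ))
        echo "set policy route $PBR_NAME rule $n destination address $vip"
        echo "set policy route $PBR_NAME rule $n protocol tcp_udp"
        echo "set policy route $PBR_NAME rule $n source port $lo-$hi"
        echo "set policy route $PBR_NAME rule $n set table $n"
        echo "set protocols static table $n route 0.0.0.0/0 next-hop $nh"
        n=$(( $n + 1 )); lo=$(( $hi + 1 ))
    done
    echo "set interfaces ethernet eth0 policy route $PBR_NAME"
}

# pbr_lb_table_for_port PORT PORTS_PER_SERVER SERVER_COUNT
# Prints the table a client source port selects, or "main" when no rule matches.
pbr_lb_table_for_port() {
    port=$1; span=$2; count=$3
    idx=$(( ($port - 1) / $span ))
    if [ "$port" -ge 1 ] && [ "$idx" -lt "$count" ]; then
        echo $(( $PBR_FIRST + $idx ))
    else
        echo main
    fi
}

# Constructed sample input: the three servers from slide 15.
pbr_lb_rules A.A.A.A 10000 10.0.0.1 10.0.0.2 10.0.0.3
pbr_lb_table_for_port 443 10000 3      # falls in the first range
pbr_lb_table_for_port 40000 10000 3    # above every range
```

With the slide's three servers, source ports 30,001-65,535 match no rule and follow the main routing table, so the ranges need to cover the source ports clients actually use.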