UNDOCUMENTED Vyatta vRouter: Unbreakable VPN Tunneling (MEMO)
1. 23 Mar, 2014
SAKURA Internet Research Center
Senior Researcher / Naoto MATSUMOTO
Japan Vyatta Users Meeting Spring 2014 in Tokyo.
8. Comparison of Fail-over model
Source: SAKURA Internet Research Center 03/2014, Project THORN.
[Figure: fail-over models plotted by Complexity against Network Capacity (Low to High); columns 1GbE Network, 10GbE Network, 40GbE Network; panels: Legacy Type (STP/RSTP/MSTP etc.), Stacking Type, Box Type, Virtual Chassis Type (MLAG, Fabric etc.); each panel shows SW pairs above SRV hosts running vSW and VMs]
*SW: Ethernet Switch, SRV: Server, vSW: Virtual Switch on VMM, VM: Virtual Machine on VMM
9. Best Current Practice [Top of Rack]
Source: SAKURA Internet Research Center 03/2014, Project THORN.
[Figure: same fail-over comparison (Complexity against Network Capacity, Low to High; 1GbE, 10GbE and 40GbE Network columns; Legacy Type (STP/RSTP/MSTP etc.), Stacking Type, Box Type and Virtual Chassis Type (MLAG, Fabric etc.) panels) with the Top of Rack best-current-practice choice highlighted]
*SW: Ethernet Switch, SRV: Server, vSW: Virtual Switch on VMM, VM: Virtual Machine on VMM
10. Best Current Practice [Performance]
Source: SAKURA Internet Research Center 03/2014, Project THORN.
[Figure: same fail-over comparison (Complexity against Network Capacity, Low to High; 1GbE, 10GbE and 40GbE Network columns; Legacy Type (STP/RSTP/MSTP etc.), Stacking Type, Box Type and Virtual Chassis Type (MLAG, Fabric etc.) panels) with the performance best-current-practice choice highlighted]
*SW: Ethernet Switch, SRV: Server, vSW: Virtual Switch on VMM, VM: Virtual Machine on VMM
11. VRRP Clustering with multicast BCP
Source: SAKURA Internet Research Center 03/2014, Project THORN.
[Figure: three topologies with their Multicast Flow drawn between VMs on SRV hosts: Virtual Chassis Type (MLAG, Fabric etc.) on a 1/10GbE Network, Stacking Type on a 10/40GbE Network, and Box Type on a 10/40GbE Network]
*SW: Ethernet Switch, SRV: Server, vSW: Virtual Switch on VMM, VM: Virtual Machine on VMM
22. Dual IPSec Tunneling
# set vpn ipsec ike-group IKE lifetime 3600
# set vpn ipsec ike-group IKE proposal 1 encryption aes256
# set vpn ipsec ike-group IKE proposal 1 hash sha1
# set vpn ipsec esp-group ESP lifetime 1800
# set vpn ipsec esp-group ESP mode tunnel
# set vpn ipsec esp-group ESP pfs enable
# set vpn ipsec esp-group ESP proposal 1 encryption aes256
# set vpn ipsec esp-group ESP proposal 1 hash sha1
# set vpn ipsec ipsec-interfaces interface eth0
# set vpn ipsec site-to-site peer 133.242.YYY.3 authentication mode pre-shared-secret
# set vpn ipsec site-to-site peer 133.242.YYY.3 authentication pre-shared-secret XXXX
# set vpn ipsec site-to-site peer 133.242.YYY.3 connection-type initiate
# set vpn ipsec site-to-site peer 133.242.YYY.3 default-esp-group ESP
# set vpn ipsec site-to-site peer 133.242.YYY.3 ike-group IKE
# set vpn ipsec site-to-site peer 133.242.YYY.3 local-address 133.242.XXX.1
# set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 local prefix 10.10.10.0/24
# set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 remote prefix 10.20.20.0/24
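As an added example that is not part of the deck, the following Python script parses Vyatta "set" lines like the ones above into token tuples and audits each site-to-site peer for the consistency points a reviewer checks by hand: the referenced ike-group and default-esp-group exist, PFS is enabled on the ESP group, and the ESP lifetime does not exceed the IKE lifetime. The embedded sample is constructed from the slide and keeps its placeholder peer address (133.242.YYY.3).

```python
# Added example, not from the deck: parse Vyatta "set" lines and audit the IPsec peers.
# Constructed sample reusing the deck's placeholders (133.242.YYY.3).
SAMPLE = """
# set vpn ipsec ike-group IKE lifetime 3600
# set vpn ipsec ike-group IKE proposal 1 encryption aes256
# set vpn ipsec esp-group ESP lifetime 1800
# set vpn ipsec esp-group ESP mode tunnel
# set vpn ipsec esp-group ESP pfs enable
# set vpn ipsec esp-group ESP proposal 1 encryption aes256
# set vpn ipsec site-to-site peer 133.242.YYY.3 authentication mode pre-shared-secret
# set vpn ipsec site-to-site peer 133.242.YYY.3 default-esp-group ESP
# set vpn ipsec site-to-site peer 133.242.YYY.3 ike-group IKE
"""

def parse(text):
    """One token tuple per 'set ...' line; the '#' prompt shown on the slides is stripped."""
    cmds = []
    for line in text.splitlines():
        line = line.strip().lstrip("#").strip()
        if line.startswith("set "):
            cmds.append(tuple(line.split()[1:]))
    return cmds

def values(cmds, *prefix):
    """Tokens following PREFIX: values(cmds, 'vpn', 'ipsec', 'ike-group') -> ['IKE', ...]."""
    n = len(prefix)
    return [c[n] for c in cmds if c[:n] == prefix and len(c) > n]

def audit(text):
    """Findings per peer; an empty list means every peer references sane, defined groups."""
    cmds, findings = parse(text), []
    ike = set(values(cmds, "vpn", "ipsec", "ike-group"))
    esp = set(values(cmds, "vpn", "ipsec", "esp-group"))
    for peer in sorted(set(values(cmds, "vpn", "ipsec", "site-to-site", "peer"))):
        p = ("vpn", "ipsec", "site-to-site", "peer", peer)
        ike_ref = values(cmds, *p, "ike-group")
        esp_ref = values(cmds, *p, "default-esp-group")
        if not ike_ref or ike_ref[0] not in ike:
            findings.append(f"{peer}: ike-group missing or undefined")
        if not esp_ref or esp_ref[0] not in esp:
            findings.append(f"{peer}: default-esp-group missing or undefined")
            continue  # the remaining checks need a defined ESP group
        g = ("vpn", "ipsec", "esp-group", esp_ref[0])
        if values(cmds, *g, "pfs") != ["enable"]:
            findings.append(f"{peer}: PFS not enabled on esp-group {esp_ref[0]}")
        ike_life = values(cmds, "vpn", "ipsec", "ike-group", ike_ref[0], "lifetime") if ike_ref else []
        esp_life = values(cmds, *g, "lifetime")
        if ike_life and esp_life and int(esp_life[0]) > int(ike_life[0]):
            findings.append(f"{peer}: ESP lifetime exceeds IKE lifetime")
    return findings
```

Run audit() over the output of "show configuration commands" to check a live vRouter; the sample above passes cleanly.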
23. TCP-MSS Rewriting
# set policy route TCP-MSS1386-ETH0 rule 1 destination address 10.20.20.0/24
# set policy route TCP-MSS1386-ETH0 rule 1 protocol tcp
# set policy route TCP-MSS1386-ETH0 rule 1 set tcp-mss 1386
# set policy route TCP-MSS1386-ETH0 rule 1 tcp flags SYN
# set interfaces tunnel eth0 policy route TCP-MSS1386-ETH0
25. Clustering Configuration
# set cluster dead-interval 1000
# set cluster group CLUSTER auto-failback true
# set cluster interface eth0
# set cluster interface eth1
# set cluster keepalive-interval 200
# set cluster monitor-dead-interval 1000
# set cluster pre-shared-secret YYYYYY
# set cluster group CLUSTER primary VR-1
# set cluster group CLUSTER secondary VR-2
# set cluster group CLUSTER service 10.10.10.100/24/eth1
# set cluster mcast-group 239.10.10.100
32. DMVPN Tunneling with IPSec/BGP
[Figure: DMVPN topology spanning DATACENTER A, DATACENTER B and DATACENTER C, with autonomous systems AS65001, AS65002, AS65003, AS65004, AS65005 and AS65006]