Saturday 27 October 2012

Vyatta 6.5!

Hi all, So Vyatta 6.5 is out, have a look at the features:
(http://www.vyatta.com/downloads/documentation/VC6.5/VC65.zip)


Policy-Based Routing (PBR)

PBR allows incoming packets to be forwarded based on policies, rather than just on the destination address. This enables the use of policies that selectively cause packets to take different paths based on defined criteria, such as source address, packet size, protocol, etc. By implementing policies that selectively cause packets to take different paths, network administrators have a powerful new tool for organizing and managing the network. Using PBR, administrators and managers are capable of:

- Increasing quality of service by giving preferential treatment to bandwidth-sensitive or high-priority traffic
- Reducing capital and operating expenses by distributing select traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost switched paths
- Prioritizing critical data over non-critical data
- Distributing traffic down multiple circuits to avoid connection overload




Virtual Tunnel Interface (VTI)

VTI is a way to represent policy-based IPsec tunnels as virtual interfaces. Vyatta's implementation of VTI mirrors proven industry standards for secure tunnel (st.xx) interfaces. The advantage of representing an IPsec tunnel as an interface is that it becomes possible to plug IPsec tunnels into the routing protocol infrastructure of a router, so the packet path can be influenced by toggling the link state of the tunnel or by routing metrics. A VTI provides a termination point for a site-to-site IPsec VPN tunnel and allows it to behave like a routable interface. In addition to simplifying the IPsec configuration, it enables many common routing capabilities to be used because the endpoint is associated with an actual interface. VTI benefits include:

- Simplified configuration of IPsec for protection of remote links
- Simplified network management and load balancing
- Dynamic routing through VTI
- No GRE overhead
- No need to use access lists to create a tunnel


BGP Multipath

IP routing protocols are designed to select a single best path to a given destination for forwarding traffic. However, many routing protocols have enhanced support for selecting multiple paths, with certain limitations. Multiple paths are useful for traffic engineering, load sharing, load balancing and to help provide quicker failover. This also reduces the probability of a link being left unused. BGP Multipath in Vyatta Network OS 6.5 enables the installation of multiple BGP paths to a destination into the IP routing table. BGP Multipath does not affect the BGP best path selection process. One of the available paths is still designated as the best path as per the standard algorithm and configured/operational conditions. This best path is also advertised to the BGP neighbors. The Vyatta implementation of BGP Multipath will support EBGP and IBGP, but will not support EIBGP, exclusive confed-external path set or MPLS/VPN.


IPsec for IPv6

Vyatta Network OS 6.5 delivers IPsec support for IPv6 using the Internet key management protocol IKEv1. It does not deliver IPsec support for IPv6 using IKEv2. We anticipate that IKEv2 support will be introduced for both IPv4 and IPv6 in a subsequent release.

Improved VRRP Commands

The VRRP (Virtual Router Redundancy Protocol) operational mode commands have been modified to improve usability and ensure the commands are consistent with the command structure used throughout Vyatta Network OS.


I don't know about you but PBR is (IMHO) the best feature here - I also know the upstream work Vyatta has done with Quagga to get this done and it's pretty awesome. The other two - VTI is cool, but can be done with GRE, it's just simpler, and BGP Multipath (not MP-BGP, that would be awesome!!) is again cool but meh :)

For those that can't wait and want documentation, grab it here:
http://www.vyatta.com/downloads/documentation/VC6.5/VC65.zip


So thank you Vyatta for 6.5 and roll on Core!!




Sources: http://www.vyatta.com/product/vyatta-network-os/whats-new

Thursday 26 April 2012

VMware - I want these now! App Blast and Octopus

Small post - and just two small requests:

Project Octopus - Think dropbox for VMware yet enables Hybrid dropbox clouds too

Project AppBlast - Like Citrix Access Gateway or XenApp, but without Citrix Receiver, as it is all HTML5!

Wednesday 25 January 2012

Some Revision - EIGRP offset lists

Every so often when reading around the internet you come across a post/email with a network-related problem that makes you think "hmmmm, I've never had to do that" or "that sounds like an interesting problem" - I'll lab it and see if I can find the answer.

Combine that with an area that I do not normally need to work in (EIGRP) and there you go a blog post in the making!


So here is the scenario:

You are a network admin who looks after three sites: one main site, where your offices are, and two datacentres.

You have a 100 Mbit link to each datacentre (two in total), and the two datacentres have a 1 Gbit link between them.


The problem:

Traffic to a certain network/host at datacentre 2 is overloading the link to that datacentre, so we as the network admins have been asked whether we can use the excess capacity on the link to datacentre 1 to spread the traffic.




First we setup the lab:

R1 (main site; Fa0/0 goes to R2, Fa0/1 goes to R3)

interface Loopback0
ip address 192.168.101.1 255.255.255.0
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.13.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 100
network 192.168.12.0
network 192.168.13.0
network 192.168.101.0
no auto-summary
!


R2 (datacentre 1)

interface Loopback0
ip address 10.100.10.1 255.255.255.0
!
interface Loopback1
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.23.2 255.255.255.0
duplex auto
speed auto
!
router eigrp 100
network 10.100.10.0 0.0.0.255
network 192.168.12.0
network 192.168.23.0
no auto-summary
!


R3 (datacentre 2; Loopback3 3.3.3.3 is the host we need to steer traffic away from the direct link for)


interface Loopback0
ip address 10.200.10.1 255.255.255.0
!
interface Loopback3
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.13.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.23.3 255.255.255.0
duplex auto
speed auto
!
router eigrp 100
network 3.3.3.3 0.0.0.0
network 10.200.10.0 0.0.0.255
network 192.168.13.0
network 192.168.23.0
no auto-summary
!




Now the offset lists:
R1

ip access-list standard LOOPBACK
permit 3.3.3.3
!
router eigrp 100
! add 4000 to the metric of routes matching LOOPBACK as they are
! received on FastEthernet0/1 (the direct link to R3), so that the
! path learned from R2 on FastEthernet0/0 becomes the successor
offset-list LOOPBACK in 4000 FastEthernet0/1



Confirming...

R1


R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.12.0/24 is directly connected, FastEthernet0/0
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback1
C 192.168.13.0/24 is directly connected, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/158720] via 192.168.12.2, 00:03:14, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
D 10.100.10.0 [90/156160] via 192.168.12.2, 00:05:48, FastEthernet0/0
D 10.200.10.0 [90/156160] via 192.168.13.3, 00:05:48, FastEthernet0/1
D 192.168.23.0/24 [90/30720] via 192.168.13.3, 00:05:48, FastEthernet0/1
[90/30720] via 192.168.12.2, 00:05:48, FastEthernet0/0
C 192.168.101.0/24 is directly connected, Loopback0



Note this bit:

3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/158720] via 192.168.12.2, 00:03:14, FastEthernet0/0

The successor route is now via 192.168.12.2; without the offset list it would be via 192.168.13.3, because the direct path (metric 156160) beats the path through R2 (158720). Adding 4000 on Fa0/1 pushes the direct path to 160160, so the path via R2 wins.

Here is the output from sh ip eigrp topology all-links

R1#sh ip eigrp topology all-links
IP-EIGRP Topology Table for AS(100)/ID(192.168.101.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 3.3.3.3/32, 1 successors, FD is 158720, serno 9
via 192.168.12.2 (158720/156160), FastEthernet0/0
via 192.168.13.3 (160160/132256), FastEthernet0/1
P 192.168.101.0/24, 1 successors, FD is 128256, serno 3
via Connected, Loopback0
P 10.100.10.0/24, 1 successors, FD is 156160, serno 6
via 192.168.12.2 (156160/128256), FastEthernet0/0
via 192.168.13.3 (158720/156160), FastEthernet0/1
P 192.168.12.0/24, 1 successors, FD is 28160, serno 1
via Connected, FastEthernet0/0
P 192.168.13.0/24, 1 successors, FD is 28160, serno 2
via Connected, FastEthernet0/1
P 192.168.23.0/24, 2 successors, FD is 30720, serno 7
via 192.168.12.2 (30720/28160), FastEthernet0/0
via 192.168.13.3 (30720/28160), FastEthernet0/1
P 10.200.10.0/24, 1 successors, FD is 156160, serno 4
via 192.168.13.3 (156160/128256), FastEthernet0/1
via 192.168.12.2 (158720/156160), FastEthernet0/0



Problem solved :)
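As an added example (written for this page, not code from the original post or from Cisco), here is the arithmetic behind the topology table above, so you can see why the offset-list does what it does and what it does not do. It recomputes the classic EIGRP metric from the IOS default bandwidth/delay values, which are assumptions here (FastEthernet 100000 kbit/s and 100 usec, Loopback 8000000 kbit/s and 5000 usec, K1=K3=1, K2=K4=K5=0), reproduces the 28160 / 30720 / 128256 / 156160 / 158720 / 160160 figures from the lab, and then runs the DUAL successor / feasible-successor check with and without the 4000 offset. The `variance` handling is modelled as "also install a feasible successor whose computed distance is at most variance times the FD". The point worth noticing: the offset-list alone moves all 3.3.3.3 traffic onto the R2 path rather than spreading it, but because R3's reported distance (132256) is still below the new FD (158720) the direct link remains a feasible successor, so `variance 2` would install both and actually share the load.

```python
# EIGRP metric / DUAL worked example for the R1-R2-R3 lab above.
# Added example for this page; not from the original post or from Cisco.
# Assumptions: IOS default interface values (FastEthernet 100000 kbit/s,
# 100 usec delay; Loopback 8000000 kbit/s, 5000 usec delay), default
# K values (K1 = K3 = 1, K2 = K4 = K5 = 0), and 'variance' modelled as
# "install any feasible successor whose distance <= variance * FD".

# (bandwidth in kbit/s, delay in microseconds) -- assumed IOS defaults
FASTETHERNET = (100_000, 100)
LOOPBACK = (8_000_000, 5_000)


def classic_metric(links):
    """Classic EIGRP composite metric with default K values.

    metric = 256 * (10^7 // min_bandwidth_kbps + sum(delay_usec // 10))

    IOS keeps delay in tens of microseconds and truncates the bandwidth
    division, which is why an 8 Gbit/s loopback contributes 1 (not 1.25)
    to the bandwidth term and a lone loopback scores 128256.
    """
    min_bw = min(bw for bw, _ in links)
    delay_tens = sum(delay // 10 for _, delay in links)
    return 256 * (10_000_000 // min_bw + delay_tens)


def path_distances(links, offset=0):
    """(reported distance, computed distance) for one hop-by-hop path.

    links[0] is R1's own outgoing interface; links[1:] is what the
    neighbour advertises. 'offset' mimics 'offset-list ... in <value>':
    it is added to the metric as the update is received, so both the RD
    and the computed distance R1 sees go up by the same amount.
    """
    rd = classic_metric(links[1:]) + offset
    cd = classic_metric(links) + offset
    return rd, cd


def lab_paths_to_r3_loopback(offset_on_fa0_1=0):
    """R1's two candidate paths to 3.3.3.3/32 (R3's Loopback3)."""
    return {
        # direct: R1 Fa0/1 -> R3, then R3's loopback; the offset-list applies here
        "192.168.13.3": path_distances([FASTETHERNET, LOOPBACK], offset_on_fa0_1),
        # via datacentre 1: R1 Fa0/0 -> R2, R2 Fa0/1 -> R3, then R3's loopback
        "192.168.12.2": path_distances([FASTETHERNET, FASTETHERNET, LOOPBACK]),
    }


def dual_select(paths, variance=1):
    """Apply DUAL to {next_hop: (rd, cd)}.

    Returns (successor, feasible_successors, installed_next_hops).
    Feasibility condition: a neighbour's RD must be strictly less than
    the feasible distance. With variance > 1 a feasible successor whose
    computed distance <= variance * FD is also installed (unequal-cost
    load sharing).
    """
    fd = min(cd for _, cd in paths.values())
    successor = min(paths, key=lambda n: paths[n][1])
    feasible = [n for n, (rd, _) in paths.items() if n != successor and rd < fd]
    installed = [successor] + [n for n in feasible if paths[n][1] <= variance * fd]
    return successor, feasible, installed


if __name__ == "__main__":
    for label, offset in (("no offset-list", 0), ("offset-list in 4000 on Fa0/1", 4000)):
        paths = lab_paths_to_r3_loopback(offset)
        print(f"--- {label}: {paths}")
        for v in (1, 2):
            succ, fs, inst = dual_select(paths, variance=v)
            print(f"variance {v}: successor={succ} feasible={fs} installed={inst}")
```

Run it and compare with the `sh ip eigrp topology all-links` output: with no offset the direct path is the successor and R2 is not even a feasible successor (its RD of 156160 is not strictly less than the FD of 156160), which is why the R2 path only appears under `all-links`. With the offset in place R2 becomes the successor at 158720, R3 is a feasible successor at (132256/160160), and only with `variance 2` (160160 <= 2 * 158720) would both next hops be installed.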