
How-To: Share Interface for Management and Data Planes 

11-21-2018 14:19

In certain deployments, it may be useful to share a physical device interface for the 128T data plane and router management. This guide describes a setup for sharing a single device interface for management and routing, using the 128T services and KNI.


Setup

This setup uses a typical branch office deployment as an example of how to configure a 128T router to use a single interface for routing and management. The system hosting the 128T has two device interfaces: 
  • eth0 connected to the LAN
  • eth1 connected to the WAN/ISP for system management and public access
For this example, the WAN network is 10.10.10.0/24, and the IP address of the gateway used for router management is 10.10.10.1. Outbound management traffic goes to the 128T conductor in this example, but the same approach works for IPFIX, syslog, NTP, the DevOps Salt master, and any other server the 128T router needs to reach. Inbound management traffic, such as SSH, SFTP, and HTTPS, also arrives via the WAN port in this example.


Configuration

To allow access to and from the system at any time, both networking states the system can be in must be accounted for:

  • 128T up/running
  • 128T down/stopped


128T Down

When the 128T is down, Linux has control of the eth1 interface. The following network script assigns the appropriate address and network information to the interface (this assumes the NetworkManager service is running at all times):
 
[t128@host ~]$ sudo cat /etc/sysconfig/network-scripts/ifcfg-eth1
BOOTPROTO=static
DEFROUTE=yes
IPV4_ROUTE_METRIC=200
IPV6INIT=no
NAME=eth1
DEVICE=eth1
ONBOOT=yes
ZONE=drop
IPADDR=10.10.10.128
NETMASK=255.255.255.0
GATEWAY=10.10.10.1
NM_CONTROLLED=yes

The "drop" zone is needed by Linux firewalld to protect the system from unauthorized access via the WAN interface. Additional firewall rules must then be configured to allow access from predefined sources and for specific protocols. See How-To: FirewallD Network Manager Linux Public Access for details on how to set that up.

The DEFROUTE and IPV4_ROUTE_METRIC settings in the ifcfg-eth1 script ensure that outbound management traffic can also find its way out of the system via the WAN interface.
 
With this configuration, administrators can access the Linux host with SSH/SFTP from the WAN network by connecting to the 10.10.10.128 address, and Salt, NTP, and similar outbound traffic can egress the system via the same interface.


128T Up

When the 128T is up and running, eth1 will no longer be visible to the Linux host. Therefore, the Kernel Network Interface (KNI) must be used between the 128T data plane and the Linux kernel for access.

The following configuration sets up the WAN interface and uses a link-local /31 segment (169.254.128.0/31) for the KNI:
 
device-interface  1
    id                 1
    description        "NIC connect to WAN"
    type               ethernet
    pci-address        0000:0b:00.3

    network-interface  wan-interface
        name         wan-interface
        description  "WAN Interface"
        source-nat   true

        address      10.10.10.128
            ip-address     10.10.10.128
            prefix-length  24
            gateway        10.10.10.1

            host-service   ssh
                description    "SSH Service on router node"
                service-type   ssh

                access-policy  0.0.0.0/0
                    source      0.0.0.0/0
                    permission  deny
                exit

                access-policy  10.10.10.68/32
                    source      10.10.10.68/32
                    permission  allow
                exit
            exit
        exit
    exit
exit

device-interface  128
    id                 128
    description        "KNI for management"
    type               kni

    network-interface  mgmt-kni
        name        mgmt-kni
        description "Internal Management Interface"
        source-nat  true
        tenant      128t-management

        address     169.254.128.0
            ip-address     169.254.128.0
            gateway        169.254.128.1
            prefix-length  31
        exit
    exit
exit

Note that the KNI network interface is configured with source-nat true. This is important because, while this configuration instantiates a KNI interface in Linux, it does not automatically set up any routes in Linux that use the KNI interface. This means that when packets come in via the KNI from the WAN (10.10.10.0/24), Linux has no route to send responses back. By enabling source-nat on the KNI, packets arriving via the KNI are sourced from 169.254.128.0 instead. Linux can easily route responses to this address, since it is on a directly connected network.

Similarly, the WAN interface also has source-nat set to true, to make sure responses to outbound management requests are properly routed back to the WAN interface.

A final note about the above configuration: to facilitate inbound management traffic, the WAN interface's address element has host-service ssh configured (when a host-service is configured in this manner, the 128T software creates another internal interface, kni254, along with all the necessary Linux network setup changes). There is a deny-all access-policy, plus an access-policy allowing access from the 10.10.10.68/32 address. Similar host-service entries can be added using the predefined web and netconf service types, or a custom service type can be configured with the desired transport protocol and port range.

The 128T will not forward any packets received on the management KNI unless a service and an associated access policy are defined. The following configuration establishes a service to handle connections to the 10.10.10.68 address (the conductor in this example) for SSH (tcp port 22), HTTPS (tcp port 443), and the 128T-specific ports for conductor-router management (tcp ports 930 and 4505-4506):
 
service   conductor-mgmt
    name         conductor-mgmt
    description  "conductor management"
 
    transport    tcp
        protocol    tcp

        port-range  22
            start-port  22
        exit

        port-range  443
            start-port  443
        exit

        port-range  930
            start-port  930
        exit

        port-range  4505
            start-port  4505
            end-port    4506
        exit
    exit

    access-policy         128t-management
        source      128t-management
        permission  allow
    exit
    address      10.10.10.68/32
exit

Notice that the access-policy allows the 128t-management tenant to use the service. This tenant is also provisioned on the mgmt-kni network interface (kni128 in Linux).

Now set up a route to send conductor-bound management traffic received from host processes on kni128 out the WAN interface:
   
service-route             sr-conductor-mgmt
    name          sr-conductor-mgmt
    service-name  conductor-mgmt

    next-hop      my-node wan-interface
        node-name   my-node
        interface   wan-interface
        gateway     10.10.10.1
    exit
exit
 
Finally, drop down to the Linux shell and add a route that sends management traffic originating in host processes to the kni128 interface. To do that, create a file called "route-kni128" in the /etc/sysconfig/network-scripts directory with the following contents:
 
# Default
0.0.0.0/0 via 169.254.128.0 dev kni128 metric 200
 

Verifying Operation

To verify operation, you should be able to SSH to the Linux host at 10.10.10.128 both when the 128T is up and when it is down.
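As an added example (not part of the original How-To), the following shell script tells which of the two networking states the host is in from its routing table, checks that the management default route expected for that state is present, and checks that ifcfg-eth1 keeps eth1 in the drop zone. The route tables and the 192.168.1.0/24 LAN are constructed samples; on the real host, pass "$(ip route show)" instead.

```shell
#!/bin/sh
# Added example, not part of the original How-To: classify the host's networking
# state from `ip route` output and check that the management default route
# expected for that state exists. The route tables below are constructed samples
# (the 192.168.1.0/24 LAN is assumed); on the host run: check_default_route "$(ip route show)"

# Print "up" when the 128T owns eth1 (Linux sees kni128 instead), else "down".
mgmt_state() {
    if printf '%s\n' "$1" | grep -q ' dev kni128'; then echo up; else echo down; fi
}

# Succeed only if the default route matches the state:
#   up   -> via 169.254.128.0 dev kni128 metric 200 (installed by route-kni128)
#   down -> via 10.10.10.1 dev eth1 metric 200      (installed from ifcfg-eth1)
check_default_route() {
    case "$(mgmt_state "$1")" in
        up)   want='^default via 169\.254\.128\.0 dev kni128 .*metric 200$' ;;
        down) want='^default via 10\.10\.10\.1 dev eth1 .*metric 200$' ;;
    esac
    printf '%s\n' "$1" | grep -Eq "$want"
}

# Succeed only if the ifcfg-eth1 text keeps eth1 in firewalld's "drop" zone.
check_drop_zone() {
    printf '%s\n' "$1" | grep -qx 'ZONE=drop'
}

# Constructed sample route tables.
ROUTES_UP='default via 169.254.128.0 dev kni128 proto static metric 200
169.254.128.0/31 dev kni128 proto kernel scope link src 169.254.128.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1'
ROUTES_DOWN='default via 10.10.10.1 dev eth1 proto static metric 200
10.10.10.0/24 dev eth1 proto kernel scope link src 10.10.10.128
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1'
# 128T is up but route-kni128 was never applied: host-originated management traffic has no path.
ROUTES_UP_NOROUTE='169.254.128.0/31 dev kni128 proto kernel scope link src 169.254.128.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1'

for r in "$ROUTES_UP" "$ROUTES_DOWN" "$ROUTES_UP_NOROUTE"; do
    if check_default_route "$r"; then
        echo "128T $(mgmt_state "$r"): management default route OK"
    else
        echo "128T $(mgmt_state "$r"): management default route MISSING"
    fi
done
```

The third sample shows the failure mode the route-kni128 file prevents: kni128 exists, so the 128T is up, but without the metric-200 default route host processes cannot reach the conductor.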
