In certain deployments, it may be useful to share a physical device interface for the 128T data plane and router management. This guide describes a setup for sharing a single device interface for management and routing, using the 128T services and KNI.
Setup
This setup uses a typical branch office deployment as an example of how to configure a 128T router to use a single interface for routing and management. The system hosting the 128T has two device interfaces:
For this example, our WAN network is 10.10.10.0/24, and the IP address for the gateway and for router management is 10.10.10.1. Outbound management traffic will go to the 128T conductor in this example, but the same approach can be used to reach IPFIX, SYSLOG, NTP, DevOps SALT Master, and other servers with which the 128T router may communicate. Inbound management traffic, such as SSH, SFTP, and HTTPS, will also be carried via the WAN port in this example.
Configuration
To allow access to/from the system at any time, the two different networking states the system might be in must be accounted for:
128T Down
For the case when the 128T is down, Linux will have control of the eth1 interface. The following network script assigns the appropriate address and network information to the interface (it is assumed that the NetworkManager service is running at all times):
[t128@host ~]$ sudo cat /etc/sysconfig/network-scripts/ifcfg-eth1
BOOTPROTO=static
DEFROUTE=yes
IPV4_ROUTE_METRIC=200
IPV6INIT=no
NAME=eth1
DEVICE=eth1
ONBOOT=yes
ZONE=drop
IPADDR=10.10.10.128
NETMASK=255.255.255.0
GATEWAY=10.10.10.1
NM_CONTROLLED=yes
Zone "drop" is needed by Linux firewalld to protect the system from unauthorized access via the WAN interface. Additional firewall rules will need to be configured to allow access from predefined sources and for specific protocols. Go to How-To: FirewallD Network Manager Linux Public Access for information on how to set that up.
Default route and route metric settings in our ifcfg-eth1 script ensure that outbound management traffic can find its way out of the system via the WAN interface as well.
With this configuration, administrators should be able to access the Linux host with SSH/SFTP from the WAN network by connecting to the 10.10.10.128 address. SALT traffic, NTP, etc., can continue to egress the system via the same interface as well.
128T Up
When the 128T is up and running, eth1 will no longer be visible to the Linux host. Therefore, the Kernel Network Interface (KNI) must be used between the 128T data plane and the Linux kernel for access.
The following configuration sets up the WAN interface, and uses a link-local address and a /31 segment for the KNI:
device-interface 1
    id 1
    description "NIC connect to WAN"
    type ethernet
    pci-address 0000:0b:00.3
    network-interface wan-interface
        name wan-interface
        description "WAN Interface"
        source-nat true
        address 10.10.10.128
            ip-address 10.10.10.128
            prefix-length 24
            gateway 10.10.10.1
            host-service ssh
                description "SSH Service on router node"
                service-type ssh
                access-policy 0.0.0.0/0
                    source 0.0.0.0/0
                    permission deny
                exit
                access-policy 10.10.10.68/32
                    source 10.10.10.68/32
                    permission allow
                exit
            exit
        exit
    exit
exit
device-interface 128
    id 128
    description "KNI for management"
    type kni
    network-interface mgmt-kni
        name mgmt-kni
        description "Internal Management Interface"
        source-nat true
        tenant 128t-management
        address 169.254.128.0
            ip-address 169.254.128.0
            gateway 169.254.128.1
            prefix-length 31
        exit
    exit
exit
Note that the KNI configuration is set with source-nat true. This is important because, while this configuration will instantiate a KNI interface in Linux, it will not automatically set up any routes in Linux that use the KNI interface. This means that when packets come in via the KNI from the WAN (10.10.10.0/24), Linux will not have a route to send responses back. By enabling source-nat on the KNI, packets arriving via the KNI will be sourced from 169.254.128.0 instead. Linux can easily route responses to this address, since it is locally connected.
Similarly, our WAN interface also has the source-nat true setting, to make sure that responses to outbound management requests are properly routed back to the WAN interface.
A final note about the above configuration: to facilitate inbound management traffic, the WAN interface's address element has host-service ssh configured (when a host service is configured in this manner, the 128T software creates another internal interface, kni254, along with all the necessary Linux network setup changes). There is a deny-all access rule, followed by a rule that allows access from the 10.10.10.68/32 address. Similar host-service configuration can be added with predefined transport for the web and netconf services, and a custom service can also be configured with the desired transport protocol and port range.
Of course, the 128T will not pass any packets received on our management KNI without some kind of service and associated policy defined. The following configuration establishes a service to handle connections to the 10.10.10.68 address (the conductor in this example) for SSH (tcp port 22), HTTPS (tcp port 443), and the 128T-specific ports for conductor-router management (tcp ports 930 and 4505-4506):
service conductor-mgmt
    name conductor-mgmt
    description "conductor management"
    transport tcp
        protocol tcp
        port-range 22
            start-port 22
        exit
        port-range 443
            start-port 443
        exit
        port-range 930
            start-port 930
        exit
        port-range 4505
            start-port 4505
            end-port 4506
        exit
    exit
    access-policy 128t-management
        source 128t-management
        permission allow
    exit
    address 10.10.10.68/32
exit
Notice that the access-policy allows the tenant 128t-management to use our service. This tenant is also provisioned on the kni128 interface.
Now set up a route to send conductor-bound management traffic received from host processes on kni128 out the WAN interface:
service-route sr-conductor-mgmt
    name sr-conductor-mgmt
    service-name conductor-mgmt
    next-hop my-node wan-interface
        node-name my-node
        interface wan-interface
        gateway 10.10.10.1
    exit
exit
Finally, drop down to the Linux shell and add a route for the management traffic originating in host processes to go to the kni128 interface. To do that, create a file in /etc/sysconfig/network-scripts directory called "route-kni128" and add the following to the file:
# Default
0.0.0.0/0 via 169.254.128.0 dev kni128 metric 200
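An added example, not part of this article or of the 128T software: a small Python checker that parses the flattened configuration shown above into a tree and flags the points the notes warn about: a network-interface without source-nat true, a host-service whose first access-policy is not the deny 0.0.0.0/0 rule, and a service access-policy that allows a tenant which no interface assigns. The block keyword list and the ";"-separated copy of the article's configuration (GOOD) are assumptions made for this example.

```python
# Keywords that open a block in the flattened config above (assumption for this
# example); "address" opens a block under a network-interface but is a leaf under a service.
BLOCKS = {"device-interface", "network-interface", "address", "host-service", "access-policy",
          "service", "transport", "port-range", "service-route", "next-hop"}

def parse(text):
    """Build a tree from config text; ';' and newlines both separate statements."""
    stack = [{"kind": "root", "name": "", "attrs": {}, "children": []}]
    for parts in [s.split() for s in text.replace(";", "\n").splitlines() if s.strip()]:
        key, value = parts[0], " ".join(parts[1:])
        if key == "exit":
            stack.pop()  # close the innermost open block
        elif key in BLOCKS and not (key == "address" and stack[-1]["kind"] == "service"):
            node = {"kind": key, "name": value, "attrs": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        else:
            stack[-1]["attrs"][key] = value  # leaf setting of the current block
    return stack[0]

def find(node, kind):
    """Yield every descendant block of the given kind."""
    for child in node["children"]:
        if child["kind"] == kind:
            yield child
        yield from find(child, kind)

def check(text):
    """Return findings for the points the article stresses; [] means all checks passed."""
    cfg, findings = parse(text), []
    for ni in find(cfg, "network-interface"):
        if ni["attrs"].get("source-nat") != "true":
            findings.append(f"{ni['name']}: source-nat is not true, replies cannot be routed")
    for hs in find(cfg, "host-service"):
        pol = [c for c in hs["children"] if c["kind"] == "access-policy"]
        if not pol or pol[0]["name"] != "0.0.0.0/0" or pol[0]["attrs"].get("permission") != "deny":
            findings.append(f"host-service {hs['name']}: first access-policy is not deny 0.0.0.0/0")
    tenants = {ni["attrs"].get("tenant") for ni in find(cfg, "network-interface")}
    for svc in find(cfg, "service"):
        for ap in find(svc, "access-policy"):
            if ap["attrs"].get("permission") == "allow" and ap["name"] not in tenants:
                findings.append(f"service {svc['name']}: tenant {ap['name']} is on no interface")
    return findings

# Constructed input: the article's configuration, condensed with ';' as the statement separator.
GOOD = ("device-interface 1; network-interface wan-interface; source-nat true; address 10.10.10.128; "
        "host-service ssh; access-policy 0.0.0.0/0; source 0.0.0.0/0; permission deny; exit; "
        "access-policy 10.10.10.68/32; source 10.10.10.68/32; permission allow; exit; exit; exit; exit; exit; "
        "device-interface 128; network-interface mgmt-kni; source-nat true; tenant 128t-management; exit; exit; "
        "service conductor-mgmt; access-policy 128t-management; source 128t-management; permission allow; exit; exit")
```

Running check(GOOD) returns an empty list; removing the deny-all policy, the KNI's source-nat line, or the tenant assignment from the text produces the corresponding finding.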
Verifying Operation
To verify operation, you should be able to connect to Linux using SSH at 10.10.10.128, whether the 128T is up or down.