Integrating Linux routing with FusionCLI™
-
Upload
stephen-hemminger -
Category
Technology
-
view
1.509 -
download
0
Transcript of Integrating Linux routing with FusionCLI™
Herding networking cats:
Integrating Linux routing with FusionCLI
Stephen [email protected]
Today, I am going to talk about Vyatta's Command Line Interface. The CLI tries to integrate existing Linux projects which as they say in the US is a bit like herding cats.. Maybe that is a US expression so let me explain...
Outline
Introduction
FusionCLI
QoS configuration
Issues
My background
OSDL Linux FoundationLinux 2.5 network infrastructure bridging
TCP congestion control netem iproute
Network performance Marvell replacement drivers
VyattaKernel performance
Quality Of Service support
Vyatta versions
http://vyatta.orgFree downloadlivecd
Update 2x year
Community forums
http://vyatta.comSubscription
Update 4x year
Software or Hardware
Phone and Email Support
Same source and features
Debian GNU/LinuxCurrent version based on testing lenny
Linux kernel 2.6.24 + bugfixFilesystems: unionfs, squashfs
Serial driver: wanpipe
Additional packagesCLI infrastructure
Configuration templates
Updated routing related packagesQuagga, SNMP, SNORT, ...
Vyatta Distribution
Vyatta Debian mirror repository
Does include all the networking packages on livecd
Does not include X / Gnome /KD
Can use packages from Debian except overlaps.
Linux cats
Start with Linux+ ipv6+ serial+ bonding+ bridging+ vlan+ QoS+ Quagga+ Snort+ clam+ ...
CLI Requirements
Router look & feelCommand completion
Roles: Administrator, operator
Configure mode
ExtensibleText based
Language neutral
Integrated with operating system
Command completion with TAB and ?Admin is like rootOperator is the guy you only partially trust
Vyatta has 4 modes: root, admin, operator, normal
Vyatta
Network Apps
Massive open-sourceecosystemExtensibleLoad BalancingWAN OptimizationPBXProprietarySystem
UniqueHWMonolithic SWInternet Protocols
FusionCLITMGraphical User Interface
Open API
Internet ProtocolsScalable Routing
NW FunctionsDHCP, NAT, RadiusSecurityFirewall, VPN
Linux Kernel
Standard HWOpenSystemIDSAnti-XIOS is monolithic. Not extensible
Explain layers
Marketing != reality
CLI architecture
Demo 1: Basic interface
$ show interfaces Interface IP Address State Link Descriptioneth0 192.168.111.132/24 up upeth1 - up up lo 127.0.0.1/8 up up lo ::1/128 up up
$ show interfaces ethernet detail eth0 eth1
$ show interfaces ethernet eth0 eth0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:f6:20:9e brd ff:ff:ff:ff:ff:ff inet 192.168.111.132/24 brd 192.168.111.255 scope global eth0 inet6 fe80::20c:29ff:fef6:209e/64 scope link valid_lft forever preferred_lft forever...
Use slogin to VM
Show system kernel-messagesCd /opt/vyatta/share/vyatta-op/templatesCat show/kernel-messages/node.def(Explain template hierarchy and run tag)
Show interfaces ethernet eth0Cat show/interfaces/ethernet/node.tag/node.def
(Explain tag nodes and allowed, etc)
Template hierarchy
/opt/vyatta/share/vyatta-op/templates/show/interfaces/ethernet|-- detail| `-- node.def|-- node.def`-- node.tag |-- brief | `-- node.def |-- capture | |-- node.def | |-- not | | |-- node.def | | `-- port | | |-- node.def | | `-- node.tag | | `-- node.def | `-- port | |-- node.def | `-- node.tag | `-- node.def |-- identify | `-- node.def |-- node.def |-- physical | `-- node.def
Operational template
show/interfaces/ethernet/node.tag/node.defhelp: Show specified ethernet interface informationallowed: for dev in /sys/class/net/*; do if [[ -L $dev/device ]] then if [[ $(cat $dev/type) -eq 1 ]] then echo -n ${dev##*/} " " fi fi donerun: vyatta-show-interfaces.pl --intf="$4"
Demo 2: Configuration
$ configure[edit]# set interfaces ethernet eth0 description 'Vmware NAT'[edit]# show interfaces ethernet eth0 address dhcp+description "Vmware NAT" hw-id 00:0c:29:f6:20:9e[edit]
# mount...unionfs on /opt/vyatta/config/tmp/new_config_5035 type unionfs (rw,dirs=/tmp/changes_only_5035=rw:/opt/vyatta/config/active=ro)[edit]vyatta@vc3-1-3# commit
Cd # home
Show how values are stored
Show how snapshots are done; mount
Emphasize that this is internals (like .git)
Explain save/load
If that was all CLI could do this would be...
Configuration templates
multi:type: txthelp: Set an IP address for this interfacesyntax:expression: exec "/opt/vyatta/sbin/vyatta-interfaces.pl \ --valid-addr $VAR(@) --dev $VAR(../@)" \ ; "Invalid IP address/prefix [$VAR(@)] for interface $VAR(../@)"
update: /opt/vyatta/sbin/vyatta-interfaces.pl \ --eth-addr-update $VAR(@) --dev $VAR(../@)
delete: /opt/vyatta/sbin/vyatta-interfaces.pl \ --eth-addr-delete $VAR(@) --dev $VAR(../@)
allowed: echo "dhcp "comp_help:Possible completions: Set the IP address and prefix length Set the IPv6 address and prefix length dhcpSet the IP address and prefix length via DHCP
Configuration save restore
interfaces { ethernet eth0 { address dhcp duplex auto hw-id 00:0c:29:f6:20:9e speed auto } loopback lo { }}service { ssh { port 22 protocol-version v2 }}
Quality of Service (QoS) usage models
Real time servicesVOIP
Network control planeBGP, OSPF, STP
Fairness
Throttle batch servicesP2P, backup,
Use QoS as example, most familiar to me, less to audience
Vyatta QoS
Organized by policy typesFair queue=> sfq
Traffic shaper=> htb
Drop tail=> fifo
Rate limiter=> tbf
Traffic limiter=> ingress...
Mapping from policy to internals
fair-queue
# set qos-policy fair-queue fq[edit]# set interfaces ethernet eth0 qos-policy out fq[edit]# commit[edit]# run show queueing Output queues:Interface Qos-Policy Sent Dropped Overlimiteth0 fair-queue 4578 0 0eth1 default 468 0 0
fair-queue template
set/qos-policy/fair-queue/node.deftag:type: txthelp: Set fair queueing policysyntax:expression: pattern $VAR(@) "^[[:alnum:]][-_[:alnum:]]*$" ; "only alpha-numeric policy name allowed"update: /opt/vyatta/sbin/vyatta-qos.pl --create-policy "$VAR(.)" "$VAR(@)"delete: /opt/vyatta/sbin/vyatta-qos.pl --delete-policy "$VAR(@)"
Qos on Ethernet Interface
set/interfaces/ethernet/node.tag/qos-policy/out/node.def
type: txthelp: Set outbound QOS policy for specified ethernet interfaceallowed: /opt/vyatta/sbin/vyatta-qos.pl --list-policyupdate: /opt/vyatta/sbin/vyatta-qos.pl \--update-interface $VAR(../../@) $VAR(.) $VAR(@)delete: /opt/vyatta/sbin/vyatta-qos.pl \--delete-interface $VAR(../../@) $VAR(.)
Internals - perl code
sub update_interface { my ($interface, $direction, $name ) = @_; my $config = new VyattaConfig;
( $direction eq "out" ) or die "Only out direction supported";
$config->setLevel('qos-policy'); foreach my $type ( $config->listNodes() ) { if ( $config->exists("$type $name") ) { my $shaper = make_policy($config, $type, $name); delete_interface($interface, $direction); open my $out, "|-" or exec qw:sudo /sbin/tc -batch -:; $shaper->commands($out, $interface); if (! close $out) { delete_interface($interface, $direction); } }
die "Unknown qos-policy $name\n";}
QoS traffic-shaper
# edit qos-policy traffic-shaper lartc[edit qos-policy traffic-shaper lartc]# set class 2 bandwidth 100%[edit qos-policy traffic-shaper lartc]# set class 2 match www ip destination port 80[edit qos-policy traffic-shaper lartc]# set class 3 bandwidth 3mbit[edit qos-policy traffic-shaper lartc]# set class 3 ceiling 5mbit [edit qos-policy traffic-shaper lartc]# set class 3 match smtp ip destination port 25[edit qos-policy traffic-shaper lartc]# exit
Example from LARTC, Linux server with total of 10Mbit available bandwidth.You want to limit webserver traffic to 5Mbit, SMTP traffic to 3Mbitand everything else (unclassified traffic) to 1Kbit. In case there is unusedbandwidth, you want to share it between SMTP and unclassified traffic.
The "total bandwidth" implies one top-level class with maximum bandwidthof 5Mbit. Under the top-level class, there are three child classes.
set qos-policy traffic-shaper lartc bandwidth 10mbitedit qos-policy traffic-shaper lartcset class 2 bandwidth 50%set class 2 match www ip destination port 80
set class 3 bandwidth 3mbitset class 3 ceiling 100%set class 3 match smtp ip destination port 25
Commit # Fix missing default bandwidthclass for unclassified traffic is allowed to use 1K but must not exceed 5Mbit.set default bandwidth 1set default ceiling 5mbitExit # edit modecommit
# Apply to eth0set interfaces ethernet eth0 qos-policy out lartccommit
Traffic-shaper continue
[edit]# commitqos-policy traffic-shaper lartc configuration not complete: missing default classCommit failed# set qos-policy traffic-shaper lartc default bandwidth 1[edit]# commit[edit]# set interfaces ethernet eth0 qos-policy out
Result
# run show queueing ethernet eth0
eth0 Output queue:Class Qos-Policy Sent Dropped Overlimit1: traffic-shaper 11438 0 0 4 fair-queue 11438 0 0 2 fair-queue 0 0 0 3 fair-queue 0 0 0[edit]
Issues
Developer documentationLinux Kongress paperWatch this space
Vyatta Linux managementVyatta config ignores other changes
CLI stays loosely coupled
Vyatta package changesEvery distribution is a fork
All changes are fed to upstream
These are projects customers want, but upstream project is abandoned
IPV6 is not really abandoned but we want to make sure it has a good home after the end of the WIDE project
SPC-FLOSS: orphaned projects
Users want support for orphaned projectsMulticast routing
MPLS
RSTP
IPV6
Future
Richer featuresQoS+, bonding,
GUI
Multi-queue Performance
Current release (3.1.3) aka Hollywood is finally out
GUI is in next release along with lots more little pieces
Excited about opportunity offered by MQ...