17. Implementing an HA Switch with Location based filtering Capabilities
Introduction
This example shows the implementation of an HA switch with location analysis and filtering capabilities. The HA switch on Layer 2 is implemented by the “haswitch” BalanceNG module, the location filtering by the “lswitch” module. Both modules are available with BalanceNG V4 release 4.071 (and higher).
Hardware, Cabling and Network Setup
As hardware devices we are using a pair of “LES network+” mini Servers from Thomas Krenn, klick here for further details and availability.
Both machines have 16GB Ram and a 64 GB SSD disk and come preinstalled with Ubuntu Linux (Kernel 4.4.0-101).
As a very first step it is necessary to identify the physical NIC ports (and their correspondence to the Linux interfaces eth0-eth5). This can be quite easily done with ethtool and the -p option: The command “ethtool -l eth2 10” lets a physical LED on interface eth2 blink for 10 seconds, for example (see also this for more details and check the manual page of ethtool).
This schematic drawing shows the cabling and network setup of the BNG pair:
Cabling and Network Setup
- eth0 and eth1 are connected to different internal management VLANs and not controlled by BNG. Mainly these are used to connect to the servers with ssh and to provide optional external connectivity for Linux updates and upgrades.
- Interface eth2 of each machine is connected to the internal LAN (or VLAN).
- Interface eth3 of each machine is connected to the external LAN, where also the router sits which provides external IPv4 and IPv6 connectivity.
- Interfaces eth4 and eth5 are used by directly connecting both boxes (without any switch in between) in order to implement an redundant VRRP hardware link. Thus even a broken interface or cable is not a single point of failure.
BalanceNG installation and licensing (optional)
The installation of BalanceNG is quite simple and done with the “dpkg -i” command, here’s a typical dialog:
root@bng1:~# ls -l total 2336 -rw-r--r-- 1 root root 2390304 Dec 20 12:14 balanceng_4.072_amd64.deb root@bng1:~# dpkg -i balanceng_4.072_amd64.deb (Reading database ... 158037 files and directories currently installed.) Preparing to unpack balanceng_4.072_amd64.deb ... Unpacking balanceng (4.072) over (4.072) ... Setting up balanceng (4.072) ... Updating startup-links... ...done! Please restart BalanceNG as soon as possible to use the updated version Processing triggers for systemd (229-4ubuntu21) ... Processing triggers for ureadahead (0.100.0-19) ... root@bng1:~#
For later licensing you may now retrieve the nodeid with the command “bng -N”:
root@bng1:~# bng -N ab:d7:fb:27:28:94 root@bng1:~#
Configuration
The following configuration directives are important:
- The module chain needs to be set to modules vrrp,arp,master,lfilter,haswitch.
- Interface 1 and 2 needs to have switching enable set to be processed by the haswitch module.
- Interface 2 needs additionally have scope external set to identify this interface to be external (for the lfilter module).
- Network 1 is connected to the two interfaces 3 and 4 for hardware failure redundancy. The IP addressing here may be chosen freely, a bngsync connection is set up for synchronising the session table contents.
- The IPv4 and IPv6 location databases both need to be loaded.
- A location group X needs to be present, in this example a * initially allows all IPv4 and IPv6 locations to pass through.
Node 1 Configuration
// configuration taken ...
// BalanceNG ...
hostname [BNG1]
license INTEST-01 15a45385cea25d41c6246b5831cd8186
modules vrrp,arp,master,lfilter,haswitch
set sessiondlimit 50
interface 1 {
name eth2
access raw
switching enablae
}
interface 2 {
name eth3
access raw
switching enable
scope external
}
interface 3 {
name eth4
access raw
}
interface 4 {
name eth5
access raw
}
register interfaces 1,2,3,4
enable interfaces 1,2,3,4
vrrp {
vrid 5
priority 200
network 1
}
network 1 {
addr 10.10.10.0
mask 255.255.255.0
real 10.10.10.5
virt 10.10.10.1
syncpeer 10.10.10.6
interfaces 3,4
}
register network 1
enable network 1
ipdb "/opt/BalanceNG/IpToCountry.csv"
ipdb6 "/opt/BalanceNG/IpToCountry.6R.csv"
lgrp X "*"
// end of configuration
Node 2 Configuration
// configuration taken ...
// BalanceNG ...
hostname [BNG2]
license INTEST-02 a06de72515bcb3aee3ce5f99c70655b4
modules vrrp,arp,master,lfilter,haswitch
set sessiondlimit 50
interface 1 {
name eth2
access raw
switching enable
}
interface 2 {
name eth3
access raw
switching enable
scope external
}
interface 3 {
name eth4
access raw
}
interface 4 {
name eth5
access raw
}
register interfaces 1,2,3,4
enable interfaces 1,2,3,4
vrrp {
vrid 5
priority 200
network 1
}
network 1 {
addr 10.10.10.0
mask 255.255.255.0
real 10.10.10.6
virt 10.10.10.1
syncpeer 10.10.10.5
interfaces 3,4
}
register network 1
enable network 1
ipdb "/opt/BalanceNG/IpToCountry.csv"
ipdb6 "/opt/BalanceNG/IpToCountry.6R.csv"
lgrp X "*"
// end of configuration
Collecting Communication Statistics
The location based communication statistics may be shown on the current VRRP master with the “show module lfilter” command, a typical dialog looks like this:
root@bng2:~# bng control
BalanceNG: connected to PID 4260
[BNG2]-MASTER# show module lfilter
general communication statistics:
udp4 (in) udp4(out) tcp4 (in) tcp4(out) udp6 (in) udp6(out) tcp6 (in) tcp6(out)
AT 3020 2549 Austria
CA 33563 36080 Canada
CH 588 456 Switzerland
CZ 10 12 Czech Republic
DE 137 137 120609 92067 1209 Germany
DK 116 154 Denmark
EU 5100 4185 73 73 European Union
FI 1825 1117 Finland
FR 741 794 France
GB 12420 12550 9 10 12 United Kingdom
IE 29262 29064 24587 10233 Ireland
JP 46 Japan
NL 1 1 751 888 Netherlands
NO 7100 1946 Norway
PL 16 18 16 19 Poland
RU 136 147 Russian Federation
US 230 245 498454 438116 2707 4075 United States
VG 6 14 Virgin Islands (BRITISH)
ZZ 9620 6116638 84 126 Reserved
- 59 828 *** NOT FOUND PSEUDO ENTRY ***
packets dropped (not in location group X):
0 IPv4 packets dropped
0 IPv6 packets dropped
location group settings:
lgrp X "*"
[BNG2]-MASTER#
The keyword “out” means here means that a packet has been received on an interface with scope internal (checking the destination address), the keyword “in” refers to packets received on “scope external” interface (thus checking the source address). Please note that the communication statisctics are available on the current VRRP master only.
Controlling Location Access
This is done by configuring the special location group X, packets that belong to this location group are passed by the “lfilter” module.
The following setting allows only packets to and from Germany and Austria to be forwarded (all others would be dropped), for example:
lgrp X "DE,AT"
The following setting allows packets from and to all locations to be forwarded except those from Germany and Austria, for example:
lgrp {
X "*,!Y"
Y "DE,AT"
}
As soon as packets are being dropped by a location group X setting, the “packet dropped” counters are being updated accordingly.
Please have also a look at the BalanceNG User and Reference Manual for further information about the “lgrp” configuration command.