Infrastructure lab, VLAN support... and alternatives?

Posted: 11. May 2009, 14:33
by tarax
All,

First post, so I'll begin by thanking all the folks that have contributed, one way or the other, to provide us such a great piece of software and such comprehensive documentation. Really, thank you.

So, as a Sys/Net Admin wannabe, I'd like to create a virtual infrastructure on my WXP SP3 laptop (soon to be migrated to Ubuntu 9.04). The setup I'd like to build:
- will be made of several Linux & WXP guests
- should make extensive use of NIC aggregation (in linux guests at least)
- should make extensive use of VLANs to separate Admin/SAN/LAN Servers/Users PCs & TCs/VoIP/DMZ networks
- Network QoS should be managed on every network link

Basically here is the schema:
- { } are networks (VLANs actually, except for WWW)
- [ ] are hosts (VMs)
- <CSW> is the core switch and <SSW> is the Storage Switch
- all hosts network connections are bonded
{WWW}
||
||
[RTR]
||
||
<CSW>--------<SSW>
||            ||
||---{USR}    ||
||     |      ||
||---{SRV}----||
||            ||
||---{VoIP}---||---[STG]
||            ||
||---{DMZ}----||
||           {SAN}
||---{ADM}
[RTR] should be a Vyatta VM with two WAN connections on one side and a 2 NICs bonded VLAN trunk on the other
All VLANs should be 10.10.<VLANID>.0/24
{ADM} should only be reachable through an OpenVPN tunnel
Servers in {SRV}, {VoIP}, and {DMZ} should have
- one "Storage leg" in the SAN, connected to the SAN/NAS appliance (OpenFiler) through <SSW>
- one "Service leg" plugged in <CSW>
- Terminal servers should have another "Desktop leg" connected to {USR}

Up to now I have:
- installed VirtualBox,
- successfully converted Vyatta 5.02 (and OpenFiler 2.3) VMware images to OVF format using VMware's OVFTool 1.0.0,
- imported them in VirtualBox,
- set up the RTR VM with 4 NICs, 2 "WAN" connections in NAT mode and 2 "INT" connections in internal networking mode
- made basic configuration of Vyatta
- configured one "WAN" connection
- configured bonded interface on the internal side
- configured VIF (VLAN interfaces) on top of bond0

And here come the troubles! Kernel messages telling me VLANs are not supported on the bond0 interface. So I got back to the VirtualBox documentation and, searching in the forums, it seems like VLANs are not supported by interfaces/virtual switches created by Internal Networking mode. Next time, I'll double check, sworn!

So, before going any further, would you please, experienced VBoxers and networking gurus around:
- Tell me if there is a way to build this setup with VirtualBox (using other NIC modes?)
- Can this be achieved using network simulation software like GNS3?
- May I simply forget about VLANs for the moment, waiting for VirtualBox to support them, and configure as many IntNets as separate networks I need?

By the way, if any of y'all have any comment/criticism about the planned network in itself, please do.

Thanks a lot in advance
JT

Re: Infrastructure lab, VLAN support... and alternatives?

Posted: 11. May 2009, 15:01
by vbox4me2
Simulated VLAN is the only way to go with this; it can be defeated, but the mere simple hardware router with VLAN does the same thing.

Re: Infrastructure lab, VLAN support... and alternatives?

Posted: 11. May 2009, 15:21
by tarax
hi,

Thank you for your quick reply. Actually, you're reaching the edge of my English skills so, if I understand correctly, you're telling me to go with the multiple IntNets alternative... but what do you mean when you say "it can be defeated but the mere simple hardware router with VLAN does the same thing"?

Bests
JT

Re: Infrastructure lab, VLAN support... and alternatives?

Posted: 11. May 2009, 15:35
by vbox4me2
A VLAN via a VM and bridge mode networking: VLANs are usually built by tagging IP frames; it is easy to detag or ignore it and get from one VLAN to another. A proper VLAN switch doesn't use tagging, but this can't be built in software for use in vbox. Tagged VLANs can be useful if you don't let others control the LAN settings of the Guests you are trying to isolate.

Re: Infrastructure lab, VLAN support... and alternatives?

Posted: 14. May 2009, 11:09
by tarax
Hi,

Thank you vbox4me2.
I'm sorry to come back on the subject, but I'm so frustrated I'd have to go with VMware because of this...
Can someone tell me how this guy does it before I PM him? He seems to be the only man on earth to play with VLANs and VirtualBox... or I really need to get some rest :|

Bests

Re: Infrastructure lab, VLAN support... and alternatives?

Posted: 15. May 2009, 00:31
by ckerr
Sure, I can help you understand how I do that (I'm the author of that page that you linked to).

Basically, VirtualBox doesn't know anything about VLANs: with VirtualBox you are essentially defining the physical topology of your network. In the lab that you pointed to, you will therefore need to create a router instance that has interfaces that understand VLAN tags. In this lab, I do that using Vyatta's VLAN support (i.e. ethernet ethX vif VLANID).

Ideally, if you wanted to seriously play with VLANs inside VirtualBox, you would need to create a 'manageable switch' guest OS. You could do this using a little Linux system which used Ethernet bridging... this could be a rather useful virtual appliance, but would need a convincing UI. In such a system, the VLAN port assignments would need to be made — exactly how it is done in real VLAN-enabled switches — as well as saying which ports are trunk ports (i.e. multiple VLAN assignments).

Hope that helps; if you're using Vyatta you should find it really quite simple. If you're using bare Linux, well, it may take a little more research, but it shouldn't be too difficult... you'll want to install the vlan tools (Ubuntu: apt-get install vlan), but I've never used these myself. Note that the point of VLANs is that edge devices should generally not see any tags, and that complicates matters no end: only switches, routers and other specialised network devices (e.g. NIDS) should ever really be in the trunk segments of the network.
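The 'manageable switch' ckerr sketches above, as an added example that is not from the thread, from Vyatta or from VirtualBox: a Python model of the forwarding rules such a guest would enforce, with access ports for the edge VMs and a trunk toward the router. It also shows why vbox4me2's remark about tags being easy to defeat only holds when a switch accepts tagged frames on access ports; port names, MAC addresses and payloads are constructed.

```python
# Added example, not from the thread or VirtualBox: a small 802.1Q-aware model of
# the 'manageable switch' guest described above. Port names, MACs and payloads are
# constructed. Access ports carry one untagged VLAN and never accept or emit tags;
# trunk ports carry a set of VLANs, always tagged.
import struct

TPID_8021Q = 0x8100  # EtherType value announcing an 802.1Q tag

def parse_frame(frame):
    """Return (dst, src, vlan_id_or_None, rest); rest starts at the inner EtherType."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return dst, src, tci & 0x0FFF, frame[16:]  # VLAN ID = low 12 bits of the TCI
    return dst, src, None, frame[12:]

def build_frame(dst, src, rest, vlan_id=None):
    """Reassemble a frame, inserting an 802.1Q header (priority 0) when vlan_id is given."""
    tag = struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF) if vlan_id is not None else b""
    return dst + src + tag + rest

class VlanSwitch:
    def __init__(self, ports):
        # ports: {name: ("access", vlan_id) | ("trunk", {allowed vlan ids})}
        self.ports = ports

    def forward(self, in_port, frame):
        """Flood a frame within its VLAN; return {out_port: frame}, or {} if dropped."""
        mode, cfg = self.ports[in_port]
        dst, src, vid, rest = parse_frame(frame)
        if mode == "access":
            if vid is not None:  # an edge host must not pick its VLAN by injecting a tag
                return {}
            vid = cfg
        elif vid is None or vid not in cfg:  # trunk: untagged or disallowed VLAN is dropped
            return {}
        out = {}
        for name, (omode, ocfg) in self.ports.items():
            if name == in_port:
                continue
            if omode == "access" and ocfg == vid:
                out[name] = build_frame(dst, src, rest)  # tag stripped toward the edge
            elif omode == "trunk" and vid in ocfg:
                out[name] = build_frame(dst, src, rest, vid)  # tag kept on the trunk
        return out

# Constructed lab: one SRV host (VLAN 20), one DMZ host (VLAN 40), a trunk to the router.
LAB = VlanSwitch({"srv1": ("access", 20), "dmz1": ("access", 40),
                  "rtr_trunk": ("trunk", {20, 40})})
```

A real appliance would add MAC learning and a native VLAN on the trunk; the drop rules on ingress are the part that keeps VLAN 20 hosts from reaching VLAN 40 by crafting their own tags.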

Re: Infrastructure lab, VLAN support... and alternatives?

Posted: 15. May 2009, 11:27
by tarax
Hi ckerr,
ckerr wrote:Sure, I can help you understand how I do that (I'm the author of that page that you linked to).
That is an Internet miracle! ;-)
So let me first thank you for this doc.
ckerr wrote:Basically, VirtualBox doesn't know anything about VLANs: with VirtualBox you are essentially defining the physical topology of your network.
That is, I think, what I had understood and why, to reflect the setup described in my first post, I created a first VM ("RTR") with 2 bridged interfaces (simulating two WAN connections) and 2 interfaces in the "CSW" switch/internal network. These last two NICs were aimed at simulating a bonded inter-VLAN trunk on the core switch. I since discovered that I'll have to wait for the next Vyatta release to use VLANs above bonded interfaces :'( and so fell back to a single interface trunk.
ckerr wrote:In the lab that you pointed to, you will therefore need to create a router instance that has interfaces that understand VLAN tags. In this lab, I do that using Vyatta's VLAN support (i.e. ethernet ethX vif VLANID)
In this spirit, I created the various VIFs for my six VLANs with the exact command you mentioned. I then assigned each VIF an IP address with Vyatta's "set interfaces ethernet ethX vif VLANID address 10.10.<VLANID>.1/24"

To test that everything was ok so far, I set up another Vyatta VM with one Internal Networking NIC connected to my "CSW" switch, configured the six VIFs and assigned 10.10.<VLANID>.2/24 IP addresses to each of them.

Finally, I tried to ping each router's interfaces from the other one, but in all cases without any luck :'( I must be missing something but I can't see what...
ckerr wrote:Ideally, if you wanted to seriously play with VLANs inside VirtualBox, you would need to create a 'manageable switch' guest OS. You could do this using a little Linux system which used Ethernet bridging... this could be a rather useful virtual appliance, but would need a convincing UI. In such a system, the VLAN port assignments would need to be made — exactly how it is done in real VLAN-enabled switches — as well as saying which ports are trunk ports (i.e. multiple VLAN assignments).
This would be such a useful "appliance" for us NetAdmin wannabes!!! But at the moment, this is so far beyond my skills... by the way, with my current understanding, I don't see if/how you'd build a "virtual manageable switch" with more than eight ports in VirtualBox?
ckerr wrote:Note that the point of VLANs is that edge devices should generally not see any tags, and that complicates matters no end: only switches, routers and other specialised network devices (e.g. NIDS) should ever really be in the trunk segments of the network.
This is a point that was not as clear as it is now, thank you for the insight. Luckily, I think the setup I'm trying to simulate conforms to this recommendation.

Any further help welcome
Thank you in advance
JT