Re: [Vyatta-users] GLBP
Thanks for the feedback, I am particularly interested in the load sharing functionality.

TRoopy

-- Original Message --
From: Stig Thormodsrud [EMAIL PROTECTED]
Date: Wed, 9 Jan 2008 11:42:34 -0800 (PST)

What features specifically from GLBP are you looking for? Depending on the implementation, VRRP is capable of load sharing. I know Extreme and Cisco equipment will do it. From RFC 3768 (http://tools.ietf.org/html/rfc3768):

2.1. IP Address Backup

Backup of IP addresses is the primary function of the Virtual Router Redundancy Protocol. While providing election of a Virtual Router Master and the additional functionality described below, the protocol should strive to:

- Minimize the duration of black holes.
- Minimize the steady state bandwidth overhead and processing complexity.
- Function over a wide variety of multiaccess LAN technologies capable of supporting IP traffic.
***- Provide for election of multiple virtual routers on a network for load balancing.***
- Support of multiple logical IP subnets on a single LAN segment.

I get the impression that the load balancing you get with vrrp is more of a static thing where you configure some of your hosts' default route to router-A and others to router-B, and have vrrp provide the backup if either router goes down. Another way I've seen it used is such that traffic in one direction goes through router-A and then through router-B in the other direction. For an example diagram see page 2 of http://www.redbooks.ibm.com/redpapers/pdfs/redp3657.pdf

stig

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com

On Jan 9, 2008, at 1:17 PM, Troopy . wrote:

Hello,

This question is not fully related to Vyatta but I am sure I will receive interesting answers to my questions. I am wondering if there exists a standardized version comparable to the Cisco GLBP protocol, to provide load sharing functionalities.

Do you know if VRRP (or another standardized redundancy protocol) provides these functionalities?

Thanks a lot for your fantastic tool

Troopy

__
Would you like an @suisse.com e-mail address? Visit virtual Switzerland at http://www.suisse.com

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
[Vyatta-users] VC3 firewall problem
Hi All,

I have upgraded VC2 to VC3. But when I tried to implement the firewall, all traffic to the internet stops. Here is my old and new firewall configuration:

OLD FIREWALL CONFIGURATION:

firewall {
    log-martians: enable
    send-redirects: disable
    receive-redirects: disable
    ip-src-route: disable
    broadcast-ping: disable
    syn-cookies: enable
    name inbound {
        rule 1 {
            protocol: all
            state {
                established: enable
                related: enable
            }
            action: accept
            log: disable
        }
        rule 2 {
            protocol: tcp
            action: accept
            log: disable
            source {
                address: x.x.x.x
            }
            destination {
                port-name: ssh
            }
        }
        rule 3 {
            protocol: tcp
            action: accept
            log: disable
            source {
                address: x.x.x.x
            }
            destination {
                port-name: ssh
            }
        }
        rule 4 {
            protocol: icmp
            icmp {
                type: 8
            }
            action: accept
            log: disable
        }
        rule 5 {
            protocol: icmp
            icmp {
                type: 11
            }
            action: accept
            log: disable
        }
        rule 6 {
            protocol: udp
            action: accept
            log: disable
            destination {
                port-number: xxx
            }
        }
        rule 7 {
            protocol: all
            action: drop
            log: disable
            source {
                network: 0.0.0.0/0
            }
        }
    }
}

NEW FIREWALL CONFIGURATION:

firewall {
    log-martians: enable
    send-redirects: disable
    receive-redirects: disable
    ip-src-route: disable
    broadcast-ping: disable
    syn-cookies: enable
    name inbound {
        description: inbound firewall
        rule 1 {
            protocol: tcp
            state {
                established: enable
                related: enable
            }
            action: accept
            log: disable
        }
        rule 2 {
            protocol: tcp
            action: accept
            log: disable
            source {
                address: x.x.x.x
            }
            destination {
                port-name ssh
            }
        }
        rule 3 {
            protocol: tcp
            action: accept
            log: disable
            source {
                address: x.x.x.x
            }
            destination {
                port-name ssh
            }
        }
        rule 4 {
            protocol: icmp
            icmp {
                type: 8
            }
            action: accept
            log: disable
        }
        rule 5 {
            protocol: icmp
            icmp {
                type: 11
            }
            action: accept
            log: disable
        }
        rule 6 {
            protocol: udp
            action: accept
            log: disable
            destination {
                port-number xxx
            }
        }
        rule 7 {
            protocol: udp
            action: accept
            log: disable
            destination {
                port-number xxx
            }
        }
        rule 8 {
            protocol: all
            action: drop
            log: disable
            source {
                network: 0.0.0.0/0
            }
        }
    }
}

I have applied this setting to my interface's firewall as: in and local.

When I try to enable this firewall setting, I can't ping my ISP gateway (modem IP) either. Please tell me what I want to change to implement it on VC3?

Thanks in Advance,

Regards,
Abhilash S
[Vyatta-users] Side Issue: open source solution for load balancer
Hi guys,

being good fellows of the Vyatta community, I was wondering if you guys use any good load balancer solution that is open source, like Vyatta? I came across a few, but am wondering if you guys can offer some first-hand experience advice :)

http://www.ultramonkey.org/
http://www.openclovis.org/project-poll/project-idea-openclovis-load-balancer

Thanks!
Daren
Re: [Vyatta-users] VC3 firewall problem
Hi Abhilash,

There is an issue in VC3 that restricts the related/established rule (your rule number 1) to TCP only. Most likely, the reason your VC2 firewall was working is because return traffic of any type (ICMP, UDP, TCP, etc.) was allowed back in via rule number 1. Your new rule number 1 on VC3 only allows return traffic on TCP. For more information on the bug and to fix this issue on your system, see the following post to the user's list: http://mailman.vyatta.com/pipermail/vyatta-users/2007-November/002406.html

This bug has been fixed and will no longer be an issue in the next release.

Thank you,
Robyn
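To make the effect of that VC3 restriction concrete, here is an added model (not Vyatta code) of the two rule sets quoted in this thread, run over constructed return traffic; 192.0.2.10 stands in for the admin address x.x.x.x and 5000 for the elided port-number xxx, both placeholders.

```python
"""Toy model of the VC2 vs VC3 "inbound" rule sets quoted in this thread.
Added illustration, not Vyatta code: rules keep only the fields that matter
here, and the conntrack state is supplied with each constructed packet."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ADMIN_HOST = "192.0.2.10"   # stand-in for the post's x.x.x.x admin address
SERVICE_PORT = 5000         # stand-in for the post's elided "port-number xxx"
RELATED = frozenset({"established", "related"})

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    state: str                      # conntrack: "new", "established", "related"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    src: str = "198.51.100.20"      # constructed remote address

@dataclass
class Rule:
    number: int
    action: str                     # "accept" or "drop"
    proto: str = "all"
    states: FrozenSet[str] = frozenset()   # empty set: no state clause
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    src: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "all" or self.proto == p.proto)
                and (not self.states or p.state in self.states)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type)
                and (self.src is None or self.src == p.src))

def common_rules() -> List[Rule]:
    """Rules 2..7 of the old set (the duplicated ssh rule is collapsed)."""
    return [Rule(2, "accept", "tcp", dport=22, src=ADMIN_HOST),  # ssh from admin
            Rule(4, "accept", "icmp", icmp_type=8),              # echo request
            Rule(5, "accept", "icmp", icmp_type=11),             # time exceeded
            Rule(6, "accept", "udp", dport=SERVICE_PORT),
            Rule(7, "drop", "all")]                              # drop the rest

def vc2_rules() -> List[Rule]:
    # VC2: rule 1 accepts established/related traffic of any protocol
    return [Rule(1, "accept", "all", RELATED)] + common_rules()

def vc3_rules() -> List[Rule]:
    # VC3 bug from the reply: the same rule only ever matches TCP
    return [Rule(1, "accept", "tcp", RELATED)] + common_rules()

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """First matching rule wins; returns (action, rule number)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.number
    return "drop", 0   # not reached: both sets end in an explicit drop-all

# Constructed return traffic, classified as conntrack would on the router.
SAMPLE_PACKETS = {
    "tcp reply to outbound session": Packet("tcp", "established", dport=51000),
    "icmp echo reply from ISP gateway": Packet("icmp", "established", icmp_type=0),
    "udp dns answer": Packet("udp", "established", dport=51001),
    "unsolicited tcp syn": Packet("tcp", "new", dport=443),
}

def compare() -> dict:
    """(VC2 verdict, VC3 verdict) for each sample packet."""
    return {name: (evaluate(vc2_rules(), p)[0], evaluate(vc3_rules(), p)[0])
            for name, p in SAMPLE_PACKETS.items()}
```

The echo reply and the UDP answer are what the ping to the ISP gateway and everyday traffic look like on the way back in; only the TCP reply survives the VC3 rule set.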
Re: [Vyatta-users] VRRP and disable-vmac true
Hi Dave,

When a new master takes over the vip address it sends out a gratuitous arp so that the hosts can learn the new mac.

stig

Hi,

I've been reading a few posts regarding Bug 2350 https://bugzilla.vyatta.com/show_bug.cgi?id=2350

Doesn't the disable-vmac true option create an issue with the arp cache on the devices that are routing to the vrrp vip address?

Dave
Re: [Vyatta-users] Network ports Compatibility issue for Vyatta? to install in production box for router use
No, no known issues with the cards, and six ports should be fine. I've got that many ports in production :-)

Justin

On Jan 10, 2008 2:22 AM, Daren Tay [EMAIL PROTECTED] wrote:

Hi guys, just wanna check if there's any known issues for the following network cards with Vyatta: Intel PRO/1000 PT dual-port gigabit ethernet PCIe x4 card. I am planning to install 2 of that in the server (Dell PowerEdge) to get a 6 port setup. Also, is it ok if I install so many?

I am planning to use Vyatta as a production router for our new infrastructure... all the way man. Planning to get a simple Dell PowerEdge and pump it with adequate network ports to handle 2 different subnets and firewall. What do you guys think?

Thanks!
Daren
Re: [Vyatta-users] GLBP
Can anyone comment more on load balancing vrrp? Active/active style configuration? Perhaps even noting bgp? I was not aware with vrrp one could have two routers handling packets :/

-Original Message-
From: Troopy . [EMAIL PROTECTED]
Sent: Thursday, January 10, 2008 2:04 AM
To: vyatta-users@mailman.vyatta.com; [EMAIL PROTECTED]; Stig Thormodsrud [EMAIL PROTECTED]
Cc: 'vyatta-users' [EMAIL PROTECTED]
Subject: Re: [Vyatta-users] GLBP
Re: [Vyatta-users] GLBP
All I really know about it is when I set up a trio of Cisco 7301 routers a couple years ago, one of the options I researched was VRRP and the other was GLBP. I ended up going with GLBP because Cisco's implementation of it was more stable than its implementation of VRRP. I know that it *will* do it on any semi-recent IOS version. No idea if the open-source implementations of VRRP will do it.

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com

On Jan 10, 2008, at 3:30 PM, Max wrote:
[Vyatta-users] Basic Rip help and nat translation question
All,

I'm coming from a cisco background and although I've used vyatta at one production location (using some static routes successfully) I'm having a heck of a time just getting two routers to talk to each other with RIP. I've read through the big config guide pdf, but to no avail. Could anyone either paste in their RIP configuration or at least give me some pointers on how to get this to work?

In my test environment I have two routers.

Router A (eth0) 192.168.50.1 /24 -- cross over -- Router B (eth0) 192.168.50.2 /24
Router A (eth1) 192.168.51.1 /24
Router B (eth1) 192.168.52.1 /24

I can ping across all the networks if I set up static routes, so I know the connections and IPs are okay.

In addition, on a standard cisco router I can run this: show ip nat trans. How do I see all the different translations on a vyatta box going out to the world?

Thanks in advance,
Aaron
[Vyatta-users] Disable forwarding of broadcast directed packets
Is broadcast forwarding disabled by default on Vyatta? If not, is there a way I can disable forwarding of broadcast packets on my Vyatta v3 router?

Thanks,
Shane McKinley
Habersham EMC
Re: [Vyatta-users] GLBP
On Thu, 10 Jan 2008, Max wrote:

> Can anyone comment more on load balancing vrrp? Active/active style configuration? Perhaps even noting bgp? I was not aware with vrrp one could have two routers handling packets :/

This may have changed, but I believe Vyatta only supports one VRRP address per interface. Consider what I'm describing here a feature request, although perhaps someone else can comment on how to make this work with the current functionality. :)

If Vyatta supported multiple VRRP addresses (and the equipment behind it supports ECMP), you could do active/active by configuring two default gateway addresses and using the VRRP priority/preempt parameters to give one address an affinity for one router and one for the other. For instance:

Router A, x.x.x.3, VRRP addresses x.x.x.1 priority 100 and x.x.x.2 priority 50
Router B, x.x.x.4, VRRP addresses x.x.x.1 priority 50 and x.x.x.2 priority 100
Device C, x.x.x.5, default gateway configured as x.x.x.1 and x.x.x.2 with equal metrics

In normal operation, half the packets will be processed by either router (depending on how device C implements equal cost multipath). If one router fails, both the .1 and .2 addresses end up on the surviving box. N.B. this breaks stateful packet inspection.

I believe the original reason for the one-address-per-interface restriction was due to the virtual MAC address. Now that we have the disable-vmac option, perhaps this limitation could be removed?

--
Dave Pifke, [EMAIL PROTECTED]
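The active/active arrangement above, simulated in an added example that is not Vyatta's VRRP implementation: the 192.0.2.0/24 addresses stand in for x.x.x.0, the priorities are the ones in the post, and the per-flow hash is an assumption about how device C picks among equal-cost gateways. It also counts the asymmetric flows behind the N.B. about stateful inspection, assuming the upstream side hashes independently.

```python
"""Simulation of the active/active VRRP + ECMP scheme described in the post.
Added example, not Vyatta's VRRP implementation: 192.0.2.0/24 stands in for
the post's x.x.x.0 network, priorities are the ones from the post, and the
hashing models a per-flow equal-cost choice (an assumption)."""
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Set, Tuple

Flow = Tuple[str, int, str, int, str]   # src, sport, dst, dport, proto
VIPS = ("192.0.2.1", "192.0.2.2")       # the post's x.x.x.1 and x.x.x.2

# VRRP priority each router advertises for each VIP (from the post)
PRIORITIES: Dict[str, Dict[str, int]] = {
    "A": {VIPS[0]: 100, VIPS[1]: 50},
    "B": {VIPS[0]: 50, VIPS[1]: 100},
}

def elect_masters(alive: Set[str]) -> Dict[str, str]:
    """Per VIP, the live router advertising the highest priority becomes
    master (VRRP election; the IP-address tie-break is not needed here)."""
    masters = {}
    for vip in VIPS:
        candidates = [(PRIORITIES[r][vip], r) for r in alive]
        if candidates:
            masters[vip] = max(candidates)[1]
    return masters

def ecmp_choice(flow: Flow, nexthops: Sequence[str]) -> str:
    """Equal-cost multipath as device C might do it: a flow hash selects one
    of the equal-metric next hops. Real stacks vary (some hash per packet)."""
    digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
    return nexthops[int.from_bytes(digest[:4], "big") % len(nexthops)]

def forward(flows: Iterable[Flow], alive: Set[str]) -> Counter:
    """Which router carries each outbound flow from device C."""
    masters = elect_masters(alive)
    return Counter(masters[ecmp_choice(f, VIPS)] for f in flows)

def asymmetric_flows(flows: Iterable[Flow], alive: Set[str]) -> int:
    """Flows whose reply comes back through a different router than the
    request left on: the upstream side hashes on its own, so a stateful
    firewall on either router sees only half the conversation (the N.B.)."""
    masters = elect_masters(alive)
    routers = sorted(alive)
    count = 0
    for f in flows:
        outbound = masters[ecmp_choice(f, VIPS)]
        inbound = ecmp_choice(f[2:4] + f[0:2] + f[4:], routers)  # reversed tuple
        count += outbound != inbound
    return count

def sample_flows(n: int = 1000) -> List[Flow]:
    """Constructed flows from device C (x.x.x.5) to one server, varying sport."""
    return [("192.0.2.5", 40000 + i, "203.0.113.7", 443, "tcp") for i in range(n)]

def demo() -> Tuple[Counter, Counter]:
    """Per-router flow counts with both routers up, then with A failed."""
    flows = sample_flows()
    return forward(flows, {"A", "B"}), forward(flows, {"B"})
```

With both routers up the flows split between A and B and roughly half of them return through the other router; once A fails, every VIP and every flow lands on B and the asymmetry disappears.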
Re: [Vyatta-users] Basic Rip help and nat translation question
Hi Aaron,

For NAT translations, there is an enhancement request for a show command that displays the information you want. You can see some more details in bugzilla: https://bugzilla.vyatta.com/show_bug.cgi?id=522

An-Cheng
Re: [Vyatta-users] Disable forwarding of broadcast directed packets
It's disabled, and the current best practices have had it set this way for quite a while. See ftp://ftp.rfc-editor.org/in-notes/rfc2644.txt if you really want the details :-)

Best,
Justin

On Jan 10, 2008 1:27 PM, Shane McKinley [EMAIL PROTECTED] wrote:
Re: [Vyatta-users] GLBP
> This may have changed, but I believe Vyatta only supports one VRRP address per interface. Consider what I'm describing here a feature request, although perhaps someone else can comment on how to make this work with the current functionality. :)

Hi Dave,

I have already added support for both multiple vrrp groups per interface and multiple vips per vrrp group in the current development branch. So assuming the testing of these features goes well, then you should see it in the glendale release. I'm hoping to also add support for vrrp sync groups if time permits.

stig
Re: [Vyatta-users] VC3 firewall problem
Hi Robyn,

This works for me. Thank you very much.

Thanks and Regards,
Abhilash.S

On Jan 10, 2008 10:11 AM, Robyn Orosz [EMAIL PROTECTED] wrote: