A bite of virtual linux networking

In this post we shall be discussing various network components and their corresponding Linux virtual counterparts.

Bridges

Switches basically provide the following functionality:

  1. MAC learning: As a switch receives packets on an interface, it maps that interface id/port number to the source MAC address of every packet received on it. This mapping is used later while forwarding.
  2. Forwarding: Switches do not look at a packet past the L2 headers. They perform a simple logic before sending a packet received on one interface out other interfaces.
    1. If the destination is broadcast/multicast, forward on all ports except the ingress port.
    2. If the destination MAC address is mapped to an interface, send the packet out that interface alone.
    3. If the destination is none of the above, forward on all ports belonging to the packet’s VLAN, except the ingress port.
  3. VLAN Isolation: Packets are sorted according to their VLAN. A switch’s port can be configured either as a trunk port (belongs to all VLANs) or as an access port for a particular VLAN. The rules therefore are simple.
    1. Packets appearing on trunk ports should be tagged unless they belong to VLAN 1 (the native VLAN). The tag identifies the packet’s VLAN in this case.
    2. Packets appearing on access ports should not be tagged; tagged packets are dropped. The port configuration (access ports always belong to a VLAN) identifies the packet’s VLAN in this case.

    The sorted packets then pass through the forwarding phase, which determines which port they are sent out of. Packets going out trunk ports will be tagged and those going out access ports will not be tagged. The forwarding logic guarantees that a packet belonging to one VLAN shall never trespass into another VLAN.

The switches of course do much more, but I believe the three points listed above should suffice for any beginner.

Note: The default factory setting on any switch configures all ports as trunk with native VLAN ‘1’. Native VLAN packets alone need not be tagged even on a trunk port.
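As an added example (not from the original post), the three points above as a small learning switch simulation in Python: MAC learning scoped per VLAN, tagging and untagging on ingress and egress, and flooding restricted to the packet’s VLAN. Port and MAC values in the code are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

NATIVE_VLAN = 1

@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None  # 802.1Q tag; None means untagged

@dataclass
class Port:
    name: str
    trunk: bool = True              # trunk: all VLANs, tagged except native
    access_vlan: int = NATIVE_VLAN  # only meaningful when trunk is False

class Switch:
    def __init__(self, ports: List[Port]):
        self.ports = {p.name: p for p in ports}
        self.fdb: Dict[tuple, str] = {}  # (vlan, mac) -> port it was learned on

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """VLAN the frame belongs to, or None if it must be dropped."""
        if port.trunk:
            return NATIVE_VLAN if frame.vlan is None else frame.vlan
        return None if frame.vlan is not None else port.access_vlan

    @staticmethod
    def egress(port: Port, frame: Frame, vlan: int) -> Frame:
        """Trunk egress is tagged (except the native VLAN); access egress is untagged."""
        tag = vlan if (port.trunk and vlan != NATIVE_VLAN) else None
        return Frame(frame.src, frame.dst, tag)

    def receive(self, ingress: str, frame: Frame) -> Dict[str, Frame]:
        """Return {egress port: frame as it leaves that port}."""
        port = self.ports[ingress]
        vlan = self.classify(port, frame)
        if vlan is None:
            return {}
        self.fdb[(vlan, frame.src)] = ingress  # MAC learning, scoped to the VLAN
        multicast = int(frame.dst.split(":")[0], 16) & 1  # group bit; covers broadcast
        known = self.fdb.get((vlan, frame.dst))
        if not multicast and known is not None:
            targets = [known] if known != ingress else []
        else:  # broadcast/multicast or unknown unicast: flood within the VLAN only
            targets = [n for n, p in self.ports.items()
                       if n != ingress and (p.trunk or p.access_vlan == vlan)]
        return {n: self.egress(self.ports[n], frame, vlan) for n in targets}
```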

The Linux Bridge

Now arriving at our purpose for this post. The Linux bridge can be installed from the package ‘bridge-utils’ irrespective of your distro. Once done you should be able to

  1. Create a bridge
    brctl addbr your_bridge_name
    
  2. add an interface to your bridge
    brctl addif your_bridge_name your_interface_name
    
  3. see all bridges and their ports
    brctl show
    
  4. remove that interface that you just added
    brctl delif your_bridge_name your_interface_name
    
  5. remove your bridge
    brctl delbr your_bridge_name
    

You can add both your physical interface (once added to a bridge your host may no longer use that interface directly) and your tap interfaces to your bridge.

Open vSwitch Bridge

The Linux bridge is cool but is far from complete. You can find many more features on an Open vSwitch bridge. You can

  1. Create a bridge
    ovs-vsctl add-br your_bridge_name
    
  2. add an interface to your bridge
    ovs-vsctl add-port your_bridge_name your_interface_name
    
  3. see all bridges and their ports
    ovs-vsctl show
    
  4. remove that interface that you just added
    ovs-vsctl del-port your_bridge_name your_interface_name
    
  5. remove your bridge
    ovs-vsctl del-br your_bridge_name
    
  6. add a port as an access port.
    ovs-vsctl add-port your_bridge_name your_interface_name tag=your_vlan_id
    

    Otherwise the port is added as a trunk port with native VLAN 1.

  7. set a controller for a bridge
    ovs-vsctl set-controller your_bridge_name tcp:your_controller_ip:6363
    

    We shall see what controllers are in another post.

  8. add flow rules
    ovs-ofctl add-flow your_bridge_name your_rule_goes_here
    

    Again we shall see what flow rules are in another post.

Network Interfaces

You already know what these are, so let’s go straight to creating a virtual network interface. These are called tap interfaces. You can create them like

ip tuntap add name your_interface_name mode tap

You can now make sure it has been created using the ‘ip link show’ command (add -d for detailed info and -s for statistics). You will notice that the interface is in state ‘DOWN’. It will stay in that state even after you add it to a bridge, unless a process configures the interface and binds to it.

Network Cables

What is the use in having software bridges when you cannot connect them? Let’s go and connect them using veth pairs.

ip link add endpoint_1_name type veth peer name endpoint_2_name

Now you can connect two bridges by simply adding one endpoint to each bridge.

Routers

The bridges always forward traffic between machines on the same VLAN. How does one communicate across VLANs?
The router is a device that can see both the VLAN tag and the IP header, and so is the device that can route traffic from one VLAN to the other. VLANs at layer 2 are equivalent to subnets at layer 3. Technically each VLAN would be allotted a separate CIDR block by your network administrator. To have connectivity across VLANs you connect a trunk port of the switch to a router and configure multiple IP addresses on the router’s attached interface, each one on a separate CIDR block corresponding to each of the VLANs that has to be routed.

IP Forwarding

With this you can turn your Linux box into a router. All you have to do is

sysctl -w net.ipv4.ip_forward=1

To persist it set ‘net.ipv4.ip_forward = 1’ in ‘/etc/sysctl.conf’.

Network Namespaces

If you feel you do not want to meddle with the host directly you can create a network namespace. Each network namespace in a system has an isolated network stack and hence does not disturb the host.
To create a namespace

ip netns add your_new_network_namespace_name

To list all namespaces

ip netns

To execute commands inside a namespace, say to see all interfaces

ip netns exec network_namespace_name ip link show

there may not be any. So let’s create a tap interface and push it into that namespace.

ip tuntap add name tap_device_name mode tap
ip link set tap_device_name netns network_namespace_name

Now enable forwarding inside the namespace

ip netns exec network_namespace_name sysctl -w net.ipv4.ip_forward=1

To route across all your VLANs, add the tap device you created to your bridge as a trunk port.

VCONFIG

We have a tap interface inside an isolated namespace with IP forwarding enabled, but we still do not have multiple IP addresses configured on the tap interface, one for each VLAN.
You can do that with VLAN interfaces. First you would have to install the package ‘vlan’. Then you can

  1. add subinterfaces to an existing tap interface
    vconfig add your_existing_tap_interface_name your_vlan_id
    

    For example, to add a subinterface for VLAN 10 on an interface named router0_1

    vconfig add router0_1 10
    

    This should create a new interface ‘router0_1.10’, which you can now see using ‘ip link show’. To do the same on an interface inside a namespace, just include ‘ip netns exec namespace_name’ before the vconfig command.

  2. After creating a VLAN interface for each of the VLANs to be routed, configure each VLAN interface with an IP address from the CIDR block allocated for that VLAN.
    ip addr add ip_address/prefix dev tapinterface_name.vlan_id
    

    Which in our case would be something like (assuming CIDR 10.10.10.0/24 is allotted to VLAN 10)

    ip addr add 10.10.10.1/24 dev router0_1.10
    

    Again, include ‘ip netns exec namespace_name’ before the command in case router0_1 is inside the namespace.

Now you can use 10.10.10.1 as the default gateway for all your VMs that you connect to VLAN 10, and they can reach all other VLANs.
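As an added example (not the post’s own code), the namespace router procedure from the Network Namespaces and VCONFIG sections as one Python script that builds the command sequence, checks the addressing, and either prints the plan or runs it. Assumptions: the bridge is Open vSwitch, and the namespace is attached through a veth pair (the cables from the Network Cables section) with the bridge-side end left in the host namespace; the veth names, the helper names and the VLAN 20 block are hypothetical.

```python
import ipaddress
import subprocess
from typing import Dict, List

def vlan_router_commands(ns: str, bridge: str, vlan_gateways: Dict[int, str],
                         veth_host: str = "rtr0-br", veth_ns: str = "rtr0") -> List[List[str]]:
    """Argv lists that build a namespace router for {vlan_id: "gateway/prefix"}.

    Hypothetical helper: it checks that each gateway is a usable host address inside
    its own CIDR and that no two VLANs get overlapping CIDRs before emitting anything.
    """
    cmds = [
        ["ip", "netns", "add", ns],
        ["ip", "link", "add", veth_host, "type", "veth", "peer", "name", veth_ns],
        ["ip", "link", "set", veth_ns, "netns", ns],
        ["ip", "link", "set", "dev", veth_host, "up"],
        ["ovs-vsctl", "add-port", bridge, veth_host],  # no tag= : trunk, native VLAN 1
        ["ip", "netns", "exec", ns, "sysctl", "-w", "net.ipv4.ip_forward=1"],
        ["ip", "netns", "exec", ns, "ip", "link", "set", "dev", veth_ns, "up"],
    ]
    seen = []
    for vid, gw in sorted(vlan_gateways.items()):
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN id {vid} out of range")
        iface = ipaddress.ip_interface(gw)  # raises on a malformed address
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{gw} is not a usable host address in {net}")
        if any(net.overlaps(other) for other in seen):
            raise ValueError(f"CIDR {net} for VLAN {vid} overlaps another VLAN's CIDR")
        seen.append(net)
        sub = f"{veth_ns}.{vid}"  # vconfig names the subinterface parent.vid
        cmds += [
            ["ip", "netns", "exec", ns, "vconfig", "add", veth_ns, str(vid)],
            ["ip", "netns", "exec", ns, "ip", "addr", "add", str(iface), "dev", sub],
            ["ip", "netns", "exec", ns, "ip", "link", "set", "dev", sub, "up"],
        ]
    return cmds

def run_commands(cmds: List[List[str]], dry_run: bool = True) -> None:
    """Print the plan, or execute it (needs root); check=True stops at the first failure."""
    for argv in cmds:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)

if __name__ == "__main__":
    # Constructed input: VLAN 10 -> 10.10.10.0/24 (as in the post), VLAN 20 -> 10.10.20.0/24
    run_commands(vlan_router_commands("router0", "br0", {10: "10.10.10.1/24", 20: "10.10.20.1/24"}))
```

Run it as-is to review the printed commands; pass dry_run=False only once the plan looks right for your bridge and namespace names.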

Firewall

You cannot have a network out in the open. That is why Linux provides you with netfilter. Netfilter is part of the kernel and provides you with iptables, which allows you to configure simple and also complex filtering rules. This subject shall be discussed in a separate post. If you wish to see all firewall rules on your machine you can run

iptables-save

The good news here is that you can have an isolated set of iptables rules inside your namespace without disturbing your host.
