Search This Blog

Sunday, February 15, 2015

GNS3 - VirtualBox Part 10: Debian/Ubuntu bridge-utils/iproute2 Layer 2 Switches

Debian and Ubuntu Linux provide Layer 2 bridges with the older (and deprecated) bridge-utils package and newer iproute2 package.  This article demonstrates implementing bridges using both.

Introduction

Default Debian/Ubuntu installations include the iproute2 package.  The "ip" family of commands is more stable then the commands it supersedes, such as arp, ifconfig and route.  The iproute2 package also supersedes two older Linux bridge packages: bridge-utils and vlan.  However, the author finds configuring networking in the /etc/network/interfaces file simpler using the bridge-utils package; definitions that require scripting using iproute2 require minimal statements using bridge-utils.  Thus, this article incorporates both iproute2 and bridge-utils commands to configure bridges.

Initial Configuration

The initial VirtualBox installation uses Ubuntu Server 14.04 with eight NICs, only one of which is configured.  The /etc/network/interfaces file consists of:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 10.64.0.2
netmask 255.255.255.0
gateway 10.64.0.1
dns-nameservers 192.168.1.1 8.8.8.8 4.4.4.4
This configures interface eth0 with an IP address, gateway and name servers, the first of which is the local wireless LAN router.  A Cisco 7206 router has two Gigabit Ethernet interfaces, one (10.64.0.1) for the Ubuntu switch and the other (172.16.0.2) for a connection to a tun/tap device on the host laptop.  The host laptop and Cisco 7206 routers use OSPF to manage routing from the virtual environment, local wireless LAN (192.168.1.0/24) and default gateway.

Configuring the Layer 2 Switch

As mentioned above, the author adds the bridge-utils package (sudo apt-get install bridge-utils).  The bridge-utils package provides several statements that are used in the /etc/network/interfaces file.  The iproute2 commands create the bridge and bridge-utils commands configure it at boot time.  The following is an annotated /etc/network/interfaces file:
auto lo
iface lo inet static

auto br0
iface br0 inet static
address 10.64.0.2
netmask 255.255.255.0
gateway 10.64.0.1
dns-nameservers 192.168.1.1 8.8.8.8 4.4.4.4
bridge_stp on #bridge-utils commad to enable Spanning Tree Protocol
bridge_waitport 0 #bridge-utils commad to set immediate availability
bridge_fd 0 #bridge-utils commad to set no forwarding delay
bridge_ports eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7 #bridge-utils commad to add ports to bridge
pre-up ip link add br0 type bridge && ip link set dev br0 up #iproute2 command to create and start the bridge interface

iface eth0 inet manual
iface eth1 inet manual
iface eth2 inet manual
iface eth3 inet manual
iface eth4 inet manual
iface eth5 inet manual
iface eth6 inet manual
iface eth7 inet manual
As previously noted, bridge-utils has been superseded by iproute2.  However, the simple configuration used here is stable.  More complex configurations may not be stable using bridge-utils commands and are likely more reliable using iproute2 scripts.

The bridge may be checked using several commands:
switch@phl-core:~$ ip addr
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 08:00:27:82:81:29 brd ff:ff:ff:ff:ff:ff
...
10: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 08:00:27:1d:86:04 brd ff:ff:ff:ff:ff:ff
    inet 10.64.0.2/24 brd 10.64.0.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::6854:53ff:fe4c:271/64 scope link
       valid_lft forever preferred_lft forever

This indicates eth0 (and the other seven NICs, omitted for brevity) are up and configured only with MAC addresses.  The bridge is up and configured with both MAC and IP interfaces.

switch@phl-core:~$ ip route
default via 10.64.0.1 dev br0
10.64.0.0/24 dev br0  proto kernel  scope link  src 10.64.0.2
This indicates all Layer 3 (IP) traffic is through the bridge interface.
switch@phl-core:~$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
10.64.0.1                ether   ca:02:10:48:00:06   C                     br0
switch@phl-core:~$ brctl showmacs br0
port no    mac addr        is local?    ageing timer
  7    08:00:27:1d:86:04    yes           0.00
  6    08:00:27:20:e5:3a    yes           0.00
  3    08:00:27:43:d0:28    yes           0.00
  1    08:00:27:82:81:29    yes           0.00
  2    08:00:27:9d:d2:0e    yes           0.00
  4    08:00:27:d9:9c:bb    yes           0.00
  8    08:00:27:f4:a0:8f    yes           0.00
  5    08:00:27:fd:e4:c1    yes           0.00
  1    ca:02:10:48:00:06    no           0.00

These two commands -- arp and brctl showmacs -- show MAC addresses of other devices known by the switch and the entire MAC address table (local and external).  In this case, the switch has entries for all of its local Ethernet devices and the Cisco 7206 router to which it is attached.

Adding Additional Switches

The original device used in this article (VirtualBox machine and Ubuntu host names "switch") is cloned to create additional switches.  Once the switch is working, you may change its /etc/hosts and etc/hostname files to reflect its working name, in this case phl-core, phl-servers and phl-storage.  The only change required in the /etc/network/interfaces file is the IP address of the bridge:  10.64.0.2 for phl-core, 10.64.0.4 for phl-servers and 10.64.0.5 for phl-storage.  Importantly, the default gateway for all switches is 10.64.0.1 -- the Cisco 7206 router.  Even though traffic from phl-servers and phl-storage must pass through phl-core, no Layer 3 processing (IP) is required because Ethernet frames are processed by phl-core using only MAC addresses at Layer 2.

As a check, issue the command "traceroute 8.8.8.8."  Traceroute operates at Layer 3 (IP); since phl-core operates at Laer 2, it does not appear in the trace and the first IP address hop from phl-servers and phl-storage is the Cisco 7206 router's 10.64.0.1 interface.

Ubuntu switches may be added throughout the GNS3 topology, replacing the native (and functionally limited) GNS3 switches.

Spanning Tree Protocol

Spanning Tree Protocol (STP) is a method of detecting bridge loops -- Physical Layer 1 cabling connections in which multiple paths to the same MAC address exist.  Bridging loop continuously forward frames and can eventually build to so much traffic the network becomes congested and unreliable.  STP is a protocol that detects bridge loops and automatically disables ports to logically eliminate them.

In the above switch topology, phl-core is connected to phl-servers (eth2 - eth0) and phl-storage (eth4 - eth0) using two cables.  There is no direct connection between phl-servers and phl-storage, so traffic between the two must pass through phl-core.  The "brctl showstp" command on phl-core will list both eth2 and eth4 as "forwarding," that is, operational.

If we add a cable linking phl-servers to phl-storage (eth1 - eth1), there is now a bridge loop.  For example, traffic from phl-core has two paths to eth0 on phl-servers:  one direct (eth2 - eth0) and the other through phl-storage (eth4 - eth0) and then from phl-storage to phl-servers (eth1 - eth1).  STP detects this loop and automatically shuts down a port.  The "brctl showstp" command on phl-core will now list eth2 as "blocking" and eth4 as "forwarding."  STP does not need to shut down any port on phl-servers and phl-storage; eth0 and eth1 on both remain in the "forwarding" state.  However, all traffic from phl-servers directly to phl-core is blocked and must pass through phl-storage instead.

This case illustrates how STP is an automated protocol whose decisions may result in suboptimal topologies.  The goal to directly connect the servers to the storage switches was achieved, but traffic from the servers to client networks now no longer passes directly to the core, but instead indirectly through the storage switch.

No comments :

Post a Comment