Learn by Creating Services¶
Following these short exercises we will be able to demonstrate how the Netris Controller, in conjunction with the Netris Agents deployed on the switches and SoftGates, is able to intelligently and automagically deploy the necessary configurations across the network fabric to provision the desired services within a matter of seconds.
V-Net (Ethernet/Vlan/VXlan)¶
Let’s create a V-Net service to give server srv05-nyc the ability to reach its gateway address.
In a terminal window:
SSH to server srv05-nyc:
ssh demo@216.172.128.201 -p 30065
.Enter the password provided in the introductory e-mail.
Type
ip route ls
and we can see 192.168.46.1 is configured as the default gateway, indicated by the “default via 192.168.46.1 dev eth1 proto kernel onlink” line in the output.Start a ping session towards the default gateway:
ping 192.168.46.1
Keep the ping running as an indicator for when the service becomes fully provisioned.
Until the service is provisioned, we can see that the destination is not reachable judging by the outputs in the form of “From 192.168.46.64 icmp_seq=1 Destination Host Unreachable”.
In a web browser: (*Fields not specified should remain unchanged and retain default values)
Log into the Netris Controller by visiting https://sandbox1.netris.io and navigate to Services → V-Net.
Click the + Add button in the top right corner of the page to get started with creating a new V-Net service.
Define a name in the Name field (e.g.
vnet-customer
).From the Sites drop-down menu, select “US/NYC”.
From the VLAN ID drop-down menu, select “Enter manually” and type in “46” in the field to the right.
From the Owner drop-down menu, select “Demo”.
From the IPv4 Gateway drop-down menu, select the “192.168.46.0/24(CUSTOMER)” subnet.
The first available IP address “192.168.46.1” is automatically selected in the second drop-down menu of the list of IP addresses. This matches the results of the
ip route ls
command output on srv05-nyc we observed earlier.From the Add Network Interface drop-down menu put a check mark next to both network interfaces “swp5(swp5 | srv05-nyc)@sw12-nyc (Demo)” and “swp5(swp5 | srv05-nyc)@sw21-nyc (Demo)”, which we can see are the interfaces where srv05-nyc is wired into when we reference the “Sandbox Topology diagram”.
The drop-down menu only contains these two network interfaces as they are the only interfaces that have been assigned to the Demo tenant.
Click the Add button.
Click the Add button at the bottom right of the “Add new V-Net” window and the service will start provisioning.
After just a few seconds, once fully provisioned, you will start seeing successful ping replies, similar in form to “64 bytes from 192.168.46.1: icmp_seq=55 ttl=64 time=1.66 ms”, to the ping that was previously started in the terminal window, indicating that now the gateway address is accessible from host srv05-nyc.
More details about V-Net (Ethernet/Vlan/VXlan) can be found on the the “V-Network” page.
E-BGP (Exterior Border Gateway Protocol)¶
Our internal network is already connected with the outside world so that our servers can communicate with the Internet through the E-BGP session with IRIS ISP1 named “iris-isp1-example”.
Optionally you can configure an E-BGP session to IRIS ISP2 for fault tolerance.
In a web browser: (*Fields not specified should remain unchanged and retain default values)
Log into the Netris Controller by visiting https://sandbox1.netris.io and navigate to Network → E-BGP.
Click the + Add button in the top right corner of the page to configure a new E-BGP session.
Define a name in the Name field (e.g.
iris-isp2-ipv4-customer
).From the Site drop-down menu, select “US/NYC”.
From the BGP Router drop-down menu, select “SoftGate2”.
From the Switch Port drop-down menu, select port “swp16(swp16 | ISP2)@sw02-nyc (Admin)” on the switch that is connected to the ISP2.
For the purposes of this exercise, the required switch port can easily be found by typing
ISP2
in the Search field.
For the VLAN ID field, type in
1012
while leaving the Untagged check-box unchecked.In the Neighbor AS field, type in
65007
.In the Local IP field, type in
45.38.161.22
.In the Remote IP field, type in
45.38.161.21
.Expand the Advanced section
In the Prefix List Outbound field, type in
permit 45.38.161.0/28 le 32
And finally click Add
Allow up to 1 minute for both sides of the BGP sessions to come up and then the BGP state on Network → E-BGP page as well as on Telescope → Dashboard pages will turn green, indication a successfully established BGP session. We can glean further insight into the BGP session details by navigating to Net → Looking Glass.
Make sure “vpc-1:Default” is selected from the VPC drop-down menu.
Select “SoftGate2(45.38.161.1)” (the border router where our newly created BGP session is terminated on) from the Hardware drop-down menu.
Leaving the Address Family drop-down menu on “Family: IPV4” and the Command drop-down menu on “Command: BGP Summary”, click on the Submit button.
We are presented with the summary of the BGP sessions terminated on SoftGate2. You can also click on each BGP neighbor name to further see the “Advertised routes” and “Routes” received to/from that BGP neighbor.
More details about E-BGP (Exterior Border Gateway Protocol) can be found on the the “BGP” page.
NAT (Network Address Translation)¶
Now that we have both internal and external facing services, we can aim for our srv05-nyc server to be able to communicate with the Internet.
In a terminal window:
SSH to server srv05-nyc:
ssh demo@216.172.128.201 -p 30065
.Enter the password provided in the introductory e-mail.
Start a ping session towards any public IP address (e.g.
ping 1.1.1.1
).Keep the ping running as an indicator for when the service starts to work.
Let’s configure a Source NAT so our Customer subnet 192.168.46.0/24, which is used in the V-Net services called vnet-customer, can communicate with the Internet.
In a web browser: (*Fields not specified should remain unchanged and retain default values)
Log into the Netris Controller by visiting https://sandbox1.netris.io and navigate to Network → NAT.
Click the + Add button in the top right corner of the page to define a new NAT rule.
Define a name in the Name field (e.g.
NAT Customer
).From the Site drop-down menu, select “US/NYC”.
From the Action drop-down menu, select “SNAT”.
Leave ALL selected in the Protocol drop-down menu.
In the Source Address field, type in
192.168.46.0/24
.In the Destination Address field, leave the default value of
0.0.0.0/0
.Toggle the switch from SNAT to Pool to SNAT to IP.
From the Select subnet drop-down menu, select the “45.38.161.4/30 (NAT)” subnet.
From the Select IP drop-down menu, select the “45.38.161.4/32” IP address.
This public IP address is part of 45.38.161.4/30 (NAT) subnet which is configured in the Network → IPAM section with the purpose of NAT and indicated in the SoftGate configurations to be used as a global IP for NAT by the “Netris SoftGate Agent”.
Click Add
Soon you will start seeing replies similar in form to “64 bytes from 1.1.1.1: icmp_seq=1 ttl=62 time=1.23 ms” to the ping previously started in the terminal window, indicating that now the Internet is reachable from srv05-nyc.
More details about NAT (Network Address Translation) can be found on the “NAT” page.
L3LB (Anycast L3 Load Balancer)¶
In this exercise we will quickly configure an Anycast IP address in the Netris Controller for two of our “ROH (Routing on the Host)” servers (srv01-nyc & srv02-nyc) which both have a running Web Server configured to display a simple HTML webpage and observe ECMP load balancing it in action.
In a web browser: (*Fields not specified should remain unchanged and retain default values)
Log into the Netris Controller by visiting https://sandbox1.netris.io and navigate to Services → ROH.
Click Edit from the Actions menu indicated by three vertical dots (⋮) on the right side of the “srv01-nyc” server.
From the IPv4 drop-down menu, select the “45.38.161.8/30 (L3 LOAD BALANCER)” subnet.
From the second drop-down menu that appears to the right, select the first available IP “45.38.161.8”.
Check the Anycast check-box next to the previously selected IP and click the Save button.
Repeat steps 3 through 4 for “srv02-nyc” by first clicking Edit from the Actions menu indicated by three vertical dots (⋮) on the right side of the “srv02-nyc” server.
While editing “srv02-nyc”, after selecting the “45.38.161.8” IP address , the Anycast check-box will already be automatically checked as we had designated the IP address as such in step 5.
In a new web browser window/tab:
Type in the Anycast IP address we just configured (45.38.161.8) into the browser’s address bar or simply visit http://45.38.161.8/.
Based on the unique hash calculated from factors such as source IP/Protocol/Port, the L3LB will use ECMP to load balance the traffic from your browser to either srv01-nyc or srv02-nyc, with the text on the website indicating where the traffic ended up.
It should be noted that the TCP session will continue to exist between the given end-user and server pair for the lifetime of the session. In our case we have landed on srv01-nyc.
In order to trigger the L3 load balancer to switch directing the traffic towards the other backend server (in this case from srv01-nyc to srv02-nyc, which based on the unique hash in your situation could be the other way around), we can simulate the unavailability of the backend server we ended up on by putting it in Maintenance mode.
Back in the Netris Controller, navigate to Services → L3 Load Balancer.
Expand the LB Vip that was created when we defined the Anycast IP address earlier by clicking on the > button to the left of “45.38.161.8 (name_45.38.161.8)”.
Click Action v to the right of the server you originally ended up on (in this case srv01-nyc).
Click Maintenance on.
Click Maintenance one more time in the pop-up window.
Back in the browser window/tab directed at the 45.38.161.8 Anycast IP address.
After just a few seconds, we can observe that now the website indicates that the traffic is routed to srv02-nyc (once more, your case could be opposite for you based on the original hash).
More details about AL3LB (Anycast L3 load balancer) can be found on the “L3 Load Balancer (Anycast LB)” page.
ACL (Access Control List)¶
Now that srv05-nyc can communicate with both internal and external hosts, let’s check Access Policy and Control options.
In a terminal window:
SSH to server srv05-nyc:
ssh demo@216.172.128.201 -p 30065
.Enter the password provided in the introductory e-mail.
Start a ping session:
ping 1.1.1.1
.If the previous steps were followed, you should see successful ping replies in the form of “64 bytes from 1.1.1.1: icmp_seq=55 ttl=62 time=1.23 ms”.
Keep the ping running as an indicator for when the service starts to work.
In a web browser: (*Fields not specified should remain unchanged and retain default values)
Log into the Netris Controller by visiting https://sandbox1.netris.io and navigate to Network → Sites.
Click Edit from the Actions menu indicated by three vertical dots (⋮) on the right side of the UC/NYC site.
From the ACL Default Policy drop-down menu, change the value from “Permit” to “Deny”.
Click Save.
Soon you will notice that there are no new replies to our previously started ping 1.1.1.1
command in the terminal window, indicating that the 1.1.1.1 IP address is no longer reachable. Now that the Default ACL Policy is set to Deny, we need to configure an ACL entry that will allow the srv05-nyc server to communicate with the Internet.
Back in the web browser: (*Fields not specified should remain unchanged and retain default values)
Navigate to Services → ACL.
Click the + Add button in the top right corner of the page to define a new ACL.
Define a name in the Name field (e.g.
V-Net Customer to WAN
).From the Protocol drop-down menu, select “ALL”.
In the Source field, type in
192.168.46.0/24
.In the Destination field, type in
0.0.0.0/0
.Click Add.
You can observer the status of the syncing process by clicking on the Syncing yellow label at the top right of the ACL windown. Once the Netris Controller has finished syncing the new ACL policy with all relevant member devices, the label will turn green and read as Synced. Back in the terminal window we can observer that the replies to our ping 1.1.1.1
command have resumed, indicating that the srv05-nyc server can communicate with the Internet once again..
More details about ACL (Access Control List) can be found on the “ACL” page.