17. Implementing an HA Switch with Location based filtering Capabilities

Introduction

This example shows the implementation of an HA switch with location analysis and filtering capabilities. The HA switch on Layer 2 is implemented by the “haswitch” BalanceNG module, the location filtering by the “lswitch” module. Both modules are available with BalanceNG V4 release 4.071 (and higher).

Hardware, Cabling and Network Setup

As hardware devices we are using a pair of “LES network+” mini Servers from Thomas Krenn, klick here for further details and availability.

Both machines have 16GB Ram and a 64 GB SSD disk and come preinstalled with Ubuntu Linux (Kernel 4.4.0-101).

As a very first step it is necessary to identify the physical NIC ports (and their correspondence to the Linux interfaces eth0-eth5). This can be quite easily done with ethtool and the -p option: The command “ethtool -l eth2 10” lets a physical LED on interface eth2 blink for 10 seconds, for example (see also this for more details and check the manual page of ethtool).

This schematic drawing shows the cabling and network setup of the BNG pair:

Cabling and Network Setup

  • eth0 and eth1 are connected to different internal management VLANs and not controlled by BNG. Mainly these are used to connect to the servers with ssh and to provide optional external connectivity for Linux updates and upgrades.
  • Interface eth2 of each machine is connected to the internal LAN (or VLAN).
  • Interface eth3 of each machine is connected to the external LAN, where also the router sits which provides external IPv4 and IPv6 connectivity.
  • Interfaces eth4 and eth5 are used by directly connecting both boxes (without any switch in between) in order to implement an redundant VRRP hardware link. Thus even a broken interface or cable is not a single point of failure.

BalanceNG installation and licensing (optional)

The installation of BalanceNG is quite simple and done with the “dpkg -i” command, here’s a typical dialog:

root@bng1:~# ls -l
total 2336
-rw-r--r-- 1 root root 2390304 Dec 20 12:14 balanceng_4.072_amd64.deb
root@bng1:~# dpkg -i balanceng_4.072_amd64.deb
(Reading database ... 158037 files and directories currently installed.)
Preparing to unpack balanceng_4.072_amd64.deb ...
Unpacking balanceng (4.072) over (4.072) ...
Setting up balanceng (4.072) ...
Updating startup-links...
...done!
Please restart BalanceNG as soon as possible to use the updated version
Processing triggers for systemd (229-4ubuntu21) ...
Processing triggers for ureadahead (0.100.0-19) ...
root@bng1:~#

For later licensing you may now retrieve the nodeid with the command “bng -N”:

root@bng1:~# bng -N
ab:d7:fb:27:28:94
root@bng1:~#

Configuration

The following configuration directives are important:

  • The module chain needs to be set to modules vrrp,arp,master,lfilter,haswitch.
  • Interface 1 and 2 needs to have switching enable set to be processed by the haswitch module.
  • Interface 2 needs additionally have scope external set to identify this interface to be external (for the lfilter module).
  • Network 1 is connected to the two interfaces 3 and 4 for hardware failure redundancy. The IP addressing here may be chosen freely, a bngsync connection is set up for synchronising the session table contents.
  • The IPv4 and IPv6 location databases both need to be loaded.
  • A location group X needs to be present, in this example a * initially allows all IPv4 and IPv6 locations to pass through.

Node 1 Configuration

//        configuration taken ...
//        BalanceNG ...
hostname  [BNG1]
license   INTEST-01 15a45385cea25d41c6246b5831cd8186
modules   vrrp,arp,master,lfilter,haswitch
set       sessiondlimit 50
interface 1 {
          name eth2
          access raw
          switching enablae
}         
interface 2 {
          name eth3
          access raw
          switching enable
          scope external
}         
interface 3 {
          name eth4
          access raw
}         
interface 4 {
          name eth5
          access raw
}         
register  interfaces 1,2,3,4
enable    interfaces 1,2,3,4
vrrp      {
          vrid 5
          priority 200
          network 1
}         
network   1 {
          addr 10.10.10.0
          mask 255.255.255.0
          real 10.10.10.5
          virt 10.10.10.1
          syncpeer 10.10.10.6
          interfaces 3,4
}         
register  network 1
enable    network 1
ipdb      "/opt/BalanceNG/IpToCountry.csv"
ipdb6     "/opt/BalanceNG/IpToCountry.6R.csv"
lgrp      X "*"
//        end of configuration

Node 2 Configuration

//        configuration taken ...
//        BalanceNG ...
hostname  [BNG2]
license   INTEST-02 a06de72515bcb3aee3ce5f99c70655b4
modules   vrrp,arp,master,lfilter,haswitch
set       sessiondlimit 50
interface 1 {
          name eth2
          access raw
          switching enable
}         
interface 2 {
          name eth3
          access raw
          switching enable
          scope external
}         
interface 3 {
          name eth4
          access raw
}         
interface 4 {
          name eth5
          access raw
}         
register  interfaces 1,2,3,4
enable    interfaces 1,2,3,4
vrrp      {
          vrid 5
          priority 200
          network 1
}         
network   1 {
          addr 10.10.10.0
          mask 255.255.255.0
          real 10.10.10.6
          virt 10.10.10.1
          syncpeer 10.10.10.5
          interfaces 3,4
}         
register  network 1
enable    network 1
ipdb      "/opt/BalanceNG/IpToCountry.csv"
ipdb6     "/opt/BalanceNG/IpToCountry.6R.csv"
lgrp      X "*"
//        end of configuration

Collecting Communication Statistics

The location based communication statistics may be shown on the current VRRP master with the “show module lfilter” command, a typical dialog looks like this:

root@bng2:~# bng control
BalanceNG: connected to PID 4260
[BNG2]-MASTER# show module lfilter

   general communication statistics:

         udp4 (in)   udp4(out)   tcp4 (in)   tcp4(out)   udp6 (in)   udp6(out)   tcp6 (in)   tcp6(out)
   AT                                 3020        2549                                                 Austria
   CA                                33563       36080                                                 Canada
   CH                                  588         456                                                 Switzerland
   CZ                                   10          12                                                 Czech Republic
   DE          137         137      120609       92067        1209                                     Germany
   DK                                  116         154                                                 Denmark
   EU                                 5100        4185                                  73          73 European Union
   FI                                 1825        1117                                                 Finland
   FR                                  741         794                                                 France
   GB                                12420       12550           9                      10          12 United Kingdom
   IE                                29262       29064                               24587       10233 Ireland
   JP                       46                                                                         Japan
   NL            1           1         751         888                                                 Netherlands
   NO                                 7100        1946                                                 Norway
   PL           16          18          16          19                                                 Poland
   RU                                  136         147                                                 Russian Federation
   US          230         245      498454      438116                                2707        4075 United States
   VG                                    6          14                                                 Virgin Islands (BRITISH)
   ZZ         9620     6116638          84         126                                                 Reserved
   -                                                            59         828                         *** NOT FOUND PSEUDO ENTRY ***

   packets dropped (not in location group X):

        0 IPv4 packets dropped
        0 IPv6 packets dropped

   location group settings:

   lgrp      X "*"

[BNG2]-MASTER#

The keyword “out” means here means that a packet has been received on an interface with scope internal (checking the destination address), the keyword “in” refers to packets received on “scope external” interface (thus checking the source address). Please note that the communication statisctics are available on the current VRRP master only.

Controlling Location Access

This is done by configuring the special location group X, packets that belong to this location group are passed by the “lfilter” module.

The following setting allows only packets to and from Germany and Austria to be forwarded (all others would be dropped), for example:

lgrp      X "DE,AT"

The following setting allows packets from and to all locations to be forwarded except those from Germany and Austria, for example:

lgrp      {
          X "*,!Y"
          Y "DE,AT"
}         

As soon as packets are being dropped by a location group X setting, the “packet dropped” counters are being updated accordingly.

Please have also a look at the BalanceNG User and Reference Manual for further information about the “lgrp” configuration command.