
IGW Principle of Operation, Installation, Configuration

Date post: 21-Oct-2015
Upload: naeem-shayan
Page 1: IGW Principle of Operation, Installation, Configuration

Panlab2 Interconnection Gateway (IGW)

Principle of operation, Installation, Configuration

Andre Steinbach, T-Systems, Andre.Boenick@t-systems.com, v.10-09-27

Page 2: IGW Principle of Operation, Installation, Configuration

What is and does an IGW?

• IGWs are border gateways of Panlab2 (P2) partner´s physical testbeds and take care of interconnecting Panlab customer´s virtual testbeds. They are foreseen to “mesh” automatically and so establish connections to other peer IGWs.

• Goal was to make them as self-configuring as possible. For such meshing of all IGWs a stateless low overhead tunneling was chosen, without usage of proprietary inter-IGW protocols.

• It is NOT planned for the normal P2 customer to deal with the IGW resource. Only partners setting up a physical P2 testbed need to deal with it. In best case the IGW resource is completely hidden from customer, even in planning (VCT tool).

Page 3: IGW Principle of Operation, Installation, Configuration

IGW principle of operation (external)

• All running IGWs will automatically mesh with each other, using TCP Port 22 for authentication and registration.

• To avoid countless tunnels (one for each interconnected testbed (VCT)) only one outer IP-in-IP “interconnection tunnel” (RFC4251) between each IGW is established.

• Inside such “interconnection tunnels” one “Layer2 (L2) tunnel” (RFC2661) per VCT makes sure that the right collision domains of all sites get chained.
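The nesting described on this slide, decoded layer by layer, as an added example that is not part of the original slides or of the IGW code. It assumes IPv4 throughout and an RFC 2661 header directly after the inner UDP header; the addresses, tunnel ID and session ID in `sample_packet` are constructed.

```python
import struct

IPIP, UDP, L2TP_PORT = 4, 17, 1701   # IP protocol numbers and the L2TP UDP port

def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); reject truncated or non-IPv4 input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or not ihl <= total <= len(pkt):
        raise ValueError("inconsistent IPv4 lengths")
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(pkt[12:16]), dotted(pkt[16:20]), pkt[9], pkt[ihl:total]

def parse_l2tp(data):
    """RFC 2661 header: return (is_control, tunnel_id, session_id)."""
    if len(data) < 2 or data[1] & 0x0F != 2:
        raise ValueError("not L2TP version 2")
    off = 4 if data[0] & 0x40 else 2      # L bit set: a Length field comes first
    if len(data) < off + 4:
        raise ValueError("truncated L2TP header")
    tunnel_id, session_id = struct.unpack("!HH", data[off:off + 4])
    return bool(data[0] & 0x80), tunnel_id, session_id

def classify(pkt):
    """Walk outer IP-in-IP -> inner IPv4 -> UDP/1701 -> L2TP header."""
    o_src, o_dst, proto, inner = parse_ipv4(pkt)
    if proto != IPIP:
        raise ValueError("outer packet is not IP-in-IP (protocol 4)")
    i_src, i_dst, proto, udp = parse_ipv4(inner)
    if proto != UDP or len(udp) < 8 or L2TP_PORT not in struct.unpack("!HH", udp[:4]):
        raise ValueError("inner packet is not UDP on port 1701")
    control, tunnel_id, session_id = parse_l2tp(udp[8:])
    return {"igw_peers": (o_src, o_dst), "control": control,
            "tunnel_id": tunnel_id, "session_id": session_id}

def sample_packet():
    """Constructed capture: L2TP data message, tunnel 7, session 1."""
    l2tp = struct.pack("!HHH", 0x0002, 7, 1) + b"frame"
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp
    inner = build_ipv4("10.0.0.1", "10.0.0.2", UDP, udp)
    return build_ipv4("192.0.2.10", "198.51.100.20", IPIP, inner)
```

Seen from outside, the traffic between two IGWs is IP protocol 4 only; the per-tunnel L2TP identifiers become visible only after the outer header is removed.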

Page 4: IGW Principle of Operation, Installation, Configuration

Virtual customer testbed (VCT) „Physical partner sites“ vs. „Virtual VCT“ view

Page 5: IGW Principle of Operation, Installation, Configuration

IGW principle of operation (internal)

• Once IGWs are meshed externally, they are ready to route VCT payload between test sites. What test sites get chained is commanded by the Teagle and VCT planning tool.

• Data streams between resources are shielded all along the way from each other. On the local domain (test site Ethernet) tagged VLAN (IEEE 802.1Q) is used for that purpose and between IGWs one separate L2 tunnel per VCT.

• Each IGW that terminates a L2 tunnel is firewalling this interface to take care that only allowed address spaces get interconnected.

Page 6: IGW Principle of Operation, Installation, Configuration

IGW shielded resource interconnection

Page 7: IGW Principle of Operation, Installation, Configuration

IGW information resources

• Since IGW is an ongoing development, there are several living documents and sources of information located in the wiki.

• For the most frequent questions and answers, please visit http://trac.panlab.net/trac/wiki/IGW_FAQ

• For IGW operation related links and documentation, please visit http://trac.panlab.net/trac/wiki/IGW_VM

• For Teagle and PTM related access to the IGW, please visit http://trac.panlab.net/trac/wiki/IGW_RA

• The current IGW virtual server machine image can be downloaded at http://141.39.79.118/download/P2_IGW.rar

Page 8: IGW Principle of Operation, Installation, Configuration
Page 9: IGW Principle of Operation, Installation, Configuration

IGW setup preparations

• The IGW´s core functionalities are based on Linux Kernel and implemented for Linux RPM-based (e.g. RedHat, CentOS, SuSe) machines. Currently it is delivered inside a virtual image.

• Download current IGW virtual server machine image for VMware and make sure this machine is guaranteed at least 256MB of RAM.

• Bridge the virtual “Network Adapter 1” Interface (sometimes just called “Network Adapter”) directly to the host system´s physical public interface and the virtual “Network Adapter 2” Interface directly to the host system´s physical testbed internal interface.

• Do NOT use any NATed or heavily firewalled connections and make sure you have a static non-private IP address towards public internet.

Page 10: IGW Principle of Operation, Installation, Configuration

IGW setup preparations

• Important !! If you or your infrastructure staff operate an external firewall in front of IGW, make sure the following ports and protocols are open to the world:

  • RFC4251 - SSH (TCP, port 22)
  • RFC2661 - L2TP (UDP, port 1701)
  • RFC2003 - IPIP tunneling (“next level protocol” 4, RFC790)
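An added example (not from the original slides) that checks a firewall ruleset for the three flows listed above. It assumes the external firewall is Linux netfilter and that its rules are available in `iptables-save` text form, neither of which the page states; only single-port `--dport` matches are understood, and the sample ruleset is constructed.

```python
import shlex

# Flows the slide requires: name -> (accepted protocol spellings, destination port)
REQUIRED = {"SSH": ({"tcp", "6"}, "22"),
            "L2TP": ({"udp", "17"}, "1701"),
            "IPIP": ({"4", "ipencap", "ipv4"}, None)}   # protocol 4 has no ports
PLAIN = {"-p", "-m", "--dport", "-j"}    # options that add no further condition

def arg(tok, flag):
    return tok[tok.index(flag) + 1] if flag in tok[:-1] else None

def parse(dump, chain):
    """Return (default policy, [(proto, dport, target, narrowed), ...])."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == ":" + chain:
            policy = tok[1]
        elif tok[:2] == ["-A", chain]:
            narrowed = any(t == "!" or t[:1] == "-" and t not in PLAIN for t in tok[2:])
            rules.append((arg(tok, "-p"), arg(tok, "--dport"), arg(tok, "-j"), narrowed))
    return policy, rules

def verdict(policy, rules, protos, port):
    """First-match result for traffic arriving from any source address."""
    for proto, dport, target, narrowed in rules:
        if (proto not in (None, "all") and proto not in protos) or \
           (dport is not None and dport != port) or \
           target not in ("ACCEPT", "DROP", "REJECT"):   # LOG, user chains: skipped
            continue
        if narrowed and target == "ACCEPT":
            continue                  # admits only part of the traffic; keep looking
        if narrowed:
            return "conditional"      # drops part of the traffic; review by hand
        return "open" if target == "ACCEPT" else "blocked"
    return "open" if policy == "ACCEPT" else "blocked"

def audit(dump, chain="INPUT"):
    policy, rules = parse(dump, chain)
    return {name: verdict(policy, rules, protos, port)
            for name, (protos, port) in REQUIRED.items()}

# Constructed sample ruleset: SSH limited to one source, protocol 4 never allowed.
SAMPLE = """\
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
"""
```

For the sample, `audit(SAMPLE)` reports L2TP as open and both SSH and IPIP as blocked: a port-based ruleset says nothing about IP protocol 4, which needs its own protocol rule.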

Page 11: IGW Principle of Operation, Installation, Configuration

IGW setup

Page 12: IGW Principle of Operation, Installation, Configuration

IGW setup

• After that, just boot the virtual machine and all necessary services will be started automatically.

• At the first boot, or if no meaningful configuration exists, the IGW will prompt an input window for external communication parameters. This is important since IP address, network mask, IP default gateway and domain name system parameters can not be auto-configured.

Page 13: IGW Principle of Operation, Installation, Configuration

IGW setup

• When prompted, choose “Edit Devices”.

• Do only select and modify the eth0 interface. The eth1 interface needs to be present but untouched.

Page 14: IGW Principle of Operation, Installation, Configuration

IGW setup

• Insert the usual public IP parameters. The IGW´s external interface is not allowed to use private IP parameters, DHCP configuration or to operate behind a NATing network access device.

Page 15: IGW Principle of Operation, Installation, Configuration

IGW setup

• After modifying the eth0 parameters, save the changes and go back to main menu.

• As a last step go to the DNS configuration menu.

Page 16: IGW Principle of Operation, Installation, Configuration

IGW setup

• Enter the partner name (e.g. EiCT, UoP, TSI, etc.) into the hostname field and up to three existing domain name servers of your choice. Proceed with Ok and go back to main menu.

• This procedure is only applied the first time the IGW boots. Thereafter the IGW will try to connect and mesh with other available IGWs as well as the local PTM.

Page 17: IGW Principle of Operation, Installation, Configuration

IGW operation

• The boot process ends showing a configuration and monitoring summary of the internal and external interfaces to overview IGW´s connectivity behavior. See below the automatic configured fields (green) and the ones that can be chosen by and (red and yellow).

Page 18: IGW Principle of Operation, Installation, Configuration
Page 19: IGW Principle of Operation, Installation, Configuration

“VCT access” connectivity for customers

• IGWs support a procedure called “VCT access” in which the customer can connect a terminal or small infrastructure with the created VCT and be part of it.

• Technically the tunneling protocol L2TP was used to ensure remote access on ISO/OSI L2 and upwards. This type of connection should be used if no local IGW connection is available.

Page 20: IGW Principle of Operation, Installation, Configuration

“VCT access” connectivity for customers

• “VCT access” is a function in which the customer can connect a terminal or small infrastructure with the created VCT and be part of it. Technically the tunnelling protocol L2TP was used to ensure remote access on ISO/OSI L2 and upwards. This type of connection should be used if no local IGW connection is available.

• The following slides present an example for a single Microsoft Windows terminal. Make sure to open UDP Port 1701 on your firewall! Open start menu of the taskbar and select to run the „regedit“ tool:

Pages 21 to 28: IGW Principle of Operation, Installation, Configuration

“VCT access” connectivity for customers (image-only slides)
