Thursday, August 21, 2014

Load Balancing Lab setup

Virtual Loadbalancers

Nowadays, you don't need a physical load balancer to set up a lab. Almost every vendor offers a "virtual appliance", which is just their appliance repackaged as a virtual machine:

Here is a list of a few such virtual loadbalancers:

There are even open source alternatives such as:

So building a virtual lab on a laptop is just one download away, isn't it?

No, there are two missing pieces: a network topology with a router, and web servers with content that is suitable for such labs.

Luckily for you, I have just set up such a lab, and I welcome you to use it as well.

Network topology

Basic topology

The usual loadbalancer lab looks like this:

But this is not how loadbalancers are usually deployed. And it's also not the best way to deploy them, as not all traffic needs to go through the loadbalancer.

Realistic topology

Topology and IP addresses
The laptop is the only physical device here. Everything else is virtualized.

The router and the servers are running OpenBSD 5.6 snapshot Aug 8, 2014.

The host/laptop will be used as the client for testing.

If you are using just one loadbalancer, make sure its IP address ends with .100 or ::100, as some routing depends on that.

VMWare setup

You will need to create 4 new networks. Here is my VMWare Workstation setup:

VMWare networks
Here is a short reference:
  • Name:
    • For each interface on the list, VMWare creates a virtual interface on the host with the same Name. We will use that later to add IPv6 addresses and IPv4/IPv6 routes.
  • Type: 
    • Host-only means that your host/laptop has connectivity to that network, and it also has an IP address on that network.
    • Custom means that your host/laptop is not connected to that network and that the network is used for VM to VM communication.
  • Subnet Address:
    • For type Custom, where the host is not connected, it's not really important what the IP address is, but it's a good reference.
    • For type Host-only the IP address is actually important, as VMWare will configure the host's interface with an address from that network, usually .1
And here is how the GW VM is configured. You will need to match your own VMNet names to mine, using the network IP address as a key. The most important thing is the order of the network adapters:


Host/Laptop IPv6 configs

We need to add IPv6 addresses to the Host-only VMNet interfaces:

C:\Users\dan.shechter>netsh interface ipv6 add address "VMware Network Adapter VMnet12" fc00:3::100/64

C:\Users\dan.shechter>netsh interface ipv6 add address "VMware Network Adapter VMnet13" fc00:4::100/64

Now would be a good time to verify your host connectivity by pinging:

  1. 10.136.3.254
  2. 10.136.4.254
  3. fc00:3::254
  4. fc00:4::254


Routing

We need to add routes on the laptop/host to get to the loadbalancers and to the VIPs.


| Route | Purpose |
|---|---|
| 10.136.85.0/24, fc00:85::/64 | This is where the real web servers are. This is also used for VIPs with client NAT/SNAT |
| 10.136.1.0/24, fc00:1::/64 | Some loadbalancers require separate management interface. |
| 10.136.5.0/24, fc00:5::/64 | VIP network, which is routed by the router directly to the loadbalancer 10.136.85.100 or fc00:85::100 addresses. |
| 10.136.6.0/24, fc00:6::/64 | Same as above but the host will use the 10.136.3.0 or the fc00:3:: network to get there. The web servers are configured to send replies to 10.136.3.0 or fc00:3:: through the loadbalancer 10.136.85.100 or fc00:85::100 addresses. |

Here is a network diagram to show the routes:

This setup allows different VIPs to be used in different network configurations:



| Client Network | VIP | SNAT | Logical VIP | DSR |
|---|---|---|---|---|
| 10.136.4.0/24, fc00:4::/64 | 10.136.8.150-250, fc00:85::150-250 | X | | |
| 10.136.4.0/24, fc00:4::/64 | 10.136.5.X, fc00:5::X | X | X | |
| 10.136.5.0/24, fc00:5::/64 | 10.136.6.X, fc00:6::X | | X | |
| 10.136.4.0/24, fc00:4::/64 | 10.136.85.199, fc00:85::199 | | | X |

Here is an explanation of the columns:
  1. Client Network - The client IP address from which the http/https connection is coming. As we set the routing on the host/laptop, the source IP address is determined by those routes, and more specifically, by which interface the connection is sourced from.
  2. SNAT - or Client NAT. The loadbalancer needs to use client NAT/SNAT to get the replies from the web server back to it. For VIPs which do not need that, the web servers are configured to route traffic to the client via the loadbalancer .100 or ::100 address.
    That is the sole reason why the host is connected to the router via two interfaces.
  3. Logical VIP - VIP addresses that do not belong to a directly connected network.
  4. DSR - Direct Server Return/L4 Performance/Local Triangulation. That address is also configured as a loopback interface on the web servers.

Host static routes

The GW and the web server routing is preconfigured. Only the host/laptop needs to be configured:


C:\Users\dan.shechter>netsh interface ipv4 add route 10.136.85.0/24 "VMware Network Adapter VMnet13" 10.136.4.254
Ok.


C:\Users\dan.shechter>netsh interface ipv4 add route 10.136.5.0/24 "VMware Network Adapter VMnet13" 10.136.4.254
Ok.


C:\Users\dan.shechter>netsh interface ipv6 add route fc00:85::/64 "VMware Network Adapter VMnet13" fc00:4::254
Ok.


C:\Users\dan.shechter>netsh interface ipv6 add route fc00:5::/64 "VMware Network Adapter VMnet13" fc00:4::254
Ok.


C:\Users\dan.shechter>netsh interface ipv4 add route 10.136.6.0/24 "VMware Network Adapter VMnet12" 10.136.3.254
Ok.


C:\Users\dan.shechter>netsh interface ipv6 add route fc00:6::/64 "VMware Network Adapter VMnet12" fc00:3::254
Ok.

C:\Users\dan.shechter>netsh interface ipv6 add route fc00:1::/64 "VMware Network Adapter VMnet13" fc00:4::254
Ok.


C:\Users\dan.shechter>netsh interface ipv4 add route 10.136.1.0/24 "VMware Network Adapter VMnet13" 10.136.4.254
Ok.

After we are done with the configuration we can test connectivity.
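To see why each VIP range ends up with a different client network, here is an added example (not part of the original lab files) that models the host routing table built by the netsh commands above and applies longest-prefix matching. The shortened interface names, the helper names and the rule that DSR VIPs never need SNAT are assumptions made for this sketch.

```python
import ipaddress

# Host routes after the netsh commands: (prefix, interface, next hop).
# Interface names are shortened from "VMware Network Adapter VMnetNN".
# Entries with next hop None are the connected Host-only networks.
ROUTES = [
    ("10.136.3.0/24", "VMnet12", None), ("fc00:3::/64", "VMnet12", None),
    ("10.136.4.0/24", "VMnet13", None), ("fc00:4::/64", "VMnet13", None),
    ("10.136.85.0/24", "VMnet13", "10.136.4.254"), ("fc00:85::/64", "VMnet13", "fc00:4::254"),
    ("10.136.5.0/24", "VMnet13", "10.136.4.254"), ("fc00:5::/64", "VMnet13", "fc00:4::254"),
    ("10.136.1.0/24", "VMnet13", "10.136.4.254"), ("fc00:1::/64", "VMnet13", "fc00:4::254"),
    ("10.136.6.0/24", "VMnet12", "10.136.3.254"), ("fc00:6::/64", "VMnet12", "fc00:3::254"),
]
# Client networks whose replies the web servers route back via the loadbalancer.
RETURN_VIA_LB = {"10.136.3.0/24", "fc00:3::/64"}
# DSR VIP addresses from the table above.
DSR_VIPS = {ipaddress.ip_address(a) for a in ("10.136.85.199", "fc00:85::199")}

def lookup(dst):
    """Longest-prefix match: return (interface, next_hop, client_network)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, hop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface, hop)
    if best is None:
        raise LookupError(f"no lab route to {dst}")
    _, iface, hop = best
    # The source address is taken from the connected network on that interface.
    client_net = next(p for p, i, h in ROUTES
                      if i == iface and h is None
                      and ipaddress.ip_network(p).version == addr.version)
    return iface, hop, client_net

def needs_snat(vip):
    """True when server replies would bypass the loadbalancer without SNAT."""
    if ipaddress.ip_address(vip) in DSR_VIPS:
        return False  # assumption: DSR replies go straight to the client by design
    return lookup(vip)[2] not in RETURN_VIA_LB

if __name__ == "__main__":
    for vip in ("10.136.85.150", "10.136.5.10", "10.136.6.10",
                "10.136.85.199", "fc00:6::10"):
        print(vip, lookup(vip), "SNAT" if needs_snat(vip) else "no SNAT")
```
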

Web servers

Users

user: cisco
password: cisco!@34

Same for the gateway. Use sudo for root commands.

Web page

Browsing directly to 10.136.85.1 shows:


A few things to notice:

SRVX

Everything inside the table is an iFrame, which means it gets loaded on its own.

Web server #1 will return SRV1 and images with 1 in them.
Web server #2 will return SRV2 and images with 2 in them.
Web server #3 will return SRV3 and images with 3 in them.

That is how we can detect which server answered a specific request.

CSS

The HTTP page uses a CSS file named http.css with a blue background.
The HTTPS page uses a CSS file named https.css with a red background.
There are two more CSS files, green.css and yellow.css. You can use them for iRules / AppShape manipulations.

Directories

You have alpha, beta and gamma directories, which you can use as a server selector.

Images

In the images directory there are the following files: number1.jpg, number2.jpg and number3.jpg.

On each server X, number.jpg will point to numberX.jpg, but you can manipulate that.

JavaScript

By default the page will load scripts/flash.js. There is also scripts/flash_fast.js for your iRules / AppShape manipulations.

404 Error

That is on purpose. To fix that, you need the client to request here.html, or make the server think that the client has requested here.html instead of not_here.

VMWare/vbox images

Last but not least here are the OVA (virtual appliance) images:
Enjoy...

Thursday, August 7, 2014

OpenStack training

There are two buzzwords floating around: Cloud and SDN.

They are even closely related.

For now, SDN is mostly a buzzword but Cloud is actually something people are using daily, such as AWS, Azure, Rackspace, Google and others.

As a network engineer, my chances of touching or even seeing the details of the backends of those public clouds are quite small. However, private clouds are different.

With private clouds, as it was with VMWare installations, network engineers are expected to be able to support and install the network side of things.

So I have decided to jump in and learn private clouds. And for me, the best way to learn is always hands-on.

OpenStack has these online training guides: http://docs.openstack.org/training-guides/content/

I'll jump right in and do the Operator Training Guide.

I'll publish a series of posts with my experience with the training material, and I'll update this post with links to all of the posts.