Panlab2Interconncetion Gateway(IGW)

P i i l of Principle foperation, ti I Installation, t ll ti C Configuration fi ti

AndreSteinbach,TSystems

Andre.Boenick@tsystems.com

v.100927

WhatisanddoesanIGW?
IGW IGWs are border b d gateways t of f Panlab2 P l b2 (P2) partners t physical h i l testbeds and take care of interconnecting Panlab customers virtual testbeds. They are foreseen to mesh automatically and d so establish t bli h connections ti t other to th peer IGWs IGW possible For Goal was to make them as selfconfiguring as possible. such meshing of all IGWs a stateless low overhead tunneling was chosen, without usage of proprietary interIGW protocols It is NOT planned for the normal P2 customer to deal with the IGW resource. Only partners setting up a physical P2 testbeds need to deal with it. In best case the IGW resource is completely hidden from customer, even in planning (VCT tool)

IGWprincipleofoperation(external)
All running i IGWs IGW will ill automatically t ti ll mesh h with ith each h other, using TCP Port 22 for authentication and registration To avoid countless tunnels (one for each )) only y one outer IPin interconnceted testbed (VCT)) IP interconncetion tunnel (RFC4251) between each IGW is established Inside such interconnection tunnels one Layer2

(L2) tunnel (RFC2661) per VCT makes sure that th right the i ht collision lli i d domains i of f all ll sites it get t chained

Virtualcustomertestbed(VCT)
Physical partner sitesvs.VirtualVCTview

IGWprincipleofoperation(internal)
O Once IGWs IGW are meshed h d externally, t ll they th are ready d to route VCT payload between test sites. What test sites get chained is commanded by the Teagle and VCT planing tool Data streams between ressources are shielded all along the way from each other. On the local domain (test site Ethernet) tagged VLAN (IEEE 802 1Q) is 802.1Q) i used d for f that th t purpose and d between b t IGWs one seperated L2 tunnel per VCT. Each IGW that terminates a L2 tunnel is firewalling this interface to take care that only allowed address p get interconnected. g spaces

IGWshieldedresourceinterconnection

IGWinformationresources
Since IGW is an ongoing development, l there h are several l living l documents and sources of information located in the wiki For the h most frequent f questions and d answers , please l visit http://trac.panlab.net/trac/wiki/IGW_FAQ F For IGW operation i related l d links li k and d documentation, d i please l visit ii http://trac.panlab.net/trac/wiki/IGW_VM F For Teagle T l and d PTM related l d access to the h IGW, IGW please l visit ii http://trac.panlab.net/trac/wiki/IGW_RA Th The current t IGW virtual i t l server machine hi image i can be b downloaded d l d d at t http://141.39.79.118/download/P2_IGW.rar

IGWsetuppreparations
The h IGWs core functionalities f l are based b on Linux Kernel l and implemented for Linux RPMbased (e.g. RedHat, CentOS, SuSe) machines. Currently y it is delivered inside a virtual image. g Download current IGW virtual server machine image for VMware and make sure this machine is guaranteed at least 256MB of RAM. RAM Network Adapter 1 1 Interface (sometimes just Bridge the virtual Network called Network Adapter) directly to the host systems physical public interface and the virtual Network Adapter 2 Interface directly to the host system systems s physical testbed internal interface Do NOT use any NATed or heavily firewalled conncetions and make sure you have a static nonprivate IP address towards public internet

IGWsetuppreparations
Important !! If you or you infrastructure staff operate p an external firewall in front of IGW, make sure the following ports and protocolls are open to the world . RFC4251 SSH (TCP,port22) RFC2661 L2TP (UDP port1701) (UDP, RFC2003 IPIPtunneling (nextlevelprotocol4,RFC790)

IGWsetup

IGWsetup
Afterthat,justbootthevirtualmachineandall necessaryserviceswillbestartedautomatically. Atthefirstboot, boot orifnomeaningful configurationexists,theIGWwillpromptaninput window i d for f external t lcommunication i ti parameters. t ThisisimportantsinceIPaddress,networkmask, IPdefault d f l gatewayand ddomain d i namesystem parameterscannotbeautoconfigured.

IGWsetup

Whenprompted,chooseEditDevices. Doonlyselectandmodifytheeth0interface. Theeth1interfaceneedstobepresentbut untouched. untouched

IGWsetup

InserttheusualpublicIPparameters.TheIGWs external t linterface i t f is i not tallowed ll dto t useprivate i t IP parameters,DHCPconfigurationortooperate behindaNATingnetworkaccessdevice.

IGWsetup

After f modification f eth0parameters,savethe changesandgobacktomainmenu. AsalaststepgototheDNSconfigurationmenu. menu

IGWsetup
Enterthepartnername (e.g.EiCT,UoP,TSI,etc.) intothehostnamefield andup ptothreeexisting g domainnameservers ofyourchoice.Proceed withOkandgobackto mainmenu.

ThisprocedureisonlyappliedthefirsttimetheIGW boots.ThereaftertheIGWwilltrytoconnectand meshwithotheravailableIGWsaswellasthelocal PTM.

IGWoperation

Thebootp processendsshowing gaconfiguration g and monitoringsummaryoftheinternalandexternalinterfacesto overviewIGWsconnectivitybehavior.Seebelowthe automaticconfiguredfields(green)andtheonesthatcanbe chosenbyand(redandyellow).

VCT VCTaccess accessconnectivityfor customers

IGW IGWssupportaprocedure d called ll dVCTaccess i inwhich hi hthe h customercanconnectaterminalorsmallinfrastructurewith thecreatedVCTandbepartofit. Technicallythetunneling protocol t lL2TPwasused dto t ensureremoteaccesson ISO/OSIL2andupwards. Thistypeofconnection shouldbeusedifnolocal IGWconnectionis available.

VCT VCTaccess accessconnectivityforcustomers

VCTaccess is i afunction f ti in i which hi hthe th customer t can connectaterminalorsmallinfrastructurewiththe createdVCTandbep partofit.Technically ythe tunnellingprotocolL2TPwasusedtoensureremote accessonISO/OSIL2andupwards.Thistypeof connectionshouldbeusedifnolocalIGWconnection isavailable. Thefollowingslidespresentanexampleforasingle Micosoft Windowsterminal.MakesuretoopenUDP P 1701onyourfi Port firewall ll!Open O startmenuof fthe h taskbarandselecttoruntheregedittool:

VCT VCTaccess accessconnectivityforcustomers

VCT VCTaccess accessconnectivityforcustomers

VCT VCTaccess accessconnectivityforcustomers

VCT VCTaccess accessconnectivityforcustomers

VCT VCTaccess accessconnectivityforcustomers

VCT VCTaccess accessconnectivityforcustomers

VCT VCTaccess accessconnectivityforcustomers