Posted to users@cloudstack.apache.org by Ben Kincaid <st...@gmail.com> on 2017/02/21 17:23:17 UTC

Network implementation question

Hi List,

I am currently in the process of evaluating several KVM management
packages in order to replace some old vSphere.

I have been running up test labs with the following:

* Cloudstack obviously
* oVirt
* OpenNebula
* Proxmox
* Ganeti

While I am more than happy to script up a few CLI tools and interact
with Libvirt directly, that isn’t going to work for most end users of
this infrastructure.

I am running into a bit of a challenge around the networking aspect
of what I am trying to create here, since most of these management
tools assume you are building an all-in-one box deployment, or you
manage your own network infrastructure in your datacenter.


We have 6 soon to be 8 boxes in a remote DC, and we don’t have any
flexibility around the networking.

Each box has one NIC, with a public IP, and we have a couple of /27
address ranges to use.  We need to specify which port on the switch
that /27 will be going to.

So what I would like to do is build a private address network across
all 8 boxes, either using something like PeerVPN / Tinc or the new VPN
features built into Vswitch. I would then put that on vmbr1, for
example.

Vmbr0 would be the public internet port on each box, and on one box I
would run up an instance of PFSense or similar in a VM which I would
route the /27’s to and then forward them to IPs on the internal IP
pool.

Does Cloudstack have the ability to manage a network structure such as
this, and if so how might I go about it? I must admit after reading
the docs and launching a test lab I couldn’t work out how to build
such a structure.

As a side note, I had extreme difficulties getting the packages to
build on Ubuntu 16.04 and ended up using the pre-built packages on
Ubuntu 14.04 instead, just to get a test environment set up. I see
there is already a ticket open against this issue, though.

Thanks for such a great piece of software, and I appreciate any
suggestions or advice anyone can offer on this issue.

Re: Network implementation question

Posted by Felipe Arturo Polanco <fe...@gmail.com>.
Hi Ben,

What you are looking for is called a network overlay: it provides the needed
L2 on top of the existing L3 network so you can create VLANs and subnets
all the way through. Open vSwitch provides this functionality with mGRE and
VXLAN tunnels. Basically, instead of separating the traffic with VLANs, it
creates tunnels between the hosts, and each separated network runs in its
own tunnel, thus providing segmentation.

Check the CloudStack documentation on virtual network providers and
see which of them is best suited for you.


Re: Network implementation question

Posted by Ben Kincaid <st...@gmail.com>.
Thanks for your reply Jeromy.

To be honest I doubt they will do that; their degree of helpfulness in
the past hasn’t extended much beyond power cycling a box if required,
and they won’t even connect the second NIC on each box to a private VLAN
for management traffic.

Whatever solution I go with is basically constrained to software,
which is why I was thinking of a mesh VPN type setup. It’s not ideal, but
I’m not sure what other options I have.

I have the most experience with Cisco and OpenVPN, but in this case I
think something a bit more distributed would be better, and also something
that can handle multicast traffic, which both Tinc and SoftEther claimed
to do.

I’ve also seen quite a few references to VDE2 in the libvirt
documentation, but I haven’t had a chance to fully explore that yet.

Finally I've seen a few blog posts recently around OVN from the
OpenVSwitch team, which looks like it's perfectly suited to my use
case, but I'm not sure how I'd go integrating it with CloudStack.

https://www.sdxcentral.com/sdn/network-virtualization/definitions/what-is-open-virtual-network-ovn-how-it-works/

Thanks for your suggestions :)

Ben


RE: Network implementation question

Posted by Jeromy Grimmett <je...@cloudbrix.com>.
Ben,

Do you have the ability to tell the provider at the DC to make the 1 port connected to the 1 NIC in the host a "trunk" port?

If you are able to get a couple of VLANs on that port, you can then create subinterfaces on the single NIC on each host and move the traffic across the VLANs as needed.

Let me know the answer to that question, and maybe I can come up with another idea for you if that won't work.

j

Jeromy Grimmett
P: 603.766.3625
jeromy@cloudbrix.com
www.cloudbrix.com

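Jeromy's VLAN subinterfaces and Felipe's VXLAN tunnels both segment traffic by labelling it, and the decoder below (an added example, not code from the thread or from CloudStack, Open vSwitch or any other project named here) walks a constructed VXLAN-in-UDP frame carrying an 802.1Q-tagged inner frame to show where the 12-bit VLAN ID and 24-bit VNI sit. It also shows that the tenant payload inside the tunnel is plain bytes to anyone on the path, which is why an overlay built over the hosts' public addresses still wants an encrypted transport such as the mesh VPN Ben describes underneath it; the MAC and 203.0.113.x addresses are constructed sample values.

```python
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port
ETH_P_8021Q = 0x8100    # 802.1Q VLAN tag ethertype
ETH_P_IP = 0x0800
IPPROTO_UDP = 17

def parse_ethernet(frame):
    """Split an Ethernet frame; pull the 12-bit VLAN ID if an 802.1Q tag is present."""
    dst, src, etype = struct.unpack_from("!6s6sH", frame, 0)
    offset, vlan_id = 14, None
    if etype == ETH_P_8021Q:
        tci, etype = struct.unpack_from("!HH", frame, offset)  # TCI, then real ethertype
        vlan_id, offset = tci & 0x0FFF, offset + 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": etype,
            "vlan_id": vlan_id, "payload": frame[offset:]}

def parse_vxlan(frame):
    """Walk outer Ethernet -> IPv4 -> UDP/4789 -> VXLAN header -> inner frame."""
    outer = parse_ethernet(frame)
    if outer["ethertype"] != ETH_P_IP:
        raise ValueError("outer frame is not IPv4")
    ip = outer["payload"]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    _sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", ip, ihl)
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP port {dport} is not VXLAN")
    vx = ip[ihl + 8:ihl + 16]               # 8-byte VXLAN header
    if not vx[0] & 0x08:                    # I flag: the VNI field is valid
        raise ValueError("VXLAN I flag not set")
    return {"outer_src": ".".join(map(str, ip[12:16])),
            "outer_dst": ".".join(map(str, ip[16:20])),
            "vni": int.from_bytes(vx[4:7], "big"),   # 24-bit network identifier
            "inner": parse_ethernet(ip[ihl + 16:])}  # tenant frame, not encrypted

def build_sample_frame(vni=5001, vlan_id=100, payload=b"cleartext tenant data"):
    """Constructed sample (not a capture): a VLAN-tagged frame tunnelled in VXLAN.
    203.0.113.11/.12 are documentation addresses standing in for two hosts' public IPs."""
    inner = (bytes.fromhex("02aabbccdd01") + bytes.fromhex("02aabbccdd02")
             + struct.pack("!HHH", ETH_P_8021Q, vlan_id, ETH_P_IP) + payload)
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(vxlan) + len(inner),
                     0, 0, 64, IPPROTO_UDP, 0, bytes([203, 0, 113, 11]), bytes([203, 0, 113, 12]))
    outer_eth = bytes.fromhex("02ddccbbaa01") + bytes.fromhex("02ddccbbaa02") + struct.pack("!H", ETH_P_IP)
    return outer_eth + ip + udp + vxlan + inner
```

Point `parse_vxlan` at frames captured on the public-facing NIC to see what a neighbour on that segment would see of the overlay.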