Tuesday, 12 May 2020

Integrating Ansible with VOSS

What is X:

  1. Ansible is an open-source software provisioning, configuration management, and application-deployment tool.
  2. VOSS (VSP Operating System Software) is the network operating system that runs on Extreme Networks VSP switches.

What you need to prepare:

  1. OS for your Ansible host (I am using Ubuntu 18.04 LTS on Hyper-V with Multipass) --- download Multipass here
  2. VOSS image (I am using VOSS 8.1) --- download image here
  3. Hypervisor for your Ansible & VOSS (I am using Hyper-V)
  4. GNS3 all-in-one (download here)
  5. GNS3 VM for Hyper-V (download here) --- or download it from the GNS3 all-in-one installation wizard. Note: if you are not using Hyper-V, select the GNS3 VM build for your hypervisor, with the same version as the GNS3 all-in-one package. Follow the instructions at the bottom of this page.
  6. VOSS GNS3 template import file (download here)

Implementation:

  • After installing Multipass, you can launch an ubuntu-lts instance on Hyper-V.

  • Install Ansible on the ubuntu-lts instance as described in my previous blog post.
  • Install GNS3 all-in-one. Check the "GNS3 VM" option, then Next... Next... Finish.
  • Boot the GNS3 VM. Make sure it has an IP address assigned and is reachable.
  • Open GNS3 and import the appliance file (*.gns3a): "File > Import appliance". Set the maximum vCPU count and half of your total RAM. If the import succeeds, you can drag VOSS 8.1 from the left-hand menu into the topology.
  • Add a cloud node to your topology as shown below.

  • Assign an IP address to your mgmt port. I am using the subnet 172.17.176.32/28.


  • Set up your Ansible playbook.

  • Run ansible-playbook.


Side note:
You cannot convert the qcow2 image to a vhdx file with qemu-img and then use it as the virtual disk when creating the VM; it will not boot into VOSS. Also, you cannot add more than 8 network adapters to a VM in Hyper-V. So GNS3 is the solution. I never tried it on KVM/QEMU.


Integrating Ansible with VyOS

What is X:

  1. Ansible is an open-source software provisioning, configuration management, and application-deployment tool.
  2. VyOS is a Linux-based network operating system that provides software-based network routing, firewall, and VPN functionality.

What you need to prepare:

  1. OS for your Ansible host (I am using Ubuntu 18.04 LTS on Hyper-V with Multipass) -- download Multipass here
  2. VyOS image (I am using vyos-1.1.8-amd64) -- download image here
  3. Hypervisor for your Ansible & VyOS (I am using Hyper-V)

Implementation:

  • After installing Multipass, you can launch an ubuntu-lts instance on Hyper-V.

  • Install VyOS on Hyper-V
Create the virtual switches 'Internal' and 'External':

Create a new VM on Hyper-V:
- Log in to VyOS with the default credentials vyos/vyos (change this password before the box is reachable from anywhere but your lab)
- Install VyOS to disk with the command "install system"
- After the installation succeeds, unmount the DVD/ISO so that the VM boots from the HDD.

Configure interfaces eth0 and eth1 on VyOS:
  • Install Ansible on your Ubuntu instance

  • Integrate Ansible with VyOS
Configure the SSH service:
Set up your playbook for VyOS:
Run your ansible-playbook:
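The playbooks in both posts above (VOSS and VyOS) only survive as screenshots, so the following is an added example playbook that covers both integrations; it is not the author's playbook. It assumes an inventory with groups `vyos` and `voss` whose hosts have `ansible_host` set inside the 172.17.176.32/28 management subnet, an SSH key installed for a user `ansible` on VyOS, the VOSS password defined as `vault_voss_password` in an ansible-vault encrypted vars file, and the `ansible.netcommon`, `vyos.vyos` and `community.network` collections installed. The interface addresses, user names and show commands are illustrative.

```yaml
# site.yml: added example, not the playbook from the original posts.
# Assumed: inventory groups "vyos" and "voss" with ansible_host set inside 172.17.176.32/28,
# an SSH key for user "ansible" on VyOS, and vault_voss_password defined in an Ansible Vault file.
- name: Manage VyOS 1.1.8 over SSH
  hosts: vyos
  gather_facts: false
  vars:
    ansible_connection: ansible.netcommon.network_cli
    ansible_network_os: vyos.vyos.vyos
    ansible_user: ansible                                   # not the default vyos/vyos account
    ansible_ssh_private_key_file: ~/.ssh/ansible_ed25519
  tasks:
    - name: Configure the LAN interface (eth0 is the management side, already addressed by hand)
      vyos.vyos.vyos_config:
        lines:
          - set interfaces ethernet eth0 description MGMT
          - set interfaces ethernet eth1 address 192.168.10.1/24
          - set interfaces ethernet eth1 description LAN

    - name: Lock down the SSH service Ansible itself logs in through
      vyos.vyos.vyos_config:
        lines:
          - set service ssh port 22
          - set service ssh listen-address 172.17.176.34
          - set service ssh disable-password-authentication
        save: true

    - name: Verify the hardening is active in the running configuration
      vyos.vyos.vyos_command:
        commands:
          - show configuration commands | match ssh
      register: ssh_cfg
      failed_when: "'disable-password-authentication' not in ssh_cfg.stdout[0]"

- name: Manage VOSS 8.1 over SSH
  hosts: voss
  gather_facts: false
  vars:
    ansible_connection: ansible.netcommon.network_cli
    ansible_network_os: community.network.voss
    ansible_user: rwa                                       # VOSS read-write-all account; rotate its default password
    ansible_password: "{{ vault_voss_password }}"           # comes from an ansible-vault encrypted vars file
  tasks:
    - name: Save a copy of the running configuration before any change
      community.network.voss_config:
        backup: true

    - name: Collect software version and system information
      community.network.voss_command:
        commands:
          - show sys software
          - show sys-info
      register: voss_out

    - name: Show what the switch reported
      ansible.builtin.debug:
        var: voss_out.stdout_lines
```

Run it as `ansible-playbook -i inventory.ini site.yml --ask-vault-pass`, first with `--check --diff` to see what would change. Leave `host_key_checking` at its default of True in ansible.cfg and put the devices' SSH host keys in ~/.ssh/known_hosts up front; switching it off to get past the first-connection prompt removes the only thing that stops a man-in-the-middle on the management network from collecting the credentials Ansible sends.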


Tuesday, 25 October 2011

PPP Principle

Components of PPP :
→ Datagram encapsulation method: defines how multi-protocol datagrams are encapsulated
→ Link Control Protocol (LCP): defines how the data-link connection is established, configured, and tested
→ Network Control Protocols (NCPs): a family of protocols for establishing connections and negotiating parameters for the different network-layer protocols (e.g. IPCP for IP)

PPP frame (what goes inside the HDLC-like framing):
| Protocol (2B) | Information | Padding (optional) |
                \______ at most the MRU (Maximum Receive Unit) [default: 1500 bytes] ______/
Protocol field values:
  0x0021 : IP datagram
  0xC021 : LCP
  0x8021 : IP Control Protocol (IPCP)

PPP in HDLC-like framing (RFC 1662):
| Flag     | Address  | Control  | PPP frame | FCS     | Flag     |
| 01111110 | 11111111 | 00000011 | *         | 16 bits | 01111110 |
  \_____ fixed HDLC-style header _____/               \__ HDLC-style trailer __/
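The framing above in working code, as an added example (not from the original post): it builds a PPP frame inside HDLC-like framing, computes the 16-bit FCS from RFC 1662 (CRC-16/X-25, low byte transmitted first), and on receive checks the flags, the FCS residue, the Address/Control constants, the MRU, and dispatches on the Protocol field. The sample LCP packet and the IP payload are constructed here; byte stuffing for asynchronous links is deliberately left out.

```python
import struct

# PPP in HDLC-like framing (RFC 1662): Flag | Address | Control | Protocol | Info | FCS | Flag
PPP_FLAG, PPP_ADDRESS, PPP_CONTROL = 0x7E, 0xFF, 0x03
PPP_INIT_FCS16 = 0xFFFF   # initial FCS register value
PPP_GOOD_FCS16 = 0xF0B8   # residue left when the FCS is run over data plus its own FCS
PROTOCOLS = {0x0021: "IP", 0xC021: "LCP", 0x8021: "IPCP"}


def _make_fcs_table():
    # Reflected CRC-16 with polynomial x^16 + x^12 + x^5 + 1 (0x8408 reversed), RFC 1662 Appendix C
    table = []
    for byte in range(256):
        v = byte
        for _ in range(8):
            v = (v >> 1) ^ 0x8408 if v & 1 else v >> 1
        table.append(v)
    return table


FCS_TABLE = _make_fcs_table()


def fcs16(data, fcs=PPP_INIT_FCS16):
    """Run the FCS register over data (the pppfcs16() routine from RFC 1662)."""
    for byte in data:
        fcs = (fcs >> 8) ^ FCS_TABLE[(fcs ^ byte) & 0xFF]
    return fcs


def ppp_fcs(data):
    """The FCS value actually transmitted: ones-complement of the register (CRC-16/X-25)."""
    return fcs16(data) ^ 0xFFFF


def build_frame(protocol, info, padding=b""):
    """Wrap a PPP payload in HDLC-like framing. Byte stuffing for async links is not applied."""
    body = bytes([PPP_ADDRESS, PPP_CONTROL]) + struct.pack("!H", protocol) + info + padding
    fcs = ppp_fcs(body)
    return bytes([PPP_FLAG]) + body + struct.pack("<H", fcs) + bytes([PPP_FLAG])  # FCS low byte first


def parse_frame(frame, mru=1500):
    """Validate framing, FCS and MRU; return (protocol name, protocol number, information field)."""
    if len(frame) < 8 or frame[0] != PPP_FLAG or frame[-1] != PPP_FLAG:
        raise ValueError("missing flag octets")
    body = frame[1:-1]
    if fcs16(body) != PPP_GOOD_FCS16:          # FCS covers Address..Information; check with its own trailer
        raise ValueError("bad FCS, frame corrupted")
    if body[0] != PPP_ADDRESS or body[1] != PPP_CONTROL:
        raise ValueError("unexpected Address/Control field")
    protocol = struct.unpack("!H", body[2:4])[0]
    info = body[4:-2]
    if len(info) > mru:                        # the peer must not exceed our negotiated MRU
        raise ValueError("information field exceeds MRU")
    return PROTOCOLS.get(protocol, "unknown"), protocol, info


def frame_is_valid(frame, mru=1500):
    try:
        parse_frame(frame, mru)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: an LCP Configure-Request with identifier 1 and no options (length 4).
    lcp = build_frame(0xC021, bytes([0x01, 0x01, 0x00, 0x04]))
    print(lcp.hex(), parse_frame(lcp))
    corrupted = lcp[:6] + bytes([lcp[6] ^ 0x01]) + lcp[7:]
    print("corrupted frame accepted?", frame_is_valid(corrupted))
```

The receiver checks the FCS before it looks at anything else, so a garbled Protocol field or an oversized Information field is rejected before any protocol handler runs; the MRU check is what stops a peer from pushing more than the negotiated buffer size.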

Messages Used by LCP Negotiation
→ Configure-Request: starts negotiation of the link-layer parameters between the two ends
→ Configure-Ack: all negotiated option values are acceptable
→ Configure-Nak: an option is recognised but its value is not acceptable (the reply carries values that would be)
→ Configure-Reject: an option is not recognised or not negotiable
→ Terminate-Request: asks to close the connection; retransmitted up to 2 times at 3 s intervals, and if no Terminate-Ack arrives the connection is closed anyway
→ Terminate-Ack: acknowledges a Terminate-Request from the peer
→ Echo-Request: checks the status of the link [sent every 10 s on VRP]
→ Echo-Reply: tells the peer that the link is up

[Success] LCP negotiation: RTA sends a Configure-Request (CR) to RTB; RTB answers with a Configure-Ack (CA). If no CA arrives, the CR is retransmitted every 3 s, up to 10 times.
[Unsuccessful]: RTA sends a CR; RTB answers with a Configure-Nak (CN); RTA resends a modified CR. At most 5 such rounds.
[Unidentified]: RTA sends a CR; RTB cannot identify an option, so it returns a Configure-Reject (CJ); RTA resends the CR with the rejected options removed.

<photo>

Principle of PAP Authentication Mode → 2-way handshake
RTA [Authenticator] –––––––––––––––– RTB [Authenticated]
RTB → Authenticate-Request (user name + password, both in cleartext) → RTA (authenticator).
RTA → Authenticate-Ack / Authenticate-Nak → RTB.
Because PAP puts the password on the wire in the clear, anyone who can capture the link learns it and can replay it; prefer CHAP.

Principle of CHAP Authentication Mode → 3-way handshake
RTA [Authenticator] –––––––––––––––– RTB [Authenticated]
→ RTA sends a Challenge (an identifier plus a random value). RTB computes MD5(identifier + password + challenge), a 16-byte digest, and sends a Response packet (CHAP user name + digest) to the authenticator. RTA recomputes the digest from its own copy of the password and replies Success or Failure. The password never crosses the link, and a fresh random challenge per attempt means a captured Response cannot be replayed; a captured challenge/response pair still allows an offline dictionary attack, so the shared secret must be strong.
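The CHAP exchange above, with both sides' packets, as an added example (not code from the original post). It encodes and decodes RFC 1994 CHAP packets, has the authenticator (RTA) issue a random one-shot challenge and compare the digest in constant time, has the peer (RTB) compute MD5(identifier || secret || challenge), and then replays the captured Response to show it is refused. The shared secret and the names RTA/RTB are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

# CHAP packet codes (RFC 1994)
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_digest(identifier, secret, challenge):
    """The 16-byte digest both sides compute: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_chap(code, identifier, value, name=b""):
    """Encode a CHAP packet: Code | Identifier | Length | [Value-Size | Value | Name] or [Message]."""
    body = bytes([len(value)]) + value + name if code in (CHAP_CHALLENGE, CHAP_RESPONSE) else value
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_chap(packet):
    """Decode a CHAP packet into (code, identifier, value_or_message, name)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("CHAP Length field does not match packet size")
    body = packet[4:]
    if code in (CHAP_CHALLENGE, CHAP_RESPONSE):
        size = body[0]
        return code, identifier, body[1:1 + size], body[1 + size:]
    return code, identifier, body, b""


class Authenticator:
    """RTA: issues challenges, verifies responses, and never accepts the same challenge twice."""

    def __init__(self, secrets):
        self.secrets = secrets        # peer name -> shared secret
        self.pending = {}             # identifier -> outstanding challenge value
        self.next_id = 0

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF
        value = os.urandom(16)        # fresh, unpredictable challenge for every attempt
        self.pending[ident] = value
        return build_chap(CHAP_CHALLENGE, ident, value, b"RTA")

    def check(self, response):
        code, ident, digest, name = parse_chap(response)
        value = self.pending.pop(ident, None)   # one-shot: a replayed Response finds no challenge
        secret = self.secrets.get(name.decode(errors="replace"))
        ok = (code == CHAP_RESPONSE and value is not None and secret is not None
              and hmac.compare_digest(chap_digest(ident, secret, value), digest))
        if ok:
            return build_chap(CHAP_SUCCESS, ident, b"Welcome")
        return build_chap(CHAP_FAILURE, ident, b"Authentication failed")


def peer_respond(challenge, name, secret):
    """RTB: answer a Challenge with MD5(id || secret || challenge) plus its CHAP user name."""
    code, ident, value, _ = parse_chap(challenge)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a Challenge packet")
    return build_chap(CHAP_RESPONSE, ident, chap_digest(ident, secret, value), name.encode())


def run_exchange(name, peer_secret, authenticator_secrets):
    """Full 3-way exchange, then replay the captured Response. Returns (first code, replay code)."""
    rta = Authenticator(authenticator_secrets)
    chal = rta.challenge()
    resp = peer_respond(chal, name, peer_secret)
    first = parse_chap(rta.check(resp))[0]
    replay = parse_chap(rta.check(resp))[0]   # an eavesdropper resending what it captured
    return first, replay


if __name__ == "__main__":
    # Constructed secrets; in practice both sides read them from their PPP configuration.
    secrets = {"RTB": b"ppp-shared-secret"}
    print(run_exchange("RTB", b"ppp-shared-secret", secrets))   # Success, then Failure on replay
    print(run_exchange("RTB", b"wrong-secret", secrets))        # Failure both times
```

Two details matter for security here: the authenticator pops the pending challenge before comparing, so even a correct digest is refused the second time, and the comparison uses hmac.compare_digest so timing does not leak how many digest bytes matched.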

Network Control Protocol
NCP uses the same message mechanism (CR, CA, CN, CJ) as LCP, but it runs only after LCP has opened the link and does not change LCP's state.
→ NCP static configuration
→ NCP dynamic configuration (IPCP address assignment): CR (IP address option 0.0.0.0) → CN carrying the address to use → CR with that address → CA; then the other side's CR2 → CA

HDLC Protocol


High-level Data Link Control: a bit-oriented link-layer protocol that runs on synchronous serial links.
→ The protocol is independent of any character set.
→ Frames are transmitted transparently: the "0-bit insertion" method (bit stuffing) that makes this possible can be implemented in hardware.
→ Full-duplex communication is supported; data can be transmitted continuously without waiting, so link utilisation is high.
→ All frames carry a CRC (the FCS) and are numbered, so no frame is lost or received twice; transmission reliability is high.
→ Transmission control is separated from processing, which makes HDLC flexible and controllable.

| Flag     | Address | Control | Information | FCS | Flag     |
| 01111110 |         |         |             |     | 01111110 |

Types of HDLC Frame
→ Information frame (I-frame): carries the user data; the first bit of the control field is "0"
→ Supervisory frame (S-frame): error and flow control; the first two bits of the control field are "10". It has no information field, so the whole frame is 48 bits (8+8+8+16+8).
→ Unnumbered frame (U-frame): used to set up, tear down and control the link; the first two bits of the control field are "11"
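The 0-bit insertion that gives HDLC its transparency, plus framing and the I/S/U classification, as an added example (not code from the original post). Bits are handled as strings of "0"/"1" for readability; the sample frame contents and the dummy FCS bytes are constructed, and the receiver treats a one after five ones as a flag or abort sequence rather than data.

```python
FLAG = "01111110"   # the HDLC flag: six consecutive ones, which can never appear in stuffed data


def bits_from_bytes(data):
    return "".join(f"{b:08b}" for b in data)


def bytes_from_bits(bits):
    if len(bits) % 8:
        raise ValueError("payload is not a whole number of octets")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def stuff(bits):
    """0-bit insertion: after five consecutive ones insert a zero, so the flag pattern cannot occur."""
    out, ones = [], 0
    for b in bits:
        out.append(b)
        if b == "1":
            ones += 1
            if ones == 5:
                out.append("0")
                ones = 0
        else:
            ones = 0
    return "".join(out)


def unstuff(bits):
    """Remove the inserted zeros; a one after five ones means a flag or abort sequence, not data."""
    out, ones, i = [], 0, 0
    while i < len(bits):
        b = bits[i]
        out.append(b)
        if b == "1":
            ones += 1
            if ones == 5:
                i += 1
                if i >= len(bits) or bits[i] != "0":
                    raise ValueError("flag/abort sequence inside frame data")
                ones = 0
        else:
            ones = 0
        i += 1
    return "".join(out)


def is_stuffed_data(bits):
    try:
        unstuff(bits)
        return True
    except ValueError:
        return False


def frame(address, control, information, fcs):
    """Flag | Address | Control | Information | FCS | Flag, with everything between the flags stuffed."""
    inner = bytes([address, control]) + information + fcs
    return FLAG + stuff(bits_from_bytes(inner)) + FLAG


def deframe(bits):
    """Find the flags, unstuff what lies between them and split it back into the HDLC fields."""
    start = bits.find(FLAG)
    end = bits.find(FLAG, start + len(FLAG))
    if start < 0 or end < 0:
        raise ValueError("no complete frame between flags")
    inner = bytes_from_bits(unstuff(bits[start + len(FLAG):end]))
    if len(inner) < 4:
        raise ValueError("frame too short for Address, Control and FCS")
    return {"address": inner[0], "control": inner[1], "information": inner[2:-2], "fcs": inner[-2:]}


def frame_type(control):
    """Classify by the first transmitted (least significant) bits of the control field."""
    if control & 0x01 == 0:
        return "I"          # Information frame: bit 1 is 0, carries N(S)/N(R)
    if control & 0x03 == 0x01:
        return "S"          # Supervisory frame: bits "10" (RR, RNR, REJ, SREJ)
    return "U"              # Unnumbered frame: bits "11" (SABM, UA, DISC, UI, ...)


if __name__ == "__main__":
    # Constructed frame: address 0xFF, control 0x03 (UI), data containing a flag byte, dummy FCS.
    bits = frame(0xFF, 0x03, b"\x7e\xff\x00", b"\x12\x34")
    print(FLAG in stuff(bits_from_bytes(b"\x7e\xff\xff")), deframe(bits), frame_type(0x01))
```

Note that a payload byte of 0x7E survives the round trip because stuffing breaks up its run of six ones, and that an S-frame with no information field (address 0x01, control 0x01, two FCS bytes) really does come out at 48 bits when nothing in it needs stuffing.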

Frame Relay


Features:
→ Data is transmitted in frames (access rates of 64 kbit/s to 2 Mbit/s)
→ Bandwidth multiplexing and dynamic bandwidth allocation
→ As a simplified X.25 WAN protocol, it performs statistical multiplexing, transparent transmission of frames and error detection at the data link layer, but does not retransmit (recovery is left to higher layers)
→ It provides bandwidth management (CIR) and congestion-avoidance mechanisms (the FECN, BECN and DE bits)
→ FR uses connection-oriented switching and offers SVC and PVC services

FR Interface Types
→ DTE : Data Terminal Equipment
→ DCE : Data Circuit-terminating Equipment
→ NNI : Network-to-Network Interface
DLCI : Data Link Connection Identifier, significant only on the local FR link [10-bit field, 0-1023; 16-1007 are available for user PVCs; 0 (ANSI/ITU-T LMI) and 1023 (non-standard LMI) are reserved for LMI]

Virtual Circuit : → at most 1024 VCs per physical link (the DLCI space)
→ PVC (Permanent Virtual Circuit) : configured by the operator; once established it stays valid
→ SVC (Switched Virtual Circuit) : set up and released on demand by signalling → for bursty traffic

LMI (Local Management Interface) → reports PVC status between DTE and DCE. Three variants: ANSI T1.617 Annex D, ITU-T Q.933 Annex A, and the non-standard (pre-standard) LMI; both ends of a link must run the same one.

<photo_inverse_ARP>

<photo_horizontal_splitting_and_FR>

<photo_FR_sub-interface>

VLAN Technology Principle

Before VLANs (one flat broadcast domain per switched network):
→ Network security is poor: every host sees every broadcast and can reach every other host at layer 2.
→ Network efficiency is low: unnecessary broadcast packets waste bandwidth and CPU resources.
→ Service expansion capability is poor (e.g. Ethernet frames used for network management cannot be forwarded with higher priority).

VLAN Tag: +4 bytes inserted after the source address (IEEE 802.1Q)
| DA | SA | +TAG | TYPE | DATA     | FCS |
| 6B | 6B | 4B   | 2B   | 46-1500B | 4B  |
|– TPID (Tag Protocol Identifier): fixed 2-byte value, 0x8100 for an 802.1Q tag
|– TCI (Tag Control Information): 2 bytes {
   → Priority (PCP): 3 bits [0-7] → provides differentiated forwarding service
   → CFI (Canonical Format Indicator): 1 bit [for Token Ring/FDDI media access; now redefined as DEI]
   → VLAN ID: 12 bits [0-4095; 0 and 4095 are reserved, so 1-4094 are usable] → controls the forwarding of the Ethernet frame
}

Implement VLAN in the following way :
→ Port-based: a Port VLAN ID (PVID, the port's default VLAN) is configured on every port. An untagged frame received on the port gets the PVID as its VLAN ID.
→ MAC-based: a mapping table between MAC address and VLAN ID. An untagged frame gets the VLAN ID found in the mapping table for its source MAC.
→ Protocol-based: a mapping table between the protocol (type) field of the Ethernet frame and VLAN ID. An untagged frame gets the VLAN ID found in the mapping table.
→ Subnet-based: the VLAN ID is added according to the IP address information in the packet.
Priority order from high to low: subnet → protocol → MAC → port. Port-based is the common method.

Ports of switch divided into three types:
Access : only frames whose VLAN ID equals the port's PVID pass through the port; an untagged frame received from the peer device is tagged with the PVID; frames sent by an access port are always untagged. Switch ports are access ports by default, with PVID 1. VLAN 1 is created by the system and cannot be deleted.
Trunk : the VLAN ID can equal the PVID or differ from it. Ingress: a tagged frame whose VLAN ID is not in the permitted list is discarded. Egress: a frame whose VLAN ID equals the PVID is sent after the tag is removed (each port has exactly one PVID); a frame whose VLAN ID differs from the PVID is forwarded with the tag unchanged.
Hybrid : an untagged frame is handled as on an access port (tagged with the PVID); a VLAN that is not configured as untagged on the port is handled as on a trunk (sent tagged); VLANs configured as untagged are sent without a tag, so one port can untag several VLANs.
Example (VRP): with the configuration below, hosts on e0/1 (VLAN 2) and e0/2 (VLAN 3) cannot reach each other, but both reach the server on e0/24 (VLAN 99):
[e0/1]  port link-type hybrid
[e0/1]  port hybrid pvid vlan 2
[e0/1]  port hybrid vlan 2 untagged
[e0/1]  port hybrid vlan 99 untagged

[e0/2]  port link-type hybrid
[e0/2]  port hybrid pvid vlan 3
[e0/2]  port hybrid vlan 3 untagged
[e0/2]  port hybrid vlan 99 untagged

[e0/24] port link-type hybrid
[e0/24] port hybrid pvid vlan 99
[e0/24] port hybrid vlan 2 to 3 untagged

GVRP (GARP VLAN Registration Protocol) → creates and propagates VLANs automatically between switches over trunk ports
[] gvrp
[] interface e0/1
[ ] port link-type trunk
[ ] port trunk permit vlan all
[ ] gvrp
Caveat: with GVRP enabled and all VLANs permitted, whatever the neighbour registers gets created on this switch, so enable it only on trunks towards switches you control.

STP Principle

The Problem of Looping
→ broadcast storm
→ MAC table flapping

Calculation Process of Spanning Tree → exchange information and parameters in BPDU
→ Select one bridge as the root bridge among all bridges, based on the bridge ID (2-byte bridge priority [0-65535, default 32768] + 6-byte MAC address); the smallest ID wins, so the lowest configured priority, then the lowest MAC, becomes root.
→ Calculate the shortest path from the current bridge to the root bridge.
→ For every shared network segment, select the bridge nearest to the root bridge as the designated bridge, responsible for forwarding data on that segment.
→ For every non-root bridge, select one root port: the port with the smallest root path cost (the cost accumulated along the path to the root; 802.1D adds the cost of the port on which the BPDU is received, and on VRP a 100M port costs 200). If the path costs are equal, compare the bridge IDs of the upstream switches; if still tied, the port whose upstream (designated) port has the smallest port ID wins. Port ID: 1-byte port priority [default 128] + 1-byte port number.
→ Then select the designated port on every segment, other than the root ports, comparing in order: root path cost → bridge ID → port ID. On the root bridge, all ports are designated ports of their connected segments.

Switch port role :
→ root port : the port on a non-root bridge that is nearest to the root switch; it is in the forwarding state
→ designated port : forwards data from the root side of the network onto the segment it connects to, and from that segment towards the root; all ports of the root bridge are designated
→ alternate port : backup port; it does not forward any data onto the segment it connects to, but keeps receiving BPDUs
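The election and role assignment above carried out in code, as an added example (not from the original post): it builds bridge IDs and port IDs as described, picks the root, finds each bridge's root port with the stated tie-breakers (root path cost, then upstream bridge ID, then upstream port ID, then own port ID), and assigns designated and alternate roles per link. The three-switch triangle with 100M links (VRP cost 200) is constructed for the demo, and the last function shows why BPDU guard / root guard matters: a bridge with priority 0 plugged into an edge port simply wins the election.

```python
from collections import defaultdict


def bridge_id(priority, mac):
    """8-byte bridge ID: 2-byte priority (default 32768) followed by the 6-byte MAC; smaller wins."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def port_id(number, priority=128):
    """Port ID: 1-byte port priority (default 128) followed by the port number."""
    return (priority << 8) | number


def stp_roles(bridges, links):
    """bridges: {name: bridge_id}; links: [(bridge_a, port_a, bridge_b, port_b, cost)].
    Returns (root bridge name, {(bridge, port): role}) with role in root/designated/alternate."""
    root = min(bridges, key=bridges.get)               # smallest bridge ID becomes root
    adj = defaultdict(list)
    for a, pa, b, pb, cost in links:
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))
    INF = float("inf")
    # best[b] = (root path cost, upstream bridge ID, upstream port ID, own port ID)
    best = {name: (INF, INF, INF, INF) for name in bridges}
    via = {name: None for name in bridges}             # port through which best[b] was learnt
    best[root] = (0, bridges[root], 0, 0)
    changed = True
    while changed:                                     # relax until every bridge has its best path
        changed = False
        for b in bridges:
            if b == root:
                continue
            for own, up, up_port, cost in adj[b]:
                if best[up][0] == INF:
                    continue
                cand = (best[up][0] + cost, bridges[up], port_id(up_port), port_id(own))
                if cand < best[b]:
                    best[b], via[b], changed = cand, own, True
    roles = {}
    for a, pa, b, pb, cost in links:
        # designated end of a link: lowest root path cost, then bridge ID, then port ID
        ka = (best[a][0], bridges[a], port_id(pa))
        kb = (best[b][0], bridges[b], port_id(pb))
        des, des_p, oth, oth_p = (a, pa, b, pb) if ka < kb else (b, pb, a, pa)
        roles[(des, des_p)] = "designated"
        roles[(oth, oth_p)] = "root" if via[oth] == oth_p else "alternate"
    return root, roles


# Constructed triangle of three switches with default priority and 100M links (VRP cost 200).
BRIDGES = {
    "S1": bridge_id(32768, "00:00:00:00:00:01"),
    "S2": bridge_id(32768, "00:00:00:00:00:02"),
    "S3": bridge_id(32768, "00:00:00:00:00:03"),
}
LINKS = [("S1", 1, "S2", 1, 200), ("S1", 2, "S3", 1, 200), ("S2", 2, "S3", 2, 200)]


def rogue_root_demo():
    """Plug an attacker-controlled bridge with priority 0 into S3: it wins the root election.
    Returns (root before, root after, role of S3's port towards the rogue)."""
    before, _ = stp_roles(BRIDGES, LINKS)
    rogue = dict(BRIDGES, Rogue=bridge_id(0, "00:00:00:00:00:ff"))
    after, roles = stp_roles(rogue, LINKS + [("S3", 3, "Rogue", 1, 200)])
    return before, after, roles[("S3", 3)]


if __name__ == "__main__":
    print(stp_roles(BRIDGES, LINKS))   # S1 is root; S3 port 2 ends up alternate (blocked)
    print(rogue_root_demo())           # ('S1', 'Rogue', 'root')
```

In the triangle S2 and S3 both reach S1 at cost 200, so on the S2-S3 link the tie goes to the lower bridge ID (S2 is designated, S3's port 2 is alternate). After the rogue joins, every bridge's traffic is rerouted towards it, which is the whole point of an STP root takeover.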

Port status description :
disabled : the port does not forward data, does not learn MAC addresses and does not take part in spanning-tree calculation
listening : the port does not forward data or learn MAC addresses, but it takes part in spanning-tree calculation and receives and sends BPDUs
blocking : the port does not forward data or learn MAC addresses; it receives and processes BPDUs but does not send them
learning : the port does not forward data, but it learns MAC addresses, takes part in spanning-tree calculation, and receives and sends BPDUs
forwarding : the port forwards data, learns MAC addresses, takes part in spanning-tree calculation, and receives and sends BPDUs

After a port is enabled it enters the Listening state and begins to calculate the spanning tree. If the port becomes an alternate port, it moves to Blocking. If it becomes a root port or designated port, it moves from Listening to Learning, waits one forward delay, then moves from Learning to Forwarding (so a port needs two forward-delay periods, 15 s each by default, before it forwards).