• 21
  • Jan

Vyatta Cannot Replace My Cisco

Dear Vyatta,

During the past couple of months I have been attempting to replace my Cisco 7500 with your routing software. The Vyatta product looked very promising and supported all the protocols and features that I needed including BGP, Bandwidth Management (through the kernel), VRRP, in addition to standard routing with TCP/IP.

I have run into many issues with the Vyatta software. Just to name a few — VRRP limitations, BGP Routing Policy limitations, static routing bugs, not being able to delete static routes and policy configurations, and more.


I am sad to say, good bye Vyatta. I have enjoyed the past two months getting to know you. You have what seems a wonderful team of individuals working towards the better. I would like to send a thanks to the support group and everyone on the mailing list, they were wonderful.

I will continue to support what the Vyatta team is trying to do. Unfortunately, the software is still premature. I, however, am looking forward to the next release so I can give it another try.

I am sure I could force the software to work, but I would hardly be confident with that procedure. That being said — Vyatta cannot replace my Cisco 7500 core router.

Farewell,

Shane

  • 27
  • Dec

If you have been following my Vyatta posts, you might be interested in a humorous collection of parody advertisements that the Vyatta team and users have created.

The ad below is my favorite. The first time I told someone about Vyatta, they thought I actually said ‘Viagra’.

Vyatta - Viagra

Be sure to look at the rest of the parody ads.

  • 17
  • Dec


NOTE: See the previous posts about Vyatta.

The Vyatta open source routing platform is built upon XORP, the eXtensible Open Router Platform, and uses templates to execute commands that are entered into the xorpsh, also known as the Vyatta CLI, much like other routing platforms.

For example, when entering show system memory in the Vyatta CLI (xorpsh), the system actually executes free -ot. The Linux free command displays the system memory information and the -ot switch enables the ‘totals’ and ‘buffer adjusted’ lines. The output is displayed in kilobytes by default. There is so much RAM in computers today, that it makes more sense to display the output in megabytes with the -m switch; free -m.

Changing How ‘show system memory’ executes:

NOTE: Don’t forget to backup before making changes to these important files!

  1. Login as root.
  2. Go to the template directory:
    cd /opt/vyatta/share/xorp/templates
  3. Find the free command:
    # grep free *.cmds
    rl_misc.cmds: %command: "free -ot" %help: "Show system memory usage";
  4. See that it’s in the file rl_misc.cmds. Change it from “-ot” to “-m” with sed:
    cp rl_misc.cmds rl_misc.cmds.bak
    sed -i 's/free -ot/free -m/' rl_misc.cmds
  5. Try it:
    xorpsh
    Welcome to Vyatta on vDUT
    > show system memory
                 total       used       free     shared    buffers     cached
    Mem:           250        190         59          0         23         96
    -/+ buffers/cache:         70        179
    Swap:            0          0          0

This applies not only to the show system memory command, but to all other Vyatta CLI commands as well. Thanks to Stig on the Vyatta-Users mailing list for the hacking tips. If you have any more Vyatta hacks, please email them to me, or leave a comment.

  • 13
  • Dec

Routing with Vyatta

NOTE: This has been fixed in the latest versions of Vyatta. This post is outdated!

For an open source routing software such as Vyatta not to have a way to provide a null route is a major bug and needs to be addressed at least by the next release.

The Problem:

Internet routers are supposed to drop packets directed to and from private networks.

The way to enable a null route on Vyatta should be something like this:

 set protocols static route 192.168.0.0/16 next-hop discard

OR

 set protocols static route 192.168.0.0/16 next-hop 0.0.0.0

The first example produces an error:

ERROR: node "next-hop": argument "discard" is not a valid "IPv4": value must be an IP address in dotted decimal form.
[edit]

After executing and committing the second example, the route simply doesn’t show in the routing table when executing show route.

The Solution:

The ultimate solution will involve Vyatta implementing the ability to enter null routes from within the Vyatta CLI. But this should work just fine when using an init.d script or entered directly in the bash shell:

ip route add blackhole 192.168.0.0/16
ip route add blackhole 10.0.0.0/8
ip route add blackhole 172.16.0.0/12
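
A check for the workaround above, as an added example that is not part of the original post: it reads `ip route show` output and prints the blackhole command for every RFC 1918 prefix that lacks an exact-match blackhole route. The function names and the sample routing table (documentation addresses, one entry deliberately too narrow) are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit `ip route show` output for RFC 1918 blackhole routes.
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Reads `ip route show` output on stdin; prints one "ip route add blackhole"
# command per RFC 1918 prefix that has no exact-match blackhole route.
missing_blackholes() {
    have=$(awk '$1 == "blackhole" { print $2 }')
    for prefix in $RFC1918; do
        printf '%s\n' "$have" | grep -qxF "$prefix" ||
            echo "ip route add blackhole $prefix"
    done
    return 0
}

# Constructed sample: one prefix present, one too narrow, one absent.
sample_routes() {
    cat <<'EOF'
default via 203.0.113.1 dev eth1
blackhole 10.0.0.0/8
blackhole 172.16.0.0/20
203.0.113.0/24 dev eth1 proto kernel scope link src 203.0.113.2
EOF
}

sample_routes | missing_blackholes
```

On a live router, replace `sample_routes` with `ip route show`; empty output means all three private ranges are null-routed.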

Although this is a minor bug, Vyatta should implement a fix for this as soon as possible. I still am enthused about running Vyatta and this will, in no way, stop me from implementing Vyatta for our core routing solution. Be sure to take a look at previous posts on Vyatta on Hackosis if you haven’t already.

  • 11
  • Dec

Routing with Vyatta

It has come to my attention that VRRP cannot be implemented on the new Vyatta routers.

Unfortunately, Vyatta only supports one VRRP group per physical interface, and only one IP address per VRRP group. Looks like the resort will have to go back to a manual configuration copy if the main router fails.

With the VRRP configuration out of the way, it is not long until the Vyatta router will be implemented. It seems that overall Vyatta is a well put together product, but does have its limitations.

  • 06
  • Dec

Routing with Vyatta

Times are getting thin before replacing the Cisco 7500 core router with open source routing platform, Vyatta, as mentioned in a previous post. And not only that, but the decision has been made to go ahead and set up redundant, auto-failover Vyatta routers. Also, check out how to throttle bandwidth with the Linux kernel in Vyatta (or any other Linux with 2.4+ kernel) before I go into more detail.

The Hardware

The hardware has been purchased and received. The setup includes 2 - Dell PowerEdge SC1430s with the following specifications:

  • 2 Quad-core 2.0GHz Xeon Processors
  • 4 GB of 667MHz RAM
  • 2 80GB SATA 3GB/s configured with RAID 1
  • 1 Gbit Onboard NIC
  • 1 Intel 1000PT Gbit PCI Express NIC

You couldn’t ask for an easier install with Vyatta and it did so beautifully with this hardware. Vyatta actually certifies Dell 850s and 860s. Seriously, the install procedure with the live CD is as simple as logging in as root, typing

install-system

and answering a few very basic questions. All hardware components were detected including the SAS 5IR Dell RAID PCI Express adapter.

The Software

Everything has yet to be set up; it is still a work in progress. BUT these are my plans. There will be a post after the system is up and running about how well everything listed here works.

NOTE: The following assumes you have already set up your ‘real’ IP addresses and static routes.

  • 08
  • Nov

Routing with Vyatta

I have recently been working with the Vyatta Linux routing platform in an attempt to replace Cisco. It seems that Vyatta will support everything that I need except for bandwidth management and traffic shaping. Luckily, newer versions of Linux have this built into the kernel.

I will show you how to use HTB to control traffic based on what IP address you are coming from. Remember that HTB only shapes outgoing traffic, but since we have at least 2 interfaces on a router - and traffic is always outgoing on one of the interfaces - we can control up and down speeds.

Let's assume that eth0 is your ‘inside’ network and eth1 is your ‘outside’ network and you are trying to limit the bandwidth to 2mbit for traffic going to or from IP address 12.13.14.15.

To accomplish this we are going to start by attaching the HTB algorithm to device eth0 and giving it a handle of “1:” (you enter this in your bash shell, btw):

tc qdisc add dev eth0 root handle 1: htb default 12

Next, add a tc class. This is like a ‘pool’ of bandwidth. Set this to whatever your interface speed is:

tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit ceil 100mbit

Now we can create classes for specific bandwidth that we are going to assign to the IP address. The first line of code will be our limit and the second is our default as specified in the first command above:

tc class add dev eth0 parent 1:1 classid 1:10 htb rate 2mbit ceil 2mbit
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 5mbit ceil 5mbit

After that, create some tc filters to match certain criteria. In our case it is IP address. The ‘src’ or ‘dst’ is specific to whether this interface is outside network or inside network. Notice how the flowid matches our classid from above. In a nutshell, if the IP address matches 12.13.14.15, we are going to get 2mbit, and if it is any other IP address we will get 5mbit:

tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dst 12.13.14.15 flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dst 0.0.0.0/0 flowid 1:12

Those commands will get you managing bandwidth on eth0. To manage bandwidth in the same manner on the outside interface (eth1), enter the above commands, only replace "eth0" with "eth1" and in the tc filter commands replace "dst" with "src".

This was a quick overview and example of HTB bandwidth management filtering by IP address for tc command on Linux. If you are interested in implementing these strategies take a look at some reading material below:

HTB Manual | Linux Advanced Routing & Traffic Control HOWTO | The tc manpage

EDIT: Looks like using HTB alone is a bit primitive. If a second data stream starts, it will only get what's left of the remaining bandwidth. So we add an SFQ command to the mix. This will treat all connections equally, even from the same IP, and data streams will even each other out:

tc qdisc add dev eth0 parent 1:10 handle 20: sfq perturb 10
tc qdisc add dev eth0 parent 1:12 handle 30: sfq perturb 10

EDIT: It has also come to my attention that all tc commands are lost on reboot. The solution:

  1. mkdir /etc/tc
  2. vi /etc/tc/start.sh

    #!/bin/sh
    #Custom tc commands to throttle bandwidth
    #All changes must be saved here, or a reboot will lose config!

    #INSIDE NETWORK:

    #ENTER TC COMMANDS HERE

    #OUTSIDE NETWORK:

    #ENTER TC COMMANDS HERE

  3. vi /etc/tc/stop.sh

    #!/bin/sh
    #Shutdown commands for tc traffic shaping, this is a static file

    #INSIDE NETWORK:

    tc qdisc del dev eth0 root

    #OUTSIDE NETWORK:

    tc qdisc del dev eth1 root

  4. vi /etc/init.d/tc

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides: Traffic Control
    # Required-Start: $network
    # Required-Stop: $network
    # Default-Start: 2 3 5
    # Description: tc qdisc ;p
    ### END INIT INFO

    case .$1. in
    .start.)
    /etc/tc/start.sh
    ;;
    .stop.)
    /etc/tc/stop.sh
    ;;
    *)
    echo "Usage: $0 { start | stop }"
    ;;
    esac
    exit 0
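
The tc steps above, collected into a generator for the contents of /etc/tc/start.sh (an added example, not the author's script; the function names are invented here). It validates the address and rates, then prints the commands for both interfaces instead of running them, and relies on `htb default 12` to send unmatched traffic to class 1:12 rather than on a catch-all filter.

```sh
#!/bin/sh
# Added example: print (not apply) the tc commands from the walkthrough
# for both router interfaces, after validating the inputs.

valid_ipv4() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

valid_rate() {                       # accepts e.g. 512kbit, 2mbit, 1gbit
    num=${1%[kmg]bit}
    [ "$num" != "$1" ] || return 1   # unit suffix missing
    case $num in ''|*[!0-9]*) return 1 ;; esac
}

# shape_iface DEV DIR IP LIMIT DEFAULT LINK
# DIR is "dst" on the inside interface and "src" on the outside one.
shape_iface() {
    cat <<EOF
tc qdisc add dev $1 root handle 1: htb default 12
tc class add dev $1 parent 1: classid 1:1 htb rate $6 ceil $6
tc class add dev $1 parent 1:1 classid 1:10 htb rate $4 ceil $4
tc class add dev $1 parent 1:1 classid 1:12 htb rate $5 ceil $5
tc filter add dev $1 protocol ip parent 1:0 prio 1 u32 match ip $2 $3/32 flowid 1:10
tc qdisc add dev $1 parent 1:10 handle 20: sfq perturb 10
tc qdisc add dev $1 parent 1:12 handle 30: sfq perturb 10
EOF
}

# gen_start_sh INSIDE_IF OUTSIDE_IF IP LIMIT DEFAULT LINK
gen_start_sh() {
    valid_ipv4 "$3" || { echo "bad IPv4 address: $3" >&2; return 1; }
    for r in "$4" "$5" "$6"; do
        valid_rate "$r" || { echo "bad rate: $r" >&2; return 1; }
    done
    echo '#!/bin/sh'
    echo '#INSIDE NETWORK:'
    shape_iface "$1" dst "$3" "$4" "$5" "$6"
    echo '#OUTSIDE NETWORK:'
    shape_iface "$2" src "$3" "$4" "$5" "$6"
}

# Values from the post: eth0 inside, eth1 outside, 2mbit for 12.13.14.15.
gen_start_sh eth0 eth1 12.13.14.15 2mbit 5mbit 100mbit
```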

  • 02
  • Nov


The open source routing operating system Vyatta can get you out of the grasp of proprietary systems such as Cisco and Juniper. I am really surprised by the accomplishments and efforts this company has put into the product. With support for many multi-port Ethernet, T1/E1, and T3 cards, it is often possible to switch to Vyatta and end up with a more dense routing infrastructure.

Vyatta is based on Linux, but the default user shell is customized to look and feel like a ‘router’ interface. Also, commands do not become live in the system until you ‘commit’. All configuration is stored on a separate partition in one single file and makes for easy backup and restoring, even if your hardware fails. This platform has really been built from the ground up to be a true Linux routing platform.

Vyatta has a WebGUI for administration as well:

Vyatta WebGUI

Vyatta also features support for BGP, clustering, VRRP, NAT, firewall, VPN, SNMP, Syslog, OSPF, RIP, IPv6, DHCP, VLANS, Frame Relay, PPP, HDLC, and more.

I am looking forward to working with Vyatta and plan to replace our Cisco 7500 that we use for a core routing function. I plan to configure Vyatta to do traffic shaping and bandwidth management. This is not included in the CLI or the webGUI, but is a possibility through the bash shell when logging in as root.

Look for tips and tricks and updates of my progress in future posts. Wish me luck.

More information on Vyatta
