Enterprise Network on GNS3 - Part 2 - Access Layer

This is the second article in a series that discusses the complete configuration of an enterprise network. Our enterprise campus network consists of the core, distribution and access layers. This network infrastructure design is called the three-tier network model, and each layer has a specific function. The access layer provides end users with access to the network. There are two access switches located in the access layer. The access switches OpenSwitch-Acc-I and OpenSwitch-Acc-II are OpenSwitch Qemu appliances installed on VMware VMDK disks. The switches run OpenSwitch network OS version 0.4.0 and GNS3 assigns them 1024 MB of memory. More details about building an OpenSwitch appliance prior to version 2.0 can be found here.

Note: Based on a reader's request, I am sharing the OpenSwitch 0.4.0 VMDK image. The username/password is netop/netop for switch configuration and admin/admin for access to the underlying Linux (use sudo su for root access). In case of trouble, read the section Issues at the end of the tutorial.

The ports Ethernet 3 and 4 on both switches are configured as access ports and they connect PC1 and PC4 to the campus network. The ports Ethernet 1 and Ethernet 2 are uplinks that connect the access switches to the distribution switches. They are configured as trunk ports, carrying traffic from multiple VLANs. Thanks to the redundant uplink connection, the access switches remain connected to the upper layer even if one of the distribution switches fails.

Picture 1 - Access Switches Connected to Distribution Layer

End user computers are assigned to VLANs 10, 20, 30 and 40. Thanks to VLAN segmentation, user traffic is sent to the distribution layer without being spread across the other access switches in the campus. PC4 is connected to the port Ethernet 4, which is assigned to the management VLAN 40. Management of the access switches is provided by connecting the management port Ethernet0 to the port Ethernet6 of the particular distribution switch. Both ports are configured as routed (layer 3) ports and are assigned IP addresses from a subnet with a /30 mask.

The Switch Virtual Interface (SVI) created on both access switches allows the access switches to synchronize their time with the NTP server running on the appliance Server1 172.16.50.1 in the Data Center (DC). The switches also send logs to the syslog-ng server installed on the same appliance.

Note: The configuration files of both access switches are: OpenSwitch-Acc-I and OpenSwitch-Acc-II.

1. OpenSwitch-Acc-I Configuration

Log in to the OpenSwitch-Acc-I appliance with the default username netop and the password netop. As a first step, we will change the hostname.

switch# conf t
switch(config)# hostname OpenSwitch-Acc-I

1.1 VLANs Configuration

VLANs 10 and 20 are end-user VLANs. VLAN 999 is a "parking" VLAN that is assigned to ports that are not in use. If someone accidentally brings a disabled switchport up, the connection does not work, because VLAN 999 is not allowed on the uplink trunk ports.

OpenSwitch-Acc-I(config)# vlan 10
OpenSwitch-Acc-I(config-vlan)# no shutdown
OpenSwitch-Acc-I(config)# vlan 20
OpenSwitch-Acc-I(config-vlan)# no shutdown
OpenSwitch-Acc-I(config)# vlan 999
OpenSwitch-Acc-I(config-vlan)# no shutdown
OpenSwitch-Acc-I(config-vlan)# exit

Note: If you encounter a strange connectivity problem that you cannot troubleshoot, restarting the particular VLAN might help.

1.2 IP Address and Trunk Port Configuration

In order to access the switches remotely, we have to configure the appropriate IP address and mask on the management port. The management port mgmt is the only interface (besides the loopback) that is visible in the underlying Yocto Linux. However, it can be conveniently configured using the OpenSwitch CLI.

OpenSwitch-Acc-I(config)# interface mgmt
OpenSwitch-Acc-I(config-if-mgmt)# ip static 10.1.1.9/30
OpenSwitch-Acc-I(config-if-mgmt)# default-gateway 10.1.1.10
OpenSwitch-Acc-I(config-if-mgmt)# nameserver 172.16.50.1
OpenSwitch-Acc-I(config-if-mgmt)# exit

The access switch OpenSwitch-Acc-I has an SVI configured on VLAN 20. It allows the switch to reach Server1 located in the DC.

OpenSwitch-Acc-I(config)# interface vlan 20
OpenSwitch-Acc-I(config-if-vlan)# ip address 192.168.20.250/24
OpenSwitch-Acc-I(config-if-vlan)# no shutdown
OpenSwitch-Acc-I(config-if-vlan)# exit

OpenSwitch-Acc-I(config)# int eth1
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan trunk allowed 10,20
OpenSwitch-Acc-I(config-if)# no shutdown

OpenSwitch-Acc-I(config-if)# int eth2
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan trunk allowed 10,20
OpenSwitch-Acc-I(config-if)# no shutdown

OpenSwitch-Acc-I(config-if)# int eth3
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan access 10
OpenSwitch-Acc-I(config-if)# no shutdown

OpenSwitch-Acc-I(config-if)# int eth4
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan access 20
OpenSwitch-Acc-I(config-if)# no shutdown

Secure the unused interfaces.

OpenSwitch-Acc-I(config-if)# int eth5
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan access 999
OpenSwitch-Acc-I(config-if)# shutdown

OpenSwitch-Acc-I(config-if)# int eth6
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan access 999
OpenSwitch-Acc-I(config-if)# shutdown

OpenSwitch-Acc-I(config-if)# int eth7
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan access 999
OpenSwitch-Acc-I(config-if)# shutdown
OpenSwitch-Acc-I(config-if)# exit

To allow the access switch to reach the NTP and syslog server in the DC, we have to create a static default route on the switch.

OpenSwitch-Acc-I(config)# ip route 0.0.0.0/0 192.168.20.254
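The port hardening from sections 1.1 and 1.2 (unused ports parked in VLAN 999 and shut down, the parking VLAN kept off the uplink trunks, every user VLAN carried by an uplink, and the management address and its gateway inside the same /30) is easy to verify mechanically. The script below is an added example for this article, not code from OpenSwitch or from the original post. Its CLI syntax mirrors the commands shown above, but parse_config() and audit() are hypothetical helpers, and the embedded sample configuration is constructed: it follows OpenSwitch-Acc-I except that eth7 is deliberately left up so the audit has a finding to report.

```python
"""Audit an OpenSwitch-style access-switch configuration against the
port-security practice described in the article.

Example code added for this article; parse_config() and audit() are
hypothetical helpers, not part of OpenSwitch. The sample config is constructed.
"""
import ipaddress
import re

PARKING_VLAN = 999

# Constructed sample in the page's CLI syntax. eth7 is intentionally
# "no shutdown" while parked, so the audit reports it.
SAMPLE_CONFIG = """
interface mgmt
    ip static 10.1.1.9/30
    default-gateway 10.1.1.10
interface eth1
    no routing
    vlan trunk allowed 10,20
    no shutdown
interface eth2
    no routing
    vlan trunk allowed 10,20
    no shutdown
interface eth3
    no routing
    vlan access 10
    no shutdown
interface eth4
    no routing
    vlan access 20
    no shutdown
interface eth5
    no routing
    vlan access 999
    shutdown
interface eth7
    no routing
    vlan access 999
    no shutdown
"""


def parse_config(text):
    """Return a dict keyed by interface name. OpenSwitch ports default to
    routed and administratively down, which is why the article issues
    'no routing' and 'no shutdown' explicitly on every port."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), {
                "routing": True, "shutdown": True, "access": None,
                "trunk": set(), "ip": None, "gateway": None})
        elif current is None or not line:
            continue
        elif line == "no routing":
            current["routing"] = False
        elif line == "no shutdown":
            current["shutdown"] = False
        elif line == "shutdown":
            current["shutdown"] = True
        elif line.startswith("vlan access "):
            current["access"] = int(line.split()[-1])
        elif line.startswith("vlan trunk allowed "):
            current["trunk"].update(int(v) for v in line.split()[-1].split(","))
        elif line.startswith("ip static "):
            current["ip"] = line.split()[-1]
        elif line.startswith("default-gateway "):
            current["gateway"] = line.split()[-1]
    return interfaces


def audit(interfaces):
    """Return a list of findings; an empty list means the configuration
    follows the practice described in the article."""
    findings = []
    trunks = {n: i["trunk"] for n, i in interfaces.items() if i["trunk"]}
    carried = set().union(*trunks.values()) if trunks else set()
    for name, intf in sorted(interfaces.items()):
        if intf["access"] == PARKING_VLAN and not intf["shutdown"]:
            findings.append(f"{name}: parked in VLAN {PARKING_VLAN} but not shut down")
        elif intf["access"] not in (None, PARKING_VLAN) and intf["access"] not in carried:
            findings.append(f"{name}: access VLAN {intf['access']} is not carried by any uplink")
    for name, vlans in sorted(trunks.items()):
        if PARKING_VLAN in vlans:
            findings.append(f"{name}: parking VLAN {PARKING_VLAN} is allowed on the trunk")
    mgmt = interfaces.get("mgmt")
    if mgmt and mgmt["ip"] and mgmt["gateway"]:
        # The gateway must be a usable host address inside the /30 (not the
        # network or broadcast address) or management traffic has no exit.
        net = ipaddress.ip_interface(mgmt["ip"]).network
        if ipaddress.ip_address(mgmt["gateway"]) not in net.hosts():
            findings.append(f"mgmt: gateway {mgmt['gateway']} is not a host in {net}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the sample it reports only eth7; pasting a real show running-config in the same syntax into SAMPLE_CONFIG lets the same checks run before the switch is put into service.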

1.3 NTP Configuration

OpenSwitch-Acc-I(config)# ntp server 172.16.50.1
OpenSwitch-Acc-I(config)# timezone set europe/bratislava

Picture 2 - Time Synchronization with NTP Server 172.16.50.1

1.4 Logging

Logs are sent to the syslog-ng server 172.16.50.1 and stored in the directory /var/log/syslog-ng/192.168.20.250/. We collect log messages with the severity notice level 2 and above (0 - debug, 7 - emergency).

OpenSwitch-Acc-I(config)# logging 172.16.50.1 severity notice
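To see what the severity notice threshold actually selects, the added example below (not code from the article, from OpenSwitch or from syslog-ng) decodes the PRI header of syslog messages and keeps only those at least as urgent as the threshold. Severity codes are defined by RFC 5424, where 0 is emergency and 7 is debug, so notice is code 5 and "notice and above" keeps codes 0 through 5. The sample messages and the daemon names in them are constructed.

```python
"""Reproduce the filtering that 'logging <server> severity notice' applies:
decode the RFC 5424 PRI field (facility * 8 + severity) of each message and
keep those whose severity is the threshold or more urgent.

Example code added for this article, not part of OpenSwitch or syslog-ng.
The sample messages are constructed.
"""
import re

# RFC 5424 severities indexed by numeric code; 0 is the most urgent.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp"}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed messages in the shape a switch sends to a syslog server.
SAMPLE_MESSAGES = [
    "<85>Jan 10 12:00:01 OpenSwitch-Acc-I sshd[812]: Accepted password for netop from 192.168.40.1 port 51010 ssh2",
    "<86>Jan 10 12:00:02 OpenSwitch-Acc-I sshd[812]: session opened for user netop",
    "<12>Jan 10 12:00:09 OpenSwitch-Acc-I portd[640]: interface eth7 link state changed to up",
    "<15>Jan 10 12:00:10 OpenSwitch-Acc-I portd[640]: polled interface counters",
    "<2>Jan 10 12:00:15 OpenSwitch-Acc-I kernel: Out of memory: Kill process 812 (sshd)",
]


def facility_name(code):
    """Map a numeric facility to its name; 16-23 are local0-local7."""
    if code in FACILITIES:
        return FACILITIES[code]
    if 16 <= code <= 23:
        return f"local{code - 16}"
    return f"reserved{code}"


def decode_pri(message):
    """Return (facility_name, severity_name, remainder) for one raw line."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return facility_name(facility), SEVERITIES[severity], m.group(2)


def filter_messages(messages, threshold="notice"):
    """Keep messages whose severity is the threshold or more urgent, i.e.
    whose numeric severity is <= the threshold's code."""
    limit = SEVERITIES.index(threshold)
    return [msg for msg in messages
            if SEVERITIES.index(decode_pri(msg)[1]) <= limit]


if __name__ == "__main__":
    kept = filter_messages(SAMPLE_MESSAGES)
    for msg in SAMPLE_MESSAGES:
        fac, sev, rest = decode_pri(msg)
        print(f"{'keep' if msg in kept else 'drop':4} {fac}.{sev:<13} {rest[:60]}")
```

With the default threshold the sshd session-opened (informational) and counter-polling (debug) lines are dropped while the login, link-state and kernel messages are kept; lowering the threshold to informational would also keep the session records, which is worth weighing when deciding what the syslog-ng server should retain for the switches.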

1.5 Password Configuration

Even though OpenSwitch version 4.0.0 supports RADIUS client configuration, I was not successful with remote login authentication using a RADIUS server. Therefore we will only change the passwords of the default local accounts. To do so we need to switch to the underlying Yocto Linux OS. Log in as root (no password is set) and change the passwords to cisco for all the accounts below.

root@OpenSwitch-Acc-I:~# passwd root
root@OpenSwitch-Acc-I:~# passwd admin
root@OpenSwitch-Acc-I:~# passwd netop

2. OpenSwitch-Acc-II Configuration

The configuration of the switch OpenSwitch-Acc-II is similar to the configuration of the switch OpenSwitch-Acc-I. Therefore I only share the configuration without further explanation.

3. PCs Configuration

PC4 is used for the administration of network devices in the topology, therefore it has a statically configured IP address. The other PCs have their IP addresses assigned by the DHCP server 172.16.50.1. All PCs are Core Linux Qemu appliances running Core Linux 6.3, and GNS3 assigns them 64 MB of RAM. Below is the static IP address configuration for PC4.

$ vim /opt/bootlocal.sh

hostname PC4
ifconfig eth0 192.168.40.1 netmask 255.255.255.0
route add default gw 192.168.40.254
echo "nameserver 172.16.50.1" > /etc/resolv.conf

To save the configuration, we need to enter the command below.

$ /usr/bin/filetool.sh -b

4. Issues

4.1 OpenSwitch

4.1.1 Cannot Boot VMDK Image - Error Message "Could not write to allocated cluster for streamOptimized"

If your OpenSwitch VMDK image does not boot and the error message "qemu-system-x86_64: Could not write to allocated cluster for streamOptimized" appears in a terminal, a quick workaround is to convert the VMDK image to another format, such as qcow2 or VDI.

$ qemu-img convert -f vmdk OpenSwitch.vmdk -O vdi OpenSwitch.vdi

Now we can run the image with the QEMU command:

$ /usr/bin/qemu-system-x86_64 -m 2G -enable-kvm OpenSwitch.vdi -serial telnet:localhost:2222,server,nowait

Use telnet to connect to the switch console.

$ telnet localhost 2222

4.1.2 Cannot Save OpenSwitch Configuration - Error Message - "System is not ready. Please retry after few seconds.."

You must run OpenSwitch with a minimum of two NICs; otherwise the system is not ready and you get the error message "System is not ready. Please retry after few seconds..". The command below starts an OpenSwitch Qemu instance with two NICs attached.

$ /usr/bin/qemu-system-x86_64 -m 2G -enable-kvm OpenSwitch.vdi -serial telnet:localhost:2222,server,nowait  -net nic,id=net0 -device e1000,mac=00:11:22:33:44:00 -net nic,id=net1 -device e1000,mac=00:11:22:33:44:01

19 thoughts on “Enterprise Network on GNS3 - Part 2 - Access Layer”

  1. Excellent contribution to learn, I didn't know OpenSwitch is so powerful. Waiting for the remaining posts of this series.

  2. How are you configuring the Access Layer Switches? Are these Open vSwitch from the GNS3 Appliance section? If so, I do not seem to be able to configure them as you are doing. I am thinking to swap Cisco's L2 switches instead. Thoughts?

  3. Can you share the OpenSwitch.vmdk version 0.4.0 (or .ova)? I'm trying to build it from source but the command "make configure appliance" gives me an error. And only version 0.3.0 of the .ova is available in the repositories.

    Thank you very much!!

  4. It is not possible to configure the open switch; when entering a configuration command the following message appears: "System is not ready. Please retry after few seconds.."
    What do I need to do to make it work and configure it?

      1. Hello. Can you help me too? I have the same problem. Can't type any command in the configuration terminal; this message appears after entering a command: "System is not ready. Please retry after few seconds..". I use the vmdk that you provided.

          1. Please read section 4, Jonathon. It took me an hour to solve the problem instead of going for a walk in the forest as I had originally planned. Take care.

  5. osboxes@osboxes:~$ /usr/bin/filetool.sh -b
    bash: /usr/bin/filetool.sh: No such file or directory

    any ideas as to why this is showing?
