Lately I’ve been toying around with the idea of finally putting more effort into learning the ins and outs of CheckPoint VSX systems. A basic deployment technically allows us to rely only on physical interfaces to set up the chassis, but I wanted to make sure I have something that reflects the most common setups (because in 99.9% of cases you will encounter VSXes simply connected to a switch over a trunk port, with very little physical cabling).
So, as you might have noticed, I only use KVM and LibVirt for all my VM needs. While so far I had no reason to jump into more advanced aspects, since the basic GUI worked fine for me, VSX forced me to look into something that resembles a switch. I needed a switch that’s virtual and, hopefully, open. And there it is – Open vSwitch! I will be writing more of these as I go through the documentation and blog posts, but in this article we will start off with a very simple setup: moving the existing physical connectivity of our hypervisor machine to a vSwitch.
I will be using a host running fully up-to-date CentOS 7 install.
You might require physical (or LOM) access to the box because those things could break your network.
Make sure you have openvswitch installed on your box.
Adding the switch
In order to start, we will need to add a switch. But before we do so, let’s picture what we’re actually trying to do. What I’m going to cover in the next steps might sound abstract, so I decided it’s a good idea to explain the concept to you first so you can visualize it.
To start off, we need to add a switch. In the real world, this step would literally mean you take the switch out of the box and power it up. It doesn’t do much right now, does it? In order for it to do anything, we will need to plug in cables that provide the connectivity. In our scenario, the first cable we plug in is the one providing us internet connectivity. So we take this cable and plug it into the switch. This will require us to add the interface this cable connects to (e.g. eth0) to the bridge and clear the IP configuration off it. Why would we do that? The IP configuration should be moved to the switch instead. If you’re familiar with Cisco products, you might have an idea of an SVI. An SVI (switched virtual interface) is essentially a logical interface on the switch itself to which we assign an IP address, so we can communicate with the switch over the network; the bridge interface ovsbr0 plays that role here. Makes sense?
Let’s add the switch using the following command:
sudo ovs-vsctl add-br ovsbr0
We can now see that the bridge was created using the following command:
ip a s ovsbr0
Which should give us output similar to this:
[strelok@srv2 ~]$ ip a s ovsbr0
7: ovsbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether b8:ca:3a:63:90:5b brd ff:ff:ff:ff:ff:ff
Add the external interface to the switch
Alright. Let’s connect our interface to the switch and move the IP configuration right after. If you have no out-of-band connectivity to the box, skip to the “Making our changes permanent” section.
sudo ovs-vsctl add-port ovsbr0 em4              # Replace em4 with your external interface.
sudo ip addr flush em4                          # Replace em4 with your external interface.
sudo ip addr add 192.168.1.230/24 dev ovsbr0    # Replace the IP address with the one that was previously used by your external interface.
Now we can confirm our changes have been successful by running the following commands:
ip a s | grep ovs   # output should show that ovsbr0 has been assigned the IP address specified in the previous step
ip r s              # output should show us the routing table. Make sure you have a default route, otherwise you may lose access to the internet
                    # (flushing the last address off em4 also removes the routes that used it, the default route included)
# if the default route is missing, you can add it with the following command (replace 192.168.1.1 with your next hop):
# ip route add default via 192.168.1.1
If you confirm the connectivity works, we can now make our changes permanent.
Making our changes permanent
To retain the configuration, we will need to edit the interface configuration files. It’s a good idea to back them up first:
cd
mkdir interface-configs-backup
cp /etc/sysconfig/network-scripts/ifcfg-* interface-configs-backup
Now let’s edit the external interface’s config first:
# Open up the interface config first:
sudo vi /etc/sysconfig/network-scripts/ifcfg-em4
# Then make sure it resembles the following:
TYPE=OVSPort
DEVICETYPE=ovs
OVS_BRIDGE=ovsbr0
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
ONBOOT=yes
NAME=em4      # Change this to your interface
DEVICE=em4    # Change this to your interface
NM_CONTROLLED=no
And in similar manner, let’s create our ovsbr0’s config file and fill it with content:
# Open up the interface config first:
sudo vi /etc/sysconfig/network-scripts/ifcfg-ovsbr0
# The above will create an empty file. Don't worry if there's no content, that's a good thing.
# Paste the following:
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
IPADDR=192.168.1.230        # Replace with em4's old IP
NETMASK=255.255.255.0       # Replace with em4's old network mask
GATEWAY=192.168.1.1         # Replace with em4's old default gateway
DNS1=184.108.40.206
DNS2=220.127.116.11
ONBOOT=yes
DEVICE=ovsbr0
NM_CONTROLLED=no
Now is the moment of truth. Save the config files and reboot your machine (you might also try systemctl restart network). Hopefully everything will remain operational after you do that. Now you have a switch we can play around with!
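The risky part of the two steps above is transcribing the uplink's IP, netmask and gateway into ifcfg-ovsbr0 by hand; a typo or a forgotten GATEWAY= line is what leaves a headless host unreachable after the reboot. The script below is an added example of mine, not code from the original post: it reads the uplink's current address and the routing table (as "ip -4 addr show em4" and "ip route show" print them), refuses to emit anything when no default gateway is present, and renders both ifcfg files from the values it found. The interface name em4, the bridge name ovsbr0 and the sample command output are constructed for the example; the NetworkManager-only keys (PROXY_METHOD, BROWSER_ONLY, DNS1/DNS2) from the post's files are left out.

```shell
#!/bin/sh
# Added example, not part of the original post. Derive ifcfg-em4 and
# ifcfg-ovsbr0 from the uplink's live configuration instead of retyping it,
# and refuse to proceed when the default gateway cannot be found.
# em4, ovsbr0 and the two sample outputs below are constructed, not captured.

SAMPLE_ADDR='2: em4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.230/24 brd 192.168.1.255 scope global noprefixroute em4
       valid_lft forever preferred_lft forever'

SAMPLE_ROUTE='default via 192.168.1.1 dev em4 proto static metric 100
192.168.1.0/24 dev em4 proto kernel scope link src 192.168.1.230 metric 100'

# First global IPv4 address, in CIDR form, from "ip -4 addr show <if>" output.
uplink_cidr() {
    printf '%s\n' "$1" | awk '$1 == "inet" && /scope global/ { print $2; exit }'
}

# Default gateway from "ip route show" output; prints nothing if there is none.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Prefix length (e.g. 24) to the dotted NETMASK= form that ifcfg files expect.
prefix_to_netmask() {
    awk -v p="$1" 'BEGIN {
        for (i = 0; i < 4; i++) {
            bits = p - 8 * i
            if (bits > 8) bits = 8
            if (bits < 0) bits = 0
            o[i] = 256 - 2 ^ (8 - bits)
        }
        printf "%d.%d.%d.%d\n", o[0], o[1], o[2], o[3]
    }'
}

# ifcfg content for the uplink once it is just an OVS port with no IP of its own.
render_port_ifcfg() {   # $1 = uplink, $2 = bridge
    printf 'TYPE=OVSPort\nDEVICETYPE=ovs\nOVS_BRIDGE=%s\nBOOTPROTO=none\nONBOOT=yes\nNAME=%s\nDEVICE=%s\nNM_CONTROLLED=no\n' "$2" "$1" "$1"
}

# ifcfg content for the bridge, which inherits the uplink's old IP, mask and gateway.
render_bridge_ifcfg() { # $1 = bridge, $2 = ip, $3 = netmask, $4 = gateway
    printf 'TYPE=Ethernet\nBOOTPROTO=static\nIPADDR=%s\nNETMASK=%s\nGATEWAY=%s\nONBOOT=yes\nDEVICE=%s\nNM_CONTROLLED=no\n' "$2" "$3" "$4" "$1"
}

# Print both files; return 1 and print nothing if the address or gateway is missing,
# so a bridge config that would strand the host is never produced.
plan_migration() {      # $1 = uplink, $2 = bridge, $3 = addr output, $4 = route output
    cidr=$(uplink_cidr "$3")
    gw=$(default_gateway "$4")
    [ -n "$cidr" ] && [ -n "$gw" ] || return 1
    addr=${cidr%/*}
    mask=$(prefix_to_netmask "${cidr#*/}")
    printf '### /etc/sysconfig/network-scripts/ifcfg-%s\n' "$1"
    render_port_ifcfg "$1" "$2"
    printf '### /etc/sysconfig/network-scripts/ifcfg-%s\n' "$2"
    render_bridge_ifcfg "$2" "$addr" "$mask" "$gw"
}

# On a real host, replace the two samples with "$(ip -4 addr show em4)" and "$(ip route show)".
plan_migration em4 ovsbr0 "$SAMPLE_ADDR" "$SAMPLE_ROUTE"
```

Run it before touching anything, read the two rendered files, and only then copy them into /etc/sysconfig/network-scripts/ next to the backups you took. The bridge file keeps the post's TYPE=Ethernet choice on purpose so the result matches what the rest of this article expects.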
OPTIONAL: Add the vSwitch to LibVirt
If you wish to use the vSwitch right away and “plug” some VMs into the switch, you will need to define the network first.
Let’s create a file in /tmp/ (the commands further down assume it is called /tmp/your-vswitch.xml) that will represent our network and then use it to define a network in LibVirt.
Paste the following content into it (if you named your vSwitch differently, replace ovsbr0 with the name you have used):
<network>
  <name>ovsbr0-network</name>
  <forward mode='bridge'/>
  <bridge name='ovsbr0'/>
  <virtualport type='openvswitch'/>
</network>
sudo virsh net-define /tmp/your-vswitch.xml
sudo virsh net-start ovsbr0-network
sudo virsh net-autostart ovsbr0-network
Now when you create new virtual machines, you should have an option to select ovsbr0-network (mine is named differently, but it doesn’t matter).
You can check the number of virtual machines connected to your switch, as well as the general switch state, using the sudo ovs-vsctl show command 🙂
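The two things worth checking in that output after a reboot are whether the uplink really came back as a port of the bridge and how many VM ports are attached. The script below is an added example of mine, not code from the original post: it parses the plain-text output of ovs-vsctl show for a given bridge. LibVirt names the tap devices it creates vnet0, vnet1, ... by default, so ports matching that pattern are counted as VM ports (an assumption; adjust the pattern if your VMs use a different naming scheme). The sample output and its all-zero UUID are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: answer "is em4 attached to
# ovsbr0?" and "how many VM ports are on it?" from "sudo ovs-vsctl show" output.
# The sample below (including the placeholder UUID) is constructed for this example.

SAMPLE_SHOW='00000000-0000-0000-0000-000000000000
    Bridge "ovsbr0"
        Port "ovsbr0"
            Interface "ovsbr0"
                type: internal
        Port "em4"
            Interface "em4"
        Port "vnet0"
            Interface "vnet0"
        Port "vnet1"
            Interface "vnet1"
    ovs_version: "2.0.0"'

# Names of all ports on the given bridge, one per line. Older ovs-vsctl releases
# quote names and newer ones do not, so the quotes are stripped either way.
bridge_ports() {   # $1 = ovs-vsctl show output, $2 = bridge name
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "Bridge" { b = $2; gsub(/"/, "", b) }
        $1 == "Port"   { p = $2; gsub(/"/, "", p); if (b == want) print p }'
}

# Exit 0 when the uplink is a port of the bridge, 1 otherwise.
bridge_has_uplink() {   # $1 = show output, $2 = bridge, $3 = uplink
    bridge_ports "$1" "$2" | awk -v want="$3" '$0 == want { found = 1 } END { exit !found }'
}

# Number of LibVirt vnet* ports on the bridge (0 when the bridge is absent).
# Assumption: VM taps follow LibVirt's default vnetN naming.
vm_port_count() {   # $1 = show output, $2 = bridge
    bridge_ports "$1" "$2" | awk '/^vnet[0-9]+$/ { n++ } END { print n + 0 }'
}

# On a real host replace "$SAMPLE_SHOW" with "$(sudo ovs-vsctl show)".
if bridge_has_uplink "$SAMPLE_SHOW" ovsbr0 em4; then
    echo "em4 is attached to ovsbr0; VM ports: $(vm_port_count "$SAMPLE_SHOW" ovsbr0)"
else
    echo "WARNING: em4 is not a port of ovsbr0, the host may be off the network" >&2
fi
```

The uplink check is the one to script into whatever you run after systemctl restart network or a reboot: if em4 is missing from the bridge, the ifcfg-em4 file was not picked up and the host is only reachable out of band.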