Not exactly. You're manually configuring peers, adjacencies, and service-routes rather than letting the conductor do it for you through the use of neighborhoods.
on how you can leverage the conductor to take care of the heavy lifting.
pt.
Original Message:
Sent: 05-30-2019 12:22
From: Dani Garces
Subject: Conductor over SVR
Hi Patrick:
The only configuration that I have done without the Conductor was the _internal_ tenant in 128T_2.
Best regards.
------------------------------
Dani Garces
Original Message:
Sent: 05-30-2019 11:51
From: Patrick A Timmons
Subject: Conductor over SVR
Hi Dani,
I strongly recommend you develop your configuration using the conductor as the single source of truth. This is its intention, and if you are manipulating configurations individually on the conductor, 128_1 and 128_2, you are going to be in for a very wild ride.
This will avoid any peering issues, since the conductor will create the peers/adjacencies/service-routes between the routers for you automatically.
------------------------------
pt.
Original Message:
Sent: 05-29-2019 14:14
From: Dani Garces
Subject: Conductor over SVR
Hi Patrick:
Interestingly, if I configure the WAN interface of 128T_1 as member of _internal_ tenant, 128T_2 have connectivity to Conductor.
Node: 128T_1
============ ========= ============== ================= ================== ============
Device I/F VLAN ID Network I/F Network I/F IP Source IP Prefix Tenant
============ ========= ============== ================= ================== ============
LAN 0 LAN 192.168.200.1 0.0.0.0/0 <global>
WAN 0 WAN 192.168.201.1 0.0.0.0/0 _internal_
kni254 0 controlKniIf 169.254.127.126 0.0.0.0/0 _internal_
Could be a hace a missconfiguration in the peer between 128T_1 and 128T_2?
Best regards.
------------------------------
Dani Garces
Original Message:
Sent: 05-29-2019 13:22
From: Patrick A Timmons
Subject: Conductor over SVR
Each router's configuration lives in the conductor, not on the individual routers. You're going to be in a position where your router and conductor have differing opinions on configuration, which is not advisable.
When managing a set of routers with a conductor, the conductor's configuration should be the single source of truth for everything.
------------------------------
pt.
Original Message:
Sent: 05-29-2019 12:58
From: Dani Garces
Subject: Conductor over SVR
Hi Patrick:
I have delete the manual services in 128T_1 and 128T_2.
128T_2 seems to be OK:
Node: 128T_2
==================== ======= ======= ============ ========================= ===========
IP Prefix Port Proto Tenant Service Next Hops
==================== ======= ======= ============ ========================= ===========
192.168.200.2/32 <any> icmp _internal_ _conductor_1 1-WAN.0
192.168.200.2/32 443 tcp _internal_ _conductor_1 1-WAN.0
192.168.200.2/32 930 tcp _internal_ _conductor_1 1-WAN.0
192.168.200.2/32 4505 tcp _internal_ _conductor_1 1-WAN.0
192.168.200.2/32 4506 tcp _internal_ _conductor_1 1-WAN.0
Session Id Service Tenant Dev Name VLAN Proto Src IP Src Port Dest IP Dest Port NAT IP NAT Port Payload Timeout Uptime
Encrypted
================================== =========== =========== ========== ====== ======= =========== ========== =========== =========== =========== ========== =========== ========= =========
aa290e7a-49bc-48d3-8e31-2b92b2f2 _conducto _internal kni254 0 tcp 169.254.1 57104 192.168.2 4505 192.168.2 16683 false 7 0 days
0d81 r_1 _ 27.127 00.2 01.2 0:00:07
aa290e7a-49bc-48d3-8e31-2b92b2f2 _conducto _internal WAN 0 tcp 192.168.2 4505 192.168.2 16683 0.0.0.0 0 false 3 0 days
0d81 r_1 _ 00.2 01.2 0:00:07
But I do not see this sessions in 128T_1. The service is OK
Node: 128T_1
==================== ======= ======= ============ ========================= ===============
IP Prefix Port Proto Tenant Service Next Hops
==================== ======= ======= ============ ========================= ===============
192.168.200.2/32 <any> icmp _internal_ _conductor_1 192.168.200.2
192.168.200.2/32 443 tcp _internal_ _conductor_1 192.168.200.2
192.168.200.2/32 930 tcp _internal_ _conductor_1 192.168.200.2
192.168.200.2/32 4505 tcp _internal_ _conductor_1 192.168.200.2
192.168.200.2/32 4506 tcp _internal_ _conductor_1 192.168.200.2
Node: 128T_1
================================== =========== =========== ========== ====== ======= =========== ========== =========== =========== =========== ========== =========== ========= =========
Session Id Service Tenant Dev Name VLAN Proto Src IP Src Port Dest IP Dest Port NAT IP NAT Port Payload Timeout Uptime
Encrypted
================================== =========== =========== ========== ====== ======= =========== ========== =========== =========== =========== ========== =========== ========= =========
5180dd22-55c6-4434-ae0d-59711242 <BfdServi <unknownT none 0 udp 192.168.2 1280 192.168.2 1280 0.0.0.0 0 false 0 0 days
0834 ce> enant> 01.1 01.2 0:25:05
5180dd22-55c6-4434-ae0d-59711242 <BfdServi <unknownT WAN 0 udp 192.168.2 1280 192.168.2 1280 0.0.0.0 0 false 0 0 days
0834 ce> enant> 01.2 01.1 0:25:05
8b2587ca-1e6a-4377-87bb-d218e4d4 _conducto _internal kni254 0 tcp 169.254.1 49242 192.168.2 930 192.168.2 16385 false 1899 0 days
e89c r_1 _ 27.127 00.2 00.1 0:23:50
8b2587ca-1e6a-4377-87bb-d218e4d4 _conducto _internal LAN 0 tcp 192.168.2 930 192.168.2 16385 0.0.0.0 0 false 1899 0 days
e89c r_1 _ 00.2 00.1 0:23:50
96b1ea24-0e11-417d-85eb-0bf3d807 _conducto _internal kni254 0 tcp 169.254.1 49256 192.168.2 930 192.168.2 16391 false 1896 0 days
ce03 r_1 _ 27.127 00.2 00.1 0:23:43
96b1ea24-0e11-417d-85eb-0bf3d807 _conducto _internal LAN 0 tcp 192.168.2 930 192.168.2 16391 0.0.0.0 0 false 1896 0 days
ce03 r_1 _ 00.2 00.1 0:23:43
bc9fe618-ce22-4bb9-bb34-953cf29a _conducto _internal kni254 0 tcp 169.254.1 49254 192.168.2 930 192.168.2 16390 false 1896 0 days
2488 r_1 _ 27.127 00.2 00.1 0:23:43
bc9fe618-ce22-4bb9-bb34-953cf29a _conducto _internal LAN 0 tcp 192.168.2 930 192.168.2 16390 0.0.0.0 0 false 1896 0 days
2488 r_1 _ 00.2 00.1 0:23:43
f8d7983b-fb05-47cb-821e-48a6beec _conducto _internal kni254 0 tcp 169.254.1 33436 192.168.2 4505 192.168.2 16386 false 1893 0 days
e9cc r_1 _ 27.127 00.2 00.1 0:23:47
f8d7983b-fb05-47cb-821e-48a6beec _conducto _internal LAN 0 tcp 192.168.2 4505 192.168.2 16386 0.0.0.0 0 false 1893 0 days
e9cc r_1 _ 00.2 00.1 0:23:47
With the changes there is no connectivity from 128T_2 to Conductor.
Yout question: do you mean you configured that router directly?
Yes, I configured it directly in 128T_2. Because before this configuration, the kni254 interface was in <global> tenant.
Node: 128T_2
============ ========= ============== ================= ================== ==========
Device I/F VLAN ID Network I/F Network I/F IP Source IP Prefix Tenant
============ ========= ============== ================= ================== ==========
WAN 0 WAN 192.168.201.2 0.0.0.0/0 <global>
kni254 0 controlKniIf 169.254.127.126 0.0.0.0/0 <global>
Best regards.
------------------------------
Dani Garces
Original Message:
Sent: 05-29-2019 01:00
From: Patrick A Timmons
Subject: Conductor over SVR
Hi Dani,
First, you should delete the conductor services you created manually (conductor-128T_1, conductor-128T_2) as these are not necessary and are causing conflicts. The "conductor-address" setting in the configuration will generated _conductor_1 for you, which should be all that you need. Furthermore, you do not need to create the _internal_ tenant... it is there already. I may be missing something... when you say you configured it in 128T_2, do you mean you configured that router directly?
------------------------------
pt.
Original Message:
Sent: 05-28-2019 03:20
From: Dani Garces
Subject: Conductor over SVR
Hi Patrick:
I have created the "_internal_" tenant manually in 128T_2 and now the kni interface is member of this tenant:
Node: 128T_2
============ ========= ============== ================= ================== ============
Device I/F VLAN ID Network I/F Network I/F IP Source IP Prefix Tenant
============ ========= ============== ================= ================== ============
WAN 0 WAN 192.168.201.2 0.0.0.0/0 <global>
kni254 0 controlKniIf 169.254.127.126 0.0.0.0/0 _internal_
And now, the "_conductor_1" service is availiable and in use in 128T_2.
Node: 128T_2
==================== ======= ======= ============ ========================= ===========
IP Prefix Port Proto Tenant Service Next Hops
==================== ======= ======= ============ ========================= ===========
192.168.200.2/32 <any> icmp _internal_ _conductor_1 1-WAN.0
192.168.200.2/32 443 tcp _internal_ _conductor_1 1-WAN.0
192.168.200.2/32 930 tcp _internal_ _conductor_1 1-WAN.0
192.168.200.2/32 4505 tcp _internal_ _conductor_1 1-WAN.0
192.168.200.2/32 4506 tcp _internal_ _conductor_1 1-WAN.0
Only one problem remain, When the traffic to conductor comes from 128T_2 to 128T_1, It is using the service "conductor-128T_1" not the service "_conductor_1".
It seem that 128T_1 do not recognice this traffic as being part of "_internal_" tenant.
Best regards.
------------------------------
Dani Garces
Original Message:
Sent: 05-27-2019 08:19
From: Dani Garces
Subject: Conductor over SVR
Hi Patrick:
Nothing private in the configuration. Is a lab environment I use to test features.
The topolgy is attached in other post.
config
authority
conductor-address 192.168.200.2
remote-login
exit
router 128T_1
name 128T_1
inter-node-security unencrypted
peer 128T_2
name 128T_2
authority-name Authority128
router-name 128T_2
exit
node 128T_1
name 128T_1
asset-id 128T_1.lab
role combo
device-interface LAN
name LAN
pci-address 0000:02:00.0
network-interface LAN
name LAN
global-id 1
conductor true
source-nat true
address 192.168.200.1
ip-address 192.168.200.1
prefix-length 24
exit
exit
exit
device-interface WAN
name WAN
pci-address 0000:00:02.0
network-interface WAN
name WAN
global-id 2
inter-router-security aes1
source-nat false
address 192.168.201.1
ip-address 192.168.201.1
prefix-length 24
gateway 192.168.201.2
exit
adjacency 192.168.201.2
ip-address 192.168.201.2
peer 128T_2
inter-router-security aes1
exit
exit
exit
exit
service-route conductor-128T_1
name conductor-128T_1
service-name conductor-128T_1
next-hop 128T_1 LAN
node-name 128T_1
interface LAN
exit
exit
service-route _conductor_1_route_1
name _conductor_1_route_1
service-name _conductor_1
generated true
next-hop 128T_1 LAN
node-name 128T_1
interface LAN
gateway-ip 192.168.200.2
exit
exit
exit
router 128T_2
name 128T_2
inter-node-security aes1
peer 128T_1
name 128T_1
authority-name Authority128
router-name 128T_1
exit
node 128T_2
name 128T_2
asset-id 128T_2.lab
role combo
device-interface WAN
name WAN
pci-address 0000:00:02.0
network-interface WAN
name WAN
global-id 1
conductor true
inter-router-security aes1
source-nat true
address 192.168.201.2
ip-address 192.168.201.2
prefix-length 24
exit
adjacency 192.168.201.1
ip-address 192.168.201.1
peer 128T_1
inter-router-security aes1
exit
exit
exit
exit
service-route svr-conductor-128T_2
name svr-conductor-128T_2
service-name conductor-128T_2
next-hop 128T_2 WAN
node-name 128T_2
interface WAN
exit
exit
service-route _conductor_1_route_1
name _conductor_1_route_1
service-name _conductor_1
generated true
next-hop 128T_2 WAN
node-name 128T_2
interface WAN
exit
exit
routing default-instance
type default-instance
static-route 192.168.200.2/32 1
destination-prefix 192.168.200.2/32
distance 1
next-hop 192.168.201.1
next-hop-interface 128T_2 WAN
node 128T_2
interface WAN
exit
exit
exit
exit
router conductor
name conductor
node conductor
name conductor
asset-id conductor.lab
exit
exit
tenant _internal_
name _internal_
description "Auto generated tenant for internal services"
generated true
exit
security unencrypted
name unencrypted
hmac-cipher sha256-128
hmac-key (removed)
encryption-cipher aes-cbc-128
encryption-key (removed)
encryption-iv (removed)
encrypt false
adaptive-encryption false
exit
security aes1
name aes1
hmac-cipher sha256-128
hmac-key (removed)
encryption-cipher aes-cbc-128
encryption-key (removed)
encryption-iv (removed)
hmac-mode regular
adaptive-encryption false
exit
service conductor-128T_1
name conductor-128T_1
scope public
transport tcp
protocol tcp
port-range 22
start-port 22
exit
port-range 443
start-port 443
exit
port-range 930
start-port 930
exit
port-range 4505
start-port 4505
exit
port-range 4506
start-port 4506
exit
exit
transport icmp
protocol icmp
exit
address 192.168.200.2/32
access-policy 0.0.0.0/0
source 0.0.0.0/0
exit
exit
service conductor-128T_2
name conductor-128T_2
scope public
security aes1
transport tcp
protocol tcp
port-range 22
start-port 22
exit
port-range 443
start-port 443
exit
port-range 930
start-port 930
exit
port-range 4505
start-port 4505
exit
port-range 4506
start-port 4506
exit
exit
transport icmp
protocol icmp
exit
address 192.168.200.2
access-policy 0.0.0.0/0
source 0.0.0.0/0
exit
access-policy 169.254.127.127/31
source 169.254.127.127/31
exit
exit
service _conductor_1
name _conductor_1
enabled true
scope private
tap-multiplexing false
transport icmp
protocol icmp
exit
transport tcp
protocol tcp
port-range 443
start-port 443
end-port 443
exit
port-range 930
start-port 930
end-port 930
exit
port-range 4505
start-port 4505
end-port 4505
exit
port-range 4506
start-port 4506
end-port 4506
exit
exit
address 192.168.200.2/32
access-policy-generated true
access-policy _internal_
source _internal_
permission allow
exit
service-policy _conductor_
share-service-routes false
source-nat network-interface
application-type generic
fqdn-resolution-type v4
generated true
exit
service-policy _conductor_
name _conductor_
description "Auto generated service-policy for conductor services"
lb-strategy proportional
required-qp 0
qp-preference highest
session-resiliency none
path-quality-filter false
best-effort true
max-loss 0.5
max-latency 250
max-jitter 100
transport-state-enforcement reset
generated true
exit
exit
exit
Thank you¡¡
------------------------------
Dani Garces
Original Message:
Sent: 05-27-2019 08:14
From: Patrick A Timmons
Subject: Conductor over SVR
Can you share your configuration here? If it has any proprietary or private information, please feel free to sanitize it before uploading.
------------------------------
pt.
Original Message:
Sent: 05-27-2019 07:50
From: Dani Garces
Subject: Conductor over SVR
Hi Patrick:
The problem is that kni254 is not tagged with _internal_ tennat:
admin@128T_2.128T_2
# sho tenant members
lun 2019-05-27 13:48:07 CEST
Node: 128T_2
============ ========= ============== ================= ================== ==========
Device I/F VLAN ID Network I/F Network I/F IP Source IP Prefix Tenant
============ ========= ============== ================= ================== ==========
WAN 0 WAN 192.168.201.2 0.0.0.0/0 <global>
kni254 0 controlKniIf 169.254.127.126 0.0.0.0/0 <global>
Completed in 0.09 seconds
I don´t know if I can change it.
Best regards and thank you¡
------------------------------
Dani Garces
Original Message:
Sent: 05-27-2019 07:31
From: Patrick A Timmons
Subject: Conductor over SVR
Hi Dani,
You shouldn't need to have a separate service on 128_2. Note that the connections to conductor originate in Linux and arrive in 128T via a KNI, so the conductor service you create should have an access-policy that accounts for this. If you're using the built-in kni254 interface, then this interface will be tagged with the tenant _internal_. Thus you should have an access-policy that allows _internal_. Your access-policy that includes 0.0.0.0/0 will not work, since this only affects permissions within the "global" namespace (i.e., sources that are not tagged with a tenant).
Sorry this is so complicated... we're making it much much easier in future releases. Our 4.2.0 release makes this simpler, and there are enhancements planned beyond this (4.3.0, specifically) that are going to avoid all of these complications.
------------------------------
pt.
Original Message:
Sent: 05-27-2019 06:55
From: Dani Garces
Subject: Conductor over SVR
Hi:
I made it work, but I feel that is not the best solution.
I had to create a service and a service route for the conductor en 128T_2. Also I had to configure a route under linux pointing to 128T_2 kni interface:
[root@128T_2 128technology]# ip rout
default via 10.0.0.2 dev enp2s0 proto dhcp metric 101
10.0.0.0/16 dev enp2s0 proto kernel scope link src 10.0.0.3 metric 101
169.254.0.0/16 dev kni254 scope link metric 1004
169.254.127.126/31 dev kni254 proto kernel scope link src 169.254.127.127
192.168.200.2 via 169.254.127.126 dev kni254 metric 128
[root@128T_2 128technology]# ping 192.168.200.2
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data.
64 bytes from 192.168.200.2: icmp_seq=1 ttl=62 time=6.17 ms
64 bytes from 192.168.200.2: icmp_seq=2 ttl=62 time=3.79 ms
I had to create a service and a service route for the conductor en 128T_1 (the _conductor_1 internal service did not work for 128_T2..., I do not know why).
128T_2 is now under the Conductor control:
Best regards.
------------------------------
Dani Garces
Original Message:
Sent: 05-26-2019 13:27
From: Dani Garces
Subject: Conductor over SVR
Hi guys:
I still can not make it work. All help will be appreciated!
Best regards.
------------------------------
Dani Garces
Original Message:
Sent: 05-20-2019 06:54
From: Dani Garces
Subject: Conductor over SVR
Hi Sebastian:
I have redo all my environment from scratch and tryfto follow all the indications step by step, but without success.. I have attached a picture of environment to be as clear as I can.
Answering your questions:
1 - 128T_1:
Is it able to reach the conductor via the LAN interface? Is it in the same subnet?
Yes, they are on the same subnet, 128T_1 is managed by the conductor without problem.
admin@con21.conductor
# show assets
=========== ======== =================== ==================== ========= ========
Router Node Asset Id 128T Version Status Errors
=========== ======== =================== ==================== ========= ========
128T_1 128T_1 128T_1.lab 4.1.3-1.el7.centos running 0
conductor con21 testconductor.lab 4.1.3-1.el7.centos running 0
2 - 128T_2:
Create a Service and a Service route on it. Service would be the conductor ip. Point the service route for that service to the peer 128T_1. Use the build in ping utility either from the gui or pcli to ping the conductor.
The service and the service route is created under 128T_2 piointing to 128T_1 peer:
network-interface WAN
name WAN
global-id 1
conductor true
source-nat true
address 192.168.201.2
ip-address 192.168.201.2
prefix-length 24
exit
adjacency 192.168.201.1
ip-address 192.168.201.1
peer 128T_1
inter-router-security aes1
exit
service conductor_128T_2
name conductor_128T_2
scope public
security aes1
transport tcp
protocol tcp
port-range 930
start-port 930
exit
port-range 443
start-port 443
exit
port-range 4505
start-port 4505
exit
port-range 4506
start-port 4506
exit
exit
transport icmp
protocol icmp
exit
address 192.168.200.2/32
access-policy 0.0.0.0/0
source 0.0.0.0/0
exit
exit
service-route svr-conductor-128T_2
name svr-conductor-128T_2
service-name conductor_128T_2
peer 128T_1
exit
The peers are up at both sides:
admin@128T_2.128T_2
# show peers
======== ======== =================== =============== ======== ============= =============
Peer Node Network Interface Destination Status Hostname Path MTU
======== ======== =================== =============== ======== ============= =============
128T_1 128T_2 WAN 192.168.201.1 up unavailable unavailable
admin@128T_1.128T_1
# show peers
======== ======== =================== =============== ======== ============= =============
Peer Node Network Interface Destination Status Hostname Path MTU
======== ======== =================== =============== ======== ============= =============
128T_2 128T_1 WAN 192.168.201.2 up unavailable unavailable
From the CLI of 128T_2 there is ICMP connectivity to Conductor IP:
admin@128T_2.128T_2
# ping 192.168.200.2
PING 192.168.200.2 56 bytes of data.
Ping from 192.168.200.2 (192.168.200.2): icmp_seq=0 ttl=63
Ping from 192.168.200.2 (192.168.200.2): icmp_seq=1 ttl=63
Ping from 192.168.200.2 (192.168.200.2): icmp_seq=2 ttl=63
Ping from 192.168.200.2 (192.168.200.2): icmp_seq=3 ttl=63
to have connecitvity from 128T_2 to Conductor IP, I had to configure a static route in 128T_2:
routing default-instance
type default-instance
static-route 192.168.200.2/32 1
destination-prefix 192.168.200.2/32
distance 1
next-hop 192.168.201.1
exit
exit
3- Conductor IP
Note: The conductor would not be able to manage the second router unless you provision/initialized the 128T_2 with that conductor ip. If you did this you should see the 128T_2 as pending asset under the asset page.
The conductor is configured under Authority leven in 128T_2
admin@128T_2.128T_2
# show config running
config
authority
conductor-address 192.168.200.2
router 128T_2
name 128T_2
inter-node-security aes1
4 - Aditional checks:
Source-NAT and conductor flag is enabled for WAN interface of 128T_2:
node 128T_2
name 128T_2
asset-id 128T_2
device-interface WAN
name WAN
pci-address 0000:00:02.0
network-interface WAN
name WAN
global-id 1
conductor true
source-nat true
For testing purposes, as I see that the service created for Conductor IP in 128T_2 is under <global> tennant, I have created in 128T_1 another conductor service under de <global> tenant (service conductor_128T_1), but without results.
admin@128T_2.128T_2
# show fib
==================== ======= ======= ========== ========================= ===============
IP Prefix Port Proto Tenant Service Next Hops
==================== ======= ======= ========== ========================= ===============
192.168.200.2/32 <any> icmp <global> conductor_128T_2 192.168.201.1
192.168.200.2/32 443 tcp <global> conductor_128T_2 192.168.201.1
192.168.200.2/32 930 tcp <global> conductor_128T_2 192.168.201.1
192.168.200.2/32 4505 tcp <global> conductor_128T_2 192.168.201.1
192.168.200.2/32 4506 tcp <global> conductor_128T_2 192.168.201.1
admin@128T_1.128T_1
# show fib
lun 2019-05-20 12:51:24 CEST
Node: 128T_1
Entry Count: 48
Capacity: 17443
==================== ======= ======= ============ ========================= ===============
IP Prefix Port Proto Tenant Service Next Hops
==================== ======= ======= ============ ========================= ===============
192.168.200.2/32 <any> icmp <global> conductor_128T_1 192.168.200.2
192.168.200.2/32 <any> icmp _internal_ _conductor_1 192.168.200.2
192.168.200.2/32 443 tcp <global> conductor_128T_1 192.168.200.2
192.168.200.2/32 443 tcp _internal_ _conductor_1 192.168.200.2
192.168.200.2/32 930 tcp <global> conductor_128T_1 192.168.200.2
192.168.200.2/32 930 tcp _internal_ _conductor_1 192.168.200.2
192.168.200.2/32 4505 tcp <global> conductor_128T_1 192.168.200.2
192.168.200.2/32 4505 tcp _internal_ _conductor_1 192.168.200.2
192.168.200.2/32 4506 tcp <global> conductor_128T_1 192.168.200.2
192.168.200.2/32 4506 tcp _internal_ _conductor_1 192.168.200.2
Excuseme for this long post....
Best regards.
------------------------------
Dani Garces
Original Message:
Sent: 05-17-2019 08:26
From: Sebastian Hofmann
Subject: Conductor over SVR
Hi Dani,
correct with 4.2 this config moves completely into the gui and will use another typ. Right now for >4.1 the mention option in the guide would be the option to move forward.
Correct i was under the impression that this is already the case, for now the manual creation would be the way forward. Above autogeneration works from the conductor.
So your steps would be:
128T_1:
Is it able to reach the conductor via the LAN interface? Is it in the same subnet?
128T_2:
Create a Service and a Service route on it. Service would be the conductor ip. Point the service route for that service to the peer 128T_1. Use the build in ping utility either from the gui or pcli to ping the conductor.
Note: The conductor would not be able to manage the second router unless you provision/initialized the 128T_2 with that conductor ip. If you did this you should see the 128T_2 as pending asset under the asset page.
Cheers
Seb
------------------------------
Sebastian Hofmann
Sales Engineer - EMEA
Original Message:
Sent: 05-17-2019 08:03
From: Dani Garces
Subject: Conductor over SVR
Hi Sebastian:
OK, I understand from yout post that the 128T router uses its own forwarding interface to reach the conductor.
I read the document you attach, but the kni interface is deprecated in the current version and is not an option tu use under the GUI .
From you last post, I´m no using neighborhoods because as I undestand, I can use neighborhoods when both routers are managed by the conductor. In my case I´m trying and no able to add the 128T_2 to the conductor. For this reason I use manual peers.
I have double checket that the "conductor flag" is enabled in the 128T_2 router interface toward 128T_1, it´s OK. Also I checked that the IP address of the conductor is configured at Authority level in 128T_2 and the conductor.
I have observed that when I configure the IP address of the conductor at Authority level in 128T_2, the service "_conductor_1" is not auto generated. I created this service manually and build a peer service route towards 128T_1, but doesn´t work.
Thank you so much for your support.
Best regards.
------------------------------
Dani Garces
Original Message:
Sent: 05-17-2019 06:47
From: Sebastian Hofmann
Subject: Conductor over SVR
Hi Dani,
you could create the adjacencies on your own but i would rather use the concept of neighborhoods on the specific network interfaces. Those would generate the adjacencies and peers for you automatically.
Do you use a conductor for both routers? If yes you need to set the conductor IP under the authority level, it will distribute the those information towards its routers.
There is a little slider within the network interface configuration which is labled: conductor set it to enable (true) on the lan interface. It will generate you a SR and the Service on the 128T_1. On the 128T_2 you need to create a service route which takes the service _conductor_1 (thats the autogenerated service) and build a peer service route towards 128T_1. Once done you should be set. If the conductor has as default GW the 128T no need to set a route on the conductor. If its not the default GW or it sits in another subnet you need to setup the route manually on the conductor.
Cheers
Seb
------------------------------
Sebastian Hofmann
Sales Engineer - EMEA
Original Message:
Sent: 05-16-2019 06:14
From: Dani Garces
Subject: Conductor over SVR
Hi :
Can you elaborate a little bit more?. I´m trying to test this scenario without success.
The scenario is the following:
Conductor <--LAN 1--> 128T_1 <--WAN--> 128T_2
From my undestanding, these are the steps needed (128T_1 is now registered with conductor):
128T_1:
- Create an adjacency with 128T_2
128T_2:
- Create an adjacency with 128T_1
- Configure the conductor IP under Authority level.
- Create a new service with the IP and ports of the conductor and create for this service a service route type "peer" pointing to peer 128T_1.
- Enable network interface to 128T_1 for conductor access.
Conductor:
- Check for a route under linux to reah to IP of the WAN 128T_2
The peering seems to be working fine between the routers:
128T_1
=========== =========== =================== =============== ======== ============= =============
Peer Node Network Interface Destination Status Hostname Path MTU
=========== =========== =================== =============== ======== ============= =============
bo11-test dc11-test WAN 192.168.201.2 up unavailable unavailable
128T_2
========== =========== =================== =============== ======== ============= =============
Peer Node Network Interface Destination Status Hostname Path MTU
========== =========== =================== =============== ======== ============= =============
DC1-test bo11-test WAN 192.168.201.1 up unavailable unavailable
There is connectivity between 128T_2 and the conductor
admin@bo11-test.rbo11
-test# ping 192.168.200.2
PING 192.168.200.2 56 bytes of data.
Ping from 192.168.200.2 (192.168.200.2): icmp_seq=0 ttl=63
I do not know I'm not taking into account?
Best regards.
------------------------------
Dani Garces
Original Message:
Sent: 04-12-2019 11:03
From: Sebastian Hofmann
Subject: Conductor over SVR
Hi Ivan,
sure thats possible. For that you would need to create service which matches the conductor (IP and ports (930,443,4505,4506)) Once created you configure on the headend router a service route for that service. Select as service route type a peer which is able to route you to the conductor.
Let me know if you need any assistance.
Cheers
Seb
------------------------------
Sebastian Hofmann
Sales Engineer - EMEA
Original Message:
Sent: 04-09-2019 13:55
From: Victoria Smiley
Subject: Conductor over SVR
Hi ,
Have you seen this video on service routes? Perhaps it's a good start.
Thanks,
Victoria
------------------------------
Victoria Smiley
Interchange Community Manager
Burlington MA
Original Message:
Sent: 04-09-2019 04:46
From: Ivan Minin
Subject: Conductor over SVR
Hello,
In our setup we have a conductor in our internal network, and not reachable on any interface on remote 128T router directly, but can be accessed over SVR (I guess).
How to properly create a service and a service route on a headend to make remote use SVR to chat with conductor?
Thanks
------------------------------
Ivan Minin
Houston TX
(346) 319-6699
------------------------------