Installing DANOS on Virtual Box

Recent versions of Virtual Box have the networking capabilities to install and run DANOS for demonstrations and learning about the features of DANOS.

The instructions below were done on the 6.1 version of Virtual Box. Generally, the approach is the same as the libvirt and OpenStack installs: the ISO disk is attached, ‘install image’ is run on the attached virtual hard disk, and then the ISO is removed. The key difference is to choose the Network Adapter as virtio-net.

In this ‘How-To’ we will create a three VM virtual box environment with a DANOS router, a traffic source and a traffic sink so we can demonstrate routing and basic firewall operations.

 

Prerequisites

  1. Laptop/Desktop with sufficient memory for 8 - 12 GB of virtual machine memory and 4 to 8 vCPU. A 32GB laptop, Intel Core i7 on Windows 10 was used for this How-To but that is not the minimum.

  2. Virtual Box 6.1 or later

  3. DANOS ISO downloaded locally to where you are running Virtual Box.

  4. You may need to download an Ubuntu ISO as well if you don't already have a Linux image in your Virtual Box setup.

Use Case Environment

The use case will be three virtual machines.

  1. DANOS vRR

    1. DANOS with 4 ports, a Ubuntu vm as a traffic source and an Ubuntu vm as a traffic sink

    2. dp0p0s3 (adapter 1) - will be a dhcp Bridged Adapter so we can SSH into the vRR.

    3. dp0p0s8 (adapter 2) - 192.168.2.2/24 (intnet)

    4. dp0p0s9 (adapter 3) - 192.168.3.2/24 (intnet)

  2. VM source (works better if only one is enabled at a time)

    1. adapter 1- NAT (to get to internet for apt update / apt install )

    2. adapter 2 - 192.168.2.3/24 gateway 192.168.2.2 (intnet)

  3. VM sink (works better if only one is enabled at a time)

    1. adapter 1 - NAT (to get to internet for apt update/apt install )

    2. adapter 2 - 192.168.3.3/24 gateway 192.168.3.2 (intnet)

 

Step by step instructions

  1. Create the DANOS Image from the ISO

    1. Create a new image using the Virtual Box Manager → Machine → New

    2. Enter a name (e.g. danosVRR)

    3. Select Linux

    4. Select Debian-64

    5. Click Next

    6. Select 4096 MB of RAM and Click Next

    7. Select ‘Create a virtual hard disk now’ and Click Create

    8. Select ‘Virtual Hard Disk’, not VDI or VMDK (these may work but the DANOS image uses a fixed disk size) and Click Next

    9. Select ‘Use Fixed Size’ and Click Next

    10. Select 8.00 GB and Click Create

    11. The image should now be in your list of instances available to start

    12. You may want to set Adapter 1 Adapter-Type to Advanced → Paravirtualized Network (virtio-net) so that you avoid an error when we activate dhcp in the next section.

  2. Install the DANOS Image

    1. Start the image you just created

    2. Select as the start-up image the DANOS ISO

      1. Click on the file folder icon

      2. Click on +Add and a file browser window should pop up

      3. Navigate to the DANOS ISO and click on “Open”

      4. The ISO should be on the displayed list of options, select and click on “Choose”

      5. Click Start

    3. The virtual machine should now boot from the ISO, present a boot screen and then proceed to boot to a shell as vyatta

    4. We want to activate dhcp on the dp0p0s3 port and turn on ssh so that we can use putty or ssh to configure DANOS with copy/paste. The recommended way is to use the config cli and to choose /config/config.boot as the source of the configuration when doing install image.

    5. Enter the following commands:

      config
      set interfaces dataplane dp0p0s3 address dhcp
      set service ssh
      commit
      exit

      You may get an error as it tries to start the dhcp client, but you should ignore this error since we will correct the Adapter Types in the next section.

      You can check that the config is correct with a show config



    6. Type ‘install image’ and follow the same sequence as the libvirt install

    7. default for image name

    8. default to select /config/config.boot

    9. In the 2005 version, you will be asked to create an administrator account by supplying a username and password.

      1. In the 1908 version the default user is vyatta and you supply a password.

    10. default tty

    11. default No for grub password

    12. default No for reduced grub layout

    13. it will prompt to confirm to install on /sda (this will be the new hard disk image we use instead of the iso)

    14. default for gpt

    15. default for partition and partition size

    16. default for log partition [0]

    17. default for Print final sizes

    18. enter ‘yes’ to Continue the install

    19. you should get a ‘Done’ at the end

  3. Configure Machine Settings

    1. At this point, the ISO is still attached to the machine and needs to be removed

      1. Shut down the machine (I usually pick sending the signal)

      2. Remove the ISO image attached to the optical device

        1. Go into Virtual Box Manager

        2. Select your DANOS instance

        3. Select Settings

        4. Select Storage



        5. Right-click on the DANOS ISO and Select ‘Remove Attachment’

        6. Click ‘Remove’



    2. Select System and set the number of CPUs to 4. If your environment is limited you should be able to get by with just 2 vCPUs. The default Chipset PIIX3 should be fine.









    3. Network: let's enable adapters for our demonstrations. You will need to make sure that all enabled adapters use an Adapter-Type of Paravirtualized Network (virtio-net) or the dataplane will not come up. Select Network

      1. Adapter 1 should be attached as 'Bridged Adapter'

        1. Click Advanced

        2. Select Adapter Type: Paravirtualized Network (virtio-net)




      2. Select Adapter 2, Select Enable and Select Internal Network and take the default name as ‘intnet’

        1. Select Advanced and choose Adapter Type: Paravirtualized Network (virtio-net) like adapter 1.

        2. we will attach traffic source and traffic sink to this internal VB network and use static IP address


           



      3. Repeat for Adapter 3 and 4 just like Adapter 2, with the same name for the internal network (you can use a different internal network name, but then we have to set that same name for the other VMs, and for a local demonstration it is not needed).

        1. We enabled Adapter 4 in case you want to try more advanced routing options but it is not used in this setup.

  4. Start the machine
    There should not be a long delay if the Adapters are set correctly and you should see dp0p0s3 starting DHCP. After a minute you should be at the console port with a login prompt




  5. Log in as vyatta/vyatta (or your chosen password)

  6. show interfaces should show the dp0p0s3 interface as u/u




  7. If you need to edit networking, you may need to give your login superuser level.

    1. Enter config mode

    2. set system login user vyatta level superuser

    3. commit

    4. exit

    5. log out of the machine and log in again

    6. you should be able to sudo and edit /etc/network/interfaces as needed

  8. You should be able to login to the vRR using telnet/putty to the IP listed.




  9. Let's configure DANOS for our demonstration

    1. enter config mode

    2. set interfaces dataplane dp0p0s8 address 192.168.2.2/24

    3. set interfaces dataplane dp0p0s9 address 192.168.3.2/24

    4. commit

    5. show interfaces

    6. exit

    7. show interfaces




  10. Create a Traffic Sink

    1. Create an Ubuntu VM (you may need to download an Ubuntu ISO)

      1. 1 vCPU, 2 GB memory, 10 GB storage, but even less memory is probably okay

      2. Adapter 1 should be NAT

      3. Adapter 2 should be enabled on the Internal Network with the same name as the vRR

      4. There is no need for advanced settings.

      5. The Ubuntu install will automatically remove the iso image during the install so simply hit enter on the reboot after install.

    2. I enable Adapter 1, log in and do apt update, apt install lighttpd, apt install curl, apt install net-tools, apt install traceroute and then disable Adapter 1.

      1. This may not be needed if your networking environment doesn't confuse Ubuntu like mine did

      2. You may need to add a corporate proxy to your apt installation

        1. sudo vi /etc/apt/apt.conf.d/proxy.conf

        2. Acquire::http::Proxy "http://yourproxyaddress:proxyport";

    3. You can use Ubuntu → Settings → Network to set the static IP address on the dp0p0s8 adapter
      IPv4 Manual: address 192.168.3.3, netmask 255.255.255.0, gateway 192.168.3.2


       

    4. Make sure curl http://127.0.0.1/ returns some HTML and you can ping the gateway 192.168.3.2 on the traffic-SINK




  11. Repeat for the Traffic-Source but use 192.168.2.3, 192.168.2.2 as the gateway




  12. Test
    You should be able to ping the 192.168.3.3 address from the Traffic Source (192.168.2.3) and vice versa. Curl to the traffic-SINK at 192.168.3.3 should work from 192.168.2.3.
    show interface counters should reflect the routing through the vRR



     

  13. You can update the DANOS firewall rules and enable/disable the firewall to test a Port 80 connection policy just like the OpenStack use case.

    1. Create a Firewall policy and attach it to interface dp0p0s8 (the traffic-SOURCE ingress port towards the traffic-SINK)

      vyatta@vyatta:~$ config
      [edit]
      vyatta@vyatta# set security firewall name Test80 description "Allow port 80"
      [edit]
      vyatta@vyatta# set security firewall name Test80 rule 100 destination address 192.168.3.3
      [edit]
      vyatta@vyatta# set security firewall name Test80 rule 100 destination port 80
      [edit]
      vyatta@vyatta# set security firewall name Test80 rule 100 protocol tcp
      [edit]
      vyatta@vyatta# set security firewall name Test80 rule 100 action accept
      [edit]
      vyatta@vyatta# set interfaces dataplane dp0p0s8 firewall in Test80
      [edit]
      vyatta@vyatta# commit
      [edit]

    2. Curl should still work but ping will fail because the policy does not allow ICMP through.

    3. Disable port 80

      config
      set security firewall name Test80 rule 100 action drop
      commit

       

    4. Curl should also be blocked now

    5. Enable Curl on port 80 with:

      config
      set security firewall name Test80 rule 100 action accept
      commit

    6. Now let's enable ICMP so both ping and curl work to traffic-SINK (192.168.3.3) from the traffic-SOURCE (192.168.2.3)

      vyatta@vyatta# set security firewall name Test80 rule 110 destination address 192.168.3.3
      [edit]
      vyatta@vyatta# set security firewall name Test80 rule 110 protocol icmp
      [edit]
      vyatta@vyatta# set security firewall name Test80 rule 110 action accept
      [edit]
      vyatta@vyatta# commit
      [edit]

 

 

 

    7. Turn on UDP to permit traceroute through so we can see the vRR is doing the routing. Rule 120 has no port match, so it accepts all UDP to 192.168.3.3, not only traceroute probes.

      vyatta@vyatta# set security firewall name Test80 rule 120 destination address 192.168.3.3
      [edit]
      vyatta@vyatta# set security firewall name Test80 rule 120 protocol udp
      [edit]
      vyatta@vyatta# set security firewall name Test80 rule 120 action accept
      [edit]
      vyatta@vyatta# commit
      [edit]
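
To confirm each firewall step from the traffic-SOURCE (192.168.2.3), the script below probes the traffic-SINK with ping, curl and traceroute and compares the results with what step 13 describes. It is an added example, not part of the original How-To; the stage names and function names are made up here, and the "udp fail" expectation before rule 120 is inferred from the policy rather than stated above.

```shell
#!/bin/sh
# Added example: run on traffic-SOURCE after each commit in step 13.
SINK=192.168.3.3   # traffic-SINK address used throughout this How-To

# Expected "icmp http udp" outcome per stage (stage names are hypothetical labels).
# udp=fail before rule 120 is an inference from the policy, not a statement from the page.
expected_for_stage() {
  case "$1" in
    rule100-accept) echo "fail pass fail" ;;  # only tcp/80 accepted
    rule100-drop)   echo "fail fail fail" ;;  # rule 100 action drop
    rule110)        echo "pass pass fail" ;;  # icmp accepted as well
    rule120)        echo "pass pass pass" ;;  # udp accepted as well
    *) return 2 ;;
  esac
}

probe_icmp() { ping -c 1 -W 2 "$SINK" >/dev/null 2>&1; }
probe_http() { curl -s -o /dev/null --max-time 3 "http://$SINK/"; }
# traceroute exits 0 even when every probe is lost, so look for a hop line naming the sink.
probe_udp() {
  traceroute -n -q 1 -w 1 -m 4 "$SINK" 2>/dev/null |
    grep -v '^traceroute' | grep -qwF "$SINK"
}

# Run the three probes and print their results in "icmp http udp" order.
observe() {
  out=""
  for p in icmp http udp; do
    if "probe_$p"; then out="$out pass"; else out="$out fail"; fi
  done
  echo "${out# }"
}

verify_stage() {
  want=$(expected_for_stage "$1") || { echo "unknown stage: $1" >&2; return 2; }
  got=$(observe)
  if [ "$got" = "$want" ]; then
    echo "OK   $1: icmp/http/udp = $got"
  else
    echo "DIFF $1: expected '$want', observed '$got'"; return 1
  fi
}

# Probes run only when asked, e.g.: sh verify_fw.sh --stage rule110
if [ "${1:-}" = "--stage" ]; then verify_stage "$2"; fi
```

A DIFF line after a commit usually means the rule set on dp0p0s8 is not the one you think is active; compare it against show config on the vRR.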

 

 

 

You should be able to extend this How-To for more features and different topologies depending on how much memory/cpu you have available.
