Add network best practice document

yaocw2020 · yaocw2020 · commit 398e42b0a543 · 2023-09-11T15:40:07.000+08:00
diff --git a/docs/networking/best-practice.md b/docs/networking/best-practice.md
@@ -0,0 +1,198 @@
+---
+sidebar_position: 6
+sidebar_label: Best Practice
+title: "Harvester Network Best Practice"
+keywords:
+- Harvester
+- Networking
+---
+
+<head>
+  <link rel="canonical" href="https://docs.harvesterhci.io/v1.2/networking/best-pratice"/>
+</head>
+
+## Overview
+In this best practice guide, we will introduce how to configure Harvester and the external network to achieve the following goals:
+- Traffic isolation between the management plane and the data plane
+- General external switch and router configurations
+- Network access to VMs from different VLANs
+- Access Harvester load balancers from different VLANs
+
+We will use the following diagram as an example to illustrate the best practice.
+
+![](/img/v1.2/networking/best-practice.png)
+
+The diagram shows a Harvester cluster composed of two hosts. It contains:
+- Hardware:
+  - Two Harvester servers with daul ports network card.
+  - One "non VLAN-aware" switch and one "VLAN-aware" switch. We will use "Cisco like" configuration as example. 
+  - One router. We will use "Cisco like" configuration as example.
+
+- Cabing:
+  - The NIC eth0 of the node1 connected to the port `ethernet1/1` of the switch1, while the NIC eth0 of the node2 connected to the port `ethernet1/2` of the switch1.
+  - The NIC eth1 of the node1 connected to the port `ethernet1/1` of the switch2, while the NIC eth1 of the node2 connected to the port `ethernet1/2` of the switch2.
+  - The port `ethernet1/3` of the switch1 connected to the port `ethernet0/1` of the router.
+  - The port `ethernet1/3` of the switch2 connected to the port `ethernet0/2` of the router.
+  
+- Network Specification:
+  - Assume that the subnet of the Harvester hosts is in the VLAN untagged network.
+  - Assume all hosts are in the IPv4 subnet `10.10.0.0/24`, the gateway IP address is `10.10.0.254`.
+  - Assume that the VM network allows VLAN 100-200.
+  - Assume the IPv4 subnets of the VM network are:
+    - untagged network: `192.168.0.0/24`, the gateway IP address is `192.168.0.254`.
+    - VLAN 100: `192.168.100.0/24`, the gateway IP address is `192.168.100.254`.
+    - VLAN 200: `192.168.200.0/24`, the gateway IP address is `192.168.200.254`.
+
+- Harvester Configuration:
+  - Two cluster networks: `mgmt` and `vm`.
+  - Three VM networks under cluster network `vm`: `vlan100`, `vlan200` and `untagged`.
+  - Six VMs, from `VM1` to `VM6`.
+  - One guest cluster `demo` composed by `VM3` and `VM4`.
+  - Two VM load balancers and one guest Kubernetes cluster load balancer.
+
+## Multiple Cluster Networks for Traffic Isolation 
+The two Harvester hosts equip with two NICs. Specifically, NIC `eth0` is used for the management network (mapped to the cluster network `mgmt`), while NIC `eth1` is used for the VM network (mapped to the cluster network `vm`). 
+
+It's beneficial to use two cluster networks to achieve traffic isolation between the management plane and the data plane. If there is an issue with the VM network, you can still use the management network for emergency handling to ensure business continuity. Similarly, if there is a failure in the management network, VM traffic is not affected.
+
+If your hardware equips with more NICs, it's recommended to use not less than two NICs for one cluster network. For example, you can use NIC `eth0` and `eth1` for the management network, and use NIC `eth2` and `eth3` for the VM network.
+
+## External Switch and Router Configuration
+1. ** Switch1 Configuration **
+Since the management network is under the untagged network, switch1 can be a "non VLAN-aware" switch. Typically, a "non VLAN-aware" switch cannot be configured. 
+
+2. ** Switch2 Configuration **
+  Configure the ports `ethernet1/1`, `ethernet1/2` and `ethernet1/3` as trunk ports, and allow VLAN 100-200. 
+
+  ```
+  switch2# config terminal
+  switch2(config)# interface ethernet1/1
+  switch2(config-if)# switchport
+  switch2(config-if)# switchport mode trunk
+  switch2(config-if)# switchport trunk allowed vlan 100-200
+  switch2(config-if)# switchport trunk native vlan 1
+  switch2(config-if)# no shutdown
+  switch2(config)# interface ethernet1/2
+  switch2(config-if)# switchport
+  switch2(config-if)# switchport mode trunk
+  switch2(config-if)# switchport trunk allowed vlan 100-200
+  switch2(config-if)# switchport trunk native vlan 1
+  switch2(config-if)# no shutdown
+  switch2(config)# interface ethernet1/3
+  switch2(config-if)# switchport
+  switch2(config-if)# switchport mode trunk
+  switch2(config-if)# switchport trunk allowed vlan 100-200
+  switch2(config-if)# switchport trunk native vlan 1
+  switch2(config-if)# no shutdown
+  switch2(config-if)# end
+  switch2# copy running-config startup-config
+  ```
+
+3. ** Router Configuration **
+
+- Configure a DHCP pool for the management network
+
+  ```
+  router# config terminal
+  router(config)# ip dhcp pool mgmt
+  router(dhcp-config)# network 10.10.0.0 255.255.255.0
+  router(dhcp-config)# default-router 10.10.0.254
+  router(dhcp-config)# interface ethernet0/1
+  router(config-if)# ip address 10.10.0.254 255.255.255.0 
+  router(config-if)# no shutdown
+  router(config)# exit
+  router# copy running-config startup-config
+  ```
+
+- Configure three DHCP pools for the VM networks(untagged, vlan100 and vlan200)
+
+  ```
+  router# config terminal
+  router(config)# ip dhcp pool vm-untagged
+  router(dhcp-config)# network 192.168.0.0 255.255.255.0
+  router(dhcp-config)# default-router 192.168.0.254
+  router(dhcp-config)# ip dhcp pool vm-vlan100
+  router(dhcp-config)# network 192.168.100.0 255.255.255.0
+  router(dhcp-config)# default-router 192.168.100.254
+  router(dhcp-config)# ip dhcp pool vm-vlan200
+  router(dhcp-config)# network 192.168.200.0 255.255.255.0
+  router(dhcp-config)# default-router 192.168.200.254
+  router(config-if)# interface ethernet0/2
+  router(config-if)# ip address 192.168.0.254 255.255.255.0
+  router(config-if)# no shutdown
+  router(config-subif)# interface ethernet0/2.100
+  router(config-subif)# encapsulation dot1q 100
+  router(config-subif)# ip address 192.168.100.254 255.255.255.0
+  router(config-subif)# interface ethernet0/2.200
+  router(config-subif)# encapsulation dot1q 200
+  router(config-subif)# ip address 192.168.200.254 255.255.255.0
+  router(config-subif)# end
+  router# copy running-config startup-config
+  ```
+
+## Network access to VMs from different VLANs
+
+1. Network connection between VM networks
+
+  The router configuration above uses the [`A router on a stick`](https://www.grandmetric.com/knowledge-base/design_and_configure/router-on-a-stick-approach-cisco-configuration/) technology to allow VMs among untagged network, VLAN 100 and VLAN 200 to communicate with each other. Thus, it's not required to add any more configurations on the router.
+
+2. Network connection between VM networks and the management network
+
+  A feasible method to ensure network connectivity between VM networks and the management network is to manually add static routes. The following commands add static routes on the router to allow VMs in the untagged network, VLAN 100 and VLAN 200 to access the management network.
+
+  ```
+  router(config)# config terminal
+  router(config)# ip route 10.10.0.0 255.255.255.0 ethernet0/1
+  router(config)# ip route 192.168.0.0 255.255.255.0 ethernet0/2
+  router(config)# ip route 192.168.100.0 255.255.255.0 ethernet0/2
+  router(config)# ip route 192.168.200.0 255.255.255.0 ethernet0/2
+  router(config)# end
+  ```
+
+  The route table would be like this:
+
+  ```
+  Router#show ip route
+  Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
+         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
+         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
+         E1 - OSPF external type 1, E2 - OSPF external type 2
+         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
+         ia - IS-IS inter area, * - candidate default, U - per-user static route
+         o - ODR, P - periodic downloaded static route
+
+  Gateway of last resort is not set
+
+  C    192.168.200.0/24 is directly connected, Ethernet0/2.200
+     10.0.0.0/24 is subnetted, 1 subnets
+  C       10.10.0.0 is directly connected, Ethernet0/1
+  C    192.168.0.0/24 is directly connected, Ethernet0/2
+  C    192.168.100.0/24 is directly connected, Ethernet0/2.100
+  ```
+
+## Access Harvester load balancers from different VLANs
+The Harvester load balancer is divided into two types: VM load balancer and guest Kubernetes cluster load balancer. 
+
+1. The load balancer IP of the VM load balancer is only exposed within the same network as the Harvester hosts, or in other words, the management network. To access the VM load balancer from outside the network, you have to prove the route from outside client to the management network. For example, if the VM load balancer `lb1` has obtained its load balancer IP var DHCP and you want to access it from the VM `VM5`, you need to add the following static route on the router to
+
+  ```
+  router(config)# ip route 10.10.0.0 255.255.255.0 ethernet0/1
+  router(config)# ip route 192.168.0.0 255.255.255.0 ethernet0/2
+  ```
+
+2. The load balancer IP of the guest Kubernetes cluster load balancer is exposed within the VM network. In the diagram above, the guest cluster `demo` is within the VM network `vlan200` because the VMs consist of the guest cluster are in the `vlan200`. Thus, the guest Kubernetes cluster load balancer `lb2` is exposed within the VM network `vlan200`. There are three scenarios to explain how to access `lb2` if it has obtained the load balancer IP via DHCP:
+   - You can access it from the VM `VM3` and `VM4` directly because they are in the `vlan200`. 
+   - You can also access it from the VMs in other VM network directly because of the `A router on a stick` configuration.
+   - You can access it from the Harvester hosts, or in other words, the management network by adding the static route on the router. 
+
+     ```
+     router(config)# ip route 10.10.0.0 255.255.255.0 ethernet0/1
+     router(config)# ip route 192.168.200.0 255.255.255.0 ethernet0/2
+     ```
+
+
+:::note
+
+Except static route used above, you can also use dynamic routing protocols such as RIP, BGP, OSPF and ISIS according to your network planning and requirements.
+
+:::
diff --git a/docs/networking/deep-dive.md b/docs/networking/deep-dive.md
@@ -113,6 +113,23 @@ External network devices typically refer to switches and DHCP servers. With a cl
     | mode 5(balance-tlb) | none |
     | mode 6(balance-alb) | none |
 
+For example, if the bond mode is 802.3ad, you need to configure LACP on the switch. The following is an example of LACP configuration on Cisco switch:
+```
+interface port-channel1
+  switchport trunk encapsulation dot1q
+  switchport mode trunk
+
+interface g0/25
+  switchport trunk encapsulation dot1q
+  switchport mode trunk
+  channel-group 1 mode active
+
+interface g0/27 
+  switchport trunk encapsulation dot1q
+  switchport mode trunk
+  channel-group 1 mode active
+```
+
 - If you want VMs in a VLAN to be able to obtain IP addresses through the DHCP protocol, configure an IP pool for that VLAN in the DHCP server.
 
 
diff --git a/static/img/v1.2/networking/best-practice.png b/static/img/v1.2/networking/best-practice.png
