<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress.com" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>vlan « WordPress.com Tag Feed</title>
	<link>http://en.wordpress.com/tag/vlan/</link>
	<description>Feed of posts on WordPress.com tagged "vlan"</description>
	<pubDate>Thu, 24 Dec 2009 06:27:28 +0000</pubDate>

	<generator>http://en.wordpress.com/tags/</generator>
	<language>en</language>

<item>
<title><![CDATA[CCNP / BCMSN Exam Tutorial: VLAN Trunking Protocol (VTP)]]></title>
<link>http://itcertified.wordpress.com/2009/12/19/ccnp-bcmsn-exam-tutorial-vlan-trunking-protocol-vtp/</link>
<pubDate>Sat, 19 Dec 2009 06:47:58 +0000</pubDate>
<dc:creator>cybersam79</dc:creator>
<guid>http://itcertified.wordpress.com/2009/12/19/ccnp-bcmsn-exam-tutorial-vlan-trunking-protocol-vtp/</guid>
<description><![CDATA[Passing the BCMSN exam and getting one step closer to the CCNP certification means learning and noti]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Passing the BCMSN exam and getting one step closer to the CCNP certification means learning and noticing details that you were not presented with in your CCNA studies. (Yes, I know – you had more than enough details then, right?)   One protocol you’ve got to learn more details about is VTP, which seemed simple enough in your CCNA studies!  Part of learning the details is mastering the fundamentals, so in this tutorial we’ll review the basics of VTP.</p>
<p>In show vtp status readouts, the &#8220;VTP Operating Mode&#8221; is set to &#8220;Server&#8221; by default.  The more familiar term for VTP Operating Mode is simply VTP Mode, and Server is the default.  It&#8217;s through the usage of VTP modes that we can place limits on which switches can delete and create VLANs.</p>
<p>In Server mode, a VTP switch can be used to create, modify, and delete VLANs.  This means that a VTP deployment has to have at least one switch in Server mode, or VLAN creation will not be possible.  Again, this is the default setting for Cisco switches.</p>
<p>Switches running in Client mode cannot be used to create, modify, or delete VLANs. Clients do listen for VTP advertisements and act accordingly when VTP advertisements notify the Client of VLAN changes.</p>
<p>VTP Transparent mode actually means that the switch isn&#8217;t participating in the VTP domain as Servers and Clients do.  (Bear with me here.)  Transparent VTP switches don&#8217;t synchronize their VTP databases with other VTP speakers. They don&#8217;t even advertise their own VLAN information!  Therefore, any VLANs created on a Transparent VTP switch will not be advertised to other VTP speakers in the domain, making them locally significant only. (I know you remember that phrase from your CCNA studies!)</p>
<p>Devices running VTP Transparent mode do have a little something to do with the other switches in the VTP domain, though.  When a switch running in Transparent mode receives a VTP advertisement, that switch will forward that advertisement to other switches in that VTP domain.</p>
<p>Configuring switches as VTP Clients is a great way to “tie down” VLAN creation capabilities to switches that are under your physical control.  However, this occasionally leads to a situation where only the VTP clients will have ports that belong to a given VLAN, but the VLAN still has to be created on the VTP server.  (VLANs can be created and deleted in transparent mode, but those changes aren&#8217;t advertised to other switches in the VTP domain.)</p>
<p>In the next BCMSN tutorial, we’ll take a look at the details of VTP.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[CCNA / CCNP Home Lab Tutorial:  The VLAN.DAT File]]></title>
<link>http://itcertified.wordpress.com/2009/12/19/ccna-ccnp-home-lab-tutorial-the-vlan-dat-file/</link>
<pubDate>Sat, 19 Dec 2009 06:45:36 +0000</pubDate>
<dc:creator>cybersam79</dc:creator>
<guid>http://itcertified.wordpress.com/2009/12/19/ccna-ccnp-home-lab-tutorial-the-vlan-dat-file/</guid>
<description><![CDATA[CCNA and CCNP candidates who have their own Cisco home labs often email me about an odd situation th]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>CCNA and CCNP candidates who have their own Cisco home labs often email me about an odd situation that occurs when they erase a switch&#8217;s configuration.  Their startup configuration is gone, as they expect, but the VLAN and VTP information is still there!</p>
<p>Sounds strange, doesn&#8217;t it?   Let&#8217;s look at an example.  On SW1, we run show vlan brief and see in this abbreviated output that there are three additional VLANs in use:</p>
<p>SW1#show vlan br</p>
<p>10   VLAN0010                         active</p>
<p>20   VLAN0020                         active</p>
<p>30   VLAN0030                         active</p>
<p>We want to totally erase the switch&#8217;s startup configuration, so we use the write erase command, confirm it, and reload without saving the running config:</p>
<p>SW1#write erase</p>
<p>Erasing the nvram filesystem will remove all configuration files! Continue?</p>
<p>[confirm]</p>
<p>[OK]</p>
<p>Erase of nvram: complete</p>
<p>00:06:00: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvram</p>
<p>SW1#reload</p>
<p>System configuration has been modified. Save? [yes/no]: n</p>
<p>Proceed with reload? [confirm]</p>
<p>The switch reloads, and after exiting setup mode, we run show vlan brief again.  Even though the startup configuration was erased, the VLANs are still there!</p>
<p>Switch#show vlan br</p>
<p>10   VLAN0010                         active</p>
<p>20   VLAN0020                         active</p>
<p>30   VLAN0030                         active</p>
<p>The reason is that this VLAN and VTP information is actually kept in the VLAN.DAT file in Flash memory, and the contents of Flash survive a reload.  The file has to be deleted manually.</p>
<p>There&#8217;s a little trick to deleting this file.  The switch will prompt you twice to ask if you really want to get rid of it. Don&#8217;t type &#8220;y&#8221; or &#8220;yes&#8221;; just accept the defaults by hitting the return key.  If you type &#8220;y&#8221; at the first prompt, the switch takes that as the filename and attempts to delete a file named &#8220;y&#8221;, as shown here:</p>
<p>Switch#delete vlan.dat</p>
<p>Delete filename [vlan.dat]? y</p>
<p>Delete flash:y? [confirm]</p>
<p>%Error deleting flash:y (No such file or directory)</p>
<p>Switch#delete vlan.dat</p>
<p>Delete filename [vlan.dat]?</p>
<p>Delete flash:vlan.dat? [confirm]</p>
<p>Switch#</p>
<p>The best way to prepare for CCNA and CCNP exam success is by working on real Cisco equipment, and by performing lab tasks over and over.  Repetition is the mother of skill, and by truly erasing your VLAN and VTP information by deleting the vlan.dat file from Flash, you&#8217;ll be building your Cisco skills to the point where your CCNA and CCNP exam success is a certainty.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[VLAN Configuration on a Cisco Catalyst Switch and Router]]></title>
<link>http://19vicdc.wordpress.com/2009/12/06/konfigurasi-vlan-di-catalyst-switch-dan-router-cisco/</link>
<pubDate>Sun, 06 Dec 2009 01:26:43 +0000</pubDate>
<dc:creator>victor</dc:creator>
<guid>http://19vicdc.wordpress.com/2009/12/06/konfigurasi-vlan-di-catalyst-switch-dan-router-cisco/</guid>
<description><![CDATA[Steps on the Catalyst Switch 1924: Switch#config t Switch(config)#vlan 10 Switch(config)#vlan ]]></description>
<content:encoded><![CDATA[Steps on the Catalyst Switch 1924: Switch#config t Switch(config)#vlan 10 Switch(config)#vlan ]]></content:encoded>
</item>
<item>
<title><![CDATA[Vacancies / Jobs @ guarding services & security services]]></title>
<link>http://startpuntbewaking.wordpress.com/2009/12/02/909/</link>
<pubDate>Wed, 02 Dec 2009 07:39:06 +0000</pubDate>
<dc:creator>startpuntbewaking</dc:creator>
<guid>http://startpuntbewaking.wordpress.com/2009/12/02/909/</guid>
<description><![CDATA[Open vacancies at various security firms Jobs @ G4S Jobs @ Cobelguard Security Jobs @ Se]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><a title="Vdab database" href="http://vdab.be/mijnvdab/jobs/wz/jobs.jsp?action=BLADEROVERVIEW&#38;beroepid=3910" target="_blank">Open vacancies at various security firms</a><a href="http://startpuntbewaking.wordpress.com/files/2009/02/foto.jpg"><img class="size-full wp-image-78 alignright" title="foto" src="http://startpuntbewaking.wordpress.com/files/2009/02/foto.jpg" alt="foto" width="166" height="195" /></a></p>
<ul>
<li>Jobs @ G4S</li>
<li>Jobs @ Cobelguard Security</li>
<li>Jobs @ Securitas</li>
<li>Jobs @ Seris</li>
<li>Jobs @ Trigion Security</li>
<li>Jobs @ Flexpoint Antwerpen (Interim)</li>
<li>Jobs @ In-house security services</li>
<li>Jobs @ Vlan.be</li>
<li>Jobs @ Jobat</li>
<li>Jobs @ Stepstone</li>
<li>Your company here? <a title="Startpunt Bewaking" href="mailto:start.bewaking@telenet.be">Contact us</a></li>
</ul>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[VLANs. Introduction]]></title>
<link>http://snnangola.wordpress.com/2009/10/16/vlans-introducao/</link>
<pubDate>Fri, 16 Oct 2009 21:25:16 +0000</pubDate>
<dc:creator>snnangola</dc:creator>
<guid>http://snnangola.wordpress.com/2009/10/16/vlans-introducao/</guid>
<description><![CDATA[In the early days of segmented networks, the logical separation of users on the network also depended heavily]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>In the early days of segmented networks, the logical separation of users on the network also depended heavily on its physical separation. A network with several physical divisions had quite a few problems connecting its departments. Imagine you had 3 departments: 1, 2 and 3. Department 1 was on floor 1, 2 on floor 2 and 3 on floor 3. Fine. But now a user from floor 1 has to spend an afternoon on floor 3 and needs all the network resources he had on floor 1. The one from floor 2 needs to go to 3 or to floor 1, and vice versa. Solution: run cables from floor to floor. As you can see, this is not a good solution, especially in complex networks.</p>
<p>Well, someone thought about this and created VLANs. With VLANs, segmentation is not done physically but logically; in this context, several LANs can be created regardless of their location, and the situation above can be easily resolved. The user can move from one floor to another and connect his end devices without having to worry about physical or geographical limitations:</p>
<p style="text-align:center;"><img class="aligncenter" src="http://www.cisco-tips.com/images/cisco-switch-vlans.jpg" alt="" width="450" height="500" /></p>
<p>In the figure above, note that VLAN 4 is present on both Switch 1 and Switch 2. This means a user can move from one geographical location to another without worrying about losing his network resources. Communication between different VLANs is carried out through trunking protocols such as ISL or 802.1Q.</p>
<p><strong>Hands on</strong></p>
<p>Grab the <a href="http://dc143.4shared.com/download/108173801/e2ac3b41/Pacotao_Laboratorios_CCNA_-_PT32Saves.zip?tsid=20090528-165045-2702a90b">lab bundle</a>:</p>
<p>Go to CCNA3 -&#62; Trunking with 802.1q -&#62; CCNA3_lab_9_1_5b_en.doc.</p>
<p>Now practice. Everything is very well explained there, but I'll give a quick rundown. There are only a few basic steps to create VLANs:</p>
<p>You need to decide, within your company, who belongs where: start assigning VLAN numbers to areas or departments. For example, as in the bundle:</p>
<blockquote><p>VLAN 1 &#8211; Native (don't touch this one; it comes enabled by default on every switch)</p>
<p>VLAN 10 &#8211; Accounting</p>
<p>VLAN 20 &#8211; Marketing</p>
<p>VLAN 30 &#8211; Engineering</p></blockquote>
<p>What remains is to reserve the access and trunk ports (interfaces). Access ports are used by end devices (computers, etc.). Trunk ports represent the switch-to-switch wiring at the distribution layer. According to the bundle's example:</p>
<blockquote><p>VLAN 10 &#8211; Accounting &#8211; fa0/4 &#8211; fa0/6</p>
<p>VLAN 20 &#8211; Marketing &#8211; fa0/7 &#8211; fa0/9</p>
<p>VLAN 30 &#8211; Engineering &#8211; fa0/10 &#8211; fa0/12</p></blockquote>
<p>Next, the VLANs need to be created on the switches. Do this on all 3 switches:</p>
<blockquote><p>Switch#vlan database<br />
Switch(vlan)#vlan 10 name Accounting<br />
Switch(vlan)#vlan 20 name Marketing<br />
Switch(vlan)#vlan 30 name Engineering<br />
Switch(vlan)#exit</p></blockquote>
<p>Assign the access ports on the switches. For VLAN 10, repeat the process on the 2 switches:</p>
<blockquote><p>Switch#configure terminal<br />
Switch(config)#interface fastethernet 0/4<br />
Switch(config-if)#switchport mode access<br />
Switch(config-if)#switchport access vlan 10<br />
Switch(config-if)#interface fastethernet 0/5<br />
Switch(config-if)#switchport mode access<br />
Switch(config-if)#switchport access vlan 10<br />
Switch(config-if)#interface fastethernet 0/6<br />
Switch(config-if)#switchport mode access<br />
Switch(config-if)#switchport access vlan 10<br />
Switch(config-if)#end</p></blockquote>
<p>For VLAN 20, repeat the process on the 2 switches:</p>
<blockquote><p>Switch#configure terminal<br />
Switch(config)#interface fastethernet 0/7<br />
Switch(config-if)#switchport mode access<br />
Switch(config-if)#switchport access vlan 20<br />
Switch(config-if)#interface fastethernet 0/8<br />
Switch(config-if)#switchport mode access<br />
Switch(config-if)#switchport access vlan 20<br />
Switch(config-if)#interface fastethernet 0/9<br />
Switch(config-if)#switchport mode access<br />
Switch(config-if)#switchport access vlan 20<br />
Switch(config-if)#end</p></blockquote>
<p>NOTE: repeat the same example for VLAN 30 as specified in the bundle.</p>
<p>Trunking for communication between switches:</p>
<p>As in the bundle's example, on the 2 switches, assuming both of their interfaces are fastethernet 0/1:</p>
<blockquote><p>Switch(config)#interface fastethernet 0/1<br />
Switch(config-if)#switchport mode trunk<br />
Switch(config-if)#end</p></blockquote>
<p>Done. We'll be back with more material on this subject.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[VLAN over wireless]]></title>
<link>http://redlibrepy.wordpress.com/2009/10/13/vlan-sobre-wireless/</link>
<pubDate>Tue, 13 Oct 2009 16:02:32 +0000</pubDate>
<dc:creator>redlibrepy</dc:creator>
<guid>http://redlibrepy.wordpress.com/2009/10/13/vlan-sobre-wireless/</guid>
<description><![CDATA[VoW (vlan over wireless) Finally, after it occurred to me to try, from the console on the NS2, doing the]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><h1><span style="color:#888888;">VoW (vlan over wireless)</span></h1>
<p>Finally, after it occurred to me to try doing the VLAN tagging from the console on the NS2 (this model no longer offers the option in the GUI), transparent security at layer 2 is achieved. Next I'm going to explain the karaku (the marrow) of the subject. I'm assuming you know what a VLAN is, but first I'll explain briefly.</p>
<h2>What is a VLAN?</h2>
<p>A <strong>VLAN</strong> (acronym for <em><strong>Virtual LAN</strong></em>, 'virtual local area network', <a title="IEEE 802.1Q" href="http://es.wikipedia.org/wiki/IEEE_802.1Q">IEEE 802.1Q</a>) is a method of creating logically independent <a title="Red de computadoras" href="http://es.wikipedia.org/wiki/Red_de_computadoras">networks</a> within the same physical network. Several VLANs can coexist on a single physical <a title="Switch" href="http://es.wikipedia.org/wiki/Switch">switch</a> or on a single physical network. They are useful for reducing the size of the <a title="Dominio de difusión" href="http://es.wikipedia.org/wiki/Dominio_de_difusi%C3%B3n">broadcast domain</a> and help in network administration by separating logical segments of a local area network (such as departments of a company) that should not exchange data over the local network (although they could do so through a router or a layer-3 switch).</p>
<p><a href="http://es.wikipedia.org/wiki/VLANhttp://">Source: Wikipedia</a></p>
<p>The problem I had was where to do the tagging, on the AP or on the client; the ideas I came up with were the following:</p>
<ul>
<li>If on the AP, create as many VAPs (virtual APs) as there are VLANs; then each VAP would do the tagging per client.</li>
<li>If on the CPE, a transparent layer-2 link would have to be created that passes the whole 802.3u frame over 802.11g, and the tagging would be done on the CPE.</li>
</ul>
<p>I chose to try the 2nd option.</p>
<p>A while ago I wrote a tutorial on how to add security to our network in at least 3 layers, which were:</p>
<ol>
<li>MAC filter</li>
<li>IP subnetting / firewall</li>
<li>Hotspot (username/password)</li>
</ol>
<p>Now I have managed to add one more security layer, the one working at layer 2 of the OSI model.</p>
<p style="text-align:center;"><img class="aligncenter" title="modelo OSI" src="http://upload.wikimedia.org/wikipedia/commons/thumb/6/65/Pila-osi-es-2.svg/424px-Pila-osi-es-2.svg.png" alt="" width="310" height="438" /></p>
<p style="text-align:left;">In networking, the first 4 layers are studied: Physical, Data Link, Network, Transport. What I'm going to talk about now is layer 2 (Data Link).</p>
<p style="text-align:left;">The idea was/is to use 1 VLAN per client to physically separate each client from third parties. Previously they were/are separated at layer 3 (Network), that is, logically: the router's firewall checked whether the IP/MAC pair belonging to the client was correct and, if so, allowed routing to the Internet and internally. The weakness was that ARP spoofing or ARP broadcasts could be used to saturate the network, so with VLANs that could be avoided. Metaphorically speaking, it would be as if each client had a (physical) point-to-point link.</p>
<h2 style="text-align:left;">Steps to perform</h2>
<h3>On the Mikrotik</h3>
<p style="text-align:center;"><img class="size-full wp-image-210 aligncenter" title="WDS" src="http://redlibrepy.wordpress.com/files/2009/10/wds.jpg" alt="WDS" width="499" height="338" /></p>
<p style="text-align:center;">Create the static or dynamic WDS</p>
<p style="text-align:center;"><img class="size-full wp-image-211 aligncenter" title="wds mac" src="http://redlibrepy.wordpress.com/files/2009/10/wds-mac.jpg" alt="wds mac" width="394" height="411" /></p>
<p style="text-align:center;">Assign the CPE's MAC for the link</p>
<p style="text-align:center;"><img class="size-full wp-image-212 aligncenter" title="interface" src="http://redlibrepy.wordpress.com/files/2009/10/interface.jpg" alt="interface" width="520" height="264" /></p>
<p style="text-align:left;">In this screenshot you can see that on ¨bridge1¨ I added VM (the VLAN management, i.e. administration, VLAN) and vlan15, which in this case corresponds to the client.</p>
<p style="text-align:left;">With this, layer 2 is set up; afterwards we assign an IP address to the vlan15 interface.</p>
<p style="text-align:left;">I won't show that part here.</p>
<h3 style="text-align:left;">On the CPE (Ubiquiti NS2)</h3>
<p style="text-align:center;"><img class="size-full wp-image-215 aligncenter" title="NS2WDSstation" src="http://redlibrepy.wordpress.com/files/2009/10/ns2.jpg" alt="NS2WDSstation" width="500" height="423" /></p>
<p style="text-align:left;">On the NS2, our CPE in this case, we'll use Station WDS so that the link is transparent at layer 2.</p>
<h4 style="text-align:left;">VLAN script on the NSX</h4>
<p><span style="color:#000000;">#####NS2 SM########<br />
#---VLAN data--- 1) management VLAN 2) client VLAN<br />
MVLAN_ID=1<br />
VLAN_ID=15<br />
#----------------<br />
#<br />
#delete the default gateway<br />
route del default gw 0.0.0.0<br />
#<br />
#clear the factory bridge's address, take it down and delete it<br />
ifconfig br0 0.0.0.0<br />
ifconfig br0 down<br />
brctl delif br0 ath0<br />
brctl delif br0 eth0<br />
brctl delbr br0<br />
#<br />
#--------------------------------------------<br />
#create and configure the management VLAN with its IP<br />
#--------------------------------------------<br />
#add the management VLAN on top of the wireless interface and assign an IP<br />
vconfig add ath0 ${MVLAN_ID}<br />
ifconfig ath0.${MVLAN_ID} 192.168.1.2 netmask 255.255.255.0 up<br />
route add default gw 192.168.1.1 ath0.${MVLAN_ID}<br />
#<br />
#--------------------------------------------<br />
#tag the ethernet traffic so it crosses the wireless link in the client VLAN<br />
#--------------------------------------------<br />
#create the client bridge<br />
brctl addbr br${VLAN_ID}<br />
#<br />
#add the client VLAN on top of the wireless interface<br />
vconfig add ath0 ${VLAN_ID}<br />
#<br />
#add the tagged interface and the ethernet port to the bridge<br />
brctl addif br${VLAN_ID} ath0.${VLAN_ID}<br />
brctl addif br${VLAN_ID} eth0<br />
#<br />
#bring up both interfaces without an address<br />
ifconfig ath0.${VLAN_ID} 0.0.0.0 up<br />
ifconfig eth0 0.0.0.0 up<br />
#<br />
#bring up the bridge with the factory-default address<br />
ifconfig br${VLAN_ID} 192.168.1.20 netmask 255.255.255.0 up<br />
#MAC-NAT (this does a MAC-NAT on the client VLAN interface)<br />
ebtables -t nat -A PREROUTING --in-interface ath0.${VLAN_ID} -j arpnat --arpnat-target ACCEPT<br />
ebtables -t nat -A POSTROUTING --out-interface ath0.${VLAN_ID} -j arpnat --arpnat-target ACCEPT</span></p>
<p>I'll explain roughly how the script works:</p>
<p>Ath0 = Wireless interface (802.11b/g)</p>
<p>Eth0 = Fast Ethernet interface (802.3u)</p>
<p>Br0 = Initial bridge</p>
<ul>
<li>The first part holds the data for the VLANs to be used</li>
</ul>
<p>MVLAN_ID = Management VLAN</p>
<p>VLAN_ID = Client VLAN</p>
<ul>
<li>Takes down the bridge ¨br0¨ and removes the interfaces associated with it.</li>
<li>Creates the management VLAN on ath0 and adds the Mikrotik's IP for that range as the default gateway.</li>
<li>Creates the client bridge</li>
<li>Adds the client VLAN on ¨Ath0¨</li>
<li>and inside Br¨client¨ adds the interfaces ¨ath0.client¨ and ¨eth0¨</li>
<li>Brings up both interfaces, eth0 and ath0.client, without an IP.</li>
<li>In the penultimate part I assigned the NS2's default IP <span style="color:#ff0000;">(CAREFUL) this is <strong>NOT</strong> going to cause an IP conflict on the network,<br />
<span style="color:#ff0000;"> because each VLAN is physically separated</span><br />
</span></li>
</ul>
<h3><span style="color:#ff0000;"><strong>E.g. it would be like connecting 2 PCs directly by cable between their interfaces<span style="color:#000000;"> </span></strong></span></h3>
<p><span style="color:#ff0000;"><span style="color:#000000;"><span style="color:#000000;">This makes it possible to assign a fixed IP on each CPE; if something needs to be configured, the antenna's IP is no longer a problem.</span></span></span></p>
<ul>
<li><span style="color:#ff0000;"><span style="color:#000000;"><span style="color:#000000;">The last 2 lines do the MAC-NAT; for those familiar with NAT (Network Address Translation), this is NAT at layer 2.<br />
</span></span></span></li>
</ul>
<p><span style="color:#ff0000;"><span style="color:#000000;"><span style="color:#000000;">What benefits do I get? Since the link is transparent, the MACs are forwarded across it; on the one hand this will make firewall administration harder for our particular topology, but in my personal opinion it is easier to control this way: I see the antenna's MAC, and if I see more than one IP with the same MAC I already know which client it belongs to.</span></span></span></p>
<h2><span style="color:#ff0000;"><span style="color:#000000;"><span style="color:#000000;">In the end, what benefits do I get from doing all this? You'll ask why complicate things so much.</span></span></span></h2>
<p><span style="color:#ff0000;"><span style="color:#000000;"><span style="color:#000000;">I'll tell you that you're partly right, but it's rather one more tool in the box that can be used.</span></span></span></p>
<p><span style="color:#ff0000;"><span style="color:#000000;"><span style="color:#000000;">Some benefits, so to speak:</span></span></span></p>
<ul>
<li><span style="color:#ff0000;"><span style="color:#000000;"><span style="color:#000000;">Multiple DHCP servers: as you know, DHCP servers are bound per interface; with this, each VLAN is an interface and you can create as many DHCP servers as you have VLANs.</span></span></span></li>
<li><span style="color:#ff0000;"><span style="color:#000000;"><span style="color:#000000;">Hotspot per VLAN.</span></span></span></li>
<li><span style="color:#ff0000;"><span style="color:#000000;"><span style="color:#000000;">Better control from layer 2.<br />
</span></span></span></li>
<li><span style="color:#ff0000;"><span style="color:#000000;"><span style="color:#000000;">You forget about layer-2 vulnerabilities.<br />
</span></span></span></li>
</ul>
<p>Disadvantages</p>
<ul>
<li>More complexity</li>
<li>Higher CPU usage on the AP router, AP, etc.</li>
</ul>
<p>After creating the script we have to load it onto the NS2. There are several ways to keep this script stored in flash so that it always starts with this configuration; one of them is to save it as a file in a directory and call it every time the device boots.</p>
<p>I hope you liked it; if you have any questions, email me and I'll gladly answer.</p>
<p>Regards</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[VLAN 1]]></title>
<link>http://deddykurniawan.wordpress.com/2009/10/11/vlan-1/</link>
<pubDate>Sun, 11 Oct 2009 16:56:12 +0000</pubDate>
<dc:creator>deddykurniawan</dc:creator>
<guid>http://deddykurniawan.wordpress.com/2009/10/11/vlan-1/</guid>
<description><![CDATA[Writer notes : I always confused with the native vlan relation with management protocols (VTP , CDP ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><strong>Writer notes :</strong></p>
<p>I was always confused about how the native VLAN relates to the management protocols (VTP, CDP, PAgP, DTP).</p>
<p>Do they use the native VLAN to reach the neighbour switch(es)?</p>
<p>What happens if I change the native VLAN?</p>
<p>Once, I did a packet capture, but it seemed the management protocol frames were tagged (even though I had changed the native VLAN). Are they sent via the native VLAN?</p>
<p>It really confused me a lot. But the following resource completely removed my confusion. Now I know that all those management protocols always use VLAN 1, regardless of the native VLAN configured for the trunk link between switches.</p>
<p>Here is what I got from the Cisco website.</p>
<p><strong>Article :</strong></p>
<p>VLAN 1 has a special significance in Catalyst networks.</p>
<p>The Catalyst Supervisor Engine always uses the default VLAN, VLAN 1, to tag a number of control and management protocols when trunking, such as CDP, VTP and PAgP. All ports, including the internal sc0 interface, are configured by default to be members of VLAN 1. All trunks carry VLAN 1 by default, and in CatOS software versions earlier than 5.4, it was not possible to block user data in VLAN 1.</p>
<p>These definitions are needed in order to help clarify some well-used terms in Catalyst networking:</p>
<ul>
<li>The management VLAN is where sc0 resides; this VLAN can be changed.</li>
<li>The native VLAN is defined as the VLAN to which a port returns when not trunking, and is the untagged VLAN on an 802.1Q trunk. By default, VLAN 1 is the native VLAN.</li>
<li>In order to change the native VLAN, issue the <strong><a href="http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/command/reference/set_v.html#wp1058935">set vlan</a></strong> <em>vlan-id mod/port</em> command. <strong>Note:</strong> Create the VLAN before you set it as the native VLAN of the trunk.</li>
</ul>
<p>These are several good reasons to tune a network and alter the behavior of ports in VLAN 1:</p>
<ul>
<li>When the diameter of VLAN 1, like any other VLAN, gets large enough to be a risk to stability (particularly from an STP perspective), it needs to be pruned back. This is discussed in more detail in the <a href="http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml#ibm">In-Band Management</a> section of this document.</li>
<li>Control plane data on VLAN 1 must be kept separate from the user data in order to simplify troubleshooting and maximize available CPU cycles.</li>
<li>L2 loops in VLAN 1 must be avoided when multilayer-campus networks are designed without STP, and trunking is still required to the access layer if there are multiple VLANs and IP subnets. To do this, manually clear VLAN 1 from trunk ports.</li>
</ul>
<p>In summary, note this information about trunks:</p>
<ul>
<li><strong>CDP, VTP, and PAgP</strong> updates are always forwarded on trunks with a VLAN 1 tag. This is the case even if VLAN 1 is cleared from the trunks and is not the native VLAN. If VLAN 1 is cleared for user data, there is no impact on control plane traffic that is still sent using VLAN 1.</li>
<li>On an ISL trunk, DTP packets are sent on VLAN 1. This is the case even if VLAN 1 is cleared from the trunk and is no longer the native VLAN. On an 802.1Q trunk, DTP packets are sent on the native VLAN. This is the case even if the native VLAN is cleared from the trunk.</li>
<li>In PVST+, the <strong>802.1Q IEEE BPDUs</strong> are forwarded untagged on the common Spanning Tree VLAN 1 for interoperability with other vendors, unless VLAN 1 is cleared from the trunk. This is the case regardless of the native VLAN configuration. <strong>Cisco PVST+ BPDUs</strong> are sent and tagged for all other VLANs. Refer to the <a href="http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml#stp">Spanning Tree Protocol</a> section in this document for more details.</li>
<li>802.1s Multiple Spanning Tree (MST) BPDUs are always sent on VLAN 1 on both ISL and 802.1Q trunks. This applies even when VLAN 1 is cleared from the trunks.</li>
<li>Do not clear or disable VLAN 1 on trunks between MST bridges and PVST+ bridges. But, in the case that VLAN 1 is disabled, the MST bridge must become root in order for all VLANs to avoid the MST bridge putting its boundary ports in the root-inconsistent state. Refer to <a href="http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfc.shtml">Understanding Multiple Spanning Tree Protocol (802.1s)</a> for details.</li>
</ul>
</ul>
<p>SOURCE : http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml</p>
<p><strong>Lesson Learned</strong></p>
<p>So my understanding now is:</p>
<ul>
<li>the native VLAN exists for backward compatibility with early 802.1Q and with switches that do not support 802.1Q</li>
<li>the management protocols always use VLAN 1, even when it is removed from the trunk link</li>
</ul>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[policier - mis]]></title>
<link>http://haicourtoujours.wordpress.com/2009/09/19/policier-mis/</link>
<pubDate>Sat, 19 Sep 2009 04:17:10 +0000</pubDate>
<dc:creator>danielpy</dc:creator>
<guid>http://haicourtoujours.wordpress.com/2009/09/19/policier-mis/</guid>
<description><![CDATA[° flic : vlan comme un&#8217; claque ° d.(19/9/9)]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>°</p>
<p>cop:<br />
vlan<br />
like a<br />
slap</p>
<p>°</p>
<p>d.(19/9/9)</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Fastmetrics extends technical support coverage with new office]]></title>
<link>http://fastmetrics.wordpress.com/2009/09/15/fastmetrics-extends-technical-support-coverage-with-new-office/</link>
<pubDate>Tue, 15 Sep 2009 17:03:41 +0000</pubDate>
<dc:creator>fastmetrics</dc:creator>
<guid>http://fastmetrics.wordpress.com/2009/09/15/fastmetrics-extends-technical-support-coverage-with-new-office/</guid>
<description><![CDATA[Fastmetrics now has an out-of-state branch office. We contract some of our technical support (via Vo]]></description>
<content:encoded><![CDATA[Fastmetrics now has an out-of-state branch office. We contract some of our technical support (via Vo]]></content:encoded>
</item>
<item>
<title><![CDATA[What is a VLAN?]]></title>
<link>http://gitmobile.wordpress.com/2009/09/04/what-is-a-vlan/</link>
<pubDate>Fri, 04 Sep 2009 14:22:32 +0000</pubDate>
<dc:creator>gitmobile</dc:creator>
<guid>http://gitmobile.wordpress.com/2009/09/04/what-is-a-vlan/</guid>
<description><![CDATA[A Virtual Local Area Network (VLAN) is a group of hosts that feature a like set of requirements and ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>A Virtual Local Area Network (VLAN) is a group of hosts with a common set of requirements that communicate as though they were attached to the same wire. Unlike a traditional LAN, a VLAN is not tied to one physical location: its hosts can sit anywhere the switched network reaches. A VLAN has the same attributes as a physical LAN, but it is configured in software instead of by physically relocating hosts or recabling.</p>
<p>VLANs take over much of the segmentation that routers traditionally provided between physical LANs: they contain broadcast traffic, separate groups of hosts from one another, and make the network easier to manage and scale.</p>
<p>VLANs are Layer 2 (Data Link layer) constructs: a VLAN is a broadcast domain, the set of nodes between which frames are switched. In the usual design each VLAN maps one-to-one to a Layer 3 IP subnet, and traffic between VLANs has to pass through a router.</p>
<p>How are VLANs designed?</p>
<p>The IEEE standardized VLAN tagging as IEEE 802.1Q, the <a href="http://www.git.am/default.asp?p=dictionary&#38;c=explanatory" target="_blank">protocol</a> used to carry VLAN membership on Ethernet frames. 802.1Q inserts a 4-byte tag into the Ethernet header: a 2-byte Tag Protocol Identifier (TPID) followed by 2 bytes of Tag Control Information (TCI). The TPID is fixed at 0x8100; the TCI holds a 3-bit user priority, a 1-bit canonical format indicator, and a 12-bit VLAN identifier.</p>
<p>What are the two types of VLAN memberships?</p>
<p>VLAN membership can be assigned in one of two ways: static or dynamic.</p>
<p>A static VLAN is also known as a port-based VLAN. Specific switch ports are assigned to a VLAN, and any device plugged into one of those ports becomes a member of that VLAN. If an end user moves to a different port but needs the same VLAN, the network administrator has to change the VLAN assignment of the new port.</p>
<p>A dynamic VLAN assigns membership in software based on the connecting device rather than on the port. On Cisco switches this requires a VLAN Management Policy <a href="http://www.git.am/?p=web-services" target="_blank">Server</a> (VMPS), most commonly administered with CiscoWorks. When a device connects, the switch queries the VMPS with the device's source MAC address and the server returns the VLAN the port should be placed in, so the VLAN follows the device to whichever port it plugs into. (Assignment by user identity rather than by MAC address is done with 802.1X instead.)</p>
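<p>To make the tag format concrete, here is an added example (not part of the original post) that parses the TPID/TCI header described above and, using constructed frames, demonstrates the point the &#8220;VLAN 1&#8221; post earlier in this feed is about: a control frame tagged VLAN 1 stays in VLAN 1 however the trunk's native VLAN is set, while an untagged frame lands in whatever the native VLAN happens to be. The MAC addresses, payloads and the <em>native_vlan</em> parameter are assumptions for the demo, not values from the post.</p>

```python
"""Decode 802.1Q tags on Ethernet frames (added example, not the post's code).

TPID/TCI layout as described in the text: a 2-byte TPID (0x8100) and a
2-byte TCI holding PCP (3 bits), CFI/DEI (1 bit) and VID (12 bits).
All frames here are constructed byte strings, not captures.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806


def parse_frame(frame, native_vlan=1):
    """Describe the outer VLAN tag of a raw Ethernet frame.

    native_vlan is the VLAN an untagged frame is assigned to on the receiving
    802.1Q trunk port (default 1). It is a property of the port, not of the
    frame, which is why it is a parameter here.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {
        "dst": ":".join("%02x" % b for b in dst),
        "src": ":".join("%02x" % b for b in src),
    }
    if ethertype != TPID_8021Q:
        # No tag: a trunk port puts this frame in its native VLAN.
        info.update(tagged=False, vlan=native_vlan, pcp=0, dei=0,
                    ethertype=ethertype, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("802.1Q TPID present but the TCI is truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF           # 12-bit VLAN identifier
    if vid == 0:
        # VID 0 means "priority-tagged": the frame carries a PCP but no VLAN,
        # so it still belongs to the native VLAN.
        vlan = native_vlan
    elif vid == 0x0FFF:
        raise ValueError("VID 4095 is reserved by 802.1Q")
    else:
        vlan = vid
    info.update(tagged=True, vlan=vlan, pcp=tci >> 13, dei=(tci >> 12) & 1,
                ethertype=inner_type, payload=frame[18:])
    return info


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan is given."""
    header = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


def classify_trunk_frames(frames, native_vlan=1):
    """Count frames per VLAN the way a trunk port would see them."""
    by_vlan = {}
    for frame in frames:
        vlan = parse_frame(frame, native_vlan)["vlan"]
        by_vlan[vlan] = by_vlan.get(vlan, 0) + 1
    return by_vlan


# Constructed sample frames; MACs and payloads are invented for the demo.
CISCO_CONTROL_MCAST = bytes.fromhex("01000ccccccc")   # CDP/VTP/PAgP destination
SWITCH_A = bytes.fromhex("001122334455")
HOST_B = bytes.fromhex("00aabbccddee")
BROADCAST = b"\xff" * 6

# Control frame tagged VLAN 1 with top priority, as the Cisco article says
# CDP/VTP/PAgP are sent. 0x0040 is an 802.3 length field (LLC/SNAP follows),
# which is how those protocols are encapsulated; the payload is a placeholder.
CONTROL_FRAME_VLAN1 = build_frame(CISCO_CONTROL_MCAST, SWITCH_A, 0x0040,
                                  b"\xaa\xaa\x03" + b"\x00" * 61, vlan=1, pcp=7)
# Ordinary user traffic tagged VLAN 20, and the same frame sent untagged.
USER_FRAME_VLAN20 = build_frame(BROADCAST, HOST_B, ETHERTYPE_ARP, b"\x00" * 28, vlan=20)
UNTAGGED_FRAME = build_frame(BROADCAST, HOST_B, ETHERTYPE_ARP, b"\x00" * 28)

if __name__ == "__main__":
    for name in ("CONTROL_FRAME_VLAN1", "USER_FRAME_VLAN20", "UNTAGGED_FRAME"):
        print(name, parse_frame(globals()[name]))
    # Changing the native VLAN moves only the untagged frame.
    print(classify_trunk_frames([CONTROL_FRAME_VLAN1, USER_FRAME_VLAN20, UNTAGGED_FRAME]))
    print(classify_trunk_frames([CONTROL_FRAME_VLAN1, USER_FRAME_VLAN20, UNTAGGED_FRAME], native_vlan=99))
```

<p>Run stand-alone, the script prints the decoded tags and then the per-VLAN counts twice: with the default native VLAN the untagged frame is counted in VLAN 1 alongside the control frame, and with native VLAN 99 it moves to VLAN 99 while the explicitly tagged control frame stays in VLAN 1. A frame with VID 0 is handled as priority-tagged and VID 4095 is rejected as reserved.</p>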
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Current projects and plans for upcoming weeks]]></title>
<link>http://burriseng.wordpress.com/2009/09/01/current-projects-and-plans-for-upcoming-weeks/</link>
<pubDate>Tue, 01 Sep 2009 15:34:54 +0000</pubDate>
<dc:creator>burriseng</dc:creator>
<guid>http://burriseng.wordpress.com/2009/09/01/current-projects-and-plans-for-upcoming-weeks/</guid>
<description><![CDATA[I am currently working on securing our wired/ wireless network by using ACL’s (Access Control Lists)]]></description>
<content:encoded><![CDATA[I am currently working on securing our wired/ wireless network by using ACL’s (Access Control Lists)]]></content:encoded>
</item>
<item>
<title><![CDATA[VLAN (in)security]]></title>
<link>http://carlozappala.wordpress.com/2009/08/19/vlan-insecurity/</link>
<pubDate>Wed, 19 Aug 2009 21:14:27 +0000</pubDate>
<dc:creator>carlozappala</dc:creator>
<guid>http://carlozappala.wordpress.com/2009/08/19/vlan-insecurity/</guid>
<description><![CDATA[Chiunque si trovi a configurare una moderna LAN dotata di &#8220;switch&#8221; e magari anche di ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Anyone who has to configure a modern LAN equipped with &#8220;switches&#8221; and perhaps also a &#8220;core switch&#8221; (a central mega-switch) will surely know what a VLAN is: a way to partition a switch into several virtual entities, virtually separated from one another (in software), even though they share the same common hardware (the physical switch with its Ethernet, fibre or other &#8220;ports&#8221;). The relevant standard is IEEE 802.1Q (<a title="IEEE 802.1Q" href="http://it.wikipedia.org/wiki/IEEE_802.1Q" target="_blank">look it up if you don't believe me</a> :-) ).</p>
<p>Unfortunately, some laypeople, among them some (too many) IT &#8220;decision makers&#8221;, tend to believe that VLANs are an element of added security, one of the &#8220;bricks&#8221; on which to build the security of the network inside the data centre. It is like saying that a jeweller who keeps the jewels in several safes rather than in one has raised the level of security. This is patently false.</p>
<p>As far as VLANs are concerned, <a title="VLAN insecurity" href="http://www.spirit.com/Network/net0103.html" target="_blank">this article</a> clears up the ideas on the subject (in English) and points to authoritative sources that debunk this genuine myth.</p>
<p>In the end, VLANs are just a way to lower installation costs and improve the handling of &#8220;broadcasts&#8221; within the LAN.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[6500 Multilayer Switches]]></title>
<link>http://jayceechou.wordpress.com/2009/08/16/6500-multilayer-switches/</link>
<pubDate>Sun, 16 Aug 2009 22:54:34 +0000</pubDate>
<dc:creator>Jaycee</dc:creator>
<guid>http://jayceechou.wordpress.com/2009/08/16/6500-multilayer-switches/</guid>
<description><![CDATA[*Multilayer switches are divided by chassis type. SUP-32 = Supervisor 32Gbps backplane bus SUP-720 =]]></description>
<content:encoded><![CDATA[*Multilayer switches are divided by chassis type. SUP-32 = Supervisor 32Gbps backplane bus SUP-720 =]]></content:encoded>
</item>
<item>
<title><![CDATA[Cheat Sheets...]]></title>
<link>http://symbolik.wordpress.com/2009/08/15/cheat-sheets/</link>
<pubDate>Fri, 14 Aug 2009 15:33:51 +0000</pubDate>
<dc:creator>symbolik</dc:creator>
<guid>http://symbolik.wordpress.com/2009/08/15/cheat-sheets/</guid>
<description><![CDATA[Found this gem on a recent SANS article &#8211; Cheat Sheets &#8211; PacketLife.net.  Loads of quick]]></description>
<content:encoded><![CDATA[Found this gem on a recent SANS article &#8211; Cheat Sheets &#8211; PacketLife.net.  Loads of quick]]></content:encoded>
</item>
<item>
<title><![CDATA[Linux Vlan and Bonding]]></title>
<link>http://boneymtom.wordpress.com/2009/08/04/linux-vlan-and-bonding/</link>
<pubDate>Tue, 04 Aug 2009 07:13:20 +0000</pubDate>
<dc:creator>boneymtom</dc:creator>
<guid>http://boneymtom.wordpress.com/2009/08/04/linux-vlan-and-bonding/</guid>
<description><![CDATA[Every linux admin would have come across a necessity to bond interfaces . Most of the time you wonde]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Every Linux admin will have come across the need to bond interfaces. Most of the time you wonder what you can do with that extra network card in the server. With Linux you can put it to good use.</p>
<p>Bonding. What is bonding?</p>
<p>It is combining interfaces wherever you need redundant links, fault tolerance or load balancing. It is a straightforward way to build a highly available network segment. The bonding driver also supports 802.1Q VLAN tagging on top of the bond, so VLAN interfaces can be stacked on the aggregated link.</p>
<p>There are different modes or types of bonding</p>
<p><strong>mode=1</strong> (active-backup)<br />
Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond&#8217;s MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.</p>
<p><strong>mode=2</strong> (balance-xor)<br />
XOR policy: Transmit based on [(source MAC address XOR'd with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.</p>
<p><strong>mode=3</strong> (broadcast)<br />
Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.</p>
<p><strong>mode=4</strong> (802.3ad)<br />
IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.</p>
<ul>
<li>Prerequisites:
<ul>
<li>Ethtool support in the base drivers for retrieving the speed and duplex of each slave.</li>
<li>A switch that supports IEEE 802.3ad Dynamic link aggregation. Most switches will require some type of configuration to enable 802.3ad mode.</li>
</ul>
</li>
</ul>
<p><strong>mode=5</strong> (balance-tlb)<br />
Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.</p>
<ul>
<li>Prerequisite: Ethtool support in the base drivers for retrieving the speed of each slave.</li>
</ul>
<p><strong>mode=6</strong> (balance-alb)<br />
Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.<br />
Also, you can use multiple bond interfaces; with the 2.6 bonding driver that means either setting the max_bonds module option or loading the module once per bond under a different name (modprobe -o bond1 bonding).</p>
<p>Based on the above decide which is the bonding you need.</p>
<p>Check if the module is loaded using</p>
<p style="margin-bottom:0;"><span style="color:#0000ff;"># modprobe -l | grep bonding</span></p>
<p style="margin-bottom:0;">/lib/modules/2.6.18-92.el5/kernel/drivers/net/bonding/bonding.ko</p>
<p style="margin-bottom:0;"><span style="color:#0000ff;"># modprobe -l | grep mii</span></p>
<p style="margin-bottom:0;">/lib/modules/2.6.18-92.el5/kernel/drivers/net/mii.ko</p>
<p>Both commands should print a module path. Now edit modprobe.conf:</p>
<p># vim /etc/modprobe.conf and append the following</p>
<p>alias bond0 bonding</p>
<p>options bond0 mode=1 arp_ip_target=192.168.52.1 arp_interval=200 primary=eth0</p>
<p>Want to know more about the options</p>
<p>#modinfo bonding</p>
<p>load the module</p>
<p>#modprobe bonding</p>
<p>#modprobe mii</p>
<p style="margin-bottom:0;">Now edit the following files bond0 , eth0 , eth1 .</p>
<p style="margin-bottom:0;">ifcfg-bond0 carries the IP configuration; the slave files for eth0 and eth1 carry no IP address or hardware address, only MASTER=bond0 and SLAVE=yes.</p>
<p style="margin-bottom:0;"><span style="color:#0000ff;"># vim /etc/sysconfig/network-scripts/ifcfg-bond0</span></p>
<blockquote>
<p style="margin-bottom:0;">DEVICE=bond0</p>
<p style="margin-bottom:0;">BOOTPROTO=none</p>
<p style="margin-bottom:0;">ONBOOT=yes</p>
<p style="margin-bottom:0;">NETMASK=255.255.255.0</p>
<p style="margin-bottom:0;">IPADDR=192.168.52.4</p>
<p style="margin-bottom:0;">USERCTL=no</p>
<p style="margin-bottom:0;">GATEWAY=192.168.52.1</p>
<p style="margin-bottom:0;">TYPE=Ethernet</p>
<p style="margin-bottom:0;">IPV6INIT=no</p>
<p style="margin-bottom:0;">PEERDNS=yes</p>
<p style="margin-bottom:0;"><span style="color:#0000ff;">#vim  /etc/sysconfig/network-scripts/ifcfg-eth0</span></p>
<p style="margin-bottom:0;">DEVICE=eth0</p>
<p style="margin-bottom:0;">BOOTPROTO=none</p>
<p style="margin-bottom:0;">ONBOOT=yes</p>
<p style="margin-bottom:0;">MASTER=bond0</p>
<p style="margin-bottom:0;">SLAVE=yes</p>
<p style="margin-bottom:0;">USERCTL=no</p>
<p style="margin-bottom:0;">TYPE=Ethernet</p>
<p style="margin-bottom:0;"><span style="color:#0000ff;">#vim /etc/sysconfig/network-scripts/ifcfg-eth1</span></p>
<p style="margin-bottom:0;">DEVICE=eth1</p>
<p style="margin-bottom:0;">BOOTPROTO=none</p>
<p style="margin-bottom:0;">ONBOOT=yes</p>
<p style="margin-bottom:0;">MASTER=bond0</p>
<p style="margin-bottom:0;">SLAVE=yes</p>
<p style="margin-bottom:0;">USERCTL=no</p>
<p style="margin-bottom:0;">TYPE=Ethernet</p>
</blockquote>
<p>Once done restart the network .</p>
<p>#/etc/init.d/network restart</p>
<p>Check the status of the bonding</p>
<p>cat /proc/net/bonding/bond0</p>
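<p>Reading that status file by eye is fine once; for a monitoring check, here is an added example (not from the original post) that parses the /proc/net/bonding/bond0 format and reports when the bond is degraded: a slave down, a non-zero link failure count, or the active slave no longer being the configured primary. The sample dump is constructed to match the layout the 2.6 bonding driver writes, with invented MAC addresses; pass the real file's path as the first argument to run it against a live system.</p>

```python
"""Check /proc/net/bonding/bond0 for a degraded bond.

Added example, not code from the original post. SAMPLE is a constructed
dump in the layout the 2.6 bonding driver writes; pass a real file path as
the first argument to check a live bond.
"""
import re
import sys

# Constructed sample: an active-backup bond whose second slave has lost link.
SAMPLE = """\
Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth0
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0
ARP Polling Interval (ms): 200
ARP IP target/s (n.n.n.n form): 192.168.52.1

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:16:3e:aa:bb:01

Slave Interface: eth1
MII Status: down
Link Failure Count: 2
Permanent HW addr: 00:16:3e:aa:bb:02
"""


def _key_values(text):
    """Turn 'Key: value' lines into a dict; splits on the first colon only,
    so MAC addresses keep their colons."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            out[key.strip()] = value.strip()
    return out


def parse_bond(text):
    """Split the dump into the bond-level header and one record per slave."""
    chunks = re.split(r"^Slave Interface:", text, flags=re.MULTILINE)
    bond = _key_values(chunks[0])
    slaves = []
    for chunk in chunks[1:]:
        name, _, rest = chunk.partition("\n")
        fields = _key_values(rest)
        slaves.append({
            "name": name.strip(),
            "up": fields.get("MII Status") == "up",
            "failures": int(fields.get("Link Failure Count", "0")),
            "hwaddr": fields.get("Permanent HW addr", ""),
        })
    return {
        "mode": bond.get("Bonding Mode", ""),
        "primary": bond.get("Primary Slave"),      # absent unless primary= was set
        "active": bond.get("Currently Active Slave"),
        "up": bond.get("MII Status") == "up",
        "slaves": slaves,
    }


def bond_health(text):
    """Return a list of problems; an empty list means the bond is healthy."""
    bond = parse_bond(text)
    problems = []
    if not bond["up"]:
        problems.append("bond has no working link")
    if len(bond["slaves"]) < 2:
        problems.append("fewer than two slaves: no redundancy")
    for slave in bond["slaves"]:
        if not slave["up"]:
            problems.append("slave %s is down" % slave["name"])
        if slave["failures"]:
            problems.append("slave %s has %d link failure(s)"
                            % (slave["name"], slave["failures"]))
    if bond["primary"] and bond["active"] and bond["primary"] != bond["active"]:
        problems.append("failover in effect: active slave %s is not primary %s"
                        % (bond["active"], bond["primary"]))
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line in bond_health(text) or ["bond healthy"]:
        print(line)
```

<p>On the sample it reports that eth1 is down and has two recorded link failures; a bond whose active slave differs from the primary is flagged as well, because in mode 1 that means a failover has happened and the primary link has not come back. The parser splits on the first colon only so that hardware addresses survive intact.</p>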
<p>Requirements: CentOS 5.3, NICs supported by the bonding driver and 802.1Q (VLAN) tagging, and the ethtool and mii-tool packages installed. If you don't have the latter two, install them with yum.</p>
<p>reference:</p>
<ul>
<li><a href="http://www.linuxfoundation.org/en/Net:Bonding" target="_blank">http://www.linuxfoundation.org/en/Net:Bonding</a></li>
<li><a href="http://www.howtoforge.com/network_card_bonding_centos" target="_blank">http://www.howtoforge.com/network_card_bonding_centos</a></li>
</ul>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[How to configure a VLAN]]></title>
<link>http://araihan.wordpress.com/2009/08/02/how-to-configure-a-vlan/</link>
<pubDate>Sun, 02 Aug 2009 11:31:00 +0000</pubDate>
<dc:creator>Raihan</dc:creator>
<guid>http://araihan.wordpress.com/2009/08/02/how-to-configure-a-vlan/</guid>
<description><![CDATA[You need a RJ45 -&gt; DB9 (serial port) cable. You connect it to the serial port of your computer. T]]></description>
<content:encoded><![CDATA[You need a RJ45 -&gt; DB9 (serial port) cable. You connect it to the serial port of your computer. T]]></content:encoded>
</item>
<item>
<title><![CDATA[Small Business Ethernet Switches]]></title>
<link>http://dazzee.wordpress.com/2009/07/28/small-business-ethernet-switches/</link>
<pubDate>Tue, 28 Jul 2009 04:58:53 +0000</pubDate>
<dc:creator>ssnaugher</dc:creator>
<guid>http://dazzee.wordpress.com/2009/07/28/small-business-ethernet-switches/</guid>
<description><![CDATA[Ok, Ok &#8211; I know Ethernet switches are not the top topic of discussion when small business(or a]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><img src="http://dazzee.wordpress.com/files/2009/07/switches.jpg?w=150" alt="switches" title="switches" width="150" height="112" class="alignright size-thumbnail wp-image-100" />Ok, Ok &#8211; I know Ethernet switches are not the top topic of discussion when small business(or any business for that matter) starts talking technology.  However over the past few years we have often been asked &#8211; why is one switch $50 at the office supply store while other switches can cost up to thousands of dollars.  More importantly why should my business spend that much more money on a box to plug things in to?</p>
<p>The answer to that question is not as straightforward as some of the other topics I have covered in the small business series, in that it cannot be explained quite as easily to a non-technical person. It's no wonder that many small businesses simply buy the cheapest option available, plug things in, and never think of this box as the core of their business infrastructure.</p>
<p>For the average person, an Ethernet switch most closely resembles a splitter, much like the adapters used to make one phone line available to multiple devices. So when they see many network cables plugged into a single box, it is only natural to think that its only purpose is to &#8220;split&#8221; the network signal. For anyone who has had to troubleshoot a network performance problem, the difference is night and day.</p>
<p>So why does one switch cost exponentially more than the low-end option available for under $100? Think of it this way: you could run an electrical extension cord over to your neighbor's house and get electricity, but you don't, and why not? Several reasons: your neighbor does not want to pay for your access to his facilities, you need more capacity than that extension cord can deliver, there is no way to control access to or secure your availability of that resource, and there is no way to change the delivery from 110 to 220 volts; the list goes on. The same applies to network infrastructure. You can use a low-end switch from an office supply store, but you give up many critical controls and features. They may not seem like much up front, but when your network grinds to a halt they suddenly take on a much higher level of importance.</p>
<p>Low-end switches often lack features whose absence can affect your business in the following ways:</p>
<ul>
<li><strong>No management interface</strong>: most low-end switches are simple devices that learn MAC addresses and forward frames between ports, and offer little more. Without a management interface there is no way to configure other features, troubleshoot problems, or set up alerts and monitoring.</li>
<li><strong>No way to create Virtual Local Area Networks (VLANs)</strong>: to a non-technical user this may not mean much, but VLANs let you segment one Ethernet switch into multiple virtual switches to isolate traffic. That used to be a minor concern; today's networks carry a mix of data, voice and video, each with its own needs and constraints, and VLANs let you treat each of those networks separately within the same physical device.</li>
<li><strong>No way to set Quality of Service</strong>: this goes hand in hand with VLANs. Quality of Service (QoS) lets you set policies for how each network or type of traffic is treated. You will probably want to give voice traffic the highest priority, while email can wait in line if there is a bottleneck, and when the network is saturated you do not want critical traffic being dropped.</li>
<li><strong>No way to detect bridge loops</strong>: a bridge loop, or network loop, occurs when there is more than one Layer 2 path between two points, for example two switches connected to each other by two cables for redundancy, or a cable accidentally patched from one port of a switch to another. Without a loop-detection mechanism such as spanning tree to block the redundant path, broadcast frames circulate endlessly until the network saturates and becomes unusable.</li>
<li><strong>Small per-port buffers</strong>: in lower-end switches the port buffer that queues frames for forwarding can be very small. When a burst exceeds it, frames are dropped and have to be retransmitted, which increases the load on the switch and reduces performance.</li>
<li><strong>No Power over Ethernet</strong>: while not always true, most low-end switches do not provide Power over Ethernet. Why does this matter? More and more network devices can draw their power from the network port they plug into, eliminating the separate power brick at the device. Examples include IP cameras, network speakers, IP phones and wireless access points.</li>
<li><strong>No routing capabilities</strong>: while not always included in higher-end switches, the ability to route between networks directly on the switch is almost always an option. Why does this matter? Say you put a server on one VLAN and the client PCs on another to isolate the server segment. When a client needs the server, a switch without routing has to send the traffic out to an external router and back, at the speed of the router's interfaces. A switch with internal routing keeps that traffic inside the device and forwards it at the switch's own backplane speed. Without routing on the switch, that is a big performance difference.</li>
</ul>
<p>Obviously not every lower-end switch is missing all of the features above, but it is worth checking what you will be missing in a low-end solution, because one way or the other it will be missing something. In the end, consider what the Ethernet switch does in your business. It is not a multi-outlet plug strip; it is the core of your entire network and can either let you work efficiently or hold you back from performing at full speed. If this all seems Greek to you and more than you want to consider, make sure you consult a knowledgeable, certified network professional who can guide you in the right direction.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Managed Services Provider Exponential- e| Q &amp; A on Cloud Computing]]></title>
<link>http://exponentiale.wordpress.com/2009/07/24/managed-services-provider-exponential-e-q-a-on-cloud-computing/</link>
<pubDate>Fri, 24 Jul 2009 10:48:26 +0000</pubDate>
<dc:creator>exponentiale</dc:creator>
<guid>http://exponentiale.wordpress.com/2009/07/24/managed-services-provider-exponential-e-q-a-on-cloud-computing/</guid>
<description><![CDATA[Why is it important for Exponential-e to be involved in cloud computing? We believe cloud based comp]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><em><strong>Why is it important for Exponential-e to be involved in cloud computing? </strong></em></p>
<p>We believe cloud based computing provides true ubiquity of service, allowing users to access services from any location, over any infrastructure, with any device, at any time. The development of intelligent user appliances like PDAs and smartphones has removed the barrier of user access. Users are becoming more comfortable with this model due to services provided in the consumer market by Google, MobileMe, etc., which spill into the business environment. SME clients want “corporate” services but at realistic prices and look at the cloud model as a way of achieving this. We are finding that clients are focusing on core business activities and are looking towards the cloud model as a real option when outsourcing in-house activities.<br />
<em><strong><br />
How much potential is there in the market?</strong></em></p>
<p>We believe there is massive potential in the SME space as:</p>
<ul>
<li>Value-add applications become available at a fraction of the cost</li>
<li>Clients don’t have to worry about in-house resource</li>
<li>The cloud assumes responsibility for software updates, upgrades, etc. The client only needs to worry about the access technologies</li>
<li>The cloud provides a more flexible commercial framework</li>
<li>Scalability is no longer an issue</li>
<li>The cloud addresses resiliency and DR issues</li>
<li>Up-front capital expenditure is drastically reduced</li>
</ul>
<p>There is a quantifiable shift in service delivery models (e.g. SaaS, CaaS, etc.) which can protect the users from issues they would normally have to deal with themselves. For example, our <strong><a title="Managed Security Service" href="http://www.exponential-e.com/managed/security.html" target="_blank">centralised security service</a> </strong>“cleanses” internet traffic <strong>BEFORE</strong> it ever reaches the client’s premises. We do this with our centralised firewall services in conjunction with <strong><a title="message labs" href="http://www.messagelabs.co.uk/">Message Labs threat management</a> </strong>services.</p>
<p>High-speed secure delivery of centrally hosted services with the<strong><a title="Low Latency connectivity" href="http://www.finance.exponential-e.com/low-latency-secure-connectivity" target="_blank"> lowest possible latency</a></strong>, is absolutely key to the success to almost all cloud computing implementations. Therefore, Exponential-e’s business class NGN could be an important enabler to the successful take-up of cloud computing services in the UK especially as the access infrastructure deployed into enterprises by Exponential-e to support cloud computing can be cross-subsidised by the use of other applications on the same high speed Ethernet access circuits using its VPLS technology.</p>
<p><em><strong>What kinds of customers are interested in these services? </strong></em></p>
<p>We believe that currently, cloud based computing is more pertinent in the SME market.</p>
<p>Cloud computing is advantageous for SME’s as:</p>
<ul>
<li>It enables access to services previously unobtainable due to expense (e.g. CRM services, office application services, unified communication services, etc.).</li>
<li>Enables access to expertise which has previously been too expensive</li>
<li>Enables cost reduction as there are few set-up costs (e.g. VoIP Centrex)</li>
<li>Enables ubiquity of service and different working methodologies (e.g. home working, mobile working)</li>
<li>Makes corporate governance easier through the centralisation of services.</li>
<li>Makes legislative adherence easier</li>
<li>Streamlines processes</li>
</ul>
<p>We launched a new service with <strong><a title="Atlanta Technology" href="http://www.atlantatechnology.co.uk/">Atlanta Technology</a></strong> for small to medium businesses wanting enterprise-class server infrastructure without the capital investment. The service combines both storage and server virtualisation into a centrally-hosted cloud.</p>
<p><em><strong>How will they be using cloud computing to improve their businesses?</strong></em></p>
<p>The service provides corporate customers with their own “cloud” from which virtual servers &#8211; independent from both physical infrastructure and geographic location &#8211; can be hosted.  The communication between the enterprise customer and their server infrastructure takes place across our high-speed and powerful <strong><a title="VPLS (Virtual PrivateLAN Service)" href="http://www.exponential-e.com/vpls/" target="_blank">layer 2 MPLS next generation network</a></strong>, which is dedicated to business traffic. The service is based on a subscription pricing model and reduces the need for significant capital investment.</p>
<p>We have also just launched a <strong><a title="Managed Security Service" href="http://www.exponential-e.com/managed/" target="_blank">managed security service</a></strong> delivered from the cloud using a centralised firewall and combined with threat management features from MessageLabs Hosted Services. This will also be attractive to SMEs wanting to outsource the management of security risk, restructure and reduce the associated cost, and free up ICT resource for core business activities.</p>
<p><em><strong>How will cloud computing develop in the future?</strong></em></p>
<p>Cloud based computing (CBC) is where the client’s “intelligence” will reside. Everything outside of the cloud, such as access links, user devices and so on, will become a commodity. Devices will be thin client in nature. The device will become immaterial – the user “profile” will become king and will drive their access scope. Our profile will drive our corporate identity. CBC will become the ultimate secure domain, with clients pulling information to themselves irrespective of device, infrastructure, geographic location or time.</p>
<p><em><strong>What role will Exponential-e play in the future of cloud computing?</strong></em></p>
<p>Exponential-e will provide a suite of value-add services to complement our core network.  Ultimately, we will treat every single user as a separate and unique client (irrespective of their organisational affiliation).</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Real Security for a Virtual Network]]></title>
<link>http://3comsblog.wordpress.com/2009/11/13/real-security-for-a-virtual-network/</link>
<pubDate>Fri, 13 Nov 2009 16:10:05 +0000</pubDate>
<dc:creator>3Com Corporation</dc:creator>
<guid>http://3comsblog.wordpress.com/2009/11/13/real-security-for-a-virtual-network/</guid>
<description><![CDATA[By Gary Kinghorn Virtualization has certainly become a driving factor in networking, application dep]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>By <a href="mailto:gary_kinghorn@3com.com">Gary Kinghorn</a></p>
<p><a title="wiki link" href="http://en.wikipedia.org/wiki/Network_virtualization" target="_blank">Virtualization</a> has certainly become a driving factor in networking, application deployment and data center design over the last few years. One of our marketing folks recently ran across an interesting deployment scenario in which a customer, as part of a large network virtualization project, was also making use of virtual firewalls to virtualize the security layer of their network, further reducing costs. While the first step of virtualization usually happens in the application server, customers should also be thinking about ways to reduce hardware costs and management complexity by taking advantage of the same concepts inherent in all of our <a title="Security link" href="http://h3cnetworks.com/en_US/category.page?pathtype=Purchase&#38;category=CAT_SECURITY&#38;name=Security" target="_blank">H3C security appliances and blades</a>.</p>
<p>The typical deployment scenario goes something like this: A large distributed enterprise has multiple campuses, or a large distributed campus, with divisions or groups spread throughout. You can think of these as potentially subsidiaries of a conglomerate, departments in a university, or logically separated clean-room projects. The problem is that the physical location of the groups is not aligned with the physical layout of the campuses or buildings. This is a challenge for network designs that frequently are aligned with campus layouts and not the virtual organizations. Virtual Local Area Networks (VLANs) work well locally, when closely mirroring the network topology, but don’t work well across the enterprise WAN, since Layer 2 network virtualization doesn’t scale when extended through the Layer 3 routers.</p>
<p>Providing the functionality of a VLAN for a widely separated logical group (over a Layer 3 WAN or router core) requires a technology called <a title="VRF wiki" href="http://en.wikipedia.org/wiki/VRF" target="_blank">Virtual Routing and Forwarding (VRF)</a>. This provides what could be thought of as a virtual VLAN (but that sounds both redundant and confusing). These new private WANs are more accurately called VRFs, or what can logically be viewed as a wide area broadcast domain.</p>
<p>VRFs effectively provide the policy enforcement and network capacity appropriate for each division or group, no matter what their size, while sharing the same Layer 2 and 3 network infrastructure with many other VRFs. This can help optimize network resources and provide better service to individual users. These VRFs are reasonably straightforward to set up and manage, since the H3C <a title="Routers link" href="http://h3cnetworks.com/en_US/category.page?pathtype=Purchase&#38;category=CAT_ROUTERS&#38;name=Routers" target="_blank">networking infrastructure</a> and <a title="IMC link" href="http://h3cnetworks.com/en_US/category.page?pathtype=Purchase&#38;category=CAT_NTWK_MNMGT&#38;name=Network-Management" target="_blank">management platform</a> support this capability for highly scalable deployments.</p>
<p>But things get even better when enterprises take advantage of virtual firewalls. Whereas logically distinct organizations sharing a network would need their own firewall to protect their LAN segment and to define their unique security policies, firewalls no longer need a one-to-one correspondence with the LAN segment they are protecting any more than an enterprise application still needs its own server to provide adequate service. In essence, a single physical firewall can be divided into hundreds of virtual firewalls, each with its own distinct set of rules, aligned with a particular LAN segment, VLAN, or VRF and can be individually managed by a local group administrator (as needed).</p>
<p>The enterprise class <a title="security link" href="http://h3cnetworks.com/en_US/product.page?pathtype=Purchase&#38;category=CAT_SECURITY&#38;class=CLS_SEC_APPLIANCES&#38;family=FAM_SP_FRWL&#38;product=0150A0AG&#38;name=H3C-SecPath-F5000-A5-Advanced-VPN-Firewall" target="_blank">SecPath F5000-A5</a> and the <a title="secblade link" href="http://h3cnetworks.com/en_US/family.page?pathtype=Purchase&#38;category=CAT_SECURITY&#38;class=CLS_INTEGR_SEC&#38;family=FAM_SB_FRWL&#38;name=H3C-SecBlade-Advanced-VPN-Firewall-Modules" target="_blank">SecBlade VPN Firewall</a> module, for example, both support up to 256 virtual firewalls. The SecBlade module could be deployed right into one of the core router chassis, and all the traffic that flows through the firewall can be partitioned to the right VLAN, applying the relevant policies. A widely distributed VLAN doesn’t need a firewall at each physical site. A few physical firewalls can support hundreds of distributed VLANs in a highly scalable fashion, no matter how widely distributed, as part of a larger virtual network. This can greatly reduce the proliferation of security devices by consolidating and centralizing deployments, while greatly reducing ongoing management costs and overhead. Networks will be able to grow more efficiently and cost-effectively, and maximize use of shared resources.</p>
<p>Interested in hearing more? Give us a call and we’ll show you how.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Trunking problem isl vs dot1q]]></title>
<link>http://iwing.wordpress.com/2009/11/04/trunking-problem-isl-vs-dot1q/</link>
<pubDate>Wed, 04 Nov 2009 08:38:56 +0000</pubDate>
<dc:creator>iwing</dc:creator>
<guid>http://iwing.wordpress.com/2009/11/04/trunking-problem-isl-vs-dot1q/</guid>
<description><![CDATA[I happened to be idly configuring a VLAN integrated with a router using the router on ]]></description>
<content:encoded><![CDATA[I happened to be idly configuring a VLAN integrated with a router using the router on ]]></content:encoded>
</item>
<item>
<title><![CDATA[Stateless VMware ESXi 3.5 on an HP c7000 Blade Server...]]></title>
<link>http://symbolik.wordpress.com/2009/11/01/stateless-vmware-esxi-3-5-on-an-hp-c7000-blade-server/</link>
<pubDate>Sat, 31 Oct 2009 19:11:59 +0000</pubDate>
<dc:creator>symbolik</dc:creator>
<guid>http://symbolik.wordpress.com/2009/11/01/stateless-vmware-esxi-3-5-on-an-hp-c7000-blade-server/</guid>
<description><![CDATA[NOTE:  This is only an overview.  Due to the detailed nature of this project, I will break it up ove]]></description>
<content:encoded><![CDATA[NOTE:  This is only an overview.  Due to the detailed nature of this project, I will break it up ove]]></content:encoded>
</item>
<item>
<title><![CDATA[Multi Layer Switch with Inter Vlan Communication]]></title>
<link>http://krisnarengga.wordpress.com/2009/10/31/multi-layer-switch-dengan-inter-vlan-communication/</link>
<pubDate>Sat, 31 Oct 2009 01:47:10 +0000</pubDate>
<dc:creator>krisnarengga</dc:creator>
<guid>http://krisnarengga.wordpress.com/2009/10/31/multi-layer-switch-dengan-inter-vlan-communication/</guid>
<description><![CDATA[Multi layer switching is a way of arranging network switch devices into several tiers]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><em><strong>Multi layer switching</strong></em> is a way of arranging network switch devices into several tiers, because the number of end users connected to a network is large, so we need to perform trunking (connecting one switch to another) between network switches in a tiered fashion.  Below is an example of multi layer switching simulated with Cisco's Packet Tracer program.</p>
<p><img src="http://img338.imageshack.us/img338/5623/multilayerswitch.jpg" alt="multi layer switching" width="375" height="234" /></p>
<p>In the picture above the network switches are arranged in 3 layers (tiers): the Core Switch as the first layer, the Distribution Switch as the second layer and the Access Switch as the third layer.  The function of the Core Switch is to join several network switch devices into a single whole (integrated network).  The Distribution Switch acts as the link between the Core Switch and the Access Switch.  The Access Switch acts as the link between the network and the end users' computers.  In conclusion, by using the multi layer switch method we can extend the number of computers connected to the network. The example 3-layer arrangement of network switches above can be extended further into several layers downwards, depending on the required network size.</p>
<p><em><strong>The Cisco command line for switch trunking</strong></em> is used to build a multi layer switch like the one above.  The method is to enter the switch's configuration mode, then access the switch port interface that will be used for trunking and set that port's mode to trunk.  An example of the command line is as follows:</p>
<p><img src="http://www.freeimagehosting.net/uploads/12c3b93e3c.jpg" alt="trunking switch" width="377" height="300" /></p>
<p>Above I configured the Core Switch (Cisco 3560) so that fast ethernet port number 1 has trunk mode, because fast ethernet interface number 1 connects to Distribution Switch 1 fast ethernet interface number 24.  Below is an example configuration of Distribution Switch 1 fast ethernet port 24 for trunk mode.</p>
<p><img src="http://www.freeimagehosting.net/uploads/753c40bd68.jpg" alt="trunking distribution switch" width="378" height="299" /></p>
<p>With the configuration steps above we have connected / trunked 2 network switches. Connecting the other network switches works the same way as above.  In conclusion, if we want to connect one network switch device to another, we must set trunk mode on the port interfaces used as the link between the switches.</p>
<p><em><strong>VLAN </strong></em>is a facility provided for grouping a large network into small network segments.  An illustration of VLAN usage is as follows: usually when we implement a network system in a company we have to restrict a business unit's network access so that it does not communicate with other business units.  The way to do this is to define a VLAN for each business unit; for example vlan 101 with the alias vlan_keuangan for the finance unit, vlan 102 with the alias vlan_sdm for the HR unit, vlan 103 with the alias vlan_operasional for the operations unit, and so on.  By defining a VLAN for each unit we can make it appear as though one unit's network cannot communicate with another unit's network, even though the network is already integrated. Below is an example of how to define several VLANs on a network switch.</p>
<p><img src="http://www.freeimagehosting.net/uploads/6e9ee20bfd.jpg" alt="vlan definition" width="386" height="306" /></p>
<p>For a multi layer switch, VLAN definitions like the one above are done on each switch, so that every switch on the network knows which VLANs exist in that network system. To find out which VLANs have been registered on a network switch device we can type the command &#8220;show vlan brief&#8221; in non-configuration mode, for example as below.</p>
<p><img src="http://www.freeimagehosting.net/uploads/4e8d0a3d4a.jpg" alt="vlan brief" width="385" height="307" /></p>
<p>It can be seen above that there are several VLANs which, although we did not define them, are already in the list.  These VLANs are called default VLANs.  Based on the data from &#8220;show vlan brief&#8221; above we see that fast ethernet port interfaces number 1 &#8211; 24 and gigabit ethernet port interfaces 1 and 2 fall into vlan 1 (the default VLAN).  We can move several port interfaces to the VLANs we have defined.</p>
<p><img src="http://www.freeimagehosting.net/uploads/3c49b189f8.jpg" alt="simple topology" width="382" height="234" /></p>
<p>Suppose we have a simple topology (network structure) like the one above, where one switch is used for 2 finance department PCs, 1 HR department PC and 1 operations department PC. Finance PC no. 1 is connected to fast ethernet port no. 1, finance PC no. 2 is connected to fast ethernet port no. 4, the HR PC is connected to fast ethernet port no. 2 and the operations PC is connected to fast ethernet port no. 3. Finance PCs 1 and 2 will be in vlan 101 (meaning we will set fast ethernet ports no. 1 and no. 4 into vlan 101), the HR PC will be in vlan 102 (meaning we will set fast ethernet port no. 2 into vlan 102) and the operations PC will be in vlan 103 (meaning we will set fast ethernet port no. 3 into vlan 103).  The way to configure the switch is as follows.</p>
<p><img src="http://www.freeimagehosting.net/uploads/8df430c290.jpg" alt="vlan port definition" width="375" height="223" /></p>
<p>Enter the port interface to be set. Set that port's mode to access mode.  Access mode is used when the switch port is connected directly to an end user's computer; if it is connected to another switch, the mode must be set to trunk instead.  Then move the port interface into the VLAN.  After setting the mode of the fast ethernet port interfaces, set the IP address on each computer according to the following:</p>
<p>Finance PC 1 = IP : 10.1.101.11, subnet mask : 255.255.255.0, gateway : empty (because we are not using routing)</p>
<p>Finance PC 2 = IP : 10.1.101.12, subnet mask : 255.255.255.0, gateway : empty (because we are not using routing)</p>
<p>HR PC = IP : 10.1.102.11, subnet mask : 255.255.255.0, gateway : empty (because we are not using routing)</p>
<p>Operations PC = IP : 10.1.103.11, subnet mask : 255.255.255.0, gateway : empty (because we are not using routing)</p>
<p><img src="http://www.freeimagehosting.net/uploads/41d86355a6.jpg" alt="set ip" width="397" height="343" /></p>
<p>After all PCs have been given IP addresses, run ping tests to several computers.  In the example below I ping from Finance PC 1 to Finance PC 2 and there is a reply because they are in the same VLAN, whereas when pinging from Finance PC 1 to the HR PC the result is &#8220;Request Timed Out (RTO)&#8221; because they are in different VLANs.</p>
<p><img src="http://www.freeimagehosting.net/uploads/84e7ca7306.jpg" alt="test ping" width="453" height="255" /></p>
<p>In conclusion, by using VLANs we group the network into several segments that restrict network access between one department and another.  A single network switch can contain 1 or more VLANs, depending on the network's needs.</p>
<p><em><strong>Inter Vlan Communication</strong></em> is a mechanism for configuring things so that the network in one VLAN can communicate with another VLAN, even though the presence of VLANs actually limits the scope of communication between networks. Inter Vlan Communication exists because there are cases where a PC in a certain VLAN needs to reach a device in another VLAN, for example a PC in the finance VLAN has to communicate with a server PC in the server VLAN.  To perform Inter Vlan Communication we have to enable ip routing mode. Below I give an example of a simple topology involving Inter Vlan Communication.</p>
<p><img src="http://www.freeimagehosting.net/uploads/0b2b4884fa.jpg" alt="inter vlan communication" /></p>
<p>Above is a simple topology for practising Inter Vlan Communication.  IP Routing mode only exists on router devices and on switch devices (not all Cisco switches).  In the example above I use a Cisco 3560 network switch device. There are 3 VLANs defined on the switch device: vlan 100 as vlan_management, vlan 101 as vlan_keuangan and vlan 102 as vlan_sdm.  The switch configuration steps are as follows:</p>
<p>1. Enable IP Routing mode on the 3560 switch</p>
<p>2. Create the VLAN list</p>
<p>3. Assign an IP address to each VLAN</p>
<p>4. Change the mode of the fast ethernet port interfaces according to their respective VLANs (in the example port 1 is vlan 101 and port 2 is vlan 102)</p>
<p><img src="http://www.freeimagehosting.net/uploads/65c91dbb10.jpg" alt="setting switch inter vlan" width="479" height="297" /></p>
<p>After configuring the network switch, set the computers' IP addresses using the following example addressing:</p>
<p>PC 1 = IP : 10.1.101.11, subnet mask : 255.255.255.0, gateway : 10.1.101.1 (matching the IP address of vlan 101)</p>
<p>PC 2 = IP : 10.1.102.11, subnet mask : 255.255.255.0, gateway : 10.1.102.1 (matching the IP address of vlan 102)</p>
<p>Then run a ping test from PC 1 to PC 2 and see what happens.</p>
<p><img src="http://www.freeimagehosting.net/uploads/3b7457bb7f.jpg" alt="test ping" width="493" height="308" /></p>
<p>It turns out that after the ping test from PC 1 (vlan 101) to PC 2 (vlan 102) there is a reply from PC 2, and this is what is called Inter Vlan Communication.  What if there is an intermediate switch between the Cisco 3560 switch and the PCs, as in the picture below?</p>
<p><img src="http://www.freeimagehosting.net/uploads/434d52d5c5.jpg" alt="inter vlan multi layer" /></p>
<p>The answer is the steps below:</p>
<p>1. First set trunk mode on the interfaces used to connect the 3560 switch with the 2960 switch.</p>
<p>2. Define the same VLANs on the 2960 switch as on the 3560 switch (there is no need to set an IP address for each VLAN on the 2960 switch).</p>
<p>3. Type the command line &#8220;ip default-gateway 10.1.1.1&#8221; so that traffic from the PCs arriving at the 2960 switch is sent on to the 3560 switch.</p>
<p><img src="http://www.freeimagehosting.net/uploads/15e7fd363d.jpg" alt="configure switch 2960" width="440" height="275" /></p>
<p>Once the 2960 switch has been configured, set the PCs' IP addresses again as above, then ping from PC 1 to PC 2 and finally run tracert to find out the traffic path.</p>
<p><img src="http://www.freeimagehosting.net/uploads/9d8dff8eb6.jpg" alt="test ping" width="439" height="380" /></p>
<p>It can be seen from the ping test above that there is a reply from PC 2 to PC 1.  The tracert path also shows the traffic passing through IP 10.1.101.1 (the IP address of vlan 101 set on the 3560 switch) first before reaching PC 2.</p>
<p>Now the question is how we block traffic from certain VLANs, given that the VLAN method is supposedly for blocking network traffic.  The answer is to use the &#8220;Access List&#8221; facility, but I will cover the Access List part in the next post &#8230;&#8230; if I get the chance &#8230;&#8230; hehehe</p>
<p><strong>Onward, Indonesian IT!!!!!!!!</strong></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[VLANs on an Ovislink switch]]></title>
<link>http://torocatala.wordpress.com/2009/10/27/vlans-en-switch-ovislink/</link>
<pubDate>Tue, 27 Oct 2009 10:54:32 +0000</pubDate>
<dc:creator>torocatala</dc:creator>
<guid>http://torocatala.wordpress.com/2009/10/27/vlans-en-switch-ovislink/</guid>
<description><![CDATA[We log in to the switch by its IP. By default the IP is 192.168.2.1; once we are in it will ask us for a user and pa]]></description>
<content:encoded><![CDATA[We log in to the switch by its IP. By default the IP is 192.168.2.1; once we are in it will ask us for a user and pa]]></content:encoded>
</item>

</channel>
</rss>
