Icon
Icon		Icon
Icon		Icon
Icon

Ebook Cisco For Unix

10:32 AM
0 comments
Integrated Cisco and UNIX® Network Architectures
By Gernot Schmied
Publisher: Cisco Press
Pub Date: September 14, 2004
ISBN: 1-58705-121-4
Pages: 600

  • Learn how to design, build, and administer integrated gateway routing systems
  • Identify the advantages and disadvantages of Cisco/UNIX integrated designs
  • Review lab exercises throughout the book that bring concepts to life
  • Encounter the fascinating world of dynamic UNIX routing and TCP/IP stacks
  • Understand the way forwarding and signaling are implemented in the UNIX world
  • Gain proficiency with tunnels and VPNs
  • Utilize advanced features such as high availability, NAT, bandwidth management, policy routing, and multicast architectures
  • Explore Linux and BSD networking concepts
  • Design, build, and operate integrated gateway routing systems


More

Copyright© 2005 Cisco Systems, Inc.

10:30 AM
0 comments
Copyright
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

More

Chapter 1. Operating System Issues and Features—The Big Picture

10:29 AM
0 comments
State-of-the art UNIX operating systems are powerful in performance, robust, rich in features, and come with a lot of ancillary tools and packages out of the box. Due to their performance criteria and robustness, UNIX operating systems are the choice for many critical applications in enterprise and service provider environments, data centers, and machine clusters. GNU packages, especially compilers, form the foundation of most UNIX operating systems, with GNU/Linux being the most prominent open-source representative. Because of high-performance network stacks and a complete set of supported protocols, they are also a good choice for gateways, routers, and firewall systems.
More

Routing, Forwarding, and Switching Approaches

10:26 AM
0 comments
Before the explosion of routing tables and of forwarded traffic, the classic routing paradigm constituted routing table lookups in increasingly complex routing tables. These tables were populated by more or less scalable and fast-converging dynamic routing protocols together with connected routes and static routes.
More

Cisco IOS Software

10:25 AM
0 comments
Cisco IOS Software has been around for quite some time. The original intention of the developers was to provide a small embedded system for limited-memory and speed-critical packet-switching routing appliances. Speed requirements within embedded systems are usually met by design simplicity and removal of unnecessary features. Cisco IOS Software has a cooperative multitasking kernel architecture featuring several processes and "resembles a loose collection of components and functions linked with the rest of IOS. Everything including the kernel runs in user mode on the CPU and has full access to systems resources."[1]
More

Linux

10:23 AM
0 comments
This UNIX-like operating system is based on the work of Linus Torvalds and was inspired to some extent by Andrew Tanenbaum's Minix operating system. However, Torvalds also had in mind to overcome the limitations of Minix and abandon its microkernel concept for the sake of a modular kernel. Over the recent years, it has grown to a huge collaborative effort with thousands of developers.
More

Chapter 2. User-Space Routing Software

10:22 AM
0 comments
As described in Chapter 1, "Operating System Issues and Features—The Big Picture," user-space routing tools run as one single process (monolithic architectures) or as a set of daemons external to the kernel routines, either single-threaded or multithreaded. As long as these daemons are alive, routing information—signaling information to be more precise—can be exchanged or withdrawn and eventually populate the gateway's routing table.
More

The GNU Zebra Routing Software

10:19 AM
0 comments
GNU Zebra is a free and mature software package that manages TCP/IP-based routing protocols. Zebra's unique architectural foundation is based on the concept of one single process for each signaling routing protocol. Each module can run, be restarted, or be upgraded independently of the others, which greatly increases the stability of the entire system. In addition, the protocol daemons can be run just to exchange signaling information or populate the system's forwarding table via the Zebra master daemon (zebra). Particularly popular applications that use signaling information are route servers and route reflectors that distribute Border Gateway Protocol (BGP) reachability information. Chapter 10, "ISP Connectivity with BGP4: An Exterior Gateway Path-Vector Routing Protocol for Interdomain Routing," discusses these applications in depth. GNU Zebra does not support or make use of threads yet—it has its own internal cooperative user-space thread model (not really multithreaded). Zebra code constitutes the development foundation for IP Infusion's commercial ZebOS. The following list presents some useful details about the software:
More
10:18 AM
0 comments
The routed Daemon
routed is a simple RIP-based LAN routing protocol daemon often used to communicate with other RIP hosts and gateways. It supports the Internet Router Discovery Protocol (IRDP) as well. The IRDP is discussed in more detail at the end of Chapter 12, "Designing for High Availability."
More

MRT (Multithreaded Routing Toolkit)

10:16 AM
0 comments
The MRT Project is a monolithic multithreaded routing engine (MRTd) that was developed under a research grant at the University of Michigan. It contains multiprotocol IPv4/IPv6 routing daemons and accompanying analysis and simulation tools. The following list presents some useful details about the software:
More

Chapter 3. Kernel Requirements for a Full-Featured Lab

5:06 AM
0 comments
This chapter discusses various important aspects of networking-related kernel configurations on which we will rely heavily as we advance throughout this book. Some of these features need to be enabled at kernel compile time, some utilize loadable kernel modules, and others require user-space configuration tools and utilities such as the firewall or virtual local-area network (VLAN) configuration tasks. In the context of kernel parameters, the sysctl utility is introduced and thoroughly discussed.
More

IP Forwarding Control and Special Interfaces

5:05 AM
0 comments
IP forwarding essentially turns a gateway into a router that is capable of forwarding IP datagrams between directly attached physical or virtual interfaces. In firewall setups, it is often desirable to disable IP forwarding during bootup and firewall initialization for security purposes, not to leave a gateway vulnerable during the booting routine before the firewall inspection engine resumes forwarding control. It is also a good idea to make sure IP forwarding is disabled before the firewall terminates at system shutdown. Example 3-2 demonstrates how you can enable/disable IPv4 and multicast forwarding via sysctl parameters. This is possible for IPv6 as well.
Example 3-2. Linux IP Forwarding-Related sysctl Variables
[root@callisto:~#] sysctl -a | grep forwarding
net.ipv4.conf.pimreg.mc_forwarding = 1
net.ipv4.conf.pimreg.forwarding = 1
net.ipv4.conf.ipsec0.mc_forwarding = 0
net.ipv4.conf.ipsec0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 1
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 1
net.ipv4.conf.all.forwarding = 1
VLAN Subinterface Support and Trunk Termination (802.1Q)
If you are connecting a UNIX gateway's Ethernet interfaces to a switch or router, you can use this interface to act as an access link or uplink. This interface can also connect multiple VLAN subinterfaces and act as a pipe (trunk) for all these interfaces.

For VLAN tagging, two methods exist: the Cisco System proprietary Inter-Switch Link (ISL) flavor, and the standardized IEEE 802.1Q method. In fact, what we call an uplink is a special case of trunk carrying only one (untagged) VLAN, usually the default VLAN of the switch. Therefore, a UNIX gateway can route between these VLANs ("router on a stick") or form a pipe to a Cisco neighbor using the same subinterface scheme and VLAN tagging. They form logical interfaces on both Cisco and UNIX gateways.

Note that VLANs result in separated broadcast/multicast domains with Media Access Control (MAC) layer isolation. They are a popular way of separating customer access and services in data centers or service provider server segments and are also widely deployed to segment enterprise entities into multiple VLAN realms that can span hundreds of switches.

To support large VLAN switched environments with a lot of trunks, Cisco has developed the proprietary VLAN Trunking Protocol (VTP), which enables switching hierarchies to flood VLAN information on trunk ports. In fact, VLANs are the Ethernet equivalent of a subinterface concept similar to the features Frame Relay provides on serial WAN interfaces or ATM on dedicated ATM interfaces. However, you need to be aware of VLAN security issues, especially if customers are directly connected to the access port of a switch (MAC-level access). In this case, there exists the possibility of VLAN security penetration and denial-of-service (DoS) attacks under certain circumstances, such as heavy load, MAC address spoofing, malicious VLAN labeling from access ports, trunk and spanning-tree manipulation, and so on. This is especially a matter of concern in cable provider access networks and modern metro networks.

All UNIX operating systems under discussion in this chapter support the standardized IEEE 802.1Q VLAN tagging mechanism as long as this option is enabled in the kernel. (See Appendix A for more information.) VTP is not supported under UNIX. The actual configuration of VLAN interfaces usually happens via the ifconfig command on BSD and via the vconfig command on Linux.
VLAN tagging adds protocol overhead (4 octets in the case of 802.1Q) to the Ethernet frame. This has to be accounted for by manually reducing the maximum frame size via the ifconfig command. Otherwise the network interface card (NIC) driver will silently discard the giant frame. In fact, these giants (also called jumbo frames) are a general caveat in Multiprotocol Label Switching (MPLS) and IP Security (IPSec) setups as well. Tagging always adds overhead. You can alter the maximum transmission unit (MTU) by typing ifconfig {interface} mtu 1496 on Linux or BSD.

NOTE

It is often necessary to alter the MAC address of an Ethernet interface. In particular, cable broadband providers control and provision access via MAC addresses. Whether changing the "burned-in" address is possible or not depends on the hardware and the NIC driver (and therefore the availability of special utilities for this particular purpose). It is not a general feature of the ifconfig command you can rely on.
Alias or Secondary Interfaces
Secondary (alias) interfaces can satisfy the requirements to support multiple addresses on one physical interface. This can also be accomplished with VLANs, as discussed in the VLAN section, with the benefit of MAC layer separation. With an alias address configured, the interface essentially listens to relevant traffic on two segments or a second address within the same broadcast domain. This feature has been supported for a long time on almost all operating systems and is popular for virtual web servers. It is referred to as secondary addresses on Cisco routers and virtual interfaces on Sun Solaris. Examples follow in Chapter 5.

Ethernet Channel Bonding

5:01 AM
0 comments
Ethernet channel bonding describes the physical bundling of multiple full-duplex Fast/Giga Ethernet interfaces (usually two or four) to a virtual pipe of multiplied bandwidth. The resulting channel is transparent to Layer 2 configuration issues and can sustain single- or multiple-link failures of the constituting links.
Experimental channel-bonding drivers for Linux and BSD for selected Fast Ethernet NICs are available. Channel bonding proves particularly useful when using quad Fast Ethernet NICs. In the Cisco context, this feature is referred to as Fast/Giga EtherChannel; in the Sun Solaris world, it is known as Fast/Giga Ethernet trunking. It offers some scalability and resilience between 100-Mbps and -Gbps interfaces, especially when the platform architecture (system bus) is not capable of driving full-duplex Gigabit Ethernet interfaces. Channel bonding in the UNIX world is often deployed in context with cluster architecture approaches such as Beowulf (http://www.beowulf.org/software/bonding.html). A FreeBSD kernel patch for channel bonding is available as well (http://people.freebsd.org/~wpaul/FEC/) via the NetGraph facility (see Appendix B, "The FreeBSD Netgraph Facility"). It compiled on my system without a glitch. I cannot offer advice and reports beyond this statement because of equipment constraints. On Linux, you have to enable the bonding driver support in the kernel Network Device Support section. It is essential to compile this as a module!
Interface Cloning
Usually special interfaces (pseudo interfaces) such as tunnels require provisioning at kernel compile-time. However, as a feature of modern UNIX operating systems, these can be added dynamically at runtime when required via, for example, the ifconfig create command sequence on BSD or certain dedicated user-space utilities. This has nothing in common with the interface-cloning approaches used by Cisco IOS Software (cloning from a template). Cloned routes are a different concept as well and are discussed in Chapter 8, "Static Routing Concepts."
ECMP (Equal-Cost Multi-Path)
ECMP is an important requirement to enable per-packet/per-destination (per-flow) multipath traffic balancing over multiple equal-cost interfaces. This is of a different nature than the previously discussed interface bonding and is important with regard to load-balancing/sharing and redundancy architectures. The term equal cost refers to an identical metric from the point of view of involved static or dynamic routing schemes.
In contrast to Cisco routers, UNIX IP stacks intrinsically have no perception of per-destination load sharing and generally act on a per-packet basis if not configured otherwise (such as in policy routing). Cisco IOS Software defaults to per-destination (per-flow) traffic balancing, as does Cisco Express Forwarding (CEF).
Driver Support for LAN/WAN Interface Cards
The following list offers a quick overview of important interface types supported by popular UNIX operating systems:
10/100-Mbps Ethernet and 4/16-Mbps Token Ring adapters have been supported for a long time on all discussed operating systems.
Although an intriguing concept, 100-Mbps Token Ring has never really generated enough customer interest to penetrate the market.
Gigabit Ethernet support is sufficiently available as well, but you must take into consideration the performance capabilities of the gateway's bus architecture to feed traffic to these high-performance full-duplex cards. At the time of this writing, 10Gigabit adapters make no sense on these systems and will be more of a feature of 64-bit architectures.
Fibre Channel adapters are available as well, and they are used primarily to build storage-area networks (SANs).
Wireless network cards (IEEE 802.11B) are supported for the most prominent chipsets, especially the Cisco Aeronet product line, with the newer 802.11G driver support catching up in Linux 2.6.x and FreeBSD 5.x.
An attractive feature of the discussed UNIX operating systems is the option to use various PCI/ISA WAN interface cards. These flavors include clear-channel or channelized E1 synchronous serial adapters, T3 adapters, PRI cards, and ATM interfaces. These cards come in various flavors with regard to clocking, channelized or clear-channel operation, CSU/DSU integration, duplex transmission, and fractional bandwidths. Well-known producers of these adapters are Sangoma, Cyclades, ImageStream, Stallion, Prosum, and Fore Systems (now Marconi). Usually the vendors provide firmware updates, kernel modules, and utilities for BSD, Linux, and sometimes Sun Solaris. Some of these cards are also gaining popularity for use in software private branch exchange (PBX) systems for enterprise fax and telephony services (FXS/FXO/E1/PRI/BRI interfaces).
Encapsulation Support for WAN Interface Cards
The WAN interfaces I am aware of essentially support the following Layer 2 encapsulations:
Frame Relay
X.25
ATM
HDLC
PPP
The supported features with regard to ATM and Frame Relay vary depending on the vendor of these interface cards. I discuss certain aspects in Chapter 4, "Gateway WAN/Metro Interfaces," in a restricted fashion because of limited access to test equipment.
Support for Bridging Interfaces
Running a UNIX workstation in bridging mode offers two interesting possibilities.
The first is the ability to reduce the traffic on the broadcast domain by bridge segmentation. Because of the availability of cheap switches, this is rarely done anymore.
Second, and more interesting, is the ability to add a transparent IP-filtering and traffic-shaping bridge that is nearly impossible to attack from a remote IP address. It is able to inspect all forwarded frames without configured IP addresses on the interfaces; therefore, IP masquerading (Network Address Translation, or NAT) is not possible. It is okay to assign an IP address for administrative purposes, but you must bear in mind that it is the purpose of a bridge to forward all traffic, not just IP datagrams. You can either use protocol types for filtering non-IP protocols or use the blocknonip option of the OpenBSD brconfig(8) utility. Bridging requires that the interfaces be in promiscuous mode; therefore, the NICs will experience heavier load.
Loop protection in the bridging context is crude. Only Linux supports the 802.1D spanning-tree algorithm, but usually there exists no or only rudimentary Spanning Tree Protocol (STP) support. UNIX gateways were never designed to act as bridges or switches in complicated switch hierarchies/topologies. Therefore, you should prevent loops by design and not rely on the bridging code and its crude loop-protection mechanism to prevent disaster.
Linux and BSD-like operating systems support bridging modes on Ethernet-type interfaces. FreeBSD has expanded the bridging concept to support clustering and VLAN trunks. You will learn more about this feature in Chapter 5. Example 3-3 shows an example of enabling bridging support with a single FreeBSD kernel configuration line.
Example 3-3. BSD Kernel Bridging Support
options BRIDGE # for all BSD OSs
TCP Tuning
The Transport Control Protocol (TCP) is a far more complicated transport protocol than the User Datagram Protocol (UDP) because of its reliable (connection-oriented) character, more complex header, windowing mechanism, and three-way handshaking. Therefore, most IP stacks allow manipulation of TCP behavior to a large extent. This becomes more and more an issue because, unfortunately, several heavy-load protocols such as HTTP are based on TCP segments for transport. Example 3-4 demonstrates several TCP-related kernel configuration options.
Example 3-4. TCP sysctl Parameters
[root@callisto:~#] sysctl -a | grep tcp
net.ipv4.tcp_low_latency = 0
net.ipv4.tcp_frto = 0
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_adv_win_scale = 2
net.ipv4.tcp_app_win = 31
net.ipv4.tcp_rmem = 4096 87380 174760
net.ipv4.tcp_wmem = 4096 16384 131072
net.ipv4.tcp_mem = 48128 48640 49152
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_fack = 1
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_rfc1337 = 0
net.ipv4.tcp_stdurg = 0
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_max_tw_buckets = 180000
net.ipv4.tcp_max_orphans = 8192
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_retrans_collapse = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
Tunnel Support
The open-source operating systems under consideration offer a large variety of kernel- and user-space tunnel solutions, with or without protocol transparency, and with or without encryption/compression. The most widely known are as follows:
IPSec (standard)
IP-IP (standard)
GRE/Mobile IP (standard)
PPTP (standard)
L2TP (standard)
CIPE (no standard, kernel and user space)
VTun (no standard, user space)
Stunnel (HTTPS) (no standard, user space)
As of this writing, not all of the operating systems support all of these approaches. FreeBSD, for example, only offers early user-space Generic Routing Encapsulation (GRE) support. The safest bet still is to use the same solution for both tunnel endpoints.
What most tunnel solutions have in common is the fact that they reduce the available maximum transmission unit (MTU) size because of encapsulation overhead. You must take this into consideration to prevent fragmentation troubles or breaking path MTU discovery (PMTU).
Multicast Support
Linux and BSD operating systems are easily multicast-enabled with two kernel configuration entries. For a detailed discussion of kernel-space and user-space multicast tools, see Chapter 14, "Multicast Architectures."
Example 3-5 shows related kernel configuration lines for BSD, and Example 3-6 shows the relevant sysctl Linux parameters.
Example 3-5. Multicast Configuration Options on BSD
options MROUTING # mrouted (DVMRP)
options PIM # PIM-SMv2/PIM-DM
Example 3-6. sysctl Multicast Parameter
[root@callisto:~#] sysctl -a | grep igmp
net.ipv4.igmp_max_memberships = 20
[root@callisto:~#] sysctl -a | grep mc
net.ipv4.conf.pimreg.mc_forwarding = 1
net.ipv4.conf.ipsec0.mc_forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.all.mc_forwarding = 1
net.ipv4.neigh.pimreg.mcast_solicit = 3
net.ipv4.neigh.ipsec0.mcast_solicit = 0
net.ipv4.neigh.eth1.mcast_solicit = 3
net.ipv4.neigh.eth0.mcast_solicit = 3
net.ipv4.neigh.lo.mcast_solicit = 3
net.ipv4.neigh.default.mcast_solicit = 3
[root@callisto:~#] sysctl -a | grep pim
net.ipv4.conf.pimreg.arp_filter = 0
net.ipv4.conf.pimreg.tag = 0
net.ipv4.conf.pimreg.log_martians = 0
net.ipv4.conf.pimreg.bootp_relay = 0
net.ipv4.conf.pimreg.medium_id = 0
net.ipv4.conf.pimreg.proxy_arp = 0
net.ipv4.conf.pimreg.accept_source_route = 1
net.ipv4.conf.pimreg.send_redirects = 1
net.ipv4.conf.pimreg.rp_filter = 0
net.ipv4.conf.pimreg.shared_media = 1
net.ipv4.conf.pimreg.secure_redirects = 1
net.ipv4.conf.pimreg.accept_redirects = 1
net.ipv4.conf.pimreg.mc_forwarding = 1
net.ipv4.conf.pimreg.forwarding = 1
net.ipv4.neigh.pimreg.locktime = 100
net.ipv4.neigh.pimreg.proxy_delay = 80
net.ipv4.neigh.pimreg.anycast_delay = 100
net.ipv4.neigh.pimreg.proxy_qlen = 64
net.ipv4.neigh.pimreg.unres_qlen = 3
net.ipv4.neigh.pimreg.gc_stale_time = 60
net.ipv4.neigh.pimreg.delay_first_probe_time = 5
net.ipv4.neigh.pimreg.base_reachable_time = 30
net.ipv4.neigh.pimreg.retrans_time = 100
net.ipv4.neigh.pimreg.app_solicit = 0
net.ipv4.neigh.pimreg.ucast_solicit = 3
net.ipv4.neigh.pimreg.mcast_solicit = 3
Firewall and Traffic-Shaping Support
Mature and feature-rich firewalling and masquerading (NAT) support exists for Linux (netfilter/iptables) and BSD (pf, ipf, ipfw). The kernel configuration examples in Appendix A are self-explanatory and commented appropriately. On BSD systems, I do not recommend installing two different firewall systems at the same time unless you have good reasons to do so, such as traffic conditioning. All operating systems under discussion offer sophisticated traffic-shaping and traffic-queuing engines, both in kernel space (ALTQ, dummydev, ipfw) and user space (VTun). These features intrinsically influence traffic leaving an interface of the gateway, not entering. In addition, Linux supports advanced quality of service (QoS) mechanisms (TC, DiffServ, RSVP) to make queuing decisions deviating from the default first in, first out (FIFO) behavior. It is also possible to use a routing table-based or firewall-based classifier.
The IPv6 Protocol Stack
All test platforms provide a full IPv6 stack with accompanying tools. However, discussion of IPv6 goes beyond the scope of this book.

Chapter 4. Gateway WAN/Metro Interfaces

4:59 AM
0 comments
This chapter discusses WAN and metropolitan-access approaches that differ from native switched Ethernet LAN infrastructures. You need to learn about these approaches because the majority of UNIX administrators are aware only of Ethernet network interfaces for connectivity of their beloved systems.
Note that the network access layer delivered to homes and business premises via access/edge metro architectures is either based (generally) on copper cabling or optical cables. In rural areas, the most commercially feasible solutions are dial/wireless access with rapid deployment of digital subscriber line (DSL) infrastructures operated by smaller regional Internet service providers (ISPs) and occasionally local cable networks. The information in this chapter is presented from the customer's (CPE = Customer Premises Equipment) point of view. This discussion considers CPE gateway functionality and not directly connected isolated clients.
In today's metropolitan areas, the following access solutions can be provided to customers:
Dial services (analog/ISDN)
Wireless solutions (laser, microwave, 802.11, GSM, GPRS, UMTS, satellite)
Plain Ethernet services
Metro cable access (Ethernet interfaces)
Synchronous serial digital leased lines (DLLs)
SDH/SONET links
ATM or Frame Relay services
Different flavors of DSL services
Fiber/UTP/STP to the home (Ethernet offerings up to Gbps or shaped transmission rates)
Ethernet via existing PSTN cabling with integrated telephony (LRE = Long Reach Ethernet)
Powerline communications (Internet access via power lines)
Dial-on-Demand Routing: Analog and ISDN Dialup
State-of-the-art digital modems and ISP remote-access platforms support the new ITU V.92 and V.44 standards with features such as better compression, modem-on-hold, quick-connect, and improved upstream performance. However, only time will tell whether ISPs will rush to migrate to these new standards given the development of alternative access technologies with better margin, the risk of introducing instabilities in stable access networks, and the questionable commercial feasibility of upgrading existing equipment, firmware, or software. All modern modems support at least V.90/V.34/V.42bis.

ISDN is available in the form of Basic Rate Interfaces (BRIs) and Primary Rate Interfaces (PRIs) with the capabilities of channel bundling. ISDN is often used for backup scenarios (dial-on-demand routing) and call aggregation, whereas analog modems are often deployed for remote management of network equipment.

In spite of the positive aspects, ISDN backup scenarios are often plagued by the following problems and restrictions:

Backup for at least 50 percent of business bandwidth is not commercially feasible and essentially means deployment of an access server with one or more PRIs.

Deployment results in complicated policy routing configurations. For example, what kind of traffic triggers a dial connect? What is the definition of timeouts, of thresholds? What condition triggers teardown of a dial line? Flapping interfaces, Network Address Translation (NAT) scenarios, and IP Security (IPSec) backups further complicate the matter.

To carriers and service providers, AAA (authentication, authorization and accounting) is a fundamental issue. The effort regarding authentication, IP address allocation, and assignment is considerable for backup scenarios.

Experience has proven that often carrier DLLs as well as the PSTN use the same trunks originating in the same central office. This defeats the purpose of dial backups and presents a treacherous picture of safety, especially at the edge of these infrastructures, where redundant trunks are rare.

Businesses tend to favor dual-homed Internet access with their own autonomous system (AS), provider-independent (PI) address block, and flexible Border Gateway Protocol (BGP) routing. This makes ISDN backup scenarios obsolete to a large extent. However, with the maturity of DSL, wireless, and cable networks, these technologies could be used for backup scenarios as well, even in concert with BGP routing. One has to consider slightly different service-level agreements (SLAs) and the issue of availability in the region, though.

Analog modem adapters, ISDN cards, single-chip solutions, and PRI/channelized PCI or ISA adapters are available in many variants. For a small number of PRI adapters, proprietary UNIX drivers are available and complemented by some open-driver initiatives. A discussion of channelized interfaces goes beyond the scope of this book

Wireless Technologies

4:57 AM
0 comments
Wireless adapter cards and access points for 802.11A/B/G networks are available and have become popular.
Already UNIX kernels support a vast number of different vendor products, with 802.11G drivers catching up. Unfortunately, the Wired Equivalent Privacy (WEP) used for link-layer security is inadequate for modern requirements and can be compromised easily. The successor security architecture (IEEE 802.11I) should be ready by the end of 2004. Several vendors have already started to implement the draft of this standard.

802.11-based networks are plagued by uninvited guests who either connect for free Internet access or for the purpose of sniffing with roaming adapter cards. Therefore, it is highly recommended to add IPSec (3DES/AES) on top of wireless 802.11 networks for transparent encryption, eventually accompanied by measures such as SSH or SSL. Alternative user-space crypto tunnels can be deployed, too. In addition, strong and encrypted authentication is necessary, because MAC-address-based accounting is of limited use, due to the fact that these addresses can be easily changed/spoofed and are tedious to deploy in a vast network of access points. IEEE 802.1X addresses some of these issues.
802.11 is not the only wireless technology available, just the youngest one. Microwave links, satellite links, and laser links will still be available for a long time. The use of GPRS (General Packet Radio Service) and UMTS (Universal Mobile Telecommunications System) is on the rise.
SDH/SONET
Customers can rent Synchronous Digital Hierarchy/Synchronous Optical Network (SDH/SONET) links from carriers and provide their Layer 2 protocol/encapsulation of choice or directly deploy PoS (Packet over SDH/SONET). These links can be acquired either protected (spare port) or unprotected.
For larger enterprise customers, the carriers usually deploy add/drop multiplexers to deliver fractional STM1/OC3 bandwidth. Depending on the linecards of these multiplexers, channels as small as 56/64 kbps could be extracted/injected (added/dropped in multiplexer lingo). T1/E1 fractions are the most common when looking at the total number of deployed units, most of them at carrier edge facilities. Due to the increasing bandwidth needs of larger enterprises, such trunks are normally sold as multiples of full T1/E1 rates. In carrier backbones, state-of-the art photonic networks based on optical cross-connects and dense wavelength-division multiplexing (DWDM) technology transport aggregated traffic of multiple 10 to 100 Gbps
Powerline Communications
Deployment of powerline systems (low-voltage communication) for WAN access requires new equipment at every electrical substation of the energy supplier. The subscriber must be within the rather short and tight distance restrictions of a few hundred meters. Powerline intrinsically is a shared-access technology as well and delivers an Ethernet/USB interface as a demarcation point.
Powerline itself, although initially difficult to deploy, offers the opportunity of new and exciting services: LAN-only powerline in-house cabling, energy management, and remote control of electrical home equipment, just to mention a few.
NOTE
Deployment of T1/E1 symmetrical bandwidth is common. For a technology overview, go to http://www.ipcf.org/powerlineintro.html.
Ethernet to the Home/Premises
With the advances and widespread availability of long- and ultra-long-reach photonic networks, carriers can now provide 10/100/1000-Mbps Ethernet or shaped bandwidths to metropolitan customers, delivering Ethernet demarcation points (optical or copper ports). These services are offered transparently or via virtual LAN (VLAN) or Multiprotocol Label Switching (MPLS) architectures.
Cisco Long-Reach Ethernet (LRE)
Cisco LRE delivers speeds of 5 Mbps to 15 Mbps over legacy category 1/2/3 wiring over several thousand meters. LRE is an extension to the IEEE 802.3 Ethernet standard for single-pair wiring. This requires special switch ports on one end and CPE devices for the office ports on the other end to simultaneously use Plain Old Telephone System (POTS) and Integrated Services Digital Network (ISDN). This is achieved via a sophisticated modulation approach: quadrature amplitude modulation (QAM). Cisco provides a solution that consists of switches, CPE devices, and a POTS splitter for simultaneous use of existing private branch exchange (PBX) equipment.

NOTE

The LRE architecture can coexist with DSL on the same wire bundle facilitating frequency-division multiplexing (FDM).

Synchronous Serial Interface and PRIs

4:53 AM
0 comments
UNIX systems provide excellent support for high-performance T1/E1 and some T3/E3 interface cards, as well as for some High-Speed Serial Interface (HSSI) adapters (up to 52 Mbps) and PRIs. Several vendors provide dedicated drivers and management software for open-source Unices. The NICs integrate nicely into a Cisco WAN network and provide varying telecommunication characteristics:
Clear-channel/channelized/fractional operation
Multiple ports
Physical interfaces: V.35, V.36, X.21, RS-232
With or without integrated CSU/DSU
RAS option: with or without integrated digital modems (DSPs)
PRI signaling
Internal/external clocking
Almost all synchronous serial NICs support the following Layer 2 encapsulation formats:
LAPB (X.25 Layer2)
Frame Relay
Cisco HDLC
Synchronous PPP
Frame Relay services are deployed by carriers up to T3 bandwidth in the United States and up to E1 bandwidth in Europe and most other countries in 56/64-kbps or sometimes even smaller increments (subrates/derived channels). Configuration of X.25 or Frame Relay is similar to Cisco configurations with regard to virtual/subinterface concepts and topology (point to point, point to multipoint, and so on).
ATM Interfaces
Some vendors sell PCI ATM interface cards for ATM25 DSL interfaces, 155-Mbps STM-1/OC3, as well as "exotic" 622-Mbps STM-4/OC12 NICs, featuring both optical and electrical RJ-45 interfaces.
OpenBSD, Linux, and FreeBSD provide an ATM stack, but only a limited family of adapters is supported. This family unfortunately includes almost no state-of-the-art models. The best support available for ATM adapters is provided for Marconi ForeRunner and Efficient Networks chipsets. Consult the hardware compatibility list of the respective operating systems for further details.
As far as I have researched the matter, it would be interesting to deploy ATM25 adapter cards for UNIX gateway devices. Unfortunately, few vendors supply PCI models; almost all development effort appears to go into embedded systems for deployment in integrated access devices (IADs). ATM25 supports approximately 10.5-Mbps high-speed, 8-Mbps full-rate, and 4-Mbps or G.Lite downstream speeds and can accommodate ADSL, SDSL, VDSL, and G.SHDSL.

Because I do not own ATM-PCI adapters, no lab is provided in this section. The following sections discuss the Linux and FreeBSD ATM stack and configuration tools in detail. If you own two ATM interfaces cards, you can use an optical crossover cable pair for a nice lab or connect them to an ATM switch for ILMI testing. For RJ-45 crossovers, consult the pin assignments of the vendor's adapter manual.
Linux ATM Support
Unfortunately, there appears to be no further development going on with regard to the Linux ATM Project (http://linux-atm.sourceforge.net), which, of course, does not mean that it is not stable or useful. The drivers are included in up-to-date kernels. In addition, you still need to download the ATM support tools from http://linux-atm.sourceforge.net. Linux ATM implements several ATM-related daemons: atmsigd, ilmid, and atmarpd, as well as several ancillary tools.
Example 4-1 presents configuration of ATM PVC/SVC pairs under Linux. Remember, ATM PVCs are point-to-point abstractions.
To configure the atm0 interface as 10.1.1.1/30 and build a PVC on PHY 0, VPI 0, VCI 51 (emphasized by the shaded text) to the far-end 10.1.1.2/30, type the commands in the order presented in Example 4-1.
Example 4-1. Simple Linux ATM Interface and PVC Configuration
[root@callisto~#] atmarp -c atm0
[root@callisto~#] ifconfig atm0 10.1.1.1 netmask 255.255.255.252 mtu 4470
[root@callisto~#] atmarp -s 10.1.1.2 0.0.51
For an in-depth discussion, consult the Linux ATM-on-Linux HOWTO.
The FreeBSD HARP ATM Subsystem
FreeBSD provides mature ATM support via the Host ATM Research Platform (HARP) software. For configuration details, consult the atm(8) man page and the links in the "Recommended Reading" section
Cable Access (Ethernet Interfaces)
Cable access can be deployed easily. The vast majority of providers deliver a CPE device (cable modem) that terminates the coax network frequency bands that carry data, TV, and telephony, and provide a standard Ethernet/POTS/ISDN interface as the demarcation point.
To get telephony out of the RF side, an additional termination unit is needed. In contrast to DSL architectures, no additional software or stack components (PPTP, PPPoA, PPPoE) are required on the attached end system or gateway. The cable modem connects via coaxial drop and trunk cables as well as signal repeaters to a carrier's cable head-end. Mixed architectures featuring optical-electrical converters for optical trunk cables are used, too. In contrast to DSL, this is a shared medium; therefore, VLAN architectures and MAC-based access control are commonly deployed and addresses delivered to the customer via Dynamic Host Configuration Protocol (DHCP)
DSL Access
Historically, DSL has been an asymmetric service (ADSL), evolving into a symmetric one (G.SHDSL) designed to replace E1 TDM circuits and provide voice, ATM, raw IP, and ISDN transport.

DSL copper cables are terminated at a central office (CO) DSLAM port (digital subscriber access line multiplexer). The DSLAM serves two purposes:

One is to physically terminate the subscriber line and separate the voice band from the data bands utilizing an integrated splitter device similar to the one on the customer end; the voice signal is delivered directly to the PSTN network on OSI Layer 1.

The second purpose is to relay the data traffic to an IP backbone, usually based on ATM or Ethernet. Aggregation and service-selection gateways constitute the distribution layer of modern DSL provider architectures.

Almost all open-source UNIX operating systems provide mature PPTP support required for the PPPoA architectures that are popular in some European countries. Linux, OpenBSD, and FreeBSD support native PPPoE. PPPoA or PPPoE support of your favorite operating system usually requires a modified/patched version of the PPP toolset. Discussion goes beyond the scope of this book, but you can find easily several cookbooks for setup via your favorite search engine or Linux repository. Several DSL NICs are also available (ATM25, splitterless operation). Some of their important characteristics are as follows:

DSL modes of operation: PPPoA, PPPoE, bridging mode

DSL flavors: ADSL, HDSL, SDSL, G.SHDSL, G.Lite, VDSL, and so on

Software requirements of DSL access: PPPoE or PPPoA stack support, PPTP (for example, via Netgraph/mpd daemon under FreeBSD)

Lab 4-1: Synchronous Serial Connection Setup
This lab (as shown in Figure 4-1) facilitates two Sangoma synchronous serial S514/ET1 PCI adapter cards, connected via an RJ-45 crossover cable for point-to-point configuration between a Linux (callisto) and FreeBSD (castor) gateway. This lab deals with Layer 1 and Layer 2 issues; later labs in following chapters add scenarios on top of the data link layer. For the pin layout of the RJ-45 crossover cable as well as the installation of the NIC drivers, consult the Sangoma website.

Chapter 5. Ethernet and VLANs

4:51 AM
0 comments
Chapter 5. Ethernet and VLANs
This chapter deals with all issues and aspects of Ethernet network interface cards (NICs) with regard to the physical and data link layers. It discusses card-specific aspects such as Media Access Control (MAC) address modification, cabling issues, hardware virtual LAN (VLAN) support, as well as aspects of the OS-specific IP stacks such as IP aliases, 802.1Q VLAN support, and bridging modes of operation.
The second half of this chapter investigates the capabilities of these interfaces when connected to switches, routers, or other UNIX gateways. The chapter concludes with a discussion of bridge and VLAN security, Ethernet channel bonding, and some hands-on labs.
Ethernet NICs
Modern Ethernet NICs are cheap and available in many different flavors. I strongly recommend not relying on the cheapest NICs for production applications, because of the limitations of the chipsets used. A sufficient onboard buffer is also essential for TCP performance.
Note that similar to Cisco router interfaces, the adapters need configuration in terms of speed, duplex settings, and maximum transfer unit (MTU). All the necessary parameters can be set with the UNIX ifconfig command, available on virtually all UNIX platforms.
On Linux systems, the ifconfig tool has evolved into the ip utility (which is part of the iproute2 package). Consult the ifconfig manual pages and the iproute2-HOWTO for details. We will also use this utility for alias and VLAN configuration. I am well aware that iproute2 has superseded many Linux tools such as ifconfig and route, but these are available on all UNIX systems (whereas iproute2 is specific to Linux only).
Autonegotiation of speed and duplex settings has not proven reliable under many circumstances (IEEE 802.3U). The MAC address of some adapters can be changed with a user-space utility provided either by the vendor or the open-source community. This is not possible for all types of NICs. In the worst case, you can use a DOS boot disk with the appropriate utilities. Most vendors also provide firmware upgrades for their products.
NOTE
Exercise care with features such as Wake-On-LAN.
I strongly suggest reading the hardware compatibility notes of your OS releases to ensure proper operation of hardware VLAN support, multicasting, and special features. I also recommend using the same brand of adapters throughout your topology. This makes replacements and driver deployment much easier and does not require kernel recompilation.
Hubs, Bridges, and Multilayer Switches
Because this is not an introductory text, I do not discuss the operation theory of bridges, switches, and hubs. I just want to mention that I am using hubs in my lab setup for the ease of packet sniffing without the need to configure analyzer ports on a switch, which are easily overwhelmed with the traffic of an entire VLAN. This feature is called Switch Port Analyzer (SPAN) on Cisco switches. Besides, I do not own enough switches to build an interesting spanning-tree lab. Therefore, you will find just two limited spanning-tree labs at the end of this chapter so that you can look at the bridge protocol data units (BPDUs) going back and forth between a Linux bridge and a Cisco switch for demonstration purposes.

Of course, I once again warn you about the limited or missing loop-detection mechanisms of some UNIX bridge modes. Take the appropriate topological steps to avoid loops and do not emulate switch functionality with UNIX gateways. Linux, NetBSD, and OpenBSD implement the IEEE 802.1D STP (Spanning-Tree Protocol), which is in charge of loop prevention in switched/bridged topologies in only a crude and limited way.

Instabilities in STP behavior represent the single most severe threat to switched LAN environments with multiple switches and bridges because of the timers involved and the high-performance characteristic of modern switch fabrics. When STP fails, frames might not just circle infinitely; they might multiply (to make the matter even worse). Nevertheless, UNIX bridging modes have their merits in terms of trunk filtering, traffic shaping, and transparent firewalls. Just remember that they are not intended to emulate or replace dedicated switches
Access Ports, Uplinks, Trunks, and EtherChannel Port Groups
A switch's port can either be a simple access port, an up/downlink to a switch or hub, a trunk port for VLAN transport, or a member of a Fast/Giga EtherChannel port group. A UNIX gateway can be connected to another one via a crossover link, can be connected to a switch, can form a VLAN trunk to another trunking-capable neighbor, or can form high-bandwidth multiport EtherChannel connections.

EtherChannels are often constructed with dedicated dual or quad Fast Ethernet NICs and are able to transport and trunk VLANs. At the time of this writing, they offer an alternative to Gigabit Ethernet NICs, especially with low-end 32-bit servers that might have difficulties feeding Gigabit Ethernet. Nevertheless, it is perfectly feasible to use four isolated NICs of good quality. The only requirement is that the other side of the link is EtherChannel-capable as well. As time passes, we will see a similar feature for Gigabit Ethernet gaining momentum. In general, you will come across one of the following EtherChannel or EtherChannel-like implementations:

FreeBSD EtherChannel kernel patch, which supports Cisco Fast EtherChannel (via the Netgraph facility). Two or four ports can be combined into a single aggregate interface.

Linux Ethernet channel bonding.

Cisco Proprietary Fast EtherChannel (featuring PAgP, or Port Aggregation Protocol).

The IEEE 802.3AD link aggregation standard (featuring LACP, or Link Aggregate Control Protocol).

Solaris Ethernet trunking.

Proprietary drivers for dedicated dual and quad interfaces with configuration utilities.

Useful EtherChannel-related links are presented in the "Recommended Reading" section at the end of this chapter.
4:50 AM
0 comments
Alias Interfaces
As mentioned in Chapter 3, "Kernel Requirements for a Full-Featured Lab," alias interfaces provide a way to assign multiple IP addresses to one physical interface. These addresses can either be from the same network broadcast domain or a different address range. However, they do not provide Layer 2 separation as VLAN tagging does.

You will learn in Chapter 9, "Dynamic Routing Protocols—Interior Gateway Protocols," and Chapter 10, "ISP Connectivity with BGP4: An Exterior Gateway Path-Vector Routing Protocol for Interdomain Routing," how alias information can be transported via dynamic routing protocols and used for virtual servers, redundancy, and Dynamic Name Service (DNS) round-robin configurations. Examples 5-1, 5-2, and 5-3 show the configuration of alias/secondary interfaces on Linux, OpenBSD, and FreeBSD systems; the corresponding statistics; and their representation in the Address Resolution Protocol (ARP) and routing tables. Keep in mind that the "colon" notation (shaded text) of Linux interfaces in general is not exactly equivalent to Cisco IOS subinterfaces.

Example 5-1. Linux Alias Interface Example

[root@callisto:~#] ifconfig eth1:1 192.168.45.1



[root@callisto:~#] ifconfig eth0:0 192.168.14.14



[root@callisto:~#] ifconfig

eth0 Link encap:Ethernet HWaddr 00:10:5A:D7:93:60

inet addr:192.168.14.1 Bcast:192.168.14.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:1485 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:0 (0.0 b) TX bytes:122180 (119.3 Kb)

Interrupt:5 Base address:0xd800



eth0:0 Link encap:Ethernet HWaddr 00:10:5A:D7:93:60

inet addr:192.168.14.14 Bcast:192.168.14.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

Interrupt:5 Base address:0xd800



eth1 Link encap:Ethernet HWaddr 52:54:05:E3:51:87

inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:2604 errors:0 dropped:0 overruns:0 frame:0

TX packets:3166 errors:0 dropped:0 overruns:0 carrier:0

collisions:7 txqueuelen:100

RX bytes:691838 (675.6 Kb) TX bytes:307948 (300.7 Kb)

Interrupt:9 Base address:0xd400



eth1:1 Link encap:Ethernet HWaddr 52:54:05:E3:51:87

inet addr:192.168.45.1 Bcast:192.168.45.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

Interrupt:9 Base address:0xd400



lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:489 errors:0 dropped:0 overruns:0 frame:0

TX packets:489 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:54587 (53.3 Kb) TX bytes:54587 (53.3 Kb)



[root@callisto:~#] arp -an

? (192.168.1.254) at 48:54:E8:8C:0A:3F [ether] on eth1

? (192.168.14.254) at 00:60:47:1E:AD:B5 [ether] on eth0

? (192.168.45.254) at 48:54:E8:8C:0A:3F [ether] on eth1



[root@callisto:~#] netstat -rn

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

192.168.14.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

192.168.45.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo

0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth1



############################################################################

# Alternative configuration via the Linux "ip" utility #

# Note that "ip" differentiates between "secondary" and "alias" addresses #

############################################################################

[root@callisto:~#] ip address add 192.168.14.14/24 broadcast 255.255.255.0 label eth0:0

dev eth0



[root@callisto:~#] ip address show eth0

2: eth0: mtu 1500 qdisc pfifo_fast qlen 100

link/ether 00:10:5a:d7:93:60 brd ff:ff:ff:ff:ff:ff

inet 192.168.14.1/24 brd 192.168.14.255 scope global eth0

inet 192.168.14.14/24 brd 255.255.255.0 scope global secondary eth0:0



[root@callisto:~#] ip address add 192.168.45.1/24 broadcast 255.255.255.0 label eth1:1

dev eth1



[root@callisto:~#] ip address show eth1

3: eth1: mtu 1500 qdisc pfifo_fast qlen 100

link/ether 52:54:05:e3:51:87 brd ff:ff:ff:ff:ff:ff

inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1

inet 192.168.45.1/24 brd 192.168.45.255 scope global eth1:1



[root@callisto:~#] ip route show

192.168.1.0/24 dev eth1 scope link

192.168.14.0/24 dev eth0 scope link

192.168.45.0/24 dev eth1 proto kernel scope link src 192.168.45.1

127.0.0.0/8 dev lo scope link

default via 192.168.1.254 dev eth1




Example 5-2. OpenBSD Alias Interface Example

[root@ganymed:~#] ifconfig ne3 alias 192.168.45.254 netmask 255.255.255.0



[root@ganymed:~#] ifconfig -A

lo0: flags=8049 mtu 33224

inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5

inet6 ::1 prefixlen 128

inet 127.0.0.1 netmask 0xff000000

lo1: flags=8049 mtu 33224

inet 192.168.44.1 netmask 0xffffff00

inet6 fe80::1%lo1 prefixlen 64 scopeid 0x4

inet6 ::1 prefixlen 128

ne3: flags=8b63

mtu 1500

media: Ethernet manual

inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255

inet6 fe80::4a54:e8ff:fe8c:a3f%ne3 prefixlen 64 scopeid 0x1

inet 192.168.45.254 netmask 0xffffff00 broadcast 192.168.45.255

ne4: flags=8863 mtu 1500

media: Ethernet 10baseT full-duplex

inet 192.168.2.254 netmask 0xffffff00 broadcast 192.168.2.255

inet6 fe80::5054:5ff:fee3:e42f%ne4 prefixlen 64 scopeid 0x2

ne5: flags=8863 mtu 1500

media: Ethernet 10baseT full-duplex

inet 111.11.117.206 netmask 0xffffff00 broadcast 111.11.117.255

inet6 fe80::5054:5ff:fee3:5187%ne5 prefixlen 64 scopeid 0x3

ppp0: flags=8010 mtu 1500

ppp1: flags=8010 mtu 1500

tun0: flags=10 mtu 3000

tun1: flags=10 mtu 3000

enc0: flags=0<> mtu 1536

vlan0: flags=0<> mtu 1500

vlan1: flags=0<> mtu 1500

gre0: flags=8010 mtu 1450

gif0: flags=8010 mtu 1280

gif1: flags=8010 mtu 1280

gif2: flags=8010 mtu 1280

gif3: flags=8010 mtu 1280

faith0: flags=8002 mtu 1500



[root@ganymed:~#] netstat -rn -f inet

Routing tables



Internet:

Destination Gateway Flags Refs Use Mtu Interface

default 111.11.117.1 UGS 1 3570 1500 ne5

127/8 127.0.0.1 UGRS 0 0 33224 lo0

127.0.0.1 127.0.0.1 UH 2 38 33224 lo0

192.168.1/24 link#1 UC 0 0 1500 ne3

192.168.1.1 52:54:5:e3:51:87 UHL 1 3387 1500 ne3

192.168.1.2 8:0:46:64:74:1b UHL 1 3049 1500 ne3

192.168.2/24 link#2 UC 0 0 1500 ne4

192.168.2.7 0:10:5a:c4:2c:4 UHL 0 2150 1500 ne4

192.168.44.1 192.168.44.1 UH 0 0 33224 lo1

192.168.45/24 link#1 UC 0 0 1500 ne3

111.11.117/24 link#3 UC 0 0 1500 ne5

111.11.117.1 0:5:9a:5b:23:fc UHL 1 0 1500 ne5

111.11.117.206 127.0.0.1 UGHS 0 0 33224 lo0




Example 5-3. FreeBSD Alias Interface Example

[root@castor:~#] ifconfig ed0 alias 192.168.7.77 netmask 255.255.255.255



[root@castor:~#] ifconfig

xl0: flags=8b43 mtu 1500

options=3

inet 192.168.2.7 netmask 0xffffff00 broadcast 192.168.2.255

inet6 fe80::210:5aff:fec4:2c04%xl0 prefixlen 64 scopeid 0x1

ether 00:10:5a:c4:2c:04

media: Ethernet autoselect (10baseT/UTP)

status: active

ed0: flags=8a43 mtu 1500

inet 192.168.7.7 netmask 0xffffff00 broadcast 192.168.7.255

inet6 fe80::5054:5ff:fee3:e488%ed0 prefixlen 64 scopeid 0x2

inet 192.168.7.77 netmask 0xffffffff broadcast 192.168.7.77

ether 52:54:05:e3:e4:88

lp0: flags=8810 mtu 1500

sl0: flags=c010 mtu 552

sl1: flags=c010 mtu 552

ds0: flags=8008 mtu 65532

stf0: flags=0<> mtu 1280

faith0: flags=8002 mtu 1500

vlan0: flags=0<> mtu 1500

ether 00:00:00:00:00:00

vlan: 0 parent interface:

vlan1: flags=0<> mtu 1500

ether 00:00:00:00:00:00

vlan: 0 parent interface:

lo0: flags=8049 mtu 16384

inet6 ::1 prefixlen 128

inet6 fe80::1%lo0 prefixlen 64 scopeid 0xb

inet 127.0.0.1 netmask 0xff000000

ppp0: flags=8010 mtu 1500

ppp1: flags=8010 mtu 1500



[root@castor:~#] netstat -rn -f inet

Routing tables



Internet:

Destination Gateway Flags Refs Use Netif Expire

default 192.168.2.254 UGSc 4 1836 xl0

127.0.0.1 127.0.0.1 UH 0 0 lo0

192.168.2 link#1 UC 1 0 xl0

192.168.2.254 52:54:05:e3:e4:2f UHLW 4 0 xl0 592

192.168.7 link#2 UC 0 0 ed0

192.168.7.77/32 link#2 UC 0 0 ed0




NOTE

In contrast to "real" physical interfaces (and to BSD aliases), ifconfig down does not only shut down the interface, but entirely removes it; it cannot be brought up again with a mere ifconfig up, but has to be reassigned the IP address (thus created anew). This is true for several other pseudo-interfaces as well.



Example 5-4 demonstrates a secondary address assignment under Cisco IOS Software as emphasized via the shaded text. Note that Linux differentiates between a secondary address and an interface alias, as demonstrated with the ip tool in Example 5-1 (shaded text).

Example 5-4. Cisco IOS Secondary Interface Address Example

scar# show running-config

!

...

interface Ethernet1

bandwidth 10000

ip address 192.168.14.14 255.255.255.0 secondary

ip address 192.168.14.254 255.255.255.0

no ip proxy-arp

media-type 10BaseT

!

...



scar# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route



Gateway of last resort is 192.168.14.1 to network 0.0.0.0



C 192.168.14.0/24 is directly connected, Ethernet1

10.0.0.0/32 is subnetted, 1 subnets

C 10.0.0.1 is directly connected, Loopback0

C 192.168.7.0/24 is directly connected, Ethernet0

S* 0.0.0.0/0 [1/0] via 192.168.14.1



scar# show arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.14.1 0 0010.5ad7.9360 ARPA Ethernet1

Internet 192.168.14.14 - 0060.471e.adb5 ARPA Ethernet1

Internet 192.168.7.7 14 5254.05e3.e488 ARPA Ethernet0

Internet 192.168.7.254 - 0060.471e.adb2 ARPA Ethernet0

Internet 192.168.14.254 - 0060.471e.adb5 ARPA Ethernet1

VLAN Configurations
Today, two dominant VLAN tagging methods exist: the Cisco proprietary Inter-Switch Link (ISL) approach and the standardized IEEE 802.1Q method. Note also that VLAN trunks are special ports or interfaces that are capable of delivering multi-VLAN traffic to a directly connected trunk port or interface.

Cisco has developed a proprietary protocol (VTP, or VLAN Trunking Protocol) to distribute VLAN information through a vast switched network without the need to configure VLANs on every switch. The only task left to do for the administrator is to configure a VTP domain and its participants and to assign ports to specific VLANs distributed via VTP. A rather young open standard for that is available as well (see IEEE GVRP - Generic VLAN Registration Protocol).

VLAN setup itself is not difficult to configure, if you adhere to the following:

To ensure that everything is working, I recommend verifying proper operation with the arp, netstat, and ifconfig/ip commands.

In addition, check MTU issues with large IP datagrams such as FTP transfers or handcrafted ping packets. 802.1Q VLAN tagging adds 4 overhead octets between the frame header and the payload that need to be accounted for. Therefore, adjust the interface MTU size to 1496 in case that is not done automatically (as is done on BSD systems).

Keep in mind that the MTU throughout of your subnet should be consistent as well (for example, 1496 octets). Depending on the protocols involved, it might even become necessary to further decrease the MTU. This might be necessary for both the VLAN and parent interfaces.

Some NICs, such as the Intel FastEtherPro, support large frames and VLAN demultiplexing natively (in firmware) and operate well with the default MTU of 1500. Sometimes patching the drivers also helps.

Adding alias interfaces to VLAN interfaces works perfectly fine, too, exactly as with physical interfaces.

All represented platforms have no problem with the Cisco native VLAN1. The alias and VLAN limits of a platform usually can be derived only when investigating the sources.

Linux imposes a VLAN limit of 4096 VLANs per interface on 2.4.x kernels.

Remember to restart your firewall when adding/deleting interfaces! Unfortunately, a lot of ill-configured firewall gateways nowadays break two-way-path MTU discovery. Ensure that you allow the proper Internet Control Message Protocol (ICMP) packets through in both directions. (ICMP type 3/code 4 = "fragmentation needed but do not fragment bit set" in combination with the probing IP packets with DF-bit set.)

Adding frame overhead such as with Multiprotocol Label Switching (MPLS) shim headers or VLAN tagging represents in the view of many switches a so-called giant or jumbo frame, which usually is silently discarded on regular switch ports. If you encounter problems that appear to affect only large frames, check the giant counters of your switch. Most modern switches and IOS/CatOS versions can deal with this issue. As a workaround, you could configure a VLAN trunk.

Figure 5-1 shows the three VLAN topologies discussed in this chapter. Example 5-5 shows the switch VLAN configuration, and Example 5-6 shows the corresponding ARP output. Example 5-7 presents the analogous configuration for the router involved. Example 5-8 provides status information, and Example 5-9 shows the router's ARP table.
Example 5-5. Ethernet Switch VLAN Configuration (IOS)

Switch# show running-config

!

ip subnet-zero

!

interface FastEthernet0/1

switchport mode trunk

!

interface FastEthernet0/2

switchport mode trunk

!

interface FastEthernet0/3

switchport mode trunk

!

interface VLAN1

ip address 192.168.7.8 255.255.255.0

no ip directed-broadcast

no ip route-cache

!

interface VLAN8

ip address 192.168.80.2 255.255.255.0

no ip directed-broadcast

no ip route-cache

!

ip default-gateway 192.168.7.7

!




Example 5-6. VLAN-Related Switch ARP Table

Switch# show arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.80.1 10 5254.05e3.e488 ARPA VLAN8

Internet 192.168.80.2 - 0006.5258.5d40 ARPA VLAN8

Internet 192.168.7.8 - 0006.5258.5d40 ARPA VLAN1

Internet 192.168.80.254 8 0008.e34d.be81 ARPA VLAN8




Example 5-7. Router VLAN Configuration

mufasa# show running-config

...

!

interface FastEthernet0/1

description *** 802.1Q Trunk ***

no ip address

no ip mroute-cache

duplex auto

speed auto

!

interface FastEthernet0/1.1

encapsulation dot1Q 1 native

ip address 192.168.7.254 255.255.255.0

!

interface FastEthernet0/1.8

encapsulation dot1Q 8

ip address 192.168.80.254 255.255.255.0

!

...




Example 5-8. Router VLAN Status

mufasa# show vlans



Virtual LAN ID: 1 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.1

This is configured as native Vlan for the following interface(s) :

FastEthernet0/1

Protocols Configured: Address: Received: Transmitted:

IP 192.168.7.254 0 19

Virtual LAN ID: 8 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.8

Protocols Configured: Address: Received: Transmitted:

IP 192.168.80.254 20 27




Example 5-9. Router VLAN-Related ARP Table

mufasa# show arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.80.1 7 5254.05e3.e488 ARPA FastEthernet0/1.8

Internet 192.168.80.2 5 0006.5258.5d40 ARPA FastEthernet0/1.8

Internet 192.168.7.254 - 0008.e34d.be81 ARPA FastEthernet0/1.1

Internet 192.168.80.254 - 0008.e34d.be81 ARPA FastEthernet0/1.8




The following two subsections elaborate on VLAN capabilities of FreeBSD, OpenBSD, and Linux and discuss differences and similarities in setup and behavior.

Linux VLAN Capabilities
Late 2.4.x kernels provide 802.1Q VLAN capabilities as a native kernel module. However, one still needs to retrieve the vconfig VLAN administration utility from http://www.candelatech.com/~greear/vlan.html#setup. Most up-to-date Linux distributions already include this utility.

Recently, the capability to define MAC-based VLANs was added via the macvlan_config utility, which is included in the vconfig archive. You still have to apply a kernel patch for that extension, however. Example 5-10 shows the configuration sequence for Linux VLAN interfaces, Example 5-11 shows the resulting status, and Example 5-12 shows additional monitoring information. The shaded text emphasizes the previously mentioned warnings about MTU.

Example 5-10. Linux VLAN Interface Configuration

[root@callisto:~#] vconfig add eth0 8

[root@callisto:~#] ifconfig vlan8 192.168.80.3/24 mtu 1496




Example 5-11. Linux Interface Status After VLAN Configuration

[root@callisto:~#] ifconfig

eth0 Link encap:Ethernet HWaddr 00:10:5A:D7:93:60

inet addr:192.168.14.1 Bcast:192.168.14.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:124 errors:0 dropped:0 overruns:0 frame:0

TX packets:28 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:9246 (9.0 Kb) TX bytes:2478 (2.4 Kb)

Interrupt:5 Base address:0xd800



eth1 Link encap:Ethernet HWaddr 52:54:05:E3:51:87

inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:9007 errors:0 dropped:0 overruns:0 frame:0

TX packets:5240 errors:0 dropped:0 overruns:0 carrier:0

collisions:37 txqueuelen:100

RX bytes:1891927 (1.8 Mb) TX bytes:497578 (485.9 Kb)

Interrupt:9 Base address:0xd400



lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:84 errors:0 dropped:0 overruns:0 frame:0

TX packets:84 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:6308 (6.1 Kb) TX bytes:6308 (6.1 Kb)



vlan1 Link encap:Ethernet HWaddr 00:10:5A:D7:93:60

inet addr:192.168.7.10 Bcast:192.168.7.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1496 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)



vlan8 Link encap:Ethernet HWaddr 00:10:5A:D7:93:60

inet addr:192.168.80.3 Bcast:192.168.80.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1496 Metric:1

RX packets:21 errors:0 dropped:0 overruns:0 frame:0

TX packets:24 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:1764 (1.7 Kb) TX bytes:2168 (2.1 Kb)




Example 5-12. Linux VLAN-Related Status Information

[root@callisto:~#] netstat -rn

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

192.168.7.0 0.0.0.0 255.255.255.0 U 40 0 0 vlan1

192.168.80.0 0.0.0.0 255.255.255.0 U 40 0 0 vlan8

192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1

192.168.14.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0

127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo

0.0.0.0 192.168.1.254 0.0.0.0 UG 40 0 0 eth1



[root@callisto:~#] arp -an

? (192.168.1.2) at 08:00:46:64:74:1B [ether] on eth1

? (192.168.1.254) at 48:54:E8:8C:0A:3F [ether] on eth1

? (192.168.80.1) at 52:54:05:E3:E4:88 [ether] on vlan8



[root@callisto:~#] less /proc/net/vlan/config

VLAN Dev name | VLAN ID

Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD

vlan1 | 1 | eth0

vlan8 | 8 | eth0



[root@callisto:~#] less /proc/net/vlan/vlan8

vlan8 VID: 8 REORDER_HDR: 1 dev->priv_flags: 1

total frames received: 21

total bytes received: 1764

Broadcast/Multicast Rcvd: 0



total frames transmitted: 24

total bytes transmitted: 2168

total headroom inc: 0

total encap on xmit: 24

Device: eth0

INGRESS priority mappings: 0:0 1:0 2:0 3:0 4:0 5:0 6:0 7:0

EGRESSS priority Mappings:



[root@callisto:~#] less /proc/net/vlan/vlan1

vlan1 VID: 1 REORDER_HDR: 1 dev->priv_flags: 1

total frames received: 0

total bytes received: 0

Broadcast/Multicast Rcvd: 0



total frames transmitted: 0

total bytes transmitted: 0

total headroom inc: 0

total encap on xmit: 0

Device: eth0

INGRESS priority mappings: 0:0 1:0 2:0 3:0 4:0 5:0 6:0 7:0

EGRESSS priority Mappings:




FreeBSD/OpenBSD VLAN Capabilities
FreeBSD/OpenBSD setup is straightforward and works the same way for both operating systems. The MTU size is adjusted automatically during setup of the VLAN interfaces.

Consult the BSD vlan(4) and ifconfig(8) man pages for further details about these platforms. Example 5-13 shows the configuration steps for FreeBSD VLAN setup, Example 5-14 shows the resulting interface status, and Example 5-15 provides additional status information.

Example 5-13. BSD VLAN Configuration

[root@castor:~#] ifconfig vlan8 create

[root@castor:~#] ifconfig vlan8 vlan 8 vlandev ed0

[root@castor:~#] ifconfig vlan8 192.168.80.1/24




Example 5-14. FreeBSD Interface Status After VLAN Configuration

[root@castor:~#] ifconfig -a

xl0: flags=8b43 mtu 1500

options=3

inet 192.168.2.7 netmask 0xffffff00 broadcast 192.168.2.255

inet6 fe80::210:5aff:fec4:2c04%xl0 prefixlen 64 scopeid 0x1

ether 00:10:5a:c4:2c:04

media: Ethernet autoselect (10baseT/UTP)

status: active

ed0: flags=8a43 mtu 1500

inet 192.168.7.7 netmask 0xffffff00 broadcast 192.168.7.255

inet6 fe80::5054:5ff:fee3:e488%ed0 prefixlen 64 scopeid 0x2

ether 52:54:05:e3:e4:88

lo0: flags=8049 mtu 16384

inet6 ::1 prefixlen 128

inet6 fe80::1%lo0 prefixlen 64 scopeid 0xb

inet 127.0.0.1 netmask 0xff000000

vlan8: flags=8843 mtu 1496

inet6 fe80::210:5aff:fec4:2c04%vlan8 prefixlen 64 scopeid 0xe

inet 192.168.80.1 netmask 0xffffff00 broadcast 255.255.255.0

ether 52:54:05:e3:e4:88

vlan: 8 parent interface: ed0

...




Example 5-15. FreeBSD VLAN Status Information

[root@castor:~#] netstat -rn -f inet

Routing tables



Internet:

Destination Gateway Flags Refs Use Netif Expire

default 192.168.2.254 UGSc 5 3826 xl0

127.0.0.1 127.0.0.1 UH 0 0 lo0

192.168.2 link#1 UC 1 0 xl0

192.168.2.254 52:54:05:e3:e4:2f UHLW 5 0 xl0 694

192.168.7 link#2 UC 1 0 ed0

192.168.7.7 52:54:05:e3:e4:88 UHLW 0 4 lo0

192.168.80 link#14 UC 1 0 vlan8

192.168.80.1 52.54.5.e3.e4.88 UHLW 0 4 lo0



[root@castor:~#] arp -an

? (192.168.2.254) at 52:54:05:e3:e4:2f on xl0 [ethernet]

? (192.168.7.7) at 52:54:05:e3:e4:88 on ed0 permanent [ethernet]

? (192.168.80.1) at 52:54:05:e3:e4:88 on vlan8 permanent [vlan]

? (192.168.80.2) at (incomplete) on vlan8 [vlan]

? (192.168.80.3) at 00:10:5a:d7:93:60 on vlan8 [vlan]

A Few Words on Cabling

4:46 AM
0 comments
A Few Words on Cabling
In our lab setups, we typically require several kinds of RJ-45 connections: rollover (Console), Ethernet crossover (X-over), and standard Ethernet straight-through cabling. For a reminder of the pin assignments, check Cisco.com (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/cis3600/hw_inst/cabling/marcabl.htm).

Serial X-over cables are an entirely different matter due to the variety of interfaces. Again, refer to Cisco.com for details. Optical PCI ATM adapters can be connected back to back via a simple optical X-over cable pair without the need for an ATM switch. However, you will not be able to test network-to-network interface (NNI), switched virtual circuit (SVC), or interim local management interface (ILMI) features without an intermediary

Example 5-18. FreeBSD Bridge-Cluster Setup
[root@castor:~#] sysctl net.link.ether.bridge_cfg=vlan8:34,xl0:34,vlan9:35,xl1:35
[root@castor:~#] ifconfig vlan8 create
[root@castor:~#] ifconfig vlan9 create
[root@castor:~#] ifconfig vlan8 vlan 8 vlandev ed0
[root@castor:~#] ifconfig vlan9 vlan 9 vlandev ed0
You can certainly use advanced features such as filtering and traffic shaping on bridged interfaces, VLANs, and trunks as well
Example 5-16. Plain Bridging Between Two Interfaces
[root@castor:~#] sysctl net.link.ether.bridge=1
net.link.ether.bridge: 1 -> 1
[root@castor:~#] sysctl net.link.ether.bridge_cfg=xl0:1,ed0:1
net.link.ether.bridge_cfg: xl0:1 -> xl0:1,ed0:1
Example 5-17. FreeBSD Bridging-Related Status Information
[root@castor:~#] sysctl -a | grep bridge
net.link.ether.bridge_cfg: xl0:1,ed0:1
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 0
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0
The configuration in Figure 5-3 and Example 5-18 is derived from the bridge(4) man page and presents a bridge-cluster setup example involving VLANs and parent interfaces. Interface ed0 acts as a VLAN trunk interface transporting VLANs 8 and 9. The sysctl configuration statement directs packets for VLAN 8 to physical interface xl0, and packets for VLAN 9 to xl1. The logical relationship is established by the two cluster identifiers that tie VLAN 8 to xl0 (cluster ID 34) and VLAN 9 to xl1 (cluster ID 35).
Lab 5-1: FreeBSD Bridge Cluster Lab
This lab introduces the FreeBSD approach to bridging. Bridging is available on OpenBSD and Linux as well; however, FreeBSD offers a unique feature named bridge-clusters. A cluster is an independent set of connected Ethernet or VLAN interfaces uniquely identified by a cluster ID. Consult the manual pages bridge(4), ng_bridge(4), vlan(4), and netgraph(4) for further details.

Example 5-16 shows the configuration sequence for bridging between two gateway interfaces (xl0 and ed0) via (default) cluster ID 1. Before we start, we have to turn bridging on via sysctl, however. The result of this configuration is presented in Example 5-17, the general concept in Figure 5-2.

Lab 5-2: Linux Bridging and the Spanning Tree
The Linux bridge administration is done via the brctl tool. Consult the man page for details and look at the Linux Bridge-STP-HOWTO (http/www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/index.html) and http://bridge.sourceforge.net.

The following setup (Example 5-19) bridges between the two interfaces eth0 and eth1 of the callisto Linux gateway (setup and removal). Example 5-20 provides interface status information of the bridge setup, and Example 5-21 shows a more detailed experience with the brctl tool. Finally, Example 5-22 presents a short sniffer session to capture STP packets.

Example 5-19. Linux Bridge Configuration

[root@callisto:~#] brctl addbr mybridge

[root@callisto:~#] brctl addif mybridge eth0

[root@callisto:~#] brctl addif mybridge eth1

[root@callisto:~#] ifconfig mybridge up



[root@callisto:~#] ifconfig mybridge down

[root@callisto:~#] brctl delbr mybridge




Example 5-20. Linux Bridge Configuration Interface Status

[root@callisto:~#] ifconfig

eth0 Link encap:Ethernet HWaddr 00:10:5A:D7:93:60

inet addr:192.168.14.1 Bcast:192.168.14.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:6 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:0 (0.0 b) TX bytes:360 (360.0 b)

Interrupt:5 Base address:0xd800



eth1 Link encap:Ethernet HWaddr 52:54:05:E3:51:87

inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:58 errors:0 dropped:0 overruns:0 frame:0

TX packets:48 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:4325 (4.2 Kb) TX bytes:3625 (3.5 Kb)

Interrupt:9 Base address:0xd400



mybridge Link encap:Ethernet HWaddr 00:10:5A:D7:93:60

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)




Example 5-21. Linux brctl Tool

[root@callisto:~#] brctl

commands:

addbr add bridge

addif add interface to bridge

delbr delete bridge

delif delete interface from bridge

show show a list of bridges

showmacs show a list of mac addrs

showstp show bridge stp info

setageing