Tuesday 21 August 2018

Subinterfaces

SUBINTERFACES

Subinterfaces: we need them when we have more VLANs than physical links

As we know, we have set up a trunking port between the switch and the router; then we configure the interface and subinterfaces on the router:

Switch(config)#interface fa0/2
Switch(config-if)#switchport mode trunk

Router(config)#interface fa0/1
Router(config-if)#no shutdown
Router(config)#interface fa0/1.1
Router(config-subif)#encapsulation dot1q 1
Router(config-subif)#ip address 192.168.10.1 255.255.255.0
Router(config)#interface fa0/1.2
Router(config-subif)#encapsulation dot1q 15
Router(config-subif)#ip address 192.168.15.1 255.255.255.0
Router(config)#interface fa0/1.3
Router(config-subif)#encapsulation dot1q 35
Router(config-subif)#ip address 192.168.20.1 255.255.255.0

We configure subinterfaces because we have 3 VLANs and just one physical link, so the traffic of all three VLANs has to pass through that single link. How do we do that?

By creating 3 subinterfaces, one for each VLAN. The trade-off is that the three VLANs share the bandwidth of the one link, so each of them gets only one third of it.
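To show what `encapsulation dot1q N` means on the wire, here is an added Python example (not from the page): it builds and parses 802.1Q-tagged frames and maps the 12-bit VLAN ID in the tag to the subinterface table configured above. The MAC addresses and payload are constructed; untagged (native VLAN) frames are simply reported as having no tag.

```python
import struct

# Subinterface table taken from the router configuration on this page:
# VLAN id -> (subinterface, gateway address)
SUBINTERFACES = {
    1:  ("fa0/1.1", "192.168.10.1/24"),
    15: ("fa0/1.2", "192.168.15.1/24"),
    35: ("fa0/1.3", "192.168.20.1/24"),
}
ETH_P_8021Q = 0x8100  # TPID that marks a VLAN-tagged frame


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_tagged_frame(dst, src, vid, ethertype=0x0800, payload=b"", pcp=0):
    """Constructed 802.1Q frame: dst, src, TPID 0x8100, TCI, inner ethertype, payload."""
    if not 0 <= vid < 4096:
        raise ValueError("VID must fit in 12 bits")
    tci = (pcp << 13) | vid  # PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)
    return _mac(dst) + _mac(src) + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def parse_dot1q(frame):
    """Return (vid, pcp, inner_ethertype) for a tagged frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != ETH_P_8021Q:
        return None  # untagged frame; native-VLAN handling is outside this example
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, ethertype


def subinterface_for(frame):
    """Map a frame arriving on the trunk to (subinterface, address) owning its VLAN.

    Returns None for untagged frames and for VLAN IDs with no subinterface (dropped)."""
    tag = parse_dot1q(frame)
    if tag is None:
        return None
    return SUBINTERFACES.get(tag[0])
```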


Physical interfaces: we use them when we have more physical links than VLANs

We configure a normal IP address on each interface (one per VLAN); on the switch, instead of creating trunk links, we create access links (one per VLAN).

Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 10.10.10.1 255.255.255.0
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 10.10.20.1 255.255.255.0
Router(config)#interface FastEthernet0/3
Router(config-if)#ip address 10.10.30.1 255.255.255.0

Switch(config)#interface range fa0/1, fa0/10
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config)#interface range fa0/5, fa0/20
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config)#interface range fa0/8, fa0/30
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 30

Here we have one link per VLAN and we can use the full bandwidth of each interface.

Wednesday 8 August 2018

Arista FHRP: VRRP

VRRP

  • Advantages of using VRRP:
  • If one router goes down, we don't need to reconfigure the many devices downstream manually: we use the virtual IP as the gateway on those devices.

  • Process:
  • We give an ID to the routers which we want to be part of VRRP. If the routers share the same ID, they both create a virtual MAC (the source MAC is this new MAC and the destination MAC is a well-known MAC; the destination IP is also a well-known multicast IP, 224.0.0.18).
  • Then, depending on the priority and the physical IP of the routers, the Master and Backup routers are determined. The router with the higher priority wins the election (in Arista, the default priority is 100).

  • Note:
  • The routers are expensive.
  • Also, the probability of a complete router going down is lower than that of a link going down.
  • So, to use resources effectively, use a different router for different VLANs.
  • Also, VRRP is interface specific.

  • Re-election process:
  • If the election process is completed and then the master router goes down, the Backup becomes the new master.
  • Now, if the master comes back up again, will re-election happen?

  • Other than the VRRP control packets, for any data that is being sent to the outside network, the packet rewriting at the current Master router uses the physical MAC address of that router.
  • http://www.programering.com/a/MDM2IzNwATc.html
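An added Python model of the election described above (example code, not from the page or from Arista): routers sharing a VRID form a group, the highest priority wins with the physical IP as tie-breaker, and the virtual MAC and the destination MAC of the advertisements are derived from the VRID and from 224.0.0.18. Whether a returning master takes over again is left open above, so it is a `preempt` parameter here; the router names and addresses are constructed.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

VRRP_MCAST_IP = "224.0.0.18"  # destination IP of VRRP advertisements, from the page
DEFAULT_PRIORITY = 100        # Arista default priority, from the page

@dataclass(frozen=True)
class Router:
    name: str
    ip: str        # physical interface address, used as the election tie-breaker
    vrid: int      # VRRP group id; routers sharing a vrid form one group
    priority: int = DEFAULT_PRIORITY
    up: bool = True

def virtual_mac(vrid):
    """IPv4 VRRP virtual MAC: 00:00:5e:00:01:<vrid> (the standard VRRP block)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5e:00:01:%02x" % vrid

def multicast_mac(ip):
    """Well-known destination MAC: 01:00:5e + the low 23 bits of the multicast IP."""
    low = int(IPv4Address(ip)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low >> 16, (low >> 8) & 0xFF, low & 0xFF)

def elect(routers, vrid, current=None, preempt=True):
    """Master for group vrid, or None if no member is up. Highest priority wins,
    ties go to the higher physical IP. With preempt=False the current master is
    kept even when a higher-priority router (re)appears."""
    members = [r for r in routers if r.vrid == vrid and r.up]
    if not members:
        return None
    if not preempt and current in (r.name for r in members):
        return current
    return max(members, key=lambda r: (r.priority, int(IPv4Address(r.ip)))).name

def failover_sequence(preempt=True):
    """Constructed scenario: master goes down, backup takes over, master returns."""
    r1 = Router("R1", "192.168.10.2", vrid=10, priority=120)
    r2 = Router("R2", "192.168.10.3", vrid=10)  # default priority 100
    history = [elect([r1, r2], 10)]  # initial election: R1 wins on priority
    r1_down = replace(r1, up=False)
    history.append(elect([r1_down, r2], 10, current=history[-1], preempt=preempt))
    history.append(elect([r1, r2], 10, current=history[-1], preempt=preempt))
    return history
```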

Wednesday 1 August 2018

Linux Networking Utilities for Arista EOS - Part 2

Linux Networking Utilities for Arista EOS 

LINUX NETWORKING UTILITIES:

ip netns: (Linux Namespaces or VRF)

  • A network namespace is logically another copy of the network stack, with its own routes, firewall rules, and network devices.
  • By default a process inherits its network namespace from its parent. Initially all processes share the same default network namespace from the init process.
  • NOTE: If a VRF was created in EOS, then, in order to access it via Linux, append ‘ns-’ to the VRF name.
  • NOTE: If a namespace was created in Linux, it won’t show up in EOS.
  • So, always create a VRF in EOS and use it in Linux by appending ‘ns-’ to the VRF name.
  • 1. ip netns list - show all of the named network namespaces
  • This command displays all of the network namespaces in /var/run/netns
  • Note that the VRF named ‘tmod’ when viewed in Linux has the name ‘ns-tmod’

[admin@ck338 ~]$ ip netns list
ns-newvrf
ns-tmod
ns-trident
ns-arad
default

  • 2. ip netns add NAME - create a new named network namespace
  • If NAME is available in /var/run/netns/ this command creates a new network namespace and assigns NAME.

[admin@ck338 ~]$ sudo ip netns add testvrf
[admin@ck338 ~]$ ip netns list
testvrf
ns-newvrf
ns-tmod
ns-trident
ns-arad
default

  • 3. ip [-all] netns delete [ NAME ] - delete the name of a network namespace(s)
  • If NAME is present in /var/run/netns it is umounted and the mount point is removed.
  • If -all option was specified then all the network namespace names will be removed.

[admin@ck338 ~]$ sudo ip netns delete testvrf

  • 4. Assigning interfaces to a network namespace (VRF)
  • Bring up the loopback interface in the vpn network namespace.
  • [IMP] 5. Accessing an interface in another VRF or namespace via Linux:
  • ip [-all] netns exec [ NAME ] [cmd]
  • If we want to run a command in any VRF, we use this command; for example, to run tcpdump via Linux on an interface in another VRF.
  • If the -all option was specified, then cmd will be executed synchronously in each named network namespace, even if cmd fails in some of them.
  • ip netns exec ns-tmod ip addr list will show only the related interfaces and addresses, and will not show any interfaces or addresses from the global namespace.

[admin@ck338 ~]$ sudo ip netns exec ns-tmod ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default
    link/ipip 0.0.0.0 brd 0.0.0.0
[admin@ck338 ~]$

  • Another useful way to use this is with tcpdump, piping the capture to Wireshark:
  • The command below captures packets on interface Vlan10 (which is in VRF dhcpvrf) only on port 67 and port 68 (since DHCP control messages use these ports)
  • ip netns exec ns-dhcpvrf tcpdump -i vlan10 port 67 or port 68
  • Now, in order to view the tcpdump output in Wireshark:

ssh root@mc327 "ip netns exec ns-dhcpvrf tcpdump -i vlan10 port 67 or port 68 " | wireshark -k -i -

Tcpdump:

The various flags that can be used with tcpdump are:

  • -i <interface>
  • # tcpdump -i eth0
  • -i any
  • Listen on all interfaces just to see if you’re seeing any traffic.
  • # tcpdump -i any
  • -c <count> -i <interface>
  • Used to capture a specified number of packets
  • # tcpdump -c 5 -i eth0
  • -D
  • Used to display all available interfaces for tcpdump
  • # tcpdump -D
  • -e [useful]
  • To get ethernet header as well
  • Should be used if filtering packets based on L2 headers or for L2-only packets
  • -w [useful]
  • Used to capture and save packets in a pcap file
  • # tcpdump -w 0001.pcap -i eth0
  • -r
  • Used to read captured packets file
  • # tcpdump -r 0001.pcap
  • -n
  • Usually when we run tcpdump, IP addresses are replaced with the hostnames that DNS resolves them to
  • In order to see the IP address itself, use the -n flag. It skips the hostname lookup and prints the IP address
  • # tcpdump -n -i eth0
  • [useful] To filter packets based on type of packet:
  • To capture packets based on TCP port, run the following command with option tcp.
  • # tcpdump -i eth0 tcp
  • Similarly, replace tcp with icmp to check for ping packets only
  • Similarly, replace it with ether for checking only LLDP or LACP packets. You can filter further by adding the destination address, so that only LLDP or LACP packets destined to me show up:
  • tcpdump -nevvvi et1 ether dst host 01:80:c2:00:00:0e
  • The -n, -e, -vvv and -i flags are combined above (-nevvvi) to tune the output
  • dst host is used to filter based on destination mac address
  • Other types that can be used are: fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp
  • [useful] To capture based on port, src ip, dst ip:
  • For packets on a particular port: # tcpdump -i eth0 port 22
  • For packets from a particular source IP: # tcpdump -i eth0 src 192.168.0.2
  • For packets to a particular destination IP: # tcpdump -i eth0 dst 50.116.66.139
  • [useful] -v, -vv, -vvv:
  • To select amount of packet information in verbose mode

resolv.conf:

  • resolv.conf is the name of a computer file used in various operating systems to configure the system's Domain Name System (DNS) resolver.
  • The file is a plain-text file usually created by the network administrator or by applications that manage the configuration tasks of the system.
  • The file resolv.conf typically contains directives that specify the default search domains, used for completing a given query name to a fully qualified domain name when no domain suffix is supplied, and a list of IP addresses of nameservers available for resolution. An example file is:

search example.com local.lan
nameserver 127.0.0.1
nameserver 172.16.1.254
nameserver 172.16.2.254
nameserver 192.168.137.2

  • resolv.conf is usually located in the /etc directory of the file system.
  • The file is either maintained manually, or when DHCP is used, it is usually updated with the utility resolvconf.
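An added Python example (not from the page) that parses the search and nameserver directives of a resolv.conf like the one above and shows how the search list completes a query name: the sample file is constructed with the same content as the page's example, and the candidate order follows the glibc resolver's rules (trailing dot is absolute; names with at least `ndots` dots are tried as given first, default ndots=1), which is an assumption about the resolver in use.

```python
import ipaddress

# Constructed file with the same content as the example on this page
SAMPLE_RESOLV_CONF = """\
search example.com local.lan
nameserver 127.0.0.1
nameserver 172.16.1.254
nameserver 172.16.2.254
nameserver 192.168.137.2
"""


def parse_resolv_conf(text):
    """Parse search and nameserver directives; comments (# or ;) and unknown keys are skipped."""
    conf = {"search": [], "nameservers": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            # ip_address() raises ValueError on a malformed address (e.g. "192.168.137.")
            conf["nameservers"].append(str(ipaddress.ip_address(args[0])))
        elif key in ("search", "domain"):
            conf["search"] = args  # last search/domain line wins, as in glibc
    return conf


def candidate_names(query, conf, ndots=1):
    """Names a glibc-style resolver would try, in order, for the given query.

    A name ending in '.' is absolute and tried alone. Otherwise, with at least ndots
    dots it is tried as given and then with each search suffix; with fewer dots the
    search suffixes come first and the bare name last."""
    if query.endswith("."):
        return [query.rstrip(".")]
    with_search = [f"{query}.{domain}" for domain in conf["search"]]
    if query.count(".") >= ndots:
        return [query] + with_search
    return with_search + [query]
```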