I am very new to Cisco networking (haven't done any course either). I have been trying to learn a bit of networking myself and had no trouble doing some of the basic stuff which I needed for my personal work. But I am planning to buy a new Cisco switch (a gigabit switch) and configure it for 2 different networks (1 being the internet and the other being a separate network for a specific job). I want to configure the ports in such a way that the first few slots are for normal internet and the rest for my other network. For example, if it's a Cisco 2950 48-port switch, ports 1-16 for my local internet network and ports 17-32 for my other network. Can somebody give me a rundown on how to achieve this? Sorry for such a long but basic question; I am just trying to save a few $$ and learn something new. Any help would be appreciated. Cheers
You can just create the 2 different VLANs and give access ports 1-16 to the 1st VLAN, and for the second VLAN give the remaining ports as access ports. You can also configure 2 different networks on a single switch.
VLANs can separate the network traffic from each other. For example:
int range gi 0/1 - 16
description Local Internet Network
switchport access vlan 444
switchport mode access
int range gi 0/17 - 32
description Other Network
switchport access vlan 555
switchport mode access
Of course, it depends on what you plug into the ports; that determines what type of switchport it is going to be.
Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#name Local_Internet_Network
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name my_other_network
Switch(config-vlan)#exit
Switch(config)#interface range gigabitEthernet 0/1-16
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#interface range gigabitEthernet 0/17-32
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit
Switch(config)#exit
Switch#write memory
and check on the trunk
The 2950 switch was a L2 switch only last time I checked so it will not be able to route between the VLANs. You may want to consider a small firewall in order to provide the layer 3 element (routing) and block any internet traffic from hitting your LAN. You can then also utilise a switch with this topology.
The respective switch VLANs for Internet and LAN would be connected to the relevant Internet /LAN firewall ports and your servers would be connected to the LAN. The switch management port should also be on the trusted LAN network or a dedicated management VLAN.
Related
Sorry if this is not exactly a "programming" question! I have two PCs on a LAN, connected to two different subnets: one on 192.168.95.x and the other on 192.168.200.y. I have DHCP enabled and if I ping one of the two by PC name, the DNS resolves the IP address correctly for both. However, the ping fails with "request timed out" every time. I expected that with DHCP enabled both PCs should be able to communicate without problem, but apparently not? Thanks!
1 - Try doing it with firewalls off on both devices
2 - Try doing a tracert (if these are Windows machines) from one PC to another.
3 - You need to set up routing between the subnets, did you check this?
4 - Did you troubleshoot the switches they are connected to?
Background:
I've recently set up my cable router in bridged mode to use pfSense for OpenVPN and some other features at my house. Once my modem's in bridged mode I can only have 1 port connected. So without having another Gbit switch around, I figured I could add a 4-port HP Intel NIC to my pfSense box and use it similarly to my old setup. This proved to be problematic.
pfSense box
Onboard NIC [em4] set as DHCP to the modem. Bridged mode tested working with my laptop.
HP NIC
[em0] OPT1
[em1] OPT2
[em2] OPT3
[em3] LAN (first port on the card) 192.168.2.0/24
My goal is to have all ports on the HP NIC act as a bridge/switch like they did on my modem.
On first setup: the WAN port received its public-facing IP address OK and the default rules worked for LAN. So with my laptop wired to LAN everything is a go, with the OPT ports not working as expected.
I enabled all OPT interfaces and set their IPv4 Configuration Type to None as mentioned in the bridge guide.
I added the OPT and LAN interfaces to bridge0 here: Interfaces > (assign)
Under System > Advanced on the System Tunables
I set:
net.link.bridge.pfil_member 0
net.link.bridge.pfil_bridge 1
For the firewall rules I left the OPTs blank as I assumed from a guide they would inherit settings from LAN as being set on the bridge. But I have played around with so many firewall settings that I'm not even sure what to post here for the question. But I've tried setting up default allow-all rules for each.
So far I just can't seem to get DHCP connected to the OPTs to work. If I set my clients to static I can access the pfSense box. I noticed also that I can communicate with another system via static IP if both are set on different OPT connections, so I guess the bridge is working to some extent. I can also use nslookup with my system set on an OPT port with a static IP set, but I can't access the web. So it's resolving DNS names, but still not allowing traffic. I must be missing some documentation on setting up the rules with a bridged configuration.
Any advice? Anyone done it before?
You want:
Each OPT to be a different network (VLAN) but leaving through the same Internet port? If so, check that the firewall allows browsing for each OPT (review the rules for the OPT interfaces).
Is there a way to double the number of ephemeral ports and work around the 16-bit limit? I have tried creating virtual ethernet interfaces over eth0, and hope that would lift the limit. Although the application is utilizing the new virtual IPs in outbound traffic, it seems still hitting the same ephemeral-port limit. I suppose the virtual ports have 1-to-1 mapping to the ports on the physical interface.
ifconfig eth0:1 10.10.10.210 netmask 255.255.255.192
ifconfig eth0:2 10.10.10.211 netmask 255.255.255.192
Could someone please advise how I could double the total number of ephemeral ports in Linux, without adding an extra NIC?
(FYI, I have tried increasing ulimit/max open file, changing the port range, enabling tcp recycle/timestamps, reducing tcp fin timeout... I suppose we simply need more than 65k ports for this proxy machine.)
If you create virtual interfaces over eth0, then you should be able to assign different IP addresses to those interfaces. With that, you can use the same ephemeral port numbers (they are allocated in the kernel, so you don't really have much control) for multiple sockets each bound to different addresses -- you will probably need to set the SO_REUSEADDR option. The reason this will work is because for incoming packets (UDP/TCP), the flow is identified by looking at both the local source IP and the port number.
And as #Duck mentioned, since TCP/UDP headers allocate only 16 bits for port numbers, there is not much point in increasing the ephemeral range in the local stack.
It's a limitation of the network protocols. Both TCP & UDP, for instance, have 16 bit source and destination ports. Even if you could increase the number of ports no one could address them.
It seems there's a way, but it's not for free. It's called "bind before connect". See this short but dense article, which sums it up very nicely.
Having multiple virtual IPs is just a start. Quoting the linked article:
On Linux the ephemeral port range is a global resource, it's not a specific setting local to an IP address.
So that's bad and you have to improve your starting position with few right settings (where most of them you already found) and get around the global limit with a clever socket allocation technique. The result is that you'll control all the outgoing IPs manually. This also seems not to cope well with other apps on the system using the traditional "connect" way.
It turns out that you cannot use 0 for binding ephemeral port if you want to exceed the 65535 limit. Instead, you need to use an explicit port number.
Turning on tcp_tw_reuse might also be helpful: http://krenel.org/tcp-time_wait-and-ephemeral-ports-bad-friends.html
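The "bind before connect" technique from the answer above, as an added example (not code from the thread or from the linked article). It assumes a Linux host, where two sockets with SO_REUSEADDR may bind the same local ip:port as long as neither is listening, and it uses loopback listeners constructed inline to stand in for remote services. The point it demonstrates is the one the answer makes: once you bind an explicit port yourself, the kernel only rejects an exact 4-tuple collision, so the same local (ip, port) can carry connections to different destinations and the global ephemeral range stops being the limit.

```python
"""Bind-before-connect: choose the local (ip, port) explicitly instead of letting
connect() draw from the global ephemeral range.  Added example, not the thread's
or the linked article's code; assumes Linux SO_REUSEADDR semantics."""
import errno
import socket


def bind_then_connect(local_ip, ports, remote):
    """Try each explicit local port in `ports` until connect() succeeds.

    TCP identifies a flow by the full 4-tuple, so a (local_ip, port) already
    used toward one remote endpoint may be reused toward another.  When the
    exact 4-tuple already exists the kernel reports EADDRNOTAVAIL on connect()
    (or EADDRINUSE on bind() on stricter stacks); we then move to the next
    candidate port.  Port 0 is deliberately never used here (see the thread).
    """
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((local_ip, port))   # explicit local port, never 0
            s.connect(remote)
            return s, port
        except OSError as exc:
            s.close()
            if exc.errno in (errno.EADDRINUSE, errno.EADDRNOTAVAIL):
                continue               # 4-tuple taken: try the next port
            raise
    raise RuntimeError("candidate port range exhausted")


def _listener():
    """Loopback listener standing in for a remote service (constructed, offline)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)                      # backlog lets handshakes complete unattended
    return srv


def demo():
    """Open three connections from one local IP using a hand-managed port range.

    Returns the local ports chosen so the outcome can be checked:
      to_a       -> service A
      to_b       -> service B (may legitimately share to_a's local port on Linux)
      to_a_again -> service A again (must differ from to_a: same 4-tuple otherwise)
    """
    a, b = _listener(), _listener()
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    base = probe.getsockname()[1]      # a currently free port to start our range
    probe.close()
    candidates = range(base, base + 32)
    c1, p1 = bind_then_connect("127.0.0.1", candidates, a.getsockname())
    c2, p2 = bind_then_connect("127.0.0.1", candidates, b.getsockname())
    c3, p3 = bind_then_connect("127.0.0.1", candidates, a.getsockname())
    for s in (c1, c2, c3, a, b):
        s.close()
    return {"to_a": p1, "to_b": p2, "to_a_again": p3}


if __name__ == "__main__":
    print(demo())
```

In a real proxy the `ports` argument would be a per-source-IP range that your application owns, so that the allocation is spread across all the virtual IPs from the question; the one thing this does not solve, as the answer notes, is coexistence with other processes on the box that still rely on plain connect().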
What you have:
bond (bond0) interface (all modes except 4) with at least 2 ifaces (say eth0 / eth1) connected on the same external switch
bond0 interface joined on a software bridge (br0)
virtual machine (vm0) (eg LibVirt::LXC) with an interface on br0
What you get:
vm0 is not able to connect to (most) IP addresses via bond0 over br0
"bond0: received packet with own address as source address" in syslog
Why you get this:
When vm0 wants to contact an external IP address it will send out an ARP request. This L2 broadcast with the source mac of vm0 will leave through (depending on bonding mode) eg eth0, but via the external switch, re-enter through eth1 and thus bond0. Hence the switch br0 will learn the mac-address of vm0 on the port connected to bond0. As a consequence the ARP-reply is never received by vm0.
What can you do to resolve:
The reason I post this, next to sharing the info, is that I wasn't able to figure out a good enough solution. Those I did find are:
On vm0 set static ARP entry
Use bond0 mode=4 but your external switch must support this
Configure your external switch to use private VLAN on eth0/eth1, but this only works in some use-cases and adds complexity
Add both physical interfaces to the bridge with spanning tree enabled, instead of using bond driver
Statically configuring the MAC of vm0 on the correct port of br0 is not an option on Linux (works on OpenBSD though)
I'm really hoping for a more elegant solution here... Anyone?
Thanks
I've got the same problem and I came up with the same analysis.
The only non-invasive/scalable solution I've found is to use the active/backup bonding (mode 1). The tradeoff is that you lose the aggregation.
IMO, the best solution is to use 802.3ad, but I can't always use it because I'm limited with 6 port-channels on most of my switches.
Try these options in bridge:
bridge_fd 0
bridge_stp off # switch on with more system like this
bridge_maxage 0
bridge_ageing 0
bridge_maxwait 0
Taken from this thread:
kvm bridge also in proxmox
I have two NIC cards with 4 ports each on Redhat 6.1.
When the application comes up, it creates a bonded interface with one port from each NIC (example: eth1 and eth4), and assigns a virtual IP to that interface. Once this interface is up, all the packets from this machine should go through the bonded interface.
To achieve this currently, I'm changing the default gw device name to the bonded interface using the ip route command: ip route replace default via 10.3.2.1 dev INT-BOND.
When stopping the application, we bring down the bonded interface and change the default gw device name back to eth0.
The problem with my approach is if someone brings down the bonded interface (ifdown), then it removes the default gw.
I need confirmation that my currently working approach is fine to proceed with going forward; otherwise, should I go with modifications to the iptables/ip rules, or are there any better suggestions?