Showing posts with label switch. Show all posts

Monday, December 8, 2014

Connecting Mininet Hosts to Internet

While working on my project on Open vSwitch I had to connect Mininet hosts to the internet to enable some functionality in the Mininet hosts. After working on it for two days, I came to realise that it's just 4 easy steps. If you are struggling with the same, here is the solution.

Step 1: Make sure that your guest OS, i.e. the Mininet VM, is connected to the internet.

In the VirtualBox network settings make sure the VM has a NAT adapter enabled; that is what gives it internet access. VirtualBox NAT hands the guest a private address from the 10.0.x.0/24 range (on this VM it was 10.0.3.15, i.e. an address from the 10.0.0.0/8 class A private block), so look for an interface with such an address.
Test by pinging www.google.com from the guest OS to make sure the Mininet VM itself is online before going further.




Step 2: Start the network

Start a Mininet network with a switch and a host, or any topology you prefer:

sudo mn  --switch ovsk --mac --topo single,2

The above command creates a network with a single Open vSwitch kernel-datapath switch, s1, and two hosts, h1 and h2. The --mac option gives the hosts small, predictable MAC addresses (00:00:00:00:00:01 for h1, and so on), which makes them easy to recognise in the switch output later.

Step 3: Connect the guest interface (the one that reaches the internet) to the OVS bridge

This is done with ovs-vsctl, the command-line tool for querying and configuring the Open vSwitch database (ovsdb-server); the switch daemon, ovs-vswitchd, picks up the change from there.

The command does not run directly at the mininet> prompt, so open an xterm for s1 (xterm s1 at the Mininet CLI) or any other root shell on the VM. Opening an xterm needs X forwarding over the SSH session from the host OS to the guest; if you don't know how to set this up, refer to my earlier post titled "Error: Cannot Connect to Display". Alternatively, the Mininet CLI can hand a command straight to the shell with sh ovs-vsctl ..., which avoids X altogether.

Check the current Open vSwitch configuration with ovs-vsctl show. My switch had the following configuration.

root@mininet-vm:~# ovs-vsctl show
d27a9060-3edf-4ee7-a4cf-09e705c93f56
    Bridge "s1"
        Controller "ptcp:6634"
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "s1-eth1"
            Interface "s1-eth1"
        Port "s1-eth2"
            Interface "s1-eth2"
        Port "s1"
            Interface "s1"
                type: internal
    ovs_version: "2.0.1"

Now add eth1 as a port on s1: ovs-vsctl add-port s1 eth1

Two things to be aware of before you do this. First, once eth1 belongs to the bridge it stops behaving as an ordinary interface of the guest: any IP address configured on it will no longer answer, and frames only pass through it as the OpenFlow controller's flows allow (with fail_mode: secure, shown above, nothing is forwarded while the controller is disconnected). So never add the interface your own SSH session into the VM arrives on. Second, every Mininet host now sits on the same VirtualBox NAT segment as the guest, with nothing filtering between it and the outside, which is fine for a lab and not for anything else.

Check the configuration again with ovs-vsctl show. The new port, eth1, now appears under Bridge "s1".

root@mininet-vm:~# ovs-vsctl show
d27a9060-3edf-4ee7-a4cf-09e705c93f56
    Bridge "s1"
        Controller "ptcp:6634"
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "eth1"
            Interface "eth1"
        Port "s1-eth1"
            Interface "s1-eth1"
        Port "s1-eth2"
            Interface "s1-eth2"
        Port "s1"
            Interface "s1"
                type: internal
    ovs_version: "2.0.1"

Step 4: Run dhclient on the hosts.

Open xterm windows for h1 and h2 (xterm h1 h2 at the Mininet CLI) and run the following commands in each, substituting that host's interface name (h2-eth0 on h2). The first command removes the static 10.0.0.x address Mininet assigned to h1-eth0, the second obtains an address for h1-eth0 from the DHCP server behind the VirtualBox NAT, and the third shows the resulting interface configuration.

root@mininet-vm:~# ifconfig h1-eth0 0
root@mininet-vm:~# dhclient h1-eth0
root@mininet-vm:~# ifconfig
h1-eth0   Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:10.0.3.16  Bcast:10.0.3.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3304 (3.3 KB)  TX bytes:1764 (1.7 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1252 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:151432 (151.4 KB)  TX bytes:151432 (151.4 KB)

Now check internet connectivity from the host with ping.

root@mininet-vm:~# ping www.google.com
PING www.google.com (216.58.216.164) 56(84) bytes of data.
64 bytes from sea15s02-in-f4.1e100.net (216.58.216.164): icmp_seq=14 ttl=54 time=61.9 ms
64 bytes from sea15s02-in-f4.1e100.net (216.58.216.164): icmp_seq=15 ttl=54 time=60.7 ms
^C
--- www.google.com ping statistics ---
15 packets transmitted, 2 received, 86% packet loss, time 14065ms
rtt min/avg/max/mdev = 60.707/61.336/61.965/0.629 ms

Summary:

The commands used to give the Mininet hosts internet connectivity are:

ovs-vsctl add-port s1 eth1
ifconfig h1-eth0 0
dhclient h1-eth0
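Step 3 is the one that can leave you locked out of the VM, so here is the same add-port with the checks the steps above skip: it refuses to bridge the interface the VM's default route leaves through, refuses an interface that already belongs to another bridge, and uses --may-exist so a second run is harmless. This is an added example, not code from the post or from Mininet/Open vSwitch; it assumes the post's names (bridge s1, uplink eth1), that it runs as root inside the Mininet VM, and that iproute2 and ovs-vsctl are on PATH. The parsing helpers take command output as text, so the decision logic can be exercised without a switch.

```python
"""Attach the Mininet VM's uplink NIC to an OVS bridge, with sanity checks.

Added example (not the post's or Mininet's code). Assumptions: bridge 's1',
uplink 'eth1', run as root in the Mininet VM, `ip` and `ovs-vsctl` available.
"""
import re
import subprocess

_DEFAULT_ROUTE = re.compile(r"^default\b.*\bdev\s+(\S+)")


def carries_default_route(iface, ip_route_output):
    """True if `iface` is the exit interface of the default route in `ip route` text."""
    for line in ip_route_output.splitlines():
        m = _DEFAULT_ROUTE.match(line.strip())
        if m and m.group(1) == iface:
            return True
    return False


def bridge_ports(ovs_show_output):
    """Map bridge name -> set of port names, parsed from `ovs-vsctl show` text.
    Handles both quoted (OVS 2.0) and unquoted (newer releases) names."""
    ports, current = {}, None
    for line in ovs_show_output.splitlines():
        toks = line.split()
        if len(toks) >= 2 and toks[0] == "Bridge":
            current = toks[1].strip('"')
            ports.setdefault(current, set())
        elif len(toks) >= 2 and toks[0] == "Port" and current is not None:
            ports[current].add(toks[1].strip('"'))
    return ports


def check_attach(bridge, iface, ip_route_output, ovs_show_output):
    """Return the reasons NOT to attach `iface` to `bridge` (empty list = safe)."""
    problems = []
    if carries_default_route(iface, ip_route_output):
        problems.append(
            f"{iface} carries the VM's default route; once it is a bridge port the VM "
            f"itself (and any SSH session arriving on it) loses connectivity")
    ports = bridge_ports(ovs_show_output)
    if bridge not in ports:
        problems.append(f"bridge {bridge} does not exist; is Mininet running?")
    for other, members in ports.items():
        if other != bridge and iface in members:
            problems.append(f"{iface} is already a port of bridge {other}")
    return problems


def plan_attach(bridge, iface, ip_route_output, ovs_show_output):
    """Commands (argv lists) needed to attach the uplink; empty if already attached."""
    if iface in bridge_ports(ovs_show_output).get(bridge, set()):
        return []
    return [
        # --may-exist makes a re-run a no-op instead of an error.
        ["ovs-vsctl", "--may-exist", "add-port", bridge, iface],
        ["ip", "link", "set", iface, "up"],
    ]


def attach_uplink(bridge="s1", iface="eth1", force=False):
    """Run the checks against the live system, then apply the plan."""
    route = subprocess.check_output(["ip", "route"], text=True)
    show = subprocess.check_output(["ovs-vsctl", "show"], text=True)
    problems = check_attach(bridge, iface, route, show)
    if problems and not force:
        raise SystemExit("refusing to attach:\n  " + "\n  ".join(problems))
    for argv in plan_attach(bridge, iface, route, show):
        subprocess.check_call(argv)


if __name__ == "__main__":
    attach_uplink()
```

Run it as root on the VM after starting Mininet (python3 attach_uplink.py); step 4 is unchanged and still happens inside the host's xterm, because dhclient has to run in h1's network namespace.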

Sunday, November 23, 2014

Dynamic Trunking Protocol

The Dynamic Trunking Protocol (DTP) is a Cisco-proprietary protocol used to negotiate trunk links between VLAN-aware switches, with either 802.1Q (dot1q) or ISL encapsulation. The negotiation also settles which encapsulation is used. By default neither end has an encapsulation pinned (switchport trunk encapsulation negotiate): ISL is selected if both switches support it, otherwise 802.1Q.

DTP advertises the VTP domain name, the trunking status of the interface and its DTP type (encapsulation). These frames are sent on the native VLAN, to the Cisco multicast address 01:00:0c:cc:cc:cc, every 30 seconds. A trunk is only negotiated when the VTP domain names on both switches match.

DTP should not be confused with VTP, as they serve different purposes. VTP distributes VLAN existence information between switches; DTP helps establish trunk ports. Neither protocol transmits the data frames that trunks carry.


The following switch port mode settings exist:

Access — Puts the LAN port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The LAN port becomes a nontrunk port even if the neighboring LAN port does not agree to the change.

CLI command: switchport mode access

Trunk — Puts the LAN port into permanent trunking mode and negotiates to convert the link into a trunk link. The LAN port becomes a trunk port even if the neighboring port does not agree to the change.

CLI command: switchport mode trunk

Dynamic Auto — Makes the LAN port willing to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk or desirable mode.

CLI command: switchport mode dynamic auto

Dynamic Desirable — Makes the LAN port actively attempt to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk, desirable, or auto mode. This is the default mode on older Catalyst platforms; newer access switches such as the Catalyst 2960 default to dynamic auto instead. Either default leaves the port willing to trunk with whatever is plugged in.

CLI command: switchport mode dynamic desirable

Nonegotiate — Keeps the port in whatever static mode it has (trunk or access) but stops it from generating DTP frames. The neighboring port must then be configured manually as a trunk to establish a trunk link. Strictly speaking this is not a separate mode but an additional interface command applied on top of switchport mode trunk or switchport mode access.

CLI command: switchport nonegotiate

From a security standpoint, DTP is the reason "switch spoofing" works: a host plugged into a port left in dynamic auto or dynamic desirable can send its own DTP frames, have the port come up as a trunk, and then tag frames into every VLAN the trunk carries. Harden every user-facing port with switchport mode access and switchport nonegotiate, and add switchport nonegotiate to genuine trunks too, so their state does not depend on what the other end sends.
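The way to find the ports that still negotiate is to read show interfaces switchport for every port and look at the Administrative Mode and Negotiation of Trunking fields. The script below does that over a sample and emits the interface commands from the list above. It is an added example, not code from the post or from Cisco; the sample output is constructed, and the port names, VLANs and modes in it are assumptions, though the field names are the ones Catalyst IOS prints.

```python
"""Audit DTP exposure from `show interfaces switchport` output.

Added example (not the post's or Cisco's code). SAMPLE_SHOW_SWITCHPORT is a
constructed sample; port names, VLANs and modes are assumptions.
"""

SAMPLE_SHOW_SWITCHPORT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 10 (USERS)

Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (USERS)

Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Trunking Native Mode VLAN: 999 (UNUSED)

Name: Gi0/2
Switchport: Disabled
"""


def parse_switchport(text):
    """Split `show interfaces switchport` output into one dict per port."""
    ports, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current = {"Name": line.split(":", 1)[1].strip()}
            ports.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return ports


def audit_dtp(text):
    """Return {port: [interface commands]} for every port that will still
    negotiate a trunk with whatever is plugged into it.

    - dynamic auto / dynamic desirable: a device sending DTP can turn the port
      into a trunk, so pin it as an access port and silence DTP.
    - trunk with negotiation on: keep the trunk but stop advertising DTP.
    - static access with negotiation off, or a routed port: nothing to do.
    """
    findings = {}
    for port in parse_switchport(text):
        if port.get("Switchport", "").lower() != "enabled":
            continue  # routed port, DTP does not apply
        admin = port.get("Administrative Mode", "").lower()
        negotiating = port.get("Negotiation of Trunking", "").lower() == "on"
        if admin.startswith("dynamic"):
            findings[port["Name"]] = ["switchport mode access", "switchport nonegotiate"]
        elif negotiating:
            findings[port["Name"]] = ["switchport nonegotiate"]
    return findings


def render_config(findings):
    """Turn the findings into a paste-ready IOS configuration snippet."""
    lines = []
    for name, cmds in findings.items():
        lines.append(f"interface {name}")
        lines.extend(f" {cmd}" for cmd in cmds)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config(audit_dtp(SAMPLE_SHOW_SWITCHPORT)))
```

Feed it the real output (show interfaces switchport captured over SSH, or pulled from a config backup tool) and review the rendered snippet before pasting it in: a dynamic port that is in fact an uplink needs switchport mode trunk rather than access, which the script cannot know.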

Tuesday, November 18, 2014

Port Security in Cisco Switches

Switch port security limits which source MAC addresses, and how many of them, are allowed to send frames into a port. Frames from any other source MAC are treated as a security violation.

Once the maximum number of secure MAC addresses has been reached, a violation occurs when a frame arrives from a MAC address that is not in the port's secure list, including a device that merely moves from one secured port to another in the same VLAN.

The command to configure the number of allowed MAC addresses is:

switchport port-security maximum <count>
The upper limit is platform dependent; the 132 quoted here is the per-port limit on older Catalyst models such as the 2950, so check your model's documentation.


Types of secure mac-addresses:

1. Static secure MAC address: Configured manually with the switchport port-security mac-address <mac> command. These addresses are stored in the address table and in the running configuration of the switch.

2. Dynamic secure MAC address: Learned dynamically by the switch and stored only in the dynamic MAC address table, so they are lost when the switch restarts. The only command required for this type is switchport port-security. The default behaviour is to allow a single MAC address and to shut the port down on a violation.

3. Sticky secure MAC address: Learned dynamically like a dynamic secure address, but written into the running configuration as a switchport port-security mac-address sticky <mac> entry. For example, if the maximum is 1, the first device to send a frame into the port becomes the secure device; the switch learns its MAC address and saves it to the running configuration. Because the entries live in the running config they survive a reboot only if you save it to the startup-config (copy running-config startup-config); otherwise the switch relearns from scratch after the reload, and whoever is plugged in at that moment becomes the trusted device.


Depending on the action you want a switch to take when a security violation occurs, you can configure the behavior of a switch port to one of the following:

Protect – when the maximum number of secure MAC addresses has been reached, frames from devices with unknown source addresses are dropped until you remove enough secure MAC addresses from the table. In this mode you are not notified when a violation occurs: no syslog message, no SNMP trap, and the violation counter does not increment. That silence makes protect the weakest choice for anything you intend to monitor.

Restrict – identical to protect mode, but notifies you when a security violation occurs: an SNMP trap is sent, a syslog message is logged and the violation counter increments. The port stays up.

Shutdown – the default behaviour. The port is placed in the error-disabled state when a violation occurs, an SNMP trap is sent and the message is logged. To bring the port back, issue shutdown followed by no shutdown in interface configuration mode, or let it recover automatically with errdisable recovery cause psecure-violation in global configuration. Bear in mind that anyone who can plug into the port can use this mode to take it offline on purpose, so pair it with monitoring rather than relying on it alone.


CLI Commands:

For dynamic:

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security

For Sticky:

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 10
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security violation restrict

To see all port security configuration for the switch port use this command:

show port-security int fa0/1
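In restrict and shutdown mode each violation produces a %PORT_SECURITY-2-PSECURE_VIOLATION syslog message naming the MAC address and port, which is what you should be watching rather than the switch console. The script below is an added example, not code from the post or from Cisco: it runs over a few constructed syslog lines and separates a single device that changed (the same MAC rejected repeatedly) from MAC flooding (many distinct MACs hitting one port), then says what the responder should do with the port. The flood threshold is an assumption to tune for your environment, and protect mode produces no log line at all, so ports in that mode are invisible to this check.

```python
"""Triage port-security violations from syslog.

Added example (not the post's or Cisco's code). SAMPLE_SYSLOG is constructed;
the message text matches what IOS logs in restrict and shutdown mode.
"""
import re
from collections import defaultdict

VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$"
)

SAMPLE_SYSLOG = """\
Nov 18 09:12:01 sw1 45: *Nov 18 09:12:01.203: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/1.
Nov 18 09:12:01 sw1 46: *Nov 18 09:12:01.451: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4456 on port FastEthernet0/1.
Nov 18 09:12:02 sw1 47: *Nov 18 09:12:02.017: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4457 on port FastEthernet0/1.
Nov 18 09:12:02 sw1 48: *Nov 18 09:12:02.322: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4458 on port FastEthernet0/1.
Nov 18 09:12:02 sw1 49: *Nov 18 09:12:02.590: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4459 on port FastEthernet0/1.
Nov 18 09:30:10 sw1 50: *Nov 18 09:30:10.100: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
Nov 18 09:30:15 sw1 51: *Nov 18 09:30:15.722: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.dd01 on port FastEthernet0/7.
Nov 18 09:30:45 sw1 52: *Nov 18 09:30:45.731: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.dd01 on port FastEthernet0/7.
"""


def parse_violations(text):
    """Return (port, mac) for every PSECURE_VIOLATION line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = VIOLATION.search(line)
        if m:
            events.append((m.group(2), m.group(1).lower()))
    return events


def classify(events, flood_threshold=5):
    """Per port: 'flood' when at least flood_threshold distinct source MACs were
    rejected (CAM-table flooding, a hub or an unmanaged switch behind the port),
    otherwise 'single-device' (a replaced or moved machine, or a spoofed MAC)."""
    macs = defaultdict(set)
    for port, mac in events:
        macs[port].add(mac)
    return {port: ("flood" if len(seen) >= flood_threshold else "single-device")
            for port, seen in macs.items()}


def recommend(events, flood_threshold=5):
    """Map each offending port to the action a responder should take."""
    verdicts = classify(events, flood_threshold)
    counts = defaultdict(int)
    for port, _ in events:
        counts[port] += 1
    out = {}
    for port, verdict in verdicts.items():
        if verdict == "flood":
            out[port] = (f"{counts[port]} violations from many MACs: leave the port "
                         "err-disabled and inspect what is physically connected")
        else:
            out[port] = (f"{counts[port]} violations from one MAC: confirm the device, "
                         "then clear the sticky/static entry and 'shutdown' / 'no shutdown'")
    return out


if __name__ == "__main__":
    for port, advice in recommend(parse_violations(SAMPLE_SYSLOG)).items():
        print(f"{port}: {advice}")
```

Point it at the switch's syslog feed (the regex ignores the timestamp prefix, so the exact relay format does not matter) and raise the threshold if your access ports legitimately see several devices.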

Saturday, November 8, 2014

How to clear switch for new configuration

1. Connect to the console port and enter privileged EXEC mode.

From your computer's terminal connect to the console port of the switch using a console cable. You should see the console prompt, which is the switch's hostname followed by > or #.

If the prompt ends in > you are in user EXEC mode. To enter privileged EXEC mode, type enable (and the enable password or secret, if one is set).

2. Delete the VLAN database file.

When the switch is in VTP server or client mode its VLANs and VTP domain live in flash:vlan.dat, not in the startup-config, so erasing the configuration alone would leave them behind.

Switch#delete flash:vlan.dat
Delete flash vlan.dat ? [confirm]
Switch#

3. Erase the startup configuration from NVRAM

The startup configuration of the switch is removed with the erase startup-config command.

Switch# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
Switch#
Switch# reload

When reload asks whether to save the modified system configuration, answer no: saying yes would write the running configuration back to NVRAM and undo the erase. After the reboot the switch comes up with the initial configuration dialog.