8021Q

From RackTables Wiki
Revision as of 10:10, 15 June 2010 by Infrastation (talk | contribs) (→‎Huawei VRP: note the patch)
Jump to navigation Jump to search
8021q.png

abstract

This page describes 802.1Q VLAN management feature in RackTables, which has been added in 0.18.0 release.

RackTables server setup

RackTables has a special component named "deviceconfig" to deliver configuration from and to managed switches. This component is a set of executable scripts located in gateways/deviceconfig directory (which is probably located in the main RackTables directory). Description below is accurate for RackTables 0.18.x, but may change in future versions.

In deviceconfig directory one can see a sample file named switch.secrets.php-sample. The real file, which will be used by the system, is switch.secrets.php, and the simplest way to have it created properly is to copy it from the sample file. Before you proceed and put real configuration into that file, please understand the following!

  1. This component uses telnet protocol to communicate to managed switches. It is your responsibility to setup your network so, that the passwords cannot be easily intercepted on the way, and that the RackTables server is only allowed to telnet to devices of your own.
  2. RackTables, like most software, can fail during operation. Consequences of that may be serious technical, financial and other losses. Redundancy and backups are also your responsibility.
  3. Please make sure, that the server, where you install RackTables, is setup appropriately to store sensitive data. If the password file is leaked, that is a major problem regardless of any software.

The switch.secrets.php file has the following format:

Any text (this is by default a piece of PHP code,
which hides contents of the whole file, when the file is
accessed with HTTP).

Marker below enables password scanning and must be left intact.
# S-T-A-R-T
<hostname pattern> telnet - - <user_name|-> <user_password|-> <super_password|->
<hostname pattern> telnet - - <user_name|-> <user_password|-> <super_password|->
<hostname pattern> telnet - - <user_name|-> <user_password|-> <super_password|->
<hostname pattern> telnet - - <user_name|-> <user_password|-> <super_password|->
# S-T-O-P
Marker above disables password scanning and must be left intact.

Any text (again, a piece of PHP code).

Column 1 is a hostname pattern, which is matched against "management address" of a given switch, which is:

  • FQDN attribute of the switch, if it is set (the recommended practice is to have "FQDN" set for each managed switch)
  • otherwise it is IP address of the switch, if it has one and only one IP address allocated (on "IPv4" tab of object page)
  • otherwise it is the "common name" of the switch, if its common name is a valid hostname

Again, this "management address" is matched against the pattern. This pattern is a so called "shell pattern", which can use expressions "*", "?" and "[...]" (like those in filename patterns in UNIX shell). It is important to have patterns matching only devices, which one really intends to log into. Without this measure (when one uses "*" as hostname pattern) RackTables would always use a real password for any device. This way the real password would be compromised as soon, as an object in the database resolves into IP address outside your network. This way, to match every hostname in "example.com" domain, one can write "*.example.com" or "switch*.example.com".

Columns 2-4 (telnet minus minus) don't do anything, they are there solely for compatibility reasons and are likely to be discarded in future.

Columns 5 and 6 are respectively the username and the password strings, which the device expects to receive. If the device expects no username/password, respective column must be set to "-" (minus). Depending on the configuration device may be expecting: username with password, username without password, password without username, and neither username nor password. All these cases can be configured here.

Column 7 is the master (enable, super) password, which some systems require for "administrator" access level. When this password is supplied, it is used along with appropriate (depending on switch software) command to proceed to that access level. When the master password is not set ("-"), it is one's responsibility to configure the switch in a way, which allows the specified account to make configuration changes.

side effects

A configured "deviceconfig" gateway will also enable "Live CDP" and "Live LLDP" features.

vendor-specific switch setup

Cisco IOS

  • Every port, which is intended to perform switching, must have "switchport mode" explicitly set in its "interface" section.
  • VTP mode must be set to "transparent".

Extreme Networks XOS

  • Every VLAN besides "Default" and "Mgmt" (that is, any VLAN created by the user) must be named "VLANx", where x is VLAN tag ID. For example, "VLAN2", "VLAN123", "VLAN4000".

Huawei VRP

  • Software patch V100R003SPH006 must be applied for telnet server to operate correctly.
  • The device must have output paging disabled:
user-interface vty 0 4
 screen-length 0

known limitations

  • port naming is fixed and cannot be changed
  • importing configuration for a port, which has VLANs 1~4094 allowed, is very slow
  • for uplink-downlink reverb feature to work, both ports must have correct markup, have respective records on the Ports tab, and these records must be linked
  • there is no support for configuration templates like those in LiveVLANs
  • VLAN1 cannot be used on uplink or downlink ports
  • VLAN domains require a special setup procedure to work properly
  • unbinding of 802.1Q order hides existing 802.1Q ports config, blocking object deletion
  • not all hardware supports trunk ports w/o allowed VLANs, and this is not handled by RackTables
  • ExtemeOS requires a special VLAN naming scheme
  • there is no user interface for the "disabled" deploy queue
  • "max VLANs per switch" option of VLAN switch template is stored, but always ignored
  • VRP's "hybrid untagged VLANs" (which are not to be confused with "native" VLAN) break normal management until they are "undone"