Difference between revisions of "8021Q"

From RackTables Wiki
Jump to navigation Jump to search
Line 95: Line 95:
 
* "max VLANs per switch" option of VLAN switch template is stored, but always ignored
 
* "max VLANs per switch" option of VLAN switch template is stored, but always ignored
 
* VRP's "hybrid untagged VLANs" (which are not to be confused with "native" VLAN) break normal management until they are "undone"
 
* VRP's "hybrid untagged VLANs" (which are not to be confused with "native" VLAN) break normal management until they are "undone"
* once a switch is loaded with 802.1Q ports config, it is impossible to delete it without mysql client
+
* <del>once a switch is loaded with 802.1Q ports config, it is impossible to delete it without mysql client</del> (fixed in 0.18.5)
 
* Brocade FCX switch does not return member ports of VLAN1
 
* Brocade FCX switch does not return member ports of VLAN1

Revision as of 17:31, 13 September 2010

8021q.png

abstract

This page describes 802.1Q VLAN management feature in RackTables, which has been added in 0.18.0 release.

RackTables server setup

RackTables has a special component named "deviceconfig" to deliver configuration from and to managed switches. This component is a set of executable scripts located in gateways/deviceconfig directory (which is probably located in the main RackTables directory). Description below is accurate for RackTables 0.18.x, but may change in future versions.

In deviceconfig directory one can see a sample file named switch.secrets.php-sample. The real file, which will be used by the system, is switch.secrets.php, and the simplest way to have it created properly is to copy it from the sample file. Before you proceed and put real configuration into that file, please understand the following!

  1. This component uses telnet protocol to communicate to managed switches. It is your responsibility to setup your network so, that the passwords cannot be easily intercepted on the way, and that the RackTables server is only allowed to telnet to devices of your own.
  2. RackTables, like most software, can fail during operation. Consequences of that may be serious technical, financial and other losses. Redundancy and backups are also your responsibility.
  3. Please make sure, that the server, where you install RackTables, is setup appropriately to store sensitive data. If the password file is leaked, that is a major problem regardless of any software.

The switch.secrets.php file has the following format:

Any text (this is by default a piece of PHP code,
which hides contents of the whole file, when the file is
accessed with HTTP).

Marker below enables password scanning and must be left intact.
# S-T-A-R-T
<hostname pattern> telnet - - <user_name|-> <user_password|-> <super_password|->
<hostname pattern> telnet - - <user_name|-> <user_password|-> <super_password|->
<hostname pattern> telnet - - <user_name|-> <user_password|-> <super_password|->
<hostname pattern> telnet - - <user_name|-> <user_password|-> <super_password|->
# S-T-O-P
Marker above disables password scanning and must be left intact.

Any text (again, a piece of PHP code).

Column 1 is a hostname pattern, which is matched against "management address" of a given switch, which is:

  • FQDN attribute of the switch, if it is set (the recommended practice is to have "FQDN" set for each managed switch)
  • otherwise it is IP address of the switch, if it has one and only one IP address allocated (on "IPv4" tab of object page)
  • otherwise it is the "common name" of the switch, if its common name is a valid hostname

Again, this "management address" is matched against the pattern. This pattern is a so called "shell pattern", which can use expressions "*", "?" and "[...]" (like those in filename patterns in UNIX shell). It is important to have patterns matching only devices, which one really intends to log into. Without this measure (when one uses "*" as hostname pattern) RackTables would always use a real password for any device. This way the real password would be compromised as soon, as an object in the database resolves into IP address outside your network. This way, to match every hostname in "example.com" domain, one can write "*.example.com" or "switch*.example.com".

Columns 2-4 (telnet minus minus) don't do anything, they are there solely for compatibility reasons and are likely to be discarded in future.

Columns 5 and 6 are respectively the username and the password strings, which the device expects to receive. If the device expects no username/password, respective column must be set to "-" (minus). Depending on the configuration device may be expecting: username with password, username without password, password without username, and neither username nor password. All these cases can be configured here.

Column 7 is the master (enable, super) password, which some systems require for "administrator" access level. When this password is supplied, it is used along with appropriate (depending on switch software) command to proceed to that access level. When the master password is not set ("-"), it is one's responsibility to configure the switch in a way, which allows the specified account to make configuration changes.

RackTables objects setup

802.1Q code needs to know, if an object is a managed Ethernet switch (a switch, which RackTables can manage, to be precise). This is decided based on certain records about an object (the object must belong to "network switch" type):

  • "IOS 12.0", "IOS 12.1" or "IOS 12.2" SW type
  • "NX-OS 4.0" or "NX-OS 4.1" SW type
  • "Extreme XOS 12" SW type
  • "Huawei VRP 5.30" SW type (since 0.18.4)
  • "Huawei VRP 5.50" SW type (since 0.18.4)
  • "IronWare 5" SW type (since 0.18.4)
  • "Foundry FastIron GS xxx" HW type (not used since 0.18.4)
  • "Huawei Quidway S53xx" HW type (not used since 0.18.4)

For most hardware, which is supported by 802.1Q feature "SW type" is set automatically during "SNMP sync" execution round.

side effects

A configured "deviceconfig" gateway will also enable "Live CDP" and "Live LLDP" features.

vendor-specific switch setup

  • Cisco IOS
    • Every port, which is intended to perform switching, must have "switchport mode" and "switchport trunk encapsulation" explicitly set in its "interface" section.
    • VTP mode must be set to "transparent".
  • Extreme Networks XOS 12
    • telnet operations are very slow
    • Every VLAN besides "Default" and "Mgmt" (that is, any VLAN created by the user) must be named "VLANx", where x is VLAN tag ID. For example, "VLAN2", "VLAN123", "VLAN4000".
  • Huawei S2300/S3300/S5300 VRP 5.30
    • Software patch V100R003SPH006 must be applied.
    • The device must have output paging disabled:
user-interface vty 0 4
 screen-length 0
  • Huawei S9300 VRP 5.50
    • Software patch V100R002SPH009 must be applied.
    • All device ports must have "link-type" set to either "access" or "trunk" (default setting is "hybrid")
    • The device must have output paging disabled:
user-interface vty 0 4
 screen-length 0

known bugs and limitations

  • port naming is fixed and cannot be changed
  • importing configuration for a port, which has VLANs 1~4094 allowed, is very slow
  • for uplink-downlink reverb feature to work, both ports must have correct markup, have respective records on the Ports tab, and these records must be linked
  • there is no support for configuration templates like those in LiveVLANs
  • VLAN1 cannot be used on uplink or downlink ports
  • VLAN domains require a special setup procedure to work properly
  • unbinding of 802.1Q order hides existing 802.1Q ports config, blocking object deletion
  • not all hardware supports trunk ports w/o allowed VLANs, and this is not handled by RackTables
  • ExtemeOS requires a special VLAN naming scheme
  • there is no user interface for the "disabled" deploy queue
  • "max VLANs per switch" option of VLAN switch template is stored, but always ignored
  • VRP's "hybrid untagged VLANs" (which are not to be confused with "native" VLAN) break normal management until they are "undone"
  • once a switch is loaded with 802.1Q ports config, it is impossible to delete it without mysql client (fixed in 0.18.5)
  • Brocade FCX switch does not return member ports of VLAN1