Difference between revisions of "8021Q"

From RackTables Wiki
Jump to navigation Jump to search
Line 46: Line 46:
  
 
== vendor-specific switch setup ==
 
== vendor-specific switch setup ==
===IOS===
+
===Cisco IOS===
 
* Every port, which is intended to perform switching, must have "switchport mode" explicitly set in its "interface" section.
 
* Every port, which is intended to perform switching, must have "switchport mode" explicitly set in its "interface" section.
 
* VTP mode must be set to "transparent".
 
* VTP mode must be set to "transparent".
===XOS===
+
===Extreme Networks XOS===
 
* Every VLAN besides "Default" and "Mgmt" (that is, any VLAN created by the user) must be named "VLANx", where x is VLAN tag ID. For example, "VLAN2", "VLAN123", "VLAN4000".
 
* Every VLAN besides "Default" and "Mgmt" (that is, any VLAN created by the user) must be named "VLANx", where x is VLAN tag ID. For example, "VLAN2", "VLAN123", "VLAN4000".
 +
===Huawei VRP===
 +
* The device must have output paging disabled:
 +
<pre>
 +
user-interface vty 0 4
 +
screen-length 0
 +
</pre>

Revision as of 23:20, 12 June 2010

802.1Q VLAN management in RackTables

known limitations

  • port naming is fixed and cannot be changed
  • importing configuration for a port, which has VLANs 1~4094 allowed, is very slow
  • for uplink-downlink reverb feature to work, both ports must have correct markup, have respective records on the Ports tab, and these records must be linked
  • there is no support for configuration templates like those in LiveVLANs
  • VLAN1 cannot be used on uplink or downlink ports
  • VLAN domains require a special setup procedure to work properly
  • unbinding of 802.1Q order hides existing 802.1Q ports config, blocking object deletion
  • not all hardware supports trunk ports w/o allowed VLANs, and this is not handled by RackTables
  • ExtemeOS requires a special VLAN naming scheme
  • there is no user interface for the "disabled" deploy queue
  • "max VLANs per switch" option of VLAN switch template is stored, but always ignored
  • VRP's "hybrid untagged VLANs" (which are not to be confused with "native" VLAN) break normal management until they are "undone"

RackTables server setup

RackTables has a special component named "deviceconfig" to deliver configuration from and to managed switches. This component is a set of executable scripts located in gateways/deviceconfig directory (which is probably located in the main RackTables directory). Description below is accurate for RackTables 0.18.x, but may change in future versions.

In deviceconfig directory one can see a sample file named switch.secrets.php-sample. The real file, which will be used by the system, is switch.secrets.php, and the simplest way to have it created properly is to copy it from the sample file. The file has the following format:

Any text (this is by default a piece of PHP code,
which hides contents of the whole file, when the file is
accessed with HTTP).

Marker below enables password scanning and must be left intact.
# S-T-A-R-T
<hostname pattern> telnet - - <user_name|-> <user_password|-> <super_password|->
<hostname pattern> telnet - - <user_name|-> <user_password|-> <super_password|->
<hostname pattern> telnet - - <user_name|-> <user_password|-> <super_password|->
<hostname pattern> telnet - - <user_name|-> <user_password|-> <super_password|->
# S-T-O-P
Marker above disables password scanning and must be left intact.

Any text (again, a piece of PHP code).

Column 1 is a hostname pattern, which is matched against "management address" of a given switch, which is:

  • FQDN attribute of the switch, if it is set (the recommended practice is to have "FQDN" set for each managed switch)
  • otherwise it is IP address of the switch, if it has one and only one IP address allocated (on "IPv4" tab of object page)
  • otherwise it is the "common name" of the switch, if its common name is a valid hostname

Again, this "management address" is matched against the pattern. This pattern is a so called "shell pattern", which can use expressions "*", "?" and "[...]" (like those in filename patterns in UNIX shell). It is important to have patterns matching only devices, which one really intends to log into. Without this measure (when one uses "*" as hostname pattern) RackTables would always use a real password for any device. This way the real password would be compromised as soon, as an object in the database resolves into IP address outside your network. This way, to match every hostname in "example.com" domain, one can write "*.example.com" or "switch*.example.com".

Columns 2-4 (telnet minus minus) don't do anything, they are there solely for compatibility reasons and are likely to be discarded in future.

vendor-specific switch setup

Cisco IOS

  • Every port, which is intended to perform switching, must have "switchport mode" explicitly set in its "interface" section.
  • VTP mode must be set to "transparent".

Extreme Networks XOS

  • Every VLAN besides "Default" and "Mgmt" (that is, any VLAN created by the user) must be named "VLANx", where x is VLAN tag ID. For example, "VLAN2", "VLAN123", "VLAN4000".

Huawei VRP

  • The device must have output paging disabled:
user-interface vty 0 4
 screen-length 0