Introduction

When deploying virtual servers on ESX and ESXi hosts you may notice that the time on your servers drifts. This is because a guest operating system keeps time from the hardware clock and timer interrupts it is given, and in a virtual machine those are emulated by the host, so interrupts can be delayed or lost under load and the guest falls behind. We need a solution to keep the time of our servers correct: Kerberos authentication, certificate validation and log correlation during an investigation all depend on clocks that agree.

Terminology: NTP

The Network Time Protocol is used to synchronise the clock of a client to a time server, normally over UDP port 123. Plain NTP carries no authentication unless symmetric keys or Autokey are configured, so whichever server you point a host at is trusted to tell it the time.

Configuration

We have a couple of methods available to ensure the correct time on our guest servers. The first is to get the guest servers to synchronise with the underlying host. The first thing to do, then, is to make sure our hosts are at the right time.

1. We’ll first SSH to our host servers and log in, either as root or by using su from a less privileged user. By default the NTP client isn’t allowed out through the ESX firewall, so we need to permit this with the command “esxcfg-firewall -e ntpClient“. This command belongs to the ESX service console; ESXi has no service console, so there the ntpClient rule is enabled from the vSphere Client (Configuration, Security Profile) or with the esxcli firewall commands instead.

2. Now we’re logged in we can enable the ntpd service. This is the daemon that will be responsible for keeping the host clock in step with the NTP servers we specify. We enable the service to run at startup with the command “/sbin/chkconfig ntpd on“. We then need to set up NTP by editing the ntp.conf file.

3. We now open the configuration file with our favourite text editor (vi, of course) using “vi /etc/ntp.conf” and press “i” to get into insert mode. We then enter the following into the file:

restrict 127.0.0.1

server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 2.uk.pool.ntp.org
server 3.uk.pool.ntp.org

server  127.127.1.0
fudge   127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay  0.008

The “restrict” lines are ntpd’s access control list, and it is easy to get them backwards. “restrict 127.0.0.1” does not restrict anything: it is an entry for the host itself with no flags, which grants localhost full access (so ntpq and ntpdc keep working locally). What stops everyone else is a “restrict default” line, and with the configuration above there isn’t one, so any host that can reach UDP 123 on the server can query it (including the mode 6/7 status queries that leak configuration and were used for amplification attacks) and attempt to peer with it. To consume time and serve nothing to anyone, put “restrict default kod nomodify notrap nopeer noquery” (and “restrict -6 default kod nomodify notrap nopeer noquery” if IPv6 is enabled) in front of the “restrict 127.0.0.1” line. We then specify the servers we wish to synchronise with. You can find a list of servers at http://www.ntp.org, or your ISP may offer a time server to use. “server 127.127.1.0” defines the local clock and “fudge 127.127.1.0 stratum 10” sets its stratum, which behaves almost like a priority, to 10, so that the real servers are preferred and the local clock is only used if they are all unreachable. “driftfile /var/lib/ntp/drift” specifies the name and location of the drift file; ntpd records the measured frequency error of the clock there so that it converges faster after a restart. “broadcastdelay” specifies the assumed network delay between a broadcast client and the server; the default when we don’t specify a value is 0.004 seconds, and it has no effect on this configuration because we use unicast “server” lines rather than broadcast.

When we’re done we press “Esc” to leave insert mode and type “:wq” (write and quit) to save and exit the file.

4. We now need to start the ntpd service on our host. We do this with the command “/etc/init.d/ntpd start“. The service will start and begin to bring our server clock to the right time, which may take a while. Instead of stepping the clock to the correct time immediately, ntpd slews it in small adjustments, because a clock that jumps can upset applications (and a backwards jump confuses anything that relies on timestamps only moving forward, including log ordering and Kerberos ticket lifetimes). We can, however, set the time immediately with the command “ntpdate -u ntpserver”, where ntpserver is a valid NTP server, ideally before ntpd is started. In my case, I might use 0.uk.pool.ntp.org. The “-u” makes ntpdate send from an unprivileged source port, which is also what lets it run while ntpd already holds port 123.
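Before starting ntpd it is worth checking the access-control lines mechanically rather than by eye. The following Python script is an added example, not part of the original post or of the ntp distribution: it parses the ntp.conf keywords used above and reports whether the daemon would answer anyone. PAGE_CONF is the file from step 3; HARDENED_CONF is a constructed version with a “restrict default” policy in front of it.

```python
"""Audit an ntp.conf for the 'restrict' mistake discussed in step 3.

Added example, not code from the post. It parses the ntp.conf keywords
the page uses and reports whether the daemon would answer status queries
from, or peer with, arbitrary hosts. PAGE_CONF is the page's own file;
HARDENED_CONF is a constructed version with a proper default policy.
"""

PAGE_CONF = """\
restrict 127.0.0.1

server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 2.uk.pool.ntp.org
server 3.uk.pool.ntp.org

server  127.127.1.0
fudge   127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay  0.008
"""

HARDENED_CONF = """\
# Default policy first: nobody may query status, modify, peer or set traps.
# kod sends kiss-o'-death packets to rate-limit abusive clients.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# The host itself keeps full access so ntpq/ntpdc still work locally.
restrict 127.0.0.1
restrict -6 ::1

server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 2.uk.pool.ntp.org
server 3.uk.pool.ntp.org

server  127.127.1.0
fudge   127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
"""

REQUIRED_DEFAULT_FLAGS = {"nomodify", "noquery", "nopeer", "notrap"}


def parse_ntp_conf(text):
    """Return [(keyword, [args])], with comments and blank lines dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            keyword, *args = line.split()
            entries.append((keyword, args))
    return entries


def default_restrict_flags(entries):
    """Flag sets of every 'restrict [-4|-6] default ...' line."""
    flag_sets = []
    for keyword, args in entries:
        if keyword != "restrict":
            continue
        target = args[1:] if args[:1] in (["-4"], ["-6"]) else args
        if target[:1] == ["default"]:
            flag_sets.append(set(target[1:]))
    return flag_sets


def audit_ntp_conf(text):
    """Return human-readable findings; an empty list means the ACL is sane
    for a host that only consumes time and serves it to nobody."""
    entries = parse_ntp_conf(text)
    findings = []
    defaults = default_restrict_flags(entries)
    if not defaults:
        findings.append(
            "no 'restrict default' line: any host can query ntpd status "
            "(mode 6/7, the amplification vector) and try to peer with it; "
            "'restrict 127.0.0.1' only grants localhost full access"
        )
    for flags in defaults:
        missing = REQUIRED_DEFAULT_FLAGS - flags
        if missing:
            findings.append("'restrict default' is missing: " + ", ".join(sorted(missing)))
    upstreams = [a[0] for k, a in entries
                 if k == "server" and a and not a[0].startswith("127.127.")]
    if not upstreams:
        findings.append("no upstream server: only the local clock (127.127.1.0) is a source")
    return findings


if __name__ == "__main__":
    for name, conf in (("page config", PAGE_CONF), ("hardened config", HARDENED_CONF)):
        print(f"{name}:")
        for finding in audit_ntp_conf(conf) or ["OK"]:
            print("  -", finding)
```

Run it against the real file with audit_ntp_conf(open("/etc/ntp.conf").read()); the page’s own config produces one finding (no default policy) and the hardened version none. The same parser works for a Linux guest’s ntp.conf, which is the configuration reused in the summary below.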

5. Now that our host(s) have the correct time we can set the guest server to use the host as a time source in VMware Tools. Once we open the VMware Tools dialogue box, we can see on the first tab an option called “Time synchronization between the virtual machine and the ESX server.” If we select this, the guest server will use the host to keep time. Two caveats: periodic Tools synchronisation only corrects a guest that has fallen behind the host, a guest running ahead is not pulled back except at events such as a snapshot revert or vMotion; and a guest should use either this or its own NTP / w32time client, not both, otherwise the two will fight over the clock. Domain controllers in particular should keep the Windows time hierarchy described below and have Tools synchronisation switched off.

Our second method is to get the guest server to use time servers directly. On Windows we can do this easily with w32tm.

1. For this method we do not need to set the host server to use an accurate time source, so we can just jump straight onto the guest. In a domain, members and the other domain controllers take their time from the domain hierarchy, and only the domain controller holding the PDC emulator FSMO role should be pointed at external NTP servers, so we first need to determine which server holds that role. We can do this with the command “netdom query fsmo“. These are the results of the command when running it on the domain controller that we provisioned in the post Creating a Domain Controller.

Not surprisingly, the server we are on is the PDC (in the post-NT4 world the concepts of PDCs and BDCs don’t exist, but the FSMO role is there for backwards compatibility and is a PDC emulator), as it is the only server in our domain.

2. We now start by stopping the w32time service with the command “net stop w32time”. Now the service is stopped, we can use the command “w32tm /config /syncfromflags:manual /manualpeerlist:"server1 server2 server3"” where server1, server2 and server3 are valid NTP servers; at least one is required. Note: the list of servers is separated by spaces, not commas, and must be surrounded by quotation marks “ when there is more than one. Breaking down this command we see “/config”, meaning we want to configure w32tm; “/syncfromflags:manual” specifies where the computer should look for its time source, in our case a manual list rather than the domain hierarchy, so we now need to specify that list. This is where “/manualpeerlist:"server1 server2 server3"” comes in.

3. Our next command is “w32tm /config /reliable:yes“. This makes the server advertise itself as a reliable time source on the network, so other domain controllers, servers and PCs in our domain will use this server to keep time. Only set this on the PDC emulator, the one machine whose clock is actually anchored to external NTP.

4. Finally, we need to start the w32time service again. The command for this is “net start w32time“. Altogether, the commands look like this. I’ve only included two servers here to keep the length of the line short. Afterwards, “w32tm /query /status” shows the source the service has settled on and “w32tm /resync” forces an immediate synchronisation.

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.uk.pool.ntp.org 1.uk.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time

And a screenshot:

Summary

We’ve seen how to set up our VMware ESX hosts to query NTP servers for the correct time, and to allow our Windows guests to synchronise with the host server. We also saw how to configure the guest server to query NTP servers directly; this is ideal because it works equally well on physical servers. We can also use the method implemented on the ESX host to configure our Linux servers, we just don’t need the command “esxcfg-firewall -e ntpClient” as it won’t be an ESX server. We may, however, need to allow outbound UDP 123 in iptables or any other firewall we are running so the NTP client can reach the NTP server.

I hope you found this post informative, please leave a comment if you have any questions or feedback.

Introduction

More and more people and organisations are moving to VoIP for all sorts of different reasons. Where I work we’re looking to implement VoIP to expand our range of services and as an extra option we can add to various bespoke solutions we work on. But how does that call get made? How does the phone connected to our network manage to call another phone connected to our network, or another phone connected somewhere out there on the Internet? This post walks through the steps that are taken to set up and terminate a phone call using SIP.

Terminology: SIP

SIP or Session Initiation Protocol is a signalling protocol used to create, modify and terminate sessions between endpoints; in our case the session is an RTP media stream between two VoIP / SIP phones. SIP messages are text, modelled on HTTP, and by default travel over UDP port 5060 (5061 for SIP over TLS).

Terminology: RTP

RTP or Real-time Transport Protocol is the protocol used to send voice and video data between two endpoints such as two VoIP / SIP phones. RTP is used in conjunction with RTCP.

Terminology: RTCP

RTCP or Real-Time Transport Control Protocol works along side RTP and provides statistics and control information to the endpoints about the media stream(s) transported by RTP so that the endpoints may control the QoS parameters of the stream.

Terminology: QoS

QoS (Quality of Service) is the ability to give different priority to different types of traffic or applications on our network, or to guarantee a specific level of performance to a particular type of traffic or application.

Terminology: VoIP

VoIP (Voice over Internet Protocol) is a family of technologies, including SIP, RTP and RTCP, that delivers voice over our existing data networks and the Internet.

Configuration

In this blog post there isn’t going to be any configuration as such. We’ll use the following topology as we go through the steps involved with the setup of a SIP call.

1. When the two phones are connected they will first connect to the network and, if an IP address is not statically set, obtain an address using DHCP, exactly like any PC on the network would. They then register with the SIP Proxy Server by sending a REGISTER request. This is like the phones logging onto the server: information about the phone, such as its address and its IP address, is recorded in the location database. The address of the phone is referred to as the AOR or Address-of-Record and might look something like sip:bob@sipprovider.com or 1234@sip.callmebyvoip.com. Because whoever registers an AOR receives its calls, the registrar should challenge the REGISTER with a 401 Unauthorized and only accept it with valid digest credentials; a registrar that accepts unauthenticated REGISTERs lets anyone on the network hijack an extension.

2. When the user with extension 1111 picks up the phone and dials 2222, the phone sends an INVITE request to the SIP Proxy Server. The server looks up the destination in its location database and forwards the INVITE to the phone with extension 2222, adding its own Via header so that the responses come back through it.

3. The phone at extension 2222 then sends back a 100 Trying response to the server, and the server passes it on to the calling phone. 100 Trying means the INVITE has been received and is being processed; it asks the calling phone to wait, and stop retransmitting, while the call is connected.

4. The phone at extension 2222 will then start to ring to let the user know there is a call and will send a 180 Ringing response to the server; again the server sends the 180 Ringing back to the phone with extension 1111. Once this phone receives it, it plays a ringing tone in the earpiece.

5. The user at extension 2222 then picks up the handset to answer the call and the phone sends a 200 OK response to the server to let it know that the call has been answered. The server sends the 200 OK to the phone at extension 1111 to let it know that the call has been answered by the other side. The 200 OK carries the called phone’s Contact address and the SDP body describing where it wants to receive RTP.

6. The phone at 1111 now sends an ACK directly to the phone at extension 2222, and the two phones set up a media session between themselves and begin to send audio (and video) directly to each other using RTP. Direct phone-to-phone media is the normal case; if the proxy inserts a Record-Route header, or if a session border controller or media relay sits between the phones for NAT traversal, the ACK and the RTP go through it instead.

7. When the call is finished the handset is hung up and that phone sends a BYE request to the other phone. This is acknowledged with a final 200 OK before the media session is closed, and both phones are then ready to place or accept a new call.
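To make the seven steps concrete, here is the same exchange as runnable Python. It is an added example and not code from the original post or from any SIP stack: it builds genuine SIP message text for each hop, models the proxy adding and removing its own Via header, and checks the order in which the calling phone sees the messages. The extensions 1111 and 2222 are the page’s; the domain sip.example.local, the proxy at 192.0.2.10 and the phone addresses are made-up values.

```python
"""SIP call flow from steps 2 to 7, as runnable Python.

Added example, not code from the post. It builds real SIP message text
for INVITE / 100 Trying / 180 Ringing / 200 OK / ACK / BYE, passes the
INVITE and its responses through a proxy that adds and removes its own
Via header, and checks that the caller saw the messages in the right
order. Extensions 1111 and 2222 are from the post; the domain and the
192.0.2.x addresses are made up (RFC 5737 documentation range).
"""
import uuid

DOMAIN = "sip.example.local"                              # assumed
PROXY = "192.0.2.10"                                      # assumed proxy address
PHONES = {"1111": "192.0.2.111", "2222": "192.0.2.222"}   # assumed phone addresses


def parse_sip(text):
    """Return (start_line, {header: [values]}); Via can repeat, so values are lists."""
    head = text.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    return head[0], headers


def request(method, to_ext, from_ext, call_id, cseq):
    """Build a request from one phone to another's AOR (To-tag omitted for brevity)."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:8]      # RFC 3261 magic cookie + unique id
    return (
        f"{method} sip:{to_ext}@{DOMAIN} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {PHONES[from_ext]};branch={branch}\r\n"
        f"From: <sip:{from_ext}@{DOMAIN}>;tag={from_ext}tag\r\n"
        f"To: <sip:{to_ext}@{DOMAIN}>\r\n"
        f"Call-ID: {call_id}\r\n"
        f"CSeq: {cseq} {method}\r\n"
        f"Contact: <sip:{from_ext}@{PHONES[from_ext]}>\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def response(code, reason, req):
    """Responses copy Via/From/To/Call-ID/CSeq from the request they answer."""
    _, headers = parse_sip(req)
    lines = [f"SIP/2.0 {code} {reason}"]
    for name in ("Via", "From", "To", "Call-ID", "CSeq"):
        lines += [f"{name}: {v}" for v in headers[name]]
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


def proxy_forward_request(msg):
    """A proxy pushes its own Via on top so that responses retrace the path."""
    start, rest = msg.split("\r\n", 1)
    return f"{start}\r\nVia: SIP/2.0/UDP {PROXY};branch=z9hG4bKproxy\r\n{rest}"


def proxy_forward_response(msg):
    """...and pops that Via again before relaying a response towards the caller."""
    lines = msg.split("\r\n")
    lines.remove(next(l for l in lines if l.startswith("Via:") and PROXY in l))
    return "\r\n".join(lines)


def summarize(start_line):
    """'INVITE sip:... SIP/2.0' -> 'INVITE'; 'SIP/2.0 180 Ringing' -> '180'."""
    parts = start_line.split()
    return parts[1] if parts[0] == "SIP/2.0" else parts[0]


def simulate_call(caller="1111", callee="2222"):
    """Return the list of (sender, receiver, start_line) hops for one complete call."""
    hops = []
    call_id = f"{uuid.uuid4().hex}@{PHONES[caller]}"

    def hop(src, dst, msg):
        hops.append((src, dst, parse_sip(msg)[0]))
        return msg

    # Step 2: INVITE goes to the proxy, which looks 2222 up and forwards it.
    invite = hop(caller, "proxy", request("INVITE", callee, caller, call_id, 1))
    invite_at_callee = hop("proxy", callee, proxy_forward_request(invite))

    # Steps 3 to 5: 100 Trying, 180 Ringing and 200 OK retrace the Via path.
    for code, reason in ((100, "Trying"), (180, "Ringing"), (200, "OK")):
        resp = hop(callee, "proxy", response(code, reason, invite_at_callee))
        hop("proxy", caller, proxy_forward_response(resp))

    # Step 6: the ACK for a 2xx goes end to end; RTP then flows phone to phone.
    hop(caller, callee, request("ACK", callee, caller, call_id, 1))

    # Step 7: BYE from the phone that hangs up, answered with 200 OK, end to end.
    bye = hop(callee, caller, request("BYE", caller, callee, call_id, 2))
    hop(caller, callee, response(200, "OK", bye))
    return hops


def caller_saw_valid_flow(hops, caller="1111"):
    """True if the caller's view was INVITE, 100, 180, 200, ACK, BYE, 200 in order."""
    seen = [summarize(s) for src, dst, s in hops if caller in (src, dst)]
    return seen == ["INVITE", "100", "180", "200", "ACK", "BYE", "200"]


if __name__ == "__main__":
    for src, dst, start in simulate_call():
        print(f"{src:>6} -> {dst:<6} {start}")
    print("valid:", caller_saw_valid_flow(simulate_call()))
```

Running it prints eleven hops: the INVITE twice (phone to proxy, proxy to phone), three responses each crossing two hops, and then ACK, BYE and the final 200 OK with no proxy involved, which is the point the summary makes about media and call teardown bypassing the server. The proxy’s only contribution to the responses is removing the Via it added, which is exactly what lets a misbehaving proxy be spotted in a capture: a response arriving at the caller with a Via it never sent has been through something else.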

Summary

We’ve taken a brief look at how a SIP call is set up, looking at the protocols used, such as RTP, and what messages are sent between the phones and the server during call initiation. We’ve also seen that the actual voice call does not pass through the SIP server but is instead sent directly between the two phones over the media session set up at the end of the SIP exchange, and that SIP is used again to tear the media session down.

I hope you found this post informative, please leave a comment if you have any questions or feedback.

Introduction

I am involved in setting up many bespoke hosted solutions for various customers that I deal with as part of my job. The vast majority of these revolve around a Microsoft Windows based domain, and at the heart of this is the Domain Controller. Setting this up is simple so let’s get started.

Terminology: Domain Controller (DC)

A Domain Controller is a server that is responsible for responding to authentication requests. It is possible to have a single server or several servers acting as Domain Controllers. In the days of NT4 you would have a Primary Domain Controller and one or more Backup Domain Controllers. Windows 2000 introduced Active Directory, which eliminated the need for master and backup servers by using multi-master replication.

Terminology: Active Directory (AD)

Active Directory is a directory service that stores information relating to network objects such as Users, Computers, Printers etc. It also allows administrators to assign policies to the objects. The Active Directory database is held on the Domain Controllers.

Terminology: Domain

A domain is a collection of objects, including at least one domain controller, that all share the same DNS namespace. For example you might have server1.mydomain.com, server2.mydomain.com and pc1.mydomain.com; these would all be part of the same domain.

Terminology: Tree

A tree is a collection of domains in a contiguous DNS namespace, so your tree could contain the domains red.mydomain.com, blue.mydomain.com and green.mydomain.com.

Terminology: Forest

A Forest is a collection of Trees that share common elements such as the Global Catalog and Directory Schema. The forest, not the domain, is the security boundary: every domain in a forest trusts the others, and an administrator of one domain can usually escalate to the rest.

Terminology: Global Catalog (GC)

Global Catalog servers are Domain Controllers but rather than just containing the information for their own domain they hold the information for all objects in the forest. This information is then replicated to other Global Catalog Servers in the Forest. In a large forest the information being replicated could cause network issues especially over slow WAN / Internet connections so only selected attributes of each object are replicated.

Terminology: Directory Schema

The Directory Schema is a database of all the object classes, such as users, groups and computers, and of the attributes that can be stored in the directory. The schema can be extended to include additional classes and attributes.

Terminology: Flexible single master operation (FSMO)

FSMO, pronounced “fizz-mo”, roles are also known as operations master roles. There are five FSMO roles. Some of these exist once per domain and some once per forest. We’ll look at FSMO roles in a later article, but for now, as we are only deploying a single server, all the roles will exist on the one server.

Configuration

1. We start with a fresh install of Windows Server 2008 R2 which at the moment is just part of a workgroup and does not have any domain membership. The first thing we need to do with our new server is set its name. We do this by going into “System Properties“. Once there we click “Change” under the “Computer Name” tab, which opens the “Computer Name/Domain Changes” dialogue box for us.

In here we’ll enter our new server name “server“. We can ignore the “Member of” section because that is used when we want to add a server or PC to a domain. After clicking OK we’ll be prompted to reboot the server for the change to take effect.

Alternatively we can do this from the command prompt with “netdom renamecomputer currentservername /newname:newservername /reboot:0”, where newservername is the name we want to change our server to and currentservername is the server’s current name, which we can find from the output of the “hostname” command. We specify “/reboot:0” to reboot the server after the change and to wait zero seconds before doing so; if we don’t add the “:0” the server will wait the default 30 seconds before restarting.

Once we enter the command we will be asked to confirm, because changing the name after certain roles have been installed can cause issues with those services. As this is a new server install we have no services or roles installed that would require a fixed name, so we can choose Y to continue and the server will reboot.

2. OK, so the server is back up. The next thing we need to do before promoting the server to a domain controller is set a static IP address. We do this in the “Internet Protocol Version 4 (TCP/IPv4) Properties” dialogue. We just need a static IP address, the correct subnet mask and the gateway. I’ll enter the DNS server addresses too, because when we install the DNS server role later the wizard will automatically take the values set here as our forwarder addresses and set our DNS server to 127.0.0.1.

Alternatively we can do this at the command line with the command “netsh interface ipv4 set address name="myadapterid" source=static address=myipaddress mask=mysubnetmask gateway=mydefaultgateway”, where myadapterid is the Idx value shown in the output of the “netsh interface ipv4 show interfaces” command.

Now we can add our DNS servers using the command “netsh interface ipv4 add dnsservers name="myadapterid" address=mydnsserver index=x validate=no”, where myadapterid is the same Idx value as earlier, mydnsserver is the IP address of your DNS server and x is the index, so 1 for the first DNS server address, 2 for the second, etc. I always add “validate=no” to the end to stop Windows

We can then verify with “ipconfig /all” that all the information we have entered has been assigned to the adapter.

3. We’ll run a tool called “dcpromo“. This launches a wizard that allows us to promote this server to a Domain Controller. We can also run “dcpromo /answer:C:\filename.txt”, where C:\filename.txt is the full path and name of a text file that we create with all the answers the wizard would ask for, to allow for an unattended setup of the domain.

After running “dcpromo” the server will start to install the Active Directory Domain Services binaries to the server.

Once this has completed, we are presented with the wizard and asked if we wish to use advanced mode installation. We can also launch the advanced mode installation by adding the switch “/adv” to the “dcpromo” command. The advanced mode install gives us additional options, in particular the domain NetBIOS name: when not in advanced mode the server will determine the best name to use, but in advanced mode we can set our own. So going with the old adage “more is better”, let’s tick “Use advanced mode installation” and click Next.

4. We are presented with a page of text. Basically this is saying that some older clients and applications may not be compatible with the new Domain Controller, because its more secure default settings prevent clients from using the weaker NT4-style cryptographic algorithms.

We’re OK with this so we can just click Next.

5. Now our first proper question. Do we want to set this up in an “Existing Forest” or do we want to “Create a new domain in a new forest”. We have no existing Forest or Domain so we need to choose the option to create a new one. You’ll also see options greyed out beneath “Existing Forest” these let us specify what type of new Domain we would be adding to our forest. For now we’ll click “Create a new domain in a new forest” and click Next.

We now need to pick our FQDN or Fully Qualified Domain Name for our new forest and domain. We’ll go with “pebelnet.local”. You can use a full real Internet domain name such as “pebelnet.co.uk”, but usually the servers responsible for your real domain name are completely separate from your Windows domain and you’ll have problems with DNS later on down the line. Two caveats with “.local”: it is the domain that mDNS (Bonjour/Avahi) uses on Apple and Linux clients, which can make name resolution unreliable for them, and public certificate authorities will no longer issue certificates for names under it. Microsoft’s current recommendation is a subdomain of a domain you own, such as ad.pebelnet.co.uk, which keeps the internal zone separate from the public one while avoiding both problems.

The server will then check whether the new forest/domain name you specified is already in use. If all is OK you’ll be asked to enter a NetBIOS name. The server will try to determine the best name to use based on the FQDN you entered. Usually this is acceptable, however in some cases you may wish to change it, and without “Use advanced mode installation” ticked at the beginning we wouldn’t have been given this option.

6. We are now asked to set the Forest Functional Level. The Forest Functional Level is the earliest version of Windows you want to be able to add as a domain controller to the forest. If the level is set at “Windows Server 2003” you can only add domain controllers running Windows Server 2003 or later; you will not be able to add Windows 2000 Server to the forest because the level is too high. Similarly, if the level is set at “Windows Server 2008 R2”, servers running Windows 2000 Server, Server 2003 and Server 2008 will not be able to join the forest as domain controllers.

Where possible I like to set the Forest Functional Level as high as I can, as more features are available at the later levels (for example, the Active Directory Recycle Bin needs the Windows Server 2008 R2 forest level). If you choose a lower level you can increase the functional level later, but you cannot decrease it.

We are only going to use Windows Server 2008 R2 in our forest, but just in case we’ll set it to the “Windows Server 2003” level and click Next.

7. Next the server examines the DNS configuration and checks whether we have a DNS server available and whether any DNS server is already authoritative for our chosen forest / domain name.

After the server has finished checking it will ask us what additional options we wish to install. As this is our first Domain Controller it must be the Global Catalog too, and because we aren’t managing DNS for this domain elsewhere we need to install the DNS server role also. The third option is for an RODC or Read Only Domain Controller. These are domain controllers that do not allow changes to be made to Active Directory and do not store passwords by default. Because of this our first Domain Controller cannot be an RODC.

RODCs would be used in branch offices or in insecure locations: if access were gained to the server, objects within the directory could not be altered, i.e. users cannot be added or removed, passwords changed, etc. As passwords are not stored on the server, if it were stolen from an insecure branch office someone trying to obtain or brute force the passwords would be out of luck. We can specify, through the Password Replication Policy, that the RODC caches the passwords of certain accounts, like the users and computers at the branch office, so their logons can be authenticated locally; privileged accounts are in the Denied RODC Password Replication Group by default and are never cached. If the server is stolen, the administrator deletes its computer account from the domain / forest, without all the issues associated with removing Domain Controllers that cannot be safely demoted, and is offered the chance to reset the passwords of every account that RODC had cached, in effect locking those users and computers out until they are reset.

So, getting back to the setup, let’s make sure DNS is selected and click Next.

8. The server will examine the DNS configuration again and we should then be told that it cannot find a DNS server for the domain we specified earlier and therefore cannot create a delegation for this DNS server. We’re fine with this because we’re using a “.local” domain that is specific to the Windows Domain we’re creating now, so we can click Yes to continue.

9. We now get to choose where to put the Database, Log Files and SYSVOL. In an ideal world each of these would be on its own separate volume for performance and easier recovery in case of hardware failure. This isn’t possible in our setup as we only have one volume available to us, so we’ll have to stick with the defaults.

10. We now need to pick a DSRM or Directory Services Restore Mode password. This password is used if we have a problem with Active Directory and need to boot the server into DSRM; the boot option is found in the boot menu by pressing F8 at startup, just like getting into safe mode. Pick something secure and something that you can remember when you need it. Treat it like any other local administrator password: in DSRM it gives full access to the directory database on disk, so keep it in the password safe rather than in an answer file, and change it with “ntdsutil” (“set dsrm password”) if it is ever shared.

11. We are now presented with a summary of our setup before we commit it. We can also export the answer file using the “Export settings…” button; this saves a copy of the answer file that can be used with the “dcpromo /unattend:c:\myanswerfile.txt” command. The export removes any passwords set, such as the DSRM password, and these will have to be re-added manually to the text file before it can be used for an unattended setup, which is why an answer file with passwords in it needs protecting and deleting once the promotion is done. Clicking Next will start the setup of our Domain Controller.

12. The server now installs the various roles and components needed to function as a Domain Controller. Once it has completed we click the “Finish” button and the server will prompt us to reboot to complete the setup.

13. Now our server has booted back up it is a domain controller, and we need to log in for the first time. The administrator’s password is the same as before (the local Administrator account has become the domain’s built-in Administrator); the password we set during the wizard is only for Directory Services Restore Mode. We can confirm by looking at the installed roles in “Server Manager”, where we can see “Active Directory Domain Services” and “DNS Server” as installed roles.

Summary

We’ve seen how to set up Windows Server 2008 R2 as a Domain Controller in a new Forest. We’ve seen the additional options available during setup, and what options such as Global Catalog and Read Only Domain Controller do for us and our Windows Domain.

I hope you found this post informative, please leave a comment if you have any questions or feedback.

Introduction

At home I like to keep my wireless network separate from the wired network. The way I do this is using VLANs or Virtual LANs. So for example I have my wired network on VLAN 2 and my wireless network on VLAN 50. Doing this ensures the networks are in separate broadcast domains and cannot communicate directly; anything passing between them has to go through the router, which is where access lists can be applied.

Terminology: VLAN

A VLAN is a Virtual LAN. Devices in a VLAN communicate as if they were connected to the same broadcast domain in the same way that all devices connected to a hub or  switch do. However you can segment your switch into VLANs each becoming a separate broadcast domain.

Configuration

We will use the topology shown below. The wired network will be on 192.168.2.0/24 and the wireless network will be on 192.168.50.0/24.

1. We start on S1 and the first thing we need to do is create our VLANs. We do this from global configuration mode using the command “vlan vlan-id”, where vlan-id is the identifying number of the VLAN we are creating; in our case we are creating VLAN 2 and VLAN 50. We can give names to the VLANs so we can identify them in the show commands later. We give a VLAN its name from VLAN configuration mode with the command “name vlan-name”, where vlan-name is just a word.

S1(config)#vlan 2
S1(config-vlan)#name WIRED_NETWORK
S1(config-vlan)#
S1(config-vlan)#vlan 50
S1(config-vlan)#name WIRELESS_NETWORK

2. Now we have the VLANs set up we can verify them with the “show vlan” command.

S1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
2    WIRED_NETWORK                    active    
50   WIRELESS_NETWORK                 active    
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup 

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
50   enet  100050     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0   
1003 tr    101003     1500  -      -      -        -    -        0      0   
1004 fdnet 101004     1500  -      -      -        ieee -        0      0   
1005 trnet 101005     1500  -      -      -        ibm  -        0      0   

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
S1#

You can see from this output that we have our two VLANs created, but also a default VLAN and VLANs 1002 – 1005. VLAN 1 is the default VLAN on a switch: if you do no VLAN configuration, all interfaces and devices connected to the switch are part of VLAN 1, and it also carries control traffic such as CDP, VTP and DTP, which is why unused ports are better moved out of it. VLANs 1002 – 1005 are legacy FDDI and Token Ring defaults that are only present so the switch complies with the standards; they cannot be deleted.

3. You should also have noticed from the output above that even though we have two VLANs created we don’t actually have any interfaces associated with them, so the next thing to do is go into interface configuration and assign the correct interfaces to the relevant VLANs. To do this we first need to put the switch ports into access mode. By default these are dynamic (desirable or auto, depending on the platform), which means that the interface will negotiate with DTP and become a trunk if the other side agrees, falling back to an access interface otherwise. Leaving that in place on a port a user can plug into is a classic VLAN-hopping hole: a host that speaks DTP can negotiate itself a trunk and then tag frames into any VLAN. We set our interfaces to access with the command “switchport mode access” (adding “switchport nonegotiate” stops DTP frames being sent at all) and then set the interface to the correct VLAN with the command “switchport access vlan vlan-id”, where vlan-id is the VLAN we want to put the interface into.

S1(config)#interface FastEthernet 0/1
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 2
S1(config-if)#
S1(config-if)#interface FastEthernet 0/2
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 50

If we now look at the output of “show vlan” we can see that the VLANs now have the interfaces assigned.

S1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
2    WIRED_NETWORK                    active    Fa0/1
50   WIRELESS_NETWORK                 active    Fa0/2
...

4. We now need to be able to route between the two VLANs, so we jump to R1 and from here we create two sub-interfaces on FastEthernet0/0. We do this by typing the command “interface interface interface-number.subinterface-number”, where interface is the type of interface such as Ethernet / ATM / FastEthernet, interface-number is the number of the interface such as 0/0, 0/1 or 1/0/3, and subinterface-number is any number up to 4294967295 to uniquely identify the sub-interface. I like to use the VLAN ID as the sub-interface number. We’ll create FastEthernet0/0.2 and FastEthernet0/0.50 on our router.

R1(config)#interface FastEthernet0/0.2
R1(config-subif)#interface FastEthernet0/0.50
R1(config-subif)#

Now we have our interfaces, let’s assign them to the relevant VLANs with the command “encapsulation dot1q vlan-id”, where vlan-id is the VLAN whose tagged frames this sub-interface will send and receive. We need to go back under the sub-interface configuration for FastEthernet0/0.2 and FastEthernet0/0.50. While we are in the sub-interface configuration we’ll add the IP addresses for the interfaces too: 192.168.2.254 for FastEthernet0/0.2 and 192.168.50.254 for FastEthernet0/0.50.

R1(config)#interface FastEthernet0/0.2
R1(config-subif)#encapsulation dot1Q 2
R1(config-subif)#ip address 192.168.2.254 255.255.255.0
R1(config-subif)#
R1(config-subif)#interface FastEthernet0/0.50
R1(config-subif)#encapsulation dot1Q 50
R1(config-subif)#ip address 192.168.50.254 255.255.255.0
R1(config-subif)#

5. If we try to ping the router from the PCs (the wired network PC set to 192.168.2.1 and the wireless network PC set to 192.168.50.1) we will get no response. Why? Because S1 and R1 need to carry both VLANs over a single link, and this is where trunking comes in. Trunking allows us to send all VLAN traffic over one connection, each frame tagged with its VLAN ID, rather than having to have an individual interface for each VLAN. To enable trunking between R1 and S1 we first need to go to S1 and enter the command “switchport mode trunk” in interface configuration mode on interface FastEthernet0/3.

S1(config)#interface FastEthernet0/3
S1(config-if)#switchport mode trunk
S1(config-if)#

This allows S1 to trunk with R1 and pass all VLAN traffic. We can verify this by looking at “show vlan”: Fa0/3 is missing from the output because it is no longer associated with a single VLAN.

S1#show vlan
VLAN Name                             Status    Ports
 ---- -------------------------------- --------- -------------------------------
 1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                 Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                 Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                 Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                 Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                 Fa0/24
 2    WIRED_NETWORK                    active    Fa0/1
 50   WIRELESS_NETWORK                 active    Fa0/2
 ...

To see the trunk information we use the command “show interface trunk”. Here we see all the active trunk interfaces, the status of each trunk and which VLANs it is passing.

S1#show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/3       1-1005

Port        Vlans allowed and active in management domain
Fa0/3       1,2,50

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       1,2,50
S1#
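The output above tells us the trunk is up, but it also shows that Fa0/3 allows VLANs 1-1005 while only 1, 2 and 50 are active, and that the native VLAN is still 1. The following Python script is an added example (not part of this post) that parses “show interface trunk” text and reports, per trunking port, the native VLAN and how many allowed VLANs are not actually in use. The sample output is constructed from the S1 output shown above; the function names are my own.

```python
"""Parse 'show interface trunk' output and compare, per trunk port, the VLANs
allowed on the trunk against the VLANs that are actually active.

Added example for this post, not part of the original article. The sample
output below is constructed from the S1 output shown in the post."""

# Constructed sample: the S1 output from the post, same column layout.
SHOW_INTERFACE_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/3       1-1005

Port        Vlans allowed and active in management domain
Fa0/3       1,2,50

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       1,2,50
"""


def expand_vlan_list(text):
    """Turn an IOS VLAN list such as '1,2,50' or '1-1005' into a set of ints."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_interface_trunk(output):
    """Return {port: {"mode", "encap", "status", "native", "allowed", "active"}}.

    The output is a sequence of sections, each introduced by a 'Port' header
    line whose wording says what the following data lines contain."""
    trunks = {}
    section = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            header = line.lower()
            if "native vlan" in header:
                section = "status"
            elif "allowed on trunk" in header:
                section = "allowed"
            elif "allowed and active" in header:
                section = "active"
            else:
                section = None  # spanning-tree section: not needed here
            continue
        fields = line.split()
        entry = trunks.setdefault(fields[0], {})
        if section == "status":
            # Port  Mode  Encapsulation  Status  Native-vlan
            entry["mode"], entry["encap"], entry["status"] = fields[1:4]
            entry["native"] = int(fields[4])
        elif section == "allowed":
            entry["allowed"] = expand_vlan_list(fields[1])
        elif section == "active":
            entry["active"] = expand_vlan_list(fields[1])
    return trunks


def trunk_report(output):
    """For each port that is actually trunking, report the native VLAN, the
    active VLANs and the allowed VLANs that are not active. A long list of
    allowed-but-unused VLANs is what you would prune from the trunk."""
    report = {}
    for port, t in parse_show_interface_trunk(output).items():
        if t.get("status") != "trunking":
            continue
        report[port] = {
            "native": t["native"],
            "active": sorted(t["active"]),
            "allowed_not_active": sorted(t["allowed"] - t["active"]),
        }
    return report


if __name__ == "__main__":
    for port, r in trunk_report(SHOW_INTERFACE_TRUNK).items():
        print(port, "native VLAN", r["native"], "active", r["active"],
              "allowed but not active:", len(r["allowed_not_active"]))
```

Run it against the pasted output of “show interface trunk” from any IOS switch; for S1 it reports Fa0/3 with native VLAN 1, active VLANs 1, 2 and 50, and 1002 allowed VLANs that nothing is using.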

 

6. We should now be able to ping R1 from the wired network PC.

C:\>ping 192.168.2.254

Pinging 192.168.2.254 with 32 bytes of data:
Reply from 192.168.2.254: bytes=32 time<1ms TTL=255
Reply from 192.168.2.254: bytes=32 time<1ms TTL=255
Reply from 192.168.2.254: bytes=32 time<1ms TTL=255
Reply from 192.168.2.254: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.2.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>

We should also be able to ping the wireless network PC.

C:\>ping 192.168.50.1

Pinging 192.168.50.1 with 32 bytes of data:
Reply from 192.168.50.1: bytes=32 time<1ms TTL=255
Reply from 192.168.50.1: bytes=32 time<1ms TTL=255
Reply from 192.168.50.1: bytes=32 time<1ms TTL=255
Reply from 192.168.50.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.50.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>

Summary

We have now set up VLANs on a switch and sub-interfaces on a router, assigned switchports to VLANs, and set up and enabled trunking for our new VLANs between the switch and router. We have verified the configuration with the relevant show commands and finally tested connectivity, successfully pinging between the two networks.

We can expand on this further by using a layer 3 switch and doing all of our routing at the switch, removing the bottleneck on the trunk link.

 

I hope you found this post informative, please leave a comment if you have any questions or feedback.


Introduction

In the datacenter we have several customers who take the L2TP handoff service from us. A few of these have separate LNSs for each of their clients, so with just ten such clients you are talking anything up to over a rack just for the LNSs. If only there were a way to use a single router that all the clients can connect to, while keeping them separate from each other and allowing overlapping address ranges.

We can do this simply with VRF-lite, and very little extra configuration.

Terminology: VRF-lite

VRF-lite allows a router to support two or more VPNs (Virtual Private Networks) that have IP address ranges that overlap. VRF-lite is enabled on interfaces to separate routes for the individual VPNs and creates virtual routing tables on the router for the separate VRF instances.

Configuration

We’ll use the following topology: Client A and Client B are both directly connected to R1, but could just as easily be connected to virtual interfaces cloned from a virtual template on an LNS.

 

1. On R1 we will first define our two VRF-lite instances. This is done using the command “ip vrf vrf-name” from global configuration mode, where vrf-name is the name assigned to this VRF instance. Once this is set we are in VRF configuration mode, where we set our Route Distinguisher; this should be a unique value for each of our VRF instances. The Route Distinguisher is entered in the format ASN:nn or IP-address:nn, where ASN is your Autonomous System Number, IP-address is a valid address in your assignment and nn is any number.

R1(config)#ip vrf CLIENT_A
R1(config-vrf)#rd 65500:100
R1(config-vrf)#exit
R1(config)#ip vrf CLIENT_B
R1(config-vrf)#rd 65500:200

 

2. Now that we have our two VRF instances defined, we need to tell the router which interfaces will be part of each instance. We do this by going into interface configuration mode for the interface we want to add and using the command “ip vrf forwarding vrf-name”, where vrf-name is the name of the VRF we created earlier.

When adding an interface to a VRF instance, any IP address configuration on it is removed from the running configuration and will have to be re-added:

% Interface Ethernet0/0 IP address x.x.x.x removed due to enabling VRF VRF_NAME

If you are connected to this router remotely by telnet/SSH etc. you will lose your connection to the device.

So let’s put the Ethernet0/0 interface into the CLIENT_A VRF instance.

R1(config)#interface ethernet 0/0
R1(config-if)#ip vrf forwarding CLIENT_A
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown

Then the same again for Ethernet0/1, Serial0/0 and Serial0/1.

R1(config-if)#interface Ethernet 0/1
R1(config-if)#ip vrf forwarding CLIENT_B
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#interface Serial 0/0
R1(config-if)#ip vrf forwarding CLIENT_A
R1(config-if)#ip address 10.0.0.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#interface Serial 0/1
R1(config-if)#ip vrf forwarding CLIENT_B
R1(config-if)#ip address 10.0.0.1 255.255.255.252
R1(config-if)#no shutdown

 

3. We can verify the VRF instances and the interfaces configured in those instances with the command “show ip vrf vrf-name” from privileged exec mode. We can see that the interfaces Ethernet0/0 and Serial0/0 are part of the CLIENT_A VRF instance and the interfaces Ethernet0/1 and Serial0/1 are part of the CLIENT_B VRF instance.

R1#show ip vrf CLIENT_A
Name                             Default RD          Interfaces
CLIENT_A                         65500:100           Ethernet0/0
                                                     Serial0/0
R1#
R1#show ip vrf CLIENT_B
Name                             Default RD          Interfaces
CLIENT_B                         65500:200           Ethernet0/1
                                                     Serial0/1
R1#

We can also view the routing tables. The “show ip route” command shows us the main routing table of the router; the individual instance routing tables are shown with “show ip route vrf vrf-name”.

R1#show ip route vrf CLIENT_A

Routing Table: CLIENT_A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.0.0/24 is directly connected, Ethernet0/0
R1#

 

R1#show ip route vrf CLIENT_B

Routing Table: CLIENT_B
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.0.0/24 is directly connected, Ethernet0/1
R1#

4. We can add static routes to the VRF instances with the “ip route” command. As with a normal static route we specify the destination IP prefix and mask, but we can only specify a forwarding interface (instead of a next-hop address) if it is configured as point-to-point, otherwise we get the message

% For VPN routes, must specify a next hop IP address if not a point-to-point interface

We must also specify which VRF the static route belongs to by adding “vrf vrf-name” to the “ip route” command. So our whole command is “ip route vrf vrf-name prefix mask ip-address metric”; if the metric isn’t set the router will use the default value of 1.

R1(config)#ip route vrf CLIENT_A 0.0.0.0 0.0.0.0 172.16.0.2 5

 

R1#show ip route vrf CLIENT_A

Routing Table: CLIENT_A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.0.2 to network 0.0.0.0

C    172.16.0.0/16 is directly connected, Loopback0
C    192.168.0.0/24 is directly connected, Ethernet0/0
S*   0.0.0.0/0 [5/0] via 172.16.0.2
R1#
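To make steps 2 to 4 concrete, here is a small Python model of what the router is doing: each interface is bound to one VRF, every VRF has its own routing table, the same 192.168.0.0/24 and 10.0.0.0/30 prefixes exist in both tables without clashing, and a lookup only ever consults the table of the VRF the packet arrived in. This is an added example and not code from the post or from Cisco; the class and function names (VrfRouter, build_r1) are my own, the interface and route data follow the R1 configuration above, and Loopback0’s address 172.16.0.1 is an assumption (the post only shows its 172.16.0.0/16 connected route). It also enforces the “must specify a next hop IP address” rule from step 4.

```python
"""Model of the VRF-lite behaviour configured in steps 2 to 4 above.

Added example for this post, not part of the original article: each interface
is bound to one VRF, every VRF has its own routing table, and the same prefix
may live in several VRFs at once. Interface and route data follow the R1
configuration shown above; Loopback0's address is an assumption (the post
only shows its 172.16.0.0/16 connected route)."""
import ipaddress

GLOBAL = "global"  # name used here for the main (non-VRF) routing table


class VrfRouter:
    def __init__(self):
        # vrf name -> {network: (distance, next_hop, egress interface)}
        self.vrfs = {GLOBAL: {}}
        # interface name -> {"vrf", "addr", "p2p"}
        self.interfaces = {}

    def ip_vrf(self, name):
        """'ip vrf NAME': create an empty per-VRF routing table."""
        self.vrfs.setdefault(name, {})

    def interface(self, name, vrf=GLOBAL, address=None, point_to_point=False):
        """'ip vrf forwarding' + 'ip address': bind the interface to a VRF and
        install its connected route (distance 0) in that VRF's table only."""
        if vrf not in self.vrfs:
            raise ValueError(f"VRF {vrf} not defined")
        net = ipaddress.ip_interface(address).network
        self.interfaces[name] = {"vrf": vrf, "addr": address, "p2p": point_to_point}
        self.vrfs[vrf][net] = (0, None, name)

    def ip_route(self, vrf, prefix, next_hop=None, iface=None, distance=1):
        """'ip route vrf ...': add a static route, enforcing the IOS rule quoted
        in step 4 that a VPN route needs a next-hop address unless the
        forwarding interface is point-to-point. The trailing number is what
        the routing table shows as [5/0] for the default route above."""
        if next_hop is None and (iface is None or not self.interfaces[iface]["p2p"]):
            raise ValueError("% For VPN routes, must specify a next hop IP address "
                             "if not a point-to-point interface")
        self.vrfs[vrf][ipaddress.ip_network(prefix)] = (distance, next_hop, iface)

    def show_ip_vrf(self, vrf):
        """Interfaces belonging to a VRF, as 'show ip vrf NAME' lists them."""
        return sorted(n for n, i in self.interfaces.items() if i["vrf"] == vrf)

    def lookup(self, ingress_iface, destination):
        """Longest-prefix match in the table of the VRF the ingress interface
        belongs to. Returns (prefix, next_hop, egress_iface) as strings, or
        None when that VRF has no matching route; the main table and the
        other VRFs are never consulted."""
        vrf = self.interfaces[ingress_iface]["vrf"]
        dst = ipaddress.ip_address(destination)
        best = None
        for net, (_, nh, out_if) in self.vrfs[vrf].items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, out_if)
        if best is None:
            return None
        net, nh, out_if = best
        if out_if is None:  # resolve the next hop inside the same VRF
            out_if = self._egress_for(vrf, nh)
        return (str(net), nh, out_if)

    def _egress_for(self, vrf, next_hop):
        nh = ipaddress.ip_address(next_hop)
        for net, (_, _, out_if) in self.vrfs[vrf].items():
            if out_if is not None and nh in net:
                return out_if
        return None


def build_r1():
    """R1 as configured in the post: two VRFs with overlapping 192.168.0.0/24
    and 10.0.0.0/30 prefixes, plus the CLIENT_A default route from step 4."""
    r1 = VrfRouter()
    r1.ip_vrf("CLIENT_A")
    r1.ip_vrf("CLIENT_B")
    r1.interface("Ethernet0/0", "CLIENT_A", "192.168.0.1/24")
    r1.interface("Ethernet0/1", "CLIENT_B", "192.168.0.1/24")
    r1.interface("Serial0/0", "CLIENT_A", "10.0.0.1/30", point_to_point=True)
    r1.interface("Serial0/1", "CLIENT_B", "10.0.0.1/30", point_to_point=True)
    r1.interface("Loopback0", "CLIENT_A", "172.16.0.1/16")  # address assumed
    r1.ip_route("CLIENT_A", "0.0.0.0/0", next_hop="172.16.0.2", distance=5)
    return r1


if __name__ == "__main__":
    r1 = build_r1()
    # Same destination, different ingress VRF, different egress interface.
    print(r1.lookup("Ethernet0/0", "192.168.0.50"))
    print(r1.lookup("Ethernet0/1", "192.168.0.50"))
    print(r1.lookup("Ethernet0/0", "8.8.8.8"))  # CLIENT_A default route
    print(r1.lookup("Ethernet0/1", "8.8.8.8"))  # CLIENT_B has none: None
```

The lookups show the point of the post: a packet from Client A for 192.168.0.50 goes out Ethernet0/0 and the same destination from Client B goes out Ethernet0/1, because each VRF table holds its own copy of 192.168.0.0/24. CLIENT_B has no default route, so a lookup for an outside address in that VRF fails even though CLIENT_A has one, and trying to add a CLIENT_B default route via Ethernet0/1 without a next hop raises the same error the router prints, while via the point-to-point Serial0/1 it is accepted.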

Summary

We now have our router configured for VRF-lite, with two virtual routing tables that are independent from each other. We have allowed the two clients to use the same IP address range and have used overlapping addresses on R1. Static routing has been set up within the VRF instance and the configuration has been verified with the relevant show commands.

We can extend this further by using a per-VLAN VRF instance on sub-interfaces of the router trunking to a switch, or by using MP-BGP to carry these customer routes through our network.

 

I hope you found this post informative, please leave a comment if you have any questions or feedback.


Anyone who has ever used SpamTitan will realise what a fantastic product it is; unfortunately, for some unknown reason, the developers have decided to disallow any form of access to the shell apart from a stupid 5-option menu that only allows an administrator to change the network settings, restart Apache and reboot the appliance. This is all well and good, however what happens if something goes wrong? You contact SpamTitan support and 48 hours later they still haven’t done anything. Wouldn’t it be much quicker if you could do it yourself? Read on to find out how.

First off, I take no responsibility for any problems that you may cause by changing any of the settings on your SpamTitan, I mean it!

Second, this article is purely for informational purposes; it is against the licence / terms and conditions / other legal bumph to attempt to gain root access to the appliance.

Should you wish to ignore my warnings please read on!

When the SpamTitan boots you will notice that we do not get the usual FreeBSD loader countdown. This is because it has been disabled; our first job is to enable it, as we need to get into single user mode.

You will need a copy of FreeSBIE, a FreeBSD live CD, from http://www.freesbie.org/. Download the ISO and burn it to a CD, then restart your appliance and boot from it.

When you are presented with the FreeSBIE prompt, type su and hit return. We are now root in the live CD environment.

We now mount the SpamTitan disk. First create a folder to mount into:
mkdir /mnt/spamtitan
and mount the first slice of the drive into it. In my case it is da0s1a; it may be different for you.
mount /dev/da0s1a /mnt/spamtitan
Change to this directory:
cd /mnt/spamtitan
We now need to go to the boot folder
cd boot/
and edit the loader.conf file. Use your favourite editor; mine’s VI.
vi loader.conf
Change the line
beastie_disable=NO
to
beastie_disable=YES
and change
autoboot_delay=1
to
autoboot_delay=120
This will enable the usual loader countdown and give us 120 seconds to decide what we want to do. Save the file and exit your text editor.

Reboot the appliance and remove the CD. We are now given the countdown loader. Choose option 4 to enter single user mode. It will then ask you to enter a full path name for a shell, the default is /bin/sh, leave this as is and just press enter.

You are now logged in, in single user mode. We now need to remount the root file system; just type the following two lines.
mount -u /
mount -a

Now that we can write to the file system, enter the command passwd. You will be prompted for a new root password; enter it and enter it again to confirm, then type exit. The appliance will now boot in normal mode.

At the login prompt enter root as the username and use the password you just set. Congratulations, root access!

Now add a standard user with adduser so we can access the appliance over ssh, as we don’t want to allow root logins over ssh. Remember only users in the wheel group can su, so when adding your user account and asked if you want to be part of another group, type wheel. If you forget, you can always add your username to the wheel group in /etc/group: just add a comma and then your username to the end of the wheel line and save.

How easy is that!
