Version 3
Archive for May, 2010
Setup Link Aggregation in Ubuntu
Link aggregation is something that has greatly interested me over the last few months and I’ve been anxious to play with it on my own network setup. For those not familiar with link aggregation there is a lot of good documentation on Wikipedia to get caught up to speed. In my lab I wanted to set up link aggregation on a box with a NC3134 which is a dual NIC (2x 10/100 full duplex ports). I couldn’t do proper 802.3ad because I don’t have a switch which supports it…yet. However, since I am running Ubuntu server I found I could still set it up using a different mode. The mode I decided to configure the bond as is mode 0, otherwise known as the round-robin bond mode. This type is described as “Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.” (Linux Horizon)
The setup for bonding the NICs is actually quite simple.
sudo apt-get install ifenslave
sudo nano /etc/network/interfaces
Comment out your current configuration lines by placing a “#” before each line. The following was my setup for the bond address configuration:
auto bond0
iface bond0 inet static
address 192.168.2.200
netmask 255.255.255.0
broadcast 192.168.2.255
gateway 192.168.2.1
slaves all
bond-mode 0
bond-miimon 100
This configuration will use all of my network devices in the bond (which in this case is just 2) and give the IP address 192.168.2.200. Note that I specified bond-mode 0. There are several other bond types (some of which require an 802.3ad-capable switch) and it would be worth your while to read up on them to find which would be best for you.
Another thing to note in this configuration is that I used bond-miimon 100. This means that the links will be checked for failures every 100 milliseconds. Setting this value to 0 disables checking for link failure.
Save and exit the configuration file. From here you can take the interfaces down by issuing:
sudo ifdown eth0
sudo ifdown eth1
At this point I connected the 2nd Ethernet cable and restarted the networking services:
/etc/init.d/networking restart
Simply type ifconfig and you should see bond0 in the list and listed as UP BROADCAST RUNNING MASTER MULTICAST and all others as UP BROADCAST RUNNING SLAVE MULTICAST. Next we will test performance of the connection to ensure that the bond is functioning as it should.
Using iperf I can test the bandwidth utilized between the server and client in memory (which takes the drive write bottleneck out of the equation). To set up iperf see my previous article on using iperf.
I have 192.168.2.101 set up as the server and 192.168.2.200 (the bonded NICs) as the client. I issue the following command to test my connection:
iperf -c 192.168.2.101 -i 2
The output was as follows:
------------------------------------------------------------
Client connecting to 192.168.2.101, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.2.200 port 33878 connected with 192.168.2.101 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 2.0 sec 44.8 MBytes 188 Mbits/sec
[ 3] 2.0- 4.0 sec 44.9 MBytes 188 Mbits/sec
[ 3] 4.0- 6.0 sec 44.9 MBytes 188 Mbits/sec
[ 3] 6.0- 8.0 sec 43.9 MBytes 184 Mbits/sec
[ 3] 8.0-10.0 sec 44.8 MBytes 188 Mbits/sec
[ 3] 0.0-10.0 sec 223 MBytes 187 Mbits/sec
You can see that now the connection is reaching ~188Mbits out of the theoretical 200Mbits that the bond provides (remember we are using 2x 100mbit lines). This is exactly the result we want.
Next, I wanted to test the fault of one line. I disconnected one of the cables from the dual NIC and ran the iperf connection test again.
------------------------------------------------------------
Client connecting to 192.168.2.101, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.2.200 port 33879 connected with 192.168.2.101 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 2.0 sec 22.5 MBytes 94.4 Mbits/sec
[ 3] 2.0- 4.0 sec 22.4 MBytes 94.1 Mbits/sec
[ 3] 4.0- 6.0 sec 22.4 MBytes 94.0 Mbits/sec
[ 3] 6.0- 8.0 sec 22.5 MBytes 94.2 Mbits/sec
[ 3] 8.0-10.0 sec 22.4 MBytes 94.0 Mbits/sec
[ 3] 0.0-10.0 sec 112 MBytes 94.2 Mbits/sec
You can see that the bandwidth has fallen back down to 94Mbits but the line still worked correctly without any traffic loss.
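A status check to go with the failover test above, added here as an example and not part of the original post: it parses bonding status text in the layout of /proc/net/bonding/bond0 and reports the mode, the miimon interval and which slaves are down. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize bonding status text and flag a degraded bond.
# On a live host the input is /proc/net/bonding/bond0; the text below is a
# constructed sample in that layout, with the cable on eth1 unplugged.
SAMPLE_BOND_STATUS='Ethernet Channel Bonding Driver: (constructed sample)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: down
Link Failure Count: 1'

# bond_summary (hypothetical name): read status text on stdin, print one line.
bond_summary() {
    awk -F': ' '
        /^Bonding Mode:/                { mode = $2 }
        /^MII Polling Interval \(ms\):/ { miimon = $2 }
        /^Slave Interface:/             { slave = $2 }
        /^MII Status:/ && slave != ""   {
            # only the first MII Status after a slave header belongs to it
            if ($2 == "up") up++
            else { down++; names = names (names ? "," : "") slave }
            slave = ""
        }
        END {
            printf "mode=\"%s\" miimon=%s up=%d down=%d down_slaves=%s\n",
                   mode, miimon, up, down, (names ? names : "-")
        }'
}

# bond_is_healthy (hypothetical name): succeed only if link monitoring is
# enabled, at least one slave is up, and no slave is down.
bond_is_healthy() {
    case "$(bond_summary)" in
        *" miimon=0 "*|*" up=0 "*) return 1 ;;
        *" down=0 "*)              return 0 ;;
        *)                         return 1 ;;
    esac
}

printf '%s\n' "$SAMPLE_BOND_STATUS" | bond_summary
```

On the bonded machine, feed it the live file instead of the sample: bond_summary < /proc/net/bonding/bond0.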
That’s it! Pretty simple to set up and test the bond. If you are creating a bond purely for the bandwidth increase keep in mind that system bottlenecks can still hinder performance – your hard drive write speed being the most likely.
With such a simple setup for this networking task it shows another benefit Linux servers can provide in comparison to Windows servers which (to my knowledge) do not natively support link aggregation.
The question I asked myself after this setup was: How does the 802.3ad configuration (mode 4) differ from mode 0 which doesn’t require switches with 802.3ad support? After some further research I found that while mode 0 uses sequential transmission, it can often receive packets out of order which creates the need for segment retransmission (as mentioned here). It seems that mode 4 is able to receive all packets in order which produces an overall increase in efficiency. I would be curious to see some performance benchmarks between the two and plan to do so once I have a managed switch – so stay tuned!
Cisco PIX 501 Quick Setup
I inherited a Cisco Pix 501 firewall recently and have to say I’m not nearly as educated on Cisco equipment yet as I feel I should be. After a good amount of searching along the way I started getting the hang of things. I had worked in Cisco’s Pix Device Manager (PDM) and found it to be more of a pain trying to navigate than to set up through the command line. So, for this tutorial I will focus only on the CLI for setup of the device.

Here is how I was able to get things set up. Note that this is just a basic setup using the CLI with the following:
WAN: DHCP
LAN: Enable NAT, and enable DHCP
After configuration the firewall will be accessible at 192.168.3.1 (and netmask 255.255.255.0) and DHCP leases available will be 192.168.3.50 – 192.168.3.80. You can change these accordingly while going through the commands.
First of all, you need to connect to the device using your Cisco console cable which is an RJ45 to DB9. Connect the RJ45 end to the 501, and the DB9 end to a machine with the connector. In my case this was a Linux machine running Ubuntu. If you are on a Windows machine you can simply use HyperTerminal to connect. I issued the following commands to get connected to the 501:
sudo apt-get install cu
cu -l /dev/ttyS0 -s 9600
ttyS0 was what worked for me, but yours may need to be changed to ttyS1, etc. depending on your setup.
Once things are connected I issued the following commands:
First press no to the guided install (if you plan to follow the tutorial below).
enable
You will be prompted here for a password. The Enter key is the default password.
config t
This will allow access to the configuration menu. Press “?” to find all commands available.
username USER password ***** privilege 15
enable password ******
passwd ******
Replace USER with the username you wish to create. This allows you to create an administrator account for the system.
interface ethernet0 auto
interface ethernet1 100full
ip address outside dhcp
Make sure your WAN connection is live when issuing the command above. It will try to assign a DHCP address when it’s issued.
ip address inside 192.168.3.1 255.255.255.0
show ip address
The above command just shows the current setup. I used it to double check I entered everything properly.
ip address outside dhcp setroute
nat (inside) 1 192.168.3.1 255.255.255.0
global (outside) 1 interface
telnet 192.168.3.50
This was an optional command. This allowed telnet access to the client at 192.168.3.50. This was added so I didn’t need the console cable connected after the initial setup, and could merely telnet in from the client as needed.
no banner exec
no banner login
no banner motd
The banner commands are also optional. I wanted to cut out any extra information at logins. You can leave these, or change them as you desire.
hostname YOURHOST
Replace YOURHOST with the hostname you wish to give the 501.
domain local
dhcpd address 192.168.3.50-192.168.3.80 inside
dhcpd dns 4.2.2.1 4.2.2.2
These were test DNS servers I used during setup. I believe they are Level3’s, and they are rather stable. You can change to your local ISP’s DNS servers or others as desired.
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
The above command assigns the 501 as the DHCP server for the inside interface (LAN). If you wish to use a different DHCP server or don’t care to enable DHCP, simply disregard this command.
access-list ping_acl permit icmp any any
access-group ping_acl in interface outside
These two commands are added to allow ping requests. Ping is disabled by default on the 501 and annoyed me when trying to run diagnostics. These are optional.
wr mem
This finalizes your setup by writing all changes to memory.
These are the commands I found to work for me – and I don’t have this in production. I don’t claim for this method of setup to be secure for your environment and highly recommend you study up on the device more before placing it in a production environment. If anyone has some modifications or additions to this guide please feel free to contact me. Hopefully this tutorial can serve as a first step in becoming familiar with setup for the Pix 501, thanks for reading.
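A small audit of the optional commands above, added here as an example and not part of the original post or of any Cisco tooling: it flags Telnet management access (the session, passwords included, crosses the network in cleartext), an ACL that permits every ICMP type from any source and is bound inbound to the outside interface, and a configuration that never sets an enable password. The function name, finding labels and sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the optional loosenings in the PIX commands above.
# SAMPLE_PIX_CONFIG is constructed from the commands in this post
# (passwords replaced by the placeholder REDACTED).
SAMPLE_PIX_CONFIG='enable password REDACTED
passwd REDACTED
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
nat (inside) 1 192.168.3.1 255.255.255.0
global (outside) 1 interface
telnet 192.168.3.50
access-list ping_acl permit icmp any any
access-group ping_acl in interface outside'

# pix_audit (hypothetical name): read PIX commands on stdin and print one
# finding per line; no output means none of the three checks fired.
pix_audit() {
    awk '
        $1 == "enable" && $2 == "password" { have_enable = 1 }
        # "telnet <address>" grants management access; "telnet timeout" does not
        $1 == "telnet" && $2 != "timeout"  { print "TELNET_MGMT " $2 }
        # remember ACLs that permit every ICMP type from any source
        $1 == "access-list" && $3 == "permit" && $4 == "icmp" &&
            $5 == "any" && $6 == "any" && NF == 6 { icmp_any[$2] = 1 }
        # remember which interface each ACL is applied to inbound
        $1 == "access-group" && $3 == "in" && $4 == "interface" { bound[$2] = $5 }
        END {
            if (!have_enable) print "NO_ENABLE_PASSWORD"
            for (acl in icmp_any)
                if (bound[acl] == "outside") print "ICMP_ANY_OUTSIDE " acl
        }'
}

printf '%s\n' "$SAMPLE_PIX_CONFIG" | pix_audit
```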