Monthly archive May, 2010

Setup Link Aggregation in Ubuntu

Link aggregation is something that has greatly interested me the last few months and I’ve been anxious to play with it on my own network setup.  For those not familiar with link aggregation there is a lot of good documentation on Wikipedia to get caught up to speed.  In my lab I wanted to set up link aggregation on a box with an NC3134, which is a dual-port NIC (2x 10/100 full duplex ports).  I couldn’t do proper 802.3ad because I don’t have a switch which supports it…yet.  However, since I am running Ubuntu Server I found I could still set it up using a different mode.  The mode I decided to configure the bond as is mode 0, otherwise known as the round-robin bond mode.  This type is described as “Round-robin policy: Transmit packets in sequential order from the first available slave through the last.  This mode provides load balancing and fault tolerance.” (Linux Horizon)

The setup for bonding the NICs is actually quite simple.

sudo apt-get install ifenslave
sudo nano /etc/network/interfaces

Comment out your current configuration lines by prefixing each of them with “#”.  The following was my setup for the bond address configuration:

auto bond0
iface bond0 inet static
     address 192.168.2.200
     netmask 255.255.255.0
     broadcast 192.168.2.255
     gateway 192.168.2.1
     slaves all
     bond-mode 0
     bond-miimon 100

This configuration will use all of my network devices in the bond (which in this case is just 2) and give it the IP address 192.168.2.200.  Note that I specified bond-mode 0.  There are several other bond modes (some of which require an 802.3ad capable switch) and it would be worth your while to read up on them to find which would be best for you.

Another thing to note in this configuration is that I used bond-miimon 100.  This means the link state of each slave will be checked (via MII) every 100 milliseconds.  Setting this value to 0 disables link failure monitoring.

Save and exit the configuration file.  From here you can take the interfaces down by issuing:

sudo ifdown eth0
sudo ifdown eth1

At this point I connected the 2nd Ethernet cable and restarted the networking service:

sudo /etc/init.d/networking restart

Simply type ifconfig and you should see bond0 in the list, flagged UP BROADCAST RUNNING MASTER MULTICAST, and the slave interfaces flagged UP BROADCAST RUNNING SLAVE MULTICAST.  Next we will test the performance of the connection to ensure that the bond is functioning as it should.
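Beyond ifconfig, the bonding driver exposes its own view of the bond in /proc/net/bonding/bond0: the mode, the miimon interval, and whether it currently sees each slave as up.  As an added example that is not part of the original post, the POSIX shell script below summarizes that file and flags a degraded bond, which is the check you would want running when a cable is pulled as in the failure test later on.  The two status files it reads are constructed samples in the format the kernel writes (one healthy, one with eth1 down), so it runs without a real bond; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarize the bonding driver's
# status file (/proc/net/bonding/bond0) and flag a degraded bond.

# bond_summary FILE -> one line: mode, miimon, slave counts, failure total
bond_summary() {
    awk '
        /^Bonding Mode:/          { sub(/^Bonding Mode: /, ""); mode = $0 }
        /^MII Polling Interval/   { miimon = $NF }
        /^Slave Interface:/       { slave = $NF; nslaves++ }
        # the first "MII Status" line belongs to the bond itself, skip it
        /^MII Status:/ && slave != "" { if ($NF == "up") up++; else down++ }
        /^Link Failure Count:/    { fails += $NF }
        END {
            printf "mode=%s miimon=%s slaves=%d up=%d down=%d failures=%d\n",
                   mode, miimon, nslaves, up, down, fails
        }
    ' "$1"
}

# bond_health FILE -> OK when every slave is up, DEGRADED otherwise
bond_health() {
    case "$(bond_summary "$1")" in
        *" down=0 "*) echo OK ;;
        *)            echo DEGRADED ;;
    esac
}

# Constructed sample in the format the bonding driver writes (both links up).
SAMPLE_OK=$(mktemp)
cat >"$SAMPLE_OK" <<'EOF'
Ethernet Channel Bonding Driver: v3.5.0 (November 4, 2008)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:56
EOF

# Derived sample: eth1's cable pulled, one link failure recorded.
SAMPLE_DEGRADED=$(mktemp)
sed -e '/^Slave Interface: eth1/,$ s/^MII Status: up/MII Status: down/' \
    -e '/^Slave Interface: eth1/,$ s/^Link Failure Count: 0/Link Failure Count: 1/' \
    "$SAMPLE_OK" >"$SAMPLE_DEGRADED"

bond_summary "$SAMPLE_OK"
bond_health "$SAMPLE_OK"
bond_summary "$SAMPLE_DEGRADED"
bond_health "$SAMPLE_DEGRADED"

# On a live system: bond_health /proc/net/bonding/bond0
```

Because mode 0 keeps transmitting over the remaining slave, a failed link never shows up as an outage from the client side; polling bond_health from cron or a monitoring agent is how you learn that the redundancy has actually been used up.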

Using iperf I can test the bandwidth between the server and client in memory (which takes the drive write bottleneck out of the equation).  To set up iperf see my previous article on using iperf.

I have 192.168.2.101 set up as the server and 192.168.2.200 (the bonded NICs) as the client.  I issue the following command to test my connection:

iperf -c 192.168.2.101 -i 2

The output was as follows:

------------------------------------------------------------
Client connecting to 192.168.2.101, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  3] local 192.168.2.200 port 33878 connected with 192.168.2.101 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 2.0 sec  44.8 MBytes    188 Mbits/sec
[  3]  2.0- 4.0 sec  44.9 MBytes    188 Mbits/sec
[  3]  4.0- 6.0 sec  44.9 MBytes    188 Mbits/sec
[  3]  6.0- 8.0 sec  43.9 MBytes    184 Mbits/sec
[  3]  8.0-10.0 sec  44.8 MBytes    188 Mbits/sec
[  3]  0.0-10.0 sec    223 MBytes    187 Mbits/sec

You can see that the connection is now reaching ~188 Mbits/sec out of the theoretical 200 Mbits/sec that the bond provides (remember we are using 2x 100 Mbit lines).  This is exactly the result we want.

Next, I wanted to test the failure of one line.  I disconnected one of the cables from the dual NIC and ran the iperf connection test again.

------------------------------------------------------------
Client connecting to 192.168.2.101, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  3] local 192.168.2.200 port 33879 connected with 192.168.2.101 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 2.0 sec  22.5 MBytes  94.4 Mbits/sec
[  3]  2.0- 4.0 sec  22.4 MBytes  94.1 Mbits/sec
[  3]  4.0- 6.0 sec  22.4 MBytes  94.0 Mbits/sec
[  3]  6.0- 8.0 sec  22.5 MBytes  94.2 Mbits/sec
[  3]  8.0-10.0 sec  22.4 MBytes  94.0 Mbits/sec
[  3]  0.0-10.0 sec    112 MBytes  94.2 Mbits/sec

You can see that the bandwidth has fallen back down to ~94 Mbits/sec but the connection still worked correctly without any traffic loss.

That’s it!  Pretty simple to set up and test the bond.  If you are creating a bond purely for the bandwidth increase, keep in mind that system bottlenecks can still hinder performance – your hard drive write speed being the most likely.

With such a simple setup for this networking task, it shows another benefit Linux servers can provide in comparison to Windows servers, which (to my knowledge) do not natively support link aggregation.

The question I asked myself after this setup was: How does the 802.3ad configuration (mode 4) differ from mode 0, which doesn’t require switches with 802.3ad support?  After some further research I found that while mode 0 uses sequential transmission, it can often receive packets out of order, which creates the need for segment retransmission (as mentioned here).  It seems that mode 4 is able to receive all packets in order, which produces an overall increase in efficiency.  I would be curious to see some performance benchmarks between the two and plan to do so once I have a managed switch – so stay tuned!

Cisco PIX 501 Quick Setup

I inherited a Cisco PIX 501 firewall recently and have to say I’m not nearly as educated on Cisco equipment yet as I feel I should be.  After a good amount of searching along the way I started getting the hang of things.  I had worked in Cisco’s PIX Device Manager (PDM) and found it to be more of a pain to navigate than setting up through the command line.  So, for this tutorial I will focus only on the CLI for setting up the device.


Here is how I was able to get things set up.  Note that this is just a basic setup using the CLI with the following:

WAN: DHCP

LAN: Enable NAT, and enable DHCP

After configuration the firewall will be accessible at 192.168.3.1 (netmask 255.255.255.0) and DHCP leases will be handed out from the range 192.168.3.50 – 192.168.3.80.  You can change these accordingly while going through the commands.

First of all, you need to connect to the device using your Cisco console cable, which is RJ45 to DB9.  Connect the RJ45 end to the 501, and the DB9 end to a machine with a serial connector.  In my case this was a Linux machine running Ubuntu.  If you are on a Windows machine you can simply use HyperTerminal to connect.  I issued the following commands to get connected to the 501:

sudo apt-get install cu
cu -l /dev/ttyS0 -s 9600

ttyS0 was what worked for me, but yours may need to be changed to ttyS1, etc. depending on your setup.

Once connected, I issued the following commands.

First answer no to the guided install (if you plan to follow the tutorial below).

enable

You will be prompted here for a password.  The default password is blank, so just press Enter.

config t

This will allow access to the configuration menu.  Press “?” to find all commands available.

username USER password ***** privilege 15

enable password ******

passwd ******

Replace USER with the username you wish to create, and the asterisks with your own passwords.  This creates an administrator account (privilege 15) for the system and sets the enable and login passwords.

interface ethernet0 auto

interface ethernet1 100full

ip address outside dhcp

Make sure your WAN connection is live when issuing the command above.  It will try to assign a DHCP address when it’s issued.

ip address inside 192.168.3.1 255.255.255.0

show ip address

The above command just shows the current address setup.  I used it to double check that I had entered everything properly.

ip address outside dhcp setroute

nat (inside) 1 192.168.3.1 255.255.255.0

global (outside) 1 interface

telnet 192.168.3.50

This was an optional command.  It allows telnet access to the 501 from the client at 192.168.3.50.  I added it so I didn’t need the console cable connected after the initial setup, and could merely telnet in from that client as needed.

no banner exec

no banner login

no banner motd

The banner commands are also optional.  I wanted to cut out any extra information at logins.  You can leave these, or change them as you desire.

hostname YOURHOST

Replace YOURHOST with the hostname you wish to give the 501.

domain local

dhcpd address 192.168.3.50-192.168.3.80 inside

dhcpd dns 4.2.2.1 4.2.2.2

These were test DNS servers I used during setup.  I believe they are Level3’s, and they are rather stable.  You can change to your local ISP’s DNS servers or others as desired.

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

The above command makes the 501 the DHCP server for the inside interface (LAN).  If you wish to use a different DHCP server or don’t care to enable DHCP, simply skip this command.

access-list ping_acl permit icmp any any

access-group ping_acl in interface outside

These two commands allow ping requests by permitting ICMP in on the outside interface.  Ping is disabled by default on the 501, which annoyed me when trying to run diagnostics.  These are optional.

wr mem

This finalizes your setup by writing all changes to memory.

These are the commands I found to work for me – and I don’t have this in production.  I don’t claim this method of setup to be secure for your environment and highly recommend you study up on the device more before placing it in a production environment.  If anyone has some modifications or additions to this guide please feel free to contact me.  Hopefully this tutorial can serve as a first step in becoming familiar with setup for the PIX 501, thanks for reading.
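As an added example that is not part of the original post, here is a small POSIX shell/awk audit of a saved PIX configuration that flags the settings from this walkthrough a practitioner would revisit before production: telnet management access without an ssh line (telnet is cleartext, and PIX also has an ssh command), a missing enable or login password, and an access-list that permits every ICMP type from any source rather than just echo replies.  The two configs it runs on are constructed inline: the first collates the commands above with placeholder passwords, the second is a hypothetical tightened variant.  The function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a saved PIX config for
# the management-access and ICMP settings discussed in the walkthrough.

# pix_findings FILE -> one finding per line; prints nothing for a clean config
pix_findings() {
    awk '
        /^telnet [0-9]/                        { telnet = 1 }
        /^ssh [0-9]/                           { ssh = 1 }
        /^enable password /                    { enable_pw = 1 }
        /^passwd /                             { login_pw = 1 }
        /^access-list .* permit icmp any any$/ { icmp_any = 1 }
        END {
            if (telnet && !ssh) print "telnet enabled without ssh: management traffic is cleartext"
            if (!enable_pw)     print "no enable password set"
            if (!login_pw)      print "no login (passwd) password set"
            if (icmp_any)       print "access-list permits every icmp type from any source"
        }
    ' "$1"
}

# pix_finding_count FILE -> number of findings (awk so the count is always 0 or more)
pix_finding_count() {
    pix_findings "$1" | awk 'END { print NR }'
}

# Constructed config: the commands from this walkthrough, passwords masked.
CFG_PAGE=$(mktemp)
cat >"$CFG_PAGE" <<'EOF'
username USER password PLACEHOLDER privilege 15
enable password PLACEHOLDER
passwd PLACEHOLDER
interface ethernet0 auto
interface ethernet1 100full
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
nat (inside) 1 192.168.3.1 255.255.255.0
global (outside) 1 interface
telnet 192.168.3.50
hostname YOURHOST
domain local
dhcpd address 192.168.3.50-192.168.3.80 inside
dhcpd dns 4.2.2.1 4.2.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
access-list ping_acl permit icmp any any
access-group ping_acl in interface outside
EOF

# Hypothetical tightened variant: ssh from the same client instead of telnet,
# and only echo replies allowed in so outbound pings still get answers.
CFG_HARDENED=$(mktemp)
sed -e 's/^telnet 192.168.3.50$/ssh 192.168.3.50 255.255.255.255 inside/' \
    -e 's/^access-list ping_acl permit icmp any any$/access-list ping_acl permit icmp any any echo-reply/' \
    "$CFG_PAGE" >"$CFG_HARDENED"

echo "findings for walkthrough config:"
pix_findings "$CFG_PAGE"
echo "findings for tightened config: $(pix_finding_count "$CFG_HARDENED")"

# On a real device: capture "show running-config" to a file and pass it in.
```

The checks are deliberately line-oriented so they can be run against the text of show running-config without any parsing library; extending the pattern list is a one-line change per setting you care about.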

Source Image: cisco.com