Q&A: Take Your VLANs Places, Cisco Refreshes Catalyst Switching Line, More
2007-11-13 13:44:45
TCPmag.com
http://tcpmag.com/
http://tcpmag.com/rss
Nov. 13, 2007
Editor: Gladys Rama (grama@1105media.com)

------------------------------------------------------------------------
THIS ISSUE SPONSORED BY:

- Vyatta Inc. - Open Source Networking
http://info.101com.com/default.asp?id=44814

- Web 2.0: Guide to Hosted Security by Jeremy Moskowitz
http://info.101com.com/default.asp?id=44519

- Evaluating Security in Today's Web Threat Environment
http://info.101com.com/default.asp?id=44817
------------------------------------------------------------------------

IN THIS ISSUE OF TCPmag.com:

1. Q&A: Take Your VLANs Places
2. What's New on TCPmag.com 
3. Interesting Employment in North Carolina, Massachusetts

************************************************************************
SPONSOR: Vyatta Open-Source Router, Firewall, VPN
************************************************************************
Vyatta open-source networking solutions are proven to deliver better performance, value, and scalability than proprietary hardware-based routers and firewalls. Try Vyatta for a flexible, affordable alternative to Cisco 1800 thru 7200 series routers and ASA security appliances.

Download Free Vyatta Software - New VC3 Whitepaper:
Why Vyatta is Better than Cisco
http://info.101com.com/default.aspx?id=44814
************************************************************************

1. Q&A: Take Your VLANs Places

Send your toughest Cisco technical questions to editor@tcpmag.com
with the subject line "Attn: Scott."

Scott,

I'm a little unversed in implementing VLANs in a real-time environment. My question is this:

I currently have two 3750G-48s that are StackWise-interconnected, giving me 104-gig ports with many available ports. I have a network switch for a physically separate net that's out of space, and I was wondering: If I create a VLAN on the stack for this network, how would the uplink port to the router/firewall be configured?

I read your reply to Sam about private VLANs in the Jan. 23 Q&A (http://tcpmag.com/qanda/article.asp?EditorialsID=369) and I'm not sure if/how the solution you told him would work for my situation. If I configure six of the available ports into a separate VLAN on the switch stack, does the uplink port need to be configured any differently? And what would that config be?

Creating VLANs in a lab is difficult to equate to some real-world networks.

-- Eric

------------------------------

Eric,

It must be late at night because I had to stare at your question three times, trying to figure out how 2x48=104! Then I remembered the four SFP slots on the 3750s. So we'll go with that 104 port number.

Now, on to your question about VLANs. You seem to have the basic parts down: A VLAN is a separate broadcast domain/subnet, and you need some uplink port (a trunk) to connect these VLANs with the rest of your switched network.

So let's think a little about each piece. We all learn about VLANs from a purpose viewpoint (e.g., the admin VLAN, the accounting VLAN, etc.). Or the red one and blue one, depending on which book you're reading! The point is that these VLANs can exist all over our Layer 2 campus, allowing us to plug users with like needs/requirements no matter what their physical location.

We just need something to move that VLAN all over the place. Hence our trunks. Whether ISL or 802.1Q, we need to carry each VLAN's information around and tag it appropriately so that the switches can decide where it goes or where it doesn't go.

Now, of course, you're probably sitting there going, "Blah, blah, blah, I know all that already." Which is good! Now, let's just take the logic backward. If we DON'T allow a certain VLAN to traverse a trunk link, that effectively cuts it off from the rest of the Layer 2 network. Many times, this would fall into the Not a Good Idea category -- but if your requirement is isolation to only one or two switches, that's a good way to do things.

You could even isolate a VLAN to a particular access-switch closet, or to a floor, or to a building, or to just part of your campus network. Trace the uplinks of where you do or do not want your VLAN to go, and isolate from there.

Let's assume that you want VLAN 100 to exist only in one chunk of your network. You'll find that by default, all VLANs are allowed to go over all trunk links. For example:

 Cat3560-2(config)#do sh int trunk

 Port     Mode               Encapsulation Status   Native vlan
 Fa0/19   desirable  n-isl   trunking               1
 Fa0/20   desirable  n-isl   trunking               1
 Fa0/21   desirable  n-isl   trunking               1
 Fa0/22   desirable  n-isl   trunking               1
 Fa0/23   desirable  n-isl   trunking               1
 Fa0/24   desirable  n-isl   trunking               1

 Port     Vlans allowed on trunk
 Fa0/19   1-4094
 Fa0/20   1-4094
 Fa0/21   1-4094
 Fa0/22   1-4094
 Fa0/23   1-4094
 Fa0/24   1-4094

 Port     Vlans allowed and active in management domain
 Fa0/19   1,12,40,100,200,300,567
 Fa0/20   1,12,40,100,200,300,567
 Fa0/21   1,12,40,100,200,300,567
 Fa0/22   1,12,40,100,200,300,567
 Fa0/23   1,12,40,100,200,300,567
     
 Port     Vlans allowed and active in management domain
 Fa0/24   1,12,40,100,200,300,567

 Port     Vlans in spanning tree forwarding state and not pruned
 Fa0/19   1,12,40,100,200,300,567
 Fa0/20   12,40,100,200,300,567
 Fa0/21   1,12,40,100,200,300,567
 Fa0/22   1,12,40,100,200,300,567
 Fa0/23   1,12,40,100,200,300,567
 Fa0/24   1,12,40,100,200,300,567
 Cat3560-2(config)#

The important part is "VLANs allowed and active." Other pieces will vary based on our spanning-tree configuration, but we won't go there now.

So, if this particular switch is the edge of where we want VLAN 100 to go, we simply pick the trunks we don't want the VLAN to go over and make an adjustment. For the sake of argument, let's say that fa0/23 and fa0/24 go to another upstream switch that shouldn't need this particular VLAN.

On my current switch:

 interface range fa0/23 - 24
  switchport trunk allowed vlan remove 100

Now, look at the difference:

 Cat3560-2(config-if-range)#do sh int trunk

 Port     Mode               Encapsulation Status   Native vlan
 Fa0/19   desirable  n-isl   trunking               1
 Fa0/20   desirable  n-isl   trunking               1
 Fa0/21   desirable  n-isl   trunking               1
 Fa0/22   desirable  n-isl   trunking               1
 Fa0/23   desirable  n-isl   trunking               1
 Fa0/24   desirable  n-isl   trunking               1

 Port     Vlans allowed on trunk
 Fa0/19   1-4094
 Fa0/20   1-4094
 Fa0/21   1-4094
 Fa0/22   1-4094
 Fa0/23   1-99,101-4094
 Fa0/24   1-99,101-4094

 Port     Vlans allowed and active in management domain
 Fa0/19   1,12,40,100,200,300,567
 Fa0/20   1,12,40,100,200,300,567
 Fa0/21   1,12,40,100,200,300,567
 Fa0/22   1,12,40,100,200,300,567
 Fa0/23   1,12,40,200,300,567
      
 Port     Vlans allowed and active in management domain
 Fa0/24   1,12,40,200,300,567 

 Port     Vlans in spanning tree forwarding state and not pruned
 Fa0/19   1,12,40,100,200,300,567
 Fa0/20   12,40,100,200,300,567
 Fa0/21   1,12,40,100,200,300,567
 Fa0/22   1,12,40,100,200,300,567
 Fa0/23   1,12,40,200,300,567
 Fa0/24   1,12,40,200,300,567
 Cat3560-2(config-if-range)#

VLAN 100 is no longer part of the equation for our upstream switch. Even if they have a VLAN 100, it'll be logically separated.

So, while it's always been taught to us to achieve connectivity and let our VLANs go everyplace, we may run into a situation that will force us to think outside the box a little bit. Never fear to change things around -- but test it out first, preferably in a non-production environment.

A couple of weeks ago (http://tinyurl.com/22669x), I suggested that you should either establish your own lab for testing methods or look at renting rack time from vendors on the Internet for remote access to equipment. Typically, we use this for CCIE testing, but I've had a number of clients use this for their own, constrained Proof of Concept testing (also known as "I don't want to screw up the production network but need to see if this stuff works" testing).

I would still suggest looking into it. You'll find a number of vendors if you search Google for "CCIE rack rental," but if you choose to use Proctor Labs (www.proctorlabs.com), mention TCPmag and you'll receive a nice discount for your testing needs.

I hope this particular technology doesn't scare you that much from testing things out, but often, management likes plans that aren't just "We'll watch what happens." Best of luck with your changes and accommodating the business requirements!

Hope that helps,

-- Scott

Scott Morris, quadruple CCIE, JNCIE and all-around Uber-Geek, can often be seen traveling around the world consulting and delivering CCIE training. He has recently stepped up as VP of Curriculum Development for IPexpert and will oversee a new consulting practice. For more information on him check out http://www.ipexpert.com.
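As an added illustration (not part of Scott's column, and not a Cisco tool), the following Python script turns his check into an audit: it parses the "Vlans allowed on trunk" table of "show interfaces trunk", expands the IOS range syntax (1-99,101-4094), reports which upstream trunks still carry the VLAN you meant to keep local, and emits the same "switchport trunk allowed vlan remove" lines he used. The sample output, port names and the choice of VLAN 100 are constructed to mirror the column.

```python
import re
# Constructed sample (not the column's own capture), same layout as the
# column's output; fa0/23 is already pruned, fa0/24 still carries VLAN 100.
SHOW_INT_TRUNK = """\
Port     Vlans allowed on trunk
Fa0/22   1-4094
Fa0/23   1-99,101-4094
Fa0/24   1-4094

Port     Vlans allowed and active in management domain
Fa0/23   1,12,40,200,300,567
Fa0/24   1,12,40,100,200,300,567
"""
ROW = re.compile(r"^(\S+)\s+(\S+)\s*$")  # "<port> <vlan-list>" table row

def expand_vlans(spec):
    """Expand IOS list syntax ('1-99,101-4094', '1,12,40', 'none') into a set."""
    if spec.lower() == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def allowed_on_trunk(output):
    """Map port -> VLAN set, reading only the 'Vlans allowed on trunk' table."""
    allowed, in_table = {}, False
    for line in output.splitlines():
        if line.startswith("Port"):  # every sub-table opens with a Port header
            in_table = "allowed on trunk" in line
            continue
        m = ROW.match(line) if in_table else None
        if m:
            allowed[m.group(1)] = expand_vlans(m.group(2))
    return allowed

def leaking_trunks(output, vlan, upstream_ports):
    """Upstream trunks whose allowed list still includes the VLAN to keep local."""
    allowed = allowed_on_trunk(output)
    return sorted(p for p in upstream_ports if vlan in allowed.get(p, set()))

def removal_commands(ports, vlan):
    """IOS lines that prune the VLAN from each leaking trunk, as in the column."""
    return [cmd for p in ports
            for cmd in (f"interface {p}", f" switchport trunk allowed vlan remove {vlan}")]

if __name__ == "__main__":
    leaks = leaking_trunks(SHOW_INT_TRUNK, 100, ["Fa0/23", "Fa0/24"])
    print("VLAN 100 still allowed on upstream trunks:", leaks)  # ['Fa0/24']
    print("\n".join(removal_commands(leaks, 100)))
```

Run it against a saved capture from each switch at the edge of where the VLAN should stop; any port it lists is a trunk the isolation has not yet reached.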


Send your questions for this column to editor@tcpmag.com
with the subject line "Attn: Scott."

Miss a Q&A? Go online to http://tcpmag.com/qanda/

To comment on this Q&A, go to:

http://tcpmag.com/qanda/article.asp?editorialsid=393

************************************************************************
SPONSOR: Leveraging Hosted Security in a Web 2.0 World
************************************************************************
The best defense against attackers is a "defense in depth" strategy. In this guide, Jeremy Moskowitz will examine the latest types of threats that are being propagated on the Internet and available solutions.

Read it now!
http://info.101com.com/default.asp?id=44519
************************************************************************

2. What's New on TCPmag.com

NEWS: "Cisco Refreshes Catalyst Switching Line"
Cisco Systems Inc. last week announced several new Catalyst switch offerings, including its Catalyst 6500 Series Virtual Switching System (VSS) 1440, which is outfitted with Cisco's Virtual Switching Supervisor Engine 720.

http://tcpmag.com/news/article.asp?editorialsid=1284

NEWS: "Cisco Touts Small Business Telephony Refresh"
Cisco Systems Inc. last week announced a bevy of new additions and updates for its Smart Business Communications System, or SBCS.

http://tcpmag.com/news/article.asp?EditorialsID=1285

RSS FEEDS ON TCPMAG.COM
If you're running an RSS client, then consider signing up for feeds from TCPmag.com. You'll automatically be notified when new content is posted. Learn more here: http://tcpmag.com/rss/

------------------------------------------------------------------------

3. Interesting Employment in North Carolina, Massachusetts

Job postings courtesy of Monster.com.

BURT'S BEES, INFRASTRUCTURE SUPPORT ANALYST
Position Type: Full time 
Location: Raleigh, N.C.
Salary: Not specified
Experience: 2 to 5 years
Desired Education: Bachelor's degree, MCP, CCNA

The infrastructure support analyst will support the company's voice/data networks and server environment, help maintain Internet and wireless connectivity, troubleshoot problems, and train new users. Knowledge of Windows servers and active directory required.

To learn more, visit:

http://jobview.monster.com/getjob.asp?JobID=65241518

-----------------------------

HEBREW REHAB CENTER, NETWORK/SERVER ANALYST 
Position Type: Full time
Location: Boston, Mass.
Salary: Not specified
Experience: At least 5 years
Desired Education: Bachelor's degree, MCSE, CCNA

Responsibilities will include troubleshooting hardware and software, scheduling patches and software updates, and setting up e-mail accounts and user profiles. Must have experience with Novell GroupWise, VPN and active directory. Some travel may be required. Previous experience in health care a plus.

To learn more, visit:

http://jobview.monster.com/getjob.asp?JobID=62457836

************************************************************************
SPONSOR: Evaluating Security in Today's Web Threat Environment
************************************************************************
This paper discusses the changing landscape of malware, emphasizing the recent shift to web-based attacks, the challenges that this shift presents to the modern organization, and the ways in which these new challenges can be adequately addressed.

Read the paper now and stay on top of new threats!
http://info.101com.com/default.asp?id=44817
************************************************************************

FREE MAGAZINE OFFERS
Subscribe now to our free monthly magazines:

Redmond Developer News magazine
https://subscribe.1105pubs.com/sub/RW?WP=NEWFREE&TC=1&PC=MK5

Redmond magazine
https://subscribe.1105pubs.com/sub/MI?WP=NEWFREE&TC=1&P=TCP

MORE NEWSLETTERS
We cover Enterprise Windows news, certification, security updates, SQL, Java, SOA, virtualization and more. To review the entire list and subscribe, click here:

https://newsletters.1105pubs.com/nl/URMG.do?pc=R07NL

Encourage your peers to excel! 
Please forward this newsletter to any IT professional. 

************************************************************************

To learn how you can sponsor a future edition of this newsletter, contact Matt Morollo at (508) 532-1418 or e-mail mmorollo@1105media.com

Contact the editorial staff at editor@tcpmag.com

Newsletter problems: RED@1105service.com

TCPmag.com
Redmond Media Group
16261 Laguna Canyon Road, Suite 130
Irvine, CA 92618-3608
Phone 949-265-1520

************************************************************************
UNSUBSCRIBE OR CHANGE E-MAIL ADDRESS:
https://newsletters.1105pubs.com/nl/URMGf.do?e=nesstosharedlog.com
************************************************************************

To review our Privacy Policy, visit our Web site at
http://www.1105media.com/privacy.aspx

Copyright 2007 1105 Media Inc. TCPmag.com News may only be redistributed in its unedited form. Written permission from the editor must be obtained to reprint the information contained within this newsletter. Contact: editor@tcpmag.com
