###### tags: `finished`

:::success
# INR Lab 3 - VLANs & Fault Tolerance
:::

## Task 1 - VLANs

:::info
1. Change the topology of your network to the one shown below and make the necessary configs.
2. Exchange the default switches for Cumulus VX instances.
:::

<center>

![](https://i.imgur.com/GdTmIIb.png)
Picture 1 - New topology

</center>

:::info
3. Configure the switches and make sure you have connectivity between the hosts.
:::

The basic config in `/etc/network/interfaces` is a VLAN-aware bridge with all three ports as members of VLANs 10 and 20 and VLAN 1 as the untagged (PVID) VLAN:

```
cumulus@cumulus:~$ sudo nano /etc/network/interfaces
...
auto bridge
iface bridge
    bridge-ports swp1 swp2 swp3
    bridge-vids 10 20
    bridge-pvid 1
    bridge-vlan-aware yes

auto swp1
iface swp1
    # bridge-vids

auto swp2
iface swp2
    # bridge-vids

auto swp3
iface swp3
    # bridge-vids
...
```

<center>

![](https://i.imgur.com/rNEQddi.png)
Picture 2 - Pinging HR from Web

</center>

:::info
5. How do VLANs work at a packet level? What are the two major protocols used for this? What do we mean by Native VLAN?
:::

A VLAN splits one physical switched network into several logical broadcast domains, regardless of where the nodes are physically plugged in. At the data-link layer this is done by tagging frames: the switch inserts a 4-byte IEEE 802.1Q tag after the source MAC address (TPID `0x8100`, a 3-bit priority, a drop-eligible bit and a 12-bit VLAN ID, so 4094 usable VLANs), and a VLAN-aware bridge only forwards a frame out of ports that are members of that VLAN. Hosts on access ports never see the tag: it is added on ingress and stripped on egress, and is only carried on trunk links between switches and to the router.

The two major protocols for this are IEEE 802.1Q, the open standard that Cumulus, MikroTik and practically everything else uses, and Cisco's proprietary ISL, which encapsulated the whole frame in a new header and is now obsolete. ARP (IP to MAC resolution) and STP (loop elimination) are not VLAN protocols; they simply run inside each VLAN on top of the tagging.

By Native VLAN we mean the VLAN whose frames travel untagged on a trunk port: a frame that arrives without a tag is assigned the port's native VLAN (the PVID, `bridge-pvid` in the config above), and frames of that VLAN leave the trunk without a tag. By default this is VLAN 1. Because a trunk accepts untagged frames, a native VLAN that also carries hosts makes VLAN hopping by double tagging possible, so the usual hardening is to move the native VLAN to an unused ID and not to put hosts in VLAN 1.

:::info
5. Configure the VLANs on the switches to isolate the two virtual networks shown below:
:::

Since the Cumulus VX switch is a new device for me, I decided to configure the VLANs not by the classical method but with the VLAN-aware bridge. It seems to me that this setup is very easy, because all we have to do is activate the ports, give them `bridge-vids`, and not forget about the bridge for broadcast traffic. Therefore the basic settings for each VLAN are the same as those I attached above. You can see the settings for the router below.
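Before the router screenshots, the 802.1Q tag from the answer above shown in bytes. The following script is an added example for this report, not code from the lab, Cumulus or MikroTik; the MAC addresses, the ARP payload and the PVID values in it are constructed. It builds a frame the way a trunk port sends it, strips the tag the way an access port does, and parses a double-tagged frame, which is the shape VLAN hopping over the native VLAN takes:

```python
"""Added example, not code from the lab report or from Cumulus/MikroTik:
build and parse IEEE 802.1Q-tagged Ethernet frames to show what a VLAN
is at the frame level. All MACs and payloads below are constructed."""
import struct
from typing import Optional

TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag
ETHERTYPE_ARP = 0x0806


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def push_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the source MAC (offset 12), which is
    what a trunk port does on egress. VID 0 and 4095 are reserved."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid   # 3-bit PCP, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outer tag, which is what an access port does on egress.
    Untagged frames are returned unchanged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    frame = mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload
    return push_tag(frame, vid, pcp) if vid is not None else frame


def parse_frame(frame: bytes, pvid: int = 1) -> dict:
    """Classify a frame the way a VLAN-aware bridge port does: an untagged
    frame belongs to the port's native VLAN (pvid); every stacked tag is
    read, so a double-tagged frame shows up with two VIDs."""
    off, tags = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {
        "dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
        "tagged": bool(tags), "tags": tags,
        "vlan": tags[0]["vid"] if tags else pvid,    # VLAN the bridge forwards in
        "ethertype": struct.unpack("!H", frame[off:off + 2])[0],
        "payload": frame[off + 2:],
    }


if __name__ == "__main__":
    # constructed ARP request from a host in VLAN 10 as seen on the trunk
    arp = build_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:aa:bb:cc",
                      ETHERTYPE_ARP, b"\x00\x01", vid=10)
    print(parse_frame(arp))                     # trunk side: tagged, VLAN 10
    print(parse_frame(pop_tag(arp), pvid=10))   # access side: untagged, VLAN 10 via PVID
    print(parse_frame(push_tag(arp, 1)))        # double-tagged: outer VID 1 (native), inner 10
```

The last call is the point of the native VLAN caveat: a switch whose native VLAN is 1 strips the outer tag on the trunk and forwards the frame on with the inner tag 10 still attached, which is why a native VLAN should not carry hosts.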
VLANs were also created on it.

<center>

![](https://i.imgur.com/JdOKYUG.png)
Picture 2 - Router configuration

</center>

<center>

![](https://i.imgur.com/nd1EXUv.png)
Picture 3 - VLAN on MikroTik

</center>

:::info
6. Ping between **ITManager** and **HR**, do you have replies? Ping between **ITManager** and **Management**, do you have replies? Capture the traffic of the last ping and show the VLAN indication in the packet.
:::

<center>

![](https://i.imgur.com/ukRqQVC.png)
Picture 4 - Ping from ITManager to HR and Management

![](https://i.imgur.com/jmQBxwc.png)
Picture 5 - Result in Wireshark

</center>

:::info
7. Configure Inter-VLAN Routing between Management VLAN and HR VLAN.
8. Show that you can now ping between them.
9. Capture the traffic going into and out of the router and show the different traffic of the sub-interfaces.
:::

Note that routing between the two VLANs undoes the layer-2 isolation from step 5: from now on anything that must stay separated between them needs an ACL on the VLAN interfaces. To configure inter-VLAN routing we add an SVI (a VLAN interface on top of the bridge) for each VLAN; its address is the default gateway of the hosts in that VLAN, and since both SVIs are local to the switch it routes between 10.0.0.0/24 and 10.0.1.0/24 without any extra routes:

```
auto vlan10
iface vlan10
    address 10.0.0.1/24
    vlan-id 10
    vlan-raw-device bridge

auto vlan20
iface vlan20
    address 10.0.1.1/24
    vlan-id 20
    vlan-raw-device bridge
```

But there is one small detail: it is not quite clear to me how the devices begin to interact when we move to the third layer, VLAN addressing. I believe that in order to access the Internet (NAT) the gateway addresses must be reported to the router (10.0.0.1, 10.0.1.0), but I still don't understand this point very well, so please leave your comment on this.

<center>

![](https://i.imgur.com/X5KFKdx.png)
Picture 6 - Management is having a conversation with HR

</center>

## Task 2 - Fault Tolerance

:::info
1. What is Link Aggregation? How does it work (briefly)? What are the possible configuration modes?
:::

Link aggregation is a technology that combines several physical links between two devices into one logical link. This increases the available bandwidth, because traffic is spread over the member links, and makes the connection more fault tolerant, because when one member fails the remaining ones carry the traffic.
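To make those two goals (spreading load, surviving a link failure) concrete, here is an added example for this report; it is not code from the lab, from MikroTik or from the Linux bonding driver. It models three of the modes listed in this section with two slaves named after the MikroTik ports used later, `ether2` and `ether4`; the frames, MAC addresses and the hash formula (the `layer2` transmit hash policy as documented for the Linux bonding driver) are assumptions of the example, and LACP negotiation is not modelled:

```python
"""Added example, not code from the lab or from MikroTik/Linux: a small
model of how a bond hands frames to its slave interfaces in the
balance-rr, balance-xor and active-backup modes, and what changes when a
slave goes down. Frames and interface names below are constructed."""
from typing import Dict, List, Optional, Tuple

Frame = Tuple[str, str, int]   # (src MAC, dst MAC, EtherType)


def layer2_hash(frame: Frame) -> int:
    """Linux xmit_hash_policy=layer2 (from the kernel bonding docs): XOR of
    the last byte of both MACs and the EtherType. Every frame between one
    pair of hosts hashes to the same value, so a flow stays on one link."""
    src, dst, ethertype = frame
    return int(src.split(":")[-1], 16) ^ int(dst.split(":")[-1], 16) ^ ethertype


class Bond:
    MODES = ("balance-rr", "balance-xor", "active-backup")

    def __init__(self, mode: str, slaves: List[str]):
        if mode not in self.MODES:
            raise ValueError(f"mode must be one of {self.MODES}")
        self.mode = mode
        self.slaves = list(slaves)                     # e.g. ["ether2", "ether4"]
        self.up = {s: True for s in self.slaves}
        self.current: Optional[str] = self.slaves[0]   # active-backup: link in use
        self.counter = 0                               # balance-rr position
        self.sent: Dict[str, List[Frame]] = {s: [] for s in self.slaves}

    def active(self) -> List[str]:
        return [s for s in self.slaves if self.up[s]]

    def link_down(self, slave: str) -> None:
        self.up[slave] = False

    def link_up(self, slave: str) -> None:
        # active-backup with no primary configured does not fail back on its
        # own, so self.current is left alone here
        self.up[slave] = True

    def choose(self, frame: Frame) -> str:
        links = self.active()
        if not links:
            raise RuntimeError("all slaves are down")
        if self.mode == "balance-rr":
            slave = links[self.counter % len(links)]   # next link in turn
            self.counter += 1
        elif self.mode == "balance-xor":
            slave = links[layer2_hash(frame) % len(links)]
        else:  # active-backup
            if self.current not in links:
                self.current = links[0]                 # failover to a usable slave
            slave = self.current
        return slave

    def transmit(self, frame: Frame) -> str:
        slave = self.choose(frame)
        self.sent[slave].append(frame)
        return slave

    def counts(self) -> Dict[str, int]:
        return {s: len(f) for s, f in self.sent.items()}


def run(mode: str, frames: List[Frame], fail_after: int, failed: str) -> List[str]:
    """Transmit `frames`, taking `failed` down just before frame number
    `fail_after`; returns the slave used for each frame."""
    bond = Bond(mode, ["ether2", "ether4"])
    used = []
    for i, frame in enumerate(frames):
        if i == fail_after:
            bond.link_down(failed)
        used.append(bond.transmit(frame))
    return used


if __name__ == "__main__":
    # two constructed flows from Web: one to the gateway, one to HR
    web_to_gw = ("00:0c:29:00:00:01", "dc:2c:6e:00:00:02", 0x0800)
    web_to_hr = ("00:0c:29:00:00:01", "00:0c:29:00:00:03", 0x0800)
    flows = [web_to_gw, web_to_hr] * 3
    for mode in Bond.MODES:
        print(mode, run(mode, flows, fail_after=4, failed="ether2"))
```

Running it shows the trade-off behind the mode choice: balance-rr alternates every frame (most bandwidth for one flow, but the frames of a flow can be reordered), balance-xor pins each flow to one link, and active-backup uses one link until it fails. In all three the bond keeps sending after `ether2` goes down, which is the fault tolerance the task asks for; whether the other end keeps receiving is a separate question, answered by the note on switch-side configuration in the next section.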
On MikroTik, link aggregation (bonding) is created by adding the interfaces to be combined (the slaves) and then selecting the operating mode:

* **balance-rr**: frames are sent in turn over the slaves, from the first to the last and round again (the most bandwidth for a single flow, but frames of one flow can arrive out of order).
* **802.3ad**: LACP; the aggregation is negotiated dynamically with the peer, all links in the aggregator are used for sending and receiving, and the peer must run LACP too.
* **active-backup**: one link is active and carries all frames while the others idle; if the active interface fails, one of the backups takes over. Needs no support from the switch.
* **balance-tlb**: outgoing traffic is distributed according to the current load of each slave; incoming traffic arrives on the current slave. Needs no support from the switch.
* **balance-alb**: balance-tlb plus receive load balancing, achieved by answering ARP with the MAC addresses of different slaves. Needs no support from the switch.
* **balance-xor**: outgoing frames are spread over the active links by a hash of header fields (by default the source and destination MAC addresses), so one conversation stays on one link; incoming traffic is accepted on any active link.
* **broadcast**: every frame is transmitted on all links.

After choosing the mode, the IP address is configured on the bonding interface. For balance-rr, balance-xor, broadcast and 802.3ad the other end must be configured as a bond as well (on Cumulus a `bond` stanza with `bond-slaves`, which by default runs LACP); otherwise the switch sees the same MAC address arriving on two ports, treats every frame on the other port as a MAC move, and the link appears to flap.

:::info
2. Use link aggregation between Web and the Gateway so that you have Load Balancing and Fault Tolerance.
:::

<center>

![](https://i.imgur.com/tlrFjsn.png)
Picture 7 - Link aggregation

</center>

Well, I will try to describe all my steps sequentially:

1. The first and most banal thing is to create a bond on MikroTik:

```
/interface/bonding/ add name=bonding1 slaves=ether2,ether4
/interface/bonding/ set 0 mode=balance-rr
/ip/address> add address=192.168.10.4/24 interface=bonding1
```

2. After that I created a bridge for it:

```
/interface bridge add name=bridge2
/interface bridge port add bridge=bridge2 interface=bonding1
```

<center>

![](https://i.imgur.com/1XcMpG9.png)
Picture 8 - Something is happening, I'm very glad!

</center>

Well, according to MikroTik everything is configured and the traffic really is distributed in turn between the ports; now it remains to figure out fault tolerance, or why everything stops working when one of the cables is disconnected.

:::info
3.
Test the Fault Tolerance by disconnecting one of the cables and see whether you have any downtime.
:::

*The first rule of Lab 209*: always read the assignment to the end!

*The second rule of Laboratory 209*: read the task THREE times, and then ask someone from the team whether they think the same way as you.

<center>

![](https://i.imgur.com/dSCXsby.png)
Picture 9 - The cable between swp3 and eth2 is disconnected

</center>

To monitor the traffic on the interfaces I used the command:

```
/interface/bridge/port> /interface monitor-traffic ether2,ether4
```

:::info
5. Disable STP on the Switches under Internal.
:::

The `bridge-stp` parameter in the bridge stanza must be changed to `off`:

<center>

![](https://i.imgur.com/WQw2PrI.png)
Picture 10 - Config of Switch

</center>

To check the STP status of a bridge:

```
net show bridge spanning-tree
```

:::info
6. Change the topology to have two paths as shown below:
:::

<center>

![](https://i.imgur.com/s6EGFZX.png)
Picture 11 - New topology

</center>

:::info
7. Capture the traffic and send a broadcast ping request to the PCs connected to the Internal Network. What can you notice? Why did this happen? What are the implications of this on the network?
:::

A bridging loop (switching loop) is a state of the network in which frames circulate endlessly between switches that are connected to the same segment by more than one path. It starts with any broadcast or unknown-unicast frame, for example the ARP request that precedes the ping: a switch floods such a frame out of every port except the one it arrived on, the neighbour does the same with the copy it receives, and because there is a second path the copy comes back to the first switch, which floods it again. Ethernet frames carry no TTL, so nothing ever stops them: the switches kick the unfortunate ARP request around indefinitely like a football, and wherever a switch has more than two redundant ports the number of balls grows every hop, because each copy is flooded out of all the remaining ports. The switches do not rewrite the source MAC address (it stays the host's), but they see that MAC arriving on a different port every time and keep rewriting their MAC address tables (MAC flapping); with the tables unstable, unicast traffic is flooded as well. The implications are a broadcast storm that saturates the links and the switch CPUs, duplicate frames delivered to every host, and in practice a network that stops working until the loop is broken.
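To make the paragraph above measurable, here is an added example (not code from the lab or from Cumulus) that floods one broadcast through three switches connected in a triangle, once without STP and once with one ring port in the blocking state, and then elects the root bridge from bridge IDs the way STP does, which is also what step 8 below asks for. Switch names, port names and MAC addresses are constructed; `full_mesh` goes beyond the lab topology to show that the flood grows geometrically as soon as there are more than two redundant ports per switch:

```python
"""Added example, not code from the lab report or from Cumulus/MikroTik: a
simulation of the broadcast storm captured in this task and of the root
election that STP performs. Switch names, ports and MACs are constructed."""
from collections import deque
from typing import Dict, List, Tuple

Link = Tuple[str, str, str, str]   # (switch A, port on A, switch B, port on B)

TRIANGLE: List[Link] = [            # three switches, every pair connected
    ("SW1", "swp1", "SW2", "swp1"),
    ("SW2", "swp2", "SW3", "swp1"),
    ("SW3", "swp2", "SW1", "swp2"),
]


def full_mesh(n: int) -> List[Link]:
    """n switches, each connected to every other one (more redundant paths)."""
    return [(f"SW{i}", f"swp{j}", f"SW{j}", f"swp{i}")
            for i in range(1, n + 1) for j in range(i + 1, n + 1)]


def flood(links: List[Link], blocked=frozenset(), start: str = "SW1",
          max_hops: int = 8) -> Dict:
    """Flood one broadcast frame (from a host on `start`) through the
    switches. `blocked` holds (switch, port) pairs that STP put into the
    blocking state: they neither send nor accept frames. Ethernet has no
    TTL, so `max_hops` is the only thing that stops a real loop here."""
    peer = {}
    for a, pa, b, pb in links:
        peer[(a, pa)], peer[(b, pb)] = (b, pb), (a, pa)
    ports: Dict[str, List[str]] = {}
    for sw, p in peer:
        ports.setdefault(sw, []).append(p)
    mac_table: Dict[str, str] = {}         # switch -> port the host MAC was learned on
    flaps = {sw: 0 for sw in ports}        # times the MAC moved to another port
    deliveries = {sw: 0 for sw in ports}   # copies each switch handed to its hosts
    tx_per_hop: List[int] = []
    queue = deque([(start, "host", 0)])
    while queue:
        sw, in_port, hop = queue.popleft()
        if hop >= max_hops:
            break                          # give up: the storm would go on forever
        if (sw, in_port) in blocked:
            continue                       # a blocked port drops what it receives
        if mac_table.get(sw, in_port) != in_port:
            flaps[sw] += 1                 # MAC table instability
        mac_table[sw] = in_port
        deliveries[sw] += 1                # hosts on this switch get another copy
        for out in ports[sw]:
            if out == in_port or (sw, out) in blocked:
                continue
            while len(tx_per_hop) <= hop:
                tx_per_hop.append(0)
            tx_per_hop[hop] += 1
            queue.append((*peer[(sw, out)], hop + 1))
    return {"tx_per_hop": tx_per_hop, "flaps": flaps,
            "deliveries": deliveries, "still_looping": bool(queue)}


def root_bridge(bridges: Dict[str, Tuple[int, str]]) -> str:
    """STP root = lowest bridge ID, i.e. lowest (priority, MAC). A priority
    of 4096 beats the default 32768 whatever the MAC address is."""
    return min(bridges, key=lambda n: (bridges[n][0],
                                       int(bridges[n][1].replace(":", ""), 16)))


if __name__ == "__main__":
    print("no STP:      ", flood(TRIANGLE))
    print("port blocked:", flood(TRIANGLE, blocked=frozenset({("SW3", "swp2")})))
    print("4-way mesh:  ", flood(full_mesh(4), max_hops=4)["tx_per_hop"])
    print("root:", root_bridge({"Internal": (4096, "dc:2c:6e:ff:ff:ff"),   # constructed IDs
                                "SW1": (32768, "00:00:00:00:00:01"),
                                "SW2": (32768, "00:00:00:00:00:02")}))
```

In the triangle the two copies never multiply, they just circulate forever and every host receives the same broadcast again every three hops; in the four-way mesh the count doubles each hop. Blocking a single ring port is enough to make every switch see the frame exactly once, which is all STP does for a loop like this. The `root_bridge` call shows why lowering the priority on Internal is the right knob: with equal priorities the lowest MAC wins, which is usually whichever switch happened to get the smallest address.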
**In the screenshot below, host 10.0.1.3 pings 8.8.8.8**

<center>

![](https://i.imgur.com/2ymIkj3.png)
Picture 13 - Here you can see how the switches forward a packet to each other, and that the source addresses change every time.

</center>

:::info
8. Enable STP back on the Switches and do the experiment again. Can you see STP traffic? Explain it briefly. Configure the switches to have the Internal as the Root switch.
:::

As you can see below, with STP running the received packet is delivered directly to its address; however, despite the fact that STP is working, I can't see where the root switch is selected, and because of this the picture does not seem complete, since when the `mstpctl showport bridge` command is run all ports are forwarding. Okay, let's set it up.

<center>

![](https://i.imgur.com/3wK8g7T.png)
Picture 14 - Work of STP

</center>

Changing the priority of the bridge, setting it to the minimum.

<center>

![](https://i.imgur.com/xGonbdd.png)
Picture 15 - Root Switch

![](https://i.imgur.com/uYnIhAR.png)
Picture 16 - Also root switch

![](https://i.imgur.com/8MZPh9k.png)
Picture 17 - And about cost

</center>

I just want to make it clear: because of the few times I turned the ports off and on while changing the configuration of the switches, I now have only a screenshot with three active ports (yes, I didn't have time to turn on the 4th) and I can't show the full picture of STP now. But after the submission I just entered 2 lines in the config and everything worked. You can come to our laboratory and I will show you a working snapshot.

<center>

![](https://i.imgur.com/iCTvqOI.png)
Picture 18 - STP view

</center>

:::info
9. Would we need STP between routers?
:::

Well, it's not bothering us, right?
:D After studying many forums on the question of disabling STP on routers, I learned that this is only necessary when it could trigger protection on the access node, in which case the external line would be blocked.

Many people want to increase bandwidth by disabling STP, but this is a myth; it changes nothing radically. STP is a layer-2 mechanism, so it only matters where a device bridges frames: a router that only routes between its interfaces cannot form a layer-2 loop with its neighbours, and a loop in the routed topology is bounded by the IP TTL and resolved by the routing protocol instead. In this lab the MikroTik does bridge (bridge2 with the bond in it), so on that bridge it is worth keeping (R)STP. In the opposite direction, if the network is small and built so that there are no physical loops in it, you can do without STP, but then one stray patch cable turns into the storm from Task 2.7.

# References:

1. [Packet Level](https://www.sciencedirect.com/topics/engineering/packet-level)
2. [VLAN-aware Bridge Mode](https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-42/Layer-2/Ethernet-Bridging-VLANs/VLAN-aware-Bridge-Mode/#vlan-layer-3-addressing)
3. [Native VLAN](https://community.cisco.com/t5/switching/what-is-difference-between-default-vlan-and-native-vlan/td-p/2095204)
4. [Cumulus STP](https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-44/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree/#troubleshooting)