Jorge González Briceño

Innovation, Research, Learning, Dissemination, Commitment, Respect, Equality

Venezuela
Professional status: Consultant
Open to opportunities
About me
CV created on DoYouBuzz
Networking-auto autonetworking.blogspot.com
Java on Ubuntu 14
26 May 2018
No suitable Java Virtual Machine could be found on your system.

sudo apt-add-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer
Be sure to accept the Oracle license!
Step #3: Verify Installation
Now verify that Java is installed and is of version 1.8.x:

java -version


 
Convert an OpenSSH Key to PuTTY on Linux
19 Apr 2018

On Debian/Ubuntu: apt-get install putty-tools

puttygen keyname -o keyname.ppk

Be sure to replace "keyname" with your private key file name.
Copy and Paste in PAC Manager
12 Apr 2018
(Ctrl + Shift + C, Ctrl + Shift + V) CTRL+INSERT
"Operation not possible due to RF-kill" message
04 Aug 2017


$ sudo ifconfig wlan0 up
SIOCSIFFLAGS: Operation not possible due to RF-kill

No manual entry for Rf-kill
$ rfkill list all
0: hci0: Bluetooth
Soft blocked: yes
Hard blocked: no
1: phy0: Wireless LAN
Soft blocked: yes
Hard blocked: no

$ sudo rfkill unblock wifi
$ rfkill list all
0: hci0: Bluetooth
Soft blocked: yes
Hard blocked: no
1: phy0: Wireless LAN
Soft blocked: no
Hard blocked: no
$ sudo ifconfig wlan0 up
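The session above only shows the happy path. The following helper, added here and not part of the original post, parses `rfkill list all` output (the sample below is constructed to match the session) and separates soft blocks, which `rfkill unblock` clears, from hard blocks, which come from a physical switch or firmware setting and cannot be cleared from the command line.

```shell
# Added example, not from the original post: classify rfkill blocks so the
# right fix is applied. Sample output constructed to match the session above.
RFKILL_BEFORE='0: hci0: Bluetooth
    Soft blocked: yes
    Hard blocked: no
1: phy0: Wireless LAN
    Soft blocked: yes
    Hard blocked: no'

# parse_rfkill: stdin = `rfkill list all` output; stdout = one "id type soft hard" line per device.
parse_rfkill() {
  awk '
    /^[0-9]+:/ {
      if (id != "") print id, type, soft, hard
      id = $1; sub(":", "", id)
      type = $3; for (i = 4; i <= NF; i++) type = type "_" $i
      soft = ""; hard = ""
    }
    /Soft blocked:/ { soft = $3 }
    /Hard blocked:/ { hard = $3 }
    END { if (id != "") print id, type, soft, hard }'
}

# block_state TYPE: reads rfkill output on stdin and prints none|soft|hard|both
# for the first device whose type contains TYPE (e.g. Wireless or Bluetooth).
block_state() {
  parse_rfkill | awk -v want="$1" '
    index($2, want) {
      if ($3 == "yes" && $4 == "yes") print "both"
      else if ($3 == "yes") print "soft"
      else if ($4 == "yes") print "hard"
      else print "none"
      exit
    }'
}

# soft_blocked_ids: ids that `rfkill unblock <id>` alone would fix, space separated.
# Devices that are also hard blocked are left out: unblocking them needs the switch.
soft_blocked_ids() {
  parse_rfkill | awk '$3 == "yes" && $4 != "yes" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}
```

Run `rfkill list all | block_state Wireless` on a live system; a result of `hard` means no `rfkill unblock` will help and the hardware switch or BIOS setting must be checked.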
Auto Login
26 Jul 2017
One way to log in remotely is to use "Expect".

Here is a minimal, generic script for that purpose (it can be improved):

#!/usr/bin/expect -f
# Open the SSH session; replace nombre@a.b.c.d with the user and host
spawn ssh nombre@a.b.c.d
# Wait for the password prompt (matches both "Password:" and "password:")
expect "*?assword:*"
# Send the password; it is stored here in clear text, so keep this file readable only by its owner
send "clave del equipo\r"
# Hand the session over to the user
interact

Desktop Icon to Run a Script on Linux
31 May 2017
This time it is about:

  • We have a script and want to run it by double-clicking an icon on the desktop

  1. Create the script you want to run
  2. Create a file on the desktop called tunombre.desktop
  3. Make the file tunombre.desktop executable
  4. Change directory to the Desktop: cd /home/nombre de usuario
    chmod a+x tunombre.desktop


 Contents of the tunombre.desktop file

[Desktop Entry]
Encoding=UTF-8
Version=1.0
Name=NsLookup
Type=Application
Terminal=true
# Exec: full path to the script created in step 1
Exec=/home/nombredeusuarioe/nombre del script
# Icon: path to the icon image to show on the desktop
Icon=/ruta donde se encuentra el icono que deseo se vea en el escritorio
ENGENIUS ACCESS POINT EOC-2611P
20 Apr 2017
The problem:

  • No password gives access to the web management or telnet (192.168.1.1) of the ENGENIUS EOC-2611P ACCESS POINT. However, it does respond continuously to ICMP (ping).
What is needed:
  • The files cfg.jffs2, jffs2.eoc-2610.bin, vmlinuxap51.bin.l7
  • A TFTP service installed and enabled on the PC (PumpKIN worked very well for me), such as the one offered by SolarWinds or any other (free) vendor
  • A TELNET client (for example PuTTY)
  • If possible, a UPS powering both the PC and the EOC-2611P
The procedure:
  • Power off the EOC-2611P access point
  • Run a continuous ping to 192.168.1.1 (ping -t 192.168.1.1 if the PC is Windows; on other systems the -t parameter is not needed) and leave that command window open
  • Power on the EOC-2611P
  • As soon as a ping reply is seen, proceed to the next step
  • Open a telnet connection to port 9000 on 192.168.1.1
  • The console will open with the RedBoot> prompt
  • From there on, a series of instructions must be run (keeping the spaces in the syntax)



RedBoot> ip_address -l 192.168.1.1/24 -h 192.168.1.10 (this is the IP address of the PC running the TFTP service, connected to the Access Point)
IP: 192.168.1.1/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.20
RedBoot> load -r -b %{FREEMEMLO} jffs2.eoc-2610.bin
Using default protocol (TFTP)
Raw file loaded 0x80041000-0x80430fff, assumed entry at 0x80041000
RedBoot> fis init -f
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa8030000-0xa87e0000: ...........................................................................................................................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis create256 -f 0xa8030000 -l 0x3f0000 -e 0 rootfs
... Erase from 0xa8030000-0xa8420000: ...............................................................
... Program from 0x80041000-0x80431000 at 0xa8030000: ...............................................................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} vmlinux.ap51.bin.l7
Using default protocol (TFTP)
Raw file loaded 0x80041000-0x800e0fff, assumed entry at 0x80041000
RedBoot> fis create256 -l 0xa0000 -f 0xa8420000 -e 0x80041798 -r 0x80041000 vmlinux.bin.l7
... Erase from 0xa8420000-0xa84c0000: ..........
... Program from 0x80041000-0x800e1000 at 0xa8420000: ..........
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} cfg.jffs2
Using default protocol (TFTP)
Raw file loaded 0x80041000-0x80041000, assumed entry at 0x80041000
RedBoot> fis create256 -l 0x10000 -f 0xa84c0000 -e 0 cfg
... Erase from 0xa84c0000-0xa84d0000: .
... Program from 0x80041000-0x80041001 at 0xa84c0000: .
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset


Once the device has been reset, we should be able to log in with user and password admin.
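Every `fis create` in the session above writes straight to flash, so a wrong base, length or image size can overwrite a neighbouring partition or the FIS directory at 0xa87e0000 that RedBoot rewrites after each command. The checker below is an added example, not part of the original post; it takes the addresses printed in the session and confirms the plan is safe before anything is flashed.

```shell
# Added example, not part of the original post: sanity-check the RedBoot flash
# plan before each `fis create`. Checks: the raw image loaded into RAM fits its
# flash partition, partitions do not overlap, and none reaches the FIS directory
# block (the 0xa87e0000-0xa87f0000 erase seen after every command in the log).
FIS_DIR_START=0xa87e0000

# loaded_size START END: bytes in a "Raw file loaded START-END" range (END is inclusive).
loaded_size() { echo $(( $2 - $1 + 1 )); }

# check_partition NAME FLASH_BASE LENGTH IMG_START IMG_END
# Prints "ok", or the reason the `fis create` would be unsafe (and returns 1).
check_partition() {
  name=$1; base=$(( $2 )); len=$(( $3 )); img=$(loaded_size "$4" "$5")
  end=$(( base + len ))
  if [ "$img" -gt "$len" ]; then
    printf '%s: image of 0x%x bytes does not fit partition of 0x%x\n' "$name" "$img" "$len"; return 1
  fi
  if [ "$end" -gt $(( FIS_DIR_START )) ]; then
    printf '%s: partition ends at 0x%x, inside the FIS directory\n' "$name" "$end"; return 1
  fi
  echo ok
}

# check_layout: stdin = "NAME BASE LENGTH" lines in flash order; prints "ok" if no two overlap.
check_layout() {
  prev_end=0; prev_name=none
  while read -r name base len; do
    [ -n "$name" ] || continue
    start=$(( base ))
    if [ "$start" -lt "$prev_end" ]; then
      printf '%s at 0x%x overlaps %s, which ends at 0x%x\n' "$name" "$start" "$prev_name" "$prev_end"; return 1
    fi
    prev_end=$(( start + len )); prev_name=$name
  done
  echo ok
}

# The three partitions from the session above, in flash order.
PLAN='rootfs 0xa8030000 0x3f0000
vmlinux.bin.l7 0xa8420000 0xa0000
cfg 0xa84c0000 0x10000'
```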




Testing a Web Site from Linux, and Other Tools
12 Mar 2017
On various occasions it is necessary to check certain parameters of access to web sites.

To that end, here are some options for checking response times from the Linux CLI (command line interface).

WGET
usuario@hostname-de-tu-pc:~$ wget -p http://www.sitio_a_verificar.com


CURL
usuario@hostname-de-tu-pc:~$ time curl -I http://www.google.com | grep HTTP

usuario@hostname-de-tu-pc:~$ curl -Is http://www.google.com | head -1

usuario@hostname-de-tu-pc:~$ curl -s -w '\nLookup time:\t%{time_namelookup}\nConnect time:\t%{time_connect}\nPreXfer time:\t%{time_pretransfer}\nStartXfer time:\t%{time_starttransfer}\n\nTotal time:\t%{time_total}\n' -o /dev/null http://www.google.com
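The curl `-w` values above are cumulative timestamps, so the raw output does not say where the time went. The helper below, added here and not part of the original post, takes the same five fields and turns them into per-phase durations (DNS, TCP connect, TLS handshake, server wait, body transfer) and names the slowest phase; the sample line is constructed.

```shell
# Added example, not from the original post: break a curl -w timing line into phases.
# Same write-out variables as the post, on one tab-separated line.
CURL_FORMAT='%{time_namelookup}\t%{time_connect}\t%{time_pretransfer}\t%{time_starttransfer}\t%{time_total}\n'

# phase_breakdown: stdin = "lookup connect pretransfer starttransfer total" (seconds).
# Each phase is the difference between consecutive timestamps, printed in ms.
# "tls" is pretransfer minus connect: the TLS handshake for https, ~0 for plain http.
# "server" is the time between request sent and first response byte.
phase_breakdown() {
  awk '{
    printf "dns=%.0f tcp=%.0f tls=%.0f server=%.0f transfer=%.0f total=%.0f\n",
      $1*1000, ($2-$1)*1000, ($3-$2)*1000, ($4-$3)*1000, ($5-$4)*1000, $5*1000
  }'
}

# slowest_phase: name of the phase that contributes most to the total.
slowest_phase() {
  phase_breakdown | tr ' ' '\n' | grep -v '^total=' | sort -t= -k2 -n | tail -1 | cut -d= -f1
}

# measure URL: live measurement (needs network); the functions above work on any saved line.
measure() { curl -s -o /dev/null -w "$CURL_FORMAT" "$1" | phase_breakdown; }
```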




Google tool:

https://toolbox.googleapps.com/apps/dig/


Chrome app:
Chrome Connectivity Diagnostics
https://chrome.google.com/webstore/detail/chrome-connectivity-diagn/eemlkeanncmjljgehlbplemhmdmalhdc?utm_source=chrome-app-launcher-info-dialog

Additional documentation


CURL:
https://curl.haxx.se/

Wget
https://www.gnu.org/software/wget/manual/


Httpie
https://httpie.org/


Twill
http://twill.idyll.org/


The response codes are attached at this link:

https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

Site for checking a web page:

https://www.webpagetest.org/easy.php

Ethical hacking
01 Mar 2014

http://www.guru99.com/ethical-hacking-tutorials.html

TCP/IP with Netsh.exe
24 Dec 2013

This is an extract from the site Petri.co.il: http://www.petri.co.il/configure_tcp_ip_from_cmd.htm

In order to configure TCP/IP settings such as the IP address, Subnet Mask, Default Gateway, DNS and WINS addresses and many other options you can use Netsh.exe.
Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh.exe also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer. Netsh.exe can also save a configuration script in a text file for archival purposes or to help you configure other servers.
Netsh.exe is available on Windows 2000, Windows XP, and Windows Server 2003.
You can use the Netsh.exe tool to perform the following tasks:
  • Configure interfaces
  • Configure routing protocols
  • Configure filters
  • Configure routes
  • Configure remote access behavior for Windows-based remote access routers that are running the Routing and Remote Access Server (RRAS) Service
  • Display the configuration of a currently running router on any computer
  • Use the scripting feature to run a collection of commands in batch mode against a specified router.

What can we do with Netsh.exe?

With Netsh.exe you can easily view your TCP/IP settings. Type the following command in a Command Prompt window (CMD.EXE):
netsh interface ip show config
With Netsh.exe, you can easily configure your computer's IP address and other TCP/IP related settings. For example:
The following command configures the interface named Local Area Connection with the static IP address 192.168.0.100, the subnet mask of 255.255.255.0, and a default gateway of 192.168.0.1:
netsh interface ip set address name="Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.1 1
(The above line is one long line, copy paste it as one line)
Netsh.exe can be also useful in certain scenarios such as when you have a portable computer that needs to be relocated between 2 or more office locations, while still maintaining a specific and static IP address configuration. With Netsh.exe, you can easily save and restore the appropriate network configuration.
First, connect your portable computer to location #1, and then manually configure the required settings (such as the IP address, Subnet Mask, Default Gateway, DNS and WINS addresses).
Now, you need to export your current IP settings to a text file. Use the following command:
netsh -c interface dump > c:\location1.txt
When you reach location #2, do the same thing, only keep the new settings to a different file:
netsh -c interface dump > c:\location2.txt
You can go on with any other location you may need, but we'll keep it simple and only use 2 examples.
Now, whenever you need to quickly import your IP settings and change them between location #1 and location #2, just enter the following command in a Command Prompt window (CMD.EXE):
netsh -f c:\location1.txt
or
netsh -f c:\location2.txt
and so on.
You can also use the global EXEC switch instead of -F:
netsh exec c:\location2.txt
Netsh.exe can also be used to configure your NIC to automatically obtain an IP address from a DHCP server:
netsh interface ip set address "Local Area Connection" dhcp
Would you like to configure DNS and WINS addresses from the Command Prompt? You can. See this example for DNS:
netsh interface ip set dns "Local Area Connection" static 192.168.0.200
and this one for WINS:
netsh interface ip set wins "Local Area Connection" static 192.168.0.200
Or, if you want, you can configure your NIC to dynamically obtain its DNS settings:
netsh interface ip set dns "Local Area Connection" dhcp
BTW, if you want to set a primary and secondary DNS address, add index=1 and index=2 respectively to the lines of Netsh command.
As you now see, Netsh.exe has many features you might find useful, and that goes beyond saying even without looking into the other valuable options that exist in the command.
Installing CANTV Satelital
24 Dec 2013

Installing CANTV Satelital

CANTV Satellite Kit

To avoid frustration:

  • Follow the assembly instructions for the dish and its base carefully; every screw has its function and place.
  • Check that the clamp (the one that adjusts the tilt) uses TWO (2) short screws installed from the inside out. Find the compass and check that toward the South-West (if you are in San Felipe) there are no obstructions (trees, buildings, etc.) that would block communication between the satellite and your antenna. To find the South-West, place the compass on a horizontal surface, turn it until the red needle lines up with the letter "N", i.e. North, and you can then orient the direction your antenna will take.
  • Now you know which way the antenna will point (SOUTH-WEST). The exact number of degrees toward the SOUTH-WEST depends on the city in Venezuela. For example, in San Felipe it is 223° SW (SOUTH-WEST).
  • To find the tilt (up-down) you will give the antenna, look up in the instructions the tilt in degrees that corresponds to your city (for example, for San Felipe the antenna must be tilted 73°). Once you know the tilt you will give the antenna, adjust the screws so that the antenna is tilted 73° if you are in San Felipe. Do not over-tighten them, because later you will need to raise or lower those degrees a little to improve reception.
  • Find a surface with no obstructions in the direction you will point the antenna (for example, in San Felipe you need a spot with no obstructions toward the South-West).
  • Once you are sure of the spot, fix THE BASE of the mast taking the LEVEL into account, i.e. it MUST be level horizontally or vertically depending on whether you are installing it on a wall or on the roof. Fit the mast into the base you just installed so that it is LEVEL and at 90° to the wall or roof. Remember to insert the LNB in its holder. Now fit the antenna (via the clamp) onto the mast.
  • Turn the antenna horizontally until it points 223° toward the SOUTH-WEST (if you are in San Felipe). You now have the antenna pointing in the direction the manual indicates (according to the city).
  • You now have the antenna tilted the number of degrees the manual indicates (according to the city).
  • You now have the LNB installed in its holder.
  • Connect the audio-video cable to the TV and to the decoder, following the manual that comes with the CANTV antenna. Now, with the decoder switched off, connect the coaxial cable to the LNB (REMEMBER: THIS IS DONE WITH THE DECODER OFF). Now connect the other end of the long coaxial cable to the connector on the decoder labelled "Lnb". You must turn the LNB slightly to the left (looking at the antenna from the front); the manual indicates between 4 and 5 o'clock depending on the city.
  • Connect the short coaxial cable as follows: one end to the decoder connector labelled "Ch3/CH4", the other end to the coaxial connector on the TV. Now switch on the decoder and the TV. The TV must be on the Video input, not on a channel but on "Video".
  • Now you will see an options menu on the screen. Select the "Install" option. A signal meter for strength and quality will appear. You will also hear a tone that indicates strength and quality.
  • If it sounds slow, adjustment is still needed to get good strength and quality. If it speeds up, strength and quality are improving. REMEMBER THAT THE MAST AND ITS BASE MUST BE LEVEL HORIZONTALLY AND VERTICALLY. If the tilt says 73°, set it at 75° and then lower it if necessary.
  • If strength and quality show zero, don't worry; that is because the antenna still needs to be pointed in the right direction (SOUTH-WEST if you are in San Felipe) and with the right tilt (73° if you are in San Felipe).
  • Turn the antenna to the left to a few degrees less than the manual says (for example, if the manual says 223° SOUTH-WEST, turn the antenna horizontally to 190°).
  • The tone should now be sounding faster, indicating that the signal level has increased. You will also see the strength and quality levels rise on the on-screen indicator.
  • Strength should be above 75 and quality above 65. If strength is low, move the antenna very slightly to the right while listening and watching the screen. I advise you to first leave the tilt and the LNB rotation fixed and move the antenna only horizontally. Then you should adjust the LNB rotation according to the manual.
  • If necessary, adjust the tilt; I advise setting it initially 2 or 3 degrees above what the manual says and lowering it if necessary, i.e. if the manual says 73° of tilt, set it at 76°.
  • When you have the recommended strength and quality, press OK (or accept) on the decoder's remote control and you will see a series of channel names register quickly. Write down the serial number on the chip card. When the decoder prompts you, insert the chip card.
  • Next you must call 0800-CANTV-TV to activate the service, and you must have at hand a UNICA card for 100 BsF, or cards that add up to that amount, for example one of 60 and two of 20, because the system will ask for them later. When you call, the system will first ask for the serial (the one on the chip card) and then for the code you scratched off the UNICA card. Remember that each month you must call 0800-CANTV-TV to load the corresponding balance to keep enjoying the service.
  • On another occasion I will upload illustrative images to improve this CANTV Satelital installation tutorial.
BMC on IBM x366 servers
07 Dec 2010
Is it possible to manage an IBM server remotely without the "famous" RSA card?
YES
How...?
With BMC.

To access the server, several things have to be done:
Configure an IP address on the BMC, together with a login and password.
Enable the functions indicated in

http://www.redbooks.ibm.com/abstracts/tips0551.html
To configure the BMC's IP, login and password, enter the server setup (F1 in the case of an IBM x366).
On the PC or machine from which you want to access and manage the server, install an application: OSA System Management Bridge
System Management Bridge Baseboard Management Controller CLI and Remote Console Utility
http://www-947.ibm.com/support/entry/portal/docdisplay?brand=5000008&lndocid=MIGR-64636
Run the software from the path where it was installed, with a line similar to this:
C:\Archivos de programa\Avocent\SMBridge>smbridge -ip a.b.c.d -u <user name previously configured on the BMC> -p <password configured for the BMC> power status
The command above returns the server's state (whether it is on or off).

To power the server on, the command is power on, that is,
C:\Archivos de programa\Avocent\SMBridge>smbridge -ip a.b.c.d -u <user name> -p <password> power on

To power the server off, the command is power off, that is,
C:\Archivos de programa\Avocent\SMBridge>smbridge -ip a.b.c.d -u <user name> -p <password> power off

A list of the commands appears in the OSA SMBridge User Manual (OSA is the manufacturer; after 3 hours of research I realised it was simply the vendor of the software)
ftp://ftp.software.ibm.com/systems/support/system_x_pdf/sysmgmtbridgeuserman.pdf

I will post the next step later;
I am going to keep configuring, because the intention is to power on several servers remotely, but with time gaps between each one.

With IBM Director the BMCs of several servers can be managed more intuitively; that is on my to-do list too.

These concepts need reviewing:
Intelligent Platform Management Interface (IPMI)

This is an extract of the BMC configuration on the server I want to manage remotely.
Configuring BIOS to enable Serial Over LAN

Before SMBridge can be used to manage a remote server via SOL, the BMC and BIOS of the remote server must have the following settings configured.

Note: This procedure disables PXE boot on Gigabit port 1 on the server. If you plan to use PXE, you will need to connect Gigabit port 2 to your network and ensure that your remote install procedure is configured to use that port.

1. Enter BIOS Setup by pressing F1 when prompted during boot.
2. If you have not done so already, configure the static IP address, subnet mask, and gateway of the BMC in Advanced Options > Baseboard Management Controller (BMC) Settings.
3. From the main menu, select Devices and I/O Ports. Set the following:
* Set field Serial Port A to Auto-configure
* Set field Serial Port B to Auto-configure
4. Select Remote Console Redirection. Set the following:
* Remote Console Active to Active
* Remote Console Text Emulation to VT100/VT220
* Remote Console Keyboard Emulation to VT100/VT220
* Remote Console Active After Boot to Enabled
* Remote Console Flow Control to Hardware
5. The setup window should now look similar to the following:

********************************************************
* Remote Console Redirection *
********************************************************
* Remote Console Active [ Enabled ] *
* Remote Console COM Port [ COM 1 ] *
* Remote Console Baud Rate [ 19200 ] *
* Remote Console Data Bits [ 8 ] *
* Remote Console Parity [ None ] *
* Remote Console Stop Bits [ 1 ] *
* Remote Console Text Emulation [ VT100/VT220 ] *
* Remote Console Keyboard Emulation [ VT100/VT220 ] *
* Remote Console Active After Boot [ Enabled ] *
* Remote Console Flow Control [ Hardware ] *
********************************************************
6. Press Esc twice to return to the main menu, then select Start Options. Set the following:
Note: You will most likely only have some of these options on your server. For example on the x236, we only set Planar Ethernet PXE/DHCP to Planar Ethernet 2.
* Planar Ethernet 1 PXE to Disabled
* Planar Ethernet 2 PXE to Enabled
* Planar Ethernet PXE/DHCP to Planar Ethernet 2
* Run PXE only on Selected Planar NIC to Enabled
7. Press Esc to return to the main menu, then select Advanced Options then Baseboard Management Controller (BMC) Settings. Set the following:
* System-BMC Serial Port Sharing to Enabled
* BMC Serial Port Access Mode to Dedicated
8. Save the BIOS settings and reboot the server.
SPAN and RSPAN
06 Mar 2010
Here is an extract analysing the drawbacks of SPAN and RSPAN, written by a networking specialist, Tim O'Neill. The first part introduces the author and the second presents the analysis of this technology.

Specialities of Tim O'Neill "Oldcommguy™":

High Tech Business Development, Mergers/Acquisitions, Branding and Identity - In technologies like Industrial LAN, IT LAN, WAN, ATM, WiFi, IP, VoIP, Video-oIP, Database, and Internet technologies. I am a skilled technical media writer.
Editor of www.lovemytool.com a technology advocacy site.
Ex-Law enforcement and Technologist who volunteers to train Internet Safety for Children, Adults and Seniors.
Volunteer Cybercrimes consultant to the Georgia P.O.S.T. Executive Director.

RSPAN … Friend or Foe? (by Tim O’Neill)

Editor Profile - Tim O’Neill is an independent technology consultant. He has over 30 years experience working in the WAN, Analog, ISDN, ATM and LAN test market. Tim has worked with companies like Navtel, Network General, Ganymede and ClearSight Networks and is now helping companies get lab recognition and technology verification. Tim is also the Chief Contributing Editor for LoveMyTool.com, a website designed to help network managers gain access to valuable information and real solution stories from other customers. Tim is a patent holding, published and degreed engineer, who has seen this technology grow from Teletype (current loop) data analysis to today’s 10 Gigabit LAN’s focused on business applications with heavy compliance demands. Tim can be reached at oldcommguy (at) bellsouth (dot) net.


Is RSPAN something one should be using? Or is it something to be avoided?


Recently I wrote an article about SPAN that details the overall issues with using SPAN ports as the monitoring data access point, providing evidence that SPAN access for monitoring and analysis is not in the best interest of network managers who need to fully understand their networks.

The list of problems with using SPAN ports for network monitoring and analysis are many and in particular, I pointed out that SPAN ports will not meet the demands of compliance requirements for high fidelity data access nor for analysis of synchronized traffic such as VoIP.

So you should not be surprised when I tell you that RSPAN is even a bigger potential mess and that its usage is not only not recommended but is in fact prohibited altogether in many high-end customer sites!


What is RSPAN?

RSPAN stands for Remote Switched Port for ANalysis.

RSPAN is similar to SPAN except that it utilizes a “remote” switch to send data back through the “production” network for monitoring.


RSPAN has all the issues of SPAN and more

Recall that,

1. SPAN’ing or mirroring changes the timing of the frame interaction (what you see is not a true representation of your network traffic).
2. The SPAN algorithm is not designed to be the primary focus or the main function of the device like switching or routing. This means that the first priority is not SPAN and if replicating a frame becomes an issue, the hardware will temporarily drop the SPAN process.
3. If the speed of the SPAN port becomes overloaded frames are dropped.
4. Proper SPAN port setup requires that a network engineer configure the switches properly and this takes away from the more important tasks that network engineers have. Many times configurations can become problematic (constantly creating contention between the IT team, the security team and the compliance team).
5. SPAN port drops all packets that are corrupt or those that are below the minimum size, so all frames are not passed on. For IPv6 knowing the amount of fragments is an important measurement criterion.

All of these events can occur and no notification is sent to the user, so there is no guarantee that one will get any, much less all, the data required for proper analysis or reporting/statistics.

Now we add RSPAN, this means that the above issues are compounded with more delay, more loss, more filtering and data grooming. In addition, the RSPAN packets are transported over the production network. This is just unreliable for any type of serious monitoring or analysis techniques.


How does RSPAN really work?

The following shows Cisco’s schematic for RSPAN.

[Image not available in this copy: Cisco’s RSPAN schematic]

The Source switch is taking frames from the source port and encapsulating them in newly-created RSPAN frames. The switch then sends these new RSPAN frames through the production network to a Destination switch which then removes the encapsulating headers and presents the frames to a capture device on the destination port. From a simple frame timing and performance monitoring perspective, what appears at the ultimate destination port bears no reliable resemblance to what actually occurred at the source port or on the network being monitored.



Summary

SPAN does not deliver high fidelity data access and is a potential failure point in your network. RSPAN just adds to the issues of SPAN and is not recommended for any application of monitoring or analysis for today’s networks.

If one must have remote access to data, my recommendation is to use real access taps such as those manufactured by Network Critical or a secure remote access device like the Gigamon Systems data access switch. This will give you all the packets required for meeting today’s critical analysis and monitoring needs (and save you lots of headache).


Comments from Network Experts –

Betty DuBois – Sniffer Expert, Network Consultant and Wireshark instructor

Tim O’Neill hits the nail on the head again. So often I will hear customers tell me “the sales guy said that with RSPAN I could see my whole network without having to move the capture device”. Just remember the acronym for the OSI model. Please Do Not Take Sales Person’s Advice on this one. If all you need is something quick and dirty just to see if the client and server can talk to each other, then it is fine. But RSPAN is not a viable solution if you are trying to prove whose fault it is, the delta times for the packets are completely skewed.

Scott Haugdahl – Network Expert and Founder of Bitcricket

Editor's Note - Scott has also written previously about RSPAN, please refer here.

Tim, I agree that RSPAN is generally bad for enterprises with a high volume of traffic. There are certain situations where you cannot for practical reasons, put a tap on every segment in your infrastructure, especially low volume local or remote edges. In such situations, save taps for higher volume traffic and permanent installs and use an SNMP tool to monitor switch stats for port CRC counts (i.e. packets not passed through the SPAN).

If the RSPAN VLAN is sharing the same physical segments as corporate data, one might look into lowering the switch VLAN priority for passing RSPAN traffic. Sure, this can worsen the timing but I can still obtain valuable troubleshooting information even if the packet timing at the analyzer is not precise. Finally, using a security ACL as a filter (such as TCP port 80) on the RSPAN VLAN (supported by higher end Catalyst switches in certain configurations), is worth a look to cut down the traffic volume. Regardless, tread *very* lightly!

Tom Tosh – Sniffer Expert – Senior Consultant and Network Expert

RSPAN is one of those features that, when I first heard the concept, I thought “Hmm…. Interesting,” but on a second look, after coming to understand how it works, soon asked, “When and how could that possibly be useful?” I believe that a comprehensive visibility strategy for networks requires some understanding and consideration of RSPAN, its limitations and its caveats. When we have no other visibility into a remote switch, and the answers we seek regarding the traffic seen at any specific, user-based port on that switch are not performance-based, RSPAN can likely provide some usable information. And in that statement are the key caveats of RSPAN:

Limit RSPAN sourcing to a single, user-based port in order to minimize RSPAN’s impact on the switches and network path. This means no multiple-port spanning, and no spanning of trunk or server ports.

Apart from basic network conversations seen within the RSPAN-sourced frames – for example: “this user is definitely talking to this server,” refrain from making any conclusions as to the performance occurring on those conversations. If you have any alternative means of getting the limited answers that RSPAN can provide by all means use them prior to resorting to RSPAN.

Jenny Wilson – Sniffer Expert, Network Expert, Consultant and Trainer

Excellent article Tim! When it comes to RSPAN, if we're not aware of the risks and disclaimers, we can unwittingly sabotage ourselves - either causing additional problems, or spending months troubleshooting a problem that could have been solved in a few minutes with accurate information.

Tony Fortunato - Network Performance Consultant, Certified Wireshark and Fluke Networks instructor with over 15 years experience

Tim you are right on as there are many problems with SPAN and RSPAN! I’ve personally experienced when spanning a server port and capturing from the client’s computer creates duplicate packets and cause false positives. I have seen cases where the worst case scenario involves technician blindly spanning multiple ports or an entire VLAN causing significant switch performance degradation and possible complete switch failure. I’ve been onsite where arguments leading to physical threats between the IDS group who needs the SPAN port and the Network Technician who wants to use the same port for his troubleshooting. Full and direct access is always best!

Richard Bejtlich - Founder of TaoSecurity and author of many security books including Tao of Network Security Monitoring and Extrusion Detection

This is the simplest way for me to compare SPAN ports to taps: a SPAN port is a girlfriend, but a tap is a wife. It takes a real level of institutional commitment to install a tap, and the rewards are long-lasting. A SPAN port is a temporary fling subject to break-up (i.e., deactivation). Furthermore, I really liked [Tim's] emphasis on SPAN configuration as a change that must be allowed by the change control board in any semi-mature IT shop. The only CCB action needed for a tap is the initial installation. Any change to a SPAN port configuration should be authorized by the CCB.

To SPAN or to TAP – That is the question!

Until the early 1990s, using a TAP (test access point) from a switch patch panel was the only way to monitor a communications link. Most links were WAN, so an adaptor like the V.35 adaptor from Network General, or an access balun for a LAN, was the only way to access a network. Most LAN analyzers had to join the network to really monitor.

As switches and routers developed, a technology we call SPAN ports or mirroring ports emerged, and monitoring was off and running. Analyzers and monitors no longer had to be connected to the network; engineers would use the SPAN (mirror) port to direct copies of packets from their switch or router to the test device for analysis.

SPAN generally stands for Switch Port for Analysis, and it was a great way to effortlessly and non-intrusively acquire data for analysis. By definition, a SPAN port usually indicates the ability to copy traffic from any or all data ports to a single unused port, while usually disallowing bidirectional traffic on that port to protect against backflow of traffic into the network.


Is a SPAN port a passive technology? No!

Some call the SPAN port a passive data access solution, but passive means “having no effect”, and spanning (mirroring) does have a measurable effect on the data.

First, spanning or mirroring changes the timing of the frame interaction (what you see is not what you get).

Second, the spanning algorithm is not the primary function of the device, unlike switching or routing, so spanning is not the first priority; if replicating a frame becomes a problem, the hardware will temporarily drop the SPAN process.

Third, if the SPAN port becomes overloaded, frames are dropped.

Fourth, proper spanning requires that a network engineer configure the switches properly, which takes time away from the more important tasks network engineers have, and configurations can often become a political issue (constantly creating contention between the IT team, the security team and the compliance team).

Fifth, the SPAN port drops all packets that are corrupt or below the minimum size, so not all frames are passed on. All of these events can occur without any notification to the user, so there is no guarantee that one will get all the data required for proper analysis.

In summary, the fact that the SPAN port is not a truly passive data access technology, or even entirely non-intrusive, can be a problem, particularly for data security compliance monitoring or lawful intercept. Since there is no guarantee of absolute fidelity, it is possible or even likely that evidence gathered by this monitoring process will be challenged in a court of law.

Is a SPAN port a scalable technology? No!

When we had only 10 Mbps links and a robust switch (like one from Cisco), one could almost guarantee seeing every packet going through the switch. With a 10 Mbps link fully loaded at around 50% to 60% of maximum bandwidth, the switch backplane could easily replicate every frame. Even with 100 Mbps one could be somewhat successful at acquiring all the frames for analysis and monitoring, and if a frame or two here and there were lost, it was no big problem.

This has all changed with Gigabit and 10 Gigabit technologies, starting with the fact that maximum bandwidth is now twice the base bandwidth: a full-duplex (FDX) Gigabit link carries up to 2 Gigabits of data, and a 10 Gigabit FDX link up to 20 Gigabits of potential data.

No switch or router can handle replicating/mirroring all this data in addition to its primary job of switching and routing. It is difficult, if not impossible, to pass all frames (good and bad ones), including FDX traffic, at full line rate in real time at non-blocking speeds.

Furthermore, in addition to this FDX need we must also consider VLAN complexity and the difficulty of finding the origin of a problem once the frames have been analyzed and a problem detected.

From Cisco’s own white paper on SPAN port usability and using the SPAN port for LAN analysis

Cisco warns that “the switch treats SPAN data with a lower priority than regular port-to-port data.” In other words, if any resource under load must choose between passing normal traffic and SPAN data, the SPAN loses and the mirrored frames are arbitrarily discarded. This rule applies to preserving network traffic in any situation. For instance, when transporting remote SPAN (RSPAN) traffic through an Inter Switch Link (ISL), which shares the ISL bandwidth with regular network traffic, the network traffic takes priority. If there is not enough capacity for the remote SPAN traffic, the switch drops it. Knowing that the SPAN port arbitrarily drops traffic under specific load conditions, what strategy should users adopt so as not to miss frames? According to Cisco, “the best strategy is to make decisions based on the traffic levels of the configuration and when in doubt to use the SPAN port only for relatively low-throughput situations.”
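The strategy quoted above, deciding on the basis of traffic levels, is a sizing calculation that is worth doing before a session is configured. The following is an added example, not from the article or from Cisco: it adds up the traffic each mirrored source port would offer (both directions of a full-duplex link when both are mirrored) and compares it with what the destination port can carry. The SourcePort class, the interface names and the utilisation figures are constructed; in practice the utilisation would come from interface counters or SNMP.

```python
"""Pre-flight sizing check for a SPAN session.

Added example with constructed port figures. Interface names are
illustrative only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SourcePort:
    name: str
    speed_mbps: int          # link speed per direction
    rx_util: float           # average ingress utilisation, 0.0..1.0
    tx_util: float           # average egress utilisation, 0.0..1.0
    direction: str = "both"  # which side is mirrored: "rx", "tx" or "both"


def offered_load_mbps(ports, peak_factor=1.0):
    """Traffic the session would try to push into the destination port.

    A full-duplex link mirrored in both directions offers up to twice its
    nominal speed. peak_factor scales the averages up to the burst level
    you expect, because counter averages hide microbursts, and it is the
    bursts that overflow the destination port.
    """
    total = 0.0
    for p in ports:
        if p.direction not in ("rx", "tx", "both"):
            raise ValueError(f"{p.name}: direction must be rx, tx or both")
        if p.direction in ("rx", "both"):
            total += p.speed_mbps * p.rx_util
        if p.direction in ("tx", "both"):
            total += p.speed_mbps * p.tx_util
    return total * peak_factor


def span_check(ports, dest_speed_mbps, peak_factor=1.0):
    """Return the oversubscription ratio and the share of mirrored traffic
    the destination port cannot carry (the frames the switch would discard
    without telling anyone).
    """
    offered = offered_load_mbps(ports, peak_factor)
    ratio = offered / dest_speed_mbps
    drop = max(0.0, 1.0 - dest_speed_mbps / offered) if offered > 0 else 0.0
    return {
        "offered_mbps": offered,
        "oversubscription": ratio,
        "est_drop_fraction": drop,
        "fits": ratio <= 1.0,
    }


# Constructed: two server-facing gigabit ports, about 60% busy each way,
# both mirrored in both directions into a single gigabit destination port.
BUSY = [
    SourcePort("Gi1/0/1", 1000, 0.60, 0.60),
    SourcePort("Gi1/0/2", 1000, 0.60, 0.60),
]
# Constructed: one lightly used uplink, ingress side only.
LIGHT = [SourcePort("Gi1/0/24", 1000, 0.30, 0.10, direction="rx")]

if __name__ == "__main__":
    for label, ports in (("busy servers", BUSY), ("light uplink", LIGHT)):
        result = span_check(ports, dest_speed_mbps=1000, peak_factor=2.0)
        print(f"{label}: offered {result['offered_mbps']:.0f} Mbps, "
              f"oversubscription {result['oversubscription']:.2f}x, "
              f"est. drop {result['est_drop_fraction']:.0%}, "
              f"fits={result['fits']}")
```

The two busy ports alone offer 2.4 Gbps to a 1 Gbps destination, so roughly 58% of the mirrored frames would be discarded even at average load, which is the situation the Cisco quotation describes. The light, ingress-only session fits with room for bursts, which is the "relatively low-throughput" case the quotation recommends.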

Hubs? How about them?

Hubs can be used for 10/100 access, but they have several issues that one needs to consider. Hubs are really half-duplex devices and only allow one side of the traffic to be seen at a time. This effectively reduces the access to 50% of the data.

The half-duplex issue often leads to collisions when both sides of the network try to talk at the same time. Collision loss is not reported in any way, and the analyzer or monitor does not see the data.

The big problem is that if a hub goes down or fails, the link it is on is lost.

Hubs no longer fit as an acceptable, reliable access technology for the reasons above; they do not support Gigabit or faster access and should not be considered.

Today’s “REAL” Data Access requirements

To add more complexity and challenges to the SPAN port as a data access technology:

1) We have entered a much higher utilization environment, with many times more frames in the network;

2) We have moved from 10 Mbps to 10 Gbps full duplex; and

3) We have entered the era of data security legal compliance and lawful intercept, which requires that we monitor all of the data and not just “sample” it, with the exception of certain very focused monitoring technologies (e.g., application performance monitoring).

These demands will continue to grow, since we have become a very digitally focused society. With the advent of VoIP and digital video we now have revenue-generating data that is connection-oriented and sensitive to bandwidth, loss and delay. The older methods need reviewing, and the added complexity mentioned above requires that we change some old habits to allow for “real” 100% full-duplex, real-time access to the critical data.

In summary, being able to provide “real” access is not only important for data compliance audits and lawful intercept events; it is the law (keeping our bosses out of jail has become a very high priority these days).

When is SPAN port methodology “OK”?

Many monitoring products can and do successfully use SPAN as an access technology, since they are looking for low-bandwidth application-layer events such as “conversation analysis” and “application flows”, or for access to VoIP reports from call managers, etc.

These monitoring requirements use a small amount of bandwidth, and grooming does not affect the quality of the reports and statistics. The reason for their success is that they keep within the parameters and capability of the SPAN port, and they do not need every frame for their reporting and analysis. In other words, the SPAN port is a very usable technology if used correctly, and the companies that use mirroring or SPAN successfully are using it with a well-managed and tested methodology.

Conclusion

Spanning (mirroring) technology is still viable for some limited situations, but as one migrates to FDX Gigabit and 10 Gigabit networks, and with the demand to see all frames for data security compliance and lawful intercept, one must use “real” access (tap) technology to fulfil the demands of today’s complex analysis and monitoring technologies.

If the technology demands are not enough, consider that network engineers can then focus their infrastructure equipment on switching and routing rather than spending their valuable resources and time setting up SPAN ports or rerouting data access.

In summary, the advantages of Taps compared to SPAN ports are ...

• Taps do not alter the time relationships of frames (spacing and response times), which is especially important for VoIP and Triple Play analysis, including FDX analysis.

• Taps do not introduce any additional jitter or distortion which is important in VoIP / Video analysis.

• VLAN tags are not normally passed through the SPAN port, which can lead to false issues being detected and difficulty in finding VLAN issues.

• Taps do not groom data, nor do they filter out physical-layer errored packets.

• Short or large frames are not filtered.

• Bad CRC frames are not filtered.

• Taps do not drop packets, regardless of the bandwidth.

• Taps are not addressable network devices and therefore cannot be hacked.

• Taps have no setup or command-line issues, so getting all the data is assured, and this saves users time.

• Taps are completely passive and do not cause any distortion even on FDX and full bandwidth networks. They are also fault tolerant.

• Taps do not care whether the traffic is IPv4 or IPv6; they pass all traffic through.
RAID 5 and a hot spare with IBM
07 Oct 2008
The intention was to build a server with 5 disks, 4 of which would form a RAID 5 and the remaining one would serve as a hot spare. To create all this we did it as follows: booting from the server RAID CD, creating the RAID 5 but with the last 4 disks, with the hot spare being the 1st; otherwise, it does not work.
Pfsense Multiwan
26 Jul 2008
Greetings *,
I am trying to install a Linux router (Pfsense) with multiple-WAN capability. Pfsense is easy to install and has an attractive web interface. I successfully connected two DSL lines and it works, but when I disable one of them, the user loses connectivity. If anyone has done this configuration successfully, I would very much appreciate your comments.
Restore X
14 Apr 2008
I connected a monitor to a machine and, on rebooting, there was no graphical environment and it gave some errors when trying to run startx, so to restore xorg.conf I ran
sudo dpkg-reconfigure -phigh xserver-xorg
and I had the graphical environment back.
GRUB Error 17
14 Apr 2008
I added a FAT partition to the disk with Partition Magic (there was already one with Windows and another with Ubuntu) and after applying the change, and a few warnings from Partition M., on rebooting the machine GRUB error 17 appeared, and this prevented booting any OS on the machine.
There is an .iso called "Supergrub" that let me boot Windows, but not Ubuntu.
I was able to boot the latter by editing the entry and indicating that the boot partition is now not hd0,5 but hd0,6, and that the disk is not sda6 but sda7. The catch is that I have to do this every time I turn on the machine. When I solve this, I will publish the solution.