Tuesday, January 23 2007, 12:21 PM

A few weeks ago, I picked up a couple old Cisco 2924XL switches from the MSU surplus store. It was my goal to use them to learn more about the inner workings of Cisco equipment, since our core network at work is comprised exclusively of Cisco equipment. I attempted this once before a few years back, but the switch model I purchased was too old and didn't support IOS - Cisco's Internet Operating System that runs on most of its modern switches/routers - so I wasn't able to achieve my goals. These switches do run IOS, albeit an old version.

Getting them configured really wasn't that hard. It seems that the knowledge that I gleaned from what I've done at work so far was enough to get the basic configuration in place. I ran into a few headaches with what I thought should work compared with what was actually possible, but that was due to a combination of the switch specs and the old IOS image. At work, we have things segregated into many VLANs, and the switch acts as a layer3 gateway for all machines that 'reside' in the VLANs provided by that switch. I was trying to duplicate that with my switches for practice, but no matter what I tried, I could only get one VLAN (VLAN1) to route an IP. I thought it was probably the old IOS image, so I tried to hit Cisco's site to grab a newer image. Unfortunately for me, Cisco's website sucks, and I wasted hours going in circles on their site before learning from someone else that you can't download Cisco software images without a support contract. It would have been nice to see that somewhere in the download area, but no, they'd rather send people in and endless loop of "failed" logins. Grrr.

I was able to pull a few strings and acquired the newest IOS image from a friend who has access to Cisco's software download site. I had the same difficulty after I upgraded the software image, but the error message I got from the newer IOS version proved helpful in isolating the cause. Those switches don't have the capability to run with more than one virtual MAC address, so only one VLAN can be routed with an IP at a time. Once I realized this, I took down the VLAN interface I didn't want to use, an configured the VLAN I did want to use, and everything was peachy. I'm thinking that the same technique would have worked with the old IOS image, but since I don't feel like downgrading, I won't know for sure.

With my new Cisco goodness in place, I was able to play with something I thought up a while back. I bought a few Linksys WRT54GL wireless routers earlier on in the summer, and flashed them with OpenWRT to get Linux on them in a form that I could manipulate. I thought it would be cool to set one of them up in a way that would mimic the networking configuration of my router machine, which has four ethernet interfaces for keeping various parts of my network segregated. Using VLANs, this was possible to replicate in the WRTs. The onboard switch can do VLAN tagging and trunking at a per-port level, so it's possible to replicate the multiple interfaces using seperate VLANs instead of seperate physical interfaces. I was able to replicate the networking for my setup after a good amount of trial and error, with one port allocated for each of the three internal subnets and one for the internet. That left one additional port, which i set up as a trunked port that could carry all VLANs to another VLAN-aware device. Too bad I didn't have any other VLAN-aware devices. After the initial success, I just let it sit.

Well, now I do have some VLAN-aware devices, so I've resumed my experimenting. The VLAN system I set up in the WRTs worked perfectly after I ws able to get over some internal problems in the OpenWRT networking scripts that kept me from using VLANs greater than 9. During some tinkering yesterday, I found that the WRTs can be set into monitor mode without affecting their capability as access points, which allows for the WRTs to function as Kismet drones at the same time as they're functioning as access points. In a corporate setting, this would be a great feature for the security staff. While providing wireless access for employees of the company, the security staff could use Kismet (or another utility) to "patrol" for people that shouldn't be entering the network. I don't have much use for it really, but it is kinda neat to see the various other wireless networks that are in range of my apartment.

cisco kismet networking openwrt vlan wrt54g

Comments

Add a comment

Related Reading - cisco  kismet  networking  openwrt  vlan  wrt54g