vlan question

Status
Not open for further replies.

darkpaw (Programmer, CA), Jan 29, 2004
Hi, all. I'm new to VLANs, and know very little about them. I need some help. I have a Cisco 2950 switch, and need to find a way to write a program (preferably in Perl) to knock an IP on the switch into a private VLAN so that it can't access anything. The ultimate goal, actually, is to have it knocked into a private VLAN, have no access other than to a single machine running Apache and have it pop a message up on the user's screen.

Things I need:
1. an API to access the 2950. I emailed Cisco, but haven't heard anything back. Ideas on where I'd get this?
2. some training on VLANs. :) That's why I'm here. I'm hoping there's enough experts here that can give me some pointers on this.

I have a "basic" understanding of it. It's a group of machines lumped together, though not necessarily on the same subnet (like it can span parts of multiple Class-C networks together), and these are grouped into the ports on the switch. Is this fairly close?

If so, then how can an IP address be put into a single one? From everything I can find in Cisco's documentation, it tells about moving them around on the switches, spanning them to alternate ports, but nothing on how to add specific IP ADDRESSES to one (a VLAN). How can I do this?

Any help on getting me going on this would be MUCH appreciated....
 
First off... What are you trying to do? You can do a lot of different things with the 2950 switch, whether it's a secured port, voice port, vlan, etc.

Basically what VLANs do is segment the network into multiple broadcast domains. A HUB is one broadcast domain (one segment), and a switch with VLAN support can have many broadcast domains.

Say a switch has two VLANs and ports 1-10 are on vlan1 and ports 11-24 are on vlan2. Ports 1-10 can only talk with ports 1-10 because those are all the ports they can broadcast to (it's how Ethernet works). Port 1 couldn't talk directly to port 24, because they are on two different broadcast domains. It's like having two physical hubs.

If you want the vlans to be able to talk to each other, you'll need a router or a layer3 route module. The router will have interfaces in both broadcast domains and know how to route data between them.

Basically the subject gets pretty deep, so we really need to know what you are trying to do first.
 
What I'm trying to do is write a program (Perl) so that if a machine exceeds a certain amount of bandwidth (calculated with another program; the program I'm writing will be spawned from that one), it will kick that user into a private VLAN (i.e. can't do anything on the network, I'm hoping).

I know the first thing I'll need is an API to interact with the 2950. Then I need a way to find out which port the user's IP address is using (which I assume will be tricky, since switches are based on layer2 and the IP I'll need to find is in layer3). I already know the commands on the 2950 to create the new VLAN, and to move a port into it, but without an API and knowing how to track down the IP I'm stuck.

Please help... :)
 
As far as I know cisco doesn't have an API. But I can be wrong. Everything is done via command line or a web interface. And as far as I know the web interface just opens a session to the switch and dumps command line commands.

My question is why would you need to isolate a port when it exceeds bandwidth. A switch is not a shared medium; every port is bridged. The other question is how will you handle layer 3. Once you change the VLAN you need some layer-3 device connected to it so that it can communicate.

I think you may want to do A LOT more research before you begin this project.
 
You could just use traffic shaping to limit bandwidth for a given IP address.
 
Thanks Baddos. Didn't know you could do traffic shaping on a 2950. I'll have to check that out.
 
You can't... You would do it on your router. I don't think you care about how much bandwidth the user is using on the switch.
 
The specific reason isn't really important, the fact is that I'm trying to do it.

Is there a way to find out a layer-3 IP address that is being used on a port?

I think I found a way around needing an API, as you can just telnet to the switch; so I can just use the telnet Perl module to accomplish that.

So the only thing I really need to know is:

How can I tell which IP address(es) are on each port?

On HP ProCurves, there's a way to tell both the MACs and IPs that are on a particular port. Can you do this on a Cisco 2950?
 
The "show mac-address-table" command will display the MAC addresses on a per-port basis, but the switch doesn't care about IP addresses. Your switch is a layer-2 switch, and doesn't care about layer 3 (the whole "let the upper layer care about it" OSI model).
 
You can use "sho ip arp A.B.C.D" to get the MAC address and then plug that address into "sho mac address-table | include <MAC Addr>" to get the interface it is on.

Dan
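The two-step lookup Dan describes (ARP cache for IP to MAC, then the switch's MAC table for MAC to port) is the part the original poster would have to script. The following Python is an added example, not code from this thread or from Cisco; the poster wanted Perl, but the parsing logic is the same. It works on constructed sample output in Cisco IOS format, and it assumes that "show ip arp" is run on the router or layer-3 interface that serves the VLAN (as the previous reply notes, a layer-2 2950 does not track host IPs) and that Gi0/1 is an uplink. The uplink set and the quarantine VLAN number 999 are assumptions for the example. The practical check it adds is refusing to act on a port where the MAC was learned through an uplink, because moving a trunk port would isolate every host behind it rather than the one offender.

```python
import re

# Constructed sample output in Cisco IOS format (not captured from a real device).
# "show ip arp" comes from the router/layer-3 interface serving the VLAN;
# a layer-2 switch like the 2950 only learns MAC addresses, not host IPs.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0011.2233.0001  ARPA   Vlan1
Internet  10.1.1.25               3   0011.2233.4455  ARPA   Vlan1
Internet  10.1.1.26              12   0011.2233.aabb  ARPA   Vlan1
"""

# "show mac address-table" from the access switch (also constructed).
SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Fa0/7
   1    0011.2233.aabb    DYNAMIC     Gi0/1
   1    0011.2233.ccdd    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 3
"""

# Assumption: Gi0/1 is the uplink towards the router. A MAC learned there lives
# behind another switch, so moving Gi0/1 would cut off everyone, not one host.
UPLINK_PORTS = {"Gi0/1"}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC + r"\s+ARPA\s+\S+", re.I)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.I)


def parse_arp(text):
    """Map IP address -> MAC (lower-case dotted form) from 'show ip arp' output."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def parse_mac_table(text):
    """Map MAC -> (vlan, port) from 'show mac address-table' output."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            table[m.group(2).lower()] = (int(m.group(1)), m.group(3))
    return table


def locate_ip(ip, arp_text, mac_text, uplinks=UPLINK_PORTS):
    """Resolve an IP to the switch port its MAC was learned on.

    Raises LookupError when the IP is absent from the ARP cache or its MAC has
    not been learned (aged out, host silent, or attached to a different switch).
    """
    mac = parse_arp(arp_text).get(ip)
    if mac is None:
        raise LookupError(f"{ip} not in ARP cache")
    entry = parse_mac_table(mac_text).get(mac)
    if entry is None:
        raise LookupError(f"{mac} not in MAC address table")
    vlan, port = entry
    return {"ip": ip, "mac": mac, "vlan": vlan, "port": port,
            "edge": port not in uplinks}


def quarantine_commands(location, quarantine_vlan):
    """IOS commands that move an edge port into the quarantine VLAN.

    Refuses uplink ports so an automated script never isolates a trunk.
    """
    if not location["edge"]:
        raise ValueError(f"{location['port']} is an uplink; refusing to move it")
    return [
        "configure terminal",
        f"interface {location['port']}",
        f"switchport access vlan {quarantine_vlan}",
        "end",
    ]


if __name__ == "__main__":
    loc = locate_ip("10.1.1.25", SHOW_IP_ARP, SHOW_MAC_TABLE)
    print(loc)
    print("\n".join(quarantine_commands(loc, 999)))
```

In use, the two text blobs would be the output captured over the telnet session the poster mentions; everything after that is pure parsing, so the script can be tested offline against saved output before it is ever pointed at a switch. Note that a MAC table entry is only present while the host is actively sending, so a failed lookup should be treated as "not found right now" rather than as an error in the data.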
 
Couldn't you use SNMP to monitor the traffic on the ports, and if one exceeds the threshold then send a shutdown command to that port?

Trying to manipulate this at layer-3 with moving someone to another vlan seems a bit over complicated to me. But it depends upon your reasons.
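The SNMP approach above polls the per-port byte counters (ifInOctets/ifOutOctets in the IF-MIB) and compares the rate between two polls with a threshold. The following Python is an added example, not code from this thread; it uses constructed counter samples rather than a live SNMP query, so it runs offline, and the port names and threshold are assumptions. The detail it demonstrates is the one that trips up a naive threshold script: the 32-bit counters wrap at 2^32, so a later sample can read lower than the earlier one and must be corrected modulo 2^32, and the poll interval has to be short enough that a counter cannot wrap more than once between polls.

```python
# Counter32 octet counters (RFC 2863 ifInOctets/ifOutOctets) wrap at 2^32.
COUNTER32_BITS = 32


def rate_bps(prev_octets, cur_octets, interval_s, counter_bits=COUNTER32_BITS):
    """Bits per second between two octet-counter samples taken interval_s apart.

    A sample taken after the counter wrapped reads lower than the previous one,
    so a negative delta is corrected by adding 2^counter_bits.
    """
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    delta = cur_octets - prev_octets
    if delta < 0:
        delta += 2 ** counter_bits
    return delta * 8 / interval_s


def max_safe_interval_s(link_bps, counter_bits=COUNTER32_BITS):
    """Longest poll interval at which a counter cannot wrap twice unseen at line rate.

    Polling less often than this makes the wrap correction ambiguous.
    """
    return (2 ** counter_bits) * 8 / link_bps


def ports_over_threshold(samples, threshold_bps):
    """Return {port: bps} for ports whose rate exceeds threshold_bps.

    samples: {port: ((t0, octets0), (t1, octets1))} with t in seconds.
    """
    offenders = {}
    for port, ((t0, octets0), (t1, octets1)) in samples.items():
        bps = rate_bps(octets0, octets1, t1 - t0)
        if bps > threshold_bps:
            offenders[port] = bps
    return offenders


# Constructed samples (not real device readings). Fa0/7 has just wrapped its
# counter and is nearly idle; Fa0/8 is saturating a 100 Mbit/s link.
SAMPLES = {
    "Fa0/7": ((100.0, 4294966296), (110.0, 1500)),
    "Fa0/8": ((100.0, 1_000_000), (110.0, 126_000_000)),
}

if __name__ == "__main__":
    print("poll no slower than every %.0f s on a 100 Mbit/s link"
          % max_safe_interval_s(100_000_000))
    for port, bps in ports_over_threshold(SAMPLES, 50_000_000).items():
        print(f"{port}: {bps / 1e6:.1f} Mbit/s over threshold")
```

On a 100 Mbit/s port a 32-bit counter can wrap in under six minutes, so a script that polls every ten minutes will silently under-count heavy users; on faster links the 64-bit ifHCInOctets counters are the usual answer. Whatever action follows (the port shutdown suggested here or the VLAN move discussed earlier), it should key off a sustained rate over several polls rather than a single sample, otherwise one large file transfer is enough to trip it.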
 