I was gonna write a tut on this but found out I would have been copying too much info and not
writing it myself.
This little thread will give you a list of all known error codes. I'll include sources and program link at
the bottom.
The Program "Error Messages for Windows" written by Gregory Braun is where this info came from.
cheyenne1212
Net use
Syntax
Parameters
\\ComputerName\ShareName : Specifies the name of the server and the shared resource. If
ComputerName contains spaces, use quotation marks around the entire computer name from the
double backslash (\\) to the end of the computer name (for example,
"\\Computer Name\Share Name"). The computer name can be from 1 to 15 characters long.
Password : Specifies the password needed to access the shared resource. Type an asterisk (*) to
produce a prompt for the password. The password is not displayed when you type it at the password
prompt.
/user : Specifies a different user name with which the connection is made.
DomainName : Specifies another domain. If you omit DomainName, net use uses the domain you are
currently logged on to.
DottedDomainName : Specifies the fully-qualified domain name for the domain where the user
account exists.
/smartcard : Specifies the network connection is to use the credentials on a smart card. If multiple
smart cards are available, you are asked to specify the credential.
/delete : Cancels the specified network connection. If you specify the connection with an asterisk
(*), all network connections are canceled.
/persistent:{yes | no} : Controls the use of persistent network connections. The default is the setting
used last. Deviceless connections are not persistent. Yes saves all connections as they are made,
and restores them at next logon. No does not save the connection being made or subsequent
connections. Existing connections are restored at the next logon. Use /delete to remove persistent
connections.
net help command : Displays help for the specified net command.
Remarks
• Use net use to connect to and disconnect from a network resource, and to view your current
connections to network resources. You cannot disconnect from a shared directory if you use it as
your current drive or an active process is using it.
• After you install and run Client Service for NetWare, you can connect to a NetWare server on a
Novell network. Use the same syntax that you use to connect to a Windows Networking server,
except you must include the volume to which you want to connect.
• If the ServerName that you supply contains spaces, use quotation marks around the text (that is,
"Server Name"). If you omit the quotation marks, an error message appears.
Examples
To assign the disk-drive device name E: to the Letters shared directory on the \\Financial server,
type:
To assign (map) the disk-drive device name M: to the directory Mike within the Letters volume on
the \\Financial NetWare server, type:
To connect the user identifier Dan as if the connection were made from the Accounts domain, type:
To restore the current connections at each logon, regardless of future changes, type:
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/3629c5ba7f960ac7/1812f19f4c341334?hl=en
Newsgroups: microsoft.public.windows.server.sbs
From: "TK - M/T Box Computers"
Date: Tue, 16 Aug 2005 12:51:13 -0500
Subject: Login Script Sample for Newbies

Because there have been various requests for login script help, I wanted to post something that
may help those who aren't so familiar with writing a batch file or login script.

DISCLAIMER: I'm not an instructor, I haven't written any books, I don't write code for a living, and
there may be other ways to accomplish the same thing as I have written. This is intended to help
others, so please keep your opinions to yourself unless you have something constructive to add that
will benefit others. Additionally, this example script is intended for tutorial purposes and will need
to be 'tweaked' to suit your environment. I take no responsibility for the use of this script in a
production environment.

NOTES: There are tremendous amounts of information on the Internet and in books on how to write
scripts, what good practices are, and what variables can be used in a login script (batch file). This
should be enough to get the average person going in short order. If anything is unclear, or if you
have questions, please post them. Remember, you will need to modify this script for your server
name, network share names, drive letters you require, printer names, etc.

Okay, with BS out of the way, let's get going. First, you can find your default login script by
clicking Start - Run, typing \\ServerName\netlogon, and clicking OK. This will open a folder with a
batch file called SBS_LOGIN_SCRIPT.bat. Using Notepad, WordPad, or your favorite text editor, open
this file (note: you should be able to right-click the file and select Edit from the context menu).
This file generally includes only one line, used for SBS client setups. Do not remove this line! It
can be moved around within the script, but leave it intact. If you don't already know it, this line
will tell you the name of your server.

Now, following will be a clean version of my sample login script followed by a sample with notes.
My notes will start with "Note:" to help you distinguish the difference. If this helps
Enjoy!
-TK
M/T Box Computers
@echo off
rem ==================================================
rem
rem Title: Login Script
rem Author: Your Name
rem Date: Self-explanatory
rem Description: Network Login Script
rem
rem ==================================================
:SBS_SETUP
rem Default sbs2k3 client setup
\\ServerName\Clients\Setup\setup.exe /s ServerName
:MAPDRIVES
rem Connect network drives
:PRINTERS
rem Connect network printers
net use lpt1: \\ServerName\Printer1ShareName /persistent:no
net use lpt2: \\ServerName\Printer2ShareName /persistent:no
:END
Note: The word 'REM' is a way to add a remark to your batch file (login
script). It is a good idea to use remarks throughout your login script.
This will help later when troubleshooting why the login script is written
the way it is. You should also document dates of changes and why.
Note: The command 'ECHO' can be used to turn display on and off. 'ECHO'
followed by words will display those words on the screen. 'ECHO OFF' will
suppress all display until 'ECHO ON' is issued.
Note: The @ sign in front of 'ECHO OFF' says to not display this line also.
@echo off
rem ==================================================
rem
rem Title: Login Script
rem Author: Your Name
rem Date: Self-explanatory
rem Description: Network Login Script
rem
rem ==================================================
Note: The use of the colon ':' followed immediately by a word designates the
following lines as a section or routine within your script. This allows you
to move back and forth within the login script. This isn't normally
necessary, but I found it helpful to form good script writing habits early
on. A batch file will normally flow from top to bottom executing every line
it comes to that is not a remark line, and that is an actual command. You
can skip sections by using the 'GOTO' command. Often times I will check for
the existence of the drive mappings after they should have completed. If
they do not exist I will send the user to an error message section letting
them know something failed, with instructions to reboot and/or contact their
IT support. If you would like an example of this also, let me know and I
will post it.
:SBS_SETUP
rem Default sbs2k3 client setup
Note: Leave this line intact somewhere near the head of your script. As you
see here, this is the first actual line that executes in this script.
\\ServerName\Clients\Setup\setup.exe /s ServerName
:MAPDRIVES
rem Connect network drives
Note: Tests for and deletes drive mapping if it exists (ensures drive letter
:PRINTERS
rem Connect network printers
Note: This will map your network printers to LPT ports. This is normally
only necessary for older legacy (read: DOS) programs.
Note: Be sure to modify for your correct server name.
net use lpt1: \\ServerName\Printer1ShareName /persistent:no
net use lpt2: \\ServerName\Printer2ShareName /persistent:no
:END
This article walks you through the steps for deploying printer connections to workstations using new
Group Policy capabilities available in Windows Server 2003 R2. This greatly simplifies the
management of printer connections for workstations and can save administrators a lot of time and
effort.
In a previous article titled Managing Printers with Windows Server 2003 R2, we walked through how
to use the new Print Management console that is part of the R2 platform. This console lets you easily
manage printers and print servers from a single, central point of management and can be used to
manage print servers running Windows 2000 Server, Windows Server 2003, Windows Server 2003
R2, and to a limited extent Windows NT 4.0. In that article we saw how to add print servers and
network printers to this console, and how to create and use print filters to get a quick picture of
what's happening with different printers on your network. This is great, but there's another task that
many administrators would love to automate—deploying printer connections to client
computers on their networks. Group Policy seems the natural way to do this, but Windows Server
2003 and earlier have no capability built into Group Policy to deploy printer connections to clients.
So until now, to deploy printer connections using Group Policy you had to use third-party tools like
AutoProf PolicyMaker (note that since I wrote that article, AutoProf has been renamed
DesktopStandard and their PolicyMaker product line has been expanded). Well, with R2 the
capability to deploy printer connections using Group Policy is now present, and this article walks you
through an example of how to do this. Then, once you've deployed printers to clients you can use
Group Policy to manage these printers as described in my two earlier articles here on
WindowsNetworking.com, namely Managing Printers Using Group Policy (Part 1) and Managing
Printers Using Group Policy (Part 2).
Preparing for Deployment
Table 1
Platform        Schema Revision   Schema Version
Windows 2000    (none)            13
                                  30
                                  31
Next, you should have the Group Policy Management Console (GPMC) installed and your Group
Policy infrastructure in place, with Group Policy Objects (GPOs) linked to domains and organizational
units (OUs) in various ways to manage settings for users and computers across your forest. Choose
the GPOs you wish to use to deploy printer connections, or create new GPOs for this purpose and
link them accordingly. Note that you can deploy printer connections two ways: per-user (so that
users have their printers regardless of which computers they use on the network) and per-machine
(all users on the affected machines have access to the same set of printers). Note that per-machine
deployment of printer connections is supported on Windows XP and later. In other words, you can
only deploy printers to Windows 2000 Professional clients on a per-user basis, not per-machine.
For purposes of our walkthrough we'll use the same setup shown in my previous article Managing
Printers with Windows Server 2003 R2 where we installed the Print Management console on BOX161,
an R2-level domain controller in the r2.local domain where there are two other print servers named
BOX162 and BOX163. Here's a figure to get you oriented:
Figure 1: The Print Management Console running on BOX161 shows no deployed printers
Note that nothing currently shows under the Deployed Printers node. The client computer we're
going to deploy a printer to (recall that in Microsoft terminology the word "printer" is short for
"printer connection") is a Windows XP machine named XP191, and the next figure shows the
contents of the Printers and Faxes folder on this machine, which indicates no printers are currently
present:
Now we're ready to begin. Our company has its Sales Department in Vancouver, and Bob Smith is
our Head of Sales there:
The Vancouver OU has a Group Policy Object named SalesGPO linked to it (see next figure) and we'll
use this GPO to deploy the printer connection to Bob:
Open up the Print Management console and select the printer you wish to deploy:
Right-click on Sales Printer 1 and select Deploy With Group Policy from the shortcut menu. This
opens the Deploy With Group Policy dialog box:
Click the Browse button and select the GPO you plan on using to deploy the printer:
Click OK to return to the Deploy With Group Policy dialog box. Now since we only want Bob to be
able to use the printer (and not anyone who might log on to his computer) we'll deploy the printer on
a per-user basis, so select the first checkbox in the dialog box:
Now click the Add button to add the connection settings for Sales Printer 1 to the SalesGPO:
Click OK a few times and you'll now see the printer under the list of deployed printers:
Note that this may seem confusing as the printer hasn't actually been deployed to the client yet,
only deployed to the SalesGPO. We still have to do one more thing: deploy a utility called
PushPrinterConnections.exe to the client computer so the client can process the printer connection
settings that have been added to the SalesGPO. But before we do that, let's make sure that the
connection settings for Sales Printer 1 have been successfully added to the SalesGPO. To do this,
open the SalesGPO in Group Policy Object Editor and look under User Configuration and you'll see a
new Deployed Printers node with Sales Printer 1 visible under it:
Figure 11: Connection settings for Sales Printer 1 have been added to the SalesGPO
The way we'll get the PushPrinterConnections.exe utility onto the client is to add it as a logon script
(if you were deploying a per-machine printer connection you'd use a startup script instead). The
easiest way to do this is using Group Policy as follows. Start by opening the SalesGPO in the Group
Policy Object Editor and navigate to User Configuration, Windows Settings, Scripts (Logon/Logoff) as
shown:
Right-click on the Logon policy in the right-hand pane and select Properties:
Click the Show Files button and copy the file PushPrinterConnections.exe from the
%Windir%\PMCSnap folder into the open policy folder:
Close the policy folder and click the Add button on Logon Properties, and type
PushPrinterConnections.exe into the Script Name field:
Click OK a couple of times. The logon script will be displayed in the policy when it has been
successfully added:
Now all Bob needs to do is log off and then log on again to refresh his per-user Group Policy settings,
and Sales Printer 1 will appear in his Printers and Faxes folder as expected:
Final Tips
If you unlink the SalesGPO or move Bob out of the Vancouver OU, the connection to Sales Printer 1
will disappear from his machine the next time he logs on. And if you want to remove the connection
settings for Sales Printer 1 from the SalesGPO, you can open this GPO using the Group Policy Object
Editor, right-click on Sales Printer 1, and select Remove. It's also useful to know that in Figure 15
above, if you add the parameter -log to the Script Parameters field, you can enable logging
of printer connection deployment to help you troubleshoot when things go wrong. The log files
that are created are %temp%\PpcUser.log for per-user connections and
%Windir%\temp\PpcMachine.log for per-machine connections and are stored on the computer where
the printer connection is being deployed.
Mitch Tulloch is a writer, trainer and consultant specializing in Windows server operating systems,
IIS administration, network troubleshooting, and security. He is the author of 15 books including the
Microsoft Encyclopedia of Networking (Microsoft Press), the Microsoft Encyclopedia of Security
(Microsoft Press), Windows Server Hacks (O'Reilly), Windows Server 2003 in a Nutshell (O'Reilly),
Windows 2000 Administration in a Nutshell (O'Reilly), and IIS 6 Administration (Osborne/McGraw-
Hill). Mitch is based in Winnipeg, Canada, and you can find more information about his books at his
website www.mtit.com
Customizing Right-Click Menu Options in Windows
By John Fitzgibbon
Last updated: Tuesday, April 18, 2006, 11:33 AM PST
Typically, before uploading a HTML page, you will want to view it in both Netscape and Internet
Explorer, and you may wish to make quick edits using, say, WordPad. To make this easier for myself
I have added a "Netscape" and an "Edit" option to the right-click menu for all HTML files, (IE is my
default browser). This means I can open HTML files in Internet Explorer, Netscape or WordPad with
two clicks, instead of dragging files all over the desktop, or opening applications and doing a "File
Open".
For GIFs and JPEGS, I have also added the Netscape option, and I've linked the "Edit" option to my
favorite graphics editing program.
If you want to avoid modifying the registry directly, many of the changes described here can also be
made in Windows Explorer's "Folder Options" menu. To use this approach, double click "My
Computer", select the "Tools" menu, then "Folder Options", then the "File Types" tab. From here, you
can highlight the file type you wish to change, then click the "Advanced" button to change the menu
options that appear for the file type. This won't give you complete control of every option, but it is
probably sufficient for most needs, and it is much less likely to cause problems as a result of
accidental changes to the wrong registry keys.
Note: I stopped using Windows a few years ago, (I switched to Linux), so I'm afraid I no longer offer
help with Windows Registry problems. Please accept this apology if I don't reply to Windows-related
questions.
Question:
"How do I remove unwanted options that appear on right-click menus after installing software?"
In the sample shown, deleting "gvim" will remove the right-click options for the GUI Vim program I
installed. I'd recommend making a back up of the key data in case you want to put it back in later. If
you don't find the correct ContextMenuHandlers item under "*" you could try looking under specific
file extensions. You could also try searching the registry for the text that appears on the menu.
When searching, don't forget to preface any character that is underlined in the menu with an "&".
The ampersand is typically used to identify the character to underline when a menu entry's text is
saved in the registry.
Question:
"Can I add a 'Search' option to Internet Explorer's right-click menu?"
Answer:
I've written a script to do just that: http://www.jfitz.com/tips/search.htm
Question:
"Can I disable [insert menu option here] in Internet Explorer's right-click menu?"
Answer:
Non-standard items can be removed from the MenuExt registry key. This can usually be found here:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
After removing the offending key, restart IE and the menu item should be gone.
With regard to the default behavior of Internet Explorer, (i.e. the menu items that don't appear in
MenuExt) there are a number of restrictions you can place on newer versions of the browser.
One of the best online sources for information about the various options is at:
http://registry.winguides.com/display.php/442/
You can't specifically disable a single menu item, (at least as far as I'm aware -- there may be some
undocumented way around it), but you can make the menu go away completely. This might be
useful for shared machines in a "public" environment, where changes made through the menu,
(such as setting the computer's background from a web image), could be confusing to other users.
Navigate to:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions
Set a DWORD value:
NoBrowserContextMenu = 1
You can also do this just for specific users if you wish. In this case, make the change under
HKEY_CURRENT_USER.
If you export the modified key to a .REG file, (using regedit's export menu option), you can very
quickly copy the change to a number of machines. (.REG files open using regedit when double
clicked and apply the registry changes they contain. The files themselves are simply text files -- you
can verify their contents in notepad or any other editor.)
Search for the program you want to add to the right-click menu
Make a note of the folder where the program is found
Some common programs you might like to use are:
Netscape.exe - Netscape Communicator
IExplore.exe - Internet Explorer
WordPad.exe - WordPad
Select the extension, or extension group you wish to modify - typically, you will
want to modify an extension group, rather than an individual extension
In this example we want to add a "Netscape" option to all .html and .htm files, so
we open the "htmlfile" extension group
Note: we could modify each extension separately if we wished
Change the key name to whatever you wish to appear on the right click menu
Note that in the right hand window the name "Default" and "value not set" appear
Double click on the "Default", (or the small "ab" icon to the left)
This brings up an Edit window which is used to set the default value
Note that the menu options are listed in the order in which they were created
The simplest way to reorder the options is to rename the option that you want to
appear at the end of the list
To rename a menu option, right click on the key in the Registry Editor and select
"Rename"
In the above case, we renamed the "Netscape" option and it now appears below
the "Edit" option
Note that you can remove the menu item by deleting the key in the Registry Editor
The "Delete" option is directly above the "Rename" option
Note that to delete the "Netscape" key, you must first delete its "command" subkey
VLANs on Linux
To begin, we must have a more formal definition of what a LAN is. LAN stands for local area network.
Hubs and switches usually are thought of as participating in a single LAN. Normally, if you connect
two computers to the same hub or switch, they are on the same LAN. Likewise, if you connect two
switches together, they are both on the same LAN.
A LAN includes all systems in the broadcast domain. That is, all of the systems on a single LAN
receive a broadcast sent by any member of that LAN. By this definition, a LAN is bordered by routers
or other devices that operate at OSI Layer 3.
This functionality alone has a variety of uses, but VLANs become far more interesting when
combined with trunking. A trunk is a single physical connection that can carry multiple VLANs. Each
frame that crosses the trunk has a VLAN identifier attached to it, so it can be identified and kept
within the correct VLAN.
Trunks can be used between two switches, between a switch and a router or between a switch and a
computer that supports trunking. When connecting to a router or computer, each VLAN appears as a
separate virtual interface.
When using trunks, it is important to consider that all the VLANs carried over the trunk share the
same bandwidth. If the trunk is running over a 100Mbps interface, for example, the combined
bandwidth of all the VLANs crossing that trunk is limited to 100Mbps.
Advantages of VLANs
VLANs provide a number of benefits to a network designer. The first advantage is the number of
devices required to implement a given network topology can be reduced. Without VLANs, if your
network design requires ten machines divided into five different LANs, you would need five different
switches or hubs, and most of the ports would be wasted. With VLANs, this work could be done with
one device.
Most routers and standard computers can support a limited number of physical network interfaces.
Although dual and quad-port Ethernet adapters are available, these are expensive. For example, a
quad-port Ethernet card may cost $400. VLAN capable switches start at around $500, but they
support many more interfaces.
Depending on the scenario, VLANs and trunks can provide an effective way of segmenting a network
without the expense and complexity of managing many physical interfaces.
Types of Trunks
Several trunk encapsulations are available. Trunks can be carried across a variety of interface types,
but this article deals only with Ethernet. The two main protocols for carrying VLANs over Ethernet
are ISL and 802.1q. ISL was created by Cisco prior to the standardization of 802.1q and is
proprietary. 802.1q, on the other hand, is an open standard and is widely supported. Hereafter,
references to trunking mean 802.1q-over-Ethernet. As a side note, 802.1q is defined on only
100Mbps or higher Ethernet; it does not support 10Mbps.
Trunks using the 802.1q protocol work by adding a 4-byte VLAN identifier to each frame. This is used
on both ends to identify to which VLAN each individual frame belongs. When a switch receives a
tagged unicast frame, it looks up the outgoing port using both the destination MAC address and the
VLAN identifier. When a broadcast frame is received, it is flooded out to all active ports participating
in that VLAN.
When a VLAN-aware router or computer receives a tagged frame, it examines the tag to determine
to which virtual interface the frame belongs. This virtual interface can have an IP address and
behaves basically the same as a normal physical interface.
Some switches have the concept of a native VLAN on a trunk connection. Packets sent out from the
trunk port on this VLAN are untagged. Likewise, untagged packets received on this port are
associated with this VLAN. Native VLANs on both ends of a trunk must match. A native-VLAN
mismatch on the two ends of the trunk causes problems using the native VLAN configured on each
end.
For all the benefits of VLANs and trunking, some risks must be weighed. As opposed to physical
separation between network segments, VLANs rely on the switch to do the right thing. It is possible
that a misconfiguration or a bug could cause the VLAN barriers to be broken.
Two risks are associated with VLANs. In the first, a packet leaks from one VLAN to another, possibly
revealing sensitive information. In the second, a specially crafted packet is injected into another
VLAN. Any attack that could cause the VLAN barriers to break requires a machine directly attached
to the physical network. This means that only a local machine can execute an attack against the
switch.
When the switch is configured properly, the chances of these problems happening are slim, but the
possibility still exists. It is up to you to examine your needs and your security policy to determine if
VLANs are right for you.
It is beyond the scope of this article to describe exactly how to configure your switch securely, but
most vendors provide documentation outlining best practices. Briefly, you should configure at least
the following:
Disable trunking and trunk negotiation on all ports except those absolutely necessary.
Linux has long been able to connect to VLAN trunks with a kernel patch, and the functionality was
integrated into the mainstream kernel in 2.4.14. Kernel 2.6 also supports VLAN trunking.
In order to use 802.1q trunking, simply set the CONFIG_VLAN_8021Q option when configuring your
kernel. Depending on what Ethernet card you have, you may need to patch the driver to make
VLANs work correctly. This process is discussed in greater detail later in the article.
MTU Issues
As mentioned earlier, 802.1q works by tagging each frame with a 4-byte VLAN identifier. However,
some Ethernet drivers assume the maximum frame size is 1,500 bytes. The addition of the 4-byte
tag does not leave as much room for data. Thus, although small packets are sent and received
correctly, large packets fail. The solution is either to drop the MTU of the VLAN device or to correct
the assumptions of the driver.
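As an added illustration (not code from the Linux Journal article), the following Python models the 4-byte 802.1q tag, the native-VLAN handling and the (MAC, VLAN) forwarding lookup described under Types of Trunks, and the MTU problem described just above: all frames are constructed inline, and the 1514-byte "legacy driver" limit and the toy switch tables are assumptions made for the example.

```python
"""Added example: 802.1q tag format, native VLAN, per-VLAN forwarding and the
1500-byte MTU problem. Frames and switch tables below are constructed."""
import struct

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1q-tagged frame
ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14             # dst MAC + src MAC + EtherType
ETH_MTU = 1500               # maximum payload on untagged Ethernet
LEGACY_MAX_FRAME = ETH_HDR_LEN + ETH_MTU   # 1514: the assumption some drivers make (assumed here)
BROADCAST = b"\xff" * 6


def build_frame(dst, src, payload, vlan_id=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Return an Ethernet frame; with vlan_id set, insert the 4-byte 802.1q tag
    (TPID 0x8100 + TCI) between the source MAC and the original EtherType."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)   # 3-bit priority, DEI=0, 12-bit VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def classify_frame(frame, native_vlan):
    """Parse a frame as a trunk port does. Returns (vlan_id, ethertype, payload).
    Untagged frames (and tags carrying VID 0, i.e. priority only) belong to the
    port's native VLAN, which is why native VLANs must match on both ends."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return native_vlan, ethertype, frame[14:]
    if len(frame) < ETH_HDR_LEN + 4:
        raise ValueError("truncated 802.1q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0xFFF
    return (vid or native_vlan), inner_type, frame[18:]


def fits_legacy_driver(frame):
    """True if the frame fits a driver that hard-codes a 1514-byte maximum.
    A tagged frame with a full 1500-byte payload is 1518 bytes and does not."""
    return len(frame) <= LEGACY_MAX_FRAME


def vlan_device_mtu():
    """MTU to set on the VLAN device (the article's first workaround) so that
    tagged frames still fit the driver's assumed 1514-byte limit."""
    return LEGACY_MAX_FRAME - ETH_HDR_LEN - 4   # 1496


def egress_ports(frame, in_port, port_native, fdb, vlan_members):
    """Decide where a switch sends a frame received on in_port.
    port_native: port -> native VLAN; fdb: (dst MAC, vlan_id) -> port;
    vlan_members: vlan_id -> set of ports. Unicast is looked up on BOTH the MAC
    and the VLAN; broadcast, multicast and unknown unicast are flooded only to
    ports in the frame's VLAN, which is what keeps frames inside their VLAN."""
    vid, _, _ = classify_frame(frame, port_native[in_port])
    dst = frame[:6]
    members = vlan_members.get(vid, set())
    if in_port not in members:
        return []                                   # ingress port not in that VLAN: drop
    if dst == BROADCAST or dst[0] & 0x01:           # broadcast or multicast
        return sorted(members - {in_port})
    out = fdb.get((dst, vid))
    if out is None or out == in_port:               # unknown in this VLAN: flood
        return sorted(members - {in_port})
    return [out] if out in members else []
```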
Patches are available on the Linux VLAN Web site for a variety of cards (see Resources). Several
drivers work correctly out of the box (or tar.gz, as the case may be), including the e100 driver for
Intel-based cards.
Configuring VLANs under Linux is a process similar to configuring regular Ethernet interfaces. The
main difference is you first must attach each VLAN to a physical device. This is accomplished with
the vconfig utility. If the trunk device itself is configured, it is treated as native. For example, these
commands define VLANs 2-4 on device eth0:
vconfig add eth0 2
vconfig add eth0 3
vconfig add eth0 4
The vconfig program can set a variety of other options, including device-naming conventions.
Hereafter, these are assumed to be at their defaults.
Once the virtual interfaces are defined, they can be used in the same way as other interfaces. The
standard utilities, such as ifconfig and route, all accept VLAN interfaces and behave as expected. For
example, all VLAN interfaces can be listed with ifconfig -a.
Depending on your distribution, support may be available for automatically configuring VLANs on
startup. Debian 3.0 or greater supports this, but Red Hat and Fedora currently do not. For
other distributions, you simply need to write a script that executes vconfig prior to the main network
startup scripts.
Switch Configuration
Because the configuration interfaces for different brands of switches all are different, the focus of
this section is the common Cisco 2924. All switch configurations are from this model but should work
with little change on other IOS-based switches. A variety of configuration commands are related to
trunking, but only the most basic are covered here. The samples also assume the ports all have a
default configuration. Specifically, this means all ports are configured as access ports in VLAN 1.
This article focuses on the Linux side of the configuration, so only a basic explanation of the switch
commands are given. Listing 1 is a configuration fragment that could be entered into a Cisco
Catalyst 2924 switch. See Resources for URLs to complete documentation of these commands.
The commands here are fairly self explanatory if you are familiar with the VLAN terminology
presented earlier. Briefly, the first section converts the first port into a trunk running 802.1q
encapsulation with native VLAN 1. The second section simply moves port 2 into VLAN 2.
It is important to see how VLANs are configured and operating on the switch. The first task is to see
the status of a particular port. This can be done with the show interfaces switchport command.
Probably the most useful command is the show vlan command. It shows you a table indicating which
ports are in which VLANs.
Example
The best way to see how VLANs work is by example. Imagine you work for Widgets, Inc. There are
about 20 people from several departments working at your location. Ten people work in engineering,
two people are in accounting, five people in sales and three people in marketing. Widgets, Inc.
currently has a flat network, one in which all the machines are on the same LAN. All of these
machines are connected to a Cisco 2924 switch and reside in the 10.0.0.0/24 private network.
To improve security, you have convinced management to let you segment the network. You already
have a Linux firewall running Debian 3.0 facing the Internet, but now you need to extend it to
segment the network. The first snag is you have been given only a minimal budget for the project.
After some consideration, you have decided to separate the inside network into four segments:
Sales & Marketing, Accounting, Engineering and a DMZ for your assorted servers, plus a management
VLAN. The management VLAN has no workstations associated with it and is used only for the switch's
configuration interface.
Your existing firewall cannot accommodate three more physical interfaces. You recently read an
interesting article about how to use VLANs with Linux, which gives you an idea. With VLANs, the new
topology can be implemented with the existing interfaces. In fact, the physical layout of your
network doesn't change at all. Using VLANs adds a management network to the mix, bringing the
total to five.
You also have decided to subnet your existing IP addresses for the new segments. Using a subnet
mask of 255.255.255.224 gives you plenty of IPs for each segment and leaves you several spare
subnets to use later. You already are using DHCP to assign IP addresses, so client reconfiguration is
not an issue.
Preparation
Because the network changes here can cause a loss of connectivity, it is important to have
everything prepared beforehand. Ensure that your firewall meets the prerequisites above. It also is
recommended that you have a serial console connection available before you begin. Obviously,
these kinds of changes should be done after business hours.
Preparation is the most important part of a network project. In this case, it is important to have
everything planned out well in advance. You should have planned out your firewall policy, server
configuration, DNS update and so on. Think about all the functions required for the daily operation of
your network, and consider how the changes described here might affect them. For example,
Firewall Configuration
The first step towards the new network configuration is to establish the trunk between the firewall
and the switch. On Debian, the vlan package contains the required utilities. Most other distributions
also offer a package containing these utilities. Enable 802.1q support (CONFIG_VLAN_8021Q) in your
kernel configuration, then compile and install the kernel as you normally would.
The Debian interfaces file, located in /etc/network/interfaces, provides support for creating VLAN
interfaces. Each interface is defined as normal, with the addition of a vlan_native_interface line. If
your distribution does not support defining VLAN interfaces, you need to have a script define them
before network startup. Listing 4 shows a Debian interfaces file, using DHCP to retrieve the IP for the
outside interface.
If you were using a distribution other than Debian, you could put lines similar to the ones in Listing 5
in a startup script that runs before network configuration.
Once the new interfaces are defined, you can bring them up using ifup . You also need to ifdown and
ifup eth1 to set the correct IP and netmask.
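The Linux side of this procedure, from vconfig through addressing and the MTU decision, as one script. This is an added example, not the article's Listing 4 or 5: the interface name eth1, VLAN 1 as the untagged management VLAN, VLAN IDs 2 to 5 for the four tagged segments, the /27 layout and the router addresses are all assumptions chosen to match the Widgets, Inc. example. Unless RUN=1 is set it only prints the commands it would run, so the plan can be reviewed on a machine without vconfig before the change window.

```shell
#!/bin/sh
# Added example: build the 802.1q sub-interfaces for the Widgets, Inc.
# network with vconfig/ifconfig. Not the article's own listing; the
# interface name, VLAN IDs and addresses below are assumptions.
#
# Layout (assumed): 10.0.0.0/24 split into /27s, one per VLAN:
#   VLAN 1  management       10.0.0.0/27    untagged (native) on eth1
#   VLAN 2  sales/marketing  10.0.0.32/27   eth1.2
#   VLAN 3  accounting       10.0.0.64/27   eth1.3
#   VLAN 4  engineering      10.0.0.96/27   eth1.4
#   VLAN 5  dmz              10.0.0.128/27  eth1.5
# The router takes the first usable address of each block.
#
# Commands are only printed unless RUN=1, so the plan can be checked on
# a box without vconfig.

PHYS=eth1
NETMASK=255.255.255.224
TAGGED_VLANS="2 3 4 5"

router_ip() {               # router_ip <vlan-id> -> first host of that /27
    printf '10.0.0.%d\n' $(( ($1 - 1) * 32 + 1 ))
}

# A tagged frame is 4 bytes longer than an untagged one. For the VLAN
# interfaces to keep a normal 1500-byte MTU the NIC must accept 1504-byte
# frames; if the driver caps it at 1500, the VLAN interfaces have to drop
# to 1496, and every host on those VLANs must use the same value.
vlan_mtu() {                # vlan_mtu <largest-mtu-the-nic-accepts>
    if [ "$1" -ge 1504 ]; then echo 1500; else echo 1496; fi
}

run() {                     # run <cmd...>: execute, or just show, the command
    if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

setup_vlans() {             # setup_vlans <largest-mtu-the-nic-accepts>
    mtu=$(vlan_mtu "$1")
    # Name sub-interfaces eth1.N (no zero padding) so the names are
    # predictable instead of depending on the kernel's default name type.
    run vconfig set_name_type DEV_PLUS_VID_NO_PAD
    # Native VLAN 1 travels untagged on the physical interface.
    run ifconfig "$PHYS" "$(router_ip 1)" netmask "$NETMASK" up
    if [ "$mtu" -eq 1500 ]; then
        run ifconfig "$PHYS" mtu 1504     # room for the 4-byte tag
    fi
    for id in $TAGGED_VLANS; do
        run vconfig add "$PHYS" "$id"
        run ifconfig "$PHYS.$id" "$(router_ip "$id")" \
            netmask "$NETMASK" mtu "$mtu" up
    done
}

# Assume the NIC accepts 1504-byte frames unless told otherwise
# (NIC_MAX_MTU=1500 for a driver that refuses them).
setup_vlans "${NIC_MAX_MTU:-1504}"
```

Run it once without RUN=1 and compare the printed commands against your plan; then RUN=1 applies them. If the driver rejects the 1504-byte MTU, rerun with NIC_MAX_MTU=1500 and expect 1496 on the sub-interfaces.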
Switch Configuration
Before you begin configuration, make sure the IP address of the switch falls within the new
management subnet. The IP configuration is associated with a virtual interface. This is normally
VLAN1.
The firewall is connected to port 1 on the switch, which is referred to as FastEthernet 0/1 in IOS
notation. The first task is to set the encapsulation and native VLAN, then you can enable the trunk.
Once the trunk is active, you need to move ports from the default VLAN into their new one. This is
done by entering the interface configuration and issuing switchport access vlan . Although not
necessary, it is helpful to physically group VLANs to make them easier to manage.
Once your changes are complete, you can see which ports are in which VLAN by using the show vlan
command.
Finishing Up
The first order of business is to test whether you can move packets of all sizes successfully without
MTU issues. Packets above 1,476 bytes should trigger any MTU issue you have. Test this by pinging
from the firewall to a machine on a non-native VLAN with a large payload (ping -s) and the
don't-fragment bit set (ping -M do on Linux), so that fragmentation cannot mask the problem. If small
packets work but large packets do not, you most likely have an MTU issue, typically because the
physical interface's driver cannot send the 1,504-byte frames that a tagged 1,500-byte packet needs.
Because you are using DHCP, you now need to update your dhcpd.conf file to reflect the new
subnets. Once it is restarted, client machines start to receive their new IP addresses.
Without a policy, a firewall is useless. Unfortunately, defining that policy is beyond the scope of this
article. However, a variety of effective tools are freely available for this purpose.
Now that everything is working, we need to make sure the switch's new configuration is written to
memory. This is done from enable mode using the write memory command.
As you can see, VLAN trunking can be a valuable tool. I hope you have learned where it can be
useful, the risks and benefits of using it and the basics of its configuration. Even though this
document focuses on a Cisco 2924 switch, it shouldn't be difficult to translate the configuration here
to any switch that supports 802.1q trunks.
I would like to give special thanks to Cheryl Lehman for helping to make my first article readable and
to Randall Shutt for reviewing the content.
Resources
great article
Submitted by Anonymous (not verified) on Sat, 2006-10-21 12:31.
I cannot view the figures in this article,it would be useful to view them.Has anyone got them
This article exactly hit the nail on the head! I was able to create a "layer 3 switch" with an unused PC
running Linux and an old 3Com SuperStack 3300 switch for our test lab. Surprisingly fast, it's clearly
faster than what I suspected (although certainly not as fast as a real L3 switch).
dear
I did configure the switch to use VLANs and I did connect that switch to a Linux gateway machine.
Must I configure VLANs under the Linux machine also, or just on the switch?
greeting
I ordered it for general networking purposes but I will (in the future) try some VLAN stuff since I want
to separate wireless access to different subnets.
Hi,
Since a switch can have trunk ports that see traffic from all VLANs, is it possible to configure the
interface in Linux to see traffic from all VLANs, kind of like a trunk interface?
Thanks
Yes, it is possible. You will need to enable the 802.1Q option in the kernel, recompile, and install
the vlan package to get the vconfig utility, which enables you to add VLAN interfaces.
VLANs on linux
Submitted by anwar (not verified) on Mon, 2005-09-19 02:22.
Yes, I enabled the 802.1Q option in the kernel, recompiled, and installed the vlan package to get
the vconfig utility, which enables adding VLAN interfaces.
With Rgds
Anwar
VLANs on Linux
Submitted by Anonymous on Wed, 2004-04-28 01:00.
Having no previous knowledge about vlans or switch configuration and being suddenly tasked with
setting up multiple vlans on a switch configured from a single ethernet connection on a debian
system, I found this article invaluable. Thanks.
Thanks
Linux does not support VLANs over anything but physical ethernet cards. No aggregate links or the
bridge device, either of which would be a huge win for building fault tolerant routers.
Hardware VLAN tagging / untagging was not supported last time I checked (huge difference on GbE
or 10GbE)
iptables hasn't figured out quite how to deal with VLANs (although last I heard there was a module in
the works)
What about GVRP? Does the linux vlan implementation include support for GVRP?
use cisco
Still a little cloudy if this is necessary all the time when using all Linux workstations on a network.
For instance, you have two switches linked together to share various VLANS (i.e. VLAN 1 and VLAN 2
have ports on both switches) and you have 2 physical LANs with different network addresses.
Physical LAN 1 is part of VLAN 1 and physical LAN 2 is part of VLAN 2. Both physical lans are
connected to a router (Linux box with 2 Ethernet cards) via the switches. With this setup isn't all this
transparent to the the Linux workstations? If you want to talk to the other VLAN or physical network
it would go to the router. In this scenario you would not need to do all the configuration mentioned
in the article? The reason I ask is that we need to mix and match fiber and copper. The above
scenario would enable us share the switches between the physical LANs. We would not be required
to use two switches for each LAN (one copper one fiber). Also, it would still maintain separate
broadcast domains for the physical LANs. Am I way off base?
I had a 3c905C card on my RH9 Linux box. I made 2 VLANs and HTTP traffic stopped. Before this
everything worked fine. I tried to change cards and so on. I fixed it only when I removed the 3c905
card and installed a DFE-538TX card. It seemed the 3c905 driver has some bugs. I guess it is a bug in
assigning or managing the MTU.
The article states that Red Hat/Fedora does not support VLAN setup on
boot. This is incorrect.
VLAN support has been in Red Hat Linux since version 9 and is included
in Fedora.
For those of you using Red Hat or Fedora, I'm including the configuration for the VLAN2 interface in
the example. This would be placed in the /etc/sysconfig/network-scripts/ifcfg-eth1.2 file.
The RedHat scripts always configure VLAN interfaces using the device and the VLAN ID without
padding, which differs from the article. The interface created above would be eth1.2 rather than
vlan2.
Paul Frieden
Having the eth driver patched to support 1504-byte MTUs, the normal eths had to have their MTU capped
to 1500... To do that, add MTU=1500 to /etc/sysconfig/network-scripts/ifcfg-ethX and MTU=1504 to the
ifcfg-ethX.X file.
my two cents
jason
Namely, details of using iptables with the defined vlan interfaces. Can you treat them as physical
interfaces with iptables? Does each vlan have an INPUT chain? Etc..
- cameron
VLAN interfaces behave exactly as normal physical interfaces do in iptables. You can specify them
for rules as incoming (-i) and outgoing (-o) interfaces.
I haven't had any issues with VLAN interfaces behaving differently than normal interfaces do in
any of my deployments. I do know that in the past there were some issues with DHCP, but I have
never had any problems with it myself.
Paul Frieden
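A worked ruleset for the inter-VLAN routing case this thread keeps returning to, added here as an example rather than taken from the article or from the reply above. It assumes eth1 carries the untagged management VLAN 1, eth1.2 through eth1.5 are the tagged segments, eth0 faces the Internet, and the /27 addressing follows the Widgets, Inc. example; the permitted flows are an illustrative policy, not the article's. The script emits iptables-restore format, so nothing is applied until you feed its output to iptables-restore.

```shell
#!/bin/sh
# Added example: an iptables-restore ruleset for routing between VLAN
# sub-interfaces on the Linux firewall. Not the article's policy; the
# interfaces, subnets and allowed flows below are assumptions:
#   eth0    outside
#   eth1    VLAN 1 management        10.0.0.0/27   (native, untagged)
#   eth1.2  VLAN 2 sales/marketing   10.0.0.32/27
#   eth1.3  VLAN 3 accounting        10.0.0.64/27
#   eth1.4  VLAN 4 engineering       10.0.0.96/27
#   eth1.5  VLAN 5 dmz               10.0.0.128/27
# VLAN interfaces are matched with -i/-o exactly like physical ones.

# Flows opened between segments, one per line: "<in> <out> <proto> <dport>".
# Everything not listed is logged and dropped.
ALLOW='
eth1.2 eth1.5 tcp 443
eth1.3 eth1.5 tcp 443
eth1.4 eth1.5 tcp 22
eth1.5 eth0   tcp 80
eth1.5 eth0   tcp 443
'

subnet_of() {               # subnet_of <iface> -> the /27 behind it
    case $1 in
        eth1)   echo 10.0.0.0/27 ;;
        eth1.*) vid=${1#eth1.}; echo "10.0.0.$(( (vid - 1) * 32 ))/27" ;;
        *)      return 1 ;;                   # eth0: no fixed source range
    esac
}

out() { printf '%s\n' "$1"; }

gen_rules() {
    out '*filter'
    out ':INPUT DROP [0:0]'
    out ':FORWARD DROP [0:0]'
    out ':OUTPUT ACCEPT [0:0]'

    # Traffic to the firewall itself: only the management VLAN reaches ssh.
    out '-A INPUT -i lo -j ACCEPT'
    out '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    out '-A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'

    # Routed traffic: replies to permitted flows first.
    out '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    out '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    # Anti-spoofing: a packet entering on a VLAN interface must carry a
    # source address from that VLAN's own subnet, so a host cannot borrow
    # an address from a more trusted segment.
    for vif in eth1 eth1.2 eth1.3 eth1.4 eth1.5; do
        out "-A FORWARD -i $vif ! -s $(subnet_of "$vif") -j DROP"
    done
    # Explicitly permitted new connections.
    printf '%s\n' "$ALLOW" | while read -r src dst proto port; do
        [ -n "$src" ] || continue
        out "-A FORWARD -i $src -o $dst -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else: rate-limited log, then the chain's DROP policy.
    out '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP "'
    out 'COMMIT'
}

# Usage: gen_rules > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
gen_rules
```

The anti-spoofing rules are the part worth keeping even if you rewrite the rest: once the segments are only virtual interfaces on one router, the source-address check is what stops one VLAN from impersonating another at the firewall.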
Enjoy,
Ben Greear
Excellent article!
I appreciate the info on how to configure the switch to properly trunk to the Linux box as well as the
clear introduction and examples.
I may pull that old 2900 out of the closet and actually play with this.
I'm terribly sorry but this was a crappy article. Understanding how to configure interfaces is done in
two seconds. The MTU issues are a big problem that you wrestle with for much longer. Until recently
(or does it still apply?) you had to patch your Ethernet interface drivers manually in the kernel to
adjust the maximum MTU size.
Also you have to adjust your ruleset to accommodate the larger packets. Then some drivers are buggy.
All this is skimmed through with one sentence that there "could be issues". You might say that, yes.
I disagree with your criticism of the article. He did adequately address the issue of limited/buggy
Linux Ethernet drivers (though a link to a more in-depth resource, perhaps a Wiki page where various
kernel hackers list links to their patches, would be nice).
Noting that some cheap Ethernet equipment might also choke when connected to a trunk line would
be nice, but is also above and beyond the call of this article.
As for how trivial the interfaces are to set up, configure and use --- that's the core of the article. I
teach professional sysadmin courses, and compile kernels for breakfast (well, usually I start them
before I go to bed, actually).
I've been seeing the VLAN 802.1q patch available for years and was vaguely familiar with VLANs
from working alongside Cisco networks on numerous occasions. However, I'd never used the VLAN
features, didn't know about the 'vconfig' command, wouldn't have known that the vlan* interfaces
needed to be bound to their physical interfaces with it, and generally would have had to hunt around
a bit to find that info.
This article introduced the concept well, and gave me enough info that I could fire up an old Cisco
2900 switch I have lying around and play with the functionality with no fuss. (Well, no fussing on
the Linux side; I have no idea what state that 2900 is in and how I would fix it up; it's on permanent
loan from a friend).
It's one of the best articles I've seen recently. I like the fact that he covers the basics of using Cisco
IOS or is it CatOS for the other side of this effort; stressing how the switch must talk to the Linux box
in trunk mode, and giving examples of setting up the other ports as well.
I absolutely agree with the reply to the original post. This was not intended to be an in-depth article
on VLANs but an introductory one to help a user new to VLANs quickly set up to use them. I found it
helpful in answering some questions I had, since this just came up at work, e.g. can I trunk a Linux box
to a Cisco 3550 or do I need to buy another switch.
All in all a great starter article for anyone interested in getting started using vlans. BTW he does
throw in some caveats regarding NIC drivers and MTU.
I understand the benefits of VLANS, but I'm not quite sure what the purpose of configuring VLANS at
Thanks.
We use it for management. The public addresses of our servers only do serving; there is no
management (e.g. ssh) on these addresses. Instead we use a separate LAN for management access.
We could put a separate NIC in each server, but it is much easier to just add a VLAN on eth0.
Our management VLAN is tagged throughout the network, so for me to get access to it, my
workstation needs to support VLANs too. My eth0 is configured like any other user's, but then I also
have an eth0.2 configured, which happens to be our management VLAN.
The switch is configured to allow VLAN 2 only on the switch port where I sit, not on everybody else's.
So normal users simply can't have access to VLAN 2. So there is no way they can even connect to an
open port 22.
Simon
If you want to have a big NFS server directly on two or more subnets (without routing traffic through
the FW)
I personally prefer separated switches or hub when I can --- especially for the DMZ and server room
segments. However, VLANs become important at a certain scale (as do manageable, SNMP switches).
To route packets between VLANs (applying firewall rules in the process). Using virtual interfaces
instead of physical ones is (obviously) a lot cheaper, provided that your switch is intelligent enough.
I have a Linux box and am planning to configure a VLAN .. Please tell me how to configure a VLAN in
that linux box
Indiana University
University Information Technology Services
Indiana University Knowledge Base
When you make a change to a Group Policy Object (GPO), the change takes place on a Windows
2000 domain controller. The change then replicates to all other domain controllers in the Active
Directory. All Windows 2000 computers in Active Directory check for modifications to GPOs at
regular intervals. If there are changes, then they are applied during the next interval.
If you need to apply the change immediately, you can use one of the following commands to trigger
the process:
* To refresh the group policy for the local computer, enter: secedit /refreshpolicy machine_policy
* To refresh the group policy for the user currently logged in, enter: secedit /refreshpolicy
user_policy
These commands compare the currently applied GPO to the GPO located on the domain controllers.
If nothing has changed since the last time the GPO was applied, then the GPO is skipped.
To force a GPO to be reapplied, whether or not changes have been made to the GPO, use the
/enforce switch:
secedit /refreshpolicy machine_policy /enforce
Once Windows 2000 accepts the request, it will display the following message:
"Group policy propagation from the domain has been initiated for this computer. It may take a few
minutes for the propagation to complete and the new policy to take effect. Please check Application
Log for errors, if any."
This information was adapted from article 227448 in Microsoft's knowledge base.
1. Click Start, click Run, type regedit, and then press ENTER.
2. Navigate to the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
3. Right-click the right pane, create a new DWORD value, and then name it EnableBalloonTips.
4. Double-click this new entry, and then give it a hexadecimal value of 0.
5. Quit Registry Editor. Log off Windows, and then log back on.
These steps disable all Notification Area balloon tips for this user. There is no way to disable balloon
tips for specific programs only.