Some can think that a Linux server cannot do much in switching environment as modern switches heavily depend on special hardware components. It’s true, but we can use a Linux machine for various purposes in such a network also. In this article we’ll see Linux services which helps and coexists with various switching technologies: VLANs, STP and EtherChannel, and we discuss some methods to easily manage a Cisco switch from Linux. Because GNS3 (before the 1.0 version) is limited in switching functionality, the labs in this article are using real devices. We don’t need more than two Cisco switches: I’ll use Catalyst 2950 model, as it’s enough for our purposes. The topology I’ll use is the following:

In reality I used my Debian virtual machine in VirtualBox, bridged onto the physical NICs under Windows.

Let’s start with experimenting STP. Although the Linux interfaces are Layer3 by default, we can create a bridge and assign the physical interfaces to it. In order to do this we need to install bridge utilities by issuing apt-get install bridge-utils. The main utility we get is called brctl. Entering this command alone produces a little help, but I provide the necessary commands to make a bridge called br0, with member interfaces of eth0 and eth2 (note: the interfaces should not have an IP address):

The commands are rather self-explanatory: I created the bridge, assigned the interfaces, set them to up state then checked the state of the bridge. The output states that the bridge ID is 8000.08002746b5a3: the hexadecimal 8000 is equal to 32768, the default priority of an STP bridge, and the next part is the MAC address. STP is still in off state – let’s turn it on, fine tune it a bit and check the results:

The Linux STP implementation is using the cost of four by default on bridge interfaces therefore I set it to 19 according to the FastEthernet ports. As it can be seen all the ports are in a forwarding state, and the bridge ID equals to designated root, so this is the root bridge – this is because the priority: it’s 32768, while on the Cisco switches it’s 32769 as Cisco switches are using the extended system-ID feature. Let’s modify this – raise the priority of br0 (hexadecimal 9000 equals to decimal 36864):

brctl setbridgeprio br0 0x9000

If we check the status again, one of the Cisco switches must be the root (check with show spanning-tree command) and one of the Linux bridge port should be in blocking state (because the non-root Cisco switch has higher priority).

One additional feature is that the Linux bridge interface can have IP addresses just like the VLAN1 interface on Cisco switches. Try to assign addresses to each of the devices (for example use ip address add dev br0 command) and ping between them. Finally, delete the bridge with the following commands (Linux accepts more commands in one line):

ifconfig br0 down; brctl delbr br0

The next topic is an important one in switching: virtual LANs. In the CCNA curriculum we can practice managing port-based VLANs, which means we define each port to be in a particular VLAN (or to be trunk). There’s another method; however, to assign a switchport into a VLAN: this is called dynamic VLAN membership. This method is useful if we want to move our devices frequently in the network, but still want to keep them in the same VLAN. Obviously this cannot be achieved easily with static, port-based VLANs. With dynamic VLANs the VLAN membership will be based on the MAC address of the end device. When we connect it to a switchport, the switch consults a special server called VMPS (VLAN Membership Policy Server) with the help of a protocol called VQP (VLAN Query Protocol) and asks the server, which VLAN needs to put the device into, based on its MAC. The server responds and the switch configures its port into the given VLAN. This method will also improve the security. The devices with unknown MAC addresses cannot connect to any VLAN, or just to a separated one.

Linux can act as a VMPS server, so let’s try dynamic VLANs. First we need to download OpenVMPS as a source package because Debian doesn’t have binary package of it. The link is:

Save the vmpsd-version.tar.gz file into a directory and extract the contents with the following command:

tar zxvf vmpsd-version.tar.gz

This produces a directory called vmpsd-version. We need to enter this directory, configure the source package then compile it. Use the following commands:

cd vmpsd-version
make install

Every command produces some output: wait until they end then issue the next. (More information about the software and its usage can be found in the README and INSTALL files.) At the end we’ll have the binary at /usr/local/bin/vmpsd and the configuration file at /usr/local/etc/vlan.db. We need to edit this file, open with a text editor and modify according to this:

The first line defines the VMPS domain, which should be the same as the VTP domain. The next line specifies the behavior of the server.I If the mode is “open,” then an end device with an unknown MAC address will go to the default VLAN (which is specified in the next line), if the mode is “closed,” then the port will shut down. The fourth line defines if the server answers to a query without VTP domain or not – to improve security we should use “deny.” The next section is rather self-explanatory: the MAC addresses of our devices and the VLAN names they should belong to. (This is just the basic configuration: we can use VLAN groups, policies and other bells and whistles.) Now we can start the server with the following command line:

vmpsd -d -f /usr/local/etc/vlan.db

The –d switch specifies that the daemon program won’t go to background and the –f switch specifies the configuration file.

Now go to the switch SW1 and configure it according to the following:

The configuration is not so difficult: the VTP domain name, the VMPS server’s address (I’ve set the IP connection through VLAN 1 interface to the server before) and the switchport VLAN access mode. The show vmps command is just a confirmation. Now try to attach our PCs with the configured MAC addresses and see if we get the proper response and they belong to the proper VLAN. The vmpsd displays something similar:

ALLOW: 08:00:27:46:b5:a3 -> students, switch (unknown) [] port Fa0/11

Try to attach a machine with an unknown MAC address also.I It should go to VLAN 1 (the default VLAN.) Experiment with the other settings also. One final thing: if you say that it’s hard work to gather the MAC addresses of the end devices, try to use arp-scan or similar utilities.

Our Linux machines usually uses servers or simple workstations which are in a particular VLAN, but if we want we can go further. Linux supports the 802.1q trunking protocol and several VLANs on a given interface. With this we can use our Linux device as router in a router-on-a-stick scenario, or we can use as a server accessible from multiple VLANs. Let’s configure the system according to the following: PC1 and PC2 are in separate VLANs (VLAN 10 and 20, respectively) with IP addresses from the and range. The router uses the first useable address, the PCs are using the second one. We want the PCs to “see” each other.

First we configure the switch as usual: create the two VLANs (name is not necessary), make the Fa0/1 port as trunk and the Fa0/3 and Fa0/4 ports as access ports in the proper VLAN. Check the settings by the show vlan brief command. Then configure the PCs for use of the IP address of their VLAN interface as default gateway.

On the Linux side, first we need to install the package called vlan, and enable the kernel module called 8021q to support tagging of frames. The latter can be achieved by issuing the modprobe 8021q command. Now we need to create VLAN interfaces for each VLAN (think of them as subinterfaces on a router). Remove (if any) IP addresses from eth0 with ifconfig eth0 up command, then issue the following:

The vconfig utility is used to add a VLAN interface to a physical interface. After issuing it the device can be accessed in the form just like on Cisco routers: physical_NIC_name.VLAN_ID. We just need to give an IP address and set them up (I used the traditional ifconfig in this case). From now on the PCs should ping their default gateway on the Linux server, but still be unable to connect to each other, although the routing table is complete (I show it in two ways):

The reason is that Linux is not a router by default; it doesn’t forward packets between its interfaces. We need to set a kernel variable to do this (think of it just like setting a key in Windows Registry to a different value). This can be achieved by several ways, now we’ll use the sysctl utility:

sysctl -w net.ipv4.ip_forward=1

The –w parameter means write, the remaining part is the name of the variable and its new value. Now try to ping PC2 from PC1 and vice versa. If we want our settings to remain intact after rebooting, read the guide at the end of the article. Deleting a VLAN interface is as simple as:

vconfig rem eth0.10

Etherchannel is a very good technology to achieve improved fault tolerance and bandwidth. The new CCNA R&S curriculum describes it, now I show that we can use Linux machines with Etherchannel also. To be accurate, we can use static channels and LACP (Link Aggregation Control Protocol) between a Cisco switch and a Linux server to make our network more stable and fast.

Let’s begin with a little re-cabling. Connect the eth0 interface to the Fa0/10 and the eth2 interface to the Fa0/11 so that our channel can use two physical connections between the server and SW1. Next step will be installing the necessary package on Linux:

apt-get install ifenslave-2.6

In Linux terminology, the port aggregation is called bonding, and the ifenslave utility can be used to do the actual configuration. But before using this we need to load the bonding driver, which will create a virtual interface that represents the channel:

modprobe bonding mode=802.3ad

The driver supports several load balancing schemes, mode 802.3ad is LACP (you can read about the possible modes among the links at the end). We can check the settings:

The /proc directory contains a virtual file system in Linux, it contains various kernel data and variables.

Now configure the actual bonding (or teaming or aggregating, as you like it):

ifenslave bond0 eth0 eth2

So, first we need to define the virtual bonding interface, then the so-called slaves: the actual physical interfaces. If we check the status again with cat /proc/net/bonding/bond0, we can see the slave interfaces and a lot of other information.

The Cisco side needs fewer commands:

The console messages state that the Port-channel 1 interface comes online, but we can use show commands to prove it, for example:

As we can see, the channel is functioning with two ports in it. If we want to further test the connection, give an IP address to VLAN1 interface on the switch and another to the bond0 interface and ping each other.

Last, but not least, I want to show a utility which can be used to manage our switches remotely. There’s Cisco Network Assistant which can be familiar to many Cisco technician – it can be used under Linux also with the help of Wine, the Windows Emulator (see the link below), but there is at least one alternative. The software is called IOS4ALL and although it’s primarily built for Windows, we can still use it on Linux, because it’s a .NET application and there’s Mono, the open source .NET development platform. Install it with apt-get install mono-complete on the Linux box, then download IOS4ALL from this link and install it under Windows:

After the installation you can find the program’s folder under Program Files: copy the files from it to a folder on Linux then issue the command mono IOS4ALL.exe. The program starts with the following screen:

In the Quick connect window we can select the credentials of the administrator and can choose management protocol: HTTP or Telnet. If we want to use HTTP, we can configure the switch as follows:

Fill in the data then click on Connect button. The usage of the program is simple, and we can get help on the webpage. Experiment with the various settings.

I hope that the tools presented gave some ideas about using Linux in conjunction with switches. Unfortunately this little article is not enough to show them in depth, but the possibilities of Linux can be seen.

Useful links:

Dynamic VLANs on switches:

VLAN configuration on Debian:

Linux bonding:

Cisco Network Assistant under Wine: