Q-in-Q Ethernet frame size

Just a few notes from a conversation about Ethernet frame size while using Q-in-Q (double tagging, VLAN tunneling). The maximum frame size for a single-tagged frame is 1522 bytes, which breaks down like so:

  • 6 byte DA (Destination Address)
  • 6 byte SA (Source Address)
  • 4 byte VLAN tag
  • 2 byte Etype
  • 46-1500 byte DATA (payload)
  • 4 byte FCS

So adding a second VLAN tag increases the maximum frame size to 1526 bytes, like so:

  • 6 byte DA (Destination Address)
  • 6 byte SA (Source Address)
  • 4 byte VLAN tag
  • 4 byte VLAN tag
  • 2 byte Etype
  • 46-1500 byte DATA (payload)
  • 4 byte FCS

Frame structure of tagged and double-tagged ethernet frames

Young Writers Studio

Congratulations, Gabran! Gabe was accepted into the Young Writers Studio at the University of Iowa.

Dropping Gabran off in Iowa City for the Young Writers Studio

Gabran signing in at the Young Writers Studio in Iowa City

ManGabe

Here’s a picture from January 15, 2013. Gabran got his license on that fateful Tuesday. This was taken right before his first solo drive.

Right before Gabran's first solo drive.

ISC DHCP and Option 82 coming from non-access gear

DHCP option 82 sub-option 1 (circuit-id) information coming from access gear (Occam, Calix, etc.) is sent in ASCII format. That same information sent by switching/routing gear (Brocade, Cisco, etc.) is sent base-10 encoded. Changes have to be made to the dhcpd.conf file to deal with this, not only for the purposes of logging, but also for any match statements that statically assign IP addresses based on switch/card/port (option 82) information. Here is a working dhcpd.conf file that solves the issue.

option comment code 200 = string;

################# Logging Script for Calea #############
# Render both the leased address and the circuit-id as dotted base-10
# byte values, so ASCII and binary circuit-ids are logged the same way.
if exists agent.circuit-id
{
    if exists dhcp-client-identifier
    {
        log ( info, concat( "IP Address: ", binary-to-ascii ( 10, 8, ".", leased-address ), " Option-82: ", binary-to-ascii(10, 8, ".", option agent.circuit-id) ));
    }
    else
    {
        log ( info, concat( "IP Address: ", binary-to-ascii ( 10, 8, ".", leased-address ), " Option-82: ", binary-to-ascii(10, 8, ".", option agent.circuit-id ) ));
    }
}
####################### Logging Script for Calea End ###################
# 259200 seconds = 72 hours
default-lease-time 259200;
max-lease-time 259200;

# These are Google's public dns resolvers
#option domain-name-servers 8.8.8.8, 8.8.4.4;

# Some random config lines to sidestep clients sending
# dynamic dns updates to us to fill up the logs
ddns-update-style none;
ignore client-updates;
authoritative;

#start of shared-network localnet
shared-network LOCAL-NET {
    subnet 192.168.0.0 netmask 255.255.255.0 {
        option comment "LOCAL_NET";
    }
}

#############################################################################

#start of shared-network ADMIN_NETWORK
shared-network ADMIN_NETWORK {
    subnet 10.50.50.0 netmask 255.255.255.0 {
        option comment "Admin_Network";
        option routers 10.50.50.254;
        option broadcast-address 10.50.50.255;
        # range 10.50.50.200 10.50.50.249;
        default-lease-time 259200;
        max-lease-time 259200;
        filename "testbootfile.xml";

        # Match on the circuit-id rendered as dotted base-10 byte values
        # (the same rendering the logging script above uses).
        class "GOAT_TEST_Port_10" {
            match if binary-to-ascii(10, 8, ".", option agent.circuit-id) = "0.4.0.50.1.10";
        }
        pool {
            allow members of "GOAT_TEST_Port_10";
            range 10.50.50.2;
            deny dynamic bootp clients;
        }

        class "GOAT_TEST_Port_12" {
            match if binary-to-ascii(10, 8, ".", option agent.circuit-id) = "0.4.0.50.1.12";
        }
        pool {
            allow members of "GOAT_TEST_Port_12";
            range 10.50.50.12;
            deny dynamic bootp clients;
        }

    }
} #end of shared-network ADMIN_NETWORK


SSH tunnel

Here is an example of how to use an ssh tunnel to get to a web admin port (443) on a device inside of a network. This assumes you have a server with two Ethernet interfaces, one external (real world) at 100.200.200.50 and one internal at 192.168.99.200. Your appliance/server/whatever with the web admin interface is on a box with an IP of 192.168.99.1. You want outside (real world) access to this web interface. This command, run on the dual-homed server, will get it done:

ssh -f admin@192.168.99.1 -L 100.200.200.50:8080:192.168.99.1:443 -N

Example ssh tunnel for access to port 443 on internal server

Wireshark as non-root user on Ubuntu

When you run Wireshark as a non-root user on Ubuntu (and probably other distros), you don't have rights to the network devices (eth0, wlan0, etc). The following changes grant the needed capabilities to dumpcap and allow this to work:

$ sudo apt-get install libcap2-bin wireshark
$ sudo chgrp admin /usr/bin/dumpcap
$ sudo chmod 750 /usr/bin/dumpcap
$ sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap

*Note* - in the chgrp command, replace "admin" with a group your login user belongs to (on Ubuntu each user has a private group of the same name, so your username works).