Nov 26
Some networking newcomers have read books about networking and still wonder what the point of VLANs and subnets is. Why do we need both? ... They look similar: both segment a network into separate networks (at L2 and L3 respectively) for security, smaller broadcast domains, etc.
So ... what is the key point of a VLAN, and what is the key point of a subnet?
VLAN - used to segment/separate an L2 network. The key points of creating VLANs are more security, smaller broadcast domains and cost savings. Computers that share the same physical equipment are normally on the same L2 network; to separate them into two L2 networks you would need two sets of equipment. But if the equipment/computers support VLANs, we can put each computer/device into a different L2 network while sharing the same physical infrastructure (switches, cabling, routers, etc.).
Subnet - used for address assignment. The key point of subnetting is to assign an L3 network address (subnet) appropriate for the usage (and sometimes to conserve address space). In typical setups, each VLAN also needs its own subnet, so subnetting is usually done along with VLAN segmentation. Security and smaller broadcast domains are not the main point of subnetting, because the VLAN already provides them.
You can also have several subnets in one L2 network (VLAN), but ... then there is no security between the two L3 networks at all. Every node in each L3 network still receives the other L3 network's broadcasts, because they share the same L2 network.
...
In short
VLAN = segment/separate L2 networks
Subnetting = assign an appropriate L3 network address (subnet) to each L2 network
FYI!
Posted by SF-Alpha
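To make the L2-versus-L3 distinction concrete, here is an added example (not part of the original post) that models it with Python's standard ipaddress module: one subnet is carved per VLAN, and a pair of hosts is classified as isolated only when a VLAN boundary separates them. The VLAN ids, host names and the 10.0.0.0/16 supernet are constructed for illustration.

```python
# Added example (not part of the original post): a small model of L2 (VLAN)
# versus L3 (subnet) segmentation, using Python's standard ipaddress module.
# The VLAN ids, host names and the 10.0.0.0/16 supernet below are constructed
# for illustration; "isolated" means "in a different L2 broadcast domain".
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int                            # 802.1Q VLAN id = L2 broadcast domain
    address: ipaddress.IPv4Interface     # L3 address with prefix, e.g. 10.0.0.5/24

    @property
    def subnet(self):
        return self.address.network


def plan_subnets(supernet, vlan_ids, prefixlen=24):
    """Carve one subnet per VLAN out of the supernet (subnetting done along
    with VLAN segmentation). Returns {vlan_id: IPv4Network}."""
    blocks = ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen)
    result = {}
    for vid in sorted(set(vlan_ids)):
        try:
            result[vid] = next(blocks)
        except StopIteration:
            raise ValueError(f"{supernet} has no /{prefixlen} left for VLAN {vid}") from None
    return result


def check_plan(plan):
    """Reject a plan in which two VLANs share or overlap an L3 prefix."""
    nets = list(plan.values())
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"subnets overlap: {a} and {b}")
    return True


def same_broadcast_domain(a, b):
    return a.vlan == b.vlan


def same_subnet(a, b):
    return a.subnet == b.subnet


def l2_isolated(a, b):
    """Only a VLAN boundary isolates two hosts at L2. Two different subnets on
    the same VLAN still see each other's broadcasts, so they are not isolated."""
    return not same_broadcast_domain(a, b)


def relationship(a, b):
    """Human-readable classification used by the demo below."""
    if same_broadcast_domain(a, b) and same_subnet(a, b):
        return "same VLAN, same subnet: direct L2 neighbours"
    if same_broadcast_domain(a, b):
        return "same VLAN, different subnets: routed at L3 but NOT isolated at L2"
    return "different VLANs: isolated at L2 (only reachable through a router)"


def demo():
    plan = plan_subnets("10.0.0.0/16", [10, 20])   # constructed plan
    check_plan(plan)
    iface = ipaddress.IPv4Interface
    a = Host("a", 10, iface("10.0.0.5/24"))       # VLAN 10, subnet 10.0.0.0/24
    b = Host("b", 10, iface("10.0.9.5/24"))       # VLAN 10, but a second subnet on it
    c = Host("c", 20, iface("10.0.1.5/24"))       # VLAN 20, subnet 10.0.1.0/24
    return {
        "plan": {vid: str(net) for vid, net in plan.items()},
        "a-b": relationship(a, b),
        "a-c": relationship(a, c),
        "a-b isolated": l2_isolated(a, b),
        "a-c isolated": l2_isolated(a, c),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows hosts a and b (same VLAN, different subnets) classified as not isolated, while a and c (different VLANs) are; the plan check is what keeps the per-VLAN subnets from overlapping.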
Mar 25
I have an idea for using IPSET together with NETLINK (nf_queue)-based userspace processing for bittorrent detection and connection marking.
BitTorrent can now use encryption ... and with encryption it is now hard to detect and throttle that traffic.
I have studied bittorrent blocking for a long time and I have a bittorrent throttling and blocking system using iptables + IPSET + L7-filter + IPP2P set up and working in a production environment, but it cannot detect encrypted bittorrent traffic.
After that I came up with a more effective way to block bittorrent: tracker communication detection, which works easily by pattern matching on the HTTP query (announce.+?info_hash=.+) in L7-filter. This way I can throttle a specific IP by inserting the IP into IPSET, but this way can only throttle all of its traffic, not bittorrent only.
I came up with a new idea after noticing that the client sends its ip/port pair to the tracker for other peers to connect to, and the tracker sends back all peer ip/port pairs as well. I can grab this information and insert IP+Port into IPSET to throttle all traffic matching the ip/port without affecting all other traffic. But this way needs some processing that IPP2P and L7-Filter cannot do.
So I need to implement this in userspace with NF_QUEUE. But ... it is still hard to program and needs quite a lot of time to complete.
Posted by SF-Alpha
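The processing step the post says L7-filter and IPP2P cannot do (pull the peer ip/port pairs out of the tracker reply and turn them into ipset entries) is small enough to show. The following is an added example, not the post's own code: it matches the announce query, decodes the bencoded tracker response in both the compact and dictionary peer formats, and renders the pairs as lines for an ipset of type hash:ip,port. It only produces text; hooking it to NF_QUEUE and running the ipset commands is left to the operator. The announce line, tracker responses and peer addresses are constructed samples.

```python
# Added example (not the post's own code): parse the tracker exchange the post
# describes, extract peer ip/port pairs, and render them as entries for an
# ipset of type hash:ip,port. Nothing here touches the kernel; it only produces
# the "add" lines an operator could feed to `ipset restore`. The announce
# request, tracker responses and peer addresses are all constructed samples.
import re
import socket
import struct
from urllib.parse import parse_qs, urlsplit

# The same HTTP-query pattern the post uses in L7-filter (announce ... info_hash=).
ANNOUNCE_RE = re.compile(rb"announce.+?info_hash=.+")


def is_announce_request(request_line):
    """True if an HTTP request line looks like a tracker announce."""
    return bool(ANNOUNCE_RE.search(request_line))


def announce_listen_port(request_line):
    """The port the client advertises to the tracker (the 'port' query param)."""
    target = request_line.split()[1].decode("ascii", "replace")
    params = parse_qs(urlsplit(target).query)
    return int(params["port"][0]) if "port" in params else None


def bdecode(data, i=0):
    """Minimal bencode decoder; returns (value, index after value)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                  # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                                  # dict: d<key><value>...e
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            d[k] = v
        return d, i + 1
    if c.isdigit():                                # string: <len>:<bytes>
        colon = data.index(b":", i)
        n, start = int(data[i:colon]), colon + 1
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {i}")


def extract_peers(tracker_response):
    """Return [(ip, port), ...] from a tracker response, in either the compact
    6-byte-per-peer form or the dictionary-list form."""
    tracker, _ = bdecode(tracker_response)
    peers = tracker.get(b"peers", b"")
    out = []
    if isinstance(peers, bytes):                   # compact: 4-byte IP + 2-byte big-endian port
        for off in range(0, len(peers) - len(peers) % 6, 6):
            ip = socket.inet_ntoa(peers[off:off + 4])
            (port,) = struct.unpack("!H", peers[off + 4:off + 6])
            out.append((ip, port))
    else:                                          # list of dicts with b"ip" / b"port"
        for p in peers:
            out.append((p[b"ip"].decode(), int(p[b"port"])))
    return out


def ipset_entries(peers, setname="p2p_peers", proto="tcp"):
    """Lines for `ipset restore`; the set must be created as type hash:ip,port."""
    return [f"add {setname} {ip},{proto}:{port}" for ip, port in peers]


# --- constructed samples ---------------------------------------------------
SAMPLE_PEERS = [("10.0.0.1", 6881), ("192.168.1.2", 51413)]
_compact = b"".join(socket.inet_aton(ip) + struct.pack("!H", p) for ip, p in SAMPLE_PEERS)
SAMPLE_COMPACT_RESPONSE = (b"d8:intervali1800e5:peers" + str(len(_compact)).encode()
                           + b":" + _compact + b"e")
SAMPLE_DICT_RESPONSE = b"d5:peersld2:ip8:10.0.0.24:porti6882eeee"
SAMPLE_ANNOUNCE = b"GET /announce?info_hash=%12%34&peer_id=abc&port=6881 HTTP/1.1"

if __name__ == "__main__":
    if is_announce_request(SAMPLE_ANNOUNCE):
        print("client listens on", announce_listen_port(SAMPLE_ANNOUNCE))
    for line in ipset_entries(extract_peers(SAMPLE_COMPACT_RESPONSE)):
        print(line)
```

The set name p2p_peers is a placeholder; the entries assume a set created with `ipset create p2p_peers hash:ip,port`, after which an iptables rule with `-m set --match-set p2p_peers dst` (or src) can mark or police exactly those ip/port flows, leaving the host's other traffic alone as the post intends.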
Jan 11
A Content-SHA1 HTTP header could be useful for hash integrity as well as for file download caching.
It should be widely deployed and supported by cache proxy servers, web browsers, OS search indexing, etc. I hope it will be.
Content-SHA1: (sha1) a927bc412550dadeff573220d00e1505601e8aacd
For example, in a scenario where we put a download file named 'fooprogramsetup.exe' on many download mirrors, which of course have different URLs ... the cache (proxy) server will not see this file as the SAME file if different users download the same file from different mirrors. The cache proxy will cache it separately and may need to send a DIRECT request to the download server for the new URL even though it is the same file. If we had this header, the cache could check its local cache and then send the same file if the hash matches (it also needs more keys, filesize and mtime, to make sure it is the same).
Not only proxies: a browser could be configured with a content-check folder or cache folder, and the browser could look at the hashes of cached files or files in the content-check folder to see whether it is the same file and notify the user.
The implementation could also be done in the web server directly by looking for a hash suffix file, for example:
fooprogramsetup.exe may have fooprogramsetup.exe.SHA1 in the same folder, so the web server picks up the SHA1 and sends it automatically (if configured to do so).
I hope this will be developed in the future. I am not sure whether any web servers or proxies have implemented it already, but ... I think it is a good idea!
Posted by SF-Alpha
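As an added example (not code from the post), here is a small model of both sides of the proposal: a server-side helper that emits Content-SHA1 from a .SHA1 sidecar file when one exists and hashes the file otherwise, and a proxy-side cache keyed by (sha1, size) rather than URL. The check a practitioner would want is included: the proxy admits a body to the cache only after recomputing its SHA-1 and comparing it with the advertised header, so a wrong or tampered header can never poison the cache. The header name, the "(sha1)" prefix and the sidecar convention come from the post; the cache class, mirror URLs and file contents are constructed here.

```python
# Added example (not part of the original post): a hash-keyed download cache
# built around the Content-SHA1 header the post proposes. The header name,
# the "(sha1)" prefix and the ".SHA1" sidecar convention come from the post;
# the cache class, the mirror URLs and the file contents are constructed here.
import hashlib
import os
import tempfile

HEADER = "Content-SHA1"


def sha1_of_file(path, chunk=65536):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_header_value(value):
    """Accept both 'a927...' and the post's '(sha1) a927...' form."""
    parts = value.split()
    return parts[-1].lower() if parts else ""


def content_sha1_header(path):
    """Server side: prefer a 'name.SHA1' sidecar in the same folder, otherwise
    hash the file. Returns the header as a dict."""
    sidecar = path + ".SHA1"
    if os.path.exists(sidecar):
        with open(sidecar, "r", encoding="ascii") as f:
            digest = parse_header_value(f.read())
    else:
        digest = sha1_of_file(path)
    return {HEADER: f"(sha1) {digest}"}


class HashKeyedCache:
    """Proxy side: bodies are keyed by (sha1, size) instead of URL, so the same
    file fetched from two mirrors is served once. A body is admitted only after
    its real SHA-1 matches the advertised header; a mismatch is never cached."""

    def __init__(self):
        self._store = {}
        self.hits = self.misses = self.rejected = 0

    def lookup(self, headers, size):
        key = (parse_header_value(headers.get(HEADER, "")), size)
        body = self._store.get(key)
        if body is None:
            self.misses += 1
        else:
            self.hits += 1
        return body

    def store(self, headers, body):
        advertised = parse_header_value(headers.get(HEADER, ""))
        actual = hashlib.sha1(body).hexdigest()
        if advertised != actual:
            self.rejected += 1        # header lies or is stale: keep it out of the cache
            return False
        self._store[(actual, len(body))] = body
        return True


def demo():
    """Two mirrors, different URLs, same bytes; plus one mirror with a wrong header."""
    body = b"fooprogramsetup.exe contents (constructed, not a real installer)"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fooprogramsetup.exe")
        with open(path, "wb") as f:
            f.write(body)
        computed = content_sha1_header(path)          # no sidecar yet: hashed on the fly
        with open(path + ".SHA1", "w", encoding="ascii") as f:
            f.write(sha1_of_file(path) + "\n")
        from_sidecar = content_sha1_header(path)      # sidecar now picked up

    cache = HashKeyedCache()
    mirrors = {                                       # constructed mirror URLs
        "http://mirror-a.example/dl/fooprogramsetup.exe": computed,
        "http://mirror-b.example/pub/fooprogramsetup.exe": from_sidecar,
    }
    served = {}
    for url, headers in mirrors.items():
        if cache.lookup(headers, len(body)) is None:
            cache.store(headers, body)                # first mirror: fetch and admit
            served[url] = "origin"
        else:
            served[url] = "cache"
    bad = {HEADER: "(sha1) " + "0" * 40}              # incorrect header for the same body
    return {"served": served, "hits": cache.hits, "misses": cache.misses,
            "accepted_bad": cache.store(bad, body), "rejected": cache.rejected,
            "headers_agree": computed == from_sidecar}


if __name__ == "__main__":
    print(demo())
```

The size key in the cache stands in for the extra keys (filesize, mtime) the post mentions. Note that SHA-1 is no longer collision resistant, so a deployment of this idea today would carry a stronger digest; the verify-before-admit rule is what matters regardless of the hash chosen.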
Dec 9
I have recently tested CAT6 cable from some manufacturers to check signal quality and performance. It was done with a simple 1GByte file download test using 100 Meter and 150 Meter CAT5e/CAT6 cable (connected via patch panel and patch cord like a common installation in the TIA/EIA 568B structured cabling standard) to see how many frame errors occurred. I did not measure with a TDR, signal analyzer, etc. because all cable should conform to the spec when tested at the factory (or it would be rejected by most customers anyway).
But ... the results were somewhat surprising. At first, I thought that using a 10BASE-T signal on CAT6 cable should give the longest transmission with no frames lost, followed by 100BASE-TX and 1000BASE-T.
The actual result was not like that: on 150M CAT6 cable, 10Mbps using the 10BASE-T signal did well, with a small number of frames lost when transferring 1GByte files. 100Mbps on the 100BASE-TX signal was very bad, with thousands of frame errors. And really surprisingly, 1000Mbps on the 1000BASE-T signal did well; PAM5x5 modulation plus 8b10b encoding on 1000BASE-T is very reliable and immune to noise, and only a few (less than 10) frames were in error.
These are the numbers of frame errors on each cable tested, transferring a 1GB file over a 150M cable:
| Cable | Frame errors at 10M (10BASE-T) | Frame errors at 100M (100BASE-TX) | Frame errors at 1000M (1000BASE-T) |
|---|---|---|---|
| CAT5e Brand A | 221 | Unusable | Unusable |
| CAT5e Brand B | 155 | Unusable | Unusable |
| CAT6 Brand A | 0 | 1521 | 7 |
| CAT6 Brand B | 0 | 1422 | 3 |
So ... installing a 1Gbps switch on CAT6 infrastructure has some advantage over a 100Mbps switch. You can even use 100M+ distances over CAT6 cable; although TIA/EIA 568 recommends CAT6 at 100M, the actual usable distance is up to 150M if the cable is good enough.
Note that TIA/EIA 568B.2 AD10 (2008) has now been updated to add Augmented CAT6 (CAT6a or CAT6e) for 10GBASE-T installations at 100M distance, but it also permits CAT6 for 10GBASE-T if the total length is less than 55M, for old CAT6 installations, because CAT6a is expensive and must have twice the signal performance characteristics of CAT6 (250MHz vs 500MHz). CAT6a is probably not the choice to deploy in installations where the distance does not exceed 55M.
Posted by SF-Alpha
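The frame-error counts above come from a transfer test, and on Linux the way to get such numbers is to snapshot the interface counters before and after the download and diff them. The following is an added example, not part of the post: a parser for /proc/net/dev plus a delta function that reports the receive errors and frame errors a link accumulated during the transfer, with an errors-per-million-packets figure for comparing cables of different lengths. The two snapshots are constructed text (the eth0 delta is chosen to resemble the CAT6 Brand A 100BASE-TX row), not real counters.

```python
# Added example (not from the original post): count the frame errors a link
# accumulated during a transfer by diffing two snapshots of Linux's
# /proc/net/dev, the way one would bracket the post's 1GB download test.
# The two snapshots below are constructed text, not real counters.
PROC_NET_DEV_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 5000000   40000    3    0    0     2          0        12  2000000   30000    0    0    0     0       0          0
"""
PROC_NET_DEV_AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 1079000000  740000 1524    0    0  1523          0        12  2100000   45000    0    0    0     0       0          0
"""

# Column order of /proc/net/dev: eight receive counters, then eight transmit counters.
RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast")
TX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed")


def parse_proc_net_dev(text):
    """Return {iface: {"rx_bytes": int, ..., "tx_compressed": int}}."""
    stats = {}
    for line in text.splitlines()[2:]:            # skip the two header lines
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        nums = [int(x) for x in rest.split()]
        if len(nums) != 16:
            continue                              # not a counter line
        row = {f"rx_{k}": v for k, v in zip(RX_FIELDS, nums[:8])}
        row.update({f"tx_{k}": v for k, v in zip(TX_FIELDS, nums[8:])})
        stats[iface.strip()] = row
    return stats


def counter_delta(before_text, after_text, iface):
    """Difference of every counter for one interface between two snapshots."""
    before = parse_proc_net_dev(before_text)[iface]
    after = parse_proc_net_dev(after_text)[iface]
    return {k: after[k] - before[k] for k in before}


def rx_error_summary(before_text, after_text, iface):
    """What the cable test cares about: receive errors during the transfer,
    normalised per million received packets so cables can be compared."""
    d = counter_delta(before_text, after_text, iface)
    rx_pkts, bad = d["rx_packets"], d["rx_errs"]
    return {
        "rx_bytes": d["rx_bytes"],
        "rx_packets": rx_pkts,
        "rx_errs": bad,
        "rx_frame": d["rx_frame"],                # frame/alignment errors, a subset of rx_errs
        "errors_per_million_packets": round(bad * 1e6 / rx_pkts, 1) if rx_pkts else None,
    }


if __name__ == "__main__":
    print(rx_error_summary(PROC_NET_DEV_BEFORE, PROC_NET_DEV_AFTER, "eth0"))
```

In practice, save `cat /proc/net/dev` to a file before the download and again after it, and pass both files' contents to rx_error_summary for the interface under test; the counters are cumulative since boot, which is why the delta rather than the raw value is reported.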