UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.
#81
Posted to uk.d-i-y
Cat5e or what?
The Natural Philosopher wrote:
> On 29/01/16 00:33, Theo wrote:
>> Also multiple ethernet ports mean you can segment the network: not put the doorbell on the same network as the banking data. You can do that on a switch with VLANs, but to do that you need a more expensive switch.
>>
>> Theo
>
> Can you put that in simple English that a mere professional IT network engineer can understand? What are 'multiple Ethernet ports' in this context, please, and how do they differ from what a switch has anyway?

Virtual LANs allow you to run separate networks over the same physical cabling.

For instance, you might trust the doorbell network (physically exposed on the outside of your building) less than the one handling credit card data, and don't want them able to communicate. But your site topology might mean you have to use the same physical link for connecting them.

Let's assume you have one ethernet cable you want to send both traffic down. You do this by using VLAN-enabled switches. You put a VLAN-enabled switch at each end. You then decide on a VLAN numbering scheme, for instance:

VLAN 123 = doorbell
VLAN 456 = accounting

You then configure switch A for port 1 to be on VLAN 123 and port 2 to be on VLAN 456. You do the same for switch B. You plug in the doorbell kit to port 1 and credit card kit to port 2. You select port 3 to carry all 'tagged' frames, and link the switches with your one cable between their port 3s.

          +-------------------------------+
          |           Switch A            |
doorbell -|-port 1--[tag=123?]-+          |
          |                    X--port 3 -|-- VLAN tagged frames on one link
accounts -|-port 2--[tag=456?]-+          |
          |                               |
          +-------------------------------+

[and the same at the other end]

The switches 'tag' packets going out on port 3, in other words the packet over the link looks like:

[VLAN tag=123][Ethernet header][IP header][IP payload][checksums]

and then route based on the tag, rather than routing to all ports. Because the tag says VLAN 123, each switch now conveys this only between port 1. For this traffic, it's as if the other ports didn't exist.

Effectively you have two isolated networks running over a single cable.

The downside is that you need a management interface on each switch to configure this, that means the switch having a webserver, CPU, etc. This makes the switches more expensive. It's also more work to configure and maintain.

This is fairly standard enterprise networking, and not uncommon if your business is large enough to buy switches from Cisco rather than Belkin. (Some cheapo switches support it too - for instance there's a 10 pound TP-Link gigabit 8-port. I haven't tried it)

Theo
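The post above explains tagging in prose and with a sketch. The code below is an added illustration, not part of the thread and not any vendor's code: it builds and parses 802.1Q-tagged frames and models the per-port decision of a VLAN-aware switch (untagged access ports for one VLAN each, a tagged trunk for all of them). One wire-format detail worth knowing when you look at a capture: the 802.1Q tag is inserted inside the Ethernet header, between the source MAC and the EtherType, rather than in front of it. Port numbers, VLAN IDs, MAC addresses and payloads are assumptions made for the demo.

```python
"""Added example, not from the thread: 802.1Q frame encoding/decoding and the
forwarding decision of a small VLAN-aware switch.

Assumptions (not in the original post): port 1 = VLAN 123 (doorbell),
port 2 = VLAN 456 (accounts), port 3 = tagged uplink with no native VLAN.
MAC addresses and payloads below are constructed sample data.
"""
from __future__ import annotations

import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, payload: bytes, vlan: int | None = None,
                ethertype: int = ETHERTYPE_IPV4, pcp: int = 0) -> bytes:
    """Ethernet II frame; when vlan is given an 802.1Q tag is inserted.

    Wire layout: dst(6) src(6) [0x8100 TCI(2)] EtherType(2) payload.
    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    """
    tag = b""
    if vlan is not None:
        if not 1 <= vlan <= 4094:          # VID 0 and 4095 are reserved
            raise ValueError("VLAN ID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | (vlan & 0xFFF)
        tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return mac_bytes(dst) + mac_bytes(src) + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan (None when untagged), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0xFFF, 18
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "ethertype": etype, "payload": frame[off:]}


class VlanSwitch:
    """Minimal VLAN-aware learning switch: access ports plus one trunk."""

    def __init__(self, access: dict[int, int], trunk: int):
        self.access = access      # port -> VLAN ID for untagged ports
        self.trunk = trunk        # port that carries tagged frames
        self.fdb = {}             # (vlan, mac) -> port, learned from sources

    def ingress(self, port: int, frame: bytes) -> list[tuple[int, bytes]]:
        """Return [(egress port, frame exactly as sent on that port), ...]."""
        f = parse_frame(frame)
        if port in self.access:
            if f["vlan"] is not None:
                return []          # tagged frame on an access port: drop it
            vlan = self.access[port]
        elif port == self.trunk:
            if f["vlan"] is None:
                return []          # untagged on the trunk: no native VLAN here
            vlan = f["vlan"]
        else:
            raise ValueError(f"unknown port {port}")
        self.fdb[(vlan, f["src"])] = port
        known = self.fdb.get((vlan, f["dst"]))
        if known is not None:
            targets = [known]      # learned unicast goes to one port only
        else:                      # unknown unicast / broadcast: flood this VLAN
            targets = [p for p, v in self.access.items() if v == vlan] + [self.trunk]
        out = []
        for p in targets:
            if p == port:
                continue
            tag = vlan if p == self.trunk else None   # tag on trunk, strip on access
            out.append((p, build_frame(f["dst"], f["src"], f["payload"],
                                       vlan=tag, ethertype=f["ethertype"])))
        return out


def demo() -> dict:
    """Doorbell on port 1 (VLAN 123) sends to a MAC the switch has not learned:
    only the trunk sees the frame, tagged 123; the accounts port never does."""
    sw = VlanSwitch(access={1: 123, 2: 456}, trunk=3)
    doorbell, nas = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed MACs
    out = sw.ingress(1, build_frame(nas, doorbell, b"ring"))
    return {"egress_ports": sorted(p for p, _ in out),
            "trunk_vlan": parse_frame(dict(out)[3])["vlan"]}
```

The two rules that make the isolation hold are visible in `ingress`: an access port rejects frames that arrive already tagged, and the trunk has no untagged (native) VLAN. Both are choices in this model; on real switches a native VLAN on the trunk and double-tagged frames are the classic ways VLAN separation gets undermined, so the trunk port's configuration is the part to check.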
#82
Posted to uk.d-i-y
In article , Mike Tomlinson wrote:
> Dave Liquorice wrote:
>> Seemed OK at the time but can you imagine trying to use the modern web at 64 kbps?
>
> When my broadband went down a while back, I used a 56k modem to get my daily fix of the internets. Quite an eye-opener. A major part of the problem is advertising. Those selfish ****ers think nothing of hurling flashing, auto-vid-playing, noisy ads that consume more bandwidth combined than the page you actually wanted to look at. And then they whinge that people use ad-blockers to preserve their sanity.

It was ads that obscured legitimate page content that tipped me into using a blocker. Not popups that had to be dismissed (which I'd blocked earlier), but in-page ads that ****ed up layouts so badly the pages were unreadable.

Stories like
http://www.theverge.com/2015/8/25/92...-vulnerability
http://www.computerworld.com/article...-for-ddos.html
have not encouraged me to change back. (The waste of bandwidth doesn't help either, of course.)
#83
Posted to uk.d-i-y
On 29/01/2016 12:19, Adrian Caspersz wrote:
> On 29/01/16 00:58, John Rumm wrote:
>> On 28/01/2016 19:12, Adrian Caspersz wrote:
>>> On 28/01/16 18:32, John Rumm wrote:
>>>> On 28/01/2016 11:08, Huge wrote:
>>>>> On 2016-01-28, John Rumm wrote:
>>>>>> On 27/01/2016 15:03, www.GymRatZ.co.uk wrote:
>>>>>>> Or, as happened to me once, someone "tidies it away" and then calls IT as to why nothing in the office works any more.
>>>>>>
>>>>>> Yup, had that... and someone who created a network storm on a LAN by deciding that a loose RJ45 really ought to be plugged into something - and ended up creating a loopback on an old hub that did not spot the problem and attempted to forward the forwarded packet forever more!
>>>>>
>>>>> Or someone brings in their 4-port redundant thing from home which fixes their local lack of ports issue, but gifts the rest of the network a new DHCP server leasing out 192.168.0.0/24 and a gateway to nowhere.
>>>>
>>>> Yup had that as well...
>>>
>>> Another gateway to nowhere... I was working in a UK call centre where 150 thin client devices had the next gateway set to a Citrix server out of town. This worked normally until one particular morning when some of the workstations failed to connect and a lot of sales activity was lost. Management not happy.
>>>
>>> We could ping the gateway interface and got a quick response. Hmmm... Guys in Citrix server town could ping our interface as well. OK.
>>>
>>> Netscans revealed the MAC address of the gateway interface, and that to be something made by HP. A printer. Someone bored in a meeting room with idle fingers had given this device the gateway IP address and lots of enquiring packets to look at. We never found who this person was.
>>
>> IT people have a special dispensation from H&S for running up and down corridors, in fire fighting situations like this.
>
> A map of where network printers are exactly located would have been useful, but oh no, we don't have that :-(

I had very similar a good few years ago. After driving into Birmingham & back for a new router interface card, I discovered a standalone print server, newly installed that day. It didn't cause a total failure, just woeful, unpredictable performance, presumably as sometimes ARP would resolve the router.

I also never discovered which idiot configured the print server.
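Both stories above come down to the same symptom: two devices answering ARP for the gateway's address, with the switch happily delivering to whichever replied last. The check below is an added example (not from the thread) of how that shows up in data: given a list of ARP replies seen on the segment, flag any IP claimed by more than one MAC and attribute each MAC by its OUI prefix. The addresses, the replies and the OUI table are constructed for the demo; the OUI entries are placeholders, not values from the IEEE registry.

```python
"""Added example, not from the thread: find an IP address that more than one
MAC is answering ARP for (a rogue printer or print server with the router's
address), and attribute the offending MAC by vendor prefix.

All data below is constructed sample data. The OUI table is a placeholder,
not the real IEEE assignments.
"""

# (time, sender IP, sender MAC) from ARP replies ("is-at") captured on the
# call-centre segment. 10.0.0.1 is the gateway address. Constructed.
ARP_REPLIES = [
    ("09:00:01", "10.0.0.1",  "00:11:22:aa:bb:01"),
    ("09:00:05", "10.0.0.50", "00:11:22:cc:dd:50"),
    ("09:00:09", "10.0.0.1",  "00:11:22:aa:bb:01"),
    ("09:12:40", "10.0.0.1",  "00:33:44:EE:FF:07"),   # a second claimant appears
    ("09:12:41", "10.0.0.51", "00:11:22:cc:dd:51"),
    ("09:12:42", "10.0.0.1",  "00:33:44:ee:ff:07"),
]

# Placeholder OUI table (assumption: these prefixes are made up for the demo).
OUI_TABLE = {
    "00:11:22": "RouterCo (placeholder)",
    "00:33:44": "PrinterCo (placeholder)",
}


def oui_vendor(mac: str) -> str:
    """The first three octets of a MAC are the vendor prefix (OUI)."""
    return OUI_TABLE.get(mac.lower()[:8], "unknown")


def claimants(replies, ip):
    """Distinct MACs that answered for ip, each with the time it was first
    seen, in order of first appearance. A healthy LAN has exactly one."""
    first_seen = {}
    for ts, sender_ip, mac in replies:
        if sender_ip == ip:
            first_seen.setdefault(mac.lower(), ts)
    return [(ts, mac, oui_vendor(mac)) for mac, ts in first_seen.items()]


def find_conflicts(replies):
    """{ip: claimants} for every IP that more than one MAC has answered for."""
    conflicts = {}
    for ip in dict.fromkeys(r[1] for r in replies):   # unique IPs, first-seen order
        found = claimants(replies, ip)
        if len(found) > 1:
            conflicts[ip] = found
    return conflicts


def rogue_claimants(replies, ip, expected_mac):
    """Claimants for ip other than the MAC that is supposed to own it."""
    return [c for c in claimants(replies, ip) if c[1] != expected_mac.lower()]


def report(replies, gateway_ip, gateway_mac):
    """One line per rogue claimant, with the time it first answered."""
    return [f"{ts} {gateway_ip} also answered by {mac} ({vendor})"
            for ts, mac, vendor in rogue_claimants(replies, gateway_ip, gateway_mac)]
```

With real data the input is the ARP replies from a packet capture, or the ARP caches of a few machines gathered with `arp -a` or `ip neigh`; a cache only shows the current answer, which is why the first-seen time from a capture is the useful part when you need to match the fault to "one particular morning". The expected gateway MAC has to come from somewhere you trust (the router itself), not from the ARP traffic being checked.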
#84
Posted to uk.d-i-y
On 29/01/16 13:21, Alan Braggins wrote:
> In article , Mike Tomlinson wrote:
>> Dave Liquorice wrote:
>>> Seemed OK at the time but can you imagine trying to use the modern web at 64 kbps?
>>
>> When my broadband went down a while back, I used a 56k modem to get my daily fix of the internets. Quite an eye-opener. A major part of the problem is advertising. Those selfish ****ers think nothing of hurling flashing, auto-vid-playing, noisy ads that consume more bandwidth combined than the page you actually wanted to look at. And then they whinge that people use ad-blockers to preserve their sanity.
>
> It was ads that obscured legitimate page content that tipped me into using a blocker. Not popups that had to be dismissed (which I'd blocked earlier), but in-page ads that ****ed up layouts so badly the pages were unreadable.

I love Firefox for that. It has an HTML editor that allows you to delete nodes one by one until all that is left is what you want.

> Stories like
> http://www.theverge.com/2015/8/25/92...-vulnerability
> http://www.computerworld.com/article...-for-ddos.html
> have not encouraged me to change back. (The waste of bandwidth doesn't help either, of course.)

--
If you tell a lie big enough and keep repeating it, people will eventually come to believe it. The lie can be maintained only for such time as the State can shield the people from the political, economic and/or military consequences of the lie. It thus becomes vitally important for the State to use all of its powers to repress dissent, for the truth is the mortal enemy of the lie, and thus by extension, the truth is the greatest enemy of the State.

Joseph Goebbels
#85
Posted to uk.d-i-y
On 29/01/16 13:08, Theo Markettos wrote:
> The Natural Philosopher wrote:
>> On 29/01/16 00:33, Theo wrote:
>>> Also multiple ethernet ports mean you can segment the network: not put the doorbell on the same network as the banking data. You can do that on a switch with VLANs, but to do that you need a more expensive switch.
>>>
>>> Theo
>>
>> Can you put that in simple English that a mere professional IT network engineer can understand? What are 'multiple Ethernet ports' in this context, please, and how do they differ from what a switch has anyway?
>
> Virtual LANs allow you to run separate networks over the same physical cabling.

Yes, I know that.. (mere professional IT network engineer)

> For instance, you might trust the doorbell network (physically exposed on the outside of your building) less than the one handling credit card data, and don't want them able to communicate. But your site topology might mean you have to use the same physical link for connecting them.
>
> Let's assume you have one ethernet cable you want to send both traffic down. You do this by using VLAN-enabled switches. You put a VLAN-enabled switch at each end. You then decide on a VLAN numbering scheme, for instance:
>
> VLAN 123 = doorbell
> VLAN 456 = accounting
>
> You then configure switch A for port 1 to be on VLAN 123 and port 2 to be on VLAN 456. You do the same for switch B. You plug in the doorbell kit to port 1 and credit card kit to port 2. You select port 3 to carry all 'tagged' frames, and link the switches with your one cable between their port 3s.
>
>           +-------------------------------+
>           |           Switch A            |
> doorbell -|-port 1--[tag=123?]-+          |
>           |                    X--port 3 -|-- VLAN tagged frames on one link
> accounts -|-port 2--[tag=456?]-+          |
>           |                               |
>           +-------------------------------+
>
> [and the same at the other end]
>
> The switches 'tag' packets going out on port 3, in other words the packet over the link looks like:
>
> [VLAN tag=123][Ethernet header][IP header][IP payload][checksums]
>
> and then route based on the tag, rather than routing to all ports. Because the tag says VLAN 123, each switch now conveys this only between port 1. For this traffic, it's as if the other ports didn't exist.
>
> Effectively you have two isolated networks running over a single cable.
>
> The downside is that you need a management interface on each switch to configure this, that means the switch having a webserver, CPU, etc. This makes the switches more expensive. It's also more work to configure and maintain.
>
> This is fairly standard enterprise networking, and not uncommon if your business is large enough to buy switches from Cisco rather than Belkin. (Some cheapo switches support it too - for instance there's a 10 pound TP-Link gigabit 8-port. I haven't tried it)
>
> Theo

Yes, but what has that utterly pointless and complex solution got to do with domestic installations and 'multiple ethernet ports'?

You can set up a pair of devices to talk to each other on different IP networks using a bog standard switch. The switch itself will associate IP and MAC addresses together and prevent traffic spilling onto other segments.

You don't need all that VLAN gubbins at home, and unless you are seriously paranoid, you don't need it in an office either.

VLAN is more about extending trusted networks over foreign IP and untrusted networks - i.e. the Internet.

--
How fortunate for governments that the people they administer don't think.

Adolf Hitler
#86
Posted to uk.d-i-y
On 29/01/16 13:46, Chris Bartram wrote:
> On 29/01/2016 12:19, Adrian Caspersz wrote:
>> On 29/01/16 00:58, John Rumm wrote:
>>> On 28/01/2016 19:12, Adrian Caspersz wrote:
>>>> On 28/01/16 18:32, John Rumm wrote:
>>>>> On 28/01/2016 11:08, Huge wrote:
>>>>>> On 2016-01-28, John Rumm wrote:
>>>>>>> On 27/01/2016 15:03, www.GymRatZ.co.uk wrote:
>>>>>>>> Or, as happened to me once, someone "tidies it away" and then calls IT as to why nothing in the office works any more.
>>>>>>>
>>>>>>> Yup, had that... and someone who created a network storm on a LAN by deciding that a loose RJ45 really ought to be plugged into something - and ended up creating a loopback on an old hub that did not spot the problem and attempted to forward the forwarded packet forever more!
>>>>>>
>>>>>> Or someone brings in their 4-port redundant thing from home which fixes their local lack of ports issue, but gifts the rest of the network a new DHCP server leasing out 192.168.0.0/24 and a gateway to nowhere.
>>>>>
>>>>> Yup had that as well...
>>>>
>>>> Another gateway to nowhere... I was working in a UK call centre where 150 thin client devices had the next gateway set to a Citrix server out of town. This worked normally until one particular morning when some of the workstations failed to connect and a lot of sales activity was lost. Management not happy.
>>>>
>>>> We could ping the gateway interface and got a quick response. Hmmm... Guys in Citrix server town could ping our interface as well. OK.
>>>>
>>>> Netscans revealed the MAC address of the gateway interface, and that to be something made by HP. A printer. Someone bored in a meeting room with idle fingers had given this device the gateway IP address and lots of enquiring packets to look at. We never found who this person was.
>>>
>>> IT people have a special dispensation from H&S for running up and down corridors, in fire fighting situations like this.
>>
>> A map of where network printers are exactly located would have been useful, but oh no, we don't have that :-(
>
> I had very similar a good few years ago. After driving into Birmingham & back for a new router interface card, I discovered a standalone print server, newly installed that day. It didn't cause a total failure, just woeful, unpredictable performance, presumably as sometimes ARP would resolve the router.
>
> I also never discovered which idiot configured the print server.

I had a wonderful one once.

Engineer phones me up to say 'I am at the customer's site, and I can't work out what is going on. When I try to ping the internet, I get 50% packet loss'

'EXACTLY 50%???'

'Yes'

'What software is it?'

'Windows NT' (not my baby, Windows NT)

'Well it sounds like it's doing something like switching routes on a round robin basis, but that's all I can tell you'

.....

Phone rings

'I got it!'

'What was it?'

'Windows NT can have multiple default routes!!!'

"WHAATTT??*&^! The whole point of a default is it's um THE default. If you want diverse routing run RIP/OSPF/BGP.. not static routes."

'No, they had TWO DEFAULT ROUTES CONFIGURED'

'God, how crap is that. Microsoft... couldn't write code to add one and one..'

OK if you have two interfaces maybe each one will have its own default route BUT not two default routes working on either of the cards simultaneously.

Sheesh.

--
He who ****s in the road, will meet flies on his return.

"Mr Natural"
#87
Posted to uk.d-i-y
The Natural Philosopher wrote:
> On 29/01/16 13:08, Theo Markettos wrote:
>> Virtual LANs allow you to run separate networks over the same physical cabling.
>
> Yes, I know that.. (mere professional IT network engineer)

Err, I don't think you do:

> Yes, but what has that utterly pointless and complex solution got to do with domestic installations and 'multiple ethernet ports'?
>
> You can set up a pair of devices to talk to each other on different IP networks using a bog standard switch. The switch itself will associate IP and MAC addresses together and prevent traffic spilling onto other segments.
>
> You don't need all that VLAN gubbins at home, and unless you are seriously paranoid, you don't need it in an office either.
>
> VLAN is more about extending trusted networks over foreign IP and untrusted networks - i.e. the Internet.

VLAN != VPN.

VLAN is for running networks over shared physical infrastructure. They're separate, they run separate DHCP servers, one side cannot generate packets that route to the other no matter how it gets compromised.

VPN is for extending your network over the Internet. In a domestic situation you probably don't want that (though you may use it to connect to your employer).

VLAN is a layer 2 (Ethernet) thing, VPN is (mostly) a layer 3 (IP) thing (though some run at layer 2). VLANs won't run over the Internet unless you wrap them in a VPN (and it's generally a bad idea).

For instance, you ran a single ethernet cable under the patio to the shed. You want the shed to have access to the front door camera (that anyone could walk up to and hook into while you were on holiday) and the NAS containing your bank statements. You'd like those to be on two separate networks, but can't run another cable because it's under the concrete.

Or you ran a single cable up the stairs but you want to give the kids a separate network so you can separate their traffic from your home business in the spare bedroom. You want to be able to firewall your business traffic so whatever dodgy apps they're running won't get access to your work machines. Or perhaps you want first go at the DSL connection and want to restrict the bandwidth the kids have, or shut off their network after dinnertime while you can keep working.

This is all on top of standard MAC address switching that means links will only carry traffic relevant for them. That doesn't help you if a dodgy app generates traffic it's not intended to. VLANs do.

Theo
#88
Posted to uk.d-i-y
On 29/01/16 15:33, Theo wrote:
> The Natural Philosopher wrote:
>> On 29/01/16 13:08, Theo Markettos wrote:
>>> Virtual LANs allow you to run separate networks over the same physical cabling.
>>
>> Yes, I know that.. (mere professional IT network engineer)
>
> Err, I don't think you do:
>
>> Yes, but what has that utterly pointless and complex solution got to do with domestic installations and 'multiple ethernet ports'?
>>
>> You can set up a pair of devices to talk to each other on different IP networks using a bog standard switch. The switch itself will associate IP and MAC addresses together and prevent traffic spilling onto other segments.
>>
>> You don't need all that VLAN gubbins at home, and unless you are seriously paranoid, you don't need it in an office either.
>>
>> VLAN is more about extending trusted networks over foreign IP and untrusted networks - i.e. the Internet.
>
> VLAN != VPN.
>
> VLAN is for running networks over shared physical infrastructure. They're separate, they run separate DHCP servers, one side cannot generate packets that route to the other no matter how it gets compromised.
>
> VPN is for extending your network over the Internet. In a domestic situation you probably don't want that (though you may use it to connect to your employer).
>
> VLAN is a layer 2 (Ethernet) thing, VPN is (mostly) a layer 3 (IP) thing (though some run at layer 2). VLANs won't run over the Internet unless you wrap them in a VPN (and it's generally a bad idea).
>
> For instance, you ran a single ethernet cable under the patio to the shed. You want the shed to have access to the front door camera (that anyone could walk up to and hook into while you were on holiday) and the NAS containing your bank statements. You'd like those to be on two separate networks, but can't run another cable because it's under the concrete.
>
> Or you ran a single cable up the stairs but you want to give the kids a separate network so you can separate their traffic from your home business in the spare bedroom. You want to be able to firewall your business traffic so whatever dodgy apps they're running won't get access to your work machines. Or perhaps you want first go at the DSL connection and want to restrict the bandwidth the kids have, or shut off their network after dinnertime while you can keep working.
>
> This is all on top of standard MAC address switching that means links will only carry traffic relevant for them. That doesn't help you if a dodgy app generates traffic it's not intended to. VLANs do.

Well exactly, nothing to do with ethernet ports and not needed domestically.

Since you can run as many networks as you like over a single piece of cable.

And if you really must use DHCP make sure the MAC addresses are pre-allocated.

> Theo

--
"I am inclined to tell the truth and dislike people who lie consistently. This makes me unfit for the company of people of a Left persuasion, and all women"
#89
Posted to uk.d-i-y
On 29/01/16 15:46, Huge wrote:
> The Natural Philosopher wrote:
>
> [19 lines snipped]
>
>> VLAN is more about extending trusted networks over foreign IP and untrusted networks - i.e. the Internet.
>
> Oh, that's hysterical.

Oh yeah, one slip and read 'VPN' where VLAN is written and get a good laugh.

Now tell me once again, what possible reason could anyone ever have for installing a VLAN in a domestic situation, and what is meant in the context of previous posts by 'Ethernet port'?

Or is it simply a question of 'I am posting this irrelevant technical **** to baffle brains and show off'??

--
Karl Marx said religion is the opium of the people. But Marxism is the crack cocaine.
#90
Posted to uk.d-i-y
On 29/01/2016 14:34, The Natural Philosopher wrote:
> On 29/01/16 13:08, Theo Markettos wrote:
>> The Natural Philosopher wrote:
>>> On 29/01/16 00:33, Theo wrote:
>>>> Also multiple ethernet ports mean you can segment the network: not put the doorbell on the same network as the banking data. You can do that on a switch with VLANs, but to do that you need a more expensive switch.
>>>>
>>>> Theo
>>>
>>> Can you put that in simple English that a mere professional IT network engineer can understand? What are 'multiple Ethernet ports' in this context, please, and how do they differ from what a switch has anyway?
>>
>> Virtual LANs allow you to run separate networks over the same physical cabling.
>
> Yes, I know that.. (mere professional IT network engineer)
>
>> For instance, you might trust the doorbell network (physically exposed on the outside of your building) less than the one handling credit card data, and don't want them able to communicate. But your site topology might mean you have to use the same physical link for connecting them.
>>
>> Let's assume you have one ethernet cable you want to send both traffic down. You do this by using VLAN-enabled switches. You put a VLAN-enabled switch at each end. You then decide on a VLAN numbering scheme, for instance:
>>
>> VLAN 123 = doorbell
>> VLAN 456 = accounting
>>
>> You then configure switch A for port 1 to be on VLAN 123 and port 2 to be on VLAN 456. You do the same for switch B. You plug in the doorbell kit to port 1 and credit card kit to port 2. You select port 3 to carry all 'tagged' frames, and link the switches with your one cable between their port 3s.
>>
>>           +-------------------------------+
>>           |           Switch A            |
>> doorbell -|-port 1--[tag=123?]-+          |
>>           |                    X--port 3 -|-- VLAN tagged frames on one link
>> accounts -|-port 2--[tag=456?]-+          |
>>           |                               |
>>           +-------------------------------+
>>
>> [and the same at the other end]
>>
>> The switches 'tag' packets going out on port 3, in other words the packet over the link looks like:
>>
>> [VLAN tag=123][Ethernet header][IP header][IP payload][checksums]
>>
>> and then route based on the tag, rather than routing to all ports. Because the tag says VLAN 123, each switch now conveys this only between port 1. For this traffic, it's as if the other ports didn't exist.
>>
>> Effectively you have two isolated networks running over a single cable.
>>
>> The downside is that you need a management interface on each switch to configure this, that means the switch having a webserver, CPU, etc. This makes the switches more expensive. It's also more work to configure and maintain.
>>
>> This is fairly standard enterprise networking, and not uncommon if your business is large enough to buy switches from Cisco rather than Belkin. (Some cheapo switches support it too - for instance there's a 10 pound TP-Link gigabit 8-port. I haven't tried it)
>>
>> Theo
>
> Yes, but what has that utterly pointless and complex solution got to do with domestic installations and 'multiple ethernet ports'?
>
> You can set up a pair of devices to talk to each other on different IP networks using a bog standard switch. The switch itself will associate IP and MAC addresses together and prevent traffic spilling onto other segments.
>
> You don't need all that VLAN gubbins at home, and unless you are seriously paranoid, you don't need it in an office either.
>
> VLAN is more about extending trusted networks over foreign IP and untrusted networks - i.e. the Internet.

I don't think you know what you are talking about.

A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!
#91
Posted to uk.d-i-y
On 29/01/2016 15:37, The Natural Philosopher wrote:
> On 29/01/16 15:33, Theo wrote:
>> The Natural Philosopher wrote:
>>> On 29/01/16 13:08, Theo Markettos wrote:
>>>> Virtual LANs allow you to run separate networks over the same physical cabling.
>>>
>>> Yes, I know that.. (mere professional IT network engineer)
>>
>> Err, I don't think you do:
>>
>>> Yes, but what has that utterly pointless and complex solution got to do with domestic installations and 'multiple ethernet ports'?
>>>
>>> You can set up a pair of devices to talk to each other on different IP networks using a bog standard switch. The switch itself will associate IP and MAC addresses together and prevent traffic spilling onto other segments.
>>>
>>> You don't need all that VLAN gubbins at home, and unless you are seriously paranoid, you don't need it in an office either.
>>>
>>> VLAN is more about extending trusted networks over foreign IP and untrusted networks - i.e. the Internet.
>>
>> VLAN != VPN.
>>
>> VLAN is for running networks over shared physical infrastructure. They're separate, they run separate DHCP servers, one side cannot generate packets that route to the other no matter how it gets compromised.
>>
>> VPN is for extending your network over the Internet. In a domestic situation you probably don't want that (though you may use it to connect to your employer).
>>
>> VLAN is a layer 2 (Ethernet) thing, VPN is (mostly) a layer 3 (IP) thing (though some run at layer 2). VLANs won't run over the Internet unless you wrap them in a VPN (and it's generally a bad idea).
>>
>> For instance, you ran a single ethernet cable under the patio to the shed. You want the shed to have access to the front door camera (that anyone could walk up to and hook into while you were on holiday) and the NAS containing your bank statements. You'd like those to be on two separate networks, but can't run another cable because it's under the concrete.
>>
>> Or you ran a single cable up the stairs but you want to give the kids a separate network so you can separate their traffic from your home business in the spare bedroom. You want to be able to firewall your business traffic so whatever dodgy apps they're running won't get access to your work machines. Or perhaps you want first go at the DSL connection and want to restrict the bandwidth the kids have, or shut off their network after dinnertime while you can keep working.
>>
>> This is all on top of standard MAC address switching that means links will only carry traffic relevant for them. That doesn't help you if a dodgy app generates traffic it's not intended to. VLANs do.
>
> Well exactly, nothing to do with ethernet ports and not needed domestically.
>
> Since you can run as many networks as you like over a single piece of cable.
>
> And if you really must use DHCP make sure the MAC addresses are pre-allocated.

Stop digging, you are wrong.
#92
Posted to uk.d-i-y
On 29/01/16 16:44, dennis@home wrote:
> On 29/01/2016 14:34, The Natural Philosopher wrote:
>> On 29/01/16 13:08, Theo Markettos wrote:
>>> The Natural Philosopher wrote:
>>>> On 29/01/16 00:33, Theo wrote:
>>>>> Also multiple ethernet ports mean you can segment the network: not put the doorbell on the same network as the banking data. You can do that on a switch with VLANs, but to do that you need a more expensive switch.
>>>>>
>>>>> Theo
>>>>
>>>> Can you put that in simple English that a mere professional IT network engineer can understand? What are 'multiple Ethernet ports' in this context, please, and how do they differ from what a switch has anyway?
>>>
>>> Virtual LANs allow you to run separate networks over the same physical cabling.
>>
>> Yes, I know that.. (mere professional IT network engineer)
>>
>>> For instance, you might trust the doorbell network (physically exposed on the outside of your building) less than the one handling credit card data, and don't want them able to communicate. But your site topology might mean you have to use the same physical link for connecting them.
>>>
>>> Let's assume you have one ethernet cable you want to send both traffic down. You do this by using VLAN-enabled switches. You put a VLAN-enabled switch at each end. You then decide on a VLAN numbering scheme, for instance:
>>>
>>> VLAN 123 = doorbell
>>> VLAN 456 = accounting
>>>
>>> You then configure switch A for port 1 to be on VLAN 123 and port 2 to be on VLAN 456. You do the same for switch B. You plug in the doorbell kit to port 1 and credit card kit to port 2. You select port 3 to carry all 'tagged' frames, and link the switches with your one cable between their port 3s.
>>>
>>>           +-------------------------------+
>>>           |           Switch A            |
>>> doorbell -|-port 1--[tag=123?]-+          |
>>>           |                    X--port 3 -|-- VLAN tagged frames on one link
>>> accounts -|-port 2--[tag=456?]-+          |
>>>           |                               |
>>>           +-------------------------------+
>>>
>>> [and the same at the other end]
>>>
>>> The switches 'tag' packets going out on port 3, in other words the packet over the link looks like:
>>>
>>> [VLAN tag=123][Ethernet header][IP header][IP payload][checksums]
>>>
>>> and then route based on the tag, rather than routing to all ports. Because the tag says VLAN 123, each switch now conveys this only between port 1. For this traffic, it's as if the other ports didn't exist.
>>>
>>> Effectively you have two isolated networks running over a single cable.
>>>
>>> The downside is that you need a management interface on each switch to configure this, that means the switch having a webserver, CPU, etc. This makes the switches more expensive. It's also more work to configure and maintain.
>>>
>>> This is fairly standard enterprise networking, and not uncommon if your business is large enough to buy switches from Cisco rather than Belkin. (Some cheapo switches support it too - for instance there's a 10 pound TP-Link gigabit 8-port. I haven't tried it)
>>>
>>> Theo
>>
>> Yes, but what has that utterly pointless and complex solution got to do with domestic installations and 'multiple ethernet ports'?
>>
>> You can set up a pair of devices to talk to each other on different IP networks using a bog standard switch. The switch itself will associate IP and MAC addresses together and prevent traffic spilling onto other segments.
>>
>> You don't need all that VLAN gubbins at home, and unless you are seriously paranoid, you don't need it in an office either.
>>
>> VLAN is more about extending trusted networks over foreign IP and untrusted networks - i.e. the Internet.
>
> I don't think you know what you are talking about.
>
> A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!

Actually it will.

First of all switches only propagate to MAC addresses associated with the actual hardware that has 'claimed' the IP address. The exception is merely broadcasts. You are thinking perhaps of a hub or repeater, which sends all traffic everywhere. Switches never have.

So basically you can have dozens of independent IP networks sharing the same switch and traffic will not cross over except on ARP requests, typically a broadcast.

Now of course spoofing IP addresses is possible in this scenario, so it's not secure as such, but in terms of traffic, it does separate them.

My point has been that in a domestic situation, security is not normally an issue within the site. So there is no need for routers and VLANs and expensive kit, just to make best use of the cabling.

If you have to share cabling just connect two switches via a bit of cable. They will sort out the traffic just fine.

--
How fortunate for governments that the people they administer don't think.

Adolf Hitler
#93
Posted to uk.d-i-y
On 29/01/16 16:45, dennis@home wrote:
On 29/01/2016 15:37, The Natural Philosopher wrote: On 29/01/16 15:33, Theo wrote: The Natural Philosopher wrote: On 29/01/16 13:08, Theo Markettos wrote:

Virtual LANs allow you to run separate networks over the same physical cabling.

Yes, I know that.. (mere professional IT network engineer)

Err, I don't think you do:

Yes, but what has that utterly pointless and complex solution got to do with domestic installations and 'multiple ethernet ports'? You can set up a pair of devices to talk to each other on different IP networks using a bog standard switch. The switch itself will associate IP and MAC addresses together and prevent traffic spilling onto other segments. You don't need all that VLAN gubbins at home, and unless you are seriously paranoid, you don't need it in an office either. VLAN is more about extending trusted networks over foreign IP and untrusted networks - i.e. the Internet.

VLAN != VPN. VLAN is for running networks over shared physical infrastructure. They're separate, they run separate DHCP servers, one side cannot generate packets that route to the other no matter how it gets compromised. VPN is for extending your network over the Internet. In a domestic situation you probably don't want that (though you may use it to connect to your employer). VLAN is a layer 2 (Ethernet) thing, VPN is (mostly) a layer 3 (IP) thing (though some run at layer 2). VLANs won't run over the Internet unless you wrap them in a VPN (and it's generally a bad idea).

For instance, you ran a single ethernet cable under the patio to the shed. You want the shed to have access to the front door camera (that anyone could walk up to and hook into while you were on holiday) and the NAS containing your bank statements. You'd like those to be on two separate networks, but can't run another cable because it's under the concrete.

Or you ran a single cable up the stairs but you want to give the kids a separate network so you can separate their traffic from your home business in the spare bedroom. You want to be able to firewall your business traffic so whatever dodgy apps they're running won't get access to your work machines. Or perhaps you want first go at the DSL connection and want to restrict the bandwidth the kids have, or shut off their network after dinnertime while you can keep working.

This is all on top of standard MAC address switching that means links will only carry traffic relevant for them. That doesn't help you if a dodgy app generates traffic it's not intended to. VLANs do.

Well exactly, nothing to do with ethernet ports and not needed domestically. Since you can run as many networks as you like over a single piece of cable. And if you really must use DHCP make sure the MAC addresses are pre-allocated.

Stop digging, you are wrong.

No dennis, I am not wrong. There is a difference between security and traffic sharing. http://cnp3book.info.ucl.ac.be/protocols/ethernet.html Read the section on how switches maintain MAC address tables so they only send particular packets destined for a particular target down a particular piece of cable. And the tree spanning algorithms that allow them to decide routes via other switches.

Anyone who has set up anything more than a basic network knows that a single switch can accommodate dozens of independent IP networks, all coexisting happily and all mutually inaccessible if set up correctly, at the casual use level. Of course from a security point of view they are not always so separate - one network CAN break into another.. but is that really an issue in a domestic situation? Is your doorbell really going to change its IP address onto a 'different' network and hack into your server?

The whole POINT of a switch is that they are plug and play MAC level ROUTERS. Not repeaters.

-- The theory of Communism may be summed up in one sentence: Abolish all private property. Karl Marx
#94 Posted to uk.d-i-y
On 29/01/2016 17:11, The Natural Philosopher wrote:
On 29/01/16 16:45, dennis@home wrote: On 29/01/2016 15:37, The Natural Philosopher wrote: On 29/01/16 15:33, Theo wrote: The Natural Philosopher wrote: On 29/01/16 13:08, Theo Markettos wrote:

Virtual LANs allow you to run separate networks over the same physical cabling.

Yes, I know that.. (mere professional IT network engineer)

Err, I don't think you do:

Yes, but what has that utterly pointless and complex solution got to do with domestic installations and 'multiple ethernet ports'? You can set up a pair of devices to talk to each other on different IP networks using a bog standard switch. The switch itself will associate IP and MAC addresses together and prevent traffic spilling onto other segments. You don't need all that VLAN gubbins at home, and unless you are seriously paranoid, you don't need it in an office either. VLAN is more about extending trusted networks over foreign IP and untrusted networks - i.e. the Internet.

VLAN != VPN. VLAN is for running networks over shared physical infrastructure. They're separate, they run separate DHCP servers, one side cannot generate packets that route to the other no matter how it gets compromised. VPN is for extending your network over the Internet. In a domestic situation you probably don't want that (though you may use it to connect to your employer). VLAN is a layer 2 (Ethernet) thing, VPN is (mostly) a layer 3 (IP) thing (though some run at layer 2). VLANs won't run over the Internet unless you wrap them in a VPN (and it's generally a bad idea).

For instance, you ran a single ethernet cable under the patio to the shed. You want the shed to have access to the front door camera (that anyone could walk up to and hook into while you were on holiday) and the NAS containing your bank statements. You'd like those to be on two separate networks, but can't run another cable because it's under the concrete.

Or you ran a single cable up the stairs but you want to give the kids a separate network so you can separate their traffic from your home business in the spare bedroom. You want to be able to firewall your business traffic so whatever dodgy apps they're running won't get access to your work machines. Or perhaps you want first go at the DSL connection and want to restrict the bandwidth the kids have, or shut off their network after dinnertime while you can keep working.

This is all on top of standard MAC address switching that means links will only carry traffic relevant for them. That doesn't help you if a dodgy app generates traffic it's not intended to. VLANs do.

Well exactly, nothing to do with ethernet ports and not needed domestically. Since you can run as many networks as you like over a single piece of cable. And if you really must use DHCP make sure the MAC addresses are pre-allocated.

Stop digging, you are wrong.

No dennis, I am not wrong. There is a difference between security and traffic sharing. http://cnp3book.info.ucl.ac.be/protocols/ethernet.html Read the section on how switches maintain MAC address tables so they only send particular packets destined for a particular target down a particular piece of cable. And the tree spanning algorithms that allow them to decide routes via other switches.

Anyone who has set up anything more than a basic network knows that a single switch can accommodate dozens of independent IP networks, all coexisting happily and all mutually inaccessible if set up correctly, at the casual use level. Of course from a security point of view they are not always so separate - one network CAN break into another.. but is that really an issue in a domestic situation? Is your doorbell really going to change its IP address onto a 'different' network and hack into your server?

The whole POINT of a switch is that they are plug and play MAC level ROUTERS. Not repeaters.

Do you really want to keep digging?

I probably know more about this stuff than you, it was my job to design networks with VLANs in over ethernet, ATM, etc. I had millions of pounds worth of kit from Juniper, Cisco, and others just to model networks on. They included:-
a play-out suite provided by BBC technical services
several reverse caches for the web servers
loads of switches
ATM switches
DSLAMs
Cisco VoIP
System X exchange (14 of them IIRC)
radio links
10G long haul links (never did get the soliton based one)

You can continue to claim that you were correct but we know differently.
#95 Posted to uk.d-i-y
On 29/01/2016 17:02, The Natural Philosopher wrote:
On 29/01/16 16:44, dennis@home wrote: On 29/01/2016 14:34, The Natural Philosopher wrote: On 29/01/16 13:08, Theo Markettos wrote: The Natural Philosopher wrote: On 29/01/16 00:33, Theo wrote:

Also multiple ethernet ports mean you can segment the network: not put the doorbell on the same network as the banking data. You can do that on a switch with VLANs, but to do that you need a more expensive switch. Theo

Can you put that in simple English that a mere professional IT network engineer can understand? What are 'multiple Ethernet ports' in this context, please, and how do they differ from what a switch has anyway?

Virtual LANs allow you to run separate networks over the same physical cabling.

Yes, I know that.. (mere professional IT network engineer)

For instance, you might trust the doorbell network (physically exposed on the outside of your building) less than the one handling credit card data, and don't want them able to communicate. But your site topology might mean you have to use the same physical link for connecting them. Let's assume you have one ethernet cable you want to send both traffic down. You do this by using VLAN-enabled switches. You put a VLAN-enabled switch at each end. You then decide on a VLAN numbering scheme, for instance:

VLAN 123 = doorbell
VLAN 456 = accounting

You then configure switch A for port 1 to be on VLAN 123 and port 2 to be on VLAN 456. You do the same for switch B. You plug in the doorbell kit to port 1 and credit card kit to port 2. You select port 3 to carry all 'tagged' frames, and link the switches with your one cable between their port 3s.

            +-------------------------------+
            |            Switch A           |
doorbell  -|-port 1--[tag=123?]-+          |
            |                    X--port 3 -|-- VLAN tagged frames on one link
accounts  -|-port 2--[tag=456?]-+          |
            |                               |
            +-------------------------------+

[and the same at the other end]

The switches 'tag' packets going out on port 3, in other words the packet over the link looks like:

[VLAN tag=123][Ethernet header][IP header][IP payload][checksums]

and then route based on the tag, rather than routing to all ports. Because the tag says VLAN 123, each switch now conveys this only between port 1. For this traffic, it's as if the other ports didn't exist. Effectively you have two isolated networks running over a single cable.

The downside is that you need a management interface on each switch to configure this, that means the switch having a webserver, CPU, etc. This makes the switches more expensive. It's also more work to configure and maintain. This is fairly standard enterprise networking, and not uncommon if your business is large enough to buy switches from Cisco rather than Belkin. (Some cheapo switches support it too - for instance there's a 10 pound TP-Link gigabit 8-port. I haven't tried it) Theo

Yes, but what has that utterly pointless and complex solution got to do with domestic installations and 'multiple ethernet ports'? You can set up a pair of devices to talk to each other on different IP networks using a bog standard switch. The switch itself will associate IP and MAC addresses together and prevent traffic spilling onto other segments. You don't need all that VLAN gubbins at home, and unless you are seriously paranoid, you don't need it in an office either. VLAN is more about extending trusted networks over foreign IP and untrusted networks - i.e. the Internet.

I don't think you know what you are talking about. A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!

Actually it will.

No it won't! Just download an IP address scanner app and it will find everything (using IP) on any port. On a VLAN it won't.
#96 Posted to uk.d-i-y
In the article , The Natural Philosopher wrote:

VLAN is more about extending trusted networks over foreign IP and untrusted networks - i.e. the Internet.

You say: Yes, I know that.. (mere professional IT network engineer) and you don't even know the difference between a VLAN and a VPN. I'm glad I'm not one of your customers.

-- (\_/) (='.'=) Bunny says: Windows 10? Nein danke! (")_(")
#97 Posted to uk.d-i-y
On Fri, 29 Jan 2016 18:04:16 +0000, dennis@home
wrote:

snip

No it won't! Just download an IP address scanner app and it will find everything (using IP) on any port. On a VLAN it won't.

I don't think he's ever heard of 'managed' devices (switches) mate. ;-( So, because he hasn't heard of them, they don't exist. ;-)

Cheers, T i m
#98 Posted to uk.d-i-y
On 29/01/16 17:34, dennis@home wrote:
On 29/01/2016 17:11, The Natural Philosopher wrote: On 29/01/16 16:45, dennis@home wrote: On 29/01/2016 15:37, The Natural Philosopher wrote: On 29/01/16 15:33, Theo wrote: The Natural Philosopher wrote: On 29/01/16 13:08, Theo Markettos wrote:

Virtual LANs allow you to run separate networks over the same physical cabling.

Yes, I know that.. (mere professional IT network engineer)

Err, I don't think you do:

Yes, but what has that utterly pointless and complex solution got to do with domestic installations and 'multiple ethernet ports'? You can set up a pair of devices to talk to each other on different IP networks using a bog standard switch. The switch itself will associate IP and MAC addresses together and prevent traffic spilling onto other segments. You don't need all that VLAN gubbins at home, and unless you are seriously paranoid, you don't need it in an office either. VLAN is more about extending trusted networks over foreign IP and untrusted networks - i.e. the Internet.

VLAN != VPN. VLAN is for running networks over shared physical infrastructure. They're separate, they run separate DHCP servers, one side cannot generate packets that route to the other no matter how it gets compromised. VPN is for extending your network over the Internet. In a domestic situation you probably don't want that (though you may use it to connect to your employer). VLAN is a layer 2 (Ethernet) thing, VPN is (mostly) a layer 3 (IP) thing (though some run at layer 2). VLANs won't run over the Internet unless you wrap them in a VPN (and it's generally a bad idea).

For instance, you ran a single ethernet cable under the patio to the shed. You want the shed to have access to the front door camera (that anyone could walk up to and hook into while you were on holiday) and the NAS containing your bank statements. You'd like those to be on two separate networks, but can't run another cable because it's under the concrete.

Or you ran a single cable up the stairs but you want to give the kids a separate network so you can separate their traffic from your home business in the spare bedroom. You want to be able to firewall your business traffic so whatever dodgy apps they're running won't get access to your work machines. Or perhaps you want first go at the DSL connection and want to restrict the bandwidth the kids have, or shut off their network after dinnertime while you can keep working.

This is all on top of standard MAC address switching that means links will only carry traffic relevant for them. That doesn't help you if a dodgy app generates traffic it's not intended to. VLANs do.

Well exactly, nothing to do with ethernet ports and not needed domestically. Since you can run as many networks as you like over a single piece of cable. And if you really must use DHCP make sure the MAC addresses are pre-allocated.

Stop digging, you are wrong.

No dennis, I am not wrong. There is a difference between security and traffic sharing. http://cnp3book.info.ucl.ac.be/protocols/ethernet.html Read the section on how switches maintain MAC address tables so they only send particular packets destined for a particular target down a particular piece of cable. And the tree spanning algorithms that allow them to decide routes via other switches.

Anyone who has set up anything more than a basic network knows that a single switch can accommodate dozens of independent IP networks, all coexisting happily and all mutually inaccessible if set up correctly, at the casual use level. Of course from a security point of view they are not always so separate - one network CAN break into another.. but is that really an issue in a domestic situation? Is your doorbell really going to change its IP address onto a 'different' network and hack into your server?

The whole POINT of a switch is that they are plug and play MAC level ROUTERS. Not repeaters.

Do you really want to keep digging?

I probably know more about this stuff than you, it was my job to design networks with VLANs in over ethernet, ATM, etc. I had millions of pounds worth of kit from Juniper, Cisco, and others just to model networks on. They included:-
a play-out suite provided by BBC technical services
several reverse caches for the web servers
loads of switches
ATM switches
DSLAMs
Cisco VoIP
System X exchange (14 of them IIRC)
radio links
10G long haul links (never did get the soliton based one)

You can continue to claim that you were correct but we know differently.

The issues are all explained in the link I posted. Listing a load of brand names doesn't make you an expert.

-- He who ****s in the road, will meet flies on his return. "Mr Natural"
#99 Posted to uk.d-i-y
On 29/01/16 18:04, dennis@home wrote:
On 29/01/2016 17:02, The Natural Philosopher wrote: On 29/01/16 16:44, dennis@home wrote: On 29/01/2016 14:34, The Natural Philosopher wrote: On 29/01/16 13:08, Theo Markettos wrote: The Natural Philosopher wrote: On 29/01/16 00:33, Theo wrote:

Also multiple ethernet ports mean you can segment the network: not put the doorbell on the same network as the banking data. You can do that on a switch with VLANs, but to do that you need a more expensive switch. Theo

Can you put that in simple English that a mere professional IT network engineer can understand? What are 'multiple Ethernet ports' in this context, please, and how do they differ from what a switch has anyway?

Virtual LANs allow you to run separate networks over the same physical cabling.

Yes, I know that.. (mere professional IT network engineer)

For instance, you might trust the doorbell network (physically exposed on the outside of your building) less than the one handling credit card data, and don't want them able to communicate. But your site topology might mean you have to use the same physical link for connecting them. Let's assume you have one ethernet cable you want to send both traffic down. You do this by using VLAN-enabled switches. You put a VLAN-enabled switch at each end. You then decide on a VLAN numbering scheme, for instance:

VLAN 123 = doorbell
VLAN 456 = accounting

You then configure switch A for port 1 to be on VLAN 123 and port 2 to be on VLAN 456. You do the same for switch B. You plug in the doorbell kit to port 1 and credit card kit to port 2. You select port 3 to carry all 'tagged' frames, and link the switches with your one cable between their port 3s.

            +-------------------------------+
            |            Switch A           |
doorbell  -|-port 1--[tag=123?]-+          |
            |                    X--port 3 -|-- VLAN tagged frames on one link
accounts  -|-port 2--[tag=456?]-+          |
            |                               |
            +-------------------------------+

[and the same at the other end]

The switches 'tag' packets going out on port 3, in other words the packet over the link looks like:

[VLAN tag=123][Ethernet header][IP header][IP payload][checksums]

and then route based on the tag, rather than routing to all ports. Because the tag says VLAN 123, each switch now conveys this only between port 1. For this traffic, it's as if the other ports didn't exist. Effectively you have two isolated networks running over a single cable.

The downside is that you need a management interface on each switch to configure this, that means the switch having a webserver, CPU, etc. This makes the switches more expensive. It's also more work to configure and maintain. This is fairly standard enterprise networking, and not uncommon if your business is large enough to buy switches from Cisco rather than Belkin. (Some cheapo switches support it too - for instance there's a 10 pound TP-Link gigabit 8-port. I haven't tried it) Theo

Yes, but what has that utterly pointless and complex solution got to do with domestic installations and 'multiple ethernet ports'? You can set up a pair of devices to talk to each other on different IP networks using a bog standard switch. The switch itself will associate IP and MAC addresses together and prevent traffic spilling onto other segments. You don't need all that VLAN gubbins at home, and unless you are seriously paranoid, you don't need it in an office either. VLAN is more about extending trusted networks over foreign IP and untrusted networks - i.e. the Internet.

I don't think you know what you are talking about. A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!

Actually it will.

No it won't! Just download an IP address scanner app and it will find everything (using IP) on any port.

Dennis. PLEASE read up about how a switch works, and why we HAVE switches instead of repeaters. And why the little blinken lights on your switch do not all blink at the same time but in pairs, because packets are not on all segments simultaneously. And just because it's perfectly possible to send a broadcast and get a response back from every ethernet device on a given network, doesn't mean that all those devices receive traffic OTHER than broadcasts on a routine basis.

On a VLAN it won't.

VLAN is a security issue. It is not about traffic. So first of all, you need to understand the basics of why we use switches rather than repeaters. http://cnp3book.info.ucl.ac.be/protocols/ethernet.html

"From a performance perspective, it would be more interesting to have devices that operate in the datalink layer and can analyse the destination address of each frame and forward the frames selectively on the link that leads to the destination. Such devices are usually called *Ethernet switches* [7]. An Ethernet switch is a relay that operates in the datalink layer as is illustrated in the figure below."

See that? The switch learns where each destination is, and doesn't send all traffic to all devices. You can't hear a conversation on one wire that is between devices on two other wires, because the switch is a MAC level ROUTER. Obviously you can discover by doing an ARP request, or an Ethernet broadcast, what other devices are on that network, but you can't tell where they are connected unless you can probe the switch's MAC address to port map tables.

All a VLAN is, is a layer on top of that that disallows broadcasts between pre-defined VLANs, that's all.

"A switch can support several VLANs and it runs one MAC learning algorithm for each Virtual LAN. When a switch receives a frame with an *unknown or a multicast destination*, it forwards it over all the ports that belong to the same Virtual LAN but not over the ports that belong to other Virtual LANs. Similarly, when a switch learns a source address on a port, it associates it to the Virtual LAN of this port and uses this information only when forwarding frames on this Virtual LAN." http://cnp3book.info.ucl.ac.be/protocols/ethernet.html

So devices on other VLANs won't respond to a broadcast on a given VLAN. But beyond that they have no impact on performance or routine routing of packets. So all this nonsense about 'separating traffic' is just that. Nonsense. If you route two VLANs over the same piece of wire, they will compete with each other, VLAN or not. And if you have two devices on two different bits of wire, the traffic from one will not go down the wire to the other irrespective of whether they are on VLANs or not.

And VLANs therefore have zero use in a domestic environment. ALL they really do is stop people on a given set of wires representing themselves as belonging to a network they have no rights to join.

I repeat (sic!) VLANs are for security, not performance.

-- He who ****s in the road, will meet flies on his return. "Mr Natural"
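The behaviour the thread argues over can be checked against a small model: Theo's tagging of frames on the one trunk link (posts #95 and #99 quote it), the per-VLAN MAC learning quoted from the cnp3 book just above, and John Rumm's later point that a plain switch lets a device on any port reach a device on any other. The following is an added example, not code from any poster or from the book the thread links. The `Frame` and `Switch` classes, the demo functions and the MAC addresses are constructed for illustration; the port numbers and VLAN ids 123/456 follow Theo's worked example. The unmanaged case is modelled as every port sitting in a single VLAN.

```python
"""Toy model of a learning Ethernet switch, plain and 802.1Q VLAN-aware.

Added example for this thread, not code from any poster or from the cnp3
book they link.  Port numbers and VLAN ids (123 = doorbell, 456 = accounts)
follow Theo's worked example; the MAC addresses are constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
TPID_8021Q = 0x8100       # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (locally administered), not real devices.
DOORBELL = "02:00:00:00:00:01"
ACCOUNTS = "02:00:00:00:00:02"
NAS = "02:00:00:00:00:03"


@dataclass
class Frame:
    dst: str
    src: str
    payload: bytes
    vlan: Optional[int] = None   # tag carried on a trunk link; None = untagged


def encode(frame: Frame) -> bytes:
    """Wire layout: dst(6) src(6) [TPID(2) TCI(2)] ethertype(2) payload."""
    raw = bytes.fromhex(frame.dst.replace(":", "")) + bytes.fromhex(frame.src.replace(":", ""))
    if frame.vlan is not None:
        raw += TPID_8021Q.to_bytes(2, "big") + (frame.vlan & 0x0FFF).to_bytes(2, "big")
    return raw + ETHERTYPE_IPV4.to_bytes(2, "big") + frame.payload


def decode(raw: bytes) -> Frame:
    """Inverse of encode(); recognises an optional 802.1Q tag after the MACs."""
    dst, src = raw[0:6].hex(":"), raw[6:12].hex(":")
    vlan, body = None, 12
    if int.from_bytes(raw[12:14], "big") == TPID_8021Q:
        vlan = int.from_bytes(raw[14:16], "big") & 0x0FFF   # low 12 bits of the TCI
        body = 16
    return Frame(dst, src, raw[body + 2:], vlan)


@dataclass
class Switch:
    """access: port -> VLAN of untagged frames on it; trunks: ports carrying tags."""
    access: dict[int, int]
    trunks: frozenset[int] = frozenset()
    table: dict[tuple[int, str], int] = field(default_factory=dict)  # (vlan, mac) -> port

    def members(self, vlan: int) -> list[int]:
        return sorted([p for p, v in self.access.items() if v == vlan] + list(self.trunks))

    def ingress(self, port: int, raw: bytes) -> list[tuple[int, bytes]]:
        """Handle one received frame; returns (egress port, wire bytes) pairs."""
        frame = decode(raw)
        if port in self.trunks:
            if frame.vlan is None:        # untagged on a trunk: dropped (simplification)
                return []
            vlan = frame.vlan
        else:
            vlan = self.access[port]      # on an access port the port, not the frame, decides
        # One learning table per VLAN: the same MAC seen in another VLAN is unrelated.
        self.table[(vlan, frame.src)] = port
        known = self.table.get((vlan, frame.dst))
        if frame.dst == BROADCAST or known is None:
            targets = [p for p in self.members(vlan) if p != port]   # flood, within the VLAN only
        else:
            targets = [] if known == port else [known]
        return [(p, self._egress(p, frame, vlan)) for p in targets]

    def _egress(self, port: int, frame: Frame, vlan: int) -> bytes:
        tag = vlan if port in self.trunks else None   # trunks keep the tag, access ports strip it
        return encode(Frame(frame.dst, frame.src, frame.payload, tag))


def plain_switch_demo() -> tuple[list[int], list[int]]:
    """Unmanaged switch: every port in one VLAN, so the doorbell can reach the NAS."""
    sw = Switch(access={1: 1, 2: 1, 3: 1})
    arp = sw.ingress(1, encode(Frame(BROADCAST, DOORBELL, b"who-has NAS?")))
    flooded = [p for p, _ in arp]                 # [2, 3]: a broadcast reaches every other port
    reply = sw.ingress(3, encode(Frame(DOORBELL, NAS, b"NAS is-at")))
    unicast = [p for p, _ in reply]               # [1]: learned, so only the doorbell's port
    return flooded, unicast


def vlan_trunk_demo() -> dict[str, object]:
    """Two VLAN switches joined by a trunk on port 3, as in the thread's diagram."""
    ports = {1: 123, 2: 456}
    a = Switch(access=ports, trunks=frozenset({3}))
    b = Switch(access=ports, trunks=frozenset({3}))
    # Doorbell (A port 1) broadcasts: A sends it only down the trunk, tagged 123.
    port_a, wire = a.ingress(1, encode(Frame(BROADCAST, DOORBELL, b"who-has NAS?")))[0]
    # B receives the tagged frame and delivers it untagged to its VLAN 123 port only.
    port_b, delivered = b.ingress(3, wire)[0]
    # Accounts (A port 2) addresses the doorbell's MAC: unknown in VLAN 456, so it is
    # flooded within VLAN 456 only and never leaves a VLAN 123 port on either switch.
    cross_a = a.ingress(2, encode(Frame(DOORBELL, ACCOUNTS, b"hello doorbell")))
    cross_b = b.ingress(3, cross_a[0][1])
    return {"a_ports": [port_a], "trunk_tag": decode(wire).vlan,
            "b_ports": [port_b], "delivered_tag": decode(delivered).vlan,
            "cross_vlan_a": [p for p, _ in cross_a], "cross_vlan_b": [p for p, _ in cross_b]}
```

Two things the model makes concrete. On the plain switch, the unicast reply after learning really does go to one port only, which is the traffic separation TNP describes; but the broadcast reached every port and the NAS answered the doorbell, which is the reachability John Rumm describes. With VLANs, the accounts frame addressed to the doorbell's MAC is flooded only to VLAN 456 members on both switches, because the doorbell's MAC was learned under VLAN 123 and is unknown in VLAN 456. One detail the model follows that the diagram's `[VLAN tag=123][Ethernet header]` sketch simplifies: on the wire the 802.1Q tag sits between the source MAC and the EtherType.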
#100 Posted to uk.d-i-y
On 29/01/2016 23:50, The Natural Philosopher wrote:
Well yes, but would you REALLY have a live access to your internal network on a CAT 5 socket outside your front door?

You might have on the camera.

The whole POINT of a switch is that they are plug and play MAC level ROUTERS. Not repeaters.

That buys you efficiency rather than any real security.

That was my point. In a nutshell.

The average punter isn't going to buy a switch with management let alone know how to set up a VLAN on it. It's a pointless willy waving exercise on a domestic DIY thread. Stop wriggling.
#101 Posted to uk.d-i-y
On 29/01/2016 23:44, The Natural Philosopher wrote:
On 29/01/16 18:04, dennis@home wrote: On 29/01/2016 17:02, The Natural Philosopher wrote: On 29/01/16 16:44, dennis@home wrote: On 29/01/2016 14:34, The Natural Philosopher wrote:

8<

A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!

Actually it will.

No it won't! Just download an IP address scanner app and it will find everything (using IP) on any port.

Dennis. PLEASE read up about how a switch works, and why we HAVE switches instead of repeaters. And why the little blinken lights on your switch do not all blink at the same time but in pairs, because packets are not on all segments simultaneously.

For heaven's sake admit you are wrong. Switches are layer 2 devices and are transparent so everything is visible whatever you claim. VLAN switches are not as transparent. I can assure you that you can ping every device connected to a switch just as though they were connected to the same segment of ethernet.

And just because it's perfectly possible to send a broadcast and get a response back from every ethernet device on a given network, doesn't mean that all those devices receive traffic OTHER than broadcasts on a routine basis.

How does that equate with your claim a switch will stop things talking to each other?

On a VLAN it won't.

VLAN is a security issue. It is not about traffic. So first of all, you need to understand the basics

Go away and stop pretending you know anything new.

Snip cr@p that you can get out of google in three seconds.
#102 Posted to uk.d-i-y
On 30/01/16 00:18, dennis@home wrote:
On 29/01/2016 23:50, The Natural Philosopher wrote:

Well yes, but would you REALLY have a live access to your internal network on a CAT 5 socket outside your front door?

You might have on the camera.

The whole POINT of a switch is that they are plug and play MAC level ROUTERS. Not repeaters.

That buys you efficiency rather than any real security.

That was my point. In a nutshell.

The average punter isn't going to buy a switch with management let alone know how to set up a VLAN on it. It's a pointless willy waving exercise on a domestic DIY thread. Stop wriggling.

You have some nerve. Anyone can look at the link I posted, read up on the subject and see that you didn't understand what you were saying. You are a classic example of a technician who thinks they understand the technology they use daily, but is hilariously clueless. Like the plumber who installed my *mains pressure* hot water tank in the loft - 'good place for it mate, you will get better water pressure with it in the loft'.

I'd stop wriggling dennis. Or learn to apologise.

-- Bureaucracy defends the status quo long past the time the quo has lost its status. Laurence Peter
#103 Posted to uk.d-i-y
On 30/01/16 00:25, dennis@home wrote:
On 29/01/2016 23:44, The Natural Philosopher wrote: On 29/01/16 18:04, dennis@home wrote: On 29/01/2016 17:02, The Natural Philosopher wrote: On 29/01/16 16:44, dennis@home wrote: On 29/01/2016 14:34, The Natural Philosopher wrote:

8<

A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!

Actually it will.

No it won't! Just download an IP address scanner app and it will find everything (using IP) on any port.

Dennis. PLEASE read up about how a switch works, and why we HAVE switches instead of repeaters. And why the little blinken lights on your switch do not all blink at the same time but in pairs, because packets are not on all segments simultaneously.

For heaven's sake admit you are wrong. Switches are layer 2 devices and are transparent so everything is visible whatever you claim. VLAN switches are not as transparent.

Please dennis, stop making a fool of yourself and READ UP on how they work. It's embarrassing. A layer two router is a switch and it's NOT transparent.

I can assure you that you can ping every device connected to a switch just as though they were connected to the same segment of ethernet.

So what? That's because they route the pings. I can ping almost every device on the internet. That doesn't mean I can read every packet on the internet..

And just because it's perfectly possible to send a broadcast and get a response back from every ethernet device on a given network, doesn't mean that all those devices receive traffic OTHER than broadcasts on a routine basis.

How does that equate with your claim a switch will stop things talking to each other?

I didn't say it would stop these talking to each other dennis. I said that traffic between devices is not available to other devices and does not occupy their segments. Don't straw man me.

On a VLAN it won't.

VLAN is a security issue. It is not about traffic. So first of all, you need to understand the basics

Go away and stop pretending you know anything new.

I see. In denial because you don't want to read up and learn, so you never ever will. The difference between you and me dennis, is that I like to learn, and I am happier to pass a link to a well written piece of information that explains what I am trying to say better than I can, whereas you won't do that, preferring to present a case based on *your knowledge* and backed with personal abuse. But that is because I am here to learn and to educate, and you are here to boost your inflated ego...

Snip cr@p that you can get out of google in three seconds.

Well, why don't *you* actually use google to check what you are saying before you make a fool of yourself?

-- "What do you think about Gay Marriage?" "I don't." "Don't what?" "Think about Gay Marriage."
#104 Posted to uk.d-i-y
On 30/01/2016 00:38, The Natural Philosopher wrote:
On 30/01/16 00:25, dennis@home wrote: On 29/01/2016 23:44, The Natural Philosopher wrote: On 29/01/16 18:04, dennis@home wrote: On 29/01/2016 17:02, The Natural Philosopher wrote: On 29/01/16 16:44, dennis@home wrote: On 29/01/2016 14:34, The Natural Philosopher wrote:

8<

A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!

Actually it will.

No it won't! Just download an IP address scanner app and it will find everything (using IP) on any port.

Dennis. PLEASE read up about how a switch works, and why we HAVE switches instead of repeaters. And why the little blinken lights on your switch do not all blink at the same time but in pairs, because packets are not on all segments simultaneously.

For heaven's sake admit you are wrong. Switches are layer 2 devices and are transparent so everything is visible whatever you claim. VLAN switches are not as transparent.

Please dennis, stop making a fool of yourself and READ UP on how they work. It's embarrassing. A layer two router is a switch and it's NOT transparent.

I can assure you that you can ping every device connected to a switch just as though they were connected to the same segment of ethernet.

So what? That's because they route the pings. I can ping almost every device on the internet. That doesn't mean I can read every packet on the internet..

Hmmm, it's interesting that TNP has romped off on a tangent about whether a switch will leak information flowing between two ports to other ports not involved in the discussion (which generally it won't unless instructed to port mirror), as if that alone will provide security. It's missing the elephant in the room that the switch will allow any device on any port to make contact with any other device irrespective of the port it's attached to, the IP subnet it's on, or for that matter even the higher level protocol being used.

So yes a switch may make it harder for the outsider to eavesdrop on the established conversation between a PC and NAS for example. However it will happily allow the outsider to talk to the PC or the NAS directly, which makes the former a bit of a moot point.

And just because it's perfectly possible to send a broadcast and get a response back from every ethernet device on a given network, doesn't mean that all those devices receive traffic OTHER than broadcasts on a routine basis.

How does that equate with your claim a switch will stop things talking to each other?

I didn't say it would stop these talking to each other dennis. I said that traffic between devices is not available to other devices and does not occupy their segments. Don't straw man me.

ISTR dennis said:

A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!

Which is true.... TNP countered that

Actually it will.

Which is clearly not true.

Well, why don't *you* actually use google to check what you are saying before you make a fool of yourself?

When in glass houses?

-- Cheers, John.
/=================================================================\
| Internode Ltd - http://www.internode.co.uk                      |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk                     |
\=================================================================/
#105
Posted to uk.d-i-y
Cat5e or what?
On 30/01/16 02:48, John Rumm wrote:
> On 30/01/2016 00:38, The Natural Philosopher wrote:
>> On 30/01/16 00:25, dennis@home wrote:
>>> On 29/01/2016 23:44, The Natural Philosopher wrote:
>>>> On 29/01/16 18:04, dennis@home wrote:
>>>>> On 29/01/2016 17:02, The Natural Philosopher wrote:
>>>>>> On 29/01/16 16:44, dennis@home wrote:
>>>>>>> On 29/01/2016 14:34, The Natural Philosopher wrote:
>>>>>>>> 8<
>>>>>>>
>>>>>>> A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!
>>>>>>
>>>>>> Actually it will.
>>>>>
>>>>> No it won't! Just download an IP address scanner app and it will find everything (using IP) on any port.
>>>>
>>>> Dennis. PLEASE read up about how a switch works, and why we HAVE switches instead of repeaters. And why the little blinken lights on your switch do not all blink at the same time but in pairs, because packets are not on all segments simultaneously.
>>>>
>>>> For heaven's sake admit you are wrong.
>>>
>>> Switches are layer 2 devices and are transparent so everything is visible whatever you claim. VLAN switches are not as transparent.
>>
>> Please dennis, stop making a fool of yourself and READ UP on how they work. It's embarrassing. A layer two router is a switch and it's NOT transparent.
>>
>>> I can assure you that you can ping every device connected to a switch just as though they were connected to the same segment of ethernet.
>>
>> So what? That's because they route the pings. I can ping almost every device on the internet. That doesn't mean I can read every packet on the internet...
>
> Hmmm, it's interesting that TNP has romped off on a tangent about whether a switch will leak information flowing between two ports to other ports not involved in the discussion (which generally it won't unless instructed to port mirror), as if that alone will provide security.

I didn't say that at all. PLEASE read what I am saying. I have said all along that I can't see what the point of 'secure house networks' is, and that the claims that 'VLAN segregates traffic' are in fact silly, because a normal switch does that too.

But switches DO provide security.

Maybe you haven't used a packet sniffer on a coaxial ethernet network, but I have. You can read every packet between every machine passively. You can do that with a wifi password as well. That simply can't be done with a switch unless you have a backdoor into the switch.

> It's missing the elephant in the room: that the switch will allow any device on any port to make contact with any other device irrespective of the port it's attached to, the IP subnet it's on, or for that matter even the higher level protocol being used.

In principle yes, *if it is actively configured especially to do so*.

My point is by the time you have someone who can do that inside your home network, security is gone anyway.

> So yes a switch may make it harder

*impossible*

> for the outsider to eavesdrop on the

*established

> conversation between a PC and NAS for example. However it will happily allow the outsider to talk to the PC or the NAS directly, which makes the former a bit of a moot point.

Well hello. I can talk to any web server on the internet directly too, but guess what, they all have passwords that people can't read or use because they too can't intercept established traffic... or it's encrypted.

>>>> And just because it's perfectly possible to send a broadcast and get a response back from every ethernet device on a given network, doesn't mean that all those devices receive traffic OTHER than broadcasts on a routine basis.
>>>
>>> How does that equate with your claim a switch will stop things talking to each other?
>>
>> I didn't say it would stop these talking to each other dennis. I said that traffic between devices is not available to other devices and does not occupy their segments. Don't straw man me.
>
> ISTR dennis said:
>
> "A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!"
>
> Which is true....
>
> TNP countered that
>
> "Actually it will."
>
> Which is clearly not true.

It is in the context of what was under discussion.

That dennis was maintaining that all traffic was available on all segments simultaneously.

>> Well, why don't *you* actually use google to check what you are saying before you make a fool of yourself?
>
> When in glass houses?

--
How fortunate for governments that the people they administer don't think.

Adolf Hitler
#106
Posted to uk.d-i-y
Cat5e or what?
On 30/01/2016 09:50, The Natural Philosopher wrote:
> On 30/01/16 02:48, John Rumm wrote:
>> On 30/01/2016 00:38, The Natural Philosopher wrote:
>>> On 30/01/16 00:25, dennis@home wrote:
>>>> On 29/01/2016 23:44, The Natural Philosopher wrote:
>>>>> On 29/01/16 18:04, dennis@home wrote:
>>>>>> On 29/01/2016 17:02, The Natural Philosopher wrote:
>>>>>>> On 29/01/16 16:44, dennis@home wrote:
>>>>>>>> On 29/01/2016 14:34, The Natural Philosopher wrote:
>>>>>>>>> 8<
>>>>>>>>
>>>>>>>> A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!
>>>>>>>
>>>>>>> Actually it will.
>>>>>>
>>>>>> No it won't! Just download an IP address scanner app and it will find everything (using IP) on any port.
>>>>>
>>>>> Dennis. PLEASE read up about how a switch works, and why we HAVE switches instead of repeaters. And why the little blinken lights on your switch do not all blink at the same time but in pairs, because packets are not on all segments simultaneously.
>>>>>
>>>>> For heaven's sake admit you are wrong.
>>>>
>>>> Switches are layer 2 devices and are transparent so everything is visible whatever you claim. VLAN switches are not as transparent.
>>>
>>> Please dennis, stop making a fool of yourself and READ UP on how they work. It's embarrassing. A layer two router is a switch and it's NOT transparent.
>>>
>>>> I can assure you that you can ping every device connected to a switch just as though they were connected to the same segment of ethernet.
>>>
>>> So what? That's because they route the pings. I can ping almost every device on the internet. That doesn't mean I can read every packet on the internet...
>>
>> Hmmm, it's interesting that TNP has romped off on a tangent about whether a switch will leak information flowing between two ports to other ports not involved in the discussion (which generally it won't unless instructed to port mirror), as if that alone will provide security.
>
> I didn't say that at all. PLEASE read what I am saying. I have said all along that I can't see what the point of 'secure house networks' is, and that the claims that 'VLAN segregates traffic' are in fact silly, because a normal switch does that too.

Why do we want to read your attempts to divert attention away from what I said and you disputed?

> But switches DO provide security.
>
> Maybe you haven't used a packet sniffer on a coaxial ethernet network, but I have. You can read every packet between every machine passively. You can do that with a wifi password as well. That simply can't be done with a switch unless you have a backdoor into the switch.

But you are the only one talking about doing that. And even on switches without port mirroring you can spoof the MAC address and intercept traffic if you know what you are doing.

>> It's missing the elephant in the room: that the switch will allow any device on any port to make contact with any other device irrespective of the port it's attached to, the IP subnet it's on, or for that matter even the higher level protocol being used.
>
> In principle yes, *if it is actively configured especially to do so*.

You do understand that most switches have no configuration options and do allow any device to talk to any other device connected to them. The ones that can be configured to stop it are those that use VLANs to do so.

> My point is by the time you have someone who can do that inside your home network, security is gone anyway.

If it's using a managed switch and VLANs they aren't inside your home network.

>> So yes a switch may make it harder
>
> *impossible*
>
>> for the outsider to eavesdrop on the
>
> *established
>
>> conversation between a PC and NAS for example. However it will happily allow the outsider to talk to the PC or the NAS directly, which makes the former a bit of a moot point.
>
> Well hello. I can talk to any web server on the internet directly too, but guess what, they all have passwords that people can't read or use because they too can't intercept established traffic... or it's encrypted.

Irrelevant argument added to try and obscure your original wrong claim.

>>>>> And just because it's perfectly possible to send a broadcast and get a response back from every ethernet device on a given network, doesn't mean that all those devices receive traffic OTHER than broadcasts on a routine basis.
>>>>
>>>> How does that equate with your claim a switch will stop things talking to each other?
>>>
>>> I didn't say it would stop these talking to each other dennis. I said that traffic between devices is not available to other devices and does not occupy their segments. Don't straw man me.
>>
>> ISTR dennis said:
>>
>> "A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!"
>>
>> Which is true....
>>
>> TNP countered that
>>
>> "Actually it will."
>>
>> Which is clearly not true.
>
> It is in the context of what was under discussion.

The context is shown for all and you were wrong so admit it.

> That dennis was maintaining that all traffic was available on all segments simultaneously.

I have never mentioned traffic, let alone being on all ports. Traffic isn't the issue, that is just some smoke you have introduced to try and hide your lack of knowledge.
#107
Posted to uk.d-i-y
Cat5e or what?
The Natural Philosopher wrote:

> the claims that 'VLAN segregates traffic' are in fact silly, because a normal switch does that too.

But the level of segregation is different ... All switches *try* to avoid forwarding packets to ports where they're not needed; a VLAN switch *prevents* packets reaching ports other than those they're configured to reach.

> But switches DO provide security.
>
> Maybe you haven't used a packet sniffer on a coaxial ethernet network, but I have. You can read every packet between every machine passively. You can do that with a wifi password as well. That simply can't be done with a switch unless you have a backdoor into the switch.

MAC flooding, ARP spoofing.
#108
Posted to uk.d-i-y
Cat5e or what?
On Sat, 30 Jan 2016 09:50:38 +0000, The Natural Philosopher wrote:

> On Fri, 29 Jan 2016 16:44:37 +0000, dennis@home wrote:
>
>> A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!
>
> PLEASE read what I am saying. I have said all along that I can't see what the point of 'secure house networks' is,

Translation: I don't / didn't understand the meaning of 'VLAN'.

> and that the claims that 'VLAN segregates traffic' are in fact silly, because a normal switch does that too.

No it doesn't (as you have now been told several times) in the context under discussion, and the fact that you think it's silly doesn't negate that fact.

We are (even if you aren't) in this instance specifically talking about the logical segmentation of groups of ports on a single 'switch' so that (for example) a device in port group A may not be allowed to see a device in port group B. It could be as if there were two completely separate switches.

The VLAN in that instance is being used to 'isolate' two logically separate groups, whilst all sharing the same physical cables and hardware. A VLAN could also be used to 'join' disparate workstations spread across a range of equipment, like a 'workgroup'.

<snip further waffling>

Cheers, T i m
#109
Posted to uk.d-i-y
Cat5e or what?
On 30/01/2016 09:50, The Natural Philosopher wrote:
> On 30/01/16 02:48, John Rumm wrote:
>> On 30/01/2016 00:38, The Natural Philosopher wrote:
>>> On 30/01/16 00:25, dennis@home wrote:
>>>> On 29/01/2016 23:44, The Natural Philosopher wrote:
>>>>> On 29/01/16 18:04, dennis@home wrote:
>>>>>> On 29/01/2016 17:02, The Natural Philosopher wrote:
>>>>>>> On 29/01/16 16:44, dennis@home wrote:
>>>>>>>> On 29/01/2016 14:34, The Natural Philosopher wrote:
>>>>>>>>> 8<
>>>>>>>>
>>>>>>>> A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!
>>>>>>>
>>>>>>> Actually it will.

So here you claim a plain switch will STOP a device on one port talking to another in the same way that one using VLANs will. Are you still making that claim or would you like to change your mind?

>>>>>> No it won't! Just download an IP address scanner app and it will find everything (using IP) on any port.

Then dennis highlighted that you can IP scan everything on a switch.

>>>>> Dennis. PLEASE read up about how a switch works, and why we HAVE switches instead of repeaters. And why the little blinken lights on your switch do not all blink at the same time but in pairs, because packets are not on all segments simultaneously.

You then replied with a non-sequitur of no actual relevance. The fact that the switch will route packets to their most appropriate port(s) has nothing to do with whether an IP scan can establish communications with things attached to every port.

>>>>> For heaven's sake admit you are wrong.
>>>>
>>>> Switches are layer 2 devices and are transparent so everything is visible whatever you claim. VLAN switches are not as transparent.
>>>
>>> Please dennis, stop making a fool of yourself and READ UP on how they work.

But his statement is patently correct. A plain switch is a transparent routing device.

Do you really have to be so shouty and argumentative when it should be clear there are plenty of people other than yourself who understand how this stuff works? It's not dennis looking foolish here.

>>> It's embarrassing. A layer two router is a switch and it's NOT transparent.

Since it does not prevent any device on any port talking to any device on any other port, how are you defining transparency?

>>>> I can assure you that you can ping every device connected to a switch just as though they were connected to the same segment of ethernet.
>>>
>>> So what? That's because they route the pings. I can ping almost every device on the internet. That doesn't mean I can read every packet on the internet...

Red herring time I see. The original point was that having a LAN segment accessible to outsiders will compromise the LAN security because it will allow the outsiders to communicate with devices on the LAN. It was highlighted that using VLANs can prevent this, and you were the one claiming that a normal switch will also do this.

You seem to be attempting this feat of cognitive dissonance by putting your blinkers on, and considering one restrictive use case where an attacker would like to eavesdrop on a conversation running between two other hosts. Arguing that because a switch does not behave as a dumb repeating hub, it's harder for an attacker to do this. The fact that this last point is true does not invalidate the point that the switch does not stop the outsider having its own conversations with any other device.

>> Hmmm, it's interesting that TNP has romped off on a tangent about whether a switch will leak information flowing between two ports to other ports not involved in the discussion (which generally it won't unless instructed to port mirror), as if that alone will provide security.
>
> I didn't say that at all. PLEASE read what I am saying.

I have, you keep subtly shifting your position. We have noticed.

Your words: "I can ping almost every device on the internet. That doesn't mean I can read every packet on the internet"

I agree with the statement, but fail to see the relevance.

> I have said all along that I can't see what the point of 'secure house networks' is,

That is a separate issue. In many cases there is no point, in others there may be.

> and that the claims that 'VLAN segregates traffic' are in fact silly,

are in fact also correct, that's what VLANs do.

> because a normal switch does that too.

Not in any practical security sense.

> But switches DO provide security.
>
> Maybe you haven't used a packet sniffer on a coaxial ethernet network, but I have. You can read every packet between every machine passively. You can do that with a wifi password as well. That simply can't be done with a switch unless you have a backdoor into the switch.

I understand the point you are making, and you are correct in the sense that the default action of the switch is as you describe. You should also however accept that there are a number of ways of changing this default behaviour if you actually want to sniff traffic between hosts.

More importantly you should also accept that once a host is connected to a non VLAN switch, that LAN is now fully accessible to the host; the switch will offer up no protection to stop the host either initiating contact with any other host or receiving contact from any other host. This is *different* from VLAN segregated traffic, where you have in effect partitioned the network into two (or more) discrete LANs that behave as if they are not even physically connected to each other.

>> It's missing the elephant in the room: that the switch will allow any device on any port to make contact with any other device irrespective of the port it's attached to, the IP subnet it's on, or for that matter even the higher level protocol being used.
>
> In principle yes, *if it is actively configured especially to do so*.

A dumb switch with no configuration (or for that matter even the ability to be configured) will also function as I describe.

> My point is by the time you have someone who can do that inside your home network, security is gone anyway.

Actually that was the point others were originally making to you.

>> So yes a switch may make it harder
>
> *impossible*

No not at all.

Lob it a few (fake) ARP replies, do a bit of IP spoofing, play about with spanning tree configurations, tell it to port mirror, play about with multicast groups etc. There are plenty of ways of getting it to leak data. However none of that is the issue originally being discussed.

>> for the outsider to eavesdrop on the
>
> *established
>
>> conversation between a PC and NAS for example. However it will happily allow the outsider to talk to the PC or the NAS directly, which makes the former a bit of a moot point.
>
> Well hello. I can talk to any web server on the internet directly too, but guess what, they all have passwords that people can't read or use because they too can't intercept established traffic... or it's encrypted.

Again more straw men...

If we assume that the internet is at least partly made up of devices that are fully intended to have public visibility and are expecting random computers to attempt to talk to them (and hopefully are hardened to resist attack), you will hopefully see this is a different scenario from machines on what is expected to be a private LAN, which even if connected to the internet is inside a secure perimeter.

>> ISTR dennis said:
>>
>> "A VLAN will stop a device on one port talking to a device on another port; using a plain switch will not!"
>>
>> Which is true....
>>
>> TNP countered that
>>
>> "Actually it will."
>>
>> Which is clearly not true.
>
> It is in the context of what was under discussion.
>
> That dennis was maintaining that all traffic was available on all segments simultaneously.

Could you highlight where you believe he made that claim?

--
Cheers, John.
Internode Ltd - http://www.internode.co.uk
John Rumm - john(at)internode(dot)co(dot)uk
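The two points made in this sub-thread, Andy Burns's "MAC flooding" and John Rumm's "any port can reach any port unless VLANs partition the switch", can be watched happening in a few dozen lines. The block below is an added example written for this page, not code posted by anyone in the thread. It simulates a learning switch with a bounded MAC table (the CAM), builds frames with and without an IEEE 802.1Q tag, and runs three constructed scenarios: steady-state unicast on an unmanaged switch (the outsider's port sees nothing, but the outsider's own frame to the NAS is delivered), the same switch after the outsider has filled the CAM with bogus source addresses (frames to an unlearned destination are now flooded to every port, so the outsider does see them), and a VLAN-configured switch where that flooding stays inside VLAN 456. The MAC addresses, the VLAN numbers 123/456 (borrowed from earlier in the thread), the CAM size and the "stop learning when full" policy are assumptions; ARP spoofing, trunk ports and tag stripping are not modelled.

```python
"""Added example: a toy learning switch, plain and VLAN-aware.

Constructed simulation, not code from the thread.  Frame layout follows
IEEE 802.1Q: dst MAC, src MAC, optional tag (TPID 0x8100 + TCI), EtherType.
MAC addresses, VLAN IDs and the CAM size are made-up assumptions.
"""
import struct
from collections import OrderedDict

TPID_8021Q = 0x8100
BROADCAST = b"\xff" * 6

# Locally administered, made-up MACs for the thread's three hosts.
PC = b"\x02\x00\x00\x00\x00\x01"
NAS = b"\x02\x00\x00\x00\x00\x02"
ATTACKER = b"\x02\x00\x00\x00\x00\x03"


def build_frame(dst, src, payload, vlan=None, ethertype=0x0800):
    """Ethernet II frame; with vlan set, an 802.1Q tag sits between the
    source MAC and the EtherType (PCP and DEI left at 0)."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    return dst, src, vlan, ethertype, frame[off:]


class Switch:
    """Learning switch with a bounded CAM.  port_vlan maps each access port
    to its VLAN; an unmanaged switch is the case where every port is in
    VLAN 1.  The CAM is shared across VLANs, as in real hardware."""

    def __init__(self, ports, cam_size=8, port_vlan=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.port_vlan = port_vlan or {p: 1 for p in self.ports}
        self.cam = OrderedDict()  # (vlan, mac) -> port

    def _learn(self, vlan, mac, port):
        key = (vlan, mac)
        if key in self.cam:
            self.cam[key] = port  # refresh; also handles a host moving port
        elif len(self.cam) < self.cam_size:
            self.cam[key] = port
        # else: table full, address not learned; frames to it get flooded

    def forward(self, frame, in_port):
        """Return the set of ports the frame is sent out of."""
        dst, src, _tag, _et, _payload = parse_frame(frame)
        vlan = self.port_vlan[in_port]  # access port: VLAN from config, not tag
        self._learn(vlan, src, in_port)
        out = self.cam.get((vlan, dst))
        if dst != BROADCAST and out is not None:
            return {out} - {in_port}
        # broadcast or unknown unicast: flood, but only within the VLAN
        return {p for p in self.ports if p != in_port and self.port_vlan[p] == vlan}


def _bogus_mac(i):
    """Deterministic fake source address number i for the flooding attack."""
    return b"\x02\xba\xd0" + struct.pack("!BH", 0, i)


def plain_switch():
    """Unmanaged switch: PC on port 1, NAS on port 2, outsider on port 3."""
    sw = Switch(ports=[1, 2, 3])
    sw.forward(build_frame(NAS, PC, b"hello"), in_port=1)  # NAS unknown: flooded
    sw.forward(build_frame(PC, NAS, b"hi"), in_port=2)     # PC known: unicast
    steady = sw.forward(build_frame(NAS, PC, b"secret"), in_port=1)
    probe = sw.forward(build_frame(NAS, ATTACKER, b"probe"), in_port=3)
    return steady, probe  # ({2}, {2}): port 3 sees nothing, yet reaches the NAS


def plain_switch_flooded(cam_size=8):
    """Same switch after port 3 fills the CAM with bogus source MACs before
    the victims are learned (or after their entries age out; a real attack
    simply keeps flooding so they never get re-learned)."""
    sw = Switch(ports=[1, 2, 3], cam_size=cam_size)
    for i in range(cam_size):
        sw.forward(build_frame(BROADCAST, _bogus_mac(i), b"junk"), in_port=3)
    return sw.forward(build_frame(NAS, PC, b"secret"), in_port=1)  # {2, 3}


def vlan_switch(cam_size=8):
    """Managed switch: ports 1-2 in VLAN 456 (accounts), port 3 in VLAN 123
    (doorbell).  The outsider's probe goes nowhere, and even after the same
    CAM flood the PC->NAS traffic is flooded only to VLAN 456 members."""
    sw = Switch(ports=[1, 2, 3], cam_size=cam_size,
                port_vlan={1: 456, 2: 456, 3: 123})
    probe = sw.forward(build_frame(NAS, ATTACKER, b"probe"), in_port=3)
    for i in range(cam_size):
        sw.forward(build_frame(BROADCAST, _bogus_mac(i), b"junk"), in_port=3)
    leaked = sw.forward(build_frame(NAS, PC, b"secret"), in_port=1)
    return probe, leaked  # (set(), {2})


if __name__ == "__main__":
    print("plain switch (steady, outsider probe):", plain_switch())
    print("plain switch after CAM flood:", plain_switch_flooded())
    print("VLAN switch (outsider probe, after flood):", vlan_switch())
```

Run it directly to print the three results. The CAM is deliberately shared across VLANs, as in real hardware: the flood from port 3 still stops the VLAN 456 hosts being learned, so their frames are flooded, but only to VLAN 456 members, which is the whole of the security argument here. A managed switch usually has port-security or MAC-limit knobs that stop the flood in the first place; the model leaves those out.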
#110
Posted to uk.d-i-y
|
|||
|
|||
Cat5e or what?
The Natural Philosopher wrote:

> PLEASE read what I am saying. I have said all along that I can't see what the point of 'secure house networks' is, and that the claims that 'VLAN segregates traffic' are in fact silly, because a normal switch does that too.
>
> But switches DO provide security.
>
> Maybe you haven't used a packet sniffer on a coaxial ethernet network, but I have. You can read every packet between every machine passively. You can do that with a wifi password as well. That simply can't be done with a switch unless you have a backdoor into the switch.

Fun though this discussion is, the point about switches v hubs is a settled one. I don't think you can actually buy a hub for modern networking. I think they may exist for 100M ethernet, but I haven't seen one. They don't exist for gigabit, and definitely not for 10G. The argument is one of 20 years ago.

But, as has been pointed out, it doesn't take much to trick a switch into sending you traffic - you just need to be active rather than a passive listener. VLANs prevent that.

Anyway, let's get this back to DIY. The question of how this is relevant to 'secure home networks' is that it can dig you out of a hole of not having enough wiring. If you want to run different networks over the same physical wire, VLANs will do that. It won't help if they aren't ethernet, and it won't help if you are constrained by bandwidth (but you could run the inter-switch link at 2.5/5/10G if the wiring was up to it), but otherwise 'not enough cables' is something it'll handle. It's the alternative to chasing another hole in the plaster.

Why do you need 'different networks'? Security and bandwidth management. As more stuff goes IP, you don't necessarily want to throw it down one 'best effort' pipe, where it all gets mixed up together. Some things are more important, both in security and traffic priority. You don't want the kids hammering BitTorrent to knock out the phones or the CCTV.

Theo
#111
Posted to uk.d-i-y
Cat5e or what?
In article , Andy Burns wrote:

> MAC flooding, ARP spoofing.

On some managed models, port(s) can be put into promiscuous mode, seeing everything that passes through the switch.

--
(\_/)
(='.'=) Bunny says: Windows 10? Nein danke!
(")_(")
#112
Posted to uk.d-i-y
Cat5e or what?
Mike Tomlinson wrote:

> On some managed models, port(s) can be put into promiscuous mode, seeing everything that passes through the switch.

Yes, but an attacker has to get admin control of the switch to enable mirroring/spanning, which usually requires access to another port.
#113
Posted to uk.d-i-y
Cat5e or what?
On 30/01/2016 13:26, Mike Tomlinson wrote:
> In article , Andy Burns wrote:
>
>> MAC flooding, ARP spoofing.
>
> On some managed models, port(s) can be put into promiscuous mode, seeing everything that passes through the switch.

You are starting to see that as a common option even on relatively low end domestic kit as well now.

--
Cheers, John.
Internode Ltd - http://www.internode.co.uk
John Rumm - john(at)internode(dot)co(dot)uk
#114
Posted to uk.d-i-y
Cat5e or what?
On 29/01/2016 23:50, The Natural Philosopher wrote:

> Well yes, but would you REALLY have a live access to your internal network on a CAT 5 socket outside your front door?

Maybe not (although IP cams are quite common these days) - but I'm pretty sure the wires out to the shed could be cut and spliced to somewhere else.

Andy
#115
Posted to uk.d-i-y
Cat5e or what?
On Wed, 27 Jan 2016 15:10:41 +0000, T i m wrote:

> On Wed, 27 Jan 2016 13:28:05 +0000, F news@nowhere wrote:
>
> <snip>
>
>>> When I upgraded my switch from 100M to Gb, I monitored the network usage and the general time taken to do stuff. Given that the ends were Gb and the cables short and able to support such, I can't say I really saw much difference in the overall throughput, suggesting any bottlenecks were elsewhere (like HDD access etc). I think I looked into it and think I remember the use of a higher performance NIC in the server, the basic 'on board' solutions weren't typically very efficient?
>>
>> Pushing a 50GB file across the 25M of Cat 6 to the Proliant G8 server in the garage I get a transfer speed of ~600Mbps.
>
> I'll have to test mine but being yours is a 'real' server (focused on i/o and not economy like mine) is likely to be much better than any generic PC hardware running as a server.

That won't necessarily be true. For several years, I tried just about every trick I could to get the data transfer rates between my NAS4Free box and my win2k desktop machine (connected via 2 or 3 metres worth of CAT5 in total using an 8 port Netgear GBit switch) above 60MB/s (circa 500Mbps). Both machines were using 2010 vintage MoBos with built in GBit lan ports and dual core CPUs.

The CrystalDiskMark results were interesting in that sustained large sequential transfer rates hovered around the 75MB/s mark for any of the four disks in the NAS box (mapped to local drive letters) almost without regard to any real world stop watch timed benchmarked improvements I was able to make.

The biggest improvement arose out of replacing the single core Sempron in the NAS box with a dual core Athlon 64 chip (I was already using a dual core 3.1GHz Phenom in the desktop PC) along with enabling the "Cool 'n' Quiet" feature and allowing N4F's excellent power management to work its magic (I'd initially disabled this feature and slightly underclocked and undervolted the Sempron to keep the power consumption down - it turned out that by allowing N4F's power management to function, I was able to achieve the same power saving - that is for the 99.9% of the time it was just idling).

Eventually, I raised the write speed (from desktop to NAS) to a dizzying 64MB/s and the read speed to a more modest 58MB/s (I never did figure why the write performance was so notably better than the read performance - just one of life's many mysteries I guess).

I did see an improvement early on when using jumbo frame working until jumbo frames became deprecated to the point of no longer being supported by the FreeBSD devs not long after that last hardware upgrade back around 2010.

Nearly two years ago now, I had an opportunity to benchmark using a customer's win7 desktop machine which had a decent specification. This was a real eye opener! The connection still used the same 8 port Gbit switch, only the cat5 segment to the workbench involved an extra 10 or 15 metres of cable. Testing using 10GB's worth of large media files (500GB to 2000GB in size) showed an average speed of circa 85MB/s each way using stopwatch timings. Even more revealing was the fact that before the disk ram caches filled up, the win7 PC reported 120 odd MB/s transfer rates for the 2 or 3 seconds it took before the disk transfer rates throttled it back to the 85 to 90 MB/s mark.

I didn't bother changing the CIFS/SMB protocol from type 1 (optimised for win2k / XP) to type 2 (optimised for win7 / 8). Seeing it reach so close to the theoretical max of 125MB/s before hitting the disk i/o limit of 85MB/s made such a test moot.

It turned out that the 64MB/s writing speed limit I'd been trying to improve upon for the previous 3 years or so had been nothing to do with the NAS box and everything to do with limitations in win2k's networking driver code. Believe me, I lost count of the number of 'tuning sessions' I'd tried to improve networking performance (it wasn't a hardware issue - the desktop hardware had an even higher spec than the NAS box).

Having tested with a decently specced win7 box, I could rest assured that the NAS4Free box was quite capable of maxing out the Gigabit link and not in need of any further network performance tuning. It's also worth remembering that the micro ATX SATA 2 MoBo (now some six years old) used in the NAS was nothing special (other than having a built in Gbit LAN port). Plus, it's also worth keeping in mind that CIFS/SMB performance in BSD blows Linux into the weeds (at least twice as fast compared to using a Linux based NAS box - and the same applies the other way round when Linux is running as a client machine).

--
Johnny B Good
#116
Posted to uk.d-i-y
Cat5e or what?
On Mon, 01 Feb 2016 00:49:56 GMT, Johnny B Good wrote:

> On Wed, 27 Jan 2016 15:10:41 +0000, T i m wrote:
>
> <snip>
>
>> I'll have to test mine but being yours is a 'real' server (focused on i/o and not economy like mine) is likely to be much better than any generic PC hardware running as a server.
>
> That won't necessarily be true. For several years, I tried just about every trick I could to get the data transfer rates between my NAS4Free box and my win2k desktop machine (connected via 2 or 3 metres worth of CAT5 in total using an 8 port Netgear GBit switch) above 60MB/s (circa 500Mbps). Both machines were using 2010 vintage MoBos with built in GBit lan ports and dual core CPUs.
>
> The CrystalDiskMark results were interesting in that sustained large sequential transfer rates hovered around the 75MB/s mark for any of the four disks in the NAS box (mapped to local drive letters) almost without regard to any real world stop watch timed benchmarked improvements I was able to make.
>
> The biggest improvement arose out of replacing the single core Sempron in the NAS box with a dual core Athlon 64 chip

<snip more interesting stuff for brevity>

That would reinforce what I was thinking regarding the poor i/o of a 'std' (onboard NIC) compared with one focused on efficient / low CPU involvement / server orientated NIC?

Transferring data is a very I/O based task and therefore shouldn't require much in the way of CPU. So, as long as the hardware involved was self sufficient (could use DMA etc) then it should offload much of the CPU load onto the Ethernet card itself (and why they sell such cards for 'servers' presumably)? Network *and* any hard disk controllers may help.

http://www.intel.com/content/www/us/en/ethernet-products/gigabit-server-adapters/overview.html

Cheers, T i m
#117
Posted to uk.d-i-y
Cat5e or what?
On 01/02/2016 08:25, T i m wrote:
> On Mon, 01 Feb 2016 00:49:56 GMT, Johnny B Good wrote:
>> On Wed, 27 Jan 2016 15:10:41 +0000, T i m wrote:
>>
>> <snip>
>>
>>> I'll have to test mine but being yours is a 'real' server (focused on i/o and not economy like mine) is likely to be much better than any generic PC hardware running as a server.
>>
>> That won't necessarily be true. For several years, I tried just about every trick I could to get the data transfer rates between my NAS4Free box and my win2k desktop machine (connected via 2 or 3 metres worth of CAT5 in total using an 8 port Netgear GBit switch) above 60MB/s (circa 500Mbps). Both machines were using 2010 vintage MoBos with built in GBit lan ports and dual core CPUs.
>>
>> The CrystalDiskMark results were interesting in that sustained large sequential transfer rates hovered around the 75MB/s mark for any of the four disks in the NAS box (mapped to local drive letters) almost without regard to any real world stop watch timed benchmarked improvements I was able to make.
>>
>> The biggest improvement arose out of replacing the single core Sempron in the NAS box with a dual core Athlon 64 chip
>
> <snip more interesting stuff for brevity>
>
> That would reinforce what I was thinking regarding the poor i/o of a 'std' (onboard NIC) compared with one focused on efficient / low CPU involvement / server orientated NIC?
>
> Transferring data is a very I/O based task and therefore shouldn't require much in the way of CPU. So, as long as the hardware involved was self sufficient (could use DMA etc) then it should offload much of the CPU load onto the Ethernet card itself (and why they sell such cards for 'servers' presumably)? Network *and* any hard disk controllers may help.

My laptop will get to 80MBytes/sec to the Synology ds215j. That is despite the network being a gig NIC on USB3. The CPU hovers in the low teens so the workload isn't high. The NIC has never exceeded 80% link capacity so I expect that's the limit. Now if I had a suitable wifi router it could do better in theory.

Writes should be quicker as the NAS can cache them and write them to disk in optimal order. It can't always know what to read ahead so it can't optimise the reads as easily. However frequently writes are slower and that's probably poor file system optimisation (they are probably still using ext3 rather than a more recent one).
#118
Posted to uk.d-i-y
Cat5e or what?
T i m wrote:

> That would reinforce what I was thinking regarding the poor i/o of a 'std' (onboard NIC) compared with one focused on efficient / low CPU involvement / server orientated NIC?
>
> Transferring data is a very I/O based task and therefore shouldn't require much in the way of CPU. So, as long as the hardware involved was self sufficient (could use DMA etc) then it should offload much of the CPU load onto the Ethernet card itself (and why they sell such cards for 'servers' presumably)?

Yes... Intel NICs are the gold standard, they're also less fussy about drivers because they do more in hardware. Realtek and Marvell NICs are cheaper and leave more to software.

You can often get Intel NICs for cheap (about a tenner) if you look at ex-server cards on ebay - some are branded HP, Dell or whatever but look for the ones with Intel chips.

However if the PC is recent it probably has an Intel NIC as part of the chipset, so the motherboard may already have that sorted.

Theo
#119
Posted to uk.d-i-y
Cat5e or what?
On 01 Feb 2016 22:00:10 +0000 (GMT), Theo wrote:

T i m wrote:

That would reinforce what I was thinking regarding the poor i/o of a 'std' (onboard NIC) compared with one focused on efficient / low CPU involvement / server orientated NIC? Transferring data is a very I/O based task and therefore shouldn't require much in the way of CPU. So, as long as the hardware involved was self sufficient (could use DMA etc) then it should offload much of the CPU load onto the Ethernet card itself (and why they sell such cards for 'servers' presumably)?

Yes... Intel NICs are the gold standard, they're also less fussy about drivers because they do more in hardware.

Makes sense.

Realtek and Marvell NICs are cheaper and leave more to software.

Like 'Winmodems' ;-)

You can often get Intel NICs for cheap (about a tenner) if you look at ex-server cards on ebay - some are branded HP, Dell or whatever but look for the ones with Intel chips.

Ok, good tip, thanks.

However if the PC is recent it probably has an Intel NIC as part of the chipset, so the motherboard may already have that sorted.

They may of course ... but what are the chances of an integrated NIC (even an Intel one) being as capable (on a desktop board specifically) as an add-on card, in the same way onboard video is rarely as capable as even the simplest add-on video card (demonstrated by the size (lack of?) of any heatsinks on the on-board video solutions)?

OOI, is there a utility that is good for doing such network throughput tests or is it more 'real world' to transfer a largish block of data (as I believe you mention previously) and just time the result?

Cheers, T i m
#120
Posted to uk.d-i-y
Cat5e or what?
"T i m" wrote in message ...

On 01 Feb 2016 22:00:10 +0000 (GMT), Theo wrote:

T i m wrote:

That would reinforce what I was thinking regarding the poor i/o of a 'std' (onboard NIC) compared with one focused on efficient / low CPU involvement / server orientated NIC? Transferring data is a very I/O based task and therefore shouldn't require much in the way of CPU. So, as long as the hardware involved was self sufficient (could use DMA etc) then it should offload much of the CPU load onto the Ethernet card itself (and why they sell such cards for 'servers' presumably)?

Yes... Intel NICs are the gold standard, they're also less fussy about drivers because they do more in hardware.

Makes sense.

Realtek and Marvell NICs are cheaper and leave more to software.

Like 'Winmodems' ;-)

You can often get Intel NICs for cheap (about a tenner) if you look at ex-server cards on ebay - some are branded HP, Dell or whatever but look for the ones with Intel chips.

Ok, good tip, thanks.

However if the PC is recent it probably has an Intel NIC as part of the chipset, so the motherboard may already have that sorted.

They may of course ... but what are the chances of an integrated NIC (even an Intel one) being as capable (on a desktop board specifically) as an add-on card,

OTOH the integrated NIC does better bandwidth wise to the motherboard ram.

in the same way onboard video is rarely as capable as even the simplest add-on video card (demonstrated by the size (lack of?) of any heatsinks on the on-board video solutions)?

That's a different issue and the highest performance video cards cost more than the entire motherboard, for a reason.

OOI, is there a utility that is good for doing such network throughput tests or is it more 'real world' to transfer a largish block of data (as I believe you mention previously) and just time the result?