Wednesday, August 4, 2010

Playing with vlan.dat

Hi all, today I'm a little bit insane (or better, not today only, but a little bit more than usual :-) )

Today morning I've started my journey reading the Catalyst 3560 Configuration Guide on the train.
It's nice discover every day new things, today I've heard about the "internal vlans" for the first time...
Walking to the office, that internal vlans stuff has mixed up in my sleepy mind, so I've started playing insane games with two switches instead of having coffee break.

First, have to satisfy the curiosity to see those internal vlans:

Switch# sh vlan internal usage

VLAN Usage
---- --------------------
1025 FastEthernet0/20

Switch#sh run int fa 0/20
Building configuration...

Current configuration : 87 bytes
!
interface FastEthernet0/20
no switchport
ip address 10.12.12.1 255.255.255.0
end


Ok, let say that every L3 port on a switch have assigned an internal vlan on the extended range.
The only ios command I found about the internal vlans is "vlan internal allocation policy"

Switch(config)#vlan internal allocation policy ?
ascending Allocate internal VLAN in ascending order
descending Allocate internal VLAN in descending order

Switch(config)#vlan internal allocation policy descending

note that this command have effect only after a reload. Basically tell the switch to choose the internal vlans number, from 1006 and above, or from 4094 and below, in the most recent releases seems undocumented and not working... anyway..

It gives me the idea to play with internal vlans, trying to loop/trunk it, but unsuccessfully.

Next insane idea is to play with the vlan.dat file.
Just recall that the vlan.dat file is stored into the flash: by default and contains the informations about VTP and standard range vlan ( from 1 to 1005 ).

Let's look closer this vlan.dat file...

Switch#more flash:vlan.dat
%Error opening flash:vlan.dat (No such file or directory)
Switch#

!-- By default there is no vlan.dat file, it's created when the first vlan is done or when vtp is modified

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vtp domain MY-DOMAIN
Changing VTP domain name from NULL to MY-DOMAIN
Switch(config)#end

Switch#sh vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : MY-DOMAIN
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x0F 0x01 0x47 0xF9 0x1D 0xCD 0x9C 0x56
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 10.0.0.2 on interface Vl1 (lowest numbered VLAN interface fo und)
Switch#

Switch#more flash:vlan.dat
00000000: BADB100D 00000002 02094D59 2D444F4D :[.. .... ..MY -DOM
00000010: 41494E00 00000000 00000000 00000000 AIN. .... .... ....
00000020: 00000000 00000000 00000000 00000000 .... .... .... ....
00000030: 00000000 00000001 30303030 30303030 .... .... 0000 0000
00000040: 30303030 0F0147F9 1DCD9C56 2F420F7D 0000 ..Gy .M.V /B.}
00000050: F2CC391B 00000000 00000000 00000000 rL9. .... .... ....
00000060: 00000000 00000000 00000000 00000000 .... .... .... ....
00000070: 00000000 00000000 00000000 00000000 .... .... .... ....
00000080: 00000000 00000000 00000000 00000000 .... .... .... ....
00000090: 00000000 00000005 02020000 0388CD3C .... .... .... ..M<
000000A0: 07646566 61756C74 00000000 00000000 .def ault .... ....
000000B0: 00000000 00000000 00000000 00000000 .... .... .... ....
000000C0: 00000101 05DC0001 000186A1 00000000 .... .\.. ...! ....
000000D0: 00000000 00000000 00000000 0C666464 .... .... .... .fdd
000000E0: 692D6465 6661756C 74000000 00000000 i-de faul t... ....
000000F0: 00000000 00000000 00000000 00000201 .... .... .... ....
00000100: 05DC03EA 00018A8A 00000000 00000000 .\.j .... .... ....
00000110: 00000000 00000000 12746F6B 656E2D72 .... .... .tok en-r
00000120: 696E672D 64656661 756C7400 00000000 ing- defa ult. ....
00000130: 00000000 00000000 00000301 05DC03EB .... .... .... .\.k
00000140: 00018A8B 00000000 00000000 00000007 .... .... .... ....
00000150: 07000000 0F666464 696E6574 2D646566 .... .fdd inet -def
00000160: 61756C74 00000000 00000000 00000000 ault .... .... ....
00000170: 00000000 00000401 05DC03EC 00018A8C .... .... .\.l ....
00000180: 00000001 00000000 00000000 00000000 .... .... .... ....
00000190: 0D74726E 65742D64 65666175 6C740000 .trn et-d efau lt..
000001A0: 00000000 00000000 00000000 00000000 .... .... .... ....
000001B0: 00000501 05DC03ED 00018A8D 00000002 .... .\.m .... ....
000001C0: 00000000 00000000 00000000 0388D028 .... .... .... ..P(
000001D0: 000003EA 00000008 032FABFC 01010000 ...j .... ./+| ....
000001E0: 04010000 02F610D4 000003EB 00000008 .... .v.T ...k ....
000001F0: 0388D06C 01010000 04010000 032FB620 ..Pl .... .... ./6
00000200: 000003EC 00000008 02F61118 02010000 ...l .... .v.. ....
00000210: 03010001 00000000 000003ED 00000008 .... .... ...m ....
00000220: 032FB664 02010000 03010002 XXXXXXXX ./6d .... .... XXXX

Switch#


Woops! the switch itself displays binary files as hex dumps with the ascii portion in the right side... interesting!

I noted:
-in the first part, the VTP informations, the domain name is visible in cleartext
-the VTP MD5 seen in the sh vtp status output is stored on file on locations 0x44 - 0x4B
-after VTP, VLAN informations are stored, using some data structure, more investigation needed.

So why not to try to modify by hand this system file? No fear on it, if it fails, delete the file and reload, that's it.

First I tryied to do a simple TCL script to modify the vlan.dat, but seems the "seek" on tcl doesn't work as expected:

Switch#tclsh
Switch(tcl)#set f [open "vlan.dat" "r+"]
file0
Switch(tcl)#seek $f 160

Switch(tcl)#tell $f
160
Switch(tcl)#puts -nonewline $f "TEST"

Switch(tcl)#close $f

Switch(tcl)#^Z
Switch#

Switch#more flash:vlan.dat
00000000: BADB100D 00000002 02094D59 2D444F4D :[.. .... ..MY -DOM
00000010: 41494E00 00000000 00000000 00000000 AIN. .... .... ....
00000020: 00000000 00000000 00000000 00000000 .... .... .... ....
00000030: 00000000 00000001 30303030 30303030 .... .... 0000 0000
00000040: 30303030 0F0147F9 1DCD9C56 2F420F7D 0000 ..Gy .M.V /B.}
00000050: F2CC391B 00000000 00000000 00000000 rL9. .... .... ....
00000060: 00000000 00000000 00000000 00000000 .... .... .... ....
00000070: 00000000 00000000 00000000 00000000 .... .... .... ....
00000080: 00000000 00000000 00000000 00000000 .... .... .... ....
00000090: 00000000 00000005 02020000 0388CD3C .... .... .... ..M<
000000A0: 07646566 61756C74 00000000 00000000 .def ault .... ....
000000B0: 00000000 00000000 00000000 00000000 .... .... .... ....
000000C0: 00000101 05DC0001 000186A1 00000000 .... .\.. ...! ....
000000D0: 00000000 00000000 00000000 0C666464 .... .... .... .fdd
000000E0: 692D6465 6661756C 74000000 00000000 i-de faul t... ....
000000F0: 00000000 00000000 00000000 00000201 .... .... .... ....
00000100: 05DC03EA 00018A8A 00000000 00000000 .\.j .... .... ....
00000110: 00000000 00000000 12746F6B 656E2D72 .... .... .tok en-r
00000120: 696E672D 64656661 756C7400 00000000 ing- defa ult. ....
00000130: 00000000 00000000 00000301 05DC03EB .... .... .... .\.k
00000140: 00018A8B 00000000 00000000 00000007 .... .... .... ....
00000150: 07000000 0F666464 696E6574 2D646566 .... .fdd inet -def
00000160: 61756C74 00000000 00000000 00000000 ault .... .... ....
00000170: 00000000 00000401 05DC03EC 00018A8C .... .... .\.l ....
00000180: 00000001 00000000 00000000 00000000 .... .... .... ....
00000190: 0D74726E 65742D64 65666175 6C740000 .trn et-d efau lt..
000001A0: 00000000 00000000 00000000 00000000 .... .... .... ....
000001B0: 00000501 05DC03ED 00018A8D 00000002 .... .\.m .... ....
000001C0: 00000000 00000000 00000000 0388D028 .... .... .... ..P(
000001D0: 000003EA 00000008 032FABFC 01010000 ...j .... ./+| ....
000001E0: 04010000 02F610D4 000003EB 00000008 .... .v.T ...k ....
000001F0: 0388D06C 01010000 04010000 032FB620 ..Pl .... .... ./6
00000200: 000003EC 00000008 02F61118 02010000 ...l .... .v.. ....
00000210: 03010001 00000000 000003ED 00000008 .... .... ...m ....
00000220: 032FB664 02010000 03010002 54455354 ./6d .... .... TEST

Switch#


No luck with tcl... seems my "TEST" string was appended to the file, even the "seek" and "tell" shows a pointer on 160 position.

Well, to recreate the correct file, simply add a vlan, so the switch is forced to overwrite the vlan.dat file.

Switch#more flash:vlan.dat
00000000: BADB100D 00000002 02094D59 2D444F4D :[.. .... ..MY -DOM
[...]
00000220: 032FB664 02010000 03010002 54455354 ./6d .... .... TEST

Switch#
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 3
Switch(config-vlan)#exit
Switch(config)#exit
Switch#more flash:vlan.dat
00000000: BADB100D 00000002 02094D59 2D444F4D :[.. .... ..MY -DOM
[...]
00000250: 00000000 000003ED 00000008 0382EAB8 .... ...m .... ..j8
00000260: 02010000 03010002 XXXXXXXX XXXXXXXX .... .... XXXX XXXX

Switch#


So I've downloaded the vlan.dat file with tftp and opened with a Hex editor (GHex for Linux by the way...)
Doing several tests, I have mapped the various fields as follows:


Switch(config)#do sh vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, ....
3 VLAN0003 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

Switch#more flash:vlan.dat
00000000: BADB100D 00000002 0209.... ........ ->I bet here there are Vtp config revision, vtp mode ...
........ ........ ....4D59 2D444F4D ->Vtp domain name: MY -DOM
00000010: 41494E.. ........ ........ ........ ->Vtp domain name: AIN
......00 00000000 00000000 00000000
00000020: 00000000 00000000 00000000 00000001
00000030: 0A000002 00000001 39333033 30313030
00000040: 34303034 ........ ........ ........
........ A1204A8A 0852706C ........ -> Vtp domain MD5 hash (as seen on sh vtp status)
........ ........ ........ 93DC7C07
00000050: C08B0833 00000000 00000000 00000000
00000060: 00000000 00000000 00000000 00000000
00000070: 00000000 00000000 00000000 00000000
00000080: 00000000 00000000 00000000 00000000
00000090: 00000000 00000006 02020000 033B7650
000000A0: 07...... ........ ........ ........
..646566 61756C74 ........ ........ -> Vlan Name: default
........ ........ 00000000 00000000 -> Vlan Name: blank space (vlan name up to 32 bytes)
000000B0: 00000000 00000000 00000000 00000000 -> Vlan Name: blank space (vlan name up to 32 bytes)
000000C0: 00000101 ........ ........ ........ -> Not shure about this one, maybe it is the "vlan count?"
........ 05DC.... ........ ........ -> Vlan MTU : value 0x05DC = 1500 in decimal
........ ....0001 ........ ........ -> Vlan ID : value 0x0001 = vlan id 1
........ ........ 000186A1 ........ -> Vlan SAID: value 0x000186A1 = SAID 100001 in decimal
........ ........ ........ 00000000
000000D0: 00000000 00000000 00000000 08......
........ ........ ........ ..564C41 -> next Vlan Name: VLA
000000E0: 4E303030 33...... ........ ........ -> next Vlan Name: N000 3
........ ..000000 00000000 00000000 -> .... and so on...
000000F0: 00000000 00000000 00000000 00000101 .... .... .... ....
00000100: 05DC0003 000186A3 00000000 00000000 .\.. ...# .... ....
00000110: 00000000 00000000 0C666464 692D6465 .... .... .fdd i-de
00000120: 6661756C 74000000 00000000 00000000 faul t... .... ....
00000130: 00000000 00000000 00000201 05DC03EA .... .... .... .\.j
00000140: 00018A8A 00000000 00000000 00000000 .... .... .... ....
00000150: 00000000 12746F6B 656E2D72 696E672D .... .tok en-r ing-
00000160: 64656661 756C7400 00000000 00000000 defa ult. .... ....
00000170: 00000000 00000301 05DC03EB 00018A8B .... .... .\.k ....
00000180: 00000000 00000000 00000007 07000000 .... .... .... ....
00000190: 0F666464 696E6574 2D646566 61756C74 .fdd inet -def ault
000001A0: 00000000 00000000 00000000 00000000 .... .... .... ....
000001B0: 00000401 05DC03EC 00018A8C 00000001 .... .\.l .... ....
000001C0: 00000000 00000000 00000000 0D74726E .... .... .... .trn
000001D0: 65742D64 65666175 6C740000 00000000 et-d efau lt.. ....
000001E0: 00000000 00000000 00000000 00000501 .... .... .... ....
000001F0: 05DC03ED 00018A8D 00000002 ........
........ ........ ........ 00000000 -> From here to end, I didn't undestood the fields
00000200: 00000000 00000000 03830810 000003EA -> but I've seen the Vlan id (eg. here 0x03EA) repeating
00000210: 00000008 038307CC 01010000 04010000 -> for the FDDI/Token Ring/trn vlans
00000220: 0382E9EC 000003EB 00000008 03830854 -> I bet these are bridge/parent/ring/stp params
00000230: 01010000 04010000 0382EA74 000003EC
00000240: 00000008 0382EA30 02010000 03010001
00000250: 00000000 000003ED 00000008 0382EAB8
00000260: 02010000 03010002 XXXXXXXX XXXXXXXX -> file ends at 0x0267, the "X" are padding of the "more" command


I played a little with the hex editor and have a decent version:

Switch#sh vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, ....
2 VLAN0002 active
11 VLAN0011 active
12 VLAN0012 active
14 VLAN0014 active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
11 enet 100011 1500 - - - - - 0 0
12 enet 100012 1500 - - - - - 0 0
14 enet 100014 1500 - - - - - 0 0


Hehehe no more legacy protocols here!! All vlans are type ethernet and active, but suddently I guess they have hard-coded in the Ios procedures the file format of vlan.dat, maybe they have to count at least 5 vlans, otherwise...:

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no vlan 2
%Error exiting config-vlan mode 33: Bad VLAN count
Switch(config)#no vlan 11
%Error exiting config-vlan mode 33: Bad VLAN count
Switch(config)#no vlan 12
%Error exiting config-vlan mode 33: Bad VLAN count
Switch(config)#vlan 66
Switch(config-vlan)#name TEST
Switch(config-vlan)#exit
Switch(config)#no vlan 66
Switch(config)#vlan 67
Switch(config-vlan)#name TEST2
Switch(config-vlan)#exit
Switch(config)#no vlan 2
Switch(config)#do sh vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, ...
11 VLAN0011 active
12 VLAN0012 active
14 VLAN0014 active
67 TEST2 active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
11 enet 100011 1500 - - - - - 0 0
12 enet 100012 1500 - - - - - 0 0
14 enet 100014 1500 - - - - - 0 0
67 enet 100067 1500 - - - - - 0 0




If someone wants to try it, hopefully in a test and safe environment, you can download the vlan.dat.modified version HERE

the nice thing is that this modified vlan.dat can be propagated via VTP, let's try to add another switch:

SW2#sh vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

!--- after a "no shut" on a dynamic desirable port on the other side...
SW2#
*Mar 1 00:01:08.409: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
*Mar 1 00:01:10.422: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up

SW2#sh vtp stat
VTP Version : running VTP2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : VTP-domain
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x73 0xE7 0xEC 0x53 0x2F 0xFB 0x8B 0xC4
Configuration last modified by 10.0.0.2 at 3-1-93 00:39:34
Local updater ID is 0.0.0.0 (no valid interface found)
SW2#sh vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, ....
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
4 enet 100004 1500 - - - - - 0 0
5 enet 100005 1500 - - - - - 0 0




Well, enough fun for today, let's go back to study... as last funny thing, readers can modify the "default" vlan 1 name ... :-D

byeee
Marco

1 comment:

Luca Gervasi said...

Very nice work! CCIE's studies seems to be very interesting ! :D

You can even write a small tcl script to add/modify/delete vlans without using the internal syscalls...supposing you understand the "still unknown" fields ^_^

Bye