Brief instructions for configuring VLANs
First, let's establish what an 802.1Q VLAN is. So as not to reinvent the wheel, a short clipping from Wikipedia:
VLAN (Virtual Local Area Network) is a virtual local area network: a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same properties as a physical LAN, but allows end stations to be grouped together even if they are not on the same physical network segment. Such a reorganization can be done in software instead of by physically moving devices.
On Cisco devices, VTP (VLAN Trunking Protocol) provides VLAN domains to simplify administration. VTP pruning also reduces traffic by forwarding VLAN traffic only to those switches that have ports in the target VLAN. Cisco switches primarily use the ISL (Inter-Switch Link) protocol to carry VLAN information between switches.
By default, every switch port is in VLAN 1, the management VLAN. The management VLAN cannot be removed, but additional VLANs can be created and ports can be assigned to those alternative VLANs.
The native VLAN is a per-port parameter that determines which VLAN number all untagged frames received on that port are assigned to.
What is this for?
There are several situations:
1. Imagine a large network, say a citywide one, with two offices inside its coverage area. They need to be joined into one network at layer 2, while the rest of the citywide network must not see or reach the office machines. This can of course be solved with VPNs, but encrypting roughly 100 Mbit/s of traffic takes fairly serious hardware, so we use VLANs instead.
2. There are many subnets spread across the city, and each one needs its own interface on the server. At first you can get by with physical network cards, but networks tend to grow, and what do you do in a situation like this?
serv:~# ifconfig | grep eth | wc -l
152
serv:~#
3. A client needs to be issued a block of 4, 8, 16, etc. addresses.
4. Reducing the amount of broadcast traffic on the network.
Each VLAN is a separate broadcast domain. A switch is a layer 2 device in the OSI model: all ports of a switch with no VLANs configured are in one broadcast domain, and creating VLANs on it splits the switch into several broadcast domains. If the same VLAN exists on several switches, the ports of those switches in that VLAN form one broadcast domain (provided the VLAN is carried on the links between them).
5. Increased network security and manageability
When a network is split into VLANs, applying security policies and rules becomes simpler: a policy can be applied to a whole subnet rather than to a single device. In addition, getting from one VLAN to another means passing through a layer 3 device, which is where the policies that allow or deny access between VLANs are normally applied. Bear in mind that this isolation is only as good as the port and trunk configuration on the switches, so the switch side deserves the same care as the firewall rules.
And many other reasons and situations in which this may be needed.
How can I do all this?
Easy!
Tagging VLAN traffic
A computer sending traffic onto the network does not even know which VLAN it is in; the switch does the thinking for it. The switch knows that the computer connected to a given port belongs to the corresponding VLAN. Traffic arriving on a port of one VLAN is no different from traffic of another VLAN: the frame itself carries no information about which VLAN it belongs to.
However, if traffic from different VLANs can arrive through a single port, the switch must somehow tell them apart. To do this, each frame has to be marked in a special way, and the tag must say which VLAN the frame belongs to.
The most common way of marking is described in the open IEEE 802.1Q standard. There are proprietary protocols that solve the same problem, for example Cisco's ISL, but they are far less popular (and declining).
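To make the tag concrete, here is an added Python example (not code from the original article) that builds an untagged frame the way a host would send it, inserts and reads an 802.1Q tag the way a trunk port does, and strips it the way an untagged port does. The MAC addresses, payload and VLAN IDs are constructed for the example; the TPID values 0x8100 and 0x88A8 and the PCP/DEI/VID layout are those of the standards.

```python
"""802.1Q tag handling, byte by byte.

Added example for this article (not code from the original post). It shows what
the switch actually looks at: the 4-byte tag inserted after the source MAC, with
TPID 0x8100 followed by PCP (3 bits), DEI (1 bit) and VID (12 bits). The frames
built below are constructed for the example; MAC addresses and payload are arbitrary.
"""
import struct

TPID_8021Q = 0x8100    # customer VLAN tag (C-TAG)
TPID_8021AD = 0x88A8   # service tag (S-TAG) used for provider QinQ
ETHERTYPE_IPV4 = 0x0800
VLAN_TAGS = (TPID_8021Q, TPID_8021AD)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame, as a host NIC normally emits it."""
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0,
             tpid: int = TPID_8021Q) -> bytes:
    """What a trunk port does on egress: insert a tag after the source MAC.
    VID 0 means 'priority tagged, no VLAN' and 4095 is reserved, so only
    1..4094 are real VLAN IDs."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VID {vid} is not a usable VLAN ID (1..4094)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Walk the header: zero or more stacked tags, then the real EtherType."""
    if len(frame) < 14:
        raise ValueError("too short for an Ethernet header")
    tags = []
    off = 12
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated header")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in VLAN_TAGS:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def pop_tag(frame: bytes) -> bytes:
    """What an untagged (access) port does on egress: strip the outer tag.
    Only the outermost tag is removed; a double-tagged frame keeps its inner tag."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] not in VLAN_TAGS:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


def outer_vid(frame: bytes):
    """The VID a switch classifies a tagged frame by; None if the frame is
    untagged (then the port's PVID decides, as described in the text)."""
    tags = parse_frame(frame)["tags"]
    return tags[0]["vid"] if tags else None
```

A tagged frame for VLAN 2 with priority 5 carries the bytes 81 00 A0 02 right after the source MAC; pop_tag() returns exactly the frame the host sent, which is why the host never needs to know about the VLAN. Stacking a second tag (QinQ) shows that only the outermost tag is visible to the first switch that sees the frame.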
Configuration is usually done on the servers and on the switches.
By default, all network devices are in the first (default) VLAN, VLAN 1.
So we will bring up a second VLAN, with one subnet in it.
Depending on the server's OS, VLANs are configured differently.
In this article I will try to describe, as briefly and clearly as possible, the various ways of configuring VLANs on different operating systems.
So let's go: we will do the same task on different OSs, configuring VLAN 2 with an address space of 64 addresses, 10.10.10.0/26.
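Before going through ipcalc and the per-OS configs, the same arithmetic in Python as an added example (not from the original article): it derives the mask, broadcast and client range for the block, rejects a gateway or client address that is not a usable host, and prints the iproute2 commands that replace vconfig on current Linux systems. The subnet, gateway, interface name and VLAN ID are the article's; the function names and the rest are constructed for the example.

```python
"""Subnet planning for the VLAN's address space.

Added example (not from the original article): the arithmetic ipcalc does for
10.10.10.0/26, using the standard library, plus two checks worth running before
handing addresses to clients: that the gateway is a real host in the block, and
that a candidate client address is neither the network nor the broadcast
address. The iproute2 commands are the current replacement for vconfig.
"""
import ipaddress
from typing import Optional


def plan_subnet(cidr: str, gateway: Optional[str] = None) -> dict:
    """Mask, broadcast, usable range and client range for a CIDR block.
    strict=True makes ip_network() reject '10.10.10.1/26' (host bits set),
    a typo that would otherwise be silently rounded down."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    if not hosts:
        raise ValueError(f"{net} has no usable host addresses")
    gw = ipaddress.ip_address(gateway) if gateway else hosts[0]
    if gw not in hosts:
        raise ValueError(f"gateway {gw} is not a usable host in {net}")
    clients = [h for h in hosts if h != gw]
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),
        "broadcast": str(net.broadcast_address),
        "hostmin": str(hosts[0]),
        "hostmax": str(hosts[-1]),
        "usable": len(hosts),
        "gateway": str(gw),
        "client_first": str(clients[0]) if clients else None,
        "client_last": str(clients[-1]) if clients else None,
        "clients": len(clients),
    }


def classify(cidr: str, addr: str) -> str:
    """Where an address falls relative to the block. A client given the
    broadcast address, or one just past the /26 boundary, will not work."""
    net = ipaddress.ip_network(cidr, strict=False)
    a = ipaddress.ip_address(addr)
    if a not in net:
        return "outside"
    if a == net.network_address:
        return "network"
    if a == net.broadcast_address:
        return "broadcast"
    return "host"


def ip_commands(parent: str, vid: int, plan: dict) -> list:
    """iproute2 equivalent of 'vconfig add eth0 2' plus addressing the interface."""
    dev = f"{parent}.{vid}"
    return [
        f"ip link add link {parent} name {dev} type vlan id {vid}",
        f"ip addr add {plan['gateway']}/{plan['prefixlen']} brd {plan['broadcast']} dev {dev}",
        f"ip link set {dev} up",
    ]


if __name__ == "__main__":
    p = plan_subnet("10.10.10.0/26", "10.10.10.1")
    for k, v in p.items():
        print(f"{k:>12}: {v}")
    print("\n".join(ip_commands("eth0", 2, p)))
```

For 10.10.10.0/26 this gives 62 usable hosts, 61 of them for clients once 10.10.10.1 is the gateway; classify() answers the question behind most "it can't ping anything" calls, for instance that 10.10.10.63 is the broadcast address and 10.10.10.64 is already outside the block.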
First we need to work out the mask, the broadcast address and the gateway; ipcalc comes to the rescue :) The gateway will be 10.10.10.1, the mask 255.255.255.192 (/26) and the broadcast 10.10.10.63. Of the 62 usable hosts one is the gateway, which leaves 61 addresses for clients: 10.10.10.2 - 10.10.10.62.

Address:   10.10.10.0           00001010.00001010.00001010.00 000000
Netmask:   255.255.255.192 = 26 11111111.11111111.11111111.11 000000
Wildcard:  0.0.0.63             00000000.00000000.00000000.00 111111
=>
Network:   10.10.10.0/26        00001010.00001010.00001010.00 000000 (Class A)
Broadcast: 10.10.10.63          00001010.00001010.00001010.00 111111
HostMin:   10.10.10.1           00001010.00001010.00001010.00 000001
HostMax:   10.10.10.62          00001010.00001010.00001010.00 111110
Hosts/Net: 62                   (Private Internet)

Debian-like:

Install the vlan package, then edit /etc/network/interfaces and bring the interface up. Naming the interface eth0.2 tells the vlan package's ifupdown hook that eth0 is the parent and 2 the VLAN ID, so nothing more is needed for it to be created. ifupdown does not support comments at the end of a line, so the comment has to sit on a line of its own:

# apt-get install vlan
# nano /etc/network/interfaces
# bring the interface up automatically after a reboot; eth0 is the trunk interface the VLAN is delivered on
auto eth0.2
iface eth0.2 inet static
    address 10.10.10.1
    netmask 255.255.255.192
    broadcast 10.10.10.63
# ifup eth0.2

Red-Hat-like:

For Red Hat you need vconfig, the 802.1Q VLAN configuration utility (on current distributions it has been replaced by the ip command from iproute2). Install it, add VLAN 2 to eth0, go to /etc/sysconfig/network-scripts, create the interface file, edit it and bring the interface up. VLAN=yes is what makes the network scripts create the VLAN device themselves at boot; without it the vconfig add step would have to be repeated after every reboot:

[root@notebook ~]# yum search vconfig
vconfig.i686 : Linux 802.1q VLAN configuration utility
[root@notebook ~]# yum install -y vconfig
[root@notebook ~]# vconfig add eth0 2
[root@notebook ~]# cd /etc/sysconfig/network-scripts
[root@notebook network-scripts]# touch ifcfg-eth0.2
[root@notebook network-scripts]# nano ifcfg-eth0.2
DEVICE=eth0.2
VLAN=yes
BOOTPROTO=static
IPADDR=10.10.10.1
NETMASK=255.255.255.192
BROADCAST=10.10.10.63
ONBOOT=yes
[root@notebook network-scripts]# ifup eth0.2

BSD-like:

The ifconfig syntax is ifconfig vlan_device vlan vlan_id vlandev parent_device:

ifconfig vlan0 vlan 2 vlandev xl0
ifconfig vlan0 inet 10.10.10.1 netmask 255.255.255.192

For the interface to come up automatically, edit /etc/rc.conf (the VLAN ID here must be the same 2 as above):

cloned_interfaces="vlan0" # needs a recent STABLE; on older systems use:
#network_interfaces="lo0 vlan0"
ifconfig_vlan0="inet 10.10.10.1 netmask 255.255.255.192 vlan 2 vlandev xl0"
# Note: if you do not assign an IP address to the parent device, you need to
# bring it up explicitly:
ifconfig_xl0="up"

Now to the more interesting part, setting up the network switches. Layer 2 switches differ: different switches have different menus and are configured differently, but there is usually nothing complicated about it and the principle is the same. I will give a few examples.

The scenario: the server is plugged into port 1 and takes VLAN 2 tagged; VLAN 2 must be delivered untagged to ports 4, 5 and 6 (the clients) and tagged to port 2 (the uplink).

On D-Link: first remove VLAN 1 from all ports and put it back, untagged, only on the ports that stay in it; then create VLAN 2, deliver it tagged to ports 1 and 2 and untagged to ports 4, 5 and 6. There is no separate PVID step in this config; on Asotel below it is explicit.

config vlan default delete 1-26
config vlan default add untagged 1,3,7-24
create vlan Offices tag 2
config vlan Offices add tagged 1,2
config vlan Offices add untagged 4,5,6
save

Now plug a device into port 4, give it an address from the 10.10.10.0/26 range and check it with plain pings.

On Asotel:

set 1qvlan create 2 Offices   # create VLAN 2
set 1qvlan modify -4-5-6 1 0  # remove VLAN 1 from ports 4, 5 and 6
set 1qvlan modify +1+2 2 1    # deliver VLAN 2 tagged to ports 1 and 2
set 1qvlan modify +4+5+6 2 0  # deliver VLAN 2 untagged to ports 4, 5 and 6
set 1qvlan pvid 4 2           # tell the switch that port 4 belongs to VLAN 2; do the same for ports 5 and 6
set 1qvlan pvid 5 2
set 1qvlan pvid 6 2

The pvid lines matter: untagged frames from a client carry no VLAN information, so the switch assigns them to the port's PVID (the native VLAN mentioned above). Without them the clients' frames would be classified into VLAN 1, which these ports have just been removed from.

On EdgeCore / LinkSys:

Vty-0#configure
Vty-0(config)#vlan database
Vty-0(config-vlan)#
Vty-0(config-vlan)#vlan 2 name Offices media ethernet state active
Vty-0(config-vlan)#exit
Vty-0(config)#interface ethernet 1/1
Vty-0(config-if)#switchport mode trunk
Vty-0(config-if)#switchport allowed vlan add 2 tagged
Vty-0(config-if)#exit
Vty-0(config)#interface ethernet 1/2
Vty-0(config-if)#switchport mode trunk
Vty-0(config-if)#switchport allowed vlan add 2 tagged
Vty-0(config-if)#exit
Vty-0(config)#interface ethernet 1/4
Vty-0(config-if)#switchport mode access
Vty-0(config-if)#switchport allowed vlan add 2 untagged
Vty-0(config-if)#switchport native vlan 2
Vty-0(config-if)#exit
Vty-0(config)#interface ethernet 1/5
Vty-0(config-if)#switchport mode access
Vty-0(config-if)#switchport allowed vlan add 2 untagged
Vty-0(config-if)#switchport native vlan 2
Vty-0(config-if)#exit
Vty-0(config)#interface ethernet 1/6
Vty-0(config-if)#switchport mode access
Vty-0(config-if)#switchport allowed vlan add 2 untagged
Vty-0(config-if)#switchport native vlan 2
Vty-0(config-if)#exit
Vty-0(config)#exit
Vty-0#copy running-config startup-config
; To verify, run:
Vty-0#show running-config
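Because the three vendors express the same thing in three syntaxes, here is an added Python example (not from the original article) that models the per-port VLAN tables an 802.1Q switch keeps and replays the D-Link steps above on it, with the PVID step that Asotel makes explicit. It then checks the result for the usual mistakes: a port untagged in two VLANs, a port untagged in a VLAN whose PVID points elsewhere, and a PVID VLAN the port is not a member of. The port numbers and VLAN IDs are the article's; the model itself (no MAC learning, no spanning tree, ports 1-24 only, ingress filtering always on) is a simplification made for this example.

```python
"""A minimal model of the switch-side VLAN tables.

Added example (not from the original article): the D-Link/Asotel configuration
from the text replayed on a small 802.1Q bridge model so the port roles can be
checked before touching a real switch. Every switch keeps the same three things
per VLAN and port: tagged membership, untagged membership and the PVID that
untagged ingress frames are assigned to. Simplifications: no MAC learning or
spanning tree; the D-Link's ports 25-26 are left out since its config never
re-adds them.
"""


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        # Factory default, as the article says: every port untagged in VLAN 1, PVID 1.
        self.tagged = {1: set()}
        self.untagged = {1: set(self.ports)}
        self.pvid = {p: 1 for p in self.ports}

    def create_vlan(self, vid):
        self.tagged.setdefault(vid, set())
        self.untagged.setdefault(vid, set())

    def add_tagged(self, vid, *ports):
        self.create_vlan(vid)
        self.tagged[vid].update(ports)
        self.untagged[vid].difference_update(ports)  # tagged or untagged in a VLAN, never both

    def add_untagged(self, vid, *ports):
        self.create_vlan(vid)
        self.untagged[vid].update(ports)
        self.tagged[vid].difference_update(ports)

    def remove(self, vid, *ports):
        self.tagged.get(vid, set()).difference_update(ports)
        self.untagged.get(vid, set()).difference_update(ports)

    def set_pvid(self, port, vid):
        self.pvid[port] = vid

    def member(self, vid, port):
        return port in self.tagged.get(vid, set()) or port in self.untagged.get(vid, set())

    def ingress(self, port, vid=None):
        """VLAN a received frame is classified into, or None if dropped.
        Untagged frames take the port's PVID; the frame is dropped when the
        port is not a member of the resulting VLAN (ingress filtering)."""
        if vid is None:
            vid = self.pvid[port]
        return vid if self.member(vid, port) else None

    def egress(self, vid, in_port):
        """Ports a frame in `vid` is flooded to, and whether it leaves tagged."""
        out = {p: "tagged" for p in self.tagged.get(vid, set()) if p != in_port}
        out.update({p: "untagged" for p in self.untagged.get(vid, set()) if p != in_port})
        return out

    def check(self):
        """Consistency findings as (kind, port, vid) tuples, in port order."""
        findings = []
        for p in self.ports:
            u = sorted(v for v, ports in self.untagged.items() if p in ports)
            if len(u) > 1:
                findings.append(("multi-untagged", p, tuple(u)))
            for v in u:
                if self.pvid[p] != v:
                    # Sends untagged in v but classifies untagged ingress elsewhere:
                    # the client's replies land in a different VLAN than its requests.
                    findings.append(("untagged-pvid-mismatch", p, v))
            if not self.member(self.pvid[p], p):
                # Untagged frames arriving here go to a VLAN the port is not part of.
                findings.append(("pvid-not-member", p, self.pvid[p]))
        return findings


def article_switch(forget_pvid=False):
    """The article's scenario (server on port 1, uplink on port 2, clients on
    4-6) expressed with the D-Link steps; the PVID step is the one Asotel
    makes explicit with 'set 1qvlan pvid'."""
    sw = Switch(range(1, 25))
    sw.remove(1, *range(1, 25))               # config vlan default delete 1-26
    sw.add_untagged(1, 1, 3, *range(7, 25))   # config vlan default add untagged 1,3,7-24
    sw.create_vlan(2)                         # create vlan Offices tag 2
    sw.add_tagged(2, 1, 2)                    # config vlan Offices add tagged 1,2
    sw.add_untagged(2, 4, 5, 6)               # config vlan Offices add untagged 4,5,6
    if not forget_pvid:
        for p in (4, 5, 6):
            sw.set_pvid(p, 2)                 # set 1qvlan pvid 4 2 (and 5, 6)
    return sw


if __name__ == "__main__":
    sw = article_switch()
    print("findings:", sw.check())
    print("untagged frame on port 4 ->", sw.ingress(4))
    print("VLAN 2 from port 4 leaves on:", sw.egress(2, 4))
    print("without the pvid step, port 4 ->", article_switch(forget_pvid=True).ingress(4))
```

On the article's configuration check() reports a single finding, for port 2: it carries VLAN 2 tagged only, its PVID is still 1, and it is no longer a member of VLAN 1, so an untagged frame arriving from the uplink is simply dropped. That is usually what you want on a trunk, but it is worth knowing. With the pvid step left out (forget_pvid=True) a client on port 4 is classified into VLAN 1, a VLAN the port has just been removed from, and ingress() returns None: its frames never enter VLAN 2 and the plain pings fail.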
P.S. I have tried to show the principle of setting up the equipment as briefly and clearly as possible.