To begin, let us define what an 802.1Q VLAN is. So as not to reinvent the wheel, here is a short excerpt from Wikipedia:
VLAN (Virtual Local Area Network) is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical LAN, but it allows end stations to be grouped together even when they are not on the same physical network segment. Such a regrouping is done in software instead of by physically moving devices.
On Cisco devices, VTP (VLAN Trunking Protocol) distributes the VLAN database within a VTP domain to simplify administration. VTP pruning also cuts down unnecessary flooding by sending a VLAN's traffic only to those switches that actually have ports in that VLAN. For trunking, Cisco switches historically used the proprietary Inter-Switch Link (ISL) protocol; current ones use standard 802.1Q.
By default every switch port belongs to VLAN 1, which is also the default management VLAN. VLAN 1 cannot be deleted, but additional VLANs can be created and ports reassigned to them. Good practice is to keep management traffic out of VLAN 1 and to leave no production hosts in it, precisely because every port starts out there.
The native VLAN is a per-port parameter that determines which VLAN number untagged frames received on that port are assigned to (many switches call it the PVID). On a trunk it also works in the other direction: frames of the native VLAN are sent out without a tag. That is why the native VLAN of a trunk should be a VLAN that no access port uses: an untagged frame arriving on the trunk, or a frame carrying two tags whose outer tag is the native VLAN, would otherwise end up in a VLAN it was never meant to reach.
What is it for? There are several situations:
1. The trivial case: there is a large (city-wide) network, and within the area it covers we have two offices that need to be joined into one logical network, while the rest of the city network must not see or reach the office machines. This could of course be solved with a VPN, but encrypting traffic on the order of 100 Mbit/s needs rather serious hardware, so we use VLANs instead. Keep in mind that a VLAN only separates traffic; unlike a VPN it does not encrypt it, so anyone who gets access to a trunk port or to the intermediate switches can still read it.
2. There are many subnets scattered geographically around the city, and each subnet needs its own interface. At first you can get by with extra network cards, but networks tend to grow, and what do you do in a situation like this?
serv:~# ifconfig | grep eth | wc -l
152
serv:~#
3. A client must be issued a block of 4, 8, 16, etc. addresses.
4. Reducing the amount of broadcast traffic on the network.
Each VLAN is a separate broadcast domain. A switch is an OSI Layer 2 device: all ports of a switch with no VLANs configured are in the same broadcast domain. Creating VLANs on a switch splits it into several broadcast domains. If the same VLAN exists on several switches, the ports of those switches that belong to it form one broadcast domain.
5. Improving network security and manageability.
When the network is divided into VLANs, applying policies and security rules becomes simpler: policies can be applied to whole subnets rather than to individual devices. In addition, getting from one VLAN to another requires passing through a Layer 3 device, which is normally where the rules allowing or denying access between VLANs are applied (provided, of course, that no trunk or misconfigured port offers a Layer 2 path around it).
And there are many other reasons and situations in which this may be needed.
How do I do all this? Easy!
VLAN traffic tagging
When a computer sends traffic onto the network, it does not even know which VLAN it is in; the switch takes care of that. The switch knows that the computer connected to a given port belongs to the corresponding VLAN. Traffic arriving on a port in one VLAN looks no different from traffic in another VLAN: in other words, the frames themselves carry no information about which VLAN they belong to.
However, if traffic from more than one VLAN can arrive on a port, the switch must somehow tell it apart. To do that, each frame must be marked in a special way, and the mark must say which VLAN the frame belongs to.
The most common way of applying this mark is described in the open standard IEEE 802.1Q: a 4-byte tag (a 16-bit TPID of 0x8100 followed by a 16-bit TCI that carries the 12-bit VLAN ID) is inserted between the source MAC address and the EtherType. Proprietary protocols that solve the same problem exist, for example ISL from Cisco Systems, but they are far less popular (and becoming less so).
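The tag format, and the native VLAN rule from the definition above, as an added example written for this page (it is not code from the original article): pure Python with the standard struct module, building and parsing 802.1Q frames. The MAC addresses and payload are constructed sample data. The last function walks a double-tagged frame through a trunk whose native VLAN equals the outer tag, which is the reason the native VLAN of a trunk should not be one that access ports use.

```python
import struct

# EtherType values that announce a VLAN tag (IEEE 802.1Q and 802.1ad).
TPID_8021Q = 0x8100    # customer tag: the ordinary 802.1Q tag
TPID_8021AD = 0x88A8   # service tag (QinQ / provider bridging)
TPIDS = {TPID_8021Q, TPID_8021AD}


def build_tag(vid, pcp=0, dei=0, tpid=TPID_8021Q):
    """4-byte tag: 16-bit TPID, then the 16-bit TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return struct.pack("!HH", tpid, tci)


def build_frame(dst, src, ethertype, payload, tags=()):
    """Ethernet II frame with zero or more tags between the source MAC and the
    EtherType; `tags` is a sequence of (vid, tpid) pairs, outermost first."""
    tag_bytes = b"".join(build_tag(vid, tpid=tpid) for vid, tpid in tags)
    return dst + src + tag_bytes + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload); tags is a list of
    (tpid, pcp, dei, vid) tuples, outermost first, empty for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return dst, src, tags, etype, frame[off + 2:]


def classify_ingress(frame, pvid):
    """The native VLAN rule: a tagged frame belongs to the VLAN in its outermost
    tag; an untagged frame is assigned the port's PVID (native VLAN)."""
    tags = parse_frame(frame)[2]
    return tags[0][3] if tags else pvid


def strip_outer_tag(frame):
    """Egress through a port where the frame's VLAN is untagged (e.g. the native
    VLAN of a trunk): the bridge removes only the outermost tag, bytes 12..15.
    An inner tag, if present, stays in place for the next switch to read."""
    if struct.unpack_from("!H", frame, 12)[0] in TPIDS:
        return frame[:12] + frame[16:]
    return frame


def double_tag_walk(outer_vid, inner_vid):
    """Constructed double-tagged frame entering a switch and leaving it on a trunk
    whose native VLAN is outer_vid. Returns the VLAN each switch files it under:
    the first sees outer_vid, the next hop sees inner_vid, because the first
    switch stripped the native tag on egress."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0800,
                        b"constructed sample payload",
                        tags=[(outer_vid, TPID_8021Q), (inner_vid, TPID_8021Q)])
    first_hop = classify_ingress(frame, pvid=outer_vid)
    second_hop = classify_ingress(strip_outer_tag(frame), pvid=outer_vid)
    return first_hop, second_hop


if __name__ == "__main__":
    print(double_tag_walk(1, 2))   # (1, 2)
```

The walk only works because the trunk's native VLAN coincides with the outer tag; with an unused VLAN as the trunk's native VLAN the first switch would keep the outer tag, and the next hop would file the frame under that unused VLAN rather than under inner_vid.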
Configuration is usually done on servers and on switches.
By default all network devices are in the first (default) VLAN, VLAN 1, so we will bring up a second one, VLAN 2.
Depending on the server's OS, VLANs are configured differently. In this article I will try to describe the various ways of configuring VLANs on different operating systems as briefly and clearly as possible.
So here we go: on each OS we will do the same task, configure VLAN 2 with an address space of 64 addresses, 10.10.10.0/26.
First we need to work out the mask, the broadcast address and the gateway; ipcalc comes to the rescue :)
Address: 10.10.10.0 00001010.00001010.00001010.00 000000
Netmask: 255.255.255.192 = 26 11111111.11111111.11111111.11 000000
Wildcard: 0.0.0.63 00000000.00000000.00000000.00 111111
=>
Network: 10.10.10.0/26 00001010.00001010.00001010.00 000000 (Class A)
Broadcast: 10.10.10.63 00001010.00001010.00001010.00 111111
HostMin: 10.10.10.1 00001010.00001010.00001010.00 000001
HostMax: 10.10.10.62 00001010.00001010.00001010.00 111110
Hosts/Net: 62 (Private Internet)
We will make the gateway 10.10.10.1, the mask 255.255.255.192 (/26) and the broadcast 10.10.10.63.
That leaves 61 addresses for clients: 10.10.10.2 - 10.10.10.62.
Debian-like:
We need to install the vlan package (it provides the ifupdown hook that creates eth0.N interfaces and loads the 8021q module).
# apt-get install vlan
Next, go to /etc/network/ and edit the interfaces file:
# nano interfaces
auto eth0.2 # VLAN 2 on eth0
iface eth0.2 inet static
address 10.10.10.1
netmask 255.255.255.192
broadcast 10.10.10.63
Bring up the interface:
# ifup eth0.2
Red-Hat-like:
For Red Hat-like systems we need the vconfig VLAN configuration utility (on current releases it has been replaced by iproute2: ip link add link eth0 name eth0.2 type vlan id 2; the ifcfg file below stays the same):
[root@notebook ~]# yum search vconfig
vconfig.i686 : Linux 802.1q VLAN configuration utility
[root@notebook ~]# yum install -y vconfig
Add VLAN 2 on top of eth0:
[root@notebook ~]# vconfig add eth0 2
Go to /etc/sysconfig/network-scripts, create the interface file and edit it:
[root@notebook ~]# cd /etc/sysconfig/network-scripts
[root@notebook network-scripts]# touch ifcfg-eth0.2
[root@notebook network-scripts]# nano ifcfg-eth0.2
DEVICE=eth0.2
VLAN=yes
PHYSDEV=eth0
BOOTPROTO=static
IPADDR=10.10.10.1
NETMASK=255.255.255.192
BROADCAST=10.10.10.63
ONBOOT=yes
Bring up the interface:
[root@notebook network-scripts]# ifup eth0.2
BSD-like:
The syntax is: ifconfig <vlan_device> vlan <vlan_id> vlandev <parent_device>. On a current FreeBSD the vlan interface has to be created first:
# ifconfig vlan0 create
# ifconfig vlan0 vlan 2 vlandev xl0
# ifconfig vlan0 inet 10.10.10.1 netmask 255.255.255.192
For the interface to be brought up automatically, edit /etc/rc.conf:
cloned_interfaces="vlan0" # needs a reasonably recent STABLE; on older releases use:
# network_interfaces="lo0 vlan0"
ifconfig_vlan0="inet 10.10.10.1 netmask 255.255.255.192 vlan 2 vlandev xl0"
# Note: if you do not assign an IP address to the parent device, you need to
# bring it up explicitly:
ifconfig_xl0="up"
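The three OS configurations above all derive from the same few numbers: parent interface, VLAN ID and subnet. The following added example, written for this page and not part of the original article, computes the ipcalc values with Python's ipaddress module and renders the Debian, Red Hat and FreeBSD fragments; it uses the file formats shown above plus the standard vlan-raw-device (ifupdown) and VLAN=yes/PHYSDEV (network-scripts) keys. It also rejects VLAN IDs outside 1-4094 and a CIDR with host bits set, two typos that otherwise surface only as a silent misconfiguration.

```python
import ipaddress


def vlan_plan(cidr, vlan_id, gateway_index=1):
    """Derive what the article reads off ipcalc: gateway, mask, broadcast and the
    client range. gateway_index=1 means the first usable host (10.10.10.1 above)."""
    if not 1 <= vlan_id <= 4094:              # VIDs 0 and 4095 are reserved by 802.1Q
        raise ValueError(f"VLAN ID {vlan_id} outside 1-4094")
    net = ipaddress.ip_network(cidr, strict=True)   # strict: 10.10.10.5/26 is rejected
    hosts = list(net.hosts())
    gateway = hosts[gateway_index - 1]
    clients = [h for h in hosts if h != gateway]
    return {
        "vlan": vlan_id,
        "gateway": str(gateway),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "client_first": str(clients[0]),
        "client_last": str(clients[-1]),
        "client_count": len(clients),
    }


def debian_interfaces(parent, plan):
    """Stanza for /etc/network/interfaces (ifupdown with the vlan package)."""
    dev = f"{parent}.{plan['vlan']}"
    return "\n".join([
        f"auto {dev}",
        f"iface {dev} inet static",
        f"    address {plan['gateway']}",
        f"    netmask {plan['netmask']}",
        f"    broadcast {plan['broadcast']}",
        f"    vlan-raw-device {parent}",   # explicit parent; the eth0.N name alone would also do
    ]) + "\n"


def rhel_ifcfg(parent, plan):
    """Contents of /etc/sysconfig/network-scripts/ifcfg-<parent>.<vid>."""
    dev = f"{parent}.{plan['vlan']}"
    return "\n".join([
        f"DEVICE={dev}",
        "VLAN=yes",
        f"PHYSDEV={parent}",
        "BOOTPROTO=static",
        f"IPADDR={plan['gateway']}",
        f"NETMASK={plan['netmask']}",
        f"BROADCAST={plan['broadcast']}",
        "ONBOOT=yes",
    ]) + "\n"


def freebsd_rc_conf(parent, plan, vlan_if="vlan0"):
    """Lines for /etc/rc.conf; the parent is brought up even without an address."""
    return "\n".join([
        f'cloned_interfaces="{vlan_if}"',
        f'ifconfig_{vlan_if}="inet {plan["gateway"]} netmask {plan["netmask"]} '
        f'vlan {plan["vlan"]} vlandev {parent}"',
        f'ifconfig_{parent}="up"',
    ]) + "\n"


if __name__ == "__main__":
    plan = vlan_plan("10.10.10.0/26", 2)
    print(plan)
    print(debian_interfaces("eth0", plan))
    print(rhel_ifcfg("eth0", plan))
    print(freebsd_rc_conf("xl0", plan))
```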
Now we come to the more interesting part: configuring the network switches.
Layer 2 switches differ, so I will give several configuration examples. Different switches have different menus and are configured differently, but there is usually nothing complicated about it and the principle is the same everywhere. The scenario: the server is plugged into port 1; VLAN 2 must be delivered untagged to ports 4, 5 and 6, and tagged to port 2 (and to port 1, so that the server's eth0.2 sees it).
On D-Link:
First all 26 ports are removed from the default VLAN, then only the ports that should stay in VLAN 1 are added back untagged; VLAN 2 gets ports 1 and 2 tagged and ports 4, 5 and 6 untagged.
config vlan default delete 1-26
config vlan default add untagged 1,3,7-24
create vlan Offices tag 2
config vlan Offices add tagged 1,2
config vlan Offices add untagged 4,5,6
save
Now plug a network device into port 4, give it an address from the 10.10.10.0/26 range and simply check with ping.
On Asotel (the same membership as on the D-Link above; the trailing 0/1 is the untagged/tagged flag):
set 1qvlan create 2 Offices      # create VLAN 2 named Offices
set 1qvlan modify -4-5-6 1 0     # remove ports 4, 5, 6 from VLAN 1 (untagged)
set 1qvlan modify +1+2 2 1       # add ports 1, 2 to VLAN 2 tagged
set 1qvlan modify +4+5+6 2 0     # add ports 4, 5, 6 to VLAN 2 untagged
set 1qvlan pvid 4 2              # PVID 2 on port 4, and likewise on 5 and 6
set 1qvlan pvid 5 2
set 1qvlan pvid 6 2
On EdgeCore / LinkSys:
Vty-0#configure
Vty-0(config)#vlan database
Vty-0(config-vlan)#
Vty-0(config-vlan)#vlan 2 name Offices media ethernet state active
Vty-0(config-vlan)#exit
Vty-0(config)#interface ethernet 1/1
Vty-0(config-if)#switchport mode trunk
Vty-0(config-if)#switchport allowed vlan add 2 tagged
Vty-0(config-if)#exit
Vty-0(config)#interface ethernet 1/2
Vty-0(config-if)#switchport mode trunk
Vty-0(config-if)#switchport allowed vlan add 2 tagged
Vty-0(config-if)#exit
Vty-0(config)#interface ethernet 1/4
Vty-0(config-if)#switchport mode access
Vty-0(config-if)#switchport allowed vlan add 2 untagged
Vty-0(config-if)#switchport native vlan 2
Vty-0(config-if)#exit
Vty-0(config)#interface ethernet 1/5
Vty-0(config-if)#switchport mode access
Vty-0(config-if)#switchport allowed vlan add 2 untagged
Vty-0(config-if)#switchport native vlan 2
Vty-0(config-if)#exit
Vty-0(config)#interface ethernet 1/6
Vty-0(config-if)#switchport mode access
Vty-0(config-if)#switchport allowed vlan add 2 untagged
Vty-0(config-if)#switchport native vlan 2
Vty-0(config-if)#exit
Vty-0(config)#exit
Vty-0#copy running-config startup-config
Vty-0#show running-config
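Before you plug the cable into port 4, it is worth checking the membership table on paper. The following added example (not from the original article or from any vendor) models one switch's 802.1Q membership and PVIDs and applies the checks a practitioner would want: no port untagged in two VLANs, every port a member of its PVID VLAN, and no trunk using VLAN 1 as its native VLAN. The dlink_scenario() function encodes the D-Link configuration above on a 26-port switch; it assumes PVIDs change only when set explicitly (as in the Asotel and EdgeCore versions), which is an assumption of the model, not a statement about D-Link firmware.

```python
class VlanTable:
    """Static 802.1Q membership of one switch: per VLAN, which ports carry it
    tagged and which untagged, plus each port's PVID (the VLAN that untagged
    ingress frames are classified into, i.e. the port's native VLAN)."""

    def __init__(self, port_count):
        self.ports = list(range(1, port_count + 1))
        self.tagged = {}      # vid -> set of ports carrying it tagged
        self.untagged = {}    # vid -> set of ports carrying it untagged
        # Factory state described in the article: every port untagged in VLAN 1, PVID 1.
        self.untagged[1] = set(self.ports)
        self.pvid = {p: 1 for p in self.ports}

    def delete(self, vid, ports):
        self.tagged.get(vid, set()).difference_update(ports)
        self.untagged.get(vid, set()).difference_update(ports)

    def add(self, vid, ports, tagged):
        target, other = (self.tagged, self.untagged) if tagged else (self.untagged, self.tagged)
        target.setdefault(vid, set()).update(ports)
        other.get(vid, set()).difference_update(ports)   # a port is tagged or untagged in a VLAN, not both

    def set_pvid(self, port, vid):
        self.pvid[port] = vid

    def members(self, vid):
        """Ports forming this VLAN's broadcast domain on this switch."""
        return self.tagged.get(vid, set()) | self.untagged.get(vid, set())

    def is_trunk(self, port):
        return any(port in ports for ports in self.tagged.values())

    def check(self):
        findings = []
        for p in self.ports:
            untagged_in = sorted(v for v, ports in self.untagged.items() if p in ports)
            if len(untagged_in) > 1:
                findings.append(f"error: port {p} is untagged in VLANs {untagged_in}; "
                                "frames leaving it cannot be told apart")
            pv = self.pvid[p]
            if p not in self.members(pv):
                findings.append(f"warn: port {p} has PVID {pv} but is not a member of VLAN {pv}; "
                                "what happens to untagged ingress frames depends on the ingress filtering setting")
            if self.is_trunk(p) and pv == 1:
                findings.append(f"warn: trunk port {p} uses VLAN 1 as its native VLAN; "
                                "use a dedicated unused VLAN so untagged frames on the trunk reach no hosts")
        return findings


def dlink_scenario():
    """The D-Link commands from the article, replayed against the model."""
    sw = VlanTable(26)
    sw.delete(1, range(1, 27))                               # config vlan default delete 1-26
    sw.add(1, [1, 3] + list(range(7, 25)), tagged=False)     # config vlan default add untagged 1,3,7-24
    sw.add(2, [1, 2], tagged=True)                           # config vlan Offices add tagged 1,2
    sw.add(2, [4, 5, 6], tagged=False)                       # config vlan Offices add untagged 4,5,6
    for p in (4, 5, 6):                                      # assumption: PVID set explicitly, as on the other switches
        sw.set_pvid(p, 2)
    return sw


if __name__ == "__main__":
    sw = dlink_scenario()
    print("VLAN 2 broadcast domain:", sorted(sw.members(2)))
    for line in sw.check():
        print(line)
```

Run against the article's configuration, the model reports no errors, but it does point out that port 2 (and the untouched ports 25 and 26) keep PVID 1 while no longer being members of VLAN 1, and that port 1, which carries VLAN 1 untagged to the server and VLAN 2 tagged, is a trunk with VLAN 1 as its native VLAN. Both are design decisions here rather than mistakes, but they are exactly the things to write down before someone later re-adds a port to the default VLAN.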
P.S. I have tried to show, briefly, clearly and with examples, the principle of configuring the equipment.