Thread: Linux and Inter-vlan Routing

Linux and Inter-vlan Routing
Iran, Islamic Republic of
2007-08-03 21:02:36
Hi dears...
I have 10 Cisco 2950T switches that connect together via the 802.1q protocol, and don't have any Layer 3 switch or router. I want to know whether a Linux box can act as a layer 3 device with the config below, or can do inter-vlan routing???
My Intranet interface is VLAN 1 (eth0).
My LAN interface faces VLAN 2 (eth1).
My DMZ interface faces VLAN 3 (eth2).
eth0 (linux) -> switch (fas0/1) (switchport mode trunk)
eth1 (linux) -> switch (fas0/2) (switchport access vlan 2)
eth2 (linux) -> switch (fas0/3) (switchport access vlan 3)
////////
Intranet: 192.168.100.0/24 (for switch management)
LAN: 172.16.3.0/24
DMZ: 192.168.1.0/24
/////////
I already installed the VLAN package and the config is:
#modprobe 8021q
#vconfig add eth1 2
#vconfig add eth2 3
My interfaces script is:
auto eth0
iface eth0 inet static
address 192.168.100.91
netmask 255.255.255.0
vlan_raw_device eth0
auto eth1
iface eth1 inet static
address 172.16.3.1
netmask 255.255.255.0
network 172.16.3.0
broadcast 172.16.3.255
vlan_raw_device eth0
iface eth2 inet static
address 192.168.1.192
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
vlan_raw_device eth0
Iptables:
(192.168.1.80 is our sql-server)
*nat
-A PREROUTING -s 172.16.3.0/255.255.255.0 -d 192.168.1.80 -p tcp -m multiport --dports 1433 -j ACCEPT
-A POSTROUTING -s 172.16.3.0/255.255.255.0 -d 192.168.1.80 -j MASQUERADE
*filter
-A FORWARD -i eth1 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
best regards
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster lists.debian.org

Re: Linux and Inter-vlan Routing
2007-08-04 02:55:42
Mahdi Rahimi wrote:
> I have 10 Cisco 2950T switches that connect together via the 802.1q protocol,
> and don't have any Layer 3 switch or router. I want to know whether a Linux box
> can act as a layer 3 device with the config below, or can do inter-vlan routing???
> My interfaces script is:
>
> auto eth0
> iface eth0 inet static
> address 192.168.100.91
> netmask 255.255.255.0
> vlan_raw_device eth0
This is not a vlan, but the real interface. Use eth0.1 for the interface name if you want vlan1 on eth0, eth0.2 for vlan2 on eth0 and so on.
Tip: avoid using vlan1, as it's a special vlan.
For your 3 network cards, if they are connected to the same switch, I would not use them as separate interfaces to the switch, but instead group them into an etherchannel. This is what I am using at home (Debian to a 2950T):
auto bond0 bond0.2
iface bond0 inet manual
slaves eth0 eth1 eth2 eth3
iface bond0.2 inet static
vlan-raw-device bond0
address 10.2.1.1
network 10.2.1.0
netmask 255.255.255.0
broadcast 10.2.1.255
!Cisco:
interface Port-channel1
switchport mode trunk
switchport nonegotiate
flowcontrol send off
!
interface FastEthernet0/9
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
!
interface FastEthernet0/10
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
!
interface FastEthernet0/11
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
!
interface FastEthernet0/12
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
!
--
Tot ziens,
Bart-Jan
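As an added example (not part of the thread), a small checker for /etc/network/interfaces stanzas that encodes the two points made in this reply: a vlan_raw_device line on an interface not named raw.N marks the real interface, not a VLAN, and VLAN 1 is best avoided. The sample stanzas are constructed from the first post, with a hypothetical eth0.1 stanza added to exercise the VLAN 1 check.

```python
import re
# Constructed sample: Mahdi's stanzas from the first post plus a hypothetical
# eth0.1 stanza to exercise the "avoid VLAN 1" tip.
SAMPLE = """\
auto eth0
iface eth0 inet static
    address 192.168.100.91
    vlan_raw_device eth0
iface eth1 inet static
    address 172.16.3.1
    vlan_raw_device eth0
iface eth0.2 inet static
    vlan-raw-device eth1
iface eth0.1 inet static
    vlan_raw_device eth0
"""
# ifupdown's vlan hook derives the VLAN id from a "raw.N" interface name.
VLAN_NAME = re.compile(r"^(?P<raw>[A-Za-z0-9]+)\.(?P<vid>\d+)$")

def parse_stanzas(text: str) -> dict:
    """Return {iface: {option: value}} for each iface stanza in text."""
    stanzas, current = {}, None
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "iface":
            current = parts[1].split()[0]
            stanzas[current] = {}
        elif parts[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None
        elif current is not None and len(parts) == 2:
            # ifupdown accepts vlan_raw_device and vlan-raw-device alike.
            stanzas[current][parts[0].replace("-", "_")] = parts[1]
    return stanzas

def check_vlans(text: str) -> list:
    """List VLAN misconfigurations; an empty list means the file is clean."""
    problems = []
    for name, opts in parse_stanzas(text).items():
        m, raw = VLAN_NAME.match(name), opts.get("vlan_raw_device")
        if m is None:
            if raw:  # eth0 with vlan_raw_device is the real interface, not a VLAN
                problems.append(f"{name}: vlan_raw_device {raw} on a real interface, not a VLAN")
            continue
        if raw and raw != m["raw"]:
            problems.append(f"{name}: vlan_raw_device {raw} does not match parent {m['raw']}")
        if m["vid"] == "1":
            problems.append(f"{name}: VLAN 1 is the default/native VLAN, avoid it")
    return problems
```

Running check_vlans(SAMPLE) flags eth0 and eth1 (real interfaces carrying a vlan_raw_device line), the parent mismatch on eth0.2, and the use of VLAN 1 on eth0.1.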

Re: Linux and Inter-vlan Routing
Iran, Islamic Republic of
2007-08-04 04:54:14
Dear Bart-Jan, thanks for your attention.
I have corrected my network configuration:
1) remove all interfaces on Debian except 1 interface
2) connect it to switch 2950 configured as Trunk
3)
#modprobe 8021q
#vconfig add eth0 2
#vconfig add eth0 4
4) vi /etc/network/interfaces
auto eth0
auto eth0.2
iface eth0.2 inet static
address x.x.x.x
...
auto eth0.4
iface eth0.4 inet static
address x.x.x.x
....
5) vi /etc/default/dhcp3-server
interface "eth0.4"
problems:
1) but my DHCP server doesn't work!!! on the eth0.4 interface.
2) Is the VLAN ID on the 2950 the same as on the vconfig?
3) Does my server require any patch?
best regards
-------------------------
rahimieaedu.net
rahimi_mcse.shirazu.ac.ir

Re: Linux and Inter-vlan Routing
2007-08-04 09:35:17
Mahdi Rahimi wrote:
> Dear Bart-jan Thanks for attention.
> I have correct my network configurations:
> 1) remove all interfaces on Debian except 1 interface
> 2) connect it to switch 2950 configured as Trunk
> 3)
> #modprobe 8021q
> #vconfig add eth0 2
> #vconfig add eth0 4
> 4) vi /etc/network/interfaces
>
> auto eth0
>
> auto eth0.2
> iface eth0.2 inet static
> address x.x.x.x
> ...
> auto eth0.4
> iface eth0.4 inet static
> address x.x.x.x
> ....
> 5) vi /etc/default/dhcp3-server
> interface "eth0.4"
>
> problems:
> 1) but my DHCP server doesn't work!!! on the eth0.4 interface.
Mmm, weird. What does syslog say?
> 2) Is the Vlan ID on 2950 same as on the vconfig?
You don't need to (or shouldn't?) do the vconfigs yourself. They are done by the interfaces file automagically.
If ifup doesn't recognize the vlan, then please add the correct vlan_raw_device statement.
> 3) My server require any patch?
Dunno. You could run into problems if your network card can't handle larger than normal frames (a tagged vlan increases the frame size by 4 bytes). This is usually a hardware limitation...
--
Tot ziens,
Bart-Jan

Re: Linux and Inter-vlan Routing
Australia
2007-08-04 19:48:45
On Aug 04, Bart-Jan Vrielink illuminated :
> Tip: avoid using vlan1, as it's a special vlan.
>
It's not special, just a default. Special would imply that it is treated differently from any other vlan, which it is not.
Besides, if you feel you need a default vlan other than '1' later, you can set any other vlan as default.
./jp
--
Jean-Paul Blaquiere
jeanpaul blaquiere.id.au
http://www.blaquiere.id.au
http://japester.ucc.asn.au/

Re: Linux and Inter-vlan Routing
2007-08-07 02:07:48
Jean-Paul Blaquiere wrote:
>> On Aug 07, tomfi illuminated :
>
>> I think in Cisco Vlan 1 is treated special ....
>> just try lab:
>> make 802.1q trunk between switches
>> make this trunk native vlan other than vlan 1.
>> turn on PVST
>> look on untagged frames and you will see that Vlan 1 is somehow special ;)
>>
>> And yes ... there is another speciality... You cannot remove this vlan ;)
>>
>> And .... just kidding ... there are some other specialties ... but I
>> don't want to write all here ;)
>>
> for /most/ practical purposes, it's just another VLAN. In all the
> workplaces I've been to, that is how it has been used. Thinking about
> it, yes, it is kind of special in its non-removable state.
Yes, at this point you must "only" strongly remember that it is the default/native vlan, so not so secure (people are not error prone).
I think one of the good practices is to use this vlan as "guest vlan".
> I've also not had direct experience configuring trunking, apart from the
> CCNA's requirements. Using yes, not configuring, so haven't discovered
> the little quirks like you have mentioned here.
Yes, it is not part of CCNA, and I appreciate seeing somebody who knows his knowledge (meant as praise).
Tomfi

Re: Linux and Inter-vlan Routing
Germany
2007-08-07 03:06:01
Hi Tomfi,
On Tue, Aug 07, 2007 at 09:07:48AM +0200, tomfi wrote:
> Yes, at this point you must "only" strongly remember that it is the
> default/native vlan, so not so secure (people are not error prone).
> I think one of the good practices is to use this vlan as "guest vlan".
Good practice is not to use it.
In addition, the native vlan on links between your switches (infrastructure devices) should be different from that on links between your switches and connected hosts, if these get trunks.
Then double tagging VLAN hopping is prevented.
Ciao
--
Rainer Nagel, freenet AG
Rainer.Nagel freenet.ag
WillstätterStr. 13, D-40549 Düsseldorf

Re: Linux and Inter-vlan Routing
2007-08-07 03:38:12
Rainer Nagel wrote:
> Hi Tomfi,
>
> On Tue, Aug 07, 2007 at 09:07:48AM +0200, tomfi wrote:
>
>> Yes, at this point you must "only" strongly remember that it is the
>> default/native vlan, so not so secure (people are not error prone).
>> I think one of the good practices is to use this vlan as "guest vlan".
>
> Good practice is not to use it.
> In addition, the native vlan on links between your switches
> (infrastructure devices) should be different from that on links between
> your switches and connected hosts, if these get trunks.
> Then double tagging VLAN hopping is prevented.
>
> Ciao
Sorry, but I must say your interpretation is not correct ... even worse, it is a VLAN hopping helper... if you do not have a consistent native vlan across all trunks, you are nice to your hackers...
Maybe it is only an English language problem ... see this page, there are anti VLAN hopping practices:
http://www.ciscopress.com/articles/article.asp?p=474239&seqNum=2&rl=1
section Mitigating VLAN Hopping Attacks
PS: I think you were trying to mention that you should not use the same native vlan on trunks as on access ports.