VLANs on Linux
To begin, we must have a more formal definition of what a LAN is. LAN stands for local area network. Hubs and switches usually are thought of as participating in a single LAN. Normally, if you connect two computers to the same hub or switch, they are on the same LAN. Likewise, if you connect two switches together, they are both on the same LAN.
A LAN includes all systems in the broadcast domain. That is, all of the systems on a single LAN receive a broadcast sent by any member of that LAN. By this definition, a LAN is bordered by routers or other devices that operate at OSI Layer 3.
Now that we've defined a LAN, what is a VLAN? VLAN stands for virtual LAN. A single VLAN-capable switch is able to participate in multiple LANs at once.
This functionality alone has a variety of uses, but VLANs become far more interesting when combined with trunking. A trunk is a single physical connection that can carry multiple VLANs. Each frame that crosses the trunk has a VLAN identifier attached to it, so it can be identified and kept within the correct VLAN.
Trunks can be used between two switches, between a switch and a router or between a switch and a computer that supports trunking. When connecting to a router or computer, each VLAN appears as a separate virtual interface.
When using trunks, it is important to consider that all the VLANs carried over the trunk share the same bandwidth. If the trunk is running over a 100Mbps interface, for example, the combined bandwidth of all the VLANs crossing that trunk is limited to 100Mbps.
VLANs provide a number of benefits to a network designer. The first advantage is the number of devices required to implement a given network topology can be reduced. Without VLANs, if your network design requires ten machines divided into five different LANs, you would need five different switches or hubs, and most of the ports would be wasted. With VLANs, this work could be done with one device.
Most routers and standard computers can support a limited number of physical network interfaces. Although dual and quad-port Ethernet adapters are available, these are expensive. For example, a quad-port Ethernet card may cost $400. VLAN capable switches start at around $500, but they support many more interfaces.
Depending on the scenario, VLANs and trunks can provide an effective way of segmenting a network without the expense and complexity of managing many physical interfaces.
Several trunk encapsulations are available. Trunks can be carried across a variety of interface types, but this article deals only with Ethernet. The two main protocols for carrying VLANs over Ethernet are ISL and 802.1q. ISL was created by Cisco prior to the standardization of 802.1q and is proprietary. 802.1q, on the other hand, is an open standard and is widely supported. Hereafter, references to trunking mean 802.1q-over-Ethernet. As a side note, 802.1q is defined on only 100Mbps or higher Ethernet; it does not support 10Mbps.
Trunks using the 802.1q protocol work by adding a 4-byte VLAN identifier to each frame. This is used on both ends to identify to which VLAN each individual frame belongs. When a switch receives a tagged unicast frame, it looks up the outgoing port using both the destination MAC address and the VLAN identifier. When a broadcast frame is received, it is flooded out to all active ports participating in that VLAN.
When a VLAN-aware router or computer receives a tagged frame, it examines the tag to determine to which virtual interface the frame belongs. This virtual interface can have an IP address and behaves basically the same as a normal physical interface.
Some switches have the concept of a native VLAN on a trunk connection. Packets sent out from the trunk port on this VLAN are untagged. Likewise, untagged packets received on this port are associated with this VLAN. Native VLANs on both ends of a trunk must match. A native-VLAN mismatch on the two ends of the trunk causes problems using the native VLAN configured on each end.
For all the benefits of VLANs and trunking, some risks must be weighed. As opposed to physical separation between network segments, VLANs rely on the switch to do the right thing. It is possible that a misconfiguration or a bug could cause the VLAN barriers to be broken.
Two risks are associated with VLANs. In the first, a packet leaks from one VLAN to another, possibly revealing sensitive information. In the second, a specially crafted packet is injected into another VLAN. Any attack that could cause the VLAN barriers to break requires a machine directly attached to the physical network. This means that only a local machine can execute an attack against the switch.
When the switch is configured properly, the chances of these problems happening are slim, but the possibility still exists. It is up to you to examine your needs and your security policy to determine if VLANs are right for you.
It is beyond the scope of this article to describe exactly how to configure your switch securely, but most vendors provide documentation outlining best practices. Briefly, you should configure at least the following:
Disable trunking and trunk negotiation on all ports except those absolutely necessary.
Enable MAC flood protection on all ports.
Isolate the management VLAN from workstations and servers.
Practical Task Scheduling Deployment
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.View Now!
|The Firebird Project's Firebird Relational Database||Jul 29, 2016|
|Stunnel Security for Oracle||Jul 28, 2016|
|SUSE LLC's SUSE Manager||Jul 21, 2016|
|My +1 Sword of Productivity||Jul 20, 2016|
|Non-Linux FOSS: Caffeine!||Jul 19, 2016|
|Murat Yener and Onur Dundar's Expert Android Studio (Wrox)||Jul 18, 2016|
- Stunnel Security for Oracle
- The Firebird Project's Firebird Relational Database
- Murat Yener and Onur Dundar's Expert Android Studio (Wrox)
- SUSE LLC's SUSE Manager
- Managing Linux Using Puppet
- My +1 Sword of Productivity
- Non-Linux FOSS: Caffeine!
- Google's SwiftShader Released
- Doing for User Space What We Did for Kernel Space
- SuperTuxKart 0.9.2 Released
With all the industry talk about the benefits of Linux on Power and all the performance advantages offered by its open architecture, you may be considering a move in that direction. If you are thinking about analytics, big data and cloud computing, you would be right to evaluate Power. The idea of using commodity x86 hardware and replacing it every three years is an outdated cost model. It doesn’t consider the total cost of ownership, and it doesn’t consider the advantage of real processing power, high-availability and multithreading like a demon.
This ebook takes a look at some of the practical applications of the Linux on Power platform and ways you might bring all the performance power of this open architecture to bear for your organization. There are no smoke and mirrors here—just hard, cold, empirical evidence provided by independent sources. I also consider some innovative ways Linux on Power will be used in the future.Get the Guide