VLANs on Linux
The best way to see how VLANs work is by example. Imagine you work for Widgets, Inc. There are about 20 people from several departments working at your location. Ten people work in engineering, two people are in accounting, five people in sales and three people in marketing. Widgets, Inc. currently has a flat network, one in which all the machines are on the same LAN. All of these machines are connected to a Cisco 2924 switch and reside in the 10.0.0.0/24 private network.
Figure 1. Widgets, Inc.'s Private Network
To improve security, you have convinced management to let you segment the network. You already have a Linux firewall running Debian 3.0 facing the Internet, but now you need to extend it to segment the network. The first snag is you have been given only a minimal budget for the project.
After some consideration, you have decided to separate the inside network into four segments: Management, Sales & Marketing, Accounting and Engineering and a DMZ for your assorted servers. The management VLAN has no workstations associated with it and is used only for the switch's configuration interface.
Figure 2. The Segmented Network
Your existing firewall cannot accommodate three more physical interfaces. You recently read an interesting article about how to use VLANs with Linux, which gives you an idea. With VLANs, the new topology can be implemented with the existing interfaces. In fact, the physical layout of your network doesn't change at all. Using VLANs adds a management network to the mix, bringing the total to five.
Figure 3. The Segmented Network with VLANs
You also have decided to subnet your existing IP addresses for the new segments. Using a subnet mask of 255.255.255.224 gives you plenty of IPs for each segment and leaves you several spare subnets to use later. You already are using DHCP to assign IP addresses, so client reconfiguration is not an issue.
Listing 3. Assigning IP Addresses
Description VLAN IP Subnet Management 1 10.0.0.0/27 DMZ 2 10.0.0.32/27 Accounting 3 10.0.0.64/27 Engineering 4 10.0.0.96/27 Sales & Marketing 5 10.0.0.128/27
Because the network changes here can cause a loss of connectivity, it is important to have everything prepared beforehand. Ensure that your firewall meets the prerequisites above. It also is recommended that you have a serial console connection available before you begin. Obviously, these kinds of changes should be done after business hours.
Preparation is the most important part of a network project. In this case, it is important to have everything planned out well in advance. You should have planned out your firewall policy, server configuration, DNS update and so on. Think about all the functions required for the daily operation of your network, and consider how the changes described here might effect them. For example, reducing the DHCP lease time several days in advance allows the workstations to retrieve their new leases more quickly.
The first step towards the new network configuration is to establish the trunk between the firewall and the switch. On Debian, the vlan package contains the required utilities. Most other distributions also offer a package containing these utilities. Compile and install your kernel as you normally would, and enable 802.1q support (CONFIG_VLAN_8021Q).
The Debian interfaces file, located in /etc/network/interfaces, provides support for creating VLAN interfaces. Each interface is defined as normal, with the addition of a vlan_native_interface line. If your distribution does not support defining VLAN interfaces, you need to have a script define them before network startup. Listing 4 shows a Debian interfaces file, using DHCP to retrieve the IP for the outside interface.
Listing 4. A Debian Interfaces File
auto lo iface lo inet loopback auto eth0 eth1 vlan2 vlan3 vlan4 vlan5 iface eth0 inet dhcp # VLAN 1 - native management VLAN iface eth1 inet static address 10.0.0.1 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 2 - DMZ iface vlan2 inet static address 10.0.0.33 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 3 - Accounting iface vlan3 inet static address 10.0.0.65 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 2 - DMZ iface vlan2 inet static address 10.0.0.33 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 3 - Accounting iface vlan3 inet static address 10.0.0.65 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 4 - Engineering iface vlan4 inet static address 10.0.0.97 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 5 - Sales & Marketing iface vlan5 inet static address 10.0.0.129 netmask 255.255.255.224 vlan_raw_device eth1
If you were using a distribution other than Debian, you could put lines similar to the ones in Listing 5 in a startup script that runs before network configuration.
Listing 5. Startup Script for Non-Debian Distributions
vconfig add eth1 2 vconfig add eth1 3 vconfig add eth1 4 vconfig add eth1 5
Once the new interfaces are defined, you can bring them up using ifup <device name>. You also need to ifdown and ifup eth1 to set the correct IP and netmask.
Getting Started with DevOps - Including New Data on IT Performance from Puppet Labs 2015 State of DevOps Report
August 27, 2015
12:00 PM CDT
DevOps represents a profound change from the way most IT departments have traditionally worked: from siloed teams and high-anxiety releases to everyone collaborating on uneventful and more frequent releases of higher-quality code. It doesn't matter how large or small an organization is, or even whether it's historically slow moving or risk averse — there are ways to adopt DevOps sanely, and get measurable results in just weeks.
Free to Linux Journal readers.Register Now!
- Django Models and Migrations
- Hacking a Safe with Bash
- Secure Server Deployments in Hostile Territory, Part II
- The Controversy Behind Canonical's Intellectual Property Policy
- Home Automation with Raspberry Pi
- Shashlik - a Tasty New Android Simulator
- Huge Package Overhaul for Debian and Ubuntu
- KDE Reveals Plasma Mobile
- Embed Linux in Monitoring and Control Systems
- diff -u: What's New in Kernel Development