VLANs on Linux
The best way to see how VLANs work is by example. Imagine you work for Widgets, Inc. There are about 20 people from several departments working at your location. Ten people work in engineering, two people are in accounting, five people in sales and three people in marketing. Widgets, Inc. currently has a flat network, one in which all the machines are on the same LAN. All of these machines are connected to a Cisco 2924 switch and reside in the 10.0.0.0/24 private network.
Figure 1. Widgets, Inc.'s Private Network
To improve security, you have convinced management to let you segment the network. You already have a Linux firewall running Debian 3.0 facing the Internet, but now you need to extend it to segment the network. The first snag is you have been given only a minimal budget for the project.
After some consideration, you have decided to separate the inside network into four segments: Management, Sales & Marketing, Accounting and Engineering and a DMZ for your assorted servers. The management VLAN has no workstations associated with it and is used only for the switch's configuration interface.
Figure 2. The Segmented Network
Your existing firewall cannot accommodate three more physical interfaces. You recently read an interesting article about how to use VLANs with Linux, which gives you an idea. With VLANs, the new topology can be implemented with the existing interfaces. In fact, the physical layout of your network doesn't change at all. Using VLANs adds a management network to the mix, bringing the total to five.
Figure 3. The Segmented Network with VLANs
You also have decided to subnet your existing IP addresses for the new segments. Using a subnet mask of 255.255.255.224 gives you plenty of IPs for each segment and leaves you several spare subnets to use later. You already are using DHCP to assign IP addresses, so client reconfiguration is not an issue.
Listing 3. Assigning IP Addresses
Description VLAN IP Subnet Management 1 10.0.0.0/27 DMZ 2 10.0.0.32/27 Accounting 3 10.0.0.64/27 Engineering 4 10.0.0.96/27 Sales & Marketing 5 10.0.0.128/27
Because the network changes here can cause a loss of connectivity, it is important to have everything prepared beforehand. Ensure that your firewall meets the prerequisites above. It also is recommended that you have a serial console connection available before you begin. Obviously, these kinds of changes should be done after business hours.
Preparation is the most important part of a network project. In this case, it is important to have everything planned out well in advance. You should have planned out your firewall policy, server configuration, DNS update and so on. Think about all the functions required for the daily operation of your network, and consider how the changes described here might effect them. For example, reducing the DHCP lease time several days in advance allows the workstations to retrieve their new leases more quickly.
The first step towards the new network configuration is to establish the trunk between the firewall and the switch. On Debian, the vlan package contains the required utilities. Most other distributions also offer a package containing these utilities. Compile and install your kernel as you normally would, and enable 802.1q support (CONFIG_VLAN_8021Q).
The Debian interfaces file, located in /etc/network/interfaces, provides support for creating VLAN interfaces. Each interface is defined as normal, with the addition of a vlan_native_interface line. If your distribution does not support defining VLAN interfaces, you need to have a script define them before network startup. Listing 4 shows a Debian interfaces file, using DHCP to retrieve the IP for the outside interface.
Listing 4. A Debian Interfaces File
auto lo iface lo inet loopback auto eth0 eth1 vlan2 vlan3 vlan4 vlan5 iface eth0 inet dhcp # VLAN 1 - native management VLAN iface eth1 inet static address 10.0.0.1 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 2 - DMZ iface vlan2 inet static address 10.0.0.33 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 3 - Accounting iface vlan3 inet static address 10.0.0.65 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 2 - DMZ iface vlan2 inet static address 10.0.0.33 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 3 - Accounting iface vlan3 inet static address 10.0.0.65 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 4 - Engineering iface vlan4 inet static address 10.0.0.97 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 5 - Sales & Marketing iface vlan5 inet static address 10.0.0.129 netmask 255.255.255.224 vlan_raw_device eth1
If you were using a distribution other than Debian, you could put lines similar to the ones in Listing 5 in a startup script that runs before network configuration.
Listing 5. Startup Script for Non-Debian Distributions
vconfig add eth1 2 vconfig add eth1 3 vconfig add eth1 4 vconfig add eth1 5
Once the new interfaces are defined, you can bring them up using ifup <device name>. You also need to ifdown and ifup eth1 to set the correct IP and netmask.
|Android Candy: Copay—the Next-Generation Bitcoin Wallet||Sep 03, 2015|
|The True Internet of Things||Sep 02, 2015|
|September 2015 Issue of Linux Journal: HOW-TOs||Sep 01, 2015|
|September 2015 Video Preview||Sep 01, 2015|
|Using tshark to Watch and Inspect Network Traffic||Aug 31, 2015|
|Where's That Pesky Hidden Word?||Aug 28, 2015|
- The True Internet of Things
- Using tshark to Watch and Inspect Network Traffic
- Android Candy: Copay—the Next-Generation Bitcoin Wallet
- Problems with Ubuntu's Software Center and How Canonical Plans to Fix Them
- September 2015 Issue of Linux Journal: HOW-TOs
- Firefox Security Exploit Targets Linux Users and Web Developers
- Concerning Containers' Connections: on Docker Networking
- Where's That Pesky Hidden Word?
- A Project to Guarantee Better Security for Open-Source Projects
- My Network Go-Bag