VLANs on Linux
The best way to see how VLANs work is by example. Imagine you work for Widgets, Inc. There are about 20 people from several departments working at your location. Ten people work in engineering, two people are in accounting, five people in sales and three people in marketing. Widgets, Inc. currently has a flat network, one in which all the machines are on the same LAN. All of these machines are connected to a Cisco 2924 switch and reside in the 10.0.0.0/24 private network.
Figure 1. Widgets, Inc.'s Private Network
To improve security, you have convinced management to let you segment the network. You already have a Linux firewall running Debian 3.0 facing the Internet, but now you need to extend it to segment the network. The first snag is you have been given only a minimal budget for the project.
After some consideration, you have decided to separate the inside network into four segments: Management, Sales & Marketing, Accounting and Engineering and a DMZ for your assorted servers. The management VLAN has no workstations associated with it and is used only for the switch's configuration interface.
Figure 2. The Segmented Network
Your existing firewall cannot accommodate three more physical interfaces. You recently read an interesting article about how to use VLANs with Linux, which gives you an idea. With VLANs, the new topology can be implemented with the existing interfaces. In fact, the physical layout of your network doesn't change at all. Using VLANs adds a management network to the mix, bringing the total to five.
Figure 3. The Segmented Network with VLANs
You also have decided to subnet your existing IP addresses for the new segments. Using a subnet mask of 255.255.255.224 gives you plenty of IPs for each segment and leaves you several spare subnets to use later. You already are using DHCP to assign IP addresses, so client reconfiguration is not an issue.
Listing 3. Assigning IP Addresses
Description VLAN IP Subnet Management 1 10.0.0.0/27 DMZ 2 10.0.0.32/27 Accounting 3 10.0.0.64/27 Engineering 4 10.0.0.96/27 Sales & Marketing 5 10.0.0.128/27
Because the network changes here can cause a loss of connectivity, it is important to have everything prepared beforehand. Ensure that your firewall meets the prerequisites above. It also is recommended that you have a serial console connection available before you begin. Obviously, these kinds of changes should be done after business hours.
Preparation is the most important part of a network project. In this case, it is important to have everything planned out well in advance. You should have planned out your firewall policy, server configuration, DNS update and so on. Think about all the functions required for the daily operation of your network, and consider how the changes described here might effect them. For example, reducing the DHCP lease time several days in advance allows the workstations to retrieve their new leases more quickly.
The first step towards the new network configuration is to establish the trunk between the firewall and the switch. On Debian, the vlan package contains the required utilities. Most other distributions also offer a package containing these utilities. Compile and install your kernel as you normally would, and enable 802.1q support (CONFIG_VLAN_8021Q).
The Debian interfaces file, located in /etc/network/interfaces, provides support for creating VLAN interfaces. Each interface is defined as normal, with the addition of a vlan_native_interface line. If your distribution does not support defining VLAN interfaces, you need to have a script define them before network startup. Listing 4 shows a Debian interfaces file, using DHCP to retrieve the IP for the outside interface.
Listing 4. A Debian Interfaces File
auto lo iface lo inet loopback auto eth0 eth1 vlan2 vlan3 vlan4 vlan5 iface eth0 inet dhcp # VLAN 1 - native management VLAN iface eth1 inet static address 10.0.0.1 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 2 - DMZ iface vlan2 inet static address 10.0.0.33 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 3 - Accounting iface vlan3 inet static address 10.0.0.65 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 2 - DMZ iface vlan2 inet static address 10.0.0.33 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 3 - Accounting iface vlan3 inet static address 10.0.0.65 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 4 - Engineering iface vlan4 inet static address 10.0.0.97 netmask 255.255.255.224 vlan_raw_device eth1 # VLAN 5 - Sales & Marketing iface vlan5 inet static address 10.0.0.129 netmask 255.255.255.224 vlan_raw_device eth1
If you were using a distribution other than Debian, you could put lines similar to the ones in Listing 5 in a startup script that runs before network configuration.
Listing 5. Startup Script for Non-Debian Distributions
vconfig add eth1 2 vconfig add eth1 3 vconfig add eth1 4 vconfig add eth1 5
Once the new interfaces are defined, you can bring them up using ifup <device name>. You also need to ifdown and ifup eth1 to set the correct IP and netmask.
- Android Browser Security--What You Haven't Been Told
- Epiq Solutions' Sidekiq M.2
- Readers' Choice Awards 2013
- Nativ Disc
- The Many Paths to a Solution
- Synopsys' Coverity
- RPi-Powered pi-topCEED Makes the Case as a Low-Cost Modular Learning Desktop
- Securing the Programmer
- Identity: Our Last Stand
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
With all the industry talk about the benefits of Linux on Power and all the performance advantages offered by its open architecture, you may be considering a move in that direction. If you are thinking about analytics, big data and cloud computing, you would be right to evaluate Power. The idea of using commodity x86 hardware and replacing it every three years is an outdated cost model. It doesn’t consider the total cost of ownership, and it doesn’t consider the advantage of real processing power, high-availability and multithreading like a demon.
This ebook takes a look at some of the practical applications of the Linux on Power platform and ways you might bring all the performance power of this open architecture to bear for your organization. There are no smoke and mirrors here—just hard, cold, empirical evidence provided by independent sources. I also consider some innovative ways Linux on Power will be used in the future.Get the Guide