Linux and Inter-vlan Routing

Mahdi Rahimi
Posted: Sat Aug 04, 2007 8:40 am    Post subject: Linux and Inter-vlan Routing
Archived from groups: linux>debian>maint>firewall

Hi dears...


I have 10 Cisco 2950T switches that are connected together via the 802.1q protocol,
and I don't have any Layer 3 switch or router. I want to know whether a Linux box can
act as a layer 3 device with the config below, or can do inter-VLAN routing???

My Intranet interface is on VLAN 1. (eth0)
My LAN interface faces VLAN 2. (eth1)
My DMZ interface faces VLAN 3. (eth2)

eth0 (linux) -> switch (fas0/1) (switchport mode trunk )
eth1 (linux) -> switch (fas0/2) (switchport access vlan 2)
eth2 (linux) -> switch (fas0/3) (switchport access vlan 3)
////////
Intranet: 192.168.100.0/24 (for switch management)
LAN: 172.16.3.0/24
DMZ: 192.168.1.0/24
/////////
I already installed the VLAN package and the config is:
#modprobe 8021q
#vconfig add eth1 2
#vconfig add eth2 3

My interfaces script is:

auto eth0
iface eth0 inet static
address 192.168.100.91
netmask 255.255.255.0
vlan_raw_device eth0

auto eth1
iface eth1 inet static
address 172.16.3.1
netmask 255.255.255.0
network 172.16.3.0
broadcast 172.16.3.255
vlan_raw_device eth0

iface eth2 inet static
address 192.168.1.192
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
vlan_raw_device eth0


Iptables:
(192.168.1.80 is our sql-server)
*nat
-A PREROUTING -s 172.16.3.0/255.255.255.0 -d 192.168.1.80 -p tcp -m multiport
--dports 1433 -j ACCEPT

-A POSTROUTING -s 172.16.3.0/255.255.255.0 -d 192.168.1.80 -j MASQUERADE

*filter
-A FORWARD -i eth1 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT


best regards


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST DeleteThis @lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster DeleteThis @lists.debian.org
Bart-Jan Vrielink
Posted: Sat Aug 04, 2007 10:00 am    Post subject: Re: Linux and Inter-vlan Routing

Mahdi Rahimi wrote:

> I Have 10 switch cisco 2950T that connect via 802.1q protocol togather,
> and don't have any Layer 3 switch or Router. I want to know Linux box can
> act as layer 3 device with below config or can inter-vlan Routing???

> My interface scripts is:
>
> auto eth0
> iface eth0 inet static
> address 192.168.100.91
> netmask 255.255.255.0
> vlan_raw_device eth0

This is not a vlan, but the real interface. Use eth0.1 for the interface
name if you want vlan1 on eth0, eth0.2 for vlan2 on eth0 and so on.

Tip: avoid using vlan1, as it's a special vlan.

For your 3 network cards, if they are connected to the same switch, I
would not use them as separate interfaces to the switch, but instead
group them into an etherchannel. This is what I am using at home (Debian
to a 2950T):

auto bond0 bond0.2

iface bond0 inet manual
slaves eth0 eth1 eth2 eth3

iface bond0.2 inet static
vlan-raw-device bond0
address 10.2.1.1
network 10.2.1.0
netmask 255.255.255.0
broadcast 10.2.1.255

!Cisco:
interface Port-channel1
switchport mode trunk
switchport nonegotiate
flowcontrol send off
!
interface FastEthernet0/9
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
!
interface FastEthernet0/10
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
!
interface FastEthernet0/11
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
!
interface FastEthernet0/12
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
!

--
Tot ziens,

Bart-Jan


Mahdi Rahimi
Posted: Sat Aug 04, 2007 4:30 pm    Post subject: Re: Linux and Inter-vlan Routing

Dear Bart-Jan, thanks for the attention.
I have corrected my network configuration:
1) removed all interfaces on Debian except 1 interface
2) connected it to a 2950 switch port configured as trunk
3)
#modprobe 8021q
#vconfig add eth0 2
#vconfig add eth0 4
4) vi /etc/network/interfaces

auto eth0

auto eth0.2
iface eth0.2 inet static
address x.x.x.x
...
auto eth0.4
iface eth0.4 inet static
address x.x.x.x
....
5) vi /etc/default/dhcp3-server
interface "eth0.4"

problems:
1) But my DHCP server doesn't work!!! on the eth0.4 interface.
2) Is the VLAN ID on the 2950 the same as the one in vconfig?
3) Does my server require any patch?

best regards


On Sat, August 4, 2007 12:25, Bart-Jan Vrielink wrote:
> Mahdi Rahimi wrote:
>
>
>> I Have 10 switch cisco 2950T that connect via 802.1q protocol togather,
>> and don't have any Layer 3 switch or Router. I want to know Linux box
>> can act as layer 3 device with below config or can inter-vlan Routing???
>>
>
>> My interface scripts is:
>>
>>
>> auto eth0 iface eth0 inet static address 192.168.100.91 netmask
>> 255.255.255.0
>> vlan_raw_device eth0
>
> This is not a vlan, but the real interface. Use eth0.1 for interface
> name if you want vlan1 on etho, eth0.2 for vlan2 on eth0 and so on.
>
> Tip: avoid using vlan1, as it's a special vlan.
>
>
> For your 3 network cards, if they are connected to the same switch, I
> would not use them as separate interfaces to the switch, but instead group
> them into an etherchannel. This is what I am using at home (Debian to a
> 2950T):
>
>
> auto bond0 bond0.2
>
> iface bond0 inet manual slaves eth0 eth1 eth2 eth3
>
> iface bond0.2 inet static vlan-raw-device bond0 address 10.2.1.1 network
> 10.2.1.0
> netmask 255.255.255.0 broadcast 10.2.1.255
>
> !Cisco:
> interface Port-channel1 switchport mode trunk switchport nonegotiate
> flowcontrol send off !
> interface FastEthernet0/9 switchport mode trunk switchport nonegotiate
> channel-group 1 mode active !
> interface FastEthernet0/10 switchport mode trunk switchport nonegotiate
> channel-group 1 mode active !
> interface FastEthernet0/11 switchport mode trunk switchport nonegotiate
> channel-group 1 mode active !
> interface FastEthernet0/12 switchport mode trunk switchport nonegotiate
> channel-group 1 mode active !
>
>


-------------------------
rahimi{at}eaedu.net
rahimi_m{at}cse.shirazu.ac.ir


Bart-Jan Vrielink
Posted: Sat Aug 04, 2007 4:40 pm    Post subject: Re: Linux and Inter-vlan Routing

Mahdi Rahimi wrote:
> Dear Bart-jan Thanks for attention.
> I have correct my network configurations:
> 1) remove all interfaces on Debian except 1 interface
> 2) connect it to switch 2950 configured as Trunk
> 3)
> #modprobe 8021q
> #vconfig add eth0 2
> #vconfig add eth0 4
> 4) vi /etc/network/interfaces
>
> auto eth0
>
> auto eth0.2
> iface eth0.2 inet static
> address x.x.x.x
> ...
> auto eth0.4
> iface eth0.4 inet static
> address x.x.x.x
> ....
> 5) vi /etc/default/dhcp3-server
> interface "eth0.4"
>
> problems:
> 1)but my DHCP server don't Work!!! 0n eth0.4 interface.

Mmm, weird. What does syslog say?

> 2) Is the Vlan ID on 2950 same as on the vconfig?

You don't need to (or shouldn't?) do the vconfigs yourself. They are done by
the interfaces file automagically.
If ifup doesn't recognize the vlan, then please add the correct
vlan_raw_device statement.

> 3) My server require any patch?

Dunno. You could run into problems if your network card can't handle
larger than normal frames (a tagged vlan increases the frame size by 4
bytes). This is usually a hardware limitation...

--
Tot ziens,

Bart-Jan


Jean-Paul Blaquiere
Posted: Sun Aug 05, 2007 2:12 am    Post subject: Re: Linux and Inter-vlan Routing

> On Aug 04, Bart-Jan Vrielink illuminated :

> Tip: avoid using vlan1, as it's a special vlan.
>
It's not special, just a default. Special would imply that it is
treated differently from any other vlan, which it is not.
Besides, if you feel you need a default vlan other than '1' later, you
can set any other vlan as default.


../jp
--
Jean-Paul Blaquiere
jeanpaul.DeleteThis@blaquiere.id.au
http://www.blaquiere.id.au
http://japester.ucc.asn.au/


tomfi
Posted: Tue Aug 07, 2007 9:10 am    Post subject: Re: Linux and Inter-vlan Routing

Jean-Paul Blaquiere wrote:
>> On Aug 07, tomfi illuminated :
>
>> I think in Cisco Vlan 1 is treated special ....
>> just try lab:
>> make 802.1q trunk between switches
>> make this trunk native vlan other than vlan 1.
>> turn on PVST
>> look on untagged frames and you will see that Vlan 1 is somehow special ;)
>>
>> And yes ... there is another speciality... You cannot remove this vlan ;)
>>
>> And .... just kidding ... there are some other specialties ... but I
>> don't want to write all here ;)
>>
> for /most/ practical purposes, it's just another VLAN. In all the
> workplaces I've been to, that is how it has been used. Thinking about
> it, yes, it is kind of special in its non-removable state.
Yes, at this point you must "only" strongly remember that it is the
default/native vlan, so not so secure (people are not error prone :) )
I think one of the good practices is to use this vlan as a "guest vlan".

> I've also not had direct experience configuring trunking, apart from the
> CCNA's requirements. Using yes, not configuring, so haven't discovered
> the little quirks like you have mentioned here.
Yes, it is not part of CCNA, and I must appreciate seeing somebody who knows
his stuff (meant as praise).

Tomfi


tomfi
Posted: Tue Aug 07, 2007 10:40 am    Post subject: Re: Linux and Inter-vlan Routing

Rainer Nagel wrote:
> Hi Tomfi,
>
> On Tue, Aug 07, 2007 at 09:07:48AM +0200, tomfi wrote:
>
>> Yes, at this point you must "only" strongly remember that it is the
>> default/native vlan, so not so secure (people are not error prone :) )
>> I think one of the good practices is to use this vlan as a "guest vlan".
>
> Good practice is not to use it.
> In addition, the native vlan on links between your switches
> (infrastructure devices) should be different from that on links between
> your switches and connected hosts, if these get trunks.
> Then double-tagging VLAN hopping is prevented.
>
> Ciao
Sorry, but I must say your interpretation is not correct ... even worse,
it is a VLAN hopping helper... if you do not have a consistent native vlan across
all trunks, you are being nice to your hackers...

Maybe it is only an English language problem ... see this page, there are
anti-VLAN-hopping practices:
http://www.ciscopress.com/articles/article.asp?p=474239&seqNum=2&rl=1
section Mitigating VLAN Hopping Attacks


PS: I think you were trying to say: don't use the same native vlan on
trunks as the native vlan on access ports.
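The 4-byte tag overhead Bart-Jan mentions and the double-tagging VLAN hopping discussed in the last two posts, as an added detection example that is not code from any poster: it parses the 802.1Q tag stack of an Ethernet frame, maps the outer VID to the eth0.N interface name Bart-Jan describes, and flags double-tagged frames whose outer tag is the native VLAN. The sample frames are constructed inline, and a native VLAN ID of 1 is an assumption.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier
NATIVE_VLAN = 1            # assumption: the switch's default native VLAN, as in the thread

# Constructed sample frames (not real captures): 6-byte dst, 6-byte src, then
# zero or more 4-byte 802.1Q tags, then the payload ethertype and a stub payload.
DST, SRC = "ffffffffffff", "001122334455"
STUB = "0800" + "45" + "00" * 19                       # IPv4 ethertype + dummy header
FRAME_UNTAGGED = bytes.fromhex(DST + SRC + STUB)
FRAME_VLAN2 = bytes.fromhex(DST + SRC + "81000002" + STUB)
FRAME_DOUBLE = bytes.fromhex(DST + SRC + "81000001" + "81000003" + STUB)

def parse_tags(frame):
    """Walk the 802.1Q tag stack; return (VLAN IDs outer-to-inner, payload ethertype)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vids = 12, []
    while True:
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype != ETHERTYPE_8021Q:
            return vids, ethertype
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]  # PCP(3) DEI(1) VID(12)
        vids.append(tci & 0x0FFF)
        offset += 4                                           # each tag adds 4 bytes

def linux_subinterface(raw_device, frame):
    """Name of the Linux VLAN interface that would receive this frame (outer tag only)."""
    vids, _ = parse_tags(frame)
    return raw_device if not vids else f"{raw_device}.{vids[0]}"

def classify(frame, native_vlan=NATIVE_VLAN):
    """Flag the tag patterns a trunk-facing host should be wary of."""
    vids, _ = parse_tags(frame)
    if len(vids) >= 2 and vids[0] == native_vlan:
        return "double-tagged, outer tag is the native VLAN: possible VLAN hopping"
    if len(vids) >= 2:
        return "double-tagged (QinQ)"
    if vids == [native_vlan]:
        return "tagged with the native VLAN (normally carried untagged on a trunk)"
    return "single-tagged" if vids else "untagged"
```

A frame that classifies as "possible VLAN hopping" on a host's trunk port is the signature that the native VLAN on that trunk matches one an edge port uses, which is what the posts above recommend avoiding.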

