Networking section: Difference between revisions

From SaruWiki
m (Reverted edits by 78.105.14.211 (Talk); changed back to last version by 76.180.28.191)
Revision as of 14:59, 5 December 2008

VLANs under Debian

Debian can support network traffic over VLANs (Ethernet 802.1Q) - and we don't mean the normal "untagged" network ports (hey, VLANs are transparent that way, anybody and anything can use untagged network ports). No, we mean that Debian can accept network traffic in from, and send traffic out to, a VLAN-tagged switchport.

Suppose you have a layer 2 switch with support for 802.1q VLANs, and want to route traffic from one VLAN to another. For this you can use a Debian router with a single network interface, using VLAN support (this is called "router on a stick" because the routing takes place over only one cable).

First, as root, run

apt-get install vlan
modprobe 8021q

The first line installs the vlan package, which contains all the tools needed to create and manipulate VLAN-enabled network ports. The second line loads the module that enables VLAN tagging for your Ethernet network cards. Note: if you don't run the stock Debian kernel but compiled your own, you might have chosen not to compile the 8021q module. In that case, compile the module. Also note that if you've compiled the 8021q code into the kernel itself, you don't need to load the module, and that second line is unnecessary for you. You'll find this kernel compile option (depending on your kernel version) under Networking -> Networking Options -> "802.1Q VLAN Support". This option has been in the Linux kernel since version 2.4.14.

ifconfig eth0 down
vconfig add eth0 2
vconfig add eth0 3

The first command brings down your network on eth0 (not the thing to do if you're working remotely, then :-). The next two commands create two virtual interfaces, eth0.2 and eth0.3, which have VLAN tags 2 and 3 (don't use VLAN tag 1 if you can help it; on many devices VLAN1 is a special hardware management VLAN). The virtual interfaces run on top of your eth0 interface.

Now, because your VLAN interfaces run on top of eth0, you've got to bring eth0 itself up, even if you don't want to run network traffic over it. Furthermore, you've got to configure the two virtual interfaces you've created. Let's suppose you want to run IP subnet 192.168.1.0/24 on VLAN2, and 192.168.2.0/24 on VLAN3. You can do so with

ifconfig eth0 0.0.0.0 up
ifconfig eth0.2 192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0 up
ifconfig eth0.3 192.168.2.1 broadcast 192.168.2.255 netmask 255.255.255.0 up

Now that you've done this, you must still configure one of your switch ports to belong to VLAN 2 and 3 at the same time (tagged port), and connect eth0 from your Linux box to that port. This enables your box to run network traffic on both VLANs.

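To round things off: if you haven't yet enabled forwarding, you can do so now. Keep in mind that with forwarding on and no firewall rules in place, the box routes everything between the two VLANs. The subnets you configured on eth0.2 and eth0.3 already have routes, because the kernel adds them when the interfaces come up. Furthermore, you might wish to augment your route table so that the routing engine in your server knows how to handle packets for other networks that it needs to forward over one VLAN or the other, naming the VLAN interface with dev:

echo 1 > /proc/sys/net/ipv4/ip_forward
route add -net 10.1.1.0 netmask 255.255.255.0 dev eth0.2
route add -net 10.1.2.0 netmask 255.255.255.0 dev eth0.3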

This is it; nothing to it, right?
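To check the result of the steps above, the following script (an added example, not part of the original wiki page) verifies that eth0.2 and eth0.3 exist on eth0 with the expected tags and warns when VLAN 1 is in use. It reads the table the 8021q module exposes in /proc/net/vlan/config; the function names vlan_id_of and audit_vlans and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the VLAN interfaces that vconfig created.
# The 8021q module lists them in /proc/net/vlan/config, one per line:
#   <interface> | <VLAN ID> | <parent interface>

# vlan_id_of FILE IFACE PARENT: print IFACE's tag if it sits on PARENT, else fail.
vlan_id_of() {
    awk -F'|' -v ifc="$2" -v par="$3" '
        { for (i = 1; i <= NF; i++) gsub(/[ \t]/, "", $i) }
        $1 == ifc && $3 == par { print $2; found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# audit_vlans FILE PARENT IFACE:TAG...: print one line per finding;
# return 0 only when every interface exists with the expected tag.
audit_vlans() {
    cfg=$1 parent=$2 bad=0
    shift 2
    for want in "$@"; do
        ifc=${want%%:*} tag=${want##*:}
        if ! got=$(vlan_id_of "$cfg" "$ifc" "$parent"); then
            echo "MISSING  $ifc is not a VLAN interface on $parent"; bad=1
        elif [ "$got" != "$tag" ]; then
            echo "MISMATCH $ifc carries tag $got, expected $tag"; bad=1
        elif [ "$tag" -eq 1 ]; then
            echo "WARNING  $ifc uses VLAN 1, often a switch management VLAN"
        fi
    done
    return "$bad"
}

# Constructed sample in the format of /proc/net/vlan/config (not captured output).
sample=$(mktemp)
cat > "$sample" <<'EOF'
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth0.2         | 2  | eth0
eth0.3         | 3  | eth0
EOF

# On the router itself, pass /proc/net/vlan/config instead of "$sample".
audit_vlans "$sample" eth0 eth0.2:2 eth0.3:3 &&
    echo "OK: eth0.2 and eth0.3 are tagged as expected"
```

A MISSING line for an interface you did create usually means it sits on a different parent interface than the one you passed in.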