程式扎記: [Linux 文章收集] HowTo: Configure Linux Virtual Local Area Network (VLAN)

標籤

2015年3月3日 星期二

[Linux 文章收集] HowTo: Configure Linux Virtual Local Area Network (VLAN)

Source From Here 
Preface 
VLAN is an acronym for Virtual Local Area Network. Several VLANs can co-exist on a single physical switch, which are configured via Linux software and not through hardware interface (you still need to configure actual hardware switch too). 

Hubs or switch connects all nodes in a LAN and node can communicate without a router. For example, all nodes in LAN A can communicate with each other without the need for a router. If a node from LAN A wants to communicate with LAN B node, you need to use a router. Therefore, each LAN (A, B, C and so on)are separated using a router

VLAN as a name suggest combine multiple LANs at once. But, what are the advantages of VLAN? 
* Performance.
* Ease of management.
* Security.
* Trunks.
* VLANs give you the ability to sub-divide a LAN for security purpose.
* You don't have to configure any hardware device, when physically moving server computer to another location and more.

Fundamental discussion about VLAN or switches is beyond the scope of this blog post. I suggest the following textbooks: 
Cisco CNNA ICND/CCNA 640-802 Official Cert Library books.
Computer Networks by Andrew S. Tanenbaum

A note about your LAN hardware 
To be able to use VLANs you will need a switch that support the IEEE 802.1q standard on an Ethernet network. You will also need a NIC (Network Interface Cardthat works with Linux and support 802.1q standard . 

Linux VLAN configuration issues 
I am lucky enough to get a couple of hints from our internal wiki: 
* Not all network drivers support VLAN. You may need to patch your driver.
* MTU may be another problem. VLAN works by tagging each frame i.e. an Ethernet header extension that enlarges the header from 14 to 18 bytes. The VLAN tag contains the VLAN ID and priority.
* Do not use VLAN ID 1 as it may be used for admin purpose.

Enough talk, let's get to the Linux VLAN configurations. 

Setting up 802.1q VLAN tagging by loading 8021q Linux kernel driver 
First, make sure that the Linux kernel driver (module) called 8021q is loaded: 
$ lsmod | grep 8021q
8021q 25317 0
garp 7152 1 8021q

If the module is not loaded, load it with the following modprobe command: 
# modprobe 8021q

Method #1: CentOS/RHLE/Fedora Linux VLAN HowTo 
I am using RHEL/CentOS Linux with VLAN ID # 5. So I need to copy file /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.5 
# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.5

Now, I've one network card (eth0) and it needs to tagged network traffic for VLAN ID 5. 
* eth0 - Your regular network interface
* eth0.5 - Your virtual interface that use untagged frames

Do not modify /etc/sysconfig/network-scripts/ifcfg-eth0 file. Now open file /etc/sysconfig/network-scripts/ifcfg-eth0.5 using a text editor such as vi, type: 
# vi /etc/sysconfig/network-scripts/ifcfg-eth0.5

Find DEVICE=eth0 line and replace with: 
Also, append the following line: 
Make sure you assign correct IP address using DHCP or static IP. Remove gateway entry from all other network config files. Only add gateway to/etc/sysconfig/network file. This whole configuration may sound complicated. So I am including sample configurations files for you: 
- /etc/sysconfig/network-scripts/ifcfg-eth0.5 file 
  1. # VLAN configuration for my eth0  with ID - 5 #  
  2. DEVICE=eth0.5  
  3. BOOTPROTO=none  
  4. ONBOOT=yes  
  5. IPADDR=192.168.1.5  
  6. NETMASK=255.255.255.0  
  7. USERCTL=no  
  8. NETWORK=192.168.1.0  
  9. VLAN=yes  
- /etc/sysconfig/network-scripts/ifcfg-eth0 file 
  1. # Actual configuration for my eth0 physical interface ##  
  2. DEVICE=eth0  
  3. TYPE=Ethernet  
  4. BOOTPROTO=none  
  5. ONBOOT=yes  
Finally, restart networking service on a CentOS/RHEL/Fedora Linux, type: 
# /etc/init.d/network restart
Or
# service network restart

NOTE: 
If you need a second VLAN i.e. you need to configure for VLAN ID 2 then copy the /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.2 and do the above procedure again.

Method #2: Using the vconfig command 
Above method is perfect and works with a Red hat Enterprise Linux / CentOS / Fedora Linux without any problem. However, you will notice that there is a command called vconfig. The vconfig program allows you to create and remove vlan-devices on a vlan enabled kernel. Vlan-devices are virtual Ethernet devices which represents the virtual lans on the physical lan. This is yet another method of configuring VLAN. To add VLAN ID 5 with following command for eth0 interface
$ vconfig add eth0 5
Added VLAN with VID == 5 to IF -:eth0:-

The vconfig add command creates a vlan-device on eth0 which result into eth0.5 interface. You can use normal ifconfig command to see device information: 
$ ifconfig eth0.5
eth0.5 Link encap:Ethernet HWaddr 00:0C:29:21:FC:43
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

Use ifconfig command to assign IP address to vlan interfere: 
$ ifconfig eth0.5 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 up
$ ifconfig eth0.5
eth0.5 Link encap:Ethernet HWaddr 00:0C:29:21:FC:43
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe21:fc43/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:468 (468.0 b)

To get detailed information about VLAN interface, type: 
$ cat /proc/net/vlan/eth0.5
eth0.5 VID: 5 REORDER_HDR: 1 dev->priv_flags: 1
total frames received 0
total bytes received 0
Broadcast/Multicast Rcvd 0

total frames transmitted 6
total bytes transmitted 468
total headroom inc 0
total encap on xmit 0
Device: eth0
INGRESS priority mappings: 0:0 1:0 2:0 3:0 4:0 5:0 6:0 7:0
EGRESS priority mappings:

If you wish to delete VLAN interface use delete command as follows: 
$ ifconfig eth0.5 down
$ vconfig rem eth0.5
Removed VLAN -:eth0.5:-

Method #3: Create the VLAN device using the ip command 
Use the ip command as follows for the interface eth0, and the vlan id is 5: 
$ ip link add link eth0 name eth0.5 type vlan id 5
$ ip link
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:21:fc:43 brd ff:ff:ff:ff:ff:ff
3: eth1: mtu 1500 qdisc cbq state UP qlen 1000
link/ether 00:0c:29:21:fc:4d brd ff:ff:ff:ff:ff:ff
4: pan0: mtu 1500 qdisc noop state DOWN
link/ether 02:64:10:19:11:a5 brd ff:ff:ff:ff:ff:ff
5: eth2: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:21:fc:57 brd ff:ff:ff:ff:ff:ff
7: eth0.5@eth0: mtu 1500 qdisc noop state DOWN
link/ether 00:0c:29:21:fc:43 brd ff:ff:ff:ff:ff:ff

You need to activate and add an IP address to vlan link, type: 
$ ip addr add 192.168.1.200/24 brd 192.168.1.255 dev eth0.5
$ ip link set dev eth0.5 up
$ ip link show eth0.5
7: eth0.5@eth0: mtu 1500 qdisc noqueue state UP
link/ether 00:0c:29:21:fc:43 brd ff:ff:ff:ff:ff:ff

All traffic will go through the eth0 interface bith with a BLAN tag 5. Only VLAN aware devices can accept the traffic, otherwise the traffic is dropped. 

How can I remove VLAN ID 5? 
Type the following commands 
$ ip link set dev eth0.5 down
$ ip link delete eth0.5
$ ip link show eth0.5
Device "eth0.5" does not exist.

How do I make above VLAN configuration permanent on a Debian or Ubuntu based system? 
Edit the /etc/network/interfaces file, enter: 
$ sudo vi /etc/network/interfaces
  1. ## vlan for eth0 with ID - 5 on a Debian/Ubuntu Linux##  
  2. auto eth0.5  
  3. iface eth0.5 inet static  
  4.     address 192.168.1.200  
  5.     netmask 255.255.255.0  
  6.     vlan-raw-device eth0  

Supplement 
[Linux 小技巧] 使用 vconfig 設定 vlan

沒有留言:

張貼留言

網誌存檔

關於我自己

我的相片
Where there is a will, there is a way!