[Techtalk] VLANs and linux

Anthony de Boer linuxchix at lists.leftmind.net
Fri Jan 11 01:40:10 UTC 2008 

Carla Schroder wrote:
> I am confused on making VLANs. I have a nice cheep Netgear 8-port smart switch 
> that includes VLAN guff that I got for testing. But I keep getting stuck, and 
> the Netgear manual assumes I know what I'm doing. I should be able to create 
> a couple of VLAN segments on a single switch, shouldn't I?
> 
> So does it go like this:
> 
> -create VLAN segments on switch
> -configure network interfaces on Linux hosts with vconfig
> -do some hocus-pocus to router
> 
> Finding recent documentation for this has been hard; I find old stuff that 
> still talks about patching kernels. I think we're a bit beyond that now!

I haven't dealt with that particular switch, but the ways of configuring
VLANs on switches are many.  Typically you create a VLAN and assign ports
to it, or assign each port to a VLAN, and thereby segment a switch into
several smaller virtual switches.

If the switch supports 802.1q, then you also have the option of defining
tagged ports, such that each packet has a little extra bit of header
information with its VLAN number, and you can trunk multiple VLANs between
switches with one cable, or between a switch and an appropriately-
configured port on a Linux box.  You end up with a bunch of virtual
network interfaces each on their own VLAN.

Basically, if the Linux box needs to be connected to three different
networks, which you have as VLANs 10, 47, and 200 in your infrastructure,
you configure a switch port as tagged carrying those VLANs, and configure
the Linux box to match, giving you virtual interfaces that can be called
vlan10, vlan47, and vlan200 (or can follow a different naming scheme,
depending on what you tell vconfig).  The physical interface, eth0 or
whatever, needs to be up but not directly used for IP.

As of at least the CentOS 4.x boxes I was using recently, I believe VLAN
support was in the default kernel.  Back in the good old days we had to
build our own kernels with the patch, though.

Routers that support VLANs do exist, or you may have to connect it to an
"untagged" port on a single VLAN.  The latter is also the case with any
other non-802.1q-aware equipment you want to connect.

Other fun and games: some switches want to separately walk you through
deciding if a port is tagged or untagged, deciding which VLANs to egress
(allow out) on that port, then elsewhere filter which ones are allowed in,
and in yet another place set a default VLAN that will receive any untagged
packets that arrive on that interface.  Some switchs hardcode that latter
to VLAN 1, so that can become a "swamp" VLAN on a busy network.

-- 
Anthony de Boer

More information about the Techtalk mailing list