Sorry for reposting this old message, but it could still be useful and I couldn't find archives of the mailing list from before moving to the current domain name. I guess they're on their way over to the new archive. :) On Tue, Apr 22, 2003 at 06:08:23AM +0200, Peter Stuge wrote: > On Mon, Apr 21, 2003 at 01:35:17PM +0200, Ard van Breemen wrote: > > a FAQ. I can only think of 1 item actually. So Please join in > > this thread and add your experiences. I will gather the > > It could include a couple of "success stories" with threads from the mailing > list where we solved people's problems, including a closing comment of some > sort where both problem and solution are summarized, if neccessary. > > The all time high FAQ is "Why doesn't it work?" so perhaps a good way to > educate people is to show them a couple of different setups using VLANs in > different ways. This will also save list resources; "I'm using the FAQ > standard setup 1b, but I've added a NIC on box A connecting to a Cisco > xyzzy, but box B is unable to see the Cisco." instead of a lengthy > description of the same network that everyone else has set up. > > >From the top of my head, I can think of a few different setups.. > > +--------+ +--------+ trunk+---------+ > ( internet )-----| router |---------| VLAN |vlan4 > ( cloud ) eth0| box A |eth1 | switch |------------------+ > +--------+ +--------+ +---------+ | > vlan2| v2| |vlan3 | > | | | | > +--------+ | +-------+ | > | | | | > eth0| eth0| eth0| eth0| > +--------+ +--------+ +--------+ +--------+ > | client | | client | | client | | server | > | box B | | box C | | box D | | box E | > +--------+ +--------+ +--------+ +--------+ > > ------------------- > > Setup 1a > The clean way, one subnet per VLAN. > > box A: > ip addr add 1.2.3.4/24 broadcast 1.2.3.255 dev eth0 > ip link set eth0 up > ip link set eth1 up > vconfig set_name_type DEV_PLUS_VID_NO_PAD > vconfig add eth1 2 > vconfig add eth1 3 > vconfig add eth1 4 > ip addr add 192.168.2.1/24 broadcast 192.168.2.255 dev eth1.2 > ip addr add 192.168.3.1/24 broadcast 192.168.3.255 dev eth1.3 > ip addr add 192.168.4.1/24 broadcast 192.168.4.255 dev eth1.4 > ip link set eth1.2 up > ip link set eth1.3 up > ip link set eth1.4 up > iptables -F > iptables -P FORWARD DROP > iptables -A FORWARD -i eth1.2 -o eth0 -s 192.168.2.0/24 -j ACCEPT #v2->inet > iptables -A FORWARD -i eth0 -o eth1.2 -d 192.168.2.0/24 -j ACCEPT #inet->v2 > iptables -A FORWARD -i eth1.3 -o eth0 -s 192.168.3.0/24 -j ACCEPT #v3->inet > iptables -A FORWARD -i eth0 -o eth1.3 -d 192.168.3.0/24 -j ACCEPT #inet->v3 > iptables -A FORWARD -i eth1.2 -o eth1.4 -s 192.168.2.0/24 \ > -d 192.168.4.0/24 -j ACCEPT #v2->v4 > iptables -A FORWARD -i eth1.4 -o eth1.2 -s 192.168.4.0/24 \ > -d 192.168.2.0/24 -j ACCEPT #v4->v2 > iptables -A FORWARD -i eth1.3 -o eth1.4 -s 192.168.3.0/24 \ > -d 192.168.4.0/24 -j ACCEPT #v3->v4 > iptables -A FORWARD -i eth1.4 -o eth1.3 -s 192.168.4.0/24 \ > -d 192.168.3.0/24 -j ACCEPT #v4->v3 > iptables -t nat A POSTROUTING -o eth0 -s 192.168.0.0/16 -j MASQUERADE > echo 1 > /proc/sys/net/ipv4/ip_forward > dhcpd eth1.2 eth1.3 > > box B: > ip addr add 192.168.2.2/24 broadcast 192.168.2.255 dev eth0 > ip link set eth0 up > > box C: > ip addr add 192.168.2.3/24 broadcast 192.168.2.255 dev eth0 > ip link set eth0 up > > box D: > ip addr add 192.168.3.2/24 broadcast 192.168.3.255 dev eth0 > ip link set eth0 up > > box E: > ip addr add 192.168.4.2/24 broadcast 192.168.4.255 dev eth0 > ip link set eth0 up > > ------------------- > > Setup 1b > The dirty way, only one subnet behind the router. > > ip addr add 1.2.3.4/24 broadcast 1.2.3.255 dev eth0 > ip link set eth0 up > ip link set eth1 up > vconfig set_name_type DEV_PLUS_VID_NO_PAD > vconfig add eth1 2 > vconfig add eth1 3 > vconfig add eth1 4 > brctl addbr br0 > brctl stp br0 off # may not be what you want > brctl addif br0 eth1.2 > brctl addif br0 eth1.3 > brctl addif br0 eth1.4 > ip addr add 192.168.42.1/24 broadcast 192.168.42.255 dev br0 > ip link set eth1.2 up > ip link set eth1.3 up > ip link set eth1.4 up > ip link set br0 up > iptables -F > iptables -P FORWARD DROP > iptables -A FORWARD -i eth1.2 -o eth0 -s 192.168.42.0/24 -j ACCEPT #v2->inet > iptables -A FORWARD -i eth0 -o eth1.2 -d 192.168.42.0/24 -j ACCEPT #inet->v2 > iptables -A FORWARD -i eth1.3 -o eth0 -s 192.168.42.0/24 -j ACCEPT #v3->inet > iptables -A FORWARD -i eth0 -o eth1.3 -d 192.168.42.0/24 -j ACCEPT #inet->v3 > ebtables -P FORWARD DROP #rules within bridges, see http://ebtables.sf.net/ > ebtables -A FORWARD -i eth1.2 -o eth1.4 --ip-src 192.168.42.2 \ > --ip-dst 192.168.42.5 -j ACCEPT #vlan2->vlan4 > ebtables -A FORWARD -i eth1.2 -o eth1.4 --ip-src 192.168.42.3 \ > --ip-dst 192.168.42.5 -j ACCEPT #vlan2->vlan4 > ebtables -A FORWARD -i eth1.4 -o eth1.2 --ip-src 192.168.42.5 \ > --ip-dst 192.168.42.2 -j ACCEPT #vlan4->vlan2 > ebtables -A FORWARD -i eth1.4 -o eth1.2 --ip-src 192.168.42.5 \ > --ip-dst 192.168.42.3 -j ACCEPT #vlan4->vlan2 > ebtables -A FORWARD -i eth1.3 -o eth1.4 --ip-src 192.168.42.4 \ > --ip-dst 192.168.42.5 -j ACCEPT #vlan3->vlan4 > ebtables -A FORWARD -i eth1.4 -o eth1.3 --ip-src 192.168.42.5 \ > --ip-dst 192.168.42.4 -j ACCEPT #vlan4->vlan3 > iptables -t nat A POSTROUTING -o eth0 -s 192.168.0.0/16 -j MASQUERADE > echo 1 > /proc/sys/net/ipv4/ip_forward > dhcpd br0 > > box B: > ip addr add 192.168.42.2/24 broadcast 192.168.42.255 dev eth0 > ip link set eth0 up > > box C: > ip addr add 192.168.42.3/24 broadcast 192.168.42.255 dev eth0 > ip link set eth0 up > > box D: > ip addr add 192.168.42.4/24 broadcast 192.168.42.255 dev eth0 > ip link set eth0 up > > box E: > ip addr add 192.168.42.5/24 broadcast 192.168.42.255 dev eth0 > ip link set eth0 up > > ------------------- > > Setup 2 > Please fill this space. > > ------------------- > > People: Please also remember to sniff packets on different parts of your > network. The best way to do this is to bring a small hub and a laptop to > one of the ends of the interesting cable. > > Connect the hub "on" the cable (i.e. unplug the cable and connect it to the > hub instead, then connect another cable from the hub to where the first > cable was before) and then the laptop to the hub. This way neither sender > nor receiver will be doing the sniffing, which has been the cause of > problems for me. Don't forget to bring up the interface on the laptop, but > don't set an IP address on it. > > ip link set eth0 up # is all that's needed > > > //Peter > _______________________________________________ > VLAN mailing list - VLAN@xxxxxxxxxxx > http://www.WANfear.com/mailman/listinfo/vlan > VLAN Page: http://scry.wanfear.com/~greear/vlan.html On Thu, Nov 11, 2004 at 07:49:04PM -0500, Jake Howerton wrote: > Someone asked me about unnumbered VLAN setup... Is this possible? > Currently they are using a Cisco Layer 3 switch to do this. Can > linux vlan implementation do it? All switch ports are on their own > vlan cascading down to the layer 3 switch where they pull dhcp > address from one server with one default gateway but no traffic is > routed between vlans. This is for hotel/mdu type of setup. I guess you're describing Setup 1b in my post above, be sure to set up ebtables rules if you want to limit traffic between ports in the bridge. In addition, there have been problems reported with interface names that have a period in them when running the iptables commands. Possibly you'll have to switch to set_name_type VLAN_PLUS_VID_NO_PAD and adjust the iptables rules accordingly. Also, in order for dhcpd to properly receive DHCP queries, you may need to run: vconfig set_flag eth1.2 1 1 vconfig set_flag eth1.3 1 1 vconfig set_flag eth1.4 1 1 Although with the 2.6.9-rc4 kernel I just tested on this isn't neccessary since the (REORDER_HDR) flag is enabled by default when adding the VLANs. //Peter
