[Gllug] A little OT: On the limits of VLANs

Andrew Back andrew at osmosoft.com
Thu Apr 29 07:41:52 UTC 2010


On (03:48 29/04/10), general_email at technicalbloke.com wrote:

> It looks fairly straight forward to create several VLANs and, as I've
> only got one switch I  don't think any of the known VLAN hopping hacks
> apply to me. So what I was hoping to do was section off say 8 ports, put
> them all on their own VLAN and then make one of my servers a member of
> all 8 of those VLANs, the intended effect being that the machines
> plugged into those 8 ports can not see each other but can see my server.
> Is that something I could do with VLANs? The other scenario I'm

You should just need to designate a port as "trunk" rather than be on a
specific VLAN, and then on your host configure VLAN interfaces that pick up
each of these. It's up to you then how you configure the network layer on
each VLAN interface and whether you choose to route between them or not.
I've run OpenBSD firewalls that way, and you often see routers set up in
that manner ("router-on-a-stick" IIRC).

Trunk means as the name suggests - all the VLANs. Trunks are generally used
to connect multiple managed switches together, but you can also use a
trunk port to pass all the VLANs to a host, where the host can then be
configured with virtual VLAN interfaces which pick up the VLANs of interest.
There tend to be switch options to let you "prune" VLANs from the trunk too,
so you don't necessarily have to pass every VLAN across them.

> interested in is quite similar, as in non of the machines could see each
> other locally except for an internet gateway.

Right, so that's roughly the firewall scenario I just described.

When defining your VLAN scheme you might want to avoid VLAN 1 as this is
used for control plane traffic, and unconfigured ports default to 1 (on
Cisco at least). 

Cheers,

Andrew 

PS. It probably will be, but you might want to check that the VLAN
trunking/tagging is IEEE 802.1Q, and not some proprietary protocol. I think
you'd be pretty unlucky were it not, and even then Linux & maybe BSD may
support others, I'm not sure.

-- 
Andrew Back
mailto:andrew at osmosoft.com
http://carrierdetect.com
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
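The host side of the setup Andrew describes (a trunk port into the server, one 802.1Q VLAN interface per isolated client VLAN, no routing between them) as an added shell example; this is not code from the original post or from the list. It assumes the trunk arrives on TRUNK_IF (default eth0), that the host uses iproute2, and the VLAN ids and 10.0.x.0/24 subnets are constructed for illustration. It also refuses VLAN 1, for the reason given in the post.

```shell
#!/bin/sh
# Added example (not from the original post): bring up 802.1Q VLAN
# subinterfaces on a Linux host that sits on a switch trunk port, one
# subinterface per isolated client VLAN, so each client subnet reaches the
# server but not the other subnets. Assumptions: the trunk is on
# TRUNK_IF (default eth0); VLAN ids and addressing below are constructed.
TRUNK_IF="${TRUNK_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; 0 = run them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Validate a VLAN id: numeric, 2..4094. VLAN 1 is refused because it is the
# default/native VLAN and carries control-plane traffic on many switches.
valid_vid() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 2 ] && [ "$1" -le 4094 ]
}

# add_vlan_iface VID CIDR: create TRUNK_IF.VID, address it, bring it up.
add_vlan_iface() {
  vid="$1"; cidr="$2"
  valid_vid "$vid" || return 1
  run ip link add link "$TRUNK_IF" name "$TRUNK_IF.$vid" type vlan id "$vid"
  run ip addr add "$cidr" dev "$TRUNK_IF.$vid"
  run ip link set "$TRUNK_IF.$vid" up
}

# "Clients see the server but not each other" requires that the host does
# not forward between its VLAN interfaces, so IP forwarding stays off.
disable_inter_vlan_routing() {
  run sysctl -w net.ipv4.ip_forward=0
}

# setup_isolated_vlans VID...: one /24 per VLAN, 10.0.<vid>.1 on the server.
setup_isolated_vlans() {
  disable_inter_vlan_routing
  for vid in "$@"; do
    add_vlan_iface "$vid" "10.0.$vid.1/24" || { echo "bad VLAN id: $vid" >&2; return 1; }
  done
}

# Eight client ports on VLANs 10..80 (constructed ids). After running for
# real, `ip -d link show eth0.10` should report "vlan protocol 802.1Q",
# which is the tagging-format check from the PS above.
setup_isolated_vlans 10 20 30 40 50 60 70 80
```

Run it as-is to see the commands it would issue; run it as root with DRY_RUN=0 to apply them. The switch side (the 8 access ports in their VLANs, the server port as a trunk carrying only those VLANs) is done on the switch and is not shown here.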