Cisco 2924 and Linux
I have a basic understanding of how to create VLAN on a Cisco 2924 switch:
i thought you already had vlan tagging sorted? http://www.candelatech.com/~greear/vlan/howto.html
that'll get the trunked data flowing no problem. as for the dhcp, you need something listening on each interface and forwarding on to the server via a bootp relay, e.g. dhcrelay.
This is how my vlan is setup on my Cisco 2924 XL switch:
well from the config above, the only trunk is to fa0/1, which will pass vlan 1 and vlan 2 as 802.1q and also vlan 1 as native. on the 2900 platforms they only do layer 2, so it's impossible to allow interconnectivity between vlans on them, as that'd be layer 3, presumably what your linux box is there for?
Exactly, I only have one switch which is the Catalyst 2924 XL and it connects to my Firewall with three nics and everything feeding into this one switch. I have ports FA01 - FA08 for VLAN1 and I have FA09 - FA16 as VLAN2 (DMZ). I have two questions:
1 - As far as security is concerned, what is the best way to set up my switch for security? I have a very strict firewall rule set; is VLAN sufficient?
2 - I have VOIP traffic on my DMZ. How would I set up QOS for voice over data?
1 - well one big security issue is using vlan 1 ever. ideally you should pick something non-standard, as by default a port will fall onto vlan1, which isn't really a nice state to be in if that's your secret important vlan too... security on those sorts of switches is pretty simple. you have additional clever features you should use like sticky mac for important connections, but most security is about local concerns, not global ones (i.e. internet attacks)
2 - within IOS VOIP should be automatically subjected to appropriate queuing algorithms, but that's a pretty old switch, and I'm not sure if the level of ios you'd have on it would do that. not something I've ever tinkered with TBH.
you are the man!
Did you ever connect the trunked switchport to a single NIC configured for trunking on your linux box for inter-vlan routing -or- did you connect 2 of the non-trunked NICs to separate switchports/vlans?
The reason I ask is this thread has sparked some interest on my part and I plan on trying to use a linux box for inter-vlan routing in a lab environment. I was curious about how (in your example) you configured the linux box to handle non-802.1q frames (vlan 1). If I understand cisco switches correctly, vlan 1 or ANY vlan marked as "the native vlan" will never transmit a frame with an 802.1q header across a trunked port. So in your example of using vlan 1-2 (instead of vlan 2-3), I would think vlan 1 attached devices would be able to communicate between each other, but not be routed to other vlans unless the trunked NIC on the linux box also had an interface defined for non-802.1q traffic (like eth0). Just curious... I hope to try this sometime this week.
well any switchport using trunking on a port using 802.1q trunking (as opposed to ISL trunking) can have one vlan additionally marked as a native vlan. this is most often the way a voip phone and a desktop share a single port... the phone bridges ethernet traffic and operates in itself on a tagged voice vlan, whilst the pc uses the untagged connection and so needs no meddling. vlan1 is a default only, any other vlan can replace it. obviously, only one vlan can be the native one per port (as the frames are totally untagged)... that vlan can also be tagged as well, and in that case i'm not sure what the rationale is to tag or not... probably separate mac tables for native and the corresponding table...
I have the enterprise OS on this 2924. So from what I have read I guess this little switch can do some tricks. I guess what I am looking for is 802.1p QoS to prioritize VOIP traffic for better call quality. This is a layer 2 switch, so would 802.1p QoS, or better said, can 802.1p QoS be done on my linux router?
http://www.kmj.com/cisco/c2924.html
I understand your reply. But that's not what I was trying to refer to in my post. Sorry for the confusion. Poor wording on my part.
What I was trying to ask metallica1973 was...
1) Did he end up using the trunked switch port or just plug the firewall interfaces into separate switchports/vlans?
2) If he did use the trunked port, how did he account for inter-vlan routing between vlan 1 and 2 (vs. using vlan 2-3), if the cisco switch is not going to encapsulate vlan 1 into an 802.1q frame?
What I was trying to refer to in my post (rather poorly) was I think the eth0 interface would handle the vlan 1 non-802.1q frames. The same physical interface the vlan virtuals are created against. At least if you follow the candelatech vlan article with some minor changes at layer 3. Basically, I do not see why you can't assign an IP to eth0 for non-802.1q frames -and- assign IPs to the vconfig created virtuals. Whether or not this will work on a linux based trunked port???? I don't know yet.
Long pause... I just booted my laptop into FC8 and followed the candelatech article example and created vlan 2, 3 and 10 against eth0. Vconfig created eth0.2, eth0.3 and eth0.10 virtuals respectively. BTW: I had to load the 8021q module. I assigned arbitrary IPs to all virtuals, but I left eth0 configured with its DHCP assigned IP. In the candelatech article, the author removes the IP from eth0. My laptop still communicates on my home network just fine via eth0, but until I can connect my laptop to an 802.1q trunked port, I really have no way of testing inter-vlan routing and whether or not eth0 will handle the non-802.1q frames across the trunk. Based on the fact my laptop is still communicating on my network, it appears to be working as expected. But then I could be having a brain-fart.
Hopefully, I will get some time in the lab this week to test using a linux box for inter-vlan routing. This has been an interesting topic.
scowles,
Thanks for replying to my post. To answer your questions:
Perfect scenario for a router-on-a-stick configuration.
http://www.cisco.com/warp/public/473/50.shtml Obviously if you are using your Linux box for the router portion you'll have to work out that configuration, but the overall guide should give you some direction.
I did get a chance to try this in a lab environment. Worked great! All PCs were able to ping each other on different vlans via the linux box acting as router on a single trunked port connection.
The vlan configuration on the linux box was pretty straightforward. Followed the candelatech article for creating the vlan interfaces along with configuring the primary interface (eth0) for vlan 1. NOTE: I am posting the example from memory, not copy/paste. I should be close and will update the post if needed. Code:
LINUX FC8 DISTRO
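The posts above describe the Linux side of this setup in three pieces: load the 8021q module and create one tagged sub-interface per VLAN against eth0, let eth0 itself carry the untagged native-VLAN frames, and run a DHCP relay on every VLAN interface so one server can serve all of them. The script below is an added example that is not scowles' lost config and not from the candelatech article; it renders that procedure as a list of commands so it can be reviewed before being run as root. It uses the iproute2 form (`ip link ... type vlan`) in place of the thread's `vconfig add`, which newer distributions no longer ship, and the `-i` interface option of ISC `dhcrelay`. The parent NIC, VLAN ids, addresses and DHCP server address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders a Linux "router on a stick"
# configuration: tagged 802.1q sub-interfaces for routed VLANs, the native VLAN
# on the parent NIC, IP forwarding, and a DHCP relay bound to every VLAN interface.

# vlan_cmds PARENT NATIVE_CIDR DHCP_SERVER "ID:CIDR ID:CIDR ..."
# Prints one command per line. Inspect the output, then run it as root with:
#   vlan_cmds eth0 ... | sh
vlan_cmds() {
    parent=$1; native_cidr=$2; dhcp_server=$3; vlans=$4

    echo "modprobe 8021q"                  # tagging module the post had to load by hand
    echo "ip link set dev $parent up"

    # Frames on the trunk's native VLAN arrive untagged, so they are seen by the
    # parent interface itself: its address belongs on $parent, not on a sub-interface.
    echo "ip addr add $native_cidr dev $parent"
    relay_ifs="-i $parent"

    # One tagged sub-interface per routed VLAN, named PARENT.ID like vconfig did.
    for entry in $vlans; do
        id=${entry%%:*}
        cidr=${entry#*:}
        sub="$parent.$id"
        echo "ip link add link $parent name $sub type vlan id $id"
        echo "ip addr add $cidr dev $sub"
        echo "ip link set dev $sub up"
        relay_ifs="$relay_ifs -i $sub"
    done

    # The Linux box is the layer-3 hop between VLANs; the 2900 cannot do this itself.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # A single relay listening on every VLAN interface forwards requests to the server
    # (ISC dhcrelay syntax; server address is a constructed placeholder).
    echo "dhcrelay $relay_ifs $dhcp_server"
}

# Constructed sample: trunk on eth0, native VLAN addressed on eth0, VLANs 2 and 3 tagged.
vlan_cmds eth0 192.0.2.1/24 192.0.2.10 "2:198.51.100.1/24 3:203.0.113.1/24"
```

Because the native VLAN's traffic lands on the parent interface, the same script answers the question raised earlier about VLAN 1: nothing extra is needed for untagged frames beyond an address on eth0, and the firewall rules on that box are then the only thing separating the VLANs.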
i had tried this before, centos 4 and a 2924-XL and couldn't get a thing... well native vlan worked, but nothing else. didn't have enough resources to properly investigate with wireshark or such, so i gave up... nice to know it must've been me!