Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I am using Fedora 6. How do I establish the trunk between the firewall and the switch in Linux? Also, my firewall is doing the DHCP IP assignment, so how can I get IPs to my nodes (VLAN1 - Internal, VLAN2 - DMZ devices)?
Last edited by metallica1973; 01-02-2008 at 07:59 PM.
That'll get the trunked data flowing, no problem. As for the DHCP, you need something listening on each interface and forwarding on to the server via a BOOTP relay, e.g. dhcrelay.
I only want VLAN2 to go to the internet and not be able to talk to VLAN1(management) but I want VLAN1 to be able to talk to anyone. Have I set this up correctly?
Well, from the config above, the only trunk is to fa0/1, which will pass VLAN 1 and VLAN 2 as 802.1q and also VLAN 1 as native. On the 2900 platforms they only do layer 2, so it's impossible to allow interconnectivity between VLANs on them, as that'd be layer 3, presumably what your Linux box is there for?
Exactly. I only have one switch, which is the Catalyst 2924 XL, and it connects to my firewall with three NICs, and everything feeds into this one switch. I have ports FA01 - FA08 for VLAN1 and FA09 - FA16 as VLAN2 (DMZ). I have two questions:
1 - As far as security is concerned, what is the best way to set up my switch for security? I have a very strict firewall rule set; is VLAN sufficient?
2 - I have VoIP traffic on my DMZ. How would I set up QoS for voice over data?
1 - Well, one big security issue is using VLAN 1 ever. Ideally you should pick something non-standard, as by default a port will fall onto VLAN 1, which isn't really a nice state to be in if that's your secret important VLAN too. Security on those sorts of switches is pretty simple. You have additional clever features you should use, like sticky MAC for important connections, but most security is about local concerns, not global ones (i.e. internet attacks).
2 - Within IOS, VoIP should be automatically subjected to appropriate queuing algorithms, but that's a pretty old switch, and I'm not sure if the level of IOS you'd have on it would do that. Not something I've ever tinkered with, TBH.
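The isolation policy asked about above (DMZ to the Internet only, management to anything) together with the DHCP side, as an added shell example that is not part of the thread. Everything in it is assumed: a management VLAN 10 on eth0.10 and a DMZ VLAN 20 on eth0.20 (following the advice to keep off VLAN 1), an uplink eth1, and 192.168.10.0/24 and 192.168.20.0/24 as the two address plans. Because the firewall is also the DHCP server, dhcpd simply listens on both VLAN sub-interfaces; the dhcrelay form is shown in a comment for the case where the server is on another host. The `-m state` match is the one available on a Fedora 6 era kernel.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical layout:
#   eth1    - uplink to the Internet
#   eth0.10 - management VLAN 10 (used instead of VLAN 1), 192.168.10.0/24
#   eth0.20 - DMZ VLAN 20 with the VoIP phones,            192.168.20.0/24
# Policy: management may initiate anything; the DMZ may initiate only toward
# the uplink, never toward management; replies are admitted by connection state.
# DHCP: the firewall itself is the DHCP server, so dhcpd listens on both
# sub-interfaces directly; dhcrelay is only needed when the server is elsewhere.
set -eu

UPLINK=eth1
MGMT_IF=eth0.10; MGMT_NET=192.168.10.0/24
DMZ_IF=eth0.20;  DMZ_NET=192.168.20.0/24
DRY_RUN=${DRY_RUN:-1}    # 1 = print the commands, 0 = execute them (as root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

install_forward_policy() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING
    # 1. return traffic of connections that were allowed to start
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. management may initiate anything (the -s filter rejects spoofed sources)
    run iptables -A FORWARD -i "$MGMT_IF" -s "$MGMT_NET" -j ACCEPT
    # 3. DMZ -> management is logged and dropped explicitly ...
    run iptables -A FORWARD -i "$DMZ_IF" -o "$MGMT_IF" -j LOG --log-prefix "dmz-to-mgmt "
    run iptables -A FORWARD -i "$DMZ_IF" -o "$MGMT_IF" -j DROP
    # 4. ... and the uplink is the only place the DMZ may initiate to
    run iptables -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -o "$UPLINK" -j ACCEPT
    # anything else (e.g. DMZ -> any future VLAN) falls through to the DROP policy
    run iptables -t nat -A POSTROUTING -o "$UPLINK" -j MASQUERADE
}

# dhcpd answers each VLAN from its own subnet; it chooses the subnet by the
# interface the DISCOVER came in on, so no relay is needed on this box.
dhcpd_conf() {
    cat <<'EOF'
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.100 192.168.10.199;
    option routers 192.168.10.1;
}
subnet 192.168.20.0 netmask 255.255.255.0 {
    range 192.168.20.100 192.168.20.199;
    option routers 192.168.20.1;
}
EOF
}

# Bind dhcpd to the two VLAN sub-interfaces only, never to the uplink.
# Had the server been another host, say 192.168.10.5, the relay would be:
#   dhcrelay -i eth0.10 -i eth0.20 192.168.10.5
start_dhcpd() {
    run dhcpd -q "$MGMT_IF" "$DMZ_IF"
}

# Without DRY_RUN=0 this only prints what would be executed.
enable_forwarding
install_forward_policy
start_dhcpd
```

Run it once as-is to review the rule set, write `dhcpd_conf` output to /etc/dhcpd.conf, then apply with `DRY_RUN=0` as root. The order matters: the DMZ-to-management DROP sits before the DMZ-to-uplink ACCEPT, and the ESTABLISHED rule first is what lets management-initiated sessions into the DMZ get their replies back without opening the reverse direction. `iptables -L FORWARD -v -n` afterwards shows the counters per rule, which is the quickest way to confirm a phone in the DMZ is hitting the DROP rule rather than the ACCEPT.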
Did you ever connect the trunked switchport to a single NIC configured for trunking on your Linux box for inter-VLAN routing, or did you connect two of the non-trunked NICs to separate switchports/VLANs?
The reason I ask is that this thread has sparked some interest on my part, and I plan on trying to use a Linux box for inter-VLAN routing in a lab environment. I was curious about how (in your example) you configured the Linux box to handle non-802.1q frames (VLAN 1). If I understand Cisco switches correctly, VLAN 1 or ANY VLAN marked as "the native VLAN" will never transmit a frame with an 802.1q header across a trunked port. So in your example of using VLAN 1-2 (instead of VLAN 2-3), I would think VLAN 1 attached devices would be able to communicate with each other, but not be routed to other VLANs unless the trunked NIC on the Linux box also had an interface defined for non-802.1q traffic (like eth0).
Just curious... I hope to try this sometime this week.
Well, any switchport using 802.1q trunking (as opposed to ISL trunking) can have one VLAN additionally marked as a native VLAN. This is most often the way a VoIP phone and a desktop share a single port: the phone bridges Ethernet traffic and itself operates on a tagged voice VLAN, whilst the PC uses the untagged connection and so needs no meddling. VLAN 1 is a default only; any other VLAN can replace it. Obviously, only one VLAN can be the native one per port (as the frames are totally untagged). That VLAN can also be tagged as well, and in that case I'm not sure what the rationale is to tag or not... probably separate MAC tables for native and the corresponding table...
Last edited by acid_kewpie; 01-06-2008 at 12:43 PM.
I have the enterprise OS on this 2924, so from what I have read I guess this little switch can do some tricks. I guess what I am looking for is 802.1p QoS to prioritize VoIP traffic for better call quality. This is a layer 2 switch, so would 802.1p QoS, or better said, can 802.1p QoS be done on my Linux router?
I understand your reply, but that's not what I was trying to refer to in my post. Sorry for the confusion. Poor wording on my part.
What I was trying to ask metallica1973 was...
1) Did he end up using the trunked switch port or just plug the firewall interfaces into separate switchports/vlans?
2) If he did use the trunked port, how did he account for inter-vlan routing between vlan 1 and 2 (vs. using vlan 2-3), if the cisco switch is not going to encapsulate vlan 1 into an 802.1q frame?
What I was trying to refer to in my post (rather poorly) was that I think the eth0 interface would handle the VLAN 1 non-802.1q frames: the same physical interface the VLAN virtuals are created against, at least if you follow the candelatech VLAN article with some minor changes at layer 3. Basically, I do not see why you can't assign an IP to eth0 for non-802.1q frames and assign IPs to the vconfig-created virtuals. Whether or not this will work on a Linux-based trunked port? I don't know yet.
Long pause...
I just booted my laptop into FC8 and followed the candelatech article example and created VLANs 2, 3 and 10 against eth0. vconfig created eth0.2, eth0.3 and eth0.10 virtuals respectively. BTW: I had to load the 8021q module. I assigned arbitrary IPs to all virtuals, but I left eth0 configured with its DHCP-assigned IP. In the candelatech article, the author removes the IP from eth0. My laptop still communicates on my home network just fine via eth0, but until I can connect my laptop to an 802.1q trunked port, I really have no way of testing inter-VLAN routing and whether or not eth0 will handle the non-802.1q frames across the trunk. Based on the fact that my laptop is still communicating on my network, it appears to be working as expected. But then I could be having a brain-fart.
Hopefully, I will get some time in the lab this week to test using a Linux box for inter-VLAN routing. This has been an interesting topic.
Thanks for replying to my post. To answer your questions:
Quote:
1) Did he end up using the trunked switch port or just plug the firewall interfaces into separate switchports/vlans?
I plugged my firewall interface for the LAN into VLAN1 (trunked switch port). I plan on changing my configuration to add more VLANs and leaving the trunk by itself (VLAN1). I have an array of ports assigned to that VLAN and I will change that.
Quote:
2) If he did use the trunked port, how did he account for inter-vlan routing between vlan 1 and 2 (vs. using vlan 2-3), if the cisco switch is not going to encapsulate vlan 1 into an 802.1q frame?
That is a very good question which I am still trying to figure out. I do not know whether or not my switch, which is a WS-C2924-XL-EN (12.5), can perform 802.1q. I would like to enable that to provide better voice quality for my VoIP phones. As far as the inter-VLAN routing, I believe that has to be done from a layer 3 device. In my case it would be my Linux firewall/router, using vconfig. If you could shed some light on this, that would help. Thanks.
Last edited by metallica1973; 01-07-2008 at 07:11 AM.
Obviously, if you are using your Linux box for the router portion, you'll have to work out that configuration, but the overall guide should give you some direction.
I did get a chance to try this in a lab environment. Worked great! All PCs were able to ping each other on different VLANs via the Linux box acting as router on a single trunked port connection.
The VLAN configuration on the Linux box was pretty straightforward. I followed the candelatech article for creating the VLAN interfaces, along with configuring the primary interface (eth0) for VLAN 1.
NOTE: I am posting the example from memory, not copy/paste. I should be close and will update the post if needed.
Also, I noticed that FC8 supports vconfig in the "ifup" network script. But I did not get a chance to figure out how to configure this part so that the VLAN interfaces were configured on boot-up.
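The Linux end of the trunk described in the lab post above, as an added example rather than the poster's own (unposted) config. It assumes eth0 is the NIC on the switch's 802.1q trunk, that VLANs 10 (management) and 20 (DMZ) arrive tagged and become eth0.10 and eth0.20, and that the switch's native VLAN is some other, otherwise unused VLAN: its frames arrive untagged on plain eth0, which is brought up to carry the tagged traffic but deliberately never given an address, so the untagged side has no L3 endpoint on the router and cannot be used to slip into a routed VLAN. The commands use the iproute2 `ip link ... type vlan` form; the vconfig equivalent the thread uses is noted in a comment. The ifcfg file is the Red Hat network-scripts convention (`VLAN=yes` plus the eth0.N device name) that makes ifup recreate the sub-interface at boot, which is the part the post above left open. On the switch side the matching port would be a dot1q trunk with its native VLAN moved off VLAN 1 (assumed IOS: `switchport mode trunk`, `switchport trunk encapsulation dot1q`, `switchport trunk native vlan 99`).

```shell
#!/bin/sh
# Added example; not the thread's config. Hypothetical layout: eth0 sits on
# the switch's 802.1q trunk; VLAN 10 (management) and VLAN 20 (DMZ) arrive
# tagged and get eth0.10 / eth0.20; the switch's native VLAN arrives untagged
# on plain eth0, which is brought up but left without an IP address.
set -eu

TRUNK=eth0
SYSCONFIG=${SYSCONFIG:-/etc/sysconfig/network-scripts}
DRY_RUN=${DRY_RUN:-1}     # 1 = print the commands, 0 = execute them (as root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# The parent carries the tagged frames, so it must be up. Giving it no IP means
# untagged (native-VLAN) frames reaching this box are not routed anywhere.
bring_up_trunk() {
    run modprobe 8021q
    run ip link set "$TRUNK" up
}

# add_vlan <vid> <addr/prefix>: tagged sub-interface for one VLAN.
# vconfig equivalent of the first command:  vconfig add eth0 <vid>
add_vlan() {
    vid=$1; cidr=$2
    run ip link add link "$TRUNK" name "$TRUNK.$vid" type vlan id "$vid"
    run ip addr add "$cidr" dev "$TRUNK.$vid"
    run ip link set "$TRUNK.$vid" up
}

# ifcfg_vlan <vid> <ip> <netmask>: prints the ifcfg file that makes ifup
# recreate the sub-interface at boot (VLAN=yes plus the eth0.N device name).
ifcfg_vlan() {
    cat <<EOF
DEVICE=$TRUNK.$1
VLAN=yes
BOOTPROTO=static
IPADDR=$2
NETMASK=$3
ONBOOT=yes
EOF
}

# write_ifcfg <vid> <ip> <netmask>: installs that file under network-scripts.
write_ifcfg() {
    ifcfg_vlan "$@" > "$SYSCONFIG/ifcfg-$TRUNK.$1"
}

# Checks once the trunk is live (not run here):
#   cat /proc/net/vlan/config        - VIDs the 8021q module knows about
#   tcpdump -e -n -i eth0 vlan       - tagged frames only; native-VLAN traffic
#                                      shows up on eth0 without the 'vlan' filter
bring_up_trunk
add_vlan 10 192.168.10.1/24
add_vlan 20 192.168.20.1/24
```

Run without arguments to see the commands; `DRY_RUN=0` executes them as root. `write_ifcfg 10 192.168.10.1 255.255.255.0` (and the same for 20) creates ifcfg-eth0.10 and ifcfg-eth0.20 so the sub-interfaces return after a reboot; some releases also expect `VLAN=yes` in /etc/sysconfig/network. The tcpdump line is the direct answer to the native-VLAN question raised earlier in the thread: if a host's traffic shows up on eth0 without a VLAN tag, that host is on the switch's native VLAN and will only ever be reachable through an address on plain eth0, which this layout intentionally does not provide.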
I had tried this before, CentOS 4 and a 2924-XL, and couldn't get a thing... well, native VLAN worked, but nothing else. Didn't have enough resources to properly investigate with Wireshark or such, so I gave up... nice to know it must've been me!