Do More With Less: Build a Linux VLAN

By Carla Schroder | Jan 22, 2008
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3723126/Do-More-With-Less-Build-a-Linux-VLAN.htm

Virtual LANs (VLANs) divide your local network logically, rather than relying only on physical switches and routers. This gives you a wonderful level of flexibility. Physically subnetting a LAN requires multiple routers, or routers with multiple network interfaces, and multiple switches. With VLANs you can segment your network and make changes without being limited by hardware. You can create intricate blends of both physical and logical subnets until either your head explodes, or everything works happily.

For example, frugal network administrators can run several subnets off a single Ethernet switch and router. You need a switch that supports VLANs to make this work, client network interfaces require VLAN addresses, and you'll have to configure routing to pass traffic between your new virtual subnets. This is affordable now for all but the most frugal of geeks, since we now have a whole new class of inexpensive "smart" switches that contain many of the features found in their higher-end siblings. Linux supports VLAN addressing and routing, and most commercial routers support VLANs. In this series we're going to use a homegrown Linux-based router.

Network Art

Let's make some nice ASCII pictures to illustrate. Here is a simple network with a single router/firewall and three physical subnets:

                      router/firewall
                    /        |        \
                /            |            \
          switch          switch          switch
      192.168.1.0/24  192.168.2.0/24  192.168.3.0/24
           lan1            lan2            lan3

The router has three Ethernet interfaces. Each one connects to a separate switch, which then connect to a number of hosts. This is nice and simple and easy to understand. It's also inflexible. Suppose you have some hosts in lan1 and lan2 that you want to have on the same subnet, or suppose you want to add a fourth subnet. You'll have to physically move cables or computers, and possibly buy new gear.

So instead you could create a VLAN structure, which opens up all kinds of possibilities, like a single switch for the whole network:

                      router/firewall
                             |
                          switch
                /            |            \
      192.168.1.0/24  192.168.2.0/24  192.168.3.0/24
           vlan1           vlan2           vlan3

Then you can add a physically-separate DMZ:

                router/firewall
              /                 \
           /                         \
      switch                        switch
        |                        /    |    \
  192.168.4.0/24 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
    lan1, DMZ        vlan1          vlan2          vlan3

So you see how this gives you an incredible amount of flexibility even on a small network. You are limited only by the size and capabilities of your switches.

VLANs Are Not Security Devices

One thing you should never do with VLANs is count on them for any kind of security. They're a convenience for carving up a switch, not security devices. Inside a VLAN every host shares one broadcast domain, so the dsniff suite of snooping tools (arpspoof and friends) can redirect and capture traffic just as it can on any other switched network; switching stops casual sniffing, not deliberate ARP spoofing. And the boundary between VLANs is only as strong as the switch configuration: a port left in auto-trunking mode, or a trunk whose native VLAN is also used for ordinary hosts, lets an attacker push frames into VLANs they were never assigned to. So if you need a DMZ or any network segment that must be segregated, don't put it on a VLAN. Separate it physically, using a separate physical network interface on the router (or a separate router), appropriate firewalling, and its own switch.

Terminology

Let's define a few terms so we know what the heck we're talking about. A LAN is a Local Area Network, which is typically a geographically-defined Ethernet-connected gaggle of computers, printers, and other network devices in the same building or cluster of buildings. LANs are often divided into subnets or network segments. All the hosts in a single subnet can communicate with each other without needing a router. The simplest example of this is two PCs connected via a crossover cable. Every host connected to a single switch that is not divided into VLANs is on the same subnet. You could also call this a broadcast domain, since Ethernet broadcasts do not cross routers, but are confined to a single LAN segment. A VLAN is a broadcast domain too: a switch floods broadcasts only to ports in the same VLAN. In the olden days of hubs we also talked about collision domains, but thankfully full-duplex switch ports cured collisions.

It's worth noting that crossover cables are an endangered species because most modern switches and NICs have Auto-MDI/MDI-X, which is also called Universal Cable Recognition, Auto-Sensing, Auto-Uplink, and other marketing terms. Crossover cables were originally needed to ensure that two NICs connected directly, or two switches connected to each other, would have the transmit and receive wires matched up correctly. Switches and hubs did the crossover internally, and so required straight-through cables. Fortunately in this here modern era it's hardly necessary anymore to keep track of the two different cable types.

A gateway is the entrance to a different network, like the Internet or a private WAN (Wide Area Network). A WAN is a network of two or more LANs. Private IP addresses, whether IPv4 (the RFC 1918 ranges) or IPv6 (unique local addresses), are not routable on the public Internet. Note that this is a function of routers and firewalls, not of the addresses themselves: packets with private addresses do leak out onto the Internet, and smart network admins and service providers filter them. If your hosts can communicate with each other without crossing a gateway to someone else's network, they're in a LAN, even if they cross some internal routers along the way.

When a device such as a router or a wireless access point routes between two Ethernet interfaces, they must be on different subnets. Put two routed NICs on the same device into the same subnet and traffic will not pass reliably; the only way to share one subnet across two interfaces is to bridge them, which is what a switch does. This is why even small home networks that have both wired and wireless hosts are usually subnetted, and why you need a router to pass traffic between the two. There is no requirement that traffic pass between them at all: two subnets can share an Internet connection without being able to talk to each other. This is a simple way to isolate a subnet; for example, if you're generously sharing an open wireless access point you can limit it to Internet connectivity only, and keep it safely walled off from your LAN.

VLAN Trunking and Tagging

Trunking is a key term for VLANs. A trunk is a single physical connection that carries multiple VLANs. In practical terms, this means a single router connected to a single switch by one cable can route for several VLANs. Each VLAN appears to the router as a separate virtual interface (on Linux these are conventionally named after the parent interface and VLAN ID, like eth0.10 and eth0.20). Does that not perk up your inner frugal geek?

How do your various network devices tell your VLANs apart? The Linux kernel supports the IEEE 802.1Q protocol (also called VLAN tagging), which inserts a 4-byte tag into each Ethernet frame between the source MAC address and the EtherType. Two bytes are the tag protocol identifier (0x8100) and two bytes are tag control information: a 12-bit VLAN ID (so VLANs 1 through 4094 are usable), a 3-bit priority value, and a 1-bit drop-eligible flag. The switch reads the tag and delivers the frame only to ports that belong to that VLAN; the router strips the tag and hands the frame to the matching virtual interface. 802.1Q VLANs have the most flexibility and reach, because tagged frames can be carried across multiple switches over trunk links. If you're into the OSI layers network model, note that all of this happens at Layer 2: the tag lives in the Ethernet header and nothing about it depends on IP addresses. Layer 3 only enters the picture when the router forwards packets between VLANs.

In addition to 802.1Q VLANs, there are also port-based VLANs. These are less flexible because the frames are not tagged: the VLAN is simply the set of switch ports the administrator assigns to it (some switches can additionally assign ports by MAC address). It's an easy way to create an isolated VLAN group, because it won't be able to talk to other network segments unless the switch is told which ingress and egress ports may exchange frames, and without tags a VLAN can't cross to another switch except over a dedicated cable per VLAN. This works on Layer 2 switches. Dumb switches and less-smart switches operate at Layer 2, which means they forward on MAC addresses and switch port numbers, but don't look at IP headers at all.
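To make the tag layout from the two paragraphs above concrete, here is an added example (not code from the article) that decodes the 802.1Q tag stack on a raw Ethernet frame. It peels off 0x8100 (and 0x88a8 provider) tags until it reaches the real EtherType, so an untagged frame from a port-based VLAN, a single-tagged frame from a trunk, and a double-tagged frame all parse. The double-tagged case matters for the security point made earlier: if a switch strips an outer tag that matches its trunk's native VLAN, the inner tag is what the next switch acts on, which is how frames end up in a VLAN the sender was never assigned to, so the classifier flags it. The MAC addresses, VLAN IDs and payloads are constructed for the example.

```python
"""802.1Q tag decoder: added example, not code from the article.

Walks the header of an Ethernet frame, peeling off 802.1Q (0x8100) and
802.1ad (0x88a8) tags until it reaches the real EtherType. Untagged
frames are what a port-based VLAN carries; tagged frames are what a
trunk carries. The sample frames at the bottom are constructed by hand.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

TPID_8021Q = 0x8100    # customer VLAN tag
TPID_8021AD = 0x88A8   # service (provider / QinQ) tag
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)
ETH_P_IP = 0x0800


@dataclass
class VlanTag:
    tpid: int
    pcp: int   # 3-bit priority code point
    dei: int   # 1-bit drop eligible indicator (formerly CFI)
    vid: int   # 12-bit VLAN identifier


@dataclass
class Frame:
    dst: str
    src: str
    tags: List[VlanTag]   # outermost tag first
    ethertype: int        # EtherType of the payload, after all tags
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Split an Ethernet frame into addresses, VLAN tag stack and payload."""
    if len(raw) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst, src = _mac(raw[0:6]), _mac(raw[6:12])
    off = 12
    tags: List[VlanTag] = []
    while True:
        if len(raw) < off + 2:
            raise ValueError("truncated frame: no EtherType")
        (ethertype,) = struct.unpack("!H", raw[off:off + 2])
        if ethertype not in TAG_TPIDS:
            break
        # A tag is 4 bytes: the 2-byte TPID just read plus 2 bytes of TCI.
        if len(raw) < off + 4:
            raise ValueError("truncated frame: tag without TCI")
        (tci,) = struct.unpack("!H", raw[off + 2:off + 4])
        tags.append(VlanTag(tpid=ethertype,
                            pcp=tci >> 13,
                            dei=(tci >> 12) & 1,
                            vid=tci & 0x0FFF))
        off += 4
    return Frame(dst, src, tags, ethertype, raw[off + 2:])


def outer_vid(frame: Frame) -> Optional[int]:
    """VLAN a trunk port would file this frame under; None if untagged."""
    return frame.tags[0].vid if frame.tags else None


def classify(frame: Frame) -> str:
    """Describe the tag stack in the terms a switch admin uses."""
    if not frame.tags:
        return "untagged"          # VLAN decided by ingress port (port-based VLAN)
    if len(frame.tags) > 1:
        return "double-tagged"     # QinQ, or an attempt to hop VLANs
    vid = frame.tags[0].vid
    if vid == 0:
        return "priority-tagged"   # VID 0 carries only a priority; VLAN from port
    if vid == 4095:
        return "reserved-vid"      # 4095 is reserved by the standard
    return "tagged"


def build_frame(dst: str, src: str, vids: List[int], ethertype: int,
                payload: bytes, pcp: int = 0) -> bytes:
    """Build a frame with zero or more 802.1Q tags (helper for the samples)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames: addresses and payload are made up for the example.
ROUTER = "02:00:00:00:00:01"
HOST = "02:00:00:00:00:02"
IP_STUB = b"\x45" + b"\x00" * 19
UNTAGGED = build_frame(ROUTER, HOST, [], ETH_P_IP, IP_STUB)
TAGGED_20 = build_frame(ROUTER, HOST, [20], ETH_P_IP, IP_STUB, pcp=5)
DOUBLE_1_30 = build_frame(ROUTER, HOST, [1, 30], ETH_P_IP, IP_STUB)

if __name__ == "__main__":
    for name, raw in [("untagged", UNTAGGED), ("vlan 20", TAGGED_20), ("1 over 30", DOUBLE_1_30)]:
        f = parse_frame(raw)
        print(f"{name:10} {classify(f):15} vids={[t.vid for t in f.tags]} "
              f"ethertype=0x{f.ethertype:04x}")
```

Run it and the three sample frames print as untagged, tagged (VLAN 20, priority 5) and double-tagged (1 over 30). Feeding it real frames captured with a raw socket or read out of a pcap works the same way, since the function only looks at the first 12 bytes plus the tag stack.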

Come back next week to build some actual VLANs.
