
Connecting to a Managed Switch

This article discusses one way to connect a Linux system to a managed network switch over a trunk port and to set up management of that switch via a VLAN. For the purpose of this setup, all normal connections will be set to use VLAN 2, while the management connection to the switch will use VLAN 99. It is sometimes advised not to use VLAN 1 and to move all ports to a different VLAN. Depending on your usage scenario, you may or may not wish to do that.

Configuring the Switch

For this scenario I am using a Cisco Catalyst 2950 switch with 24 10/100 ports. I configure the first port as a trunk port as shown. This enables traffic from all VLANs to reach the computer connected to this port. Traffic from all VLANs other than the native VLAN of the port will be tagged using 802.1Q encapsulation.

(config)# int f0/1
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config-if)# switchport trunk native vlan 2
Configuring the trunk port.

The remaining ports are configured as access ports. Only traffic in the VLAN of that port is allowed, and it is not tagged. I can set all ports at once as shown.

(config)# int range f0/2 - 24
(config-if-range)# switchport mode access
(config-if-range)# switchport nonegotiate
(config-if-range)# switchport access vlan 2
Configuring the remaining ports.

Finally, I configure a management interface on the switch so I can log into the switch and perform management without resorting to a USB-to-serial adapter and console cable.

(config)# int vlan 1
(config-if)# no ip address
(config-if)# shutdown
(config-if)# exit
(config)# int vlan 99
(config-if)# ip address 192.168.99.2 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
Configuring the management interface.

For security, it is generally advised to shut down unused ports. As this is a switch at home and a security breach isn't that much of a concern, I don't do this. I can easily plug additional devices into the switch if needed.

Configuring the Computer

I want the computer to be able to connect to the internet directly using the native interface. I also want to be able to manage the switch by using a virtual interface on the management VLAN 99. Because the trunk port has a native VLAN 2, any traffic on that VLAN will get to the computer untagged, and will be directly handled by the native NIC. In addition, any traffic going out the native NIC will be untagged, and thus be considered as VLAN 2 by the switch.
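To make the tagged/untagged distinction above concrete, here is a small Python parser added as an example (it is not part of the original setup or the switch's own code). It walks an Ethernet header, pulls the VLAN ID out of any 802.1Q tag it finds, and works out which VLAN a trunk with a given native VLAN would assign the frame to: untagged frames and priority-tagged frames (VID 0) land in the native VLAN, tagged frames go where the tag says. The sample frames are constructed test data rather than captures, and the helper names (parse_frame, effective_vlan, is_permitted, build_frame) are assumptions of this example.

```python
"""Parse an Ethernet header and report how a trunk port would classify the frame."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

TPID_8021Q = 0x8100    # customer VLAN tag (802.1Q)
TPID_8021AD = 0x88A8   # service VLAN tag (802.1ad, outer tag of a stacked pair)
ETHERTYPE_IPV4 = 0x0800


@dataclass
class FrameInfo:
    dst: str
    src: str
    vids: List[int]      # VLAN IDs outer-to-inner; an empty list means untagged
    ethertype: int       # EtherType of the payload after any tags
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> FrameInfo:
    """Walk the Ethernet header, collecting every 802.1Q/802.1ad tag in order."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    offset, vids = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType/TPID field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag (TCI missing)")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)   # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    return FrameInfo(dst, src, vids, ethertype, frame[offset:])


def effective_vlan(info: FrameInfo, native_vlan: int) -> int:
    """VLAN a trunk with the given native VLAN assigns to this frame.

    Untagged frames and priority-tagged frames (VID 0) both belong to the
    native VLAN; otherwise the outermost tag decides.
    """
    if not info.vids or info.vids[0] == 0:
        return native_vlan
    return info.vids[0]


def is_permitted(info: FrameInfo, native_vlan: int, allowed: Set[int]) -> bool:
    """True when the frame's effective VLAN is one the trunk is meant to carry."""
    return effective_vlan(info, native_vlan) in allowed


# --- constructed sample frames (not captured traffic) -------------------------
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = bytes.fromhex("45000014") + bytes(16)   # constructed IPv4-looking stub


def build_frame(vid: Optional[int], pcp: int = 0) -> bytes:
    """Build an untagged (vid=None) or single-tagged Ethernet frame for testing."""
    hdr = DST + SRC
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + PAYLOAD


if __name__ == "__main__":
    native, allowed = 2, {2, 99}   # the trunk in this article: native 2, management 99
    for label, frame in [("untagged", build_frame(None)),
                         ("vlan 99 management", build_frame(99, pcp=5)),
                         ("vlan 7 (not allowed)", build_frame(7))]:
        info = parse_frame(frame)
        print(f"{label:22s} tags={info.vids} -> VLAN {effective_vlan(info, native)}"
              f" permitted={is_permitted(info, native, allowed)}")
```

Running it with native VLAN 2 and the allowed set {2, 99} shows the three cases the article relies on: an untagged frame is treated as VLAN 2, a frame tagged 99 reaches the management subinterface, and a frame tagged with anything else is flagged as not belonging on this trunk, which is the check a monitoring script on the computer side would want to make.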

Using Debian, I can add network interfaces to the file /etc/network/interfaces and easily bring them up and down. The native interface is easy to achieve as shown below.

auto eth0
iface eth0 inet dhcp
Configuration for native interface.

Using the vlan package, I can create a subinterface that will handle any traffic for a particular VLAN. The interface can be manually configured from the command line, and can also be configured from the interfaces file.

# ip link add link eth0 name eth0.99 type vlan id 99
# ip addr add 192.168.99.100/24 dev eth0.99
Manually configuring subinterface.

iface eth0.99 inet static
    address 192.168.99.100
    netmask 255.255.255.0
Configuration for subinterface.

I noticed that when using the interfaces file, I would get error messages. It turns out this is because the commands ifup and ifdown automatically handle VLANs in interfaces if they are named as shown, but the helper scripts are also trying to bring up and down the virtual interfaces. I resolved this problem by editing the helper scripts and causing them to exit without doing anything for interfaces named with a dot and VLAN number.
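Since ifup and ifdown pick out VLAN subinterfaces purely by the parent.vid naming convention, it is easy to end up with a stanza that looks right but will not come up. The following Python checker is an added example, not something from the original article or from the ifupdown package: it parses interfaces(5) stanzas, recognises dot-named subinterfaces, validates the VLAN ID range and the parent stanza, and confirms that the configured address is on the same subnet as the switch's management address. The SAMPLE text is constructed to mirror the stanzas above, and the function names (parse_interfaces, vlan_id, check_vlan_stanzas, same_subnet) are assumptions of this example.

```python
"""Check the VLAN subinterface stanzas in an ifupdown /etc/network/interfaces file."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the stanzas above.  eth0.99 deliberately has no
# "auto" line, so it only comes up when ifup is run by hand.
SAMPLE = """\
auto eth0
iface eth0 inet dhcp

iface eth0.99 inet static
    address 192.168.99.100
    netmask 255.255.255.0
"""

# A VLAN subinterface is recognised by its name alone: <parent>.<vid>
VLAN_NAME = re.compile(r"^(?P<parent>[A-Za-z0-9_-]+)\.(?P<vid>\d+)$")


def parse_interfaces(text: str) -> Dict[str, dict]:
    """Return {iface name: {'family', 'method', 'auto', 'options'}} from interfaces(5) text."""
    stanzas: Dict[str, dict] = {}
    auto = set()
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "auto":
            auto.update(words[1:])
        elif words[0].startswith("allow-"):
            pass                               # allow-hotplug etc.: not modelled here
        elif words[0] == "iface" and len(words) >= 4:
            current = {"family": words[2], "method": words[3], "options": {}}
            stanzas[words[1]] = current
        elif words[0] in ("mapping", "source", "source-directory"):
            current = None                     # directives this checker does not model
        elif current is not None:
            current["options"][words[0]] = " ".join(words[1:])
    for name, stanza in stanzas.items():
        stanza["auto"] = name in auto
    return stanzas


def vlan_id(name: str) -> Optional[Tuple[str, int]]:
    """(parent, vid) for a dot-named subinterface, else None."""
    m = VLAN_NAME.match(name)
    return (m.group("parent"), int(m.group("vid"))) if m else None


def check_vlan_stanzas(stanzas: Dict[str, dict]) -> List[str]:
    """Problems that would make ifup fail or leave the VLAN interface misconfigured."""
    problems = []
    for name, stanza in stanzas.items():
        parsed = vlan_id(name)
        if parsed is None:
            continue
        parent, vid = parsed
        if parent not in stanzas:
            problems.append(f"{name}: parent {parent} has no iface stanza")
        if not 1 <= vid <= 4094:
            problems.append(f"{name}: VLAN id {vid} is outside 1-4094")
        if stanza["method"] == "static":
            opts = stanza["options"]
            if "address" not in opts:
                problems.append(f"{name}: static stanza without an address")
            elif "netmask" not in opts and "/" not in opts["address"]:
                problems.append(f"{name}: static stanza without a netmask or prefix")
    return problems


def same_subnet(stanzas: Dict[str, dict], name: str, peer: str) -> bool:
    """True if peer (e.g. the switch's management IP) is on the stanza's subnet."""
    opts = stanzas[name]["options"]
    addr = opts["address"]
    if "/" not in addr:
        addr = f"{addr}/{opts['netmask']}"
    return ipaddress.ip_address(peer) in ipaddress.ip_interface(addr).network


if __name__ == "__main__":
    stanzas = parse_interfaces(SAMPLE)
    for problem in check_vlan_stanzas(stanzas) or ["no problems found"]:
        print(problem)
    # 192.168.99.2 is the switch management address configured earlier in the article
    print("switch reachable from eth0.99:", same_subnet(stanzas, "eth0.99", "192.168.99.2"))
```

Point it at the real file with parse_interfaces(open("/etc/network/interfaces").read()) to check a live configuration; it only reads the file, so it needs no privileges and does not touch the interfaces themselves.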

Using the Switch

Now that the switch and the computer are configured, the switch can be used. Connections to the Internet can be made by connecting any of the remaining ports to a home router. In addition, the management subinterface can be brought up and down as needed, and the switch can be managed directly from the computer.
