User:Nathanlkoch/Tutorials/8021QTrunking

From Gentoo Wiki

802.1Q Trunking with Sub Interfaces

Lazy man's switch

Trunking with 802.1Q encapsulation and sub interfaces to a Cisco or any other 802.1Q capable interface. This is the best way to host VMs with isolated networks. It works with QEMU, VBox and anything else that can directly accept network interface names.


Sub interfaces work as follows. Say you have interface eth0 and want a sub interface for each VLAN. Each VLAN is tagged only on its own sub interface: VLANs 30, 20 and 10 would each get their own sub interface, eth0.30, eth0.20 and eth0.10. This is a layer 2 topology handled by the kernel: all traffic is tagged with its VLAN ID and directed to the matching sub interface. For extreme measures you don't even have to apply IPs to any device, neither eth0 nor eth0.10; in theory your system wouldn't be connected to the internet, but any VMs attached to the sub interfaces would still be able to pull their own IPs. ACLs and zone based firewalling can also be done router side so that VLANs are unable to route to one another, giving each application its own VLAN: network isolation.

This can be done with OpenRC and Systemd.

Kernel

You will need to enable 802.1Q in the kernel.

Networking options ----> 802.1Q/802.1ad VLAN Support. You can enable GVRP and MVRP as well.

OpenRC

Systemd-networkd

You can configure your main interface as you typically would. You can turn off IPv4 and IPv6 on eth0 altogether if you want, but the interface needs to remain up.

You need to create a network script for each sub interface you want. In /etc/sysconfig/network-scripts/ you will find the file ifcfg-eth0, which handles the network configuration for that device. So you would create /etc/sysconfig/network-scripts/ifcfg-eth0.10 and so on, one file per sub interface.

Example 1

FILE /etc/sysconfig/network-scripts/ifcfg-eth0.10
DEVICE=eth0.10
# No address on the host side: this stays a raw layer 2 interface
BOOTPROTO=none
ONBOOT=yes
# Uncomment to give the host its own address on this VLAN
#IPADDR=192.168.10.2
#PREFIX=24
#NETWORK=192.168.10.0
VLAN=yes
TYPE=Vlan
# Parent (trunk) interface and the 802.1Q tag carried on it
PHYSDEV=eth0
VLAN_ID=10
IPV6INIT=no
IPV6_AUTOCONF=no

This would create a layer 2 802.1Q interface carrying all traffic tagged for VLAN 10, over which DHCP can be pulled from whatever server is running on that network. You can apply an IP address to it or leave it as a raw interface.

Example 2

FILE /etc/sysconfig/network-scripts/ifcfg-eth0.30
# DEVICE, the file name and PHYSDEV.VLAN_ID must all agree
DEVICE=eth0.30
BOOTPROTO=none
ONBOOT=yes
#IPADDR=192.168.30.2
#PREFIX=24
#NETWORK=192.168.30.0
VLAN=yes
TYPE=Vlan
PHYSDEV=eth0
VLAN_ID=30
# Keep the 802.1Q header handling default; GVRP/MVRP only if the switch uses them
REORDER_HDR=yes
GVRP=no
MVRP=no
PROXY_METHOD=none
BROWSER_ONLY=no
NAME="Vlan eth0.30"
IPV6INIT=no
IPV6_AUTOCONF=no

Example 3

FILE /etc/sysconfig/network-scripts/ifcfg-eth0.20
DEVICE=eth0.20
BOOTPROTO=none
ONBOOT=yes
#IPADDR=192.168.20.2
#PREFIX=24
#NETWORK=192.168.20.0
VLAN=yes
# With VLAN=yes and a DEVICE named parent.id the scripts infer the parent
# and tag from the name; setting them explicitly avoids surprises
TYPE=Vlan
PHYSDEV=eth0
VLAN_ID=20
IPV6INIT=no
IPV6_AUTOCONF=no

Systemd-networkd should pick up the configuration after a reboot.

Each sub interface will show up in your network device list as its own interface (eth0, eth0.10, eth0.20), and ifconfig -a will list them. I personally like to disable IPv6 system wide and then set the devices not to request IPs.
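The per-VLAN files above all follow one pattern, and the easy mistake (as the DEVICE/PHYSDEV pair shows) is a name that does not match its parent and tag. The script below, an added example that is not from the original page, generates the ifcfg file for a parent interface and VLAN ID in the raw layer 2 form described earlier (no host address, IPv6 off) and then checks an existing file for consistency between DEVICE, PHYSDEV, VLAN_ID and the file name, honouring the inferred form of Example 3. The function names, the IFCFG_DIR override and the range check are assumptions of this example, not part of the network-scripts tooling.

```shell
#!/bin/sh
# Added example: generate and sanity-check ifcfg-* files for 802.1Q sub
# interfaces. IFCFG_DIR (assumed here) lets you dry-run into any directory.
IFCFG_DIR="${IFCFG_DIR:-/etc/sysconfig/network-scripts}"

# write_vlan_ifcfg PARENT VLAN_ID
# Writes ifcfg-PARENT.VLAN_ID as a raw layer 2 interface: no host address
# (BOOTPROTO=none) and IPv6 off, so only guests attached to it talk on the VLAN.
write_vlan_ifcfg() {
    parent="$1"; vid="$2"
    case "$vid" in
        ''|*[!0-9]*) echo "vlan id must be numeric: $vid" >&2; return 1 ;;
    esac
    # 802.1Q tags are 12 bits; 0 and 4095 are reserved
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "vlan id out of range 1-4094: $vid" >&2; return 1
    fi
    dev="$parent.$vid"
    cat > "$IFCFG_DIR/ifcfg-$dev" <<EOF
DEVICE=$dev
NAME="Vlan $dev"
TYPE=Vlan
VLAN=yes
PHYSDEV=$parent
VLAN_ID=$vid
ONBOOT=yes
BOOTPROTO=none
IPV6INIT=no
IPV6_AUTOCONF=no
EOF
}

# ifcfg_value FILE KEY: print the (last) value of KEY, quotes stripped
ifcfg_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# check_vlan_ifcfg FILE
# Returns 0 when DEVICE, PHYSDEV, VLAN_ID and the file name agree; otherwise
# explains the mismatch on stderr and returns 1. Catches a file copied from
# another host that still carries the old parent interface name.
check_vlan_ifcfg() {
    f="$1"
    if [ "$(ifcfg_value "$f" VLAN)" != "yes" ]; then
        echo "$f: VLAN=yes missing" >&2; return 1
    fi
    dev=$(ifcfg_value "$f" DEVICE)
    physdev=$(ifcfg_value "$f" PHYSDEV)
    vid=$(ifcfg_value "$f" VLAN_ID)
    # Minimal files (Example 3 style) leave PHYSDEV/VLAN_ID to be inferred
    # from a DEVICE named parent.N; mirror that inference here
    [ -n "$physdev" ] || physdev="${dev%.*}"
    [ -n "$vid" ] || vid="${dev##*.}"
    if [ "$dev" != "$physdev.$vid" ]; then
        echo "$f: DEVICE=$dev does not match PHYSDEV=$physdev VLAN_ID=$vid" >&2
        return 1
    fi
    if [ "ifcfg-$dev" != "$(basename "$f")" ]; then
        echo "$f: file name does not match DEVICE=$dev" >&2; return 1
    fi
    return 0
}
```

To try it without touching the live configuration, run it with IFCFG_DIR pointed at a scratch directory, e.g. `IFCFG_DIR=/tmp/ifcfg-test sh vlan-ifcfg.sh`, and call `write_vlan_ifcfg eth0 10` followed by `check_vlan_ifcfg /tmp/ifcfg-test/ifcfg-eth0.10`; run the check over each real file before rebooting.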


You can set your VMs accordingly. Warning: installing VM tools and enabling file sharing or any other type of resource that gives file system access comes with its own set of issues. The best solution is to use NFS and isolate your cluster.

Links