vLANs on Linux (physical) Hosts
vLANs on VMware virtual Linux guests are easy. Set it and you're done, right?
On physical hosts, though, it can be a bit more tricky. It seems the format's changed a bit, too, between RHEL4 and RHEL5 -- for the better!
By example, though, to add vLAN 101 to your eth2, it's like this:
(emacs /etc/sysconfig/network-scripts/ifcfg-eth2.101)

    DEVICE=eth2.101
    ONBOOT=yes
    BOOTPROTO=none
    IPADDR=10.101.2.17
    NETMASK=255.255.255.0
    VLAN=yes

Yeah, it's that easy. The scripts extract the device name (eth2) and vLAN ID (101) from the DEVICE tag if they see the VLAN=yes setting. When you're done:

    ifup eth2.101

Your machine should (wait an agonizing 2 seconds and) display something like this:

    Added VLAN with VID == 101 to IF -:eth2:-

And you know you're done. You can use all the tools you would expect, just like with regular devices and/or ip-aliased devices:

    ifconfig eth2.101
    tshark -i eth2.101 host sniffme.mynet.com
    ping -I eth2.101 sniffme

One bit of caution, though: vLANs are privacy, not security. What this means is that you should never have vLANs carrying data where anything but completely trustable machines can hear it, even if it's in a vLAN. It's trivial to peel the leading vLAN tag off a packet and read it from the untagged network (e.g. eth2).
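As an added example (not from the original post), here is a small POSIX shell script that does the two things the post describes by hand: it splits a tagged-interface name such as eth2.101 into its parent device and VLAN ID the way the ifcfg scripts do, rejecting IDs outside the usable 802.1Q range of 1..4094, and it writes the RHEL5-style ifcfg file. The SYSCONFIG_DIR variable is an assumption added so the script can be run without root; on a real host it would be /etc/sysconfig/network-scripts.

```shell
#!/bin/sh
# Added example, not the distribution's own scripts.
# SYSCONFIG_DIR is an assumption so this can run unprivileged;
# the real location is /etc/sysconfig/network-scripts.
SYSCONFIG_DIR="${SYSCONFIG_DIR:-./network-scripts}"

# vlan_split NAME -> prints "parent vid" for a name like eth2.101.
# Fails when there is no ".vid" suffix, the suffix is not numeric,
# or the VID is outside 1..4094 (0 and 4095 are reserved by 802.1Q).
vlan_split() {
    name="$1"
    case "$name" in
        *.*) ;;
        *) echo "no VLAN suffix in '$name'" >&2; return 1 ;;
    esac
    parent="${name%.*}"
    vid="${name##*.}"
    case "$vid" in
        ''|*[!0-9]*) echo "non-numeric VID '$vid'" >&2; return 1 ;;
    esac
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "VID $vid out of range 1..4094" >&2; return 1
    fi
    echo "$parent $vid"
}

# vlan_ifcfg PARENT VID IPADDR NETMASK -> writes ifcfg-PARENT.VID
# (the same six settings the post shows) and prints the file path.
vlan_ifcfg() {
    parent="$1"; vid="$2"; ip="$3"; mask="$4"
    vlan_split "$parent.$vid" >/dev/null || return 1
    mkdir -p "$SYSCONFIG_DIR"
    f="$SYSCONFIG_DIR/ifcfg-$parent.$vid"
    cat >"$f" <<EOF
DEVICE=$parent.$vid
ONBOOT=yes
BOOTPROTO=none
IPADDR=$ip
NETMASK=$mask
VLAN=yes
EOF
    echo "$f"
}

# Usage: sh vlan-ifcfg.sh eth2 101 10.101.2.17 255.255.255.0
if [ "$#" -eq 4 ]; then
    vlan_ifcfg "$@"
fi
```

After writing the file on a real RHEL5 host, `ifup eth2.101` brings the sub-interface up exactly as the post shows; the range check matters because the kernel silently refuses reserved VIDs and the error from ifup is not very descriptive.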
Get your stuff onto a managed switch! Segregate your traffic! If you aren't 100% sure, the best security between two networks is an air gap.