When hosts in different VLANs need to communicate, a Layer 3 switch or a router with sub-interfaces (router-on-a-stick) is normally used. A Linux host attached to a Cisco switch over a trunk link can do the same job and route between the VLANs.
Environment: RHEL 5.2, minimal installation. Physical NIC eth1 is connected to GigabitEthernet0/1 of a Cisco 2960, which is configured as a VLAN trunk port. The other physical NIC, eth0, is the upstream port connecting to the rest of the network.
On the Cisco 2960, the VLANs and their network segments are planned as follows:
VLAN 1: fa0/1-fa0/6, 192.168.1.0/24
VLAN 2: fa0/7-fa0/12, 192.168.2.0/24
VLAN 3: fa0/13-fa0/18, 192.168.3.0/24
VLAN 4: fa0/19-fa0/24, 192.168.4.0/24
The 2960 uses the 802.1Q trunk protocol, under which traffic of the native VLAN (VLAN 1 here) is carried untagged. The switch-side configuration is not covered in this article; see the switch configuration articles elsewhere on this site.
The native VLAN of the trunk can be checked with the show interfaces trunk command. No sub-interface is created for the native VLAN: its IP address is bound directly to the physical NIC eth1. The other VLANs get sub-interfaces created with vconfig.
One. Verify that the Linux kernel supports VLANs:
Kernel and OS version in use:
# lsmod | grep 8021q      (is the 8021q module, i.e. 802.1Q support, loaded?)
8021q 18633 0
# lspci                   (verify that the NIC is detected and its driver loaded)
If lsmod prints nothing, load the module with modprobe 8021q before continuing. In general, Red Hat-derived distributions from RH9 onward (RHEL4, RHEL5, CentOS4, CentOS5) support VLANs by default.
Two. Relationship between physical NICs, sub-interfaces and virtual VLAN NICs:
1. Physical NIC: the actual interface device in the server. My server has two NICs, which appear in the system as the network interfaces eth0 and eth1.
2. Sub-interface (alias): not a real interface device, but usable as a network interface in the system, for example eth0:1 or eth1:2. A sub-interface depends on its physical NIC; it can coexist with the physical NIC, use a different IP address, and has its own configuration file. However, when the physical NIC it depends on is not enabled (down), its sub-interfaces do not work either.
3. Virtual VLAN NIC: also not a real interface device, but it appears as a network interface in the system. Unlike sub-interfaces, virtual VLAN NICs have no configuration files of their own; they are created by adding a physical NIC to a VLAN. If a physical NIC is added to several VLANs there are several virtual VLAN NICs, and their VLAN membership is kept in the temporary file /proc/net/vlan/config rather than in individual configuration files. They are named after the parent NIC and the VLAN ID, e.g. eth0.1, eth1.2.
Note: when VLAN virtual NICs are to be enabled, the associated physical NIC must not have IP address configuration, and the sub-interfaces of that physical NIC must be neither enabled nor configured with IP addresses. That is the conclusion found on the internet; according to my actual test results it is inaccurate: the physical NIC itself can be bound to an IP address and act as the communication gateway for the native VLAN, but it must be under 802.1Q.
Three. Network planning:
1. VLAN partitioning: the switch-side configuration of the Cisco 2960 is not repeated here. The RHEL 5.2 default kernel supports VLANs, and only 802.1Q trunk encapsulation is supported by default. What needs configuring is eth1, the trunk interface connected to the Cisco 2960. As explained above, the native VLAN 1 is served directly by the physical eth1; because three further VLANs are used on the network, virtual NICs with their own IP addresses must also be added on the trunk NIC eth1. The plan is:
eth1: 192.168.1.1/24
eth1.2: 192.168.2.1/24
eth1.3: 192.168.3.1/24
eth1.4: 192.168.4.1/24
2. Linux gateway forwarding: on one side, the VLAN-capable NIC eth1 is divided into three VLAN virtual NICs and connects over the trunk link to the VLAN trunk port of the Cisco 2960 switch; on the other side, the physical NIC eth0 is the upstream interface. The Linux server forwards traffic between eth1 and eth0, which also means traffic is forwarded between the VLANs. If inter-VLAN forwarding is not wanted, it can be restricted with iptables; iptables is not expanded on here.
Four. Configuring the VLAN trunk in Linux:
Since eth1 on the Linux side is to be the trunk end of the link to the Cisco 2960, and there are several VLANs on the network, the trunk NIC must be added to each of those VLANs. The native VLAN needs no addition: hosts on ports belonging to the native VLAN get IP addresses in the physical NIC's segment and use eth1's address as their gateway. eth0 and eth1 themselves can be configured by editing /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1 directly, or with a text-mode tool such as setup.
1. Add eth1 to VLAN 2:
# vconfig add eth1 2
WARNING: Could not open /proc/net/vlan/config. Maybe you need to load the 8021q module, or maybe you are not using PROCFS??
Added VLAN with VID == 2 to IF -:eth1:-
The warning always appears the first time a VLAN virtual NIC is added, because /proc/net/vlan/config, the file that holds the VLAN information, does not exist yet; it is created automatically on the first add. Files under /proc are temporary, so this configuration is lost after a reboot; once the VLANs have been configured and tested, add the relevant commands to the rc.local startup script. Before running the command you can look in /proc/net/ and see that there is no vlan directory; after running it the vlan directory is created, containing the config file and a file for each virtual VLAN NIC, such as eth1.2.
The line "Added VLAN with VID == 2 to IF -:eth1:-" indicates that eth1 has been added to VLAN 2 and that its virtual NIC in that VLAN is eth1.2.
2. Also add eth1 to VLANs 3 and 4:
# vconfig add eth1 3
Added VLAN with VID == 3 to IF -:eth1:-
# vconfig add eth1 4
Added VLAN with VID == 4 to IF -:eth1:-
3. Check the VLAN virtual NIC information that was added:
# cat /proc/net/vlan/config
--------------------------------------------------
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth1.2           | 2   | eth1
eth1.3           | 3   | eth1
eth1.4           | 4   | eth1
(virtual NIC | VLAN ID | parent physical NIC)
--------------------------------------------------
This shows all VLAN virtual NICs and the physical NIC each belongs to.
Five. Assign IP addresses to the VLAN virtual NICs and bring them up:
# ifconfig eth1.2 192.168.2.1 up
# ifconfig eth1.3 192.168.3.1 up
# ifconfig eth1.4 192.168.4.1 up
Six. Confirm all network interface configurations on the Linux system:
1. Restart the network service
# service network restart
--------------------------------------------------
Shutting down interface eth0: [OK]
Shutting down interface eth1: [OK]
Shutting down loopback interface: [OK]
Bringing up loopback interface: [OK]
Bringing up interface eth0: [OK]
Bringing up interface eth1: [OK]
--------------------------------------------------
2. Check all network interface information on the system:
# ifconfig | more
With this, the main VLAN configuration is complete.
Seven. Simple test:
To test connectivity between the VLANs, connect a PC to a switch port belonging to each VLAN, give it an IP address in the corresponding segment and point its gateway at the IP of the corresponding VLAN virtual NIC. You will find that communication with the gateway works but the VLANs cannot reach each other. This is because Linux does not forward packets by default (for details see http://www.happyboy.net.cn/article.asp?id=19); setting ip_forward to 1 enables normal communication between the VLANs.
After that you can configure NAT on the upstream interface with iptables, and use iptables to limit forwarding between specific VLANs for security and tuning.
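The iptables restriction mentioned above, worked through as an added example (this is not code from the original article): a default-deny FORWARD policy for the gateway described here. It assumes upstream eth0, trunk eth1 carrying the native VLAN plus eth1.2 to eth1.4, and an iptables with the state, limit and LOG extensions; the function names and the DRY_RUN and VLAN_FW_RUN switches are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: a default-deny forwarding
# policy for the Linux VLAN gateway. Assumptions: upstream NIC eth0, trunk
# NIC eth1 carrying the native VLAN plus eth1.2-eth1.4, and iptables with the
# state, limit and LOG extensions. With DRY_RUN=1 the rules are printed
# instead of applied, so the generated policy can be reviewed first.

UPSTREAM_IF="${UPSTREAM_IF:-eth0}"
TRUNK_IF="${TRUNK_IF:-eth1}"
VLAN_IDS="${VLAN_IDS:-2 3 4}"

# Run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Every VLAN-facing interface: the physical trunk (native VLAN) and eth1.N.
vlan_ifaces() {
    echo "$TRUNK_IF"
    for vid in $VLAN_IDS; do echo "$TRUNK_IF.$vid"; done
}

# Default-deny forwarding. Each VLAN may reach the upstream (masqueraded),
# return traffic is admitted by connection state, and anything VLAN-to-VLAN
# falls through to a rate-limited LOG and then DROP, so lateral traffic that
# was not explicitly allowed shows up in the kernel log.
build_forward_policy() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for ifc in $(vlan_ifaces); do
        ipt -A FORWARD -i "$ifc" -o "$UPSTREAM_IF" -j ACCEPT
    done
    ipt -t nat -A POSTROUTING -o "$UPSTREAM_IF" -j MASQUERADE
    # "eth1+" matches eth1 and every eth1.N, i.e. all VLAN-facing interfaces.
    ipt -A FORWARD -i "${TRUNK_IF}+" -o "${TRUNK_IF}+" \
        -m limit --limit 5/min -j LOG --log-prefix "INTER-VLAN-DROP: "
    ipt -A FORWARD -j DROP
}

# Explicitly permit one VLAN pair to talk in both directions, inserted right
# after the state rule so it takes precedence over the catch-all DROP.
allow_between() {
    ipt -I FORWARD 2 -i "$TRUNK_IF.$1" -o "$TRUNK_IF.$2" -j ACCEPT
    ipt -I FORWARD 2 -i "$TRUNK_IF.$2" -o "$TRUNK_IF.$1" -j ACCEPT
}

# Apply only when explicitly requested, e.g. from rc.local with VLAN_FW_RUN=1.
if [ "${VLAN_FW_RUN:-0}" = "1" ]; then
    build_forward_policy
fi
```

Run it once with DRY_RUN=1 VLAN_FW_RUN=1 to read the rule set it would install; the LOG rule is what turns an unexpected VLAN-to-VLAN attempt into a visible kernel-log entry rather than a silent drop.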
As mentioned above, this configuration is written to temporary files under /proc and is lost when the system restarts; add the following lines to /etc/rc.local:
vconfig add eth1 2
vconfig add eth1 3
vconfig add eth1 4
ifconfig eth1.2 192.168.2.1 up
ifconfig eth1.3 192.168.3.1 up
ifconfig eth1.4 192.168.4.1 up
echo 1 > /proc/sys/net/ipv4/ip_forward
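An added example (not the article's own rc.local) that serves both this section and the /proc/net/vlan/config check in section Four: the same commands made idempotent, with the VLAN table parsed to verify that each VLAN NIC exists with the expected ID before forwarding is switched on. It assumes the article's layout (trunk eth1, VLANs 2 to 4, gateways 192.168.<vid>.1/24) and the vconfig and ifconfig tools; the function names, the VLAN_CONFIG override and the VLAN_SETUP_RUN guard are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article: an idempotent version of the
# rc.local lines that also verifies the result by parsing
# /proc/net/vlan/config. Assumptions: trunk NIC eth1, VLANs 2-4, gateway
# address 192.168.<vid>.1/24, vconfig and ifconfig present.

TRUNK_IF="${TRUNK_IF:-eth1}"
VLAN_IDS="${VLAN_IDS:-2 3 4}"
# Path is a variable so the parser can be pointed at a saved copy of the file.
VLAN_CONFIG="${VLAN_CONFIG:-/proc/net/vlan/config}"

# Print the VLAN ID recorded for a virtual NIC (e.g. eth1.2) in the
# "dev | vid | parent" table; exit status 1 if the NIC is not listed.
vlan_id_of() {
    dev="$1"
    cfg="${2:-$VLAN_CONFIG}"
    [ -r "$cfg" ] || return 1
    awk -F'|' -v d="$dev" '
        NF == 3 && $1 ~ /\./ {
            gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2)
            if ($1 == d) { print $2; found = 1 }
        }
        END { exit found ? 0 : 1 }' "$cfg"
}

# Succeed only if every requested VLAN exists on the trunk with the right ID.
vlans_consistent() {
    trunk="$1"; shift
    for vid in "$@"; do
        got=$(vlan_id_of "$trunk.$vid") || return 1
        [ "$got" = "$vid" ] || return 1
    done
    return 0
}

# Create the VLAN NIC only if it is missing, then (re)apply its address.
ensure_vlan() {
    trunk="$1"; vid="$2"; addr="$3"
    if ! vlan_id_of "$trunk.$vid" >/dev/null 2>&1; then
        vconfig add "$trunk" "$vid" || return 1
    fi
    ifconfig "$trunk.$vid" "$addr" netmask 255.255.255.0 up
}

main() {
    # 8021q must be loaded before /proc/net/vlan/config can exist.
    lsmod | grep -q '^8021q' || modprobe 8021q || return 1
    for vid in $VLAN_IDS; do
        ensure_vlan "$TRUNK_IF" "$vid" "192.168.$vid.1" || return 1
    done
    echo 1 > /proc/sys/net/ipv4/ip_forward
    vlans_consistent "$TRUNK_IF" $VLAN_IDS
}

# Only touch the live system when explicitly asked, e.g. from rc.local:
#   VLAN_SETUP_RUN=1 /etc/vlan-setup.sh
if [ "${VLAN_SETUP_RUN:-0}" = "1" ]; then
    main
fi
```

Because the functions re-read /proc/net/vlan/config rather than trusting that the earlier commands succeeded, running the script twice is harmless, and a non-zero exit from main means one of the VLAN NICs is missing or carries the wrong ID.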
Brief description of the vconfig command:
vconfig - VLAN (802.1Q) configuration program.
Description
vconfig creates VLAN virtual NICs that interoperate with remote VLAN devices, provided the kernel supports VLANs. A VLAN virtual NIC is a virtual interface layered on an Ethernet card, so that VLANs can be supported on a single physical network.
Options
add [physical NIC] [VLAN ID]
Creates a VLAN virtual NIC with the given VLAN ID on the given physical NIC. The name of the VLAN virtual NIC is recorded in /proc/net/vlan/config.
rem [VLAN virtual NIC]
Deletes the given VLAN virtual NIC. If its name is unknown, look it up in /proc/net/vlan/config.
Related files
/proc/net/vlan/config
/proc/net/vlan/[VLAN virtual NIC]