Understanding How Network And Vlans Work


ascorbic

I am trying to learn more about networking and how to set up a network, specifically with VLANs. I believe VLANs are the answer to helping me bridge and isolate my network, but I am no expert on this topic so I could be way off.

I have mentioned elsewhere that I am planning on sticking with eBox as my router/firewall. I have a quad port Intel Pro 1000 NIC. eth0 is WAN, eth1 & 2 will be internal and eth3 will be connected to a wireless router in bridged mode. I have a very small number of wired machines so I don't want to have an additional piece of hardware just for them; I'd rather plug them directly into the router because I have the ports there. (I also have additional ports but I want to get a smaller base configuration working first.)

In my first attempt I configured eth1 & 2 as 192.168.100.1/24 and 192.168.100.2/24 respectively. I enabled DHCP (yeah, I know I could just use static IPs, but I will also have VMs running on the client machines that I want to pick up IPs automatically) on eth1 to hand out IPs in the 192.168.100.100-199 range. When machines were plugged into eth1 & 2 they got an IP but could not ping anything. I learned this was because having eth1 & 2 on the same subnet resulted in a routing issue. The solution was to place eth1 on 192.168.101.1/24 and eth2 on 192.168.102.1/24. After this change routing works.

Now when eth3 comes into play on 192.168.103.1/24, clients are able to ping anything on the entire network, i.e. 192.168.101.0/24. So I thought the answer might be VLANs. My wired VLAN was going to be 192.168.110.0/24 and wireless 192.168.120.0/24. When I gave eth1 and eth2 VLAN IPs of 192.168.110.1 and 192.168.110.2 I ran into the exact same routing problems.

So it seems like I am missing a big understanding of exactly how VLANs, or something else, works. Can anyone enlighten me? Basically in the end I want my router to act as a switch and allow me to share connections between a few interfaces, but I also want to isolate other interfaces so they are on their own private lan.

---

Ok, you want to put some firewall rules between your WLAN and LAN interfaces if you wish to control traffic between the 2 networks, as the router is just routing traffic between said interfaces. VLANs are just a way of extending a broadcast domain across multiple physical locations, i.e. having all of finance in 192.168.10.0/23 despite being located in 3 different buildings on your site.

---

What kind of network switch are you using?

---

As far as I know a normal router can't isolate VLANs by itself without the help of a switch and trunking. You can try setting a VLAN on each workstation's NIC, setting them to different VLANs and groups of subnets, but ultimately if they are on one router IP subnet, and no switch in between, then they all share the same network. The problem is once you separate the machines into subnets, they won't be able to talk to the router unless they are on the same subnet and mask as the router's gateway address. Each subnet would need its own gateway address on the router itself in order for them to speak to the router.

I'm not too familiar with eBox, but if you can configure individual ports to their own subnets and a gateway address for each physical port, then in theory you really don't need VLANs since they will all be on their own subnets. This may however not be possible, in which case you would then need a switch to configure true VLANs and subnets, and your router would need to be able to do trunking for multiple subnets on one physical port that is connected to the switch.

Edited by digip
---

There are a lot of cheap switches that are capable of creating VLANs. It's only a matter of choosing the appropriate one for your current LAN setup.

I currently have this netgear switch at home.

http://www.netgear.com.au/au/Product/Switc...art-Swit/GS108T

---

> What kind of network switch are you using?

I am trying to minimize hardware so I want to keep everything in one box, so no switch. I have a quad and a dual port NIC so plenty of ports for my network. But unfortunately it seems like using a switch is the answer if I want this sort of setup.

> As far as I know a normal router can't isolate VLANs by itself without the help of a switch and trunking. You can try setting a VLAN on each workstation's NIC, setting them to different VLANs and groups of subnets, but ultimately if they are on one router IP subnet, and no switch in between, then they all share the same network. The problem is once you separate the machines into subnets, they won't be able to talk to the router unless they are on the same subnet and mask as the router's gateway address. Each subnet would need its own gateway address on the router itself in order for them to speak to the router.
>
> I'm not too familiar with eBox, but if you can configure individual ports to their own subnets and a gateway address for each physical port, then in theory you really don't need VLANs since they will all be on their own subnets. This may however not be possible, in which case you would then need a switch to configure true VLANs and subnets, and your router would need to be able to do trunking for multiple subnets on one physical port that is connected to the switch.

Thanks, this clarifies the behavior I am seeing. I have now configured each port to be on its own subnet and its own gateway.

> Ok, you want to put some firewall rules between your WLAN and LAN interfaces if you wish to control traffic between the 2 networks, as the router is just routing traffic between said interfaces. VLANs are just a way of extending a broadcast domain across multiple physical locations, i.e. having all of finance in 192.168.10.0/23 despite being located in 3 different buildings on your site.

Thanks, firewall rules seem to be working to block WLAN to LAN. Is there any security concern if I leave LAN to WLAN open?

---

> The problem is once you separate the machines into subnets, they won't be able to talk to the router unless they are on the same subnet and mask as the router's gateway address. Each subnet would need its own gateway address on the router itself in order for them to speak to the router.

I beg to differ. I can't remember what the terminology was called, but I remember during my CCNA coursework, there was a lab that did exactly this with a Cisco switch and router. I'm not sure if this networking capability is only available through the Cisco IOS or not, but basically the topology was this:

-1 router, 1 switch, 10 workstations, 10 vlans.

-VLANs 1 and 2 had to be able to talk to each other and the gateway, but no other VLANs; VLANs 3 and 4 had to have the same setup as 1 and 2, and this process continued to VLANs 9 and 10.

If anyone could remind me what this networking structure is called, you would save me the time of reading through my CCNA books, which I am currently doing. :P

---

> I beg to differ. I can't remember what the terminology was called, but I remember during my CCNA coursework, there was a lab that did exactly this with a Cisco switch and router. I'm not sure if this networking capability is only available through the Cisco IOS or not, but basically the topology was this:
>
> -1 router, 1 switch, 10 workstations, 10 vlans.
>
> -VLANs 1 and 2 had to be able to talk to each other and the gateway, but no other VLANs; VLANs 3 and 4 had to have the same setup as 1 and 2, and this process continued to VLANs 9 and 10.
>
> If anyone could remind me what this networking structure is called, you would save me the time of reading through my CCNA books, which I am currently doing. :P

This is possible with high-end Cisco equipment because you can configure VLAN trunking with multiple IP subnets on the same physical router port to share multiple VLANs to speak to one another. You can then trunk it so that, say, VLAN 1 can speak to VLAN 2, but keep VLAN 3 and 4 out, while also allowing VLAN 3 and 4 to speak, but not see VLAN 1 and 2.

Still requires a switch, and a router capable of doing (I believe, but don't quote me, been a long time since I looked at Cisco stuff) dot1q or 802.1Q encapsulation. Something also has to be done to their native VLAN settings as well I think, because VLAN 1 can see all VLANs, but doesn't transfer the VLAN packet ID or tag, but like I said, been a long time since I messed with any of that stuff.

I think 802.1q is what allows you to bridge two vlans together. Have to look it up though.

Edited by digip
---
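The following script is an added example and is not code from the thread, from eBox or from any of the posters; it shows how the pieces discussed above (one gateway address per subnet, the one-way WLAN/LAN firewall the original poster asked about, and 802.1Q tagged sub-interfaces on a trunk port) are configured on a plain Linux router with iproute2 and iptables. It goes one step beyond the replies: instead of treating eth1 and eth2 as two routed subnets, it joins them in a Linux software bridge, which is what makes a multi-NIC box "act as a switch" between those two ports without extra hardware. Interface names, the existence of a fifth port eth4 used as a trunk to a managed switch, the VLAN IDs 110/120 and all subnets are assumptions taken from the thread's own examples; adjust them to your box. It prints the commands by default and only executes them when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the thread or from eBox: a Linux box with
# several NICs acting as switch, router and firewall at once.
#   - eth1 and eth2 are joined in a software bridge (br0), so the wired
#     machines share one subnet and one DHCP scope without a switch
#   - eth3 (the bridged wireless AP) is its own routed subnet
#   - eth4 is assumed to be an 802.1Q trunk to a managed switch, with a
#     tagged sub-interface (and gateway address) per VLAN
#   - the FORWARD chain lets trusted networks open connections to
#     untrusted ones, never the reverse
# Interface names, VLAN IDs and subnets are assumptions based on the
# thread's examples. Prints the commands by default; APPLY=1 runs them
# (root, iproute2 and iptables required).
set -eu

WAN=eth0
WIRED_PORTS="eth1 eth2"                        # bridged: one broadcast domain
LAN_BR=br0;    LAN_GW=192.168.101.1/24
WLAN_IF=eth3;  WLAN_GW=192.168.103.1/24
TRUNK_IF=eth4                                  # assumed 802.1Q trunk port
WIRED_VID=110; WIRED_VLAN_GW=192.168.110.1/24
WIFI_VID=120;  WIFI_VLAN_GW=192.168.120.1/24
TRUSTED="$LAN_BR $TRUNK_IF.$WIRED_VID"         # may initiate to anything
UNTRUSTED="$WLAN_IF $TRUNK_IF.$WIFI_VID"       # Internet only

run() {
    # Execute the command when applying, otherwise print it.
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

make_lan_bridge() {
    # One L2 segment across both wired ports. Two routed ports cannot
    # share a /24 (the kernel has one route for the prefix and sends
    # every reply out the port it points at), but a bridge is a single
    # interface with a single gateway address.
    run ip link add name "$LAN_BR" type bridge
    for p in $WIRED_PORTS; do
        run ip link set dev "$p" master "$LAN_BR"
        run ip link set dev "$p" up
    done
    run ip addr add "$LAN_GW" dev "$LAN_BR"
    run ip link set dev "$LAN_BR" up
}

add_vlan_subif() {
    # $1 trunk port, $2 VLAN ID, $3 gateway address for that VLAN.
    # Frames on $1.$2 carry tag $2; the switch port on the other end
    # must be a trunk that permits that VLAN.
    run ip link add link "$1" name "$1.$2" type vlan id "$2"
    run ip addr add "$3" dev "$1.$2"
    run ip link set dev "$1.$2" up
}

firewall() {
    run sysctl -w net.ipv4.ip_forward=1
    # Reverse-path filter: drop packets whose source address would not
    # route back out the interface they arrived on (cheap anti-spoofing).
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run iptables -F FORWARD
    run iptables -P FORWARD DROP                 # nothing crosses unless listed
    # Replies to a connection are allowed back whichever side opened it.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for t in $TRUSTED; do
        run iptables -A FORWARD -i "$t" -o "$WAN" -j ACCEPT
        # Trusted networks may open connections to every other internal network.
        for o in $TRUSTED $UNTRUSTED; do
            [ "$o" = "$t" ] || run iptables -A FORWARD -i "$t" -o "$o" -j ACCEPT
        done
    done
    for u in $UNTRUSTED; do
        run iptables -A FORWARD -i "$u" -o "$WAN" -j ACCEPT
        # Anything else from an untrusted side is logged, then hits the DROP policy.
        run iptables -A FORWARD -i "$u" -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP-$u:"
    done
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

configure_router() {
    run ip link set dev "$WAN" up
    make_lan_bridge
    run ip addr add "$WLAN_GW" dev "$WLAN_IF"
    run ip link set dev "$WLAN_IF" up
    run ip link set dev "$TRUNK_IF" up
    add_vlan_subif "$TRUNK_IF" "$WIRED_VID" "$WIRED_VLAN_GW"
    add_vlan_subif "$TRUNK_IF" "$WIFI_VID" "$WIFI_VLAN_GW"
    firewall
}

configure_router
```

Two caveats on the "leave LAN to WLAN open" question. These rules govern only traffic the router forwards; what a wireless client can reach on the router itself (DHCP, SSH, the eBox web interface) is decided by the INPUT chain, which needs its own restriction on the wireless interface. And an open LAN-to-WLAN direction means a compromised wired host can reach every wireless client directly, while wireless clients can still only answer connections opened towards them; whether that is acceptable depends on how much you trust the wired side. After applying, `iptables -L FORWARD -v -n` shows the rule order and per-rule counters, and `ip -d link show eth4.110` confirms the VLAN ID on the tagged sub-interface.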

Yeah, that process sounds about right. You also brought up a good point about VLAN1 and why I even remember that lab to begin with (SCREW YOU HALF-BROKEN CISCO LABS! :P).

I started reading some of the dot1q stuff in my books last night and was going to make a follow up until I saw that you posted pretty much the general outline of the process. Thanks!
