VLAN with Linux and Open vSwitch: Difference between revisions

From Xinux Wiki

(8 intermediate revisions by the same user not shown)
Zeile 1: Zeile 1:
 
== Zielbeschreibung ==
 
== Zielbeschreibung ==
* Der Cisco-Port '''Ethernet1/1''' ist als '''802.1Q-Trunk''' konfiguriert.
+
{| class="wikitable"
* Der Linux-Rechner verwendet das Interface '''enp0s8'''.
+
! Port !! VLAN !! Modus
* Drei VLANs werden getaggt übertragen:
+
|-
* Ethernet1/2 und Ethernet1/3 → LAN
+
| port1 || 1 (native), 21, 22, 23 (tagged) || trunk native-untagged
* Ethernet1/4 und Ethernet1/5 → SERVER
+
|-
* Ethernet1/6 und Ethernet1/7 → MGMT
+
| port2 || 21 || access
** VLAN 1 → '''172.27.2XX.0/24''' → MGMT
+
|-
** VLAN 21 → '''10.88.2XX.0/24''' → DMZ
+
| port3 || 21 || access
** VLAN 22 → '''172.26.2XX.0/24''' → LAN
+
|-
** VLAN 23 → '''10.2XX.1.0/24''' → SERVER
+
| port4 || 21 || access
 +
|-
 +
| port5 || 21 || access
 +
|-
 +
| port6 || 21 || access
 +
|-
 +
| port7 || 21 || access
 +
|-
 +
| port8 || 21 || access
 +
|-
 +
| port9 || 21 || access
 +
|-
 +
| port10 || 22 || access
 +
|-
 +
| port11 || 22 || access
 +
|-
 +
| port12 || 22 || access
 +
|-
 +
| port13 || 22 || access
 +
|-
 +
| port14 || 23 || access
 +
|-
 +
| port15 || 23 || access
 +
|-
 +
| port16 || 23 || access
 +
|-
 +
| port17 || alle || Mirror (SPAN)
 +
|}
 +
 
 +
{| class="wikitable"
 +
! VLAN !! Netz !! Bezeichnung
 +
|-
 +
| 1 || 172.27.2XX.0/24 || MGMT
 +
|-
 +
| 21 || 10.88.2XX.0/24 || DMZ
 +
|-
 +
| 22 || 172.26.2XX.0/24 || LAN
 +
|-
 +
| 23 || 10.2XX.1.0/24 || SERVER
 +
|}
  
 
== Plan ==
 
== Plan ==
 
{{#drawio:vlan-linux-cisco}}
 
{{#drawio:vlan-linux-cisco}}
 
  
 
=== Voraussetzungen auf Debian/Linux ===
 
=== Voraussetzungen auf Debian/Linux ===
 
;VLAN-Paket installieren:
 
;VLAN-Paket installieren:
*apt install vlan
+
apt install vlan
 
;VLAN-Modul laden:
 
;VLAN-Modul laden:
*sudo modprobe 8021q
+
modprobe 8021q
 
;Modul beim Booten automatisch laden:
 
;Modul beim Booten automatisch laden:
*echo 8021q | sudo tee -a /etc/modules
+
echo 8021q | tee -a /etc/modules
 +
 
 
=== /etc/network/interfaces ===
 
=== /etc/network/interfaces ===
<pre>
+
<syntaxhighlight lang="text">
 
+
# MGMT
#MGMT
 
 
auto enp0s8
 
auto enp0s8
 
iface enp0s8 inet static
 
iface enp0s8 inet static
address 172.26.56.1/24
+
  address 172.27.2XX.1/24
  
 
+
# DMZ
#DMZ
 
 
auto enp0s8.21
 
auto enp0s8.21
 
iface enp0s8.21 inet static
 
iface enp0s8.21 inet static
address 10.88.2XX.1/24
+
  address 10.88.2XX.1/24
vlan-raw-device enp0s8  
+
  vlan-raw-device enp0s8
post-up ip rule add fwmark 0x2 lookup 100
+
  post-up ip rule add fwmark 0x2 lookup 100
post-up ip route add default via 10.88.2XX.4 table 100
+
  post-up ip route add default via 10.88.2XX.4 table 100
  
#LAN
+
# LAN
 
auto enp0s8.22
 
auto enp0s8.22
 
iface enp0s8.22 inet static
 
iface enp0s8.22 inet static
address 172.26.2XX.1/24
+
  address 172.26.2XX.1/24
vlan-raw-device enp0s8  
+
  vlan-raw-device enp0s8
  
 
+
# SERVER
#SERVER
 
 
auto enp0s8.23
 
auto enp0s8.23
 
iface enp0s8.23 inet static
 
iface enp0s8.23 inet static
address 10.2XX.1.1/24
+
  address 10.2XX.1.1/24
vlan-raw-device enp0s8  
+
  vlan-raw-device enp0s8
 +
</syntaxhighlight>
  
</pre>
+
== Zum Open vSwitch ==
 +
ssh localhost -p 2222
  
== Zum Open vSwitch ==
 
*ssh localhost -p 2222
 
 
oder im Notfall
 
oder im Notfall
*nc localhost 2222
+
nc localhost 2222
 +
 
 
;Logindaten
 
;Logindaten
 
*user: kit
 
*user: kit
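Review bot: the DMZ stanza's `post-up ip rule add fwmark 0x2 lookup 100` and `post-up ip route add default via 10.88.2XX.4 table 100` have no teardown counterparts, so every ifdown/ifup cycle leaves the old rule behind (ip rule add does not deduplicate) and the repeated route add fails with "File exists", which ifup reports as an error for enp0s8.21; add matching `pre-down ip route del default via 10.88.2XX.4 table 100` and `pre-down ip rule del fwmark 0x2 lookup 100` lines. Nothing in this revision sets fwmark 0x2 (the firewall is still a TODO item), so the policy-routing rule is inert until the firewall marks packets; a comment stating which traffic is meant to be marked and why it must leave via 10.88.2XX.4 would spare the next reader a search. The switch from <pre> to <syntaxhighlight lang="text"> and the new placeholder address 172.27.2XX.1/24, which now agrees with the MGMT network in the table, are fine.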
Zeile 63: Zeile 100:
 
*root: mit '''sudo -i'''
 
*root: mit '''sudo -i'''
  
===VLAN zuordnen===
+
=== VLAN zuordnen ===
*ovs-vsctl add-port sw0 port1 tag=1 trunks=21,22,23 vlan_mode=native-untagged
+
;Trunk
*ovs-vsctl del-port sw0 port2  tag=21
+
ovs-vsctl set port port1 tag=1 trunks=21,22,23 vlan_mode=native-untagged
*ovs-vsctl add-port sw0 port3  tag=21
+
;DMZ (VLAN 21)
*ovs-vsctl add-port sw0 port3 tag=21
+
ovs-vsctl set port port2  tag=21
*ovs-vsctl add-port sw0 port4  tag=21
+
ovs-vsctl set port port3  tag=21
*ovs-vsctl add-port sw0 port5  tag=21
+
  ovs-vsctl set port port4  tag=21
*ovs-vsctl add-port sw0 port6  tag=21
+
ovs-vsctl set port port5  tag=21
*ovs-vsctl add-port sw0 port7  tag=21
+
ovs-vsctl set port port6  tag=21
*ovs-vsctl add-port sw0 port8  tag=21
+
ovs-vsctl set port port7  tag=21
*ovs-vsctl add-port sw0 port9  tag=21
+
ovs-vsctl set port port8  tag=21
*ovs-vsctl add-port sw0 port10 tag=22
+
ovs-vsctl set port port9  tag=21
*ovs-vsctl add-port sw0 port11 tag=22
+
;LAN (VLAN 22)
*ovs-vsctl add-port sw0 port12 tag=22
+
ovs-vsctl set port port10 tag=22
*ovs-vsctl add-port sw0 port13 tag=22
+
ovs-vsctl set port port11 tag=22
*ovs-vsctl add-port sw0 port14 tag=23
+
ovs-vsctl set port port12 tag=22
*ovs-vsctl add-port sw0 port15 tag=23
+
ovs-vsctl set port port13 tag=22
*ovs-vsctl add-port sw0 port16 tag=23
+
;SERVER (VLAN 23)
=== MGMT IP ändern ===
+
ovs-vsctl set port port14 tag=23
 +
ovs-vsctl set port port15 tag=23
 +
ovs-vsctl set port port16 tag=23
 +
 
 +
=== VLAN-Interfaces anlegen ===
 +
ovs-vsctl add-port sw0 mgmt  tag=1  -- set interface mgmt  type=internal
 +
ovs-vsctl add-port sw0 dmz    tag=21 -- set interface dmz    type=internal
 +
ovs-vsctl add-port sw0 lan    tag=22 -- set interface lan    type=internal
 +
ovs-vsctl add-port sw0 server tag=23 -- set interface server type=internal
 +
 
 +
=== MGMT-IP setzen ===
 +
<syntaxhighlight lang="bash">
 +
cat >> /etc/network/interfaces << 'EOF'
 +
auto mgmt
 +
iface mgmt inet static
 +
    address 172.27.2XX.2/24
 +
    gateway 172.27.2XX.1
 +
    dns-nameservers 10.88.2XX.21
 +
    dns-search it2XX.int
 +
EOF
 +
ifup mgmt
 +
</syntaxhighlight>
 +
 
 +
== Mirror-Port konfigurieren (SPAN) ==
 +
port17 dient als Mirror-Ausgang — dort kann ein IDS oder Wireshark angeschlossen werden:
 +
<syntaxhighlight lang="bash">
 +
ovs-vsctl -- --id=@p get port port17 \
 +
          -- --id=@m create Mirror name=mirror0 \
 +
          select-vlan=1,21,22,23 \
 +
          output-port=@p \
 +
          -- set Bridge sw0 mirrors=@m
 +
</syntaxhighlight>
 +
 
 +
=== Kontrolle ===
 +
ovs-vsctl list Mirror
 +
 
 +
Erwartete Ausgabe (gekürzt):
 +
*name: mirror0
 +
*select-vlan: [1,21,22,23]
 +
*output-port: port17
 +
 
 +
=== Nutzung ===
 +
*An '''port17''' wird ein IDS oder ein Analyse-System (z. B. Wireshark/tcpdump) angeschlossen
 +
*Dort ist der gesamte Traffic der VLANs 1, 21, 22 und 23 sichtbar
 +
 
 +
== Aktivierung auf dem Linux-Host ==
 +
systemctl restart networking
 +
ip addr show
 +
 
 +
== Cheat-Sheet: ovs-vsctl ==
 +
{| class="wikitable"
 +
! Befehl !! Beschreibung
 +
|-
 +
| <code>ovs-vsctl show</code> || Gesamte OVS-Konfiguration anzeigen
 +
|-
 +
| <code>ovs-vsctl list-br</code> || Alle Bridges anzeigen
 +
|-
 +
| <code>ovs-vsctl list-ports sw0</code> || Alle Ports der Bridge sw0 anzeigen
 +
|-
 +
| <code>ovs-vsctl add-br sw0</code> || Bridge sw0 anlegen
 +
|-
 +
| <code>ovs-vsctl del-br sw0</code> || Bridge sw0 löschen
 +
|-
 +
| <code>ovs-vsctl add-port sw0 port1</code> || Port hinzufügen
 +
|-
 +
| <code>ovs-vsctl del-port sw0 port1</code> || Port löschen
 +
|-
 +
| <code>ovs-vsctl set port port1 tag=22</code> || Port in VLAN 22 setzen (Access)
 +
|-
 +
| <code>ovs-vsctl set port port1 trunks=21,22,23</code> || Trunk-VLANs setzen
 +
|-
 +
| <code>ovs-vsctl set port port1 vlan_mode=native-untagged</code> || VLAN-Modus setzen
 +
|-
 +
| <code>ovs-vsctl clear port port1 tag</code> || VLAN-Tag entfernen
 +
|-
 +
| <code>ovs-vsctl clear port port1 trunks</code> || Trunks entfernen
 +
|-
 +
| <code>ovs-vsctl list port port1</code> || Details zu einem Port anzeigen
 +
|-
 +
| <code>ovs-vsctl list interface port1</code> || Interface-Details anzeigen
 +
|-
 +
| <code>ovs-vsctl list Mirror</code> || Mirror-Konfiguration anzeigen
 +
|-
 +
| <code>ovs-vsctl clear Bridge sw0 mirrors</code> || Mirror löschen
 +
|-
 +
| <code>ovs-appctl fdb/show sw0</code> || MAC-Tabelle anzeigen
 +
|-
 +
| <code>ovs-ofctl dump-flows sw0</code> || OpenFlow-Flows anzeigen
 +
|}
  
=== TODO Anpassungen ===
+
== TODO ==
 
*Firewall
 
*Firewall
*DHCP Server
+
*DHCP-Server
*Sonst nochwas?
 
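Review bot: the mirror command `create Mirror name=mirror0 select-vlan=1,21,22,23 output-port=@p` sets none of select-all, select-src-port or select-dst-port; per the OVS schema documentation a packet is mirrored only if it enters or leaves the bridge through a selected port and is in a selected VLAN, so with select-vlan alone the IDS on port17 may receive nothing. Add `select-all=true` to the create and confirm with a capture on port17 that mirrored frames actually arrive. Two smaller points: replacing `add-port sw0 portN tag=…` with `set port portN tag=…` assumes port1 to port17 already exist on sw0 (set fails with a "no row … in table Port" error otherwise), so state that prerequisite or use `ovs-vsctl --may-exist add-port sw0 port2 tag=21`; and the expected `ovs-vsctl list Mirror` output lists `output-port: port17`, but `output_port` is a reference column and prints as the UUID of the Port row, so compare it against `ovs-vsctl get port port17 _uuid` instead of the name.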

Current revision as of 3 May 2026, 14:33

Objective

Port     VLAN                              Mode
port1    1 (native), 21, 22, 23 (tagged)   trunk native-untagged
port2    21                                access
port3    21                                access
port4    21                                access
port5    21                                access
port6    21                                access
port7    21                                access
port8    21                                access
port9    21                                access
port10   22                                access
port11   22                                access
port12   22                                access
port13   22                                access
port14   23                                access
port15   23                                access
port16   23                                access
port17   all                               Mirror (SPAN)

VLAN   Network            Name
1      172.27.2XX.0/24    MGMT
21     10.88.2XX.0/24     DMZ
22     172.26.2XX.0/24    LAN
23     10.2XX.1.0/24      SERVER

Plan

Prerequisites on Debian/Linux

Install the VLAN package
apt install vlan
Load the VLAN module
modprobe 8021q
Load the module automatically at boot
echo 8021q | tee -a /etc/modules

/etc/network/interfaces

# MGMT
auto enp0s8
iface enp0s8 inet static
  address 172.27.2XX.1/24

# DMZ
auto enp0s8.21
iface enp0s8.21 inet static
  address 10.88.2XX.1/24
  vlan-raw-device enp0s8
  post-up ip rule add fwmark 0x2 lookup 100
  post-up ip route add default via 10.88.2XX.4 table 100

# LAN
auto enp0s8.22
iface enp0s8.22 inet static
  address 172.26.2XX.1/24
  vlan-raw-device enp0s8

# SERVER
auto enp0s8.23
iface enp0s8.23 inet static
  address 10.2XX.1.1/24
  vlan-raw-device enp0s8

On the Open vSwitch

ssh localhost -p 2222

or, as a fallback,

nc localhost 2222
Login credentials
  • user: kit
  • pass: kit
  • root: via sudo -i

Assign VLANs

Trunk
ovs-vsctl set port port1 tag=1 trunks=21,22,23 vlan_mode=native-untagged
DMZ (VLAN 21)
ovs-vsctl set port port2  tag=21
ovs-vsctl set port port3  tag=21
ovs-vsctl set port port4  tag=21
ovs-vsctl set port port5  tag=21
ovs-vsctl set port port6  tag=21
ovs-vsctl set port port7  tag=21
ovs-vsctl set port port8  tag=21
ovs-vsctl set port port9  tag=21
LAN (VLAN 22)
ovs-vsctl set port port10 tag=22
ovs-vsctl set port port11 tag=22
ovs-vsctl set port port12 tag=22
ovs-vsctl set port port13 tag=22
SERVER (VLAN 23)
ovs-vsctl set port port14 tag=23
ovs-vsctl set port port15 tag=23
ovs-vsctl set port port16 tag=23

Create VLAN interfaces

ovs-vsctl add-port sw0 mgmt   tag=1  -- set interface mgmt   type=internal
ovs-vsctl add-port sw0 dmz    tag=21 -- set interface dmz    type=internal
ovs-vsctl add-port sw0 lan    tag=22 -- set interface lan    type=internal
ovs-vsctl add-port sw0 server tag=23 -- set interface server type=internal

Set the MGMT IP

cat >> /etc/network/interfaces << 'EOF'
auto mgmt
iface mgmt inet static
    address 172.27.2XX.2/24
    gateway 172.27.2XX.1
    dns-nameservers 10.88.2XX.21
    dns-search it2XX.int
EOF
ifup mgmt

Configure the mirror port (SPAN)

port17 serves as the mirror output; an IDS or Wireshark can be attached there:

ovs-vsctl -- --id=@p get port port17 \
          -- --id=@m create Mirror name=mirror0 \
          select-vlan=1,21,22,23 \
          output-port=@p \
          -- set Bridge sw0 mirrors=@m
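The per-port tag assignments and the mirror definition above are seventeen hand-typed ovs-vsctl commands whose VLAN ids must agree with each other and with the trunk. The following shell script is an added example, not code from the wiki page or from Open vSwitch: it keeps the page's port-to-VLAN plan in one table, checks that plan for the mistakes that silently break segmentation (an access VLAN not carried on the trunk, a port assigned twice, the trunk or mirror port reused as an access port) or blind the IDS (a VLAN missing from the mirror's select-vlan list), and then prints the ovs-vsctl commands. Bridge sw0, port1 to port17 and the VLAN ids come from the page; the plan format and the function names are this script's own, and so is the `select-all=true` it adds to the mirror, which follows the OVS schema rule that select-vlan only narrows traffic already selected by select-all, select-src-port or select-dst-port (an assumption to confirm against your OVS version).

```shell
#!/bin/sh
# Added example (not the wiki page's own code): generate the ovs-vsctl commands
# for the port plan from a single table and check that plan for errors that
# silently break segmentation or the IDS mirror.
# Bridge sw0, port1..port17 and the VLAN ids are from the page; the plan
# format and the functions below are this script's own convention.

BRIDGE=sw0
TRUNK_PORT=port1
NATIVE_VLAN=1
TRUNK_VLANS=21,22,23          # tagged VLANs carried on the trunk
MIRROR_PORT=port17
MIRROR_VLANS=1,21,22,23       # VLANs the IDS on port17 must see

# Access ports, "<port> <vlan>" per line (the page's plan).
ACCESS_PLAN='port2 21
port3 21
port4 21
port5 21
port6 21
port7 21
port8 21
port9 21
port10 22
port11 22
port12 22
port13 22
port14 23
port15 23
port16 23'

# True when $1 is an element of the comma-separated list $2.
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# Print the ovs-vsctl commands for trunk, access ports and mirror (one per line).
# select-all=true is this example's addition (assumption, see the lead-in):
# select-vlan only narrows what select-all/select-src-port/select-dst-port chose.
gen_commands() {
    echo "ovs-vsctl set port $TRUNK_PORT tag=$NATIVE_VLAN trunks=$TRUNK_VLANS vlan_mode=native-untagged"
    printf '%s\n' "$ACCESS_PLAN" | while read -r port vlan; do
        echo "ovs-vsctl set port $port tag=$vlan"
    done
    echo "ovs-vsctl -- --id=@p get port $MIRROR_PORT" \
         "-- --id=@m create Mirror name=mirror0 select-all=true" \
         "select-vlan=$MIRROR_VLANS output-port=@p -- set Bridge $BRIDGE mirrors=@m"
}

# Plan checks: one line per finding, return 1 if anything must be fixed.
check_plan() {
    bad=0
    seen=" "
    old_ifs=$IFS
    IFS='
'
    for entry in $ACCESS_PLAN; do
        port=${entry%% *}
        vlan=${entry##* }
        if [ "$port" = "$TRUNK_PORT" ] || [ "$port" = "$MIRROR_PORT" ]; then
            echo "ERROR: $port is the trunk/mirror port and cannot be an access port"; bad=1
        fi
        case "$seen" in *" $port "*) echo "ERROR: $port is assigned twice"; bad=1 ;; esac
        seen="$seen$port "
        # an access VLAN not on the trunk is an island: its hosts never reach the router
        in_list "$vlan" "$TRUNK_VLANS" || { echo "ERROR: VLAN $vlan ($port) is not carried on $TRUNK_PORT"; bad=1; }
        # an access VLAN not in the mirror list is a blind spot for the IDS
        in_list "$vlan" "$MIRROR_VLANS" || { echo "ERROR: VLAN $vlan ($port) is not mirrored to $MIRROR_PORT"; bad=1; }
    done
    IFS=$old_ifs
    in_list "$NATIVE_VLAN" "$MIRROR_VLANS" || { echo "ERROR: native VLAN $NATIVE_VLAN is not mirrored"; bad=1; }
    # a trunk VLAN with no access port is dead weight: prune it instead of carrying it
    for v in $(printf '%s' "$TRUNK_VLANS" | tr ',' ' '); do
        printf '%s\n' "$ACCESS_PLAN" | awk -v v="$v" '$2 == v { found = 1 } END { exit !found }' \
            || echo "NOTE: $TRUNK_PORT carries VLAN $v but no access port uses it"
    done
    return $bad
}

case "${1:-}" in
    check) check_plan ;;
    gen)   check_plan >/dev/null && gen_commands ;;
esac
```

Saved as, say, ovs-plan.sh, `sh ovs-plan.sh check` prints the findings and `sh ovs-plan.sh gen` prints the commands only once the plan is clean; the commands are printed rather than executed, so they can be reviewed before being run as root on the switch.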

Verification

ovs-vsctl list Mirror

Expected output (abridged):

  • name: mirror0
  • select-vlan: [1,21,22,23]
  • output-port: port17

Usage

  • An IDS or an analysis system (e.g. Wireshark/tcpdump) is attached to port17
  • All traffic on VLANs 1, 21, 22 and 23 is visible there

Activation on the Linux host

systemctl restart networking
ip addr show
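`ip addr show` only confirms that addresses were assigned; it does not show whether enp0s8.21 really carries 802.1Q id 21, or whether the DMZ policy-routing rule from the interfaces file above is in place. The following shell script is an added example, not code from the wiki page: it parses `ip -d link show` (which prints `vlan protocol 802.1Q id N` for every VLAN subinterface) and `ip rule show`, and compares the result with the interface plan. The interface names, VLAN ids and the fwmark 0x2 / table 100 rule come from the page; the function names are this script's own, and the two sample outputs at the bottom are constructed for the example, with enp0s8.23 deliberately mis-tagged (id 32 instead of 23) so the check has something to find.

```shell
#!/bin/sh
# Added example (not the wiki page's own code): after `systemctl restart
# networking`, confirm that the kernel created the 802.1Q subinterfaces from
# /etc/network/interfaces with the planned VLAN ids, and that the DMZ
# policy-routing rule (fwmark 0x2 -> table 100) is installed.
# The checks parse the text output of `ip -d link show` and `ip rule show`,
# so they can also run offline against the constructed samples at the bottom.
# Interface and VLAN names come from the page; the function names are this
# script's own.

# Plan from the page: "<subinterface> <parent> <vlan-id>" per line.
VLAN_PLAN='enp0s8.21 enp0s8 21
enp0s8.22 enp0s8 22
enp0s8.23 enp0s8 23'

# stdin: `ip -d link show` output; stdout: "<name> <parent> <vlan-id>" per VLAN link.
parse_vlan_links() {
    awk '
        /^[0-9]+: / {      # interface header, e.g. "3: enp0s8.21@enp0s8: <...>"
            name = ""; parent = ""
            if ($2 ~ /@/) { split($2, f, "@"); name = f[1]; parent = f[2]; sub(/:$/, "", parent) }
            next
        }
        name != "" && /vlan protocol 802\.1Q id [0-9]+/ {   # detail line of a VLAN link
            for (i = 1; i <= NF; i++) if ($i == "id") { print name, parent, $(i + 1); break }
        }'
}

# stdin: `ip -d link show` output. Prints one line per deviation from VLAN_PLAN and
# returns 1 if there is any (missing link, wrong parent or id, unplanned VLAN link).
check_vlan_links() {
    actual=$(parse_vlan_links)
    bad=0
    old_ifs=$IFS
    IFS='
'
    for want in $VLAN_PLAN; do
        printf '%s\n' "$actual" | grep -qxF "$want" \
            || { echo "PLAN NOT MET: $want"; bad=1; }
    done
    for got in $actual; do
        printf '%s\n' "$VLAN_PLAN" | grep -qxF "$got" \
            || { echo "UNPLANNED VLAN LINK: $got"; bad=1; }
    done
    IFS=$old_ifs
    return $bad
}

# stdin: `ip rule show` output. True when the DMZ policy-routing rule exists.
check_fwmark_rule() {
    grep -Eq '^[0-9]+:[[:space:]]+from all fwmark 0x2 lookup 100'
}

# Live audit on the host (needs iproute2, run after `systemctl restart networking`).
audit_host() {
    ip -d link show | check_vlan_links && echo "OK: VLAN links match the plan"
    if ip rule show | check_fwmark_rule; then
        echo "OK: fwmark 0x2 -> table 100 rule present"
    else
        echo "MISSING: fwmark 0x2 -> table 100 rule"
    fi
}

# Constructed sample output (not captured from the page's host); enp0s8.23
# carries VLAN 32 instead of 23, the kind of typo the check must catch.
SAMPLE_LINKS='2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:11:22:33 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
3: enp0s8.21@enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:11:22:33 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 21 <REORDER_HDR> addrgenmode eui64 numtxqueues 1 numrxqueues 1
4: enp0s8.22@enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:11:22:33 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 22 <REORDER_HDR> addrgenmode eui64 numtxqueues 1 numrxqueues 1
5: enp0s8.23@enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:11:22:33 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 32 <REORDER_HDR> addrgenmode eui64 numtxqueues 1 numrxqueues 1'

# Constructed `ip rule show` sample with the DMZ rule present.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x2 lookup 100
32766:  from all lookup main
32767:  from all lookup default'

case "${1:-}" in
    demo)
        printf '%s\n' "$SAMPLE_LINKS" | check_vlan_links
        printf '%s\n' "$SAMPLE_RULES" | check_fwmark_rule && echo "fwmark 0x2 rule present in sample"
        ;;
    audit) audit_host ;;
esac
```

Saved as, say, vlan-audit.sh, `sh vlan-audit.sh demo` runs the checks on the constructed sample (and reports the mis-tagged enp0s8.23), while `sh vlan-audit.sh audit` runs them against the live host.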

Cheat sheet: ovs-vsctl

Command                                               Description
ovs-vsctl show                                        Show the whole OVS configuration
ovs-vsctl list-br                                     List all bridges
ovs-vsctl list-ports sw0                              List all ports of bridge sw0
ovs-vsctl add-br sw0                                  Create bridge sw0
ovs-vsctl del-br sw0                                  Delete bridge sw0
ovs-vsctl add-port sw0 port1                          Add a port
ovs-vsctl del-port sw0 port1                          Delete a port
ovs-vsctl set port port1 tag=22                       Put the port into VLAN 22 (access)
ovs-vsctl set port port1 trunks=21,22,23              Set the trunk VLANs
ovs-vsctl set port port1 vlan_mode=native-untagged    Set the VLAN mode
ovs-vsctl clear port port1 tag                        Remove the VLAN tag
ovs-vsctl clear port port1 trunks                     Remove the trunks
ovs-vsctl list port port1                             Show details of one port
ovs-vsctl list interface port1                        Show interface details
ovs-vsctl list Mirror                                 Show the mirror configuration
ovs-vsctl clear Bridge sw0 mirrors                    Delete the mirror
ovs-appctl fdb/show sw0                               Show the MAC table
ovs-ofctl dump-flows sw0                              Show the OpenFlow flows

TODO

  • Firewall
  • DHCP server