VLAN with Linux and Open vSwitch: Difference between revisions
Current revision as of 3 May 2026, 14:33
Target description
| Port | VLAN | Mode |
|---|---|---|
| port1 | 1 (native), 21, 22, 23 (tagged) | trunk native-untagged |
| port2 | 21 | access |
| port3 | 21 | access |
| port4 | 21 | access |
| port5 | 21 | access |
| port6 | 21 | access |
| port7 | 21 | access |
| port8 | 21 | access |
| port9 | 21 | access |
| port10 | 22 | access |
| port11 | 22 | access |
| port12 | 22 | access |
| port13 | 22 | access |
| port14 | 23 | access |
| port15 | 23 | access |
| port16 | 23 | access |
| port17 | all | Mirror (SPAN) |
| VLAN | Network | Name |
|---|---|---|
| 1 | 172.27.2XX.0/24 | MGMT |
| 21 | 10.88.2XX.0/24 | DMZ |
| 22 | 172.26.2XX.0/24 | LAN |
| 23 | 10.2XX.1.0/24 | SERVER |
Plan
Prerequisites on Debian/Linux
- Install the VLAN package
apt install vlan
- Load the VLAN module
modprobe 8021q
- Load the module automatically at boot
echo 8021q | tee -a /etc/modules
/etc/network/interfaces
# MGMT
auto enp0s8
iface enp0s8 inet static
address 172.27.2XX.1/24
# DMZ
auto enp0s8.21
iface enp0s8.21 inet static
address 10.88.2XX.1/24
vlan-raw-device enp0s8
post-up ip rule add fwmark 0x2 lookup 100
post-up ip route add default via 10.88.2XX.4 table 100
# LAN
auto enp0s8.22
iface enp0s8.22 inet static
address 172.26.2XX.1/24
vlan-raw-device enp0s8
# SERVER
auto enp0s8.23
iface enp0s8.23 inet static
address 10.2XX.1.1/24
vlan-raw-device enp0s8
Connecting to the Open vSwitch
ssh localhost -p 2222
or, in an emergency,
nc localhost 2222
- Login credentials
- user: kit
- pass: kit
- root: via sudo -i
Assign VLANs
- Trunk
ovs-vsctl set port port1 tag=1 trunks=21,22,23 vlan_mode=native-untagged
- DMZ (VLAN 21)
ovs-vsctl set port port2 tag=21
ovs-vsctl set port port3 tag=21
ovs-vsctl set port port4 tag=21
ovs-vsctl set port port5 tag=21
ovs-vsctl set port port6 tag=21
ovs-vsctl set port port7 tag=21
ovs-vsctl set port port8 tag=21
ovs-vsctl set port port9 tag=21
- LAN (VLAN 22)
ovs-vsctl set port port10 tag=22
ovs-vsctl set port port11 tag=22
ovs-vsctl set port port12 tag=22
ovs-vsctl set port port13 tag=22
- SERVER (VLAN 23)
ovs-vsctl set port port14 tag=23
ovs-vsctl set port port15 tag=23
ovs-vsctl set port port16 tag=23
Create VLAN interfaces
ovs-vsctl add-port sw0 mgmt tag=1 -- set interface mgmt type=internal
ovs-vsctl add-port sw0 dmz tag=21 -- set interface dmz type=internal
ovs-vsctl add-port sw0 lan tag=22 -- set interface lan type=internal
ovs-vsctl add-port sw0 server tag=23 -- set interface server type=internal
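The following shell script is an added example; it is not part of the wiki page and not code shipped with Open vSwitch. It turns the target table above into a single transactional ovs-vsctl call and audits the switch's actual port table against that plan. It assumes the bridge name sw0 and the port/VLAN assignments from the page; the function names (plan_to_cmd, dump_state, audit_ports), the one-line-per-port dump format and the sample state are constructions of this example. The audit goes one step beyond the page's commands: a port that has neither a tag nor trunks is reported separately, because Open vSwitch treats such a port as a trunk carrying every VLAN, so a stray "clear port portN tag" silently gives that port reach into DMZ, LAN and SERVER at once. port17 is exempted because a Mirror output_port is reserved for mirrored frames and receives no normal traffic.

```shell
#!/bin/sh
# Added example (not from the wiki page): render the target table as one
# transactional ovs-vsctl call and audit the live port table against it.
# Assumed from the page: bridge sw0 and the port/VLAN plan. The function
# names, the dump line format and SAMPLE_STATE are constructions of this example.

# Target state: port, tag, trunks ("-" = none), vlan_mode ("-" = OVS default).
# port17 is marked "mirror": it is the Mirror output_port, which OVS reserves
# for mirrored frames, so it is intentionally left untagged.
PLAN='
port1  1  21,22,23 native-untagged
port2  21 - -
port3  21 - -
port4  21 - -
port5  21 - -
port6  21 - -
port7  21 - -
port8  21 - -
port9  21 - -
port10 22 - -
port11 22 - -
port12 22 - -
port13 22 - -
port14 23 - -
port15 23 - -
port16 23 - -
port17 mirror - -
'

# Print one ovs-vsctl invocation. Each set/clear is joined with "--", so the
# whole plan is committed as a single OVSDB transaction; if any part is
# rejected, nothing is applied and the switch is never left half-configured.
# Stale trunks/vlan_mode values on access ports are cleared explicitly.
plan_to_cmd() {
    printf '%s\n' "$PLAN" | awk '
        NF == 4 && $2 != "mirror" {
            cmd = cmd " -- set port " $1 " tag=" $2
            if ($3 != "-") cmd = cmd " trunks=" $3
            if ($4 != "-") cmd = cmd " vlan_mode=" $4
            clr = ""
            if ($3 == "-") clr = clr " trunks"
            if ($4 == "-") clr = clr " vlan_mode"
            if (clr != "") cmd = cmd " -- clear port " $1 clr
        }
        END { print "ovs-vsctl" cmd }'
}

# Collect the live state, one line per port: <port> <tag> <trunks>
# e.g. "port1 1 [21,22,23]" or "port5 [] []" (needs a running ovs-vsctl).
dump_state() {
    for p in $(ovs-vsctl list-ports sw0); do
        printf '%s %s %s\n' "$p" "$(ovs-vsctl get port "$p" tag)" \
            "$(ovs-vsctl get port "$p" trunks | tr -d ' ')"
    done
}

# Compare a state dump (stdin) with PLAN. A port with neither tag nor trunks
# is reported as IMPLICIT_TRUNK rather than a plain mismatch: OVS treats it as
# a trunk for all VLANs, so "ovs-vsctl clear port portN tag" quietly gives
# that port reach into DMZ, LAN and SERVER at once.
audit_ports() {
    { printf '%s\n' "$PLAN"; echo '#ACTUAL'; cat; } | awk '
        /^#ACTUAL$/ { actual = 1; next }
        !actual && NF == 4 { want_tag[$1] = $2; want_tr[$1] = $3; next }
        actual && NF == 3 {
            seen[$1] = 1
            tr = $3; gsub(/[^0-9,]/, "", tr)
            if (($1 in want_tag) && want_tag[$1] == "mirror") next
            if ($2 == "[]" && tr == "") { print "IMPLICIT_TRUNK " $1; next }
            if (!($1 in want_tag)) { print "UNPLANNED " $1 " tag=" $2 " trunks=" $3; next }
            if ($2 != want_tag[$1]) { print "MISMATCH " $1 " expected tag " want_tag[$1] " got " $2; next }
            wt = (want_tr[$1] == "-") ? "" : want_tr[$1]
            if (tr != wt) print "MISMATCH " $1 " expected trunks " want_tr[$1] " got " $3
        }
        END { for (p in want_tag) if (!(p in seen)) print "MISSING " p }'
}

# Constructed sample dump (not captured from a real switch): port3 is in the
# wrong VLAN and port5 lost its tag, e.g. after "ovs-vsctl clear port port5 tag".
SAMPLE_STATE='port1 1 [21,22,23]
port2 21 []
port3 22 []
port5 [] []
port17 [] []'

echo "Transaction to apply:"; plan_to_cmd
echo "Audit of sample state:"; printf '%s\n' "$SAMPLE_STATE" | audit_ports
```

Only dump_state needs a live switch; the audit runs on any dump in that format, which is why the block ends by checking the constructed sample. On the real switch the check is `dump_state | audit_ports`, and the printed transaction can be executed verbatim once reviewed. Ports that appear as MISSING are simply absent from the bridge, which is also worth a look, since a port later added with `ovs-vsctl add-port sw0 portN` and no tag starts life as an all-VLAN trunk.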
Set the MGMT IP
cat >> /etc/network/interfaces << 'EOF'
auto mgmt
iface mgmt inet static
address 172.27.2XX.2/24
gateway 172.27.2XX.1
dns-nameservers 10.88.2XX.21
dns-search it2XX.int
EOF
ifup mgmt
Configure the mirror port (SPAN)
port17 serves as the mirror output; an IDS or Wireshark can be attached there:
ovs-vsctl -- --id=@p get port port17 \
-- --id=@m create Mirror name=mirror0 \
select-vlan=1,21,22,23 \
output-port=@p \
-- set Bridge sw0 mirrors=@m
Check
ovs-vsctl list Mirror
Expected output (abridged):
- name: mirror0
- select-vlan: [1,21,22,23]
- output-port: port17
Usage
- An IDS or an analysis system (e.g. Wireshark/tcpdump) is attached to port17
- All traffic of VLANs 1, 21, 22 and 23 is visible there
Activation on the Linux host
systemctl restart networking
ip addr show
Cheat sheet: ovs-vsctl
| Command | Description |
|---|---|
| ovs-vsctl show | Show the entire OVS configuration |
| ovs-vsctl list-br | List all bridges |
| ovs-vsctl list-ports sw0 | List all ports of bridge sw0 |
| ovs-vsctl add-br sw0 | Create bridge sw0 |
| ovs-vsctl del-br sw0 | Delete bridge sw0 |
| ovs-vsctl add-port sw0 port1 | Add a port |
| ovs-vsctl del-port sw0 port1 | Delete a port |
| ovs-vsctl set port port1 tag=22 | Put the port in VLAN 22 (access) |
| ovs-vsctl set port port1 trunks=21,22,23 | Set the trunk VLANs |
| ovs-vsctl set port port1 vlan_mode=native-untagged | Set the VLAN mode |
| ovs-vsctl clear port port1 tag | Remove the VLAN tag |
| ovs-vsctl clear port port1 trunks | Remove the trunks |
| ovs-vsctl list port port1 | Show details of a port |
| ovs-vsctl list interface port1 | Show interface details |
| ovs-vsctl list Mirror | Show the mirror configuration |
| ovs-vsctl clear Bridge sw0 mirrors | Delete the mirror |
| ovs-appctl fdb/show sw0 | Show the MAC table |
| ovs-ofctl dump-flows sw0 | Show the OpenFlow flows |
TODO
- Firewall
- DHCP server
