Vlans, 802.1q or dot1q with cisco.

Contributed by jose on 2003-02-25 from the management- dept.

David writes:

"This is a just a quick note/tutorial on using OpenBSD with 802.1q. I have an OpenBSD3.1 firewall, the external port plugged into a VLAN that is not on a trunk port, and the internal interface pluged into a trunk port. Here are the configs for my Cisco Catalyst 2924. Keep in mind that 802.1q only works on the "Enterprise" load with 8 megs of memory, found this out the hard way by first getting a really old but cheap catalyst (around $300).
So here goes--
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-4,10,1002-1005
 switchport mode trunk
 spanning-tree portfast
 no cdp enable
!
Then the corisponding ports for that vlan.
interface FastEthernet0/22
 switchport access vlan 10
 spanning-tree portfast
 no cdp enable
!
Now for the OpenBSD configs...
ifconfig vlan0 192.168.2.1 vlan 10 vlandev fxp1
or edit /etc/hostname.vlan0 and put in
192.168.2.1 vlan 10 vlandev fxp1
Then add vlan0 to your /etc/dhcpd.interfaces file and then add that network to your /etc/dhcpd.conf file. Also add it to /etc/pf.conf for what you want that vlan to have access to.
The reason I wanted to do this is that I have a small PC (only one PCI slot) and wanted physical seperation between networks. I live in a 4-plex and I give my neighbors internet access. Now I can control what servers (if any) they have access to. This is very simple, but I didn't find a lot of documentation on it, so I hope this helps people in future setups.
The funny thing about this is that I remember when only really expensive equipment could do this type of setup.
Have fun! David"

Thanks for the tip, David! Always good to show people how to use OpenBSD features.

(Comments are closed)

Comments

By djm () on 2003-02-25 04:43

Make sure you read http://www.sans.org/rr/switchednet/switch_security.php

It may also be worthwhile to track -current as there have been some VLAN bugs fixed recently.
Comments
1. By David () dave@nospam.drstrangelove.net on 2003-02-26 20:16 mailto:dave@nospam.drstrangelove.net
  
  Indeed be careful!
  
  Several things that could help is create access lists for the icky "telnet" ports, and shut off the webserver and the snmp server.
  
  You can do so by doing...
  
  ip telnet source-interface vlan4
  no ip http server
  no snmp-server
  
  line vty 0 4
  access-class 10 in
  access-class 1 out
  
  access-list 1 deny any
  access-list 10 permit 10.0.0.30
  access-list 10 deny any
  
  I will have to do some stress testing to see if the switch will drop the structure of the Vlans when pounded on, as I am thinking about doing this for DefCon...
By iGsys (80.229.197.105) on 2005-04-16 01:01

This is just what i have been looking for, for the last 2 hours, thanks.

Latest Articles

Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (12)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (2)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)
Fri, Mar 08
- 06:46 OpenBGPD 8.4 released (0)
Mon, Mar 04
- 06:32 rpki-client 9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]