Chinaunix首页 | 论坛 | 博客
  • 博客访问: 662822
  • 博文数量: 156
  • 博客积分: 4833
  • 博客等级: 上校
  • 技术积分: 1554
  • 用 户 组: 普通用户
  • 注册时间: 2007-05-21 19:36
文章分类

全部博文(156)

文章存档

2016年(2)

2013年(1)

2012年(13)

2011年(30)

2010年(46)

2009年(29)

2008年(23)

2007年(12)

分类: LINUX

2010-08-14 21:59:35

HowTo: VLAN's and Bridging through network-scripts


The methods shown below work on CentOS and other Fedora or RHEL-like Linux systems that have the directory /etc/sysconfig/network-scripts with ifcfg-eth# files that define the network card configuration on startup.


Bridging

What is a bridge?

A bridge acts just like a having an ethernet switch connected across two ethernet cards (NIC). Packets can flow in any direction as needed, intelligently, based on what MAC addresses are present on each network. What that means is that packets will only be echoed (or bridged across) to the other interface when that destination MAC address is on network (this is the same functionality provided by an ethernet switch, rather than an ethernet hub). An exception is made when a destination MAC is used that is unknown, or it is a broadcast address, in which case the packet is echoed on every interface.

Why construct a bridge?

Usually the reason for creating a bridge between two ethernet networks is because they are separate types of networks, like one being a wireless interface. This allows someone connected to the wireless to be virtually connected to the same network as wired users. All WiFi Access Points (AP's) have this bridge function built-in (WiFi routers also use an internal bridge between the LAN ethernet ports and the WiFi network).

It can also be handy to use two ethernet cards in one computer as bridge where you need an extra connection but don't want to buy a switch just to accomplish that. An extra 100bt ethernet card at $10 is cheaper than buying a $30 5-port switch, and runs off the computer instead of having an extra wall-bug for power. Of course, you have to keep the computer on all the time.

Another reason is to make it easier to sniff (view with packet decoder tool) all the packets going to a device you're trying to test or diagnose.

Finally, you can also manage the priority and thus QOS (Quality Of Service) of the connection between the interfaces. This is very useful for VoIP.

One issue with using a bridge though, is that both ethernet cards are put into "promiscuous" mode, meaning that all traffic on either network interface is received and processed by the linux kernel (not just packets meant for you as would otherwise happen). This can put an extra load on the machine, and slow down other programs you may be running on it. However, with a modern machine (basically anything 1ghz or more) or with lesser than the full 100mbit bandwidth such as when web browsing through a DSL modem, the extra CPU load to operate the bridge will hardly be noticed, even while playing Tux Racer. And since bridging runs in the kernel, your applications shouldn't slow down the packets.

How to configure a bridge in network-scripts

The first step is to make sure that you have the brctl utility installed (before you start making changes to the network and loose your internet connection). This can be done through any package manager method to insure that bridge-utils is installed, or by using the command yum install bridge-utils

The next step is to identify which two ethernet interfaces you want to bridge. I'm assuming here that you already have linux installed along with whatever ethernet interfaces you want to use. In these examples, I will assume you are using eth0 and eth1, although any other device you can use ifconfig on will work. I also presume that you know how to cd to directories and edit text files (like with vi) from a shell prompt in linux. If not, go get a book on linux and learn that first.

So in the /etc/sysconfig/network-scripts directory, you should see among other files the ifcfg-eth0 and ifcfg-eth1 files (again substitute your device for the eth# in these examples). Edit these and make sure to remove any lines specifying IPADDR, NETMASK, GATEWAY, or BOOTPROTO values. These are not needed for a bridge, since a separate bridged device is created later to have an IP address. For each of these files, make sure to change or add >, and add a line BRIDGE=br0 to specify the bridge device. You can substitute something other name for br0, but make sure it's the same for all devices. If you want a third or more device in your bridge, edit those icfg-eth# files the same way.

Your ifcfg-eth0 and eth1 files should now look like this (your HWADDR value will be different, don't change it):

ifcfg-eth0

DEVICE=eth0

TYPE=Ethernet

HWADDR=##:##:##:##:##:##

>

BRIDGE=br0


ifcfg-eth1

DEVICE=eth1

TYPE=Ethernet

WADDR=##:##:##:##:##:##

>

BRIDGE=br0

Then create a file ifcfg-br0 for the bridge device br0. There are two examples shown below, one for static IP address, and one for DHCP assigned IP address (use only one). If you choose the static option, put in your own values for the IP addresses, and make sure that you have put the correct DNS servers in the /etc/resolv.conf file (DHCP does this for you).

ifcfg-br0 (static)

DEVICE=br0

TYPE=Bridge

>

BOOTPROTO=static

IPADDR=1.2.3.4

NETMASK=255.255.255.0

GATEWAY=1.2.3.1

DELAY=0

STP=off


ifcfg-br0 (DHCP)

DEVICE=br0

TYPE=Bridge

>

BOOTPROTO=dhcp

DELAY=0

STP=off

Once these files have been properly configured, you can reboot the computer, or, issue a service network restart command on the shell console to cause the network to be reconfigured using the new settings. To insure that the bridge has been properly configured, use the command brctl show to see what bridges exist and what interfaces are attached to them. If your bridge didn't get configured at all, and brctl command gives you an error that it's not found, you need to install the bridge utility package by using the command yum install bridge-utils and then restart the network again.



VLAN's

What is a VLAN?

VLAN is short for Virtual LAN (where LAN is short for Local Area Network). The virtual lan is pretty much what is sounds like - a virtual seperate network, but across the same physical network. Confused? Okay, think of it like separate conference rooms. Some computers are plugged into conference room A and can chat, some into conference B and can chat, but A and B can't hear each other. Now do this in the same room, by saying A or B before everything you have to say. That's a virtual lan. All the computers are on the same switch, but ignore the ones that aren't talking with their same virtual lan "network id" number.

Why would you use a VLAN?

VLAN's are useful to set up a separate network to isolate some computers from others, without actually having to have separate cabling and ethernet switches. Intelligent switches can do this on their own, without need for the computer or other gear to know itself what VLAN it's on (this is called port-based VLAN, since it's assigned by port of the switch). Another common use is to put specialized devices like VoIP Phones on a separate network for easier configuration, administration, security, or quality of service.

How to create a VLAN in network-scripts

First, make sure that the vconfig package is installed via the command yum install vconfig. In CentOS distributions it's in the base, so it's probably already there.

Next, go to the /etc/sysconfig/network-scripts directory and decide which eth# device you're going to add a VLAN to. Note that the VLAN device will run alongside (in parallel to, at the same time) as the original eth# device, so there is no need to change your existing configuration.

So assuming we're going to add a VLAN interface to eth0, and that the VLAN ID we want to use is 2 (it can be anything from 2 to 4096). We're also going to assume that everything is static (if you want to use DHCP see the section on bridges for what you change). To get started easily, just copy the ifcfg-eth0 file to ifcfg-eth0.2 and edit it. Change the DEVICE entry to match the filename, add a VLAN=yes line, and modify the IPADDR, NETMASK, and GATEWAY entries as necessary to specify a different network. The GATEWAY entry is not necessary if it's an isolated network without Internet access. If this Linux box is providing DHCP for the network, you'll need to add a matching entry in /etc/dhcpd.conf.

ifcfg-eth0.2

DEVICE=eth0.2

VLAN=yes

TYPE=Ethernet

HWADDR=##:##:##:##:##:##

>

BOOTPROTO=static

IPADDR=1.2.3.4

NETMASK=255.255.255.0

GATEWAY=1.2.3.1

That's pretty much it. Reboot the machine or run service network restart to reload the network configuration. You should see the interface eth0.2 listed if you issue a ifconfig command. Remember that any other device must be configured with the same VLAN ID before it's packets will arrive on this interface. Also, be aware that this only works on local LAN and through switches (it won't go through an IP Router, or be carried through the Internet, since the VLAN codes are in the Ethernet packet header). Lastly, some intelligent switches may ignore or strip off all packets with VLAN codes other than what they expect to see, so if you have problems test with a "dumb" switch.

Bridging over VLAN's

What?

As if you weren't confused enough already, now let's combine the two concepts and create a bridge across a VLAN. That would be a bridge between two ethernet interfaces, where one is a real ethernet card in the PC (or a wifi, or some other regular type of ethernet interface), and the other will be a VLAN interface.

Why?

Let's say you have a piece of equipment which by itself doesn't know how to talk VLAN -but you want to connect it to a VLAN. By constructing a bridge between a "normal" and a "VLAN" ethernet interface, the Linux computer will add and remove the VLAN headers on behalf of any other device(s) plugged into the "normal" card. 

How?

Okay, now for the tricky part. It takes a slight modification of the procedures above.  For this example, let's presume we have an ethernet interface eth0 connected to the network where a VLAN id 2 is present, and we have a device or devices on eth1 that need to be bridged into that VLAN 2. 

Go ahead and first construct the VLAN interface like we did before (copy ifcfg-eth#, change DEVICE, add VLAN=yes), except also remove the BOOTPROTO, IPADDR, NETMASK, and GATEWAY lines if present.  Add a line BRIDGE=br2 (or a different named bridge device of your choice).


ifcfg-eth0.2

DEVICE=eth0.2

VLAN=yes

TYPE=Ethernet

HWADDR=##:##:##:##:##:##

>

BRIDGE=br2 

Then edit the ifcfg-eth1 file and make the same changes (remove BOOTPROTO, IPADDR, NETMASK, GATEWAY, add BRIDGE=br2).


ifcfg-eth1

DEVICE=eth1

TYPE=Ethernet

WADDR=##:##:##:##:##:##

>

BRIDGE=br2

Now create one last interface to tie them together (the bridge).  Because of the order in which the interfaces come up, it's probably best to use only the static method to prevent the DHCP client from having errors.  Of course, put your own values in for the IP addresses, and make sure that the bridge name matches the interfaces.

ifcfg-br2 (static)

DEVICE=br2

TYPE=Bridge

>

BOOTPROTO=static

IPADDR=1.2.3.4

NETMASK=255.255.255.0

GATEWAY=1.2.3.1

DELAY=0

STP=off


And that's it.  Use the command service network restart to cause the network to be reloaded, and you should see eth1 interface tied to the VLAN2 network.  Also, the Linux box will be connected to the VLAN2 on the IP address specified, at the same time that it's connected to eth1 on a separate address.

Manual Routes on VLANs

What?

Sometimes when you have a subnet accessible from an interface that is not along the default gateway (such as a group of private routed subnets in 10.x.y.z), you need to add a manual route.

Say for example vlan 2 is on 10.1.0.0/16 and has a router on 10.1.1.1 that also serves 10.2.0.0/16.  You cant put a GATEWAY=10.1.1.1 in the ifcfg-eth0.2 file, since that will (potentially) override the GATEWAY setting in ifcfg-eth0 that reaches the Internet (i.e. you'd be able to reach 10.2.x.x but not google.com).  The solution is to specify manually a route that directs only the 10.2.0.0/16 subnet to the gateway 10.1.1.1 like this:


route-eth0.2

10.2.0.0/16 via 10.1.1.1


It couldn't be easier than that.  Do a service network restart to reload the new route specified in the file.

阅读(1420) | 评论(0) | 转发(0) |
0

上一篇:绑定网口

下一篇:Linux 多网卡同IP段解决

给主人留下些什么吧!~~