From: Manuel D. <man...@te...> - 2007-03-17 08:50:06

Lonnie,

Really very interesting and useful, all your experiences. I will make something similar using a Linksys switch and Thomson ST2030 phones. I would like to have 2 different VLANs, one for VoIP and another for the rest of the traffic, and enable QoS. I don't know at the moment how VLANs work in the ST2030, but when I have done some tests I will send my comments to the list.

Thanks,

--
Manuel

-----Original Message-----
From: ast...@li... [mailto:ast...@li...] On behalf of Lonnie Abelbeck
Sent: Saturday, 17 March 2007 4:57
To: AstLinux Users Mailing List
Subject: [Astlinux-users] VLAN epiphany

Friends,

This note documents my recent experience using VLANs in an SMB environment.

Probably many of you are like me, and know what VLANs are and how useful they are, but relegated their use to the big-time corporate infrastructures. Well, I recently had a VLAN epiphany, and I am a believer; even for a small network.

For this discussion, consider the following equipment:

1) net4801 running m0n0wall (LAN - WAN - DMZ)
2) net4801 running AstLinux (asterisk, LAN port only)
3) net4801 running AstLinux (OpenVPN and NTP, LAN port only)
4) HP Procurve 1800-8G switches
5) Netgear FS116P PoE switch, SPA-942 phones and SIP ATAs
6) 802.11g access points

I had a couple of issues; the m0n0wall's DMZ included my wireless and asterisk, together. The OpenVPN box connected to the LAN, resulting in OpenVPN's virtual subnet overlaying the LAN subnet, requiring a hack in m0n0wall to not apply rules to multiple subnets on the same interface... neither of which is good network design.

VLANs to the rescue. Since the net4801 supports 802.1Q VLAN tagging, I configured the DMZ port of m0n0wall as a VLAN 'trunk' to a Procurve 1800-8G switch (under $160). The m0n0wall's LAN and WAN ports remain standard untagged ethernet.

I created 4 VLANs on the m0n0wall DMZ interface (each VLAN is on its own private subnet):

1) VOIP - asterisk, IP phones and ATAs on non-VLAN switch
2) WLAN - 802.11g wireless
3) OVPN - solitary AstLinux box with OpenVPN, NTP; asterisk disabled
4) VLAN1 - VLAN management for switches

A key point is that all the magic is done in the m0n0wall and in the VLAN switch. One switch port, the one that connects to the m0n0wall VLAN trunk interface, needs to be set to "tagged", but all the other ports can accept "All" ethernet types, basically untagged ethernet. The VLAN switch needs to be carefully configured, port by port, to assign which VLANs are a member on each port. The 'tagged' port to the m0n0wall must be a member of all four VLANs. The other untagged ingress ports are assigned only one VLAN membership, to match what the port is connected to.

Be very careful when configuring a VLAN switch; one mistake can make your network inoperable, worst case requiring a factory reset of the switch and starting over. Planning is the key. The Procurve 1800 has a very intuitive web interface for the VLAN setup.

The benefits:

1) The publicly available asterisk is segregated with tight firewall rules.
2) The wireless is segregated with tight firewall rules.
3) The OpenVPN server, with its own subnet, reaches any other device by passing through two interfaces, allowing full firewall rules and no hacks to reach a different subnet on the same segment.
4) Elegant, simple network design.

AstLinux has built-in VLAN interface support, but many will find the standard untagged AstLinux setup to a VLAN switch the easiest way to go.

I hope my experiences will be useful to the readers here.

Lonnie
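The port plan Lonnie describes (one "tagged" trunk port that is a member of all four VLANs, every other port untagged in exactly one VLAN) and the 802.1Q tag that makes it work, as an added example that is not part of this thread and is not AstLinux, m0n0wall or ProCurve code: a small Python model of a switch's per-port membership table with the sanity checks a practitioner would run on paper before committing the configuration, plus encoding and decoding of the 802.1Q tag itself. The VLAN IDs (1, 10, 20, 30), the port names and the sample Ethernet frame are assumptions; the post names the four VLANs but gives no VLAN numbers. The tag's 3-bit PCP field is the layer-2 priority Manuel's QoS question refers to.

```python
"""802.1Q port-plan model: added example, not code from the thread, AstLinux or m0n0wall.

VLAN IDs, port names and the sample frame below are assumptions; the post names
the four VLANs but gives no VLAN numbers.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Assumed IDs for the four VLANs in the post (VLAN 1 kept for switch management).
VLANS = {1: "VLAN1 management", 10: "VOIP", 20: "WLAN", 30: "OVPN"}


def vlan_of(frame: bytes):
    """Return the VID in the frame's 802.1Q tag, or None for an untagged frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag after dst/src MAC. pcp is the 3-bit 802.1p priority used for QoS."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Strip the 4-byte tag; an untagged frame is returned unchanged."""
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame


class Port:
    """A switch port: VLANs it sends tagged, plus at most one untagged VLAN (its PVID)."""

    def __init__(self, name, tagged=(), untagged=None):
        self.name, self.tagged, self.untagged = name, frozenset(tagged), untagged

    def members(self):
        extra = {self.untagged} if self.untagged is not None else set()
        return self.tagged | extra


def validate_plan(ports, trunk_name, vlans=VLANS):
    """Checks to run on paper before committing a port plan to the switch."""
    errors = []
    trunk = next(p for p in ports if p.name == trunk_name)
    missing = set(vlans) - trunk.tagged
    if missing:
        errors.append(f"{trunk_name}: trunk must carry every VLAN tagged, missing {sorted(missing)}")
    for p in ports:
        if p.name == trunk_name:
            continue
        if p.tagged:
            errors.append(f"{p.name}: access port should not send tagged frames {sorted(p.tagged)}")
        if p.untagged is None:
            errors.append(f"{p.name}: access port has no untagged VLAN (PVID)")
        unknown = p.members() - set(vlans)
        if unknown:
            errors.append(f"{p.name}: member of undefined VLAN {sorted(unknown)}")
    return errors


def switch(frame: bytes, ingress: Port, egress: Port):
    """Forward one frame; return what leaves the egress port, or None if it is dropped."""
    vid = vlan_of(frame)
    if vid is None:
        if ingress.untagged is None:
            return None  # untagged frame on a port with no PVID
        vid = ingress.untagged  # classify by the ingress port's PVID
    elif vid not in ingress.tagged:
        return None  # tagged frame for a VLAN this port does not accept
    if vid in egress.tagged:
        return frame if vlan_of(frame) is not None else tag_frame(frame, vid)
    if vid == egress.untagged:
        return untag_frame(frame)  # access port: tag is removed on the way out
    return None  # egress port is not a member of this VLAN


if __name__ == "__main__":
    trunk = Port("p1-m0n0wall", tagged=VLANS.keys())
    voip, wlan, ovpn = Port("p2-voip", untagged=10), Port("p3-wlan", untagged=20), Port("p4-ovpn", untagged=30)
    print("plan errors:", validate_plan([trunk, voip, wlan, ovpn], "p1-m0n0wall"))
    # Constructed sample frame: dst MAC, src MAC, EtherType 0x0800, payload.
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"SIP"
    print("voip -> trunk VID:", vlan_of(switch(frame, voip, trunk)))
    print("voip -> wlan:", switch(frame, voip, wlan))
```

The model shows why the phones and ATAs on the non-VLAN Netgear switch need no VLAN awareness: their frames arrive untagged, are classified by the access port's PVID, leave toward the m0n0wall tagged with VID 10, and are never delivered to a port whose only membership is another VLAN. The plan check catches the two mistakes that most often leave a switch unreachable after a commit: a trunk that does not carry the management VLAN and an access port with no untagged VLAN.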