From: Moray M. <mmc...@ox...> - 2006-09-18 09:26:02
We're about to set up VLANs on our local network to support shiny new switches and a shiny new VoIP phone system (Avaya IP Office - if anyone has any experience of networking IP Office, or indeed any Avaya VoIP system, I would love to discuss it with you, probably off-line since it is pretty off-topic.) Naturally I would like to be able to connect our firewalling DL box to the new phone VLAN, and use it as the firewall.

I've got a couple of questions, if anyone knows the answers. I've checked out all of this on the web, but haven't found definitive answers.

1) Is the sample included with DL the best way to define VLANs (ifcfg-vlan100.sample on my box)? It is like a regular interface config file, with the addition of VLANID=100 and removal of the MODULE= line defining the kernel driver module.

2) Does iptables interface identification (-i and -o switches) support identification of vlan interfaces as the source and destination interfaces of packets, or only the physical interfaces? I would expect it to work, except I expected that with virtual interfaces (e.g. eth1:1), and it doesn't work with those, but I guess vlan's a different kernel mechanism.

3) I'll want to run dhcpd on the DL box only on the vlan port, since it will only provide DHCP services for the phones, but our main Windows servers will continue to provide DHCP for everything else (saves messing with interoperability between Linux DHCP and Windows' dynamic DNS, tho' this looks doable if I really have to). Looking through /etc/init.d/dhcpd, DL starts DHCPD on interfaces which have DHCP=server in their interface config, which makes this easy, but can anyone tell me what the routes being created in the following lines are for?

    for DEVICE in $DEVICES; do
        route add -net 255.255.255.255 netmask 255.255.255.255 $DEVICE
    done

Cheers,
Moray

-------------------------------------
Moray McConnachie
IS Manager
+44 1865 261 600
Oxford Analytica
http://www.oxan.com
From: Heiko Z. <he...@zu...> - 2006-09-18 13:00:37
Hey,

I'm glad I can at least answer one question. ;-)

> 3) I'll want to run dhcpd on the DL box only on the vlan port, since it
> will only provide DHCP services for the phones, but our main Windows
> servers will continue to provide DHCP for everything else (saves messing
> with interoperability between Linux DHCP and Windows' dynamic DNS, tho'
> this looks doable if I really have to). Looking through /etc/init.d/dhcpd,
> DL starts DHCPD on interfaces which have DHCP=server
> in their interface config, which makes this easy, but can anyone tell me
> what the routes being created in the following lines are for ?
>
> for DEVICE in $DEVICES; do route add -net 255.255.255.255 netmask
> 255.255.255.255 $DEVICE
> done

DHCP uses broadcasts for the early communication stages. That's why this route has to be added to the interface on which the DHCP server needs to communicate.

--
Regards
Heiko Zuerker
http://www.devil-linux.org
From: cdmiller <cdm...@ad...> - 2006-09-18 14:14:29
Moray McConnachie wrote:
>
> 1) is the sample included with DL the best way to define VLANs
> (ifcfg-vlan100.sample on my box)? It is like a regular interface config
> file, with the addition of VLANID=100 and removal of the MODULE= line
> defining the kernel driver module.

I think it is the best way. Also look in the /etc/init.d/network script to see the vconfig options being used.

> 2) does iptables interface identification (-i and -o switches) support
> identification of vlan interfaces as the source and destination
> interfaces of packets, or only the physical interfaces? I would expect
> it to work, except I expected that with virtual interfaces (e.g.
> eth1:1), and it doesn't work with those, but I guess vlan's a different
> kernel mechanism.

Were you using this on the FORWARD, PREROUTING, or POSTROUTING chain?

- cameron
From: Moray M. <mmc...@ox...> - 2006-09-18 14:20:52
>> 2) does iptables interface identification (-i and -o switches) support
>> identification of vlan interfaces as the source and destination
>> interfaces of packets, or only the physical interfaces? I would expect
>> it to work, except I expected that with virtual interfaces (e.g.
>> eth1:1), and it doesn't work with those, but I guess vlan's a
>> different kernel mechanism.

> Were you using this on the FORWARD, PREROUTING, or POSTROUTING chain?

I was trying to use virtual interfaces on the forward chain.

M.
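The three pieces discussed in this thread (bringing up a tagged VLAN sub-interface with vconfig, the 255.255.255.255 host route that /etc/init.d/dhcpd adds for the DHCP server's interface, and iptables FORWARD rules that match the VLAN interface by name) put together as an added example. This is not a Devil Linux script and nothing from the posters; it assumes the 2006-era userland named in the posts (vconfig, ifconfig, route and iptables on a 2.6 kernel with the 8021q module), and eth0 as the LAN side, eth1 as the phone trunk, VLAN 100 and 10.1.100.0/24 are made-up values. It prints the commands it would run (DRY_RUN=1, the default) so the plan can be reviewed without root; set DRY_RUN=0 to execute it.

```shell
#!/bin/sh
# Added example for the VLAN / dhcpd / iptables thread above; not a Devil
# Linux script. Assumes vconfig, ifconfig, route and iptables as on a 2.6
# kernel with 8021q. eth0 (LAN), eth1 (phone trunk), VLAN 100 and
# 10.1.100.0/24 are made-up values. DRY_RUN=1 (default) prints each
# command instead of running it.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Name the kernel gives a tagged sub-interface with vconfig's default name
# type (DEV_PLUS_VID_NO_PAD): eth1 + VID 100 -> eth1.100. If the network
# init script calls "vconfig set_name_type", the name differs (e.g. vlan100).
vlan_ifname() { printf '%s.%s\n' "$1" "$2"; }

# Tag VLAN $2 onto physical NIC $1 and address the sub-interface. The
# parent must be up to carry tagged frames but needs no address itself.
vlan_up() {  # vlan_up PHYS VID IPADDR NETMASK
    run ifconfig "$1" up
    run vconfig add "$1" "$2"
    run ifconfig "$(vlan_ifname "$1" "$2")" "$3" netmask "$4" up
}

# The route from /etc/init.d/dhcpd: replies to a client that has no address
# yet are sent to the limited broadcast 255.255.255.255, and this host
# route pins that destination to the serving interface instead of letting
# it follow the default route out of the wrong NIC.
dhcp_broadcast_route() {  # dhcp_broadcast_route IFACE
    run route add -net 255.255.255.255 netmask 255.255.255.255 "$1"
}

# FORWARD policy between the phone VLAN and the LAN. Netfilter's -i/-o
# match real netdevs: eth1.100 is one, whereas an IP alias such as eth1:1
# is not (its frames arrive on eth1), so an aliased subnet has to be
# selected with -s/-d on the parent interface instead. Phones may open
# connections to the LAN; the LAN only gets replies back.
phone_vlan_forward() {  # phone_vlan_forward PHONE_IF LAN_IF PHONE_NET
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$1" -o "$2" -s "$3" -j ACCEPT
    run iptables -A FORWARD -j LOG --log-prefix "fwd-drop: "
}

# The whole plan for the setup in the thread.
phone_vlan_plan() {
    vlan_up eth1 100 10.1.100.1 255.255.255.0
    dhcp_broadcast_route "$(vlan_ifname eth1 100)"
    phone_vlan_forward "$(vlan_ifname eth1 100)" eth0 10.1.100.0/24
}

phone_vlan_plan
```

Running it as-is prints eight commands in the order they would be applied; the FORWARD rules come last so that no traffic is forwarded before the sub-interface and its route exist. The source-address match (-s) on the phone rule is deliberate alongside -i: it stops a host on the trunk from forwarding with a spoofed LAN address even though the interface match already passed.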