Re: [CentOS] VLAN issue
On Mon, Jan 26, 2015 at 3:50 PM, Gordon Messmer gordon.mess...@gmail.com wrote: On 01/25/2015 04:20 PM, Boris Epstein wrote: I have resolved this, finally. The problem was that I configured VLAN 48 as the native VLAN on the trunk port.That was a mistake as apparently the native VLAN is the one where Cisco does not bother to tag packets. That's not a mistake, per se. Having vlan 48 as the native vlan just means that you'd want 192.168.48.100 on eth0 instead of eth0.48. +1 If it were me, I'd opt for setting the native vlan to 48 for that port. It's simpler and avoids having vlan1 to deal with. For now I set the native VLAN to VLAN 1 and that works. As long as you aren't concerned about the security implications of that host having access to vlan 1, that seems pretty reasonable. The system will get some extra broadcast traffic, but the ethernet card will probably filter those out so that they don't have to be processed. Boris could just set what vlans are allowed on the trunk port to his server. Just allow vlans 48, 49, and 50 and not others ! by default your switch trunks on vlan 1 to 4094 ! now to allow it only on the three vlans you specifically specified (48,49,50) switchport trunk allowed vlan remove 1-47,51-4094 ! if you chose to tell it not to trunk any vlans, you'd disconnect your telnet/ssh ! session as well as cause a service outage ... so don't do that! ! ! also realize that Cisco smuggles some data via VLAN1 [0], so there still will likely be traffic on VLAN1 ! ! now that port should not be trunking on ALL vlans ... just 48,49,50 show int Gi1/0/3 switchport show int Gi1/0/3 trunk As far as security goes ... Leaving vlan1 usable when it does not need to be is akin to locking most of the doors at your home, but not all of them. 1) by default (most?) switches have all ports in vlan1 ... so somebody plugs in a new switch and could potentially communicate with your server. 2) If someone compromises that server, now they have a trunk port to have lots of fun with (create more vlan interfaces and sniff/spoof traffic). [0] https://supportforums.cisco.com/discussion/9118321/disabling-vlan1-across-trunks -- ---~~.~~--- Mike // SilverTip257 // ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
On 01/26/2015 06:00 PM, Boris Epstein wrote: What sort of security implications did you have in mind? Just curious. I think the common uses of VLANs are to segregate traffic to reduce collisions, and to segment networks for security. If you've added VLAN 1 as the native VLAN, you might be exposing this host to attacks from that VLAN (assuming you gave it an address), or you might be exposing other hosts on the VLAN to attacks from that host if it's compromised. If your security policy is based on the policy of least privilege, then it's best not to provide a host with VLANs that it doesn't use/need. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
On 01/25/2015 04:20 PM, Boris Epstein wrote: I have resolved this, finally. The problem was that I configured VLAN 48 as the native VLAN on the trunk port.That was a mistake as apparently the native VLAN is the one where Cisco does not bother to tag packets. That's not a mistake, per se. Having vlan 48 as the native vlan just means that you'd want 192.168.48.100 on eth0 instead of eth0.48. For now I set the native VLAN to VLAN 1 and that works. As long as you aren't concerned about the security implications of that host having access to vlan 1, that seems pretty reasonable. The system will get some extra broadcast traffic, but the ethernet card will probably filter those out so that they don't have to be processed. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
Gordon, thanks! What sort of security implications did you have in mind? Just curious. Boris. On Mon, Jan 26, 2015 at 3:50 PM, Gordon Messmer gordon.mess...@gmail.com wrote: On 01/25/2015 04:20 PM, Boris Epstein wrote: I have resolved this, finally. The problem was that I configured VLAN 48 as the native VLAN on the trunk port.That was a mistake as apparently the native VLAN is the one where Cisco does not bother to tag packets. That's not a mistake, per se. Having vlan 48 as the native vlan just means that you'd want 192.168.48.100 on eth0 instead of eth0.48. For now I set the native VLAN to VLAN 1 and that works. As long as you aren't concerned about the security implications of that host having access to vlan 1, that seems pretty reasonable. The system will get some extra broadcast traffic, but the ethernet card will probably filter those out so that they don't have to be processed. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
On Sun, Jan 25, 2015 at 8:38 AM, Andrew Holway andrew.hol...@gmail.com wrote: On 25 January 2015 at 15:12, Boris Epstein borepst...@gmail.com wrote: OK... but why does it need to be a trunk port? Because a trunk port will trunk the vlan. A VLAN is basically a 4 byte tag that gets injected into the packet header when the packet enters the VLAN network. When we trunk a VLAN we say to the switch pass packets on VLAN x but do not strip the tag out. You can either terminate the VLAN at the switch port (untagged) which will strip out the VLAN tag or you can pass the packet containing the VLAN tag to the computer or other device(tagged/trunk). This device can then pull out the tag. On linux this mechanism is done by an 8021q VLAN interface. Hope this is useful. Just to add to that - normally if a host only needs to be on one subnet you would use an access port on the switch to select a single vlan and deliver those packets untagged so the host does not need to care about tags or vlan numbers. And to that end, switches default to treating everything as access ports on native/untagged vlan 0 unless configured otherwise. However, if the host needs interfaces on multiple subnets, you can do it on a single network connection by giving it a trunk connection from the switch and letting it split out the vlan interfaces internally. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
Stephen, That is right - it is not on a trunk port. I guess this must be it. Thanks. Boris. On Sun, Jan 25, 2015 at 9:25 AM, Stephen Harris li...@spuddy.org wrote: On Sun, Jan 25, 2015 at 09:12:29AM -0500, Boris Epstein wrote: OK... but why does it need to be a trunk port? If you are on a trunk port then your machine needs to be configured for VLANs. If you are not on a trunk port then your machine needs to be configured normally. It _sounds_ like you have configured your machine for VLANs but are not on a trunk port. -- rgds Stephen ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
OK... but why does it need to be a trunk port? Boris. On Sat, Jan 24, 2015 at 6:53 PM, SilverTip257 silvertip...@gmail.com wrote: Andrew and Dennis are spot on. Their conclusions about your server being connected to an access port and not a trunk port would be my conclusion as well. On Sat, Jan 24, 2015 at 9:11 AM, Dennis Jacobfeuerborn denni...@conversis.de wrote: Hi Boris, what I'd like to know is the actual VLAN configuration of the switch port (link-type and tagged and untagged VLANs). When I look at the switchport coniguration here I get (among other things): ... Port link-type: trunk Tagged VLAN ID : 8, 1624 Untagged VLAN ID : 10 ... Here is my suspicion: Your ports have an access link-type with an untagged VLAN ID of 48. That would explain why the moment you configure an IP from that VLAN on eth0 you get connectivity because then the packets the Linux box sends are untagged as the switch would expect them to be. If you only put an address on eth0.48 then the packets get tagged by Linux but if the switch port is not configured to receive the packets for VLAN 48 as tagged then it will simply drop these packets and you will not get connectivity. Additionally, the switch should gripe about 802.1q BPDUs. Check the in-memory system log (or syslog server if you have configured that). show logging | i 1Q Example: 1w1d: %SPANTREE-2-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/2 on vlan 100. So getting the actual VLAN config of the switch port would help to determine if the switch actually expects to receive the packets the way you send them from the Linux box. +1 Let's see the config for the switch port your server is connected to. -- ---~~.~~--- Mike // SilverTip257 // ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
On Sun, Jan 25, 2015 at 09:12:29AM -0500, Boris Epstein wrote: OK... but why does it need to be a trunk port? If you are on a trunk port then your machine needs to be configured for VLANs. If you are not on a trunk port then your machine needs to be configured normally. It _sounds_ like you have configured your machine for VLANs but are not on a trunk port. -- rgds Stephen ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
On 25 January 2015 at 15:12, Boris Epstein borepst...@gmail.com wrote: OK... but why does it need to be a trunk port? Because a trunk port will trunk the vlan. A VLAN is basically a 4 byte tag that gets injected into the packet header when the packet enters the VLAN network. When we trunk a VLAN we say to the switch pass packets on VLAN x but do not strip the tag out. You can either terminate the VLAN at the switch port (untagged) which will strip out the VLAN tag or you can pass the packet containing the VLAN tag to the computer or other device(tagged/trunk). This device can then pull out the tag. On linux this mechanism is done by an 8021q VLAN interface. Hope this is useful. ta Andrew Boris. On Sat, Jan 24, 2015 at 6:53 PM, SilverTip257 silvertip...@gmail.com wrote: Andrew and Dennis are spot on. Their conclusions about your server being connected to an access port and not a trunk port would be my conclusion as well. On Sat, Jan 24, 2015 at 9:11 AM, Dennis Jacobfeuerborn denni...@conversis.de wrote: Hi Boris, what I'd like to know is the actual VLAN configuration of the switch port (link-type and tagged and untagged VLANs). When I look at the switchport coniguration here I get (among other things): ... Port link-type: trunk Tagged VLAN ID : 8, 1624 Untagged VLAN ID : 10 ... Here is my suspicion: Your ports have an access link-type with an untagged VLAN ID of 48. That would explain why the moment you configure an IP from that VLAN on eth0 you get connectivity because then the packets the Linux box sends are untagged as the switch would expect them to be. If you only put an address on eth0.48 then the packets get tagged by Linux but if the switch port is not configured to receive the packets for VLAN 48 as tagged then it will simply drop these packets and you will not get connectivity. Additionally, the switch should gripe about 802.1q BPDUs. Check the in-memory system log (or syslog server if you have configured that). show logging | i 1Q Example: 1w1d: %SPANTREE-2-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/2 on vlan 100. So getting the actual VLAN config of the switch port would help to determine if the switch actually expects to receive the packets the way you send them from the Linux box. +1 Let's see the config for the switch port your server is connected to. -- ---~~.~~--- Mike // SilverTip257 // ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
Thank you everyone. OK, the mystery deepens, I guess. The machine does need to support several VLAN's, it is currently on a trunkport (8021q encapsulated), it made it into the ARP table - which I specifically tested for by physically unplugging the table, clearing the ARP table and plugging it back in. The ARP table currently looks like this: hq#show arp Protocol Address Age (min) Hardware Addr Type Interface Internet 192.168.48.100 0 0025.6440.0301 ARPA Vlan48 Internet 192.168.48.101 - 001b.906a.bcc4 ARPA Vlan48 Internet 192.168.48.10 0025.6440.063f ARPA Vlan48 Internet 192.168.2.520 0025.6440.0547 ARPA Vlan2 Internet 192.168.3.1 - 001b.906a.bcc2 ARPA Vlan3 Internet 192.168.2.1 - 001b.906a.bcc1 ARPA Vlan2 Internet 192.168.7.1 - 001b.906a.bcc3 ARPA Vlan7 hq# The network config on the machine currently looks like this: it has nothing assigned to eth0, eth0.48 = 192.168.48.100/24, eth0.49 = 192.168.49.100/24, eth0.50 = 192.168.50.100/24. And - even though the ARP table seems to be OK - there is no connectivity! Boris. On Sun, Jan 25, 2015 at 11:42 AM, Les Mikesell lesmikes...@gmail.com wrote: On Sun, Jan 25, 2015 at 8:38 AM, Andrew Holway andrew.hol...@gmail.com wrote: On 25 January 2015 at 15:12, Boris Epstein borepst...@gmail.com wrote: OK... but why does it need to be a trunk port? Because a trunk port will trunk the vlan. A VLAN is basically a 4 byte tag that gets injected into the packet header when the packet enters the VLAN network. When we trunk a VLAN we say to the switch pass packets on VLAN x but do not strip the tag out. You can either terminate the VLAN at the switch port (untagged) which will strip out the VLAN tag or you can pass the packet containing the VLAN tag to the computer or other device(tagged/trunk). This device can then pull out the tag. On linux this mechanism is done by an 8021q VLAN interface. Hope this is useful. Just to add to that - normally if a host only needs to be on one subnet you would use an access port on the switch to select a single vlan and deliver those packets untagged so the host does not need to care about tags or vlan numbers. And to that end, switches default to treating everything as access ports on native/untagged vlan 0 unless configured otherwise. However, if the host needs interfaces on multiple subnets, you can do it on a single network connection by giving it a trunk connection from the switch and letting it split out the vlan interfaces internally. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
And additionally here are the detailed port configs on the switch end: hqshow interface Gi1/0/3 switchport Name: Gi1/0/3 Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q Negotiation of Trunking: On Access Mode VLAN: 48 (VLAN0048) Trunking Native Mode VLAN: 48 (VLAN0048) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative private-vlan host-association: none Administrative private-vlan mapping: none Administrative private-vlan trunk native VLAN: none Administrative private-vlan trunk Native VLAN tagging: enabled Administrative private-vlan trunk encapsulation: dot1q Administrative private-vlan trunk normal VLANs: none Administrative private-vlan trunk associations: none Administrative private-vlan trunk mappings: none Operational private-vlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Capture Mode Disabled Capture VLANs Allowed: ALL Protected: false Unknown unicast blocked: disabled Unknown multicast blocked: disabled Appliance trust: none hqshow interface Gi1/0/3 trunk PortMode Encapsulation StatusNative vlan Gi1/0/3 on 802.1q trunking 48 PortVlans allowed on trunk Gi1/0/3 1-4094 PortVlans allowed and active in management domain Gi1/0/3 1-3,7,48-50 PortVlans in spanning tree forwarding state and not pruned Gi1/0/3 1-3,7,48-50 hq Boris. On Sun, Jan 25, 2015 at 7:05 PM, Boris Epstein borepst...@gmail.com wrote: Thank you everyone. OK, the mystery deepens, I guess. The machine does need to support several VLAN's, it is currently on a trunkport (8021q encapsulated), it made it into the ARP table - which I specifically tested for by physically unplugging the table, clearing the ARP table and plugging it back in. The ARP table currently looks like this: hq#show arp Protocol Address Age (min) Hardware Addr Type Interface Internet 192.168.48.100 0 0025.6440.0301 ARPA Vlan48 Internet 192.168.48.101 - 001b.906a.bcc4 ARPA Vlan48 Internet 192.168.48.10 0025.6440.063f ARPA Vlan48 Internet 192.168.2.520 0025.6440.0547 ARPA Vlan2 Internet 192.168.3.1 - 001b.906a.bcc2 ARPA Vlan3 Internet 192.168.2.1 - 001b.906a.bcc1 ARPA Vlan2 Internet 192.168.7.1 - 001b.906a.bcc3 ARPA Vlan7 hq# The network config on the machine currently looks like this: it has nothing assigned to eth0, eth0.48 = 192.168.48.100/24, eth0.49 = 192.168.49.100/24, eth0.50 = 192.168.50.100/24. And - even though the ARP table seems to be OK - there is no connectivity! Boris. On Sun, Jan 25, 2015 at 11:42 AM, Les Mikesell lesmikes...@gmail.com wrote: On Sun, Jan 25, 2015 at 8:38 AM, Andrew Holway andrew.hol...@gmail.com wrote: On 25 January 2015 at 15:12, Boris Epstein borepst...@gmail.com wrote: OK... but why does it need to be a trunk port? Because a trunk port will trunk the vlan. A VLAN is basically a 4 byte tag that gets injected into the packet header when the packet enters the VLAN network. When we trunk a VLAN we say to the switch pass packets on VLAN x but do not strip the tag out. You can either terminate the VLAN at the switch port (untagged) which will strip out the VLAN tag or you can pass the packet containing the VLAN tag to the computer or other device(tagged/trunk). This device can then pull out the tag. On linux this mechanism is done by an 8021q VLAN interface. Hope this is useful. Just to add to that - normally if a host only needs to be on one subnet you would use an access port on the switch to select a single vlan and deliver those packets untagged so the host does not need to care about tags or vlan numbers. And to that end, switches default to treating everything as access ports on native/untagged vlan 0 unless configured otherwise. However, if the host needs interfaces on multiple subnets, you can do it on a single network connection by giving it a trunk connection from the switch and letting it split out the vlan interfaces internally. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
OK, thanks again for all your help. I have resolved this, finally. The problem was that I configured VLAN 48 as the native VLAN on the trunk port.That was a mistake as apparently the native VLAN is the one where Cisco does not bother to tag packets. For now I set the native VLAN to VLAN 1 and that works. Cheers, Boris. On Sun, Jan 25, 2015 at 7:13 PM, Boris Epstein borepst...@gmail.com wrote: And additionally here are the detailed port configs on the switch end: hqshow interface Gi1/0/3 switchport Name: Gi1/0/3 Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q Negotiation of Trunking: On Access Mode VLAN: 48 (VLAN0048) Trunking Native Mode VLAN: 48 (VLAN0048) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative private-vlan host-association: none Administrative private-vlan mapping: none Administrative private-vlan trunk native VLAN: none Administrative private-vlan trunk Native VLAN tagging: enabled Administrative private-vlan trunk encapsulation: dot1q Administrative private-vlan trunk normal VLANs: none Administrative private-vlan trunk associations: none Administrative private-vlan trunk mappings: none Operational private-vlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Capture Mode Disabled Capture VLANs Allowed: ALL Protected: false Unknown unicast blocked: disabled Unknown multicast blocked: disabled Appliance trust: none hqshow interface Gi1/0/3 trunk PortMode Encapsulation StatusNative vlan Gi1/0/3 on 802.1q trunking 48 PortVlans allowed on trunk Gi1/0/3 1-4094 PortVlans allowed and active in management domain Gi1/0/3 1-3,7,48-50 PortVlans in spanning tree forwarding state and not pruned Gi1/0/3 1-3,7,48-50 hq Boris. On Sun, Jan 25, 2015 at 7:05 PM, Boris Epstein borepst...@gmail.com wrote: Thank you everyone. OK, the mystery deepens, I guess. The machine does need to support several VLAN's, it is currently on a trunkport (8021q encapsulated), it made it into the ARP table - which I specifically tested for by physically unplugging the table, clearing the ARP table and plugging it back in. The ARP table currently looks like this: hq#show arp Protocol Address Age (min) Hardware Addr Type Interface Internet 192.168.48.100 0 0025.6440.0301 ARPA Vlan48 Internet 192.168.48.101 - 001b.906a.bcc4 ARPA Vlan48 Internet 192.168.48.10 0025.6440.063f ARPA Vlan48 Internet 192.168.2.520 0025.6440.0547 ARPA Vlan2 Internet 192.168.3.1 - 001b.906a.bcc2 ARPA Vlan3 Internet 192.168.2.1 - 001b.906a.bcc1 ARPA Vlan2 Internet 192.168.7.1 - 001b.906a.bcc3 ARPA Vlan7 hq# The network config on the machine currently looks like this: it has nothing assigned to eth0, eth0.48 = 192.168.48.100/24, eth0.49 = 192.168.49.100/24, eth0.50 = 192.168.50.100/24. And - even though the ARP table seems to be OK - there is no connectivity! Boris. On Sun, Jan 25, 2015 at 11:42 AM, Les Mikesell lesmikes...@gmail.com wrote: On Sun, Jan 25, 2015 at 8:38 AM, Andrew Holway andrew.hol...@gmail.com wrote: On 25 January 2015 at 15:12, Boris Epstein borepst...@gmail.com wrote: OK... but why does it need to be a trunk port? Because a trunk port will trunk the vlan. A VLAN is basically a 4 byte tag that gets injected into the packet header when the packet enters the VLAN network. When we trunk a VLAN we say to the switch pass packets on VLAN x but do not strip the tag out. You can either terminate the VLAN at the switch port (untagged) which will strip out the VLAN tag or you can pass the packet containing the VLAN tag to the computer or other device(tagged/trunk). This device can then pull out the tag. On linux this mechanism is done by an 8021q VLAN interface. Hope this is useful. Just to add to that - normally if a host only needs to be on one subnet you would use an access port on the switch to select a single vlan and deliver those packets untagged so the host does not need to care about tags or vlan numbers. And to that end, switches default to treating everything as access ports on native/untagged vlan 0 unless configured otherwise. However, if the host needs interfaces on multiple subnets, you can do it on a single network connection by giving it a trunk connection from the switch and letting it split out the vlan interfaces internally. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org
Re: [CentOS] VLAN issue
Andrew and Dennis are spot on. Their conclusions about your server being connected to an access port and not a trunk port would be my conclusion as well. On Sat, Jan 24, 2015 at 9:11 AM, Dennis Jacobfeuerborn denni...@conversis.de wrote: Hi Boris, what I'd like to know is the actual VLAN configuration of the switch port (link-type and tagged and untagged VLANs). When I look at the switchport coniguration here I get (among other things): ... Port link-type: trunk Tagged VLAN ID : 8, 1624 Untagged VLAN ID : 10 ... Here is my suspicion: Your ports have an access link-type with an untagged VLAN ID of 48. That would explain why the moment you configure an IP from that VLAN on eth0 you get connectivity because then the packets the Linux box sends are untagged as the switch would expect them to be. If you only put an address on eth0.48 then the packets get tagged by Linux but if the switch port is not configured to receive the packets for VLAN 48 as tagged then it will simply drop these packets and you will not get connectivity. Additionally, the switch should gripe about 802.1q BPDUs. Check the in-memory system log (or syslog server if you have configured that). show logging | i 1Q Example: 1w1d: %SPANTREE-2-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/2 on vlan 100. So getting the actual VLAN config of the switch port would help to determine if the switch actually expects to receive the packets the way you send them from the Linux box. +1 Let's see the config for the switch port your server is connected to. -- ---~~.~~--- Mike // SilverTip257 // ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
Do you need the whole configuration? On the switch end, we have the relevant VLAN (VLAN 48) with the assigned IP address of 192.168.48.101 and the range of ports (Gi1/0/1 - Gi1/0/8) assigned to that VLAN. Seems - and acts - like a legitimate setup and works fine, except for this particular instance. Thanks. Boris. On Fri, Jan 23, 2015 at 8:54 PM, Dennis Jacobfeuerborn denni...@conversis.de wrote: We have lots of servers with a similar setup (i.e. tagged vlans and no ip on eth0) and this works just fine. What is the actual vlan configuration on your switchport? Regards, Dennis On 24.01.2015 01:34, Boris Epstein wrote: Steve, Thanks, makes sense. I just don't see why I have to effectively waste an extra IP address to get my connection established. Boris. On Fri, Jan 23, 2015 at 7:16 PM, Stephen Harris li...@spuddy.org wrote: On Fri, Jan 23, 2015 at 07:10:57PM -0500, Boris Epstein wrote: This makes two of us. I've done everything as you have described and it simply does not work. Are you actually seeing VLAN tagged traffic, or is the cisco switch just providing a normal stream? At work we have hundreds of VLANs, but the servers don't get configured for this; we just configure them as normal; ie eth0. The network infrastructure does the VLAN decoding, the server doesn't have to. Try configuring the machine as if it was a real LAN and forget about the VLAN. If that doesn't work then what does 'tcpdump -i eth0' show you? -- rgds Stephen ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
Hi Boris, Is the switch port mode tagged or untagged. Thanks, Andrew On 24 January 2015 at 13:35, Boris Epstein borepst...@gmail.com wrote: Do you need the whole configuration? On the switch end, we have the relevant VLAN (VLAN 48) with the assigned IP address of 192.168.48.101 and the range of ports (Gi1/0/1 - Gi1/0/8) assigned to that VLAN. Seems - and acts - like a legitimate setup and works fine, except for this particular instance. Thanks. Boris. On Fri, Jan 23, 2015 at 8:54 PM, Dennis Jacobfeuerborn denni...@conversis.de wrote: We have lots of servers with a similar setup (i.e. tagged vlans and no ip on eth0) and this works just fine. What is the actual vlan configuration on your switchport? Regards, Dennis On 24.01.2015 01:34, Boris Epstein wrote: Steve, Thanks, makes sense. I just don't see why I have to effectively waste an extra IP address to get my connection established. Boris. On Fri, Jan 23, 2015 at 7:16 PM, Stephen Harris li...@spuddy.org wrote: On Fri, Jan 23, 2015 at 07:10:57PM -0500, Boris Epstein wrote: This makes two of us. I've done everything as you have described and it simply does not work. Are you actually seeing VLAN tagged traffic, or is the cisco switch just providing a normal stream? At work we have hundreds of VLANs, but the servers don't get configured for this; we just configure them as normal; ie eth0. The network infrastructure does the VLAN decoding, the server doesn't have to. Try configuring the machine as if it was a real LAN and forget about the VLAN. If that doesn't work then what does 'tcpdump -i eth0' show you? -- rgds Stephen ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
Hi Boris, what I'd like to know is the actual VLAN configuration of the switch port (link-type and tagged and untagged VLANs). When I look at the switchport coniguration here I get (among other things): ... Port link-type: trunk Tagged VLAN ID : 8, 1624 Untagged VLAN ID : 10 ... Here is my suspicion: Your ports have an access link-type with an untagged VLAN ID of 48. That would explain why the moment you configure an IP from that VLAN on eth0 you get connectivity because then the packets the Linux box sends are untagged as the switch would expect them to be. If you only put an address on eth0.48 then the packets get tagged by Linux but if the switch port is not configured to receive the packets for VLAN 48 as tagged then it will simply drop these packets and you will not get connectivity. So getting the actual VLAN config of the switch port would help to determine if the switch actually expects to receive the packets the way you send them from the Linux box. Regards, Dennis So if you On 24.01.2015 13:35, Boris Epstein wrote: Do you need the whole configuration? On the switch end, we have the relevant VLAN (VLAN 48) with the assigned IP address of 192.168.48.101 and the range of ports (Gi1/0/1 - Gi1/0/8) assigned to that VLAN. Seems - and acts - like a legitimate setup and works fine, except for this particular instance. Thanks. Boris. On Fri, Jan 23, 2015 at 8:54 PM, Dennis Jacobfeuerborn denni...@conversis.de wrote: We have lots of servers with a similar setup (i.e. tagged vlans and no ip on eth0) and this works just fine. What is the actual vlan configuration on your switchport? Regards, Dennis On 24.01.2015 01:34, Boris Epstein wrote: Steve, Thanks, makes sense. I just don't see why I have to effectively waste an extra IP address to get my connection established. Boris. On Fri, Jan 23, 2015 at 7:16 PM, Stephen Harris li...@spuddy.org wrote: On Fri, Jan 23, 2015 at 07:10:57PM -0500, Boris Epstein wrote: This makes two of us. I've done everything as you have described and it simply does not work. Are you actually seeing VLAN tagged traffic, or is the cisco switch just providing a normal stream? At work we have hundreds of VLANs, but the servers don't get configured for this; we just configure them as normal; ie eth0. The network infrastructure does the VLAN decoding, the server doesn't have to. Try configuring the machine as if it was a real LAN and forget about the VLAN. If that doesn't work then what does 'tcpdump -i eth0' show you? -- rgds Stephen ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] VLAN issue
Hello all, I have a machine running Centos 6.6 connected to a port on a Cisco Catalyst 3750 series switch. That port is part of VLAN 48. I have VLAN 48 on the CentOS machine too. The IP network on VLAN 48 is 192.168.48.0/255.255.255.0. The address on the CentOS side is 192.168.48.101, the address on the Linux end ought to be 192.168.48.100. When I only bring up eth0.48 VLAN device with the IP=192.168.48.100 I have no connectivity. If I bring it up along with eth0 with another VLAN 48 address assigned to it (for instance, 192.168.48.99) I do have connectivity. Also, strangely enough, sometimes to get things going I have to disconnect the Linux host from the switch - physically detach the wire and reconnect it again. Be that as it may when I just bring up the VLAN by itself I have thus far been unable to get anywhere. Has anybody seen a situation like this? Does anybody have an explaination for it? Thanks. Boris. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
Steve, Thanks, makes sense. I just don't see why I have to effectively waste an extra IP address to get my connection established. Boris. On Fri, Jan 23, 2015 at 7:16 PM, Stephen Harris li...@spuddy.org wrote: On Fri, Jan 23, 2015 at 07:10:57PM -0500, Boris Epstein wrote: This makes two of us. I've done everything as you have described and it simply does not work. Are you actually seeing VLAN tagged traffic, or is the cisco switch just providing a normal stream? At work we have hundreds of VLANs, but the servers don't get configured for this; we just configure them as normal; ie eth0. The network infrastructure does the VLAN decoding, the server doesn't have to. Try configuring the machine as if it was a real LAN and forget about the VLAN. If that doesn't work then what does 'tcpdump -i eth0' show you? -- rgds Stephen ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
On Fri, Jan 23, 2015 at 5:27 PM, Boris Epstein borepst...@gmail.com wrote: Hello all, I have a machine running Centos 6.6 connected to a port on a Cisco Catalyst 3750 series switch. That port is part of VLAN 48. I have VLAN 48 on the CentOS machine too. The IP network on VLAN 48 is 192.168.48.0/255.255.255.0. The address on the CentOS side is 192.168.48.101, the address on the Linux end ought to be 192.168.48.100. When I only bring up eth0.48 VLAN device with the IP=192.168.48.100 I have no connectivity. If I bring it up along with eth0 with another VLAN 48 address assigned to it (for instance, 192.168.48.99) I do have connectivity. Also, strangely enough, sometimes to get things going I have to disconnect the Linux host from the switch - physically detach the wire and reconnect it again. Be that as it may when I just bring up the VLAN by itself I have thus far been unable to get anywhere. Has anybody seen a situation like this? Does anybody have an explaination for it? I think you always have to bring up the underlying eth device to activate a related eth.nn vlan. The base device would not normally have an IPADDR, though, unless it is for an untagged vlan 0. Assuming the connected switch port is configured as a trunk, you shouldn't see vlan 48 addresses on the base (untagged) device. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
Less, You are 100% right. Of course I brought up my eth0 - but, like you said, with no IP. Meanwhile, I brought up eth0.48 with 192.168.48.100. However, until I would bring up eth0 with an IP address (any in the network) I would have no connection. Why? That's what I fail to understand. Boris. On Fri, Jan 23, 2015 at 6:45 PM, Les Mikesell lesmikes...@gmail.com wrote: On Fri, Jan 23, 2015 at 5:27 PM, Boris Epstein borepst...@gmail.com wrote: Hello all, I have a machine running Centos 6.6 connected to a port on a Cisco Catalyst 3750 series switch. That port is part of VLAN 48. I have VLAN 48 on the CentOS machine too. The IP network on VLAN 48 is 192.168.48.0/255.255.255.0. The address on the CentOS side is 192.168.48.101, the address on the Linux end ought to be 192.168.48.100. When I only bring up eth0.48 VLAN device with the IP=192.168.48.100 I have no connectivity. If I bring it up along with eth0 with another VLAN 48 address assigned to it (for instance, 192.168.48.99) I do have connectivity. Also, strangely enough, sometimes to get things going I have to disconnect the Linux host from the switch - physically detach the wire and reconnect it again. Be that as it may when I just bring up the VLAN by itself I have thus far been unable to get anywhere. Has anybody seen a situation like this? Does anybody have an explaination for it? I think you always have to bring up the underlying eth device to activate a related eth.nn vlan. The base device would not normally have an IPADDR, though, unless it is for an untagged vlan 0. Assuming the connected switch port is configured as a trunk, you shouldn't see vlan 48 addresses on the base (untagged) device. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
On Fri, Jan 23, 2015 at 5:48 PM, Boris Epstein borepst...@gmail.com wrote: Less, You are 100% right. Of course I brought up my eth0 - but, like you said, with no IP. Meanwhile, I brought up eth0.48 with 192.168.48.100. However, until I would bring up eth0 with an IP address (any in the network) I would have no connection. Why? That's what I fail to understand. Doesn't make sense to me - I think I've done it both ways (with/without a vlan 0 address). I didn't think it took anything special except the VLAN=yes in the file and the .number in the DEVICE= (and file) name. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
On Fri, Jan 23, 2015 at 07:10:57PM -0500, Boris Epstein wrote: This makes two of us. I've done everything as you have described and it simply does not work. Are you actually seeing VLAN tagged traffic, or is the cisco switch just providing a normal stream? At work we have hundreds of VLANs, but the servers don't get configured for this; we just configure them as normal; ie eth0. The network infrastructure does the VLAN decoding, the server doesn't have to. Try configuring the machine as if it was a real LAN and forget about the VLAN. If that doesn't work then what does 'tcpdump -i eth0' show you? -- rgds Stephen ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
On Fri, Jan 23, 2015 at 7:02 PM, Les Mikesell lesmikes...@gmail.com wrote: On Fri, Jan 23, 2015 at 5:48 PM, Boris Epstein borepst...@gmail.com wrote: Less, You are 100% right. Of course I brought up my eth0 - but, like you said, with no IP. Meanwhile, I brought up eth0.48 with 192.168.48.100. However, until I would bring up eth0 with an IP address (any in the network) I would have no connection. Why? That's what I fail to understand. Doesn't make sense to me - I think I've done it both ways (with/without a vlan 0 address). I didn't think it took anything special except the VLAN=yes in the file and the .number in the DEVICE= (and file) name. -- Les Mikesell lesmikes...@gmail.com This makes two of us. I've done everything as you have described and it simply does not work. Boris. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] VLAN issue
We have lots of servers with a similar setup (i.e. tagged vlans and no ip on eth0) and this works just fine. What is the actual vlan configuration on your switchport? Regards, Dennis On 24.01.2015 01:34, Boris Epstein wrote: Steve, Thanks, makes sense. I just don't see why I have to effectively waste an extra IP address to get my connection established. Boris. On Fri, Jan 23, 2015 at 7:16 PM, Stephen Harris li...@spuddy.org wrote: On Fri, Jan 23, 2015 at 07:10:57PM -0500, Boris Epstein wrote: This makes two of us. I've done everything as you have described and it simply does not work. Are you actually seeing VLAN tagged traffic, or is the cisco switch just providing a normal stream? At work we have hundreds of VLANs, but the servers don't get configured for this; we just configure them as normal; ie eth0. The network infrastructure does the VLAN decoding, the server doesn't have to. Try configuring the machine as if it was a real LAN and forget about the VLAN. If that doesn't work then what does 'tcpdump -i eth0' show you? -- rgds Stephen ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
