[ale] VLANs and logging

Derek Atkins derek at ihtfp.com
Wed Apr 17 09:19:36 EDT 2019


I don't see why you can't do both?  Assign each VLAN its own /24.

You will need to *route* between the different VLANs.

Some hosts may be able to be on multiple VLANs simultaneously by putting
them on a physical trunk link (don't assign a VLAN at the switch) and then
assigning the VLANs in software on the port in question (e.g. ifconfig
eth0.69).  This would allow your syslog, DHCP, etc. servers to talk to
all hosts on all VLANs.

I'll note that if you use multiple /24s but share a physical LAN you
STILL have some potential for cross-talk.  For example, a host can put
itself onto any VLAN it sees, whereas if you do port-based VLAN then the
switch will prevent cross-talk!  This might be important for certain
applications, like IoT, phone, etc.

Of course, things get more complicated if you have a VM solution where
different VM guests need to be on different VLANs.  ;)

For the record, I was planning to use VLANs in my new home build-out.
Specifically I was planning to have an IP Camera VLAN, a Guest VLAN, an
IoT VLAN, and an in-house VLAN.  I was debating also a Server VLAN (I do
run an oVirt cluster and have a routable Class-C Network), and maybe a
Phone VLAN (although I only have 2 phones, so not a big deal).

I'm still a good 6 months out from this deployment, so I have some time
to plan it all out.

-derek

Jim Kinney via Ale <ale at ale.org> writes:

> So you have a manageable switch that does vlans. Ports are assigned to
> specific vlan ids. To bridge vlans requires either vlan combination at a port
> or an external device like a multi homed server.
>
> For small locations like homes with under 20k devices, it's easier to use
> literal private networks. Guest network is one class C, phones get another,
> iot another, etc. Use the dhcp server as the bridge/firewall/router between
> all. Assign fixed IPs by mac in the dhcp for servers, printers, and such, and
> dynamic for everything else based on which nic port the request arrives on at
> the dhcp server.
>
> On April 16, 2019 11:47:28 PM EDT, Alex Carver via Ale <ale at ale.org> wrote:
>
>     I'm playing around with the idea of splitting a few things at home into
>     VLANs.  This would include one VLAN for phones, another for the general
>     computers, a third for IoT devices, a guest network, and one for the
>     video cameras.
>     
>     The problem I'm trying to figure out is how to set things up so that the
>     devices with configurable syslogs (in this case phones, computers,
>     cameras) send their logs to my central logging server, allow the devices
>     to pick up their DHCP leases from the central DHCP server, and still
>     have the ability to reach the admin consoles for things like the phones
>     and cameras.
>     --------------------------------------------------------------------------
>     Ale mailing list
>     Ale at ale.org
>     https://mail.ale.org/mailman/listinfo/ale
>     See JOBS, ANNOUNCE and SCHOOLS lists at
>     http://mail.ale.org/mailman/listinfo
>
> --
> Sent from my Android device with K-9 Mail. All tyopes are thumb related and
> reflect authenticity.
>
>

-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
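An added example, not part of Derek's message or anything the list posted: the trunk-attached server setup from the paragraph above, done on a Linux host with iproute2 rather than `ifconfig eth0.69`. The trunk interface name, VLAN ids, names and /24s are constructed for illustration, and DRY_RUN=1 (the default) prints the commands instead of running them, so it can be read without root.

```shell
#!/bin/sh
# Bring up one 802.1Q sub-interface per VLAN on a host whose switch port is a
# trunk (the syslog/DHCP server), so it can reach every /24 directly. Every
# other switch port stays an access port, which is what stops ordinary hosts
# from tagging themselves into a VLAN they should not see.
TRUNK="${TRUNK:-eth0}"      # constructed: the trunk-facing NIC
DRY_RUN="${DRY_RUN:-1}"     # 1 = print commands, 0 = execute them

# Constructed VLAN plan, one "<id> <name> <this host's address/prefix>" per line.
VLAN_PLAN='10 cameras 10.0.10.1/24
20 guest 10.0.20.1/24
30 iot 10.0.30.1/24
40 inhouse 10.0.40.1/24'

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# 802.1Q ids are 1..4094; 0 and 4095 are reserved, anything else is a typo.
valid_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Create <trunk>.<id> (the iproute2 form of eth0.69), address it, bring it up.
add_vlan_iface() {
    id="$1"; addr="$2"
    valid_vlan_id "$id" || { echo "bad VLAN id: $id" >&2; return 1; }
    run ip link add link "$TRUNK" name "$TRUNK.$id" type vlan id "$id"
    run ip addr add "$addr" dev "$TRUNK.$id"
    run ip link set "$TRUNK.$id" up
}

# Walk the plan, then enable forwarding: this host is what routes between
# the /24s (a firewall ruleset on top of that is the next step, not shown).
configure_trunk_host() {
    while read -r id name addr; do
        [ -n "$id" ] || continue
        add_vlan_iface "$id" "$addr" || return 1
    done <<EOF
$VLAN_PLAN
EOF
    run sysctl -w net.ipv4.ip_forward=1
}
```

With the sub-interfaces up, the DHCP and syslog daemons simply listen on each `eth0.<id>` address, and the cameras or phones in that VLAN use it as their gateway and log target.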
