[ale] VLANs and logging
Phil Turmel
philip at turmel.org
Wed Apr 17 11:47:43 EDT 2019
A trunk port w/ tagged VLANs for your router and DHCP server is all you
need. These devices are then virtually multihomed (in addition to your
router's uplink).
You router will bounce traffic among your local VLANs to the extent you
wish to allow it.
On 4/17/19 10:56 AM, Alex Carver via Ale wrote:
> The plan was always to use managed switches to isolate the VLANs (I
> already have them) but I was mainly trying to sort out the missing
> links. I only have one DHCP server but it's not at the router, it's a
> separate machine that also handles DNS. Similarly the logging server
> with the big drive is also independent of the router. Currently the
> router is a small computer with a pair of USB NICs though I could be
> convinced to replace it with something like a Ubiquiti EdgeRouter if
> that was part of the solution.
>
> The things that complicated the layout were the fact that sometimes some
> devices need to talk to others. For example, the phones and other VoIP
> devices have web management interfaces so I have to be able to reach
> them from one of my desktop machines. The desktop machines live on one
> VLAN and the phones another. The same thing happens to the cameras
> where I need to access their video feeds or their web interfaces
> from a desktop computer. At the same time I wouldn't want the cameras
> being able to initiate a connection to a device outside of the VLAN.
>
> One thing I wasn't sure about is whether some of these devices were
> going to need to be multihomed with multiple IPs hanging off trunk ports
> on the switches or if I could do something smarter than that.
> Multihoming some of the devices would be hard to do. One example are
> the cell phones which I do use to view the cameras, visit internal
> server pages, and also a VoIP softphone when I'm on WiFi to link with
> the rest of the VoIP system. When I'm out and about the VPN server has
> to handle that and making that multihomed is probably an exercise in
> drinking.
>
> The guest network and IoT network were actually the only straightforward
> parst of this mess. Each was going to be isolated from the other and
> neither was going to be able to communicate with the other VLANs (the
> IoT network is specifically for devices like the TV that would need a
> connection out to video services but I don't need to talk to the TV
> myself). It's all my other stuff that's harder simply because I have
> these cross-over cases.
>
>
> On 2019-04-17 06:19, Derek Atkins wrote:
>> I don't see why you can't do both? Assign each VLAN its own /24.
>>
>> You will need to *route* between the different VLANs.
>>
>> Some hosts may be able to be on multiple VLANs simultaneously by putting
>> it on a physical trunk link (don't assign a VLAN at the switch) and then
>> assigning the VLANs in software on the port in question (e.g. ifconfig
>> eth0.69). This would allow your syslog, DHCP, etc servers to talk to
>> all hosts on all VLANs.
>>
>> I'll note that if you use multiple /24s but share a physical LAN you
>> STILL have some potential for cross-talk. For example, a host can put
>> itself onto any VLAN it sees, whereas if you do port-based VLAN then the
>> switch will prevent cross-talk! This might be important for certain
>> applications, like IoT, phone, etc.
>>
>> Of course, things get more complicated if you have a VM solution where
>> different VM guests need to be on different VLANs. ;)
>>
>> For the record, I was planning to use VLANs in my new home build-out.
>> Specifically I was planning to have an IP Camera VLAN, a Guest VLAN, an
>> IoT VLAN, and an in-house VLAN. I was debating also a Server VLAN (I do
>> run an oVirt cluster and have a routable Class-C Network), and maybe a
>> Phone VLAN (although I only have 2 phones, so not a big deal).
>>
>> I'm still a good 6 months out from this deployment, so I have some time
>> to plan it all out.
>>
>> -derek
>>
>> Jim Kinney via Ale <ale at ale.org> writes:
>>
>>> So you have a manageable switch that does vlans. Ports are assigned to
>>> specific vlans ids. To bridge vlans requires either vlan combination at a port
>>> or an external device like a multi homed server.
>>>
>>> For small locations like homes with under 20k devices, it's easier to use
>>> literal private networks. Guest network is one class C, phones get another,
>>> iot another, etc. Use the dhcp server as the bridge/firewall/router between
>>> all. Assign fixed IPs by mac in the dhcp for servers, printers, and such, and
>>> dynamic for everything else based on which nic port the request arrives on at
>>> the dhcp server.
>>>
>>> On April 16, 2019 11:47:28 PM EDT, Alex Carver via Ale <ale at ale.org> wrote:
>>>
>>> I'm playing around with the idea of splitting a few things at home into
>>> VLANs. This would include one VLAN for phones, another for the general
>>> computers, a third for IoT devices, a guest network, and one for the
>>> video cameras.
>>>
>>> The problem I'm trying to figure out is how to set things up so that the
>>> devices with configurable syslogs (in this case phones, computers,
>>> cameras) send their logs to my central logging server, allow the devices
>>> to pick up their DHCP leases from the central DHCP server, and still
>>> have the ability to reach the admin consoles for things like the phones
>>> and cameras.
>>> --------------------------------------------------------------------------
>>> Ale mailing list
>>> Ale at ale.org
>>> https://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>> --
>>> Sent from my Android device with K-9 Mail. All tyopes are thumb related and
>>> reflect authenticity.
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> https://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
More information about the Ale
mailing list