[ale] VLANs and logging

Derek Atkins derek at ihtfp.com
Wed Apr 17 15:48:36 EDT 2019 

Not that I am aware of.

-derek

On Wed, April 17, 2019 3:36 pm, Alex Carver wrote:
> Yeah, I know, I just hoped there was a VLAN method I didn't know about
> that didn't require additional IPs. :)
>
>
> On 2019-04-17 11:59, Derek Atkins wrote:
>> A VLAN is effectively the same as a virtual NIC.  So for each VLAN,
>> imagine the system has yet another Ethernet interface.  Plan your IP
>> network accordingly.
>>
>> -derek
>>
>>
>> On Wed, April 17, 2019 2:50 pm, Alex Carver via Ale wrote:
>>> I was hoping to avoid having multiple IPs on them but looks like I
>>> can't
>>> since each VLAN virtual interface will have to have its own IP.
>>>
>>> On 2019-04-17 08:47, Phil Turmel via Ale wrote:
>>>> A trunk port w/ tagged VLANs for your router and DHCP server is all
>>>> you
>>>> need.  These devices are then virtually multihomed (in addition to
>>>> your
>>>> router's uplink).
>>>>
>>>> You router will bounce traffic among your local VLANs to the extent
>>>> you
>>>> wish to allow it.
>>>>
>>>> On 4/17/19 10:56 AM, Alex Carver via Ale wrote:
>>>>> The plan was always to use managed switches to isolate the VLANs (I
>>>>> already have them) but I  was mainly trying to sort out the missing
>>>>> links.  I only have one DHCP server but it's not at the router, it's
>>>>> a
>>>>> separate machine that also handles DNS.  Similarly the logging server
>>>>> with the big drive is also independent of the router.  Currently the
>>>>> router is a small computer with a pair of USB NICs though I could be
>>>>> convinced to replace it with something like a Ubiquiti EdgeRouter if
>>>>> that was part of the solution.
>>>>>
>>>>> The things that complicated the layout were the fact that sometimes
>>>>> some
>>>>> devices need to talk to others.  For example, the phones and other
>>>>> VoIP
>>>>> devices have web management interfaces so I have to be able to reach
>>>>> them from one of my desktop machines.  The desktop machines live on
>>>>> one
>>>>> VLAN and the phones another.  The same thing happens to the cameras
>>>>> where I need to access their video feeds or their web interfaces
>>>>>   from a desktop computer.  At the same time I wouldn't want the
>>>>> cameras
>>>>> being able to initiate a connection to a device outside of the VLAN.
>>>>>
>>>>> One thing I wasn't sure about is whether some of these devices were
>>>>> going to need to be multihomed with multiple IPs hanging off trunk
>>>>> ports
>>>>> on the switches or if I could do something smarter than that.
>>>>> Multihoming some of the devices would be hard to do.  One example are
>>>>> the cell phones which I do use to view the cameras, visit internal
>>>>> server pages, and also a VoIP softphone when I'm on WiFi to link with
>>>>> the rest of the VoIP system.  When I'm out and about the VPN server
>>>>> has
>>>>> to handle that and making that multihomed is probably an exercise in
>>>>> drinking.
>>>>>
>>>>> The guest network and IoT network were actually the only
>>>>> straightforward
>>>>> parst of this mess.  Each was going to be isolated from the other and
>>>>> neither was going to be able to communicate with the other VLANs (the
>>>>> IoT network is specifically for devices like the TV that would need a
>>>>> connection out to video services but I don't need to talk to the TV
>>>>> myself).  It's all my other stuff that's harder simply because I have
>>>>> these cross-over cases.
>>>>>
>>>>>
>>>>> On 2019-04-17 06:19, Derek Atkins wrote:
>>>>>> I don't see why you can't do both?  Assign each VLAN its own /24.
>>>>>>
>>>>>> You will need to *route* between the different VLANs.
>>>>>>
>>>>>> Some hosts may be able to be on multiple VLANs simultaneously by
>>>>>> putting
>>>>>> it on a physical trunk link (don't assign a VLAN at the switch) and
>>>>>> then
>>>>>> assigning the VLANs in software on the port in question (e.g.
>>>>>> ifconfig
>>>>>> eth0.69).  This would allow your syslog, DHCP, etc servers to talk
>>>>>> to
>>>>>> all hosts on all VLANs.
>>>>>>
>>>>>> I'll note that if you use multiple /24s but share a physical LAN you
>>>>>> STILL have some potential for cross-talk.  For example, a host can
>>>>>> put
>>>>>> itself onto any VLAN it sees, whereas if you do port-based VLAN then
>>>>>> the
>>>>>> switch will prevent cross-talk!  This might be important for certain
>>>>>> applications, like IoT, phone, etc.
>>>>>>
>>>>>> Of course, things get more complicated if you have a VM solution
>>>>>> where
>>>>>> different VM guests need to be on different VLANs.  ;)
>>>>>>
>>>>>> For the record, I was planning to use VLANs in my new home
>>>>>> build-out.
>>>>>> Specifically I was planning to have an IP Camera VLAN, a Guest VLAN,
>>>>>> an
>>>>>> IoT VLAN, and an in-house VLAN.  I was debating also a Server VLAN
>>>>>> (I
>>>>>> do
>>>>>> run an oVirt cluster and have a routable Class-C Network), and maybe
>>>>>> a
>>>>>> Phone VLAN (although I only have 2 phones, so not a big deal).
>>>>>>
>>>>>> I'm still a good 6 months out from this deployment, so I have some
>>>>>> time
>>>>>> to plan it all out.
>>>>>>
>>>>>> -derek
>>>>>>
>>>>>> Jim Kinney via Ale <ale at ale.org> writes:
>>>>>>
>>>>>>> So you have a manageable switch that does vlans. Ports are assigned
>>>>>>> to
>>>>>>> specific vlans ids. To bridge vlans requires either vlan
>>>>>>> combination
>>>>>>> at a port
>>>>>>> or an external device like a multi homed server.
>>>>>>>
>>>>>>> For small locations like homes with under 20k devices, it's easier
>>>>>>> to use
>>>>>>> literal private networks. Guest network is one class C, phones get
>>>>>>> another,
>>>>>>> iot another, etc. Use the dhcp server as the bridge/firewall/router
>>>>>>> between
>>>>>>> all. Assign fixed IPs by mac in the dhcp for servers, printers, and
>>>>>>> such, and
>>>>>>> dynamic for everything else based on which nic port the request
>>>>>>> arrives on at
>>>>>>> the dhcp server.
>>>>>>>
>>>>>>> On April 16, 2019 11:47:28 PM EDT, Alex Carver via Ale
>>>>>>> <ale at ale.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>      I'm playing around with the idea of splitting a few things at
>>>>>>> home into
>>>>>>>      VLANs.  This would include one VLAN for phones, another for
>>>>>>> the
>>>>>>> general
>>>>>>>      computers, a third for IoT devices, a guest network, and one
>>>>>>> for the
>>>>>>>      video cameras.
>>>>>>>           The problem I'm trying to figure out is how to set things
>>>>>>> up so that the
>>>>>>>      devices with configurable syslogs (in this case phones,
>>>>>>> computers,
>>>>>>>      cameras) send their logs to my central logging server, allow
>>>>>>> the devices
>>>>>>>      to pick up their DHCP leases from the central DHCP server, and
>>>>>>> still
>>>>>>>      have the ability to reach the admin consoles for things like
>>>>>>> the phones
>>>>>>>      and cameras.
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> https://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>
>>
>
>


-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

More information about the Ale mailing list