OpenBSD Journal

Vlans, 802.1q or dot1q with cisco.

Contributed by jose on from the management- dept.

David writes:
"This is a just a quick note/tutorial on using OpenBSD with 802.1q. I have an OpenBSD3.1 firewall, the external port plugged into a VLAN that is not on a trunk port, and the internal interface pluged into a trunk port. Here are the configs for my Cisco Catalyst 2924. Keep in mind that 802.1q only works on the "Enterprise" load with 8 megs of memory, found this out the hard way by first getting a really old but cheap catalyst (around $300).

So here goes--

interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-4,10,1002-1005
 switchport mode trunk
 spanning-tree portfast
 no cdp enable
!
Then the corisponding ports for that vlan.
interface FastEthernet0/22
 switchport access vlan 10
 spanning-tree portfast
 no cdp enable
!
Now for the OpenBSD configs...
ifconfig vlan0 192.168.2.1 vlan 10 vlandev fxp1
or edit /etc/hostname.vlan0 and put in
192.168.2.1 vlan 10 vlandev fxp1
Then add vlan0 to your /etc/dhcpd.interfaces file and then add that network to your /etc/dhcpd.conf file. Also add it to /etc/pf.conf for what you want that vlan to have access to.

The reason I wanted to do this is that I have a small PC (only one PCI slot) and wanted physical seperation between networks. I live in a 4-plex and I give my neighbors internet access. Now I can control what servers (if any) they have access to. This is very simple, but I didn't find a lot of documentation on it, so I hope this helps people in future setups.

The funny thing about this is that I remember when only really expensive equipment could do this type of setup.

Have fun! David"

Thanks for the tip, David! Always good to show people how to use OpenBSD features.

(Comments are closed)


Comments
  1. By djm () on

    Make sure you read http://www.sans.org/rr/switchednet/switch_security.php

    It may also be worthwhile to track -current as there have been some VLAN bugs fixed recently.

    Comments
    1. By David () dave@nospam.drstrangelove.net on mailto:dave@nospam.drstrangelove.net

      Indeed be careful!

      Several things that could help is create access lists for the icky "telnet" ports, and shut off the webserver and the snmp server.

      You can do so by doing...

      ip telnet source-interface vlan4
      no ip http server
      no snmp-server

      line vty 0 4
      access-class 10 in
      access-class 1 out

      access-list 1 deny any
      access-list 10 permit 10.0.0.30
      access-list 10 deny any

      I will have to do some stress testing to see if the switch will drop the structure of the Vlans when pounded on, as I am thinking about doing this for DefCon...

  2. By iGsys (80.229.197.105) on

    This is just what i have been looking for, for the last 2 hours, thanks.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]