Contributed by jose on from the management- dept.
"This is just a quick note/tutorial on using OpenBSD with 802.1q. I have an OpenBSD 3.1 firewall, the external port plugged into a VLAN that is not on a trunk port, and the internal interface plugged into a trunk port. Here are the configs for my Cisco Catalyst 2924. Keep in mind that 802.1q only works on the "Enterprise" load with 8 megs of memory, found this out the hard way by first getting a really old but cheap Catalyst (around $300).

Thanks for the tip, David! Always good to show people how to use OpenBSD features. So here goes--

    interface FastEthernet0/6
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1-4,10,1002-1005
     switchport mode trunk
     spanning-tree portfast
     no cdp enable
    !

Then the corresponding ports for that vlan.

    interface FastEthernet0/22
     switchport access vlan 10
     spanning-tree portfast
     no cdp enable
    !

Now for the OpenBSD configs...

    ifconfig vlan0 192.168.2.1 vlan 10 vlandev fxp1

or edit /etc/hostname.vlan0 and put in

    192.168.2.1 vlan 10 vlandev fxp1

Then add vlan0 to your /etc/dhcpd.interfaces file and then add that network to your /etc/dhcpd.conf file. Also add it to /etc/pf.conf for what you want that vlan to have access to.

The reason I wanted to do this is that I have a small PC (only one PCI slot) and wanted physical separation between networks. I live in a 4-plex and I give my neighbors internet access. Now I can control what servers (if any) they have access to. This is very simple, but I didn't find a lot of documentation on it, so I hope this helps people in future setups.

The funny thing about this is that I remember when only really expensive equipment could do this type of setup.

Have fun! David"
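The post stops at "add it to /etc/pf.conf for what you want that vlan to have access to". The script below is an added example, not part of David's post or of OpenBSD: it stages the OpenBSD side of the setup (the hostname.vlan0 line in the form the post uses, the dhcpd.interfaces entry, and a pf ruleset for the neighbor VLAN) under a scratch directory so it can be run and read offline. The tag, parent interface and address come from the post; the internal LAN 192.168.1.0/24 is an assumed value, and the pf rules are written in the classic last-match-wins style with `quick` on the rules that must stick, so check them against your pf version with `pfctl -nf` before moving them into /etc.

```shell
#!/bin/sh
# Added example, not from David's post: stage the OpenBSD config for a tagged
# "neighbor" VLAN on the trunk interface plus a pf ruleset that lets that VLAN
# reach only the firewall's DHCP/DNS and the internet, never the internal LAN.
# Files go under $STAGE, not /etc, so this can be run and inspected offline.

STAGE="${STAGE:-$(mktemp -d)}"
VLAN_TAG=10            # tag from the post
PARENT_IF=fxp1         # interface plugged into the trunk port
NBR_IF=vlan0
NBR_ADDR=192.168.2.1   # firewall's address on the neighbor VLAN
NBR_NET=192.168.2.0/24
INT_NET=192.168.1.0/24 # assumed internal LAN that neighbors must not reach

# Print the /etc/hostname.vlanN line in the form the post uses; refuse tags
# outside the 802.1q range 1-4094 (0 and 4095 are reserved).
vlan_hostname_line() {
  tag=$1; parent=$2; addr=$3
  case $tag in ''|*[!0-9]*) echo "bad vlan tag: $tag" >&2; return 1 ;; esac
  if [ "$tag" -lt 1 ] || [ "$tag" -gt 4094 ]; then
    echo "vlan tag out of range (1-4094): $tag" >&2; return 1
  fi
  printf '%s vlan %s vlandev %s\n' "$addr" "$tag" "$parent"
}

# pf rules for the neighbor VLAN. Classic pf is last-match-wins, so every
# rule that must win carries "quick"; the final pass is the catch-all.
pf_neighbor_rules() {
  nbr_if=$1; nbr_net=$2; nbr_addr=$3; int_net=$4
  cat <<EOF
# neighbor VLAN: default deny inbound on $nbr_if
block in on $nbr_if all
# DHCP (broadcast) and DNS to the firewall itself
pass in quick on $nbr_if inet proto udp from any to any port 67
pass in quick on $nbr_if inet proto udp from $nbr_net to $nbr_addr port 53
pass in quick on $nbr_if inet proto tcp from $nbr_net to $nbr_addr port 53
# nothing else to the firewall, and nothing at all to the internal LAN
block in quick on $nbr_if from $nbr_net to $nbr_addr
block in quick on $nbr_if from $nbr_net to $int_net
# everything else from the neighbor net may leave for the internet
pass in on $nbr_if from $nbr_net to any keep state
EOF
}

# Write the three files the post mentions into the staging tree.
stage_configs() {
  mkdir -p "$STAGE/etc"
  vlan_hostname_line "$VLAN_TAG" "$PARENT_IF" "$NBR_ADDR" > "$STAGE/etc/hostname.$NBR_IF"
  pf_neighbor_rules "$NBR_IF" "$NBR_NET" "$NBR_ADDR" "$INT_NET" > "$STAGE/etc/pf.conf.neighbor"
  echo "$NBR_IF" > "$STAGE/etc/dhcpd.interfaces"   # dhcpd must listen here too
}

stage_configs
echo "staged under $STAGE"
cat "$STAGE/etc/hostname.$NBR_IF"
```

Review the staged pf.conf.neighbor with `pfctl -nf $STAGE/etc/pf.conf.neighbor` on the firewall before merging it into the live ruleset; the two `block in quick` lines are what keep the neighbors off the internal LAN even though the last rule passes everything else.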
By djm () on
It may also be worthwhile to track -current as there have been some VLAN bugs fixed recently.
Comments
By David (dave@nospam.drstrangelove.net) on
Several things that could help are creating access lists for the icky "telnet" ports, and shutting off the webserver and the snmp server.
You can do so by doing...

    ip telnet source-interface vlan4
    no ip http server
    no snmp-server
    line vty 0 4
    access-class 10 in
    access-class 1 out
    access-list 1 deny any
    access-list 10 permit 10.0.0.30
    access-list 10 deny any
I will have to do some stress testing to see if the switch will drop the structure of the Vlans when pounded on, as I am thinking about doing this for DefCon...
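A quick way to check whether a switch actually has the hardening from the comment above is to audit its saved configuration. The script below is an added example, not part of David's comment or any Cisco tool: it reads a "show running-config" dump from a file and reports the HTTP server still being on, SNMP still configured, vty lines without an inbound access-class, and trunk ports that still run CDP. The configuration it audits is constructed inline for the example.

```shell
#!/bin/sh
# Added example, not from David's comment: audit a saved IOS config for the
# management hardening listed above. The sample config is constructed here;
# point the functions at saved "show run" output to check a real switch.

SAMPLE_CFG="${TMPDIR:-/tmp}/ios_sample.$$"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
ip http server
snmp-server community public RO
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
!
interface FastEthernet0/7
 switchport mode trunk
!
line vty 0 4
 access-class 10 in
 login
!
access-list 10 permit 10.0.0.30
access-list 10 deny any
EOF

# Print one finding per line; prints nothing when the config is clean.
audit_ios_config() {
  cfg=$1
  grep -qE '^ip http server' "$cfg" && echo "HTTP server enabled (fix: no ip http server)"
  grep -qE '^snmp-server' "$cfg" && echo "SNMP agent configured (fix: no snmp-server)"
  # vty lines need an inbound access-class, otherwise anyone who can reach
  # the management address gets a login prompt
  awk '
    /^line vty/ { invty = 1; next }
    /^line / || /^!/ { invty = 0 }
    invty && /access-class [0-9]+ in/ { ok = 1 }
    END { if (!ok) print "vty lines have no inbound access-class (fix: access-class N in)" }
  ' "$cfg"
  # trunk ports should not advertise CDP to whatever is plugged into them
  awk '
    function flush() { if (name != "" && trunk && !nocdp) print "trunk " name " still runs CDP (fix: no cdp enable)" }
    /^interface / { flush(); name = $2; trunk = 0; nocdp = 0; next }
    /^!/ { flush(); name = "" }
    /switchport mode trunk/ { trunk = 1 }
    /no cdp enable/ { nocdp = 1 }
    END { flush() }
  ' "$cfg"
  return 0
}

# Number of findings, for use in scripts (0 means clean).
finding_count() {
  audit_ios_config "$1" | wc -l | tr -d ' '
}

audit_ios_config "$SAMPLE_CFG"
echo "findings: $(finding_count "$SAMPLE_CFG")"
```

On the sample config this reports three findings (HTTP on, SNMP configured, and FastEthernet0/7 trunking with CDP still enabled); FastEthernet0/6 and the vty lines pass because they already carry the lines from the comment.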
By iGsys (80.229.197.105) on