configure a FreeBSD machine to do VLAN tagging
Posted on 2007-04-14 15:41

This HowTo covers how to set up and configure a FreeBSD machine to do VLAN tagging (802.1q) as well as rate limiting through the DUMMYNET interfaces for the VLAN enabled ports. We will also cover configuration of the VLAN ports on a Cisco 2924-EN-XL 24 port switch for use with the FreeBSD machine.
VLAN tagging allows a VLAN enabled machine to communicate with a VLAN enabled network device to allow each port on the network device to be controlled directly from the machine, for the purpose of firewalling as well as rate limit and other functionality.
Make sure you have a machine with enough power to handle the traffic of the VLANs. We are using a P4 1.4 GHz with 512MB of RAM and two Intel EtherExpress Pro 10/100 cards. You need two cards for the setup. One card is connected to your upstream switch and the other is connected to the VLAN enabled device.
We are starting with a basic installation of FreeBSD. If you are not sure how to install FreeBSD please refer to the FreeBSD installation HowTo.
1) We will first need to make some modifications to the GENERIC kernel to add the needed functionality to our server.
cd /usr/src/sys/i386/conf
cp GENERIC vlan (you can use any name you want here, but make sure you remember it)
Now edit the vlan file and remove the unnecessary options. Some of the more common options that I remove every time I recompile a kernel are:
cpu I386_CPU
cpu I486_CPU
cpu I586_CPU (none of these are needed unless you are compiling for a system running an older processor, most modern processors are I686.)
Modify the ident name to something that identifies the kernel or the server. I normally use the hostname.
ident vlan
options MATH_EMULATE (again… only needed if you are using a VERY old processor)
options INET6 (I don’t use IPV6, just because I am not ready to implement it yet)
device eisa (I remove this, because I can’t tell you the last time I saw an EISA board)
I remove other options that you might need (usb, scsi raid arrays, etc) so you will need to understand what configuration you have and what devices you are going to be using.
Be sure to leave:
device miibus
device fxp (These two devices will allow us to use the Intel based network cards that we will need for VLANs. Other NICs are capable of VLANs as well, but we only use Intels as a matter of choice and convenience.)
The Intel GigE cards (em) also support VLANs. Both Intel cards also support device polling, which will be needed as the load through the VLAN server increases: without it you will quickly max out the CPU due to IRQ context switches. (More to follow on how to set that up.)
2) Now we have to add the kernel options that are needed to do rate limiting as well as firewalling.
options DUMMYNET (this enables the interface to allow rate limiting)
options HZ=1000 (this increases the sampling rate of the Real Time Clock allowing better responsiveness of the computer for rate limiting and firewall functions)
options BRIDGE
options ICMP_BANDLIM (this allows you to rate limit ICMP traffic as well)
options IPSTEALTH (this does not increment the TTL counter, making the VLAN machine seem transparent)
options IPFIREWALL (this is needed to allow the DUMMYNET interface)
options IPFIREWALL_VERBOSE (allows verbose logging of ipfirewall rules)
options IPFIREWALL_DEFAULT_TO_ACCEPT (this sets the last rule in ipfw to allow all packets through. I chose this option to allow the greatest level of configurability on our firewall; you might want to leave it off if you want to only allow certain traffic. We want to allow all traffic and only block the specific troublesome traffic.)
pseudo-device vlan 1 (this pseudo device allows you to create vlan interfaces in ifconfig. Each vlan interface will correspond with a port on the cisco switch. We use the number 1 since we are only going to clone the interfaces from another interface. You can also increase this number to the number of vlan ports you will be controlling on the switch if you choose, but that tends to clutter the ifconfig print out and I hate clutter.)
3) Now that the kernel configuration file is completed we can compile the kernel.
cd /usr/src
make buildkernel KERNCONF=vlan (put your config file from step one here)
Once that is complete we can install the new kernel.
make installkernel KERNCONF=vlan
4) Reboot the machine to load the new kernel. If everything is working correctly, you should see in your ifconfig -a a vlan0 interface with no details.
5) Now we need to configure the /etc/rc.conf to load our vlan interfaces on boot up, as well as configuring the underlying interfaces.
vi /etc/rc.conf
You will want to add the following lines:
gateway_enable="YES" (This option allows packets to be passed between the interfaces on the machine fxp0 fxp1)
defaultrouter="192.168.1.1" (Set this to your gateway to the internet)
cloned_interfaces="vlan0 vlan1 vlan2 vlan3" (This line tells FreeBSD which devices it needs to create as pseudo devices ie: devices that are not physically attached to the machine, but rather exist as virtual devices.)
ifconfig_fxp0="inet 192.168.1.2 netmask 255.255.255.0" (This is your interface to the upstream switch and the internet. Make sure you setup this device as you normally would.)
ifconfig_fxp1="up" (It is very important to mark the device you are cloning from as up, if it is not marked as up, then none of your cloned devices will be up either. Since all the vlan devices are cloned from fxp1, we need to mark it as up and running.)
ifconfig_vlan0="inet 192.168.1.193 netmask 255.255.255.248 vlan 101 vlandev fxp1" (This line configures the vlan interface with an IP address. Each interface must have an IP address. The vlan directive tells the interface which vlan on the Cisco switch it is controlling; this will be defined in the Cisco section of the HowTo. Finally we have to tell it what device we are creating the clone from. We use fxp1, since that is the interface we are using to connect to the Cisco switch.)
ifconfig_vlan1="inet 192.168.1.201 netmask 255.255.255.248 vlan 102 vlandev fxp1"
ifconfig_vlan2="inet 192.168.1.209 netmask 255.255.255.248 vlan 103 vlandev fxp1"
ifconfig_vlan3="inet 192.168.1.217 netmask 255.255.255.248 vlan 104 vlandev fxp1"
Once you have those settings in the rc.conf go ahead and save it and reboot the machine. Once the machine has finished rebooting, an ifconfig -a will confirm the settings you put in the rc.conf are correct and working. You should see:
fxp0: flags=8843 mtu 1500
        inet 192.168.1.2 netmask 0xffffffe0 broadcast 198.77.239.127
        ether 00:a0:c9:98:57:7d
        media: Ethernet autoselect (100baseTX )
        status: active
fxp1: flags=8843 mtu 1500
        ether 00:a0:c9:8f:e3:c5
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
vlan0: flags=8843 mtu 1500
        inet 192.168.1.193 netmask 0xfffffff8 broadcast 192.168.1.199
        ether 00:a0:c9:8f:e3:c5
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 101 parent interface: fxp1
vlan1: flags=8843 mtu 1500
        inet 192.168.1.201 netmask 0xfffffff8 broadcast 192.168.1.207
        ether 00:a0:c9:8f:e3:c5
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 102 parent interface: fxp1
vlan2: flags=8843 mtu 1500
        inet 192.168.1.209 netmask 0xfffffff8 broadcast 192.168.1.215
        ether 00:a0:c9:8f:e3:c5
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 103 parent interface: fxp1
vlan3: flags=8843 mtu 1500
        inet 192.168.1.217 netmask 0xfffffff8 broadcast 192.168.1.223
        ether 00:a0:c9:8f:e3:c5
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 104 parent interface: fxp1
6) We now have to configure the Cisco Switch to know which ports are assigned to which vlans.
Open a session to the Cisco switch and enter the enable mode.
I configure port 24 on the switch to be the VLAN uplink port, because it allows me to maintain a proper relationship between the VLAN numbers and the physical port numbers. You might choose to do it differently. The choice is yours.
switch# config t
switch(config)# int fa0/24
switch(config-if)# description 802.1Q Trunk to FreeBSD Machine
switch(config-if)# speed 100
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport trunk allowed vlan 101-123
switch(config-if)# exit
switch(config)# exit
switch# wr mem
This will configure the uplink port from your FreeBSD machine to know that it is a VLAN trunk to the other 23 ports on the switch. You must now configure the 23 ports to be members of a specific VLAN.
switch# config t
switch(config)# int fa0/1
switch(config-if)# description Port 1 VLAN 101
switch(config-if)# switchport access vlan 101
switch(config-if)# no cdp enable
switch(config-if)# exit
switch(config)# exit
switch# wr mem
You will need to repeat this for each port you want vlans enabled on. You can also have multiple ports on the same VLAN. That will allow you to have several computers connected to the switch that are owned by one customer. You can then throttle bandwidth for all that customer’s computers.
7) Now that we have our vlans enabled and everything is communicating correctly, we will want to limit the amount of bandwidth each port will get via the DUMMYNET configuration.
Add the following to rc.local. You can add them to any startup script you like, but I prefer rc.local.
ipfw add pipe 1 ip from any to any via vlan0
ipfw pipe 1 config bw 0
This will configure the rate limit pipe, but set it to unlimited. It is one less step to do when you need to limit a user's bandwidth quickly.
You can set the bw number to a bunch of different values; man ipfw will explain them more in depth for you.
8) On the clients connected to the vlan ports, you only need to be sure that you set your default gateway to the IP address on the vlan interface.
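The step 7 pipe setup generalised to every vlan interface from step 5, as an added example that is not part of the original HowTo: one dummynet pipe per vlan interface (vlan0 gets pipe 1, vlan1 pipe 2, and so on, a numbering chosen here, not dictated by ipfw), created unlimited as the HowTo suggests, plus a helper to throttle one customer's VLAN later. The IPFW variable is an assumption of this script; it defaults to a dry run that only prints the commands, and IPFW=ipfw applies them on the FreeBSD box.

```shell
#!/bin/sh
# Added example, not from the original HowTo. IPFW defaults to a dry run
# (prints the ipfw commands); set IPFW=ipfw on the VLAN box to apply them.
IPFW="${IPFW:-echo ipfw}"

# The vlan interfaces configured in rc.conf in step 5 (constructed list).
VLAN_IFACES="vlan0 vlan1 vlan2 vlan3"

# pipe_for IFACE -> pipe number: interface index + 1 (vlan2 -> 3).
pipe_for() {
    n=${1#vlan}
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    echo $((n + 1))
}

# valid_bw BW -> true for ipfw bandwidth syntax: a number optionally
# followed by bit/s, Kbit/s, Mbit/s, Byte/s, KByte/s or MByte/s (0 = unlimited).
valid_bw() {
    case "$1" in ''|*[!0-9A-Za-z/]*) return 1 ;; esac
    unit=$(printf '%s' "$1" | sed 's/^[0-9]*//')
    case "$unit" in
        ''|bit/s|Kbit/s|Mbit/s|Byte/s|KByte/s|MByte/s) return 0 ;;
        *) return 1 ;;
    esac
}

# pipe_rules IFACE BW -> the two rc.local lines from step 7 for IFACE.
# "via" matches both directions, so one pipe caps all traffic of that port.
pipe_rules() {
    p=$(pipe_for "$1") || return 1
    valid_bw "$2" || return 1
    printf 'ipfw add pipe %s ip from any to any via %s\n' "$p" "$1"
    printf 'ipfw pipe %s config bw %s\n' "$p" "$2"
}

# limit_vlan IFACE BW -> reconfigure the existing pipe (the quick throttle).
limit_vlan() {
    p=$(pipe_for "$1") || return 1
    valid_bw "$2" || return 1
    $IPFW pipe "$p" config bw "$2"
}

# Initial setup for rc.local: one unlimited pipe per vlan interface.
for i in $VLAN_IFACES; do
    $IPFW add pipe "$(pipe_for "$i")" ip from any to any via "$i"
    $IPFW pipe "$(pipe_for "$i")" config bw 0
done
```

Running `limit_vlan vlan1 512Kbit/s` then caps the customer on VLAN 102 without adding any new rule.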


This article is from the ChinaUnix blog; to see the original, go to: http://blog.chinaunix.net/u/10352/showart_277863.html