Ethernet networks can be partitioned into multiple distinct broadcast domains using VLANs. VLAN domains are mutually isolated. Whenever a hosts in one VLAN domain needs to communicate with a hosts in another VLAN domain, the traffic must be routed between the two domains. This is known as inter-VLAN routing.
This document provides a VLAN configuration example for a small network split into two separate VLAN domains: SALES and ENGINEERING. The backbone consists of two VLAN bridges connected by a VLAN trunk. I will use a Linux-based router, RCPlive, connected to the trunk to provide routing between the two VLAN domains and the outside world. On the router I will also enable a number of services such as DHCP and stateful firewall.
RCPlive is a free, open source router live CD based on Debian 7 and RCP100 routing suite. With an ISO image size of about 50MB, RCPlive is a flexible firewalling and routing platform. It is configured using a command line interface (CLI) syntax similar to the one found in commercial routers.
The software runs directly from a read-only CD or USB stick, and it provides persistence by saving the configuration into a file placed on an existing disk partition.
RCPlive supports layer 3 VLAN interfaces. These interfaces act as any other layer 3 interface and participate in routing. All normal routing features and services are available on VLAN interfaces.
On each backbone bridge, VLANs are defined on a port by port basis. Depending where is connected, a port can be either an access port or a trunk port.
Access ports are attached to end user workstations or servers, and they belong to one and only one VLAN. VLAN tagging takes place inside the bridge, as a result the traffic on the link is normal Ethernet non-VLAN traffic.
Traffic for multiple VLANs is multiplexed over trunk links. Trunk links are used to interconnect bridges and VLAN-aware routers.
The configuration consist of going through each bridge port and setting it up as an access port or a trunk port. I set ENGINEERING ports on VLAN ID 10, and SALES ports on VLAN ID 20. More likely, the configuration is entered using CLI, although some manufacturers also provide a web-based configurator.
Basic router configuration
RCPlive runs from a bootable CD or USB stick, as such there isn’t any disk to partition and format. First boot on RCPlive media, persistence is configured by running persist.sh script. The process is simple and straightforward.
It is advisable to change the default passwords for administrator account and web-based configurator. Additional administrator accounts can also be created. From computer console I log in as user rcp, password rpc, then I go into configuration mode and change the passwords:
User: rcp Password: rcp>en rcp#configure rcp(config)#administrator rcp password a-secret-password rcp(config)#service http password another-secret-password
Passwords are saved as a hash in the running or startup configuration:
rcp(config)#show running-config ... service http encrypted password VWYBTYPF$00d01c8d3151b2a3eb18746903a8e7a7 administrator rcp encrypted password OGAVBTMH$x.hn.WDEufzIRIdHH.39b1 ...
The next step is to configure the outside interface eth0, the default gateway address and name servers:
rcp(config)#interface ethernet eth0 rcp(config-if eth0)#ip address 192.168.1.1/24 rcp(config-if eth0)#no shutdown rcp(config-if eth0)#exit rcp(config)#ip default-gateway 192.168.1.15 rcp(config)#ip name-server 220.127.116.11 rcp(config)#ip name-server 18.104.22.168
In this moment we should be able to go on the Internet:
rcp(config)#ping google.com PING google.com (22.214.171.124) 56(84) bytes of data. 64 bytes from iad23s06-in-f1.1e100.net (126.96.36.199): icmp_req=1 ttl=53 time=57.0 ms 64 bytes from iad23s06-in-f1.1e100.net (188.8.131.52): icmp_req=2 ttl=53 time=60.2 ms 64 bytes from iad23s06-in-f1.1e100.net (184.108.40.206): icmp_req=3 ttl=53 time=56.6 ms 64 bytes from iad23s06-in-f1.1e100.net (220.127.116.11): icmp_req=4 ttl=53 time=57.6 ms 64 bytes from iad23s06-in-f1.1e100.net (18.104.22.168): icmp_req=5 ttl=53 time=57.7 ms --- google.com ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4006ms rtt min/avg/max/mdev = 56.655/57.863/60.241/1.264 ms rcp(config)#