How to nat between vlans spanning multiple switches using your FreeBSD box

VLAN across multiple switches

I have two Cisco switches set up with most ports on VLAN 1. Some machines are on VLAN 101. VLAN 101 has customers who need firewalling/NATing because they don't know how to lock down their own boxes. Some are plugged into one switch, some in the other. To get VLANs to span two switches, you need
  • to link the two switches with a crossover cable (duh) or a fiber link
  • to set the ports on each end to trunking mode
  • The 'show cdp neighbors' command shows you where you plugged the crossover cable in. Here is the output from that command and the configurations used to get the switches to trunk. (looks like the spanning-tree settings are not in sync... need to fix that!)
    gallo#show cdp neighbors 
    Device ID        Local Intrfce     Holdtme   Capability    Platform   Port ID
    burro            Gig 0/21          167         S I         WS-C2950G-Gig 0/1
    gallo#show running-config interface GigabitEthernet 0/21
    !
    interface GigabitEthernet0/21
     description To Second Floor
     switchport mode trunk
     spanning-tree portfast
    end 
    
    (now telnet to the other switch)
    
    burro#show cdp neighbors
    Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
    gallo            Gig 0/1           137          S I       WS-C2960G-Gig 0/21
    burro#show running-config interface GigabitEthernet 0/1
    !
    interface GigabitEthernet0/1
     switchport mode trunk
     no ip address
     spanning-tree link-type point-to-point
    end 
    

    Getting two VLANs out one port to your FreeBSD box

    Now, I have a FreeBSD machine plugged into port 14 on burro that I want to be a part of VLAN 1 and VLAN 101. Here is how I configured it:
    burro#show running-config interface FastEthernet 0/14
    Building configuration...
    
    Current configuration : 109 bytes
    !
    interface FastEthernet0/14
     switchport trunk allowed vlan 1,101
     switchport mode trunk
     no ip address
    end             
    
    I spent about an hour trying to do it the OLD way (switchport multi) but found that command gone on IOS 12.1. The above example is a Cisco 2950 talking to a Cisco 2960 switch.
    My older 2900XL had switchport multi... From the Cisco site: 'Configuring a switch port for multi-VLAN mode causes VTP to transition to transparent mode, which disables VTP.' By the way, VTP is cool! Manage all your VLAN definitions from one switch and have your changes show up on the other switches. So, where was I? Oh yeah, I wanted VLAN 1 and 101 traffic to go to a FreeBSD box and I don't have multi. Trunking was the answer (as shown above).

    Getting the FreeBSD box to see the trunk'd traffic

    I researched trunking, and there is this protocol called 802.1Q. Hmmm... can my FreeBSD box understand that protocol? I bet it can! Read [man vlan]. This is what I typed to see the VLAN 101 traffic on my FreeBSD box:
    /sbin/ifconfig vlan0 create vlan 101 vlandev fxp0
    /sbin/ifconfig vlan0 10.20.30.1 netmask 255.255.255.0
    # ifconfig
    fxp0: flags=8843 mtu 1500
            options=8
            inet 1.1.1.20 netmask 0xffffff00 broadcast 1.1.1.255
            inet 1.1.1.21 netmask 0xffffffff broadcast 1.1.1.21
            ether 00:10:dc:48:90:a8
            media: Ethernet autoselect (100baseTX )
            status: active
    lo0: flags=8049 mtu 16384
            inet 127.0.0.1 netmask 0xff000000 
    vlan0: flags=8843 mtu 1500
            inet 10.20.30.1 netmask 0xffffff00 broadcast 10.20.30.255
            ether 00:10:dc:48:90:a8
            media: Ethernet autoselect (100baseTX )
            status: active
            vlan: 101 parent interface: fxp0  
    
    Oooo... pretty. Did I have to run 'kldstat vlan'? ... I may have, can't remember.

    Firewalling between the VLANs

    Now that this is all set up, I can use the FreeBSD to NAT/Firewall traffic between the VLANs! That was the real reason I was mucking with all this stuff. Some customer wanted to host a Windows (hack me!!!) box, so I thought I'd give them a fighting chance by firewalling the hell out of it. Load up the ipfilter kernel module: kldload ipl
    Now, set up your ipnat rules
    Here is a simple /etc/ipnat.rules
    # inbound mappings ... web and terminal services
     rdr fxp0 1.1.1.21/32 port 80 -> 10.20.30.3 port 80 tcp
     rdr fxp0 1.1.1.21/32 port 3388 -> 10.20.30.3 port 3388 tcp
     rdr fxp0 1.1.1.21/32 port 3389 -> 10.20.30.3 port 3389 tcp
    
    # outbound
     map fxp0 10.20.30.3/32 -> 1.1.1.21/32
    
    You may want to add these to /boot/loader.conf
    if_vlan_load="YES"
    ipl_load="YES"       
    
    And, add this to your rc.conf
    cloned_interfaces="vlan0"
    ifconfig_vlan0="inet 10.20.30.1 netmask 255.255.255.0" 
    gateway_enable="YES"            # Set to YES as we will nat between vlans
    ipnat_enable="YES"              # Load up the NAT rules which ...
    ipnat_rules="/etc/ipnat.rules"  # .... are in this file
    
    And to start it all up, you can run these commands
    /etc/rc.d/routing restart   (activate the gateway_enable)
    /etc/rc.d/ipnat start       (read in the ipnat.rules file)
    ipnat -l                    (show the active ipnat rules)
    
    You should lock down the access to ports 3388 and 3389 with ipfw (or ipf).
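The lockdown the sentence above calls for, as an added example that is not part of the original page: a POSIX sh script that generates an ipf ruleset to sit beside the ipnat rdr rules (port 80 open, 3388/3389 and the box's own ssh only from an admin network) and audits any ipnat.rules file against any ipf.rules file, flagging a forwarded port that has no pass rule or that is open to "any". Interface names and addresses are the page's; ADMIN_NET (192.0.2.0/24), the function names and the extra port 5900 rdr in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: an ipf ruleset to pair with the
# page's ipnat rdr rules, plus an audit that flags forwarded ports the filter
# leaves open. ADMIN_NET is an assumed placeholder (RFC 5737 documentation range).
EXT_IF=fxp0; INT_IF=vlan0       # untagged VLAN 1 side; VLAN 101 side
NATBOX=10.20.30.1               # the FreeBSD box's own VLAN 101 address
TARGET=10.20.30.3               # the customer host behind the rdr rules
ADMIN_NET=192.0.2.0/24          # assumed: where terminal-services admins come from
# ipf applies rdr before inbound filtering, so "pass in" rules must match the
# translated destination ($TARGET), not the public alias 1.1.1.21.
gen_ipf_rules() {
cat <<EOF
pass in quick on $EXT_IF proto tcp from any to $TARGET port = 80 flags S keep state
pass in quick on $EXT_IF proto tcp from $ADMIN_NET to $TARGET port = 3388 flags S keep state
pass in quick on $EXT_IF proto tcp from $ADMIN_NET to $TARGET port = 3389 flags S keep state
pass in quick on $EXT_IF proto tcp from $ADMIN_NET to 1.1.1.20 port = 22 flags S keep state
block in log quick on $EXT_IF all
block in log quick on $INT_IF from any to $NATBOX
pass in quick on $INT_IF from $TARGET to any keep state
block in log quick on $INT_IF all
pass out quick on $EXT_IF all keep state
EOF
}

# Every port rdr'd on EXT_IF needs a "pass in" rule on EXT_IF, and only port
# 80 may be open to "any". Prints "<port> unfiltered" or "<port> open-to-any".
audit_rdr_vs_ipf() {   # $1 = ipnat.rules path, $2 = ipf.rules path
awk -v ext="$EXT_IF" -v ipf="$2" '
BEGIN { while ((getline l < ipf) > 0) {
    if (l !~ ("^pass in .* on " ext " ")) continue
    n = split(l, f, " "); src = "any"; p = ""
    for (i = 1; i < n; i++) { if (f[i] == "from") src = f[i+1]
                              if (f[i] == "port" && f[i+1] == "=") p = f[i+2] }
    if (p != "") seen[p] = src } }
$1 == "rdr" && $2 == ext {
    p = ""; for (i = 3; i < NF; i++) if ($i == "port") { p = $(i+1); break }
    if (p == "") next
    if (!(p in seen)) print p " unfiltered"
    else if (seen[p] == "any" && p != "80") print p " open-to-any" }
' "$1"
}
# Demo: the page's three rdr rules plus one constructed extra (VNC on 5900)
# with no matching pass rule; the audit should report "5900 unfiltered".
run_audit_demo() {
d=$(mktemp -d); gen_ipf_rules > "$d/ipf.rules"
printf "rdr $EXT_IF 1.1.1.21/32 port %s -> $TARGET port %s tcp\n" \
    80 80 3388 3388 3389 3389 5900 5900 > "$d/ipnat.rules"
audit_rdr_vs_ipf "$d/ipnat.rules" "$d/ipf.rules"; rm -rf "$d"
}
```

Run `gen_ipf_rules > /etc/ipf.rules` and check it with `ipf -nf /etc/ipf.rules` before loading; the audit is meant to be re-run whenever a new rdr line is added to /etc/ipnat.rules.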

    Trunking between a Cisco 2900XL and a 2950 or 2960

    Note: I have a 3rd (and a 4th and 5th, but no need to confuse the example) switch plugged into the network. It is a Cisco 2900AXL. I was desperately trying to get VTP to talk to that switch and couldn't get it to work. The commands looked so easy on the Cisco site on the VLAN and VTP pages... Upon reading up on trunking, it seems like either
  • this tech note applies: 'If you want to establish a trunk between a switch that supports DTP and one that does not support DTP, use the nonegotiate keyword on the DTP-capable device. Use of this keyword causes the port to become a trunk but not generate DTP frames.'
  • or maybe the Cisco 2900 defaulted to ISL (a Cisco-proprietary trunking encapsulation) and the newer Cisco 2960 to 802.1Q (an industry-standard trunking encapsulation)
  • I'll figure that out next week.

    - Rudy
    Sat Jun 3 01:49:23 PDT 2006
    Machine had OS version: FreeBSD 5.5