VLAN Management 101

Captions
[Music] Hello, this is Scott, and welcome back to the channel. Today we want to talk a little bit about VLAN Management 101. I've been talking about VLANs in connection with LXD containers for the past couple of videos, and I want to take a little bit of a step back here. Virtual LANs, or VLANs, are very powerful on a managed network. I've been focusing on these container profiles to set the VLAN on containers, and it's time to take a step back and consider VLANs overall. Virtual machines and bare-metal machines can also communicate on VLANs. By default, all the server instances communicate on an untagged VLAN on your network if you don't do anything special.

So, to review: VLANs are virtual LANs, and they provide a means to run multiple isolated networks on the same physical cable. Your default LAN is called the untagged LAN because it does not have a VLAN number. Each tagged VLAN is identified by a VLAN number, has a unique address range, and optionally has its own DHCP server. VLANs are created on a managed switch and a managed router that both support 802.1Q, and VLANs help isolate traffic, which helps with security and performance.

On this channel I frequently use Ubiquiti UniFi routers and QNAP NASes as a starting point, but certainly this works on other routers and other hosts that you would host on. Ubiquiti routers allow the creation of VLANs, and here's an example of the Networks screen where I would add a network. You can see I've called this new network, or VLAN, "test vlan". We know it's a VLAN because I've specified VLAN 100, so I'm creating VLAN 100 from scratch. The address range is going to be 192.168.100.0 with a subnet mask of /24, and 192.168.100.1 is the gateway address, which is the address of the router's interface on that network in order to get out to the internet. And then finally the DHCP address range: we have a network address range, we have a DHCP server, and we have a DHCP address range. So it looks like a regular network, but it's a VLAN, VLAN 100.

Then we have the concept of port profiles on managed switches. A managed switch port defaults to the port profile "All", and that basically means that a connected host can connect to any defined VLAN on your network. Even if you have 10 VLANs on your network, a host on a port configured with the All profile connects to the untagged VLAN by default. There's also a switch port profile called "Disabled", and if you set it, it won't allow any type of connection. So if you wanted to secure a port, let's say you had a port in an outside area and it wasn't used very often, you might want to set that port to Disabled, because that won't allow anybody to connect to it. And you can create custom port profiles to define a group of VLANs to which a particular switch port is authorized to make a connection. If you define one tagged VLAN on a switch port, the connected host will only be able to connect to that VLAN; it actually will act as though your default VLAN is that VLAN, and you'll be granted an address on that specified VLAN. So that's a point to consider.

So then we have a look at switch profiles. Looking at this Ubiquiti US-24 switch, there's a port here that's hosting a Chamberlain garage door bridge, and it happens to be on my network VLAN called "ATF Corral", which is VLAN 30, and that's my IoT network. Then down here I have the hallway access point, and of course, since it's a wireless access point, it's on profile All, because we want to allow connections to all VLANs to occur from the access point, depending upon which SSID the user has connected to.

VLAN profile management works like this: you can go into Profiles under Settings, and you can see the All profile, which is a default profile, and then you'll get a profile for each VLAN that you create. And there's the Disabled profile; I didn't highlight it, but there it is. And then you can also create some custom... not custom VLANs, but custom VLAN port profiles. Here's an example of one where I have my DMZ network and my lab network as a port profile, so on that particular port those are the two VLANs to which a connection could be made.

So we want to create a custom VLAN profile. Well, you go down to Profiles, you act like you're going to create a new one (here's the example of the DMZ and labnet profile that we just mentioned), and it will list all of the tagged VLANs down here that you may have created on your network. You put a check next to the ones that you want to include for that port, and that's all there is to it.

All right, so, creating VLANs. You can create VLANs for traffic that you want to isolate, for either security reasons or perhaps performance reasons. So, create an IoT VLAN; mine's called ATF Corral, and I put my devices like my Rokus, my Fire TV Sticks, my smart TVs, my smart speakers, cameras, and other aftermarket smart home devices on that particular VLAN. Then you want to create a VLAN for your hosted server instances. Well, since this channel is all about self-hosting, I created a VLAN called "cloud dmz", and it basically hosts my web server, Discourse server, Rocket.Chat, Jitsi, and lots of the other services that I feature on this channel. Then I created a guest VLAN where your guests can use the internet but can't access your local area network. I also have a VLAN called labnet, and labnet is designed just so that I can do some testing. And I also have a VLAN called "atf dmz", which is an isolated network that I use to connect site-to-site VPNs without connecting them to my main network, and also to avoid any address conflicts, since when you connect on a site-to-site VPN you have to have a unique address range on the LAN on either side.

So you can also create VLAN SSIDs. If you go down to Wireless Networks and you go to create a new SSID, you can name it anything you want; you enable it, of course, and you can specify WPA Personal, WPA Enterprise, whatever you want to do as far as security. But down under Network, where it says "select network", it'll actually give you a list of all of your VLANs, and if you select that particular VLAN, then when people connect to that wireless SSID they'll actually be on that VLAN.

OK, so what are VLAN best practices? Well, VLANs use the private address ranges, just like your router's NAT would on your local network: the private address ranges in the 10 range, in the 172.16 range (actually 172.16.0.0 to 172..., because that's the range), and anything in the 192.168 range. Those probably look familiar; my main network is at 192.168.x. Then you want to create VLANs of the form where VLAN 20 might have the address range 192.168.20.something, whereas VLAN 50 might have the range 192.168.50.something. That's just a good way to make your VLANs and your network address ranges self-documenting.

Then you want to create LAN In router rules to control your VLAN traffic. A good thing to do is to allow all traffic to pass from your main LAN to other VLANs, and to allow established and related sessions, but to not allow other VLANs to initiate new communication back to your main LAN. Of course that's optional; you can create any rules that you want.

So how do hosts use VLANs? Well, if a switch port is set specifically to a tagged VLAN, the host has no idea it's talking to a VLAN; it'll simply connect and get an address in that VLAN's range. But if a switch port is set to profile All, or it's set to a custom port profile where there are multiple VLANs, the host system needs to specify on which VLAN to communicate; otherwise, if the untagged VLAN is available, that will be the one it connects to by default. In previous videos we talked about LXD containers using LXD profiles to define VLAN communication, but bare-metal and virtual machines require a netplan YAML file to create a VLAN adapter in the OS that communicates with the selected VLAN. So we're going to look at the basics of using netplan to communicate with VLANs today.

OK, so here we are at the command prompt on my local machine, and I'm going to SSH over to a virtual machine that I've created. This virtual machine is an Ubuntu 20.04.3 server, so not a desktop instance but a server instance. In this particular case it gained an address via DHCP at 172.16.1.17. You can go out on your network and define a DHCP address reservation, and that way the machine that boots up with DHCP will always get the same address, and that's kind of what I prefer to do most of the time. But some people are interested in how to statically address machines, so just for fun we're going to go ahead and go over to /etc/netplan, which is where the netplan tool puts its configuration files. The netplan tool is the thing that lets you configure your network adapters. By default, and this file may be called several different things, there'll be a YAML file over here or somewhere that's the startup for your network, and you're going to go over and edit that startup file. I'm going to do a sudo nano, and I'm just going to pick this up, because I can't type: copy that, paste it over here.

So YAML files are these formatted files. By the way, YAML stands for "yet another markup language", or some people argue that it's not a markup language, so its real acronym is "YAML ain't a markup language". Anyway, what's really important about YAML files is that you always have to use spaces; you can't use any tab characters or else you'll get a syntax error. This is a pretty default YAML file for any kind of a VM, or even a bare-metal machine you would create; it comes up and kind of looks like this. You can see here that the name of my Ethernet adapter in this case happens to be ens3. If you were starting from scratch with the YAML file and you didn't know what your adapter name was, you could certainly do an ifconfig, if you had net-tools installed, and ifconfig will list everything out. So you can see here I have my loopback adapter and I have my ens3; that just happens to be the name of the device. My network's a little different, because I have an IPv4 address, and that's all we're going to focus on today, but my main LAN also does IPv6, so there's an IPv6 global address here too, and an IPv6 link-local address, and an IPv6 anycast address. But we're not going to pay attention to that; I've got some videos on IPv6 that you can go out and watch.

OK, so going back into netplan: if I want to go ahead and make this file not DHCP, but readdress it to 172.16.1.245, let's just make sure that nothing's at that address by doing a ping 172.16.1.245. Nothing is responding, so that's a free address; we can go ahead and do that. So I'm going to come in here and I'm just going to wipe this file out, and I'm going to go ahead and copy in the configuration. I'll put these in the show notes, but basically what this says is that we're not going to use DHCP; we want to use this address, 172.16.1.245, which is on my untagged LAN, the current LAN where it has that DHCP address. I'm setting up my gateway to be 172.16.0.1, because I happen to know that's the address of my router; yours will be different, and 192.168.something is very common. And then I have listed here two name servers, separated by commas. Oh, and by the way, the gateway address really doesn't have brackets around it, but the other addresses do. I'm using Cloudflare as my default DNS, so the Cloudflare primary DNS and the Cloudflare secondary DNS.

OK, so I go ahead and save this file out, and I can do a sudo netplan apply, and it will come back... and not come back, actually, because unfortunately we have just yanked the address out from underneath it. As you recall, we were communicating at the 172.16.1.17 address, and we just changed that address to .245. So we're going to have to bring up another terminal here, and we'll go ahead and connect to .245. There's the password, I log in, and there's the test server. So that's a simple way to go ahead and change your address to a static address using netplan.

All right, so now we want to use a VLAN. Well, I have this VLAN 100 that I showed earlier in the slides, and since I have that VLAN 100, I'm going to go ahead and cd over to /etc/netplan again. I still have the same file over here, so I'm going to go edit this thing, and this time I'm going to put a completely different configuration in here, and we'll see what that is. VLAN 100, you'll remember, doesn't operate in the 172.16 address range; it operates in the 192.168.100 address range. So what we're going to do is go ahead and plug that in here. Here I'm saying ethernets, ens3, and I just have a couple of braces there, because I've discovered that that's kind of required. I'm not making any settings for this standard adapter, so I'm not changing that. But I do have a VLAN listed here, and I just decided to call it my vlan 100, so that'll be the name of it; then its VLAN ID is 100, and then it links back to the physical device ens3, and then the address is going to be 192.168.100.10, the gateway is going to be 192.168.100.1, and then again the addresses for the name servers. So I'm going to go ahead and exit out of this, and I'm going to do an ifconfig, because we have our static address now; remember, we changed our static address from the 172.16.1.17 address to the .245 address. OK, so now what we're going to do is a sudo netplan apply, and it's going to come back here, and I can't hit Enter; nothing actually happens; life is dead, so to speak. So now what I'm going to do is bring this thing back up and we're going to reconnect to it. Instead of connecting to .245, which was the new address, now we have a new address on the VLAN, and that's going to be 192.168.100.10.

And there we go; we sign on to that. Now let's do a clear, and let's do an ifconfig. ifconfig says ens3... remember I told you that this main LAN back here on ens3 has IPv6, so we have an IPv6 address, because I didn't do anything with IPv6; we're only focusing on IPv4 here. But you notice that ens3 does not have any IPv4 address, because I did not give it one, but my vlan 100 here does have an address, and it's 192.168.100.10, and that's how we connected to this server.

We're going to have a little bit more fun here, because what we're going to do now is go ahead and add another address. So now we've added a section down here for my vlan 50, and that uses VLAN ID 50, and it also links through ens3, and we have the address 192.168.50.5, and we're not specifying a gateway, because you can only have one default gateway on a machine at a time, but you can have multiple VLANs. So now we're going to go ahead and save that, do a sudo netplan apply, and then do an ifconfig. This time we have ens3, which does not have an IPv4 address, just like it didn't last time; we have vlan 100, which has the address 192.168.100.10 and is our default gateway; and we have vlan 50 now, which has 192.168.50.5 assigned to it. So if I disconnect here, I can go to 192.168.50.5, I can say yes, continue, and I can sign on, and there you go. Notice it says that the IPv4 address for my vlan 100 is 192.168.100.10, and the IPv4 address for my vlan 50 is 192.168.50.5, which is what we're connected to, and that 50 network also has IPv6 enabled on it.

So, in summary: VLAN management can improve both your security and your traffic management. Switch port profiles determine which VLANs a connected host is allowed to communicate with. LXD containers should use LXD profiles to define VLAN connectivity, but virtual machines and bare-metal servers are going to use netplan YAML files to connect to VLANs. Managed switches and routers that support 802.1Q support VLAN use and management. So that's it for today, and thanks so much for coming by. Please subscribe and like the channel; we'll see you next time. [Music] [Applause] [Music]
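The netplan file itself is not on this page (the video refers to show notes), so here is an added example, written for this summary and not taken from the video or its show notes, that reproduces the final state the walkthrough describes: the physical adapter ens3 carries no IPv4 address of its own, vlan100 gets the static address 192.168.100.10 with the default route via 192.168.100.1, and vlan50 gets 192.168.50.5 with no gateway. The interface name ens3, the VLAN IDs, the addresses and the Cloudflare resolvers (1.1.1.1 and 1.0.0.1) follow the video; the file name, the `renderer` line and the use of a `routes:` stanza instead of the older `gateway4:` key are assumptions about a current Ubuntu Server netplan.

```yaml
# /etc/netplan/01-vlans.yaml   (file name is an assumption; netplan reads every *.yaml here)
# Added example: static IPv4 on two 802.1Q sub-interfaces with netplan.
# Indent with spaces only; a tab character is a YAML syntax error.
network:
  version: 2
  renderer: networkd          # assumption: Ubuntu Server default backend (systemd-networkd)
  ethernets:
    ens3: {}                  # parent NIC: no IPv4 of its own, it only carries the tagged frames
  vlans:
    vlan100:                  # 802.1Q VLAN 100 = 192.168.100.0/24; the default route lives here
      id: 100
      link: ens3
      addresses: [192.168.100.10/24]
      routes:
        - to: 0.0.0.0/0       # same effect as the older 'gateway4: 192.168.100.1'
          via: 192.168.100.1
      nameservers:
        addresses: [1.1.1.1, 1.0.0.1]   # Cloudflare primary and secondary, as in the video
    vlan50:                   # 802.1Q VLAN 50 = 192.168.50.0/24
      id: 50
      link: ens3
      addresses: [192.168.50.5/24]
      # no route/gateway here: a host has only one default route, and it is on vlan100
```

Two practical notes. First, the video loses its SSH session twice because `netplan apply` replaces the address the session is riding on; `sudo netplan try` applies the same file but reverts it automatically after 120 seconds unless you confirm with Enter, so a mistake does not lock you out of a remote box, and `sudo netplan generate` checks the YAML for syntax errors without touching the network at all. Second, this file only works if the switch port is on the All profile or a custom profile that includes VLANs 100 and 50: on a port pinned to a single tagged VLAN the switch drops the tagged frames from these sub-interfaces, which is exactly the behaviour the port-profile section describes. `ip -d link show vlan100` confirms the sub-interface was created with `vlan protocol 802.1Q id 100`. The VLAN tagging by itself provides no isolation; the router's LAN In rules described above are what actually stop the IoT or guest networks from reaching the main LAN.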
Info
Channel: Scotti-BYTE Enterprise Consulting Services
Views: 96
Id: vRnGqqR1hAI
Length: 25min 19sec (1519 seconds)
Published: Sun Nov 21 2021