{"id":803,"date":"2013-03-11T15:22:58","date_gmt":"2013-03-11T19:22:58","guid":{"rendered":"https:\/\/infotechguy.net\/?p=803"},"modified":"2025-02-22T11:30:51","modified_gmt":"2025-02-22T16:30:51","slug":"inter-vlan-routing-with-linux-powerconnect-5324","status":"publish","type":"post","link":"https:\/\/infotechguy.net\/?p=803","title":{"rendered":"Linux — Inter-VLAN routing with PowerConnect 5324"},"content":{"rendered":"

I recently purchased a 24-port Gigabit Layer 2 Switch that supports VLAN tagging and trunking. Dell PowerConnect 5324, see here, has 24 Ethernet ports and is capable of tagging and untagging Frames at wire speed. It is a discontinued model, however doing some googling I found a updated firmware and IOS image!<\/p>\n

Physical Topology<\/h3>\n

The topology is pretty typical of “routing-on-a-stick” for Multiple VLANs. I have a Linux server running Ubuntu 12.04 with a single NIC and the Dell PowerConnect switch.<\/p>\n

Port configuration:<\/b>
\nNetwork 1 = g1 – g16
\nNetwork 2 = g17 -g23<\/p>\n

802.1q Information:<\/strong>
\nSwitch Trunk Port = g24
\nRouter Trunk Port = eth1<\/p>\n

\"\"<\/a><\/p>\n

Logical Topology<\/h3>\n

I have a single LAN I want logically separated using a single switch. The VLAN IDs are 100 & 200. The VLAN subnets and ports will be as follows;<\/p>\n

Subnets:<\/strong>
\nVLAN 100 = 192.168.1.1\/24
\nVLAN 200 = 192.168.2.1\/24<\/p>\n

VLAN Access Ports:<\/strong>
\nVLAN 100 = g1 – g16
\nVLAN 200 = g17 -g23<\/p>\n


\nNow before we continue with the configurations, I want to explain the differences between an Access Port<\/strong> and a Trunk Port<\/strong> when using VLANs. An access port is 99% of the time connected to an end user device, such as a computer, Wireless AP, etc. A trunk port, is connected between network devices and carries multiple VLAN tagged Frames. A trunk link is what makes this setup possible, carrying VLAN 100 & 200 Frames over one physical cable from the Linux Router to the Dell Switch.<\/p>\n

There is also the terminology of Tagging<\/strong> and Untagging<\/strong>. Tagging referes to the 802.1q (or Cisco’s ISL) Ethernet tagging of Frames as they enter a Access Port. Untagged is the opposite, this refers process to untagg Frames as they leave an Access Port. The tagging and untagging is VLAN ID specific, meaning you can’t tag a Frame with VLAN ID 100 and have VLAN ID 200 untag it. Also, Tagged Frames cannot be sent to end user devices, as the end user device will not know how to read the Frame. For our example, g1-g16, and g17-g23 are Access ports. Maintain these VLAN ID and Interface Port associations happens on the Switch itself, why Managed Switches are able to support VLANs and unmanaged Switches do not.<\/p>\n

When you run this command you are denoting a physical interface as an Access Port<\/strong> for VLAN 100, Frames leaving this interface will be Untagged from VLAN ID 100, and anything entering the interface tagged on VLAN ID 100.<\/p>\n

console(config-if)# switchport access vlan 100 <\/code><\/pre>\n
Here is TCPDUMP showing the 802.1q header in an Ethernet Frame:
\n\"\"<\/a><\/p>\n
For more information on VLAN tagging see here<\/a>.<\/p>\n
Configure Switch<\/h3>\n
    \n
  1. Add VLANs to VLAN Database on Switch\n
    console# configure \nconsole(config)# vlan database \nconsole(config-vlan)# vlan 100 \nconsole(config-vlan)# vlan 200\nconsole# interface range ethernet g1,g2,g3,g4,g5,g6,g7,g8,g9,g10,g11,g12,g13,g14,g15,g16\nconsole# switchport mode access\nconsole# switchport access vlan 100\nconsole# interface range ethernet g17,g18,g19,g20,g21,g22,g23\nconsole# switchport mode access\nconsole# switchport access vlan 200\n<\/pre>\n<\/li>\n
  2. Verify VLANs\n
    console# show vlan\nVlan Name Ports Type Authorization\n---- ----------------- --------------------------- ------------ -------------\n1 1 g(17-24),ch(1-8) other Required\n100 Network1 g(1-16) permanent Required\n200 Network2 permanent Required\n<\/pre>\n<\/li>\n
  3. Set IP on Network 1 (VLAN 100)\n
    console# configure\nconsole(config)# interface vlan 100\nconsole(config-if)# ip address 192.168.1.2 255.255.255.0\n<\/pre>\n<\/li>\n
  4. Lastly, set Trunk interface and the allowed VLANs to egress the Trunk link:\n
    console# configure\nconsole# interface ethernet g24\nconsole# switchport mode trunk\nconsole# (config-if)# switchport trunk allowed vlan add all\n<\/pre>\n
    NOTICE:<\/strong> The switch will spit back the current VLANs it knows about from it’s VLAN database. Therefore, if you add more VLANs to the database you will need to reissue this command to add the new VLANs to be allowed across the Trunk Link.<\/em><\/li>\n
  5. Don’t forget to save!\n
    console# copy startup-config running-config<\/pre>\n<\/li>\n<\/ol>\n
    Linux Router Configuration<\/h3>\n
      \n
    1. Install VLAN package\n
      apt-get install vlans<\/pre>\n<\/li>\n
    2. Add the 8021q module to be in the startup modules\n
      modprobe 8021q<\/pre>\n
      Add 8021q mod to the bottom of \/etc\/modules<\/p>\n
      vi \/etc\/modules\n# \/etc\/modules: kernel modules to load at boot time.\n#\n# This file contains the names of kernel modules that should be loaded\n# at boot time, one per line. Lines beginning with \"# are ignored.\n\nloop\nlp\nrtc\n8021q\n<\/pre>\n<\/li>\n
    3. Add VLANs to each Sub-Interfaces\n
      vconfig add eth1 100\nvconfig add eth1 500<\/pre>\n
      NOTICE: <\/strong>The terminal will echo a information message telling you that eth1.100 and eth1.200 have been added. Run ifconfig<\/strong> and you’ll see them.<\/em><\/li>\n
    4. Edit Network Interface Config\n
      vi \/etc\/network\/interfacesm\nauto eth1.100\niface eth1.100 inet static\n        address 192.168.1.1\n        netmask 255.255.255.0\n        network 192.168.1.0\n        broadcast 192.168.1.255\n        vlan_raw_device eth1\n\nauto eth1.200\niface eth1.200 inet static\n        address 192.168.2.1\n        netmask 255.255.255.\n        network 192.168.2.0\n        broadcast 192.168.2.255\n        vlan_raw_device eth1\n<\/pre>\n<\/li>\n
    5. If you want the two networks to talk to each other you need to enable IP forwarding on the Linux Router\n
      echo \"1\" > \/proc\/sys\/net\/ipv4\/ip_forward<\/pre>\n<\/li>\n
    6. For good measure. Restart eth1<\/strong> on the Linux Router\n
      \/etc\/init.d\/networking restart<\/pre>\n<\/li>\n<\/ol>\n
      That’s It! The Linux Router is able to communicate with the Dell switch via an 802.1q Trunk Link.<\/p>\n
      How to Test<\/h3>\n
      To test the VLANs are working and separating the Traffic based on the Access Ports, grab a Laptop and a Network cable. Configure your laptops local NIC to 192.168.1.5\/24. plug the cable into your laptop and any one of the g1-g16 ports. Try to ping another device on that network, such as 192.168.1 or .2. It works! Now lets test to make sure the VLANs are separating traffic, using the same ip of 192.168.1.5\/24 connect your laptop to any one fo the g17-g23 ports. Remember these ports are on a different LAN whos layer 3 network is 192.168.2.0\/24(this really doesn’t matter because we are dealing with Layer 2 only). Try to ping a device on the 192.168.1.0\/24 network. Hmm, doesn’t work….That’s a Good thing! The reason is the VLAN separation going on in the switch. When you tried to ping 192.168.1.1 from 192.168.1.5(laptop) an Layer 2 broadcast went out to all ports VLAN, in this case VLAN 200. The broadcast did not cross into VLAN 100 because of the logical separation.<\/p>\n
      A lot more is going on here, but is outside the scope of this article to be explained.<\/em><\/p>\n
      Sources:<\/strong><\/p>\n