Vserver With Vlan

SiggiSiggiBangBang
► Linux
► Vserver With Vlan

I do not really write the best tutorials. But, I found so little information about how to do this so I felt obligated, to share with whoever my notes on the subject.

I have a vlan setup on cisco cat4000 IOS v12.2. All the vlans have been created on the cisco VTP master, which also handles all routing. Except for maybe 2 devices that do NAT.
I have several ranges of ip numbers, of different classes.

What I want to do is to use the vserver setup with access to all the vlan existing on the cisco VTP master. My reason for doing this is to for example have all dhcp service on guest servers, for different networks. I also want to have a LTSP server, serving rdesktop clients. I’d like to put the 2 machines that are doing NAT up as vserver guests. It will make my setup at my work much cleaner, and my life much easier. Nobody of course at my work knows this except me. They don’t know how exhausting it can be to …… .. … . . (the rest of this dramatic outlet has been cut out to not cast a shadow on these notes).

For all servers I use strictly debian, to my knowledge everything else just isn’t worth knowing. For my desktop computer I use Ubuntu, I like Ubuntu and Ubuntu likes me.

Along with vserver, a support for vlan has to be compiled into the kernel, I trust you know how so I will not dwell on this.

To make all the vlans available to the vserver, I configure the cisco interface in the following manner.

interface GigabitEthernet2/2
switchport trunk encapsulation dot1q
switchport mode trunk

You do not need to use this specific interface, do whatever suits you the best.

In some cases you may want to only allow certain vlans to trunk through to the vserver, this you can do by adding

switchport trunk allowed vlan 2,10,20,45,200

to the trunking interface.

Get the vlan package with the wonderful command apt-get install vlan .

This package will include the tool vconfig that you will not have to use at all.

You can of course give the vlan part a test by running vconfig add eth0 20 , or whatever vlan existing on your VTP master, except maybe vlan 1.

If everything is well with your vlan setup, you should see in the continuation:
Added VLAN with VID == 20 to IF -:eth0:-

With that done you can bring up the interface without it existing in /etc/network/interfaces, with the ifconfig command. It will behave in every respect as any physical interface.

We will not use vconfig, we will on the other hand map all desired vlans in /etc/network/interfaces.

This we will do as follows:

auto lo
iface lo inet loopback

auto eth0 vlan2 vlan10 vlan20

# iface eth has to be up with no ip number

iface eth0 inet static
address 0.0.0.0
netmask 0.0.0.0
vlan_raw_device eth0

iface vlan2 inet static
address 172.201.221.17
netmask 255.255.255.224
gateway 172.201.221.17
vlan_raw_device eth0

iface vlan10 inet static
address 172.201.222.4
netmask 255.255.254.0
gateway 172.201.222.1
vlan_raw_device eth0

iface vlan20 inet static
address 192.168.1.254
netmask 255.255.255.0
gateway 192.168.1.1
vlan_raw_device eth0

These of course are only examples, I don’t even use the real ip addresses. It should though give an idea of how to do this.

You may think this is enough, but it isn’t.
This variety of ip ranges, and gateways, do not work by default because on a debian box rp_filter is enabled by default. When the rp_filter is enabled(1), the kernel will discard all packets whose
source IP address does not match the route to the interface the
packet was received on.

To disable the rp_filter( a.k.a spoofprotect ), you put the following line in /etc/network/options spoofprotect=no, if the options file does not exist, create it. Run /etc/init.d/networking restart to reconfigure the network.

All the networks defined should now work.

Check your setup with ifconfig.

Try pinging with each interface ping -I vlan10 157.157.205.2 for example and etc.

Now you set up a vserver guest on whatever vlan interface, there is a newvserver script located in /usr/sbin

I made a copy for every vlan, newvserver.vlan10, etc.

Change the interface to work on line to the appropriate vlan.

newvserver.vlan10 –hostname ltsproject –domain aol.com –ip 172.201.222.10

Have fun

update Feb 06 2006
networking and mask settings
It is extremely important to set the mask for every single host. I created severe problems on the network by using the default mask settings. ifconfig does not display this so I suggest the iproute package, including the lovable tool ip addr, use it to give you detailed information about your interfaces.
The mask is set in the following manner echo 255.255.xxx.xxx > /etc/vservers/vserver-name/interfaces/0/mask.
You can also use a file called prefix and set the subnet there, for example echo 24 > /etc/vservers/vserver-name/interfaces/0/prefix

Using the vserver command to create a new vserver.
vserver ltsp build \
-n ltsp \
–hostname ltsp.domain.com \
–interface vlan10:172.201.222.10 \
-m debootstrap — -d sarge