VLAN

From ISPWiki

A VLAN (Virtual Local Area Network) is a group of devices that appear to be on the same LAN regardless of their physical location; they can be connected to different network switches. Devices in different VLANs are not visible to each other, even if they are connected to the same switch.

A VLAN is a mechanism for creating a logical network topology independent of the physical topology. VLANs are used to reduce broadcast traffic in the network and to increase security, in particular as protection against ARP spoofing, because ARP broadcasts do not cross VLAN boundaries.

How it works

VLAN types:

  • port-based;
  • MAC-based;
  • protocol-based;
  • authentication.

DCImanager supports port-based VLANs. Switch ports are grouped logically into a VLAN. Port-based VLANs are easier to manage, secure and configure than the other types.

DCImanager supports trunk ports. Trunks carry traffic that belongs to multiple VLANs between devices over the same port. To preserve the information about which VLAN a frame belongs to, the system tags the frames. This feature requires several switches: two switches are connected by a single pair of trunk ports that can carry traffic from any number of VLANs.
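The tagging described above is IEEE 802.1Q: a trunk port inserts a 4-byte tag after the source MAC, and the receiving trunk uses the 12-bit VLAN ID in that tag to put the frame back into the right VLAN. The following Python is an added example written for this page, not code from DCImanager; it builds a constructed sample frame, tags and untags it, and shows how an untagged frame arriving on a trunk falls into the native VLAN.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as a trunk port does on egress.

    The tag is TPID (0x8100) followed by the TCI, which packs PCP (3 bits),
    DEI (1 bit) and the 12-bit VLAN ID.
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in the range 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet frame; 'vid' and 'pcp' are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vid, pcp = 14, None, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        pcp = tci >> 13
        offset = 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vid": vid,
        "pcp": pcp,
        "ethertype": ethertype,   # the real EtherType that follows the tag
        "payload": frame[offset:],
    }


def classify_ingress(frame: bytes, native_vid: int) -> int:
    """VLAN a trunk port assigns to a received frame: the tag's VID, or the
    native VLAN when the frame arrives untagged."""
    vid = parse_frame(frame)["vid"]
    return native_vid if vid is None else vid


def untag_frame(frame: bytes) -> bytes:
    """Strip the 802.1Q tag, as done when a frame leaves the trunk onto an
    access port or belongs to the native VLAN."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: a minimal IPv4 frame between two locally administered MACs
# (the payload is a stub IPv4 header, enough to show where the tag goes).
SAMPLE_UNTAGGED = (
    bytes.fromhex("02000000000b")          # destination MAC
    + bytes.fromhex("02000000000a")        # source MAC
    + struct.pack("!H", ETHERTYPE_IPV4)
    + b"\x45\x00\x00\x14" + b"\x00" * 16
)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_UNTAGGED, vid=100, pcp=3)
    print(parse_frame(tagged))
    print("untagged frame on a trunk with native VLAN 1 lands in VLAN",
          classify_ingress(SAMPLE_UNTAGGED, native_vid=1))
```

The same parse step is what a capture tool applies when you verify that a trunk really carries the VLANs you expect: a frame whose EtherType is 0x8100 is tagged, and the VID is the low 12 bits of the next two bytes.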

DCImanager can work with Primary and Isolated PVLAN.

Private VLAN (PVLAN) is a technology used for isolating switch ports. A Private VLAN divides a VLAN (primary) into several sub-VLANs (secondary) while preserving the existing IP subnet and Layer 3 configuration.

The Primary VLAN includes the promiscuous port. This is the switch port connected to upstream devices (a switch, router, etc.).

Secondary VLAN. Types of secondary VLAN ports:

  • Isolated — any switch ports added into an Isolated VLAN; they can communicate with the Primary VLAN, but not with other Secondary VLANs or with other hosts within the same Isolated VLAN.
  • Community — any switch ports added into a Community VLAN; they can communicate with the Primary VLAN and with each other, but not with other Secondary VLANs.
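The forwarding rules in the two list items above are easy to misread, so here is a small Python model of them, added for this page and not part of DCImanager or of any switch firmware. Port names and the secondary VLAN names are constructed; the only logic is the PVLAN rule set: the promiscuous port reaches everything, isolated ports reach only the promiscuous port, and community ports additionally reach members of their own community.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

PORT_KINDS = ("promiscuous", "isolated", "community")


@dataclass(frozen=True)
class PvlanPort:
    name: str
    kind: str                        # one of PORT_KINDS
    secondary: Optional[str] = None  # secondary VLAN name; None for the promiscuous port

    def __post_init__(self):
        if self.kind not in PORT_KINDS:
            raise ValueError(f"unknown PVLAN port kind: {self.kind}")
        if self.kind != "promiscuous" and self.secondary is None:
            raise ValueError(f"{self.name}: secondary ports need a secondary VLAN")


def can_forward(a: PvlanPort, b: PvlanPort) -> bool:
    """Whether a frame entering port a may be delivered out of port b."""
    if a.kind == "promiscuous" or b.kind == "promiscuous":
        return True                       # Primary VLAN reaches every secondary port
    if a.kind == "isolated" or b.kind == "isolated":
        return False                      # isolated hosts never see each other
    return a.secondary == b.secondary     # community: only inside the same community


def reachability(ports: Iterable[PvlanPort]) -> Dict[Tuple[str, str], bool]:
    """Full pairwise matrix, useful for checking an intended isolation policy."""
    ports = list(ports)
    return {(a.name, b.name): can_forward(a, b)
            for a in ports for b in ports if a is not b}


def reachable_from(port: PvlanPort, ports: Iterable[PvlanPort]) -> Set[str]:
    """Names of the ports a given port can reach."""
    return {p.name for p in ports if p is not port and can_forward(port, p)}


# Constructed sample: an uplink plus five server ports in one PVLAN.
SAMPLE_PORTS = [
    PvlanPort("uplink", "promiscuous"),
    PvlanPort("srv1", "isolated", "iso"),
    PvlanPort("srv2", "isolated", "iso"),
    PvlanPort("srv3", "community", "team-a"),
    PvlanPort("srv4", "community", "team-a"),
    PvlanPort("srv5", "community", "team-b"),
]

if __name__ == "__main__":
    for port in SAMPLE_PORTS:
        print(f"{port.name:7} -> {sorted(reachable_from(port, SAMPLE_PORTS))}")
```

Running the sample shows why the isolated type is the one to choose for tenants that must not see each other: srv1 and srv2 share a secondary VLAN yet cannot exchange frames, while srv3 and srv4 can because they share a community.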

Brocade ICX (Mult) supports PVLAN. For other switches, PVLAN support is specified in the list of supported devices.

DCImanager supports the "VLAN per user" (VPU) configuration. VPU places every server (or group of servers) into a separate broadcast domain: each server (group of servers) is assigned a separate VLAN, and an IRB interface for this VLAN is created on the router. The IRB interface is a logical Layer 3 interface that is used as the default router for the VLAN.

Example configuration:

  1. A VLAN and a network with prefix /31 (two IP addresses) are reserved for the VLAN. One IP address is for the router, the other for the server. The networks of the alias addresses may be different.
  2. Configure the IRB interface on the router with the IP address from the server network and its VLAN.
  3. Configure the DHCP relay pointing at the DCImanager IP address. You can find the configuration commands in the list of networks for the VLAN.
  4. Alias addresses (/32) are routed to the primary IP address, for example: route x.x.x.16/32 next-hop x.x.x.97.
  5. Alias addresses are installed via a dynamic routing protocol. DCImanager uses BIRD.
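To make the addressing plan in steps 1 and 4 concrete, here is an added Python example (not DCImanager code) that carves one /31 per server out of a constructed link block, assigns the lower address to the router's IRB interface and the upper one to the server, and renders the /32 alias routes in the same "route ... next-hop ..." notation as step 4. The sample servers, VLAN IDs and addresses are constructed (documentation ranges); `check_plan` catches the mistakes that actually bite in practice, such as overlapping links or an alias that collides with a point-to-point network.

```python
import ipaddress
from typing import Dict, List


def plan_vpu(link_block: str, servers: Dict[str, List[str]], first_vid: int) -> List[dict]:
    """Give each server its own VLAN ID and its own /31 taken from link_block.

    Within the /31 the lower address goes to the router's IRB interface and the
    upper one to the server. Aliases are /32 networks and may come from any block.
    """
    block = ipaddress.ip_network(link_block)
    links = block.subnets(new_prefix=31)          # consecutive /31s from the block
    plan = []
    for index, (server, aliases) in enumerate(servers.items()):
        try:
            link = next(links)
        except StopIteration:
            raise ValueError(f"{link_block} has no /31 left for {server}") from None
        router_ip, server_ip = list(link)        # a /31 has exactly two addresses
        plan.append({
            "server": server,
            "vid": first_vid + index,
            "link": link,
            "router_ip": router_ip,               # IRB interface address (step 2)
            "server_ip": server_ip,               # server's primary address
            "aliases": [ipaddress.ip_network(a) for a in aliases],
        })
    return plan


def alias_routes(plan: List[dict]) -> List[str]:
    """Static /32 routes in the page's notation: route <alias> next-hop <server IP>."""
    return [f"route {alias} next-hop {entry['server_ip']}"
            for entry in plan for alias in entry["aliases"]]


def check_plan(plan: List[dict]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vids = [e["vid"] for e in plan]
    if len(set(vids)) != len(vids):
        problems.append("duplicate VLAN IDs")
    if any(not 1 <= v <= 4094 for v in vids):
        problems.append("VLAN ID outside 1..4094")
    links = [e["link"] for e in plan]
    for i, x in enumerate(links):
        for y in links[i + 1:]:
            if x.overlaps(y):
                problems.append(f"link networks {x} and {y} overlap")
    for e in plan:
        for alias in e["aliases"]:
            if alias.prefixlen != 32:
                problems.append(f"alias {alias} is not a /32")
            if any(alias.overlaps(link) for link in links):
                problems.append(f"alias {alias} collides with a point-to-point link")
    return problems


# Constructed sample: three servers, two of them with alias addresses.
SAMPLE_SERVERS = {
    "srv-a": ["203.0.113.16/32", "203.0.113.17/32"],
    "srv-b": ["203.0.113.18/32"],
    "srv-c": [],
}

if __name__ == "__main__":
    plan = plan_vpu("192.0.2.96/29", SAMPLE_SERVERS, first_vid=1001)
    for e in plan:
        print(f"{e['server']}: VLAN {e['vid']}, link {e['link']}, "
              f"IRB {e['router_ip']}, server {e['server_ip']}")
    print("\n".join(alias_routes(plan)))
    print("problems:", check_plan(plan) or "none")
```

The first server in the sample gets 192.0.2.96 for the IRB interface and 192.0.2.97 for itself, so its alias route renders as `route 203.0.113.16/32 next-hop 192.0.2.97`, the same shape as the route in step 4. Whether that route is entered statically or announced through BIRD (step 5), the next hop is always the server's primary address on its own /31.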

VLAN modules

DCImanager uses the following modules to improve VLAN functions:

1. "VPU (Vlan Per User)" module (starting from version 5.155)

Allows placing each server (a group of servers) into a separate broadcast domain.

2. "User VLAN" module

Allows users to place their servers in the VLANs allowed by the administrator.

To set up and configure a module, navigate to "Integration" -> "Modules".

VLAN management

Navigate to "Main" -> "VLAN".

You can see the following VLANs:

  • VLANs created manually;
  • VLANs found automatically.

Adding a virtual network into DCImanager manually

Navigate to "Main" -> "VLAN" and click "Create".

Creating VLAN
  • VLAN Id — the unique identifier of the virtual network;
  • Name — the name of the virtual network used when configuring network equipment;
  • Owner — the user who can use the VLAN on servers;
  • Notes;
  • PVLAN — select the check box to enable PVLAN;
  • PVLAN type — select the type of the virtual network:
    • isolated — isolated secondary VLAN;
    • primary — primary VLAN;
  • Reserved — select the check box if the VLAN settings should not be configured on the router.

Adding a virtual network into DCImanager automatically

During the configuration process, the administrator assigns the required VLANs to the switch ports. DCImanager synchronizes with the VLANs configured on the devices: the system registers the VLANs found on the ports and marks the trunk ports and their trunk members.

Adding a switch port into VLAN

Navigate to "Equipment" -> "Switches", select the required switch and click "Ports". Select the port in the list and click "Edit".

Port settings associated with the VLAN configuration:

  • Trunk mode — select the check box to activate trunk mode for the port, then enter the following parameters:
    • Native VLAN — the untagged VLAN (frames that arrive on the port without a tag are assigned to it);
    • Trunk members — the VLANs whose traffic may pass through the port;
  • UpLink — select the check box if this port is connected to an upstream device (switch, router, etc.). The port is not displayed in the list of ports when connecting a new device, the system does not search for new servers on it, and administrators cannot perform any operations on it (change VLAN, speed, or mode).

If you need to add many VLANs, we recommend performing this operation directly on the switch. DCImanager will apply the changes automatically.

Configuring IP addresses in VLAN

Log in to IPmanager and create a group of IP addresses for the VLAN. Specify the group in the user permissions form for the corresponding subnet in IPmanager. For every server that will work in the VLAN, specify the newly created group of addresses in the "Block of IP addresses" field.

Navigate to "Settings" -> "Global settings" -> "Policy" and select "Standard type of IP addresses". All new servers will be configured with this type unless another value is specified in the "Pool of IP addresses" field.