System Administration Guide: IP Services
Previous Next

Document Information

Preface

Part I TCP/IP Administration

1.  Solaris TCPIP Protocol Suite (Overview)

2.  Planning an IPv4 Addressing Scheme (Tasks

3.  Planning an IPv6 Addressing Scheme (Overview)

4.  Planning an IPv6 Network (Tasks)

5.  Configuring TCP/IP Network Services and IPv4 Addressing (Tasks)

6.  Administering Network Interfaces (Tasks)

Interface Administration (Task Map)

Basics for Administering Physical Interfaces

Administering Individual Network Interfaces

How to Obtain Interface Status

How to Configure a Physical Interface After System Installation

How to Remove a Physical Interface

SPARC: How to Ensure That the MAC Address of an Interface Is Unique

Administering Virtual Local Area Networks

Administering Link Aggregations

How to Create a Link Aggregation

How to Modify an Aggregation

How to Remove an Interface From an Aggregation

How to Delete an Aggregation

Configuring and Communicating Over WiFi Interfaces

How to Connect to a WiFi Network

How to Monitor the WiFi Link

7.  Enabling IPv6 on a Network (Tasks)

8.  Administering a TCP/IP Network (Tasks)

9.  Troubleshooting Network Problems (Tasks)

10.  TCP/IP and IPv4 in Depth (Reference)

11.  IPv6 in Depth (Reference)

Part II DHCP

12.  About Solaris DHCP (Overview)

13.  Planning for DHCP Service (Tasks)

14.  Configuring the DHCP Service (Tasks)

15.  Administering DHCP (Tasks)

16.  Configuring and Administering DHCP Clients

17.  Troubleshooting DHCP (Reference)

18.  DHCP Commands and Files (Reference)

Part III IP Security

19.  IP Security Architecture (Overview)

20.  Configuring IPsec (Tasks)

21.  IP Security Architecture (Reference)

22.  Internet Key Exchange (Overview)

23.  Configuring IKE (Tasks)

24.  Internet Key Exchange (Reference)

25.  Solaris IP Filter (Overview)

26.  Solaris IP Filter (Tasks)

Part IV Mobile IP

27.  Mobile IP (Overview)

28.  Administering Mobile IP (Tasks)

29.  Mobile IP Files and Commands (Reference)

Part V IPMP

30.  Introducing IPMP (Overview)

31.  Administering IPMP (Tasks)

Part VI IP Quality of Service (IPQoS)

32.  Introducing IPQoS (Overview)

33.  Planning for an IPQoS-Enabled Network (Tasks)

34.  Creating the IPQoS Configuration File (Tasks)

35.  Starting and Maintaining IPQoS (Tasks)

36.  Using Flow Accounting and Statistics Gathering (Tasks)

37.  IPQoS in Detail (Reference)

Glossary

Index

Administering Virtual Local Area Networks

A virtual local area network (VLAN) is a subdivision of a local area network at the data link layer of the TCP/IP protocol stack. You can create VLANs for local area networks that use switch technology. By dividing groups of users into VLANs, you can improve network administration and security for the entire local network. You can also assign interfaces on the same system to different VLANs.

Consider dividing your local network into VLANs if you need to do the following:

  • Create a logical division of workgroups.

    For example, suppose all hosts on a floor of a building are connected on one switched-based local network. You could create a separate VLAN for each workgroup on the floor.

  • Enforce differing security policies for the workgroups.

    For example, the security needs of a Finance department and an Information Technologies department are quite different. If systems for both departments share the same local network, you could create a separate VLAN for each department. Then, you could enforce the appropriate security policy on a per-VLAN basis.

  • Split workgroups into manageable broadcast domains.

    The use of VLANs reduces the size of broadcast domains and improves network efficiency.

Overview of VLAN Topology

Switched LAN technology enables you to organize the systems on a local network into VLANs. Before you can divide a local network into VLANs, you must obtain switches that support VLAN technology. You can configure all ports on a switch to serve a single VLAN or multiple VLANs, depending on the VLAN topology design. Each switch manufacturer has different procedures for configuring the ports of a switch.

Figure 6-1 shows a local area network that has the subnet address 192.168.84.0. This LAN is subdivided into three VLANs, Red, Yellow, and blue.

Figure 6-1 Local Area Network With Three VLANs
The surrounding context describes the figure's content.

Connectivity on LAN 192.168.84.0 is handled by Switches 1 and 2. Systems of the Information Technologies workgroup are assigned to the Blue VLAN. The Human Resources workgroup's systems are on the Yellow VLAN. The Red VLAN contains systems in the Accounting workgroup.

VLAN Tags and Physical Points of Attachment

Each VLAN in a local area network is identified by a VLAN tag, or VLAN ID (VID). The VID is assigned during VLAN configuration. The VID is a 12-bit identifier between 1 and 4094 that provides a unique identity for each VLAN. In Figure 6-1, the Blue VLAN has the VID 123, the Yellow VLAN has the VID 456, and the Red VLAN has the VID 789.

When you configure switches to support VLANs, you need to assign a VID to each port. The VID on the port must be the same as the VID assigned to the interface that connects to the port, as shown in the following figure.

Figure 6-2 Switch Configuration for a Network with VLANs
The surrounding context describes the figure's content.

In this figure, the primary network interfaces of three hosts connect into Switch 1. Host A is a member of the Blue VLAN. Therefore, Host A's interface is configured with the VID 123. This interface connects to Port 1 on Switch 1, which is then configured with the VID 123. Host B is a member of the Yellow VLAN, with the VID 456. Host B's interface connects to Port 5 on Switch 1, which is configured with the VID 456, and so on.

During VLAN configuration, you have to specify the physical point of attachment, or PPA, of the VLAN. You obtain the PPA value by using this formula:

driver-name + VID * 1000 + device-instance

Note that the device-instance number must be less than 1000.

For example, you would create the following PPA for a ce1 interface to be configured as part of VLAN 456:

ce + 456 * 1000 + 1= ce456001

Planning for VLANs on a Network

Use the next procedure for planning for VLANs on your network.

How to Plan for VLAN Configuration
  1. Examine the local network topology and determine where subdivision into VLANs is appropriate.

    For a basic example of such a topology, refer to Figure 6-1.

  2. Create a numbering scheme for the VIDs and assign a VID to each VLAN.

    Note - A VLAN numbering scheme might already exist on the network. If so, you must create VIDs within the existing VLAN numbering framework.

  3. On each system, determine which interfaces should be members of a particular VLAN.
    1. Find out which interfaces are configured on a host.
      # dladm show-link
    2. Identify which VID should be associated with each data link on the system.
    3. Create PPAs for each interface to be configured with a VLAN.

    All interfaces on a system do not necessarily have to be configured on the same VLAN.

  4. Check the connections of the interfaces to the network's switches.

    Note the VID of each interface and the switch port where each interface is connected.

  5. Configure each port of the switch with the same VID as the interface to which it is connected.

    Refer to the switch manufacturer's documentation for configuration instructions.

Configuring VLANs

The Solaris OS now supports VLANs on the following interface types:

  • ce

  • bge

  • xge

  • e1000g

Of the legacy interface types, only the ce interface can become a member of a VLAN. You can configure interfaces of different types in the same VLAN. For information about the interface types that are supported by the Solaris OS, refer to Solaris OS Interface Types.

How to Configure a VLAN
  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Determine the types of interfaces in use on your system.
    # dladm show-link

    The output shows the available interface types:

    ce0             type: legacy    mtu: 1500       device: ce0
ce1             type: legacy    mtu: 1500       device: ce1
bge0            type: non-vlan  mtu: 1500       device: bge0
bge1            type: non-vlan  mtu: 1500       device: bge1
bge2            type: non-vlan  mtu: 1500       device: bge2
  3. Configure an interface as part of a VLAN. 
    # ifconfig interface-PPA plumb IP-address up

    For example, you would use the following command to configure the interface ce1 with a new IP address 10.0.0.2 into a VLAN with the VID 123:

    # ifconfig ce123001 plumb 10.0.0.2 up
  4. (Optional) To make the VLAN settings persist across reboots, create a hostname.interface-PPA file for each interface that is configured as part of a VLAN. 
    # cat hostname.interface-PPA
IPv4-address
  5. On the switch, set VLAN tagging and VLAN ports to correspond with the VLANs that you have set up on the system.
Example 6-3 Configuring a VLAN

This example shows how to configure devices bge1 and bge2 into a VLAN with the VID 123.

# dladm show-link
ce0             type: legacy    mtu: 1500       device: ce0
ce1             type: legacy    mtu: 1500       device: ce1
bge0            type: non-vlan  mtu: 1500       device: bge0
bge1            type: non-vlan  mtu: 1500       device: bge1
bge2            type: non-vlan  mtu: 1500       device: bge2
# ifconfig bge123001 plumb 10.0.0.1 up
# ifconfig bge123002 plumb 10.0.0.2 up 
# cat hostname.bge123001 10.0.0.1
# cat hostname.bge123002 10.0.0.2
# ifconfig -a

lo0: flags=2001000849 <UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> 
     mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000 
bge123001: flags=201000803 <UP,BROADCAST,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 10.0.0.1 netmask ff000000 broadcast 10.255.255.255
        ether 0:3:ba:7:84:5e 
bge123002: flags=201000803 <UP,BROADCAST,MULTICAST,IPv4,CoS> mtu 1500 index 3
        inet 10.0.0.2 netmask ff000000 broadcast 10.255.255.255
        ether 0:3:ba:7:84:5e 
ce0: flags=1000843 <UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 192.168.84.253 netmask ffffff00 broadcast 192.168.84.255
        ether 0:3:ba:7:84:5e 
# dladm show-link
ce0             type: legacy    mtu: 1500       device: ce0
ce1             type: legacy    mtu: 1500       device: ce1
bge0            type: non-vlan  mtu: 1500       device: bge0
bge1            type: non-vlan  mtu: 1500       device: bge1
bge2            type: non-vlan  mtu: 1500       device: bge2
bge123001       type: vlan 123  mtu: 1500       device: bge1
bge123002       type: vlan 123  mtu: 1500       device: bge2
Previous Next