Configure VLAN tagging

Configure VLAN tagging
		GO

Purpose

This topic describes the steps to configure virtual LAN (VLAN) tagging on the Lucent CM server.

By using VLAN tagging, traffic on a single interface is logically separated on to different virtual LANs.

When used together with additional security mechanisms, VLAN tagging increases security.

Traffic types Lucent CM

The following types of traffic can be distinguished on the Lucent CM system:

Traffic type	Interface
User client traffic	Uses the interfaces on `eth0`.
Application server control and signalling traffic	Uses the internal interface on `eth1`.
OAM&P traffic	Uses the internal interface on `eth1`.

VLAN tagging can be used to separate OAM&P and application server control and signalling traffic

Additional security mechanism

VLAN tagging by itself does not increase the level of security.

To increase security, VLAN tagging must be deployed together with one of the following additional security mechanisms:

Provision specific routes on the Lucent CM Servers to ensure a specific traffic type only goes through the desired interface. This is required since there can only be one default gateway per server and traffic destined to a network not explicitly defined will egress via the default gateway.

Deploy a firewall to prevent access to a specific interface unless authorized.

Deploy a firewall to prevent access to a specific interface unless on an allowed port.

Deploy Access Control Lists on the network routers to limit access to specific interfaces from specific networks.

Before you begin

Before you begin ensure the following:

The network that connects the Lucent CM servers must support VLAN tagging.

A VLAN schema must have been developed.

The configuration information is available, this includes IP interfaces, subnet masks, and VLAN tag IDs.

The network elements (routers and switches) must have been configured to use the same VLAN tags as the VLAN tags that will be used on the Lucent CM system.

Configure VLAN tagging

CAUTION

Service-disruption hazard

Restarting services on an operational Lucent CM system results in a service outage for all users. The service outage time is less then one minute, when VLAN tagging is properly configured.

Perform this procedure during low traffic hours.

Perform the following steps to configure VLAN tagging on the Lucent CM system:

Change directory to the directory where the interface configuration files are located. Enter:

cd /etc/sysconfig/network-scripts/

Create the configuration files for the 2 virtual interfaces by copying the original configuration file.

Enter:

cp <original-ifcfg-filename> <virtual-ifcfg-filename>

Example: cp ifcfg-eth1 ifcfg-eth1.100

cp ifcfg-eth1 ifcfg-eth1.110

Edit the interface configuration file by removing or commenting out all entries except for the following:

DEVICE=<interface>

ONBOOT=yes

Example:

DEVICE=eth1

ONBOOT=yes

Edit the 2 virtual interface configuration files by adding or updating the following lines:

DEVICE=<virtual interface>

VLAN=yes

IPADDR=<IP address>

BROADCAST=<IP address>

NETMASK=<<IP address>>

Example:

DEVICE=eth1.100

VLAN=yes

IPADDR=10.1.100.32

BROADCAST=10.1.255.255

NETMASK=255.255.0.0

Stop and restart the network services. This result in a brief service outage. Enter:

service network restart

Result: The VLAN=yes entries ensure the system is restarted, using the defined VLAN tags.

Observe the output of the command to ensure all interfaces respond with OK.

End of steps

Test interfaces

Verify the Lucent CM system is fully operational by testing connectivity to and from all new interfaces.

		GO
© Lucent Technologies