Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1251
  • Last Modified:

Linux NFS boot (nfsroot) and VLAN

Hi experts,

imagine the following implementation:
- NFS server on private LAN, vlan 5 on the switch's port
- Linux server, with system NFS share and getting kernel through tftp as part of the nfsroot process, vlan 5 for private IP address and vlan 15 and 20 on public IP ranges.

NFS client interfaces configuration is like :
- eth0 with private IP address
- vlan15 using raw-device-id eth0, with one public IP address
- vlan20 using raw-device-id eth0, with one public IP address on another range

From the Foundry point of view, the port of the nfs client is tagged on vlan 5, 15 and 20, dual-mode on vlan 5 (please translate to Cisco if needed)

The problem is that when the nfs client boots, he can't mount the NFS share to get its system space unless its switch's port is "no tagged" for vlan 15 and 20 (which needs to be tagged again in order to reach the world).
In fact, he can't even get DHCP answer at that time (well, the DHCP request doesn't reach the DHCP server).
Another nfs client which doesn't need vlan other than 5 (only on private network) can boot without any trouble.

I guess that's because there is no way to tell the kernel "hey dude, use vlan5" while booting.
Is that correct?
Why doesn't use the vlan specified on the dual-mode option of the switch's port?
Is there any workaround?

By the way, how do YOU use vlans on your network?

Thanks for your help.
0
Alf92130
Asked:
Alf92130
  • 2
  • 2
1 Solution
 
ravenplCommented:
AFIR on cisco switches(at least 29xx) You can tell port to tag untagged frames with default vlan id, in Your case it's 5. What's the switch, and what's the port config?

> I guess that's because there is no way to tell the kernel "hey dude, use vlan5" while booting.
Actually You probably could hack the initrd to init eth on vlan5, but it's not kernel who asks for DHCP and kernel+initrd via tftp - right?
0
 
Alf92130Author Commented:
Hi ravenpl, thanks for replying!

The switch is a Foundry FastIron II, port is tagged on vlan 5, 15 and 20 with "dual-mode 5", meaning "untagged frames go through vlan 5", I guess it's like the 29XX+ feature.
(http://www.foundrynetworks.co.jp/services/documentation/sribcg/VLANs.html#33633)
At that point I thought it should work but didn't. I wish I could blame Foundry but I won't yet.

>Actually You probably could hack the initrd to init eth on vlan5, but it's not kernel who asks for DHCP
> and  kernel+initrd via tftp - right?
Mhh I don't think I use initrd at all for the moment and I don't know it that much, any hint could be appreciated =)
Indeed, PXE asks for DHCP and kernel via tftp, thanks for pointing that out. I'm gonna check if there is any VLAN option in PXE configuration ...
0
 
ravenplCommented:
> Mhh I don't think I use initrd at all
They always come in twos, the master kernel and the apprentice initramfs <lol> Check out the tftp dir...
0
 
Alf92130Author Commented:
Of course, PXE doesn't provide the option.
Anyway, we decided to cancel this project and went back on a non-tagged vlan.

If anyone still got the answer, I hope he can post it, but I'm gonna close this question.
ravenpl> thanks for your participation, I'll give you some points for that.
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now