Getting Your FreeBSD Box to Speak 802.1q Trunks with a Cisco Switch

I have the following setup on my home LAN:

cable modem - cisco router - freebsd fw/gw - cisco switch -  clients

< The client boxes are in two separate VLANs with different address spaces. I needed a way for them to be able to talk to the FreeBSD 4.9 REL firewall/gateway without wasting two interfaces on the fw/gw. Here's how I set this up. I'm no Cisco guru so excuse my lack of shortcuts. I got some help from this how-to, this thread, and this Cisco guide. First, on the switch, I created my VLANs:

gruden#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
gruden(config)#vlan 20
gruden(config-vlan)#name green
gruden(config-vlan)#end

gruden#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
gruden(config)#vlan 10
gruden(config-vlan)#name yellow
gruden(config-vlan)#end

Next I created my trunk port to speak to the FreeBSD box:

gruden#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
gruden(config)#int fa0/24
gruden(config-if)#switchport mode trunk
gruden(config-if)#end

gruden#sh int fa0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false

Voice VLAN: none (Inactive)
Appliance trust: none

Then I added each switch port to the appropriate VLAN. This is what adding a single port looks like:

gruden#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
gruden(config)#int fa0/1
gruden(config-if)#switchport mode access
gruden(config-if)#switchport access vlan 10
gruden(config-if)#end

gruden#sh int fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (yellow)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false

Voice VLAN: none (Inactive)
Appliance trust: none

On to the FreeBSD box! I used the following commands to set it up. Note that fxp2 is the single physical interface connected to interface 0/24 on the Cisco switch:

ifconfig vlan0 create
ifconfig vlan1 create

ifconfig vlan0 vlan 10 vlandev fxp2
ifconfig vlan1 vlan 20 vlandev fxp2

ifconfig vlan0 inet 10.100.100.1 netmask 255.255.255.0
ifconfig vlan1 inet 172.207.200.1 netmask 255.255.255.0

ifconfig fxp2 up

When done, the interfaces on the FreeBSD box look like this:

moog# ifconfig vlan0
vlan0: flags=8843 mtu 1500
        inet 10.100.100.1 netmask 0xffffff00 broadcast 10.100.100.255
        inet6 fe80::2d0:b7ff:fe61:3234%vlan0 prefixlen 64 scopeid 0xa
        ether 00:02:b3:0a:cd:5b
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 10 parent interface: fxp2
moog# ifconfig vlan1
vlan1: flags=8843 mtu 1500
        inet 172.207.200.1 netmask 0xffffff00 broadcast 172.207.200.255
        inet6 fe80::2d0:b7ff:fe61:3234%vlan1 prefixlen 64 scopeid 0xb
        ether 00:02:b3:0a:cd:5b
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 20 parent interface: fxp2
fxp2: flags=8843 mtu 1500
        inet6 fe80::202:b3ff:fe0a:cd5b%fxp2 prefixlen 64 scopeid 0x3
        ether 00:02:b3:0a:cd:5b
        media: Ethernet autoselect (100baseTX )
        status: active

To make this automatic, add these entries to /etc/rc.conf:

cloned_interfaces="vlan0 vlan1"
ifconfig_vlan0="inet 10.100.100.1 netmask 255.255.255.0 vlan 10 vlandev fxp2"
ifconfig_vlan1="inet 172.207.200.1 netmask 255.255.255.0 vlan 20 vlandev fxp2"
ifconfig_fxp2="up"

When done, the 10.100.100.0/24 and 172.207.200.0/24 networks will be able to talk to each other through the FreeBSD box.

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more