VLANs

A VLAN (virtual LAN) is a layer 2 construct that splits one physical network into separate broadcast domains, so hosts in one VLAN cannot reach hosts in another without going through a router. At Netsoc, we use this to stop traffic from going places it shouldn't, and to give each class of machine its own subnet.

Our VLAN definitions are kept in NaC.

We use 802.1Q (dot1q) to tag each frame with its VLAN ID, so that no traffic crosses VLANs except where the router explicitly allows it.

VLAN Tagging

Our VyOS router uses 802.1Q (dot1q) VLAN tagging. Each Ethernet frame (OSI layer 2) carries a 4-byte 802.1Q tag inserted after the source MAC address; the tag holds a 12-bit VLAN ID. Switches and the router only forward a tagged frame to ports that are members of that VLAN, so a broadcast reaches every machine on that VLAN and nothing outside it.

For simplicity, each VLAN ID maps to exactly one subnet. This makes it easy to tell from an IP address which VLAN a machine is on, and vice versa.

| VLAN ID | Name    | Description                                    | Subnet       |
|---------|---------|------------------------------------------------|--------------|
| 10      | wan     | Outside internet                               | 10.0.10.0/24 |
| 20      | proxmox | Proxmox hosts                                  | 10.0.20.0/24 |
| 30      | infra   | Infrastructure VMs (web VM, database VM, etc.) | 10.0.30.0/24 |
| 40      | cloud   | VMs and containers used in Netsoc Cloud        | 10.40.0.0/16 |

Notice that the cloud VLAN has a /16 mask, which gives 65,534 usable addresses, so the pool of Netsoc Cloud IPs can grow (almost) indefinitely.
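As an added example (not code from the Netsoc repository or NaC), the following Python builds and parses 802.1Q-tagged frames and then uses the VLAN-to-subnet table above to check that a frame's source IP actually belongs to the subnet its VLAN ID claims. That is the sanity check you want when a port or VM is suspected of being mis-tagged. The MAC addresses, the sample IPs and the minimal IPv4 headers are constructed for the example.

```python
import ipaddress
import struct

# VLAN ID -> subnet, exactly as in the table above.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.0.10.0/24"),  # wan
    20: ipaddress.ip_network("10.0.20.0/24"),  # proxmox
    30: ipaddress.ip_network("10.0.30.0/24"),  # infra
    40: ipaddress.ip_network("10.40.0.0/16"),  # cloud
}

TPID_8021Q = 0x8100      # EtherType that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def tag_frame(untagged: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag (TPID + TCI) after the 12 bytes of MACs."""
    if not 1 <= vid <= 4094:           # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid            # 3-bit priority, DEI=0, 12-bit VID
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN ID (None if untagged), inner EtherType and payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def check_vlan_subnet(frame: bytes) -> tuple:
    """(ok, reason): does the IPv4 source address match the frame's VLAN?"""
    f = parse_frame(frame)
    if f["vid"] is None:
        return False, "untagged frame"
    subnet = VLAN_SUBNETS.get(f["vid"])
    if subnet is None:
        return False, f"unknown VLAN {f['vid']}"
    if f["ethertype"] != ETHERTYPE_IPV4:
        return True, "non-IPv4 payload, no address check"
    src_ip = ipaddress.ip_address(f["payload"][12:16])   # IPv4 src at offset 12
    if src_ip not in subnet:
        return False, f"{src_ip} is not in {subnet} (VLAN {f['vid']})"
    return True, f"{src_ip} is in {subnet} (VLAN {f['vid']})"


def ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero, enough for this check."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def build_ip_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Untagged Ethernet frame carrying a bare IPv4 header."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ipv4_header(src_ip, dst_ip)


# Constructed sample addresses (locally administered MACs, not real hosts).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")

if __name__ == "__main__":
    good = tag_frame(build_ip_frame(MAC_A, MAC_B, "10.0.30.5", "10.0.20.1"), 30)
    mistagged = tag_frame(build_ip_frame(MAC_A, MAC_B, "10.40.1.5", "10.0.20.1"), 30)
    for frame in (good, mistagged, build_ip_frame(MAC_A, MAC_B, "10.0.30.5", "10.0.20.1")):
        print(parse_frame(frame)["vid"], check_vlan_subnet(frame))
```

The check is deliberately one-directional: a frame whose VLAN ID and source subnet disagree is either a host with a wrong address or a port trunking a VLAN it should not, and both are worth an alert before the router ever sees the traffic.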

Web request scenario

Say, for instance, a TCP connection is opened to Netsoc's web IP address 84.39.234.53:

VyOS receives this packet on its WAN side and looks through its destination NAT (Network Address Translation) table to find the internal IP address (in this case the web VM's) that the packet should be forwarded to. The rule can be found on NaC.

managerN in the config on NaC is a placeholder. In the applied config, the placeholder is replaced by web, whose definition is stored in the Ansible vars/network.yml.
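As an added illustration, and not the actual configuration held in NaC, here is what the VyOS side of that scenario looks like: a sub-interface (vif) per VLAN on the port that carries the tagged traffic, and a destination NAT rule that rewrites the public web address to the web VM. The interface name eth1, the router's .1 address in each subnet, the web VM address 10.0.30.10 and the port list are assumptions; the real values come from NaC and vars/network.yml.

```vyos
set interfaces ethernet eth1 description 'tagged uplink, one vif per VLAN'
set interfaces ethernet eth1 vif 10 description 'wan'
set interfaces ethernet eth1 vif 10 address '10.0.10.1/24'
set interfaces ethernet eth1 vif 20 description 'proxmox'
set interfaces ethernet eth1 vif 20 address '10.0.20.1/24'
set interfaces ethernet eth1 vif 30 description 'infra'
set interfaces ethernet eth1 vif 30 address '10.0.30.1/24'
set interfaces ethernet eth1 vif 40 description 'cloud'
set interfaces ethernet eth1 vif 40 address '10.40.0.1/16'

set nat destination rule 100 description 'public web address -> web VM (address is an assumption)'
set nat destination rule 100 inbound-interface 'eth1.10'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 destination address '84.39.234.53'
set nat destination rule 100 destination port '80,443'
set nat destination rule 100 translation address '10.0.30.10'
```

The rule only matches on the inbound WAN sub-interface, so a host on another VLAN addressing 84.39.234.53 is not silently rewritten; if internal clients need to reach the site by its public address, that is a separate, deliberate hairpin rule rather than a side effect of this one.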

VLAN Trunking

A trunk is a link that carries tagged frames for several VLANs at once, so the machine on the other end can send and receive on all of them. At Netsoc, every Proxmox host has a trunk connection. The trunk does not carry the WAN VLAN, for obvious reasons: we don't want a guest accidentally putting arbitrary traffic onto the outside world.

VyOS Router

Be VERY careful when editing the VyOS router config, as a mistake can break all network traffic in Netsoc Cloud. Prefer commit-confirm over a plain commit so that a change which cuts you off is rolled back automatically if you cannot confirm it.
Contact Oisin Canty (ocanty on GitHub) if you are going to be editing the VyOS router.