So I had to configure a bunch of Cisco switches, routers, Juniper firewalls, Juniper SSL gateways and some Unix servers running RADIUS and RSA SecurID. Pretty hands-on stuff which I don’t get to do much anymore (at work), but it was a nice change of pace. But I’m digressing.
Anyway, I was getting tired of re-configuring my Macbook’s network settings every time I had to be in a different subnet. I secured everything pretty tightly: nicely separated into separate Juniper FW security zones, VLANs, hardened configurations etc., but of course this also makes it hard to configure and test the stuff.
Although location-based network profiles help a lot, I still missed a second interface. To solve this I bought the Macbook Air’s USB Ethernet adapter, which btw works perfectly on my Macbook Pro, but I’ll post about that tomorrow.
So I run my SSH -p 443 -L port-forwarding scripts plus NAT-ing (for my mail servers) via the USB interface, so I have full Internet access through my client’s firewall via my own Squid proxy. This way I can still google and download updates. This keeps my built-in Ethernet interface free for configuring the rack.
The best thing however is that you can use VLAN 802.1q trunking or tagging, whatever you want to call it, on the built-in Ethernet port! So I just configured all the VLANs I needed, configured the correct subnets on them and off you go.
Please note however that you will need to make sure your routing is set up correctly. The easiest thing to do is to only configure a default gateway on the Internet-facing interface and set up static routing for the VLAN interfaces.
See below for how to configure the VLANs (quite simple really).
Go to System Preferences, Network, click on the little cog wheel, then Virtual Interfaces:

In the next screen you see an overview of all your VLANs. Please note that there is a difference between the name you can freely choose for your VLAN, the BSD name (the name that will show up in ifconfig for instance) and the actual VLAN ID.

Now if you add a VLAN you simply fill in the screen shown below. It’s extremely straightforward. The most important part is the Tag, which is the VLAN ID you want to use. Currently my Mac only supports VLAN tagging on its built-in Ethernet interface, so not much choice there. The VLAN name is just for administration purposes; it shows up in your Network preferences GUI thingie.

So let’s say you want to trunk from your Mac to a Cisco IOS switch’s fa0/12 port. Then you could configure something like this on the switch:
interface FastEthernet0/12
 description Macbook-Pro_et_
 switchport trunk allowed vlan 100,200,300,400
 switchport mode trunk
The only thing you really need here is the switchport mode trunk statement, but I like to have control over which VLANs are allowed over the trunk (and so should you), so I add the switchport trunk allowed statement.
Hi there, I was looking around for a while searching for rsa security and I happened upon this site and your post regarding OS X Leopard and VLAN (dot1q) trunking : Littlebighuman.com, I will definitely add this to my rsa security bookmarks!
Thank you for this great how-to! This will solve a lot of my problems!
Here, Here! Great Job… I have wondered about that!
Do you know how to set this up from the terminal ???
I’ve tested on the interface and VLAN works perfectly… But when I tried to set it up in the shell I got some errors:
ymac:~ yg$ sudo ifconfig en0 10.0.0.7/24 vlan 2 vlandev j0
ifconfig: SIOCGETVLAN: Operation not supported on socket
any ideas?
thanks
Ygor
Quick answer, because I don’t have much time right now:
I’ve found some info here: http://www.cyberciti.biz/faq/howto-configure-freebsd-vlans-with-ifconfig-command/
Also, webbased man page for ifconfig: http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man8/ifconfig.8.html
I got it working with the following commands:
$ sudo ifconfig vlan0 create
To create the vlan interface; the number is not related to the vlan tag.
$ sudo ifconfig vlan0 vlan 50 vlandev en0
To associate the vlan0 interface with the physical en0 interface and to tag the vlan traffic with tag 50.
$ sudo ifconfig vlan0 inet 1.2.3.4 netmask 255.255.255.0
To assign an IP address to the vlan0 interface.
Now I’ve noticed that the vlan shows up in ifconfig -a, but not in the OS X System Preferences. Also, I tried removing the vlan0 with the ifconfig vlan0 destroy command, but it still shows up in ifconfig -a, although its IP address is removed etc.
Hope this helps,
Gotta go for now.
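As an added example (not code from the original post or its comments), the POSIX shell script below turns the three ifconfig commands from the reply above, together with the routing advice in the post (default gateway only on the Internet-facing interface, static routes for the VLAN side), into a small dry-run generator. It validates the 802.1Q tag, keeps the unit number (vlan0) separate from the tag as the reply points out, prints the commands for one VLAN sub-interface and a static route for a subnet reached through it, and only prints them so the output can be reviewed before being piped to a root shell. The interface name, addresses and tag in the usage lines at the bottom are constructed sample values; the route syntax assumed is the BSD/macOS form `route add -net NET -netmask MASK GW`.

```shell
#!/bin/sh
# Dry-run generator for an 802.1Q VLAN sub-interface on a Mac (added example,
# not from the original post). Prints commands; apply with: script.sh | sudo sh

# Valid 802.1Q tags are 1-4094 (0 and 4095 are reserved by the standard).
vlan_tag_valid() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# vlan_cmds UNIT TAG PARENT ADDR MASK
# Emits the create / tag / address commands for interface vlanUNIT.
# UNIT is only the BSD interface number; TAG is the 802.1Q VLAN ID.
vlan_cmds() {
  unit=$1; tag=$2; parent=$3; addr=$4; mask=$5
  vlan_tag_valid "$tag" || { echo "bad VLAN tag: $tag" >&2; return 1; }
  printf 'ifconfig vlan%s create\n' "$unit"
  printf 'ifconfig vlan%s vlan %s vlandev %s\n' "$unit" "$tag" "$parent"
  printf 'ifconfig vlan%s inet %s netmask %s\n' "$unit" "$addr" "$mask"
}

# static_route_cmd NET MASK GW
# One static route for a subnet behind the VLAN-side gateway, so the default
# route can stay on the Internet-facing (USB) interface as the post suggests.
static_route_cmd() {
  printf 'route add -net %s -netmask %s %s\n' "$1" "$2" "$3"
}

# Usage with constructed values: tag 50 on en0, this host 10.0.50.10/24,
# and a second lab subnet 10.0.60.0/24 reachable via the VLAN gateway 10.0.50.1.
vlan_cmds 0 50 en0 10.0.50.10 255.255.255.0
static_route_cmd 10.0.60.0 255.255.255.0 10.0.50.1
```

Running the script prints five lines; nothing is changed on the host until the output is fed to a root shell, which is deliberate given the GUI/terminal mismatch the reply describes.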
I was going to set this up the BSD way (via terminal), but thought I’d google OSX dot1q, and found this. I’m glad I did. I’ve noticed that when you do certain things from the terminal (such as add/delete users) it causes a real disconnect with the GUI. I’ll use your method via the GUI on my xserver, and keep everything tidy. Thanks for the tip!
BTW… In case anyone else finds this a problem too…
I use multiple location profiles for various common configurations on my laptop. Once I set up the VLAN via the GUI it works fine. Fast-forward a bit… I have switched to a different location and I switch back to do some other work on my second VLAN… but I can’t connect to any of the hosts. I can ping without any issues, but I can’t connect. So I delete the VLAN directive in the GUI and recreate it… Voila! It works again. So there is a bug in the VLAN interface when switching location profiles.
Just so you are not wasting hours like me.
-Cheers, Peter.
Thank you so much for this article. I had just set a (production) DSLAM back to factory defaults to try to clear a problem, needed to turn it back up, and then realized there was not a single computer on hand with a real serial port, so I had to configure the thing using the DSLAM’s uplink ethernet port. Learning how to tag traffic on my Mac’s en0 port saved my a$$. Many thanks again.
Cheers, Michael
Migration net. I made a vlan interface with an external IP (one internet provider); on en0 I have an IP from the second network provider. The cable from en0 is plugged into a 3com vlan-ed switch with . I have no route path to other devices (1 provider) on vlan0.
1ip.net prov— switch—-mac . So in vlan I have 2 networks. | 2ip.net.prov——-
I made the same on Suse and it works. Where is the bug?
On the mac I add a route to the gw for the network on vlan0. I tried without and I always got the problem.