
Sunday, March 21, 2021

Tips #10 - Network Setup for Raspberry Pi Static Experiments

After some time working with Raspberry Pis (RPi) I have been able to figure out the kind of network setup that makes sense when you develop over a period of time.  Here are some particulars of what I have found:
  • Use of a Managed Switch with a trunk line to all of the vlans in the house saves a lot of running around.
  • Use of Tasmota controlled extension cables can give you control of power to the RPis in case there are moments when you only want to concentrate on specific RPis for an experiment.
  • The managed switch on the desk where you wire up experiments gives you extra network connections when needed.
  • The key is to be able to work on just what you want without having other things on when you don’t need them to be on.
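A small script for the power-control point above, added here as an example and not code from the original post. It drives Tasmota plugs through their HTTP command endpoint (http://<plug>/cm?cmnd=<command>, which answers with JSON such as {"POWER":"ON"}); the plug addresses, relay numbers and RPi names are constructed, and the FakeTasmota class is a stand-in for the plug so the script can be exercised without hardware. Note that the Tasmota web admin credentials travel in the query string over plain HTTP, which is one more reason to keep the plugs on their own vlan.

```python
"""Bench power control for Raspberry Pis on Tasmota plugs.

Added example; not code from the original post. It drives the Tasmota HTTP
command endpoint (http://<plug>/cm?cmnd=<command>), whose reply is JSON such
as {"POWER":"ON"} or {"POWER2":"OFF"}. Plug addresses, relay numbers and the
RPi names are constructed for the example.
"""
import io
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed inventory: (plug IP, relay number) feeding each RPi.  Relay 1 on a
# single-socket plug; relays 1..n on a multi-socket extension lead.
PLUGS: Dict[str, Tuple[str, int]] = {
    "rpi-sensor-1": ("192.0.2.10", 1),
    "rpi-sensor-2": ("192.0.2.10", 2),
    "rpi-gateway": ("192.0.2.11", 1),
}


def command_url(host: str, command: str,
                user: Optional[str] = None, password: Optional[str] = None) -> str:
    """Build the /cm URL; Tasmota takes web-admin credentials as user/password query fields."""
    params = {"cmnd": command}
    if user is not None:
        params["user"] = user
        params["password"] = password or ""
    # quote_via=quote encodes the space in "Power2 ON" as %20, as in the Tasmota docs
    return "http://%s/cm?%s" % (host, urllib.parse.urlencode(params, quote_via=urllib.parse.quote))


def parse_power_state(body: str, relay: int) -> bool:
    """Read the relay state from a reply; the key is POWER<n>, or POWER on single-relay plugs."""
    data = json.loads(body)
    for key in ("POWER%d" % relay, "POWER"):
        if key in data:
            return str(data[key]).upper() == "ON"
    raise ValueError("no state for relay %d in %r" % (relay, body))


def set_power(name: str, on: bool, opener: Callable = urllib.request.urlopen) -> bool:
    """Switch one RPi's socket and return the state the plug reports back."""
    host, relay = PLUGS[name]
    url = command_url(host, "Power%d %s" % (relay, "ON" if on else "OFF"))
    with opener(url, timeout=5) as resp:
        return parse_power_state(resp.read().decode(), relay)


def isolate(active: Set[str], opener: Callable = urllib.request.urlopen) -> Dict[str, bool]:
    """Leave only the RPis in `active` powered, so an experiment sees just the boards it needs."""
    return {name: set_power(name, name in active, opener) for name in PLUGS}


class FakeTasmota:
    """Offline stand-in for urlopen that answers like a plug (no hardware needed)."""

    def __init__(self) -> None:
        self.state: Dict[Tuple[str, str], str] = {}

    def __call__(self, url: str, timeout: Optional[float] = None) -> io.BytesIO:
        parts = urllib.parse.urlsplit(url)
        cmnd = urllib.parse.parse_qs(parts.query)["cmnd"][0]   # e.g. "Power2 ON"
        relay, _, value = cmnd.partition(" ")
        self.state[(parts.hostname, relay)] = value.upper()
        return io.BytesIO(json.dumps({relay.upper(): value.upper()}).encode())


if __name__ == "__main__":
    # Dry run against the fake; pass urllib.request.urlopen instead to drive real plugs.
    print(isolate({"rpi-gateway"}, FakeTasmota()))
```

Running the script as-is only talks to the fake; for the real bench, call isolate() with the default opener and the plug addresses from your own inventory.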

Tips #9 - The Sacrificial Port and Admin vlans

One thing I have discovered in my attempt to be secure is the use of Admin vlans.  An Admin vlan is a vlan that you use to limit changes to your network.  This is for internal network infrastructure protection. There are a couple of important points about this:
  • Each router, Managed Switch, and Type 1 hypervisor that you have in your network is configured so that changes can only be made from the Admin vlan.
  • All ACLs/rules set up in the network keep the Admin vlan separate from all others and enforce the items in this list.
  • You set up connections throughout the network so that you have to be physically connected to an Admin vlan port to make changes to any infrastructure elements in the network.
  • We have a port on each device dedicated to the Admin vlan, but the Admin vlan is allowed to traverse between devices only on Trunk lines and those lines are physically protected as much as possible.
  • All connections on the Admin vlan devices have to be encrypted; this is a zero trust approach.
  • Certificates are issued and controlled by a local Certificate Authority (CA) that is usually kept offline.
  • The Admin vlan port is called the Sacrificial Port because that port is only used for the purpose of getting to the Admin vlan.
  • The sacrificial port is protected with an 802.1X/RADIUS connection by MAC address; if you aren’t supposed to be there you shouldn’t be allowed to get in.
  • The sacrificial Port is also there to make sure you can still control infrastructure devices if part of the network becomes unresponsive.
  • The Sacrificial Port is also protected by a keyed Ethernet dust plug (suggest the color Red); key is necessary to take the plug out of the device.
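The two rules that are easiest to get wrong in the list above are that infrastructure management interfaces sit only on the Admin vlan and that no ACL lets another vlan reach it. The checker below is an added example, not code from the post: it models inter-vlan rules as a first-match list with an implicit deny (the usual router/firewall semantics) and audits a constructed lab of four vlans and four devices against those two invariants. The vlan numbers, device names and rules are all constructed; the BAD_RULES list shows the classic ordering mistake, where a broad "Pers to anywhere" permit placed before the Admin deny silently opens the Admin vlan.

```python
"""Audit of the Admin vlan invariants.

Added example, not code from the post. It models inter-vlan ACL rules as a
first-match list with an implicit deny and checks that (1) every router,
managed switch and hypervisor has its management interface on the Admin
vlan and (2) no rule lets any other vlan reach the Admin vlan, or the Admin
vlan reach them. Vlan numbers, devices and rules are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ADMIN_VLAN = 99
INFRA_KINDS = {"router", "switch", "hypervisor"}


@dataclass(frozen=True)
class Rule:
    src_vlan: Optional[int]   # None matches any vlan
    dst_vlan: Optional[int]
    action: str               # "permit" or "deny"


@dataclass(frozen=True)
class Device:
    name: str
    kind: str                 # "router", "switch", "hypervisor" or "host"
    mgmt_vlan: int            # vlan its management interface sits on


def lookup(rules: List[Rule], src: int, dst: int) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match is an implicit deny (index None)."""
    for i, r in enumerate(rules):
        if r.src_vlan in (None, src) and r.dst_vlan in (None, dst):
            return r.action, i
    return "deny", None


def audit(devices: List[Device], rules: List[Rule], vlans: List[int]) -> List[str]:
    """Return one finding per violated invariant; an empty list means the policy holds."""
    findings = []
    for d in devices:
        if d.kind in INFRA_KINDS and d.mgmt_vlan != ADMIN_VLAN:
            findings.append("%s: management interface on vlan %d, not Admin vlan %d"
                            % (d.name, d.mgmt_vlan, ADMIN_VLAN))
    for v in vlans:
        if v == ADMIN_VLAN:
            continue
        action, idx = lookup(rules, v, ADMIN_VLAN)
        if action == "permit":
            findings.append("vlan %d can reach Admin vlan %d (matched rule %d)" % (v, ADMIN_VLAN, idx))
        action, idx = lookup(rules, ADMIN_VLAN, v)
        if action == "permit":
            findings.append("Admin vlan %d can reach vlan %d (matched rule %d)" % (ADMIN_VLAN, v, idx))
    return findings


# Constructed lab: 10 = Pers, 20 = RPi bench, 30 = IoT plugs, 99 = Admin.
VLANS = [10, 20, 30, ADMIN_VLAN]
DEVICES = [
    Device("edge-router", "router", ADMIN_VLAN),
    Device("desk-switch", "switch", ADMIN_VLAN),
    Device("proxmox-1", "hypervisor", ADMIN_VLAN),
    Device("rpi-sensor-1", "host", 20),
]
# Admin-vlan denies come first, so no later permit can override them.
GOOD_RULES = [
    Rule(None, ADMIN_VLAN, "deny"),
    Rule(ADMIN_VLAN, None, "deny"),
    Rule(10, 20, "permit"),
    Rule(10, 30, "permit"),
]
# Same intent, wrong order: the broad "Pers to anywhere" permit matches before the Admin deny.
BAD_RULES = [
    Rule(10, None, "permit"),
    Rule(None, ADMIN_VLAN, "deny"),
    Rule(ADMIN_VLAN, None, "deny"),
]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, audit(DEVICES, rules, VLANS) or "ok")
```

To use it against your own network, transcribe the router's inter-vlan rules into Rule objects in the order the router evaluates them, since first-match order is exactly what the bad list gets wrong.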

Monday, March 15, 2021

Changeover of Ubuntu Server to Proxmox Box

I have been wanting to try my hand at a Type 1 hypervisor for a while but it was too expensive.  I looked at ESXi, but decided that each change of the software meant a world of hurt for the VMs that would be running.  I do like to use KVM and have wanted to learn LXC containers, so I decided to change out the Ubuntu Server and go with Proxmox.

I changed the HW for the Proxmox server to have a 1TB SSD, repurposed the 4TB spinner from the Ubuntu Server to use, and reconnected the DVD drive.  I did a fresh install from the Proxmox 6.3-1 iso that I downloaded from the site and came up running very quickly.  I then added a number of OS isos, including CentOS, Ubuntu, and Fedora.  I was able to quickly spin up Ubuntu and start working on the challenge of other VMs and LXCs.

I connected the GUI/SSH port of the Proxmox to my admin vlan and ran the first Ubuntu VM on my Pers vlan.  So far so good.