Non Vlan-aware and default VLAN and 802.1q


Hi,

in a case of non-VLAN-aware usage (because of VxLAN usage), could I set up the default VLAN like this?

auto vlan426
iface vlan426
bridge-ports glob swp1-48
bridge-ports glob swp1-48.426
...

The idea is to support untagged and/or tagged ports.

8 replies

I would use the regex match for this:

bridge-ports regex swp[0-9]+\.?[0-9]*

Feel free to test out some examples on regexpal.com. Here are the examples I used:

swp1
swp12
swp99
swp78.100
swp9.19
swp7.1
swp99.1
eth0
eth0.10
eth5.5
swpx.12
bond0
bond
Hi,

thanks for your answers regarding the templating, working on this too.
Regarding the native VLAN, this would mean it's possible to have 802.1q tagged and untagged for the same VLAN on the same ports?

Thanks

Yes, it is possible to have native vlan and tagged vlan on the same port.
Hi David, can you clarify the question?

A swp CAN be part of two bridges with different VLAN tags. This creates a trunk port.

auto br100
iface br100
bridge-ports swp1.100 swp2.100

auto br200
iface br200
bridge-ports swp1.200 swp2.200

A swp CANNOT be part of one traditional bridge twice with different VLAN tags (or tagged and native).

auto br0
iface br0
bridge-ports swp1.100 swp1.200
The idea is to have "dual-mode"-like functionality: accept either tagged or untagged packets on a port.
To the best of my understanding, the current generation of switching hardware (regardless of switch vendor) does not support receiving both a tagged frame and an untagged frame on the same interface and putting them in the same broadcast domain (i.e. a traditional bridge or a VLAN in a VLAN-aware bridge).

Take the following configuration as an example.

Cumulus Switch:

root@leaf2:~# ifquery br0 br0.10
auto br0
iface br0
bridge-vlan-aware yes
bridge-vids 10,20,30
bridge-pvid 10
bridge-ports swp32s1
auto br0.10
iface br0.10
address 10.10.10.254/24
address 9.9.9.10/30


Ubuntu Server connected to swp32s1:

root@server1:~# ip addr show eth0
2: eth0: mtu 9216 qdisc mq state UP qlen 1000
link/ether 90:e2:ba:7d:74:b0 brd ff:ff:ff:ff:ff:ff
inet 9.9.9.9/30 brd 9.9.9.11 scope global eth0
inet6 fe80::92e2:baff:fe7d:74b0/64 scope link
valid_lft forever preferred_lft forever
root@server1:~# ip addr show eth0.10
6: eth0.10@eth0: mtu 9216 qdisc noqueue state UP
link/ether 90:e2:ba:7d:74:b0 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.30/24 brd 10.10.10.255 scope global eth0.10
inet6 fe80::92e2:baff:fe7d:74b0/64 scope link
valid_lft forever preferred_lft forever
root@server1:~#

In this example, port swp32s1 on the Cumulus switch is a trunk port. It has a native VLAN of 10 and allows VLANs 10, 20 and 30.

A ping from the server sourced from 9.9.9.9 (eth0) has no VLAN tag and is SUCCESSFUL.

root@server1:~# ping 9.9.9.10 -I 9.9.9.9 -c 1
PING 9.9.9.10 (9.9.9.10) from 9.9.9.9 : 56(84) bytes of data.
64 bytes from 9.9.9.10: icmp_req=1 ttl=64 time=0.406 ms

A ping from the server sourced from 10.10.10.30 (eth0.10) has a VLAN tag of 10 and is DROPPED.

root@server1:~# ping 10.10.10.254 -I 10.10.10.30 -c 1
PING 10.10.10.254 (10.10.10.254) from 10.10.10.30 : 56(84) bytes of data.
From 10.10.10.30 icmp_seq=1 Destination Host Unreachable

Does this address the query?
Scott Laffer wrote:

To the best of my understanding, the current generation of switching hardware (regardless of swit...

Hi scott,

as far as I know, most traditional switches do accept both untagged frames and frames tagged with the port VLAN ID entering a switch port. All those frames are placed in the same VLAN (broadcast domain) inside the switch.

I have not yet seen the opposite, that is a way to configure tagged and untagged egress for frames of one VLAN from the same port.

As an example of accepting both tagged and untagged frames on the same switchport, I have connected two Extreme Networks C5 switches (based on Broadcom BCM56620) using port 24 of each switch, with one side configured for untagged egress and ingress (a usual access port) and the other for tagged egress and untagged ingress for VLAN 42. The two switches can ping each other if I give them IP addresses in VLAN 42.

To check if this is just a quirk of this platform I connected an Extreme X460G2, another Broadcom based switch, but with a completely different operating system, to one of the C5 switches. The X460G2 uses an untagged port in VLAN 42, the C5 uses tagged frames on egress and puts untagged frames into VLAN 42. The X460G2 accepts the tagged frames on the access port.

This common switch behavior is used in one kind of VLAN hopping attack, as explained for example in the Cisco SWITCH course curriculum.

Topology:

p3_sw4 and p4_sw4 are C5 switches, p4sw2 is an X460G2 switch.
+--------+24        +--------+21        +-------+
| p3_sw4 |----------| p4_sw4 |----------| p4sw2 |
+--------+        24+--------+        21+-------+

Relevant switch configuration:

p3_sw4(su)->set port enable ge.1.24
p3_sw4(su)->set vlan create 42
p3_sw4(su)->set host vlan 42
p3_sw4(su)->set ip address 10.42.0.1 mask 255.255.255.0
p3_sw4(su)->set port vlan ge.1.24 42 modify-egress
p3_sw4(su)->set port ingress-filter ge.1.24 enable

p4_sw4(su)->set port enable ge.1.24
p4_sw4(su)->set vlan create 42
p4_sw4(su)->set host vlan 42
p4_sw4(su)->set ip address 10.42.0.2 mask 255.255.255.0
p4_sw4(su)->set port vlan ge.1.24 42 no-modify-egress
p4_sw4(su)->set vlan egress 42 ge.1.24 tagged
p4_sw4(su)->clear vlan egress 1 ge.1.24
p4_sw4(su)->set port ingress-filter ge.1.24 enable
p4_sw4(su)->set port enable ge.1.21
p4_sw4(su)->set port vlan ge.1.21 42 no-modify-egress
p4_sw4(su)->clear vlan egress 1 ge.1.21
p4_sw4(su)->set port ingress-filter ge.1.21 enable
p4_sw4(su)->set vlan egress 42 ge.1.21 tagged

* p4sw2.1 # enable port 21
* p4sw2.2 # create vlan 42
* p4sw2.3 # configure vlan 42 ipaddress 10.42.0.3/24
* p4sw2.4 # configure vlan default delete ports 21
* p4sw2.5 # configure vlan 42 add ports 21
Relevant show output:

Switch p3_sw4 (10.42.0.1):

p3_sw4(su)->show ip address
Name            Address               Mask
------------    -------------         -----------------
host            10.42.0.1             255.255.255.0
p3_sw4(su)->show vlan portinfo port ge.1.24
 Port           VLAN      Ingress   Egress
                          Filter     Vlan
-----------------------------------------------------------------
ge.1.24        42         Y          untagged: 42
p3_sw4(su)->ping 10.42.0.2
10.42.0.2 is alive
p3_sw4(su)->ping 10.42.0.3
10.42.0.3 is alive

Switch p4_sw4 (10.42.0.2):

p4_sw4(su)->show vlan portinfo port ge.1.21;ge.1.24
 Port           VLAN      Ingress   Egress
                          Filter     Vlan
-----------------------------------------------------------------
ge.1.21        42         Y          tagged: 42
ge.1.24        42         Y          tagged: 42
p4_sw4(su)->show ip address
Name            Address               Mask
------------    -------------         -----------------
host            10.42.0.2             255.255.255.0
p4_sw4(su)->ping 10.42.0.1
10.42.0.1 is alive
p4_sw4(su)->ping 10.42.0.3
10.42.0.3 is alive

Switch p4sw2 (10.42.0.3):

* p4sw2.1 # show vlan | include 42
VLAN_0042       42   10.42.0.3      /24  ----------------------------  ANY    1 /1   VR-Default
* p4sw2.4 # show vlan VLAN_0042 | include "Ports:|Untag:"
    Ports:   1.           (Number of active ports=1)
       Untag:     *21
* p4sw2.5 # ping 10.42.0.1
Ping(ICMP) 10.42.0.1: 4 packets, 8 data bytes, interval 1 second(s).
16 bytes from 10.42.0.1: icmp_seq=0 ttl=64 time=0.716 ms
16 bytes from 10.42.0.1: icmp_seq=1 ttl=64 time=0.793 ms
16 bytes from 10.42.0.1: icmp_seq=2 ttl=64 time=0.756 ms
16 bytes from 10.42.0.1: icmp_seq=3 ttl=64 time=0.768 ms

--- 10.42.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% loss
round-trip min/avg/max = 0/0/0 ms
* p4sw2.6 # ping 10.42.0.2
Ping(ICMP) 10.42.0.2: 4 packets, 8 data bytes, interval 1 second(s).
16 bytes from 10.42.0.2: icmp_seq=0 ttl=64 time=0.710 ms
16 bytes from 10.42.0.2: icmp_seq=1 ttl=64 time=0.767 ms
16 bytes from 10.42.0.2: icmp_seq=2 ttl=64 time=1.031 ms
16 bytes from 10.42.0.2: icmp_seq=3 ttl=64 time=0.683 ms

--- 10.42.0.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% loss
round-trip min/avg/max = 0/0/1 ms
Not only ExtremeEOS as used on the C5, but also e.g. the Broadcom FASTPATH switch operating system, allows configuring VLAN egress independently from VLAN ingress, which is needed to create the bidirectional links with asymmetrical configuration for this test.

Best regards,
Erik
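A small Python model of the ingress behaviour discussed in Scott's and Erik's replies above, added here as an illustration; it is not code from the thread, from Cumulus, or from any switch vendor. It parses a single 802.1Q tag, classifies a frame against a port configuration (native VLAN, allowed tagged VIDs, and whether a frame tagged with the native VLAN is accepted, which is the point on which the Cumulus example and the C5/X460G2 test differ), and includes an audit helper that lists the tagged frames an access-only port would have accepted, which is the condition a port policy should deny. The port configurations, MAC addresses and frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Constructed sample frame; optionally inserts one 802.1Q tag after the MAC addresses."""
    hdr = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP (3 bits), DEI (1 bit, left 0), VID (12 bits)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, a single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid, pcp = tci & 0x0FFF, tci >> 13
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": etype, "payload": frame[offset:]}


@dataclass(frozen=True)
class PortConfig:
    pvid: int                   # native VLAN: untagged ingress frames land here
    vids: frozenset             # VLAN IDs accepted tagged (a pure access port leaves this empty)
    tagged_pvid_accepted: bool  # whether a frame tagged with the native VLAN is accepted


def classify_ingress(port: PortConfig, frame: bytes) -> tuple:
    """Return ("accept", vlan) or ("drop", reason) for one ingress frame."""
    vid = parse_frame(frame)["vid"]
    if vid is None or vid == 0:            # untagged or priority-tagged: native VLAN
        return ("accept", port.pvid)
    if vid == port.pvid:
        if port.tagged_pvid_accepted:      # the C5 / X460G2 behaviour in Erik's test
            return ("accept", port.pvid)
        return ("drop", "tagged with the native VLAN")   # the Cumulus swp32s1 example
    if vid in port.vids:
        return ("accept", vid)
    return ("drop", "VLAN %d not allowed on port" % vid)


def audit_access_port(port: PortConfig, frames) -> list:
    """Defender check: for a port meant to carry only untagged traffic, list every
    tagged frame the port would still have accepted, as (source MAC, VID, VLAN)."""
    findings = []
    for frame in frames:
        hdr = parse_frame(frame)
        if hdr["vid"] is None:
            continue
        verdict, detail = classify_ingress(port, frame)
        if verdict == "accept":
            findings.append((hdr["src"].hex(":"), hdr["vid"], detail))
    return findings


# Constructed addresses and port configurations (hypothetical values).
HOST = bytes.fromhex("02000000000a")
SWITCH = bytes.fromhex("020000000001")
CUMULUS_TRUNK = PortConfig(pvid=10, vids=frozenset({10, 20, 30}), tagged_pvid_accepted=False)
C5_ACCESS = PortConfig(pvid=42, vids=frozenset(), tagged_pvid_accepted=True)


def demo() -> dict:
    """Run the four cases the thread discusses and return the verdicts."""
    body = b"\x45" + b"\x00" * 19          # placeholder IPv4 header bytes, constructed
    return {
        "cumulus_untagged": classify_ingress(CUMULUS_TRUNK, build_frame(SWITCH, HOST, ETHERTYPE_IPV4, body)),
        "cumulus_tagged_10": classify_ingress(CUMULUS_TRUNK, build_frame(SWITCH, HOST, ETHERTYPE_IPV4, body, vid=10)),
        "cumulus_tagged_20": classify_ingress(CUMULUS_TRUNK, build_frame(SWITCH, HOST, ETHERTYPE_IPV4, body, vid=20)),
        "c5_tagged_42": classify_ingress(C5_ACCESS, build_frame(SWITCH, HOST, ETHERTYPE_IPV4, body, vid=42)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The `tagged_pvid_accepted` flag is the whole difference between the two replies: with it off, the model reproduces the dropped ping from eth0.10 in the Cumulus example; with it on, it reproduces the C5 accepting tagged VLAN 42 frames on an access port. `audit_access_port` is the check to run over captured frames from a port that is supposed to be untagged-only: any finding means the port is accepting a tag it was not meant to.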
Yes, thanks for your help.
