Solved

Setting bridge VLAN filter flags with Linux commands

  • 12 March 2020
  • 7 replies
  • 136 views

Hi,

 

I want to change the default “PVID, Egress Untagged” flag on my port from a VLAN-aware bridge to only “PVID”. I can do it from the command line:

$ bridge vlan show
port    vlan ids
br0     4080
isl     4080 PVID Egress Untagged

$ bridge vlan add vid 4080 dev isl pvid tagged

$ bridge vlan show
port    vlan ids
br0     4080
isl     4080 PVID

 

How do I config it in the /etc/network/interfaces* file?


Best answer by Nick Mitchell 12 March 2020, 21:35


7 replies

Userlevel 2

Hi chuyee,

The PVID is the primary VLAN ID or untagged VLAN on the port. If you wish to ensure a specific VLAN is tagged, it should be a member of the bridge VIDs, and a different VLAN should be configured as the PVID.

This is specified within /etc/network/interfaces under the bridge stanza, and could look something like the following:

auto bridge
iface bridge
    bridge-ports swp1 swp2
    bridge-pvid 1
    bridge-vids 4080
    bridge-vlan-aware yes

The above config would result in the following:

$ bridge vlan show
port    vlan ids
swp1    1 PVID Egress Untagged
        4080

swp2    1 PVID Egress Untagged
        4080

Note that the PVID or untagged VLAN is now VLAN 1 because of the configuration under the bridge. All other VLANs in the VIDs list will be tagged.

More information is available in the documentation here: https://docs.cumulusnetworks.com/cumulus-linux-37/Layer-2/Ethernet-Bridging-VLANs/VLAN-aware-Bridge-Mode/#configure-a-vlan-aware-bridge

Nick, thanks for your reply. But this is not what I want. I want the PVID to be 4080 and egress to be tagged. Here is what I do in my config, but I wonder if there is a better way. I thought this requirement would be a pretty common configuration on switches…

 

auto br0
iface br0
    bridge-ports swp1 swp2 swp3 swp50 isl
    bridge-vlan-aware yes
    bridge-pvid 4080
    bridge-vids 4080
    post-up bridge vlan add vid 4080 dev isl pvid tagged

 

Now it looks like

# bridge vlan show
port    vlan ids
swp1    4080 PVID Egress Untagged
swp2    4080 PVID Egress Untagged
swp3    4080 PVID Egress Untagged
swp50   4080 PVID Egress Untagged
br0     4080
isl     4080 PVID

Userlevel 2

Hi chuyee,

The nature of the PVID is that it is untagged. You can think of this as the native VLAN on the port. If you want this VLAN to be tagged, then it should be in the VIDs list.

If I’m reading your latest update correctly, then you want to accept untagged traffic and associate with VLAN 4080, but send all traffic out of the switch tagged when in VLAN 4080. Am I understanding correctly?

I’d be interested to understand more of your use case, as this is not a common requirement. By configuring access ports and utilizing VLAN filtering/pruning we can change which VLANs are tagged on different ports within the bridge. It is normal for a VLAN to either be tagged or untagged both ingress and egress on an interface, not tagged in one direction and untagged in the other.

Thanks for asking. I’d be happy to describe my usage scenario.

 

Say I’m operating a data center. I have two vendors, VendorA and VendorB. Each of them brings their appliances (nodes, switches) into my data center. I have my own switch which connects to my DNS, router, etc. I also assign a switch port to each of the vendors and assign them a VLAN (VendorA: VLAN 100 on swp1, VendorB: VLAN 200 on swp2; it’s a trunk on the vendor’s switch port). The PVID on my switch is the default 1. Both vendors need to access my DNS on swp50.

 

Instead of creating a virtual DNS service for each vendor, I’d like them to share my DNS on swp50. So I assign VLAN for my ports:

swp1: 1, 100

swp2: 1, 200

swp50: 1, 100, 200

So for incoming traffic everything looks good. VendorA sends frames with tag=100 on swp1 to reach swp50. However, on the way back, swp50 sends tag=1 to swp1. The “tag=1” will be removed (see the Egress Untagged) when it leaves swp1 to VendorA’s switch. VendorA’s switch will discard the frame because it’s configured with bridge-allow-untagged no (which is totally valid).

Is there any better solution for how to make this work on the switch side?
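The two posts above (Nick's explanation of what "PVID" and "Egress Untagged" mean per port, and the swp1/swp2/swp50 VLAN assignment in the use case) can be checked mechanically from `bridge vlan show` output. The script below is an added example, not code from the thread or from Cumulus Linux: it parses the text format shown in the thread (port name on the first line, continuation lines carrying further VIDs, "PVID" and "Egress Untagged" as flags), summarizes how each port treats each VLAN, and flags the two things that bit this setup: a VLAN that spans both tenant ports (one shared L2 domain), and a PVID that is also egress-untagged (so a peer trunk that rejects untagged frames drops the reply). The sample output, the `audit` and `shared_vlans` helper names, and the port-to-tenant mapping are my own constructions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class PortVlans:
    """VLAN membership of one bridge port as 'bridge vlan show' reports it."""
    vids: Set[int] = field(default_factory=set)             # VLANs allowed through the port
    pvid: Optional[int] = None                              # VID assigned to untagged ingress frames
    egress_untagged: Set[int] = field(default_factory=set)  # VIDs whose tag is stripped on egress

    def egress_tagged(self) -> Set[int]:
        return self.vids - self.egress_untagged


def parse_bridge_vlan_show(text: str) -> Dict[str, PortVlans]:
    """Parse 'bridge vlan show' text (assumed format, as printed in the thread).

    A line starting with a port name opens that port's entry; lines starting with a
    VID are continuation lines for the current port. Ranges like '100-110' expand.
    """
    table: Dict[str, PortVlans] = {}
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[:2] == ["port", "vlan"]:   # blank line or header
            continue
        if not re.fullmatch(r"\d+(-\d+)?", tokens[0]):
            current = tokens.pop(0)
            table.setdefault(current, PortVlans())
        if current is None or not tokens:
            continue
        lo, _, hi = tokens[0].partition("-")
        vids = range(int(lo), int(hi or lo) + 1)
        flags = " ".join(tokens[1:])
        entry = table[current]
        entry.vids.update(vids)
        if "PVID" in flags:
            entry.pvid = vids[0]
        if "Egress Untagged" in flags:
            entry.egress_untagged.update(vids)
    return table


def shared_vlans(table: Dict[str, PortVlans], ports: List[str]) -> Set[int]:
    """VIDs present on every listed port, i.e. one L2 domain spanning all of them."""
    return set.intersection(*(table[p].vids for p in ports))


def audit(table: Dict[str, PortVlans], tenant_ports: List[str]) -> List[str]:
    """Findings for ports that are supposed to belong to different tenants (hypothetical check)."""
    findings = []
    common = shared_vlans(table, tenant_ports)
    if common:
        findings.append(f"VLAN(s) {sorted(common)} span {tenant_ports}: tenants share one L2 domain")
    for port in tenant_ports:
        entry = table[port]
        if entry.pvid is not None and entry.pvid in entry.egress_untagged:
            findings.append(f"{port}: PVID {entry.pvid} leaves untagged; a peer trunk that "
                            "rejects untagged frames will drop it")
    return findings


# Constructed sample in the thread's own 'bridge vlan show' layout: the swp1/swp2/swp50
# assignment from the use case, plus an 'isl' port whose PVID is sent tagged.
SAMPLE = """\
port vlan ids
swp1 1 PVID Egress Untagged
100

swp2 1 PVID Egress Untagged
200

swp50 1 PVID Egress Untagged
100
200

isl 4080 PVID

br0 1
"""

if __name__ == "__main__":
    table = parse_bridge_vlan_show(SAMPLE)
    for port, entry in table.items():
        print(port, "pvid", entry.pvid, "tagged", sorted(entry.egress_tagged()),
              "untagged", sorted(entry.egress_untagged))
    for finding in audit(table, ["swp1", "swp2"]):
        print("FINDING:", finding)
```

On a live box, feed it `bridge vlan show` output (for example `parse_bridge_vlan_show(subprocess.check_output(["bridge", "vlan", "show"], text=True))`) and pass the ports handed to different customers as `tenant_ports`; an empty `shared_vlans` result is what you want to see between tenants.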

Userlevel 2

Where do the gateways for these networks reside? Assuming VLAN 100, 200, and 1 where the DNS reside are using different subnets, we should be able to allow routing to handle the connectivity for devices in VLAN 100 and 200 to reach the DNS server.

In a configuration like the above, we’ve essentially bridged the two L2 domains together. In many cases this is not desirable.

An alternative approach would be to use a traditional bridge instead of a VLAN-aware bridge, which will allow for VLAN translation. However this will still result in bridging the two L2 domains together. An example of what the traditional bridge config might look like for VLAN translation:

auto br0
iface br0
    bridge-ports swp1.100 swp2.200 swp50
    bridge-stp on

This will allow frames arriving on swp1 tagged VLAN 100 or swp2 tagged VLAN 200 to be sent on swp50 untagged. Assuming the return packet arrives on swp50 untagged, it will be forwarded via swp1 tagged 100 or swp2 tagged 200 depending on the MAC forwarding table.

Thanks Nick. This seems to work! So for a traditional bridge, is the behavior below correct?

  1. incoming frames must contain the correct tag on the corresponding port to be allowed into the bridge
  2. all tags are removed after the frames enter the bridge
  3. when frames leave the bridge, a tag is added back according to the port from which they are leaving

If the above is correct, I think the traditional bridge is what I’m looking for.

BTW, for my scenario, the IPs (VendorA, VendorB, DNS) are in the same subnet and no router is required, just to keep things simple.

Userlevel 2

That is a good way to think of it. We specify which interfaces are members of the bridge, and which tags we expect on each port. When a frame arrives on an interface, it must match the expected VLAN tag to be associated with the bridge and potentially forwarded out another bridge port. When the packet is sent out a port in the bridge, the tag will always be whichever tag is specified for that member port.
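To make the difference between the two designs in this thread concrete, here is an added example (my own model, not Cumulus or kernel code) that builds real 802.1Q frames and runs them through a simplified VLAN-aware bridge (untagged ingress gets the PVID, the VID must be in the port's list, egress strips the tag only for "Egress Untagged" VLANs) and through a traditional bridge whose members are VLAN sub-interfaces (`swp1.100` admits only frames tagged 100 on swp1 and re-tags 100 on the way out, a bare `swp50` handles untagged frames). It then traces the use case from the thread: VendorA on swp1/VLAN 100 queries the DNS host on swp50, and the host replies untagged. The model ignores STP, uses a single learning table, floods unknown destinations to every other member, and uses constructed MAC addresses; `bridge-allow-untagged no` on the vendor side is modelled by `vendor_trunk_accepts`.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def build_frame(dst: bytes, src: bytes, vid: Optional[int], payload: bytes) -> bytes:
    """Ethernet frame with an 802.1Q tag (TPID 0x8100, PCP/DEI 0) when vid is given."""
    tag = struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ETH_P_IP) + payload


def split_frame(frame: bytes):
    """(dst, src, vid-or-None, rest) where rest starts at the inner EtherType."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] == ETH_P_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return dst, src, tci & 0x0FFF, frame[16:]
    return dst, src, None, frame[12:]


def retag(frame: bytes, vid: Optional[int]) -> bytes:
    """Strip the tag (vid None) or replace/insert it with the given VID."""
    dst, src, _, rest = split_frame(frame)
    tag = struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + rest


def vendor_trunk_accepts(frame: bytes, allow_untagged: bool = False) -> bool:
    """The vendor's trunk port: with allow_untagged False (bridge-allow-untagged no) it drops untagged frames."""
    return allow_untagged or split_frame(frame)[2] is not None


@dataclass
class VlanAwarePort:
    vids: Set[int]          # bridge-vids plus the PVID
    pvid: Optional[int]     # VID given to untagged ingress; None = untagged frames dropped
    untagged: Set[int]      # VIDs flagged 'Egress Untagged'


class VlanAwareBridge:
    """Simplified VLAN-aware bridge: per-VLAN learning table keyed by (vid, mac)."""
    def __init__(self, ports: Dict[str, VlanAwarePort]):
        self.ports, self.fdb = ports, {}

    def forward(self, in_port: str, frame: bytes) -> Dict[str, bytes]:
        port = self.ports[in_port]
        dst, src, vid, _ = split_frame(frame)
        vid = port.pvid if vid is None else vid
        if vid is None or vid not in port.vids:
            return {}                                   # ingress filtered
        self.fdb[(vid, src)] = in_port
        known = self.fdb.get((vid, dst))
        targets = [known] if known else [n for n in self.ports if n != in_port]
        return {n: retag(frame, None if vid in self.ports[n].untagged else vid)
                for n in targets if vid in self.ports[n].vids}


class TraditionalBridge:
    """Simplified non-VLAN-aware bridge over members such as 'swp1.100' and 'swp50'."""
    def __init__(self, members: List[str]):
        self.members, self.fdb = {}, {}                 # member -> (phys, vid); mac -> member
        for m in members:
            phys, _, vid = m.partition(".")
            self.members[m] = (phys, int(vid) if vid else None)

    def forward(self, phys_in: str, frame: bytes) -> Dict[str, bytes]:
        dst, src, vid, _ = split_frame(frame)
        entry = next((m for m, key in self.members.items() if key == (phys_in, vid)), None)
        if entry is None:
            return {}                                   # no member expects this tag on this port
        self.fdb[src] = entry
        known = self.fdb.get(dst)
        targets = [known] if known else [m for m in self.members if m != entry]
        return {m: retag(frame, self.members[m][1]) for m in targets}


def run_scenario() -> dict:
    """VendorA (swp1, tag 100) queries the DNS host on swp50; the host replies untagged."""
    vendor_a, dns = b"\x02\x00\x00\x00\x00\xa1", b"\x02\x00\x00\x00\x00\xd0"   # constructed MACs
    query = build_frame(dns, vendor_a, 100, b"dns-query")
    reply = build_frame(vendor_a, dns, None, b"dns-reply")
    aware = VlanAwareBridge({"swp1": VlanAwarePort({1, 100}, 1, {1}),
                             "swp2": VlanAwarePort({1, 200}, 1, {1}),
                             "swp50": VlanAwarePort({1, 100, 200}, 1, {1})})
    a_out = aware.forward("swp1", query)
    a_back = aware.forward("swp50", reply)              # reply is on VLAN 1: floods to both vendors, untagged
    trad = TraditionalBridge(["swp1.100", "swp2.200", "swp50"])
    t_out = trad.forward("swp1", query)
    t_back = trad.forward("swp50", reply)               # learned via swp1.100: leaves swp1 tagged 100
    vid_of = lambda out: {p: split_frame(f)[2] for p, f in out.items()}
    return {"aware_query": vid_of(a_out), "aware_reply": vid_of(a_back),
            "trad_query": vid_of(t_out), "trad_reply": vid_of(t_back),
            "trad_wrong_tag": trad.forward("swp1", build_frame(dns, vendor_a, 200, b"x")),
            "vendor_a_accepts": {"aware": vendor_trunk_accepts(a_back["swp1"]),
                                 "trad": vendor_trunk_accepts(t_back["swp1.100"])}}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The trace shows both of Nick's points at once: in the VLAN-aware layout the reply leaves swp1 untagged on VLAN 1 and VendorA's trunk discards it, while in the traditional layout it leaves swp1 tagged 100; but in both layouts the first query (unknown destination) is flooded towards the other vendor as well, which is the "two L2 domains bridged together" caveat.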
