How do VLAN access ports and trunk ports work on Linux?


The bridge always does the work, because the bridge is the closest equivalent of an Ethernet switch. ("MAC Bridge" is the actual term used by IEEE 802.1D, and so Ethernet switches are just a specific implementation of bridging.)

Therefore on Linux, the physical interfaces must belong to a 'bridge' interface in order for L2 frames to be forwarded. (It is wrong to think of the entire Linux system as a single giant switch, because you can have multiple bridges with completely independent L2 domains, each having its own "VLAN 10".)

That said, yes, on Linux you can configure per-port VLANs using the bridge vlan command. To use this configuration mode, first enable VLAN filtering on your bridge:

ip link set br0 type bridge vlan_filtering 1

Add both physical ports:

ip link set eth3 master br0
ip link set eth0 master br0

Finally add VLAN-to-port bindings:

bridge vlan add dev eth3 vid 10
bridge vlan add dev eth0 vid 10 pvid untagged
bridge vlan delete dev eth0 vid 1

This mode also has the advantage of correctly supporting (R)STP on the bridge.


Note: If you want the Linux host itself to participate in multiple VLANs, then you will still need 'vlan' interfaces, and you will also have to add the VLAN IDs to the filter (using the self keyword).

bridge vlan add dev br0 vid 10 self
ip link add br0.10 link br0 type vlan id 10
ip addr add x.x.x.x/xx dev br0.10
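
Added example (not part of the original answer): a shell function that reads `bridge vlan show` output and reports, per port, whether the filter table makes it an access or a trunk port and whether VLAN 1 is still its PVID. The sample input is constructed, modeled on the state after the commands above and assuming the kernel's default PVID of 1; the function names and the output format are this example's own.

```shell
#!/bin/sh
# Audit per-port VLAN membership from the default `bridge vlan show` text output.
# On a live host: bridge vlan show | audit_bridge_vlans
# Output, one line per port:
#   <port> <access|trunk|none> pvid=<id|none> tagged=<ids|-> [native-vlan-1]
audit_bridge_vlans() {
    awk '
    function emit(   mode, line) {
        if (port == "") return
        mode = (tagged != "") ? "trunk" : ((pvid != "") ? "access" : "none")
        line = port " " mode " pvid=" ((pvid == "") ? "none" : pvid)
        line = line " tagged=" ((tagged == "") ? "-" : tagged)
        # PVID 1 still present: untagged frames arriving on this port
        # are classified into VLAN 1.
        if (pvid == "1") line = line " native-vlan-1"
        print line
        port = ""
    }
    $1 == "port" && $2 ~ /^vlan/ { next }    # header line
    NF == 0 { next }                         # blank separator line
    /^[^ \t]/ { emit(); port = $1; pvid = ""; tagged = ""; vid = $2 }
    /^[ \t]/  { vid = $1 }                   # continuation line: VID only
    {
        if (vid == "") next                  # port with no VLANs listed
        if ($0 ~ /PVID/) pvid = vid
        if ($0 !~ /Egress Untagged/)
            tagged = (tagged == "") ? vid : tagged "," vid
    }
    END { emit() }
    '
}

# Constructed sample: eth3 is the trunk, eth0 the access port, and br0 has
# had VLAN 10 added with the "self" keyword.
sample_bridge_vlan_show() {
    printf 'port\tvlan ids\n'
    printf 'eth3\t 1 PVID Egress Untagged\n\t 10\n\n'
    printf 'eth0\t 10 PVID Egress Untagged\n\n'
    printf 'br0\t 1 PVID Egress Untagged\n\t 10\n'
}

sample_bridge_vlan_show | audit_bridge_vlans
```

In the sample, eth0 is reported as an access port for VLAN 10, while eth3 and br0 are reported as trunks that still accept untagged frames into VLAN 1, because only eth0 had `vid 1` deleted.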

Author: Bob Naboka

Updated on September 18, 2022

Comments

  • Bob Naboka
    Bob Naboka over 1 year

    I just spent half a day trying to figure out how to perform basic VLAN configuration on a Linux machine. I found some resources on the web, but from them it is not clear how to configure an access port and a trunk port on Linux machines. Some of the links:

    article on access.redhat.com

    article on linuxjournal.com

    In the end I was able to create a "kind of" VLANed network in the following way. Here is my network:

    Picture of Network with one VLAN

    2 client PCs (numbered 4 and 6) on top and 2 "PC switches" (numbered 1 and 3) on the bottom.

    I want to be able to create several access ports with VLANs on KaliLinuxCLI_2-1 and KaliLinuxCLI_2-3 (currently there is only one port/VLAN for ease of explanation and configuration) and 1 trunk port between the PCs.

    I did the following configuration:

    • KaliLinuxCLI_2-4 and KaliLinuxCLI_2-6: added IP addresses in the same netmask.

    • KaliLinuxCLI_2-1 and KaliLinuxCLI_2-4:

    Added a virtual interface with tag 10 for trunk interface eth3:

    ip link add link eth3 name eth3.10 type vlan id 10 
    

    Created a bridge for vlan 10:

    ip link add brvlan10 type bridge
    

    Added the trunk virtual interface eth3.10 and the kind of "access" interface eth0, which I basically didn't configure at all, to bridge brvlan10:

    ip link set eth3.10 master brvlan10
    ip link set eth0 master brvlan10
    

    I also turned on all of the interfaces with ip link set <iface_name> up

    That's it. It did work:

    • I was able to ping from KaliLinuxCLI_2-4 to KaliLinuxCLI_2-6
    • I was able to see the tagged frames between KaliLinuxCLI_2-1 and KaliLinuxCLI_2-3
    • I think I could have even added more PCs like KaliLinuxCLI_2-2 and 6 and added more VLANs in the way I did, and I am sure that it could work.

    The thing that is bothering me is that the bridges do all the work here. Currently bridges are used to connect the "kind of" access ports (eth0) to the specific "trunk" interface with a VLAN so that frames are forwarded to the next PC.

    How I think it should work is that an access port should be somehow configured with a VLAN, so that the Linux PC switches the frame according to the VLAN and destination MAC address, instead of blindly forwarding it where the bridge wants to.

    Is it possible on Linux to configure VLAN access ports like this? Is there a better way to do basic VLAN configuration on Linux machines?

    Thanks!

  • Bob Naboka
    Bob Naboka about 5 years
    Thanks a lot! Very helpful! I will try out your configuration, but to me it seems reasonable!
  • Bob Naboka
    Bob Naboka about 5 years
    It works like a charm!! This is the solution I was looking for - no more per-VLAN bridges and VLAN interfaces