Linux VLAN-aware bridges and trunk ports


When using the bridge vlan command, you can add (or delete) a range of VLAN IDs in a single shot. For example:

# bridge vlan add vid 2-4094 dev eth0

will add all available VLANs to the trunk interface eth0 (0 and 4095 are reserved in the protocol and must not (nor can) be used; 1 is set by default as the PVID untagged VLAN ID, so it should be avoided or, perhaps better, removed).

# bridge vlan show dev eth0
eth0     1 PVID Egress Untagged
         2
         3
[...]
         4093
         4094

# bridge -c vlan show dev eth0
port    vlan ids
eth0     1 PVID Egress Untagged
         2-4094

Here -c stands for -c[ompressvlans] rather than -c[olor]: the bridge man page (at least up to iproute2-ss191125) completely lacks information about this option.

Deleting a range works as one could expect:

# bridge vlan del vid 100-200 dev eth0
# bridge -c vlan show
port    vlan ids
bridge0  1 PVID Egress Untagged

eth1     1 Egress Untagged
         10 PVID Egress Untagged

eth0     1 PVID Egress Untagged
         2-99
         201-4094

Internally all are handled using a (hashed) list of individual VLANs.


Note 1

Cumulus Networks (known to mostly use Linux's native network stack on their network equipment) has some old (and newer) examples about this:

Consider the following example bridge:

auto bridge
iface bridge
  bridge-vlan-aware yes
  bridge-ports swp1 swp9
  bridge-vids 2-100
  bridge-pvid 101
  bridge-stp on

Here is the VLAN membership for that configuration:

cumulus@switch$ bridge -c vlan show
port     vlan ids
swp1     101 PVID Egress Untagged
         2-100

swp9     101 PVID Egress Untagged
         2-100

bridge   101

The configuration file used is the interfaces file from ifupdown2 (and its addons), actually developed by Cumulus Networks to replace ifupdown, with a mostly compatible syntax, but much improved bridge and VLAN support.


Note 2

I didn't find any evidence of a special flag that automatically floods all VLANs to a bridge port. This kernel commit says that VID 4095 is documented in IEEE 802.1Q as having restrictions but being allowed for management operations as a wildcard match for the VID, but Linux doesn't seem to use such a method.
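
Since there is no "carry everything" flag, a trunk port only forwards the VIDs explicitly listed on it, so a gap in that list silently drops an access port's traffic. The following is an added example, not part of the original answer: it parses `bridge -c vlan show` output (the compressed or the one-VID-per-line form), reports access-port PVIDs the trunk does not carry, and flags a trunk that still has the default untagged PVID 1. The sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format of `bridge -c vlan show`; it reproduces the
# question's failure: eth1 has PVID 10 but the trunk eth0 does not carry VID 10.
SAMPLE = """\
port    vlan ids
bridge0  1 PVID Egress Untagged

eth1     1 Egress Untagged
         10 PVID Egress Untagged

eth0     1 PVID Egress Untagged
         2-9
         11-4094
"""

def parse_vlan_show(text):
    """Return {port: {"vids": set, "pvid": int or None, "untagged": set}}."""
    ports, current = {}, None
    for line in text.splitlines():
        if not line.strip() or re.match(r"port\s+vlan", line):
            continue                      # blank separator or header line
        fields = line.split()
        if not line[0].isspace():         # a port name starts in column 0
            name = fields.pop(0)
            current = ports.setdefault(
                name, {"vids": set(), "pvid": None, "untagged": set()})
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", fields[0]) if fields else None
        if current is None or m is None:
            continue                      # not a VLAN entry
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        vids = set(range(lo, hi + 1))     # expand "2-9" into individual VIDs
        current["vids"] |= vids
        if "PVID" in fields[1:]:
            current["pvid"] = lo
        if "Untagged" in fields[1:]:
            current["untagged"] |= vids
    return ports

def audit_trunk(ports, trunk):
    """Return (port PVIDs the trunk does not carry, trunk keeps PVID 1 untagged)."""
    t = ports[trunk]
    missing = {name: p["pvid"] for name, p in ports.items()
               if name != trunk and p["pvid"] is not None
               and p["pvid"] not in t["vids"]}
    return missing, (t["pvid"] == 1 and 1 in t["untagged"])

if __name__ == "__main__":
    print(audit_trunk(parse_vlan_show(SAMPLE), "eth0"))
```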


Comments

  • Tom
    Tom over 1 year

    I have an ethernet port attached to a bridge:

    $ brctl show
    bridge name bridge id       STP enabled interfaces
    eth0_bridge     8000.6a612bcc4723   yes     eth0
    

    The bridge is VLAN-aware (i.e., /sys/class/net/eth0_bridge/bridge/vlan_filtering is 1). I want to be able to add other interfaces to that bridge and assign VLANs to them, like this:

    ip link set eth1 master eth0_bridge
    bridge vlan add dev eth1 vid 10 pvid untagged
    

    This should connect untagged traffic on eth1 to VLAN 10 on eth0. But no traffic gets through until I:

    bridge vlan add dev eth0 vid 10
    

    Once I've done this, then everything works as needed. But is there no way to tell it that eth0 is a trunk port on bridge eth0_bridge that should carry all VLANs and then do the VLAN filtering on egress from the bridge?

  • Tom
    Tom over 4 years
    You, sir, are awesome.