Linux VLAN Configuration
Within this document, we'll explore the setup of Linux bridging and VLANs to achieve layer two isolation. Additionally, we'll delve into inter-VLAN routing, facilitating communication across distinct VLANs.
Required Linux Modules
root@dent-1:~# lsmod
bridge 413696 1 br_netfilter
stp 12288 2 bridge
llc 16384 3 bridge,stp
Topology:

Configuration:
The configuration shown here covers dent-1 only.
Requirements
- Configure enp0s11 as access VLAN 10 on dent-1 and dent-2.
- Configure enp0s12 as access VLAN 20 on dent-1.
- Configure enp0s4 and enp0s5 links as trunk links with VLAN 10 and 20 allowed and tagged on dent-1.
- Configure enp0s4 and enp0s5 links as trunk links with VLAN 10 and 20 allowed and tagged on dent-2.
- Create interface VLAN10 (SVI) on dent-1 with IP address 192.168.10.1/24.
- Create interface VLAN20 (SVI) on dent-1 with IP address 192.168.20.1/24.
- Create interface VLAN10 (SVI) on dent-2 with IP address 192.168.10.2/24.
Access Port Configuration:
- Create bridge br1 with vlan_filtering and stp_state enabled.
The step is shown in ONM-CLI, IPROUTE2 and NETCONF form, in that order:
dent-1(config)# links-iproute2
dent-1(config-links-iproute2)# bridge br1
dent-1(config-bridge[name='br1'])# admin-status up
dent-1(config-bridge[name='br1'])# br-info vlan_filtering 1
dent-1(config-bridge[name='br1'])# br-info stp_state 1
ip link add name br1 type bridge stp_state 1 vlan_filtering 1
ip link set br1 up
<config>
<links xmlns="urn:okda:iproute2:ip:link" xmlns:yang="urn:ietf:params:xml:ns:yang:1">
<bridge>
<name>br1</name>
<br-info>
<stp_state>1</stp_state>
<vlan_filtering>1</vlan_filtering>
</br-info>
</bridge>
</links>
</config>
By default, STP is disabled on the bridge.
Since we have redundant links, we need to enable it.
- Add enp0s11 and enp0s12 to bridge br1 using the master argument, and add their respective VLANs as untagged and pvid.
The step is shown in ONM-CLI, IPROUTE2 and NETCONF form, in that order:
dent-1(config-links-iproute2)# link enp0s11
dent-1(config-[name='enp0s11'])# master br1
dent-1(config-[name='enp0s11'])# bridge-conf vlan 10
dent-1(config-vlan[vid='10'])# pvid true
dent-1(config-vlan[vid='10'])# untagged true
dent-1(config-vlan[vid='10'])# exit
dent-1(config-[name='enp0s11'])# exit
dent-1(config-links-iproute2)# link enp0s12
dent-1(config-[name='enp0s12'])# master br1
dent-1(config-[name='enp0s12'])# bridge-conf vlan 20
dent-1(config-vlan[vid='20'])# pvid true
dent-1(config-vlan[vid='20'])# untagged true
dent-1(config-vlan[vid='20'])# commit
ip link set name enp0s11 master br1 up
ip link set name enp0s12 master br1 up
bridge vlan add vid 20 dev enp0s12 pvid untagged
bridge vlan add vid 10 dev enp0s11 pvid untagged
<config>
<links xmlns="urn:okda:iproute2:ip:link" xmlns:yang="urn:ietf:params:xml:ns:yang:1">
<link>
<name>enp0s11</name>
<master>br1</master>
<bridge-conf>
<vlan>
<vid>10</vid>
<pvid>true</pvid>
<untagged>true</untagged>
</vlan>
</bridge-conf>
</link>
<link>
<name>enp0s12</name>
<master>br1</master>
<bridge-conf>
<vlan>
<vid>20</vid>
<pvid>true</pvid>
<untagged>true</untagged>
</vlan>
</bridge-conf>
</link>
</links>
</config>
The PVID option indicates that any incoming traffic
from this link will be placed in the specified VLAN.
The untagged option indicates that all egress traffic on this
interface will be untagged. Both options are equivalent to
Cisco's switchport mode access command.
Trunk Port Configuration:
- Add enp0s4 and enp0s5 to bridge br1, then add VLAN 10 and 20 to them as tagged VLANs.
The step is shown in ONM-CLI, IPROUTE2 and NETCONF form, in that order:
dent-1(config-links-iproute2)# link enp0s4
dent-1(config-[name='enp0s4'])# admin-status up
dent-1(config-[name='enp0s4'])# master br1
dent-1(config-[name='enp0s4'])# bridge-conf vlan 10
dent-1(config-vlan[vid='10'])# exit
dent-1(config-[name='enp0s4'])# bridge-conf vlan 20
dent-1(config-vlan[vid='20'])# exit
dent-1(config-[name='enp0s4'])# exit
dent-1(config-links-iproute2)# link enp0s5
dent-1(config-[name='enp0s5'])# admin-status up
dent-1(config-[name='enp0s5'])# master br1
dent-1(config-[name='enp0s5'])# bridge-conf vlan 10
dent-1(config-vlan[vid='10'])# exit
dent-1(config-[name='enp0s5'])# bridge-conf vlan 20
dent-1(config-vlan[vid='20'])# commit
ip link set name enp0s4 up master br1
ip link set name enp0s5 up master br1
bridge vlan add vid 10 dev enp0s4
bridge vlan add vid 20 dev enp0s4
bridge vlan add vid 10 dev enp0s5
bridge vlan add vid 20 dev enp0s5
<config>
<links xmlns="urn:okda:iproute2:ip:link" xmlns:yang="urn:ietf:params:xml:ns:yang:1">
<link>
<name>enp0s4</name>
<admin-status>up</admin-status>
<master>br1</master>
<bridge-conf>
<vlan>
<vid>10</vid>
</vlan>
<vlan>
<vid>20</vid>
</vlan>
</bridge-conf>
</link>
<link>
<name>enp0s5</name>
<admin-status>up</admin-status>
<master>br1</master>
<bridge-conf>
<vlan>
<vid>10</vid>
</vlan>
<vlan>
<vid>20</vid>
</vlan>
</bridge-conf>
</link>
</links>
</config>
With trunk ports, we simply add the VLANs to the ports without
specifying PVID or untagged. This is equivalent to Cisco's
switchport trunk allowed vlan 10,20 command.
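An added check, not part of the original page or the ONM tooling: the Python below audits `bridge -json vlan show` output against the access and trunk roles configured above. It flags a trunk port that still carries VLAN 1 as PVID, which is where a port sits after joining a Linux bridge with the default default_pvid of 1 until that VLAN is removed. The JSON shape (`ifname`, `vlans`, `vlan`, `vlanEnd`, `flags`) is an assumption about the iproute2 output, and the sample data and the `POLICY` and `audit` names are constructed for this example.

```python
import json

# Port roles this page configures on dent-1 (bridge br1).
POLICY = {
    "enp0s11": ("access", {10}),
    "enp0s12": ("access", {20}),
    "enp0s4": ("trunk", {10, 20}),
    "enp0s5": ("trunk", {10, 20}),
}

# Constructed sample in the shape `bridge -json vlan show` is assumed to print;
# not captured from a device. enp0s4 kept default VLAN 1, enp0s5 lacks VLAN 20.
SAMPLE = json.dumps([
    {"ifname": "enp0s11", "vlans": [{"vlan": 10, "flags": ["PVID", "Egress Untagged"]}]},
    {"ifname": "enp0s12", "vlans": [{"vlan": 20, "flags": ["PVID", "Egress Untagged"]}]},
    {"ifname": "enp0s4", "vlans": [{"vlan": 1, "flags": ["PVID", "Egress Untagged"]},
                                   {"vlan": 10}, {"vlan": 20}]},
    {"ifname": "enp0s5", "vlans": [{"vlan": 10}]},
])

def audit(bridge_json, policy=POLICY):
    """Return findings where live VLAN membership differs from the intended roles."""
    live = {p["ifname"]: p.get("vlans", []) for p in json.loads(bridge_json)}
    findings = []
    for ifname, (mode, allowed) in policy.items():
        if ifname not in live:
            findings.append(f"{ifname}: not a bridge port")
            continue
        member, untagged, pvid = set(), set(), None
        for entry in live[ifname]:
            # A range is reported as vlan..vlanEnd; a single VLAN has no vlanEnd.
            vids = range(entry["vlan"], entry.get("vlanEnd", entry["vlan"]) + 1)
            member.update(vids)
            if "Egress Untagged" in entry.get("flags", []):
                untagged.update(vids)
            if "PVID" in entry.get("flags", []):
                pvid = entry["vlan"]
        findings += [f"{ifname}: unexpected VLAN {v}" for v in sorted(member - allowed)]
        findings += [f"{ifname}: missing VLAN {v}" for v in sorted(allowed - member)]
        if mode == "access":
            (vid,) = allowed  # an access port has exactly one VLAN
            if pvid != vid or vid not in untagged:
                findings.append(f"{ifname}: VLAN {vid} is not pvid untagged")
        elif pvid is not None:
            findings.append(f"{ifname}: trunk has PVID {pvid}, untagged ingress is accepted")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a live switch, pass the text printed by `bridge -json vlan show` to `audit()` in place of `SAMPLE`; an empty list means the ports match the roles on this page.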
Inter VLAN Routing Configuration:
To allow access between PC1 and PC2, we need to enable inter-VLAN routing between VLAN10 and VLAN20.
- Create br1.10 and br1.20 VLAN interfaces, assign IPs to them, then add VLAN 10 and 20 to the bridge br1 link.
The step is shown in ONM-CLI, IPROUTE2 and NETCONF form, in that order:
dent-1# conf t
dent-1(config)# links-iproute2
dent-1(config-links-iproute2)# vlan br1.10
dent-1(config-[name='br1.10'])# device br1
dent-1(config-[name='br1.10'])# vlan-info id 10
dent-1(config-[name='br1.10'])# admin-status up
dent-1(config-[name='br1.10'])# ip 192.168.10.10/24
dent-1(config-[name='br1.10'])# exit
dent-1(config-links-iproute2)# vlan br1.20
dent-1(config-[name='br1.20'])# device br1
dent-1(config-[name='br1.20'])# vlan-info id 20
dent-1(config-[name='br1.20'])# admin-status up
dent-1(config-[name='br1.20'])# ip 192.168.20.10/24
dent-1(config-[name='br1.20'])# exit
dent-1(config-links-iproute2)# bridge br1
dent-1(config-bridge[name='br1'])# bridge-conf vlan 10
dent-1(config-vlan[vid='10'])# self true
dent-1(config-vlan[vid='10'])# exit
dent-1(config-bridge[name='br1'])# bridge-conf vlan 20
dent-1(config-vlan[vid='20'])# self true
dent-1(config-vlan[vid='20'])# commit
ip link add name br1.10 up link br1 type vlan protocol 802.1q id 10
ip address add 192.168.10.10/24 dev br1.10
ip link add name br1.20 up link br1 type vlan protocol 802.1q id 20
ip address add 192.168.20.10/24 dev br1.20
bridge vlan add vid 10 dev br1 self
bridge vlan add vid 20 dev br1 self
<config>
<links xmlns="urn:okda:iproute2:ip:link" xmlns:yang="urn:ietf:params:xml:ns:yang:1">
<vlan>
<name>br1.10</name>
<admin-status>up</admin-status>
<device>br1</device>
<ip>
<address>192.168.10.10/24</address>
</ip>
<vlan-info>
<id>10</id>
</vlan-info>
</vlan>
<vlan>
<name>br1.20</name>
<admin-status>up</admin-status>
<device>br1</device>
<ip>
<address>192.168.20.10/24</address>
</ip>
<vlan-info>
<id>20</id>
</vlan-info>
</vlan>
<bridge>
<name>br1</name>
<bridge-conf>
<vlan>
<vid>10</vid>
<self>true</self>
</vlan>
<vlan>
<vid>20</vid>
<self>true</self>
</vlan>
</bridge-conf>
</bridge>
</links>
</config>
Full configuration:
The full configuration is shown in ONM-CLI, IPROUTE2 and NETCONF form, in that order:
link enp0s4
admin-status up
master br1
bridge-conf vlan 10
bridge-conf vlan 20
link enp0s5
admin-status up
master br1
bridge-conf vlan 10
bridge-conf vlan 20
bridge br1
admin-status up
bridge-conf vlan 10
self true
bridge-conf vlan 20
self true
br-info stp_state 1
br-info vlan_filtering 1
vlan br1.10
admin-status up
device br1
ip 192.168.10.10/24
vlan-info id 10
vlan br1.20
admin-status up
device br1
ip 192.168.20.10/24
vlan-info id 20
ip link add name br1 up type bridge stp_state 1 vlan_filtering 1
ip link add name br1.10 up link br1 type vlan protocol 802.1q id 10
ip link add name br1.20 up link br1 type vlan protocol 802.1q id 20
ip link set name enp0s4 up master br1
ip link set name enp0s5 up master br1
ip link set name enp0s11 master br1 up
ip link set name enp0s12 master br1 up
ip address add 192.168.10.10/24 dev br1.10
ip address add 192.168.20.10/24 dev br1.20
bridge vlan add vid 10 dev enp0s4
bridge vlan add vid 20 dev enp0s4
bridge vlan add vid 10 dev enp0s5
bridge vlan add vid 20 dev enp0s5
bridge vlan add vid 20 dev enp0s12 pvid untagged
bridge vlan add vid 10 dev enp0s11 pvid untagged
bridge vlan add vid 10 dev br1 self
bridge vlan add vid 20 dev br1 self
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<edit-config>
<target>
<running/>
</target>
<config xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
<links xmlns="urn:okda:iproute2:ip:link" xmlns:yang="urn:ietf:params:xml:ns:yang:1">
<link>
<name>enp0s4</name>
<admin-status>up</admin-status>
<master>br1</master>
<bridge>
<vlan>
<vid>10</vid>
</vlan>
<vlan>
<vid>20</vid>
</vlan>
</bridge>
</link>
<link>
<name>enp0s5</name>
<admin-status>up</admin-status>
<master>br1</master>
<bridge>
<vlan>
<vid>10</vid>
</vlan>
<vlan>
<vid>20</vid>
</vlan>
</bridge>
</link>
<link>
<name>enp0s11</name>
<master>br1</master>
<bridge>
<vlan>
<vid>10</vid>
<pvid>true</pvid>
<untagged>true</untagged>
</vlan>
</bridge>
</link>
<link>
<name>enp0s12</name>
<master>br1</master>
<bridge>
<vlan>
<vid>20</vid>
<pvid>true</pvid>
<untagged>true</untagged>
</vlan>
</bridge>
</link>
<bridge>
<name>br1</name>
<br-info>
<stp_state>1</stp_state>
<vlan_filtering>1</vlan_filtering>
</br-info>
<bridge-conf>
<vlan>
<vid>10</vid>
<self>true</self>
</vlan>
<vlan>
<vid>20</vid>
<self>true</self>
</vlan>
</bridge-conf>
</bridge>
<vlan>
<name>br1.10</name>
<admin-status>up</admin-status>
<device>br1</device>
<ip>
<address>192.168.10.10/24</address>
</ip>
<vlan-info>
<id>10</id>
</vlan-info>
</vlan>
<vlan>
<name>br1.20</name>
<admin-status>up</admin-status>
<device>br1</device>
<ip>
<address>192.168.20.10/24</address>
</ip>
<vlan-info>
<id>20</id>
</vlan-info>
</vlan>
</links>
</config>
</edit-config>
</rpc>