Configure linux bridges and VLANs with vlan_filtering

This article provides a detailed guide on how to setup and configure Linux bridges with VLAN configurations. It covers step-by-step instructions for creating bridges and managing VLANs to enhance network communications.

Summary

[I] General presentation

*What is a linux bridge ?

A Linux bridge is a networking device that connects multiple network segments together. It operates at the data link layer of the OSI model and allows for communication between different network interfaces of the system.

It works by forwarding data packets between network interfaces, effectively creating a single, unified network. This allows for efficient communication and data transfer between devices on the same network.

It can be configured in various ways to suit different network environments and requirements. Some possible configurations include multiple ports settings, VLAN support and advanced features such as bonding multiple network interfaces or integration with virtual machines.

The flexibility and versatility of Linux bridge make it a valuable tool for managing network connectivity in a variety of setups.

*What is the VLAN support ?

VLAN, or Virtual Local Area Network, is a way of dividing a physical network into multiple logical networks. In a Linux context, VLANs can be created using using VLAN tagging on network interfaces. Each VLAN operates as a separate broadcast domain, allowing for enhanced network security and organization.

Basically, when enabling VLAN traffic the corresponding network interface will allow 802.1Q tagged traffic passing through it. THe IP packets will be tagged with a VLAN ID.

*VLAN trunking vs access mode

The VLAN port access or trunk modes are setting that can be configured on a network port (like switch port) to specify and configure the type of traffic allowed to pass through the ports.

In VLAN access mode, the network traffic VLAN tagging is handled directly by the interface, allowing outgoing packets to be tagged with the corresponding VLAN ID and ingoing packets to be untagged accordingly. Access mode is commonly used for connecting end devices like computers or printers to the network.

In VLAN trunk mode, the interfaces only allows to handle and forward incoming network packets depending on the VLAN ID tagging they presents. In other words, network interfaces configured in trunk mode will not alter or modify network packets 802.1Q options (VLAN IDs) but only make decisions to accept or drop packets depending on their currently given 802.1Q tags (VLAN IDs) trunking is often used to connect switches or routers together.

In summary, trunking allows for the segregation and routing of multiple VLANs, while access mode keeps devices within a single VLAN for increased security and control.

*About vlan_filtering feature

Tagged & Untagged : These flags specify the egress property (traffic output). In general, tagged ports should be your trunk ports and untagged ports should be your access ports. By specifying a tagged port the bridge will always set a VLAN tag for packets that are being sent out through this port (egress). By specifying an untagged port the bridge will always remove the VLAN tag from egress packets.

PVID : This flag specify the ingress property (traffic input). It will set any untagged traffic with a specified VLAN ID on ingress.

[II] List interfaces, bridges and vlan configurations

*list bridges

root@linux:#
ip link show type bridge

*list interface associated to bridges

root@linux:#
bridge link

*show vlans bridge infos

root@linux:#
bridge vlan show

[III] Bridge VLAN configuration with bridge vlan_filtering

Lets picturize the situation

Lets assume 3 interfaces ETH0, ETH1 and ETH2. ETH0 is the WAN interface, while ETH1 & ETH2 are the LAN interfaces.

The following procedure will configure the network stack as to have any traffic passing through ETH1 or ETH2 being VLAN tagged when leaving the bridge in ETH0.

*Create the bridge interface

root@linux:#
ip link add br0 type bridge
root@linux:#
ip link set br0 up

*Enable VLAN filter

root@linux:#
ip link set br0 type bridge vlan_filtering 1

*Attach eth0, eth1 and eth2 interfaces to the bridge.

root@linux:#
ip link set eth0 master br0
root@linux:#
ip link set eth1 master br0
root@linux:#
ip link set eth2 master br0

*Configure the LAN interfaces VLANs

root@linux:#
bridge vlan add dev eth1 vid 10 pvid untagged master
root@linux:#
bridge vlan add dev eth2 vid 20 pvid untagged master

Configure the bridge eth0 interface to only accept VLANS 10 & 20 tagged taffic (trunk)

root@linux:#
bridge vlan add dev eth0 vid 10
root@linux:#
bridge vlan add dev eth0 vid 20

Thats it! Your bridge is now configured to tag & untag the traffic passing to the interfaces depending on the egress or ingress directions.

Back