Linux Bridge vlan filtering

Time: 2021-6-7

Since the Linux bridge gained VLAN filtering support, we no longer need to split VLANs across sub-interfaces, which simplifies VLAN configuration.

1. Bridge VLAN description

From man bridge we can see that Linux configures VLAN filtering through the following command:

bridge vlan { add | del } dev DEV vid VID [ pvid ] [ untagged ] [ self ] [ master ]

Option descriptions:

pvid: the default VLAN of the port. Every packet entering the port without a VLAN tag is assigned this VLAN. This option only affects ingress packets.

untagged: the untagged VLAN of the port. When an egress packet carries this VLAN, the tag is stripped before transmission.

In general, pvid and untagged are used together, which corresponds to Cisco's switchport trunk native vlan.

self

master

These two options are explained in the man page as follows:

self   the vlan is configured on the specified physical device. Required if the device is the bridge device.
master the vlan is configured on the software bridge (default).

My understanding is: self indicates that the VLAN is added to the bridge device itself. The option must be given, and may only be given, when adding a VLAN to the bridge device; otherwise an error is reported:

[email protected]:~$ sudo ip link add Bridge up type bridge vlan_filtering 1
[email protected]:~/bgp-lab$ sudo bridge vlan add vid 100 dev Bridge self
[email protected]:~/bgp-lab$ 
[email protected]:~/$ sudo bridge vlan add vid 100 dev Bridge master
RTNETLINK answers: Operation not supported
[email protected]:~/$ sudo bridge vlan add vid 100 dev Bridge 
RTNETLINK answers: Operation not supported
[email protected]:~/$ 

master indicates that the VLAN is added to a port device of the bridge. It is the default, so the parameter can be omitted when adding a VLAN to a bridge port:

[email protected]:~/$ sudo ip link del Bridge
[email protected]:~/$ sudo ip link add Bridge up type bridge vlan_filtering 1
[email protected]:~/$ sudo ip link set eth1 master Bridge
[email protected]:~/$ sudo bridge vlan add vid 100 dev Bridge self
[email protected]:~/$ sudo bridge vlan add vid 100 dev eth1 
[email protected]:~/$ sudo bridge vlan add vid 100 dev eth1 master
[email protected]:~/$ 
[email protected]:~/$ sudo bridge vlan add vid 100 dev eth1 self
RTNETLINK answers: Operation not supported
[email protected]:~/$ 
[email protected]:~/$ sudo bridge vlan show
port    vlan ids
eth1         1 PVID Egress Untagged
         100

Bridge   1 PVID Egress Untagged
         100

[email protected]:~/$ 

When a bridge is created, VLAN 1 is added to it by default as PVID and untagged. Many vendors treat VLAN 1 as a reserved VLAN and do not allow users to configure it.

[email protected]:~/$ sudo ip link del Bridge
[email protected]:~/$ sudo bridge vlan show
port    vlan ids

[email protected]:~/$ sudo ip link add Bridge up type bridge vlan_filtering 1
[email protected]:~/$ sudo bridge vlan show
port    vlan ids

Bridge   1 PVID Egress Untagged

[email protected]:~/$ 

When a port is added to the bridge, it is likewise placed in the default VLAN 1 as PVID and untagged:

[email protected]:~/$ sudo ip link del Bridge
[email protected]:~/$ sudo ip link add Bridge up type bridge vlan_filtering 1
[email protected]:~/$ sudo ip link set eth1 master Bridge
[email protected]:~/$ sudo bridge vlan show
port    vlan ids
eth1         1 PVID Egress Untagged

Bridge   1 PVID Egress Untagged

[email protected]:~/$ 

You can also delete the default VLAN 1, on the ports (master) and on the bridge device itself (self):

[email protected]:~/$ sudo bridge vlan del vid 1 dev enp4s0f0 master
[email protected]:~/$ sudo bridge vlan show
port    vlan ids
enp129s0f0np0
enp129s0f1np1
enp4s0f0         100

Bridge   1 PVID Egress Untagged
         100

[email protected]:~/$ sudo bridge vlan del vid 1 dev Bridge self
[email protected]:~/$ sudo bridge vlan show
port    vlan ids
enp4s0f0         100

Bridge   100

[email protected]:~/$ 
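The implicit VLAN 1 membership shown above is easy to forget: as long as a port keeps VLAN 1 as PVID and egress-untagged, any untagged frame that reaches it is bridged into VLAN 1, which the switch side may also treat as its native VLAN. The following audit script is an added example, not part of the original post: it parses the text layout of bridge vlan show exactly as printed on this page (the port name on the first line, further VLAN IDs on indented continuation lines) and reports every device that still carries VLAN 1 as PVID/untagged. The two embedded samples are constructed to match the "before" and "after" states of the deletion above; on a live system you would pipe the real command output into audit_bridge_vlans instead.

```shell
#!/bin/sh
# Audit `bridge vlan show` output for leftover default-VLAN membership.

# Constructed sample in the layout of `bridge vlan show` on this page:
# the state right after enslaving eth1, VLAN 1 still implicit on both devices.
BEFORE_VLAN1_REMOVED='port    vlan ids
eth1         1 PVID Egress Untagged
         100

Bridge   1 PVID Egress Untagged
         100'

# Constructed sample of the state after `bridge vlan del vid 1 ...` on both devices.
AFTER_VLAN1_REMOVED='port    vlan ids
eth1         100

Bridge   100'

# Reads `bridge vlan show` text on stdin and prints one "PORT VID FLAGS" row per
# VLAN membership ("-" when a device has no VLANs or a VLAN has no flags), plus a
# WARN line for every device that still has VLAN 1 as PVID and egress-untagged.
audit_bridge_vlans() {
  awk '
    NR == 1 && $1 == "port" { next }      # header line of the listing
    NF == 0 { next }                       # blank line separating devices
    /^[^ \t]/ {                            # new device: first field is its name
      port = $1; $1 = ""; sub(/^[ \t]+/, "")
    }
    {
      vid = $1
      if (vid == "") { print port, "-", "-"; next }   # device with no VLANs
      flags = ""
      for (i = 2; i <= NF; i++) flags = flags (i > 2 ? " " : "") $i
      print port, vid, (flags == "" ? "-" : flags)
      if (vid == 1 && flags ~ /PVID/ && flags ~ /Untagged/)
        print "WARN " port " still has VLAN 1 as PVID/untagged"
    }'
}

# Prints the number of WARN lines for the listing read on stdin (0 when clean).
count_vlan1_warnings() {
  audit_bridge_vlans | grep -c '^WARN' || true
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$BEFORE_VLAN1_REMOVED" | audit_bridge_vlans
printf '%s\n' "$AFTER_VLAN1_REMOVED" | audit_bridge_vlans
```

Run it as `bridge vlan show | sh -c '. ./audit.sh; audit_bridge_vlans'` or source the file and pipe into the function; a non-zero count from count_vlan1_warnings is the signal that the VLAN 1 cleanup from the previous section has not been applied on every device.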

2. Experiment

2.1 Ubuntu configuration

[email protected]:~/$ sudo ip link add Bridge up type bridge vlan_filtering 1
[email protected]:~/$ sudo ip link set eth1 master Bridge
[email protected]:~/$ sudo bridge vlan add vid 100 dev Bridge self
[email protected]:~/$ sudo bridge vlan add vid 100 dev eth1 master
[email protected]:~/$ sudo ip link add link Bridge name Vlan100 up type vlan id 100 
[email protected]:~/$ sudo ip addr add 10.0.2.1/24 dev Vlan100
[email protected]:~/$ sudo bridge vlan show
port    vlan ids
eth1         1 PVID Egress Untagged
         100

Bridge   1 PVID Egress Untagged
         100

[email protected]:~/$ 
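The sequence above is a one-off terminal session; the script below, an added example that is not part of the original post, turns it into a repeatable setup with the self/master rule from section 1 encoded once: the bridge device gets self, an enslaved port gets master, so the "Operation not supported" errors shown earlier cannot be reproduced by a typo. It also removes the implicit VLAN 1 membership on both devices and validates the VLAN ID against the 802.1Q range. The bridge name, port, VLAN and address are parameters; DRY_RUN defaults to 1 so the script only prints the commands it would run, and executing for real requires root.

```shell
#!/bin/sh
# Repeatable version of the Ubuntu-side setup: VLAN-filtering bridge, one trunk
# port, tagged VLAN on both, VLAN 1 removed, and a vlan sub-interface for L3.
BRIDGE_NAME=${BRIDGE_NAME:-Bridge}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only; 0 = execute them (needs root)

# Runs a command, or prints it verbatim in dry-run mode.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reject anything outside the 802.1Q range 1..4094 (0 and 4095 are reserved).
check_vid() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# bridge vlan {add|del} with the scope chosen from the device: the bridge device
# itself requires "self", an enslaved port takes "master" (the default, written
# out so the generated command is explicit). Extra flags (pvid, untagged) go
# after the VID, matching the synopsis in bridge(8).
vlan_op() {   # vlan_op add|del DEV VID [pvid] [untagged]
  _op=$1; _dev=$2; _vid=$3; shift 3
  if [ "$_dev" = "$BRIDGE_NAME" ]; then _scope=self; else _scope=master; fi
  run bridge vlan "$_op" vid "$_vid" dev "$_dev" "$@" "$_scope"
}

# setup_trunk_bridge PORT VID CIDR: builds the whole configuration from 2.1.
setup_trunk_bridge() {
  port=$1; vid=$2; cidr=$3
  check_vid "$vid" || { echo "invalid VLAN id: $vid" >&2; return 1; }
  run ip link add "$BRIDGE_NAME" up type bridge vlan_filtering 1
  run ip link set "$port" master "$BRIDGE_NAME"
  vlan_op add "$BRIDGE_NAME" "$vid"
  vlan_op add "$port" "$vid"
  # Drop the implicit VLAN 1 PVID/untagged membership on both devices so that
  # untagged frames arriving on the trunk are not bridged anywhere.
  vlan_op del "$BRIDGE_NAME" 1
  vlan_op del "$port" 1
  run ip link add link "$BRIDGE_NAME" name "Vlan$vid" up type vlan id "$vid"
  run ip addr add "$cidr" dev "Vlan$vid"
}

# Stand-alone demo with the values used in the experiment (dry-run by default).
setup_trunk_bridge eth1 100 10.0.2.1/24
```

After running it for real (DRY_RUN=0), bridge vlan show should list only VLAN 100 on eth1 and on Bridge, with no PVID or Egress Untagged flags, and the switch side must carry VLAN 100 tagged on the trunk for the ping test below to succeed.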

2.2 Switch configuration

SWITCH# exit
SWITCH> enable 
SWITCH# show vlan
+-----------+--------------+---------+----------------+-----------------------+
| VLAN ID   | IP Address   | Ports   | Port Tagging   | DHCP Helper Address   |
+===========+==============+=========+================+=======================+
+-----------+--------------+---------+----------------+-----------------------+
SWITCH# configure terminal 
SWITCH(config)# vlan 100
SWITCH(config)# interface eth25GE 47
SWITCH(config-if)# switchport mode 
access  trunk   
SWITCH(config-if)# switchport mode trunk 
SWITCH(config-if)# switchport trunk allowd vlan add 100
SWITCH(config-if)# exit
SWITCH(config)# interface vlan 100
SWITCH(config-if)# ip address 10.0.2.2/24
Add Vlan100 into default VRF
SWITCH(config-if)# 

2.3 Mutual ping

SWITCH(config-if)# do ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=0.196 ms
64 bytes from 10.0.2.1: icmp_seq=2 ttl=64 time=0.219 ms
64 bytes from 10.0.2.1: icmp_seq=3 ttl=64 time=0.150 ms
^C
SWITCH(config-if)# 
--- 10.0.2.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2032ms
rtt min/avg/max/mdev = 0.150/0.188/0.219/0.030 ms
SWITCH(config-if)# 
[email protected]:~/$ ping 10.0.2.2
PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
64 bytes from 10.0.2.2: icmp_seq=1 ttl=64 time=0.308 ms
64 bytes from 10.0.2.2: icmp_seq=2 ttl=64 time=0.245 ms
64 bytes from 10.0.2.2: icmp_seq=3 ttl=64 time=0.262 ms
^C
--- 10.0.2.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2031ms
rtt min/avg/max/mdev = 0.245/0.271/0.308/0.032 ms
[email protected]:~/$