VLAN on top of a bridge

Hi!

It seems like the official way to do VLANs and bridges is to create VLAN interfaces on the physical interfaces and then create a bridge for each VLAN.

Something like this:
Code:
ifconfig em0 name lan0 up
ifconfig em1 name lan1 up

ifconfig vlan create vlan 10 vlandev lan0 name lan0.10
ifconfig vlan create vlan 10 vlandev lan1 name lan1.10
ifconfig vlan create vlan 101 vlandev lan0 name lan0.101
ifconfig vlan create vlan 101 vlandev lan1 name lan1.101

ifconfig bridge create name br-test.10 up
ifconfig br-test.10 addm lan0.10 stp lan0.10 addm lan1.10 stp lan1.10

ifconfig bridge create name br-test.101 up
ifconfig br-test.101 addm lan0.101 stp lan0.101 addm lan1.101 stp lan1.101

ifconfig br-test.10 192.168.10.2/24
ifconfig br-test.101 192.168.101.2/24

But this quickly gets out of hand when there are a bunch of VLANs or physical interfaces.

A somewhat cleaner option would be to attach all of the physical interfaces to a single bridge and then tap VLANs from there. Unfortunately, you can't add a VLAN interface to a bridge directly. But if you create an epair(4) interface, add one end to the bridge and use the other end for VLANs, then it works quite well. All the traffic is nicely bridged and VLANs can be easily added if needed.

Code:
ifconfig em0 name lan0 up
ifconfig em1 name lan1 up

ifconfig bridge create name br-test up
ifconfig br-test addm lan0 stp lan0 addm lan1 stp lan1

ifconfig epair create name br-test-trunk up
ifconfig epair0b name br-test-con up
ifconfig br-test addm br-test-con
ifconfig vlan create vlan 10 vlandev br-test-trunk name br-test.10 up
ifconfig vlan create vlan 101 vlandev br-test-trunk name br-test.101 up

ifconfig br-test.10 192.168.10.2/24
ifconfig br-test.101 192.168.101.2/24

So the question is: are there any major downsides to using this epair hack to do VLANs on top of the bridge?
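The two layouts above, written as a generator so they can be compared for any number of NICs and VLAN IDs. This is an added example, not the poster's own script: it only prints the ifconfig commands instead of running them, and the interface names, bridge name and VLAN IDs in PHYS, VLANS and BR are assumptions. It also captures the name printed by `ifconfig epair create` instead of hardcoding epair0b, which is wrong as soon as another epair already exists on the host.

```shell
#!/bin/sh
# Added example (not from the original post). Prints, rather than executes,
# the ifconfig commands for the two layouts discussed above so the growth of
# each can be compared. All names and IDs below are assumptions.

# Physical interfaces as "kernel-name:new-name" pairs (assumed), VLAN IDs, bridge name.
PHYS="em0:lan0 em1:lan1"
VLANS="10 101"
BR="br-test"

# Layout 1: one bridge per VLAN, a VLAN interface on every physical NIC.
# Command count grows with (#NICs x #VLANs).
gen_per_vlan_bridges() {
    for p in $PHYS; do
        printf 'ifconfig %s name %s up\n' "${p%%:*}" "${p#*:}"
    done
    for v in $VLANS; do
        for p in $PHYS; do
            n=${p#*:}
            printf 'ifconfig vlan create vlan %s vlandev %s name %s.%s\n' "$v" "$n" "$n" "$v"
        done
        printf 'ifconfig bridge create name %s.%s up\n' "$BR" "$v"
        members=""
        for p in $PHYS; do
            n=${p#*:}
            members="$members addm $n.$v stp $n.$v"
        done
        printf 'ifconfig %s.%s%s\n' "$BR" "$v" "$members"
    done
}

# Layout 2: a single bridge holding the NICs, an epair as the trunk, and
# the VLAN interfaces on the free end of the epair. Grows only with #VLANs.
gen_epair_trunk() {
    for p in $PHYS; do
        printf 'ifconfig %s name %s up\n' "${p%%:*}" "${p#*:}"
    done
    printf 'ifconfig bridge create name %s up\n' "$BR"
    members=""
    for p in $PHYS; do
        n=${p#*:}
        members="$members addm $n stp $n"
    done
    printf 'ifconfig %s%s\n' "$BR" "$members"
    # ifconfig prints the name of the "a" end it created (e.g. epair0a).
    # Capture it and derive the "b" end from it: if an epair already exists
    # the new pair is epair1, and a hardcoded epair0b would rename the wrong one.
    printf 'a=$(ifconfig epair create)\n'
    printf 'ifconfig "$a" name %s-trunk up\n' "$BR"
    printf 'ifconfig "${a%%a}b" name %s-con up\n' "$BR"
    printf 'ifconfig %s addm %s-con\n' "$BR" "$BR"
    for v in $VLANS; do
        printf 'ifconfig vlan create vlan %s vlandev %s-trunk name %s.%s up\n' "$v" "$BR" "$BR" "$v"
    done
}

# Number of commands a layout needs for the current PHYS/VLANS.
count_lines() { "$1" | wc -l | tr -d ' '; }

# Usage: print the epair layout for the assumed NICs and VLANs.
gen_epair_trunk
```

With two NICs and two VLANs both layouts come out at ten commands; with four NICs and four VLANs the per-VLAN-bridge layout needs 28 and the epair layout 14, which is the "gets out of hand" effect in numbers. The generated commands for the epair layout differ from the post only in the captured epair name.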
 
It's highly likely I'm misunderstanding but wouldn't having br-test.10 and br-test.101 connected to the same bridge, bridge those VLANs? Surely that's not what you are trying to do.
 
It's highly likely I'm misunderstanding but wouldn't having br-test.10 and br-test.101 connected to the same bridge, bridge those VLANs?
Sort of. They're connected through br-test, yes. But this is tagged traffic, so the VLANs themselves aren't connected to each other (the VLAN tags keep them separate). You got mixed up between tagged and untagged, and that's quite easy to overlook (and the source of many misconfigurations).
 
I was in a similar situation. I didn't know that you cannot create VLANs directly on a bridge interface (actually I could create VLANs on a bridge interface on Linux and was trying the same on FreeBSD/OPNsense). So your question helped me solve my problem using epairs. Now I have the same question: are there any downsides to using epairs? Will FreeBSD support adding VLANs directly to a bridge?
Thanks
Saumya
 