vlan with no parent?

I'm trying to do something simple. I have a system with a single physical interface, bce0. I want to create a vlan0 with another address on the same subnet as the address of bce0 and then assign that vlan0 address to a jail. Main reasoning is so I can monitor the traffic for the jail separately.

I have enabled the system as a gateway in rc.conf. bce0 has 172.16.2.135. I did:

ifconfig vlan0 create
ifconfig vlan0 inet 172.16.2.136 netmask 255.255.255.0

I didn't assign vlan0 to bce0. I can ping 172.16.2.136 locally from the system, but not from other devices on the network. What am I missing here? Is this even possible?
 
If you don't associate it with a physical NIC, how do you expect it to put packets onto the physical wire? ;)

You have created an internal / virtual interface that is not part of any physical network.
 
If I make the parent bce0, should I automatically be able to ping the address on vlan0 from the network or would the interface HAVE to be plugged into a vlan supported switch? Right now it's just plugged into a cheap network switch.

Originally, I thought that it being on the same subnet it would be pingable without assigning a parent would be ok.
 
When ifconfig creates the vlan interface, it has no parent assigned to it:
Code:
# /sbin/ifconfig vlan1 create
# /sbin/ifconfig vlan1
vlan1: flags=8002<BROADCAST,MULTICAST> metric 0 mtu 1500
	ether 00:00:00:00:00:00
	vlan: 0 parent interface: <none>
At this time, vlan1 has no ethernet address and no parent interface.
The parent interface must be added on a second /sbin/ifconfig execution:
Code:
# /sbin/ifconfig vlan1 vlan 10 vlandev bge1
# ifconfig vlan1
vlan1: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:30:05:46:05:1c
	media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
	status: active
	vlan: 10 parent interface: bge1
Look at 'flags': the interface isn't up yet. Another command is required:
Code:
# /sbin/ifconfig vlan1 up
or
Code:
# /sbin/ifconfig vlan1 inet 192.0.2.1/24
# /sbin/ifconfig vlan1
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:30:05:46:05:1c
	inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
	media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
	status: active
	vlan: 10 parent interface: bge1

FreeBSD vlan interfaces support 802.1q VLAN tagging. If you only need another IP address on the same network, use multiple IP addresses (aliases).
Code:
# /etc/rc.conf
ifconfig_bce0="up"
ipv4_addrs_bce0="192.0.2.1/24 192.0.2.2/32 192.0.2.3/32"
Make sure only the first address within the subnet uses the full subnet mask; the others need only a /32 netmask.

Here's how I configure vlan interfaces:
Code:
# /etc/rc.conf
cloned_interfaces="disc0 vlan10 vlan11 vlan12"
# the parent interface should be 'up'
ifconfig_rl0="up"
# vlan 10 - parent is rl0, support for 802.1q VLAN id 10
ifconfig_vlan10="vlan 10 vlandev rl0"
ipv4_addrs_vlan10="1xx.xx.xx.xx/30"
# vlan 11 - parent is rl0, support for 802.1q VLAN id 11
ifconfig_vlan11="vlan 11 vlandev rl0"
ipv4_addrs_vlan11="8x.xx.xx.xx/30"
# To make things fuzzy: use VLAN id 3 for the virtual interface vlan12
# vlan 12 - parent is rl0, support for 802.1q VLAN id 3
ifconfig_vlan12="vlan 3 vlandev rl0"
ipv4_addrs_vlan12="8x.xx.xx.xy/30"
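
The three interface states shown in the post above (created, parent attached, up) can be checked mechanically. The following is an added example, not part of the original post: a POSIX sh function that classifies `ifconfig vlanN` output. The function name `vlan_state`, its result keywords and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify `ifconfig vlanN` output read from stdin.
# Prints "ok", or a space-separated list of the problems found:
#   not-vlan   no "parent interface:" line at all
#   no-parent  vlan line shows "parent interface: <none>"
#   no-ether   MAC address is still all zeros
#   down       UP is missing from the flags=...<...> list
vlan_state() {
    awk '
        /flags=/ {
            # keep only the flag names between < and >
            s = $0; sub(/^[^<]*</, "", s); sub(/>.*/, "", s)
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "UP") up = 1
        }
        $1 == "ether"       { ether = $2 }
        /parent interface:/ { seen = 1; parent = $NF }
        END {
            r = ""
            if (!seen)                        r = r " not-vlan"
            else if (parent == "<none>")      r = r " no-parent"
            if (ether == "00:00:00:00:00:00") r = r " no-ether"
            if (!up)                          r = r " down"
            sub(/^ /, "", r)
            if (r == "") r = "ok"
            print r
        }
    '
}

# Constructed samples, modelled on the three states shown in the thread.
SAMPLE_CREATED='vlan1: flags=8002<BROADCAST,MULTICAST> metric 0 mtu 1500
	ether 00:00:00:00:00:00
	vlan: 0 parent interface: <none>'
SAMPLE_ATTACHED='vlan1: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:30:05:46:05:1c
	status: active
	vlan: 10 parent interface: bge1'
SAMPLE_UP='vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:30:05:46:05:1c
	inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
	vlan: 10 parent interface: bge1'

for s in "$SAMPLE_CREATED" "$SAMPLE_ATTACHED" "$SAMPLE_UP"; do
    printf '%s\n' "$s" | vlan_state
done
```

On a live host the same function takes the real output: `ifconfig vlan1 | vlan_state`.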
 
mlager said:
If I make the parent bce0, should I automatically be able to ping the address on vlan0 from the network or would the interface HAVE to be plugged into a vlan supported switch? Right now it's just plugged into a cheap network switch.

You need a switch that has 802.11q vLAN support.

Originally, I thought that it being on the same subnet it would be pingable without assigning a parent would be ok.

vLANs allow you to create separate logical/virtual networks on top of one physical network. But you need to have support for the virtual networks in all the connected switches.
 