VLAN and the IEEE 802.1Q VLAN implemented by Linux


The concept of VLANs

VLAN overview

Ethernet is a data-network communication technology based on CSMA/CD (Carrier Sense Multiple Access / Collision Detection). When the number of hosts grows large it suffers severe collisions and broadcast flooding, performance drops sharply, and the network can even become unusable. Interconnecting LANs through switches solves the collision problem, but it still cannot isolate broadcast messages. VLAN (Virtual Local Area Network) technology was introduced for this purpose: it divides one LAN into several logical LANs (VLANs), each of which is a broadcast domain. Hosts inside a VLAN communicate as they would in an ordinary LAN, while different VLANs cannot communicate with each other directly, so broadcast messages are confined to one VLAN, as shown in Figure 1.

Figure 1 VLAN

VLAN partitioning is not constrained by physical location: hosts that are not in the same physical location can belong to the same VLAN, and the users of one VLAN can be connected to the same switch, spread across switches, or even spread across routers.

The advantages of VLANs are as follows:

• Limit broadcast domains. A broadcast domain is confined to one VLAN, which saves bandwidth and improves the network's processing capacity.

• Enhance LAN security. Broadcasts of different VLANs are isolated from one another, that is, a user inside one VLAN cannot communicate directly with users in other VLANs; if different VLANs need to communicate, the traffic must pass through a layer-3 device such as a router or a layer-3 switch.

• Build virtual workgroups flexibly. With VLANs, different users can be placed in different workgroups, and the users of one workgroup need not be confined to a fixed physical area, which makes building and maintaining the network more convenient and flexible.

VLAN principle

To let a network device distinguish messages of different VLANs, a field identifying the VLAN has to be added to the message. Because an ordinary switch works at the data link layer of the OSI model, it can only recognise the data-link-layer encapsulation of a message; therefore, if an identification field is to be added, it also has to be added to the data-link-layer encapsulation.

In 1999 the IEEE published the IEEE 802.1Q protocol standard to standardise VLAN implementations, which defines a unified message structure carrying VLAN identification.

A traditional Ethernet frame carries the destination MAC address, then the source MAC address, and then the Type field of the upper-layer protocol, as shown in Figure 2.

Figure 2 Traditional Ethernet Frame Encapsulation format

Here DA represents the destination MAC address, SA represents the source MAC address, and Type indicates the protocol type to which the message belongs.

The IEEE 802.1Q protocol specifies a 4-byte VLAN Tag, inserted after the destination MAC address and the source MAC address, which carries the VLAN information.

Figure 3 The constituent fields of the VLAN tag

As shown in Figure 3, the VLAN Tag contains four fields: TPID (Tag Protocol Identifier), Priority, CFI (Canonical Format Indicator) and VLAN ID.

• TPID is used to determine whether the frame carries a VLAN Tag. Its length is 16 bits and its default value is 0x8100.

• Priority indicates the 802.1p priority of the message. Its length is 3 bits; see "QoS Configuration" in the "QoS" fascicle for details.

• CFI indicates whether the MAC address is encapsulated in the canonical format when it is carried over different transport media. Its length is 1 bit; the value 0 means the MAC address is encapsulated in canonical format, 1 means non-canonical format, and the default is 0.

• VLAN ID identifies the number of the VLAN the message belongs to. Its length is 12 bits, giving a value range of 0 to 4095. Because 0 and 4095 are reserved by the protocol, the usable VLAN ID range is 1 to 4094.

The network device uses the VLAN ID to identify the VLAN a message belongs to, and processes the packet according to whether it carries a VLAN Tag and, if so, the values in that Tag.
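As an added example that is not part of the article, the following POSIX shell script decodes the tag fields just described from an Ethernet frame supplied as a hex string, and checks the VLAN ID against the usable 1 to 4094 range. The two sample frames are constructed here (one tagged with VID 10, one untagged), and the offsets assume the dump starts at the destination MAC with no preamble or FCS.

```shell
#!/bin/sh
# Added example: decode the IEEE 802.1Q tag (TPID, Priority, CFI, VLAN ID) of an
# Ethernet frame given as a hex string. Not code from the article.

# Constructed sample: DA 00:11:22:33:44:55, SA 66:77:88:99:aa:bb, TPID 0x8100,
# TCI 0xa00a (Priority 5, CFI 0, VID 10), inner EtherType 0x0800 (IPv4).
TAGGED_FRAME='00112233445566778899aabb8100a00a0800'
# Constructed sample: the same frame with no tag, EtherType 0x0800 follows SA.
UNTAGGED_FRAME='00112233445566778899aabb0800'

# hex_field FRAME START LEN: hex characters START..START+LEN-1 (1-based).
hex_field() {
    printf '%s' "$1" | cut -c "$2-$(( $2 + $3 - 1 ))"
}

# Print "TPID PRIORITY CFI VID ETHERTYPE" for a tagged frame, or
# "untagged ETHERTYPE" when the bytes after DA+SA are not the 0x8100 TPID.
parse_8021q() {
    frame=$1
    tpid=$(hex_field "$frame" 25 4)          # bytes 12..13, right after DA+SA
    if [ "$tpid" != "8100" ]; then
        printf 'untagged %s\n' "$tpid"       # that field is the plain EtherType
        return 0
    fi
    tci=$(printf '%d' "0x$(hex_field "$frame" 29 4)")   # 16-bit Tag Control Info
    pcp=$(( tci / 8192 ))                    # top 3 bits: 802.1p priority
    cfi=$(( (tci / 4096) % 2 ))              # next bit: CFI
    vid=$(( tci % 4096 ))                    # low 12 bits: VLAN ID
    ethertype=$(hex_field "$frame" 33 4)     # encapsulated protocol after the tag
    printf '%s %d %d %d %s\n' "$tpid" "$pcp" "$cfi" "$vid" "$ethertype"
}

# True only for VIDs a device may actually assign: 0 and 4095 are reserved.
vid_usable() {
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

parse_8021q "$TAGGED_FRAME"      # prints: 8100 5 0 10 0800
parse_8021q "$UNTAGGED_FRAME"    # prints: untagged 0800
```

The arithmetic mirrors the bit layout of the Tag: the 16-bit TCI word is split into the 3-bit priority, the 1-bit CFI and the 12-bit VID by division and remainder, which keeps the script portable to shells without bit-shift operators.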


Configuring VLANs on Linux

Part I: Core concepts of VLANs

When IEEE 802.1Q is mentioned everyone knows it means VLAN, and when VLAN is mentioned there is hardly any blind spot: it is network fundamentals. When it comes to configuration, however, most people can rattle off the configuration commands of Cisco or H3C devices yet have many doubts about VLAN configuration on Linux. I think there are two reasons for those doubts:
1. The nature of VLANs is still not understood. However proficient you are with Cisco/H3C commands, if you cannot understand vconfig on Linux, that proficiency cannot disguise a shallow understanding of the concept;
2. Unfamiliarity with the way Linux implements virtual network devices.

You may already understand 802.1Q, and perhaps you have read the IEEE documentation, but if you do not understand virtual devices such as the Linux bridge, tap and bond devices, you will not be able to configure VLANs successfully.

For understanding the VLAN concept there are a few points to emphasise:
1. A VLAN separates broadcast domains;
2. A single VLAN emulates an ordinary switched Ethernet, so VLANs split one physical switch into one or more logical switches;
3. Communication between different VLANs requires layer-3 participation;
4. When several switches are cascaded, a VLAN is identified by a VID inserted into the standard Ethernet frame; this is called the tag;
5. In most cases the tag is not end-to-end: it is generally added on the uplink of the first VLAN switch and removed on the downlink of the last VLAN switch;
6. The tag is only needed where, without it, a frame could not be assigned to its VLAN; wherever it can be removed, remove it as early as possible;
7. Finally, IEEE 802.1Q only solves the problem of tagging VLANs. Everything beyond IEEE 802.1Q is implementation-specific; although the Cisco and H3C implementations are similar, Linux can be quite different from both.

The key is the last three of these points, namely 3, 4 and 5. They are the hardest part of VLANs, but once you understand them there is nothing left to VLANs. To make description and configuration more convenient, Cisco and other vendors define many details that the IEEE 802.1Q standard does not, including but not limited to the following:
    • 1. Each VLAN switch port needs to be bound to a VLAN ID;
    • 2. Each VLAN switch port is of one of three types: access, trunk, hybrid.
      • 2.1. access port: frames received on such a port carry no tag, and frames sent from it carry no tag;
      • 2.2. trunk port: frames received on such a port carry a tag, and frames sent from it need to carry a tag (leaving aside the default VLAN);
      • 2.3. hybrid port: omitted.
We do not really need to dig into the Cisco/H3C commands or the exact differences between the three port types; the three types exist entirely to make the concept of VLANs (ultimately the IEEE 802.1Q standard) convenient to use. Plainly put, the trunk port exists out of necessity: frames of several VLANs pass over one physical link, and without a tag the VLANs could not be told apart. That is why the IEEE 802.1Q standard defines a tag inserted into the Ethernet frame, and so that this theoretical thing can be used, vendors define a series of concepts around it, such as calling the link that carries tags a trunk link, and so on.
So we can set aside every configuration command and every vendor-defined notion, and understand VLANs purely from the IEEE 802.1Q standard and our own needs; after that you can certainly implement any VLAN configuration on Linux. First we define our needs and a network topology that meets them; the key is to see how they are wired.
1. Situation one: communication inside the same VLAN
1.1. Communication between different ports of the same VLAN on the same switch

1.2. Communication between ports of the same VLAN on different switches

2. Situation two: communication between different VLANs
2.1. Communication between different VLANs on the same switch

2.2. Communication between different VLANs on different switches
As can be seen from 1.2 above, to save cabling and avoid loops the single link between the two VLAN switches must carry frames of different VLANs. For each side to identify exactly which VLAN each frame belongs to, the frames obviously have to be tagged; so in 1.2 the frames on the link between port J and port K need to be tagged, port J and port K belonging to two VLANs, VLAN M and VLAN N. In other words, as soon as a port has to send and receive frames belonging to more than one VLAN, the frames it sends are tagged and the frames it receives can be assigned to their VLAN by the tag; in the terminology of Cisco, H3C and other vendors this is a trunk port, and the link between two trunk ports is a trunk link.
In general our PC is connected directly to an ordinary layer-2 switch or to a port of a VLAN-capable switch, and the PC sends ordinary, untagged Ethernet frames; it may not know what 802.1Q is at all. The purpose of the VLAN, however, is to put some PCs in one VLAN and other PCs in another to achieve isolation. One obvious way is to assign some ports of the VLAN-capable switch to one VLAN and others to another: all the ports of one VLAN together form a logical ordinary layer-2 switch, and a PC belonging to that VLAN is connected to a port of the same VLAN. To extend a VLAN beyond the port count of a single switch, switches must be cascaded; the cascade link then carries the traffic of different VLANs at the same time, so cascade links become trunk links. All links that are not cascade links are direct links, in vendor terminology access links (hybrid is not discussed here). Naturally the ports at both ends of an access link have nothing to do with tags, so they can be connected to a PC, to an ordinary switch, or to a non-trunk port of a VLAN switch, simply by "passing untagged frames through and removing tags".
That is basically all there is to VLANs, in three parts:
1. Design purpose: isolate broadcast domains, conserve physical devices, isolate security-policy domains;
2. IEEE 802.1Q: a standard protocol for the cascade scenario that extends VLANs;
3. How to use VLANs: assign some ports to a VLAN, based on the port, the MAC address or something else...
In fact the standard gives no hard rules on how to divide VLANs, as long as the ports belonging to the same VLAN otherwise fully follow the IEEE 802 series of standards. In other words, all the ports of the same VLAN on all switches together form one complete Ethernet through which Ethernet frames pass.
At this point we have basically forgotten the trunk/access and port-based VLAN commands; what remains in mind is only the core concept of the VLAN, and with these core concepts we can configure a complete VLAN scheme on Linux. If instead you try to force the Cisco configuration model onto Linux, the result is just sad. For example, you would ask: how do I configure a port as access on Linux, how do I assign some NICs to a VLAN on Linux...
Anyone who understands the Linux bridge knows that Linux itself can implement several bridge devices. Because the Linux bridge is software, one Linux box can be configured with a number of logically separate bridges; different bridge devices can only communicate through layer 3, and layer 3 is the boundary of an Ethernet, so one Linux box can emulate several Ethernets, and different bridge devices can represent different VLANs.

Part Two: VLANs on Linux

A VLAN on Linux is different from a VLAN on Cisco/H3C. On the latter the LAN exists first and is then made "V": there is one large LAN which is then divided into different VLANs. Linux is the opposite: since the Linux bridge is a logical device that is created on demand, on Linux you first create the VLAN, then create a bridge and associate it with the VLAN. Creating a VLAN is simple (vconfig needs the add sub-command):
ifconfig eth0 0.0.0.0 up
vconfig add eth0 10
ifconfig eth0.10 up

When vconfig creates eth0.10, the result is a virtual network device in the real sense, similar to br0, tap0, bond0 and so on. This virtual NIC is bound to a real NIC, eth0, which means the data ultimately leaves through the real NIC eth0. The ".10" in eth0.10 means it carries frames of VLAN 10 and tags them before they are sent out through eth0. Tagging is naturally done in the hard_xmit of the eth0.10 virtual device: in that hard_xmit the corresponding tag is added and then eth0's hard_xmit is called to actually send the data, as shown:

So a real physical NIC such as ethX, which can carry frames of several VLANs, is the trunk port, as shown here:

The Linux VLAN tool vconfig uses ethX.Y to add VLAN ID Y to the trunk port ethX. By analogy with Cisco/H3C, we have created the trunk. To summarise: creating an ethX.Y virtual device with vconfig creates a trunk, where ethX is the trunk port and Y is the ID of the VLAN whose frames the trunk link on that port can carry; if we create ethX.A, ethX.B, ethX.C and ethX.D, it means ethX can carry frames of VLAN A, VLAN B, VLAN C and VLAN D.
Next, let's look at how to create an access port. Since the Linux bridge is virtual and logical, we can create a VLAN and then dynamically create a bridge based on that VLAN, instead of "configuring a VLAN ID for each port". What we need to do is very simple:
To create the VLAN:
ifconfig eth0 0.0.0.0 up
vconfig add eth0 10
ifconfig eth0.10 up
To create a bridge for the VLAN:
brctl addbr brvlan10
brctl addif brvlan10 eth0.10
To add network cards to this VLAN:
ifconfig eth1 0.0.0.0 up
brctl addif brvlan10 eth1
ifconfig eth2 0.0.0.0 up
brctl addif brvlan10 eth2

...
That's it. From this point on, eth1 and eth2 are access ports of VLAN 10 and eth0 is a trunk port. The trunk port is not needed when VLANs are not cascaded; if you only need to extend VLAN 10, you can connect eth1 to an ordinary layer-2 switch or hub... Similarly, you can create another VLAN and cascade it to the upstream VLAN switch through eth0 as well:
ifconfig eth0 0.0.0.0 up
vconfig add eth0 20
ifconfig eth0.20 up
brctl addbr brvlan20
brctl addif brvlan20 eth0.20
ifconfig eth5 0.0.0.0 up
brctl addif brvlan20 eth5
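The script below is an added example, not the article's own commands: it wraps the trunk sub-interface, bridge and access-port sequence just shown into one function using the iproute2 `ip link` commands that replaced vconfig and brctl in current distributions, and refuses reserved VLAN IDs before touching any interface. The interface names, the brvlanVID bridge naming and the DRY_RUN variable are this example's assumptions; with DRY_RUN=1 (the default) it only prints the commands so they can be reviewed, and DRY_RUN=0 executes them (root required).

```shell
#!/bin/sh
# Added example: build "trunk port ethX.Y + bridge brvlanY + access ports" with
# iproute2 instead of vconfig/brctl. Not code from the article.
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# check_vid VID: accept only integers in the usable 1..4094 range.
check_vid() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# vlan_bridge TRUNK VID ACCESS_PORT...
# Creates TRUNK.VID (tagged side), bridge brvlanVID, and enslaves the
# untagged ACCESS_PORTs; frames entering an access port leave TRUNK tagged VID.
vlan_bridge() {
    trunk=$1; vid=$2; shift 2
    check_vid "$vid" || { echo "vlan_bridge: bad VLAN id '$vid'" >&2; return 1; }
    br="brvlan$vid"
    run ip link set dev "$trunk" up
    run ip link add link "$trunk" name "$trunk.$vid" type vlan id "$vid"
    run ip link set dev "$trunk.$vid" up
    run ip link add name "$br" type bridge
    run ip link set dev "$trunk.$vid" master "$br"
    for port in "$@"; do
        run ip link set dev "$port" up
        run ip link set dev "$port" master "$br"   # untagged access port
    done
    run ip link set dev "$br" up
}

# Same layout as the article: VLAN 10 on eth0 with access ports eth1, eth2,
# and VLAN 20 on eth0 with access port eth5.
vlan_bridge eth0 10 eth1 eth2
vlan_bridge eth0 20 eth5
```

Because every change goes through run, the dry-run output is exactly the command list that would be executed, which is the easiest way to diff a planned topology against the one in a change ticket before touching a live box.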

As shown in the following:

This basically takes care of VLAN configuration on Linux; what follows is communication between VLANs. This point is the simplest: use routing, which is why many people equate VLAN-capable layer-3 switches with routers. Since routing requires an IP address as the gateway, where to configure those IP addresses is an unavoidable question. To be sure, the address must be configured somewhere inside the current VLAN, so there are several places to put it:
1. On a router interface that belongs to the VLAN, where the router has a route to the destination VLAN (the router interface is the trunk port).
2. On an ethX.Y virtual interface belonging to the VLAN, where the Linux box has a route to the target VLAN A (most obviously, it owns the ethX.A virtual interface).
3. On a bridge device belonging to the VLAN (a Linux bridge is by default also a local interface on which an IP address can be configured), where the Linux box has a route to the target VLAN A (most obviously, it owns the ethX.A virtual interface or the bridge device of the target VLAN).
Options 1 and 2 are essentially no different; both simply look for a place to configure an IP address. In most cases option 2 is used, but if the same VLAN on the same Linux box is configured with two trunk ports, the bridge address has to be used, as in the following configuration:
brctl addbr brvlan10
brctl addif brvlan10 eth0.10
brctl addif brvlan10 eth1.10
ifconfig brvlan10 up

Now there are two ethX.Y virtual interfaces. To avoid a routing conflict only one IP address can be configured, and it can only be configured on brvlan10. Whether the IP is configured on the bridge or on an ethX.Y interface, the traffic goes through IP routing: as long as the destination MAC address points to any local interface, handle_bridge, called from netif_receive_skb, hands the frame to local IP routing. Linux is software and does not natively implement hardware-cached forwarding, so on Linux so-called layer-3 switching is actually routing.
Now let's look at a tagged frame. By definition the tag is removed at the access port, but semantically the only requirement is that an access port sends frames without a tag, so there is no strict rule about when the tag is removed. In the Linux VLAN implementation a packet_type func acts as a layer-3 handler that processes 802.1Q frames separately; at that point 802.1Q is on an equal footing with the IP protocol, and the VLAN func function vlan_skb_recv is just like the IP handler ip_rcv. In the Linux implementation of VLANs, a frame received on a port reaches the layer-3 packet_type func only if it is destined for the local host; otherwise it is handled only at layer 2, that is, by the bridge logic, and the native Linux bridge implementation does not handle, or even recognise, 802.1Q frames. The whole of trunk-port frame transmission and reception, IEEE 802.1Q frame processing and inter-VLAN communication is as follows:

So far the essentials of VLANs on Linux have been covered. With this understanding, designing a single-arm (router-on-a-stick) Linux box is not difficult; the biggest advantage of a single-arm device is that it saves physical equipment while still achieving isolation. The configuration is not complex. If you do not want to implement VLANs, you can also add virtual IPs with ip addr add ... dev ...; the benefit of the VLAN implementation, however, is that it can be connected to an existing layer-3 switch or directly to the trunk of any standard IEEE 802.1Q-capable device.
Mechanism is the platform, policy is the play. Now that the VLAN mechanism is clear, you have presumably also seen its shortcomings; how to overcome them? PVLAN (private VLAN) is really an alternative to VLAN: it addresses isolation inside one IP network segment, which VLANs do not solve. How do we implement it on Linux? It is not difficult: nothing more than adding some access-control policy on the LAN, which can be done purely in software, even with ebtables/arptables/iptables. If VLAN is a hard implementation, then PVLAN is a purely soft implementation of VLAN: there is no need to divide VLANs at all, everyone sits in one IP segment, and only an access-control policy is needed so that hosts in the same IP subnet can communicate only with the default gateway and not with each other. So even if you do not know the terms "isolated VLAN" and "community VLAN", you have actually implemented a PVLAN.
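As an added example that is not part of the article, the script below combines the two policies discussed above: it places the gateway address on the VLAN bridge (option 3 of the address placement list) and switches on IPv4 forwarding, then builds the PVLAN-style "isolated port" policy with ebtables so that frames the bridge would forward between two access ports are dropped while frames to the gateway and the trunk are untouched. The bridge and port names, the DRY_RUN switch and the 192.0.2.0/24 gateway address (a documentation range) are this example's assumptions; by default it only prints the commands.

```shell
#!/bin/sh
# Added example: gateway on the VLAN bridge plus ebtables port isolation.
# Not code from the article. DRY_RUN=1 prints, DRY_RUN=0 executes (root).
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# vlan_gateway BRIDGE GW_CIDR: give the bridge the subnet's gateway address and
# let the box route between VLANs (the article's "layer-3 switching is routing").
vlan_gateway() {
    br=$1; gw_cidr=$2
    run ip addr add "$gw_cidr" dev "$br"
    run ip link set dev "$br" up
    run sysctl -w net.ipv4.ip_forward=1
}

# isolate_ports PORT...: PVLAN "isolated" behaviour. Any frame the bridge would
# forward from one listed access port to another is dropped in ebtables FORWARD.
# Frames addressed to the bridge's own MAC (the gateway) take the INPUT path and
# frames to/from the trunk are not listed, so only host-to-host traffic dies.
isolate_ports() {
    for in_port in "$@"; do
        for out_port in "$@"; do
            if [ "$in_port" != "$out_port" ]; then
                run ebtables -A FORWARD -i "$in_port" -o "$out_port" -j DROP
            fi
        done
    done
}

# Layout from the article: brvlan10 with access ports eth1 and eth2.
vlan_gateway brvlan10 192.0.2.1/24     # constructed gateway address
isolate_ports eth1 eth2
```

Because the access ports share one subnet, a host that tries to reach its neighbour ARPs for it directly; that ARP is itself a forwarded frame and is dropped by the same rule, so the neighbour is unreachable unless the gateway chooses to relay, which is exactly the "talk only to the default gateway" property the text describes. On kernels that support it, bridge port isolation (bridge link set dev eth1 isolated on) gives the same result without per-pair rules.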

Part III: some summary

1. Plan your network topology first, instead of first researching how VLANs are configured and implemented on Linux;
2. Understand the purpose of the VLAN design in depth, and what you are actually configuring;
3. Know which concepts are core to VLANs and which are not required;
4. Whatever platform the VLAN is configured on, only two points matter: a. which ports belong to which VLAN; b. which port is a cascade port belonging to more than one VLAN;
5. Everything else need not be memorised; it is all passing clouds...


Reference

http://www.h3c.com.cn/Products___Technology/Technology/LAN/Other_technology/Technology_recommend/200805/605887_30003_0.htm
http://blog.csdn.net/dog250/article/details/7354590
