IEEE 802.1Q VLAN in Linux (1)

VLAN is a new data exchange technology that logically divides LAN devices into network segments to implement virtual working groups. The 802.1Q protocol is also known as the "VirtualBridgedLocalAreaNetworks" (Virtual bridging LAN) protocol, which mainly specifies VLAN implementation methods. This blog post will re-interpret the Protocol and demonstrate the principles and configurations of Inter-Vlan communication.

Core concepts of VLAN

Speaking of IEEE 802.1q, we all know VLAN. Speaking of VLAN, there is basically no blind zone and the network base. However, when it comes to configuration, basically everyone can speak out the configuration commands of Cisco or H3C devices in the same way, but there are a lot of questions about Linux VLAN configuration. I think there are two reasons for these questions:

1. I still have no understanding of the nature of VLAN.

No matter how familiar your Cisco/H3C commands are, if you cannot understand the Linux vconfig, you cannot conceal your understanding of the concept;

2. unfamiliar with Linux virtual network device Style

You may have understood 802.1q and read IEEE documents. However, you do not understand Linux virtual devices such as Bridge, tap, and bond, therefore, you cannot configure the VLAN smoothly.

To understand the concept of VLAN, we should emphasize the following points:

1. VLAN separates broadcast domains;

2. A single VLAN simulates a conventional Ethernet switch. Therefore, a VLAN divides a physical switch into one or more logical switches;

3. layer-3 communication is required between different VLANs;

4. When multiple switches are cascade, VLAN IDs are identified by vids. This ID is inserted into standard ethereframes, which are called tags;

5. Most tags are not end-to-end. Generally, the first VLAN switch is tagged on the uplink, And the last VLAN switch on the downlink is removed;

6. Only when a data frame is not tagged cannot distinguish the VLAN to which it belongs. If the data frame can be removed, the tag should be removed as soon as possible;

7. Finally, IEEE 802.1q solves the VLAN tag problem. Except for IEEE 802.1q, the rest are related to implementation. Although the implementation of Cisco and H3C is very similar, Linux can be quite different from them.

The key is the last three points, namely, 3, 4, and 5. This is the most difficult part of a VLAN, but once it is understood, there is nothing left on the VLAN. Cisco and other vendors have defined many details to make the description and configuration more convenient.These details are not defined in the IEEE 802.1q standard, including but not limited to the following:

1. Each VLAN switch port must be bound with a VLAN id;

2. Each VLAN switch port belongs to one of the following three types: access, trunk, and hybrid.

2.1.access port: The data frame received from this class port is not tagged, and the data frame sent from this class port is not tagged;

2.2.trunck port: The data frame received from this port type is tagged, and the data frame sent from this port type needs to be tagged (the default VLAN is not considered );

2.3.hybrid port: omitted

In fact, we do not need to go into the command of Cisco/H3C and what is the difference between the three types of ports. The reason why there are three types of ports is to fully implement the concept of VLAN (the final IEEE 802.1q standard) it is easy to use. To put it bluntly, the trunk port exists because it is a last resort, because data frames belonging to multiple VLANs must pass through a single physical link. Without tags, it is impossible to distinguish which VLAN they belong, therefore, with the IEEE 802.1q standard, a tag is defined to be inserted into an Ethernet frame. In order to make this theoretical thing available, the vendor defines a series of conceptual things, for example, the tag-related link is a trunk link.

Therefore, we can discard any configuration command and anything defined by any vendor to fully understand the VLAN in accordance with the IEEE 802.1q standard and our requirements, you can implement any VLAN configuration perfectly on Linux.First, let's define our requirements and the network topology that meets the requirements. The key is how to connect them.

1. Scenario 1. communication within the same VLAN

1. Communication between different ports in the same vlan of the same vswitch

. Communication between different ports of different vswitches

2. Case 2. Communication between different VLANs

2. 1. Communication between different VLANs of the same switch

2. Communication between different VLANs of different vswitches

From the above 1.2, we can see that in order to save cables and avoid loops, the same link between the two ports of the two VLAN switches must carry different VLAN data frames, to enable each other to identify the VLAN to which each data frame belongs, it is obvious that a tag is used for the data frame, therefore, the data frame on the link between port J and port K in Port 1.2 needs to be tagged. Both port J and port K belong to two VLANs, VLAN m and VLAN n, respectively. In other words, as long as a port needs to transmit and receive data frames belonging to multiple VLANs, the data frames sent from the port must be tagged, the data frame received from this port can identify the VLAN it belongs to by tag. In terms of Cisco/H3C, It is the trunk port, the link between two trunck ports belongs to the trunk link.

We know that, in general, our PC is directly connected to a conventional L2 Switch or a switch port supporting VLAN, while our PC usually sends out conventional Ethernet data frames, these data frames do not have tags, and they may not know what 802.1q is. However, the purpose of a VLAN is to place some PCs in a VLAN, to isolate another PC in another VLAN, it is obvious that some ports of a switch that supports VLAN are allocated in one VLAN, while some other ports are located in another VLAN, all the ports in one VLAN form a logical layer-2 common switch, a pc with the same VLAN is connected to a port with the same VLAN. To expand the VLAN, in view of the number of ports of a single switch, cascade switches are required, the cascade link carries different VLAN traffic at the same time, so the cascade link becomes a trunk link, and all links that are not cascade links are direct links, in terms of vendor terms, it is an access Link (note that hybrid is not mentioned here). Naturally, ac The ports at both ends of the cess link are irrelevant to the tag. You only need to "no tag pass-through, remove tags ", therefore, it can be connected to a PC, a conventional switch, or a non-trunk port of a VLAN switch.

The VLAN content is divided into three parts:

1. design purpose

Isolates broadcast domains, saves physical devices, and isolates security policy domains.

2. IEEE 802.1q

Provides a standard protocol for VLAN scalability cascading solutions.

3. How to Use VLAN

Classify some ports into a VLAN Based on the MAC address or something...

In fact, as for how to divide VLANs, there is no rigid rule in the standard, as long as it can ensure that the ports belonging to the same VLAN are completely else the IEEE 802 series standard, in other words, all the ports in the same VLAN of all switches in the same VLAN are exactly one Ethernet, And the Ethernet frame is passthrough.

So far, we have basically forgotten to configure the trunk, access, and port VLAN-based commands. What we leave in our mind is the core concept of VLAN. Using these core concepts, we can configure the complete VLAN scheme on Linux. If you configure Cisco hard, the result is only sad. For example, if you ask: how to configure port access on Linux and how to route some NICs to a VLAN on Linux...

All users who understand Linux Bridge know that Linux itself can implement multiple Bridge devices. Because Linux Bridge is soft, a Linux Box can be configured with multiple logical bridges, multiple Bridge devices must communicate with each other through the third layer, and the third layer is the Ethernet boundary. Therefore, a Linux Box can simulate multiple Ethernet networks, different Bridge devices can represent different VLANs.