This article was reproduced from: http://blog.chinaunix.net/uid-20786208-id-4291059.html
Technorati Tags: Linux VLAN
--------------------------I am the Happy dividing line--------------------------------------------------
Part I: The core concepts of VLANs
Speaking of IEEE 802.1Q, everyone knows it means VLANs, and when VLANs come up there is basically no blind spot: it is network fundamentals. When it comes to configuration, however, most people can rattle off the configuration commands for Cisco or H3C devices, yet have many doubts about VLAN configuration on Linux. I think there are two reasons for these doubts:
1. The nature of VLANs is still not understood.
No matter how proficient you are with Cisco/H3C commands, if you do not understand Linux's vconfig, that proficiency cannot disguise a shallow grasp of the concept;
2. Unfamiliarity with the style of Linux's virtual network device implementation.
You may already understand 802.1Q, and perhaps you have read the IEEE documents, but if you do not understand virtual devices such as the Linux bridge, tap and bond, you will not be able to configure VLANs successfully.
Regarding the VLAN concept, there are a few points to emphasize:
1. A VLAN separates broadcast domains;
2. A single VLAN simulates an ordinary switched Ethernet, so VLANs split one physical switch into one or more logical switches;
3. Communication between different VLANs requires layer-3 participation;
4. When multiple switches are cascaded, a VLAN is identified by a VID that is inserted into the standard Ethernet frame; this is called the tag;
5. In most cases the tag is not end-to-end: on the way up, the first VLAN switch adds the tag, and on the way down, the last VLAN switch removes it;
6. A tag is added only when, without it, a frame's VLAN could not be told apart, and it is removed as early as it can be;
7. Ultimately, IEEE 802.1Q solves the VLAN tagging problem. Beyond IEEE 802.1Q, everything else is implementation-specific, and although the Cisco and H3C implementations are similar, Linux can be quite different from them.
Pay close attention to the last three of these, i.e. points 3, 4 and 5. This is the hardest part of VLANs, but once you understand it, nothing about VLANs remains difficult. To make narration and configuration more convenient, Cisco and other vendors define many details that the IEEE 802.1Q standard does not, including but not limited to the following:
1. Each VLAN switch port must be bound to a VLAN ID;
2. Each VLAN switch port is one of three types: access, trunk, hybrid.
2.1. Access port: frames received on such a port carry no tag, and frames sent out of it carry no tag;
2.2. Trunk port: frames received on such a port carry a tag, and frames sent out of it must carry a tag (leaving aside the default VLAN);
2.3. Hybrid port: omitted.
We do not really need to dig into the Cisco/H3C commands or the exact differences between the three port types; the three types exist purely so that the VLAN concept (and ultimately the IEEE 802.1Q standard) is convenient to use. Plainly, the trunk port exists out of necessity: when frames of multiple VLANs traverse a single physical link, they cannot be told apart without a tag, so the IEEE 802.1Q standard defines a tag inserted into the Ethernet frame. To make that theoretical thing usable, vendors define a series of concepts around it, such as calling a link that carries tags a trunk link, and so on.
Thus we can set aside any configuration commands and any vendor-defined notions, and understand VLANs purely from the IEEE 802.1Q standard and our own requirements; after that, you can implement any VLAN configuration on Linux. First we define our requirements and the network topology that meets them, and the key is to see how to wire them.
1. Situation one: communication within the same VLAN
1.1. Communication between different ports of the same VLAN on the same switch
1.2. Communication between different ports on different switches
2. Situation two: communication between different VLANs
2.1. Communication between different VLANs on the same switch
2.2. Communication between different VLANs on different switches
As can be seen from 1.2 above, to save cabling and avoid loops, the single link between the two ports of the two VLAN switches must carry frames of different VLANs. For each side to identify exactly which VLAN each frame belongs to, the frames obviously have to be tagged, so frames on the link between port J and port K in 1.2 must carry a tag; port J and port K belong to two VLANs, VLAN M and VLAN N. In other words, as soon as a port needs to send and receive frames belonging to more than one VLAN, the frames sent out of that port carry a tag and the frames received on it are identified by their tag; in Cisco/H3C terms, that is a trunk port, and the link between two trunk ports is a trunk link.
We know that, in general, a PC is directly connected to a port of an ordinary layer-2 switch or of a VLAN-capable switch, and the PC usually emits ordinary, untagged Ethernet frames; it may not even know what 802.1Q is. The purpose of a VLAN, however, is to put some PCs in one VLAN and other PCs in another to achieve isolation. One obvious way is to assign some ports of the VLAN-capable switch to one VLAN and others to another; all the ports of one VLAN effectively form a logical layer-2 ordinary switch, and a PC belonging to a VLAN is connected to a port of that VLAN. To extend the VLAN beyond the port count of a single switch, switches must be cascaded, and the cascade link then carries traffic of different VLANs at the same time, so cascade links become trunk links. All links that are not cascade links are direct links, called access links in vendor terminology (hybrid is not discussed here). Naturally, the ports at both ends of an access link are tag-agnostic, so they can connect to a PC, to an ordinary switch, or to a non-trunk port of a VLAN switch, simply by "passing frames without a tag, removing the tag if there is one".
That is essentially all there is to VLANs, in three parts:
1. The design purpose: isolating broadcast domains, conserving physical devices, and isolating security-policy domains;
2. IEEE 802.1Q, which provides a standard protocol for the cascading scenario used to extend VLANs;
3. How a VLAN is defined: partitioning some ports into a VLAN, based on MAC address, or something else...
In fact, the standard imposes no hard rules on how VLANs are partitioned, as long as the ports belonging to the same VLAN fully follow the rest of the IEEE 802 series; in other words, all ports of the same VLAN across all switches form exactly one Ethernet through which Ethernet frames pass.
By now we have basically forgotten trunk, access and the port-based VLAN commands; what remains in mind is only the core VLAN concept, and with these core concepts we can configure a complete VLAN scheme on Linux. If instead you insist on forcing a Cisco configuration onto it, the result is just sad, for example asking: how do I configure a port as access on Linux, or how do I assign some NICs to a VLAN on Linux...
Anyone who understands the Linux bridge knows that Linux can implement multiple bridge devices. Because the Linux bridge is software, one Linux box can be configured with any number of logically distinct bridges; different bridge devices can only communicate through layer 3, and layer 3 is the boundary of an Ethernet, so one Linux box can simulate multiple Ethernets, and different bridge devices can represent different VLANs.
Part II: VLANs on Linux
VLANs on Linux differ from VLANs on Cisco/H3C. On the latter the LAN exists first and is then made "V": there is one large LAN that is divided into different VLANs. Linux is the opposite: since a Linux bridge device is a logical device that gets created, Linux first creates the VLAN and then creates a bridge associated with that VLAN. Creating a VLAN is simple:
ifconfig eth0 0.0.0.0 up
vconfig add eth0 10
ifconfig eth0.10 up
The eth0.10 created with vconfig is a virtual network device in the "real" sense, similar to br0, tap0, bond0 and so on. This virtual NIC is bound to the real NIC eth0, meaning its data is ultimately sent out through the real eth0; the ".10" in eth0.10 means it carries frames of VLAN 10 and tags them before they are sent via eth0. The tagging is naturally done in the hard_xmit of the virtual device eth0.10: in that hard_xmit the tag is added, and then eth0's hard_xmit is called to actually send the data, as shown in the figure:
So a real physical NIC like ethx that can carry frames from multiple VLANs is the trunk port, as shown here:
The Linux VLAN tool vconfig uses ethx.y to add VLAN ID y to the trunk port ethx. By analogy with Cisco/H3C, we have created a trunk. To summarize: creating an ethx.y virtual device with vconfig creates a trunk, where ethx is the trunk port and y is the ID of a VLAN whose frames the trunk link on that port can carry; if we create ethx.a, ethx.b, ethx.c and ethx.d, it means ethx can carry frames of VLAN a, VLAN b, VLAN c and VLAN d.
Next, let's look at how to create an access port. Because the Linux bridge is virtual and logical, we can first create a VLAN and then dynamically create a bridge based on that VLAN, instead of "configuring a VLAN ID for each port". This is very simple:
To create the VLAN:
ifconfig eth0 0.0.0.0 up
vconfig add eth0 10
ifconfig eth0.10 up
To create a bridge for the VLAN:
brctl addbr brvlan10
brctl addif brvlan10 eth0.10
To add NICs to this VLAN:
ifconfig eth1 0.0.0.0 up
brctl addif brvlan10 eth1
ifconfig eth2 0.0.0.0 up
brctl addif brvlan10 eth2
...
That's it. From this point on, eth1 and eth2 are access ports of VLAN 10, and eth0 is the trunk port; it can be left out when you do not need to cascade VLAN switches. If you only need to extend VLAN 10, you can connect eth1 to an ordinary layer-2 switch or a hub... Similarly, you can create another VLAN and likewise cascade to the upstream VLAN switch via eth0:
ifconfig eth0 0.0.0.0 up
vconfig add eth0 20
ifconfig eth0.20 up
brctl addbr brvlan20
brctl addif brvlan20 eth0.20
ifconfig eth5 0.0.0.0 up
brctl addif brvlan20 eth5
As shown in the following:
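The two configurations above, generalized into one reusable script that also validates the VID range (an added example, not code from the original post). The NIC names eth0, eth1, eth2, eth5 and the brvlanVID bridge naming follow the post; the script only prints the commands unless DRY_RUN=0 is set, since applying them needs root and real NICs.

```shell
#!/bin/sh
# Added example, not from the original post: a reusable version of the post's
# vconfig/brctl procedure. NIC names (eth0, eth1, eth2, eth5) are assumptions.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them, which
# needs root and the real NICs.

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Valid 802.1Q VIDs are 1..4094 (0 and 4095 are reserved by the standard).
vid_ok() {
  case "$1" in '' | *[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# make_vlan TRUNK VID ACCESS_PORT...
# Creates TRUNK.VID (the tagged side, so TRUNK is the trunk port), a bridge
# brvlanVID for that VLAN, and attaches every ACCESS_PORT to the bridge
# untagged, so each ACCESS_PORT becomes an access port of VLAN VID.
make_vlan() {
  trunk=$1
  vid=$2
  shift 2
  vid_ok "$vid" || { echo "invalid VLAN id: $vid" >&2; return 1; }
  br="brvlan$vid"
  run ifconfig "$trunk" 0.0.0.0 up
  run vconfig add "$trunk" "$vid"
  run ifconfig "$trunk.$vid" up
  run brctl addbr "$br"
  run brctl addif "$br" "$trunk.$vid"
  for port in "$@"; do
    run ifconfig "$port" 0.0.0.0 up
    run brctl addif "$br" "$port"
  done
  run ifconfig "$br" up
}

# The post's topology: eth0 is the trunk carrying VLAN 10 and VLAN 20,
# eth1/eth2 are access ports of VLAN 10, eth5 is an access port of VLAN 20.
# Invoke as: sh make_vlan.sh demo   (prefix DRY_RUN=0 to apply for real)
case "${1:-}" in
  demo)
    make_vlan eth0 10 eth1 eth2
    make_vlan eth0 20 eth5
    ;;
esac
```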
This basically takes care of VLAN configuration on Linux. The next topic is communication between VLANs. This bit of knowledge is the simplest: use routing, which is why many people equate VLAN-capable layer-3 switches with routers. Since routing requires an IP address as a gateway, the placement of that IP address is an unavoidable question: where do we configure it? It must certainly be configured somewhere inside the current VLAN, so there are several places to put this IP:
1. On a router interface belonging to the VLAN, where the router has a route to the destination VLAN (the router interface is a trunk port);
2. On an ethx.y virtual interface belonging to the VLAN, where the Linux box has a route to the target VLAN a (most obviously, via an ethx'.a virtual interface);
3. On a bridge device belonging to the VLAN (a Linux bridge has a local interface by default, on which an IP address can be configured), where the Linux box has a route to the target VLAN a (most obviously, it owns an ethx'.a virtual interface or a bridge device for the target VLAN).
Options 1 and 2 are really no different; in essence both just find a place to configure an IP address. In most cases 2 is used, but if the same VLAN has two trunk ports configured on the same Linux box, then you need to use the bridge address, as in the following configuration:
brctl addbr brvlan10
brctl addif brvlan10 eth0.10
brctl addif brvlan10 eth1.10
ifconfig brvlan10 up
Now there are two ethx.y-type virtual interfaces; to avoid routing conflicts only one IP address can be configured, and it can only be configured on brvlan10. Whether the address is configured on the bridge or on an ethx.y, the path is IP routing: as long as the destination MAC address points to any local interface, handle_bridge, called from netif_receive_skb, steers the frame to local IP routing for handling. Linux is software and does not natively implement hardware cache-based forwarding, so on Linux the so-called layer-3 switching is really just routing.
Let's take a look at a tagged frame. By definition the tag is removed at the access port, but semantically, as long as it is guaranteed that the access port sends frames without a tag, there is no strict requirement on when the tag is removed. In the Linux VLAN implementation, a packet_type func acts as a layer-3 handler that processes 802.1Q frames separately; 802.1Q is at this point on an equal footing with the IP protocol, and the VLAN func function vlan_skb_recv is just like the IP handler ip_rcv. In Linux's VLAN implementation, only when a port receives a frame that is addressed to the local host does the frame reach the layer-3 packet_type func processing; otherwise it is handled only by layer 2, i.e. the bridge logic, and the native Linux bridge implementation neither handles nor even recognizes 802.1Q frames. The whole picture of trunk-port send/receive, IEEE 802.1Q frame processing and inter-VLAN communication is as follows:
So far the essentials of VLANs on Linux have basically been covered. With this understanding, designing a single-arm (router-on-a-stick) Linux box should not be hard; the biggest advantage of a single-arm device is that it saves physical equipment while still achieving isolation. The configuration is not complex; if you do not want to implement VLANs, you can also use ip addr add ... dev ... to add virtual IPs, but the benefit of a VLAN implementation is that it can be linked to an existing layer-3 switch, or directly to the trunk of a standard IEEE 802.1Q-capable device.
Mechanism is the stage, policy performs the play. Now that the VLAN implementation mechanism is clear, you have probably also seen its shortcomings; how to overcome them? PVLAN is really a VLAN alternative. It solves the IP-segment isolation problem that VLANs leave; how do we implement it on Linux? It is not hard: it amounts to adding some access-control policy on the LAN, which can be done purely in software, even with ebtables/arptables/iptables, to implement a PVLAN. If VLANs are a hard-implemented isolation, then PVLAN is purely a soft one; you do not even need to partition any VLAN. Everyone sits in one IP segment, and you only need to configure an access-control policy so that hosts in the same IP subnet can communicate only with the default gateway and not with each other. In that sense, even if you do not know the terms "isolated VLAN" and "community VLAN", you have actually implemented a PVLAN.
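One way to implement the ebtables-based PVLAN just described, as an added example that is not from the original post: the bridge brvlan10 and the trunk sub-interface eth0.10 follow the post's earlier configuration, and the rule set itself is my own assumption. It again only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not from the original post: a software "isolated PVLAN" with
# ebtables on a Linux bridge, as the post suggests. Hosts on the access ports
# may talk only to the uplink port (through which the default gateway is
# reached), never to each other. Bridge and port names are assumptions;
# DRY_RUN=1 (the default) prints the commands, DRY_RUN=0 executes them
# (needs root and the ebtables tool).

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# pvlan_isolate BRIDGE UPLINK_PORT
# Bridged frames pass through the ebtables FORWARD chain, where -i/-o are
# the ingress/egress bridge ports and --logical-in/--logical-out name the
# bridge. Everything not explicitly accepted is dropped, so access-port to
# access-port forwarding (including ARP and broadcasts between them) fails,
# while both directions between an access port and the uplink pass.
pvlan_isolate() {
  br=$1
  uplink=$2
  run ebtables -F FORWARD
  run ebtables -P FORWARD DROP
  run ebtables -A FORWARD --logical-in "$br" -i "$uplink" -j ACCEPT
  run ebtables -A FORWARD --logical-out "$br" -o "$uplink" -j ACCEPT
}
# Note: the FORWARD policy is global, so other bridges on the box need their
# own ACCEPT rules; frames addressed to the bridge's own IP go through the
# INPUT chain and are unaffected, so a gateway on brvlan10 itself still works.

# The post's topology: isolate the VLAN 10 hosts on brvlan10 behind the
# trunk sub-interface eth0.10. Invoke as: sh pvlan.sh demo
case "${1:-}" in
  demo) pvlan_isolate brvlan10 eth0.10 ;;
esac
```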
Part III: Some summary points
1. First plan your network topology, rather than first researching how VLANs are configured and implemented on Linux;
2. Understand in depth the purpose of the VLAN design and what needs to be configured;
3. Know which VLAN concepts are core and which are not required;
4. Whatever platform the VLAN is configured on, only two things are needed: a. which ports belong to which VLAN; b. which port is a cascade port that belongs to more than one VLAN;
5. Everything else need not be memorized; it's all passing clouds...
-------------------I am the end of the split line----------------------
IEEE 802.1Q VLANs implemented by Linux