6

I am trying to bridge a dot1q trunk and cannot seem to figure it out. I am able to connect to hosts on the trunk with my eth0.2 interface but when I bridge the interface with br0 and try to connect I get nothing. Am I missing something simple here?

    auto lo
    iface lo inet loopback

    auto br0
    iface br0 inet manual
        bridge_ports eth0
        bridge_stp off
        bridge_fd 9
        bridge_hello 2
        bridge_maxwait 0

    auto br0.100
    iface br0.100 inet static
        address 192.168.100.99
        netmask 255.255.255.0

    auto eth0.2
    iface eth0.2 inet static
        address 10.1.2.225
        netmask 255.255.255.0
        network 10.1.2.1
        broadcast 10.2.1.255
        gateway 10.1.2.1
        mtu 1500

HopelessN00b
imaiden
  • What operating system are you using? – Nils Aug 03 '12 at 20:12
  • is the only reason for br0 to send a trunked vlan out eth0.2? – Mike Pennington Aug 03 '12 at 20:18
  • No. That is there to manage the machine until I get it figured out. – imaiden Aug 03 '12 at 22:04
  • @imaiden you have several very good answers below. However, each one of them is asking "why bridge"? Please take the time to explain why you want to enable bridging on your interface(s) for the sake of clarity. – gravyface Aug 15 '12 at 12:31
  • Since the time this question was asked, Linux bridge got VLAN filtering support: it can handle and dispatch VLANs to bridge ports according to the configuration (using the bridge command, not the obsolete brctl command), without ever requiring a vlan sub interface. – A.B Dec 11 '19 at 21:53
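
The VLAN filtering mentioned in the last comment, as an added example (not part of the original question or comments): one VLAN-aware bridge built with `ip` and `bridge` from iproute2, with the trunk port limited to the listed VLAN IDs. The function names, device names, VLAN IDs and the `DRY_RUN` switch are assumptions; by default the commands are only printed.

```shell
#!/bin/sh
# Added example: one VLAN-aware bridge instead of one bridge per VLAN.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# valid_vid VID: succeed only for a usable 802.1Q VLAN ID (1-4094).
valid_vid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# vlan_bridge BRIDGE TRUNK VID...: create BRIDGE with VLAN filtering on,
# enslave TRUNK, and allow only the listed tagged VLANs on that port.
vlan_bridge() {
    br=$1; trunk=$2; shift 2
    # Validate every ID first so a bad one leaves nothing half-configured.
    for vid in "$@"; do
        valid_vid "$vid" || { echo "invalid VLAN ID: $vid" >&2; return 1; }
    done
    run ip link add name "$br" type bridge vlan_filtering 1
    run ip link set dev "$trunk" master "$br"
    # A new port gets VLAN 1 as its untagged PVID by default. Removing it
    # keeps untagged frames off the bridge (assumption: only tagged
    # traffic is wanted; drop this line to bridge untagged frames too).
    run bridge vlan del dev "$trunk" vid 1
    for vid in "$@"; do
        run bridge vlan add dev "$trunk" vid "$vid"
    done
    run ip link set dev "$trunk" up
    run ip link set dev "$br" up
}

# host_vlan BRIDGE VID ADDR/PREFIX: give the host itself an address in one
# VLAN by admitting that VLAN on the bridge device ("self").
host_vlan() {
    valid_vid "$2" || { echo "invalid VLAN ID: $2" >&2; return 1; }
    run bridge vlan add dev "$1" vid "$2" self
    run ip link add link "$1" name "$1.$2" type vlan id "$2"
    run ip addr add "$3" dev "$1.$2"
    run ip link set dev "$1.$2" up
}
```

For the trunk in the question this would be `vlan_bridge br0 eth0 2 100`, followed by `host_vlan br0 2 10.1.2.225/24` for the management address.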

4 Answers

11

If an interface (eth0 in your case) is added to a bridge, by default its VLAN subinterfaces (eth0.2) will no longer get the incoming traffic — all packets will be passed to the bridge. Before Linux 2.6.37 VLAN subinterfaces could sometimes work depending on your hardware (if the hardware and driver supported RX VLAN acceleration (NETIF_F_HW_VLAN_RX), VLANs were handled before bridging, and VLAN subinterfaces worked); since 2.6.37 the behavior is the same for all cards and drivers.

There are several solutions with different drawbacks:

  1. Add VLAN subinterfaces to the bridge instead of the physical interface. But in this case all ports of the bridge will have access to all VLANs, which is probably not desired.

  2. Use ebtables to pass 802.1Q tagged traffic to VLAN subinterfaces:

    ebtables -t broute -A BROUTING -i eth0 -p 802_1Q -j DROP
    

    (In the BROUTING chain ACCEPT means “bridge”, and DROP means “route”, or actually “process according to ethertype”, which for the 802_1Q type means “pass to the appropriate VLAN subinterface”.)

    In this case the bridge will not get any tagged traffic, but there will be slightly more overhead due to ebtables processing.

  3. Reconfigure the network to make all traffic on the interface tagged and avoid the need to bridge the untagged traffic at all.

Sergey Vlasov
  • Isn't this exactly what my config is doing? "Add VLAN subinterfaces to the bridge instead of the physical interface. But in this case all ports of the bridge will have access to all VLANs, which is probably not desired." This is what I am trying to accomplish at this point and I cannot figure out what it is I am doing wrong. – imaiden Aug 03 '12 at 21:57
  • What kernel version are you using? Bridging tagged packets works only since 2.6.37, or if you have a network card which does not have hardware support for 802.1Q. And now I don't understand why you need this bridge at all — what other interfaces will be added to the bridge? – Sergey Vlasov Aug 04 '12 at 11:53
4

Once you add an interface to a bridge, you should use the bridge interface and sub-interfaces for getting untagged and VLAN tagged packets.

So, in your example, you need to replace eth0.2 with br0.2.

You would have only one bridge (br0), but using the bridge sub-interfaces (e.g. br0.2), you can get traffic from any VLAN you like.

To pass all information from eth0 to br0, just add eth0 to br0 and call it a day. It appears you've already done this.

You may also want to toggle the following:

    sudo sysctl net.bridge.bridge-nf-filter-vlan-tagged=1

This is 1 on my Jaunty box, but 0 on Lucid. I had to make it 1 for my bridge / VLAN setup to work again.

up_the_irons
  • I tried the above-mentioned configuration; it didn't work on Ubuntu. Is there any different concept for Ubuntu? – Nagesh HS Jun 05 '18 at 06:31
3

There are a few things being mixed together here. Tagging generally takes place on the actual Ethernet interface (i.e. eth0.2) while bridging doesn't usually require any kind of explicit tagging (although there are exceptions to this).

OK - I am going to assume that you want VLAN 2 and VLAN 100 to pass over ethernet 0.

1.) You want to create eth0.2 and eth0.100. Don't put an IP address on either (inet manual).

2.) Create br2 and br100 (for convenience) and assign the IPs you'd like to use in these VLANs (inet static).

3.) eth0.2 will be a bridge_port in br2. eth0.100 will be a bridge_port in br100.

rnxrx
  • Thanks for the help but I am trying to avoid setting up individual bridges for each vlan. I am trying to pass all the information on my eth0 interface to my br0. Right now it strips all the 802.1q information. – imaiden Aug 03 '12 at 21:48
  • What is the purpose of the bridges? What are you trying to bridge? You say you're trying to bridge a .1q trunk, but I don't see you bridging it to anything. If you're trying to bridge, you need bridges. But it sounds like you just want a few interfaces in different VLANs. You don't need any bridging for that. – David Schwartz Aug 03 '12 at 23:52
  • If you're just trying to put your host into a few VLANs on a single physical interface then there's no need for bridging. If you want to be able to bridge traffic from one interface to another then you'll need bridge interfaces. The host needs to be made aware of the various VLAN tags in use regardless, however. – rnxrx Aug 04 '12 at 02:01
3

To make a long story short: tag your interfaces, and then add bridges. So, for vlan100 to be usable in a bridged mode, you will need

    eth0 -> eth0.100 -> br100

To add another tag:

    eth0 -> eth0.100 -> br100
         -> eth0.101 -> br101

and so on

dyasny
  • I am trying to avoid using multiple bridges and need to find a way to have all the 802.1q traffic passed over the bridge. – imaiden Aug 03 '12 at 22:02
  • @imaiden: I don't get it. Pass over the bridge to what? Are you trying to bridge the two VLANs together? If so, that's kind of silly (just use one VLAN), but then add both interfaces to a single bridge. – David Schwartz Aug 03 '12 at 23:54
  • @DavidSchwartz: This is useful when you have multiple trunked ports, where you want all VLANs to go over the physical interfaces without consideration for VLAN micromanagement. Far simpler to put the VLANs on one bridge than onto multiple disparate bridges. – zaTricky Aug 03 '17 at 07:11
  • @zaTricky Oh, thanks. I didn't quite get that the VLANs would be tagged on the bridge. – David Schwartz Aug 03 '17 at 20:13
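
The per-VLAN layout that the last two answers describe (eth0 -> eth0.N -> brN), as an added example that is not from either answer: shell functions that print the matching `/etc/network/interfaces` stanzas for a list of VLANs. The function names are hypothetical, and the stanza options assume Debian's `vlan` and `bridge-utils` ifupdown hooks are installed.

```shell
#!/bin/sh
# Added example: print /etc/network/interfaces stanzas for the
# one-bridge-per-VLAN layout (trunk -> trunk.VID -> brVID).
# Assumes the Debian "vlan" and "bridge-utils" ifupdown hooks are installed.

# vlan_bridge_stanza TRUNK VID ADDRESS NETMASK
vlan_bridge_stanza() {
    # Reject anything that is not a usable 802.1Q VLAN ID (1-4094).
    case "$2" in ''|*[!0-9]*) echo "invalid VLAN ID: $2" >&2; return 1 ;; esac
    if [ "$2" -lt 1 ] || [ "$2" -gt 4094 ]; then
        echo "invalid VLAN ID: $2" >&2; return 1
    fi
    cat <<EOF
# Step 1: tagged subinterface, no address of its own
auto $1.$2
iface $1.$2 inet manual

# Steps 2-3: the bridge for VLAN $2 holds the address; the subinterface is its port
auto br$2
iface br$2 inet static
    address $3
    netmask $4
    bridge_ports $1.$2
    bridge_stp off
    bridge_maxwait 0

EOF
}

# interfaces_for TRUNK "VID ADDRESS NETMASK"...
# Emits one stanza pair per VLAN and stops at the first invalid entry.
interfaces_for() {
    trunk=$1; shift
    for spec in "$@"; do
        # Word-split the spec into VID, ADDRESS and NETMASK on purpose.
        # shellcheck disable=SC2086
        vlan_bridge_stanza "$trunk" $spec || return 1
    done
}

# Constructed sample, using the VLAN IDs and addresses from the question:
# interfaces_for eth0 "2 10.1.2.225 255.255.255.0" "100 192.168.100.99 255.255.255.0"
```

With this layout the physical interface itself is not a bridge port, so each bridge only ever sees the one VLAN whose subinterface it contains.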