VLANs, Bridges, Managed Bridge On Linux Oh My!

You can use a Linux server as a managed bridge if you want to.

The discerning reader would point out that this is already possible; however, without spoiling the ending, I will come back to this point at the end.

Keep on reading…

A Few Definitions

First, we need to state what a VLAN is, what a bridge is, and what a switch is.

  • A VLAN is a broadcast domain that is partitioned and isolated from the rest of the network at OSI layer 2.
    1. This is achieved by tagging (labeling) a packet as belonging to a VLAN (e.g., VLAN 100).
    2. Thus, if a packet tagged with VLAN 100 enters an interface that belongs to VLAN 100, it is allowed.
    3. If the packet has no tag (an untagged packet), it is allowed because it is considered part of the native VLAN of the port it is going to.
    4. If a tagged packet enters a port that belongs to a different VLAN, it is discarded. Of course, this should never happen unless you misconfigured your VLANs.
    5. A trunk is a special port that allows several VLANs to traverse a device; this is what lets switches extend the network.
    6. Of course, there are more subtleties, but for our purposes this is good enough.
  • A bridge allows two or more ports to communicate as if they were in the same domain.
    1. In practice this means that multiple networks will be able to communicate with each other.
    2. A VLAN has no effect on this, since a bridge does not check VLAN membership; it just passes traffic.
  • Thus, an unmanaged switch is a collection of ports belonging to a bridge.
  • A managed switch, then, is a collection of ports belonging to VLANs, and the ports in turn belong to a particular bridge. The VLAN ensures that only correctly tagged packets enter specific ports, and the bridge allows all the networks (and the devices behind them) to communicate with each other.

A Managed Bridge on Linux

How do we go about this? Well, you first create a trunk that passes the VLANs from a managed switch to the Linux server.

We will refer to figure 1.

Figure 1.

We create VLANs 100 and 200 and assign them as subinterfaces of port eth1.

sudo ip link add link eth1 name eth1.100 type vlan id 100
sudo ip link set eth1.100 up
sudo ip link add link eth1 name eth1.200 type vlan id 200
sudo ip link set eth1.200 up
sudo ip addr add 192.168.100.2/24 dev eth1.100
sudo ip addr add 192.168.200.2/24 dev eth1.200

The commands above will:

  1. Set subinterfaces on port eth1, the subinterfaces are configured with the VLANs in question.
  2. Enable the subinterfaces.
  3. Configure IP addresses so we can ping them from the managed switch in Figure 1.

At this point, eth1 is configured as a trunk. If you configured port fa1/0 on the managed switch as a trunk, and the VLAN interfaces as stated in Figure 1, the two sides will be able to ping each other.

What if you want to add eth4 as part of VLAN 100?

You can go through the same procedure.

sudo ip link add link eth4 name eth4.100 type vlan id 100
sudo ip link set eth4.100 up

You do not need to configure an IP address. Now, if you configure a device behind the unmanaged switch with IP address 192.168.100.10/24 and try pinging 192.168.100.1, it will fail.

The reason is simple: even though eth4.100 is part of VLAN 100, unless it is also part of a bridge it will not be able to communicate across the unmanaged switch.

sudo brctl addbr br1
sudo brctl addif br1 eth1.100
sudo brctl addif br1 eth4.100

We are using the bridge utilities to create the bridge and add the corresponding ports.

After doing this you can ping the device behind the unmanaged switch from the managed switch.
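The whole procedure above (trunk subinterface, access-port subinterface, bridge) as one script, added here as an example and not part of the original post. It uses iproute2 "ip link ... master" instead of brctl, validates the VLAN ID, and bridges only the .100 subinterfaces, never the raw eth1, which is what keeps VLAN 200 frames off the bridge given that the bridge itself does no VLAN check. Interface names eth1/eth4 and bridge name br1 are assumed from the post; by default it prints the commands, and APPLY=1 runs them as root.

```shell
#!/bin/sh
# Added example: rebuild the post's topology with iproute2.
# Trunk and bridge names are assumptions matching the post's Figure 1.
TRUNK=${TRUNK:-eth1}
BRIDGE=${BRIDGE:-br1}

# Accept only 802.1Q VLAN IDs 1-4094 (0 and 4095 are reserved).
valid_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Print a command (dry run, default) or execute it when APPLY=1.
emit() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# vlan_subif <parent> <vid>: create and bring up <parent>.<vid>,
# the same as the post's "ip link add link ... type vlan id" step.
vlan_subif() {
    valid_vid "$2" || { echo "bad VLAN id: $2" >&2; return 1; }
    emit ip link add link "$1" name "$1.$2" type vlan id "$2"
    emit ip link set "$1.$2" up
}

# managed_bridge <vid> <access_if>...: bridge TRUNK.<vid> with each
# <access_if>.<vid>. Only the tagged subinterfaces join the bridge,
# so frames from other VLANs on the trunk never reach the access ports.
managed_bridge() {
    vid=$1; shift
    vlan_subif "$TRUNK" "$vid" || return 1
    emit ip link add "$BRIDGE" type bridge
    emit ip link set "$TRUNK.$vid" master "$BRIDGE"
    for port in "$@"; do
        vlan_subif "$port" "$vid" || return 1
        emit ip link set "$port.$vid" master "$BRIDGE"
    done
    emit ip link set "$BRIDGE" up
}

# Example run (dry run): VLAN 100 from the trunk to access port eth4.
managed_bridge 100 eth4
```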

Voila, you have created a managed switch on a Linux server.

Once again the discerning reader will realize that eth4.100 is similar to a port on a Cisco switch configured as a switch port.

If your Linux server has several Ethernet ports, you can add as many VLANs to it as you need, and if you also want to route, you can use Zebra, an open-source routing daemon that supports BGP, OSPF, and RIP.

Of course, rather than use a server, you could get a 1U or 2U enclosure and install your favorite Linux distro on it.

However, as stated at the beginning of this post there are a few devices that already implement this.

Force 10, for example, runs FreeBSD, a Unix-like operating system. After the switch boots up, it runs a script that presents the user with a shell similar to Cisco's CLI.

Another such system is VyOS, a Linux distro that can run on virtual machines, containers, or bare metal.

Thus you can install it on an enclosure, and after booting it does the same thing as Force 10. The shell interface is different, but not that difficult.

VyOS has the advantage that it is also a layer 3 device (Force 10 is a layer 3 device as well) and can run a firewall, and thus do NAT.

If you want a managed switch on Linux and want to build it yourself, VyOS is your best bet.

If your Linux server only needs to access several VLANs, and you do not need the additional setup to act as a managed bridge, then you can just configure your distro of choice, trunk the interface to your managed switch, and you will be fine.

There you have it.

Ciao.
