Linux Bridge vlan filtering

linux網橋支持vlan filtering過濾功能後，咱們不仔再須要經過子接口的形式進行vlan劃分，簡化了vlan配置。

1. bridge vlan說明

man bridge能夠了解到，linux經過以下命令進行vlan filtering的配置：

bridge vlan { add | del } dev DEV vid VID [ pvid ] [ untagged ] [ self ] [ master ]

選項說明：

pvid：端口的默認vlan，全部從該端口輸入的沒有攜帶vlan的報文，會被打上該vlan標籤，該選項只對輸入報文有效。

untagged：端口的untag vlan，輸出報文攜帶該vlan時，會被剝離。

通常狀況下pvid和untagged是同時使用的，對應於cisco的switchport trunk native vlan

self

master

這兩個選項在幫助手冊上是這麼解釋的：

self   the vlan is configured on the specified physical device. Required if the device is the bridge device.
master the vlan is configured on the software bridge (default).

個人理解是：self表示該vlan是添加再bridge設備上的，並且給橋添加vlan時必須且只能攜帶該選項，不然會報錯：

ubuntu@VM-126-137-ubuntu:~$ sudo ip link add Bridge up type bridge vlan_filtering 1
ubuntu@VM-126-137-ubuntu:~/bgp-lab$ sudo bridge vlan add vid 100 dev Bridge self
ubuntu@VM-126-137-ubuntu:~/bgp-lab$ 
ubuntu@VM-126-137-ubuntu:~/$ sudo bridge vlan add vid 100 dev Bridge master
RTNETLINK answers: Operation not supported
ubuntu@VM-126-137-ubuntu:~/$ sudo bridge vlan add vid 100 dev Bridge 
RTNETLINK answers: Operation not supported
ubuntu@VM-126-137-ubuntu:~/$

master表示該vlan是添加再bridge的端口設備上的，該選項是默認的，給橋上的端口添加vlan時能夠不指定該參數。

ubuntu@ubuntu:~/$ sudo ip link del Bridge
ubuntu@ubuntu:~/$ sudo ip link add Bridge up type bridge vlan_filtering 1
ubuntu@ubuntu:~/$ sudo ip link set eth1 master Bridge
ubuntu@ubuntu:~/$ sudo bridge vlan add vid 100 dev Bridge self
ubuntu@ubuntu:~/$ sudo bridge vlan add vid 100 dev eth1 
ubuntu@ubuntu:~/$ sudo bridge vlan add vid 100 dev eth1 master
ubuntu@ubuntu:~/$ 
ubuntu@ubuntu:~/$ sudo bridge vlan add vid 100 dev eth1 self
RTNETLINK answers: Operation not supported
ubuntu@ubuntu:~/$ 
ubuntu@ubuntu:~/$ sudo bridge vlan show
port    vlan ids
eth1         1 PVID Egress Untagged
         100

Bridge   1 PVID Egress Untagged
         100

ubuntu@ubuntu:~/$

添加橋時，默認會以 pvid untagged形式添加的默認vlan 1中，不少廠商會把vlan 1做爲保留vlan，不容許用戶配置。

ubuntu@ubuntu:~/$ sudo ip link del Bridge
ubuntu@ubuntu:~/$ sudo bridge vlan show
port    vlan ids

ubuntu@ubuntu:~/$ sudo ip link add Bridge up type bridge vlan_filtering 1
ubuntu@ubuntu:~/$ sudo bridge vlan show
port    vlan ids

Bridge   1 PVID Egress Untagged

ubuntu@ubuntu:~/$

端口加入橋時，也會默認以 pvid untagged形式添加的默認vlan 1中，

ubuntu@ubuntu:~/$ sudo ip link del Bridge
ubuntu@ubuntu:~/$ sudo ip link add Bridge up type bridge vlan_filtering 1
ubuntu@ubuntu:~/$ sudo ip link set eth1 master Bridge
ubuntu@ubuntu:~/$ sudo bridge vlan show
port    vlan ids
eth1         1 PVID Egress Untagged

Bridge   1 PVID Egress Untagged

ubuntu@ubuntu:~/$

也能夠刪除默認vlan 1

ubuntu@ubuntu:~/$ sudo bridge vlan del vid 1 dev enp4s0f0 master
ubuntu@ubuntu:~/$ sudo bridge vlan show
port    vlan ids
enp129s0f0np0
enp129s0f1np1
enp4s0f0         100

Bridge   1 PVID Egress Untagged
         100

ubuntu@ubuntu:~/$ sudo bridge vlan del vid 1 dev Bridge self
ubuntu@ubuntu:~/$ sudo bridge vlan show
port    vlan ids
enp4s0f0         100

Bridge   100

ubuntu@ubuntu:~/$

2.實驗

2.1 ubuntu配置

ubuntu@ubuntu:~/$ sudo ip link add Bridge up type bridge vlan_filtering 1
ubuntu@ubuntu:~/$ sudo ip link set eth1 master Bridge
ubuntu@ubuntu:~/$ sudo bridge vlan add vid 100 dev Bridge self
ubuntu@ubuntu:~/$ sudo bridge vlan add vid 100 dev eth1 master
ubuntu@ubuntu:~/$ sudo ip link add link Bridge name Vlan100 up type vlan id 100 
ubuntu@ubuntu:~/$ sudo ip addr add 10.0.2.1/24 dev Vlan100
ubuntu@ubuntu:~/$ sudo bridge vlan show
port    vlan ids
eth1         1 PVID Egress Untagged
         100

Bridge   1 PVID Egress Untagged
         100

ubuntu@ubuntu:~/$

2.2 交換機配置

SWITCH# exit
SWITCH> enable 
SWITCH# show vlan
+-----------+--------------+---------+----------------+-----------------------+
| VLAN ID   | IP Address   | Ports   | Port Tagging   | DHCP Helper Address   |
+===========+==============+=========+================+=======================+
+-----------+--------------+---------+----------------+-----------------------+
SWITCH# configure terminal 
SWITCH(config)# vlan 100
SWITCH(config)# interface eth25GE 47
SWITCH(config-if)# switchport mode 
access  trunk   
SWITCH(config-if)# switchport mode trunk 
SWITCH(config-if)# switchport trunk allowd vlan add 100
SWITCH(config-if)# exit
SWITCH(config)# interface vlan 100
SWITCH(config-if)# ip address 10.0.2.2/24
Add Vlan100 into default VRF
SWITCH(config-if)#

2.3 互ping

SWITCH(config-if)# do ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=0.196 ms
64 bytes from 10.0.2.1: icmp_seq=2 ttl=64 time=0.219 ms
64 bytes from 10.0.2.1: icmp_seq=3 ttl=64 time=0.150 ms
^C
SWITCH(config-if)# 
--- 10.0.2.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2032ms
rtt min/avg/max/mdev = 0.150/0.188/0.219/0.030 ms
SWITCH(config-if)# 
ubuntu@ubuntu:~/$ ping 10.0.2.2
PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
64 bytes from 10.0.2.2: icmp_seq=1 ttl=64 time=0.308 ms
64 bytes from 10.0.2.2: icmp_seq=2 ttl=64 time=0.245 ms
64 bytes from 10.0.2.2: icmp_seq=3 ttl=64 time=0.262 ms
^C
--- 10.0.2.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2031ms
rtt min/avg/max/mdev = 0.245/0.271/0.308/0.032 ms
ubuntu@ubuntu:~/$