Changes between Initial Version and Version 1 of linux/vlan

Timestamp:

10/22/2017 05:28:45 AM (7 years ago)

Author:

trac

Comment:

--

linux/vlan

@@ +1 @@
+[[PageOutline]]
+
+= VLANs =
+[https://en.wikipedia.org/wiki/IEEE_802.1Q IEEE 802.1Q IEEE 802.1Q] is the networking standard that supports Virtual LANs (VLANs) on an Ethernet network (Layer 3 networking).
+
+The advantages of a VLAN are:
+ * increased switching efficiency
+ * network segmentation
+ * security
+ * trunks
+ * ability to sub-divide a LAN for security purposes
+
+In order to use VLAN's you need:
+ 1. a switch that supports IEEE 802.1Q
+ 2. a NIC (Network Interface Card) that supports 802.1Q (Not all network drivers support VLAN)
+ 3. 802.1Q support in the kernel (8021q module, CONFIG_VLAN_8021Q)
+
+VLANs work by applying a '''tag''' to each frame (which increases the header size by 4 bytes). The tag contains an 'ID' and a 'prority'. The priority can be used for a quality of service (QoS) scheme known IEEE 802.1p.
+
+Only portions of a network which are VLAN-aware (802.1Q compliant) can include VLAN tags - traffic on other segments (802.1D conformant) will not contain tags. When a frame enters the VLAN-aware portion a tag is added to denote the VLAN info (membership etc).
+
+In general, you add a VLAN tag to a network port (on a managed switch, for example), and that switch port will drop all packets that don't have the specified VLAN ID, while allowing those with the appropriate VLAN ID to continue on.
+
+Here is an image showcasing a potential use case for VLANs:
+
+[[Image(http://wiki.mikrotik.com/images/9/9a/Image12005.gif)]]
+
+Generally speaking, VLAN tagging is done on a switch basis, though you can also use Linux to listen to VLAN tagged packets on interface devices.
+
+== Linux VLAN support ==
+The Linux network layer supports VLAN if built with CONFIG_VLAN_8021Q. To create a VLAN you need to slave it off a physical interface port. Note that the physical interface will still accept 'un-tagged' traffic, but only traffic matching the VLAN ID will be presented to the virtual interface.
+
+The Linux {{{ip}}} utility from the ip-route2 package allows the manipulation of the network stack on the Layer 3 network layer.
+
+Examples:
+ * use {{{ip link add}}} to create VLAN ID 5 slaved off physical interface eth0:
+{{{#!bash
+ip link add link eth0 name eth0.5 type vlan id 5
+ifconfig eth0.5 192.168.1.100 up
+}}}
+  - adds a 'link' object to the {{{eth0}}} nic with a name of {{{eth0.5}}} (the name can be anything but it is convention to use the <physical>.<id>)
+  - any packets leaving {{{eth0.5}}} will be tagged with VLAN ID #5
+  - only packets coming into {{{eth0}}} tagged with VLAN ID #5 will be presented to {{{eth0.5}}}
+ * use {{{ip link set}}} to re-configure the VLAN:
+{{{#!bash
+}}}
+ * use {{{ip link show}}} to show the sate of a VLAN:
+{{{#!bash
+$ ip -d link show eth0.5
+5: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
+    link/ether f8:bc:12:8c:23:21 brd ff:ff:ff:ff:ff:ff promiscuity 0
+    vlan protocol 802.1Q id 5 <REORDER_HDR>
+}}}
+  - {{{eth0.1@eth0}}} is using the IEEE 802.1Q standard with VLAN id 42.
+ * use tcpdump to show information when you receive a packet on this nic with the VLAN ID of 5:
+{{{#!bash
+tcpdump -i eth0 -Uw - | tcpdump -en -r - vlan 5
+}}}
+ * delete a VLAN interface:
+{{{#!bash
+ifconfig eth0 down
+ip link delete eth0.5
+}}}
+
+See [http://linux.die.net/man/8/ip ip(8)] or [https://access.redhat.com/sites/default/files/attachments/rh_ip_command_cheatsheet_1214_jcs_print.pdf here] for more info
+
+Alternatively the Linux {{{vconfig}}} (which is a bit older and deprecated) can be used as well.
+
+Examples:
+ * create VLAN ID 5 slaved off physical interface eth0:
+{{{#!bash
+vconfig add eth0 5
+ifconfig eth0.5 192.168.1.100 up
+}}}
+ * show info about a VLAN ID (older kernels only):
+{{{#!bash
+# cat /proc/net/vlan/config
+VLAN Dev name    | VLAN ID
+Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
+eth0.5         | 5  | eth0
+# cat /proc/net/vlan/eth0.5
+eth0.5  VID: 5   REORDER_HDR: 1  dev->priv_flags: 1
+         total frames received            4
+          total bytes received          252
+      Broadcast/Multicast Rcvd            0
+
+      total frames transmitted            8
+       total bytes transmitted          688
+Device: eth0
+INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
+ EGRESS priority mappings:
+}}}
+ * remove VLAN ID 5
+{{{#!bash
+vconfig rem eth0.5
+}}}
+
+See [http://linux.die.net/man/8/vconfig vconfig(8)] for more info
+
+
+[=#hardware]
+== Hardware Support ==
+Many Gateworks products have ethernet MAC's or switch devices that support VLAN tagging.
+
+[=#ventana]
+=== Ventana ===
+All on-board NIC's on Ventana boards support 802.1Q VLAN Tagging:
+ * Freescale FEC (eth0 on most boards)
+ * Marvell Sky2 (eth1 on GW54xx/GW53xx)
+ * Intel i210 (igb driver) (eth0 and eth1 on GW5520 and MAC on GW16083)
+
+The Ventana [wiki:ventana/expansion#GW16083Ethernetexpansionmezzanine GW16083 Ethernet Expansion Mezzanine] supports VLAN tagging in the OpenWrt BSP via [wiki:OpenWrt/swconfig swconfig] as well as DSA support.
+
+
+[=#laguna]
+=== Laguna ===
+The on-board NIC's on Laguna boards support 802.1Q VLAN Tagging.
+
+[=#ixp4xx]
+=== Avila / Cambria (ixp4xx) ===
+The Avila and Cambria products based off the Intel XScale processor support VLAN tagging as well but some software customatization is needed:
+ - make sure you have the ixp4xx-microcode package in your firmware
+ - edit build_dir/target-armeb_vrte*/IxNpeMicrocode?.h file:
+  - comment out IX_NPEDL_NPEIMAGE_NPEA_ETH_SPAN_FIREWALL_VLAN_QOS_HDR_CONV
+  - uncomment IX_NPEDL_NPEIMAGE_NPEA_ETH_LEARN_FILTER_SPAN_FIREWALL
+  - for more info see IxNpeMicrocode?.c:3348 'NPE FIRMWARE IMAGE'
+ - rebuild ixp4xx-microcode package and reinstall in /lib/firmware
+ - apparently switching to the ETH_LEARN_* firmware causes issues with bridging and STP so this isn't a 'fix' but a change based on use case. Likely needs more investigation
+
+For more info on IXP4xx VLAN see:
+ - ​http://lists.gateworks.com/avila/2010-September.txt
+​ - https://dev.openwrt.org/ticket/7945
+
+
+[=#openwrt]
+= OpenWrt VLAN support (swconfig) =
+OpenWrt has its own light-weight application and kernel driver that configures 'embedded switches' and supports per-port management including VLAN configuration. Being light-weight it does not represent each port as a network interface and thus you can not sun higher level protocols such as STP, LLDP, etc on a per-port basis (for that, see #dsa below).
+
+Please see our OpenWrt [wiki:OpenWrt/swconfig swconfig] page for more details.
+
+
+[=#dsa]
+= Linux Distributed Switch Architecture =
+The Linux Distributed Switch Architecture (DSA) is a framework for Ethernet Switch chips present on Embedded boards. When supported each external port of the switch is available as a Network Interface Card (NIC) such that higher level protocols can act at the port level.
+
+In other words each physical port on the switch becomes a network interface in Linux and this allows protocols such as STP, LLDP, etc to run at a port level.
+
+
+== GW16083 Ethernet Expansion Mezzanine ==
+The GW16083 Ethernet Expansion Mezzanine has DSA support in the latest Gateworks Yocto and OpenWrt BSPs.
+
+Note that while the MV88E6176 switch can tag/untag frames automatically according to VLAN configuration which does not require the CPU port to be 'up', if you need to do any other protocol level networking packets must enter the CPU and thus the cpu port needs to be 'up'. Typically the GW16083 PCI NIC routing to the CPU interface is the 2nd network interface (eth1).
+
+For example, a GW54xx + GW16083:
+{{{#!bash
+root@ventana:~# ls /sys/class/net/
+can0   eth0   eth1   eth2   lo     sit0   wlan0
+root@ventana:~# grep -H DRIVER=igb /sys/class/net/*/device/uevent
+/sys/class/net/eth1/device/uevent:DRIVER=igb
+root@ventana:~# ifconfig eth1 up
+[  233.512754] igb: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
+[  233.582674] igb 0000:06:00.0 eth1: igb PHY driver [MV88E6176] (mii_bus:phy_addr=0000:06:00.0-157:10)
+[  233.592314] 8021q: adding VLAN 0 to HW filter on device eth1
+root@ventana:~# [  234.494007] Distributed Switch Architecture driver version 0.1
+[  234.500007] eth1[0]: detected a Marvell 88E6176 switch
+[  234.583752] libphy: dsa slave smi: probed
+[  235.208987] MV88E6176 0000:06:00.0-157:10: registered GW16083 DSA switch
+
+root@ventana:~# ls /sys/class/net/
+can0   eth0   eth1   eth2   lan1   lan2   lan3   lan4   lan5   lan6   lo     sit0   wlan0
+}}}
+ * Notice how we use {{{grep -H DRIVER=igb /sys/class/net/*/device/uevent}}} to show which NIC belongs to the Intel I210 on the GW16083. Note that on a GW552x you will see three NIC's all using igb.
+ * Notice how until the Intel I210 on the GW16083 is brought up the lan1 - lan6 NIC's are not present
+ * The lan numbering matches the silkscreen. Please refer to the following table:
+||= Connector =||= Silkscreen =||= DSA Name =||
+|| J7          || Ethernet1    || lan1       ||
+|| J8          || Ethernet2    || lan2       ||
+|| J9          || Ethernet3    || lan3       ||
+|| J10         || Ethernet4    || lan4       ||
+|| J3/J4       || Ethernet5    || lan5       ||
+|| J2/J4       || Ethernet6    || lan6       ||
+
+OpenWrt BSP Notes:
+ * Note that on OpenWrt by default the 2nd NIC on a GW552x/GW53xx/GW54xx is configured as the {{{wan}}} interface and brought up with dhcp running on it. If you want to use dhcp you will want to run it on a port interface instead (ie lan1 through lan6)
+ * On boards with a single on-board NIC (ie GW51xx/GW52xx) you will need to bring eth1 up manually before you can see lan1 - lan6 (or configure it to come up via OpenWrt's network configuration)