VLAN basics

Linux VLAN configuration and implementation explained
This article looks at how Linux implements VLANs, how they are configured, and how they work at the protocol level. It covers the two tagging standards, 802.1q and ISL, and explains what VLANs do on the two kinds of network connection, access and trunk.


1 man page

NAME
       vconfig - VLAN (802.1q) configuration program.

SYNOPSIS
       vconfig [lots of long options]

DESCRIPTION
       The vconfig program allows you to create and remove vlan-devices on a vlan enabled kernel. Vlan-devices are virtual ethernet devices which
       represent the virtual lans on the physical lan.

OPTIONS
       add [interface-name] [vlan-id]
              Creates a vlan-device on [interface-name]. The resulting vlan-device will be called according to the naming convention set.

       rem [vlan-device]
              Removes the named vlan-device.

       set_flag [vlan-device] 0 | 1
              When 1 (the default since 2.6.18), ethernet header reorders are turned on.  Dumping the device will appear  as  a  common  ethernet  device
              without  vlans.  When  0 however, ethernet headers are not reordered, which results in vlan tagged packets when dumping the device. Usually
              the default gives no problems, but some packet filtering programs might have problems with it.


       set_egress_map [vlan-device] [skb-priority] [vlan-qos]
              This flags that outbound packets with a particular skb-priority should be tagged with the particular vlan priority  vlan-qos.  The  default
              vlan priority is 0.


       set_ingress_map [vlan-device] [skb-priority] [vlan-qos]
              This  flags  that  inbound  packets with the particular vlan priority vlan-qos should be queued with a particular skb-priority. The default
              skb-priority is 0.


       set_name_type VLAN_PLUS_VID | VLAN_PLUS_VID_NO_PAD | DEV_PLUS_VID | DEV_PLUS_VID_NO_PAD
              Sets the way vlan-device names are created. Use vconfig without arguments to see the different formats.


NOTES
       VLAN will use Broadcom's NICE interface when the network device supports it. This is necessary, since usually the hardware of these devices
       already removes the vlan tag from the ethernet packet. The set_flag option on vlan-devices created on such a physical network device will
       be ignored. Dumping the network-device will show only untagged (non-vlan) traffic, and dumping the vlan-devices will only show traffic
       intended for that vlan, without the tags.

FILES
       /proc/net/vlan/config
       /proc/net/vlan/[vlan-device]



2 vlan


Linux vlan implementation

See also http://www.candelatech.com/~greear/vlan.html Candelatech's page.


1. What are vlans ?

VLANs are a way to split up a layer 2 broadcast domain into multiple broadcast domains, each identified by a number (the VLAN ID, 1-4094; the 12-bit field allows 0-4095, but those two values are reserved). Hosts in different VLANs are not able to talk to each other without passing through another device first (such as a router or firewall). VLANs allow you to create multiple separated networks with only a single switch.

To make a Linux host present on multiple VLANs over a single physical interface (for example so that it can route between them), you need the kernel's VLAN support. All frames come in over the single interface, but they are delivered to "VLAN sub-interfaces", one per VLAN, where they can be firewalled, routed, or handled like traffic on any other interface.

In a vlan-capable network there are 2 types of connections :
         "access" connections and
         "trunk" connections.

Simply put, an access connection looks like a normal connection to an Ethernet switch, except that the switch will only forward your frames within the port's VLAN, so they cannot reach ports that are in a different VLAN.
"Trunk" ports carry multiple VLANs, but every frame on them has to carry a tag saying which VLAN it belongs to, so the switch knows where to forward it. On these links you use the Linux VLAN support to create one virtual interface per VLAN.


2. Two standards

There are 2 ways of doing vlans in networks : 802.1q and ISL. ISL came first, and was a cisco proprietary protocol that they built into their switches while the dot1Q standard was still in development. Only cisco switches support this protocol, and linux does not. 802.1q is a standard specifying how it can be implemented, what the packet format is, ... You can find it here http://www.cisco.com/warp/public/473/741_4.html.


2.1 ISL

Not covered here. See http://www.cisco.com/warp/public/473/741_4.html


2.2 802.1q

A VLAN-tagged frame differs from a normal Ethernet (802.3) frame in the fields inserted between the source MAC address and the type field:

Field                          Normal Ethernet frame (IP)           802.1Q tagged frame
Preamble + start delimiter     7 x 10101010, then 10101011          same
Destination MAC address        00:10:C6:C0:61:CD                    00:10:C6:C0:61:CD
Source MAC address             00:13:CE:47:06:86                    00:13:CE:47:06:86
dot1q identifier (TPID)        not present                          0x8100
tag priority + DEI (4 bits)    not present                          QoS bits: 3-bit priority, 1-bit drop-eligible flag (originally CFI)
VLAN ID (12 bits)              not present                          VLAN ID
packet type field              0x0800                               0x0800
data                           <IP packet>                          <IP packet>
padding                        <only if the frame is too small>     <only if the frame is too small>
FCS                            <checksum>                           <checksum>

So VLAN frames can be identified by their type field, which is set to 0x8100; the four tag bytes sit between the source MAC and the original type field. If the frame is to be received, the VLAN tag has to be stripped from the frame and the second type field (0x0800 above) interpreted as usual. It is possible to insert multiple VLAN tags (802.1ad, "QinQ", usually with an outer type of 0x88A8); at the time of writing Linux did not support this and many devices still do not, although Linux kernels from 3.10 onwards do (search for Cisco's dot1q tunnel implementation for the switch side).
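As an added example (not code from the original page), the following C program parses the header layout in the table above: it reads the destination and source MAC, then consumes 802.1Q tags for as long as the type field announces one, splitting each 16-bit tag control field into the 3-bit priority, the drop-eligible bit and the 12-bit VLAN ID, and finally reports the inner type field and where the payload starts. It goes slightly beyond the text by also accepting an 802.1ad outer tag (type 0x88A8), so a stacked QinQ frame decodes to two tags, and by rejecting frames cut off inside a tag. The sample frames are constructed here with the MAC addresses from the table and a stand-in payload; none of it is real captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Type-field values that announce a VLAN tag: 0x8100 is the 802.1Q C-tag from
 * the table above, 0x88A8 the 802.1ad S-tag used for stacked ("QinQ") tags. */
#define TPID_8021Q    0x8100
#define TPID_8021AD   0x88A8
#define MAX_VLAN_TAGS 2

struct vlan_tag {
    uint16_t tpid;   /* which tag type introduced this tag */
    uint8_t  pcp;    /* 3-bit priority (the "QoS bits") */
    uint8_t  dei;    /* 1-bit drop-eligible indicator (originally CFI) */
    uint16_t vid;    /* 12-bit VLAN ID */
};

struct parsed_frame {
    uint8_t  dst[6];
    uint8_t  src[6];
    int      ntags;
    struct vlan_tag tags[MAX_VLAN_TAGS];  /* outermost tag first */
    uint16_t ethertype;    /* type of the payload after all tags, e.g. 0x0800 */
    size_t   payload_off;  /* offset of the payload inside the frame */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the header: MACs, then as many 4-byte tags as the type field announces.
 * Returns 0 on success, -1 if the frame is truncated or carries too many tags. */
int parse_ethernet(const uint8_t *f, size_t len, struct parsed_frame *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14) return -1;                 /* not even an untagged header */
    memcpy(out->dst, f, 6);
    memcpy(out->src, f + 6, 6);
    size_t off = 12;                         /* offset of the (first) type field */
    uint16_t type = be16(f + off);
    while (type == TPID_8021Q || type == TPID_8021AD) {
        if (out->ntags == MAX_VLAN_TAGS) return -1;
        if (len < off + 6) return -1;        /* need the TCI plus the next type field */
        uint16_t tci = be16(f + off + 2);
        struct vlan_tag *t = &out->tags[out->ntags++];
        t->tpid = type;
        t->pcp  = (uint8_t)(tci >> 13);
        t->dei  = (uint8_t)((tci >> 12) & 1);
        t->vid  = tci & 0x0FFF;
        off += 4;                            /* a tag is TPID(2) + TCI(2) */
        type = be16(f + off);
    }
    out->ethertype   = type;
    out->payload_off = off + 2;
    return 0;
}

/* Constructed sample frames (not captured traffic). MACs are the ones from the
 * table; the payload is the first four bytes of an IPv4 header as a stand-in. */
static const uint8_t FRAME_PLAIN[] = {
    0x00,0x10,0xC6,0xC0,0x61,0xCD, 0x00,0x13,0xCE,0x47,0x06,0x86,
    0x08,0x00,                           /* type: IPv4 */
    0x45,0x00,0x00,0x14 };
static const uint8_t FRAME_TAGGED[] = {
    0x00,0x10,0xC6,0xC0,0x61,0xCD, 0x00,0x13,0xCE,0x47,0x06,0x86,
    0x81,0x00, 0xA3,0x2A,                /* 802.1Q tag: PCP 5, DEI 0, VID 810 */
    0x08,0x00,
    0x45,0x00,0x00,0x14 };
static const uint8_t FRAME_QINQ[] = {
    0x00,0x10,0xC6,0xC0,0x61,0xCD, 0x00,0x13,0xCE,0x47,0x06,0x86,
    0x88,0xA8, 0x00,0x64,                /* outer 802.1ad S-tag: VID 100 */
    0x81,0x00, 0xA3,0x2A,                /* inner 802.1Q C-tag: PCP 5, VID 810 */
    0x08,0x00,
    0x45,0x00,0x00,0x14 };

static void describe(const char *name, const uint8_t *f, size_t len)
{
    struct parsed_frame p;
    if (parse_ethernet(f, len, &p) != 0) { printf("%s: malformed\n", name); return; }
    printf("%s: %d tag(s), payload type 0x%04x at offset %zu\n",
           name, p.ntags, p.ethertype, p.payload_off);
    for (int i = 0; i < p.ntags; i++)
        printf("  tag %d: tpid 0x%04x pcp %u dei %u vid %u\n",
               i, p.tags[i].tpid, p.tags[i].pcp, p.tags[i].dei, p.tags[i].vid);
}

int main(void)
{
    describe("plain ", FRAME_PLAIN,  sizeof FRAME_PLAIN);
    describe("tagged", FRAME_TAGGED, sizeof FRAME_TAGGED);
    describe("qinq  ", FRAME_QINQ,   sizeof FRAME_QINQ);
    describe("trunc ", FRAME_TAGGED, 16);   /* cut off inside the tag: rejected */
    return 0;
}
```

A capture or filter tool that stops at the first type field would classify the tagged frame as "type 0x8100" and never reach the IP header; the loop above is the extra interpretation step the text refers to.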


3. How does it work on a protocol level ?

For VLAN support a special type of Ethernet frame was created. It basically has an extra header that says which VLAN the frame belongs to. The switch uses it as follows:
-> for access ports, the switch assigns every incoming untagged frame to the port's configured VLAN (tagged frames arriving on an access port are dropped or ignored, depending on the switch), and frames leaving an access port have the tag removed
-> for trunk ports, the tag is supposed to be present on incoming frames. If it is not, the frame is assigned to the port's "native vlan". For that reason the native VLAN of a trunk should be one that carries no host traffic; otherwise any untagged frame on the trunk lands among those hosts.

So basically you have an ethernet frame containing tcp data :

Ethernet/IP/tcp/<data>

A frame received untagged on an access port and forwarded out a trunk port leaves the switch as:

Ethernet/VLAN/IP/tcp/<data>

On trunk ports the frame is expected to arrive in this full form already; when it is forwarded out an access port the VLAN header is removed again and the host sees the plain frame.


4. How does it work in the linux kernel for administration


4.1 The vconfig tool

Using the vconfig tool you can add a VLAN sub-interface. Say you have configured the switch port that eth0 is connected to as a trunk carrying VLANs 810 and 820. Then you can do

 vconfig add eth0 810
 vconfig add eth0 820

And two new interfaces will be defined, "eth0.810" and "eth0.820", which behave exactly like ordinary interfaces; it is as if they were connected to different networks, so you should use different IP subnets on them. (vconfig has since been deprecated in favour of the ip(8) tool from iproute2, whose "ip link ... type vlan" creates the same sub-interfaces; everything said here about the resulting devices still applies.)

You could also run a DHCP server on only one of these sub-interfaces, so that hosts on switch ports in that VLAN get addresses while hosts on ports in the other VLAN do not.

To enable routing between the different vlans, do :

 echo 1 > /proc/sys/net/ipv4/ip_forward

After which the devices on the network will be able to talk to each other, once they have a route to the other VLAN's subnet

 (on the client devices in an access port :)
 route add <network on other vlan> netmask <the netmask of the network> gw <the ip of the vlan router on the correct vlan>

After you do this on 2 devices, they should be able to ping each other. (Why two? The packets need to get from A->B and from B->A, so both sides need a route before ping will work; a default route pointing at the VLAN router's address on the host's own VLAN works just as well.)
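What vconfig does under the hood, as an added example rather than the page's or vconfig's own code: the 8021q module is driven through the SIOCSIFVLAN ioctl with a struct vlan_ioctl_args from <linux/if_vlan.h>. The program below builds the ADD_VLAN_CMD request for "vconfig add eth0 810" and "vconfig add eth0 820", the SET_VLAN_FLAG_CMD request for the header-reordering flag from the man page, and enables ip_forward, which is the sequence above minus the routes (those are added on the client devices with route or ip as shown). It rejects the reserved VLAN IDs 0 and 4095 and over-long device names before anything reaches the kernel. Issuing the requests needs CAP_NET_ADMIN and the 8021q module; without them the program prints the kernel's error and the request builders still run.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_vlan.h>   /* struct vlan_ioctl_args, ADD_VLAN_CMD, SET_VLAN_FLAG_CMD */
#include <linux/sockios.h>   /* SIOCSIFVLAN */

/* Fill the request that "vconfig add <dev> <vid>" sends. Returns 0, or -1 on
 * bad input. VID 0 and 4095 are reserved by 802.1Q, so only 1..4094 is accepted. */
int build_add_vlan(struct vlan_ioctl_args *req, const char *dev, int vid)
{
    memset(req, 0, sizeof *req);
    if (vid < 1 || vid > 4094) return -1;
    if (strlen(dev) >= sizeof req->device1) return -1;   /* device1 holds 24 bytes */
    req->cmd = ADD_VLAN_CMD;
    strcpy(req->device1, dev);
    req->u.VID = vid;
    return 0;
}

/* Fill the request behind "vconfig set_flag <vlan-dev> 1 <0|1>": u.flag selects the
 * REORDER_HDR bit and vlan_qos carries its new value, as vconfig itself does. */
int build_set_reorder_hdr(struct vlan_ioctl_args *req, const char *vlan_dev, int on)
{
    memset(req, 0, sizeof *req);
    if (strlen(vlan_dev) >= sizeof req->device1) return -1;
    req->cmd = SET_VLAN_FLAG_CMD;
    strcpy(req->device1, vlan_dev);
    req->u.flag = VLAN_FLAG_REORDER_HDR;
    req->vlan_qos = on ? 1 : 0;
    return 0;
}

/* Hand the request to the 8021q module. Needs CAP_NET_ADMIN; returns 0 or -errno. */
int vlan_ioctl(struct vlan_ioctl_args *req)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -errno;
    int rc = ioctl(fd, SIOCSIFVLAN, req) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* The C equivalent of "echo 1 > /proc/sys/net/ipv4/ip_forward". Returns 0 or -errno. */
int enable_ip_forward(void)
{
    int fd = open("/proc/sys/net/ipv4/ip_forward", O_WRONLY);
    if (fd < 0) return -errno;
    int rc = write(fd, "1", 1) == 1 ? 0 : -errno;
    close(fd);
    return rc;
}

int main(void)
{
    struct vlan_ioctl_args req;
    int vids[] = { 810, 820 };               /* the VLANs used in the text */
    for (size_t i = 0; i < 2; i++) {
        if (build_add_vlan(&req, "eth0", vids[i]) != 0) return 1;
        int rc = vlan_ioctl(&req);
        printf("add eth0.%d: %s\n", vids[i], rc ? strerror(-rc) : "ok");
    }
    if (build_set_reorder_hdr(&req, "eth0.810", 1) != 0) return 1;
    int rc = vlan_ioctl(&req);
    printf("set_flag eth0.810 reorder_hdr=1: %s\n", rc ? strerror(-rc) : "ok");
    rc = enable_ip_forward();
    printf("ip_forward: %s\n", rc ? strerror(-rc) : "ok");
    return 0;
}
```

Run as root on a Linux host that has eth0; each step prints ok or the kernel's error text (unprivileged, "Operation not permitted"). The builders are kept separate from the ioctl so that their input checks can be exercised without privileges.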


5. The kernel implementation


5.1 Packet reception

When a hardware driver receives a packet, it puts it into an sk_buff structure (defined in include/linux/skbuff.h) and sets the ->dev member to its own interface,
after which the packet is passed to netif_rx() or netif_receive_skb() (both in net/core/dev.c). So basically receiving a packet works like this:

 struct sk_buff *skb;
 skb = dev_alloc_skb(len);          /* allocate a buffer for a frame of len bytes */
 /* copy the received frame into skb->data and set skb->len */
 skb->dev = dev;                    /* the physical interface the frame arrived on */
 netif_rx(skb);                     /* hand it to the network stack */

When an interface receives a VLAN frame and the driver has VLAN acceleration (the hardware strips the tag and reports the VLAN ID separately), the call to netif_rx() is replaced by:

 vlan_hwaccel_rx(skb, vlan_group, vlan_tag)

which looks up the sub-interface for that VLAN ID in the vlan_group of the physical device, overwrites skb->dev with it, and passes the packet on to netif_rx(). Without acceleration the tag is still in the frame when it reaches the stack, and the 8021q module does the same lookup after reading the VLAN ID from the tag itself, stripping the tag if header reordering is enabled. (vlan_hwaccel_rx() belongs to older kernels; newer drivers record the tag on the skb with __vlan_hwaccel_put_tag() and call netif_receive_skb(), which does the lookup internally.)
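The receive path above, modelled in user space as an added example (illustrative code, not the kernel's own source): a vlan_group maps VLAN IDs to sub-interfaces the way the kernel does for each physical device, the software path reads the VLAN ID out of the tag and, when header reordering is on (set_flag 1 in the man page above), slides the MAC addresses over the tag so the sub-interface sees a plain Ethernet frame, and the hardware-accelerated path receives the VLAN ID out of band. The struct names mirror the kernel's but are cut down to the fields the example needs; the frame and the sub-interface names eth0.810 / eth0.820 are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VLAN_N_VID 4096
#define TPID_8021Q 0x8100

/* Stand-in for the kernel's net_device: only a name is needed here. */
struct net_device { const char *name; };

/* Per-physical-device table VID -> VLAN sub-device, as the kernel's vlan_group.
 * NULL means no sub-interface was created for that VID. */
struct vlan_group { struct net_device *vlan_devices[VLAN_N_VID]; };

/* The three sk_buff fields this example uses (the real struct is much larger). */
struct sk_buff {
    struct net_device *dev;   /* interface the frame is attributed to */
    uint8_t *data;            /* start of the frame */
    size_t   len;             /* bytes from data to the end of the frame */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Software path: the tag is still in the frame. Reads the VID from the TCI at
 * offset 14 and, if reorder_hdr is set, removes the 4-byte tag so the frame looks
 * like plain Ethernet on the sub-device. Returns 0 if delivered, -1 if dropped. */
int vlan_skb_recv(struct sk_buff *skb, struct vlan_group *grp, int reorder_hdr)
{
    if (skb->len < 18 || be16(skb->data + 12) != TPID_8021Q) return -1;  /* not tagged */
    uint16_t vid = be16(skb->data + 14) & 0x0FFF;
    struct net_device *vdev = grp->vlan_devices[vid];
    if (!vdev) return -1;                      /* no eth0.<vid> configured: drop */
    skb->dev = vdev;                           /* the sub-interface now owns the packet */
    if (reorder_hdr) {
        memmove(skb->data + 4, skb->data, 12); /* slide dst+src MAC over the tag */
        skb->data += 4;
        skb->len  -= 4;
    }
    return 0;
}

/* Hardware-accelerated path: the NIC already stripped the tag and reports the
 * TCI out of band, so only the lookup remains. */
int vlan_hwaccel_rx(struct sk_buff *skb, struct vlan_group *grp, uint16_t vlan_tci)
{
    struct net_device *vdev = grp->vlan_devices[vlan_tci & 0x0FFF];
    if (!vdev) return -1;
    skb->dev = vdev;
    return 0;
}

/* Constructed devices and frame for the demonstration. */
static struct net_device ETH0     = { "eth0" };
static struct net_device ETH0_810 = { "eth0.810" };
static struct net_device ETH0_820 = { "eth0.820" };
static const uint8_t FRAME_810[] = {           /* tagged for VLAN 810, IPv4 payload stub */
    0x00,0x10,0xC6,0xC0,0x61,0xCD, 0x00,0x13,0xCE,0x47,0x06,0x86,
    0x81,0x00, 0x03,0x2A, 0x08,0x00, 0x45,0x00,0x00,0x14 };

/* State after "vconfig add eth0 810" and "vconfig add eth0 820". */
void setup_group(struct vlan_group *g)
{
    memset(g, 0, sizeof *g);
    g->vlan_devices[810] = &ETH0_810;
    g->vlan_devices[820] = &ETH0_820;
}

/* Copy a frame into a writable buffer and wrap it as an skb that arrived on eth0. */
void make_skb(struct sk_buff *skb, uint8_t *buf, const uint8_t *frame, size_t len)
{
    memcpy(buf, frame, len);
    skb->dev = &ETH0; skb->data = buf; skb->len = len;
}

int main(void)
{
    struct vlan_group grp;
    struct sk_buff skb;
    uint8_t buf[64];
    setup_group(&grp);
    for (int reorder = 1; reorder >= 0; reorder--) {
        make_skb(&skb, buf, FRAME_810, sizeof FRAME_810);
        if (vlan_skb_recv(&skb, &grp, reorder) == 0)
            printf("reorder_hdr=%d: delivered to %s, type field now 0x%04x, len %zu\n",
                   reorder, skb.dev->name, be16(skb.data + 12), skb.len);
    }
    make_skb(&skb, buf, FRAME_810, sizeof FRAME_810);
    printf("hwaccel TCI 0xA32A: %s\n",
           vlan_hwaccel_rx(&skb, &grp, 0xA32A) == 0 ? skb.dev->name : "dropped");
    return 0;
}
```

With reorder_hdr set the sub-interface (and anything dumping it) sees a frame whose type field is 0x0800 again, which is why the man page says the device "will appear as a common ethernet device without vlans"; with it clear the 0x8100 tag stays in place, and a frame for a VID without a sub-interface is dropped in this model.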
