Page MenuHomeVyOS Platform

Add support for VLAN-Aware bridges


Newer linux kernels have gotten support for vlan aware bridges, that also support tagged and untagged switchports

Implementing this into vyos should be quite easy as there's not allot of parameteres to fiddle with to get this working.
I've implemented an example for this in that has the basic implementation for it. but for the moment does not have any safety-checks in place in the configuration scripts, and are also missing the op-mode scripts to get information out of the bridge.

As this is a extension of the interface bridge implementations existing today it is implemented in the old style syntax for cfg-mode templates, op-mode is a decision point if they should be implemented in the new or old style. if they are implemented in the old-style syntax all scripts has to be made in python and follow the new-style layout.

Enable vlan-aware bridge

interfaces {
  bridge br0 {

This will activate vlan awareness for the bridge. from this point on everything will be blocking on members until the phy interface is configured with vlan information. it sets the vlan_filtering option the bridge to 1

Creating Vlan L3 interfaces

interfaces {
  bridge br0 {
    vif 3 {

This is done exactly like on ethernet and bonding, it creates a vlan subinterface with the .1q tag specified in the vif statement
it is created as a normal br0.3 interface of the type vlan linked to the interface br0.
In the same step the vlan-awareness is added on the bridge so that traffic is accepted into this bridge vlan interface.

technically in the backend there is no connection between the vlan id and the sub-interface-id, but in vyos this is fixed to the same value.

Adding bridge on ethernet interface
to add this interface to a physical interface two new parameters are added to specify tagging and untagged vlan on the bridge interface.

interfaces {
  ethernet eth0 {
    bridge-group {
      bridge br0
      native-vlan 1
      tagged-vlan 2
      tagged-vlan 3

native-vlan and tagged-vlan here adds the bindings to the correct vlan inside the bridge.


  • For not this is only implemented on physical ethernet interface, but there might be other places it needs to be implemented.
  • There is for now no op-mode changes, op-mode scripts for getting vlan/mac tables needs to be created for a full implementation.
  • As linux does not have a native understanding of vlans as eg. cisco and juniper switches do, you don't create a vlan in itself, but the vlan is created when the first binding to it is created on a interface. it might be that its better to create a list of "allowed" vlans on the br interface where you can name interfaces and so on.. that also makes it posible to make a tagged-vlan all on the physical interfaces to make it tag all created vlans. i've not decided on the best thing to do here yet.
  • There needs to be created checks so that the user don't configure ip parameters on the br interface itself when in vlan-aware mode. because when in this mode all ip parameters are configured inside the vlan submode (also for the native/pvid vlan) (this needs to be verified, but is at the moment my understanding)
  • you are able to create a brX vif Y interface without enabling vlan-aware bridge.. but that should not be supported. and a check has to be made to check that no vifs exists if vlan support is disabled.. and check for vlan-awareness on creation of a vif
  • The current implementation only adds the options needed for the basic implementation in vyatta-cfg-system, to get a working solution vyatta-quagga, vyatta-firewall, vyatta-cfg-qos and vyatta-ipv6-rtradv needs to be extended to create templates for these interfaces.

As a side not this is a router acting as a switch not a switch acting as a router and the switch part will not function exactly as on commercial switches.

This is a new feature it could potentially be merged back to crux, but i'm developing it for current and it's not my choice if this will be back-ported.

if anyone else wants to contribute to this you are all welcome to create PR's against my branch for now.
I'm also interested in comments and other input on this before i create a PR on current.


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close

Event Timeline

runar created this task.Apr 25 2019, 10:40 AM
runar updated the task description. (Show Details)Apr 25 2019, 10:51 AM

Added a sidenote about switching on router and routing on switch

runar updated the task description. (Show Details)Apr 25 2019, 11:01 AM

added not on old-style cfg-mode templates

kmpm added a subscriber: kmpm.Apr 25 2019, 12:16 PM
pasik added a subscriber: pasik.Apr 28 2019, 9:58 AM
syncer assigned this task to runar.Aug 31 2019, 12:41 AM
syncer triaged this task as Normal priority.
syncer removed a project: VyOS 1.2 Crux.
maznu added a subscriber: maznu.Sep 23 2019, 3:39 PM
runar added a comment.Dec 5 2019, 7:21 PM

There have been some time since i've managed to work on this now, and in the mean-time the whole ethernet/bridge sertup have been rewritten into python, so i need to restart my work on this implementation , also the bridge membership part is moved around in the cli so information in this ticket is out-of-sync with the current implementation and needs to be rethinked

jjakob awarded a token.Dec 5 2019, 7:42 PM
jjakob added a subscriber: jjakob.