Newer linux kernels have gotten support for vlan aware bridges, that also support tagged and untagged switchports
Implementing this into vyos should be quite easy as there's not allot of parameteres to fiddle with to get this working.
I've implemented an example for this in http://github.com/runborg/vyatta-cfg-system/ that has the basic implementation for it. but for the moment does not have any safety-checks in place in the configuration scripts, and are also missing the op-mode scripts to get information out of the bridge.
**Enable vlan-aware bridge**
```
interfaces {
bridge br0 {
vlan-aware
}
}
```
This will activate vlan awareness for the bridge. from this point on everything will be blocking on members until the phy interface is configured with vlan information. it sets the `vlan_filtering` option the bridge to 1
**Creating Vlan L3 interfaces**
```
interfaces {
bridge br0 {
vif 3 {
address 10.0.0.1/24
....
}
}
}
```
This is done exactly like on `ethernet` and `bonding`, it creates a vlan subinterface with the .1q tag specified in the `vif` statement
it is created as a normal `br0.3` interface of the type `vlan` linked to the interface `br0`.
In the same step the vlan-awareness is added on the bridge so that traffic is accepted into this bridge vlan interface.
technically in the backend there is no connection between the vlan id and the sub-interface-id, but in vyos this is fixed to the same value.
**Adding bridge on ethernet interface**
to add this interface to a physical interface two new parameters are added to specify tagging and untagged vlan on the bridge interface.
```
interfaces {
ethernet eth0 {
bridge-group {
bridge br0
native-vlan 1
tagged-vlan 2
tagged-vlan 3
}
}
}
```
`native-vlan` and `tagged-vlan` here adds the bindings to the correct vlan inside the bridge.
**Improvements**
- For not this is only implemented on physical ethernet interface, but there might be other places it needs to be implemented.
- There is for now no op-mode changes, op-mode scripts for getting vlan/mac tables needs to be created for a full implementation.
- As linux does not have a native understanding of vlans as eg. cisco and juniper switches do, you don't create a vlan in itself, but the vlan is created when the first binding to it is created on a interface. it might be that its better to create a list of "allowed" vlans on the `br` interface where you can name interfaces and so on.. that also makes it posible to make a `tagged-vlan all` on the physical interfaces to make it tag all created vlans. i've not decided on the best thing to do here yet.
- There needs to be created checks so that the user don't configure ip parameters on the `br` interface itself when in vlan-aware mode. because when in this mode all ip parameters are configured inside the vlan submode (also for the native/pvid vlan) (this needs to be verified, but is at the moment my understanding)
- you are able to create a `brX vif Y` interface without enabling vlan-aware bridge.. but that should not be supported. and a check has to be made to check that no vifs exists if vlan support is disabled.. and check for vlan-awareness on creation of a vif
- The current implementation only adds the options needed for the basic implementation in `vyatta-cfg-system`, to get a working solution `vyatta-quagga`, `vyatta-firewall`, `vyatta-cfg-qos` and `vyatta-ipv6-rtradv` needs to be extended to create templates for these interfaces.
if anyone else wants to contribute to this you are all welcome to create PR's against my branch for now
As a side not this is a **router acting as a switch** not a **switch acting as a router** and the switch part will not function exactly as on commercial switches.
This is a new feature it could potentially be merged back to crux, but i'm developing it for current and it's not my choice if this will be back-ported.
as this is a new feature it could potentially be merged back to crux, but i'm developing it for current and it's not my choice if this will be back-ported.
I'mif anyone else wants to contribute to this you are all welcome to create PR's against my branch for now.
I'm also interested in comments and other input on this before i create a PR on current.