Asymmetric VLANs with Linux

Asymmetric VLANs can be useful under certain circumstances, for example to isolate some class of ports from each other while allowing them to talk to a central server. One example of that might be a hotel network, where the network endpoints in each customer’s hotel room should not be able to talk to each other, but all rooms need to talk to a central hotel server.

What we mean by asymmetric VLAN here is that a different VLAN ID is used for each direction of traffic, e.g. VLAN ID 2001 is used for transmission to all isolated hosts (i.e. hotel rooms), while VLAN ID 2002 is used for all traffic back from the isolated hosts (hotel rooms).

Typically endpoints on a VLAN network do not need to understand VLAN tags but, under certain circumstances (particularly in switching equipment), you might find that you have a Linux host that needs to communicate on these two VLANs and treat them as a single network. Linux must, therefore, be configured to send packets on one VLAN ID (e.g. 2001) and receive packets on a different VLAN ID (e.g. 2002), but treat them as the same physical network. This can be achieved on Linux using 802.1Q / VLAN and bonding support from the kernel.

On Linux we create two virtual interfaces, one for each VLAN/VID direction (e.g. eth0.2001 and eth0.2002). We then bond them together to create a new virtual device (e.g. vlanb0). All packets are transmitted using one VID, and received via the other. The individual VLAN interfaces (e.g. eth0.2002) only ever see packets go in one direction, but they are bonded together in vlanb0 which is the main interface on which we set our IP address.

We use the active-backup bonding mode with a primary interface to specify the VLAN used for transmission. We also enable all_slaves_active so that packets are allowed in via the receiving interface (typically by default this is off, and we can only receive packets via the active/primary interface).

Note: all instructions are run as root.

Ensure bonding and 802.1Q VLAN modules are loaded:

# modprobe bonding
# modprobe 8021q

Create VLAN interfaces:

# vconfig add eth0 2001
# vconfig add eth0 2002

Create our virtual bonded interface:

# echo +vlanb0 > /sys/class/net/bonding_masters

Put the bond into active-backup mode, which makes one interface (our transmission-direction VID) the one used for transmission:

# ifconfig vlanb0 down
# echo active-backup > /sys/class/net/vlanb0/bonding/mode
# ifconfig vlanb0 up

Bond our two unidirectional VLAN interfaces to the virtual vlanb0 interface:

# ifconfig eth0.2001 down
# ifconfig eth0.2002 down
# echo +eth0.2001 > /sys/class/net/vlanb0/bonding/slaves
# echo +eth0.2002 > /sys/class/net/vlanb0/bonding/slaves

Specify which of the two VIDs should be used for sending on this end (could be 2001 or 2002):

# echo eth0.2001 > /sys/class/net/vlanb0/bonding/primary

Ensure that the other VLAN interface (the receive-only direction VID) is allowed to receive packets:

# echo 1 > /sys/class/net/vlanb0/bonding/all_slaves_active

Set the IP address for the network on the bonded interface:

# ifconfig vlanb0 192.168.188.1 netmask 255.255.255.0

You should now have a working interface vlanb0 which sends packets via eth0.2001 and receives packets via eth0.2002.
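
To confirm that the bond ended up in the state the steps above describe, the following added example (not part of the original article) reads the bonding attributes from sysfs and reports each setting that would break the asymmetric setup. The function names and the optional fourth argument, which overrides the sysfs root, are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an asymmetric-VLAN bond by reading its sysfs attributes.
# Usage: check_asym_bond vlanb0 eth0.2001 eth0.2002
# The optional 4th argument (an assumption of this example) overrides the
# sysfs root so the check can be run against a constructed directory tree.

attr() { cat "$1" 2>/dev/null || true; }      # read one attribute, "" if absent
fail() { echo "FAIL: $*" >&2; rc=1; }         # record a finding, keep checking

check_asym_bond() {
    bond=$1; tx=$2; rx=$3
    dir="${4:-/sys/class/net}/$bond/bonding"
    rc=0
    [ -d "$dir" ] || { echo "FAIL: $bond is not a bonding device" >&2; return 2; }

    # mode reads as "<name> <number>", e.g. "active-backup 1"
    mode=$(attr "$dir/mode"); mode=${mode%% *}
    [ "$mode" = "active-backup" ] || fail "mode is '$mode', expected active-backup"

    # Both unidirectional VLAN interfaces must be enslaved.
    slaves=" $(attr "$dir/slaves") "
    for ifc in "$tx" "$rx"; do
        case "$slaves" in
            *" $ifc "*) ;;
            *) fail "$ifc is not a slave of $bond" ;;
        esac
    done

    # primary selects the interface (and so the VID) used for transmission.
    primary=$(attr "$dir/primary")
    [ "$primary" = "$tx" ] || fail "primary is '$primary', expected $tx"

    # active_slave is the interface transmitting right now; it should match.
    active=$(attr "$dir/active_slave")
    [ "$active" = "$tx" ] || fail "active slave is '$active', expected $tx"

    # Without all_slaves_active=1, frames arriving on the backup (receive)
    # interface are dropped.
    asa=$(attr "$dir/all_slaves_active")
    [ "$asa" = "1" ] || fail "all_slaves_active is '$asa', expected 1"

    return "$rc"
}
```

The function returns 0 when every setting matches, 1 when at least one check fails, and 2 when the named device is not a bond.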
