Removing VLAN tag from outgoing broadcasts

Removing VLAN tag from outgoing broadcasts

[Michael Robinson]

I've set up a Linux (Ubuntu 10.04) server with multiple VLANs.
Routing is enabled for all interfaces.  The 'eth2' interface is
basically used as a VLAN trunk:

eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.190.2  Bcast:192.168.190.255  Mask:255.255.255.0
          inet6 addr: fe80::210:18ff:fe0a:ac42/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9247 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10952 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:955923 (955.9 KB)  TX bytes:1535021 (1.5 MB)
          Interrupt:17

eth2.2049 Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.101.1  Bcast:192.168.101.255  Mask:255.255.255.0
          inet6 addr: fe80::210:18ff:fe0a:ac42/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3853 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4721 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:246915 (246.9 KB)  TX bytes:504861 (504.8 KB)

eth2.2050 Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.102.1  Bcast:192.168.102.255  Mask:255.255.255.0
          inet6 addr: fe80::210:18ff:fe0a:ac42/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4437 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5311 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:463381 (463.3 KB)  TX bytes:730316 (730.3 KB)


The setup appears to work fine.  Now, for reasons beyond my control, I
must change the behavior so all outgoing broadcast/multicast packets
are sent untagged (regardless of their source).  I'm hoping that this
would be possible with ebtables, but not being very familiar with it
yet I was hoping for some guidance.  Is this possible?

Thanks,
-Mike

Re: Removing VLAN tag from outgoing broadcasts

[Gáspár Lajos]

Hi Mike,

2011-10-17 21:16 keltezéssel, Michael Robinson írta:
> I've set up a Linux (Ubuntu 10.04) server with multiple VLANs.
> Routing is enabled for all interfaces.  The 'eth2' interface is
> basically used as a VLAN trunk:

> The setup appears to work fine.  Now, for reasons beyond my control, I
> must change the behavior so all outgoing broadcast/multicast packets
> are sent untagged (regardless of their source).  I'm hoping that this
> would be possible with ebtables, but not being very familiar with it
> yet I was hoping for some guidance.  Is this possible?
I do not understand you...

If you remove the VLAN tags then how would your switch (or any other 
network device) know where/whom the packets belonging to?!?
There "must" be an untagged VLAN in your network... So every untagged 
packet will go that way... Every tagged packet will go to its own network...

You signal with the VLAN tag that you want to sent a packet to a network...

But maybe I am wrong... :D

Swifty

Re: Removing VLAN tag from outgoing broadcasts

[Michael Robinson]

(forgot to "reply all")

> I do not understand you...
>
> If you remove the VLAN tags then how would your switch (or any other network
> device) know where/whom the packets belonging to?!?
> There "must" be an untagged VLAN in your network... So every untagged packet
> will go that way... Every tagged packet will go to its own network...
>
> You signal with the VLAN tag that you want to sent a packet to a network...
>
> But maybe I am wrong... :D
>
> Swifty

> I do not understand you...
>
> If you remove the VLAN tags then how would your switch (or any other network
> device) know where/whom the packets belonging to?!?
> There "must" be an untagged VLAN in your network... So every untagged packet
> will go that way... Every tagged packet will go to its own network...
>
> You signal with the VLAN tag that you want to sent a packet to a network...
>
> But maybe I am wrong... :D
>
> Swifty

Thanks for the reply.  There is a native (untagged) VLAN on the trunk.
 It's the eth2 interface.  So if I understand you correctly, I need to
redirect the classified packets to the eth2 interface...is that
correct?  How is that specified in a rule?  Note, that I'm just
getting familiar with ebtables/iptables.

Thanks,
-Mike

Re: Removing VLAN tag from outgoing broadcasts

[Gáspár Lajos]

Hi Mike,

> Thanks for the reply.  There is a native (untagged) VLAN on the trunk.
>   It's the eth2 interface.  So if I understand you correctly, I need to
> redirect the classified packets to the eth2 interface...is that
> correct?  How is that specified in a rule?  Note, that I'm just
> getting familiar with ebtables/iptables.
>

I think I was not clear enough... :D

So, if you send out the packets without any VLAN tags then they will not 
be seen on your tagged VLANs...

Imagine the whole VLAN thing as the following:
- You can slice up your real LAN to smaller VLANs.. :D
- You can connect to these networks with only ONE cable... (From the 
switch's pov: this is a port.)
- On the port there may be many tagged VLANs...
- And there may be AN untagged VLAN... (Forget about "General ports" !!!)
- If the port is "Access port" then it can only send/receive to one 
untagged VLAN (The tagging is managed internally by the switch.)
- If the port is "Trunk port" then you can do the tagging magic... One 
untagged and many tagged VLANs on this port...

So far this is what you have...
Now if you want to remove the tags then let the switch do the job for you...
(AFAIK the switch will remove/insert the specific VLAN id of the packets 
if the port is an Access port...)

I would do this:
port 1 (you) : Trunk port, VLAN 1 untagged, VLAN 2049 tagged, VLAN 2050 
tagged
port 2 (network 2049) : Access port, VLAN 2049 untagged
port 3 (network 2050) : Access port, VLAN 2050 untagged


Maybe you can find more info in the 4th message in this topic:
http://homecommunity.cisco.com/t5/Switches/access-general-or-trunk-Tagged-or-not-Getting-desperate/td-p/161352

Swifty

Re: Removing VLAN tag from outgoing broadcasts

[Michael Robinson]

> I think I was not clear enough... :D
>
> So, if you send out the packets without any VLAN tags then they will not be
> seen on your tagged VLANs...
>
> Imagine the whole VLAN thing as the following:
> - You can slice up your real LAN to smaller VLANs.. :D
> - You can connect to these networks with only ONE cable... (From the
> switch's pov: this is a port.)
> - On the port there may be many tagged VLANs...
> - And there may be AN untagged VLAN... (Forget about "General ports" !!!)
> - If the port is "Access port" then it can only send/receive to one untagged
> VLAN (The tagging is managed internally by the switch.)
> - If the port is "Trunk port" then you can do the tagging magic... One
> untagged and many tagged VLANs on this port...
>
> So far this is what you have...
> Now if you want to remove the tags then let the switch do the job for you...
> (AFAIK the switch will remove/insert the specific VLAN id of the packets if
> the port is an Access port...)
>
> I would do this:
> port 1 (you) : Trunk port, VLAN 1 untagged, VLAN 2049 tagged, VLAN 2050
> tagged
> port 2 (network 2049) : Access port, VLAN 2049 untagged
> port 3 (network 2050) : Access port, VLAN 2050 untagged
>
>
> Maybe you can find more info in the 4th message in this topic:
> http://homecommunity.cisco.com/t5/Switches/access-general-or-trunk-Tagged-or-not-Getting-desperate/td-p/161352
>
> Swifty

Thanks for your patience.  I should provide more information.  My
current setup works as you describe.  eth2 is behaving as a trunk with
the two tagged VLANs and one native (untagged) VLAN.  I can connect to
a managed switch and separate the various VLAN traffic, including the
native "untagged" VLAN.  All is well there.

Now I need to connect eth2 directly to a (non-standard) device (don't
ask :) that will take care of the broadcasts, but they must be
untagged.  So I was hoping to create a rule that would essentially
direct the outgoing VLAN-tagged broadcasts to the native VLAN
(untagged).

Thanks,
-Mike

Re: Removing VLAN tag from outgoing broadcasts

[Gáspár Lajos]

Hi Mike,
> Now I need to connect eth2 directly to a (non-standard) device (don't
> ask :) that will take care of the broadcasts, but they must be
> untagged.  So I was hoping to create a rule that would essentially
> direct the outgoing VLAN-tagged broadcasts to the native VLAN
> (untagged).
>
>

As I mentioned before: (AFAIK) the switch WILL remove the VLAN tag on an 
Access Port...
If I understand you right you want to send ALL broadcast packets to this 
device...
If so then maybe you need the TEE target in the iptables/netfilter 
framework...
Jan Engelhardt can help you with that... :D

I would:
- set up a new VLAN (2051),
- put the other side (this non-standard device) on an Access Port,
- copy (with TEE) the traffic to this new VLAN...
(Or just forget the first two steps and use an other ethernet interface 
and a cross-link cable :D )

Hope that helps. :D

Swifty

Re: Removing VLAN tag from outgoing broadcasts

[Michael Robinson]

> As I mentioned before: (AFAIK) the switch WILL remove the VLAN tag on an
> Access Port...
> If I understand you right you want to send ALL broadcast packets to this
> device...
> If so then maybe you need the TEE target in the iptables/netfilter
> framework...
> Jan Engelhardt can help you with that... :D
>
> I would:
> - set up a new VLAN (2051),
> - put the other side (this non-standard device) on an Access Port,
> - copy (with TEE) the traffic to this new VLAN...
> (Or just forget the first two steps and use an other ethernet interface and
> a cross-link cable :D )
>
> Hope that helps. :D
>
> Swifty

Thanks for the suggestion, I'll look into the TEE target.

-Mike