Need to remove 802.1Q tagging

Need to remove 802.1Q tagging

[Duane Larson]

I have the following scenario

Internet Access
       |
       |
UserPortal AAA Device
       |
       |
       |
       |
Cisco CMTS Cable Modem Router
       |
       |
Cable Modem Cloud



The issue we have is that the UserPortal device is a Linux box and all
the traffic that will come from the Cable modem clients will be tagged
with VLANs.  The UserPortal can't be configured with all the VLAN
interfaces because some sites will have close to 2000 VLANs.  So I ran
across ebtables and brctl and it sounds like it might be able to solve
my issue.  This is the topology I am thinking might work

Internet Access
       |
       |
UserPortal AAA Device
       |
       |
Linux Bridge/ebtables
       |
       |
Cisco CMTS Cable Modem Router
       |
       |
Cable Modem Cloud


I am thinking that the two interfaces on the Linux box will be bridged
(in transparent mode) and when traffic passes through the linux box
the vlan 802.1q tag can be removed and then the traffic goes to the
UserPortal device without issue.  And when the traffic comes back from
the UserPortal to the Cisco CMTS Cable Modem Router the Linux Bridge
will be able to send the traffic to the client that initiated the
conversation in the first place.

Is my thinking correct?  Will this work?  What all do I need to be
aware of and are there any current examples that point to what I am
trying to do???  I am very new to netfilter and ebtables (I found out
about it last night).  I have a project that is very close to failing
unless we can find some type of layer 2 solution.

Any help or pointers are appreciated.

Re: Need to remove 802.1Q tagging

[Marek Kierdelewicz]

Hi,

>I am thinking that the two interfaces on the Linux box will be bridged
>(in transparent mode) and when traffic passes through the linux box
>the vlan 802.1q tag can be removed and then the traffic goes to the
>Is my thinking correct?  Will this work?  What all do I need to be
>aware of and are there any current examples that point to what I am
>trying to do???  I am very new to netfilter and ebtables (I found out
>about it last night).

Your idea should work.

Let's assume that "south" interface of Linux bridge on your diagram is
eth0 and "north" is eth1.

You can bridge all eth0.X vlan interfaces and eth1 to single bridge
with stp off. You should probably filter traffic on that bridge
and allow anything but eth0.x <-> eth1. It's also a good thing to setup
filtering ruleset before you start bridging (l'oops :).

I've similar solution working very well in production environment. It
involves providing pppoe on multiple vlans.

If you need any more implementation details please feel free to ask on
prv.

Best regards,
Marek Kierdelewicz

Re: Need to remove 802.1Q tagging

[Duane Larson]

Would the following work

ebtables -A INPUT -i eth0.10 -o eth1 -j DROP    <-------- Block
eth0.10 vlan from sending traffic to eth1
ebtables -A INPUT -i eth0.+ -o eth1 -j DROP      <------ BLock all
vlans from sending traffic to eth1

On Fri, Oct 7, 2011 at 2:52 PM, Marek Kierdelewicz <marek@piasta.pl> wrote:
> Hi,
>
>>I am thinking that the two interfaces on the Linux box will be bridged
>>(in transparent mode) and when traffic passes through the linux box
>>the vlan 802.1q tag can be removed and then the traffic goes to the
>>Is my thinking correct?  Will this work?  What all do I need to be
>>aware of and are there any current examples that point to what I am
>>trying to do???  I am very new to netfilter and ebtables (I found out
>>about it last night).
>
> Your idea should work.
>
> Let's assume that "south" interface of Linux bridge on your diagram is
> eth0 and "north" is eth1.
>
> You can bridge all eth0.X vlan interfaces and eth1 to single bridge
> with stp off. You should probably filter traffic on that bridge
> and allow anything but eth0.x <-> eth1. It's also a good thing to setup
> filtering ruleset before you start bridging (l'oops :).
>
> I've similar solution working very well in production environment. It
> involves providing pppoe on multiple vlans.
>
> If you need any more implementation details please feel free to ask on
> prv.
>
> Best regards,
> Marek Kierdelewicz
>



-- 
--
*--*--*--*--*--*
Duane
*--*--*--*--*--*
--

Re: Need to remove 802.1Q tagging

[Marek Kierdelewicz]

Hi,

>Would the following work
>ebtables -A INPUT -i eth0.10 -o eth1 -j DROP    <-------- Block
>eth0.10 vlan from sending traffic to eth1
>ebtables -A INPUT -i eth0.+ -o eth1 -j DROP      <------ BLock all
>vlans from sending traffic to eth1

That was an error on my end. I should have written "You should probably
filter traffic on that bridge and allow ONLY eth0.x <-> eth1".

You can achieve this with following rule:

ebtables -A FORWARD -i eth0.+ -o eth0.+ -j DROP

Default policy is accept, so only specified traffic will be filtered.On

Best regards,
Marek Kierdelewicz