Selective Vlan Assignments

plrpilot

Sep 22, 2023
I have a trunked network line going to a single interface. I would like to selectively route a few vlans (10,20,21) to a single network interface as tagged traffic. There are many more vlans than this on the original trunk, but I only want these vlans to route to my monitoring container. This traffic is already tagged on the original trunk -- I'm just trying to get it to a single interface. While I could untag it to separate network interfaces, I need to verify the actual vlan tags via layer 2 monitoring. The full use case is much more complex than this, but this example would give me enough info to solve my challenge.

Question: How can I selectively route multiple vlans to a single virtual interface?

My current setup is:

  • eno12409np1 (physical interface)
  • vmbr2 -> eno12409np1
    • labzone -> vmbr2
    • net10 -> labzone, tag 10
    • net20 -> labzone, tag 20
    • net21 -> labzone, tag 21
    • etc...

Code:
cat /etc/network/interfaces

auto lo
iface lo inet loopback

iface eno8303 inet manual

auto eno12409np1
iface eno12409np1 inet manual
#Lab Trunk

auto vmbr0
iface vmbr0 inet static
        address 10.200.100.45/24
        gateway 10.200.100.1
        bridge-ports eno8303
        bridge-stp off
        bridge-fd 0

auto vmbr2
iface vmbr2 inet manual
        bridge-ports eno12409np1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

source /etc/network/interfaces.d/*

Code:
cat /etc/network/interfaces.d/sdn
#version:16

auto VNET10
iface VNET10
        bridge_ports vmbr2.10
        bridge_stp off
        bridge_fd 0
        alias VLAN 10 NET

auto VNET20
iface VNET20
        bridge_ports vmbr2.20
        bridge_stp off
        bridge_fd 0
        alias VLAN 20 NET

auto VNET21
iface VNET21
        bridge_ports vmbr2.21
        bridge_stp off
        bridge_fd 0
        alias VLAN 21 NET
 
Untested if it works, but I'd try to set `bridge-vids 10 20 21` on vmbr2 and connect your container directly to `vmbr2`. Don't set a tag on the interface of your container and you should see tagged packets inside your container.

(As mentioned, I did not test it, never had that requirement)
 
This is promising -- it DOES work for a single bridge, but isn't quite the full solution that I need.

I have different monitors that need to monitor different sets of vlans in context. To use the bridge-vids setting, I would need to define multiple bridges to the same physical interface, which doesn't seem possible. I'm getting errors when I try to create multiple bridges to the same physical interface. Ideas?
 
I ended up finding the solution -- very similar to the solution by mgabriel, but in a different place. The bridge-vids is great if you need to do some preliminary filtering of vlans to the host bridge.

For my case, I needed to map the interfaces to the host bridge, and do the filtering at the interface at the container or vm level instead of at the bridge level.

For LXC containers:

Edit /etc/pve/lxc/xyz.conf, where xyz is the container ID.

Let's also assume that you added a network interface and assigned it to vmbr2.

net1: name=eth0,bridge=vmbr2,trunks=10;21,firewall=1,hwaddr=BC:24:11:00:00:00,type>

The trunks=a;b option filters a particular interface to the listed VIDs. The traffic will retain the VLAN tags, which is critical for my use case.

For VMs, the same process applies, but the conf file is in: /etc/pve/qemu-server/xyz.conf
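The two approaches in this thread (bridge-vids on vmbr2 versus trunks= on the guest interface) differ in which VLANs a monitoring guest ends up seeing, and the failure mode worth catching is the reverse of the one the thread hit: a guest port with neither tag nor trunks on a VLAN-aware bridge receives every VID the bridge admits, so a monitor meant for three VLANs would see the whole trunk. The following is an added example, not from the thread and not Proxmox's own code. It parses a Proxmox netN line and the bridge's bridge-vids from the posted interfaces config and reports which tagged VIDs the port effectively admits, flagging extra and missing VLANs against the set the monitor should see. The port semantics it models (tag gives an untagged PVID, trunks gives tagged VIDs, neither gives everything in bridge-vids) and the 2-4094 fallback are assumptions modelled after how Proxmox configures guest ports; `bridge vlan show` on the host is the ground truth.

```python
"""Which VLAN IDs does a Proxmox guest port actually admit?

Added example (not from the forum thread and not Proxmox's own code).
Assumed port semantics on a VLAN-aware bridge, modelled after how Proxmox
configures guest ports (verify on a real host with `bridge vlan show`):
  - tag=X            -> VID X accepted untagged (PVID X)
  - trunks=a;b;c-d   -> listed VIDs accepted tagged
  - neither          -> every VID in the bridge's bridge-vids accepted tagged
Only VIDs the uplink bridge also admits (bridge-vids) can carry traffic, so the
effective tagged set is the intersection of the two.
"""


def parse_vid_list(spec, sep):
    """Parse '10;21', '2-4094' or '10 20 21' into a set of VLAN IDs."""
    vids = set()
    for part in spec.split(sep):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vids.update(range(int(lo), int(hi) + 1))
        else:
            vids.add(int(part))
    return vids


def parse_net_line(line):
    """'net1: name=eth0,bridge=vmbr2,trunks=10;21,...' -> ('net1', {opts})."""
    key, _, rest = line.partition(":")
    opts = {}
    for kv in rest.strip().split(","):
        if "=" in kv:
            k, v = kv.split("=", 1)
            opts[k.strip()] = v.strip()
    return key.strip(), opts


def bridge_vids(interfaces_text, bridge):
    """Collect bridge-vids from the named bridge's stanza in an interfaces file.

    Falls back to 2-4094 when unset (assumption: the value Proxmox writes for
    VLAN-aware bridges; confirm against your own /etc/network/interfaces).
    """
    in_stanza = False
    vids = set()
    for raw in interfaces_text.splitlines():
        line = raw.strip()
        if line.startswith("iface "):
            in_stanza = line.split()[1] == bridge
        elif in_stanza and line.startswith("bridge-vids "):
            vids |= parse_vid_list(line.split(None, 1)[1], " ")
    return vids or set(range(2, 4095))


def admitted_vlans(opts, uplink_vids):
    """Return (pvid, effective tagged VID set) for one guest port."""
    pvid = int(opts["tag"]) if "tag" in opts else None
    if "trunks" in opts:
        tagged = parse_vid_list(opts["trunks"], ";")
    elif pvid is None:
        tagged = set(uplink_vids)  # no filtering at all: the whole trunk is visible
    else:
        tagged = set()
    return pvid, tagged & uplink_vids


def check_exposure(net_line, interfaces_text, wanted):
    """Compare what the port admits against the VLANs the monitor should see."""
    name, opts = parse_net_line(net_line)
    pvid, tagged = admitted_vlans(opts, bridge_vids(interfaces_text, opts["bridge"]))
    return {
        "iface": name,
        "pvid": pvid,
        "tagged": sorted(tagged),
        "extra": sorted(tagged - wanted),    # VLANs the monitor sees but should not
        "missing": sorted(wanted - tagged),  # VLANs the monitor needs but will not get
    }


# Constructed inputs, based on the config posted in the thread.
INTERFACES = """\
auto vmbr2
iface vmbr2 inet manual
        bridge-ports eno12409np1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
"""
INTERFACES_FILTERED = INTERFACES.replace("bridge-vids 2-4094", "bridge-vids 10 20 21")
NET_TRUNKED = "net1: name=eth0,bridge=vmbr2,trunks=10;21,firewall=1,hwaddr=BC:24:11:00:00:00,type=veth"
NET_OPEN = "net1: name=eth0,bridge=vmbr2,firewall=1,hwaddr=BC:24:11:00:00:00,type=veth"

if __name__ == "__main__":
    for label, net, ifaces in [("trunks=10;21", NET_TRUNKED, INTERFACES),
                               ("no tag/trunks, vids 2-4094", NET_OPEN, INTERFACES),
                               ("no tag/trunks, vids 10 20 21", NET_OPEN, INTERFACES_FILTERED)]:
        r = check_exposure(net, ifaces, {10, 21})
        print(f"{label}: pvid={r['pvid']} tagged={len(r['tagged'])} "
              f"extra={len(r['extra'])} missing={r['missing']}")
```

Running it against the thread's own config shows the difference between the two answers: trunks=10;21 with bridge-vids 2-4094 admits exactly VIDs 10 and 21; the same guest port with no tag and no trunks admits all 4093 VIDs, which is what the "connect directly to vmbr2" suggestion relies on bridge-vids to narrow. Note also that firewall=1 on the guest port does nothing to limit VLAN membership; only tag, trunks and bridge-vids do.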