Bridge and VLAN
Linux bridge is a way to connect two ethernet segments together in a protocol independent way. Packets are forwarded based on the ethernet address, rather than the IP address (like a router). Since forwarding is done at Layer 2, all protocols can go transparently through a bridge.
The Linux bridge code implements a subset of the ANSI/IEEE 802.1d standard. [1]. Bridge and VLAN are supported on Linux kernels 2.4.x and 2.6.x.
Linux Bridge supports the following bridge types, defined by the IEEE 802.1Q standard:
- VLAN-Unaware Bridge : Bridge that does not recognize VLAN-tagged packets. This is the default.
- VLAN-Aware Bridge : Bridge that recognizes packets with one or more VLAN tags; a port can be configured as a tagged or untagged member of a VLAN.
- Create a Bridge (By default, a linux bridge is VLAN-unaware):
ip link add name br0 type bridge
- Delete a Bridge:
ip link del dev br0
- Set a Bridge to be VLAN-aware:
ip link set dev br0 type bridge vlan_filtering 1
A Linux bridge forwards packets based on FDB data.
- To display bridge FDB data:
bridge fdb
Example Output:
52:54:00:12:35:01 dev sw1p1 master br0 permanent
00:02:00:00:02:00 dev sw1p1 master br0 offload
00:02:00:00:02:00 dev sw1p1 self
52:54:00:12:35:02 dev sw1p2 master br0 permanent
00:02:00:00:03:00 dev sw1p2 master br0 offload
00:02:00:00:03:00 dev sw1p2 self
33:33:00:00:00:01 dev eth0 self permanent
01:00:5e:00:00:01 dev eth0 self permanent
33:33:ff:00:00:00 dev eth0 self permanent
01:80:c2:00:00:0e dev eth0 self permanent
33:33:00:00:00:01 dev br0 self permanent
01:00:5e:00:00:01 dev br0 self permanent
33:33:ff:12:35:01 dev br0 self permanent
Entries with the offload and extern_learn flags are externally learned entries (hardware FDB).
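As an added example (not part of the original page), the following POSIX shell helpers parse `bridge fdb` output in the format shown above. `fdb_conflicts` reports a MAC address that is present on more than one port of the same bridge (a loop or a spoofed source address; sticky entries, described later on this page, are the usual mitigation), and `fdb_count_flag` counts entries carrying a given flag such as `offload`, `extern_learn` or `permanent`. The sample FDB text is constructed for the example; VLAN IDs in the output are ignored by the conflict check.

```shell
#!/bin/sh
# Constructed sample in the text format printed by `bridge fdb`.
# The MAC 00:02:00:00:02:00 deliberately appears on two ports of br0.
SAMPLE_FDB='52:54:00:12:35:01 dev sw1p1 master br0 permanent
00:02:00:00:02:00 dev sw1p1 master br0 offload
00:02:00:00:02:00 dev sw1p1 self
52:54:00:12:35:02 dev sw1p2 master br0 permanent
00:02:00:00:03:00 dev sw1p2 master br0 offload
00:02:00:00:02:00 dev sw1p2 master br0 extern_learn
33:33:00:00:00:01 dev br0 self permanent'

# fdb_conflicts FDB_TEXT
# Prints "<bridge> <mac> <port1>,<port2>" for each MAC seen on more than
# one port of the same bridge. Only "master" entries (bridge FDB) are
# considered; "self" entries describe the device itself and are skipped.
fdb_conflicts() {
    printf '%s\n' "$1" | awk '
        $4 == "master" {
            key = $5 " " $1                 # bridge + MAC
            if (!(key in port)) {
                port[key] = $3              # first port this MAC was seen on
            } else if (port[key] != $3) {
                conflict[key] = port[key] "," $3
            }
        }
        END { for (k in conflict) print k, conflict[k] }' | sort
}

# fdb_count_flag FDB_TEXT FLAG
# Counts entries whose flag list contains FLAG (offload, extern_learn,
# permanent, self, ...). Device names never collide with flag keywords.
fdb_count_flag() {
    printf '%s\n' "$1" | awk -v f="$2" '
        { for (i = 2; i <= NF; i++) if ($i == f) c++ }
        END { print c + 0 }'
}

# Usage on a live system would be:  fdb_conflicts "$(bridge fdb show)"
fdb_conflicts "$SAMPLE_FDB"
fdb_count_flag "$SAMPLE_FDB" offload
```

Run on a live box as `fdb_conflicts "$(bridge fdb show)"`; an empty result means no MAC is learned on two ports of one bridge.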
- Adding a net device port to the bridge:
ip link set dev sw0p1 master br0
- Removing a net device port from the bridge:
ip link set dev sw0p1 nomaster
- Adding two ports (sw0p1 and sw0p2) to a VLAN-aware bridge:
ip link set dev br0 type bridge vlan_filtering 1
ip link set dev sw0p1 master br0
ip link set dev sw0p2 master br0
- Show the PVID of a port. By default, untagged ingress/egress packets are assigned the port's default PVID.
bridge vlan show dev sw0p1
port vlan ids
sw0p1 1 PVID Egress Untagged
- Add a port to a VLAN:
bridge vlan add vid 20 dev sw0p1
bridge vlan show dev sw0p1
Output:
port vlan ids
sw0p1 1 PVID Egress Untagged 20
- Change the PVID of the port using the pvid flag:
$ bridge vlan add vid 20 dev sw0p1 pvid
$ bridge vlan show dev sw0p1
Output:
port vlan ids
sw0p1 1 Egress Untagged 20 PVID
Multiple VLAN-unaware bridges can be created. This can be used, for example, to separate FDBs, as shown in the following example:
ip link add name br1 type bridge
ip link add name br2 type bridge
ip link set dev swp1 master br1
ip link set dev swp2 master br2
The following bridge port attributes can be configured:
- Learning – controls whether a given port learns MAC addresses from received traffic. If learning is off, the bridge ends up flooding any traffic for which it has no FDB entry. By default this flag is on.
- Flooding – controls whether a given port floods unicast traffic for which there is no FDB entry. By default, this flag is on.
- Bridge port locked – a locked port is not subject to flooding of unknown unicast and multicast traffic, nor to automatic learning. A locked port forwards only MAC-authorized traffic, i.e. traffic whose source MAC address is persistent in the FDB; the user adds a static FDB entry for it, which is treated as a MAC-auth entry. If there are no MAC-authorized entries in the FDB, the port is only capable of trapping PAE (802.1X) packets.
To set learning and flooding attributes:
bridge link set dev DEV learning {on/off} flood {on/off}
The Forwarding Database (FDB) is managed by the bridge driver. In Linux, FDB entries can be one of the following:
- A static FDB entry can be moved to a different port via learning.
- A sticky FDB entry does not change its port due to learning.
Initially, all entries are treated as static. Once the first upstream patch is published, a follow-up request with changes to the switchdev FDB notification will add support for the entry type.
- To add a static FDB entry:
bridge fdb add ADDR dev DEV master static [sticky] [vlan VID]
- To delete a static FDB entry:
bridge fdb delete ADDR dev DEV master static [vlan VID]
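The following script is an added example, not code from the page or from the Marvell Switchdev project. It ties together the port attribute and FDB steps above (and the VLAN membership/PVID steps earlier on the page) into one MAC-authorized access port: the port joins the bridge, gets a PVID, has learning and flooding turned off and is locked, and receives one static sticky FDB entry per authorized MAC. Inputs are validated before any command is emitted, and with the default DRY_RUN=1 the commands are only printed. The bridge, port and MAC values are constructed placeholders; `locked on` is assumed to be available in the installed iproute2 (the page names the locked attribute but shows no command for it).

```shell
#!/bin/sh
# Added example: build a locked, MAC-authorized bridge port.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
DRY_RUN=${DRY_RUN:-1}

# vlan_ok VID  -> succeeds if VID is an integer in 1..4094
vlan_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# mac_ok MAC  -> succeeds for a lower-case unicast MAC (aa:bb:cc:dd:ee:ff).
# A multicast address (I/G bit set, i.e. odd second hex digit) is rejected,
# since a MAC-auth entry must describe a single station.
mac_ok() {
    echo "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    case "$1" in
        ?[13579bdf]:*) return 1 ;;
    esac
    return 0
}

# run CMD...  -> print or execute depending on DRY_RUN
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# lock_port BRIDGE PORT VID MAC...
# Validates all inputs first so a typo never leaves the port half-configured.
lock_port() {
    br=$1; dev=$2; vid=$3; shift 3
    vlan_ok "$vid" || { echo "bad VLAN id: $vid" >&2; return 2; }
    [ $# -ge 1 ] || { echo "at least one authorized MAC is required" >&2; return 2; }
    for m in "$@"; do
        mac_ok "$m" || { echo "bad unicast MAC: $m" >&2; return 2; }
    done
    run ip link set dev "$dev" master "$br"
    # untagged member with this VID as PVID (same as the 'pvid' flag above)
    run bridge vlan add vid "$vid" dev "$dev" pvid untagged
    # no learning, no unknown-unicast flooding, forward only MAC-auth traffic
    run bridge link set dev "$dev" learning off flood off locked on
    for m in "$@"; do
        # sticky: the entry never migrates to another port through learning
        run bridge fdb add "$m" dev "$dev" master static sticky vlan "$vid"
    done
}

# Constructed example values (placeholders, not from a real deployment).
lock_port br0 sw0p1 20 52:54:00:12:35:01 52:54:00:12:35:02
```

Turning learning off before adding the static entries matters: a port that is still learning can pick up a spoofed source address as a dynamic entry before the authorized list is in place.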
- Before changing the mode of a bridge, you must unbind any switch ports that are bound to it. Changing the bridge mode while switch ports are bound to it generates an error.