Date created: Friday, January 20, 2012 11:35:11 PM. Last modified: Monday, December 20, 2021 10:13:52 AM
Interface and bridge notes
Permanent Tun/Tap interfaces on Debian/Ubuntu systems:
# We can't have both "iface tun50 inet" and "iface tun50 inet6" stanzas because there is no guarantee which will run first.
# The first one must run pre-up to create the tun/tap interface, and the second one can't have that statement too:
# it would try to create the same interface and error out. Equally, the first one to go down can't have the post-down
# statement to delete the tun/tap interface, or the 2nd address-family's set of commands will fail. Instead, the following works:
# tun50: a permanent point-to-point tunnel interface managed entirely by ifupdown.
# Only an inet stanza exists; IPv6 is attached with up/post-up commands below so that
# the tun device is created (pre-up) and deleted (post-down) exactly once.
auto tun50
iface tun50 inet static
# Lowered MTU — presumably to leave room for the tunnel encapsulation on the outer path; confirm against the tunnel in use.
mtu 1390
address 192.168.254.1
# /31 point-to-point: the only other host in this subnet is 192.168.254.0, which is the gateway used below.
netmask 255.255.255.254
# The pre-up command is required to create the interface ("ip tuntap" comes from iproute2)
pre-up ip tuntap add tun50 mode tun
# Remote LAN IPv4 (net-tools "route" here, while the IPv6 lines below use iproute2 "ip";
# both work, but mixing the two tools makes the up/down pairs harder to audit)
up route add -net 10.0.0.0 netmask 255.255.255.0 gw 192.168.254.0
down route del -net 10.0.0.0 netmask 255.255.255.0 gw 192.168.254.0
# IPv6 address on the tunnel.
# NOTE(review): "fd::" parses as 00fd::, not fd00:: — the ULA range is fd00::/8; confirm the intended address.
up ip -6 addr add fd::ff:0:0:0:1/64 dev tun50
# Remote LAN IPv6 (more specific than the blackhole below, so it still wins by longest-prefix match)
post-up ip -6 route add 2000::/64 dev tun50
down ip -6 route del 2000::/64 dev tun50
# Blackhole all of global unicast (2000::/3): any global destination without a more-specific route
# is dropped locally, even if a default route (::/0) exists, rather than being sent out another interface.
post-up ip -6 route add blackhole 2000::/3
down ip -6 route del blackhole 2000::/3
# Delete the tun interface otherwise ifup will fail next time (pre-up would find it already present)
post-down ip tuntap del tun50 mode tun
A quick overview on Debian/Ubuntu style systems:
#Add new vlan
vconfig add eth0 120
#Add a new bridge interface
sudo /usr/sbin/brctl addbr br0120
#Bind in a real interface
sudo /usr/sbin/brctl addif br0120 eth0.120
#Configure it for start up
vi /etc/network/interfaces
allow-hotplug eth0
allow-hotplug eth1.120
auto eth0
iface eth0 inet static
# mtu 1500 # 1500 is default
address 192.168.0.5
netmask 255.255.255.0
gateway 192.168.0.254
dns-nameservers 192.0.2.1
auto eth0.120
iface eth0.120 inet manual
vlan_raw_device eth0
auto br0120
iface br0120 inet static
address 192.168.10.5
network 255.255.255.0
bridge_ports eth0.120
bridge_stp off
bridge_maxwait 0
bridge_fd 0
# IPv6 Static example
iface eth0 inet6 static
address 2001:db8::xxxx:yyyy
netmask 64
gateway 2001:db8::xxxx:yy:zzzz
dns-nameservers xxx::yyy
# IPv6 DHCP/SLAAC example: the address and default route come from router advertisements.
iface eth0 inet6 auto
# Mixed IPv6 example: SLAAC for the primary address plus a static address and route added by hand.
iface eth0 inet6 auto
# privext 0 turns IPv6 privacy extensions (RFC 4941 temporary addresses) off; the SLAAC address is then
# derived from the interface identifier and stays stable — fine for a server, trackable for a client.
privext 0
# accept_ra 2 keeps accepting router advertisements even when this host forwards IPv6. On a router that
# means any RA seen on this link is honoured, so protect the link (RA Guard on the switch, or filter
# ICMPv6 RAs from unexpected sources) or drop to accept_ra 0 and configure the default route statically.
accept_ra 2
up ip -6 addr add 2001:db8::1234/64 dev eth0
# NOTE(review): "fd:1:2:3/64" contains no "::" and is not a complete IPv6 prefix as written;
# presumably fd00:1:2:3::/64 was intended — confirm before relying on this route.
up ip -6 route add fd:1:2:3/64 gw 2001:db8::5678 dev eth0
down ip -6 route del fd:1:2:3/64 gw 2001:db8::5678 dev eth0
down ip -6 addr del 2001:db8::1234/64 dev eth0
#Static routes
vi /etc/network/if-up.d/static-routes-eth0
#!/bin/sh
if [ "$IFACE" = "eth0" ]; then
  route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.50
fi
#Check ifstate for ifdown and ifup
cat /etc/network/run/ifstate
lo=lo
eth0.120=eth0.120
br0120=br0120
eth1=eth1
eth0=eth0
A quick overview for CentOS/RHEL:
# Check/load the VLAN tagging module
lsmod | grep 802
sudo modprobe 8021q
# Make it persistent
echo "8021q" > /etc/modules-load.d/8021q.conf
# Create a VLAN tagged interface for the OS (remember, the kernel always absorbs the outermost VLAN tag):
sudo vconfig add em2 501
Added VLAN with VID == 501 to IF -:em2:-
[updata@localhost network-scripts]$ sudo cat /proc/net/vlan/config
VLAN Dev name | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
em2.501 | 501 | em2
# Make the VLAN interface persistent
# cat /etc/sysconfig/network-scripts/ifcfg-em2.501
TYPE=Ethernet
BOOTPROTO=static
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_FAILURE_FATAL=no
IPADDR=1.1.1.2
NETMASK=255.255.255.0
GATEWAY=1.1.1.1
DNS1=1.1.1.10
DNS2=1.1.1.20
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
NAME=em2.501
DEVICE=em2.501
ONBOOT=yes
NM_CONTROLLED=no
VLAN=yes
BRIDGE=br501
# Set up a bridge with the physical NIC
sudo brctl addbr br0
sudo brctl addif br0 em2
# To make it persistent
# cat /etc/sysconfig/network-scripts/ifcfg-br0
TYPE=Bridge
BOOTPROTO=none
DELAY=0
NM_CONTROLLED=no
NAME=br0
DEVICE=br0
ONBOOT=yes
STP=off
# cat /etc/sysconfig/network-scripts/ifcfg-em2
TYPE=Ethernet
BOOTPROTO=static
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_FAILURE_FATAL=no
NAME=em2
UUID=4f7acd96-97c6-49ea-9859-045c1857c758
DEVICE=em2
ONBOOT=yes
NM_CONTROLLED=no
BRIDGE=br0
# Create tagged VLANs on the bridge if a guest VM wanted tagged traffic for example, and not the OS
sudo vconfig add br0 503
Added VLAN with VID == 503 to IF -:br0:-
sudo vconfig add br0 504
Added VLAN with VID == 504 to IF -:br0:-
sudo ip link set up dev br0
sudo ip link set up dev br0.503
sudo ip link set up dev br0.504
sudo cat /proc/net/vlan/config
VLAN Dev name | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
br0.503 | 503 | br0
br0.504 | 504 | br0
em2.501 | 501 | em2
sudo brctl show
bridge name bridge id STP enabled interfaces
br0 8000.0ec608c9871f no em2
# To make the VLAN tagged bridge persistent
# cat /etc/sysconfig/network-scripts/ifcfg-br0.503
TYPE=Ethernet
BOOTPROTO=none
DELAY=0
NM_CONTROLLED=no
DEVICE=br0.503
ONBOOT=yes
VLAN=yes
# Adding a dummy interface...
# Check/load the dummy interface module
lsmod | grep dumm
sudo modprobe dummy
sudo ip link add name vnic21 type dummy
sudo ip link set up dev vnic21
When a VLAN tagged interface exists on a physical NIC the Linux kernel strips the outermost VLAN tag off. This means a VM bridged with a physical NIC's tagged VLAN logical interface won't receive tagged frames. In such a case the physical NIC must be added to a bridge and the VLAN tags added to the bridge only:
# Set up a bridge with the physical NIC, add VLANs to the bridge not the physical NIC, this NIC receives VLAN "tagged" outside traffic from different networks:
sudo brctl addbr br0
sudo brctl addif br0 em2
sudo vconfig add br0 503
Added VLAN with VID == 503 to IF -:br0:-
sudo vconfig add br0 504
Added VLAN with VID == 504 to IF -:br0:-
sudo ip link set up dev br0
sudo ip link set up dev br0.503
sudo ip link set up dev br0.504
sudo cat /proc/net/vlan/config
VLAN Dev name | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
br0.503 | 503 | br0
br0.504 | 504 | br0
sudo brctl show
bridge name bridge id STP enabled interfaces
br0 8000.0ec608c9871f no em2
# Add a trunking bridge between two VMs for inter-VM traffic
sudo brctl addbr br1
sudo vconfig add br1 505
Added VLAN with VID == 505 to IF -:br1:-
sudo vconfig add br1 506
Added VLAN with VID == 506 to IF -:br1:-
sudo ip link set up dev br1
sudo ip link set up dev br1.505
sudo ip link set up dev br1.506
brctl show
bridge name bridge id STP enabled interfaces
br0 8000.0ec608c9871f no em2
br1 8000.6e095a72ee74 no
sudo cat /proc/net/vlan/config
VLAN Dev name | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
br0.503 | 503 | br0
br0.504 | 504 | br0
br1.505 | 505 | br1
br1.506 | 506 | br1
# Add a final trunk bridge on the other physical NIC which can be an "inside" interface, the second VM can bind to:
sudo brctl addbr br2
sudo vconfig add br2 507
Added VLAN with VID == 505 to IF -:br1:-
sudo vconfig add br2 508
Added VLAN with VID == 506 to IF -:br1:-
sudo ip link set up dev br2
sudo ip link set up dev br2.507
sudo ip link set up dev br2.508
sudo brctl addif br2 em1
brctl show
bridge name bridge id STP enabled interfaces
br0 8000.0ec608c9871f no em2
br1 8000.6e095a72ee74 no
br2 8000.425730355ccb no
sudo cat /proc/net/vlan/config
VLAN Dev name | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
br0.503 | 503 | br0
br0.504 | 504 | br0
br1.505 | 505 | br1
br1.506 | 506 | br1
br2.507 | 507 | br2
br2.508 | 508 | br2
This is the topology that has been created above: