# VLANS - Tough Question

## DoDo1975

Hello,

I think this is a toughie.

I have an access point that does dynamic 802.1q vlan tagging, where the vlan is taken from a radius server, so basically I have a vlan trunk going from my access point to my switch.  My switch is vlan capable, but my internet gateway is not.  I am able to put an untagged device on any 1 vlan, but the port will not allow more than 1 untagged vlan.  It can be a member of as many tagged vlans as I want.

I have 4 different vlans (2-5), that all traverse from my access point to my switch.  Using a packet sniffer, I see all is fine and the computers have proper vlan tags.  I can make the switch a member of all the vlans, and then I can ping the switch from all the machines, but only 1 can get out to the internet at a time (whichever is on the same vlan as the gateway).

I do not need to be on separate vlans when I hit the switch, but do need to be coming from the access point.  There is a device in the middle that maps services onto vlans.

I have inserted a second linux machine (gentoo) with 2 network cards between the switch and the access point.  Basically I want it to do this.

-Bridge packets

-When trunk side is incoming side I want vlan tag removed

-When switch side is incoming side I want to flood the frame to all 4 vlans (for simplicity so I don't need a table to keep track of which bridge ports = what vlans)

This basically will strip the vlan tag on outgoing frames, and then replicate incoming frames 4 times, 1 with each vlan tag.  This will allow me internet access from these machines.

I thought I could achieve this by creating 4 vlan interfaces and bridging them together with the other ethernet port, but it is not stripping the tags.  I have also tried brouting the frames but also have had no luck.

If anyone can help it would be much appreciated.

JL

Canada

----------

## think4urs11

How about 'simply' using the gentoo machine as default gw for the WLAN VLANs?

The tagged side gets an IP out of each vlan, being the default gw for that, and the LAN side gets one out of your normal IP range. Default gw for this machine would be your gw to the internet.

----------

## arpad

Hi!

I think you didn't want to bridge. If the vlan2-5 + ethX can act like a bridge, the clients can communicate with each other because the bridge will "throw back" the packet to another VLAN. I think it's not good for you. If it's not a problem, why are you using 802.1Q tagging?

IMHO the config you specified can work but you need to set the MTU correctly on both sides. The 802.1Q tagging puts 4 extra bytes before the IP header, so also IMHO in this case the maximum MTU is 1496, not 1500. The Linux bridge implementation needs the MTU set the same on all the bridge interfaces.

I used VLANs to give Internet access to our subscribers (approx. 1000). I managed this problem on L3, not L2. So I set up a router which handled the routing between the VLANs.

PS: You can't have more than one untagged VLAN on a switch's port because untagged means nothing is added to the packet (it's a normal IP packet). So the other side will have no idea of the current packet's VLAN information. The untagged is just a local configuration in the switch, while tagged changes the packets, so after all it isn't local.

PPS: Sorry for my bad English.

----------

## think4urs11

 *arpad wrote:*   

> IMHO the config you specified can work but you need to set the MTU correctly on both side. The 802.1Q tagging puts 4 extra bytes before the IP header so also IMHO in this case the maximum MTU is 1496 not 1500.

 

Nope - 802.1Q extends untagged packets by this 4 bytes. In other words q-tagged frames are 1504 bytes in total.

----------

## arpad

 *Think4UrS11 wrote:*   

>  *arpad wrote:*   IMHO the config you specified can work but you need to set the MTU correctly on both side. The 802.1Q tagging puts 4 extra bytes before the IP header so also IMHO in this case the maximum MTU is 1496 not 1500. 
> 
> Nope - 802.1Q extends untagged packets by this 4 bytes. In other words q-tagged frames are 1504 bytes in total.

 

That's right. But doesn't that mean that the MTU on the Ethernet device is only 1496? The 4 bytes are "eaten" by the tagging.

BTW my suggestion is also the L3 handling in this situation.

I just checked one of my routers and both of the ethX and vlanX has the same 1500 MTU... Interesting...

----------

## think4urs11

 *arpad wrote:*   

>  *Think4UrS11 wrote:*   Nope - 802.1Q extends untagged packets by this 4 bytes. In other words q-tagged frames are 1504 bytes in total. 
> 
> That's right. But doesn't that mean that the MTU on the Ethernet device is only 1496? The 4 bytes are "eaten" by the tagging

 

Actually I didn't write very exactly, i.e. a bit of crap.

Maximum Frame Size Ethernet: 1518 Byte

802.1Q Header Size: 4 Byte

max. MTU Ethernet: 1500 Byte

802.1Q-tagged frame size: 1522 Byte

max. MTU size stays at 1500

the tag itself is inserted into the 802.3 header between destination MAC and Length field.

Using Cisco's (proprietary) ISL for vlan tagging works a bit differently.
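Added example, not code from the original thread: a small Python model of what the two sides of this discussion are talking about. It inserts and strips IEEE 802.1Q tags on raw Ethernet frames, so you can see the sizes from the post above (1518-byte untagged maximum, 4-byte tag inserted after the source MAC, 1522-byte tagged frame, payload still 1500), and it implements the relay rule the original poster asked for (trunk side: strip the tag; switch side: one tagged copy per VLAN 2-5). All frames, MAC addresses and payloads are constructed test data; `relay_trunk_to_lan`, `relay_lan_to_trunk` and the other names are the example's own.

```python
"""802.1Q tag insert/strip and the trunk<->LAN relay from the thread.

Example code, not from the original poster or the Linux bridge/vlan tools.
Frame sizes follow the figures given in the thread: max untagged frame
1518 bytes (incl. 4-byte FCS), tag 4 bytes, max tagged frame 1522 bytes,
MTU (IP payload) stays 1500 in both cases.
"""
import struct

TPID_8021Q = 0x8100           # EtherType value that announces a VLAN tag
ETH_HDR_LEN = 14              # dst MAC (6) + src MAC (6) + EtherType (2)
TAG_LEN = 4                   # TPID (2) + TCI (2)
FCS_LEN = 4                   # appended by the NIC, not present in buffers
MAX_MTU = 1500                # payload size is unchanged by tagging
MAX_UNTAGGED_FRAME = ETH_HDR_LEN + MAX_MTU + FCS_LEN   # 1518
MAX_TAGGED_FRAME = MAX_UNTAGGED_FRAME + TAG_LEN        # 1522


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame as a host would hand it to the driver (no FCS)."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def vlan_id(frame: bytes):
    """Return the VID if the frame carries an 802.1Q tag, else None."""
    if len(frame) < ETH_HDR_LEN + TAG_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF       # bits 0-11: VID; bit 12: DEI; bits 13-15: PCP


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte tag between the source MAC and the EtherType field."""
    if not 1 <= vid <= 4094:              # 0 and 4095 are reserved
        raise ValueError("VID must be in 1..4094")
    if vlan_id(frame) is not None:
        raise ValueError("frame is already tagged (no QinQ here)")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag; an untagged frame is returned unchanged."""
    if vlan_id(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def wire_size(frame: bytes) -> int:
    """Size on the wire once the NIC has appended the FCS."""
    return len(frame) + FCS_LEN


# The relay the original poster describes, as two pure functions.

def relay_trunk_to_lan(frame: bytes) -> bytes:
    """Trunk (access point) side is ingress: hand the frame on untagged."""
    return strip_tag(frame)


def relay_lan_to_trunk(frame: bytes, vids=(2, 3, 4, 5)) -> list:
    """Switch side is ingress: flood one tagged copy into each VLAN.

    Note this deliberately ignores which VLAN the destination lives in,
    so every LAN-side frame reaches all four VLANs.
    """
    return [add_tag(frame, v) for v in vids]


def demo() -> dict:
    """Constructed sample: a full-size IPv4 frame from a made-up client."""
    client = bytes.fromhex("020000000001")   # locally administered, constructed
    gateway = bytes.fromhex("020000000002")
    untagged = build_frame(gateway, client, 0x0800, b"\x45" + b"\x00" * (MAX_MTU - 1))
    tagged = add_tag(untagged, 5)
    return {
        "untagged_wire": wire_size(untagged),        # 1518
        "tagged_wire": wire_size(tagged),            # 1522
        "vid": vlan_id(tagged),                      # 5
        "roundtrip_ok": strip_tag(tagged) == untagged,
        "flood_vids": [vlan_id(c) for c in relay_lan_to_trunk(untagged)],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the code makes visible that the prose only argues: the tag sits at byte offset 12, so everything after it, including the 1500-byte IP payload, is untouched and the MTU does not shrink; and `relay_lan_to_trunk` delivers every switch-side frame into all four VLANs, so whatever separation the access point enforced between wireless clients is undone on the path back, which is the isolation loss arpad warns about with the bridged design.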

----------

## snis

 *Quote:*   

> I have an access point that does dynamic 802.1q vlan tagging, where the vlan is taken from a radius server

 

I guess you are using IEEE 802.1X as authentication to assign users to different VLANs using the same SSID?

or...

Are you using RADIUS MAC authentication and assigning different MAC addresses to different VLANs?

Why?

 *Quote:*   

> I do not need to be on separate vlans when I hit the switch, but do need to be coming from the access point. There is a device in the middle that maps services onto vlans. 

 

So that's why?

You know that the normal usage of VLANs is to separate broadcast domains, and that normally a VLAN equals a subnet, for example:

VLAN 10 = 192.168.10.0/24 (192.168.10.0 - 192.168.10.255)

VLAN 20 = 192.168.20.0/24

But I'm guessing that you want to keep the services separated in different VLANs, but want the VLANs to be mapped to the same subnet.

If I'm right you need to do the following:

1. Map the "subscriber" VLANs to one router interface.

2. If you want the subscribers to be able to communicate between the VLANs you will have to have support for "local" proxy ARP on your router, because normally a router with proxy ARP won't send out a packet onto the same VLAN or port that it came from.

How to do this in Linux I have no idea; I know Juniper can do it, as well as Extreme Networks (they call it sub-VLANs that are mapped to a super-VLAN).

----------

