5

http://blog.ine.com/2008/07/14/private-vlans-revisited/

Has anyone tried private vlan's under Linux? Any experiences with them? My real question is does anybody have howtos regarding this?

Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
LanceBaynes
  • 39,295
  • 97
  • 250
  • 349
  • did you get any progress on this subject ? I'm researching same area and will be glad to some directions (to howtos) currently i'm reading vlan code will find out eventually but it's a long way to go ... – Ilya Sep 18 '11 at 12:35

4 Answers4

4

I don't know if Linux supports Cisco's concept of "private VLANs" per se, but what private VLANs essentially are is a link-layer firewall controlling which switch ports can talk to which other switch ports. So if you've got a Linux box with several Ethernet devices and are bridging between them (e.g. with the brctl tool), I think the tool you want is called ebtables. If you're familiar with iptables, it shouldn't be too hard to pick up from the man page.

Note, though, that describing all of the private VLAN concepts at once using ebtables might be complicated. And if you want to share PVLAN groupings with a Cisco switch (assuming that's possible), I'm guessing this isn't the way to go about it.

Jander
  • 16,272
  • 6
  • 50
  • 66
  • Linux supports 802.11q. While I dont know about ISL, I know that it's pretty much deprecated in Cisco now adays. – 3molo Apr 27 '11 at 08:11
  • That's true; Linux does support 802.1q. Maybe I should have said so outright, but I was assuming that we're not talking about 802.1q. – Jander May 02 '11 at 05:27
  • Note that Private VLANs aren't even port-based, but VLAN-based, so you can't implement them with simple rules looking at the ingress and egress ports. You have to actually look at the VLAN id when considering if the frame should be sent on a particular port. Of course it doesn't help that pretty much all documentation there is on the subject presents a table like the one quoted in the linked post, one that looks at it using port-based logic papering over what actually needs to happen when the frames come from a trunk port... – ilkkachu Dec 12 '21 at 16:25
2

This may help... Is it possible to enable port isolation on linux bridges https://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you are talking about a computer with multiple Ethernet ports and wanting all the ports to be 'in the same LAN' but set so they are protected and can't talk to each other, I only have a solution using BSD.

In FreeBSD, create a bridge and add ports to a bridge like this:

ifconfig bridge0 create
ifconfig bridge0 addm em0 addm em1 addm em2

Now you have a 'switch' with 6 ports. They can all see each other. To isolate ports em1 and em2 from each other (similar to PVLAN or 'switchport protected') you would run:

ifconfig bridge0 private em1 private em2 private

You can add an ip to the bridge as well...

ifconfig bridge0 10.12.14.1/24

Both ports would still see traffic from em0. If you wanted to isolate em0 as well:

ifconfig bridge0 private em0

More on this here: http://www.freebsd.org/doc/handbook/network-bridging.html#idp97030960

[yes, the initial question was a few years ago... I am looking for a Linux solution as well, but thought I'd share this BSD solution]

Community
  • 1
MonkeyBrains
  • 21
  • 2
1

I don't know what you mean by "private" VLAN's, but Linux does VLANs. The ip command from iproute2 can configure them. You do have to have a NIC and driver that supports it, but most do these days.

Keith
  • 7,828
  • 1
  • 27
  • 29
  • A PVLAN basically means putting each switchport on its own VLAN. This prevents a client from issuing broadcast traffic to anyone else on the LAN unless explicitly permitted. Used by campuses as part of rogue DHCP server prevention and such. – LawrenceC Apr 27 '11 at 11:21
  • I see. But from the on-the-wire, client-side perspective it's no different than a regular VLAN. – Keith Apr 27 '11 at 13:50
1

I'm sure there's a million ways to do it, but I've used 'vconfig' to add vlans in the past.

First add the vlan
'vconfig add eth0 123'

Now you can configure the sub interface
'ifconfig eth0.123 ...'

3molo
  • 191
  • 1
  • 6