Vishwas Manral wrote:
> Hi Ben,
>
> Thanks for the reply. I am not very aware of the Linux implementation
> you have but am eager to find out (or even help enhance). I have seen
> one other Linux implementation of a VLAN in the past.
>
> I have a few points to ask: -
>
>> Bridging between MAC-VLAN interfaces does not make sense to me, so I
>> think this probably doesn't work in any useful manner.
>
> 1. I am not sure of how the implementation is, but Mac-Based VLAN should
> only be used to resolve a VLAN based on source Mac-Address when the
> packet comes in untagged. Once the VLAN is resolved, the bridging
> functionality is done the same way as for any other VLAN bridging: send
> the packet only on a port that is part of the VLAN.

Bridging and VLANs are separate projects, and work independently of each other. I don't know if the bridging code would properly handle MAC vlans, as I've never tried it, and I doubt that they have either since the patch is not in the kernel proper.

Also, my code allows MAC-VLANs to run on top of 802.1Q vlans as well as normal un-tagged ports :)

> Mac-Based VLAN is necessary in conditions where a client can roam and
> hence the port on which the packet from a client arrives is not fixed.
> We can have a Mac-Based VLAN database for the same, and in this
> condition a Mac-based VLAN is necessary.

User-space could manage this by moving the MAC-VLANs and/or changing the bridging setup as needed. My personal needs do not involve this type of use, but I'll accept patches if they help out such a project (and do not degrade other performance/use).

> 2.
>> The Linux MAC-VLAN stuff is not in the official kernel, but I have
>> done fairly extensive testing on the mode that matches on the
>> destination MAC.
>
> I am not sure of what you mean by Mac-destination based VLAN? Do you, in
> case the packet is a multicast or a broadcast packet, send the packet to
> all the addresses on the VLAN?

I do not encase it at all, it is purely a local classification. Machines outside of the Linux box cannot tell whether or not I'm using MAC-VLANs. I use this to emulate loads of virtual interfaces with a single machine, primarily for my LANforge traffic generation testing tools.

If you filter on the source MAC, you can have some very limited security, and can make more interesting firewall/routing decisions easily. But you must be aware that it is trivial to change one's MAC address, so do not use this for any serious type of security.

> 3.
>> Port-based VLANs mean nothing unless you are bridging, and Linux
>> already supports bridging regular ethernet interfaces and 802.1Q
>> VLANs, so this is supported as well.
>
> Could you explain this further? I am a bit confused.

Try searching the bridging HOWTOs; I think they will have info that will help you understand better.

Ben

--
Ben Greear <greearb@xxxxxxxxxxxxxxx>
Candela Technologies Inc http://www.candelatech.com