Gentoo Forums
VLANS - Tough Question
Gentoo Forums Forum Index :: Networking & Security
DoDo1975
n00b

Joined: 20 Jun 2006
Posts: 1

PostPosted: Tue Jun 20, 2006 11:56 pm    Post subject: VLANS - Tough Question

Hello,

I think this is a toughy.

I have an access point that does dynamic 802.1q vlan tagging, where the vlan is taken from a radius server, so basically I have a vlan trunk going from my access point to my switch. My switch is vlan capable, but my internet gateway is not. I am able to put an untagged device on any 1 vlan, but the port will not allow more than 1 untagged vlan. It can be a member of as many tagged vlans as I want.

I have 4 different vlans (2-5), that all traverse from my access point to my switch. Using a packet sniffer, I see all is fine and the computers have proper vlan tags. I can make the switch a member of all the vlans, and then I can ping the switch from all the machines, but only 1 can get out to the internet at a time (whichever is on the same vlan as the gateway).

I do not need to be on separate vlans when I hit the switch, but do need to be coming from the access point. There is a device in the middle that maps services onto vlans.

I have inserted a second linux machine (gentoo) with 2 network cards between the switch and the access point. Basically I want it to do this.

-Bridge packets
-When trunk side is incoming side I want vlan tag removed
-When switch side is incoming side I want to flood the frame to all 4 vlans (for simplicity so I don't need a table to keep track of which bridge ports = what vlans)

This basically will strip the vlan tag on outgoing frames, and then replicate incoming frames 4 times, 1 with each vlan tag. This will allow me internet access from these machines.

I thought I could achieve this by creating 4 vlan interfaces and bridging them together with the other ethernet port, but it is not stripping the tags. I have also tried brouting the frames but also have had no luck.

If anyone can help it would be much appreciated.

JL
Canada
think4urs11
Bodhisattva

Joined: 25 Jun 2003
Posts: 6659
Location: above the cloud

PostPosted: Wed Jun 21, 2006 6:27 am    Post subject:

How about 'simply' using the gentoo machine as default gw for the WLAN VLANs?
The tagged side gets an IP out of each vlan, being default gw for that, and the lan-side gets one out of your normal ip range. Default gw for this machine would be your gw to internet.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
arpad
n00b

Joined: 15 Jun 2006
Posts: 22
Location: Budapest, Hungary

PostPosted: Wed Jun 21, 2006 6:38 am    Post subject:

Hi!

I think you don't want to bridge. If vlan2-5 + ethX act like a bridge, the clients can communicate with each other because the bridge will "throw back" the packet to another VLAN. I think that's not good for you. If it's not a problem, why are you using 802.1Q tagging?
IMHO the config you specified can work, but you need to set the MTU correctly on both sides. The 802.1Q tagging puts 4 extra bytes before the IP header, so also IMHO in this case the maximum MTU is 1496, not 1500. The Linux bridge implementation needs the MTU set the same on all the bridge interfaces.
I used VLANs to give Internet access to our subscribers (approx. 1000). I managed this problem on L3, not L2. So I set up a router which handled the routing between the VLANs.

PS: You can't have more than one untagged VLAN on a switch port because untagged means nothing is added to the packet (it's a normal IP packet). So the other side will have no idea of the current packet's VLAN information. Untagged is just a local configuration in the switch, while tagging changes the packets, so after all it isn't local.

PPS: Sorry for my bad English.
think4urs11
Bodhisattva

Joined: 25 Jun 2003
Posts: 6659
Location: above the cloud

PostPosted: Wed Jun 21, 2006 6:47 am    Post subject:

arpad wrote:
IMHO the config you specified can work but you need to set the MTU correctly on both side. The 802.1Q tagging puts 4 extra bytes before the IP header so also IMHO in this case the maximum MTU is 1496 not 1500.

Nope - 802.1Q extends untagged packets by these 4 bytes. In other words q-tagged frames are 1504 bytes in total.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
arpad
n00b

Joined: 15 Jun 2006
Posts: 22
Location: Budapest, Hungary

PostPosted: Wed Jun 21, 2006 7:00 am    Post subject:

Think4UrS11 wrote:
arpad wrote:
IMHO the config you specified can work but you need to set the MTU correctly on both side. The 802.1Q tagging puts 4 extra bytes before the IP header so also IMHO in this case the maximum MTU is 1496 not 1500.

Nope - 802.1Q extends untagged packets by these 4 bytes. In other words q-tagged frames are 1504 bytes in total.

That's right. But doesn't it mean that the MTU on the Ethernet device is only 1496? The 4 bytes are "eaten" by the tagging :-)
BTW my suggestion is also the L3 handling in this situation.

I just checked one of my routers and both ethX and vlanX have the same 1500 MTU... Interesting...
think4urs11
Bodhisattva

Joined: 25 Jun 2003
Posts: 6659
Location: above the cloud

PostPosted: Wed Jun 21, 2006 5:55 pm    Post subject:

arpad wrote:
Think4UrS11 wrote:
Nope - 802.1Q extends untagged packets by these 4 bytes. In other words q-tagged frames are 1504 bytes in total.

That's right. But doesn't it mean that the MTU on the Ethernet device is only 1496? The 4 bytes are "eaten" by the tagging :-)

Actually I didn't write very exactly, i.e. a bit of crap ;)

Maximum frame size Ethernet: 1518 bytes
802.1Q header size: 4 bytes
Max. MTU Ethernet: 1500 bytes

802.1Q-tagged frame size: 1522 bytes
Max. MTU size stays at 1500.
The tag itself is inserted into the 802.3 header between destination MAC and Length field.

Using Cisco's (proprietary) ISL for vlan tagging works a bit differently.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
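Added example, not code from this thread or from any poster: a small Python model of the two bridge directions JL asks for in the first post (trunk side in: strip the 802.1Q tag; switch side in: replicate the frame once per VLAN 2-5) together with the frame sizes from the post above. It shows where the 4-byte tag goes, that the payload (MTU) stays at 1500 while the frame grows from 1518 to 1522 bytes with FCS, and that stripping restores the original frame byte for byte. The MAC addresses, filler payload and function names are constructed for the example; nothing is sent on a wire.

```python
"""802.1Q tag insertion, stripping and fan-out on raw Ethernet II frames.

Constructed example (not code from the forum thread). MAC addresses, the
payload and all function names are assumptions made for illustration.
"""
import struct

ETH_HDR_LEN = 14        # dst MAC (6) + src MAC (6) + EtherType/Length (2)
FCS_LEN = 4             # frame check sequence the NIC appends on the wire
DOT1Q_TAG_LEN = 4       # TPID (2) + TCI (2)
TPID_8021Q = 0x8100     # EtherType value that announces a tagged frame
ETHERTYPE_IPV4 = 0x0800
MAX_MTU = 1500          # maximum payload; tagging does not change it


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an untagged Ethernet II frame as software sees it (no FCS)."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if len(payload) > MAX_MTU:
        raise ValueError("payload exceeds the 1500-byte MTU")
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def wire_size(frame: bytes) -> int:
    """Size on the wire: the software view plus the 4-byte FCS."""
    return len(frame) + FCS_LEN


def is_tagged(frame: bytes) -> bool:
    """True when the field after the source MAC is the 802.1Q TPID."""
    return (len(frame) >= ETH_HDR_LEN + DOT1Q_TAG_LEN
            and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q)


def vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC; the frame grows by 4 bytes.

    TCI layout: 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VID.
    """
    if not 1 <= vid <= 4094:        # VID 0 and 4095 are reserved by 802.1Q
        raise ValueError("VID must be in 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad PCP/DEI")
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def vlan_strip(frame: bytes) -> tuple:
    """Remove the outer 802.1Q tag and return (vid, untagged_frame)."""
    if not is_tagged(frame):
        raise ValueError("not an 802.1Q-tagged frame")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def trunk_to_lan(frame: bytes) -> bytes:
    """Trunk side in: drop the tag; native (untagged) frames pass unchanged."""
    return vlan_strip(frame)[1] if is_tagged(frame) else frame


def lan_to_trunk(frame: bytes, vids) -> list:
    """Switch side in: one tagged copy per VLAN (the 'flood to all 4' rule).

    This avoids keeping a MAC-to-VLAN table, at the cost of sending every
    frame once per VLAN.
    """
    if is_tagged(frame):
        raise ValueError("frames from the LAN side are expected untagged")
    return [vlan_tag(frame, v) for v in vids]


if __name__ == "__main__":
    dst = bytes.fromhex("001122334455")          # constructed addresses
    src = bytes.fromhex("66778899aabb")
    f = build_frame(dst, src, ETHERTYPE_IPV4, bytes(MAX_MTU))  # 1500-byte filler
    t = vlan_tag(f, 3, pcp=5)
    print(f"untagged: {len(f)} bytes, {wire_size(f)} with FCS")
    print(f"tagged:   {len(t)} bytes, {wire_size(t)} with FCS")
    print("fan-out VIDs:", [vlan_strip(c)[0] for c in lan_to_trunk(f, range(2, 6))])
```

The software view is 1514/1518 bytes because the kernel never sees the FCS; add it back and you get the 1518/1522 figures from the post. A real bridge port would also have to accept a 1522-byte frame, which is why a Linux VLAN sub-interface can keep MTU 1500 while the parent NIC handles the extra four bytes. Only the outer tag is stripped here; a QinQ (802.1ad) frame would still carry its inner tag.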
snis
Tux's lil' helper

Joined: 03 Mar 2003
Posts: 93
Location: Stockholm, Sweden

PostPosted: Wed Jun 21, 2006 8:41 pm    Post subject:

Quote:
I have an access point that does dynamic 802.1q vlan tagging, where the vlan is taken from a radius server

I guess you are using IEEE 802.1X as authentication to assign users to different VLANs using the same SSID?
or...
Are you using RADIUS MAC authentication and assigning different MAC addresses to different VLANs?
Why? :wink:

Quote:
I do not need to be on separate vlans when I hit the switch, but do need to be coming from the access point. There is a device in the middle that maps services onto vlans.

So that's why?

You know that the normal usage of VLANs is to separate broadcast domains, and that normally a VLAN equals a subnet, for example:
VLAN 10 = 192.168.10.0/24 (192.168.10.0 - 192.168.10.255)
VLAN 20 = 192.168.20.0/24

But I'm guessing that you want to keep the services separated in different VLANs, but want the VLANs to be mapped to the same subnet.
If I'm right you need to do the following:
1. Map the "subscriber" VLANs to one router interface.
2. If you want the subscribers to be able to communicate between the VLANs you will have to have support for "local" proxy ARP on your router, because normally a router with proxy ARP won't send out a packet onto the same VLAN or port that it came from.

How to do this in Linux I have no idea; I know Juniper can do it as well as Extreme Networks (they call it sub-VLANs that are mapped to a super-VLAN).
All times are GMT