[Bridge] Extract untagged traffic from bridge
Gionatan Danti
g.danti at assyoma.it
Thu Mar 18 07:53:58 UTC 2021
Hi list,
I have a question regarding the use of bridges with vlans.
Suppose I have a lanbr which bridges together eth0 and various virtual
interfaces. Putting aside bridge vlan filtering, any interface connected
to the bridge will see both untagged and tagged traffic.
To only see the tagged traffic portion of a specific vlan I can simply
create a bridge vlan interface (eg: lanbr.10) and use that virtual
interface as a member of another bridge. In other words:
eth0 -> lanbr -> lanbr.10 -> vlan10br
Now, I wonder if it is possible to extract *only* the untagged traffic
from the lanbr bridge. Something similar to that:
eth0 -> lanbr -> lanbr.untagged -> untbr
Full disclosure: a virtual machine bridged on lanbr will see both tagged
and untagged traffic. This is fine for, say, a virtual firewall with a
trunk interface. However, I do not want any other VM residing on the
untagged bridge to see tagged traffic. So I need to confine these
machines to see only untagged packets.
One possible approach would be to use ebtables to drop 802.1q tagged
packets on lanbr unless they are for a specific virtual machine
interface (and it seems to work well), but I wonder if the same can be
obtained without calling ebtables into the mix.
Regards.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8
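
The ebtables approach mentioned in the message, as an added example that is not part of the original post: it prints (does not apply) rules that drop 802.1Q-tagged frames forwarded by the bridge unless they leave through a listed trunk port. The chain name TAGGED_OUT and the port vnet0 (standing in for the firewall VM's tap interface) are assumptions.

```shell
#!/bin/sh
# Added example; TAGGED_OUT and vnet0 are hypothetical names.

# Accept only plausible interface names (max 15 chars, no shell or option
# metacharacters) so the generated commands cannot be altered by bad input.
valid_ifname() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print the ebtables commands that confine tagged frames forwarded by
# bridge $1 to the trunk ports given as the remaining arguments.
tagged_filter_rules() {
    bridge=$1
    shift
    valid_ifname "$bridge" || { echo "bad bridge name" >&2; return 1; }
    for port in "$@"; do
        valid_ifname "$port" || { echo "bad port name: $port" >&2; return 1; }
    done

    # Build the user chain first: tagged frames may leave via trunk ports only.
    echo "ebtables -N TAGGED_OUT"
    for port in "$@"; do
        echo "ebtables -A TAGGED_OUT -o $port -j ACCEPT"
    done
    echo "ebtables -A TAGGED_OUT -j DROP"

    # Hook it last, so the chain is complete before any frame reaches it.
    # Untagged frames never match -p 802_1Q and are forwarded as before.
    echo "ebtables -A FORWARD --logical-out $bridge -p 802_1Q -j TAGGED_OUT"
}

# Dry run: the physical uplink and the firewall VM are the trunk ports.
tagged_filter_rules lanbr eth0 vnet0
```

Review the printed commands, then pipe them to `sh` as root to install them. Only frames forwarded between bridge ports pass through FORWARD; frames delivered to the host itself are not affected by these rules.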