The Linux VLAN HOWTO VLAN Mailing list: vlan@candelatech.com Kristjan Kotkas kristjan@data.ee Ben Greear greearb@candelatech.com
NOTE: If you can get ping to work, but telnet/http/ssh/etc hangs, then you most likely have a driver that is broken with regard to 802.1Q vlans. There are various patches for different drivers below. As a last ditch effort, you can set the MTU on your VLAN interface to 1496 as opposed to 1500. If you are unaware of the consequences of such a thing, please consider getting supported hardware and/or ask the writer of your driver for a patch. --Ben
Homepage: http://scry.wanfear.com/~greear/vlan.html Mailing List: VLAN@Scry.WANfear.com
This document is part of the Linux HOWTO project. The copyright notice is the following: Unless otherwise stated, Linux HOWTO documents are copyrighted by their respective authors. Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium physical or electronic, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and encouraged; however, the author would like to be notified of any such distributions. All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator at the address given below. In short, we wish to promote dissemination of this information through as many channels as possible. However, we do wish to retain copyright on the HOWTO documents, and would like to be notified of any plans to redistribute the HOWTOs. If you have questions, please contact Tim Bynum, the Linux HOWTO coordinator, at linux-howto@sunsite.unc.edu via email.
As usual: the author IS NOT responsible for any damage. For the correct wording, see the relevant part of the GNU GPL 0.1.1
Thanks to Ben Greear http://www.candelatech.com/~greear for the VLAN project and also to all the people who have contributed to the project.
What is VLAN is not described in this document. Info on the VLAN protocol can be found at http://standards.ieee.org/getieee802/download/802.1Q-1998.pdf.
NOTE: This is fairly old. I'm leaving it in for historical reasons, but
be aware that VLAN is included in the later 2.4 kernels, so most folks do
NOT have to patch their kernel. --Ben
* Linux kernel 2.2.14
* Vlan 0.0.10 Patched into it
* Cisco Catalyst 2900XL
* 3Com 3C509B NIC using patched driver 3c59x
Currently VLAN is not part of the kernel distribution so you need to patch
it into a supported Linux kernel and re-compile.
You need the kernel source. If you don't have it already, you can get from
ftp.kernel.org or from one of its mirrors. If this scares you, read the
KERNEL-HOWTO.
It is assumed that you have the linux kernel source extracted, and found at:
$HOME/linux If your setup is different, then some of these commands may
need to be slightly different.
Download the VLAN package from the vlan homepage and extract it's contents.
tar -xvzf vlan*.tar.gz
Go to the vlan directory, build the vlan tools by just typing:
make
After this you get a programm named <vconfig>. This program manages all VLAN
specific configurations.
Now patch the kernel.
Go to the linux directory
cd linux
(if you installed the kernel source from some rpm based distribution it is
something like /usr/src/linux)
patch the kernel by typing:
patch -p 1 < $HOME/vlan/vlan.patch (patch is in the vlan directory)
Time to compile your kernel. Use the make menuconfig command in your
linux directory to select your kernel options. The option related to
802.1Q VLANs is found under the Networking options.
Additional help for kernel compilation can be found in KERNEL-HOWTO
Assuming your kernel compiled cleanly, you are now ready to use it.
Install your kernel in the normal manner (fix up your /etc/lilo.conf file
appropriately and run lilo as root.)
Reboot your computer and choose your new kernel.
As your computer comes back to life, there will be little sign that you are
now 802.1Q capable.
You should see something like this:
802.1Q VLAN Support v0.10 Ben Greear <greearb@candelatech.com>
vlan Initialization complete.
Your system is now vlan ready, lets configure some vlans:
I'm assuming that your VLAN capable network card is eth0.
First, set the eth0 state to down:
ifconfig eth0 down
Ben's Note: Regarding the next section, you can run plain ethernet
and VLAN over the same NIC, but you may not want to..Whatever your previous netconf was, you should move everything to vlans. This means, that you don't set ip address to the real interface, but set it to vlan interface. To set your eth0 with no ip: ifconfig eth0 0.0.0.0 up !note! YOU MUST SET THE ETH0 TO UP, or it wont work. (ifconfig eth0 up) Add some vlans; goto your vlan directory where you previously compiled vconfig and type: vconfig add eth0 2 ! Little note about VLAN 1. In Cisco systems it is the default VLAN so you MUST start using vlans from 2. This will create device vlan0002 to your system. Linux will think, that it is just another network device, so you can configure it like any other. Also you should see the interface by typing ifconfig -a Lets make some conf on the vlan then: ifconfig -i vlan0002 10.0.231.1 broadcast 10.0.231.0 netmask 255.255.255.0 up This ends the configuration at the linux side.
From: Craig Metz: cmetz@inner.net Extreme configuration example: create vlan v42 config vlan v42 tag 42 config vlan v42 add port 10 tagged ... will create a vlan named v42, whose 802.1Q tag is 42, and connect port 10 (tag 42) to that vlan.
Cisco Conf configure the port you want to use as the trunk: telnet switch or use the console port ena (will prompt for password, so have it ready) conf t interface FastEthernet0/24 (it doesnt have to be 0/24) duplex full speed 100 switchport trunk encapsulation dot1q switchport trunk allowed vlan 2 switchport mode trunk This conf will do the following: Set the port to full duplex mode; force the port to 100Mb mode; set the port vlan encapsulation to support 802.1Q; tell the switch that the port is allowed to run vlans through (even if you set just VLAN 2, cisco will automatically add VLAN 1 and VLAN 1002-1005) to the port and set the port to trunk mode aswell. Trunk mode tells the switch that a number of VLANS can go through it. Last line is usually the mother of all screw-ups. If you forget that, you won't get your VLAN working. Simple as that. Now configure some other port to be used as the destination for the vlan: conf t interface FastEthernet0/1 duplex half speed 10 switchport access vlan 2 end Here we tell the switch to force the port 1 to half duplex 10Mb mode (normal 10 Mb NIC) and only traffic from interface VLAN 2 can go through this port. also you can use a number of ports with VLAN 2, like a HUB ;) You should now connect some other device to port 1. Let it have an ip of eg. 10.0.231.2 mask 255.255.255.0 Ping linux from it ping 10.0.231.1 If it replies scream: "YESS!!" This means, that VLAN is working. Hard truth: It's not over, till its over. if this works, then you are out of the woods, if not, well I hear that tcpdump is a good tool ;-) and tcpdump that came with the vlan package even better tool. (if you want to dump, use the one that came with vlan package)NOTE: Ethereal also supports VLANs, and is much more beautiful than tcpdump, if you have GUI capabilities.
If you can ping the linux and from linux the host, you should try the following at linux side: ping -s 1476 10.0.231.2 If there is no reply, there is something foggy with the NIC. and you should start debugging. If ping -s 100 10.0.231.2 works, then it is most likely an MTU problem with your NIC/Driver.
Here is a patch sent in by Ben McKeegan:
Dear VLAN list members,
Courtesy of my new employer, I've finally got around to updating my tulip
vlan patch for use with linux 2.4.x. I've also taken the opportunity to
do a rewrite and fix various (non-critical) flaws in my previous patch
(which was against 2.2.x). The patch allows the driver to receive vlan
frames with maximum MTU.
Hopefully this rewrite will help satisfy some of the concerns of the 2.4
kernel driver maintainers and thus aid inclusion of the patch in the
main driver.
The old patch would erroneously allow incoming frames sized between 1519
and 1536 bytes excluding the CRC. The new patch should correctly limit
this to 1518, the maximum size for VLANs. The old patch also needlessly
increased various constants.
I believe there was some suggestion that the old patch disabled all length
error checking and opened the system to DoS attacks from massively
oversized packets. This is was never really the case, although the above
mentioned bug did exist. The patch only disabled checking of the 'Frame
Too Long' flag which indicates the frame exceeds 1518 bytes (including the
CRC). The NIC does not take any special action when this flag is set and
it does not stop the buffers getting filled up - the protection against
DoS comes from the receive timer which has a separate error flag that gets
set when length exceeds 2048 bytes. The 'Frame Too Long' flag is
basically just a summary of the length bits that are passed as part of the
same descriptor as the flag. The patch just explicitly checks the length
instead of relying on the flag.
The unpatched driver uses 'magic number' constants to check the receive
status code. Having worked out what these meant from the documentation,
in the old patch I replaced them with a similar magic number. The new
patch replaces them with a series of verbose enumerations. Any worthwhile
compiler should optimize these down to a single constant, but these make
the code much easier to read. (In fact, its a lot easier to tell what the
patched driver does than what the unpatched driver does.
I have tested the new patch on our own systems (using chipset 21143 rev
65), and it works ok, but I would appreciate feedback from other people.
With a lot of testing and a bit of luck and persuasion this patch might
make it into the kernel.
Ben, I would be grateful if you could update the section of your how-to
containing my old patch, and add a note about the problems with the old
patch alongside it. (Perhaps someone else may wish to backport the new
patch to 2.2)
Regards,
Ben McKeegan.
diff -ur linux-2.4.19/drivers/net/tulip/interrupt.c linux-2.4.19-tulip-vlan/drivers/net/tulip/interrupt.c
--- linux-2.4.19/drivers/net/tulip/interrupt.c Fri Nov 9 21:45:35 2001
+++ linux-2.4.19-tulip-vlan/drivers/net/tulip/interrupt.c Mon Sep 16 13:17:40 2002
@@ -122,14 +122,36 @@
/* If we own the next entry, it is a new packet. Send it up. */
while ( ! (tp->rx_ring[entry].status & cpu_to_le32(DescOwned))) {
s32 status = le32_to_cpu(tp->rx_ring[entry].status);
+ short pkt_len;
if (tulip_debug > 5)
printk(KERN_DEBUG "%s: In tulip_rx(), entry %d %8.8x.\n",
dev->name, entry, status);
if (--rx_work_limit < 0)
- break;
- if ((status & 0x38008300) != 0x0300) {
- if ((status & 0x38000300) != 0x0300) {
+ break;
+
+ /*
+ Omit the four octet CRC from the length.
+ (May not be considered valid until we have
+ checked status for RxLengthOver2047 bits)
+ */
+ pkt_len = ((status >> 16) & 0x7ff) - 4;
+
+ /*
+ Maximum pkt_len is 1518 (1514 + vlan header)
+ Anything higher than this is always invalid
+ regardless of RxLengthOver2047 bits
+ */
+
+ if ((status & (RxLengthOver2047 |
+ RxDescCRCError |
+ RxDescCollisionSeen |
+ RxDescRunt |
+ RxDescDescErr |
+ RxWholePkt)) != RxWholePkt
+ || pkt_len > 1518 ) {
+ if ((status & (RxLengthOver2047 |
+ RxWholePkt)) != RxWholePkt) {
/* Ingore earlier buffers. */
if ((status & 0xffff) != 0x7fff) {
if (tulip_debug > 1)
@@ -138,31 +160,21 @@
dev->name, status);
tp->stats.rx_length_errors++;
}
- } else if (status & RxDescFatalErr) {
+ } else {
/* There was a fatal error. */
if (tulip_debug > 2)
printk(KERN_DEBUG "%s: Receive error, Rx status %8.8x.\n",
dev->name, status);
tp->stats.rx_errors++; /* end of a packet.*/
- if (status & 0x0890) tp->stats.rx_length_errors++;
+ if (pkt_len > 1518 ||
+ status & RxDescRunt) tp->stats.rx_length_errors++;
if (status & 0x0004) tp->stats.rx_frame_errors++;
if (status & 0x0002) tp->stats.rx_crc_errors++;
if (status & 0x0001) tp->stats.rx_fifo_errors++;
}
} else {
- /* Omit the four octet CRC from the length. */
- short pkt_len = ((status >> 16) & 0x7ff) - 4;
struct sk_buff *skb;
-#ifndef final_version
- if (pkt_len > 1518) {
- printk(KERN_WARNING "%s: Bogus packet size of %d (%#x).\n",
- dev->name, pkt_len, pkt_len);
- pkt_len = 1518;
- tp->stats.rx_length_errors++;
- }
-#endif
-
#ifdef CONFIG_NET_HW_FLOWCONTROL
drop = atomic_read(&netdev_dropping);
if (drop)
diff -ur linux-2.4.19/drivers/net/tulip/tulip.h linux-2.4.19-tulip-vlan/drivers/net/tulip/tulip.h
--- linux-2.4.19/drivers/net/tulip/tulip.h Fri Nov 9 21:45:35 2001
+++ linux-2.4.19-tulip-vlan/drivers/net/tulip/tulip.h Mon Sep 16 11:55:33 2002
@@ -186,11 +186,44 @@
enum desc_status_bits {
DescOwned = 0x80000000,
- RxDescFatalErr = 0x8000,
+
+ /*
+ Error summary flag is logical or of 'CRC Error',
+ 'Collision Seen', 'Frame Too Long', 'Runt' and
+ 'Descriptor Error' flags generated within tulip chip.
+ */
+ RxDescErrorSummary = 0x8000,
+
+ RxDescCRCError = 0x0002,
+ RxDescCollisionSeen = 0x0040,
+
+ /*
+ 'Frame Too Long' flag is set if packet length including CRC
+ exceeds 1518. However, a full sized VLAN tagged frame is
+ 1522 bytes including CRC.
+
+ The tulip chip does not block oversized frames, and if this
+ flag is set on a receive descriptor it does not indicate
+ the frame has been truncated. The receive descriptor also
+ includes the actual length. Therefore we can safety ignore
+ this flag and check the length ourselves.
+ */
+ RxDescFrameTooLong = 0x0080,
+ RxDescRunt = 0x0800,
+ RxDescDescErr = 0x4000,
RxWholePkt = 0x0300,
+
+ /*
+ Top three bits of 14 bit frame length (status bits 27-29)
+ should never be set as that would make frame over 2047 bytes.
+ The Receive Watchdog flag (bit 4) may indicate the length is
+ over 2048 and the length field is invalid.
+ */
+ RxLengthOver2047 = 0x38000010
};
+
enum t21041_csr13_bits {
csr13_eng = (0xEF0<<4), /* for eng. purposes only, hardcode at EF0h */
csr13_aui = (1<<3), /* clear to force 10bT, set to force AUI/BNC */
NOTE: Intel's e100 driver works out-of-the-box. --Ben
Here is a patch sent in by gleb@nbase.co.il
filename="linux-2.2.14-eepro100-vlan.patch"
--- linux/drivers/net/eepro100.c Tue Oct 26 20:53:40 1999
+++ linux1/drivers/net/eepro100.c Sun May 14 07:47:34 2000
@@ -377,12 +377,12 @@
const char i82557_config_cmd[22] = {
22, 0x08, 0, 0, 0, 0x80, 0x32, 0x03, 1, /* 1=Use MII 0=Use AUI */
0, 0x2E, 0, 0x60, 0,
- 0xf2, 0x48, 0, 0x40, 0xf2, 0x80, /* 0x40=Force full-duplex */
+ 0xf2, 0x48, 0, 0x40, 0xfa, 0x80, /* 0x40=Force full-duplex */
0x3f, 0x05, };
const char i82558_config_cmd[22] = {
22, 0x08, 0, 1, 0, 0x80, 0x22, 0x03, 1, /* 1=Use MII 0=Use AUI */
0, 0x2E, 0, 0x60, 0x08, 0x88,
- 0x68, 0, 0x40, 0xf2, 0xBD, /* 0xBD->0xFD=Force full-duplex */
+ 0x68, 0, 0x40, 0xfa, 0xBD, /* 0xBD->0xFD=Force full-duplex */
0x31, 0x05, };
/* PHY media interface chips. */