Re: nested vlans: safe to use?

2010-05-13 Thread Christian Weisgerber
Stuart Henderson s...@spacehopper.org wrote:

 There's also a diff at
 http://www.mail-archive.com/misc@openbsd.org/msg65694.html
 that switches ethertype so you can interoperate with other vendors' QinQ (it
 will need updating for -current).

I think I'll pick that one up and see about getting it into the tree.

-- 
Christian naddy Weisgerber  na...@mips.inka.de



Re: nested vlans: safe to use?

2010-05-12 Thread Pete Vickers
something like this:

http://www.openbsd.org/papers/asiabsdcon2010_vether/index.html

especially page 6/7...


/Pete



On 11. mai 2010, at 13.45, Toni Mueller wrote:

 Hi,
 
 I've been trying to figure out whether I can use OpenBSD in a nested
 vlan scenario. I'm looking at a data centre where I want to get two
 wires, each carrying several vlans, and funneling them home across a
 WAN link. Various switch vendors claim to be able to do it, but I
 couldn't really figure out what the current state of affairs wrt.
 OpenBSD is. On the other side of the wires or fibres, I'll be talking
 to Junipers, Ciscos (6509), and/or Foundry switches and/or routers on
 the other side(s).
 
 The desired setup looks like this:
 
  data centre LAN --- switch --- WAN --- home (OpenBSD)
 
 I want to run at least three vlans across the WAN link, and need to
 keep the vlans strictly separated. I also need to do traffic shaping on
 a per-vlan basis. :/
 
 
 TIA!
 
 
 
 Kind regards,
 --Toni++



Re: nested vlans: safe to use?

2010-05-12 Thread Toni Mueller
Hi,

On Wed, 12.05.2010 at 01:09:55 +, Stuart Henderson s...@spacehopper.org 
wrote:
 First talk to your wan provider, they might either be able to allocate
 you a couple of vlans that they'll carry for you, or do QinQ (i.e. you
 feed the provider plain vlans, and they appear directly at the other
 side).

I would very much prefer to abstain from reshuffling vlans in the
remote data centre. If possible, I'll try to arrange for
non-overlapping vlan ids, which would solve the immediate problem, but
could allow for unauthorized use of vlans (eg. what if someone
reconfigures their vlan stuff, and suddenly their packets enter the
wrong vlan?). I need to prevent this scenario. Using QinQ directly
would be much better.

The carrier said that they will transport all packets up to 64k per
frame fully transparently, w/o any alteration. I need to re-hash the
frametype issue, though.

 In-tree, there is the option of 'ifconfig vlanXXX vlandev vlanYYY' which
 might get you somewhere. This uses the same ethertype on inner and
 outer vlans and doesn't interoperate with other vendors' vlan stacking,
 but you might be able to do something with it (or maybe you'll just
 confuse your provider's switches).

So I can't change the frame types on a per-vlan basis, eg. to match
their respective switches' expectations... hmmm.

 There's also a diff at 
 http://www.mail-archive.com/misc@openbsd.org/msg65694.html
 that switches ethertype so you can interoperate with other vendors' QinQ (it
 will need updating for -current).

Thanks for pointing this out! I'll have a close look.

 But usually you just feed plain vlans to the wan provider and they handle
 translation or stacking..

?!?

 I also need to do traffic shaping on
  a per-vlan basis.
 
 This does seem to work but I'm under the impression that queueing
 should be done on the physical interface (vlandev).

I don't know how useful this really is. I need to limit and/or reserve
bandwidth of individual vlans on the (one) wan pipe.



Kind regards,
--Toni++



Re: nested vlans: safe to use?

2010-05-12 Thread Toni Mueller
Hi,

On Wed, 12.05.2010 at 14:23:18 +0200, Pete Vickers p...@systemnet.no wrote:
 http://www.openbsd.org/papers/asiabsdcon2010_vether/index.html
 
 especially page 6/7...

thanks, but... I may have mis-stated the problem.

I have no bandwidth or fragmentation problem, but rather a
configuration problem in a Metro-LAN-like setting.

Oh... and I forgot to add CARP into the mix - I want to automatically
fail over the whole stack of vlans to a second router of mine when one
interface fails.


Kind regards,
--Toni++



Re: nested vlans: safe to use?

2010-05-12 Thread Stuart Henderson
On 2010/05/12 20:35, Toni Mueller wrote:
 The carrier said that they will transport all packets up to 64k per
 frame fully transparently, w/o any alteration. I need to re-hash the
 frametype issue, though.

Sounds like there's nothing to do and it should just work then...

  But usually you just feed plain vlans to the wan provider and they handle
  translation or stacking..
 
 ?!?

If they're doing nested vlans (tag stacking), usually you feed them
frames, they add their own tag to get the frames across their network,
and decapsulate when they handover to you.



Re: nested vlans: safe to use?

2010-05-12 Thread Toni Mueller
On Wed, 12.05.2010 at 19:48:47 +0100, Stuart Henderson s...@spacehopper.org 
wrote:
   But usually you just feed plain vlans to the wan provider and they handle
   translation or stacking..
  
  ?!?
 
 If they're doing nested vlans (tag stacking), usually you feed them
 frames, they add their own tag to get the frames across their network,
 and decapsulate when they handover to you.

Erm, this sounds backwards to me. I am the guy who needs to stack some
- possibly already stacked - vlans at the remote end, in the data
centre, and then feed this into the pipe (easy), and decapsulate
multiple times at home, and encapsulate everything at home before
sending it out through the wan pipe again, to be decapsulated in the
data centre and distributed to various other people there.


-- 
Kind regards,
--Toni++



Re: nested vlans: safe to use?

2010-05-12 Thread Christian Weisgerber
Stuart Henderson s...@spacehopper.org wrote:

 In-tree, there is the option of 'ifconfig vlanXXX vlandev vlanYYY' which
 might get you somewhere.

If I remember correctly, at the time I added support for hardware
vlan tagging, this kind of stacking did not work--and I don't think
this has changed.

-- 
Christian naddy Weisgerber  na...@mips.inka.de



nested vlans: safe to use?

2010-05-11 Thread Toni Mueller
Hi,

I've been trying to figure out whether I can use OpenBSD in a nested
vlan scenario. I'm looking at a data centre where I want to get two
wires, each carrying several vlans, and funneling them home across a
WAN link. Various switch vendors claim to be able to do it, but I
couldn't really figure out what the current state of affairs wrt.
OpenBSD is. On the other side of the wires or fibres, I'll be talking
to Junipers, Ciscos (6509), and/or Foundry switches and/or routers on
the other side(s).

The desired setup looks like this:

  data centre LAN --- switch --- WAN --- home (OpenBSD)

I want to run at least three vlans across the WAN link, and need to
keep the vlans strictly separated. I also need to do traffic shaping on
a per-vlan basis. :/


TIA!



Kind regards,
--Toni++



Re: nested vlans: safe to use?

2010-05-11 Thread Michal
On 11/05/2010 12:45, Toni Mueller wrote:
 Hi,
 
 I've been trying to figure out whether I can use OpenBSD in a nested
 vlan scenario. I'm looking at a data centre where I want to get two
 wires, each carrying several vlans, and funneling them home across a
 WAN link. Various switch vendors claim to be able to do it, but I
 couldn't really figure out what the current state of affairs wrt.
 OpenBSD is. On the other side of the wires or fibres, I'll be talking
 to Junipers, Ciscos (6509), and/or Foundry switches and/or routers on
 the other side(s).
 
 The desired setup looks like this:
 
   data centre LAN --- switch --- WAN --- home (OpenBSD)
 
 I want to run at least three vlans across the WAN link, and need to
 keep the vlans strictly separated. I also need to do traffic shaping on
 a per-vlan basis. :/

First of all, how will you connect from home to the data center? Normal
household broadband? Can't do VLANs over that. If you have leased lines
for example, say from an office to datacenter, then you can do it but
only if they are VLAN clear. I had some links once from Office to
different sites from a company called Adapt, but they were not VLAN
clear and it was a problem which we had to work around, and it wasn't that
bad but once we installed VLAN clear lines it was much better.



Re: nested vlans: safe to use?

2010-05-11 Thread Steve Shockley

On 5/11/2010 8:22 AM, Michal wrote:

First of all, how will you connect from home to the data center? Normal
household broadband? Can't do VLANs over that.


Wouldn't a VPN bridge solve that problem?

http://openvpn.net/bridge.html



Re: nested vlans: safe to use?

2010-05-11 Thread Stuart Henderson
On 2010-05-11, Toni Mueller openbsd-m...@oeko.net wrote:
 Hi,

 I've been trying to figure out whether I can use OpenBSD in a nested
 vlan scenario. I'm looking at a data centre where I want to get two
 wires, each carrying several vlans, and funneling them home across a
 WAN link. Various switch vendors claim to be able to do it, but I
 couldn't really figure out what the current state of affairs wrt.
 OpenBSD is. On the other side of the wires or fibres, I'll be talking
 to Junipers, Ciscos (6509), and/or Foundry switches and/or routers on
 the other side(s).

 The desired setup looks like this:

   data centre LAN --- switch --- WAN --- home (OpenBSD)

 I want to run at least three vlans across the WAN link, and need to
 keep the vlans strictly separated.

First talk to your wan provider, they might either be able to allocate
you a couple of vlans that they'll carry for you, or do QinQ (i.e. you
feed the provider plain vlans, and they appear directly at the other
side).

But then again they might be like one I've used which *strips* tags!

In-tree, there is the option of 'ifconfig vlanXXX vlandev vlanYYY' which
might get you somewhere. This uses the same ethertype on inner and
outer vlans and doesn't interoperate with other vendors' vlan stacking,
but you might be able to do something with it (or maybe you'll just
confuse your provider's switches).

There's also a diff at 
http://www.mail-archive.com/misc@openbsd.org/msg65694.html
that switches ethertype so you can interoperate with other vendors' QinQ (it
will need updating for -current).

But usually you just feed plain vlans to the wan provider and they handle
translation or stacking..

I also need to do traffic shaping on
 a per-vlan basis.

This does seem to work but I'm under the impression that queueing
should be done on the physical interface (vlandev).
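As an added illustration of the tag stacking discussed in this thread (Stuart's point that the in-tree vlan-on-vlan uses the same ethertype on both layers while vendor QinQ uses a different outer ethertype, and his later description of the provider pushing its own tag and popping it at handover), here is a small Python model. It is example code written for this page, not code from the thread, from OpenBSD's vlan(4), or from the linked diff. It builds Ethernet frames with a stack of tags, parses the stack, distinguishes 0x8100-on-both-layers stacking from 802.1ad QinQ (0x88a8 outer tag), and strips the outer tag only when it carries the expected VID, so a frame that turns up on the wrong VLAN is dropped instead of being decapsulated into another customer's stack. The MAC addresses, VIDs and the classification names are constructed for the example.

```python
import struct

# 802.1Q customer tag; the in-tree vlan-on-vlan stacking used this on both layers.
ETHERTYPE_VLAN = 0x8100
# 802.1ad service tag; vendor QinQ carries this on the outer tag.
ETHERTYPE_QINQ = 0x88A8
ETHERTYPE_IPV4 = 0x0800
MAC_LEN = 12  # destination + source MAC


def build_frame(dst, src, tags, inner_ethertype=ETHERTYPE_IPV4, payload=b""):
    """Assemble an Ethernet frame; tags is a list of (tpid, vid), outermost first."""
    frame = dst + src
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP/DEI zero, 12-bit VID
    return frame + struct.pack("!H", inner_ethertype) + payload


def parse_tags(frame):
    """Walk the tag stack; return (tags outermost first, inner ethertype, payload offset)."""
    tags = []
    off = MAC_LEN
    while off + 2 <= len(frame):
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
            return tags, etype, off + 2
        if off + 4 > len(frame):
            break  # truncated tag: stop rather than read past the end
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))
        off += 4
    return tags, None, off


def push_tag(frame, tpid, vid):
    """Provider-edge behaviour: insert a new outer tag in front of whatever tags exist."""
    return frame[:MAC_LEN] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[MAC_LEN:]


def pop_tag(frame, expected_vid=None):
    """Strip the outer tag at handover. With expected_vid set, a frame whose outer VID
    differs is rejected (None) instead of being decapsulated into the wrong stack."""
    tags, _, _ = parse_tags(frame)
    if not tags:
        return None
    if expected_vid is not None and tags[0][1] != expected_vid:
        return None
    return frame[:MAC_LEN] + frame[MAC_LEN + 4:]


def stacking_kind(frame):
    """Classify how a frame's tags are stacked (the labels are this example's own)."""
    tpids = [tpid for tpid, _ in parse_tags(frame)[0]]
    if not tpids:
        return "untagged"
    if len(tpids) == 1:
        return "single"
    if tpids[0] == ETHERTYPE_QINQ and all(t == ETHERTYPE_VLAN for t in tpids[1:]):
        return "qinq-802.1ad"
    if all(t == ETHERTYPE_VLAN for t in tpids):
        return "stacked-8100-only"
    return "mixed"


# Constructed sample: a customer frame on VLAN 10, later wrapped by the provider in S-VLAN 500.
DST = bytes.fromhex("010203040506")
SRC = bytes.fromhex("0a0b0c0d0e0f")
CUSTOMER = build_frame(DST, SRC, [(ETHERTYPE_VLAN, 10)], payload=b"\x45")


def provider_roundtrip(frame, svid, tpid=ETHERTYPE_QINQ):
    """Model the transport described above: push an outer tag, pop it again at the far end."""
    carried = push_tag(frame, tpid, svid)
    handed_over = pop_tag(carried, expected_vid=svid)
    return carried, handed_over


if __name__ == "__main__":
    carried, back = provider_roundtrip(CUSTOMER, 500)
    print("customer :", stacking_kind(CUSTOMER), parse_tags(CUSTOMER)[0])
    print("carried  :", stacking_kind(carried), parse_tags(carried)[0])
    print("handover :", "restored" if back == CUSTOMER else "changed")
    same_tpid, _ = provider_roundtrip(CUSTOMER, 500, tpid=ETHERTYPE_VLAN)
    print("8100 both:", stacking_kind(same_tpid))
    print("wrong vid:", pop_tag(carried, expected_vid=501))
```

The `expected_vid` check in `pop_tag` is the part that addresses the separation concern raised earlier in the thread: a receiving router that only pops the outer tag it was told to expect cannot be talked into merging a neighbour's VLAN into its own stack just because someone on the far side reconfigured their tagging.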