
If, across the same building, I have two physically separate networks to connect devices together via simple switches, my understanding is that I could save myself some hardware complexity if I were to instead use smart switches, connect them to each other via trunk ports, and have them assign their different ports which connect to the devices to one of two VLANs depending on which "physical" network the device should belong to.

In the scenario of the two independent physical networks, if I wanted to combine them into one physical network, all I would need to do on the hardware side is to connect a switch between the two. If I understand correctly, I could equivalently plug a Linux router between the two and bridge the two ports that the two networks are connected to.

To do the same thing in the scenario of the VLANs, I could connect a router to the switch via a trunk port, create the virtual interfaces eth0.10 and eth0.20 (for example) and bridge those two together. Would this work as expected?

The reason I am asking is that I was just thinking about how traffic would be forwarded by the switches. In the case of a physical network, each switch builds an ARP table that tells it which MAC addresses can be reached by which port. And if one port is connected to another switch, that port should eventually get sent all traffic for all MAC addresses that are connected to that other switch.

Let's say I have the following physical network layout:

 ____________     ___________     __________     ___________     ____________
|            |   |           |   |          |   |           |   |            |
| Device 1   |___| Network 1 |___| "Bridge" |___| Network 2 |___| Device 2   |
| MAC ...:01 |   | Switch    |   | Switch   |   | Switch    |   | MAC ...:02 |
|____________|   |___________|   |__________|   |___________|   |____________|

Now, if Device 1 wants to send a packet to Device 2, Switch 1 knows that MAC ...:02 is connected somewhere to its right port, so it passes the packet to the bridge-switch, etc.

If I were to change the network to the following layout instead:

 ____________               ________               ____________
|            |             |        |             |            |
| Device 1   |_____________| Smart  |_____________| Device 2   |
| MAC ...:01 |  VLAN ID 1  | Switch |  VLAN ID 2  | MAC ...:02 |
|____________|             |________|             |____________|
                               ||
                               || Trunk
                           ____||____
                          |          |
                          | "Bridge" |
                          | Router   |
                          |__________|

Then, if Device 1 wanted to send a packet to Device 2, the smart switch should not just send the packet out of its right port, simply because that's where the destination MAC address matches. Instead it needs to forward the packet out the bottom port to the bridge-router, which should then send it back out of its top port, but tagged for VLAN 2 now, rather than VLAN 1.

This would imply that both the smart switch and the bridge-router would need to maintain two (or more) independent ARP tables, one for each VLAN, and, in the case of the smart switch, MAC ...:02 should be linked to the right port iff the traffic belongs to VLAN 2 and it should be linked to the bottom port iff the traffic belongs to VLAN 1.

Is that what's happening? Or can this setup not work as the smart switches would get confused?

Also, is my understanding as described above correct at all? :)

Markus A.
  • possible duplicate of [How do VLANs work?](http://serverfault.com/questions/188350/how-do-vlans-work) – Evan Anderson Jan 18 '14 at 04:02
  • @EvanAnderson I love the selected answer to that question. Great summary. I believe it matches my understanding pretty well. I was trying to have my question go a bit further into one of the specifics, though: Do smart switches and routers maintain independent ARP tables for each VLAN, in which the same MAC address can appear associated with different ports? I would say, that should be the way it has to work, but it also seems like a bit of a fringe case to even come across, so it might not actually be implemented this way. – Markus A. Jan 18 '14 at 04:59
  • @MarkusA. the implementation question (`Do switches maintain independent ARP tables for each vLAN?`) might be a good question for the [Network Engineering Stack Exchange site](http://networkengineering.stackexchange.com/about) - particularly if you're asking about a specific company's switches (Cisco vs HP vs Netgear...) – voretaq7 Jan 23 '14 at 06:02

1 Answer


The term "smart switch" that you're using isn't a standard term. I think you mean "switch that supports VLANs" when you say "smart switch".

Switches maintain layer 2 adjacency tables. These tables identify physical port and MAC address associations and allow the switch to direct traffic only to the intended destination. These aren't actually "ARP tables" -- they have nothing to do with mapping layer 3 addresses to layer 2 addresses. These are actually tables that map layer 2 addresses to what, arguably, are layer 1 addresses.

In a switch that supports VLANs the adjacency table will also take into account port VLAN memberships to prevent direct layer 2 communication between adjacent devices that aren't connected to ports that are members of the same VLAN, and to limit flooding of frames (non-unicast frames and frames destined for unknown destinations) to a single VLAN.

Routers don't maintain layer 2 adjacency tables, but they do maintain ARP tables. A router will typically maintain at least one ARP table for each logical interface, mapping layer 3 addresses to layer 2 addresses for that interface's media. A router doesn't specifically "care" about VLANs, per se. A VLAN will be presented to a router as a logical sub-interface of a physical interface (eth0.1 on a Linux machine, for example, representing VLAN 1 on the eth0 interface), and an ARP table will be maintained if that logical sub-interface has an IP address assigned.

Evan Anderson
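The following is an added illustration, not code from the question or the answer: a small Python model of the forwarding table of a VLAN-capable switch, keyed on (VLAN, MAC) rather than on MAC alone, plus a model of the question's "bridge router" hanging off a trunk port with eth0.1 and eth0.2 bridged together. Port names (`p1`, `p2`, `trunk`), the two sample MAC addresses and the Linux-bridge behaviour are constructed assumptions for the example. Running the two-device exchange through it shows exactly the situation the question describes (MAC ...:02 learned on the right port for VLAN 2 and on the trunk port for VLAN 1), shows that flooding stays inside one VLAN, and shows that once the bridge is in place the table ends up carrying the same reachability as a single VLAN would, which is the point of the answer's comment that bridging defeats the separation.

```python
MAC1 = "00:00:00:00:00:01"          # Device 1 (constructed sample address)
MAC2 = "00:00:00:00:00:02"          # Device 2 (constructed sample address)
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Model of a VLAN-aware switch's layer 2 adjacency (MAC) table.

    The table is keyed on (vlan, mac), so one MAC address may legitimately be
    learned on different ports in different VLANs. Access ports carry exactly
    one untagged VLAN; trunk ports carry tagged frames for every VLAN.
    """

    def __init__(self, access_ports, trunk_ports):
        self.access = dict(access_ports)      # port -> VLAN id
        self.trunks = set(trunk_ports)
        self.table = {}                       # (vlan, mac) -> port

    def ports_in_vlan(self, vlan):
        return [p for p, v in self.access.items() if v == vlan] + sorted(self.trunks)

    def receive(self, in_port, src, dst, vlan=None):
        """Handle one ingress frame; return (vlan, list of egress ports)."""
        if in_port in self.access:
            vlan = self.access[in_port]       # access port implies the VLAN
        elif vlan is None:
            raise ValueError("frames on a trunk port must carry a VLAN tag")
        self.table[(vlan, src)] = in_port     # learn source within this VLAN
        out = self.table.get((vlan, dst))
        if out is None or dst == BROADCAST:
            # Unknown unicast / broadcast: flood, but only inside this VLAN.
            return vlan, [p for p in self.ports_in_vlan(vlan) if p != in_port]
        return vlan, ([] if out == in_port else [out])


class LinuxBridge:
    """The question's 'bridge router': eth0.<vlan> sub-interfaces of one trunk
    port joined by a Linux bridge. The bridge keeps its own MAC table (FDB)
    keyed on MAC only; a frame entering on eth0.1 leaves on eth0.2 and vice
    versa, i.e. it re-enters the trunk with the other VLAN tag."""

    def __init__(self, vlans):
        self.members = {f"eth0.{v}": v for v in vlans}
        self.fdb = {}                         # mac -> member interface

    def receive(self, vlan, src, dst):
        """Return the VLAN tags the frame is re-sent with onto the trunk."""
        in_if = f"eth0.{vlan}"
        self.fdb[src] = in_if
        out = self.fdb.get(dst)
        if out is None or dst == BROADCAST:
            return [v for i, v in self.members.items() if i != in_if]
        return [] if out == in_if else [self.members[out]]


def run_bridged_scenario():
    """Device 1 (VLAN 1) talks to Device 2 (VLAN 2) via the bridge router.

    Returns the switch table and a trace of (ingress port, vlan, egress ports).
    """
    sw = VlanSwitch({"p1": 1, "p2": 2}, ["trunk"])
    br = LinuxBridge([1, 2])
    trace = []

    def send(in_port, src, dst, vlan=None):
        vlan, egress = sw.receive(in_port, src, dst, vlan)
        trace.append((in_port, vlan, egress))
        for port in egress:
            if port in sw.trunks:             # hairpin through the bridge router
                for new_vlan in br.receive(vlan, src, dst):
                    send(port, src, dst, new_vlan)

    send("p1", MAC1, MAC2)                    # Device 1 -> Device 2
    send("p2", MAC2, MAC1)                    # reply
    return sw.table, trace


def run_single_vlan_scenario():
    """Same two devices, both access ports in VLAN 1, no bridge needed."""
    sw = VlanSwitch({"p1": 1, "p2": 1}, ["trunk"])
    sw.receive("p1", MAC1, MAC2)              # flooded in VLAN 1 (unknown dst)
    sw.receive("p2", MAC2, MAC1)              # known dst, forwarded to p1 only
    return sw.table


def flood_scope():
    """A broadcast from the VLAN 1 access port never reaches the VLAN 2 port."""
    sw = VlanSwitch({"p1": 1, "p2": 2}, ["trunk"])
    return sw.receive("p1", MAC1, BROADCAST)


if __name__ == "__main__":
    table, trace = run_bridged_scenario()
    for step in trace:
        print(step)
    print(table)                              # MAC2 -> p2 in VLAN 2, trunk in VLAN 1
    print(run_single_vlan_scenario())
    print(flood_scope())
```

The trace shows the first frame leaving the switch on the trunk tagged VLAN 1, coming back from the bridge tagged VLAN 2, and only then being flooded to `p2`; after the reply, the switch holds four entries, two per VLAN, with each device reachable through the trunk in the VLAN it is not a member of. Compare that with the two-entry table from the single-VLAN run: the bridged setup reproduces the same end-to-end reachability while adding a hairpin over the trunk, and any separation that remains would have to come from filtering on the bridge itself rather than from the VLANs.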
  • Sorry for getting the terminology wrong. You interpreted correctly what I meant to say. :) So, in summary, if the switches are tagging the trunk-traffic correctly and I'm just looking at only configuring the "router on a stick", then the two VLAN interfaces eth0.1 and eth0.2 behave exactly the same way as if they were two distinct physical interfaces eth1 and eth2. I can bridge them, and do everything else I could if they were distinct physical interfaces, and the switches will take care of the rest? – Markus A. Jan 18 '14 at 05:18
  • Your router is, very likely, _not_ going to allow you to bridge logical sub-interfaces. That defeats the purposes of logical sub-interfaces. Selectively bridging traffic at layer 2 is something that is possible, but a highly non-standard thing. – Evan Anderson Jan 18 '14 at 05:23
  • Reason I'm asking is, I am trying to achieve what you mentioned in your answer to the other question: "not to use a separate subnet for every VLAN". To do that, can I just set up a bridge between eth0.1 and eth0.2 in the router and all is well, just as if I was to plug a physical switch between the two physically distinct networks? Or is there anything else I need to keep in mind (other than the performance hit from the shared trunk connection)? There's no way to get the same result by playing with the VLAN membership of different "access" ports on my "smart" layer 2 switch, correct? – Markus A. Jan 18 '14 at 05:27
  • Do you understand that what you're asking for can also be achieved by just eliminating the VLANs assigned to "eth0.1" and "eth0.2" and just putting all the hosts in the same VLAN? That's exactly what's going to happen when you bridge them together. – Evan Anderson Jan 18 '14 at 05:29
  • Sorry... just saw your next comment... So if I can't bridge the interfaces, what would be a good way to do this? :) – Markus A. Jan 18 '14 at 05:29
  • Yep. But what I was hoping to do is have a firewall filter that drops packets from the bridge to do access control. Here's my original question that I'm trying to make some headway on: http://serverfault.com/questions/568165/cross-vlan-sharing-and-auto-discovery-of-selective-resources :) – Markus A. Jan 18 '14 at 05:30
  • If this is all getting back to "auto-discovery" protocols then my answer to your other question is the "best way". There is no "magic wand". If you don't want the separation that VLANs create then don't use them. Otherwise, live with them. – Evan Anderson Jan 18 '14 at 05:30
  • Sorry just saw your answer there now... let me read it. – Markus A. Jan 18 '14 at 05:31
  • There are lots of great reasons to want to bridge two vlans, like if you wanted to use physdev matches to firewall intra-broadcast domain traffic. I think the question asked is somewhat confused, but this salty answer about bridging vlans is not helpful in general. –  Jun 02 '18 at 20:06