L2TPv3 VLAN Pseudowires

The Linux kernel has included full VLAN support since around 2.6.29, offering flexible options for VLAN tagging of L2TP traffic.

VLAN traffic can be carried in L2TPv3 ethernet pseudowires or in L2TPv3 VLAN pseudowires. Ethernet pseudowires carry untagged ethernet frames, or VLAN tagged frames. VLAN pseudowires carry VLAN tagged frames of only one VLAN and never any untagged frames. prol2tpd supports L2TPv3 ethernet and VLAN pseudowire types.

Adding VLAN tags to traffic

Linux allows VLAN tags to be added to traffic at the device level using the ip tool. For example:

ip link add link eth1 name eth1.802 type vlan id 802

This creates a new VLAN device eth1.802 on device eth1. All traffic sent from eth1.802 will be tagged with the VLAN ID 802. Incoming traffic will be filtered for the VLAN ID 802, and will have the VLAN tags stripped. This creates the equivalent of a VLAN access port on a managed switch.

Since L2TP pseudowires are represented as virtual devices in the network stack, it is possible to add a VLAN tagging interface to an ethernet pseudowire in exactly the same way as any other network device:

site-A:# ip link add link l2tpeth0 name l2tpeth0.500 type vlan id 500

This creates a new VLAN device l2tpeth0.500 with VLAN ID 500.

In practice, VLAN interfaces can be added to l2tpeth interfaces automatically when L2TPv3 ethernet sessions are established using a session-up script. For more information, see the integration points page.

Bridging VLAN devices

Once you have created one or more tagged VLAN devices it is possible to bridge them using the brctl tool:

site-A:# brctl addbr br0
site-A:# brctl addif br0 l2tpeth0.500
site-A:# brctl addif br0 eth1

This creates a new bridge, br0, and adds eth1 and l2tpeth0.500 to the bridge. Since incoming traffic on l2tpeth0.500 is stripped of VLAN tags by the kernel this effectively removes the VLAN tags from the L2TP traffic before bridging that traffic onto eth1 at site-A.

By combining the ip and brctl tools, it is possible to employ sophisticated VLAN schemes with L2TP. Incoming L2TP traffic may have its VLAN tags stripped or modified, and untagged traffic may be tagged to be sent out on a local VLAN.

The session-up script can be used to automate adding l2tpeth interfaces to a Linux bridge.

VLAN Pseudowires

VLAN pseudowires offer a method of passing a VLAN over an IP tunnel where the configuration at each tunnel peer is automated. In prol2tpd, VLAN pseudowires are configured by setting pseudowire_type vlan in the pseudowire profile. For example:

pseudowire profile one {
    pseudowire_type vlan
    vlan_id 802
    bridge_name br1
    mtu 1500
}

When a session is established using this pseudowire profile, prol2tpd creates an l2tpeth interface in the same way that it does for ethernet pseudowires, and it also creates a vlan interface for the configured VLAN tag (vlan_id). It is the vlan interface that carries traffic. A session-up script can add the vlan interface to the indicated bridge.

IEEE 802.1ad (QinQ)

Linux has supported IEEE 802.1ad since kernel version 3.10, released in June 2013.

Configuration of a QinQ setup uses the same ip link command as single-tagged VLAN, using an extra proto argument to the command to specify the EtherType to be used.

For example:

ip link add link eth0 eth0.24 type vlan proto 802.1ad id 24
ip link add link eth0.24 eth0.24.371 type vlan proto 802.1Q id 371

The first command selects VLAN tag 24 from traffic on eth0 and presents it on eth0.24. The second command then selects VLAN tag 371 from traffic on eth0.24 and presents it on eth0.24.371.

Automating this with a session-up script would require adding commands similar to these. However, there is currently no parameter in the pseudowire profile for defining the QinQ id, so this would have to be configured using a value extracted from user_data in the session profile.
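Because such a script runs ip with root privileges on values taken from configuration data, the tag values and the resulting interface names should be checked first. The following is an added example, not ProL2TP code: it validates the inputs and prints the two stacked-VLAN commands. The function names and the way the parent interface and tag values are passed in are assumptions; how prol2tpd hands user_data to the script is not covered here.

```shell
#!/bin/sh
# Added example (not part of ProL2TP). Inputs are plain function arguments;
# extracting them from user_data is left to the calling script (assumption).

IFNAMSIZ_MAX=15   # Linux interface names hold at most 15 characters

# valid_vid VALUE: succeed only for a decimal VLAN ID in the range 1..4094
valid_vid() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;   # empty, leading zero, or non-digit
    esac
    [ "${#1}" -le 4 ] || return 1     # bound the length before comparing
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# valid_ifname NAME: conservative character set, no leading '-', length limit
valid_ifname() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le "$IFNAMSIZ_MAX" ]
}

# qinq_cmds PARENT OUTER INNER: print the 802.1ad and 802.1Q commands,
# or print a reason on stderr and return non-zero without printing commands
qinq_cmds() {
    parent=$1 outer=$2 inner=$3
    valid_ifname "$parent" || { echo "bad parent interface name" >&2; return 1; }
    valid_vid "$outer" || { echo "bad outer (802.1ad) tag" >&2; return 1; }
    valid_vid "$inner" || { echo "bad inner (802.1Q) tag" >&2; return 1; }
    svlan="$parent.$outer"
    cvlan="$svlan.$inner"
    # Stacked names grow quickly: l2tpeth0.24.371 is already 15 characters
    valid_ifname "$cvlan" || { echo "name too long: $cvlan" >&2; return 1; }
    echo "ip link add link $parent name $svlan type vlan proto 802.1ad id $outer"
    echo "ip link add link $svlan name $cvlan type vlan proto 802.1Q id $inner"
}

# Constructed sample values; the output is the command list, nothing is applied
qinq_cmds l2tpeth0 24 371
```

A session-up script would run the printed commands only when qinq_cmds returns success, and could use a shorter naming scheme when the parent interface name leaves no room for both tags.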

You are reading the manual of ProL2TP: enterprise class L2TP software for Linux systems
