
On RHEL-based systems the network is supposed to be managed by NetworkManager. I would like to build a persistent configuration of a VLAN-aware bridge that survives reboots. Building on top of the excellent answer by A.B., I have created a network configuration for a virtual machine running Alma Linux 9.4 that receives VLAN 1 tagged traffic and is reachable from the management VLAN. But how do I make this persistent? Can it be done using the standard network management tool, NetworkManager?

# cat mkbr2.sh
# VLAN-aware bridge; default PVID 0 means a port joined later carries no
# untagged VLAN until one is assigned explicitly
ip link add name bridge0 type bridge vlan_filtering 1 vlan_default_pvid 0
ip link set dev ens192 master bridge0
ip link set bridge0 up
# the bridge device itself (self) talks VLAN 1 untagged: the management VLAN
bridge vlan add vid 1 dev bridge0 pvid untagged self
# ens192 trunks VLANs 2-4094 tagged and maps untagged ingress to VLAN 1
bridge vlan add vid 2-4094 dev ens192
bridge vlan add vid 1 dev ens192 pvid
ip addr add 10.200.200.106/24 dev bridge0
ip route add default via 10.200.200.10

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master bridge0 state UP group default qlen 1000
    link/ether 00:0c:29:44:89:b3 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
6: bridge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:44:89:b3 brd ff:ff:ff:ff:ff:ff
    inet 10.200.200.106/24 scope global bridge0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe44:89b3/64 scope link 
       valid_lft forever preferred_lft forever

# bridge -compressvlans vlan show
port              vlan-id  
ens192            1 PVID
                  2-4094
bridge0           1 PVID Egress Untagged

1 Answer

Old school method of building VLAN bridges

This is how I build my bridges with nmcli on my router. I have 3 VLANs (10=lan, 11=guest, 12=iot) and I put each of those on their own bridge. I also put the WAN on its own bridge. So between them we can see direct interfaces, VLAN interfaces, DHCP and static configurations! This doesn't use bridge filtering but uses one bridge per VLAN, which can be useful in nft rules or as a simple bridge target for qemu VMs; just specify the bridge name!

WAN=enp2s0
LAN=enp3s0

# Clean up any residual configurations
nmcli connection delete $WAN $LAN.10 $LAN.11 $LAN.12 br-lan br-guest br-iot br-wan >/dev/null 2>&1
nmcli device delete $LAN.10 $LAN.11 $LAN.12 >/dev/null 2>&1

# Configure internet (WAN)

nmcli device set $WAN autoconnect yes

nmcli connection add type bridge con-name br-wan ifname br-wan bridge.stp no ipv4.method auto ipv6.method disabled
nmcli connection add type bridge-slave con-name $WAN ifname $WAN master br-wan


# Configure the separate VLANs

nmcli device set $LAN autoconnect no

nmcli connection add type bridge con-name br-lan ifname br-lan bridge.stp no ip4 192.168.0.1/24 ipv6.method disabled
nmcli connection add type vlan con-name $LAN.10 ifname $LAN.10 vlan.parent $LAN vlan.id 10 slave-type bridge master br-lan
nmcli device set $LAN.10 autoconnect yes

nmcli connection add type bridge con-name br-guest ifname br-guest bridge.stp no ip4 192.168.2.1/24 ipv6.method disabled
nmcli connection add type vlan con-name $LAN.11 ifname $LAN.11 vlan.parent $LAN vlan.id 11 slave-type bridge master br-guest
nmcli device set $LAN.11 autoconnect yes

nmcli connection add type bridge con-name br-iot ifname br-iot bridge.stp no ip4 192.168.3.1/24 ipv6.method disabled
nmcli connection add type vlan con-name $LAN.12 ifname $LAN.12 vlan.parent $LAN vlan.id 12 slave-type bridge master br-iot
nmcli device set $LAN.12 autoconnect yes

The result is something like this:

% nmcli con show
NAME              UUID                                  TYPE       DEVICE    
br-wan            0102b304-effc-4437-a70a-aa3360d4d3e0  bridge     br-wan    
br-lan            acf41256-e68b-40a8-a85a-944eb95035a6  bridge     br-lan    
br-guest          a3c962bb-e605-46aa-8d43-7cb9db4ebad1  bridge     br-guest  
br-iot            f7715bbd-1a7c-41fb-bfb0-5ddc2900048a  bridge     br-iot    
enp2s0            e966376e-39e5-4789-aaaa-5a2c0154323d  ethernet   enp2s0    
enp3s0.10         bfd85eca-989c-499c-89d2-cb4f57d0cde9  vlan       enp3s0.10 
enp3s0.11         a63e60ce-e808-499e-bfb1-aedb5ee83541  vlan       enp3s0.11 
enp3s0.12         2d775836-ab3b-4ccb-a120-c32e2ec0efc7  vlan       enp3s0.12 
lo                87342e58-0839-4e20-9db0-2d653faa117c  loopback   lo        

New method using bridge VLAN filtering

An alternative method using the newer bridge VLAN filtering can also be done in a similar manner.

On this test machine, ens2 is the external network interface. So we build a bridge with VLAN filtering enabled and a default PVID, then we add the interface to the bridge and define the VLANs associated with the port.

# (re)create the bridge with VLAN filtering on; default PVID 1 also gives the
# bridge device itself VLAN 1 untagged, as the output below shows
nmcli con del mybridge
nmcli conn add type bridge con-name mybridge ifname mybridge bridge.stp no ipv4.method auto ipv6.method disabled bridge.vlan-filtering 1 bridge.vlan-default-pvid 1

# enslave ens2 with VLAN 1 as untagged PVID and VLANs 2-4094 tagged
nmcli con delete ens2
nmcli con add type bridge-slave con-name ens2 ifname ens2 master mybridge bridge-port.vlans "1 pvid,2-4094"

Now we can see the results are similar to what you previously had:

# bridge -compressvlans vlan show
port              vlan-id  
ens2              1 PVID
                  2-4094
mybridge          1 PVID Egress Untagged

# nmcli con show
NAME      UUID                                  TYPE      DEVICE   
mybridge  19ed366a-a954-45bc-8f12-ad5ac004ce29  bridge    mybridge 
ens2      621368c3-f973-4865-886b-808bda61d389  ethernet  ens2     
lo        ed24d02e-2e25-4f84-a38f-20d42147a582  loopback  lo  
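As an added check (my own script, not the question's or the answer's code), the following parses the `bridge -compressvlans vlan show` layout shown above and verifies that the bridge's own port carries only the untagged management VLAN; the function names and the two embedded sample tables are constructed.

```shell
#!/bin/sh
# Added example (not the question's or answer's code): audit the VLAN table
# printed by `bridge -compressvlans vlan show`; function names are mine.

# Constructed sample matching the answer's result: management VLAN 1 untagged
# on the bridge itself, ens2 trunking 1 untagged plus 2-4094 tagged.
SAMPLE_VLAN_SHOW='port              vlan-id
ens2              1 PVID
                  2-4094
mybridge          1 PVID Egress Untagged'
# Constructed leaky variant: the bridge device also carries 2-4094, so the
# host itself would receive frames from every other VLAN.
SAMPLE_LEAKY='port              vlan-id
ens2              1 PVID
                  2-4094
mybridge          1 PVID Egress Untagged
                  2-4094'

# vlans_of PORT OUTPUT -> one line per VLAN entry of PORT, e.g. "1 PVID"
vlans_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NR == 1 { next }                                    # header line
        /^[^ \t]/ { port = $1; sub(/^[^ \t]+[ \t]+/, "") }  # "port entry"
        /^[ \t]/  { sub(/^[ \t]+/, "") }                    # continuation
        port == want && $0 != "" { print }'
}
# port_entries PORT OUTPUT -> the entries joined with ";" for easy comparison
port_entries() {
    vlans_of "$1" "$2" | awk '{ s = (NR > 1 ? s ";" : "") $0 } END { print s }'
}
# has_vlan PORT VID OUTPUT -> exit 0 when VID lies inside one of PORT's ranges
has_vlan() {
    vlans_of "$1" "$3" | awk -v vid="$2" '
        { n = split($1, r, "-"); lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
          if (vid + 0 >= lo && vid + 0 <= hi) found = 1 }
        END { if (found) exit 0; exit 1 }'
}
# audit_self_port BRIDGE MGMT_VID OUTPUT -> 0 only if the host-facing bridge
# port is exactly "MGMT_VID PVID Egress Untagged": the host is reachable on
# the management VLAN alone and never sees another VLAN's frames.
audit_self_port() {
    entries=$(port_entries "$1" "$3")
    if [ "$entries" = "$2 PVID Egress Untagged" ]; then
        echo "ok: $1 carries only untagged VLAN $2"; return 0
    fi
    echo "ALERT: $1 carries '$entries', expected '$2 PVID Egress Untagged'"; return 1
}
# Live use passes "$(bridge -compressvlans vlan show)" as the last argument.
audit_self_port mybridge 1 "$SAMPLE_VLAN_SHOW"
audit_self_port mybridge 1 "$SAMPLE_LEAKY" || :
```

Because `bridge.vlan-default-pvid 1` in the filtering method places every port added later into VLAN 1 by default (the question's `vlan_default_pvid 0` does not), rerunning the audit after any port is attached is worthwhile.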
  • Thanks for sharing! It seems that you are using bridges without VLAN filtering as described here. Ironically, the article is published in the Red Hat ecosystem, yet they don't tell me how to properly integrate that in a running system. Commented Sep 17, 2024 at 20:35
  • @shpokas OK, I've updated the answer showing the bridge-filtering method as well. Personally I prefer the old school way :-) Commented Sep 17, 2024 at 22:45
  • This is what I wanted to achieve. It was not clear to me how "vlan_filtering" translates into nmcli VLAN sub-commands. Thank you for your time and effort to clarify this! Commented Sep 18, 2024 at 8:19
