faucetsdn / faucet

FAUCET is an OpenFlow controller for multi table OpenFlow 1.3 switches, that implements layer 2 switching, VLANs, ACLs, and layer 3 IPv4 and IPv6 routing.
http://faucet.nz
Apache License 2.0

interface option to strip tagged vlans on output #1483

Open grafnu opened 6 years ago

grafnu commented 6 years ago

Add an option (list of vlans) to strip any tagged vlans on output. This enables using vlans to control output distribution based on input ACLs using VLAN tags, but not to have the vlan tag exposed externally.

    interfaces:
        1:
            tagged_vlans: [ 100, 200 ]
        2:
            tagged_vlans: [ 100, 200 ]
            strip_tagged_vlans: [ 200 ]

would do something like this:

t=8 p=9008,in_port=1,dl_vlan=100 actions=output:1,output:2,strip_vlan
t=8 p=9008,in_port=1,dl_vlan=200 actions=output:1,strip_vlan,output:2

So that vlan 200 strips the vlan tag before output:2, but vlan 100 does not. This can then be used in combination with ACL in rules that push a vlan tag to create internal send broadcast domains.

KitL commented 6 years ago

Some of my colleagues have mentioned they would want to be able to configure rewriting vlan tags on ports, including adding/removing.

Would that cover your use case? Or are you looking to do this with multiple vlans on a single port? Because faucet would not be able to cope with what to do with untagged packets arriving in that case.

If you are looking just to monitor broadcast on multiple vlans, I'd prefer to configure that more explicitly. I guess my concern is just that with this configuration it seems a little ambiguous with what happens to packets arriving on that port so that will likely cause misconfiguration at some point.

On 10 January 2018 at 23:37, Trevor notifications@github.com wrote:

grafnu commented 6 years ago

The exact use case uses vlan tag to control broadcast domains -- i.e., curate an explicit list of who can/should receive a broadcast packet based off of an acl_in. So yes, it does require multiple vlans on a single port. And then a tagged VLAN is added based off of acl_in, so it is not required to handle multiple different vlans on input (they are assigned essentially based off of src address).

So, it's not "monitoring" broadcast -- but rather restricting it to specific destinations. If you're worried about ambiguity, then something like "strip_output_vlans" seems like it would work.

The basic logic I'm looking for is:

1) Packet arrives with no tagged vlan
2) ACL rules assign VLAN
3) output ports identified by tagged vlan
4) strip vlan tag before output

This all works perfectly except for step #4.
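The proposed config and the four-step pipeline above, modelled as an added example (not FAUCET code, and the `strip_tagged_vlans` key is the hypothetical option being requested, not an existing FAUCET setting). The ACL table and MAC addresses are constructed; the in_port exclusion normal flooding applies is left out to keep the action lists comparable with the ones in the issue, and a config check is included so a VLAN can only be stripped on a port that actually carries it tagged, which addresses the ambiguity KitL raised.

```python
"""Model of the proposed strip_tagged_vlans semantics (added example, not FAUCET code)."""

# Constructed config mirroring the proposal in the issue. 'strip_tagged_vlans' is the
# hypothetical option under discussion; it does not exist in FAUCET.
CONFIG = {
    "interfaces": {
        1: {"tagged_vlans": [100, 200]},
        2: {"tagged_vlans": [100, 200], "strip_tagged_vlans": [200]},
    }
}

# Constructed stand-in for an acl_in that assigns a VLAN by source MAC address.
ACL_IN = {"00:00:00:00:00:01": 100, "00:00:00:00:00:02": 200}


def validate(config):
    """Reject ambiguous configs: a VLAN may only be stripped on a port that carries it tagged."""
    errors = []
    for port, iface in config["interfaces"].items():
        tagged = set(iface.get("tagged_vlans", []))
        for vid in iface.get("strip_tagged_vlans", []):
            if vid not in tagged:
                errors.append(f"port {port}: strip_tagged_vlans {vid} not in tagged_vlans")
    return errors


def assign_vlan(acl, src_mac):
    """Step 2: the ACL picks the VLAN for an untagged packet (None means no match)."""
    return acl.get(src_mac)


def flood_actions(config, vid):
    """Steps 3-4: output to every port carrying vid; strip_vlan goes before the stripping ports."""
    keep, strip = [], []
    for port, iface in sorted(config["interfaces"].items()):
        if vid in iface.get("tagged_vlans", []):
            (strip if vid in iface.get("strip_tagged_vlans", []) else keep).append(port)
    actions = [f"output:{p}" for p in keep]
    if strip:
        actions.append("strip_vlan")  # tag removed once; every output after this is untagged
        actions += [f"output:{p}" for p in strip]
    return actions


def flow_rule(config, acl, src_mac):
    """Whole pipeline: untagged packet -> ACL assigns VLAN -> flood action list."""
    vid = assign_vlan(acl, src_mac)
    if vid is None:
        return "drop"
    return f"dl_vlan={vid} actions=" + ",".join(flood_actions(config, vid))


if __name__ == "__main__":
    assert not validate(CONFIG)
    for mac in ACL_IN:
        print(mac, "->", flow_rule(CONFIG, ACL_IN, mac))
```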