netbox-community / netbox

The premier source of truth powering network automation. Open source under Apache 2. Try NetBox Cloud free: https://netboxlabs.com/free-netbox-cloud/
http://netboxlabs.com/oss/netbox/
Apache License 2.0

Add "general" mode to 802.1Q VLAN #17516

Open dreng opened 1 month ago

dreng commented 1 month ago

NetBox version

v4.1.1

Feature type

Change to existing functionality

Proposed functionality

When editing interfaces you may select one of the following 802.1Q modes: Access, Tagged or Tagged (All). I propose adding a mode "General" and a PVID field, and allowing more than one untagged VLAN to be assigned.

Use case

I'm not sure if this is part of the 802.1Q standard, but a couple of switches (e.g. Cisco, Dell) support a "general" mode, where you are able to configure more than one untagged VLAN (egress) on a port. The ingress VLAN is always the PVID in this case. It is reasonable to be able to document whether general mode has been configured for a port and which untagged VLANs belong to that port.

See also https://www.cisco.com/c/en/us/td/docs/switches/lan/csbss/CBS220/CLI-Guide/b_220CLI/vlan_commands.html#ID-00005845

Database changes

Alternatively, the following change can also be made (less work and probably backwards compatible):

External dependencies

None

v0tti commented 1 month ago

Although I think that setting multiple untagged VLANs should be supported by NetBox (because vendors support it on their devices, not because I can think of any real-world use case for it), I would opt not to name the mode "general" in NetBox. This seems to imply some sort of default mode, which it is absolutely not. Many users who are not familiar with the concept of multiple untagged VLANs will probably be confused by this.

dreng commented 1 month ago

I agree that "general" might be confusing. It did indeed confuse me when I first stumbled upon this term on a Cisco switch. I'm completely open to other terms. If there's an official term, we should use it (as said before, I don't know if general VLAN complies with the standard anyway). That said, I think the term should be recognizable from the switches that you work on.

Suggestions welcome!

As for a real-world example: imagine you want to receive traffic on your desktop PC (VLAN 10) from a switchport you are not connected to (and you are not even connected to the same switch). This can be done with RSPAN. You set the source port to the port you want to sniff and the destination to a special VLAN, let's say 666. In order to receive traffic from the mirrored port on VLAN 666, you have to either use a tagged VLAN and configure your network card to receive packets that are tagged with 666, or configure the switchport to be untagged 666 instead of 10. The latter would kick you out of the "normal" VLAN. The former would require your network card and OS/driver to support this and that you have enough permissions on your desktop PC. With general VLAN you could receive traffic from a second VLAN (666) easily. Sent packets would always be sent on the PVID (10), but that's not a problem, because you just want to receive packets (for Wireshark, for example).
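To make the proposed semantics concrete, here is an added, stand-alone Python model of the four port modes (the three NetBox already offers plus the proposed "general" mode), with the PVID / untagged / tagged rules from the proposal and the RSPAN scenario from the comment above. This is illustration code written for this page, not NetBox's data model or API: the class and field names, the consistency rules in `validate()`, and the handling of tagged ingress frames are assumptions, and the VLAN IDs 10 and 666 are the ones used in the thread.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Mode(str, Enum):
    """Port modes. The first three mirror the names the issue lists for NetBox;
    GENERAL is the proposed mode (name as proposed in the issue, not final)."""
    ACCESS = "access"
    TAGGED = "tagged"
    TAGGED_ALL = "tagged-all"
    GENERAL = "general"


def _valid_vid(vid: int) -> bool:
    """802.1Q VLAN IDs usable for membership are 1..4094 (0 and 4095 are reserved)."""
    return 1 <= vid <= 4094


@dataclass(frozen=True)
class PortVlanConfig:
    """Hypothetical per-interface VLAN configuration (not NetBox's model)."""
    mode: Mode
    pvid: int | None = None                  # VLAN assigned to untagged ingress frames
    untagged: frozenset[int] = frozenset()   # VLANs sent untagged on egress
    tagged: frozenset[int] = frozenset()     # VLANs sent tagged on egress

    def effective_pvid(self) -> int | None:
        # In the existing modes the single untagged VLAN acts as the PVID.
        if self.pvid is not None:
            return self.pvid
        return next(iter(self.untagged), None)

    def validate(self) -> list[str]:
        """Return consistency errors (empty list means the configuration is sane)."""
        errs: list[str] = []
        vids = set(self.untagged) | set(self.tagged)
        if self.pvid is not None:
            vids.add(self.pvid)
        for vid in sorted(vids):
            if not _valid_vid(vid):
                errs.append(f"VLAN ID {vid} outside 1-4094")
        if self.untagged & self.tagged:
            errs.append("a VLAN cannot be both tagged and untagged on one port")
        if self.mode is Mode.ACCESS:
            if len(self.untagged) != 1:
                errs.append("access mode requires exactly one untagged VLAN")
            if self.tagged:
                errs.append("access mode allows no tagged VLANs")
        elif self.mode in (Mode.TAGGED, Mode.TAGGED_ALL):
            if len(self.untagged) > 1:
                errs.append(f"{self.mode.value} mode allows at most one untagged VLAN")
            if self.mode is Mode.TAGGED_ALL and self.tagged:
                errs.append("tagged-all mode carries every VLAN; do not list tagged VLANs")
        elif self.mode is Mode.GENERAL:
            # Assumed rule: several untagged VLANs are allowed, but the PVID must be one of them.
            if self.pvid is None:
                errs.append("general mode requires a PVID")
            elif self.pvid not in self.untagged:
                errs.append("PVID must be one of the port's untagged VLANs")
        if self.mode is not Mode.GENERAL and self.pvid is not None and self.pvid not in self.untagged:
            errs.append("PVID must be the untagged VLAN")
        return errs

    def egress(self, vid: int) -> str | None:
        """How a frame belonging to VLAN `vid` leaves this port:
        'untagged', 'tagged', or None if the port is not a member of that VLAN."""
        if vid in self.untagged:
            return "untagged"
        if self.mode is Mode.TAGGED_ALL or vid in self.tagged:
            return "tagged"
        return None

    def ingress(self, tag: int | None) -> int | None:
        """VLAN a received frame is classified into; None means it is dropped.
        Untagged frames always land on the PVID, as the issue describes for general mode.
        Tagged frames: simplified assumption that any member VLAN is accepted; real
        switches differ in the details (ingress filtering, acceptable-frame-type settings)."""
        if tag is None:
            return self.effective_pvid()
        if self.mode is Mode.TAGGED_ALL or tag in self.tagged or tag in self.untagged:
            return tag
        return None


def rspan_scenario() -> dict[str, object]:
    """The use case from the thread: a desktop on VLAN 10 should also receive mirrored
    frames on RSPAN VLAN 666 without the host having to handle 802.1Q tags."""
    access = PortVlanConfig(Mode.ACCESS, untagged=frozenset({10}))
    trunk = PortVlanConfig(Mode.TAGGED, untagged=frozenset({10}), tagged=frozenset({666}))
    general = PortVlanConfig(Mode.GENERAL, pvid=10, untagged=frozenset({10, 666}))
    return {
        "all_valid": all(not c.validate() for c in (access, trunk, general)),
        "access_gets_666": access.egress(666),      # None: mirrored traffic never reaches the PC
        "trunk_gets_666": trunk.egress(666),        # 'tagged': NIC/driver must strip the tag
        "general_gets_666": general.egress(666),    # 'untagged': plain frames, no host changes
        "general_sends_on": general.ingress(None),  # 10: frames from the PC stay on the PVID
    }


if __name__ == "__main__":
    for key, value in rspan_scenario().items():
        print(f"{key}: {value}")
```

The point of `validate()` is the rule a "general" mode would need that the existing modes do not: the PVID is a separate field and must be one of the (possibly several) untagged VLANs, whereas in access and tagged modes the single untagged VLAN doubles as the PVID. A configuration with PVID 20 and untagged {10, 666} is rejected, which is the kind of check a data model for this feature should enforce so that documented ports match what a switch would actually accept.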