Does VyOS support protocol-based VLANs?

Does VyOS support protocol-based VLANs and if not, would it be much work to do so?

Here is an example using bridging from Mikrotik:

https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Protocol_Based_VLAN

First they create the bridge and attach physical interfaces to it.

Then they define the vlan mapping as in which VLANs will be tagged and which will be untagged for the bridge vs physical interfaces.

And finally they define the protocol-based VLANs, which act on EtherType (mac-protocol in the config example) to put frames into different VLANs based on EtherType.

While doing something similar on an HPE Comware device, the config looks like this (in the example below, ARP+IPv4 goes into a shared VLAN100 but segmented with protected VLAN, while for IPv6 each host (client) gets its own VLAN101…148 depending on the interface in the switch):

vlan 100
 description UPLINK
 protocol-vlan 0 mode ethernetii etype 0806
 protocol-vlan 4 ipv4
#
vlan 101
 description 01_CUSTOMER_A
 protocol-vlan 6 ipv6
#
vlan 102
 description 02_CUSTOMER_B
 protocol-vlan 6 ipv6
#
interface GigabitEthernet1/0/1
 description 01_CUSTOMER_A
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 100 101 untagged
 port hybrid pvid vlan 3101
 port hybrid protocol-vlan vlan 100 0 
 port hybrid protocol-vlan vlan 100 4 
 port hybrid protocol-vlan vlan 101 6 
 port-isolate enable 
#
interface GigabitEthernet1/0/2
 description 02_CUSTOMER_B
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 100 102 untagged
 port hybrid pvid vlan 3102
 port hybrid protocol-vlan vlan 100 0 
 port hybrid protocol-vlan vlan 100 4 
 port hybrid protocol-vlan vlan 102 6 
 port-isolate enable 
#
interface Ten-GigabitEthernet1/1/1
 description 49_UPLINK
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 to 148
 port trunk pvid vlan 3100
#

Apart from Mikrotik and HPE Comware, it seems like HP Aruba, Huawei, D-Link, Netgear, FS.com etc. support protocol-based VLANs.


And to describe one of several use cases for protocol-based VLANs:

It's a nifty way to deal with IPv4/IPv6 dual stack at the L2 access layer.

Where the EtherType for ARP and IPv4 goes into a single VLAN that uses protected VLAN (to segment hosts (clients) from each other), where for example a shared gateway is being used such as 192.0.2.254/24. Example: VLAN100 for everybody doing ARP+IPv4 at SW1.

While for the EtherType IPv6 each host (client) goes into its own VLAN. This way each client gets its own VLAN for IPv6 traffic and by that its own /64 for SLAAC (and in our case a routed /56 on top of that through DHCP6-PD as well as statically). Example: the client at SW1-INT1 goes into VLAN101, SW1-INT2 goes into VLAN102 and so on.

What comes from the access layer (L2) to the aggregation layer (L3) is VLAN100-148, where VLAN100 is for ARP+IPv4 while VLAN101…148 is for IPv6.

This is an effective way to mitigate all sorts of layer 2 based attacks when it comes to IPv6, since each host (client) is logically segmented away from the others (yet has its own /64 + /56 at the same time), and for IPv4 that's being dealt with by protected VLAN (and a shared /24 or whatever IPv4 size you prefer per access switch).

Ethertypes:

ARP: 0x0806
IPv4: 0x0800
IPv6: 0x86DD
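To make the classification described in both posts concrete, here is an added example (not code from the forum thread, from VyOS, or from any of the vendors named) that models protocol-based VLAN assignment on ingress the way the Comware snippet above is configured: untagged frames are matched on EtherType (ARP and IPv4 into the shared VLAN 100, IPv6 into the per-port VLAN 101 or 102) and fall back to the port's PVID when no rule matches; tagged frames keep their VID only if the port is a member of that VLAN. The port names, MAC addresses, sample frames and the "drop tagged frames for non-member VLANs" rule are assumptions for illustration, not vendor behaviour the page documents.

```python
"""Protocol-based VLAN ingress classifier (constructed example, not VyOS or vendor code)."""
import struct
from typing import Optional

# EtherTypes: the three the post lists, plus 802.1Q so tagged frames can be parsed.
ETH_P_IPV4 = 0x0800
ETH_P_ARP = 0x0806
ETH_P_8021Q = 0x8100
ETH_P_IPV6 = 0x86DD

# Constructed per-port policy modelled on the Comware hybrid-port config above:
#   allowed       - VLANs the port is a member of (tagged ingress must match one)
#   pvid          - VLAN for untagged frames that match no protocol rule
#   protocol_vlan - EtherType -> VLAN for untagged frames
PORT_POLICY = {
    "GigabitEthernet1/0/1": {
        "allowed": {100, 101},
        "pvid": 3101,
        "protocol_vlan": {ETH_P_ARP: 100, ETH_P_IPV4: 100, ETH_P_IPV6: 101},
    },
    "GigabitEthernet1/0/2": {
        "allowed": {100, 102},
        "pvid": 3102,
        "protocol_vlan": {ETH_P_ARP: 100, ETH_P_IPV4: 100, ETH_P_IPV6: 102},
    },
}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Build an Ethernet II frame, optionally carrying one 802.1Q tag (test input only)."""
    header = dst + src
    if vlan is not None:
        # TPID 0x8100 followed by TCI; PCP and DEI left at zero, VID in the low 12 bits.
        header += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    header += struct.pack("!H", ethertype)
    return header + payload


def parse_ethernet(frame: bytes):
    """Return (vlan_or_None, ethertype) for an Ethernet II frame with at most one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
    return vlan, ethertype


def classify_ingress(port: str, frame: bytes) -> Optional[int]:
    """Return the VLAN an ingress frame is placed in, or None if it is dropped.

    Untagged frames are classified by EtherType (protocol-based VLAN) and fall
    back to the PVID. Tagged frames keep their VID when the port is a member of
    that VLAN and are dropped otherwise (assumed behaviour, see lead-in).
    """
    policy = PORT_POLICY[port]
    vlan, ethertype = parse_ethernet(frame)
    if vlan is not None:
        return vlan if vlan in policy["allowed"] else None
    return policy["protocol_vlan"].get(ethertype, policy["pvid"])


def demo():
    """Classify constructed ARP and IPv6 frames from two hosts on two access ports."""
    host_a = bytes.fromhex("020000000001")  # constructed locally administered MACs
    host_b = bytes.fromhex("020000000002")
    bcast = b"\xff" * 6
    cases = [
        ("GigabitEthernet1/0/1", build_frame(bcast, host_a, ETH_P_ARP, b"\x00" * 28)),
        ("GigabitEthernet1/0/1", build_frame(bcast, host_a, ETH_P_IPV6, b"\x60" + b"\x00" * 39)),
        ("GigabitEthernet1/0/2", build_frame(bcast, host_b, ETH_P_IPV6, b"\x60" + b"\x00" * 39)),
    ]
    return [(port, hex(parse_ethernet(f)[1]), classify_ingress(port, f)) for port, f in cases]


if __name__ == "__main__":
    for port, etype, vlan in demo():
        print(f"{port}: ethertype {etype} -> VLAN {vlan}")
```

The demo shows the property the second post relies on: both hosts' ARP lands in VLAN 100 (where port isolation keeps them apart), while their IPv6 lands in different VLANs (101 and 102), so IPv6 link-local traffic from one customer port never shares a broadcast domain with another. Note also that in the Comware config the PVIDs (3101, 3102) are not in the uplink trunk's `port trunk permit vlan 100 to 148`, so untagged frames of any other EtherType fall into a VLAN that never reaches the aggregation layer.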