VLAN Aware Bridge and DHCP

I am using a vlan aware bridge on VyOS 1.4 with four trunk ports (eth1, eth2, eth3, eth4) connected to managed switches and clients connected to access ports on those managed switches.

 bridge br0 {
     enable-vlan
     member {
         interface eth1 {
             allowed-vlan 10
             allowed-vlan 20
             allowed-vlan 30
         }
         interface eth2 {
             allowed-vlan 10
             allowed-vlan 20
             allowed-vlan 30
         }
         interface eth3 {
             allowed-vlan 10
             allowed-vlan 20
             allowed-vlan 30
         }
         interface eth4 {
             allowed-vlan 10
             allowed-vlan 20
             allowed-vlan 30
         }
     }
     stp
     vif 10 {
         address 10.10.1.1/24
     }
     vif 20 {
         address 10.20.1.1/24
     }
     vif 30 {
         address 10.30.1.1/24
     }
 }

 ethernet eth1 {
     hw-id 00:...
 }
 ethernet eth2 {
     hw-id 00:...
 }
 ethernet eth3 {
     hw-id 00:...
 }
 ethernet eth4 {
     hw-id 00:...
 }

I have configured DHCP for each VLAN:

 shared-network-name VLAN10 {
     subnet 10.10.1.0/24 {
         default-router 10.10.1.1
         domain-name vlan10.example....
         exclude 10.10.1.1
         name-server 10.10.1.7
         range 0 {
             start 10.10.1.20
             stop 10.10.1.254
         }
     }
 }
 shared-network-name VLAN20 {
     subnet 10.20.1.0/24 {
         default-router 10.20.1.1
         domain-name vlan20.example....
         exclude 10.20.1.1
         name-server 10.20.1.7
         range 0 {
             start 10.20.1.150
             stop 10.20.1.199
         }
     }
 }
 shared-network-name VLAN30 {
     subnet 10.30.1.0/24 {
         default-router 10.30.1.1
         domain-name vlan30.example....
         exclude 10.30.1.1
         name-server 10.30.1.7
         range 0 {
             start 10.30.1.20
             stop 10.30.1.254
         }
     }
 }

There is no firewall as shown below:

# show firewall
Configuration under specified path is empty

The vlan aware bridge works when static IP addresses are assigned to clients on the managed switches but I am not able to ping the bridge IP addresses specified in the br0 vif 10, 20, 30.

I need VyOS to issue DHCP leases to the clients connected to the managed switches, but no DHCP leases are being assigned to the clients.

Where am I going wrong please?

Do you see requests and responses in the dump?

monitor traffic interface br0.10 filter "port 67"

Thank you,

Since my first post, I have tried to add an IP address on a different port (not part of the bridge), so that the dhcp-server has somewhere to listen

 ethernet eth5 {
     address 10.1.1.1/24
     description management
     hw-id 00:...
     vif 10 {
         address 10.10.1.254/24
     }
     vif 20 {
         address 10.20.1.254/24
     }
     vif 30 {
         address 10.30.1.254/24
     }
 }

I’ve now added a dhcp-relay as follows:

 dhcp-relay {
     interface br0.10
     interface eth5.10
     server 10.10.1.254
 }

When I run the monitor command, I get the following:

$ monitor traffic interface br0.10 filter "port 67"
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0.10, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:35:25.642708 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:4c:68:00:9e, length 300
17:35:26.643547 IP 10.10.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
17:35:29.865106 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:4c:68:00:9e, length 300
17:35:29.865484 IP 10.10.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
17:35:34.641668 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:4c:68:00:9e, length 300
17:35:34.642058 IP 10.10.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
17:35:43.625960 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:4c:68:00:9e, length 300
17:35:43.626332 IP 10.10.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
17:36:00.548393 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:4c:68:00:9e, length 300
17:36:00.548801 IP 10.10.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300

Just to clarify my previous post, it’s still not working, the dhcp-relay hasn’t fixed the problem.

Where am I going wrong?

Required dump on the client site, why don’t they get address
Wireshark or tcpdump

There are two problem statements that seem to have the same root cause.

The client is attached to an access port on the managed switch with a static IP address of 10.10.1.6.

Problem 1: The client cannot ping the bridge vif 10 address (10.10.1.1), but the ARP request is visible in the traffic monitor, so it traverses the managed switch and the trunk port and it arrives in VyOS.

$ monitor traffic interface br0.10
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0.10, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:46:54.274522 ARP, Request who-has 10.10.1.1 tell 10.10.1.6, length 46
22:46:54.274571 ARP, Reply 10.10.1.1 is-at 00:e0:67:18:17:5b (oui Unknown), length 28

Wireshark running on the client shows that the ARP reply is never received.

Problem 2: The client on VLAN10 cannot get an IP address from the DHCP server.

Wireshark running on the client shows that the DHCP reply is never received.

Do I need to enable anything on the vlan aware bridge to permit these responses to be sent back to the client?

Hi @kirbz
I created a lab with your configuration, but was unable to reproduce your issue. Try to update on last rolling release.

Sorry @kirbz
I reproduced your problem on the last rolling release. I have just created bug report ⚓ T4632 Vlan aware bridge not working

Thank you, u/zrail on Reddit also noticed the bug and helped me with a workaround