Subject: Re: vlan(4), native vlan/vlan1, OpenBSD v.s. NetBSD behavior
To: Brian A. Seklecki <lavalamp@spiritual-machines.org>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-net
Date: 12/15/2005 23:19:26

On Wed, Dec 14, 2005 at 04:02:49PM -0500, Brian A. Seklecki wrote:
> 
> All:
> 
> I've got a NetBSD 2.x box acting as a VLAN router for two Cisco 2924's 
> running IOS Version 12.0(5)WC10.
> 
> And I've also got an OpenBSD 3.7 box acting as a VLAN router for two Cisco 
> 2924s running IOS Version 12.0(5)WC11
> 
> Both have a VLAN1 interface configured where I stick insecure services 
> (like telnet to the switches, SNMP to UPSs, Hardware IPMI, Dell DRAC cards,
> 
> nbsd$ ifconfig vlan1
> vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         vlan: 1 parent: fxp0
>         address: 00:90:27:5d:f3:ee
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>         inet6 fe80::290:27ff:fe5d:f3ee%vlan1 prefixlen 64 scopeid 0x9
> 
> obsd% ifconfig vlan1
> vlan1: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         address: 00:50:da:28:37:7f
>         vlan: 1 parent interface: xl0
>         inet6 fe80::250:daff:fe28:377f%vlan1 prefixlen 64 scopeid 0x7
>         inet 10.0.0.3 netmask 0xfffffff8 broadcast 10.0.0.7
> 
> 
> [...]
> 
> When I ping from the Mgmnt./Vlan1 Interface on a c2924 to the IP assigned 
> to the Vlan1 interface on the NetBSD box in the same subnet, I see the
> 
> netbsd% tcpdump -i fxp0 'proto \icmp' -- Physical Interface:
> 14:24:21.337228 10.0.0.2 > mrvlan-vlan1: icmp: echo request seq 3271
> 14:24:21.340518 10.0.0.2 > mrvlan-vlan1: icmp: echo request seq 3271
> 14:24:21.343818 10.0.0.2 > mrvlan-vlan1: icmp: echo request seq 3271
> 14:24:21.346420 10.0.0.2 > mrvlan-vlan1: icmp: echo request seq 3271
> 14:24:21.349690 10.0.0.2 > mrvlan-vlan1: icmp: echo request seq 3271
> 
> The packets coming from the Cisco are untagged, but the subnet matches
> that assigned to int vlan1.

Are you sure it's not tagged? Don't you see them also on vlan1?
Some fxp devices support hardware 802.1q, and in this case tcpdump
doesn't show you the vlan tag for packets received.

> [...]
> So it seems that NetBSD has some "magic code"(r) to deal with the native 
> VLAN, because most admins assume that a VLAN router can see a VLAN1 
> interface on a trunk regardless if the packets are tagged or not.

Packets received from an interface are passed to the IP stack, and
the IP stack won't check the interface the packet came from, unless
you set net.inet.ip.checkinterface to 1 (weak host model vs strong
host model - both have pros and cons). So you could receive the packet from
any interface (physical, or another vlan), it would be processed,
it's not something magic with vlan1.

OpenBSD may have a different default for net.inet.ip.checkinterface (if
it's possible to choose at all the behavior on OpenBSD).

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference
--
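
An added illustration of the two points in the reply above (not code from the thread or from NetBSD): it tells a tagged frame from an untagged one by the 802.1Q TPID, then applies a simplified model of the weak versus strong host check, not the kernel's actual logic. The `vlan2` interface, the source MAC and the sample frames are constructed assumptions; `vlan1`, `fxp0` and the addresses come from the thread.

```python
import struct
from ipaddress import ip_address

TPID_8021Q, ETH_IPV4 = 0x8100, 0x0800   # 802.1Q tag marker, IPv4 EtherType
# vlan1/10.0.0.1 on parent fxp0 is from the thread; vlan2 is constructed.
IFADDRS = {"vlan1": {ip_address("10.0.0.1")}, "vlan2": {ip_address("10.0.2.1")}}
VLAN_IFS = {1: "vlan1", 2: "vlan2"}     # VID -> vlan(4) interface

def build_frame(dst_ip, src_ip="10.0.0.2", vid=None):
    """Constructed sample: Ethernet + optional 802.1Q tag + bare IPv4 header."""
    eth = bytes.fromhex("0090275df3ee") + bytes.fromhex("020000000002")
    tag = struct.pack("!HH", TPID_8021Q, vid) if vid is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + tag + struct.pack("!H", ETH_IPV4) + ip

def classify(frame, parent="fxp0"):
    """Return (receiving interface or None, VID or None, IPv4 destination)."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vid, l3 = None, 14
    if ethertype == TPID_8021Q:          # tag present: TCI, then real EtherType
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vid, l3 = tci & 0x0FFF, 18       # low 12 bits of the TCI are the VID
    if ethertype != ETH_IPV4 or len(frame) < l3 + 20:
        raise ValueError("not a complete IPv4 frame")
    rcvif = parent if vid is None else VLAN_IFS.get(vid)
    return rcvif, vid, ip_address(frame[l3 + 16:l3 + 20])

def accepted(frame, checkinterface):
    """Would the local IP stack take this packet as addressed to itself?"""
    rcvif, _vid, dst = classify(frame)
    if rcvif is None:                    # tagged for a VLAN with no interface
        return False
    if checkinterface:                   # strong host: address must be on rcvif
        return dst in IFADDRS.get(rcvif, set())
    return any(dst in addrs for addrs in IFADDRS.values())  # weak host

if __name__ == "__main__":
    for label, f in [("untagged", build_frame("10.0.0.1")),
                     ("tagged vid 1", build_frame("10.0.0.1", vid=1)),
                     ("tagged vid 2", build_frame("10.0.0.1", vid=2))]:
        print(label, classify(f)[0], accepted(f, 0), accepted(f, 1))
```

In this model the untagged frame and the frame tagged for VLAN 2 both reach 10.0.0.1 under the weak host setting, which is why an address placed on a management VLAN interface is not isolated by the VLAN alone.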