Differences

This shows you the differences between two versions of the page.

docs:guide-user:network:dsa:dsa-mini-tutorial [2021/08/03 12:22] – created richb-hanoverdocs:guide-user:network:dsa:dsa-mini-tutorial [2023/10/19 02:58] – [Introduction] saudiqbal
Line 1: Line 1:
-===== DSA Mini-Tutorial =====+====== DSA Mini-Tutorial ======
  
-/* NOTE TO EDITORS... +===== Introduction =====
-I have already incorporated some of the information from the Preface into the article. +
-I moved the remainder to the end the page, and we can continue to incorporate what's not redundant. +
--richb-hanover +
-*/  +
-==== Introduction ====+
  
 DSA stands for [[https://www.kernel.org/doc/html/latest/networking/dsa/dsa.html|Distributed Switch Architecture]]  DSA stands for [[https://www.kernel.org/doc/html/latest/networking/dsa/dsa.html|Distributed Switch Architecture]] 
Line 16: Line 11:
 **This DSA Mini-Tutorial explains how DSA works with OpenWrt,**  **This DSA Mini-Tutorial explains how DSA works with OpenWrt,** 
 and how it is configured with the LuCI web interface and the ''uci'' configuration file at ''/etc/config/network''. and how it is configured with the LuCI web interface and the ''uci'' configuration file at ''/etc/config/network''.
 +
 +(**Note**: DSA support does not affect wireless configuration in ''/etc/config/wireless''. In particular the wireless config option ifname continues to be valid for specifying a custom name for a WiFi interface.)
  
 **If you are upgrading your OpenWrt device to 21.02 or later,**  **If you are upgrading your OpenWrt device to 21.02 or later,** 
-you should read the [[:playground:richb:converting-to-dsa|Converting to DSA]] and [[:playground:richb:to2102|Upgrading to OpenWrt 21.02.0]] articles.+you should read the [[:docs:guide-user:network:dsa:converting-to-dsa|Converting to DSA]] and 
 +[[:docs:guide-user:network:dsa:upgrading-to-2102|Upgrading to OpenWrt 21.02.0]] articles
 +There is also a [[https://www.youtube.com/watch?v=qeuZqRqH-ug|very good Youtube video from onemarcfifty]] that talks about the theory of VLANs and describes the differences between OpenWrt 19.0x and 21.0x.
  
-==== Terminology ====+//This page is a Work In Process. It contains requests for information from future editors. Specifically, it needs:// 
 +  * //An example for a config file for wireless in Item 1 below// 
 +  * //A discussion of configuring wireless devices and interfaces// 
 +  * //Careful vetting of the information for Items 3 & 4 below// 
 + //If you can contribute your knowledge, we would be pleased for the help.//
  
-In DSA, each //physical// switch port as well as wireless and CPU ports have a separate Linux identity, +===== Terminology =====
-and is assigned its own name like ''lan1'', ''lan2'', ''wan'', ''wlan1'', etc.+
  
-DSA switch ports can be operate as "standalone" //devices// (this is the norm for the WAN and CPU port) +//NOTE: This section is under heavy revision (mid-September 2022). Please refer to the **DSA Terminology** conversation on the OpenWrt-devel mailing list for the latest information. http://lists.openwrt.org/pipermail/openwrt-devel/2022-September/thread.html //
-or can be collected into a DSA //bridge interface//. +
-Each physical port can be a member of only a single bridge. +
-Bridged interfaces forward packets between member ports as needed, handling the traffic at +
-the hardware level to maintain performance. +
-A bridge device functions like a simple unmanaged (hardware) switch all ports can talk together, +
-but are separate form other ports in a different device.+
  
-In DSA, each //interface// configures protocolan IP address, and other attributes onto a //device.//+<del>DSA distinguishes between **interfaces** and **networks**. 
 + 
 +  * **Interfaces** (sometimes called "network interfaces" or "devices") are the software names given to physical connections that convey bits/frames to other computers. They operate at layer 2 in the protocol stack and generally have a MAC address along with several other configurable parameters. //(TRUE?)// 
 +    * //Interfaces// identify and configure hardware components of the device: individual Ethernet switch portswireless radios, USB networking devices, VLANs, or virtual ethernets.  //(TRUE?)// 
 +    * A //bridge// is an interface that groups several individual interfaces together so they can be treated as single entity. A bridge functions like a separate unmanaged (hardware) switchforwarding traffic between member ports as needed at the hardware level to maintain performance. Each interface can be a member of only a single bridge. //(TRUE?)// 
 + 
 +  * **Networks** route IP packets and operate at layer 3 in the protocol stack. //(TRUE?)// 
 +    * A //network// is associated with single //interface// that sends/receives its packets. //(TRUE?)// 
 +    * //Networks// get their IP address parameters by the choice of protocol: Static, DHCP, PPP, 6in4, Wireguard, OpenVPN, etc. //(TRUE?)// 
 +  
 +**Naming Conventions:** //Interfaces// are assigned a name like ''lan1'', ''lan2'', ''wan'', ''wlan1'', ''vlan1'', etc. By convention, a bridge gets a prefix of ''br-'', like ''br-lan''. //Networks// by convention, have upper-case names, such as ''LAN'', ''WAN'', ''WG1'', etc.</del> 
 + 
 +===== OpenWrt and DSA =====
  
 OpenWrt configuration facilities allow you to configure the ports of your device OpenWrt configuration facilities allow you to configure the ports of your device
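Review bot: the replacement Terminology section gives readers nothing usable: its whole body sits inside `<del>`, every definition ends in "(TRUE?)", and the NOTE line points at a mailing-list thread instead of stating a definition, while the removed lines ("DSA switch ports can be operate as "standalone" devices ... or can be collected into a DSA bridge interface" and "Each physical port can be a member of only a single bridge") were concrete and, apart from the "can be operate" typo, correct. Suggest keeping those removed sentences as the working definitions of port, device and bridge until the DSA Terminology discussion settles, and parking the "(TRUE?)" draft in a `/* */` editor comment, as the first hunk did with its note, so struck-through text is not rendered for readers.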
Line 43: Line 51:
   - Multiple networks using VLAN tagging   - Multiple networks using VLAN tagging
  
-=== 1. Bridging all LAN ports ===+//**NOTE:** THE TERMINOLOGY FOR LuCI IS NOT ENTIRELY CONSISTENT WITH THE DEFINITIONS ABOVE. STAY TUNED AS THIS PAGE IS UPDATED.// 
 + 
 +==== 1. Bridging all LAN ports ====
  
 In the initial (and very common) scenario, all LAN switch ports are bridged together into a single 'br-lan' device. In the initial (and very common) scenario, all LAN switch ports are bridged together into a single 'br-lan' device.
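Review bot: the added NOTE is in all capitals and refers to "THE DEFINITIONS ABOVE", but the Terminology section it points at is entirely struck through in this revision, so the reader has no definitions to compare against. Suggest normal case and one concrete sentence naming the mismatch the removed preface described (what LuCI lists under Network -> Interfaces are networks in this page's vocabulary, and what it calls Devices are the interfaces), so the warning is actionable on its own.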
Line 52: Line 62:
 The first image shows all the LAN ports (''lan1'' .. ''lan4'') are part of a //Bridge device// named "br-lan". The first image shows all the LAN ports (''lan1'' .. ''lan4'') are part of a //Bridge device// named "br-lan".
 The second image shows an interface ("LAN") that incorporates the "br-lan" device and been assigned a static address 192.168.1.1. The second image shows an interface ("LAN") that incorporates the "br-lan" device and been assigned a static address 192.168.1.1.
 +
 +To add a wireless device (such as ''wlan0''), open **Network -> Wireless**. Edit the //Device Configuration// section to select the proper radio channel etc. Edit the //Interface Configuration// section (third image) to select the desired interface (from the Network: dropdown) and the SSID, security mode, etc.
  
 {{:media:dsa:dsa-01-device.png}} {{:media:dsa:dsa-01-device.png}}
  
 {{:media:dsa:dsa-01-interface.png}} {{:media:dsa:dsa-01-interface.png}}
 +
 +{{:media:dsa:dsa-01-wireless.png}}
  
 **Configuration file for a Bridged LAN:** **Configuration file for a Bridged LAN:**
 The first half of the file below shows how the ''config device'' section groups the physical ports into a //bridge device// named 'br-lan'. The first half of the file below shows how the ''config device'' section groups the physical ports into a //bridge device// named 'br-lan'.
-The ''config interface 'lan' '' section then incorporates that 'br-lan' device, and sets its IP protocol type, address, etc.+The ''config interface 'lan' '' section then incorporates that 'br-lan' device, and sets its IP protocol type, address, etc. //Need to add the configuration for ''wlan0'' to this file.//
  
 <code> <code>
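Review bot: the editor TODO "//Need to add the configuration for ''wlan0'' to this file.//" is left in reader-facing prose at the end of the paragraph that describes the config file, and the new wireless paragraph tells the reader to pick the interface from the Network: dropdown without saying that this choice is what joins the radio to the ''lan'' network (and so to ''br-lan'') and that it lives in ''/etc/config/wireless'', not in ''/etc/config/network''. Suggest moving the TODO into the Work In Process list in the Introduction, which already tracks this item, or into a `/* */` comment, and adding that one sentence to the wireless paragraph so the reader does not look for a ''wlan0'' line in the network file.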
Line 79: Line 93:
 </code> </code>
  
-=== 2. Multiple bridged networks ===+==== 2. Multiple bridged networks ====
  
 OpenWrt can set up its switch to group multiple ports together into different bridge //interfaces// so their traffic remains separate, even though devices are plugged into the same router. For example, it might be useful to set aside certain ports for "home use" and others for "office use" OpenWrt can set up its switch to group multiple ports together into different bridge //interfaces// so their traffic remains separate, even though devices are plugged into the same router. For example, it might be useful to set aside certain ports for "home use" and others for "office use"
Line 137: Line 151:
 </code> </code>
  
-//No editing beyond this point... // +==== 3. Multiple networks using VLANs ====
- +
-=== 3. Multiple networks using VLANs ===+
  
 Ports can also be separated (grouped) using single bridge with multiple VLANs. Ports can also be separated (grouped) using single bridge with multiple VLANs.
 That requires assigning interfaces to correct software VLANs. That requires assigning interfaces to correct software VLANs.
 +//This item needs careful vetting... //
  
 Example: Example:
Line 186: Line 199:
 </code> </code>
  
-=== 4. Multiple networks using VLAN tagging ===+==== 4. Multiple networks using VLAN tagging ====
  
 With proper bridge VLAN configuration it's also possible for selected port to use VLAN tagged traffic. With proper bridge VLAN configuration it's also possible for selected port to use VLAN tagged traffic.
 It also requires assigning OpenWrt interface to the correct software VLAN. It also requires assigning OpenWrt interface to the correct software VLAN.
 +//This item needs careful vetting... //
  
 Example: Example:
Line 230: Line 244:
 </code> </code>
  
-== Previous Preface == +==== 5Firewall zones for VLANs ====
-/*  +
-I moved all the remaining information from the preface down here so we know +
-what else needs to be incorporated. +
--richb-hanover +
-*/+
  
-**Preface:** This is draft description of the [[https://www.kernel.org/doc/html/latest/networking/dsa/dsa.html|Distributed Switch Architecture]] +Every interface should have correctly configured firewall zone
-used for networking in OpenWrt 21.02 and newer.+However, if you want to only use layer 2 and not layer 3 routing on a VLAN (only switching, no traffic between VLANs), you can set the interface as unmanaged (option proto 'none'), in which case do not set a firewall zone for the interface.
  
-The article needs to address the following questions:+Keep in mind, that at least one interface should have an address (static or DHCP) in order to connect to the device for administrative purposes. That interface must be associated with a firewall zone (or rules) to accept input.
  
-  * Is it correct to say that 'config device..." collects ports into a bridge, and then "config interface" specifies the protocol, addresses, etc for a device?  +Examplewhere VLAN 1, 2 and 3 are only used for switching and VLAN 1 can be used to connect to the device:
-If you set "option type" as "bridge", "config device" will create a bridge interface and bridge the specified ports +
-  config device +
-    option type 'bridge' +
-    option name 'br0' +
-    list ports 'lan1' +
-    list ports 'lan2' +
-    list ports 'lan3' +
-    list ports 'lan4' +
-    list ports 'wan'+
  
-This is more of a tiny detail than a question someone would have for DSA. Bridging is not so different under DSA.+config/network 
 +<code> 
 +config device 'switch' 
 + option name 'switch' 
 + option type 'bridge' 
 + option macaddr 'REDACTED' 
 + list ports 'lan1' 
 + list ports 'lan2' 
 + list ports 'lan3' 
 + list ports 'lan4'
  
-  * Is it correct to say "device => Layer 2; interface => Layer 3"? +config bridge-vlan 'lan_vlan' 
-This is nonsensical and should be removed.+ option device 'switch' 
 + option vlan '1' 
 + list ports 'lan1:u*' 
 + list ports 'lan4:t'
  
-A network interface is a software or hardware interface between two pieces of equipment or protocol layers in a computer network. It is not a protocol itself, therefore cannot abide on any of the OSI layers.+config bridge-vlan 
 + option device 'switch' 
 + option vlan '2' 
 + list ports 'lan1:u*' 
 + list ports 'lan4:t'
  
-  * Where can people get advice about why they would prefer approach 2, 3, or 4? +config bridge-vlan 
-There will be only one approach, this should be removed in the future+ option device 'switch' 
 + option vlan '3
 + list ports 'lan3:u*' 
 + list ports 'lan4:t'
  
-  * How do people route between various interfaces? +config interface 'lan' 
-This is routing, unrelated to switching, should be removed+ option proto 'dhcp' 
 + option device 'switch.1' 
 +  
 +config interface 'iot' 
 + option proto 'none' 
 + option device 'switch.2'
  
-This tutorial should explain configuring switch ports and VLANs on DSA architecture, not routing.+config interface 'guest' 
 + option proto 'none' 
 + option device 'switch.3' 
 +</code>
  
-  * How do firewalls come into play? +config/firewall 
-This is unrelated to switching and there's not much, if not at all of a difference, should be removed +<code> 
-  * How do the wireless interfaces come into play?+config defaults 
 + option syn_flood '1
 + option input 'ACCEPT' 
 + option output 'ACCEPT' 
 + option forward 'REJECT'
  
-**I think this article should address these questions:**+config zone 
 + option name 'lan' 
 + option input 'ACCEPT' 
 + option output 'ACCEPT' 
 + option forward 'ACCEPT' 
 + list network 'lan' 
 +</code>
  
-  * How can I configure VLANs and switch ports using DSA on OpenWrt? +==== 6. Security Considerations with VLANs ====
-  * How can I configure wireless interfaces with VLANs? (Simply: How can I attach my wireless interfaces to networks?+
-  * How can I convert my swconfig configuration to DSA?+
  
-**Notes from Arınç ÜNAL (arinc9)**+See [[https://en.wikipedia.org/wiki/VLAN_hopping#Double_tagging|Wikipedia - VLAN Hopping]]
  
-The current naming OpenWrt has is incorrect and confusing. The "interfaces" under Network -> Interfaces actually represent networks. The actual interfaces are called "device" which is not necessarily wrong but implies as if they only have to be physical interfaces.+  * If using separated VLANs, it is often recommended not to use VLAN 1 for any data networks. This is because VLAN 1 is often hardcoded as a default on a lot of networking equipment and is therefore more often used in attacks and prone to accidental misconfiguration.
  
-When you run ip link, each entry represents an interface on the systemSome are physical, some are logical interfaces.+  * It is also often recommended to change the native VLAN on all trunk ports to an unused VLAN ID to explicitly only allow tagged traffic on trunk portsNote that some hardware doesn't allow to mix tagged with untagged VLAN on one port, so this method cannot be used on it.
  
-UCI treats "config interface" as configuring networks but "config device" as configuring interfaces.+  * Similarly, for added security any unused LAN ports can be also added (as u|*) to an unused VLAN ID.
  
-If you head to Network -> Wireless and assign wireless interface to a networkit will literally call the networks under Network -> Interfaces as "Network".+As an example let's assume setup where:  
 +  * VLANS 1020 and 30 are used for seperated VLANs without any layer 3 routing 
 +  * the ports lan1 and lan2 are trunked ports with all VLANs  
 +  * port lan3 is only for untagged VLAN 1 
 +  * port lan4 is unused 
 +  * VLAN 90 is not used anywhere else and is only there for added security
  
-So, in my opinion:+<code> 
 ++---------+-------+------+------+------+------+ 
 +| VLAN ID | Local | lan1 | lan2 | lan3 | lan4 | 
 ++---------+-------+------+------+------+------+ 
 +|    10          |    |  u|* |   
 ++---------+-------+------+------+------+------+ 
 +|    20          |    |    |   
 ++---------+-------+------+------+------+------+ 
 +|    30          |    |    |   
 ++---------+-------+------+------+------+------+ 
 +|    90          u|* |  u|* |    |  u|* | 
 ++---------+-------+------+------+------+------+ 
 +</code>
  
-  * "config interface" should be renamed to "config network"+<code> 
 +config device 'switch' 
 + option name 'switch' 
 + option type 'bridge' 
 + option macaddr 'REDACTED' 
 + list ports 'lan1' 
 + list ports 'lan2' 
 + list ports 'lan3' 
 + list ports 'lan4'
  
-  * "config device" should be renamed to "config interface"+config bridge-vlan 'lan_vlan' 
 + option device 'switch' 
 + option vlan '10' 
 + list ports 'lan1:t' 
 + list ports 'lan2:t' 
 + list ports 'lan3:u*'
  
-**End of Preface**+config bridge-vlan 
 + option device 'switch' 
 + option vlan '20' 
 + list ports 'lan1:t' 
 + list ports 'lan2:t'
  
 +config bridge-vlan
 + option device 'switch'
 + option vlan '30'
 + list ports 'lan1:t'
 + list ports 'lan2:t'
  
-==== config-network-device ====+config bridge-vlan 
 + option device 'switch' 
 + option vlan '90' 
 + list ports 'lan1:u*' 
 + list ports 'lan2:u*' 
 + list ports 'lan4:u*' 
 + option local '0'
  
-=== Wulfy23 Sample Preface === +config interface 'lan
- + option proto 'dhcp' 
-Major changes to the structuring of config/network definitions to clarify and more clearly differentiate + option device 'switch.10' 
-between what are physical and logical network components. The previous 'manglingof physical devices +  
-under the 'ifname' moniker has been dropped in favor of a clearly defined 'device' section or property+config interface 'iot' 
- + option proto 'none' 
-Simply;+ option device 'switch.20'
  
-=== interface === +config interface 'guest' 
- + option proto 'none
-'**interface**= logical OS level L3 network component with a friendly name addressing, higher level properties and a reference to an underlying physical 'devicegrouping or a single adapter as the device + option device 'switch.30' 
- +</code>
-=== device === +
- +
-'**device**= physical grouping of 'adapters' and in the case of dsa 'ports' or similar L2/L1 network device properties and components to be referenced by a logical 'interface' section, 'type' and 'macaddr' being L2 properties are also migrated to the 'device' section+
  
 +Note: Because local is not checked for VLAN 90, OpenWrt won't even create a device for it and there should be no interface for it, unlike the other VLANs.
  
-In the simplest terms... where previously an 'ifname' was used was used within an 'interface' section... now a 'device' property must be present usually accompanied by a separately defined device section which will containing groupings of 'ports' which map to underlying physical adapters. 
  
-**It is important to note: the samples below are examples that utilize this network-device change, and, the term 'swconfig>dsa'  does not represent the config restructuring as a whole.** 
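Review bot: in the section 6 example the bullet "port lan3 is only for untagged VLAN 1" contradicts both the table and the config that follow, which put lan3 untagged in VLAN 10 ("option vlan '10'" ... "list ports 'lan3:u*'") and, per the bullet just above the list, deliberately keep VLAN 1 out of use; suggest changing the bullet to VLAN 10. Two smaller points in the same hunk: the new section 5 heading reads "5Firewall zones" (missing ". "), and in both examples the only interface through which the device can be reached ("config interface 'lan'") uses option proto 'dhcp', so if no DHCP server answers on that VLAN the router has no management address at all; since the text itself allows "static or DHCP", a static address on the management VLAN is the safer example to show.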
  • Last modified: 2024/10/15 17:13
  • by palebloodsky