Topic: using *BSD for VLAN frame tagging?

I ask this out of curiosity.  Perhaps someone here knows the history.

Each of the *BSDs provides functionality to tag frames with specific VLANs.  As I understand, such frame tagging was initially introduced in FreeBSD, but soon ported to OpenBSD & NetBSD.  Given that most business-caliber switches today offer VLAN functionality, where is VLAN tagging in the *BSDs used today?  My guess is that the commercial switch offerings can provide greater throughput given that the logic is implemented at the ASIC level instead of software, but I'm still curious as to *BSD uses...

Thanks, all.

Re: using *BSD for VLAN frame tagging?

We (School District 73) use it for our in-town fibre network.

The provincial government provides the switches at either end of the fibre links and provides us with a trunk port that carries the vLAN tags for each of the networks.  Our FreeBSD box handles the traffic shaping, packet filtering, and routing for those vLANs.

Works quite nicely.

Re: using *BSD for VLAN frame tagging?

phoenix wrote:

Our FreeBSD box handles the traffic shaping, packet filtering, and routing for those vLANs.

Thanks for your reply.  Assuming this FreeBSD box is within the interior of your network, what filtering & shaping is being done?

Re: using *BSD for VLAN frame tagging?

Our connection to the Internet is 100 Mbps.  That's from the board office out to the rest of the world (we're hoping to bump this to 200 Mbps or even 1 Gbps this year).

The connection to each of the remote sites on the fibre network is 1000 Mbps.  That's from the board office out to the schools.  All of these connect to our vlan box.  Off one interface on the vlan box is a DMZ that contains the file/print servers for the remote sites (all running via Xen VMs).

The vlan box has ipfw rules to only allow the remote sites to access their own Xen VMs, and to limit outgoing connections (general Internet traffic) to 10 Mbps per vlan.  This is done via a single 70 Mbps pipe, and 7 queues of the same weight.  This guarantees each site 10 Mbps of Internet traffic, but allows them to use up to 70 Mbps if there's no traffic from other sites.

This way, traffic to/from the board office and our public servers can use up to 100 Mbps of traffic if we really want.  Traffic between the Internet and schools on the fibre network is limited to 70 Mbps, but traffic between the schools and the board office is 100 Mbps (limited by 100 Mbps NIC in the school firewall).

Dummynet allows us to give the remote sites enough bandwidth to be useful, without any one site hogging everything.  (That's the theory, at least.)

There are also currently a few public servers in the DMZ off the vlan, so there are ipfw rules to allow certain traffic to those as well.

We're in the planning stages to re-work the network here at the board office to make things a little nicer (remove a few hops and switches), add some redundancy to the core firewalls/routers via carp(4), and to move all the public servers from behind the vlan box to our real DMZ.  This will also allow us to shape the traffic for connections to/from the board office.

Right now, it looks something like:

Internet  <-->  sbo firewall  <-->  vlan box  <-->  fibre network  <-->  various sites
                     |                  |
         sbo dmz  <-/ \-> sbo lan       \-> vlan dmz

What it will eventually look like is something like this:

Internet  <-->  vlan box  <-->  fibre network  <-->  various sites
                                      |
                                      \->  sbo firewall  <-->  sbo lan
                                                |
                                                \-> sbo dmz

Re: using *BSD for VLAN frame tagging?

Thanks for taking the time to describe the design.

It looks like you have a lot of traffic going through your FreeBSD VLAN box.  I assume it only has 100Mbps NICs in it?

Likewise, I'm assuming that most of the generated traffic stays within the fiber network, but any connections out to the Internet are throttled down to 100Mbps & this is considered acceptable.

Anyway, I'm intrigued by what school systems do because they have tight budgets & stiff requirements because of the harsh realities of so many people wanting access.

Thanks, again!

Re: using *BSD for VLAN frame tagging?

The vlan box has 2 gigabit NICs and a 10/100 NIC.  One gigabit link connects to the fibre network.  One gigabit link connects to the DMZ for the fibre network.  The 10/100 link is to the firewall for the board office (which connects to the Internet).

Traffic between the schools on the fibre network and the board office (which is the termination point for the fibre links and the central hub for all fibre traffic) is limited by the school firewall to 100 Mbps.  We don't want this to be the full gigabit, as that would saturate the fibre switch at the board office.  Maybe, down the line, if we expand the fibre switch to 24-ports, we can do some link aggregation on the vlan box or maybe get a 10 Gbps port, and bump the school <--> board office link to 1 Gbps.  Until then, 100 Mbps it is.

The vlan box then throttles that traffic down to 10 Mbps for each vlan (70 Mbps combined), for traffic that is destined to/from the Internet.

So, traffic from the schools to the Internet is 10-70 Mbps, traffic between schools is 100 Mbps, and traffic from the schools to servers in the fibre DMZ is 100 Mbps.

Once our upgrade plan is finalised, the hardware arrives, is tested, and is put in place, things will be a little different.   The vlan box will have 3 gigabit links:  one for the fibre network, one for the fibre dmz, and one for the Internet connection.

Traffic between schools and the vlan box will still be limited to 100 Mbps.

Traffic between schools and the servers in the fibre dmz will still be limited to 100 Mbps.

Traffic to the Internet will be bumped up to 25 Mbps per vlan, with 200 Mbps max.

The nice thing about being a school district in British Columbia, Canada, is that we have a provincial IT body that manages all the Internet connections for all the educational institutions in the province.  PLNet (the Provincial Learning Network) installs, upgrades, and manages the Internet connections for all our schools.   We've seen our rural schools go from Switched-56 (56 Kbps leased lines), to 2 Mbps ADSL, to 4 Mbps ADSL, to dual-4 Mbps ADSL.  Some sites have E10 (10 Mbps) lines, with plans to move to E100 (100 Mbps).  Our elementary schools have either 4 Mbps ADSL or 2 Mbps wireless.  Our slowest site uses 10 Mbps satellite.  We (the school district) don't pay for any of that.  We (the citizens) pay for it via our taxes.

We can't say much that's good about our government, but at least in this area, they are ahead of the curve.
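The 70 Mbps pipe with seven equal-weight queues from the earlier post, and the 10 Mbps-per-vlan limit restated above, written out as an added ipfw/dummynet script. This is an illustration, not the district's actual configuration: the trunk NIC em0, the Internet-side NIC em1, VLAN tags 10 to 16 and the rule numbers are all assumed. PIPE_BW is the single value to change for the planned 200 Mbps cap.

```shell
#!/bin/sh
# Added example (not the poster's config): seven per-VLAN queues sharing one
# dummynet pipe on a FreeBSD vlan box. Interface names and VLAN IDs are assumed.
TRUNK="em0"                    # assumed: trunk NIC toward the fibre switch
INET_IF="em1"                  # assumed: NIC toward the board-office firewall
VLANS="10 11 12 13 14 15 16"   # assumed tags, one per remote site
PIPE_NUM=1
PIPE_BW="70Mbit/s"             # combined Internet share of all sites

# Print a command instead of running it when DRY_RUN is set (review before applying).
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One tagged vlan(4) interface per site on the trunk port (tag before vlandev
# keeps this valid on older FreeBSD releases too).
create_vlans() {
    for id in $VLANS; do
        run ifconfig "vlan$id" create vlan "$id" vlandev "$TRUNK" up
    done
}

# One pipe caps the total; equal-weight WF2Q+ queues give every backlogged
# VLAN a seventh of it (10 Mbit/s) and let an idle site's share be borrowed.
shape_internet() {
    run ipfw pipe "$PIPE_NUM" config bw "$PIPE_BW"
    n=0
    for id in $VLANS; do
        n=$((n + 1))
        run ipfw queue "$n" config pipe "$PIPE_NUM" weight 10
        # Site -> Internet: received on the VLAN, transmitted on the Internet NIC.
        run ipfw add $((1000 + n)) queue "$n" ip from any to any out recv "vlan$id" xmit "$INET_IF"
        # Internet -> site: replies land in the same queue, so both directions
        # count against one 10 Mbit/s share (a simplification of the post's design).
        run ipfw add $((2000 + n)) queue "$n" ip from any to any out recv "$INET_IF" xmit "vlan$id"
    done
}

# With net.inet.ip.fw.one_pass=1 (the default) a packet leaving dummynet is
# accepted, so these rules belong after the site-to-DMZ filtering rules.
case "${1:-}" in
    apply)   create_vlans; shape_internet ;;
    dry-run) DRY_RUN=1; create_vlans; shape_internet ;;
esac
```

Run it with `dry-run` first to see the exact ifconfig and ipfw commands it would issue.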