VLANs

VLANs are a way to get multiple Ethernet segments on a single piece of wire. You’ll sometimes see this referred to as 802.1q, tagging, or a combination of these terms.

In OpenBSD terms, one wire can carry multiple networks, and by configuring an additional interface, you can talk to those additional networks as if they had their own private wire. The wire can still carry only so much data, however, so all VLANs and the regular network (or native VLAN) that share the wire share the same pool of bandwidth.

VLAN frames that arrive at your network card are like regular Ethernet frames, with an additional header before the Ethernet frame that says “This is part of VLAN number such-and-such.” Each VLAN is identified by a number. VLAN number 1 is usually the native VLAN—the VLAN that arrives without any tagging whatsoever. For convenience, I’ll use the word “tagged” to describe how the VLAN is delivered to your host.
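The tagging described above, as an added example that is not from the original text: on the wire, 802.1Q carries the VLAN number in a four-byte tag that follows the source MAC address, and this parser reads it back out. The frames are constructed sample data, and parse_vlan and build_frame are names made up for this example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_vlan(frame: bytes) -> dict:
    """Describe the tagging of one Ethernet frame (no preamble or FCS)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"src": frame[6:12].hex(":"), "tagged": False,
            "vlan": None, "priority": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Tag control information: 3 bits priority, 1 bit DEI, 12 bits VLAN ID.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, vlan=tci & 0x0FFF, priority=tci >> 13)
    info["ethertype"] = ethertype  # protocol of the payload, e.g. 0x0800 = IPv4
    return info


def build_frame(vlan=None, priority=0) -> bytes:
    """Constructed sample frame: broadcast IPv4 with a zeroed payload."""
    if vlan is not None and not 0 <= vlan <= 0x0FFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001636c058a5")  # lladdr shown in this page's ifconfig output
    tag = b""
    if vlan is not None:
        tag = struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan)
    return dst + src + tag + struct.pack("!H", 0x0800) + bytes(46)


if __name__ == "__main__":
    # An untagged (native VLAN) frame, then one tagged for VLAN 3.
    for frame in (build_frame(), build_frame(vlan=3, priority=5)):
        print(parse_vlan(frame))
```

An untagged frame reports no VLAN number at all, which is why the switch has to be told explicitly to deliver a VLAN tagged before a vlan(4) interface can see it.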

How would you use VLANs in OpenBSD? Perhaps you have a network divided into multiple Ethernet segments, such as outside the firewall, server area, and desktop clients. Or you might have one OpenBSD host that needs direct access to all of these segments. You could route all of these networks over a single physical wire. You might eventually hit bandwidth problems, but if you’re pushing more than 1Gbps through your server, you can afford a second network card.

Configuring Switches

You must configure your switch to send the VLANs to your OpenBSD box as 802.1q or tagged, depending on the switch’s syntax. Cisco uses 802.1q, HP’s Procurve switches use tagged, and other vendors use whatever their prejudices dictate. There are dozens of different syntaxes to do this, so I won’t give a specific example. If the switch can’t send tagged VLANs to your server, you cannot use VLANs.

Configuring VLAN Devices

OpenBSD creates vlan(4) interfaces upon request. To create the device, you need to know which physical device you want to attach the VLAN to and the number of the VLAN you’re expecting.

Create the vlan interface with ifconfig.

# ifconfig vlanX vlan vlan# vlandev interface

I number my vlan interfaces after the VLAN number they’re used for. (You could create interface vlan0 and attach it to VLAN 3, but that’s too confusing for my feeble brain.) If you don’t specify the VLAN number, OpenBSD assigns the VLAN number from the number on the interface.

For example, here I create interface vlan3 and use it to access VLAN 3 over interface fxp0.

# ifconfig vlan3 vlandev fxp0

That’s really all there is to it. Now you can use ifconfig to display your new interface:

$ ifconfig vlan3
vlan3: flags=48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,INET6_PRIVACY> mtu 1500
        lladdr 00:16:36:c0:58:a5
        priority: 0
        vlan: 3 parent interface: fxp0
        groups: vlan
        status: active
        inet6 fe80::216:36ff:fec0:58a5%vlan3 prefixlen 64 scopeid 0x7

This looks exactly like any physical interface, and from your point of view, it is. You can add IP addresses just as you would to any other interface, assign routes, and get on with your life.

Configuring VLANs at Boot

To configure a VLAN interface at boot time, create a hostname.if file for it. For example, here are the contents of an /etc/hostname.vlan3 file that creates the vlan3 interface demonstrated in the previous section, assigns it to VLAN 3, and configures it automatically for both IPv4 and IPv6:

vlandev fxp0
dhcp
rtsol

OpenBSD should find this file at boot and create the interface according to your commands.
