Wednesday, January 18, 2012

Layer 2 over Layer 3 using Linux built-in features

It is often unnecessary to encrypt traffic when tunneling an L2 network over L3 in a corporate environment. I hear you say: use OpenVPN, tinc, gvpe, n2n, etc. But did you know there is an easy built-in solution that has been part of the Linux kernel since 2.6.29? If you need encryption, just use IPsec to protect the GRE traffic.



The example below assumes eth0 has 172.31.0.1 on Host A and 172.31.0.2 on Host B.

Connect a test PC to port eth1 on Host A and try pinging Host B (10.10.10.2). Yes, it really is that easy.

P.S. Test your setup well, as you usually can't get the full 1500-byte MTU with a configuration like this!

Host A:
ip link add gretap0 type gretap local 172.31.0.1 remote 172.31.0.2
ip link set dev gretap0 up
ip link set dev eth1 up
brctl addbr br0
brctl addif br0 gretap0
brctl addif br0 eth1
ip addr add 10.10.10.1/24 dev br0
ip link set br0 up

Host B:
ip link add gretap0 type gretap local 172.31.0.2 remote 172.31.0.1
ip link set dev gretap0 up
ip link set dev eth1 up
brctl addbr br0
brctl addif br0 gretap0
brctl addif br0 eth1
ip addr add 10.10.10.2/24 dev br0
ip link set br0 up
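
To follow up on the MTU warning in the P.S., here is an added example (not part of the original post) that computes the MTU left inside the gretap tunnel and checks it with don't-fragment pings. The function names are made up for this example, the `extra=` figure for IPsec is something you supply yourself, and the probe assumes the iputils `ping`.

```shell
#!/bin/sh
# Added example: size and verify the MTU of the gretap bridge from the post.

# gretap_mtu UNDERLAY_MTU [key] [csum] [seq] [extra=BYTES]
# Ethernet-over-GRE on IPv4 costs 20 (outer IPv4) + 4 (base GRE header)
# + 14 (inner Ethernet header) = 38 bytes. Each optional GRE field
# (key, csum, seq) adds 4 bytes. extra=BYTES is a caller-supplied figure for
# further encapsulation such as IPsec ESP, whose size depends on the cipher.
gretap_mtu() {
    underlay=$1; shift
    overhead=38
    for opt in "$@"; do
        case $opt in
            key|csum|seq) overhead=$((overhead + 4)) ;;
            extra=|extra=*[!0-9]*) echo "bad option: $opt" >&2; return 2 ;;
            extra=*) overhead=$((overhead + ${opt#extra=})) ;;
            *) echo "unknown option: $opt" >&2; return 2 ;;
        esac
    done
    echo $((underlay - overhead))
}

# Largest ICMP echo payload that fits one IPv4 packet of the given MTU
# (20-byte IPv4 header + 8-byte ICMP header).
ping_payload() { echo $(($1 - 28)); }

# probe_mtu PEER MTU
# Succeeds only if a don't-fragment ping of exactly MTU bytes gets through and
# one byte more does not, i.e. MTU is the real limit on the path to PEER.
probe_mtu() {
    peer=$1; mtu=$2
    ping -c 2 -W 2 -M do -s "$(ping_payload "$mtu")" "$peer" >/dev/null 2>&1 || return 1
    if ping -c 2 -W 2 -M do -s "$(ping_payload $((mtu + 1)))" "$peer" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage on the test PC behind Host A (addresses from the post):
#   probe_mtu 10.10.10.2 "$(gretap_mtu 1500)" && echo "path MTU matches"
```

With a 1500-byte underlay and no GRE options this gives 1462, so hosts on the bridged segment need their MTU lowered to that value or large frames will be dropped at the tunnel.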
