configuration.rst 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458
  1. .. SPDX-License-Identifier: GPL-2.0
  2. =======================================
  3. DSA switch configuration from userspace
  4. =======================================
  5. The DSA switch configuration is not integrated into the main userspace
  6. network configuration suites by now and has to be performed manually.
  7. .. _dsa-config-showcases:
  8. Configuration showcases
  9. -----------------------
  10. To configure a DSA switch a couple of commands need to be executed. In this
  11. documentation some common configuration scenarios are handled as showcases:
  12. *single port*
  13. Every switch port acts as a different configurable Ethernet port
  14. *bridge*
  15. Every switch port is part of one configurable Ethernet bridge
  16. *gateway*
  17. Every switch port except one upstream port is part of a configurable
  18. Ethernet bridge.
  19. The upstream port acts as different configurable Ethernet port.
  20. All configurations are performed with tools from iproute2, which is available
  21. at https://www.kernel.org/pub/linux/utils/net/iproute2/
  22. Through DSA every port of a switch is handled like a normal linux Ethernet
  23. interface. The CPU port is the switch port connected to an Ethernet MAC chip.
  24. The corresponding linux Ethernet interface is called the conduit interface.
  25. All other corresponding linux interfaces are called user interfaces.
  26. The user interfaces depend on the conduit interface being up in order for them
  27. to send or receive traffic. Prior to kernel v5.12, the state of the conduit
  28. interface had to be managed explicitly by the user. Starting with kernel v5.12,
  29. the behavior is as follows:
  30. - when a DSA user interface is brought up, the conduit interface is
  31. automatically brought up.
  32. - when the conduit interface is brought down, all DSA user interfaces are
  33. automatically brought down.
  34. In this documentation the following Ethernet interfaces are used:
  35. *eth0*
  36. the conduit interface
  37. *eth1*
  38. another conduit interface
  39. *lan1*
  40. a user interface
  41. *lan2*
  42. another user interface
  43. *lan3*
  44. a third user interface
  45. *wan*
  46. A user interface dedicated for upstream traffic
  47. Further Ethernet interfaces can be configured similar.
  48. The configured IPs and networks are:
  49. *single port*
  50. * lan1: 192.0.2.1/30 (192.0.2.0 - 192.0.2.3)
  51. * lan2: 192.0.2.5/30 (192.0.2.4 - 192.0.2.7)
  52. * lan3: 192.0.2.9/30 (192.0.2.8 - 192.0.2.11)
  53. *bridge*
  54. * br0: 192.0.2.129/25 (192.0.2.128 - 192.0.2.255)
  55. *gateway*
  56. * br0: 192.0.2.129/25 (192.0.2.128 - 192.0.2.255)
  57. * wan: 192.0.2.1/30 (192.0.2.0 - 192.0.2.3)
  58. .. _dsa-tagged-configuration:
  59. Configuration with tagging support
  60. ----------------------------------
  61. The tagging based configuration is desired and supported by the majority of
  62. DSA switches. These switches are capable to tag incoming and outgoing traffic
  63. without using a VLAN based configuration.
  64. *single port*
  65. .. code-block:: sh
  66. # configure each interface
  67. ip addr add 192.0.2.1/30 dev lan1
  68. ip addr add 192.0.2.5/30 dev lan2
  69. ip addr add 192.0.2.9/30 dev lan3
  70. # For kernels earlier than v5.12, the conduit interface needs to be
  71. # brought up manually before the user ports.
  72. ip link set eth0 up
  73. # bring up the user interfaces
  74. ip link set lan1 up
  75. ip link set lan2 up
  76. ip link set lan3 up
  77. *bridge*
  78. .. code-block:: sh
  79. # For kernels earlier than v5.12, the conduit interface needs to be
  80. # brought up manually before the user ports.
  81. ip link set eth0 up
  82. # bring up the user interfaces
  83. ip link set lan1 up
  84. ip link set lan2 up
  85. ip link set lan3 up
  86. # create bridge
  87. ip link add name br0 type bridge
  88. # add ports to bridge
  89. ip link set dev lan1 master br0
  90. ip link set dev lan2 master br0
  91. ip link set dev lan3 master br0
  92. # configure the bridge
  93. ip addr add 192.0.2.129/25 dev br0
  94. # bring up the bridge
  95. ip link set dev br0 up
  96. *gateway*
  97. .. code-block:: sh
  98. # For kernels earlier than v5.12, the conduit interface needs to be
  99. # brought up manually before the user ports.
  100. ip link set eth0 up
  101. # bring up the user interfaces
  102. ip link set wan up
  103. ip link set lan1 up
  104. ip link set lan2 up
  105. # configure the upstream port
  106. ip addr add 192.0.2.1/30 dev wan
  107. # create bridge
  108. ip link add name br0 type bridge
  109. # add ports to bridge
  110. ip link set dev lan1 master br0
  111. ip link set dev lan2 master br0
  112. # configure the bridge
  113. ip addr add 192.0.2.129/25 dev br0
  114. # bring up the bridge
  115. ip link set dev br0 up
  116. .. _dsa-vlan-configuration:
  117. Configuration without tagging support
  118. -------------------------------------
  119. A minority of switches are not capable to use a taging protocol
  120. (DSA_TAG_PROTO_NONE). These switches can be configured by a VLAN based
  121. configuration.
  122. *single port*
  123. The configuration can only be set up via VLAN tagging and bridge setup.
  124. .. code-block:: sh
  125. # tag traffic on CPU port
  126. ip link add link eth0 name eth0.1 type vlan id 1
  127. ip link add link eth0 name eth0.2 type vlan id 2
  128. ip link add link eth0 name eth0.3 type vlan id 3
  129. # For kernels earlier than v5.12, the conduit interface needs to be
  130. # brought up manually before the user ports.
  131. ip link set eth0 up
  132. ip link set eth0.1 up
  133. ip link set eth0.2 up
  134. ip link set eth0.3 up
  135. # bring up the user interfaces
  136. ip link set lan1 up
  137. ip link set lan2 up
  138. ip link set lan3 up
  139. # create bridge
  140. ip link add name br0 type bridge
  141. # activate VLAN filtering
  142. ip link set dev br0 type bridge vlan_filtering 1
  143. # add ports to bridges
  144. ip link set dev lan1 master br0
  145. ip link set dev lan2 master br0
  146. ip link set dev lan3 master br0
  147. # tag traffic on ports
  148. bridge vlan add dev lan1 vid 1 pvid untagged
  149. bridge vlan add dev lan2 vid 2 pvid untagged
  150. bridge vlan add dev lan3 vid 3 pvid untagged
  151. # configure the VLANs
  152. ip addr add 192.0.2.1/30 dev eth0.1
  153. ip addr add 192.0.2.5/30 dev eth0.2
  154. ip addr add 192.0.2.9/30 dev eth0.3
  155. # bring up the bridge devices
  156. ip link set br0 up
  157. *bridge*
  158. .. code-block:: sh
  159. # tag traffic on CPU port
  160. ip link add link eth0 name eth0.1 type vlan id 1
  161. # For kernels earlier than v5.12, the conduit interface needs to be
  162. # brought up manually before the user ports.
  163. ip link set eth0 up
  164. ip link set eth0.1 up
  165. # bring up the user interfaces
  166. ip link set lan1 up
  167. ip link set lan2 up
  168. ip link set lan3 up
  169. # create bridge
  170. ip link add name br0 type bridge
  171. # activate VLAN filtering
  172. ip link set dev br0 type bridge vlan_filtering 1
  173. # add ports to bridge
  174. ip link set dev lan1 master br0
  175. ip link set dev lan2 master br0
  176. ip link set dev lan3 master br0
  177. ip link set eth0.1 master br0
  178. # tag traffic on ports
  179. bridge vlan add dev lan1 vid 1 pvid untagged
  180. bridge vlan add dev lan2 vid 1 pvid untagged
  181. bridge vlan add dev lan3 vid 1 pvid untagged
  182. # configure the bridge
  183. ip addr add 192.0.2.129/25 dev br0
  184. # bring up the bridge
  185. ip link set dev br0 up
  186. *gateway*
  187. .. code-block:: sh
  188. # tag traffic on CPU port
  189. ip link add link eth0 name eth0.1 type vlan id 1
  190. ip link add link eth0 name eth0.2 type vlan id 2
  191. # For kernels earlier than v5.12, the conduit interface needs to be
  192. # brought up manually before the user ports.
  193. ip link set eth0 up
  194. ip link set eth0.1 up
  195. ip link set eth0.2 up
  196. # bring up the user interfaces
  197. ip link set wan up
  198. ip link set lan1 up
  199. ip link set lan2 up
  200. # create bridge
  201. ip link add name br0 type bridge
  202. # activate VLAN filtering
  203. ip link set dev br0 type bridge vlan_filtering 1
  204. # add ports to bridges
  205. ip link set dev wan master br0
  206. ip link set eth0.1 master br0
  207. ip link set dev lan1 master br0
  208. ip link set dev lan2 master br0
  209. # tag traffic on ports
  210. bridge vlan add dev lan1 vid 1 pvid untagged
  211. bridge vlan add dev lan2 vid 1 pvid untagged
  212. bridge vlan add dev wan vid 2 pvid untagged
  213. # configure the VLANs
  214. ip addr add 192.0.2.1/30 dev eth0.2
  215. ip addr add 192.0.2.129/25 dev br0
  216. # bring up the bridge devices
  217. ip link set br0 up
  218. Forwarding database (FDB) management
  219. ------------------------------------
  220. The existing DSA switches do not have the necessary hardware support to keep
  221. the software FDB of the bridge in sync with the hardware tables, so the two
  222. tables are managed separately (``bridge fdb show`` queries both, and depending
  223. on whether the ``self`` or ``master`` flags are being used, a ``bridge fdb
  224. add`` or ``bridge fdb del`` command acts upon entries from one or both tables).
  225. Up until kernel v4.14, DSA only supported user space management of bridge FDB
  226. entries using the bridge bypass operations (which do not update the software
  227. FDB, just the hardware one) using the ``self`` flag (which is optional and can
  228. be omitted).
  229. .. code-block:: sh
  230. bridge fdb add dev swp0 00:01:02:03:04:05 self static
  231. # or shorthand
  232. bridge fdb add dev swp0 00:01:02:03:04:05 static
  233. Due to a bug, the bridge bypass FDB implementation provided by DSA did not
  234. distinguish between ``static`` and ``local`` FDB entries (``static`` are meant
  235. to be forwarded, while ``local`` are meant to be locally terminated, i.e. sent
  236. to the host port). Instead, all FDB entries with the ``self`` flag (implicit or
  237. explicit) are treated by DSA as ``static`` even if they are ``local``.
  238. .. code-block:: sh
  239. # This command:
  240. bridge fdb add dev swp0 00:01:02:03:04:05 static
  241. # behaves the same for DSA as this command:
  242. bridge fdb add dev swp0 00:01:02:03:04:05 local
  243. # or shorthand, because the 'local' flag is implicit if 'static' is not
  244. # specified, it also behaves the same as:
  245. bridge fdb add dev swp0 00:01:02:03:04:05
  246. The last command is an incorrect way of adding a static bridge FDB entry to a
  247. DSA switch using the bridge bypass operations, and works by mistake. Other
  248. drivers will treat an FDB entry added by the same command as ``local`` and as
  249. such, will not forward it, as opposed to DSA.
  250. Between kernel v4.14 and v5.14, DSA has supported in parallel two modes of
  251. adding a bridge FDB entry to the switch: the bridge bypass discussed above, as
  252. well as a new mode using the ``master`` flag which installs FDB entries in the
  253. software bridge too.
  254. .. code-block:: sh
  255. bridge fdb add dev swp0 00:01:02:03:04:05 master static
  256. Since kernel v5.14, DSA has gained stronger integration with the bridge's
  257. software FDB, and the support for its bridge bypass FDB implementation (using
  258. the ``self`` flag) has been removed. This results in the following changes:
  259. .. code-block:: sh
  260. # This is the only valid way of adding an FDB entry that is supported,
  261. # compatible with v4.14 kernels and later:
  262. bridge fdb add dev swp0 00:01:02:03:04:05 master static
  263. # This command is no longer buggy and the entry is properly treated as
  264. # 'local' instead of being forwarded:
  265. bridge fdb add dev swp0 00:01:02:03:04:05
  266. # This command no longer installs a static FDB entry to hardware:
  267. bridge fdb add dev swp0 00:01:02:03:04:05 static
  268. Script writers are therefore encouraged to use the ``master static`` set of
  269. flags when working with bridge FDB entries on DSA switch interfaces.
  270. Affinity of user ports to CPU ports
  271. -----------------------------------
  272. Typically, DSA switches are attached to the host via a single Ethernet
  273. interface, but in cases where the switch chip is discrete, the hardware design
  274. may permit the use of 2 or more ports connected to the host, for an increase in
  275. termination throughput.
  276. DSA can make use of multiple CPU ports in two ways. First, it is possible to
  277. statically assign the termination traffic associated with a certain user port
  278. to be processed by a certain CPU port. This way, user space can implement
  279. custom policies of static load balancing between user ports, by spreading the
  280. affinities according to the available CPU ports.
  281. Secondly, it is possible to perform load balancing between CPU ports on a per
  282. packet basis, rather than statically assigning user ports to CPU ports.
  283. This can be achieved by placing the DSA conduits under a LAG interface (bonding
  284. or team). DSA monitors this operation and creates a mirror of this software LAG
  285. on the CPU ports facing the physical DSA conduits that constitute the LAG slave
  286. devices.
  287. To make use of multiple CPU ports, the firmware (device tree) description of
  288. the switch must mark all the links between CPU ports and their DSA conduits
  289. using the ``ethernet`` reference/phandle. At startup, only a single CPU port
  290. and DSA conduit will be used - the numerically first port from the firmware
  291. description which has an ``ethernet`` property. It is up to the user to
  292. configure the system for the switch to use other conduits.
  293. DSA uses the ``rtnl_link_ops`` mechanism (with a "dsa" ``kind``) to allow
  294. changing the DSA conduit of a user port. The ``IFLA_DSA_CONDUIT`` u32 netlink
  295. attribute contains the ifindex of the conduit device that handles each user
  296. device. The DSA conduit must be a valid candidate based on firmware node
  297. information, or a LAG interface which contains only slaves which are valid
  298. candidates.
  299. Using iproute2, the following manipulations are possible:
  300. .. code-block:: sh
  301. # See the DSA conduit in current use
  302. ip -d link show dev swp0
  303. (...)
  304. dsa master eth0
  305. # Static CPU port distribution
  306. ip link set swp0 type dsa master eth1
  307. ip link set swp1 type dsa master eth0
  308. ip link set swp2 type dsa master eth1
  309. ip link set swp3 type dsa master eth0
  310. # CPU ports in LAG, using explicit assignment of the DSA conduit
  311. ip link add bond0 type bond mode balance-xor && ip link set bond0 up
  312. ip link set eth1 down && ip link set eth1 master bond0
  313. ip link set swp0 type dsa master bond0
  314. ip link set swp1 type dsa master bond0
  315. ip link set swp2 type dsa master bond0
  316. ip link set swp3 type dsa master bond0
  317. ip link set eth0 down && ip link set eth0 master bond0
  318. ip -d link show dev swp0
  319. (...)
  320. dsa master bond0
  321. # CPU ports in LAG, relying on implicit migration of the DSA conduit
  322. ip link add bond0 type bond mode balance-xor && ip link set bond0 up
  323. ip link set eth0 down && ip link set eth0 master bond0
  324. ip link set eth1 down && ip link set eth1 master bond0
  325. ip -d link show dev swp0
  326. (...)
  327. dsa master bond0
  328. Notice that in the case of CPU ports under a LAG, the use of the
  329. ``IFLA_DSA_CONDUIT`` netlink attribute is not strictly needed, but rather, DSA
  330. reacts to the ``IFLA_MASTER`` attribute change of its present conduit (``eth0``)
  331. and migrates all user ports to the new upper of ``eth0``, ``bond0``. Similarly,
  332. when ``bond0`` is destroyed using ``RTM_DELLINK``, DSA migrates the user ports
  333. that were assigned to this interface to the first physical DSA conduit which is
  334. eligible, based on the firmware description (it effectively reverts to the
  335. startup configuration).
  336. In a setup with more than 2 physical CPU ports, it is therefore possible to mix
  337. static user to CPU port assignment with LAG between DSA conduits. It is not
  338. possible to statically assign a user port towards a DSA conduit that has any
  339. upper interfaces (this includes LAG devices - the conduit must always be the LAG
  340. in this case).
  341. Live changing of the DSA conduit (and thus CPU port) affinity of a user port is
  342. permitted, in order to allow dynamic redistribution in response to traffic.
  343. Physical DSA conduits are allowed to join and leave at any time a LAG interface
  344. used as a DSA conduit; however, DSA will reject a LAG interface as a valid
  345. candidate for being a DSA conduit unless it has at least one physical DSA conduit
  346. as a slave device.