IP Forwarding Control and Special Interfaces

IP forwarding essentially turns a gateway into a router that is capable of forwarding IP datagrams between directly attached physical or virtual interfaces. In firewall setups, it is often desirable to disable IP forwarding during bootup and firewall initialization for security purposes, so as not to leave the gateway forwarding unfiltered traffic during the boot sequence before the firewall inspection engine resumes control of forwarding. It is also a good idea to make sure IP forwarding is disabled before the firewall terminates at system shutdown. Example 3-2 demonstrates how you can enable/disable IPv4 and multicast forwarding via sysctl parameters. This is possible for IPv6 as well.

Example 3-2. Linux IP Forwarding-Related sysctl Variables

[root@callisto:~#] sysctl -a | grep forwarding
net.ipv4.conf.pimreg.mc_forwarding = 1
net.ipv4.conf.pimreg.forwarding = 1
net.ipv4.conf.ipsec0.mc_forwarding = 0
net.ipv4.conf.ipsec0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 1
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 1
net.ipv4.conf.all.forwarding = 1
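The boot-time ordering the text recommends, as an added example that is not from the book: forwarding is switched off before the rules load and comes back only if the load succeeded. SYSCTL_ROOT is an assumption so the functions can be exercised against a scratch directory instead of the live /proc/sys tree, and only the forwarding flag is written (mc_forwarding is left alone).

```shell
#!/bin/sh
# Added example (not from the book): bring a firewall gateway up in the order
# the text recommends: forwarding off, rules loaded, forwarding back on only
# if the rule load succeeded. SYSCTL_ROOT is an assumption so the functions
# can be exercised against a scratch directory instead of the live /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Map a dotted sysctl key (net.ipv4.conf.all.forwarding) to its procfs file.
sysctl_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

get_sysctl() { cat "$(sysctl_path "$1")"; }

# Write a sysctl value; refuse (rather than create a stray file) if the key
# does not exist on this kernel.
set_sysctl() {
    [ -f "$(sysctl_path "$1")" ] || { echo "no such key: $1" >&2; return 1; }
    printf '%s\n' "$2" > "$(sysctl_path "$1")"
}

# net.ipv4.conf.all.forwarding switches every interface at once, so it is
# the knob to flip around a rule (re)load.
forwarding_off() { set_sysctl net.ipv4.conf.all.forwarding 0; }
forwarding_on()  { set_sysctl net.ipv4.conf.all.forwarding 1; }

# firewall_init CMD...: CMD loads the ruleset, for example
#   firewall_init sh -c 'iptables-restore < /etc/firewall.rules'
# Forwarding comes back only if CMD succeeds; on failure the gateway stays
# non-forwarding instead of passing unfiltered traffic.
firewall_init() {
    forwarding_off || return 1
    if "$@"; then
        forwarding_on
    else
        echo "rule load failed; forwarding left disabled" >&2
        return 1
    fi
}

# Shutdown mirrors it: forwarding off first, then CMD may flush the rules.
firewall_stop() { forwarding_off && "$@"; }

# Print the interfaces whose per-interface forwarding flag is 1 in a
# "sysctl -a" dump read from stdin (the format of Example 3-2).
forwarding_interfaces() {
    sed -n 's/^net\.ipv4\.conf\.\([^.]*\)\.forwarding = 1$/\1/p'
}
```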

VLAN Subinterface Support and Trunk Termination (802.1Q)

When you connect one of a UNIX gateway's Ethernet interfaces to a switch or router, that interface can act as an access link or uplink. The same interface can also carry multiple VLAN subinterfaces and act as a pipe (trunk) for all of them.

For VLAN tagging, two methods exist: the Cisco Systems proprietary Inter-Switch Link (ISL) flavor, and the standardized IEEE 802.1Q method. In fact, what we call an uplink is a special case of a trunk carrying only one (untagged) VLAN, usually the default VLAN of the switch. Therefore, a UNIX gateway can route between these VLANs ("router on a stick") or form a pipe to a Cisco neighbor using the same subinterface scheme and VLAN tagging. The subinterfaces form logical interfaces on both Cisco and UNIX gateways.

Note that VLANs result in separated broadcast/multicast domains with Media Access Control (MAC) layer isolation. They are a popular way of separating customer access and services in data centers or service provider server segments and are also widely deployed to segment enterprise entities into multiple VLAN realms that can span hundreds of switches.

To support large VLAN switched environments with a lot of trunks, Cisco has developed the proprietary VLAN Trunking Protocol (VTP), which enables switching hierarchies to flood VLAN information on trunk ports. In fact, VLANs are the Ethernet equivalent of the subinterface concept that Frame Relay provides on serial WAN interfaces and ATM provides on dedicated ATM interfaces. However, you need to be aware of VLAN security issues, especially if customers are directly connected to the access port of a switch (MAC-level access). In this case, there exists the possibility of VLAN security penetration and denial-of-service (DoS) attacks under certain circumstances, such as heavy load, MAC address spoofing, malicious VLAN labeling from access ports, trunk and spanning-tree manipulation, and so on. This is especially a matter of concern in cable provider access networks and modern metro networks.

All UNIX operating systems under discussion in this chapter support the standardized IEEE 802.1Q VLAN tagging mechanism as long as this option is enabled in the kernel. (See Appendix A for more information.) VTP is not supported under UNIX. The actual configuration of VLAN interfaces usually happens via the ifconfig command on BSD and via the vconfig command on Linux.

VLAN tagging adds protocol overhead (4 octets in the case of 802.1Q) to the Ethernet frame. This has to be accounted for by manually reducing the maximum frame size via the ifconfig command. Otherwise the network interface card (NIC) driver will silently discard the giant frame. In fact, these giants (also called jumbo frames) are a general caveat in Multiprotocol Label Switching (MPLS) and IP Security (IPSec) setups as well. Tagging always adds overhead. You can alter the maximum transmission unit (MTU) by typing ifconfig {interface} mtu 1496 on Linux or BSD.
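Terminating a trunk on a Linux gateway with the tools the two preceding paragraphs name, as an added example that is not from the book: vconfig creates the subinterface and ifconfig sets the address and the reduced MTU. Interface names, VLAN IDs and addresses are made up; with DRY_RUN=1 the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not from the book): terminate an 802.1Q trunk on a Linux
# gateway with the tools the text names, vconfig for the subinterface and
# ifconfig for address and MTU. Interface names, VLAN IDs and addresses are
# made up; with DRY_RUN=1 the commands are printed instead of executed.
DRY_RUN="${DRY_RUN:-0}"
TAG_OVERHEAD=4   # octets the 802.1Q header adds to every tagged frame

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# vlan_mtu PARENT_MTU: the largest IP MTU a tagged subinterface can use when
# the NIC driver drops anything above the untagged maximum (1500 -> 1496).
vlan_mtu() { echo $(( $1 - TAG_OVERHEAD )); }

# add_vlan PARENT VID ADDRESS NETMASK [PARENT_MTU]
# Creates PARENT.VID, assigns the address and clamps the MTU so the tagged
# frame still fits into the parent's maximum frame size.
add_vlan() {
    parent=$1; vid=$2; addr=$3; mask=$4; pmtu=${5:-1500}
    case $vid in
        ''|*[!0-9]*) echo "bad VLAN id: '$vid'" >&2; return 1 ;;
    esac
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "VLAN id out of range: $vid" >&2; return 1
    fi
    run vconfig add "$parent" "$vid" || return 1
    run ifconfig "$parent.$vid" "$addr" netmask "$mask" \
        mtu "$(vlan_mtu "$pmtu")" up
}

# router_on_a_stick PARENT VID:ADDR:MASK ...: one subinterface per VLAN on a
# single trunk, then IPv4 forwarding on so the gateway routes between them.
router_on_a_stick() {
    trunk=$1; shift
    run ifconfig "$trunk" up || return 1
    for spec in "$@"; do
        vid=${spec%%:*}; rest=${spec#*:}
        add_vlan "$trunk" "$vid" "${rest%%:*}" "${rest#*:}" || return 1
    done
    run sysctl -w net.ipv4.conf.all.forwarding=1
}
```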

It is often necessary to alter the MAC address of an Ethernet interface. In particular, cable broadband providers control and provision access via MAC addresses. Whether changing the "burned-in" address is possible or not depends on the hardware and the NIC driver (and therefore the availability of special utilities for this particular purpose). It is not a general feature of the ifconfig command you can rely on.

Alias or Secondary Interfaces

Secondary (alias) interfaces can satisfy the requirements to support multiple addresses on one physical interface. This can also be accomplished with VLANs, as discussed in the VLAN section, with the benefit of MAC layer separation. With an alias address configured, the interface essentially listens to relevant traffic on two segments or a second address within the same broadcast domain. This feature has been supported for a long time on almost all operating systems and is popular for virtual web servers. It is referred to as secondary addresses on Cisco routers and virtual interfaces on Sun Solaris. Examples follow in Chapter 5.