Bridging Vlan traffic on routed network

Linux Advanced Routing and Traffic Control

Hi everybody!

As part of a NAC implementation, I've created a new VLAN for the
"isolated" devices. From this VLAN, the computers in it are not able
to communicate with anything, except what I want (via iptables).
So, the thing is that I'm trying to bridge some traffic from one
"isolation" VLAN (VLAN 3) to the "production" VLAN (VLAN 800).
I'm working on a routed network (Enterasys routing) that takes care of
the routing and VLAN tagging stuff, of course...

The point is that I want the Linux box to filter the packets between
those VLANs. I've tried with brctl and ebtables, but at first the
"isolated" computer was not able to reach the servers on the
"production" VLAN (I was seeing the ARP requests from the PC, asking
for the MAC of its gateway), and after a few tries I managed to get it
working, but after a few minutes the entire network went down... :(
So, definitely, I'm doing something wrong...

Here's an example of the scenario:

VLAN 110: 172.26.0.0/16 (gw: 172.26.135.136)
VLAN 800: 172.20.0.0/16 (gw: 172.20.135.136)
VLAN 3: (isolation, not routed by the Enterasys)

[ PC isolated (VLAN 3) ]                                    [ Enterasys Router ]
  IP: 172.26.135.109   ------> [ Cisco 3560 ] ---(trunk)--->   |     |      |
  GW: 172.26.135.136                                         VLAN 3  |   VLAN 800
                                                               |     |      |
                                                          [ Linux Bridge Box ]
                                                                     |
                                                                  VLAN 800
                                                                     |
                                                                 [ Server ]
                                                              IP: 172.20.100.2
                                                              GW: 172.20.135.136

As you can see, the packets from the Router to the bridge box arrive
"tagged"... I've also tried configuring the "VLAN800" port towards the
Linux box as an "access port", but then the packets never came back to
the Linux box (I only see the computer's ARP requests coming from VLAN 3,
passing through the bridge and leaving by the "access" interface...)

So, I configured both ports of Enterasys router as "tagged ports" and
the linux bridge box as the following:

# strip any IP address from the two trunk ports; they only carry frames
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
# one tagged sub-interface per trunk: eth0.800 (production), eth1.3 (isolation)
vconfig add eth0 800
vconfig add eth1 3
ifconfig eth0.800 up
ifconfig eth1.3 up
# bridge the two sub-interfaces; frames from VLAN 3 leave re-tagged as VLAN 800
brctl addbr br0
brctl addif br0 eth0.800
brctl addif br0 eth1.3
ifconfig br0 up

With this configuration, the computer can communicate with the
servers, but after a while, the entire network goes down! :-/

What would be the best way to do this kind of packet forwarding? I
know that this work can be done with the Router itself, but it's not
able to filter the packets as iptables does (fine grained)... so
that's why I'm putting the Linux bridge between those VLANs.

What am I missing?

Thanks in advance!!

PS: By the way, STP is disabled in the router and also in the Linux bridge box.
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
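Added example (not from the post or its author): the same two-VLAN bridge
built with iproute2 instead of vconfig/brctl, together with the filtering
the post is after. It keeps STP on the bridge, makes bridged IPv4 visible to
iptables through br_netfilter, and default-denies everything except the
isolated VLAN reaching the one production server. Interface names, VLAN ids
and the server address come from the post; the DRY_RUN switch, the
run()/setup_*/count_bridge_ports helpers and the "apply" argument are
assumptions of this example so the command list can be reviewed before it
touches a live network.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Builds the VLAN 3 <-> VLAN 800
# bridge with iproute2 and filters it with iptables (via br_netfilter) and
# ebtables. DRY_RUN=1 (an assumption of this example) only prints commands.
set -eu

TRUNK_PROD=eth0      # trunk port carrying VLAN 800 (production)
TRUNK_ISO=eth1       # trunk port carrying VLAN 3 (isolation)
VLAN_PROD=800
VLAN_ISO=3
BRIDGE=br0
SERVER=172.20.100.2  # the only production host isolated PCs may reach

# run CMD... : execute the command, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_bridge: one VLAN sub-interface per trunk, joined by a single bridge.
# A frame entering on eth1.3 leaves on eth0.800 re-tagged as VLAN 800, so the
# bridge itself is what moves traffic between the two VLANs.
setup_bridge() {
    run ip link add link "$TRUNK_PROD" name "$TRUNK_PROD.$VLAN_PROD" type vlan id "$VLAN_PROD"
    run ip link add link "$TRUNK_ISO" name "$TRUNK_ISO.$VLAN_ISO" type vlan id "$VLAN_ISO"
    run ip link add name "$BRIDGE" type bridge
    # keep STP on the box: a second L2 path between the VLANs is a loop risk
    run ip link set "$BRIDGE" type bridge stp_state 1
    run ip link set "$TRUNK_PROD.$VLAN_PROD" master "$BRIDGE"
    run ip link set "$TRUNK_ISO.$VLAN_ISO" master "$BRIDGE"
    for dev in "$TRUNK_PROD" "$TRUNK_ISO" "$TRUNK_PROD.$VLAN_PROD" "$TRUNK_ISO.$VLAN_ISO" "$BRIDGE"; do
        run ip link set "$dev" up
    done
}

# setup_filters: let iptables see bridged IPv4 (br_netfilter), then allow only
# isolated -> server and the replies of those flows. ebtables limits the
# bridge to ARP and IPv4 so nothing else crosses between the VLANs.
setup_filters() {
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m physdev --physdev-in "$TRUNK_ISO.$VLAN_ISO" -d "$SERVER" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$TRUNK_PROD.$VLAN_PROD" -s "$SERVER" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run ebtables -P FORWARD DROP
    run ebtables -A FORWARD -p ARP -j ACCEPT
    run ebtables -A FORWARD -p IPv4 -j ACCEPT
}

# count_bridge_ports: sanity check on the dry run; exactly two ports should
# join the bridge (one per VLAN), anything else means a typo above.
count_bridge_ports() {
    DRY_RUN=1 setup_bridge | grep -c "master $BRIDGE"
}

main() {
    setup_bridge
    setup_filters
}

# Only touch the system when invoked as "./bridge.sh apply"
if [ "${1:-}" = apply ]; then
    main
fi
```

Review the command list first with "DRY_RUN=1 sh bridge.sh apply"; run it
without DRY_RUN (as root) once it looks right. The FORWARD policy is DROP
before any ACCEPT is added, so a partial run leaves the bridge closed rather
than open.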



