Hi Alex,

On Wed, Jul 10, 2013 at 03:37:16PM +0200, Alex Font wrote:
> [...]
>
> Here's an example of the scenario:

The network diagram is totally garbled, I cannot see anything. :-(

> [...]
> So, I configured both ports of the Enterasys router as "tagged ports" and
> the linux bridge box as the following:
>
> ifconfig eth0 0.0.0.0
> ifconfig eth1 0.0.0.0
> vconfig add eth0 800
> vconfig add eth1 3
> brctl addbr br0
> brctl addif br0 eth0.800
> brctl addif br0 eth1.3
>
> With this configuration, the computer can communicate with the
> servers, but after a while, the entire network goes down! :-/

Bridging the VLANs 800 and 3 together might have created a loop. That
would be the most common way to bring down a network after some minutes
using a switch.

> What would be the best way to do this kind of packet forwarding? I
> know that this work can be done with the router itself, but it's not
> able to filter the packets as iptables does (fine grained)... so
> that's why I'm putting the linux bridge between those VLANs.

What kind of Enterasys router do you use? Their higher end multi-layer
switches can do very fine grained filtering. The Cisco 3560 switch should
allow a lot of fine grained filtering as well.

> PS: By the way, STP is disabled in the router and also in the Linux
> bridge box.

Why did you disable STP? You need it on all access ports (together with
spanguard (Enterasys) resp. bpdu guard (Cisco)) to mitigate the impact of
rogue switches and cables. (Of course you can still create a loop by
filtering out the BPDUs, so you still need broadcast and multicast
limiters on your switch ports as well.)

Anyway, I'd think that you should not bridge the isolated VLAN with any
other VLAN, but provide remediation services (resp. whatever you want to
provide there) using a VLAN interface on the server.

HTH,
Erik

--
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are, by
definition, not smart enough to debug it. -- Brian W. Kernighan

--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
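Added example (not from either mail): a small detector for the two symptoms a Linux bridge shows when a VLAN-bridging loop like the one above forms, the kernel's "received packet on ... with own address as source address" notice and a MAC address flapping between the bridge ports. The log lines and forwarding-database events are constructed samples; the bridge and port names are taken from Alex's configuration.

```python
import re
from collections import defaultdict

# Notice the Linux bridge logs when a frame carrying the bridge's own MAC
# comes back in on one of its ports: the classic sign of a forwarding loop.
OWN_ADDR_RE = re.compile(
    r"(?P<br>\S+): received packet on (?P<port>\S+) "
    r"with own address as source address"
)

# Constructed syslog excerpt for br0 bridging eth0.800 and eth1.3.
SAMPLE_LOG = """\
Jul 10 15:40:01 bridge kernel: [120.1] br0: port 1(eth0.800) entered forwarding state
Jul 10 15:40:01 bridge kernel: [120.2] br0: port 2(eth1.3) entered forwarding state
Jul 10 15:42:17 bridge kernel: [256.0] br0: received packet on eth1.3 with own address as source address
Jul 10 15:42:17 bridge kernel: [256.1] br0: received packet on eth0.800 with own address as source address
Jul 10 15:42:18 bridge kernel: [257.0] br0: received packet on eth1.3 with own address as source address
"""

def own_address_hits(log_text):
    """Count 'own address' notices per (bridge, port)."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = OWN_ADDR_RE.search(line)
        if m:
            hits[(m.group("br"), m.group("port"))] += 1
    return dict(hits)

# Constructed forwarding-database observations: (mac, port), in order seen.
# The same host MAC keeps moving between the two bridge ports.
SAMPLE_FDB = [
    ("00:11:22:33:44:55", "eth0.800"),
    ("00:11:22:33:44:55", "eth1.3"),
    ("00:11:22:33:44:55", "eth0.800"),
    ("aa:bb:cc:dd:ee:01", "eth1.3"),
]

def mac_flaps(events, threshold=2):
    """Return MACs that moved between ports at least `threshold` times."""
    last, moves = {}, defaultdict(int)
    for mac, port in events:
        if mac in last and last[mac] != port:
            moves[mac] += 1
        last[mac] = port
    return {mac for mac, n in moves.items() if n >= threshold}

def loop_suspected(log_text, fdb_events):
    """True when either symptom indicates a loop through the bridge."""
    return bool(own_address_hits(log_text)) or bool(mac_flaps(fdb_events))
```

On a real box the log text comes from dmesg or the syslog and the fdb events from repeated `bridge fdb show` snapshots; either symptom appearing shortly after the bridge ports enter forwarding state is the cue to take the second VLAN out of the bridge.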