Hi, we're running the standard Linux bridge setup (redundant bridge) for 5 years now. So first of all, thanks to everyone involved for implementing the bridging feature in Linux.

Now I'm trying to bridge hosts connected to VLAN'ed Cisco switches using Linux bridge. I'm testing the following setup (Kernel 2.6.19, bridge-utils 1.2 on both bridges):

http://i147.photobucket.com/albums/r293/mrennt/BridgeProblem.jpg

The diagram shows how everything is set up. I'm not happy with the block of eth0 on BRIDGE2. Although I'm able to reach the IP configured on the bridge interface, I'm not sure if this is the correct STP behaviour, because eth0 is blocked, thus it shouldn't respond!?

Both Cisco switches (2950) have VLANs 1,10,20,31,32,33,34,50 configured.

Here's what I've done so far:
- Changed the multicast address on both bridges in order to not conflict with the Cisco switches' spanning tree (as described in http://lists.osdl.org/pipermail/bridge/2005-October/001116.html)
- Enabled the bpdufilter on the trunk connections of both switches
- On the bridges: filtering requests originating in one VLAN going into another VLAN, i.e.
    ebtables -A FORWARD -i vlan10 -o ! eth0 -j DROP

Here's the output of brctl of both bridges. I'm not sure about the attachment policy in this mailing list, so I'm not posting the output below as attachment, sorry if it's hard to read. :/ Let me know if a copy via mail is better.
ON SERVER "BRIDGE1"
---------------------------------------------------------
# brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             0000.000423c1e5f2       yes             eth0
                                                        vlan10
                                                        vlan20
                                                        vlan30
                                                        vlan31
                                                        vlan32
                                                        vlan33
                                                        vlan34
                                                        vlan50

# brctl showstp br0
br0
 bridge id              0000.000423c1e5f2
 designated root        0000.000423c1e5f2
 root port                 0                    path cost                  0
 max age                   4.00                 bridge max age             4.00
 hello time                1.00                 bridge hello time          1.00
 forward delay             4.00                 bridge forward delay       4.00
 ageing time             300.00
 hello timer               0.25                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                   0.06
 flags

eth0 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                100
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8001                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.48
 flags

vlan10 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8002                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags                  CONFIG_PENDING

vlan20 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8003                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags

vlan30 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8004                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags

vlan31 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8005                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags

vlan32 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8006                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags

vlan33 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8007                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags

vlan34 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8008                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags

vlan50 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8009                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags                  CONFIG_PENDING
---------------------------------------------------------

vlan50 is always CONFIG_PENDING (after the very first state change). The port id is 0000 (all zeroes) on all ports; it used to be 8000 some time ago, not sure when it changed. Is this correct? It doesn't look correct to me to have 0000 on all ports.

ON SERVER "BRIDGE2"
---------------------------------------------------------
# brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             0064.00116b333a97       yes             eth0
                                                        vlan10
                                                        vlan20
                                                        vlan30
                                                        vlan31
                                                        vlan32
                                                        vlan33
                                                        vlan34
                                                        vlan50

# brctl showstp br0
br0
 bridge id              0064.00116b333a97
 designated root        0000.000423c1e5f2
 root port                 2                    path cost                 19
 max age                   4.00                 bridge max age             4.00
 hello time                1.00                 bridge hello time          1.00
 forward delay             4.00                 bridge forward delay       4.00
 ageing time             300.00
 hello timer               0.00                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                   0.06
 flags

eth0 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                100
 designated bridge      0000.000423c1e5f2       message age timer          3.35
 designated port        8001                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

vlan10 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8002                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

vlan20 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8003                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

vlan30 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8004                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

vlan31 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8005                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

vlan32 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8006                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

vlan33 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8007                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

vlan34 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8008                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

vlan50 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8009                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags
---------------------------------------------------------

Same thing about the port ids on "BRIDGE2".

In order to achieve the desired setup (as shown in the diagram), I thought all vlan ports would be blocked and eth0 would be unblocked. Really weird why vlan10 is not blocked; it's configured on both Cisco switches and on BRIDGE1.
Here's an abstract of the startscript I'm using (on BRIDGE1):
---------------------------------------------------------
BR_IF_DMZ=eth0
BR_IF_MZ=eth1
BR_NAME=br0
BR_PRIO=1
BR_IF_DMZ_COST=100
BR_IF_MZ_COST=1
VLAN=/etc/vlan.conf   # one vlan id per line

# Tool paths: the full init script defines these before this abstract starts;
# defaults are supplied here so the excerpt runs on its own.
BRCTL=${BRCTL:-/sbin/brctl}
VCONFIG=${VCONFIG:-/sbin/vconfig}
EBTABLES=${EBTABLES:-/sbin/ebtables}

echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/ifconfig $BR_IF_DMZ down
/sbin/ifconfig $BR_IF_MZ down
# /sbin/ifconfig $BR_IF_DMZ 0.0.0.0 promisc || return=$rc_failed
# /sbin/ifconfig $BR_IF_MZ 0.0.0.0 promisc || return=$rc_failed
/sbin/ifconfig $BR_IF_DMZ 0.0.0.0 up || return=$rc_failed
/sbin/ifconfig $BR_IF_MZ 0.0.0.0 up || return=$rc_failed

$BRCTL addbr $BR_NAME || return=$rc_failed
$BRCTL addif $BR_NAME $BR_IF_DMZ || return=$rc_failed

# Basic Settings
sleep 1
$BRCTL sethello $BR_NAME 1 || return=$rc_failed
$BRCTL setmaxage $BR_NAME 4 || return=$rc_failed
$BRCTL setfd $BR_NAME 4 || return=$rc_failed
$BRCTL stp $BR_NAME on || return=$rc_failed
$BRCTL setbridgeprio $BR_NAME $BR_PRIO || return=$rc_failed
$BRCTL setpathcost $BR_NAME $BR_IF_DMZ $BR_IF_DMZ_COST || return=$rc_failed
echo "$BRCTL setpathcost $BR_NAME $BR_IF_DMZ $BR_IF_DMZ_COST"

for file in $BR_NAME $BR_IF_DMZ $BR_IF_MZ; do
    echo "1" > /proc/sys/net/ipv4/conf/${file}/proxy_arp;
    echo "1" > /proc/sys/net/ipv4/conf/${file}/forwarding;
done;

# Setup VLAN Interfaces
# Use vlan<id> name type
$VCONFIG set_name_type VLAN_PLUS_VID_NO_PAD
while read conf ; do
    case "$conf" in
        \#*|"") ;;   # Ignore empty lines and comments
        *)
            pattern=[[:space:]]*\#*
            vlan="${conf%%$pattern}"   # Remove whitespace and comments
            # Add VLAN to internal interface
            $VCONFIG add $BR_IF_MZ $vlan
            # Add VLAN to bridge
            $BRCTL addif $BR_NAME vlan$vlan || return=$rc_failed
            sleep 1
            $BRCTL setpathcost $BR_NAME vlan$vlan $BR_IF_MZ_COST || return=$rc_failed
            # /sbin/ifconfig vlan$vlan 0.0.0.0 promisc || return=$rc_failed
            /sbin/ifconfig vlan$vlan 0.0.0.0 up || return=$rc_failed
            # Block VLAN-to-VLAN traffic with ebtables already at L2
            $EBTABLES -A FORWARD -i vlan$vlan -o ! $BR_IF_DMZ -j DROP || return=$rc_failed
            echo "1" > /proc/sys/net/ipv4/conf/vlan$vlan/proxy_arp;
            echo "1" > /proc/sys/net/ipv4/conf/vlan$vlan/forwarding;
            ;;
    esac
done < $VLAN
# End VLAN Setup

sleep 5
ifconfig br0 192.168.1.93 netmask 255.255.255.0
---------------------------------------------------------

Here's ebtables output:

Bridge chain: FORWARD, entries: 8, policy: ACCEPT
-i vlan10 -o ! eth0 -j DROP
-i vlan20 -o ! eth0 -j DROP
-i vlan30 -o ! eth0 -j DROP
-i vlan31 -o ! eth0 -j DROP
-i vlan32 -o ! eth0 -j DROP
-i vlan33 -o ! eth0 -j DROP
-i vlan34 -o ! eth0 -j DROP
-i vlan50 -o ! eth0 -j DROP

No rules in iptables so far.
-------------------------

So is the behaviour of STP correct or is this wrong?

Thanks to anyone taking the time reading this through. ;)

Best,
Michael
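To make the root-port election visible on the figures posted above, here is an added example (not code from the post, and not part of bridge-utils) that replays the 802.1D comparison on the BRIDGE2 "brctl showstp" values: BRIDGE1 (0000.000423c1e5f2) as root, eth0 at path cost 100, every vlan port at path cost 19, and all ports hearing the root itself on designated ports 8001..8009. The own port ids 0x8001 upwards and the eth0 path cost of 1 used in the second run are assumptions, as is the simplification that every port hears the same root (which the output shows).

```python
"""Replay of the 802.1D root-port election on the BRIDGE2 figures from the post.

Added example (not code from the post). The root/designated values are copied
from the BRIDGE2 'brctl showstp' output; the per-port own port ids (0x8001
upwards) and the eth0 path cost of 1 in the 'what if' run are assumptions.
Simplification: every port is assumed to hear BPDUs naming the same root.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    port_id: int            # this bridge's own port id for the port (assumed 0x8001..)
    path_cost: int          # cost of the link attached to this port
    designated_root: str    # root bridge id in the best BPDU heard on the port
    designated_cost: int    # root path cost carried in that BPDU
    designated_bridge: str  # id of the bridge that sent that BPDU
    designated_port: int    # sender's port id


def bridge_key(bridge_id: str) -> Tuple[int, int]:
    """'0064.00116b333a97' -> (priority, mac); the numerically lower id wins."""
    prio, mac = bridge_id.split(".")
    return (int(prio, 16), int(mac, 16))


def root_path_vector(p: Port):
    """Priority vector compared when picking the root port; lower wins."""
    return (bridge_key(p.designated_root),
            p.designated_cost + p.path_cost,   # our root path cost via this port
            bridge_key(p.designated_bridge),
            p.designated_port,
            p.port_id)


def elect(bridge_id: str, ports: List[Port]) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (root port name, or None if we are root, {port name: state})."""
    own = bridge_key(bridge_id)
    # Only BPDUs naming a better root than ourselves can make a port a root port.
    candidates = [p for p in ports if bridge_key(p.designated_root) < own]
    if not candidates:
        # We are the root: every port is designated and forwards (BRIDGE1's case).
        return None, {p.name: "forwarding" for p in ports}
    root_port = min(candidates, key=root_path_vector)
    root = bridge_key(root_port.designated_root)
    root_cost = root_port.designated_cost + root_port.path_cost
    states: Dict[str, str] = {}
    for p in ports:
        if p is root_port:
            states[p.name] = "forwarding"
            continue
        # On every other segment, compare the BPDU we would send with the one we hear.
        ours = (root, root_cost, own, p.port_id)
        theirs = (bridge_key(p.designated_root), p.designated_cost,
                  bridge_key(p.designated_bridge), p.designated_port)
        # Better than the heard BPDU: designated (forwarding); otherwise alternate (blocking).
        states[p.name] = "forwarding" if ours < theirs else "blocking"
    return root_port.name, states


# Figures copied from the post: BRIDGE1 is root with priority 0, BRIDGE2 has priority 0x64.
BRIDGE1 = "0000.000423c1e5f2"
BRIDGE2 = "0064.00116b333a97"
PORT_NAMES = ["eth0", "vlan10", "vlan20", "vlan30", "vlan31",
              "vlan32", "vlan33", "vlan34", "vlan50"]


def bridge2_ports(eth0_cost: int = 100) -> List[Port]:
    """BRIDGE2's ports as brctl showed them: eth0 costs 100, every vlan port 19,
    and all of them hear the root itself on designated ports 8001..8009."""
    return [Port(name, 0x8001 + i, eth0_cost if name == "eth0" else 19,
                 BRIDGE1, 0, BRIDGE1, 0x8001 + i)
            for i, name in enumerate(PORT_NAMES)]


if __name__ == "__main__":
    for cost in (100, 1):   # as posted, then with eth0 made the cheapest port (assumption)
        rp, states = elect(BRIDGE2, bridge2_ports(eth0_cost=cost))
        print(f"eth0 path cost {cost}: root port = {rp}")
        for name, state in states.items():
            print(f"  {name:<7} {state}")
```

With the posted costs the election picks vlan10 as root port (lowest root path cost, 19, and among the equal-cost vlan ports the lowest designated port id, 8002) and leaves eth0 and the remaining vlan ports as alternates in blocking, which is exactly what the BRIDGE2 output shows; the IP on br0 stays reachable because STP blocks forwarding between ports, not traffic addressed to the bridge itself. The second run shows that eth0 only becomes the root port on BRIDGE2 once its path cost is lower than the vlan ports' cost, which in the posted script is done only on BRIDGE1.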