Re: RFC: Simple Private VLAN impl.

Ross Vandegrift <ross@xxxxxxxxxxx> wrote on 12/06/2009 14:52:14:
>
> On Fri, Jun 12, 2009 at 11:41:55AM +0200, Joakim Tjernlund wrote:
> > Yes, sets would be nice. However I wonder if this case isn't a bug
> > in any case:
> > Consider these VLANS:
> >  eth0.4042
> >  eth0.4043
> >  eth0.4044
> >
> > Add them to a bridge and the bridge will pass pkgs between them, right?
> > However no real switch I know would do that because they are on
> > the same physical interface.
>
> No, that's not a problem at all.  Any dot1q bridge would behave
> exactly as Linux does if it supports VLAN bridging (which at least
> Cisco, Nortel, and Juniper do in varying capacities).
>
> Moreover, any dot1q bridge that doesn't support VLAN bridging can
> (be careful!) have the feature added by adding one untagged port into
> each VLAN and cabling them to a dot1d bridge.  Linux just saves you
> cables.
>
> The split-horizon rule is for flooding into a broadcast domain.  For
> purposes of split-horizon flooding, each of your VLAN interfaces are
> physical interfaces - a broadcast frame arrived on one of the ports
> and needs to be flooded out all of the others.

hmm, then I don't understand how Private VLAN is supposed to work over
the interswitch port. If I understand you correctly, a Bcast pkg arriving
on VLAN 4042 will be forwarded back over 4043 and 4044 VLANs, then the
receiving switch will forward back these two pkgs once again and
it never stops?

I have updated the script you sent me, what do you think?

#!/bin/sh
#.4042 = Promisc/Primary VLAN (P)
#.4043 = Isolated VLAN (I)
#.4044 = Community VLAN (C)
#These VLANs represent the interswitch port:
# Promisc ports only TX to P, but RX from P, C & I
# Community ports only TX to C VLAN, but RX from C & P
# Isolated ports only TX to I VLAN, but RX only P

#Note that pkgs must not be forwarded between the different uplinks.

P_UPLINK=eth0.4042
I_UPLINK=eth0.4043
C_UPLINK=eth0.4044

#PROMISC_IFS="eth1.1"
PROMISC_IFS=
ISOLATED_IFS="eth1.2"
COMM_IFS="eth1.3 eth1.4 eth1.5 eth1.6"

EB=/root/ebtables

# Stop on the first ebtables error so a half-loaded ruleset is noticed.
set -e

"$EB" --init-table
#"$EB" --flush
"$EB" -P FORWARD DROP

# This will take care of all communications to/from a promiscuous
# interface, regardless of the role of the "other" interface.
# ebtables is first-match, so the uplink DROPs must come before the ACCEPTs.
for interface in $PROMISC_IFS; do
  "$EB" -A FORWARD -o "$I_UPLINK" -i "$interface" -j DROP
  "$EB" -A FORWARD -o "$C_UPLINK" -i "$interface" -j DROP
  "$EB" -A FORWARD -i "$interface" -j ACCEPT
  "$EB" -A FORWARD -o "$interface" -j ACCEPT
done
# Frames from the P uplink may reach every local port but never the other
# two uplinks (see the note above); without these DROPs the unconditional
# ACCEPT would flood them back out eth0.4043 and eth0.4044.
"$EB" -A FORWARD -i "$P_UPLINK" -o "$I_UPLINK" -j DROP
"$EB" -A FORWARD -i "$P_UPLINK" -o "$C_UPLINK" -j DROP
"$EB" -A FORWARD -i "$P_UPLINK" -j ACCEPT

for iso in $ISOLATED_IFS; do
    "$EB" -A FORWARD -i "$iso" -o "$I_UPLINK" -j ACCEPT
done


# Interfaces in a community need a full mesh of connectivity in
# addition to the above.

"$EB" -N IN_COMMUNITY
"$EB" -P IN_COMMUNITY DROP

"$EB" -N OUT_COMMUNITY
"$EB" -P OUT_COMMUNITY DROP

for comm in $COMM_IFS; do
   "$EB" -A IN_COMMUNITY  -i "$comm" -j ACCEPT
   "$EB" -A OUT_COMMUNITY -o "$comm" -j ACCEPT
done

# Community ports TX to the C uplink and also RX from it.
"$EB" -A OUT_COMMUNITY -o "$C_UPLINK" -j ACCEPT
"$EB" -A IN_COMMUNITY  -i "$C_UPLINK" -j ACCEPT

for comm in $COMM_IFS; do
   "$EB" -A FORWARD -i "$comm" -j OUT_COMMUNITY
   "$EB" -A FORWARD -o "$comm" -j IN_COMMUNITY
done
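An added Python model of the ruleset above, not part of the posted script: it replays ebtables first-match semantics over every ingress/egress pair so the whole forwarding matrix can be checked offline against the TX/RX table in the script's header comments, including the case asked about above (a frame from VLAN 4042 must not go back out 4043 or 4044). The model assumes the two rules those comments call for but the rule list can omit: DROPs from the P uplink to the other two uplinks, and an IN_COMMUNITY ACCEPT from the C uplink; port names are the script's own, with PROMISC_IFS set to eth1.1 and two community ports as constructed sample values.

```python
# Offline model of the ebtables FORWARD policy for the private-VLAN script.
# Semantics modelled: first matching rule wins; a user-chain target is a
# jump whose verdict (or the chain's policy, if nothing matches) is final.
# RETURN is not modelled because the script never uses it.
P_UPLINK, I_UPLINK, C_UPLINK = "eth0.4042", "eth0.4043", "eth0.4044"
PROMISC_IFS = ["eth1.1"]          # constructed: the script leaves this empty
ISOLATED_IFS = ["eth1.2"]
COMM_IFS = ["eth1.3", "eth1.4"]   # constructed: two of the script's four

# A rule is (ingress match or None, egress match or None, target).
def build_chains():
    fwd = []
    for p in PROMISC_IFS:
        fwd += [(p, I_UPLINK, "DROP"), (p, C_UPLINK, "DROP"),
                (p, None, "ACCEPT"), (None, p, "ACCEPT")]
    # Uplink-to-uplink DROPs (assumed): keep a broadcast from the P VLAN
    # from being flooded back out the I and C VLANs of the same trunk.
    fwd += [(P_UPLINK, I_UPLINK, "DROP"), (P_UPLINK, C_UPLINK, "DROP"),
            (P_UPLINK, None, "ACCEPT")]
    fwd += [(i, I_UPLINK, "ACCEPT") for i in ISOLATED_IFS]
    in_comm = [(c, None, "ACCEPT") for c in COMM_IFS]
    in_comm.append((C_UPLINK, None, "ACCEPT"))   # assumed: RX from C VLAN
    out_comm = [(None, c, "ACCEPT") for c in COMM_IFS]
    out_comm.append((None, C_UPLINK, "ACCEPT"))  # TX to C VLAN
    for c in COMM_IFS:
        fwd += [(c, None, "OUT_COMMUNITY"), (None, c, "IN_COMMUNITY")]
    return {"FORWARD": (fwd, "DROP"), "IN_COMMUNITY": (in_comm, "DROP"),
            "OUT_COMMUNITY": (out_comm, "DROP")}

def verdict(chains, ifin, ifout, chain="FORWARD"):
    """First-match walk of one chain for a frame entering ifin, leaving ifout."""
    rules, policy = chains[chain]
    for rin, rout, target in rules:
        if (rin is None or rin == ifin) and (rout is None or rout == ifout):
            return verdict(chains, ifin, ifout, target) if target in chains else target
    return policy          # nothing matched: the chain's policy applies

def forwarding_matrix(chains=None):
    """Verdict for every ordered pair of bridge ports, as {(in, out): verdict}."""
    chains = chains or build_chains()
    ports = [P_UPLINK, I_UPLINK, C_UPLINK] + PROMISC_IFS + ISOLATED_IFS + COMM_IFS
    return {(a, b): verdict(chains, a, b) for a in ports for b in ports if a != b}

if __name__ == "__main__":
    for (a, b), v in sorted(forwarding_matrix().items()):
        print(f"{a:>9} -> {b:<9} {v}")
```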
