Bridging Vlan traffic on routed network

Hi everybody!

As part of a NAC implementation, I've created a new VLAN for the "isolated" devices; from this VLAN, the computers in it are not able to communicate with anything, except what I want (via iptables).
So, the thing is that I'm trying to bridge some traffic from one "isolation" VLAN (VLAN 3) to the "production" VLAN (VLAN 800).
I'm working on a routed network (Enterasys routing) that takes care of the routing and VLAN tagging stuff, of course...

The point is that I want the Linux box to filter the packets between those VLANs. I've tried with brctl and ebtables, but at first the "isolated" computer was not able to reach the servers on the "production" VLAN (I was seeing the ARP requests from the PC, asking for the MAC of its gateway); after a few tries I managed to get it working, but after a few minutes the entire network went down... :( So, definitely, I'm doing something wrong...

Here's an example of the scenario:

VLAN 110: 172.26.0.0/16 (gw: 172.26.135.136)
VLAN 800: 172.20.0.0/16 (gw: 172.20.135.136)
VLAN 3: (isolation, not routed by the Enterasys)

___________________
| PC isolated (VLAN 3)|                                                  172.20.135.136                         ____________
|IP: 172.26.135.109    |                                               __172.26.135.136_                       |                    |
|GW: 172.26.135.136  |------->| Cisco 3560 |---(trunk)---->|Enterasys Router|----VLAN3---------|Linux Bridge  |
---------------------------------                                               |--------------------------|-----VLAN800-----|     Box          |
                                                                                          |                                        |---------------------|
                                                                                          |
                                                                                        VLAN800
                                                                                          |
                                                                                      ------------
                                                                                      | Server|
                                                                                      ------------
                                                                                   IP:172.20.100.2
                                                                                   GW:172.20.135.136

As you can see, the packets from the router to the bridge box arrive "tagged"... I've also tried configuring the "VLAN800" port towards the Linux box as an "access port", but then the packets never came back to the Linux box (I only see the computer's ARP requests coming from VLAN 3, passing through the bridge and leaving by the "access" interface...)

So, I configured both ports of the Enterasys router as "tagged ports" and the Linux bridge box as follows:

ifconfig eth0 0.0.0.0          # no IP on the physical NICs, they only carry tagged frames
ifconfig eth1 0.0.0.0
vconfig add eth0 800           # creates eth0.800 (production VLAN, tag 800)
vconfig add eth1 3             # creates eth1.3 (isolation VLAN, tag 3)
brctl addbr br0
brctl addif br0 eth0.800       # the bridge ports are the untagged VLAN subinterfaces
brctl addif br0 eth1.3
ifconfig br0 up                # the bridge only forwards once it is up

With this configuration, the computer can communicate with the servers, but after a while the entire network goes down! :-/

What would be the best way to do this kind of packet forwarding? I know that this work can be done by the router itself, but it's not able to filter the packets as finely as iptables does... so that's why I'm putting the Linux bridge between those VLANs.

What am I missing?

Thanks in advance!!

PS: By the way, STP is disabled in the router and also in the Linux bridge box.
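As an added example (not from the original post), this is how the same bridge can be built with iproute2 and how the "filter between the VLANs with iptables" goal from the post can be expressed: bridged frames are pushed through the iptables FORWARD chain via br_netfilter, and the physdev match pins each rule to the bridge port the frame entered and leaves on. It assumes the interface names eth0/eth1/br0 from the post and uses the server 172.20.100.2 from the scenario as the only host the isolated VLAN may reach (constructed policy; the allowed port is an assumption).

```shell
#!/bin/sh
# Added example: Linux bridge between isolation VLAN 3 and production VLAN 800,
# with the bridged traffic filtered by iptables (physdev match) instead of ebtables.
set -eu

ISO_IF=eth1.3               # isolation side: VLAN 3 on eth1 (names from the post)
PROD_IF=eth0.800            # production side: VLAN 800 on eth0
BR=br0
ALLOWED_SERVER=172.20.100.2 # server from the scenario in the post (assumed policy)
ALLOWED_PORT=443            # assumption: only HTTPS to that server is permitted

build_bridge() {
  # iproute2 equivalents of the vconfig/brctl commands; the bridge carries no IP.
  ip link add link eth0 name "$PROD_IF" type vlan id 800
  ip link add link eth1 name "$ISO_IF" type vlan id 3
  ip link add name "$BR" type bridge stp_state 0   # STP off, as in the post
  ip link set "$PROD_IF" master "$BR"
  ip link set "$ISO_IF" master "$BR"
  for i in eth0 eth1 "$PROD_IF" "$ISO_IF" "$BR"; do ip link set "$i" up; done
  # make bridged IPv4 frames traverse the iptables FORWARD chain
  modprobe br_netfilter
  sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Emit the FORWARD rules as text so they can be reviewed (or tested) before applying.
filter_rules() {
  cat <<EOF
-A FORWARD -m physdev --physdev-in $ISO_IF --physdev-out $PROD_IF -d $ALLOWED_SERVER -p tcp --dport $ALLOWED_PORT -j ACCEPT
-A FORWARD -m physdev --physdev-in $PROD_IF --physdev-out $ISO_IF -s $ALLOWED_SERVER -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -m physdev --physdev-in $ISO_IF -j LOG --log-prefix NAC-DROP:
-A FORWARD -m physdev --physdev-in $ISO_IF -j DROP
EOF
}

apply_rules() {
  iptables -P FORWARD DROP     # default deny; only the explicit rules below pass
  filter_rules | while read -r rule; do eval "iptables $rule"; done
}

# Only touch the system when explicitly asked (needs root): ./bridge.sh apply
if [ "${1:-}" = apply ]; then
  build_bridge
  apply_rules
fi
```

Frames the isolated host sends to anything other than the allowed server are logged with the NAC-DROP: prefix before being dropped, which gives the NAC side a record of what quarantined machines attempt.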
