On Tue, Feb 15, 2005 at 12:17:05PM -0500, Aaron S. Joyner wrote:
> I have numerous subnets, which are all identical. [..]
> Any input anyone can offer about possible solutions, or even
> providing further insight into the problem, would be most
> appreciated. :)

This is tough. VRF would work for you, but it seems not quite mature from the web site. But it could be that the web is just out of date.

The problem is that at some point in the Linux system any network connection will be represented only by an IP address and port combination; any information about the incoming port on the system (VLAN) will be lost at that point. (This is in the application, and applications only know IP addresses, unless they are written specifically to find out more.) When the application wants to reply, it responds to the originator IP and port, and when the kernel has multiple routing choices the packet will always follow the first matching route.

Your assumption that the problem is during reply is completely correct.

There are two solutions that I can see. Both suck.

One is to rewrite/extend all services that are running on the Linux system so that they do pay special attention to which interface the packet actually came in on, and use tricks that can be caught by iptables, and routing, to make responses go out the same path.

The other is to NETMAP each VLAN into a different IP network. There is a NAT target in the kernel for this. This is NAT, so your applications may suffer with this option too. NETMAP is a 1:1 mapping of IP addresses from one IP network to another. This does not scale too well since there's only a limited number of private IP networks reserved.

Which is better will depend on the applications you run.

I hope this helps.

//Peter
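The iptables-and-routing version of the first option above, as an added example that is not part of the original thread. It assumes a hypothetical box with VLAN interfaces such as eth0.10 and eth0.20 that all carry 192.168.1.1/24 towards identical 192.168.1.0/24 client subnets; the interface names, the numbering and the subnet are assumptions for the example. The idea is the one Peter hints at: the first packet of each connection gets the ingress VLAN's number stamped on its conntrack entry (CONNMARK), locally generated replies get that mark copied back onto them in mangle OUTPUT (after which the kernel re-routes the packet), and an ip rule sends marked packets to a per-VLAN routing table that only knows that VLAN's copy of the subnet.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates (and optionally
# applies) the iptables + policy-routing rules that make replies leave on
# the VLAN the connection arrived on.
#
# Assumed, hypothetical setup: VLAN interfaces such as eth0.10 and eth0.20,
# each carrying 192.168.1.1/24 towards an identical 192.168.1.0/24 client
# subnet. In "eth0.10=10" the number after '=' is used both as the
# connection mark and as the routing table number.

NET=192.168.1.0/24

# vlan_rules IFACE ID: print the commands for one VLAN. Returns 1 on a bad ID.
# Table numbers 253-255 are reserved (default/main/local), so IDs are 1..252.
vlan_rules() {
    ifname=$1
    id=$2
    case $id in
        ''|*[!0-9]*) echo "vlan_rules: bad id '$id' for $ifname" >&2; return 1 ;;
    esac
    if [ "$id" -lt 1 ] || [ "$id" -gt 252 ]; then
        echo "vlan_rules: id $id out of range 1..252 for $ifname" >&2; return 1
    fi
    # 1. Loose reverse-path filtering: with the same /24 on every VLAN, strict
    #    rp_filter would drop packets on every interface but the first route's.
    # 2. The first packet of a connection arriving on this VLAN stamps the
    #    conntrack entry with the VLAN's mark.
    # 3. A per-VLAN table containing only this VLAN's copy of the subnet.
    # 4. Packets carrying the mark are routed by that table, ahead of main.
    printf '%s\n' \
        "# --- $ifname: connection mark and routing table $id" \
        "echo 2 > /proc/sys/net/ipv4/conf/$ifname/rp_filter" \
        "iptables -t mangle -A PREROUTING -i $ifname -m conntrack --ctstate NEW -j CONNMARK --set-mark $id" \
        "ip route replace $NET dev $ifname table $id" \
        "ip rule add fwmark $id lookup $id priority $((1000 + $id))"
}

# global_rules: printed once. Locally generated packets that belong to an
# existing connection get the connection mark copied back onto them in
# mangle OUTPUT; the kernel re-routes a packet whose mark changed there,
# so the reply hits the fwmark rule and leaves on the VLAN it came from.
global_rules() {
    printf '%s\n' \
        "# --- common" \
        "iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark"
}

# emit_all IFACE=ID ...: the complete rule set for all VLANs.
emit_all() {
    global_rules || return 1
    for spec in "$@"; do
        vlan_rules "${spec%=*}" "${spec#*=}" || return 1
    done
}

# main: print the rules, or execute them line by line when APPLY=1 (as root).
main() {
    rules=$(emit_all "$@") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | grep -v '^#' | while IFS= read -r cmd; do
            eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        done
    else
        printf '%s\n' "$rules"
    fi
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `./vlans.sh eth0.10=10 eth0.20=20` to print the rules, or `APPLY=1 ./vlans.sh eth0.10=10 eth0.20=20` as root to load them (rules are appended, so load them once). Two caveats a practitioner should keep in mind: this only steers replies from services running on the box itself (forwarded traffic would additionally need the restore-mark in mangle PREROUTING), and it does nothing about the underlying limitation Peter describes, since two connections with the same source address and port arriving on two different VLANs are still one and the same 4-tuple to conntrack and to the socket layer.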