Hi,
Is there any support at all for Cisco's PVST+ in Linux (kernel and
brctl)? Please read on for what I'm trying to accomplish:
I'm trying to set up a redundant pair of filtering bridges connected
to two cisco 6500 hybrid L2/L3 switch/routers. At the edge of the
network I have a bunch of untrusted devices on a layer-2 subnet, and
the idea is to offer selective access to the subnet's default router
on the trusted side of the network. Here's a quick picture:
+---------------+ +---------------+
| .2 | .1 (HSRP) | .3 |
+-------+ - - - - - - - +-----------------+ - - - - - - - +-------+
| X | | vlanX (trusted) | | X |
Linux | Cisco | | Cisco | Linux
Bridge | 6500 | | 6500 | Bridge
| Y | | vlan Y | | Y |
+-------+ - + - + - + - +-----------------+ - + - + - + - +-------+
| | | | | (untrusted) | | | | |
+---+---+---+---+ +---+---+---+---+
| | | | | |
| | | +-------------+ | | |
| | +-----+ edge switch +-----+ | |
| | +-------------+ | |
| | | |
| | +-------------+ | |
| +---------+ edge switch +---------+ |
| +-------------+ |
| |
| +-------------+ |
+-------------+ edge switch +-------------+
+-------------+
The Ciscos use PVST+, and the problem is that when a VLAN-X BPDU is received
on a VLAN-Y (sub)interface, that subinterface is shut down due to a perceived
misconfiguration.
Is Linux equipped to handle this (by, e.g., translating the BPDUs received
over VLAN X into BPDUs that would be appropriate to forward into VLAN Y, and
vice versa)?
If not, any other ideas on how to accomplish redundancy would be much
appreciated. The topology prevents me from inserting the linux bridge in
a way that would allow bridging between the same vlan on two different
physical interfaces.
Thanks much,
--Gabriel
On Mon, Feb 23, 2009 at 09:31:31PM (GMT-0500), L. Gabriel Somlo wrote:
> If not, any other ideas on how to accomplish redundancy would be much
> appreciated.

IMHO you could do routing (+VRRP) directly on the linux boxes. The exact
setup however (interfaces, VLANs, Hops, ...) obviously depends on your
other constraints.

-- 
Boris Dor?s
Thanks to all who responded. To sum it up, if X and Y are separate
physical ports on the Cisco, configured in access mode, things seem to
work and the loop is detected. What does not work is having X and Y be
trunked over the same physical port. That is when the Cisco will shut
down the trunked port due to "inconsistent BPDUs". The trunked VLANs
scenario only works when spanning-tree is disabled on the Cisco, and
that is mutually exclusive with STP-based failover between two boxes.

Thanks again,
--Gabriel

On Mon, Feb 23, 2009 at 09:31:31PM -0500, L. Gabriel Somlo wrote:
> Hi,
>
> Is there any support at all for Cisco's PVST+ in Linux (kernel and
> brctl)? Please read on for what I'm trying to accomplish:
>
> I'm trying to set up a redundant pair of filtering bridges connected
> to two cisco 6500 hybrid L2/L3 switch/routers. At the edge of the
> network I have a bunch of untrusted devices on a layer-2 subnet, and
> the idea is to offer selective access to the subnet's default router
> on the trusted side of the network. Here's a quick picture:
>
> +---------------+ +---------------+
> | .2 | .1 (HSRP) | .3 |
> +-------+ - - - - - - - +-----------------+ - - - - - - - +-------+
> | X | | vlanX (trusted) | | X |
> Linux | Cisco | | Cisco | Linux
> Bridge | 6500 | | 6500 | Bridge
> | Y | | vlan Y | | Y |
> +-------+ - + - + - + - +-----------------+ - + - + - + - +-------+
> | | | | | (untrusted) | | | | |
> +---+---+---+---+ +---+---+---+---+
> | | | | | |
> | | | +-------------+ | | |
> | | +-----+ edge switch +-----+ | |
> | | +-------------+ | |
> | | | |
> | | +-------------+ | |
> | +---------+ edge switch +---------+ |
> | +-------------+ |
> | |
> | +-------------+ |
> +-------------+ edge switch +-------------+
> +-------------+
>
> The Ciscos use PVST+, and the problem is that when a VLAN-X BPDU is received
> on a VLAN-Y (sub)interface, that subinterface is shut down due to a perceived
> misconfiguration.
>
> Is Linux equipped to handle this (by, e.g., translating the BPDUs received
> over VLAN X into BPDUs that would be appropriate to forward into VLAN Y, and
> vice versa)?
>
> If not, any other ideas on how to accomplish redundancy would be much
> appreciated. The topology prevents me from inserting the linux bridge in
> a way that would allow bridging between the same vlan on two different
> physical interfaces.
>
> Thanks much,
> --Gabriel
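The mechanism behind both the original question (a VLAN-X BPDU arriving on a VLAN-Y subinterface) and the summary above (access ports work, a trunk gets shut down for "inconsistent BPDUs") is visible in the frames themselves. This is an added example, not code posted in the thread: a Python decoder for the two BPDU flavours on the wire, IEEE 802.1D BPDUs (destination 01:80:c2:00:00:00, LLC DSAP/SSAP 0x42) and Cisco PVST+ BPDUs (destination 01:00:0c:cc:cc:cd, SNAP with Cisco OUI and PID 0x010b, 802.1Q-tagged on a trunk except for the native VLAN, and carrying a trailing originating-VLAN TLV). The Linux bridge consumes the IEEE group address itself but treats 01:00:0c:cc:cc:cd as ordinary multicast, so a PVST+ BPDU received on the VLAN-X subinterface is flooded out the VLAN-Y subinterface with only its 802.1Q tag rewritten, while the TLV still says X; the receiving Cisco compares the TLV against the VLAN the frame arrived on (its PVID consistency check) and blocks the port. The MAC address and the VLAN numbers 10 and 20 are hypothetical and all frames are constructed inline.

```python
"""
Decode IEEE 802.1D STP and Cisco PVST+ BPDUs and apply the receiving
switch's PVID consistency check.  Added example; the frames are constructed
here and the MAC address and VLAN IDs are hypothetical.
"""
import struct

IEEE_STP_DST = bytes.fromhex("0180c2000000")      # 802.1D bridge group address
PVST_DST = bytes.fromhex("01000ccccccd")          # Cisco PVST+ multicast
IEEE_LLC = bytes.fromhex("424203")                # DSAP 0x42, SSAP 0x42, UI
PVST_SNAP = bytes.fromhex("aaaa0300000c010b")     # SNAP, Cisco OUI, PID 0x010b

# Config BPDU body after (protocol id, version, type): flags, root id,
# root path cost, bridge id, port id, message age, max age, hello, fwd delay
CONFIG_BODY = "!B8sI8sHHHHH"


def _config_body(bridge_id, port_id=0x8001):
    """Minimal version-0 config BPDU in which the sender claims to be root."""
    head = struct.pack("!HBB", 0, 0, 0)
    return head + struct.pack(CONFIG_BODY, 0, bridge_id, 0, bridge_id,
                              port_id, 0, 20 * 256, 2 * 256, 15 * 256)


def build_ieee_bpdu(bridge_mac, priority=32768):
    """Untagged IEEE BPDU as seen on an access port or a trunk's native VLAN."""
    bridge_id = struct.pack("!H", priority) + bridge_mac
    llc = IEEE_LLC + _config_body(bridge_id)
    return IEEE_STP_DST + bridge_mac + struct.pack("!H", len(llc)) + llc


def build_pvst_bpdu(vlan, bridge_mac, tag_vid=None, priority=32768):
    """PVST+ BPDU for `vlan`, 802.1Q-tagged with `tag_vid` when given.
    The bridge id uses the extended system id (priority + VLAN) and the
    trailing TLV (type 0, length 2) carries the originating VLAN."""
    bridge_id = struct.pack("!H", priority + vlan) + bridge_mac
    llc = PVST_SNAP + _config_body(bridge_id) + struct.pack("!HHH", 0, 2, vlan)
    hdr = PVST_DST + bridge_mac
    if tag_vid is not None:
        hdr += struct.pack("!HH", 0x8100, tag_vid)
    return hdr + struct.pack("!H", len(llc)) + llc


def parse_bpdu(frame):
    """Return a dict describing an IEEE or PVST+ BPDU, or None for other frames."""
    dst, off, tag_vid = frame[:6], 12, None
    if frame[off:off + 2] == b"\x81\x00":
        tag_vid = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    length = struct.unpack("!H", frame[off:off + 2])[0]
    off += 2
    if length > 1500:                      # an EtherType, not an 802.3 length
        return None
    if dst == IEEE_STP_DST and frame[off:off + 3] == IEEE_LLC:
        kind, off = "ieee", off + 3
    elif dst == PVST_DST and frame[off:off + 8] == PVST_SNAP:
        kind, off = "pvst+", off + 8
    else:
        return None
    proto, version, bpdu_type = struct.unpack("!HBB", frame[off:off + 4])
    if proto != 0:
        return None
    info = {"kind": kind, "tag_vid": tag_vid, "version": version,
            "type": bpdu_type, "pvid": None}
    if bpdu_type == 0x80:                  # TCN BPDU carries no body
        return info
    fields = struct.unpack(CONFIG_BODY, frame[off + 4:off + 35])
    info.update(root_id=fields[1].hex(), root_cost=fields[2], bridge_id=fields[3].hex())
    off += 35
    if version == 2:                       # RSTP / Rapid PVST+: version-1 length byte
        off += 1
    if kind == "pvst+" and len(frame) >= off + 6:
        tlv_type, tlv_len, vid = struct.unpack("!HHH", frame[off:off + 6])
        if tlv_type == 0 and tlv_len == 2:
            info["pvid"] = vid
    return info


def pvid_consistent(info, port_vlan):
    """The receiving switch's check: the originating VLAN in the TLV must equal
    the VLAN the frame arrived on (its tag, or the port's native/access VLAN
    when untagged).  IEEE BPDUs carry no PVID and are not subject to it."""
    if info is None or info["kind"] != "pvst+" or info["pvid"] is None:
        return True
    arrived_on = info["tag_vid"] if info["tag_vid"] is not None else port_vlan
    return info["pvid"] == arrived_on


def bridge_forward(frame, out_vid):
    """What a Linux bridge whose ports are VLAN sub-interfaces does to a PVST+
    BPDU: it is ordinary multicast to the bridge, so it is flooded out the
    other sub-interface with only the 802.1Q tag rewritten."""
    if frame[12:14] != b"\x81\x00":
        raise ValueError("expected an 802.1Q-tagged frame")
    return frame[:14] + struct.pack("!H", out_vid) + frame[16:]


if __name__ == "__main__":
    cisco = bytes.fromhex("001b0c000001")             # hypothetical switch MAC
    bpdu_x = build_pvst_bpdu(10, cisco, tag_vid=10)   # sent on trunk VLAN 10
    leaked = bridge_forward(bpdu_x, 20)               # re-emerges tagged VLAN 20
    for name, f in (("as sent", bpdu_x), ("after bridge", leaked)):
        i = parse_bpdu(f)
        print(name, "tag", i["tag_vid"], "pvid", i["pvid"],
              "ok" if pvid_consistent(i, 1) else "PVID MISMATCH")
```

Running the block prints the mismatch for the forwarded frame. The same decoder also shows why the access-port variant behaves differently: on an access port the IEEE BPDU is untagged and has no PVID TLV, so the Linux bridge's own STP consumes it and participates in the topology instead of leaking it into the other VLAN.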