Hi,
we have been running the standard Linux bridge setup (redundant bridge) for 5 years
now. So first of all, thanks to everyone involved for implementing the bridging
feature in Linux.
Now I'm trying to bridge hosts connected to VLAN'ed Cisco switches using
linux bridge.
I'm testing the following setup (Kernel 2.6.19, bridge-utils 1.2 on both
bridges)
http://i147.photobucket.com/albums/r293/mrennt/BridgeProblem.jpg
The diagram shows how everything is set up. I'm not happy with eth0 being blocked
on BRIDGE2. Although I'm able to reach the IP configured on the bridge
interface, I'm not sure if this is the correct STP behaviour, because eth0
is blocked and thus shouldn't respond!?
Both Cisco switches (2950) have VLANs 1,10,20,31,32,33,34,50 configured.
Here's what I've done so far:
- Changed the multicast address on both bridges in order not to conflict with
the Cisco switches' spanning tree (as described in
http://lists.osdl.org/pipermail/bridge/2005-October/001116.html)
- Enabled the bpdufilter on the trunk connections of both switches
- On the bridges: filtering requests originating in one VLAN going into another
VLAN
i.e. ebtables -A FORWARD -i vlan10 -o ! eth0 -j DROP
Here's the output of brctl of both bridges.
I'm not sure about the attachment policy on this mailing list, so I'm
posting the output below rather than as an attachment; sorry if it's hard to read. :/
Let me know if a copy via mail is better.
ON SERVER "BRIDGE1"
---------------------------------------------------------
# brctl show br0
bridge name bridge id STP enabled interfaces
br0 0000.000423c1e5f2 yes eth0
vlan10
vlan20
vlan30
vlan31
vlan32
vlan33
vlan34
vlan50
# brctl showstp br0
br0
bridge id 0000.000423c1e5f2
designated root 0000.000423c1e5f2
root port 0 path cost 0
max age 4.00 bridge max age 4.00
hello time 1.00 bridge hello time 1.00
forward delay 4.00 bridge forward delay 4.00
ageing time 300.00
hello timer 0.25 tcn timer 0.00
topology change timer 0.00 gc timer 0.06
flags
eth0 (0)
port id 0000 state forwarding
designated root 0000.000423c1e5f2 path cost 100
designated bridge 0000.000423c1e5f2 message age timer 0.00
designated port 8001 forward delay timer 0.00
designated cost 0 hold timer 0.48
flags
vlan10 (0)
port id 0000 state forwarding
designated root 0000.000423c1e5f2 path cost 1
designated bridge 0000.000423c1e5f2 message age timer 0.00
designated port 8002 forward delay timer 0.00
designated cost 0 hold timer 0.24
flags CONFIG_PENDING
vlan20 (0)
port id 0000 state forwarding
designated root 0000.000423c1e5f2 path cost 1
designated bridge 0000.000423c1e5f2 message age timer 0.00
designated port 8003 forward delay timer 0.00
designated cost 0 hold timer 0.24
flags
vlan30 (0)
port id 0000 state forwarding
designated root 0000.000423c1e5f2 path cost 1
designated bridge 0000.000423c1e5f2 message age timer 0.00
designated port 8004 forward delay timer 0.00
designated cost 0 hold timer 0.24
flags
vlan31 (0)
port id 0000 state forwarding
designated root 0000.000423c1e5f2 path cost 1
designated bridge 0000.000423c1e5f2 message age timer 0.00
designated port 8005 forward delay timer 0.00
designated cost 0 hold timer 0.24
flags
vlan32 (0)
port id 0000 state forwarding
designated root 0000.000423c1e5f2 path cost 1
designated bridge 0000.000423c1e5f2 message age timer 0.00
designated port 8006 forward delay timer 0.00
designated cost 0 hold timer 0.24
flags
vlan33 (0)
port id 0000 state forwarding
designated root 0000.000423c1e5f2 path cost 1
designated bridge 0000.000423c1e5f2 message age timer 0.00
designated port 8007 forward delay timer 0.00
designated cost 0 hold timer 0.24
flags
vlan34 (0)
port id 0000 state forwarding
designated root 0000.000423c1e5f2 path cost 1
designated bridge 0000.000423c1e5f2 message age timer 0.00
designated port 8008 forward delay timer 0.00
designated cost 0 hold timer 0.24
flags
vlan50 (0)
port id 0000 state forwarding
designated root 0000.000423c1e5f2 path cost 1
designated bridge 0000.000423c1e5f2 message age timer 0.00
designated port 8009 forward delay timer 0.00
designated cost 0 hold timer 0.24
flags CONFIG_PENDING
---------------------------------------------------------
vlan50 is always CONFIG_PENDING (after the very first state change).
The port id is 0000 (all zeroes) on all ports; it used to be 8000 some time ago,
not sure when it changed. Is this correct? It doesn't look correct to me to
have 0000 on all ports.
ON SERVER "BRIDGE2"
---------------------------------------------------------
# brctl show br0
bridge name bridge id STP enabled interfaces
br0 0064.00116b333a97 yes eth0
vlan10
vlan20
vlan30
vlan31
vlan32
vlan33
vlan34
vlan50
# brctl showstp br0
br0
bridge id 0064.00116b333a97
designated root 0000.000423c1e5f2
root port 2 path cost 19
max age 4.00 bridge max age 4.00
hello time 1.00 bridge hello time 1.00
forward delay 4.00 bridge forward delay 4.00
ageing time 300.00
hello timer 0.00 tcn timer 0.00
topology change timer 0.00 gc timer 0.06
flags
eth0 (0)
port id 0000 state blocking
designated root 0000.000423c1e5f2 path cost 100
designated bridge 0000.000423c1e5f2 message age timer 3.35
designated port 8001 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
vlan10 (0)
port id 0000 state forwarding
designated root 0000.000423c1e5f2 path cost 19
designated bridge 0000.000423c1e5f2 message age timer 3.11
designated port 8002 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
vlan20 (0)
port id 0000 state blocking
designated root 0000.000423c1e5f2 path cost 19
designated bridge 0000.000423c1e5f2 message age timer 3.11
designated port 8003 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
vlan30 (0)
port id 0000 state blocking
designated root 0000.000423c1e5f2 path cost 19
designated bridge 0000.000423c1e5f2 message age timer 3.11
designated port 8004 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
vlan31 (0)
port id 0000 state blocking
designated root 0000.000423c1e5f2 path cost 19
designated bridge 0000.000423c1e5f2 message age timer 3.11
designated port 8005 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
vlan32 (0)
port id 0000 state blocking
designated root 0000.000423c1e5f2 path cost 19
designated bridge 0000.000423c1e5f2 message age timer 3.11
designated port 8006 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
vlan33 (0)
port id 0000 state blocking
designated root 0000.000423c1e5f2 path cost 19
designated bridge 0000.000423c1e5f2 message age timer 3.11
designated port 8007 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
vlan34 (0)
port id 0000 state blocking
designated root 0000.000423c1e5f2 path cost 19
designated bridge 0000.000423c1e5f2 message age timer 3.11
designated port 8008 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
vlan50 (0)
port id 0000 state blocking
designated root 0000.000423c1e5f2 path cost 19
designated bridge 0000.000423c1e5f2 message age timer 3.11
designated port 8009 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
---------------------------------------------------------
Same thing about the port ids on "BRIDGE2".
In order to achieve the desired setup (as shown in the diagram), I thought all
vlan ports would be blocked and eth0 would be unblocked. It's really weird that vlan10
is not blocked; it's configured on both Cisco switches and on BRIDGE1.
Here's an abstract of the start script I'm using (on BRIDGE1):
---------------------------------------------------------
# Assumed for this excerpt (the mail does not show where these are defined):
BRCTL=/sbin/brctl
VCONFIG=/sbin/vconfig
EBTABLES=/sbin/ebtables
rc_failed=1   # SUSE init-script status convention used by "return=$rc_failed"

BR_IF_DMZ=eth0
BR_IF_MZ=eth1
BR_NAME=br0
BR_PRIO=1
BR_IF_DMZ_COST=100
BR_IF_MZ_COST=1
VLAN=/etc/vlan.conf # one vlan id per line
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ifconfig $BR_IF_DMZ down
/sbin/ifconfig $BR_IF_MZ down
# /sbin/ifconfig $BR_IF_DMZ 0.0.0.0 promisc || return=$rc_failed
# /sbin/ifconfig $BR_IF_MZ 0.0.0.0 promisc || return=$rc_failed
/sbin/ifconfig $BR_IF_DMZ 0.0.0.0 up || return=$rc_failed
/sbin/ifconfig $BR_IF_MZ 0.0.0.0 up || return=$rc_failed
$BRCTL addbr $BR_NAME || return=$rc_failed
$BRCTL addif $BR_NAME $BR_IF_DMZ || return=$rc_failed
# Basic Settings
sleep 1
$BRCTL sethello $BR_NAME 1 || return=$rc_failed
$BRCTL setmaxage $BR_NAME 4 || return=$rc_failed
$BRCTL setfd $BR_NAME 4 || return=$rc_failed
$BRCTL stp $BR_NAME on || return=$rc_failed
$BRCTL setbridgeprio $BR_NAME $BR_PRIO || return=$rc_failed
$BRCTL setpathcost $BR_NAME $BR_IF_DMZ $BR_IF_DMZ_COST || return=$rc_failed
echo "$BRCTL setpathcost $BR_NAME $BR_IF_DMZ $BR_IF_DMZ_COST"
for file in $BR_NAME $BR_IF_DMZ $BR_IF_MZ; do
    echo "1" > /proc/sys/net/ipv4/conf/${file}/proxy_arp
    echo "1" > /proc/sys/net/ipv4/conf/${file}/forwarding
done
# Setup VLAN Interfaces
# Use vlan<id> name type
$VCONFIG set_name_type VLAN_PLUS_VID_NO_PAD
while read conf ; do
    case "$conf" in
    \#*|"") ;; # Ignore empty lines and comments
    *)
        pattern=[[:space:]]*\#*
        vlan="${conf%%$pattern}" # Strip trailing whitespace and comments
        # Add VLAN to internal interface
        $VCONFIG add $BR_IF_MZ $vlan
        # Add VLAN to bridge
        $BRCTL addif $BR_NAME vlan$vlan || return=$rc_failed
        sleep 1
        $BRCTL setpathcost $BR_NAME vlan$vlan $BR_IF_MZ_COST || return=$rc_failed
        # /sbin/ifconfig vlan$vlan 0.0.0.0 promisc || return=$rc_failed
        /sbin/ifconfig vlan$vlan 0.0.0.0 up || return=$rc_failed
        # Block VLAN-to-VLAN traffic with ebtables already at layer 2
        $EBTABLES -A FORWARD -i vlan$vlan -o ! $BR_IF_DMZ -j DROP || return=$rc_failed
        echo "1" > /proc/sys/net/ipv4/conf/vlan$vlan/proxy_arp
        echo "1" > /proc/sys/net/ipv4/conf/vlan$vlan/forwarding
        ;;
    esac
done < $VLAN
# End VLAN Setup
sleep 5
ifconfig br0 192.168.1.93 netmask 255.255.255.0
---------------------------------------------------------
Here's ebtables output:
Bridge chain: FORWARD, entries: 8, policy: ACCEPT
-i vlan10 -o ! eth0 -j DROP
-i vlan20 -o ! eth0 -j DROP
-i vlan30 -o ! eth0 -j DROP
-i vlan31 -o ! eth0 -j DROP
-i vlan32 -o ! eth0 -j DROP
-i vlan33 -o ! eth0 -j DROP
-i vlan34 -o ! eth0 -j DROP
-i vlan50 -o ! eth0 -j DROP
No rules in iptables so far.
-------------------------
So is the behaviour of STP correct or is this wrong?
Thanks to anyone taking the time reading this through. ;)
Best,
Michael
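A small parser for the `brctl showstp` output quoted above, as an added example that is not part of the original mail: it reads the bridge id, designated root and the per-port state, path cost, port id and flags, then reports the points the mail asks about (whether this bridge is root, which ports are blocking, port id 0000 and CONFIG_PENDING). The embedded sample is a constructed, trimmed copy of the BRIDGE2 output, and the function and field names are my own.

```python
import re

# Constructed sample in `brctl showstp` layout: two of BRIDGE2's nine ports,
# timer lines trimmed; values copied from the mail, not a live capture.
SAMPLE = """br0
bridge id 0064.00116b333a97
designated root 0000.000423c1e5f2
eth0 (0)
port id 0000 state blocking
designated root 0000.000423c1e5f2 path cost 100
flags
vlan50 (0)
port id 0000 state forwarding
designated root 0000.000423c1e5f2 path cost 19
flags CONFIG_PENDING
"""
PORT_RE = re.compile(r"^(\S+) \(\d+\)$")  # "eth0 (0)" opens a per-port block

def parse_showstp(text):
    # Lines before the first port header describe the bridge; later lines belong to the current port.
    bridge, ports, cur = {}, {}, None
    for line in text.splitlines():
        words = line.split()
        m = PORT_RE.match(line.strip())
        if m:
            cur = ports[m.group(1)] = {"flags": []}
        elif words[:2] == ["bridge", "id"]:
            bridge["id"] = words[2]
        elif words[:2] == ["designated", "root"] and cur is None:
            bridge["root"] = words[2]
        elif words[:2] == ["designated", "root"]:
            cur["path_cost"] = int(words[-1])
        elif words[:2] == ["port", "id"]:
            cur["port_id"], cur["state"] = words[2], words[4]
        elif words[:1] == ["flags"]:
            cur["flags"] = words[1:]
    return bridge, ports

def audit(bridge, ports):
    # Returns (blocking ports, findings) for the questions raised in the mail.
    findings = []
    if bridge["id"] != bridge["root"]:
        findings.append("not root bridge: root is %s" % bridge["root"])
    for name, p in sorted(ports.items()):
        if p["port_id"] == "0000":
            findings.append("%s: port id 0000" % name)
        if "CONFIG_PENDING" in p["flags"]:
            findings.append("%s: CONFIG_PENDING" % name)
    blocking = sorted(n for n, p in ports.items() if p["state"] == "blocking")
    return blocking, findings
```

Feed it the real output with `parse_showstp(open("showstp.txt").read())` (or pipe `brctl showstp br0` into it) to get the same summary for a live bridge.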