Jeremy Jones wrote:
> question is this: should the vlan interfaces on the linux firewall be
> created first, then bridged; or should the bridge interface be created, then
> vlans bound to that?
>
> Here's the first:
>
> ip link set eth0 up
> ip link set eth1 up
> vconfig set_bind_mode PER_DEVICE
> vconfig set_name_type DEV_PLUS_VID_NO_PAD
> vconfig add eth0 4
> vconfig add eth1 4
> vconfig add eth0 51
> vconfig add eth1 51
<snip>
> And the second:
>
> ip link set eth0 up
> ip link set eth1 up
> brctl addbr br0
> brctl addif br0 eth0
> brctl addif br0 eth1
<snip>
> I lean towards the first, as it gives me more interfaces to filter, and thus

Jeremy,

I have no specific experience with a situation like yours. But, that won't stop me from rendering an opinion... :-)

I, too, would lean toward the first at least partly for the reason you describe. But, you should also consider untagged frames and frames with other VLAN IDs. The second configuration should bridge all frames (tagged or untagged), while the first will only be bridging frames with VLAN IDs of 4 or 51. I'm not sure which is your desired behaviour, but I suspect it is the first configuration which you should prefer.

Hth...

John
--
John W. Linville
linville@tuxdriver.com
<I apologize if this arrives twice... I sent it first from a non-subscribed address, don't know if that'll get to the list or not --JJ>

Hi folks,

I have an implementation question regarding bridging on a linux box between a catalyst trunk port and a cisco 26something w/802.1q subinterfaces. So right now, there's no vlan trunking going on on the link my bridging firewall sits on, but I'm going to need to bridge two vlans, 4 and 51.

My question is this: should the vlan interfaces on the linux firewall be created first, then bridged; or should the bridge interface be created, then vlans bound to that?

Here's the first:

ip link set eth0 up
ip link set eth1 up
vconfig set_bind_mode PER_DEVICE
vconfig set_name_type DEV_PLUS_VID_NO_PAD
vconfig add eth0 4
vconfig add eth1 4
vconfig add eth0 51
vconfig add eth1 51
ip link set eth0.4 up
ip link set eth1.4 up
ip link set eth0.51 up
ip link set eth1.51 up
brctl addbr br0
brctl addif br0 eth0.4
brctl addif br0 eth1.4
brctl stp br0 off
ip link set br0 up
brctl addbr br1
brctl addif br1 eth0.51
brctl addif br1 eth1.51
brctl stp br1 off
ip link set br1 up

And the second:

ip link set eth0 up
ip link set eth1 up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
brctl stp br0 off
ip link set br0 up
vconfig set_bind_mode PER_KERNEL
vconfig set_name_type DEV_PLUS_VID_NO_PAD
vconfig add br0 4
vconfig add br0 51
ip link set br0.4 up
ip link set br0.51 up

I lean towards the first, as it gives me more interfaces to filter, and thus more flexibility with my iptables rules.

Just looking for the wisdom of experience...

Thanks,
Jeremy Jones
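The two layouts above differ in which frames the firewall forwards at all, which is the point the reply raises: sub-interfaces first means only frames tagged 4 or 51 ever reach a bridge port, while a plain bridge of eth0 and eth1 forwards everything, untagged frames and foreign VLAN IDs included, with br0.4 and br0.51 only serving traffic addressed to the firewall itself. The following is an added example, not code from either post: a small Python model of that forwarding behaviour, plus the interface names each layout exposes to iptables/ebtables and a rendering of each layout in modern iproute2 (vconfig and brctl are long obsolete). The interface names and VIDs follow the thread; the allowed/pvid parameters model the later VLAN-aware bridge (vlan_filtering) and are this example's own addition.

```python
"""Forwarding model for the two bridge/VLAN stackings discussed in the thread.

Added example, not from the original posts. It does not touch the kernel: it
models which Ethernet frames each layout bridges between eth0 and eth1, so the
difference noted in the reply (untagged frames and other VLAN IDs) can be
checked on paper before building the box. Names follow the posts (eth0, eth1,
VIDs 4 and 51); the iproute2 strings are this example's rendering of the
vconfig/brctl sequences, not commands from the thread.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

TRUNK_VIDS = (4, 51)  # the two VLANs the firewall is meant to bridge


@dataclass(frozen=True)
class Frame:
    ingress: str          # physical port the frame arrived on: "eth0" or "eth1"
    vid: Optional[int]    # 802.1Q VLAN ID, or None for an untagged frame


def vlan_first_forwards(frame: Frame, vids: Iterable[int] = TRUNK_VIDS) -> bool:
    """Layout 1: ethX.<vid> sub-interfaces, one bridge per VID.

    The 8021q module delivers a tagged frame to ethX.<vid> only when that
    sub-interface exists. Untagged frames and unknown VIDs stay on the parent
    device, which is not a bridge port, so the firewall never forwards them.
    """
    return frame.vid is not None and frame.vid in set(vids)


def bridge_first_forwards(frame: Frame, allowed: Optional[Iterable[int]] = None,
                          pvid: Optional[int] = None) -> bool:
    """Layout 2: eth0 and eth1 are ports of br0; br0.<vid> only serves the host.

    With the classic (non VLAN-aware) bridge, allowed=None, every frame is
    forwarded whatever its tag. allowed/pvid model a vlan_filtering bridge
    (assumed extension): tagged frames need their VID on the port's VLAN list,
    untagged frames need a PVID to be classified into, otherwise they drop.
    """
    if allowed is None:
        return True
    if frame.vid is None:
        return pvid is not None and pvid in set(allowed)
    return frame.vid in set(allowed)


def leaks(frames: Iterable[Frame]) -> List[Frame]:
    """Frames the bridge-first layout forwards that the VLAN-first layout does not."""
    return [f for f in frames if bridge_first_forwards(f) and not vlan_first_forwards(f)]


def filter_points(layout: str, vids: Iterable[int] = TRUNK_VIDS) -> List[str]:
    """Interface names usable for per-VLAN filtering (iptables physdev / ebtables)."""
    vids = list(vids)
    if layout == "vlan_first":
        return ([f"eth{p}.{v}" for v in vids for p in (0, 1)]
                + [f"br{i}" for i in range(len(vids))])
    return ["eth0", "eth1", "br0"] + [f"br0.{v}" for v in vids]


def iproute2_commands(layout: str, vids: Iterable[int] = TRUNK_VIDS) -> List[str]:
    """Modern iproute2 rendering of each layout (STP off, as in the posts)."""
    vids = list(vids)
    cmds = ["ip link set eth0 up", "ip link set eth1 up"]
    if layout == "vlan_first":
        for i, v in enumerate(vids):
            for p in (0, 1):
                cmds.append(f"ip link add link eth{p} name eth{p}.{v} type vlan id {v}")
                cmds.append(f"ip link set eth{p}.{v} up")
            cmds.append(f"ip link add name br{i} type bridge stp_state 0")
            cmds += [f"ip link set eth{p}.{v} master br{i}" for p in (0, 1)]
            cmds.append(f"ip link set br{i} up")
    else:
        cmds.append("ip link add name br0 type bridge stp_state 0")
        cmds += ["ip link set eth0 master br0", "ip link set eth1 master br0",
                 "ip link set br0 up"]
        for v in vids:
            cmds.append(f"ip link add link br0 name br0.{v} type vlan id {v}")
            cmds.append(f"ip link set br0.{v} up")
    return cmds


if __name__ == "__main__":
    # Constructed sample traffic: both wanted VLANs, an untagged frame, a stray VID.
    sample = [Frame("eth0", 4), Frame("eth1", 51), Frame("eth0", None), Frame("eth1", 100)]
    for f in leaks(sample):
        print(f"bridge-first forwards but vlan-first drops: {f}")
    print("\n".join(iproute2_commands("vlan_first")))
```

Running the module prints the two frames (untagged, VID 100) that only the bridge-first layout would pass through the firewall, which is exactly the traffic the per-VLAN layout silently drops and the reason it is the safer default when only VLANs 4 and 51 are meant to cross the box.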