[Bridge] Bridging vlans

[Bridge] Bridging vlans

[Jeremy Jones]

Hi folks,

I have an implementation question regarding bridging on a linux box between
a catalyst trunk port and a cisco 26something w/802.1q subinterfaces.

So right now, there's no vlan trunking going on on the link my bridging
firewall sits on, but I'm going to need to bridge two vlans, 4 and 51.  My
question is this:  should the vlan interfaces on the linux firewall be
created first, then bridged; or should the bridge interface be created, then
vlans bound to that?

Here's the first:

ip link set eth0 up
ip link set eth1 up
vconfig set_bind_mode PER_DEVICE
vconfig set_name_type DEV_PLUS_VID_NO_PAD
vconfig add eth0 4
vconfig add eth1 4
vconfig add eth0 51
vconfig add eth1 51
ip link set eth0.4 up
ip link set eth1.4 up
ip link set eth0.51 up
ip link set eth1.51 up
brctl addbr br0 
brctl addif br0 eth0.4
brctl addif br0 eth1.4
brctl stp br0 off
ip link set br0 up
brctl addbr br1 
brctl addif br1 eth0.51
brctl addif br1 eth1.51
brctl stp br1 off
ip link set br1 up

And the second:

ip link set eth0 up
ip link set eth1 up
brctl addbr br0 
brctl addif br0 eth0
brctl addif br0 eth1
brctl stp br0 off
ip link set br0 up
vconfig set_bind_mode PER_KERNEL
vconfig set_name_type DEV_PLUS_VID_NO_PAD
vconfig add br0 4
vconfig add br0 51
ip link set br0.4 up
ip link set br0.51 up

I lean towards the first, as it gives me more interfaces to filter, and thus
more flexibility with my iptables rules.  Just looking for the wisdom of
experience...

Thanks,
Jeremy Jones

[Bridge] Bridging vlans...

[Jeremy Jones]

<I apologize if this arrives twice...  I sent it first from an
non-subscribed address, don't know if that'll get to the list or not --JJ>

Hi folks,

I have an implementation question regarding bridging on a linux box between
a catalyst trunk port and a cisco 26something w/802.1q subinterfaces.

So right now, there's no vlan trunking going on on the link my bridging
firewall sits on, but I'm going to need to bridge two vlans, 4 and 51.  My
question is this:  should the vlan interfaces on the linux firewall be
created first, then bridged; or should the bridge interface be created, then
vlans bound to that?

Here's the first:

ip link set eth0 up
ip link set eth1 up
vconfig set_bind_mode PER_DEVICE
vconfig set_name_type DEV_PLUS_VID_NO_PAD
vconfig add eth0 4
vconfig add eth1 4
vconfig add eth0 51
vconfig add eth1 51
ip link set eth0.4 up
ip link set eth1.4 up
ip link set eth0.51 up
ip link set eth1.51 up
brctl addbr br0 
brctl addif br0 eth0.4
brctl addif br0 eth1.4
brctl stp br0 off
ip link set br0 up
brctl addbr br1 
brctl addif br1 eth0.51
brctl addif br1 eth1.51
brctl stp br1 off
ip link set br1 up

And the second:

ip link set eth0 up
ip link set eth1 up
brctl addbr br0 
brctl addif br0 eth0
brctl addif br0 eth1
brctl stp br0 off
ip link set br0 up
vconfig set_bind_mode PER_KERNEL
vconfig set_name_type DEV_PLUS_VID_NO_PAD
vconfig add br0 4
vconfig add br0 51
ip link set br0.4 up
ip link set br0.51 up

I lean towards the first, as it gives me more interfaces to filter, and thus
more flexibility with my iptables rules.  Just looking for the wisdom of
experience...

Thanks,
Jeremy Jones

Re: [Bridge] Bridging vlans...

[John W. Linville]

Jeremy Jones wrote:

> question is this:  should the vlan interfaces on the linux firewall be
> created first, then bridged; or should the bridge interface be created, then
> vlans bound to that?
> 
> Here's the first:
> 
> ip link set eth0 up
> ip link set eth1 up
> vconfig set_bind_mode PER_DEVICE
> vconfig set_name_type DEV_PLUS_VID_NO_PAD
> vconfig add eth0 4
> vconfig add eth1 4
> vconfig add eth0 51
> vconfig add eth1 51

<snip>

> And the second:
> 
> ip link set eth0 up
> ip link set eth1 up
> brctl addbr br0 
> brctl addif br0 eth0
> brctl addif br0 eth1

<snip>

> I lean towards the first, as it gives me more interfaces to filter, and thus

Jeremy,

I have no specific experience with a situation like yours.  But, that 
won't stop me from rendering an opinion... :-)

I, too, would lean toward the first at least partly for the reason you 
describe.  But, you should also consider untagged frames and frames with 
other VLAN IDs.  The second configuration should bridge all frames 
(tagged or untagged), while the first will only be bridging frames with 
VLAN IDs of 4 or 51.  I'm not sure which is your desired behaviour, but 
I suspect it is the first configuration which you should prefer.

Hth...

John
-- 
John W. Linville
linville@tuxdriver.com

RE: [Bridge] Bridging vlans...

[Jeremy Jones]

Now, with iptables, under the first scenario (creating 2 vlan interfaces per
physical interface, and bridging the vlan interfaces), can I safely DROP
everything to, from, or through eth0 & eth1?  That is, assuming I don't want
to forward any untagged frames.

So:

iptables -N only_tagged
iptables -A only_tagged -j LOG --log-prefix " untagged? "
iptables -A only_tagged -j DROP
iptables -A INPUT -i eth0 -j only_tagged
iptables -A INPUT -i eth1 -j only_tagged
iptables -A OUTPUT -i eth0 -j only_tagged
iptables -A OUTPUT -i eth1 -j only_tagged
iptables -A FORWARD -i eth0 -j only_tagged
iptables -A FORWARD -i eth1 -j only_tagged

Then do my more granular filtering on the vlan interfaces...

(guess this would be something to ask the vlan mailing list people -- but
what the heck, this list isn't terribly busy anyway)

I imagine I'll have to come up with a fairly complex matrix of --physdev-in,
--physdev-out, etc. combinations.  Yikes.

Jeremy

> -----Original Message-----
> From: bridge-bounces@lists.osdl.org 
> [mailto:bridge-bounces@lists.osdl.org] On Behalf Of John W. Linville
> Sent: Thursday, March 25, 2004 5:56 AM
> To: Jeremy Jones
> Cc: bridge@lists.osdl.org
> Subject: Re: [Bridge] Bridging vlans...
> 
> 
> Jeremy,
> 
> I have no specific experience with a situation like yours.  But, that 
> won't stop me from rendering an opinion... :-)
> 
> I, too, would lean toward the first at least partly for the 
> reason you 
> describe.  But, you should also consider untagged frames and 
> frames with 
> other VLAN IDs.  The second configuration should bridge all frames 
> (tagged or untagged), while the first will only be bridging 
> frames with 
> VLAN IDs of 4 or 51.  I'm not sure which is your desired 
> behaviour, but 
> I suspect it is the first configuration which you should prefer.
> 
> Hth...
> 
> John
> -- 

Re: [Bridge] Bridging vlans...

[John W. Linville]

Again, I'm no expert.  I hope someone will correct me if I'm wrong, blah 
blah blah...

To start, I think you should be using ebtables rather than iptables.  As 
I understand things, the ebtables stuff works at Layer-2.

I guess your purpose is to log untagged packets?  Are packets belonging 
to VLAN interfaces visible to the parent interface? (It seems intuitive 
that they would not be, but I really don't know.)  If not, then 
something like what you propose below should work (given ebtables 
instead of iptables).  If the VLAN packets ARE visible on the parent 
interface, then you will need to do some additional checking to make 
sure that the frames are actually untagged.  You may want to do this 
anyway so as to differentiate between untagged frames and frames tagged 
for an "unknown" VLAN.

Again, hth... :-)

John

Jeremy Jones wrote:
> Now, with iptables, under the first scenario (creating 2 vlan interfaces per
> physical interface, and bridging the vlan interfaces), can I safely DROP
> everything to, from, or through eth0 & eth1?  That is, assuming I don't want
> to forward any untagged frames.
> 
> So:
> 
> iptables -N only_tagged
> iptables -A only_tagged -j LOG --log-prefix " untagged? "
> iptables -A only_tagged -j DROP
> iptables -A INPUT -i eth0 -j only_tagged
> iptables -A INPUT -i eth1 -j only_tagged
> iptables -A OUTPUT -i eth0 -j only_tagged
> iptables -A OUTPUT -i eth1 -j only_tagged
> iptables -A FORWARD -i eth0 -j only_tagged
> iptables -A FORWARD -i eth1 -j only_tagged
> 
> Then do my more granular filtering on the vlan interfaces...
> 
> (guess this would be something to ask the vlan mailing list people -- but
> what the heck, this list isn't terribly busy anyway)
> 
> I imagine I'll have to come up with a fairly complex matrix of --physdev-in,
> --physdev-out, etc. combinations.  Yikes.
> 
> Jeremy
> 
> 
>>-----Original Message-----
>>From: bridge-bounces@lists.osdl.org 
>>[mailto:bridge-bounces@lists.osdl.org] On Behalf Of John W. Linville
>>Sent: Thursday, March 25, 2004 5:56 AM
>>To: Jeremy Jones
>>Cc: bridge@lists.osdl.org
>>Subject: Re: [Bridge] Bridging vlans...
>>
>>
>>Jeremy,
>>
>>I have no specific experience with a situation like yours.  But, that 
>>won't stop me from rendering an opinion... :-)
>>
>>I, too, would lean toward the first at least partly for the 
>>reason you 
>>describe.  But, you should also consider untagged frames and 
>>frames with 
>>other VLAN IDs.  The second configuration should bridge all frames 
>>(tagged or untagged), while the first will only be bridging 
>>frames with 
>>VLAN IDs of 4 or 51.  I'm not sure which is your desired 
>>behaviour, but 
>>I suspect it is the first configuration which you should prefer.
>>
>>Hth...
>>
>>John
>>-- 
> 
> 
> 
> 
> _______________________________________________
> Bridge mailing list
> Bridge@lists.osdl.org
> http://lists.osdl.org/mailman/listinfo/bridge

Re: [Bridge] Bridging vlans

[Bart De Schuymer]

On Thursday 25 March 2004 01:23, Jeremy Jones wrote:
> So right now, there's no vlan trunking going on on the link my bridging
> firewall sits on, but I'm going to need to bridge two vlans, 4 and 51.  My
> question is this:  should the vlan interfaces on the linux firewall be
> created first, then bridged; or should the bridge interface be created,
> then vlans bound to that?

You'll need the first. The second method will only work if the packets are 
destined for the bridge itself.

cheers,
Bart

[Bridge] Bridging VLANs

[R Harper]

Hi I have a simple question

I want to bridge both normal ethernet frames and VLAN packets
do I have to explicitly bridge the VLAN packets (e.g. vconfig br0 30)  or 
are they bridge by default
Is it sufficient to configure a VLAN bridge like this or am I forgetting 
something?

regards
R.Harper

_________________________________________________________________
F� alle de nye og sjove ikoner med MSN Messenger http://messenger.msn.dk/

RE: [Bridge] Bridging VLANs

[Josef Brunner]

remember the use of the vconfig command. it helps you to define "access
ports" that means that you can tell the system what default vlan (or vlans)
to use for a certain interface (so that it can remove the vlan tag from the
trunked packet)...

if you want to bridge all your  traffic - including vlan traffic - just
confige the bridge in a "normal behaviour". 

just one question: by saying vlan traffic you mean trunk or trunked or
tagged traffic, right ? 

josef 
 

-----Original Message-----
From: R Harper
To: bridge@lists.osdl.org
Sent: 22.09.2005 14:34
Subject: [Bridge] Bridging VLANs

Hi I have a simple question

I want to bridge both normal ethernet frames and VLAN packets
do I have to explicitly bridge the VLAN packets (e.g. vconfig br0 30)
or 
are they bridge by default
Is it sufficient to configure a VLAN bridge like this or am I forgetting

something?

regards
R.Harper

_________________________________________________________________
Få alle de nye og sjove ikoner med MSN Messenger
http://messenger.msn.dk/

 <<ATT38976.txt>> 

_______________________________________________________________________________
Disclaimer

This message may contain confidential information solely for its
intended recipients and others may not distribute, copy or use it. If
you have received this communication in error please tell us either by
return e-mail or at the numbers above and delete it, and any copies of
it.

[Bridge] Bridging VLANs

[Diego Woitasen]

Hi,
I'm working on a network where I have 13 VLANs (using 802.1q). I need
to build a transition escenario bridging the VLANs with a Linux
Bridge. My Linux box has the trunk incoming from eth1, so to bridge
them I use:

brctl addbr superbridge
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
for ((i = 200; i <= 212; i++)); do
 vconfig add eth1 $i
 ip link set vlan$i
 brctl addif superbridge vlan$i
done
ip link superbrige up

I think that should work but I want to hear another opinions, advices
or just tell me if that wouldn't work.

Regards,
 Diego

-- 
Diego Woitasen
XTECH