[Bridge] Bridge - vlan - bond

[Bridge] Bridge - vlan - bond

[Sander Klein]

Hi list,

I have a problem with using bonding, with vlans and bridging. I'm trying
to create the following situation:

Network overview:

               +------+
+--------+     |blade |
|        |-----|switch| eth0 +------+
|        |     |      |------|      |
|        |     +------+      |      |
| switch |                   | host |
|        |     +------+      |      |
|        |     |blade |------|      |
|        |-----|switch| eth1 +------+
+--------+     |      |
               +------+

Situation on the host:

+----+
|eth0|------+
+----+      |
         +-----+   +---------+   +-----+
         |bond0|---|bond0.101|---|br101|
         +-----+   +---------+   +-----+
+----+      |
|eth1|------+
+----+


Now, as soon as the bridge comes up I get the error 'bond0.101: received
packet with  own address as source address'. This happens every time I
start a new sessioen to a host. Sniffing with tcpdump and wireshark on
br101 show all arp packets 2 times. I cannot figure out why this is
happening. When I create this situation without the bridge I do not get
duplicate traffic, so it's not coming from the network.

My config is:

auto bond0
iface bond0 inet manual
        slaves eth0 eth1
        bond_primary eth0
        bond_mode active-backup
        bond_miimon 100

auto bond0.101
iface bond0.101 inet manual

auto br0
iface br0 inet static
        bridge_ports bond0.101
        bridge_stp off
        address 192.168.1.25
        netmask 255.255.255.0
        gateway 192.168.1.1

I've tried this with the stock Debian Lenny kernel (2.6.26) and 2.6.32. Am
I doing something wrong here?

Greets,

Sander Klein

Re: [Bridge] Bridge - vlan - bond

[Sebastian Gottschall (DD-WRT)]

Sander Klein schrieb:
> Hi list,
>
> I have a problem with using bonding, with vlans and bridging. I'm trying
> to create the following situation:
>
> Network overview:
>
>                +------+
> +--------+     |blade |
> |        |-----|switch| eth0 +------+
> |        |     |      |------|      |
> |        |     +------+      |      |
> | switch |                   | host |
> |        |     +------+      |      |
> |        |     |blade |------|      |
> |        |-----|switch| eth1 +------+
> +--------+     |      |
>                +------+
>
> Situation on the host:
>
> +----+
> |eth0|------+
> +----+      |
>          +-----+   +---------+   +-----+
>          |bond0|---|bond0.101|---|br101|
>          +-----+   +---------+   +-----+
> +----+      |
> |eth1|------+
> +----+
>
>
> Now, as soon as the bridge comes up I get the error 'bond0.101: received
> packet with  own address as source address'. This happens every time I
> start a new sessioen to a host. Sniffing with tcpdump and wireshark on
> br101 show all arp packets 2 times. I cannot figure out why this is
> happening. When I create this situation without the bridge I do not get
> duplicate traffic, so it's not coming from the network.
>   
i dont think that you can do with bonding what you want, because you 
just connected them to a switch
you can only bond interface together which are bonded on the opposite 
site too

so your local eth0 and eth1 is bonded and the remote site input must be 
bonded too. a switch cannot bond, a switch only switches, so it outputs 
the same packets on all ethernet connectors
so

remote:                                        local
bond0 --- eth0   ------------- eth0 --- bond0
       |  ---- eth1  ------------- eth1 --- |


i hope you understand what i mean. so bond0 is the local usable 
interface on each site which splits the traffic on 2 ethernet interfaces 
depending on your bonding algorithm. a switch only duplicates packets



> My config is:
>
> auto bond0
> iface bond0 inet manual
>         slaves eth0 eth1
>         bond_primary eth0
>         bond_mode active-backup
>         bond_miimon 100
>
> auto bond0.101
> iface bond0.101 inet manual
>
> auto br0
> iface br0 inet static
>         bridge_ports bond0.101
>         bridge_stp off
>         address 192.168.1.25
>         netmask 255.255.255.0
>         gateway 192.168.1.1
>
> I've tried this with the stock Debian Lenny kernel (2.6.26) and 2.6.32. Am
> I doing something wrong here?
>
> Greets,
>
> Sander Klein
>
> _______________________________________________
> Bridge mailing list
> Bridge@lists.linux-foundation.org
> https://lists.linux-foundation.org/mailman/listinfo/bridge
>
>   


-- 
Mit freundlichen Grüssen / Regards

Sebastian Gottschall / CTO 

NewMedia-NET GmbH - DD-WRT 
Firmensitz:  Wormser Straße 5 - 7, 64625 Bensheim
Registergericht: Amtsgericht Darmstadt, HRB 25473
Geschäftsführer: Peter Steinhäuser, Christian Scheele
http://www.dd-wrt.com
email: s.gottschall@dd-wrt.com
Tel.: +496251-582650 / Fax: +496251-5826565 

Re: [Bridge] Bridge - vlan - bond

[Nicolas de Pesloüan]

Sander Klein wrote :
> Hi list,
> 
> I have a problem with using bonding, with vlans and bridging. I'm trying
> to create the following situation:

Can you please also describe what you try to achieve, and not only your setup ?

What are the expected effects ?

Your bonding setup (active-backup) will lead to one port enabled and one disabled.

Why don't you simply use eth0.101 and eth1.101 as two ports of br101, and enable stp ?

Enabling stp would achieve the same result : one port in forwarding state and one in the blocked state.

	Nicolas.

> Network overview:
> 
>                +------+
> +--------+     |blade |
> |        |-----|switch| eth0 +------+
> |        |     |      |------|      |
> |        |     +------+      |      |
> | switch |                   | host |
> |        |     +------+      |      |
> |        |     |blade |------|      |
> |        |-----|switch| eth1 +------+
> +--------+     |      |
>                +------+
> 
> Situation on the host:
> 
> +----+
> |eth0|------+
> +----+      |
>          +-----+   +---------+   +-----+
>          |bond0|---|bond0.101|---|br101|
>          +-----+   +---------+   +-----+
> +----+      |
> |eth1|------+
> +----+
> 
> 
> Now, as soon as the bridge comes up I get the error 'bond0.101: received
> packet with  own address as source address'. This happens every time I
> start a new sessioen to a host. Sniffing with tcpdump and wireshark on
> br101 show all arp packets 2 times. I cannot figure out why this is
> happening. When I create this situation without the bridge I do not get
> duplicate traffic, so it's not coming from the network.
> 
> My config is:
> 
> auto bond0
> iface bond0 inet manual
>         slaves eth0 eth1
>         bond_primary eth0
>         bond_mode active-backup
>         bond_miimon 100
> 
> auto bond0.101
> iface bond0.101 inet manual
> 
> auto br0
> iface br0 inet static
>         bridge_ports bond0.101
>         bridge_stp off
>         address 192.168.1.25
>         netmask 255.255.255.0
>         gateway 192.168.1.1
> 
> I've tried this with the stock Debian Lenny kernel (2.6.26) and 2.6.32. Am
> I doing something wrong here?
> 
> Greets,
> 
> Sander Klein
> 
> _______________________________________________
> Bridge mailing list
> Bridge@lists.linux-foundation.org
> https://lists.linux-foundation.org/mailman/listinfo/bridge
> 

Re: [Bridge] Bridge - vlan - bond

[Sander Klein]

Hi,

> Can you please also describe what you try to achieve, and not only your
> setup ?
> 
> What are the expected effects ?

Sorry, I will. What I am trying to achieve is high availability. The host
I'm building this on will be a kvm host with virtual machines which runs
the images from a nfsmount. I need to have multiple vlans on this host
which are then bridged to the virtual machines. What I want is that if the
switch connected to eth0 fails, all traffic will go through eth1. The final
setup will be the following:

+------+   +------+
| core |---|blade |   +-----+
|switch|   |switch|---|eth0 |
+------+   +------+   |     |
   |                  |Host |
+------+   +------+   |     |
| core |---|blade |---|eth1 |
|switch|   |switch|   +-----+
+------+   +------+

> Your bonding setup (active-backup) will lead to one port enabled and one
> disabled.

That's okay with me. I don't need the speed, only the redundancy. I could
use alb or tlb but since I'm testing right now active-backup it easier.

> Why don't you simply use eth0.101 and eth1.101 as two ports of br101,
and
> enable stp ?

Since the switches that connect to eth0 and eth1 have a crappy stp
implementation (its a supermicro blade chassis) it's pain to get it
working. Moreover, converging with stp is a bit slow. Bonding will do this
in 100ms or faster while stp might take 30 seconds or so.

The setup works perfectly as long as I don't use bridging. But I need the
bridging to get the network to the virtual machines.

Greets,

Sander Klein

Re: [Bridge] Bridge - vlan - bond

[richardvoigt]

On Sat, Dec 5, 2009 at 10:30 AM, Sander Klein <roedie@roedie.nl> wrote:
> Hi list,
>
> I have a problem with using bonding, with vlans and bridging. I'm trying
> to create the following situation:
>
> Network overview:
>
>               +------+
> +--------+     |blade |
> |        |-----|switch| eth0 +------+
> |        |     |      |------|      |
> |        |     +------+      |      |
> | switch |                   | host |
> |        |     +------+      |      |
> |        |     |blade |------|      |
> |        |-----|switch| eth1 +------+
> +--------+     |      |
>               +------+
>
> Situation on the host:
>
> +----+
> |eth0|------+
> +----+      |
>         +-----+   +---------+   +-----+
>         |bond0|---|bond0.101|---|br101|
>         +-----+   +---------+   +-----+
> +----+      |
> |eth1|------+
> +----+
>
>
> Now, as soon as the bridge comes up I get the error 'bond0.101: received
> packet with  own address as source address'. This happens every time I
> start a new sessioen to a host. Sniffing with tcpdump and wireshark on
> br101 show all arp packets 2 times. I cannot figure out why this is
> happening. When I create this situation without the bridge I do not get
> duplicate traffic, so it's not coming from the network.

I have something very similar.  That message is a warning, not an
error, and over a year of experience suggests that it can be safely
ignored.

(my actual setup is a firewall without enough ports to directly
connect all attached networks -- the switch tags traffic with the
particular port it arrives on and passes it to a trunk port, the linux
box is connected to two such trunk ports in the active-backup bonding
mode, and bridges all the VLANs together forcing the traffic through
iptables/ebtables.  I don't think the warning occurs in this part of
the configuration.  There's also a traffic shaper appliance with a
history of unreliability between the firewall and the main internet
gateway, stp is used to prefer to send traffic through the traffic
shaper, but activate a direct link whenever the shaper fails.  On this
second bridge I encounter the same warning you do, but not for arp
traffic, only stp pdus which are periodically sent to check whether
the shaper appliance is ok.  I guess the issue is that the shaper
appliance passes pdus through unchanged, if it were doing stp
processing then the pdus incoming to the linux box would not have the
linux box's other vlan port as sender and not trigger the warning.)

Are any of your VLANs transparently bridged together elsewhere in the network?

When you see the arp packet twice in wireshark, is it in the same VLAN
both times?

I believe you can also use some of the logging actions in iptables to
list which physical port (of the bonding members) a particular packet
arrived on.


>
> My config is:
>
> auto bond0
> iface bond0 inet manual
>        slaves eth0 eth1
>        bond_primary eth0
>        bond_mode active-backup
>        bond_miimon 100
>
> auto bond0.101
> iface bond0.101 inet manual
>
> auto br0
> iface br0 inet static
>        bridge_ports bond0.101
>        bridge_stp off
>        address 192.168.1.25
>        netmask 255.255.255.0
>        gateway 192.168.1.1
>
> I've tried this with the stock Debian Lenny kernel (2.6.26) and 2.6.32. Am
> I doing something wrong here?
>
> Greets,
>
> Sander Klein
>
> _______________________________________________
> Bridge mailing list
> Bridge@lists.linux-foundation.org
> https://lists.linux-foundation.org/mailman/listinfo/bridge
>

Re: [Bridge] Bridge - vlan - bond

[Sander Klein]

Hi,

On Sun, 6 Dec 2009 11:17:56 -0600, "richardvoigt@gmail.com"
<richardvoigt@gmail.com> wrote:
> Are any of your VLANs transparently bridged together elsewhere in the
> network?

No.
 
> When you see the arp packet twice in wireshark, is it in the same VLAN
> both times?

I see the packet twice in the bridge interface which is on top of the
bond0.101 interface. When sniffing the bond0.101 interface I only see the
packet once. Sniffing the bond0 interface doesn't show anything and
sniffing eth0 show the arp traffic only once, which I'm not sure if this is
normal. Sniffing on eth1 shows no traffic at all which is to be expected
since it is in backup state.

> I believe you can also use some of the logging actions in iptables to
> list which physical port (of the bonding members) a particular packet
> arrived on.

I'll have a look at this. But since I do not think the packet comes from
the network. I really think the bridge has something to do with it.

Greets,

Sander

Re: [Bridge] Bridge - vlan - bond

[Nicolas de Pesloüan]

Sander Klein wrote:
> Hi,
> 
>> Can you please also describe what you try to achieve, and not only your
>> setup ?
>>
>> What are the expected effects ?
> 
> Sorry, I will. What I am trying to achieve is high availability. The host
> I'm building this on will be a kvm host with virtual machines which runs
> the images from a nfsmount. I need to have multiple vlans on this host
> which are then bridged to the virtual machines. What I want is that if the
> switch connected to eth0 fails, all traffic will go through eth1. The final
> setup will be the following:
> 
> +------+   +------+
> | core |---|blade |   +-----+
> |switch|   |switch|---|eth0 |
> +------+   +------+   |     |
>    |                  |Host |
> +------+   +------+   |     |
> | core |---|blade |---|eth1 |
> |switch|   |switch|   +-----+
> +------+   +------+
> 
>> Your bonding setup (active-backup) will lead to one port enabled and one
>> disabled.
> 
> That's okay with me. I don't need the speed, only the redundancy. I could
> use alb or tlb but since I'm testing right now active-backup it easier.
> 
>> Why don't you simply use eth0.101 and eth1.101 as two ports of br101,
> and
>> enable stp ?
> 
> Since the switches that connect to eth0 and eth1 have a crappy stp
> implementation (its a supermicro blade chassis) it's pain to get it
> working. Moreover, converging with stp is a bit slow. Bonding will do this
> in 100ms or faster while stp might take 30 seconds or so.

If stp is a problem, you can try the rstp user-space implementation.
> 
> The setup works perfectly as long as I don't use bridging. But I need the
> bridging to get the network to the virtual machines.

You should consider using a VM software that does not require bridge to get the network to the VM 
:-) (VirtualBox for example).

Anyway, if we assume br101 is "duplicating" this packet in some way, let's try and figure out why.

Can you please provide the output of the following commands:

ip addr
brctl show
brctl showmacs br101
cat /proc/net/bonding/bond0

	Nicolas.