From: Nick Carter <ncarter100@gmail.com>
To: David Lamparter <equinox@diac24.net>
Cc: Stephen Hemminger <shemminger@linux-foundation.org>,
netdev@vger.kernel.org, davem@davemloft.net
Subject: Re: [PATCH] bridge: Forward EAPOL Kconfig option BRIDGE_PAE_FORWARD
Date: Wed, 29 Jun 2011 23:46:03 +0100 [thread overview]
Message-ID: <BANLkTi=4-xYNyaBOzeL04VioK8D0Q8secg@mail.gmail.com> (raw)
In-Reply-To: <20110628214637.GE2121496@jupiter.n2.diac24.net>
On 28 June 2011 22:46, David Lamparter <equinox@diac24.net> wrote:
> On Tue, Jun 28, 2011 at 10:22:53PM +0100, Nick Carter wrote:
>> > I beg to differ, there very much is. You never ever ever want to be
>> > running STP with 802.1X packets passing through... some client will shut
>> > down your upstream port, your STP will break and you will die in a fire.
>> >
>> > The general idea, though, is that a STP-enabled switch is an intelligent
>> > switch. And an intelligent switch can speak all those pesky small
>> > side-dish protocols.
> [...]
>> >> > (Some quick googling reveals that hardware switch chips special-drop
>> >> > 01:80:c2:00:00:01 [802.3x/pause] and :02 [802.3ad/lacp] and nothing
>> >> > else - for the dumb ones anyway. It also seems like the match for pause
>> >> > frames usually works on the address, not on the protocol field like we
>> >> > do it...)
>> >> 'Enterprise' switches drop :03 [802.1x]
>> >
>> > They also speak STP, see above about never STP+1X :)
>> But if you turn off STP they wont start forwarding 802.1x.
>
> Yes, hence my suggestion to have a knob for all of the link-local
> ethernet groups. (Which I'm still not actually endorsing, just placing
> the idea)
>
>> Also having STP on and forwarding 802.1x would be useful (but
>> non-standard) in some cheap redundant periphery switches, connecting
>> to a couple of 'core' switches acting as 802.1x authenticators.
>
> That wouldn't really make much sense since those central 802.1X
> authenticators wouldn't be able switch the client-facing ports on and
> off.
Although its non standard, it is common for authenticators to do
802.1X per source mac rather than per port. Also the central
authenticator ports can be routed not bridged. So i dont think you
can rule out the "STP on plus 802.1x being forwarded" requirement.
> Instead, you now have to (1) disable the port switching to make
> sure your upstreams stay on and (2) deal with 802.1X clients being
> re"routed" by STP to different authenticators that don't know them.
Well if the authenticators are pointed at a remote ACS then they will
know them. And again even though non-standard, 802.1X 'mac move'
functionality exists.
Nick
>
>
> -David
>
>
next prev parent reply other threads:[~2011-06-29 22:46 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-23 21:39 [PATCH] bridge: Forward EAPOL Kconfig option BRIDGE_PAE_FORWARD Nick Carter
2011-06-23 22:29 ` Stephen Hemminger
2011-06-24 18:29 ` Nick Carter
2011-06-24 19:08 ` Stephen Hemminger
2011-06-24 21:29 ` Nick Carter
2011-06-24 23:33 ` Nick Carter
2011-06-28 15:02 ` David Lamparter
2011-06-28 15:10 ` Stephen Hemminger
2011-06-28 16:00 ` David Lamparter
2011-06-28 18:34 ` Nick Carter
2011-06-28 18:58 ` David Lamparter
2011-06-28 20:00 ` Nick Carter
2011-06-28 20:22 ` David Lamparter
2011-06-28 20:54 ` Nick Carter
2011-06-28 21:04 ` David Lamparter
2011-06-28 21:22 ` Nick Carter
2011-06-28 21:46 ` David Lamparter
2011-06-28 22:03 ` [PATCH 1/2] bridge: ignore pause & bonding frames David Lamparter
2011-06-28 22:03 ` [PATCH 2/2] bridge: pass through 802.1X & co. in 'dumb' mode David Lamparter
2011-06-29 22:56 ` Nick Carter
2011-06-28 22:10 ` [PATCH v2] bridge: ignore pause & bonding frames David Lamparter
2011-06-29 22:46 ` Nick Carter [this message]
2011-06-29 23:34 ` [PATCH] bridge: Forward EAPOL Kconfig option BRIDGE_PAE_FORWARD Stephen Hemminger
2011-07-01 10:16 ` David Lamparter
2011-07-01 14:58 ` Michał Mirosław
2011-07-01 15:16 ` bridge vs. bonding/pause frames (was: Forward EAPOL...) David Lamparter
2011-07-01 17:59 ` Michał Mirosław
2011-07-01 21:10 ` Nick Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='BANLkTi=4-xYNyaBOzeL04VioK8D0Q8secg@mail.gmail.com' \
--to=ncarter100@gmail.com \
--cc=davem@davemloft.net \
--cc=equinox@diac24.net \
--cc=netdev@vger.kernel.org \
--cc=shemminger@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).