[Bridge] Linux Bridge + STP + VLAN

M.Rennt at gmx.net M.Rennt at gmx.net
Sat Dec 9 18:20:20 PST 2006


Hi,

We've been running the standard Linux bridge setup (redundant bridge) for 5 years now. So first of all, thanks to everyone involved for implementing the bridging feature in Linux.

Now I'm trying to bridge hosts connected to VLAN'ed Cisco switches using the Linux bridge.

I'm testing the following setup (Kernel 2.6.19, bridge-utils 1.2 on both bridges):

http://i147.photobucket.com/albums/r293/mrennt/BridgeProblem.jpg

The diagram shows how everything is set up. I'm not happy with eth0 being blocked on BRIDGE2: although I'm able to reach the IP configured on the bridge interface, I'm not sure if this is the correct STP behaviour, because eth0 is blocked and thus it shouldn't respond!?

Both Cisco switches (2950) have VLANs 1,10,20,31,32,33,34,50 configured.

Here's what I've done so far:

- Changed the multicast address on both bridges in order to not conflict with the Cisco switches spanning tree (as described in http://lists.osdl.org/pipermail/bridge/2005-October/001116.html)
- Enabled the bpdufilter on the trunk connections of both switches
- On the bridges: filtering requests originating in one VLAN going into another VLAN
  i.e. ebtables -A FORWARD -i vlan10 -o ! eth0 -j DROP

Here's the output of brctl of both bridges.

I'm not sure about the attachment policy on this mailing list, so I'm not posting the output below as an attachment; sorry if it's hard to read. :/
Let me know if a copy via mail is better.


ON SERVER "BRIDGE1"
---------------------------------------------------------
# brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             0000.000423c1e5f2       yes             eth0
                                                        vlan10
                                                        vlan20
                                                        vlan30
                                                        vlan31
                                                        vlan32
                                                        vlan33
                                                        vlan34
                                                        vlan50


# brctl showstp br0
br0
 bridge id              0000.000423c1e5f2
 designated root        0000.000423c1e5f2
 root port                 0                    path cost                  0
 max age                   4.00                 bridge max age             4.00
 hello time                1.00                 bridge hello time          1.00
 forward delay             4.00                 bridge forward delay       4.00
 ageing time             300.00
 hello timer               0.25                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                   0.06
 flags                  


eth0 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                100
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8001                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.48
 flags                  

vlan10 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8002                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags                  CONFIG_PENDING 

vlan20 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8003                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags                  

vlan30 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8004                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags                  

vlan31 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8005                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags                  

vlan32 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8006                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags                  

vlan33 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8007                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags                  

vlan34 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8008                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags                  

vlan50 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                  1
 designated bridge      0000.000423c1e5f2       message age timer          0.00
 designated port        8009                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.24
 flags                  CONFIG_PENDING 

---------------------------------------------------------

vlan50 is always CONFIG_PENDING (after the very first state change).

The port id is 0000 (all zeroes) on all ports; it used to be 8000 some time ago, not sure when it changed. Is this correct? It doesn't look correct to me to have 0000 on all ports.




ON SERVER "BRIDGE2"
---------------------------------------------------------
#  brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             0064.00116b333a97       yes             eth0
                                                        vlan10
                                                        vlan20
                                                        vlan30
                                                        vlan31
                                                        vlan32
                                                        vlan33
                                                        vlan34
                                                        vlan50


#  brctl showstp br0
br0
 bridge id              0064.00116b333a97
 designated root        0000.000423c1e5f2
 root port                 2                    path cost                 19
 max age                   4.00                 bridge max age             4.00
 hello time                1.00                 bridge hello time          1.00
 forward delay             4.00                 bridge forward delay       4.00
 ageing time             300.00
 hello timer               0.00                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                   0.06
 flags                  


eth0 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                100
 designated bridge      0000.000423c1e5f2       message age timer          3.35
 designated port        8001                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags                  

vlan10 (0)
 port id                0000                    state                forwarding
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8002                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags                  

vlan20 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8003                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags                  

vlan30 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8004                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags                  

vlan31 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8005                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags                  

vlan32 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8006                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags                  

vlan33 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8007                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags                  

vlan34 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8008                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags                  

vlan50 (0)
 port id                0000                    state                  blocking
 designated root        0000.000423c1e5f2       path cost                 19
 designated bridge      0000.000423c1e5f2       message age timer          3.11
 designated port        8009                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags                  

---------------------------------------------------------

Same thing about the port ids on "BRIDGE2".

In order to achieve the desired setup (as shown in the diagram), I thought all VLAN ports would be blocked and eth0 would be unblocked. It's really weird that vlan10 is not blocked; it's configured on both Cisco switches and on BRIDGE1.



Here's an abstract of the start script I'm using (on BRIDGE1):

---------------------------------------------------------
BR_IF_DMZ=eth0
BR_IF_MZ=eth1
BR_NAME=br0
BR_PRIO=1
BR_IF_DMZ_COST=100
BR_IF_MZ_COST=1
VLAN=/etc/vlan.conf # one vlan id per line

# Tool paths (assumed; the posted abstract does not show where they are set).
# "return=$rc_failed" follows the SUSE rc.status init-script convention.
BRCTL=/sbin/brctl
VCONFIG=/sbin/vconfig
EBTABLES=/sbin/ebtables


echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/ifconfig $BR_IF_DMZ down
/sbin/ifconfig $BR_IF_MZ down

# /sbin/ifconfig $BR_IF_DMZ 0.0.0.0 promisc || return=$rc_failed
# /sbin/ifconfig $BR_IF_MZ 0.0.0.0 promisc || return=$rc_failed
/sbin/ifconfig $BR_IF_DMZ 0.0.0.0 up || return=$rc_failed
/sbin/ifconfig $BR_IF_MZ 0.0.0.0 up || return=$rc_failed

$BRCTL addbr $BR_NAME || return=$rc_failed
$BRCTL addif $BR_NAME $BR_IF_DMZ || return=$rc_failed

# Basic Settings

sleep 1

$BRCTL sethello $BR_NAME 1 || return=$rc_failed
$BRCTL setmaxage $BR_NAME 4 || return=$rc_failed
$BRCTL setfd $BR_NAME 4 || return=$rc_failed
$BRCTL stp $BR_NAME on || return=$rc_failed
$BRCTL setbridgeprio $BR_NAME $BR_PRIO || return=$rc_failed
$BRCTL setpathcost $BR_NAME $BR_IF_DMZ $BR_IF_DMZ_COST || return=$rc_failed
echo "$BRCTL setpathcost $BR_NAME $BR_IF_DMZ $BR_IF_DMZ_COST"

for file in $BR_NAME $BR_IF_DMZ $BR_IF_MZ;
do
	echo "1" > /proc/sys/net/ipv4/conf/${file}/proxy_arp;
	echo "1" > /proc/sys/net/ipv4/conf/${file}/forwarding;
done;

# Setup VLAN Interfaces

# Use vlan<id> name type
$VCONFIG set_name_type VLAN_PLUS_VID_NO_PAD

while read conf ; do
         case "$conf" in
        \#*|"") ;;              # Ignore empty lines and comments
        *)
          pattern=[[:space:]]*\#*
          vlan="${conf%%$pattern}"  # Remove Whitespaces and comments

          # Add VLAN to internal interface
          $VCONFIG add $BR_IF_MZ $vlan

          # Add VLAN to bridge
          $BRCTL addif $BR_NAME vlan$vlan || return=$rc_failed

          sleep 1

          $BRCTL setpathcost $BR_NAME vlan$vlan $BR_IF_MZ_COST || return=$rc_failed
          # /sbin/ifconfig vlan$vlan 0.0.0.0 promisc || return=$rc_failed
          /sbin/ifconfig vlan$vlan 0.0.0.0 up || return=$rc_failed

          # Block VLAN-to-VLAN traffic with ebtables already at L2
          $EBTABLES -A FORWARD -i vlan$vlan -o ! $BR_IF_DMZ -j DROP || return=$rc_failed

	  echo "1" > /proc/sys/net/ipv4/conf/vlan$vlan/proxy_arp;
	  echo "1" > /proc/sys/net/ipv4/conf/vlan$vlan/forwarding;

        esac
done < $VLAN

# End VLAN Setup

sleep 5

ifconfig br0 192.168.1.93 netmask 255.255.255.0

---------------------------------------------------------

Here's ebtables output:

Bridge chain: FORWARD, entries: 8, policy: ACCEPT
-i vlan10 -o ! eth0 -j DROP 
-i vlan20 -o ! eth0 -j DROP 
-i vlan30 -o ! eth0 -j DROP 
-i vlan31 -o ! eth0 -j DROP 
-i vlan32 -o ! eth0 -j DROP 
-i vlan33 -o ! eth0 -j DROP 
-i vlan34 -o ! eth0 -j DROP 
-i vlan50 -o ! eth0 -j DROP 


No rules in iptables so far.

-------------------------

So is the behaviour of STP correct or is this wrong?

Thanks to anyone taking the time reading this through. ;)

Best,

Michael
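As an added illustration (my own code, not from the post or from bridge-utils): a minimal 802.1D root-port and port-role calculation fed with the BRIDGE2 `brctl showstp` values above, which reproduces vlan10 as root port and eth0 as blocking and shows how the per-port path cost decides that. The `Port` fields, the `with_eth0_cost` helper and the simplification that every BRIDGE2 port hears the root bridge directly (designated cost 0, as the posted output shows) are my assumptions.

```python
from dataclasses import dataclass

@dataclass
class Port:
    name: str
    path_cost: int     # this bridge's own cost on the port (brctl setpathcost)
    desig_bridge: str  # bridge id heard in BPDUs on the segment
    desig_cost: int    # root path cost that bridge advertises
    desig_port: int    # designated port id it advertises

def bid_key(bridge_id: str):
    """Order bridge ids the 802.1D way: priority first, then MAC."""
    prio, mac = bridge_id.split(".")
    return (int(prio, 16), mac)

def stp_roles(own_id: str, ports: list) -> dict:
    """Return 'root', 'designated' or 'blocking' per port (802.1D-1998, clause 8.6)."""
    root_id = min([own_id] + [p.desig_bridge for p in ports], key=bid_key)
    if root_id == own_id:                      # we are the root: everything forwards
        return {p.name: "designated" for p in ports}
    # Root port: lowest root path cost, ties broken by designated bridge and port id.
    def rp_key(p):
        return (p.desig_cost + p.path_cost, bid_key(p.desig_bridge), p.desig_port)
    root_port = min(ports, key=rp_key)
    my_root_cost = rp_key(root_port)[0]
    roles = {}
    for p in ports:
        if p is root_port:
            roles[p.name] = "root"
        elif (my_root_cost, bid_key(own_id)) < (p.desig_cost, bid_key(p.desig_bridge)):
            roles[p.name] = "designated"   # we offer the segment a better path to the root
        else:
            roles[p.name] = "blocking"     # segment already has a better designated bridge
    return roles

# Values taken from the posted brctl showstp on BRIDGE2: priority 0x0064, every port
# hears the root (BRIDGE1, priority 0) directly with designated cost 0.
ROOT = "0000.000423c1e5f2"
BRIDGE2 = "0064.00116b333a97"
VLANS = (10, 20, 30, 31, 32, 33, 34, 50)
BRIDGE2_PORTS = [Port("eth0", 100, ROOT, 0, 0x8001)] + [
    Port(f"vlan{v}", 19, ROOT, 0, 0x8002 + i) for i, v in enumerate(VLANS)]

def with_eth0_cost(ports: list, cost: int) -> list:
    # Same ports with a different eth0 cost, to see how cost alone moves the root port.
    return [Port(p.name, cost if p.name == "eth0" else p.path_cost,
                 p.desig_bridge, p.desig_cost, p.desig_port) for p in ports]

if __name__ == "__main__":
    for name, role in stp_roles(BRIDGE2, BRIDGE2_PORTS).items():
        print(f"{name:7} {role}")
```

With the posted costs (eth0 = 100, VLAN ports = 19) the cheapest path to the root is vlan10, so it becomes the root port and every other port, eth0 included, stays blocking because the root itself is already the designated bridge on each segment.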