[Bridge] RFC: Simple Private VLAN impl.

richardvoigt at gmail.com
Fri Jun 12 21:29:31 PDT 2009


>> If you want linux to act like a physical switch:
>>
>> add ethN.0 to br0
>> add ethN.1 to br1
>> add ethN.j to brj
>>
>> all VLANs will be isolated from each other just like a simple
>> VLAN-capable switch.
>>
>> If you don't want traffic from VLAN 4042 to go out over VLAN 4043,
>> don't add them to the same bridge instance.
>
> But why should I not be able to add both 4043 and 4044 to the same bridge?

You are able to add them to the same bridge.  Doing so will pass
traffic between them.  That's what a bridge does.  If you don't want
traffic bridged, don't put them in the same bridge.  But you
experienced the expected and desirable behavior corresponding to
adding multiple interfaces to a bridge, and then you come to the list
saying "Doctor, it hurts when I do this."

Linux supports multiple bridge interfaces.  If you want multiple
private networks isolated from each other, use a new bridge instance
for each.  That's what multiple bridge instances are for.  If you want
a server to serve clients in multiple VLANs, make the server listen on
multiple interfaces (these can be VLANs on a single physical link).
That simplifies the MAC address table and cuts down on broadcast
traffic as well.  Then you don't have the complexity of ebtables to
block traffic between ports, every VLAN is fully connected using its
own bridge instance and no traffic crosses to a different VLAN at all.
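The one-bridge-per-VLAN layout the reply describes (ethN.j enslaved to brj), as an added shell example that is not code from the original thread: the first function emits the iproute2 commands that create a VLAN sub-interface and a dedicated bridge for each VLAN ID, and the second reads a `bridge link show` listing and reports any bridge holding more than one VLAN sub-interface of the same physical link, which is the configuration that forwards traffic between VLANs. The interface name eth0, the VLAN IDs and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed names: eth0, VLAN IDs
# 4043/4044/4045, and the sample `bridge link show` output below, all constructed.

# Emit the ip(8) commands that put each 802.1Q sub-interface into its own bridge:
# ethN.j -> brj. Pipe the output into `sh` as root to apply it.
# Usage: vlan_bridge_cmds <physical-iface> <vid>...
vlan_bridge_cmds() {
    phys=$1; shift
    for vid in "$@"; do
        echo "ip link add link $phys name $phys.$vid type vlan id $vid"
        echo "ip link add name br$vid type bridge"
        echo "ip link set dev $phys.$vid master br$vid"
        echo "ip link set dev $phys.$vid up"
        echo "ip link set dev br$vid up"
    done
}

# Read `bridge link show` output on stdin and print every bridge that holds
# more than one VLAN sub-interface (name ending in .<vid>), with its ports.
# Two such ports in one bridge means the kernel will bridge those VLANs.
shared_vlan_bridges() {
    awk '
        /master/ {
            port = $2
            sub(/@.*/, "", port)              # drop "@eth0" suffix, if present
            sub(/:$/, "", port)               # drop trailing colon
            for (i = 1; i <= NF; i++) if ($i == "master") br = $(i + 1)
            if (port ~ /\.[0-9]+$/) {         # only 802.1Q sub-interfaces
                count[br]++
                ports[br] = ports[br] " " port
            }
        }
        END { for (br in count) if (count[br] > 1) print br ":" ports[br] }
    ' | sort
}

# Constructed sample listing: 4043 and 4044 wrongly share br0, 4045 has its own bridge.
SAMPLE='3: eth0.4043@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 4
4: eth0.4044@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 4
5: eth0.4045@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br4045 state forwarding priority 32 cost 4'

# Show the commands for two isolated VLANs, then audit the sample listing.
vlan_bridge_cmds eth0 4043 4044
printf '%s\n' "$SAMPLE" | shared_vlan_bridges
```

On a live system, replace the sample with `bridge link show | shared_vlan_bridges`; an empty result means no bridge carries more than one VLAN sub-interface, which is the isolation the reply is asking for without any ebtables rules.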

