[Bridge] Bridging Vlan traffic on routed network

Alex Font drmaligno at gmail.com
Wed Jul 10 10:29:33 UTC 2013


Hi everybody!

As a part of a NAC implementation, I've created a new VLAN for the
"isolated" devices; from this VLAN, the computers in it are not able to
communicate with anything, except what I want (via iptables).
So, the thing is that I'm trying to bridge some traffic from one
"isolation" VLAN (VLAN 3) to the "production" VLAN (VLAN 800).
I'm working on a routed network (Enterasys routing) that takes care of
the routing and VLAN tagging stuff, of course...

The point is that I want the Linux box to filter the packets between
those VLANs. I've tried with brctl and ebtables, but at first the
"isolated" computer was not able to reach the servers on the "production"
VLAN (I was seeing the ARP requests from the PC, asking for the MAC of its
gateway), and after a few tries I managed to get it working, but after a few
minutes the entire network went down... :( So, definitely, I'm doing
something wrong...

Here's an example of the scenario:

VLAN 110: 172.26.0.0/16 (gw: 172.26.135.136)
VLAN 800: 172.20.0.0/16 (gw: 172.20.135.136)
VLAN 3: (isolation, not routed by the Enterasys)

 _________________________
| PC isolated (VLAN 3)    |      ______________                 ____________________                 ______________
| IP: 172.26.135.109      |---->| Cisco 3560   |---(trunk)---->| Enterasys Router   |----VLAN3------| Linux Bridge |
| GW: 172.26.135.136      |      --------------                | 172.26.135.136     |----VLAN800----|     Box      |
 -------------------------                                     | 172.20.135.136     |                --------------
                                                                --------------------
                                                                         |
                                                                      VLAN800
                                                                         |
                                                                  ------------------
                                                                 | Server           |
                                                                 | IP: 172.20.100.2 |
                                                                 | GW: 172.20.135.136
                                                                  ------------------

As you can see, the packets from the router to the bridge box arrive
"tagged"... I've also tried configuring the "VLAN800" port to the Linux
box as an "access port", but then the packets never came to the Linux box
again (I only saw the computer's ARP requests coming from VLAN 3, passing
through the bridge and leaving by the "access" interface...)

So, I configured both ports of the Enterasys router as "tagged ports" and the
Linux bridge box as follows:

# Clear the IP addresses from the physical NICs; bridge member ports carry no IP.
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
# Create 802.1Q sub-interfaces: VLAN 800 (production) on eth0, VLAN 3 (isolation) on eth1.
vconfig add eth0 800
vconfig add eth1 3
# Build the bridge and enslave the two tagged sub-interfaces to it.
brctl addbr br0
brctl addif br0 eth0.800
brctl addif br0 eth1.3
# Bring the member ports and the bridge itself up so frames are forwarded.
ifconfig eth0.800 up
ifconfig eth1.3 up
ifconfig br0 up

With this configuration, the computer can communicate with the servers, but
after a while the entire network goes down! :-/

What would be the best way to do this kind of packet forwarding? I know
that this work can be done by the router itself, but it's not able to
filter the packets as iptables does (fine-grained)... so that's why I'm
putting the Linux bridge between those VLANs.

What am I missing?

Thanks in advance!!

PS: By the way, STP is disabled in the router and also in the Linux bridge
box.
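As an added example (not part of the original post, and not the poster's configuration), here is the same two-port VLAN bridge built with iproute2 instead of vconfig/brctl, followed by the part the post is really after: a default-deny iptables policy on the bridged path that lets the isolation VLAN reach only the server. The interface names eth0/eth1, VLAN ids 800 and 3, and the server address 172.20.100.2 are taken from the post; the allowed TCP port 443 is a constructed value. The script defines functions only; run it as "script.sh show" to print the commands, or "script.sh apply" as root to execute them. Note that iptables sees bridged frames only when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is set, which the filter function takes care of; ARP is not filtered by iptables and still needs ebtables if it must be restricted.

```shell
#!/bin/sh
# Added example: VLAN-to-VLAN Linux bridge with a default-deny iptables filter.
# Assumed names (from the post): eth0 carries VLAN 800, eth1 carries VLAN 3,
# server 172.20.100.2. ALLOWED_PORT=443 is a constructed example value.
# DRY_RUN=1 prints the commands instead of running them (running them needs root).

PROD_IF=${PROD_IF:-eth0}
ISO_IF=${ISO_IF:-eth1}
PROD_VLAN=${PROD_VLAN:-800}
ISO_VLAN=${ISO_VLAN:-3}
BRIDGE=${BRIDGE:-br0}
SERVER=${SERVER:-172.20.100.2}
ALLOWED_PORT=${ALLOWED_PORT:-443}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the bridge: two 802.1Q sub-interfaces enslaved to br0, STP off as in the post.
configure_bridge() {
    # Bridge member ports carry no IP address.
    run ip addr flush dev "$PROD_IF"
    run ip addr flush dev "$ISO_IF"
    # One VLAN sub-interface per side (equivalent of "vconfig add").
    run ip link add link "$PROD_IF" name "$PROD_IF.$PROD_VLAN" type vlan id "$PROD_VLAN"
    run ip link add link "$ISO_IF" name "$ISO_IF.$ISO_VLAN" type vlan id "$ISO_VLAN"
    # Create the bridge and attach both sub-interfaces as member ports.
    run ip link add name "$BRIDGE" type bridge stp_state 0
    run ip link set "$PROD_IF.$PROD_VLAN" master "$BRIDGE"
    run ip link set "$ISO_IF.$ISO_VLAN" master "$BRIDGE"
    run ip link set "$PROD_IF.$PROD_VLAN" up
    run ip link set "$ISO_IF.$ISO_VLAN" up
    run ip link set "$BRIDGE" up
}

# Filter the bridged traffic: drop everything crossing the bridge except
# isolation -> server on the allowed port and the replies belonging to it.
configure_filter() {
    # Without br_netfilter and this sysctl, bridged IP frames bypass iptables entirely.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # physdev matches on the bridge ports, so this rule applies only to frames
    # entering from the isolation VLAN and leaving towards the production VLAN.
    run iptables -A FORWARD -m physdev --physdev-in "$ISO_IF.$ISO_VLAN" \
        --physdev-out "$PROD_IF.$PROD_VLAN" -d "$SERVER" -p tcp --dport "$ALLOWED_PORT" -j ACCEPT
}

case "${1:-}" in
    apply) configure_bridge && configure_filter ;;
    show)  DRY_RUN=1; export DRY_RUN; configure_bridge; configure_filter ;;
esac
```

The filter is deliberately one-directional: nothing on the production side can initiate a connection into the isolation VLAN, and the isolated host sees only the single server/port it is allowed, which is the "nothing except what I want" policy described in the post expressed as iptables rules rather than as router ACLs.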