Re: Linux router

From: Dave Hall <dave-slg_at_no.spam.please>
Date: Tue Jun 03 2008 - 17:22:57 CST

On Tue, Jun 03, 2008 at 03:00:59PM -0700, Steven Kurylo wrote:
> > Try searching for "bridge" instead. Routing is really a layer-3
> > concept. STP is a layer-2 protocol, it really does 2 things;
>
> Yes but when you buy a layer 3 switch from cisco or dlink, it does all
> the stuff the lower layer switches can do too.
>
> > Is the proposed linux box going to route, bridge or both? What exactly
> > is your functional goal; segment the IP network to isolate sections,
> > provide redundant wiring paths for the Ethernet, etc?
>
> There will be multiple edge switches that will have multiple vlans on
> them. I want the linux router to be the default gateway for all those
> vlans and with iptables decide which vlan can reach what. So I need a
> vlan trunk from a switch to linux router.

OK, got it. Should be the standard stuff, like a NAT box but without
the address translation. You can probably do a lot of it with the
routing tables on linux with the ip command (assuming the rules are
simple).

>
> Then, for redundancy, I want multiple trunks. The best way I know of,
> and what I'd do with cisco gear, is use a couple cables and use STP to
> do failover.

You could do that but 802.3ad (aka multi-link trunking/link aggregation)
would probably work better. You double up the available bandwidth but
it would continue to work at reduced capacity if a link fails.

OpenBSD has supported this for a while, I assume it's probably in
Linux as well. For the OBSD description, see:
http://www.onlamp.com/pub/a/bsd/2005/10/20/openbsd_3_8.html

>
> So that would mean I'd have to bridge two linux NICs together and then
> I can run STP. Then linux would have eth0 (or whatever the name is at
> this point, br0?) and break out the vlans (eth0.1 eth0.2 eth0.3), then
> finally I can apply iptables rules to those interfaces.

Yup, sounds about right except I look at using the ip routing table to
do most of the work. Use iptables if you want funkier allow/deny
firewalling functionality between VLANs. Logically it should look
equivalent to a router box with a heap of ethernet ports although
I've never built anything with more than 4.

Relying on the routing tables to do the routing will also allow you to
make use of RIP or OSPF (or even BGP) routing protocols if you want to
integrate WAN, VPN or multiple Internet links into the picture.

Your routing and MLT should obviate the need for STP.

OTOH, if you wanted to do something like this for redundant physical
paths, STP could be helpful:

<edge switch 1>------<edge switch 2>
        \                   /
         \                 /
          \               X
           \             /
            <core router>

If the cable between the core and switch 2 were severed, there is still a
separate physical path via switch 1. The link between sw1 and sw2 would
activate if the direct link between cr and sw2 were severed.

Any or all of the links could be multi-link trunks (in theory).

>
> This seems to be a start for me:
> http://gentoo-wiki.com/HOWTO_setup_a_gentoo_bridge#Bridging_With_VLANs
>
> Though I seem to recall a couple years ago a project to bring all
> this together. Can't find it right now.

OpenBSD has emulated most of the 802.Nx for many years, some of that
documentation may help explain the concepts and get some of the right
jargon to find the Linux analogue. Sorry I can't be more help, I've
never played with the bridging functions under Linux.
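The setup discussed in this thread (802.3ad trunk instead of STP, VLAN subinterfaces, routing done by the kernel, iptables only for the inter-VLAN allow/deny policy), written out as an added example script that is not from either poster. NIC names eth0/eth1, VLAN IDs 10/20/30 and the 10.0.x.0/24 subnets are constructed assumptions; set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example: Linux inter-VLAN router on an 802.3ad (LACP) bond.
# Assumed NICs, VLAN IDs and subnets below are constructed sample values.
BOND=bond0
SLAVES="eth0 eth1"
# "vlan_id:gateway_addr/prefix" for each VLAN this box is the gateway of
VLANS="10:10.0.10.1/24 20:10.0.20.1/24 30:10.0.30.1/24"

run() {
    # Print instead of execute when DRY_RUN=1 (the real commands need root)
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

setup_trunk() {
    # LACP bond; the switch side must be configured as an LACP port-channel
    # carrying the same VLANs as a tagged trunk. Capacity drops on link loss
    # instead of failing over, which is the point made above.
    run ip link add "$BOND" type bond mode 802.3ad miimon 100 lacp_rate fast
    for s in $SLAVES; do
        run ip link set "$s" down
        run ip link set "$s" master "$BOND"
    done
    run ip link set "$BOND" up
}

setup_vlans() {
    # One 802.1Q subinterface per VLAN; connected routes make the kernel
    # routing table do the inter-VLAN forwarding.
    for v in $VLANS; do
        id=${v%%:*}; addr=${v#*:}
        run ip link add link "$BOND" name "$BOND.$id" type vlan id "$id"
        run ip addr add "$addr" dev "$BOND.$id"
        run ip link set "$BOND.$id" up
    done
    run sysctl -w net.ipv4.ip_forward=1
}

setup_policy() {
    # Default deny between VLANs, allow return traffic of permitted flows,
    # then explicit allows (here VLAN 10 may initiate to 20 and 30 only).
    # Everything else is logged and dropped by the chain policy.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$BOND.10" -o "$BOND.20" -j ACCEPT
    run iptables -A FORWARD -i "$BOND.10" -o "$BOND.30" -j ACCEPT
    run iptables -A FORWARD -j LOG --log-prefix "intervlan-drop: "
}

build_all() { setup_trunk; setup_vlans; setup_policy; }
```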