LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 12-02-2005, 01:42 PM   #1
slacky
Member
 
Registered: Feb 2004
Location: USA
Distribution: Debian
Posts: 174

Rep: Reputation: 16
STP (Spanning Tree) on Bridge


I have a transparent firewalling bridge between two VLANs on Cisco switches. I had STP disabled, but now after over a year I wanted to enable it, so I did. I have eth0 and eth1 connected each to a different VLAN and on different Cisco switches, and eth0 and eth1 are bridged as "br0". However, I also have ebtables running on the bridge - and my rules are as follows (from my init.d script):

Code:
                # set up packet filtering on the bridge to only allow ARP and IPv4 Ethernet packets
                # note ebtables is the bridging at layer 2 (Ethernet, below TCP/IP)
                echo "Starting ebtables firewalling..."
                $EBTABLES -t filter -P FORWARD DROP #default to drop all not explicitly allowed
                $EBTABLES -t filter -A FORWARD -p ARP -j ACCEPT #allow ARP (resolve ip addresses to mac addresses)
                $EBTABLES -t filter -A FORWARD -p IPv4 -j ACCEPT #allow TCP/IP
                $EBTABLES -t filter -A FORWARD -j DROP #deny everything else
                $EBTABLES --zero
Note that ebtables defaults to ACCEPT for its INPUT and OUTPUT chain.

My question is: Is there anything in the STP protocol that requires it to it be forwarded through the bridge, as my rules would block that, rather than just sent and received on the two NICs? Best I can tell by packet sniffing the STP protocol on my workstations, STP is only sent from a mac address specific to the port on the Cisco switch and sent to a special STP mac address.

Thanks,
Josh
 
Old 12-02-2005, 07:52 PM   #2
winsnomore
Member
 
Registered: May 2004
Location: USA
Distribution: #1 PCLinuxOS -- for laughs -> Ubuntu, Suse, Mepis
Posts: 315

Rep: Reputation: 31
STP's purpose is to kill endless routed packets .. if your bridge blocks it .. then there is no need to worry about it.
 
Old 12-05-2005, 08:12 AM   #3
slacky
Member
 
Registered: Feb 2004
Location: USA
Distribution: Debian
Posts: 174

Original Poster
Rep: Reputation: 16
Right, but the problem is without STP on the Linux bridge and with it blocking STP traffic, it seems to me if you would connect a crossover cable between the two VLANs somewhere else you could still generate the broadcast storm and take down my network.
 
Old 12-05-2005, 11:00 AM   #4
genlee
Member
 
Registered: Jul 2003
Distribution: Solaris 8/9, gentoo
Posts: 41

Rep: Reputation: 15
Spanning Tree uses bpdu's to communicate between devices. As long as your bridge is forwarding multicast traffic, it will work.
 
Old 12-05-2005, 06:02 PM   #5
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
Hi,

i must say i don't really understand what use is your bridge, or your vlans...
one configures vlans to isolate 2 network segments, so that you don't get polluted by broadcasts, traffic that's definitly not for you etc...

so, what you wouldn't want, would be having a layer 2 link in-between your 2 vlans... you'll loose your isolation!! vlan interconnection should be done (and is done) at layer 3.

usually, you manage as well to set up two different IP networks for two vlans (vlan 100: 192.168.100.0/24, vlan 102: 192.168.102.0/24), this way you use a router to route packets between the 2 vlans.

but even if your 2 vlans use the same IP network, you have to go to layer 3:
Say a packet comes in eth0 from vlan 100.
It's ethernet header includes a field saying "I'm in vlan 100"
It comes into eth0, the ethernet header is removed so as to check the packet content.
According to the dest IP, you have to forward it
It goes to eth1 output queue
Since eth1 is in vlan 101, the ethernet header will include this info.

Note that Cisco switches are nice, if the packet is not tagged (no vlan info in the ethernet header), then if the interface of the switch is in a non-native vlan and is not a trunk, it will add the vlan tag for you (would be the case if you didn't configured vlans on your Linux box).

Note 2: Cisco switches are not nice towards packets that are not in the correct vlan. A packet that is tagged as vlan 100 and comes into a port of a cisco switch configured as vlan 101 will be dropped...

So, as your bridge is in fact working at layer 3 (even if it routes from a lan into the same lan) it shouldn't be part of STP.
The only setup I can see in which it would be better to activate STP is if your vlan 100 and vlan 101 spread accross the bridge (you have machines in both vlans on both interface of the bridge). In this case, to be compliant with Cisco and with the spaning tree protocol, you must have an instance of spanning tree per vlan, which means creating vlans in your Linux box (eth0.100 and eth1.100 in vlan 100, eth0.101 and eth1.101 in vlan 101), and then creating 2 bridges (br100 with eth0.100 and eth1.100; br101 with eth0.101 and eth1.101). Be cafrefull, you must use the same vlan numbers as in the ciscos, as this number is written in the ethernet frames. Take care as well of the native vlan used by cisco: the vlan 1 is called native by Cisco boxes, which means that ethernet frames are not tagged (whereas I believe Linux would tag the frames of vlan 1... I'm not sure about this one, it should be checked.... I think there must be a way to configure native vlan on Linux boxes as well).
 
Old 12-06-2005, 09:15 AM   #6
slacky
Member
 
Registered: Feb 2004
Location: USA
Distribution: Debian
Posts: 174

Original Poster
Rep: Reputation: 16
Well, I think this page answered all my questions:

http://www.cisco.com/univercd/cc/td/...m#xtocid287961

Looks like BPDUs go from switch to switch and do not need to be forwarded.

Anyway, I'll explain why I am bridging two vlans at layer 2 and not layer 3. We had a subnet (192.168.0.0/24) with many PCs and many other devices on it. We wanted to add some extra security to who/what can access these devices as they are mission critical and don't have much security built into them. Switching them to their own subnet and routing to them would be an ideal solution, however ip addresses weren't allocated in a way that would make it easy to split the subnet and changing the ip address on many of them requires expensive downtime (things run continuously) and requires reconfiguration via a serial port connection (timeconsuming to go around to each one).

So the easier thing to do was to leave the PCs on VLAN 101, make a new vlan 102, then switch the network ports the devices were plugged into to vlan 102. Then you could connect a Cisco port set to vlan 101 and one set to vlan 102 with a crossover cable and everything would work - conceptually similar to having two separate unmanaged switches - one with all the PCs plugged into it, and one with all the devices plugged into it - and then connecting the two separate switches with a crossover cable. I then replace the crossover cable with the Linux bridge and use ebtables, the bridge-nf patch, and iptables to control what ethernet and ipv4 traffic can cross the bridge. I can drop broadcasts from going through it with iptables rules, and the Linux bridge does not even need to know about the vlans - there are no vlan tag in the ethernet headers of packets passing through it.

Its worked great so far, until last week a hardware or electrical problem on one of the Cisco switches or a device connected to it caused the switch to send vlan 101 traffic on vlan 102 and I did not have STP enabled on the Linux bridge, so the loop caused address flaps on other switches which took down some of my network for a couple minutes. So I enabled STP on the bridge, but wasn't sure if I'd need ebtables rules to allow it.

Thanks.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Spanning Tree query balajee Linux - Networking 2 09-29-2005 03:40 AM
the bible = the tree of the knowledge of good and evil () Jesus = the tree of life Michael111 General 2 04-14-2004 04:28 PM
Linux bridge with iptables and STP wkm001 Linux - Networking 1 02-04-2004 01:37 PM
Spanning tree (for bridge)????? RWild Linux - Networking 8 02-21-2003 12:54 PM
need a P-Tree (Patricia Tree) library manaskb Programming 1 11-02-2002 06:15 PM


All times are GMT -5. The time now is 05:58 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration