I think you should look at post #6. What you want to do is often accomplished using bonding. The bridge is configured as if it were a single interface and the switch prunes the additional interface. If the interface being used fails the second is the failover.

Bonding requires coordination with the upstream device (switch) to make it look like a single link. I have not yet found any such capability in my switch. Bonding is also generally done for increased bandwidth, which I don't need. I have gigabit now, and don't even need anywhere near 100 megabit.

I just want simple redundancy. And if things were to work in the way I think of as logical, this would be working redundancy with no special feature on the switch end. There's ONE bug I'm seeing which if solved might well make it all work, anyway. That bug is where packets arriving on the "other" interface don't get to the process (it's UDP for DNS). Everything is symmetrical except for the order of interfaces in the list of interfaces. Yet always one works and the other does not, with no relation to which might be plugged in or not.

If packets arriving on any interface always went to the listening process (UDP in this case), then a cable failure, even if it failed to be detected (e.g. the interface stays in RUNNING state even though data won't go through anymore), then eventually when ARP entries expire, they will be re-acquired only through the interface that is actually working. That should achieve redundancy without bonding.

The problem was that Ubuntu set the sysctl variable "rp_filter" to "1" AND the rp_filter implementation seems to have a timing bug relative to ARP entry expirations.

The fix/workaround is to set /proc/sys/net/ipv4/conf/*/rp_filter to the value "0". This is probably best done in file "/etc/sysctl.conf" with:Apparently, the ARP entries were expiring, and before new ones could be established via an attempt to send traffic to the IP address that had sent packets (as DNS queries), rp_filter kicked in and was discarding the packets. Apparently rp_filter utilizes the ARP table as well as the routing table to determine the reverse path to validate the packet source. Since the ARP entry had expired to go back to the source, it treated it as an invalid packet.

My network doesn't need this security feature, anyway, so it's easy for me to turn it off. Now I have fallback redundancy between two multihomed ethernet interfaces.