On Thursday, 02/20/2014 at 03:08 EST, "Pavelka, Tomas" <[email protected]> wrote:
> We have a problem where frames that pass through a Linux bridge do not reach
> the gateway outside of the mainframe box. We have set up an experiment that
> reproduces the problem, which looks like this:
>
> (LINUX1) - <private vswitch> - (LINUXBR) - <public vswitch> - OSA - gateway
>
> The problem is that in this setup we cannot ping the gateway. But, under a
> different setup:
>
> (LINUX1) - <private vswitch> - (LINUXBR) - <public vswitch> - (LINUX2)
>
> Both LINUX1 and LINUX2 can communicate. Moreover, LINUX2 can ping the gateway
> (the OSA card is still connected to the public vswitch, I just did not put it
> in the picture).
>
> Some more details that may be important:
> - Both public and private vswitch are layer 2
> - LINUXBR runs RHEL 6 and uses bridge-utils to create the bridge
> - private vswitch is not connected to any OSA card
>
> We have played with TCPDUMP and found that ARP (broadcast) packets do reach the
> gateway and come back, but ping's ICMP (unicast) packets get dropped. This led
> us to the following hypothesis: If there is a unicast packet originating from a
> MAC address not known to public vswitch, it gets dropped somewhere on the way
> between LINUXBR and the gateway.
>
> Does anyone know any settings that could affect filtering done either by the
> vswitch or by the OSA card? We asked our hardware people but they did not know
> of anything that could cause the problems. But a more targeted question could
> help if we knew what to ask for.

Two guests cannot use the same MAC address, even if they are on different
VSWITCHes. This is true even if you permit the bridging guest to set its own
MAC address (MACPROTECT OFF). [NOTE: Everyone should have VMLAN MACPROTECT ON
in SYSTEM CONFIG.]

So you cannot implement a layer 2 bridge with VSWITCHes. Further, the VSWITCH
is already acting as an IEEE 802.3 layer 2 bridge and its filtering database
will drop unicast frames destined for unknown MAC addresses.

What is LINUXBR doing for you that the VSWITCH cannot do for you?

Alan Altmark

Senior Managing z/VM and Linux Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
[email protected]
IBM Endicott
