Assigning one of the phys devices as vlandev to a vlan is not working. I mean,
I can assign to them, but if vlan40 is assigned to hme2 and hme2 fails, then
vlan40 will be down and hosts in vlan40 are unreachable.
So:
ifconfig hme2 up
ifconfig hme3 up
ifconfig vlan40 create
ifconfig vlan40 vlandev hme2
ifconfig vlan40 inet 192.168.240.1 255.255.255.0
ifconfig vlan40 up
ifconfig bridge1 create
ifconfig bridge1 add vlan40
ifconfig bridge1 add hme2
ifconfig bridge1 add hme3
ifconfig bridge1 stp hme2
ifconfig bridge1 stp hme3
ifconfig bridge1 stp vlan40
ifconfig bridge1 spanpriority 61400 # avoid being the root bridge
ifconfig bridge1 up
is not working :(
I want a solution that works with just one VLAN, so the VLAN is not
dependent on the phys interface. In your solution, if I don't pull up vlan41,
then hme3 won't be in the bridge.
Cheers,
Tamas
-----Original Message-----
From: Claer [mailto:[email protected]]
Sent: Tuesday, June 21, 2011 12:00 PM
To: Dajka Tamas
Subject: Re: VLANs on bridge
On Tue, Jun 21 2011 at 10:11, Dajka Tamas wrote:
> Hi all,
Hi,
> I've to establish a highly redundant firewall cluster with openbsd, but I got
> stuck with the config.
> The config:
>
>
> - 2 CORE0 routers ( Cisco 7xxx )
>
> - 2 FW running OpenBSD 4.9
>
> - 2 internal Cisco 3750g switches ( SW01&SW02 )
>
> Please find attached the draft of the network infrastructure ( or just view it
> here: http://img69.imageshack.us/img69/9414/monofwdraft.png )
>
> In the external side of the FWs, I've 5 VLANS: 90-95 for separate data flows (
> 1 for public internet ).
> In the internal side we've 4 VLANS: 40-44
>
> The internal Ciscos are configured with RSTP and are connected to each other
> directly with one VTP domain, SW01 being the master. The FW's ports are all
> trunk ports with allowed VLANs 40-44.
>
> What I can't establish: how to build the bridges with VLANs on top of them?
>
> I've tried several ways, none of them worked well. In some scenarios it worked
> partly: when I set hme2 to vlan40's vlandev, I could see the machines in VLAN
> 40, but when I disconnected hme2 - the traffic should switch to hme2 then -
> the connection broke.
>
> My latest try was this config ( just for vlan40 now ):
>
> ifconfig hme2 up
> ifconfig hme3 up
> ifconfig vether0 create
> ifconfig vlan40 create
> ifconfig vlan40 vlandev vether0
> ifconfig vlan40 inet 192.168.240.1 255.255.255.0
> ifconfig vlan40 up
> ifconfig vether0 up
> ifconfig bridge1 create
> ifconfig bridge1 add hme2
> ifconfig bridge1 add hme3
> ifconfig bridge1 add vether0
> ifconfig bridge1 stp hme2
> ifconfig bridge1 stp hme3
> ifconfig bridge1 stp vether0
> ifconfig bridge1 spanpriority 61400 # avoid being the root bridge
> ifconfig bridge1 up
>
> When I try to ping 192.168.240.251 ( linux host in vlan 40 ) I see the packets
> in vlan40 ( tcpdump -ni vlan40 ), but the packet doesn't get to vether0 :( ( I
> see just the BPDU packets of the RSTP on vether0 ).
>
> Any suggestions? How should I build the bridge with full VLAN redundancy and
> RSTP?
A "stupid" one, did you try to bridge vlans one by one?
ifconfig hme2 up
ifconfig hme3 up
ifconfig vether40 create
ifconfig vether40 inet 192.168.240.1 255.255.255.0
ifconfig vether40 up
ifconfig vlan40 create
ifconfig vlan40 vlandev hme2
ifconfig vlan41 create
ifconfig vlan41 vlandev hme3
ifconfig vlan40 up
ifconfig vlan41 up
ifconfig bridge1 create
ifconfig bridge1 add vlan40
ifconfig bridge1 add vlan41
ifconfig bridge1 add vether40
ifconfig bridge1 stp vlan40
ifconfig bridge1 stp vlan41
ifconfig bridge1 stp vether40
ifconfig bridge1 spanpriority 61400 # avoid being the root bridge
ifconfig bridge1 up
...
This is by far a bad solution but could be interesting for finding a better one.
Regards,
Claer
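The following is an added example, not code from either poster: a POSIX shell script that turns the idea discussed above (the firewall's own address on a vether interface, one vlan interface per physical port, all joined by a bridge running STP with a high spanpriority) into persistent OpenBSD hostname.if(5) files, and generalizes it to any number of VLAN tags. It assumes the hostname.if(5) convention that each line is a set of ifconfig options applied to the named interface, that the `vlan <tag>` option sets the 802.1Q tag explicitly so the interface unit number no longer has to equal the VLAN id, and that one bridge per VLAN is used so broadcast domains stay separate. The interface naming (vether<tag>, vlan<tag> on the first port, vlan1<tag> on the second port, bridge<tag>) and the address used for tag 41 are this example's own constructions; only vlan40's address and the port names come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate OpenBSD hostname.if(5) files
# that build, for each VLAN tag, one bridge joining a vether(4) carrier for
# the firewall's own address with one vlan(4) interface per physical port.
# Assumptions (hypothetical, not confirmed by the thread): hostname.if(5)
# lines are ifconfig options for the named interface, "vlan <tag>" sets the
# 802.1Q tag explicitly, and a separate bridge per VLAN keeps domains apart.

PORTS="hme2 hme3"     # physical trunk ports named in the thread
PRIORITY=61400        # from the thread: avoid becoming the root bridge

# vlan_ifname PORTINDEX TAG -> interface name for that port's VLAN interface
# Naming scheme is this example's own: vlan<tag> for port 0, vlan1<tag> for port 1.
vlan_ifname() {
    if [ "$1" -eq 0 ]; then echo "vlan$2"; else echo "vlan$1$2"; fi
}

# gen_vlan_config OUTDIR TAG ADDR MASK
# Writes hostname.vether<tag>, one hostname.vlan* per port and
# hostname.bridge<tag> into OUTDIR.
gen_vlan_config() {
    outdir=$1; tag=$2; addr=$3; mask=$4
    mkdir -p "$outdir"
    # The L3 address lives on the vether, so it survives any single port failure.
    printf 'inet %s %s\nup\n' "$addr" "$mask" > "$outdir/hostname.vether$tag"
    bridge="$outdir/hostname.bridge$tag"
    : > "$bridge"
    i=0
    for port in $PORTS; do
        vif=$(vlan_ifname "$i" "$tag")
        # Explicit tag: both ports carry the same VLAN id under different names.
        printf 'vlan %s vlandev %s\nup\n' "$tag" "$port" > "$outdir/hostname.$vif"
        printf 'add %s\nstp %s\n' "$vif" "$vif" >> "$bridge"
        i=$((i + 1))
    done
    printf 'add vether%s\nstp vether%s\nspanpriority %s\nup\n' \
        "$tag" "$tag" "$PRIORITY" >> "$bridge"
}

# count_members OUTDIR TAG -> number of "add" lines in that VLAN's bridge file
count_members() {
    grep -c '^add ' "$1/hostname.bridge$2"
}

# Demo: vlan40 with the address from the thread, vlan41 with a constructed one.
demo_dir=${TMPDIR:-/tmp}/hostname-if-demo
gen_vlan_config "$demo_dir" 40 192.168.240.1 255.255.255.0
gen_vlan_config "$demo_dir" 41 192.168.241.1 255.255.255.0   # constructed address
cat "$demo_dir/hostname.bridge40"
```

Copy the generated files to /etc on the firewall and bring them up with netstart(8), which creates the vether and vlan interfaces before it configures the bridges; the bridge file lists each port's VLAN interface plus the vether, so the address keeps its path through the remaining port when one trunk goes down.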