Hi,
I am hoping someone could give me a clue to solve an issue where I try
to insert a bridge in between a Cisco router and a Cisco switch that are
configured with vlans in between them. I reduced the test setup to a
minimum and I can't find a way to do it yet. I am obviously missing
something stupid.
The test setup

 --------------        --------------
|              |      |              |
|  Cisco 26xx  |      |  Cisco 2950  | -> vlan 1 computers
|  Vlan 1 & 2  | ---> |  Vlan 1 & 2  |
|              |      |              | -> vlan 2 computers
 --------------        --------------
I want to test with

 --------------      -----------      --------------
|  Cisco       |    |           |    |              |
|  2921        |    |           |    |  Cisco 2950  | -> vlan 1 computers
|  Vlan 1 & 2  | -> |  OpenBSD  | -> |  Vlan 1 & 2  |
|              |    |  Bridge   |    |              | -> vlan 2 computers
 --------------      -----------      --------------
When the bridge has an IP configured on it for access via SSH from the
Internet, there is no problem, and it is on Vlan 1.
I can configure PF to filter on the bridge, but when I try to add a vlan
interface 2, it kills the traffic between the Cisco router and the
switch.
Here dc0 is facing the Cisco router and dc1 the switch; it looks like I
can't pass vlans through the bridge. I tried many possibilities, even some
totally illogical ones just in case, and obviously it didn't work.
As long as I have no vlan configured on the OpenBSD, all passes through no
problem, but as soon as I try to put in Vlan 2, so that I can filter on
that interface, nothing goes, and I removed PF altogether, so it's not
even in the picture.
This should be very simple; however, I am at a loss to make this work.
Is it possible, or is it assumed that the vlan has to originate on the
OpenBSD box itself on the physical interface, or can it pass from one
interface to the next?
I deleted all my configuration now and left it as a simple bridge, but I
really would like to be able to insert the vlan in the bridge.
Is that stupid to do?
The reason why I need to do this is because I need to migrate a setup
where I have about 250 vlans with the setup above, but with much bigger
equipment, and I can't take it down to replace it, so I need to do it in
steps. Inserting an OpenBSD router in between and putting it as a bridge to
start with, as each vlan is migrated over, is doable and doesn't create as
much of a time constraint. The process takes more time, yes, but is
totally transparent to the users.
So, I thought that it should work like this in the test setup.
Vlan 1 uses 10.0.1.0/24
Vlan 2 uses 10.0.2.0/24
The Cisco router has 10.0.1.1 on vlan 1 and 10.0.2.1 on vlan 2.
And the test computers use the respective IPs on each vlan, where the switch
itself is configured with fixed vlan port access to force the use of the
wanted vlan on the computer side, to be sure it's on that vlan; this was
confirmed as well before the addition of the bridge.
# cat hostname.dc0
inet 10.0.1.2 255.255.255.0 NONE media 100baseTX mediaopt full-duplex
description Uplink
# cat hostname.dc1
up media 100baseTX mediaopt full-duplex description LAN
# cat bridgename.bridge0
add dc0 add dc1 up
Now, if I try what I think should be logical:
ifconfig vlan2 create
ifconfig vlan2 vlandev dc0
ifconfig vlan2 up
brconfig bridge0 add vlan2 up
I can still use vlan 2 on the switch side and reach the bridge, but it
will not reach the Cisco router. So, anything that is on vlan 2 will
not cross over and reach the external world anymore. Killing the vlan2
interface restores that traffic from the internal vlan 2.
I have to say, this might not be the best idea, trying to do this, as it
would be more logical to have the vlan originate from the OpenBSD box
itself, I agree, but shouldn't this be possible to do, however?
I can't get it to work in the lab and I am running out of ideas, or maybe
I just try to do something too stupid in the first place.
Any suggestions would be greatly appreciated, or even a simple "no, it's
not possible to do" would be nice too, as I would stop losing my mind
trying to make it work.
I think it definitely should be possible to do, for sure, but I may be
wrong, as testing kind of shows me it's not going to fly.
Daniel
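As an added illustration (not part of Daniel's post and not OpenBSD code), the following Python models how an 802.1Q tag travels through the lab bridge in one direction: a vlan(4)-style interface removes the tag on input and re-inserts it on output, while a plain port member (dc0, dc1) sends the frame exactly as the bridge hands it over. The member layouts, MAC addresses and payload are constructed for the example; it does not claim how OpenBSD dispatches frames internally.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_IP = 0x0800

def build_frame(dst, src, payload, vid=None, ethertype=ETHERTYPE_IP):
    """Ethernet frame from raw 6-byte MACs; with vid set, an 802.1Q tag is inserted."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)  # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Decode dst, src, vid (None when untagged), inner ethertype and payload."""
    etype = struct.unpack_from("!H", frame, 12)[0]
    vid, off = None, 14
    if etype == ETHERTYPE_VLAN:
        vid = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
        etype = struct.unpack_from("!H", frame, 16)[0]
        off = 18
    return {"dst": frame[:6], "src": frame[6:12], "vid": vid,
            "ethertype": etype, "payload": frame[off:]}

def vlan_strip(frame):
    """What a vlan(4)-style interface does on input: remove the 4-byte tag."""
    return frame[:12] + frame[16:]

def vlan_insert(frame, vid):
    """What a vlan(4)-style interface does on output: re-insert the tag."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF) + frame[12:]

def bridge_forward(frame, in_member, out_member):
    """One hop through a transparent bridge. Members are ('phys', None) for a plain port
    or ('vlan', vid) for a vlan interface; only vlan members strip on input / tag on output."""
    if in_member[0] == "vlan":
        frame = vlan_strip(frame)
    if out_member[0] == "vlan":
        frame = vlan_insert(frame, out_member[1])
    return frame

# Constructed sample: a VLAN 2 frame from the router side heading for a host behind the switch.
ROUTER, HOST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
TAGGED = build_frame(HOST, ROUTER, b"ip-payload", vid=2)

def demo():
    """VLAN id seen on the switch side (dc1) for three bridge member layouts."""
    plain = bridge_forward(TAGGED, ("phys", None), ("phys", None))  # dc0 -> dc1, tag intact
    half = bridge_forward(TAGGED, ("vlan", 2), ("phys", None))      # vlan2 on dc0 -> dc1
    both = bridge_forward(TAGGED, ("vlan", 2), ("vlan", 2))         # vlan on dc0 -> vlan on dc1
    return parse_frame(plain)["vid"], parse_frame(half)["vid"], parse_frame(both)["vid"]
```

In the middle layout the frame leaves dc1 with no tag, so the 2950 has no way to place it in VLAN 2; the other two layouts deliver it tagged with VLAN 2.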