Re: Bridges

From: Wilkinson, Alex (alex.wilkinson_at_dsto.defence.gov.au)
Date: 09/29/05

  • Next message: Yar Tikhiy: "Re: Bridges"
    Date: Thu, 29 Sep 2005 08:44:09 +0930
    To: Peter Jeremy <PeterJeremy@optushome.com.au>
    
    

    On Thu, Sep 29, 2005 at 04:47:32AM +1000, Peter Jeremy wrote:

    >On Wed, 2005-Sep-28 03:29:33 -0700, Luigi Rizzo wrote:
    >>On Wed, Sep 28, 2005 at 02:21:53PM +0400, Yar Tikhiy wrote:
    >>> On Sun, Sep 25, 2005 at 05:22:38AM +1000, Peter Jeremy wrote:
    >>> >
    >>> > Since I've recently needed it, neither bridge.c nor if_bridge.c allow
    >>> > you to bridge VLAN trunks (you can bridge individual VLANs but that
    >>> > becomes unwieldy when you have dozens of VLANs). I have code to do
    >>> > this in bridge.c.
    >>>
    >>> Couldn't you bridge across the parent, or trunk, physical interfaces
    >>> carrying tagged VLAN traffic then? (Of course, hardware support for
    >>> VLAN should be turned off on them in that case.)
    >
    >That's actually what I was trying to do.
    >
    >>yes in fact i was wondering what's wrong with that because
    >>we have been using bridge.c like this for ages now...
    >
    >The problem is that the current bridge code only considers the MAC
    >address for forwarding. When VLANs are in use, this is incorrect as
    >both the MAC address and VLAN tag must be considered. The difference
    >is crucial when you have the same MAC address appearing in multiple
    >VLANs. This can occur when using DECnet Phase IV or Solaris with
    >Cassini NICs - both of which have a per-host MAC address rather than a
    >per-NIC MAC address.
    >
    >As an example, consider a system with a host-based MAC address that
    >has two NICs. One NIC attaches to VLAN 123 on switch a, the other
    >attaches to VLAN 124 on switch b [this is the situation we have in our
    >test lab]. If I then attempt to join trunks from both switches using
    >bridge(4), it sees the same MAC address on both bridged interfaces and
    >shuts down. In reality, this situation is safe because the MAC
    >addresses are in different VLANs.

    Peter,

    What is the difference between a "per-host MAC address" and a "per-NIC
    MAC address" ?

     - aW
    _______________________________________________
    freebsd-arch@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-arch
    To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"
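The failure Peter describes in the quoted text (a bridge whose forwarding table is keyed on MAC address alone sees one host-based MAC on two trunk ports and treats it as a loop) is easy to model. The following is an added illustration, not code from FreeBSD's bridge.c or if_bridge.c; the table layout, the `fdb_learn`/`fdb_forward_port` names and the sample MAC address are all constructed for this example. It builds the lab scenario from the thread twice, once with a MAC-only key and once with a (MAC, VLAN) key, and shows that only the latter records the two sightings as distinct stations.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN    6
#define TABLE_SIZE 64

/* One learned station. `vlan` is only consulted when the table is VLAN-aware. */
struct fdb_entry {
    uint8_t  mac[MAC_LEN];
    uint16_t vlan;
    int      port;
    int      used;
};

struct fdb {
    struct fdb_entry e[TABLE_SIZE];
    int vlan_aware;   /* 0: key on MAC only (the behaviour the thread complains about); 1: key on (MAC, VLAN) */
};

enum learn_result { LEARN_NEW, LEARN_REFRESH, LEARN_CONFLICT, LEARN_FULL };

/* Find the entry for a station; the VLAN is part of the key only in VLAN-aware mode. */
static struct fdb_entry *fdb_lookup(struct fdb *t, const uint8_t *mac, uint16_t vlan)
{
    for (int i = 0; i < TABLE_SIZE; i++) {
        struct fdb_entry *e = &t->e[i];
        if (!e->used || memcmp(e->mac, mac, MAC_LEN) != 0)
            continue;
        if (t->vlan_aware && e->vlan != vlan)
            continue;
        return e;
    }
    return NULL;
}

/* Learn the source of a frame seen on `port`. A station that is already bound to a
 * different port is reported as a conflict, which is where a MAC-only bridge gives up. */
enum learn_result fdb_learn(struct fdb *t, const uint8_t *mac, uint16_t vlan, int port)
{
    struct fdb_entry *e = fdb_lookup(t, mac, vlan);
    if (e != NULL)
        return e->port == port ? LEARN_REFRESH : LEARN_CONFLICT;
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!t->e[i].used) {
            memcpy(t->e[i].mac, mac, MAC_LEN);
            t->e[i].vlan = vlan;
            t->e[i].port = port;
            t->e[i].used = 1;
            return LEARN_NEW;
        }
    }
    return LEARN_FULL;
}

/* Egress port for a destination, or -1 when unknown (the frame would be flooded). */
int fdb_forward_port(struct fdb *t, const uint8_t *mac, uint16_t vlan)
{
    struct fdb_entry *e = fdb_lookup(t, mac, vlan);
    return e != NULL ? e->port : -1;
}

/* Constructed sample: a DECnet-style host-based address (AA-00-04-00 prefix), the same
 * on both NICs of the host, seen on VLAN 123 via port 0 and on VLAN 124 via port 1. */
static const uint8_t HOST_MAC[MAC_LEN] = {0xaa, 0x00, 0x04, 0x00, 0x01, 0x02};

/* Replay the lab scenario; returns the result of learning the second sighting. */
enum learn_result lab_second_learn(struct fdb *t, int vlan_aware)
{
    memset(t, 0, sizeof *t);
    t->vlan_aware = vlan_aware;
    fdb_learn(t, HOST_MAC, 123, 0);
    return fdb_learn(t, HOST_MAC, 124, 1);
}

/* After the scenario, which port would a frame for the host on `vlan` be sent to? */
int lab_forward_port(int vlan_aware, uint16_t vlan)
{
    struct fdb t;
    lab_second_learn(&t, vlan_aware);
    return fdb_forward_port(&t, HOST_MAC, vlan);
}

int main(void)
{
    struct fdb t;
    printf("MAC-only key:   second sighting -> %s\n",
           lab_second_learn(&t, 0) == LEARN_CONFLICT ? "CONFLICT (bridge would shut down)" : "ok");
    printf("(MAC,VLAN) key: second sighting -> %s\n",
           lab_second_learn(&t, 1) == LEARN_NEW ? "NEW entry" : "unexpected");
    printf("(MAC,VLAN) key: VLAN 123 -> port %d, VLAN 124 -> port %d\n",
           lab_forward_port(1, 123), lab_forward_port(1, 124));
    return 0;
}
```

With the MAC-only key the second sighting collides with the first and the station appears to have moved between ports, which is exactly the loop signal a bridge acts on; with the VLAN included in the key the two sightings are independent entries and frames for each VLAN go out the right trunk. A real implementation would also have to decide what "VLAN" means for untagged frames and for frames whose tag is stripped by NIC hardware, which is why the thread notes that hardware VLAN support should be disabled on the bridged trunk interfaces.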

