Re: PF, VLANS, and Bridges
First I would like to thank you for your assistance. I've been trying to
get a complex bridging system set up, and one of the most important
parts (and what I figured would be the easiest part of the project)
would be setting up trunking between a 2900xl and an OpenBSD box.
I managed to get things working fine after quite a bit of messing
around. Turns out that OpenBSD has a few little problems with STP. Any
priorities don't work, nor costs, or anything. Frustrating nonetheless.
The problem I was having is that the Cisco 2900xl was detecting a
network loop (even though none existed) and was blocking the
trunked vlans. If you disable STP for any of the vlans you are bridging
on the Cisco side, things seem to work okay. I think this is a bug on
the Cisco side of things (although OpenBSD needs a crapload of work on STP).
I also have a quicker and easier way to change the number of bridges and
vlans if you're interested; have a look at man config.
If you get into config and change 265 and 266 (I think, anyhow; you can
use find vlan and find bridge to get the numbers if they are different),
set them to whatever number you want, and quit/save. Now boot with
the modified kernel, and voilà! No recompile needed.
I would again like to thank you for your help, as this has been a cause
of much stress for two weeks now.
-- Dave Wintrip
NetFlash Systems Administrator
Eaton, Andy wrote:
I have a few e-mails in my inbox requesting what boils down to a how-to,
so here it is.
If there are questions and problems after this, please feel free to
Complete How To:
First, there are a couple of gotchas with the Cisco equipment dealing
with native vlans. For those of you using Catalyst 2900XLs, I don't
think there is a problem; they don't really care about the native vlans
as much as the 3550s do.
1. Set up the routing between your vlans on your layer
three device. In my case it was a Catalyst 6509.
2. Trunking on the Catalyst 3550 details:
Configure the vlans on the trunk of the 3550. The
following is to remind you to set the native vlan. If you don't, the
switch will block the port and no traffic will flow. You will know this
when the router tells you there is a native vlan mismatch.
1. Get enable on the switch.
2. At the console type conf t
3. Configure the interface that the trunk is on, i.e. int gi0/1
4. Use the command switchport trunk native vlan 'X'.
IF YOU DON'T DO THIS YOU WILL FIGHT YOURSELF THE WHOLE WAY TRUST ME!!!!
1. First you will need to get the src for the OS with cvsup
look at http://www.openbsd.org/anoncvs.html
2. Once you get the source, you will need to rebuild the kernel with
extra bridge and vlan support.
I.e., you need two vlans on the BSD box for every one
vlan that you are trying to filter. You need one bridge for every vlan
you are trying to filter.
Example: you have 10 vlans on your layer 3
device, meaning 20 vlans and 10 bridges on the BSD box.
For those that haven't played with the kernel much, the changes you
need to make are in /usr/src/sys/conf/GENERIC. Edit that file and
change the number of bridges and vlans that are
listed for pseudo-device vlan and pseudo-device bridge. Build the
kernel and reboot. All should work by default if you follow the 3.3
3. The next thing to do would be to edit the sysctl.conf
file in etc and uncomment the following line:
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
Do this so that it comes up the next time you boot the
machine. If you don't want to reboot now, use sysctl to set the parameter.
4. Now you need to edit the interfaces and bridges:
The following is an example:
1st bring up your two bridge interfaces: assuming
the 9841s or the 9d41s from SysKonnect
2nd bring up the vlan interfaces.
vlan 20 vlandev sk0
vlan 20 vlandev sk1
vlan 123 vlandev sk0
vlan 123 vlandev sk1
vlan 145 vlandev sk0
vlan 145 vlandev sk1
The vlans on the BSD box do not correlate to the
vlans on your switch or layer3 device!!
3rd bring up the bridges
bridgename.bridge0 should have the following:
And so on for every bridge you need. After you
edit all these files, the easiest thing to do is reboot.
One very important thing that can't happen is
bridging the actual NIC interfaces together. If you bring up a bridge
with the following:
all of your vlan traffic will flow over the
bridge0 and not over the vlanned bridges. I.e., you can't filter anything.
(Thank you to Henning Brauer).
Other than everything above, be careful as to what you make your native
vlan because it traverses the sk interfaces and can't be filtered either.
It may be good to leave it the default and set the layer 3 device
(Cisco) to 1 and then set the native vlan on the trunk of the 3550 to 1
as well so that it won't matter.
I have not tested this on other switches!!!
The throughput on the device with 2.2 GHz XEON proc, 2GB ram, and
separate 64bit-66MHz buses is about 290Mbits/sec with a packet size of 576B.
I have yet to be able to throw small packets at it because when I change
the MTU on the XP or 2000 machines they can no longer log in. I may put
Unix machines behind it and try that. A 1GHz, 512MB ram, and a shared
32bit-33MHz bus will push 153Mbits/sec. If you take the firewall out of
the throughput is about 70% of a Gig connection, IE 695Mbits/sec. With
the fastest machine you can get right now, I believe you may be able to
330Mbits/sec through it. That is as fast as a Cisco PIX 525 at $10-$20000 but
way below a PIX 535 at a mere $30-$75000 depending on configurations.
What would be really cool is if you could use EtherChannel on the 6509
and 3550 to aggregate more than one port and use multiple bridges. The
problem I see is trying to keep the state table the same between the two
bridges. If anyone has any ideas on this I would like to hear them.
If anyone knows a good way to really tune the kernel to get closer to
line speed out of a bridging device I would be interested in that as
well. I have been looking and everything I have seen has already been
tuned as far as tcp and udp window sizes etc.
Thanks for everyone's help getting this to work:
David Gwynne (Loki)
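As an added illustration of the "two vlan interfaces and one bridge per filtered vlan" layout from Andy's how-to (this script is not from either poster; it is an example written for this thread), here is a POSIX sh helper that generates the hostname.vlanN and bridgename.bridgeN files for a list of switch vlan IDs and then checks that no bridge file adds a bare trunk NIC (sk0/sk1) as a member, which is the mistake Henning's warning above is about. It assumes the OpenBSD 3.3-era hostname.if(5) syntax shown in the post ("vlan ID vlandev skN") and brconfig-style bridgename.if(5) lines ("add vlanN" / "up"); it writes into a directory you name (a temporary one by default) rather than /etc, so you can inspect the output first.

```shell
#!/bin/sh
# Example helper for the bridging-firewall layout described in the thread.
# Assumptions (not from the original posts): two trunk legs sk0 and sk1,
# hostname.vlanN lines of the form "vlan ID vlandev skN", and bridgename.bridgeN
# files of the form "add vlanA", "add vlanB", "up" (brconfig syntax).

# gen_bridge_config OUTDIR PARENT_A PARENT_B VLANID...
# For each switch vlan ID: two vlan interfaces (one per trunk leg) and one
# bridge joining them. Prints "vlan=N bridge=M", the pseudo-device counts the
# kernel must provide (pseudo-device vlan N / pseudo-device bridge M).
gen_bridge_config() {
    outdir=$1; pa=$2; pb=$3; shift 3
    mkdir -p "$outdir" || return 1
    n=0   # next free vlan interface index on the BSD box (vlan0, vlan1, ...)
    b=0   # next free bridge index
    for id in "$@"; do
        case $id in
            ''|*[!0-9]*) echo "bad vlan id: $id" >&2; return 1 ;;
        esac
        # The BSD vlanN index is just a counter; only the ID after "vlan"
        # has to match the switch, as the how-to points out.
        printf 'vlan %s vlandev %s\n' "$id" "$pa" > "$outdir/hostname.vlan$n"
        printf 'vlan %s vlandev %s\n' "$id" "$pb" > "$outdir/hostname.vlan$((n+1))"
        # One bridge per vlan; members are the two vlan interfaces, never sk0/sk1.
        printf 'add vlan%s\nadd vlan%s\nup\n' "$n" "$((n+1))" \
            > "$outdir/bridgename.bridge$b"
        n=$((n+2)); b=$((b+1))
    done
    echo "vlan=$n bridge=$b"
}

# check_no_raw_members OUTDIR PARENT...
# Returns 1 if any bridgename.bridge* file adds a trunk NIC directly: with
# such a bridge the vlan traffic bypasses the per-vlan bridges and PF filters
# nothing.
check_no_raw_members() {
    outdir=$1; shift
    for f in "$outdir"/bridgename.bridge*; do
        [ -e "$f" ] || continue
        for p in "$@"; do
            if grep -q "^add $p\$" "$f"; then
                echo "$f bridges $p directly; vlan traffic would bypass filtering" >&2
                return 1
            fi
        done
    done
    return 0
}

# Usage (writes to a temporary directory; copy to /etc on the firewall yourself):
#   tmp=$(mktemp -d); gen_bridge_config "$tmp" sk0 sk1 20 123 145; ls "$tmp"
#   check_no_raw_members "$tmp" sk0 sk1 && echo "no raw NIC members"
```

The printed counts are what Dave's config(8) trick or the GENERIC edit must raise pseudo-device vlan and pseudo-device bridge to; with the three vlans from the post you get vlan0 through vlan5 and bridge0 through bridge2.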