
Re: PF, VLANS, and Bridges


First I would like to thank you for your assistance. I've been trying to get a complex bridging system set up, and one of the most important parts (and what I figured would be the easiest part of the project) would be setting up trunking between a 2900xl and an OpenBSD box.

I managed to get things working right fine after quite a bit of messing around. Turns out that OpenBSD has a few little problems with STP. Any priorities don't work, nor costs, or anything. Frustrating nonetheless.

The problem I was having is that the Cisco 2900xl was detecting a network loop (even though none existed) and was blocking the trunked vlans. If you disable STP for any of the vlans you are bridging on the Cisco side, things seem to work okay. I think this is a bug on the Cisco side of things (although OpenBSD needs a crapload of work on STP).

I also have a quicker and easier way to change the number of bridges and vlans, if you're interested: have a look at man config.

If you get into config, and change 265 and 266 (I think anyhow; you can use find vlan and find bridge to get the numbers if they are different) and set them to whatever number you want, and quit/save. Now boot with the modified kernel, and voilà! No recompile needed.

I would again like to thank you for your help, as this has been a cause of much stress for two weeks now.

--
Dave Wintrip
NetFlash Systems Administrator
[email protected]
www.netflash.net
(519) 741-8167

Eaton, Andy wrote:
I have a few e-mails in my inbox requesting what boils down to a how-to, so here it is.

If there are questions and problems after this, please feel free to contact me.

Complete How To:

First, there are a couple of gotchas with the Cisco equipment dealing with native vlans. For those of you using Catalyst 2900XLs, I don't think there is a problem; they don't really care about the native vlans as much as the 3550s.

1. Set up the routing between your vlans on your layer three device. In my case it was a Catalyst 6509.

2. Trunking on the Catalyst 3550 details:

Configure the vlans on the trunk of the 3550. The following is to remind you to set the native vlan. If you don't, the switch will block the port and no traffic will flow. You will know this when the router tells you there is a native vlan mismatch.

1. Get enable on the switch.

2. At the console type conf t

3. Configure the interface that the trunk is on, i.e. int gi0/1

4. Use command switchport trunk native vlan 'X'.



1. First you will need to get the src for the OS with cvsup look at http://www.openbsd.org/anoncvs.html

2. Once you get the source, you will need to rebuild the kernel with extra bridge and vlan support.

I.e. you need two vlans on the BSD box for every one vlan that you are trying to filter. You need one bridge for every vlan you are trying to filter.

Example: you have 10 vlans on your layer 3 device, meaning 20 vlans and 10 bridges on the BSD box.

For those that haven't played with the kernel much, the changes you need to make are in /usr/src/sys/conf/GENERIC. Edit that file and change the number of bridges and vlans that are listed for pseudo-device vlan and pseudo-device bridge. Build the kernel and reboot. All should work by default if you follow the 3.3 stable tree.

3. The next thing to do would be to edit the sysctl.conf file in etc and uncomment the following line:

net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets

Do this so that it comes up the next time you boot the machine. If you don't want to reboot now, use sysctl to set the parameter.

4. Now you need to edit the interfaces and bridges:

The following is an example:

1st bring up your two bridge interfaces: assuming the 9841s or the 9d41s from Syskonnect





2nd bring up the vlan interfaces.


vlan 20 vlandev sk0


vlan 20 vlandev sk1


vlan 123 vlandev sk0


vlan 123 vlandev sk1


vlan 145 vlandev sk0


vlan 145 vlandev sk1

The vlans on the BSD box do not correlate to the vlans on your switch or layer3 device!!

3rd bring up the bridges

bridgename.bridge0 should have the following:

add vlan0

add vlan1



add vlan2

add vlan3



add vlan4

add vlan5


And so on for every bridge you need. After you edit all these files, the easiest thing to do is reboot.

One very important thing that can't happen is bridging the actual NIC interfaces together. If you bring up a bridge with the following:


add sk0

add sk1


all of your vlan traffic will flow over the bridge0 and not over the vlanned bridges, i.e. you can't filter anything.

(Thank you to Henning Brauer).

Other than everything above, be careful as to what you make your native vlan because it traverses the sk interfaces and can't be filtered either.

It may be good to leave it the default and set the layer 3 device (Cisco) to 1 and then set the native vlan on the trunk of the 3550 to 1 as well so that it won't matter.

I have not tested this on other switches!!!

The throughput on the device with 2.2 GHz XEON proc, 2GB ram, and separate 64bit-66MHz buses is about 290Mbits/sec with a packet size of 576B.

I have yet to be able to throw small packets at it because when I change the MTU on the XP or 2000 machines they can no longer log in. I may put some Unix machines behind it and try that. A 1GHz, 512MB ram, and a shared 32bit-33MHz bus will push 153Mbits/sec. If you take the firewall out of the picture, the throughput is about 70% of a Gig connection, i.e. 695Mbits/sec. With the fastest machine you can get right now, I believe you may be able to stuff about 330Mbits/sec through it. That is as fast as a Cisco PIX 525 at $10-$20000 but way below a PIX 535 at a mere $30-$75000 depending on configurations.

What would be really cool is if you could use EtherChannel on the 6509 and 3550 to aggregate more than one port and use multiple bridges. The problem I see is trying to keep the state table the same between the two bridges. If anyone has any ideas on this I would like to hear them.

If anyone knows a good way to really tune the kernel to get closer to line speed out of a bridging device I would be interested in that as well. I have been looking and everything I have seen has already been tuned as far as tcp and udp window sizes etc.

Thanks for everyone's help getting this to work:


Henning Brauer

David Gwynne (Loki)

Andrew Eaton
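As an added illustration of the layout the how-to above describes (two vlan pseudo-interfaces per filtered VLAN, one on each trunk NIC, one bridge per VLAN joining that pair, and never the raw NICs in a bridge), here is a small POSIX shell script that generates the 3.3-era hostname.vlanN and bridgename.bridgeN files for a list of switch VLAN IDs. It is example code written for this page, not part of either message in the thread. It assumes the old "vlan <id> vlandev <nic>" and brconfig "add"/"up" syntax the post uses, writes into a directory you name rather than /etc, and takes the NIC names and VLAN IDs as parameters; the trailing "up" in each bridgename file and the check function that catches the bridging-the-NICs mistake Henning pointed out are both assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): generate OpenBSD 3.3-era
# hostname.vlanN and bridgename.bridgeN files for a list of switch VLAN IDs.
# Layout follows the how-to: two vlan pseudo-interfaces per filtered VLAN
# (one per trunk NIC) and one bridge per VLAN joining that pair.
# Arguments: OUTDIR NIC_A NIC_B VLANID... ; OUTDIR is assumed, never /etc here.
# Prints "<vlan count> <bridge count>" so the 2:1 rule can be sanity-checked.
gen_vlan_bridge_config() {
    outdir=$1; nic_a=$2; nic_b=$3; shift 3
    mkdir -p "$outdir" || return 1
    idx=0      # running vlanN index on the BSD box (NOT the switch VLAN ID)
    bridge=0   # running bridgeN index
    for vid in "$@"; do
        # vlanN tagged vid on nic_a, vlan(N+1) tagged vid on nic_b
        printf 'vlan %s vlandev %s\n' "$vid" "$nic_a" > "$outdir/hostname.vlan$idx"
        printf 'vlan %s vlandev %s\n' "$vid" "$nic_b" > "$outdir/hostname.vlan$((idx + 1))"
        # One bridge per VLAN; the 'up' line is assumed from bridgename.if(5)
        {
            printf 'add vlan%s\n' "$idx"
            printf 'add vlan%s\n' "$((idx + 1))"
            printf 'up\n'
        } > "$outdir/bridgename.bridge$bridge"
        idx=$((idx + 2))
        bridge=$((bridge + 1))
    done
    echo "$idx $bridge"
}

# Hypothetical guard: refuse a config that bridges the physical NICs together,
# which the post warns sends all VLAN traffic past pf unfiltered.
# Returns 1 if any bridgename file adds a raw NIC, 0 otherwise.
check_no_raw_nic_bridge() {
    outdir=$1; nic_a=$2; nic_b=$3
    for f in "$outdir"/bridgename.bridge*; do
        [ -f "$f" ] || continue
        if grep -q -E "^add ($nic_a|$nic_b)\$" "$f"; then
            echo "ERROR: $f bridges a physical NIC; VLAN traffic would bypass pf" >&2
            return 1
        fi
    done
    return 0
}

# Usage (constructed input: VLANs 20, 123 and 145 from the post, trunk NICs sk0/sk1):
#   gen_vlan_bridge_config ./netcfg sk0 sk1 20 123 145
#   check_no_raw_nic_bridge ./netcfg sk0 sk1
```

Running the usage lines produces hostname.vlan0 through hostname.vlan5 and bridgename.bridge0 through bridgename.bridge2, matching the six vlan entries and three bridges sketched in the post; the counts it prints (6 3) are the numbers you would then set for pseudo-device vlan and pseudo-device bridge in the kernel config.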