http://net.doit.wisc.edu/~dwcarder/captivator/linux_trunking_bridging.txt
How to set up 802.1q trunking and bridging on Linux, which is the first step to creating a Captivator-gw appliance. This example uses eth2 as one side of each bridge (our inside interface) and eth3 as the outside interface. eth2 and eth3 could carry the same vlan tags (numbers) for each bridge, or different tags on each side of the bridge. If both interfaces of the Captivator-gw appliance connect to the same switch, you must use different vlan tags on the inside and outside interfaces: the same tag on both trunk ports is one broadcast domain on the switch, and bridging it back onto itself creates a loop. In the environment under which Captivator-gw was developed the switch/router is a Cisco Catalyst 6500, and the diagram below may help clear up this vlan numbering issue for you. In theory, with separate vlan tags you could implement Captivator-gw with a single interface. Dealing with spanning-tree when hopping vlans is specific to your environment and is left as an exercise for the reader. (The easiest, and perhaps dangerous, workaround is shown in the cisco IOS config example below: bpdufilter stops BPDUs on the trunk ports, so spanning-tree will never detect a loop through the Linux bridge.)
Example:

   ------------         ------------
   |  router  |         |  router  |
   ------------         ------------
        |                    |
     vlan 970             vlan 972
        |                    |
        |                    |
   -----------------------------------
   |                                 |
   |        cisco IOS switch         |---- trunk --->  to access points
   |                                 |    971,973      and public jacks
   |    Gi3/1               Gi3/2    |
   -----------------------------------
        |                    |
        |                    |
      trunk                trunk
     970,972              971,973
        |                    |
   ---------------------------
   |  eth2              eth3 |
   |                         |
   |      Captivator-gw      |
   ---------------------------

------- Linux config --------------------

# Disable routing just in case.  Both bridges get an IP address below, so with
# forwarding on, this box would route between vlan 970 and 972 and bypass the
# bridged (firewalled) path entirely.
echo 0 > /proc/sys/net/ipv4/ip_forward

# setup vlans:
modprobe 8021q
/sbin/vconfig add eth2 970
/sbin/vconfig add eth2 972
/sbin/vconfig add eth3 971
/sbin/vconfig add eth3 973

# You should see:
#
# Added VLAN with VID == 970 to IF -:eth2:-
# Added VLAN with VID == 972 to IF -:eth2:-
# Added VLAN with VID == 971 to IF -:eth3:-
# Added VLAN with VID == 973 to IF -:eth3:-

# bring interfaces up (the physical trunk interfaces carry no IP address)
ifconfig eth2 up
ifconfig eth3 up
ifconfig eth2.970 up
ifconfig eth2.972 up
ifconfig eth3.971 up
ifconfig eth3.973 up

# setup bridging
# create a bridge called "br970" and put vlans 970 and 971 in it
brctl addbr br970
brctl addif br970 eth2.970
brctl addif br970 eth3.971

# create a bridge called "br972" and put vlans 972 and 973 in it
brctl addbr br972
brctl addif br972 eth2.972
brctl addif br972 eth3.973

# bring the bridge virtual interfaces up on each bridge
ifconfig br970 192.168.70.5 netmask 255.255.254.0 up
ifconfig br972 192.168.72.5 netmask 255.255.254.0 up

# verify the bridging config looks legit:
brctl show

# You should see something like:
#
# bridge name     bridge id               STP enabled     interfaces
# br970           8000.000423ab99d8       no              eth2.970
#                                                         eth3.971
# br972           8000.000423ab99d8       no              eth2.972
#                                                         eth3.973

brctl showmacs br970

# port no  mac addr                is local?       ageing timer
#   2      00:02:b3:ce:f5:fb       no                274.74
#   1      00:04:23:ab:99:d8       yes                 0.00
#   2      00:04:23:ab:99:d9       yes                 0.00
#   1      00:0a:8b:bf:70:40       no                 28.79

brctl showmacs br972

# port no  mac addr                is local?       ageing timer
#   2      00:02:b3:ce:f6:0f       no                 11.69
#   1      00:04:23:ab:99:d8       yes                 0.00
#   2      00:04:23:ab:99:d9       yes                 0.00
#   1      00:0a:8b:bf:70:40       no                 11.69

# The "is local? yes" entries are this box's own eth2/eth3 MAC addresses; the
# "no" entries are the addresses learned on each port (port 1 = eth2.97x,
# port 2 = eth3.97x).

# You're more or less done with the Linux side of things. Now
# you can set up your firewall rules.  Note that iptables only sees bridged
# frames when bridge-nf is enabled (/proc/sys/net/bridge/bridge-nf-call-iptables,
# on by default in 2.6 kernels); ebtables filters on the bridge directly.

-------- Cisco IOS config bits (in case you were wondering): ----------

conf t
vlan 970-973
!
! Gi3/1 faces eth2 and carries only the "inside" vlans 970 and 972.
! bpdufilter stops BPDUs in both directions on the port, so the switch will
! not detect a loop through the Linux bridge; storm-control caps broadcasts
! at 10% of port bandwidth as a safety net if a loop does form.
int gi3/1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 970,972
 switchport mode trunk
 no mdix auto
 storm-control broadcast level 10.00
 spanning-tree bpdufilter enable
 no cdp enable
!
! Gi3/2 faces eth3 and carries only the "outside" vlans 971 and 973.
int gi3/2
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 971,973
 switchport mode trunk
 no mdix auto
 storm-control broadcast level 10.00
 spanning-tree bpdufilter enable
 no cdp enable
!
end

---------------

$Id: linux_trunking_bridging.txt,v 1.2 2005/04/06 15:48:08 dwcarder Exp $
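The whole Linux procedure above, as an added example that is not Captivator-gw's own code or the author's: a hypothetical sh script that builds the same two bridges with iproute2 (`ip link`, `bridge`), which has since replaced vconfig and brctl in current distributions. The interface names, VIDs and addresses are the ones from the diagram; `APPLY`, `INSIDE_IF`, `OUTSIDE_IF` and `BRIDGES` are this script's own knobs. It also adds the check the text alludes to: it refuses a layout that reuses a tag on both trunks, since with bpdufilter on the switch ports nothing else would catch that loop.

```shell
#!/bin/sh
# Added example (not Captivator-gw code): the two-bridge, four-vlan layout from
# the diagram, built with iproute2 instead of vconfig/brctl.  Interface names,
# VIDs and addresses are the ones from the text; change them for your site.
#
# Without APPLY=1 the script only prints the commands it would run, so the
# plan can be reviewed (by an unprivileged user) before applying it as root.
set -eu

INSIDE_IF=${INSIDE_IF:-eth2}      # trunk from Gi3/1, vlans 970,972
OUTSIDE_IF=${OUTSIDE_IF:-eth3}    # trunk from Gi3/2, vlans 971,973

# One bridge per line: name, inside VID, outside VID, management address.
BRIDGES="br970 970 971 192.168.70.5/23
br972 972 973 192.168.72.5/23"

# run CMD...: execute when APPLY=1, otherwise print the command line.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Refuse a layout that reuses a VID on both trunks.  With both trunks on the
# same switch that bridges a vlan back onto itself, and bpdufilter on the
# switch ports means spanning-tree would never see the loop.
check_layout() {
    inside=$(printf '%s\n' "$BRIDGES" | awk '{print $2}')
    outside=$(printf '%s\n' "$BRIDGES" | awk '{print $3}')
    for i in $inside; do
        for o in $outside; do
            if [ "$i" = "$o" ]; then
                echo "vlan $i is used on both trunks" >&2
                return 1
            fi
        done
    done
    return 0
}

# add_vlan IFACE VID: create the 802.1q subinterface IFACE.VID and bring it up
# (same naming as vconfig's default, so eth2.970 etc.).
add_vlan() {
    run ip link add link "$1" name "$1.$2" type vlan id "$2"
    run ip link set "$1.$2" up
}

# add_bridge NAME PORT1 PORT2 ADDR: create the bridge with STP off (brctl's
# default too), enslave both vlan subinterfaces, assign the address, bring up.
add_bridge() {
    run ip link add name "$1" type bridge stp_state 0
    run ip link set "$2" master "$1"
    run ip link set "$3" master "$1"
    run ip addr add "$4" dev "$1"
    run ip link set "$1" up
}

configure() {
    check_layout
    # This box bridges; it must never route between its two bridge addresses.
    run sysctl -w net.ipv4.ip_forward=0
    run ip link set "$INSIDE_IF" up
    run ip link set "$OUTSIDE_IF" up
    printf '%s\n' "$BRIDGES" | while read -r br in_vid out_vid addr; do
        add_vlan "$INSIDE_IF" "$in_vid"
        add_vlan "$OUTSIDE_IF" "$out_vid"
        add_bridge "$br" "$INSIDE_IF.$in_vid" "$OUTSIDE_IF.$out_vid" "$addr"
    done
}

configure
```

Run it once without arguments to read the plan, then `APPLY=1 sh trunk_bridge.sh` as root (the file name is an assumption). After applying, `bridge link show` and `ip -d link show br970` take the place of `brctl show`, and `bridge fdb show br br970` lists the learned addresses that `brctl showmacs` printed above.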