Re: Ethernet Bridging Question
From: P Gentry (rdgentry1_at_cablelynx.com)
Date: 04/04/04
- Next message: bdjw: "Installing Proxim Orinoco Silver"
- Previous message: Bob Hauck: "Re: how to remove loopback interface on red hat linux 9?"
- In reply to: Mark: "Ethernet Bridging Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 4 Apr 2004 10:27:59 -0700
mab_145@yahoo.com (Mark) wrote in message news:<d6934954.0404030425.7d8d29f6@posting.google.com>...
> What I have:
>
> I have a rather unique setup I am working on. My goal is to
> construct a transparent firewall using an ethernet bridge (Nothing
> unique here). However, in the setup I have, only part of the "normal"
> ethernet traffic flow arrives at my device. The rest is filtered at a
> higher level (in fact bypasses the filter - i.e. not interesting
> traffic). In the setup, I have two Gig-E interfaces on the transparent
> filter. They are connected to two known Gig-E interfaces. So the
> bridge really has nothing it needs to learn; I know which device is
> connected to which interface.
>
> Question:
>
> Can I "stuff" the ethernet bridge tables to prevent the learning?
> Then set the timeout to some really long time to make the startup time
> reliable and quick?
>
> Thanks in advance.
> ----
> Mark
Since no one else has replied, I'll give you my 2 c's.
The "learning" is automatic and, afaik, cannot be avoided in Linux.
You would not gain much, if anything, because what is learned is just
the map of MACs -> ports which is derived from the sending of frames
to the switch. The switch does not generate any query or lookup
traffic on its own.
If you need to run STP, you couldn't "stuff" the tables anyway --
traffic filtering/forwarding to avoid loops on redundant links, etc.
require learning. STP has about the slowest convergence of any
"routing" protocol out there -- that is the main source of the slow
times in bringing up links or failing over to redundant links. But it
is "transparent" for whatever that may buy you.
Your biggest concern is going to be the interrupt processing required
by the GigaE flow rate, regardless of how you have your Linux box set
up. I suspect you might actually get higher throughput with the
proper setup of a forwarding host/router than a bridge in Linux due to
the extensive tweaking available (and needed at GigaE speeds). And
for the IP traffic that will be generated (and the arps) a bridge is
no use in and of itself -- it forwards all broadcasts to all ports.
I've never been that taken with the idea of running a Linux bridge --
I see it more as a crutch for implementing features "more easily" that
can also be implemented via policy routing. The _need_ to interface
with switches/VLANs changes the equation, but switch prices being what
they are today I still question the wisdom of a Linux bridge -- those
ethernet cards in promiscuous mode give me the willies.
There is nothing "magical" about switch _speeds_ -- they derive from
the simplistic forwarding algorithm, which in turn can be wired into
an ASIC, i.e., the processing takes place _at_the_port_. You don't get
that with a Linux switch and the few "tests" we did in the high school
lab showed no significant speed advantage with 10Mbps or 100Mbps cards
compared to full duplex operation through a forwarding host. 1000Mbps
-- who knows, but I have my doubts (and you may end up with many
signaling problems).
hth,
prg
email above disabled
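The reply describes what a learning bridge actually keeps: a map from source MAC to ingress port, filled only by frames the stations themselves send, aged out after a timeout, with broadcasts (and unknown destinations) flooded to every other port. The following is an added illustration, not code from either poster, that models exactly that behaviour in Python so the three cases in the thread can be seen side by side: unknown unicast is flooded, a learned destination goes to one port, a broadcast always goes to all other ports, and an entry that has aged out causes flooding again. Port names and station MACs are constructed for the example. The model also records a MAC that reappears on a different port, which is the event a defender watching a bridge's forwarding table cares about (a moved station, a loop, or a spoofed source address).

```python
# Added illustration: a minimal model of a learning Ethernet bridge and its
# forwarding database (FDB). Constructed example, not code from the thread.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """True for broadcast and multicast: the I/G bit (lsb of first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class LearningBridge:
    ports: List[str]
    ageing_time: float = 300.0  # seconds; a common default bridge ageing time
    # mac -> (port it was last seen on, time it was last seen)
    fdb: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    # (mac, old port, new port, time): MAC moves worth alerting on
    moves: List[Tuple[str, str, str, float]] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        """Drop entries whose last sighting is older than the ageing time."""
        stale = [m for m, (_, seen) in self.fdb.items() if now - seen > self.ageing_time]
        for m in stale:
            del self.fdb[m]

    def receive(self, in_port: str, frame: Frame, now: float) -> List[str]:
        """Learn from the source address, then return the egress port list."""
        self._expire(now)
        # Learning: only the *source* MAC is recorded, keyed to the ingress port.
        # The bridge never sends queries of its own to build this table.
        prev = self.fdb.get(frame.src)
        if prev is not None and prev[0] != in_port:
            # Same MAC now arriving on another port: station moved, loop, or spoof.
            self.moves.append((frame.src, prev[0], in_port, now))
        self.fdb[frame.src] = (in_port, now)
        # Forwarding: flood group addresses and unknown unicast; otherwise one port.
        if is_group_address(frame.dst) or frame.dst not in self.fdb:
            return [p for p in self.ports if p != in_port]
        out_port = self.fdb[frame.dst][0]
        # Destination is on the ingress segment: filter, do not forward.
        return [] if out_port == in_port else [out_port]


def run_demo() -> dict:
    """Drive the model through the cases discussed in the thread (constructed data)."""
    br = LearningBridge(ports=["eth0", "eth1"], ageing_time=300.0)
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"  # constructed station MACs
    out = {}
    out["unknown_unicast"] = br.receive("eth0", Frame(a, b), now=0.0)    # flooded
    out["learned_reply"] = br.receive("eth1", Frame(b, a), now=1.0)      # eth0 only
    out["broadcast"] = br.receive("eth0", Frame(a, BROADCAST), now=2.0)  # all others
    out["fdb_after_learning"] = {m: p for m, (p, _) in br.fdb.items()}
    out["after_ageing"] = br.receive("eth0", Frame(a, b), now=400.0)     # b aged out
    br.receive("eth1", Frame(b, a), now=401.0)                           # relearn b
    out["same_segment"] = br.receive("eth0", Frame(b, a), now=402.0)     # b moved
    out["moves"] = [(m, old, new) for m, old, new, _ in br.moves]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two things the model makes concrete beyond the prose: the ageing timer only matters for entries that stop being refreshed, so on a two-port bridge with two known, constantly talking stations the table is repopulated by the first frame from each side regardless of how it starts out; and a broadcast is flooded even when every MAC is already known, which is the point made above about ARP and other IP broadcast traffic gaining nothing from the bridge.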