[ale] KVM and Cisco

George L. Allen glallen01 at gmail.com
Sun May 17 23:06:18 EDT 2015


port-security would definitely do it.

The trunk may or may not be necessary. If you set up the trunk, and your frames
aren't tagged because the port on your computer isn't set up as a trunk, then
you'll probably just dump all your traffic into your default vlan (vlan 1,
unless otherwise assigned.)

As stated, if you do multiple vlans, you must use a trunk.

Spanning tree will not shut the port based on how many mac addresses it sees. It
does it based on BPDU exchange - the switches send 'bridge protocol data units'
to compare switch mac addresses, elect a 'root' switch, and figure out the best
paths to the root switch, with the ultimate goal of eliminating layer-2 loops.

Only switches (or linux bridges) will send bpdus to each other in order to
prevent loops and broadcast storms.

bpduguard automatically disables a port if it receives a bpdu (meaning another
switch is connected). This feature is designed for access ports where spanning
tree portfast is enabled, to prevent the port from creating a loop because
portfast skips some of the loop prevention steps. (See [1]). One safe fix here
is to drop both portfast and bpduguard from the port, while leaving it as an
access port. It will take longer to activate, but will handle bpdus from your
linux bridge, and prevent loops and broadcast storms if you happen to do
something interesting like connect two physical ports from the same vm-host to
your network and the same virtual bridge.

Port-security, however, does set the switch into err-disable state based on
how many, and/or which mac-addresses it sees. In the case of the port facing
your vm-host, I would just turn it off. On user-facing office ports, it's good
to have on, short of an 802.1x access control type setup, to prevent people from
plugging in unmanaged consumer switches which don't always run spanning-tree and
can cause layer-2 loops and broadcast storms.

What's the output of "show run interface <portname>", "show run | inc span"
and "brctl show"?

Another short example of both the linux and cisco side is here: 
http://net.doit.wisc.edu/~dwcarder/captivator/linux_trunking_bridging.txt


[1] http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10586-65.html
[2] Understanding Rapid Spanning Tree Protocol
    http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24062-146.html
[3] brctl(8)
    brctl stp <bridge> <state> controls this bridge instance's participation
    in the spanning tree protocol. If <state> is "on" or "yes" the STP will be
    turned on, otherwise it will be turned off. When turned off, the bridge
    will not send or receive BPDUs, and will thus not participate in the
    spanning tree protocol.
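As an added example (not part of the thread), a small Python audit of the three settings discussed above: it reads `show run interface` and `brctl show` output, reports which of port-security or bpduguard would err-disable a port facing a Linux bridge that runs STP, and lists the interface lines that implement the "drop portfast and bpduguard, turn off port-security" fix. The interface config, the `expected_macs` count (host MAC plus one per guest) and the `global_bpduguard` flag (standing in for a global `spanning-tree portfast bpduguard default`) are constructed assumptions; the `brctl show` text is the one posted in the thread.

```python
import re

# Constructed sample of 'show run interface Gi0/39' (not from the thread).
SHOW_RUN_IFACE = """interface GigabitEthernet0/39
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
"""
# 'brctl show' output as posted in the thread.
BRCTL_SHOW = """bridge name\tbridge id\t\tSTP enabled\tinterfaces
br3\t\t8000.d4ae52a5feb2\tyes\t\tem2
\t\t\t\t\t\t\tvnet19
"""

def parse_interface(text):
    """Flags from 'show run interface': port-security (and its MAC limit), portfast, bpduguard."""
    cfg = {"port_security": False, "max_macs": 1, "portfast": False, "bpduguard": False}
    for line in (l.strip() for l in text.splitlines()):
        if line == "switchport port-security":
            cfg["port_security"] = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            cfg["max_macs"] = int(m.group(1))  # IOS default is 1 MAC when unset
        elif line == "spanning-tree portfast":
            cfg["portfast"] = True
        elif line == "spanning-tree bpduguard enable":
            cfg["bpduguard"] = True
    return cfg

def bridge_runs_stp(brctl_text, bridge):
    """True if the 'STP enabled' column reads yes: the bridge will send BPDUs to the switch."""
    for fields in (l.split() for l in brctl_text.splitlines()[1:]):
        if len(fields) >= 3 and fields[0] == bridge:
            return fields[2] == "yes"
    return False

def assess(cfg, bridge_stp, expected_macs, global_bpduguard=False):
    """Return (err-disable causes for this port, IOS interface lines that remove them)."""
    findings, fix = [], []
    if cfg["port_security"] and expected_macs > cfg["max_macs"]:
        findings.append(f"port-security allows {cfg['max_macs']} MAC(s), bridge presents {expected_macs}")
        fix.append("no switchport port-security")
    # bpduguard bites when enabled on the port, or via the global portfast default on a portfast port
    if bridge_stp and (cfg["bpduguard"] or (cfg["portfast"] and global_bpduguard)):
        findings.append("bpduguard will err-disable the port on the bridge's first BPDU")
    if cfg["portfast"]:
        fix.append("no spanning-tree portfast")
    if cfg["bpduguard"]:
        fix.append("no spanning-tree bpduguard enable")
    return findings, fix
```

Running `assess(parse_interface(SHOW_RUN_IFACE), bridge_runs_stp(BRCTL_SHOW, "br3"), 2)` flags both err-disable causes for the sample port; raising the port-security maximum (as in the thread) clears only the first.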



On Fri, May 15, 2015 at 01:40:41PM -0400, Brian Gill wrote:
>I think trunk mode is the way to go.  If you use multiple vlans, it's the
>only way to go.
>
>Trunk mode changes the switch port from an access port, which allows a
>single device to be connected, to a trunk, which will allow multiple
>devices to be connected on the same port.  Because you have multiple guests
>running in KVM, the switch sees the bridge port on the KVM host as another
>switch, causing the port to be shut down by spanning tree.
>
>Brian
>
>On Fri, May 15, 2015 at 12:45 PM, Chuck Payne <terrorpup at gmail.com> wrote:
>
>> Brian, thanks. I was thinking it might be trunk. Trunk would be best? I only
>> ask because I found this right before your e-mail.
>>
>> Maximum MAC Addresses: 1
>>
>> I read that would cause issues and shut down the port. So I tried
>>
>> config t
>> inter Gi0/39
>> switchport port-security maximum 25
>>
>> Maximum MAC Addresses      : 25
>>
>> Now I can ping from my guest.
>>
>> But if I have more than 132 hosts, the arp table could fill it up,
>> correct? So trunk would be best.
>>
>>
>> On Fri, May 15, 2015 at 9:37 AM, Brian Gill <thebriangill at gmail.com>
>> wrote:
>>
>>> On the switch, you need to set the port as a trunk port.  The commands
>>> would look like:
>>>
>>> Switch#conf t
>>> Enter configuration commands, one per line.  End with CNTL/Z.
>>> Switch(config)#int g1/0/x or fa0/x (depending on your switch model where
>>> x is your switch port)
>>> Switch(config-if)#switchport mode trunk
>>> Switch(config-if)#end
>>> Switch#wr  (save your config!)
>>> Building configuration...
>>> [OK]
>>> Switch#
>>>
>>>
>>>
>>>
>>> On Fri, May 15, 2015 at 12:12 AM, Chuck Payne <terrorpup at gmail.com>
>>> wrote:
>>>
>>>> Guys,
>>>>
>>>> I might have sent this before, so sorry, but Cisco is driving me crazy.
>>>>
>>>> We are currently upgrading our network gear, which is a mix of Cisco Small
>>>> Business and Netgear Smart switches. We don't have any vlans. Our KVM
>>>> servers are working with them with no issues.
>>>>
>>>> We purchased a couple of Cisco 2960-x switches. We were trying to move
>>>> a couple of our Red Hat KVM servers to it, but we are having issues getting
>>>> the bridge device to work the same way.
>>>>
>>>> The first thing we noticed is that the switch turned off the port when we
>>>> hooked up the bridge port to the switch. We found out that it was
>>>> caused by bpduguard. We disabled it and the bridge was able to connect, and
>>>> we could connect to the bridge of the server from other boxes, but we could
>>>> not connect to any of the guests on that bridge.
>>>>
>>>> Now, when I am on the KVM host, I can ping the guest. When I am on the guest I can
>>>> ping the host bridge ip.
>>>>
>>>> Example
>>>>
>>>> Host Br3  10.0.0.10  < - - - - - - > 10.0.0.12 Guest eth0
>>>>
>>>> External Box 10.0.0.5 ---> 10.0.0.10 Host xxxxxx 10.0.0.12 Guest
>>>>
>>>> Guest 10.0.0.12 --> 10.0.0.10 Host xxxx 10.0.0.5 External Box
>>>>
>>>> Here is what bridge control shows
>>>>
>>>> bridge name	bridge id		STP enabled	interfaces
>>>> br3		8000.d4ae52a5feb2	yes		em2
>>>> 							vnet19
>>>>
>>>> On the switch I have turned on spanning tree hoping that would help.
>>>>
>>>> Is there something I need to do on the KVM side? Do I have to set the port
>>>> maybe as a trunk? I am totally lost, sorry, I am not a Cisco guru. I know
>>>> someone has run into this.
>>>>
>>>>
>>>> --
>>>> Terror PUP a.k.a
>>>> Chuck "PUP" Payne
>>>>
>>>> 678 636 9678
>>>> -----------------------------------------
>>>> Discover it! Enjoy it! Share it! openSUSE Linux.
>>>> -----------------------------------------
>>>> openSUSE -- Terrorpup
>>>> openSUSE Ambassador/openSUSE Member
>>>> skype,twiiter,identica,friendfeed -- terrorpup
>>>> freenode(irc) --terrorpup/lupinstein
>>>> Register Linux Userid: 155363
>>>>
>>>> Have you tried SUSE Studio? Need to create a Live CD,  an app you want
>>>> to package and distribute , or create your own linux distro. Give SUSE
>>>> Studio a try.
>>>>
>>>>
>>>> _______________________________________________
>>>> Ale mailing list
>>>> Ale at ale.org
>>>> http://mail.ale.org/mailman/listinfo/ale
>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>> http://mail.ale.org/mailman/listinfo
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>



