[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTi=4-xYNyaBOzeL04VioK8D0Q8secg@mail.gmail.com>
Date: Wed, 29 Jun 2011 23:46:03 +0100
From: Nick Carter <ncarter100@...il.com>
To: David Lamparter <equinox@...c24.net>
Cc: Stephen Hemminger <shemminger@...ux-foundation.org>,
netdev@...r.kernel.org, davem@...emloft.net
Subject: Re: [PATCH] bridge: Forward EAPOL Kconfig option BRIDGE_PAE_FORWARD
On 28 June 2011 22:46, David Lamparter <equinox@...c24.net> wrote:
> On Tue, Jun 28, 2011 at 10:22:53PM +0100, Nick Carter wrote:
>> > I beg to differ, there very much is. You never ever ever want to be
>> > running STP with 802.1X packets passing through... some client will shut
>> > down your upstream port, your STP will break and you will die in a fire.
>> >
>> > The general idea, though, is that a STP-enabled switch is an intelligent
>> > switch. And an intelligent switch can speak all those pesky small
>> > side-dish protocols.
> [...]
>> >> > (Some quick googling reveals that hardware switch chips special-drop
>> >> > 01:80:c2:00:00:01 [802.3x/pause] and :02 [802.3ad/lacp] and nothing
>> >> > else - for the dumb ones anyway. It also seems like the match for pause
>> >> > frames usually works on the address, not on the protocol field like we
>> >> > do it...)
>> >> 'Enterprise' switches drop :03 [802.1x]
>> >
>> > They also speak STP, see above about never STP+1X :)
>> But if you turn off STP they wont start forwarding 802.1x.
>
> Yes, hence my suggestion to have a knob for all of the link-local
> ethernet groups. (Which I'm still not actually endorsing, just placing
> the idea)
>
>> Also having STP on and forwarding 802.1x would be useful (but
>> non-standard) in some cheap redundant periphery switches, connecting
>> to a couple of 'core' switches acting as 802.1x authenticators.
>
> That wouldn't really make much sense since those central 802.1X
> authenticators wouldn't be able switch the client-facing ports on and
> off.
Although its non standard, it is common for authenticators to do
802.1X per source mac rather than per port. Also the central
authenticator ports can be routed not bridged. So i dont think you
can rule out the "STP on plus 802.1x being forwarded" requirement.
> Instead, you now have to (1) disable the port switching to make
> sure your upstreams stay on and (2) deal with 802.1X clients being
> re"routed" by STP to different authenticators that don't know them.
Well if the authenticators are pointed at a remote ACS then they will
know them. And again even though non-standard, 802.1X 'mac move'
functionality exists.
Nick
>
>
> -David
>
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists