From owner-freebsd-net@freebsd.org  Sat Aug 15 03:46:09 2015
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id D20609B9D2C
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Sat, 15 Aug 2015 03:46:09 +0000 (UTC)
 (envelope-from lists@jnielsen.net)
Received: from webmail2.jnielsen.net (webmail2.jnielsen.net [50.114.224.20])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "webmail2.jnielsen.net",
 Issuer "freebsdsolutions.net" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 248821EB1
 for <freebsd-net@freebsd.org>; Sat, 15 Aug 2015 03:46:08 +0000 (UTC)
 (envelope-from lists@jnielsen.net)
Received: from [192.168.2.123] (c-50-160-123-105.hsd1.ut.comcast.net
 [50.160.123.105]) (authenticated bits=0)
 by webmail2.jnielsen.net (8.15.1/8.15.1) with ESMTPSA id t7F3JqEY013587
 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO);
 Fri, 14 Aug 2015 21:19:55 -0600 (MDT)
 (envelope-from lists@jnielsen.net)
X-Authentication-Warning: webmail2.jnielsen.net: Host
 c-50-160-123-105.hsd1.ut.comcast.net [50.160.123.105] claimed to be
 [192.168.2.123]
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (1.0)
Subject: Re: vlan+bridge questions
From: John Nielsen <lists@jnielsen.net>
X-Mailer: iPhone Mail (12H143)
In-Reply-To: <CANp8tbUo2tJekEnJ7rvteJN0HehhKT6gEoHajvavcku+d=Opzw@mail.gmail.com>
Date: Fri, 14 Aug 2015 21:19:51 -0600
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1468D6AA-1368-4B3E-B9A1-24D5B7489A02@jnielsen.net>
References: <CANp8tbUo2tJekEnJ7rvteJN0HehhKT6gEoHajvavcku+d=Opzw@mail.gmail.com>
To: Hooshang F <ebastan10@gmail.com>
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Aug 2015 03:46:09 -0000

> On Aug 14, 2015, at 11:57 AM, Hooshang F <ebastan10@gmail.com> wrote:
>=20
> We need to install a freebsd firewall (pf). The freebsd
> box needs to be placed in bridge mode in the middle of a VLAN truck
> link between 2 Cisco switches. The em0 and em1 ports
> are connected to the trunk ports on the 2 switches.
>=20
> We are going to:
>=20
> 1- Define two vlan interfaces for vlan id X.
>    one with em0 as parent and the other on top of em1.
> 2- Create a bridge interface.
> 3- Add the two vlan interfaces as members of the bridge.
> 4- Repeat 1-3 for every vlan id used in the network.
>=20
> 2 questions:
>=20
> 1- Is not there a simpler method which does not involve creating so
>    many vlans & bridges? For instance, is it possible to have
>    a truck interface which accepts 'all' vlan IDs (like cisco) instead
>    of creating two vlan interface per ID?
>=20
> 2-  How the untagged traffic should be bridged? Cisco switches
>     send out packets untagged if vlan ID is equal to the trunk port
>    'native' vlan id. To bridge this packets, we should create
>    a bridge with em0 and em1 as members, but that will
>    effectively disables bridging on vlan interfaces. Right?

Same answer for both questions: bridge the parent interfaces. If you need vl=
an interfaces, create them as children of the single bridge interface.=20=