[PLUG] Replace ethernet switch with Linux bridge?

Daniel Pittman daniel at rimspace.net
Sun Feb 13 19:58:45 UTC 2011


On Sun, Feb 13, 2011 at 02:38, someone <plug_1 at robinson-west.com> wrote:

> Is this something that is doable to go from a dumb switch that doesn't care
> what MAC addresses are connecting to a smart switch that does?

As in, to get the "smart" switch deal without having to lay out the
money for one?

> Currently, my DSL modem is bridged and I have 5 global IP addresses.
> I use a Netgear 10/100baseTX 8 port switch to connect all my servers to my
> modem.  Question is, can I simulate the switch with a Linux server and
> be more careful about which MAC addresses get service?  I also want this
> bridge machine to have one of the global IP addresses.  Naturally, I
> want to implement an alarm feature for when and if a foreign computer
> is detected.
>
> Is implementing a smart switch the sort of thing that the Linux
> bridging code is used for?

Well, you can, but there might be an easier solution.  Anyway, first:
you absolutely can bridge multiple ethernet ports together and Linux
will behave like a big switch.  You get the effect of the Linux system
having a single Ethernet card connected to that virtual switch, too.

If you do that you have to ask if the system you are deploying has
access to a sufficient number of Ethernet ports, of course, and also
if you have the bus, memory and CPU bandwidth to deliver sufficient
(ideally, full) rate across the entire switch.

You can add port locking using ebtables or iptables to limit
communication to systems that are in your whitelist (but remember that
the MAC is trivially faked), or something smarter like 802.1x
authentication.

Alerts for new ARP stuff could be hung off either the {eb,ip}tables
logs, or off some ARP-watching daemon.

Anyway, what I would do is just lay out the couple of hundred dollars
to get a switch that would do 802.1x access control, and port MAC
locking, so that you can have fixed ports for things that have real
limits, and just use 802.1x to auth any other port that gets connected
to.

Regards,
    Daniel
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <daniel at rimspace.net>
✆ Contact me via gtalk, email, or phone: +1 (503) 893-2285
♲ Made with 100 percent post-consumer electrons
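The bridge-plus-ebtables setup Daniel sketches above, as an added example that is not code from the original post or from Daniel. It assumes three bridged ports eth1..eth3, a bridge named br0, one global address from the 203.0.113.0/24 documentation range, a modern iproute2 (`ip link ... type bridge`, `bridge fdb show`), and a constructed allowlist and constructed fdb output. It prints the `ip` and `ebtables` commands instead of running them, so they can be reviewed and then piped to `sh` as root; the last function is the "alarm" part, reporting any learned MAC whose (MAC, port) pair is not on the allowlist, which also catches a known MAC turning up on the wrong port:

```shell
#!/bin/sh
# Added example (not from the original post): a Linux box as a MAC-locked
# switch, built from a bridge plus ebtables, with a foreign-MAC check.
# Assumptions: ports eth1..eth3, bridge br0, one global address from the
# documentation range 203.0.113.0/24, and a constructed allowlist.

BRIDGE=br0
PORTS="eth1 eth2 eth3"
BRIDGE_ADDR=203.0.113.10/29

# Constructed allowlist: "MAC port" pairs, one per line (lower-case MACs).
ALLOWLIST='
00:11:22:33:44:55 eth1
00:11:22:33:44:66 eth2
'

# Print the commands that build the bridge (dry-run; review, then pipe to sh as root).
bridge_setup_cmds() {
    echo "ip link add name $BRIDGE type bridge"
    for p in $PORTS; do
        echo "ip link set $p master $BRIDGE"
        echo "ip link set $p up"
    done
    echo "ip link set $BRIDGE up"
    # the bridge host itself takes one of the global addresses
    echo "ip addr add $BRIDGE_ADDR dev $BRIDGE"
}

# Print ebtables rules: a frame is accepted only if its (source MAC, ingress
# port) pair is on the allowlist; anything else is logged and dropped.
# INPUT covers frames for this host, FORWARD frames bridged between ports.
ebtables_rule_cmds() {
    for chain in INPUT FORWARD; do
        echo "ebtables -F $chain"
        echo "$ALLOWLIST" | while read -r mac port; do
            [ -n "$mac" ] || continue
            echo "ebtables -A $chain -i $port -s $mac -j ACCEPT"
        done
        echo "ebtables -A $chain --log-level info --log-prefix 'BR-FOREIGN: ' -j DROP"
    done
}

# Read 'bridge fdb show br br0' output on stdin and print "MAC port" for
# every learned entry that is not an allowlisted pair.  A known MAC on an
# unexpected port is reported too, since a MAC is trivially faked.
# The bridge's own and multicast entries are marked 'permanent' and skipped.
foreign_macs() {
    while read -r mac _dev port rest; do
        case "$rest" in *permanent*) continue ;; esac
        if ! echo "$ALLOWLIST" | grep -qi "^$mac $port\$"; then
            echo "$mac $port"
        fi
    done
}

# Constructed sample of 'bridge fdb show br br0' output, not a real capture.
SAMPLE_FDB='00:11:22:33:44:55 dev eth1 master br0
00:11:22:33:44:66 dev eth2 master br0
de:ad:be:ef:00:01 dev eth3 master br0
00:11:22:33:44:55 dev eth3 master br0
33:33:00:00:00:01 dev eth1 self permanent'

bridge_setup_cmds
ebtables_rule_cmds
echo "# foreign MACs in sample fdb:"
printf '%s\n' "$SAMPLE_FDB" | foreign_macs
```

Run from cron or a loop with `bridge fdb show br br0 | foreign_macs` to get the alarm, or point a daemon such as arpwatch at br0 for the ARP-level view; the `BR-FOREIGN:` prefix makes the dropped frames easy to pick out of the kernel log. On kernels where ebtables has been replaced by nftables the same rules go into an `nft` table of family `bridge`.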
