
I have two switches connected via TAP interfaces. Each Virtual Switch port is connected to an individual TAP port and the TAP ports are joined via a Bridge.

SW1-port1 = TAP 11 <== BR121 ==> TAP 21 = SW2-port1
SW1-port2 = TAP 12 <== BR122 ==> TAP 22 = SW2-port2

If I configure the Switch ports as normal layer 3, they can ping each other, which means the setup above is working. However, LACP packets get dropped and I cannot establish a port channel between the two (for educational purposes).

I can see LACP packets generated by the locally connected switch if I "tcpdump" the TAP interface, but somehow the LACP packet does not make it to the other end (to the other TAP I/F).

Could it be the Bridge absorbing the LACP packet? Is there a way to prevent this?

Thanks, Francesco

Francesco

1 Answer


Yes, LACP uses the group address 01:80:C2:00:00:02, which is in the "do not relay" range: any 802.1D-compliant bridge must not forward these frames.

While Linux bridges allow configuring exceptions to this (via group_fwd_mask), this feature is meant for higher level protocols such as LLDP or 802.1X and explicitly refuses to add a bypass for the STP/LACP address.

(I think this makes a lot of sense, because these protocols are specifically meant to be used between two peers on opposite ends of a direct link, and would malfunction in various ways otherwise.)

Bridges classified as two-port MAC relays would be an exception: as they link exactly two interfaces, they can be transparent to LACP. However, as far as I know there is no native method of telling a Linux bridge to act as one.

It could be done using a userspace program to move frames between two interfaces, such as socat.

Alternatively you could run LACP between each of your vswitches and the Linux host (using either the bonding or teaming drivers), and then put the bridge on top of the two LAGs (bond interfaces).

u1686_grawity
  • Hi Grawity, that is a very good explanation and it makes perfect sense. I will look into the SOCAT option. – Francesco Aug 14 '18 at 07:42
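To make the `group_fwd_mask` limitation in the answer concrete, the following added example (not part of the original answer, and not kernel code) computes the mask needed to relay a set of 01:80:C2:00:00:0X addresses and reports which ones the kernel refuses. The function names are hypothetical; the restricted bits 0 to 2 cover the STP, MAC pause and LACP addresses.

```python
# Added illustration: plan a Linux bridge group_fwd_mask for reserved
# 802.1D group addresses (01:80:C2:00:00:0X). Bit X of the mask enables
# relaying of address ...:0X. Function names here are hypothetical.

RESERVED_PREFIX = bytes.fromhex("0180c20000")
# Bits the kernel rejects when written to
# /sys/class/net/<bridge>/bridge/group_fwd_mask:
# :00 STP, :01 MAC pause, :02 slow protocols (LACP).
RESTRICTED_BITS = 0x0007


def reserved_index(mac):
    """Return X if mac is 01:80:C2:00:00:0X, otherwise None."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if raw[:5] == RESERVED_PREFIX and raw[5] <= 0x0F:
        return raw[5]
    return None


def plan_group_fwd_mask(macs):
    """Return (mask, refused, unaffected) for the given destination MACs.

    mask       -- value that can be written to group_fwd_mask
    refused    -- addresses whose bit the kernel will not accept
    unaffected -- addresses outside the reserved range (mask is irrelevant)
    """
    mask, refused, unaffected = 0, [], []
    for mac in macs:
        idx = reserved_index(mac)
        if idx is None:
            unaffected.append(mac)
        elif (1 << idx) & RESTRICTED_BITS:
            refused.append(mac)
        else:
            mask |= 1 << idx
    return mask, refused, unaffected


if __name__ == "__main__":
    # Constructed sample: LACP, LLDP, 802.1X (PAE), STP, broadcast.
    sample = ["01:80:C2:00:00:02", "01:80:C2:00:00:0E",
              "01:80:C2:00:00:03", "01:80:C2:00:00:00",
              "ff:ff:ff:ff:ff:ff"]
    mask, refused, unaffected = plan_group_fwd_mask(sample)
    print(f"group_fwd_mask = {mask:#06x}")
    print("refused by kernel:", refused)
    print("not in reserved range:", unaffected)
```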