From: Remko Lodder
Date: Tue, 22 Feb 2011 22:02:10 +0100
To: kevin
Cc: 'Tom Judge', freebsd-net@freebsd.org, 'Nikos Vassiliadis'
Subject: Re: Bridging + VLANS + RSTP / MSTP
List-Id: Networking and TCP/IP with FreeBSD

On Feb 22, 2011, at 1:20 PM, kevin wrote:

>> There is also the caveat: the switch will probably _not_ forward the STP
>> BPDUs from one port to another.
>
> You were correct -- my initial testing confirmed this. Would the same issue
> arise if I employed a gateway IP on the /bridge/ instead, and used CARP as a
> failover mechanism? The firewall no longer becomes transparent pass
> through/firewall. I have not done carp with bridges and I'm not 100% certain
> the same STP forwarding problems wouldn't arise, even with an IP assigned.
>
> Such as:
>
> [switch 1 (vlan 1)]
>     |                  |
> [fw1 gw1] -- CARP -- [fw2 gw1]
>     |                  |
> [switch 1 (vlan 2)]
>
>
> Thanks,
>
> Kevin
>

CARP is a failover mechanism like HSRP and VRRP; I have difficulty understanding
how it works on a bridge. (Only the device in between talks CARP; it cannot
broadcast an IP on the bridge, because then it would become L3 instead of L2.)

You could of course use HSRP/VRRP related things and have the gateway address(es)
move when a failure is detected. A lot of companies use those kinds of setups, but
personally I haven't seen one of them having multiple providers with different IP
space to get to the internet.

What is the problem in setting up such a lab to test whether that works as you
would want to?

(Why are they bridges in the first place and not active firewalls? It's not that
strange to have an active firewall between the evil internet and the internal
network.)

-- 
/"\   Best regards,                 | remko@FreeBSD.org
\ /   Remko Lodder                  |
 X    http://www.evilcoder.org/     | Quis custodiet ipsos custodes
/ \   ASCII Ribbon Campaign         | Against HTML Mail and News