From owner-freebsd-net@FreeBSD.ORG Sat Feb 19 14:53:21 2011
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D1CA41065679 for ; Sat, 19 Feb 2011 14:53:21 +0000 (UTC) (envelope-from nvass@gmx.com)
Received: from mailout-eu.gmx.com (mailout-eu.gmx.com [213.165.64.42]) by mx1.freebsd.org (Postfix) with SMTP id 57CFB8FC14 for ; Sat, 19 Feb 2011 14:53:21 +0000 (UTC)
Received: (qmail invoked by alias); 19 Feb 2011 14:53:19 -0000
Received: from adsl-39.79.107.47.tellas.gr (EHLO [192.168.73.192]) [79.107.47.39] by mail.gmx.com (mp-eu001) with SMTP; 19 Feb 2011 15:53:19 +0100
X-Authenticated: #46156728
X-Provags-ID: V01U2FsdGVkX1/NNkRICpzNYmmsuWqbVPo9YLS7OUsUTRRl+ITxko 67SRaE2CUkMW7r
Message-ID: <4D5FD91F.20704@gmx.com>
Date: Sat, 19 Feb 2011 16:52:15 +0200
From: Nikos Vassiliadis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: kevin
References: <000c01cbcf94$35e76e20$a1b64a60$@com> <4D5FAC16.7080207@gmx.com> <00a201cbd03f$2bdc3540$83949fc0$@com>
In-Reply-To: <00a201cbd03f$2bdc3540$83949fc0$@com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: freebsd-net@freebsd.org
Subject: Re: Bridging + VLANS + RSTP / MSTP
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 19 Feb 2011 14:53:22 -0000

On 2/19/2011 4:13 PM, kevin wrote:
>
>> Could you send your ifconfig bridge output from both firewalls?
>> If STP is turned off on the four switch ports that the firewalls are
>> patched, one of the two firewalls must be root of the spanning tree.
>
> I believe if you don't specify 'stp' in the rc.conf ifconfig statement,
> freebsd by default sets the bridge as 'rstp' :

Yes, that's correct.

>
> sdh-fw# ifconfig
> bridge0: flags=8843 metric 0 mtu 1500
>         ether 06:c7:a9:50:41:17
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: bge1 flags=143
>                 ifmaxaddr 0 port 3 priority 128 path cost 55
>         member: bge0 flags=143
>                 ifmaxaddr 0 port 2 priority 128 path cost 55
>

There is no active STP there. The port should look like this:

You should also see the bridge's ID and not 00:00:00:00:00:00:
> id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15

You should also see the root bridge's ID of the STP domain:
> root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0

A bridge will look like this:

bridge2: flags=8843 metric 0 mtu 1500
        ether a2:ae:00:08:a7:ab
        inet 10.16.0.2 netmask 0xff000000 broadcast 10.255.255.255
        id 00:17:d6:a9:31:e7 priority 16384 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:12:cf:69:e9:ea priority 16384 ifcost 14183 port 4
        member: epair14b flags=1c7
                ifmaxaddr 0 port 9 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair13b flags=1c7
                ifmaxaddr 0 port 8 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair10b flags=1c7
                ifmaxaddr 0 port 7 priority 128 path cost 14183 proto rstp
                role alternate state discarding
        ...
And the root bridge will look like this:

bridge4: flags=8843 metric 0 mtu 1500
        ether ae:6e:5a:9d:9b:5c
        inet 10.16.0.4 netmask 0xff000000 broadcast 10.255.255.255
        id 00:12:cf:69:e9:ea priority 16384 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:12:cf:69:e9:ea priority 16384 ifcost 0 port 0
        member: epair18b flags=1c7
                ifmaxaddr 0 port 9 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair17b flags=1c7
                ifmaxaddr 0 port 8 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair11a flags=1c7
                ifmaxaddr 0 port 7 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        ...

>
>> Be sure that STP is *really* turned off on the switch, use tcpdump on the
>> physical ports for this.
>
> Should I just turn off STP for every port on the switch or just the ports
> connected to the bridge?

Just the ports connected to the bridging firewalls.

Your topology looks like this, correct?
http://img811.imageshack.us/i/bridgingfw.png/

The switch must act as a plain ethernet switch, no stp, no BPDU filtering,
no nothing. The STP on the firewalls will handle the loop in the topology.
Be *sure* that STP is active on the firewalls and the two firewalls are in
a single STP domain (can talk STP to each other), otherwise a L2 loop will
do a DoS on your firewalls...

HTH, Nikos
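An added example, not part of this thread or of FreeBSD itself, that applies the checks Nikos describes mechanically: a small Python parser for `ifconfig` bridge output that reports whether a bridge shows a non-zero bridge id and root id, whether every member port carries an RSTP role and state, and whether the bridge is the root of its STP domain. The sample input is the output quoted in the thread, trimmed to the lines the parser reads, plus one constructed non-bridge interface (`bge0`) to show that unrelated interfaces are skipped; the class and function names are my own.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

ZERO_ID = "00:00:00:00:00:00"   # what if_bridge prints when STP is not running


@dataclass
class Member:
    name: str
    role: Optional[str] = None    # only printed when the port takes part in (R)STP
    state: Optional[str] = None


@dataclass
class Bridge:
    name: str
    bridge_id: str = ZERO_ID
    root_id: str = ZERO_ID
    members: List[Member] = field(default_factory=list)


def parse_ifconfig(text: str) -> List[Bridge]:
    """Pull bridge id, root id and member role/state out of `ifconfig` text."""
    bridges: List[Bridge] = []
    current: Optional[Bridge] = None
    member: Optional[Member] = None
    for line in text.splitlines():
        if line and not line[0].isspace():            # interface header line
            head = re.match(r"(bridge\d+):", line)
            current = Bridge(head.group(1)) if head else None  # skip non-bridges
            member = None
            if current:
                bridges.append(current)
            continue
        if current is None:
            continue
        s = line.strip()
        if m := re.match(r"root id (\S+)", s):        # must be tested before plain "id"
            current.root_id = m.group(1)
        elif m := re.match(r"id (\S+)", s):
            current.bridge_id = m.group(1)
        elif m := re.match(r"member: (\S+)", s):
            member = Member(m.group(1))
            current.members.append(member)
        elif member and (m := re.search(r"role (\S+) state (\S+)", s)):
            member.role, member.state = m.group(1), m.group(2)
    return bridges


def assess(b: Bridge) -> str:
    """One-line verdict per bridge, in the terms used in the thread."""
    if b.bridge_id == ZERO_ID or b.root_id == ZERO_ID:
        return "no active STP"
    missing = [m.name for m in b.members if m.role is None]
    if missing:                                       # bridge runs STP, some ports do not
        return "STP active but not on member(s): " + ", ".join(missing)
    if b.bridge_id == b.root_id:
        return "root bridge"
    return "STP active, root is " + b.root_id


# Sample taken from the thread's quoted output (bridge0 from sdh-fw, bridge2 and
# bridge4 from Nikos's reply), trimmed to the parsed lines; the bge0 entry is a
# constructed non-bridge interface added to exercise the skip logic.
SAMPLE_IFCONFIG = """\
bridge0: flags=8843 metric 0 mtu 1500
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: bge1 flags=143
                ifmaxaddr 0 port 3 priority 128 path cost 55
        member: bge0 flags=143
                ifmaxaddr 0 port 2 priority 128 path cost 55
bge0: flags=8843 metric 0 mtu 1500
        ether 06:c7:a9:50:41:17
bridge2: flags=8843 metric 0 mtu 1500
        id 00:17:d6:a9:31:e7 priority 16384 hellotime 2 fwddelay 15
        root id 00:12:cf:69:e9:ea priority 16384 ifcost 14183 port 4
        member: epair14b flags=1c7
                ifmaxaddr 0 port 9 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair13b flags=1c7
                ifmaxaddr 0 port 8 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair10b flags=1c7
                ifmaxaddr 0 port 7 priority 128 path cost 14183 proto rstp
                role alternate state discarding
bridge4: flags=8843 metric 0 mtu 1500
        id 00:12:cf:69:e9:ea priority 16384 hellotime 2 fwddelay 15
        root id 00:12:cf:69:e9:ea priority 16384 ifcost 0 port 0
        member: epair18b flags=1c7
                ifmaxaddr 0 port 9 priority 128 path cost 14183 proto rstp
                role designated state forwarding
"""

if __name__ == "__main__":
    # Pipe real output in (`ifconfig | python3 this.py`) or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IFCONFIG
    for b in parse_ifconfig(text):
        print(f"{b.name}: {assess(b)}")
```

Running this on the two firewalls in the thread would report "no active STP" for sdh-fw's bridge0 (both ids all zero), while a correctly configured pair shows one "root bridge" and one "STP active, root is ..." naming the same root id, which is the single-STP-domain condition Nikos asks for before the loop is closed.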