From: Tom Judge
Date: Sat, 19 Feb 2011 12:32:12 -0500
To: kevin
Cc: freebsd-net@freebsd.org, 'Nikos Vassiliadis'
Subject: Re: Bridging + VLANS + RSTP / MSTP
Message-ID: <4D5FFE9C.30005@tomjudge.com>
List-Id: Networking and TCP/IP with FreeBSD

On 19/02/2011 11:07, kevin wrote:
>> No, you have to specify stp there. The default STP mode is RSTP.
>> If you don't specify stp, you'll get a dumb ethernet bridge.
> Thanks very much for clarification. This helps me immensely. My room for
> testing is limited so this will help me take the right steps necessary.
>
> One quick last question : would you recommend pfsync in this scenario,
> between bridges? I've been hearing a lot of issues with pfsync but I'm not
> sure what behavior to expect in a bridging scenario such as this one.
>

This setup with pfsync will work ok as long as you have the STP setup
correctly.

As to the STP. I can see an issue with this setup if you are using a
single switch and 2 firewalls. You will have the following links:

-
-
-
-

In this setup it does not matter where the root bridge is, each of the
firewalls will always have one port in discarding state as both ports
lead back to the same peer bridge. With states such as:

fw 1 - 1: forwarding
fw 2 - 1: forwarding
fw 1 - 2: discarding - backup
fw 2 - 2: discarding - backup

If you disable STP on the ports for the firewalls you will have virtual
links:

-
-

This will create the following states (the same as above):

fw 1 - 1: forwarding
fw 2 - 1: forwarding
fw 1 - 2: discarding - backup
fw 2 - 2: discarding - backup

There is also a caveat: The switch will probably _not_ forward the STP
BPDUs from one port to another. This is because if the switch is a
properly compliant bridge it will not forward the frames, as they are
marked as link-local ethernet multicast frames, which are not allowed to
be forwarded by a bridge per the ethernet spec.

If this is indeed the case you will make an instant forwarding loop in
your network when you try to make it work. You will need to introduce a
4th STP speaking device to the configuration with a topology such as
this:

< switch 1 >
 |   |
 |   |
 -
 |   |
 |
< switch 2 >

Where the link between switch 1 and 2 is a trunk with both the vlans on
it. This way you can set the root bridge to firewall 1 and firewall 2 as
the second highest priority and the switches equal 3rd priorities.

I would also recommend that FW 1 and 2 have opposite vlan assignments on
each switch, this way you can add a 3rd port to each firewall and link
them together, and you will be able to survive a switch failure as well.
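The recommended four-device layout above (firewall 1 as root, firewall 2 second, switches third, opposite VLAN assignments and a direct firewall-to-firewall link) can be checked on paper before anything is cabled. The script below is an added example, not code from the mailing-list post or from FreeBSD's if_bridge: it applies the 802.1D/802.1w priority-vector rules (root election by lowest bridge ID, root port by lowest root path cost, one designated port per link) to a constructed model of that topology and verifies that the forwarding ports form a loop-free tree, both with everything up and after losing a firewall or a switch. The bridge names, MAC addresses, port numbers, priority values and unit path costs are all assumptions for the example.

```python
"""Simplified spanning-tree role calculation for the four-device topology.

Added example, not code from the original post or from FreeBSD. Models the
recommended layout: fw1 holds the best priority, fw2 the next, both switches
an equal worse one; each firewall has a port on each switch (opposite VLAN
assignments), the switches are joined by a trunk, and a direct link joins
the two firewalls. Names, MACs, ports, priorities and costs are assumptions.
"""
from collections import deque

# Constructed topology: name -> (priority, MAC). The lowest tuple wins root election.
BRIDGES = {
    "fw1": (4096, "00:00:00:00:00:01"),
    "fw2": (8192, "00:00:00:00:00:02"),
    "sw1": (32768, "00:00:00:00:00:11"),
    "sw2": (32768, "00:00:00:00:00:12"),
}
# Each link is ((bridge, port), (bridge, port)); every hop costs 1.
LINKS = [
    (("fw1", 1), ("sw1", 1)),
    (("fw1", 2), ("sw2", 1)),
    (("fw2", 1), ("sw2", 2)),  # opposite assignment to fw1, as the post suggests
    (("fw2", 2), ("sw1", 2)),
    (("sw1", 3), ("sw2", 3)),  # trunk carrying both VLANs
    (("fw1", 3), ("fw2", 3)),  # the "3rd port" direct firewall link
]

def compute_roles(bridges, links):
    """Return ({(bridge, port): (role, state)}, root_bridge_name)."""
    root = min(bridges, key=lambda n: bridges[n])      # lowest bridge ID wins
    adj = {n: [] for n in bridges}                      # n -> [(own_port, peer, peer_port)]
    for (a, ap), (b, bp) in links:
        adj[a].append((ap, b, bp))
        adj[b].append((bp, a, ap))
    # Root path cost with unit link costs is simply BFS depth from the root.
    cost, queue = {root: 0}, deque([root])
    while queue:
        n = queue.popleft()
        for _, peer, _ in adj[n]:
            if peer not in cost:
                cost[peer] = cost[n] + 1
                queue.append(peer)
    if len(cost) != len(bridges):
        raise ValueError("topology is partitioned; no spanning tree can connect it")
    # Root port: the port receiving the best priority vector
    # (path cost via peer, peer bridge ID, peer port ID, own port ID).
    root_port = {}
    for n in bridges:
        if n != root:
            own, _, _ = min(adj[n], key=lambda e: (cost[e[1]] + 1, bridges[e[1]], e[2], e[0]))
            root_port[n] = own
    # Designated port on each link: the end advertising the better vector.
    roles = {}
    for (a, ap), (b, bp) in links:
        va, vb = (cost[a], bridges[a], ap), (cost[b], bridges[b], bp)
        des, other = ((a, ap), (b, bp)) if va < vb else ((b, bp), (a, ap))
        roles[des] = ("designated", "forwarding")
        ob, op = other
        if root_port.get(ob) == op:
            roles[other] = ("root", "forwarding")
        elif ob == des[0]:                              # link looping back onto the same bridge
            roles[other] = ("backup", "discarding")
        else:
            roles[other] = ("alternate", "discarding")
    return roles, root

def is_loop_free_tree(bridges, links, roles):
    """True if the links forwarding at both ends connect every bridge without a loop."""
    active = [lk for lk in links
              if roles[lk[0]][1] == "forwarding" and roles[lk[1]][1] == "forwarding"]
    if len(active) != len(bridges) - 1:                 # a tree has exactly N-1 edges
        return False
    nbrs = {n: set() for n in bridges}
    for (a, _), (b, _) in active:
        nbrs[a].add(b)
        nbrs[b].add(a)
    start = next(iter(bridges))
    seen, queue = {start}, deque([start])
    while queue:
        for p in nbrs[queue.popleft()]:
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return len(seen) == len(bridges)

def without(bridges, links, failed):
    """Topology left after bridge `failed` goes down, taking all its links with it."""
    remaining = {n: v for n, v in bridges.items() if n != failed}
    kept = [lk for lk in links if failed not in (lk[0][0], lk[1][0])]
    return remaining, kept

if __name__ == "__main__":
    for failed in (None, "fw1", "sw1"):
        b, l = without(BRIDGES, LINKS, failed) if failed else (BRIDGES, LINKS)
        roles, root = compute_roles(b, l)
        print(f"failed={failed} root={root} loop_free_tree={is_loop_free_tree(b, l, roles)}")
        for (n, p), (role, state) in sorted(roles.items()):
            print(f"  {n} port {p}: {state:10} ({role})")
```

With all four devices up, fw1 is elected root, fw2 reaches it over the direct link, the switches each use their fw1-facing port as root port, and the trunk plus the fw2-facing switch ports end up alternate/discarding. Removing fw1 makes fw2 root with both switches still reachable; removing sw1 leaves fw1 as root with fw2 and sw2 still connected, which is the switch-failure case the post says the third firewall port buys you. The model ignores per-VLAN (MSTP) instances and BPDU filtering on switch ports, so it describes the intended end state rather than what a switch that drops BPDUs would actually do.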