From: Nikos Vassiliadis
Date: Sun, 20 Feb 2011 12:50:17 +0200
To: Tom Judge
Cc: freebsd-net@freebsd.org, kevin
Subject: Re: Bridging + VLANS + RSTP / MSTP
Message-ID: <4D60F1E9.8020707@gmx.com>
In-Reply-To: <4D5FFE9C.30005@tomjudge.com>
References: <000c01cbcf94$35e76e20$a1b64a60$@com> <4D5FAC16.7080207@gmx.com> <00a201cbd03f$2bdc3540$83949fc0$@com> <4D5FD91F.20704@gmx.com> <4D5FDCF1.6050909@gmx.com> <00a501cbd04f$2276b5b0$67642110$@com> <4D5FFE9C.30005@tomjudge.com>
List-Id: Networking and TCP/IP with FreeBSD

On 2/19/2011 7:32 PM, Tom Judge wrote:
> In this setup it does not matter where the root bridge is, each of the
> firewalls will always have one port in discarding state as both ports
> lead back to the same peer bridge.
> With states such as:
>
> fw 1 - 1: forwarding
> fw 2 - 1: forwarding
> fw 1 - 2: discarding - backup
> fw 2 - 2: discarding - backup
>

If I got the topology correctly, it is supposed to be like this:

(Broadcast domain 1)
   |        |
   |        |
   |        |
 (fw1)    (fw2)
   |        |
   |        |
   |        |
(Broadcast domain 2)

If fw1 is the root bridge, then it'll look like this:

(Broadcast domain 1)
   |        |
   |        |
   D        R
 (fw1)    (fw2)
   D        B
   |        |
   |        |
(Broadcast domain 2)

fw2 will have one root port and one backup, and fw1 will have two designated ports. Since the switch will not take part in the STP, there is no single bridge. If I get the topology correctly...

> There is also the caveat: The switch will probably _not_ forward the
> STP BPDUs from one port to another. This is because if the switch is a
> properly compliant bridge it will not forward the frames, as they are
> marked as link-local Ethernet multicast frames which are not allowed to be
> forwarded by a bridge per the Ethernet spec. If this is indeed the case
> you will make an instant forwarding loop in your network when you try to
> make it work.

Yes, this is true, but when a port is not running STP it is not considered to be part of a compliant bridge, so there should be a mechanism to allow forwarding BPDUs to the other bridges that run STP. Like when one combines simple unmanaged switches (with no STP functionality) with managed ones. The unmanaged ones simply forward everything they receive and the STP ones can detect and break the loops.

Nikos
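As an added example (not code from this thread or from FreeBSD's if_bridge), the following Python model works the role assignment above through: it runs the 802.1D-2004 priority-vector comparison over bridges joined by segments that flood BPDUs, which is the unmanaged-switch behaviour Nikos describes. Under those rules fw2's second port comes out "alternate" rather than "backup", because the superior BPDU it hears comes from the other firewall; "backup" is the role for a port that hears a superior BPDU from its own bridge on the same segment, and both roles are discarding. Bridge ids 1 and 2, port ids, the segment names and the 100 Mb/s link cost are assumptions for the demo.

```python
"""Converged RSTP port roles for bridges joined by transparent (non-STP) segments."""
from collections import defaultdict

LINK_COST = 20000  # 802.1D-2004 default path cost for 100 Mb/s; link speed is an assumption


def assign_roles(ports, rounds=8):
    """ports: list of (bridge_id, port_id, segment); the lowest bridge_id becomes root.
    A segment relays every BPDU to all attached ports, i.e. the switch in between is an
    unmanaged one that floods the 01:80:C2:00:00:00 frames instead of consuming them.
    Returns {(bridge_id, port_id): "root" | "designated" | "alternate" | "backup"}."""
    roles = {(b, p): "designated" for b, p, _ in ports}    # every port starts out designated
    root_info = {b: (b, 0) for b, _, _ in ports}            # bridge -> (root id, root path cost)
    for _ in range(rounds):                                 # distance-vector style convergence
        # only designated ports transmit: BPDU = (root, root path cost, sender bridge, sender port)
        on_segment = defaultdict(list)
        for b, p, seg in ports:
            if roles[(b, p)] == "designated":
                on_segment[seg].append((*root_info[b], b, p))
        best_rx = {}                                        # best BPDU heard on each port
        for b, p, seg in ports:
            heard = [v for v in on_segment[seg] if v[2:] != (b, p)]
            best_rx[(b, p)] = min(heard) if heard else None
        for b in root_info:
            # pick the root port: best received vector plus link cost, ties broken by port id
            best, root_port = (b, 0, b, 0, 0), None
            for (bb, p), v in best_rx.items():
                if bb == b and v and (v[0], v[1] + LINK_COST, v[2], v[3], p) < best:
                    best, root_port = (v[0], v[1] + LINK_COST, v[2], v[3], p), p
            root_info[b] = best[:2]
            for (bb, p), v in best_rx.items():
                if bb != b:
                    continue
                mine = (*root_info[b], b, p)                # the BPDU this port would send
                if p == root_port:
                    roles[(b, p)] = "root"
                elif v is None or mine < v:
                    roles[(b, p)] = "designated"
                else:  # a superior BPDU is heard here, so the port stays discarding
                    roles[(b, p)] = "backup" if v[2] == b else "alternate"
    return roles


if __name__ == "__main__":
    # constructed topology from the thread: fw1 and fw2 each have one port in every domain
    fws = [(1, 1, "bd1"), (1, 2, "bd2"), (2, 1, "bd1"), (2, 2, "bd2")]
    for (b, p), role in sorted(assign_roles(fws).items()):
        print(f"fw{b} port {p}: {role}")
```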