Date: Sat, 19 Feb 2011 16:52:15 +0200
From: Nikos Vassiliadis <nvass@gmx.com>
To: kevin <k@kevinkevin.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Bridging + VLANS + RSTP / MSTP
Message-ID: <4D5FD91F.20704@gmx.com>
In-Reply-To: <00a201cbd03f$2bdc3540$83949fc0$@com>
References: <000c01cbcf94$35e76e20$a1b64a60$@com> <4D5FAC16.7080207@gmx.com> <00a201cbd03f$2bdc3540$83949fc0$@com>
On 2/19/2011 4:13 PM, kevin wrote:
>
>> Could you send your ifconfig bridge output from both firewalls?
>> If STP is turned off on the four switch ports that the firewalls are
>> patched, one of the two firewalls must be root of the spanning tree.
>
> I believe if you don't specify 'stp' in the rc.conf ifconfig statement,
> freebsd by default sets the bridge as 'rstp' :

Yes, that's correct.

>
> sdh-fw# ifconfig
> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         ether 06:c7:a9:50:41:17
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: bge1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>                 ifmaxaddr 0 port 3 priority 128 path cost 55
>         member: bge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>                 ifmaxaddr 0 port 2 priority 128 path cost 55
>

There is no active STP there. The port should look like this:
<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>

You should also see the bridge's ID and not 00:00:00:00:00:00:
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15

You should also see the root bridge's ID of the STP domain:
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0

A bridge will look like this:

bridge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether a2:ae:00:08:a7:ab
        inet 10.16.0.2 netmask 0xff000000 broadcast 10.255.255.255
        id 00:17:d6:a9:31:e7 priority 16384 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:12:cf:69:e9:ea priority 16384 ifcost 14183 port 4
        member: epair14b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair13b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair10b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 14183 proto rstp
                role alternate state discarding
        ...

And the root bridge will look like this:

bridge4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ae:6e:5a:9d:9b:5c
        inet 10.16.0.4 netmask 0xff000000 broadcast 10.255.255.255
        id 00:12:cf:69:e9:ea priority 16384 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:12:cf:69:e9:ea priority 16384 ifcost 0 port 0
        member: epair18b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair17b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair11a flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        ...

>
>> Be sure that STP is *really* turned off on the switch, use tcpdump on the
>> physical ports for this.
>
> Should I just turn off STP for every port on the switch or just the ports
> connected to the bridge?

Just the ports connected to the bridging firewalls. Your topology looks like
this, correct?

http://img811.imageshack.us/i/bridgingfw.png/

The switch must act as a plain ethernet switch, no stp, no BPDU filtering,
no nothing. The STP on the firewalls will handle the loop in the topology.

Be *sure* that STP is active on the firewalls and the two firewalls are in a
single STP domain (can talk STP to each other), otherwise a L2 loop will do a
DoS on your firewalls...

HTH, Nikos
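A small parser for the checks Nikos walks through above, added here as an example and not code from the thread: it reads ifconfig bridge(4) output and reports, per bridge, whether STP is really active (non-zero bridge id, known root id, STP flag on every member port) and whether that bridge is the root. The function names and result format are mine; the sample text is trimmed from the two outputs quoted in the thread.

```python
import re

ZERO_ID = "00:00:00:00:00:00"   # what bridge(4) prints when no STP is running

# Sample trimmed from the thread: kevin's bridge0 (STP flag absent on both
# ports) and Nikos's root bridge4, keeping only the lines the checks use.
SAMPLE = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: bge1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 55
        member: bge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 55
bridge4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        id 00:12:cf:69:e9:ea priority 16384 hellotime 2 fwddelay 15
        root id 00:12:cf:69:e9:ea priority 16384 ifcost 0 port 0
        member: epair18b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 14183 proto rstp
                role designated state forwarding
"""

def parse_bridges(text):
    """Map bridge name -> {'id', 'root_id', 'members': {port: set(flags)}}."""
    bridges, cur = {}, None
    for raw in text.splitlines():
        if raw and not raw[0].isspace():            # interface header at column 0
            m = re.match(r"(bridge\d+):", raw)      # non-bridge interfaces reset cur
            cur = bridges.setdefault(m.group(1), {"id": None, "root_id": None, "members": {}}) if m else None
            continue
        line = raw.strip()
        if cur is None:
            continue
        if line.startswith("root id "):
            cur["root_id"] = line.split()[2]
        elif line.startswith("id "):
            cur["id"] = line.split()[1]
        else:
            m = re.match(r"member: (\S+) flags=[0-9a-f]+<([^>]*)>", line)
            if m:
                cur["members"][m.group(1)] = set(m.group(2).split(","))
    return bridges

def stp_status(br):
    """Apply the thread's checks: real bridge id, known root id, STP on every port."""
    no_stp = sorted(p for p, f in br["members"].items() if "STP" not in f)
    ids_ok = ZERO_ID not in (br["id"], br["root_id"]) and None not in (br["id"], br["root_id"])
    return {"stp_active": ids_ok and not no_stp,
            "is_root": ids_ok and not no_stp and br["id"] == br["root_id"],
            "ports_without_stp": no_stp}
```

Running stp_status over each bridge from parse_bridges(SAMPLE) flags bridge0 as having no active STP on bge0 and bge1, and bridge4 as an active root bridge.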