Date: Sat, 19 Feb 2011 12:32:12 -0500
From: Tom Judge <tom@tomjudge.com>
To: kevin <k@kevinkevin.com>
Cc: freebsd-net@freebsd.org, 'Nikos Vassiliadis' <nvass@gmx.com>
Subject: Re: Bridging + VLANS + RSTP / MSTP
Message-ID: <4D5FFE9C.30005@tomjudge.com>
In-Reply-To: <00a501cbd04f$2276b5b0$67642110$@com>
References: <000c01cbcf94$35e76e20$a1b64a60$@com> <4D5FAC16.7080207@gmx.com> <00a201cbd03f$2bdc3540$83949fc0$@com> <4D5FD91F.20704@gmx.com> <4D5FDCF1.6050909@gmx.com> <00a501cbd04f$2276b5b0$67642110$@com>
On 19/02/2011 11:07, kevin wrote:
>> No, you have to specify stp there. The default STP mode is RSTP.
>> If you don't specify stp, you'll get a dumb ethernet bridge.
> Thanks very much for clarification. This helps me immensely. My room for
> testing is limited so this will help me take the right steps necessary.
>
> One quick last question: would you recommend pfsync in this scenario,
> between bridges? I've been hearing a lot of issues with pfsync but I'm not
> sure what behavior to expect in a bridging scenario such as this one.
>

This setup with pfsync will work OK as long as you have the STP set up correctly.

As to the STP: I can see an issue with this setup if you are using a single switch and 2 firewalls. You will have the following links:

<switch - port 1> - <firewall 1 - port 1>
<switch - port 2> - <firewall 1 - port 2>
<switch - port 3> - <firewall 2 - port 1>
<switch - port 4> - <firewall 2 - port 2>

In this setup it does not matter where the root bridge is; each of the firewalls will always have one port in discarding state, as both ports lead back to the same peer bridge, with states such as:

fw 1 - 1: forwarding
fw 2 - 1: forwarding
fw 1 - 2: discarding - backup
fw 2 - 2: discarding - backup

If you disable STP on the ports for the firewalls you will have virtual links:

<firewall 1 - port 1> - <firewall 2 - port 1>
<firewall 1 - port 2> - <firewall 2 - port 2>

This will create the following states (the same as above):

fw 1 - 1: forwarding
fw 2 - 1: forwarding
fw 1 - 2: discarding - backup
fw 2 - 2: discarding - backup

There is also the caveat: the switch will probably _not_ forward the STP BPDUs from one port to another. This is because if the switch is a properly compliant bridge it will not forward the frames, as they are marked as link-local Ethernet multicast frames, which a bridge is not allowed to forward per the Ethernet spec. If this is indeed the case you will make an instant forwarding loop in your network when you try to make it work.

You will need to introduce a 4th STP-speaking device to the configuration, with a topology such as this:

      < switch 1 >
        |      |
        |      |
      <fw1>-<fw 2>
        |      |
        |      |
      < switch 2 >

Where the link between switch 1 and 2 is a trunk with both the VLANs on it. This way you can set the root bridge to firewall 1, with firewall 2 as the second highest priority and the switches as equal 3rd priorities.

I would also recommend that FW 1 and 2 have opposite VLAN assignments on each switch; this way you can add a 3rd port to each firewall and link them together, and you will be able to survive a switch failure as well.
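Added example, not part of the thread and not FreeBSD's own tooling: a small POSIX sh audit that parses what `ifconfig bridge0` prints for an if_bridge(4) on FreeBSD, to catch the "dumb ethernet bridge" case Nikos warns about (members added without the stp keyword) and to list which member RSTP has put in the discarding state, the redundant port Tom predicts each firewall will have. The two ifconfig transcripts are constructed by hand for illustration; the interface names vlan10/vlan20, the MAC addresses and the 4096/8192 bridge priorities are assumptions. RSTP reports a discarding port's role as either alternate or backup depending on where the competing BPDU arrives from; both roles are discarding.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the member list that
# "ifconfig bridge0" prints on FreeBSD. The two samples below are constructed
# to resemble ifconfig output; interface names, MACs and priorities are
# assumptions, not values from anyone's system.

# Bridge built with "addm vlan10 addm vlan20" only: no STP on the members.
SAMPLE_DUMB='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:01:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vlan20 flags=143<LEARNING,DISCOVER>
                ifmaxaddr 0 port 5 priority 128 path cost 20000
        member: vlan10 flags=143<LEARNING,DISCOVER>
                ifmaxaddr 0 port 4 priority 128 path cost 20000'

# Firewall 2 (priority 8192) with "stp vlan10 stp vlan20", seeing firewall 1
# (priority 4096) as root: one port root/forwarding, the other discarding.
SAMPLE_RSTP='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:02:00
        id 02:00:00:00:02:00 priority 8192 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 02:00:00:00:01:00 priority 4096 ifcost 20000 port 4
        member: vlan20 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 20000
                proto rstp
                role alternate state discarding
        member: vlan10 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 20000
                proto rstp
                role root state forwarding'

# Read ifconfig output on stdin; print "<member> <stp|nostp> <role> <state>",
# one line per member, in the order ifconfig listed them.
bridge_members() {
    awk '
        function flush() { if (name != "") print name, stp, role, state }
        $1 == "member:" {
            flush()
            name = $2; stp = "nostp"; role = "-"; state = "-"
            # flags=1c7<LEARNING,DISCOVER,STP,...>: STP appears only when the
            # member was added with "stp <if>" (or had stp set afterwards)
            if ($3 ~ /[<,]STP[,>]/) stp = "stp"
        }
        $1 == "role" { role = $2; state = $4 }
        END { flush() }
    '
}

# Succeed only if every member runs STP. A member without it is a loop the
# moment a second path exists, which is the "dumb ethernet bridge" case.
bridge_stp_check() {
    bridge_members | awk '$2 == "nostp" { bad++ } END { exit (bad > 0) }'
}

# Members RSTP has put in the discarding state, with their role
# (alternate or backup): the redundant port each firewall ends up with.
bridge_discarding() {
    bridge_members | awk '$4 == "discarding" { print $1, $3 }'
}

# Root bridge as this bridge sees it: "<root mac> <root priority>".
# Compare with the id line of the bridge you intended to be root.
bridge_root() {
    awk '$1 == "root" && $2 == "id" { print $3, $5 }'
}

# Stand-alone demo on the constructed samples. On a real host use:
#   ifconfig bridge0 | bridge_stp_check
printf '%s\n' "$SAMPLE_DUMB" | bridge_stp_check || echo "dumb bridge: member(s) without STP"
printf '%s\n' "$SAMPLE_RSTP" | bridge_discarding
```

Run it on each firewall after building the bridge: `bridge_stp_check` must succeed on both, `bridge_root` must print the same id on both with the priority given to firewall 1, and `bridge_discarding` should name exactly one port on the non-root firewall. If it names none while two paths to the switch exist, the switch is eating the BPDUs and the loop Tom describes is already forming.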
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D5FFE9C.30005>