Bridging + VLANS + RSTP / MSTP
Tom Judge
tom at tomjudge.com
Sat Feb 19 17:51:14 UTC 2011
On 19/02/2011 11:07, kevin wrote:
>> No, you have to specify stp there. The default STP mode is RSTP.
>> If you don't specify stp, you'll get a dumb ethernet bridge.
> Thanks very much for clarification. This helps me immensely. My room for
> testing is limited so this will help me take the right steps necessary.
>
> One quick last question : would you recommend pfsync in this scenario,
> between bridges? I've been hearing a lot of issues with pfsync but I'm not
> sure what behavior to expect in a bridging scenario such as this one.
>
This setup with pfsync will work ok as long as you have the STP setup
correctly.
As to the STP.
I can see an issue with this setup if you are using a single switch and
2 firewalls.
You will have the following links:
<switch - port 1> - <firewall 1 - port 1>
<switch - port 2> - <firewall 1 - port 2>
<switch - port 3> - <firewall 2 - port 1>
<switch - port 4> - <firewall 2 - port 2>
In this setup it does not matter where the root bridge is, each of the
firewalls will always have one port in discarding state as both ports
lead back to the same peer bridge. With states such as:
fw 1 - 1: forwarding
fw 2 - 1: forwarding
fw 1 - 2: discarding - backup
fw 2 - 2: discarding - backup
If you disable STP on the ports for the firewalls you will have virtual
links:
<firewall 1 - port 1> - <firewall 2 - port 1>
<firewall 1 - port 2> - <firewall 2 - port 2>
This will create the following states (the same as above):
fw 1 - 1: forwarding
fw 2 - 1: forwarding
fw 1 - 2: discarding - backup
fw 2 - 2: discarding - backup
There is also a caveat: The switch will probably _not_ forward the
STP BPDUs from one port to another. This is because if the switch is a
properly compliant bridge it will not forward the frames, as they are
marked as a link-local ethernet multicast frame which is not allowed to
be forwarded by a bridge per the ethernet spec. If this is indeed the case
you will make an instant forwarding loop in your network when you try to
make it work.
You will need to introduce a 4th STP speaking device to the
configuration with a topology such as this:
< switch 1 >
| | |
| <fw1>-<fw 2>
| | |
< switch 2 >
Where the link between switch 1 and 2 is a trunk with both the vlans on
it. This way you can set the root bridge to firewall 1 and firewall 2
as the second highest priority and the switches equal 3rd priorities. I
would also recommend that FW 1 and 2 have opposite vlan assignments on
each switch, this way you can add a 3rd port to each firewall and link
them together, and you will be able to survive a switch failure as well.
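The root election and port-role assignment that the recommended topology relies on, as an added example that is not part of this thread or of FreeBSD's if_bridge code: a simplified 802.1D/RSTP role computation over the two-switch layout above (two firewall ports to the switches, a trunk between the switches, and the optional third port linking the firewalls). The bridge priorities (fw1 lowest, fw2 next, both switches equal third), the MAC addresses, the port numbers and the uniform path cost are all assumed values chosen to follow the recommendation; the second run removes one switch to check that the remaining tree still covers every bridge.

```python
"""Simplified 802.1D/RSTP port-role computation (added example).

Roles: 'root' (the port on a bridge's best path to the root bridge),
'designated' (the end of a link that forwards towards the root) and
'alternate' (the end that RSTP keeps discarding to break the loop).
All links are treated as point-to-point with the same cost.
"""
import heapq

LINK_COST = 20000  # 802.1D-2004 recommended cost for a 1 Gb/s link (assumed speed)

# Constructed topology: (bridge, port) <-> (bridge, port).  Port numbers are assumed.
TOPOLOGY = [
    (("sw1", 1), ("fw1", 1)),
    (("sw1", 2), ("fw2", 1)),
    (("sw2", 1), ("fw1", 2)),
    (("sw2", 2), ("fw2", 2)),
    (("sw1", 3), ("sw2", 3)),   # trunk between the switches carrying both VLANs
    (("fw1", 3), ("fw2", 3)),   # third port linking the two firewalls
]

# Bridge ID = (priority, MAC); the lowest ID wins the root election.
# Priorities follow the post (fw1 root, fw2 second, switches equal third); MACs are made up.
BRIDGE_IDS = {
    "fw1": (4096, "00:00:00:00:00:01"),
    "fw2": (8192, "00:00:00:00:00:02"),
    "sw1": (12288, "00:00:00:00:00:03"),
    "sw2": (12288, "00:00:00:00:00:04"),
}


def compute_roles(topology, bridge_ids):
    """Return {(bridge, port): role} for every port in the topology."""
    adj = {b: [] for b in bridge_ids}          # bridge -> [(own_port, peer, peer_port)]
    for (b1, p1), (b2, p2) in topology:
        adj[b1].append((p1, b2, p2))
        adj[b2].append((p2, b1, p1))

    root = min(bridge_ids, key=lambda b: bridge_ids[b])

    # Root path cost of every bridge: shortest path from the root (Dijkstra).
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        c, b = heapq.heappop(heap)
        if c > cost[b]:
            continue
        for _, peer, _ in adj[b]:
            if c + LINK_COST < cost.get(peer, float("inf")):
                cost[peer] = c + LINK_COST
                heapq.heappush(heap, (cost[peer], peer))

    roles = {}
    # Root port: lowest (cost via peer, peer bridge ID, peer port ID) on each non-root bridge.
    for b in bridge_ids:
        if b == root:
            continue
        port, _, _ = min(adj[b], key=lambda e: (cost[e[1]] + LINK_COST, bridge_ids[e[1]], e[2]))
        roles[(b, port)] = "root"

    # Designated port: the link end with the lowest (root path cost, bridge ID, port ID).
    # The root-port end of a link always has the higher cost, so roles never collide.
    for (b1, p1), (b2, p2) in topology:
        _, _, dp, db = min((cost[b1], bridge_ids[b1], p1, b1),
                           (cost[b2], bridge_ids[b2], p2, b2))
        roles[(db, dp)] = "designated"

    # Everything else stays discarding.
    for b in bridge_ids:
        for port, _, _ in adj[b]:
            roles.setdefault((b, port), "alternate")
    return roles


def forwarding_links(topology, roles):
    """Links on which both ends forward traffic."""
    return [link for link in topology if all(roles[end] != "alternate" for end in link)]


def is_loop_free_spanning_tree(topology, roles, bridge_ids):
    """True if the forwarding links connect every bridge without a loop."""
    links = forwarding_links(topology, roles)
    if len(links) != len(bridge_ids) - 1:        # a tree on N nodes has N-1 edges
        return False
    neighbours = {b: set() for b in bridge_ids}
    for (b1, _), (b2, _) in links:
        neighbours[b1].add(b2)
        neighbours[b2].add(b1)
    seen, stack = set(), [next(iter(bridge_ids))]
    while stack:
        b = stack.pop()
        if b not in seen:
            seen.add(b)
            stack.extend(neighbours[b] - seen)
    return seen == set(bridge_ids)


def without_bridge(topology, bridge_ids, name):
    """Simulate a failed switch/firewall by dropping it and its links."""
    topo = [l for l in topology if name not in (l[0][0], l[1][0])]
    ids = {b: i for b, i in bridge_ids.items() if b != name}
    return topo, ids


if __name__ == "__main__":
    for label, (topo, ids) in (("full", (TOPOLOGY, BRIDGE_IDS)),
                               ("sw1 failed", without_bridge(TOPOLOGY, BRIDGE_IDS, "sw1"))):
        roles = compute_roles(topo, ids)
        print(label, "loop-free:", is_loop_free_spanning_tree(topo, roles, ids))
        for port, role in sorted(roles.items()):
            print("  %s port %d: %s" % (port[0], port[1], role))
```

With these assumptions fw1 wins the election, so both of its switch-facing ports and its firewall-to-firewall port are designated, fw2 reaches the root over the direct link, and the switches block their fw2-facing ports plus one end of the trunk. Dropping sw1 leaves fw1, fw2 and sw2 connected through sw2 port 1 and the fw1-fw2 link, which is the switch-failure survival the post describes. Real RSTP also distinguishes backup from alternate ports on shared segments and adds the timers and proposal/agreement handshake; this example only computes the steady-state roles.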