PF Transparent Bridge Firewall + CARP

Tom Judge tom at tomjudge.com
Wed Dec 16 11:49:05 PST 2009



Kevin wrote:
> 
> My environment would be better described as the following :
> 
>        [router]
>           |
> [------switch 1 [vlan1]------]
>   |                |
> [FW1]--{pfsync}--[FW2]
>   |                |
> [------switch 1 [vlan2]------]
>           |
>       [clients] 
> 
> Also, I'm assuming em2 is a physical interface, which I probably will have
> to implement on fw2. Do you foresee problems doing this through VLANs instead
> of two switches?
> 

This poses some interesting questions:

1) Do you have 2 physical interfaces in each FW?

2) If the answer to 1 is yes, are your ports into vlan 1+2 access ports?

3) If you disable spanning tree on the ports, will the switch forward the
STP BPDUs ingressing on one port to another port on the switch (that has
STP disabled)?


If you end up with yes for 1-3 then you are OK with one switch; if any is no
then you will need to get a second switch.

You may be able to achieve the desired results with one switch if your
switch supports MSTP, but I have never tried it.  I assume that the port
would be detected as RSTP and the switch would convert the RSTP frame
into an MSTP frame with the appropriate VLAN bits toggled.

Tom

--
TJU13-ARIN
