Bridging + VLANS + RSTP / MSTP
Nikos Vassiliadis
nvass at gmx.com
Sat Feb 19 14:53:22 UTC 2011
On 2/19/2011 4:13 PM, kevin wrote:
>
>> Could you send your ifconfig bridge output from both firewalls?
>> If STP is turned off on the four switch ports that the firewalls are
>> patched, one of the two firewalls must be root of the spanning tree.
>
> I believe if you don't specify 'stp' in the rc.conf ifconfig statement,
> freebsd by default sets the bridge as 'rstp' :
Yes, that's correct.
>
> sdh-fw# ifconfig
> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> ether 06:c7:a9:50:41:17
> id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
> root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> member: bge1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
> ifmaxaddr 0 port 3 priority 128 path cost 55
> member: bge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
> ifmaxaddr 0 port 2 priority 128 path cost 55
>
There is no active STP there. The port should look like this:
<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
You should also see the bridge's ID and not 00:00:00:00:00:00:
> id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
You should also see the root bridge's ID of the STP domain:
> root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
A bridge will look like this:
bridge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether a2:ae:00:08:a7:ab
inet 10.16.0.2 netmask 0xff000000 broadcast 10.255.255.255
id 00:17:d6:a9:31:e7 priority 16384 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:12:cf:69:e9:ea priority 16384 ifcost 14183 port 4
member: epair14b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
ifmaxaddr 0 port 9 priority 128 path cost 14183 proto rstp
role designated state forwarding
member: epair13b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
ifmaxaddr 0 port 8 priority 128 path cost 14183 proto rstp
role designated state forwarding
member: epair10b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
ifmaxaddr 0 port 7 priority 128 path cost 14183 proto rstp
role alternate state discarding
...
And the root bridge will look like this:
bridge4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether ae:6e:5a:9d:9b:5c
inet 10.16.0.4 netmask 0xff000000 broadcast 10.255.255.255
id 00:12:cf:69:e9:ea priority 16384 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:12:cf:69:e9:ea priority 16384 ifcost 0 port 0
member: epair18b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
ifmaxaddr 0 port 9 priority 128 path cost 14183 proto rstp
role designated state forwarding
member: epair17b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
ifmaxaddr 0 port 8 priority 128 path cost 14183 proto rstp
role designated state forwarding
member: epair11a flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
ifmaxaddr 0 port 7 priority 128 path cost 14183 proto rstp
role designated state forwarding
...
>
>> Be sure that STP is *really* turned off on the switch, use tcpdump on the
>> physical ports for this.
>
> Should I just turn off STP for every port on the switch or just the ports
> connected to the bridge?
Just the ports connected to the bridging firewalls. Your topology looks
like this, correct?
http://img811.imageshack.us/i/bridgingfw.png/
The switch must act as a plain ethernet switch, no stp, no BPDU
filtering, no nothing.
The STP on the firewalls will handle the loop in the topology.
Be *sure* that STP is active on the firewalls and the two firewalls are
in a single STP domain (can talk STP to each other), otherwise an L2 loop
will do a DoS on your firewalls...
HTH, Nikos
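The three signs Nikos points at (a non-zero bridge id, a non-zero root id, and the STP flag on every member port) can be turned into a quick check script. This is an added example, not code from the thread or from FreeBSD; it parses `ifconfig bridgeN` output as FreeBSD 8.x prints it, with each `member:` line carrying its `flags=` on the same line (the mail client wrapped them above). The two embedded samples are constructed from the output quoted in the thread, with kevin's bridge0 as the "no STP" case and Nikos's bridge2 as the "STP active" case.

```shell
#!/bin/sh
# Added example (not from the original thread): decide from `ifconfig bridgeN`
# output whether (R)STP is actually running on a FreeBSD if_bridge(4).
# Assumption: real ifconfig layout, i.e. "member: ifN flags=...<...>" on one line.

# stp_active: reads ifconfig output on stdin, prints every reason it finds
# for saying "no", returns 0 when STP looks active and 1 otherwise.
stp_active() {
    out=$(cat)
    rc=0

    # Bridge id all zeros: the bridge never took on an STP identity.
    if printf '%s\n' "$out" | grep -q '^[[:space:]]*id 00:00:00:00:00:00 '; then
        echo "no: bridge id is 00:00:00:00:00:00"
        rc=1
    fi

    # Root id all zeros: no root bridge was elected or heard.
    if printf '%s\n' "$out" | grep -q '^[[:space:]]*root id 00:00:00:00:00:00 '; then
        echo "no: root id is 00:00:00:00:00:00"
        rc=1
    fi

    # Every member port must carry the STP flag inside its flags=<...> list.
    # `|| true` keeps `grep -c` from failing the command when the count is 0.
    members=$(printf '%s\n' "$out" | grep -c '^[[:space:]]*member:' || true)
    stp_members=$(printf '%s\n' "$out" | grep '^[[:space:]]*member:' \
                  | grep -c '[<,]STP[,>]' || true)
    if [ "$members" -eq 0 ]; then
        echo "no: bridge has no member ports"
        rc=1
    elif [ "$stp_members" -ne "$members" ]; then
        echo "no: only $stp_members of $members member ports carry the STP flag"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "yes: STP active on all $members member ports"
    return "$rc"
}

# Constructed sample, modelled on kevin's bridge0 above: STP never enabled.
NO_STP_SAMPLE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 06:c7:a9:50:41:17
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: bge1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 55
        member: bge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 55'

# Constructed sample, modelled on Nikos'"'"'s bridge2 above: RSTP running, not root.
STP_SAMPLE='bridge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether a2:ae:00:08:a7:ab
        id 00:17:d6:a9:31:e7 priority 16384 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:12:cf:69:e9:ea priority 16384 ifcost 14183 port 4
        member: epair14b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair13b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair10b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 14183 proto rstp
                role alternate state discarding'

# Usage: no arguments checks the two constructed samples; a bridge name
# (e.g. bridge0) checks the live interface on a FreeBSD box.
if [ $# -gt 0 ]; then
    ifconfig "$1" | stp_active
else
    printf '%s\n' "$NO_STP_SAMPLE" | stp_active || :
    printf '%s\n' "$STP_SAMPLE" | stp_active
fi
```

On kevin's output the script reports all three problems; the fix, per ifconfig(8), is to enable STP per member (`ifconfig bridge0 stp bge0 stp bge1`, or in rc.conf `ifconfig_bridge0="addm bge0 addm bge1 stp bge0 stp bge1 up"`), since `proto rstp` only selects the protocol and does not turn it on. For the switch-side check Nikos asks for, `tcpdump -eni bge0 stp` on each physical port shows whether any BPDUs (`stp` is the pcap filter keyword for 802.1d frames, destination 01:80:c2:00:00:00) are arriving from the switch; with STP truly off on those switch ports, the only BPDUs seen should be the other firewall's.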