Bridging + VLANS + RSTP / MSTP
Remko Lodder
remko at elvandar.org
Tue Feb 22 21:02:16 UTC 2011
On Feb 22, 2011, at 1:20 PM, kevin wrote:
>> There is also the caveat: the switch will probably _not_ forward the STP
>> BPDUs from one port to another.
>
> You were correct -- my initial testing confirmed this. Would the same issue
> arise if I employed a gateway IP on the /bridge/ instead, and used CARP as a
> failover mechanism? The firewall no longer becomes transparent pass
> through/firewall. I have not done carp with bridges and I'm not 100% certain
> the same STP forwarding problems wouldn't arise, even with an IP assigned.
>
> Such as :
>
> [switch 1 (vlan 1)]
>      |               |
> [fw1 gw1] -- CARP -- [fw2 gw1]
>      |               |
> [switch 1 (vlan 2)]
>
>
> Thanks,
>
> Kevin
>
>
CARP is a failover mechanism like HSRP and VRRP; I have difficulty seeing how
it works on a bridge. (Only the device in between talks CARP, it cannot broadcast
an IP on the bridge, because then it would become L3 instead of L2.)
You could of course use HSRP/VRRP-related things and have the gateway address(es)
move when a failure is detected. A lot of companies use those kinds of setups, but personally
I haven't seen one of them having multiple providers with different IP space to get to the internet.
What is the problem in setting up such a lab to test whether that works as you would want to?
(Why are they bridges in the first place and not active firewalls? It's not that strange to have an
active firewall between the evil internet and the internal network..)
--
/"\ Best regards, | remko at FreeBSD.org
\ / Remko Lodder |
X http://www.evilcoder.org/ | Quis custodiet ipsos custodes
/ \ ASCII Ribbon Campaign | Against HTML Mail and News