From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: Silver Salonen
Cc: freebsd-questions@freebsd.org
Date: Thu, 6 Dec 2007 15:01:34 +0200
Subject: Re: enabling if_bridge STP
Message-Id: <200712061501.35633.nvass@teledomenet.gr>
In-Reply-To: <200712061331.39016.silver.salonen@gmail.com>
References: <14188023.post@talk.nabble.com> <200712061321.48728.nvass@teledomenet.gr> <200712061331.39016.silver.salonen@gmail.com>
List-Id: User questions <freebsd-questions@freebsd.org>

On Thursday 06 December 2007 13:31:38 Silver Salonen wrote:
> On Thursday 06 December 2007 13:21, Nikos Vassiliadis wrote:
> > On Thursday 06 December 2007 12:20:18 Atrox wrote:
> > > Well, as I understand, in my case, STP should be enabled mainly on
> > > TAP-interfaces as it would eliminate the scenario where, for an
> > > example, ARP-requests from 192.168.1.1 for 192.168.3.1 reach
> > > 192.168.2.1. Have I understood it correctly?
> >
> > It sounds like you want to isolate the ethernets, not bridge them.
> > Bridging is not what you need, if I have understood correctly.
> >
> > You want to keep ARP and broadcasts to the relevant boxes, right?
> > You have to use VLANs on your switch to achieve this, not bridging.
>
> Actually the final target is to connect all the 3 LANs over VPN, so that
> they can browse each other's networks etc. When I did it, I could see
> duplicate packets looping through all bridges, so I thought I'd bring in
> STP. That's what it's for, right?

Not really. STP must be used/needed in a dynamic environment to eliminate
loops. Your environment doesn't seem dynamic to me.

You can create a loop-free topology like this:
http://users.teledomenet.gr/nvass/topology.png

1) 10.0.0.0/24 is the shared network.
2) bridge1 bridges eth0 and tap0 which is the VPN to the root-bridge.
3) bridge2 bridges eth0 and tap0 which is the VPN to the root-bridge.
4) root-bridge bridges eth0, tap0 and tap1.

If you want STP, which you shouldn't normally, using this topology,
increase root-bridge's priority manually, in order to win the elections
and be the root bridge.

Note that the external interfaces are not participating in the bridge.

HTH, Nikos
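The two points in Nikos's reply, that a hub-and-spoke VPN topology is loop-free by construction and that the root bridge can be forced by its priority, can be checked offline with a small model. The script below is an added example and is not part of the thread or of FreeBSD's if_bridge code; the bridge and interface names follow the topology in the mail (root-bridge, bridge1, bridge2, eth0/tap0/tap1), while the MAC addresses, segment names and priority values are constructed sample data. It models bridges and L2 segments as a bipartite graph and reports a loop exactly when the graph has a cycle (the condition that makes broadcasts and ARP replicate endlessly), then runs an STP root election. Note that the bridge ID compares as (priority, MAC) and the lowest value wins, so making root-bridge "win the elections" means giving it a lower numeric value via `ifconfig bridgeN priority <value>` than the default 32768.

```python
"""Loop check and STP root election for a bridged VPN topology.

Added example, not part of the original mailing-list thread. Bridge and
interface names follow the topology described in the mail; segment names,
MAC addresses and priority values are constructed sample data.
"""

# Each bridge lists the L2 segments its member interfaces attach to. A
# segment name is shared between two bridges only when they really meet on
# it: a tap VPN link is a point-to-point segment between its two endpoints.
LOOP_FREE = {
    "root-bridge": ["lan10", "vpn-root-b1", "vpn-root-b2"],  # eth0, tap0, tap1
    "bridge1":     ["lan1", "vpn-root-b1"],                   # eth0, tap0
    "bridge2":     ["lan2", "vpn-root-b2"],                   # eth0, tap0
}

# Same topology plus a third VPN directly between bridge1 and bridge2:
# the three VPN links now form a ring, which is the situation where
# "duplicate packets looping through all bridges" appear and STP is needed.
WITH_LOOP = {name: list(segs) for name, segs in LOOP_FREE.items()}
WITH_LOOP["bridge1"].append("vpn-b1-b2")
WITH_LOOP["bridge2"].append("vpn-b1-b2")


def find_loop(topology):
    """Return True if the bridged topology contains an L2 loop.

    Bridges and segments are nodes of a bipartite graph; an edge joins a
    bridge to every segment it is a member of. A loop exists iff the graph
    has a cycle, which union-find detects when an edge joins two nodes that
    are already in the same connected component.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for bridge, segments in topology.items():
        for seg in segments:
            a, b = find(("bridge", bridge)), find(("segment", seg))
            if a == b:
                return True
            parent[a] = b
    return False


def elect_root(bridges):
    """STP root election: the lowest bridge ID wins.

    bridges maps name -> (priority, mac). The bridge ID is the numeric
    priority followed by the MAC, compared as a tuple, so a *lower* priority
    value wins. On FreeBSD the value is set with `ifconfig bridgeN priority`.
    """
    return min(bridges, key=lambda name: bridges[name])


DEFAULT_PRIORITY = 32768  # if_bridge default bridge priority
MACS = {  # constructed sample MACs
    "root-bridge": "00:00:00:00:00:c0",
    "bridge1": "00:00:00:00:00:a1",
    "bridge2": "00:00:00:00:00:b2",
}


def election_with_default_priority():
    # Everyone at the default: the lowest MAC decides, which is bridge1 here.
    return elect_root({n: (DEFAULT_PRIORITY, m) for n, m in MACS.items()})


def election_with_root_preferred():
    # Lower numeric priority on root-bridge makes it win regardless of MAC.
    table = {n: (DEFAULT_PRIORITY, m) for n, m in MACS.items()}
    table["root-bridge"] = (4096, MACS["root-bridge"])
    return elect_root(table)


if __name__ == "__main__":
    print("loop-free topology has loop:", find_loop(LOOP_FREE))
    print("ring topology has loop:     ", find_loop(WITH_LOOP))
    print("root with default priority: ", election_with_default_priority())
    print("root with priority 4096:    ", election_with_root_preferred())
```

The graph model is deliberately independent of how the links are implemented (tap VPNs or physical Ethernet): any time a new link would close a cycle between segments already joined by bridges, `find_loop` flags it before the change is made, which is the check to run on a planned topology before deciding whether STP is needed at all.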