Date: Tue, 22 Feb 2011 22:02:10 +0100
From: Remko Lodder <remko@elvandar.org>
To: kevin <k@kevinkevin.com>
Cc: 'Tom Judge' <tom@tomjudge.com>, freebsd-net@freebsd.org, 'Nikos Vassiliadis' <nvass@gmx.com>
Subject: Re: Bridging + VLANS + RSTP / MSTP
Message-ID: <F0110948-19F3-4F90-AFB9-53AF91DC0F96@elvandar.org>
In-Reply-To: <003f01cbd28a$ea03d2b0$be0b7810$@com>
References: <000c01cbcf94$35e76e20$a1b64a60$@com> <4D5FAC16.7080207@gmx.com> <00a201cbd03f$2bdc3540$83949fc0$@com> <4D5FD91F.20704@gmx.com> <4D5FDCF1.6050909@gmx.com> <00a501cbd04f$2276b5b0$67642110$@com> <4D5FFE9C.30005@tomjudge.com> <003f01cbd28a$ea03d2b0$be0b7810$@com>
On Feb 22, 2011, at 1:20 PM, kevin wrote:

>> There is also the caveat: The switch will probably _not_ forward the STP
>> BPDUs from one port to another.
>
> You were correct -- my initial testing confirmed this. Would the same issue
> arise if I employed a gateway IP on the /bridge/ instead, and used CARP as a
> failover mechanism? The firewall no longer becomes a transparent pass
> through/firewall. I have not done CARP with bridges and I'm not 100% certain
> the same STP forwarding problems wouldn't arise, even with an IP assigned.
>
> Such as:
>
>      [switch 1 (vlan 1)]
>        |              |
>   [fw1 gw1] -- CARP -- [fw2 gw1]
>        |              |
>      [switch 1 (vlan 2)]
>
>
> Thanks,
>
> Kevin
>
>

CARP is a failover mechanism like HSRP and VRRP; I have difficulty understanding how it would work on a bridge. (Only the device in between talks CARP; it cannot broadcast an IP on the bridge, because then it would become L3 instead of L2.)

You could of course use HSRP/VRRP related things and have the gateway address(es) move when a failure is detected. A lot of companies use those kinds of setups, but personally I haven't seen one of them having multiple providers with different IP space to get to the internet.

What is the problem in setting up such a lab to test whether that works as you would want it to?

(Why are they bridges in the first place and not active firewalls? It's not that strange to have an active firewall between the evil internet and the internal network..)

-- 
/"\  Best regards,              | remko@FreeBSD.org
\ /  Remko Lodder               |
 X   http://www.evilcoder.org/  | Quis custodiet ipsos custodes
/ \  ASCII Ribbon Campaign      | Against HTML Mail and News