On 2/19/2011 4:13 PM, kevin wrote:
> Could you send your ifconfig bridge output from both firewalls?
> If STP is turned off on the four switch ports that the firewalls are
> patched, one of the two firewalls must be root of the spanning tree.
> I believe if you don't specify 'stp' in the rc.conf ifconfig statement,
> freebsd by default sets the bridge as 'rstp' :
Yes, that's correct.
> sdh-fw# ifconfig
> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         ether 06:c7:a9:50:41:17
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: bge1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>                 ifmaxaddr 0 port 3 priority 128 path cost 55
>         member: bge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>                 ifmaxaddr 0 port 2 priority 128 path cost 55
There is no active STP there. The port should look like this:
<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
You should also see the bridge's ID and not 00:00:00:00:00:00:
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
You should also see the root bridge's ID of the STP domain:
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
A bridge will look like this:
bridge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether a2:ae:00:08:a7:ab
        inet 10.16.0.2 netmask 0xff000000 broadcast 10.255.255.255
        id 00:17:d6:a9:31:e7 priority 16384 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:12:cf:69:e9:ea priority 16384 ifcost 14183 port 4
        member: epair14b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair13b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair10b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 14183 proto rstp
                role alternate state discarding
        ...
And the root bridge will look like this:
bridge4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ae:6e:5a:9d:9b:5c
        inet 10.16.0.4 netmask 0xff000000 broadcast 10.255.255.255
        id 00:12:cf:69:e9:ea priority 16384 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:12:cf:69:e9:ea priority 16384 ifcost 0 port 0
        member: epair18b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair17b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        member: epair11a flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 14183 proto rstp
                role designated state forwarding
        ...
Be sure that STP is *really* turned off on the switch, use tcpdump on the
physical ports for this.
> Should I just turn off STP for every port on the switch or just the ports
> connected to the bridge?
Just the ports connected to the bridging firewalls. Your topology looks
like this, correct?
http://img811.imageshack.us/i/bridgingfw.png/
The switch must act as a plain ethernet switch, no stp, no BPDU
filtering, no nothing.
The STP on the firewalls will handle the loop in the topology.
Be *sure* that STP is active on the firewalls and the two firewalls are
in a single STP domain (can talk STP to each other), otherwise a L2 loop
will do a DoS on your firewalls...
HTH, Nikos
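The checks Nikos lists above (STP flag on every member port, a non-zero bridge id, a non-zero root id) can be scripted against `ifconfig bridgeN` output. This is an added example, not code from the thread or from FreeBSD; the sample outputs are constructed from the bridge0 and bridge4 listings quoted above.

```shell
# Added example, not from the thread: inspect bridge(4) ifconfig output for
# active STP. Exit 0 = STP active, 1 = no active STP, 2 = not bridge output.
bridge_stp_check() {
    awk '
        /^[ \t]*id [0-9a-f:]+ priority/ { bid = $2 }          # bridge id line
        /^[ \t]*root id [0-9a-f:]+/     { rid = $3 }          # root id line
        /^[ \t]*member:/ { members++; if ($0 ~ /[<,]STP[,>]/) stp++ }
        END {
            if (bid == "") { print "no bridge id found: not bridge(4) output?"; exit 2 }
            zero = "00:00:00:00:00:00"
            printf "bridge id %s, root id %s, %d of %d member ports run STP\n", bid, rid, stp + 0, members + 0
            # All-zero ids or members without the STP flag mean STP is not running.
            if (bid == zero || rid == zero || stp + 0 < members + 0) {
                print "RESULT: no active STP on this bridge"; exit 1
            }
            if (bid == rid) print "RESULT: STP active, this bridge is the root"
            else            print "RESULT: STP active, root bridge is " rid
            exit 0
        }'
}

# Constructed sample: the bridge0 output quoted in the thread (no STP flag, zero ids).
sample_no_stp() {
cat <<'EOF'
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 06:c7:a9:50:41:17
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: bge1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 55
        member: bge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 55
EOF
}

# Constructed sample: the root bridge (bridge4) quoted in the thread, shortened.
sample_root_bridge() {
cat <<'EOF'
bridge4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        id 00:12:cf:69:e9:ea priority 16384 hellotime 2 fwddelay 15
        root id 00:12:cf:69:e9:ea priority 16384 ifcost 0 port 0
        member: epair18b flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 14183 proto rstp
                role designated state forwarding
EOF
}

# On a firewall you would run:  ifconfig bridge0 | bridge_stp_check
sample_no_stp      | bridge_stp_check || true
sample_root_bridge | bridge_stp_check
```

A firewall whose output yields exit status 1 is the situation described above: the bridge is configured with proto rstp but not actually participating, so a loop through the switch will not be blocked.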
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net