On Feb 22, 2011, at 1:20 PM, kevin wrote:

>> There is also the caveat: the switch will probably _not_ forward the STP
>> BPDUs from one port to another.
> 
> You were correct -- my initial testing confirmed this. Would the same issue
> arise if I employed a gateway IP on the /bridge/ instead, and used CARP as a
> failover mechanism? The firewall no longer becomes a transparent pass
> through/firewall. I have not done CARP with bridges and I'm not 100% certain
> the same STP forwarding problems wouldn't arise, even with an IP assigned.
> 
> Such as :
> 
> [switch 1 (vlan 1)]
>   |       |
> [fw1 gw1] -- CARP -- [fw2 gw1]
>   |       |
> [switch 1 (vlan 2)]
> 
> Thanks,
> 
> Kevin

CARP is a failover mechanism like HSRP and VRRP; I have difficulty understanding
how it would work on a bridge. (Only the device in between talks CARP; it cannot
announce an IP on the bridge, because then it would become L3 instead of L2.)

You could of course use HSRP/VRRP-style setups and have the gateway address(es)
move when a failure is detected. A lot of companies use that kind of setup, but
personally I haven't seen one of them having multiple providers with different
IP space to get to the internet.

What is the problem in setting up such a lab to test whether that works as you
would want it to? (Why are they bridges in the first place and not active
firewalls? It's not that strange to have an active firewall between the evil
internet and the internal network.)


-- 
/"\   Best regards,                        | re...@freebsd.org
\ /   Remko Lodder                      |
X    http://www.evilcoder.org/    | Quis custodiet ipsos custodes
/ \   ASCII Ribbon Campaign    | Against HTML Mail and News

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"