On Sun, 20 Nov 2005, Ramsey Tantawi wrote:

> I set up failover of two redundant bridging firewalls using the
> Spanning Tree Protocol options in bridge, and it worked great.
>
> However, when testing failover, it takes between 45 seconds to more
> than 3 minutes for traffic to start flowing again. The interfaces
> themselves change state in the expected timeframe, though. The entire
> network is unmanaged switches, and my guess is that the delay is due to
> waiting for all the ARP caches to clear. Does this sound reasonable?
Definitely the MAC (not ARP) caches of the bridges and the switches. STP
devices can help speed up transitions by timing out entries sooner when a
topology change is detected. I'm not sure if the OpenBSD bridge does that;
the unmanaged switches definitely don't. In this case you'd be better off
with hubs...

> To help, I set the bridge cache to flush every 20 seconds instead of
> the default 240. It seems to help somewhat. I'm concerned though--is
> this too frequent?

With a two port bridge it won't really hurt.

-- 
Cam
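To make the point of the reply concrete, here is an added example (not code from the thread or from OpenBSD) that simulates one learning switch's MAC table during a firewall failover; the port names and gateway MAC are constructed, and the dead path is assumed to stay silent so nothing relearns the entry.

```python
# Added example: how MAC-cache aging, not ARP, bounds the failover delay
# seen through switches that do not react to an STP topology change.
from dataclasses import dataclass, field

DEAD_PORT, LIVE_PORT = "to-fw-A", "to-fw-B"   # constructed port names
GW_MAC = "02:00:00:00:00:01"                  # constructed gateway MAC


@dataclass
class MacTable:
    """Source-learning MAC table of one bridge or unmanaged switch."""
    age_limit: float                              # idle seconds before expiry
    entries: dict = field(default_factory=dict)   # mac -> (port, last_seen)

    def learn(self, mac, port, now):
        self.entries[mac] = (port, now)

    def lookup(self, mac, now):
        """Port to forward to, or None (flood) if the entry is unknown/expired."""
        hit = self.entries.get(mac)
        if hit is None:
            return None
        port, seen = hit
        if now - seen > self.age_limit:
            del self.entries[mac]                 # aged out: back to flooding
            return None
        return port

    def topology_change(self):
        """What an STP-aware switch does on a topology change: flush entries."""
        self.entries.clear()


def failover_delay(age_limit, last_seen, failure_at, stp_aware=False, step=1.0):
    """Seconds after the failure until frames for GW_MAC stop going to the dead
    port. Assumes the dead path is silent, so only aging (or an STP flush) can
    clear the stale entry. Returns None if it never clears within age_limit+1."""
    table = MacTable(age_limit)
    table.learn(GW_MAC, DEAD_PORT, last_seen)     # learned via firewall A
    if stp_aware:
        table.topology_change()                   # failure triggers a flush
    now = failure_at
    while now - failure_at <= age_limit + 1:
        if table.lookup(GW_MAC, now) != DEAD_PORT:
            return now - failure_at
        now += step
    return None


if __name__ == "__main__":
    # Worst case: entry refreshed one second before firewall A dies at t=30.
    for limit in (240, 20):
        print(f"aging {limit}s: traffic black-holed for "
              f"{failover_delay(limit, 29, 30)}s")
    print(f"STP-aware switch: {failover_delay(240, 29, 30, stp_aware=True)}s")
```

With the default 240 s aging the stale entry can black-hole traffic for the full aging period, a 20 s cache bounds it at 20 s, and a switch that flushes on topology change recovers at once.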