OpenBSD Journal

[Ask OBSDJ] Spanning tree protocol support in 2.9

Contributed by webmaster on from the alt.uses.for.bridge dept.

Ryan writes : "I was reading http://www.openbsd.org/29.html, specifically the section that says "802.1d spanning tree support for bridge(4).". Theoretically that means that you could use two ipfilter/PF machines in bridging mode and have a redundant firewall setup (less the state tables). I could not find any man pages or documentation on this feature and I was wondering if anyone has used this feature to setup something like this. Not knowing much about the spanning tree protocol other than the fact that it will allow you to make redundant links without creating network loops, I wonder if it would be possable just to use the spanning tree protocol built into most managed switches? Does anyone have any advice/opinions on this?"

(Comments are closed)


Comments
  1. By Nouveaux () nouveaux@graendal.lightconsulting.com on mailto:nouveaux@graendal.lightconsulting.com

    yes, you can use the stp (spanning tree protocol) on the switches. basically, something in the two paths needs to be blocked to prevent the looop, whether it's blocked at the bsd bridges or blocked at the port of the switches. if you enable stp on your switches, the bsd bridges should forward the spanning tree protocol between the two switches and one of the ports will be blocked. dislaimer: never tried it myself but theoretically, it should work.

    -Nouveaux

  2. By Blake () blake at two one one two dot net on www.2112.net

    See the man page for brconfig(8) . The 'stp' argument enables spanning tree, and you can also diddile with various parameters such as hellotime, forwarding delay, priority, etc.

  3. By Marco Brigham () marco.brigham@oneweb.be on mailto:marco.brigham@oneweb.be

    Hi there,

    I'm currently working on a dual bridging-firewall setup using stp for redundancy. This will be implemented in an Belgian ISP.

    Basically, we have 2 identically configured transparent firewalls, each with two DLINK quad cards (dc driver). We've setup 2 spanning trees with 4 bridges in total on the firewall side. These bridges have different priorities so that one backs up the other for a certain path and that both firewalls are working at any given time.

    From what I've seen, it works as advertised...traffic switches from one bridge to the other under a minute. Once the primary bridge is up, traffic switches back. Great stuff...

    Thanks a lot OBSD developers team ; )

  4. By David () on

    Does OpenBSD have a way to setup a redundant NAT firewall, i.e. one not in bridging mode.

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]