Contributed by sean, from the hitting-your-gear-with-hammers dept.
Teguh Iskanto S. writes:
I was looking for a good reference website for redundant OBSD transparent firewall setups and came across this website (http://seattlecentral.edu/~dmartin/docs/bridge.html). Although the document states that it uses 3.6 for the setups, I think it's still quite relevant and applicable. I've also searched through undeadly for any similar posts on this topic and found nothing, so I was thinking it might be useful to post this topic to undeadly, as anyone might find it useful.
Note:
The article mentioned uses Cisco switches with STP as the failover mechanism, since CARP doesn't work with bridges. Also, using STP for failover is not very timely (30 seconds to a minute minimum), but it is definitely another approach to the problem.
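As an added example (not code from the linked article or from this thread), the 802.1D timer arithmetic behind the "30 seconds to a minute" figure, together with the constraints that bound how far the spanning tree timers can be lowered; the bridge and interface names are made up:

```python
"""Worst-case 802.1D STP failover arithmetic for a bridged firewall pair.

Added example for this thread, not code from the linked article or from
OpenBSD. Timer ranges and relationships follow IEEE 802.1D-1998; bridge and
interface names are made up.
"""

# IEEE 802.1D-1998 permitted ranges for each timer, in seconds.
TIMER_RANGES = {"hello": (1, 10), "maxage": (6, 40), "fwddelay": (4, 30)}


def check_stp_timers(hello, maxage, fwddelay):
    """Reject timer sets a conformant bridge refuses (you cannot set all three to 1)."""
    for name, value in (("hello", hello), ("maxage", maxage), ("fwddelay", fwddelay)):
        lo, hi = TIMER_RANGES[name]
        if not lo <= value <= hi:
            raise ValueError(f"{name} must be {lo}..{hi} s, got {value}")
    if maxage < 2 * (hello + 1):
        raise ValueError("maxage must be >= 2 * (hello + 1)")
    if maxage > 2 * (fwddelay - 1):
        raise ValueError("maxage must be <= 2 * (fwddelay - 1)")
    return True


def stp_failover_seconds(hello=2, maxage=20, fwddelay=15):
    """Seconds until the standby path forwards again, for the two failure kinds.

    direct:   the blocked port's own link drops; it still has to sit through
              Listening and Learning, one forward delay each.
    indirect: the failure is elsewhere, so the bridge first waits maxage for
              the root's BPDUs to age out, then goes through the same two stages.
    """
    check_stp_timers(hello, maxage, fwddelay)
    return {"direct": 2 * fwddelay, "indirect": maxage + 2 * fwddelay}


def openbsd_bridge_command(bridge, members, hello, maxage, fwddelay):
    """The ifconfig(8) line (brconfig(8) on 3.x) that sets the timers and enables STP."""
    check_stp_timers(hello, maxage, fwddelay)
    stp = " ".join(f"stp {m}" for m in members)
    return f"ifconfig {bridge} hellotime {hello} maxage {maxage} fwddelay {fwddelay} {stp}"


if __name__ == "__main__":
    for timers in ((2, 20, 15), (1, 6, 4)):  # the defaults, then the fastest legal set
        print(timers, stp_failover_seconds(*timers),
              openbsd_bridge_command("bridge0", ["em0", "em1"], *timers))
```

With the defaults the indirect case is 50 s, which is the upper end of the note's estimate; even the fastest legal timers still leave a 14 s gap, which is the delay RSTP is meant to remove.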
Comments
By Anonymous Coward (205.156.117.1)
"The article mentioned uses Cisco switches with STP as the fail over mechanism since CARP doesn't work with bridges."
Could you not have an IP-enabled third interface on each box with a tight pf ruleset (or maybe a crossover cable) to only allow it to communicate with the other bridge's third interface, and vice-versa?
By Jason L. Wright (134.20.35.80) jason@openbsd.org http://www.thought.net/jason
The timing on spanning tree -can- be adjusted on Cisco and OpenBSD. As I understand it, there's also support for fast spanning tree in FreeBSD. I don't know much about it... the author emailed me to ask about getting rid of clause 3 & 4 in my spanning tree implementation in OpenBSD. Someone want to port it?
By sthen (85.158.44.146)
> The timing on spanning tree -can- be adjusted on Cisco and OpenBSD. As I understand it, there's also support for fast spanning tree in FreeBSD.
here and here, other changes they made since importing bridge(4) include moving configuration across to ifconfig(8) and moving STP out to a separate source file. here is a simple patch to teach tcpdump(8) about RSTP, changes to bridge(4) are a little more...involved...
By Brad (216.138.195.228) brad at comstyle dot com
> here and here, other changes they made since importing bridge(4) include moving configuration across to ifconfig(8) and moving STP out to a separate source file.
Just like the separate source file OpenBSD has had for STP for almost 6 years now?
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/bridgestp.c
By sthen (85.158.44.146)
> here and here, other changes they made since importing bridge(4) include moving configuration across to ifconfig(8) and moving STP out to a separate source file.
>
> Just like the separate source file OpenBSD has had for STP for almost 6 years now?
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/bridgestp.c
ah sorry, yes. I misunderstood their commit message, they actually moved it to a separate kernel module. that's one of their smaller changes then.
By Anonymous Coward (87.79.237.121)
"Cisco switches with STP"
Doesn't bridge(4) do STP as well?
By Jason L. Wright (134.20.35.80) jason@openbsd.org http://www.thought.net/jason
> "Cisco switches with STP"
>
> Doesn't bridge(4) do STP as well?
Yup. Works fine.
By Pete (80.203.236.21)
> "Cisco switches with STP"
>
> Doesn't bridge(4) do STP as well?
yes, but not RSTP, which brings the failover delay down to a more reasonable period.
/Pete
By djm@ (206.59.235.113)
> yes, but not RSTP, which brings the failover delay down to a more
> reasonable period.
yeah, RSTP (802.1w) would be very nice to have. it has been on my todo list for years now...
By reyk@ (82.82.167.119)
> yes, but not RSTP, which brings the failover delay down to a more
> reasonable period.
>
> yeah, RSTP (802.1w) would be very nice to have. it has been on my todo list for years now...
it's mostly done
By reyk@ (82.83.63.114)
see http://marc.theaimsgroup.com/?l=openbsd-tech&m=116377683029589&w=2
By reyk@ (82.83.63.114)
RSTP will increase the transition time.