IIRC any IOS 12.2+ image defaults to MSTP, so that’s probably what you’re running. If you’ve got two VLANs from the same switch connected via a pair of transparent-mode firewalls, then you’re running MSTP – no other combination would work at all, or rather you’d be having a different set of problems.

I don’t actually know if what you’re describing is possible. It all depends on whether FreeBSD passes BPDUs transparently when in –stp mode or not. An alternative might be to switch back to non-PVSTP, i.e. regular single-instance RSTP, although if you have a complex L2 environment that will probably cause more problems than it solves.

Hmm… I’ve spent quite a bit of time thinking about this, and barring Cisco doing something special with MSTP – I’m not completely familiar with MST – I don’t think your topology will ever work properly. (One thought: use Cisco’s IOS Object Tracking feature to take the secondary interface down until the primary goes down.)

I’ve run into a similar problem on my own network with a different brand of firewall, but in my case I solved it by putting the firewalls into active/standby HA mode, and the standby pair doesn’t forward *any* traffic at all until it takes over… which is just as good as having STP disable a port from a loop-prevention standpoint. I don’t know if pfSense can be configured to do this.

On an unrelated note: why on earth would your network engineer pick two VLAN IDs that are so trivially easy to get backwards with a typo? I hope that merely means that 7 through 65 are used for something else… (although I have seen “666” used for the unprotected Internet zone <grin>)

-Adam Thompson
<mailto:[email protected]> [email protected]

From: [email protected] [mailto:[email protected]] On Behalf Of Austin G. Smith
Sent: Monday, September 12, 2011 13:41
To: pfSense support and discussion
Subject: [pfSense] FW: [pfSense Support] STP on Redundant Transparent Firewalls

Apologies, PBX has nothing to do with any of it, I meant to type pfsense... Trying to do too much at once ;)

I think we are using MSTP- I will have to 2x check w/ my network engineer. We are using a Cisco 6509, but not pvst I know for sure.

I will try to elaborate as much as possible- we have
vlan 6 - unprotected internet - external side of the transparent bridge
vlan 66 - protected internet - internal side of the transparent bridge

We have fw01 which is the primary pfsense instance, fw02 which is the secondary pfsense instance. Both fw01 and fw02 have a single uplink to 6 and 66. There is a 3rd NIC set up on a management network, which is where CARP is configured and replicating. The issue is that fw01 and fw02 are not aware of each other enough to work together and realize one of them needs to put an interface in blocking mode to prevent the loop.

Austin Smith, A+, NET+, SMBE, MCSA
Director of Information Technology
Digital Compass
(404) 410-2708 direct
(404) 410-2701 fax
949 W. Marietta Street, Suite x104
Atlanta, GA 30318
**For immediate assistance please contact our technical team at 888-640-2260**

_____
From: Adam Thompson [[email protected]]
Sent: Wednesday, September 07, 2011 12:34 PM
To: [email protected]
Subject: RE: [pfSense Support] STP on Redundant Transparent Firewalls

Then STP *is* working. :-)

I’m unclear on how you can have CARP functioning – or even what you’re attempting, actually – if the two pfSense boxes are covering different VLANs; can you provide more detail on your setup? Also, what flavour of STP are you using? STP? RSTP? MSTP? PVSTP? If you don’t know, just tell us what kind of switch(es) are involved. Lastly, what does your PBX have to do with any of this?

-Adam Thompson
<mailto:[email protected]> [email protected]

From: Austin G. Smith [mailto:[email protected]]
Sent: Tuesday, September 06, 2011 13:09
To: [email protected]
Subject: [pfSense Support] STP on Redundant Transparent Firewalls

Greetings-

We have 2 pfsense machines that are bridged on different vlans operating as a transparent firewall. These machines are set up for CARP replication to each other, which is verified functioning. However, for some reason, the STP is not quite functioning on the secondary PBX.

We have to keep one of the interfaces down, or we get in a loop situation. Has anyone experienced this behavior that can advise a work around? What are we missing here?

Thank you-

Austin Smith, A+, NET+, SMBE, MCSA
Director of Information Technology
Digital Compass
(404) 410-2708 direct
(404) 410-2701 fax
949 W. Marietta Street, Suite x104
Atlanta, GA 30318
**For immediate assistance please contact our technical team at 888-640-2260**
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
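As an added illustration (not part of the thread or of pfSense): a small Python model of single-instance STP port-role election run over the topology Austin describes, to show the "different set of problems" Adam mentions. With one STP instance the switch is a single bridge, each firewall sees the root on both of its ports and blocks one, so neither firewall forwards between VLAN 6 and VLAN 66 at all. Bridge priorities, MAC addresses, port numbers and the link cost are constructed assumptions.

```python
# Constructed model of the thread's topology (IDs, MACs and port numbers are
# assumptions): one Cisco switch, fw01 and fw02 each bridging VLAN 6 to VLAN 66.
BRIDGES = {  # bridge ID = (priority, MAC); the switch has the lowest, so it is root
    "sw": (4096, "00:00:00:00:00:01"),
    "fw01": (32768, "00:00:00:00:00:10"),
    "fw02": (32768, "00:00:00:00:00:20"),
}
LINK_COST = 20000  # RSTP default path cost for a 1 GbE port
# Segments as ((bridge, port), (bridge, port)); one STP instance cannot see VLANs.
LINKS = [
    (("sw", 1), ("fw01", 1)),  # fw01 VLAN 6 side
    (("sw", 2), ("fw01", 2)),  # fw01 VLAN 66 side
    (("sw", 3), ("fw02", 1)),  # fw02 VLAN 6 side
    (("sw", 4), ("fw02", 2)),  # fw02 VLAN 66 side
]


def port_roles(bridges, links, cost):
    """Return {(bridge, port): 'root' | 'designated' | 'alternate'}."""
    root = min(bridges, key=bridges.get)
    adj = {b: [] for b in bridges}  # bridge -> [(my port, neighbour, its port)]
    for (a, pa), (b, pb) in links:
        adj[a].append((pa, b, pb))
        adj[b].append((pb, a, pa))
    # Root path cost per bridge: relax link costs until stable (small graph).
    rpc, changed = {root: 0}, True
    while changed:
        changed = False
        for b in [x for x in bridges if x in rpc]:
            for _, nb, _ in adj[b]:
                if rpc[b] + cost < rpc.get(nb, float("inf")):
                    rpc[nb], changed = rpc[b] + cost, True
    roles = {}
    # Root port: lowest (cost via neighbour, neighbour bridge ID, neighbour port),
    # the STP priority-vector order. The root bridge itself has no root port.
    for b in bridges:
        if b != root:
            mp = min(adj[b], key=lambda n: (rpc[n[1]] + cost, bridges[n[1]], n[2]))[0]
            roles[(b, mp)] = "root"
    # Per segment, the end with the lower (root path cost, bridge ID, port ID) is
    # designated; the other end, unless it is a root port, is alternate (blocked).
    for seg in links:
        des = min(seg, key=lambda e: (rpc[e[0]], bridges[e[0]], e[1]))
        roles.setdefault(des, "designated")
        roles.setdefault(seg[1] if des == seg[0] else seg[0], "alternate")
    return roles


def blocked_ports(roles):
    """Ports STP puts in blocking; a two-port bridge with one is a dead bridge."""
    return sorted(p for p, r in roles.items() if r == "alternate")
```

Both firewalls end up with their VLAN 66 port blocked, which is why a per-VLAN or multi-instance flavour is needed for this design and why Adam suggests active/standby HA or object tracking instead.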
