Hi all,
I need to build a redundant FW layer; because of the present network
structure, the FWs have to be bridges. No option on this point .. :'(
My idea is to get redundancy using RSTP (Rapid Spanning Tree Protocol)
in the switches; so, the picture will be:
        SWITCH 1
         /    \
        /      \
       /        \
    FW1--pfsync--FW2
       \        /
        \      /
         \    /
        SWITCH2
           |
           |
       MY NETWORK
* Switch[1|2] and FW[1|2] have RSTP active.
* FW1 and FW2 use a dedicated Xover link (pfsync).
I set up a box attached to switch1 and another one attached to switch2 to
run my tests. And I get:
* if I don't use the FW-bridge (only a wire), the switches run RSTP
perfectly.
* if I use the FW-bridge, RSTP only works for a while (4-8
minutes). After this time, RSTP is dead and you get a wonderful and
terrific loop.
I've sniffed the traffic on both bridges' NICs with tcpdump(1) and it's
clear: while RSTP is working, all is fine. But suddenly the RSTP
packets don't appear any more and the evil loop comes. ??????
The traffic generated for these tests has been a simple ping and iperf
between boxes attached to switch1 and switch2 respectively.
I don't know any reason for that ugly behaviour. The fact is that the
switches work fine between themselves (they never suffer loops), but if you
put in the OpenBSD bridges you get the described failure. I only see three
options at this point:
* the bridge(4) RSTP implementation has a bug. I don't believe in this
option.
* the switches' RSTP implementation is bad. The switches are D-Link 3024.
* the bridge(4) configuration is bad.
--
Thanks,
Jordi Espasa Clofent
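An added example, not part of Jordi's post, for checking the symptom he describes (RSTP BPDUs stopping on the bridge ports): a POSIX sh/awk filter over tcpdump -tt output from a bridge member port, with a constructed capture embedded inline. The interface names em0 and bridge0 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Detects the symptom described
# above: RSTP BPDUs stop arriving on a bridge member port. Interface names
# em0 and bridge0 are assumptions for illustration.
#
# Live use on OpenBSD (run on each FW):
#   ifconfig bridge0 proto rstp              # select RSTP rather than classic STP
#   tcpdump -n -e -tt -i em0 'ether dst 01:80:c2:00:00:00' | bpdu_gaps
# 01:80:c2:00:00:00 is the IEEE 802.1D bridge-group address BPDUs are sent to.

HELLO_TIME=2      # 802.1w default hello time, in seconds
MAX_MISSED=3      # a port's spanning-tree information expires after 3 missed hellos

# Read "epoch-seconds ..." lines (tcpdump -tt format) on stdin and print one
# line "<prev> <now> <gap>" for every gap between consecutive BPDUs longer
# than HELLO_TIME*MAX_MISSED, i.e. long enough for a peer to age the port out.
# Exit status is 1 if any such gap was seen, 0 otherwise.
bpdu_gaps() {
    awk -v limit="$((HELLO_TIME * MAX_MISSED))" '
        { ts = $1 + 0 }
        NR > 1 && ts - prev > limit {
            printf "%.1f %.1f %.1f\n", prev, ts, ts - prev
            bad++
        }
        { prev = ts }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample capture (not real traffic): healthy 2 s hellos,
# then 16.5 s of silence, the kind of gap that precedes the loop.
SAMPLE_CAPTURE='1700000000.0 00:11:22:33:44:55 01:80:c2:00:00:00 stp
1700000002.0 00:11:22:33:44:55 01:80:c2:00:00:00 stp
1700000004.0 00:11:22:33:44:55 01:80:c2:00:00:00 stp
1700000020.5 00:11:22:33:44:55 01:80:c2:00:00:00 stp
1700000022.5 00:11:22:33:44:55 01:80:c2:00:00:00 stp'

# Run the filter over the constructed sample; prints the offending gap.
check_sample() {
    printf '%s\n' "$SAMPLE_CAPTURE" | bpdu_gaps
}
```

In live use, a non-zero exit from bpdu_gaps right before the loop starts confirms the BPDUs really stopped on that port rather than merely being dropped by the switch.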