Re: Help with bridging firewall failover w/ CARP, OpenBSD 3.7
From: Ramsey Tantawi (oscillations@gmail.com)
Date: Sat Nov 19 2005 - 11:35:44 CST
On 11/19/05, Camiel Dobbelaar <cd@sentia.nl> wrote:
>
> On Sat, 19 Nov 2005, Ramsey Tantawi wrote:
> > > For a redundant bridge setup you need spanning tree. See "stp" in the
> > > brconfig(8) manpage.
> >
> > I'm using unmanaged switches that don't support STP, so for now I'm out of luck.
>
> No, that's ok. You don't have to run STP on every device, only on the
> ones that might otherwise be able to create a loop.
Ah, I think I get it now.
For simple failover to a backup firewall, I would have these
bridgename.bridge0 configurations:
Master:
add fxp0
add rl0
stp fxp0
stp rl0
maxage 5
hellotime 2
priority 100
ifcost fxp0 100
ifcost rl0 55
up
Backup:
add fxp0
add rl0
stp fxp0
stp rl0
maxage 5
hellotime 2
priority 50000
ifcost fxp0 100
ifcost rl0 55
This would do the following:
--Enable Spanning Tree Protocol on both interfaces, and set interface
cost so rl0 will be the root port on the non-root bridge (the backup).
Thus master and backup will communicate on rl0. In normal operation
fxp0 would be blocked due to its higher cost.
--Set priority of the primary lower so it will be the root bridge.
All interfaces can remain at default priority.
--Set maxage to 5 meaning that the maximum time failover will take is
5 seconds. Explicitly set hellotime to 2 for clarity.
Any errors in the above?
Thanks much,
Ramsey
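The following is an added example, not code from the post or from OpenBSD. It works through the 802.1D election that the two bridgename.bridge0 files above set up: it parses the keywords the post uses, elects the root bridge from (priority, MAC), assigns port roles on the non-root bridge by path cost, and checks the timer values against the 802.1D constraints. The bridge MAC addresses are constructed tie-breakers, the topology is assumed to be the post's (all fxp0 ports on one unmanaged switch, all rl0 ports on another, so the bridges are one hop apart), and the forward delay, which the post does not set, is assumed to be the 802.1D default of 15 seconds. Two things it makes visible that the prose alone does not: 802.1D requires maxage >= 2*(hellotime+1), so maxage 5 with hellotime 2 is below the minimum the standard allows, and a blocked port only starts forwarding after maxage plus two forward-delay periods (listening and learning), not after maxage alone.

```python
"""Toy 802.1D (classic STP) election for the two-bridge failover in the post.

Added example, not part of the original post. Two bridges with ports fxp0
and rl0; all fxp0 ports hang off one unmanaged switch and all rl0 ports off
another, so each bridge is directly attached to the other. Bridge MAC
addresses are constructed and serve only as the 802.1D tie-breaker.
"""
from dataclasses import dataclass, field

# Configs transcribed from the post in bridgename.bridge0 syntax (master
# first); as far as the election is concerned the backup differs only in
# its bridge priority.
MASTER_CONF = """add fxp0
add rl0
stp fxp0
stp rl0
maxage 5
hellotime 2
priority 100
ifcost fxp0 100
ifcost rl0 55
up
"""
BACKUP_CONF = MASTER_CONF.replace("priority 100", "priority 50000")


@dataclass
class Bridge:
    name: str
    mac: str                              # constructed tie-breaker
    priority: int = 32768                 # 802.1D default bridge priority
    maxage: int = 20                      # 802.1D default timers
    hellotime: int = 2
    fwddelay: int = 15                    # not set in the post; assumed default
    stp_ports: set = field(default_factory=set)
    ifcost: dict = field(default_factory=dict)

    def bridge_id(self):
        # Lower (priority, MAC) wins the root election.
        return (self.priority, self.mac)


def parse_bridgename(text, name, mac):
    """Parse the subset of bridgename.bridge0 keywords used in the post."""
    b = Bridge(name, mac)
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "stp":
            b.stp_ports.add(args[0])
        elif cmd == "ifcost":
            b.ifcost[args[0]] = int(args[1])
        elif cmd in ("priority", "maxage", "hellotime", "fwddelay"):
            setattr(b, cmd, int(args[0]))
        # "add" and "up" do not affect the election and are ignored here.
    return b


def elect_root(bridges):
    return min(bridges, key=Bridge.bridge_id)


def port_roles(bridges):
    """Return {bridge name: {port: "designated" | "root" | "blocked"}}."""
    root = elect_root(bridges)
    roles = {}
    for b in bridges:
        roles[b.name] = {}
        if b is root:
            # Every port of the root bridge is designated and forwards.
            for p in b.stp_ports:
                roles[b.name][p] = "designated"
            continue
        # Root path cost through a port = cost advertised by the root (0,
        # since the root is directly attached) + this port's own ifcost.
        # The lowest becomes the root port.
        rp = min(b.stp_ports, key=lambda p: b.ifcost[p])
        for p in b.stp_ports:
            # On the other segment the root itself advertises cost 0, which
            # beats this bridge's best cost, so the root is designated there
            # and this port blocks to break the loop.
            roles[b.name][p] = "root" if p == rp else "blocked"
    return roles


def timer_violations(b):
    """802.1D constraints: maxage >= 2*(hellotime+1), 2*(fwddelay-1) >= maxage."""
    out = []
    if b.maxage < 2 * (b.hellotime + 1):
        out.append(f"maxage {b.maxage} < 2*(hellotime+1) = {2 * (b.hellotime + 1)}")
    if 2 * (b.fwddelay - 1) < b.maxage:
        out.append(f"2*(fwddelay-1) = {2 * (b.fwddelay - 1)} < maxage {b.maxage}")
    return out


def worst_case_failover(b):
    """Seconds until a blocked port forwards after the root's BPDUs stop:
    maxage to age out the stale root information, then listening and
    learning, each lasting fwddelay, before frames are forwarded."""
    return b.maxage + 2 * b.fwddelay


if __name__ == "__main__":
    master = parse_bridgename(MASTER_CONF, "master", "00:00:00:00:00:01")
    backup = parse_bridgename(BACKUP_CONF, "backup", "00:00:00:00:00:02")
    print("root:", elect_root([master, backup]).name)
    print("roles:", port_roles([master, backup]))
    print("timer problems:", timer_violations(master))
    print("worst-case failover (s):", worst_case_failover(master))
```

With the post's values the master wins the root election, the backup's rl0 becomes its root port and its fxp0 blocks, which matches the intent described above; the timer check flags maxage 5 against the 802.1D minimum of 6 for hellotime 2, and with the assumed forward delay the worst-case time before the blocked port carries traffic is 35 seconds rather than 5.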