Hi all,

I have to establish a highly redundant firewall cluster with OpenBSD, but I got
stuck with the config.
The config:

- 2 CORE0 routers ( Cisco 7xxx )
- 2 FW running OpenBSD 4.9
- 2 internal Cisco 3750g switches ( SW01&SW02 )

Please find attached the draft of the network infrastructure ( or just view it
here: http://img69.imageshack.us/img69/9414/monofwdraft.png )

On the external side of the FWs, I have 5 VLANs: 90-95 for separate data flows (
1 for public internet ).
On the internal side we have 4 VLANs: 40-44

The internal Ciscos are configured with RSTP and are connected to each other
directly with one VTP domain, SW01 being the master. The FW's ports are all
trunk ports with allowed VLANs 40-44.

What I can't establish: how to build the bridges with VLANs on top of them?

I've tried several ways; none of them worked well. In some scenarios it worked
partly: when I set hme2 as vlan40's vlandev, I could see the machines in VLAN
40, but when I disconnected hme2 - the traffic should switch to hme2 then -
the connection broke.

My latest try was this config ( just for vlan40 now ):

ifconfig hme2 up
ifconfig hme3 up
ifconfig vether0 create
ifconfig vlan40 create
ifconfig vlan40 vlandev vether0
ifconfig vlan40 inet 192.168.240.1 255.255.255.0
ifconfig vlan40 up
ifconfig vether0 up
ifconfig bridge1 create
ifconfig bridge1 add hme2
ifconfig bridge1 add hme3
ifconfig bridge1 add vether0
ifconfig bridge1 stp hme2
ifconfig bridge1 stp hme3
ifconfig bridge1 stp vether0
ifconfig bridge1 spanpriority 61400  # avoid being the root bridge
ifconfig bridge1 up

When I try to ping 192.168.240.251 ( a Linux host in VLAN 40 ) I see the packets
in vlan40 ( tcpdump -ni vlan40 ), but the packets don't get to vether0 :( ( I
see just the BPDU packets of the RSTP on vether0 ).

Any suggestions? How should I build the bridge with full VLAN redundancy and
RSTP?

Thanks,

               Tamas

[demime 1.01d removed an attachment of type image/png which had a name of 
MonoFW_draft.png]
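Whatever the final fix for the vether0 problem turns out to be, an ifconfig sequence typed at the shell is gone after the next reboot, and a redundant firewall that forgets one bridge leg on reboot is not redundant. The helper below is an added example, not code from the post or from OpenBSD: it turns a session like the one above into hostname.if(5) files and flags any bridge member that has no hostname file of its own (such a leg would never be brought up at boot). It assumes the hostname.if(5) conventions that `create` is implied for cloned interfaces (vlan, vether, bridge) once their file exists, that every remaining line is handed to ifconfig(8) as-is by netstart(8), and that `inet address netmask` is accepted in that form; SAMPLE_SESSION is a constructed copy of the commands in the post.

```python
"""Turn an ad-hoc ifconfig(8) session into OpenBSD hostname.if(5) files.

Added example, not code from the original post.  Assumptions: hostname.if(5)
lines are ifconfig(8) arguments with the interface name omitted, `create` is
implied for cloned interfaces because netstart(8) creates any interface that
has a hostname file, and a single trailing `up` is emitted per interface.
"""

# Constructed sample: the command sequence from the post, comment included.
SAMPLE_SESSION = """\
ifconfig hme2 up
ifconfig hme3 up
ifconfig vether0 create
ifconfig vlan40 create
ifconfig vlan40 vlandev vether0
ifconfig vlan40 inet 192.168.240.1 255.255.255.0
ifconfig vlan40 up
ifconfig vether0 up
ifconfig bridge1 create
ifconfig bridge1 add hme2
ifconfig bridge1 add hme3
ifconfig bridge1 add vether0
ifconfig bridge1 stp hme2
ifconfig bridge1 stp hme3
ifconfig bridge1 stp vether0
ifconfig bridge1 spanpriority 61400  # avoid being the root bridge
ifconfig bridge1 up
"""


def parse_session(text):
    """Group an ifconfig session by interface.

    Returns {iface: [argument string, ...]} in first-seen order.  Shell
    comments are dropped; anything that is not an ifconfig command is
    rejected rather than silently skipped.
    """
    ifaces = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "ifconfig" or len(parts) < 3:
            raise ValueError(f"not an ifconfig command: {raw!r}")
        ifaces.setdefault(parts[1], []).append(" ".join(parts[2:]))
    return ifaces


def hostname_files(text):
    """Return {"hostname.<if>": contents} for every interface in the session.

    `create` and `up` are dropped from the body: netstart(8) creates cloned
    interfaces that have a hostname file, and `up` is appended once at the
    end so the interface comes up only after all its options are applied.
    """
    files = {}
    for iface, arglists in parse_session(text).items():
        body = [args for args in arglists if args not in ("create", "up")]
        body.append("up")
        files[f"hostname.{iface}"] = "\n".join(body) + "\n"
    return files


def missing_bridge_members(files):
    """List (bridge, member) pairs whose member has no hostname file.

    A member without its own hostname file is never configured at boot, so
    the bridge would come up with that leg silently missing: exactly the
    kind of gap that defeats the redundancy the post is after.
    """
    missing = []
    for name, contents in files.items():
        if not name.startswith("hostname.bridge"):
            continue
        bridge = name[len("hostname."):]
        for line in contents.splitlines():
            words = line.split()
            if len(words) == 2 and words[0] == "add":
                if f"hostname.{words[1]}" not in files:
                    missing.append((bridge, words[1]))
    return missing


if __name__ == "__main__":
    generated = hostname_files(SAMPLE_SESSION)
    for name, contents in generated.items():
        print(f"--- /etc/{name}")
        print(contents, end="")
    print("missing members:", missing_bridge_members(generated))
```

The generated hostname.hme2 and hostname.hme3 contain only `up`, which is what a tagged trunk port without an address needs; hostname.bridge1 keeps the `spanpriority 61400` line (minus the shell comment) so the firewall still declines to become the RSTP root after a reboot. netstart(8) configures vlan interfaces after the plain ones and bridges last, so the files come up in a workable order. The helper only makes the configuration persistent; it does not change the forwarding behaviour the post describes.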
