From: Alex Samad
Date: Tue, 19 Jun 2007 23:03:25 +0000
Subject: Re: [LARTC] Linux bridging and cascaded switches
Message-Id: <20070619230325.GR24808@samad.com.au>
References: <925A849792280C4E80C5461017A4B8A210B8D8@mail733.InfraSupportEtc.com>
In-Reply-To: <925A849792280C4E80C5461017A4B8A210B8D8@mail733.InfraSupportEtc.com>
To: lartc@vger.kernel.org

On Tue, Jun 19, 2007 at 05:54:46PM -0500, Greg Scott wrote:
> Hi -
>
> Still plugging away at my Linux bridge/firewall and thinking through the
> consequences. In a normal firewall situation, the Internet is on one
> side, the internal LAN on the other. Duh! But now, with a Linux bridge
> in the middle, the whole thing becomes one big messy LAN. So we have a
> scenario that looks like this:
>
> Internal---User---Core-----Firewall---Internet---Internet router
> Servers    switch switch   (Bridged)  switch     (and default GW for
>                                                   internal servers)
>

Out of curiosity, why would you want to bridge at the firewall? Is this meant
to be a drop in-line firewall appliance?

> The scenario is a little more complex than I drew above because the
> internal side has more than one LAN segment participating in the bridge.
> I'm working on a way to simulate all this here - before going into
> production - but I have a big question:
>
> That firewall/bridge is no longer a router - it's a bridge. Well, a
> bridge that also does a bunch of stateful IP layer 3 filtering. So now,
> it will participate in a spanning tree setup with all those switches, on
> both sides of it - right? I'm guessing I want to turn off STP in this
> case. Am I on the right track?

If there is only 1 way to connect from the corporate (private LAN) to the
public (internet), then I don't think you will need STP - it was meant to stop
loops in ethernet segments. If you have multiple paths you might still need it.

>
> Thanks
>
> - Greg Scott
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
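The rule Alex gives above (STP only matters when there is more than one layer-2 path) can be checked mechanically before touching a production bridge. The following is an added example, not code from the thread: it models Greg's drawing as links between segments, and a constructed second internal segment that is both bridged by the firewall and patched into the core switch, which is an assumed topology used only to show a loop.

```python
# Added example (not from the thread): decide whether a transparent Linux
# bridge/firewall sits on a loop-free layer-2 path, the condition under
# which STP has nothing to block. All topologies below are constructed.
from typing import Iterable, List, Optional, Tuple

Link = Tuple[str, str]


def find_l2_loop(links: Iterable[Link]) -> Optional[Link]:
    """Return the first link that closes a layer-2 loop, or None.

    Union-find over segments: a link whose endpoints are already connected
    through earlier links adds a second path, i.e. a loop STP would block.
    """
    parent: dict = {}

    def root(node: str) -> str:
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    for a, b in links:
        ra, rb = root(a), root(b)
        if ra == rb:
            return (a, b)
        parent[ra] = rb
    return None


def stp_needed(links: Iterable[Link]) -> bool:
    """True iff some loop-prevention mechanism (STP) is required."""
    return find_l2_loop(list(links)) is not None


# Greg's drawing: a single chain from the internal servers to the router.
SINGLE_PATH: List[Link] = [
    ("internal-servers", "user-switch"),
    ("user-switch", "core-switch"),
    ("core-switch", "firewall-bridge"),
    ("firewall-bridge", "internet-switch"),
    ("internet-switch", "internet-router"),
]

# Constructed variant: a second internal segment is bridged by the firewall
# AND cabled to the core switch, giving two paths core-switch <-> bridge.
SECOND_SEGMENT: List[Link] = SINGLE_PATH + [
    ("core-switch", "lan-segment-2"),
    ("lan-segment-2", "firewall-bridge"),
]

if __name__ == "__main__":
    for name, topo in (("single path", SINGLE_PATH), ("2nd segment", SECOND_SEGMENT)):
        print(f"{name}: STP needed={stp_needed(topo)}, loop via {find_l2_loop(topo)}")
```

The link returned for the looping case is the one a switch would have to block, which is the same thing a disabled-STP bridge would instead forward forever.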