[Bridge] openBSD Bridge

Geoff Wiener gwiener at aenigmacorp.com
Wed Jul 9 03:25:38 PDT 2008

Dear List;


This is my first post to this list, I have tried to find the answer to
this question on my own but have not been able to get anything
definitive.  Please excuse me if this question has been asked before.
The main question is this.  "Is this bridge code the same as what is
implemented in openBSD?"  Can someone point me to some definitive
information about this?


I am involved in Layer 2 firewalls implementation project.  A precedent
exists in the customer organisation for the use of openBSD for this
purpose.  In the most recent implementation the design has a layer 2
loop built in for redundancy which is handled by Cisco PVST.  We
discovered that the bridging software in openBSD 4.3 does not pass Cisco


My research has lead me to the following:




The above link discusses how the bridge works and mentions that the
bridge itself can be configured as a STP bridge, but that it STP can
also be disabled.  Since openBSD bridges use RSTP (Rapid Spanning Tree)
not PVST as required by the customer we elected to disable RSTP on the


The next URL is to a message posted this list by user Cameron Schaus, On
Fri, 08 Dec 2006 18:24:07 -0500 which is responded Stephen Hemminger.




Cameron describes a scenario in detail which completely describes our
scenario at a very basic level.  In particular he asks of the behaviour
of the bridging has changed from 2.1.15 and 2.1.17 as he noticed that
BPDU's are no longer being passed.  Stephen replied, "The change was
intentional because the bridge follows the 802 spec and doesn't pass
link local multicast frames. If you are running STP on the network, you
need to run STP on the bridge."


Further investigation produced the following thread
On Mon Apr 23 16:56:14 PDT 2007, Stephen Hemminger comments that it is
more important to allow networking devices other than the bridging
software to manage the topology.   "I think if STP is disabled, the
bridge would be more stable if it just forwarded the spanning tree
packets.  The rationale is that if someone leaves STP off on one bridge,
but there are multiple paths from a bridge that is using spanning tree;
then the bridge that is doing STP will see and break the potentially
disastrous network loop.  Therefore, I suggest the following (probably
not until 2.6.22)", a code sample follows.


We confirmed this in the lab.  The first test consisted of a CentOS 5.1
host running the kernel.  This kernel behaved exactly like
openBSD and blocked PVST BPDUs.  Rather than re-compile a post 2.6.22
kernel for CentOS it was easier to install Ubuntu 8.04 (Hardy Heron) on
the same server and carry out the test again.  The Ubuntu kernel was
2.6.24-19-generic.  In this test the PVST BPDU's were passed correctly
through the Linux host allowing the switch to block one of the links.
The bridge behaved as per our design by allowing PVST BPDUs to pass.

Can someone comment on our findings?  Was a decision made initially to
prevent PVST BPDU's from passing and then a change made to allow it?  I
am not a developer and have not gone through the code.  The above
evidence, and our lab testing, tends to point to this.  I am seeking an
additional, authoritative verification.  Stephen if you are able to
spare a couple of minutes to comment on this we would be grateful for
your thoughts. 


Thank you for reading, many thanks and best regards - In any case we
love the open source bridge software and thank you all for your efforts.


Geoff Wiener

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.linux-foundation.org/pipermail/bridge/attachments/20080709/c66b064e/attachment.htm 

More information about the Bridge mailing list