[CentOS] Not firewall, but what?
Kahlil Hodgson
kahlil.hodgson at dealmax.com.au
Sat May 8 08:56:07 UTC 2010
- Previous message: [CentOS] Not firewall, but what?
- Next message: [CentOS] Not firewall, but what?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 05/08/2010 05:38 PM, Jussi Hirvi wrote:
> How can I turn stp on? In my /etc/xen/scripts/xen-network-common.sh
> there is a section:
>
>     # Don't create the bridge if it already exists.
>     if [ ! -e "/sys/class/net/${bridge}/bridge" ]; then
>         brctl addbr ${bridge}
>         brctl stp ${bridge} off
>         brctl setfd ${bridge} 0
>         sysctl -w "net.bridge.bridge-nf-call-arptables=0"
>         sysctl -w "net.bridge.bridge-nf-call-ip6tables=0"
>         sysctl -w "net.bridge.bridge-nf-call-iptables=0"
>         ip link set ${bridge} arp off
>         ip link set ${bridge} multicast off
>     fi
>
> Is it safe to turn stp "on" there (instead of "off")? (Requires xend
> restart at least, I suppose.) Or is there a better way to turn stp on
> permanently?

STP is safe to turn on, but there is a small startup and tiny
performance hit - that's why it's off by default. All the bridges on
your network have to establish relationships with each other, which can
take 10-15 seconds depending on your network. Also, it's not just the
bridges on that box that you have to worry about: any other bridges on
other boxes that are on the same network also need STP turned on. Your
old Fedora box may be a potential culprit.

I've never used Xen, so I can't give any firm advice.
That looks like the place where the bridge is created, so at a guess,
that's where you want to turn it on. Not too sure about turning ARP or
MULTICAST off though -- that might interfere with STP.

> The box has 2 physical if cards, and both of them are used for bridges
> (xenbr0 and xenbr1).

Yeah. Thinking you definitely need STP. You can turn it on temporarily
with

    brctl stp xenbr0 on
    brctl stp xenbr1 on

wait a few seconds and run

    brctl showstp xenbr0

to see what's going on, and also see if it fixes your problem.

Hope this helps
Kal
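
Added example, not part of the original message or of the Xen scripts: a small shell function that reports the STP state of every bridge on a box by reading the same /sys/class/net/<bridge>/bridge directory the Xen script tests for. The function names, the optional root argument and the sample tree are assumptions of this example; stp_state is the kernel's sysfs attribute (0 = off, 1 = kernel STP, 2 = userspace STP).

```shell
#!/bin/sh
# Audit the STP state of all Linux bridges via sysfs.
# The optional argument (sysfs net root) is an assumption of this example,
# so the function can be exercised against a constructed tree; on a live
# host call it with no argument to read /sys/class/net.

# stp_report [sysfs_net_root]
# Prints "<bridge> <state>" per bridge.
# Returns 1 if any bridge has STP off or an unreadable state, else 0.
stp_report() {
    root="${1:-/sys/class/net}"
    rc=0
    for dir in "$root"/*/bridge; do
        [ -d "$dir" ] || continue        # no bridges: glob stays literal
        name=$(basename "$(dirname "$dir")")
        state=$(cat "$dir/stp_state" 2>/dev/null)
        case "$state" in
            0) label="off"; rc=1 ;;      # what "brctl stp <br> off" sets
            1) label="kernel-stp" ;;     # what "brctl stp <br> on" sets
            2) label="user-stp" ;;       # STP handled by a userspace daemon
            *) label="unknown"; rc=1 ;;
        esac
        echo "$name $label"
    done
    return $rc
}

# Constructed sample tree (not taken from a real host): xenbr0 with STP
# off, xenbr1 with kernel STP on, eth0 as a plain non-bridge interface.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/xenbr0/bridge" "$t/xenbr1/bridge" "$t/eth0"
    echo 0 > "$t/xenbr0/bridge/stp_state"
    echo 1 > "$t/xenbr1/bridge/stp_state"
    echo "$t"
}
```

Running stp_report on each box that has bridges on the same network shows whether any of them still has STP off; a non-zero return makes it usable from a monitoring check.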