software bridge loops suck, too

I didn’t realize that I had two of my machines attached to openvpn from the same l2 segment. It caused a network outage for about 24 hours. Sorry for the downtime folks.

I believe that if I turn on stp for all nodes which have two legs in to the same l2, I can avoid this type of problem in the future. But I don’t think the broadcast network overhead for managing the spanning tree is worth it. Especially for vlans which span counties.

Wait, I think LD1 is in the same county as the vlan hub. How about “vlans which span legislative districts.”

Hello from LD40, Orcas3! Reporting from F5 HQ/LD36 in Seattle.

I use the following tools to manage my vlans and bridges:

vlan, bridge-utils and openvpn

I verify my tls certs with perl.

#!/usr/bin/perl -wT

use strict;

use Log::Log4perl;

Log::Log4perl->init('/etc/openvpn/log4perl.conf') or die "couldn't init logger: $!";

my $logger = Log::Log4perl->get_logger('tls-verify');

$logger->debug("verifying tls cert for config [$ENV{config}]");

my($network) = ($ENV{config} =~ m:^/etc/openvpn/(.*?).conf$:);

my($certificate_depth) = ($ARGV[0] =~ /^(\d+)$/);

my($locality,$organization,$org_unit,$common_name) =
  ($ARGV[1] =~ m{/C=US/ST=Washington/L=(.*?)/O=(.*?)/(?:OU=(.*?)/)?CN=(.*)$});

$logger->debug("X509_NAME_oneline: [$ARGV[1]");

my %network_cn =
   vl3  =>  [ '',
   vl12 =>  [ '',
   vl245 => [ '',

if( exists $network_cn{$network} ){
  exit 0 if $network_cn{$network}->[$certificate_depth] eq $common_name;
  $logger->error("common name: [$common_name], network: [$network], depth: [$certificate_depth]");
  $logger->error("network: [$network]");

exit 1;

2 responses to “software bridge loops suck, too”

Leave a Reply

%d bloggers like this: