 From:  "Anthony Brock" <Anthony underscore Brock at ous dot edu>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Pay for a new function?
 Date:  Thu, 30 Sep 2004 12:33:16 -0700
This is a significant issue with the older HP switches (2424M, 4000M, 8000M, etc.) when shipping
multiple VLANs down a single link. I don't know about their more modern equipment. However, you're
not likely to notice unless you're mixing vendors.

In my case, mixing the HP equipment with Cisco caused the Cisco STP protocol to go nuts (the STP
protocol would see the same packet on two separate VLANs (on the same interface) and then assume the
existence of a network loop). Also, the problem becomes more noticeable during high traffic loads
across multiple VLANs.

The worst part is that BOTH companies knew about the issue, but wouldn't discuss it as an option
until we presented them with proof. At that point, they admitted that there "might" have been
previously reported problems. *sigh*

Tony


>>> Jim Gifford <baadpuppy at gmail dot com> 09/29/04 04:45PM >>>
I've personally never experienced this problem.  What brands of
switches exhibit this broken behavior?

I've tested VLANs on some models of Cisco and on the summit and alpine
models of Extreme switches and never saw traffic I shouldn't have.

I would love to know which switches do this wrong so I don't make the
mistake of buying one.

Thanks,
jim

PS, if a VLAN "leaks", isn't that in violation of 802.1Q?


On Wed, 29 Sep 2004 22:19:29 +0200, Axel Eble <axel dot eble at gmail dot com> wrote:
> On Wed, 29 Sep 2004 15:08:49 -0400, Jim Gifford <baadpuppy at gmail dot com> wrote:
> > I think the general consensus is that separate ip subnets (broadcast
> > domains) should get separate ethernet collision domains.  Whether this
> > is done with multiple physical interfaces or by using VLANs is
> > immaterial.  Having this separation is more secure than not having it.
> 
> As long as you know the risks - maybe. I've seen too many switches
> pass packets across VLAN borders.
> 
> > That's just my opinion.
> >
> > I've been communicating with Dennis off-list about the problem he is
> > trying to solve and trying to come up with a different way of solving
> > it instead of using the "multinetting" solution.
> 
> Thanks - that's the spirit!
> 
> > jim
> 
> 
> 
> Axel
> 
> --

> VoIP: 8002887 at sipgate dot de * cell: +49.178.285-3265
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch 
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch 
> 
>
