[nsp] leaking vlans on a cat2950/cat6500-msfc2

Matt Stockdale mstockda at logicworks.net
Fri Sep 19 16:48:58 EDT 2003


Actually, as near as I can tell, vlan1 isn't involved.

Here's the setup. the msfc2 on the 6500 is one of our inbound gateways,
running BGP with our peers. It receives traffic for a network behind a
firewall, whose interface is on a class C (206.252.146.0/24) and vlan
(60) dedicated for router<->firewall communication. It says hey, look, I
have a static route for this netblock over a machine on vlan60, and I
also have a virtual interface on that vlan, so it sends the packets
there, over the vlan60 int. unicast, source MAC the msfc2, dest MAC the
hw address of the firewall's external interface. Yet, on other firewalls
on the network, connected to other 2950's (which are all trunked to a
switch w/ dot1q, but not always trunked to the 6500 in question), they
all see these packets. Bizarre. I think at least one of the 2950's is
under warranty, so I'm going to try and involve cisco.

Thanks,
  Matt

On Fri, 2003-09-19 at 10:29, Turpin Mark Contr AFCA/GCF wrote:
> > -----Original Message-----
> > From: Matt Stockdale [mailto:mstockda at logicworks.net]
> > Sent: Thursday, September 18, 2003 12:49 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [nsp] leaking vlans on a cat2950/cat6500-msfc2
> > 
> > 
> > 
> > suggestions?
> > 
> 
> Good ole leaky VLANs.
> 
> http://www.sans.org/resources/idfaq/vlan.php
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
> 
> "it was concluded that the traffic from VLAN 1 
> was allowed to hop to other VLANs because the
> trunk port was also set (implicitly) to native VLAN 1."
> 
> Why did the 2950(s) send it?  I'm guessing it wasn't unicast?
> 
> cheers,
> Mark
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
-- 
-----------------------
    Matt Stockdale
  Sr Network Engineer
mstockda at logicworks.net
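To settle Mark's question (was it really unicast?) from a capture rather than a guess, here is an added example that is not part of the thread: a small pure-Python libpcap reader that flags unicast frames the capturing host received although they were addressed to another station, and reports the 802.1Q tag when one is present (tags only show up when capturing on a trunk port). The MAC addresses and the embedded sample capture are constructed placeholders, not values from the original post.

```python
import struct

# Constructed placeholder MACs, not values from the original thread.
MSFC_MAC = "00:00:0c:00:00:01"       # sending router (MSFC2)
FIREWALL_MAC = "00:50:56:00:00:02"   # intended unicast receiver on vlan 60
MY_MAC = "00:50:56:00:00:99"         # the capturing host on another VLAN

def mac_bytes(s):
    return bytes(int(b, 16) for b in s.split(":"))

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def build_frame(dst, src, vlan=None):
    """Ethernet frame, optionally 802.1Q-tagged, with a dummy IPv4 payload."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return hdr + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 39

def build_pcap(frames):
    """Wrap raw frames in a minimal libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def iter_frames(pcap):
    """Yield raw frames from libpcap bytes (24-byte file header, 16-byte record headers)."""
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + caplen]
        off += caplen

def classify(frame):
    """Return dst/src MAC, 802.1Q VLAN id (None if untagged) and address kind."""
    dst, src, vlan = frame[:6], frame[6:12], None
    if struct.unpack_from("!H", frame, 12)[0] == 0x8100:
        vlan = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
    kind = "broadcast" if dst == b"\xff" * 6 else ("multicast" if dst[0] & 1 else "unicast")
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan, "kind": kind}

def find_leaked_unicast(pcap, my_mac):
    """Unicast frames the capturing host received although addressed to another station."""
    return [i for i in (classify(f) for f in iter_frames(pcap))
            if i["kind"] == "unicast" and i["dst"] != my_mac.lower()]

# Constructed sample capture: one leaked unicast (router -> firewall, vlan 60), a broadcast, one frame for us.
SAMPLE_PCAP = build_pcap([build_frame(FIREWALL_MAC, MSFC_MAC, vlan=60),
                          build_frame("ff:ff:ff:ff:ff:ff", MSFC_MAC), build_frame(MY_MAC, MSFC_MAC)])
```

On a real box, feed it a promiscuous-mode tcpdump capture taken on the "other" firewall's external interface; a non-empty result with the MSFC2 as source is the leak, and an empty result means the frames arriving there were broadcast or flooded to a different destination than assumed.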
