[c-nsp] Bridging 2 Vlans on a 2950 switch with a security appliance

Christian Zeng christian at zengl.net
Fri May 20 12:52:00 EDT 2005


* C. Jon Larsen <jlarsen at richweb.com> wrote:

>With a single upstream router and a downstream firewall/vpn gateway it 
>works well as I can plug the upstream device into the upstream port via 
>a crossover cable and the downstream device into the downstream port 
>via a crossover cable and it happily bridges away.

When traffic arrives in VLAN #1 and is headed to VLAN #2, the switch
floods the frame to all ports in VLAN #1, because MAC addresses from
VLAN #2 are not known in VLAN #1. If the IPS acts as a bridge, it will
forward the frame to VLAN #2 and vice versa. This scheme does not change
when you're using 2 switches with only one VLAN instead of one switch
with 2 VLANs.

To avoid flooding, adding static MAC entries could be helpful (pointing
the MAC addresses from the other VLAN to the IPS port).

>This is the message logged by the switch:
>
>May 18 21:51:55: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up
>May 18 21:51:57: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/10 VLAN2.

It seems that the two ports the IPS is connected to are not configured identically.
Try to set both ports as "switchport mode access".

If the IPS does not care about STP and you're sure that the switch will be
loop-free at any time, you should disable STP for both VLANs on the
switch. 

Best regards,

Christian
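A Catalyst 2950 configuration fragment putting the three suggestions above together, added here as an illustration and not taken from Christian's post. Port numbers other than Fa0/10, the VLAN layout and the MAC addresses are assumptions or placeholders.

```cisco
! Constructed example for a Catalyst 2950 (added illustration, not from the post).
! Assumptions: upstream router in VLAN 1, downstream firewall in VLAN 2,
! IPS bridge cabled to Fa0/9 (VLAN 1 side, assumed) and Fa0/10 (VLAN 2 side,
! the port named in the logged message). MAC addresses are placeholders.
!
vlan 2
 name downstream
!
interface FastEthernet0/9
 description IPS bridge - VLAN 1 side
 switchport mode access
 switchport access vlan 1
!
interface FastEthernet0/10
 description IPS bridge - VLAN 2 side
 switchport mode access
 switchport access vlan 2
!
! Static entries so frames for the other side are switched straight to the
! IPS port instead of being flooded to every port in the VLAN.
! 0000.0000.0001 = router MAC (placeholder), 0000.0000.0002 = firewall MAC
! (placeholder). This is the 12.1 "mac-address-table" spelling; newer IOS
! releases use "mac address-table static" with the same arguments.
mac-address-table static 0000.0000.0002 vlan 1 interface FastEthernet0/9
mac-address-table static 0000.0000.0001 vlan 2 interface FastEthernet0/10
!
! Only when the topology is guaranteed loop-free: stop STP on both VLANs so
! the 802.1Q BPDUs relayed by the IPS no longer trigger the SPANTREE message.
no spanning-tree vlan 1-2
!
! Checks: "show mac-address-table vlan 1" should list the firewall MAC on
! Fa0/9 as a static entry, and "show spanning-tree vlan 2" should report no
! spanning-tree instance for that VLAN.
```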
