[c-nsp] Bridging 2 VLANs on a 2950 switch with a security appliance

Arturo Servin aservin at remoteconfig.net
Sat May 21 04:55:12 EDT 2005


Christian Zeng wrote:

>* C. Jon Larsen <jlarsen at richweb.com> wrote:
>
>>With a single upstream router and a downstream firewall/vpn gateway it 
>>works well as I can plug the upstream device into the upstream port via 
>>a crossover cable and the downstream device into the downstream port 
>>via a crossover cable and it happily bridges away.
>
>When traffic arrives in VLAN #1 and headed to VLAN #2, the switch
>floods the frame to all ports in VLAN #1, because MAC addresses from
>VLAN #2 are not known in VLAN #1. If the IPS acts as a bridge, it will
>forward the frame to VLAN #2 and vice versa. This scheme does not change
>when you're using 2 switches with only one VLAN instead of one switch
>with 2 VLANs.
>
>To avoid flooding, adding static MAC entries could be helpful (pointing
>the MAC addresses from the other VLAN to the IPS port).
>
>>This is the message logged by the switch:
>>
>>May 18 21:51:55: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up
>>May 18 21:51:57: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/10 VLAN2.
>
>It seems that the two ports the IPS is connected to are not configured equally.
>Try to set both ports to "switchport mode access".
>
>If the IPS does not care about STP and you're sure that the switch will be
>loop-free at any time, you should disable STP for both VLANs on the
>switch. 
>
>Best regards,
>
>Christian
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
I think the problem is with STP and with a wrong deployment of the
Root Bridge in the topology.

-as

-- 

Remote Config, The Remote Configuration Company
http://www.remoteconfig.net
Global Service Offices
contact at remoteconfig.net
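The two remedies Christian suggests above (both IPS-facing ports as access ports, and static MAC entries pointing the other VLAN's hosts at the IPS port) as an added IOS configuration sketch for a 2950; this is not from the original thread, and the port numbers, VLAN numbers and MAC addresses are assumed placeholders.

```cisco
! Added example, not from the thread. Assumed: IPS inside port on Fa0/10
! (VLAN 1 side), IPS outside port on Fa0/11 (VLAN 2 side). MAC addresses
! below are constructed placeholders.
!
! Both IPS-facing ports configured identically as access ports, one per VLAN.
! A mismatch here (one side trunk, one side access) is what produces
! %SPANTREE-7-RECV_1Q_NON_TRUNK when a tagged BPDU arrives on the access port.
interface FastEthernet0/10
 description IPS - VLAN 1 side (upstream router)
 switchport mode access
 switchport access vlan 1
!
interface FastEthernet0/11
 description IPS - VLAN 2 side (downstream firewall/VPN gateway)
 switchport mode access
 switchport access vlan 2
!
! Static MAC entries so frames destined for the other VLAN's device are
! switched to the IPS port instead of flooded to every port in the VLAN.
! 0000.0000.0001 = upstream router, 0000.0000.0002 = downstream firewall
! (constructed placeholders). In VLAN 1 the firewall is reached through
! Fa0/10; in VLAN 2 the router is reached through Fa0/11.
mac-address-table static 0000.0000.0002 vlan 1 interface FastEthernet0/10
mac-address-table static 0000.0000.0001 vlan 2 interface FastEthernet0/11
!
! Only if the IPS ignores STP and the topology is guaranteed loop-free,
! as Christian notes; otherwise leave STP running on both VLANs:
! no spanning-tree vlan 1
! no spanning-tree vlan 2
!
! Verify with: show mac-address-table static
!              show spanning-tree vlan 1 / show spanning-tree vlan 2
```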

More information about the cisco-nsp mailing list