[c-nsp] Bridging 2 VLANs on a 2950 switch with a security appliance

Christian Zeng christian at zengl.net
Sat May 21 09:10:33 EDT 2005


* Arturo Servin <aservin at remoteconfig.net> wrote:

>    I think the problem is with STP and with a wrong deployment of the
>Root Bridge in the topology.

Hmm, not sure about the root bridge deployment part - correct me if I'm
wrong.

A single switch with 2 VLANs and PVST and no other STP-capable device
around should be the root bridge for each VLAN, shouldn't it?

If the IPS does not do any STP it would simply forward BPDUs from one
VLAN to the other, because PVST BPDU frame's destination address is
multicast, IIRC. So the switch sees an incoming BPDU at IPS switchport
in VLAN #2 coming from IPS switchport in VLAN #1 and vice versa.

I'm not sure what happens to the root status for both VLANs when such a
BPDU is received. Because of PVST I think that the switch detects the
misconfiguration - it receives a BPDU with information for VLAN #1 on
VLAN #2 and therefore puts the port in inconsistent state. This happens
in a distributed topology too, when non-root bridges receive wrong
BPDU frames from a neighbour (which can also be non-root).

As long as the IPS bridge does not care about STP, this problem remains
until forwarding of BPDUs through the IPS switchports is disabled. 

BPDU filter (not only guard) on both ports or disabling STP completely
should do the trick, simply because there seems to be no reason to have
STP running.

Best regards,

Christian


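The two fixes Christian proposes, written out as Catalyst IOS configuration. This is an added example and not part of the original thread; it assumes a 2950 with the IPS cabled inline between FastEthernet0/1 (VLAN 10) and FastEthernet0/2 (VLAN 20), and all interface names and VLAN numbers are placeholders. The "before" block is the plain access-port setup in which the switch sees its own BPDUs for one VLAN returning through the IPS on the other VLAN's port.

```cisco
! Added example (not from the original post). Assumed topology:
! IPS inline between Fa0/1 (VLAN 10) and Fa0/2 (VLAN 20); interface
! names and VLAN numbers are placeholders.
!
! --- Before: STP on both ports. The IPS relays BPDUs between the two
! VLANs, so VLAN 10 BPDUs arrive on the VLAN 20 port and vice versa.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
! --- Fix A: stop sending and receiving BPDUs on the two IPS ports only.
! STP keeps running on every other port of the switch.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree bpdufilter enable
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
 spanning-tree bpdufilter enable
!
! --- Fix B: turn STP off for the two VLANs entirely. Only acceptable
! when no other STP-capable device is attached to either VLAN.
no spanning-tree vlan 10
no spanning-tree vlan 20
!
! --- Verification (run after applying either fix)
show spanning-tree inconsistentports
show spanning-tree interface FastEthernet0/1 detail
show spanning-tree vlan 10
```

With either fix applied, `show spanning-tree inconsistentports` should no longer list the two IPS ports. Note the trade-off in fix A: a port with `bpdufilter enable` is blind to any BPDU, so if a real switch is ever patched into Fa0/1 or Fa0/2 later, a loop or a rogue root bridge on that port goes undetected. `spanning-tree bpduguard enable` (err-disable the port on any received BPDU) is the usual choice for ports where no switch should appear, but it does not help here, as Christian points out: the BPDUs are the 2950's own, relayed through the IPS, so guard would simply shut the IPS ports down.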