[c-nsp] Bridging 2 Vlans on a 2950 switch with a security appliance

Arturo Servin aservin at remoteconfig.net
Sat May 21 18:29:25 EDT 2005


Christian Zeng wrote:

>* Arturo Servin <aservin at remoteconfig.net> wrote:
>
>>   I think the problem is with STP and with a wrong deployment of the
>> Root Bridge in the topology.
>
>Hmm, not sure about the root bridge deployment part - correct me if I'm
>wrong.
>
>A single switch with 2 VLANs and PVST and no other STP-capable device
>around should be the root bridge for each VLAN, shouldn't it?
>
>If the IPS does not do any STP it would simply forward BPDUs from one
>VLAN to the other, because PVST BPDU frame's destination address is
>multicast, IIRC. So the switch sees an incoming BPDU at IPS switchport
>in VLAN #2 coming from IPS switchport in VLAN #1 and vice versa.
>
>I'm not sure what happens to the root status for both VLANs when such a
>BPDU is received. Because of PVST I think that the switch detects the
>misconfiguration - it receives a BPDU with information for VLAN #1 on
>VLAN #2 and therefore puts the port in inconsistent state. This happens
>in a distributed topology too, when non-root bridges receive wrong
>BPDU frames from a neighbour (which can also be non-root).
>
>As long as the IPS bridge does not care about STP, this problem remains
>until forwarding of BPDUs through the IPS switchports is disabled. 
>
>BPDU filter (not only guard) on both ports or disabling STP completely
>should do the trick, simply because there seems to be no reason to have
>STP running.
>
>Best regards,
>
>Christian
    I thought you had 2 switches.

-as

-- 

Remote Config, The Remote Configuration Company
http://www.remoteconfig.net
Global Service Offices
contact at remoteconfig.net
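Added example, not from either poster: the two remedies Christian describes, written out as Cisco IOS configuration for a Catalyst 2950, plus the show commands to confirm the ports are no longer flagged as inconsistent. The interface names (FastEthernet0/1 and 0/2) and which arm of the IPS sits in which VLAN are assumptions; the VLAN numbers 1 and 2 are the ones used in the thread.

```ios
! Added example, not from the thread. Assumed: the IPS's two arms are
! cabled to FastEthernet0/1 (VLAN 1) and FastEthernet0/2 (VLAN 2).
!
! Option 1: keep STP running on the switch, but stop BPDUs from crossing
! the IPS. bpdufilter drops BPDUs received on the port and stops sending
! them, so the VLAN 1 BPDU relayed through the IPS never arrives on the
! VLAN 2 port (and vice versa) and neither port is put in inconsistent state.
interface FastEthernet0/1
 description IPS arm in VLAN 1
 switchport mode access
 switchport access vlan 1
 spanning-tree bpdufilter enable
!
interface FastEthernet0/2
 description IPS arm in VLAN 2
 switchport mode access
 switchport access vlan 2
 spanning-tree bpdufilter enable
!
! Option 2: disable STP for the two VLANs entirely (global configuration).
no spanning-tree vlan 1-2
!
! Verification: the first command should list no ports; the second shows
! the per-port BPDU filter status.
show spanning-tree inconsistentports
show spanning-tree interface FastEthernet0/1 detail
```

Either option removes loop protection on the affected ports or VLANs, so it is only appropriate when, as in this thread, the IPS is the only device behind those ports and there is no other STP-capable switch in the topology.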
