If you take a network and divide it into two vlans the idea is you're
creating two distinct network spaces on one physical network. Logically
they are independent even though they use the same wires. By bridging
them together you join the two at layer2 effectively undoing all the
benefits gained by creating the vlans. You really want to connect the
vlans at layer3 (routing).
-Jeff
-----Original Message-----
From: bridge-bounces@lists.osdl.org
[mailto:bridge-bounces@lists.osdl.org] On Behalf Of Ryan McConigley
Sent: Friday, August 26, 2005 5:56 AM
To: bridge@lists.osdl.org
Subject: [Bridge] Question about VLANs, bridges and switches
I have a question about bridges, vlans and switches. We had
been using
a bridge to provide filtering between our student labs and the main
network. All the filtering does is check that a known IP matches a
known MAC address, this stops students plugging in laptops and stealing
an IP address. (And yes, we know about the MAC spoofing issues too)
The connection was nice and simple, basically:
[Main switch]-----<bridge firewall>-------[Lab Switch]
And it was working fine. Then of course, earlier this year, we
upgraded our network and the guy who did it created vlans so now we're
bridging from
Vlan_1 to Vlan_2 on seperate ports on the same switch.
That has apparently been working fine as well, but when one of
the uni network guys looked at it he freaked and started going on about
the problems of arp broadcasts and he was insisting we replace it
immediately, but of course, couldn't provide any suggestions as to how
to replace it. Since we're in a university and things appeared to be
working normally, I did what seemed natural... I ignored him. (Mainly
because it was the middle of semester and changing things then is bad)
Step forward a few months and here I am currently building two
replacement firewalls, so I thought I'd ask the list about problems with
bridging vlans on the same switch.
I'll admit, the switch sees the mac address on two ports with
each port being on different vlans, so there could be some issues there,
but also everything seems to be working fine. The two seem to
contradict each other or maybe we're just being lucky and not noticing
problems.
So, anyone have any suggestions? Is what we're doing
good/bad/suicidal? Or does anyone have any suggestions how it could be
done better? This new box I'm giving VLAN functionality and possibly
some routing too, still figuring out exactly how to put everything
together and what is needed.
Cheers,
Ryan.
--
Ryan McConigley - Systems Administrator _.-,
Computer Science University of Western Australia .--'
'-._
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089 _/`- _
'.
Ryan[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ryan
'----'._`.----. \
`
\;
"You're just jealous because the voices are talking to me"
;_\
Stephen Hemminger
2007-Apr-18 17:22 UTC
[Bridge] Question about VLANs, bridges and switches
On Fri, 26 Aug 2005 17:56:16 +0800 Ryan McConigley <ryan@csse.uwa.edu.au> wrote:> > I have a question about bridges, vlans and switches. We had been using > a bridge to provide filtering between our student labs and the main > network. All the filtering does is check that a known IP matches a known > MAC address, this stops students plugging in laptops and stealing an IP > address. (And yes, we know about the MAC spoofing issues too) The > connection was nice and simple, basically: > > [Main switch]-----<bridge firewall>-------[Lab > Switch] > > And it was working fine. Then of course, earlier this year, we upgraded > our network and the guy who did it created vlans so now we're bridging from > Vlan_1 to Vlan_2 on seperate ports on the same switch. > > That has apparently been working fine as well, but when one of the uni > network guys looked at it he freaked and started going on about the > problems of arp broadcasts and he was insisting we replace it immediately, > but of course, couldn't provide any suggestions as to how to replace > it. Since we're in a university and things appeared to be working > normally, I did what seemed natural... I ignored him. (Mainly because it > was the middle of semester and changing things then is bad) > > Step forward a few months and here I am currently building two replacement > firewalls, so I thought I'd ask the list about problems with bridging vlans > on the same switch.There are problems with some switches because they may not treat VLAN's as real separate networks. The switch is really a bridge, and if forwards broadcasts between VLAN's you will end up creating a loop in your network: [Switch] --->- VLAN1 ->- [ Bridge ] ---<- VLAN2 -<- And the broadcast will ping pong forever. Spanning Tree would help, but the Switch may or may not do STP, and the Bridge needs to have STP turned on.
I have a question about bridges, vlans and switches. We had been using
a bridge to provide filtering between our student labs and the main
network. All the filtering does is check that a known IP matches a known
MAC address, this stops students plugging in laptops and stealing an IP
address. (And yes, we know about the MAC spoofing issues too) The
connection was nice and simple, basically:
[Main switch]-----<bridge firewall>-------[Lab
Switch]
And it was working fine. Then of course, earlier this year, we upgraded
our network and the guy who did it created vlans so now we're bridging from
Vlan_1 to Vlan_2 on seperate ports on the same switch.
That has apparently been working fine as well, but when one of the uni
network guys looked at it he freaked and started going on about the
problems of arp broadcasts and he was insisting we replace it immediately,
but of course, couldn't provide any suggestions as to how to replace
it. Since we're in a university and things appeared to be working
normally, I did what seemed natural... I ignored him. (Mainly because it
was the middle of semester and changing things then is bad)
Step forward a few months and here I am currently building two replacement
firewalls, so I thought I'd ask the list about problems with bridging vlans
on the same switch.
I'll admit, the switch sees the mac address on two ports with each port
being on different vlans, so there could be some issues there, but also
everything seems to be working fine. The two seem to contradict each other
or maybe we're just being lucky and not noticing problems.
So, anyone have any suggestions? Is what we're doing
good/bad/suicidal? Or does anyone have any suggestions how it could be
done better? This new box I'm giving VLAN functionality and possibly some
routing too, still figuring out exactly how to put everything together and
what is needed.
Cheers,
Ryan.
--
Ryan McConigley - Systems Administrator _.-,
Computer Science University of Western Australia .--'
'-._
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089 _/`- _
'.
Ryan[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ryan
'----'._`.----. \
` \;
"You're just jealous because the voices are talking to me"
;_\