[Bridge] Question about VLANs, bridges and switches

Stephen Hemminger shemminger at osdl.org
Tue Aug 30 13:43:54 PDT 2005


On Fri, 26 Aug 2005 17:56:16 +0800
Ryan McConigley <ryan at csse.uwa.edu.au> wrote:

> 
> 	I have a question about bridges, vlans and switches.    We had been using 
> a bridge to provide filtering between our student labs and the main 
> network.  All the filtering does is check that a known IP matches a known 
> MAC address, this stops students plugging in laptops and stealing an IP 
> address.  (And yes, we know about the MAC spoofing issues too)  The 
> connection was nice and simple, basically:
> 
>         [Main switch]-----<bridge firewall>-------[Lab Switch]
> 
> 	And it was working fine.  Then of course, earlier this year, we upgraded 
> our network and the guy who did it created vlans so now we're bridging from 
> Vlan_1 to Vlan_2 on separate ports on the same switch.
> 
> 	That has apparently been working fine as well, but when one of the uni 
> network guys looked at it he freaked and started going on about the 
> problems of arp broadcasts and he was insisting we replace it immediately, 
> but of course, couldn't provide any suggestions as to how to replace 
> it.  Since we're in a university and things appeared to be working 
> normally, I did what seemed natural... I ignored him.  (Mainly because it 
> was the middle of semester and changing things then is bad)
> 
> 	Step forward a few months and here I am currently building two replacement 
> firewalls, so I thought I'd ask the list about problems with bridging vlans 
> on the same switch.

There are problems with some switches because they may not treat
VLANs as real separate networks. The switch is really a bridge,
and if it forwards broadcasts between VLANs you will end up creating
a loop in your network:

	[Switch]  --->- VLAN1 ->- [ Bridge ]
                  ---<- VLAN2 -<-

And the broadcast will ping pong forever. Spanning Tree would help,
but the Switch may or may not do STP, and the Bridge needs to have STP
turned on.
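The ping-pong above, as an added simulation that is not part of the list post: a constructed model of the two-VLAN switch and the two-port bridge, counting how often one broadcast crosses the bridge. Port numbering, the leak flag and the hop cap are assumptions of the model, not anything a real switch exposes.

```python
"""Model of the broadcast loop: switch with two VLANs, bridge joining them.

Added example, not code from the mailing list.  Nothing here touches a real
interface; it only counts how many times one broadcast frame crosses the
bridge before it dies out (or until an arbitrary hop cap is reached).
"""
from collections import deque

HOP_CAP = 1000  # simulation stop only; a real broadcast storm has no cap

# Assumed bridge port -> VLAN mapping (the two switch ports from the post).
BRIDGE_PORT_VLAN = {1: 1, 2: 2}
VLAN_BRIDGE_PORT = {v: p for p, v in BRIDGE_PORT_VLAN.items()}


def forward_broadcast(switch_leaks_between_vlans, bridge_port_blocked=None):
    """Count how many times one broadcast frame crosses the bridge.

    switch_leaks_between_vlans: True models a switch that floods a broadcast
        into every VLAN, i.e. does not treat VLANs as separate networks.
    bridge_port_blocked: None, 1 or 2.  A port STP has put into BLOCKING
        neither accepts nor emits frames.
    Returns the crossing count, capped at HOP_CAP when the frame loops.
    """
    # Work item: (VLAN the frame is on, bridge port that injected it into
    # the switch, or None for a frame sent by an ordinary host on VLAN 1).
    queue = deque([(1, None)])
    crossings = 0
    while queue:
        vlan, ingress_port = queue.popleft()
        # Which bridge ports hear the flood: normally only the one attached
        # to this VLAN; a leaky switch delivers it to both.
        if switch_leaks_between_vlans:
            hearing = set(BRIDGE_PORT_VLAN)
        else:
            hearing = {VLAN_BRIDGE_PORT[vlan]}
        # A switch never floods a frame back out the port it arrived on.
        hearing.discard(ingress_port)
        for in_port in sorted(hearing):
            out_port = 2 if in_port == 1 else 1
            if bridge_port_blocked in (in_port, out_port):
                continue  # STP blocking: the bridge drops the frame
            crossings += 1
            if crossings >= HOP_CAP:
                return crossings  # still looping; give up counting
            # The bridge re-injects the frame into the other VLAN.
            queue.append((BRIDGE_PORT_VLAN[out_port], out_port))
    return crossings


if __name__ == "__main__":
    print("VLANs kept separate, no STP:", forward_broadcast(False))
    print("switch leaks between VLANs, no STP:", forward_broadcast(True))
    print("switch leaks, STP blocks port 2:",
          forward_broadcast(True, bridge_port_blocked=2))
```

With VLANs honoured the broadcast crosses once and stops. With a switch that floods across VLANs it crosses until the cap, which is the storm described above. STP ends the storm by putting a port into blocking; in the model that is a bridge port, so the filtering bridge then forwards nothing at all, which is worth knowing before relying on STP rather than on a switch that actually keeps the VLANs apart. Which port real STP blocks depends on bridge priorities and is not modelled here.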



