RE: mac address filtering [7:72684]

2003-07-21 Thread David Vital
Well, you can set port security by blade (module) to make it easier,
but if you want to be able to move from one port to another that's gonna be
tough.  I don't know of any 3rd party software that manages that but I
wouldn't be surprised if it was out there.  An option you might want to
explore is setting up a MAC-access list.  The question really is how tight
you want security to be and what sort of trade-off you are willing to accept
for the convenience.  You can even set up the MAC-access list and associate
traffic for a VLAN and what to do with that traffic.  But you are getting
back to a granular management that might make it easier to just set the
security by port again.  Check out this page on Cisco's site.

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1214ea1/3550cr/cli1.htm#23702

Good luck.  Let us know how you work it out.

David


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72692t=72684
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: mac address filtering [7:72684]

2003-07-21 Thread Nakul Malik
use VMPS
-Nakul

Skarphedinsson Arni V.  wrote in message
news:[EMAIL PROTECTED]
 Hi

 I have some Catalyst 2950 and 3550 switches, that I need to control the
 MAC addresses of the machines that are allowed to connect to the switches,
 i.e. something similar to port security, but I don't want to configure it per
 port, but rather for a whole switch or VLAN, what would be the best way to
 accomplish this?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72698t=72684


RE: mac address filtering [7:72684]

2003-07-21 Thread David j
I know that the following is not MAC security based, but I think you are
looking for something like EAPOL Security. Here is a link
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a008007f395.html

Skarphedinsson Arni V. wrote:
 
 Hi
 
 I have some Catalyst 2950 and 3550 switches, that I need to
 control the MAC addresses of the machines that are allowed to
 connect to the switches, i.e. something similar to port
 security, but I don't want to configure it per port, but rather
 for a whole switch or VLAN, what would be the best way to
 accomplish this?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72714t=72684


RE: MAC address filtering [7:63463]

2003-02-21 Thread szarek john
Router(config)#access-list ?
  IP standard access list
  IP extended access list
  IPX SAP access list
  Extended 48-bit MAC address access list
  IPX summary address access list
  IP standard access list (expanded range)
  Protocol type-code access list
  IP extended access list (expanded range)
  DECnet access list
  XNS standard access list
  XNS extended access list
  Appletalk access list
  48-bit MAC address access list
  IPX standard access list
  IPX extended access list
  dynamic-extended  Extend the dynamic ACL abolute timer
  rate-limit        Simple rate-limit specific access list
Router(config)#access-list 700 deny 1234.1234.1234 ..00ff
Router(config)#access-list 700 permit .. ..
Router(config)#int fa0/0
Router(config-if)#access-expression input smac(700)


Therefore the deny mac is obviously denying that first MAC and then we're
permitting everything else.
Keep in mind that MACs are in hexadecimal and therefore the inverse mask
(ACL remember) is
..   which is kind of like going 255.255.255.255 (any) for an IP
access-list.

Don't fret about the access-expression.  That's the only way to apply
certain ACLs using
Boolean algebraic expression.  smac(700) being source-mac of using address
700.  You can also use dmac(700) being the destination.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63486t=63463
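
The first-match evaluation and inverse (wildcard) mask described in the post above, as an added Python example that is not part of the original post or of any Cisco code. The mask values are truncated in the archived message, so the masks 0000.0000.00ff and ffff.ffff.ffff used here are assumptions, and all function names are hypothetical.

```python
from typing import List, NamedTuple

FULL_MASK = (1 << 48) - 1  # all 48 bits of a MAC address


class AclEntry(NamedTuple):
    action: str    # "permit" or "deny"
    address: int   # 48-bit MAC address as an integer
    wildcard: int  # inverse mask: a 1 bit means "ignore this bit"


def mac_to_int(mac: str) -> int:
    """Parse dotted (1234.5678.9abc), colon or dash notation into an int."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def make_entry(action: str, address: str, wildcard: str) -> AclEntry:
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    return AclEntry(action, mac_to_int(address), mac_to_int(wildcard))


def entry_matches(entry: AclEntry, mac: int) -> bool:
    """Compare only the bits the wildcard does NOT mask out."""
    care = ~entry.wildcard & FULL_MASK
    return (mac & care) == (entry.address & care)


def addresses_covered(entry: AclEntry) -> int:
    """Each wildcard bit doubles the number of addresses an entry matches."""
    return 1 << bin(entry.wildcard).count("1")


def evaluate(acl: List[AclEntry], source_mac: str) -> str:
    """First matching entry wins; an access list ends with an implicit deny."""
    mac = mac_to_int(source_mac)
    for entry in acl:
        if entry_matches(entry, mac):
            return entry.action
    return "deny"


# Constructed list modelled on "access-list 700" in the post.
# Both masks are assumed values, because the archive truncated the originals.
ACL_700 = [
    make_entry("deny", "1234.1234.1234", "0000.0000.00ff"),
    make_entry("permit", "0000.0000.0000", "ffff.ffff.ffff"),
]

if __name__ == "__main__":
    # Constructed sample source addresses.
    for sample in ("1234.1234.1234", "1234.1234.12ab", "12:34:12:34:13:34"):
        print(sample, "->", evaluate(ACL_700, sample))
    print("deny entry covers", addresses_covered(ACL_700[0]), "addresses")
```

With the assumed mask the deny entry covers 256 addresses rather than a single host, which is worth checking before applying any entry that uses a non-zero mask.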



Re: MAC Address [7:62251]

2003-02-03 Thread s vermill
Larry Letterman wrote:
 
 In most cases you will only re-write the source mac address
 when traversing
 across a L3 device. 

I don't think that's so.  A host will have an ARP cache entry for its
gateway.  That would be the destination MAC.  The source MAC would be that
of the sending host itself.  Using its own ARP cache, the gateway would
re-write both the source and destination MAC if the destination was, in
fact, directly attached to (or reachable via) another Ethernet interface. 
If not, and the packet needed to cross some serial WAN link, both MACs would
simply be stripped off.  Every L3 device strips off source and dest. MAC at
ingress.  Whether or not a new source and dest. MAC is encapsulated around
the IP packet depends on whether or not the destination is reachable via
another Ethernet interface.

 If you go across a layer 2 network, all
 the mac address's
 would typically be part of the same broadcast domain and not
 need to be changed.
 
 If you go across a T1 or Frame it will still be mapped to or
 have an assigned IP Address
 that constitutes a layer 3 hop and write its mac address in
 the frame.
 
 However if I am wrong here, Priscilla or Howard or Chuck
 will let me know...:)
 
 Larry Letterman
 Network Engineer
 Cisco Systems
 
 
 - Original Message -
 From: Cisco Newbie 
 To: 
 Sent: Friday, January 31, 2003 11:42 AM
 Subject: RE: MAC Address [7:62251]
 
 
  First, thanks for all that responded.  One clarification
 that I need address
  is the following:
 
  If I cross a L3 router and the outgoing interface is
 something other than
  Ethernet, will the L2 frame show a new MAC address?  In
 other words, if my
  outgoing interface is say T1 PPP or even a dial-up, should
 I be seeing a new
  MAC address?
 
  Is it only when I cross a L3 device AND my outgoing
 interface is a share
  medium like Ethernet that a new MAC address will be placed
 on the frame?
 
  Thanks.
 
 
 
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62354t=62251



Re: MAC Address [7:62251]

2003-02-03 Thread Priscilla Oppenheimer
s vermill wrote:
 
 Larry Letterman wrote:
  
  In most cases you will only re-write the source mac address
  when traversing
  across a L3 device. 
 
 I don't think that's so.  

Did you misplace your comment? I think his first comment is correct, but
then a following one is strangely worded. See below.

 A host will have an ARP cache entry
 for its gateway.  That would be the destination MAC.  The
 source MAC would be that of the sending host itself.  Using its
 own ARP cache, the gateway would re-write both the source and
 destination MAC if the destination was, in fact, directly
 attached to (or reachable via) another Ethernet interface. 
 If
 not, and the packet needed to cross some serial WAN link, both
 MACs would simply be stripped off.  Every L3 device strips off
 source and dest. MAC at ingress.  Whether or not a new source
 and dest. MAC is encapsulated around the IP packet depends on
 whether or not the destination is reachable via another
 Ethernet interface.

Or Token Ring, FDDI, LocalTalk. :-)

 
  If you go across a layer 2 network, all
  the mac address's
  would typically be part of the same broadcast domain and not
  need to be changed.
  
  If you go across a T1 or Frame it will still be mapped to or
  have an assigned IP Address
  that constitutes a layer 3 hop and write its mac address in
  the frame.

Here's where he went astray. As I mentioned earlier, a serial interface
doesn't have a MAC address and the data-link-layer protocols used across
serial interfaces don't have MAC addresses in them.

The sentence isn't parsable, (sorry Larry!) but may indicate some additional
misunderstanding.  The fact that the next hop has a Layer 3 address isn't of
major significance when talking about forwarding traffic and the addresses
that end up in the forwarded packet. The IP addresses don't change
end-to-end. MAC addresses on LANs change, hop by hop. WANs don't have MAC
addresses.

Yes, routing protocols exchange next hop info using IP addresses. So, if
we're considering Ethernet, at some point the source router must have found
out the MAC address of the destination router using ARP. The router will put
its own MAC address in the source field and the destination (next hop)
router's MAC address in the destination field.

In the case of a T1 point-to-point link, a MAC address isn't necessary since
it's not a shared medium and there's no need to identify which station
should receive the frame. There is only one other station!

Now, Frame Relay is shared in the cloud. The DLCI would help the L2
switches in the cloud forward the frame correctly. Inverse ARP would help
the router map a L3 next hop address to a DLCI, if I understand it correctly.

Priscilla



  
  However if I am wrong here, Priscilla or Howard or Chuck
  will let me know...:)
  
  Larry Letterman
  Network Engineer
  Cisco Systems
  
  
  - Original Message -
  From: Cisco Newbie 
  To: 
  Sent: Friday, January 31, 2003 11:42 AM
  Subject: RE: MAC Address [7:62251]
  
  
   First, thanks for all that responded.  One clarification
  that I need address
   is the following:
  
   If I cross a L3 router and the outgoing interface is
  something other than
   Ethernet, will the L2 frame show a new MAC address?  In
  other words, if my
   outgoing interface is say T1 PPP or even a dial-up, should
  I be seeing a new
   MAC address?
  
   Is it only when I cross a L3 device AND my outgoing
  interface is a share
   medium like Ethernet that a new MAC address will be placed
  on the frame?
  
   Thanks.
  
  
  
  
  
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62368t=62251
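
The hop-by-hop behaviour discussed in this message (IP addresses unchanged end to end, MAC addresses rewritten on each LAN hop, no MAC addresses on the serial link), as an added Python simulation that is not part of the original thread. The topology, addresses and names are constructed for illustration; the last frame also shows why a MAC-based filter on the far LAN sees the router's address and not the original host's.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Layer 3 header fields relevant to the discussion."""
    src_ip: str
    dst_ip: str
    ttl: int = 64


@dataclass
class Hop:
    """One sending device and the link it transmits on."""
    sender: str
    medium: str              # "ethernet" (shared, uses MACs) or "ppp" (serial)
    out_mac: Optional[str]   # MAC of the egress interface, None on serial
    next_hop_ip: str         # gateway, next router, or the final host
    arp: Dict[str, str] = field(default_factory=dict)  # sender's ARP cache
    is_router: bool = True


@dataclass(frozen=True)
class Frame:
    """What a capture on that link would show."""
    sender: str
    medium: str
    src_mac: Optional[str]
    dst_mac: Optional[str]
    packet: Packet


def encapsulate(hop: Hop, packet: Packet) -> Frame:
    """Build a fresh layer 2 header for the egress link."""
    if hop.medium == "ethernet":
        try:
            dst_mac = hop.arp[hop.next_hop_ip]
        except KeyError:
            raise LookupError(
                f"{hop.sender} has no ARP entry for {hop.next_hop_ip}") from None
        return Frame(hop.sender, hop.medium, hop.out_mac, dst_mac, packet)
    if hop.medium == "ppp":
        # Point-to-point serial link: the header carries no MAC addresses.
        return Frame(hop.sender, hop.medium, None, None, packet)
    raise ValueError(f"unsupported medium: {hop.medium!r}")


def trace(hops: List[Hop], packet: Packet) -> List[Frame]:
    """Return the frame seen on each link along the path."""
    frames = []
    for hop in hops:
        if hop.is_router:
            # The ingress layer 2 header is already discarded; a router
            # also decrements the TTL before forwarding.
            if packet.ttl <= 1:
                raise RuntimeError(f"TTL expired at {hop.sender}")
            packet = replace(packet, ttl=packet.ttl - 1)
        frames.append(encapsulate(hop, packet))
    return frames


# Constructed topology: HostA -- LAN1 -- R1 == serial PPP == R2 -- LAN2 -- HostB
HOST_A, R1_E0 = "0200.0000.000a", "0200.0000.0101"
R2_E0, HOST_B = "0200.0000.0201", "0200.0000.000b"

PATH = [
    Hop("HostA", "ethernet", HOST_A, "10.1.1.1", {"10.1.1.1": R1_E0},
        is_router=False),
    Hop("R1", "ppp", None, "192.168.0.2"),
    Hop("R2", "ethernet", R2_E0, "10.2.2.20", {"10.2.2.20": HOST_B}),
]


def run_example() -> List[Frame]:
    return trace(PATH, Packet("10.1.1.10", "10.2.2.20"))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.sender:6} {f.medium:9} src={f.src_mac} dst={f.dst_mac} "
              f"ip {f.packet.src_ip} -> {f.packet.dst_ip} ttl={f.packet.ttl}")
```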



Re: MAC Address [7:62251]

2003-02-03 Thread s vermill
Priscilla Oppenheimer wrote:
 
 s vermill wrote:
  
  Larry Letterman wrote:
   
   In most cases you will only re-write the source mac address
   when traversing
   across a L3 device. 
  
  I don't think that's so.  
 
 Did you misplace your comment? 

No.  I disagree that a source MAC re-write would be all that takes place
when crossing a L3 device.  Host A, sending to an off-subnet Host B, would
use its own MAC as the source and the L3 device interface MAC as the
destination.  The L3 device strips both at ingress.  If, in fact, the
destination is on a directly attached shared medium, the source MAC is
re-written to that of the egress interface.  The destination MAC is whatever
the L3 device has in the ARP cache for Host B.  Both source and destination
MACs change when crossing a L3 device.  Doesn't it sound like Larry is
saying that the source MAC is all that changes and not the destination MAC? 
Or maybe I just took that wrong?

I think his first comment is
 correct, but then a following one is strangely worded. See below
 
  A host will have an ARP cache entry
  for its gateway.  That would be the destination MAC.  The
  source MAC would be that of the sending host itself.  Using
 its
  own ARP cache, the gateway would re-write both the source and
  destination MAC if the destination was, in fact, directly
  attached to (or reachable via) another Ethernet interface. 
  If
  not, and the packet needed to cross some serial WAN link, both
  MACs would simply be stripped off.  Every L3 device strips off
  source and dest. MAC at ingress.  Whether or not a new source
  and dest. MAC is encapsulated around the IP packet depends on
  whether or not the destination is reachable via another
  Ethernet interface.
 
 Or Token Ring, FDDI, LocalTalk. :-)
 
  
   If you go across a layer 2 network, all
   the mac address's
   would typically be part of the same broadcast domain and not
   need to be changed.
   
   If you go across a T1 or Frame it will still be mapped to or
   have an assigned IP Address
   that constitutes a layer 3 hop and write its mac address in
   the frame.
 
 Here's where he went astray. As I mentioned earlier, a serial
 interface doesn't have a MAC address and the data-link-layer
 protocols used across serial interfaces don't have MAC
 addresses in them.
 
 The sentence isn't parsable, (sorry Larry!) but may indicate
 some additional misunderstanding.  The fact that the next hop
 has a Layer 3 address isn't of major significance when talking
 about forwarding traffic and the addresses that end up in the
 forwarded packet. The IP addresses don't change end-to-end. MAC
 addresses on LANs change, hop by hop. WANs don't have MAC
 addresses.
 
 Yes, routing protocols exchange next hop info using IP
 addresses. So, if we're considering Ethernet, at some point the
 source router must have found out the MAC address of the
 destination router using ARP. The router will put its own MAC
 address in the source field and the destination (next hop)
 router's MAC address in the destination field.
 
 In the case of a T1 point-to-point link, a MAC address isn't
 necessary since it's not a shared medium and there's no need to
 identify which station should receive the frame. There is only
 one other station!
 
 Now, Frame Relay is shared in the cloud. The DLCI would help
 the L2 switches in the cloud forward the frame correctly.
 Inverse ARP would help the router map a L3 next hop address to
 a DLCI, if I understand it correctly.
 
 Priscilla
 
 
 
   
   However if I am wrong here, Priscilla or Howard or Chuck
   will let me know...:)
   
   Larry Letterman
   Network Engineer
   Cisco Systems
   
   
   - Original Message -
   From: Cisco Newbie 
   To: 
   Sent: Friday, January 31, 2003 11:42 AM
   Subject: RE: MAC Address [7:62251]
   
   
First, thanks for all that responded.  One clarification
   that I need address
is the following:
   
If I cross a L3 router and the outgoing interface is
   something other than
Ethernet, will the L2 frame show a new MAC address?  In
   other words, if my
outgoing interface is say T1 PPP or even a dial-up, should
   I be seeing a new
MAC address?
   
Is it only when I cross a L3 device AND my outgoing
   interface is a share
medium like Ethernet that a new MAC address will be placed
   on the frame?
   
Thanks.
   
   
   
   
   
  
  
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62372t=62251



Re: MAC Address [7:62251]

2003-02-03 Thread s vermill
s vermill wrote:
 
 Priscilla Oppenheimer wrote:
  
  s vermill wrote:
   
   Larry Letterman wrote:

In most cases you will only re-write the source mac
 address
when traversing
across a L3 device. 
   
   I don't think that's so.  
  
  Did you misplace your comment? 
 
 No.  I disagree that a source MAC re-write would be all that
 takes place when crossing a L3 device.  Host A, sending to an
 off-subnet Host B, would use its own MAC as the source and the
 L3 device interface MAC as the destination.  The L3 device
 strips both at ingress.  If, in fact, the destination is on a
 directly attached shared medium, the source MAC is re-writen to
 that of the egress interface.  The destination MAC is whatever
 the L3 device has in the ARP cache for Host B.  Both source and
 destination MACs change when crossing a L3 device.  Doesn't it
 sound like Larry is saying that the source MAC is all that
 changes and not the destination MAC?  Or maybe I just took that
 wrong?

I think that maybe Larry was saying that the only time it would be
*necessary* to change the source MAC is when traversing a L3 device.  He
isn't necessarily saying that only the source MAC would change when crossing
one.  Sorry Larry.  I think that was a mis-read on my part.

 
 I think his first comment is
  correct, but then a following one is strangely worded. See
 below
  
   A host will have an ARP cache entry
   for its gateway.  That would be the destination MAC.  The
   source MAC would be that of the sending host itself.  Using
  its
   own ARP cache, the gateway would re-write both the source
 and
   destination MAC if the destination was, in fact, directly
   attached to (or reachable via) another Ethernet interface. 
   If
   not, and the packet needed to cross some serial WAN link,
 both
   MACs would simply be stripped off.  Every L3 device strips
 off
   source and dest. MAC at ingress.  Whether or not a new
 source
   and dest. MAC is encapsulated around the IP packet depends
 on
   whether or not the destination is reachable via another
   Ethernet interface.
  
  Or Token Ring, FDDI, LocalTalk. :-)
  
   
If you go across a layer 2 network, all
the mac address's
would typically be part of the same broadcast domain and
 not
need to be changed.

If you go across a T1 or Frame it will still be mapped to
 or
have an assigned IP Address
that constitutes a layer 3 hop and write its mac address
 in
the frame.
  
  Here's where he went astray. As I mentioned earlier, a serial
  interface doesn't have a MAC address and the data-link-layer
  protocols used across serial interfaces don't have MAC
  addresses in them.
  
  The sentence isn't parsable, (sorry Larry!) but may indicate
  some additional misunderstanding.  The fact that the next hop
  has a Layer 3 address isn't of major significance when talking
  about forwarding traffic and the addresses that end up in the
  forwarded packet. The IP addresses don't change end-to-end.
 MAC
  addresses on LANs change, hop by hop. WANs don't have MAC
  addresses.
  
  Yes, routing protocols exchange next hop info using IP
  addresses. So, if we're considering Ethernet, at some point
 the
  source router must have found out the MAC address of the
  destination router using ARP. The router will put its own MAC
  address in the source field and the destination (next hop)
  router's MAC address in the destination field.
  
  In the case of a T1 point-to-point link, a MAC address isn't
  necessary since it's not a shared medium and there's no need
 to
  identify which station should receive the frame. There is only
  one other station!
  
  Now, Frame Relay is shared in the cloud. The DLCI would help
  the L2 switches in the cloud forward the frame correctly.
  Inverse ARP would help the router map a L3 next hop address to
  a DLCI, if I understand it correctly.
  
  Priscilla
  
  
  

However if I am wrong here, Priscilla or Howard or Chuck
will let me know...:)

Larry Letterman
Network Engineer
Cisco Systems


- Original Message -
From: Cisco Newbie 
To: 
Sent: Friday, January 31, 2003 11:42 AM
Subject: RE: MAC Address [7:62251]


 First, thanks for all that responded.  One clarification
that I need address
 is the following:

 If I cross a L3 router and the outgoing interface is
something other than
 Ethernet, will the L2 frame show a new MAC address?  In
other words, if my
 outgoing interface is say T1 PPP or even a dial-up,
 should
I be seeing a new
 MAC address?

 Is it only when I cross a L3 device AND my outgoing
interface is a share
 medium like Ethernet that a new MAC address will be
 placed
on the frame?

 Thanks.




Re: MAC Address [7:62251]

2003-02-03 Thread Priscilla Oppenheimer
s vermill wrote:
 
 s vermill wrote:
  
  Priscilla Oppenheimer wrote:
   
   s vermill wrote:

Larry Letterman wrote:
 
 In most cases you will only re-write the source mac
  address
 when traversing
 across a L3 device. 

I don't think that's so.  
   
   Did you misplace your comment? 
  
  No.  I disagree that a source MAC re-write would be all that
  takes place when crossing a L3 device.  Host A, sending to an
  off-subnet Host B, would use its own MAC as the source and the
  L3 device interface MAC as the destination.  The L3 device
  strips both at ingress.  If, in fact, the destination is on a
  directly attached shared medium, the source MAC is re-writen
 to
  that of the egress interface.  The destination MAC is whatever
  the L3 device has in the ARP cache for Host B.  Both source
 and
  destination MACs change when crossing a L3 device.  Doesn't it
  sound like Larry is saying that the source MAC is all that
  changes and not the destination MAC?  Or maybe I just took
 that
  wrong?
 
 I think that maybe Larry was saying that the only time it would
 be *necessary* to change the source MAC is when traversing a L3
 device.  

That's how I read it. (He was comparing it to a L2 device.) The word only
is an evil word that editors hate. :-)

P.

 He isn't necessarily saying that only the source MAC
 would change when crossing one.  Sorry Larry.  I think that was
 a mis-read on my part.
 
  
  I think his first comment is
   correct, but then a following one is strangely worded. See
  below
   
A host will have an ARP cache entry
for its gateway.  That would be the destination MAC.  The
source MAC would be that of the sending host itself. 
 Using
   its
own ARP cache, the gateway would re-write both the source
  and
destination MAC if the destination was, in fact, directly
attached to (or reachable via) another Ethernet
 interface.
If
not, and the packet needed to cross some serial WAN link,
  both
MACs would simply be stripped off.  Every L3 device strips
  off
source and dest. MAC at ingress.  Whether or not a new
  source
and dest. MAC is encapsulated around the IP packet depends
  on
whether or not the destination is reachable via another
Ethernet interface.
   
   Or Token Ring, FDDI, LocalTalk. :-)
   

 If you go across a layer 2 network, all
 the mac address's
 would typically be part of the same broadcast domain and
  not
 need to be changed.
 
 If you go across a T1 or Frame it will still be mapped
 to
  or
 have an assigned IP Address
 that constitutes a layer 3 hop and write its mac address
  in
 the frame.
   
   Here's where he went astray. As I mentioned earlier, a
 serial
   interface doesn't have a MAC address and the data-link-layer
   protocols used across serial interfaces don't have MAC
   addresses in them.
   
   The sentence isn't parsable, (sorry Larry!) but may indicate
   some additional misunderstanding.  The fact that the next
 hop
   has a Layer 3 address isn't of major significance when
 talking
   about forwarding traffic and the addresses that end up in
 the
   forwarded packet. The IP addresses don't change end-to-end.
  MAC
   addresses on LANs change, hop by hop. WANs don't have MAC
   addresses.
   
   Yes, routing protocols exchange next hop info using IP
   addresses. So, if we're considering Ethernet, at some point
  the
   source router must have found out the MAC address of the
   destination router using ARP. The router will put its own
 MAC
   address in the source field and the destination (next hop)
   router's MAC address in the destination field.
   
   In the case of a T1 point-to-point link, a MAC address isn't
   necessary since it's not a shared medium and there's no need
  to
   identify which station should receive the frame. There is
 only
   one other station!
   
   Now, Frame Relay is shared in the cloud. The DLCI would
 help
   the L2 switches in the cloud forward the frame correctly.
   Inverse ARP would help the router map a L3 next hop address
 to
   a DLCI, if I understand it correctly.
   
   Priscilla
   
   
   
 
 However if I am wrong here, Priscilla or Howard or Chuck
 will let me know...:)
 
 Larry Letterman
 Network Engineer
 Cisco Systems
 
 
 - Original Message -
 From: Cisco Newbie 
 To: 
 Sent: Friday, January 31, 2003 11:42 AM
 Subject: RE: MAC Address [7:62251]
 
 
  First, thanks for all that responded.  One
 clarification
 that I need address
  is the following:
 
  If I cross a L3 router and the outgoing interface is
 something other than
  Ethernet, will the L2 frame show a new MAC address? 
 In
 other words, if my
  outgoing interface is say T1 PPP or even a dial-up,
  should
 I be seeing a new
  MAC address?
 
  Is it only when I cross a L3 device AND my outgoing

Re: MAC Address [7:62251]

2003-02-03 Thread Larry Letterman
Sorry for the confusion. My indication to the original post
was meant to say that the source MAC address will change
from hop to hop...and the destination MAC address, the
source and dest. IP addresses should remain the
same. As Scott says, the routers may change more than the MAC
addresses when the packet is rewritten, but I didn't think
that level of detail was asked in the question.

My answer about WAN issues was incorrect as Priscilla
pointed out...which obviously points out my lack of day to
day knowledge on the WAN side.

Larry Letterman
Network Engineer
Cisco Systems


- Original Message -
From: Priscilla Oppenheimer 
To: 
Sent: Monday, February 03, 2003 12:45 PM
Subject: Re: MAC Address [7:62251]


 s vermill wrote:
 
  s vermill wrote:
  
   Priscilla Oppenheimer wrote:
   
s vermill wrote:

 Larry Letterman wrote:
 
  In most cases you will only re-write the source
mac
   address
  when traversing
  across a L3 device.

 I don't think that's so.
   
Did you misplace your comment?
  
   No.  I disagree that a source MAC re-write would be
all that
   takes place when crossing a L3 device.  Host A,
sending to an
   off-subnet Host B, would use its own MAC as the source
and the
   L3 device interface MAC as the destination.  The L3
device
   strips both at ingress.  If, in fact, the destination
is on a
   directly attached shared medium, the source MAC is
re-writen
  to
   that of the egress interface.  The destination MAC is
whatever
   the L3 device has in the ARP cache for Host B.  Both
source
  and
   destination MACs change when crossing a L3 device.
Doesn't it
   sound like Larry is saying that the source MAC is all
that
   changes and not the destination MAC?  Or maybe I just
took
  that
   wrong?
 
  I think that maybe Larry was saying that the only time
it would
  be *necessary* to change the source MAC is when
traversing a L3
  device.

 That's how I read it. (He was comparing it to a L2
device.) The word only
 is an evil word that editors hate. :-)

 P.

  He isn't necessarily saying that only the source MAC
  would change when crossing one.  Sorry Larry.  I think
that was
  a mis-read on my part.
 
  
   I think his first comment is
correct, but then a following one is strangely
worded. See
   below
   
 A host will have an ARP cache entry
 for its gateway.  That would be the destination
MAC.  The
 source MAC would be that of the sending host
itself.
  Using
its
 own ARP cache, the gateway would re-write both the
source
   and
 destination MAC if the destination was, in fact,
directly
 attached to (or reachable via) another Ethernet
  interface.
 If
 not, and the packet needed to cross some serial
WAN link,
   both
 MACs would simply be stripped off.  Every L3
device strips
   off
 source and dest. MAC at ingress.  Whether or not a
new
   source
 and dest. MAC is encapsulated around the IP packet
depends
   on
 whether or not the destination is reachable via
another
 Ethernet interface.
   
Or Token Ring, FDDI, LocalTalk. :-)
   

  If you go across a layer 2 network, all
  the mac address's
  would typically be part of the same broadcast
domain and
   not
  need to be changed.
 
  If you go across a T1 or Frame it will still be
mapped
  to
   or
  have an assigned IP Address
  that constitutes a layer 3 hop and write its mac
address
   in
  the frame.
   
Here's where he went astray. As I mentioned earlier,
a
  serial
interface doesn't have a MAC address and the
data-link-layer
protocols used across serial interfaces don't have
MAC
addresses in them.
   
The sentence isn't parsable, (sorry Larry!) but may
indicate
some additional misunderstanding.  The fact that the
next
  hop
has a Layer 3 address isn't of major significance
when
  talking
about forwarding traffic and the addresses that end
up in
  the
forwarded packet. The IP addresses don't change
end-to-end.
   MAC
addresses on LANs change, hop by hop. WANs don't
have MAC
addresses.
   
Yes, routing protocols exchange next hop info using
IP
addresses. So, if we're considering Ethernet, at
some point
   the
source router must have found out the MAC address of
the
destination router using ARP. The router will put
its own
  MAC
address in the source field and the destination
(next hop)
router's MAC address in the destination field.
   
In the case of a T1 point-to-point link, a MAC
address isn't
necessary since it's not a shared medium and there's
no need
   to
identify which station should receive the frame.
There is
  only
one other station!
   
Now, Frame Relay is shared in the cloud. The DLCI
would
  help
the L2 switches in the cloud forward the frame
correctly.
Inverse ARP would help the router map a L3 next hop
address
  to
a DLCI, if I understand it correctly.
   
Priscilla

Re: MAC Address [7:62251]

2003-02-01 Thread Larry Letterman
In most cases you will only re-write the source MAC address
when traversing
across a L3 device. If you go across a layer 2 network, all
the MAC addresses
would typically be part of the same broadcast domain and not
need to be changed.

If you go across a T1 or Frame it will still be mapped to or
have an assigned IP address
that constitutes a layer 3 hop and write its MAC address in
the frame.

However if I am wrong here, Priscilla or Howard or Chuck
will let me know...:)

Larry Letterman
Network Engineer
Cisco Systems


- Original Message -
From: Cisco Newbie 
To: 
Sent: Friday, January 31, 2003 11:42 AM
Subject: RE: MAC Address [7:62251]


 First, thanks for all that responded.  One clarification
that I need address
 is the following:

 If I cross a L3 router and the outgoing interface is
something other than
 Ethernet, will the L2 frame show a new MAC address?  In
other words, if my
 outgoing interface is say T1 PPP or even a dial-up, should
I be seeing a new
 MAC address?

 Is it only when I cross a L3 device AND my outgoing
interface is a share
 medium like Ethernet that a new MAC address will be placed
on the frame?

 Thanks.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62306t=62251



Re: MAC Address [7:62251]

2003-02-01 Thread Priscilla Oppenheimer
Larry Letterman wrote:
 
 In most cases you will only re-write the source mac address
 when traversing
 across a L3 device. If you go across a layer 2 network, all
 the mac address's
 would typically be part of the same broadcast domain and not
 need to be changed.
 
 If you go across a T1 or Frame it will still be mapped to or
 have an assigned IP Address
 that constitutes a layer 3 hop and write its mac address in
 the frame.

A serial interface doesn't have a MAC address and the protocols used across
a serial link don't have MAC addresses in their headers.

If I misunderstood your point, just let me know. I'm sure you will! :-)

Priscilla

 
 However if I am wrong here, Priscilla or Howard or Chuck
 will let me know...:)
 
 Larry Letterman
 Network Engineer
 Cisco Systems
 
 
 - Original Message -
 From: Cisco Newbie 
 To: 
 Sent: Friday, January 31, 2003 11:42 AM
 Subject: RE: MAC Address [7:62251]
 
 
  First, thanks for all that responded.  One clarification that I need addressed
  is the following:
 
  If I cross a L3 router and the outgoing interface is something other than
  Ethernet, will the L2 frame show a new MAC address?  In other words, if my
  outgoing interface is say T1 PPP or even a dial-up, should I be seeing a new
  MAC address?
 
  Is it only when I cross a L3 device AND my outgoing interface is a shared
  medium like Ethernet that a new MAC address will be placed on the frame?
 
  Thanks.
 
 
 
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62318t=62251



RE: MAC Address [7:62251]

2003-01-31 Thread s vermill
Cisco Newbie wrote:
 
 I have a question that has been bothering me.  If a packet traverses a
 L3 device, does the source MAC change?  When does/doesn't the
 source MAC address change?
 
 thanks.
 
 
 
 
 

The source MAC changes every time the IP packet moves through a L3 device. 
Even in Multilayer Switching (MLS), where an Ethernet switch moves the
packet across L3 boundaries on behalf of the router, it re-writes the source
MAC to that of the router so it looks as if it traversed the router.  A L2
network is entirely self-contained.  There is no significance of a MAC from
one L2 network to another.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62264t=62251



RE: MAC Address [7:62251]

2003-01-31 Thread Priscilla Oppenheimer
s vermill wrote:
 
 Cisco Newbie wrote:
  
  I have a question that has been bothering me.  If a packet traverses a
  L3 device, does the source MAC change?  When does/doesn't the
  source MAC address change?
  
  thanks.
  
  
  
  
  
 
 The source MAC changes every time the IP packet moves through a
 L3 device.  

Yes, and that's also true for an AppleTalk, IPX, DECnet, Banyan packet, for
what it's worth. Not a whole lot, I suppose, although it may help one
understand a router's behavior.

A router takes in a frame on an input interface, decapsulates it from the L2
header, figures out the output interface, and deals with the relevant L2
issues for the type of L2 protocol on the output interface, including
putting on a new L2 header.

For example, if the output interface is Ethernet, the router does CSMA and
makes sure the frame is transmitted without encountering a (legal)
collision. If it were Token Ring or FDDI, the router would make sure the output
interface could get a token and attach the frame. If it's Frame Relay, it
doesn't have to do much, since that's not a shared medium. The router would
not, however, in most cases, monitor whether the frame arrived intact. With
most L2 protocols, it has no way of knowing that.

Priscilla

Even in Multilayer Switching (MLS), where an
 Ethernet switch moves the packet across L3 boundaries on behalf
 of the router, it re-writes the source MAC to that of the
 router so it looks as if it traversed the router.  A L2 network
 is entirely self-contained.  There is no significance of a MAC
 from one L2 network to another.
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62271t=62251



RE: MAC ADDRESS TO IP ADDRESS [7:62272]

2003-01-31 Thread s vermill
raj wrote:
 
 hi there.
 I have a mac address on my network and need a tool to enter the
 mac address
 in and get the ip address from it.
 
 any tool or any windows command line function or even any cisco
 router/switch function has that capability?
 
 thank you.
 
 

You can do a 'sh arp' on a router or something and look it up.  But IPs
aren't embedded in MACs (except the special case of multicast, but even then
you couldn't recover the entire IP because only 23 bits of the IP are
embedded).  You can also use a sniffer!


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62274t=62272
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
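
Added example, not part of the message above: the multicast special case it mentions, worked through in Python. An IPv4 group address contributes only its low 23 bits to the 01:00:5e MAC, so 32 groups share every multicast MAC; the function names and the sample groups are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

MCAST_MAC_BASE = 0x01005E000000   # 01:00:5e:00:00:00; the low 23 bits come from the group
LOW23 = 0x7FFFFF


def _fmt(value):
    """48-bit integer -> colon notation."""
    return ":".join(f"{b:02x}" for b in value.to_bytes(6, "big"))


def multicast_mac(group):
    """Ethernet destination MAC used for an IPv4 multicast group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    # The top 9 bits of the address (1110 plus 5 more) never reach the MAC.
    return _fmt(MCAST_MAC_BASE | (int(addr) & LOW23))


def candidate_groups(mac):
    """All 32 IPv4 groups that could be behind a multicast MAC."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    value = int(digits, 16)
    if value >> 23 != MCAST_MAC_BASE >> 23:
        raise ValueError(f"{mac} is not in the 01:00:5e IPv4 multicast range")
    low = value & LOW23
    # Re-insert every possible value of the 5 bits that were dropped.
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low))
            for hi in range(32)]


def groups_sharing_a_mac(groups):
    """Report which of the given groups are indistinguishable at layer 2."""
    by_mac = defaultdict(list)
    for group in groups:
        by_mac[multicast_mac(group)].append(group)
    return {mac: members for mac, members in by_mac.items() if len(members) > 1}


if __name__ == "__main__":
    print(multicast_mac("224.0.0.251"))
    print(candidate_groups("0100.5e00.00fb")[:3], "...")
    # Constructed sample list of groups
    print(groups_sharing_a_mac(["224.0.0.251", "239.128.0.251", "239.255.255.250"]))
```

A layer 2 filter or CAM entry keyed on one of these MACs therefore matches all 32 candidate groups, not just the one that was intended.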



RE: MAC Address [7:62251]

2003-01-31 Thread Cisco Newbie
First, thanks for all that responded.  One clarification that I need addressed
is the following:

If I cross a L3 router and the outgoing interface is something other than
Ethernet, will the L2 frame show a new MAC address?  In other words, if my
outgoing interface is say T1 PPP or even a dial-up, should I be seeing a new
MAC address?

Is it only when I cross a L3 device AND my outgoing interface is a shared
medium like Ethernet that a new MAC address will be placed on the frame?

Thanks.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62275t=62251



Re: MAC ADDRESS TO IP ADDRESS [7:62272]

2003-01-31 Thread MADMAN
How about this, nothin fancy but it's effective:)

C3640A#sh arp | incl 00d0.064a.d400
Internet  172.28.64.1 0   00d0.064a.d400  ARPA   Ethernet1/0
C3640A#

   Dave

raj wrote:
 hi there.
 I have a mac address on my network and need a tool to enter the mac address
 in and get the ip address from it.
 
 any tool or any windows command line function or even any cisco
 router/switch function has that capability?
 
 thank you.
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

You don't make the poor richer by making the rich poorer. --Winston
Churchill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62276t=62272



RE: MAC ADDRESS TO IP ADDRESS [7:62272]

2003-01-31 Thread Waters, Kristina
Raj,

There's a free utility available called Kiwi's cattools. It has an option
available to build a 'master arp table file' from the cisco devices you
setup in the program, which you can then view in excel. The file will
contain the MAC and the IP and you can search on either. If you haven't used
the program before it might take you a bit to set it up depending on how
many devices you have, but it's pretty handy. I just used it to
automatically change an entry on some dial peer groups on about 15 routers,
much easier than logging in and doing it manually.

Kris.


-Original Message-
From: raj [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 31, 2003 2:10 PM
To: [EMAIL PROTECTED]
Subject: MAC ADDRESS TO IP ADDRESS [7:62272]


hi there.
I have a mac address on my network and need a tool to enter the mac address
in and get the ip address from it.

any tool or any windows command line function or even any cisco
router/switch function has that capability?

thank you.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62279t=62272



RE: MAC Address [7:62251]

2003-01-31 Thread s vermill
Cisco Newbie wrote:
 
 First, thanks for all that responded.  One clarification that I
 need addressed is the following:
 
 If I cross a L3 router and the outgoing interface is something
 other than Ethernet, will the L2 frame show a new MAC address? 
 In other words, if my outgoing interface is say T1 PPP or even
 a dial-up, should I be seeing a new MAC address?
 
 Is it only when I cross a L3 device AND my outgoing interface
 is a shared medium like Ethernet that a new MAC address will be
 placed on the frame?
 
 Thanks.
 
 
 
 
 

Yep.  If the IP packet is destined for a non-Ethernet WAN interface, the
appropriate L2 header is encapsulated around it.  In the case of T1 PPP, an
HDLC-like header is used.  There no longer is any source or destination
MAC address to be found.  They are both stripped off at the ingress Ethernet
interface of the router.



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62280t=62251



RE: MAC Address [7:62251]

2003-01-31 Thread Priscilla Oppenheimer
Cisco Newbie wrote:
 
 First, thanks for all that responded.  One clarification that I
 need addressed is the following:
 
 If I cross a L3 router and the outgoing interface is something
 other than Ethernet, will the L2 frame show a new MAC address? 
 In other words, if my outgoing interface is say T1 PPP or even
 a dial-up, should I be seeing a new MAC address?

Well, the old MAC address is definitely gone. It was stripped off on ingress.

T1 PPP and dial-up don't use MAC addresses, so there won't be a new one as
the packet traverses that link. But the packet will end up on a router or
access server at the other end probably, which will output the packet to
Ethernet or some other LAN probably and put in new MAC addresses.

Priscilla

 
 Is it only when I cross a L3 device AND my outgoing interface
 is a shared medium like Ethernet that a new MAC address will be
 placed on the frame?
 
 Thanks.
 
 
 
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62286t=62251
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
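
Added example, not part of any list message: the hop-by-hop behaviour described in this thread, as Python that builds the real layer 2 headers around one IPv4 packet. The two-router topology, the addresses (documentation ranges) and every function name are assumptions made for the illustration.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
PPP_ADDR_CTRL = b"\xff\x03"   # HDLC-like framing: fixed address and control, no station address
PPP_PROTO_IPV4 = 0x0021

# Constructed topology:  host A --Ethernet-- R1 --T1/PPP-- R2 --Ethernet-- host B
HOST_A = {"mac": "00:00:5e:00:53:0a", "ip": "192.0.2.10"}
HOST_B = {"mac": "00:00:5e:00:53:0b", "ip": "198.51.100.20"}
R1_LAN_MAC = "00:00:5e:00:53:01"
R2_LAN_MAC = "00:00:5e:00:53:02"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_checksum(header):
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src, dst, ttl, payload=b"data"):
    # Protocol 253 is reserved for experimentation; the payload is a placeholder.
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 253, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return head[:10] + struct.pack("!H", ip_checksum(head)) + head[12:] + payload


def forward(packet):
    """Layer 3 work of a router: decrement TTL, recompute the header checksum."""
    ttl = packet[8] - 1
    if ttl <= 0:
        raise ValueError("TTL expired in transit")
    head = packet[:8] + bytes([ttl]) + packet[9:10] + b"\x00\x00" + packet[12:20]
    return head[:10] + struct.pack("!H", ip_checksum(head)) + head[12:] + packet[20:]


def eth_encap(dst, src, packet):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def eth_decap(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 Ethernet frame")
    return frame[14:]                      # both MAC addresses are discarded here


def ppp_encap(packet):
    return PPP_ADDR_CTRL + struct.pack("!H", PPP_PROTO_IPV4) + packet


def ppp_decap(frame):
    if frame[:2] != PPP_ADDR_CTRL or struct.unpack("!H", frame[2:4])[0] != PPP_PROTO_IPV4:
        raise ValueError("not IPv4 over PPP")
    return frame[4:]


def describe(link, frame):
    if link == "ethernet":
        l2_dst, l2_src, packet = mac_text(frame[0:6]), mac_text(frame[6:12]), eth_decap(frame)
    else:
        l2_dst = l2_src = None             # nothing MAC-like exists in a PPP header
        packet = ppp_decap(frame)
    return {"link": link, "l2_src": l2_src, "l2_dst": l2_dst,
            "ip_src": str(ipaddress.IPv4Address(packet[12:16])),
            "ip_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "ttl": packet[8], "checksum_ok": ip_checksum(packet[:20]) == 0}


def trace():
    hops = []
    # Host A sends to its default gateway (R1) on the first LAN.
    frame = eth_encap(R1_LAN_MAC, HOST_A["mac"], ipv4_packet(HOST_A["ip"], HOST_B["ip"], 64))
    hops.append(describe("ethernet", frame))
    # R1 strips the Ethernet header on ingress and re-encapsulates in PPP.
    frame = ppp_encap(forward(eth_decap(frame)))
    hops.append(describe("ppp", frame))
    # R2 strips PPP and builds a brand-new Ethernet header with its own source MAC.
    frame = eth_encap(HOST_B["mac"], R2_LAN_MAC, forward(ppp_decap(frame)))
    hops.append(describe("ethernet", frame))
    return hops


if __name__ == "__main__":
    for hop in trace():
        print(hop)
```

Host B sees R2's MAC as the source, never host A's, which is why a MAC filter or port-security rule only ever describes stations on its own segment.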



RE: MAC address in router ARP table [7:48377]

2002-07-09 Thread Carl Timm

Are you practicing in the lab? If so, just reboot the router. If not, let me
know.

Carl


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48380t=48377



RE: MAC address in router ARP table [7:48377]

2002-07-09 Thread LIM Chin Chye

Is rebooting the only solution? I am thinking of any other possible
method...  

-Original Message-
From: Carl Timm
To: [EMAIL PROTECTED]
Sent: 09/07/2002 2:13 PM
Subject: RE: MAC address in router ARP table [7:48377]

Are you practicing in the lab? If so, just reboot the router. If not,
let me
know.

Carl




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48388t=48377



Re: MAC address in router ARP table [7:48377]

2002-07-09 Thread Bob Timmons

clear arp-cache

 Is rebooting the only solution? I am thinking of any other possible
 method...

 -Original Message-
 From: Carl Timm
 To: [EMAIL PROTECTED]
 Sent: 09/07/2002 2:13 PM
 Subject: RE: MAC address in router ARP table [7:48377]

 Are you practicing in the lab? If so, just reboot the router. If not,
 let me
 know.

 Carl




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48394t=48377



RE: MAC address in router ARP table [7:48377]

2002-07-09 Thread cebuano

Lim,
Two things regarding your post.
1. You can clear a single ARP CACHE entry using SNMP. Check this link...
http://www.cisco.com/warp/public/477/SNMP/clear_arp.shtml

2. Clearing the ARP-CACHE or REBOOTING the router will NOT allow you to
duplicate a used STATICALLY assigned IP address. I don't know the rest of
your network topology, so I'm assuming the IP you want to use for
another host is statically assigned to another host. Yes you'll have to
hunt this host down wherever it is and change its IP or release its
DHCP-assigned IP.

HTH,
Elmer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Bob Timmons
Sent: Tuesday, July 09, 2002 7:30 AM
To: [EMAIL PROTECTED]
Subject: Re: MAC address in router ARP table [7:48377]

clear arp-cache

 Is rebooting the only solution? I am thinking of any other possible
 method...

 -Original Message-
 From: Carl Timm
 To: [EMAIL PROTECTED]
 Sent: 09/07/2002 2:13 PM
 Subject: RE: MAC address in router ARP table [7:48377]

 Are you practicing in the lab? If so, just reboot the router. If not,
 let me
 know.

 Carl




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48399t=48377



RE: MAC address in router ARP table [7:48377]

2002-07-09 Thread Michael Williams

Shot in the dark here. =)

How about clear ip nat trans?  Could you use that to clear the errant NAT
entry to free up that IP address?

Mike W.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48401t=48377



Re: MAC address and switch [7:42226]

2002-04-22 Thread Priscilla Oppenheimer

At 11:35 AM 4/22/02, Phil Barker wrote:
2.In order to run the spanning tree protocol the
switch needs to send multicast packets out any of its
ports (BPDUs').
These BPDU's need a source MAC address to distinguish
themselves from each other.

1. I think the 1024 MAC Addresses is referring to how
many MAC Addresses it could store in memory for the
purpose of switching/bridging.

i.e once 1024 MAC addresses have been learned it would
not add any others to the table since the memory would
be exhausted.


Phil,

Your answer makes sense, but remember this is Cisco we're talking about! ;-)

The link says "The supervisor engine has a pool of 1024 MAC addresses that 
are used as the bridge IDs for the VLAN spanning trees." The link is 
referring to the switch's own MAC addresses, not the ones in its bridging 
table. The switch has so many MAC addresses because Cisco supports one 
spanning tree per VLAN. There's a different bridge ID for each VLAN.

You are right, of course, that a bridge has a bridging table that stores 
the MAC addresses and port numbers for stations outside the bridge that the 
bridge has learned about. This is also sometimes called the MAC address 
table or content addressable memory (CAM). The Cisco Catalyst 1900 
(low-end) switch can remember 1024 MAC addresses. A high-end switch such as 
the Catalyst 6000 can remember 32,000 MAC addresses.

You are also right that the source address in a BPDU message is the MAC 
address of the port on the bridge that is transmitting the message. (The 
IEEE requires a bridge to have a distinct MAC address for each port.)

A bridge also has a Bridge ID, as mentioned. The low-order subfield of a 
Bridge ID is a 6-byte MAC address assigned to the bridge. This is a 
hard-coded number that is not designed to be changed by the user. Some 
Cisco switches use one of the MAC addresses of the switch supervisor module 
for the Bridge ID, whereas other Cisco switches use a MAC address assigned 
to the backplane of the switch.

Priscilla



Phil.


  --- Tony Chen  wrote: 
Please help a curious mind here, the link is to a
  white paper describing how
  to configuring spanning tree.  In the document it
  describes each switch has
  1024 mac address.
 
  Configuring spanning tree
 
 
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_2/config/spantree.htm#xtocid2879613
 
  MAC Address Allocation
  The supervisor engine has a pool of 1024 MAC
  addresses that are used as the
  bridge IDs for the VLAN spanning trees. You can use
  the show module command
  to view the MAC address range for the supervisor
  engine.
 
 
 
  Each switch has 1024(MAC)addresses. If I connected
  port 8 switch A to port 8 switch B with RJ45
  crossover
  cable.
 
  1. Will I have 2048 MAC addresses?
  2. Do Ethernet switch come with their own MAC
  address?
 
 
  Tony
 
 
 


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42251t=42226



Re: MAC address and switch [7:42226]

2002-04-22 Thread Michael L. Williams

I was going to post the same answer (there's one built-in MAC for each
supported VLAN) but I didn't have any documents or info to back me up.
and I didn't wanna look like a fool =) (like I've NEVER done that... HA)

So I'll ride your coattails and say Yeah... that's what I was going to
say

Mike W.

Priscilla Oppenheimer  wrote in message
news:[EMAIL PROTECTED]...
 Phil,

 Your answer makes sense, but remember this is Cisco we're talking about!
;-)

 The link says "The supervisor engine has a pool of 1024 MAC addresses that
 are used as the bridge IDs for the VLAN spanning trees." The link is
 referring to the switch's own MAC addresses, not the ones in its bridging
 table. The switch has so many MAC addresses because Cisco supports one
 spanning tree per VLAN. There's a different bridge ID for each VLAN.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42256t=42226



Re: mac address searcher [7:37143]

2002-03-04 Thread Sasa Milic

CiscoWorks/Campus Manager knows to do that.

Sasa
CCIE #8635

steve skinner wrote:
 
 Guys,
 
 your assistance if you please..
 
 i am looking for a new tool to help me automate a task...
 
 i work for a global company with multiple it teams,who like to move multiple
 it servers willy-nilly...
 
 i support the switches 65`s but due to politics i am not allowed to set
 port security on them...
 
 is there any tool out there that will query a cisco switch and tell me if
 it has a MAC record in its cam table..
 
 i have got 60 65`s in 18 different MAN locations...and christ knows how many
 servers...
 
 it`s just i am lazy and dont want to keep typing
 
 Sh ip arp and sh cam dyn all the time...
 
 any help would be great.
 
 TIA
 
 steve
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37181t=37143



Re: MAC Address format [7:35179]

2002-02-14 Thread Jason

ROTFL

Chris Charlebois  wrote in message
news:[EMAIL PROTECTED]...
 Simple.  Follow this procedure.

 1) Get a clean sheet of white paper and a #2 pencil.

 2) Write down, in pencil, the MAC address from the Cisco Router exactly as
 displayed, but leave space between each character.

 3) Using the eraser end of the pencil, erase all periods.

 4) Using the pencil, insert a colon after every 2nd number.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35403t=35179



RE: MAC Address format [7:35179]

2002-02-12 Thread Chris Charlebois

Simple.  Follow this procedure.

1) Get a clean sheet of white paper and a #2 pencil.

2) Write down, in pencil, the MAC address from the Cisco Router exactly as
displayed, but leave space between each character.

3) Using the eraser end of the pencil, erase all periods.

4) Using the pencil, insert a colon after every 2nd number.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35194t=35179



RE: MAC Address format [7:35203]

2002-02-12 Thread Logan, Harold

Those are both valid MAC formats. Your router's MAC is
00:08:00:50:8d:b2. Same hex digits, different way of writing them.

Hal

-Original Message-
From: Charles Lomotey [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2002 7:08 AM
To: [EMAIL PROTECTED]; Logan, Harold; Charles Lomotey;
[EMAIL PROTECTED]
Subject: MAC Address format


Hi All,

I have a MAC address shown as 0008.0050.8db2 on my cisco and want to
block it on my 3com lan switch which has MAC addresses in the format eg.
00:01:03:28:4c:3d

How do I convert the Cisco MAC to this other format?

Charles






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35203t=35203



Re: MAC Address format [7:35203]

2002-02-12 Thread Chuck

In fairness to the original poster, different manufacturers, and even within
Cisco, different product lines, have different ways of entering/configuring
MAC's.

True, a MAC is 48 bits, and true, there are different ways of representing
them. Most books I have read use the .. format. some sources
might use colons instead of periods.

But in terms of configuration, on a Cisco router the configuration format is
1224.5678.abcd while on a catalyst 5000 switch the format is
12-34-56-78-ab-cd

The guy who posted the original question noted that on 3com garbage
equipment the format is 12:23:56:78:ab:cd

Chuck


Logan, Harold  wrote in message
news:[EMAIL PROTECTED]...
 Those are both valid MAC formats. Your router's MAC is
 00:08:00:50:8d:b2. Same hex digits, different way of writing them.

 Hal

 -Original Message-
 From: Charles Lomotey [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, February 12, 2002 7:08 AM
 To: [EMAIL PROTECTED]; Logan, Harold; Charles Lomotey;
 [EMAIL PROTECTED]
 Subject: MAC Address format


 Hi All,

 I have a MAC address shown as 0008.0050.8db2 on my cisco and want to
 block it on my 3com lan switch which has MAC addresses in the format eg.
 00:01:03:28:4c:3d

 How do I convert the Cisco MAC to this other format?

 Charles






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35208t=35203
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
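
Added example, not part of any list message: one script covering both this notation question and the earlier "MAC ADDRESS TO IP ADDRESS" thread. It accepts a MAC in the dotted, colon or hyphen notation, converts between them, and looks it up in pasted 'sh arp' output. The function names are assumptions, and the sample table is constructed apart from its first entry, which is the line posted earlier in the archive.

```python
import re

# The notations that come up in the thread (plus bare hex), each checked strictly
# so that a truncated or mixed-separator address is rejected instead of guessed at.
_FORMS = (
    re.compile(r"[0-9a-f]{4}(\.[0-9a-f]{4}){2}"),   # Cisco IOS:      0008.0050.8db2
    re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}"),    # colon style:    00:08:00:50:8d:b2
    re.compile(r"[0-9a-f]{2}(-[0-9a-f]{2}){5}"),    # hyphen style:   00-08-00-50-8d-b2
    re.compile(r"[0-9a-f]{12}"),                    # bare hex digits
)


def mac_hex(text):
    """Return the 12 lowercase hex digits of a MAC written in any accepted notation."""
    candidate = text.strip().lower()
    if not any(form.fullmatch(candidate) for form in _FORMS):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return re.sub(r"[.:\-]", "", candidate)


def convert(mac, style):
    """Rewrite a MAC as 'cisco' (dotted), 'colon' or 'hyphen' notation."""
    digits = mac_hex(mac)
    if style == "cisco":
        return ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    separator = {"colon": ":", "hyphen": "-"}[style]
    return separator.join(digits[i:i + 2] for i in range(0, 12, 2))


# Columns: Protocol, Address, Age, Hardware Addr, Type, Interface (may be absent)
_ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")


def parse_show_arp(output):
    """Map MAC (12 hex digits) -> list of (ip, interface) from 'sh arp' text."""
    table = {}
    for line in output.splitlines():
        match = _ARP_LINE.match(line.strip())
        if not match:
            continue                       # header line, prompt, blank line
        ip, _age, hardware, _type, interface = match.groups()
        try:
            key = mac_hex(hardware)
        except ValueError:
            continue                       # unresolved entry, shown as "Incomplete"
        table.setdefault(key, []).append((ip, interface))
    return table


def ips_for_mac(output, mac):
    """All IP addresses the ARP table associates with a MAC, in table order."""
    return [ip for ip, _ in parse_show_arp(output).get(mac_hex(mac), [])]


# Constructed sample, except the first entry, which is the line quoted in the archive.
SAMPLE_SH_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.28.64.1             0   00d0.064a.d400  ARPA   Ethernet1/0
Internet  172.28.64.20           12   0008.0050.8db2  ARPA   Ethernet1/0
Internet  172.28.64.21            3   0008.0050.8db2  ARPA   Ethernet1/0
Internet  172.28.64.30            0   Incomplete      ARPA
Internet  172.28.64.2             -   0000.5e00.5301  ARPA   Ethernet1/0
"""

if __name__ == "__main__":
    print(convert("0008.0050.8db2", "colon"))
    print(ips_for_mac(SAMPLE_SH_ARP, "00-08-00-50-8D-B2"))
```

An ARP table only holds addresses the router has recently resolved on its own segments, so an empty result means "not seen here", not "not on the network".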



Re: Mac address for Serial Ports?? [7:31898]

2002-01-14 Thread Priscilla Oppenheimer

Serial interfaces don't have MAC addresses. IPX is a special case because 
the network-layer node address IS the MAC address.

Think about frame formats and identifications for WAN protocols. What 
identifies the sender in Frame Relay? A DLCI. How about ATM? A VPI/VCI 
pair. How about PPP? No need because it's point-to-point. How about HDLC. 
No need because it's point-to-point (in Cisco HDLC anyway).

How does a network layer address get mapped to a data-link identifier? 
Static mapping or Inverse ARP for some protocols. PPP has the NCP which 
sits between the two layers.

Priscilla

At 02:51 PM 1/14/02, Cisco Nuts wrote:
Hello,
Is there a way of verifying that a serial port is borrowing the mac address
of the Ethernet/Tr port when it is connecting to another router in an IP
network?
I see this in an ipx network but not in an ip network. sh ipx int s0

I tried the debug ip packet, detail, debug arp, debug broadcast etc. but I
am not seeing that the serial port is using a mac address.

What test can I do on my router to check that the serial port does borrow
the first available Mac address of a Ethernet port on a router?

Thank you.



Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=31904t=31898



Re: Mac address for Serial Ports?? [7:31898]

2002-01-14 Thread Priscilla Oppenheimer

At 10:50 PM 1/14/02, Cisco Nuts wrote:
Sorry Priscilla but I am trying to understand, IP does not need a mac 
address to get to the next hop( on a point-to-point netw - PPP or HDLC)!! 
Why? Because it is a point-to-point as you say? But I thought ip was layer 
three.

It is Layer 3, but in most cases to send an IP packet requires a Layer 2 
address also. But not if there's only one possible recipient, the other end 
of the point-to-point link.

I'm not sure I understand your confusion, but maybe this will help. Compare 
IP on a LAN to IP on a WAN. For example, assume you have configured IP 
addresses on some Ethernet stations and also on some router serial 
interfaces and you're doing some pinging.

A LAN device sends an ARP packet to find the MAC address that maps to the 
destination IP address. On a point-to-point WAN, a device doesn't do this. 
It assumes there's only one place the packet can go -- to the other end.

Also compare this to Frame Relay and ATM. In this case, a device learns in 
advance through Inverse ARP which data-link identifier to use when sending 
to an IP address.

Maybe the point is just too obvious or you haven't thought about the fact 
that a point-to-point link is a special case

Please send questions to the group. I like to answer to the group so that 
everyone benefits from the answer and any discussion that follows.

Priscilla


I understand in terms of ATM or FR but ip on a point-to-point?
Am I missing something here?
Sorry, can you help?


From: Priscilla Oppenheimer 
Reply-To: Priscilla Oppenheimer 
To: [EMAIL PROTECTED]
Subject: Re: Mac address for Serial Ports?? [7:31898]
Date: Mon, 14 Jan 2002 15:37:15 -0500

Serial interfaces don't have MAC addresses. IPX is a special case because
the network-layer node address IS the MAC address.

Think about frame formats and identifications for WAN protocols. What
identifies the sender in Frame Relay? A DLCI. How about ATM? A VPI/VCI
pair. How about PPP? No need because it's point-to-point. How about HDLC.
No need because it's point-to-point (in Cisco HDLC anyway).

How does a network layer address get mapped to a data-link identifier?
Static mapping or Inverse ARP for some protocols. PPP has the NCP which
sits between the two layers.

Priscilla

At 02:51 PM 1/14/02, Cisco Nuts wrote:
 Hello,
 Is there a way of verifying that a serial port is borrowing the mac address
 of the Ethernet/Tr port when it is connecting to another router in an IP
 network?
 I see this in an ipx network but not in an ip network. sh ipx int s0
 
 I tried the debug ip packet, detail, debug arp, debug broadcast etc. but
I
 am not seeing that the serial port is using a mac address.
 
 What test can I do on my router to check that the serial port does borrow
 the first available Mac address of a Ethernet port on a router?
 
 Thank you.
 


Priscilla Oppenheimer
http://www.priscilla.com





Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=31919t=31898



Re: Mac address for Serial Ports?? [7:31898]

2002-01-14 Thread Cisco Nuts

Thank you very much.
Yes, I do understand now.
Regards.


From: Priscilla Oppenheimer 
Reply-To: Priscilla Oppenheimer 
To: [EMAIL PROTECTED]
Subject: Re: Mac address for Serial Ports?? [7:31898]
Date: Mon, 14 Jan 2002 18:33:24 -0500

At 10:50 PM 1/14/02, Cisco Nuts wrote:
 Sorry Priscilla but I am trying to understand, IP does not need a mac
 address to get to the next hop( on a point-to-point netw - PPP or HDLC)!!
 Why? Because it is a point-to-point as you say? But I thought ip was 
layer
 three.

It is Layer 3, but in most cases to send an IP packet requires a Layer 2
address also. But not if there's only one possible recipient, the other end
of the point-to-point link.

I'm not sure I understand your confusion, but maybe this will help. Compare
IP on a LAN to IP on a WAN. For example, assume you have configured IP
addresses on some Ethernet stations and also on some router serial
interfaces and you're doing some pinging.

A LAN device sends an ARP packet to find the MAC address that maps to the
destination IP address. On a point-to-point WAN, a device doesn't do this.
It assumes there's only one place the packet can go -- to the other end.

Also compare this to Frame Relay and ATM. In this case, a device learns in
advance through Inverse ARP which data-link identifier to use when sending
to an IP address.

Maybe the point is just too obvious or you haven't thought about the fact
that a point-to-point link is a special case

Please send questions to the group. I like to answer to the group so that
everyone benefits from the answer and any discussion that follows.

Priscilla


 I understand in terms of ATM or FR but ip on a point-to-point?
 Am I missing something here?
 Sorry, can you help?
 
 
 From: Priscilla Oppenheimer
 Reply-To: Priscilla Oppenheimer
 To: [EMAIL PROTECTED]
 Subject: Re: Mac address for Serial Ports?? [7:31898]
 Date: Mon, 14 Jan 2002 15:37:15 -0500
 
 Serial interfaces don't have MAC addresses. IPX is a special case 
because
 the network-layer node address IS the MAC address.
 
 Think about frame formats and identifications for WAN protocols. What
 identifies the sender in Frame Relay? A DLCI. How about ATM? A VPI/VCI
 pair. How about PPP? No need because it's point-to-point. How about 
HDLC.
 No need because it's point-to-point (in Cisco HDLC anyway).
 
 How does a network layer address get mapped to a data-link identifier?
 Static mapping or Inverse ARP for some protocols. PPP has the NCP which
 sits between the two layers.
 
 Priscilla
 
 At 02:51 PM 1/14/02, Cisco Nuts wrote:
  Hello,
  Is there a way of verifying that a serial port is borrowing the mac address
  of the Ethernet/Tr port when it is connecting to another router in an 
IP
  network?
  I see this in an ipx network but not in an ip network. sh ipx int s0
  
  I tried the debug ip packet, detail, debug arp, debug broadcast etc. 
but
I
  am not seeing that the serial port is using a mac address.
  
  What test can I do on my router to check that the serial port does 
borrow
  the first available Mac address of a Ethernet port on a router?
  
  Thank you.
  
 
 
 Priscilla Oppenheimer
 http://www.priscilla.com
 




Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=31922t=31898



RE: Mac Address filtering on a 3512XL [7:26398]

2001-11-16 Thread Priscilla Oppenheimer

And I would like to add a comment about something I took for granted. I 
assumed that a wireless sniffer couldn't see traffic if its MAC address was 
not on the list of MAC addresses at the access point. I thought it wouldn't 
be able to join the wireless network. I was wrong. It can see traffic 
(unless the traffic is WEP or LEAP encrypted, I would guess). The host 
running the sniffer can't actually use the access point to reach the wired 
network (because of the MAC access control lists) but it can still see 
packets on the wireless RF side.

I guess that makes sense, but it surprised me. One caveat: this testing was 
done with access control lists configured on a non-Cisco access point, so 
may not apply to a Cisco access point. Anyone know?

(Also, it's a bit different from applying the access control lists on the 
wired switch which we were discussing. In that case, one wouldn't assume 
that there was any security on the wireless side, I guess.)

Priscilla

At 11:44 PM 11/15/01, Andras Bellak wrote:
I missed something in my last reply that some folks might not take for
granted - once you have sniffed the mac address of a wireless card,
changing your card to match is simple - I did it on a card integrated
into a notebook inside of 30 seconds - you set it in the GUI even.

Andras

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 7:10 PM
To: [EMAIL PROTECTED]
Subject: RE: Mac Address filtering on a 3512XL [7:26398]


Ken, this comes up regularly with customers who want to do wireless, as if
wireless will solve some great problem of theirs. well, in the case of my
customers, there are indeed some great vertical applications that make this
a wonderful technology. but...

yes, mac filtering is one way to provide some modicum of security. spoofing
mac's is not the first thing that enters the hacker's mind, so I've heard,
but I would not rely on any one method to ensure a secure net. remember that
there are several wireless sniffers available, so mac information can be
decoded, and later spoofed.

some folks I have spoken with do a number of things, including WEP, LEAP,
and IPSec or L2TP from the wireless end device into the network, end to end.
some folks go so far as to encrypt everything on storage devices, so that
even if the wireless authentication is broken, it does  hacker no good.

if your app is hand-held based these may not be options. then you are back
to the mac filtering. still, you might want to think about upping to 128 WEP
anyway. how concerned are you about the integrity and confidentiality of the
data going over the wireless? more so or less so than if that same data were
available via VPN across the internet or via dial up access?

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ken Diliberto
Sent: Thursday, November 15, 2001 3:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Mac Address filtering on a 3512XL [7:26398]


Yes, I do have a goal in mind.  I just purchased some wireless equipment and
would like to restrict the MAC addresses allowed in.  40 bit encryption is
not good enough for the paranoid like me.  It seems the network name is
advertised.  To me, that security really sucks.

Besides, it's another challenge.  Next, maybe a VPN tunnel.  :-)

Ken

  Howard C. Berkowitz  11/15/01 02:24PM 
 I am wanting to configure a mac-address filter on my switch but need some
 help.  Has anyone done this?
 
 Thanks.
 
 Ken

Well, yes. But to coin a phrase, and to put it into a better context,
what problem are you trying to solve?  I find people learn better
when they have a goal in mind, then look at configuration
alternatives and how they relate to the problem.

Howard


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26516t=26398



Re: Mac Address filtering on a 3512XL [7:26398]

2001-11-15 Thread Howard C. Berkowitz

I am wanting to configure a mac-address filter on my switch but need some
help.  Has anyone done this?

Thanks.

Ken

Well, yes. But to coin a phrase, and to put it into a better context, 
what problem are you trying to solve?  I find people learn better 
when they have a goal in mind, then look at configuration 
alternatives and how they relate to the problem.

Howard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26409t=26398



Re: Mac Address filtering on a 3512XL [7:26398]

2001-11-15 Thread Ken Diliberto

Yes, I do have a goal in mind.  I just purchased some wireless equipment and
would like to restrict the MAC addresses allowed in.  40 bit encryption is
not good enough for the paranoid like me.  It seems the network name is
advertised.  To me, that security really sucks.

Besides, it's another challenge.  Next, maybe a VPN tunnel.  :-)

Ken

 Howard C. Berkowitz  11/15/01 02:24PM 
I am wanting to configure a mac-address filter on my switch but need some
help.  Has anyone done this?

Thanks.

Ken

Well, yes. But to coin a phrase, and to put it into a better context, 
what problem are you trying to solve?  I find people learn better 
when they have a goal in mind, then look at configuration 
alternatives and how they relate to the problem.

Howard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26424t=26398



RE: Mac Address filtering on a 3512XL [7:26398]

2001-11-15 Thread Chuck Larrieu

Ken, this comes up regularly with customers who want to do wireless, as if
wireless will solve some great problem of theirs. well, in the case of my
customers, there are indeed some great vertical applications that make this
a wonderful technology. but...

yes, mac filtering is one way to provide some modicum of security. spoofing
mac's is not the first thing that enters the hacker's mind, so I've heard,
but I would not rely on any one method to ensure a secure net. remember that
there are several wireless sniffers available, so mac information can be
decoded, and later spoofed.

some folks I have spoken with do a number of things, including WEP, LEAP,
and IPSec or L2TP from the wireless end device into the network, end to end.
some folks go so far as to encrypt everything on storage devices, so that
even if the wireless authentication is broken, it does  hacker no good.

if your app is hand-held based these may not be options. then you are back
to the mac filtering. still, you might want to think about upping to 128 WEP
anyway. how concerned are you about the integrity and confidentiality of the
data going over the wireless? more so or less so than if that same data were
available via VPN across the internet or via dial up access?

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ken Diliberto
Sent: Thursday, November 15, 2001 3:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Mac Address filtering on a 3512XL [7:26398]


Yes, I do have a goal in mind.  I just purchased some wireless equipment and
would like to restrict the MAC addresses allowed in.  40 bit encryption is
not good enough for the paranoid like me.  It seems the network name is
advertised.  To me, that security really sucks.

Besides, it's another challenge.  Next, maybe a VPN tunnel.  :-)

Ken

 Howard C. Berkowitz  11/15/01 02:24PM 
I am wanting to configure a mac-address filter on my switch but need some
help.  Has anyone done this?

Thanks.

Ken

Well, yes. But to coin a phrase, and to put it into a better context,
what problem are you trying to solve?  I find people learn better
when they have a goal in mind, then look at configuration
alternatives and how they relate to the problem.

Howard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26432t=26398



RE: Mac Address filtering on a 3512XL [7:26398]

2001-11-15 Thread Andras Bellak

Welcome to the next big security nightmare. There are so many issues
with trying to secure the access point, at some point you'll just want
to sit in a corner with your arms around your knees rocking. In the
meantime, here are a couple of thoughts/issues to look at.

1. Running WEP is almost useless. At least with WEP you've left the key
under the doormat, not in the lock. One issue that you'll run across
with higher encryption levels with WEP is the variance in network card
software across manufacturers. Of the 4 different cards that we've had
on the network here, we've had 4 sets of maximum and minimum key
lengths, and there is no happy medium.

2. Running MAC filtering is good, if you want to keep track of all the
MACs that you'll end up with. Anyone who has ever worked a network that
used its own MAC scheme knows what I'm talking about. Another issue
that we've run into with MAC filtering is the lack of ease of
distributing your filter list across multiple access points. (I'm a bit
of a hypocrite - we use MAC filtering on our network ;-} )

3. The ability to disable responding to a broadcast on your access point
is a great start. Our Orinoco (I know, Avaya sucks) access points have a
setting that tells the unit to not respond to any requests unless the
card is set with the same network name as the base station. This won't
stop somebody sniffing, but it does hide the unit from the apps that
initially find the access points.

4. Accept that you'll have to use a different method for security, and
plan your platform/app around it. We have had great success with Movian
on our WinCE handhelds, connecting to an interface on a VPN-3030 in
order to access the network. I know that this setup also works with a
PIX, as it was our test environment.

5. Watch out for cars with funny antennas and laptops on the front seat.
(#3 takes care of part of this problem.)

That all said, I think we as industry professionals have a lot to learn
about deploying a secure wireless network. I do know that whenever I
deploy one, I start the design process by putting on my paranoid hat.

Good luck, and good learning.

Andras

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 7:10 PM
To: [EMAIL PROTECTED]
Subject: RE: Mac Address filtering on a 3512XL [7:26398]


Ken, this comes up regularly with customers who want to do wireless, as if
wireless will solve some great problem of theirs. well, in the case of my
customers, there are indeed some great vertical applications that make this
a wonderful technology. but...

yes, mac filtering is one way to provide some modicum of security. spoofing
mac's is not the first thing that enters the hacker's mind, so I've heard,
but I would not rely on any one method to ensure a secure net. remember that
there are several wireless sniffers available, so mac information can be
decoded, and later spoofed.

some folks I have spoken with do a number of things, including WEP, LEAP,
and IPSec or L2TP from the wireless end device into the network, end to end.
some folks go so far as to encrypt everything on storage devices, so that
even if the wireless authentication is broken, it does  hacker no good.

if your app is hand-held based these may not be options. then you are back
to the mac filtering. still, you might want to think about upping to 128 WEP
anyway. how concerned are you about the integrity and confidentiality of the
data going over the wireless? more so or less so than if that same data were
available via VPN across the internet or via dial up access?

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ken Diliberto
Sent: Thursday, November 15, 2001 3:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Mac Address filtering on a 3512XL [7:26398]


Yes, I do have a goal in mind.  I just purchased some wireless equipment and
would like to restrict the MAC addresses allowed in.  40 bit encryption is
not good enough for the paranoid like me.  It seems the network name is
advertised.  To me, that security really sucks.

Besides, it's another challenge.  Next, maybe a VPN tunnel.  :-)

Ken

 Howard C. Berkowitz  11/15/01 02:24PM 
I am wanting to configure a mac-address filter on my switch but need some
help.  Has anyone done this?

Thanks.

Ken

Well, yes. But to coin a phrase, and to put it into a better context,
what problem are you trying to solve?  I find people learn better
when they have a goal in mind, then look at configuration
alternatives and how they relate to the problem.

Howard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26436t=26398



Re: Mac Address filtering on a 3512XL [7:26398]

2001-11-15 Thread Howard C. Berkowitz

Yes, I do have a goal in mind.  I just purchased some wireless equipment and
would like to restrict the MAC addresses allowed in.  40 bit encryption is
not good enough for the paranoid like me.  It seems the network name is
advertised.  To me, that security really sucks.

OK.  I'll assume the filter is at the ingress switch, and you want to 
use the source address as a safeguard.

First, let's review the command:

access-list access-list-number {permit | deny} address mask
700-799

 what confuses some people is the address is the 48-bit MAC 
address and the mask is also 48 bits. Otherwise, the masking logic is 
just like an IP access list.

Let's say you want to permit all sources with the Cisco manufacturer 
code 00000c (there are others). You don't care what the other 24 bits 
are.

Therefore, your access list rule would be

access-list 700 permit 0000.0c00.0000 0000.00FF.FFFF

You could have an access-list rule for each device, with a 
0000.0000.0000 mask. Think long and hard about how you would maintain 
that




Besides, it's another challenge.  Next, maybe a VPN tunnel.  :-)

Ken

  Howard C. Berkowitz  11/15/01 02:24PM 
I am wanting to configure a mac-address filter on my switch but need some
help.  Has anyone done this?

Thanks.

Ken

Well, yes. But to coin a phrase, and to put it into a better context,
what problem are you trying to solve?  I find people learn better
when they have a goal in mind, then look at configuration
alternatives and how they relate to the problem.

Howard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26440t=26398
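
An added example, not part of the original thread and not Cisco's code: a small Python model of the 700-series masking logic described in the post above, where a 1 bit in the mask means "don't care", the first matching rule wins, and anything unmatched is denied. It assumes the rule's address and mask are the full 48-bit forms 0000.0c00.0000 and 0000.00ff.ffff; the per-device addresses and all function names are constructed for illustration.

```python
import re
from collections import namedtuple

MASK48 = (1 << 48) - 1
_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
_RULE = re.compile(
    rf"^access-list\s+(\d+)\s+(permit|deny)\s+({_MAC})\s+({_MAC})$", re.IGNORECASE
)
Rule = namedtuple("Rule", "number action address wildcard")

# Constructed sample configurations (not taken from a real device).
OUI_ACL = "access-list 700 permit 0000.0c00.0000 0000.00ff.ffff"
PER_DEVICE_ACL = """
! one exact-match entry per allowed device (addresses are made up)
access-list 701 permit 0000.0c12.3456 0000.0000.0000
access-list 701 permit 0010.7b9a.bcde 0000.0000.0000
"""


def mac_to_int(mac):
    """Accept 0000.0c12.3456, 00:00:0c:12:34:56 or 00-00-0c-12-34-56."""
    digits = re.sub(r"[.:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def parse_acl(config):
    """Return the rules in configuration order; order matters for matching."""
    rules = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue  # blank line or comment
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        number = int(m.group(1))
        if not 700 <= number <= 799:
            raise ValueError(f"48-bit MAC lists use numbers 700-799, got {number}")
        rules.append(Rule(number, m.group(2).lower(),
                          mac_to_int(m.group(3)), mac_to_int(m.group(4))))
    return rules


def evaluate(rules, number, src_mac):
    """Return (action, rule index). First match wins; no match is a deny."""
    src = mac_to_int(src_mac)
    for idx, rule in enumerate(rules):
        if rule.number != number:
            continue
        care = ~rule.wildcard & MASK48  # bits that must equal the rule address
        if (src & care) == (rule.address & care):
            return rule.action, idx
    return "deny", None  # implicit deny at the end of the list


def addresses_admitted(rule):
    """How many distinct source addresses one rule matches: 2^(don't-care bits)."""
    return 1 << bin(rule.wildcard).count("1")


if __name__ == "__main__":
    oui = parse_acl(OUI_ACL)
    print(evaluate(oui, 700, "00:00:0c:ab:cd:ef"))   # inside the manufacturer block
    print(evaluate(oui, 700, "0010.7b12.3456"))      # outside it
    print(addresses_admitted(oui[0]), "addresses match the manufacturer rule")
    dev = parse_acl(PER_DEVICE_ACL)
    print(evaluate(dev, 701, "0010.7b9a.bcde"))      # listed device
    print(evaluate(dev, 701, "0010.7b9a.bcdf"))      # one bit off: denied
```

The filter decides only on the source address a frame claims, so the manufacturer-wide rule admits every address in that block, while exact-match entries trade that breadth for a list that has to be maintained per device.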



RE: Mac Address filtering on a 3512XL [7:26398]

2001-11-15 Thread Andras Bellak

I missed something in my last reply that some folks might not take for
granted - once you have sniffed the mac address of a wireless card,
changing your card to match is simple - I did it on a card integrated
into a notebook inside of 30 seconds - you set it in the GUI even. 

Andras

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 7:10 PM
To: [EMAIL PROTECTED]
Subject: RE: Mac Address filtering on a 3512XL [7:26398]


Ken, this comes up regularly with customers who want to do wireless, as if
wireless will solve some great problem of theirs. well, in the case of my
customers, there are indeed some great vertical applications that make this
a wonderful technology. but...

yes, mac filtering is one way to provide some modicum of security. spoofing
mac's is not the first thing that enters the hacker's mind, so I've heard,
but I would not rely on any one method to ensure a secure net. remember that
there are several wireless sniffers available, so mac information can be
decoded, and later spoofed.

some folks I have spoken with do a number of things, including WEP, LEAP,
and IPSec or L2TP from the wireless end device into the network, end to end.
some folks go so far as to encrypt everything on storage devices, so that
even if the wireless authentication is broken, it does  hacker no good.

if your app is hand-held based these may not be options. then you are back
to the mac filtering. still, you might want to think about upping to 128 WEP
anyway. how concerned are you about the integrity and confidentiality of the
data going over the wireless? more so or less so than if that same data were
available via VPN across the internet or via dial up access?

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ken Diliberto
Sent: Thursday, November 15, 2001 3:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Mac Address filtering on a 3512XL [7:26398]


Yes, I do have a goal in mind.  I just purchased some wireless equipment and
would like to restrict the MAC addresses allowed in.  40 bit encryption is
not good enough for the paranoid like me.  It seems the network name is
advertised.  To me, that security really sucks.

Besides, it's another challenge.  Next, maybe a VPN tunnel.  :-)

Ken

 Howard C. Berkowitz  11/15/01 02:24PM 
I am wanting to configure a mac-address filter on my switch but need some
help.  Has anyone done this?

Thanks.

Ken

Well, yes. But to coin a phrase, and to put it into a better context,
what problem are you trying to solve?  I find people learn better
when they have a goal in mind, then look at configuration
alternatives and how they relate to the problem.

Howard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26443t=26398



RE: Bandwidth was: RE: MAC address and VLANs [7:23950]

2001-10-25 Thread Chuck Larrieu

I can see the recruiters' ads now...

Wanted: Network Engineer to work in tropical paradise. Requires OSPF, EIGRP,
MPLS, BGP, and crocodile wrestling. Benefits include health plan, life
insurance, and Rambo survival knife.
http://www.dantesknife.com/combat.htm

I'm up way too late.

Chuck

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 11:26 PM
To: Chuck Larrieu
Subject: RE: Bandwidth was: RE: MAC address and VLANs [7:23950]



I haven't been to any of those particular spots myself, but I don't think
any of them have a reputation for paradise.  If they were, we wouldn't need
an office there :-(  But for some of our remote sites, I'm told that the
crocodiles are the price you pay for living in paradise - lovely beach, but
don't get out of your four wheel drive...

Excuse me while I go back to gazing out the window at the sunshine... ;-)

JMcL




From: Chuck Larrieu
To: Cisco Mail List
cc:
Date: 25/10/2001 01:12 pm
Subject: RE: Bandwidth was: RE: MAC address and VLANs [7:23950]






eat your heart out ;-

the price you pay for living in paradise...

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, October 24, 2001 5:50 PM
To: [EMAIL PROTECTED]
Subject: Bandwidth was: RE: MAC address and VLANs [7:23950]


Hmmph.  Glad you can afford DS3 links everywhere.  I'll bet there's not a
single carrier that would offer DS3 to Nhulunbuy, Thursday Island, or
Charleville... at least not for a cost less than the GDP of a reasonably
sized country...

JMcL
- Forwarded by Jenny Mcleod/NSO/CSDA on 25/10/2001 10:40 am -


From: Chuck Larrieu
Sent by: nobody@groupstudy.com
To: [EMAIL PROTECTED]
Date: 25/10/2001 09:52 am
Subject: RE: MAC address and VLANs [7:23950]
Please respond to Chuck Larrieu






hooray for you, PO! you are absolutely correct.

In military science, it is well known that military establishments enter
any
war prepared to fight the previous one. In these days of DSL to the home
desktop, 100 megabit to the office desktop, ATM backbone WANS, and HTML
based applications, we networking students study various means of eking out
another packet or two on 56K links. Anyone here see the point of ISDN
backup
for DS3 links? ;-

Your forward thinking is commendable.

Chuck

[lots of good stuff snipped]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24083t=23950



RE: MAC address and VLANs [7:23950]

2001-10-25 Thread Ken Diliberto

I'm curious...  how bad do the collisions look?  With so many hubs, I would
think that would consume more bandwidth than the broadcasts.

Ken

 Carroll Kong  10/24/01 11:34PM 
[snip]
Well, I admit, my response was a bit clouded by the fact that one of our 
clients recently requested a redesign of their flat beyond flat 
network.  Call it justification!  They are using, UGH, 10BaseT Hubs with 
some nasTY (with an intentional capital T and Y), daisy chaining hub 
action, which REALLY exacerbated performance loss. Not to mention it's 
all Bay GEAR!  Evil!  :)  Admittedly, that IS changing the premise of 
Priscilla's original statement.  The network I am working on is HARDLY the 
epitome of the modern day model system Priscilla described.  I am guessing 
with solid switches across the board, it might very well be pretty darn 
good in terms of performance.  I was just curious where the new practical 
bar was raised to.

If the situation is with 10BaseT hubs, I would not be surprised if 
performance is really becoming an issue where broadcasts become a 
percentage of your daily bandwidth.  Where broadcasts are probably far more 
often being that even unicast packets are broadcasted on the wondrous 
layer 1 repeater technology known as hubs.  With all switches, I am not too 
sure I can say clearly otherwise, but I was just wondering how far is a 
practical limit in today's modern systems?  On top of that, yes, all in 
moderation.  If we take either approach to the extreme, we clearly see 
significant flaws.  No one wants to run subnets of 2 usable hosts each for 
their entire network and smash their catalyst 6509 with routing modules to 
oblivion.  No one wants to run the 30,000 flat network from HecK.  (Ok, 
maybe some people do...)  Look Ma, no routers!

On the side, you just noticed your statement implies that some would run 
multiple VLANs with a single subnet?   I guess you would depend on having 
at least one port on both VLANs to get interconnectivity?  Would that be 
like bridging?  (unifying two layer 2 networks).

Her statements on the windows protocol seem correct.  Ugh, I got to whip 
out the old sniffer again.  Or read up again.  I could have sworn I STILL 
saw a multitude of crap flying every second on my old college network even 
after we went to a switch.  I should try again since her points seem quite 
valid.

Hm.  Although broadcasting was necessary, in the more extreme case, does it 
make sense for a quote server to broadcast to another quote server?  There 
is a small subsegment of don't cares for the quotes, it seems like 
multicast is more ideal, but probably not necessary.  No matter, I am sure 
the demigods of broadcast control had a working solution.  :)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24090t=23950



RE: MAC address and VLANs [7:23950]

2001-10-25 Thread Ouellette, Tim

Carroll,

I just love the little jokes and grunts you throw into your messages.  Makes
reading technical stuff fun to read when you can just picture the person
writing it going UGH in the middle of a paragraph. Thanks for making the
reading fun *grin*

Tim

 -Original Message-
 From: Carroll Kong [SMTP:[EMAIL PROTECTED]]
 Sent: Thursday, October 25, 2001 12:34 AM
 To:   [EMAIL PROTECTED]
 Subject:  RE: MAC address and VLANs [7:23950]
 
 At 08:32 PM 10/24/01 -0700, Chuck Larrieu wrote:
 interesting points, and well taken.
 
 if one takes VLANs to be synonymous with subnets then sure.
 
 your 10.0.0.0/16 thought reminds me of the good old days when the Xylan
 marketing team was out hawking their flatten the network religion. In this
 respect I am a traditionalist - route where you can, and bridge where you
 must.
 
 yeah, I keep forgetting that Windows does some broadcasting, but recall that
 I come out of the brokerage industry, where broadcast was a necessity. How
 else would quote machines work? Upwards of 80-90% of our LAN traffic during
 market hours was broadcast. So how much broadcast traffic can a couple
 hundred windoze boxes really create, and just how badly does that really
 affect network performance? Particularly if you are running a fully switched
 environment, or even in a hubbed environment, assuming 12-24 port hubs? When
 I was young and foolish, I ran my network on daisy chained 48 port hubs, and
 I think I got up to around 125 stations and printers before I regretted my
 foolishness. This was in that self same brokerage firm, with the outrageous
 broadcast traffic. I know a Major Bank where they at one time ran segments
 of 700-100 end stations. And survived to a certain degree. ( although they
 were the masters of broadcast control :- )
 
 As I said, your points are well taken. the application drives most things,
 but the architecture surely drives others.
 
 thanks.
 
 Chuck
 
 Well, I admit, my response was a bit clouded by the fact that one of our
 clients recently requested a redesign of their flat beyond flat
 network.  Call it justification!  They are using, UGH, 10BaseT Hubs with
 some nasTY (with an intentional capital T and Y), daisy chaining hub
 action, which REALLY exacerbated performance loss. Not to mention it's
 all Bay GEAR!  Evil!  :)  Admittedly, that IS changing the premise of
 Priscilla's original statement.  The network I am working on is HARDLY the
 epitome of the modern day model system Priscilla described.  I am guessing
 with solid switches across the board, it might very well be pretty darn
 good in terms of performance.  I was just curious where the new practical
 bar was raised to.
 
 If the situation is with 10BaseT hubs, I would not be surprised if
 performance is really becoming an issue where broadcasts become a
 percentage of your daily bandwidth.  Where broadcasts are probably far more
 often being that even unicast packets are broadcasted on the wondrous
 layer 1 repeater technology known as hubs.  With all switches, I am not too
 sure I can say clearly otherwise, but I was just wondering how far is a
 practical limit in today's modern systems?  On top of that, yes, all in
 moderation.  If we take either approach to the extreme, we clearly see
 significant flaws.  No one wants to run subnets of 2 usable hosts each for
 their entire network and smash their catalyst 6509 with routing modules to
 oblivion.  No one wants to run the 30,000 flat network from HecK.  (Ok,
 maybe some people do...)  Look Ma, no routers!
 
 On the side, you just noticed your statement implies that some would run
 multiple VLANs with a single subnet?   I guess you would depend on having
 at least one port on both VLANs to get interconnectivity?  Would that be
 like bridging?  (unifying two layer 2 networks).
 
 Her statements on the windows protocol seem correct.  Ugh, I got to whip
 out the old sniffer again.  Or read up again.  I could have sworn I STILL
 saw a multitude of crap flying every second on my old college network even
 after we went to a switch.  I should try again since her points seem quite
 valid.
 
 Hm.  Although broadcasting was necessary, in the more extreme case, does it
 make sense for a quote server to broadcast to another quote server?  There
 is a small subsegment of don't cares for the quotes, it seems like
 multicast is more ideal, but probably not necessary.  No matter, I am sure
 the demigods of broadcast control had a working solution.  :)
 
 
 -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24092t=23950



Re: MAC address and VLANs [7:23950]

2001-10-25 Thread jeffrey wang

Not only did VLANs help solve the broadcast problem, they also helped with a
unicast problem. I used to run into a problem with some UDP application on a
pretty large flat network. When some 100M/full-duplex stations started
talking, the 10M workstations froze. The sniffer showed me that this was
caused by a unicast storm. Eventually, I learned that if a unicast is sent
while the switch doesn't have or has forgotten its destination's MAC, it
floods. No 100M workstation was affected, but all the 10s died. A couple of
seconds later, it calmed down (the switches started to know where the
destination's MAC was). However, it happened again and again. VLANs help
first to restrict the problem to ONE VLAN, and second to prevent the switches
that don't have the VLAN from being affected.

Priscilla Oppenheimer wrote:

 The multi-VLAN feature that Leigh Anne mentioned might solve your problem.
 The Cisco switch port could be associated with two VLANs that way. You
 didn't say which switch you have, and this feature may not be available on
 all Cisco switches, though.

 Assuming that you don't want to upgrade the little switch to one that does
 802.1Q or ISL, another somewhat radical fix to the problem might be to not
 use VLANs. My philosophy is that once VLANs get to the point of causing
 more problems than they fix, I eliminate them. ;-)

 One of the main things VLANs were supposed to fix was excessive broadcasts
 causing too many CPU interruptions on numerous workstations in a large,
 flat, switched network.

 Lately I have taken to making the controversial statement that this problem
 doesn't exist on many modern networks. These days workstations have
 amazingly fast CPUs. They are not bogged down by processing broadcasts.
 Also, as we eliminate older desktop protocols such as AppleTalk and IPX,
 what is still sending broadcasts? An ARP here or there is not a big
 problem. And ARPs don't actually happen that often. A PC keeps the
 data-link-layer address of its default gateway and other communication
 partners for a long time.

 Also, a lot of PC NICs used to be stupid about multicasts and interrupt the
 CPU for irrelevant multicasts for which the PC was not registered to
 listen. I bet that bug has been fixed by now.

 VLANs have other benefits (security, dividing up management and
 administrative domains, etc.) But if broadcasts are the issue, one should
 ask:

 Which protocols send broadcasts and how often?
 How fast are the CPUs?

 And that is my latest harangue against my least favorite LAN technology
 (VLANs!)

 Priscilla

 At 09:52 AM 10/24/01, NetEng wrote:
 Thanks for the replies. The two MAC addresses would come from the two PC's
 in an office. They would both connect in to a hub and then the hub would
 uplink to the cisco switch. I need one pc in VLAN1 and one pc in VLAN2, from
 what you and Dennis stated this will not work. I appreciate the comments
 though.
 
 Collin
 
 Leigh Anne Chisholm  wrote in message
 news:[EMAIL PROTECTED]...
   Actually, that's not correct.  The original specification for VLANs
from
   what I understand mandates that only one VLAN can be assigned to a
port,
 but
   manufacturers such as 3COM decided to do otherwise and support multiple
   VLANs per port.  Cisco responded by creating (on certain switches such
as
   the Catalyst 2900XL) an administrator to configure a port to be a
member
 of
   more than one VLAN at a time when using a membership mode known as
   Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the
actual
   number of VLANs to which the port can belong depends on the capability
of
   the switch itself. Although the concept is similar, this membership
mode
 is
   different than trunking.  The caveat to this feature is that the
   Multi-VLAN membership mode cannot be configured on a switch if one or
 more
   ports on the switch have been configured to trunk.
  
   For more information on this feature, search Cisco's website using the
   keyword phrase switchport multi.
  
   As for answering NetEng's question--I can't quite determine where
 multiple
   MAC addresses share the same switch port.  Could you identify which
 switch
   that is?
  
  
 -- Leigh Anne
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
Of
Dennis
Sent: Tuesday, October 23, 2001 3:48 PM
To: [EMAIL PROTECTED]
Subject: Re: MAC address and VLANs [7:23950]
   
   
Cisco will recognize multiple macs on a single port but they must
all be in
the same vlan.  Vlan assignment is per port.  Your other option
would be to
replace the non cisco hub with a cisco switch which is trunked to the
 main
switch.
   
--
   
-=Reply to group only... no personal=-
   
NetEng  wrote in message
news:[EMAIL PROTECTED]...
 Here's my situation. I have a corporate PC with an IP address of
10.10.x.x
 and in the same office (and same physical network) another
device with an
IP
 address of 192.168.10

Re: MAC address and VLANs [7:23950]

2001-10-25 Thread [EMAIL PROTECTED]

I couldn't agree more on this issue, Jeff.  Norton's Ghost is notorious for
hogging much of the backplane bandwidth on CAT5500s during a unicast TCP
session.

John Squeo
Technical Specialist
Papa John's Corporation
(502) 261-4035


   
  
jeffrey wang
Sent by: nobody@groupstudy.com
10/25/01 12:08 PM
Please respond to jeffrey wang
cc:
Subject: Re: MAC address and VLANs [7:23950]
   
  
   
  




Not only did VLANs help solve the broadcast problem, they also helped with
the unicast problem. I used to run into a problem with some UDP application
on a pretty large flat network. When some 100M/full-duplex started talking,
the 10M workstations froze. The sniffer showed me that it was caused by a
unicast storm. Eventually, I learned that if a unicast is sent while the
switch doesn't have, or has forgotten, its destination's MAC, it floods. No
100M workstation was affected, but all the 10s died. A couple of seconds
later, it calmed down (the switches started to know where the destination's
MAC was). However, it happened again and again. VLANs help first to restrict
the problem to ONE VLAN, and second to keep the switches that don't have the
VLAN from being affected.

Priscilla Oppenheimer wrote:

 The multi-VLAN feature that Leigh Anne mentioned might solve your
problem.
 The Cisco switch port could be associated with two VLANs that way. You
 didn't say which switch you have, and this feature may not be available
on
 all Cisco switches, though.

 Assuming that you don't want to upgrade the little switch to one that
does
 802.1Q or ISL, another somewhat radical fix to the problem might be to
not
 use VLANs. My philosophy is that once VLANs get to the point of causing
 more problems than they fix, I eliminate them. ;-)

 One of the main things VLANs were supposed to fix was excessive
broadcasts
 causing too many CPU interruptions on numerous workstations in a large,
 flat, switched network.

 Lately I have taken to making the controversial statement that this
problem
 doesn't exist on many modern networks. These days workstations have
 amazingly fast CPUs. They are not bogged down by processing broadcasts.
 Also, as we eliminate older desktop protocols such as AppleTalk and
IPX,
 what is still sending broadcasts? An ARP here or there is not a big
 problem. And ARPs don't actually happen that often. A PC keeps the
 data-link-layer address of its default gateway and other communication
 partners for a long time.

 Also, a lot of PC NICs used to be stupid about multicasts and interrupt
the
 CPU for irrelevant multicasts for which the PC was not registered to
 listen. I bet that bug has been fixed by now.

 VLANs have other benefits (security, dividing up management and
 administrative domains, etc.) But if broadcasts are the issue, one should
 ask:

 Which protocols send broadcasts and how often?
 How fast are the CPUs?

 And that is my latest harangue against my least favorite LAN technology
 (VLANs!)

 Priscilla

 At 09:52 AM 10/24/01, NetEng wrote:
 Thanks for the replies. The two MAC addresses would come from the two PC's
 in an office. They would both connect in to a hub and then the hub would
 uplink to the cisco switch. I need one pc in VLAN1 and one pc in VLAN2, from
 what you and Dennis stated this will not work. I appreciate the comments
 though.
 
 Collin
 
 Leigh Anne Chisholm  wrote in message
 news:[EMAIL PROTECTED]...
   Actually, that's not correct.  The original specification for VLANs
from
   what I understand mandates that only one VLAN can be assigned to a
port,
 but
   manufacturers such as 3COM decided to do otherwise and support
multiple
   VLANs per port.  Cisco responded by creating (on certain switches
such
as
   the Catalyst 2900XL) an administrator to configure a port to be a
member
 of
   more than one VLAN at a time when using a membership mode known as
   Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the
actual
   number of VLANs to which the port can belong depends on the
capability
of
   the switch itself. Although the concept is similar, this membership
mode
 is
   different than trunking.  The caveat to this feature is that the
   Multi-VLAN membership mode cannot be configured on a switch if one or
 more
   ports on the switch have been configured to trunk.
  
   For more inf

RE: MAC address and VLANs [7:23950]

2001-10-25 Thread Priscilla Oppenheimer

Well, now you're really talking about the dark ages. ;-)

You are back to the early 1990s discussion about upgrading hubs to 
switches. That's a good idea so that each port has 100 Mbps (or 10 Mbps) 
rather than all ports sharing bandwidth and being in the same collision 
domain. I can't think of any reason not to upgrade to switches at this 
point. It's difficult to even buy a 100-Mbps hub any more. (I tried and 
they sent me a switch!) The upgrade is quite seamless (unlike the upgrade 
from switches to VLAN-aware switches.)

This has nothing to do with the late 1990s question of broadcasts which 
came about when people started replacing routers with switches and 
designing a network that was a large broadcast domain. They thought they 
had solved all their problems but they hadn't because a switch forwards 
broadcasts, whereas a router does not, of course.

VLANs let you divide up those broadcast domains and be smarter about the 
flooding of unknown unicasts (as someone else mentioned, which was a good 
point.)

But VLANs bring with them all sorts of other management headaches. It's a 
tradeoff that doesn't need to be made in many modern networks, despite what 
Cisco tells you. The materials that we read about broadcasts in switched 
networks come from studies Cisco did in 1994. And some books still have 
that silly triangle that a Cisco marketing engineer (now that's an 
oxymoron!) designed in 1994.

Yes, I know that VLANs have other advantages (supposedly) besides dividing 
up broadcast domains, and I warned people up front that my point of view 
was controversial, but I'm sticking to it. ;-)

With regards to your practical limits, Cisco has some guidelines (but once 
again they are based on OLD data ;-) A broadcast domain shouldn't have more 
than a few hundred nodes.

Also, with regards to your comment about sniffing on a switched network. 
Remember that all you see is broadcasts and traffic to your port (unless 
you mirror other ports) so you get a skewed view.

So have we beat this one to death yet? I enjoyed the discussion. (I hope we 
didn't put everyone else to sleep! ;-)

Priscilla


Well, I admit, my response was a bit clouded by the fact that one of our
clients recently requested a redesign of their flat beyond flat
network.  Call it justification!  They are using, UGH, 10BaseT Hubs with
some nasTY (with an intentional capital T and Y), daisy chaining hub
action, which REALLY exacerbated performance loss.  Not to mention it's
all Bay GEAR!  Evil!  :)  Admittedly, that IS changing the premise of
Priscilla's original statement.  The network I am working on is HARDLY the
epitome of the modern day model system Priscilla described.  I am guessing
with solid switches across the board, it might very well be pretty darn
good in terms of performance.  I was just curious where the new practical
bar was raised to.

If the situation is with 10BaseT hubs, I would not be surprised if
performance is really becoming an issue where broadcasts become a
percentage of your daily bandwidth.  Where broadcasts are probably far more
often being that even unicast packets are broadcasted on the wondrous
layer 1 repeater technology known as hubs.  With all switches, I am not too
sure I can say clearly otherwise, but I was just wondering how far is a
practical limit in today's modern systems?  On top of that, yes, all in
moderation.  If we take either approach to the extreme, we clearly see
significant flaws.  No one wants to run subnets of 2 usable hosts each for
their entire network and smash their catalyst 6509 with routing modules to
oblivion.  No one wants to run the 30,000 flat network from HecK.  (Ok,
maybe some people do...)  Look Ma, no routers!

On the side, you just noticed your statement implies that some would run
multiple VLANs with a single subnet?   I guess you would depend on having
at least one port on both VLANs to get interconnectivity?  Would that be
like bridging?  (unifying two layer 2 networks).

Her statements on the windows protocol seem correct.  Ugh, I got to whip
out the old sniffer again.  Or read up again.  I could have sworn I STILL
saw a multitude of crap flying every second on my old college network even
after we went to a switch.  I should try again since her points seem quite
valid.

Hm.  Although broadcasting was necessary, in the more extreme case, does it
make sense for a quote server to broadcast to another quote server?  There
is a small subsegment of don't cares for the quotes, it seems like
multicast is more ideal, but probably not necessary.  No matter, I am sure
the demigods of broadcast control had a working solution.  :)


-Carroll Kong


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24124t=23950
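
The switch behaviour discussed in this thread (unknown-unicast flooding confined to one VLAN, learned entries aging out, and several MACs behind a hub inheriting the port's single VLAN), as an added Python model that is not part of any post. The port numbers, VLAN ids, MAC addresses and the 300-second aging time are constructed assumptions.

```python
"""Toy VLAN-aware learning switch: unknown-unicast flooding, aging, per-port VLANs."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample addresses (locally administered), not taken from the thread.
PC_A = "02:00:00:00:00:0a"    # sender, behind a hub on port 1
PC_A2 = "02:00:00:00:00:0b"   # second PC behind the same hub on port 1
PC_B = "02:00:00:00:00:14"    # receiver on port 2


@dataclass
class LearningSwitch:
    port_vlan: dict               # access port -> VLAN id (one VLAN per port)
    aging_time: float = 300.0     # assumed idle timeout for learned entries (s)
    table: dict = field(default_factory=dict)  # (vlan, mac) -> (port, last_seen)

    def receive(self, in_port, src, dst, now):
        """Handle one frame and return the sorted list of egress ports."""
        vlan = self.port_vlan[in_port]            # VLAN comes from the port, not the MAC
        self.table[(vlan, src)] = (in_port, now)  # learn or refresh the source

        entry = self.table.get((vlan, dst))
        if entry is not None and now - entry[1] > self.aging_time:
            del self.table[(vlan, dst)]           # destination went quiet: forget it
            entry = None

        if dst == BROADCAST or entry is None:
            # Broadcast or unknown unicast: flood, but only inside the ingress VLAN.
            return sorted(p for p, v in self.port_vlan.items()
                          if v == vlan and p != in_port)
        out_port = entry[0]
        return [] if out_port == in_port else [out_port]

    def macs_on_port(self, port):
        """Return the (vlan, mac) pairs currently learned on a port."""
        return sorted(key for key, (p, _) in self.table.items() if p == port)


def run_scenario():
    """Ports 1-3 are in VLAN 10, ports 4-5 in VLAN 20 (constructed layout)."""
    sw = LearningSwitch(port_vlan={1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
    seen = {
        "first_frame": sw.receive(1, PC_A, PC_B, now=0),     # B not learned yet
        "reply": sw.receive(2, PC_B, PC_A, now=1),            # A already learned
        "learned": sw.receive(1, PC_A, PC_B, now=2),          # B learned from reply
        "after_aging": sw.receive(1, PC_A, PC_B, now=400),    # B silent > aging_time
        "hub_broadcast": sw.receive(1, PC_A2, BROADCAST, now=401),
    }
    return sw, seen


if __name__ == "__main__":
    switch, results = run_scenario()
    for step, ports in results.items():
        print(f"{step:14s} -> egress ports {ports}")
    print("learned on port 1:", switch.macs_on_port(1))
```

Port 3 plays the bystander workstation: it receives A's traffic only while B's entry is missing, which a one-way stream to a silent receiver causes again each time the entry ages out. Ports 4 and 5 in the other VLAN never see any of it, and both PCs behind the hub are learned in the port's one VLAN.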

Re: MAC address and VLANs [7:23950]

2001-10-25 Thread Tom Lisa

Priscilla,

Never fear, I and many others I think, consider any discussion you're a part
of a MUST READ!  So feel free to ..

Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco Regional Networking Academy


Priscilla Oppenheimer wrote:

 Well, now you're really talking about the dark ages. ;-)

 You are back to the early 1990s discussion about upgrading hubs to
 switches. That's a good idea so that each port has 100 Mbps (or 10 Mbps)
 rather than all ports sharing bandwidth and being in the same collision
 domain. I can't think of any reason not to upgrade to switches at this
 point. It's difficult to even buy a 100-Mbps hub any more. (I tried and
 they sent me a switch!) The upgrade is quite seamless (unlike the upgrade
 from switches to VLAN-aware switches.)

 This has nothing to do with the late 1990s question of broadcasts which
 came about when people started replacing routers with switches and
 designing a network that was a large broadcast domain. They thought they
 had solved all their problems but they hadn't because a switch forwards
 broadcasts, whereas a router does not, of course.

 VLANs let you divide up those broadcast domains and be smarter about the
 flooding of unknown unicasts (as someone else mentioned, which was a good
 point.)

 But VLANs bring with them all sorts of other management headaches. It's a
 tradeoff that doesn't need to be made in many modern networks, despite what
 Cisco tells you. The materials that we read about broadcasts in switched
 networks come from studies Cisco did in 1994. And some books still have
 that silly triangle that a Cisco marketing engineer (now that's an
 oxymoron!) designed in 1994.

 Yes, I know that VLANs have other advantages (supposedly) besides dividing
 up broadcast domains, and I warned people up front that my point of view
 was controversial, but I'm sticking to it. ;-)

 With regards to your practical limits, Cisco has some guidelines (but once
 again they are based on OLD data ;-) A broadcast domain shouldn't have more
 than a few hundred nodes.

 Also, with regards to your comment about sniffing on a switched network.
 Remember that all you see is broadcasts and traffic to your port (unless
 you mirror other ports) so you get a skewed view.

 So have we beat this one to death yet? I enjoyed the discussion. (I hope we
 didn't put everyone else to sleep! ;-)

 Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24174t=23950



RE: MAC address and VLANs [7:23950]

2001-10-25 Thread Baety Wayne A1C 18 CS/SCBX

As well as it should when you're transferring 100's of megabytes of data;
it's not exactly like downloading a web page.  That's where CAR rears its
ugly face, no?

WAYNE BAETY, MCSE, A1C, USAF
Network Systems Trainer


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Friday, October 26, 2001 1:52 AM
To: [EMAIL PROTECTED]
Subject: Re: MAC address and VLANs [7:23950]

I couldn't agree more on this issue, Jeff.  Norton's Ghost is notorious for
hogging much of the backplane bandwidth on CAT5500s during a unicast TCP
session.

John Squeo
Technical Specialist
Papa John's Corporation
(502) 261-4035


 

jeffrey wang
Sent by: nobody@groupstudy.com
10/25/01 12:08 PM
Please respond to jeffrey wang
cc:
Subject: Re: MAC address and VLANs [7:23950]
 

 





Not only did VLANs help solve the broadcast problem, they also helped with
the unicast problem. I used to run into a problem with some UDP application
on a pretty large flat network. When some 100M/full-duplex started talking,
the 10M workstations froze. The sniffer showed me that it was caused by a
unicast storm. Eventually, I learned that if a unicast is sent while the
switch doesn't have, or has forgotten, its destination's MAC, it floods. No
100M workstation was affected, but all the 10s died. A couple of seconds
later, it calmed down (the switches started to know where the destination's
MAC was). However, it happened again and again. VLANs help first to restrict
the problem to ONE VLAN, and second to keep the switches that don't have the
VLAN from being affected.

Priscilla Oppenheimer wrote:

 The multi-VLAN feature that Leigh Anne mentioned might solve your
problem.
 The Cisco switch port could be associated with two VLANs that way. You
 didn't say which switch you have, and this feature may not be available
on
 all Cisco switches, though.

 Assuming that you don't want to upgrade the little switch to one that
does
 802.1Q or ISL, another somewhat radical fix to the problem might be to
not
 use VLANs. My philosophy is that once VLANs get to the point of causing
 more problems than they fix, I eliminate them. ;-)

 One of the main things VLANs were supposed to fix was excessive
broadcasts
 causing too many CPU interruptions on numerous workstations in a large,
 flat, switched network.

 Lately I have taken to making the controversial statement that this
problem
 doesn't exist on many modern networks. These days workstations have
 amazingly fast CPUs. They are not bogged down by processing broadcasts.
 Also, as we eliminate older desktop protocols such as AppleTalk and
IPX,
 what is still sending broadcasts? An ARP here or there is not a big
 problem. And ARPs don't actually happen that often. A PC keeps the
 data-link-layer address of its default gateway and other communication
 partners for a long time.

 Also, a lot of PC NICs used to be stupid about multicasts and interrupt
the
 CPU for irrelevant multicasts for which the PC was not registered to
 listen. I bet that bug has been fixed by now.

 VLANs have other benefits (security, dividing up management and
 administrative domains, etc.) But if broadcasts are the issue, one should
 ask:

 Which protocols send broadcasts and how often?
 How fast are the CPUs?

 And that is my latest harangue against my least favorite LAN technology
 (VLANs!)

 Priscilla

 At 09:52 AM 10/24/01, NetEng wrote:
 Thanks for the replies. The two MAC addresses would come from the two PC's
 in an office. They would both connect in to a hub and then the hub would
 uplink to the cisco switch. I need one pc in VLAN1 and one pc in VLAN2, from
 what you and Dennis stated this will not work. I appreciate the comments
 though.
 
 Collin
 
 Leigh Anne Chisholm  wrote in message
 news:[EMAIL PROTECTED]...
   Actually, that's not correct.  The original specification for VLANs
from
   what I understand mandates that only one VLAN can be assigned to a
port,
 but
   manufacturers such as 3COM decided to do otherwise and support
multiple
   VLANs per port.  Cisco responded by creating (on certain switches
such
as
   the Catalyst 2900XL) an administrator to configure a port to be a
member
 of
   more than one VLAN at a time when using a membership mode known as
   Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the
actual
   number of VLANs to which the port can belong depends on the
capability
of
   the switch itself. Although the concept is similar, this membership
mode
 is
   different than trunking.  The caveat to this feature is that the
   Multi-VLAN membership mode cannot be configured on a switch if one or
 more
   ports on the switch have been configured to trunk.
  
   For more information on this feature, search Cisco's website using
the
   keyword phrase switchport multi.
  
   As for answering 

RE: MAC address and VLANs [7:23950]

2001-10-25 Thread Baety Wayne A1C 18 CS/SCBX

Oops, I forgot to complete that thought

Hence, the second most important reason for routing... drum roll...
Traffic Policing.  Is this the start of another Dave's Top Ten?

Essentially, large flat networks probably also have no internal security and
no internal traffic cops.  Now that's ugly.


-Original Message-
From: Baety Wayne A1C 18 CS/SCBX 
Sent: Friday, October 26, 2001 11:14 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: MAC address and VLANs [7:23950]

As well as it should when you're transferring 100's of megabytes of data;
it's not exactly like downloading a web page.  That's where CAR rears its
ugly face, no?

WAYNE BAETY, MCSE, A1C, USAF
Network Systems Trainer


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Friday, October 26, 2001 1:52 AM
To: [EMAIL PROTECTED]
Subject: Re: MAC address and VLANs [7:23950]

I couldn't agree more on this issue, Jeff.  Norton's Ghost is notorious for
hogging much of the backplane bandwidth on CAT5500s during a unicast TCP
session.

John Squeo
Technical Specialist
Papa John's Corporation
(502) 261-4035


 

jeffrey wang
Sent by: nobody@groupstudy.com
10/25/01 12:08 PM
Please respond to jeffrey wang
cc:
Subject: Re: MAC address and VLANs [7:23950]
 

 





Not only did VLANs help solve the broadcast problem, they also helped with
the unicast problem. I used to run into a problem with some UDP application
on a pretty large flat network. When some 100M/full-duplex started talking,
the 10M workstations froze. The sniffer showed me that it was caused by a
unicast storm. Eventually, I learned that if a unicast is sent while the
switch doesn't have, or has forgotten, its destination's MAC, it floods. No
100M workstation was affected, but all the 10s died. A couple of seconds
later, it calmed down (the switches started to know where the destination's
MAC was). However, it happened again and again. VLANs help first to restrict
the problem to ONE VLAN, and second to keep the switches that don't have the
VLAN from being affected.

Priscilla Oppenheimer wrote:

 The multi-VLAN feature that Leigh Anne mentioned might solve your
problem.
 The Cisco switch port could be associated with two VLANs that way. You
 didn't say which switch you have, and this feature may not be available
on
 all Cisco switches, though.

 Assuming that you don't want to upgrade the little switch to one that
does
 802.1Q or ISL, another somewhat radical fix to the problem might be to
not
 use VLANs. My philosophy is that once VLANs get to the point of causing
 more problems than they fix, I eliminate them. ;-)

 One of the main things VLANs were supposed to fix was excessive
broadcasts
 causing too many CPU interruptions on numerous workstations in a large,
 flat, switched network.

 Lately I have taken to making the controversial statement that this
problem
 doesn't exist on many modern networks. These days workstations have
 amazingly fast CPUs. They are not bogged down by processing broadcasts.
 Also, as we eliminate older desktop protocols such as AppleTalk and
IPX,
 what is still sending broadcasts? An ARP here or there is not a big
 problem. And ARPs don't actually happen that often. A PC keeps the
 data-link-layer address of its default gateway and other communication
 partners for a long time.

 Also, a lot of PC NICs used to be stupid about multicasts and interrupt
the
 CPU for irrelevant multicasts for which the PC was not registered to
 listen. I bet that bug has been fixed by now.

 VLANs have other benefits (security, dividing up management and
 administrative domains, etc.) But if broadcasts are the issue, one should
 ask:

 Which protocols send broadcasts and how often?
 How fast are the CPUs?

 And that is my latest harangue against my least favorite LAN technology
 (VLANs!)

 Priscilla

 At 09:52 AM 10/24/01, NetEng wrote:
 Thanks for the replies. The two MAC addresses would come from the two PC's
 in an office. They would both connect in to a hub and then the hub would
 uplink to the cisco switch. I need one pc in VLAN1 and one pc in VLAN2, from
 what you and Dennis stated this will not work. I appreciate the comments
 though.
 
 Collin
 
 Leigh Anne Chisholm  wrote in message
 news:[EMAIL PROTECTED]...
   Actually, that's not correct.  The original specification for VLANs
from
   what I understand mandates that only one VLAN can be assigned to a
port,
 but
   manufacturers such as 3COM decided to do otherwise and support
multiple
   VLANs per port.  Cisco responded by creating (on certain switches
such
as
   the Catalyst 2900XL) an administrator to configure a port to be a
member
 of
   more than one VLAN at a time when using a membership mode known as
   Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the
actual
 

Re: MAC address and VLANs [7:23950]

2001-10-24 Thread NetEng

Thanks for the replies. The two MAC addresses would come from the two PC's
in an office. They would both connect in to a hub and then the hub would
uplink to the cisco switch. I need one pc in VLAN1 and one pc in VLAN2, from
what you and Dennis stated this will not work. I appreciate the comments
though.

Collin

Leigh Anne Chisholm  wrote in message
news:[EMAIL PROTECTED]...
 Actually, that's not correct.  The original specification for VLANs from
 what I understand mandates that only one VLAN can be assigned to a port,
but
 manufacturers such as 3COM decided to do otherwise and support multiple
 VLANs per port.  Cisco responded by creating (on certain switches such as
 the Catalyst 2900XL) an administrator to configure a port to be a member
of
 more than one VLAN at a time when using a membership mode known as
 Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the actual
 number of VLANs to which the port can belong depends on the capability of
 the switch itself. Although the concept is similar, this membership mode
is
 different than trunking.  The caveat to this feature is that the
 Multi-VLAN membership mode cannot be configured on a switch if one or more
 ports on the switch have been configured to trunk.

 For more information on this feature, search Cisco's website using the
 keyword phrase switchport multi.

 As for answering NetEng's question--I can't quite determine where multiple
 MAC addresses share the same switch port.  Could you identify which switch
 that is?


   -- Leigh Anne

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
  Dennis
  Sent: Tuesday, October 23, 2001 3:48 PM
  To: [EMAIL PROTECTED]
  Subject: Re: MAC address and VLANs [7:23950]
 
 
  Cisco will recognize multiple macs on a single port but they must
  all be in
  the same vlan.  Vlan assignment is per port.  Your other option
  would be to
  replace the non cisco hub with a cisco switch which is trunked to the
main
  switch.
 
  --
 
  -=Reply to group only... no personal=-
 
  NetEng  wrote in message
  news:[EMAIL PROTECTED]...
   Here's my situation. I have a corporate PC with an IP address of
  10.10.x.x
   and in the same office (and same physical network) another
  device with an
  IP
   address of 192.168.100.x Both devices are connected to a small
  hub/switch
   which in turn is connected to a cisco switch. Can I have the
  10.10.x.x be
   apart of one vlan and the 192.168.100.x be a member of another or the
   default vlan? Can cisco switches recognize multiple MAC addresses on a
   single switch port (if so, how many?) and be smart enough to know
which
  vlan
   which MAC address belongs to? This would save me hours (otherwise I
have
  to
   run cable for connections to our corporate network and
  connections to our
   test network in every cube :-( ). TIA
  
   PS I understand the best way to do this would be to connect each
device
  into
   the cisco switch, but I only have a single cable run to each
cube/office
  
  
   (corporate pc) 10.10.x.x
         |
        PC      PC (test network) 192.168.100.x
         |      |
          \    /
           \  /
    SWITCH/HUB (non-cisco)
            |
            |
      CISCO SWITCH
          VLANs
   --------  --------
   | corp |  | test |
   --------  --------




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24011t=23950



Re: MAC address and VLANs [7:23950]

2001-10-24 Thread [EMAIL PROTECTED]

Here are the answers that you need plain and simple:

Yes you can have many, many different MAC addresses on the same switch port.
This happens when a hub with multiple PCs is uplinked to one Cisco
switchport.  But that DOESN'T solve YOUR problem.

There are two simple ways to get TWO distinct VLANs through one CAT5 cable.

The first way allows you to maintain 100MB speed and/or Full Duplex:
1. Purchase a cheap non-cisco switch that supports 802.1q trunking or a
Cisco switch that does either ISL or 802.1q trunking.  The one caveat here
is that if your MAIN switch in the closet is a CAT4000, you will HAVE to do
802.1q.  Or, if you are running old switch code on a CAT5500, you will have
to get a cheap Cisco switch that does ISL trunking.

2. Place the cheap switch at your desk and configure your single CAT5 cable
to be either an ISL or 802.1q trunk on your MAIN switch, and on your little
desktop switch.  Bingo, you can then configure any ports on the desktop
switch to support any VLANs in your VTP domain.

The Cheapest way to solve your problem forces you to do only 10MB speed.
You might be able to support Full Duplex over this configuration:
1. Simply split the CAT5 cable.  You can either purchase splitters or make
your own.  A CAT5 splitter has a male RJ-45 on one end and two female
RJ-45s on its other end, labeled port A and port B.  You will need one
for the jack at your desk and one for the wiring frame in the wiring
closet.  You will then run individual CAT5 patch cables from the splitter
to two distinct switch ports on your MAIN switch and configure each of them
to different VLANs.  Wallah!  You will then have two ports at your desk on
two different VLANs.

John Squeo
Technical Specialist
Papa John's Corporation
(502) 261-4035


   
  
   
NetEng
Sent by: nobody@groupstudy.com
10/24/01 09:52 AM
Please respond to NetEng
cc:
Subject: Re: MAC address and VLANs [7:23950]
   
  
   
  




Thanks for the replies. The two MAC addresses would come from the two PC's
in an office. They would both connect in to a hub and then the hub would
uplink to the cisco switch. I need one pc in VLAN1 and one pc in VLAN2,
from
what you and Dennis stated this will not work. I appreciate the comments
though.

Collin

Leigh Anne Chisholm  wrote in message
news:[EMAIL PROTECTED]...
 Actually, that's not correct.  The original specification for VLANs from
 what I understand mandates that only one VLAN can be assigned to a port,
but
 manufacturers such as 3COM decided to do otherwise and support multiple
 VLANs per port.  Cisco responded by creating (on certain switches such as
 the Catalyst 2900XL) an administrator to configure a port to be a member
of
 more than one VLAN at a time when using a membership mode known as
 Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the actual
 number of VLANs to which the port can belong depends on the capability of
 the switch itself. Although the concept is similar, this membership mode
is
 different than trunking.  The caveat to this feature is that the
 Multi-VLAN membership mode cannot be configured on a switch if one or
more
 ports on the switch have been configured to trunk.

 For more information on this feature, search Cisco's website using the
 keyword phrase switchport multi.

 As for answering NetEng's question--I can't quite determine where
multiple
 MAC addresses share the same switch port.  Could you identify which
switch
 that is?


   -- Leigh Anne

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
  Dennis
  Sent: Tuesday, October 23, 2001 3:48 PM
  To: [EMAIL PROTECTED]
  Subject: Re: MAC address and VLANs [7:23950]
 
 
  Cisco will recognize multiple macs on a single port but they must
  all be in
  the same vlan.  Vlan assignment is per port.  Your other option
  would be to
  replace the non cisco hub with a cisco switch which is trunked to the
main
  switch.
 
  --
 
  -=Reply to group only... no personal=-
 
  NetEng  wrote in message
  [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
   Here's my situtation. I have a corporate PC with an IP address of
  10.10.x.x
   and in the same office (and same physical network) another
  device with an
  IP
   address of 192.168.10

Re: MAC address and VLANs [7:23950]

2001-10-24 Thread [EMAIL PROTECTED]

Here are the answers that you need plain and simple:

Yes you can have many, many different MAC addresses on the same switch port.
This happens when a hub with multiple PCs is uplinked to one Cisco
switchport.  But that DOESN'T solve YOUR problem.

There are two simple ways to get TWO distinct VLANs through one CAT5 cable.

The first way allows you to maintain 100MB speed and/or Full Duplex:
1. Purchase a cheap non-cisco switch that supports 802.1q trunking or a
Cisco switch that does either ISL or 802.1q trunking.  The one caveat here
is that if your MAIN switch in the closet is a CAT4000, you will HAVE to do
802.1q.  Or, if you are running old switch code on a CAT5500, you will have
to get a cheap Cisco switch that does ISL trunking.

2. Place the cheap switch at your desk and configure your single CAT5 cable
to be either an ISL or 802.1q trunk on your MAIN switch, and on your little
desktop switch.  Bingo, you can then configure any ports on the desktop
switch to support any VLANs in your VTP domain.

The Cheapest way to solve your problem forces you to do only 10MB speed.
You might be able to support Full Duplex over this configuration:
1. Simply split the CAT5 cable.  You can either purchase splitters or make
your own.  A CAT5 splitter has a male RJ-45 on one end and two female
RJ-45s on its other end, labeled port A and port B.  You will need one
for the jack at your desk and one for the wiring frame in the wiring
closet.  You will then run individual CAT5 patch cables from the splitter
to two distinct switch ports on your MAIN switch and configure each of them
to different VLANs.  Voilà!  You will then have two ports at your desk on
two different VLANs.


John Squeo
Technical Specialist
Papa John's Corporation
(502) 261-4035


   
  
   
NetEng
Sent by: nobody@groupstudy.com
10/24/01 09:52 AM
Please respond to NetEng

Subject: Re: MAC address and VLANs [7:23950]




Thanks for the replies. The two MAC addresses would come from the two PC's
in an office. They would both connect in to a hub and then the hub would
uplink to the cisco switch. I need one pc in VLAN1 and one pc in VLAN2,
from
what you and Dennis stated this will not work. I appreciate the comments
though.

Collin

Leigh Anne Chisholm wrote in message news:[EMAIL PROTECTED]...
 Actually, that's not correct.  The original specification for VLANs from
 what I understand mandates that only one VLAN can be assigned to a port,
but
 manufacturers such as 3COM decided to do otherwise and support multiple
 VLANs per port.  Cisco responded by creating (on certain switches such as
 the Catalyst 2900XL) an administrator to configure a port to be a member
of
 more than one VLAN at a time when using a membership mode known as
 Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the actual
 number of VLANs to which the port can belong depends on the capability of
 the switch itself. Although the concept is similar, this membership mode
is
 different than trunking.  The caveat to this feature is that the
 Multi-VLAN membership mode cannot be configured on a switch if one or
more
 ports on the switch have been configured to trunk.

 For more information on this feature, search Cisco's website using the
 keyword phrase switchport multi.

 As for answering NetEng's question--I can't quite determine where
multiple
 MAC addresses share the same switch port.  Could you identify which
switch
 that is?


   -- Leigh Anne

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
  Dennis
  Sent: Tuesday, October 23, 2001 3:48 PM
  To: [EMAIL PROTECTED]
  Subject: Re: MAC address and VLANs [7:23950]
 
 
  Cisco will recognize multiple macs on a single port but they must
  all be in
  the same vlan.  Vlan assignment is per port.  Your other option
  would be to
  replace the non cisco hub with a cisco switch which is trunked to the
main
  switch.
 
  --
 
  -=Reply to group only... no personal=-
 
  NetEng wrote in message news:[EMAIL PROTECTED]...
   Here's my situation. I have a corporate PC with an IP address of
  10.10.x.x
   and in the same office (and same physical network) another
  device with an
  IP
   address of 192.168.10
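
The per-port VLAN assignment Dennis describes and the 802.1Q trunk to a desktop switch from John Squeo's reply, modelled as an added example that is not part of the original thread. The MAC addresses are constructed, VLAN 1 as the trunk's untagged native VLAN is an assumption, and dropping tagged frames on an access port is a simplification of this model.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (locally administered), not taken from the thread.
CORP_PC = "02:00:00:00:00:0a"
TEST_PC = "02:00:00:00:00:0b"
GATEWAY = "02:00:00:00:00:01"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes = b"") -> bytes:
    """Build an untagged Ethernet II frame, as a PC's NIC would send it."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETHERTYPE_IPV4) + payload


def add_tag(frame: bytes, vlan: int) -> bytes:
    """Insert a 4-byte 802.1Q tag (priority 0) after the source MAC."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def parse_frame(frame: bytes):
    """Return (source MAC, VLAN ID from the 802.1Q tag, or None if untagged)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return src, None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return src, tci & 0x0FFF   # low 12 bits of the TCI carry the VLAN ID


@dataclass
class Port:
    mode: str                        # "access" or "trunk"
    access_vlan: int = 1
    native_vlan: int = 1             # assumption: VLAN 1 travels untagged
    allowed: frozenset = frozenset()


def ingress_vlan(port: Port, frame: bytes):
    """VLAN the switch assigns to a received frame, or None if it is dropped."""
    _src, tag = parse_frame(frame)
    if port.mode == "access":
        # The VLAN comes from the port configuration; the source MAC is
        # never consulted. Model simplification: tagged frames are dropped.
        return None if tag is not None else port.access_vlan
    vlan = port.native_vlan if tag is None else tag
    return vlan if vlan in port.allowed else None


def trunk_egress(frame: bytes, vlan: int, trunk: Port) -> bytes:
    """Frame as sent on an 802.1Q trunk: native VLAN untagged, others tagged."""
    return frame if vlan == trunk.native_vlan else add_tag(frame, vlan)


def hub_on_access_port():
    """Both PCs share a hub that uplinks to one access port in VLAN 1."""
    port = Port("access", access_vlan=1)
    return {src: ingress_vlan(port, build_frame(GATEWAY, src))
            for src in (CORP_PC, TEST_PC)}


def desktop_switch_on_trunk():
    """Each PC has its own access port on a desktop switch trunked upstream."""
    desk_ports = {CORP_PC: Port("access", access_vlan=1),
                  TEST_PC: Port("access", access_vlan=2)}
    trunk = Port("trunk", native_vlan=1, allowed=frozenset({1, 2}))
    seen = {}
    for src, port in desk_ports.items():
        frame = build_frame(GATEWAY, src)
        vlan = ingress_vlan(port, frame)            # desktop switch classifies
        uplink = trunk_egress(frame, vlan, trunk)   # tag added for VLAN 2 only
        seen[src] = ingress_vlan(trunk, uplink)     # main switch reads the tag
    return seen


if __name__ == "__main__":
    print("hub on access port :", hub_on_access_port())
    print("desktop switch trunk:", desktop_switch_on_trunk())
```
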

Re: MAC address and VLANs [7:23950]

2001-10-24 Thread Priscilla Oppenheimer

The multi-VLAN feature that Leigh Anne mentioned might solve your problem. 
The Cisco switch port could be associated with two VLANs that way. You 
didn't say which switch you have, and this feature may not be available on 
all Cisco switches, though.

Assuming that you don't want to upgrade the little switch to one that does 
802.1Q or ISL, another somewhat radical fix to the problem might be to not 
use VLANs. My philosophy is that once VLANs get to the point of causing
more problems than they fix, I eliminate them. ;-)

One of the main things VLANs were supposed to fix was excessive broadcasts 
causing too many CPU interruptions on numerous workstations in a large, 
flat, switched network.

Lately I have taken to making the controversial statement that this problem 
doesn't exist on many modern networks. These days workstations have 
amazingly fast CPUs. They are not bogged down by processing broadcasts. 
Also, as we eliminate older desktop protocols such as AppleTalk and IPX, 
what is still sending broadcasts? An ARP here or there is not a big 
problem. And ARPs don't actually happen that often. A PC keeps the 
data-link-layer address of its default gateway and other communication 
partners for a long time.

Also, a lot of PC NICs used to be stupid about multicasts and interrupt the 
CPU for irrelevant multicasts for which the PC was not registered to 
listen. I bet that bug has been fixed by now.

VLANs have other benefits (security, dividing up management and 
administrative domains, etc.) But if broadcasts are the issue, one should ask:

Which protocols send broadcasts and how often?
How fast are the CPUs?

And that is my latest harangue against my least favorite LAN technology 
(VLANs!)

Priscilla

At 09:52 AM 10/24/01, NetEng wrote:
Thanks for the replies. The two MAC addresses would come from the two PC's
in an office. They would both connect in to a hub and then the hub would
uplink to the cisco switch. I need one pc in VLAN1 and one pc in VLAN2, from
what you and Dennis stated this will not work. I appreciate the comments
though.

Collin

Leigh Anne Chisholm wrote in message news:[EMAIL PROTECTED]...
  Actually, that's not correct.  The original specification for VLANs from
  what I understand mandates that only one VLAN can be assigned to a port,
but
  manufacturers such as 3COM decided to do otherwise and support multiple
  VLANs per port.  Cisco responded by creating (on certain switches such as
  the Catalyst 2900XL) an administrator to configure a port to be a member
of
  more than one VLAN at a time when using a membership mode known as
  Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the actual
  number of VLANs to which the port can belong depends on the capability of
  the switch itself. Although the concept is similar, this membership mode
is
  different than trunking.  The caveat to this feature is that the
  Multi-VLAN membership mode cannot be configured on a switch if one or
more
  ports on the switch have been configured to trunk.
 
  For more information on this feature, search Cisco's website using the
  keyword phrase switchport multi.
 
  As for answering NetEng's question--I can't quite determine where
multiple
  MAC addresses share the same switch port.  Could you identify which
switch
  that is?
 
 
-- Leigh Anne
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
   Dennis
   Sent: Tuesday, October 23, 2001 3:48 PM
   To: [EMAIL PROTECTED]
   Subject: Re: MAC address and VLANs [7:23950]
  
  
   Cisco will recognize multiple macs on a single port but they must
   all be in
   the same vlan.  Vlan assignment is per port.  Your other option
   would be to
   replace the non cisco hub with a cisco switch which is trunked to the
main
   switch.
  
   --
  
   -=Reply to group only... no personal=-
  
   NetEng wrote in message news:[EMAIL PROTECTED]...
    Here's my situation. I have a corporate PC with an IP address of 10.10.x.x
    and in the same office (and same physical network) another device with an IP
    address of 192.168.100.x. Both devices are connected to a small hub/switch
    which in turn is connected to a cisco switch. Can I have the 10.10.x.x be
    a part of one vlan and the 192.168.100.x be a member of another or the
    default vlan? Can cisco switches recognize multiple MAC addresses on a
    single switch port (if so, how many?) and be smart enough to know which vlan
    which MAC address belongs to? This would save me hours (otherwise I have to
    run cable for connections to our corporate network and connections to our
    test network in every cube :-( ). TIA

    PS I understand the best way to do this would be to connect each device into
    the cisco switch, but I only have a single cable run to each cube/office
   
   
(corporate pc)10.10.x.x
 |
PC  PC (test networ

Re: MAC address and VLANs [7:23950]

2001-10-24 Thread NetEng

Great Points. I've decided to check out wireless for the corporate stuff and
the wired network for the lab/test. It sounds better than being a cable
jockey :-) Thanks for all the insights.

Collin


Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...
 The multi-VLAN feature that Leigh Anne mentioned might solve your problem.
 The Cisco switch port could be associated with two VLANs that way. You
 didn't say which switch you have, and this feature may not be available on
 all Cisco switches, though.

 Assuming that you don't want to upgrade the little switch to one that does
 802.1Q or ISL, another somewhat radical fix to the problem might be to not
 use VLANs. My philosophy is that once VLANs get to the point of causing
 more problems than they fix, I eliminate them. ;-)

 One of the main things VLANs were supposed to fix was excessive broadcasts
 causing too many CPU interruptions on numerous workstations in a large,
 flat, switched network.

 Lately I have taken to making the controversial statement that this
problem
 doesn't exist on many modern networks. These days workstations have
 amazingly fast CPUs. They are not bogged down by processing broadcasts.
 Also, as we eliminate older desktop protocols such as AppleTalk and IPX,
 what is still sending broadcasts? An ARP here or there is not a big
 problem. And ARPs don't actually happen that often. A PC keeps the
 data-link-layer address of its default gateway and other communication
 partners for a long time.

 Also, a lot of PC NICs used to be stupid about multicasts and interrupt
the
 CPU for irrelevant multicasts for which the PC was not registered to
 listen. I bet that bug has been fixed by now.

 VLANs have other benefits (security, dividing up management and
 administrative domains, etc.) But if broadcasts are the issue, one should ask:

 Which protocols send broadcasts and how often?
 How fast are the CPUs?

 And that is my latest harangue against my least favorite LAN technology
 (VLANs!)

 Priscilla

 At 09:52 AM 10/24/01, NetEng wrote:
 Thanks for the replies. The two MAC addresses would come from the two PC's
 in an office. They would both connect in to a hub and then the hub would
 uplink to the cisco switch. I need one pc in VLAN1 and one pc in VLAN2,
from
 what you and Dennis stated this will not work. I appreciate the comments
 though.
 
 Collin
 
 Leigh Anne Chisholm wrote in message news:[EMAIL PROTECTED]...
   Actually, that's not correct.  The original specification for VLANs
from
   what I understand mandates that only one VLAN can be assigned to a
port,
 but
   manufacturers such as 3COM decided to do otherwise and support
multiple
   VLANs per port.  Cisco responded by creating (on certain switches such
as
   the Catalyst 2900XL) an administrator to configure a port to be a
member
 of
   more than one VLAN at a time when using a membership mode known as
   Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the
actual
   number of VLANs to which the port can belong depends on the capability
of
   the switch itself. Although the concept is similar, this membership
mode
 is
   different than trunking.  The caveat to this feature is that the
   Multi-VLAN membership mode cannot be configured on a switch if one or
 more
   ports on the switch have been configured to trunk.
  
   For more information on this feature, search Cisco's website using the
   keyword phrase switchport multi.
  
   As for answering NetEng's question--I can't quite determine where
 multiple
   MAC addresses share the same switch port.  Could you identify which
 switch
   that is?
  
  
 -- Leigh Anne
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
Of
Dennis
Sent: Tuesday, October 23, 2001 3:48 PM
To: [EMAIL PROTECTED]
    Subject: Re: MAC address and VLANs [7:23950]
   
   
Cisco will recognize multiple macs on a single port but they must
all be in
the same vlan.  Vlan assignment is per port.  Your other option
would be to
replace the non cisco hub with a cisco switch which is trunked to
the
 main
switch.
   
--
   
-=Reply to group only... no personal=-
   
NetEng wrote in message news:[EMAIL PROTECTED]...
 Here's my situation. I have a corporate PC with an IP address of 10.10.x.x
 and in the same office (and same physical network) another
device with an
IP
 address of 192.168.100.x Both devices are connected to a small
hub/switch
 which in turn is connected to a cisco switch. Can I have the
10.10.x.x be
 apart of one vlan and the 192.168.100.x be a member of another or
the
 default vlan? Can cisco switches recognize multiple MAC addresses
on
 a
 single switch port (if so, how many?) and be smart enough to know
 which
vlan
 which MAC address belongs to? This would save me hours (otherwise
I
 ha

RE: MAC address and VLANs [7:23950]

2001-10-24 Thread Chuck Larrieu

hooray for you, PO! you are absolutely correct.

In military science, it is well known that military establishments enter any
war prepared to fight the previous one. In these days of DSL to the home
desktop, 100 megabit to the office desktop, ATM backbone WANS, and HTML
based applications, we networking students study various means of eking out
another packet or two on 56K links. Anyone here see the point of ISDN backup
for DS3 links? ;-

Your forward thinking is commendable.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Priscilla Oppenheimer
Sent: Wednesday, October 24, 2001 11:51 AM
To: [EMAIL PROTECTED]
Subject: Re: MAC address and VLANs [7:23950]


The multi-VLAN feature that Leigh Anne mentioned might solve your problem.
The Cisco switch port could be associated with two VLANs that way. You
didn't say which switch you have, and this feature may not be available on
all Cisco switches, though.

Assuming that you don't want to upgrade the little switch to one that does
802.1Q or ISL, another somewhat radical fix to the problem might be to not
use VLANs. My philosophy is that once VLANs get to the point of causing
more problems than they fix, I eliminate them. ;-)

One of the main things VLANs were supposed to fix was excessive broadcasts
causing too many CPU interruptions on numerous workstations in a large,
flat, switched network.

Lately I have taken to making the controversial statement that this problem
doesn't exist on many modern networks. These days workstations have
amazingly fast CPUs. They are not bogged down by processing broadcasts.
Also, as we eliminate older desktop protocols such as AppleTalk and IPX,
what is still sending broadcasts? An ARP here or there is not a big
problem. And ARPs don't actually happen that often. A PC keeps the
data-link-layer address of its default gateway and other communication
partners for a long time.

Also, a lot of PC NICs used to be stupid about multicasts and interrupt the
CPU for irrelevant multicasts for which the PC was not registered to
listen. I bet that bug has been fixed by now.

VLANs have other benefits (security, dividing up management and
administrative domains, etc.) But if broadcasts are the issue, one should ask:

Which protocols send broadcasts and how often?
How fast are the CPUs?

And that is my latest harangue against my least favorite LAN technology
(VLANs!)

Priscilla

At 09:52 AM 10/24/01, NetEng wrote:
Thanks for the replies. The two MAC addresses would come from the two PC's
in an office. They would both connect in to a hub and then the hub would
uplink to the cisco switch. I need one pc in VLAN1 and one pc in VLAN2,
from
what you and Dennis stated this will not work. I appreciate the comments
though.

Collin

Leigh Anne Chisholm wrote in message news:[EMAIL PROTECTED]...
  Actually, that's not correct.  The original specification for VLANs from
  what I understand mandates that only one VLAN can be assigned to a port,
but
  manufacturers such as 3COM decided to do otherwise and support multiple
  VLANs per port.  Cisco responded by creating (on certain switches such
as
  the Catalyst 2900XL) an administrator to configure a port to be a member
of
  more than one VLAN at a time when using a membership mode known as
  Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the
actual
  number of VLANs to which the port can belong depends on the capability
of
  the switch itself. Although the concept is similar, this membership mode
is
  different than trunking.  The caveat to this feature is that the
  Multi-VLAN membership mode cannot be configured on a switch if one or
more
  ports on the switch have been configured to trunk.
 
  For more information on this feature, search Cisco's website using the
  keyword phrase switchport multi.
 
  As for answering NetEng's question--I can't quite determine where
multiple
  MAC addresses share the same switch port.  Could you identify which
switch
  that is?
 
 
-- Leigh Anne
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
   Dennis
   Sent: Tuesday, October 23, 2001 3:48 PM
   To: [EMAIL PROTECTED]
   Subject: Re: MAC address and VLANs [7:23950]
  
  
   Cisco will recognize multiple macs on a single port but they must
   all be in
   the same vlan.  Vlan assignment is per port.  Your other option
   would be to
   replace the non cisco hub with a cisco switch which is trunked to the
main
   switch.
  
   --
  
   -=Reply to group only... no personal=-
  
   NetEng wrote in message news:[EMAIL PROTECTED]...
Here's my situation. I have a corporate PC with an IP address of
   10.10.x.x
and in the same office (and same physical network) another
   device with an
   IP
address of 192.168.100.x Both devices are connected to a small
   hub/switch
which in turn is connected to a cisco switch. Can I have the
   10.10.

RE: MAC address and VLANs [7:23950]

2001-10-24 Thread Carroll Kong

I cut a large portion of the previous message.  My argument
in that is that, we DO have broadcasting monsters.  It is known as Windows
based PCs.  NetBIOS over TCP/IP, announcing wondrous information and trying
to get information so they can perform their wonderful elections and create
master browsers.  Trying to resolve NetBIOS names so they can find their
friendly PDC or BDC of the day.  Or how about WINS and its excellent
method of discerning which names go where.  All automagic at the
cost of the network.  While what you speak is true, and in a network bereft
of windows mongers, I would agree, I think that in a modern system you can
still run into issues.  According to your logic, it seems like you would be
ok with forging a 10.0.0.0/16 network and chaining along switches instead
of breaking them into subnets along with their accused VLANs.  I suppose
with enough good 10/100 Switches you are ok.  This might be problematic on
a 10BaseT network as the broadcasts snowball into huge gobs of bandwidth
draining gunk.  (I guess this rolls into the non-modern network though)  I
have a client who used some 10 base hubs too, and just band aided it with a
few switches here and there.
 NetBIOS over TCP/IP sends broadcasts quite frequently.  I almost 
dare say within a minute.  CPUs can vary, and there is always the aging 486 
on the fringe.
 I guess ultimately on a solid 10/100Base Switched network you do 
pose a good point.  However, do you think that a nasty 10.0.0.0/16 network 
might be going a bit too far even with the latest technology?  In that 
case, we can argue, who really needs routing protocols internally?  Just 
slap up the good old super flat network and have a default gateway and 
rarely call in the big dogs to make changes.  Just throw a few statics to 
the few other super flat networks and we got an enterprise solution.  :)
 Not trying to pick a bone with you.  I agree with you, but I am 
curious where do you feel is the threshold?  You say until it breaks, but I 
want to deploy a better solution before we get to that.

At 07:52 PM 10/24/01 -0400, Chuck Larrieu wrote:
hooray for you, PO! you are absolutely correct.

In military science, it is well known that military establishments enter any
war prepared to fight the previous one. In these days of DSL to the home
desktop, 100 megabit to the office desktop, ATM backbone WANS, and HTML
based applications, we networking students study various means of eking out
another packet or two on 56K links. Anyone here see the point of ISDN backup
for DS3 links? ;-

Your forward thinking is commendable.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Priscilla Oppenheimer
Sent: Wednesday, October 24, 2001 11:51 AM
To: [EMAIL PROTECTED]
Subject: Re: MAC address and VLANs [7:23950]


The multi-VLAN feature that Leigh Anne mentioned might solve your problem.
The Cisco switch port could be associated with two VLANs that way. You
didn't say which switch you have, and this feature may not be available on
all Cisco switches, though.

Assuming that you don't want to upgrade the little switch to one that does
802.1Q or ISL, another somewhat radical fix to the problem might be to not
use VLANs. My philosophy is that once VLANs get to the point of causing
more problems than they fix, I eliminate them. ;-)

One of the main things VLANs were supposed to fix was excessive broadcasts
causing too many CPU interruptions on numerous workstations in a large,
flat, switched network.

Lately I have taken to making the controversial statement that this problem
doesn't exist on many modern networks. These days workstations have
amazingly fast CPUs. They are not bogged down by processing broadcasts.
Also, as we eliminate older desktop protocols such as AppleTalk and IPX,
what is still sending broadcasts? An ARP here or there is not a big
problem. And ARPs don't actually happen that often. A PC keeps the
data-link-layer address of its default gateway and other communication
partners for a long time.

Also, a lot of PC NICs used to be stupid about multicasts and interrupt the
CPU for irrelevant multicasts for which the PC was not registered to
listen. I bet that bug has been fixed by now.

VLANs have other benefits (security, dividing up management and
administrative domains, etc.) But if broadcasts are the issue, one should ask:

Which protocols send broadcasts and how often?
How fast are the CPUs?

And that is my latest harangue against my least favorite LAN technology
(VLANs!)

Priscilla

___

Priscilla Oppenheimer
http://www.priscilla.com
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24061t=23950



Bandwidth was: RE: MAC address and VLANs [7:23950]

2001-10-24 Thread [EMAIL PROTECTED]

Hmmph.  Glad you can afford DS3 links everywhere.  I'll bet there's not a
single carrier that would offer DS3 to Nhulunbuy, Thursday Island, or
Charleville... at least not for a cost less than the GDP of a reasonably
sized country...

JMcL
- Forwarded by Jenny Mcleod/NSO/CSDA on 25/10/2001 10:40 am -
   

   
Chuck Larrieu
Sent by: nobody@groupstudy.com
25/10/2001 09:52 am
Please respond to Chuck Larrieu

To: [EMAIL PROTECTED]
Subject: RE: MAC address and VLANs [7:23950]
   

   





hooray for you, PO! you are absolutely correct.

In military science, it is well known that military establishments enter
any
war prepared to fight the previous one. In these days of DSL to the home
desktop, 100 megabit to the office desktop, ATM backbone WANS, and HTML
based applications, we networking students study various means of eking out
another packet or two on 56K links. Anyone here see the point of ISDN
backup
for DS3 links? ;-

Your forward thinking is commendable.

Chuck

[lots of good stuff snipped]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24063t=23950



RE: MAC address and VLANs [7:23950]

2001-10-24 Thread Rik Guyler

Priscilla, I'm going to open my mouth wide in preparation for my size 11
foot.  While I agree with your core message, I tend to believe that you may
be looking at a typical modern network through rose colored glasses.  For
example, I have been working with 3 small/medium (700-1000+ hosts) sized
networks recently.  All 3 flat and all 3 suffering from excessive
broadcasts.

I agree that in an ideal situation, the PCs have 1000Mhz+ processors,
100Mb full-duplex connections, and only IP across the wire.  However, while
a commendable vision, I just don't see it that way in the field.  There are
always older PCs on the network, substandard cabling, a myriad of protocols
(typically from network printers operating with the default protocols),
and/or other issues that just can't be easily and quickly fixed.  In the
cases of my clients previously mentioned, VLANs are the immediate cure.

Priscilla, I surely mean absolutely no disrespect, so I guess we'll just
have to agree to disagree that VLANs are still a good thing!  Besides, I
don't believe we can ever say they won't be useful but rather we'll just
need fewer and fewer of them as the size of our well designed IP networks
grow because of the reasons you already mentioned.

Rik

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 24, 2001 7:52 PM
To: [EMAIL PROTECTED]
Subject: RE: MAC address and VLANs [7:23950]


hooray for you, PO! you are absolutely correct.

In military science, it is well known that military establishments enter any
war prepared to fight the previous one. In these days of DSL to the home
desktop, 100 megabit to the office desktop, ATM backbone WANS, and HTML
based applications, we networking students study various means of eking out
another packet or two on 56K links. Anyone here see the point of ISDN backup
for DS3 links? ;-

Your forward thinking is commendable.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Priscilla Oppenheimer
Sent: Wednesday, October 24, 2001 11:51 AM
To: [EMAIL PROTECTED]
Subject: Re: MAC address and VLANs [7:23950]


The multi-VLAN feature that Leigh Anne mentioned might solve your problem.
The Cisco switch port could be associated with two VLANs that way. You
didn't say which switch you have, and this feature may not be available on
all Cisco switches, though.

Assuming that you don't want to upgrade the little switch to one that does
802.1Q or ISL, another somewhat radical fix to the problem might be to not
use VLANs. My philosophy is that once VLANs get to the point of causing more
problems than they fix, I eliminate them. ;-)

One of the main things VLANs were supposed to fix was excessive broadcasts
causing too many CPU interruptions on numerous workstations in a large,
flat, switched network.

Lately I have taken to making the controversial statement that this problem
doesn't exist on many modern networks. These days workstations have
amazingly fast CPUs. They are not bogged down by processing broadcasts.
Also, as we eliminate older desktop protocols such as AppleTalk and IPX,
what is still sending broadcasts? An ARP here or there is not a big problem.
And ARPs don't actually happen that often. A PC keeps the data-link-layer
address of its default gateway and other communication partners for a long
time.

Also, a lot of PC NICs used to be stupid about multicasts and interrupt the
CPU for irrelevant multicasts for which the PC was not registered to listen.
I bet that bug has been fixed by now.

VLANs have other benefits (security, dividing up management and
administrative domains, etc.) But if broadcasts are the issue, one should ask:

Which protocols send broadcasts and how often?
How fast are the CPUs?

And that is my latest harangue against my least favorite LAN technology
(VLANs!)

Priscilla

At 09:52 AM 10/24/01, NetEng wrote:
Thanks for the replies. The two MAC addresses would come from the two 
PC's in an office. They would both connect in to a hub and then the hub
would uplink to the cisco switch. I need one pc in VLAN1 and one pc in 
VLAN2,
from
what you and Dennis stated this will not work. I appreciate the 
comments though.

Collin

Leigh Anne Chisholm wrote in message news:[EMAIL PROTECTED]...
  Actually, that's not correct.  The original specification for VLANs 
  from what I understand mandates that only one VLAN can be assigned 
  to a port,
but
  manufacturers such as 3COM decided to do otherwise and support 
  multiple VLANs per port.  Cisco responded by creating (on certain 
  switches such
as
  the Catalyst 2900XL) an administrator to configure a port to be a 
  member
of
  more than one VLAN at a time when using a membership mode known as 
  Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the
actual
  number of VLANs to which the port can belong depends on the 
  capability
of
  the switch itself. Although the concept is similar, this membership

RE: MAC address and VLANs [7:23950]

2001-10-24 Thread Priscilla Oppenheimer
 solution before we get to that.

At 07:52 PM 10/24/01 -0400, Chuck Larrieu wrote:
 hooray for you, PO! you are absolutely correct.
 
 In military science, it is well known that military establishments enter
any
 war prepared to fight the previous one. In these days of DSL to the home
 desktop, 100 megabit to the office desktop, ATM backbone WANS, and HTML
 based applications, we networking students study various means of eking
out
 another packet or two on 56K links. Anyone here see the point of ISDN
backup
 for DS3 links? ;-
 
 Your forward thinking is commendable.
 
 Chuck
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Priscilla Oppenheimer
 Sent: Wednesday, October 24, 2001 11:51 AM
 To: [EMAIL PROTECTED]
 Subject: Re: MAC address and VLANs [7:23950]
 
 
 The multi-VLAN feature that Leigh Anne mentioned might solve your problem.
 The Cisco switch port could be associated with two VLANs that way. You
 didn't say which switch you have, and this feature may not be available on
 all Cisco switches, though.
 
 Assuming that you don't want to upgrade the little switch to one that does
 802.1Q or ISL, another somewhat radical fix to the problem might be to not
 use VLANs. My philosophy is that once VLANs get to the point of causing
 more problems than they fix, I eliminate them. ;-)
 
 One of the main things VLANs were supposed to fix was excessive broadcasts
 causing too many CPU interruptions on numerous workstations in a large,
 flat, switched network.
 
 Lately I have taken to making the controversial statement that this
 problem doesn't exist on many modern networks. These days workstations
 have amazingly fast CPUs. They are not bogged down by processing broadcasts.
 Also, as we eliminate older desktop protocols such as AppleTalk and IPX,
 what is still sending broadcasts? An ARP here or there is not a big
 problem. And ARPs don't actually happen that often. A PC keeps the
 data-link-layer address of its default gateway and other communication
 partners for a long time.
 
 Also, a lot of PC NICs used to be stupid about multicasts and interrupt
 the CPU for irrelevant multicasts for which the PC was not registered to
 listen. I bet that bug has been fixed by now.
 
 VLANs have other benefits (security, dividing up management and
 administrative domains, etc.) But if broadcasts are the issue, one should
 ask:
 
 Which protocols send broadcasts and how often?
 How fast are the CPUs?
 
 And that is my latest harangue against my least favorite LAN technology
 (VLANs!)
 
 Priscilla
 
 ___
 
 Priscilla Oppenheimer
 http://www.priscilla.com
-Carroll Kong


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24072t=23950



RE: MAC address and VLANs [7:23950]

2001-10-24 Thread Priscilla Oppenheimer

At 10:36 PM 10/24/01, Rik Guyler wrote:
Priscilla, I'm going to open my mouth wide in preparation for my size 11
foot.  while I agree with your core message, I tend to believe that you may
be looking at a typical modern network through rose colored glasses.  For
example, I have been working with 3 small/medium (700-1000+ hosts) sized
networks recently.  All 3 flat and all 3 suffering from excessive
broadcasts.

How do you know that's the problem? What are the symptoms of the problem, 
what is the rate of broadcasts, and how do you know that the broadcasts are 
causing the symptoms?


I agree that in an ideal situation, the PCs have 1000Mhz+ processors,
100Mb full-duplex connections, and only IP across the wire.

Well, I admit I forgot about Windoze. ;-) See my other message.

   However, while
a commendable vision, I just don't see it that way in the field.  There are
always older PCs on the network, substandard cabling, a myriad of protocols
(typically from network printers operating with the default protocols),

It would be easier to fix the printers and print servers than implement 
VLANs?? ;-)

and/or other issues that just can't be easily and quickly fixed.  In the
cases of my clients previously mentioned, VLANs are the immediate cure.

Priscilla, I surely mean absolutely no disrespect, so I guess we'll just
have to agree to disagree that VLANs are still a good thing!  Besides, I
don't believe we can ever say they won't be useful but rather we'll just
need fewer and fewer of them as the size of our well designed IP networks
grow because of the reasons you already mentioned.

Rik

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 7:52 PM
To: [EMAIL PROTECTED]
Subject: RE: MAC address and VLANs [7:23950]


hooray for you, PO! you are absolutely correct.

In military science, it is well known that military establishments enter any
war prepared to fight the previous one. In these days of DSL to the home
desktop, 100 megabit to the office desktop, ATM backbone WANS, and HTML
based applications, we networking students study various means of eking out
another packet or two on 56K links. Anyone here see the point of ISDN backup
for DS3 links? ;-

Your forward thinking is commendable.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Priscilla Oppenheimer
Sent: Wednesday, October 24, 2001 11:51 AM
To: [EMAIL PROTECTED]
Subject: Re: MAC address and VLANs [7:23950]


The multi-VLAN feature that Leigh Anne mentioned might solve your problem.
The Cisco switch port could be associated with two VLANs that way. You
didn't say which switch you have, and this feature may not be available on
all Cisco switches, though.

Assuming that you don't want to upgrade the little switch to one that does
802.1Q or ISL, another somewhat radical fix to the problem might be to not
use VLANs. My philosophy is that once VLANs get to the point of causing more
problems than they fix, I eliminate them. ;-)

One of the main things VLANs were supposed to fix was excessive broadcasts
causing too many CPU interruptions on numerous workstations in a large,
flat, switched network.

Lately I have taken to making the controversial statement that this problem
doesn't exist on many modern networks. These days workstations have
amazingly fast CPUs. They are not bogged down by processing broadcasts.
Also, as we eliminate older desktop protocols such as AppleTalk and IPX,
what is still sending broadcasts? An ARP here or there is not a big problem.
And ARPs don't actually happen that often. A PC keeps the data-link-layer
address of its default gateway and other communication partners for a long
time.

Also, a lot of PC NICs used to be stupid about multicasts and interrupt the
CPU for irrelevant multicasts for which the PC was not registered to listen.
I bet that bug has been fixed by now.

VLANs have other benefits (security, dividing up management and
administrative domains, etc.) But if broadcasts are the issue, one should
ask:

Which protocols send broadcasts and how often?
How fast are the CPUs?

And that is my latest harangue against my least favorite LAN technology
(VLANs!)

Priscilla

At 09:52 AM 10/24/01, NetEng wrote:
 Thanks for the replies. The two MAC addresses would come from the two
 PC's in an office. They would both connect in to a hub and then the hub
 would uplink to the cisco switch. I need one pc in VLAN1 and one pc in
 VLAN2, from what you and Dennis stated this will not work. I appreciate
 the comments though.
 
 Collin
 
 Leigh Anne Chisholm  wrote in message
 news:[EMAIL PROTECTED]...
   Actually, that's not correct.  The original specification for VLANs
   from what I understand mandates that only one VLAN can be assigned
   to a port, but manufacturers such as 3COM decided to do otherwise and
   support multiple VLANs per port.  Cisco responded by creating (on certain
   

RE: Bandwidth was: RE: MAC address and VLANs [7:23950]

2001-10-24 Thread Chuck Larrieu

eat your heart out ;-

the price you pay for living in paradise...

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, October 24, 2001 5:50 PM
To: [EMAIL PROTECTED]
Subject: Bandwidth was: RE: MAC address and VLANs [7:23950]


Hmmph.  Glad you can afford DS3 links everywhere.  I'll bet there's not a
single carrier that would offer DS3 to Nhulunbuy, Thursday Island, or
Charleville... at least not for a cost less than the GDP of a reasonably
sized country...

JMcL
- Forwarded by Jenny Mcleod/NSO/CSDA on 25/10/2001 10:40 am -


Chuck Larrieu
Sent by: nobody@groupstudy.com
25/10/2001 09:52 am
Please respond to Chuck Larrieu

To: [EMAIL PROTECTED]
Subject: RE: MAC address and VLANs [7:23950]

hooray for you, PO! you are absolutely correct.

In military science, it is well known that military establishments enter
any war prepared to fight the previous one. In these days of DSL to the
home desktop, 100 megabit to the office desktop, ATM backbone WANS, and
HTML based applications, we networking students study various means of
eking out another packet or two on 56K links. Anyone here see the point
of ISDN backup for DS3 links? ;-

Your forward thinking is commendable.

Chuck

[lots of good stuff snipped]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24076t=23950



RE: MAC address and VLANs [7:23950]

2001-10-24 Thread Chuck Larrieu

interesting points, and well taken.

if one takes VLANs to be synonymous with subnets then sure.

your 10.0.0.0/16 thought reminds me of the good old days when the Xylan
marketing team was out hawking their flatten the network religion. In this
respect I am a traditionalist - route where you can, and bridge where you
must.

yeah, I keep forgetting that Windows does some broadcasting, but recall that
I come out of the brokerage industry, where broadcast was a necessity. How
else would quote machines work? Upwards of 80-90% of our LAN traffic during
market hours was broadcast. So how much broadcast traffic can a couple
hundred windoze boxes really create, and just how badly does that really
affect network performance? Particularly if you are running a fully switched
environment, or even in a hubbed environment, assuming 12-24 port hubs? When
I was young and foolish, I ran my network on daisy chained 48 port hubs, and
I think I got up to around 125 stations and printers before I regretted my
foolishness. This was in that self same brokerage firm, with the outrageous
broadcast traffic. I know a Major Bank where they at one time ran segments
of 700-100 end stations. And survived to a certain degree. ( although they
were the masters of broadcast control :- )

As I said, your points are well taken. the application drives most things,
but the architecture surely drives others.

thanks.

Chuck



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Carroll Kong
Sent: Wednesday, October 24, 2001 5:20 PM
To: [EMAIL PROTECTED]
Subject: RE: MAC address and VLANs [7:23950]


I cut a large portion of this the previous message.  My argument
in that is that, we DO have broadcasting monsters.  It is known as Windows
based PCs.  NetBIOS over TCP/IP, announcing wondrous information and trying
to get information so they can perform their wonderful elections and create
master browsers.  Trying to resolve NetBIOS names so they can find their
friendly PDC or BDC of the day.  Or how about WINS and its excellent
method of discerning which names go where.  All automagic at the
cost of the network.  While what you speak is true, and in a network bereft
of windows mongers, I would agree, I think that in a modern system you can
still run into issues.  According to your logic, it seems like you would be
ok with forging a 10.0.0.0/16 network and chaining along switches instead
of breaking them into subnets along with their accused VLANs.  I suppose
with enough good 10/100 Switches you are ok.  This might be problematic on
a 10BaseT network as the broadcasts snowball into huge gobs of bandwidth
draining gunk.  (I guess this rolls into the non-modern network though)  I
have a client who used some 10 base hubs too, and just band aided it with a
few switches here and there.
 NetBIOS over TCP/IP sends broadcasts quite frequently.  I almost
dare say within a minute.  CPUs can vary, and there is always the aging 486
on the fringe.
 I guess ultimately on a solid 10/100Base Switched network you do
pose a good point.  However, do you think that a nasty 10.0.0.0/16 network
might be going a bit too far even with the latest technology?  In that
case, we can argue, who really needs routing protocols internally?  Just
slap up the good old super flat network and have a default gateway and
rarely call in the big dogs to make changes.  Just throw a few statics to
the few other super flat networks and we got an enterprise solution.  :)
 Not trying to pick a bone with you.  I agree with you, but I am
curious where do you feel is the threshold?  You say until it breaks, but I
want to deploy a better solution before we get to that.

At 07:52 PM 10/24/01 -0400, Chuck Larrieu wrote:
hooray for you, PO! you are absolutely correct.

In military science, it is well known that military establishments enter
any war prepared to fight the previous one. In these days of DSL to the
home desktop, 100 megabit to the office desktop, ATM backbone WANS, and
HTML based applications, we networking students study various means of
eking out another packet or two on 56K links. Anyone here see the point
of ISDN backup for DS3 links? ;-

Your forward thinking is commendable.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Priscilla Oppenheimer
Sent: Wednesday, October 24, 2001 11:51 AM
To: [EMAIL PROTECTED]
Subject: Re: MAC address and VLANs [7:23950]


The multi-VLAN feature that Leigh Anne mentioned might solve your problem.
The Cisco switch port could be associated with two VLANs that way. You
didn't say which switch you have, and this feature may not be available on
all Cisco switches, though.

Assuming that you don't want to upgrade the little switch to one that does
802.1Q or ISL, another somewhat radical fix to the problem might be to not
use VLANs. My philosophy is that once VLANs get to the point of causing
more problems than they fix, I eliminate them

RE: MAC address and VLANs [7:23950]

2001-10-24 Thread Carroll Kong

At 08:32 PM 10/24/01 -0700, Chuck Larrieu wrote:
interesting points, and well taken.

if one takes VLANs to be synonymous with subnets then sure.

your 10.0.0.0/16 thought reminds me of the good old days when the Xylan
marketing team was out hawking their flatten the network religion. In this
respect I am a traditionalist - route where you can, and bridge where you
must.

yeah, I keep forgetting that Windows does some broadcasting, but recall that
I come out of the brokerage industry, where broadcast was a necessity. How
else would quote machines work? Upwards of 80-90% of our LAN traffic during
market hours was broadcast. So how much broadcast traffic can a couple
hundred windoze boxes really create, and just how badly does that really
affect network performance? Particularly if you are running a fully switched
environment, or even in a hubbed environment, assuming 12-24 port hubs? When
I was young and foolish, I ran my network on daisy chained 48 port hubs, and
I think I got up to around 125 stations and printers before I regretted my
foolishness. This was in that self same brokerage firm, with the outrageous
broadcast traffic. I know a Major Bank where they at one time ran segments
of 700-100 end stations. And survived to a certain degree. ( although they
were the masters of broadcast control :- )

As I said, your points are well taken. the application drives most things,
but the architecture surely drives others.

thanks.

Chuck

Well, I admit, my response was a bit clouded by the fact that one of our 
clients recently requested a redesign of their flat beyond flat 
network.  Call it justification!  They are using, UGH, 10BaseT Hubs with 
some nasTY (with an intentional capital T and Y), daisy chaining hub 
action, which REALLY exacerbated performance loss.  Not to mention it's 
all Bay GEAR!  Evil!  :)  Admittedly, that IS changing the premise of 
Priscilla's original statement.  The network I am working on is HARDLY the 
epitome of the modern day model system Priscilla described.  I am guessing 
with solid switches across the board, it might very well be pretty darn 
good in terms of performance.  I was just curious where the new practical 
bar was raised to.

If the situation is with 10BaseT hubs, I would not be surprised if 
performance is really becoming an issue where broadcasts become a 
percentage of your daily bandwidth.  Where broadcasts are probably far more 
often being that even unicast packets are broadcasted on the wondrous 
layer 1 repeater technology known as hubs.  With all switches, I am not too 
sure I can say clearly otherwise, but I was just wondering how far is a 
practical limit in today's modern systems?  On top of that, yes, all in 
moderation.  If we take either approach to the extreme, we clearly see 
significant flaws.  No one wants to run subnets of 2 usable hosts each for 
their entire network and smash their catalyst 6509 with routing modules to 
oblivion.  No one wants to run the 30,000 flat network from HecK.  (Ok, 
maybe some people do...)  Look Ma, no routers!

On the side, you just noticed your statement implies that some would run 
multiple VLANs with a single subnet?   I guess you would depend on having 
at least one port on both VLANs to get interconnectivity?  Would that be 
like bridging?  (unifying two layer 2 networks).

Her statements on the windows protocol seem correct.  Ugh, I got to whip 
out the old sniffer again.  Or read up again.  I could have sworn I STILL 
saw a multitude of crap flying every second on my old college network even 
after we went to a switch.  I should try again since her points seem quite 
valid.

Hm.  Although broadcasting was necessary, in the more extreme case, does it 
make sense for a quote server to broadcast to another quote server?  There 
is a small subsegment of don't cares for the quotes, it seems like 
multicast is more ideal, but probably not necessary.  No matter, I am sure 
the demigods of broadcast control had a working solution.  :)


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24080t=23950



Re: MAC address and VLANs [7:23950]

2001-10-23 Thread Dennis

Cisco will recognize multiple macs on a single port but they must all be in
the same vlan.  Vlan assignment is per port.  Your other option would be to
replace the non cisco hub with a cisco switch which is trunked to the main
switch.

--

-=Reply to group only... no personal=-

NetEng  wrote in message
news:[EMAIL PROTECTED]...
 Here's my situation. I have a corporate PC with an IP address of 10.10.x.x
 and in the same office (and same physical network) another device with an
 IP address of 192.168.100.x Both devices are connected to a small hub/switch
 which in turn is connected to a cisco switch. Can I have the 10.10.x.x be
 a part of one vlan and the 192.168.100.x be a member of another or the
 default vlan? Can cisco switches recognize multiple MAC addresses on a
 single switch port (if so, how many?) and be smart enough to know which
 vlan which MAC address belongs to? This would save me hours (otherwise I
 have to run cable for connections to our corporate network and connections
 to our test network in every cube :-( ). TIA

 PS I understand the best way to do this would be to connect each device
 into the cisco switch, but I only have a single cable run to each cube/office


 (corporate pc) 10.10.x.x
       |
      PC       PC (test network) 192.168.100.x
       |       |
        \     /
         \   /
  SWITCH/HUB (non-cisco)
          |
          |
     CISCO SWITCH
        VLANs
  --------------------
  |       ||         |
  | corp  ||   test  |
  --------------------




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23957t=23950



RE: MAC address and VLANs [7:23950]

2001-10-23 Thread Leigh Anne Chisholm

Actually, that's not correct.  The original specification for VLANs from
what I understand mandates that only one VLAN can be assigned to a port, but
manufacturers such as 3COM decided to do otherwise and support multiple
VLANs per port.  Cisco responded by creating (on certain switches such as
the Catalyst 2900XL) an administrator to configure a port to be a member of
more than one VLAN at a time when using a membership mode known as
Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the actual
number of VLANs to which the port can belong depends on the capability of
the switch itself. Although the concept is similar, this membership mode is
different than trunking.  The caveat to this feature is that the
Multi-VLAN membership mode cannot be configured on a switch if one or more
ports on the switch have been configured to trunk.

For more information on this feature, search Cisco's website using the
keyword phrase switchport multi.

As for answering NetEng's question--I can't quite determine where multiple
MAC addresses share the same switch port.  Could you identify which switch
that is?


  -- Leigh Anne

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Dennis
 Sent: Tuesday, October 23, 2001 3:48 PM
 To: [EMAIL PROTECTED]
 Subject: Re: MAC address and VLANs [7:23950]


 Cisco will recognize multiple macs on a single port but they must all be
 in the same vlan.  Vlan assignment is per port.  Your other option would
 be to replace the non cisco hub with a cisco switch which is trunked to
 the main switch.

 --

 -=Reply to group only... no personal=-

 NetEng  wrote in message
 news:[EMAIL PROTECTED]...
  Here's my situation. I have a corporate PC with an IP address of 10.10.x.x
  and in the same office (and same physical network) another device with an
  IP address of 192.168.100.x Both devices are connected to a small hub/switch
  which in turn is connected to a cisco switch. Can I have the 10.10.x.x be
  a part of one vlan and the 192.168.100.x be a member of another or the
  default vlan? Can cisco switches recognize multiple MAC addresses on a
  single switch port (if so, how many?) and be smart enough to know which
  vlan which MAC address belongs to? This would save me hours (otherwise I
  have to run cable for connections to our corporate network and connections
  to our test network in every cube :-( ). TIA

  PS I understand the best way to do this would be to connect each device
  into the cisco switch, but I only have a single cable run to each cube/office
 
 
  (corporate pc) 10.10.x.x
        |
       PC       PC (test network) 192.168.100.x
        |       |
         \     /
          \   /
   SWITCH/HUB (non-cisco)
           |
           |
      CISCO SWITCH
         VLANs
   --------------------
   |       ||         |
   | corp  ||   test  |
   --------------------




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23965t=23950



Re: MAC address and VLANs [7:23950]

2001-10-23 Thread Dennis

Interesting... looked it up on Cisco's site... thanks...

--

-=Reply to group only... no personal=-

Leigh Anne Chisholm  wrote in message
news:[EMAIL PROTECTED]...
 Actually, that's not correct.  The original specification for VLANs from
 what I understand mandates that only one VLAN can be assigned to a port,
 but manufacturers such as 3COM decided to do otherwise and support multiple
 VLANs per port.  Cisco responded by creating (on certain switches such as
 the Catalyst 2900XL) an administrator to configure a port to be a member
 of more than one VLAN at a time when using a membership mode known as
 Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the actual
 number of VLANs to which the port can belong depends on the capability of
 the switch itself. Although the concept is similar, this membership mode
 is different than trunking.  The caveat to this feature is that the
 Multi-VLAN membership mode cannot be configured on a switch if one or more
 ports on the switch have been configured to trunk.

 For more information on this feature, search Cisco's website using the
 keyword phrase switchport multi.

 As for answering NetEng's question--I can't quite determine where multiple
 MAC addresses share the same switch port.  Could you identify which switch
 that is?


   -- Leigh Anne

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
  Dennis
  Sent: Tuesday, October 23, 2001 3:48 PM
  To: [EMAIL PROTECTED]
  Subject: Re: MAC address and VLANs [7:23950]
 
 
  Cisco will recognize multiple macs on a single port but they must all be
  in the same vlan.  Vlan assignment is per port.  Your other option would
  be to replace the non cisco hub with a cisco switch which is trunked to
  the main switch.
 
  --
 
  -=Reply to group only... no personal=-
 
  NetEng  wrote in message
  news:[EMAIL PROTECTED]...
   Here's my situation. I have a corporate PC with an IP address of 10.10.x.x
   and in the same office (and same physical network) another device with an
   IP address of 192.168.100.x Both devices are connected to a small hub/switch
   which in turn is connected to a cisco switch. Can I have the 10.10.x.x be
   a part of one vlan and the 192.168.100.x be a member of another or the
   default vlan? Can cisco switches recognize multiple MAC addresses on a
   single switch port (if so, how many?) and be smart enough to know which
   vlan which MAC address belongs to? This would save me hours (otherwise I
   have to run cable for connections to our corporate network and connections
   to our test network in every cube :-( ). TIA

   PS I understand the best way to do this would be to connect each device
   into the cisco switch, but I only have a single cable run to each cube/office
  
  
   (corporate pc) 10.10.x.x
         |
        PC       PC (test network) 192.168.100.x
         |       |
          \     /
           \   /
    SWITCH/HUB (non-cisco)
            |
            |
       CISCO SWITCH
          VLANs
    --------------------
    |       ||         |
    | corp  ||   test  |
    --------------------




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23968t=23950



Re: Mac address [7:21170]

2001-09-26 Thread MADMAN

On a switch you can configure port level security:



  Dave

chris wrote:
 
 Is there any way to config your switch/router to prompt you when a certain
 Mac address is plugged in or online.  Rather than setting the cam table
 aging  to 3 days.
 
 -Original Message-
 From: dragi radovanovic [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, September 26, 2001 10:45 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Can I configure 2 leased line for single channel ?
 [7:21105]
 
 If you change the encap to ppp, you can build a multilink bundle, and have
 a pipe going between your routers.
 Do search on configuring virtual template on cisco.com
 
 Dragi
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21176t=21170



RE: MAC Address: [7:9547]

2001-06-22 Thread Rico Ortiz

These are broadcast..

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Tan Chee Leong
Sent: Friday, June 22, 2001 1:51 PM
To: [EMAIL PROTECTED]
Subject: MAC Address: [7:9547]


Hi,

In a small LAN with two routers I found the following MAC addresses
appearing.

00:00:00:00:00:01
ff:ff:ff:ff:ff:ff

Most of the time I see it coming from the routers.  Is there a special
meaning to this?  Pardon me for my weak networking knowledge.

Cheers,
Chee Leong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=9583t=9547



Re: MAC address of interfaces in PIX 515R [7:5544]

2001-05-23 Thread Alex Lee

How about 'sh int e0' ?


Sean Graham  wrote in message
news:[EMAIL PROTECTED]...
 Hi, I am in the process of setting up a PIX515 for use with a cable modem.
 The provider DHCP's the address to the clients. I want to use the PIX to
 connect to the modem but the ISP secure the DHCP request by MAC address of
 the interface. I have to inform them what it is before it will lease the
 new IP address. What is the easiest way to find out the MAC address of the
 Ethernet interfaces in the PIX. I can't see an obvious command.

 Many thanks,

 Sean




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=5558t=5544



RE: MAC address of interfaces in PIX 515R [7:5544]

2001-05-23 Thread Dyson Kuben

Try show int e0 e1 etc


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=5559t=5544



Re: MAC address of interfaces in PIX 515R [7:5544]

2001-05-23 Thread Allen May

In enable mode, show interface.
Or just ping your box from the PIX and look at your arp cache.

- Original Message -
From: Sean Graham 
To: 
Sent: Wednesday, May 23, 2001 11:12 AM
Subject: Re: MAC address of interfaces in PIX 515R [7:5544]


 show commands aren't available
 Dyson Kuben  wrote in message
 news:[EMAIL PROTECTED]...
  Try show int e0 e1 etc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=5592t=5544



Re: MAC address to port tool [7:221]

2001-04-11 Thread Jon Mitchell

No matter what, you won't have to check all the switches.  Just check
the central switch like this:

show mac-address-table address .. (insert your mac here)

and then if that is a downlink port to another switch, check which
switch is connected to that port with the same command.  You could
script this, some things that might save you time would be using the
description field for each downlink to say which switch is connected
to it (or use a static table in your program), and using Expect for
the interaction would make your life very easy.

Jon Mitchell
Loudcloud, Inc.
*not speaking for my employer*


John Chang wrote:
 
 We have 11 3500 XL series switches.  10 are connected to 1 switch.  There
 is only 1 VLAN.
 
 Basic diagram:
 switches
 | | | | |
  | Switch
 | | | | |
 switches
 
 Is there a tool out there that will easily tell me which port a particular
 MAC address is connected to at any given time?  Preferable something I can
 do a simple search for the MAC address and it will show me the port.
 
 The problem I'm having is that we have a DHCP server and I hate all these
 BAD_ADDRESS.  When I ping the IP address it is live so someone is manually
 entering the IP address.  I don't want to go through all the switches to
 find the MAC address since it will be too time consuming.
 
 Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=242t=221
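
The hop-by-hop lookup described in the message above (start at the central switch, follow the downlink port to the next switch, repeat) can be scripted as follows. This is an added example, not code from the thread: the switch names, the static downlink table and the sample `show mac-address-table` output are constructed, the column layout is an assumption, and collecting the output from the switches (with Expect or otherwise) is left out.

```python
import re

# Constructed sample data. The column layout imitates IOS-style
# "show mac-address-table" output and is an assumption; adjust ROW to
# match what your switches actually print.
MAC_TABLES = {
    "core": """\
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0010.7b3a.1c2f       Dynamic          1  FastEthernet0/3
00d0.bac4.9e01       Dynamic          1  FastEthernet0/7
0001.42aa.0b10       Dynamic          1  FastEthernet0/20
""",
    "sw3": """\
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0010.7b3a.1c2f       Dynamic          1  FastEthernet0/12
""",
    "sw7": """\
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0060.5cf4.77aa       Dynamic          1  FastEthernet0/2
""",
}

# Static table of (switch, port) -> switch reached through that port,
# the "static table in your program" option from the message.
DOWNLINKS = {
    ("core", "FastEthernet0/3"): "sw3",
    ("core", "FastEthernet0/7"): "sw7",
}

# One table row: MAC in dotted form, address type, VLAN, port.
ROW = re.compile(
    r"^[ \t]*([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})[ \t]+(\w+)"
    r"[ \t]+(\d+)[ \t]+(\S+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def normalize_mac(mac):
    """Accept colon, dash or dotted notation; return 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_mac_table(text):
    """Return {mac: (vlan, port)}; header and separator rows do not match ROW."""
    table = {}
    for mac, _addr_type, vlan, port in ROW.findall(text):
        table[normalize_mac(mac)] = (int(vlan), port)
    return table


def trace_mac(mac, tables, downlinks, start):
    """Follow a MAC from `start` until it sits on a port that is not a downlink.

    Returns the list of (switch, port) hops; the last hop is the edge port.
    """
    target = normalize_mac(mac)
    path, switch, seen = [], start, set()
    while True:
        if switch in seen:
            # A wrong entry in the downlink table would otherwise loop forever.
            raise RuntimeError(f"loop in downlink table at {switch}")
        seen.add(switch)
        entry = parse_mac_table(tables[switch]).get(target)
        if entry is None:
            # The host went quiet and the entry aged out, or the table is stale.
            raise LookupError(f"{mac} not in the table on {switch}")
        _vlan, port = entry
        path.append((switch, port))
        next_switch = downlinks.get((switch, port))
        if next_switch is None:
            return path
        switch = next_switch


if __name__ == "__main__":
    for hop in trace_mac("00:10:7B:3A:1C:2F", MAC_TABLES, DOWNLINKS, "core"):
        print("%s %s" % hop)
```

A `LookupError` part-way down the path usually means the entry aged out between queries; pinging the address first repopulates the tables.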



RE: MAC address

2001-02-05 Thread Evan Francen

show cam {dynamic | static | permanent} mod_num/port_num, if this is a
set-based switch.  

HTH,
Evan

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 05, 2001 3:52 PM
To: [EMAIL PROTECTED]
Subject: MAC address


On a network with 12 switches all connected to 1 core switch using the 
default vlan 1.  What is the best way to find out which port the MAC 
address is broadcasted from?  Thanks.




Re : MAC Address to IP Address conversion

2000-11-26 Thread Amit Gupta (EHPT) IS-IT





Hello All,


I am looking for some sniffer software that could show me a list of MAC Address to IP Address mapping of my network.
I checked with the trial copies of CNAPro and Sniffer PRO but could not find the functionality.
Can anyone suggest one?

Thanks & Regards
Amit





RE: Re : MAC Address to IP Address conversion

2000-11-26 Thread Amit Gupta (EHPT) IS-IT






Got the list from my Router's ARP cache


-Original Message-
From: Amit Gupta (EHPT) IS-IT [SMTP:[EMAIL PROTECTED]]
Sent: Sunday, November 26, 2000 3:19 PM
To: '[EMAIL PROTECTED]'
Subject: Re : MAC Address to IP Address conversion


Hello All, 


I am looking for some sniffer software that could show me a list of MAC Address to IP Address mapping of my network.
I checked with the trial copies of CNAPro and Sniffer PRO but could not find the functionality.
Can anyone suggest one?

Thanks & Regards
Amit 





Re: Re : MAC Address to IP Address conversion

2000-11-26 Thread Gary Frye
Another trick that works to make sure you get everything
is to first clear the arp cache (clear arp-cache) and then ping the broadcast
address (either the all zeroes broadcast, or if you just want one net, then
ping that network's broadcast, i.e. if your net is 209.149.135.0/24, then
ping 209.149.135.255). Every device that falls in that range (barring any
subnet masking mistakes), and if all machines are powered on will answer
the router's pings. Now do your "show arp", you'll get a very accurate mac
to ip address table.


Amit Gupta (EHPT) IS-IT wrote:

  Got the list from my Router's ARP cache

  -Original Message-
  From: Amit Gupta (EHPT) IS-IT [SMTP:[EMAIL PROTECTED]]
  Sent: Sunday, November 26, 2000 3:19 PM
  To: '[EMAIL PROTECTED]'
  Subject: Re : MAC Address to IP Address conversion

  Hello All,

  I am looking for some sniffer software that could show me a list of MAC Address to IP Address mapping of my network.
  I checked with the trial copies of CNAPro and Sniffer PRO but could not find the functionality.
  Can anyone suggest one?

  Thanks & Regards
  Amit
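
Once the `show arp` output has been captured as Gary describes, a short parser turns it into a MAC-to-IP table. This is an added example, not part of the original post; the sample output is constructed around his 209.149.135.0/24 network and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# One data row of "show arp"; the interface column is absent on Incomplete rows.
ARP_ROW = re.compile(
    r"^Internet[ \t]+(?P<ip>\d+\.\d+\.\d+\.\d+)[ \t]+(?P<age>-|\d+)"
    r"[ \t]+(?P<hw>\S+)[ \t]+ARPA(?:[ \t]+(?P<ifc>\S+))?[ \t]*$",
    re.MULTILINE,
)

# Constructed sample output (addresses and MACs are made up).
SAMPLE_SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  209.149.135.1           -   0000.0c07.1a01  ARPA   Ethernet0
Internet  209.149.135.21          0   0010.7b3a.9f21  ARPA   Ethernet0
Internet  209.149.135.20          0   0010.7b3a.9f21  ARPA   Ethernet0
Internet  209.149.135.9           0   0060.2fa3.0b10  ARPA   Ethernet0
Internet  209.149.135.77          0   Incomplete      ARPA
Internet  10.9.9.2                4   00e0.1e5d.ae2f  ARPA   Ethernet1
"""


def parse_show_arp(output):
    """Return one dict per ARP entry; mac is None for Incomplete entries."""
    rows = []
    for m in ARP_ROW.finditer(output):
        hw = m["hw"].lower()
        rows.append({
            "ip": ipaddress.ip_address(m["ip"]),
            "own": m["age"] == "-",          # "-" marks the router's own address
            "mac": None if hw == "incomplete" else hw,
            "interface": m["ifc"],
        })
    return rows


def mac_ip_table(output, network):
    """Build {mac: [ip, ...]} for one network, plus the IPs that never resolved."""
    net = ipaddress.ip_network(network)
    by_mac, unresolved = defaultdict(list), []
    for row in parse_show_arp(output):
        if row["ip"] not in net:
            continue                          # entry belongs to another subnet
        if row["mac"] is None:
            unresolved.append(row["ip"])      # router asked, nobody answered
        else:
            by_mac[row["mac"]].append(row["ip"])
    table = {mac: [str(ip) for ip in sorted(ips)] for mac, ips in by_mac.items()}
    return table, [str(ip) for ip in sorted(unresolved)]


def shared_macs(table):
    """MACs answering for more than one IP (multi-homed host, proxy ARP, ...)."""
    return {mac: ips for mac, ips in table.items() if len(ips) > 1}


if __name__ == "__main__":
    table, unresolved = mac_ip_table(SAMPLE_SHOW_ARP, "209.149.135.0/24")
    for mac, ips in sorted(table.items()):
        print(mac, ", ".join(ips))
    print("unresolved:", unresolved)
    print("shared:", shared_macs(table))
```
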
  
  
  




Re: MAC address in SUN Firewall.

2000-10-15 Thread Duane Morgan

There's a saying in the computer industry:
That's just because that's the way it is.. Ok, maybe I made it up.

set local-mac-address, to TRUE at the eeprom.

HTH, (hope that helps)
DDM

On Mon, 16 Oct 2000, Sim, CT (Chee Tong) wrote:

 Hi..  Dear all,
 
 I have a SUN firewall which got 3 interfaces, but when I do a ifconfig -a on
 the sun, I got 3 different IP on 3 interfaces but all the MAC address are
 the same.  Later on, I went to check on other sun machine which got more
 than one NIC, I found all of the NIC within one machine possess the same MAC
 address too
 
 Why?
 
 Tong
 



Re: MAC Address support for c1900 series

2000-09-09 Thread Daniel Boutet

So basically it's a "trunk link" that you set as a "network port"? Or is it
just any port that is basically not used a whole lot and you do not mind
having the broadcast whenever a MAC needs to be learned, so that way your CAM
table stays within the 1024 address range for the 1900's? Doesn't the CAM
work on a FIFO basis?

I am still not too clear on this.
Also, what is the command on the switch to tell it that it's a network port?


"neal rauhauser" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...

 The little switches have a limited MAC address table. If you know you have a
 link where they're going to see more MACs than they can hold you set it to be a
 'network' port and the switch doesn't learn MACs from there. This is meant for
 a large campus environment where you have a 19xx serving a workgroup. I've
 worked on some real cluster (*#$%s over the years and I've never seen a real
 world situation where this would be needed.

 I'd like to hear from anyone else if they've been in some shop of horrors
 where this configuration was required.

 Daniel Boutet wrote:

  I was looking at the specs and it says that it supports 1024 MAC addresses. My
  understanding is that it is what the CAM table will support at one time.
  But the specs also state:

  "Unlimited MAC addresses support on configurable network port"

  This, I don't get. Can anyone explain?

  Thanks
 

 --
 "Just do the steps that you've been shown
  by everyone you've ever known
  until the dance becomes your very own" - Jackson Browne






**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html
_
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: MAC Address support for c1900 series

2000-09-09 Thread tcpipppp

When you set a Network Port on the switch, it will not flood a packet with
an unknown destination MAC address out all of the ports.  Packets with
unknown destination MAC addresses are "drained" out the network port.  The
only practical application where I can see using a "network port" is if the
MAC addresses of all the devices attached to the switch have been statically
set in the switch.  In this case, the switch would know about all the
devices that it has to talk to, and we can send the packet with the unknown
destination MAC address out the network port, hopefully to find its way to
the proper destination.

The problem that you will find by using a network port is that if the MAC
addresses of the other devices that are connected to the switch have not
been statically set, they may appear to "drop off the network".  Network
printers are a big problem because they usually generate very little
traffic, so the switch doesn't learn the MAC address.  If your printer is
sitting on port 7, and you have defined a network port, there is a good
chance that any packets that are supposed to go to the printer will actually
go out the network port and never find their way to the printer.  In most
applications, I have found it reasonable NOT to use the network port.  If
you do use it, you will want to make sure that you understand why you are
using it, and the limitations of using it.

In the Cat 1900, I believe the setting to set a network port is in the
System Menu.

""Daniel Boutet"" [EMAIL PROTECTED] wrote in message
news:8pdi8m$nsg$[EMAIL PROTECTED]...
 So basically it's a "trunk link" that you set as a "network port"? Or is it
 just any port that is basically not used a whole lot and you do not mind
 having the broadcast whenever a MAC needs to be learned, so that way your CAM
 table stays within the 1024 address range for the 1900's? Doesn't the CAM
 work on a FIFO basis?

 I am still not too clear on this.
 Also, what is the command on the switch to tell it that it's a network port?

 "neal rauhauser" [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...

  The little switches have a limited MAC address table. If you know you have a
  link where they're going to see more MACs than they can hold you set it to be a
  'network' port and the switch doesn't learn MACs from there. This is meant for
  a large campus environment where you have a 19xx serving a workgroup. I've
  worked on some real cluster (*#$%s over the years and I've never seen a real
  world situation where this would be needed.

  I'd like to hear from anyone else if they've been in some shop of horrors
  where this configuration was required.

  Daniel Boutet wrote:

   I was looking at the specs and it says that it supports 1024 MAC addresses. My
   understanding is that it is what the CAM table will support at one time.
   But the specs also state:

   "Unlimited MAC addresses support on configurable network port"

   This, I don't get. Can anyone explain?

   Thanks
  
 
  --
  "Just do the steps that you've been shown
   by everyone you've ever known
   until the dance becomes your very own" - Jackson Browne
 
 
 



Re: MAC Address support for c1900 series

2000-09-08 Thread neal rauhauser



   The little switches have a limited MAC address table. If you know you have a
link where they're going to see more MACs than they can hold you set it to be a
'network' port and the switch doesn't learn MACs from there. This is meant for
a large campus environment where you have a 19xx serving a workgroup.  I've
worked on some real cluster (*#$%s over the years and I've never seen a real
world situation where this would be needed.


   I'd like to hear from anyone else if they've been in some shop of horrors
where this configuration was required.



Daniel Boutet wrote:

 I was looking at the specs and it says that it supports 1024 MAC addresses. My
 understanding is that it is what the CAM table will support at one time.
 But the specs also state:

 "Unlimited MAC addresses support on configurable network port"

 This, I don't get. Can anyone explain?

 Thanks


--
"Just do the steps that you've been shown
 by everyone you've ever known
 until the dance becomes your very own" - Jackson Browne






Re: MAC address

2000-08-10 Thread Karen . Young


Question 1, 2, & 4:
Explanation of address resolution regarding MAC addresses.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introint.htm#xtocid193923

Question 3:
Router packet handling
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/routing.htm#xtocid249344

Karen E Young
Network Engineer
ELF Technologies, Inc
[EMAIL PROTECTED]



   
 
Oscar Rau
osca003@attglobal.net
Sent by: nobody@groupstudy.com
08/08/00 03:46 PM
Please respond to Oscar Rau

To: Cisco GroupStudy [EMAIL PROTECTED]
cc:
Subject: MAC address



While an IP packet is being packaged to be delivered at the Ethernet frame
stage,
how is the destination MAC address determined? Is the destination MAC
address going
to be MAC address of the local gateway or the remote host?

Is the MAC changed by the network devices (routers) along the way until it
has been delivered to
the destination Ethernet IP address?

If a MAC address is,

   01 23 45 67 89 11

Which half is the vendor specific portion? Where would the multicast bit
and locally
administered MAC address bit be located?

Thank you in advance.
--

Oscar Rau
[EMAIL PROTECTED]




RE: MAC address

2000-08-09 Thread fningham

Good explanation in the replies.  One note - if the MAC
address is 01 23 45 67 89 11 it is a multicast address
on Ethernet.

An odd number in the second nibble indicates a group
i.e. multicast address.
 First a computer looks in its arp (Address resolution protocol) cache
 to see if it already has an IP to MAC in its database. If it does not the
 computer generally will do an ARP broadcast which all systems see and the
 computer using that ip address will respond with its MAC address. The MAC is
 stored in the cache and the frame is sent to that computer. If the IP
 address is not local, and the router sees the arp and has a destination to
 that IP or IP network it will respond with its own mac and the frame will
 be delivered to the router who will then route it to the appropriate
 network/system.
 
 
 
 
 The first 6 are the manufacturer code.
 
 
 
 -Original Message-
 From: Oscar Rau [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, August 08, 2000 6:46 PM
 To: Cisco GroupStudy
 Subject: MAC address
 
 
 While an IP packet is being packaged to be delivered at the Ethernet frame
 stage,
 how is the destination MAC address determined? Is the destination MAC
 address going
 to be MAC address of the local gateway or the remote host?
 
 Is the MAC changed by the network devices (routers) along the way until it
 has been delivered to
 the destination Ethernet IP address?
 
 If a MAC address is,
 
   01 23 45 67 89 11
 
 Which half is the vendor specific portion? Where would the multicast bit and
 locally
 administered MAC address bit be located?
 
 Thank you in advance.
 -- 
 
 Oscar Rau
 [EMAIL PROTECTED]
 



Re: MAC address

2000-08-09 Thread Marcus Walton

Hi Oscar,


Q1: "While an IP packet is being packaged to be delivered at the Ethernet 
frame stage, how is the destination MAC address determined?"
A1: The Address Resolution Protocol (ARP) is used to determine the 
destination MAC address when only the destination IP is known.  The source 
host will broadcast an ARP request to all hosts on the local network asking 
the owner of the destination IP address to respond.  Only the host that 
owns the destination IP will respond (using a unicast packet) with an ARP 
reply saying "Here's my MAC address...".  All other hosts will ignore the 
ARP request since it does not pertain to them.

Q2: "Is the destination MAC address going to be the MAC address of the 
local gateway or the remote host?"
A2: It depends.  If the destination host is on the local network (i.e., 
source & destination are connected to the same segment) then the 
destination MAC will be the MAC address of the remote host.  However, if the 
destination host is on a remote network then the destination MAC will be 
the address of the local gateway (router).  The reason for this is that the 
ARP request (which is broadcast) will not be forwarded by the 
router.  Therefore, the remote host will never have a chance to reply to 
the ARP request since it will never see it.  In cases such as these, the 
router will respond to an ARP request on behalf of a remote host - this is 
known as Proxy ARP.

Q3: "Is the MAC changed by the network devices (routers) along the way 
until it has been delivered to the destination Ethernet IP address?"
A3: Yes, the destination MAC addresses will change hop to hop (router to 
router) as the packet travels across the network.   On the other hand, the 
destination IP address will remain the same until it reaches its destination.

Q4: "Which half is the vendor specific portion?"
A4: The vendor specific portion of the MAC address (also known as the OUI - 
Organizationally Unique Identifier) is the first 24 bits (3 bytes) of the 
MAC.  In your example, this would be 01 23 45.

Q5: "Where would the multicast bit and locally administered MAC address bit 
be located?"
A5: The multicast bit is the low-order bit of the first octet of an 
ethernet address.  This bit should be set to 1 for multicast mode.  For 
example, given the MAC address 08 01 02 03 04 05, the multicast address 
would be 09 01 02 03 04 05 (last bit in the first byte changed from 0 to 
1).  As far as the locally administered bit is concerned, that should be 
bit number 7 (out of 48) of the MAC.  Again, 1 means local, 0 means global 
or IEEE administered.


HTH,
Marcus


At 10:46 PM 08/08/2000 +, Oscar Rau wrote:
While an IP packet is being packaged to be delivered at the Ethernet frame 
stage,
how is the destination MAC address determined? Is the destination MAC 
address going
to be MAC address of the local gateway or the remote host?

Is the MAC changed by the network devices (routers) along the way until it 
has been delivered to
the destination Ethernet IP address?

If a MAC address is,

 01 23 45 67 89 11

Which half is the vendor specific portion? Where would the multicast bit 
and locally
administered MAC address bit be located?

Thank you in advance.
--

Oscar Rau
[EMAIL PROTECTED]



=
Marcus Walton
Lucent Technologies, Inc.
NetworkCare Professional Services Division
"The Knowledge Behind the Network"
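
The bit layout from A4 and A5, worked through in code as an added example (not part of the original post). The function names and the sample host list are hypothetical; the two MAC addresses in the tests are the ones used in the thread.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MacInfo:
    address: str     # canonical aa:bb:cc:dd:ee:ff
    oui: str         # first three octets (24 bits)
    group: bool      # I/G bit: low-order bit (0x01) of the first octet
    local: bool      # U/L bit: next bit up (0x02) of the first octet
    broadcast: bool  # all 48 bits set


def parse_mac(text):
    """Accept space, colon, dash or Cisco dotted notation; return 6 bytes."""
    digits = re.sub(r"[.:\-\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def fmt(octets):
    return ":".join(f"{b:02x}" for b in octets)


def describe(text):
    o = parse_mac(text)
    return MacInfo(
        address=fmt(o),
        oui=fmt(o[:3]),
        group=bool(o[0] & 0x01),
        local=bool(o[0] & 0x02),
        broadcast=(o == b"\xff" * 6),
    )


def set_group_bit(text):
    """Return the address with the multicast (I/G) bit turned on."""
    o = bytearray(parse_mac(text))
    o[0] |= 0x01
    return fmt(o)


def audit_hosts(entries):
    """Flag (ip, mac) pairs whose MAC is unusual for a station address."""
    findings = []
    for ip, mac in entries:
        info = describe(mac)
        if info.group:
            findings.append((ip, info.address, "group bit set; not a station address"))
        elif info.local:
            findings.append((ip, info.address, "locally administered; set in software"))
    return findings


# Constructed (IP, MAC) pairs, e.g. as read from an ARP cache.
SAMPLE_HOSTS = [
    ("192.0.2.10", "0010.7b3a.9f21"),
    ("192.0.2.11", "02:00:5e:10:00:01"),
    ("192.0.2.12", "01 23 45 67 89 11"),
]

if __name__ == "__main__":
    print(describe("01 23 45 67 89 11"))
    print(set_group_bit("08 01 02 03 04 05"))
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```
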




Re: MAC address

2000-08-08 Thread Kenneth

The destination MAC is determined by ARP broadcast. The node with the
corresponding IP address will then reply by sending out its MAC address.
Once known, the sending node will keep a cache of the ARP - IP mapping for a
certain period of time.

"Oscar Rau" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 While an IP packet is being packaged to be delivered at the Ethernet frame
stage,
 how is the destination MAC address determined? Is the destination MAC
address going
 to be MAC address of the local gateway or the remote host?

 Is the MAC changed by the network devices (routers) along the way until it
has been delivered to
 the destination Ethernet IP address?

 If a MAC address is,

 01 23 45 67 89 11

 Which half is the vendor specific portion? Where would the multicast bit
and locally
 administered MAC address bit be located?

 Thank you in advance.
 --

 Oscar Rau
 [EMAIL PROTECTED]




RE: MAC Address ACL's

2000-08-04 Thread David Jones

Without playing with a router, I think you could probably do like a
route-map statement that uses an access list, i.e. if packet = this, set
next hop to here.  HTH

Dave

-Original Message-
From: Ed [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 7:01 PM
To: [EMAIL PROTECTED]
Subject: Re: MAC Address ACL's


I actually just found that ACL's 700 - 799 are used for MAC's.
Does anyone have any idea on forcing the destination address
for a denied client?  What we're trying to do is pop a web page
for denied clients.

Sorry for the waste of the first message.
Thanx in advance!

--Ed
""Ed"" [EMAIL PROTECTED] wrote in message
news:8mcsm5$1ra$[EMAIL PROTECTED]...
 I've been told by a trusted friend that it's possible to filter on the MAC
 address and if it's denied, to proxy the denied box to a specific web site.

 I've been looking through CCO but not having much luck.
 Anyone else have some thoughts?

 --Ed





Re: MAC Address ACL's

2000-08-03 Thread Ed

I actually just found that ACL's 700 - 799 are used for MAC's.
Does anyone have any idea on forcing the destination address
for a denied client?  What we're trying to do is pop a web page
for denied clients.

Sorry for the waste of the first message.
Thanx in advance!

--Ed
""Ed"" [EMAIL PROTECTED] wrote in message
news:8mcsm5$1ra$[EMAIL PROTECTED]...
 I've been told by a trusted friend that it's possible to filter on the MAC
 address and if it's denied, to proxy the denied box to a specific web site.

 I've been looking through CCO but not having much luck.
 Anyone else have some thoughts?

 --Ed





Re: MAC Address ACL's

2000-08-03 Thread Lawrence Dwyer

<SWAG>
I am not sure, but you seem to be mixing layer 2, 3, and 4. Filter on a MAC
addy, to a different IP for web traffic. If you knew the source IP, then you
might be able to do some sort of route map. Match IP goes through NAT with one
IP on inside, no match goes through as different IP inside (choose which match
or no match would be the www denied server).</SWAG>

Think it would be easier to just filter the IP addresses on the webserver and
give them a denied page.


Ed wrote:

 I actually just found that ACL's 700 - 799 are used for MAC's.
 Does anyone have any idea on forcing the destination address
 for a denied client?  What we're trying to do is pop a web page
 for denied clients.

 Sorry for the waste of the first message.
 Thanx in advance!

 --Ed
 ""Ed"" [EMAIL PROTECTED] wrote in message
 news:8mcsm5$1ra$[EMAIL PROTECTED]...
  I've been told by a trusted friend that it's possible to filter on the MAC
  address and if it's denied, to proxy the denied box to a specific web site.
 
  I've been looking through CCO but not having much luck.
  Anyone else have some thoughts?
 
  --Ed
 
 



Re: MAC Address

2000-07-24 Thread AABAN34

http://memphis.supersharewareman.com/Apps/2449.asp

Check this out
