On Thu, Mar 01, 2007 at 12:07:32PM -0600, Bill Marquette wrote:

> Will the switch send vlan 1 tagged or untagged?  If it's tagged, just
> create vlan1 on the pfsense box.  If it's going to send it untagged

Stupid question: if I have two switches (a HP ProCurve 2650 and a
Netgear GS724T to be precise, which are both quite reasonable products
for the price tag, especially if you reflash the Netgear firmware, which
is buggy out of the box), which are both vlan-capable (it's supposedly
standardized, whatever little that means in this business),
can I make tagged vlans which span across two or more switches?

> (most switches will for "native" vlans), then you'll need an IP on the
> physical interface (I'm not entirely sure if we support that setup).

Apropos of nothing, I managed to down my hoster's network segment by
an inadvertent ARP storm, made with pfSense (it's a great dual-use product,
doubles as a nuclear weapon in a pinch). I had a firewall with two interfaces
(two firewalls, in fact) on the same switch. While playing around with the
port-based vlans (I tried to not have two interfaces on the same VLAN, thinking
that Something Bad might happen, and was proven right) I managed to actually
put two interfaces on the same (main) VLAN, which took everything offline (and
my entire subnet banned because of a DoS) in a mere few seconds. It required a
manual intervention (switching off the firewalls by power button), disabling the
switch ports, and unbanning the network to get me back in business.
The firewalls were still inaccessible (I almost triggered another
ARP storm by trying to get back to them, but this time fortunately managed
to disable the port in time), but fortunately I had a crossover serial to a
Linux machine in the rack, and a PDU which allowed me to remotely power-cycle
the firewalls, so I could reconfigure the firewalls via the serial console (I
used minicom, which is in the Debian depository -- anyone knows anything more
basic?).
The other firewall, unfortunately, lacked such a crossover serial, so it's dead
until a physical visit, or at least until I pay for a pair of remote hands,
and a crossover cable. Well, this means that I have to try a filtered bridge
next, and think later about pfsync/carp cluster failover.

Moral: networking is unsuitable for dumb people.

-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
