
Gaah! I hate private vlans

spidey07

No Lifer
Having used them for a long time trying to match a security policy to dozens of private vlans (hosts on the same subnet cannot communicate with each other) is truly frightening.

If there weren't so many "ifs, ands or buts" limitations to the ASICs it wouldn't be such a big deal.

I hate getting this deep into the gear, but it looks like I have to. What I have designed apparently can't be done and I meet with the application/security/network folks to figure out a workaround. grrrrrr.

Don't they understand???? I just design it....it's your job to figure it out!
 
Originally posted by: spidey07
Having used them for a long time trying to match a security policy to dozens of private vlans (hosts on the same subnet cannot communicate with each other) is truly frightening.

If there weren't so many "ifs, ands or buts" limitations to the ASICs it wouldn't be such a big deal.

I hate getting this deep into the gear, but it looks like I have to. What I have designed apparently can't be done and I meet with the application/security/network folks to figure out a workaround. grrrrrr.

Don't they understand???? I just design it....it's your job to figure it out!

Have you tried combining that and input ACLs on the switchports (depending on the switch and IOS)? I've had to do that before.. it was excruciatingly painful to manage afterwards, even with proper documentation.
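As an added illustration of the combination p0lar describes (this is example configuration added to the thread, not anything either poster wrote), here is a Cisco IOS private VLAN with an isolated secondary, a community secondary, a promiscuous uplink, and a port ACL applied inbound on the isolated host ports. VLAN numbers, interface names, addresses and the ACL policy are all assumptions. The SVI ACL at the end is the one check practitioners usually want alongside a private VLAN: the PVLAN blocks Layer 2 forwarding between isolated ports, but a host can still send a frame to the gateway MAC with a neighbour's IP as the destination and let the router hairpin it back into the subnet, so subnet-to-subnet traffic is denied on the gateway interface as well.

```cisco
! Added example, not from the original thread. VLAN numbers,
! interface names, addresses and policy are assumed.

vlan 100
 name SERVERS-PRIMARY
 private-vlan primary
 private-vlan association 101,102
vlan 101
 name SERVERS-ISOLATED
 private-vlan isolated
vlan 102
 name SERVERS-COMMUNITY
 private-vlan community

! Hosts that must not reach each other go in the isolated VLAN.
! The port ACL is applied inbound, i.e. to traffic the server sends.
interface GigabitEthernet1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 ip access-group PACL-SERVER-IN in

interface GigabitEthernet1/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 ip access-group PACL-SERVER-IN in

! Hosts that may talk among themselves but not to isolated hosts.
interface GigabitEthernet1/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102

! Uplink toward the router/firewall: promiscuous, maps both secondaries.
interface GigabitEthernet1/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102

! Assumed per-port policy: servers may only originate HTTPS and
! DNS to an assumed resolver; everything else is dropped and logged.
ip access-list extended PACL-SERVER-IN
 permit tcp any any eq 443
 permit udp any host 10.1.1.2 eq 53
 deny   ip any any log

! Gateway SVI for the primary VLAN. Denying subnet-to-subnet traffic
! here closes the route-back-into-the-same-subnet path that the
! private VLAN alone does not cover.
interface Vlan100
 ip address 10.1.1.254 255.255.255.0
 private-vlan mapping 101,102
 ip access-group SVI-NO-HAIRPIN in

ip access-list extended SVI-NO-HAIRPIN
 deny   ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
```

The same filtering can be expressed once per VLAN as a VACL (`vlan access-map` plus `vlan filter`), which is what the thread refers to as VACLs; per-port ACLs allow a different policy per host but, as both posters say, multiply the amount of configuration that has to be kept in step with the security policy.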
 
Originally posted by: p0lar
Have you tried combining that and input ACLs on the switchports (depending on the switch and IOS)? I've had to do that before.. it was excruciatingly painful to manage afterwards, even with proper documentation.

yeah, i thought of that. the management aspect of VACLs prevented me from doing that. Just didn't seem like a good idea.

I had them redo some patch work to work with the blades they were dealing with to overcome the ASIC limitations.

6500s all around.

My main rant is these guys are supposed to know this stuff and raise the issue.
 
Originally posted by: spidey07
yeah, i thought of that. the management aspect of VACLs prevented me from doing that. Just didn't seem like a good idea.
Yeah, really depends on who you've got in place to manage it and how static it is. Headaches ensue otherwise.

I had them redo some patch work to work with the blades they were dealing with to overcome the ASIC limitations.

6500s all around.
IOS or CatOS?


 
Originally posted by: spidey07
native IOS

I've had tons of trouble with private vlans and CatOS.

Yeah, it's been a few years since I messed with the 6500s and PVLANs, but it was exclusively on the CatOS. I agree wholeheartedly.
 