Gaah! I hate private vlans

spidey07

No Lifer
Aug 4, 2000
Having used them for a long time, trying to match a security policy to dozens of private vlans (hosts on the same subnet cannot communicate with each other) is truly frightening.

If there weren't so many "ifs, ands or buts" limitations to the ASICs it wouldn't be such a big deal.

I hate getting this deep into the gear, but it looks like I have to. What I have designed apparently can't be done and I meet with the application/security/network folks to figure out a workaround. grrrrrr.

Don't they understand???? I just design it....it's your job to figure it out!

Goosemaster

Lifer
Apr 10, 2001
I remember VLANs...hmmm....so many burnt brain cells:D


I'll buy you a :beer: to cool off if you are ever in the area....

p0lar

Senior member
Nov 16, 2002
Originally posted by: spidey07
Having used them for a long time, trying to match a security policy to dozens of private vlans (hosts on the same subnet cannot communicate with each other) is truly frightening.

If there weren't so many "ifs, ands or buts" limitations to the ASICs it wouldn't be such a big deal.

I hate getting this deep into the gear, but it looks like I have to. What I have designed apparently can't be done and I meet with the application/security/network folks to figure out a workaround. grrrrrr.

Don't they understand???? I just design it....it's your job to figure it out!

Have you tried combining that and input ACLs on the switchports (depending on the switch and IOS)? I've had to do that before... it was excruciatingly painful to manage afterwards, even with proper documentation.
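As an added illustration of the combination p0lar describes (a private VLAN for layer-2 isolation plus an input port ACL on the host port), here is a Catalyst native IOS fragment; it is not config posted by anyone in this thread, and the VLAN numbers, interface names and 10.0.100.0/24 addressing are assumed placeholders. Whether a port ACL can be applied to a PVLAN host port depends on the platform and IOS release, as the post notes.

```cisco
! Added example, not from the thread. Private VLANs need VTP transparent mode.
vtp mode transparent
!
! Primary VLAN carries the subnet; isolated hosts cannot reach each other at layer 2,
! community hosts can reach each other but not the isolated ones.
vlan 100
 name SERVERS-PRIMARY
 private-vlan primary
 private-vlan association 101,102
vlan 101
 name SERVERS-ISOLATED
 private-vlan isolated
vlan 102
 name SERVERS-COMMUNITY
 private-vlan community
!
! Promiscuous port towards the gateway: the only exit for isolated/community hosts.
interface GigabitEthernet1/1
 description uplink to gateway (assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Input ACL narrowing what an isolated host may send: DHCP, and web traffic only.
! Everything else the host originates is dropped at its own port.
ip access-list extended ISOLATED-HOST-IN
 permit udp any eq bootpc any eq bootps
 permit tcp 10.0.100.0 0.0.0.255 any eq 443
 permit tcp 10.0.100.0 0.0.0.255 any eq 80
 deny ip any any
!
interface GigabitEthernet1/10
 description isolated host (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 ip access-group ISOLATED-HOST-IN in
```

The PVLAN enforces who a host can reach on the segment; the port ACL enforces what it can send once it gets there, which is why each new service request means touching both.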

spidey07

No Lifer
Aug 4, 2000
Originally posted by: p0lar
Have you tried combining that and input ACLs on the switchports (depending on the switch and IOS)? I've had to do that before... it was excruciatingly painful to manage afterwards, even with proper documentation.

Yeah, I thought of that. The management aspect of VACLs prevented me from doing that. Just didn't seem like a good idea.

I had them redo some patch work to work with the blades they were dealing with to overcome the ASIC limitations.

6500s all around.

My main rant is these guys are supposed to know this stuff and raise the issue.

p0lar

Senior member
Nov 16, 2002
Originally posted by: spidey07
Yeah, I thought of that. The management aspect of VACLs prevented me from doing that. Just didn't seem like a good idea.
Yeah, really depends on who you've got in place to manage it and how static it is. Headaches ensue otherwise.

I had them redo some patch work to work with the blades they were dealing with to overcome the ASIC limitations.

6500s all around.
IOS or CatOS?

p0lar

Senior member
Nov 16, 2002
Originally posted by: spidey07
native IOS

I've had tons of trouble with private vlans and catOS.

Yeah, it's been a few years since I messed with the 6500s and PVLANs, but it was exclusively on the CatOS. I agree wholeheartedly.