Home page logo

nanog logo nanog mailing list archives

Re: maximum active vlans in a crisco 6509
From: "Bora Akyol" <akyol () akyol org>
Date: Tue, 20 Jun 2000 20:56:07 -0700

If you put all of the users on seperate switch ports, then would they be
able to snoop each other's traffic? At least the switches that I have seen
prevent this behavior unless you put a particular switch port in "monitor"

As long as all rooms in this hotel are on seperate switch ports, you would
basically be OK even without using VLANs.

Yes, multicast sessions, ARP requests etc can still be snooped.


----- Original Message -----
From: "Bennett Todd" <bet () rahul net>
To: "Roeland Meyer (E-mail)" <rmeyer () mhsc com>
Cc: "'Bob Biver'" <bbiver () hotmail com>; <nanog () merit edu>
Sent: Tuesday, June 20, 2000 8:45 PM
Subject: Re: maximum active vlans in a crisco 6509

Hash: SHA1

2000-06-20-23:01:45 Roeland Meyer (E-mail):
Bob Biver: Tuesday, June 20, 2000 7:28 PM
the docs say max 250, is this informational or a limit of
spanning tree?

If I recall correctly, that's also real close to the maximum
number of physical connections to the chasis, with all modules
installed. Personally, I've never run anywhere near that number.
I don't think it is useful to have less than 2 members in a vlan.
You would also be surpassing the bandwidth limitations of that
chasis, even if all the connections were 100baseTX.

For many uses, I think you certainly have a clear and reasonable
point. But while I don't know what the original poster had in mind,
I can fantasize a use for thousands of vlans, even on a switch that
doesn't have thousands of distinct ports. And without necessarily
exceeding available bandwidth.

Lessee, suppose I were designing something like an
internet-access-for-hotel-rooms, or thereabouts. Or suppose
otherwise I had thousands of users who didn't trust each other, at
all, who I didn't want to have sniffing each other's traffic, who
were just wanting to share access to an internet connection, itself
less than 100BaseT, maybe even much less.

One way I could fantasize doing it would be to assign a separate
VLAN to each port of as many different switches, interconnected with
802.1Q or ISL, as it took to provide ports to every room. Run one
802.1Q line into the one router in this picture, say a Linux box
using iproute2 for traffic shaping.

Ok, so maybe 6509s would be way overkill for this application, no
way you need that kind of backplane bandwidth. But as circumstances
emerge where you want to have a fully-routed network (next step up
the protocol ladder from a fully-switched network --- each host gets
its own dedicated router port) I can anticipate settings where VLANs
might get abused in a most remarkable way.

- -Bennett
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]