> > Fact: We re-use the same hardware addresses on all interfaces.
> >
> > They had figured out that this caused the problems with the switch.
> >
> > Okay, I'll be the ignorant guy. Why do you do this?
We do it because it's the default on Sun with multiple interfaces (you can change that when needed). As long as the interfaces are on separate networks it isn't a problem.

It has given us some insight into the trustworthiness of VLAN implementations. E.g., we found the Bay 450 switch MAC CAM is shared between VLANs, and if you have the same MAC on two ports in different VLANs it gets confused about which VLAN the device is in and hence which VLAN traffic to that device should be sent to. We've also had Cisco 3524 switches crash/reboot and forget their VLAN database, so all ports appear on the base LAN.

When you have two different security zones on the same device it takes more than "it seems to work" to convince me that it's secure. I want some way of proving there's no inadvertent coupling between them, rather than waiting for someone to discover one, and that it is sustainable over software updates and over replacing it with a new model (the Cisco 3524 is EOL; the replacement model could be very different, as it now includes layer 3 functionality) or with a different manufacturer, as they don't like Cisco. Who's going to remember this after it's been installed for a few years? Despite documentation, successors may not be so diligent in validating what they do.

Physically separate has its uses.

brandon

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
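The two symptoms brandon describes (one MAC on several host interfaces, and one MAC learned by a switch in more than one VLAN) are both easy to check for mechanically. The script below is an added example and is not code from the original thread or from anyone on it. It parses a constructed Solaris-style `ifconfig -a` listing and a constructed IOS-style `show mac address-table` listing (both embedded inline; the exact output format of a given switch or OS release is an assumption, so adjust the regexes to what yours prints) and reports any MAC that appears on more than one host interface, or that the switch has learned in more than one VLAN or on more than one port.

```python
import re
from collections import defaultdict

# Constructed sample of Solaris `ifconfig -a` output (not captured from a
# real host): every physical interface reports the same "ether" address,
# which is the default behaviour the post is about.
SOLARIS_IFCONFIG = """\
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
        ether 8:0:20:12:34:56
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 198.51.100.10 netmask ffffff00 broadcast 198.51.100.255
        ether 8:0:20:12:34:56
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 203.0.113.10 netmask ffffff00 broadcast 203.0.113.255
        ether 8:0:20:ab:cd:ef
"""

# Constructed sample of an IOS-style `show mac address-table` listing (the
# column layout is an assumption; older Catalyst images print it differently).
# The same MAC has been learned on two ports in two different VLANs.
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0800.2012.3456    DYNAMIC     Fa0/1
  20    0800.2012.3456    DYNAMIC     Fa0/7
  20    0800.20ab.cdef    DYNAMIC     Fa0/8
  30    0000.0c07.ac01    DYNAMIC     Fa0/24
"""


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits, accepting the Solaris form
    with unpadded octets (8:0:20:12:34:56), the usual colon form
    (08:00:20:12:34:56) and the Cisco dotted form (0800.2012.3456)."""
    if "." in mac:
        hexdigits = mac.replace(".", "")
    else:
        hexdigits = "".join(part.zfill(2) for part in mac.split(":"))
    hexdigits = hexdigits.lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError("unrecognised MAC address: %r" % mac)
    return hexdigits


IFACE_RE = re.compile(r"^(\S+):\s+flags=")
ETHER_RE = re.compile(r"^\s+ether\s+(\S+)")


def shared_macs_on_host(ifconfig_text):
    """Map each MAC to the interfaces carrying it and return only the MACs
    used by more than one interface (the Sun default being questioned)."""
    by_mac = defaultdict(list)
    current = None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ETHER_RE.match(line)
        if m and current:
            by_mac[normalize_mac(m.group(1))].append(current)
    return {mac: ifaces for mac, ifaces in by_mac.items() if len(ifaces) > 1}


MAC_ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(\S+)"
)


def cross_vlan_macs(mac_table_text):
    """Return {mac: sorted (vlan, port) pairs} for every MAC the switch has
    learned in more than one VLAN or on more than one port. On a switch
    whose CAM is not partitioned per VLAN, such an entry is exactly the
    condition under which frames can be forwarded into the wrong VLAN."""
    seen = defaultdict(set)
    for line in mac_table_text.splitlines():
        m = MAC_ENTRY_RE.match(line)
        if m:
            seen[normalize_mac(m.group(2))].add((int(m.group(1)), m.group(3)))
    return {
        mac: sorted(locs)
        for mac, locs in seen.items()
        if len({vlan for vlan, _ in locs}) > 1 or len({port for _, port in locs}) > 1
    }


if __name__ == "__main__":
    for mac, ifaces in shared_macs_on_host(SOLARIS_IFCONFIG).items():
        print("host: MAC %s shared by interfaces %s" % (mac, ", ".join(ifaces)))
    for mac, locs in cross_vlan_macs(SWITCH_MAC_TABLE).items():
        print("switch: MAC %s seen at %s" % (mac, locs))
```

Run the host check on each multi-homed box and the switch check on a periodic dump of the MAC table; the second one is worth keeping as a standing audit, since it also catches the case brandon raises of a switch losing its VLAN database and dropping every port back onto the base LAN, which shows up as MACs from both zones suddenly being learned in the same VLAN.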
