Dumb switches are now too smart for my good
Here's an ironic thing: basic switches these days are now too smart for their own good, or at least for my good. The issue is that even theoretically dumb switches are VLAN aware, which means that they will only pass VLAN tagged packets if they've been told about the particular VLAN is tagged for.
The problem this creates is that it is now impossible to have a generic traffic monitoring switch. What you'd like to have is a small switch that's pre-configured with a mirror port that you could just transparently splice in at any spot in your network to debug traffic. Ideally this switch would be generic, so that it would work anywhere and everywhere in your network fabric, no matter what else was going on.
(You won't be able to monitor the full 2 Gb of potential traffic, but in many situations you don't need to because the link isn't that saturated.)
But this doesn't work if you want to splice the switch into a spot that's carrying tagged VLANs, because if the switch doesn't know about one of the VLANs it will just drop that VLAN's packets. Which is far from transparent.
You can't configure the switch to pass all possible VLANs, because no switch can be configured with anywhere near 4094 VLANs. You can try to configure the switch to pass all VLANs that are in use at your site, but this is both prone to errors as configurations change over time and limits where you can plug in the switch (you have to put it in front of something of yours that would drop any stray VLANs anyways).
(We actually ran into this with the switch that our traffic tracking system uses to take a tap of the traffic going through our NAT gateway. We added a new subnet on our core switch infrastructure and to the NAT gateway but forgot to update the traffic tap switch, and were very puzzled for a while as machines on the subnet couldn't talk to the NAT gateway to get out to the world.)
Comments on this page:Written on 04 December 2007.