multiple vlans on a port?

jimfixit (MIS, US), Aug 5, 2003
I haven't read anything that says you can set a port to more than one vlan. You can make it a 'trunk port' to pick up some or all of your vlans...but...isn't a 'trunk' by definition supposed to hook two switches together?

Here's the deal: our security team just invested in a product called websense to block web site access (it replaces surfcontrol). Users on the main vlan get blocked and get a web page that tells them why.

Users in any other vlan get blocked but they get the ubiquitous page not found from IE. I trapped packets and here is what is happening: the websense device sends the blocked page out but, it's sending it with a source IP address of the web site. The workstation never receives the packets containing the page, according to ethereal.

The CCNA test on switching never covered the case of "suppose some guy just spoofs a source address outside your network...what would the switch do with the packet"? It was mainly all about layer 2 at that point. But just working with a workstation, if I give my workstation some bogus address that isn't part of the vlan that it connects to, it can't get its traffic to go anywhere and that is what this unit appears to be doing....

Any thoughts?
 
You are correct in the first part of your statement that a trunk port can be in multiple vlans at the same time, while an access port can only be in one. A trunk port is for passing 802.1Q tagged packets to the correct VLAN between switches. The only time you can hook a server to a trunk port is if the NIC supports 802.1Q, which most newer NICs do. As for the problems you are having you may have to wait for the more advanced users to answer.
 
Actually I think I may have stumbled on the answer although I don't like it.

Seems the version of IOS we have on the 3750 stack: 12.2(25r) SE1 has a feature that prevents spoofing which is how this product does what it does. I have turned off port security to no avail. For now I've moved this websense unit to a 3550 switch and that has fixed the entire issue. I have a case in with TAC to see how or if I can turn that off or if I can at least log it to confirm that it is the cause of the issue.

I don't know maybe SE stands for Security Enabled??! :)

 
How are you redirecting web page requests to the WebSense Server?

I've used WebSense in the past and used the built-in redirect functionality of a PIX firewall to get requests to the WebSense Server. The WebSense Server then tells the PIX to allow or disallow the requested webpage.

You are right about a PC with a spoofed IP being unable to get out of a VLAN. The IP address generally needs to be in the subnet that the VLAN is configured for with the proper default gateway of a router.
If the PC attempts to send traffic to an IP outside its configured subnet it will attempt to send to the default-gateway which would not be the correct gateway of the VLAN.

Hope I'm not confusing the issue, really it comes down to how you are redirecting HTTP requests to WebSense.
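The three replies above describe two mechanisms without showing them: an 802.1Q tag on a frame leaving a trunk port (the VLAN ID lives in the low 12 bits of the TCI after the 0x8100 TPID), and a per-port source-address check that drops a frame whose source IP does not belong to the host on that port, which is what would eat a block page sent with the web site's address as its source. The Python below is an added example written for this page; it is not code from the thread, from Websense or from Cisco. It builds and parses tagged and untagged Ethernet/IPv4 frames, then applies an IP Source Guard-style (VLAN, MAC, IP) binding check per port. That the 3750 feature in play is IP Source Guard is an assumption (the poster never names it), and the MAC addresses, IP addresses, port names and binding table are constructed for the example.

```python
"""Added example (not from the thread): 802.1Q frame build/parse plus an
IP-Source-Guard-style per-port binding check, on constructed data."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    vlan: Optional[int]     # 802.1Q VID, or None when the frame is untagged
    src_ip: Optional[str]   # None for non-IPv4 payloads
    dst_ip: Optional[str]


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str,
                vlan: Optional[int] = None, payload: bytes = b"") -> bytes:
    """Ethernet + IPv4 (proto 6, TTL 64); an 802.1Q tag is inserted when vlan is given."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      _ip_bytes(src_ip), _ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac)
    if vlan is not None:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); PCP and DEI left at 0 here
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + hdr + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse the Ethernet header, an optional 802.1Q tag and the IPv4 addresses."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    off, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[off:off + 4])
        vlan = tci & 0x0FFF          # VID is the low 12 bits of the TCI
        off += 4
    src_ip = dst_ip = None
    if ethertype == ETHERTYPE_IPV4:
        ihl = (raw[off] & 0x0F) * 4
        if ihl < 20 or len(raw) < off + ihl:
            raise ValueError("bad IPv4 header")
        src_ip, dst_ip = _ip(raw[off + 12:off + 16]), _ip(raw[off + 16:off + 20])
    return Frame(_mac(dst), _mac(src), vlan, src_ip, dst_ip)


Binding = Tuple[int, str, str]   # (vlan, source MAC, source IP), as a snooping/static binding


def source_guard(bindings: Dict[str, Set[Binding]], access_vlan: Dict[str, int],
                 port: str, raw: bytes) -> bool:
    """True if the switch forwards `raw` received on `port`.

    Ports absent from `bindings` have no guard and forward everything (the 3550
    in the thread).  A guarded port forwards an IPv4 frame only when its
    (VLAN, src MAC, src IP) matches a binding, so a block page carrying the web
    site's address as source is dropped.  Non-IP frames pass (simplification).
    """
    if port not in bindings:
        return True
    f = parse_frame(raw)
    if f.src_ip is None:
        return True
    vlan = f.vlan if f.vlan is not None else access_vlan.get(port)
    return (vlan, f.src_mac, f.src_ip) in bindings[port]


def websense_scenario() -> Dict[str, bool]:
    """Constructed topology: the appliance sits on trunk port Gi1/0/10 of the guarded
    switch, bound to 10.20.0.5 in VLAN 20; Fa0/1 on the other switch has no guard."""
    appliance, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    bindings = {"Gi1/0/10": {(20, appliance, "10.20.0.5")}}
    access_vlan = {"Gi1/0/10": 20, "Fa0/1": 20}
    own = build_frame(client, appliance, "10.20.0.5", "10.30.0.25", vlan=20)
    # Block page impersonating the web site (TEST-NET-3 address) into the user's VLAN 30
    spoofed = build_frame(client, appliance, "203.0.113.7", "10.30.0.25", vlan=30,
                          payload=b"HTTP/1.1 200 OK\r\n")
    return {
        "own_guarded": source_guard(bindings, access_vlan, "Gi1/0/10", own),
        "spoofed_guarded": source_guard(bindings, access_vlan, "Gi1/0/10", spoofed),
        "spoofed_unguarded": source_guard(bindings, access_vlan, "Fa0/1", spoofed),
    }


if __name__ == "__main__":
    for name, forwarded in websense_scenario().items():
        print(f"{name}: {'forwarded' if forwarded else 'dropped'}")
```

The scenario reproduces the symptom in the thread: the appliance's own traffic passes the guarded trunk port, the block page with the web site's source address is dropped there, and the same frame is forwarded on the unguarded port. Capturing on the workstation side of each switch, as the poster did with Ethereal, is the practical way to confirm which port is eating the frame before asking TAC which feature to relax.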



 