On Thu, Nov 09, 2006 at 11:04:19PM +0100, Frode Marton Meling wrote:
> Hello
> I have a server setup with the following network config:
>
> Default eth0 - 192.168.100.1 255.255.255.0
> GW:192.168.100.254
> VLAN2 eth0.2 - 0.0.0.2 255.255.255.255
> VLAN3 eth0.3 - 0.0.0.3 255.255.255.255
> VLAN4 eth0.4 - 0.0.0.4 255.255.255.255
>
> The reason for this is that I run VMWare server and the other VLANS
> are used by the VMWare server.. Without setting any IP, I got
> errors..

That should not happen. It's perfectly legal to not have an IP address
configured on an interface, and if you're bridging it may even
interfere.

> I have a VLAN trunk from my HP-managed switch. All VLANS tagged
> except Default VLAN (I have tried this with tagging on Default
> VLAN also).

Default VLAN or the native VLAN is untagged by definition, right?

> If I add my linux desktop to VLAN4 and do a netdiscover, it will
> find the 192.168.100.1 (I can not access it, but since it is
> detectable from outside, it is a risk).

I'm not sure I agree with your risk analysis, but let's stick to the
point: netdiscover floods ARP requests for all private IP addresses.
Your Linux VLAN box replies even though the request is coming in on an
interface with a different address than the one in the request. Linux
does this by default.

Read more about rp_filter and arp_filter in
/usr/src/linux/Documentation/networking/ip-sysctl.txt or consider
implementing firewall rules to ensure your system behaves as intended.

Hope this helps!

//Peter
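
The default ARP behaviour described in the reply above can be checked per interface. This is an added example, not part of the original mail: it reads the arp_filter sysctl named above plus arp_ignore (documented in the same ip-sysctl.txt, not named in the mail); the function names and the optional directory argument are this example's own.

```shell
#!/bin/sh
# Added example: report, per interface, whether the kernel's default
# "answer ARP for any local address" behaviour is in effect.
# The optional argument (a copy of the sysctl tree) is an assumption of
# this example so the function can be run away from the live system.

read_val() {
    # Print the sysctl value stored in file $1, or 0 if it is unreadable.
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

arp_report() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    all_filter=$(read_val "$conf_dir/all/arp_filter")
    all_ignore=$(read_val "$conf_dir/all/arp_ignore")
    for dir in "$conf_dir"/*/; do
        ifname=$(basename "$dir")
        case "$ifname" in all|default) continue ;; esac
        filter=$(read_val "$dir/arp_filter")
        ignore=$(read_val "$dir/arp_ignore")
        # ip-sysctl.txt: arp_filter is on if "all" OR the interface sets
        # it; arp_ignore uses the higher of the "all" and interface values.
        [ "$all_filter" -ne 0 ] && filter=1
        [ "$all_ignore" -gt "$ignore" ] && ignore=$all_ignore
        if [ "$filter" -eq 0 ] && [ "$ignore" -eq 0 ]; then
            state="default: answers ARP for addresses on other interfaces"
        else
            state="restricted"
        fi
        echo "$ifname arp_filter=$filter arp_ignore=$ignore $state"
    done
}

arp_report "$@"
```

An interface reported as "default" will answer an ARP request for an address held by a different interface, which is what netdiscover observed on VLAN4.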