On Nov 21, 22:29, Carlos Murillo wrote:
> This reminds me of a quirk in the EE department's network; some NT boxes
> here rely on some flavor of NIS for authentication, but they have to
> be ping'ed every few seconds at a specific port or the NT yp client
> dies. To avoid that, one of the servers sends a bogus yp packet to
> _every_ IP address on the network every now and then. Unix machines
> don't like it; portmap logs in a couple flavors unix have to be disabled
> in order not to generate an entry every few seconds. In others,
> /etc/syslog.conf can be modified to avoid this. Fortunately, we're behind
> a firewall. But having to accommodate idiotic NT needs sure sucks.

Agreed. This is getting a bit off-topic[1] but that's the sort of thing
VLANs are for. You could use an intelligent switch (or hub) and put all
the NT systems in a separate VLAN from the Unix boxes. Some systems (e.g.
Enterasys/Cabletron) can do that for you automatically by seeing what
does/does not generate certain protocol packets. A VLAN is a single
broadcast domain, so the broadcast to the NT machines will be restricted to
the NT machines, never reaching the Unix boxes, regardless of subnet
numbers and network topology[2]. We've been using VLANs for similar
purposes since 1995, though in our case it's mostly to restrict AppleTalk
and IPX to a range of ports (spread around several dozen switches and hubs)
and to separate staff, student and management subnets. Recently I've also
put the DHCP servers into a separate VLAN, and restricted the connections,
so no-one can run a rogue DHCP server.
[1] VLANs are too recent (mid 1990s) to properly be the province of
classiccmp.
[2] Of course, you could also do this by assigning all the NT boxes to a
separate subnet if you have a spare number range. The advantage of VLANs
is that they can overlap; machines can be members of more than one for
different purposes.
--
Pete Peter Turnbull
Dept. of Computer Science
University of York
Received on Wed Nov 22 2000 - 03:01:42 GMT
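The reply above describes a VLAN as a single broadcast domain whose membership can overlap, and mentions restricting where DHCP servers may live. The following model is an added example, not code from the thread or from any switch vendor: it simulates a switch that floods a broadcast frame only to ports carrying the frame's VLAN, lets one port belong to several VLANs, and accepts DHCP server replies only from ports marked as trusted. Port names, VLAN numbers and the "trusted port" rule for DHCP are constructed assumptions about how such a setup might be wired, not details from the thread.

```python
"""Toy model of 802.1Q-style VLAN broadcast domains on one switch.

Added example for the classiccmp VLAN discussion; port names, VLAN ids and
the DHCP trusted-port rule are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    vlans: frozenset  # every VLAN this port carries; overlap is allowed


class Switch:
    def __init__(self, ports, dhcp_trusted=()):
        self.ports = {p.name: p for p in ports}
        # Ports from which DHCP server replies are accepted (assumed mechanism
        # for "restricting the connections" so a rogue server is ignored).
        self.dhcp_trusted = frozenset(dhcp_trusted)

    def flood(self, ingress, vlan):
        """Ports that receive a broadcast arriving on `ingress` for `vlan`.

        Ingress filtering: a frame for a VLAN the arriving port does not carry
        is dropped. Otherwise the frame is flooded to every other port that
        carries that VLAN and to nothing else, regardless of IP subnetting.
        """
        src = self.ports[ingress]
        if vlan not in src.vlans:
            return frozenset()
        return frozenset(
            name for name, port in self.ports.items()
            if vlan in port.vlans and name != ingress
        )

    def accept_dhcp_offer(self, port):
        """True only if a DHCP server reply seen on `port` is allowed through."""
        return port in self.dhcp_trusted


# Constructed topology: NT boxes on VLAN 20, Unix boxes on VLAN 10, one
# management port deliberately in both, and a DHCP server on its own port.
NT_VLAN, UNIX_VLAN = 20, 10

DEMO = Switch(
    ports=[
        Port("nt-1", frozenset({NT_VLAN})),
        Port("nt-2", frozenset({NT_VLAN})),
        Port("unix-1", frozenset({UNIX_VLAN})),
        Port("unix-2", frozenset({UNIX_VLAN})),
        Port("mgmt-1", frozenset({NT_VLAN, UNIX_VLAN})),  # overlapping member
        Port("dhcp-srv", frozenset({NT_VLAN, UNIX_VLAN})),  # serves both VLANs
    ],
    dhcp_trusted=["dhcp-srv"],
)


def nt_broadcast_receivers():
    """Who sees the periodic NT yp broadcast sent from nt-1."""
    return DEMO.flood("nt-1", NT_VLAN)


def unix_broadcast_receivers():
    """Who sees a broadcast sent from unix-1 on the Unix VLAN."""
    return DEMO.flood("unix-1", UNIX_VLAN)


def mistagged_frame_receivers():
    """A frame from nt-1 claiming the Unix VLAN is dropped at ingress."""
    return DEMO.flood("nt-1", UNIX_VLAN)


if __name__ == "__main__":
    print("NT broadcast reaches:", sorted(nt_broadcast_receivers()))
    print("Unix broadcast reaches:", sorted(unix_broadcast_receivers()))
    print("Mistagged frame reaches:", sorted(mistagged_frame_receivers()))
    print("Offer from dhcp-srv accepted:", DEMO.accept_dhcp_offer("dhcp-srv"))
    print("Offer from nt-2 accepted:", DEMO.accept_dhcp_offer("nt-2"))
```

Running it shows the NT broadcast reaching nt-2, mgmt-1 and dhcp-srv but no Unix port, the management port receiving traffic from both VLANs because it is a member of both, and a DHCP reply from an ordinary client port being discarded while the same reply from the trusted server port is accepted.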