Subject: Re: Changing mac address?
To: John Darrow <John.P.Darrow@wheaton.edu>
From: None <jchacon@genuity.net>
List: port-sparc
Date: 10/30/2000 09:35:11
>First, if you really don't like the Securefast stuff, you can always _turn
>it off_.  Every Cabletron switch, either by a setting in a given firmware,
>or by loading a different firmware, can operate instead in traditional
>802.1q mode, giving you your "expected" behavior.

Yes, but in this case our IT group wanted to run Securefast for other reasons.

>
>However, Securefast adds one thing I've _never_ seen in any other VLAN
>implementation - a _useful_ user mobility capability.  It uses the layer 2
>address, which (despite standards saying it doesn't have to be) is globally
>unique for basically anything _other_ than sparcs (thank/blame the card
>manufacturers for this), as one of the possible identifiers for a station's
>VLAN memberships, instead of being limited to only using ports as
>identifiers.  This allows an end station to be plugged in _anywhere_ in the
>switched network, and still retain the _same VLAN memberships and privileges,
>and associated data_.  You can take your laptop from your desk and plug it in
>somewhere across the building and still be part of the same logical network
>segment, using the same IP address, routing data, etc.  Nothing else I have
>seen, even the proposed experimental 802.1x extensions, comes anywhere close
>to this for mobility.

Oh this makes sense...Let's use the MAC as a vlan key and ignore any standards
about station based MAC even though it's been in use for 15+ years.
Plus it sounds like all I need to do is roll over my MAC to someone else's
and I start getting their traffic.

I've also yet to see HSRP work at all in these environments. Seems this
wonderful feature gets confused when the routers switch active ports.


>
>As a side note, you _can_ set the VLAN manager to "allow duplicates" for a
>given MAC address.  I don't pretend to know all the little caveats involved
>in doing so, because generally, and especially given that, for example, the
>MAC address space is _five orders of magnitude bigger_ than the IP address
>space,

I don't know if this was an option when we deployed but I doubt it. My guess
is enough folks screaming about Cabletron about their non-standard stuff.
(I've never been happy with these switches related to random traffic problems
and vlan leakage)

>it _just doesn't make sense to have multiple interfaces have the same
>MAC address._  The manufacturers have gone to so much trouble to give every
>card its own address - why waste it?
>

Because you're not supposed to? You can have card or station based MAC
addressing for a device attaching to a network. Plus the fact that using
the MAC address as essentially a security key to say what logical network
you'll hook to is ridiculous. Most systems allow you to reset the MAC on
an interface so this isn't exactly a solid basis to make network membership
on.

In any case I agree this is quite off-topic so this thread should really
die.

James
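
The following is an added example, not part of the original message and not Cabletron code. When VLAN membership is keyed on the MAC address, a station legitimately moving to another port and a second station sending with the same MAC both show up as the MAC appearing on a new port; this sketch tells the two apart by checking whether the MAC bounces back to a port it recently left. The event tuple format, port names, MAC values and the 60-second window are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, switch port, source MAC) as a switch would
# learn them. Port names and MAC values are made up for illustration.
EVENTS = [
    (0,   "sw1/3", "08:00:20:aa:bb:01"),
    (5,   "sw1/3", "08:00:20:aa:bb:01"),
    (400, "sw4/7", "08:00:20:aa:bb:01"),   # laptop carried to another port
    (410, "sw4/7", "08:00:20:aa:bb:01"),
    (10,  "sw2/1", "08:00:20:cc:dd:02"),
    (12,  "sw3/9", "08:00:20:cc:dd:02"),   # same MAC live on a second port
    (14,  "sw2/1", "08:00:20:cc:dd:02"),
    (16,  "sw3/9", "08:00:20:cc:dd:02"),
]

def classify(events, window=60):
    """Return {mac: 'stable' | 'moved' | 'duplicate'}.

    'moved'     : the MAC changed port and did not return within `window` s
    'duplicate' : the MAC bounced back to a port it had left within
                  `window` seconds, i.e. two stations are sending with it
    """
    last_seen = defaultdict(dict)      # mac -> {port: last timestamp}
    current = {}                       # mac -> port of most recent frame
    verdict = {}
    for ts, port, mac in sorted(events):
        prev = current.get(mac)
        if prev is None:
            verdict[mac] = "stable"
        elif prev != port:
            # Returning to a port we left recently means both ports are live.
            earlier = last_seen[mac].get(port)
            if earlier is not None and ts - earlier <= window:
                verdict[mac] = "duplicate"
            elif verdict[mac] != "duplicate":
                verdict[mac] = "moved"
        last_seen[mac][port] = ts
        current[mac] = port
    return verdict

if __name__ == "__main__":
    for mac, v in classify(EVENTS).items():
        print(mac, v)
```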