Date: Mon, 05 Jul 2010 18:59:03 -0400
From: Steve Bertrand <steve@ipv6canada.com>
To: David Kelly <dkelly@hiwaay.net>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: VLANs is this right?
Message-ID: <4C3263B7.9020705@ipv6canada.com>
In-Reply-To: <20100705165746.GB10990@Grumpy.DynDNS.org>
References: <AANLkTilW7eTmmdUtRlXpRX3CT_vuOkE2M0eDB_qiiauW@mail.gmail.com> <20100705165746.GB10990@Grumpy.DynDNS.org>
On 2010.07.05 12:57, David Kelly wrote:
> On Mon, Jul 05, 2010 at 10:16:19AM -0600, Modulok wrote:
>>
>> Criteria:
>> - HostA must never directly talk to HostB.
>> - Both hostA and hostB have an Internet connection.
>>
>> What I have to work with:
>> proCurve switch which supports VLANs.
>> 2x Intel NICs in FreeBSD which support VLANs.
>
> Am thinking you are approaching it the wrong way.

I wasn't going to, but I'd like to respond to your post. In no way am I attempting to knock the fact that you tried to help; I'd just like to clarify a few things...

My personal belief is that the OP is approaching this in the best possible way.

> Not familiar with the specifics of a ProCurve switch but that's a high
> end unit, not a Netgear. I would expect you could configure the switch
> to disallow the MAC addresses from talking to each other of hostA and
> hostB.

I would expect a residential-grade NetGear to be configured in such a way, not a higher-end switch.

> Furthermore, it would be even easier to disallow hostB from within
> hostA's firewall. And do the same at hostB.

Easier if you have 2-10 machines that are not laptops and never get replaced. Your expectations are not scalable, nor do they provide a network-wide solution. If the OP's network grows to 200 vlans with 15k hosts, maintaining such a setup is nowhere near feasible.

This is why the 'higher-end' gear allows such functions. By putting users (i.e. client systems, or even business functional units) into vlans, security policies can be enacted in one fell swoop (one ACL, aka firewall rule) within the device through which they access the other portions of the network.

Generally, MAC filtering is used to place a specific nic into its proper vlan, or to deny it access to the network in general (based on an allowed-only list). Personally, I've never seen it used to filter host-host traffic before.

Also, using vlans limits the size of broadcast domains.
Not too long ago, I consulted for a company that had ~4k machines within one IP subnet. They questioned why they should replace their unmanaged switches with managed ones in the course of my work, so I generated an example.

It is *trivial* in FBSD to trunk vlans and firewall them off from one another (notes: I use Quagga to assign v4 addresses to my sub-ints, so the syntax may be off. However, FBSD 7.2 accepts this as valid. Also, I do it a bit differently in production (one line), but I don't have access to the boxes I do it on, and I forget the exact syntax):

# ipfw add 100 deny all from any to any recv em5.10 xmit em5.11
# ipfw add 110 deny all from any to any recv em5.11 xmit em5.10

fwiw, depending on the switch, it may even be able to do some of this L3 functionality inherently.

Steve
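The two ipfw rules above cover one pair of VLANs. The script below is an added example, not code from Steve's message or from the FreeBSD project: it generates the vlan(4) sub-interfaces on a trunk port (the step the message leaves out) and then the full set of pairwise recv/xmit deny rules for any number of VLANs, which is the scalability point made earlier in the thread. Everything in it is an assumption not present in the original: the trunk NIC em5, VLAN IDs 10, 11 and 12, the 10.0.<vid>.1/24 addressing, and rule numbers starting at 100 in steps of 10. It prints a plan rather than executing anything.

```shell
#!/bin/sh
# Added example, not from the original message. Generates the FreeBSD
# commands that (1) build tagged vlan(4) sub-interfaces on one trunk port
# and (2) add ipfw rules so no VLAN is forwarded into any other VLAN
# through this box. Assumed values (not from the original): trunk em5,
# VLANs 10 11 12, 10.0.<vid>.1/24 per sub-interface, rules from 100 by 10.

# One ifconfig line per VLAN. The ifname.vid naming matches the em5.10 /
# em5.11 interface names used in the message.
vlan_ifconfig() {
    trunk="$1"; shift
    for vid in "$@"; do
        printf 'ifconfig %s.%s create vlan %s vlandev %s inet 10.0.%s.1/24 up\n' \
            "$trunk" "$vid" "$vid" "$trunk" "$vid"
    done
}

# One deny rule per ordered VLAN pair: a packet received on sub-interface A
# and about to be transmitted on sub-interface B is dropped. Each rule is
# one direction only, which is why the message needs 10->11 and 11->10 as
# two separate rules. N VLANs produce N*(N-1) rules.
vlan_isolation_rules() {
    trunk="$1"; base="$2"; shift 2
    num="$base"
    for a in "$@"; do
        for b in "$@"; do
            [ "$a" = "$b" ] && continue
            printf 'ipfw add %s deny all from any to any recv %s.%s xmit %s.%s\n' \
                "$num" "$trunk" "$a" "$trunk" "$b"
            num=$((num + 10))
        done
    done
}

# Rule count the generator will emit for n VLANs; useful for sanity-checking
# a large plan (200 VLANs is 39800 rules) before loading it.
expected_rule_count() {
    n="$1"
    echo $((n * (n - 1)))
}

TRUNK="${TRUNK:-em5}"
VLANS="${VLANS:-10 11 12}"
BASE="${BASE:-100}"

# Print the plan only. To apply on a FreeBSD router as root:
#   sh vlan-isolate.sh | sh
# shellcheck disable=SC2086  # VLANS is intentionally word-split
vlan_ifconfig "$TRUNK" $VLANS
vlan_isolation_rules "$TRUNK" "$BASE" $VLANS
```

Two caveats that apply to the original rules as much as to the generated ones. The deny rules only do anything if the FreeBSD box is the router between the VLANs (gateway_enable="YES" and firewall_enable="YES" in rc.conf); two hosts in the same VLAN never hit ipfw because their frames stay on the switch, so HostA and HostB from the OP's question must be in different VLANs for this to separate them. And for the sub-interfaces to survive a reboot they should go in rc.conf as vlans_em5="10 11 12" with one ifconfig_em5_<vid> line each, rather than being created by hand.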
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C3263B7.9020705>