VLAN interfaces on FreeBSD; performance issues

Chuck Swiger cswiger at mac.com
Sun Sep 11 07:17:01 PDT 2005


Blake Covarrubias wrote:
> On Sep 10, 2005, at 8:37 AM, Chuck Swiger wrote:
[ ... ]
>> fxp is a good NIC hardware.  However, if you are trying to connect  
>> two distinct subnets, playing ISO layer-2 games with VLANs is not  
>> going to result in a good substitute for layer-3 IP routing.
>>
>> You cannot truthfully multihome a machine with a single NIC.
>
> My goal is to make this machine a gateway for several servers that I  
> need to segment that will be on different IP subnets. I could always  
> just alias the IPs to the NIC on the gateway machine, but I need  
> layer-2 separation for security.

If you need layer-2 separation for security, then you need to put each of these 
machines or tiny subnets on separate hubs or switches.  Simply putting them all 
onto one switch and putting ports onto different VLANs does not give adequate 
isolation in practice even from non-malicious traffic, as you might discover if 
you monitor for ARP traffic leaking through (especially under high packet rate 
load).

A malicious user can use mechanisms discussed here:

http://www.sans.org/resources/idfaq/vlan.php
http://archives.neohapsis.com/archives/sf/pentest/2001-06/0139.html

"Try not to use VLANs as a mechanism for enforcing security policy. They are 
great for segmenting networks, reducing broadcasts and collisions and so forth, 
but not as a security tool."

> I'm doing this for co-located servers 
> (hence the need for segmentation). I don't think it's feasible to add a 
> NIC for every new machine.

You don't need a separate NIC or hub for each new machine, but you ought to 
have one for each distinct security domain (or client, or whatever).

(If my packets and their packets all go to the same switch port, my traffic is 
not actually being isolated from their traffic, VLAN tagging or no.)

-- 
-Chuck
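One way to do the ARP monitoring Chuck mentions, as an added example that is not part of the original thread: it scans tcpdump -e style capture lines for 802.1Q-tagged ARP frames and flags any whose sender IP does not belong to the subnet expected on the VLAN the frame was seen on. The VLAN-to-subnet mapping and the sample lines are constructed for this example, not taken from the post.

```python
import re
import ipaddress

# Constructed mapping (assumed values, not from the original post):
# which IP subnet is supposed to live on each VLAN id.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.0.10.0/24"),
    20: ipaddress.ip_network("10.0.20.0/24"),
}

# Matches a tagged ARP frame in tcpdump -e style output and captures the VLAN id
# plus the sender IP ("tell X" for requests, "X is-at" for replies).
ARP_RE = re.compile(
    r"vlan (?P<vlan>\d+),.*ethertype ARP.*?"
    r"(?:tell (?P<req>\d+\.\d+\.\d+\.\d+)|(?P<rep>\d+\.\d+\.\d+\.\d+) is-at)"
)

def find_arp_leaks(lines, vlan_subnets=VLAN_SUBNETS):
    """Return (vlan, sender_ip) pairs for ARP frames whose sender address is not
    in the subnet expected on the VLAN where the frame was captured. A frame on a
    VLAN with no expected subnet at all is also reported."""
    leaks = []
    for line in lines:
        m = ARP_RE.search(line)
        if not m:
            continue  # not an 802.1Q-tagged ARP frame, ignore
        vlan = int(m.group("vlan"))
        sender = ipaddress.ip_address(m.group("req") or m.group("rep"))
        expected = vlan_subnets.get(vlan)
        if expected is None or sender not in expected:
            leaks.append((vlan, str(sender)))
    return leaks

# Constructed sample capture lines (not real traffic), in tcpdump -e style.
SAMPLE = [
    "00:11:22:33:44:55 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Request who-has 10.0.10.1 tell 10.0.10.20, length 28",
    "00:11:22:33:44:66 > 00:11:22:33:44:55, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Reply 10.0.10.1 is-at 00:11:22:33:44:66, length 28",
    "00:aa:bb:cc:dd:ee > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Request who-has 10.0.20.1 tell 10.0.20.55, length 28",
    "00:11:22:33:44:77 > Broadcast, ethertype IPv4 (0x0800), length 98: 10.0.10.20 > 10.0.10.1: ICMP echo request",
]

if __name__ == "__main__":
    # The third sample line is a VLAN 20 host's ARP request showing up on VLAN 10.
    for vlan, ip in find_arp_leaks(SAMPLE):
        print(f"ARP from {ip} seen on VLAN {vlan}: not in {VLAN_SUBNETS[vlan]}")
```

Feeding real capture output into find_arp_leaks (for example from a tagged vlan interface on the FreeBSD gateway) gives a quick answer to whether frames from one segment are appearing on another.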
