VLANs is this right?

Steve Bertrand steve at ipv6canada.com
Mon Jul 5 22:58:55 UTC 2010


On 2010.07.05 12:57, David Kelly wrote:
> On Mon, Jul 05, 2010 at 10:16:19AM -0600, Modulok wrote:
>>
>> Criteria:
>>     - HostA must never directly talk to HostB.
>>     - Both hostA and hostB have an Internet connection.
>>
>> What I have to work with:
>>     proCurve switch which supports VLANs.
>>     2x Intel NICs in FreeBSD which support VLANs.
> 
> Am thinking you are approaching it the wrong way.

I wasn't going to, but I'd like to respond to your post. In no way am I
attempting to knock the fact that you tried to help, I'd just like to
clarify a few things...

My personal belief is that the OP is approaching this in the best
possible way.

> Not familiar with the specifics of a ProCurve switch but that's a high
> end unit, not a Netgear. I would expect you could configure the switch
> to disallow the MAC addresses from talking to each other of hostA and
> hostB.

I would expect a residential-grade NetGear to be configured in such a way,
not a higher-end switch.

> Furthermore, it would be even easier to disallow hostB from within
> hostA's firewall. And do the same at hostB.

Easier if you have 2-10 machines, that are not laptops, and never get
replaced.

Your expectations are not scalable, nor do they provide a network-wide
solution. If the OP's network grows to 200 vlans with 15k hosts,
maintaining such a setup is nowhere near feasible. This is why the
'higher-end' gear allows such functions.

By putting users (i.e. client systems, or even business functional units)
into vlans, security policies can be enacted in one fell swoop (one ACL,
aka firewall rule) within the device through which they access the other
portions of the network.

Generally, MAC filtering is used to place a specific nic into its proper
vlan, or to deny it access to the network in general (based on an
allowed-only list). Personally, I've never seen it used to filter
host-host traffic before.

Also, using vlans limits the size of broadcast domains. Not too
long ago, I consulted for a company that had ~4k machines within one IP
subnet. They questioned why they should replace their unmanaged switches
with managed ones in the course of my work, so I generated an example.

It is *trivial* in FBSD to trunk vlans, and firewall them off from one
another (notes: I use Quagga to assign v4 addresses to my sub-ints, so
the syntax may be off. However, FBSD 7.2 accepts this as valid. Also, I
do it a bit differently in production (one line), but I don't have
access to the boxes I do it on, and I forget the exact syntax):

# ipfw add 100 deny all from any to any recv em5.10 xmit em5.11
# ipfw add 110 deny all from any to any recv em5.11 xmit em5.10

fwiw, depending on the switch, it may even be able to do some of this L3
functionality inherently.

Steve
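The two ipfw rules above, generalised to any number of VLAN sub-interfaces on one trunk port, as an added example that is not part of the original thread. It only prints the ifconfig(8) and ipfw(8) commands so they can be reviewed before being run on the FreeBSD box; the trunk NIC name em5 and the em5.<tag> naming follow the post and are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): emit the commands that
# create the VLAN sub-interfaces on a trunk NIC and then deny traffic
# between every pair of them, i.e. the post's two-rule pattern for N VLANs.
# Traffic the rules do not match (VLAN to Internet) is left to the rest of
# the ipfw ruleset. Assumption: trunk NIC em5, sub-interfaces em5.<tag>.

TRUNK="${TRUNK:-em5}"

# vlan_ifaces "10 11 12" -> one ifconfig line per tag, e.g. em5.10 for tag 10
vlan_ifaces() {
    for tag in $1; do
        printf 'ifconfig %s.%s create vlan %s vlandev %s\n' \
            "$TRUNK" "$tag" "$tag" "$TRUNK"
    done
}

# isolation_rules "10 11 12" [base]
# One deny rule per ordered pair (recv A xmit B), so N tags give N*(N-1)
# rules, numbered from base (default 100) in steps of 10 like the post.
isolation_rules() {
    tags=$1
    num=${2:-100}
    for a in $tags; do
        for b in $tags; do
            [ "$a" = "$b" ] && continue
            printf 'ipfw add %s deny all from any to any recv %s.%s xmit %s.%s\n' \
                "$num" "$TRUNK" "$a" "$TRUNK" "$b"
            num=$((num + 10))
        done
    done
}

# rule_count "10 11 12" -> how many deny rules the set needs (6 here)
rule_count() {
    isolation_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone use: print the full command list for three VLANs.
if [ "${1:-}" = "--print" ]; then
    vlan_ifaces "10 11 12"
    isolation_rules "10 11 12"
fi
```

Pipe the printed lines to sh on the router only after checking that the rule numbers do not collide with an existing ruleset.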