VLANs is this right?

David Kelly dkelly at hiwaay.net
Tue Jul 6 04:35:11 UTC 2010 

On Jul 5, 2010, at 5:59 PM, Steve Bertrand wrote:

> On 2010.07.05 12:57, David Kelly wrote:
>> On Mon, Jul 05, 2010 at 10:16:19AM -0600, Modulok wrote:
>>>
>>> Criteria:
>>>    - HostA must never directly talk to HostB.
>>>    - Both hostA and hostB have an Internet connection.
>>>
>>> What I have to work with:
>>>    proCurve switch which supports VLANs.
>>>    2x Intel NICs in FreeBSD which support VLANs.
>>
>> Am thinking you are approaching it the wrong way.
>
> I wasn't going to, but I'd like to respond to your post. In no way  
> am I
> attempting to knock the fact that you tried to help, I'd just like to
> clarify a few things...
>
> My personal belief is that the OP is approaching this in the best
> possible way.
>
>> Not familiar with the specifics of a ProCurve switch but that's a  
>> high
>> end unit, not a Netgear. I would expect you could configure the  
>> switch
>> to disallow the MAC addresses from talking to each other of hostA and
>> hostB.
>
> I would expect a residential-grade NetGear be configured in such a  
> way,
> not a higher-end switch.

Generally a residential SOHO Netgear switch is unmanaged and not  
configurable. Sometimes this grade of gear gets confused when one  
moves a host from one port to another that it must be power cycled to  
clear the error from its MAC tables.

>> Furthermore, it would be even easier to disallow hostB from within
>> hostA's firewall. And do the same at hostB.
>
> Easier if you have 2-10 machines, that are not laptops, and never get
> replaced.
>
> Your expectations are not scalable, nor do they provide a network-wide
> solution. If the OPs network grows to 200 vlans with 15k hosts,
> maintaining such a setup is no where near feasible. This is why the
> 'higher-end' gear allows such functions.

I didn't hear "scalable" in the specification, only hostA, hostB, one  
ProCurve, and one FreeBSD gateway/router connected to the internet.

> By putting users (ie. client systems, or even business functional  
> units)
> into vlans, security policies can be enacted in one fell swoop (one  
> ACL,
> aka firewall rule) within the device they access the other portions of
> the network.

As long as the switch (which you have control over) encapsulates a  
specific port to a VLAN then you are correct in that VLAN is the best  
way. But if one must configure the untrusted host to only speak VLAN  
then one doesn't have the desired security.

--
David Kelly N4HHE, dkelly at HiWAAY.net
========================================================================
Whom computers would destroy, they must first drive mad.

More information about the freebsd-questions mailing list