> > On 14 Feb 2002, at 9:03, [EMAIL PROTECTED] wrote:
> > (b) A large switch with VLANs is often more expensive than two
> > smaller switches. VLANs are of limited utility unless you are
> > also trunking together multiple switches, in which case they allow
> > you to define a logical division into subnets that is independent
> > of your physical distribution across switches.
> > But in the case of the DMZ, the logical and physical partitioning
> > of the network really ought to match.
On DMZs you usually have one or two systems from one customer, and a great
many in total. Having to establish a switch for all of them is not an
option.
Besides setting up a VLAN, the other alternative is to go with Cisco "secure"
mode. It will allow all client ports only to communicate to one main
upstream port. If you have not much intra-DMZ traffic, this might be enough
for you.
On the other hand, I don't know about VLAN compromise, and the technology is
actually pretty trivial. So I think it is a good additional tool for
separation in those mixed application or mixed customer environments.
Greetings
Bernd
--
(OO) -- [EMAIL PROTECTED] --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
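As an added illustration of the two options Bernd describes above (this is not from the original mail or from Cisco documentation), here is a Catalyst IOS configuration fragment. It assumes that the "secure" mode referred to corresponds to IOS protected ports (`switchport protected`, also called private-VLAN edge); the interface numbers, VLAN IDs and customer names are invented. The first half shows protected ports in one shared DMZ VLAN, where customer ports can only reach the unprotected uplink to the firewall; the second half shows one VLAN per customer carried to the firewall over an 802.1Q trunk.

```cisco
! Added example, not part of the original mail. Assumes a Catalyst switch
! running IOS with protected-port support; interface and VLAN numbers are
! invented for illustration.

! --- Option 1: one DMZ VLAN, customer ports as protected ports ---
! Uplink to the firewall DMZ interface: NOT protected, so every customer
! port is allowed to forward to it.
interface FastEthernet0/1
 description uplink to firewall DMZ interface
 switchport mode access
 switchport access vlan 100
!
! Customer ports: protected ports never forward frames directly to another
! protected port on the same switch, even within the same VLAN, so customer
! A and customer B can only talk via the firewall. Note that this does not
! hold across a trunk to a second switch.
interface FastEthernet0/2
 description customer A host
 switchport mode access
 switchport access vlan 100
 switchport protected
!
interface FastEthernet0/3
 description customer B host
 switchport mode access
 switchport access vlan 100
 switchport protected
!
! Check with: show interfaces FastEthernet0/2 switchport
! (expect "Protected: true")

! --- Option 2: one VLAN per customer, trunked to the firewall ---
vlan 101
 name customer-A-dmz
vlan 102
 name customer-B-dmz
!
! Only the customer VLANs are allowed on the trunk; the firewall terminates
! one 802.1Q subinterface per VLAN and is the only path between them.
interface FastEthernet0/4
 description 802.1Q trunk to firewall
 switchport trunk encapsulation dot1q   ! accepted on some platforms only
 switchport mode trunk
 switchport trunk allowed vlan 101,102
 switchport trunk native vlan 999       ! unused native VLAN, not 1
!
interface FastEthernet0/5
 description customer A host
 switchport mode access
 switchport access vlan 101
!
interface FastEthernet0/6
 description customer B host
 switchport mode access
 switchport access vlan 102
!
! Check with: show vlan brief   and   show interfaces trunk
```

The protected-port variant is the cheaper one to roll out when there is little intra-DMZ traffic, as the mail says, because no trunk or firewall subinterfaces are needed; the per-customer VLAN variant is what you want when the firewall has to apply different policy per customer, and it is the one whose separation survives when several switches are trunked together.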