Yes, OT... But unless you've chosen to do something silly (like enabling MVRP, 
or blindly allowing all VLANs to an untrusted host) saying "VLANs aren't 
secure" is about as useful as "ICMP isn't secure".
Please explain how VLANs are not secure when you have control of the devices on 
both ends of an 802.1Q-tagged link?  That's no more or less secure than having 
multiple links to a switch running un-tagged ports on different VLANs.  Or are 
you saying I should have a separate physical switch for each subnet?

I recall the performance question coming up at BSDCan, and Henning saying that 
under ideal circumstances, yes, OpenBSD could usefully fill a 10GE pipe, but 
that non-ideal circumstances would degrade performance faster than the 
equivalent $250k+ hardware 10GE router.

Reyk@ is, I believe, running an entire company predicated on high-performance
routing, including multiple-10GE, but that's second-hand knowledge.

Certainly OpenBSD is easily capable of pushing many gigabits per second of
traffic; I just don't know what the absolute upper limits are today.

-Adam

On June 20, 2014 8:01:20 AM CDT, Boris Goldberg <bo...@twopoint.com> wrote:
>Hello ML,
>
>Thursday, June 19, 2014, 2:21:38 AM, you wrote:
>
>Mm> I have four /24 subnets and currently have one subnet per ethernet
>Mm> interface (1Gbit/s) on my openbsd firewall. Now I was wondering if in
>Mm> terms of performance (especially latency/pps) it is better to have one
>Mm> subnet per ethernet interface like I have now or to have the four
>Mm> subnets on one single interface using vlan interfaces?
>
>Mm> The traffic/bandwidth here is not really an issue and the one single
>Mm> interface would be a 10 Gbit/s interface anyway so it can accommodate
>Mm> the traffic of 4 VLANs without problem.
>
>Mm> Note here that I would also be using the trunk interface to aggregate
>Mm> two 10 Gbit/s interfaces for redundancy. So my four VLANs would be
>Mm> inside a trunk interface.
>
>Sorry for the OT, but hadn't you separated them for a reason in the
>first place? There is no real security separation between VLANs.
>
>  Also OT - is OBSD handling 10 gigabit interfaces at full capacity already?
>
>-- 
>Best regards,
> Boris                            mailto:bo...@twopoint.com

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
