Hi Guys, I am fairly new to OpenBSD, so I am just beginning to learn from all of you. This subject I can help out a bit with. VLANs were designed to separate broadcast domains, not to be a security feature. It is more of a side effect, and companies tout that it can be used for security. Newer code is much better, like Jason said.
Lachian, hopefully you have a manageable switch that can create VLANs. You will have to create a VLAN for each of your subnets and add the appropriate ports into those VLANs. I would suggest that you use something other than VLAN 1 (the default VLAN) for your two VLANs. The port that is going to connect to your OpenBSD box will be a member of both VLANs, and you turn on VLAN tagging (802.1Q) on the switch; if it is a Cisco switch, use dot1q, not ISL. On the OpenBSD box you will have to turn on IP forwarding, configure the VLANs, and enable VLAN tagging. Look up ifconfig(8).

Hopefully, this is only a temporary solution. Network traffic on that NIC will be twice as much as normal, since it receives and sends it out the same NIC. If you do not use VLANs, you will see broadcasts coming from both of your subnets; if you bring up a sniffer, you should see them. Also, if the employees are clever they can just change their IP address to become part of the new network and bypass any firewalling you might be doing on your OpenBSD box. :(

bofh, I feel sorry for the network. I have met too many of those guys in the networking field, but most of them never had any certs. I really doubt that he had a CCNP unless he memorized some kind of brain dump to get it. People like that devalue the certs in our industry.

rc

On 3/25/07, J.C. Roberts <[EMAIL PROTECTED]> wrote:
> On Sunday 25 March 2007 11:09, Jason Dixon wrote:
> > > (Hark! -I think I hear the infamous "wooshing" sound of a quickly
> > > approaching clue stick)
> >
> > I'm not sure of the date of this article, but it seems to cover all
> > of your questions.
> >
> > http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
>
> Excellent! Thanks Jason.
>
> > > Since you know real world usage of VLANs far better than most (and
> > > certainly better than me), your insights on using OpenBSD to
> > > properly secure VLANs seem totally MetaBUGable!
> >
> > VLANs really aren't the black magic most folks seem to think. Even
> > Gillian Anderson has mastered the art of packet switching.
> >
> > http://www.routergod.com/gilliananderson/
> > http://www.routergod.com/gilliananderson/part2.html
>
> Now that was *really* unfair -you know I'm a sucker for redheads. :-)
>
> jcr
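The OpenBSD side of what rc describes (a tagged vlan(4) interface per subnet on one NIC, IP forwarding, and pf filtering between the two VLANs), as an added shell example that is not from the thread: it assumes em0 as the tagged NIC, VLAN ids 10 and 20, constructed 192.168.x.x addresses, and the current vnetid/parent ifconfig(8) keywords rather than the vlan/vlandev ones of that era.

```shell
#!/bin/sh
# Added example: stage the config for an OpenBSD "router on a stick" between
# two 802.1Q VLANs.  Assumptions (not from the thread): parent NIC em0, VLAN
# ids 10 and 20, constructed 192.168.10.0/24 and 192.168.20.0/24, and the
# vnetid/parent keywords of current ifconfig(8).  Files are written under a
# staging root so they can be reviewed before being copied into /etc.
set -eu

# hostname.if(5) content for one vlan(4) interface; netstart hands each
# line to ifconfig(8) at boot.
vlan_hostname() {
    # $1=vlan id  $2=parent NIC  $3=router address on that VLAN  $4=netmask
    printf 'vnetid %s parent %s\ninet %s %s\nup\n' "$1" "$2" "$3" "$4"
}

# pf.conf(5) fragment: default deny, no traffic between the two VLANs, and
# antispoof so a host that renumbers itself into the other subnet is dropped
# on the interface where its packets actually arrive (the bypass rc warns of
# only works if the switch port puts the host in that VLAN).
pf_rules() {
    # $1=first vlan interface  $2=second vlan interface  $3=upstream NIC
    cat <<EOF
block log all
antispoof log for { $1 $2 }
pass out quick on $3 inet
pass in on $1 inet from $1:network to ! $2:network
pass in on $2 inet from $2:network to ! $1:network
EOF
}

# Assemble everything under "$1/etc" (a staging directory, not /etc itself).
write_config() {
    root="$1"
    mkdir -p "$root/etc"
    vlan_hostname 10 em0 192.168.10.1 255.255.255.0 > "$root/etc/hostname.vlan10"
    vlan_hostname 20 em0 192.168.20.1 255.255.255.0 > "$root/etc/hostname.vlan20"
    pf_rules vlan10 vlan20 em0 > "$root/etc/pf.conf"
    # routing between the VLANs needs forwarding enabled (sysctl.conf(5))
    echo 'net.inet.ip.forwarding=1' > "$root/etc/sysctl.conf"
}

# Usage: sh stage-vlans.sh ./stage   (then review and copy into /etc)
if [ $# -gt 0 ]; then
    write_config "$1"
fi
```

After copying the files into /etc, `sh /etc/netstart vlan10 vlan20`, `sysctl net.inet.ip.forwarding=1` and `pfctl -f /etc/pf.conf` bring it up without a reboot; the upstream NIC name in pf_rules is an assumption to adjust.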

