Re: [pfSense Support] OT: physical interface v vlan
On 16/02/10 05:42, Chris Buechler wrote:
> This depends on how much you trust your switches, and more so, how much you trust your admins. It's usually easier to inadvertently configure something on the wrong VLAN than it is to plug something into the wrong switch. Especially if you have people without much ...

+1

I don't know if it is still the case* but ciscos by default allow negotiation of a port between access and trunk, so if someone on a PC connected to your switch turned on .1q they could in theory access all your vlans. switchport nonegotiate is the magic command to disable it - apply to all ports.

A lot comes down to whether someone has physical access to the switch itself; in some offices you can't protect access to the switch providing service to end users.

Personally I too like to segregate external/WAN traffic from LAN by having a separate switch; that would then be locked away in the computer room next to the firewalls to avoid tampering - accidental or malicious.

Even if I did only have one switch for WAN and LAN, I would probably use separate physical interfaces on the firewall into the switch so that you could clearly label the unfirewalled ports and use differently coloured cables; it also makes it easier to measure WAN traffic if it's on a port by itself.

* encountered on our cisco 3560G and 3560E switches which are fairly up to date
http://www.ciscopress.com/articles/article.asp?p=29803seqNum=3

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
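An added example, not code from the thread or from pfSense or Cisco, of the check a switch admin would want after reading the message above: given IOS-style running-config text, it lists the ports still left open to the access/trunk negotiation described, i.e. those without a static switchport mode or without the switchport nonegotiate command. The interface names and VLAN ids in the sample config are constructed.

```python
"""Flag switch ports that can still be negotiated into a trunk (added example,
not code from the thread): audits IOS-style config text for ports lacking a
static 'switchport mode' or the thread's fix, 'switchport nonegotiate'."""
import re

# Constructed sample config: interface names and VLAN ids are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 20
!
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the block
    return blocks

def negotiable_ports(config):
    """Map port name -> reasons it is still open to DTP trunk negotiation."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        reasons = []
        if not any(l.startswith("switchport mode ") for l in lines):
            reasons.append("no static switchport mode (dynamic DTP default)")
        if "switchport nonegotiate" not in lines:
            reasons.append("missing 'switchport nonegotiate'")
        if reasons:
            findings[name] = reasons
    return findings
```

GigabitEthernet0/1 is the hardened form the message recommends and is not reported; a port in access mode without nonegotiate is still flagged because it keeps sending DTP frames.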
[pfSense Support] OT: physical interface v vlan
I would like to know if somebody can tell me an advantage, other than raw throughput, of a router with multiple interfaces when compared with a router using few physical interfaces but vlans in their place. I cannot come up with one.

db
Re: [pfSense Support] OT: physical interface v vlan
David Burgess wrote:
> I would like to know if somebody can tell me an advantage, other than raw throughput, of a router with multiple interfaces when compared with a router using few physical interfaces but vlans in their place. I cannot come up with one.
>
> db

Physical segregation of network segments with differing security policies would be another. Admittedly, this is a philosophical difference, but I typically don't keep network segments that have different security stances on the same hardware if I can help it. Multiple LAN segments can certainly share the same physical hardware and just be segmented by VLANs, but I would shy away from having a LAN segment and a DMZ segment on the same switch and sharing the same NIC on the router/firewall.
Re: [pfSense Support] OT: physical interface v vlan
On Mon, Feb 15, 2010 at 5:28 PM, Gary Buckmaster g...@s4f.com wrote:
> David Burgess wrote:
>> I would like to know if somebody can tell me an advantage, other than raw throughput, of a router with multiple interfaces when compared with a router using few physical interfaces but vlans in their place. I cannot come up with one.
>
> Physical segregation of network segments with differing security policies would be another. Admittedly, this is a philosophical difference, but I typically don't keep network segments that have different security stances on the same hardware if I can help it. Multiple LAN segments can certainly share the same physical hardware and just be segmented by VLANs, but I would shy away from having a LAN segment and a DMZ segment on the same switch and sharing the same NIC on the router/firewall.

This depends on how much you trust your switches, and more so, how much you trust your admins. It's usually easier to inadvertently configure something on the wrong VLAN than it is to plug something into the wrong switch. Especially if you have people without much network knowledge messing with your switches. There are also possibilities, if your switch has bugs or is improperly configured, to hop between VLANs where that's impossible with physically separate switches. Most of it comes down to using a proper configuration, and ensuring it stays a proper configuration.
Re: [pfSense Support] OT: physical interface v vlan
On Mon, Feb 15, 2010 at 10:42 PM, Chris Buechler cbuech...@gmail.com wrote:
> This depends on how much you trust your switches, and more so, how much you trust your admins. It's usually easier to inadvertently configure something on the wrong VLAN than it is to plug something into the wrong switch. Especially if you have people without much network knowledge messing with your switches. There are also possibilities, if your switch has bugs or is improperly configured, to hop between VLANs where that's impossible with physically separate switches. Most of it comes down to using a proper configuration, and ensuring it stays a proper configuration.

Thanks for the replies. In summary, it looks like vlans are more vulnerable to user error and security breach, but are technically as capable as a separate physical network.

db