Paul, I understand your post up to this point:
> if the switch's ports are set so that connected devices can't cause them
> to flip from untagged to tagged mode (in Cisco-speak from access to
> trunk - "switchport nonegotiate")

I'm looking at the help file for my switch, and thinking this section is saying what you're saying:

"Ingress Filtering - When enabled, the frame is discarded if this port is not a member of the VLAN with which this frame is associated. In a tagged frame, the VLAN is identified by the VLAN ID in the tag. In an untagged frame, the VLAN is the Port VLAN ID specified for the port that received this frame. When disabled, all frames are forwarded in accordance with the 802.1Q VLAN bridge specification. The factory default is disabled."

Would you agree that Ingress Filtering on this switch appears to be the feature that you're describing?

> but even so I still really want to physically isolate unfirewalled
> network strands just in case!

Point taken, from you and Chris as well. I should be able to get my hands on a used Cisco 3550 in the next few months to accomplish this. In the meantime I'm going to use this opportunity to learn the functions of my switch and improve my security practices. At this point I trust the small number of users on my OPT interfaces; however, that will change.

Thanks for the feedback.

db

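For readers picking up the Cisco 3550 mentioned above, here is the port configuration that implements the "switchport nonegotiate" advice from the quoted reply. This is an added example by the editor, not configuration posted by anyone in the thread; the interface names, VLAN numbers and descriptions are assumed for illustration. The first interface shows the weak form (DTP left on, so a connected host can negotiate the port into a trunk) and the second shows the hardened form; the uplink to pfSense is then made an explicit trunk with DTP off as well.

```cisco
! WEAK (example only): DTP is active, so a host that speaks DTP can turn
! this access port into a trunk and then tag frames for any VLAN.
interface FastEthernet0/4
 description OPT1 host - do not configure like this
 switchport mode dynamic desirable
 switchport access vlan 20
!
! HARDENED: hard-code access mode, pin the access VLAN, and turn DTP off
! so the connected device cannot negotiate trunking at all.
interface FastEthernet0/5
 description OPT1 untrusted host
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
!
! Uplink to the pfSense box: explicit 802.1Q trunk (the 3550 needs the
! encapsulation set before "mode trunk"), DTP off, and only the VLANs
! that actually have to cross this link. VLAN IDs are assumed.
interface GigabitEthernet0/1
 description trunk to pfSense
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20,30
!
```

To check the result on the switch, `show interfaces FastEthernet0/5 switchport` should report "Administrative Mode: static access" and "Negotiation of Trunking: Off"; on the uplink it should report "Administrative Mode: trunk" with the same "Negotiation of Trunking: Off". Note that this is a different control from the Ingress Filtering setting quoted in the help text: `switchport nonegotiate` stops a port from being talked into trunk mode, while ingress filtering decides whether an already-tagged frame arriving on a port is dropped because the port is not a member of that VLAN.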