> The low-end Cisco ASA 5505 requires VLAN configuration since it is
> just a switch.
> The Cisco ASA 5510 has four Ethernet ports. If you need more, just
> use VLAN.
> Perhaps Cisco is expecting a firewalled network to use managed
> switches. Is it best practice? Why is there resistance to VLANs in
> the pfSense community?

You'll note that the *switch* vendors are generally the ones pushing VLANs 
on firewalls: I don't think this is a coincidence.  Of course, every major 
firewall vendor does support VLANs now, and most also support LAGs, 
because many people do use them.

I wouldn't say I put up any "resistance" to VLANs, nor anything I've seen 
in this thread.  It's just that experience has shown many of us (me, 
anyway) that implementing VLANs adds another layer of complexity. 
VLAN-on-LAG adds another layer on top of that.  Every additional layer we 
have to work with increases the possibility of making errors.  (In my 
experience, the occurrence of errors roughly doubles with each layer 
added.)  And in what is usually the most secure device on the network - 
the firewall - you don't want to make errors.  Especially when, more often 
than not, the firewall is the *only* secure device on the network!

As I indicated in my post, using VLANs allows for new and (*cough*) 
interesting failure modes that you just don't have to deal with otherwise.

Note that I do use VLANs and will continue to do so.  The largest network 
I've designed (for a regional ISP) trunks over 100 different VLANs back to 
the core, and there's a Cisco 7206 with >100 subifs managing it all quite 
happily; even their two upstream pipes are trunked in on VLANs, and 
"internal" and "external" networks share the same wire in many places, 
separated only by tags.

Most of my firewall deployments do use VLANs; one must be much more 
careful when doing so.  I have encountered (and caused!) problems that 
would not have occurred in a non-VLAN environment.

So if you don't *need* VLANs, don't use them.  If you *need* VLANs, go 
ahead and use them.  Just like any other technology.


> I sold a Cisco Catalyst 3500XL with 48 Fast Ethernet ports for $35
> a couple of months ago on eBay. I don't think cost is the issue.

I agree.  Chris also pointed this out a few posts ago.

Although it could be argued that GigE "smart" switches still aren't 
negligibly cheap: I think the cheapest one I can get in Canada is around 
$300.  Still not very expensive, especially compared to the firewall 
hardware I'd need to actually route data at over 100Mbps.

-Adam
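As an added illustration (not part of Adam's message, and not pfSense code), the following Python shows what "separated only by tags" amounts to on the wire: an 802.1Q tag is four bytes inserted after the source MAC, and the 12-bit VID in it is the only thing telling a trunk which network a frame belongs to. The `admit()` function models the per-port decision a switch or firewall makes (tagged/untagged, allowed VIDs, native VLAN); the port description and the sample frames are constructed for this example, and the MAC addresses are from the documentation range.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build a minimal Ethernet II frame; if vlan is given, insert an 802.1Q tag.

    Every frame produced here is constructed sample data, not captured traffic.
    """
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Parse dst/src MACs, an optional 802.1Q tag, the EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF          # the 12-bit VLAN ID is all that separates networks
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def admit(frame, port):
    """Model a port's admission decision (hypothetical port description, not a real switch API).

    port = {"mode": "trunk" | "access", "allowed": {vids}, "native": vid or None,
            "access_vid": vid}
    Returns (admitted, vid_the_frame_lands_in, reason).
    """
    p = parse_frame(frame)
    vid = p["vlan"]
    if vid == 0:
        vid = None                   # VID 0 is a priority-only tag: treated as untagged
    if vid == 4095:
        return False, None, "reserved VID 4095"
    if port["mode"] == "access":
        if vid is not None:
            return False, None, "tagged frame on access port"
        return True, port["access_vid"], "access port"
    # trunk port: untagged frames only have a home if a native VLAN is configured
    if vid is None:
        if port.get("native") is None:
            return False, None, "untagged frame on trunk with no native VLAN"
        vid = port["native"]
    if vid not in port["allowed"]:
        return False, None, "VLAN %d not allowed on trunk" % vid
    return True, vid, "trunk port"


def demo():
    """Run four constructed frames through one trunk port; returns the four decisions."""
    trunk = {"mode": "trunk", "allowed": {10, 20}, "native": None}
    dst, src = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    ip = b"\x45" + b"\x00" * 19    # placeholder IPv4 header bytes, constructed
    frames = [
        build_frame(dst, src, ETHERTYPE_IPV4, ip, vlan=10),   # "internal" network
        build_frame(dst, src, ETHERTYPE_IPV4, ip, vlan=20),   # "external" network, same wire
        build_frame(dst, src, ETHERTYPE_IPV4, ip, vlan=30),   # VID nobody allowed on this trunk
        build_frame(dst, src, ETHERTYPE_IPV4, ip),            # untagged: no tag, no home
    ]
    return [admit(f, trunk) for f in frames]


if __name__ == "__main__":
    for admitted, vid, reason in demo():
        print(admitted, vid, reason)
```

The third and fourth frames are where the extra "layer" bites: both are silently dropped (or, with a native VLAN configured, quietly land in it), and which of those happens depends entirely on the per-port configuration, which is the kind of detail that has to be right on every trunk and every sub-interface.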
