On Thu, Aug 5, 2010 at 1:25 PM, Bao Ha <[email protected]> wrote:
>
> Perhaps, Cisco is expecting a firewalled network to use managed
> switches. Is it best practice? Why is there a resistance to VLAN in
> the pfSense community?
>

I don't think anyone in this thread is expressing resistance to VLANs in general, not me at least. Every network that runs this project uses VLANs in some fashion. None of them combine unfiltered Internet traffic on the same switch as networks behind the firewall though. That's the only point I'm trying to get across here. If you're putting unfiltered Internet traffic on the same switch as your internal networks, it's a simple fat finger to drop that traffic into your LAN. It's much harder to plug something into the wrong place inadvertently, and if you do, it's not going to work as expected, whereas a VLAN misconfiguration could put a port into both the unfiltered Internet segment and the LAN segment, so you may not notice.

> I had somebody ask about at least a ten-port pfSense router with the
> ability to add more as needed. He wants to provide Internet to a
> building but wants each tenant to be on a separate network. I asked
> why doesn't he just use a managed switch and trunk everybody to the
> router?
>

That's a good solution, exactly what we've done a number of times for similar scenarios; there are production setups like that running more than 100 VLANs on a box (and I did a proof of concept with 4000 VLANs assigned; you'll want 2.0 for 100+, 1.2.x is way too slow in processing interfaces). Everyone is in their own VLAN, so if they're infected by some ARP poisoning tool, or plug their router in backwards adding a rogue DHCP server, etc., they can't impact anyone else. Depending on your switches there are other options like PVLANs, DHCP snooping, etc. Generally with lower end managed switches your only option is one VLAN per port, and that works fine.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
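The two failure modes the reply warns about (a port that ends up in both the unfiltered Internet segment and a LAN segment, and tenants who are supposed to be isolated but share a VLAN) are easy to check for mechanically once the port-to-VLAN table is exported. The following audit script is an added example, not code from the thread, pfSense or any switch vendor; the `name mode vlans` listing format, the port names and the VLAN plan (VLAN 10 as the raw ISP handoff, VLANs 20/30/40 as tenant networks behind the firewall) are all constructed assumptions.

```python
"""Audit a switch port/VLAN table for two misconfigurations:

1. a port whose VLAN set spans both an unfiltered (WAN-side) VLAN and an
   internal VLAN, i.e. unfiltered Internet traffic sharing a switch with
   networks behind the firewall;
2. tenant access ports that share a VLAN although each tenant is meant to
   be isolated in its own VLAN.
Constructed example; the input format and VLAN numbers are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed VLAN plan (not from the thread).
UNFILTERED_VLANS: Set[int] = {10}          # raw ISP handoff
INTERNAL_VLANS: Set[int] = {20, 30, 40}    # tenant networks behind pfSense

# Constructed port listing in a made-up "name mode vlans" format. On a real
# switch this table would come from its own CLI or SNMP export instead.
SAMPLE_PORTS = """
port1 access 10        # ISP handoff patched into the internal switch
port2 trunk  10,20-40  # firewall uplink carrying WAN and LAN VLANs together
port3 access 20        # tenant A
port4 access 30        # tenant B
port5 access 30        # tenant C, accidentally sharing tenant B's VLAN
port6 trunk  20,30,40  # uplink to a second internal switch, LAN VLANs only
"""


@dataclass
class Port:
    name: str
    mode: str                                  # "access" or "trunk"
    access_vlan: Optional[int] = None          # only for access ports
    allowed_vlans: Set[int] = field(default_factory=set)  # only for trunks

    def vlans(self) -> Set[int]:
        """Every VLAN whose traffic can appear on this port."""
        if self.mode == "access":
            return {self.access_vlan} if self.access_vlan is not None else set()
        return set(self.allowed_vlans)


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand '10,20-40' style VLAN lists into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for chunk in spec.split(","):
        if "-" in chunk:
            lo, hi = chunk.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(chunk))
    return vlans


def parse_ports(text: str) -> List[Port]:
    """Parse the constructed listing; '#' starts a comment, blank lines skipped."""
    ports: List[Port] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, mode, spec = line.split()
        if mode == "access":
            ports.append(Port(name, "access", access_vlan=int(spec)))
        elif mode == "trunk":
            ports.append(Port(name, "trunk", allowed_vlans=expand_vlan_list(spec)))
        else:
            raise ValueError(f"{name}: unknown port mode {mode!r}")
    return ports


def audit(ports: List[Port],
          unfiltered: Set[int] = UNFILTERED_VLANS,
          internal: Set[int] = INTERNAL_VLANS) -> Dict[str, object]:
    """Return findings keyed by kind; an empty list/dict means no finding."""
    mixed: List[Dict[str, object]] = []          # WAN and LAN VLANs on one port
    unfiltered_present: List[str] = []           # any port carrying a WAN VLAN
    by_access_vlan: Dict[int, List[str]] = {}    # tenant VLAN -> access ports
    for p in ports:
        v = p.vlans()
        if v & unfiltered:
            unfiltered_present.append(p.name)
        if (v & unfiltered) and (v & internal):
            mixed.append({"port": p.name,
                          "unfiltered": sorted(v & unfiltered),
                          "internal": sorted(v & internal)})
        if p.mode == "access" and p.access_vlan in internal:
            by_access_vlan.setdefault(p.access_vlan, []).append(p.name)
    shared = {vid: names for vid, names in by_access_vlan.items() if len(names) > 1}
    return {"mixed": mixed,
            "unfiltered_present": unfiltered_present,
            "shared_access_vlans": shared}


if __name__ == "__main__":
    report = audit(parse_ports(SAMPLE_PORTS))
    for kind, findings in report.items():
        print(f"{kind}: {findings}")
```

`unfiltered_present` is reported separately from `mixed` because, following the reply's point, the cleanest state for an internal switch is that the unfiltered VLAN does not exist on it at all; `mixed` then catches the specific port (here the firewall uplink trunk) where one tagging mistake would bridge the two segments.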
