Re: Q: Controlling access at the Ethernet level

From: Clifton Royston (cliftonr_at_lava.net)
Date: 04/05/04

    Date: Mon, 5 Apr 2004 09:18:16 -1000
    To: freebsd-security@freebsd.org
    
    

    > Message: 4
    > Date: Mon, 5 Apr 2004 18:08:49 +0200
    > From: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
    > Subject: RE: Controlling access at the Ethernet level
    > To: "Adrian Penisoara" <ady@freebsd.ady.ro>,
    > Cc: freebsd-isp@freebsd.org
    >
    >
    > > What would you recommend? Are there any other elegant solutions?
    > >
    > How about using 802.1Q VLANs and dedicating a VLAN to each port.
    > If more than 4000 users then add more gateways.
    >
    > Just be sure to go for switches that allow you to deny incoming
    > already tagged packets on the user side, as some switches pass
    > already tagged packets.

      While this sounds theoretically like a good solution, in my
    experience many midrange switches (e.g. HP Procurve 25xx and 40xx-
    series) do not handle large numbers of VLANs well; they seem to consume
    RAM and CPU roughly proportional to number of active VLANs, and past
    some threshold you see packet loss.

      As one of the constraints mentioned was "can't pay to add managed
    switches" I would be cautious about this solution unless you *know*
    that all the switches handle large numbers of VLANs well, or you'll be
    trying to troubleshoot a network with unexplained and intermittent
    packet loss. Just a warning from experience, FWIW.

      -- Clifton

    -- 
              Clifton Royston  --  cliftonr@tikitechnologies.com 
             Tiki Technologies Lead Programmer/Software Architect
    Did you ever fly a kite in bed?  Did you ever walk with ten cats on your head?
      Did you ever milk this kind of cow?  Well we can do it.  We know how.
    If you never did, you should.  These things are fun, and fun is good.
                                                                     -- Dr. Seuss
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
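The policy Sten describes for the user-facing port (assign untagged frames to the port's own VLAN, refuse frames that already carry an 802.1Q tag) as a small frame parser and verdict function. This is an added example, not code from the thread; the function names and the sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100   # customer tag (802.1Q)
TPID_8021AD = 0x88A8  # service tag (802.1ad, Q-in-Q)


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header plus any stack of VLAN tags.

    Returns the addresses, a list of tags (outermost first) with
    TPID, priority (PCP), DEI and VID, and the final EtherType.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)  # tag control info
        offset += 2
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "tags": tags, "ethertype": ethertype}


def access_port_verdict(frame: bytes, port_vlan: int) -> tuple:
    """Access-port policy: untagged frames get the port's VLAN; any frame
    that arrives already tagged is dropped, whatever VID it carries."""
    info = parse_frame(frame)
    if info["tags"]:
        return ("drop", info["tags"][0]["vid"])
    return ("accept", port_vlan)


# Constructed sample frames (hypothetical addresses, IPv4 EtherType 0x0800).
_HDR = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200c0a80a01")
UNTAGGED_FRAME = _HDR + b"\x08\x00" + b"\x00" * 20
TAGGED_FRAME = _HDR + b"\x81\x00" + b"\x00\x64" + b"\x08\x00" + b"\x00" * 20
DOUBLE_TAGGED_FRAME = (_HDR + b"\x81\x00" + b"\x00\x01"
                       + b"\x81\x00" + b"\x00\x64" + b"\x08\x00" + b"\x00" * 20)
```

Running `access_port_verdict(TAGGED_FRAME, 42)` yields `("drop", 100)`, while the untagged frame is accepted into VLAN 42; the double-tagged frame parses to a two-entry tag stack and is likewise dropped.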
    
