
Re: vlans in a firewall

On Sun, Aug 17, 2003 at 09:28:32AM -0600, John Repass wrote:
> My question is this:  Can I treat say bond0.433 and bond0.434 as completely
> separate interfaces for iptables purposes?  What I mean to say is, I know I
> can do it, can I do it as safely as the old fashioned method of configuring
> one port to be vlan 433 and one on 434, one internal, one external, or with
> putting a firewall in-line with each internet connection?

Both the old method (one physical port per vlan) and the new method
(multiple physical ports in a trunk using tagged vlans) are (somewhat)
unsafe *if* the switch uses a single MAC address table for all the
VLANs.  Just make sure that the model / version of Cisco switch / IOS
firmware supports separate tables per VLAN and you should be able to
treat bond0.433 and bond0.434 as completely separate interfaces.

Hope this helps,


Luca Filipozzi
"Linux gives us the power to crush those that oppose us." - switchlinux
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D
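The per-subinterface treatment the reply describes, as an added example that is not part of the original thread: a script that emits an iptables-restore rule set keyed on the two 802.1Q subinterfaces named in the question. The interface names come from the question; the internal address range is a constructed sample, and the rules dropping anything that arrives on the untagged parent `bond0` are a general hardening practice assumed here rather than something the thread discusses.

```shell
#!/bin/sh
# Added example (not from the original thread): build an iptables rule set
# that treats two 802.1Q subinterfaces on a bonded trunk as distinct
# firewall interfaces. VLAN IDs from the question; addresses are constructed.

INTERNAL_IF="bond0.433"          # inside VLAN (from the question)
EXTERNAL_IF="bond0.434"          # outside VLAN (from the question)
TRUNK_IF="bond0"                 # untagged parent; no traffic is expected here
INTERNAL_NET="192.168.43.0/24"   # constructed sample range for the inside VLAN

# Emit the rules as iptables-restore text instead of executing them, so the
# policy can be reviewed or diffed and the script runs without root or the
# interfaces being present. Load with: gen_rules | iptables-restore
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Untagged frames on the trunk itself are never expected (assumed policy)
-A INPUT -i $TRUNK_IF -j DROP
-A FORWARD -i $TRUNK_IF -j DROP
# Anti-spoofing: inside addresses may only enter via the inside VLAN
-A INPUT -i $EXTERNAL_IF -s $INTERNAL_NET -j DROP
-A FORWARD -i $EXTERNAL_IF -s $INTERNAL_NET -j DROP
# Stateful return traffic for flows the rules below permitted
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inside -> outside is allowed; outside -> inside only as replies (above)
-A FORWARD -i $INTERNAL_IF -o $EXTERNAL_IF -s $INTERNAL_NET -j ACCEPT
# Management access to the firewall from the inside VLAN only
-A INPUT -i $INTERNAL_IF -s $INTERNAL_NET -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Count the rules that match on a given ingress interface; the trailing
# space keeps "bond0" from also matching "bond0.433".
count_if_rules() {
    gen_rules | grep -c -- "-i $1 "
}

gen_rules
```

Because every ACCEPT names the ingress (and, for forwarding, egress) subinterface, a frame can only be forwarded inside-to-outside if the kernel received it tagged with VLAN 433; the switch-side requirement the reply raises (a separate MAC table per VLAN) is what guarantees that tag actually reflects the port the frame came from.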
