
Re: vlans in a firewall



On Sun, Aug 17, 2003 at 09:28:32AM -0600, John Repass wrote:
> My question is this:  Can I treat say bond0.433 and bond0.434 as completely 
> seperate interfaces for iptables purposes?  What I mean to say is, I know I 
> can do it, can I do it as safely as the old fashioned method of configuring 
> one port to be vlan 433 and one on 434, one internal, one external, or with  
> putting a firewall in-line with each internet connection?

Both the old method (one physical port per vlan) and the new method
(multiple physical ports in a trunk using tagged vlans) are (somewhat)
unsafe *if* the switch uses a single MAC address table for all the
VLANs.  Just make sure that the model / version of Cisco switch / IOS
firmware supports separate tables per VLAN and you should be able to
treat bond0.433 and bond0.434 as completely separate interfaces.

Hope this helps,

Luca

-- 
Luca Filipozzi
"Linux gives us the power to crush those that oppose us." - switchlinux
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D
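An added worked example, not from the original thread or its authors, showing what "treat bond0.433 and bond0.434 as separate interfaces" looks like in practice: the two 802.1Q sub-interfaces are created on the bonded trunk, iptables matches on them by name with the untagged trunk itself blocked, and a small check reads the kernel's VLAN table to confirm each sub-interface really carries the expected tag on the expected parent. The interface names and VLAN IDs are the ones from the question; which VLAN is "inside", and the 10.43.3.0/24 address range, are assumptions. Note that none of this can verify the switch-side point raised in the reply (whether the switch keeps a MAC table per VLAN); that has to be checked on the switch.

```shell
#!/bin/sh
# Added example, not from the original thread: tagged VLAN sub-interfaces on a
# bonded trunk, firewalled against each other with iptables.  Interface names
# and VLAN IDs (bond0.433, bond0.434) come from the question; which side is
# "inside" is an assumption, and the address 10.43.3.0/24 is made up.
# Every privileged command goes through "$run", so "vlan_setup echo" and
# "fw_rules echo" print what would be executed instead of executing it.

TRUNK=bond0
INSIDE_VID=433
OUTSIDE_VID=434
INSIDE_IF="$TRUNK.$INSIDE_VID"
OUTSIDE_IF="$TRUNK.$OUTSIDE_VID"
INSIDE_NET=10.43.3.0/24            # constructed, assumed internal range

# Create the two 802.1Q sub-interfaces on the bond.  The untagged trunk
# itself gets no address: nothing should talk to it directly.
vlan_setup() {
    run="${1:-}"
    for vid in "$INSIDE_VID" "$OUTSIDE_VID"; do
        $run ip link add link "$TRUNK" name "$TRUNK.$vid" type vlan id "$vid"
        $run ip link set dev "$TRUNK.$vid" up
    done
    $run sysctl -w net.ipv4.ip_forward=1
    # Strict reverse-path filtering: a source that is not routed out the
    # interface it arrived on is dropped before iptables even sees it.
    $run sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Firewall policy that treats each sub-interface as its own zone.
fw_rules() {
    run="${1:-}"
    IPT="$run iptables"
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Reply traffic for connections already allowed.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Nothing may traverse the untagged trunk interface in either direction.
    $IPT -A FORWARD -i "$TRUNK" -j DROP
    $IPT -A FORWARD -o "$TRUNK" -j DROP
    # Anti-spoofing: inside addresses never arrive from the outside VLAN.
    $IPT -A FORWARD -i "$OUTSIDE_IF" -s "$INSIDE_NET" -j DROP
    # The one permitted path: inside hosts going out.
    $IPT -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -s "$INSIDE_NET" -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix "fw-drop: "
}

# Confirm from the kernel's view that each sub-interface carries the expected
# tag on the expected trunk.  Takes the text of /proc/net/vlan/config, whose
# data lines look like "bond0.433      | 433  | bond0".
vlan_config_ok() {
    cfg="$1"
    for pair in "$INSIDE_IF:$INSIDE_VID" "$OUTSIDE_IF:$OUTSIDE_VID"; do
        dev=$(printf '%s' "${pair%%:*}" | sed 's/\./\\./g')   # escape the dot for the regex
        vid=${pair##*:}
        printf '%s\n' "$cfg" |
          grep -Eq "^$dev[[:space:]]*[|][[:space:]]*$vid[[:space:]]*[|][[:space:]]*$TRUNK[[:space:]]*$" ||
          return 1
    done
    return 0
}

case "${1:-}" in
    setup)   vlan_setup && fw_rules ;;
    dry-run) vlan_setup echo; fw_rules echo ;;
    check)   vlan_config_ok "$(cat /proc/net/vlan/config)" && echo "vlan config ok" ;;
esac
```

Run it as `sh vlans.sh dry-run` to review the commands, `sh vlans.sh setup` as root to apply them, and `sh vlans.sh check` afterwards. The order of the FORWARD rules matters: the untagged-trunk and anti-spoof drops sit above the single ACCEPT, so a frame that reaches the bond untagged or with an inside source on the outside VLAN is dropped and logged rather than forwarded.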
