[Gllug] A little OT: On the limits of VLANs

general_email at technicalbloke.com general_email at technicalbloke.com
Thu Apr 29 23:22:57 UTC 2010


Andrew Back wrote:
> On (08:58 29/04/10), Bruce Richardson wrote:
>   
>> On Thu, Apr 29, 2010 at 08:41:52AM +0100, Andrew wrote:
>>     
>>> On (03:48 29/04/10), general_email at technicalbloke.com wrote:
>>>
>>>       
>>>> It looks fairly straightforward to create several VLANs and, as I've
>>>> only got one switch, I don't think any of the known VLAN hopping hacks
>>>> apply to me. So what I was hoping to do was section off say 8 ports, put
>>>> them all on their own VLAN and then make one of my servers a member of
>>>> all 8 of those VLANs, the intended effect being that the machines
>>>> plugged into those 8 ports cannot see each other but can see my server.
>>>> Is that something I could do with VLANs? The other scenario I'm
>>>>         
>>> You should just need to designate a port as "trunk" rather than be on a
>>> specific VLAN, and then on your host configure VLAN interfaces that pick up
>>> each of these.
>>>       
>> Um, only if you want the security of the network to be entirely
>> voluntary.  The OP said he wanted the machines not to be able to see
>> each other, so I would be plugging them into VLANned ports unless there
>> were a good reason for them to need to see more than one VLAN.  
>>     
>
> Sorry, I should have been clearer: I meant the server on a trunk port and
> _not_ the other hosts, which would, as you pointed out, be pinned to a
> specific VLAN.
>  
>   

That's all very encouraging, thanks guys! One last thing then...

If I configure my server's LAN card to be a member of all 8 VLANs, would
Linux* route (malicious) double-encapsulated packets between VLANs by
default? I.e. do I need to do anything to its network/firewall config
to mitigate against VLAN hopping exploits now that it looks like I'm
going to have to use a trunked port?

It's not actually important; I'm mostly just curious what the default
behaviour is (and if it varies much by distro). In reality I'm planning
to configure the server firewall to block all incoming connection
requests and have the server initiate contact with an SSL-certified boot
disk, so I'm fairly sure no routing would be able to take place.

*Probably going to use Ubuntu desktop for the server but could use
anything with a window manager and python2.6 really so suggestions of
distros with less irrelevant crap to cull are welcome. Ease of updating
is probably top priority.

Cheers,

Roger.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
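Added example, not part of the thread or anyone's reply in it: the Linux side of the trunk port as a small POSIX shell script. It assumes the parent NIC is called eth0, that the eight VLANs carry IDs 10 to 17, and that nftables is available; all three are constructed assumptions, not values from the list. The point it illustrates is the one behind Roger's question: a Linux host only moves IP packets between its VLAN sub-interfaces if the kernel is told to forward (net.ipv4.ip_forward, net.ipv6.conf.all.forwarding, both 0 by default on stock distros) or if the sub-interfaces are bridged together, so a frame that reaches eth0.12 stays on eth0.12 unless the host itself re-sends it. The script prints the ip(8) commands for the sub-interfaces, the sysctl lines that pin forwarding off explicitly, and an nftables ruleset whose forward chain drops everything and whose input chain accepts only replies to connections the server opened; the last function is an offline audit that reads a sysctl-style file and reports whether forwarding is off, which is what you would check on a distro whose defaults you do not trust.

```shell
#!/bin/sh
# Added example (not from the Gllug thread). Assumed names: parent NIC eth0,
# VLAN IDs 10..17, nftables present. Nothing below changes the running system;
# the functions print configuration, and only the audit reads a file.

PARENT="${PARENT:-eth0}"
VLAN_IDS="${VLAN_IDS:-10 11 12 13 14 15 16 17}"

# Print the ip(8) commands that create one 802.1Q sub-interface per VLAN on the
# trunk. Pipe the output to sh as root when ready: each VLAN's traffic then
# arrives on its own interface (eth0.10, eth0.11, ...) and nowhere else.
vlan_setup_cmds() {
    parent="$1"; shift
    for id in "$@"; do
        echo "ip link add link $parent name $parent.$id type vlan id $id"
        echo "ip link set $parent.$id up"
    done
}

# Sysctl lines that keep the kernel from routing between the sub-interfaces.
# These are the stock defaults; writing them to /etc/sysctl.d/ makes the
# intent explicit so a later package (e.g. a container runtime) cannot flip
# them silently.
sysctl_no_forward() {
    echo "net.ipv4.ip_forward = 0"
    echo "net.ipv6.conf.all.forwarding = 0"
}

# nftables ruleset for the server: the forward chain drops everything, so even
# with ip_forward on nothing would cross VLANs; the input chain admits only
# loopback and replies to connections the server initiated.
nft_ruleset() {
    cat <<'EOF'
table inet vlanhost {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Audit helper: read a file in "key = value" sysctl format (e.g. the output of
# `sysctl -a > snapshot.txt`) and return 0 when both IPv4 and IPv6 forwarding
# are off. A key that is absent is treated as the kernel default, 0.
forwarding_disabled() {
    file="$1"
    v4=$(awk -F'[ =]+' '$1 == "net.ipv4.ip_forward" { print $2 }' "$file")
    v6=$(awk -F'[ =]+' '$1 == "net.ipv6.conf.all.forwarding" { print $2 }' "$file")
    [ "${v4:-0}" = "0" ] && [ "${v6:-0}" = "0" ]
}

# Stand-alone run: print the three configuration pieces for review.
vlan_setup_cmds "$PARENT" $VLAN_IDS
sysctl_no_forward
nft_ruleset
```

Usage: save it, run `sh vlans.sh` to review the output, then apply the pieces by hand (`sh vlans.sh | grep '^ip ' | sudo sh`, the sysctl lines into `/etc/sysctl.d/`, the ruleset via `nft -f`). Ubuntu and most other distros ship with both forwarding sysctls at 0, so the audit should pass on a fresh install; it is there for the case where something has enabled routing behind your back.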