[Gllug] A little OT: On the limits of VLANs

Russell Tester russell.tester at gmail.com
Thu Apr 29 09:56:31 UTC 2010


Hi Roger,

Sounds like what you really want is a Private VLAN configuration (or
Protected Ports in the case of a single switch), where your hosts are
configured as Isolated ports and your server is configured as a Promiscuous
port.

http://www.ciscosysteme.org/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html

The advantage of this is the simplicity in the design that everything is on
one subnet. Unfortunately I can't see anywhere in the manual for your switch
that it supports this type of configuration :(.

I'd highly recommend keeping this traffic off your production network, and
isolate it from your server too. Put these machines into a series of VLANs
that are on the outside of your firewall (what sort of firewall do you have,
can it trunk 802.1q?), which has specified ports open inbound to your
server.

£0.02
Russ.

On Thu, Apr 29, 2010 at 9:03 AM, Andrew Back <andrew at osmosoft.com> wrote:

> On (08:58 29/04/10), Bruce Richardson wrote:
> > On Thu, Apr 29, 2010 at 08:41:52AM +0100, Andrew wrote:
> > > On (03:48 29/04/10), general_email at technicalbloke.com wrote:
> > >
> > > > It looks fairly straightforward to create several VLANs and, as I've
> > > > only got one switch I don't think any of the known VLAN hopping hacks
> > > > apply to me. So what I was hoping to do was section off say 8 ports, put
> > > > them all on their own VLAN and then make one of my servers a member of
> > > > all 8 of those VLANs, the intended effect being that the machines
> > > > plugged into those 8 ports cannot see each other but can see my server.
> > > > Is that something I could do with VLANs? The other scenario I'm
> > >
> > > You should just need to designate a port as "trunk" rather than be on a
> > > specific VLAN, and then on your host configure VLAN interfaces that pick up
> > > each of these.
> >
> > Um, only if you want the security of the network to be entirely
> > voluntary.  The OP said he wanted the machines not to be able to see
> > each other, so I would be plugging them into VLANned ports unless there
> > were a good reason for them to need to see more than one VLAN.
>
> Sorry, I should have been clearer: I meant the server on a trunk port and
> _not_ the other hosts, which would, as you pointed out, be pinned to a
> specific VLAN.
>
> > Why make the network configuration on your hosts more complex and more
> > fragile (and less secure) than it need be?  VLAN the switch, plug hosts
> > into the appropriate VLANs, get on with life.
>
> Not at all what I was suggesting.
>
> > The only host that should normally need to be aware of 802.1q trunking
> > would be a router that connected the VLANs.
>
> Quite.
>
> Cheers,
>
> Andrew
>
> > --
> > Bruce
> >
> > The ice-caps are melting, tra-la-la-la.  All the world is drowning,
> > tra-la-la-la-la.  -- Tiny Tim.
>
>
>
> > --
> > Gllug mailing list  -  Gllug at gllug.org.uk
> > http://lists.gllug.org.uk/mailman/listinfo/gllug
>
>
> --
> Andrew Back
> mailto:andrew at osmosoft.com
> http://carrierdetect.com
> --
> Gllug mailing list  -  Gllug at gllug.org.uk
> http://lists.gllug.org.uk/mailman/listinfo/gllug
>
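As an added illustration of the two switch-side options Russ names above (not part of the original thread or the linked Cisco page), here is what the configuration looks like in Cisco IOS syntax: Protected Ports for a single switch, and a Private VLAN for the case where the isolation has to survive a trunk to a second switch. Interface names, VLAN ids and the eight-port count are assumptions taken from the original question; in both variants the isolation is enforced by the switch, so nothing the hosts do with their own network configuration can undo it.

```cisco
! --- Option 1: Protected Ports (single switch only) ---
! Protected ports cannot exchange unicast, broadcast or multicast frames
! with each other; they can still talk to any unprotected port in the same
! VLAN, which is where the server goes. The protection does NOT carry
! across a trunk to another switch.
interface range FastEthernet0/1 - 8
 description isolated hosts (assumed ports)
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/24
 description server, deliberately unprotected so every host can reach it
 switchport mode access
 switchport access vlan 10
!
! --- Option 2: Private VLAN (works across trunks on PVLAN-capable switches) ---
! Many Catalyst models require VTP transparent mode before PVLANs can be defined.
vtp mode transparent
!
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
interface range FastEthernet0/1 - 8
 description isolated hosts (assumed ports)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface FastEthernet0/24
 description server on the promiscuous port
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
```

After applying either variant, `show interfaces switchport` on a host port should report the protected flag (option 1) or the private VLAN host association (option 2), and a ping between two host ports should fail while pings to the server succeed.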