On Mon, 10 Sep 2001 [EMAIL PROTECTED] wrote:

>   Now *that* brings up an interesting point.
> 
>   Hubs scale linearly (within certain limits) -- add more hubs, you 
> have more ports onto the same collision domain.
>   Switches don't.  Each switch has its own ARP tables and switch 
> fabric and adds its own latency, and there is no way you can 
> duplicate the precise behaviour of a big switch with a bunch of 
> little switches.
> 
>   So:  when I first looked at VLANs, my obvious question was "Why do 
> I want my big switch to emulate a bunch of smaller switches?  If I 
> needed smaller broadcast domains, it would have been much cheaper to 
> buy smaller switches!"
>   There are two other pieces of the VLAN puzzle which help answer 
> that question.  One is trunking -- the ability to distribute a bunch 
> of logical layer-3 domains over a completely different layer-2 
> topology.  (This seems to sound cooler in theory than I've seen it 
> used so far in practice, but in general eliminating dependencies 
> between layers *should* be a good thing.)

Yeah- I'd have to argue that it's a misfeature the way it's normally
deployed.  

> 
>   The other is that a routing blade in a switch, routing between the 
> VLANs, seems to be a whole lot more cost effective (and easier to 
> manage centrally) than a whole bunch of small routers.

I'll give you easy to manage hands-down (though I'll take away redundancy
and topologic flexibility), but I'm not so certain that it's a whole lot
more cost effective operationally.  Granted, it does depend on your scale
points- but per-port costs when I did the last large-scale implementation
of this (with 7513's at the backbone) weren't horribly more (of course back
then 5500s weren't cheap either.)

I'm also not sure of the collision effects of home-running all the
workstations to a central switch (for a company architecture, obviously
for a server farm it's a no-brainer.)  That's ok though, we'll just watch
them all use wireless next, right? [Today's exercise is for those
contemplating wireless to decide how they'd respond to a DoS attack on the
802.11b frequencies in their immediate vicinity.]

>   I *like* the idea of small routers -- whether the segments use 
> small hubs or small switches -- but I think that battle may already 
> be lost to the "VLANS + routing engine" alternative.

You know, all we need is a backplane for those tiny Cisco routers....

I think there are two key problems we face with V* technologies, first of
all, people don't understand the level of compartmentalization they have
by avoiding those technologies, and second of all, I think we're at a
point where if it's cheap and works 85% of the time well, then it's a win
over more expensive and works 98% of the time.  It's too bad that
technology managers aren't taught to amortize costs for equipment more
than worrying about bottom line budgets though...

Having fairly recently gone through the mental exercise of trying to
regain compartmentalization with IPSec, I think it's safe to say there's
not a lot of hope on the way.



Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
