Jim MacLeod wrote:
>
> For many people using a VLAN to separate inside traffic from outside
> traffic is a very big security topic.
Hm, this reminds me of a support case I got involved in a couple
of weeks ago.
$customer tried to connect one of our HA firewall clusters to
a big, new, shiny expensive switch and couldn't get it to work
properly. Each interface pair was connected to separate port-based
VLANs on the switch.
Fact: We re-use the same hardware addresses on all interfaces.
They had figured out that this caused the problems with the switch.
And, here's the kicker: $customer wanted us to change this
behavior so that it'd work with their switch.
This is where I smiled and decided to call this a
safety feature rather than a problem.
(I forget the switch make and model. I do however remember
that it was fairly new. I could find out what it was, but I
think that this nicely illustrates the point about switches
still being designed for performance, not security.)
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
Ynlre 8 frphevgl fbyhgvbaf: uggc://yneg.onqs00q.bet
_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls
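As an added example that is not part of the original post: a toy learning switch that models why one hardware address re-used on several interfaces, each on its own port-based VLAN, can trip up a switch, plus the check a network team would want for spotting it. The mechanism modelled here is an assumption not stated in the post: that the switch keys its forwarding table on MAC alone (shared VLAN learning) rather than on (VLAN, MAC) (independent VLAN learning); the frames and the MAC are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    vlan: int          # port-based VLAN of the ingress port
    src_mac: str
    ingress_port: int


@dataclass
class LearningSwitch:
    independent_vlan_learning: bool
    table: dict = field(default_factory=dict)   # key -> port last seen
    moves: list = field(default_factory=list)   # (key, old_port, new_port)

    def _key(self, frame):
        # IVL keys on (VLAN, MAC); SVL keys on MAC only, so one MAC arriving
        # on two VLANs/ports fights over a single table entry.
        if self.independent_vlan_learning:
            return (frame.vlan, frame.src_mac)
        return frame.src_mac

    def learn(self, frame):
        key = self._key(frame)
        old = self.table.get(key)
        if old is not None and old != frame.ingress_port:
            self.moves.append((key, old, frame.ingress_port))
        self.table[key] = frame.ingress_port


def simulate(independent_vlan_learning, frames):
    """Feed frames to a fresh switch; return how often an entry flapped between ports."""
    sw = LearningSwitch(independent_vlan_learning)
    for f in frames:
        sw.learn(f)
    return len(sw.moves)


def duplicate_mac_ports(frames):
    """Defender's check: source MACs observed on more than one physical port."""
    seen = {}
    for f in frames:
        seen.setdefault(f.src_mac, set()).add(f.ingress_port)
    return {mac: sorted(ports) for mac, ports in seen.items() if len(ports) > 1}


# Constructed traffic: one cluster node sends from the same MAC on two
# interfaces, port 1 in VLAN 10 and port 2 in VLAN 20, alternating.
SHARED_MAC = "00:11:22:33:44:55"   # constructed placeholder address
TRAFFIC = [Frame(10, SHARED_MAC, 1), Frame(20, SHARED_MAC, 2)] * 5

if __name__ == "__main__":
    print("SVL flaps:", simulate(False, TRAFFIC))   # 9: entry bounces every frame
    print("IVL flaps:", simulate(True, TRAFFIC))    # 0: one entry per VLAN
    print("MACs on several ports:", duplicate_mac_ports(TRAFFIC))
```

Running the same frames through both modes shows the port-flapping that a MAC-only table produces and why a (VLAN, MAC) table is unaffected; the last function is the kind of report worth pulling from real forwarding tables before blaming the firewall.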