On 05-08-2014 03:36, Henning Brauer wrote:
> the 90s are over.
Yep, I know, Henning. VLANs are pretty secure. But they add complexity
and if you use physical separation you can mitigate problems caused by
misconfiguration. Either on OpenBSD itself or on the switches. As I
said, my personal preference is to physically separate the networks. But
I've used vlans and I will use them again, surely. I just don't like to use
them, specifically, when I don't have control of the entire network.
> you are mistaken, queueing on vlan is pretty meaningless.
Never did try to queue on vlans, so I was clearly mistaken.
>
> however, classification can happen anywhere, so assign queues on your
> vlan interface and create them on the physical one, things will Just
> Work (tm). sth like "match out on vlanX queue foo" really just tags
> the packet "should go to queue foo". once the packet hits an outbound
> interface, we check whether queue foo exists there and if so use it.
This is one of the greatest features of pf, in my opinion. This
flexibility is what makes pf what it is.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC

[demime 1.01d removed an attachment of type application/pkcs7-signature which 
had a name of smime.p7s]
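
The arrangement described in the quoted reply, written out as a pf.conf fragment. This is an added example, not part of the original message: the interface names (em0, vlan10), the queue names other than foo, and the bandwidth figures are assumptions, and the syntax is that of the queueing system in OpenBSD 5.5 and later.

```conf
# Assumed layout: vlan10 is a vlan(4) interface whose parent is em0.

# Queues are created on the physical interface only.
queue rootq on em0 bandwidth 100M
queue std parent rootq bandwidth 70M default
queue foo parent rootq bandwidth 30M

# Classification happens on the vlan interface. This rule only tags
# the packet as "should go to queue foo"; no queue exists on vlan10.
match out on vlan10 set queue foo

# When the tagged packet reaches em0 on its way out, pf finds a queue
# named foo there and uses it. Untagged traffic leaving em0 falls into
# std, the default queue.
pass out on em0
```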
