* Giancarlo Razzolini <grazzol...@gmail.com> [2014-08-05 18:36]:
> On 05-08-2014 03:36, Henning Brauer wrote:
> > the 90s are over.
> Yep, I know, Henning. VLANs are pretty secure. But they add complexity
> and if you use physical separation you can mitigate problems caused by
> misconfiguration. Either on OpenBSD itself or on the switches. As I
> said, my personal preference is to physically separate the networks. But
> I've used vlans and I will use them again, surely. I just don't like to use
> them, specifically, when I don't have control of the entire network.

Your preferences are your preferences, you're free to do that - just
like you're free to stab a knife in your eye.

> > however, classification can happen anywhere, so assign queues on your
> > vlan interface and create them on the physical one, things will Just
> > Work (tm). sth like "match out on vlanX queue foo" really just tags
> > the packet "should go to queue foo". once the packet hits an outbound
> > interface, we check whether queue foo exists there and if so use it.
> This is one of the greatest features of pf, in my opinion. This
> flexibility is what makes pf what it is.

this bit is not so much pf actually.

we have stopped looking at pf as an isolated component many many years
ago, and instead take the "whole picture" approach - so it's really
our network stack.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
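
The arrangement described in the message above, as a pf.conf sketch added here (not written by either participant in the thread): queues are created on the physical interface, and rules on the vlan interfaces only tag packets with a queue name. The interface names (em0, vlan10, vlan20), the queue names and the bandwidth figures are assumptions, and the rules use the `set queue` spelling of current pf.conf.

```conf
# Constructed example: em0 is assumed to be the physical parent of vlan10 and vlan20.

# Queues exist only on the physical interface.
queue rootq on em0 bandwidth 100M
queue std   parent rootq bandwidth 60M default
queue mgmt  parent rootq bandwidth 10M
queue bulk  parent rootq bandwidth 30M

# Classification on the vlan interfaces: each rule just tags the packet
# "should go to queue X". No queue is defined on vlan10 or vlan20 themselves.
match out on vlan10 proto tcp to port 22 set queue mgmt
match out on vlan20 set queue bulk

# When the tagged packet reaches em0 on its way out, the queue name is looked
# up there. Traffic with no tag, or tagged with a name that does not exist on
# em0, ends up in the default queue (std).
pass
```

A typo in a queue name on a vlan rule therefore does not drop traffic, it silently lands in the default queue, which is worth checking with `pfctl -vsq` after loading the ruleset.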
