On Sat, Jul 12, 2008 at 12:24:46AM -0400, Jason Dixon wrote:
> I knew it was a matter of time before the "vlan insecurity" bullshit hit
> the fan. RTFA. Who says anything about "blindly trusting" switches?
> If you can't correctly configure VLANs on your switches, and filter on
> vlan(4) interfaces in PF, you shouldn't be administering production
> networks. There's nothing functionally different between:
>
> $ext_if="em0"
>
> and
>
> $ext_if="vlan0"
>
> I've developed networks with over a dozen routed VLAN segments on a
> single physical GbE link. With carp(4) interfaces on top. It's easy.
> In fact, it's a hell of a lot less error- and failure-prone than
> managing 5 interfaces. If you're not going to use the features that
> came with those $5k switches you just bought, you might as well stick
> with $100 Netgears from Best Buy.
Yep. A few years ago when the "vlan insecurity bullshit" was all the rage we happened to be upgrading our LAN to gigabit. I was a bit leery from the experiences of dealing with Nortel's retarded (and proprietary) protocol-based VLAN crap. But I didn't want that to taint our future.

So before deciding on a course of action (VLAN or physical separation) we picked up a couple of Cisco 2960G's, put them on my workbench and *BEAT THE FUCKING SHIT OUT OF THEM* trying all these VLAN hopping exploits that were talked about. Nothing seemed to work: the switches did their job. On our older Nortel 450's we did see some VLAN traffic leaking out when the things were flooded, but those units dated back to the late 90's or so. Tech changes and improves.

Fast forward and we've got these 2960G's everywhere, a couple of 3750G's doing the L3 work and feeding to the hardware out to the world. Nearly 20 VLANs going through various trunks (single gig and etherchannel). The stuff just works well when configured properly.

Gord
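As an added illustration of the point Jason makes above, here is a pf.conf fragment that filters per vlan(4) interface exactly as it would per physical interface. It is not from the original thread or any project's code; the trunk name em0, the VLAN tags, the interface names and all addresses are constructed assumptions, and the vlan interfaces are assumed to already exist (created from hostname.vlanN files on the same em0 parent).

```conf
# /etc/pf.conf (constructed example; interface names and addresses are assumptions)
# em0 is the single physical trunk. pf never sees tagged IP traffic on em0;
# it sees it on vlan10, vlan20 and vlan30, each of which is a full interface.
ext_if  = "vlan10"      # tag 10: upstream / untrusted
srv_if  = "vlan20"      # tag 20: servers
cli_if  = "vlan30"      # tag 30: workstations

srv_net = "10.20.0.0/24"
cli_net = "10.30.0.0/24"
web_srv = "10.20.0.10"

set skip on lo
set block-policy drop

# Frames that arrive untagged land on the bare trunk interface. Nothing
# legitimate lives there, so drop and log it before any other rule.
block drop log quick on em0

# Default deny on every VLAN interface, logging what is dropped.
block log all

# carp(4) between the redundant firewalls runs on the server segment.
pass quick on $srv_if proto carp

# Workstations may reach the web server and anything outside the server
# segment (the Internet), but nothing else on the server VLAN.
pass in on $cli_if inet proto tcp from $cli_net to $web_srv port { 80 443 }
pass in on $cli_if inet from $cli_net to ! $srv_net

# Servers may reach the Internet but never initiate toward workstations.
pass in on $srv_if inet from $srv_net to ! $cli_net

# Upstream may only reach the published web service, via synproxy.
pass in on $ext_if inet proto tcp to $web_srv port { 80 443 } \
    flags S/SA synproxy state

# Forwarded traffic leaves on whichever VLAN interface the route selects.
pass out on { $ext_if $srv_if $cli_if } inet
```

Validate with `pfctl -nf /etc/pf.conf` before loading; the rule set only behaves as intended if the switch side tags those VLANs onto em0 and nothing is left untagged on the trunk.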