Re: [pfSense-discussion] extending LAN private network

2009-04-03 Thread Daniele Guazzoni
On Fri, 2009-04-03 at 12:34 -0700, David Rees wrote:
> I'm fairly new to VLANs - why is it bad practice to use vlan1?
> 
> -Dave

Especially in a Cisco environment VLAN-1 is, besides being the default
VLAN, also used by several management protocols like CDP, VTP, VQP, ...
Some of them carry network-sensitive information which you don't
really want to expose to everybody.
Try to keep your VLAN-1 on its own, but this is not always possible.
For instance, old Cisco wireless APs (or should I rather say Aironet?)
force you to use VLAN-1 as management...



-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



RE: [pfSense-discussion] extending LAN private network

2009-04-03 Thread Greg Hennessy
Vlan 1 is usually the default and management VLAN. 

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39009

explains it in a Cisco context. 

-Original Message-
From: David Rees [mailto:dree...@gmail.com] 
Sent: 03 April 2009 20:34
To: discussion@pfsense.com
Cc: eu...@leitl.org
Subject: Re: [pfSense-discussion] extending LAN private network

On Fri, Apr 3, 2009 at 7:48 AM, Paul Mansfield wrote:
> use vlans, a managed switch, and use 192.168.x.0/24 for each vlan. for
> bonus points, use NAC and dynamic vlans to allow only approved devices
> and put them on the right network.
>
> (we do something similar, vlan N is 192.168.N/24. it's bad practice to
> use vlan1 so we start at 2)

I'm fairly new to VLANs - why is it bad practice to use vlan1?

-Dave






Re: [pfSense-discussion] extending LAN private network

2009-04-03 Thread Eugen Leitl
On Fri, Apr 03, 2009 at 12:34:26PM -0700, David Rees wrote:
> > (we do something similar, vlan N is 192.168.N/24. it's bad practice to
> > use vlan1 so we start at 2)
> 
> I'm fairly new to VLANs - why is it bad practice to use vlan1?

Because VLAN ID 1 is the default VLAN?

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




Re: [pfSense-discussion] extending LAN private network

2009-04-03 Thread Chris Buechler
On Fri, Apr 3, 2009 at 3:34 PM, David Rees wrote:
> On Fri, Apr 3, 2009 at 7:48 AM, Paul Mansfield wrote:
>> use vlans, a managed switch, and use 192.168.x.0/24 for each vlan. for
>> bonus points, use NAC and dynamic vlans to allow only approved devices
>> and put them on the right network.
>>
>> (we do something similar, vlan N is 192.168.N/24. it's bad practice to
>> use vlan1 so we start at 2)
>
> I'm fairly new to VLANs - why is it bad practice to use vlan1?
>

Security reasons. Vulnerable to VLAN hopping/dropping in some circumstances.

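The two answers above give the security reason in short form: Daniele points out that VLAN 1 carries the switch's own management protocols, and Chris mentions VLAN hopping. The classic hop is double tagging: an attacker on an access port in the trunk's native VLAN (VLAN 1 unless someone changed it) sends a frame with two 802.1Q tags, the outer one for the native VLAN and the inner one for the VLAN they want to reach; the first switch strips the outer tag because native-VLAN traffic goes untagged on the trunk, and the next switch honours the inner tag. The following is an added example, not code from this thread or from pfSense: a small 802.1Q tag-stack parser that flags frames whose outer tag equals an assumed native VLAN of 1. The frames it runs over are constructed in the block, not captured.

```python
"""Parse 802.1Q tag stacks and flag double-tagged frames that ride the native VLAN.

Added example (not from the pfSense list or the pfSense project). The native
VLAN ID and all frames below are assumptions/constructed test data.
"""
import struct

ETHERTYPE_8021Q = 0x8100    # customer tag (802.1Q)
ETHERTYPE_8021AD = 0x88A8   # service tag (802.1ad), used by legitimate QinQ
ETHERTYPE_IPV4 = 0x0800

NATIVE_VLAN = 1  # assumed: the trunk's native VLAN was left at the default


def parse_tags(frame):
    """Return (dst, src, [vlan ids outer->inner], payload ethertype)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vlans = []
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    # Each tag is 4 bytes: TPID (0x8100/0x88A8) followed by a 16-bit TCI.
    while ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)          # VID is the low 12 bits of the TCI
        offset += 4
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return dst, src, vlans, ethertype


def classify(frame, native_vlan=NATIVE_VLAN):
    """Label a frame: untagged, tagged, qinq, or hop-attempt."""
    _, _, vlans, _ = parse_tags(frame)
    if len(vlans) >= 2 and vlans[0] == native_vlan:
        # Outer tag == native VLAN: the switch will strip it and forward the
        # frame into the inner VLAN. This is the double-tagging hop.
        return "hop-attempt"
    if len(vlans) >= 2:
        return "qinq"
    if len(vlans) == 1:
        return "tagged"
    return "untagged"


def find_hop_attempts(frames, native_vlan=NATIVE_VLAN):
    """Return (index, outer_vid, inner_vid) for every double-tagged frame on the native VLAN."""
    hits = []
    for i, frame in enumerate(frames):
        _, _, vlans, _ = parse_tags(frame)
        if len(vlans) >= 2 and vlans[0] == native_vlan:
            hits.append((i, vlans[0], vlans[1]))
    return hits


def build_frame(vlans, payload_ethertype=ETHERTYPE_IPV4):
    """Construct a test frame with the given tag stack (PCP/DEI zero)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid) for vid in vlans)
    return dst + src + tags + struct.pack("!H", payload_ethertype) + b"\x00" * 46


# Constructed sample: an untagged frame, a normal tagged frame, a double-tagged
# frame riding VLAN 1, and a double-tagged frame on some other outer VLAN.
SAMPLE_FRAMES = [
    build_frame([]),
    build_frame([20]),
    build_frame([1, 20]),
    build_frame([100, 20]),
]

if __name__ == "__main__":
    for i, frame in enumerate(SAMPLE_FRAMES):
        print(i, parse_tags(frame)[2], classify(frame))
    print("hop attempts:", find_hop_attempts(SAMPLE_FRAMES))
```

The check only sees the double tag at the point where the attacker injects it (their access port, or a span of it); once the first switch has stripped the outer tag the frame looks like ordinary traffic for the inner VLAN. That is why the fix is on the switch rather than in a sensor: move the trunk's native VLAN to an ID that no access port uses, which is what "keep VLAN 1 on its own" comes down to in practice.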



Re: [pfSense-discussion] extending LAN private network

2009-04-03 Thread David Rees
On Fri, Apr 3, 2009 at 7:48 AM, Paul Mansfield wrote:
> use vlans, a managed switch, and use 192.168.x.0/24 for each vlan. for
> bonus points, use NAC and dynamic vlans to allow only approved devices
> and put them on the right network.
>
> (we do something similar, vlan N is 192.168.N/24. it's bad practice to
> use vlan1 so we start at 2)

I'm fairly new to VLANs - why is it bad practice to use vlan1?

-Dave




Re: [pfSense-discussion] extending LAN private network

2009-04-03 Thread Adrian Wenzel


>at some later stage.  Go to a /22 if you're worried about running out.

> What can be some of the problems with a private /16 address space?


The same thing that's happening now because GE, Xerox, HP, DEC, Apple, and Ford 
were given /8's  :D



Who knows, you could run into a situation where you need to VPN connect this 
location with another that uses a 192.168.x address that is encompassed in your 
/16 designation, but wouldn't have been in a /23.  It's always easier to grow 
than it is to shrink.

BTW, I like the vlan solution too, gives you more control.


Regards,
Adrian




Re: [pfSense-discussion] extending LAN private network

2009-04-03 Thread Eugen Leitl
On Fri, Apr 03, 2009 at 03:48:33PM +0100, Paul Mansfield wrote:
> 
> use vlans, a managed switch, and use 192.168.x.0/24 for each vlan. for
> bonus points, use NAC and dynamic vlans to allow only approved devices
> and put them on the right network.

I like this suggestion. Looks like the way to go.
 
> (we do something similar, vlan N is 192.168.N/24. it's bad practice to
> use vlan1 so we start at 2)




Re: [pfSense-discussion] extending LAN private network

2009-04-03 Thread Eugen Leitl
On Fri, Apr 03, 2009 at 01:52:46PM +0100, Greg Hennessy wrote:
> 
>What he said :-).
> 
> 
> 
>Using a /16 is guaranteed to come back and bite you in the posterior

I can use 192.168.x.0 with x coding for specific things, like
storeys, or admin addresses.

>at some later stage.  Go to a /22 if you're worried about running out.

What can be some of the problems with a private /16 address space?




Re: [pfSense-discussion] extending LAN private network

2009-04-03 Thread Paul Mansfield

use vlans, a managed switch, and use 192.168.x.0/24 for each vlan. for
bonus points, use NAC and dynamic vlans to allow only approved devices
and put them on the right network.

(we do something similar, vlan N is 192.168.N/24. it's bad practice to
use vlan1 so we start at 2)





RE: [pfSense-discussion] extending LAN private network

2009-04-03 Thread Greg Hennessy
What he said :-).

Using a /16 is guaranteed to come back and bite you in the posterior at some 
later stage.  Go to a /22 if you're worried about running out.


Greg



From: Aarno Aukia [aarnoau...@gmail.com]
Sent: 03 April 2009 13:33
To: discussion@pfsense.com; eu...@leitl.org
Subject: Re: [pfSense-discussion] extending LAN private network

Yes, although you could move to 192.168.0.0/23 first, already doubling
the number of usable addresses...

-Aarno

On Fri, Apr 3, 2009 at 13:25, Eugen Leitl <eu...@leitl.org> wrote:

It seems I'll be running out of LAN addresses on the local 192.168.0.0/24 soon.
Is boosting it as easy as moving to 192.168.0.0/16 on the LAN tab, and adjusting
the netmask for all the hosts? Or am I overlooking something?





--
Aarno Aukia
ETH Zurich / Atrila GmbH
+41764000464


Re: [pfSense-discussion] extending LAN private network

2009-04-03 Thread Aarno Aukia
Yes, although you could move to 192.168.0.0/23 first, already doubling the
number of usable addresses...

-Aarno

On Fri, Apr 3, 2009 at 13:25, Eugen Leitl wrote:

>
> It seems I'll be running out of LAN addresses on the local 192.168.0.0/24 soon.
> Is boosting it as easy as moving to 192.168.0.0/16 on the LAN tab, and
> adjusting
> the netmask for all the hosts? Or am I overlooking something?
>


-- 
Aarno Aukia
ETH Zurich / Atrila GmbH
+41764000464


[pfSense-discussion] extending LAN private network

2009-04-03 Thread Eugen Leitl

It seems I'll be running out of LAN addresses on the local 192.168.0.0/24 soon.
Is boosting it as easy as moving to 192.168.0.0/16 on the LAN tab, and adjusting
the netmask for all the hosts? Or am I overlooking something?

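The thread's advice on the original question comes down to three things: grow the LAN one bit at a time (/23, /22) rather than jumping to /16, check the new range against networks you may later have to reach over VPN (Adrian's point about a /16 swallowing some other site's 192.168.x.0/24), and, if you go the VLAN route, map VLAN N to 192.168.N.0/24 starting at 2. The following is an added example, not code from this list or from pfSense, that does that planning arithmetic with Python's standard `ipaddress` module. The remote networks are constructed sample data; the prefix chosen here still has to be applied on the pfSense LAN tab and on the hosts by hand, which this script does not do.

```python
"""Plan a LAN prefix change without colliding with networks you may VPN to.

Added example (not from the pfSense list or the pfSense project). The remote
networks are constructed sample data, not anything from the thread.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: ranges already in use at sites this LAN may need to reach over
# VPN later. A hasty /16 overlaps the first two; a /23 overlaps none of them.
REMOTE_NETWORKS = [
    ipaddress.ip_network("192.168.100.0/24"),   # assumed branch office
    ipaddress.ip_network("192.168.200.0/24"),   # assumed partner VPN
    ipaddress.ip_network("10.20.0.0/16"),       # assumed data centre
]


def prefix_for_hosts(hosts):
    """Longest prefix whose usable count (2**host_bits - 2) covers `hosts`."""
    host_bits = 1
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def plan_expansion(current, hosts_needed, remote_networks=REMOTE_NETWORKS):
    """Widen `current` one bit at a time until it fits; return (network, conflicts).

    Stops with an error rather than leaving the RFC 1918 block the LAN is in,
    which is what happens if you keep shortening 192.168.0.0/16.
    """
    net = ipaddress.ip_network(current)
    target = prefix_for_hosts(hosts_needed)
    while net.prefixlen > target:
        net = net.supernet()
        if not any(net.subnet_of(block) for block in RFC1918):
            raise ValueError(f"{net} is no longer inside an RFC 1918 block")
    conflicts = [r for r in remote_networks if net.overlaps(r)]
    return net, conflicts


def vlan_subnet(vlan_id):
    """VLAN N -> 192.168.N.0/24, refusing VLAN 1 (default/management VLAN)."""
    if not 2 <= vlan_id <= 254:
        raise ValueError("use VLAN IDs 2-254: VLAN 1 stays unused and the "
                         "third octet must fit 192.168.<id>.0/24")
    return ipaddress.ip_network(f"192.168.{vlan_id}.0/24")


def check_vlan_plan(vlan_ids, remote_networks=REMOTE_NETWORKS):
    """Map each VLAN to its /24 and list the remote networks it would collide with."""
    return {vid: [r for r in remote_networks if vlan_subnet(vid).overlaps(r)]
            for vid in vlan_ids}


if __name__ == "__main__":
    for hosts in (300, 1000, 60000):
        net, conflicts = plan_expansion("192.168.0.0/24", hosts)
        print(f"{hosts:>6} hosts -> {net}  conflicts: {[str(c) for c in conflicts]}")
    for vid, conflicts in check_vlan_plan([2, 3, 100]).items():
        print(f"VLAN {vid} -> {vlan_subnet(vid)}  conflicts: {[str(c) for c in conflicts]}")
```

Running it shows why the list steered away from /16: 300 hosts fit in 192.168.0.0/23 with no conflicts, about a thousand fit in a /22, while 192.168.0.0/16 collides with both sample 192.168.x.0/24 remote sites. The VLAN check catches the same problem per VLAN, so a "VLAN 100 = 192.168.100.0/24" assignment is flagged before it is configured rather than when the VPN comes up.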