On 16/02/10 05:42, Chris Buechler wrote:
> This depends on how much you trust your switches, and more so, how
> much you trust your admins. It's usually easier to inadvertently
> configure something on the wrong VLAN than it is to plug something
> into the wrong switch. Especially if you have people without much ...
+1

I don't know if it is still the case* but Ciscos by default allow negotiation of a port between access and trunk, so if someone on a PC connected to your switch turned on .1q they could in theory access all your VLANs. "switchport nonegotiate" is the magic command to disable it - apply to all ports.

A lot comes down to whether someone has physical access to the switch itself; in some offices you can't protect access to the switch providing service to end users.

Personally I too like to segregate external/WAN traffic from LAN by having a separate switch; that would then be "locked away" in the computer room next to the firewalls to avoid tampering - accidental or malicious.

Even if I did only have one switch for WAN and LAN, I would probably use separate physical interfaces on the firewall into the switch so that you could clearly label the unfirewalled ports and use differently coloured cables; it also makes it easier to measure WAN traffic if it's on a port by itself.

* encountered on our Cisco 3560G and 3560E switches which are fairly up to date
http://www.ciscopress.com/articles/article.asp?p=29803&seqNum=3
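An added example to go with the "apply to all ports" advice above (this is not part of the list thread, nor pfSense or Cisco code): a small Python audit that reads a Cisco IOS running-config and flags switchports that could still negotiate a trunk over DTP, i.e. ports without an explicit "switchport mode access" plus "switchport nonegotiate". The running-config text is constructed sample input; the hostname, interface numbers and descriptions in it are invented, and the generated remediation lines are the two commands discussed in the post.

```python
"""Audit a Cisco IOS running-config for ports that can still negotiate a
trunk via DTP, as raised in the pfSense list post above.

Example code written for this discussion; not part of pfSense or IOS.
The config below is a constructed sample, not a capture from a real switch.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample running-config (interface names and descriptions invented).
SAMPLE_CONFIG = """\
hostname access-sw-1
!
interface GigabitEthernet0/1
 description user port - hardened
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description user port - left at default (DTP still active)
 switchport access vlan 10
!
interface GigabitEthernet0/3
 description user port - access mode but DTP frames still sent
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/24
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan1
 no ip address
 shutdown
!
end
"""


@dataclass
class Port:
    name: str
    # IOS does not print the default (dynamic) mode in running-config,
    # so "no switchport mode line" means the port is still negotiating.
    mode: str = "dynamic (default)"
    nonegotiate: bool = False
    lines: list[str] = field(default_factory=list)


def parse_interfaces(config: str) -> list[Port]:
    """Split a running-config into physical interface blocks (SVIs skipped)."""
    ports: list[Port] = []
    current: Port | None = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            name = m.group(1)
            current = None if name.startswith("Vlan") else Port(name=name)
            if current is not None:
                ports.append(current)
            continue
        if not line.startswith(" "):
            current = None          # "!" or a global command ends the block
            continue
        if current is None:
            continue
        cmd = line.strip()
        current.lines.append(cmd)
        if cmd.startswith("switchport mode "):
            current.mode = cmd[len("switchport mode "):]
        elif cmd == "switchport nonegotiate":
            current.nonegotiate = True
    return ports


def audit(ports: list[Port]) -> dict[str, str]:
    """Classify each port: OK, WARN, FAIL, or TRUNK (needs manual confirmation)."""
    findings: dict[str, str] = {}
    for p in ports:
        if p.mode == "trunk":
            findings[p.name] = "TRUNK: confirm this is a real inter-switch/firewall link"
        elif p.mode == "access" and p.nonegotiate:
            findings[p.name] = "OK: access mode, DTP disabled"
        elif p.mode == "access":
            # Access mode cannot become a trunk, but the port still sends DTP
            # frames until 'switchport nonegotiate' is added.
            findings[p.name] = "WARN: access mode but DTP frames still sent"
        else:
            findings[p.name] = "FAIL: no explicit mode, DTP may negotiate a trunk"
    return findings


def remediation(ports: list[Port]) -> list[str]:
    """IOS lines to harden every non-trunk port that is not already OK."""
    out: list[str] = []
    for p in ports:
        if p.mode != "trunk" and not (p.mode == "access" and p.nonegotiate):
            out += [f"interface {p.name}", " switchport mode access",
                    " switchport nonegotiate"]
    return out


if __name__ == "__main__":
    found = parse_interfaces(SAMPLE_CONFIG)
    for name, verdict in audit(found).items():
        print(f"{name:22} {verdict}")
    print("\n".join(remediation(found)))
```

Run against a saved `show running-config` to get one verdict per port plus the config lines needed to close the gap; anything reported as TRUNK should be checked against your known uplink list, since a trunk you did not expect on a user-facing port is exactly the situation the post is warning about.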
