> -----Original Message-----
> From: Paul Mansfield [mailto:[email protected]]
> Sent: Tuesday, February 16, 2010 2:45 AM
> To: [email protected]
> Subject: Re: [pfSense Support] OT: physical interface v vlan
> 
> On 16/02/10 05:42, Chris Buechler wrote:
> > This depends on how much you trust your switches, and more so, how
> > much you trust your admins. It's usually easier to inadvertently
> > configure something on the wrong VLAN than it is to plug something
> > into the wrong switch. Especially if you have people without much
> ...
> 
> +1
> 
> I don't know if it is still the case* but Ciscos by default allow
> negotiation of a port between access and trunk, so if someone on a PC
> connected to your switch turned on .1q they could in theory access all
> your vlans.
> 
> "switchport nonegotiate" is the magic command to disable it - apply to
> all ports
> 
> A lot comes down to whether someone has physical access to the switch
> itself, in some offices you can't protect access to the switch providing
> service to end users.
> 
> Personally I too like to segregate external/WAN traffic from LAN by
> having a separate switch; that would then be "locked away" in the
> computer room next to the firewalls to avoid tampering - accidental or
> malicious.
> 
> Even if I did only have one switch for WAN and LAN, would probably use
> separate physical interfaces on firewall into the switch so that you
> could clearly label the unfirewalled ports and use differently coloured
> cables; it also makes it easier to measure WAN traffic if it's on a port
> by itself.

Some gratuitous use of the 'switchport trunk allowed vlan x, y-z' command helps 
with switches that aren't physically securable.  If you limit the vlans the 
vulnerable switch is able to send up the trunk, it can help contain or mitigate 
damage.  I do this on all of my firewalls that have dot1q out, so that it is 
impossible to tag the public vlan on the private switchport, or vice versa.

Best Regards,
Nathan Eisenberg
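The two settings the thread recommends, "switchport nonegotiate" on every port and a restrictive "switchport trunk allowed vlan" on trunks, are easy to miss on a switch with dozens of interfaces. The following script is an added example, not code from the list or from pfSense: it parses a saved Cisco IOS running-config and reports interfaces where DTP negotiation is still possible or where a trunk carries every VLAN. The embedded config is constructed for illustration (interface names, descriptions and VLAN numbers are made up), and the script assumes that a port with no explicit "switchport mode" is left in the platform default that the thread describes as allowing negotiation.

```python
"""
Audit a saved Cisco IOS running-config for the two hardening settings
discussed in the thread: 'switchport nonegotiate' (stop an end host from
negotiating a trunk via DTP) and 'switchport trunk allowed vlan' (prune
what a trunk may carry). Added example, not code from the pfSense list.
"""
import re

# Constructed sample config (not from the thread): four ports in
# different hardening states.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description user desk, hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description user desk, default DTP state
 switchport access vlan 10
!
interface GigabitEthernet0/24
 description uplink to firewall, pruned
 switchport mode trunk
 switchport trunk allowed vlan 10,20-29
 switchport nonegotiate
!
interface GigabitEthernet0/23
 description uplink, carries every vlan
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return interfaces


def audit_interface(lines):
    """Return a list of finding strings for one switchport stanza."""
    findings = []
    mode = None
    for l in lines:
        m = re.match(r"switchport mode (\S+)", l)
        if m:
            mode = m.group(1)  # 'access', 'trunk' or 'dynamic'
    nonegotiate = "switchport nonegotiate" in lines
    allowed = any(l.startswith("switchport trunk allowed vlan") for l in lines)
    # Assumption: no explicit mode means the platform default, which the
    # thread says permits DTP negotiation; 'dynamic auto/desirable' does too.
    if mode is None or mode == "dynamic":
        findings.append("DTP negotiation possible: no 'switchport mode access|trunk'")
    elif not nonegotiate:
        findings.append("missing 'switchport nonegotiate'")
    if mode == "trunk" and not allowed:
        findings.append("trunk carries all VLANs: missing 'switchport trunk allowed vlan'")
    return findings


def audit_config(config):
    """Map interface name -> findings, omitting interfaces with none."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for f in findings:
            print(f"{name}: {f}")
```

Run it against the output of "show running-config" saved to a file by replacing SAMPLE_CONFIG with the file contents; the two hardened ports (Gi0/1 and Gi0/24) produce no output, while the port left in its default state and the unpruned trunk are each listed with the setting they lack.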


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org