Inet-Admins mailing list archive (inet-admins@info.east.ru)


Re: [inet-admins] Ethernet VLANs



Good day!

> >
> > Can VLANs be used to build completely independent segments?
> > I'm interested in segment/VLAN separation for building a security boundary.
> 
> They are independent.
But how do things stand in practice? I have information that under heavy
traffic a switch can simply turn into an ordinary hub:

2000-03-13-12:57:54 Aaron D. Turner:
> Not sure if it is still true, but Bay Switches used to have a
> problem enforcing VLANs when two ports had the same client MAC
> (as often is the case with Suns).
>
> This can be a major security problem.  Cisco I know doesn't have
> this problem, but most security people will argue against using
> VLANs for security.  Most people recommend different physical
> switches.

Ciscos have had troubles with packet leakage in strange
circumstances as well; I seem to recall something about being able
to unilaterally turn your switch port into an ISL port or something
like that.

I've checked this opinion with a techie at a major switch vendor,
and they enthusiastically liked my statement: VLANs are a
performance optimization, designed to help decrease the size of a
broadcast domain to a fraction of a switch. They are intended to
help improve flexibility, allowing the user to have multiple
isolated broadcast domains in a single physical switch; with the
high early price-per-port of switches, and the limited numbers of
distinct sizes (e.g. 8-port, 12-port, 16-port, 32-port), being able
to carve a larger switch up into VLANs was a big help for customers
pricing reasonable configs, while trying to keep their traffic
organized for performance reasons. But VLANs were always and solely
a performance hack. Leaking packets between them isn't a design failure
of a VLAN unless the leakage consists of enough packets to have a
performance impact. For security barriers, use separate boxes, or
boxes like routers that are designed to make guarantees about
packets only going to the right place.
=============================================================================
"inet-admins" Internet access mailing list. Maintained by East Connection ISP.
Mail "unsubscribe inet-admins" to Majordomo@info.east.ru if you want to quit.
Archive is accessible on http://info.east.ru/rus/inetadm.html
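A small model of the two failure modes discussed in this thread, as an added example that is not part of the original messages: a forwarding table keyed by MAC alone (the behaviour attributed to the Bay switches when two ports share a MAC) beside one keyed by (VLAN, MAC), plus a table overflow that forces flooding. Port numbers, VLAN ids, MAC addresses and the table capacity are constructed values.

```python
"""Toy model of a switch forwarding table, VLAN-unaware vs VLAN-aware (constructed example)."""
from collections import OrderedDict

# Constructed port layout: ports 1-3 in VLAN 10, ports 4-5 in VLAN 20.
PORT_VLAN = {1: 10, 2: 10, 3: 10, 4: 20, 5: 20}


class Switch:
    def __init__(self, port_vlan, vlan_aware, capacity=4):
        self.port_vlan = port_vlan      # port -> VLAN id
        self.vlan_aware = vlan_aware    # True: key table by (vlan, mac); False: by mac only
        self.capacity = capacity        # small table so overflow is easy to reach
        self.table = OrderedDict()      # key -> port, oldest entry evicted first

    def _key(self, vlan, mac):
        return (vlan, mac) if self.vlan_aware else mac

    def learn(self, in_port, src_mac):
        key = self._key(self.port_vlan[in_port], src_mac)
        if key in self.table:
            self.table.move_to_end(key)
        elif len(self.table) >= self.capacity:
            self.table.popitem(last=False)  # overflow: forget the oldest address
        self.table[key] = in_port

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of egress ports for one frame."""
        vlan = self.port_vlan[in_port]
        self.learn(in_port, src_mac)
        out = self.table.get(self._key(vlan, dst_mac))
        if out is not None:
            return {out}  # known destination: unicast to the learned port
        # Unknown destination: flood, but only to ports of the ingress VLAN.
        return {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}


def duplicate_mac_scenario(vlan_aware):
    """Same MAC on a VLAN 10 port and a VLAN 20 port; a VLAN 10 host then sends to it."""
    sw = Switch(PORT_VLAN, vlan_aware)
    sw.forward(1, "00:aa", "ff:ff")          # VLAN 10 host with MAC 00:aa learned on port 1
    sw.forward(4, "00:aa", "ff:ff")          # VLAN 20 host with the same MAC learned on port 4
    return sw.forward(2, "00:bb", "00:aa")   # MAC-only table answers port 4: frame leaks to VLAN 20


def overflow_scenario(vlan_aware):
    """Fill the table past capacity, then address a host that has been evicted."""
    sw = Switch(PORT_VLAN, vlan_aware, capacity=2)
    sw.forward(1, "00:01", "ff:ff")
    sw.forward(2, "00:02", "ff:ff")
    sw.forward(3, "00:03", "ff:ff")          # evicts 00:01
    return sw.forward(2, "00:02", "00:01")   # flooded to VLAN 10 ports 1 and 3 only, hub-like
```

With the VLAN-aware key the first scenario unicasts to port 1; the overflow scenario floods in both models, which is the "switch becomes a hub" behaviour, but the flood never crosses into VLAN 20.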
Copyright © Lexa Software, 1996-2009.