Good day!
> >
> > Is it possible to use VLANs to create fully independent segments?
> > I am interested in separating segments/VLANs in order to build protection.
>
> They already are independent.
And how do things stand in practice? I have information that under heavy
traffic a switch can even turn into an ordinary hub:
2000-03-13-12:57:54 Aaron D. Turner:
> Not sure if it is still true, but Bay Switches used to have a
> problem enforcing VLAN's when two ports had the same client MAC
> (as often is the case of Sun's).
>
> This can be a major security problem. Cisco I know doesn't have
> this problem, but most security people will argue against using
> VLAN's for security. Most people recommend different physical
> switches.
Ciscos have had troubles with packet leakage in strange
circumstances as well; I seem to recall something about being able
to unilaterally turn your switch port into an ISL port or something
like that.
I've checked this opinion with a techie at a major switch vendor,
and they enthusiastically liked my statement: VLANs are a
performance optimization, designed to help decrease the size of a
broadcast domain to a fraction of a switch. They are intended to
help improve flexibility, allowing the user to have multiple
isolated broadcast domains in a single physical switch; with the
high early price-per-port of switches, and the limited numbers of
distinct sizes (e.g. 8-port, 12-port, 16-port, 32-port), being able
to carve a larger switch up into VLANs was a big help for customers
pricing reasonable configs, while trying to keep their traffic
organized for performance reasons. But VLANs were always and solely
a performance hack. Leaking packets between isn't a design failure
of a VLAN unless the leakage consists of enough packets to have a
performance impact. For security barriers, use separate boxes, or
boxes like routers that are designed to make guarantees about
packets only going to the right place.
=============================================================================
"inet-admins" Internet access mailing list. Maintained by East Connection ISP.
Mail "unsubscribe inet-admins" to Majordomo@info.east.ru if you want to quit.
Archive is accessible on http://info.east.ru/rus/inetadm.html