On Sat, Jul 12, 2008 at 12:24:46AM -0400, Jason Dixon wrote:

quoted text
> I knew it was a matter of time before the "vlan insecurity" bullshit hit
> the fan.  RTFA.  Who says anything about "blindly trusting" switches?
> If you can't correctly configure VLANs on your switches, and filter on
> vlan(4) interfaces in PF, you shouldn't be administering production
> networks.  There's nothing functionally different between:
> 
> $ext_if="em0"
> 
> and
> 
> $ext_if="vlan0"
> 
> I've developed networks with over a dozen routed VLAN segments on a
> single physical GbE link.  With carp(4) interfaces on top.  It's easy.
> In fact, it's a hell of a lot less error- and failure-prone than
> managing 5 interfaces.  If you're not going to use the features that
> came with those k switches you just bought, you might as well stick
> with 0 Netgears from Best Buy.

Yep.

A few years ago when the "vlan insecurity bullshit" was all the rage we
happened to be upgrading our LAN to gigabit. I was a bit leery from the
experiences of dealing with Nortel's retarded (and proprietary)
protocol-based VLAN crap. But I didn't want that to taint our future.

So before deciding on a course of action (VLAN or physical separation) we
picked up a couple of Cisco 2960G's, put them on my workbench and *BEAT THE
FUCKING SHIT OUT OF THEM* trying all these VLAN hopping exploits that were
talked about. Nothing seemed to work: the switches did their job. On our
older Nortel 450's we did see some VLAN traffic leaking out when the things
were flooded but those units dated back to the late 90's or so. Tech changes
and improves.

Fast forward and we've got these 2960G's everywhere, a couple of 3750G's
doing the L3 work and feeding to the hardware out to the world. Nearly 20
VLANs going through various trunks (single gig and etherchannel). The stuff
just works well when configured properly.


 Gord