From owner-freebsd-security@FreeBSD.ORG Mon Apr 5 12:18:16 2004
Date: Mon, 5 Apr 2004 09:18:16 -1000
From: Clifton Royston
To: freebsd-security@freebsd.org
cc: Adrian Penisoara
Subject: Re: Q: Controlling access at the Ethernet level
Message-ID: <20040405191815.GB17961@lava.net>
In-Reply-To: <20040405190109.A9FB416A4D0@hub.freebsd.org>
User-Agent: Mutt/1.4.2i

> Message: 4
> Date: Mon, 5 Apr 2004 18:08:49 +0200
> From: Sten Daniel Sørsdal
> Subject: RE: Controlling access at the Ethernet level
> To: "Adrian Penisoara"
> Cc: freebsd-isp@freebsd.org
>
> > > What would you recommend? Are there any other elegant solutions?
>
> How about using 802.1Q VLANs and dedicating a VLAN to each port.
> If more than 4000 users then add more gateways.
>
> Just be sure to go for switches that allow you to deny incoming
> already tagged packets on the user side, as some switches pass
> already tagged packets.
While this sounds theoretically like a good solution, in my experience
many midrange switches (e.g. HP Procurve 25xx and 40xx series) do not
handle large numbers of VLANs well; they seem to consume RAM and CPU
roughly proportional to the number of active VLANs, and past some
threshold you see packet loss.

As one of the constraints mentioned was "can't pay to add managed
switches" I would be cautious about this solution unless you *know*
that all the switches handle large numbers of VLANs well, or you'll be
trying to troubleshoot a network with unexplained and intermittent
packet loss.

Just a warning from experience, FWIW.

-- Clifton

--
Clifton Royston -- cliftonr@tikitechnologies.com
Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed?
Did you ever walk with ten cats on your head?
Did you ever milk this kind of cow?
Well we can do it. We know how.
If you never did, you should.
These things are fun, and fun is good.
-- Dr. Seuss
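Added example, not part of the original thread: a small Python parser for 802.1Q-tagged Ethernet frames plus a hypothetical access_port_verdict() function that models the "deny incoming already tagged packets on the user side" behaviour Sten recommends asking the switch for. The frame layout follows 802.1Q/802.1ad; the sample frames are constructed here, not captured traffic.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q customer tag TPID
ETH_P_8021AD = 0x88A8  # 802.1ad (QinQ) service tag TPID

def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header plus any stacked 802.1Q/802.1ad tags."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack("!H", frame[off:off + 2])
        if ethertype not in (ETH_P_8021Q, ETH_P_8021AD):
            break
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        # TCI = 3-bit PCP, 1-bit DEI, 12-bit VID
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": ethertype, "payload": frame[off + 2:]}

def access_port_verdict(frame: bytes, port_vid: int) -> tuple:
    """Hypothetical model of a user-facing access port on VLAN port_vid:
    untagged frames are accepted into port_vid, frames arriving already
    tagged are dropped (the ingress filtering the thread asks for)."""
    info = parse_frame(frame)
    if info["tags"]:
        return ("drop", info["tags"][0]["vid"])
    return ("accept", port_vid)

def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vids=(), tpid: int = ETH_P_8021Q) -> bytes:
    """Construct a test frame; each vid in vids becomes one tag (PCP/DEI 0)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample frames (not captured traffic): an untagged ARP request,
# a frame the user pre-tagged with VID 100, and a double-tagged (QinQ-style) one.
SRC, BCAST = "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
UNTAGGED = build_frame(BCAST, SRC, 0x0806, bytes(28))
TAGGED = build_frame(BCAST, SRC, 0x0800, b"\x45" + bytes(19), vids=(100,))
DOUBLE = build_frame(BCAST, SRC, 0x0800, b"\x45" + bytes(19), vids=(10, 100))
```

Feeding each sample through access_port_verdict(frame, 42) shows the untagged frame classified into VLAN 42 and both pre-tagged frames dropped, which is the property to verify on a candidate switch before rolling out a VLAN-per-port design.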