Date: Tue, 13 Sep 2005 08:23:20 -0700 (PDT)
From: Danial Thom <danial_thom@yahoo.com>
To: freebsd-questions@freebsd.org
Subject: Re: VLAN interfaces on FreeBSD; performance issues
Message-ID: <20050913152320.27919.qmail@web33305.mail.mud.yahoo.com>
In-Reply-To: <8A38568B-D5B4-4EE7-AFB5-FF6C0D1285C6@mac.com>
--- Charles Swiger <cswiger@mac.com> wrote:

> On Sep 12, 2005, at 11:49 AM, Sten Daniel Sørsdal wrote:
>
>>> The essence of multihoming is having two (or more) distinct NICs.
>>
>> so if i had two vlan's with an ip on both. wouldn't this qualify it as
>> multihoming? would i somehow no longer need to configure the
>> computer as though it was a multihomed?
>
> I don't fully understand the question you are asking. If you have
> one physical connection (one NIC, one Cat5 cable), you can only
> connect to a single collision domain, even if you use VLANs (or set
> up IP aliases on different subnets, etc).
>
> --
> -Chuck

It's not clear why Chuck keeps answering since he clearly doesn't understand the question. You can, of course, multihome with one NIC, and Spanning Tree and "collision domains" have nothing to do with anything, simply by routing to the correct router. The trick is your scheme for determining the correct router. It makes little difference if they are on the same wire or even the same numbered network. If your routing table says "route 10.1.1/24 to 200.1.1.1 and route 10.2.1/24 to 200.1.1.2" you're multi-homed on a single wire. "Multi-homing" refers to having more than one network egress (i.e. 2 or more upstream providers) and the ability to "decide" which one to send specific traffic to.

You're making a big mess of your network for little reason, except perhaps to thwart the completely incompetent. If you don't have servers isolated they can sniff and learn whatever you're doing, and if not and they know the numbering of their wire they can learn the associated vlan tag in about 200ms by trying every combination until something works. If you want to secure the IP-to-machine use a MAC-IP firewall enforcement, which is less work and more effective than renumbering your entire network with VLAN tagging. Buying into Cisco's schemes is more about locking you into using their equipment than anything useful. That's one thing that's a constant over time.

Danial
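The routing-table point in the reply above, as an added illustration that is not part of the original thread: a longest-prefix match over the post's two prefixes picks a different next hop per destination even though both gateways (200.1.1.1 and 200.1.1.2) sit on the same connected network behind one NIC. The connected subnet 200.1.1.0/24 and the default route are assumptions.

```python
import ipaddress

# Constructed table after the post's example: two prefixes reach two
# different upstream routers that share one wire (one NIC, one subnet).
INTERFACE_NET = ipaddress.ip_network("200.1.1.0/24")  # assumed NIC subnet

ROUTES = [
    (ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_address("200.1.1.1")),
    (ipaddress.ip_network("10.2.1.0/24"), ipaddress.ip_address("200.1.1.2")),
    (ipaddress.ip_network("0.0.0.0/0"),   ipaddress.ip_address("200.1.1.1")),  # assumed default
]


def next_hop(dst):
    """Longest-prefix match: return the gateway of the most specific route
    containing dst, after checking that the gateway is reachable on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    prefix, gw = best
    # A next hop is only usable if it lies on the interface's own subnet;
    # here both gateways do, which is what "multi-homed on one wire" means.
    if gw not in INTERFACE_NET:
        raise ValueError(f"gateway {gw} for {prefix} is not on-link")
    return str(gw)


if __name__ == "__main__":
    for d in ("10.1.1.7", "10.2.1.9", "192.0.2.10"):
        print(d, "->", next_hop(d))
```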