On 12/10/2014 12:31 PM, Anton Aylward wrote:
> On 12/10/2014 11:51 AM, James Knott wrote:
>> Regardless, my testing also showed IPv4 broadcasts crossing from the native to VLAN and that is something that's not ever supposed to happen.
>
> There are still people out there who are thinking that VLAN separation is a security measure, that it's the same as having two physically separate switches.
That would depend on what you mean by security. It does provide separation of subnets, so that, for example, access to a restricted network can be blocked by a firewall. But it does nothing to stop someone from running Wireshark to see the traffic or bringing in another managed switch to give access to the forbidden subnet/VLAN. Regardless, it is another barrier to overcome, which most users won't be able to breach. As for someone bringing in a switch, there is also some protection against that, in that the port can be shut down if STP is detected on it.

That said, security is a many-layered thing. It's like an onion, with multiple layers, none of which can be guaranteed to be absolutely secure, but when they all stack up, it becomes more and more difficult to breach. VLANs are just one layer of that onion.