On 03/19/2017 10:27 AM, Carlos E. R. wrote:
> On 2017-03-19 03:19, James Knott wrote:
>> On 03/18/2017 05:38 PM, Carlos E. R. wrote:
>>> Yes, IMO, if you want separation the firewall is not the tool. You need separate cables. Any machine connected to the cable can listen to things that are not for it if it wishes.
>>
>> VLANs can be used to provide isolation. A managed switch can be used to provide one of the VLANs on an access port. The other VLANs will then not be reachable via that port. You only get multiple VLANs on trunk ports, and even then the available VLANs can be limited.
>
> [Paranoid hat on]
>
> But that isolation is logical. The switch can say that some cables are one VLAN, some other cables are another, and thus each VLAN is physically isolated. However, at the input to the switch all VLANs travel on the same cable, perhaps to the router, and then anything connected to that router can sniff the traffic. A hacker could hack the router and access both the external and the private-only network, say.

What you are referring to is called a "trunk port", which carries VLANs between switches. It is possible to limit which VLANs are carried on that trunk. An access port only has the VLAN it's configured for. Security is always important, so you limit access to the network, including the router. Routers can be configured to require a password, SSH, etc. to make them more difficult to access. Another thing that can be done is to put the management interface on a separate VLAN, with limited access, i.e. don't send that VLAN over trunks where it's not needed.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
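The access/trunk distinction and trunk pruning discussed in this thread can be checked against a small model of how an 802.1Q switch classifies and forwards frames. The following is an added example, not code from the thread or from any switch vendor; the port names, VLAN numbers and frames are constructed, and the behaviour of dropping a tagged frame on an access port whose tag differs from the port's VLAN is the model's assumption (real switches vary in how they treat tagged ingress on access ports).

```python
"""Toy model of VLAN forwarding on a managed switch (constructed example).

It models: an access port belongs to exactly one VLAN; a trunk port carries
only the VLANs on its allowed list; a VLAN kept off the trunk (here the
management VLAN 99) cannot leave the switch through that trunk.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple, Dict, FrozenSet


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                                  # "access" or "trunk"
    pvid: int                                  # VLAN for untagged frames
    allowed: FrozenSet[int] = field(default_factory=frozenset)  # trunk only


@dataclass(frozen=True)
class Frame:
    ingress: str            # port the frame arrives on
    tag: Optional[int]      # 802.1Q VID on the wire, None if untagged
    egress: str             # port the switch would forward it to


# Constructed switch: guest VLAN 10, private VLAN 20, management VLAN 99.
# The uplink trunk gi24 is pruned to VLANs 10 and 20 only.
SWITCH: Dict[str, Port] = {
    "gi1": Port("gi1", "access", pvid=10),
    "gi2": Port("gi2", "access", pvid=20),
    "gi3": Port("gi3", "access", pvid=99),                 # management station
    "gi24": Port("gi24", "trunk", pvid=1, allowed=frozenset({10, 20})),
}


def classify_ingress(port: Port, frame: Frame) -> Optional[int]:
    """Return the VLAN the frame is placed in, or None if the switch drops it."""
    if port.mode == "access":
        # An access port is a member of one VLAN only.  Untagged frames get
        # that VLAN; a tag naming any other VLAN is discarded (model assumption).
        if frame.tag is None or frame.tag == port.pvid:
            return port.pvid
        return None
    # Trunk: untagged frames map to the native VLAN, tagged ones keep their VID,
    # but only VLANs on the allowed list are accepted.
    vid = port.pvid if frame.tag is None else frame.tag
    return vid if vid in port.allowed else None


def classify_egress(port: Port, vid: int) -> Optional[Tuple[str, int]]:
    """Return ("tagged"|"untagged", vid) as the frame leaves, or None if it can't."""
    if port.mode == "access":
        return ("untagged", vid) if vid == port.pvid else None
    if vid not in port.allowed:
        return None                       # pruned from this trunk
    return ("untagged" if vid == port.pvid else "tagged", vid)


def forward(switch: Dict[str, Port], frame: Frame) -> Optional[Tuple[str, int]]:
    """Full switching decision: ingress classification, then egress check."""
    vid = classify_ingress(switch[frame.ingress], frame)
    if vid is None:
        return None
    return classify_egress(switch[frame.egress], vid)


if __name__ == "__main__":
    cases = [
        ("guest -> private (different access VLANs)", Frame("gi1", None, "gi2")),
        ("guest -> uplink trunk", Frame("gi1", None, "gi24")),
        ("tag 20 presented on guest access port", Frame("gi1", 20, "gi2")),
        ("management VLAN -> uplink trunk (pruned)", Frame("gi3", None, "gi24")),
        ("tag 99 arriving on pruned trunk", Frame("gi24", 99, "gi3")),
        ("tag 20 from trunk -> private access port", Frame("gi24", 20, "gi2")),
    ]
    for label, frame in cases:
        print(f"{label}: {forward(SWITCH, frame)}")
```

Running the block shows that the two access ports never see each other's traffic, that the private VLAN is only reachable from the trunk when the trunk explicitly allows it, and that the management VLAN stays local to the switch because it is absent from the trunk's allowed list, which is the "don't send that VLAN over trunks where it's not needed" point made above.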