On 2017-03-19 15:33, James Knott wrote:
> On 03/19/2017 10:27 AM, Carlos E. R. wrote:
>> On 2017-03-19 03:19, James Knott wrote:
>>> On 03/18/2017 05:38 PM, Carlos E. R. wrote:
>>>> Yes, IMO, if you want separation the firewall is not the tool. You need separate cables. Any machine connected to the cable can listen to things that are not for it if it wishes.
>>>
>>> VLANs can be used to provide isolation. A managed switch can be used to provide one of the VLANs on an access port. The other VLANs will then not be reachable via that port. You only get multiple VLANs on trunk ports and even then available VLANs can be limited.
>>
>> [Paranoid hat on]
>>
>> But that isolation is logical. The switch can say that some cables are one VLAN, some other cables are another, and thus each VLAN is physically isolated. However, at the input to the switch all VLANs travel on the same cable, perhaps to the router, and then anything connected to that router can sniff the traffic. A hacker could hack the router and access both the external and the private-only network, say.
>
> What you are referring to is called a "trunk port", which carries VLANs between switches. It is possible to limit what VLANs are carried on that trunk. An access port only has the VLAN it's configured for. Security is always important, so you limit access to the network, including the router. Routers can be configured to require a password, SSH etc. to make them more difficult to access. Another thing that can be done is to put the management interface on a separate VLAN, with limited access, i.e. don't send that VLAN over trunks where it's not needed.

So you see, we are going now to separate cables, as I said initially. The configuration is similar to having two separate switches connected to the same router (for internet), each one handling a different subnet. But instead we do the separation logically using a single switch, which is cheaper. I.e., "virtual" LANs. However, the cables connected to the switch carry only one LAN. One VLAN.

[Paranoid hat on]

Maybe the switch can be hacked by the bad guys.

-- 
Cheers / Saludos,

Carlos E. R.
(from 42.2 x86_64 "Malachite" (Minas Tirith))
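To make the access-port versus trunk-port distinction from the thread concrete, here is an added managed-switch configuration in Cisco IOS-style syntax; it is not from the thread or from either poster, and the VLAN numbers, interface names and management address are assumed values. It shows the default "all VLANs allowed" trunk beside the restricted one, with the management VLAN kept off the trunk as James describes.

```cisco
! Added example (not from the thread). Cisco IOS-style syntax; VLAN IDs,
! interface names and the management address are assumed values.
vlan 10
 name private
vlan 20
 name external
vlan 99
 name management

! Access ports: each carries exactly one VLAN, untagged. A host on
! Gi1/0/1 never receives VLAN 20 or VLAN 99 frames, tagged or not.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20

! Weak trunk (before): with no allowed-VLAN list, every VLAN is carried,
! so the device behind this port (here, the router) sees tagged frames
! for VLAN 10, 20 and 99, management traffic included.
interface GigabitEthernet1/0/24
 switchport mode trunk

! Corrected trunk (after): only the VLANs the router must route are
! carried; VLAN 99 is pruned, and dynamic trunk negotiation is disabled
! so an attached device cannot talk its way into a trunk.
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate

! Management interface exists only on VLAN 99, reachable from an access
! port on that VLAN, and only over SSH.
interface Vlan99
 ip address 192.0.2.10 255.255.255.0
line vty 0 4
 transport input ssh
```

The two `GigabitEthernet1/0/24` stanzas are before/after views of the same uplink; only the second one belongs in a running config.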