On 2017-03-19 03:19, James Knott wrote:
On 03/18/2017 05:38 PM, Carlos E. R. wrote:
Yes, IMO, if you want separation, the firewall is not the tool. You need separate cables. Any machine connected to the cable can listen to things that are not for it if it wishes.
VLANs can be used to provide isolation. A managed switch can be used to provide one of the VLANs on an access port. The other VLANs will then not be reachable via that port. You only get multiple VLANs on trunk ports and even then available VLANs can be limited.
[Paranoid hat on] But that isolation is logical. The switch can say that some cables are one VLAN, some other cables are another, and thus each VLAN is physically isolated. However, at the input to the switch all VLANs travel on the same cable, perhaps to the router, and then anything connected to that router can sniff the traffic. A hacker could hack the router and access both the external and the private-only network, say.
--
Cheers / Saludos,
Carlos E. R.
(from 42.2 x86_64 "Malachite" (Minas Tirith))
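The point both posters are making (an access port delivers one VLAN with the tag stripped, while a trunk link carries every VLAN side by side, distinguished only by a 4-byte 802.1Q tag that any host on that link can read) can be seen by decoding the frames themselves. The following is an added example, not code from the thread or from any switch vendor: it builds a few constructed frames as they would appear on a trunk, parses the 802.1Q tag, and models what a host on an access port would receive. The MAC addresses, payloads and the helper names `parse_frame`, `build_frame`, `vlans_seen` and `access_port_view` are all assumptions made for the illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet header and, if present, its 802.1Q tag.

    Returns dst, src, vlan (None when untagged), pcp, the inner ethertype
    and the payload. A frame on a trunk shows its VLAN ID in plain sight.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst = frame[0:6]
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan, pcp = 14, None, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp = tci >> 13          # 3-bit priority code point
        vlan = tci & 0x0FFF      # 12-bit VLAN identifier
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan": vlan,
        "pcp": pcp,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Assemble a frame; with vlan set, insert an 802.1Q tag after the MACs."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Constructed sample of what one trunk link carries: frames from two tagged
# VLANs plus untagged (native VLAN) traffic, all on the same wire.
TRUNK_CAPTURE = [
    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806, b"arp-request", vlan=10),
    build_frame("02:00:00:00:00:02", "02:00:00:00:00:03", 0x0800, b"ip-packet", vlan=20),
    build_frame("02:00:00:00:00:04", "02:00:00:00:00:05", 0x0800, b"native-vlan"),
]


def vlans_seen(frames):
    """Set of VLAN IDs visible on a link; None marks untagged traffic."""
    return {parse_frame(f)["vlan"] for f in frames}


def access_port_view(frames, port_vlan):
    """What a host on an access port for port_vlan receives: the switch forwards
    only that VLAN's frames and strips the tag before handing them over."""
    out = []
    for f in frames:
        p = parse_frame(f)
        if p["vlan"] == port_vlan:
            out.append(build_frame(p["dst"], p["src"], p["ethertype"], p["payload"]))
    return out


if __name__ == "__main__":
    print("VLANs visible on the trunk:", vlans_seen(TRUNK_CAPTURE))
    for f in access_port_view(TRUNK_CAPTURE, 20):
        print("host on VLAN 20 access port sees:", parse_frame(f))
```

Running it shows the trunk carrying VLANs 10, 20 and untagged traffic together, while the access-port view for VLAN 20 contains a single untagged frame. The separation therefore lives entirely in the switch's forwarding decision and in the tag; on the trunk cable, and on whatever router terminates it, every VLAN's traffic is readable, which is exactly the caveat raised above.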