On 3/25/07, Jason Dixon <[EMAIL PROTECTED]> wrote:
> It works fine if you're using secure VLANs. But if you have the money for a VLAN-capable switch, you might as well use dedicated interfaces. But it *can* be done easily and securely.
But isn't the hope then that there's no "leakage" and that you can't easily do something like that ARP-based thing used to sniff a switch? I know, I know, my design at my last company included using VLANs this way too, but I kept the internal VLANs on internal switches, and external VLANs on external, physically separate, switches [1].

-me

[1] I inherited a situation where the *entire* inside network was reachable via this external, outside-the-firewall switch, via the VLAN. Being that we did not require the services of the network fuckup fairy because we had our very own personal NotWork Engineer[TM], I had to move quickly to make sure he did not suddenly turn on routing on that 3550, for example.

[TM] "I have a CCNP, but, like, Cisco, um, lost my certificate. Yeah, that's it." Of course, it's been a *LONG* time since I saw any CCNP who could not set a default route on Cisco equipment. Who likes to build single-channel EtherChannels. Who likes to build routing loops. Who actually built a 10/8 network - and we had 40+ remote/WAN locations!!!!!! Yes, you read it right - no subnets! Where the design was so bad that the recent external audit of the network had the consultants snickering every few minutes, and when he couldn't stand it anymore, he'd call me over: "hey, psst, you've gotta come see this..."