On 3/25/07, Jason Dixon <[EMAIL PROTECTED]> wrote:
It works fine if you're using secure VLANs.  But if you have the
money for a VLAN-capable switch, you might as well use dedicated
interfaces.  But it *can* be done easily and securely.

But isn't the hope then that there's no "leakage" and that you can't
easily do something like that ARP-based thing used to sniff a switch?
I know, I know, my design at my last company included using vlans this
way too, but I kept the internal vlans on internal switches, and
external vlans on external, physically separate, switches[1].

-me
[1]  I inherited a situation where the *entire* inside network was
reachable via this external, outside the firewall, switch, via the
vlan.  Being that we did not require the services of the network
fuckup fairy because we had our very own personal NotWork
Engineer[TM], I had to move quickly to make sure he did not suddenly
turn on routing on that 3550, for example.
[TM]  "I have a CCNP, but, like, Cisco, um, lost my certificate.
Yeah, that's it."  Of course, it's been a *LONG* time since I saw any
CCNP who could not set a default route on Cisco equipment.  Who likes
to build single channel etherchannels.  Who likes to build routing
loops.  Who actually built a 10/8 network - and we had 40+ remote/WAN
locations!!!!!!  Yes, you read it right - no subnets!  Where the
design was so bad that the recent external audit of the network had
the consultants snickering every few minutes, and when he couldn't
stand it anymore, he'd call me over, "hey, psst, you've gotta come
see this..."
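The failure mode described in the footnote (inside and outside VLANs trunked through one layer-3 switch, where a single "ip routing" command would route around the firewall) is something you can audit for in a saved running-config. The script below is an added example, not code from anyone in this thread. It parses a simplified IOS-style config and flags two conditions: a trunk that carries both an inside and an outside VLAN (the two sides share a switch), and live SVIs on both sides, with or without "ip routing" enabled. The config text, hostname, addresses and the VLAN-to-side mapping (10 outside, 20/30 inside) are all constructed for the example; the parser only understands the handful of commands shown.

```python
"""Audit an IOS-style switch config for collapsed inside/outside VLAN separation.
All config text and VLAN assignments below are constructed for illustration."""
import re

# Assumption for this example: VLAN 10 sits outside the firewall, 20 and 30 inside.
OUTSIDE_VLANS = {10}
INSIDE_VLANS = {20, 30}
ALL_VLANS = set(range(1, 4095))  # an unpruned trunk carries everything


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(','):
        part = part.strip()
        if not part:
            continue
        if '-' in part:
            lo, hi = part.split('-', 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Return (ip_routing, live_svis, trunks).

    live_svis: VLAN ids whose SVI has an address and is not shut down.
    trunks:    interface name -> set of VLANs allowed on that trunk."""
    ip_routing = False
    svis, allowed, trunk_ports = {}, {}, set()
    iface = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(' '):              # global-config line
            iface = None
            if line == 'ip routing':
                ip_routing = True
            elif line == 'no ip routing':
                ip_routing = False
            m = re.match(r'interface\s+(\S+)', line)
            if m:
                iface = m.group(1)
                if iface.lower().startswith('vlan'):
                    svis[int(iface[4:])] = {'ip': False, 'shut': False}
            continue
        if iface is None:
            continue
        cmd = line.strip()                        # interface sub-command
        if iface.lower().startswith('vlan'):
            vid = int(iface[4:])
            if cmd.startswith('ip address '):
                svis[vid]['ip'] = True
            elif cmd == 'shutdown':
                svis[vid]['shut'] = True
        else:
            if cmd == 'switchport mode trunk':
                trunk_ports.add(iface)
            m = re.match(r'switchport trunk allowed vlan\s+(.+)', cmd)
            if m:
                allowed[iface] = expand_vlan_list(m.group(1))
    live = {v for v, st in svis.items() if st['ip'] and not st['shut']}
    trunks = {p: allowed.get(p, ALL_VLANS) for p in trunk_ports}
    return ip_routing, live, trunks


def audit(text, inside=INSIDE_VLANS, outside=OUTSIDE_VLANS):
    """Return a list of findings; an empty list means the separation holds."""
    ip_routing, live_svis, trunks = parse_config(text)
    findings = []
    for name, vlans in sorted(trunks.items()):
        if vlans & inside and vlans & outside:
            findings.append(f'{name}: trunk carries inside {sorted(vlans & inside)} '
                            f'and outside {sorted(vlans & outside)} VLANs')
    in_svi, out_svi = live_svis & inside, live_svis & outside
    if in_svi and out_svi:
        if ip_routing:
            findings.append(f'ip routing enabled with live SVIs on both sides '
                            f'(inside {sorted(in_svi)}, outside {sorted(out_svi)}): '
                            f'switch routes around the firewall')
        else:
            findings.append(f'live SVIs on both sides (inside {sorted(in_svi)}, '
                            f'outside {sorted(out_svi)}): one "ip routing" away from bypass')
    return findings


# Constructed sample: one L3 switch carrying both sides, routing on.
BAD_CONFIG = """\
hostname core-sw
ip routing
!
interface Vlan10
 description OUTSIDE - in front of firewall
 ip address 192.0.2.2 255.255.255.0
!
interface Vlan20
 description INSIDE servers
 ip address 10.1.0.1 255.255.0.0
!
interface Vlan30
 description INSIDE users (unused SVI)
 ip address 10.2.0.1 255.255.0.0
 shutdown
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
end
"""

# Constructed sample: inside-only switch, routing off.
GOOD_CONFIG = """\
hostname inside-sw
no ip routing
!
interface Vlan20
 ip address 10.1.0.2 255.255.0.0
!
interface FastEthernet0/1
 switchport trunk allowed vlan 20,30
 switchport mode trunk
!
end
"""

if __name__ == '__main__':
    for label, cfg in (('core-sw', BAD_CONFIG), ('inside-sw', GOOD_CONFIG)):
        print(label, audit(cfg) or ['ok'])
```

Run against a directory of backed-up configs and treat any finding on a switch that is supposed to be inside-only as an incident, not a style nit: the trunk finding alone means the outside segment is one misconfiguration away from the inside network.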
