On Fri, 04 May 2007 06:10:46 -0700, Clint Pachl <[EMAIL PROTECTED]> wrote:
> Jason Dixon wrote:
>> On Thu, 03 May 2007 23:18:38 -0700, Clint Pachl <[EMAIL PROTECTED]> wrote:
>>
>>> Axton wrote:
>>>
>>>> On 5/2/07, Matiss Miglans <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> Hi
>>>>> Scenario 1 will be right.
>>>>> Don't mix "normal" ethernet with vlans there.
>>>>>
>>>>> Jonathan Whiteman wrote:
>>>>>
>>>>>> Let's say I'm setting up vlan devices so that 4 completely separate
>>>>>> subnets' gateways can share the same ethernet port on the router.  Is it
>>>>>> more appropriate to give the physical device itself an ip address and
>>>>>> then create 3 vlan devices, or to give the physical device no ip address
>>>>>> at all and create 4 vlan devices?  Or?
>>>>>>
>>> I have a hypothetical question regarding security concerning this setup.
>>> Would it be more secure to have 4 physically different interfaces each
>>> connected to a single VLAN?
> 
> Mistake, sorry. I meant to say "connected to different VLANs", not
> "connected to a single VLAN".
> 
>> And what exactly is more secure about having 4 different physical
>> interfaces connected to the same VLAN?  That doesn't make any sense,
>> unless you're talking about trunking the 4 interfaces, then adding a vlan
>> interface on top.  All of which has nothing to do with VLAN security.
>>
> 
> Are there security advantages to having 4 physical interfaces of a
> router connected to 4 switch ports, with each switch port belonging to a
> different VLAN? Or, a single physical interface connected to a single
> switch port that belongs to 4 VLANs?

If you understood VLANs, you'd realize what a silly question this is.  If you 
want to use 4 physical interfaces for segregated routing, do it... just don't 
bother with vlan interfaces (on your router).  However, if you'd prefer to 
minimize the amount of physical interfaces... or possibly trunk them and layer 
vlan interfaces on top, that's fine too.  You're mixing your OSI layers.  
Seriously, go back and read about VLANs and trunking/bonding. 

> The second option obviously saves you some interfaces and switchports,
> albeit a decrease in bandwidth, but does it make you more vulnerable to
> VLAN attacks (e.g. VLAN spoofing/hopping)?

See above.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
