On Sat, Jul 12, 2008 at 01:09:40AM -0300, Giancarlo Razzolini wrote:
> Wow... I've used 5 interfaces also, but for different internet links.
> Try doing multi-routing when you have lots of different IPs of different
> ranges on the same if. Your pf rules will be a mess and, in some cases,
> it just does not work. Also, it is like we never heard of switch
> vulnerabilities allowing people on one VLAN to see traffic of other
> VLANs. Blindly trusting the switches is like being driven by a blind
> guy, it can crash every moment. I believe that there is a reason for
> everything, even using lots of network cards. Martin, I believe that
> using 4-port cards can have its benefits. Heard a lot of good things about
> the Intel 4-port cards. Also, their performance isn't hit that hard,
> because the Intel ones are PCI-e.

I knew it was a matter of time before the "vlan insecurity" bullshit hit
the fan.  RTFA.  Who says anything about "blindly trusting" switches?
If you can't correctly configure VLANs on your switches, and filter on
vlan(4) interfaces in PF, you shouldn't be administering production
networks.  There's nothing functionally different between:

ext_if="em0"

and

ext_if="vlan0"

I've developed networks with over a dozen routed VLAN segments on a
single physical GbE link.  With carp(4) interfaces on top.  It's easy.
In fact, it's a hell of a lot less error- and failure-prone than
managing 5 interfaces.  If you're not going to use the features that
came with those $5k switches you just bought, you might as well stick
with $100 Netgears from Best Buy.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
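As an added illustration of the point made above (this is not part of the original thread), here is what a three-segment OpenBSD firewall on a single GbE trunk looks like, with carp(4) on the outside segment and PF filtering on the vlan(4) interfaces. The interface names, VLAN IDs, addresses (taken from the RFC 5737 documentation ranges) and the carp password are assumptions. The hostname.if(5) lines use the current `vnetid`/`parent` syntax; OpenBSD of the thread's era wrote `vlan 10 vlandev em0` instead. Each hostname.if line is passed to ifconfig(8) as a separate command.

```conf
# /etc/hostname.em0 -- the physical trunk. It carries only tagged frames
# and gets no address of its own; all addressing lives on the vlan(4)
# children. (Interface names and addresses are assumed for the example.)
up

# /etc/hostname.vlan10 -- "outside" segment, VLAN ID 10 on em0
vnetid 10 parent em0
inet 192.0.2.2 255.255.255.0

# /etc/hostname.vlan20 -- DMZ segment, VLAN ID 20 on em0
vnetid 20 parent em0
inet 198.51.100.2 255.255.255.0

# /etc/hostname.vlan30 -- inside segment, VLAN ID 30 on em0
vnetid 30 parent em0
inet 203.0.113.2 255.255.255.0

# /etc/hostname.carp10 -- shared outside gateway on top of vlan10.
# The peer firewall uses the same vhid and password with a higher advskew.
# "mekmitasdigoat" is a placeholder secret, not a real one.
vhid 10 carpdev vlan10 pass mekmitasdigoat advskew 0
inet 192.0.2.1 255.255.255.0

# /etc/sysctl.conf -- let the master take over all carp groups together
net.inet.carp.preempt=1

# /etc/pf.conf -- the vlan(4) interfaces are filtered exactly as separate
# NICs would be; only the macro values differ from a five-NIC ruleset.
ext_if  = "vlan10"
dmz_if  = "vlan20"
int_if  = "vlan30"
trunk   = "em0"

set skip on lo

# Untagged frames arriving on the trunk mean the switch port is not a
# pure tagged trunk. Log and drop them on the parent so the parent never
# becomes an unfiltered path; tagged traffic is seen by PF on vlanN, not em0.
block drop in log on $trunk

block return log all
antispoof quick for { $ext_if $dmz_if $int_if }

# carp(4) advertisements are seen on the carpdev, i.e. the vlan interface
pass on $ext_if proto carp

# inside may go anywhere; outside may reach the DMZ web servers only
pass in on $int_if inet from $int_if:network to any
pass in on $ext_if inet proto tcp to $dmz_if:network port { 80 443 }
pass out on { $ext_if $dmz_if $int_if } inet
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it. On the switch side the port facing em0 carries VLANs 10, 20 and 30 tagged and nothing untagged; the `block drop in log on $trunk` rule makes a wrong switch-port configuration show up in pflog(4) rather than as a quiet extra path into the firewall. The carp pass rule is on the vlan interface because carp(4) packets enter PF on the carpdev, not on the carp interface itself.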
