>> >I knew it was a matter of time before the "vlan insecurity" bullshit hit
>> >the fan.  RTFA.  Who says anything about "blindly trusting" switches?
>> >If you can't correctly configure VLANs on your switches, and filter on
>> >vlan(4) interfaces in PF, you shouldn't be administering production
>> >networks.  There's nothing functionally different between:
>> >
>> >I've developed networks with over a dozen routed VLAN segments on a
>> >single physical GbE link.  With carp(4) interfaces on top.  It's easy.
>> >In fact, it's a hell of a lot less error- and failure-prone than
>> >managing 5 interfaces.  If you're not going to use the features that
>> >came with those $5k switches you just bought, you might as well stick
>> >with $100 Netgears from Best Buy.
>> 
>> Oh dear gracious goodness me.
>> 
>> $5K switches
>> 
>> Can I sell you a few?  Or tell me what brand you buy so I
>> can buy stock?
>> 
>> And who is your power company so I can buy stock?
>> 
>> And who is your landlord so I can buy shares?
>> 
>> I'm sorry, but my application doesn't seem to bear any resemblance
>> to yours.  Certainly my constraints are very different.
>
>How ironic, given that I'm suggesting using *fewer* resources.  Let that
>sink in for a while.

Knock it off, guys.  One guy's psycho ex-girlfriend is another's new princess.

It's simplistic to knock someone else's deployment environment without 
understanding the full scope of details.  The devil is in the details.

I have a number of environments where 1q trunks and VLAN segments work 
wonders.  I also have a major critical infrastructure environment where 
whinging about $5k is a shrug of the shoulders.  In this latter case, I'd 
prefer that the bleary-eyed telecom tech getting pulled out of bed at 3am be 
able to quickly get things back up and running by swapping out an access 
switch connected to the firewall by a single, simple ethernet tether rather 
than call the engineering consultant (me) out of bed.  This applies even more 
so when the 
affected site might be a switch yard in the middle of nowhere and it's going 
to cost upward of $2k just to mobilize a truck to get there.

In certain instances, the more elegant and manageable solution involves an 
octopus of cables and a storehouse of interchangeable parts.  In others, it's 
an elegant layering of services on one cable.

Then again, I work in a world where documentation is done on CAD stations, is 
reviewed and stamped and impacts can cost millions and potentially human life. 
"Self-documenting" firewall rules in a config file won't cut it.  You guys 
can discuss CAM flooding on $50 DLinks and excess wiring and HVAC requirements 
all you want.  Not every problem is a nail and not every solution is a hammer. 
Sometimes you need to spend $100 and others $10k+.  Sometimes you really just 
want a semi-retarded switch but that is good to -40C and runs on anything from 
24 to 130VDC AND 120VAC simultaneously or that is Class 1/Div 2 rated.

YMMV but please respect the fact that the requirements of others may differ 
rather drastically from your own personal experiences.

--J
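For readers who have not set this up, the following is an added illustration of the one-trunk layout argued for in the first quoted message (routed VLAN segments on a single physical link, carp(4) on top, PF filtering on the vlan(4) interfaces). It is not configuration from anyone in this thread. The OpenBSD hostname.if(5) and pf.conf(5) fragments below assume interface names em0/vlan10/vlan20/carp10, VLAN IDs 10 and 20, the 10.0.10.0/24 and 10.0.20.0/24 address ranges and a placeholder CARP password; the hostname.vlanN syntax shown is the current `parent`/`vnetid` form (older releases used `vlan 10 vlandev em0`). Adjust all of these to the real network.

```conf
# /etc/hostname.em0 -- the 802.1Q trunk to the switch.
# No address on the untagged parent: everything routed lives on a tagged subinterface.
up

# /etc/hostname.vlan10 -- management segment (assumed VLAN ID and addressing)
vnetid 10 parent em0 description "mgmt"
inet 10.0.10.2 255.255.255.0

# /etc/hostname.vlan20 -- DMZ segment (assumed VLAN ID and addressing)
vnetid 20 parent em0 description "dmz"
inet 10.0.20.2 255.255.255.0

# /etc/hostname.carp10 -- shared gateway address for the mgmt segment,
# carried on top of the vlan interface (carpdev), not on the physical em0.
# "s3cret" is a placeholder; use a real shared secret.
vhid 10 carpdev vlan10 pass s3cret advskew 0
inet 10.0.10.1 255.255.255.0

# /etc/pf.conf -- filter per vlan(4) interface, not per physical port.
# PF sees tagged frames on vlan10/vlan20; untagged frames land on em0.
trunk = "em0"
mgmt  = "vlan10"
dmz   = "vlan20"

set skip on lo0
block log all

# Untagged frames on the trunk are never legitimate in this design
# (catches native-VLAN leakage and a mis-set switch port).
block quick on $trunk

# CARP advertisements travel on the tagged segment the carpdev sits on.
pass quick on { $mgmt $dmz } proto carp

# Source-address spoofing across segments is the classic VLAN-hopping payoff;
# antispoof drops anything on a segment that does not carry that segment's prefix.
antispoof quick for { $mgmt $dmz }

# Management: ssh only from hosts on the mgmt prefix.
pass in on $mgmt proto tcp from $mgmt:network to any port ssh

# DMZ: only the published web service (assumed host address), nothing else inbound.
pass in on $dmz proto tcp from any to 10.0.20.10 port { http https }

# Replies and outbound from the firewall itself.
pass out on { $mgmt $dmz }
```

The security-relevant check is the `block quick on $trunk` line together with the absence of any address on em0: if a frame ever reaches the firewall untagged, it is dropped and logged, which is exactly the failure mode the "vlan insecurity" argument worries about. Verify after `sh /etc/netstart` with `ifconfig vlan10` (it should show `parent: em0` and the VLAN ID) and `pfctl -sr` (rules should name vlan10/vlan20, never em0 except for the block).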
