On Sun, Dec 14, 2008 at 09:51:03PM +0000, Stuart Henderson wrote:
> Alternatively you could run your firewalls as bridges.
This is very much the same thing; it just requires you to configure n+1 different VLANs for each user, while a "private" VLAN lets you do it more easily. On the other hand, I'd not feel safe on a "private" VLAN unless the switches had MAC access control, which is a pain in the butt to maintain in some environments.

Separate VLANs also allow customers that have many boxes to run whatever they want between their boxes while preventing that from leaking; with "private" VLANs you have no idea who is originating traffic unless you enforce MAC access control, and everything needs to go through your router. With static addressing and static MAC addresses a PVLAN is OK; in the typical Cisco "hotel" config example with DHCP I'd not feel very safe.

My philosophy being "keep switches dumb and do it with OpenBSD", it's much easier to just put a bridging, firewalling OpenBSD box next to every switch. This allows you to stock spare switches with a simple config, port X = VLAN X, so you don't have to worry about replacing them when they break and you are on holiday - just ask someone to put in a new switch and wire it like the old one. The small-ish (depth-wise) Supermicro servers fit in the same rack unit with a switch, so all it costs is a few hundred watts of power per rack, and you could probably use many switches per router if you don't have serious inter-VLAN routing / bridging to do.

Config-wise, few things can be worse than configuring separate subnets for everyone, anyway.

-- 
Jussi Peltola
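As an added illustration of the per-switch bridging firewall described above (this is not configuration from the original message or from Jussi Peltola), here is one way to lay it out on a recent OpenBSD release: one bridge per customer VLAN, with the MAC pinned by a bridge rule and the IP pinned by pf. Assumptions: em0 is the trunk to the customer switch, em1 the trunk to the router, VLAN 10 is one customer port, and the address 192.0.2.2 and MAC 00:11:22:33:44:55 are constructed sample values. The hostname.if syntax shown (vnetid/parent) is the current one; older releases spelled it "vlan 10 vlandev em0".

```conf
# /etc/hostname.em0 and /etc/hostname.em1 -- the two trunk ports (assumed names)
up

# /etc/hostname.vlan10 -- customer side of VLAN 10 (switch port 10 = VLAN 10)
vnetid 10 parent em0 up

# /etc/hostname.vlan1010 -- router side of the same VLAN 10; the interface
# name is arbitrary, only the vnetid must match the switch-side one
vnetid 10 parent em1 up

# /etc/hostname.bridge10 -- one bridge per customer, so VLANs never mix inside the box
add vlan10
add vlan1010
blocknonip vlan10                              # only IP and ARP frames are forwarded from the customer port
rule pass in on vlan10 src 00:11:22:33:44:55   # the registered MAC (constructed) may send
rule block in on vlan10                        # any other source MAC on that port is dropped

up

# /etc/pf.conf -- pf filters bridged IP traffic on the vlan member interfaces
set skip on lo0
block drop log all
pass out quick                                 # decide everything on the ingress interface
pass in on vlan10 from 192.0.2.2               # customer may only source its own address (constructed)
pass in on vlan1010 to 192.0.2.2               # uplink may only deliver to that address
```

Each additional customer port is another hostname.vlanN / hostname.vlan10N0 / hostname.bridgeN triple plus two pf lines, and the switch itself carries nothing but "port X = VLAN X, trunk to the OpenBSD box", which is what makes a swapped-in spare switch a no-config replacement. No IP forwarding sysctl is needed for a bridge. Bridge rules are evaluated in order with the first match winning, so the pass rule must precede the catch-all block; the IP pin in pf only works with static addressing, which is exactly the DHCP caveat the message raises.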