hum.. let me postulate. my lan, my kids, my guests, the drive-bys, … the LG stuff, the Apple stuff, the whitebox stuff, appliances … smart meters, switches, thermostats, toilets, water flow controls, … Microsoft can talk to the x-box, but i have no desire for them to see/know anything else on the entertainment lan at the house….
manning
bmann...@karoshi.com
PO Box 12317
Marina del Rey, CA 90295
310.322.8102

On 9July2015Thursday, at 13:00, Naslund, Steve <snasl...@medline.com> wrote:

> Yes, and that is a problem. Usually because it is not granular enough and
> there are a lot of ways to get onto another VLAN (physical access and packet
> trickery). It is a pretty weak form of security policy.
>
> Now, if we assume that VLAN based security is weak and that most homes do not
> generate enough broadcast traffic to be an issue, what exactly is the reason
> that a residential customer needs a lot of VLANs? Answer, they probably
> don't. A lot of residential users have a CPE device that does wireless,
> routing, and DHCP assignments all in one. No need to create a guest VLAN on
> that type of device. You simply assign an ACL that keeps the guest from
> reaching any internal IP. Why would your refrigerator (or car, toaster, TV,
> whatever) need to be on a separate subnet when the whole point is to create a
> network where all of your stuff communicates?
>
> Us engineers need to make sure we don't generalize that a lot of residential
> users do to their networks what we do to ours. We MIGHT have a reason for
> several subnets to simulate different stuff. I am still waiting for a valid
> example of a residential situation where VLANs are a useful addition. Oh,
> and don't even try the QoS argument. I will tell you that LLDP
> identification of the device and applying QoS policy based on the
> identification is much more effective and transparent to the end user.
>
> Steven Naslund
> Chicago IL
>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Tyler Applebaum
>> Sent: Thursday, July 9, 2015 3:38 PM
>> To: Naslund, Steve
>> Cc: nanog@nanog.org
>> Subject: RE: Dual stack IPv6 for IPv4 depletion
>>
>> Do people actually use VLANs for security? It's nice to implement them for
>> organizational purposes and to prevent broadcast propagation.
>
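The guest ACL that Steve describes above ("keeps the guest from reaching any internal IP") is easy to get wrong in ordering, so here is an added example, not code from any of the posters or from NANOG, that models such a first-match ACL in Python and evaluates sample flows against it. All addresses (a 192.168.1.0/24 LAN with the CPE at 192.168.1.1 and a 192.168.50.0/24 guest range) are constructed assumptions, and the rule representation is a generic model rather than any vendor's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example addressing: one home CPE doing routing, wireless and
# DHCP, with a guest segment that must not reach anything internal.
LAN_GATEWAY = ipaddress.ip_network("192.168.1.1/32")   # assumed CPE address
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")    # assumed guest range
ANY = ipaddress.ip_network("0.0.0.0/0")

# "Internal" here is all of RFC 1918; this also covers the LAN itself and the
# guest range, so guest-to-guest traffic routed through the CPE is denied too.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None       # None matches any protocol
    dport: Optional[int] = None       # None matches any destination port


# First-match ACL applied to traffic arriving at the CPE from the guest side.
# Order matters: the narrow permit for DNS to the gateway itself must come
# before the blanket deny toward internal address space, and the final
# permit-to-anywhere is what lets guests reach the Internet.
# (DHCP is assumed to be answered by the CPE before this ACL is consulted.)
GUEST_ACL = [
    Rule("permit", GUEST_NET, LAN_GATEWAY, "udp", 53),
    *[Rule("deny", GUEST_NET, net) for net in INTERNAL_NETS],
    Rule("permit", GUEST_NET, ANY),
]


def matches(rule, src, dst, proto, dport):
    """True if the flow falls within every field the rule constrains."""
    return (src in rule.src and dst in rule.dst
            and (rule.proto is None or rule.proto == proto)
            and (rule.dport is None or rule.dport == dport))


def verdict(src, dst, proto=None, dport=None, acl=GUEST_ACL):
    """Return the action of the first matching rule, or 'deny' (implicit deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows from a guest client at 192.168.50.20.
    samples = [
        ("192.168.50.20", "192.168.1.10", "tcp", 445),   # guest -> LAN file share
        ("192.168.50.20", "192.168.1.1", "udp", 53),     # guest -> CPE DNS
        ("192.168.50.20", "192.168.1.1", "tcp", 22),     # guest -> CPE SSH
        ("192.168.50.20", "192.168.50.21", "tcp", 80),   # guest -> other guest
        ("192.168.50.20", "203.0.113.10", "tcp", 443),   # guest -> Internet
    ]
    for flow in samples:
        print(f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {verdict(*flow)}")
```

The caveat a practitioner would add to Steve's point: this ACL only governs traffic the CPE routes. If guest and household clients share the same Layer 2 segment, a guest can reach a LAN host directly without the CPE ever seeing the packet, so the guest side still needs its own interface or SSID with client isolation for the ACL to mean anything.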