On Tue, Jul 25, 2006 at 12:27:08PM -0400, Chris Buechler wrote:

> > to 1) use the mini-ITX system to protect any system but the switch
> > IP
>
> yes. You can also protect the switch's IP by setting up a dedicated
> management VLAN. All decent switches support this.

I actually want the switch IP to remain before the firewall (it's locked down to a couple of specific IPs anyway). That's not a bug but a feature, in case I screw up with the firewall rules.

> > 2) by removing the VLANs I should be able to recover from a
> > misconfigured or defective firewall.
>
> No. When you have VLANs, it's the same as having a bunch of
> individual switches. Different broadcast domains, and different IP

Exactly -- with the management IP giving me the possibility to undo the damage, by fusing the virtual switches into one again.

> subnets on each. If there isn't anything to route between them, your
> network is dead.

Actually the switch can do some minimal routing, but I don't think I will need it.

> > If I do the above, can I still do VLAN isolation of each
> > individual host on the switch? (how?)
>
> Depending on what kind of switch, you may be able to put all hosts in
> a single VLAN and prevent them from talking to each other (google
> PVLAN, and/or check out the docs for your switch).

Thanks.

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE