On Tue, Jul 25, 2006 at 12:27:08PM -0400, Chris Buechler wrote:
> >to 1) use the mini-ITX system to protect any system but the switch
> yes. You can also protect the switch's IP by setting up a dedicated
> management VLAN. All decent switches support this.
I actually want the switch IP to remain before the firewall
(it's locked down to a couple of specific IPs anyway).
That's not a bug but a feature, in case I screw up with
the firewall rules.
> >2) by removing the VLANs I should be able to recover from a
> >misconfigured or defective firewall.
> No. When you have VLANs, it's the same as having a bunch of
> individual switches. Different broadcast domains, and different IP
Exactly -- with the management IP giving me the possibility to undo
the damage, by fusing the virtual switches into one again.
> subnets on each. If there isn't anything to route between them, your
> network is dead.
Actually the switch can do some minimal routing, but I don't
think I will need it.
> >If I do the above, can I still do VLAN isolation of each
> >individual host on the switch? (how?)
> Depending on what kind of switch, you may be able to put all hosts in
> a single VLAN and prevent them from talking to each other (google
> PVLAN, and/or check out the docs for your switch).
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE