 From:  Lee Sharp <leesharp at hal dash pc dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Virtual LAN?
 Date:  Tue, 16 Nov 2010 09:02:52 -0500
On 11/16/2010 01:36 AM, jonr at destar dot net wrote:
> Quoting GD Incorporation <rbasuki at gdincorporation dot com>:
>> However, I still want to confirm a few things, can anyone help me:
>> 1. If I use 2 switches, do I still need to use VLAN Supported switches?
>> Based on the pictures you sent me it seemed I do :) Please confirm this
>> for me.

No.  This is the traditional way.  Each switch is a real LAN, not a 
virtual LAN.

>> 2. If I use 2 switches, would this be the correct structure? (I only
>> have 2
>> LAN CARDS, one for WAN, and one for LAN). At the bottom picture, should I
>> connect the switch 1 to switch 2 by LAN?

Then you need a 3rd NIC.  To support multiple interfaces, you either 
need multiple interfaces, or VLAN aware equipment.

>> 3. If the structure above is correct, then I would need only 1 Switch to
>> support VLAN (Switch 1). Is this correct?

Yes, only the one switch needs to be VLAN aware, and you can leave the AP 
with switch (that sounds a lot like a cheap consumer grade router) as a 
real LAN off the correct port on the VLAN switch.

> To some top-posting is a sin and you might be in danger of eternal hell
> fire and losing your immortal soul if you continue doing it. So, what
> you will want to do is post below any replies and trim out everything
> that does not pertain to your next question in the thread.

Bottom posting (what Jon did) and inline posting (what I did) are much 
easier to read.  Top posting can be harder to figure out.  That will 
make some people spit and scream.  Others (like me) may just not try to 
figure out your question, and move on to the next e-mail.  While more 
polite, my reaction is actually worse, as you never know why you are not 
getting clear answers to your questions.

> Question 1: Yes, get yourself a couple of new switches that support
> VLAN. Let your boss know that he will need to pony up and buy new
> switches to achieve what he wants. Otherwise all the traffic will be
> able to be sniffed and you will have no real security, just packets with
> vlan tags that don't do anything. This is a perfect time for you to get
> these switches and be able to expand your networking knowledge by being
> able to play with better hardware at no expense to you. :)

In most cases, ARP poisoning will bust the VLAN segmentation, and I can 
still sniff whatever I want.  VLAN is a lot of things (easy, convenient, 
quieter) but secure ain't one of them.  The best security is always 
physical security.
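The thread turns on two points: a VLAN tag is only four extra bytes in the Ethernet header, and whether those bytes mean anything depends entirely on the switch port enforcing a policy on them (a non-VLAN-aware switch just forwards the frame). The following is an added illustration written for this archive page, not code from the m0n0wall project or from anyone in the thread. It parses an 802.1Q-tagged frame and applies a per-port allowed-VID check of the kind a VLAN-aware switch performs. The port names, the policy table and the sample frames are all constructed for the example.

```python
"""Parse 802.1Q-tagged Ethernet frames and check them against a per-port VLAN policy.

Added illustration for the mailing-list thread above; not m0n0wall code.
Port names, policy and frames below are constructed sample data.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # TPID that marks an 802.1Q tag
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int]    # None when the frame carries no 802.1Q tag
    pcp: int              # 3-bit priority code point from the TCI
    ethertype: int        # EtherType of the encapsulated payload
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Decode dst/src MACs, an optional 802.1Q tag, and the inner EtherType."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, pcp, offset = None, 0, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI: 3 bits PCP, 1 bit DEI, 12 bits VID; followed by the real EtherType
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp = tci >> 13
        vid = tci & 0x0FFF
        offset = 18
    return Frame(_mac(dst), _mac(src), vid, pcp, ethertype, raw[offset:])


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble a frame, inserting an 802.1Q tag when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Constructed switch-port policy: (native VID for untagged frames, allowed VIDs).
# The trunk port carries both VLANs tagged toward the firewall; the access
# port serves a single VLAN and its untagged frames are classified into it.
PORT_POLICY = {
    "trunk-to-firewall": (1, {10, 20}),
    "access-vlan10": (10, {10}),
}


def classify_vid(frame: Frame, native_vid: int) -> int:
    """A switch treats an untagged frame as belonging to the port's native VLAN."""
    return native_vid if frame.vid is None else frame.vid


def check_port(port: str, frames: list) -> list:
    """Return one message per frame a VLAN-aware switch would drop on this port."""
    native_vid, allowed = PORT_POLICY[port]
    drops = []
    for raw in frames:
        f = parse_frame(raw)
        vid = classify_vid(f, native_vid)
        if vid not in allowed:
            drops.append(f"{port}: drop frame from {f.src} vid={vid} "
                         f"(allowed {sorted(allowed)})")
    return drops


if __name__ == "__main__":
    arp_payload = b"\x00" * 28          # constructed placeholder ARP body
    tagged10 = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                           ETHERTYPE_ARP, arp_payload, vid=10)
    tagged30 = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:66",
                           ETHERTYPE_ARP, arp_payload, vid=30)
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:77",
                           ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    print(parse_frame(tagged10))
    for line in check_port("trunk-to-firewall", [tagged10, tagged30]):
        print(line)
    print(check_port("access-vlan10", [untagged]))
```

The policy table is what separates "a VLAN" from "packets with VLAN tags": without a port that rejects out-of-policy VIDs, `parse_frame` still decodes the tag but nothing acts on it, which is the situation the thread warns about when only one side of a link is VLAN aware.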