network segmentation without using vlans

Anthony de Boer adb-tlug-AbAJl/g/NLXk1uMJSBkQmQ at public.gmane.org
Tue Feb 19 23:11:29 UTC 2008


Teddy Mills wrote:
> 
> Standard 24 port switch.
> Some 20 servers on it.
> 
> I want all 20 servers not to 'see' each others traffic at all.
> All 20 servers are on the same subnet. (ack)

There's a Cisco feature for that, but you'd need a Cisco managed switch
with that feature in order to have it.  Basically it lets you let each
host see the router (or other designated super-host), and it see each
host, but no packets can flow between hosts.  This feature can be used to
allow several hosts to talk to NFS storage while not having a backdoor
network to each other, or to allow a backup or admin server to talk to
several colo servers without that being a backdoor network between those
colo servers.

Unfortunately I don't recall what the feature is called, or the IOS
incantation that causes it, because the shops that were using it split
server admin from net admin and I didn't get to touch the switches myself.

Note that even in the normal case, a switch routes normal unicast traffic
directly to the destination port without it touching the other ports, so
only broadcast traffic is seen by all hosts.  There are unfortunately
games that can be played with forged ARP packets and the like if a host
wants to hijack a neighbour's traffic, though.

Going to separate subnets (perchance with an 802.1q VLAN switch and
trunking to an 802.1q-enabled Linux router) would be another option.

-- 
Anthony de Boer
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
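The ARP hijacking risk Anthony mentions is visible on the wire: a second station starts answering for an IP that is already bound to another MAC. The following is an added example, not code from the post or from the list, showing the check a monitoring host on that shared subnet could run; the frames, addresses and function names are all constructed for illustration.

```python
"""Flag ARP poisoning attempts by tracking each IP's first-seen sender MAC."""
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806  # EtherType for ARP

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed Ethernet II + ARP reply, used only as sample input for the detector."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # htype, ptype, hlen, plen, oper=reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp_sender(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (sender_ip, sender_mac) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = frame[22:28], frame[28:32]
    return ".".join(map(str, spa)), ":".join(f"{b:02x}" for b in sha)

def find_arp_conflicts(frames: List[bytes]) -> List[Tuple[str, str, str]]:
    """Learn each IP's first-seen MAC; report (ip, learned_mac, new_mac) whenever a
    later ARP sender claims the same IP from a different MAC (a poisoning signature)."""
    learned: Dict[str, str] = {}
    conflicts: List[Tuple[str, str, str]] = []
    for frame in frames:
        parsed = parse_arp_sender(frame)
        if parsed is None:
            continue
        ip, mac = parsed
        if ip in learned and learned[ip] != mac:
            conflicts.append((ip, learned[ip], mac))
        learned.setdefault(ip, mac)  # keep the first binding as the reference
    return conflicts

# Constructed sample traffic: the router at 10.0.0.1 answers normally, then a
# second station starts claiming 10.0.0.1 in a reply aimed at 10.0.0.20.
SAMPLE_FRAMES = [
    build_arp_reply("00:11:22:33:44:01", "10.0.0.1", "00:11:22:33:44:20", "10.0.0.20"),
    build_arp_reply("00:11:22:33:44:20", "10.0.0.20", "00:11:22:33:44:01", "10.0.0.1"),
    build_arp_reply("00:11:22:33:44:01", "10.0.0.1", "00:11:22:33:44:21", "10.0.0.21"),
    build_arp_reply("0c:0f:fe:e0:00:99", "10.0.0.1", "00:11:22:33:44:20", "10.0.0.20"),
]

if __name__ == "__main__":
    for ip, old, new in find_arp_conflicts(SAMPLE_FRAMES):
        print(f"ARP conflict: {ip} was {old}, now claimed by {new}")
```

On a real switch the same check would be fed from a raw socket or a pcap on the monitoring port; a switch-side equivalent is to pin the router's MAC with a static ARP entry on each server.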