VLAN Bridge with layer2 filtering
From: Csaba Urban (ucsaba_at_freemail.hu)
Date: 04/26/05
- Previous message: Abu Khaled: "Re: scaning the local network with arping/sh script"
- Next in thread: Jose M Rodriguez: "Re: VLAN Bridge with layer2 filtering"
- Reply: Jose M Rodriguez: "Re: VLAN Bridge with layer2 filtering"
- Reply: Richard Tector: "Re: VLAN Bridge with layer2 filtering"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 26 Apr 2005 09:56:25 +0200 (CEST) To: freebsd-net@freebsd.org
Hi,
I have a number of users on a VLAN enabled switch - each users on his
own VLAN. They have fixed IP address sharing the same IP subnet and
gateway.
I want to grant them access to the internet throug a FreeBSD box
which prevents them from communicating with each other in Layer2
and which also prevents them to use other user's IP or MAC. I don't
want to use static ARP so it seems that best solution is a VLAN enabled
filtering bridge - in each VLAN only one certain IP address is allowed.
I am pretty new to FreeBSD and have a couple of questions:
1. FreeBSD 5.3 and em() driver: I have a Supermicro P4SCi board with
integrated Intel 82541 NICs. I see there are a lot off issues with the
em driver when using VLANs and I couldn't figure it out whether they
are already solved. Maybe it would be better to use other NICs?
2. Bridge setup: since in FreeBSD I can't give the bridge an IP address I
think I have to create a VLAN that doesn't belong to any of the users
and this vlan would have an IP - this will be the users' gateway
address:
ifconfig vlan0 inet 192.168.0.1 netmask 255.255.255.0
Other vlans are bridged with vlan0:
sysctl net.link.ether.bridge.config=vlan0,vlan1,vlan2,vlan3
Is it the right way of doing it?
3. MAC spoofing: if a user tries to use an other users MAC then there
will be two identical MACs on the bridge - in two separate VLANs. Can I
have the bridge transmit packets to both destination? If so, can I filter
packets later - when leaving the interface - whether the have the right
VLAN-IP combination?
4. Filtering ARP: I can't simply block ARP. Is there a way in IPFW to look
into ARP messages and filter out wrong VLAN-IP combinations?
5. Performance: there will be a number of VLANs here (200-300) with a
1Gbps link to the switch and 100Mbps to the internet. What
performance can I expect with a 2.4GHz P4 proc and 512MB RAM?
+1: if I want to set up a DHCP relay agent will it be able to determine in
which VLAN the request came in?
I would really appreciate any help!
thanks,
csaba
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
- Previous message: Abu Khaled: "Re: scaning the local network with arping/sh script"
- Next in thread: Jose M Rodriguez: "Re: VLAN Bridge with layer2 filtering"
- Reply: Jose M Rodriguez: "Re: VLAN Bridge with layer2 filtering"
- Reply: Richard Tector: "Re: VLAN Bridge with layer2 filtering"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
