[182075] in North American Network Operators' Group
Re: Dual stack IPv6 for IPv4 depletion
daemon@ATHENA.MIT.EDU (manning)
Thu Jul 9 23:42:42 2015
X-Original-To: nanog@nanog.org
From: manning <bmanning@karoshi.com>
In-Reply-To: <9578293AE169674F9A048B2BC9A081B401C70978BF@MUNPRDMBXA1.medline.com>
Date: Thu, 9 Jul 2015 20:42:15 -0700
To: "Naslund, Steve" <SNaslund@medline.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
hum.. let me postulate.
my lan, my kids, my guests, the drive-bys, … the LG stuff, the Apple stuff, the whitebox stuff, appliances … smart meters, switches, thermostats, toilets, water flow controls, …
Microsoft can talk to the x-box, but I have no desire for them to see/know anything else on the entertainment lan at the house…
manning
bmanning@karoshi.com
PO Box 12317
Marina del Rey, CA 90295
310.322.8102
On 9 July 2015, Thursday, at 13:00, Naslund, Steve <SNaslund@medline.com> wrote:
> Yes, and that is a problem. Usually because it is not granular enough and there are a lot of ways to get onto another VLAN (physical access and packet trickery). It is a pretty weak form of security policy.
>
> Now, if we assume that VLAN based security is weak and that most homes do not generate enough broadcast traffic to be an issue, what exactly is the reason that a residential customer needs a lot of VLANs? Answer, they probably don't. A lot of residential users have a CPE device that does wireless, routing, and DHCP assignments all in one. No need to create a guest VLAN on that type of device. You simply assign an ACL that keeps the guest from reaching any internal IP. Why would your refrigerator (or car, toaster, TV, whatever) need to be on a separate subnet when the whole point is to create a network where all of your stuff communicates?
>
> We engineers need to make sure we don't generalize that a lot of residential users do to their networks what we do to ours. We MIGHT have a reason for several subnets to simulate different stuff. I am still waiting for a valid example of a residential situation where VLANs are a useful addition. Oh, and don't even try the QoS argument. I will tell you that LLDP identification of the device and applying QoS policy based on the identification is much more effective and transparent to the end user.
>
> Steven Naslund
> Chicago IL
>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Tyler Applebaum
>> Sent: Thursday, July 9, 2015 3:38 PM
>> To: Naslund, Steve
>> Cc: nanog@nanog.org
>> Subject: RE: Dual stack IPv6 for IPv4 depletion
>>
>> Do people actually use VLANs for security? It's nice to implement them for organizational purposes and to prevent broadcast propagation.
>
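The guest ACL Steve describes ("keeps the guest from reaching any internal IP") and the per-device egress restriction manning wants for the x-box both come down to an ordered, first-match rule list on the CPE. The following is an added example, not code from the thread or from any vendor's CPE: a small evaluator for such an ACL, run over constructed sample flows. The prefixes (192.168.9.0/24 as the guest SSID's subnet, 192.168.1.0/24 as the house LAN, 2001:db8:0:9::/64 and 2001:db8:0:1::/64 as their IPv6 counterparts, 192.168.1.1 / 2001:db8:0:1::1 as the gateway) are assumptions chosen for illustration. Because the thread's subject is dual stack, the rule set carries both address families, which is the part most often forgotten on home gear.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: Net
    dst: Net
    dport: Optional[int] = None   # None matches any destination port


def _net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


# Constructed example ACL applied to traffic arriving from the guest SSID.
# Ordered, first match wins, implicit deny at the end (the usual router semantics).
# Guest clients may use DNS/DHCP on the gateway and reach the Internet, but
# nothing with an internal (RFC 1918 / ULA / site prefix) address.
GUEST_ACL = [
    # IPv4
    Rule("permit", _net("192.168.9.0/24"), _net("192.168.1.1/32"), 53),   # DNS on gateway
    Rule("permit", _net("192.168.9.0/24"), _net("192.168.1.1/32"), 67),   # DHCP on gateway
    Rule("deny",   _net("192.168.9.0/24"), _net("192.168.0.0/16")),       # house LAN(s)
    Rule("deny",   _net("192.168.9.0/24"), _net("10.0.0.0/8")),
    Rule("deny",   _net("192.168.9.0/24"), _net("172.16.0.0/12")),
    Rule("permit", _net("192.168.9.0/24"), _net("0.0.0.0/0")),            # Internet
    # IPv6 (assumed documentation prefix; omit these and v6 guest traffic is implicitly denied)
    Rule("permit", _net("2001:db8:0:9::/64"), _net("2001:db8:0:1::1/128"), 53),
    Rule("deny",   _net("2001:db8:0:9::/64"), _net("2001:db8::/32")),     # whole site prefix
    Rule("deny",   _net("2001:db8:0:9::/64"), _net("fd00::/8")),          # ULA
    Rule("permit", _net("2001:db8:0:9::/64"), _net("::/0")),
]


def evaluate(acl, src: str, dst: str, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule); (deny, None) means implicit deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for i, r in enumerate(acl):
        # Membership tests are family-aware, so a v6 address never matches a v4 rule.
        if src_ip in r.src and dst_ip in r.dst and (r.dport is None or r.dport == dport):
            return r.action, i
    return "deny", None


def audit(acl, flows):
    """Evaluate a list of (src, dst, dport) flows; handy for checking a policy before deploying it."""
    return [(f, evaluate(acl, *f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows from a guest client, not captured traffic.
    sample = [
        ("192.168.9.20", "192.168.1.1", 53),        # DNS to gateway: permit
        ("192.168.9.20", "192.168.1.1", 443),       # gateway admin UI: deny
        ("192.168.9.20", "192.168.1.50", 445),      # file server on house LAN: deny
        ("192.168.9.20", "93.184.216.34", 443),     # Internet: permit
        ("2001:db8:0:9::abcd", "2001:db8:0:1::50", 80),   # v6 house LAN: deny
        ("2001:db8:0:9::abcd", "2001:db8:ffff::1", 443),  # other site prefix: deny
    ]
    for flow, (action, idx) in audit(GUEST_ACL, sample):
        print(f"{flow[0]:>22} -> {flow[1]:<18} port {flow[2]:<5} {action:6} (rule {idx})")
```

Two caveats a practitioner would add to Steve's description. First, a router ACL only sees traffic that crosses the router: if guest and house devices share one broadcast domain, they talk to each other at layer 2 and the ACL never runs, so the guest SSID also needs wireless client isolation or its own subnet as above. Second, an ACL written only for IPv4 on a dual-stack CPE leaves the v6 half of the policy to the implicit deny (or, on some gear, to no filter at all), which is why the example carries both families.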