List: netbsd-tech-net
Subject: Re: vlan(4), native vlan/vlan1, OpenBSD v.s. NetBSD behavior
From: "Brian A. Seklecki" <lavalamp () spiritual-machines ! org>
Date: 2005-12-16 6:19:43
Message-ID: 1134713983.31392.10.camel () compulsion
> Are you sure it's not tagged ? Don't you see them also on vlan1 ?
> Some fxp devices support hardware 802.1q, and in this case tcpdump
> doesn't show you the vlan tag for packets received.
Yes; incoming is only seen on the physical. tcpdump(8) shows no tag.
Outbound is seen in tcpdump(8) on both the logical (without the tag) and the physical
(with the tag).
Essentially the answer is: Don't use VLAN1 to isolate insecure devices.
Each vendor has different uses for it.
More insightful discussion at:
http://marc.theaimsgroup.com/?t=113459493000002&r=1&w=2 from tech@
Thx everyone.
~BAS
> > [...]
> > So it seems that NetBSD has some "magic code"(r) to deal with the native
> > VLAN, because most admins assume that a VLAN router can see a VLAN1
> > interface on a trunk regardless of whether the packets are tagged or not.
>
> Packets received from an interface are passed to the IP stack, and
> the IP stack won't check the interface the packet came from, unless
> you set net.inet.ip.checkinterface to 1 (weak host model vs strong
> host model - both have pros and cons). So you could receive the packet from
> any interface (physical, or another vlan), it would be processed,
> it's not something magic with vlan1.
>
> OpenBSD may have a different default for net.inet.ip.checkinterface (if
> it's possible to choose at all the behavior on openbsd)
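The quoted explanation above (untagged frames land on the physical interface, tagged frames are demultiplexed to the matching vlan(4) interface, and the IP stack then accepts any locally configured address unless net.inet.ip.checkinterface is set) can be made concrete with a small model. The following is an added example written for this page, not code from the thread or from the NetBSD kernel: it builds constructed Ethernet/IPv4 frames, strips an 802.1Q tag the way a receiving host does, and applies either the weak host rule (any local address) or the strong host rule (only the input interface's addresses). The interface names fxp0 and vlan1, the MAC addresses and the 192.0.2.0/24 and 10.1.1.0/24 addresses are assumptions chosen for the illustration.

```python
"""Model of 802.1Q demultiplexing plus weak vs. strong host delivery.

Constructed illustration, not NetBSD kernel code. Interface names,
MAC addresses and IP addresses below are assumptions for the example.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_IPV4 = 0x0800

# Assumed MAC addresses for the constructed frames.
DST_MAC = bytes.fromhex("0002b3000001")
SRC_MAC = bytes.fromhex("000c29000002")


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header (no options, zero checksum, UDP proto)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       _ip_bytes(src), _ip_bytes(dst))


def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes, vid=None) -> bytes:
    """Ethernet frame carrying IPv4; if vid is given, insert an 802.1Q tag."""
    hdr = dst_mac + src_mac
    if vid is not None:
        # TPID 0x8100 followed by TCI: priority 0, CFI 0, 12-bit VID.
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(raw: bytes):
    """Return (vid or None, inner ethertype, payload), stripping any 802.1Q tag.

    A NIC doing hardware VLAN decapsulation hands the stack exactly this
    view, which is why tcpdump on such hardware shows no tag on receive.
    """
    etype = struct.unpack("!H", raw[12:14])[0]
    if etype == ETHERTYPE_VLAN:
        tci, etype = struct.unpack("!HH", raw[14:18])
        return tci & 0x0FFF, etype, raw[18:]
    return None, etype, raw[14:]


def ipv4_dst(payload: bytes) -> str:
    return ".".join(str(b) for b in payload[16:20])


class Host:
    """A host with physical and vlan(4)-style interfaces and an IP input rule."""

    def __init__(self, check_interface: bool):
        # Analogue of net.inet.ip.checkinterface: 1 = strong host model.
        self.check_interface = check_interface
        self.addrs = {}   # ifname -> set of IPv4 addresses
        self.vlans = {}   # (parent ifname, vid) -> vlan ifname

    def add_if(self, name: str, addr: str):
        self.addrs.setdefault(name, set()).add(addr)

    def add_vlan(self, name: str, parent: str, vid: int, addr: str):
        self.vlans[(parent, vid)] = name
        self.add_if(name, addr)

    def receive(self, phys_if: str, raw: bytes):
        """Return (input interface seen by IP, accepted?) for a raw frame."""
        vid, etype, payload = parse_frame(raw)
        if vid is None:
            input_if = phys_if               # untagged: stays on the physical
        else:
            input_if = self.vlans.get((phys_if, vid))
            if input_if is None:
                return None, False           # no vlan(4) for that VID: dropped
        if etype != ETHERTYPE_IPV4:
            return input_if, False
        dst = ipv4_dst(payload)
        if self.check_interface:
            accepted = dst in self.addrs.get(input_if, set())
        else:
            accepted = any(dst in a for a in self.addrs.values())
        return input_if, accepted


def make_host(check_interface: bool) -> Host:
    """fxp0 with 192.0.2.1 and vlan1 (VID 1 on fxp0) with 10.1.1.1; assumed."""
    h = Host(check_interface)
    h.add_if("fxp0", "192.0.2.1")
    h.add_vlan("vlan1", "fxp0", 1, "10.1.1.1")
    return h


def demo():
    """Untagged frame for vlan1's address arriving on the physical interface."""
    to_vlan1 = build_ipv4("10.1.1.2", "10.1.1.1")
    untagged = build_frame(DST_MAC, SRC_MAC, to_vlan1)
    tagged_1 = build_frame(DST_MAC, SRC_MAC, to_vlan1, vid=1)
    tagged_99 = build_frame(DST_MAC, SRC_MAC, to_vlan1, vid=99)
    weak, strong = make_host(False), make_host(True)
    return {
        "weak_untagged": weak.receive("fxp0", untagged),      # ('fxp0', True)
        "strong_untagged": strong.receive("fxp0", untagged),  # ('fxp0', False)
        "strong_tagged_1": strong.receive("fxp0", tagged_1),  # ('vlan1', True)
        "weak_tagged_99": weak.receive("fxp0", tagged_99),    # (None, False)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak-host row is the "magic" the original poster saw: an untagged native-VLAN frame addressed to vlan1's address is accepted even though it never passed through vlan1, because the check is "any local address" rather than "an address on the input interface". Flipping the model to strong rejects it, which is also why relying on VLAN1 to isolate untrusted devices is a poor idea regardless of the sysctl setting.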