Ben Greear wrote:
"Didn't you just configure a router? I think your VLAN PC is routing between the two VLANs, which is perfectly normal. Or, maybe I mis-understand your setup"

No, you did not misunderstand the setup: there is a router on PC B, but my question is how to deal with different VLANs in a way that separates them totally.
Is it so that this VLAN package does not inspect anything according to the VLAN tag at the router, it only puts the VLAN tag in the header and that is all it does?!
So if I need to control which VLAN is connected to which, then I need to use iptables to filter out the packages?!

Another question is that if I have done with iptables two separated subnets, one of which is only for VLAN2 and another can have VLAN2 and VLAN3 workstations as well. Is it possible that I route only those packages from the mixed VLAN subnet to the other VLAN2-only subnet which are with the VLAN2 tag?!

Do you have any ideas how to do this?!

-----Original Message-----
From: vlan-bounces@xxxxxxxxxxxxxxx [mailto:vlan-bounces@xxxxxxxxxxxxxxx] On Behalf Of Ben Greear
Sent: Thursday, September 16, 2004 8:18 PM
To: Linux 802.1Q VLAN
Subject: Re: [VLAN] About VLAN implementation

Csaba P?csai wrote:
> Hi,
>
> I am new at VLAN so please be patient! :)
> As far as I understood the concept of the VLAN, it is useful for separating
> different LANs from each other, improving the security.
>
> I tried a really easy use of the VLAN package and I was not able to get it to work
> as I desired.
>
>            VLAN2                     eth3      eth2                VLAN3
> PC A ----------------------------------------> PC B ----------------------------------> PC C
>
> All of them are Linux boxes. At PC B there is IP forwarding switched on.
> So I configured at PC B the eth2.3 interface and the eth3.2 interface with class C
> addresses and different subnets.
> The eth3 and eth2 interfaces at PC B are up with the 0.0.0.0 IP address.
> The PC A and PC C interfaces are also set to use VLAN tags. In this case PC
> A is eth1.2, PC C is eth1.3.
>
> If I try to ping PC C from PC A, then I can do that!!! How can it be?! Why
> should I use iptables to DROP those packages?! I think VLAN should do this
> by itself?!
> How can I do it so that there is a subnet instead of PC A and all the VLAN3
> tagged packages go to PC C but nothing from another VLAN?!

Didn't you just configure a router? I think your VLAN PC is routing
between the two VLANs, which is perfectly normal. Or, maybe I
mis-understand your setup.

> Another question about VLAN over MAC address. Is that already in use?!
> Shouldn't there be a table which tells which MAC address is associated with
> which VLAN?!
> How can I filter out the wrong packages so they are not sent to the wrong VLAN based on
> MAC address?

MAC-VLANs have nothing to do with 802.1Q VLANs, it is just another type
of VLANs. I use them mostly for emulating lots of network devices
in a single machine.

Ben

> Thank you in advance.
>
> Csaba
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.751 / Virus Database: 502 - Release Date: 9/2/2004
>
> _______________________________________________
> Vlan mailing list
> Vlan@xxxxxxxxxxxx
> http://www.lanforge.com/mailman/listinfo/vlan
>

--
Ben Greear <greearb@xxxxxxxxxxxxxxx>
Candela Technologies Inc  http://www.candelatech.com
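
Added example, not part of the original thread and not code from the VLAN package: a default-deny FORWARD ruleset for the router described above (PC B), generated in iptables-restore format. The interface names eth3.2 and eth2.3 are the ones from the thread; the function name vlan_forward_rules and the 'in>out' pair syntax are made up for this example.

```shell
#!/bin/sh
# On Linux each 802.1Q sub-interface (eth3.2 = VLAN 2 on eth3) is its own
# network device, so matching on -i/-o in the FORWARD chain is matching on the
# tag the frame arrived with or will leave with.

# Usage: vlan_forward_rules ['IN_IF>OUT_IF' ...]
# Prints a filter table that forwards only the listed direction(s).
vlan_forward_rules() {
    # Validate every pair first so a bad argument yields no partial ruleset.
    for pair in "$@"; do
        case $pair in
            ?*'>'?*) ;;
            *) echo "bad pair: $pair" >&2; return 1 ;;
        esac
        in_if=${pair%%'>'*}
        out_if=${pair#*'>'}
        case $in_if$out_if in
            *[!A-Za-z0-9._-]*) echo "bad interface in: $pair" >&2; return 1 ;;
        esac
    done

    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    # With ip_forward enabled the kernel routes between all VLAN interfaces
    # unless the FORWARD chain says otherwise, so the policy is DROP.
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Return traffic for connections that an allowed pair opened.
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for pair in "$@"; do
        in_if=${pair%%'>'*}
        out_if=${pair#*'>'}
        echo "-A FORWARD -i $in_if -o $out_if -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Total separation of VLAN 2 and VLAN 3 on PC B: no pairs allowed.
vlan_forward_rules
# To let VLAN 3 hosts open connections towards VLAN 2 only:
#   vlan_forward_rules 'eth2.3>eth3.2'
```

The output is meant to be reviewed and then loaded with iptables-restore, which replaces the existing filter table.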