James Harper (james.harper@xxxxxxxxxxxxxxxx) wrote on 20 May 2006 10:22:

> I assume you have done some policy routing stuff to make the routing
> work?

No, not necessary, just a simple list of routes.

> That should be a clue that what you have done is a bit of a hack.

Well, Ben, Peter and James are unanimous even in the wording :-)

I agree the cleanest way is to use separate IP networks, but I'm using about 65 vlans for now, and it may increase in the future. This means I cannot do it without using invalid addresses, so I preferred the other way.

I'll have a look at bridging all vlans and using iptables/ebtables to control traffic. It might be feasible if the number of rules doesn't get too large.

As for explaining what I'm doing, I think you've all understood it but maybe you don't believe it :-) It's really just the opposite of the usual: instead of having each machine be able to talk to every other (this is what the switch does), restrict communication to each machine <-> servers only, plus some groups.

Thanks a lot for the good answers.
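As an added illustration (not code from the thread), a POSIX shell generator for the ebtables rule set implied by the "bridge all vlans, default deny, each machine <-> servers plus some groups" policy described above. It assumes a hypothetical Linux bridge holding one 802.1Q subinterface per VLAN named eth0.<vid>, and it prints the commands rather than applying them, so the rule count can be reviewed before committing to the bridging approach.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical layout: Linux bridge br0
# holds one 802.1Q subinterface per VLAN, named eth0.<vid>. Servers sit on
# the VLANs given as the first argument; each remaining VLAN carries one
# machine. Commands are printed, not run, so the rule count can be reviewed.

# gen_ebtables_rules "<server ifaces>" "<groups>"
#   server ifaces: space-separated, e.g. "eth0.1 eth0.2"
#   groups: space-separated; each group is a comma-separated member list,
#           e.g. "eth0.10,eth0.11 eth0.20,eth0.21,eth0.22"
gen_ebtables_rules() {
    servers=$1
    groups=$2
    # Default: nothing is bridged between VLANs (the inverse of a plain switch).
    echo "ebtables -P FORWARD DROP"
    # Every VLAN may talk to the server VLANs and back: two rules per
    # server VLAN, regardless of how many client VLANs exist.
    for s in $servers; do
        echo "ebtables -A FORWARD -i $s -j ACCEPT"
        echo "ebtables -A FORWARD -o $s -j ACCEPT"
    done
    # Groups of machines that may also talk to each other: one rule per
    # ordered pair, so a group of k members costs k*(k-1) rules.
    for g in $groups; do
        members=$(echo "$g" | tr ',' ' ')
        for a in $members; do
            for b in $members; do
                [ "$a" = "$b" ] && continue
                echo "ebtables -A FORWARD -i $a -o $b -j ACCEPT"
            done
        done
    done
}

# Number of -A rules the policy needs: the figure to watch as VLANs and
# group sizes grow, since group rules scale quadratically with members.
count_rules() {
    gen_ebtables_rules "$1" "$2" | grep -c '^ebtables -A'
}
```

With 65 VLANs the server-side rules stay at two per server VLAN; only the groups add rules, so keeping groups small keeps the table manageable.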