We have a webserver that is connected to three different networks. Due to our cabling, we have to run two of those networks over the same physical network. When connecting from OS X and Windows we are occasionally blocked because the client is sending to the wrong interface. Linux clients seem to have no problem at all.

I have read the docs and understand that the problem exists because of the ARP implementation in Linux. (I don't understand why the problem is happening with OS X and Win clients, but not Linux clients.)

Why do the docs also mention that one possible solution, arp_filter, is not recommended in a production environment? What are the dangers? Network stability, security? Are there other ways to solve the problem other than recabling?
Hello Robert,

Robert Ian Smit said the following on 30/06/2005 10:48:
> We have a webserver that is connected to three different networks. Due
> to our cabling, we have to run two of those networks over the same
> physical network.

Although this is no answer to your question, if that switch is capable of VLANs you can use the same physical equipment, but different logical networks/broadcast domains.

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
Robert wrote on 30/06/2005 05:48:44:
> We have a webserver that is connected to three different networks. Due
> to our cabling, we have to run two of those networks over the same
> physical network.
>
> Why do the docs also mention that one possible solution, arp_filter, is
> not recommended in a production environment?
>
> What are the dangers? Network stability, security?

Take a look at this thread, not from a long time ago:
http://lists.shorewall.net/pipermail/shorewall-users/2005-May/018334.html

cheers,
--
Eduardo Ferreira
Icatu Holding S.A.
On Jun 30, 2005, at 14:42 , Eduardo Ferreira wrote:
>> We have a webserver that is connected to three different networks. Due
>> to our cabling, we have to run two of those networks over the same
>> physical network.
>>
>> Why do the docs also mention that one possible solution, arp_filter, is
>> not recommended in a production environment?
>
> take a look at this thread, not from a long time ago:
>
> http://lists.shorewall.net/pipermail/shorewall-users/2005-May/018334.html

After rereading the documentation and the thread mentioned, I believe I need to adjust my understanding of exactly what is not recommended. I now think that the docs advise against two networks connected to the same physical network and not so much against arp_filter itself. Is this understanding correct?

We have the webserver behind another bridging firewall protecting the first network. The second network is a closed network or extranet; the last network is our internal network. Although it is clearly true that by breaking into one server you could have access to the other networks as well, the problem of hosts not being able to connect is much bigger to us than the risk of someone breaking in and gaining access to the other networks. Given these conditions, would it still be a bad idea to enable arp_filter?

One other reply mentioned VLANs as a solution. What would be the estimated price for a decent switch that supports this? I have had some fights with prosumer Linksys switches costing about 300 euros, but utterly failed to set up the VLANs. One of the problems was a lack of proper documentation, another my knowledge and experience, or rather the lack thereof.

Regards,
Bob
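As an added example (not part of the thread), a small POSIX shell audit of the per-interface arp_filter setting under discussion. It assumes the standard /proc/sys/net/ipv4/conf layout and takes an alternative root directory as a parameter (a hypothetical convenience so the audit can be run against a copied tree).

```shell
#!/bin/sh
# Audit the Linux arp_filter setting per interface.
# Kernel semantics: with arp_filter on, the kernel only answers an ARP
# request if the route to the requested address would go out via the
# interface the request arrived on; otherwise any interface may answer
# for any local address, which is the multi-network-on-one-wire problem
# described in the thread. arp_filter is effective on an interface when
# conf/all/arp_filter OR conf/<iface>/arp_filter is 1.
audit_arp_filter() {
    root="${1:-/proc/sys/net/ipv4/conf}"   # parameter is an assumption
    all_val=$(cat "$root/all/arp_filter" 2>/dev/null || echo 0)
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default|lo) continue ;; esac
        [ -f "$dir/arp_filter" ] || continue
        val=$(cat "$dir/arp_filter")
        if [ "$all_val" = 1 ] || [ "$val" = 1 ]; then
            echo "$iface: arp_filter effective (all=$all_val iface=$val)"
        else
            echo "$iface: arp_filter OFF (all=$all_val iface=$val)"
        fi
    done
}

# Number of interfaces that may still answer ARP on the wrong interface.
unfiltered_count() {
    audit_arp_filter "$1" | grep -c ' OFF' || true
}

# Print the sysctl lines that would enable arp_filter where it is off.
suggest_sysctl() {
    audit_arp_filter "$1" | sed -n 's/^\([^:]*\): arp_filter OFF.*/net.ipv4.conf.\1.arp_filter = 1/p'
}
```

Run `audit_arp_filter` with no argument on the webserver itself to see the live state, and `suggest_sysctl` to get the lines for /etc/sysctl.conf.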
On Thu, 2005-06-30 at 22:38 +0200, Robert Ian Smit wrote:
> One other reply mentioned VLANs as a solution. What would be the
> estimate price for a decent switch that will support this. I have had
> some fights with prosumer Linksys switches costing about 300 euros,
> but utterly failed to setup the VLANs. One of the problems was a lack
> of proper documentation, another my knowlegde and experience or
> rather the lack thereof.

Check out these: http://www.trendnet.com/products/TEG-160WS.htm for $350-490.