Limitations of using sub-interfaces
Hi All
I would like to know the limitations of using sub-interfaces rather than going for physical interfaces every time in the firewall. I think there could be some more limitations or drawbacks of using sub-interfaces. Sharing your thoughts on this would be really appreciated. Thank you
If you're talking about using subifs on a firewall, there wouldn't be much point unless you were doing VLAN tagging. Make sure the switch you're connecting to can do dot1q.
So to answer your q, no, I can't think of any drawbacks. Cheers
sub-interfaces? I've never heard of that term before.
Do you mean dual-homed interfaces, like this?: Code:
eth0 Link encap:Ethernet HWaddr FE:FD:40:3E:E7:DC
There are some possible problems that can come into play. As said above, you have to use 802.1q VLAN tagging for it to be useful at all. And with trunking you have some other things to worry about, like VLAN hopping, native-VLAN restrictions, etc. What is the reason that you would want to do a firewall with sub-interfaces? Without trunking, the addresses would have to be on the same network, and if that is the case then they can just bypass the firewall altogether.
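The trunk-side checks the post above alludes to (double-tagged frames used for VLAN hopping, untagged frames falling onto the native VLAN, tags for VLANs the firewall has no sub-interface for) as an added example in Python that is not from this thread; the frame builder, the MAC addresses, the VLAN ids and native VLAN 1 are constructed assumptions.

```python
import struct

ETH_P_8021Q = 0x8100   # customer VLAN tag TPID
ETH_P_8021AD = 0x88A8  # provider (QinQ) outer tag TPID
NATIVE_VLAN = 1        # assumed native VLAN of the trunk (constructed)


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_ids, ethertype, payload), peeling every
    802.1Q/802.1ad tag so a double-tagged frame yields two VLAN ids."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset, vlan_ids = 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return dst, src, vlan_ids, ethertype, frame[offset + 2:]


def classify(frame: bytes, allowed_vlans, native_vlan=NATIVE_VLAN) -> str:
    """Decide which sub-interface (eth0.<vid>) should own a frame arriving
    on the trunk, or state why a firewall should drop it."""
    _, _, vlans, _, _ = parse_frame(frame)
    if len(vlans) > 1:
        return "drop: double-tagged frame (possible VLAN hopping)"
    if not vlans:
        return f"drop: untagged frame would land on native VLAN {native_vlan}"
    vid = vlans[0]
    if vid == native_vlan:
        return f"drop: explicitly tagged native VLAN {native_vlan}"
    if vid not in allowed_vlans:
        return f"drop: VLAN {vid} not configured on this trunk"
    return f"accept: eth0.{vid}"


def build_frame(vlans, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19) -> bytes:
    """Construct a test frame with zero or more 802.1Q tags (constructed data)."""
    dst = bytes.fromhex("0011223344ff")
    src = bytes.fromhex("0011223344aa")
    out = dst + src
    for vid in vlans:
        out += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload
```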
These types of interfaces usually don't play well with accepted security practices and procedures, in my experience. I've seen sub-interfaces being used to alleviate network issues and other problems, but from the security standpoint, it complicates things.
For instance, on my virtual server box (Linode.com), I wanted a dedicated interface so that I could permanently run a dedicated sniffer. Typically, dedicated sniffers should use interfaces with no IP assigned (this is part of bastion processing), but I found that the colo could only give me a sub-interface that was tied to an additional IP, and one can't establish a sub-interface without an IP. An additional issue that was discovered: when sniffing (or pinging, or anything else network-related), the sub-interface was still basically utilizing the real-life hardware interface that was pretty much already dedicated. This defeats the purpose of bastion hardening, IMO. Maybe some of slimm609's network-fu above would've alleviated my issues, but I've no direct control over the hosting provider's network, so that info probably wouldn't have helped me anyway. Linode.com uses UML/Xen, so that's the price I pay for not using dedicated hardware, but I just wanted to point out a few limitations. It would help if you explained your needs, though.
Thanks to all you folks, and a big sorry for the delay in responding from my side.