[Dovecot] OT - quality managed switch : Was Re: Possible to split message store location?

Stan Hoeppner stan at hardwarefreak.com
Fri Sep 24 02:55:57 EEST 2010


Charles Marcus put forth on 9/23/2010 6:57 AM:

> Stan - if you don't mind an OT question...

I'll give it a shot.

> Given your obvious expertise in the Enterprise Storage arena (enjoyed
> reading some of your past posts on the subject, though much of it was
> over my head) - what would you recommend as a 'quality managed switch'
> that doesn't break the bank? I'd like to get one that doesn't require a
> CISCO CCNA to configure/manage (relatively easy to understand Web UI)...

Experience with enterprise storage doesn't necessarily make one an
ethernet switch expert, especially considering that the vast majority of
my storage network experience is with fiber channel networks.  Fiber
channel switch configuration and management has little, if anything, in
common with ethernet.  I do have a little ethernet experience, as most
IT folk do.  But WRT iSCSI SANs, the few I've done used dedicated
switches on a separate storage network, so there was no reason to
implement VLANs.  My VLAN experience is rather limited.

> All I'm looking for is a way to provide some separate VLANs with ACLs -
> specifically, I need one VLAN that is our general internal LAN, one VLAN
> that is totally segregated (to provide Guest Wireless internet-only
> access), and one VLAN for our Accountants, that blocks access from other
> workstations on the internal network, but allows the users on it to
> access resources on the internal network.

It sounds like you're attempting to solve a security problem with a
technology primarily designed to allow moving equipment from one network
segment to another--VLAN.  VLANs function primarily at OSI layer 2.  The
only ACL functionality here is based on MAC addresses.  In your "guest
wireless" case, VLANs gain you almost nothing.  What a VLAN _can_ give
you in this case is the ability to restrict a given layer 3 IP subnet to
one VLAN which only has access to the wireless APs and internet
router.

_However_, you can do the same thing with an IP router and proper use of
DHCP.  You can also do the same for the internal networks you mentioned,
with a router and DHCP.  It seems that using VLANs to solve your problem
is a "poor rich man's" solution.  By that I mean VLANs are a "poor"
technical solution in this case, and you must be "rich" to buy all the
layer 2 gear vs. implementing a single router, which can be a Linux
server with iptables rules and a dhcpd running on it.  This would also
give you much richer functionality and control.

In summary, you don't need VLAN capable switches to do what you want,
and if you went this route, it's a suboptimal solution.  An IP
router/DHCP server can do the job better and with much greater
flexibility/functionality.

The one hitch in all of this is that you'll need two different WEP/WPA
keys assigned to each AP, and the combination of the AP and DHCP server
will need to assign an IP from the proper subnet pool to regular users
and guest users based on which key they auth with.  I've never set this
up before but I know it can be done as colleagues have done it.  It may
or may not require replacing all of your current APs.  It depends on
whether your APs can do multiple keys and subnets.

Acquiring VLAN capable managed switches with an easy to use GUI is the
least of your worries Charles.  The difficult aspect of setting up what
you want to do is in the education and planning stage.  Whether the gear
you end up using has a GUI or not is the least of your worries. :(

What you describe is not an easy setup at all.  And it can't be solved
with better switches.  Your DHCP server will play a big role in this.
If you choose to go the VLAN switch route, you will most likely need to
replace all your APs with new units that do VLANs, and it would probably
be a very smart idea to get the APs and switches from the same vendor.

Or, you can just put in a new router/dhcp server and be done with all
this.  The learning curve here could be just as steep, but you'd save a
boat load of cash compared to replacing all your switches and APs.

-- 
Stan
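The "single router with iptables rules and a dhcpd" approach described above, written out as an added example that is not part of the thread: a Linux box with one interface per segment enforces the three policies (guest gets internet only; nobody may open a connection toward the accountants, but they may reach the internal LAN and the internet; the internal LAN gets the internet) with stateful FORWARD rules, and ISC dhcpd hands each segment its own pool. Interface names (eth0 to eth3), the 192.168.x.0/24 subnets and the dhcpd ranges are constructed assumptions; the AP-side mapping of wireless keys to segments that Stan mentions is left to the APs and is not shown.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: a Linux router that
# implements the three-segment policy with iptables FORWARD rules plus ISC dhcpd
# subnet pools. Interface names, subnets and addresses are constructed assumptions.
WAN=${WAN:-eth0}                      # uplink to the internet router
LAN=${LAN:-eth1};     LAN_NET=192.168.10.0/24
GUEST=${GUEST:-eth2}; GUEST_NET=192.168.20.0/24
ACCT=${ACCT:-eth3};   ACCT_NET=192.168.30.0/24
IPT=${IPT:-iptables}                  # set IPT=show_rule to preview instead of load

# Dry-run helper: prints the rule that would have been loaded.
show_rule() { echo "iptables $*"; }

build_rules() {
    # Default deny between segments; forwarding also needs net.ipv4.ip_forward=1.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to flows that were already allowed pass; only NEW connections are policed.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: each segment interface only admits its own source prefix.
    $IPT -A FORWARD -i "$LAN"   ! -s "$LAN_NET"   -j DROP
    $IPT -A FORWARD -i "$GUEST" ! -s "$GUEST_NET" -j DROP
    $IPT -A FORWARD -i "$ACCT"  ! -s "$ACCT_NET"  -j DROP
    # Guest wireless: internet only, explicitly dropped toward every other segment.
    $IPT -A FORWARD -i "$GUEST" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$GUEST" -j DROP
    # Accountants may open connections to the internal LAN and the internet ...
    $IPT -A FORWARD -i "$ACCT" -o "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$ACCT" -o "$WAN" -j ACCEPT
    # ... but no other segment may open a connection toward the accountants.
    $IPT -A FORWARD -o "$ACCT" -m conntrack --ctstate NEW -j DROP
    # Internal LAN: internet only (guest is never a permitted destination).
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    # Hide all three private subnets behind the router's WAN address.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# ISC dhcpd fragment: one pool per segment, with the router (.1) as that
# segment's gateway and resolver. dhcpd picks the pool by the interface the
# request arrived on, so a guest client can only ever get a guest address.
dhcpd_conf() {
    for seg in "10 internal" "20 guest" "30 accountants"; do
        set -- $seg
        cat <<EOF
# $2 segment (constructed addresses)
subnet 192.168.$1.0 netmask 255.255.255.0 {
    range 192.168.$1.100 192.168.$1.200;
    option routers 192.168.$1.1;
    option domain-name-servers 192.168.$1.1;
}
EOF
    done
}

# Usage: "sh router-policy.sh preview" prints rules and dhcpd.conf for review;
# "sh router-policy.sh apply" loads the rules (needs root).
case "${1:-}" in
    apply)   build_rules ;;
    preview) IPT=show_rule; build_rules; dhcpd_conf ;;
esac
```

Review the preview output before applying: the ESTABLISHED,RELATED rule must stay first, and the "-o accountants NEW DROP" rule must come before any ACCEPT that could match traffic from the internal LAN, otherwise the one-way restriction Charles asked for silently disappears.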

