Thursday, October 1, 2020

MicroSegmentation, intra-VLAN segmentation, DHCP Option netmask /32

Hello Guys,

I'm wondering what technology you guys are using to segment traffic **within** a given VLAN.

Here is the ultimate goal we want to achieve: for the user subnets, we would like to redirect ALL the traffic to the gateway (which in our case is a firewall), even traffic towards other computers in the same VLAN.

With Cisco WiFi, it's easy: you just have to check "Forward traffic to upstream" and it's done.

However, when it comes to switches (wired), it's another world.

Currently, we are kind of using a hack to handle this: we send by DHCP a netmask option with the value 255.255.255.255 (/32).

This was tested after observing how some cloud providers do it. We first tried it in a test subnet, and now, a few years later, we have 10k devices configured like that.

With this configuration, all the devices think that they are alone in their subnet and thus send all traffic to the gateway, even if behind the scenes the destination is in the same VLAN.

This actually works like a charm (at least with all major "user" OSes: Windows/macOS/Linux/BSD/Android/iOS).

I'm well aware that it only works for unicast; multicast and broadcast are still received, but still, there aren't any major risks with multicast/broadcast.
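To make the mechanism above concrete, here is an added example (not from the original post) that encodes DHCP options 1 and 3 the way the hack sends them and simulates a client's next-hop decision for a /24 versus a /32 mask. It also shows the caveat the /32 creates: the gateway itself is off-link, so the client only works because it installs an on-link host route to the router address it was given. Addresses are constructed sample values.

```python
import ipaddress
import struct

def encode_dhcp_options(mask: str, router: str) -> bytes:
    """Build RFC 2132 TLV options: 1 = subnet mask, 3 = router, 255 = end."""
    out = b""
    for code, addr in ((1, mask), (3, router)):
        packed = ipaddress.IPv4Address(addr).packed
        out += struct.pack("BB", code, len(packed)) + packed
    return out + b"\xff"

def decode_dhcp_options(blob: bytes) -> dict:
    """Parse the TLV blob back into {option_code: dotted address}."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != 0xFF:
        code, length = blob[i], blob[i + 1]
        opts[code] = str(ipaddress.IPv4Address(blob[i + 2:i + 2 + length]))
        i += 2 + length
    return opts

def next_hop(host: str, mask: str, router: str, dst: str) -> str:
    """Simulated client forwarding decision.

    Returns "local" for the host itself, "direct" when the frame is sent
    peer-to-peer inside the VLAN (ARP for dst), or the router address when
    the packet is handed to the gateway (here, the firewall).
    """
    iface = ipaddress.IPv4Interface(f"{host}/{mask}")
    target = ipaddress.IPv4Address(dst)
    gw = ipaddress.IPv4Address(router)
    if target == iface.ip:
        return "local"
    if target in iface.network:
        return "direct"          # on-link per the subnet mask
    if target == gw:
        return "direct"          # on-link host route the client adds for an off-link gateway
    return router                # everything else: default route via the firewall

def peer_paths(host: str, mask: str, router: str, peers: list) -> dict:
    """Where traffic to each same-VLAN peer goes under the given mask."""
    return {p: next_hop(host, mask, router, p) for p in peers}

if __name__ == "__main__":
    # Constructed sample: two hosts in VLAN 10.1.0.0/24, firewall at 10.1.0.1.
    wire = encode_dhcp_options("255.255.255.255", "10.1.0.1")
    print(decode_dhcp_options(wire))
    for mask in ("255.255.255.0", "255.255.255.255"):
        print(mask, peer_paths("10.1.0.50", mask, "10.1.0.1", ["10.1.0.60", "8.8.8.8"]))
```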

However, I have literally never seen anyone doing this, and I found close to zero information about it.

So here are my questions:

- What do you think about this? Do you see anything that could go wrong?

- What would be the "cleanest" way to achieve the same thing? Any other protocol/technology in mind?

We are using full C9k Cisco devices in Legacy mode (so no SDA Fabric).
