UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.

#81 - Cat5e or what?
Posted to uk.d-i-y

The Natural Philosopher wrote:
On 29/01/16 00:33, Theo wrote:
Also multiple ethernet ports mean you can segment the network: not put the
doorbell on the same network as the banking data. You can do that on a
switch with VLANs, but to do that you need a more expensive switch.

Theo

Can you put that in simple English that a mere professional IT network
engineer can understand?

What are 'multiple Ethernet ports' in this context, please, and how do
they differ from what a switch has anyway?


Virtual LANs allow you to run separate networks over the same physical
cabling.

For instance, you might trust the doorbell network (physically exposed on
the outside of your building) less than the one handling credit card data,
and don't want them able to communicate. But your site topology might mean
you have to use the same physical link for connecting them.

Let's assume you have one ethernet cable you want to send both traffic down.
You do this by using VLAN-enabled switches. You put a VLAN-enabled switch
at each end. You then decide on a VLAN numbering scheme, for instance:

VLAN 123 = doorbell
VLAN 456 = accounting

You then configure switch A for port 1 to be on VLAN 123 and port 2 to be on
VLAN 456. You do the same for switch B. You plug in the doorbell kit to
port 1 and credit card kit to port 2.

You select port 3 to carry all 'tagged' frames, and link the switches with
your one cable between their port 3s.

          +-------------------------------+
          | Switch A                      |
doorbell -|-port 1--[tag=123?]-+          |
          |                    X--port 3 -|-- VLAN tagged frames on one link
accounts -|-port 2--[tag=456?]-+          |
          |                               |
          +-------------------------------+
[and the same at the other end]

The switches 'tag' packets going out on port 3, in other words the packet
over the link looks like:

[VLAN tag=123][Ethernet header][IP header][IP payload][checksums]

and then route based on the tag, rather than routing to all ports. Because
the tag says VLAN 123, each switch now conveys this only between port 1.
For this traffic, it's as if the other ports didn't exist. Effectively you
have two isolated networks running over a single cable.

The downside is that you need a management interface on each switch to
configure this, that means the switch having a webserver, CPU, etc. This
makes the switches more expensive. It's also more work to configure and
maintain.

This is fairly standard enterprise networking, and not uncommon if your
business is large enough to buy switches from Cisco rather than Belkin.

(Some cheapo switches support it too - for instance there's a 10 pound
TP-Link gigabit 8-port. I haven't tried it)

Theo
#82 - Cat5e or what?

In article , Mike Tomlinson wrote:
Dave Liquorice escribió:

Seemed OK at the time but can you imagine trying to
use the modern web at 64 kbps?


When my broadband went down a while back, I used a 56k modem to get my
daily fix of the internets. Quite an eye-opener.

A major part of the problem is advertising. Those selfish ****ers think
nothing of hurling flashing, auto-vid-playing, noisy ads that consume
more bandwidth combined than the page you actually wanted to look at.
And then they whinge that people use ad-blockers to preserve their
sanity.


It was ads that obscured legitimate page content that tipped me into
using a blocker. Not popups that had to be dismissed (which I'd blocked
earlier), but in-page ads that ****ed up layouts so badly the pages
were unreadable.

Stories like
http://www.theverge.com/2015/8/25/92...-vulnerability
http://www.computerworld.com/article...-for-ddos.html
have not encouraged me to change back.

(The waste of bandwidth doesn't help either, of course.)
#83 - Cat5e or what?

On 29/01/2016 12:19, Adrian Caspersz wrote:
On 29/01/16 00:58, John Rumm wrote:
On 28/01/2016 19:12, Adrian Caspersz wrote:
On 28/01/16 18:32, John Rumm wrote:
On 28/01/2016 11:08, Huge wrote:
On 2016-01-28, John Rumm
wrote:
On 27/01/2016 15:03, www.GymRatZ.co.uk wrote:


Or, as happened to me once, someone "tidies it away" and then
calls IT as to why nothing in the office works any more.

Yup, had that...

and someone who created a network storm on a LAN by deciding that
a loose RJ45 really ought to be plugged into something - and
ended up creating a loopback on an old hub that did not spot the
problem and attempted to forward the forwarded packet forever
more!


Or someone brings in their 4-port redundant thing from home which
fixes their local lack of ports issue, but gifts the rest of the
network a new DHCP server leasing out 192.168.0.0/24 and a gateway
to nowhere.


Yup had that as well...


Another gateway to nowhere...

I was working in a UK call centre where 150 thin client devices had the
next gateway set to a Citrix server out of town. This worked normally
until one particular morning when some of the workstations failed to
connect and a lot of sales activity was lost. Management not happy.

We could ping the gateway interface and got a quick response. Hmmm...
Guys in Citrix server town could ping our interface as well. OK.

Netscans revealed the MAC address of the gateway interface, and that to
be something made by HP.

A printer. Someone bored in a meeting room with idle fingers had given
this device the gateway IP address and lots of enquiring packets to look
at. We never found who this person was.

IT people have a special dispensation from H&S for running up and down
corridors, in fire fighting situations like this. A map of where network
printers are exactly located would have been useful, but oh no, we don't
have that :-(

I had very similar a good few years ago. After driving into Birmingham &
back for a new router interface card, I discovered a standalone print
server, newly installed that day. It didn't cause a total failure, just
woeful, unpredictable performance, presumably as sometimes ARP would
resolve the router. I also never discovered which idiot configured the
print server.
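A check for the situation in the two stories above (a printer or print server that has quietly been given the gateway's IP address), as an added example in Python that is not part of the original posts. It parses ARP reply frames, lists every MAC that answers for the gateway address, and attaches a vendor hint from a small lookup table. The gateway IP, the router MAC, the OUI table and all the frames are constructed for the example; on a real segment you would feed it the replies captured after broadcasting a who-has for the gateway (arping, or a packet capture filtered on ARP), and load the real IEEE OUI registry in place of the two-entry table.

```python
import struct
from collections import Counter

ETH_ARP = 0x0806
ARP_REPLY = 2

# Assumed for this example: the gateway address and the router's real MAC.
# 00:00:5e:00:01:xx is the VRRP virtual-router MAC range, a plausible gateway MAC.
GATEWAY_IP = "10.20.0.1"
EXPECTED_GATEWAY_MAC = "00:00:5e:00:01:01"

# Constructed vendor hints keyed by OUI (first three octets). Not the IEEE registry.
# 02:xx:xx:xx:xx:xx addresses are locally administered, so the "printer" below
# collides with no real vendor's allocation.
OUI_HINT = {
    "00:00:5e": "IANA (VRRP virtual router)",
    "02:1f:00": "office printer (constructed)",
}


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(octet) for octet in s.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet + ARP reply, i.e. what a host sends back to a who-has."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an untagged IPv4 ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return fmt_mac(frame[22:28]), ".".join(str(b) for b in frame[28:32])


def audit_gateway(frames, gateway_ip=GATEWAY_IP, expected_mac=EXPECTED_GATEWAY_MAC):
    """Every MAC answering for gateway_ip, as (mac, reply_count, vendor_hint, verdict)."""
    claims = Counter()
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed and parsed[1] == gateway_ip:
            claims[parsed[0]] += 1
    return [
        (m, n, OUI_HINT.get(m[:8], "unknown OUI"),
         "expected" if m == expected_mac.lower() else "ROGUE")
        for m, n in sorted(claims.items())
    ]


def gateway_healthy(findings):
    """Exactly one responder, and it is the router we expect."""
    return len(findings) == 1 and findings[0][3] == "expected"


# Constructed replies as received by a probing host 10.20.0.77 / 02:2a:00:00:00:77
PROBE_MAC, PROBE_IP = "02:2a:00:00:00:77", "10.20.0.77"
SAMPLE_FRAMES = [
    build_arp_reply(EXPECTED_GATEWAY_MAC, GATEWAY_IP, PROBE_MAC, PROBE_IP),   # the real router
    build_arp_reply("02:1f:00:aa:bb:cc", GATEWAY_IP, PROBE_MAC, PROBE_IP),    # the "printer"
    build_arp_reply("02:1f:00:aa:bb:cc", GATEWAY_IP, PROBE_MAC, PROBE_IP),    # answering again
    build_arp_reply("02:2a:00:00:00:10", "10.20.0.10", PROBE_MAC, PROBE_IP),  # unrelated host
    b"\x00" * 64,                                                              # not ARP at all
]

if __name__ == "__main__":
    for row in audit_gateway(SAMPLE_FRAMES):
        print(row)
    print("healthy:", gateway_healthy(audit_gateway(SAMPLE_FRAMES)))
```

Two responders for one IP is the signature of exactly the failure described: which one a given workstation ends up using depends on whose reply arrived last in its ARP cache, which is why the symptom is "some of the workstations" rather than all of them. The OUI lookup then tells you what kind of box to go looking for.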
#84 - Cat5e or what?

On 29/01/16 13:21, Alan Braggins wrote:
In article , Mike Tomlinson wrote:
Dave Liquorice escribió:

Seemed OK at the time but can you imagine trying to
use the modern web at 64 kbps?


When my broadband went down a while back, I used a 56k modem to get my
daily fix of the internets. Quite an eye-opener.

A major part of the problem is advertising. Those selfish ****ers think
nothing of hurling flashing, auto-vid-playing, noisy ads that consume
more bandwidth combined than the page you actually wanted to look at.
And then they whinge that people use ad-blockers to preserve their
sanity.


It was ads that obscured legitimate page content that tipped me into
using a blocker. Not popups that had to be dismissed (which I'd blocked
earlier), but in-page ads that ****ed up layouts so badly the pages
were unreadable.


I love Firefox for that. It has an HTML editor that allows you to
delete nodes one by one until all that is left is what you want.


Stories like
http://www.theverge.com/2015/8/25/92...-vulnerability
http://www.computerworld.com/article...-for-ddos.html
have not encouraged me to change back.

(The waste of bandwidth doesn't help either, of course.)



--
If you tell a lie big enough and keep repeating it, people will
eventually come to believe it. The lie can be maintained only for such
time as the State can shield the people from the political, economic
and/or military consequences of the lie. It thus becomes vitally
important for the State to use all of its powers to repress dissent, for
the truth is the mortal enemy of the lie, and thus by extension, the
truth is the greatest enemy of the State.

Joseph Goebbels



#85 - Cat5e or what?

On 29/01/16 13:08, Theo Markettos wrote:
The Natural Philosopher wrote:
On 29/01/16 00:33, Theo wrote:
Also multiple ethernet ports mean you can segment the network: not put the
doorbell on the same network as the banking data. You can do that on a
switch with VLANs, but to do that you need a more expensive switch.

Theo

Can you put that in simple English that a mere professional IT network
engineer can understand?

What are 'multiple Ethernet ports' in this context, please, and how do
they differ from what a switch has anyway?


Virtual LANs allow you to run separate networks over the same physical
cabling.


Yes, I know that..(mere professional IT network engineer)

For instance, you might trust the doorbell network (physically exposed on
the outside of your building) less than the one handling credit card data,
and don't want them able to communicate. But your site topology might mean
you have to use the same physical link for connecting them.

Let's assume you have one ethernet cable you want to send both traffic down.
You do this by using VLAN-enabled switches. You put a VLAN-enabled switch
at each end. You then decide on a VLAN numbering scheme, for instance:

VLAN 123 = doorbell
VLAN 456 = accounting

You then configure switch A for port 1 to be on VLAN 123 and port 2 to be on
VLAN 456. You do the same for switch B. You plug in the doorbell kit to
port 1 and credit card kit to port 2.

You select port 3 to carry all 'tagged' frames, and link the switches with
your one cable between their port 3s.

          +-------------------------------+
          | Switch A                      |
doorbell -|-port 1--[tag=123?]-+          |
          |                    X--port 3 -|-- VLAN tagged frames on one link
accounts -|-port 2--[tag=456?]-+          |
          |                               |
          +-------------------------------+
[and the same at the other end]

The switches 'tag' packets going out on port 3, in other words the packet
over the link looks like:

[VLAN tag=123][Ethernet header][IP header][IP payload][checksums]

and then route based on the tag, rather than routing to all ports. Because
the tag says VLAN 123, each switch now conveys this only between port 1.
For this traffic, it's as if the other ports didn't exist. Effectively you
have two isolated networks running over a single cable.

The downside is that you need a management interface on each switch to
configure this, that means the switch having a webserver, CPU, etc. This
makes the switches more expensive. It's also more work to configure and
maintain.

This is fairly standard enterprise networking, and not uncommon if your
business is large enough to buy switches from Cisco rather than Belkin.

(Some cheapo switches support it too - for instance there's a 10 pound
TP-Link gigabit 8-port. I haven't tried it)

Theo

Yes, but what has that utterly pointless and complex solution got to do
with domestic installations and 'multiple ethernet ports'

You can set up a pair of devices to talk to each other on different IP
networks using a bog standard switch. The switch itself will associate
IP and MAC addresses together and prevent traffic spilling onto other
segments.

You don't need all that VLAN gubbins at home, and unless you are
seriously paranoid, you don't need it in an office either.

VLAN is more about extending trusted networks over foreign IP and
untrusted networks - i.e. the Internet.




--
How fortunate for governments that the people they administer don't think.

Adolf Hitler



#86 - Cat5e or what?

On 29/01/16 13:46, Chris Bartram wrote:
On 29/01/2016 12:19, Adrian Caspersz wrote:
On 29/01/16 00:58, John Rumm wrote:
On 28/01/2016 19:12, Adrian Caspersz wrote:
On 28/01/16 18:32, John Rumm wrote:
On 28/01/2016 11:08, Huge wrote:
On 2016-01-28, John Rumm
wrote:
On 27/01/2016 15:03, www.GymRatZ.co.uk wrote:


Or, as happened to me once, someone "tidies it away" and then
calls IT as to why nothing in the office works any more.

Yup, had that...

and someone who created a network storm on a LAN by deciding that
a loose RJ45 really ought to be plugged into something - and
ended up creating a loopback on an old hub that did not spot the
problem and attempted to forward the forwarded packet forever
more!


Or someone brings in their 4-port redundant thing from home which
fixes their local lack of ports issue, but gifts the rest of the
network a new DHCP server leasing out 192.168.0.0/24 and a gateway
to nowhere.

Yup had that as well...


Another gateway to nowhere...

I was working in a UK call centre where 150 thin client devices had the
next gateway set to a Citrix server out of town. This worked normally
until one particular morning when some of the workstations failed to
connect and a lot of sales activity was lost. Management not happy.

We could ping the gateway interface and got a quick response. Hmmm...
Guys in Citrix server town could ping our interface as well. OK.

Netscans revealed the MAC address of the gateway interface, and that to
be something made by HP.

A printer. Someone bored in a meeting room with idle fingers had given
this device the gateway IP address and lots of enquiring packets to look
at. We never found who this person was.

IT people have a special dispensation from H&S for running up and down
corridors, in fire fighting situations like this. A map of where network
printers are exactly located would have been useful, but oh no, we don't
have that :-(

I had very similar a good few years ago. After driving into Birmingham &
back for a new router interface card, I discovered a standalone print
server, newly installed that day. It didn't cause a total failure, just
woeful, unpredictable performance, presumably as sometimes ARP would
resolve the router. I also never discovered which idiot configured the
print server.


I had a wonderful one once. Engineer phones me up to say 'I am at the
customer's site, and I can't work out what is going on. When I try to ping
the internet, I get 50% packet loss.' 'EXACTLY 50%???' 'Yes'

'What software is it'

'Wuin9odws NT' (not my baby, windows NT)

'Well it sounds like it's doing something like switching routes on a round
robin basis, but that's all I can tell you'

.....

Phone rings 'I got it!'

'What was it?'

'Windows NT can have multiple default routes!!!'

"WHAATTT??*&^! The whole point of a default is its um THE default. If
you want diverse routing run RIP/OSPF/BGP..not static routes.

'No, they had TWO DEFAULT ROUTES CONFIGURED'

'God, how crap is that. Microsoft...couldn't write code to add one and
one..'

Ok if you have two interfaces maybe each one will have its own default
route BUT not two default routes working on either of the cards
simultaneously. Sheesh.


--
He who ****s in the road, will meet flies on his return.

"Mr Natural"
#87 - Cat5e or what?

The Natural Philosopher wrote:
On 29/01/16 13:08, Theo Markettos wrote:
Virtual LANs allow you to run separate networks over the same physical
cabling.


Yes, I know that..(mere professional IT network engineer)


Err, I don't think you do:

Yes, but what has that utterly pointless and complex solution got to do
with domestic installations and 'multiple ethernet ports'

You can set up a pair of devices to talk to each other on different IP
networks using a bog standard switch. The switch itself will associate
IP and MAC addresses together and prevent traffic spilling onto other
segments.

You don't need all that VLAN gubbins at home, and unless you are
seriously paranoid, you don't need it in an office either.

VLAN is more about extending trusted networks over foreign IP and
untrusted networks - i.e. the Internet.


VLAN != VPN.

VLAN is for running networks over shared physical infrastructure. They're
separate, they run separate DHCP servers, one side cannot generate packets
that route to the other no matter how it gets compromised.

VPN is for extending your network over the Internet. In a domestic
situation you probably don't want that (though you may use it to connect to
your employer).

VLAN is a layer 2 (Ethernet) thing, VPN is (mostly) a layer 3 (IP) thing
(though some run at layer 2). VLANs won't run over the Internet unless you
wrap them in a VPN (and it's generally a bad idea).

For instance, you ran a single ethernet cable under the patio to the shed.
You want the shed to have access to the front door camera (that anyone could
walk up to and hook into while you were on holiday) and the NAS containing
your bank statements. You'd like those to be on two separate networks, but
can't run another cable because it's under the concrete.

Or you ran a single cable up the stairs but you want to give the kids a
separate network so you can separate their traffic from your home business
in the spare bedroom. You want to be able to firewall your business traffic
so whatever dodgy apps they're running won't get access to your work
machines. Or perhaps you want first go at the DSL connection and want to
restrict the bandwidth the kids have, or shut off their network after
dinnertime while you can keep working.

This is all on top of standard MAC address switching that means links will
only carry traffic relevant for them. That doesn't help you if a dodgy app
generates traffic it's not intended to. VLANs do.

Theo
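The two explanations above (the port-by-port tagging walk-through in #81 and the point made here that ordinary MAC switching does not stop a host that deliberately sends where it should not) as one added example in Python; it is not code from the original thread. It models two switches joined by one cable exactly as in the diagram (port 1 = VLAN 123, port 2 = VLAN 456, port 3 = the tagged link), builds the frames as real bytes, and reports what a frame forged by the doorbell reaches under VLAN-aware switching, under a plain switch, and when the doorbell pre-tags its own frame to try to hop into VLAN 456. The MAC addresses and payloads are constructed; the wire layout follows IEEE 802.1Q, where the 4-byte tag (TPID 0x8100, then 3 bits priority, 1 bit DEI, 12 bits VLAN ID) sits between the source MAC and the EtherType.

```python
import struct

TPID = 0x8100                     # EtherType value that announces an IEEE 802.1Q tag
ETH_IP, ETH_ARP = 0x0800, 0x0806
BROADCAST = bytes(6 * [0xFF])
TRUNK = 3                         # port 3 is the inter-switch link on both switches

# Port maps as in the thread: port 1 = doorbell (VLAN 123), port 2 = accounts (VLAN 456)
VLAN_PORTS = {1: ("access", 123), 2: ("access", 456), TRUNK: ("trunk", {123, 456})}
# A plain (unmanaged) switch: every port in the one default VLAN, nothing ever tagged
PLAIN_PORTS = {1: ("access", 1), 2: ("access", 1), TRUNK: ("access", 1)}

# Constructed sample MACs (locally administered, so they belong to no real vendor)
DOORBELL = bytes.fromhex("020000000001")
NAS = bytes.fromhex("020000000002")


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame; with vid set, insert the 802.1Q tag after the source MAC."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID, (pcp << 13) | (vid & 0x0FFF))   # PCP|DEI|VID
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID:
        (tci,) = struct.unpack("!H", frame[14:16])
        (ethertype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


class Switch:
    """Learning switch whose forwarding table is keyed by (VLAN, MAC)."""

    def __init__(self, name, ports):
        self.name, self.ports, self.fdb = name, ports, {}

    def member(self, port, vid):
        kind, cfg = self.ports[port]
        return cfg == vid if kind == "access" else vid in cfg

    def ingress(self, port, frame):
        """Classify a frame arriving on port; return [(out_port, out_frame), ...]."""
        kind, cfg = self.ports[port]
        dst, src, vid, ethertype, payload = parse_frame(frame)
        if kind == "access":
            if vid is not None:
                return []                 # tagged frame on an access port: dropped
            vid = cfg                     # untagged frames belong to the port's VLAN
        elif vid is None or vid not in cfg:
            return []                     # untagged, or a VLAN not allowed on the trunk
        self.fdb[(vid, src)] = port       # learn the source MAC, per VLAN
        known = self.fdb.get((vid, dst))
        if known == port:
            outs = []                     # destination is behind the ingress port
        elif known is not None:
            outs = [known]                # known unicast goes to exactly one port
        else:                             # unknown or broadcast: flood, but only within the VLAN
            outs = [p for p in self.ports if p != port and self.member(p, vid)]
        return [(p, self.egress(p, vid, dst, src, ethertype, payload)) for p in outs]

    def egress(self, port, vid, dst, src, ethertype, payload):
        tagged = self.ports[port][0] == "trunk"     # tag on the trunk, strip on access ports
        return build_frame(dst, src, ethertype, payload, vid=vid if tagged else None)


def send(sw_from, sw_to, in_port, frame):
    """Inject frame at sw_from/in_port; return the set of (switch, edge port) it reaches."""
    reached = set()
    for port, out in sw_from.ingress(in_port, frame):
        if port == TRUNK:
            reached |= {(sw_to.name, p) for p, _ in sw_to.ingress(TRUNK, out) if p != TRUNK}
        else:
            reached.add((sw_from.name, port))
    return reached


def forged_unicast_reaches(vlan_aware):
    """Doorbell on A:1 sends straight to the NAS's MAC (NAS is on B:2). Who receives it?"""
    ports = VLAN_PORTS if vlan_aware else PLAIN_PORTS
    sw_a, sw_b = Switch("A", ports), Switch("B", ports)
    # The NAS announces itself (think ARP) so both switches learn which port it is on
    send(sw_b, sw_a, 2, build_frame(BROADCAST, NAS, ETH_ARP, b"nas announce"))
    return send(sw_a, sw_b, 1, build_frame(NAS, DOORBELL, ETH_IP, b"for the NAS"))


def vlan_hop_attempt():
    """Doorbell pre-tags its frame with VLAN 456 and sends it into its access port."""
    sw_a, sw_b = Switch("A", VLAN_PORTS), Switch("B", VLAN_PORTS)
    return send(sw_a, sw_b, 1, build_frame(NAS, DOORBELL, ETH_IP, b"hop?", vid=456))


if __name__ == "__main__":
    print("VLAN-aware switches, forged frame reaches:", forged_unicast_reaches(True))
    print("plain switches, forged frame reaches:     ", forged_unicast_reaches(False))
    print("pre-tagged frame on access port reaches:  ", vlan_hop_attempt())
```

The plain switch delivers the forged frame to the NAS because its table is keyed by MAC alone: once the NAS has broadcast anything, every switch knows its port and will deliver any frame addressed to that MAC, whatever IP subnet the sender claims to be on. The VLAN-aware table is keyed by (VLAN, MAC), so a MAC learned in VLAN 456 does not exist as far as VLAN 123 is concerned, the flood of an unknown destination stays inside the sender's VLAN, and a frame that arrives on an access port already carrying a tag is discarded rather than believed.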
#88 - Cat5e or what?

On 29/01/16 15:33, Theo wrote:
The Natural Philosopher wrote:
On 29/01/16 13:08, Theo Markettos wrote:
Virtual LANs allow you to run separate networks over the same physical
cabling.


Yes, I know that..(mere professional IT network engineer)


Err, I don't think you do:

Yes, but what has that utterly pointless and complex solution got to do
with domestic installations and 'multiple ethernet ports'

You can set up a pair of devices to talk to each other on different IP
networks using a bog standard switch. The switch itself will associate
IP and MAC addresses together and prevent traffic spilling onto other
segments.

You don't need all that VLAN gubbins at home, and unless you are
seriously paranoid, you don't need it in an office either.

VLAN is more about extending trusted networks over foreign IP and
untrusted networks - i.e. the Internet.


VLAN != VPN.

VLAN is for running networks over shared physical infrastructure. They're
separate, they run separate DHCP servers, one side cannot generate packets
that route to the other no matter how it gets compromised.

VPN is for extending your network over the Internet. In a domestic
situation you probably don't want that (though you may use it to connect to
your employer).

VLAN is a layer 2 (Ethernet) thing, VPN is (mostly) a layer 3 (IP) thing
(though some run at layer 2). VLANs won't run over the Internet unless you
wrap them in a VPN (and it's generally a bad idea).

For instance, you ran a single ethernet cable under the patio to the shed.
You want the shed to have access to the front door camera (that anyone could
walk up to and hook into while you were on holiday) and the NAS containing
your bank statements. You'd like those to be on two separate networks, but
can't run another cable because it's under the concrete.

Or you ran a single cable up the stairs but you want to give the kids a
separate network so you can separate their traffic from your home business
in the spare bedroom. You want to be able to firewall your business traffic
so whatever dodgy apps they're running won't get access to your work
machines. Or perhaps you want first go at the DSL connection and want to
restrict the bandwidth the kids have, or shut off their network after
dinnertime while you can keep working.

This is all on top of standard MAC address switching that means links will
only carry traffic relevant for them. That doesn't help you if a dodgy app
generates traffic it's not intended to. VLANs do.


well exactly, nothing to do with ethernet ports and not needed domestically.

Since you can run as many networks as you like over a single piece of cable.

And if you really must use DHCP make sure the MAC addresses are
pre-allocated.


Theo



--
"I am inclined to tell the truth and dislike people who lie consistently.
This makes me unfit for the company of people of a Left persuasion, and
all women"
#89 - Cat5e or what?

On 29/01/16 15:46, Huge wrote:
The Natural Philosopher wrote:


[19 lines snipped]

VLAN is more about extending trusted networks over foreign IP and
untrusted networks - i.e. the Internet


Oh, that's hysterical.

Oh yeah, one slip and read 'VPN' where VLAN is written and get a good laugh.

Now tell me once again, what possible reason could anyone ever have for
installing a VLAN in a domestic situation, and what is meant in the
context of previous posts by 'Ethernet port'?

Or is it simply a question of 'I am posting this irrelevant technical
**** to baffle brains and show off'
??


--
Karl Marx said religion is the opium of the people.
But Marxism is the crack cocaine.
#90 - Cat5e or what?

On 29/01/2016 14:34, The Natural Philosopher wrote:
On 29/01/16 13:08, Theo Markettos wrote:
The Natural Philosopher wrote:
On 29/01/16 00:33, Theo wrote:
Also multiple ethernet ports mean you can segment the network: not
put the
doorbell on the same network as the banking data. You can do that on a
switch with VLANs, but to do that you need a more expensive switch.

Theo
Can you put that in simple English that a mere professional IT network
engineer can understand?

What are 'multiple Ethernet ports' in this context, please, and how do
they differ from what a switch has anyway?


Virtual LANs allow you to run separate networks over the same physical
cabling.


Yes, I know that..(mere professional IT network engineer)

For instance, you might trust the doorbell network (physically exposed on
the outside of your building) less than the one handling credit card
data,
and don't want them able to communicate. But your site topology might
mean
you have to use the same physical link for connecting them.

Let's assume you have one ethernet cable you want to send both traffic
down.
You do this by using VLAN-enabled switches. You put a VLAN-enabled
switch
at each end. You then decide on a VLAN numbering scheme, for instance:

VLAN 123 = doorbell
VLAN 456 = accounting

You then configure switch A for port 1 to be on VLAN 123 and port 2 to
be on
VLAN 456. You do the same for switch B. You plug in the doorbell kit to
port 1 and credit card kit to port 2.

You select port 3 to carry all 'tagged' frames, and link the switches
with
your one cable between their port 3s.

          +-------------------------------+
          | Switch A                      |
doorbell -|-port 1--[tag=123?]-+          |
          |                    X--port 3 -|-- VLAN tagged frames on one link
accounts -|-port 2--[tag=456?]-+          |
          |                               |
          +-------------------------------+
[and the same at the other end]

The switches 'tag' packets going out on port 3, in other words the packet
over the link looks like:

[VLAN tag=123][Ethernet header][IP header][IP payload][checksums]

and then route based on the tag, rather than routing to all ports.
Because
the tag says VLAN 123, each switch now conveys this only between port 1.
For this traffic, it's as if the other ports didn't exist.
Effectively you
have two isolated networks running over a single cable.

The downside is that you need a management interface on each switch to
configure this, that means the switch having a webserver, CPU, etc. This
makes the switches more expensive. It's also more work to configure and
maintain.

This is fairly standard enterprise networking, and not uncommon if your
business is large enough to buy switches from Cisco rather than Belkin.

(Some cheapo switches support it too - for instance there's a 10 pound
TP-Link gigabit 8-port. I haven't tried it)

Theo

Yes, but what has that utterly pointless and complex solution got to do
with domestic installations and 'multiple ethernet ports'

You can set up a pair of devices to talk to each other on different IP
networks using a bog standard switch. The switch itself will associate
IP and MAC addresses together and prevent traffic spilling onto other
segments.

You don't need all that VLAN gubbins at home, and unless you are
seriously paranoid, you don't need it in an office either.

VLAN is more about extending trusted networks over foreign IP and
untrusted networks - i.e. the Internet.


I don't think you know what you are talking about.

A VLAN will stop a device on one port talking to a device on another
port; using a plain switch will not!



#91 - Cat5e or what?

On 29/01/2016 15:37, The Natural Philosopher wrote:
On 29/01/16 15:33, Theo wrote:
The Natural Philosopher wrote:
On 29/01/16 13:08, Theo Markettos wrote:
Virtual LANs allow you to run separate networks over the same physical
cabling.


Yes, I know that..(mere professional IT network engineer)


Err, I don't think you do:

Yes, but what has that utterly pointless and complex solution got to do
with domestic installations and 'multiple ethernet ports'

You can set up a pair of devices to talk to each other on different IP
networks using a bog standard switch. The switch itself will associate
IP and MAC addresses together and prevent traffic spilling onto other
segments.

You don't need all that VLAN gubbins at home, and unless you are
seriously paranoid, you don't need it in an office either.

VLAN is more about extending trusted networks over foreign IP and
untrusted networks - i.e. the Internet.


VLAN != VPN.

VLAN is for running networks over shared physical infrastructure.
They're
separate, they run separate DHCP servers, one side cannot generate
packets
that route to the other no matter how it gets compromised.

VPN is for extending your network over the Internet. In a domestic
situation you probably don't want that (though you may use it to
connect to
your employer).

VLAN is a layer 2 (Ethernet) thing, VPN is (mostly) a layer 3 (IP) thing
(though some run at layer 2). VLANs won't run over the Internet
unless you
wrap them in a VPN (and it's generally a bad idea).

For instance, you ran a single ethernet cable under the patio to the
shed.
You want the shed to have access to the front door camera (that anyone
could
walk up to and hook into while you were on holiday) and the NAS
containing
your bank statements. You'd like those to be on two separate
networks, but
can't run another cable because it's under the concrete.

Or you ran a single cable up the stairs but you want to give the kids a
separate network so you can separate their traffic from your home
business
in the spare bedroom. You want to be able to firewall your business
traffic
so whatever dodgy apps they're running won't get access to your work
machines. Or perhaps you want first go at the DSL connection and want to
restrict the bandwidth the kids have, or shut off their network after
dinnertime while you can keep working.

This is all on top of standard MAC address switching that means links
will
only carry traffic relevant for them. That doesn't help you if a
dodgy app
generates traffic it's not intended to. VLANs do.


well exactly, nothing to do with ethernet ports and not needed
domestically.

Since you can run as many networks as you like over a single piece of
cable.

And if you really must use DHCP make sure the MAC addresses are
pre-allocated.


Stop digging, you are wrong.

#92 - Cat5e or what?

On 29/01/16 16:44, dennis@home wrote:
On 29/01/2016 14:34, The Natural Philosopher wrote:
On 29/01/16 13:08, Theo Markettos wrote:
The Natural Philosopher wrote:
On 29/01/16 00:33, Theo wrote:
Also multiple ethernet ports mean you can segment the network: not
put the
doorbell on the same network as the banking data. You can do that
on a
switch with VLANs, but to do that you need a more expensive switch.

Theo
Can you put that in simple English that a mere professional IT network
engineer can understand?

What are 'multiple Ethernet ports' in this context, please, and how do
they differ from what a switch has anyway?

Virtual LANs allow you to run separate networks over the same physical
cabling.


Yes, I know that..(mere professional IT network engineer)

For instance, you might trust the doorbell network (physically
exposed on
the outside of your building) less than the one handling credit card
data,
and don't want them able to communicate. But your site topology might
mean
you have to use the same physical link for connecting them.

Let's assume you have one ethernet cable you want to send both traffic
down.
You do this by using VLAN-enabled switches. You put a VLAN-enabled
switch
at each end. You then decide on a VLAN numbering scheme, for instance:

VLAN 123 = doorbell
VLAN 456 = accounting

You then configure switch A for port 1 to be on VLAN 123 and port 2 to
be on
VLAN 456. You do the same for switch B. You plug in the doorbell
kit to
port 1 and credit card kit to port 2.

You select port 3 to carry all 'tagged' frames, and link the switches
with
your one cable between their port 3s.

          +-------------------------------+
          | Switch A                      |
doorbell -|-port 1--[tag=123?]-+          |
          |                    X--port 3 -|-- VLAN tagged frames on one link
accounts -|-port 2--[tag=456?]-+          |
          |                               |
          +-------------------------------+
[and the same at the other end]

The switches 'tag' packets going out on port 3, in other words the
packet
over the link looks like:

[VLAN tag=123][Ethernet header][IP header][IP payload][checksums]

and then route based on the tag, rather than routing to all ports.
Because
the tag says VLAN 123, each switch now conveys this only between port 1.
For this traffic, it's as if the other ports didn't exist.
Effectively you
have two isolated networks running over a single cable.

The downside is that you need a management interface on each switch to
configure this, that means the switch having a webserver, CPU, etc.
This
makes the switches more expensive. It's also more work to configure and
maintain.

This is fairly standard enterprise networking, and not uncommon if your
business is large enough to buy switches from Cisco rather than Belkin.

(Some cheapo switches support it too - for instance there's a 10 pound
TP-Link gigabit 8-port. I haven't tried it)

Theo

Yes, but what has that utterly pointless and complex solution got to do
with domestic installations and 'multiple ethernet ports'

You can set up a pair of devices to talk to each other on different IP
networks using a bog standard switch. The switch itself will associate
IP and MAC addresses together and prevent traffic spilling onto other
segments.

You don't need all that VLAN gubbins at home, and unless you are
seriously paranoid, you don't need it in an office either.

VLAN is more about extending trusted networks over foreign IP and
untrusted networks - i.e. the Internet.


I don't think you know what you are talking about.

A VLAN will stop a device on one port talking to a device on another
port; using a plain switch will not!

Actually it will.

First of all switches only propagate to MAC addresses associated with
the actual hardware that has 'claimed' the IP address. The exception is
merely broadcasts.

You are thinking perhaps of a hub or repeater, which sends all traffic
everywhere. Switches never have.

So basically you can have dozens of independent IP networks sharing the
same switch and traffic will not cross over except on ARP requests,
typically a broadcast.

Now of course spoofing IP addresses is possible in this scenario, so it's
not secure as such, but in terms of traffic, it does separate them.

My point has been that in a domestic situation, security is not normally
an issue within the site.


So there is no need for routers and Vlans and expensive kit, just to
make best use of the cabling.


If you have to share cabling just connect two switches via a bit of
cable. They will sort out the traffic just fine.


--
How fortunate for governments that the people they administer don't think.

Adolf Hitler

#93

On 29/01/16 16:45, dennis@home wrote:
On 29/01/2016 15:37, The Natural Philosopher wrote:
On 29/01/16 15:33, Theo wrote:
The Natural Philosopher wrote:
On 29/01/16 13:08, Theo Markettos wrote:
Virtual LANs allow you to run separate networks over the same physical
cabling.


Yes, I know that..(mere professional IT network engineer)

Err, I don't think you do:

Yes, but what has that utterly pointless and complex solution got to do
with domestic installations and 'multiple ethernet ports'?

You can set up a pair of devices to talk to each other on different IP
networks using a bog standard switch. The switch itself will associate
IP and MAC addresses together and prevent traffic spilling onto other
segments.

You don't need all that VLAN gubbins at home, and unless you are
seriously paranoid, you don't need it in an office either.

VLAN is more about extending trusted networks over foreign IP and
untrusted networks - i.e., the Internet.

VLAN != VPN.

VLAN is for running networks over shared physical infrastructure. They're
separate, they run separate DHCP servers, one side cannot generate packets
that route to the other no matter how it gets compromised.

VPN is for extending your network over the Internet. In a domestic
situation you probably don't want that (though you may use it to connect to
your employer).

VLAN is a layer 2 (Ethernet) thing, VPN is (mostly) a layer 3 (IP) thing
(though some run at layer 2). VLANs won't run over the Internet unless you
wrap them in a VPN (and it's generally a bad idea).

For instance, you ran a single ethernet cable under the patio to the shed.
You want the shed to have access to the front door camera (that anyone could
walk up to and hook into while you were on holiday) and the NAS containing
your bank statements. You'd like those to be on two separate networks, but
can't run another cable because it's under the concrete.

Or you ran a single cable up the stairs but you want to give the kids a
separate network so you can separate their traffic from your home business
in the spare bedroom. You want to be able to firewall your business traffic
so whatever dodgy apps they're running won't get access to your work
machines. Or perhaps you want first go at the DSL connection and want to
restrict the bandwidth the kids have, or shut off their network after
dinnertime while you can keep working.

This is all on top of standard MAC address switching that means links will
only carry traffic relevant for them. That doesn't help you if a dodgy app
generates traffic it's not intended to. VLANs do.


well exactly, nothing to do with ethernet ports and not needed
domestically.

Since you can run as many networks as you like over a single piece of
cable.

And if you really must use DHCP make sure the mac addresses are
pre-allocated.


Stop digging, you are wrong.

No dennis, I am not wrong. There is a difference between security and
traffic sharing.

http://cnp3book.info.ucl.ac.be/protocols/ethernet.html

Read the section on how switches maintain MAC address tables so they
only send particular packets destined for a particular target down a
particular piece of cable. And the tree spanning algorithms that allow
them to decide routes via other switches.

Anyone who has set up anything more than a basic network knows that a
single switch can accommodate dozens of independent IP networks, all
coexisting happily and all mutually inaccessible if set up correctly, at
the casual use level. Of course from a security point of view they are
not always so separate - one network CAN break into another..but is that
really an issue in a domestic situation? Is your doorbell really going
to change its IP address onto a 'different' network and hack into your
server?

The whole POINT of a switch is that they are plug and play mac level
ROUTERS.

Not repeaters.





--
The theory of Communism may be summed up in one sentence: Abolish all
private property.

Karl Marx

#94

On 29/01/2016 17:11, The Natural Philosopher wrote:
On 29/01/16 16:45, dennis@home wrote:
On 29/01/2016 15:37, The Natural Philosopher wrote:
On 29/01/16 15:33, Theo wrote:
The Natural Philosopher wrote:
On 29/01/16 13:08, Theo Markettos wrote:
Virtual LANs allow you to run separate networks over the same
physical
cabling.


Yes, I know that..(mere professional IT network engineer)

Err, I don't think you do:

Yes, but what has that utterly pointless and complex solution got to do
with domestic installations and 'multiple ethernet ports'?

You can set up a pair of devices to talk to each other on different IP
networks using a bog standard switch. The switch itself will associate
IP and MAC addresses together and prevent traffic spilling onto other
segments.

You don't need all that VLAN gubbins at home, and unless you are
seriously paranoid, you don't need it in an office either.

VLAN is more about extending trusted networks over foreign IP and
untrusted networks - i.e., the Internet.

VLAN != VPN.

VLAN is for running networks over shared physical infrastructure. They're
separate, they run separate DHCP servers, one side cannot generate packets
that route to the other no matter how it gets compromised.

VPN is for extending your network over the Internet. In a domestic
situation you probably don't want that (though you may use it to connect to
your employer).

VLAN is a layer 2 (Ethernet) thing, VPN is (mostly) a layer 3 (IP) thing
(though some run at layer 2). VLANs won't run over the Internet unless you
wrap them in a VPN (and it's generally a bad idea).

For instance, you ran a single ethernet cable under the patio to the shed.
You want the shed to have access to the front door camera (that anyone could
walk up to and hook into while you were on holiday) and the NAS containing
your bank statements. You'd like those to be on two separate networks, but
can't run another cable because it's under the concrete.

Or you ran a single cable up the stairs but you want to give the kids a
separate network so you can separate their traffic from your home business
in the spare bedroom. You want to be able to firewall your business traffic
so whatever dodgy apps they're running won't get access to your work
machines. Or perhaps you want first go at the DSL connection and want to
restrict the bandwidth the kids have, or shut off their network after
dinnertime while you can keep working.

This is all on top of standard MAC address switching that means links will
only carry traffic relevant for them. That doesn't help you if a dodgy app
generates traffic it's not intended to. VLANs do.


well exactly, nothing to do with ethernet ports and not needed
domestically.

Since you can run as many networks as you like over a single piece of
cable.

And if you really must use DHCP make sure the mac addresses are
pre-allocated.


Stop digging, you are wrong.

No dennis, I am not wrong. There is a difference between security and
traffic sharing.

http://cnp3book.info.ucl.ac.be/protocols/ethernet.html

Read the section on how switches maintain MAC address tables so they
only send particular packets destined for a particular target down a
particular piece of cable. And the tree spanning algorithms that allow
them to decide routes via other switches.

Anyone who has set up anything more than a basic network knows that a
single switch can accommodate dozens of independent IP networks, all
coexisting happily and all mutually inaccessible if set up correctly, at
the casual use level. Of course from a security point of view they are
not always so separate - one network CAN break into another..but is that
really an issue in a domestic situation? Is your doorbell really going
to change its IP address onto a 'different' network and hack into your
server?

The whole POINT of a switch is that they are plug and play mac level
ROUTERS.

Not repeaters.


Do you really want to keep digging?
I probably know more about this stuff than you, it was my job to design
networks with vlans in over ethernet, ATM, etc.

I had millions of pounds worth of kit from juniper, cisco, and others
just to model networks on. They included:-

a play-out suite provided by BBC technical services
several reverse caches for the web servers
loads of switches
ATM switches
DSLAMs
CISCO VoIP
System X exchange (14 of them IIRC)
radio links
10G long haul links (never did get the soliton based one)


You can continue to claim that you were correct but we know differently.
#95

On 29/01/2016 17:02, The Natural Philosopher wrote:
On 29/01/16 16:44, dennis@home wrote:
On 29/01/2016 14:34, The Natural Philosopher wrote:
On 29/01/16 13:08, Theo Markettos wrote:
The Natural Philosopher wrote:
On 29/01/16 00:33, Theo wrote:
Also multiple ethernet ports mean you can segment the network: not put the
doorbell on the same network as the banking data. You can do that on a
switch with VLANs, but to do that you need a more expensive switch.

Theo
Can you put that in simple English that a mere professional IT network
engineer can understand?

What are 'multiple Ethernet ports' in this context, please, and how do
they differ from what a switch has anyway?

Virtual LANs allow you to run separate networks over the same physical
cabling.


Yes, I know that..(mere professional IT network engineer)

For instance, you might trust the doorbell network (physically exposed on
the outside of your building) less than the one handling credit card data,
and don't want them able to communicate. But your site topology might mean
you have to use the same physical link for connecting them.

Let's assume you have one ethernet cable you want to send both traffic down.
You do this by using VLAN-enabled switches. You put a VLAN-enabled switch
at each end. You then decide on a VLAN numbering scheme, for instance:

VLAN 123 = doorbell
VLAN 456 = accounting

You then configure switch A for port 1 to be on VLAN 123 and port 2 to be on
VLAN 456. You do the same for switch B. You plug in the doorbell kit to
port 1 and credit card kit to port 2.

You select port 3 to carry all 'tagged' frames, and link the switches with
your one cable between their port 3s.

+-------------------------------+
| Switch A |
doorbell -|-port 1--[tag=123?]-+ |
| X--port 3 -|-- VLAN tagged frames on one link
accounts -|-port 2--[tag=456?]-+ |
| |
+-------------------------------+
[and the same at the other end]

The switches 'tag' packets going out on port 3, in other words the packet
over the link looks like:

[VLAN tag=123][Ethernet header][IP header][IP payload][checksums]

and then route based on the tag, rather than routing to all ports. Because
the tag says VLAN 123, each switch now conveys this only between port 1.
For this traffic, it's as if the other ports didn't exist. Effectively you
have two isolated networks running over a single cable.

The downside is that you need a management interface on each switch to
configure this, that means the switch having a webserver, CPU, etc. This
makes the switches more expensive. It's also more work to configure and
maintain.

This is fairly standard enterprise networking, and not uncommon if your
business is large enough to buy switches from Cisco rather than Belkin.

(Some cheapo switches support it too - for instance there's a 10 pound
TP-Link gigabit 8-port. I haven't tried it)

Theo

Yes, but what has that utterly pointless and complex solution got to do
with domestic installations and 'multiple ethernet ports'?

You can set up a pair of devices to talk to each other on different IP
networks using a bog standard switch. The switch itself will associate
IP and MAC addresses together and prevent traffic spilling onto other
segments.

You don't need all that VLAN gubbins at home, and unless you are
seriously paranoid, you don't need it in an office either.

VLAN is more about extending trusted networks over foreign IP and
untrusted networks - i.e., the Internet.


I don't think you know what you are talking about.

A VLAN will stop a device on one port talking to a device on another
port; using a plain switch will not!

Actually it will.


No it won't!
Just download an IP address scanner app and it will find everything
(using IP) on any port.
On a VLAN it won't.




#96

In the article , The Natural Philosopher wrote:

Vlan is more about extended trusted networks over foriegn IP and
untrusted networks - i.e, the Internet


You say:

Yes, I know that..(mere professional IT network engineer)


and you don't even know the difference between a VLAN and a VPN.

I'm glad I'm not one of your customers.

--
(\_/)
(='.'=) Bunny says: Windows 10? Nein danke!
(")_(")
#97

On Fri, 29 Jan 2016 18:04:16 +0000, dennis@home
wrote:

snip

No it won't!
Just download an IP address scanner app and it will find everything
(using IP) on any port.
On a VLAN it won't.


I don't think he's ever heard of 'managed' devices (switches) mate.
;-(

So, because he hasn't heard of them, they don't exist. ;-)

Cheers, T i m
#98

On 29/01/16 17:34, dennis@home wrote:
On 29/01/2016 17:11, The Natural Philosopher wrote:
On 29/01/16 16:45, dennis@home wrote:
On 29/01/2016 15:37, The Natural Philosopher wrote:
On 29/01/16 15:33, Theo wrote:
The Natural Philosopher wrote:
On 29/01/16 13:08, Theo Markettos wrote:
Virtual LANs allow you to run separate networks over the same
physical
cabling.


Yes, I know that..(mere professional IT network engineer)

Err, I don't think you do:

Yes, but what has that utterly pointless and complex solution got to do
with domestic installations and 'multiple ethernet ports'?

You can set up a pair of devices to talk to each other on different IP
networks using a bog standard switch. The switch itself will associate
IP and MAC addresses together and prevent traffic spilling onto other
segments.

You don't need all that VLAN gubbins at home, and unless you are
seriously paranoid, you don't need it in an office either.

VLAN is more about extending trusted networks over foreign IP and
untrusted networks - i.e., the Internet.

VLAN != VPN.

VLAN is for running networks over shared physical infrastructure. They're
separate, they run separate DHCP servers, one side cannot generate packets
that route to the other no matter how it gets compromised.

VPN is for extending your network over the Internet. In a domestic
situation you probably don't want that (though you may use it to connect to
your employer).

VLAN is a layer 2 (Ethernet) thing, VPN is (mostly) a layer 3 (IP) thing
(though some run at layer 2). VLANs won't run over the Internet unless you
wrap them in a VPN (and it's generally a bad idea).

For instance, you ran a single ethernet cable under the patio to the shed.
You want the shed to have access to the front door camera (that anyone could
walk up to and hook into while you were on holiday) and the NAS containing
your bank statements. You'd like those to be on two separate networks, but
can't run another cable because it's under the concrete.

Or you ran a single cable up the stairs but you want to give the kids a
separate network so you can separate their traffic from your home business
in the spare bedroom. You want to be able to firewall your business traffic
so whatever dodgy apps they're running won't get access to your work
machines. Or perhaps you want first go at the DSL connection and want to
restrict the bandwidth the kids have, or shut off their network after
dinnertime while you can keep working.

This is all on top of standard MAC address switching that means links will
only carry traffic relevant for them. That doesn't help you if a dodgy app
generates traffic it's not intended to. VLANs do.


well exactly, nothing to do with ethernet ports and not needed
domestically.

Since you can run as many networks as you like over a single piece of
cable.

And if you really must use DHCP make sure the mac addresses are
pre-allocated.

Stop digging, you are wrong.

No dennis, I am not wrong. There is a difference between security and
traffic sharing.

http://cnp3book.info.ucl.ac.be/protocols/ethernet.html

Read the section on how switches maintain MAC address tables so they
only send particular packets destined for a particular target down a
particular piece of cable. And the tree spanning algorithms that allow
them to decide routes via other switches.

Anyone who has set up anything more than a basic network knows that a
single switch can accommodate dozens of independent IP networks, all
coexisting happily and all mutually inaccessible if set up correctly, at
the casual use level. Of course from a security point of view they are
not always so separate - one network CAN break into another..but is that
really an issue in a domestic situation? Is your doorbell really going
to change its IP address onto a 'different' network and hack into your
server?

The whole POINT of a switch is that they are plug and play mac level
ROUTERS.

Not repeaters.


Do you really want to keep digging?
I probably know more about this stuff than you, it was my job to design
networks with vlans in over ethernet, ATM, etc.

I had millions of pounds worth of kit from juniper, cisco, and others
just to model networks on. They included:-

a play-out suite provided by BBC technical services
several reverse caches for the web servers
loads of switches
ATM switches
DSLAMs
CISCO VoIP
System X exchange (14 of them IIRC)
radio links
10G long haul links (never did get the soliton based one)


You can continue to claim that you were correct but we know differently.


the issues are all explained in the link I posted.

Listing a load of brand names doesn't make you an expert.

--
He who ****s in the road, will meet flies on his return.

"Mr Natural"
#99

On 29/01/16 18:04, dennis@home wrote:
On 29/01/2016 17:02, The Natural Philosopher wrote:
On 29/01/16 16:44, dennis@home wrote:
On 29/01/2016 14:34, The Natural Philosopher wrote:
On 29/01/16 13:08, Theo Markettos wrote:
The Natural Philosopher wrote:
On 29/01/16 00:33, Theo wrote:
Also multiple ethernet ports mean you can segment the network: not put the
doorbell on the same network as the banking data. You can do that on a
switch with VLANs, but to do that you need a more expensive switch.

Theo
Can you put that in simple English that a mere professional IT network
engineer can understand?

What are 'multiple Ethernet ports' in this context, please, and how do
they differ from what a switch has anyway?

Virtual LANs allow you to run separate networks over the same physical
cabling.


Yes, I know that..(mere professional IT network engineer)

For instance, you might trust the doorbell network (physically exposed on
the outside of your building) less than the one handling credit card data,
and don't want them able to communicate. But your site topology might mean
you have to use the same physical link for connecting them.

Let's assume you have one ethernet cable you want to send both traffic down.
You do this by using VLAN-enabled switches. You put a VLAN-enabled switch
at each end. You then decide on a VLAN numbering scheme, for instance:

VLAN 123 = doorbell
VLAN 456 = accounting

You then configure switch A for port 1 to be on VLAN 123 and port 2 to be on
VLAN 456. You do the same for switch B. You plug in the doorbell kit to
port 1 and credit card kit to port 2.

You select port 3 to carry all 'tagged' frames, and link the switches with
your one cable between their port 3s.

+-------------------------------+
| Switch A |
doorbell -|-port 1--[tag=123?]-+ |
| X--port 3 -|-- VLAN tagged frames on one link
accounts -|-port 2--[tag=456?]-+ |
| |
+-------------------------------+
[and the same at the other end]

The switches 'tag' packets going out on port 3, in other words the packet
over the link looks like:

[VLAN tag=123][Ethernet header][IP header][IP payload][checksums]

and then route based on the tag, rather than routing to all ports. Because
the tag says VLAN 123, each switch now conveys this only between port 1.
For this traffic, it's as if the other ports didn't exist. Effectively you
have two isolated networks running over a single cable.

The downside is that you need a management interface on each switch to
configure this, that means the switch having a webserver, CPU, etc. This
makes the switches more expensive. It's also more work to configure and
maintain.

This is fairly standard enterprise networking, and not uncommon if your
business is large enough to buy switches from Cisco rather than Belkin.

(Some cheapo switches support it too - for instance there's a 10 pound
TP-Link gigabit 8-port. I haven't tried it)

Theo

Yes, but what has that utterly pointless and complex solution got to do
with domestic installations and 'multiple ethernet ports'?

You can set up a pair of devices to talk to each other on different IP
networks using a bog standard switch. The switch itself will associate
IP and MAC addresses together and prevent traffic spilling onto other
segments.

You don't need all that VLAN gubbins at home, and unless you are
seriously paranoid, you don't need it in an office either.

VLAN is more about extending trusted networks over foreign IP and
untrusted networks - i.e., the Internet.

I don't think you know what you are talking about.

A VLAN will stop a device on one port talking to a device on another
port; using a plain switch will not!

Actually it will.


No it won't!
Just download an IP address scanner app and it will find everything
(using IP) on any port.


Dennis. PLEASE read up about how a switch works, and why we HAVE
switches instead of repeaters. And why the little blinken lights on your
switch do not all blink at the same time but in pairs, because packets
are not on all segments simultaneously.


And just because it's perfectly possible to send a broadcast and get a
response back from every ethernet device on a given network, doesn't
mean that all those devices receive traffic OTHER than broadcasts on a
routine basis.

On a VLAN it won't.


VLAN is a security issue. It is not about traffic.

So first of all, you need to understand the basics

Of why we use switches rather than repeaters

http://cnp3book.info.ucl.ac.be/protocols/ethernet.html
"From a performance perspective, it would be more interesting to have
devices that operate in the datalink layer and can analyse the
destination address of each frame and forward the frames selectively on
the link that leads to the destination. Such devices are usually called
*Ethernet switches* [7]. An Ethernet switch is a relay that operates in
the datalink layer as is illustrated in the figure below."

See that? The switch learns where each destination is, and doesn't send
all traffic to all devices.

You can't hear a conversation on one wire that is between devices on two
other wires, because the switch is a mac level ROUTER.

Obviously you can discover by doing an ARP request, or an Ethernet
broadcast, what other devices are on that Network, but you can't tell
where they are connected unless you can probe the switch's MAC address
to port map tables.


All a VLAN is, is a layer on top of that that disallows broadcasts
between pre-defined VLANs, that's all.

"A switch can support several VLANs and it runs one MAC learning
algorithm for each Virtual LAN. When a switch receives a frame with an
*unknown or a multicast destination*, it forwards it over all the ports
that belong to the same Virtual LAN but not over the ports that belong
to other Virtual LANs. Similarly, when a switch learns a source address
on a port, it associates it to the Virtual LAN of this port and uses
this information only when forwarding frames on this Virtual LAN."

http://cnp3book.info.ucl.ac.be/protocols/ethernet.html

So devices on other VLANS won't respond to a broadcast on a given VLAN.
But beyond that they have no impact on performance or routine routing of
packets.

So all this nonsense about 'separating traffic' is just that. Nonsense.

If you route two VLANs over the same piece of wire, they will compete
with each other, VLAN or not. And if you have two devices on two
different bits of wire, the traffic from one will not go down the wire
to the other irrespective of whether they are on VLANs or not.

And Vlans therefore have zero use in a domestic environment.

ALL they really do is stop people on a given set of wires representing
themselves as belonging to a network they have no rights to join.

I repeat (sic!) VLANS are for security, not performance.

--
He who ****s in the road, will meet flies on his return.

"Mr Natural"
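An added example, not code from anyone in this thread: a toy Python model of the two forwarding behaviours argued over above, the plain learning switch (one MAC table, one broadcast domain, as in the cnp3book passage) and the VLAN-aware switch from Theo's description (one MAC table per VLAN, access ports on VLAN 123 and 456, port 3 as the tagged trunk over the single cable). The MAC addresses, port numbers and both scenarios are constructed; the model shows that a plain switch delivers a unicast to one port only yet still lets any port reach any other, while the VLAN-aware pair never delivers a VLAN 456 frame to the doorbell's port.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
PLAIN = 0  # pseudo VLAN id for a plain (VLAN-unaware) switch: one domain

# Constructed MAC addresses for the hosts in the thread's scenario.
DOORBELL = "02:00:00:00:00:01"     # on the outside wall, least trusted
NAS = "02:00:00:00:00:02"          # holds the bank statements
LAPTOP = "02:00:00:00:00:03"       # a third box on the same plain switch
ACCOUNTS_PC = "02:00:00:00:00:04"  # the 'credit card kit' on VLAN 456


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None  # 802.1Q tag carried on a trunk; None = untagged


@dataclass
class Switch:
    """Learning switch. With no VLAN configuration it behaves as a plain
    unmanaged switch (one MAC table, one broadcast domain). With access and
    trunk ports it keeps one MAC table per VLAN and floods unknown or
    broadcast destinations only to ports of that VLAN."""
    ports: Set[int]
    vlan_of_port: Dict[int, int] = field(default_factory=dict)  # access ports
    trunk_ports: Set[int] = field(default_factory=set)          # tagged links
    mac_table: Dict[int, Dict[str, int]] = field(default_factory=dict)

    @property
    def vlan_aware(self) -> bool:
        return bool(self.vlan_of_port or self.trunk_ports)

    def _ingress_vlan(self, port: int, frame: Frame) -> Optional[int]:
        if not self.vlan_aware:
            return PLAIN
        if port in self.trunk_ports:
            return frame.vlan  # must arrive tagged; an untagged frame is dropped
        return self.vlan_of_port.get(port)  # port with no VLAN: dropped

    def _port_in_vlan(self, port: int, vlan: int) -> bool:
        if not self.vlan_aware:
            return True
        return port in self.trunk_ports or self.vlan_of_port.get(port) == vlan

    def _egress_frame(self, port: int, frame: Frame, vlan: int) -> Frame:
        if not self.vlan_aware:
            return frame
        # tag the frame when it leaves on the trunk, strip it on an access port
        return Frame(frame.src, frame.dst, vlan if port in self.trunk_ports else None)

    def receive(self, ingress: int, frame: Frame) -> List[Tuple[int, Frame]]:
        """Handle one frame; return the (port, frame) pairs actually sent out."""
        vlan = self._ingress_vlan(ingress, frame)
        if vlan is None:
            return []
        table = self.mac_table.setdefault(vlan, {})
        table[frame.src] = ingress  # learn the source address, per VLAN
        known = None if frame.dst == BROADCAST else table.get(frame.dst)
        if known is not None:
            egress = [] if known == ingress else [known]  # unicast: one port only
        else:
            egress = [p for p in sorted(self.ports)      # flood inside this VLAN
                      if p != ingress and self._port_in_vlan(p, vlan)]
        return [(p, self._egress_frame(p, frame, vlan)) for p in egress]


def plain_switch_scenario() -> Dict[str, List[int]]:
    """Doorbell (port 1), NAS (port 2) and laptop (port 3) on one plain switch."""
    sw = Switch(ports={1, 2, 3})
    arp = sw.receive(1, Frame(DOORBELL, BROADCAST))  # doorbell ARPs for the NAS
    reply = sw.receive(2, Frame(NAS, DOORBELL))      # NAS answers by unicast
    scan = sw.receive(3, Frame(LAPTOP, NAS))         # laptop addresses the NAS
    return {
        "arp_flooded_to": [p for p, _ in arp],   # the broadcast reaches every port
        "reply_sent_to": [p for p, _ in reply],  # the unicast reaches port 1 only
        "laptop_to_nas": [p for p, _ in scan],   # yet any port can still reach the NAS
    }


def vlan_switch_scenario() -> Dict[str, object]:
    """Switches A and B: port 1 = VLAN 123, port 2 = VLAN 456, port 3 = the
    tagged trunk carrying both VLANs over the single cable."""
    cfg = dict(ports={1, 2, 3}, vlan_of_port={1: 123, 2: 456}, trunk_ports={3})
    a, b = Switch(**cfg), Switch(**cfg)
    a_out = a.receive(1, Frame(DOORBELL, BROADCAST))       # doorbell broadcast at A
    b_out = [x for _, f in a_out for x in b.receive(3, f)]  # arrives tagged at B
    a_cross = a.receive(2, Frame(ACCOUNTS_PC, DOORBELL))   # VLAN 456 host -> doorbell MAC
    b_cross = [x for _, f in a_cross for x in b.receive(3, f)]
    untagged = b.receive(3, Frame(LAPTOP, BROADCAST))      # untagged frame on the trunk
    return {
        "arp_out_of_a": [(p, f.vlan) for p, f in a_out],           # trunk only, tagged 123
        "arp_out_of_b": [(p, f.vlan) for p, f in b_out],           # port 1 only, untagged
        "cross_vlan_out_of_a": [(p, f.vlan) for p, f in a_cross],  # trunk, tagged 456
        "cross_vlan_out_of_b": [p for p, _ in b_cross],            # port 2 only
        "doorbell_port_reached": any(p == 1 for p, _ in b_cross),  # never
        "untagged_on_trunk": untagged,                             # dropped
    }
```

The plain-switch result is the point both sides are making at once: the NAS reply is sent to port 1 alone, but the laptop's frame still reaches the NAS, because MAC learning limits where traffic is copied, not who may send it.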
#100

On 29/01/2016 23:50, The Natural Philosopher wrote:


Well yes, but would you REALLY have a live access to your internal
network on a CAT 5 socket outside your front door?


You might have on the camera.

The whole POINT of a switch is that they are plug and play mac level
ROUTERS.

Not repeaters.


That buys you efficiency rather than any real security.



That was my point. In a nutshell.

The average punter isn't going to buy a switch with management let alone
know how to set up a VLAN on it.

It's a pointless willy waving exercise on a domestic DIY thread.



Stop wriggling.


#101

On 29/01/2016 23:44, The Natural Philosopher wrote:
On 29/01/16 18:04, dennis@home wrote:
On 29/01/2016 17:02, The Natural Philosopher wrote:
On 29/01/16 16:44, dennis@home wrote:
On 29/01/2016 14:34, The Natural Philosopher wrote:


8<

A VLAN will stop a device on one port talking to a device on another
port; using a plain switch will not!

Actually it will.


No it won't!
Just download an IP address scanner app and it will find everything
(using IP) on any port.


Dennis. PLEASE read up about how a switch works, and why we HAVE
switches instead of repeaters. And why the little blinken lights on your
switch do not all blink at the same time but in pairs, because packets
are not on all segments simultaneously.


For heavens sake admit you are wrong.
Switches are layer 2 devices and are transparent so everything is
visible whatever you claim.
Vlan switches are not as transparent.

I can assure you that you can ping every device connected to a switch
just as though they were connected to the same segment of ethernet.


And just because it's perfectly possible to send a broadcast and get a
response back from every ethernet device on a given network, doesn't
mean that all those devices receive traffic OTHER than broadcasts on a
routine basis.


How does that equate with your claim a switch will stop things talking
to each other?



On a VLAN it won't.


VLAN is a security issue. It is not about traffic.

So first of all, you need to understand the basics


Go away and stop pretending you know anything new.

Snip cr@p that you can get out of google in three seconds.
#102

On 30/01/16 00:18, dennis@home wrote:
On 29/01/2016 23:50, The Natural Philosopher wrote:


Well yes, but would you REALLY have a live access to your internal
network on a CAT 5 socket outside your front door?


You might have on the camera.

The whole POINT of a switch is that they are plug and play mac level
ROUTERS.

Not repeaters.

That buys you efficiency rather than any real security.



That was my point. In a nutshell.

The average punter isn't going to buy a switch with management let alone
know how to set up a VLAN on it.

It's a pointless willy waving exercise on a domestic DIY thread.



Stop wriggling.


You have some nerve. Anyone can look at the link I posted, read up on the
subject and see that you didn't understand what you were saying.

You are a classic example of a technician who thinks they understand the
technology they use daily, but is hilariously clueless. Like the plumber
who installed my *mains pressure* hot water tank in the loft - 'good
place for it mate, you will get better water pressure with it in the loft'

I'd stop wriggling dennis.

Or learn to apologise.



--
Bureaucracy defends the status quo long past the time the quo has lost
its status.

Laurence Peter
#103

On 30/01/16 00:25, dennis@home wrote:
On 29/01/2016 23:44, The Natural Philosopher wrote:
On 29/01/16 18:04, dennis@home wrote:
On 29/01/2016 17:02, The Natural Philosopher wrote:
On 29/01/16 16:44, dennis@home wrote:
On 29/01/2016 14:34, The Natural Philosopher wrote:


8<

A VLAN will stop a device on one port talking to a device on another
port; using a plain switch will not!

Actually it will.

No it won't!
Just download an IP address scanner app and it will find everything
(using IP) on any port.


Dennis. PLEASE read up about how a switch works, and why we HAVE
switches instead of repeaters. And why the little blinken lights on your
switch do not all blink at the same time but in pairs, because packets
are not on all segments simultaneously.


For heavens sake admit you are wrong.
Switches are layer 2 devices and are transparent so everything is
visible whatever you claim.
Vlan switches are not as transparent.


Please dennis, stop making a fool of yourself and READ UP on how they work.

It's embarrassing.

A layer two router is a switch, and it's NOT transparent.


I can assure you that you can ping every device connected to a switch
just as though they were connected to the same segment of ethernet.

So what? That's because they route the pings. I can ping almost every
device on the internet. That doesn't mean I can read every packet on the
internet ..



And just because it's perfectly possible to send a broadcast and get a
response back from every ethernet device on a given network, doesn't
mean that all those devices receive traffic OTHER than broadcasts on a
routine basis.


How does that equate with your claim a switch will stop things talking
to each other?


I didn't say it would stop these talking to each other dennis. I said
that traffic between devices is not available to other devices and does
not occupy their segments.

Don't straw man me.



On a VLAN it won't.


VLAN is a security issue. It is not about traffic.

So first of all, you need to understand the basics


Go away and stop pretending you know anything new.


I see. In denial because you don't want to read up and learn, so you
never ever will.

The difference between you and me dennis, is that I like to learn, and I
am happier to pass a link to a well written piece of information that
explains what I am trying to say better than I can, whereas you won't do
that, preferring to present a case based on *your knowledge* and backed
with personal abuse.

But that is because I am here to learn and to educate, and you are here
to boost your inflated ego...


Snip cr@p that you can get out of google in three seconds.



Well, why don't *you* actually use Google to check what you are saying
before you make a fool of yourself?



--
"What do you think about Gay Marriage?"
"I don't."
"Don't what?"
"Think about Gay Marriage."

  #104   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default Cat5e or what?

On 30/01/2016 00:38, The Natural Philosopher wrote:
On 30/01/16 00:25, dennis@home wrote:
On 29/01/2016 23:44, The Natural Philosopher wrote:
On 29/01/16 18:04, dennis@home wrote:
On 29/01/2016 17:02, The Natural Philosopher wrote:
On 29/01/16 16:44, dennis@home wrote:
On 29/01/2016 14:34, The Natural Philosopher wrote:


8<

A VLAN will stop a device on one port talking to a device on another
port using a plain switch will not!

Actually it will.

No it won't!
Just download an IP address scanner app and it will find everything
(using IP) on any port.

Dennis. PLEASE read up about how a switch works, and why we HAVE
switches instead of repeaters. And why the little blinken lights on your
switch do not all blink at the same time but in pairs, because packets
are not on all segments simultaneously.


For heaven's sake admit you are wrong.
Switches are layer 2 devices and are transparent so everything is
visible whatever you claim.
VLAN switches are not as transparent.


Please dennis, stop making a fool of yourself and READ UP on how they work.

It's embarrassing.

A layer two router is a switch and it's NOT transparent.


I can assure you that you can ping every device connected to a switch
just as though they were connected to the same segment of ethernet.

So what? That's because they route the pings. I can ping almost every
device on the internet. That doesn't mean I can read every packet on the
internet...


Hmmm, it's interesting that TNP has romped off on a tangent about whether
a switch will leak information flowing between two ports to other ports
not involved in the discussion (which generally it won't unless
instructed to port mirror), as if that alone will provide security. It's
missing the elephant in the room that the switch will allow any device
on any port to make contact with any other device irrespective of the
port it's attached to, the IP subnet it's on, or for that matter even the
higher level protocol being used.

So yes a switch may make it harder for the outsider to eavesdrop on the
established conversation between a PC and NAS for example. However it
will happily allow the outsider to talk to the PC or the NAS directly,
which makes the former a bit of a moot point.

And just because it's perfectly possible to send a broadcast and get a
response back from every ethernet device on a given network doesn't
mean that all those devices receive traffic OTHER than broadcasts on a
routine basis.


How does that equate with your claim a switch will stop things talking
to each other?


I didn't say it would stop these talking to each other dennis. I said
that traffic between devices is not available to other devices and does
not occupy their segments.

Don't straw man me.


ISTR dennis said:

A VLAN will stop a device on one port talking to a device on another
port using a plain switch will not!


Which is true....

TNP countered that

Actually it will.


Which is clearly not true.

Well, why don't *you* actually use Google to check what you are saying
before you make a fool of yourself?


When in glass houses?


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk                      |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk                     |
\=================================================================/
  #105   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Cat5e or what?

On 30/01/16 02:48, John Rumm wrote:
On 30/01/2016 00:38, The Natural Philosopher wrote:
On 30/01/16 00:25, dennis@home wrote:
On 29/01/2016 23:44, The Natural Philosopher wrote:
On 29/01/16 18:04, dennis@home wrote:
On 29/01/2016 17:02, The Natural Philosopher wrote:
On 29/01/16 16:44, dennis@home wrote:
On 29/01/2016 14:34, The Natural Philosopher wrote:

8<

A VLAN will stop a device on one port talking to a device on another
port using a plain switch will not!

Actually it will.

No it won't!
Just download an IP address scanner app and it will find everything
(using IP) on any port.

Dennis. PLEASE read up about how a switch works, and why we HAVE
switches instead of repeaters. And why the little blinken lights on
your
switch do not all blink at the same time but in pairs, because packets
are not on all segments simultaneously.

For heaven's sake admit you are wrong.
Switches are layer 2 devices and are transparent so everything is
visible whatever you claim.
VLAN switches are not as transparent.


Please dennis, stop making a fool of yourself and READ UP on how they
work.

It's embarrassing.

A layer two router is a switch and it's NOT transparent.


I can assure you that you can ping every device connected to a switch
just as though they were connected to the same segment of ethernet.

So what? That's because they route the pings. I can ping almost every
device on the internet. That doesn't mean I can read every packet on the
internet...


Hmmm, it's interesting that TNP has romped off on a tangent about whether
a switch will leak information flowing between two ports to other ports
not involved in the discussion (which generally it won't unless
instructed to port mirror), as if that alone will provide security.


I didn't say that at all.

PLEASE read what I am saying. I have said all along that I can't see
what the point of 'secure house networks' is, and that the claims that
'VLAN segregates traffic' are in fact silly, because a normal switch
does that too.

But switches DO provide security. Maybe you haven't used a packet
sniffer on a coaxial ethernet network, but I have. You can read every
packet between every machine passively. You can do that with a wifi
password as well. That simply can't be done with a switch unless you
have a backdoor into the switch.


It's
missing the elephant in the room that the switch will allow any device
on any port to make contact with any other device irrespective of the
port it's attached to, the IP subnet it's on, or for that matter even the
higher level protocol being used.


In principle yes, *if it is actively configured especially to do so*.

My point is by the time you have someone who can do that inside your
home network, security is gone anyway.





So yes a switch may make it harder


*impossible*

for the outsider to eavesdrop on the
*established conversation between a PC and NAS for example. However it
will happily allow the outsider to talk to the PC or the NAS directly,
which makes the former a bit of a moot point.

Well hello.

I can talk to any web server on the internet directly too, but guess
what, they all have passwords that people can't read or use because they
too can't intercept established traffic... or it's encrypted.



And just because it's perfectly possible to send a broadcast and get a
response back from every ethernet device on a given network doesn't
mean that all those devices receive traffic OTHER than broadcasts on a
routine basis.

How does that equate with your claim a switch will stop things talking
to each other?


I didn't say it would stop these talking to each other dennis. I said
that traffic between devices is not available to other devices and does
not occupy their segments.

Don't straw man me.


ISTR dennis said:

A VLAN will stop a device on one port talking to a device on another
port using a plain switch will not!


Which is true....

TNP countered that

Actually it will.


Which is clearly not true.


It is in the context of what was under discussion.

That dennis was maintaining that all traffic was available on all
segments simultaneously.



Well, why don't *you* actually use Google to check what you are saying
before you make a fool of yourself?


When in glass houses?




--
How fortunate for governments that the people they administer don't think.

Adolf Hitler



  #106   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 5,168
Default Cat5e or what?

On 30/01/2016 09:50, The Natural Philosopher wrote:
On 30/01/16 02:48, John Rumm wrote:
On 30/01/2016 00:38, The Natural Philosopher wrote:
On 30/01/16 00:25, dennis@home wrote:
On 29/01/2016 23:44, The Natural Philosopher wrote:
On 29/01/16 18:04, dennis@home wrote:
On 29/01/2016 17:02, The Natural Philosopher wrote:
On 29/01/16 16:44, dennis@home wrote:
On 29/01/2016 14:34, The Natural Philosopher wrote:

8<

A VLAN will stop a device on one port talking to a device on
another
port using a plain switch will not!

Actually it will.

No it won't!
Just download an IP address scanner app and it will find everything
(using IP) on any port.

Dennis. PLEASE read up about how a switch works, and why we HAVE
switches instead of repeaters. And why the little blinken lights on
your
switch do not all blink at the same time but in pairs, because packets
are not on all segments simultaneously.

For heaven's sake admit you are wrong.
Switches are layer 2 devices and are transparent so everything is
visible whatever you claim.
VLAN switches are not as transparent.


Please dennis, stop making a fool of yourself and READ UP on how they
work.

It's embarrassing.

A layer two router is a switch and it's NOT transparent.


I can assure you that you can ping every device connected to a switch
just as though they were connected to the same segment of ethernet.

So what? That's because they route the pings. I can ping almost every
device on the internet. That doesn't mean I can read every packet on the
internet...


Hmmm, it's interesting that TNP has romped off on a tangent about whether
a switch will leak information flowing between two ports to other ports
not involved in the discussion (which generally it won't unless
instructed to port mirror), as if that alone will provide security.


I didn't say that at all.

PLEASE read what I am saying. I have said all along that I can't see
what the point of 'secure house networks' is, and that the claims that
'VLAN segregates traffic' are in fact silly, because a normal switch
does that too.


Why do we want to read your attempts to divert attention away from what
I said and you disputed?


But switches DO provide security. Maybe you haven't used a packet
sniffer on a coaxial ethernet network, but I have. You can read every
packet between every machine passively. You can do that with a wifi
password as well. That simply can't be done with a switch unless you
have a backdoor into the switch.


But you are the only one talking about doing that.
And even on switches without port mirroring you can spoof the MAC
address and intercept traffic if you know what you are doing.

It's
missing the elephant in the room that the switch will allow any device
on any port to make contact with any other device irrespective of the
port it's attached to, the IP subnet it's on, or for that matter even the
higher level protocol being used.


In principle yes, *if it is actively configured especially to do so*.


You do understand that most switches have no configuration options and
do allow any device to talk to any other device connected to them.

The ones that can be configured to stop it are those that use VLANs to
do so.


My point is by the time you have someone who can do that inside your
home network, security is gone anyway.


If it's using a managed switch and VLANs they aren't inside your home
network.

So yes a switch may make it harder


*impossible*

for the outsider to eavesdrop on the
*established conversation between a PC and NAS for example. However it
will happily allow the outsider to talk to the PC or the NAS directly,
which makes the former a bit of a moot point.

Well hello.

I can talk to any web server on the internet directly too, but guess
what, they all have passwords that people can't read or use because they
too can't intercept established traffic... or it's encrypted.


Irrelevant argument added to try and obscure your original wrong claim.




And just because it's perfectly possible to send a broadcast and get a
response back from every ethernet device on a given network doesn't
mean that all those devices receive traffic OTHER than broadcasts
on a
routine basis.

How does that equate with your claim a switch will stop things talking
to each other?


I didn't say it would stop these talking to each other dennis. I said
that traffic between devices is not available to other devices and does
not occupy their segments.

Don't straw man me.


ISTR dennis said:

A VLAN will stop a device on one port talking to a device on another
port using a plain switch will not!


Which is true....

TNP countered that

Actually it will.


Which is clearly not true.


It is in the context of what was under discussion.


The context is shown for all and you were wrong so admit it.


That dennis was maintaining that all traffic was available on all
segments simultaneously.


I have never mentioned traffic, let alone it being on all ports.
Traffic isn't the issue, that is just some smoke you have introduced to
try and hide your lack of knowledge.



  #107   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 116
Default Cat5e or what?

The Natural Philosopher wrote:

the claims that 'VLAN segregates traffic' are in fact silly, because
a normal switch does that too.


But the level of segregation is different ...

All switches *try* to avoid forwarding packets to ports where they're
not needed, a VLAN switch *prevents* packets reaching ports other than
those they're configured to reach.

But switches DO provide security. Maybe you haven't used a packet
sniffer on a coaxial ethernet network, but I have. You can read every
packet between every machine passively. You can do that with a wifi
password as well. That simply can't be done with a switch unless you
have a backdoor into the switch.


MAC flooding, ARP spoofing.

  #108   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 13,431
Default Cat5e or what?

On Sat, 30 Jan 2016 09:50:38 +0000, The Natural Philosopher
wrote:


On Fri, 29 Jan 2016 16:44:37 +0000, dennis@home wrote:
A VLAN will stop a device on one port talking to a device on another
port using a plain switch will not!


PLEASE read what I am saying. I have said all along that I can't see
what the point of 'secure house networks' is,


Translation: I don't / didn't understand the meaning of 'VLAN'.

and that the claims that
'VLAN segregates traffic' are in fact silly, because a normal switch
does that too.


No it doesn't (as you have now been told several times) in the context
under discussion and the fact that you think it's silly doesn't negate
that fact.

We are (even if you aren't) in this instance specifically talking
about the logical segmentation of groups of ports on a single 'switch'
so that (for example) a device in port group A may not be allowed to
see a device in port group B. It could be as if there were two
completely separate switches. The VLAN in that instance is being used
to 'isolate' two logically separate groups, whilst all sharing the
same physical cables and hardware.

A VLAN could also be used to 'join' disparate workstations spread
across a range of equipment, like a 'workgroup'.

snip further waffling

Cheers, T i m
  #109   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default Cat5e or what?

On 30/01/2016 09:50, The Natural Philosopher wrote:
On 30/01/16 02:48, John Rumm wrote:
On 30/01/2016 00:38, The Natural Philosopher wrote:
On 30/01/16 00:25, dennis@home wrote:
On 29/01/2016 23:44, The Natural Philosopher wrote:
On 29/01/16 18:04, dennis@home wrote:
On 29/01/2016 17:02, The Natural Philosopher wrote:
On 29/01/16 16:44, dennis@home wrote:
On 29/01/2016 14:34, The Natural Philosopher wrote:

8<

A VLAN will stop a device on one port talking to a device on
another
port using a plain switch will not!

Actually it will.


So here you claim a plain switch will STOP a device on one port talking
to another in the same way that one using VLANs will. Are you still
making that claim or would you like to change your mind?

No it won't!
Just download an IP address scanner app and it will find everything
(using IP) on any port.


Then dennis highlighted that you IP scan everything on a switch.

Dennis. PLEASE read up about how a switch works, and why we HAVE
switches instead of repeaters. And why the little blinken lights on
your
switch do not all blink at the same time but in pairs, because packets
are not on all segments simultaneously.


You then replied with a non-sequitur of no actual relevance. The fact
that the switch will route packets to their most appropriate port(s),
has nothing to do with whether an IP scan can establish communications
with things attached to every port.

For heaven's sake admit you are wrong.
Switches are layer 2 devices and are transparent so everything is
visible whatever you claim.
VLAN switches are not as transparent.


Please dennis, stop making a fool of yourself and READ UP on how they
work.


But his statement is patently correct. A plain switch is a transparent
routing device.

Do you really have to be so shouty and argumentative when it should be
clear there are plenty of people other than yourself who understand how
this stuff works?

It's not dennis looking foolish here.


It's embarrassing.

A layer two router is a switch and it's NOT transparent.


Since it does not prevent any device on any port talking to any device
on any other port, how are you defining transparency?

I can assure you that you can ping every device connected to a switch
just as though they were connected to the same segment of ethernet.

So what? That's because they route the pings. I can ping almost every
device on the internet. That doesn't mean I can read every packet on the
internet...


red herring time I see.

The original point was that having a lan segment accessible to
outsiders, will compromise the lan security because it will allow the
outsiders to communicate with devices on the lan. It was highlighted
that using VLANs can prevent this, and you were the one claiming that a
normal switch will also do this.

You seem to be attempting this feat of cognitive dissonance by putting
your blinkers on, and considering one a restrictive use case where an
attacker would like to eavesdrop on a conversation running between two
other hosts. Arguing that because a switch does not behave as a dumb
repeating hub, its harder for an attacker to do this. The fact that this
last point is true, does not invalidate the point that the switch does
not stop the outsider having its own conversations with any other device.

Hmmm, it's interesting that TNP has romped off on a tangent about whether
a switch will leak information flowing between two ports to other ports
not involved in the discussion (which generally it won't unless
instructed to port mirror), as if that alone will provide security.


I didn't say that at all.

PLEASE read what I am saying.


I have, you keep subtly shifting your position. We have noticed. Your words:

"I can ping almost every device on the internet. That doesn't mean I can
read every packet on the internet"

I agree with the statement, but fail to see the relevance.

I have said all along that I can't see
what the point of 'secure house networks' is,


That is a separate issue. In many cases there is no point, in others
there may be.

and that the claims that
'VLAN segregates traffic' are in fact silly,


are in fact also correct, that's what VLANs do.

because a normal switch
does that too.


Not in any practical security sense.

But switches DO provide security. Maybe you haven't used a packet
sniffer on a coaxial ethernet network, but I have. You can read every
packet between every machine passively. You can do that with a wifi
password as well. That simply can't be done with a switch unless you
have a backdoor into the switch.


I understand the point you are making, and you are correct in the sense
that the default action of the switch is as you describe. You should
also however accept that there are a number of ways of changing this
default behaviour if you actually want to sniff traffic between hosts.

More importantly you should also accept that once a host is connected to
a non VLAN switch, that LAN is now fully accessible to the host, the
switch will offer up no protection to stop the host either initiating
contact with any other host or receiving contact from any other host.
This is *different* from VLAN segregated traffic, where you have in effect
partitioned the network into two (or more) discrete LANs that behave as
if they are not even physically connected to each other.

It's
missing the elephant in the room that the switch will allow any device
on any port to make contact with any other device irrespective of the
port it's attached to, the IP subnet it's on, or for that matter even the
higher level protocol being used.


In principle yes, *if it is actively configured especially to do so*.


A dumb switch with no configuration (or for that matter even the ability
to be configured) will also function as I describe.

My point is by the time you have someone who can do that inside your
home network, security is gone anyway.


Actually that was the point others were originally making to you.

So yes a switch may make it harder


*impossible*


No not at all. Lob it a few (fake) ARP replies, do a bit of IP spoofing,
play about with spanning tree configurations, tell it to port mirror,
play about with multicast groups etc, There are plenty of ways of
getting it to leak data. However none of that is the issue originally
being discussed.

for the outsider to eavesdrop on the
*established conversation between a PC and NAS for example. However it
will happily allow the outsider to talk to the PC or the NAS directly,
which makes the former a bit of a moot point.

Well hello.

I can talk to any web server on the internet directly too,. but guess
what, they all have passwords that people cant read or use because they
too cant intercept established traffic..or its encrypted.


again more straw men...

If we assume that the internet is at least partly made up of devices
that are fully intended to have public visibility and are expecting
random computers to attempt to talk to them (and hopefully are hardened
to resist attack), you will hopefully see this is a different scenario
from machines on what is expected to be a private LAN, which even if
connected to the internet is inside a secure perimeter.

ISTR dennis said:

A VLAN will stop a device on one port talking to a device on another
port using a plain switch will not!


Which is true....

TNP countered that

Actually it will.


Which is clearly not true.


It is in the context of what was under discussion.

That dennis was maintaining that all traffic was available on all
segments simultaneously.


Could you highlight where you believe he made that claim?


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk                      |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk                     |
\=================================================================/
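A small simulation of the forwarding behaviour argued over above, added here as an illustration and not code from anyone in the thread: a learning switch keyed on (VLAN, MAC), with the port layout from Theo's earlier diagram (port 1 doorbell on VLAN 123, port 2 accounts on VLAN 456, port 3 tagged link to the other switch); the MAC addresses are made up. Run with the VLAN logic off it shows both halves of the argument: a unicast between two hosts is not copied to uninvolved ports once their addresses are learned, yet any port can still reach any other; with the VLAN logic on, a frame from VLAN 123 never reaches a VLAN 456 port at all.

```python
"""Learning switch simulation: plain switch versus VLAN-aware switch.

Constructed illustration; the port layout follows the doorbell/accounts
example used earlier in this thread, and the MAC addresses are made up.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
DOORBELL = "02:00:00:00:01:23"   # constructed MAC of the doorbell on port 1
ACCOUNTS = "02:00:00:00:04:56"   # constructed MAC of the accounts PC on port 2
REMOTE = "02:00:00:00:0f:fe"     # constructed MAC of a host behind the uplink


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: Optional[int] = None   # 802.1Q tag; None means untagged


@dataclass(frozen=True)
class Port:
    number: int
    pvid: int = 1                          # VLAN given to untagged frames arriving here
    trunk: bool = False                    # trunk ports carry tagged frames only
    tagged_vlans: FrozenSet[int] = frozenset()


class Switch:
    """Transparent learning bridge; VLAN checks apply only when vlan_aware is True."""

    def __init__(self, ports: List[Port], vlan_aware: bool) -> None:
        self.ports: Dict[int, Port] = {p.number: p for p in ports}
        self.vlan_aware = vlan_aware
        self.mac_table: Dict[tuple, int] = {}   # (vlan, mac) -> port it was learned on

    def _ingress_vlan(self, port: Port, frame: Frame) -> Optional[int]:
        if not self.vlan_aware:
            return 1                       # a plain switch is one flat broadcast domain
        if port.trunk:
            if frame.vlan is None or frame.vlan not in port.tagged_vlans:
                return None                # untagged or unknown tag on a trunk: drop
            return frame.vlan
        return port.pvid

    def _members(self, vlan: int, exclude: int) -> Iterator[int]:
        """Ports a frame in this VLAN may be flooded to (never back out the ingress port)."""
        for p in self.ports.values():
            if p.number == exclude:
                continue
            if not self.vlan_aware or p.pvid == vlan or (p.trunk and vlan in p.tagged_vlans):
                yield p.number

    def receive(self, in_port: int, frame: Frame) -> Dict[int, Frame]:
        """Forward one frame; return {egress port: frame as delivered on that port}."""
        vlan = self._ingress_vlan(self.ports[in_port], frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame.src_mac)] = in_port          # learn the sender
        known = self.mac_table.get((vlan, frame.dst_mac))
        if known is None:
            targets = list(self._members(vlan, in_port))         # unknown unicast/broadcast: flood
        elif known == in_port:
            targets = []                                         # destination sits on the ingress port
        else:
            targets = [known]                                    # known unicast: one port only
        delivered = {}
        for n in targets:
            tag = vlan if (self.vlan_aware and self.ports[n].trunk) else None
            delivered[n] = Frame(frame.src_mac, frame.dst_mac, tag)
        return delivered


def build_switch(vlan_aware: bool) -> Switch:
    # Port 1 = doorbell (VLAN 123), port 2 = accounts (VLAN 456), port 3 = tagged link to switch B
    return Switch([Port(1, pvid=123), Port(2, pvid=456),
                   Port(3, trunk=True, tagged_vlans=frozenset({123, 456}))], vlan_aware)


def run_scenario(vlan_aware: bool) -> Dict[str, List[int]]:
    """Which ports see each frame of a short exchange, as sorted port-number lists."""
    sw = build_switch(vlan_aware)
    out = {}
    # 1. doorbell broadcasts (e.g. ARP): plain switch floods every other port,
    #    VLAN switch floods only VLAN 123 members (here just the tagged uplink)
    out["doorbell_broadcast"] = sorted(sw.receive(1, Frame(DOORBELL, BROADCAST)))
    # 2. accounts PC replies: the switch learns its MAC on port 2
    out["accounts_reply"] = sorted(sw.receive(2, Frame(ACCOUNTS, DOORBELL)))
    # 3. doorbell sends a unicast to the accounts PC: plain switch delivers it to
    #    port 2 alone (no copy to port 3); VLAN switch never lets it reach port 2
    out["doorbell_to_accounts"] = sorted(sw.receive(1, Frame(DOORBELL, ACCOUNTS)))
    # 4. frame arriving on the uplink tagged VLAN 456 goes untagged to the accounts port
    out["uplink_tagged_456"] = sorted(sw.receive(3, Frame(REMOTE, ACCOUNTS, vlan=456)))
    # 5. an untagged frame on the trunk is discarded by the VLAN-aware switch
    out["uplink_untagged"] = sorted(sw.receive(3, Frame(REMOTE, ACCOUNTS)))
    return out


if __name__ == "__main__":
    for aware in (False, True):
        print("VLAN-aware" if aware else "Plain switch", run_scenario(aware))
```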
  #110   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,264
Default Cat5e or what?

The Natural Philosopher wrote:
PLEASE read what I am saying. I have said all along that I can't see
what the point of 'secure house networks' is, and that the claims that
'VLAN segregates traffic' are in fact silly, because a normal switch
does that too.

But switches DO provide security. Maybe you haven't used a packet
sniffer on a coaxial ethernet network, but I have. You can read every
packet between every machine passively. You can do that with a wifi
password as well. That simply can't be done with a switch unless you
have a backdoor into the switch.


Fun though this discussion is, the point about switches v hubs is a settled
one. I don't think you can actually buy a hub for modern networking. I
think they may exist for 100M ethernet, but I haven't seen one. They don't
exist for gigabit, and definitely not for 10G. The argument is one of 20
years ago. But, as has been pointed out, it doesn't take much to trick a
switch into sending you traffic - you just need to be active rather than a
passive listener. VLANs prevent that.

Anyway, let's get this back to DIY. The question of how this is relevant to
'secure home networks' is that it can dig you out of a hole of not having
enough wiring. If you want to run different networks over the same physical
wire, VLANs will do that. It won't help if they aren't ethernet, and it
won't help if you are constrained by bandwidth (but you could run the
inter-switch link at 2.5/5/10G if the wiring was up to it), but otherwise
'not enough cables' is something it'll handle. It's the alternative to
chasing another hole in the plaster.

Why do you need 'different networks'? Security and bandwidth management.
As more stuff goes IP, you don't necessarily want to throw it down one 'best
effort' pipe, where it all gets mixed up together. Some things are more
important, both in security and traffic priority. You don't want the kids
hammering BitTorrent to knock out the phones or the CCTV.

Theo


  #111   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 4,069
Default Cat5e or what?

In article , Andy Burns wrote:

MAC flooding, ARP spoofing.


On some managed models, port(s) can be put into promiscuous mode, seeing
everything that passes through the switch.

--
(\_/)
(='.'=) Bunny says: Windows 10? No thanks!
(")_(")
  #112   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 116
Default Cat5e or what?

Mike Tomlinson wrote:

On some managed models, port(s) can be put into promiscuous mode, seeing
everything that passes through the switch.


Yes, but an attacker has to get admin control of the switch to enable
mirroring/spanning, which usually requires access to another port.

  #113   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default Cat5e or what?

On 30/01/2016 13:26, Mike Tomlinson wrote:
In article , Andy Burns wrote:

MAC flooding, ARP spoofing.


On some managed models, port(s) can be put into promiscuous mode, seeing
everything that passes through the switch.


You are starting to see that as a common option even on relatively low
end domestic kit as well now.


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk                      |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk                     |
\=================================================================/
  #114   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 2,853
Default Cat5e or what?

On 29/01/2016 23:50, The Natural Philosopher wrote:
Well yes, but would you REALLY have a live access to your internal
network on a CAT 5 socket outside your front door?


Maybe not (although IP cams are quite common these days) - but I'm
pretty sure the wires out to the shed could be cut and spliced to
somewhere else.

Andy
  #115   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,491
Default Cat5e or what?

On Wed, 27 Jan 2016 15:10:41 +0000, T i m wrote:

On Wed, 27 Jan 2016 13:28:05 +0000, F news@nowhere wrote:

snip

When I upgraded my switch from 100M to Gb, I monitored the network
usage and the general time taken to do stuff. Given that the ends were
Gb and the cables short and able to support such, I can't say I really
saw much difference in the overall throughput, suggesting any
bottlenecks were elsewhere (like HDD access etc).

I think I looked into it and think I remember the use of a higher
performance NIC in the server, the basic 'on board' solutions weren't
typically very efficient?


Pushing a 50GB file across the 25M of Cat 6 to the Proliant G8 server in
the garage I get a transfer speed of ~600Mbps.


I'll have to test mine but being yours is a 'real' server (focused on
i/o and not economy like mine) it is likely to be much better than any
generic PC hardware running as a server.


That won't necessarily be true. For several years, I tried just about
every trick I could to get the data transfer rates between my NAS4Free
box and my win2k desktop machine (connected via 2 or 3 metres worth of
CAT5 in total using an 8 port Netgear GBit switch) above 60MB/s (circa
500Mbps). Both machines were using 2010 vintage MoBos with built in GBit
lan ports and dual core CPUs.

The CrystalDiskMark results were interesting in that sustained large
sequential transfer rates hovered around the 75MB/s mark for any of the
four disks in the NAS box (mapped to local drive letters) almost without
regard to any real world stop watch timed benchmarked improvements I was
able to make.

The biggest improvement arose out of replacing the single core Sempron
in the NAS box with a dual core Athlon 64 chip (I was already using a
dual core 3.1GHz Phenom in the desktop PC) along with enabling the "Cool
'n' Quiet" feature and allowing N4F's excellent power management to work
its magic (I'd initially disabled this feature and slightly underclocked
and undervolted the Sempron to keep the power consumption down - it
turned out that by allowing N4F's power management to function, I was
able to achieve the same power saving - that is for the 99.9% of the time
it was just idling).

Eventually, I raised the write speed (from desktop to NAS) to a dizzying
64MB/s and the read speed to a more modest 58MB/s (I never did figure why
the write performance was so notably better than the write performance -
just one of life's many mysteries I guess). I did see an improvement
early on when using jumbo frame working until jumbo frames became
deprecated to the point of no longer being supported by the FreeBSD devs
not long after that last hardware upgrade back around 2010.

Nearly two years ago now, I had an opportunity to benchmark using a
customer's win7 desktop machine which had a decent specification. This
was a real eye opener! The connection still used the same 8 port Gbit
switch, only the cat5 segment to the workbench involved an extra 10 or 15
metres of cable. Testing using 10GB's worth of large media files (500GB
to 2000GB in size) showed an average speed of circa 85MB/s each way using
stopwatch timings. Even more revealing was the fact that before the disk
ram caches filled up, the win7 PC reported 120 odd MB/s transfer rates
for the 2 or 3 seconds it took before the disk transfer rates throttled
it back to the 85 to 90 MB/s mark.

I didn't bother changing the CIFS/SMB protocol from type 1 (optimised
for win2k / XP) to type 2 (optimised for win7 / 8). Seeing it reach so
close to the theoretical max of 125MB/s before hitting the disk i/o limit
of 85MB/s made such a test moot.

It turned out that the 64MB/s writing speed limit I'd been trying to
improve upon for the previous 3 years or so had been nothing to do with
the NAS box and everything to do with limitations in win2k's networking
driver code. Believe me, I lost count of the number of 'tuning sessions'
I'd tried to improve networking performance (it wasn't a hardware issue -
the desktop hardware had an even higher spec than the NAS box).

Having tested with a decently specced win7 box, I could rest assured
that the NAS4Free box was quite capable of maxing out the Gigabit link
and not in need of any further network performance tuning. It's also
worth remembering that the micro ATX SATA 2 MoBo (now some six years old)
used in the NAS was nothing special (other than having a built in Gbit
LAN port). Plus, it's also worth keeping in mind that CIFS/SMB
performance in BSD blows Linux into the weeds (at least twice as fast
compared to using a Linux based NAS box - and the same applies the other
way round when Linux is running as a client machine).


--
Johnny B Good


  #116   Posted to uk.d-i-y   Cat5e or what?

On Mon, 01 Feb 2016 00:49:56 GMT, Johnny B Good
wrote:

On Wed, 27 Jan 2016 15:10:41 +0000, T i m wrote:

snip

I'll have to test mine but being yours is a 'real' server (focused on
i/o and not economy like mine) is likely to be much better than any
generic PC hardware running as a server.


That won't necessarily be true. For several years, I tried just about
every trick I could to get the data transfer rates between my NAS4Free
box and my win2k desktop machine (connected via 2 or 3 metres worth of
CAT5 in total using an 8 port Netgear GBit switch) above 60MB/s (circa
500Mbps). Both machines were using 2010 vintage MoBos with built in GBit
lan ports and dual core CPUs.

The CrystalDiskMark results were interesting in that sustained large
sequential transfer rates hovered around the 75MB/s mark for any of the
four disks in the NAS box (mapped to local drive letters) almost without
regard to any real world stop watch timed benchmarked improvements I was
able to make.

The biggest improvement arose out of replacing the single core Sempron
in the NAS box with a dual core Athlon 64 chip


snip more interesting stuff for brevity

That would reinforce what I was thinking regarding the poor i/o of a
'std' (onboard NIC) compared with one focused on efficient / low CPU
involvement / server orientated NIC?

Transferring data is a very I/O based task and therefore shouldn't
require much in the way of CPU. So, as long as the hardware involved
was self sufficient (could use DMA etc) then it should offload much of
the CPU load onto the Ethernet card itself (and why they sell such
cards for 'servers' presumably)?

Network *and* any hard disk controllers may help.

http://www.intel.com/content/www/us/en/ethernet-products/gigabit-server-adapters/overview.html

Cheers, T i m
  #117   Posted to uk.d-i-y   Cat5e or what?

On 01/02/2016 08:25, T i m wrote:
On Mon, 01 Feb 2016 00:49:56 GMT, Johnny B Good
wrote:

On Wed, 27 Jan 2016 15:10:41 +0000, T i m wrote:

snip

I'll have to test mine but being yours is a 'real' server (focused on
i/o and not economy like mine) is likely to be much better than any
generic PC hardware running as a server.


That won't necessarily be true. For several years, I tried just about
every trick I could to get the data transfer rates between my NAS4Free
box and my win2k desktop machine (connected via 2 or 3 metres worth of
CAT5 in total using an 8 port Netgear GBit switch) above 60MB/s (circa
500Mbps). Both machines were using 2010 vintage MoBos with built in GBit
lan ports and dual core CPUs.

The CrystalDiskMark results were interesting in that sustained large
sequential transfer rates hovered around the 75MB/s mark for any of the
four disks in the NAS box (mapped to local drive letters) almost without
regard to any real world stop watch timed benchmarked improvements I was
able to make.

The biggest improvement arose out of replacing the single core Sempron
in the NAS box with a dual core Athlon 64 chip


snip more interesting stuff for brevity

That would reinforce what I was thinking regarding the poor i/o of a
'std' (onboard NIC) compared with one focused on efficient / low CPU
involvement / server orientated NIC?

Transferring data is a very I/O based task and therefore shouldn't
require much in the way of CPU. So, as long as the hardware involved
was self sufficient (could use DMA etc) then it should offload much of
the CPU load onto the Ethernet card itself (and why they sell such
cards for 'servers' presumably)?

Network *and* any hard disk controllers may help.


My laptop will get to 80MBytes/sec to the Synology ds215j.

That is despite the network being a gig nic on USB3.
The CPU hovers in the low teens so the workload isn't high.
The nic has never exceeded 80% link capacity so I expect that's the limit.
Now if I had a suitable wifi router it could do better in theory.

Writes should be quicker as the NAS can cache them and write them to
disk in optimal order. It can't always know what to read ahead so it
can't optimise the reads as easily. However frequently writes are slower
and that's probably poor file system optimisation (they are probably
still using ext3 rather than a more recent one).
  #118   Posted to uk.d-i-y   Cat5e or what?

T i m wrote:
That would reinforce what I was thinking regarding the poor i/o of a
'std' (onboard NIC) compared with one focused on efficient / low CPU
involvement / server orientated NIC?

Transferring data is a very I/O based task and therefore shouldn't
require much in the way of CPU. So, as long as the hardware involved
was self sufficient (could use DMA etc) then it should offload much of
the CPU load onto the Ethernet card itself (and why they sell such
cards for 'servers' presumably)?


Yes... Intel NICs are the gold standard, they're also less fussy about
drivers because they do more in hardware. Realtek and Marvell NICs are
cheaper and leave more to software.

You can often get Intel NICs for cheap (about a tenner) if you look at
ex-server cards on ebay - some are branded HP, Dell or whatever but look for
the ones with Intel chips.

However if the PC is recent it probably has an Intel NIC as part of the
chipset, so the motherboard may already have that sorted.

Theo
  #119   Posted to uk.d-i-y   Cat5e or what?

On 01 Feb 2016 22:00:10 +0000 (GMT), Theo
wrote:

T i m wrote:
That would reinforce what I was thinking regarding the poor i/o of a
'std' (onboard NIC) compared with one focused on efficient / low CPU
involvement / server orientated NIC?

Transferring data is a very I/O based task and therefore shouldn't
require much in the way of CPU. So, as long as the hardware involved
was self sufficient (could use DMA etc) then it should offload much of
the CPU load onto the Ethernet card itself (and why they sell such
cards for 'servers' presumably)?


Yes... Intel NICs are the gold standard, they're also less fussy about
drivers because they do more in hardware.


Makes sense.

Realtek and Marvell NICs are
cheaper and leave more to software.


Like 'Winmodems' ;-)

You can often get Intel NICs for cheap (about a tenner) if you look at
ex-server cards on ebay - some are branded HP, Dell or whatever but look for
the ones with Intel chips.


Ok, good tip, thanks.

However if the PC is recent it probably has an Intel NIC as part of the
chipset, so the motherboard may already have that sorted.


They may of course ... but what are the chances of an integrated NIC
(even an Intel one) being as capable (on a desktop board specifically)
as an add-on card, in the same way onboard video is rarely as capable
as even the simplest add-on video card (demonstrated by the size (lack
of?) of any heatsinks on the on-board video solutions)?

OOI, is there a utility that is good for doing such network throughput
tests or is it more 'real world' to transfer a largish block of data
(as I believe you mention previously) and just time the result?

Cheers, T i m


  #120   Posted to uk.d-i-y   Cat5e or what?



"T i m" wrote in message
...
On 01 Feb 2016 22:00:10 +0000 (GMT), Theo
wrote:

T i m wrote:
That would reinforce what I was thinking regarding the poor i/o of a
'std' (onboard NIC) compared with one focused on efficient / low CPU
involvement / server orientated NIC?

Transferring data is a very I/O based task and therefore shouldn't
require much in the way of CPU. So, as long as the hardware involved
was self sufficient (could use DMA etc) then it should offload much of
the CPU load onto the Ethernet card itself (and why they sell such
cards for 'servers' presumably)?


Yes... Intel NICs are the gold standard, they're also less fussy about
drivers because they do more in hardware.


Makes sense.

Realtek and Marvell NICs are
cheaper and leave more to software.


Like 'Winmodems' ;-)

You can often get Intel NICs for cheap (about a tenner) if you look at
ex-server cards on ebay - some are branded HP, Dell or whatever but look
for
the ones with Intel chips.


Ok, good tip, thanks.

However if the PC is recent it probably has an Intel NIC as part of the
chipset, so the motherboard may already have that sorted.


They may of course ... but what are the chances of an integrated NIC
(even an Intel one) being as capable (on a desktop board specifically)
as an add-on card,


OTOH the integrated NIC does better bandwidth-wise to the motherboard ram.

in the same way onboard video is rarely as capable as even
the simplest add-on video card (demonstrated by the size
(lack of?) of any heatsinks on the on-board video solutions)?


That's a different issue and the highest performance video
cards cost more than the entire motherboard, for a reason.

OOI, is there a utility that is good for doing such network throughput
tests or is it more 'real world' to transfer a largish block of data
(as I believe you mention previously) and just time the result?
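Added example (editor's code, not from any poster in this thread): a small
throughput meter that does what T i m asks about and what Johnny B Good did
by stopwatch, but with timestamps per chunk so that the first few seconds of
cache-assisted burst (the "120-odd MB/s for 2 or 3 seconds") can be told
apart from the rate the disks actually sustain. Assumptions: decimal MB/s
(10^6 bytes) as used in the thread, a 1500-byte MTU with TCP timestamps so
that roughly 1448 of every 1538 bytes on the wire are payload (about 117.7
MB/s usable on Gigabit), and a socketpair standing in for the real link in
the demo, which therefore exercises the meter rather than a NIC. The
`well_below_link_ceiling` threshold is an arbitrary heuristic.

```python
"""Time a bulk transfer and separate the initial cache-assisted burst
from the sustained rate (added example; assumptions are noted inline)."""
import socket
import threading
import time

# Decimal units throughout, matching the thread's figures: 1 MB = 10**6 bytes,
# so 1000 Mbps = 125 MB/s raw line rate on Gigabit Ethernet.
GIGABIT_MB_S = 1000.0 / 8

# Assumed TCP payload fraction at a 1500-byte MTU: 1448 bytes of data (with
# TCP timestamps) per 1538 bytes on the wire (preamble, headers, FCS,
# inter-frame gap), so about 117.7 MB/s is the realistic ceiling.
GIGABIT_PAYLOAD_MB_S = GIGABIT_MB_S * 1448 / 1538


def mb_per_s(nbytes, seconds):
    return nbytes / seconds / 1e6


def to_mbps(mb_s):
    return mb_s * 8


def link_utilisation(mb_s, link_mb_s=GIGABIT_MB_S):
    return mb_s / link_mb_s


class ThroughputMeter:
    """Records (elapsed seconds, cumulative bytes) as chunks arrive."""

    def __init__(self):
        self.samples = []
        self.t0 = 0.0

    def start(self, now=None):
        self.t0 = time.perf_counter() if now is None else now
        self.samples = [(0.0, 0)]

    def record(self, nbytes, now=None):
        t = (time.perf_counter() if now is None else now) - self.t0
        self.samples.append((t, self.samples[-1][1] + nbytes))

    def average_mb_s(self):
        t, b = self.samples[-1]
        return mb_per_s(b, t) if t > 0 else 0.0

    def windowed_mb_s(self, window=1.0):
        """Rate in each whole `window`-second slice; a trailing partial
        slice is dropped so it cannot skew the result."""
        total_t = self.samples[-1][0]
        nbuckets = int(total_t // window)
        if nbuckets == 0:
            return [self.average_mb_s()]
        buckets = [0] * nbuckets
        for (t_prev, b_prev), (_, b) in zip(self.samples, self.samples[1:]):
            k = int(t_prev // window)  # slice in which this chunk started
            if k < nbuckets:
                buckets[k] += b - b_prev
        return [mb_per_s(x, window) for x in buckets]

    def burst_vs_sustained(self, window=1.0):
        """Peak single-window rate (the RAM-cache burst) versus the mean of
        the second half of the run (what the disks actually keep up with)."""
        rates = self.windowed_mb_s(window)
        tail = rates[len(rates) // 2:]
        return max(rates), sum(tail) / len(tail)


def meter_receive(rx, nbytes, chunk=1 << 20):
    """Drain `nbytes` from a connected socket, metering every recv()."""
    meter = ThroughputMeter()
    meter.start()
    received = 0
    while received < nbytes:
        data = rx.recv(chunk)
        if not data:
            break
        received += len(data)
        meter.record(len(data))
    return received, meter


def loopback_transfer(nbytes=32 * 1024 * 1024, chunk=1 << 20):
    """Demo over a socketpair: it measures the meter, not a NIC. Hand
    meter_receive() a TCP socket connected to the NAS to test a real link."""
    tx, rx = socket.socketpair()

    def sender():
        buf = b"\0" * chunk
        left = nbytes
        while left > 0:
            n = min(left, chunk)
            tx.sendall(buf[:n])
            left -= n
        tx.close()

    th = threading.Thread(target=sender, daemon=True)
    th.start()
    received, meter = meter_receive(rx, nbytes, chunk)
    th.join()
    rx.close()
    return received, meter


def report(meter):
    avg = meter.average_mb_s()
    peak, sustained = meter.burst_vs_sustained()
    return {
        "average_MB_s": avg,
        "average_Mbps": to_mbps(avg),
        "peak_window_MB_s": peak,
        "sustained_MB_s": sustained,
        "link_utilisation": link_utilisation(avg),
        # Heuristic (assumption): sustained rate under 80% of the usable
        # ceiling points at disks, driver or CPU rather than the cable.
        "well_below_link_ceiling": sustained < 0.8 * GIGABIT_PAYLOAD_MB_S,
    }


if __name__ == "__main__":
    got, m = loopback_transfer()
    print(got, "bytes", report(m))
```

Run it against a real share by timing the copy with `meter_receive()` on a
TCP socket (or by feeding file-read chunk sizes into `ThroughputMeter.record()`
while copying from the mapped drive); a peak window well above the sustained
figure is the write cache filling, exactly the pattern described above, and a
sustained figure near 117 MB/s means the gigabit link, not the NAS, is the
limit.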


