Re: Restrictions on Ethernet L2 circuits?
Linen,
> As far as I'm concerned, enterprises should just connect their various sites to the Internet independently, and use VPN
> techniques if and where necessary to provide the illusion of a unified network. In practice, this illusion of a single
> large LAN (or rather, multiple organization-wide LANs) is very important to the typical enterprise, because so much
> security policy is enforced based on IP addresses. And the typical enterprise wants a central chokepoint that all traffic
> must go through, for reasons that might have to do with security, or support costs, or with (illusions of) control.
Most security policies are also based on "local" vs "remote" criteria. Most pieces of software believe that an access to a local IP is faster and safer than an access to an IP address somewhere else. Emulating means lying to someone, and if you start lying too much you can end up messing everything up.

I agree that enterprises should use WANs as WANs (i.e., IP routed networks) and not try to hide distance and security fragility from systems and security appliances. End-to-end VPN can be used in the very special cases where special security is needed, by means of strong VPN encryption.

It seems nice to have something that looks like a simple Ethernet cable. The problem is that it is *not* a simple cable, and will never be. Making the rest of the LAN believe that it is such a simple cable may raise huge trouble. Most LAN protocols have a degree of TRUST in LAN traffic. Any security expert will tell you that trust is your enemy.

Managing a router is a hassle? Oh, come on! If a net admin is unable to manage a simple subnet configuration and do some simple math with masks and prefixes, he had better find himself another job.

Take care,
A.B. Jr.
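The "local vs remote" trust decision the post describes, as an added illustration (this is not code from the list post or from any vendor): a host decides whether a peer is on-link purely from its own interface prefix, and an IP-keyed policy treats on-link peers as trusted. In a routed WAN, per-site prefixes carved out of one block (the mask-and-prefix math) keep a branch host "remote"; with an L2 circuit stretching one /24 across both sites, the same branch host passes the on-link test and is trusted as a LAN neighbour. The addressing plan (10.0.0.0/16 split into /24s), the site names and the rule set are assumptions made for the example.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Assumed enterprise block for the example; one /24 per site in the routed design.
ENTERPRISE = ip_network("10.0.0.0/16")


def carve_sites(parent, site_names, new_prefix=24):
    """Give each site its own prefix out of `parent` (the 'simple math with
    masks and prefixes' a routed WAN needs). Returns {site_name: IPv4Network}."""
    subnets = parent.subnets(new_prefix=new_prefix)
    return {name: next(subnets) for name in site_names}


def is_on_link(iface, peer):
    """The test an end host (and ARP) effectively applies: is `peer` inside my
    own interface prefix? Everything that passes is treated as a LAN neighbour."""
    return ip_address(str(peer)) in iface.network


def site_of(peer, sites):
    """Longest-prefix match of `peer` against the per-site prefixes.
    Returns the site name, or None if no site owns the address (e.g. Internet)."""
    addr = ip_address(str(peer))
    best = None
    for name, net in sites.items():
        if addr in net and (best is None or net.prefixlen > sites[best].prefixlen):
            best = name
    return best


def policy(iface, peer, sites):
    """A typical IP-keyed policy (assumed rule set): on-link peers are trusted
    outright, peers in another site's prefix are 'remote' and must come through
    the router chokepoint, everything else is denied."""
    if is_on_link(iface, peer):
        return "trusted-local"
    if site_of(peer, sites) is not None:
        return "remote-via-router"
    return "deny"


def routed_design():
    """Routed WAN: hq gets 10.0.0.0/24, branch gets 10.0.1.0/24.
    A branch host is visibly remote to an hq host."""
    sites = carve_sites(ENTERPRISE, ["hq", "branch"])
    hq_host = ip_interface(f"{sites['hq'][10]}/{sites['hq'].prefixlen}")
    branch_host = sites["branch"][20]          # 10.0.1.20, behind the WAN router
    return policy(hq_host, branch_host, sites)


def stretched_l2_design():
    """L2 circuit between the sites: one broadcast domain, one /24 everywhere.
    The same branch host now looks on-link and is trusted as a LAN neighbour."""
    sites = {"hq+branch": ip_network("10.0.0.0/24")}
    hq_host = ip_interface("10.0.0.10/24")
    branch_host = "10.0.0.200"                 # physically at the branch, across the WAN
    return policy(hq_host, branch_host, sites)


if __name__ == "__main__":
    print("routed WAN, branch host seen from hq:", routed_design())
    print("stretched L2, branch host seen from hq:", stretched_l2_design())
```

The two designs differ only in addressing, not in where the branch host physically sits; the policy function cannot tell the difference, which is exactly the "lying to the LAN" the post warns about.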