From: Rick (ccie_2003@hotmail.com)
Date: Wed Oct 09 2002 - 09:36:29 GMT-3
Brian,
There has been a big discussion lately about VLANs and security in regards
to keeping different flows of traffic separate and protected. Do you see
any way someone could manipulate dot1q tags to compromise data integrity
between organizations? There is a 3rd party telling me that his traffic
should be on a separate switch, that VLAN separation was not enough. How can
I support that it is enough separation?
Thanks,
Rick
----- Original Message -----
From: "Brian McGahan" <brian@cyscoexpert.com>
To: "'Chris'" <clarson52@comcast.net>; "'P729'" <p729@cox.net>; "'chenyan'"
<chenyan@deeptht.com.cn>; "'ccielab'" <ccielab@groupstudy.com>
Sent: Sunday, October 06, 2002 3:50 PM
Subject: RE: 802.1q native vlan
> Chris,
>
> You're overcomplicating the issue. Let's assume that your
> native vlan is vlan 10. This means that all traffic received on a .1q
> trunk link that does not have a tag belongs to vlan 10. Remember that
> tagging only happens on the trunk link; the tag values are not carried
> over access links (non-trunk links).
>
> If traffic is generated by a host in vlan 10, and this traffic
> must traverse the .1q trunk, the packet will not be tagged. When the
> switch on the other end of the trunk receives the frame, it knows that
> this frame belongs to vlan 10, since the packet is untagged, and the
> native vlan is 10. Your native vlan must match between all switches,
> otherwise you will have traffic leaking between vlans. That case is as
> follows.
>
> Take the same situation: a host in vlan 10 generates a packet
> that traverses a .1q trunk. The switch to which this host is attached has
> vlan 10 designated as the native vlan; however, the switch on the other
> side has vlan 20 designated as the native vlan. When the switch on the
> remote side receives this packet, it assumes that the packet belongs to
> vlan 20, and forwards it appropriately. This results in incorrect
> forwarding, since the packet should actually be destined for vlan 10.
>
> HTH
>
> Brian McGahan, CCIE #8593
> Director of Design and Implementation
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> http://www.cyscoexpert.com
> Voice: 847.674.3392
> Fax: 847.674.2625
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Chris
> > Sent: Sunday, October 06, 2002 2:13 PM
> > To: P729; chenyan; ccielab
> > Subject: Re: 802.1q native vlan
> >
> > I have been looking through the Docs and indeed it does say that native
> > vlan traffic is not tagged. I guess I had missed that when reading the
> > switching docs previously, and was always taught that all traffic is
> > tagged.
> >
> > Thanks for the clarification.
> >
> > This would also mean that it is restricted to the native vlan then,
> > right? Without a tag it could not be forwarded to any other vlan.
> >
> >
> >
> > ----- Original Message -----
> > From: "P729" <p729@cox.net>
> > To: "Chris" <clarson52@comcast.net>; "chenyan" <chenyan@deeptht.com.cn>;
> > "ccielab" <ccielab@groupstudy.com>
> > Sent: Sunday, October 06, 2002 2:05 PM
> > Subject: Re: 802.1q native vlan
> >
> >
> > > "Any untagged frames will get tagged..."
> > >
> > > Mmmm...sounds kinda contradictory, doesn't it? Actually, frames assigned
> > > to the native VLAN of the trunk are sent untagged across the trunk,
> > > period. But one might ask, "how would the switches on each end know when
> > > there's a native VLAN mismatch?" The answer for Cisco switches is through
> > > CDP. If CDP is disabled or not available, then they wouldn't know and you
> > > can pretty much bridge the two VLANs together and maybe not know it...
> > >
> > > Regards,
> > >
> > > Mas Kato
> > > https://ecardfile.com/id/mkato
> > > ----- Original Message -----
> > > From: "Chris" <clarson52@comcast.net>
> > > To: "chenyan" <chenyan@deeptht.com.cn>; "ccielab" <ccielab@groupstudy.com>
> > > Sent: Sunday, October 06, 2002 9:48 AM
> > > Subject: Re: 802.1q native vlan
> > >
> > >
> > > Any untagged frames will get tagged to the native vlan and travel the
> > > native vlan.
> > >
> > >
> > > ----- Original Message -----
> > > From: "chenyan" <chenyan@deeptht.com.cn>
> > > To: "ccielab" <ccielab@groupstudy.com>
> > > Sent: Sunday, October 06, 2002 11:13 AM
> > > Subject: 802.1q native vlan
> > >
> > >
> > > > Hi, guys
> > > >
> > > > I want to know why there is a native vlan for 802.1q and what it is
> > > > for?
> > > >
> > > > Thanks
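The native-VLAN behaviour Brian describes, as an added Python model that is not part of this thread: frames in the native VLAN leave a .1q trunk untagged, the receiving switch assigns untagged frames to its own native VLAN, so a mismatch between the two ends lands the frame in the wrong VLAN. The frame layout follows 802.1Q (TPID 0x8100, 12-bit VID); the MAC addresses and payload bytes are constructed, and the mismatch check stands in for the CDP detection Mas Kato mentions.

```python
"""Model of 802.1Q trunk egress/ingress with a native VLAN (added example)."""
import struct

ETH_P_8021Q = 0x8100  # TPID that marks an 802.1Q tagged frame
DST = b"\xff" * 6     # constructed destination MAC (broadcast)
SRC = b"\x02\x00\x00\x00\x00\x01"  # constructed source MAC


def trunk_egress(vlan_id: int, payload: bytes, native_vlan: int) -> bytes:
    """Frame a switch puts on the trunk for traffic belonging to vlan_id.

    Native-VLAN frames go out untagged; all other VLANs get a 4-byte tag
    (TPID 0x8100 followed by the TCI carrying the 12-bit VID).
    """
    if vlan_id == native_vlan:
        return DST + SRC + payload
    tci = vlan_id & 0x0FFF  # PCP=0, DEI=0, VID in the low 12 bits
    return DST + SRC + struct.pack("!HH", ETH_P_8021Q, tci) + payload


def trunk_ingress(frame: bytes, native_vlan: int):
    """Classify a frame arriving on the trunk: returns (vlan_id, payload).

    A tagged frame is assigned the VID from its tag; an untagged frame is
    assigned to the receiving switch's native VLAN, whatever that is.
    """
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == ETH_P_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, frame[16:]
    return native_vlan, frame[12:]


def forward_over_trunk(vlan_id, payload, local_native, remote_native) -> int:
    """VLAN the remote switch believes the frame belongs to after crossing."""
    frame = trunk_egress(vlan_id, payload, local_native)
    return trunk_ingress(frame, remote_native)[0]


def native_vlan_mismatch(local_native: int, remote_native: int) -> bool:
    """Config check for Brian's failure case: both trunk ends must agree."""
    return local_native != remote_native


if __name__ == "__main__":
    data = b"\x08\x00" + b"constructed IP payload"  # EtherType 0x0800 + bytes
    print("matched natives :", forward_over_trunk(10, data, 10, 10))   # 10
    print("mismatched      :", forward_over_trunk(10, data, 10, 20))   # 20
    print("tagged vlan 30  :", forward_over_trunk(30, data, 10, 20))   # 30
    print("mismatch?       :", native_vlan_mismatch(10, 20))           # True
```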
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:45 GMT-3