From: Erick B. (erickbe@yahoo.com)
Date: Sun Oct 13 2002 - 21:35:39 GMT-3
Check out these URLs:
http://www.infowar.com/iwftp/xforce/advise24.html
The second one appears to be down right now... or it
might not be around anymore (was from my bookmarks).
--- Rick <ccie_2003@hotmail.com> wrote:
> Thanks Brian,
>
> I wonder if anyone else in the group has any knowledge on this? I need some
> hard facts as to why it would not be a security issue. Do you know where those
> studies are located on the bug notices? The real concern is that a hacker
> could jump VLANs to access user data on another VLAN. So the third party is
> saying there must be more than just VLAN separation, which could only be
> physical separation. I'm trying to sell them on the fact that it can't be
> done. Any thoughts on this are much appreciated.
>
> Also, if anyone would like to share the security practice for protecting
> a switched network, please do so.
>
> For instance, I always set trunk off on all ports and clear all VLANs from all
> ports, because someone could set the other side of the port to desirable and
> build a link, etc.
>
> Thanks,
> Rick
> ----- Original Message -----
> From: "Brian McGahan" <brian@cyscoexpert.com>
> To: "'Rick'" <ccie_2003@hotmail.com>
> Sent: Wednesday, October 09, 2002 11:23 AM
> Subject: RE: 802.1q native vlan( further question on VLAN hopping -security issue)
>
>
> > Rick,
> >
> > I can't really think of a case where this would be a problem.
> > Remember, tags are only on trunk links. If someone spoofed a .1q header
> > on an access link, I'd bet that the switch would just drop the frame.
> >
> > Personally I think that VLAN separation is enough. I have read
> > some bug notices where traffic has leaked between VLANs; however,
> > these have been addressed. If your customer is worried about security,
> > have them run IPsec. Especially on the LAN, IPsec will add negligible
> > delay. There are many NIC cards today that will do it in hardware.
> >
> > HTH
> >
> > Brian McGahan, CCIE #8593
> > Director of Design and Implementation
> > brian@cyscoexpert.com
> >
> > CyscoExpert Corporation
> > Internetwork Consulting & Training
> > http://www.cyscoexpert.com
> > Voice: 847.674.3392
> > Fax: 847.674.2625
> >
> >
> > > -----Original Message-----
> > > From: Rick [mailto:ccie_2003@hotmail.com]
> > > Sent: Wednesday, October 09, 2002 7:36 AM
> > > To: Ccielab (E-mail); Brian McGahan
> > > Subject: Re: 802.1q native vlan( further question on VLAN hopping - security issue)
> > >
> > > Brian,
> > >
> > > There has been a big discussion lately about VLANs and security in regards
> > > to keeping different flows of traffic separate and protected. Do you see
> > > any way someone could manipulate dot1q tags to compromise data integrity
> > > between organizations? There is a 3rd party telling me that his traffic
> > > should be on a separate switch, that VLAN separation was not enough. How
> > > can I support that it is enough separation?
> > >
> > > Thanks,
> > > Rick
> > > ----- Original Message -----
> > > From: "Brian McGahan" <brian@cyscoexpert.com>
> > > To: "'Chris'" <clarson52@comcast.net>; "'P729'" <p729@cox.net>; "'chenyan'" <chenyan@deeptht.com.cn>; "'ccielab'" <ccielab@groupstudy.com>
> > > Sent: Sunday, October 06, 2002 3:50 PM
> > > Subject: RE: 802.1q native vlan
> > >
> > >
> > > > Chris,
> > > >
> > > > You're overcomplicating the issue. Let's assume that your
> > > > native VLAN is VLAN 10. This means that all traffic received on a .1q
> > > > trunk link that does not have a tag belongs to VLAN 10. Remember that
> > > > tagging only happens on the trunk line; the tag values are not carried
> > > > over access links (non-trunk links).
> > > >
> > > > If traffic is generated by a host in VLAN 10, and this traffic
> > > > must traverse the .1q trunk, the packet will not be tagged. When the
> > > > switch on the other end of the trunk receives the frame, it knows that
> > > > this frame belongs to VLAN 10, since the packet is untagged and the
> > > > native VLAN is 10. Your native VLAN must match between all switches,
> > > > otherwise you will have traffic leaking between VLANs. That case is as
> > > > follows.
> > > >
> > > > Take the same situation: a host in VLAN 10 generates a packet
> > > > that traverses a .1q trunk. The switch which this host is attached to has
> > > > VLAN 10 designated as the native VLAN; however, the switch on the other
> > > > side has VLAN 20 designated as the native VLAN. When the switch on the
> > > > remote side receives this packet, it assumes that the packet belongs to
> > > > VLAN 20, and forwards it appropriately. This results in incorrect
> > > > forwarding, since the packet should actually be destined for VLAN 10.
> > > >
> > > > HTH
> > > >
> > > > Brian McGahan, CCIE #8593
> > > > Director of Design and Implementation
> > > > brian@cyscoexpert.com
> > > >
> > > > CyscoExpert Corporation
> > > > Internetwork Consulting & Training
> > > > http://www.cyscoexpert.com
> > > > Voice: 847.674.3392
> > > > Fax: 847.674.2625
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Chris
> > > > > Sent: Sunday, October 06, 2002 2:13 PM
> > > > > To: P729; chenyan; ccielab
> > > > > Subject: Re: 802.1q native vlan
> > > > >
> > > > > I have been looking through the docs and indeed it does say that native
> > > > > VLAN traffic is not tagged. I guess I missed that when reading the
> > > > > switching docs previously, and was always taught that all traffic is
> > > > > tagged.
> > > > >
> > > > > Thanks for the clarification.
> > > > >
> > > > > This would also mean that it is restricted to the native VLAN then, right?
> > > > > Without a tag it could not be forwarded to any other VLAN.
> > > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "P729" <p729@cox.net>
> > > > > To: "Chris" <clarson52@comcast.net>; "chenyan" <chenyan@deeptht.com.cn>; "ccielab" <ccielab@groupstudy.com>
> > > > > Sent: Sunday, October 06, 2002 2:05 PM
> > > > > Subject: Re: 802.1q native vlan
> > > > >
> > > > >
> > > > > > "Any untagged frames will get tagged..."
> > > > > >
> > > > > > Mmmm...sounds kinda contradictory, doesn't it? Actually, frames assigned to
> > > > > > the native VLAN of the trunk are sent untagged across the trunk, period. But
> > > > > > one might ask, "how would the switches on each end know when there's a
> > > > > > native VLAN mismatch?" The answer for Cisco switches is through CDP. If CDP
> > > > > > is disabled or not available, then they wouldn't know and you can pretty
> > > > > > much bridge the two VLANs together and maybe not know it...
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Mas Kato
> > > > > > https://ecardfile.com/id/mkato
> > > > > > ----- Original Message -----
> > > > > > From: "Chris" <clarson52@comcast.net>
> > > > > > To: "chenyan" <chenyan@deeptht.com.cn>; "ccielab" <ccielab@groupstudy.com>
> > > > > > Sent: Sunday, October 06, 2002 9:48 AM
> > > > > > Subject: Re: 802.1q native vlan
> > > > > >
> > > > > >
> > > > > > Any untagged frames will get tagged to the native VLAN and travel the native
> > > > > > VLAN.
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "chenyan" <chenyan@deeptht.com.cn>
> > > > > > To: "ccielab" <ccielab@groupstudy.com>
> > > > > > Sent: Sunday, October 06, 2002 11:13 AM
> > > > > > Subject: 802.1q native vlan
> > > > > >
> > > > > >
> > > > > > > Hi guys,
> > > > > > >
> > > > > > > I want to know why there is a native VLAN for 802.1q and what it is for?
> > > > > > >
> > > > > > > Thanks
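Added example (not part of the thread above, and not code from any of its participants): a small Python model of the 802.1Q tag handling the thread describes. Frames in the trunk's native VLAN cross the trunk untagged and untagged frames arriving on a trunk are classified into the native VLAN, so a native VLAN mismatch between the two ends leaks traffic exactly as Brian's VLAN 10 / VLAN 20 case says. The model also goes one step beyond the thread: it replays the double-tag hop that depends on the same property (an attacker whose access VLAN equals the trunk's native VLAN sends a frame with an outer tag for its own VLAN and an inner tag for the target VLAN), then shows the hop failing once VLAN 20 is pruned from the trunk or the native VLAN is moved to an unused ID and tagged. The MAC addresses and the payload are constructed, and the access-port behaviour of accepting a frame tagged with the port's own VLAN is an assumption stated in `access_ingress()`; real switches differ in that detail.

```python
import struct

TPID_8021Q = 0x8100       # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
MAC_LEN = 12              # destination MAC + source MAC

# Constructed MAC addresses for the demo (not real devices).
HOST_A = bytes.fromhex("020000000001")
VICTIM = bytes.fromhex("020000000002")

def build_frame(dst, src, vlans, payload=b"hello", ethertype=ETHERTYPE_IPV4):
    """Ethernet frame carrying one 802.1Q tag per VLAN in vlans, outermost first."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload

def outer_tag(frame):
    """VLAN ID of the outermost tag, or None if the frame is untagged."""
    tpid, tci = struct.unpack_from("!HH", frame, MAC_LEN)
    return tci & 0x0FFF if tpid == TPID_8021Q else None

def strip_outer_tag(frame):
    return frame[:MAC_LEN] + frame[MAC_LEN + 4:]

def push_tag(frame, vid):
    return frame[:MAC_LEN] + struct.pack("!HH", TPID_8021Q, vid) + frame[MAC_LEN:]

def access_ingress(frame, port_vlan):
    """Frame arriving on an access port.  Untagged -> the port's VLAN.
    ASSUMPTION: a tag equal to the port's own VLAN is accepted and popped
    (some switches behave this way); any other tag is dropped."""
    vid = outer_tag(frame)
    if vid is None:
        return port_vlan, frame
    if vid == port_vlan:
        return port_vlan, strip_outer_tag(frame)
    return None, None

def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """Frame leaving on a trunk: the native VLAN goes untagged unless the
    switch is set to tag it; every other VLAN gets a tag pushed."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)

def trunk_ingress(frame, native_vlan, allowed, tag_native=False):
    """Frame arriving on a trunk: untagged -> native VLAN (dropped if the trunk
    expects the native VLAN tagged); tagged -> outer tag, which is popped.
    VLANs pruned from the trunk are dropped."""
    vid = outer_tag(frame)
    if vid is None:
        if tag_native:
            return None, None
        vlan = native_vlan
    else:
        vlan, frame = vid, strip_outer_tag(frame)
    if vlan not in allowed:
        return None, None
    return vlan, frame

def deliver(frame, access_vlan, sw1_native, sw2_native, allowed, tag_native=False):
    """Host on an SW1 access port -> SW1 trunk -> SW2 trunk ingress.
    Returns the VLAN SW2 places the frame in, or None if it was dropped."""
    vlan, frame = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(frame, vlan, sw1_native, tag_native)
    vlan, _ = trunk_ingress(on_wire, sw2_native, allowed, tag_native)
    return vlan

def native_mismatch():
    """Brian's case: host in VLAN 10, SW1 native 10, SW2 native 20.
    SW2 sees an untagged frame and files it under VLAN 20."""
    return deliver(build_frame(VICTIM, HOST_A, []), 10, 10, 20, {10, 20})

def double_tag_hop():
    """Attacker on access VLAN 10 (also the trunk's native VLAN) sends outer tag
    10 / inner tag 20.  SW1 pops the outer tag and sends the frame untagged,
    so SW2 reads the inner tag and the frame lands in VLAN 20."""
    return deliver(build_frame(VICTIM, HOST_A, [10, 20]), 10, 10, 10, {10, 20})

def double_tag_hop_pruned():
    """Same frame, but VLAN 20 is not allowed on the trunk: dropped at SW2."""
    return deliver(build_frame(VICTIM, HOST_A, [10, 20]), 10, 10, 10, {10})

def double_tag_hop_hardened():
    """Same frame with the native VLAN moved to unused 999 and tagged on the
    trunk: SW1 tags the frame with 10, so it stays in VLAN 10."""
    return deliver(build_frame(VICTIM, HOST_A, [10, 20]), 10, 999, 999,
                   {10, 20, 999}, tag_native=True)

if __name__ == "__main__":
    for case in (native_mismatch, double_tag_hop,
                 double_tag_hop_pruned, double_tag_hop_hardened):
        print(f"{case.__name__:26s} -> VLAN {case()}")
```

Note that the hop is one-way: the victim's replies are not double-tagged and never reach the attacker, which is why it is useful for injection rather than for reading traffic, and why the two fixes shown (pruning unneeded VLANs from trunks, and keeping the native VLAN unused by any access port) are the ones usually paired with the trunk-negotiation hardening Rick mentions.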
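Added example (not part of the thread, and not from Cisco or any participant): Rick describes his switched-network practice in CatOS terms (trunking off on every port, VLANs cleared from every port). The Python below expresses the same policy as a checker over IOS-style `interface` blocks, flagging ports still willing to negotiate a trunk, trunks that keep VLAN 1 as native or allow every VLAN, and access ports left in VLAN 1, with a weak config beside a hardened one. The two config texts are constructed for the example, and treating a port with no `switchport mode` line as DTP-negotiating is an assumption (the factory default on many Catalyst models), noted in the code.

```python
# Constructed running-config fragments (illustrative, not from any real device).
WEAK_CONFIG = """\
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport access vlan 1
 switchport mode access
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

HARDENED_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its list of lowercased config lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            blocks[current].append(line.lower())
    return blocks

def _setting(lines, prefix, default):
    """Text after `prefix` on the first matching line, or default if absent."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return default

def audit_interface(name, lines):
    """Findings for one port.  ASSUMPTION: a port with no 'switchport mode'
    line is treated as DTP-negotiating (factory default on many Catalysts)."""
    findings = []
    mode = _setting(lines, "switchport mode ", "dynamic auto")
    if mode.startswith("dynamic"):
        findings.append(f"{name}: mode '{mode}' lets the far end negotiate a trunk; "
                        "set 'switchport mode access' (or trunk) explicitly")
    elif "switchport nonegotiate" not in lines:
        findings.append(f"{name}: DTP frames still sent; add 'switchport nonegotiate'")
    if mode == "trunk":
        if _setting(lines, "switchport trunk native vlan ", "1") == "1":
            findings.append(f"{name}: native VLAN is 1; move it to an unused VLAN "
                            "that no access port shares")
        if _setting(lines, "switchport trunk allowed vlan ", None) is None:
            findings.append(f"{name}: every VLAN allowed on the trunk; prune to the ones needed")
    elif mode == "access":
        if _setting(lines, "switchport access vlan ", "1") == "1":
            findings.append(f"{name}: access port left in VLAN 1")
    return findings

def audit(config):
    """All findings for a config, in interface order."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_interface(name, lines))
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"--- {label}: {len(result)} finding(s)")
        for finding in result:
            print("  " + finding)
```

A native VLAN mismatch between two switches, the case Brian walks through, cannot be seen from one switch's config, so this checker does not attempt it; the `show interfaces trunk` output from both ends (or the CDP mismatch warning Mas Kato mentions) is the place to check that.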
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:46 GMT-3