Re: 802.1q native vlan( further question on VLAN hopping

From: Richard Davidson (rich@myhomemail.net)
Date: Tue Oct 15 2002 - 22:11:02 GMT-3


Another thing to add to the VLAN security thing. A switch can only hold just so many MAC addresses. If the address table was filled it will forward every packet out every interface except the interface on which it was received. There are applications that can cram the switch with dummy MAC addresses. I have not tested or read this. It's more like passed-down info, so it may be a little off.
Richard
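A small model of the failure mode Richard describes, added here as an example; it is not code from the thread or from any switch vendor. It is a toy learning switch with a bounded MAC table: the attacker's port sprays frames with a fresh source address on each one, the table fills, and from then on the switch cannot learn the victims' addresses, so their unicast traffic is flooded to every other port in the same VLAN, the attacker's included. The table capacity, the "stop learning when full" rule, the per-VLAN flooding rule, the optional per-port address limit (a port-security style control) and the hosts and traffic are all assumptions of the model.

```python
import random


class Switch:
    """Toy learning switch: access ports only, a bounded MAC table, and unknown
    unicast flooded to the other ports of the same VLAN. Model assumptions (not
    from the thread): a full table simply stops learning; an optional per-port
    address limit drops frames from a port that exceeds it (port-security style)."""

    def __init__(self, port_vlans, capacity, max_macs_per_port=None):
        self.port_vlans = port_vlans              # port -> access VLAN
        self.capacity = capacity                  # total (vlan, mac) entries
        self.max_macs_per_port = max_macs_per_port
        self.table = {}                           # (vlan, mac) -> port
        self.macs_on_port = {p: set() for p in port_vlans}

    def _port_limit_exceeded(self, port, src):
        if self.max_macs_per_port is None or src in self.macs_on_port[port]:
            return False
        return len(self.macs_on_port[port]) >= self.max_macs_per_port

    def _learn(self, vlan, src, port):
        key = (vlan, src)
        if key in self.table or len(self.table) >= self.capacity:
            return                                # already known, or table full
        self.table[key] = port
        self.macs_on_port[port].add(src)

    def forward(self, in_port, src, dst):
        """Return the ports the frame is sent out of; [] means it was dropped
        or the destination sits on the ingress port."""
        vlan = self.port_vlans[in_port]
        if self._port_limit_exceeded(in_port, src):
            return []
        self._learn(vlan, src, in_port)
        out = self.table.get((vlan, dst))
        if out is not None:
            return [] if out == in_port else [out]
        # Unknown destination: flood to every other port in the same VLAN only.
        return [p for p, v in self.port_vlans.items() if v == vlan and p != in_port]


# Constructed topology: ports 1 and 2 are victims in VLAN 10, port 3 is the
# attacker in VLAN 10, port 4 is an unrelated host in VLAN 20.
PORTS = {1: 10, 2: 10, 3: 10, 4: 20}
HOST_A, HOST_B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"


def random_mac(rng):
    """Locally administered, randomly generated address (constructed input)."""
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def run_attack(capacity=128, bogus_frames=1000, max_macs_per_port=None, seed=1):
    sw = Switch(PORTS, capacity, max_macs_per_port)
    rng = random.Random(seed)
    # 1. The attacker sprays frames, each with a fresh source and destination MAC.
    for _ in range(bogus_frames):
        sw.forward(3, random_mac(rng), random_mac(rng))
    # 2. Hosts A and B then exchange ten frames each way; count where copies go.
    seen_by_attacker = leaked_to_vlan20 = 0
    for _ in range(10):
        for in_port, src, dst in ((1, HOST_A, HOST_B), (2, HOST_B, HOST_A)):
            out = sw.forward(in_port, src, dst)
            seen_by_attacker += 1 if 3 in out else 0
            leaked_to_vlan20 += 1 if 4 in out else 0
    return {"table_entries": len(sw.table),
            "a_b_frames_seen_by_attacker": seen_by_attacker,
            "frames_leaked_to_vlan20": leaked_to_vlan20}


if __name__ == "__main__":
    print("no port limit:       ", run_attack())
    print("2 addresses per port:", run_attack(max_macs_per_port=2))
```

The first run shows the table full of the attacker's addresses and every frame between A and B copied to the attacker's port. Flooding in the model stays inside the ingress VLAN, so the VLAN 20 port never receives VLAN 10 traffic; whether a particular product degrades further than that under overflow is exactly what Rick asks below, and the model does not answer it. The second run caps the number of addresses a port may learn, which stops the spray at the attacker's port and leaves only the one unknown-unicast frame that is flooded before B has been learned.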
Rick <ccie_2003@hotmail.com> wrote:

Thanks Chuck,

I believe that is one of the answers we were looking for in regards to the
frame size of DOT1Q or ISL modified frames, because there would be an issue
with size coming from an access port. I would have thought there would have
been a security document somewhere in regards to VLAN separation. Let me ask
you this question... Remember back with the early switches how they had very
small bridging tables that would only hold a few MAC addresses, and if they
overflowed they would sometimes reboot? What would happen if someone was
generating frames at a high feed rate into a switch port with a different
source MAC address on every frame; would the switch melt down and turn into
a dumb hub allowing inter-VLAN contamination? I figured there has to be one
hardcore lab rat who has tested this...

Thanks,
Rick
----- Original Message -----
From: "Chuck Church"
To: "'Rick'" ; "'Ccielab (E-mail)'"

Sent: Monday, October 14, 2002 2:17 PM
Subject: RE: 802.1q native vlan( further question on VLAN hopping -security issue)

> Rick,
>
> There are a few things that can be done to make it secure. Since they
> want a separate switch for their own traffic, it sounds like they don't
> need any trunks. Without any trunks, I'd imagine a switch would be immune
> to a spoofed vlan tag, as the non-trunk ports would not look at the tag,
> and drop it if it exceeded the 1514/1518 limit. Someone correct me on that
> part if I'm wrong. I certainly wouldn't ever trunk to a switch you didn't
> have absolute control over. And you certainly need to make sure that
> access to the switch's management interface (telnet, http, snmp, whatever)
> is secure. But Mas is right, nothing's more secure than air. (Unless
> you're using wireless. Then wired is more secure :)
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
> Sr. Network Engineer
> Magnacom Technologies
> 140 N. Rt. 303
> Valley Cottage, NY 10989
> 845-267-4000
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> P729
> Sent: Sunday, October 13, 2002 3:23 AM
> To: Rick; Ccielab (E-mail)
> Subject: Re: 802.1q native vlan( further question on VLAN hopping -security issue)
>
>
> Nothing, short of no network connectivity at all, is going to be as secure
> as an air-gap. Administrative fat-fingering aside, if someone had the
> wherewithal to forge a valid tagged frame, that person could theoretically
> implement a one-way DoS attack from a non-local VLAN.
>
> Regards,
>
> Mas Kato
> https://ecardfile.com/id/mkato
> ----- Original Message -----
> From: "Rick"
> To: "Ccielab (E-mail)" ; "Brian McGahan"
> Sent: Wednesday, October 09, 2002 5:36 AM
> Subject: Re: 802.1q native vlan( further question on VLAN hopping -security issue)
>
>
> Brian,
>
> There has been a big discussion lately about VLANs and security in regards
> to keeping different flows of traffic separate and protected. Do you see
> any way someone could manipulate dot1q tags to compromise data integrity
> between organizations? There is a 3rd party telling me that his traffic
> should be on a separate switch, that VLAN separation was not enough. How
> can I support that it is enough separation?
>
> Thanks,
> Rick
> ----- Original Message -----
> From: "Brian McGahan"
> To: "'Chris'" ; "'P729'" ; "'chenyan'" ; "'ccielab'"
> Sent: Sunday, October 06, 2002 3:50 PM
> Subject: RE: 802.1q native vlan
>
>
> > Chris,
> >
> > You're overcomplicating the issue. Let's assume that your
> > native vlan is vlan 10. This means that all traffic received on a .1q
> > trunk link that does not have a tag belongs to vlan 10. Remember that
> > tagging only happens on the trunk link; the tag values are not carried
> > over access links (non-trunk links).
> >
> > If traffic is generated by a host in vlan 10, and this traffic
> > must traverse the .1q trunk, the packet will not be tagged. When the
> > switch on the other end of the trunk receives the frame, it knows that
> > this frame belongs to vlan 10, since the packet is untagged, and the
> > native vlan is 10. Your native vlan must match between all switches,
> > otherwise you will have traffic leaking between vlans. That case is as
> > follows.
> >
> > Take the same situation: a host in vlan 10 generates a packet
> > that traverses a .1q trunk. The switch to which this host is attached
> > has vlan 10 designated as the native vlan, however the switch on the
> > other side has vlan 20 designated as the native vlan. When the switch on
> > the remote side receives this packet, it assumes that the packet belongs
> > to vlan 20, and forwards it appropriately. This results in incorrect
> > forwarding, since the packet should actually be destined for vlan 10.
> >
> > HTH
> >
> > Brian McGahan, CCIE #8593
> > Director of Design and Implementation
> > brian@cyscoexpert.com
> >
> > CyscoExpert Corporation
> > Internetwork Consulting & Training
> > http://www.cyscoexpert.com
> > Voice: 847.674.3392
> > Fax: 847.674.2625
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Chris
> > > Sent: Sunday, October 06, 2002 2:13 PM
> > > To: P729; chenyan; ccielab
> > > Subject: Re: 802.1q native vlan
> > >
> > > I have been looking through the Docs and indeed it does say that native
> > > vlan traffic is not tagged. I guess I have missed that when reading the
> > > switching docs previously, and was always taught that all traffic is
> > > tagged.
> > >
> > > Thanks for the clarification.
> > >
> > > This would also mean that it is restricted to the native vlan then,
> > > right? Without a tag it could not be forwarded to any other vlan.
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "P729"
> > > To: "Chris" ; "chenyan" ; "ccielab"
> > > Sent: Sunday, October 06, 2002 2:05 PM
> > > Subject: Re: 802.1q native vlan
> > >
> > >
> > > > "Any untagged frames will get tagged..."
> > > >
> > > > Mmmm...sounds kinda contradictory, doesn't it? Actually, frames
> > > > assigned to the native VLAN of the trunk are sent untagged across the
> > > > trunk, period. But one might ask, "how would the switches on each end
> > > > know when there's a native VLAN mismatch?" The answer for Cisco
> > > > switches is through CDP. If CDP is disabled or not available, then
> > > > they wouldn't know and you can pretty much bridge the two VLANs
> > > > together and maybe not know it...
> > > >
> > > > Regards,
> > > >
> > > > Mas Kato
> > > > https://ecardfile.com/id/mkato
> > > > ----- Original Message -----
> > > > From: "Chris"
> > > > To: "chenyan" ; "ccielab"
> > > > Sent: Sunday, October 06, 2002 9:48 AM
> > > > Subject: Re: 802.1q native vlan
> > > >
> > > >
> > > > Any untagged frames will get tagged to the native vlan and travel the
> > > > native vlan.
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "chenyan"
> > > > To: "ccielab"
> > > > Sent: Sunday, October 06, 2002 11:13 AM
> > > > Subject: 802.1q native vlan
> > > >
> > > >
> > > > > hi, guys
> > > > >
> > > > > I want to know why there is native vlan for 802.1q and what is that
> > > > > for?
> > > > >
> > > > > Thanks
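To make the tag semantics in the quoted messages above concrete, here is an added example; it is not code from the thread or from any switch vendor. It builds raw 802.1Q frames and runs them through a minimal model of two switches joined by a trunk. The first scenario is Brian's native-VLAN mismatch; the second is the double-tagging form of the VLAN hopping in the subject line, which goes beyond the specific case discussed: a host on an access port in the trunk's native VLAN sends a frame that already carries a tag for another VLAN, the first switch sends native-VLAN traffic untagged, and the second switch reads the inner tag and delivers the frame into that VLAN, one way. The TrunkSwitch model, its access-port rule (accept untagged frames or a tag equal to the port's VLAN, drop the rest), the MAC addresses and the VLAN numbers are assumptions; the tag layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VID) is from 802.1Q.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that introduces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'00:00:5e:00:53:01' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vids=(), pcp=0):
    """Ethernet II frame with zero or more stacked 802.1Q tags, outer tag first."""
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | (vid & 0x0FFF))
                    for vid in vids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame):
    """VIDs of all stacked tags, outermost first ([] for an untagged frame)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def push_tag(frame, vid):
    """Insert a tag for `vid` right after the source MAC."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid) + frame[12:]


def pop_tag(frame):
    """Remove the outermost tag (the 4 bytes at offset 12)."""
    return frame[:12] + frame[16:]


class TrunkSwitch:
    """One switch with access ports and a single 802.1Q trunk (model assumption)."""

    def __init__(self, name, native_vlan):
        self.name = name
        self.native_vlan = native_vlan

    def ingress_access(self, port_vlan, frame):
        """Access port: untagged frames belong to the port's VLAN; a frame whose
        outer tag equals that VLAN is accepted with the tag stripped; others drop."""
        tags = parse_tags(frame)
        if not tags:
            return port_vlan, frame
        if tags[0] == port_vlan:
            return port_vlan, pop_tag(frame)
        return None, None

    def egress_trunk(self, vlan, frame):
        """Onto the trunk: the native VLAN goes untagged, every other VLAN is tagged."""
        return frame if vlan == self.native_vlan else push_tag(frame, vlan)

    def ingress_trunk(self, frame):
        """From the trunk: a tagged frame belongs to its outer VID (tag removed);
        an untagged frame is assumed to be in this switch's native VLAN."""
        tags = parse_tags(frame)
        return (tags[0], pop_tag(frame)) if tags else (self.native_vlan, frame)


def deliver(sw_a, sw_b, port_vlan, frame):
    """Access port on sw_a -> trunk -> sw_b. Returns the VLAN sw_b delivers into,
    or None if sw_a dropped the frame at ingress."""
    vlan, frame = sw_a.ingress_access(port_vlan, frame)
    if vlan is None:
        return None
    vlan_at_b, _ = sw_b.ingress_trunk(sw_a.egress_trunk(vlan, frame))
    return vlan_at_b


# Constructed sample frames (documentation MAC range, made-up payloads).
HOST_FRAME = build_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01", b"hello")
HOPPING_FRAME = build_frame("00:00:5e:00:53:ff", "00:00:5e:00:53:01", b"pwn", vids=(10, 30))


def native_mismatch_leak():
    """Brian's case: switch A native 10, switch B native 20. A VLAN 10 host's
    frame crosses the trunk untagged and B files it under VLAN 20."""
    return deliver(TrunkSwitch("A", 10), TrunkSwitch("B", 20), 10, HOST_FRAME)


def double_tag_hop(native_a, native_b):
    """Attacker on a VLAN 10 access port of A sends outer tag 10, inner tag 30.
    Returns the VLAN B delivers into: 30 means the hop worked."""
    return deliver(TrunkSwitch("A", native_a), TrunkSwitch("B", native_b), 10, HOPPING_FRAME)


if __name__ == "__main__":
    print("native mismatch: VLAN 10 traffic lands in VLAN", native_mismatch_leak())
    print("double tag, native 10 on both ends: delivered into VLAN", double_tag_hop(10, 10))
    print("double tag, unused native 999:      delivered into VLAN", double_tag_hop(999, 999))
```

The hop is one way, as Mas notes: nothing in VLAN 30 can answer the attacker, because replies are delivered by normal forwarding. The third run shows the usual mitigation. With the trunk's native VLAN set to a VLAN that has no access ports, VLAN 10 traffic goes onto the trunk tagged, the far end classifies the frame by its outer tag, and the inner tag never reaches the classifier. (On Cisco IOS the global command `vlan dot1q tag native` makes the switch tag native-VLAN frames on trunks as well, which closes the same gap.)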



This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:48 GMT-3