RE: Switch Network Design Question

From: Sheahan, John (John.Sheahan@priceline.com)
Date: Wed Nov 02 2005 - 18:27:53 GMT-3


As we all know regarding switching, if a frame comes into a switch and
the switch has no destination mac address in its ARP table, it doesn't
know where to forward it, so it forwards it out all ports on the switch.

From what I remember, if an attacker could continually clear the ARP
cache on a switch (or poison it), the switch will not know where to send
all frames and thus will forward them out all ports by design. If this
happened, it is possible that frames received on a port configured for
the outside VLAN might wind up getting forwarded to ports configured for
the internal VLAN.

  _____

From: bud selig [mailto:bud4bud@gmail.com]
Sent: Wednesday, November 02, 2005 4:07 PM
To: Sheahan, John
Cc: ccielab@groupstudy.com
Subject: Re: Switch Network Design Question

This is great info. I appreciate it! Any more details on the
vulnerability you mentioned below would be appreciated as well.

Bud

On 11/2/05, Sheahan, John <John.Sheahan@priceline.com> wrote:

One more thing....
We specifically made an issue over this with Cisco a couple of years
back. There was talk of a hack at one time that could be put in place
that would "flatten" a switch, thus creating one big vlan. Cisco assured
us, in person, several times that this was considered safe by their
standards. We still did not believe them and continued to always use
separate switches for at least the switches attached to the outside
interfaces of Pix firewalls.

We see now that Cisco put its money where its mouth was when they
designed the FWSM. When you configure a FWSM in a 6500 switch, you are
using a VLAN for the outside, dmz and inside interfaces all on the same
switch.

I feel more comfortable now since Cisco came out with this design and we
can clearly see that is the direction Cisco is heading.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
bud selig
Sent: Wednesday, November 02, 2005 3:52 PM
To: Cisco certification
Subject: Re: Switch Network Design Question

Thanks for all the responses on this. They were very helpful.

On 11/2/05, bud selig <bud4bud@gmail.com> wrote:
>
> Hello,
>
> I was wondering what everyone's thoughts were on having a single switch
> house the outside, inside, DMZ VLANs. I prefer to keep the inside VLAN on a
> different physical switch for a more secure environment.
>
> Thanks

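Added example, not from the thread or from any of its participants: a small Python model of a learning switch that shows the mechanism discussed above (a MAC-table overflow, "macof"-style, leaving legitimate hosts unlearned so their unicast traffic is flooded) alongside the port-security style check a practitioner would add (a per-port MAC limit that err-disables the offending port). The table capacity, port names, VLAN assignment, MAC addresses and the "table full means no new entry is learned" policy are all constructed for the demo. In this model flooding reaches every other live port in the ingress VLAN and no port in another VLAN; the `crossed_vlan` result is there so the model's behaviour can be compared with what a real switch does.

```python
"""Added example (not from the original thread): a toy model of a learning
switch showing how a MAC-table (CAM) overflow turns unicast into flooded
traffic, and how a port-security style limit stops it.
Capacity, port names and MAC addresses below are constructed for the demo."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC address
    dst: str   # destination MAC address


class Switch:
    def __init__(self, cam_capacity, port_vlans, max_macs_per_port=None):
        self.cam_capacity = cam_capacity
        self.port_vlans = dict(port_vlans)          # port -> access VLAN
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.cam = OrderedDict()                    # (vlan, mac) -> port
        self.errdisabled = set()                    # ports shut by port security
        self.flood_log = []                         # (in_port, dst, flooded_ports)

    def _learn(self, vlan, mac, port):
        """Learn mac on port. Returns False only on a port-security violation."""
        key = (vlan, mac)
        if key in self.cam:
            self.cam[key] = port                    # refresh existing entry
            return True
        if self.max_macs_per_port is not None:
            learned_here = sum(1 for p in self.cam.values() if p == port)
            if learned_here >= self.max_macs_per_port:
                self.errdisabled.add(port)          # violation: shut the port
                return False
        if len(self.cam) >= self.cam_capacity:
            return True                             # table full: not learned (constructed policy)
        self.cam[key] = port
        return True

    def age_out(self):
        """Simulate the aging timer expiring for every entry."""
        self.cam.clear()

    def forward(self, in_port, frame):
        """Return the list of egress ports for a frame received on in_port."""
        if in_port in self.errdisabled:
            return []
        vlan = self.port_vlans[in_port]
        if not self._learn(vlan, frame.src, in_port):
            return []                               # violating frame is dropped
        out = self.cam.get((vlan, frame.dst))
        if out is not None and out != in_port:
            return [out]                            # known unicast: exactly one port
        # unknown unicast or broadcast: flood to every other live port in the same VLAN
        flood = [p for p, v in self.port_vlans.items()
                 if v == vlan and p != in_port and p not in self.errdisabled]
        self.flood_log.append((in_port, frame.dst, tuple(flood)))
        return flood


def demo(port_security=False):
    """Hosts A and B plus an attacker on VLAN 10; one unrelated host on VLAN 20."""
    sw = Switch(cam_capacity=8,
                port_vlans={"Gi1": 10, "Gi2": 10, "Gi3": 10, "Gi4": 20},
                max_macs_per_port=2 if port_security else None)
    host_a, host_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    attacker_macs = [f"02:00:00:00:00:{i:02x}" for i in range(20)]  # constructed

    def attack():
        # macof-style: spray frames with many bogus source MACs from Gi3
        for mac in attacker_macs:
            sw.forward("Gi3", Frame(mac, "ff:ff:ff:ff:ff:ff"))

    sw.forward("Gi1", Frame(host_a, host_b))            # B unknown yet: flooded
    before = sw.forward("Gi2", Frame(host_b, host_a))   # A known: unicast to Gi1

    attack()
    sw.age_out()    # legitimate entries expire ...
    attack()        # ... and the attacker immediately refills the table
    sw.forward("Gi1", Frame(host_a, host_b))
    after = sw.forward("Gi2", Frame(host_b, host_a))    # flooded if A could not be re-learned

    crossed_vlan = any("Gi4" in ports for _, _, ports in sw.flood_log)
    return {"before": before, "after": after, "cam_size": len(sw.cam),
            "errdisabled": sorted(sw.errdisabled), "crossed_vlan": crossed_vlan}


if __name__ == "__main__":
    print("no port security :", demo(port_security=False))
    print("port security    :", demo(port_security=True))
```

Without the per-port limit, the reply from B to A that was a single-port unicast before the attack is flooded to the attacker's port afterwards, because the full table prevented A from being re-learned; with a limit of two MACs per port the attacker's port is err-disabled on its third source address and the later traffic is delivered to Gi1 only. In both runs the flood list never contains the VLAN 20 port.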


This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:05 GMT-3