From: Scott Morris (swm@emanon.com)
Date: Wed Nov 02 2005 - 22:04:55 GMT-3
No. It forwards the packet out all ports IN THAT VLAN.
The previous "vulnerability" everyone talks about had to do with an overflow
that could be created where the switch would freak out at the number of
unknown frames coming in and would indeed flood out to all ports. But that
was a problem with much older switches. Not today.
You can't force it to clear an ARP cache either. You can send "gratuitous
ARPs" since the spec doesn't say anything about there must be a request for
one before a reply gets filed. If you're that worried about it, do some
static ARP, or do some DHCP services and use the 'update arp' parameter to
automatically do it on assignment. Technically though, you'd have to do
that on every device on your network. Unless you're filtering and
intercepting ARP packets (proxy ARP as well).
But that's a different issue altogether... :)
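To illustrate Scott's point that unknown-unicast flooding stays inside the ingress VLAN even when the CAM table is exhausted, here is a toy Python model of a VLAN-aware learning switch. This is an added example, not code from any poster; the switch behaviour, the port-to-VLAN map, the table size and the MAC addresses are all constructed assumptions.

```python
class LearningSwitch:
    """Toy model of a VLAN-aware learning switch with a bounded CAM table.

    Constructed for illustration: unknown-unicast frames are flooded to every
    other port in the ingress VLAN (never across VLANs), and once the table
    is full no new MAC is learned, so frames to unlearned MACs keep flooding
    (the classic CAM-overflow failure mode, still scoped to one VLAN).
    """

    def __init__(self, port_vlans, cam_capacity):
        self.port_vlans = dict(port_vlans)      # port -> access VLAN
        self.cam_capacity = cam_capacity
        self.cam = {}                           # (vlan, mac) -> port

    def _learn(self, vlan, src_mac, in_port):
        key = (vlan, src_mac)
        if key in self.cam:
            self.cam[key] = in_port             # refresh existing entry
        elif len(self.cam) < self.cam_capacity:
            self.cam[key] = in_port             # learn while there is room
        # else: table full, the new source is silently not learned

    def forward(self, in_port, src_mac, dst_mac):
        """Return the sorted list of egress ports for one frame."""
        vlan = self.port_vlans[in_port]
        self._learn(vlan, src_mac, in_port)
        out = self.cam.get((vlan, dst_mac))
        if out is not None and out != in_port:
            return [out]                        # known unicast: one port
        # unknown unicast: flood, but only to other ports in this VLAN
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != in_port)


def cam_overflow_demo():
    """Exhaust the table from an 'outside' VLAN port, then check where a
    frame to an unlearned inside host ends up. Returns (ports, leaked)."""
    sw = LearningSwitch({1: 10, 2: 10, 3: 20, 4: 20}, cam_capacity=4)
    # constructed: many distinct source MACs arrive on port 1 (VLAN 10)
    for i in range(50):
        sw.forward(1, "02:00:00:00:00:%02x" % i, "ff:ff:ff:ff:ff:ff")
    # constructed: inside host on port 3 (VLAN 20) sends to the host on
    # port 4; neither MAC can be learned now because the table is full
    flood_ports = sw.forward(3, "02:aa:aa:aa:aa:03", "02:aa:aa:aa:aa:04")
    leaked = any(sw.port_vlans[p] != 20 for p in flood_ports)
    return flood_ports, leaked
```

Running `cam_overflow_demo()` returns `([4], False)`: the inside frame is flooded, but only to the other VLAN 20 port, never to the VLAN 10 ports.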
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Sheahan, John
Sent: Wednesday, November 02, 2005 4:28 PM
To: ccielab@groupstudy.com
Subject: RE: Switch Network Design Question
As we all know regarding switching, if a frame comes into a switch and the
switch has no destination mac address in its ARP table, it doesn't know
where to forward it so it forwards it out all ports on the switch.
From what I remember, if an attacker could continually clear the ARP cache
on a switch (or poison it), the switch will not know where to send all
frames and thus will forward them out all ports by design. If this happened,
it is possible that frames received on a port configured for the outside
VLAN might wind up getting forwarded to ports configured for the internal
VLAN.
_____
From: bud selig [mailto:bud4bud@gmail.com]
Sent: Wednesday, November 02, 2005 4:07 PM
To: Sheahan, John
Cc: ccielab@groupstudy.com
Subject: Re: Switch Network Design Question
This is great info. I appreciate it! Any more details on the vulnerability
you mentioned below would be appreciated as well.
Bud
On 11/2/05, Sheahan, John <John.Sheahan@priceline.com> wrote:
One more thing....
We specifically made an issue over this with Cisco a couple of years back.
There was talk of a hack at one time that could be put in place that would
"flatten" a switch, thus creating one big vlan. Cisco assured us, in person,
several times that this was considered safe by their standards. We still did
not believe them and continued to always use separate switches for at least
the switches attached to the outside interfaces of Pix firewalls.
We see now that Cisco put its money where its mouth was when they designed
the FWSM. When you configure a FWSM in a 6500 switch, you are using a VLAN
for the outside, dmz and inside interfaces all on the same switch.
I feel more comfortable now since Cisco came out with this design and we can
clearly see that is the direction Cisco is heading.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of bud selig
Sent: Wednesday, November 02, 2005 3:52 PM
To: Cisco certification
Subject: Re: Switch Network Design Question
Thanks for all the responses on this. They were very helpful.
On 11/2/05, bud selig <bud4bud@gmail.com> wrote:
>
> Hello,
>
> I was wondering what everyone's thoughts were on having a single switch
> house the outside, inside, DMZ VLANs. I prefer to keep the inside VLAN on a
> different physical switch for a more secure environment.
>
> Thanks
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:05 GMT-3