From: Church, Chuck (cchurch@netcogov.com)
Date: Thu Nov 03 2005 - 17:45:48 GMT-3
Sure, but port security (limiting how many MAC addresses you can learn on a port) can mitigate that. Check out:
<http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00802c3007.html#wp1038511>

The first MAC address to exceed the set limit can shut the port down and log the offender. Problem solved.
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
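An added example of the port-security configuration Chuck describes (not posted by anyone in this thread): a Catalyst IOS access port that learns at most two source MACs, err-disables itself and logs the offender when a third appears, and recovers automatically after five minutes. The interface name FastEthernet0/1, VLAN 10 and the limit of two are assumptions.

```cisco
! Added example, not from the thread: port security on one access port
! (assumed interface Fa0/1 in VLAN 10; pick the limit to fit the port's
! real use, e.g. 2 for a phone plus a PC)
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! no more than two source MAC addresses may be learned here
 switchport port-security maximum 2
 ! the MAC that exceeds the limit err-disables the port and is logged;
 ! "violation restrict" would drop and log without taking the port down
 switchport port-security violation shutdown
 ! keep the learned MACs in the running config across link flaps
 switchport port-security mac-address sticky
!
! global: bring err-disabled ports back after 300 s so a flood attempt
! does not turn into a permanent outage on that port
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! verification (exec mode):
!   show port-security interface FastEthernet0/1
!   show port-security address
!   show errdisable recovery
```

The `show port-security interface` output reports the current violation count and the last source MAC seen, which is the "offender" the syslog message names.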
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Mike Ollington
Sent: Thursday, November 03, 2005 2:50 PM
To: Scott Morris; Sheahan, John; ccielab@groupstudy.com
Subject: RE: Switch Network Design Question
Is it still possible to flood the CAM table with thousands of MACs and cause unicast flooding in that VLAN?

Most of the VLAN vulnerabilities that I have read about require physical access to the switch.

Dot1q VLAN hopping, for example, requires you to have access to the switch and access to a dot1q trunk port with a native VLAN that has some operational traffic on it.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott Morris
Sent: 03 November 2005 01:05
To: 'Sheahan, John'; ccielab@groupstudy.com
Subject: RE: Switch Network Design Question
No. It forwards the packet out all ports IN THAT VLAN.

The previous "vulnerability" everyone talks about had to do with an overflow that could be created where the switch would freak out at the number of unknown frames coming in and would indeed flood out to all ports. But that was a problem with much older switches. Not today.

You can't force it to clear an ARP cache either. You can send "gratuitous ARPs" since the spec doesn't say anything about there must be a request for one before a reply gets filed. If you're that worried about it, do some static ARP, or do some DHCP services and use the 'update arp' parameter to automatically do it on assignment. Technically though, you'd have to do that on every device on your network. Unless you're filtering and intercepting ARP packets (proxy ARP as well).

But that's a different issue altogether... :)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Sheahan, John
Sent: Wednesday, November 02, 2005 4:28 PM
To: ccielab@groupstudy.com
Subject: RE: Switch Network Design Question
As we all know regarding switching, if a frame comes into a switch and the switch has no destination mac address in its ARP table, it doesn't know where to forward it, so it forwards it out all ports on the switch.

From what I remember, if an attacker could continually clear the ARP cache on a switch (or poison it), the switch will not know where to send all frames and thus will forward them out all ports by design. If this happened, it is possible that frames received on a port configured for the outside VLAN might wind up getting forwarded to ports configured for the internal VLAN.
_____
From: bud selig [mailto:bud4bud@gmail.com]
Sent: Wednesday, November 02, 2005 4:07 PM
To: Sheahan, John
Cc: ccielab@groupstudy.com
Subject: Re: Switch Network Design Question
This is great info. I appreciate it! Any more details on the vulnerability you mentioned below would be appreciated as well.
Bud
On 11/2/05, Sheahan, John <John.Sheahan@priceline.com> wrote:
One more thing....

We specifically made an issue over this with Cisco a couple of years back. There was talk of a hack at one time that could be put in place that would "flatten" a switch, thus creating one big vlan. Cisco assured us, in person, several times that this was considered safe by their standards. We still did not believe them and continued to always use separate switches for at least the switches attached to the outside interfaces of Pix firewalls.

We see now that Cisco put its money where its mouth was when they designed the FWSM. When you configure a FWSM in a 6500 switch, you are using a VLAN for the outside, dmz and inside interfaces all on the same switch.

I feel more comfortable now since Cisco came out with this design and we can clearly see that is the direction Cisco is heading.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of bud selig
Sent: Wednesday, November 02, 2005 3:52 PM
To: Cisco certification
Subject: Re: Switch Network Design Question
Thanks for all the responses on this. They were very helpful.
On 11/2/05, bud selig <bud4bud@gmail.com> wrote:
>
> Hello,
>
> I was wondering what everyone's thoughts were on having a single switch house the outside, inside, DMZ VLANs. I prefer to keep the inside VLAN on a different physical switch for a more secure environment.
>
> Thanks
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:05 GMT-3