RE: Switch security.

From: Alex De Gruiter (Alex.deGruiter@didata.com.au)
Date: Tue Nov 21 2006 - 20:12:25 ART


A switch will forward any unknown unicast, broadcast and multicast
frames to all ports, regardless of whether they are protected or not;
this is standard L2 switching behaviour. Using "switchport protected"
only actually prevents unicast traffic between A and B.

From the Doc CD:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swtrafc.htm#wp1087814
By default, the switch floods packets with unknown destination MAC
addresses out of all ports. If unknown unicast and multicast traffic is
forwarded to a protected port, there could be security issues. To
prevent unknown unicast or multicast traffic from being forwarded from
one port to another, you can block a port (protected or nonprotected)
from flooding unknown unicast or multicast packets to other ports.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Michael Zuo
Sent: Wednesday, 22 November 2006 8:36 AM
To: Kal Han; V Shekhar
Cc: Groupstudy; Cisco certification
Subject: RE: Switch security.

If A and B cannot communicate with each other, how can flooded frames go
between the two?

Does "vlan protected" distinguish between known MAC and unknown MAC?

thanks

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Kal Han
Sent: Monday, November 20, 2006 12:37 PM
To: V Shekhar
Cc: Groupstudy; Cisco certification
Subject: Re: Switch security.

when you enable two ports as protected,
those two ports cannot communicate at all.
(not unicast, broadcast, multicast)

But for unknown destination mac addresses, switch by default will flood
to all ports.
This way some packets from one protected port can go to the other.

If you do not want this behavior, you need to configure switchport
block unicast | multicast

Thanks
Kal

On 11/19/06, V Shekhar <vshekhar25@yahoo.com> wrote:
>
> If the 1st requirement asks, to make sure two hosts (A & B) connected via a
> switch should not communicate directly. (Should do via host C).
> Hence I configure A & B connected to protected ports.
> And the second requirement asks to block any unicast and multicast
> exchange between A & B. Do I really need to use the "switchport block
> unicast|multicast" on A & B switch port?
> I think "switchport protected" will block any unicast and multicast
> between A & B as well.
>
> Comments?
> -sHekHar.
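Added example (not part of this thread and not Cisco code): a small Python model of the forwarding decisions the thread describes, so the difference between "switchport protected" and "switchport block unicast | multicast" can be seen on concrete frames. The port names, MAC addresses and the split between what protected-port isolation stops (known unicast, broadcast) and what flooding leaks (unknown unicast, multicast) are my assumptions taken from Alex's and Kal's descriptions, not Catalyst internals.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Port:
    name: str
    protected: bool = False        # "switchport protected"
    block_unicast: bool = False    # "switchport block unicast"
    block_multicast: bool = False  # "switchport block multicast"

def is_multicast(mac):
    """I/G bit set in the first octet; the all-ones broadcast is handled separately."""
    return mac != BROADCAST and int(mac.split(":")[0], 16) & 1 == 1

class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}  # MAC -> port name, learned from source addresses

    def forward(self, ingress, src, dst):
        """Return the set of port names a frame arriving on `ingress` is sent out of."""
        self.mac_table[src] = ingress
        src_port = self.ports[ingress]
        if dst == BROADCAST:
            kind = "broadcast"
        elif is_multicast(dst):
            kind = "multicast"
        elif dst in self.mac_table:
            kind = "known-unicast"
        else:
            kind = "unknown-unicast"
        flooded = kind in ("unknown-unicast", "multicast")
        candidates = [self.mac_table[dst]] if kind == "known-unicast" else list(self.ports)
        egress = set()
        for name in candidates:
            port = self.ports[name]
            if name == ingress:
                continue
            # Assumption from the thread: protected-port isolation covers known
            # unicast and broadcast, but not frames the switch floods.
            if not flooded and src_port.protected and port.protected:
                continue
            # "switchport block ..." on the egress port is what stops flooded frames.
            if kind == "unknown-unicast" and port.block_unicast:
                continue
            if kind == "multicast" and port.block_multicast:
                continue
            egress.add(name)
        return egress

def build_switch(block_flooding):
    """Constructed topology: A on Fa0/1 and B on Fa0/2 are protected; C on Fa0/3 is not."""
    return Switch([
        Port("Fa0/1", protected=True, block_unicast=block_flooding, block_multicast=block_flooding),
        Port("Fa0/2", protected=True, block_unicast=block_flooding, block_multicast=block_flooding),
        Port("Fa0/3"),
    ])
```

With `build_switch(False)`, an unknown-unicast frame from A still reaches B's port; with `build_switch(True)` it reaches only C's port, which is the leak Kal and Alex describe and the block commands close.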



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART