Firewall Wizards mailing list archives
Re: vlan security ?
From: Eric Hall <firewall-wizards () darkart com>
Date: Thu, 10 Aug 2000 12:21:35 -0700
On Wed, Aug 09, 2000 at 02:54:54PM -0400, John Adams wrote:
[snip]
> There's simply no command (aside from putting a port up as a span port or trunk) to put a port in two VLANs. Would this attack involve injecting ISL packets into the switch to send data to multiple ports? ISL isn't authenticated, nor is VTP, so you could have packets crossing boundaries that way.

'switchport mode multi' and 'switchport multi vlan ###-###' work just fine on a 3500xl (12.0(5) XU) for putting a port into multiple vlans. I have this configured on a switch that isn't running VTP. It appears that packets are not being tagged (at least I can't see the tags on machines directly connected to the switch).

I'm working out using one switch w/ private vlans ('port protected') and one secure mac address per port for isolation. So far it's okay; I've yet to try to add tagged packets to the switch to see if they'll cross the vlan boundaries or not.

I have tried some simple arp floods (random packets), so far no leaks, but I've only tried with one host generating the flood. With the secure mac address limit set to '1' none of the faked arp packets can get into the switch; it appears this is done (on the 3500xl) at the port, as the switch is still very responsive (no load impact). If I take off the secure mac address stuff the arp flood brings the switch to its knees as far as trying to interact with it goes. I've yet to try flooding w/ the correct mac address, that could be interesting.

-eric

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
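A constructed configuration fragment, added here as an illustration and not taken from Eric's switch or from the list post, showing the isolation setup he describes on a Catalyst 3500XL: a host port that is both a protected port and limited to a single secure MAC address, beside a separate port placed in several VLANs with 'switchport mode multi'. Interface names and VLAN numbers are placeholders; the 'port protected' and 'port security' commands are the 3500XL-era IOS forms and their exact syntax should be checked against the switch's own documentation.

```text
! Constructed example (not from the original post). Catalyst 3500XL style
! configuration for the isolation model described above. Interface names and
! VLAN numbers are placeholders.
!
! Isolated host port: protected ports on the same switch cannot exchange
! frames with each other at layer 2, and port security limits the port to
! one learned MAC address, so a host flooding forged source addresses is
! cut off at the port instead of polluting the switch's address table.
interface FastEthernet0/1
 description isolated host port
 switchport access vlan 10
 port protected
 port security max-mac-count 1
 port security action shutdown
!
! Shared port (e.g. a server) that must be reachable from several VLANs.
! 'switchport mode multi' gives untagged membership in more than one VLAN,
! which is the command the post says works on the 3500xl.
interface FastEthernet0/24
 description shared multi-vlan port
 switchport mode multi
 switchport multi vlan 10-12
!
```

The 'port security action shutdown' line is a choice, not something the post states: with it, a second source MAC address on the isolated port disables the port and leaves a visible event to act on, rather than silently dropping the extra frames. Whatever the action, the point the post makes stands: the MAC limit is enforced per port, so a flood of forged addresses costs the switch's CPU nothing, whereas without it the flood degrades the whole switch.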