Firewall Wizards mailing list archives

Re: vlan security ?


From: Eric Hall <firewall-wizards () darkart com>
Date: Thu, 10 Aug 2000 12:21:35 -0700

On Wed, Aug 09, 2000 at 02:54:54PM -0400, John Adams wrote:
[snip]
There's simply no command (aside from putting a port up as a span port or
trunk) to put a port in two VLANs. Would this attack involve injecting ISL
packets into the switch to send data to multiple ports? ISL isn't
authenticated, nor is VTP, so you could have packets crossing boundaries
that way.

        'switchport mode multi' and 'switchport multi vlan ###-###'
work just fine on a 3500xl (12.0(5) XU) for putting a port into
multiple vlans.  I have this configured on a switch that isn't
running VTP.  It appears that packets are not being tagged (at least
I can't see the tags on machines directly connected to the switch).

        I'm working out using one switch w/ private vlans ('port
protected') and one secure mac address per port for isolation.
So far it's okay, I've yet to try to add tagged packets to the
switch to see if they'll cross the vlan boundaries or not.  I have
tried some simple arp floods (random packets), so far no leaks
but I've only tried with one host generating the flood.  With the
secure mac address limit set to '1' none of the faked arp packets
can get into the switch, it appears this is done (on the 3500xl)
at the port as the switch is still very responsive (no load impact).
If I take off the secure mac address stuff the arp flood brings the
switch to its knees as far as trying to interact with it goes.
I've yet to try flooding w/ the correct mac address, that could
be interesting.


                -eric
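The behaviour Eric describes (a secure-MAC limit of one per port stopping a randomised ARP flood at the port while the legitimate host keeps working) is easy to reason about with a small model. The code below is an added example for this thread, not Cisco code and not a reproduction of 3500XL internals: it parses constructed raw Ethernet frames, enforces a per-port maximum of learned source MACs, and also counts any 802.1Q-tagged frame arriving on an access port so the attached device can be investigated. The port name, MAC addresses and the assumption that an access port should drop tagged frames are all constructed for the example.

```python
"""Model of per-port secure-MAC limiting ("port security") with an
802.1Q tag check.  Added example for this thread; not Cisco code and
not a model of 3500XL internals.  All frames are constructed inline."""
import struct
from dataclasses import dataclass, field

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806


def build_frame(dst, src, ethertype, payload=b"", vlan=None):
    """Build a raw Ethernet II frame; vlan != None inserts an 802.1Q tag."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        # TPID 0x8100 followed by the TCI (PCP/DEI zero, 12-bit VLAN id)
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (src_mac, vlan_id_or_None, inner_ethertype) for a raw frame."""
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if etype == ETHERTYPE_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
    return src, vlan, etype


@dataclass
class AccessPort:
    """One access port with a secure-MAC limit (hypothetical model)."""
    name: str
    max_secure_macs: int = 1
    learned: set = field(default_factory=set)
    dropped: int = 0
    forwarded: int = 0
    tagged_seen: int = 0

    def ingress(self, frame):
        """Apply the port policy to one frame; True if it is forwarded."""
        src, vlan, _ = parse_frame(frame)
        if vlan is not None:
            # A host-facing access port should not receive tagged frames;
            # count and drop so the operator can look at the attached device.
            self.tagged_seen += 1
            self.dropped += 1
            return False
        if src not in self.learned:
            if len(self.learned) >= self.max_secure_macs:
                # Violation: an unknown source MAC beyond the secure limit.
                self.dropped += 1
                return False
            self.learned.add(src)
        self.forwarded += 1
        return True


def simulate_arp_flood(n_fake, max_secure_macs=1):
    """Legit host speaks, n_fake spoofed-MAC ARPs arrive, one tagged frame
    is attempted, then the legit host speaks again.  Returns the port."""
    port = AccessPort("Fa0/1", max_secure_macs=max_secure_macs)
    legit = "00:10:a4:00:00:01"          # constructed host MAC
    bcast = "ff:ff:ff:ff:ff:ff"
    port.ingress(build_frame(bcast, legit, ETHERTYPE_ARP))
    for i in range(n_fake):
        fake = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)
        port.ingress(build_frame(bcast, fake, ETHERTYPE_ARP))
    port.ingress(build_frame(bcast, legit, ETHERTYPE_ARP, vlan=20))  # tagged attempt
    port.ingress(build_frame(bcast, legit, ETHERTYPE_ARP))           # legit still passes
    return port


if __name__ == "__main__":
    p = simulate_arp_flood(1000)
    print(f"{p.name}: forwarded={p.forwarded} dropped={p.dropped} "
          f"tagged={p.tagged_seen} learned={sorted(p.learned)}")
```

With the limit at one, only the first-seen MAC is ever forwarded and the thousand spoofed frames are rejected at the port without populating the learned set; raising the limit lets every spoofed address through and fills the table, which is the condition the thread describes as bringing the switch to its knees.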



_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

