Firewall Wizards mailing list archives
Re: MAC blocking
From: "Dale W. Carder" <dwcarder () doit wisc edu>
Date: Mon, 28 Nov 2005 17:31:40 -0600
Thus spake Chuck Swiger (chuck () codefab com) on Mon, Nov 28, 2005 at 05:09:32PM -0500:
I would say it's not safe to assume that VLANs can be trusted to separate traffic with complete reliability, especially if it is possible for a malicious machine to gain access to a trunk port: http://www.sans.org/resources/idfaq/vlan.php
Anything is possible with proper misconfiguration. If, for whatever limitation, you decide you need to use vlans instead of separate physical infrastructure, you need to know what you are doing. In switched networks, there are huge implications as to how 802.1q, Vlan 1 (particularly on catalyst), VTP (yuck), STP, CDP, etc. interoperate with your security goals.

But, some of the nicer features that have appeared lately for layer 2 include switches that can do edge port ACLs, static mac to port provisioning, 802.1X, VMPS, private vlans... The layer 2 toolbox is getting a bit better.

Dale

----------------------------------
Dale W. Carder - Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder
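For readers who want to see what "knowing what you are doing" looks like in practice, below is an added Catalyst IOS configuration fragment illustrating the layer 2 hardening points raised in the thread (DTP/802.1q trunk negotiation on edge ports, VTP, STP, CDP, and static mac-to-port provisioning via port security). It is an editor's example, not a configuration from Dale's message or from the SANS article; interface names, VLAN numbers and the MAC address are placeholders (the MAC is from the IANA documentation range), and command availability varies by platform and IOS release.

```cisco
! Added example (not from the original post). Placeholders: Gi0/1, Gi0/24,
! VLANs 10/999, MAC 0000.5e00.5301 (documentation range, constructed value).
!
! VTP: run transparent so no other switch's VTP advertisements can rewrite
! this switch's VLAN database.
vtp mode transparent
!
! --- Edge (user-facing) port ---
interface GigabitEthernet0/1
 description user edge port
 ! Weak default on many Catalysts is "switchport mode dynamic desirable",
 ! which will happily negotiate an 802.1q trunk with whatever is plugged in.
 ! Force access mode and turn DTP off entirely.
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ! Static mac-to-port provisioning: one sticky/static address, and log
 ! (rather than hard-shut) on violation so NOC sees it without a helpdesk call.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.5e00.5301
 switchport port-security violation restrict
 ! STP: edge ports should never take part in topology changes; drop the port
 ! if a BPDU arrives (someone attached a switch or is speaking STP).
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! CDP gives away platform, IOS version and native VLAN to anyone listening.
 no cdp enable
!
! --- Uplink (trunk) port ---
interface GigabitEthernet0/24
 description trunk to distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 ! Keep Vlan 1 off the trunk and use an unused, otherwise-unassigned VLAN as
 ! the native (untagged) VLAN so untagged frames never land in a user VLAN.
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 no cdp enable
!
! Verify with:  show interfaces trunk
!               show port-security interface GigabitEthernet0/1
!               show spanning-tree interface GigabitEthernet0/1 portfast
```

The two blocks pair each protocol Dale lists with the control that constrains it: DTP off on every port, VTP transparent, BPDU guard on edge ports, CDP off, and the native VLAN moved away from Vlan 1 on trunks. Private VLANs, 802.1X and edge-port ACLs build on top of this baseline but need per-platform syntax and are not shown.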