nanog mailing list archives
Re: maximum active vlans in a crisco 6509
From: Bennett Todd <bet () rahul net>
Date: Wed, 21 Jun 2000 00:34:39 -0400
2000-06-20-23:56:07 Bora Akyol:
If you put all of the users on separate switch ports, then would they be able to snoop each other's traffic? At least the switches that I have seen prevent this behavior unless you put a particular switch port in "monitor" mode.
Sorry, I did a dumb thing here, I basically carried over a whole debate context from other lists and assumed it here. I should have at least referenced the other discussions. It's been discussed at great length on firewall-wizards () nfr com and firewalls () lists gnac net. The short version is, the core switch behavior you're talking about was never designed as a security barrier, or an IP level traffic visibility control tool; it was just designed to shrink the scope of traffic visibility for performance reasons. Any number of hacks, like CAM table flooding, can coerce a normal switch to leak something fierce. Furthermore, and badly mangling the intent of my example, VLANs weren't originally designed as security barriers, they were just intended to help provide control over the scope of broadcast domains, to help people better provision the use of the excruciatingly expensive switch ports, when switches were young, their ports were dear, and they came in just a few sizes. But where the focus of core switch behavior is purely at the MAC level, VLANs at least are defined in terms of specific physical ports, leaving room to hope that barring security bugs in the OSes on the host processors of the switches, VLANs may be a bit more effective as security barriers.
As long as all rooms in this hotel are on separate switch ports, you would basically be OK even without using VLANs.
Depends on the level of protection and control you want to offer. Barring bugs in the switch OS, VLANs _should_ allow you to very positively associate traffic with specific ports, if you give each one a separate VLAN; this you cannot reasonably do with simple switches given a dynamic user community. Simple switches leave you far weaker guarantees about inter-user protections as well, but what I was trying to hint at with the thought about doing traffic shaping with the upstream router was the idea of keeping accountability right from the individual switch port all the way to the router. Probably too flawed an example to be any good, sorry for the digression here. -Bennett
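Added illustration (not part of the original thread, and not code from any of the participants) of the two mechanisms the reply above leans on: CAM table flooding pushing a plain learning switch back into flooding unicast frames to every port, and per-port VLAN membership confining that flood. It is a toy model with deliberately simple assumptions: a fixed-size forwarding table, no learning of new addresses once the table is full, all entries aged out at once, and unknown-unicast flooding confined to the ingress port's VLAN (the behaviour an 802.1Q switch is supposed to have, which is exactly the "barring bugs in the switch OS" caveat). The MAC addresses, port numbers and table size are constructed for the example.

```python
"""Toy learning-switch model: CAM flooding with and without per-port VLANs.

Constructed example; real switches differ in table size, aging and
replacement policy, but the failure mode shown here is the classic one.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC
    ingress: int  # port the frame arrived on


class Switch:
    def __init__(self, ports, cam_capacity: int,
                 vlan_of: Optional[Dict[int, int]] = None):
        self.ports = set(ports)
        self.cap = cam_capacity
        # Flat switch by default: every port in VLAN 1.
        self.vlan_of = vlan_of or {p: 1 for p in ports}
        # CAM keyed by (vlan, mac) -> port, as 802.1Q switches do.
        self.cam: Dict[Tuple[int, str], int] = {}

    def age_out_all(self) -> None:
        """Simulate every entry reaching its aging timer at once."""
        self.cam.clear()

    def forward(self, f: Frame) -> Set[int]:
        """Learn the source, then return the set of egress ports."""
        vlan = self.vlan_of[f.ingress]
        key = (vlan, f.src)
        # Learn the source address only if known or the table has room:
        # once an attacker has filled the table, legitimate hosts are
        # simply never (re)learned.
        if key in self.cam or len(self.cam) < self.cap:
            self.cam[key] = f.ingress
        out = self.cam.get((vlan, f.dst))
        if out is not None:
            return set() if out == f.ingress else {out}
        # Unknown unicast (or broadcast): flood every other port in the VLAN.
        return {p for p in self.ports
                if self.vlan_of[p] == vlan and p != f.ingress}


def cam_flood(sw: Switch, port: int, count: int) -> None:
    """Attacker on `port` sends `count` frames with distinct bogus source MACs."""
    for i in range(count):
        bogus = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)
        sw.forward(Frame(src=bogus, dst="ff:ff:ff:ff:ff:ff", ingress=port))


def run(vlan_of: Optional[Dict[int, int]] = None) -> Tuple[Set[int], Set[int]]:
    """Return (egress ports for A->B before the attack, same after the attack).

    Port 1 = host A, port 2 = host B, port 3 = attacker.
    """
    sw = Switch(ports=[1, 2, 3], cam_capacity=64, vlan_of=vlan_of)
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed MACs
    sw.forward(Frame(a, b, 1))   # first frame: B unknown, flooded, A learned
    sw.forward(Frame(b, a, 2))   # reply: B learned, delivered to port 1 only
    before = sw.forward(Frame(a, b, 1))
    cam_flood(sw, 3, 1000)       # attacker fills the table
    sw.age_out_all()             # A and B age out along with the bogus entries
    cam_flood(sw, 3, 1000)       # attacker refills it before A and B resend
    after = sw.forward(Frame(a, b, 1))
    return before, after


if __name__ == "__main__":
    flat = run()
    print("flat switch, A->B egress before/after flood:", flat)
    per_vlan = run(vlan_of={1: 10, 2: 10, 3: 20})
    print("A,B in VLAN 10, attacker in VLAN 20:", per_vlan)
```

On the flat switch the attacker's port appears in the egress set once the table is exhausted, which is the leak the reply describes; with the attacker's port in its own VLAN the flood is confined to VLAN 10 even though the shared table is still full, so the attacker sees nothing. That holds only as long as the switch really confines flooding to the VLAN, which is the switch-OS trust the reply is careful to flag.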
Current thread:
- maximum active vlans in a crisco 6509 Bob Biver (Jun 20)
- RE: maximum active vlans in a crisco 6509 Roeland Meyer (E-mail) (Jun 20)
- Re: maximum active vlans in a crisco 6509 Bennett Todd (Jun 20)
- Re: maximum active vlans in a crisco 6509 Bora Akyol (Jun 20)
- Re: maximum active vlans in a crisco 6509 Bennett Todd (Jun 20)
- Re: maximum active vlans in a crisco 6509 Jeff Kell (Jun 20)
- Re: maximum active vlans in a crisco 6509 Bennett Todd (Jun 20)
- Re: maximum active vlans in a crisco 6509 Stephen Sprunk (Jun 21)
- RE: maximum active vlans in a crisco 6509 Roeland Meyer (E-mail) (Jun 20)
- Re: maximum active vlans in a crisco 6509 Devin P. Anderson (Jun 21)