Penetration Testing mailing list archives

Re: VLAN Issue


From: Damieon Stark <visigoth () covertdata net>
Date: Tue, 12 Jun 2001 09:55:36 +0600

As was once said by the wise Ryan Russell, on Tue, Jun 12, 2001 at 08:28:28AM -0600:
The problem does exist with just one switch in at least one instance.  On
the Catalyst 5xxx family, a researcher found that they could force 802.1q
frames onto the switch, and some of them would leak through to the VLAN
designated in the frames.  Cisco couldn't fix it.  The VLAN tags come at
the end of the frame, 

For 802.1q to my understanding (without looking it up ;) 802.1q inserts the
vlan identifier right after the source MAC address.

and under load, the switch would have already
started forwarding the frame before it knew what VLAN it was designated
for.

To my best understanding, that is only possible if the switch has
trunking going on.  The only way we found to exploit it was with multiple
switches which are configured to do 802.1q vlan trunking.  If it can be
done with just one switch with NO vlan trunking that would be news to me.
I am unfortunately not in a place to be able to test (yea, I wish I had a
coupla Cat 5xxx's at home ;) I would have to see more info to believe that 
it happens without vlan trunking, because I thought the way the exploit worked
was via having the switch on the other side of a vlan trunk think the 802.1q
header on the frame was from the peer switch... Got a url?

Damieon Stark
Unix/Network Security Engineer
<plug>
currently seeking employment
</plug>
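Added example, not part of this mailing-list post: a small Python parser that shows where 802.1q places its tag (directly after the source MAC, as Damieon says, rather than at the end of the frame) and that stacked tags are visible at that same position, plus a defender-side check that flags any tagged frame seen on an access port. The MAC addresses and frames are constructed sample data, not captures.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # Tag Protocol Identifier that announces an 802.1Q tag

# Constructed sample frames (hex), not captures: dst 00:11:22:33:44:55,
# src 66:77:88:99:aa:bb, IPv4 EtherType 0x0800, four zero payload bytes.
UNTAGGED = bytes.fromhex("001122334455" "66778899aabb" "0800" "00000000")
SINGLE_TAGGED = bytes.fromhex("001122334455" "66778899aabb" "8100000a" "0800" "00000000")
DOUBLE_TAGGED = bytes.fromhex("001122334455" "66778899aabb" "81000001" "81000014" "0800" "00000000")


def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet II header plus any stacked 802.1Q tags.

    The 4-byte tag sits right after the source MAC: TPID 0x8100, then
    TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits). Tags are returned
    outer-first; 'ethertype' is the first type field that is not 0x8100.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12          # byte offset of the first EtherType/TPID field
    vlans = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break
        if len(frame) < offset + 6:   # need TCI plus a following type field
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)
        offset += 4
    return {"dst": dst, "src": src, "vlans": vlans,
            "ethertype": ethertype, "payload_offset": offset + 2}


def audit_access_port_frame(frame: bytes) -> Optional[str]:
    """Defender-side check: a frame arriving on an access port should carry
    no 802.1Q tag; a tag, and especially a stack of tags, is worth alerting on."""
    vlans = parse_frame(frame)["vlans"]
    if not vlans:
        return None
    if len(vlans) > 1:
        return f"stacked 802.1Q tags {vlans} on access port (possible double tagging)"
    return f"802.1Q tag for VLAN {vlans[0]} on access port"
```

Running `parse_frame` over the three constructed frames yields VLAN lists `[]`, `[10]` and `[1, 20]`, and only the tagged frames trip `audit_access_port_frame`.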


