Penetration Testing mailing list archives

RE: VLAN Issue


From: John.Curran () Cognotec Com
Date: Wed, 13 Jun 2001 16:37:03 +0100

There's a document in the SANS Intrusion Detection FAQ on this. It describes
a mechanism to perform the exploit.

The URL is: http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

Basically, the method is to alter the 802.1Q portion of the Ethernet frame
with the identifier of the VLAN of the target machine. This was done using
Sniffer Pro. Now, the exploit requires that the trunk ports (across
switches) have an underlying VLAN in common with the destination machine.

Interestingly, some years ago Cisco recommended to a company that I worked
for that VLAN 1 should not be used in production networks, and trunk ports
should have their underlying VLAN setting set to an otherwise unused VLAN
setting. This happens to coincide with the findings in the SANS article.

Regards,

John
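
Added example (not part of the original message): a small audit that checks a switch configuration against the recommendation above, flagging access ports left on VLAN 1 and trunk ports whose native ("underlying") VLAN is 1 or is also assigned to an access port. It assumes Cisco IOS-style `switchport` lines and VLAN 1 as the default access and native VLAN; the sample configuration and the names `parse_ports` and `audit` are constructed for illustration.

```python
import re

# Constructed sample in Cisco IOS-style syntax (not taken from the original post).
SAMPLE_CONFIG = """\
interface Gi0/1
 switchport mode access
 switchport access vlan 10
interface Gi0/2
 switchport mode access
interface Gi0/23
 switchport mode trunk
 switchport trunk native vlan 10
interface Gi0/24
 switchport mode trunk
 switchport trunk native vlan 999
interface Gi0/25
 switchport mode trunk
"""

RULES = {"mode": r"switchport mode (access|trunk)$",
         "access": r"switchport access vlan (\d+)$",
         "native": r"switchport trunk native vlan (\d+)$"}

def parse_ports(config):
    """Map interface -> settings; VLAN 1 is the assumed default for access and native."""
    ports, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            current = ports.setdefault(m.group(1), {"mode": None, "access": "1", "native": "1"})
        for key, pattern in RULES.items():
            if current is not None and (m := re.match(pattern, line)):
                current[key] = m.group(1)
    return ports

def audit(config):
    """Flag VLAN 1 in use and trunks whose native VLAN is 1 or shared with an access port."""
    ports = parse_ports(config)
    in_use = {p["access"] for p in ports.values() if p["mode"] == "access"}
    findings = []
    for name, p in ports.items():
        if p["mode"] == "access" and p["access"] == "1":
            findings.append((name, "access port on VLAN 1"))
        elif p["mode"] == "trunk" and (p["native"] == "1" or p["native"] in in_use):
            findings.append((name, f"native VLAN {p['native']} is VLAN 1 or an access VLAN"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_CONFIG):
        print(f"{name}: {issue}")
```

Ports with no explicit `switchport mode` line are not evaluated here, so a clean result only covers ports that are statically configured as access or trunk.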
