Vulnerability Development mailing list archives

Re: Vlans


From: John Kinsella <jlk () slip net>
Date: Thu, 18 Jan 2001 00:35:26 -0800

Tim - In theory it's possible to "flatten" VLANs on a switch by slamming
the switch's CPU with enough traffic that it stops tagging packets for
the appropriate VLANs.  From what I understand, at this point instead of
the switch dropping the packet, it sends the packet out destined for all
VLANs.  There was some discussion on this topic on bugtraq last year.

I've been meaning to test out the theory myself in the lab over the last
few weeks but haven't had a chance yet...I will say that unless money is
a serious constraint that a client has, I always try to keep internal
and external network traffic on physically separate switches.  Some
peace of mind may come, though, from considering that the amount of
traffic needed to jump a switch's VLANs *should* be more than easily
generated by a remote user...I'd guess at least 80% of a switch's
backplane capacity would need to be forced through the switch.

John

On Wed, Jan 17, 2001 at 09:02:03AM -0800, Tim Salus wrote:
I am not certain if this is the place to ask this and if not please let
me know where to send it.

I have a client who has the following configuration

Internet -> router -> firewall -> load balancer

The connection from the router to the firewall is on a switch and the
connection from the inside interface of the firewall is on the same
switch. The separation is done using VLANs.

I was taught this is bad due to 802.1q tagging and VLAN hopping using
tagged packets. The problem is I can find very little information on
this to prove my point.

Also, what if there is no 802.1q trunking being done. Is there still a
problem with this?

Is there an exploit to get around the firewall and do server flooding by
jumping VLANs?

No one can get on the firewall segment so what I need to know is can
anyone on the internet cause a problem with this type of configuration.

Thanks in advance

Timothy L. Salus
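The thread talks about 802.1q tags and VLAN hopping without showing what a tagged frame looks like on the wire, which is the thing Tim needs to reason about. The following is an added example, not code from either poster: a small 802.1Q frame decoder plus an audit routine that applies the checks a defender would want on a switch port carrying firewall traffic (a tag arriving on an access port, stacked tags on a trunk, an outer VID that the trunk should not carry, and an explicitly tagged frame for the native VLAN). The port descriptions (`ACCESS_PORT`, `TRUNK_PORT`) and the three sample frames are constructed for this example; the TPID values 0x8100 (802.1Q) and 0x88A8 (802.1ad service tag) are the standard ones.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag (802.1Q)
ETHERTYPE_8021AD = 0x88A8  # service VLAN tag (802.1ad / QinQ), so stacked tags are recognised too


def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet frame: MACs, every stacked VLAN tag in order, inner EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: EtherType missing after VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            break
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)   # Tag Control Information
        offset += 2
        tags.append({
            "pcp": tci >> 13,           # 3-bit priority
            "dei": (tci >> 12) & 1,     # drop eligible indicator
            "vid": tci & 0x0FFF,        # 12-bit VLAN id
        })
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "tags": tags,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def audit_frame(frame: bytes, port: dict) -> list:
    """Return the policy findings for one frame received on a port described by `port`.

    port = {"mode": "access", "vlan": N} or
           {"mode": "trunk", "allowed": {..VIDs..}, "native": N}   (hypothetical description format)
    """
    tags = parse_frame(frame)["tags"]
    findings = []
    if port["mode"] == "access":
        # An access port should only ever see untagged frames; the switch assigns the VLAN.
        if tags:
            findings.append("tagged frame received on access port")
        return findings
    # Trunk port checks.
    if len(tags) > 1:
        findings.append("double-tagged frame (stacked 802.1Q headers)")
    if tags:
        outer = tags[0]["vid"]
        if outer not in port["allowed"]:
            findings.append(f"outer VID {outer} not allowed on this trunk")
        if outer == port["native"]:
            findings.append(f"explicitly tagged frame for native VID {outer}")
    return findings


# Constructed sample frames (broadcast dst, made-up src MAC, 4 placeholder payload bytes).
FRAME_SINGLE_TAG = bytes.fromhex("ffffffffffff001122334455" "8100000a" "0800" "45000014")
FRAME_DOUBLE_TAG = bytes.fromhex("ffffffffffff001122334455" "81000001" "81000014" "0800" "45000014")
FRAME_UNTAGGED = bytes.fromhex("ffffffffffff001122334455" "0806" "00010800")

# Constructed port descriptions.
ACCESS_PORT = {"mode": "access", "vlan": 10}
TRUNK_PORT = {"mode": "trunk", "allowed": {10, 20}, "native": 1}

if __name__ == "__main__":
    for name, frame in (("single", FRAME_SINGLE_TAG), ("double", FRAME_DOUBLE_TAG), ("untagged", FRAME_UNTAGGED)):
        info = parse_frame(frame)
        print(name, [t["vid"] for t in info["tags"]], hex(info["ethertype"]))
        print("  access:", audit_frame(frame, ACCESS_PORT))
        print("  trunk: ", audit_frame(frame, TRUNK_PORT))
```

The decoder walks the tag stack until it reaches a non-VLAN EtherType, so a frame with one tag and a frame with two are told apart by the length of `tags` rather than by guessing at offsets. The audit is the part that matters for Tim's setup: on a port feeding the firewall's inside or outside interface, any tagged frame on an access port or any stacked tag on a trunk is something to alert on, since neither should occur in the configuration he describes.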

