[Wylug-help] VLANs and security

Robert Wood rob at rnwood.co.uk
Wed May 12 20:37:07 BST 2004


On Wednesday May 12 2004 16:20, Jim Jackson wrote:
> > http://www.securityfocus.com/bid/615/discussion/
>
> This highlights a way to possibly subvert VLAN trunking to get a packet
> from one VLAN to another - but not in reverse. On susceptible
> equipment it could be used to mount a DoS.
>
> I can see many ways in which switch manufacturers can make it impossible
> to do this. Though it appears that Cisco in 2002 were issuing best
> practice to mitigate this at their bootcamps
>

This is news to me having only implemented 802.1q VLANs with Extreme Networks
kit... Their software had the option (set by default I believe) of dropping
any 802.1q tagged frame on ingress from a non-trunk port.

This should be fairly trivial to configure on any switch that allows filtering
(aka "access lists") by EtherType - 802.1Q uses 0x8100 by default (I think).

Rob

--
Robert Wood <rob at rnwood.co.uk>
http://www.rnwood.co.uk/

 "If you can't make something good,
  make something look good." - Bill Gates
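To make the mitigation Rob describes concrete, here is a small model of the double-tagging trick and of the "drop tagged frames on non-trunk ports" filter. It is an added example for this thread, not code from the original post, from Extreme Networks or from Cisco. The frames are constructed inline, the Port type and the two switch functions are simplifications that model only the tagging decisions (not a real forwarding pipeline), and it goes slightly beyond the post by also treating the 802.1ad service-tag EtherType 0x88A8 as a tag, since a filter that matches only 0x8100 misses it on switches that honour 802.1ad.

```python
"""Model of 802.1Q double tagging and the ingress filter that stops it.

Added example for this mailing-list thread; not code from the original post
or from any switch vendor. Frames are constructed, not captured. The Port
type, ingress() and egress_trunk() are assumptions that model only the
tagging decisions of a switch.
"""
import struct
from dataclasses import dataclass

ETH_P_8021Q = 0x8100    # 802.1Q customer tag, the EtherType mentioned in the post
ETH_P_8021AD = 0x88A8   # 802.1ad service tag; assumption: filtered as a tag as well
TAG_ETHERTYPES = (ETH_P_8021Q, ETH_P_8021AD)

MAC_A = bytes.fromhex("020000000001")   # constructed attacker MAC
MAC_V = bytes.fromhex("020000000002")   # constructed victim MAC


@dataclass
class Port:
    name: str
    trunk: bool            # True = 802.1Q trunk, False = access (untagged) port
    vlan: int = 1          # access VLAN, or the native (untagged) VLAN of a trunk


def build_frame(dst, src, vlans, ethertype=0x0800, payload=b"\x00" * 46):
    """Ethernet frame with zero or more 802.1Q tags; `vlans` lists outer first."""
    frame = dst + src
    for vid in vlans:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VLAN IDs outermost first, innermost EtherType)."""
    vids, off = [], 12
    while True:
        (et,) = struct.unpack_from("!H", frame, off)
        if et not in TAG_ETHERTYPES:
            return vids, et
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4


def strip_outer_tag(frame):
    """Remove the first tag (4 bytes immediately after the two MACs)."""
    return frame[:12] + frame[16:]


def ingress(port, frame, drop_tagged_on_access):
    """Classify an arriving frame; returns (vlan, frame) or None when dropped.

    Susceptible behaviour (drop_tagged_on_access=False): an access port honours
    a tag that the attached host put on the frame. Hardened behaviour: any frame
    whose EtherType is a tag type is dropped on a non-trunk port, which is the
    filter the post describes.
    """
    vids, _ = parse_tags(frame)
    if not port.trunk:
        if vids and drop_tagged_on_access:
            return None
        if vids:
            return vids[0], strip_outer_tag(frame)
        return port.vlan, frame
    if vids:
        # Trunk: the outer tag selects the VLAN. VID 0 is a priority-only tag
        # and is treated as untagged, i.e. native VLAN.
        return (vids[0] or port.vlan), strip_outer_tag(frame)
    return port.vlan, frame


def egress_trunk(trunk, vlan, frame):
    """Send a frame out a trunk: native VLAN goes untagged, any other gets a tag."""
    if vlan == trunk.vlan:
        return frame
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vlan) + frame[12:]


def double_tag_hop(drop_tagged_on_access):
    """Attacker on access VLAN 1 sends [1][20]; return the VLAN switch 2 assigns."""
    sw1_access = Port("sw1/1", trunk=False, vlan=1)
    sw1_trunk = Port("sw1/24", trunk=True, vlan=1)   # native VLAN 1 on the uplink
    sw2_trunk = Port("sw2/24", trunk=True, vlan=1)

    crafted = build_frame(MAC_V, MAC_A, vlans=[1, 20])
    step = ingress(sw1_access, crafted, drop_tagged_on_access)
    if step is None:
        return None                                  # filtered at the first switch
    vlan, frame = step
    on_wire = egress_trunk(sw1_trunk, vlan, frame)   # VLAN 1 is native: sent untagged
    vlan2, _ = ingress(sw2_trunk, on_wire, drop_tagged_on_access)
    return vlan2


if __name__ == "__main__":
    print("susceptible switch delivers to VLAN", double_tag_hop(False))
    print("hardened switch result:", double_tag_hop(True))
```

Run as-is it shows the one-way hop the thread talks about: with the susceptible setting the first switch strips the outer VLAN 1 tag, sends the frame untagged on the native VLAN, and the second switch classifies it into VLAN 20 from the inner tag; with the ingress filter the frame never leaves the first switch. The complementary measures usually recommended alongside this filter are to keep access ports off the trunk's native VLAN and to tag the native VLAN on trunks, so that a stripped outer tag can never be replaced by "untagged".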



