[Wylug-help] VLANs and security

Jim Jackson jj at comp.leeds.ac.uk
Thu May 13 09:52:26 BST 2004


On Wed, 12 May 2004, Robert Wood wrote:

> On Wednesday May 12 2004 16:20, Jim Jackson wrote:
> > > http://www.securityfocus.com/bid/615/discussion/
> >
> > This highlights a way to possibly subvert VLAN trunking to get a packet
> > from one VLAN to another - but not in reverse. On susceptible
> > equipment it could be used to mount a DOS.
> >
> > I can see many ways in which switch manufacturers can make it impossible
> > to do this. Though it appears that Cisco in 2002 were issuing best
> > practice to mitigate this at their bootcamps
> >
>
> This is news to me having only implemented 802.1q VLANs with Extreme Networks
> kit... Their software had the option (set by default I believe) of dropping
> any 802.1q tagged frame on ingress from a non-trunk port.

The obvious solution.

> This should be fairly trivial to configure on any switch that allows filtering
> (aka "access lists") by EtherType - 802.1Q uses 0x8100 by default (I think).

I think one of the problems with Cisco kit is that by default the ports
are set to "negotiate" trunking, so if you link 2 cisco switches they can
trunk automatically.

Jim
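The ingress rule discussed in this thread (drop any 802.1Q-tagged frame that arrives on a non-trunk port, and never accept a nested tag stack on a trunk) can be expressed as a small frame parser plus a policy function. The following is an added example, not code from the original thread or from any switch vendor; the frame layout (two 6-byte MACs, then zero or more 4-byte tags, then the payload EtherType) follows IEEE 802.1Q, the 0x8100 EtherType is the one named above, the 0x88A8 value for 802.1ad S-tags is a standard constant added here, and all sample frames are constructed inline for testing the filter.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # C-tag EtherType, as named in the thread
ETHERTYPE_8021AD = 0x88A8  # S-tag EtherType (802.1ad); standard value, added here
MAC_HEADER_LEN = 12        # destination MAC (6) + source MAC (6)


def parse_vlan_tags(frame: bytes):
    """Walk the tag stack after the MAC addresses.

    Returns (vlan_ids, inner_ethertype): the list of 12-bit VIDs in outer-to-inner
    order (empty for an untagged frame) and the EtherType of the encapsulated
    payload. Raises ValueError on a frame too short to hold what it claims.
    """
    if len(frame) < MAC_HEADER_LEN + 2:
        raise ValueError("frame too short for an Ethernet header")
    offset = MAC_HEADER_LEN
    vlan_ids = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            return vlan_ids, ethertype
        # A tag is TPID (2 bytes, just read) + TCI (2 bytes); VID is the low 12 bits.
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)
        offset += 4


def ingress_policy(frame: bytes, port_is_trunk: bool) -> str:
    """Decide what a switch should do with a frame arriving on a given port.

    Access ports accept only untagged frames; trunk ports accept at most one
    tag, so a frame carrying a nested tag stack is dropped before it can be
    re-tagged toward another VLAN.
    """
    vlan_ids, _ = parse_vlan_tags(frame)
    if not vlan_ids:
        return "accept"
    if not port_is_trunk:
        return "drop: tagged frame on access port"
    if len(vlan_ids) > 1:
        return "drop: nested tags on trunk port"
    return "accept"


def build_frame(vlan_ids, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Construct a sample Ethernet frame with the given 802.1Q tag stack (test input only)."""
    header = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"  # constructed broadcast dst, dummy src
    for vid in vlan_ids:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def audit(port_frames):
    """Apply the policy to (port_name, is_trunk, frame) triples; return the drop log."""
    dropped = []
    for port, is_trunk, frame in port_frames:
        verdict = ingress_policy(frame, is_trunk)
        if verdict != "accept":
            dropped.append((port, verdict))
    return dropped


if __name__ == "__main__":
    samples = [
        ("Gi1/0/1", False, build_frame([])),        # access port, untagged: fine
        ("Gi1/0/2", False, build_frame([10])),      # access port, tagged: dropped
        ("Gi1/0/24", True, build_frame([10])),      # trunk, single tag: fine
        ("Gi1/0/24", True, build_frame([10, 20])),  # trunk, nested tags: dropped
    ]
    for port, reason in audit(samples):
        print(f"{port}: {reason}")
```

The port names and sample frames are constructed for illustration. On real hardware the equivalent control is the per-port setting the thread mentions (tagged-frame drop on access ports) together with turning off automatic trunk negotiation on edge ports, so that a port cannot become a trunk simply because the attached device asks to.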
