Larry,

According to Ken Kaminski at the Lexington office, you are vulnerable to VLAN
hopping.
--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com


"Larry Letterman" wrote in message news:[EMAIL PROTECTED]...
> we have been pruning or clearing VLAN 1 from our data VLANs
> for a good while with 6509's and supervisor 1a-ge2. Our management
> stays on VLAN 1 and our data stays on the others.
>
>
> Larry Letterman
> Cisco Systems
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Kent Hundley
> Sent: Friday, March 22, 2002 8:30 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Catalyst 6509 [7:39192]
>
>
> Correct, it's essentially an 802.1Q native VLAN issue, not a VLAN 1 issue
> per se. I would note though that although the change to make a non-active
> VLAN the native VLAN is an obvious fix, it strikes me as a bug that Cisco
> does not perform a sanity check on native VLAN frames to ensure that they
> in fact do not have an 802.1Q frame tag. This is what causes the issue,
> since packets on the native VLAN are not supposed to have an 802.1Q frame
> tag.
>
> On a related note, it _is_ now possible to clear VLAN 1 from a trunk. It
> disallows all non-management related traffic, i.e. anything other than
> VTP, CDP, etc. So this should in theory also "fix" the VLAN hopping issue,
> although it's probably cleaner to just assign a non-active VLAN as the
> native VLAN.
>
>
> http://www.cisco.com/warp/public/473/21.html#case
>
> The Case of VLAN 1
> VTP pruning cannot be applied to VLANs that need to exist everywhere and
> to be allowed on all switches in the campus (to be able to carry VTP, CDP
> traffic, and other control traffic). There is a way, however, to limit the
> extent of VLAN 1. This is a feature called VLAN 1 disable on trunk, and it
> is available on Catalyst 4000, 5000, and 6000 family switches since Cisco
> IOS release 5.4(x). This allows you to prune VLAN 1 from a trunk as you
> would do for any other VLAN, but this pruning will not include all of the
> control protocol traffic that will still be allowed on the trunk (DTP, PAgP,
> CDP, VTP, and so on). However, you will block all user traffic on that trunk.
> Using this feature, you can completely avoid the VLAN spanning the entire
> campus, and as such, STP loops will be limited in extent, even in VLAN 1.
> You can configure VLAN 1 to be disabled as you would configure other VLANs
> to be cleared from the trunk by issuing the following commands:
>
> Console> (enable) set trunk 2/1 des
> Port(s)  2/1 trunk mode set to desirable.
> Console> (enable) clear trunk 2/1 1
> Removing Vlan(s) 1 from allowed list.
> Port  2/1 allowed vlans modified to 2-1005.
>
>
> Regards,
> Kent
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Steven A. Ridder
> Sent: Friday, March 22, 2002 7:18 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Catalyst 6509 [7:39192]
>
>
> I'm embarrassed to say, I got it wrong; you must use any VLAN but 1 on the
> trunk port. Here's the direct quote from the link below:
>
> "... prolonged discussions took place with the switch vendor to discuss
> the implications of the results above. After consultation with their
> developers it was concluded that the traffic from VLAN 1 was allowed to hop
> to other VLANs because the trunk port was also set (implicitly) to native
> VLAN 1. They suggested that by changing the native VLAN of the trunk port
> the VLAN hopping could be eliminated. This was tested and was found to be
> true......"
>
>
> http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
>
> --
>
> RFC 1149 Compliant.
> Get in my head:
> http://sar.dynu.com
>
>
> "MADMAN" wrote in message news:[EMAIL PROTECTED]...
> > How??
> >
> > C6509> (enable) clear vlan 1
> > VLAN number must be in the range 2..1000,1025..4094.
> > C6509> (enable)
> >
> >   You can disable it on trunks however
> >
> >   dave
> >
> > "Steven A. Ridder" wrote:
> > >
> > > The big problem with VLAN 1 is that if it exists on your network a
> > > hacker can do VLAN hopping (not a good thing). Cisco recommends
> > > deleting VLAN 1 from switches.
> > >
> > > --
> > >
> > > RFC 1149 Compliant.
> > > Get in my head:
> > > http://sar.dynu.com
> > >
> > > "maverick hurley" wrote in message news:[EMAIL PROTECTED]...
> > > > absolutely it will help for security. The thing to remember is that
> > > > your ports are default for native VLAN 1. You can specify a different
> > > > VLAN number for your management like VLAN 5. But in case of trunking
> > > > mishaps/issues and VLAN pruning issues it is safer using VLAN 1.
> > --
> > David Madland
> > Sr. Network Engineer
> > CCIE# 2016
> > Qwest Communications Int. Inc.
> > [EMAIL PROTECTED]
> > 612-664-3367
> >
> > "Emotion should reflect reason not guide it"
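
The mechanism Kent and the SANS quote describe, worked through as an added
example (this is not code from the thread, from Cisco or from SANS): a small
Python model of an 802.1Q trunk that applies only the rules the thread turns
on, i.e. the allowed-VLAN list, native-VLAN untagging on egress and tag-based
classification on ingress. The frames are real 802.1Q byte layouts built with
struct; the switch behaviour is a deliberate simplification (no MAC learning,
STP or CDP/VTP control traffic), and the VLAN numbers 1, 10 and 999, the MAC
addresses and the tag_native option (standing in for the sanity check Kent asks
for, which later Cisco IOS exposes as the global "vlan dot1q tag native"
command) are assumptions for illustration only.

```python
"""Model of 802.1Q native-VLAN handling on a trunk, showing why the
double-tagging ("VLAN hopping") case depends on the attacker's VLAN being the
trunk's native VLAN.  Added example; not Cisco code, and simplified."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
TAG_LEN = 4                       # TPID(2) + TCI(2)

# Constructed sample addresses; any values would do.
ATTACKER_MAC = bytes.fromhex("020000000001")
VICTIM_MAC = bytes.fromhex("020000000010")


def build_frame(dst, src, vids, ethertype=ETH_P_IP, payload=b"\x00" * 46):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    frame = dst + src
    for vid in vids:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); PCP and DEI left at 0.
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_vids(frame):
    """Return the VIDs in the frame's tag stack, outermost first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += TAG_LEN
    return vids


def push_tag(frame, vid):
    """Insert an 802.1Q tag in front of the existing ethertype/tag stack."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def pop_tag(frame):
    """Remove the outermost 802.1Q tag."""
    assert struct.unpack_from("!H", frame, 12)[0] == ETH_P_8021Q
    return frame[:12] + frame[12 + TAG_LEN:]


class Trunk:
    """An 802.1Q trunk, assumed to be configured identically on both ends."""

    def __init__(self, native, allowed, tag_native=False):
        self.native = native
        self.allowed = set(allowed)    # VLANs whose user traffic may cross
        self.tag_native = tag_native   # send/expect native VLAN frames tagged

    def egress(self, vlan, frame):
        """Bytes the sending switch puts on the wire for a frame classified
        into `vlan`, or None if that VLAN has been cleared from the trunk."""
        if vlan not in self.allowed:
            return None
        vids = parse_vids(frame)
        if vlan == self.native and not self.tag_native:
            # Native VLAN frames go out untagged.  A frame already tagged with
            # the native VID has that tag stripped, which exposes whatever tag
            # the sender stacked underneath it (the double-tagging step).
            return pop_tag(frame) if vids and vids[0] == vlan else frame
        # Any other VLAN (and the native VLAN once tag_native is set) is sent
        # with its own VID as the outermost tag.
        return frame if vids and vids[0] == vlan else push_tag(frame, vlan)

    def ingress(self, frame):
        """VLAN the receiving switch assigns to a frame arriving on the trunk,
        or None if the frame is dropped."""
        vids = parse_vids(frame)
        if not vids:
            if self.tag_native:
                return None            # untagged frames are not expected
            vlan = self.native
        else:
            vlan = vids[0]
        return vlan if vlan in self.allowed else None


def deliver(frame, access_vlan, trunk):
    """Sender's access port (switch A) -> trunk -> switch B.

    The access port classifies the frame into `access_vlan` and is assumed to
    pass it on with its tags intact, which is what the double-tagging scenario
    relies on.  Returns the VLAN switch B delivers into, or None if dropped."""
    wire = trunk.egress(access_vlan, frame)
    return None if wire is None else trunk.ingress(wire)


# Attacker on a VLAN 1 access port: outer tag 1, inner tag 10 (target VLAN).
DOUBLE_TAGGED = build_frame(VICTIM_MAC, ATTACKER_MAC, [1, 10])
# Ordinary untagged frame from a host, for comparison.
UNTAGGED = build_frame(VICTIM_MAC, ATTACKER_MAC, [])
ALL_VLANS = range(1, 1006)


def scenarios():
    """Where the same frames end up under each trunk configuration."""
    return {
        "attacker, native 1": deliver(DOUBLE_TAGGED, 1, Trunk(1, ALL_VLANS)),
        "attacker, native 999 unused": deliver(DOUBLE_TAGGED, 1, Trunk(999, ALL_VLANS)),
        "attacker, VLAN 1 cleared": deliver(DOUBLE_TAGGED, 1, Trunk(1, set(ALL_VLANS) - {1})),
        "attacker, native tagged": deliver(DOUBLE_TAGGED, 1, Trunk(1, ALL_VLANS, tag_native=True)),
        "host in VLAN 10, native 999": deliver(UNTAGGED, 10, Trunk(999, ALL_VLANS)),
    }


if __name__ == "__main__":
    for name, vlan in scenarios().items():
        print(f"{name:30s} -> {'dropped' if vlan is None else f'VLAN {vlan}'}")
```

Running it shows the same double-tagged frame landing in VLAN 10 when the
attacker's access VLAN is also the trunk's native VLAN, staying in VLAN 1 once
the native VLAN is moved to an unused number or native frames are tagged, and
being dropped once VLAN 1 is cleared from the trunk, while an ordinary host
frame is still delivered normally. Because control traffic is not modelled,
the clear-VLAN-1 case drops everything that arrives in VLAN 1; on a real
switch CDP, VTP and the like still cross, as the Cisco text above says. The
model also makes the attack's precondition explicit: the access port has to
hand a frame tagged with its own VLAN through to the trunk logic instead of
dropping it.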




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39290&t=39192
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]