[EMAIL PROTECTED] wrote:
> 
> At Cisco Networkers I went to the layer 2 security breakout
> session and they talked about this. First, they said the article
> is outdated. When the article was written Cisco already had a
> fix for this.

That was what I figured, Mr. Bond. (nice address! ;-)

A fix would be pretty easy. The vulnerability required a host on an access
port to send a frame with a VLAN tag already in it. That could easily be
disallowed. (The switch itself should add any tags when sending across a
trunk link. Or, a server on a trunk link could include a tag, but a host on
an ordinary access port shouldn't include a tag in its frame.)

I don't know if this is what the original poster had in mind, but I bet it
is. The story got blown out of proportion and will probably never die.

Priscilla

> Second, they said with the current switch IOS and
> additional features they could not hop any VLANs. They tried
> everything and were not successful. The whole purpose of the
> breakout was to defuse the myths out there about how insecure
> VLANs are. With all that said, they did say they do not
> recommend using one switch with VLANs for web, DMZ, and
> internal traffic.
> > 
> > From: "Priscilla Oppenheimer" 
> > Date: 2002/08/01 Thu PM 03:40:39 EDT
> > To: [EMAIL PROTECTED]
> > Subject: RE: Cat2950 VLAN 1 ip address...can't connect [7:50331]
> > 
> > Turpin, Mark wrote:
> > > 
> > > I'm referring to trunks, sorry.
> > 
> > There were some vulnerabilities related to this, but actually the fix was to
> > make sure the native VLAN wasn't trunked, if I understand it correctly....
> > Although the vulnerabilities caused a big stir, they were hard to exploit.
> > They required physical access to the switch, a Sniffer, and traffic
> > generation capabilities. Also, Cisco may have made some changes to avoid the
> > problem after it got reported. But here's the info from SANS:
> > 
> > http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
> > 
> > Priscilla
> > 
> > 
> > > 
> > > -----Original Message-----
> > > From: MADMAN [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, August 01, 2002 12:14 PM
> > > To: Turpin, Mark
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: Cat2950 VLAN 1 ip address...can't connect [7:50331]
> > > 
> > > 
> > > 
> > >   Not sure what you mean.  You're not changing the default VLAN,
> > > VLAN 1 will remain, can't delete it, (not talking about trunks).  I
> > > know of no problems arising when using a VLAN other than 1 for inband
> > > connectivity.
> > > 
> > >   Dave
> > > 
> 
> 
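The check Priscilla describes above (a host on an ordinary access port should never be sending a frame that already carries a VLAN tag, so the switch can simply refuse such frames) can be expressed as a small ingress filter. The following is an added example, not code from the thread or from Cisco; it parses the Ethernet header of a frame, lists every 802.1Q tag it carries, and decides whether an access port should accept it. The sample frames, MAC addresses, and the `port_vlan`/`trunk_native_vlan` parameters are constructed for illustration. The same parser also flags the double-tagged pattern the SANS article discusses, where an outer tag matching the trunk's native VLAN is stripped and the inner tag then steers the frame into another VLAN.

```python
"""Access-port ingress check for 802.1Q-tagged frames.

Added example (not from the mailing-list thread). A frame arriving on an
access port is expected to be untagged; the switch adds any tag itself when
it forwards the frame across a trunk. Any 802.1Q tag present on ingress is
therefore grounds to drop the frame, and two stacked tags are the classic
VLAN-hopping shape worth logging separately.
"""

import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # provider (QinQ) outer tag, treated the same way here


def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype) for an Ethernet frame.

    tags is a list of (tpid, pcp, dei, vid) tuples in outer-to-inner order;
    ethertype is the first non-VLAN EtherType found after the tag stack.
    """
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: no EtherType after tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        tags.append((ethertype, pcp, dei, vid))
        offset += 4


def access_port_verdict(frame: bytes, port_vlan: int, trunk_native_vlan: int = 1):
    """Decide what an access port should do with an ingress frame.

    Returns (verdict, reason). Untagged frames are accepted and belong to
    the port's configured VLAN; anything tagged is dropped, and a two-tag
    stack whose outer tag equals the trunk native VLAN is called out, since
    that is the shape that lets a frame cross into another VLAN.
    """
    tags, _ = parse_vlan_tags(frame)
    if not tags:
        return "accept", f"untagged frame placed in VLAN {port_vlan}"
    vids = [t[3] for t in tags]
    if len(tags) >= 2:
        note = ""
        if vids[0] == trunk_native_vlan:
            note = f"; outer tag matches trunk native VLAN {trunk_native_vlan}"
        return "drop", (f"double-tagged frame on access port "
                        f"(outer {vids[0]}, inner {vids[1]}{note})")
    return "drop", f"tagged frame on access port (VLAN {vids[0]})"


def audit(frames: dict, port_vlan: int, trunk_native_vlan: int = 1) -> dict:
    """Apply the verdict to a batch of named frames; returns {name: verdict}."""
    return {name: access_port_verdict(f, port_vlan, trunk_native_vlan)[0]
            for name, f in frames.items()}


# Constructed sample frames (broadcast dst, a made-up src MAC, IPv4 payload).
_DST_SRC = bytes.fromhex("ffffffffffff" "001122334455")
_PAYLOAD = struct.pack("!H", 0x0800) + b"\x00" * 46
SAMPLE_FRAMES = {
    "untagged": _DST_SRC + _PAYLOAD,
    # one 802.1Q tag, VID 10
    "single_tag": _DST_SRC + bytes.fromhex("8100000a") + _PAYLOAD,
    # two stacked tags: outer VID 1 (native), inner VID 20
    "double_tag": _DST_SRC + bytes.fromhex("81000001" "81000014") + _PAYLOAD,
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        verdict, reason = access_port_verdict(frame, port_vlan=10)
        print(f"{name:11s} {verdict:6s} {reason}")
```

Run it as a script to see the three verdicts. The parser stops at the first EtherType that is not a tag, so a frame with three or more stacked tags is still reported with all of them, and a truncated tag raises instead of silently passing.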
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50478&t=50331
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]