Ciaron Gogarty wrote:

> > It was only particular to Dot1q trunks as well... as far as I can remember
> > it wasn't an issue on ISL trunked ports.

The testing that revealed the problem was done on Dot1q VLANs. It's possible it
could have been a problem on ISL too and that just wasn't tested. It's probably
not a problem anymore, either way.

Priscilla

> > Is that correct??
> >
> > rgds,
> >
> > Ciaron
> ----- Original Message -----
> From: "Priscilla Oppenheimer"
> To:
> Sent: Thursday, August 01, 2002 11:34 PM
> Subject: Re: RE: Cat2950 VLAN 1 ip address...can't connect [7:50331]
>
>
> > [EMAIL PROTECTED] wrote:
> >
> > > At Cisco Networkers I went to the layer 2 security breakout
> > > session and they talked about this. 1st they said the article
> > > is outdated. When the article was written Cisco already had a
> > > fix for this.
> >
> > That was what I figured, Mr. Bond. (nice address! ;-)
> >
> > A fix would be pretty easy. The vulnerability required a host on an access
> > port to send a frame with a VLAN tag already in it. That could easily be
> > disallowed. (The switch itself should add any tags when sending across a
> > trunk link. Or, a server on a trunk link could include a tag, but a host on
> > an ordinary access port shouldn't include a tag in its frame.)
> >
> > I don't know if this is what the original poster had in mind, but I bet it
> > is. The story got blown out of proportion and will probably never die.
> >
> > Priscilla
> >
> > > 2nd they said with the current switch IOS and
> > > additional features they could not hop any VLANs. They tried
> > > everything and were not successful. The whole purpose of the
> > > breakout was to defuse the myths out there about how insecure
> > > VLANs are. With all that said, they did say they do not
> > > recommend using one switch with VLANs for web, DMZ, and
> > > internal traffic.
> > > >
> > > > From: "Priscilla Oppenheimer"
> > > > Date: 2002/08/01 Thu PM 03:40:39 EDT
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: Cat2950 VLAN 1 ip address...can't connect [7:50331]
> > > >
> > > > Turpin, Mark wrote:
> > > >
> > > > > I'm referring to trunks, sorry.
> > > >
> > > > There were some vulnerabilities related to this, but actually the fix was to
> > > > make sure the native VLAN wasn't trunked, if I understand it correctly....
> > > > Although the vulnerabilities caused a big stir, they were hard to exploit.
> > > > They required physical access to the switch, a Sniffer, and traffic
> > > > generation capabilities. Also, Cisco may have made some changes to avoid the
> > > > problem after it got reported. But here's the info from SANS:
> > > >
> > > > http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
> > > >
> > > > Priscilla
> > > >
> > > > > -----Original Message-----
> > > > > From: MADMAN [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Thursday, August 01, 2002 12:14 PM
> > > > > To: Turpin, Mark
> > > > > Cc: [EMAIL PROTECTED]
> > > > > Subject: Re: Cat2950 VLAN 1 ip address...can't connect [7:50331]
> > > > >
> > > > >
> > > > > Not sure what you mean. You're not changing the default VLAN; VLAN 1
> > > > > will remain, can't delete it (not talking about trunks). I know of no
> > > > > problems arising when using a VLAN other than 1 for inband connectivity.
> > > > >
> > > > > Dave
> > > > >
> > > > > "The information transmitted is intended only for the person or entity to
> > > > > which it is addressed and may contain confidential and/or privileged
> > > > > material. Any review, retransmission, dissemination or other use of, or
> > > > > taking of any action in reliance upon, this information by persons or
> > > > > entities other than the intended recipient is prohibited. If you received
> > > > > this in error, please contact the sender and delete the material from all
> > > > > computers."

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=50486&t=50331
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
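The mechanism the thread circles around (a host on an access port sends a frame that already carries an 802.1Q tag; the trunk carries its native VLAN untagged, so the host's own tag survives onto the trunk and the next switch delivers the frame into whatever VLAN that tag names) is easier to see in a small model than in prose. The following Python is an added example, not code or test results from this thread, from Cisco or from the SANS page it links. The switch behaviour it encodes is an assumption of the model: a trunk sends the native VLAN untagged and honours the outer tag on receipt, and an unfixed access port strips a tag naming its own VLAN and forwards the rest of the frame unchanged. The MAC addresses and payload are constructed. The two fixes the thread mentions are modelled as `reject_tagged` (drop any tagged frame arriving on an access port) and as a trunk whose native VLAN is not one any access port sits in.

```python
"""Model of the 802.1Q double-tagging VLAN hop discussed in the thread.

Constructed example. Frames are raw bytes built inline; the switch logic is
a minimal model, not a reproduction of any particular switch's code.
"""
import struct

ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vlan_tags, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    frame = bytes(dst) + bytes(src)
    for vid in vlan_tags:
        # TPID 0x8100, then TCI = PCP(3) | DEI(1) | VID(12); PCP/DEI left at zero
        frame += struct.pack("!HH", ETHERTYPE_DOT1Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vid, ...], ethertype, payload); walks every stacked tag."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_DOT1Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def access_ingress(frame, port_vlan, reject_tagged):
    """Classify a frame received on an access port; None means dropped.

    Assumed legacy behaviour: a tag naming the port's own VLAN is stripped and
    the remainder of the frame (including any inner tag) is accepted as-is.
    With reject_tagged=True, the fix the thread describes, any tagged frame
    from an access port is dropped: only the switch may tag frames.
    """
    dst, src, vids, ethertype, payload = parse_frame(frame)
    if not vids:
        return port_vlan, frame
    if reject_tagged or vids[0] != port_vlan:
        return None
    return port_vlan, build_frame(dst, src, vids[1:], payload, ethertype)


def trunk_egress(vlan, frame, native_vlan):
    """Send over an 802.1Q trunk: native VLAN goes untagged, every other VLAN gets a tag."""
    if vlan == native_vlan:
        return frame  # nothing added, so a tag the host supplied is still there
    dst, src, vids, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, [vlan] + vids, payload, ethertype)


def trunk_ingress(frame, native_vlan):
    """Receive on a trunk: VLAN is the outer tag's VID (tag removed), else the native VLAN."""
    dst, src, vids, ethertype, payload = parse_frame(frame)
    if not vids:
        return native_vlan, frame
    return vids[0], build_frame(dst, src, vids[1:], payload, ethertype)


def hop_result(host_tags, access_vlan, native_vlan, reject_tagged=False):
    """Host on an access port of switch A -> trunk -> switch B.

    Returns the VLAN the frame is delivered into on switch B, or None if it
    was dropped on the way.
    """
    frame = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55",
                        host_tags, b"constructed payload")
    accepted = access_ingress(frame, access_vlan, reject_tagged)
    if accepted is None:
        return None
    vlan_a, frame = accepted
    on_wire = trunk_egress(vlan_a, frame, native_vlan)
    vlan_b, _ = trunk_ingress(on_wire, native_vlan)
    return vlan_b


if __name__ == "__main__":
    # Unfixed switch, host in the trunk's native VLAN: inner tag 20 reaches VLAN 20.
    print("unfixed, native=1:", hop_result([1, 20], access_vlan=1, native_vlan=1))
    # Fix 1: access ports refuse tagged frames.
    print("reject tagged:", hop_result([1, 20], 1, 1, reject_tagged=True))
    # Fix 2: no access port sits in the trunk's native VLAN, so the trunk tags the
    # frame itself and switch B delivers it back into VLAN 1, inner tag and all.
    print("native VLAN unused by hosts:", hop_result([1, 20], 1, native_vlan=99))
```

The interesting line is `trunk_egress`: when the host's access VLAN is also the trunk's native VLAN the switch adds nothing, so a tag the host supplied goes out on the wire as though the switch had written it. Either fix removes that condition, which is why the thread's two remedies (refuse tagged frames on access ports; keep the native VLAN off the trunk, or at least out of reach of hosts) are equivalent in effect.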