Home page logo

nanog logo nanog mailing list archives

Re: maximum active vlans in a crisco 6509
From: Bennett Todd <bet () rahul net>
Date: Wed, 21 Jun 2000 00:34:39 -0400

2000-06-20-23:56:07 Bora Akyol:
If you put all of the users on seperate switch ports, then would
they be able to snoop each other's traffic? At least the switches
that I have seen prevent this behavior unless you put a particular
switch port in "monitor" mode.

Sorry, I did a dumb thing here, I basically carried over a whole
debate context from other lists and assumed it here. I should have
least referenced the other discussions. It's been discussed at great
length on firewall-wizards () nfr com and firewalls () lists gnac net 

The short version is, the core switch behavior you're talking about
was never designed as a security barrier, or an IP level traffic
visibility control tool; it was just designed to shrink the scope of
traffic visibility for performance reasons. Any number of hacks,
like CAM table flooding, can coerce a normal switch to leak
somethign fierce.

Furthermore, and badly mangling the intent of my example,
VLANs weren't originally designed as security barriers, they
were just intended to help provide control over the scope of
broadcast domains, to help people better provision the use of the
excruciatingly expensive switch ports, when switches were young,
their ports were dear, and they came in just a few sizes.

But where the focus of core switch behavior is purely at the MAC
level, VLANs at least are defined in terms of specific physical
ports, leaving room to hope that barring security bugs in the OSes
on the host processors of the switches, VLANs may be a bit more
effective as security barriers.

As long as all rooms in this hotel are on seperate switch ports,
you would basically be OK even without using VLANs.

Depends on the level of protection and control you want to offer.
Barring bugs in the switch OS, VLANs _should_ allow you to very
positively associate traffic with specific ports, if you give each
one a separate VLAN; this you cannot reasonably do with simple
switches given a dynamic user community. Simple switches leave you
far weaker guarantees about inter-user protections as well, but what
I was trying to hint at with the thought about doing traffic shaping
with the upstream router was the idea of keeping accountability
right from the individual switch port all the way to the router.

Probably too flawed an example to be any good, sorry for the
digression here.


Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]