Patrick wrote:
On Mon, 2005-12-12 at 16:20 -0600, Aaron Daniel wrote:
We do currently have the cisco's on their own vlan along with the
servers, but I'm told vlan hopping is trivial so that's not considered
secure... considering all you have to do is change a route on a box to
get to the vlan.
Far from being the VLAN expert here but isn't it possible to tie a VLAN
to physical ports on the switch too? In that case how would adding a
route allow you to hop over to the phone's VLAN (realizing this point is
moot if the PC & phone share a single network cable instead of each
their own)?
Regards,
Patrick
Patrick,
VLANS (IEEE 802.1q) operate at layer two of the OSI model. I don't see
how adding a route (layer three) in Linux can hop VLANS (unless you had
an unsecured router connected to both).
It depends on how the VLANs are implemented. With most decent
switches, you can allow tagging of a particular VLAN and specify a
"default" VLAN on a per port, per VLAN basis. This combined with 802.1x
and other security measures actually makes for some decent security at
such a low level.
In a typical network deployment with VoIP, you might specify your
switch ports to allow native "untagged" VLAN traffic, and assign it to
VLAN 100 (or whatever). You would then create a new VLAN (110 or
something) for VoIP traffic. You would then configure the switch to
allow tagged traffic for vlan 110 while making untagged traffic part of
vlan 100 - the default.
You would then configure one port to use 110 as the default - and
connect your Asterisk system to it. It would magically end up on the
same network as your phones.
The problem with this is, someone could connect a Linux box, load
8021q.ko and use vconfig to get that machine on the VoIP VLAN. However,
if people can just bring in random machines and connect them to your
network, it isn't very secure anyways :).
--
Kristian Kielhofner
_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --
Asterisk-Users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
