I think what the OP's managers were suggesting is that it's not all that
difficult to overflow the switch forwarding table, and cause packets to
appear on a vlan where they shouldn't be. The approach has been around for
a while, and the higher quality switches now handle the table overflow
issue in a much more secure way. No compromised layer-3 needed at all,
and it doesn't make any difference if the vlans are defined on a
per-port or other basis.

The lower-end workgroup switches are more likely to be issues in
current products as opposed to the higher-end switches. But, one only
needs to find "a" switch within the layer-2 trunked network.
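
As an added illustration of the table-overflow technique the post above refers to (this is example code written for this page, not anything from the thread or from any switch vendor), here is a small model of a switch forwarding table under a MAC-flooding attack, run twice: once with a plain table that evicts old entries when full, and once with a per-port address limit of the kind the post calls the "more secure" handling. The switch model, the 1024-entry table size, the port numbers, the VLAN layout and the MAC addresses are all constructed for the example. The model scopes unknown-unicast flooding to the VLAN the frame arrived on; it does not try to reproduce any particular switch's behaviour at the VLAN boundary.

```python
"""Model of a switch forwarding (CAM) table under a MAC-flooding attack.

Added example for this page; not code from the thread. Every table size,
port number, VLAN id and MAC address below is a constructed assumption.
"""
from collections import OrderedDict
import random


class Switch:
    def __init__(self, table_size, ports_by_vlan, max_macs_per_port=None):
        self.table_size = table_size
        self.ports_by_vlan = ports_by_vlan          # {vlan: [port, ...]}
        self.max_macs_per_port = max_macs_per_port  # None = no port limit
        self.table = OrderedDict()                   # (vlan, mac) -> port
        self.macs_per_port = {}                      # port -> set of source MACs seen
        self.disabled_ports = set()

    def learn(self, vlan, src_mac, port):
        """Record src_mac on port. Returns False if the frame is dropped."""
        if port in self.disabled_ports:
            return False
        seen = self.macs_per_port.setdefault(port, set())
        if (self.max_macs_per_port is not None and src_mac not in seen
                and len(seen) >= self.max_macs_per_port):
            # Port-security style violation: too many sources on one port,
            # so the port is disabled rather than polluting the table.
            self.disabled_ports.add(port)
            return False
        seen.add(src_mac)
        key = (vlan, src_mac)
        if key in self.table:
            self.table.move_to_end(key)
        else:
            if len(self.table) >= self.table_size:
                # Modelled as "evict the oldest entry". Real switches differ
                # (some refuse new entries instead); either way a legitimate
                # host whose entry is gone becomes an unknown destination.
                self.table.popitem(last=False)
            self.table[key] = port
        return True

    def forward(self, vlan, src_mac, dst_mac, in_port):
        """Return the list of egress ports for one frame."""
        if not self.learn(vlan, src_mac, in_port):
            return []
        out = self.table.get((vlan, dst_mac))
        if out is not None:
            return [out]
        # Unknown unicast: flood to every other port in the same VLAN.
        return [p for p in self.ports_by_vlan[vlan]
                if p != in_port and p not in self.disabled_ports]


def run_flood_scenario(max_macs_per_port=None, n_bogus=5000, seed=1):
    """Phone (port 1) and server (port 2) talk on VLAN 10; attacker is on port 3."""
    rng = random.Random(seed)
    sw = Switch(table_size=1024,
                ports_by_vlan={10: [1, 2, 3], 20: [4, 5]},
                max_macs_per_port=max_macs_per_port)
    phone, server = "00:11:22:00:00:01", "00:11:22:00:00:02"

    sw.forward(10, phone, server, 1)            # phone's first frame is flooded
    before = sw.forward(10, server, phone, 2)   # reply goes only to port 1

    # Attacker floods frames with random source addresses from port 3.
    for _ in range(n_bogus):
        bogus = "02:%02x:%02x:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(5))
        sw.forward(10, bogus, "02:00:00:00:00:00", 3)

    after = sw.forward(10, server, phone, 2)    # where does the reply go now?
    return {
        "before": before,
        "after": after,
        "attacker_port_disabled": 3 in sw.disabled_ports,
        "table_entries": len(sw.table),
    }


if __name__ == "__main__":
    print("no port limit:", run_flood_scenario())
    print("2 MACs/port  :", run_flood_scenario(max_macs_per_port=2))
```

In the first run the server's reply to the phone, which was switched only to port 1 before the attack, is flooded to ports 1 and 3 after it, so the attacker's port receives it without any layer-3 involvement. In the second run the attacker's port is disabled on the third bogus source address, the table never fills, and the reply still goes only to port 1.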


I'm not a VLAN expert either, but there's one switch that ties the private vlans into the public vlan, so all you have to do is add a route from your box to the vlan over that switch, effectively hopping you onto the vlan. Not really sure of the details on it, but that's basically the gist of what I understand of it (I'm just the voip guy, not the network expert ;). So we've effectively got the phones and servers isolated into their own vlan.

Aaron

Patrick wrote:
On Mon, 2005-12-12 at 16:20 -0600, Aaron Daniel wrote:
We do currently have the Ciscos on their own vlan along with the servers, but I'm told vlan hopping is trivial so that's not considered secure... considering all you have to do is change a route on a box to get to the vlan.

Far from being the VLAN expert here but isn't it possible to tie a VLAN
to physical ports on the switch too? In that case how would adding a
route allow you to hop over to the phone's VLAN (realizing this point is
moot if the PC & phone share a single network cable instead of each
their own)?

_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

Asterisk-Users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users
