It was only particular to Dot1q trunks as well... as far as I can remember
it wasn't an issue on ISL trunked ports.

Is that correct?

rgds,

Ciaron
----- Original Message -----
From: "Priscilla Oppenheimer" 
To: 
Sent: Thursday, August 01, 2002 11:34 PM
Subject: Re: RE: Cat2950 VLAN 1 ip address...can't connect [7:50331]


> [EMAIL PROTECTED] wrote:
> >
> > At Cisco Networkers I went to the layer 2 security breakout
> > session and they talked about this. First they said the article
> > is outdated. When the article was written Cisco already had a
> > fix for this.
>
> That was what I figured, Mr. Bond. (nice address! ;-)
>
> A fix would be pretty easy. The vulnerability required a host on an access
> port to send a frame with a VLAN tag already in it. That could easily be
> disallowed. (The switch itself should add any tags when sending across a
> trunk link. Or, a server on a trunk link could include a tag, but a host on
> an ordinary access port shouldn't include a tag in its frame.)
>
> I don't know if this is what the original poster had in mind, but I bet it
> is. The story got blown out of proportion and will probably never die.
>
> Priscilla
>
> > Second, they said with the current switch IOS and
> > additional features they could not hop any VLANs. They tried
> > everything and were not successful. The whole purpose of the
> > breakout was to defuse the myths out there about how insecure
> > VLANs are. With all that said, they did say they do not
> > recommend using one switch with VLANs for web, DMZ, and
> > internal traffic.
> > >
> > > From: "Priscilla Oppenheimer"
> > > Date: 2002/08/01 Thu PM 03:40:39 EDT
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Cat2950 VLAN 1 ip address...can't connect [7:50331]
> > >
> > > Turpin, Mark wrote:
> > > >
> > > > I'm referring to trunks, sorry.
> > >
> > > There were some vulnerabilities related to this, but actually
> > > the fix was to make sure the native VLAN wasn't trunked, if I
> > > understand it correctly....
> > > Although the vulnerabilities caused a big stir, they were
> > > hard to exploit. They required physical access to the switch,
> > > a Sniffer, and traffic generation capabilities. Also, Cisco may
> > > have made some changes to avoid the problem after it got
> > > reported. But here's the info from SANS:
> > >
> > > http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
> > >
> > > Priscilla
> > >
> > >
> > > >
> > > > -----Original Message-----
> > > > From: MADMAN [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, August 01, 2002 12:14 PM
> > > > To: Turpin, Mark
> > > > Cc: [EMAIL PROTECTED]
> > > > Subject: Re: Cat2950 VLAN 1 ip address...can't connect [7:50331]
> > > >
> > > >
> > > >
> > > >   Not sure what you mean.  You're not changing the default
> > > > VLAN, VLAN 1 will remain, can't delete it (not talking about
> > > > trunks).  I know of no problems arising when using a VLAN
> > > > other than 1 for inband connectivity.
> > > >
> > > >   Dave
> > > >
> > > >
> > > >  "The information transmitted is intended only for the person
> > > > or entity to which it is addressed and may contain confidential
> > > > and/or privileged material. Any review, retransmission,
> > > > dissemination or other use of, or taking of any action in
> > > > reliance upon, this information by persons or entities other
> > > > than the intended recipient is prohibited. If you received this
> > > > in error, please contact the sender and delete the material
> > > > from all computers."

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50480&t=50331
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
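The thread never spells out the mechanics of the 802.1Q "double tagging" hop or of the two fixes it mentions (refuse tagged frames on access ports; keep the native VLAN off the access ports, or tag it on the trunk). The following is an added example, not part of any post in this thread and not Cisco's code: a small byte-level model of two switches joined by a dot1q trunk. The switch behaviour, the frame contents and every function name are assumptions made for illustration; the model covers 802.1Q only and says nothing about ISL.

```python
"""Model of 802.1Q double-tagging (VLAN hopping) and its mitigations.

Added example for this page; not Cisco's implementation. The two-switch
behaviour below is a simplified assumption, as are all names and the
constructed frames used in main().
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100          # 802.1Q Tag Protocol Identifier
ETH_HDR = 12                 # dst(6) + src(6); tags are inserted after this


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, vlans, ethertype, payload):
    """Raw Ethernet frame with zero or more stacked 802.1Q tags.
    vlans[0] is the outermost tag (the one a switch sees first)."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return the list of VIDs in the tag stack, outermost first."""
    vids, off = [], ETH_HDR
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def strip_outer_tag(frame):
    return frame[:ETH_HDR] + frame[ETH_HDR + 4:]


def add_outer_tag(frame, vid):
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame[:ETH_HDR] + tag + frame[ETH_HDR:]


@dataclass
class Trunk:
    native_vlan: int
    tag_native: bool = False   # modelled equivalent of tagging the native VLAN


def access_ingress(frame, access_vlan, drop_tagged):
    """Switch 1 receives on an access port. Returns (vlan, frame) or None.
    drop_tagged=True is the 'access ports never accept a tag' fix; the
    other branch is the assumed legacy behaviour the attack relies on."""
    vids = parse_tags(frame)
    if vids:
        if drop_tagged or vids[0] != access_vlan:
            return None
        frame = strip_outer_tag(frame)      # tag matched the port VLAN
    return access_vlan, frame


def trunk_egress(vlan, frame, trunk):
    """Switch 1 forwards onto the trunk: native VLAN goes out untagged
    unless the trunk tags its native VLAN."""
    if vlan == trunk.native_vlan and not trunk.tag_native:
        return frame
    return add_outer_tag(frame, vlan)


def trunk_ingress(frame, trunk):
    """Switch 2 classifies a frame arriving on the trunk."""
    vids = parse_tags(frame)
    return vids[0] if vids else trunk.native_vlan


def hop(frame, access_vlan, trunk, drop_tagged_on_access):
    """VLAN the frame lands in on switch 2, or None if dropped."""
    result = access_ingress(frame, access_vlan, drop_tagged_on_access)
    if result is None:
        return None
    vlan, fwd = result
    return trunk_ingress(trunk_egress(vlan, fwd, trunk), trunk)


# Constructed attacker frame: outer tag 1 (the access/native VLAN), inner tag 10.
ATTACK = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 10], 0x0800, b"x")
NORMAL = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [], 0x0800, b"x")


def main():
    print("vulnerable (native=1, tags accepted): ",
          hop(ATTACK, 1, Trunk(native_vlan=1), False))          # 10
    print("access port drops tagged frames:      ",
          hop(ATTACK, 1, Trunk(native_vlan=1), True))           # None
    print("native VLAN moved off access ports:   ",
          hop(ATTACK, 1, Trunk(native_vlan=999), False))        # 1
    print("native VLAN tagged on the trunk:      ",
          hop(ATTACK, 1, Trunk(native_vlan=1, tag_native=True), False))  # 1


if __name__ == "__main__":
    main()
```

The vulnerable row shows the point Priscilla makes: switch 1 strips the outer tag (it matches the port's VLAN, which is also the trunk's native VLAN), sends the frame untagged across the trunk, and switch 2 reads the surviving inner tag and delivers into VLAN 10. Either fix breaks that chain: refusing any tagged frame on an access port drops it outright, and moving or tagging the native VLAN means the outer tag is still present when switch 2 classifies the frame.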
