On Fri, Apr 19, 2002 at 10:03:34PM +0930, Brett Lymn wrote:

> a) VLANs are implemented by putting data into an otherwise unused part
>    of the IP header. Anyone can easily craft a packet with the right
>    data in the right place given the right tools and access.

VLANs on a normal VLAN port receive "normal" Ethernet/IP frames. There is no special marker or byte involved. The switch decides, based on the physical port, to which VLAN a frame belongs. The only situation where there is in-band signalling of which VLAN an Ethernet frame belongs to is on the trunk port. In that case it is an additional ID in front of the normal Ethernet header (that's why VLAN packets can be 1504 bytes in size). If you are not connected to a trunk port, you can't 'spoof' a VLAN ID; it is simply ignored. (Of course, this is only true if the switch is implemented sanely.)

> b) A switch which receives a packet with VLAN information on it on a
>    non-trunk port should treat the packet as bad (well IMHO) and
>    either drop the packet or scrub the invalid information. The
>    reality is that the behaviour will be "implementation defined"

Actually there were bugs in implementations; I do not know of any switches which are still broken in the way you describe.

Greetings
Bernd

_______________________________________________
Firewalls mailing list
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls

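The point Bernd makes above, that VLAN membership on an access port comes from the physical port and an 802.1Q tag is only meaningful on a trunk, can be shown with a small frame parser and a switch ingress policy. The following is an added example written for this page; it is not code from the mailing list thread or from any switch vendor. It parses the 4-byte 802.1Q tag (TPID 0x8100 followed by the TCI, which is why a tagged frame carries 1504 bytes of header-plus-payload instead of 1500) and applies the two sane behaviours the thread mentions for a tag arriving on a non-trunk port: drop the frame (the default here) or strip the tag and treat the frame as untagged. The port names, MAC addresses and frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]    # None when no 802.1Q tag is present
    priority: Optional[int]   # 3-bit PCP from the TCI, None if untagged
    ethertype: int            # EtherType of the encapsulated payload
    payload: bytes


def parse_ethernet(frame: bytes) -> ParsedFrame:
    """Parse an Ethernet II frame, recognising a single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id = priority = None
    offset = 14
    if ethertype == TPID_8021Q:
        # Tag sits between the source MAC and the real EtherType:
        # TPID (2 bytes) + TCI (PCP:3, DEI:1, VID:12) + inner EtherType.
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13
        vlan_id = tci & 0x0FFF
        offset = 18
    return ParsedFrame(dst, src, vlan_id, priority, ethertype, frame[offset:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0) -> bytes:
    """Build an Ethernet II frame, optionally inserting an 802.1Q tag."""
    hdr = dst + src
    if vlan_id is not None:
        tci = (priority << 13) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


@dataclass
class Port:
    name: str
    trunk: bool
    access_vlan: int = 1                      # VLAN for untagged traffic
    allowed_vlans: frozenset = frozenset()    # only consulted on trunks


def classify(port: Port, frame: bytes, on_tagged: str = "drop") -> Optional[int]:
    """Return the VLAN the switch assigns to the frame, or None to drop it.

    on_tagged selects what an access port does with a tagged frame:
    "drop" discards it, "strip" ignores the tag and uses the port's VLAN.
    """
    pf = parse_ethernet(frame)
    if not port.trunk:
        # Access port: membership is decided by the physical port alone.
        if pf.vlan_id is None:
            return port.access_vlan
        return port.access_vlan if on_tagged == "strip" else None
    # Trunk port: the tag is the in-band signal, but only for permitted VLANs.
    if pf.vlan_id is None or pf.vlan_id == 0:
        return port.access_vlan   # untagged / priority-tagged -> native VLAN
    return pf.vlan_id if pf.vlan_id in port.allowed_vlans else None


# Constructed sample data (not captured traffic).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
PAYLOAD = b"\x45" + b"\x00" * 19          # stands in for an IPv4 header
UNTAGGED = build_frame(MAC_B, MAC_A, 0x0800, PAYLOAD)
TAGGED_20 = build_frame(MAC_B, MAC_A, 0x0800, PAYLOAD, vlan_id=20, priority=5)
TAGGED_30 = build_frame(MAC_B, MAC_A, 0x0800, PAYLOAD, vlan_id=30)
ACCESS = Port("gi0/1", trunk=False, access_vlan=10)        # hypothetical port
TRUNK = Port("gi0/24", trunk=True, access_vlan=1,          # hypothetical port
             allowed_vlans=frozenset({10, 20}))

if __name__ == "__main__":
    for label, port, frame in [("access/untagged", ACCESS, UNTAGGED),
                               ("access/tagged20", ACCESS, TAGGED_20),
                               ("trunk/untagged", TRUNK, UNTAGGED),
                               ("trunk/tagged20", TRUNK, TAGGED_20),
                               ("trunk/tagged30", TRUNK, TAGGED_30)]:
        print(f"{label:16} -> VLAN {classify(port, frame)}")
```

Run as a script the block prints the VLAN assigned for each port/frame pair: the tagged frame on the access port is dropped regardless of the VID it carries, while on the trunk only a VID on the allowed list is honoured. The 4-byte difference between `UNTAGGED` and `TAGGED_20` is the extra header the thread refers to.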