If a switch is leaking broadcast traffic across all VLANs, the issue isn't with VLAN technology, it's with a (very) stupid implementation.
On Mon, Jun 28, 2010 at 3:36 PM, Phil Pennock <[email protected]> wrote:
> On 2010-06-28 at 12:26 -0700, Brent Chapman wrote:
>> Everybody says "but what if the switch somehow leaks packets from one VLAN
>> to another?" Well, what if the switch ACLs didn't work, and passed traffic
>> that it shouldn't? Those would both be major security bugs, drawing a quick
>> response from the vendors in question.
>
> You might think that. For us, at $former_employer, it just led us to
> stop buying Alcatel switches when we couldn't get them to see the
> problem with having broadcast traffic leak across all VLANs.
>
> In this day and age, I'm inclined to agree that switches should do as
> you say, but I'd still want to stress-test before trusting their VLAN
> logic to be an unreinforced part of a security periphery.
>
> -Phil
> _______________________________________________
> Tech mailing list
> [email protected]
> http://lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

--
LITTLE GIRL: But which cookie will you eat FIRST?
COOKIE MONSTER: Me think you have misconception of cookie-eating process.
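The stress-test Phil describes (checking that a switch does not leak broadcast traffic across VLANs before trusting it as a security boundary) comes down to sniffing a port and flagging frames tagged with a VLAN that port should never see. The following is an added example, not code from the thread: it parses 802.1Q headers from raw Ethernet frames and reports leaks, assuming the sniffing host sits on a trunk that should carry only VLANs 10 and 20; the sample frames are constructed inline.

```python
import struct

BROADCAST = b"\xff" * 6
# Assumption (constructed for the example): the monitored trunk is configured
# to carry only VLANs 10 and 20, so any other tag is a leak.
ALLOWED_VLANS = {10, 20}

def build_frame(dst, src, vid, etype=0x0806, payload=b"\x00" * 28):
    """Build an Ethernet frame, 802.1Q-tagged when vid is not None (sample input only)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)  # TPID + TCI, PCP/DEI = 0
    return hdr + struct.pack("!H", etype) + payload

def parse_frame(frame):
    """Return (dst, src, vid, ethertype); vid is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    vid = None
    if etype == 0x8100:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID
    return dst, src, vid, etype

def find_leaks(frames, allowed=ALLOWED_VLANS):
    """Report every frame tagged with a VLAN the monitored trunk should never carry."""
    leaks = []
    for idx, frame in enumerate(frames):
        dst, src, vid, _ = parse_frame(frame)
        if vid is not None and vid not in allowed:
            leaks.append({"index": idx, "vid": vid,
                          "broadcast": dst == BROADCAST, "src": src.hex(":")})
    return leaks

# Constructed sample capture: two legitimate frames, one untagged native-VLAN frame, two leaks.
SRC_A = bytes.fromhex("02aabbccdd01")
SRC_B = bytes.fromhex("02aabbccdd02")
SAMPLE_FRAMES = [
    build_frame(BROADCAST, SRC_A, 10),       # ARP broadcast on VLAN 10: expected
    build_frame(SRC_A, SRC_B, 20, 0x0800),   # IPv4 unicast on VLAN 20: expected
    build_frame(BROADCAST, SRC_B, None),     # untagged native-VLAN frame: not judged here
    build_frame(BROADCAST, SRC_B, 30),       # broadcast tagged VLAN 30: leaked
    build_frame(BROADCAST, SRC_A, 99),       # broadcast tagged VLAN 99: leaked
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_FRAMES):
        print(f"frame {leak['index']}: VLAN {leak['vid']} from {leak['src']} broadcast={leak['broadcast']}")
```

In a real test, replace SAMPLE_FRAMES with frames read from a capture on the trunk port while broadcasts are generated on a VLAN that is not in the allowed set.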
