[c-nsp] RELATED: Feedback on: Security Advice for Routers and Switches

Arie Vayner ariev at vayner.net
Sun May 6 14:05:52 EDT 2007


Alan,

Did you try to disable ICMP redirects (no ip redirects on the VLAN
interface)?

Arie

On 5/6/07, A.L.M.Buxey at lboro.ac.uk <A.L.M.Buxey at lboro.ac.uk> wrote:
>
> hi,
>
> Related to this issue, and raised by myself as an option
> regarding securing the network: I have been checking out
> some of the L2 isolation methods and the obvious one is
> 'port protected'.
>
> So I turned it on, et voilà, hosts on the same switch can no longer
> talk to each other. If I use Host A and Host B as examples.....
>
> Host B moves onto another switch daisy-chained to the first switch..
> Host A can then reach it. Okay. I then set the trunk link that feeds
> down to the other switch ALSO as port protected. Et voilà, once
> again, Host A and Host B can no longer talk. HOWEVER, I want them to
> be able to do some talking. So, the docs say that once you use port
> protected then the traffic must get to Layer 3 before they can talk.
> However, these devices should have an L3 path via the router which
> feeds their VLAN and the link to the switch...but there seems to be a
> magical command I need on that router interface or VLAN to allow
> the devices to talk to each other...and I'm a little wary/confused,
> as the way I see it is that the router interface will see a packet
> from Host A to Host B coming from interface X... but it knows that both
> A and B are DOWN that interface X link - and from basic network
> memory I would say that the router SHOULD just throw that packet
> away as it 'knows' that since both hosts are on that broadcast
> domain, then they will/should already have received that packet.
> So, where has my logic gone wrong - or what is the incantation to get
> port protected clients talking to each other? (Which I want them to do
> barring certain activities and, in the case of requiring a day-0
> worm lockdown, I want to control ;-) )
>
> many thanks
>
> alan
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
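The setup the thread describes, written out as an added configuration example (constructed here, not posted by either Alan or Arie): protected access ports and a protected trunk on the switch, then the VLAN interface before and after Arie's `no ip redirects`. It goes one step beyond the thread by also adding `ip local-proxy-arp`, which is what lets the router answer ARP on behalf of a same-subnet host so the traffic reaches Layer 3 at all; interface names, VLAN 10 and the 10.10.10.0/24 addressing are assumptions.

```cisco
! Constructed example config; interface names and addressing are assumed.
!
! --- Access switch: isolate Host A and Host B at Layer 2 ---
interface FastEthernet0/1
 description Host A
 switchport mode access
 switchport access vlan 10
 switchport protected
!
interface FastEthernet0/2
 description Host B
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! Trunk to the daisy-chained switch, also protected as in the thread,
! so a host moved to the second switch stays isolated from Host A.
interface GigabitEthernet0/1
 description trunk to second switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport protected
!
! --- Router: the SVI feeding VLAN 10 ---
! Before: default SVI. Host A ARPs for Host B; the protected ports never
! deliver that ARP to B and the router does not answer it, so A cannot
! send anything at all. Even if A did reach the router, the router would
! send an ICMP redirect pointing A straight at B, which L2 isolation blocks.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
! After: ip local-proxy-arp (not mentioned in the thread, added here) makes
! the router answer A's ARP for B with its own MAC, so A's frames go to the
! router and are forwarded back out the same interface to B. no ip redirects
! (Arie's suggestion) stops the router from telling A to bypass it again.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip local-proxy-arp
 no ip redirects
```

Any filtering between A and B (the "certain activities" and a day-0 lockdown) then belongs on this SVI, since every A-to-B packet now crosses it.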