Re: Switching Advice

From: Nimesh Vakharia (nvakhari@clio.rad.sunysb.edu)
Date: Thu Dec 27 2001 - 21:39:30 EST


While we are on this topic, I was wondering if anyone has seen the
following on the old version of the Cisco 65xx IOS where there was a CatOS
and IOS for management.

for eg:

Lab-6500# (enable) sh trunk 2/5

* - indicates vtp domain mismatch
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 2/5      nonegotiate  dot1q          trunking      98

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 2/5      98

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 2/5      98

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 2/5      98

If the 'Native vlan' and 'Vlans allowed on trunk' are the same the 802.1q
encapsulation fails and this config does not work. I remember reading
about this on Cisco's site but cannot recall the details. Obviously
Murphy's Law, I cannot find that document.
Anyone know why? It had something to do with spanning tree running on the
native VLAN, which therefore might require it to be a non-trunk on that
VLAN, or something along those lines.

thanks,

Nimesh.

On Wed, 26 Dec 2001, dan hopkins wrote:

>
> The SANS document does only apply to 802.1q trunks between 2924XL switches.
> The methodology they used is dependent on the way that 802.1q trunks tag
> the frames. This can be spoofed in some situations.
>
> I am unaware of any tests that test this with ISL Trunking or any tests of
> VLAN hopping in a single switch.
>
> Searching on this topic brought me to a good Doc on switching security:
> http://www.sans.org/infosecFAQ/switchednet/switch_security.htm
>
> on 2001-12-26 09:02 -0500, Brian DeFeyter <bdf@gospelcom.net> wrote:
>
> > This sounds like it's only a concern on multiple switch setups using
> > trunks for VLAN communication? In my example, everything is routed
> > through one switch... probably bypassing this problem.
> >
> > - bdf
> >
>


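An added audit check, not part of this thread or of any Cisco tool: a Python script that parses the CatOS 'show trunk' output format quoted above and flags trunk ports whose native (untagged) VLAN also appears in the 'Vlans allowed on trunk' list, the condition Nimesh describes. The sample output is constructed; port 2/6 with a dedicated, otherwise unused native VLAN 999 is a hypothetical hardened counterpart.

```python
# Constructed sample of CatOS 'show trunk' output in the format quoted in the
# post. The parser only relies on whitespace-separated columns, so the exact
# alignment an archive preserves (or flattens) does not matter.
SAMPLE = """\
* - indicates vtp domain mismatch
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 2/5      nonegotiate  dot1q          trunking      98
 2/6      on           dot1q          trunking      999

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 2/5      98
 2/6      10-20,98

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 2/5      98
 2/6      10,98
"""


def expand_vlans(spec):
    """Expand a CatOS VLAN list such as '1,10-20,98' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(text):
    """Return {port: {"native": int, "allowed": set}} from 'show trunk' output."""
    trunks = {}
    section = None
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, the dashed rulers and the '* - indicates ...' legend.
        if not fields or fields[0].startswith("-") or fields[0] == "*":
            continue
        if fields[0] == "Port":          # a column header starts a new section
            section = " ".join(fields[1:])
            continue
        if section is None:
            continue
        port = fields[0]
        if section.endswith("Native vlan") and len(fields) == 5:
            trunks.setdefault(port, {})["native"] = int(fields[4])
        elif section == "Vlans allowed on trunk" and len(fields) == 2:
            trunks.setdefault(port, {})["allowed"] = expand_vlans(fields[1])
    return trunks


def native_in_allowed(trunks):
    """Ports whose native VLAN is also carried as an allowed VLAN on the trunk."""
    return sorted(port for port, t in trunks.items()
                  if "native" in t and "allowed" in t and t["native"] in t["allowed"])


if __name__ == "__main__":
    print("native VLAN in allowed list:", native_in_allowed(parse_show_trunk(SAMPLE)))
```

Running it prints only 2/5, the configuration from the post; 2/6 passes because its native VLAN is not one of the VLANs the trunk carries.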

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:27 EDT