Well, one thing to keep in mind here is that switches are not routers
and the "VLAN" interface is effectively a NIC for a "management module"
plugged into one of the VLANS going thru the switch.
As on a PC, you get to specify an IP address, netmask and default
gateway. For "IP" to work, you have to have layer 1-2 connectivity
between the "management module" and the target and the IP setup needs
to be right, if you have "incomplete ARP" then the module belives
that the target should be one the same VLAN as it is, and you need
to prove that that VLAN can pass between the two endpoints. The
target also needs to belive that it's on the same subnet so it will
respond on that vlan and not thru it's default gateway.
With Cisco switches, the management VLAN is assumed be by VLAN 1 and
VLAN 1 should have connectivity thru any tree of physically connected
switches and routers. Non-tagged packets will also be treated as
VLAN 1 should you have a router set up as a trunk with sub-interfaces.
If you override these assumptions, you *can* lose management vlan
connectivity, for dotq the native vlan can be something other than
VLAN 1, VLAN's other than 1 are only passed thru trunk ports if
they are locally defined (access vlan usage or set vlan n commands),
or if they're broadcast via correctly configured VTP.
I'm sure all of this is obvious, but my experience is that many
problems are due to obvious things that you don't verify, and it's
easy to overgeneralize about "management VLAN's automatically have
connectivity", when they don't.
Also, note that there is some perverse behavior when you configure
multiple VLANn interfaces under newer IOS versions. Only one of them
says "up", but pre-existing arp-entries can still still route packets
to/from other vlans.
As far as the Cisco vulnerability, this is really nothing that obscure,
you see the same kind of thing happen in real-life when some idiot
mis-configures a PC with the "gateway address" instead of his assigned
IP address, and incorrect ARP's poison the cache or seem to overwrite
the router's own idea of it's own MAC address. This, or something
similar can show up with HSRP when a PC is misconfigured with one of
the real or virtual IP's.
Non-routers can suffer from similar problems or even more bizarre
behavior, it's just a more effective DOS when the gateway for your
network goes away than a single box.
George
> From cisco-nsp-request@puck.nether.net Fri Nov 16 05:20:28 2001
> Resent-Date: Fri, 16 Nov 2001 05:19:49 -0500
> Received-Date: Fri, 16 Nov 2001 05:14:05 -0500
> Reply-To: <steven.godfrey@intechnology.co.uk>
> From: "Steven Godfrey" <steven.godfrey@intechnology.co.uk>
> To: "'Gert Doering'" <gert@greenie.muc.de>,
> "'Kevin Gannon'" <kgannon@lancomms.ie>, <cisco-nsp@puck.nether.net>
> Subject: RE: [nsp] Buffers full on switch?
> Date: Fri, 16 Nov 2001 10:13:46 -0000
> In-Reply-To: <9wRXfD.A.-1E.SJB97@puck.nether.net>
> Resent-From: cisco-nsp@puck.nether.net
> X-Mailing-List: <cisco-nsp@puck.nether.net> archive/latest/8266
> X-Loop: cisco-nsp@puck.nether.net
> List-Post: <mailto:cisco-nsp@puck.nether.net>
> List-Help: <mailto:cisco-nsp-request@puck.nether.net?subject=help>
> List-Subscribe: <mailto:cisco-nsp-request@puck.nether.net?subject=subscribe>
> Precedence: list
> Resent-Sender: cisco-nsp-request@puck.nether.net
>
> Hi,
> The symptoms are very very similar, but the arp table is empty apart from the VLAN 1 mac address which is correct.
>
> When you try to ping anything the arp table will just show the incomplete entry for the IP address you try to ping.
>
>
> Thanks a lot for the pointer though, the IOS that runs in the switch is in the affected range so I will upgrade these soon.
>
> > -----Original Message-----
> > From: Gert Doering [mailto:gert@greenie.muc.de]
> > Sent: Thursday November 2001 19:07
> > To: steven.godfrey@intechnology.co.uk; 'Kevin Gannon';
> > cisco-nsp@puck.nether.net
> > Subject: Re: [nsp] Buffers full on switch?
> >
> >
> > hi,
> >
> > On Thu, Nov 15, 2001 at 05:53:07PM -0000, Steven Godfrey wrote:
> > > Any ideas how such a thing could happen on 2 switches at the same
> > time, and why it only drops stuff destined for the VLAN interface?
> >
> > Could you, by chance, have some rogue hosts on that VLAN? There was a
> > bugtraq article by Cisco today about ARP spoofing attacks against IOS
> > switches, leading to the switches not responding to ARPs to their own
> > IPs
> > anymore.
> >
> > http://www.cisco.com/warp/public/707/IOS-arp-overwrite-vuln-pub.shtml
> >
> > gert
> > --
> > USENET is *not* the non-clickable part of WWW!
> >
> > //www.muc.de/~gert/
> > Gert Doering - Munich, Germany
> > gert@greenie.muc.de
> > fax: +49-89-35655025
> > gert.doering@physik.tu-muenchen.de
>
>
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:55 EDT