[nsp] PIX 535 stateful failover

sthaug at nethelp.no sthaug at nethelp.no
Mon Jun 14 07:31:22 EDT 2004


> > There's no reasonably likely scenario I can think of in which 
> > having a trunk to the firewall would be any less secure than having two 
> > non-trunked connections to the firewall from the same switch on 
> > different VLANs.
> 
> http://www.securityfocus.com/archive/1/26008
> http://www.securityfocus.com/archive/1/27062
> 
> Just for ONE publicly known VLAN hopping problem.

This is rather old information. Some of us have tried rather hard to
reproduce this problem with newer software and switches, and have been
unable to do so. Also note that the 3550, for instance, has the "vlan
dot1q tag native" command which will drop untagged packets on a trunk
port.

In short, even if it is certainly possible to create security problems
if you use VLAN technology, I don't believe the problems mentioned in
the two URLs above are a significant problem in practice today.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
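The "vlan dot1q tag native" mitigation mentioned above, shown as an added Catalyst IOS configuration fragment for illustration (this is not the poster's configuration; the interface name, VLAN numbers and the use of an otherwise unused VLAN 999 as the native VLAN are assumptions). With native VLAN tagging enabled globally, frames on the native VLAN are sent tagged and untagged frames arriving on the trunk are dropped, which is what closes the double-tagging class of VLAN hopping discussed in the thread:

```cisco
! Global: tag frames on the native VLAN of every 802.1Q trunk and
! drop untagged frames received on trunk ports (Catalyst 3550 syntax).
vlan dot1q tag native
!
! Assumed trunk towards the PIX failover pair.
interface GigabitEthernet0/1
 description trunk to firewall (assumed port name)
 switchport trunk encapsulation dot1q
 ! Assumed: native VLAN set to an unused VLAN so no user traffic rides it.
 switchport trunk native vlan 999
 ! Assumed: only the firewall-facing VLANs are carried on the trunk.
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 ! Static trunk; do not negotiate trunking with the attached device.
 switchport nonegotiate
```

A quick check after applying this is "show vlan dot1q tag native", which reports whether native VLAN tagging is active; "show interfaces trunk" confirms the native and allowed VLAN settings on the port.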


More information about the cisco-nsp mailing list