[c-nsp] purposefully mismatching native vlans

Dan Martin dmartin at micromuse.com
Fri Dec 23 11:25:02 EST 2005


Spanning tree is your friend.

Spanning tree is your last defense against human nature.  

When you disable spanning tree you are deciding that nobody who will
plug or unplug cables in your network equipment will ever make a
mistake.

Do security considerations really outweigh that?

I'm not asking rhetorically here, I'm hoping somebody can tell me why
disabling spanning tree is so compelling.  I've seen a carrier with a
bunch of Ethernet out toward their customers disable spanning tree, and
I just dismissed it as goofy, but now with this thread I'm starting to
wonder if it's me that has it all wrong.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Brochu
Sent: Friday, December 23, 2005 10:50 AM
To: Andrew Fort
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] purposefully mismatching native vlans

Thanks for the reply.

I plan to prune out vlan 1 from any port that sees vlan 1841, and 
vice-versa.  The likelihood of anyone looping ports on our 6500 is very 
small, and STP will still be active on our residential switches further 
down the switch chain, so as an interim this hack of vlan translation 
still seems viable... Until the second phase where we subnet further.

-Mark

Andrew Fort wrote:
> Mark Brochu wrote:
> 
>> I feel that disabling spanning tree on that vlan is justifiable.  I 
>> can also prevent the log spam by disabling cdp v2 on the other ends.
>>
>> I'm wondering if there are any other possible caveats I may run into.
>>
>> Looking forward to your input!
>>
>> Mark Brochu
>> Network Analyst
>> University of Hartford
>>   
> 
> 
> This hack has worked for me in the past, though I last used it on
> malbiu 2924 switches.  Simple rule: Avoid loops.  The main problem you'll get
> if someone closes a loop: CAM tables that see both "1" and "1841" will
> think they're different VLANs and will happily populate the same MAC 
> address, on different ports, in those "different" VLANs, so you won't 
> even get detection of "mac moves" if your hardware supports that and 
> you'd configured it.
> 
> VLAN translation is available on some kit (may be worth looking at 
> vendors other than cisco here for a point solution linking these two 
> networks), so given the likelihood of a loop being formed and how much 
> you'd like to not have your ops staff's days ruined, perhaps this is 
> worth considering further.
> 
> -andrew
> 
> 

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
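Added example, not code from any poster in this thread: Andrew's point is that once VLAN 1 and VLAN 1841 are joined by the native-VLAN mismatch, the switch treats them as separate VLANs, so a loop shows up as the same MAC learned in both VLANs on different ports and the hardware's mac-move detection never fires. The script below does that cross-VLAN comparison offline against a captured `show mac address-table` dump. The table text is a constructed sample in a generic IOS-style layout (the exact column layout of a given platform may differ; adjust the regex); the VLAN numbers 1 and 1841 come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample output in an IOS-style "show mac address-table" layout.
# The first MAC is the loop symptom Andrew describes: learned in VLAN 1 on
# Gi1/1 and in VLAN 1841 on Gi1/2. The last MAC sits in both VLANs on the
# same trunk port, which is what a joined native VLAN looks like normally.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi1/1
1841    0011.2233.4455    DYNAMIC     Gi1/2
   1    0011.2233.6677    DYNAMIC     Gi1/1
1841    aabb.ccdd.eeff    DYNAMIC     Gi1/3
   1    aabb.ccdd.eeff    DYNAMIC     Gi1/3
"""

# vlan, dotted-hex MAC, type, port; header and separator lines do not match
MAC_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples from the table text."""
    entries = []
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return entries


def find_cross_vlan_duplicates(entries, vlan_a, vlan_b):
    """MACs present in both vlan_a and vlan_b but on different ports.

    A MAC seen in both VLANs on the same port is the expected result of the
    joined native VLANs; the same MAC on different ports is the loop signature
    the switch's own mac-move detection cannot see across two VLANs.
    Returns a sorted list of (mac, ports_in_vlan_a, ports_in_vlan_b).
    """
    seen = defaultdict(dict)  # mac -> {vlan: set(ports)}
    for vlan, mac, port in entries:
        if vlan in (vlan_a, vlan_b):
            seen[mac].setdefault(vlan, set()).add(port)

    hits = []
    for mac, by_vlan in sorted(seen.items()):
        if vlan_a in by_vlan and vlan_b in by_vlan:
            ports_a, ports_b = by_vlan[vlan_a], by_vlan[vlan_b]
            if ports_a != ports_b:
                hits.append((mac, sorted(ports_a), sorted(ports_b)))
    return hits


def check_mac_table(text, vlan_a=1, vlan_b=1841):
    """Convenience wrapper: parse the dump and report suspicious MACs."""
    return find_cross_vlan_duplicates(parse_mac_table(text), vlan_a, vlan_b)


if __name__ == "__main__":
    for mac, ports_a, ports_b in check_mac_table(SAMPLE_MAC_TABLE):
        print(f"possible loop: {mac} in vlan 1 on {ports_a}, "
              f"in vlan 1841 on {ports_b}")
```

Run it against a periodic capture of the table from the 6500 (or from the residential switches) and alert when it returns anything; it is a poor substitute for spanning tree, but it is a check the switch will not perform for you while the two VLANs are being treated as one.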
