[c-nsp] Security question regarding VTP in a L2 shared environment

Geoffrey Pendery geoff at pendery.net
Mon Feb 23 12:09:46 EST 2009


"Hypothetically, if there is no L2 or L3 security in place, would it
be as simple as creating a "sw acc vlan 230", and allowing 230 on the
trunk port on my switch to start scoping about at the other end?"

Well, the L2 security in question is that on the other end of the
trunk, it *should* be configured to only allow the VLANs that you're
supposed to be sharing.
If that is not configured, then yes, you could add access ports to the
other VLANs, then add those VLANs to the trunk, and your access-port
hosts would be on that VLAN.

Since your intent is not to do that, you should configure your end of
the trunk to only allow the VLANs that you intend to share with your
layer-2 partner.


-Geoff


On Fri, Feb 20, 2009 at 9:28 PM, Steve Bertrand <steve at ibctech.ca> wrote:
> I have a shared L2 environment with a local company, in which we have
> numerous VLANs over fibre. I'm in the process of moving to transparent
> on all of my switches, and during the work, I'm checking things out.
>
> Doing a "sh vlan" produces output that includes VLANs that I shouldn't see:
>
> 230   xxxOFFICExxx                     active
> 240   xxxSECURITYxxx                   active
> 250   xxxDMZx                          active
>
> ...etc.
>
> The VLANs shown above belong to the network that I am connected to. They
> are completely outside of my security boundary.
>
> Hypothetically, if there is no L2 or L3 security in place, would it be
> as simple as creating a "sw acc vlan 230", and allowing 230 on the trunk
> port on my switch to start scoping about at the other end?
>
> Of course I am not going to do anything of the sort, hence why I am
> asking here. I'm sure I know the answer already, but if I don't get any
> feedback from the list, I'm going to lab it up internally and do some
> educational testing for my own knowledge.
>
> Steve
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
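As an added example that is not part of this thread, here is a small audit script for the mitigation Geoff describes: it parses an IOS running-config excerpt, flags trunks whose allowed-VLAN list is still the default (every VLAN), and checks whether VTP is in transparent mode. The config text and interface names are constructed for the example.

```python
import re

# Constructed running-config (not from the thread): Gi0/1 trunks to the L2
# partner at the IOS default (all VLANs), Gi0/2 is limited to the shared VLANs.
SAMPLE_CONFIG = """\
vtp mode server
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 100,110,120
 switchport mode trunk
!
"""
UNRESTRICTED = {"all", "1-4094"}

def parse_interfaces(config):
    """Split an IOS running-config into {interface name: [stanza lines]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def audit_trunks(config):
    """Return (interface, allowed-vlan string) for trunks carrying every VLAN."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        allowed = "all"  # IOS default when no allowed-vlan list is configured
        for l in lines:
            m = re.match(r"switchport trunk allowed vlan (\S+)", l)
            if m:
                allowed = m.group(1)
        if allowed in UNRESTRICTED:
            findings.append((name, allowed))
    return findings

def vtp_is_transparent(config):
    """True when the switch neither learns nor propagates VTP VLAN databases."""
    return "vtp mode transparent" in config.splitlines()
```

Each finding is a trunk that should get `switchport trunk allowed vlan <shared list>`, and a False from `vtp_is_transparent` means the partner's VLAN database can still be learned over the trunk.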

