[c-nsp] Security question regarding VTP in a L2 shared environment

Steve Bertrand steve at ibctech.ca
Mon Feb 23 12:58:41 EST 2009


Geoffrey Pendery wrote:
> "Hypothetically, if there is no L2 or L3 security in place, would it
> be as simple as creating a "sw acc vlan 230", and allowing 230 on the
> trunk port on my switch to start scoping about at the other end?"
> 
> Well, the L2 security in question is that on the other end of the
> trunk, it *should* be configured to only allow the VLANs that you're
> supposed to be sharing.
> If that is not configured, then yes, you could add access ports to the
> other VLANs, then add those VLANs to the trunk, and your access-port
> hosts would be on that VLAN.
> 
> Since your intent is not to do that, you should configure your end of
> the trunk to only allow the VLANs that you intend to share with your
> layer-2 partner.

My end is already configured to only allow the VLANs in use on this
connection.

I have other concerns regarding this setup. The connection in question
terminates within another company's facility. They aggregate numerous
fibre-connected clients of ours, and then we provide the Internet
bandwidth via a VLAN per sub.

Since the only responsibility that the other company has is physical
connectivity, I'm going to request that I colocate my own switch inside
their network that terminates all of our clients (and ourselves).

I don't really like the potential for MitM with the existing setup. I
highly doubt that this would ever happen, but in all reality, one never
knows for sure.

At least if I have my own switch in the other network, I'll be able to
ensure end-to-end integrity to a much higher degree.

Steve
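The trunk pruning that Geoffrey describes, shown as an added Cisco IOS configuration example (this is not a config posted in the thread or taken from Steve's switch). The interface name, the shared subscriber VLANs 100 and 101, the unused native VLAN 999 and the descriptions are assumptions for illustration; VLAN 230 is the one used as the hypothetical example above. The weak form is what a trunk looks like with defaults; the hardened form restricts it to the VLANs actually shared, turns off DTP negotiation, and takes the switch out of VTP server mode so a VTP advertisement arriving over the shared link cannot rewrite the VLAN database:

```cisco
! Added example, not from the original post. GigabitEthernet0/1, VLANs
! 100/101, native VLAN 999 and the descriptions are assumed for illustration.
!
! --- Weak: partner-facing trunk with defaults ---
! All VLANs 1-4094 are allowed, DTP may negotiate, and the switch is still
! the default VTP server, so the far end can both reach VLAN 230 and
! push VTP updates if it is in the same VTP domain.
interface GigabitEthernet0/1
 description Uplink to aggregation partner (WEAK)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! --- Hardened: only the subscriber VLANs cross the trunk ---
!
! Define VLANs locally and ignore VTP advertisements from the link.
vtp mode transparent
!
vlan 100
 name sub-A
vlan 101
 name sub-B
! Dedicated native VLAN with no access ports; untagged frames land here.
vlan 999
 name unused-native
!
interface GigabitEthernet0/1
 description Uplink to aggregation partner (HARDENED)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Static trunk, no DTP: the far end cannot negotiate the port's mode.
 switchport nonegotiate
 ! Untagged frames go to an unused VLAN rather than VLAN 1.
 switchport trunk native vlan 999
 ! Prune everything except the shared VLANs. Frames tagged with any other
 ! VLAN (230 included) are dropped on ingress and never sent on egress,
 ! regardless of what the far end allows on its side.
 switchport trunk allowed vlan 100,101
```

`show interfaces trunk` on the hardened switch should list only 100,101 under "Vlans allowed on trunk" for Gi0/1, and `show vtp status` should report "VTP Operating Mode : Transparent". The `switchport trunk encapsulation dot1q` line is needed on platforms that also support ISL and is rejected on dot1q-only platforms; drop it there. This protects only the local end: as the quoted reply says, a host the partner adds to VLAN 230 on their side still cannot reach this switch's VLAN 230, but nothing here stops the partner from bridging VLANs among themselves, which is the residual concern colocating one's own switch addresses.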
