Re: [fw-wiz] MAC blocking
- From: "Dale W. Carder" <dwcarder@xxxxxxxxxxxxx>
- Date: Mon, 28 Nov 2005 17:31:40 -0600
Thus spake Chuck Swiger (chuck@xxxxxxxxxxx) on Mon, Nov 28, 2005 at 05:09:32PM -0500:
> I would say it's not safe to assume that VLANs can be trusted to
> separate traffic with complete reliability, especially if it is
> possible for a malicious machine to gain access to a trunk port:
Anything is possible with proper misconfiguration.
If you decide that for whatever limitaion makes you need to use vlans
instead of separate physical infrastructure, you need to know what
you are doing.
In switched networks, there are huge implications as to how 802.1q,
Vlan 1 (particularly on catalyst), VTP (yuck), STP, CDP, etc.
interoperate with your security goals.
But, some of the nicer features that have appeared lately for layer
2 include switches that can do edge port ACL's, static mac to port
provisioning, 802.1X, VMPS, private vlans... The layer 2 toolbox
is getting a bit better.
Dale W. Carder - Network Engineer
University of Wisconsin at Madison
firewall-wizards mailing list
- Next by Date: [fw-wiz] Throttle users ..
- Next by thread: Re: [fw-wiz] MAC blocking