Re: [fw-wiz] MAC blocking

Thus spake Chuck Swiger (chuck@xxxxxxxxxxx) on Mon, Nov 28, 2005 at 05:09:32PM -0500:
> I would say it's not safe to assume that VLANs can be trusted to
> separate traffic with complete reliability, especially if it is
> possible for a malicious machine to gain access to a trunk port:

Anything is possible with proper misconfiguration.

If you decide that for whatever limitaion makes you need to use vlans
instead of separate physical infrastructure, you need to know what
you are doing.

In switched networks, there are huge implications as to how 802.1q,
Vlan 1 (particularly on catalyst), VTP (yuck), STP, CDP, etc.
interoperate with your security goals.

But, some of the nicer features that have appeared lately for layer
2 include switches that can do edge port ACL's, static mac to port
provisioning, 802.1X, VMPS, private vlans... The layer 2 toolbox
is getting a bit better.


Dale W. Carder - Network Engineer
University of Wisconsin at Madison
firewall-wizards mailing list

Relevant Pages

  • Re: Bluetooth connection
    ... Thanks again Dale! ... they had a suggestion, or solution, to the question on port selection. ... I ended up with the Bluetooth virtual COM ...
  • Re: Group Policy - WinXp firewall
    ... the settings for GP are under "Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile/Windows Firewall: ... Dale wrote: ... The DB vendor first suggested that the Xp firewall be turned off, but then setteled on having TCP port 6719 open in both directions at each client PC and the server. ...
  • Re: Bluetooth connection
    ... Thanks Dale, but the installation software for the GlobalSat BTA-806 ... option of a custom installation. ... BT-338 Bluetooth receiver with COM port 11 but the VisualGPS software COM ...
  • Re: problem with vlan interfaces tagging/untagging in a simulated switch box
    ... on layer 2 switch, ports doesn't have ip addresses and traffic comming ... from a vlan port is tagged and pass through trunk port. ... In your topology the em0 which plays the role of trunk port has ip ...
    ... There is no vlan 660 anywhere. ... I get this error when set this port as your ... recommended as a trunk port. ... the fiber goes to a netscreen firewall. ...