North American Network Operators Group


Re: maximum active vlans in a crisco 6509

  • From: Bennett Todd
  • Date: Wed Jun 21 00:37:43 2000

2000-06-20-23:56:07 Bora Akyol:
> If you put all of the users on separate switch ports, then would
> they be able to snoop each other's traffic? At least the switches
> that I have seen prevent this behavior unless you put a particular
> switch port in "monitor" mode.

Sorry, I did a dumb thing here, I basically carried over a whole
debate context from other lists and assumed it here. I should have
at least referenced the other discussions. It's been discussed at great
length on [email protected] and [email protected]

The short version is, the core switch behavior you're talking about
was never designed as a security barrier, or an IP level traffic
visibility control tool; it was just designed to shrink the scope of
traffic visibility for performance reasons. Any number of hacks,
like CAM table flooding, can coerce a normal switch to leak
something fierce.

Furthermore, and badly mangling the intent of my example,
VLANs weren't originally designed as security barriers, they
were just intended to help provide control over the scope of
broadcast domains, to help people better provision the use of the
excruciatingly expensive switch ports, when switches were young,
their ports were dear, and they came in just a few sizes.

But where the focus of core switch behavior is purely at the MAC
level, VLANs at least are defined in terms of specific physical
ports, leaving room to hope that barring security bugs in the OSes
on the host processors of the switches, VLANs may be a bit more
effective as security barriers.

> As long as all rooms in this hotel are on separate switch ports,
> you would basically be OK even without using VLANs.

Depends on the level of protection and control you want to offer.
Barring bugs in the switch OS, VLANs _should_ allow you to very
positively associate traffic with specific ports, if you give each
one a separate VLAN; this you cannot reasonably do with simple
switches given a dynamic user community. Simple switches leave you
far weaker guarantees about inter-user protections as well, but what
I was trying to hint at with the thought about doing traffic shaping
with the upstream router was the idea of keeping accountability
right from the individual switch port all the way to the router.

Probably too flawed an example to be any good, sorry for the
digression here.

-Bennett
