North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: maximum active vlans in a crisco 6509

  • From: Bennett Todd
  • Date: Wed Jun 21 00:37:43 2000

2000-06-20-23:56:07 Bora Akyol:
> If you put all of the users on seperate switch ports, then would
> they be able to snoop each other's traffic? At least the switches
> that I have seen prevent this behavior unless you put a particular
> switch port in "monitor" mode.

Sorry, I did a dumb thing here, I basically carried over a whole
debate context from other lists and assumed it here. I should have
least referenced the other discussions. It's been discussed at great
length on [email protected] and [email protected]

The short version is, the core switch behavior you're talking about
was never designed as a security barrier, or an IP level traffic
visibility control tool; it was just designed to shrink the scope of
traffic visibility for performance reasons. Any number of hacks,
like CAM table flooding, can coerce a normal switch to leak
somethign fierce.

Furthermore, and badly mangling the intent of my example,
VLANs weren't originally designed as security barriers, they
were just intended to help provide control over the scope of
broadcast domains, to help people better provision the use of the
excruciatingly expensive switch ports, when switches were young,
their ports were dear, and they came in just a few sizes.

But where the focus of core switch behavior is purely at the MAC
level, VLANs at least are defined in terms of specific physical
ports, leaving room to hope that barring security bugs in the OSes
on the host processors of the switches, VLANs may be a bit more
effective as security barriers.

> As long as all rooms in this hotel are on seperate switch ports,
> you would basically be OK even without using VLANs.

Depends on the level of protection and control you want to offer.
Barring bugs in the switch OS, VLANs _should_ allow you to very
positively associate traffic with specific ports, if you give each
one a separate VLAN; this you cannot reasonably do with simple
switches given a dynamic user community. Simple switches leave you
far weaker guarantees about inter-user protections as well, but what
I was trying to hint at with the thought about doing traffic shaping
with the upstream router was the idea of keeping accountability
right from the individual switch port all the way to the router.

Probably too flawed an example to be any good, sorry for the
digression here.


Attachment: pgp00003.pgp
Description: PGP signature