There's a document in the SANS Intrusion detection FAQ on this. It describes a mechanism to perform the exploit. The url is: http://www.sans.org/newlook/resources/IDFAQ/vlan.htm Basically, the method is to alter the 802.1q portion of the ethernet frame with the identifier of the VLAN of the target machine. This was done using sniffer pro. Now, the exploit requires that the trunk ports (across switches) have an underlying VLAN in common with the destination machine. Interestingly, some years ago Cisco recommended to a company that I worked for that VLAN 1 should not be used in production networks, and trunk ports should have their underlying VLAN setting set to an otherwise unused VLAN setting. This happens to coincide with the findings in the SANS article. Regards, John ************************************************************************** This email, its contents and any files attached are intended only for the named addressee. They contain information which may be confidential and/or legally privileged. If you are not the named addressee or if you have received this email in error, (a) you may not, without the consent of Cognotec, copy (which includes forwarding), use or rely on any information or attachments in any way and (b) please notify the sender by return email and delete it from your email system. Unless separately agreed, Cognotec does not accept any responsibility for the accuracy or completeness of the contents of this email or its attachments or for any statements or contractual commitments contained in this email or its attachments. **************************************************************************
This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 09:12:45 PDT