Re: switch jamming

From: blast (blastat_private)
Date: Thu Jan 31 2002 - 09:42:18 PST


    >Blue Boar wrote:
    >The Cisco switches at least can be secured against this, if you can
    >live with the inconvenience.  If you have one machine per port, you
    >can configure the switch to learn the first MAC address it sees,
    >and then not accept frames from any other address.  This means
    >that you can't move machines around or change NICs without the
    >switch admin resetting the MAC address for the affected ports.  It also
    >means that you can't chain multiple machines off of any ports
    >configured that way, say via a hub.
    
    This comes at an administrative cost that is so high
    that mistakes are made and it does not scale.
    
    The better feature-set to look at which has promise
    in this approach is PRIVATE VLANs.  Here you have a
    policy which is held at L2.  It is described to the
    switch as policy and not as execution.
    Both Cisco and Foundry have something similar and the
    best way to research would be to Google for it.
    
    The property is held at the VLAN declaration.
    Ports placed in this VLAN have one of three policies.
    
    Community pvlans
    
    *   A port assigned to a community pvlan has full connectivity to all other
        ports in the same community pvlan.
    *   Ports that are promiscuous to a community pvlan have full connectivity
        to all the ports belonging to this community pvlan.
    *   There can be several community pvlans within a primary pvlan but there
        is no direct layer-2 connectivity between ports belonging to different
        community pvlans.
    
    
    Isolated pvlan
    
    *   A port assigned to the isolated pvlan can only reach the promiscuous
        ports of the isolated pvlan: there is no direct connectivity possible
        between two hosts in the isolated pvlan.
    *   Ports promiscuous to the isolated pvlan have full connectivity to all
        the ports belonging to the isolated pvlan.
    *   There is only one isolated pvlan in the primary pvlan (there is no need
        for several of them).
    
    
    Promiscuous ports
    
    *   Promiscuous ports can talk to each other, even if they are not
        promiscuous to the same community or isolated pvlans.
    *   Promiscuous ports have full connectivity to each individual port
        belonging to the community or isolated pvlan they are promiscuous to.
    *   Promiscuous ports belong to the primary pvlan and can be promiscuous to
        several different community or isolated pvlans in this primary pvlan.
    
    
    
    Good luck,
    --blast
    
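The three port policies described in the post above (community, isolated, promiscuous), worked through as an added example that is not code from the post or from any switch vendor: a small Python model of which pairs of ports in one primary pvlan have direct layer-2 reachability. The `Port` class, the port and community names, and the topology are constructed for illustration; the rules encoded are only those the post states.

```python
"""Model of private-VLAN (PVLAN) reachability rules within one primary pvlan.

Added example: the data model and the sample topology are assumptions made
for illustration, not a vendor's implementation.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ISOLATED = "isolated"   # name used for the single isolated secondary pvlan


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                              # "community", "isolated" or "promiscuous"
    community: Optional[str] = None        # community name, only for kind == "community"
    mapping: FrozenSet[str] = frozenset()  # secondary pvlans a promiscuous port is mapped to

    def __post_init__(self) -> None:
        if self.kind not in ("community", "isolated", "promiscuous"):
            raise ValueError(f"unknown port kind {self.kind!r}")
        if self.kind == "community" and not self.community:
            raise ValueError(f"community port {self.name} needs a community name")


def secondary_of(p: Port) -> Optional[str]:
    """Secondary pvlan a host port belongs to (None for a promiscuous port)."""
    if p.kind == "community":
        return p.community
    if p.kind == "isolated":
        return ISOLATED
    return None


def can_talk(a: Port, b: Port) -> bool:
    """Direct L2 reachability between two distinct ports of the same primary pvlan."""
    if a.kind == "promiscuous" and b.kind == "promiscuous":
        return True                                  # promiscuous ports always see each other
    if a.kind == "promiscuous":
        return secondary_of(b) in a.mapping          # promiscuous reaches what it is mapped to
    if b.kind == "promiscuous":
        return secondary_of(a) in b.mapping
    if a.kind == "community" and b.kind == "community":
        return a.community == b.community            # same community only
    return False                                     # isolated never reaches another host port


def reachability(ports: List[Port]) -> Dict[str, FrozenSet[str]]:
    """Map each port name to the set of other port names it can reach directly."""
    return {
        p.name: frozenset(q.name for q in ports if q is not p and can_talk(p, q))
        for p in ports
    }


def policy_is_symmetric(ports: List[Port]) -> bool:
    """Sanity check: reachability must be the same in both directions."""
    return all(can_talk(p, q) == can_talk(q, p) for p in ports for q in ports if p is not q)


# Constructed sample topology (names are made up for this example).
GATEWAY = Port("gateway", "promiscuous", mapping=frozenset({"web", "db", ISOLATED}))
BACKUP = Port("backup", "promiscuous", mapping=frozenset({"db"}))
WEB1 = Port("web1", "community", community="web")
WEB2 = Port("web2", "community", community="web")
DB1 = Port("db1", "community", community="db")
DMZ1 = Port("dmz1", "isolated")
DMZ2 = Port("dmz2", "isolated")
SAMPLE_PORTS = [GATEWAY, BACKUP, WEB1, WEB2, DB1, DMZ1, DMZ2]


if __name__ == "__main__":
    for name, peers in reachability(SAMPLE_PORTS).items():
        print(f"{name:8s} -> {', '.join(sorted(peers)) or '(nothing)'}")
    print("symmetric:", policy_is_symmetric(SAMPLE_PORTS))
```

Running it shows the points the post makes: `dmz1` and `dmz2` reach only the gateway and never each other, `web1` reaches `web2` but not `db1`, and `backup` reaches `gateway` even though it is not mapped to the `web` or isolated pvlans. A policy engine like this is what the switch evaluates per frame; whether a given vendor's hardware also honours it under a flooded CAM table is a question to verify on the box, not something this model can tell you.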



    This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 10:00:55 PST