
Re: Linux and Inter-vlan Routing



Rainer Nagel wrote:
> Hi Tomfi,
> 
> On Tue, Aug 07, 2007 at 09:07:48AM +0200, tomfi wrote:
> 
>> Yes at this point you must "only" strongly remember that it is
>> default/native vlan so not so secure (people are not error prone :) )
>> I think one of good practices is to use this vlan as "guest vlan".
> 
> Good practice is, not to use it.
> In addition the native vlan on links between your switches
> (infrastructure devices) should be different than that on links between
> your switches and connected hosts if these get trunks.
> Then double-tagging VLAN hopping is prevented.
> 
> Ciao
Sorry, but I must say your interpretation is not correct ... even worse,
it is a VLAN hopping helper... if you do not have a consistent native VLAN
across all trunks you are being nice to your hackers...

Maybe it is only an English language problem ... see this page, there are
anti-VLAN-hopping practices:
http://www.ciscopress.com/articles/article.asp?p=474239&seqNum=2&rl=1
 section Mitigating VLAN Hopping Attacks


PS: I think you were trying to say: don't use the same native VLAN on
trunks as the native VLAN on access ports.


