On 10/01/11 22:15, Jonathan Tripathy wrote:
If a guest maliciously added a vlan tag, wouldn’t it still remain in
the frame, however be "double-tagged" by the outgoing physical port?
Even still though, this probably isn't an issue, provided that all
upstream switches are configured correctly.
I don't believe that this is an issue. An 802.1ad double tag won't
be recognised so it will either be dropped by the switch or dropped by
the outgoing NIC on the bridge. Short of constructing frames by
hand, though, I'm not sure how you would go about adding an 802.1ad
vlan tag on top of an 802.1q vlan tag.
I wish it wasn't an issue. Many switches allow hosts to vlan hop if the
native vlan of a trunk port is the same as the native vlan of the host.
It's easily prevented though with proper switch configuration.
What ebtable command would I use to prevent *any* tagged frames coming
from a host?
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
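As an added illustration (not from the thread), the following Python models the two points discussed above: a guest's 802.1Q tag stays in the frame and simply becomes the inner tag when the trunk port pushes an outer 802.1ad tag, and a "drop any tagged frame from the guest" policy is a check on the EtherType right after the MAC addresses. The frames and MAC addresses are constructed for the example; the ebtables rule in the comment assumes guest interfaces named vif*.

```python
import struct

# Tag protocol identifiers (TPIDs) that mark a tagged frame.
TPID_8021Q = 0x8100   # customer tag (802.1Q)
TPID_8021AD = 0x88A8  # service/provider tag (802.1ad, "QinQ")
TPIDS = {TPID_8021Q, TPID_8021AD}

# Constructed MAC addresses (locally administered range).
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")


def build_frame(dst, src, tags, ethertype, payload):
    """Build an Ethernet frame; `tags` lists (tpid, vid) pairs, outermost first."""
    frame = dst + src
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP/DEI bits left at 0
    return frame + struct.pack("!H", ethertype) + payload


def add_outer_tag(frame, tpid, vid):
    """What an outgoing trunk port does: push a new outer tag right after the
    MAC addresses. The guest's own tag is not removed; it becomes the inner tag."""
    return frame[:12] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[12:]


def tag_stack(frame):
    """Return ([(tpid, vid), ...] outermost first, inner EtherType)."""
    tags, off = [], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            return tags, etype
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))
        off += 4


def guest_frame_dropped(frame):
    """Policy asked for in the thread: drop *any* tagged frame a guest sends,
    whatever the VID. The same check as an ebtables rule on the bridge (interface
    name assumed):  ebtables -A FORWARD -i vif+ -p 802_1Q -j DROP
    ebtables -p matches only that one TPID, so a second rule with -p 0x88a8
    is needed to cover 802.1ad-tagged frames as well."""
    tags, _ = tag_stack(frame)
    return len(tags) > 0


if __name__ == "__main__":
    guest = build_frame(DST, SRC, [(TPID_8021Q, 10)], 0x0800, b"\x00" * 4)
    print("guest frame tags:", tag_stack(guest), "dropped:", guest_frame_dropped(guest))
    print("after trunk port:", tag_stack(add_outer_tag(guest, TPID_8021AD, 100)))
```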