Re: VLANs


 



On 10/01/11 22:15, Jonathan Tripathy wrote:
If a guest maliciously added a vlan tag, wouldn’t it still remain in the frame, however be "double-tagged" by the outgoing physical port? Even still though, this probably isn't an issue, provided that all upstream switches are configured correctly.

I don't believe that this is an issue. And 802.1ad double tag won't be recognised so it will either be dropped by the switch or dropped by the outgoing NIC on the bridge. Short of constructing frames by hand, though, I'm not sure how you would go about adding an 802.1ad vlan tag on top of an 802.1q vlan tag.

I wish it wasn't an issue. Many switches allow hosts to vlan hop if the native vlan of a trunk port is the same as the native vlan of the host. It's easily prevented though with proper switch configuration.

What ebtable command would I use to prevent *any* tagged frames coming from a host?
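
The check asked about above (rejecting any frame that arrives from a guest with a VLAN tag, single or double), written out as a frame classifier. This is an added example, not part of the original message, and it is a Python illustration rather than an ebtables rule; the function names and sample frames are constructed for it.

```python
import struct

# TPIDs that mark a VLAN tag: 802.1Q customer tag and 802.1ad service tag.
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD}


def vlan_tags(frame: bytes):
    """Return (tags, inner_ethertype); tags lists (tpid, vid), outermost first.

    Raises ValueError when the frame ends inside the header or inside a tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                      # skip destination and source MAC
    tags = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 6:  # TPID + TCI + next EtherType
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci & 0x0FFF))  # low 12 bits of TCI = VLAN ID
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return tags, ethertype


def guest_verdict(frame: bytes) -> str:
    """Policy for an untagged guest port: forward only frames with no tag."""
    try:
        tags, _ = vlan_tags(frame)
    except ValueError:
        return "DROP"                # malformed frames are not forwarded
    return "DROP" if tags else "ACCEPT"


def _tag(tpid: int, vid: int) -> bytes:
    return struct.pack("!HH", tpid, vid)


# Constructed sample frames (not captured traffic).
MACS = bytes.fromhex("ffffffffffff" "525400123456")
IPV4 = struct.pack("!H", 0x0800) + b"\x00" * 46
UNTAGGED = MACS + IPV4
SINGLE = MACS + _tag(TPID_8021Q, 10) + IPV4
DOUBLE_Q = MACS + _tag(TPID_8021Q, 1) + _tag(TPID_8021Q, 20) + IPV4
QINQ_AD = MACS + _tag(TPID_8021AD, 100) + _tag(TPID_8021Q, 20) + IPV4
TRUNCATED = MACS + struct.pack("!H", TPID_8021Q) + b"\x00"
```
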

