[VLAN] VLAN issue - other IP's discovered across VLANS

On Thu, Nov 09, 2006 at 11:04:19PM +0100, Frode Marton Meling wrote:
> Hello
> I have a server setup with the following network config:
> 
> Default	eth0		- 192.168.100.1 255.255.255.0
> GW:192.168.100.254
> VLAN2	eth0.2	- 0.0.0.2 255.255.255.255
> VLAN3	eth0.3	- 0.0.0.3 255.255.255.255
> VLAN4	eth0.4	- 0.0.0.4 255.255.255.255
> 
> The reason for this is that I run VMWare server and the other VLANS
> are used by the VMWare server.. Without setting any IP, I got
> errors..

That should not happen. It's perfectly legal to not have an IP
address configured on an interface, and if you're bridging it may
even interfere.


> I have a VLAN trunk from my HP-managed switch. All VLANS tagged
> except Default VLAN (I have tried this with tagging on Default
> VLAN also).

Default VLAN or the native VLAN is untagged by definition, right?


> If I add my linux desktop to VLAN4 and do a netdiscover, it will
> find the 192.168.100.1 (I can not access it, but since it is
> detectable from outside, it is a risk).

I'm not sure I agree with your risk analysis, but let's stick to the
point:

netdiscover floods ARP requests for all private IP addresses. Your
Linux VLAN box replies even though the request is coming in on an
interface with a different address than the one in the request. Linux
does this by default.

Read more about rp_filter and arp_filter in
/usr/src/linux/Documentation/networking/ip-sysctl.txt or consider
implementing firewall rules to ensure your system behaves as
intended.

Hope this helps!


//Peter
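The per-interface sysctls the reply points to, as an added example that is not part of the thread and not code from either poster. It generates a sysctl fragment for the interfaces listed in the original message and audits the running values. arp_filter and rp_filter are the knobs named above; arp_ignore=1 (reply only when the target address is configured on the interface the request arrived on) is an additional, documented kernel setting that I add here because it addresses the netdiscover observation directly. The interface list, the PROC_SYS override and the script name are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread: generate and audit ARP / reverse-path
# hardening sysctls so a multi-VLAN Linux host answers ARP only for addresses
# configured on the interface a request arrives on.

# Interfaces from the original message (assumption: adjust for your host).
VLAN_IFACES="eth0 eth0.2 eth0.3 eth0.4"

# key=value pairs we want on every listed interface.
#   arp_filter=1 : answer only if the reply would route back out this interface
#   arp_ignore=1 : answer only for addresses configured on this interface
#   rp_filter=1  : strict reverse-path check for IP packets
# Note: the kernel ORs these with net/ipv4/conf/all/*, so a 1 in "all" wins.
WANTED_SETTINGS="arp_filter=1 arp_ignore=1 rp_filter=1"

# gen_sysctl_conf: print a /etc/sysctl.d fragment for all listed interfaces.
# The '/' separator is used because interface names such as eth0.2 contain a
# dot, which the usual dotted sysctl syntax cannot express unambiguously.
gen_sysctl_conf() {
  for iface in $VLAN_IFACES; do
    for kv in $WANTED_SETTINGS; do
      key=${kv%%=*}; val=${kv#*=}
      printf 'net/ipv4/conf/%s/%s = %s\n' "$iface" "$key" "$val"
    done
  done
}

# audit_iface IFACE: compare the live value of each key with the wanted one.
# Prints one line per key; returns 0 when all match, 1 otherwise.
# PROC_SYS (assumption: defaults to /proc/sys) can point at a test tree.
audit_iface() {
  iface=$1; rc=0
  for kv in $WANTED_SETTINGS; do
    key=${kv%%=*}; want=${kv#*=}
    f="${PROC_SYS:-/proc/sys}/net/ipv4/conf/$iface/$key"
    if [ -r "$f" ]; then
      cur=$(cat "$f")
    else
      cur="absent"          # interface or sysctl not present on this kernel
    fi
    if [ "$cur" = "$want" ]; then
      echo "$iface $key=$cur ok"
    else
      echo "$iface $key current=$cur wanted=$want MISMATCH"
      rc=1
    fi
  done
  return $rc
}

# Command-line entry point (does nothing when sourced without arguments).
case "${1:-}" in
  gen)   gen_sysctl_conf ;;
  audit) rc=0
         for i in $VLAN_IFACES; do audit_iface "$i" || rc=1; done
         exit $rc ;;
esac
```

Usage: `sh vlan_arp.sh gen > /etc/sysctl.d/60-vlan-arp.conf && sysctl -p /etc/sysctl.d/60-vlan-arp.conf`, then `sh vlan_arp.sh audit` to confirm the live values (the audit exits non-zero on any mismatch, which makes it usable from a config-management check). With arp_ignore=1 on eth0.4, an ARP request for 192.168.100.1 arriving on that VLAN is silently dropped, which is the behaviour the original message was looking for.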
