[Asterisk-Users] Cisco 7940 Reboot

Rich Adamson radamson at routers.com
Mon Dec 12 19:43:01 MST 2005


I think what the OP's managers were suggesting is that it's not all that
difficult to overflow the switch forwarding table, and cause packets to
appear on a vlan where they shouldn't be. The approach has been around for
a while, and the higher quality switches now handle the table overflow
issue in a much more secure way. No compromised layer-3 needed at all,
and it doesn't make any difference if the vlans are defined on a
per-port or other basis.

The lower-end workgroup switches are more likely to be issues in
current products as opposed to the higher-end switches. But, one only
needs to find "a" switch within the layer-2 trunked network.


> I'm not a VLAN expert either, but there's one switch that ties the 
> private vlans into the public vlan, so all you have to do is add a route 
> from your box to the vlan over that switch, effectively hopping you onto 
> the vlan.  Not really sure of the details on it, but that's basically the 
> gist of what I understand (I'm just the voip guy, not the network 
> expert ;).  So we've effectively got the phones and servers isolated 
> into their own vlan.
> 
> Aaron
> 
> Patrick wrote:
>> On Mon, 2005-12-12 at 16:20 -0600, Aaron Daniel wrote:
>>  
>>> We do currently have the Ciscos on their own vlan along with the 
>>> servers, but I'm told vlan hopping is trivial so that's not 
>>> considered secure... considering all you have to do is change a route 
>>> on a box to get to the vlan.
>>>     
>>
>> Far from being the VLAN expert here but isn't it possible to tie a VLAN
>> to physical ports on the switch too? In that case how would adding a
>> route allow you to hop over to the phone's VLAN (realizing this point is
>> moot if the PC & phone share a single network cable instead of each
>> their own)?
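The forwarding-table overflow Rich describes above is visible from the switch side: a port that suddenly has far more learned MAC addresses than the one phone or PC behind it should have. The script below is an added example, not code from anyone in this thread; it parses a constructed `show mac address-table` style dump (the VLAN ids, MAC addresses and port names are invented) and flags any port whose learned-MAC count exceeds a per-port limit, which is the same limit a port-security `maximum` setting would enforce on an access port. The `max_macs` threshold and the sample table are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a Cisco IOS "show mac address-table" dump.
# VLAN ids, MAC addresses and port names are invented for this example;
# Fa0/7 is the port behaving as if something were flooding bogus source MACs.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4456    DYNAMIC     Fa0/2
 100    0011.2233.4457    DYNAMIC     Fa0/3
  10    02aa.0000.0001    DYNAMIC     Fa0/7
  10    02aa.0000.0002    DYNAMIC     Fa0/7
  10    02aa.0000.0003    DYNAMIC     Fa0/7
  10    02aa.0000.0004    DYNAMIC     Fa0/7
  10    02aa.0000.0005    DYNAMIC     Fa0/7
 100    0011.2233.4458    DYNAMIC     Fa0/7
All     0100.0ccc.cccc    STATIC      CPU
"""

# One table row: vlan, dotted-hex MAC, entry type, port. Header/separator lines do not match.
ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+|All)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples, skipping header and separator lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["vlan"], m["mac"].lower(), m["type"].upper(), m["port"]))
    return entries


def macs_per_port(entries, dynamic_only=True):
    """Map port -> set of MAC addresses learned on it (dynamically learned entries by default)."""
    table = defaultdict(set)
    for _vlan, mac, typ, port in entries:
        if dynamic_only and typ != "DYNAMIC":
            continue
        table[port].add(mac)
    return table


def flag_ports(entries, max_macs=2):
    """Return {port: {"macs": count, "vlans": [...]}} for ports with more learned MACs
    than max_macs. max_macs is an assumed limit; on an access port with one phone and one
    PC behind it, a value of 2 is the kind of bound port security would enforce."""
    vlans_on_port = defaultdict(set)
    for vlan, _mac, typ, port in entries:
        if typ == "DYNAMIC":
            vlans_on_port[port].add(vlan)

    flagged = {}
    for port, macs in macs_per_port(entries).items():
        if len(macs) > max_macs:
            flagged[port] = {
                "macs": len(macs),
                "vlans": sorted(vlans_on_port[port], key=int),
            }
    return flagged


if __name__ == "__main__":
    for port, info in flag_ports(parse_mac_table(SAMPLE_MAC_TABLE)).items():
        print(f"{port}: {info['macs']} learned MACs across VLANs {info['vlans']}")
```

Run periodically against a real dump (or the equivalent SNMP bridge-table walk), the same check tells you which port to look at before the table fills; the corresponding mitigation on the switch is a per-port MAC limit so the table cannot be overflowed from one access port in the first place.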

