[Asterisk-Users] Cisco 7940 Reboot

[Kristian Kielhofner]

Patrick wrote:
> On Mon, 2005-12-12 at 16:20 -0600, Aaron Daniel wrote:
> 
>>We do currently have the cisco's on their own vlan along with the 
>>servers, but I'm told vlan hopping is trivial so that's not considered 
>>secure... considering all you have to do is change a route on a box to 
>>get to the vlan.
> 
> 
> Far from being the VLAN expert here but isn't it possible to tie a VLAN
> to physical ports on the switch too? In that case how would adding a
> route allow you to hop over to the phone's VLAN (realizing this point is
> moot if the PC & phone share a single network cable instead of each
> their own)?
> 
> Regards,
> Patrick

Patrick,

	VLANS (IEEE 802.1q) operate at layer two of the OSI model.  I don't see 
how adding a route (layer three) in Linux can hop VLANS (unless you had 
an unsecured router connected to both).

	It depends on how the VLANs are implemented.  With most decent 
switches, you can allow tagging of a particular VLAN and specify a 
"default" VLAN on a per port, per VLAN basis.  This combined with 802.1x 
and other security measures actually makes for some decent security at 
such a low level.

	In a typical network deployment with VoIP, you might specify your 
switch ports to allow native "untagged" VLAN traffic, and assign it to 
VLAN 100 (or whatever).  You would then create a new VLAN (110 or 
something) for VoIP traffic.  You would then configure the switch to 
allow tagged traffic for vlan 110 while making untagged traffic part of 
vlan 100 - the default.

	You would then configure one port to use 110 as the default - and 
connect your Asterisk system to it.  It would magically end up on the 
same network as your phones.

	The problem with this is, someone could connect a Linux box, load 
8021q.ko and use vconfig to get that machine on the VoIP VLAN.  However, 
if people can just bring in random machines and connect them to your 
network, it isn't very secure anyways :).

-- 
Kristian Kielhofner