From: Jonathan Tripathy <jonnyt@abpni.co.uk>
To: John Haxby <john.haxby@oracle.com>
Cc: netfilter@vger.kernel.org
Subject: Re: VLANs
Date: Tue, 11 Jan 2011 10:57:37 +0000
Message-ID: <4D2C37A1.8090906@abpni.co.uk>
In-Reply-To: <4D2C3426.3000202@oracle.com>

> On 10/01/11 22:15, Jonathan Tripathy wrote:
>> If a guest maliciously added a vlan tag, wouldn’t it still remain in
>> the frame, however be "double-tagged" by the outgoing physical port?
>> Even still though, this probably isn't an issue, provided that all
>> upstream switches are configured correctly.
>
> I don't believe that this is an issue. And 802.1ad double tag won't
> be recognised so it will either be dropped by the switch or dropped by
> the outgoing NIC on the bridge. Short of constructing frames by
> hand, though, I'm not sure how you would go about adding an 802.1ad
> vlan tag on top of an 802.1q vlan tag.
>
I wish it wasn't an issue. Many switches allow hosts to vlan hop if the
native vlan of a trunk port is the same as the native vlan of the host.
It's easily prevented though with proper switch configuration.

What ebtables command would I use to prevent *any* tagged frames coming
from a host?
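
Added example, not part of the original message or thread: the check the question asks for, written as a Python classifier that walks stacked 802.1Q/802.1ad tags and rejects any tagged or malformed frame on a guest port. The sample frames are constructed, and the interface name vnet0 in the comment is an assumption.

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q customer tag and 802.1ad service tag.
VLAN_TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad"}

# The same policy as bridge rules, assuming the guest's tap device is vnet0:
#   ebtables -A FORWARD -i vnet0 -p 0x8100 -j DROP
#   ebtables -A FORWARD -i vnet0 -p 0x88a8 -j DROP

def vlan_tags(frame: bytes):
    """Return the stacked VLAN tags of an Ethernet frame as (kind, vid) pairs."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags, offset = [], 12              # EtherType/TPID follows the two MAC addresses
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            return tags                # reached the real payload EtherType
        if len(frame) < offset + 6:    # a tag needs its TCI plus the next EtherType
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((VLAN_TPIDS[ethertype], tci & 0x0FFF))  # low 12 bits are the VID
        offset += 4

def guest_frame_allowed(frame: bytes) -> bool:
    """Untagged guest port policy: any tag (even VID 0) or a malformed frame is dropped."""
    try:
        return not vlan_tags(frame)
    except ValueError:
        return False

# Constructed sample frames: broadcast destination, a locally made-up source MAC,
# an IPv4 EtherType and zero padding. None of these were captured from a network.
_MACS = "ffffffffffff" "525400000001"
SAMPLES = {
    "untagged":        bytes.fromhex(_MACS + "0800") + bytes(46),
    "single_q":        bytes.fromhex(_MACS + "8100000a" "0800") + bytes(46),
    "double_q":        bytes.fromhex(_MACS + "8100000a" "81000014" "0800") + bytes(46),
    "ad_over_q":       bytes.fromhex(_MACS + "88a80064" "8100000a" "0800") + bytes(46),
    "truncated_tag":   bytes.fromhex(_MACS + "8100"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        verdict = "ACCEPT" if guest_frame_allowed(frame) else "DROP"
        print(f"{name:14} {verdict}")
```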