[unisog] Vlan Broked
Marcos.Guerra at br.flextronics.com
Fri Mar 26 20:45:00 GMT 2004
Thanks so much for your support.
From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu]
Sent: Friday, March 26, 2004 5:31 PM
To: Marcos Guerra
Cc: unisog at sans.org
Subject: Re: [unisog] Vlan Broked
On Wed, 24 Mar 2004 08:43:31 -0300, Marcos Guerra <Marcos.Guerra at br.flextronics.com> said:
> I'm projecting a new network infrastructure and I would like to know from
> you if anyone knows a case of broken Vlans?
The biggest *real* danger to a vlan-based infrastructure is a
done by your own NOC-monkeys. The second biggest danger is an unsecured
Note that neither of these are vlan-specific issues.
Things to do:
1) Harden your routers, whether or not you use vlans.
2) Deploy configuration change control for your routers, whether or not you
3) Make sure you design in a way to clean up after your mistakes - it's Really Bad Ju-ju when you down the interface that you're connecting via. I believe Juniper has a really nice "commit" feature, where if you typo and screw the configuration up you can't subsequently issue "commit", the router will automagically reboot old known-good configuration.
</gre_replace>
<gr_insert after="30" cat="add_content" lang="python" orig="All the usual">
The "commit confirmed" behaviour described in item 3 (activate a change, then roll back automatically unless the operator confirms it in time) is easy to model. The following is an added example, not code from the unisog thread or from Juniper; it is a small simulation in which the clock is injected so the timeout can be exercised deterministically, and the class, method and field names (`RouterConfig`, `commit_confirmed`, `check_rollback`, `mgmt_ip`) are assumptions for illustration. The 192.0.2.0/24 addresses are RFC 5737 documentation addresses, constructed for the scenario.

```python
from typing import Callable, Dict, List, Optional


class FakeClock:
    """Manually advanced clock so the rollback timeout can be tested deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class RouterConfig:
    """Minimal model (hypothetical) of a config store with commit / commit-confirmed semantics."""

    def __init__(self, clock: Callable[[], float], initial: Dict[str, str]) -> None:
        self.clock = clock
        self.known_good: Dict[str, str] = dict(initial)  # last confirmed configuration
        self.active: Dict[str, str] = dict(initial)      # what the box is currently running
        self.candidate: Dict[str, str] = dict(initial)   # edits not yet committed
        self.rollback_deadline: Optional[float] = None
        self.log: List[str] = []

    def set(self, key: str, value: str) -> None:
        self.candidate[key] = value

    def commit_confirmed(self, timeout_s: float) -> None:
        """Activate the candidate, but arm a rollback to known_good unless
        commit() confirms the change before the deadline."""
        self.active = dict(self.candidate)
        self.rollback_deadline = self.clock() + timeout_s
        self.log.append(f"commit confirmed, rollback in {timeout_s:g}s")

    def commit(self) -> bool:
        """Confirm the pending change (or do a plain commit when none is pending).
        Returns False when the deadline has already passed: the rollback wins."""
        if self.check_rollback():
            return False
        self.active = dict(self.candidate)
        self.known_good = dict(self.active)
        self.rollback_deadline = None
        self.log.append("commit complete")
        return True

    def check_rollback(self) -> bool:
        """Watchdog hook: revert to the last known-good config if a confirmed commit timed out."""
        if self.rollback_deadline is None or self.clock() < self.rollback_deadline:
            return False
        self.active = dict(self.known_good)
        self.candidate = dict(self.known_good)
        self.rollback_deadline = None
        self.log.append("rollback to last known-good config")
        return True


def change_mgmt_address(operator_confirms: bool, timeout_s: float = 600.0):
    """Scenario: an operator re-addresses the management interface they are
    connected through. If the change cuts them off they cannot confirm,
    so the watchdog restores the previous configuration."""
    clock = FakeClock()
    router = RouterConfig(clock, {"mgmt_ip": "192.0.2.10/24"})  # constructed sample config
    router.set("mgmt_ip", "192.0.2.250/24")
    router.commit_confirmed(timeout_s)
    if operator_confirms:
        clock.advance(30)          # still reachable, confirms within the window
        router.commit()
    else:
        clock.advance(timeout_s)   # session lost; deadline passes with no confirmation
        router.check_rollback()
    return router.active, router.log


if __name__ == "__main__":
    for confirms in (True, False):
        active, log = change_mgmt_address(confirms)
        print(f"operator confirms={confirms}: active={active}, log={log}")
```

The important design point is that the rollback is armed *before* the risky change takes effect and is cancelled only by a positive action from the operator; silence (a lost session) is treated as failure. A real watchdog would call `check_rollback()` from a timer rather than from the scenario function.
<test>
active, log = change_mgmt_address(True)
assert active["mgmt_ip"] == "192.0.2.250/24"
assert log[-1] == "commit complete"

active, log = change_mgmt_address(False)
assert active["mgmt_ip"] == "192.0.2.10/24"
assert log[-1] == "rollback to last known-good config"

clock = FakeClock()
r = RouterConfig(clock, {"a": "1"})
r.set("a", "2")
r.commit_confirmed(10)
assert r.active["a"] == "2"
clock.advance(10)
assert r.commit() is False
assert r.active["a"] == "1"
assert r.candidate["a"] == "1"
assert r.rollback_deadline is None
</test>
</gr_insert>
<gr_replace lines="31" cat="remove_boilerplate" orig="More information">
4) A separate management-net is very nice, especially if you have enough
to run a physically separate net.
In other words, if you're doing a new infrastructure, this is a good time to
All the usual things will help your vlan, and there really isn't much
More information about the unisog