[unisog] Vlan Broked

Marcos Guerra Marcos.Guerra at br.flextronics.com
Fri Mar 26 20:45:00 GMT 2004


Valdis

Thanks so much for your support.

Best regards;

Marcos Guerra

-----Original Message-----
From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu]
Sent: Friday, March 26, 2004 5:31 PM
To: Marcos Guerra
Cc: unisog at sans.org
Subject: Re: [unisog] Vlan Broked 


On Wed, 24 Mar 2004 08:43:31 -0300, Marcos Guerra
<Marcos.Guerra at br.flextronics.com>  said:
> I'm projecting a new network infrastructure and I would like to know from
> you if anyone knows a case of broken Vlans?

The biggest *real* danger to a vlan-based infrastructure is a misconfiguration
done by your own NOC-monkeys. The second biggest danger is an unsecured router.
Note that neither of these are vlan-specific issues.

Things to do:

1) Harden your routers, whether or not you use vlans.

2) Deploy configuration change control for your routers, whether or not you
use vlans.

3) Make sure you design in a way to clean up after your mistakes - it's
Really Bad Ju-ju when you down the interface that you're connecting via.
I believe Juniper has a really nice "commit" feature, where if you typo and
screw the configuration up enough that you can't subsequently issue "commit",
the router will automagically reboot to the old known-good configuration.

4) A separate management-net is very nice, especially if you have enough
pairs to run a physically separate net.

In other words, if you're doing a new infrastructure, this is a good time to
harden it.
All the usual things will help your vlan, and there really isn't much
vlan-specific....
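Point 3 above, the self-reverting commit, in concrete form. This is an added example, not code from the thread or from Juniper: a small Python model of the commit-confirmed pattern, where a change takes effect immediately but is rolled back to the last known-good configuration unless the operator confirms it before a deadline. The `Router` class, its fields, the 300-second window and the interface/ACL values are all constructed for illustration; time is passed in explicitly so the behaviour is deterministic.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Router:
    """Constructed stand-in for a router's configuration store (hypothetical)."""
    active: dict                              # configuration currently in effect
    known_good: Optional[dict] = None         # last configuration that was confirmed
    deadline: Optional[float] = None          # confirm-by time of a pending commit
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.known_good is None:
            self.known_good = dict(self.active)

    def tick(self, now: float) -> bool:
        """Timer check: roll back if a pending commit was never confirmed."""
        if self.deadline is not None and now >= self.deadline:
            self.active = dict(self.known_good)
            self.deadline = None
            self.log.append(f"{now}: deadline passed, rolled back to known-good")
            return True
        return False

    def commit_confirmed(self, candidate: dict, now: float, window_s: int = 300) -> None:
        """Activate candidate now; it is discarded unless confirmed within window_s."""
        self.tick(now)                        # settle any earlier unconfirmed commit
        self.active = dict(candidate)
        self.deadline = now + window_s
        self.log.append(f"{now}: commit confirmed, rollback scheduled at {self.deadline}")

    def confirm(self, now: float) -> bool:
        """Operator is still reachable: make the active config the new known-good."""
        if self.tick(now) or self.deadline is None:
            return False                      # too late, or nothing pending
        self.known_good = dict(self.active)
        self.deadline = None
        self.log.append(f"{now}: confirmed")
        return True


BASELINE = {"ge-0/0/0": "up", "mgmt_acl": "permit 10.0.0.0/8"}   # constructed


def lockout_scenario() -> tuple:
    """Operator shuts the very interface their session rides on and gets cut off."""
    r = Router(active=dict(BASELINE))
    r.commit_confirmed({**BASELINE, "ge-0/0/0": "down"}, now=0)
    rolled_back = r.tick(now=301)             # no confirming commit ever arrived
    return r.active, rolled_back


def good_change_scenario() -> tuple:
    """Harmless ACL tightening, confirmed inside the window, survives the timer."""
    r = Router(active=dict(BASELINE))
    r.commit_confirmed({**BASELINE, "mgmt_acl": "permit 10.1.0.0/16"}, now=0)
    confirmed = r.confirm(now=60)
    return r.active["mgmt_acl"], confirmed, r.tick(now=301)
```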


