07-24-2008 02:08 PM
5412zl - Forbid Command Does Not Function As Expected
We have a set of ports that belong to VLAN 99; L19-L24. We never want devices on these ports to be able to join VLAN 1. Our VLAN configuration is set up as:
vlan 1
name "DEFAULT_VLAN"
forbid D1-D22,L19-L24
untagged A1-A24,B1-B20,B23-B24,C1-C22,C24,E11-E24,J1-J24,K1-K24,L1-L18,Trk1-Trk2,Trk17,Trk20,Trk22,Trk24,Trk26
ip address 172.16.1.2 255.255.0.0
exit
vlan 99
name "DSL_VLAN"
untagged L19-L24
tagged Trk1-Trk2,Trk17,Trk20,Trk22,Trk24,Trk26
no ip address
exit
Note the "forbid" statement in VLAN 1. This should prevent ports L19-L24 from ever joining VLAN 1.
We also had an admin experimenting with 802.1x (which we've pretty much given up on). But we had the following statements left in the configuration:
aaa port-access authenticator L19 auth-vid 1
aaa port-access authenticator L19 unauth-vid 99
aaa port-access authenticator L20 auth-vid 1
aaa port-access authenticator L20 unauth-vid 99
aaa port-access authenticator L21 auth-vid 1
aaa port-access authenticator L21 unauth-vid 99
aaa port-access authenticator L23 auth-vid 1
aaa port-access authenticator L23 unauth-vid 99
aaa port-access authenticator L24 auth-vid 1
aaa port-access authenticator L24 unauth-vid 99
aaa port-access authenticator active
While attempting to troubleshoot a DSL problem I connected a laptop to port 21. This laptop has a certificate to join our domain, but because of the "forbid" statement in the VLAN 1 configuration, I never expected to authenticate to VLAN 1. Yet, connecting to L21, I clearly had access to our entire private LAN.
I spent an hour trying to figure out how I could possibly be connecting to VLAN 1 with that forbid statement.
Finally, I removed the port authenticator statement for port 21 and was no longer a member of VLAN 1 (after disconnecting and reconnecting).
I consider this to be a MAJOR security threat. While the admin who failed to clean up after testing was clearly not completing their job, I would never expect this type of problem with the "forbid" statement configured.
Has anyone else seen this problem?
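An added configuration audit (example code, not from the original post or from HP) that flags exactly the combination described above: a port listed under a VLAN's "forbid" statement while an "aaa port-access authenticator ... auth-vid/unauth-vid" line can still assign it to that VLAN dynamically. The sample config is a constructed excerpt modelled on the post, not the full running config.

```python
import re
from typing import Dict, List, Set

# Constructed excerpt modelled on the config in the post above (not the full running config).
SAMPLE_CONFIG = """\
vlan 1
   forbid D1-D22,L19-L24
   untagged A1-A24,L1-L18,Trk1-Trk2
   exit
vlan 99
   untagged L19-L24
   exit
aaa port-access authenticator L19 auth-vid 1
aaa port-access authenticator L19 unauth-vid 99
aaa port-access authenticator L21 auth-vid 1
aaa port-access authenticator L22 unauth-vid 99
aaa port-access authenticator active
"""

def expand_ports(spec: str) -> Set[str]:
    """Expand a ProCurve port list such as 'D1-D22,L19-L24,Trk1-Trk2' into port names."""
    ports: Set[str] = set()
    for item in spec.split(","):
        item = item.strip()
        m = re.fullmatch(r"([A-Za-z]+)(\d+)-([A-Za-z]+)(\d+)", item)
        if m and m.group(1) == m.group(3):
            ports.update(f"{m.group(1)}{n}" for n in range(int(m.group(2)), int(m.group(4)) + 1))
        elif item:
            ports.add(item)
    return ports

def find_forbid_auth_vid_conflicts(config: str) -> List[str]:
    """Return 'port->vlan N' for each port that is forbidden from VLAN N but has an
    802.1X auth-vid or unauth-vid that can still place it in N dynamically."""
    forbidden: Dict[str, Set[str]] = {}      # vlan id -> ports forbidden from it
    dynamic: List[tuple] = []                 # (port, vlan) from auth-vid / unauth-vid
    current_vlan = None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("vlan "):
            current_vlan = line.split()[1]
        elif line.startswith("forbid ") and current_vlan:
            forbidden.setdefault(current_vlan, set()).update(expand_ports(line[7:]))
        elif line == "exit":
            current_vlan = None
        m = re.fullmatch(r"aaa port-access authenticator (\S+) (?:un)?auth-vid (\d+)", line)
        if m:
            dynamic.append((m.group(1), m.group(2)))
    return sorted(f"{p}->vlan {v}" for p, v in dynamic if p in forbidden.get(v, set()))
```

Run `find_forbid_auth_vid_conflicts(SAMPLE_CONFIG)` against a saved `show running-config` to list every port whose forbid entry a leftover authenticator line would override.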
07-25-2008 02:53 AM
Re: 5412zl - Forbid Command Does Not Function As Expected
As the authenticator command is probably treated as dynamic VLAN assignment, forbid had no effect.
regards,
Pieter
07-25-2008 06:51 AM
Re: 5412zl - Forbid Command Does Not Function As Expected
Please send me all of the sh run print
and I will make a new config for you
(no need for the forbid command).
07-25-2008 02:19 PM
Re: 5412zl - Forbid Command Does Not Function As Expected
Having said that though, I believe with an upcoming K.13.xx release there will be a change to how GVRP/Forbid and 802.1x operate.
07-30-2008 01:48 AM