Cisco Support Community
Community Member

By design or sheer dumb luck? Is configuration necessary in this case?

Hey all, I saw something that stumped me for a moment today and then got me thinking.

A colleague of mine had set up a test lab at work. This was to evaluate a PIX environment, but was nothing too fancy: a couple of host PCs emulating internet-based servers, a PC emulating an internal LAN machine, a machine pretending to be a host in a DMZ, the PIX itself, and a router pointing where necessary between them all.

Now normally, to keep this all segregated for testing purposes, I would VLAN everything up, with a separate VLAN for all the networks involved. Or use separate, dumb switches.

But my partner here takes an unconfigured switch with all ports up and...just plugs everything in. I am aghast, but his reasoning is that, when devices ARP for the MAC of the device they want to speak to, the switch will know what's on each port anyway and will forward it via the appropriate port. Which sort of makes sense... but I can't help but feel that this is too straightforward, and that the law of unintended consequences will take over.

(Oddly enough, I've discovered that this has happened in production, and I'm currently trying to debug some odd traffic that's appearing on a DMZ interface on a PIX. I'm starting to wonder...)

Anyone have any thoughts? Timesaving good idea or lazy shortcut?

Cheers all,

Gar

6 REPLIES
Hall of Fame Super Gold

Re: By design or sheer dumb luck? Is configuration necessary in

Gar

I think that it is a lazy shortcut. When your colleague connected the devices this way things did work as expected. And you probably did not check to see if unexpected things would work - and they would have. If you configure a PC in a certain subnet with a default gateway and you configure other devices in other networks you expect that the PC will forward to its default gateway to get to the other devices. But the way the switch was installed the PC COULD communicate directly with any other device without needing the gateway. Since all devices were effectively in the same VLAN on the switch they were all in the same broadcast domain. In this situation every device would hear the ARP request from every other device. So the PC could have done an ARP directly for some other device, received an ARP response and begun to communicate directly.

There are reasons why we generally put things into VLANs in our network: reducing the broadcast domain being one of them, increasing security is another, and there are a number of other reasons. When you install a switch in the way that you describe you undo those things.

It was a test environment and it worked. But I certainly would not want to see you do it that way in a production environment.

HTH

Rick

Community Member

Re: By design or sheer dumb luck? Is configuration necessary in

Hi Rick,

Thanks for your reply, which, as an aside, is always worth reading: I keep all the old Netcraftsmen PDFs archived and with me for reference and wisdom.

Oddly enough, there's now a situation in production that has me foxed: essentially, a PIX has started seeing traffic ORIGINATING from an inside IP (10.x.x.x) that it's somehow reporting as being in the DMZ, and this 'inside' traffic is trying to get OUT of the DMZ (192.168.168.x) and back into the inside. Odd doesn't begin to describe it.

The PIX is dropping it like a hot potato, so it's doing its job, but I can think of no likely scenario (other than a spoofed IP or misconfigured workstation) where this might even be a possibility. This switch thing though has me worried. Time to investigate!

All the best,

Gar

Re: By design or sheer dumb luck? Is configuration necessary in

How about a misconfigured switch? I would trace the MAC address and make sure the port is on the right VLAN.

Oh, and make sure that nothing is doing proxy-arp, unless you are using it in a very controlled fashion - that can really mess things up.

(BTW, I have always felt that there should be a facility to put an access-list on proxy-arp so that you can control (1) to whom it responds with proxy ARP, and (2) which addresses it will respond on behalf of.)

Kevin Dorrell

Luxembourg

Re: By design or sheer dumb luck? Is configuration necessary in

I wouldn't personally do it, but your hosts are not going to broadcast for the MAC of an IP out of your subnet. So the host will send it to its default gateway, which will send it along. One problem that could present itself is GARP. This could then make your ARP cache get out of sync, and then the next thing you know you are forwarding directly to the host because it sent a gratuitous ARP updating everyone's ARP cache. GARPs are broadcast, and without a VLAN you have one large broadcast domain.

No matter what, lab or production, I would never recommend doing this because it will lead to unexpected results and security holes.

Please rate helpful posts

Thanks

Fred

Re: By design or sheer dumb luck? Is configuration necessary in

Unfortunately, a host might well ARP for an address that is off its subnet, especially if the user is mal-intentioned. Simply set the default gateway equal to the host address, and the host will ARP for everything.

Kevin Dorrell

Luxembourg
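The three failure modes raised in this thread (Rick's point that one flat broadcast domain lets any host ARP directly for any other, Fred's point that a gratuitous ARP can silently rewrite everyone's cache, and Kevin's point that a host may ARP for off-subnet addresses) are all visible in the ARP traffic itself. The script below is an added example, not code from the thread or from Cisco: it runs a few constructed ARP frames, as a monitoring port might capture them, through three checks and reports which frames would merit a look. The segment plan (`SEGMENTS`), the sample frames and the MAC addresses are all made up for the example; the rule names are the author's own.

```python
import ipaddress
from collections import namedtuple

# One ARP frame as seen on a segment. opcode 1 = request, 2 = reply. (Constructed layout.)
ArpFrame = namedtuple("ArpFrame", "segment opcode sender_mac sender_ip target_mac target_ip")

# Constructed segment plan: which IP subnet is supposed to live on which VLAN/segment.
# This is the assumption the checks rely on; adapt it to the real addressing plan.
SEGMENTS = {
    "inside": ipaddress.ip_network("10.0.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.168.0/24"),
}

ZERO_MAC = "00:00:00:00:00:00"


def home_segment(ip):
    """Return the subnet an address is planned to live in, or None if unknown."""
    return next((net for net in SEGMENTS.values() if ip in net), None)


def analyze_arp(frames, known_bindings=None):
    """Run the three checks over frames in order.

    Returns (findings, bindings): findings is a list of (rule, description) tuples,
    bindings is the ip -> mac table a permissive host cache would end up with.
    """
    bindings = dict(known_bindings or {})
    findings = []
    for f in frames:
        s_ip = ipaddress.ip_address(f.sender_ip)
        t_ip = ipaddress.ip_address(f.target_ip)
        seg_net = SEGMENTS.get(f.segment)

        # Rule 1: a sender whose address belongs to another segment is talking here.
        # This is the "inside address showing up on the DMZ" symptom from the thread.
        if seg_net is not None and s_ip not in seg_net:
            findings.append(("foreign-subnet",
                             f"{f.sender_ip} ({f.sender_mac}) seen on '{f.segment}', "
                             f"expected subnet {seg_net}"))

        # Rule 2: a request for a target outside the sender's own subnet. A correctly
        # configured host would send that traffic to its gateway instead of ARPing.
        if f.opcode == 1:
            sender_net = home_segment(s_ip)
            if sender_net is not None and t_ip not in sender_net:
                findings.append(("off-subnet-request",
                                 f"{f.sender_ip} ARPed directly for {f.target_ip}, "
                                 f"outside its subnet {sender_net}"))

        # Rule 3: gratuitous ARP (sender IP == target IP) that changes a binding we
        # already hold. Legitimate after an IP move or failover; otherwise a cache rewrite.
        if f.sender_ip == f.target_ip:
            old_mac = bindings.get(f.sender_ip)
            if old_mac is not None and old_mac != f.sender_mac:
                findings.append(("garp-rebind",
                                 f"gratuitous ARP moved {f.sender_ip} from {old_mac} "
                                 f"to {f.sender_mac}"))

        # Learn the sender pair the way a permissive cache would (requests and replies).
        bindings[f.sender_ip] = f.sender_mac
    return findings, bindings


# Constructed sample capture from a flat (unconfigured) switch.
SAMPLE_FRAMES = [
    # normal: host asks for its gateway, gateway answers
    ArpFrame("inside", 1, "aa:bb:cc:00:00:01", "10.0.1.10", ZERO_MAC, "10.0.1.1"),
    ArpFrame("inside", 2, "aa:bb:cc:00:00:fe", "10.0.1.1", "aa:bb:cc:00:00:01", "10.0.1.10"),
    # host ARPs straight for a DMZ address instead of using the gateway
    ArpFrame("inside", 1, "aa:bb:cc:00:00:01", "10.0.1.10", ZERO_MAC, "192.168.168.5"),
    # someone claims the gateway's IP with a different MAC via gratuitous ARP
    ArpFrame("inside", 1, "aa:bb:cc:00:00:99", "10.0.1.1", ZERO_MAC, "10.0.1.1"),
    # an inside address is seen ARPing on the DMZ segment
    ArpFrame("dmz", 1, "aa:bb:cc:00:00:02", "10.0.1.20", ZERO_MAC, "10.0.1.1"),
]


def run_sample():
    """Analyze the constructed capture; used by the demo below."""
    return analyze_arp(SAMPLE_FRAMES)


if __name__ == "__main__":
    found, table = run_sample()
    for rule, text in found:
        print(f"[{rule}] {text}")
    print("final bindings:", table)
```

Rule 3 will also fire for benign events such as a NIC swap or a VRRP/HSRP failover, so it is a prompt to check the switch's MAC table for that address (as Kevin suggests) rather than a verdict on its own. Rules 1 and 2 only say something useful if `SEGMENTS` reflects the intended VLAN plan; on a deliberately flat lab segment they would flag normal behaviour, which is the point the thread is making.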

Community Member

Re: By design or sheer dumb luck? Is configuration necessary in

Thanks guys for all your thoughts on this. I am thinking switch-related matters at this point in time. Proxy ARP might be an issue as well, I'll investigate.

gar
