GVRP and Network Security, GVRP-inactive Intermediate Switches – Allied Telesis AT-S63 User Manual

Page 637


AT-S63 Management Software Menus Interface User’s Guide

Section VI: VLANs


• PDUs are transmitted only to those switch ports where GVRP is enabled.

GVRP and Network Security

GVRP should be used with caution because it can expose your network to
unauthorized access. GVRP registrations are not authenticated: the switch
accepts any well-formed GVRP PDU that arrives on a GVRP-enabled port. A
network intruder can therefore reach restricted parts of the network by
connecting to a switch port running GVRP and transmitting a bogus GVRP PDU
containing the VIDs of restricted VLANs. GVRP makes the switch port a
dynamic member of those VLANs, which can give the intruder access to
restricted areas of your network.

To protect against this type of network intrusion, consider the following:

• Activating GVRP only on those switch ports that are connected to other
devices that support GVRP (in practice, links to other GVRP-capable
switches). Do not activate GVRP on ports that are connected to
GVRP-inactive devices, such as end stations.

• Converting all dynamic GVRP VLANs and dynamic GVRP ports to static
assignments, and then turning off GVRP on all switches. This preserves the
new VLAN assignments while protecting against network intrusion.
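The following is an added example, not code from the AT-S63 manual or from Allied Telesis. It encodes and decodes GVRP PDUs using the GARP PDU layout from IEEE 802.1D-1998 clause 12 (protocol ID 0x0001, one message with attribute type 1 for VID, attributes of length/event/2-byte VID, 0x00 end marks), and then models what a port does with a bogus PDU under the two safeguards above: a GVRP-inactive port discards it, a GVRP-active port joins the named VLANs, and converting memberships to static and turning GVRP off freezes the result. The port dictionaries, the `restricted_vids` alert and the absence of GARP timers are simplifications of this example, not switch features.

```python
"""Encode, decode and apply a port policy to GVRP PDUs.

Added example (not Allied Telesis code). PDU layout follows IEEE 802.1D-1998
clause 12 (GARP) as used by GVRP in IEEE 802.1Q: protocol ID 0x0001, one
message with attribute type 1 (VID), attributes of (length, event, 2-byte VID),
0x00 end marks for the attribute list and the PDU. The port model is a
simplification: no GARP timers, and the restricted-VID alert is a monitoring
idea, not a switch feature.
"""
import struct

GARP_PROTOCOL_ID = 0x0001
GVRP_ATTR_TYPE_VID = 0x01
GVRP_GROUP_MAC = "01:80:c2:00:00:21"  # destination MAC of GVRP frames (LLC DSAP/SSAP 0x42)

# GARP attribute events
LEAVE_ALL, JOIN_EMPTY, JOIN_IN, LEAVE_EMPTY, LEAVE_IN, EMPTY = range(6)
EVENT_NAMES = ["LeaveAll", "JoinEmpty", "JoinIn", "LeaveEmpty", "LeaveIn", "Empty"]


def build_gvrp_pdu(vids=(), event=JOIN_IN):
    """Encode a GVRP PDU carrying `event` for each VID (LeaveAll carries none)."""
    pdu = struct.pack("!H", GARP_PROTOCOL_ID) + bytes([GVRP_ATTR_TYPE_VID])
    if event == LEAVE_ALL:
        pdu += struct.pack("!BB", 2, LEAVE_ALL)        # length covers itself + event
    else:
        for vid in vids:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VID {vid} out of range")
            pdu += struct.pack("!BBH", 4, event, vid)  # length byte, event, VID
    return pdu + b"\x00\x00"                           # end of attribute list, end of PDU


def parse_gvrp_pdu(pdu):
    """Decode a GVRP PDU into a list of (event, vid); vid is None for LeaveAll."""
    if len(pdu) < 4 or struct.unpack("!H", pdu[:2])[0] != GARP_PROTOCOL_ID:
        raise ValueError("not a GARP PDU")
    attrs = []
    i = 2
    while i < len(pdu) and pdu[i] != 0:                # one message per attribute type
        if pdu[i] != GVRP_ATTR_TYPE_VID:
            raise ValueError(f"unexpected attribute type {pdu[i]}")
        i += 1
        while i < len(pdu) and pdu[i] != 0:            # attributes up to the end mark
            length = pdu[i]
            if length < 2 or i + length > len(pdu):
                raise ValueError("malformed attribute")
            event = pdu[i + 1]
            if event == LEAVE_ALL and length == 2:
                attrs.append((event, None))
            elif JOIN_EMPTY <= event <= EMPTY and length == 4:
                attrs.append((event, struct.unpack("!H", pdu[i + 2:i + 4])[0]))
            else:
                raise ValueError(f"bad event {event} / length {length}")
            i += length
        i += 1                                         # skip attribute-list end mark
    return attrs


def receive_gvrp(port, pdu, restricted_vids=frozenset()):
    """Apply an incoming GVRP PDU to `port` (a constructed dict with keys
    name, gvrp, static, dynamic) and return (member VIDs, alerts)."""
    alerts = []
    if not port["gvrp"]:
        # First safeguard from the manual: a GVRP-inactive port ignores the PDU.
        alerts.append(f"{port['name']}: GVRP PDU discarded, GVRP inactive on port")
        return sorted(port["static"] | port["dynamic"]), alerts
    for event, vid in parse_gvrp_pdu(pdu):
        if event == LEAVE_ALL:
            port["dynamic"].clear()
        elif event in (JOIN_EMPTY, JOIN_IN):
            # This is the exposure: the port joins whatever VIDs the sender names.
            if vid in restricted_vids:
                alerts.append(f"{port['name']}: {EVENT_NAMES[event]} for restricted VID {vid}")
            if vid not in port["static"]:
                port["dynamic"].add(vid)
        elif event in (LEAVE_EMPTY, LEAVE_IN):
            port["dynamic"].discard(vid)
    return sorted(port["static"] | port["dynamic"]), alerts


def convert_to_static(port):
    """Second safeguard: freeze dynamic memberships as static, then turn GVRP off."""
    port["static"] |= port["dynamic"]
    port["dynamic"] = set()
    port["gvrp"] = False
    return sorted(port["static"])


if __name__ == "__main__":
    bogus = build_gvrp_pdu([100])                     # constructed: VLAN 100 is "restricted"
    edge = {"name": "port5", "gvrp": False, "static": {1}, "dynamic": set()}
    trunk = {"name": "port24", "gvrp": True, "static": {1}, "dynamic": set()}
    print(receive_gvrp(edge, bogus, {100}))           # ([1], [...discarded...])
    print(receive_gvrp(trunk, bogus, {100}))          # ([1, 100], [...restricted VID 100])
    print(convert_to_static(trunk), trunk["gvrp"])    # [1, 100] False
```

The same decoder is what you would run over captured frames sent to 01:80:c2:00:00:21 to see which VIDs a device on an access port is trying to register; a join for a VID that port should never carry is the signal the manual warns about.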

GVRP-inactive Intermediate Switches

If two GVRP-active devices are separated by a GVRP-inactive switch, the
GVRP-active devices may not be able to share VLAN information. There
are two issues involved.

The first is whether the intermediate switch forwards the GVRP PDUs that
it receives from the GVRP-active switches. GVRP PDUs are management
frames addressed to a reserved group MAC address and intended for a
switch's CPU. In all likelihood, a GVRP-inactive switch will discard the
PDUs because it does not recognize them.

The second issue is that even if the GVRP-inactive switch forwards GVRP
PDUs, it will not create the VLANs, at least not automatically.
Consequently, even if the GVRP-active switches receive the PDUs and
create the necessary VLANs, the intermediate switch may block the VLAN
traffic, unless you modify its VLANs and port assignments manually.

Generic Attribute Registration Protocol (GARP) Overview

The following is a technical overview of GARP. An understanding of GARP
may prove helpful when you use GVRP.

The purpose of the Generic Attribute Registration Protocol (GARP) is to
provide a generic framework whereby devices in a bridged LAN, for
example end stations and switches, can register and deregister attribute
values, such as VLAN Identifiers, with each other. In doing so, the
attributes are propagated to devices in the bridged LAN, and these
devices form a “reachability” tree that is a subset of an active topology. For
a bridged LAN, the active topology is normally that created and maintained
by the Spanning Tree Protocol (STP).

To use GARP, a GARP application must be defined. The Layer 2 switch
has one GARP application presently implemented, GVRP.