Gvrp and network security, Gvrp-inactive intermediate switches – Allied Telesis AT-S63 User Manual

Page 475


AT-S63 Management Software Menus Interface User’s Guide

Section III: VLANs


❑ You can convert dynamic GVRP VLANs and dynamic GVRP port assignments to static VLANs and static port assignments. The procedure for this is found in ”Modifying a VLAN” on page 447.

❑ The default port setting on the switch for GVRP is active, meaning that the ports participate in GVRP. Allied Telesyn recommends disabling GVRP on those ports that are connected to GVRP-inactive devices, meaning devices that do not feature GVRP.

❑ PDUs are transmitted only to those switch ports where GVRP is enabled.

GVRP and Network Security

Use GVRP with caution because it can expose your network to
unauthorized access. A network intruder can access restricted parts of
the network by connecting to a switch port running GVRP and
transmitting a bogus GVRP PDU containing VIDs of restricted VLANs.
GVRP would make the switch port a member of the VLANs and that
could give the intruder access to restricted areas of your network.

To protect against this type of network intrusion, consider the following:

❑ Activating GVRP only on those switch ports that are connected to other devices that support GVRP. Do not activate GVRP on ports that are connected to GVRP-inactive devices.

❑ Converting all dynamic GVRP VLANs and dynamic GVRP ports to static assignments, and then turning off GVRP on all switches. This preserves the new VLAN assignments while protecting against network intrusion.

GVRP-inactive Intermediate Switches

If two GVRP-active devices are separated by a GVRP-inactive switch, the
GVRP-active devices may not be able to share VLAN information. There
are two issues involved.

The first is whether the intermediate switch forwards the GVRP PDUs
that it receives from the GVRP-active switches. GVRP PDUs are
management frames, intended for a switch’s CPU. In all likelihood, a
GVRP-inactive switch discards the PDUs because it does not recognize
them.

The second issue is that even if the GVRP-inactive switch forwards GVRP
PDUs, it does not create the VLANs, at least not automatically.
Consequently, even if the GVRP-active switches receive the PDUs and
create the necessary VLANs, the intermediate switch may block the
VLAN traffic, unless you modify its VLANs and port assignments
manually.
