[c-nsp] against arp spoofing
Levent Ogut
levent.ogut at gmail.com
Sat May 28 09:40:05 EDT 2005
Hi,
Private VLANs address both the LAN security and the IP address wasting issues.
For more information:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sea/3750scg/swpvlan.htm
Private VLANs have three types of ports:
Promiscuous: (can send and receive traffic from all)
Isolate: (can only send & receive traffic from promiscuous port, has a
complete isolation from other ports in the private-vlan down to Layer
2)
Community: (can send & receive traffic from same community and
promiscuous ports)
As isolate ports have a clear isolation in layer 2, they can not
affect other isolate ports.
You can use isolate ports to terminate customer devices and promiscuous
ports for the gateways of this vlan; you need to protect the gateway
of course.
A limited edition of this feature (Protected-port) is in 3550 switches, but
the drawback is that on these switches pvlan works within the switch.
If you can use the 3750, which supports full private-vlans between switches,
you can have good data-center security.
HTH
On 5/28/05, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Sat, May 28, 2005 at 12:28:19PM +0100, Levent Ogut wrote:
> > You may also implement private-vlans (cisco term)
>
> How do pVLANs protect against IP or ARP spoofing?
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
>
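The port roles described in the message above, as an added Catalyst 3750 configuration example that is not part of the original post. The VLAN IDs (100 primary, 101 isolated) and the interface numbers are assumptions.

```cisco
! Added example: VLAN IDs and interface numbers are assumptions.
! On the 3750, VTP must be in transparent mode before private VLANs are defined.
vtp mode transparent
!
! Secondary VLAN carrying the isolated (customer) ports
vlan 101
 private-vlan isolated
!
! Primary VLAN, associated with the isolated secondary
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Gateway: promiscuous port, reachable from every host port in the pVLAN.
! This is the port the message says still needs protecting.
interface GigabitEthernet1/0/1
 description gateway
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Customer devices: isolated host ports. At Layer 2 they exchange frames
! only with the promiscuous port, so an ARP reply sent by one customer
! is never delivered to another customer's port.
interface GigabitEthernet1/0/2
 description customer-a
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/3
 description customer-b
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Verify with:
!   show vlan private-vlan
!   show interfaces GigabitEthernet1/0/2 switchport
!
! --- Separate switch: Catalyst 3550 using the Protected-port feature ---
! Protected ports do not forward to other protected ports on the same
! switch; the isolation does not extend to other switches.
interface FastEthernet0/2
 description customer-a
 switchport protected
```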