[c-nsp] against arp spoofing

Gert Doering gert at greenie.muc.de
Sat May 28 14:54:38 EDT 2005


Hi,

On Sat, May 28, 2005 at 02:40:05PM +0100, Levent Ogut wrote:
> PrivateVLANs addresses both lan security and ip address wasting issue.
> for more information :
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sea/3750scg/swpvlan.htm

Actually, "private VLAN" per se doesn't give you much regarding
IP and MAC address spoofing.

There are some features in the newer Cisco switches that can achieve
this (by snooping DHCP packets, and permitting only IPs and MACs that
are "permitted by DHCP"), but that's something on top of pVLANs - not
something they bring in by default, and not something that helps you
much if you don't use DHCP for IP assignment.

As for ip address wastage: this is why we have IPv6.  One /64 per L3
LAN segment, and be done with it.  Until then, yes, one VLAN per customer
will burn some more legacy IP space - but IPv4 will run out anyway.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
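The "DHCP snooping plus IP/MAC filtering" layering Gert describes on top of a private VLAN, shown as an added Cisco IOS configuration example (not part of the original post; VLAN 100, the interface names, and the MAC/IP values are assumed/constructed):

```cisco
! Added example, not from the thread. Assumes a Catalyst-style switch with
! customers on VLAN 100 and the DHCP server reachable via the uplink Gi1/0/1.

! 1. Build the binding table by snooping DHCP exchanges on the customer VLAN.
ip dhcp snooping
ip dhcp snooping vlan 100
no ip dhcp snooping information option

! 2. Dynamic ARP Inspection: ARP packets on VLAN 100 are checked against
!    the snooping binding table, so a host cannot claim another host's IP/MAC.
ip arp inspection vlan 100

! 3. Only the uplink toward the DHCP server is trusted for DHCP replies and ARP.
interface GigabitEthernet1/0/1
 description uplink to DHCP server / router
 ip dhcp snooping trust
 ip arp inspection trust

! 4. Customer ports: untrusted by default; IP Source Guard drops IP traffic
!    whose source IP (and MAC) does not match a snooped binding for that port.
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 100
 switchport protected
 ip verify source port-security
 ip arp inspection limit rate 15

! 5. Caveat from the post: hosts with static addresses never appear in the
!    snooping table and would be dropped. They need a static binding entry
!    (constructed values below) or they must use DHCP.
ip source binding 0011.2233.4455 vlan 100 192.0.2.10 interface GigabitEthernet1/0/5
```

Verify the learned and static entries with `show ip dhcp snooping binding` and `show ip source binding`; any customer host missing from both is the one this design will silently cut off.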