[c-nsp] against arp spoofing

Levent Ogut levent.ogut at gmail.com
Sat May 28 16:33:36 EDT 2005


I definitely agree with you it is the best to use one vlan for each customer,
but sometimes existing setups (one vlan for all customers setup) can
not be changed easily,
so in those cases private-vlans are a part of the solution, not a
complete solution,
with some other techniques added it can be a more secure network.

in the case of a data-center designed with one vlan for multiple customers,
a rooted machine can easily spoof ARP and act as a man in the middle, pVLANs
prevent this,
with port security functions (sticky and so on) you can also minimize incidents.

indeed separating broadcast domains per customer will be the best solution,


On 5/28/05, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
> 
> On Sat, May 28, 2005 at 02:40:05PM +0100, Levent Ogut wrote:
> > PrivateVLANs addresses both lan security and ip address wasting issue.
> > for more information :
> > http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sea/3750scg/swpvlan.htm
> 
> Actually, "private VLAN" per se doesn't give you much regarding
> IP and MAC address spoofing.
> 
> There are some features in the newer Cisco switches that can achieve
> this (by snooping DHCP packets, and permitting only IPs and MACs that
> are "permitted by DHCP"), but that's something on top of pVLANs - not
> something they bring in by default, and not something that helps you
> much if you don't use DHCP for IP assignment.
> 
> As for ip address wastage: this is why we have IPv6.  One /64 per L3
> LAN segment, and be done with it.  Until then, yes, one VLAN per customer
> will burn some more legacy IP space - but IPv4 will run out anyway.
> 
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
>
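The layered setup the thread describes (isolated pVLAN host ports plus DHCP snooping, dynamic ARP inspection, IP source guard and sticky port security), written out as an added Cisco IOS configuration example that is not part of the original mails. VLAN numbers, interface names and the static-binding values are assumed; the last section shows the static binding and ARP ACL needed for a host that, as Gert notes, is not assigned its address by DHCP.

```cisco
! Global: learn IP/MAC bindings from DHCP, then enforce them in ARP (DAI)
ip dhcp snooping
ip dhcp snooping vlan 100
ip arp inspection vlan 100
ip arp inspection validate src-mac dst-mac ip
!
! Private VLAN: primary 100 carries the subnet, isolated 101 holds customer ports
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Uplink to the router / DHCP server: promiscuous, trusted for snooping and DAI
interface GigabitEthernet1/0/1
 description uplink to gateway and DHCP server
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
 ip dhcp snooping trust
 ip arp inspection trust
!
! Customer host port: isolated from other customers, one sticky MAC,
! source IP/MAC checked against the snooping table, ARP rate limited
interface GigabitEthernet1/0/10
 description customer host (DHCP-assigned)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip verify source port-security
 ip arp inspection limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Host with a static address (no DHCP lease to learn from): supply the binding
! by hand so IP source guard and DAI still have something to check against.
! MAC and IP below are constructed placeholders.
ip source binding 0011.2233.4455 vlan 100 192.0.2.10 interface GigabitEthernet1/0/11
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.10 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 100
```

Port security, DAI and IP source guard each stop a different piece of the attack (MAC changes, forged ARP replies, forged source IPs), which is why the thread treats pVLANs as one layer rather than the whole answer.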


