You are right. To be protected against IP spoofing you would need a VACL configured as well. >Private VLANs won't help you with ip-spoofing in the same subnet and >hsrp-attacks and not against arp attacks (but these can be prevented >using static arp-entries on the l3-device). > >Matthias