[c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?

Sven 'Darkman' Michels sven at darkman.de
Thu Jan 14 08:15:00 EST 2010



Hi Pavel,

Pavel Skovajsa wrote:
> by suboptimal I meant the fact it is possible (simply by sending to
> ffff.ffff.ffff) to flood the traffic from one isolated access switch
> port through distribution layer, into the rest of the switching fabric
> infra simply due to the fact that all uplink/downlink ports are
> "switchport mode trunks". Obviously the traffic does not get into the
> end-user ports, but still the trunks are utilized -> hence the
> functionality is a little different than the expected "pseudowire"
> functionality.

Ah, okay. But that I try to limit with other features (things like limited
broadcast for a port etc.), so this should not be a big deal, should it?
The main goal is to prevent "local" attacks from one server to another,
like having a compromised host sniffing the rest after flooding the MAC
table, or doing some ARP spoofing... or whatsoever ;)

This should be still the case, even with the trunks, right?

Regards,
Sven
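To make the combination Sven describes concrete (isolated PVLAN host ports, per-port broadcast limiting so a flood to ffff.ffff.ffff cannot saturate the trunk uplinks, and MAC-address limits against CAM-table flooding), here is a Cisco IOS configuration added as an illustration; it is not configuration posted in the thread. VLAN numbers, interface names and the storm-control thresholds are assumed values, and the exact command set differs between platforms.

```cisco
! Constructed example, not from the thread: VLAN ids, interface names and
! thresholds are assumed for illustration.
!
! Primary VLAN 100 carries the isolated secondary VLAN 101.
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! Server-facing port: isolated host, so it can only reach promiscuous
! ports (the gateway), never another server in the same PVLAN.
interface GigabitEthernet1/0/1
 description server-a (isolated PVLAN host)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 ! Cap broadcast/multicast sourced by this port so a ffff.ffff.ffff
 ! flood is dropped at the edge instead of crossing the uplink trunks.
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 ! Limit learned MAC addresses to blunt CAM-table flooding; "restrict"
 ! drops offending frames and raises a counter rather than erroring out.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Gateway-facing promiscuous port.
interface GigabitEthernet1/0/48
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Uplink trunk toward distribution: allow only the primary and secondary
! VLANs in use, and apply storm-control as a second line of defence.
interface TenGigabitEthernet1/0/49
 description uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 100,101
 storm-control broadcast level 5.00
 storm-control multicast level 5.00
```

ARP spoofing between servers is already blocked by the isolated PVLAN itself; Dynamic ARP Inspection is left out here because it needs a DHCP-snooping binding table or per-host ARP ACLs to work on statically addressed servers.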

