Firewall Wizards mailing list archives
Cisco Private VLANs
From: "Zarcone, Christopher" <Christopher.Zarcone () netigy com>
Date: Wed, 6 Dec 2000 07:09:37 -0800
Wizards,

I know there have been a lot of religious-war threads about the use of VLANs as security enforcement technologies. (I know firsthand because I started a few of them :-) Be that as it may, Cisco has recently introduced "Private VLANs" with their Catalyst 6000 series of switches. According to the whitepapers, Private VLANs allow you to "isolate" ports within a VLAN, such that they can only communicate with other designated ports in the VLAN (like the port for your router/default gateway). Supposedly an isolated port cannot communicate with other isolated ports (e.g. one PC can't talk to another PC, even though they're in the same VLAN). Cisco promotes the use of this in provider co-location facilities, primarily for IP address conservation but also for cross-customer security.

It all sounds good in theory, but is anyone aware of any security issues or known vulnerabilities? For example, I know that with some of the other older Catalysts, you could cause frames to jump VLANs (and therefore jump enforcement boundaries) by creating frames with bogus 802.1q headers prepended. I heard Cisco corrected the problem, but it only makes you wonder what other VLAN gremlins might be lurking out there...

TIA,

Christopher Zarcone, CISSP
Senior Consultant
christopher.zarcone () netigy com
Netigy Corporation
www.netigy.com

My opinions do not necessarily represent the opinions of my employer.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
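The "bogus 802.1q headers prepended" pattern the post mentions is easy to spot on the wire: a frame arriving on a host-facing port carrying a stack of VLAN tags. Below is an added example, not from the post or from Cisco, of a small parser that walks the 802.1Q/802.1ad tag stack of a raw Ethernet frame and classifies what a host port should never be sending; the frame bytes and MAC addresses are constructed sample data.

```python
import struct

# Tag protocol identifiers: 802.1Q C-tag and 802.1ad S-tag (QinQ)
VLAN_TPIDS = {0x8100, 0x88A8}


def parse_vlan_tags(frame: bytes):
    """Walk the tag stack of an Ethernet II frame.

    Returns (tags, ethertype): tags is a list of (tpid, pcp, dei, vid)
    tuples, outermost first; ethertype is the payload protocol after
    the last tag. Raises ValueError on a truncated frame.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                      # skip destination + source MAC
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in VLAN_TPIDS:
            return tags, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VID
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4


def classify_host_frame(frame: bytes):
    """Classify a frame seen on a host-facing (access or isolated) port.

    A host on such a port has no reason to send VLAN tags: one tag is
    suspicious, two or more is the stacked-tag (VLAN hopping) pattern
    that a monitoring tap or span port should alert on.
    """
    tags, _ = parse_vlan_tags(frame)
    vids = [t[3] for t in tags]
    if not tags:
        return "untagged", vids
    if len(tags) == 1:
        return "tagged", vids
    return "double-tagged", vids


def build_frame(vids, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Construct a sample frame with the given VLAN tag stack (test data)."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload
```

The same parser can be pointed at frames from a packet capture; whether a single tag is legitimate depends on whether the port is configured as a trunk, which is why the classification stops short of calling one tag an attack.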
Current thread:
- Cisco Private VLANs Zarcone, Christopher (Dec 08)
- RE: Cisco Private VLANs Barry Dykes (Dec 20)