> Blue Boar wrote:
> The Cisco switches at least can be secured against this, if you can
> live with the inconvenience. If you have one machine per port, you
> can configure the switch to learn the first MAC address it sees,
> and then not accept frames from any other address. This means
> that you can't move machines around or change NICs without the
> switch admin resetting the MAC address for the affected ports. It also
> means that you can't chain multiple machines off of any ports
> configured that way, say via a hub.

This comes at an administrative cost that is so high that mistakes are made, and it does not scale.

The better feature set to look at, which has promise in this approach, is PRIVATE VLANs. Here you have a policy which is held at L2. It is described to the switch as policy and not as execution. Both Cisco and Foundry have something similar, and the best way to research would be to Google for it.

The property is held at the VLAN declaration. Ports placed in this VLAN have one of three policies.

Community pvlans
* A port assigned to a community pvlan has full connectivity to all other ports in the same community pvlan.
* Ports that are promiscuous to a community pvlan have full connectivity to all the ports belonging to this community pvlan.
* There can be several community pvlans within a primary pvlan, but there is no direct layer-2 connectivity between ports belonging to different community pvlans.

Isolated pvlan
* A port assigned to the isolated pvlan can only reach the promiscuous ports of the isolated pvlan: there is no direct connectivity possible between two hosts in the isolated pvlan.
* Ports promiscuous to the isolated pvlan have full connectivity to all the ports belonging to the isolated pvlan.
* There is only one isolated pvlan in the primary pvlan (there is no need for several of them).

Promiscuous ports
* Promiscuous ports can talk to each other, even if they are not promiscuous to the same community or isolated pvlans.
* Promiscuous ports have full connectivity to each individual port belonging to the community or isolated pvlan they are promiscuous to.
* Promiscuous ports belong to the primary pvlan and can be promiscuous to several different community or isolated pvlans in this primary pvlan.

Good luck,
--blast
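The three port policies above form a small reachability rule set, and it is easy to get the edge cases wrong when planning a deployment (two isolated hosts cannot see each other; two promiscuous ports always can; a community is invisible to a promiscuous port that is not mapped to it). The following Python model is an added example, not code from the post or from any switch vendor: it encodes the rules exactly as the post states them and computes direct layer-2 reachability for a constructed topology (port names such as web1, dmz1 and gw are invented for illustration). Running it over your own planned port assignments is a cheap way to review a private VLAN design before configuring hardware.

```python
"""Model of private VLAN (pvlan) layer-2 reachability, following the rules
given in the post: community ports, the single isolated pvlan, and
promiscuous ports, all hanging off one primary pvlan.

Added illustrative code, not a vendor implementation.
"""
from dataclasses import dataclass

ISOLATED = "isolated"  # the one isolated secondary pvlan in the primary


@dataclass(frozen=True)
class Port:
    name: str
    role: str                          # "community" | "isolated" | "promiscuous"
    secondary: str = ""                # secondary pvlan a host port sits in
    mappings: frozenset = frozenset()  # secondaries a promiscuous port is mapped to


def community(name: str, comm: str) -> Port:
    """Host port in a named community pvlan."""
    return Port(name, "community", secondary=comm)


def isolated(name: str) -> Port:
    """Host port in the isolated pvlan."""
    return Port(name, "isolated", secondary=ISOLATED)


def promiscuous(name: str, *mapped: str) -> Port:
    """Promiscuous port in the primary pvlan, mapped to the given secondaries
    (use ISOLATED to include the isolated pvlan)."""
    return Port(name, "promiscuous", mappings=frozenset(mapped))


def can_reach(a: Port, b: Port) -> bool:
    """Direct L2 connectivity between two distinct ports of one primary pvlan."""
    if a.role == "promiscuous" and b.role == "promiscuous":
        return True  # promiscuous ports always see each other
    if a.role == "promiscuous":
        return b.secondary in a.mappings  # host reachable only if its secondary is mapped
    if b.role == "promiscuous":
        return a.secondary in b.mappings
    if a.role == "community" and b.role == "community":
        return a.secondary == b.secondary  # same community only
    return False  # isolated<->isolated and isolated<->community: never direct


def reachable_from(port: Port, ports: list) -> list:
    """Sorted names of the other ports this port can reach directly."""
    return sorted(p.name for p in ports if p is not port and can_reach(port, p))


def is_symmetric(ports: list) -> bool:
    """Sanity check: the policy should never yield one-way reachability."""
    return all(can_reach(a, b) == can_reach(b, a)
               for a in ports for b in ports if a is not b)


# Constructed sample topology (names are invented for illustration).
EXAMPLE_PORTS = [
    community("web1", "web"),
    community("web2", "web"),
    community("db1", "db"),
    isolated("dmz1"),
    isolated("dmz2"),
    promiscuous("gw", "web", "db", ISOLATED),  # default gateway, sees everything
    promiscuous("mon", "web"),                 # monitor mapped to the web community only
]


if __name__ == "__main__":
    for p in EXAMPLE_PORTS:
        print(f"{p.name:5} ({p.role:11}) -> {', '.join(reachable_from(p, EXAMPLE_PORTS)) or '-'}")
    print("symmetric:", is_symmetric(EXAMPLE_PORTS))
```

The output shows that dmz1 and dmz2 reach only gw, that db1 cannot reach mon because mon is not mapped to the db community, and that gw and mon reach each other even though their mappings differ; that last row is the one most often overlooked when a promiscuous port is added later for monitoring or backup.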
This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 10:00:55 PST