On Mar 25, 2007, at 10:38 AM, bofh wrote:

> On 3/25/07, Jason Dixon <[EMAIL PROTECTED]> wrote:
>> It works fine if you're using secure VLANs.  But if you have the
>> money for a VLAN-capable switch, you might as well use dedicated
>> interfaces.  But it *can* be done easily and securely.
>
> But isn't the hope then that there's no "leakage" and that you can't
> easily do something like that arp-based thing used to sniff a switch?
> I know, I know, my design at my last company included using vlans this
> way too, but I kept the internal vlans on internal switches, and
> external vlans on external, physically separate, switches[1].

Disabling DTP, which should be done anyways, will prevent VLAN hopping. I'm not sure what "arp-based thing" you're referring to that wasn't fixed 5-6 years ago. Perhaps you're referring to arp spoofing, which has nothing to do with VLANs. Please clarify.

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
