On Mar 25, 2007, at 10:38 AM, bofh wrote:
On 3/25/07, Jason Dixon <[EMAIL PROTECTED]> wrote:
It works fine if you're using secure VLANs. But if you have the
money for a VLAN-capable switch, you might as well use dedicated
interfaces. But it *can* be done easily and securely.
But isn't the hope then that there's no "leakage" and that you can't
easily do something like that arp-based thing used to sniff a switch?
I know, I know, my design at my last company included using vlans this
way too, but I kept the internal vlans on internal switches, and
external vlans on external, physically separate, switches[1].
Disabling DTP, which should be done anyways, will prevent VLAN
hopping. I'm not sure what "arp-based thing" you're referring to
that wasn't fixed 5-6 years ago. Perhaps you're referring to arp
spoofing, which has nothing to do with VLANs. Please clarify.
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
