Re: port protected

From: p729@xxxxxxx
Date: Tue Jun 18 2002 - 22:29:27 GMT-3

<<These clients are supposed to talk to each other, but they are supposed to do it through the router.>>

I don't believe this is how PVLANs were intended to be used. In fact, what you're describing is usually referred to as a possible weakness that should be eliminated with an ACL that filters traffic with the same source and destination network addresses.

Without the ACL, the weakness could be exploited by configuring a client to forward what would normally be local traffic to the router, say by modifying the subnet mask, for example.

Regards,

Mas Kato
https://ecardfile.com/id/mkato
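As an added illustration of the ACL Mas Kato describes (example configuration written for this archive page, not posted by either participant), assuming the VLAN 1 segment is 192.0.2.0/24, the 7100's LAN interface is FastEthernet0/0 with address 192.0.2.1, and standard IOS extended ACL syntax:

```cisco
! Constructed addressing for this example: VLAN 1 is 192.0.2.0/24 and the
! 7100's interface on that VLAN is 192.0.2.1 (both are assumptions).
!
! Hosts on the same subnet never need the router as a hop, so a packet that
! arrives on the LAN interface with BOTH source and destination inside
! 192.0.2.0/24 is a hairpin attempt (e.g. a host with a bogus subnet mask).
! Traffic addressed to the router itself is permitted first, because an
! inbound IOS ACL also filters packets destined for the router.
ip access-list extended NO-SAME-SUBNET-HAIRPIN
 permit ip 192.0.2.0 0.0.0.255 host 192.0.2.1
 deny   ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255 log
 permit ip any any
!
interface FastEthernet0/0
 description VLAN 1 segment (Catalyst 2950 Fa0/1)
 ip address 192.0.2.1 255.255.255.0
 ip access-group NO-SAME-SUBNET-HAIRPIN in
!
```

The `log` keyword on the deny entry is what turns this from a silent drop into something you can watch: any host trying to reach a protected-port neighbour through the router shows up as a logged ACL hit on the 7100, so a misconfigured or tampered client is visible rather than just quietly blocked. Note that the deny also catches directed broadcasts to 192.0.2.255 sent at the router; that is normally harmless because the router is not forwarding them anyway.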
============================================================
From: Erlend Ringstad <erlendri@ringstad.no>
Date: 2002/06/18 Tue AM 04:00:14 EDT
To: <ccielab@groupstudy.com>
Subject: port protected

Greetings.

I'm playing around with the Catalyst 2950/3550 "port protected"
interface command.

My setup:

2 laptops, one 7100 and one Catalyst 2950.

The laptops and the router are in the same VLAN (default VLAN 1).

config:

interface FastEthernet0/1
 description Connected to 7100
!
interface FastEthernet0/2
 description Connected to laptop 1
 port protected
!
interface FastEthernet0/3
 description Connected to laptop 2
 port protected
!

The port protected command will make the port a private VLAN (PVLAN).
In my case that will deny ALL layer 2 (and hence also layer 3) packets
between laptop 1 and laptop 2 (which is what I want to do), even if the
hosts know each other's real MAC address. No communication whatsoever.

Why am I not happy?

These clients are supposed to talk to each other, but they are
supposed to do it through the router.

To do that the router needs some kind of ARP-spoofing/ARP-proxying
mechanism, but not for a different subnet like proxy-arp would help me
with, but for the same subnet.

To clarify:

I want to deny L2 communication between laptop 1 and laptop 2, but
I do want them to be able to talk to each other on L3 via the router
connected to the port.

I believe there is some way to make the router send an ARP response
to every request it gets, whether it knows the target or not.

Help me out guys! (and gals;)

Regards,

Erlend Ringstad



This archive was generated by hypermail 2.1.4 : Tue Jul 02 2002 - 08:12:37 GMT-3