We have a mixture of Cisco 2950 / 2960 switches at our access layer. A recent network penetration test highlighted the need for protection against man-in-the-middle attacks using gratuitous ARP or ARP poisoning.
This can be mitigated by implementing DHCP Snooping and Dynamic ARP Inspection (DAI). However, DAI isn't supported on the 2950.
We have been looking at implementing Private VLANs as a separate piece of work, and I was wondering whether this would provide the same level of protection on a Cisco 2950 without the need for DAI?
Thanks in advance.
Exactly as you suggested, the problems with ARP poisoning are best remedied using Dynamic ARP Inspection. However, the 2950 series does not support it (the 2960 does support it since IOS 12.2(50)SE, if I am not mistaken).
The problem with Private VLANs is that, again, neither the 2950 nor the 2960 supports the full Private VLAN function. They only support what is called Private VLAN Edge, which is basically a "switchport protected" port.
Moreover, I am afraid that even full Private VLAN support would not be helpful here. Private VLANs might prevent one station from polluting the ARP cache of a second station if they are members of an isolated PVLAN or of two different community PVLANs. The problem here is that PVLANs do not protect the routers or other devices connected to unprotected (promiscuous) ports: the spoofed ARP packets from individual stations will flow through such ports without limitation. While an attacking station won't be able to relay the frames to their correct recipient because of the isolation, it will at least be able to cause a denial of service.
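To make the difference between the two approaches concrete, here is an added configuration example (not from the original question or answer). It shows the DHCP Snooping + DAI combination on a 2960 that the answer recommends, beside the "switchport protected" (Private VLAN Edge) setting that is all a 2950 can offer. VLAN 10, the interface names, the 10.0.10.0/24 addressing and the sample static host/MAC binding are assumptions chosen for illustration.

```cisco
! ===== 2960: DHCP Snooping + Dynamic ARP Inspection (assumed access VLAN 10) =====
ip dhcp snooping
ip dhcp snooping vlan 10
! Most access switches do not need the relay-agent Option 82 insertion; it can
! break clients when the upstream relay/server does not expect it.
no ip dhcp snooping information option
!
! DAI validates ARP packets on untrusted ports against the DHCP snooping
! binding table. The extra validations also check the Ethernet header MACs
! and reject bogus/multicast IP addresses in ARP bodies.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Hosts with static IPs have no DHCP binding, so they need an ARP ACL
! (assumed example binding) or they will be dropped by DAI.
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Uplink towards the distribution layer/router: trust both DHCP and ARP here,
! because legitimate server replies and the gateway's ARP come from this side.
interface GigabitEthernet0/1
 description Uplink to distribution (assumed)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User-facing ports stay untrusted (the default). The per-port rate limit
! (15 pps is the default on untrusted ports) err-disables a port that floods
! ARP, which is exactly what a poisoning tool does.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! Let a port that tripped the limit come back by itself instead of needing
! a manual shut/no shut.
errdisable recovery cause arp-inspection
!
! ===== 2950: only Private VLAN Edge is available =====
! "switchport protected" stops protected ports from forwarding to each other,
! so host-to-host ARP poisoning on the same switch is blocked. It does NOT
! protect the unprotected uplink (Gi0/1 here): a spoofed "I am the gateway"
! ARP still reaches the router and other switches, so the gateway's ARP cache
! can still be poisoned and traffic to the victim black-holed.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport protected
```

Useful checks after deploying the 2960 side: `show ip dhcp snooping binding` should list every DHCP client on VLAN 10 (a host missing here will have its ARP dropped), `show ip arp inspection interfaces` confirms which ports are trusted, and `show ip arp inspection statistics vlan 10` shows the dropped/forwarded counters that reveal a poisoning attempt. Note that DAI only inspects ARP that crosses the switch, so a pair of hosts on the same 2950 behind a 2960 are still exposed unless the 2950 ports are also "switchport protected".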