Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1769
Views
0
Helpful
2
Replies

Can private Vlans be used to prevent man in the middle attacks ?

Go to solution
cbeswick
Level 1
Level 1

‎07-29-2009 01:54 AM - edited ‎03-06-2019 06:59 AM

Hi,

We have a mixture of Cisco 2950 / 2960 switches at our access layer. A recent network penetration test highlighted the need for protection against man in the middle attacks using gratuitous arp / or arp poisoning.

This can be circumvented by implementing DHCP Snooping and Dynamic ARP Inspection. However DAI isn't supported on the 2950.

We have been looking at implementing Private VLANs as a separate piece of work and I was wondering if this would perform the same level of protection on a Cisco 2950 without the need for DAI ?

Thanks in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎07-29-2009 02:38 AM

Hello,

Exactly as you suggested, the problems with ARP Poisoning are best remedied using Dynamic ARP Inspection, however, the 2950 series does not support it (the 2960 do support it since IOS 12.2(50)SE if I am not mistaken).

The problem with the Private VLAN is that, again, neither 2950 nor 2960 support the full Private VLAN function. They only support what is called a Private VLAN Edge which is basically a "switchport protected" port.

Moreover, I am afraid that even the full Private VLAN support would not be helpful here. Private VLANs might prevent one station from polluting the ARP cache of a second station if they are members of an isolated PVLAN or in two different community PVLANs. The problem here is that PVLANs do not protect the routers or other devices connected to unprotected (promiscuous) ports. The spoofed ARP packets from individual stations will flow through such ports without limitations. While an attacking station won't be able to resend the frame to its correct recipient because of the isolation, it will be at least able to cause denial-of-service.

Best regards,

Peter

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎07-29-2009 02:38 AM

Hello,

Exactly as you suggested, the problems with ARP Poisoning are best remedied using Dynamic ARP Inspection, however, the 2950 series does not support it (the 2960 do support it since IOS 12.2(50)SE if I am not mistaken).

The problem with the Private VLAN is that, again, neither 2950 nor 2960 support the full Private VLAN function. They only support what is called a Private VLAN Edge which is basically a "switchport protected" port.

Moreover, I am afraid that even the full Private VLAN support would not be helpful here. Private VLANs might prevent one station from polluting the ARP cache of a second station if they are members of an isolated PVLAN or in two different community PVLANs. The problem here is that PVLANs do not protect the routers or other devices connected to unprotected (promiscuous) ports. The spoofed ARP packets from individual stations will flow through such ports without limitations. While an attacking station won't be able to resend the frame to its correct recipient because of the isolation, it will be at least able to cause denial-of-service.

Best regards,

Peter

0 Helpful

Go to solution
cbeswick
Level 1
Level 1
In response to Peter Paluch

‎07-29-2009 03:05 AM

Many thanks for your response.

It looks like its going to be an upgrade on the existing 2960's, and raise it as a known risk on the 2950s.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card