Anyone using the Cisco Edge (Protected) PVLAN port feature? I am considering deploying a managed backup network using protected ports.
I am wondering if anyone has used this before and what their experiences are?
The basic design idea is one core switch, several access switches. One VLAN and one IP subnet. A backup server connects to the core switch, customer backup clients connect to the access switches. All customer-facing ports on the access switches are put into protected mode, as are the uplinks from the core switch to the access switches. In some basic testing I did, this effectively prevents any two customer backup clients from talking to each other, either on the same switch or on different switches. I was able to get from any customer server to the managed backup server, and the MBU server could hit every client.
The MBU server will not be doing any routing, and we control all switches and the MBU server (most of the clients as well) so there will not be any routers on this VLAN. I can think of some possible attack scenarios where the MBU server is doing a data restore (server -> client) and a malicious client either ARP poisons the MBU server or poisons the CAM table on the switch.
But really my main question is, is anyone actually using protected ports in a medium scale (250 stations) environment?
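As an added illustration (not from the original post), this is how the design described above maps onto Cisco IOS configuration, with port security and Dynamic ARP Inspection layered on to address the CAM-table and ARP-poisoning scenarios the post raises. Interface numbers, VLAN 100, the 10.0.100.0/24 subnet and the MAC address are assumed placeholders.

```ios
! ---- Access switch (one of several) ----
! Customer backup clients: protected so no client can reach another
! client on this switch, one MAC per port to blunt CAM-table flooding,
! and ARP from these ports is validated by DAI (untrusted by default).
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 100
 switchport protected
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink to the core: left unprotected here, since it is the only path
! from a client to the MBU server. Trusted for DAI because the only
! legitimate ARP source behind it is the MBU server.
interface GigabitEthernet1/0/25
 switchport mode access
 switchport access vlan 100
 ip arp inspection trust
!
! DAI on the backup VLAN. With static addressing there is no DHCP
! snooping database, so each client's IP/MAC pair is pinned with a
! static binding; one placeholder entry is shown, repeat per client.
ip arp inspection vlan 100
ip source binding 0011.2233.4455 vlan 100 10.0.100.21 interface GigabitEthernet1/0/1
!
! ---- Core switch ----
! Every access-switch uplink is protected, so a frame arriving on one
! uplink is never forwarded out another uplink (client-to-client across
! switches is blocked). The MBU server port is the only unprotected
! port on the VLAN, so it is the only destination clients can reach.
interface range GigabitEthernet1/0/1 - 8
 description Uplinks to access switches
 switchport mode access
 switchport access vlan 100
 switchport protected
!
interface GigabitEthernet1/0/48
 description MBU server (static IP, no routing)
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 1
```

Protected ports only isolate ports on the same switch, which is why the isolation across switches in this design rests entirely on the core's uplink ports being protected while the server port is not; the static bindings are what let DAI drop a client ARP reply that claims the MBU server's address.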