Anyone using the Cisco Edge (Protected) PVLAN port feature?
I am considering deploying a managed backup network using protected ports.
I am wondering if anyone has used this before and what their experiences are?
The basic design idea is one core switch, several access switches. One VLAN and one IP subnet. A backup server connects to the core switch, customer backup clients connect to the access switches. All customer-facing ports on the access switches are put into protected mode, as are the uplinks from the core switch to the access switches. In some basic testing I did, this effectively prevents any two customer backup clients from talking to each other, either on the same switch or on different switches. I was able to get from any customer server to the managed backup server, and the MBU server could hit every client.
The MBU server will not be doing any routing, and we control all switches and the MBU server (most of the clients as well) so there will not be any routers on this VLAN. I can think of some possible attack scenarios where the MBU server is doing a data restore (server -> client) and a malicious client either ARP poisons the MBU server or poisons the CAM table on the switch.
But really my main question is, is anyone actually using protected ports in a medium scale (250 stations) environment?
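A small Python model of the forwarding rule the post tests, added here as an example (it is not part of the original post; the switch names, port names and hosts are constructed): a frame entering a protected port is never forwarded out another protected port of the same switch, and the rule is purely local to each switch, which is why the core-side uplinks have to be protected as well. The model also includes the variant where the core uplinks are left unprotected, to show cross-switch client traffic reappearing.

```python
"""Model of Cisco 'switchport protected' forwarding in a two-tier design.

Rule (per switch, local only): a frame arriving on a protected port is
never forwarded out another protected port of the SAME switch; any
forwarding involving an unprotected port is allowed.
Topology, port names and hosts below are constructed for this example.
"""
from itertools import product

# switch -> {port: protected?}
SWITCHES = {
    "core":    {"gi1/1": False,   # MBU server port
                "gi1/2": True,    # uplink to access1 (protected on core side)
                "gi1/3": True},   # uplink to access2
    "access1": {"gi0/1": True, "gi0/2": True,   # customer client ports
                "gi0/24": False},               # uplink to core
    "access2": {"gi0/1": True, "gi0/2": True,
                "gi0/24": False},
}
# inter-switch links, stored in both directions: (switch, port) <-> (switch, port)
LINKS = {("core", "gi1/2"): ("access1", "gi0/24"),
         ("core", "gi1/3"): ("access2", "gi0/24")}
LINKS.update({v: k for k, v in LINKS.items()})
# host -> (switch, port) it is attached to
HOSTS = {"mbu": ("core", "gi1/1"),
         "c1a": ("access1", "gi0/1"), "c1b": ("access1", "gi0/2"),
         "c2a": ("access2", "gi0/1"), "c2b": ("access2", "gi0/2")}

def can_reach(src, dst, switches=SWITCHES):
    """Walk the switches hop by hop, applying the protected-port rule at
    each one; True if a unicast frame from src can be delivered to dst."""
    dst_sw, dst_port = HOSTS[dst]
    stack, seen = [HOSTS[src]], set()
    while stack:
        sw, in_port = stack.pop()
        if (sw, in_port) in seen:
            continue
        seen.add((sw, in_port))
        ports = switches[sw]
        for out_port in ports:
            if out_port == in_port or (ports[in_port] and ports[out_port]):
                continue  # same port, or protected -> protected: dropped
            if (sw, out_port) == (dst_sw, dst_port):
                return True
            if (sw, out_port) in LINKS:       # cross an uplink to the next switch
                stack.append(LINKS[(sw, out_port)])
    return False

def reachability(switches=SWITCHES):
    """Full matrix {(src, dst): bool} over every ordered pair of hosts."""
    return {(s, d): can_reach(s, d, switches)
            for s, d in product(HOSTS, HOSTS) if s != d}

def unprotected_core_uplinks():
    """Variant topology: core-side uplinks left unprotected (the mistake the
    post's design avoids); clients on different access switches can then talk."""
    variant = {sw: dict(p) for sw, p in SWITCHES.items()}
    variant["core"]["gi1/2"] = variant["core"]["gi1/3"] = False
    return variant
```

The model covers L2 forwarding only: protected ports do not inspect ARP, so the ARP poisoning concern raised in the post is addressed by features such as DHCP snooping with Dynamic ARP Inspection and port security rather than by protected ports themselves.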