Cisco Support Community

6500 Series and Security--w/Secure & Non-secure segments

Hi All,

This deals with placing both a secure and non-secure IP segment on a Catalyst 6500 series switch.

From the backbone to the 6500 an IP address of 1.1.1.x (Private space). Firewall from there to 10.10.10.y (Public space). Firewall comes from 6500 back to same 6500.

Security requirements:

The management will only be on the 10.10.10.y network. Turn off layer 2 functionality on the switch to stop ARP poisoning.

In order to meet these requirements and to understand if I can place both a secure and non-secure segment on the same 6500 Cat switch, the following configuration is needed:

1.) Connectivity from the internal backbone on the 1.1.1.x segment which is the private company space, to the management module card. If the switch can be compromised at the management level, security is an issue. Can I make the management module card only accessible on the 10.10.10.y segment, which is the public (non-routable) segment and behind the firewall on this same Cat 6500 series switch? And how?

2.) As all switches are vulnerable to ARP poisoning, layer 2 functionality would have to be turned off, so as not to be able to get to the secure segment of the switch (10.10.10.y) from the non-secure segment (1.1.1.x), without firewall pass through. VLANs are not considered secure (www.securityfocus.com). Can I turn off this functionality for these reasons? And how?

Thank you up front for all of this help.

Wayne

1 REPLY

Re: 6500 Series and Security--w/Secure & Non-secure segments

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.
