There are ways and tools available to do ARP spoofing and basically jam up the CAM table of the switch. I'm not sure offhand how susceptible the 5500 is to this kind of attack though. You're probably aware of this though.
The Cat 6000 series has Private VLANs which let you have Isolated or Community VLANs within a VLAN. This is pretty cool because the main VLAN could be your DMZ IP subnet and you can have sub-VLANs in the same IP subnet and keep the traffic separate and control what port traffic comes in/out on. Devices in an isolated VLAN can only send/receive traffic to the port mapped to that Isolated VLAN and not with other devices in the same isolated VLAN. Devices in a community VLAN can send/receive traffic to the port mapped to that Community VLAN and also the other devices in the same Community VLAN. Also, Private VLANs are local to the switch and you can't trunk them between switches.

--- Mike Shaw <[EMAIL PROTECTED]> wrote:
> There are definitely textbook reasons (secondary compromise issues, etc), but does anyone know of a specific technical reason why using a VLAN for a DMZ segment is a bad idea (cisco 5500 switch)?
>
> The VLAN would have no telnet interface living on it, and no level 3 switching/routing going to/from it. It'd be just an isolated segment. The only thing I could think of would be that someone could spoof the frame-tagging or something.
>
> Any input is appreciated.
>
> -Mike
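The private-VLAN layout described in the reply above (one DMZ subnet as the primary VLAN, an isolated and a community secondary VLAN inside it, and a single port that everything is allowed to talk to), written out as an added configuration example. It is not from the original post or from either poster. It assumes Cisco IOS private-VLAN syntax on a Catalyst switch (the CatOS that the 6000 series ran at the time used `set pvlan` commands instead); the VLAN numbers, the 192.0.2.0/24 subnet and the interface names are made up.

```cisco
! Added example (not from the original post): private VLANs on a Catalyst
! running IOS. Assumed numbers: primary VLAN 100 = DMZ subnet 192.0.2.0/24,
! isolated secondary VLAN 101, community secondary VLAN 102.
! Interface names are made up.
!
! Older IOS only accepts private-VLAN configuration with VTP in
! transparent mode (VTP v1/v2 do not carry private VLANs).
vtp mode transparent
!
vlan 101
 private-vlan isolated
!
vlan 102
 private-vlan community
!
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Isolated hosts: may only exchange frames with the promiscuous port,
! never with each other (e.g. public web servers that have no reason
! to talk to one another).
interface range GigabitEthernet1/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community hosts: may talk to each other and to the promiscuous port,
! but not to the isolated hosts.
interface range GigabitEthernet1/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port: the DMZ firewall/router. It is mapped to both
! secondary VLANs, so every host can reach it and it can reach every host.
interface GigabitEthernet1/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
```

All six host ports sit in the same 192.0.2.0/24 subnet and use the firewall on Gi1/24 as their gateway; the switch enforces who may exchange frames with whom at layer 2, with no subnetting changes. `show vlan private-vlan` lists the primary/secondary pairs and the ports bound to each, and `show interfaces GigabitEthernet1/1 switchport` confirms a port's operational mode and association. One caveat to keep in mind: the isolation is layer 2 only. If a host sends a packet to the gateway's MAC address but to a neighbouring host's IP, a router on the promiscuous port will forward it straight back into the VLAN, so the gateway needs an ACL (and proxy ARP disabled) if the hosts are not supposed to reach each other through it either.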