[c-nsp] against arp spoofing
Gert Doering
gert at greenie.muc.de
Sat May 28 05:11:37 EDT 2005
Hi,

On Fri, May 27, 2005 at 05:56:05PM -0700, Monty Ree wrote:
> What do you do against arp spoofing? port security?

We put each customer into their own layer 3 network segment (implemented
by VLANs). Egress of that network is filtered by unicast RPF.

With this setup, the customers can spoof ARP and IP to their heart's
content, and all they can do is harm themselves, but not other customers.

Putting multiple different parties in a shared L2 network is asking
for trouble.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
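
The design described in the message above, modelled as an added example that is not part of the original post: a strict unicast RPF check applied on per-customer VLAN interfaces, showing that a spoofed source address is dropped at the customer's own ingress interface. The interface names, prefixes and packets are constructed for illustration.

```python
import ipaddress

# Constructed routing table: one /29 per customer, each on its own VLAN interface.
ROUTES = [
    ("192.0.2.0/29", "Vlan101"),   # customer A
    ("192.0.2.8/29", "Vlan102"),   # customer B
    ("0.0.0.0/0", "Uplink0"),      # default route towards the Internet
]
TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]


def best_route_interface(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifc) for net, ifc in TABLE if ip in net]
    return max(matches)[1] if matches else None


def strict_urpf_accepts(in_interface, src):
    """Strict uRPF: accept only if the route back to src uses the ingress interface."""
    return best_route_interface(src) == in_interface


def filter_packets(packets):
    """Return the (interface, source) pairs that survive the uRPF check."""
    return [(ifc, src) for ifc, src in packets if strict_urpf_accepts(ifc, src)]


# Constructed packets as seen on ingress: (interface, source IP).
SAMPLE = [
    ("Vlan101", "192.0.2.2"),     # customer A using its own address
    ("Vlan101", "192.0.2.10"),    # customer A claiming customer B's address
    ("Vlan101", "198.51.100.7"),  # customer A claiming an outside address
    ("Vlan102", "192.0.2.10"),    # customer B using its own address
]

if __name__ == "__main__":
    for ifc, src in SAMPLE:
        verdict = "accept" if strict_urpf_accepts(ifc, src) else "drop"
        print(f"{ifc:8} src={src:14} {verdict}")
```

ARP is not modelled here: it never leaves the broadcast domain, so with one VLAN per customer a forged ARP reply reaches only that customer's own hosts.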