[c-nsp] against arp spoofing

Tantsura, Jeff jtantsura at ugceurope.com
Mon May 30 03:53:22 EDT 2005


Matt,

This chapter describes how to configure the unknown unicast flood blocking
(UUFB) feature on the Cisco 7600 series routers.

http://www.cisco.com/en/US/partner/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080435cd8.html

--
Jeff Tantsura  CCIE# 11416
Senior IP Network Engineer

-----Original Message-----
From: Matt Buford [mailto:matt at overloaded.net] 
Sent: 30 May 2005 05:05
To: Levent Ogut; Gert Doering
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] against arp spoofing

Levent Ogut wrote:
> I definitely agree with you it is the best to use one vlan for each 
> customer,
> but sometimes existing setups (one vlan for all customers setup) can
> not be changed easily,
> so in those cases private-vlans are a part of the solution, not a
> complete solution,
> with some other techniques added it can be a more secure network.
>
> in the case of a data-center designed with one vlan for multiple 
> customers,
> a rooted machine easily spoofs arp and acts as a man in the middle, pvlans
> prevent this,
> with port security functions (sticky and so on) you can also minimize 
> incidents.

This can also be an issue of scaling.  VLAN per customer doesn't scale very
well on the 6500 platform.  It also creates relatively more complex 
allocation issues.  Admittedly these should be automated either way, but it 
is still more complex to automate vlan-per-customer setups.  With private 
vlans, it is nothing but grab IPs (which need not be subnet sized) for the 
server then do a port VLAN setting.

While private vlans aren't perfect, it is a nice compromise and it allows me 
to scale a single pair of sup720's much higher by avoiding the limitations 
on number of VLANs, as well as limitations on the number of spanning tree 
ports per slot that are relatively low.  I've been hoping Cisco will make a 
few small changes to make it even more effective, but so far I haven't had 
much luck.  It seems to suit my needs fairly well though.

Private vlans (with local proxy arp) provide good protection against 
broadcast traffic.  It also provides good protection against IP conflicts 
against the default gateways.  It provides moderate mitigation of IP 
conflicts between customers, and provides no protection against use of 
non-allocated IPs.  It also provides no help against unknown unicast 
flooding.

If Cisco would provide some method for me to put in static ARP entries (the 
current method can not handle tens of thousands of static ARPs in the 
config), I would put all customer addresses in there with their MACs and be 
fully protected against IP conflicts.  I would also use port security to 
lock down MACs per port and protect against unknown unicast flooding. 
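The following is an added illustration, not configuration from Jeff, Matt or anyone on the list, showing how the pieces discussed in this thread fit together on a single Catalyst 6500/7600 host port in native IOS: an isolated private VLAN with local proxy ARP on the SVI (so customers on the shared VLAN can only reach each other through the gateway), sticky port security limiting the port to one learned MAC, a static ARP entry for a customer address, and unknown unicast flood blocking on the port. VLAN numbers, the 192.0.2.0/24 addresses, the interface name and the MAC address are made-up placeholders; the command syntax is what I recall for this platform and should be checked against the configuration guide Jeff linked above.

```text
! Primary VLAN shared by all customers, with one isolated secondary VLAN
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated

! Gateway SVI: local proxy ARP makes the router answer ARP on behalf of
! hosts in the isolated VLAN, so customer-to-customer traffic goes via L3
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ip local-proxy-arp
 private-vlan mapping 101

! Static ARP for one customer server (placeholder IP and MAC); this is the
! per-entry method Matt describes as not scaling to tens of thousands of hosts
arp 192.0.2.10 0000.0c12.3456 ARPA

! Customer-facing host port
interface GigabitEthernet1/1
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 ! Sticky port security: learn and keep a single MAC on this port, drop
 ! frames from any other source MAC
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ! Unknown unicast flood blocking (UUFB): do not flood unknown-destination
 ! unicast frames out of this port
 switchport block unicast
```

As Matt's post notes, the private VLAN plus local proxy ARP covers broadcast traffic and gateway IP conflicts, port security covers MAC-level issues on the port, and the per-host static ARP entry is what would be needed to fully pin IP-to-MAC bindings; each of these is independent, so a site can apply the subset that fits its existing VLAN layout.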
