[c-nsp] ARP on ASR9k 4.3.2

Gert Doering gert at greenie.muc.de
Thu Jan 16 12:50:41 EST 2014


Hi,

On Thu, Jan 16, 2014 at 06:32:04PM +0100, Florian Lohoff wrote:
> > We thought so too.  We opened a case - Cisco DDTS CSCty06696 was the
> > result.  Cisco did not agree that this was faulty behavior: they insisted
> > that it was correct.  The DDTS and SMU are for an option to disable the
> > ability to learn out of subnet ARPs.  Under the interface you can configure
> > "arp learning local" to block out-of-subnet ARPs.
> 
> It is completely broken by design - a blind person at the age of 85
> would see this.

If he had any idea what this "networking" stuff was all about.

Some of the more recent surprises coming from Cisco make me doubt these
coders have ever seen a live network or read an RFC document.  *sigh*

(*Bugs* can happen, but insisting that stupidity is "expected behaviour"
and then undergoing the expense to have an off-by-default(!) "make it less
braindead" switch added to it is really amazing)

[..]
> *ROFL* - Sending out gratuitous ARP on a peering exchange LAN can
> blackhole traffic for others - IMHO that's an easy DoS vector - how could
> that be "fairly"?

"fairly effective"...  "fairly nasty"...  dunno.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
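To make the two behaviours discussed in this thread concrete (learning ARP entries from out-of-subnet senders versus the "arp learning local" restriction, and a gratuitous ARP on a peering LAN claiming another peer's address), here is an added example that models the learning decision and runs a small audit over constructed ARP records; it is not code from the thread or from Cisco, and the prefix, MACs and peer table are made-up values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class ArpPacket:
    """Minimal ARP view: opcode 1 = request, 2 = reply. Constructed records, not captures."""
    opcode: int
    sender_mac: str
    sender_ip: str
    target_ip: str

def is_gratuitous(pkt: ArpPacket) -> bool:
    # A gratuitous ARP announces the sender's own address: sender IP == target IP.
    return pkt.sender_ip == pkt.target_ip

def should_learn(pkt: ArpPacket, iface_prefix: str, local_only: bool) -> Tuple[bool, str]:
    """Model the learning decision the thread describes.
    local_only=False: the default behaviour complained about, any sender IP is learned.
    local_only=True: the 'arp learning local' behaviour, only in-subnet senders are learned."""
    in_subnet = IPv4Address(pkt.sender_ip) in IPv4Network(iface_prefix, strict=False)
    if in_subnet:
        return True, "sender in subnet"
    if local_only:
        return False, "out-of-subnet sender dropped (arp learning local)"
    return True, "out-of-subnet sender learned (default)"

def audit(packets: List[ArpPacket], iface_prefix: str, local_only: bool,
          known_peers: Optional[Dict[str, str]] = None) -> List[Tuple[int, str]]:
    """Return (index, reason) for packets worth alerting on: any out-of-subnet sender,
    and any gratuitous ARP for a known peer's IP that arrives from a different MAC."""
    alerts = []
    for i, pkt in enumerate(packets):
        _, reason = should_learn(pkt, iface_prefix, local_only)
        if "out-of-subnet" in reason:
            alerts.append((i, f"{reason}: {pkt.sender_ip} via {pkt.sender_mac}"))
        if is_gratuitous(pkt) and known_peers and pkt.sender_ip in known_peers \
                and known_peers[pkt.sender_ip] != pkt.sender_mac:
            alerts.append((i, f"gratuitous ARP for peer {pkt.sender_ip} from unexpected MAC {pkt.sender_mac}"))
    return alerts

# Constructed sample data (TEST-NET-1 prefix and documentation MACs, not real peers).
PEERING_PREFIX = "192.0.2.0/24"
KNOWN_PEERS = {"192.0.2.20": "00:00:5e:00:53:20"}
SAMPLE = [
    ArpPacket(1, "00:00:5e:00:53:10", "192.0.2.10", "192.0.2.1"),      # normal in-subnet request
    ArpPacket(2, "00:00:5e:00:53:aa", "198.51.100.7", "192.0.2.1"),    # reply from outside the LAN prefix
    ArpPacket(2, "00:00:5e:00:53:bb", "192.0.2.20", "192.0.2.20"),     # gratuitous ARP claiming a peer's IP
]

if __name__ == "__main__":
    for idx, why in audit(SAMPLE, PEERING_PREFIX, local_only=True, known_peers=KNOWN_PEERS):
        print(f"packet {idx}: {why}")
```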