[nsp] ARP filtering
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Mon Jul 12 11:40:00 EDT 2004
>
> We limit customers in shared VLANs by filtering IP addresses on the
> switch. ie.
>
> ip access-list ex CUST_EXAMPLE
> permit ip 192.168.0.0 0.0.0.31 any
> deny ip any any
>
> However, it's my understanding that this will still allow ARP replies
> from outside the specified IP range, that will populate the MAC
> address tables in the switch and the end-station/router. For ingress
> ACLs this could result in traffic being sent to the rogue machine
> (but never being allowed back), or, in the case of ingress and egress
> ACLs, in all traffic being dropped.
>
> Is there any way to stop this happening?
I don't think there is a way of filtering legitimate ARP replies. But why
are you allowing "rogue" machines on the LAN if you don't want them to
communicate?
oli
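The question above turns on a point worth seeing concretely: an IP access list such as CUST_EXAMPLE is only consulted for IPv4 packets, so an ARP reply (EtherType 0x0806, no IP header) is never evaluated by it and its sender address is never compared with the permitted range. The following Python model is an added example, not code from the thread or from Cisco; it models the wildcard-mask source match of the quoted ACL, runs it over constructed sample frames, and separately shows the check a filter would have to make on the ARP sender protocol address to notice a reply claiming an address outside the customer's range. The frame contents and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from the thread. The frames below are constructed
# sample data; the ACL model is the usual IOS wildcard-mask source match.

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# From the quoted "permit ip 192.168.0.0 0.0.0.31": hosts .0 through .31
PERMIT_NET = "192.168.0.0"
PERMIT_WILDCARD = "0.0.0.31"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


@dataclass(frozen=True)
class Frame:
    desc: str
    ethertype: int
    src_ip: str  # IPv4 source address, or ARP sender protocol address (SPA)


def ip_acl_verdict(frame: Frame) -> str:
    """What the CUST_EXAMPLE IP ACL does with a frame.

    Only IPv4 packets are evaluated; ARP carries no IP header, so the ACL
    is never consulted and the reply reaches the MAC/ARP tables untouched.
    """
    if frame.ethertype != ETHERTYPE_IPV4:
        return "not-evaluated"
    if wildcard_match(frame.src_ip, PERMIT_NET, PERMIT_WILDCARD):
        return "permit"
    return "deny"  # the trailing "deny ip any any"


def arp_sender_outside_range(frame: Frame) -> bool:
    """The check an IP ACL cannot make: does an ARP reply claim a sender
    address outside the customer's permitted range? True means worth flagging."""
    if frame.ethertype != ETHERTYPE_ARP:
        return False
    return not wildcard_match(frame.src_ip, PERMIT_NET, PERMIT_WILDCARD)


# Constructed sample traffic on the shared VLAN (hypothetical addresses).
SAMPLE_FRAMES = [
    Frame("customer IPv4 packet", ETHERTYPE_IPV4, "192.168.0.5"),
    Frame("IPv4 packet from outside the range", ETHERTYPE_IPV4, "192.168.0.40"),
    Frame("ARP reply, sender inside range", ETHERTYPE_ARP, "192.168.0.7"),
    Frame("ARP reply, sender outside range", ETHERTYPE_ARP, "192.168.0.200"),
    Frame("ARP reply, sender on another net", ETHERTYPE_ARP, "10.0.0.1"),
]


def audit(frames):
    """Return (description, ACL verdict, flagged ARP sender) for each frame."""
    return [(f.desc, ip_acl_verdict(f), arp_sender_outside_range(f)) for f in frames]


if __name__ == "__main__":
    for desc, verdict, flagged in audit(SAMPLE_FRAMES):
        print(f"{desc:38s} acl={verdict:14s} arp_sender_out_of_range={flagged}")
```

Running it shows the two IPv4 frames getting a permit and a deny while all three ARP replies come back "not-evaluated"; only the separate sender-address check distinguishes the replies from outside the range, which is exactly the gap the question describes.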