[nsp] ARP filtering

Sam Stickland sam_ml at spacething.org
Mon Jul 12 11:50:43 EDT 2004


On Mon, 12 Jul 2004, Oliver Boehmer (oboehmer) wrote:

> 
> > 
> > We limit customers in shared VLANs by filtering IP addresses on the
> > switch, i.e.
> > 
> > ip access-list extended CUST_EXAMPLE
> >   remark customer's assigned block, 192.168.0.0/27
> >   permit ip 192.168.0.0 0.0.0.31 any
> >   deny ip any any
> > 
> > However, it's my understanding that this will still allow ARP replies
> > from outside the specified IP range, that will populate the MAC
> > address tables in the switch and the end-station/router. For ingress
> > ACLs this could result in traffic being sent to the rogue machine
> > (but never being allowed back), or in the case of ingress and egress
> > ACLs, dropping all traffic.
> > 
> > Is there any way to stop this happening?
> 
> I don't think there is a way of filtering legitimate ARP replies. But why
> are you allowing "rogue" machines on the LAN if you don't want them to
> communicate?

It's for situations where you have a number of co-located machines in a 
single VLAN and you wish to stop customers using IP addresses that aren't 
assigned to them.

Sam
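An added example, not from this thread, showing the check the IP ACL above never performs: it turns the ACL's address/wildcard pair into a prefix and flags ARP replies whose sender IP falls outside it, run over a few constructed tcpdump-style lines (the line format and the MAC/IP values are made up for the example).

```python
import ipaddress
import re

def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco ACL address/wildcard pair (e.g. 192.168.0.0 0.0.0.31)
    into an IPv4Network. Wildcard bits set to 1 are "don't care" bits, so the
    subnet mask is the bitwise complement of the wildcard."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        # Non-contiguous wildcards are legal in IOS but do not map to one prefix
        raise ValueError(f"wildcard {wildcard} is not contiguous")
    mask = (~wc) & 0xFFFFFFFF
    prefix_len = bin(mask).count("1")
    return ipaddress.IPv4Network((address, prefix_len), strict=False)

# Matches an ARP reply as tcpdump prints it: "<ip> is-at <mac>" (assumed format)
ARP_REPLY = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})")

def parse_arp_replies(lines):
    """Yield (sender_mac, sender_ip) for every ARP reply line; other lines are ignored."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(2), m.group(1)

def rogue_arp_replies(lines, permitted: ipaddress.IPv4Network):
    """Return ARP replies whose sender IP is outside the customer's assigned range.
    An IP ACL on the switch port never sees these, since ARP is not IP."""
    return [(mac, ip) for mac, ip in parse_arp_replies(lines)
            if ipaddress.IPv4Address(ip) not in permitted]

# Constructed sample capture: two legitimate replies, two from outside the block
SAMPLE_CAPTURE = [
    "ARP, Reply 192.168.0.5 is-at 00:11:22:33:44:01, length 28",
    "ARP, Request who-has 192.168.0.1 tell 192.168.0.5, length 28",
    "ARP, Reply 192.168.0.30 is-at 00:11:22:33:44:02, length 28",
    "ARP, Reply 192.168.0.40 is-at 00:11:22:33:44:03, length 28",
    "ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:04, length 28",
]

if __name__ == "__main__":
    net = wildcard_to_network("192.168.0.0", "0.0.0.31")
    for mac, ip in rogue_arp_replies(SAMPLE_CAPTURE, net):
        print(f"ARP reply from {mac} claims {ip}, outside {net}")
```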



More information about the cisco-nsp mailing list