[nsp] ARP filtering

james at thehamptonfamily.us
Mon Jul 12 11:59:28 EDT 2004


We try to put all new Co-Lo customers in their own VLAN. In the past
everything was flat and open, but I am slowly migrating all Co-Lo's so that
they get their own small block of IPs and a VLAN. It's also easier to
rate-limit this way; you can set customers at different speeds.

James
> On Mon, 12 Jul 2004, Oliver Boehmer (oboehmer) wrote:
>
>>
>> >
>> > We limit customers in shared VLANs by filtering IP addresses on the
>> > switch, i.e.
>> >
>> > ip access-list ex CUST_EXAMPLE
>> >   permit ip 192.168.0.0 0.0.0.31 any
>> >   deny ip any any
>> >
>> > However, it's my understanding that this will still allow ARP replies
>> > from outside the specified IP range, which will populate the MAC
>> > address tables in the switch and the end-station/router. For ingress
>> > ACLs this could result in traffic being sent to the rogue machine
>> > (but never being allowed back), or in the case of ingress and egress
>> > ACLs, dropping all traffic.
>> >
>> > Is there any way to stop this happening?
>>
>> I don't think there is a way of filtering legitimate ARP replies. But why
>> are you allowing "rogue" machines on the LAN if you don't want them to
>> communicate?
>
> It's for situations where you have a number of co-located machines in a
> single VLAN and you wish to stop customers using IP addresses that
> aren't assigned to them.
>
> Sam
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
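The gap Sam describes, as an added example that is not part of the original thread: an IP ACL only matches IP packets (EtherType 0x0800), so ARP frames (EtherType 0x0806) carrying a sender address outside the customer's block pass untouched. This script, with constructed sample frames and made-up MAC addresses, parses ARP and flags senders outside the 192.168.0.0/27 block that the ACL's wildcard 0.0.0.31 permits, which is what a switch-side monitor or a SPAN-port script would need to catch on a shared VLAN.

```python
import ipaddress
import struct

# Customer block from the thread's ACL: 192.168.0.0 wildcard 0.0.0.31 == /27.
CUSTOMER_BLOCK = ipaddress.ip_network("192.168.0.0/27")
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def build_arp(sender_mac, sender_ip, target_mac, target_ip, opcode=ARP_REPLY):
    """Build a constructed Ethernet+ARP frame (sample input, not captured traffic)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, oper
    arp += sender_mac + ipaddress.ip_address(sender_ip).packed
    arp += target_mac + ipaddress.ip_address(target_ip).packed
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    # An IP ACL never inspects these frames: EtherType is 0x0806, not 0x0800.
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28].hex(":")
    sender_ip = ipaddress.ip_address(frame[28:32])
    return opcode, sender_mac, sender_ip

def rogue_arp_senders(frames, allowed=CUSTOMER_BLOCK):
    """Flag ARP traffic whose sender IP lies outside the customer's block."""
    findings = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue            # not ARP; the IP ACL already covers it
        opcode, mac, ip = parsed
        if ip not in allowed:
            kind = "reply" if opcode == ARP_REPLY else "request"
            findings.append((mac, str(ip), kind))
    return findings

# Constructed sample: a legitimate reply from inside the block and a rogue
# reply claiming 192.168.0.200, which the wildcard 0.0.0.31 does not cover.
CUST_MAC, ROGUE_MAC, ROUTER_MAC = (bytes.fromhex(h) for h in
                                   ("0200000000aa", "0200000000bb", "0200000000ff"))
SAMPLE_FRAMES = [
    build_arp(CUST_MAC, "192.168.0.5", ROUTER_MAC, "192.168.0.1"),
    build_arp(ROGUE_MAC, "192.168.0.200", ROUTER_MAC, "192.168.0.1"),
]

if __name__ == "__main__":
    for mac, ip, kind in rogue_arp_senders(SAMPLE_FRAMES):
        print(f"ARP {kind} from {mac} claims {ip}, outside {CUSTOMER_BLOCK}")
```

Feeding it real frames (for example from a SPAN session) lets you alert on the exact condition the ACL misses; the per-customer VLAN approach James describes removes the shared broadcast domain so the rogue reply never reaches the victim in the first place.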
