[nsp] ARP filtering
Noriega, Alejandro
ANoriega at prima.com.ar
Tue Jul 13 15:09:36 EDT 2004
That is a good idea but you waste a lot of IPs (net and bcast stuff) and
have to be careful with the soft IDBs limit.
Also I'm looking for a good solution for co-located service, trying to
address security issues, focusing on protecting my network and customers.
Some examples?
Alejandro.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Monday, July 12, 2004 12:56 PM
To: Sam Stickland
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] ARP filtering
Hi,
On Mon, Jul 12, 2004 at 04:50:43PM +0100, Sam Stickland wrote:
> > I don't think there is a way of filtering legitimate ARP replies. But
> > why are you allowing "rogue" machines on the LAN if you don't want
> > them to communicate?
>
> It's for situations where you have a number of co-located machines in
> a single VLAN and you wish to stop customers using IP addresses that
> aren't assigned to them.
Set up a dedicated VLAN per customer plus unicast RPF (or an ACL that
does the same thing).
Everything else is spoofable.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
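As an added illustration of Gert's suggestion (this is not configuration posted in the thread), the fragment below shows a per-customer VLAN with strict unicast RPF on a Cisco IOS router or L3 switch, and the ingress-ACL form he mentions as the alternative. VLAN numbers, the 192.0.2.0/30 and 192.0.2.4/30 assignments, and the ACL name are assumptions chosen for the example; the /30 per customer is also what makes Alejandro's point about burning network and broadcast addresses concrete.

```cisco
! Added example, not from the thread. VLAN IDs, addresses and the ACL
! name are assumptions. Strict uRPF requires CEF on IOS.
ip cef
!
! Customer A gets its own VLAN and a /30. Of the four addresses, the
! network and broadcast addresses are unusable and the router takes one,
! leaving a single host address (192.0.2.2) for the customer. That is
! the address cost Alejandro is objecting to.
interface Vlan101
 description customer-A
 ip address 192.0.2.1 255.255.255.252
 ! Strict uRPF: drop any packet whose source address is not routed back
 ! out this interface. On this VLAN only 192.0.2.2 passes the check, so
 ! customer A cannot source traffic from customer B's addresses.
 ip verify unicast source reachable-via rx
!
interface Vlan102
 description customer-B
 ip address 192.0.2.5 255.255.255.252
 ip verify unicast source reachable-via rx
!
! The same thing done with an ingress ACL instead of uRPF (use one or
! the other, not both). Only the one assigned host address is allowed
! as a source; everything else is dropped and logged.
ip access-list extended CUST-A-IN
 permit ip host 192.0.2.2 any
 deny   ip any any log
!
interface Vlan101
 ip access-group CUST-A-IN in
```

Neither uRPF nor the ACL inspects ARP at all, which is the point of Gert's answer: ARP is only ever seen by the hosts in the same VLAN, so once each customer is alone in its VLAN, whatever it does with ARP cannot reach another customer, and the routed boundary is where the source address gets checked. The trade-offs are the ones Alejandro names: each customer SVI consumes an interface descriptor block, so the platform's IDB limit bounds how many customers one box can carry this way, and each /30 spends two of its four addresses on the network and broadcast address.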