[nsp] ARP filtering

Carles Fragoso i Mariscal cfragoso at cesca.es
Tue Jul 13 17:44:26 EDT 2004


Hi guys,

What about using Private VLAN features plus a combination of ACL/VACLs?

It could allow you to put all the servers on the same subnet but you
could isolate them at L2 within the same VLAN:

http://www.cisco.com/en/US/tech/tk389/tk814/tech_protocols_list.html

The only problem could be that if communication between servers is
needed you should add static routes to force the path through the
L3 gateway.

It could be useful for ARP spoofing attacks too. ;)

-- Carlos

____________________________________________________
         __
        / /          Carles Fragoso i Mariscal
  C E / S / C A   Dept. Comunicacions i Operacions
      /_/              <cfragoso at cesca.es>

       Centre de Supercomputacio de Catalunya
        CATalunya Neutral Internet eXchange
        Tlf: +34932056464  Fax: +34932056979
____________________________________________________

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Noriega,
Alejandro
Sent: Tuesday, 13 July 2004 21:10
To: Gert Doering; Sam Stickland
Cc: cisco-nsp at puck.nether.net
Subject: RE: [nsp] ARP filtering


That is a good idea, but you waste a lot of IPs (net and bcast stuff) and
have to be careful with the soft IDB limit.
Also, I'm looking for a good solution for co-located services, trying to
apply security measures focused on protecting my network and customers.

Some examples?

Alejandro.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Monday, July 12, 2004 12:56 PM
To: Sam Stickland
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] ARP filtering


Hi,

On Mon, Jul 12, 2004 at 04:50:43PM +0100, Sam Stickland wrote:
> > I don't think there is a way of filtering legitimate ARP replies. But
> > why are you allowing "rogue" machines on the LAN if you don't want
> > them to communicate?
>
> It's for situations where you have a number of co-located machines in
> a single VLAN and you wish to stop customers using IP addresses that
> aren't assigned to them.

Set up a dedicated VLAN per customer plus unicast RPF (or an ACL that
does the same thing).

Everything else is spoofable.

gert
-- 
USENET is *not* the non-clickable part of WWW!
 
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
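As an added illustration of Gert's suggestion (a dedicated VLAN per customer plus unicast RPF, with the equivalent ACL as the alternative), and not configuration posted by anyone in this thread: an IOS-style fragment for one customer. The VLAN number, interface name and 192.0.2.0/30 are made-up values.

```cisco
! Constructed example: one VLAN per customer, each with its own small
! subnet, so the L3 gateway can verify the source of every packet.
ip cef
!
! Customer A gets VLAN 110 and 192.0.2.0/30 (.1 gateway, .2 host;
! .0 and .3 are the "net and bcast" addresses Alejandro objects to).
vlan 110
 name CUSTOMER-A
!
interface GigabitEthernet1/0/10
 description customer A server
 switchport mode access
 switchport access vlan 110
!
interface Vlan110
 description customer A gateway
 ip address 192.0.2.1 255.255.255.252
 ! Strict uRPF: forward a packet only if the best route back to its
 ! source address points out this same interface. A packet sourced
 ! from another customer's address fails the check and is dropped.
 ! (Older IOS releases spell this "ip verify unicast reverse-path".)
 ip verify unicast source reachable-via rx
!
! Equivalent without uRPF: a static ingress ACL on the same SVI that
! permits only the customer's assigned addresses and logs the rest.
ip access-list extended CUSTOMER-A-IN
 permit ip 192.0.2.0 0.0.0.3 any
 deny   ip any any log
!
interface Vlan110
 ip access-group CUSTOMER-A-IN in
```

Both checks act on the IP source address at the gateway only; they do not inspect ARP, so the per-customer VLAN (or the private VLAN isolation Carles describes) is what keeps one customer's ARP traffic away from another's.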
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
