[c-nsp] Prevent "IP Spoofing" from inside of the network

Church, Chuck cchurch at netcogov.com
Tue May 24 09:21:56 EDT 2005


The 2950 and 3550 switches will let you use an inbound ACL on a
switchport.  An ACL blocking the HSRP address as the source on ports
facing the users/servers should do it.


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
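Putting the two suggestions in this thread into one switch configuration, as an added example that is not from any of the posters: the first half is Chuck's per-port inbound ACL, the second half is Saku's DHCP snooping + IP Source Guard + Dynamic ARP Inspection, with a static source binding for the non-DHCP server case Ricardo asks about. The addressing (VLAN 10, HSRP VIP 10.1.10.1, routers 10.1.10.2 and 10.1.10.3, a statically addressed server 10.1.10.50 with MAC 0011.2233.4455 on Fa0/5) and the port numbers are assumptions, and the syntax is Catalyst 3560/3750-era IOS; check the configuration guide for your exact platform and release (the 2950 needs the enhanced image for port ACLs).

```ios
! ---- Option 1: port ACL on user/server-facing ports (Chuck's suggestion) ----
! Assumed addressing: VLAN 10, HSRP VIP 10.1.10.1, real routers 10.1.10.2 / .3
ip access-list extended NO-GATEWAY-SPOOF
 remark hosts may not source IP packets as the HSRP VIP or the real router IPs
 deny   ip host 10.1.10.1 any
 deny   ip host 10.1.10.2 any
 deny   ip host 10.1.10.3 any
 permit ip any any
!
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip access-group NO-GATEWAY-SPOOF in
!
! ---- Option 2: DHCP snooping + IP Source Guard + DAI (Saku's suggestion) ----
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Uplink towards the HSRP routers and the DHCP server is trusted (assumed port)
interface GigabitEthernet0/1
 description uplink to distribution
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports: only IP traffic matching a snooping binding is forwarded
interface range FastEthernet0/1 - 24
 ip verify source
!
! Non-DHCP server: a static binding so IPSG and DAI admit it and nothing else
! (assumed MAC/IP/port)
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface FastEthernet0/5
!
! Verification
! show ip dhcp snooping binding
! show ip verify source
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

One caveat worth stating: the port ACL only filters IP packets. A host that has been given the VIP by mistake advertises it with ARP replies and gratuitous ARP, and those frames are not IP, so neighbours still learn the wrong MAC for the gateway even though the host's own IP packets sourced as the VIP are dropped. Dynamic ARP Inspection (with the static binding for each non-DHCP device) is what stops the ARP side, so the two options complement each other rather than compete.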


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
ricardo.jantarada at bnpparibas.com
Sent: Tuesday, May 24, 2005 8:01 AM
To: cisco-nsp at puck.nether.net
Subject: Re: Re: [c-nsp] Prevent "IP Spoofing" from inside of the network




Ok, but we have a few devices that can't be on DHCP. I'm talking
about servers in their own VLAN.
The fact is that I would like to check the IP address of every
"non-DHCP" device before having them connected to this VLAN...
I know that switches don't deal with IP addresses, but I hope there is a
way to do so.





saku/cisco-nsp at ytti.fi@puck.nether.net - 05/24/2005 11:53 AM
Sent by:    cisco-nsp-bounces at puck.nether.net
To:         cisco-nsp
Subject:    Re: [c-nsp] Prevent "IP Spoofing" from inside of the network


On (2005-05-24 11:33 +0200), ricardo.jantarada at bnpparibas.com wrote:

> A few days ago, someone accidentally took the HSRP IP address of the
> network.
> We usually use the DHCP protocol, for clients, to protect the network
> from this kind of problem, but sometimes we have to use hard-coded IP
> addresses for other devices.
> I would like to protect this HSRP IP address from being used by anyone
> other than my routers.

 Basically you can do this by forcing DHCP usage. Catalyst 3550 and up
support IP Source Guard, which only allows ports with a DHCP-assigned
address to communicate. You might want to configure Dynamic ARP
Inspection to go with it.

--
  ++ytti
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/







This message and any attachments (the "message") is
intended solely for the addressees and is confidential.
If you receive this message in error, please delete it and
immediately notify the sender. Any use not in accord with
its purpose, any dissemination or disclosure, either whole
or partial, is prohibited except formal approval. The internet
can not guarantee the integrity of this message.
BNP PARIBAS (and its subsidiaries) shall (will) not
therefore be liable for the message if modified.


