[c-nsp] against arp spoofing

Matt Buford matt at overloaded.net
Sun May 29 23:05:24 EDT 2005


Levent Ogut wrote:
> I definitely agree with you it is the best to use one vlan for each 
> customer,
> but sometimes existing setups (one vlan for all customers setup) can
> not be changed easily,
> so in those cases private-vlans are a part of the solution, not a
> complete solution,
> with some other techniques added it can be a more secure network.
>
> in the case of a data-center designed with one vlan for multiple 
> customers,
> a rooted machine can easily spoof ARP and act as a man in the middle; pvlans
> prevent this,
> with port security functions (sticky and so on) you can also minimize 
> incidents.

This can also be an issue of scaling.  VLAN per customer doesn't scale very 
well on the 6500 platform.  It also creates relatively more complex 
allocation issues.  Admittedly these should be automated either way, but it 
is still more complex to automate vlan-per-customer setups.  With private 
vlans, it is nothing but grab IPs (which need not be subnet sized) for the 
server then do a port VLAN setting.

While private vlans aren't perfect, it is a nice compromise and it allows me 
to scale a single pair of sup720's much higher by avoiding the limitations 
on number of VLANs, as well as limitations on the number of spanning tree 
ports per slot that are relatively low.  I've been hoping Cisco will make a 
few small changes to make it even more effective, but so far I haven't had 
much luck.  It seems to suit my needs fairly well though.

Private vlans (with local proxy arp) provides good protection against 
broadcast traffic.  It also provides good protection against IP conflicts 
against the default gateways.  It provides moderate mitigation of IP 
conflicts between customers, and provides no protection against use of 
non-allocated IPs.  It also provides no help against unknown unicast 
flooding.

If Cisco would provide some method for me to put in static ARP entries (the 
current method can not handle tens of thousands of static ARPs in the 
config), I would put all customer addresses in there with their MACs and be 
fully protected against IP conflicts.  I would also use port security to 
lock down MACs per port and protect against unknown unicast flooding. 
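For readers unfamiliar with the pieces named above, here is a minimal Catalyst IOS configuration that combines them: an isolated private VLAN, local proxy ARP on the SVI, sticky port security on the customer port, and one static ARP entry of the kind the message says does not scale. This is an added illustration, not configuration from the original post; the VLAN numbers, interface, addresses and MAC are made-up placeholders, and exact command syntax is assumed to match the Catalyst 6500 IOS of the time (check your own release).

```cisco
! Primary VLAN 100 carries the shared customer subnet; isolated secondary
! VLAN 101 holds the customer server ports so they cannot exchange frames
! (and therefore ARP) with each other at layer 2.
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! SVI on the primary VLAN: the gateway is the only layer-2 neighbour the
! isolated hosts can reach. ip local-proxy-arp makes the gateway answer
! ARP for addresses inside its own subnet, so customer-to-customer traffic
! is routed through it instead of switched between the servers.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ip local-proxy-arp
 private-vlan mapping 101
!
! Customer-facing host port: isolated pvlan membership plus port security.
! "sticky" learns the first source MAC and writes it into the running
! config; "maximum 1" makes any second MAC a violation; "restrict" drops
! the offending frames and logs/traps rather than err-disabling the port.
interface GigabitEthernet1/1
 description customer-a server (placeholder)
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Per-host static ARP pin on the gateway: the static entry is used instead
! of a dynamically learned one for this IP. One line per customer address
! is the approach the message above describes as unworkable at tens of
! thousands of entries. MAC is from the documentation range, not a real host.
arp 192.0.2.10 0000.5e00.5301 ARPA
```

With this in place, `show port-security interface GigabitEthernet1/1` and `show arp` are the two checks that confirm the learned MAC and the static entry respectively.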
