[c-nsp] against arp spoofing
Tantsura, Jeff
jtantsura at ugceurope.com
Mon May 30 03:53:22 EDT 2005
Matt,
This chapter describes how to configure the unknown unicast flood blocking
(UUFB) feature on the Cisco 7600 series routers.
http://www.cisco.com/en/US/partner/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080435cd8.html
--
Jeff Tantsura CCIE# 11416
Senior IP Network Engineer
-----Original Message-----
From: Matt Buford [mailto:matt at overloaded.net]
Sent: 30 May 2005 05:05
To: Levent Ogut; Gert Doering
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] against arp spoofing
Levent Ogut wrote:
> I definitely agree with you that it is best to use one vlan for each
> customer,
> but sometimes existing setups (one vlan for all customers) can
> not be changed easily,
> so in those cases private-vlans are a part of the solution, not a
> complete solution;
> with some other techniques added it can be a more secure network.
>
> In the case of a data-center designed with one vlan for multiple
> customers,
> a rooted machine can easily spoof arp and act as a man in the middle; pvlans
> prevent this,
> and with port security functions (sticky and so on) you can also minimize
> incidents.
This can also be an issue of scaling. VLAN per customer doesn't scale very
well on the 6500 platform. It also creates relatively more complex
allocation issues. Admittedly these should be automated either way, but it
is still more complex to automate vlan-per-customer setups. With private
vlans, it is nothing but grab IPs (which need not be subnet sized) for the
server then do a port VLAN setting.
While private vlans aren't perfect, they are a nice compromise and allow me
to scale a single pair of sup720's much higher by avoiding the limitations
on number of VLANs, as well as limitations on the number of spanning tree
ports per slot that are relatively low. I've been hoping Cisco will make a
few small changes to make it even more effective, but so far I haven't had
much luck. It seems to suit my needs fairly well though.
Private vlans (with local proxy arp) provide good protection against
broadcast traffic. They also provide good protection against IP conflicts
with the default gateways. They provide moderate mitigation of IP
conflicts between customers, and provide no protection against use of
non-allocated IPs. They also provide no help against unknown unicast
flooding.
If Cisco would provide some method for me to put in static ARP entries (the
current method can not handle tens of thousands of static ARPs in the
config), I would put all customer addresses in there with their MACs and be
fully protected against IP conflicts. I would also use port security to
lock down MACs per port and protect against unknown unicast flooding.
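As an added illustration (not from anyone in this thread), here is a Catalyst 6500/7600-style IOS configuration sketch that wires together the controls discussed above: an isolated private VLAN with local proxy ARP on the gateway SVI, sticky port security limited to one MAC per customer port, unknown unicast flood blocking on that port, and a static ARP binding of the kind Matt describes. The VLAN numbers, addresses and MAC are constructed placeholders, and the exact command set varies by platform and IOS release.

```cisco
! Constructed example: isolated secondary VLAN 101 inside primary VLAN 100
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Gateway SVI on the primary VLAN. Local proxy ARP makes the router answer
! ARP for hosts in the isolated VLAN, so customer-to-customer traffic goes
! through the router instead of being resolved host-to-host.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ip local-proxy-arp
 private-vlan mapping 101
!
! Customer-facing port: isolated host port, a single learned (sticky) MAC,
! and unknown unicast flood blocking so unknown-destination frames are not
! delivered to this customer.
interface GigabitEthernet1/1
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 switchport block unicast
!
! Static ARP binding for one customer address (constructed values); this is
! the per-host entry the thread notes does not scale to tens of thousands.
arp 192.0.2.10 0000.5e00.5301 ARPA
```

Verify the result with `show vlan private-vlan`, `show port-security interface GigabitEthernet1/1` and `show ip arp 192.0.2.10`.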
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/