[c-nsp] against arp spoofing
Matt Buford
matt at overloaded.net
Mon May 30 12:00:41 EDT 2005
Of course, doing this will cause substantial problems. Every time there is
a spanning tree topology change, the dynamic MAC table is flushed. Without
unknown unicast flooding, this means that all servers become unreachable
until they transmit and are learned. If some servers are not very busy and
do not transmit any packets without a new request coming in from outside,
they will suddenly be unreachable until at least one of their ARP entries
times out.
It is only safe to turn off unknown unicast flooding if you take steps to
ensure that every host will transmit almost constantly, or if you statically
configure all MACs to the proper ports (port security).
In my experience, the biggest unknown unicast source is Microsoft load
balancing. Any time there is a jump, it almost always turns out to be
caused by some customer turning on load balancing, which responds to ARPs
with a MAC that never transmits any packets. It does this on purpose to
flood packets destined for the VIP to all servers as an unknown unicast.
Unfortunately it floods to all other customers on the VLAN too.
----- Original Message -----
From: "Tantsura, Jeff" <jtantsura at ugceurope.com>
To: "'Matt Buford'" <matt at overloaded.net>
Cc: <cisco-nsp at puck.nether.net>
Sent: Monday, May 30, 2005 3:53 AM
Subject: RE: [c-nsp] against arp spoofing
> Matt,
>
> This chapter describes how to configure the unknown unicast flood blocking
> (UUFB) feature on the Cisco 7600 series routers.
>
> http://www.cisco.com/en/US/partner/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080435cd8.html
>
> --
> Jeff Tantsura CCIE# 11416
> Senior IP Network Engineer
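The switch behaviour discussed above (MAC table flush on a spanning-tree topology change, UUFB dropping unknown unicast, static entries surviving the flush, and an NLB MAC that is never learned), as an added model that is not part of this thread; port numbers and MAC labels are constructed.

```python
"""Toy learning switch with optional unknown unicast flood blocking (UUFB)."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    uufb: bool                 # True: drop unknown unicast instead of flooding it
    ports: set
    static: dict = field(default_factory=dict)   # MAC -> port (port security)
    dynamic: dict = field(default_factory=dict)  # MAC -> port (learned)

    def forward(self, src_mac, dst_mac, in_port):
        """Learn the source, then return the set of egress ports for the frame."""
        if src_mac not in self.static:
            self.dynamic[src_mac] = in_port
        port = self.static.get(dst_mac)
        if port is None:
            port = self.dynamic.get(dst_mac)
        if port is not None:
            return {port} - {in_port}          # known destination: unicast
        if self.uufb:
            return set()                       # unknown unicast: dropped
        return self.ports - {in_port}          # unknown unicast: flooded

    def topology_change(self):
        """Spanning-tree TCN: dynamic entries are flushed, static ones are kept."""
        self.dynamic.clear()


def quiet_server_after_tcn(uufb, static_entry):
    """Constructed scenario: server on port 2 sent once, then a TCN, then a frame to it."""
    sw = Switch(uufb=uufb, ports={1, 2, 3, 4})
    if static_entry:
        sw.static["srv"] = 2
    sw.forward("srv", "gw", 2)       # server transmits once and is learned
    sw.topology_change()             # MAC table flushed
    return sw.forward("gw", "srv", 1)  # server is quiet; can the frame reach it?


def nlb_vip_traffic(uufb):
    """Constructed scenario: NLB answered ARP with a MAC that never transmits."""
    sw = Switch(uufb=uufb, ports={1, 2, 3, 4})
    return sw.forward("gw", "nlb-vip-mac", 1)  # never learned, so always unknown


if __name__ == "__main__":
    print("flooding, no static:", quiet_server_after_tcn(False, False))  # {2, 3, 4}
    print("UUFB, no static:   ", quiet_server_after_tcn(True, False))    # set()
    print("UUFB, static MAC:  ", quiet_server_after_tcn(True, True))     # {2}
    print("NLB VIP, flooding: ", nlb_vip_traffic(False))                 # {2, 3, 4}
```

With flooding enabled the quiet server still receives the frame (on every port, and so does every other customer on the VLAN); with UUFB and no static entry it gets nothing until it transmits again, which is exactly the outage the message warns about.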