[c-nsp] Block ARP

Rubens Kuhl Jr. rubensk at gmail.com
Tue Oct 4 09:31:20 EDT 2005


Haven't done it myself on C2950, but EI (Enhanced Image) software
versions can do L2 ACL based on MAC addresses and ethertypes, which
could block most of the ARP packets except from gateway or other
authorized machines.

But doing what the customer wants does not always mean doing what the
customer needs, and I would suggest digging more into the problem.

Besides ACLs, port security and private VLANs may be used to build up
a solution. Unfortunately this platform doesn't seem to be capable of
Dynamic ARP inspection or ARP ACLs (which would look inside ARP
packets).


Rubens


On 10/4/05, Ruben Montes <Ruben.Montes at eu.didata.com> wrote:
> Hello,
>
> We have a customer that complains about problems in some slow machines
> when they receive a lot of ARP requests, and they want to block them in
> those ports. I think it is not possible to do so in the way they want...
> Any idea? I'm sure there are some points of view that I haven't
> considered...
> Ah, one last thing, I'm talking about a layer 2 scenario, with C2950 or
> something like that...
>
> Thanks in advance,
>
> Ruben
>
>

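Added example, not part of the original thread and not Cisco's implementation: a small Python model of the distinction the reply draws between an L2 ACL that matches only source MAC and ethertype and a filter that looks inside the ARP packet. All MAC addresses (RFC 7042 documentation range), IP addresses (192.0.2.0/24), and function names are constructed assumptions.

```python
import struct

ETH_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")
# Constructed sample values: MACs from the RFC 7042 documentation range,
# IPs from 192.0.2.0/24. None of these come from the thread.
GATEWAY = bytes.fromhex("00005e005301")
HOST = bytes.fromhex("00005e005322")
ALLOWED_ARP_SOURCES = {GATEWAY}
BINDINGS = {"192.0.2.1": GATEWAY, "192.0.2.22": HOST}

def arp_request(eth_src, sender_mac, sender_ip, target_ip):
    """Build a broadcast Ethernet II frame carrying an ARP request."""
    eth = BROADCAST + eth_src + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet/IPv4, request
    arp += sender_mac + bytes(map(int, sender_ip.split(".")))
    arp += bytes(6) + bytes(map(int, target_ip.split(".")))
    return eth + arp

def ethertype(frame):
    return struct.unpack("!H", frame[12:14])[0]

def l2_acl_permits(frame, allowed=ALLOWED_ARP_SOURCES):
    """MAC/ethertype ACL: decides on the Ethernet header only."""
    if ethertype(frame) != ETH_ARP:
        return True                   # other traffic is left alone
    return frame[6:12] in allowed     # ARP only from listed source MACs

def arp_body_consistent(frame, bindings=BINDINGS):
    """ARP-aware check: sender MAC/IP in the ARP body must match a known
    binding and the Ethernet source address."""
    if ethertype(frame) != ETH_ARP:
        return True
    sender_mac = frame[22:28]
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return bindings.get(sender_ip) == sender_mac == frame[6:12]

if __name__ == "__main__":
    samples = {
        "gateway request": arp_request(GATEWAY, GATEWAY, "192.0.2.1", "192.0.2.50"),
        "host request": arp_request(HOST, HOST, "192.0.2.22", "192.0.2.50"),
        "header/body mismatch": arp_request(GATEWAY, HOST, "192.0.2.1", "192.0.2.50"),
    }
    for name, frame in samples.items():
        print(name, l2_acl_permits(frame), arp_body_consistent(frame))
```

The third sample passes the header-only ACL because its Ethernet source is on the allow list, and only the ARP-aware check rejects it.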