[c-nsp] Limiting number of ARP entries for 802.1q subinterfaces

Rubens Kuhl Jr. rubensk at gmail.com
Thu Sep 15 13:50:22 EDT 2005


MAC flooding (sending frames with tons of origin MAC addresses) is
only a problem to switches, but I think you are referring to ARP
request flooding (sending packets to lots of different IP addresses in
a very short time period).

7600s have specific ways to do ARP Throttling
(http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080435b3f.html#wp1124944)
but on both 7500s and 7600s you can use control-plane policing to
impose requests/second thresholds on ARP packets.

A totally different scenario would be an attacker that has control of
both an inside and an outside machine, the inside machine sitting on a
very large sub-net (/8, /16) and instructed to actually answer the ARP
requests from the router. That would be an ARP table overflow...
don't know if there is some prevention to this.


Rubens
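As an added example (not code from the thread or from Cisco), a small Python check in the defender's direction of the ARP-table-overflow remark above: it parses a constructed `show ip arp` sample, attributes each entry to a subinterface (IOS prints no interface column for Incomplete entries, so those are mapped through an assumed prefix table), and flags a subinterface whose table exceeds a per-VLAN cap, such as the 50 discussed in the thread, or whose entries are mostly unanswered requests. The interface names and addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of IOS 'show ip arp' output; IOS prints no interface
# column for Incomplete entries, so those are attributed by prefix below.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.200.1              -   0011.2233.4455  ARPA   FastEthernet0/1.200
Internet  10.1.200.17             5   0011.2233.4466  ARPA   FastEthernet0/1.200
Internet  10.1.201.1              -   0011.2233.4488  ARPA   FastEthernet0/1.201
Internet  10.1.201.40             0   Incomplete      ARPA
Internet  10.1.201.41             0   Incomplete      ARPA
Internet  10.1.201.42             0   Incomplete      ARPA
"""

# Assumed subinterface addressing (not from the thread).
SUBNETS = {
    "FastEthernet0/1.200": ipaddress.ip_network("10.1.200.0/24"),
    "FastEthernet0/1.201": ipaddress.ip_network("10.1.201.0/24"),
}
ENTRY_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+(\S+)\s+ARPA(?:\s+(\S+))?\s*$")

def parse_arp(text):
    """Yield (ip, hw_addr, interface); interface is None when IOS omits it."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def interface_for(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SUBNETS.items() if addr in net), None)

def audit(text, max_entries=50, max_incomplete_ratio=0.5):
    # Findings: table over the per-VLAN cap, or mostly unanswered requests.
    counts = defaultdict(lambda: {"complete": 0, "incomplete": 0})
    for ip, hw, intf in parse_arp(text):
        intf = intf or interface_for(ip)
        if intf is None:
            continue  # entry outside the known subinterfaces
        counts[intf]["incomplete" if hw == "Incomplete" else "complete"] += 1
    findings = []
    for intf, c in sorted(counts.items()):
        total = c["complete"] + c["incomplete"]
        if total > max_entries:
            findings.append((intf, "table-growth", total))
        if c["incomplete"] / total > max_incomplete_ratio:
            findings.append((intf, "unanswered-arp", c["incomplete"]))
    return dict(counts), findings
```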





On 9/15/05, Murilo Antonio Pugliese <mpugliese at diveo.net.br> wrote:
> 
> This subject wasn't posted by myself, but maybe to avoid an excessive MAC flooding
> that would act as a DDOS attack against a router capacity to handle it.
> It may be feasible if you consider a router/LC/controller/PA or whatever that would
> aggregate a large amount of 802.1q subinterfaces, each one delivered for a different
> LAN with who knows how many hosts.
> 
> -----Original Message-----
> From: oboehmer at cisco.com [mailto:oboehmer at cisco.com]
> Sent: Thursday, September 15, 2005 12:01
> To: Murilo Antonio Pugliese; rubensk at gmail.com; Marko Milivojevic
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Limiting number of ARP entries for 802.1q
> subinterfaces
> 
> 
> I'm not really sure if the previous suggestions address your issue. You
> don't want to limit the number of mac-addresses learned over a given
> switchport, but you want to limit the number of ARP entries resolved via
> ARP on a routed/L3 interface.
> 
> I don't know of any (Rodney?), but which problem are you trying to
> solve?
> 
> One obvious solution would be to use smaller networks (a /24 on the
> interface can have at most 253 ARP entries, so you have a natural limit)
> ;-)
> 
>         oli
> 
> 
> Murilo Antonio Pugliese <> wrote on Thursday, September 15, 2005 4:39
> PM:
> 
> > Ok, so it's feasible to limit the amount of learned MAC addresses
> > on L3 802.1q subinterface of a 7600 Series Router.
> >
> > And so, are you guys confident that this functionality cannot be
> > achieved on a 7500 Series Router?
> >
> >
> > -----Original Message-----
> > From: Rubens Kuhl Jr. [mailto:rubensk at gmail.com]
> > Sent: Thursday, September 15, 2005 11:08
> > To: Marko Milivojevic
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Limiting number of ARP entries for 802.1q
> > subinterfaces
> >
> >
> > I would add
> > switchport port-security violation restrict
> >
> > 'shutdown' action is probably unwanted.
> >
> > Also of notice is a possible bug with IPv6 router discovery MACs that
> > somehow got into port-security static MAC table. Disabling IPv6
> > provided a workaround.
> >
> >
> > Rubens
> >
> > On 9/15/05, Marko Milivojevic <markom at pangalactic.net> wrote:
> >>
> >>         It may not work in your environment (definitely won't work
> >> for 7500), but 7600 is essentially a switch. Being that, it allows
> >> you to do:
> >>
> >> int fa0/1
> >>   switchport
> >>   switchport trunk encapsulation dot1q
> >>   switchport mode trunk
> >>   switchport trunk allowed vlan 200
> >>   switchport port-security
> >>   ! this is from the head -- check syntax
> >>   switchport port-security maximum 50 vlan 200
> >> !
> >> interface vlan200
> >>   ip address ...
> >> !
> >>
> >>         The configuration above will effectively limit the number of
> >> learned MAC addresses in VLAN 200 on interface Fa0/1, while still
> >> providing L3 "termination".
> >>
> >> Marko.
> >>
> >> Everton da Silva Marques wrote:
> >>> Is there an option to limit the maximum
> >>> number of MAC addresses that a 7500/7600
> >>> router is willing to learn for one L3
> >>> 802.1q subinterface? Something like:
> >>>
> >>> interface FastEthernet0/1.200
> >>>  encapsulation dot1q 200
> >>>  ip arp cache maximum-mac-addresses 50
> >>>
> >>> Otherwise, would anyone suggest another
> >>> way to create a similar, per-VLAN limit
> >>> for ARP entries?
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
> >
>


