[c-nsp] Disable ARP

Alex A. Pavlenko lex at sandy.ru
Fri Aug 25 05:28:33 EDT 2006


----- Original Message ----- 
From: "Saku Ytti" <saku+cisco-nsp at ytti.fi>
To: <cisco-nsp at puck.nether.net>
Sent: Thursday, August 24, 2006 7:14 PM
Subject: Re: [c-nsp] Disable ARP


> On (2006-08-24 19:02 +0400), Alex A. Pavlenko wrote:
> 
>> Are there any means to disable ARP learning on Ethernet interface or subinterface
>> on Cisco router?
> 
> Yeah, unnumbered vlan subinterfaces (learning happens on DHCP), and Cisco
> itself does not send 'arp who has' on the wire. Very useful if you have a
> lot of low-speed subscribers on the same rather empty subnet, to avoid
> filling their pipes with useless 'arp who has' queries when someone
> scans the whole subnet through.

Thanks, you've revealed to me a very interesting technique. However, it is linked to DHCP, which is
not used in our network. The main goal is to increase security - to forbid customers
from stealing IP addresses. Obviously, it can be achieved by setting static ARP cache entries
on the router and disabling ARP learning on the subinterface. Without the second step a customer
can take an unused IP address which is not statically placed into the ARP cache. However,
it is still incomprehensible how to disable ARP :( The only workaround I see is to
attach an inbound access-list where all legitimate addresses are listed, but it requires
a lot of hand work and consumes router resources :( So I'll appreciate any further ideas, if any.
Thanks

Alex.

> 
> Thanks,
> -- 
>  ++ytti
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
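The two-part mitigation Alex describes (static ARP entries for every assigned address, plus an inbound access-list that permits only the listed sources) is mostly "hand work" because the two lists must be kept in step by hand. The script below is an added example, not part of the thread and not anything from Cisco: it generates both pieces of IOS configuration from a single customer table, refuses to emit config for entries that would be wrong or ambiguous, and reports how many host addresses in the subnet are still uncovered by a static entry. The subnet, subinterface name, IP addresses and MACs are constructed for illustration; the IOS commands used (`arp <ip> <mac> ARPA`, `ip access-list extended`, `permit ip host ... any`, `ip access-group ... in`) are standard IOS syntax.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Everything here is a constructed illustration; the subnet, subinterface
# name, addresses and MACs are assumptions and do not come from the thread.
SUBNET = ipaddress.ip_network("192.0.2.0/24")
SUBINTERFACE = "FastEthernet0/0.100"
ACL_NAME = "CUSTOMERS-IN"

# Constructed customer table: (assigned IP, customer's MAC in IOS dotted-hex form).
CUSTOMERS: List[Tuple[str, str]] = [
    ("192.0.2.10", "0000.0c12.3456"),
    ("192.0.2.11", "0000.0c12.3457"),
    ("192.0.2.12", "0000.0c12.3458"),
]

_MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def validate(customers: Iterable[Tuple[str, str]], subnet: ipaddress.IPv4Network) -> None:
    """Raise ValueError on anything that would yield a wrong or ambiguous config:
    an address outside the subnet, the network/broadcast address, a malformed
    MAC, or an IP or MAC listed twice (a second 'arp' line for the same IP
    would silently replace the first on the router)."""
    seen_ips, seen_macs = set(), set()
    for ip, mac in customers:
        addr = ipaddress.ip_address(ip)
        if addr not in subnet:
            raise ValueError(f"{ip} is outside {subnet}")
        if addr in (subnet.network_address, subnet.broadcast_address):
            raise ValueError(f"{ip} is not a host address")
        if not _MAC_RE.match(mac.lower()):
            raise ValueError(f"bad MAC {mac!r}: expected hhhh.hhhh.hhhh")
        if ip in seen_ips or mac.lower() in seen_macs:
            raise ValueError(f"duplicate entry for {ip} / {mac}")
        seen_ips.add(ip)
        seen_macs.add(mac.lower())


def is_valid(customers, subnet) -> bool:
    """Boolean wrapper around validate() for callers that just want a yes/no."""
    try:
        validate(customers, subnet)
        return True
    except ValueError:
        return False


def static_arp_lines(customers) -> List[str]:
    # Global config: pin each assigned IP to its MAC so another host claiming
    # that IP cannot displace the mapping in the router's ARP cache.
    return [f"arp {ip} {mac.lower()} ARPA" for ip, mac in customers]


def acl_lines(customers, acl_name: str) -> List[str]:
    # Named extended ACL: only the listed source addresses may send through the
    # subinterface; packets from any unlisted (unassigned) address are dropped.
    lines = [f"ip access-list extended {acl_name}"]
    lines += [f" permit ip host {ip} any" for ip, _ in customers]
    lines.append(" deny ip any any")
    return lines


def interface_lines(subinterface: str, acl_name: str) -> List[str]:
    return [f"interface {subinterface}", f" ip access-group {acl_name} in"]


def build_config(customers, subnet, subinterface, acl_name) -> str:
    """Validate the table, then emit the three config blocks separated by '!'."""
    validate(customers, subnet)
    blocks = [
        static_arp_lines(customers),
        acl_lines(customers, acl_name),
        interface_lines(subinterface, acl_name),
    ]
    return "\n!\n".join("\n".join(b) for b in blocks) + "\n"


def uncovered_hosts(customers, subnet) -> List[str]:
    """Audit: host addresses in the subnet with no static ARP entry. While ARP
    learning stays enabled, these are the addresses the thread is worried
    about; the ACL is what denies traffic sourced from them."""
    used = {ipaddress.ip_address(ip) for ip, _ in customers}
    return [str(h) for h in subnet.hosts() if h not in used]


if __name__ == "__main__":
    print(build_config(CUSTOMERS, SUBNET, SUBINTERFACE, ACL_NAME))
    print(f"! {len(uncovered_hosts(CUSTOMERS, SUBNET))} host addresses have no static ARP entry")
```

Two points worth keeping in mind when using output like this. First, the ACL filters IP packets, not ARP, so it does nothing to stop the router's cache from learning a mapping for an unlisted address; the static `arp` entries are what protect the assigned addresses, and the ACL is what covers the unassigned ones, which is why both halves are generated from the same table. Second, the cost Alex worries about scales with the number of `permit` lines, so regenerating the whole ACL from the customer list on every change (rather than editing it by hand) is what keeps the two lists from drifting apart without adding entries that are no longer needed.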

