[c-nsp] ARP/MAC spoofing protection from a bad nic

Afsheen Bigdeli afsheenb at gravityplaysfavorites.net
Fri Jan 5 21:22:11 EST 2007


Personally, I'd probably hold off on doing anything - the odds of a 
similar meltdown happening again are hopefully rather slim, and the 
ramifications of protecting against it might cause more trouble than 
they're worth...

That being said, you'll probably want to implement port security. See 
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/port_sec.htm.

How it works:

For each port, you can enable port security, assign the maximum number 
of mac addresses that you'd expect to see attached to that switchport, 
and what action to take if you go over the expected number of mac 
addresses. You can also enter static mac addresses, but that would 
become quite time consuming, I'd think.

Additionally, you can also configure aging parameters - so the logic 
ends up being "I expect to see no more than X mac addresses sourced from 
this port in a given time period; if I do see more than X addresses, 
take this action (shutdown, errdisable, etc)". The aforementioned link 
goes into greater detail.

Two caveats: 1) you'll probably want the value of X to be higher than 
one, as the headaches of having a port automatically shut down every time 
you change the NIC that is attached to it aren't worth the net benefits, 
IMHO and 2) ports have to meet certain conditions for port security to 
be allowed, the most commonly ignored one being that a trunk cannot be a 
secure port.

Hope that helps,
--afsheenb
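An added example, not from the reply above or from Cisco's documentation: a Cisco IOS (Catalyst) port-security configuration that implements the logic described in the reply, showing the overly strict form beside the recommended one. Interface names, VLAN number, the MAC limit of 3, and the timer values are assumed for illustration.

```cisco
! Added example (not the poster's configuration). Interface names, VLAN,
! the MAC limit of 3 and the timers below are assumed values.
!
! --- Overly strict: one MAC, hard shutdown, no automatic recovery.
! --- Every NIC swap leaves the port err-disabled until someone clears it
! --- by hand (caveat 1 in the reply above).
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! --- Recommended: headroom for NIC swaps, age learned addresses out,
! --- and keep the port up while excess source MACs are dropped and logged.
! --- "switchport mode access" is required: a trunk cannot be a secure
! --- port (caveat 2 in the reply above).
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! --- If shutdown is the preferred action, let the switch recover the
! --- port on its own instead of waiting for a manual shutdown/no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- Verification (output not shown here):
! ---   show port-security interface GigabitEthernet1/0/11
! --- reports the limit, learned count, violation count and the last
! --- offending source address, which is what localises the bad device.
```

Port security counts distinct source MAC addresses per port, so it catches a port that suddenly sources many MACs or a device moved to the wrong port; a single NIC that answers ARP for every IP with its own MAC, as in the incident above, is better caught by Dynamic ARP Inspection, which this thread does not cover.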





Joseph Jackson wrote:
> Hey all,
> 
> Earlier today we had what seems to be a NIC in a server go
> bad and started answering with its mac address for every IP within its
> subnet.  Of course this caused a massive LAN meltdown which wasn't all
> that fun.  We'd like to never have that happen again so I am wondering
> what you guys do out there to prevent this type of issue happening or at
> least make troubleshooting the problem and finding the offending device
> faster.  Thanks!
> 
> Joseph
> 