[c-nsp] static arping gateways

Peter Rathlev peter at rathlev.dk
Thu Jun 4 19:31:33 EDT 2009


On Thu, 2009-06-04 at 15:39 -0700, Cord MacLeod wrote:
> Would it be a reasonable solution to static arp a gateway on a Cisco
> L3 switch to prevent a user from taking over the gateway? So assuming
> you have HSRP running on 2 layer 3 switches and they share a gateway
> of 10.0.0.1 with switch one's address being 10.0.0.2 and two's address
> being 10.0.0.3, would it be reasonable to static arp each of these
> addresses to each switch?

I'd say there's always a better way than static configuration.

I'm not sure exactly what the scenario is, but if you're talking about
simple L2 switches with a L3 interface for management, just keep the L3
termination away from user VLANs.

If you're talking about two L3 switches with a configuration like:

! *** A ***
interface Vlan2
 ip address 10.0.0.2 255.255.255.0
 standby ip 10.0.0.1
!

! *** B ***
interface Vlan2
 ip address 10.0.0.3 255.255.255.0
 standby ip 10.0.0.1
!

And then if you should configure each with a static ARP entry mapping
10.0.0.1 to 0000.0c07.ac00, then this would only "protect" each of these
two switches, not any hosts on the network. And the switches would often
have their own uplink(s), rarely needing to send traffic to the
"gateway" address.

Have you looked at Dynamic ARP Inspection?

Regards,
Peter
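Where Dynamic ARP Inspection is not available on the access layer, the same binding check can be run against a mirror of the user VLAN's traffic. The following is an added example, not code from the thread or from Cisco: it parses raw Ethernet/ARP frames and flags any packet whose sender claims the 10.0.0.1 gateway address with a MAC other than the HSRP group-0 virtual MAC 0000.0c07.ac00 from the thread. The sample frames, the host MACs and the `build_arp` helper are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Expected IP -> MAC on VLAN 2; the gateway's is the HSRP group-0 virtual MAC from the thread.
EXPECTED = {"10.0.0.1": "00:00:0c:07:ac:00"}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", "").replace(".", ""))

def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet II frame, or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}

def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a minimal ARP request (oper=1) or reply (oper=2) frame as test input."""
    dst = b"\xff" * 6 if oper == 1 else mac_bytes(tha)
    eth = struct.pack("!6s6sH", dst, mac_bytes(sha), 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, mac_bytes(sha),
                      IPv4Address(spa).packed, mac_bytes(tha), IPv4Address(tpa).packed)
    return eth + arp

def check_frames(frames, expected=EXPECTED):
    """Flag ARP packets (requests too: both update caches) whose sender binding is wrong."""
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        want = expected.get(arp["spa"])
        if want is not None and arp["sha"] != want:
            alerts.append((arp["spa"], want, arp["sha"]))
    return alerts

# Constructed sample traffic: a genuine reply from the HSRP virtual MAC, a host's
# request, and a gratuitous reply claiming the gateway IP from a non-HSRP MAC.
SAMPLE_FRAMES = [
    build_arp(2, "00:00:0c:07:ac:00", "10.0.0.1", "00:50:56:00:00:10", "10.0.0.10"),
    build_arp(1, "00:50:56:00:00:10", "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(2, "00:50:56:00:00:99", "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.1"),
]
```

Note that this only catches packets that reach the monitoring point; it does not replace DAI, which can drop the offending packet at the access port before any neighbour cache is poisoned.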
