[c-nsp] static arping gateways

Cord MacLeod cordmacleod at gmail.com
Thu Jun 4 19:37:52 EDT 2009


On Jun 4, 2009, at 4:31 PM, Peter Rathlev wrote:

> On Thu, 2009-06-04 at 15:39 -0700, Cord MacLeod wrote:
>> Would it be a reasonable solution to static ARP a gateway on a Cisco
>> L3 switch to prevent a user from taking over the gateway? So assuming
>> you have HSRP running on 2 layer 3 switches and they share a gateway
>> of 10.0.0.1 with switch one's address being 10.0.0.2 and two's address
>> being 10.0.0.3, would it be reasonable to static ARP each of these
>> addresses to each switch?
>
> I'd say there's always a better way than static configuration.
>
> I'm not sure exactly what the scenario is, but if you're talking about
> simple L2 switches with an L3 interface for management, just keep the L3
> termination away from user VLANs.

A bunch of L2 switches connected to two L3 switches.

>
>
> If you're talking about two L3 switches with a configuration like:
>
> ! *** A ***
> interface Vlan2
> ip address 10.0.0.2 255.255.255.0
> standby ip 10.0.0.1
> !
>
> ! *** B ***
> interface Vlan2
> ip address 10.0.0.3 255.255.255.0
> standby ip 10.0.0.1
> !

Essentially, yes.

>
>
> And then if you should configure each with a static ARP entry mapping
> 10.0.0.1 to 0000.0c07.ac00, then this would only "protect" each of these
> two switches, not any hosts on the network. And the switches would often
> have their own uplink(s), rarely needing to send traffic to the
> "gateway" address.

I only want to protect the switches. I don't want anyone stealing
their IP addresses or the HSRP gateway addresses.

>
>
> Have you looked at Dynamic Arp Inspection?

Wish I could use this. Unfortunately, I can't. We use LVS, which is
a Linux load balancer. This does use a VIP, but not a virtual MAC
address. Therefore when there's a failover, the switch ignores the
new MAC address with DAI; I found this out the hard way on my Juniper
switches, which have DAI enabled by default.

>
>
> Regards,
> Peter
>
>
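As an added illustration (not code from the thread or from any vendor), the script below mimics the IP-to-MAC binding check that Dynamic ARP Inspection performs and runs it over constructed ARP replies for the subnet above: 10.0.0.1 bound to the HSRP group 0 virtual MAC 0000.0c07.ac00, the two switches at 10.0.0.2 and 10.0.0.3 with placeholder MACs, and a constructed LVS VIP (10.0.0.50) that fails over to a new MAC without a virtual MAC. It shows why a strict static binding flags that legitimate failover exactly like a gateway takeover, and how an explicit allowlist for floating VIPs keeps the failover logged but not dropped.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    port: str  # ingress port, reported only

# Static bindings, the equivalent of the static ARP entries discussed above.
# Switch MACs are constructed placeholders; the HSRP MAC is from the thread.
STATIC_BINDINGS = {
    "10.0.0.1": "0000.0c07.ac00",  # HSRP group 0 virtual MAC
    "10.0.0.2": "0011.2233.4401",  # switch A (constructed)
    "10.0.0.3": "0011.2233.4402",  # switch B (constructed)
}
# VIPs that legitimately move between MACs (LVS without a virtual MAC).
FLOATING_VIPS = {"10.0.0.50"}  # constructed LVS VIP

def inspect(replies, static=STATIC_BINDINGS, floating=FLOATING_VIPS):
    """Classify each ARP reply; returns a list of (ip, mac, port, verdict)."""
    learned = {}  # dynamically learned IP -> MAC, like a DHCP snooping table
    out = []
    for r in replies:
        mac = r.sender_mac.lower()
        if r.sender_ip in static:
            verdict = "ok" if mac == static[r.sender_ip] else "spoof"
        elif r.sender_ip not in learned:
            learned[r.sender_ip] = mac
            verdict = "learned"
        elif learned[r.sender_ip] == mac:
            verdict = "ok"
        elif r.sender_ip in floating:
            learned[r.sender_ip] = mac  # failover: accept and record the move
            verdict = "moved"
        else:
            verdict = "conflict"
        out.append((r.sender_ip, mac, r.port, verdict))
    return out

def should_drop(verdict):
    """DAI-style decision: drop spoofed bindings and unexplained changes."""
    return verdict in ("spoof", "conflict")

SAMPLE_REPLIES = [  # constructed sample traffic
    ArpReply("10.0.0.1", "0000.0C07.AC00", "Gi1/0/1"),   # active HSRP switch
    ArpReply("10.0.0.1", "00aa.bbcc.dd01", "Gi1/0/24"),  # host claiming the gateway
    ArpReply("10.0.0.50", "00aa.bbcc.dd10", "Gi1/0/5"),  # LVS director 1
    ArpReply("10.0.0.50", "00aa.bbcc.dd11", "Gi1/0/6"),  # LVS failover to director 2
    ArpReply("10.0.0.77", "00aa.bbcc.dd20", "Gi1/0/7"),  # ordinary host
    ArpReply("10.0.0.77", "00aa.bbcc.dd21", "Gi1/0/8"),  # same IP, unexplained new MAC
]
```

Without the FLOATING_VIPS allowlist the fourth reply would be classified "conflict" and dropped, which is the behaviour described for the LVS failover under DAI.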
