[c-nsp] static arping gateways
Lincoln Dale
ltd at cisco.com
Thu Jun 4 22:43:13 EDT 2009
Cord MacLeod wrote:
> Would it be a reasonable solution to static arp a gateway on a cisco
> L3 switch to prevent a user from taking over the gateway? So assuming
> you have HSRP running on 2 layer 3 switches and they share a gateway
> of 10.0.0.1 with switch one's address being 10.0.0.2 and two's address
> being 10.0.0.3 would it be reasonable to static arp each of these
> addresses to each switch?

a better solution would be to enable Dynamic ARP Inspection (DAI) on
your Cisco L3 switch.

"best practice" would be to enable various other integrated security
features to protect against other DoS, flooding, spoofing, starvation
attack vectors.

cheers,

lincoln.
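
A sketch of what enabling DAI could look like on one of the two HSRP switches from the question, added here as an illustration and not part of the original thread. The VLAN number, interface names, and the static host entry are assumptions; the MAC address is a constructed value from the documentation range.

```cisco
! Assumed: VLAN 10 carries the 10.0.0.0/24 user subnet from the question.
! DAI validates ARP against the DHCP snooping binding table, so snooping
! has to be on for the same VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Inspect ARP on VLAN 10 and also check that the Ethernet header matches
! the ARP payload and that the IP fields are sane.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Hosts with static addresses have no snooping binding; permit them
! explicitly (constructed IP/MAC pair).
arp access-list STATIC-HOSTS
 permit ip host 10.0.0.50 mac host 0000.5e00.5301
!
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Assumed inter-switch link to the HSRP peer: trusted, so the peer's ARP
! for 10.0.0.1/.2/.3 is not inspected. Also assumes the DHCP server is
! reached over this link.
interface GigabitEthernet1/0/48
 description Link to HSRP peer
 ip arp inspection trust
 ip dhcp snooping trust
!
! User-facing ports stay untrusted (the default). The rate limit bounds
! ARP floods; a port that exceeds it is err-disabled.
interface range GigabitEthernet1/0/1 - 24
 description User access ports
 ip arp inspection limit rate 15
!
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verification:
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10
!   show ip dhcp snooping binding
```

With this in place, an ARP reply on an untrusted port that claims 10.0.0.1 without a matching binding or ACL entry is dropped and logged by the switch.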