[c-nsp] Rogue NAT gateways

John Gill johgill at cisco.com
Sun Jul 15 20:10:21 EDT 2012



On 7/15/12 8:10 PM, John Gill wrote:
> Hi Dan,
> If you have Dynamic ARP Inspection (DAI) on your switches, you can
> configure the gateway to be on a trusted port and use DHCP snooping to
> keep track of who should have which ARP entry.  If you do not want to
> use DHCP snooping, you can use an ARP ACL to statically configure ARP
> inspection.
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dynarp.html
>
>
> This can effectively keep someone from masquerading as your gateway
> router.  If your goal is to keep NAT gateways from being used where they
> present their outside address to you, I don't have an easy answer for
> that off the top of my head.
>
> Regards,
> John Gill
> cisco
>
>
>
> On 7/15/12 6:16 PM, Dan Letkeman wrote:
>> Wondering if anyone has any tricks for disabling the use of any NAT
>> gateways?  I know the best way is to remove it physically, but in the
>> case of guest access and mobile devices it's sometimes difficult to do
>> so.  Now that many devices can act as a hotspot, some of these devices
>> are becoming difficult to find.  I have looked into ACLs with TTL
>> requirements, but I could not seem to get it to work like I wanted.
>
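The DAI setup John describes, as an added configuration example (not from the thread or from Cisco's documentation); it assumes a Catalyst running IOS, guest VLAN 10, the gateway 10.10.0.1 behind uplink Gi1/0/48, and a placeholder gateway MAC 0011.2233.4455:

```ios
! Constructed example: VLAN 10 is the guest VLAN, 10.10.0.1 is the real
! gateway reached through Gi1/0/48, 0011.2233.4455 is a placeholder MAC.
!
! Option A: DAI checks ARP replies on untrusted ports against the
! DHCP snooping binding table (IP/MAC learned from DHCP offers).
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet1/0/48
 description Uplink to gateway router (trusted: its ARPs are not inspected)
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/1 - 47
 description Guest access ports (untrusted, default 15 pps ARP limit)
 ip arp inspection limit rate 15
!
! Option B: without DHCP snooping, pin the gateway with an ARP ACL.
! ARP ACLs are evaluated before the binding table, so a deny here drops
! any access-port ARP that claims the gateway IP, whatever its MAC.
arp access-list GATEWAY-ARP
 deny ip host 10.10.0.1 mac any log
 permit ip any mac any
!
ip arp inspection filter GATEWAY-ARP vlan 10 static
!
! Ports that exceed the ARP rate are err-disabled; recover them automatically.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verification:
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10
!   show ip dhcp snooping binding
!   show ip arp inspection log
```

Note that this only stops a device from answering ARP for the gateway address; a hotspot that NATs behind its own DHCP-assigned address passes both checks, which is the case John says he has no easy answer for.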


