[c-nsp] Blocking arp / DAI
Mike
mike-cisconsplist at tiedyenetworks.com
Fri Jun 20 19:50:39 EDT 2014
On 06/20/2014 06:39 AM, Casper Gondelach wrote:
> Mike,
>
> Are you looking for ip source guard?
>
> http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swdhcp82.html
>
> This uses the binding database to block everything except the
> database. We use this to prevent static IPs / address stealing.
>
> Gr,
>
> Casper
>
No, this doesn't seem to be complete.
I want the switch to snoop dhcp leases. Then later, when another part of
the network sends out an arp for some address, before the switch floods
the broadcast out all ports in the vlan, I want it to look at the arp
message and limit the ports it floods the message out to just those ones
where the DHCP binding database says that IP can be found. So, in a
nutshell, I want the switch to refrain from SENDING out any port that the
database doesn't say has the IP in question. The purpose of this is to
limit/reduce unnecessary broadcast traffic. Stupidly enabling broadcast
rate limits does not do the job since it drops packets that are
necessary; I just want to drop the unnecessary.
Thank you.
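As an added illustration that is not part of the original post and not a Cisco feature: a small Python model of the forwarding rule Mike describes (flood an ARP request only to the ports where the DHCP snooping binding database places the target IP) alongside the Dynamic ARP Inspection check that Casper's link covers. It assumes the column layout of IOS `show ip dhcp snooping binding`; the binding table, port names and addresses are constructed sample data.

```python
# Added example: models the ARP-flood restriction described in the post plus a
# DAI sender check, driven by a constructed "show ip dhcp snooping binding" dump.
from dataclasses import dataclass

SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.0.0.11        86400       dhcp-snooping  10    GigabitEthernet1/0/1
00:11:22:33:44:66   10.0.0.12        86400       dhcp-snooping  10    GigabitEthernet1/0/2
00:11:22:33:44:77   10.0.0.13        86400       dhcp-snooping  20    GigabitEthernet1/0/3
Total number of bindings: 3
"""

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

def parse_bindings(text):
    """Turn the binding dump into Binding records; header, ruler and total lines are skipped."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[3] in ("dhcp-snooping", "static"):
            out.append(Binding(f[0].lower(), f[1], int(f[4]), f[5]))
    return out

def arp_request_egress(bindings, vlan, target_ip, ingress_port, vlan_ports):
    """Ports an ARP request for target_ip should be sent out of, per the post's rule.
    Caveat: a target with no binding (static host, or a lease the switch never saw)
    must still be flooded normally, otherwise such hosts become unreachable."""
    matches = {b.port for b in bindings if b.vlan == vlan and b.ip == target_ip}
    if not matches:
        return sorted(p for p in vlan_ports if p != ingress_port)  # ordinary flood
    return sorted(p for p in matches if p != ingress_port)

def dai_validate(bindings, vlan, sender_mac, sender_ip, ingress_port, trusted_ports=()):
    """DAI-style check: on an untrusted port the ARP sender MAC/IP pair must match a
    binding learned on that same VLAN and port; trusted ports are not inspected."""
    if ingress_port in trusted_ports:
        return True
    return any(b.vlan == vlan and b.mac == sender_mac.lower() and b.ip == sender_ip
               and b.port == ingress_port for b in bindings)
```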