<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7652.24">
<TITLE>RE: [rbak-nsp] dhcp only on interface</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Ah, if that is the case then you definitely need CLIPS, secured ARP will not do this.<BR>
<BR>
Can I just ask why exactly you /don't/ want to use CLIPS in this situation?<BR>
<BR>
<BR>
------------------------------------------------<BR>
David Freedman<BR>
Group Network Engineering<BR>
Claranet Limited<BR>
<A HREF="http://www.clara.net">http://www.clara.net</A><BR>
<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: Frans Legdeur [<A HREF="mailto:frans@falco-networks.com">mailto:frans@falco-networks.com</A>]<BR>
Sent: Sun 8/3/2008 21:25<BR>
To: David Freedman; Marcin Kuczera; redback-nsp@puck.nether.net<BR>
Subject: Re: [rbak-nsp] dhcp only on interface<BR>
<BR>
I believe this could be a bit more complicated, since the secured arp<BR>
command at the subscriber interface would make sure that the Redback answers<BR>
with its OWN mac address as being in the middle for any destination that the<BR>
subscriber tries to reach, after that the Redback has checked if this<BR>
destination is still available.<BR>
Next to that, it does all that David has explained, it will send the request<BR>
only through to the rightful owner of the address.<BR>
<BR>
The secured arp thing worked well on the SMS platforms but got a bit strange<BR>
on the SE's in behavior.<BR>
It will do the job on any bridge based interface, with or without DHCP<BR>
enabled.<BR>
<BR>
Now with DHCP, the lease that it serves back would update the ARP table, and<BR>
should clear it when the lease expires.<BR>
The point is that these are separate tables; although the lease has<BR>
expired, the ARP table has not.<BR>
<BR>
What Marcin likes to achieve is that when the lease is expired, the<BR>
connection of that subscriber is dropped, and no communication is allowed<BR>
anymore, right?<BR>
The DHCP server should be able to do this but it sounds more like a job for<BR>
a clips controlled subscriber to me.<BR>
<BR>
Kind regards,<BR>
<BR>
Frans.<BR>
<BR>
<BR>
<BR>
From: David Freedman &lt;david.freedman@uk.clara.net&gt;<BR>
Date: Sat, 2 Aug 2008 23:09:15 +0100<BR>
To: Marcin Kuczera &lt;marcin@leon.pl&gt;, &lt;redback-nsp@puck.nether.net&gt;<BR>
Subject: Re: [rbak-nsp] dhcp only on interface<BR>
<BR>
Do you mean like, redback "secured arp" ?<BR>
<BR>
"When secured ARP is enabled, ARP requests received on an interface are not<BR>
answered unless the request<BR>
comes from the circuit known to contain the requesting host. ARP requests<BR>
are sent by the interface only<BR>
on the circuit known to contain the target host, and are not flooded to all<BR>
circuits bound to an interface<BR>
"<BR>
<BR>
I believe with this configured on an interface, no ARP requests are<BR>
answered unless the requesting host has made themselves known to the redback<BR>
(in your case, via DHCP)<BR>
<BR>
<BR>
<BR>
------------------------------------------------<BR>
David Freedman<BR>
Group Network Engineering<BR>
Claranet Limited<BR>
<A HREF="http://www.clara.net">http://www.clara.net</A><BR>
<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: redback-nsp-bounces@puck.nether.net on behalf of Marcin Kuczera<BR>
Sent: Sat 8/2/2008 21:33<BR>
To: redback-nsp@puck.nether.net<BR>
Subject: [rbak-nsp] dhcp only on interface<BR>
<BR>
Hello,<BR>
maybe some of you know the function of "reply only" on MikroTik.<BR>
This is something that allows communication only for hosts that have confirmed<BR>
their address lease with the DHCP server.<BR>
Others with a static IP configuration will not work.<BR>
<BR>
Now, the question - is it possible to do it on RedBack (not CLIPS)?<BR>
So far I have seen that if I enable DHCP on an interface and computers<BR>
fetch addresses from DHCP, the ARP entry looks like static.<BR>
However, dynamic ARP (static IP without DHCP) is still possible.<BR>
<BR>
Is there any method to disable dynamic ARP on a particular interface to<BR>
make it work the way I described?<BR>
<BR>
If yes, is there any method to allow a particular MAC/IP (static) to be mixed<BR>
with dynamic assignment?<BR>
<BR>
Regards,<BR>
Marcin<BR>
<BR>
_______________________________________________<BR>
redback-nsp mailing list<BR>
redback-nsp@puck.nether.net<BR>
<A HREF="https://puck.nether.net/mailman/listinfo/redback-nsp">https://puck.nether.net/mailman/listinfo/redback-nsp</A><BR>
<BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>