Kings, Great observations.
I personally like the static ARP entries and then blocking ARP on the switch. It's a real cut-throat way to get it done.

Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

On Mar 17, 2010, at 12:09 AM, Kingsley Charles wrote:

> Hi all
>
> I just came across this question.
>
> How do we prevent ARP spoofing on switches without using DAI?
>
> My solution is as follows:
>
> Solution 1
> ========
>
> Configure IP Source Guard with port security. With this, only ARP packets
> with a valid source IP and MAC address will be forwarded across the
> switch and hence no one can spoof the IP address with another MAC address.
>
> Solution 2
> ========
>
> Here I am dropping all the ARP traffic across VLAN 3, where I am suspecting a
> spoofing attack.
>
> mac access-list extended arp
>  permit any any 0x806 0x0
>
> vlan access-map arp 10
>  action drop
>  match mac address arp
>
> vlan access-map arp 20
>  action forward
>
> vlan filter arp vlan-list 3
>
> Since the ARP is being dropped, the MAC addresses of the remote hosts should
> be statically configured on each host.
> On the router, we can add the ARP entry statically with the following command:
>
> router(config)#arp 10.20.30.42 3.3.3 arpa
>
> Also the switch needs to know where to forward the MAC address:
>
> sw(config)#mac-address-table static 3.3.3 vlan 3 interface f1/0/2
>
> If you have any other solutions, please do share them.
>
> With regards
> Kings
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
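A complete worked configuration for the "static ARP entries plus block ARP on the switch" approach that both messages above favour, added here by the editor as an illustration; it is not taken from either poster. The hostnames, interface numbers, MAC addresses and IP addresses are assumed for the example, and the access-map names and sequence numbers are the editor's choice.

```cisco
! --- Access switch carrying VLAN 3 ---
! Pin every legitimate host to its port so the switch never has to learn it
! (addresses and interfaces are assumed for this example; newer IOS spells
! the command "mac address-table static")
mac-address-table static 0003.0003.0003 vlan 3 interface FastEthernet1/0/2
mac-address-table static 0004.0004.0004 vlan 3 interface FastEthernet1/0/3
!
! Port security stops a host from sourcing frames with any other MAC,
! so the static binding above cannot be overridden from the port itself
interface FastEthernet1/0/2
 switchport mode access
 switchport access vlan 3
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0003.0003.0003
 switchport port-security violation shutdown
!
! MAC ACL that matches only EtherType 0x0806 (ARP)
mac access-list extended ARP-ONLY
 permit any any 0x806 0x0
!
! VACL: sequence 10 drops whatever ARP-ONLY matches, sequence 20 forwards
! everything else. The two clauses need distinct sequence numbers; re-using
! 10 for the second clause would overwrite the drop clause.
vlan access-map BLOCK-ARP 10
 match mac address ARP-ONLY
 action drop
vlan access-map BLOCK-ARP 20
 action forward
!
vlan filter BLOCK-ARP vlan-list 3
!
! --- Router (or SVI) acting as gateway for VLAN 3 ---
! With ARP gone from the VLAN the gateway can never resolve a host,
! so every host it must reach gets a permanent entry
arp 10.20.30.42 0003.0003.0003 arpa
arp 10.20.30.43 0004.0004.0004 arpa
!
! --- Verification ---
! BLOCK-ARP should be listed against VLAN 3
show vlan filter
! two sequences, drop then forward
show vlan access-map BLOCK-ARP
! host-to-port bindings
show mac-address-table static vlan 3
! gateway entries show Age "-" for static
show arp
show port-security interface FastEthernet1/0/2
```

The VACL is evaluated for every frame bridged within VLAN 3 or routed into or out of it, so the switch's own SVI and the gateway lose ARP too; that is why the router-side `arp` entries are mandatory, not optional. Each host in turn needs permanent neighbour entries for the gateway and any peer it talks to, for example `ip neigh add 10.20.30.1 lladdr 00:01:00:01:00:01 dev eth0 nud permanent` on Linux or `netsh interface ipv4 add neighbors "Ethernet" 10.20.30.1 00-01-00-01-00-01` on Windows (gateway address and MAC assumed). One caveat on Solution 1: IP Source Guard filters IP packets against the DHCP snooping or static binding table and does not inspect ARP payloads, so a forged ARP reply sent from a host's own permitted MAC still gets through; the VACL (or DAI) is what actually stops it.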
