This is actually a great question which I've seen come up as well. Depending on the requirements, step 2 seems like it may be a little extreme. PLEASE correct me if you see something wrong with this, but wouldn't the following be a working solution as well?
Assuming we only want host 192.168.123.1 with a MAC of 001f.ca08.105c to communicate on vlan 123...

    access-list 123 permit ip host 192.168.123.1 any
    mac access-list extended no_spoof
     permit host 001f.ca08.105c any
    vlan access-map anti-spoof 10
     action forward
     match mac address no_spoof
     match ip address 123
    vlan access-map anti-spoof 20
     action drop
    vlan filter anti-spoof vlan-list 123

On Mar 17, 2010, at 12:09 AM, Kingsley Charles wrote:

> Hi all
>
> I just came across this question.
>
> How do we prevent arp spoofing on switches without using DAI.
>
> My solution is as following:
>
> Solution 1
> ========
>
> Configure "ip source guard" with port security. With this only arp packets with valid source IP and MAC address will be forwarded across the
> switch and hence, no one can spoof the IP address with another MAC address.
>
> Solution 2
> ========
>
> Here I am dropping all the ARP traffic across vlan 3 where I am suspecting a spoofing attack.
>
> mac access-list extended arp
>  permit any any 0x806 0x0
>
> vlan access-map arp 10
>  action drop
>  match mac address arp
>
> ! sequence 20: re-using sequence 10 here would overwrite the drop clause above
> vlan access-map arp 20
>  action forward
>
> vlan filter arp vlan-list 3
>
> Since the ARP is being dropped, the MAC addresses of the remote hosts should be statically configured on each host.
> On the router, we can add the arp statically with the following command:
>
> router(config)#arp 10.20.30.42 3.3.3 arpa
>
> Also the switch needs to know where to forward the mac address.
>
> sw(config)#mac-address-table static 3.3.3 vlan 3 interface f1/0/2
>
> If you have any other solutions, please do share it.
>
> With regards
> Kings
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
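Added example, not code from either post in this thread: a Python check that parses a raw Ethernet/ARP frame and validates the ARP sender's IP/MAC pair against a static binding table, which is the same IP-to-MAC binding that IP source guard, the static ARP entries and the VACL above all rely on. The binding table and the frames are constructed for the example; the host 192.168.123.1 / 001f.ca08.105c is the one used in the reply, and the consistency check between the Ethernet source MAC and the ARP sender MAC is an addition.

```python
import struct
from ipaddress import IPv4Address

# Constructed binding table: the only host allowed on the VLAN, as in the reply.
BINDINGS = {"192.168.123.1": "00:1f:ca:08:10:5c"}

ETH_HDR = struct.Struct("!6s6sH")         # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def check_arp_frame(frame: bytes) -> list[str]:
    """Return a list of violations; an empty list means the ARP sender's
    IP/MAC pair agrees with the static bindings."""
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return ["not an ARP frame"]
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["unexpected ARP hardware/protocol types"]
    violations = []
    sender_mac = mac_str(sha)
    sender_ip = str(IPv4Address(spa))
    # The Ethernet source and the ARP sender MAC should agree; a mismatch is
    # a classic indicator of a crafted ARP packet.
    if mac_str(src) != sender_mac:
        violations.append(f"ethernet src {mac_str(src)} != ARP sender {sender_mac}")
    expected = BINDINGS.get(sender_ip)
    if expected is None:
        violations.append(f"unknown sender IP {sender_ip}")
    elif expected != sender_mac:
        violations.append(f"{sender_ip} claimed by {sender_mac}, binding says {expected}")
    return violations

def build_arp(src_mac: str, sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Encode an Ethernet/ARP reply frame as a constructed test vector (bytes only)."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))
    eth = ETH_HDR.pack(b"\xff" * 6, mac(src_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, 2, mac(sender_mac), IPv4Address(sender_ip).packed,
                       b"\x00" * 6, IPv4Address(target_ip).packed)
    return eth + arp

if __name__ == "__main__":
    good = build_arp("00:1f:ca:08:10:5c", "00:1f:ca:08:10:5c", "192.168.123.1", "192.168.123.254")
    bad = build_arp("00:aa:bb:cc:dd:ee", "00:aa:bb:cc:dd:ee", "192.168.123.1", "192.168.123.254")
    print("legit:", check_arp_frame(good))   # []
    print("spoof:", check_arp_frame(bad))    # one binding violation
```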
