That should work. But the question was, in general, how to prevent spoofing
without using DAI. We don't know the IP addresses and
MAC addresses that will flow across.

One question: with VLAN access maps, if there are more than two match
criteria, is it match-any or match-all?

With regards
Kings

On Thu, Apr 15, 2010 at 5:43 AM, bwalla <[email protected]> wrote:

> This is actually a great question which I've seen come up as well. Depending 
> on the requirements, step 2 seems like it may be a little extreme.
> PLEASE correct me if you see something wrong with this, but wouldn't the 
> following be a working solution as well?
>
> Assuming we only want host 192.168.123.1 with a MAC of 001f.ca08.105c to 
> communicate on vlan 123...
>
> access-list 123 permit ip host 192.168.123.1 any
>
> mac access-list extended no_spoof
>  permit host 001f.ca08.105c any
>
> vlan access-map anti-spoof 10
>  action forward
>  match mac address no_spoof
>  match ip address 123
> vlan access-map anti-spoof 20
>  action drop
>
> vlan filter anti-spoof vlan-list 123
>
>
> On Mar 17, 2010, at 12:09 AM, Kingsley Charles wrote:
>
> > Hi all
> >
> > I just came across this question.
> >
> > How do we prevent ARP spoofing on switches without using DAI?
> >
> > My solution is as follows:
> >
> > Solution 1
> > ========
> >
> > Configure "ip source guard" with port security. With this, only ARP
> > packets with a valid source IP and MAC address will be forwarded across the
> > switch and hence no one can spoof the IP address with another MAC
> > address.
> >
> >
> > Solution 2
> > ========
> >
> > Here I am dropping all the ARP traffic across VLAN 3, where I suspect a
> > spoofing attack.
> >
> > mac access-list extended arp
> >  permit any any 0x806 0x0
> >
> > vlan access-map arp 10
> >  action drop
> >  match mac address arp
> >
> > vlan access-map arp 20
> >  action forward
> >
> > vlan filter arp vlan-list 3
> >
> >
> > Since ARP is being dropped, the MAC addresses of the remote hosts
> > should be statically configured on each host.
> > On the router, we can add the ARP entry statically with the following command:
> >
> > router(config)#arp 10.20.30.42 3.3.3 arpa
> >
> >
> >
> > Also the switch needs to know where to forward the MAC address.
> >
> > sw(config)#mac-address-table static 3.3.3 vlan 3 interface f1/0/2
> >
> >
> >
> >
> > If you have any other solutions, please do share them.
> >
> >
> >
> > With regards
> > Kings
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please
> > visit www.ipexpert.com
>
>
>
>

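As an added illustration (not part of the thread above, and not Cisco code), the check that the thread is trying to get from the switch, namely "only ARP with a valid sender IP/MAC pair gets through", can be written out against a static binding table, the same table the static `arp` and `mac-address-table static` entries in Solution 2 describe. The parser takes a raw Ethernet II frame carrying an IPv4 ARP packet and rejects it when the sender IP is unknown, when the sender MAC does not match the binding, or when the ARP sender hardware address disagrees with the Ethernet source address (a common sign of a forged reply). The binding table and the four frames are constructed sample data: the first entry reuses the 192.168.123.1 / 001f.ca08.105c pair from the thread, and the second assumes the abbreviated `3.3.3` expands to 0003.0003.0003, which is my assumption rather than anything the thread states.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806          # EtherType for ARP, the value the thread's MAC ACL matches (0x806)
ARP_REQUEST, ARP_REPLY = 1, 2

# Static IP-to-MAC binding table for the VLAN. Constructed sample data: the first
# entry reuses the host/MAC pair from the thread, the second assumes the
# abbreviated "3.3.3" in the thread expands to 0003.0003.0003.
BINDINGS = {
    "192.168.123.1": "00:1f:ca:08:10:5c",
    "10.20.30.42": "00:03:00:03:00:03",
}


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: str
    eth_src: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame: bytes) -> ArpFrame:
    """Parse an untagged Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.
    Raises ValueError for anything else, so bindings are never evaluated against garbage."""
    if len(frame) < 42:                       # 14-byte Ethernet header + 28-byte ARP packet
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(_mac_str(eth_dst), _mac_str(eth_src), opcode,
                    _mac_str(sha), _ip_str(spa), _mac_str(tha), _ip_str(tpa))


def check_arp(frame: bytes, bindings: dict[str, str] = BINDINGS) -> list[str]:
    """Return the reasons an ARP packet would be rejected; an empty list means it passes.
    Requests and replies are checked alike, since a forged reply is the usual poisoning vector."""
    arp = parse_arp(frame)
    problems: list[str] = []
    expected = bindings.get(arp.sender_ip)
    if expected is None:                      # sender IP not in the static table at all
        problems.append(f"unknown sender IP {arp.sender_ip}")
    elif expected != arp.sender_mac:          # known IP, but claimed by the wrong MAC
        problems.append(f"sender MAC {arp.sender_mac} does not match binding "
                        f"{expected} for {arp.sender_ip}")
    if arp.sender_mac != arp.eth_src:         # ARP payload and Ethernet header disagree
        problems.append(f"ARP sender MAC {arp.sender_mac} differs from "
                        f"Ethernet source {arp.eth_src}")
    return problems


def build_arp_frame(eth_src: str, eth_dst: str, opcode: int, sender_mac: str,
                    sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Assemble a raw Ethernet+ARP frame; used here only to construct sample input."""
    eth = struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      _mac_bytes(sender_mac), _ip_bytes(sender_ip),
                      _mac_bytes(target_mac), _ip_bytes(target_ip))
    return eth + arp


# Constructed sample frames (not captured traffic).
LEGIT_REPLY = build_arp_frame("00:1f:ca:08:10:5c", "00:03:00:03:00:03", ARP_REPLY,
                              "00:1f:ca:08:10:5c", "192.168.123.1",
                              "00:03:00:03:00:03", "10.20.30.42")
# An attacker claiming the legitimate host's IP with its own MAC.
SPOOFED_REPLY = build_arp_frame("de:ad:be:ef:00:01", "00:03:00:03:00:03", ARP_REPLY,
                                "de:ad:be:ef:00:01", "192.168.123.1",
                                "00:03:00:03:00:03", "10.20.30.42")
# A sender IP that is not in the table.
UNKNOWN_SENDER = build_arp_frame("de:ad:be:ef:00:02", "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                                 "de:ad:be:ef:00:02", "192.168.123.99",
                                 "00:00:00:00:00:00", "192.168.123.1")
# Correct binding inside the ARP payload, but sent from a different MAC on the wire.
INCONSISTENT = build_arp_frame("de:ad:be:ef:00:03", "00:03:00:03:00:03", ARP_REPLY,
                               "00:1f:ca:08:10:5c", "192.168.123.1",
                               "00:03:00:03:00:03", "10.20.30.42")

if __name__ == "__main__":
    for name, frame in [("legit", LEGIT_REPLY), ("spoofed", SPOOFED_REPLY),
                        ("unknown", UNKNOWN_SENDER), ("inconsistent", INCONSISTENT)]:
        print(name, check_arp(frame) or "ok")
```

Feeding the frames through `check_arp` shows which of the two MAC/IP consistency checks each one fails; the same logic, with the table filled from the static entries you already maintain for Solution 2, is what you would want in a sniffer on a SPAN port when the platform gives you neither DAI nor a usable VACL.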