Kings,

It's a logical AND, like a route-map.
Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

On Apr 14, 2010, at 11:42 PM, Kingsley Charles <[email protected]> wrote:

> That should work. But the question was in general to prevent spoofing without
> using DAI. We don't know the IP addresses and
> MAC addresses that will flow across.
>
> One question, with VLAN access-maps, if there are more than two match
> criteria, is it match-any or match-all?
>
> With regards
> Kings
>
> On Thu, Apr 15, 2010 at 5:43 AM, bwalla <[email protected]> wrote:
>
> This is actually a great question which I've seen come up as well. Depending
> on the requirements, step 2 seems like it may be a little extreme.
>
> PLEASE correct me if you see something wrong with this, but wouldn't the
> following be a working solution as well?
>
> Assuming we only want host 192.168.123.1 with a MAC of 001f.ca08.105c to
> communicate on vlan 123...
>
> access-list 123 permit ip host 192.168.123.1 any
>
> mac access-list extended no_spoof
>  permit host 001f.ca08.105c any
>
> vlan access-map anti-spoof 10
>  action forward
>  match mac address no_spoof
>  match ip address 123
> vlan access-map anti-spoof 20
>  action drop
>
> vlan filter anti-spoof vlan-list 123
>
> On Mar 17, 2010, at 12:09 AM, Kingsley Charles wrote:
>
> > Hi all
> >
> > I just came across this question.
> >
> > How do we prevent ARP spoofing on switches without using DAI?
> > My solution is as follows:
> >
> > Solution 1
> > ========
> >
> > Configure "ip source guard" with port security. With this, only ARP packets
> > with a valid source IP and MAC address will be forwarded across the
> > switch, and hence no one can spoof the IP address with another MAC address.
> >
> > Solution 2
> > ========
> >
> > Here I am dropping all the ARP traffic across vlan 3, where I am suspecting a
> > spoofing attack.
> >
> > mac access-list extended arp
> >  permit any any 0x806 0x0
> >
> > vlan access-map arp 10
> >  action drop
> >  match mac address arp
> > vlan access-map arp 20
> >  action forward
> >
> > vlan filter arp vlan-list 3
> >
> > Since ARP is being dropped, the MAC addresses of the remote hosts
> > should be statically configured on each host.
> >
> > On the router, we can add the ARP entry statically with the following command:
> >
> > router(config)#arp 10.20.30.42 3.3.3 arpa
> >
> > Also the switch needs to know where to forward the MAC address:
> >
> > sw(config)#mac-address-table static 3.3.3 vlan 3 interface f1/0/2
> >
> > If you have any other solutions, please do share them.
> >
> > With regards
> > Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
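To make the "logical AND" answer concrete, here is a small simulator of how a VLAN access-map walks its sequences, added to this thread as an illustration; it is not configuration from any of the posts above and not Cisco code. It encodes the semantics stated in the reply (all match clauses in one sequence must permit the frame, sequences are tried in order, the first hit decides) and assumes an implicit drop for frames that hit no sequence. The ACLs are reduced to single-line predicates and the sample frames are constructed for the demonstration. One caveat worth checking on the target platform: on several Catalyst models a `match mac address` clause in a VLAN map is applied only to non-IP frames, so the real hardware may not evaluate both clauses against an IP packet the way this model does.

```python
"""Simulate how a Catalyst VLAN access-map (VACL) evaluates frames.

Added example for this thread, not configuration from the original
posts. It models the semantics stated in the reply: match clauses in
one access-map sequence are ANDed (like a route-map), sequences are
tried in order, and the first matching sequence decides the action.
Frames that hit no sequence are dropped (assumed implicit deny).
All sample frames below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Frame:
    """A frame reduced to the fields the ACLs in the thread look at."""
    src_mac: str
    src_ip: Optional[str]       # None for non-IP frames (e.g. ARP)
    ethertype: int = 0x0800     # 0x0800 = IPv4, 0x0806 = ARP


# An ACL is modelled as a predicate over a frame (True == permit).
ACL = Callable[[Frame], bool]


def ip_acl_permit_host(host: str) -> ACL:
    """access-list N permit ip host <host> any"""
    return lambda f: f.src_ip == host


def mac_acl_permit_host(mac: str) -> ACL:
    """mac access-list extended ... / permit host <mac> any"""
    return lambda f: f.src_mac.lower() == mac.lower()


def mac_acl_permit_ethertype(ethertype: int) -> ACL:
    """mac access-list extended ... / permit any any <ethertype> 0x0"""
    return lambda f: f.ethertype == ethertype


@dataclass
class Sequence:
    seq: int
    action: str                                   # "forward" or "drop"
    matches: list = field(default_factory=list)   # ACL predicates

    def hits(self, frame: Frame) -> bool:
        # A sequence with no match clause matches every frame; otherwise
        # every clause must permit the frame (logical AND, route-map style).
        return all(m(frame) for m in self.matches)


def evaluate(access_map: list, frame: Frame) -> str:
    """Walk sequences in order; the first hit decides. No hit -> drop."""
    for s in sorted(access_map, key=lambda s: s.seq):
        if s.hits(frame):
            return s.action
    return "drop"


# bwalla's anti-spoof map: forward only if BOTH the MAC ACL and the IP ACL permit.
ANTI_SPOOF = [
    Sequence(10, "forward", [mac_acl_permit_host("001f.ca08.105c"),
                             ip_acl_permit_host("192.168.123.1")]),
    Sequence(20, "drop"),
]

# Kings's solution 2: drop every ARP frame on the VLAN, forward everything else.
ARP_BLOCK = [
    Sequence(10, "drop", [mac_acl_permit_ethertype(0x0806)]),
    Sequence(20, "forward"),
]


def anti_spoof_decisions() -> dict:
    """Decisions for constructed frames against the anti-spoof map."""
    frames = {
        "legit":       Frame("001f.ca08.105c", "192.168.123.1"),
        "spoofed_ip":  Frame("001f.ca08.105c", "192.168.123.99"),
        "spoofed_mac": Frame("aaaa.bbbb.cccc", "192.168.123.1"),
    }
    return {name: evaluate(ANTI_SPOOF, f) for name, f in frames.items()}


def arp_block_decisions() -> dict:
    """Decisions for an ARP frame and an IPv4 frame against the ARP-drop map."""
    frames = {
        "arp":  Frame("001f.ca08.105c", None, ethertype=0x0806),
        "ipv4": Frame("001f.ca08.105c", "192.168.123.1"),
    }
    return {name: evaluate(ARP_BLOCK, f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, decision in {**anti_spoof_decisions(), **arp_block_decisions()}.items():
        print(f"{name:12s} -> {decision}")
```

Running it shows why the AND semantics matter for the anti-spoof map: a frame with the right MAC but a foreign IP, or the right IP behind a foreign MAC, fails sequence 10 and falls through to the drop in sequence 20, while the ARP-drop map stops only frames whose ethertype is 0x0806.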
