Buck,
you cannot match on both IP AND non-IP traffic within a single map entry.
E.g., an ARP packet will match the "match mac" statement, but to produce
a match on the whole entry number 10 in your example the packet must
also (AND!) match the "match ip address 123", which it will not, of course...

Also, to make the Ethernet LAN work without ARP the only two
things/pieces you need to accomplish are:
- configure static mappings "arp -s <IP> <MAC>" on ALL
hosts connected to this LAN, and
- block all ARP packets on the LAN.

You don't need to configure any mappings on the switch itself (apart
from the only one you probably need for telnetting to its CLI) because
it acts as a pure L2 device in this method.
========================================

On 16 April 2010 20:49, Buck Wallander <[email protected]> wrote:
> Peter,
>
> The access-map sequence has two match statements; one for layer-2 (mac
> access-list) and another for layer-3 (ip access-list) addresses. Can you
> explain why you believe that the 'AND' condition can never be met in this
> example? To me it seems like this SHOULD validate ARP for this statically
> defined host in vlan 123:
>
> access-list 123 permit ip host 192.168.123.1 any
> mac access-list extended no_spoof
>  permit host 001f.ca08.105c any 0x806 0x0
> vlan access-map anti-spoof 10
>  action forward
>  match mac address no_spoof
>  match ip address 123
> vlan access-map anti-spoof 20
>  action drop
> vlan filter anti-spoof vlan-list 123
>
> After thinking about this for a while, I'm beginning to think that the best
> solution would be using a VACL to drop all ARP traffic in vlan 123 and
> statically define our host mac-mapping, the only caveat being you'd need to
> be presented with four pieces of info: mac, ip, port, and vlan.
>
> vlan access-map anti-spoof 10
>  action drop
>  match mac address anto_spoof
> ip source binding 001F.CA08.105C vlan 123 192.168.123.1 interface Fa0/15
> vlan filter anti-spoof vlan-list 123
>
>
> Buck
>
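A small model of the VACL evaluation rule Peter describes, added here as an illustration and not code from either poster or from Cisco. It assumes each access-map entry is evaluated in sequence, that an entry matches only when ALL of its match clauses match, and that an IP ACL can only be matched by IP packets while a MAC ACL only sees non-IP frames; the SPLIT map (one entry per traffic type) is a hypothetical rewrite used to contrast with Buck's original entry 10, not a verified platform configuration.

```python
# Constructed model of Catalyst VLAN access-map evaluation (assumption:
# entries are tried in order, every clause in an entry must match, and an
# unmatched packet is dropped). ACL names and addresses follow Buck's mail.

ARP, IPV4 = 0x0806, 0x0800


def mac_acl_no_spoof(frame):
    # mac access-list extended no_spoof
    #  permit host 001f.ca08.105c any 0x806 0x0   (ARP from the known host)
    return frame["ethertype"] == ARP and frame["src_mac"] == "001f.ca08.105c"


def ip_acl_123(frame):
    # access-list 123 permit ip host 192.168.123.1 any  (IP packets only)
    return frame["ethertype"] == IPV4 and frame.get("src_ip") == "192.168.123.1"


def evaluate(access_map, frame):
    """Return the action of the first entry whose clauses ALL match.
    An entry with no match clause (Buck's sequence 20) matches everything."""
    for action, clauses in access_map:
        if all(acl(frame) for acl in clauses):
            return action
    return "drop"  # nothing matched: treat as implicit drop


# Buck's original map: sequence 10 ANDs the MAC ACL with the IP ACL.
ORIGINAL = [("forward", [mac_acl_no_spoof, ip_acl_123]),
            ("drop", [])]

# Hypothetical split map: ARP and IP from the known host get separate entries.
SPLIT = [("forward", [mac_acl_no_spoof]),
         ("forward", [ip_acl_123]),
         ("drop", [])]

# Constructed sample frames.
ARP_FROM_HOST = {"ethertype": ARP, "src_mac": "001f.ca08.105c"}
IP_FROM_HOST = {"ethertype": IPV4, "src_mac": "001f.ca08.105c",
                "src_ip": "192.168.123.1"}
ARP_FROM_OTHER = {"ethertype": ARP, "src_mac": "0000.0000.0001"}

if __name__ == "__main__":
    for name, amap in (("original", ORIGINAL), ("split", SPLIT)):
        for label, frame in (("ARP from host", ARP_FROM_HOST),
                             ("IP from host", IP_FROM_HOST),
                             ("ARP from other", ARP_FROM_OTHER)):
            print(f"{name:8} {label:15} -> {evaluate(amap, frame)}")
```

With the original map every frame, including legitimate traffic from the known host, falls through to sequence 20 and is dropped, because no single frame can satisfy both clauses of sequence 10.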
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com