On Thu, 2009-06-04 at 15:39 -0700, Cord MacLeod wrote:
> Would it be a reasonable solution to static ARP a gateway on a Cisco
> L3 switch to prevent a user from taking over the gateway? So assuming
> you have HSRP running on 2 layer 3 switches and they share a gateway
> of 10.0.0.1 with switch one's address being 10.0.0.2 and two's address
> being 10.0.0.3, would it be reasonable to static ARP each of these
> addresses to each switch?
I'd say there's always a better way than static configuration. I'm not sure exactly what the scenario is, but if you're talking about simple L2 switches with an L3 interface for management, just keep the L3 termination away from user VLANs.

If you're talking about two L3 switches with a configuration like:

! *** A ***
interface Vlan2
 ip address 10.0.0.2 255.255.255.0
 standby ip 10.0.0.1
!
! *** B ***
interface Vlan2
 ip address 10.0.0.3 255.255.255.0
 standby ip 10.0.0.1
!

and you then configure each with a static ARP entry mapping 10.0.0.1 to 0000.0c07.ac00, this would only "protect" each of these two switches, not any hosts on the network. And the switches would often have their own uplink(s), rarely needing to send traffic to the "gateway" address.

Have you looked at Dynamic ARP Inspection?

Regards,
Peter

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
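As an added example, not from Peter's post or from any Cisco documentation, here is what the Dynamic ARP Inspection he points to looks like on a Catalyst access switch carrying VLAN 2 in the layout above. The VIP-to-MAC pair is the one Peter gives (0000.0c07.ac00 is the HSRP version 1 virtual MAC for group 0, which is what `standby ip` without a group number configures). The ACL name, the interface numbers, which ports face the two HSRP routers, and the rate limit are assumptions for illustration.

```ios
! Added example: Dynamic ARP Inspection (DAI) on the access switch for VLAN 2.
! Interface numbers, the ACL name and the rate limit are assumptions.
!
! DAI validates ARP sender IP/MAC pairs against the DHCP snooping binding
! table, so snooping has to be enabled first.
ip dhcp snooping
ip dhcp snooping vlan 2
!
! Statically addressed devices never appear in the snooping database, so pin
! the HSRP virtual IP to the group 0 virtual MAC with an ARP ACL and reject any
! other sender claiming 10.0.0.1. Entries are matched in order; packets that
! match no entry fall through to the DHCP snooping binding check.
arp access-list HSRP-GATEWAY
 permit ip host 10.0.0.1 mac host 0000.0c07.ac00
 deny   ip host 10.0.0.1 mac any log
!
ip arp inspection vlan 2
ip arp inspection filter HSRP-GATEWAY vlan 2
! Also drop ARP packets whose Ethernet and ARP headers disagree, or that carry
! invalid sender/target IPs (0.0.0.0, 255.255.255.255, multicast).
ip arp inspection validate src-mac dst-mac ip
!
! Ports towards the two HSRP routers (and any trunk to another switch) must be
! trusted: the active router's gratuitous ARP for 10.0.0.1 and the peers' own
! ARP replies arrive here and would otherwise be inspected and rate limited.
interface GigabitEthernet1/0/47
 description trunk to L3 switch A (10.0.0.2)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/48
 description trunk to L3 switch B (10.0.0.3)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User-facing ports stay untrusted (the default). The 15 pps limit is also the
! default; it is written out here to make the behaviour explicit: a host that
! floods ARP err-disables its own port instead of loading the switch CPU.
interface range GigabitEthernet1/0/1 - 46
 switchport mode access
 switchport access vlan 2
 ip arp inspection limit rate 15
!
! Verification from exec mode:
!   show ip arp inspection vlan 2
!   show ip arp inspection interfaces
!   show ip arp inspection statistics vlan 2
```

Two caveats worth knowing before turning this on: any other host on VLAN 2 with a static address needs its own `permit` line in the ARP ACL, or its ARP will be dropped for lack of a DHCP binding; and DAI only protects hosts behind ports that enforce it, so a dumb switch hung off an access port still lets its own downstream hosts poison each other. The explicit `deny ... log` line is redundant with the binding check for 10.0.0.1 (a static address never has a binding) but makes the intent obvious and gets the attempt logged.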
